authorCy Schubert <cy@FreeBSD.org>2023-06-26 22:56:52 +0000
committerCy Schubert <cy@FreeBSD.org>2023-06-26 22:56:52 +0000
commitb6a943f7197af1a5eb6bb028b9b808ec5016e30c (patch)
treecfbb91e940dd89d0e1d46095f43c228d7d079fa0 /lib/krb5
parent6f4e10db3298f6d65e1e646fe52aaafc3682b788 (diff)
Heimdal 7.8.0 does not support OpenSSL 3.0. 7.9.0 will, but it has not been released yet. We are importing f62e2f278 for its OpenSSL 3.0 support.
Diffstat (limited to 'lib/krb5')
-rw-r--r--lib/krb5/Makefile.am65
-rw-r--r--lib/krb5/Makefile.in4710
-rw-r--r--lib/krb5/NTMakefile54
-rw-r--r--lib/krb5/acache.c212
-rw-r--r--lib/krb5/acl.c2
-rw-r--r--lib/krb5/add_et_list.c6
-rw-r--r--lib/krb5/addr_families.c119
-rw-r--r--lib/krb5/aes-test.c22
-rw-r--r--lib/krb5/an2ln_plugin.h6
-rw-r--r--lib/krb5/aname_to_localname.c21
-rw-r--r--lib/krb5/asn1_glue.c94
-rw-r--r--lib/krb5/auth_context.c75
-rw-r--r--lib/krb5/authdata.c124
-rw-r--r--lib/krb5/build_ap_req.c44
-rw-r--r--lib/krb5/build_auth.c136
-rw-r--r--lib/krb5/cache.c838
-rw-r--r--lib/krb5/ccache_plugin.h7
-rw-r--r--lib/krb5/changepw.c18
-rw-r--r--lib/krb5/config_file.c1019
-rw-r--r--lib/krb5/config_reg.c649
-rw-r--r--lib/krb5/constants.c17
-rw-r--r--lib/krb5/context.c456
-rw-r--r--lib/krb5/convert_creds.c3
-rw-r--r--lib/krb5/creds.c2
-rw-r--r--lib/krb5/crypto-aes-sha1.c11
-rw-r--r--lib/krb5/crypto-aes-sha2.c15
-rw-r--r--lib/krb5/crypto-algs.c5
-rw-r--r--lib/krb5/crypto-arcfour.c68
-rw-r--r--lib/krb5/crypto-des-common.c29
-rw-r--r--lib/krb5/crypto-des.c70
-rw-r--r--lib/krb5/crypto-des3.c31
-rw-r--r--lib/krb5/crypto-evp.c494
-rw-r--r--lib/krb5/crypto-null.c8
-rw-r--r--lib/krb5/crypto-stubs.c3
-rw-r--r--lib/krb5/crypto.c757
-rw-r--r--lib/krb5/crypto.h58
-rw-r--r--lib/krb5/data.c11
-rw-r--r--lib/krb5/db_plugin.c14
-rw-r--r--lib/krb5/db_plugin.h6
-rw-r--r--lib/krb5/dcache.c603
-rw-r--r--lib/krb5/deprecated.c57
-rw-r--r--lib/krb5/doxygen.c2
-rw-r--r--lib/krb5/enomem.c2
-rw-r--r--lib/krb5/error_string.c118
-rw-r--r--lib/krb5/expand_path.c530
-rw-r--r--lib/krb5/fast.c873
-rw-r--r--lib/krb5/fcache.c739
-rw-r--r--lib/krb5/generate_subkey.c2
-rw-r--r--lib/krb5/get_cred.c581
-rw-r--r--lib/krb5/get_default_principal.c122
-rw-r--r--lib/krb5/get_for_creds.c425
-rw-r--r--lib/krb5/get_host_realm.c34
-rw-r--r--lib/krb5/get_in_tkt.c9
-rw-r--r--lib/krb5/heim_err.et53
-rw-r--r--lib/krb5/init_creds.c2
-rw-r--r--lib/krb5/init_creds_pw.c2889
-rw-r--r--lib/krb5/k5e1_err.et13
-rw-r--r--lib/krb5/kcm.c319
-rw-r--r--lib/krb5/kcm.h3
-rw-r--r--lib/krb5/kerberos.89
-rw-r--r--lib/krb5/kerberos.cat857
-rw-r--r--lib/krb5/keyblock.c3
-rw-r--r--lib/krb5/keytab.c56
-rw-r--r--lib/krb5/keytab_any.c4
-rw-r--r--lib/krb5/keytab_file.c165
-rw-r--r--lib/krb5/keytab_keyfile.c2
-rw-r--r--lib/krb5/krb5-plugin.7156
-rw-r--r--lib/krb5/krb5-plugin.cat7167
-rw-r--r--lib/krb5/krb5-private.h733
-rw-r--r--lib/krb5/krb5-protos.h9301
-rw-r--r--lib/krb5/krb5-v4compat.h143
-rw-r--r--lib/krb5/krb5.conf.5673
-rw-r--r--lib/krb5/krb5.conf.cat5840
-rw-r--r--lib/krb5/krb5.h222
-rw-r--r--lib/krb5/krb524_convert_creds_kdc.cat342
-rw-r--r--lib/krb5/krb5_425_conv_principal.cat3139
-rw-r--r--lib/krb5/krb5_acl_match_file.cat360
-rw-r--r--lib/krb5/krb5_aname_to_localname.cat338
-rw-r--r--lib/krb5/krb5_appdefault.cat356
-rw-r--r--lib/krb5/krb5_auth_context.cat3220
-rw-r--r--lib/krb5/krb5_c_make_checksum.cat3141
-rw-r--r--lib/krb5/krb5_ccapi.h4
-rw-r--r--lib/krb5/krb5_check_transited.cat348
-rw-r--r--lib/krb5/krb5_create_checksum.cat3112
-rw-r--r--lib/krb5/krb5_creds.cat357
-rw-r--r--lib/krb5/krb5_digest.cat3145
-rw-r--r--lib/krb5/krb5_eai_to_heim_errno.cat328
-rw-r--r--lib/krb5/krb5_encrypt.cat3137
-rw-r--r--lib/krb5/krb5_err.et45
-rw-r--r--lib/krb5/krb5_find_padata.cat332
-rw-r--r--lib/krb5/krb5_generate_random_block.cat322
-rw-r--r--lib/krb5/krb5_get_all_client_addrs.cat338
-rw-r--r--lib/krb5/krb5_get_credentials.cat396
-rw-r--r--lib/krb5/krb5_get_creds.cat392
-rw-r--r--lib/krb5/krb5_get_forwarded_creds.cat332
-rw-r--r--lib/krb5/krb5_get_in_cred.cat3131
-rw-r--r--lib/krb5/krb5_get_init_creds.cat3248
-rw-r--r--lib/krb5/krb5_get_krbhst.cat355
-rw-r--r--lib/krb5/krb5_getportbyname.cat328
-rw-r--r--lib/krb5/krb5_init_context.cat3184
-rw-r--r--lib/krb5/krb5_is_thread_safe.cat325
-rw-r--r--lib/krb5/krb5_krbhst_init.cat3117
-rw-r--r--lib/krb5/krb5_locl.h137
-rw-r--r--lib/krb5/krb5_mk_req.cat388
-rw-r--r--lib/krb5/krb5_mk_safe.cat335
-rw-r--r--lib/krb5/krb5_openlog.381
-rw-r--r--lib/krb5/krb5_openlog.cat3158
-rw-r--r--lib/krb5/krb5_parse_name.cat330
-rw-r--r--lib/krb5/krb5_principal.cat3259
-rw-r--r--lib/krb5/krb5_rcache.cat383
-rw-r--r--lib/krb5/krb5_rd_error.cat351
-rw-r--r--lib/krb5/krb5_rd_safe.cat334
-rw-r--r--lib/krb5/krb5_set_default_realm.cat369
-rw-r--r--lib/krb5/krb5_set_password.cat365
-rw-r--r--lib/krb5/krb5_string_to_key.cat373
-rw-r--r--lib/krb5/krb5_timeofday.cat354
-rw-r--r--lib/krb5/krb5_verify_init_creds.cat351
-rw-r--r--lib/krb5/krb5_verify_user.cat3140
-rw-r--r--lib/krb5/krbhst-test.c17
-rw-r--r--lib/krb5/krbhst.c190
-rw-r--r--lib/krb5/krcache.c2075
-rw-r--r--lib/krb5/kuserok.c36
-rw-r--r--lib/krb5/kuserok_plugin.h6
-rw-r--r--lib/krb5/kx509.c1323
-rw-r--r--lib/krb5/kx509_err.et39
-rw-r--r--lib/krb5/libkrb5-exports.def.in93
-rw-r--r--lib/krb5/locate_plugin.h6
-rw-r--r--lib/krb5/log.c450
-rw-r--r--lib/krb5/mcache.c157
-rw-r--r--lib/krb5/mit_glue.c17
-rw-r--r--lib/krb5/mk_cred.c324
-rw-r--r--lib/krb5/mk_error.c4
-rw-r--r--lib/krb5/mk_req_ext.c67
-rw-r--r--lib/krb5/pac.c1630
-rw-r--r--lib/krb5/pcache.c17
-rw-r--r--lib/krb5/pkinit-ec.c73
-rw-r--r--lib/krb5/pkinit.c304
-rw-r--r--lib/krb5/plugin.c574
-rw-r--r--lib/krb5/principal.c109
-rw-r--r--lib/krb5/rd_cred.c4
-rw-r--r--lib/krb5/rd_priv.c2
-rw-r--r--lib/krb5/rd_req.c91
-rw-r--r--lib/krb5/rd_safe.c2
-rw-r--r--lib/krb5/recvauth.c7
-rw-r--r--lib/krb5/replay.c8
-rw-r--r--lib/krb5/salt-aes-sha1.c2
-rw-r--r--lib/krb5/salt-aes-sha2.c2
-rw-r--r--lib/krb5/salt-arcfour.c6
-rw-r--r--lib/krb5/salt.c67
-rw-r--r--lib/krb5/scache.c479
-rw-r--r--lib/krb5/send_to_kdc.c101
-rw-r--r--lib/krb5/send_to_kdc_plugin.h5
-rw-r--r--lib/krb5/sendauth.c20
-rwxr-xr-xlib/krb5/sp800-108-kdf.c5
-rw-r--r--lib/krb5/store-int.c2
-rw-r--r--lib/krb5/store.c406
-rw-r--r--lib/krb5/store_emem.c40
-rw-r--r--lib/krb5/store_fd.c23
-rw-r--r--lib/krb5/store_mem.c4
-rw-r--r--lib/krb5/store_sock.c10
-rw-r--r--lib/krb5/store_stdio.c271
-rw-r--r--lib/krb5/test_acl.c2
-rw-r--r--lib/krb5/test_alname.c2
-rw-r--r--lib/krb5/test_ap-req.c3
-rw-r--r--lib/krb5/test_cc.c499
-rw-r--r--lib/krb5/test_expand_toks.c2
-rw-r--r--lib/krb5/test_gic.c2
-rw-r--r--lib/krb5/test_hostname.c4
-rw-r--r--lib/krb5/test_mkforwardable.c191
-rw-r--r--lib/krb5/test_pac.c882
-rw-r--r--lib/krb5/test_plugin.c6
-rw-r--r--lib/krb5/test_princ.c20
-rw-r--r--lib/krb5/test_rfc3961.c310
-rw-r--r--lib/krb5/test_set_kvno0.c5
-rw-r--r--lib/krb5/test_store.c43
-rw-r--r--lib/krb5/test_time.c4
-rw-r--r--lib/krb5/ticket.c124
-rw-r--r--lib/krb5/time.c9
-rw-r--r--lib/krb5/transited.c14
-rw-r--r--lib/krb5/verify_krb5_conf.c27
-rw-r--r--lib/krb5/verify_krb5_conf.cat856
-rw-r--r--lib/krb5/verify_user.c13
-rw-r--r--lib/krb5/version-script.map92
-rw-r--r--lib/krb5/warn.c96
184 files changed, 18504 insertions, 26936 deletions
diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am
index 74d8ae171c5a..ecce461dd89c 100644
--- a/lib/krb5/Makefile.am
+++ b/lib/krb5/Makefile.am
@@ -2,7 +2,9 @@
include $(top_srcdir)/Makefile.am.common
-AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto)
+WFLAGS += $(WFLAGS_ENUM_CONV)
+
+AM_CPPFLAGS += -I../com_err -I$(srcdir)/../com_err -I../base -I$(srcdir)/../base $(INCLUDE_sqlite3) $(INCLUDE_libintl) $(INCLUDE_openssl_crypto)
bin_PROGRAMS = verify_krb5_conf
@@ -50,7 +52,8 @@ TESTS = \
check_DATA = test_config_strings.out
-check_PROGRAMS = $(TESTS) test_hostname test_ap-req test_canon test_set_kvno0
+check_PROGRAMS = $(TESTS) test_hostname test_ap-req test_canon test_set_kvno0 \
+ test_mkforwardable
LDADD = libkrb5.la \
$(LIB_hcrypto) \
@@ -58,6 +61,12 @@ LDADD = libkrb5.la \
$(top_builddir)/lib/wind/libwind.la \
$(LIB_heimbase) $(LIB_roken)
+if HAVE_KEYUTILS
+test_cc_LDADD = $(LDADD) -lkeyutils
+else
+test_cc_LDADD = $(LDADD)
+endif
+
if PKINIT
LIB_pkinit = ../hx509/libhx509.la
endif
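Review bot: The new `test_cc_LDADD` rule hard-codes `-lkeyutils` under `HAVE_KEYUTILS`, while the library itself is linked through the configure-provided `$(LIB_add_key)` variable added to `libkrb5_la_LIBADD` and `librfc3961_la_LIBADD` later in this file. If `LIB_add_key` resolves to the keyutils library, as its placement alongside `LIB_door_create` suggests, the test should use the same variable so the two cannot drift: `test_cc_LDADD = $(LDADD) $(LIB_add_key)`. That would also make the `if/else` block unnecessary, since an empty `LIB_add_key` degrades to plain `$(LDADD)`.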
@@ -71,7 +80,7 @@ libkrb5_la_LIBADD = \
$(top_builddir)/lib/ipc/libheim-ipcc.la \
$(top_builddir)/lib/wind/libwind.la \
$(top_builddir)/lib/base/libheimbase.la \
- $(LIB_pkinit) \
+ $(top_builddir)/lib/hx509/libhx509.la \
$(LIB_openssl_crypto) \
$(use_sqlite) \
$(LIB_com_err) \
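Review bot: `libkrb5_la_LIBADD` now links `$(top_builddir)/lib/hx509/libhx509.la` unconditionally, yet the `if PKINIT / LIB_pkinit = ../hx509/libhx509.la / endif` block in the preceding hunk is kept, so `LIB_pkinit` appears to have lost its only consumer in this file. If the unconditional dependency is intentional because `kx509.c` (added to `dist_libkrb5_la_SOURCES` further down) needs hx509 regardless of PKINIT, a one-line comment would save the next reader from "fixing" it back: `# libhx509 is required unconditionally (kx509.c), not only when PKINIT is enabled`. Otherwise the now-unused `LIB_pkinit` conditional should be dropped as well.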
@@ -79,8 +88,8 @@ libkrb5_la_LIBADD = \
$(LIB_libintl) \
$(LIBADD_roken) \
$(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
+ $(LIB_add_key) \
+ $(LIB_door_create)
librfc3961_la_LIBADD = \
$(top_builddir)/lib/asn1/libasn1.la \
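Review bot: `$(LIB_dlopen)` is removed from `libkrb5_la_LIBADD` here and from `librfc3961_la_LIBADD` in the next hunk, while `plugin.c` remains in `dist_libkrb5_la_SOURCES` (visible as context in a later hunk). This is only safe if libkrb5 no longer calls `dlopen`/`dlsym` directly — presumably because plugin loading moved into libheimbase, which the new `-I../base` include paths in the first hunk hint at — otherwise platforms where `LIB_dlopen` is non-empty (for example `-ldl`) will fail at link time. Worth confirming against `plugin.c` in this import; if confirmed, the removal needs no further change.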
@@ -93,12 +102,12 @@ librfc3961_la_LIBADD = \
$(LIB_libintl) \
$(LIBADD_roken) \
$(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
+ $(LIB_add_key) \
+ $(LIB_door_create)
lib_LTLIBRARIES = libkrb5.la
-ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
+ERR_FILES = krb5_err.c krb_err.c k524_err.c k5e1_err.c kx509_err.c
libkrb5_la_CPPFLAGS = \
-DBUILD_KRB5_LIB \
@@ -120,9 +129,11 @@ dist_libkrb5_la_SOURCES = \
appdefault.c \
asn1_glue.c \
auth_context.c \
+ authdata.c \
build_ap_req.c \
build_auth.c \
cache.c \
+ ccache_plugin.h \
changepw.c \
codec.c \
config_file.c \
@@ -182,13 +193,15 @@ dist_libkrb5_la_SOURCES = \
keytab_keyfile.c \
keytab_memory.c \
krb5_locl.h \
- krb5-v4compat.h \
+ krcache.c \
krbhst.c \
kuserok.c \
kuserok_plugin.h \
+ kx509.c \
log.c \
mcache.c \
misc.c \
+ mk_cred.c \
mk_error.c \
mk_priv.c \
mk_rep.c \
@@ -235,6 +248,7 @@ dist_libkrb5_la_SOURCES = \
store_fd.c \
store_mem.c \
store_sock.c \
+ store_stdio.c \
plugin.c \
ticket.c \
time.c \
@@ -252,6 +266,9 @@ libkrb5_la_DEPENDENCIES = \
version-script.map
libkrb5_la_LDFLAGS = -version-info 26:0:0
+if FRAMEWORK_COREFOUNDATION
+libkrb5_la_LDFLAGS += -framework CoreFoundation
+endif
if versionscript
libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
@@ -272,7 +289,8 @@ ALL_OBJECTS += $(test_renew_OBJECTS)
ALL_OBJECTS += $(test_rfc3961_OBJECTS)
$(ALL_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
-$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
+$(ALL_OBJECTS): krb5_err.h k524_err.h k5e1_err.h \
+ krb_err.h k524_err.h kx509_err.h
librfc3961_la_SOURCES = \
crc.c \
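Review bot: The rewritten `$(ALL_OBJECTS)` prerequisite list still carries the duplicate `k524_err.h` from the old line (`krb5_err.h k524_err.h k5e1_err.h \ krb_err.h k524_err.h kx509_err.h`), and its ordering differs from the otherwise identical `$(libkrb5_la_OBJECTS)` list added later in this file. Harmless to make, but easier to audit if both rules read the same: `$(ALL_OBJECTS): krb5_err.h krb_err.h k524_err.h k5e1_err.h kx509_err.h`.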
@@ -376,11 +394,17 @@ dist_include_HEADERS = \
noinst_HEADERS = $(srcdir)/krb5-private.h
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
+nodist_include_HEADERS = krb5_err.h k524_err.h k5e1_err.h kx509_err.h
# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
krb5dir = $(includedir)/krb5
-krb5_HEADERS = locate_plugin.h send_to_kdc_plugin.h ccache_plugin.h an2ln_plugin.h db_plugin.h
+krb5_HEADERS = \
+ an2ln_plugin.h \
+ ccache_plugin.h \
+ db_plugin.h \
+ kuserok_plugin.h \
+ locate_plugin.h \
+ send_to_kdc_plugin.h
build_HEADERZ = \
$(krb5_HEADERS) \
@@ -391,24 +415,25 @@ CLEANFILES = \
test-store-data \
krb5_err.c krb5_err.h \
krb_err.c krb_err.h \
- heim_err.c heim_err.h \
- k524_err.c k524_err.h
+ k524_err.c k524_err.h \
+ k5e1_err.c k5e1_err.h \
+ kx509_err.c kx509_err.h
-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h k524_err.h k5e1_err.h kx509_err.h
test_config_strings.out: test_config_strings.cfg
$(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
EXTRA_DIST = \
NTMakefile \
- config_reg.c \
dll.c \
libkrb5-exports.def.in \
verify_krb5_conf-version.rc \
krb5_err.et \
krb_err.et \
- heim_err.et \
k524_err.et \
+ k5e1_err.et \
+ kx509_err.et \
$(man_MANS) \
version-script.map \
test_config_strings.cfg \
@@ -422,6 +447,8 @@ krb5_err.h: krb5_err.et
krb_err.h: krb_err.et
-heim_err.h: heim_err.et
-
k524_err.h: k524_err.et
+
+k5e1_err.h: k5e1_err.et
+
+kx509_err.h: kx509_err.et
diff --git a/lib/krb5/Makefile.in b/lib/krb5/Makefile.in
deleted file mode 100644
index cc7f98b0d8ab..000000000000
--- a/lib/krb5/Makefile.in
+++ /dev/null
@@ -1,4710 +0,0 @@
-# Makefile.in generated by automake 1.16.5 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2021 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-# $Id$
-
-# $Id$
-
-# $Id$
-
-
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
- if test -z '$(MAKELEVEL)'; then \
- false; \
- elif test -n '$(MAKE_HOST)'; then \
- true; \
- elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
- true; \
- else \
- false; \
- fi; \
-}
-am__make_running_with_option = \
- case $${target_option-} in \
- ?) ;; \
- *) echo "am__make_running_with_option: internal error: invalid" \
- "target option '$${target_option-}' specified" >&2; \
- exit 1;; \
- esac; \
- has_opt=no; \
- sane_makeflags=$$MAKEFLAGS; \
- if $(am__is_gnu_make); then \
- sane_makeflags=$$MFLAGS; \
- else \
- case $$MAKEFLAGS in \
- *\\[\ \ ]*) \
- bs=\\; \
- sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
- | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
- esac; \
- fi; \
- skip_next=no; \
- strip_trailopt () \
- { \
- flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
- }; \
- for flg in $$sane_makeflags; do \
- test $$skip_next = yes && { skip_next=no; continue; }; \
- case $$flg in \
- *=*|--*) continue;; \
- -*I) strip_trailopt 'I'; skip_next=yes;; \
- -*I?*) strip_trailopt 'I';; \
- -*O) strip_trailopt 'O'; skip_next=yes;; \
- -*O?*) strip_trailopt 'O';; \
- -*l) strip_trailopt 'l'; skip_next=yes;; \
- -*l?*) strip_trailopt 'l';; \
- -[dEDm]) skip_next=yes;; \
- -[JT]) skip_next=yes;; \
- esac; \
- case $$flg in \
- *$$target_option*) has_opt=yes; break;; \
- esac; \
- done; \
- test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-bin_PROGRAMS = verify_krb5_conf$(EXEEXT)
-noinst_PROGRAMS = krbhst-test$(EXEEXT) test_alname$(EXEEXT) \
- test_crypto$(EXEEXT) test_forward$(EXEEXT) \
- test_get_addrs$(EXEEXT) test_gic$(EXEEXT) \
- test_kuserok$(EXEEXT) test_renew$(EXEEXT) \
- test_rfc3961$(EXEEXT)
-TESTS = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
- n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
- pseudo-random-test$(EXEEXT) store-test$(EXEEXT) \
- string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
- test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
- test_fx$(EXEEXT) test_prf$(EXEEXT) test_store$(EXEEXT) \
- test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
- test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
- test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
- test_pknistkdf$(EXEEXT) test_time$(EXEEXT) \
- test_expand_toks$(EXEEXT) test_x500$(EXEEXT)
-check_PROGRAMS = $(am__EXEEXT_1) test_hostname$(EXEEXT) \
- test_ap-req$(EXEEXT) test_canon$(EXEEXT) \
- test_set_kvno0$(EXEEXT)
-@versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
-subdir = lib/krb5
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
- $(top_srcdir)/cf/auth-modules.m4 \
- $(top_srcdir)/cf/broken-glob.m4 \
- $(top_srcdir)/cf/broken-realloc.m4 \
- $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
- $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
- $(top_srcdir)/cf/capabilities.m4 \
- $(top_srcdir)/cf/check-compile-et.m4 \
- $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
- $(top_srcdir)/cf/check-man.m4 \
- $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
- $(top_srcdir)/cf/check-type-extra.m4 \
- $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/crypto.m4 \
- $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
- $(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
- $(top_srcdir)/cf/find-func-no-libs.m4 \
- $(top_srcdir)/cf/find-func-no-libs2.m4 \
- $(top_srcdir)/cf/find-func.m4 \
- $(top_srcdir)/cf/find-if-not-broken.m4 \
- $(top_srcdir)/cf/framework-security.m4 \
- $(top_srcdir)/cf/have-struct-field.m4 \
- $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
- $(top_srcdir)/cf/krb-bigendian.m4 \
- $(top_srcdir)/cf/krb-func-getlogin.m4 \
- $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
- $(top_srcdir)/cf/krb-prog-perl.m4 \
- $(top_srcdir)/cf/krb-readline.m4 \
- $(top_srcdir)/cf/krb-struct-spwd.m4 \
- $(top_srcdir)/cf/krb-struct-winsize.m4 \
- $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/libtool.m4 \
- $(top_srcdir)/cf/ltoptions.m4 $(top_srcdir)/cf/ltsugar.m4 \
- $(top_srcdir)/cf/ltversion.m4 $(top_srcdir)/cf/lt~obsolete.m4 \
- $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
- $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
- $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/pkg.m4 \
- $(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
- $(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
- $(top_srcdir)/cf/roken-frag.m4 \
- $(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \
- $(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
- $(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
- $(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
- $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
- $(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(dist_include_HEADERS) \
- $(krb5_HEADERS) $(noinst_HEADERS) $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/include/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" \
- "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
- "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" \
- "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" \
- "$(DESTDIR)$(includedir)"
-am__EXEEXT_1 = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
- n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
- pseudo-random-test$(EXEEXT) store-test$(EXEEXT) \
- string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
- test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
- test_fx$(EXEEXT) test_prf$(EXEEXT) test_store$(EXEEXT) \
- test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
- test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
- test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
- test_pknistkdf$(EXEEXT) test_time$(EXEEXT) \
- test_expand_toks$(EXEEXT) test_x500$(EXEEXT)
-PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
- srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
- for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
- for p in $$list; do echo "$$p $$p"; done | \
- sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
- $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
- if (++n[$$2] == $(am__install_max)) \
- { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
- END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
- sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
- sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
- test -z "$$files" \
- || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
- || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
- $(am__cd) "$$dir" && rm -f $$files; }; \
- }
-LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
-am__DEPENDENCIES_1 =
-@have_scc_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
-dist_libkrb5_la_OBJECTS = libkrb5_la-acache.lo libkrb5_la-acl.lo \
- libkrb5_la-add_et_list.lo libkrb5_la-addr_families.lo \
- libkrb5_la-aname_to_localname.lo libkrb5_la-appdefault.lo \
- libkrb5_la-asn1_glue.lo libkrb5_la-auth_context.lo \
- libkrb5_la-build_ap_req.lo libkrb5_la-build_auth.lo \
- libkrb5_la-cache.lo libkrb5_la-changepw.lo libkrb5_la-codec.lo \
- libkrb5_la-config_file.lo libkrb5_la-convert_creds.lo \
- libkrb5_la-constants.lo libkrb5_la-context.lo \
- libkrb5_la-copy_host_realm.lo libkrb5_la-crc.lo \
- libkrb5_la-creds.lo libkrb5_la-crypto.lo \
- libkrb5_la-crypto-aes-sha1.lo libkrb5_la-crypto-aes-sha2.lo \
- libkrb5_la-crypto-algs.lo libkrb5_la-crypto-arcfour.lo \
- libkrb5_la-crypto-des.lo libkrb5_la-crypto-des-common.lo \
- libkrb5_la-crypto-des3.lo libkrb5_la-crypto-evp.lo \
- libkrb5_la-crypto-null.lo libkrb5_la-crypto-pk.lo \
- libkrb5_la-crypto-rand.lo libkrb5_la-doxygen.lo \
- libkrb5_la-data.lo libkrb5_la-db_plugin.lo \
- libkrb5_la-dcache.lo libkrb5_la-deprecated.lo \
- libkrb5_la-digest.lo libkrb5_la-eai_to_heim_errno.lo \
- libkrb5_la-enomem.lo libkrb5_la-error_string.lo \
- libkrb5_la-expand_hostname.lo libkrb5_la-expand_path.lo \
- libkrb5_la-fast.lo libkrb5_la-fcache.lo libkrb5_la-free.lo \
- libkrb5_la-free_host_realm.lo \
- libkrb5_la-generate_seq_number.lo \
- libkrb5_la-generate_subkey.lo libkrb5_la-get_addrs.lo \
- libkrb5_la-get_cred.lo libkrb5_la-get_default_principal.lo \
- libkrb5_la-get_default_realm.lo libkrb5_la-get_for_creds.lo \
- libkrb5_la-get_host_realm.lo libkrb5_la-get_in_tkt.lo \
- libkrb5_la-get_port.lo libkrb5_la-init_creds.lo \
- libkrb5_la-init_creds_pw.lo libkrb5_la-kcm.lo \
- libkrb5_la-keyblock.lo libkrb5_la-keytab.lo \
- libkrb5_la-keytab_any.lo libkrb5_la-keytab_file.lo \
- libkrb5_la-keytab_keyfile.lo libkrb5_la-keytab_memory.lo \
- libkrb5_la-krbhst.lo libkrb5_la-kuserok.lo libkrb5_la-log.lo \
- libkrb5_la-mcache.lo libkrb5_la-misc.lo libkrb5_la-mk_error.lo \
- libkrb5_la-mk_priv.lo libkrb5_la-mk_rep.lo \
- libkrb5_la-mk_req.lo libkrb5_la-mk_req_ext.lo \
- libkrb5_la-mk_safe.lo libkrb5_la-mit_glue.lo \
- libkrb5_la-net_read.lo libkrb5_la-net_write.lo \
- libkrb5_la-n-fold.lo libkrb5_la-pac.lo libkrb5_la-padata.lo \
- libkrb5_la-pcache.lo libkrb5_la-pkinit.lo \
- libkrb5_la-pkinit-ec.lo libkrb5_la-principal.lo \
- libkrb5_la-prog_setup.lo libkrb5_la-prompter_posix.lo \
- libkrb5_la-rd_cred.lo libkrb5_la-rd_error.lo \
- libkrb5_la-rd_priv.lo libkrb5_la-rd_rep.lo \
- libkrb5_la-rd_req.lo libkrb5_la-rd_safe.lo \
- libkrb5_la-read_message.lo libkrb5_la-recvauth.lo \
- libkrb5_la-replay.lo libkrb5_la-salt.lo \
- libkrb5_la-salt-aes-sha1.lo libkrb5_la-salt-aes-sha2.lo \
- libkrb5_la-salt-arcfour.lo libkrb5_la-salt-des.lo \
- libkrb5_la-salt-des3.lo libkrb5_la-sp800-108-kdf.lo \
- libkrb5_la-scache.lo libkrb5_la-send_to_kdc.lo \
- libkrb5_la-sendauth.lo libkrb5_la-set_default_realm.lo \
- libkrb5_la-sock_principal.lo libkrb5_la-store.lo \
- libkrb5_la-store-int.lo libkrb5_la-store_emem.lo \
- libkrb5_la-store_fd.lo libkrb5_la-store_mem.lo \
- libkrb5_la-store_sock.lo libkrb5_la-plugin.lo \
- libkrb5_la-ticket.lo libkrb5_la-time.lo \
- libkrb5_la-transited.lo libkrb5_la-verify_init.lo \
- libkrb5_la-verify_user.lo libkrb5_la-version.lo \
- libkrb5_la-warn.lo libkrb5_la-write_message.lo
-am__objects_1 = libkrb5_la-krb5_err.lo libkrb5_la-krb_err.lo \
- libkrb5_la-heim_err.lo libkrb5_la-k524_err.lo
-nodist_libkrb5_la_OBJECTS = $(am__objects_1)
-libkrb5_la_OBJECTS = $(dist_libkrb5_la_OBJECTS) \
- $(nodist_libkrb5_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 =
-libkrb5_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(libkrb5_la_LDFLAGS) $(LDFLAGS) -o $@
-librfc3961_la_DEPENDENCIES = $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/ipc/libheim-ipcc.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_pkinit) \
- $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_librfc3961_la_OBJECTS = librfc3961_la-crc.lo \
- librfc3961_la-crypto.lo librfc3961_la-crypto-aes-sha1.lo \
- librfc3961_la-crypto-aes-sha2.lo librfc3961_la-crypto-algs.lo \
- librfc3961_la-crypto-arcfour.lo librfc3961_la-crypto-des.lo \
- librfc3961_la-crypto-des-common.lo \
- librfc3961_la-crypto-des3.lo librfc3961_la-crypto-evp.lo \
- librfc3961_la-crypto-null.lo librfc3961_la-crypto-pk.lo \
- librfc3961_la-crypto-rand.lo librfc3961_la-crypto-stubs.lo \
- librfc3961_la-data.lo librfc3961_la-enomem.lo \
- librfc3961_la-error_string.lo librfc3961_la-keyblock.lo \
- librfc3961_la-n-fold.lo librfc3961_la-salt.lo \
- librfc3961_la-salt-aes-sha1.lo librfc3961_la-salt-aes-sha2.lo \
- librfc3961_la-salt-arcfour.lo librfc3961_la-salt-des.lo \
- librfc3961_la-salt-des3.lo librfc3961_la-sp800-108-kdf.lo \
- librfc3961_la-store-int.lo librfc3961_la-warn.lo
-librfc3961_la_OBJECTS = $(am_librfc3961_la_OBJECTS)
-aes_test_SOURCES = aes-test.c
-aes_test_OBJECTS = aes-test.$(OBJEXT)
-aes_test_LDADD = $(LDADD)
-aes_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-derived_key_test_SOURCES = derived-key-test.c
-derived_key_test_OBJECTS = derived-key-test.$(OBJEXT)
-derived_key_test_LDADD = $(LDADD)
-derived_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-krbhst_test_SOURCES = krbhst-test.c
-krbhst_test_OBJECTS = krbhst-test.$(OBJEXT)
-krbhst_test_LDADD = $(LDADD)
-krbhst_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-n_fold_test_SOURCES = n-fold-test.c
-n_fold_test_OBJECTS = n-fold-test.$(OBJEXT)
-n_fold_test_LDADD = $(LDADD)
-n_fold_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-parse_name_test_SOURCES = parse-name-test.c
-parse_name_test_OBJECTS = parse-name-test.$(OBJEXT)
-parse_name_test_LDADD = $(LDADD)
-parse_name_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-pseudo_random_test_SOURCES = pseudo-random-test.c
-pseudo_random_test_OBJECTS = pseudo-random-test.$(OBJEXT)
-pseudo_random_test_LDADD = $(LDADD)
-pseudo_random_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-store_test_SOURCES = store-test.c
-store_test_OBJECTS = store-test.$(OBJEXT)
-store_test_LDADD = $(LDADD)
-store_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-string_to_key_test_SOURCES = string-to-key-test.c
-string_to_key_test_OBJECTS = string-to-key-test.$(OBJEXT)
-string_to_key_test_LDADD = $(LDADD)
-string_to_key_test_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_acl_SOURCES = test_acl.c
-test_acl_OBJECTS = test_acl.$(OBJEXT)
-test_acl_LDADD = $(LDADD)
-test_acl_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_addr_SOURCES = test_addr.c
-test_addr_OBJECTS = test_addr.$(OBJEXT)
-test_addr_LDADD = $(LDADD)
-test_addr_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_alname_SOURCES = test_alname.c
-test_alname_OBJECTS = test_alname.$(OBJEXT)
-test_alname_LDADD = $(LDADD)
-test_alname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_ap_req_SOURCES = test_ap-req.c
-test_ap_req_OBJECTS = test_ap-req.$(OBJEXT)
-test_ap_req_LDADD = $(LDADD)
-test_ap_req_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_canon_SOURCES = test_canon.c
-test_canon_OBJECTS = test_canon.$(OBJEXT)
-test_canon_LDADD = $(LDADD)
-test_canon_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_cc_SOURCES = test_cc.c
-test_cc_OBJECTS = test_cc.$(OBJEXT)
-test_cc_LDADD = $(LDADD)
-test_cc_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_config_SOURCES = test_config.c
-test_config_OBJECTS = test_config.$(OBJEXT)
-test_config_LDADD = $(LDADD)
-test_config_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_crypto_SOURCES = test_crypto.c
-test_crypto_OBJECTS = test_crypto.$(OBJEXT)
-test_crypto_LDADD = $(LDADD)
-test_crypto_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_crypto_wrapping_SOURCES = test_crypto_wrapping.c
-test_crypto_wrapping_OBJECTS = test_crypto_wrapping.$(OBJEXT)
-test_crypto_wrapping_LDADD = $(LDADD)
-test_crypto_wrapping_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_expand_toks_SOURCES = test_expand_toks.c
-test_expand_toks_OBJECTS = test_expand_toks.$(OBJEXT)
-test_expand_toks_LDADD = $(LDADD)
-test_expand_toks_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_forward_SOURCES = test_forward.c
-test_forward_OBJECTS = test_forward.$(OBJEXT)
-test_forward_LDADD = $(LDADD)
-test_forward_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_fx_SOURCES = test_fx.c
-test_fx_OBJECTS = test_fx.$(OBJEXT)
-test_fx_LDADD = $(LDADD)
-test_fx_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_get_addrs_SOURCES = test_get_addrs.c
-test_get_addrs_OBJECTS = test_get_addrs.$(OBJEXT)
-test_get_addrs_LDADD = $(LDADD)
-test_get_addrs_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_gic_SOURCES = test_gic.c
-test_gic_OBJECTS = test_gic.$(OBJEXT)
-test_gic_LDADD = $(LDADD)
-test_gic_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_hostname_SOURCES = test_hostname.c
-test_hostname_OBJECTS = test_hostname.$(OBJEXT)
-test_hostname_LDADD = $(LDADD)
-test_hostname_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_keytab_SOURCES = test_keytab.c
-test_keytab_OBJECTS = test_keytab.$(OBJEXT)
-test_keytab_LDADD = $(LDADD)
-test_keytab_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_kuserok_SOURCES = test_kuserok.c
-test_kuserok_OBJECTS = test_kuserok.$(OBJEXT)
-test_kuserok_LDADD = $(LDADD)
-test_kuserok_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_mem_SOURCES = test_mem.c
-test_mem_OBJECTS = test_mem.$(OBJEXT)
-test_mem_LDADD = $(LDADD)
-test_mem_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_pac_SOURCES = test_pac.c
-test_pac_OBJECTS = test_pac.$(OBJEXT)
-test_pac_LDADD = $(LDADD)
-test_pac_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_pkinit_dh2key_SOURCES = test_pkinit_dh2key.c
-test_pkinit_dh2key_OBJECTS = test_pkinit_dh2key.$(OBJEXT)
-test_pkinit_dh2key_LDADD = $(LDADD)
-test_pkinit_dh2key_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_pknistkdf_SOURCES = test_pknistkdf.c
-test_pknistkdf_OBJECTS = test_pknistkdf.$(OBJEXT)
-test_pknistkdf_LDADD = $(LDADD)
-test_pknistkdf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_plugin_SOURCES = test_plugin.c
-test_plugin_OBJECTS = test_plugin.$(OBJEXT)
-test_plugin_LDADD = $(LDADD)
-test_plugin_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_prf_SOURCES = test_prf.c
-test_prf_OBJECTS = test_prf.$(OBJEXT)
-test_prf_LDADD = $(LDADD)
-test_prf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_princ_SOURCES = test_princ.c
-test_princ_OBJECTS = test_princ.$(OBJEXT)
-test_princ_LDADD = $(LDADD)
-test_princ_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_renew_SOURCES = test_renew.c
-test_renew_OBJECTS = test_renew.$(OBJEXT)
-test_renew_LDADD = $(LDADD)
-test_renew_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_rfc3961_SOURCES = test_rfc3961.c
-test_rfc3961_OBJECTS = test_rfc3961.$(OBJEXT)
-test_rfc3961_DEPENDENCIES = librfc3961.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1)
-test_set_kvno0_SOURCES = test_set_kvno0.c
-test_set_kvno0_OBJECTS = test_set_kvno0.$(OBJEXT)
-test_set_kvno0_LDADD = $(LDADD)
-test_set_kvno0_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_store_SOURCES = test_store.c
-test_store_OBJECTS = test_store.$(OBJEXT)
-test_store_LDADD = $(LDADD)
-test_store_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_time_SOURCES = test_time.c
-test_time_OBJECTS = test_time.$(OBJEXT)
-test_time_LDADD = $(LDADD)
-test_time_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-test_x500_SOURCES = test_x500.c
-test_x500_OBJECTS = test_x500.$(OBJEXT)
-test_x500_LDADD = $(LDADD)
-test_x500_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-verify_krb5_conf_SOURCES = verify_krb5_conf.c
-verify_krb5_conf_OBJECTS = verify_krb5_conf.$(OBJEXT)
-verify_krb5_conf_LDADD = $(LDADD)
-verify_krb5_conf_DEPENDENCIES = libkrb5.la $(am__DEPENDENCIES_1) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la $(LIB_heimbase) \
- $(am__DEPENDENCIES_1)
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
-am__v_GEN_1 =
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 =
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__maybe_remake_depfiles = depfiles
-am__depfiles_remade = ./$(DEPDIR)/aes-test.Po \
- ./$(DEPDIR)/derived-key-test.Po ./$(DEPDIR)/krbhst-test.Po \
- ./$(DEPDIR)/libkrb5_la-acache.Plo \
- ./$(DEPDIR)/libkrb5_la-acl.Plo \
- ./$(DEPDIR)/libkrb5_la-add_et_list.Plo \
- ./$(DEPDIR)/libkrb5_la-addr_families.Plo \
- ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo \
- ./$(DEPDIR)/libkrb5_la-appdefault.Plo \
- ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo \
- ./$(DEPDIR)/libkrb5_la-auth_context.Plo \
- ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo \
- ./$(DEPDIR)/libkrb5_la-build_auth.Plo \
- ./$(DEPDIR)/libkrb5_la-cache.Plo \
- ./$(DEPDIR)/libkrb5_la-changepw.Plo \
- ./$(DEPDIR)/libkrb5_la-codec.Plo \
- ./$(DEPDIR)/libkrb5_la-config_file.Plo \
- ./$(DEPDIR)/libkrb5_la-constants.Plo \
- ./$(DEPDIR)/libkrb5_la-context.Plo \
- ./$(DEPDIR)/libkrb5_la-convert_creds.Plo \
- ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-crc.Plo \
- ./$(DEPDIR)/libkrb5_la-creds.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-des.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-null.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo \
- ./$(DEPDIR)/libkrb5_la-crypto.Plo \
- ./$(DEPDIR)/libkrb5_la-data.Plo \
- ./$(DEPDIR)/libkrb5_la-db_plugin.Plo \
- ./$(DEPDIR)/libkrb5_la-dcache.Plo \
- ./$(DEPDIR)/libkrb5_la-deprecated.Plo \
- ./$(DEPDIR)/libkrb5_la-digest.Plo \
- ./$(DEPDIR)/libkrb5_la-doxygen.Plo \
- ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo \
- ./$(DEPDIR)/libkrb5_la-enomem.Plo \
- ./$(DEPDIR)/libkrb5_la-error_string.Plo \
- ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo \
- ./$(DEPDIR)/libkrb5_la-expand_path.Plo \
- ./$(DEPDIR)/libkrb5_la-fast.Plo \
- ./$(DEPDIR)/libkrb5_la-fcache.Plo \
- ./$(DEPDIR)/libkrb5_la-free.Plo \
- ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo \
- ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo \
- ./$(DEPDIR)/libkrb5_la-get_addrs.Plo \
- ./$(DEPDIR)/libkrb5_la-get_cred.Plo \
- ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo \
- ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo \
- ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo \
- ./$(DEPDIR)/libkrb5_la-get_port.Plo \
- ./$(DEPDIR)/libkrb5_la-heim_err.Plo \
- ./$(DEPDIR)/libkrb5_la-init_creds.Plo \
- ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo \
- ./$(DEPDIR)/libkrb5_la-k524_err.Plo \
- ./$(DEPDIR)/libkrb5_la-kcm.Plo \
- ./$(DEPDIR)/libkrb5_la-keyblock.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_any.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_file.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo \
- ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo \
- ./$(DEPDIR)/libkrb5_la-krb5_err.Plo \
- ./$(DEPDIR)/libkrb5_la-krb_err.Plo \
- ./$(DEPDIR)/libkrb5_la-krbhst.Plo \
- ./$(DEPDIR)/libkrb5_la-kuserok.Plo \
- ./$(DEPDIR)/libkrb5_la-log.Plo \
- ./$(DEPDIR)/libkrb5_la-mcache.Plo \
- ./$(DEPDIR)/libkrb5_la-misc.Plo \
- ./$(DEPDIR)/libkrb5_la-mit_glue.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_error.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_priv.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_rep.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_req.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo \
- ./$(DEPDIR)/libkrb5_la-mk_safe.Plo \
- ./$(DEPDIR)/libkrb5_la-n-fold.Plo \
- ./$(DEPDIR)/libkrb5_la-net_read.Plo \
- ./$(DEPDIR)/libkrb5_la-net_write.Plo \
- ./$(DEPDIR)/libkrb5_la-pac.Plo \
- ./$(DEPDIR)/libkrb5_la-padata.Plo \
- ./$(DEPDIR)/libkrb5_la-pcache.Plo \
- ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo \
- ./$(DEPDIR)/libkrb5_la-pkinit.Plo \
- ./$(DEPDIR)/libkrb5_la-plugin.Plo \
- ./$(DEPDIR)/libkrb5_la-principal.Plo \
- ./$(DEPDIR)/libkrb5_la-prog_setup.Plo \
- ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_cred.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_error.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_priv.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_rep.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_req.Plo \
- ./$(DEPDIR)/libkrb5_la-rd_safe.Plo \
- ./$(DEPDIR)/libkrb5_la-read_message.Plo \
- ./$(DEPDIR)/libkrb5_la-recvauth.Plo \
- ./$(DEPDIR)/libkrb5_la-replay.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-des.Plo \
- ./$(DEPDIR)/libkrb5_la-salt-des3.Plo \
- ./$(DEPDIR)/libkrb5_la-salt.Plo \
- ./$(DEPDIR)/libkrb5_la-scache.Plo \
- ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo \
- ./$(DEPDIR)/libkrb5_la-sendauth.Plo \
- ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo \
- ./$(DEPDIR)/libkrb5_la-sock_principal.Plo \
- ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo \
- ./$(DEPDIR)/libkrb5_la-store-int.Plo \
- ./$(DEPDIR)/libkrb5_la-store.Plo \
- ./$(DEPDIR)/libkrb5_la-store_emem.Plo \
- ./$(DEPDIR)/libkrb5_la-store_fd.Plo \
- ./$(DEPDIR)/libkrb5_la-store_mem.Plo \
- ./$(DEPDIR)/libkrb5_la-store_sock.Plo \
- ./$(DEPDIR)/libkrb5_la-ticket.Plo \
- ./$(DEPDIR)/libkrb5_la-time.Plo \
- ./$(DEPDIR)/libkrb5_la-transited.Plo \
- ./$(DEPDIR)/libkrb5_la-verify_init.Plo \
- ./$(DEPDIR)/libkrb5_la-verify_user.Plo \
- ./$(DEPDIR)/libkrb5_la-version.Plo \
- ./$(DEPDIR)/libkrb5_la-warn.Plo \
- ./$(DEPDIR)/libkrb5_la-write_message.Plo \
- ./$(DEPDIR)/librfc3961_la-crc.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-des.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-null.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo \
- ./$(DEPDIR)/librfc3961_la-crypto.Plo \
- ./$(DEPDIR)/librfc3961_la-data.Plo \
- ./$(DEPDIR)/librfc3961_la-enomem.Plo \
- ./$(DEPDIR)/librfc3961_la-error_string.Plo \
- ./$(DEPDIR)/librfc3961_la-keyblock.Plo \
- ./$(DEPDIR)/librfc3961_la-n-fold.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-des.Plo \
- ./$(DEPDIR)/librfc3961_la-salt-des3.Plo \
- ./$(DEPDIR)/librfc3961_la-salt.Plo \
- ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo \
- ./$(DEPDIR)/librfc3961_la-store-int.Plo \
- ./$(DEPDIR)/librfc3961_la-warn.Plo ./$(DEPDIR)/n-fold-test.Po \
- ./$(DEPDIR)/parse-name-test.Po \
- ./$(DEPDIR)/pseudo-random-test.Po ./$(DEPDIR)/store-test.Po \
- ./$(DEPDIR)/string-to-key-test.Po ./$(DEPDIR)/test_acl.Po \
- ./$(DEPDIR)/test_addr.Po ./$(DEPDIR)/test_alname.Po \
- ./$(DEPDIR)/test_ap-req.Po ./$(DEPDIR)/test_canon.Po \
- ./$(DEPDIR)/test_cc.Po ./$(DEPDIR)/test_config.Po \
- ./$(DEPDIR)/test_crypto.Po ./$(DEPDIR)/test_crypto_wrapping.Po \
- ./$(DEPDIR)/test_expand_toks.Po ./$(DEPDIR)/test_forward.Po \
- ./$(DEPDIR)/test_fx.Po ./$(DEPDIR)/test_get_addrs.Po \
- ./$(DEPDIR)/test_gic.Po ./$(DEPDIR)/test_hostname.Po \
- ./$(DEPDIR)/test_keytab.Po ./$(DEPDIR)/test_kuserok.Po \
- ./$(DEPDIR)/test_mem.Po ./$(DEPDIR)/test_pac.Po \
- ./$(DEPDIR)/test_pkinit_dh2key.Po \
- ./$(DEPDIR)/test_pknistkdf.Po ./$(DEPDIR)/test_plugin.Po \
- ./$(DEPDIR)/test_prf.Po ./$(DEPDIR)/test_princ.Po \
- ./$(DEPDIR)/test_renew.Po ./$(DEPDIR)/test_rfc3961.Po \
- ./$(DEPDIR)/test_set_kvno0.Po ./$(DEPDIR)/test_store.Po \
- ./$(DEPDIR)/test_time.Po ./$(DEPDIR)/test_x500.Po \
- ./$(DEPDIR)/verify_krb5_conf.Po
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
- $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
- $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo " CC " $@;
-am__v_CC_1 =
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo " CCLD " $@;
-am__v_CCLD_1 =
-SOURCES = $(dist_libkrb5_la_SOURCES) $(nodist_libkrb5_la_SOURCES) \
- $(librfc3961_la_SOURCES) aes-test.c derived-key-test.c \
- krbhst-test.c n-fold-test.c parse-name-test.c \
- pseudo-random-test.c store-test.c string-to-key-test.c \
- test_acl.c test_addr.c test_alname.c test_ap-req.c \
- test_canon.c test_cc.c test_config.c test_crypto.c \
- test_crypto_wrapping.c test_expand_toks.c test_forward.c \
- test_fx.c test_get_addrs.c test_gic.c test_hostname.c \
- test_keytab.c test_kuserok.c test_mem.c test_pac.c \
- test_pkinit_dh2key.c test_pknistkdf.c test_plugin.c test_prf.c \
- test_princ.c test_renew.c test_rfc3961.c test_set_kvno0.c \
- test_store.c test_time.c test_x500.c verify_krb5_conf.c
-DIST_SOURCES = $(dist_libkrb5_la_SOURCES) $(librfc3961_la_SOURCES) \
- aes-test.c derived-key-test.c krbhst-test.c n-fold-test.c \
- parse-name-test.c pseudo-random-test.c store-test.c \
- string-to-key-test.c test_acl.c test_addr.c test_alname.c \
- test_ap-req.c test_canon.c test_cc.c test_config.c \
- test_crypto.c test_crypto_wrapping.c test_expand_toks.c \
- test_forward.c test_fx.c test_get_addrs.c test_gic.c \
- test_hostname.c test_keytab.c test_kuserok.c test_mem.c \
- test_pac.c test_pkinit_dh2key.c test_pknistkdf.c test_plugin.c \
- test_prf.c test_princ.c test_renew.c test_rfc3961.c \
- test_set_kvno0.c test_store.c test_time.c test_x500.c \
- verify_krb5_conf.c
-am__can_run_installinfo = \
- case $$AM_UPDATE_INFO_DIR in \
- n|no|NO) false;; \
- *) (install-info --version) >/dev/null 2>&1;; \
- esac
-man3dir = $(mandir)/man3
-man5dir = $(mandir)/man5
-man7dir = $(mandir)/man7
-man8dir = $(mandir)/man8
-MANS = $(man_MANS)
-HEADERS = $(dist_include_HEADERS) $(krb5_HEADERS) \
- $(nodist_include_HEADERS) $(noinst_HEADERS)
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates. Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
- BEGIN { nonempty = 0; } \
- { items[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique. This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
- list='$(am__tagged_files)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | $(am__uniquify_input)`
-am__tty_colors_dummy = \
- mgn= red= grn= lgn= blu= brg= std=; \
- am__color_tests=no
-am__tty_colors = { \
- $(am__tty_colors_dummy); \
- if test "X$(AM_COLOR_TESTS)" = Xno; then \
- am__color_tests=no; \
- elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
- am__color_tests=yes; \
- elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
- am__color_tests=yes; \
- fi; \
- if test $$am__color_tests = yes; then \
- red=''; \
- grn=''; \
- lgn=''; \
- blu=''; \
- mgn=''; \
- brg=''; \
- std=''; \
- fi; \
-}
-am__recheck_rx = ^[ ]*:recheck:[ ]*
-am__global_test_result_rx = ^[ ]*:global-test-result:[ ]*
-am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]*
-# A command that, given a newline-separated list of test names on the
-# standard input, print the name of the tests that are to be re-run
-# upon "make recheck".
-am__list_recheck_tests = $(AWK) '{ \
- recheck = 1; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- { \
- if ((getline line2 < ($$0 ".log")) < 0) \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
- { \
- recheck = 0; \
- break; \
- } \
- else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
- { \
- break; \
- } \
- }; \
- if (recheck) \
- print $$0; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# A command that, given a newline-separated list of test names on the
-# standard input, create the global log from their .trs and .log files.
-am__create_global_log = $(AWK) ' \
-function fatal(msg) \
-{ \
- print "fatal: making $@: " msg | "cat >&2"; \
- exit 1; \
-} \
-function rst_section(header) \
-{ \
- print header; \
- len = length(header); \
- for (i = 1; i <= len; i = i + 1) \
- printf "="; \
- printf "\n\n"; \
-} \
-{ \
- copy_in_global_log = 1; \
- global_test_result = "RUN"; \
- while ((rc = (getline line < ($$0 ".trs"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".trs"); \
- if (line ~ /$(am__global_test_result_rx)/) \
- { \
- sub("$(am__global_test_result_rx)", "", line); \
- sub("[ ]*$$", "", line); \
- global_test_result = line; \
- } \
- else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
- copy_in_global_log = 0; \
- }; \
- if (copy_in_global_log) \
- { \
- rst_section(global_test_result ": " $$0); \
- while ((rc = (getline line < ($$0 ".log"))) != 0) \
- { \
- if (rc < 0) \
- fatal("failed to read from " $$0 ".log"); \
- print line; \
- }; \
- printf "\n"; \
- }; \
- close ($$0 ".trs"); \
- close ($$0 ".log"); \
-}'
-# Restructured Text title.
-am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
-# Solaris 10 'make', and several other traditional 'make' implementations,
-# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it
-# by disabling -e (using the XSI extension "set +e") if it's set.
-am__sh_e_setup = case $$- in *e*) set +e;; esac
-# Default flags passed to test drivers.
-am__common_driver_flags = \
- --color-tests "$$am__color_tests" \
- --enable-hard-errors "$$am__enable_hard_errors" \
- --expect-failure "$$am__expect_failure"
-# To be inserted before the command running the test. Creates the
-# directory for the log if needed. Stores in $dir the directory
-# containing $f, in $tst the test, in $log the log. Executes the
-# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
-# passes TESTS_ENVIRONMENT. Set up options for the wrapper that
-# will run the test scripts (or their associated LOG_COMPILER, if
-# thy have one).
-am__check_pre = \
-$(am__sh_e_setup); \
-$(am__vpath_adj_setup) $(am__vpath_adj) \
-$(am__tty_colors); \
-srcdir=$(srcdir); export srcdir; \
-case "$@" in \
- */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \
- *) am__odir=.;; \
-esac; \
-test "x$$am__odir" = x"." || test -d "$$am__odir" \
- || $(MKDIR_P) "$$am__odir" || exit $$?; \
-if test -f "./$$f"; then dir=./; \
-elif test -f "$$f"; then dir=; \
-else dir="$(srcdir)/"; fi; \
-tst=$$dir$$f; log='$@'; \
-if test -n '$(DISABLE_HARD_ERRORS)'; then \
- am__enable_hard_errors=no; \
-else \
- am__enable_hard_errors=yes; \
-fi; \
-case " $(XFAIL_TESTS) " in \
- *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \
- am__expect_failure=yes;; \
- *) \
- am__expect_failure=no;; \
-esac; \
-$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
-# A shell command to get the names of the tests scripts with any registered
-# extension removed (i.e., equivalently, the names of the test logs, with
-# the '.log' extension removed). The result is saved in the shell variable
-# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly,
-# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
-# since that might cause problem with VPATH rewrites for suffix-less tests.
-# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
-am__set_TESTS_bases = \
- bases='$(TEST_LOGS)'; \
- bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
- bases=`echo $$bases`
-AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
-RECHECK_LOGS = $(TEST_LOGS)
-AM_RECURSIVE_TARGETS = check recheck
-TEST_SUITE_LOG = test-suite.log
-TEST_EXTENSIONS = @EXEEXT@ .test
-LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
-am__set_b = \
- case '$@' in \
- */*) \
- case '$*' in \
- */*) b='$*';; \
- *) b=`echo '$@' | sed 's/\.log$$//'`; \
- esac;; \
- *) \
- b='$*';; \
- esac
-am__test_logs1 = $(TESTS:=.log)
-am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
-TEST_LOGS = $(am__test_logs2:.test.log=.log)
-TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
-TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
- $(TEST_LOG_FLAGS)
-am__DIST_COMMON = $(srcdir)/Makefile.in \
- $(top_srcdir)/Makefile.am.common \
- $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/depcomp \
- $(top_srcdir)/test-driver
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AS = @AS@
-ASN1_COMPILE = @ASN1_COMPILE@
-ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CANONICAL_HOST = @CANONICAL_HOST@
-CAPNG_CFLAGS = @CAPNG_CFLAGS@
-CAPNG_LIBS = @CAPNG_LIBS@
-CATMAN = @CATMAN@
-CATMANEXT = @CATMANEXT@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CLANG_FORMAT = @CLANG_FORMAT@
-COMPILE_ET = @COMPILE_ET@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CSCOPE = @CSCOPE@
-CTAGS = @CTAGS@
-CYGPATH_W = @CYGPATH_W@
-DB1LIB = @DB1LIB@
-DB3LIB = @DB3LIB@
-DBHEADER = @DBHEADER@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DIR_com_err = @DIR_com_err@
-DIR_hdbdir = @DIR_hdbdir@
-DIR_roken = @DIR_roken@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
-ETAGS = @ETAGS@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-FILECMD = @FILECMD@
-GCD_MIG = @GCD_MIG@
-GREP = @GREP@
-GROFF = @GROFF@
-INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_libedit = @INCLUDE_libedit@
-INCLUDE_libintl = @INCLUDE_libintl@
-INCLUDE_openldap = @INCLUDE_openldap@
-INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@
-INCLUDE_readline = @INCLUDE_readline@
-INCLUDE_sqlite3 = @INCLUDE_sqlite3@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBADD_roken = @LIBADD_roken@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_bswap16 = @LIB_bswap16@
-LIB_bswap32 = @LIB_bswap32@
-LIB_bswap64 = @LIB_bswap64@
-LIB_com_err = @LIB_com_err@
-LIB_com_err_a = @LIB_com_err_a@
-LIB_com_err_so = @LIB_com_err_so@
-LIB_crypt = @LIB_crypt@
-LIB_db_create = @LIB_db_create@
-LIB_dbm_firstkey = @LIB_dbm_firstkey@
-LIB_dbopen = @LIB_dbopen@
-LIB_dispatch_async_f = @LIB_dispatch_async_f@
-LIB_dladdr = @LIB_dladdr@
-LIB_dlopen = @LIB_dlopen@
-LIB_dn_expand = @LIB_dn_expand@
-LIB_dns_search = @LIB_dns_search@
-LIB_door_create = @LIB_door_create@
-LIB_freeaddrinfo = @LIB_freeaddrinfo@
-LIB_gai_strerror = @LIB_gai_strerror@
-LIB_getaddrinfo = @LIB_getaddrinfo@
-LIB_gethostbyname = @LIB_gethostbyname@
-LIB_gethostbyname2 = @LIB_gethostbyname2@
-LIB_getnameinfo = @LIB_getnameinfo@
-LIB_getpwnam_r = @LIB_getpwnam_r@
-LIB_getsockopt = @LIB_getsockopt@
-LIB_hcrypto = @LIB_hcrypto@
-LIB_hcrypto_a = @LIB_hcrypto_a@
-LIB_hcrypto_appl = @LIB_hcrypto_appl@
-LIB_hcrypto_so = @LIB_hcrypto_so@
-LIB_hstrerror = @LIB_hstrerror@
-LIB_kdb = @LIB_kdb@
-LIB_libedit = @LIB_libedit@
-LIB_libintl = @LIB_libintl@
-LIB_loadquery = @LIB_loadquery@
-LIB_logout = @LIB_logout@
-LIB_logwtmp = @LIB_logwtmp@
-LIB_openldap = @LIB_openldap@
-LIB_openpty = @LIB_openpty@
-LIB_openssl_crypto = @LIB_openssl_crypto@
-LIB_otp = @LIB_otp@
-LIB_pidfile = @LIB_pidfile@
-LIB_readline = @LIB_readline@
-LIB_res_ndestroy = @LIB_res_ndestroy@
-LIB_res_nsearch = @LIB_res_nsearch@
-LIB_res_search = @LIB_res_search@
-LIB_roken = @LIB_roken@
-LIB_security = @LIB_security@
-LIB_setsockopt = @LIB_setsockopt@
-LIB_socket = @LIB_socket@
-LIB_sqlite3 = @LIB_sqlite3@
-LIB_syslog = @LIB_syslog@
-LIB_tgetent = @LIB_tgetent@
-LIPO = @LIPO@
-LMDBLIB = @LMDBLIB@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-MAINT = @MAINT@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-NDBMLIB = @NDBMLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-NO_AFS = @NO_AFS@
-NROFF = @NROFF@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
-PTHREAD_LDADD = @PTHREAD_LDADD@
-PTHREAD_LIBADD = @PTHREAD_LIBADD@
-PYTHON = @PYTHON@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-RANLIB = @RANLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SLC = @SLC@
-SLC_DEP = @SLC_DEP@
-STRIP = @STRIP@
-VERSION = @VERSION@
-VERSIONING = @VERSIONING@
-WFLAGS = @WFLAGS@
-WFLAGS_LITE = @WFLAGS_LITE@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-db_type = @db_type@
-db_type_preference = @db_type_preference@
-docdir = @docdir@
-dpagaix_cflags = @dpagaix_cflags@
-dpagaix_ldadd = @dpagaix_ldadd@
-dpagaix_ldflags = @dpagaix_ldflags@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-runstatedir = @runstatedir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-subdirs = @subdirs@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 \
- .cat5 .cat7 .cat8
-DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken) -I../com_err -I$(srcdir)/../com_err \
- $(INCLUDE_sqlite3) $(INCLUDE_libintl) \
- $(INCLUDE_openssl_crypto)
-@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
-AM_CFLAGS = $(WFLAGS)
-CP = cp
-buildinclude = $(top_builddir)/include
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_el_init = @LIB_el_init@
-LIB_getattr = @LIB_getattr@
-LIB_getpwent_r = @LIB_getpwent_r@
-LIB_odm_initialize = @LIB_odm_initialize@
-LIB_setpcred = @LIB_setpcred@
-INCLUDE_krb4 = @INCLUDE_krb4@
-LIB_krb4 = @LIB_krb4@
-libexec_heimdaldir = $(libexecdir)/heimdal
-NROFF_MAN = groff -mandoc -Tascii
-@NO_AFS_FALSE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
-@NO_AFS_TRUE@LIB_kafs =
-@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-
-@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la
-@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
-
-#silent-rules
-heim_verbose = $(heim_verbose_$(V))
-heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY))
-heim_verbose_0 = @echo " GEN "$@;
-noinst_LTLIBRARIES = \
- librfc3961.la
-
-check_DATA = test_config_strings.out
-LDADD = libkrb5.la \
- $(LIB_hcrypto) \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(LIB_heimbase) $(LIB_roken)
-
-@PKINIT_TRUE@LIB_pkinit = ../hx509/libhx509.la
-@have_scc_TRUE@use_sqlite = $(LIB_sqlite3)
-libkrb5_la_LIBADD = \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/ipc/libheim-ipcc.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(top_builddir)/lib/base/libheimbase.la \
- $(LIB_pkinit) \
- $(LIB_openssl_crypto) \
- $(use_sqlite) \
- $(LIB_com_err) \
- $(LIB_hcrypto) \
- $(LIB_libintl) \
- $(LIBADD_roken) \
- $(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
-
-librfc3961_la_LIBADD = \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/ipc/libheim-ipcc.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(LIB_pkinit) \
- $(use_sqlite) \
- $(LIB_com_err) \
- $(LIB_hcrypto) \
- $(LIB_libintl) \
- $(LIBADD_roken) \
- $(PTHREAD_LIBADD) \
- $(LIB_door_create) \
- $(LIB_dlopen)
-
-lib_LTLIBRARIES = libkrb5.la
-ERR_FILES = krb5_err.c krb_err.c heim_err.c k524_err.c
-libkrb5_la_CPPFLAGS = \
- -DBUILD_KRB5_LIB \
- $(AM_CPPFLAGS) \
- -DHEIMDAL_LOCALEDIR='"$(localedir)"'
-
-librfc3961_la_CPPFLAGS = \
- -DBUILD_KRB5_LIB \
- $(AM_CPPFLAGS) \
- -DHEIMDAL_LOCALEDIR='"$(localedir)"'
-
-dist_libkrb5_la_SOURCES = \
- acache.c \
- acl.c \
- add_et_list.c \
- addr_families.c \
- an2ln_plugin.h \
- aname_to_localname.c \
- appdefault.c \
- asn1_glue.c \
- auth_context.c \
- build_ap_req.c \
- build_auth.c \
- cache.c \
- changepw.c \
- codec.c \
- config_file.c \
- convert_creds.c \
- constants.c \
- context.c \
- copy_host_realm.c \
- crc.c \
- creds.c \
- crypto.c \
- crypto.h \
- crypto-aes-sha1.c \
- crypto-aes-sha2.c \
- crypto-algs.c \
- crypto-arcfour.c \
- crypto-des.c \
- crypto-des-common.c \
- crypto-des3.c \
- crypto-evp.c \
- crypto-null.c \
- crypto-pk.c \
- crypto-rand.c \
- doxygen.c \
- data.c \
- db_plugin.c \
- db_plugin.h \
- dcache.c \
- deprecated.c \
- digest.c \
- eai_to_heim_errno.c \
- enomem.c \
- error_string.c \
- expand_hostname.c \
- expand_path.c \
- fast.c \
- fcache.c \
- free.c \
- free_host_realm.c \
- generate_seq_number.c \
- generate_subkey.c \
- get_addrs.c \
- get_cred.c \
- get_default_principal.c \
- get_default_realm.c \
- get_for_creds.c \
- get_host_realm.c \
- get_in_tkt.c \
- get_port.c \
- init_creds.c \
- init_creds_pw.c \
- kcm.c \
- kcm.h \
- keyblock.c \
- keytab.c \
- keytab_any.c \
- keytab_file.c \
- keytab_keyfile.c \
- keytab_memory.c \
- krb5_locl.h \
- krb5-v4compat.h \
- krbhst.c \
- kuserok.c \
- kuserok_plugin.h \
- log.c \
- mcache.c \
- misc.c \
- mk_error.c \
- mk_priv.c \
- mk_rep.c \
- mk_req.c \
- mk_req_ext.c \
- mk_safe.c \
- mit_glue.c \
- net_read.c \
- net_write.c \
- n-fold.c \
- pac.c \
- padata.c \
- pcache.c \
- pkinit.c \
- pkinit-ec.c \
- principal.c \
- prog_setup.c \
- prompter_posix.c \
- rd_cred.c \
- rd_error.c \
- rd_priv.c \
- rd_rep.c \
- rd_req.c \
- rd_safe.c \
- read_message.c \
- recvauth.c \
- replay.c \
- salt.c \
- salt-aes-sha1.c \
- salt-aes-sha2.c \
- salt-arcfour.c \
- salt-des.c \
- salt-des3.c \
- sp800-108-kdf.c \
- scache.c \
- send_to_kdc.c \
- sendauth.c \
- set_default_realm.c \
- sock_principal.c \
- store.c \
- store-int.c \
- store-int.h \
- store_emem.c \
- store_fd.c \
- store_mem.c \
- store_sock.c \
- plugin.c \
- ticket.c \
- time.c \
- transited.c \
- verify_init.c \
- verify_user.c \
- version.c \
- warn.c \
- write_message.c
-
-nodist_libkrb5_la_SOURCES = \
- $(ERR_FILES)
-
-libkrb5_la_DEPENDENCIES = \
- version-script.map
-
-libkrb5_la_LDFLAGS = -version-info 26:0:0 $(am__append_1)
-ALL_OBJECTS = $(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS) \
- $(librfc3961_la_OBJECTS) $(librfc3961_la_OBJECTS) \
- $(krbhst_test_OBJECTS) $(test_alname_OBJECTS) \
- $(test_crypto_OBJECTS) $(test_forward_OBJECTS) \
- $(test_get_addrs_OBJECTS) $(test_gic_OBJECTS) \
- $(test_kuserok_OBJECTS) $(test_renew_OBJECTS) \
- $(test_rfc3961_OBJECTS)
-librfc3961_la_SOURCES = \
- crc.c \
- crypto.c \
- crypto.h \
- crypto-aes-sha1.c \
- crypto-aes-sha2.c \
- crypto-algs.c \
- crypto-arcfour.c \
- crypto-des.c \
- crypto-des-common.c \
- crypto-des3.c \
- crypto-evp.c \
- crypto-null.c \
- crypto-pk.c \
- crypto-rand.c \
- crypto-stubs.c \
- data.c \
- enomem.c \
- error_string.c \
- keyblock.c \
- n-fold.c \
- salt.c \
- salt-aes-sha1.c \
- salt-aes-sha2.c \
- salt-arcfour.c \
- salt-des.c \
- salt-des3.c \
- sp800-108-kdf.c \
- store-int.c \
- warn.c
-
-test_rfc3961_LDADD = \
- librfc3961.la \
- $(top_builddir)/lib/asn1/libasn1.la \
- $(top_builddir)/lib/wind/libwind.la \
- $(LIB_hcrypto) \
- $(LIB_roken)
-
-@DEVELOPER_MODE_TRUE@headerdeps = $(dist_libkrb5_la_SOURCES)
-man_MANS = \
- kerberos.8 \
- krb5.conf.5 \
- krb5-plugin.7 \
- krb524_convert_creds_kdc.3 \
- krb5_425_conv_principal.3 \
- krb5_acl_match_file.3 \
- krb5_aname_to_localname.3 \
- krb5_appdefault.3 \
- krb5_auth_context.3 \
- krb5_c_make_checksum.3 \
- krb5_check_transited.3 \
- krb5_create_checksum.3 \
- krb5_creds.3 \
- krb5_digest.3 \
- krb5_eai_to_heim_errno.3 \
- krb5_encrypt.3 \
- krb5_find_padata.3 \
- krb5_generate_random_block.3 \
- krb5_get_all_client_addrs.3 \
- krb5_get_credentials.3 \
- krb5_get_creds.3 \
- krb5_get_forwarded_creds.3 \
- krb5_get_in_cred.3 \
- krb5_get_init_creds.3 \
- krb5_get_krbhst.3 \
- krb5_getportbyname.3 \
- krb5_init_context.3 \
- krb5_is_thread_safe.3 \
- krb5_krbhst_init.3 \
- krb5_mk_req.3 \
- krb5_mk_safe.3 \
- krb5_openlog.3 \
- krb5_parse_name.3 \
- krb5_principal.3 \
- krb5_rcache.3 \
- krb5_rd_error.3 \
- krb5_rd_safe.3 \
- krb5_set_default_realm.3 \
- krb5_set_password.3 \
- krb5_string_to_key.3 \
- krb5_timeofday.3 \
- krb5_verify_init_creds.3 \
- krb5_verify_user.3 \
- verify_krb5_conf.8
-
-dist_include_HEADERS = \
- krb5.h \
- $(srcdir)/krb5-protos.h \
- krb5_ccapi.h
-
-noinst_HEADERS = $(srcdir)/krb5-private.h
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
-
-# XXX use nobase_include_HEADERS = krb5/locate_plugin.h
-krb5dir = $(includedir)/krb5
-krb5_HEADERS = locate_plugin.h send_to_kdc_plugin.h ccache_plugin.h an2ln_plugin.h db_plugin.h
-build_HEADERZ = \
- $(krb5_HEADERS) \
- krb_err.h
-
-CLEANFILES = \
- test_config_strings.out \
- test-store-data \
- krb5_err.c krb5_err.h \
- krb_err.c krb_err.h \
- heim_err.c heim_err.h \
- k524_err.c k524_err.h
-
-EXTRA_DIST = \
- NTMakefile \
- config_reg.c \
- dll.c \
- libkrb5-exports.def.in \
- verify_krb5_conf-version.rc \
- krb5_err.et \
- krb_err.et \
- heim_err.et \
- k524_err.et \
- $(man_MANS) \
- version-script.map \
- test_config_strings.cfg \
- krb5.moduli
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 .c .lo .log .o .obj .test .test$(EXEEXT) .trs
-$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
- @for dep in $?; do \
- case '$(am__configure_deps)' in \
- *$$dep*) \
- ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
- && { if test -f $@; then exit 0; else break; fi; }; \
- exit 1;; \
- esac; \
- done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/krb5/Makefile'; \
- $(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --foreign lib/krb5/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- @case '$?' in \
- *config.status*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
- *) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
- esac;
-$(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-binPROGRAMS: $(bin_PROGRAMS)
- @$(NORMAL_INSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
- fi; \
- for p in $$list; do echo "$$p $$p"; done | \
- sed 's/$(EXEEXT)$$//' | \
- while read p p1; do if test -f $$p \
- || test -f $$p1 \
- ; then echo "$$p"; echo "$$p"; else :; fi; \
- done | \
- sed -e 'p;s,.*/,,;n;h' \
- -e 's|.*|.|' \
- -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
- sed 'N;N;N;s,\n, ,g' | \
- $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
- { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
- if ($$2 == $$4) files[d] = files[d] " " $$1; \
- else { print "f", $$3 "/" $$4, $$1; } } \
- END { for (d in files) print "f", d, files[d] }' | \
- while read type dir files; do \
- if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
- test -z "$$files" || { \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
- } \
- ; done
-
-uninstall-binPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
- files=`for p in $$list; do echo "$$p"; done | \
- sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
- -e 's/$$/$(EXEEXT)/' \
- `; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(bindir)" && rm -f $$files
-
-clean-binPROGRAMS:
- @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-clean-checkPROGRAMS:
- @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-clean-noinstPROGRAMS:
- @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-install-libLTLIBRARIES: $(lib_LTLIBRARIES)
- @$(NORMAL_INSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- list2=; for p in $$list; do \
- if test -f $$p; then \
- list2="$$list2 $$p"; \
- else :; fi; \
- done; \
- test -z "$$list2" || { \
- echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
- }
-
-uninstall-libLTLIBRARIES:
- @$(NORMAL_UNINSTALL)
- @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
- for p in $$list; do \
- $(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
- done
-
-clean-libLTLIBRARIES:
- -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
- @list='$(lib_LTLIBRARIES)'; \
- locs=`for p in $$list; do echo $$p; done | \
- sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
- sort -u`; \
- test -z "$$locs" || { \
- echo rm -f $${locs}; \
- rm -f $${locs}; \
- }
-
-clean-noinstLTLIBRARIES:
- -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
- @list='$(noinst_LTLIBRARIES)'; \
- locs=`for p in $$list; do echo $$p; done | \
- sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
- sort -u`; \
- test -z "$$locs" || { \
- echo rm -f $${locs}; \
- rm -f $${locs}; \
- }
-
-libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) $(EXTRA_libkrb5_la_DEPENDENCIES)
- $(AM_V_CCLD)$(libkrb5_la_LINK) -rpath $(libdir) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
-
-librfc3961.la: $(librfc3961_la_OBJECTS) $(librfc3961_la_DEPENDENCIES) $(EXTRA_librfc3961_la_DEPENDENCIES)
- $(AM_V_CCLD)$(LINK) $(librfc3961_la_OBJECTS) $(librfc3961_la_LIBADD) $(LIBS)
-
-aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES) $(EXTRA_aes_test_DEPENDENCIES)
- @rm -f aes-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS)
-
-derived-key-test$(EXEEXT): $(derived_key_test_OBJECTS) $(derived_key_test_DEPENDENCIES) $(EXTRA_derived_key_test_DEPENDENCIES)
- @rm -f derived-key-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(derived_key_test_OBJECTS) $(derived_key_test_LDADD) $(LIBS)
-
-krbhst-test$(EXEEXT): $(krbhst_test_OBJECTS) $(krbhst_test_DEPENDENCIES) $(EXTRA_krbhst_test_DEPENDENCIES)
- @rm -f krbhst-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(krbhst_test_OBJECTS) $(krbhst_test_LDADD) $(LIBS)
-
-n-fold-test$(EXEEXT): $(n_fold_test_OBJECTS) $(n_fold_test_DEPENDENCIES) $(EXTRA_n_fold_test_DEPENDENCIES)
- @rm -f n-fold-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(n_fold_test_OBJECTS) $(n_fold_test_LDADD) $(LIBS)
-
-parse-name-test$(EXEEXT): $(parse_name_test_OBJECTS) $(parse_name_test_DEPENDENCIES) $(EXTRA_parse_name_test_DEPENDENCIES)
- @rm -f parse-name-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(parse_name_test_OBJECTS) $(parse_name_test_LDADD) $(LIBS)
-
-pseudo-random-test$(EXEEXT): $(pseudo_random_test_OBJECTS) $(pseudo_random_test_DEPENDENCIES) $(EXTRA_pseudo_random_test_DEPENDENCIES)
- @rm -f pseudo-random-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(pseudo_random_test_OBJECTS) $(pseudo_random_test_LDADD) $(LIBS)
-
-store-test$(EXEEXT): $(store_test_OBJECTS) $(store_test_DEPENDENCIES) $(EXTRA_store_test_DEPENDENCIES)
- @rm -f store-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(store_test_OBJECTS) $(store_test_LDADD) $(LIBS)
-
-string-to-key-test$(EXEEXT): $(string_to_key_test_OBJECTS) $(string_to_key_test_DEPENDENCIES) $(EXTRA_string_to_key_test_DEPENDENCIES)
- @rm -f string-to-key-test$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(string_to_key_test_OBJECTS) $(string_to_key_test_LDADD) $(LIBS)
-
-test_acl$(EXEEXT): $(test_acl_OBJECTS) $(test_acl_DEPENDENCIES) $(EXTRA_test_acl_DEPENDENCIES)
- @rm -f test_acl$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_acl_OBJECTS) $(test_acl_LDADD) $(LIBS)
-
-test_addr$(EXEEXT): $(test_addr_OBJECTS) $(test_addr_DEPENDENCIES) $(EXTRA_test_addr_DEPENDENCIES)
- @rm -f test_addr$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_addr_OBJECTS) $(test_addr_LDADD) $(LIBS)
-
-test_alname$(EXEEXT): $(test_alname_OBJECTS) $(test_alname_DEPENDENCIES) $(EXTRA_test_alname_DEPENDENCIES)
- @rm -f test_alname$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_alname_OBJECTS) $(test_alname_LDADD) $(LIBS)
-
-test_ap-req$(EXEEXT): $(test_ap_req_OBJECTS) $(test_ap_req_DEPENDENCIES) $(EXTRA_test_ap_req_DEPENDENCIES)
- @rm -f test_ap-req$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_ap_req_OBJECTS) $(test_ap_req_LDADD) $(LIBS)
-
-test_canon$(EXEEXT): $(test_canon_OBJECTS) $(test_canon_DEPENDENCIES) $(EXTRA_test_canon_DEPENDENCIES)
- @rm -f test_canon$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_canon_OBJECTS) $(test_canon_LDADD) $(LIBS)
-
-test_cc$(EXEEXT): $(test_cc_OBJECTS) $(test_cc_DEPENDENCIES) $(EXTRA_test_cc_DEPENDENCIES)
- @rm -f test_cc$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_cc_OBJECTS) $(test_cc_LDADD) $(LIBS)
-
-test_config$(EXEEXT): $(test_config_OBJECTS) $(test_config_DEPENDENCIES) $(EXTRA_test_config_DEPENDENCIES)
- @rm -f test_config$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_config_OBJECTS) $(test_config_LDADD) $(LIBS)
-
-test_crypto$(EXEEXT): $(test_crypto_OBJECTS) $(test_crypto_DEPENDENCIES) $(EXTRA_test_crypto_DEPENDENCIES)
- @rm -f test_crypto$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_crypto_OBJECTS) $(test_crypto_LDADD) $(LIBS)
-
-test_crypto_wrapping$(EXEEXT): $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_DEPENDENCIES) $(EXTRA_test_crypto_wrapping_DEPENDENCIES)
- @rm -f test_crypto_wrapping$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_crypto_wrapping_OBJECTS) $(test_crypto_wrapping_LDADD) $(LIBS)
-
-test_expand_toks$(EXEEXT): $(test_expand_toks_OBJECTS) $(test_expand_toks_DEPENDENCIES) $(EXTRA_test_expand_toks_DEPENDENCIES)
- @rm -f test_expand_toks$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_expand_toks_OBJECTS) $(test_expand_toks_LDADD) $(LIBS)
-
-test_forward$(EXEEXT): $(test_forward_OBJECTS) $(test_forward_DEPENDENCIES) $(EXTRA_test_forward_DEPENDENCIES)
- @rm -f test_forward$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_forward_OBJECTS) $(test_forward_LDADD) $(LIBS)
-
-test_fx$(EXEEXT): $(test_fx_OBJECTS) $(test_fx_DEPENDENCIES) $(EXTRA_test_fx_DEPENDENCIES)
- @rm -f test_fx$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_fx_OBJECTS) $(test_fx_LDADD) $(LIBS)
-
-test_get_addrs$(EXEEXT): $(test_get_addrs_OBJECTS) $(test_get_addrs_DEPENDENCIES) $(EXTRA_test_get_addrs_DEPENDENCIES)
- @rm -f test_get_addrs$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_get_addrs_OBJECTS) $(test_get_addrs_LDADD) $(LIBS)
-
-test_gic$(EXEEXT): $(test_gic_OBJECTS) $(test_gic_DEPENDENCIES) $(EXTRA_test_gic_DEPENDENCIES)
- @rm -f test_gic$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_gic_OBJECTS) $(test_gic_LDADD) $(LIBS)
-
-test_hostname$(EXEEXT): $(test_hostname_OBJECTS) $(test_hostname_DEPENDENCIES) $(EXTRA_test_hostname_DEPENDENCIES)
- @rm -f test_hostname$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_hostname_OBJECTS) $(test_hostname_LDADD) $(LIBS)
-
-test_keytab$(EXEEXT): $(test_keytab_OBJECTS) $(test_keytab_DEPENDENCIES) $(EXTRA_test_keytab_DEPENDENCIES)
- @rm -f test_keytab$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_keytab_OBJECTS) $(test_keytab_LDADD) $(LIBS)
-
-test_kuserok$(EXEEXT): $(test_kuserok_OBJECTS) $(test_kuserok_DEPENDENCIES) $(EXTRA_test_kuserok_DEPENDENCIES)
- @rm -f test_kuserok$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_kuserok_OBJECTS) $(test_kuserok_LDADD) $(LIBS)
-
-test_mem$(EXEEXT): $(test_mem_OBJECTS) $(test_mem_DEPENDENCIES) $(EXTRA_test_mem_DEPENDENCIES)
- @rm -f test_mem$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_mem_OBJECTS) $(test_mem_LDADD) $(LIBS)
-
-test_pac$(EXEEXT): $(test_pac_OBJECTS) $(test_pac_DEPENDENCIES) $(EXTRA_test_pac_DEPENDENCIES)
- @rm -f test_pac$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_pac_OBJECTS) $(test_pac_LDADD) $(LIBS)
-
-test_pkinit_dh2key$(EXEEXT): $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_DEPENDENCIES) $(EXTRA_test_pkinit_dh2key_DEPENDENCIES)
- @rm -f test_pkinit_dh2key$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_pkinit_dh2key_OBJECTS) $(test_pkinit_dh2key_LDADD) $(LIBS)
-
-test_pknistkdf$(EXEEXT): $(test_pknistkdf_OBJECTS) $(test_pknistkdf_DEPENDENCIES) $(EXTRA_test_pknistkdf_DEPENDENCIES)
- @rm -f test_pknistkdf$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_pknistkdf_OBJECTS) $(test_pknistkdf_LDADD) $(LIBS)
-
-test_plugin$(EXEEXT): $(test_plugin_OBJECTS) $(test_plugin_DEPENDENCIES) $(EXTRA_test_plugin_DEPENDENCIES)
- @rm -f test_plugin$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_plugin_OBJECTS) $(test_plugin_LDADD) $(LIBS)
-
-test_prf$(EXEEXT): $(test_prf_OBJECTS) $(test_prf_DEPENDENCIES) $(EXTRA_test_prf_DEPENDENCIES)
- @rm -f test_prf$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_prf_OBJECTS) $(test_prf_LDADD) $(LIBS)
-
-test_princ$(EXEEXT): $(test_princ_OBJECTS) $(test_princ_DEPENDENCIES) $(EXTRA_test_princ_DEPENDENCIES)
- @rm -f test_princ$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_princ_OBJECTS) $(test_princ_LDADD) $(LIBS)
-
-test_renew$(EXEEXT): $(test_renew_OBJECTS) $(test_renew_DEPENDENCIES) $(EXTRA_test_renew_DEPENDENCIES)
- @rm -f test_renew$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_renew_OBJECTS) $(test_renew_LDADD) $(LIBS)
-
-test_rfc3961$(EXEEXT): $(test_rfc3961_OBJECTS) $(test_rfc3961_DEPENDENCIES) $(EXTRA_test_rfc3961_DEPENDENCIES)
- @rm -f test_rfc3961$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_rfc3961_OBJECTS) $(test_rfc3961_LDADD) $(LIBS)
-
-test_set_kvno0$(EXEEXT): $(test_set_kvno0_OBJECTS) $(test_set_kvno0_DEPENDENCIES) $(EXTRA_test_set_kvno0_DEPENDENCIES)
- @rm -f test_set_kvno0$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_set_kvno0_OBJECTS) $(test_set_kvno0_LDADD) $(LIBS)
-
-test_store$(EXEEXT): $(test_store_OBJECTS) $(test_store_DEPENDENCIES) $(EXTRA_test_store_DEPENDENCIES)
- @rm -f test_store$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_store_OBJECTS) $(test_store_LDADD) $(LIBS)
-
-test_time$(EXEEXT): $(test_time_OBJECTS) $(test_time_DEPENDENCIES) $(EXTRA_test_time_DEPENDENCIES)
- @rm -f test_time$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_time_OBJECTS) $(test_time_LDADD) $(LIBS)
-
-test_x500$(EXEEXT): $(test_x500_OBJECTS) $(test_x500_DEPENDENCIES) $(EXTRA_test_x500_DEPENDENCIES)
- @rm -f test_x500$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(test_x500_OBJECTS) $(test_x500_LDADD) $(LIBS)
-
-verify_krb5_conf$(EXEEXT): $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_DEPENDENCIES) $(EXTRA_verify_krb5_conf_DEPENDENCIES)
- @rm -f verify_krb5_conf$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(verify_krb5_conf_OBJECTS) $(verify_krb5_conf_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT)
-
-distclean-compile:
- -rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/derived-key-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/krbhst-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acl.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-add_et_list.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-addr_families.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-appdefault.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-asn1_glue.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-auth_context.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_ap_req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_auth.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-cache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-changepw.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-codec.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-config_file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-constants.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-context.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-convert_creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-algs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-evp.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-null.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-pk.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-rand.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-data.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-db_plugin.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-dcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-deprecated.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-digest.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-doxygen.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-enomem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-error_string.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_hostname.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_path.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fast.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free_host_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_subkey.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_addrs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_cred.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_principal.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_for_creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_host_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_port.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-heim_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-k524_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kcm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keyblock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_any.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_file.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_memory.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb5_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb_err.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krbhst.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kuserok.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-log.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-misc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mit_glue.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_error.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_priv.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_rep.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_safe.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-n-fold.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_read.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_write.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pac.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-padata.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pcache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-plugin.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-principal.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prog_setup.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prompter_posix.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_cred.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_error.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_priv.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_rep.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_req.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_safe.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-read_message.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-recvauth.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-replay.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-scache.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sendauth.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-set_default_realm.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sock_principal.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store-int.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_emem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_fd.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_mem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_sock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-ticket.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-time.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-transited.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_init.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_user.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-version.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-warn.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-write_message.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crc.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-algs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-evp.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-null.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-pk.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-rand.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-data.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-enomem.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-error_string.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-keyblock.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-n-fold.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des3.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-store-int.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-warn.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/n-fold-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parse-name-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pseudo-random-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/string-to-key-test.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_acl.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_addr.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_alname.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_ap-req.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_canon.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cc.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_config.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto_wrapping.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expand_toks.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_forward.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_fx.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_get_addrs.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_gic.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hostname.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_keytab.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_kuserok.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mem.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pac.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pkinit_dh2key.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pknistkdf.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_plugin.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_prf.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_princ.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_renew.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rfc3961.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_set_kvno0.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_store.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_time.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_x500.Po@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify_krb5_conf.Po@am__quote@ # am--include-marker
-
-$(am__depfiles_remade):
- @$(MKDIR_P) $(@D)
- @echo '# dummy' >$@-t && $(am__mv) $@-t $@
-
-am--depfiles: $(am__depfiles_remade)
-
-.c.o:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-libkrb5_la-acache.lo: acache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-acache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-acache.Tpo -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-acache.Tpo $(DEPDIR)/libkrb5_la-acache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='acache.c' object='libkrb5_la-acache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acache.lo `test -f 'acache.c' || echo '$(srcdir)/'`acache.c
-
-libkrb5_la-acl.lo: acl.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-acl.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-acl.Tpo -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-acl.Tpo $(DEPDIR)/libkrb5_la-acl.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='acl.c' object='libkrb5_la-acl.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-acl.lo `test -f 'acl.c' || echo '$(srcdir)/'`acl.c
-
-libkrb5_la-add_et_list.lo: add_et_list.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-add_et_list.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-add_et_list.Tpo -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-add_et_list.Tpo $(DEPDIR)/libkrb5_la-add_et_list.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='add_et_list.c' object='libkrb5_la-add_et_list.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-add_et_list.lo `test -f 'add_et_list.c' || echo '$(srcdir)/'`add_et_list.c
-
-libkrb5_la-addr_families.lo: addr_families.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-addr_families.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-addr_families.Tpo -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-addr_families.Tpo $(DEPDIR)/libkrb5_la-addr_families.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='addr_families.c' object='libkrb5_la-addr_families.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-addr_families.lo `test -f 'addr_families.c' || echo '$(srcdir)/'`addr_families.c
-
-libkrb5_la-aname_to_localname.lo: aname_to_localname.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-aname_to_localname.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-aname_to_localname.Tpo -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-aname_to_localname.Tpo $(DEPDIR)/libkrb5_la-aname_to_localname.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='aname_to_localname.c' object='libkrb5_la-aname_to_localname.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-aname_to_localname.lo `test -f 'aname_to_localname.c' || echo '$(srcdir)/'`aname_to_localname.c
-
-libkrb5_la-appdefault.lo: appdefault.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-appdefault.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-appdefault.Tpo -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-appdefault.Tpo $(DEPDIR)/libkrb5_la-appdefault.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='appdefault.c' object='libkrb5_la-appdefault.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-appdefault.lo `test -f 'appdefault.c' || echo '$(srcdir)/'`appdefault.c
-
-libkrb5_la-asn1_glue.lo: asn1_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-asn1_glue.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-asn1_glue.Tpo -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-asn1_glue.Tpo $(DEPDIR)/libkrb5_la-asn1_glue.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='asn1_glue.c' object='libkrb5_la-asn1_glue.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-asn1_glue.lo `test -f 'asn1_glue.c' || echo '$(srcdir)/'`asn1_glue.c
-
-libkrb5_la-auth_context.lo: auth_context.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-auth_context.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-auth_context.Tpo -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-auth_context.Tpo $(DEPDIR)/libkrb5_la-auth_context.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='auth_context.c' object='libkrb5_la-auth_context.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-auth_context.lo `test -f 'auth_context.c' || echo '$(srcdir)/'`auth_context.c
-
-libkrb5_la-build_ap_req.lo: build_ap_req.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-build_ap_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-build_ap_req.Tpo -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-build_ap_req.Tpo $(DEPDIR)/libkrb5_la-build_ap_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='build_ap_req.c' object='libkrb5_la-build_ap_req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_ap_req.lo `test -f 'build_ap_req.c' || echo '$(srcdir)/'`build_ap_req.c
-
-libkrb5_la-build_auth.lo: build_auth.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-build_auth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-build_auth.Tpo -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-build_auth.Tpo $(DEPDIR)/libkrb5_la-build_auth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='build_auth.c' object='libkrb5_la-build_auth.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-build_auth.lo `test -f 'build_auth.c' || echo '$(srcdir)/'`build_auth.c
-
-libkrb5_la-cache.lo: cache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-cache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-cache.Tpo -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-cache.Tpo $(DEPDIR)/libkrb5_la-cache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='cache.c' object='libkrb5_la-cache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-cache.lo `test -f 'cache.c' || echo '$(srcdir)/'`cache.c
-
-libkrb5_la-changepw.lo: changepw.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-changepw.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-changepw.Tpo -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-changepw.Tpo $(DEPDIR)/libkrb5_la-changepw.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='changepw.c' object='libkrb5_la-changepw.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-changepw.lo `test -f 'changepw.c' || echo '$(srcdir)/'`changepw.c
-
-libkrb5_la-codec.lo: codec.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-codec.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-codec.Tpo -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-codec.Tpo $(DEPDIR)/libkrb5_la-codec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='codec.c' object='libkrb5_la-codec.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-codec.lo `test -f 'codec.c' || echo '$(srcdir)/'`codec.c
-
-libkrb5_la-config_file.lo: config_file.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-config_file.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-config_file.Tpo -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-config_file.Tpo $(DEPDIR)/libkrb5_la-config_file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='config_file.c' object='libkrb5_la-config_file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-config_file.lo `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
-
-libkrb5_la-convert_creds.lo: convert_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-convert_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-convert_creds.Tpo -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-convert_creds.Tpo $(DEPDIR)/libkrb5_la-convert_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='convert_creds.c' object='libkrb5_la-convert_creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-convert_creds.lo `test -f 'convert_creds.c' || echo '$(srcdir)/'`convert_creds.c
-
-libkrb5_la-constants.lo: constants.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-constants.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-constants.Tpo -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-constants.Tpo $(DEPDIR)/libkrb5_la-constants.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='constants.c' object='libkrb5_la-constants.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-constants.lo `test -f 'constants.c' || echo '$(srcdir)/'`constants.c
-
-libkrb5_la-context.lo: context.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-context.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-context.Tpo -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-context.Tpo $(DEPDIR)/libkrb5_la-context.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='context.c' object='libkrb5_la-context.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-context.lo `test -f 'context.c' || echo '$(srcdir)/'`context.c
-
-libkrb5_la-copy_host_realm.lo: copy_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-copy_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-copy_host_realm.Tpo -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-copy_host_realm.Tpo $(DEPDIR)/libkrb5_la-copy_host_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='copy_host_realm.c' object='libkrb5_la-copy_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-copy_host_realm.lo `test -f 'copy_host_realm.c' || echo '$(srcdir)/'`copy_host_realm.c
-
-libkrb5_la-crc.lo: crc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crc.Tpo -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crc.Tpo $(DEPDIR)/libkrb5_la-crc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crc.c' object='libkrb5_la-crc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-
-libkrb5_la-creds.lo: creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-creds.Tpo -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-creds.Tpo $(DEPDIR)/libkrb5_la-creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='creds.c' object='libkrb5_la-creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-creds.lo `test -f 'creds.c' || echo '$(srcdir)/'`creds.c
-
-libkrb5_la-crypto.lo: crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto.Tpo -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto.Tpo $(DEPDIR)/libkrb5_la-crypto.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto.c' object='libkrb5_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-
-libkrb5_la-crypto-aes-sha1.lo: crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-aes-sha1.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-aes-sha1.Tpo -c -o libkrb5_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-aes-sha1.Tpo $(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha1.c' object='libkrb5_la-crypto-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-
-libkrb5_la-crypto-aes-sha2.lo: crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-aes-sha2.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-aes-sha2.Tpo -c -o libkrb5_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-aes-sha2.Tpo $(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha2.c' object='libkrb5_la-crypto-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-
-libkrb5_la-crypto-algs.lo: crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-algs.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-algs.Tpo -c -o libkrb5_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-algs.Tpo $(DEPDIR)/libkrb5_la-crypto-algs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-algs.c' object='libkrb5_la-crypto-algs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-
-libkrb5_la-crypto-arcfour.lo: crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-arcfour.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-arcfour.Tpo -c -o libkrb5_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-arcfour.Tpo $(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-arcfour.c' object='libkrb5_la-crypto-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-
-libkrb5_la-crypto-des.lo: crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des.Tpo -c -o libkrb5_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-des.Tpo $(DEPDIR)/libkrb5_la-crypto-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des.c' object='libkrb5_la-crypto-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-
-libkrb5_la-crypto-des-common.lo: crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des-common.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des-common.Tpo -c -o libkrb5_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-des-common.Tpo $(DEPDIR)/libkrb5_la-crypto-des-common.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des-common.c' object='libkrb5_la-crypto-des-common.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-
-libkrb5_la-crypto-des3.lo: crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-des3.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-des3.Tpo -c -o libkrb5_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-des3.Tpo $(DEPDIR)/libkrb5_la-crypto-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des3.c' object='libkrb5_la-crypto-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-
-libkrb5_la-crypto-evp.lo: crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-evp.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-evp.Tpo -c -o libkrb5_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-evp.Tpo $(DEPDIR)/libkrb5_la-crypto-evp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-evp.c' object='libkrb5_la-crypto-evp.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-
-libkrb5_la-crypto-null.lo: crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-null.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-null.Tpo -c -o libkrb5_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-null.Tpo $(DEPDIR)/libkrb5_la-crypto-null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-null.c' object='libkrb5_la-crypto-null.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-
-libkrb5_la-crypto-pk.lo: crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-pk.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-pk.Tpo -c -o libkrb5_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-pk.Tpo $(DEPDIR)/libkrb5_la-crypto-pk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-pk.c' object='libkrb5_la-crypto-pk.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-
-libkrb5_la-crypto-rand.lo: crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-crypto-rand.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-crypto-rand.Tpo -c -o libkrb5_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-crypto-rand.Tpo $(DEPDIR)/libkrb5_la-crypto-rand.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-rand.c' object='libkrb5_la-crypto-rand.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-
-libkrb5_la-doxygen.lo: doxygen.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-doxygen.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-doxygen.Tpo -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-doxygen.Tpo $(DEPDIR)/libkrb5_la-doxygen.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='doxygen.c' object='libkrb5_la-doxygen.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-doxygen.lo `test -f 'doxygen.c' || echo '$(srcdir)/'`doxygen.c
-
-libkrb5_la-data.lo: data.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-data.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-data.Tpo -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-data.Tpo $(DEPDIR)/libkrb5_la-data.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='data.c' object='libkrb5_la-data.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-
-libkrb5_la-db_plugin.lo: db_plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-db_plugin.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-db_plugin.Tpo -c -o libkrb5_la-db_plugin.lo `test -f 'db_plugin.c' || echo '$(srcdir)/'`db_plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-db_plugin.Tpo $(DEPDIR)/libkrb5_la-db_plugin.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='db_plugin.c' object='libkrb5_la-db_plugin.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-db_plugin.lo `test -f 'db_plugin.c' || echo '$(srcdir)/'`db_plugin.c
-
-libkrb5_la-dcache.lo: dcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-dcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-dcache.Tpo -c -o libkrb5_la-dcache.lo `test -f 'dcache.c' || echo '$(srcdir)/'`dcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-dcache.Tpo $(DEPDIR)/libkrb5_la-dcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='dcache.c' object='libkrb5_la-dcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-dcache.lo `test -f 'dcache.c' || echo '$(srcdir)/'`dcache.c
-
-libkrb5_la-deprecated.lo: deprecated.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-deprecated.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-deprecated.Tpo -c -o libkrb5_la-deprecated.lo `test -f 'deprecated.c' || echo '$(srcdir)/'`deprecated.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-deprecated.Tpo $(DEPDIR)/libkrb5_la-deprecated.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='deprecated.c' object='libkrb5_la-deprecated.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-deprecated.lo `test -f 'deprecated.c' || echo '$(srcdir)/'`deprecated.c
-
-libkrb5_la-digest.lo: digest.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-digest.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-digest.Tpo -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-digest.Tpo $(DEPDIR)/libkrb5_la-digest.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='digest.c' object='libkrb5_la-digest.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-digest.lo `test -f 'digest.c' || echo '$(srcdir)/'`digest.c
-
-libkrb5_la-eai_to_heim_errno.lo: eai_to_heim_errno.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-eai_to_heim_errno.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Tpo -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Tpo $(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='eai_to_heim_errno.c' object='libkrb5_la-eai_to_heim_errno.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-eai_to_heim_errno.lo `test -f 'eai_to_heim_errno.c' || echo '$(srcdir)/'`eai_to_heim_errno.c
-
-libkrb5_la-enomem.lo: enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-enomem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-enomem.Tpo -c -o libkrb5_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-enomem.Tpo $(DEPDIR)/libkrb5_la-enomem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='enomem.c' object='libkrb5_la-enomem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-
-libkrb5_la-error_string.lo: error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-error_string.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-error_string.Tpo -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-error_string.Tpo $(DEPDIR)/libkrb5_la-error_string.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='error_string.c' object='libkrb5_la-error_string.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-
-libkrb5_la-expand_hostname.lo: expand_hostname.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-expand_hostname.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-expand_hostname.Tpo -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-expand_hostname.Tpo $(DEPDIR)/libkrb5_la-expand_hostname.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='expand_hostname.c' object='libkrb5_la-expand_hostname.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_hostname.lo `test -f 'expand_hostname.c' || echo '$(srcdir)/'`expand_hostname.c
-
-libkrb5_la-expand_path.lo: expand_path.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-expand_path.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-expand_path.Tpo -c -o libkrb5_la-expand_path.lo `test -f 'expand_path.c' || echo '$(srcdir)/'`expand_path.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-expand_path.Tpo $(DEPDIR)/libkrb5_la-expand_path.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='expand_path.c' object='libkrb5_la-expand_path.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-expand_path.lo `test -f 'expand_path.c' || echo '$(srcdir)/'`expand_path.c
-
-libkrb5_la-fast.lo: fast.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-fast.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-fast.Tpo -c -o libkrb5_la-fast.lo `test -f 'fast.c' || echo '$(srcdir)/'`fast.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-fast.Tpo $(DEPDIR)/libkrb5_la-fast.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='fast.c' object='libkrb5_la-fast.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fast.lo `test -f 'fast.c' || echo '$(srcdir)/'`fast.c
-
-libkrb5_la-fcache.lo: fcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-fcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-fcache.Tpo -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-fcache.Tpo $(DEPDIR)/libkrb5_la-fcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='fcache.c' object='libkrb5_la-fcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-fcache.lo `test -f 'fcache.c' || echo '$(srcdir)/'`fcache.c
-
-libkrb5_la-free.lo: free.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-free.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-free.Tpo -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-free.Tpo $(DEPDIR)/libkrb5_la-free.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='free.c' object='libkrb5_la-free.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free.lo `test -f 'free.c' || echo '$(srcdir)/'`free.c
-
-libkrb5_la-free_host_realm.lo: free_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-free_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-free_host_realm.Tpo -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-free_host_realm.Tpo $(DEPDIR)/libkrb5_la-free_host_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='free_host_realm.c' object='libkrb5_la-free_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-free_host_realm.lo `test -f 'free_host_realm.c' || echo '$(srcdir)/'`free_host_realm.c
-
-libkrb5_la-generate_seq_number.lo: generate_seq_number.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-generate_seq_number.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-generate_seq_number.Tpo -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-generate_seq_number.Tpo $(DEPDIR)/libkrb5_la-generate_seq_number.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='generate_seq_number.c' object='libkrb5_la-generate_seq_number.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_seq_number.lo `test -f 'generate_seq_number.c' || echo '$(srcdir)/'`generate_seq_number.c
-
-libkrb5_la-generate_subkey.lo: generate_subkey.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-generate_subkey.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-generate_subkey.Tpo -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-generate_subkey.Tpo $(DEPDIR)/libkrb5_la-generate_subkey.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='generate_subkey.c' object='libkrb5_la-generate_subkey.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-generate_subkey.lo `test -f 'generate_subkey.c' || echo '$(srcdir)/'`generate_subkey.c
-
-libkrb5_la-get_addrs.lo: get_addrs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_addrs.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_addrs.Tpo -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_addrs.Tpo $(DEPDIR)/libkrb5_la-get_addrs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_addrs.c' object='libkrb5_la-get_addrs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_addrs.lo `test -f 'get_addrs.c' || echo '$(srcdir)/'`get_addrs.c
-
-libkrb5_la-get_cred.lo: get_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_cred.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_cred.Tpo -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_cred.Tpo $(DEPDIR)/libkrb5_la-get_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_cred.c' object='libkrb5_la-get_cred.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_cred.lo `test -f 'get_cred.c' || echo '$(srcdir)/'`get_cred.c
-
-libkrb5_la-get_default_principal.lo: get_default_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_default_principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_default_principal.Tpo -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_default_principal.Tpo $(DEPDIR)/libkrb5_la-get_default_principal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_default_principal.c' object='libkrb5_la-get_default_principal.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_principal.lo `test -f 'get_default_principal.c' || echo '$(srcdir)/'`get_default_principal.c
-
-libkrb5_la-get_default_realm.lo: get_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_default_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_default_realm.Tpo -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_default_realm.Tpo $(DEPDIR)/libkrb5_la-get_default_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_default_realm.c' object='libkrb5_la-get_default_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_default_realm.lo `test -f 'get_default_realm.c' || echo '$(srcdir)/'`get_default_realm.c
-
-libkrb5_la-get_for_creds.lo: get_for_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_for_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_for_creds.Tpo -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_for_creds.Tpo $(DEPDIR)/libkrb5_la-get_for_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_for_creds.c' object='libkrb5_la-get_for_creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_for_creds.lo `test -f 'get_for_creds.c' || echo '$(srcdir)/'`get_for_creds.c
-
-libkrb5_la-get_host_realm.lo: get_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_host_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_host_realm.Tpo -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_host_realm.Tpo $(DEPDIR)/libkrb5_la-get_host_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_host_realm.c' object='libkrb5_la-get_host_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_host_realm.lo `test -f 'get_host_realm.c' || echo '$(srcdir)/'`get_host_realm.c
-
-libkrb5_la-get_in_tkt.lo: get_in_tkt.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_in_tkt.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_in_tkt.Tpo -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_in_tkt.Tpo $(DEPDIR)/libkrb5_la-get_in_tkt.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_in_tkt.c' object='libkrb5_la-get_in_tkt.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_in_tkt.lo `test -f 'get_in_tkt.c' || echo '$(srcdir)/'`get_in_tkt.c
-
-libkrb5_la-get_port.lo: get_port.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-get_port.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-get_port.Tpo -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-get_port.Tpo $(DEPDIR)/libkrb5_la-get_port.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='get_port.c' object='libkrb5_la-get_port.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-get_port.lo `test -f 'get_port.c' || echo '$(srcdir)/'`get_port.c
-
-libkrb5_la-init_creds.lo: init_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-init_creds.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-init_creds.Tpo -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-init_creds.Tpo $(DEPDIR)/libkrb5_la-init_creds.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='init_creds.c' object='libkrb5_la-init_creds.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds.lo `test -f 'init_creds.c' || echo '$(srcdir)/'`init_creds.c
-
-libkrb5_la-init_creds_pw.lo: init_creds_pw.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-init_creds_pw.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-init_creds_pw.Tpo -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-init_creds_pw.Tpo $(DEPDIR)/libkrb5_la-init_creds_pw.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='init_creds_pw.c' object='libkrb5_la-init_creds_pw.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-init_creds_pw.lo `test -f 'init_creds_pw.c' || echo '$(srcdir)/'`init_creds_pw.c
-
-libkrb5_la-kcm.lo: kcm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-kcm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-kcm.Tpo -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-kcm.Tpo $(DEPDIR)/libkrb5_la-kcm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kcm.c' object='libkrb5_la-kcm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kcm.lo `test -f 'kcm.c' || echo '$(srcdir)/'`kcm.c
-
-libkrb5_la-keyblock.lo: keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keyblock.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keyblock.Tpo -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keyblock.Tpo $(DEPDIR)/libkrb5_la-keyblock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keyblock.c' object='libkrb5_la-keyblock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-
-libkrb5_la-keytab.lo: keytab.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab.Tpo -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab.Tpo $(DEPDIR)/libkrb5_la-keytab.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab.c' object='libkrb5_la-keytab.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab.lo `test -f 'keytab.c' || echo '$(srcdir)/'`keytab.c
-
-libkrb5_la-keytab_any.lo: keytab_any.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_any.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_any.Tpo -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_any.Tpo $(DEPDIR)/libkrb5_la-keytab_any.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_any.c' object='libkrb5_la-keytab_any.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_any.lo `test -f 'keytab_any.c' || echo '$(srcdir)/'`keytab_any.c
-
-libkrb5_la-keytab_file.lo: keytab_file.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_file.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_file.Tpo -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_file.Tpo $(DEPDIR)/libkrb5_la-keytab_file.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_file.c' object='libkrb5_la-keytab_file.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_file.lo `test -f 'keytab_file.c' || echo '$(srcdir)/'`keytab_file.c
-
-libkrb5_la-keytab_keyfile.lo: keytab_keyfile.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_keyfile.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_keyfile.Tpo -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_keyfile.Tpo $(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_keyfile.c' object='libkrb5_la-keytab_keyfile.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_keyfile.lo `test -f 'keytab_keyfile.c' || echo '$(srcdir)/'`keytab_keyfile.c
-
-libkrb5_la-keytab_memory.lo: keytab_memory.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-keytab_memory.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-keytab_memory.Tpo -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-keytab_memory.Tpo $(DEPDIR)/libkrb5_la-keytab_memory.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keytab_memory.c' object='libkrb5_la-keytab_memory.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-keytab_memory.lo `test -f 'keytab_memory.c' || echo '$(srcdir)/'`keytab_memory.c
-
-libkrb5_la-krbhst.lo: krbhst.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krbhst.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krbhst.Tpo -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-krbhst.Tpo $(DEPDIR)/libkrb5_la-krbhst.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='krbhst.c' object='libkrb5_la-krbhst.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krbhst.lo `test -f 'krbhst.c' || echo '$(srcdir)/'`krbhst.c
-
-libkrb5_la-kuserok.lo: kuserok.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-kuserok.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-kuserok.Tpo -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-kuserok.Tpo $(DEPDIR)/libkrb5_la-kuserok.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kuserok.c' object='libkrb5_la-kuserok.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-kuserok.lo `test -f 'kuserok.c' || echo '$(srcdir)/'`kuserok.c
-
-libkrb5_la-log.lo: log.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-log.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-log.Tpo -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-log.Tpo $(DEPDIR)/libkrb5_la-log.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='log.c' object='libkrb5_la-log.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-log.lo `test -f 'log.c' || echo '$(srcdir)/'`log.c
-
-libkrb5_la-mcache.lo: mcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mcache.Tpo -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mcache.Tpo $(DEPDIR)/libkrb5_la-mcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mcache.c' object='libkrb5_la-mcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mcache.lo `test -f 'mcache.c' || echo '$(srcdir)/'`mcache.c
-
-libkrb5_la-misc.lo: misc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-misc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-misc.Tpo -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-misc.Tpo $(DEPDIR)/libkrb5_la-misc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='misc.c' object='libkrb5_la-misc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-misc.lo `test -f 'misc.c' || echo '$(srcdir)/'`misc.c
-
-libkrb5_la-mk_error.lo: mk_error.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_error.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_error.Tpo -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_error.Tpo $(DEPDIR)/libkrb5_la-mk_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_error.c' object='libkrb5_la-mk_error.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_error.lo `test -f 'mk_error.c' || echo '$(srcdir)/'`mk_error.c
-
-libkrb5_la-mk_priv.lo: mk_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_priv.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_priv.Tpo -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_priv.Tpo $(DEPDIR)/libkrb5_la-mk_priv.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_priv.c' object='libkrb5_la-mk_priv.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_priv.lo `test -f 'mk_priv.c' || echo '$(srcdir)/'`mk_priv.c
-
-libkrb5_la-mk_rep.lo: mk_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_rep.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_rep.Tpo -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_rep.Tpo $(DEPDIR)/libkrb5_la-mk_rep.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_rep.c' object='libkrb5_la-mk_rep.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_rep.lo `test -f 'mk_rep.c' || echo '$(srcdir)/'`mk_rep.c
-
-libkrb5_la-mk_req.lo: mk_req.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_req.Tpo -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_req.Tpo $(DEPDIR)/libkrb5_la-mk_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_req.c' object='libkrb5_la-mk_req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req.lo `test -f 'mk_req.c' || echo '$(srcdir)/'`mk_req.c
-
-libkrb5_la-mk_req_ext.lo: mk_req_ext.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_req_ext.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_req_ext.Tpo -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_req_ext.Tpo $(DEPDIR)/libkrb5_la-mk_req_ext.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_req_ext.c' object='libkrb5_la-mk_req_ext.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_req_ext.lo `test -f 'mk_req_ext.c' || echo '$(srcdir)/'`mk_req_ext.c
-
-libkrb5_la-mk_safe.lo: mk_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mk_safe.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mk_safe.Tpo -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mk_safe.Tpo $(DEPDIR)/libkrb5_la-mk_safe.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mk_safe.c' object='libkrb5_la-mk_safe.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mk_safe.lo `test -f 'mk_safe.c' || echo '$(srcdir)/'`mk_safe.c
-
-libkrb5_la-mit_glue.lo: mit_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-mit_glue.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-mit_glue.Tpo -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-mit_glue.Tpo $(DEPDIR)/libkrb5_la-mit_glue.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='mit_glue.c' object='libkrb5_la-mit_glue.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-mit_glue.lo `test -f 'mit_glue.c' || echo '$(srcdir)/'`mit_glue.c
-
-libkrb5_la-net_read.lo: net_read.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-net_read.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-net_read.Tpo -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-net_read.Tpo $(DEPDIR)/libkrb5_la-net_read.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='net_read.c' object='libkrb5_la-net_read.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_read.lo `test -f 'net_read.c' || echo '$(srcdir)/'`net_read.c
-
-libkrb5_la-net_write.lo: net_write.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-net_write.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-net_write.Tpo -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-net_write.Tpo $(DEPDIR)/libkrb5_la-net_write.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='net_write.c' object='libkrb5_la-net_write.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-net_write.lo `test -f 'net_write.c' || echo '$(srcdir)/'`net_write.c
-
-libkrb5_la-n-fold.lo: n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-n-fold.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-n-fold.Tpo -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-n-fold.Tpo $(DEPDIR)/libkrb5_la-n-fold.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='n-fold.c' object='libkrb5_la-n-fold.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-
-libkrb5_la-pac.lo: pac.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pac.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pac.Tpo -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pac.Tpo $(DEPDIR)/libkrb5_la-pac.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pac.c' object='libkrb5_la-pac.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pac.lo `test -f 'pac.c' || echo '$(srcdir)/'`pac.c
-
-libkrb5_la-padata.lo: padata.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-padata.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-padata.Tpo -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-padata.Tpo $(DEPDIR)/libkrb5_la-padata.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='padata.c' object='libkrb5_la-padata.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-padata.lo `test -f 'padata.c' || echo '$(srcdir)/'`padata.c
-
-libkrb5_la-pcache.lo: pcache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pcache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pcache.Tpo -c -o libkrb5_la-pcache.lo `test -f 'pcache.c' || echo '$(srcdir)/'`pcache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pcache.Tpo $(DEPDIR)/libkrb5_la-pcache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pcache.c' object='libkrb5_la-pcache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pcache.lo `test -f 'pcache.c' || echo '$(srcdir)/'`pcache.c
-
-libkrb5_la-pkinit.lo: pkinit.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pkinit.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pkinit.Tpo -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pkinit.Tpo $(DEPDIR)/libkrb5_la-pkinit.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pkinit.c' object='libkrb5_la-pkinit.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit.lo `test -f 'pkinit.c' || echo '$(srcdir)/'`pkinit.c
-
-libkrb5_la-pkinit-ec.lo: pkinit-ec.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-pkinit-ec.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-pkinit-ec.Tpo -c -o libkrb5_la-pkinit-ec.lo `test -f 'pkinit-ec.c' || echo '$(srcdir)/'`pkinit-ec.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-pkinit-ec.Tpo $(DEPDIR)/libkrb5_la-pkinit-ec.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='pkinit-ec.c' object='libkrb5_la-pkinit-ec.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-pkinit-ec.lo `test -f 'pkinit-ec.c' || echo '$(srcdir)/'`pkinit-ec.c
-
-libkrb5_la-principal.lo: principal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-principal.Tpo -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-principal.Tpo $(DEPDIR)/libkrb5_la-principal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='principal.c' object='libkrb5_la-principal.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-principal.lo `test -f 'principal.c' || echo '$(srcdir)/'`principal.c
-
-libkrb5_la-prog_setup.lo: prog_setup.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-prog_setup.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-prog_setup.Tpo -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-prog_setup.Tpo $(DEPDIR)/libkrb5_la-prog_setup.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='prog_setup.c' object='libkrb5_la-prog_setup.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prog_setup.lo `test -f 'prog_setup.c' || echo '$(srcdir)/'`prog_setup.c
-
-libkrb5_la-prompter_posix.lo: prompter_posix.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-prompter_posix.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-prompter_posix.Tpo -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-prompter_posix.Tpo $(DEPDIR)/libkrb5_la-prompter_posix.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='prompter_posix.c' object='libkrb5_la-prompter_posix.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-prompter_posix.lo `test -f 'prompter_posix.c' || echo '$(srcdir)/'`prompter_posix.c
-
-libkrb5_la-rd_cred.lo: rd_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_cred.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_cred.Tpo -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_cred.Tpo $(DEPDIR)/libkrb5_la-rd_cred.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_cred.c' object='libkrb5_la-rd_cred.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_cred.lo `test -f 'rd_cred.c' || echo '$(srcdir)/'`rd_cred.c
-
-libkrb5_la-rd_error.lo: rd_error.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_error.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_error.Tpo -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_error.Tpo $(DEPDIR)/libkrb5_la-rd_error.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_error.c' object='libkrb5_la-rd_error.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_error.lo `test -f 'rd_error.c' || echo '$(srcdir)/'`rd_error.c
-
-libkrb5_la-rd_priv.lo: rd_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_priv.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_priv.Tpo -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_priv.Tpo $(DEPDIR)/libkrb5_la-rd_priv.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_priv.c' object='libkrb5_la-rd_priv.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_priv.lo `test -f 'rd_priv.c' || echo '$(srcdir)/'`rd_priv.c
-
-libkrb5_la-rd_rep.lo: rd_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_rep.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_rep.Tpo -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_rep.Tpo $(DEPDIR)/libkrb5_la-rd_rep.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_rep.c' object='libkrb5_la-rd_rep.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_rep.lo `test -f 'rd_rep.c' || echo '$(srcdir)/'`rd_rep.c
-
-libkrb5_la-rd_req.lo: rd_req.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_req.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_req.Tpo -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_req.Tpo $(DEPDIR)/libkrb5_la-rd_req.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_req.c' object='libkrb5_la-rd_req.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_req.lo `test -f 'rd_req.c' || echo '$(srcdir)/'`rd_req.c
-
-libkrb5_la-rd_safe.lo: rd_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-rd_safe.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-rd_safe.Tpo -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-rd_safe.Tpo $(DEPDIR)/libkrb5_la-rd_safe.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='rd_safe.c' object='libkrb5_la-rd_safe.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-rd_safe.lo `test -f 'rd_safe.c' || echo '$(srcdir)/'`rd_safe.c
-
-libkrb5_la-read_message.lo: read_message.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-read_message.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-read_message.Tpo -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-read_message.Tpo $(DEPDIR)/libkrb5_la-read_message.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='read_message.c' object='libkrb5_la-read_message.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-read_message.lo `test -f 'read_message.c' || echo '$(srcdir)/'`read_message.c
-
-libkrb5_la-recvauth.lo: recvauth.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-recvauth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-recvauth.Tpo -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-recvauth.Tpo $(DEPDIR)/libkrb5_la-recvauth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='recvauth.c' object='libkrb5_la-recvauth.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-recvauth.lo `test -f 'recvauth.c' || echo '$(srcdir)/'`recvauth.c
-
-libkrb5_la-replay.lo: replay.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-replay.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-replay.Tpo -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-replay.Tpo $(DEPDIR)/libkrb5_la-replay.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='replay.c' object='libkrb5_la-replay.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-replay.lo `test -f 'replay.c' || echo '$(srcdir)/'`replay.c
-
-libkrb5_la-salt.lo: salt.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt.Tpo -c -o libkrb5_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt.Tpo $(DEPDIR)/libkrb5_la-salt.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt.c' object='libkrb5_la-salt.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-
-libkrb5_la-salt-aes-sha1.lo: salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-aes-sha1.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-aes-sha1.Tpo -c -o libkrb5_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-aes-sha1.Tpo $(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha1.c' object='libkrb5_la-salt-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-
-libkrb5_la-salt-aes-sha2.lo: salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-aes-sha2.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-aes-sha2.Tpo -c -o libkrb5_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-aes-sha2.Tpo $(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha2.c' object='libkrb5_la-salt-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-
-libkrb5_la-salt-arcfour.lo: salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-arcfour.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-arcfour.Tpo -c -o libkrb5_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-arcfour.Tpo $(DEPDIR)/libkrb5_la-salt-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-arcfour.c' object='libkrb5_la-salt-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-
-libkrb5_la-salt-des.lo: salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-des.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-des.Tpo -c -o libkrb5_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-des.Tpo $(DEPDIR)/libkrb5_la-salt-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des.c' object='libkrb5_la-salt-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-
-libkrb5_la-salt-des3.lo: salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-salt-des3.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-salt-des3.Tpo -c -o libkrb5_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-salt-des3.Tpo $(DEPDIR)/libkrb5_la-salt-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des3.c' object='libkrb5_la-salt-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-
-libkrb5_la-sp800-108-kdf.lo: sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sp800-108-kdf.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sp800-108-kdf.Tpo -c -o libkrb5_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-sp800-108-kdf.Tpo $(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sp800-108-kdf.c' object='libkrb5_la-sp800-108-kdf.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-
-libkrb5_la-scache.lo: scache.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-scache.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-scache.Tpo -c -o libkrb5_la-scache.lo `test -f 'scache.c' || echo '$(srcdir)/'`scache.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-scache.Tpo $(DEPDIR)/libkrb5_la-scache.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='scache.c' object='libkrb5_la-scache.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-scache.lo `test -f 'scache.c' || echo '$(srcdir)/'`scache.c
-
-libkrb5_la-send_to_kdc.lo: send_to_kdc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-send_to_kdc.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-send_to_kdc.Tpo -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-send_to_kdc.Tpo $(DEPDIR)/libkrb5_la-send_to_kdc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='send_to_kdc.c' object='libkrb5_la-send_to_kdc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-send_to_kdc.lo `test -f 'send_to_kdc.c' || echo '$(srcdir)/'`send_to_kdc.c
-
-libkrb5_la-sendauth.lo: sendauth.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sendauth.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sendauth.Tpo -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-sendauth.Tpo $(DEPDIR)/libkrb5_la-sendauth.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sendauth.c' object='libkrb5_la-sendauth.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sendauth.lo `test -f 'sendauth.c' || echo '$(srcdir)/'`sendauth.c
-
-libkrb5_la-set_default_realm.lo: set_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-set_default_realm.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-set_default_realm.Tpo -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-set_default_realm.Tpo $(DEPDIR)/libkrb5_la-set_default_realm.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='set_default_realm.c' object='libkrb5_la-set_default_realm.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-set_default_realm.lo `test -f 'set_default_realm.c' || echo '$(srcdir)/'`set_default_realm.c
-
-libkrb5_la-sock_principal.lo: sock_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-sock_principal.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-sock_principal.Tpo -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-sock_principal.Tpo $(DEPDIR)/libkrb5_la-sock_principal.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sock_principal.c' object='libkrb5_la-sock_principal.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-sock_principal.lo `test -f 'sock_principal.c' || echo '$(srcdir)/'`sock_principal.c
-
-libkrb5_la-store.lo: store.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store.Tpo -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store.Tpo $(DEPDIR)/libkrb5_la-store.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store.c' object='libkrb5_la-store.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store.lo `test -f 'store.c' || echo '$(srcdir)/'`store.c
-
-libkrb5_la-store-int.lo: store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store-int.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store-int.Tpo -c -o libkrb5_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store-int.Tpo $(DEPDIR)/libkrb5_la-store-int.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store-int.c' object='libkrb5_la-store-int.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-
-libkrb5_la-store_emem.lo: store_emem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_emem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_emem.Tpo -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_emem.Tpo $(DEPDIR)/libkrb5_la-store_emem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_emem.c' object='libkrb5_la-store_emem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_emem.lo `test -f 'store_emem.c' || echo '$(srcdir)/'`store_emem.c
-
-libkrb5_la-store_fd.lo: store_fd.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_fd.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_fd.Tpo -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_fd.Tpo $(DEPDIR)/libkrb5_la-store_fd.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_fd.c' object='libkrb5_la-store_fd.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_fd.lo `test -f 'store_fd.c' || echo '$(srcdir)/'`store_fd.c
-
-libkrb5_la-store_mem.lo: store_mem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_mem.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_mem.Tpo -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_mem.Tpo $(DEPDIR)/libkrb5_la-store_mem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_mem.c' object='libkrb5_la-store_mem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_mem.lo `test -f 'store_mem.c' || echo '$(srcdir)/'`store_mem.c
-
-libkrb5_la-store_sock.lo: store_sock.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-store_sock.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-store_sock.Tpo -c -o libkrb5_la-store_sock.lo `test -f 'store_sock.c' || echo '$(srcdir)/'`store_sock.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-store_sock.Tpo $(DEPDIR)/libkrb5_la-store_sock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store_sock.c' object='libkrb5_la-store_sock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-store_sock.lo `test -f 'store_sock.c' || echo '$(srcdir)/'`store_sock.c
-
-libkrb5_la-plugin.lo: plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-plugin.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-plugin.Tpo -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-plugin.Tpo $(DEPDIR)/libkrb5_la-plugin.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='plugin.c' object='libkrb5_la-plugin.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-plugin.lo `test -f 'plugin.c' || echo '$(srcdir)/'`plugin.c
-
-libkrb5_la-ticket.lo: ticket.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-ticket.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-ticket.Tpo -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-ticket.Tpo $(DEPDIR)/libkrb5_la-ticket.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ticket.c' object='libkrb5_la-ticket.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-ticket.lo `test -f 'ticket.c' || echo '$(srcdir)/'`ticket.c
-
-libkrb5_la-time.lo: time.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-time.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-time.Tpo -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-time.Tpo $(DEPDIR)/libkrb5_la-time.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='time.c' object='libkrb5_la-time.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-time.lo `test -f 'time.c' || echo '$(srcdir)/'`time.c
-
-libkrb5_la-transited.lo: transited.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-transited.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-transited.Tpo -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-transited.Tpo $(DEPDIR)/libkrb5_la-transited.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='transited.c' object='libkrb5_la-transited.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-transited.lo `test -f 'transited.c' || echo '$(srcdir)/'`transited.c
-
-libkrb5_la-verify_init.lo: verify_init.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-verify_init.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-verify_init.Tpo -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-verify_init.Tpo $(DEPDIR)/libkrb5_la-verify_init.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='verify_init.c' object='libkrb5_la-verify_init.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_init.lo `test -f 'verify_init.c' || echo '$(srcdir)/'`verify_init.c
-
-libkrb5_la-verify_user.lo: verify_user.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-verify_user.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-verify_user.Tpo -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-verify_user.Tpo $(DEPDIR)/libkrb5_la-verify_user.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='verify_user.c' object='libkrb5_la-verify_user.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-verify_user.lo `test -f 'verify_user.c' || echo '$(srcdir)/'`verify_user.c
-
-libkrb5_la-version.lo: version.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-version.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-version.Tpo -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-version.Tpo $(DEPDIR)/libkrb5_la-version.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='version.c' object='libkrb5_la-version.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-version.lo `test -f 'version.c' || echo '$(srcdir)/'`version.c
-
-libkrb5_la-warn.lo: warn.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-warn.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-warn.Tpo -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-warn.Tpo $(DEPDIR)/libkrb5_la-warn.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='warn.c' object='libkrb5_la-warn.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-
-libkrb5_la-write_message.lo: write_message.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-write_message.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-write_message.Tpo -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-write_message.Tpo $(DEPDIR)/libkrb5_la-write_message.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='write_message.c' object='libkrb5_la-write_message.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-write_message.lo `test -f 'write_message.c' || echo '$(srcdir)/'`write_message.c
-
-libkrb5_la-krb5_err.lo: krb5_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krb5_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krb5_err.Tpo -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-krb5_err.Tpo $(DEPDIR)/libkrb5_la-krb5_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='krb5_err.c' object='libkrb5_la-krb5_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb5_err.lo `test -f 'krb5_err.c' || echo '$(srcdir)/'`krb5_err.c
-
-libkrb5_la-krb_err.lo: krb_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-krb_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-krb_err.Tpo -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-krb_err.Tpo $(DEPDIR)/libkrb5_la-krb_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='krb_err.c' object='libkrb5_la-krb_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-krb_err.lo `test -f 'krb_err.c' || echo '$(srcdir)/'`krb_err.c
-
-libkrb5_la-heim_err.lo: heim_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-heim_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-heim_err.Tpo -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-heim_err.Tpo $(DEPDIR)/libkrb5_la-heim_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='heim_err.c' object='libkrb5_la-heim_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-heim_err.lo `test -f 'heim_err.c' || echo '$(srcdir)/'`heim_err.c
-
-libkrb5_la-k524_err.lo: k524_err.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libkrb5_la-k524_err.lo -MD -MP -MF $(DEPDIR)/libkrb5_la-k524_err.Tpo -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libkrb5_la-k524_err.Tpo $(DEPDIR)/libkrb5_la-k524_err.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='k524_err.c' object='libkrb5_la-k524_err.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libkrb5_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libkrb5_la-k524_err.lo `test -f 'k524_err.c' || echo '$(srcdir)/'`k524_err.c
-
-librfc3961_la-crc.lo: crc.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crc.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crc.Tpo -c -o librfc3961_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crc.Tpo $(DEPDIR)/librfc3961_la-crc.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crc.c' object='librfc3961_la-crc.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crc.lo `test -f 'crc.c' || echo '$(srcdir)/'`crc.c
-
-librfc3961_la-crypto.lo: crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto.Tpo -c -o librfc3961_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto.Tpo $(DEPDIR)/librfc3961_la-crypto.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto.c' object='librfc3961_la-crypto.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto.lo `test -f 'crypto.c' || echo '$(srcdir)/'`crypto.c
-
-librfc3961_la-crypto-aes-sha1.lo: crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-aes-sha1.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-aes-sha1.Tpo -c -o librfc3961_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-aes-sha1.Tpo $(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha1.c' object='librfc3961_la-crypto-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-aes-sha1.lo `test -f 'crypto-aes-sha1.c' || echo '$(srcdir)/'`crypto-aes-sha1.c
-
-librfc3961_la-crypto-aes-sha2.lo: crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-aes-sha2.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-aes-sha2.Tpo -c -o librfc3961_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-aes-sha2.Tpo $(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-aes-sha2.c' object='librfc3961_la-crypto-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-aes-sha2.lo `test -f 'crypto-aes-sha2.c' || echo '$(srcdir)/'`crypto-aes-sha2.c
-
-librfc3961_la-crypto-algs.lo: crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-algs.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-algs.Tpo -c -o librfc3961_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-algs.Tpo $(DEPDIR)/librfc3961_la-crypto-algs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-algs.c' object='librfc3961_la-crypto-algs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-algs.lo `test -f 'crypto-algs.c' || echo '$(srcdir)/'`crypto-algs.c
-
-librfc3961_la-crypto-arcfour.lo: crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-arcfour.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-arcfour.Tpo -c -o librfc3961_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-arcfour.Tpo $(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-arcfour.c' object='librfc3961_la-crypto-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-arcfour.lo `test -f 'crypto-arcfour.c' || echo '$(srcdir)/'`crypto-arcfour.c
-
-librfc3961_la-crypto-des.lo: crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des.Tpo -c -o librfc3961_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-des.Tpo $(DEPDIR)/librfc3961_la-crypto-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des.c' object='librfc3961_la-crypto-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des.lo `test -f 'crypto-des.c' || echo '$(srcdir)/'`crypto-des.c
-
-librfc3961_la-crypto-des-common.lo: crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des-common.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des-common.Tpo -c -o librfc3961_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-des-common.Tpo $(DEPDIR)/librfc3961_la-crypto-des-common.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des-common.c' object='librfc3961_la-crypto-des-common.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des-common.lo `test -f 'crypto-des-common.c' || echo '$(srcdir)/'`crypto-des-common.c
-
-librfc3961_la-crypto-des3.lo: crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-des3.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-des3.Tpo -c -o librfc3961_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-des3.Tpo $(DEPDIR)/librfc3961_la-crypto-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-des3.c' object='librfc3961_la-crypto-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-des3.lo `test -f 'crypto-des3.c' || echo '$(srcdir)/'`crypto-des3.c
-
-librfc3961_la-crypto-evp.lo: crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-evp.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-evp.Tpo -c -o librfc3961_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-evp.Tpo $(DEPDIR)/librfc3961_la-crypto-evp.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-evp.c' object='librfc3961_la-crypto-evp.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-evp.lo `test -f 'crypto-evp.c' || echo '$(srcdir)/'`crypto-evp.c
-
-librfc3961_la-crypto-null.lo: crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-null.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-null.Tpo -c -o librfc3961_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-null.Tpo $(DEPDIR)/librfc3961_la-crypto-null.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-null.c' object='librfc3961_la-crypto-null.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-null.lo `test -f 'crypto-null.c' || echo '$(srcdir)/'`crypto-null.c
-
-librfc3961_la-crypto-pk.lo: crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-pk.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-pk.Tpo -c -o librfc3961_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-pk.Tpo $(DEPDIR)/librfc3961_la-crypto-pk.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-pk.c' object='librfc3961_la-crypto-pk.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-pk.lo `test -f 'crypto-pk.c' || echo '$(srcdir)/'`crypto-pk.c
-
-librfc3961_la-crypto-rand.lo: crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-rand.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-rand.Tpo -c -o librfc3961_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-rand.Tpo $(DEPDIR)/librfc3961_la-crypto-rand.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-rand.c' object='librfc3961_la-crypto-rand.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-rand.lo `test -f 'crypto-rand.c' || echo '$(srcdir)/'`crypto-rand.c
-
-librfc3961_la-crypto-stubs.lo: crypto-stubs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-crypto-stubs.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-crypto-stubs.Tpo -c -o librfc3961_la-crypto-stubs.lo `test -f 'crypto-stubs.c' || echo '$(srcdir)/'`crypto-stubs.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-crypto-stubs.Tpo $(DEPDIR)/librfc3961_la-crypto-stubs.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto-stubs.c' object='librfc3961_la-crypto-stubs.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-crypto-stubs.lo `test -f 'crypto-stubs.c' || echo '$(srcdir)/'`crypto-stubs.c
-
-librfc3961_la-data.lo: data.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-data.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-data.Tpo -c -o librfc3961_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-data.Tpo $(DEPDIR)/librfc3961_la-data.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='data.c' object='librfc3961_la-data.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-data.lo `test -f 'data.c' || echo '$(srcdir)/'`data.c
-
-librfc3961_la-enomem.lo: enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-enomem.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-enomem.Tpo -c -o librfc3961_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-enomem.Tpo $(DEPDIR)/librfc3961_la-enomem.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='enomem.c' object='librfc3961_la-enomem.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-enomem.lo `test -f 'enomem.c' || echo '$(srcdir)/'`enomem.c
-
-librfc3961_la-error_string.lo: error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-error_string.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-error_string.Tpo -c -o librfc3961_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-error_string.Tpo $(DEPDIR)/librfc3961_la-error_string.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='error_string.c' object='librfc3961_la-error_string.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-error_string.lo `test -f 'error_string.c' || echo '$(srcdir)/'`error_string.c
-
-librfc3961_la-keyblock.lo: keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-keyblock.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-keyblock.Tpo -c -o librfc3961_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-keyblock.Tpo $(DEPDIR)/librfc3961_la-keyblock.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='keyblock.c' object='librfc3961_la-keyblock.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-keyblock.lo `test -f 'keyblock.c' || echo '$(srcdir)/'`keyblock.c
-
-librfc3961_la-n-fold.lo: n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-n-fold.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-n-fold.Tpo -c -o librfc3961_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-n-fold.Tpo $(DEPDIR)/librfc3961_la-n-fold.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='n-fold.c' object='librfc3961_la-n-fold.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-n-fold.lo `test -f 'n-fold.c' || echo '$(srcdir)/'`n-fold.c
-
-librfc3961_la-salt.lo: salt.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt.Tpo -c -o librfc3961_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt.Tpo $(DEPDIR)/librfc3961_la-salt.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt.c' object='librfc3961_la-salt.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt.lo `test -f 'salt.c' || echo '$(srcdir)/'`salt.c
-
-librfc3961_la-salt-aes-sha1.lo: salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-aes-sha1.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-aes-sha1.Tpo -c -o librfc3961_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-aes-sha1.Tpo $(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha1.c' object='librfc3961_la-salt-aes-sha1.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-aes-sha1.lo `test -f 'salt-aes-sha1.c' || echo '$(srcdir)/'`salt-aes-sha1.c
-
-librfc3961_la-salt-aes-sha2.lo: salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-aes-sha2.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-aes-sha2.Tpo -c -o librfc3961_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-aes-sha2.Tpo $(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-aes-sha2.c' object='librfc3961_la-salt-aes-sha2.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-aes-sha2.lo `test -f 'salt-aes-sha2.c' || echo '$(srcdir)/'`salt-aes-sha2.c
-
-librfc3961_la-salt-arcfour.lo: salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-arcfour.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-arcfour.Tpo -c -o librfc3961_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-arcfour.Tpo $(DEPDIR)/librfc3961_la-salt-arcfour.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-arcfour.c' object='librfc3961_la-salt-arcfour.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-arcfour.lo `test -f 'salt-arcfour.c' || echo '$(srcdir)/'`salt-arcfour.c
-
-librfc3961_la-salt-des.lo: salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-des.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-des.Tpo -c -o librfc3961_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-des.Tpo $(DEPDIR)/librfc3961_la-salt-des.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des.c' object='librfc3961_la-salt-des.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-des.lo `test -f 'salt-des.c' || echo '$(srcdir)/'`salt-des.c
-
-librfc3961_la-salt-des3.lo: salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-salt-des3.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-salt-des3.Tpo -c -o librfc3961_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-salt-des3.Tpo $(DEPDIR)/librfc3961_la-salt-des3.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='salt-des3.c' object='librfc3961_la-salt-des3.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-salt-des3.lo `test -f 'salt-des3.c' || echo '$(srcdir)/'`salt-des3.c
-
-librfc3961_la-sp800-108-kdf.lo: sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-sp800-108-kdf.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-sp800-108-kdf.Tpo -c -o librfc3961_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-sp800-108-kdf.Tpo $(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sp800-108-kdf.c' object='librfc3961_la-sp800-108-kdf.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-sp800-108-kdf.lo `test -f 'sp800-108-kdf.c' || echo '$(srcdir)/'`sp800-108-kdf.c
-
-librfc3961_la-store-int.lo: store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-store-int.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-store-int.Tpo -c -o librfc3961_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-store-int.Tpo $(DEPDIR)/librfc3961_la-store-int.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='store-int.c' object='librfc3961_la-store-int.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-store-int.lo `test -f 'store-int.c' || echo '$(srcdir)/'`store-int.c
-
-librfc3961_la-warn.lo: warn.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT librfc3961_la-warn.lo -MD -MP -MF $(DEPDIR)/librfc3961_la-warn.Tpo -c -o librfc3961_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/librfc3961_la-warn.Tpo $(DEPDIR)/librfc3961_la-warn.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='warn.c' object='librfc3961_la-warn.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(librfc3961_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o librfc3961_la-warn.lo `test -f 'warn.c' || echo '$(srcdir)/'`warn.c
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-install-man3: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man3dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man3dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man3dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.3[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \
- done; }
-
-uninstall-man3:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man3dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.3[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man3dir)'; $(am__uninstall_files_from_dir)
-install-man5: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man5dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.5[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
- done; }
-
-uninstall-man5:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man5dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.5[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
-install-man7: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man7dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man7dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man7dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.7[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man7dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man7dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man7dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man7dir)" || exit $$?; }; \
- done; }
-
-uninstall-man7:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man7dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.7[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man7dir)'; $(am__uninstall_files_from_dir)
-install-man8: $(man_MANS)
- @$(NORMAL_INSTALL)
- @list1=''; \
- list2='$(man_MANS)'; \
- test -n "$(man8dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.8[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
- done; }
-
-uninstall-man8:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man8dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.8[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
-install-dist_includeHEADERS: $(dist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-dist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-install-krb5HEADERS: $(krb5_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(krb5_HEADERS)'; test -n "$(krb5dir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(krb5dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(krb5dir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(krb5dir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(krb5dir)" || exit $$?; \
- done
-
-uninstall-krb5HEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(krb5_HEADERS)'; test -n "$(krb5dir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(krb5dir)'; $(am__uninstall_files_from_dir)
-install-nodist_includeHEADERS: $(nodist_include_HEADERS)
- @$(NORMAL_INSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; \
- done | $(am__base_list) | \
- while read files; do \
- echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
- $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
- done
-
-uninstall-nodist_includeHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
- files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
- dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
-
-ID: $(am__tagged_files)
- $(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- set x; \
- here=`pwd`; \
- $(am__define_uniq_tagged_files); \
- shift; \
- if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
- test -n "$$unique" || unique=$$empty_fix; \
- if test $$# -gt 0; then \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- "$$@" $$unique; \
- else \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$unique; \
- fi; \
- fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- $(am__define_uniq_tagged_files); \
- test -z "$(CTAGS_ARGS)$$unique" \
- || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && $(am__cd) $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
- list='$(am__tagged_files)'; \
- case "$(srcdir)" in \
- [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
- *) sdir=$(subdir)/$(srcdir) ;; \
- esac; \
- for i in $$list; do \
- if test -f "$$i"; then \
- echo "$(subdir)/$$i"; \
- else \
- echo "$$sdir/$$i"; \
- fi; \
- done >> $(top_builddir)/cscope.files
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-# Recover from deleted '.trs' file; this should ensure that
-# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
-# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells
-# to avoid problems with "make -n".
-.log.trs:
- rm -f $< $@
- $(MAKE) $(AM_MAKEFLAGS) $<
-
-# Leading 'am--fnord' is there to ensure the list of targets does not
-# expand to empty, as could happen e.g. with make check TESTS=''.
-am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
-am--force-recheck:
- @:
-
-$(TEST_SUITE_LOG): $(TEST_LOGS)
- @$(am__set_TESTS_bases); \
- am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
- redo_bases=`for i in $$bases; do \
- am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
- done`; \
- if test -n "$$redo_bases"; then \
- redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
- redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
- if $(am__make_dryrun); then :; else \
- rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
- fi; \
- fi; \
- if test -n "$$am__remaking_logs"; then \
- echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
- "recursion detected" >&2; \
- elif test -n "$$redo_logs"; then \
- am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
- fi; \
- if $(am__make_dryrun); then :; else \
- st=0; \
- errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
- for i in $$redo_bases; do \
- test -f $$i.trs && test -r $$i.trs \
- || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
- test -f $$i.log && test -r $$i.log \
- || { echo "$$errmsg $$i.log" >&2; st=1; }; \
- done; \
- test $$st -eq 0 || exit 1; \
- fi
- @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
- ws='[ ]'; \
- results=`for b in $$bases; do echo $$b.trs; done`; \
- test -n "$$results" || results=/dev/null; \
- all=` grep "^$$ws*:test-result:" $$results | wc -l`; \
- pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \
- fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \
- skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \
- xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
- xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
- error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
- if test `expr $$fail + $$xpass + $$error` -eq 0; then \
- success=true; \
- else \
- success=false; \
- fi; \
- br='==================='; br=$$br$$br$$br$$br; \
- result_count () \
- { \
- if test x"$$1" = x"--maybe-color"; then \
- maybe_colorize=yes; \
- elif test x"$$1" = x"--no-color"; then \
- maybe_colorize=no; \
- else \
- echo "$@: invalid 'result_count' usage" >&2; exit 4; \
- fi; \
- shift; \
- desc=$$1 count=$$2; \
- if test $$maybe_colorize = yes && test $$count -gt 0; then \
- color_start=$$3 color_end=$$std; \
- else \
- color_start= color_end=; \
- fi; \
- echo "$${color_start}# $$desc $$count$${color_end}"; \
- }; \
- create_testsuite_report () \
- { \
- result_count $$1 "TOTAL:" $$all "$$brg"; \
- result_count $$1 "PASS: " $$pass "$$grn"; \
- result_count $$1 "SKIP: " $$skip "$$blu"; \
- result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
- result_count $$1 "FAIL: " $$fail "$$red"; \
- result_count $$1 "XPASS:" $$xpass "$$red"; \
- result_count $$1 "ERROR:" $$error "$$mgn"; \
- }; \
- { \
- echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \
- $(am__rst_title); \
- create_testsuite_report --no-color; \
- echo; \
- echo ".. contents:: :depth: 2"; \
- echo; \
- for b in $$bases; do echo $$b; done \
- | $(am__create_global_log); \
- } >$(TEST_SUITE_LOG).tmp || exit 1; \
- mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \
- if $$success; then \
- col="$$grn"; \
- else \
- col="$$red"; \
- test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
- fi; \
- echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \
- echo "$${col}$$br$${std}"; \
- create_testsuite_report --maybe-color; \
- echo "$$col$$br$$std"; \
- if $$success; then :; else \
- echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \
- if test -n "$(PACKAGE_BUGREPORT)"; then \
- echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \
- fi; \
- echo "$$col$$br$$std"; \
- fi; \
- $$success || exit 1
-
-check-TESTS: $(check_PROGRAMS) $(check_DATA)
- @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list
- @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- trs_list=`for i in $$bases; do echo $$i.trs; done`; \
- log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
- exit $$?;
-recheck: all $(check_PROGRAMS) $(check_DATA)
- @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
- @set +e; $(am__set_TESTS_bases); \
- bases=`for i in $$bases; do echo $$i; done \
- | $(am__list_recheck_tests)` || exit 1; \
- log_list=`for i in $$bases; do echo $$i.log; done`; \
- log_list=`echo $$log_list`; \
- $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
- am__force_recheck=am--force-recheck \
- TEST_LOGS="$$log_list"; \
- exit $$?
-aes-test.log: aes-test$(EXEEXT)
- @p='aes-test$(EXEEXT)'; \
- b='aes-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-derived-key-test.log: derived-key-test$(EXEEXT)
- @p='derived-key-test$(EXEEXT)'; \
- b='derived-key-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-n-fold-test.log: n-fold-test$(EXEEXT)
- @p='n-fold-test$(EXEEXT)'; \
- b='n-fold-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-parse-name-test.log: parse-name-test$(EXEEXT)
- @p='parse-name-test$(EXEEXT)'; \
- b='parse-name-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-pseudo-random-test.log: pseudo-random-test$(EXEEXT)
- @p='pseudo-random-test$(EXEEXT)'; \
- b='pseudo-random-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-store-test.log: store-test$(EXEEXT)
- @p='store-test$(EXEEXT)'; \
- b='store-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-string-to-key-test.log: string-to-key-test$(EXEEXT)
- @p='string-to-key-test$(EXEEXT)'; \
- b='string-to-key-test'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_acl.log: test_acl$(EXEEXT)
- @p='test_acl$(EXEEXT)'; \
- b='test_acl'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_addr.log: test_addr$(EXEEXT)
- @p='test_addr$(EXEEXT)'; \
- b='test_addr'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_cc.log: test_cc$(EXEEXT)
- @p='test_cc$(EXEEXT)'; \
- b='test_cc'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_config.log: test_config$(EXEEXT)
- @p='test_config$(EXEEXT)'; \
- b='test_config'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_fx.log: test_fx$(EXEEXT)
- @p='test_fx$(EXEEXT)'; \
- b='test_fx'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_prf.log: test_prf$(EXEEXT)
- @p='test_prf$(EXEEXT)'; \
- b='test_prf'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_store.log: test_store$(EXEEXT)
- @p='test_store$(EXEEXT)'; \
- b='test_store'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_crypto_wrapping.log: test_crypto_wrapping$(EXEEXT)
- @p='test_crypto_wrapping$(EXEEXT)'; \
- b='test_crypto_wrapping'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_keytab.log: test_keytab$(EXEEXT)
- @p='test_keytab$(EXEEXT)'; \
- b='test_keytab'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_mem.log: test_mem$(EXEEXT)
- @p='test_mem$(EXEEXT)'; \
- b='test_mem'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pac.log: test_pac$(EXEEXT)
- @p='test_pac$(EXEEXT)'; \
- b='test_pac'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_plugin.log: test_plugin$(EXEEXT)
- @p='test_plugin$(EXEEXT)'; \
- b='test_plugin'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_princ.log: test_princ$(EXEEXT)
- @p='test_princ$(EXEEXT)'; \
- b='test_princ'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pkinit_dh2key.log: test_pkinit_dh2key$(EXEEXT)
- @p='test_pkinit_dh2key$(EXEEXT)'; \
- b='test_pkinit_dh2key'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_pknistkdf.log: test_pknistkdf$(EXEEXT)
- @p='test_pknistkdf$(EXEEXT)'; \
- b='test_pknistkdf'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_time.log: test_time$(EXEEXT)
- @p='test_time$(EXEEXT)'; \
- b='test_time'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_expand_toks.log: test_expand_toks$(EXEEXT)
- @p='test_expand_toks$(EXEEXT)'; \
- b='test_expand_toks'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-test_x500.log: test_x500$(EXEEXT)
- @p='test_x500$(EXEEXT)'; \
- b='test_x500'; \
- $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-.test.log:
- @p='$<'; \
- $(am__set_b); \
- $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
- --log-file $$b.log --trs-file $$b.trs \
- $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
- "$$tst" $(AM_TESTS_FD_REDIRECT)
-@am__EXEEXT_TRUE@.test$(EXEEXT).log:
-@am__EXEEXT_TRUE@ @p='$<'; \
-@am__EXEEXT_TRUE@ $(am__set_b); \
-@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
-@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
-@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
-@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-distdir: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) distdir-am
-
-distdir-am: $(DISTFILES)
- @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- list='$(DISTFILES)'; \
- dist_files=`for file in $$list; do echo $$file; done | \
- sed -e "s|^$$srcdirstrip/||;t" \
- -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
- case $$dist_files in \
- */*) $(MKDIR_P) `echo "$$dist_files" | \
- sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
- sort -u` ;; \
- esac; \
- for file in $$dist_files; do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- if test -d $$d/$$file; then \
- dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test -d "$(distdir)/$$file"; then \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
- else \
- test -f "$(distdir)/$$file" \
- || cp -p $$d/$$file "$(distdir)/$$file" \
- || exit 1; \
- fi; \
- done
- $(MAKE) $(AM_MAKEFLAGS) \
- top_distdir="$(top_distdir)" distdir="$(distdir)" \
- dist-hook
-check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_DATA)
- $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
-check: check-am
-all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(HEADERS) \
- all-local
-install-binPROGRAMS: install-libLTLIBRARIES
-
-install-checkPROGRAMS: install-libLTLIBRARIES
-
-installdirs:
- for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"; do \
- test -z "$$dir" || $(MKDIR_P) "$$dir"; \
- done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- if test -z '$(STRIP)'; then \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- install; \
- else \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
- fi
-mostlyclean-generic:
- -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
- -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
- -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
-
-clean-generic:
- -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-
-distclean-generic:
- -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
- -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
- clean-libLTLIBRARIES clean-libtool clean-noinstLTLIBRARIES \
- clean-noinstPROGRAMS mostlyclean-am
-
-distclean: distclean-am
- -rm -f ./$(DEPDIR)/aes-test.Po
- -rm -f ./$(DEPDIR)/derived-key-test.Po
- -rm -f ./$(DEPDIR)/krbhst-test.Po
- -rm -f ./$(DEPDIR)/libkrb5_la-acache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-acl.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-add_et_list.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-addr_families.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-appdefault.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-auth_context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_auth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-cache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-changepw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-codec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-config_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-constants.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-convert_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-data.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-db_plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-dcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-deprecated.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-digest.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-doxygen.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-enomem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-error_string.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_path.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fast.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_addrs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_port.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-heim_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-k524_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kcm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_any.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb5_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krbhst.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kuserok.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-log.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-misc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mit_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_read.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_write.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pac.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-padata.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prog_setup.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-read_message.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-recvauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-replay.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-scache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sendauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sock_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store-int.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_emem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_fd.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_mem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_sock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-ticket.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-time.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-transited.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_init.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_user.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-version.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-warn.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-write_message.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crc.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-data.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-enomem.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-error_string.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-store-int.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-warn.Plo
- -rm -f ./$(DEPDIR)/n-fold-test.Po
- -rm -f ./$(DEPDIR)/parse-name-test.Po
- -rm -f ./$(DEPDIR)/pseudo-random-test.Po
- -rm -f ./$(DEPDIR)/store-test.Po
- -rm -f ./$(DEPDIR)/string-to-key-test.Po
- -rm -f ./$(DEPDIR)/test_acl.Po
- -rm -f ./$(DEPDIR)/test_addr.Po
- -rm -f ./$(DEPDIR)/test_alname.Po
- -rm -f ./$(DEPDIR)/test_ap-req.Po
- -rm -f ./$(DEPDIR)/test_canon.Po
- -rm -f ./$(DEPDIR)/test_cc.Po
- -rm -f ./$(DEPDIR)/test_config.Po
- -rm -f ./$(DEPDIR)/test_crypto.Po
- -rm -f ./$(DEPDIR)/test_crypto_wrapping.Po
- -rm -f ./$(DEPDIR)/test_expand_toks.Po
- -rm -f ./$(DEPDIR)/test_forward.Po
- -rm -f ./$(DEPDIR)/test_fx.Po
- -rm -f ./$(DEPDIR)/test_get_addrs.Po
- -rm -f ./$(DEPDIR)/test_gic.Po
- -rm -f ./$(DEPDIR)/test_hostname.Po
- -rm -f ./$(DEPDIR)/test_keytab.Po
- -rm -f ./$(DEPDIR)/test_kuserok.Po
- -rm -f ./$(DEPDIR)/test_mem.Po
- -rm -f ./$(DEPDIR)/test_pac.Po
- -rm -f ./$(DEPDIR)/test_pkinit_dh2key.Po
- -rm -f ./$(DEPDIR)/test_pknistkdf.Po
- -rm -f ./$(DEPDIR)/test_plugin.Po
- -rm -f ./$(DEPDIR)/test_prf.Po
- -rm -f ./$(DEPDIR)/test_princ.Po
- -rm -f ./$(DEPDIR)/test_renew.Po
- -rm -f ./$(DEPDIR)/test_rfc3961.Po
- -rm -f ./$(DEPDIR)/test_set_kvno0.Po
- -rm -f ./$(DEPDIR)/test_store.Po
- -rm -f ./$(DEPDIR)/test_time.Po
- -rm -f ./$(DEPDIR)/test_x500.Po
- -rm -f ./$(DEPDIR)/verify_krb5_conf.Po
- -rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-dist_includeHEADERS install-krb5HEADERS \
- install-man install-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-data-hook
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-binPROGRAMS install-exec-local \
- install-libLTLIBRARIES
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man: install-man3 install-man5 install-man7 install-man8
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
- -rm -f ./$(DEPDIR)/aes-test.Po
- -rm -f ./$(DEPDIR)/derived-key-test.Po
- -rm -f ./$(DEPDIR)/krbhst-test.Po
- -rm -f ./$(DEPDIR)/libkrb5_la-acache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-acl.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-add_et_list.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-addr_families.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-appdefault.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-auth_context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-build_auth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-cache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-changepw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-codec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-config_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-constants.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-context.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-convert_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-crypto.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-data.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-db_plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-dcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-deprecated.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-digest.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-doxygen.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-enomem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-error_string.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-expand_path.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fast.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-fcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_addrs.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-get_port.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-heim_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-k524_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kcm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_any.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_file.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb5_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krb_err.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-krbhst.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-kuserok.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-log.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-misc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mit_glue.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-mk_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_read.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-net_write.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pac.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-padata.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pcache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-pkinit.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-plugin.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prog_setup.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_cred.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_error.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_priv.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_rep.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_req.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-rd_safe.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-read_message.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-recvauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-replay.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-salt.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-scache.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sendauth.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sock_principal.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store-int.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_emem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_fd.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_mem.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-store_sock.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-ticket.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-time.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-transited.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_init.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-verify_user.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-version.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-warn.Plo
- -rm -f ./$(DEPDIR)/libkrb5_la-write_message.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crc.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-null.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-crypto.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-data.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-enomem.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-error_string.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-keyblock.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-n-fold.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt-des3.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-salt.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-store-int.Plo
- -rm -f ./$(DEPDIR)/librfc3961_la-warn.Plo
- -rm -f ./$(DEPDIR)/n-fold-test.Po
- -rm -f ./$(DEPDIR)/parse-name-test.Po
- -rm -f ./$(DEPDIR)/pseudo-random-test.Po
- -rm -f ./$(DEPDIR)/store-test.Po
- -rm -f ./$(DEPDIR)/string-to-key-test.Po
- -rm -f ./$(DEPDIR)/test_acl.Po
- -rm -f ./$(DEPDIR)/test_addr.Po
- -rm -f ./$(DEPDIR)/test_alname.Po
- -rm -f ./$(DEPDIR)/test_ap-req.Po
- -rm -f ./$(DEPDIR)/test_canon.Po
- -rm -f ./$(DEPDIR)/test_cc.Po
- -rm -f ./$(DEPDIR)/test_config.Po
- -rm -f ./$(DEPDIR)/test_crypto.Po
- -rm -f ./$(DEPDIR)/test_crypto_wrapping.Po
- -rm -f ./$(DEPDIR)/test_expand_toks.Po
- -rm -f ./$(DEPDIR)/test_forward.Po
- -rm -f ./$(DEPDIR)/test_fx.Po
- -rm -f ./$(DEPDIR)/test_get_addrs.Po
- -rm -f ./$(DEPDIR)/test_gic.Po
- -rm -f ./$(DEPDIR)/test_hostname.Po
- -rm -f ./$(DEPDIR)/test_keytab.Po
- -rm -f ./$(DEPDIR)/test_kuserok.Po
- -rm -f ./$(DEPDIR)/test_mem.Po
- -rm -f ./$(DEPDIR)/test_pac.Po
- -rm -f ./$(DEPDIR)/test_pkinit_dh2key.Po
- -rm -f ./$(DEPDIR)/test_pknistkdf.Po
- -rm -f ./$(DEPDIR)/test_plugin.Po
- -rm -f ./$(DEPDIR)/test_prf.Po
- -rm -f ./$(DEPDIR)/test_princ.Po
- -rm -f ./$(DEPDIR)/test_renew.Po
- -rm -f ./$(DEPDIR)/test_rfc3961.Po
- -rm -f ./$(DEPDIR)/test_set_kvno0.Po
- -rm -f ./$(DEPDIR)/test_store.Po
- -rm -f ./$(DEPDIR)/test_time.Po
- -rm -f ./$(DEPDIR)/test_x500.Po
- -rm -f ./$(DEPDIR)/verify_krb5_conf.Po
- -rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-krb5HEADERS uninstall-libLTLIBRARIES uninstall-man \
- uninstall-nodist_includeHEADERS
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) uninstall-hook
-uninstall-man: uninstall-man3 uninstall-man5 uninstall-man7 \
- uninstall-man8
-
-.MAKE: check-am install-am install-data-am install-strip uninstall-am
-
-.PHONY: CTAGS GTAGS TAGS all all-am all-local am--depfiles check \
- check-TESTS check-am check-local clean clean-binPROGRAMS \
- clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
- clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \
- cscopelist-am ctags ctags-am dist-hook distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-binPROGRAMS install-data \
- install-data-am install-data-hook install-dist_includeHEADERS \
- install-dvi install-dvi-am install-exec install-exec-am \
- install-exec-local install-html install-html-am install-info \
- install-info-am install-krb5HEADERS install-libLTLIBRARIES \
- install-man install-man3 install-man5 install-man7 \
- install-man8 install-nodist_includeHEADERS install-pdf \
- install-pdf-am install-ps install-ps-am install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- recheck tags tags-am uninstall uninstall-am \
- uninstall-binPROGRAMS uninstall-dist_includeHEADERS \
- uninstall-hook uninstall-krb5HEADERS uninstall-libLTLIBRARIES \
- uninstall-man uninstall-man3 uninstall-man5 uninstall-man7 \
- uninstall-man8 uninstall-nodist_includeHEADERS
-
-.PRECIOUS: Makefile
-
-
-install-suid-programs:
- @foo='$(bin_SUIDS)'; \
- for file in $$foo; do \
- x=$(DESTDIR)$(bindir)/$$file; \
- if chown 0:0 $$x && chmod u+s $$x; then :; else \
- echo "*"; \
- echo "* Failed to install $$x setuid root"; \
- echo "*"; \
- fi; \
- done
-
-install-exec-local: install-suid-programs
-
-codesign-all:
- @if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \
- foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \
- for file in $$foo ; do \
- echo "CODESIGN $$file" ; \
- codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \
- done ; \
- fi
-
-all-local: codesign-all
-
-install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS)
- @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \
- for f in $$foo; do \
- f=`basename $$f`; \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f || true; \
- fi ; \
- done ; \
- foo='$(nobase_include_HEADERS)'; \
- for f in $$foo; do \
- if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
- else file="$$f"; fi; \
- $(mkdir_p) $(buildinclude)/`dirname $$f` ; \
- if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \
- : ; else \
- echo " $(CP) $$file $(buildinclude)/$$f"; \
- $(CP) $$file $(buildinclude)/$$f; \
- fi ; \
- done
-
-all-local: install-build-headers
-
-check-local::
- @if test '$(CHECK_LOCAL)' = "no-check-local"; then \
- foo=''; elif test '$(CHECK_LOCAL)'; then \
- foo='$(CHECK_LOCAL)'; else \
- foo='$(PROGRAMS)'; fi; \
- if test "$$foo"; then \
- failed=0; all=0; \
- for i in $$foo; do \
- all=`expr $$all + 1`; \
- if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \
- echo "PASS: $$i"; \
- else \
- echo "FAIL: $$i"; \
- failed=`expr $$failed + 1`; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="$$failed of $$all tests failed"; \
- fi; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0 || exit 1; \
- fi
-
-# It's useful for debugging to format generated sources. The default for all
-# clang-format styles is to sort includes, but in many cases in-tree we really
-# don't want to do that.
-.x.c:
- @if [ -z "$(CLANG_FORMAT)" ]; then \
- cmp -s $< $@ 2> /dev/null || cp $< $@; \
- else \
- cp $< $@.tmp.c; \
- $(CLANG_FORMAT) -style='{BasedOnStyle: Chromium, SortIncludes: false}' -i $@.tmp.c; \
- cmp -s $@.tmp.c $@ 2> /dev/null || mv $@.tmp.c $@; \
- fi
-
-.hx.h:
- @cmp -s $< $@ 2> /dev/null || cp $< $@;
-#NROFF_MAN = nroff -man
-.1.cat1:
- $(NROFF_MAN) $< > $@
-.3.cat3:
- $(NROFF_MAN) $< > $@
-.5.cat5:
- $(NROFF_MAN) $< > $@
-.7.cat7:
- $(NROFF_MAN) $< > $@
-.8.cat8:
- $(NROFF_MAN) $< > $@
-
-dist-cat1-mans:
- @foo='$(man1_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.1) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat3-mans:
- @foo='$(man3_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.3) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat5-mans:
- @foo='$(man5_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.5) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat7-mans:
- @foo='$(man7_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.7) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-cat8-mans:
- @foo='$(man8_MANS)'; \
- bar='$(man_MANS)'; \
- for i in $$bar; do \
- case $$i in \
- *.8) foo="$$foo $$i";; \
- esac; done ;\
- for i in $$foo; do \
- x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
- echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
- $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
- done
-
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans
-
-install-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-uninstall-cat-mans:
- $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
-
-install-data-hook: install-cat-mans
-uninstall-hook: uninstall-cat-mans
-
-.et.h:
- $(COMPILE_ET) $<
-.et.c:
- $(COMPILE_ET) $<
-
-#
-# Useful target for debugging
-#
-
-check-valgrind:
- tobjdir=`cd $(top_builddir) && pwd` ; \
- tsrcdir=`cd $(top_srcdir) && pwd` ; \
- env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
-
-#
-# Target to please samba build farm, builds distfiles in-tree.
-# Will break when automake changes...
-#
-
-distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
- list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
- if test "$$subdir" != .; then \
- (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \
- fi ; \
- done
-
-$(ALL_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
-$(ALL_OBJECTS): krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
-
-$(srcdir)/krb5-protos.h: $(headerdeps)
- @cd $(srcdir) && perl ../../cf/make-proto.pl -E KRB5_LIB -q -P comment -o krb5-protos.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-protos.h
-
-$(srcdir)/krb5-private.h: $(headerdeps)
- @cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5-private.h $(dist_libkrb5_la_SOURCES) || rm -f krb5-private.h
-
-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
-
-test_config_strings.out: test_config_strings.cfg
- $(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out
-
-#sysconf_DATA = krb5.moduli
-
-# to help stupid solaris make
-
-krb5_err.h: krb5_err.et
-
-krb_err.h: krb_err.et
-
-heim_err.h: heim_err.et
-
-k524_err.h: k524_err.et
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/lib/krb5/NTMakefile b/lib/krb5/NTMakefile
index b0848716cd1a..993e76fcc23f 100644
--- a/lib/krb5/NTMakefile
+++ b/lib/krb5/NTMakefile
@@ -1,20 +1,20 @@
########################################################################
#
-# Copyright (c) 2009 - 2016, Secure Endpoints Inc.
+# Copyright (c) 2009 - 2017, Secure Endpoints Inc.
# All rights reserved.
-#
+#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
-#
+#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
-#
+#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
-#
+#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
@@ -27,10 +27,12 @@
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
-#
+#
RELDIR=lib\krb5
+intcflags=-I$(SRCDIR) -I$(SRCDIR)\..\com_err -I$(SRCDIR)\..\base
+
!include ../../windows/NTMakefile.w32
libkrb5_OBJS = \
@@ -42,13 +44,13 @@ libkrb5_OBJS = \
$(OBJ)\appdefault.obj \
$(OBJ)\asn1_glue.obj \
$(OBJ)\auth_context.obj \
+ $(OBJ)\authdata.obj \
$(OBJ)\build_ap_req.obj \
$(OBJ)\build_auth.obj \
$(OBJ)\cache.obj \
$(OBJ)\changepw.obj \
$(OBJ)\codec.obj \
$(OBJ)\config_file.obj \
- $(OBJ)\config_reg.obj \
$(OBJ)\constants.obj \
$(OBJ)\context.obj \
$(OBJ)\convert_creds.obj \
@@ -103,10 +105,12 @@ libkrb5_OBJS = \
$(OBJ)\keytab_memory.obj \
$(OBJ)\krbhst.obj \
$(OBJ)\kuserok.obj \
+ $(OBJ)\kx509.obj \
$(OBJ)\log.obj \
$(OBJ)\mcache.obj \
$(OBJ)\misc.obj \
$(OBJ)\mit_glue.obj \
+ $(OBJ)\mk_cred.obj \
$(OBJ)\mk_error.obj \
$(OBJ)\mk_priv.obj \
$(OBJ)\mk_rep.obj \
@@ -152,6 +156,7 @@ libkrb5_OBJS = \
$(OBJ)\store_fd.obj \
$(OBJ)\store_mem.obj \
$(OBJ)\store_sock.obj \
+ $(OBJ)\store_stdio.obj \
$(OBJ)\ticket.obj \
$(OBJ)\time.obj \
$(OBJ)\transited.obj \
@@ -164,12 +169,13 @@ libkrb5_OBJS = \
libkrb5_gen_OBJS= \
$(OBJ)\krb5_err.obj \
$(OBJ)\krb_err.obj \
- $(OBJ)\heim_err.obj \
- $(OBJ)\k524_err.obj
+ $(OBJ)\k524_err.obj \
+ $(OBJ)\k5e1_err.obj
INCFILES= \
- $(INCDIR)\heim_err.h \
$(INCDIR)\k524_err.h \
+ $(INCDIR)\k5e1_err.h \
+ $(INCDIR)\kx509_err.h \
$(INCDIR)\kcm.h \
$(INCDIR)\krb_err.h \
$(INCDIR)\krb5.h \
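Review bot: libkrb5_gen_OBJS gains `$(OBJ)\k5e1_err.obj` but no `kx509_err.obj`, although INCFILES now lists `$(INCDIR)\kx509_err.h` and the last hunk of this file adds a compile_et rule producing kx509_err.c; unless kx509_err.obj is added to an object list outside these hunks, the generated source is never compiled into the Windows build. Adding `$(OBJ)\kx509_err.obj \` after the k5e1_err entry in this list closes that gap. The removal of heim_err.obj presumably reflects its move to another library; a one-line comment saying where it now lives would help readers of the NMAKE file.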
@@ -178,8 +184,13 @@ INCFILES= \
$(INCDIR)\krb5_locl.h \
$(INCDIR)\krb5-protos.h \
$(INCDIR)\krb5-private.h \
- $(INCDIR)\krb5-v4compat.h \
- $(INCDIR)\crypto.h
+ $(INCDIR)\crypto.h \
+ $(INCDIR)\an2ln_plugin.h \
+ $(INCDIR)\ccache_plugin.h \
+ $(INCDIR)\db_plugin.h \
+ $(INCDIR)\kuserok_plugin.h \
+ $(INCDIR)\locate_plugin.h \
+ $(INCDIR)\send_to_kdc_plugin.h
all:: $(INCFILES)
@@ -195,13 +206,13 @@ dist_libkrb5_la_SOURCES = \
appdefault.c \
asn1_glue.c \
auth_context.c \
+ authdata.c \
build_ap_req.c \
build_auth.c \
cache.c \
changepw.c \
codec.c \
config_file.c \
- config_reg.c \
constants.c \
context.c \
copy_host_realm.c \
@@ -255,12 +266,13 @@ dist_libkrb5_la_SOURCES = \
keytab_keyfile.c \
keytab_memory.c \
krb5_locl.h \
- krb5-v4compat.h \
krbhst.c \
kuserok.c \
+ kx509.c \
log.c \
mcache.c \
misc.c \
+ mk_cred.c \
mk_error.c \
mk_priv.c \
mk_rep.c \
@@ -307,6 +319,7 @@ dist_libkrb5_la_SOURCES = \
store_fd.c \
store_mem.c \
store_sock.c \
+ store_stdio.c \
pcache.c \
plugin.c \
ticket.c \
@@ -334,14 +347,19 @@ $(OBJ)\krb_err.c $(OBJ)\krb_err.h: krb_err.et
$(BINDIR)\compile_et.exe $(SRCDIR)\krb_err.et
cd $(SRCDIR)
-$(OBJ)\heim_err.c $(OBJ)\heim_err.h: heim_err.et
+$(OBJ)\k524_err.c $(OBJ)\k524_err.h: k524_err.et
cd $(OBJ)
- $(BINDIR)\compile_et.exe $(SRCDIR)\heim_err.et
+ $(BINDIR)\compile_et.exe $(SRCDIR)\k524_err.et
cd $(SRCDIR)
-$(OBJ)\k524_err.c $(OBJ)\k524_err.h: k524_err.et
+$(OBJ)\k5e1_err.c $(OBJ)\k5e1_err.h: k5e1_err.et
cd $(OBJ)
- $(BINDIR)\compile_et.exe $(SRCDIR)\k524_err.et
+ $(BINDIR)\compile_et.exe $(SRCDIR)\k5e1_err.et
+ cd $(SRCDIR)
+
+$(OBJ)\kx509_err.c $(OBJ)\kx509_err.h: kx509_err.et
+ cd $(OBJ)
+ $(BINDIR)\compile_et.exe $(SRCDIR)\kx509_err.et
cd $(SRCDIR)
#----------------------------------------------------------------------
diff --git a/lib/krb5/acache.c b/lib/krb5/acache.c
index 9d33df133c27..63d56c400bf5 100644
--- a/lib/krb5/acache.c
+++ b/lib/krb5/acache.c
@@ -35,9 +35,6 @@
#include "krb5_locl.h"
#include <krb5_ccapi.h>
-#ifdef HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
#ifndef KCM_IS_API_CACHE
@@ -52,6 +49,7 @@ static void *cc_handle;
typedef struct krb5_acc {
char *cache_name;
+ char *cache_subsidiary;
cc_context_t context;
cc_ccache_t ccache;
} krb5_acc;
@@ -90,6 +88,7 @@ static krb5_error_code
init_ccapi(krb5_context context)
{
const char *lib = NULL;
+ char *explib = NULL;
HEIMDAL_MUTEX_lock(&acc_mutex);
if (init_func) {
@@ -106,40 +105,25 @@ init_ccapi(krb5_context context)
if (lib == NULL) {
#ifdef __APPLE__
lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
-#elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
+#elif defined(_WIN32)
lib = "%{LIBDIR}/libkrb5_cc.dll";
#else
- lib = "/usr/lib/libkrb5_cc.so";
+ lib = "%{LIBDIR}/libkrb5_cc.so";
#endif
}
#ifdef HAVE_DLOPEN
-#ifndef RTLD_LAZY
-#define RTLD_LAZY 0
-#endif
-#ifndef RTLD_LOCAL
-#define RTLD_LOCAL 0
-#endif
-
-#ifdef KRB5_USE_PATH_TOKENS
- {
- char * explib = NULL;
- if (_krb5_expand_path_tokens(context, lib, 0, &explib) == 0) {
- cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
- free(explib);
- }
+ if (_krb5_expand_path_tokens(context, lib, 0, &explib) == 0) {
+ cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL|RTLD_GROUP);
+ free(explib);
}
-#else
- cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
-#endif
if (cc_handle == NULL) {
HEIMDAL_MUTEX_unlock(&acc_mutex);
- if (context)
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("Failed to load API cache module %s", "file"),
- lib);
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Failed to load API cache module %s", "file"),
+ lib);
return KRB5_CC_NOSUPP;
}
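Review bot: `RTLD_GROUP` in the dlopen call is a Solaris/illumos flag that glibc and the BSDs do not define, and this hunk also drops the `#ifndef RTLD_LAZY` / `#ifndef RTLD_LOCAL` fallback defines while the first hunk of this file removes the conditional `<dlfcn.h>` include; unless a roken header now supplies both the declarations and `RTLD_GROUP`, the `HAVE_DLOPEN` path stops compiling on those platforms. A fallback in the spirit of the removed ones, `#ifndef RTLD_GROUP` / `#define RTLD_GROUP 0` / `#endif`, keeps the call portable. The module path now always goes through `_krb5_expand_path_tokens`, so a failed expansion leaves `cc_handle` NULL and the error message reports the pre-expansion template in `lib`; a short comment stating that the reported name is the template would avoid confusion when debugging. init_ccapi's body continues outside the hunk.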
@@ -150,10 +134,9 @@ init_ccapi(krb5_context context)
dlsym(cc_handle, "krb5_ipc_client_clear_target");
HEIMDAL_MUTEX_unlock(&acc_mutex);
if (init_func == NULL) {
- if (context)
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("Failed to find cc_initialize"
- "in %s: %s", "file, error"), lib, dlerror());
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("Failed to find cc_initialize"
+ "in %s: %s", "file, error"), lib, dlerror());
dlclose(cc_handle);
return KRB5_CC_NOSUPP;
}
@@ -161,9 +144,8 @@ init_ccapi(krb5_context context)
return 0;
#else
HEIMDAL_MUTEX_unlock(&acc_mutex);
- if (context)
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("no support for shared object", ""));
+ krb5_set_error_message(context, KRB5_CC_NOSUPP,
+ N_("no support for shared object", ""));
return KRB5_CC_NOSUPP;
#endif
}
@@ -452,41 +434,51 @@ get_cc_name(krb5_acc *a)
}
-static const char* KRB5_CALLCONV
-acc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+acc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **colname,
+ const char **subsidiary)
{
+ krb5_error_code ret = 0;
krb5_acc *a = ACACHE(id);
int32_t error;
- if (a->cache_name == NULL) {
- krb5_error_code ret;
- krb5_principal principal;
- char *name;
+ if (name)
+ *name = NULL;
+ if (colname)
+ *colname = NULL;
+ if (subsidiary)
+ *subsidiary = NULL;
+ if (a->cache_subsidiary == NULL) {
+ krb5_principal principal = NULL;
ret = _krb5_get_default_principal_local(context, &principal);
- if (ret)
- return NULL;
-
- ret = krb5_unparse_name(context, principal, &name);
+ if (ret == 0)
+ ret = krb5_unparse_name(context, principal, &a->cache_subsidiary);
krb5_free_principal(context, principal);
if (ret)
- return NULL;
-
- error = (*a->context->func->create_new_ccache)(a->context,
- cc_credentials_v5,
- name,
- &a->ccache);
- krb5_xfree(name);
- if (error)
- return NULL;
-
- error = get_cc_name(a);
- if (error)
- return NULL;
+ return ret;
}
- return a->cache_name;
+ if (a->cache_name == NULL) {
+ error = (*a->context->func->create_new_ccache)(a->context,
+ cc_credentials_v5,
+ a->cache_subsidiary,
+ &a->ccache);
+ if (error == ccNoError)
+ error = get_cc_name(a);
+ if (error != ccNoError)
+ ret = translate_cc_error(context, error);
+ }
+ if (name)
+ *name = a->cache_name;
+ if (colname)
+ *colname = "";
+ if (subsidiary)
+ *subsidiary = a->cache_subsidiary;
+ return ret;
}
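Review bot: acc_get_name_2 has no comment describing its three out-parameters, and the tail assigns `*name`, `*colname` and `*subsidiary` even when `create_new_ccache` or `get_cc_name` failed, so a caller that ignores the return sees a NULL `*name` paired with an empty collection name. A header comment such as `/* API caches have no collection name, so *colname is always ""; *name and *subsidiary are only meaningful when 0 is returned */` makes the contract explicit, or alternatively `return ret;` right after `translate_cc_error` so the out-parameters are untouched on failure. Note also that `cache_subsidiary` is kept when creation fails, so a later call retries only the `create_new_ccache` step and not the principal lookup; that is sensible but worth a one-line comment.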
static krb5_error_code KRB5_CALLCONV
@@ -507,6 +499,10 @@ acc_alloc(krb5_context context, krb5_ccache *id)
}
a = ACACHE(*id);
+ a->cache_subsidiary = NULL;
+ a->cache_name = NULL;
+ a->context = NULL;
+ a->ccache = NULL;
error = (*init_func)(&a->context, ccapi_version_3, NULL, NULL);
if (error) {
@@ -514,17 +510,17 @@ acc_alloc(krb5_context context, krb5_ccache *id)
return translate_cc_error(context, error);
}
- a->cache_name = NULL;
-
return 0;
}
static krb5_error_code KRB5_CALLCONV
-acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+acc_resolve_2(krb5_context context, krb5_ccache *id, const char *res, const char *sub)
{
krb5_error_code ret;
+ cc_time_t offset;
cc_int32 error;
krb5_acc *a;
+ char *s = NULL;
ret = acc_alloc(context, id);
if (ret)
@@ -532,49 +528,60 @@ acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
a = ACACHE(*id);
- error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
- if (error == ccNoError) {
- cc_time_t offset;
- error = get_cc_name(a);
- if (error != ccNoError) {
+ if (sub) {
+ /*
+ * For API there's no such thing as a collection name, there's only the
+ * default collection. Though we could perhaps put a CCAPI shared
+ * object path in the collection name.
+ *
+ * So we'll treat (res && !sub) and (!res && sub) as the same cases.
+ *
+ * See also the KCM ccache type, where we have similar considerations.
+ */
+ if (asprintf(&s, "%s%s%s", res && *res ? res : "",
+ res && *res ? ":" : "", sub) == -1 || s == NULL ||
+ (a->cache_subsidiary = strdup(sub)) == NULL) {
acc_close(context, *id);
- *id = NULL;
- return translate_cc_error(context, error);
- }
-
- error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
- cc_credentials_v5,
- &offset);
- if (error == 0)
- context->kdc_sec_offset = offset;
+ free(s);
+ return krb5_enomem(context);
+ }
+ res = s;
+ /*
+ * XXX With a bit of extra refactoring we could use the collection name
+ * as the path to the shared object implementing CCAPI... For now we
+ * ignore the collection name.
+ */
+ }
- } else if (error == ccErrCCacheNotFound) {
- a->ccache = NULL;
- a->cache_name = NULL;
- } else {
- *id = NULL;
- return translate_cc_error(context, error);
+ error = (*a->context->func->open_ccache)(a->context, res, &a->ccache);
+ if (error == ccErrCCacheNotFound) {
+ a->ccache = NULL;
+ a->cache_name = NULL;
+ free(s);
+ return 0;
+ }
+ if (error == ccNoError)
+ error = get_cc_name(a);
+ if (error != ccNoError) {
+ acc_close(context, *id);
+ *id = NULL;
+ free(s);
+ return translate_cc_error(context, error);
}
+ error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
+ cc_credentials_v5,
+ &offset);
+ if (error == 0)
+ context->kdc_sec_offset = offset;
+ free(s);
return 0;
}
static krb5_error_code KRB5_CALLCONV
acc_gen_new(krb5_context context, krb5_ccache *id)
{
- krb5_error_code ret;
- krb5_acc *a;
-
- ret = acc_alloc(context, id);
- if (ret)
- return ret;
-
- a = ACACHE(*id);
-
- a->ccache = NULL;
- a->cache_name = NULL;
-
- return 0;
+ return acc_alloc(context, id);
}
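Review bot: The allocation-failure path after the `asprintf` call closes the cache with `acc_close(context, *id)` but, unlike the `open_ccache` failure path further down, does not set `*id = NULL`, so the caller receives a closed handle together with the ENOMEM return. Adding `*id = NULL;` directly after that `acc_close` call brings the two error paths in line. The same branch calls `free(s)` after a failed `asprintf`, and the C library may leave `s` indeterminate on failure rather than NULL; testing the call separately, `if (asprintf(&s, ...) == -1) s = NULL;`, before the combined NULL check avoids relying on the initialiser. Since `a->cache_subsidiary` is only set inside the `sub` branch, a resolve without a subsidiary leaves it NULL for acc_get_name_2 to populate later, which a comment on that branch could say.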
static krb5_error_code KRB5_CALLCONV
@@ -978,6 +985,7 @@ acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
static krb5_error_code KRB5_CALLCONV
acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
+ krb5_error_code ret;
krb5_acc *afrom = ACACHE(from);
krb5_acc *ato = ACACHE(to);
int32_t error;
@@ -1001,10 +1009,10 @@ acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
}
error = (*ato->ccache->func->move)(afrom->ccache, ato->ccache);
-
- acc_destroy(context, from);
-
- return translate_cc_error(context, error);
+ ret = translate_cc_error(context, error);
+ if (ret == 0)
+ krb5_cc_destroy(context, from);
+ return ret;
}
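Review bot: The return value of `krb5_cc_destroy(context, from)` is discarded, so a successful move whose source cache cannot be destroyed returns 0 and silently leaves the credentials present in both caches. If the contract is that the source is gone after a successful move, `if (ret == 0) ret = krb5_cc_destroy(context, from);` reports the failure; if destroying the source is best-effort here, a one-line comment saying so stops the next reader from adding the check. acc_move's body begins outside the hunk.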
static krb5_error_code KRB5_CALLCONV
@@ -1086,10 +1094,10 @@ acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"API",
- acc_get_name,
- acc_resolve,
+ NULL,
+ NULL,
acc_gen_new,
acc_initialize,
acc_destroy,
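Review bot: The two `NULL` entries replacing `acc_get_name` and `acc_resolve` in `krb5_acc_ops` are unlabelled, and the `acc_get_name_2` / `acc_resolve_2` entries appended in the following hunk are equally bare, so a reader has to count positions against the `krb5_cc_ops` definition to see which slots changed with `KRB5_CC_OPS_VERSION_5`. Trailing comments such as `NULL, /* get_name: superseded by acc_get_name_2 */` and `NULL, /* resolve: superseded by acc_resolve_2 */`, plus matching tags on the two new entries naming the slot each fills, document the layout in place. This applies to both table hunks in this file.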
@@ -1112,6 +1120,8 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
acc_lastchange,
NULL,
NULL,
+ acc_get_name_2,
+ acc_resolve_2
};
#endif
diff --git a/lib/krb5/acl.c b/lib/krb5/acl.c
index 4365a7a0f5d8..d3196148287e 100644
--- a/lib/krb5/acl.c
+++ b/lib/krb5/acl.c
@@ -119,7 +119,7 @@ acl_match_field(krb5_context context,
struct acl_field *field)
{
if(field->type == acl_string) {
- return !strcmp(field->u.cstr, string);
+ return strcmp(field->u.cstr, string) == 0;
} else if(field->type == acl_fnmatch) {
return !fnmatch(field->u.cstr, string, 0);
} else if(field->type == acl_retval) {
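Review bot: Only the `strcmp` branch is rewritten to the `== 0` form while the `fnmatch` branch directly below keeps the negation idiom, so the function now mixes two styles for the same "match succeeded" test. For consistency, `return fnmatch(field->u.cstr, string, 0) == 0;`. acl_match_field's signature begins outside the hunk.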
diff --git a/lib/krb5/add_et_list.c b/lib/krb5/add_et_list.c
index 082014e107a7..1a289eeaec1c 100644
--- a/lib/krb5/add_et_list.c
+++ b/lib/krb5/add_et_list.c
@@ -48,9 +48,7 @@
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_et_list (krb5_context context,
- void (*func)(struct et_list **))
+krb5_add_et_list(krb5_context context, void (*func)(struct et_list **))
{
- (*func)(&context->et_list);
- return 0;
+ return heim_add_et_list(context->hcontext, func);
}
diff --git a/lib/krb5/addr_families.c b/lib/krb5/addr_families.c
index 16fe4a8c1e46..7d13211a28db 100644
--- a/lib/krb5/addr_families.c
+++ b/lib/krb5/addr_families.c
@@ -543,7 +543,13 @@ arange_parse_addr (krb5_context context,
return ret;
}
- krb5_data_alloc(&addr->address, sizeof(*a));
+ ret = krb5_data_alloc(&addr->address, sizeof(*a));
+ if (ret) {
+ krb5_free_address(context, &low0);
+ krb5_free_address(context, &high0);
+ return ret;
+ }
+
addr->addr_type = KRB5_ADDRESS_ARANGE;
a = addr->address.data;
@@ -728,7 +734,7 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
return ret_len;
}
-static struct addr_operations at[] = {
+static const struct addr_operations at[] = {
{
AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
ipv4_sockaddr2addr,
@@ -804,7 +810,7 @@ static struct addr_operations at[] = {
}
};
-static int num_addrs = sizeof(at) / sizeof(at[0]);
+static const size_t num_addrs = sizeof(at) / sizeof(at[0]);
static size_t max_sockaddr_size = 0;
@@ -812,25 +818,27 @@ static size_t max_sockaddr_size = 0;
* generic functions
*/
-static struct addr_operations *
+static const struct addr_operations *
find_af(int af)
{
- struct addr_operations *a;
+ size_t i;
- for (a = at; a < at + num_addrs; ++a)
- if (af == a->af)
- return a;
+ for (i = 0; i < num_addrs; i++) {
+ if (af == at[i].af)
+ return &at[i];
+ }
return NULL;
}
-static struct addr_operations *
+static const struct addr_operations *
find_atype(krb5_address_type atype)
{
- struct addr_operations *a;
+ size_t i;
- for (a = at; a < at + num_addrs; ++a)
- if (atype == a->atype)
- return a;
+ for (i = 0; i < num_addrs; i++) {
+ if (atype == at[i].atype)
+ return &at[i];
+ }
return NULL;
}
@@ -851,7 +859,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2address (krb5_context context,
const struct sockaddr *sa, krb5_address *addr)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""),
@@ -879,7 +887,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2port (krb5_context context,
const struct sockaddr *sa, int16_t *port)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""),
@@ -917,7 +925,7 @@ krb5_addr2sockaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
- struct addr_operations *a = find_atype(addr->addr_type);
+ const struct addr_operations *a = find_atype(addr->addr_type);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@@ -950,10 +958,10 @@ KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
krb5_max_sockaddr_size (void)
{
if (max_sockaddr_size == 0) {
- struct addr_operations *a;
+ size_t i;
- for(a = at; a < at + num_addrs; ++a)
- max_sockaddr_size = max(max_sockaddr_size, a->max_sockaddr_size);
+ for (i = 0; i < num_addrs; i++)
+ max_sockaddr_size = max(max_sockaddr_size, at[i].max_sockaddr_size);
}
return max_sockaddr_size;
}
@@ -973,7 +981,7 @@ krb5_max_sockaddr_size (void)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_uninteresting(const struct sockaddr *sa)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL || a->uninteresting == NULL)
return TRUE;
return (*a->uninteresting)(sa);
@@ -982,7 +990,7 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_is_loopback(const struct sockaddr *sa)
{
- struct addr_operations *a = find_af(sa->sa_family);
+ const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL || a->is_loopback == NULL)
return TRUE;
return (*a->is_loopback)(sa);
@@ -1014,7 +1022,7 @@ krb5_h_addr2sockaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
- struct addr_operations *a = find_af(af);
+ const struct addr_operations *a = find_af(af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
"Address family %d not supported", af);
@@ -1043,7 +1051,7 @@ krb5_h_addr2addr (krb5_context context,
int af,
const char *haddr, krb5_address *addr)
{
- struct addr_operations *a = find_af(af);
+ const struct addr_operations *a = find_af(af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""), af);
@@ -1076,7 +1084,7 @@ krb5_anyaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
- struct addr_operations *a = find_af (af);
+ const struct addr_operations *a = find_af (af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@@ -1108,7 +1116,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_print_address (const krb5_address *addr,
char *str, size_t len, size_t *ret_len)
{
- struct addr_operations *a = find_atype(addr->addr_type);
+ const struct addr_operations *a = find_atype(addr->addr_type);
int ret;
if (a == NULL || a->print_addr == NULL) {
@@ -1141,6 +1149,32 @@ krb5_print_address (const krb5_address *addr,
return 0;
}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_parse_address_no_lookup(krb5_context context,
+ const char *string,
+ krb5_addresses *addresses)
+{
+ int i;
+
+ addresses->len = 0;
+ addresses->val = NULL;
+
+ for(i = 0; i < num_addrs; i++) {
+ if(at[i].parse_addr) {
+ krb5_address addr;
+ if((*at[i].parse_addr)(context, string, &addr) == 0) {
+ ALLOC_SEQ(addresses, 1);
+ if (addresses->val == NULL)
+ return krb5_enomem(context);
+ addresses->val[0] = addr;
+ return 0;
+ }
+ }
+ }
+
+ return -1;
+}
+
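Review bot: `_krb5_parse_address_no_lookup` iterates with `int i` against `num_addrs`, which this commit turns into a `const size_t` earlier in the file, so the comparison is now signed/unsigned and out of step with the `size_t i` used in the rewritten find_af and find_atype loops; `size_t i;` fixes both. The function also has no header comment, and its `-1` return is a plain sentinel rather than a krb5_error_code, which krb5_parse_address relies on; a comment such as `/* Parse a numeric address only, no name lookup; returns 0 on success, -1 if no address family accepted the string, else a krb5 error code */` records that contract. Exporting an underscore-prefixed symbol with KRB5_LIB_FUNCTION is presumably intentional for use elsewhere in the tree; a note to that effect would pre-empt the question.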
/**
* krb5_parse_address returns the resolved hostname in string to the
* krb5_addresses addresses .
@@ -1159,6 +1193,7 @@ krb5_parse_address(krb5_context context,
const char *string,
krb5_addresses *addresses)
{
+ krb5_error_code ret;
int i, n;
struct addrinfo *ai, *a;
struct addrinfo hint;
@@ -1168,18 +1203,9 @@ krb5_parse_address(krb5_context context,
addresses->len = 0;
addresses->val = NULL;
- for(i = 0; i < num_addrs; i++) {
- if(at[i].parse_addr) {
- krb5_address addr;
- if((*at[i].parse_addr)(context, string, &addr) == 0) {
- ALLOC_SEQ(addresses, 1);
- if (addresses->val == NULL)
- return krb5_enomem(context);
- addresses->val[0] = addr;
- return 0;
- }
- }
- }
+ ret = _krb5_parse_address_no_lookup(context, string, addresses);
+ if (ret == 0 || ret != -1)
+ return ret;
/* if not parsed as numeric address, do a name lookup */
memset(&hint, 0, sizeof(hint));
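Review bot: The condition `ret == 0 || ret != -1` is equivalent to `ret != -1`, since a zero `ret` already satisfies the second test, and the redundant form reads as though two distinct cases were intended. `if (ret != -1) return ret;` states the intent, and a comment such as `/* -1 means "not a numeric address", everything else is final */` documents that -1 is a sentinel rather than a krb5 error code. krb5_parse_address continues outside the hunk.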
@@ -1188,7 +1214,7 @@ krb5_parse_address(krb5_context context,
if (error) {
krb5_error_code ret2;
save_errno = errno;
- ret2 = krb5_eai_to_heim_errno(error, save_errno);
+ ret2 = krb5_eai_to_heim_errno(save_errno, error);
krb5_set_error_message (context, ret2, "%s: %s",
string, gai_strerror(error));
return ret2;
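Review bot: The argument order of `krb5_eai_to_heim_errno` is reversed here, passing the saved errno first and the getaddrinfo status second, but nothing in the hunk shows the prototype; if the parameters are (eai_errno, system_error), as the adjacent `gai_strerror(error)` suggests for the status value, this swap feeds errno to the EAI switch and changes the returned error code. Please confirm against the declaration in krb5-protos.h and the other call sites before merging; if the old order was correct, restore `ret2 = krb5_eai_to_heim_errno(error, save_errno);`.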
@@ -1241,7 +1267,7 @@ krb5_address_order(krb5_context context,
{
/* this sucks; what if both addresses have order functions, which
should we call? this works for now, though */
- struct addr_operations *a;
+ const struct addr_operations *a;
a = find_atype(addr1->addr_type);
if(a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@@ -1333,7 +1359,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_address(krb5_context context,
krb5_address *address)
{
- struct addr_operations *a = find_atype (address->addr_type);
+ const struct addr_operations *a = find_atype (address->addr_type);
if(a != NULL && a->free_addr != NULL)
return (*a->free_addr)(context, address);
krb5_data_free (&address->address);
@@ -1357,12 +1383,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_addresses(krb5_context context,
krb5_addresses *addresses)
{
- size_t i;
- for(i = 0; i < addresses->len; i++)
- krb5_free_address(context, &addresses->val[i]);
- free(addresses->val);
- addresses->len = 0;
- addresses->val = NULL;
+ free_HostAddresses(addresses);
return 0;
}
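Review bot: Replacing the per-element `krb5_free_address` loop with `free_HostAddresses` bypasses the `free_addr` hook that `krb5_free_address` dispatches to in the hunk just above, so any `at[]` entry that defines `free_addr` no longer has it invoked for addresses released through this function. If no table entry currently sets `free_addr` this is harmless but fragile; a comment on the new line, `/* no address type defines free_addr, so the generic ASN.1 freer suffices */`, records the assumption, otherwise keep the loop and follow it with `free(addresses->val)`. The `at[]` table is only partly visible in this diff, so I cannot confirm which case holds.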
@@ -1384,7 +1405,7 @@ krb5_copy_address(krb5_context context,
const krb5_address *inaddr,
krb5_address *outaddr)
{
- struct addr_operations *a = find_af (inaddr->addr_type);
+ const struct addr_operations *a = find_af (inaddr->addr_type);
if(a != NULL && a->copy_addr != NULL)
return (*a->copy_addr)(context, inaddr, outaddr);
return copy_HostAddress(inaddr, outaddr);
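Review bot: The rewritten line keeps `find_af (inaddr->addr_type)`, but find_af matches its argument against the table's `af` field while `addr_type` is a `krb5_address_type`; `krb5_free_address` and `krb5_address_prefixlen_boundary` in this same diff look up the same field with `find_atype`. Unless the AF_* and KRB5_ADDRESS_* values coincide for every supported family, the `copy_addr` hook is selected for the wrong entry or skipped; `const struct addr_operations *a = find_atype (inaddr->addr_type);` matches the sibling functions. The mismatch is pre-existing, but since the line is already being touched for constness it is a cheap fix.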
@@ -1479,6 +1500,8 @@ krb5_make_addrport (krb5_context context,
size_t len = addr->address.length + 2 + 4 * 4;
u_char *p;
+ /* XXX Make this assume port == 0 -> port is absent */
+
*res = malloc (sizeof(**res));
if (*res == NULL)
return krb5_enomem(context);
@@ -1540,7 +1563,7 @@ krb5_address_prefixlen_boundary(krb5_context context,
krb5_address *low,
krb5_address *high)
{
- struct addr_operations *a = find_atype (inaddr->addr_type);
+ const struct addr_operations *a = find_atype (inaddr->addr_type);
if(a != NULL && a->mask_boundary != NULL)
return (*a->mask_boundary)(context, inaddr, prefixlen, low, high);
krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,
diff --git a/lib/krb5/aes-test.c b/lib/krb5/aes-test.c
index 5526b910fe4f..2d048e426e59 100644
--- a/lib/krb5/aes-test.c
+++ b/lib/krb5/aes-test.c
@@ -756,6 +756,9 @@ krb_enc_test(krb5_context context)
kb.keyvalue.data = krbencs[i].key;
ret = krb5_crypto_init(context, &kb, krbencs[i].enctype, &crypto);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_init failed with %d for test %d",
+ ret, i);
cipher.length = krbencs[i].elen;
cipher.data = krbencs[i].edata;
@@ -765,20 +768,24 @@ krb_enc_test(krb5_context context)
ret = krb_enc(context, crypto, krbencs[i].usage, &cipher, &plain);
if (ret)
- errx(1, "krb_enc failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc failed with %d for test %d",
+ ret, i);
ret = krb_enc_iov(context, crypto, krbencs[i].usage, &cipher, &plain);
if (ret)
- errx(1, "krb_enc_iov failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc_iov failed with %d for test %d",
+ ret, i);
ret = krb_enc_iov2(context, crypto, krbencs[i].usage,
cipher.length, &plain);
if (ret)
- errx(1, "krb_enc_iov2 failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc_iov2 failed with %d for test %d",
+ ret, i);
ret = krb_checksum_iov(context, crypto, krbencs[i].usage, &plain, NULL);
if (ret)
- errx(1, "krb_checksum_iov failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret,
+ "krb_checksum_iov failed with %d for test %d", ret, i);
if (krbencs[i].cdata) {
krb5_data checksum;
@@ -789,7 +796,9 @@ krb_enc_test(krb5_context context)
ret = krb_checksum_iov(context, crypto, krbencs[i].usage,
&plain, &checksum);
if (ret)
- errx(1, "krb_checksum_iov(2) failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret,
+ "krb_checksum_iov(2) failed with %d for test %d",
+ ret, i);
}
krb5_crypto_destroy(context, crypto);
@@ -797,7 +806,8 @@ krb_enc_test(krb5_context context)
ret = krb_enc_mit(context, krbencs[i].enctype, &kb,
krbencs[i].usage, &cipher, &plain);
if (ret)
- errx(1, "krb_enc_mit failed with %d for test %d", ret, i);
+ krb5_err(context, 1, ret, "krb_enc_mit failed with %d for test %d",
+ ret, i);
}
return 0;
diff --git a/lib/krb5/an2ln_plugin.h b/lib/krb5/an2ln_plugin.h
index 89913b5780a3..b592f23b845c 100644
--- a/lib/krb5/an2ln_plugin.h
+++ b/lib/krb5/an2ln_plugin.h
@@ -36,6 +36,8 @@
#ifndef HEIMDAL_KRB5_AN2LN_PLUGIN_H
#define HEIMDAL_KRB5_AN2LN_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_AN2LN "an2ln"
#define KRB5_PLUGIN_AN2LN_VERSION_0 0
@@ -80,9 +82,7 @@ typedef krb5_error_code (KRB5_LIB_CALL *set_result_f)(void *, const char *);
* @ingroup krb5_support
*/
typedef struct krb5plugin_an2ln_ftable_desc {
- int minor_version;
- krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
- void (KRB5_LIB_CALL *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5_error_code (KRB5_LIB_CALL *an2ln)(void *, krb5_context, const char *,
krb5_const_principal, set_result_f, void *);
} krb5plugin_an2ln_ftable;
diff --git a/lib/krb5/aname_to_localname.c b/lib/krb5/aname_to_localname.c
index e4818c360b37..7c546fb382b3 100644
--- a/lib/krb5/aname_to_localname.c
+++ b/lib/krb5/aname_to_localname.c
@@ -31,11 +31,12 @@
* SUCH DAMAGE.
*/
-#include <string.h>
#include "krb5_locl.h"
#include "an2ln_plugin.h"
#include "db_plugin.h"
+#include <string.h>
+
/* Default plugin (DB using binary search of sorted text file) follows */
static krb5_error_code KRB5_LIB_CALL an2ln_def_plug_init(krb5_context, void **);
static void KRB5_LIB_CALL an2ln_def_plug_fini(void *);
@@ -43,7 +44,7 @@ static krb5_error_code KRB5_LIB_CALL an2ln_def_plug_an2ln(void *, krb5_context,
krb5_const_principal, set_result_f,
void *);
-static krb5plugin_an2ln_ftable an2ln_def_plug = {
+static const krb5plugin_an2ln_ftable an2ln_def_plug = {
0,
an2ln_def_plug_init,
an2ln_def_plug_fini,
@@ -80,6 +81,17 @@ plcallback(krb5_context context,
return locate->an2ln(plugctx, context, plctx->rule, plctx->aname, set_res, plctx);
}
+static const char *const an2ln_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+an2ln_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_AN2LN,
+ KRB5_PLUGIN_AN2LN_VERSION_0,
+ an2ln_plugin_deps,
+ krb5_get_instance
+};
+
static krb5_error_code
an2ln_plugin(krb5_context context, const char *rule, krb5_const_principal aname,
size_t lnsize, char *lname)
@@ -96,8 +108,8 @@ an2ln_plugin(krb5_context context, const char *rule, krb5_const_principal aname,
* really be no more than one plugin that can handle any given kind
* rule, so the effect should be deterministic anyways.
*/
- ret = _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_AN2LN,
- KRB5_PLUGIN_AN2LN_VERSION_0, 0, &ctx, plcallback);
+ ret = _krb5_plugin_run_f(context, &an2ln_plugin_data,
+ 0, &ctx, plcallback);
if (ret != 0) {
heim_release(ctx.luser);
return ret;
@@ -409,6 +421,7 @@ an2ln_def_plug_an2ln(void *plug_ctx, krb5_context context,
heim_dict_set_value(db_options, HSTR("read-only"),
heim_number_create(1));
dbh = heim_db_create(NULL, an2ln_db_fname, db_options, &error);
+ heim_release(db_options);
if (dbh == NULL) {
krb5_set_error_message(context, heim_error_get_code(error),
N_("Couldn't open aname2lname-text-db", ""));
diff --git a/lib/krb5/asn1_glue.c b/lib/krb5/asn1_glue.c
index 6df8defbce9a..16eda2f6f73d 100644
--- a/lib/krb5/asn1_glue.c
+++ b/lib/krb5/asn1_glue.c
@@ -38,8 +38,8 @@
#include "krb5_locl.h"
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_principal2principalname (PrincipalName *p,
- const krb5_principal from)
+_krb5_principal2principalname(PrincipalName *p,
+ krb5_const_principal from)
{
return copy_PrincipalName(&from->name, p);
}
@@ -70,3 +70,93 @@ _krb5_principalname2krb5_principal (krb5_context context,
*principal = p;
return 0;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_ticket2krb5_principal(krb5_context context,
+ krb5_principal *principal,
+ const EncTicketPart *ticket,
+ const AuthorizationData *authenticator_ad)
+{
+ krb5_error_code ret;
+ krb5_principal p = NULL;
+
+ *principal = NULL;
+
+ ret = _krb5_principalname2krb5_principal(context,
+ &p,
+ ticket->cname,
+ ticket->crealm);
+ if (ret == 0 &&
+ (p->nameattrs = calloc(1, sizeof(p->nameattrs[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0)
+ p->nameattrs->authenticated = 1;
+ if (ret == 0 &&
+ (p->nameattrs->source =
+ calloc(1, sizeof(p->nameattrs->source[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0) {
+ p->nameattrs->source->element =
+ choice_PrincipalNameAttrSrc_enc_ticket_part;
+ ret = copy_EncTicketPart(ticket,
+ &p->nameattrs->source->u.enc_ticket_part);
+ /* NOTE: we don't want to keep a copy of the session key here! */
+ if (ret == 0)
+ der_free_octet_string(&p->nameattrs->source->u.enc_ticket_part.key.keyvalue);
+ }
+ if (ret == 0 && authenticator_ad) {
+ p->nameattrs->authenticator_ad =
+ calloc(1, sizeof(p->nameattrs->authenticator_ad[0]));
+ if (p->nameattrs->authenticator_ad == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0)
+ ret = copy_AuthorizationData(authenticator_ad,
+ p->nameattrs->authenticator_ad);
+ }
+
+ if (ret == 0)
+ *principal = p;
+ else
+ krb5_free_principal(context, p);
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kdcrep2krb5_principal(krb5_context context,
+ krb5_principal *principal,
+ const EncKDCRepPart *kdcrep)
+{
+ krb5_error_code ret;
+ krb5_principal p = NULL;
+
+ *principal = NULL;
+
+ ret = _krb5_principalname2krb5_principal(context,
+ &p,
+ kdcrep->sname,
+ kdcrep->srealm);
+ if (ret == 0 &&
+ (p->nameattrs = calloc(1, sizeof(p->nameattrs[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0)
+ p->nameattrs->authenticated = 1;
+ if (ret == 0 &&
+ (p->nameattrs->source =
+ calloc(1, sizeof(p->nameattrs->source[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0) {
+ p->nameattrs->source->element =
+ choice_PrincipalNameAttrSrc_enc_kdc_rep_part;
+ ret = copy_EncKDCRepPart(kdcrep,
+ &p->nameattrs->source->u.enc_kdc_rep_part);
+ /* NOTE: we don't want to keep a copy of the session key here! */
+ if (ret == 0)
+ der_free_octet_string(&p->nameattrs->source->u.enc_kdc_rep_part.key.keyvalue);
+ }
+
+ if (ret == 0)
+ *principal = p;
+ else
+ krb5_free_principal(context, p);
+ return ret;
+}
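Review bot: The session-key copy removed via `der_free_octet_string(&...key.keyvalue)` in both new functions is freed but not zeroized, so the key bytes remain in released heap memory even though the comment says the copy is not wanted; zeroizing before the free, e.g. `memset_s(kv->data, kv->length, 0, kv->length);` with `kv` pointing at the keyvalue (roken provides memset_s), would match the intent. Copying the whole EncTicketPart/EncKDCRepPart and then deleting the key also means the key is briefly duplicated; if the generated copy routines allow it, copying with the key field cleared first would avoid that window. The two functions are otherwise line-for-line duplicates (allocate nameattrs, set authenticated, allocate source, copy, strip key, commit or free) and would be clearer as one static helper parameterized on the choice element and copy function.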
diff --git a/lib/krb5/auth_context.c b/lib/krb5/auth_context.c
index 9c6c0c40f9e4..8b43b63706c9 100644
--- a/lib/krb5/auth_context.c
+++ b/lib/krb5/auth_context.c
@@ -86,7 +86,8 @@ krb5_auth_con_free(krb5_context context,
krb5_auth_context auth_context)
{
if (auth_context != NULL) {
- krb5_free_authenticator(context, &auth_context->authenticator);
+ if (auth_context->authenticator)
+ krb5_free_authenticator(context, &auth_context->authenticator);
if(auth_context->local_address){
free_HostAddress(auth_context->local_address);
free(auth_context->local_address);
@@ -409,24 +410,79 @@ krb5_auth_con_getkeytype (krb5_context context,
return 0;
}
+krb5_error_code
+_krb5_add_1auth_data(krb5_context context,
+ krb5int32 ad_type, krb5_data *ad_data, int critical,
+ krb5_authdata **dst)
+{
+ AuthorizationDataElement e;
+
+ e.ad_type = ad_type;
+ e.ad_data = *ad_data;
+
+ if (!critical) {
+ AuthorizationData ad;
+ krb5_error_code ret;
+ krb5_data ir;
+ size_t len;
+
+ /* Build an AD-IF-RELEVANT with the new element inside it */
+ ad.len = 0;
+ ad.val = NULL;
+ ret = add_AuthorizationData(&ad, &e);
+
+ /* Encode the AD-IF-RELEVANT */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(AuthorizationData, ir.data, ir.length, &ad,
+ &len, ret);
+ if (ret == 0 && ir.length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ /* Re-enter to add the encoded AD-IF-RELEVANT */
+ ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1,
+ dst);
+
+ free_AuthorizationData(&ad);
+ krb5_data_free(&ir);
+ return ret;
+ }
+
+ if (*dst == NULL) {
+ ALLOC(*dst, 1);
+ if (*dst == NULL)
+ return krb5_enomem(context);
+ }
+ return add_AuthorizationData(*dst, &e);
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_add_AuthorizationData(krb5_context context,
krb5_auth_context auth_context,
int type,
krb5_data *data)
{
- AuthorizationDataElement el;
-
if (auth_context->auth_data == NULL) {
auth_context->auth_data = calloc(1, sizeof(*auth_context->auth_data));
if (auth_context->auth_data == NULL)
return krb5_enomem(context);
}
- el.ad_type = type;
- el.ad_data.data = data->data;
- el.ad_data.length = data->length;
+ return _krb5_add_1auth_data(context, type, data, 1,
+ &auth_context->auth_data);
+}
- return add_AuthorizationData(auth_context->auth_data, &el);
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_add_AuthorizationDataIfRelevant(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5int32 type,
+ krb5_data *data)
+{
+ if (auth_context->auth_data == NULL) {
+ auth_context->auth_data = calloc(1, sizeof(*auth_context->auth_data));
+ if (auth_context->auth_data == NULL)
+ return krb5_enomem(context);
+ }
+ return _krb5_add_1auth_data(context, type, data, 0,
+ &auth_context->auth_data);
}
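Review bot: In the `!critical` branch of `_krb5_add_1auth_data`, `ir` is declared uninitialized and the recursive call at `ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1, dst);` runs regardless of `ret`, so when `add_AuthorizationData(&ad, &e)` or ASN1_MALLOC_ENCODE fails the element is built from garbage and the trailing `krb5_data_free(&ir)` frees an indeterminate pointer. Initialize the buffer and gate the re-entry on success: `krb5_data_zero(&ir);` after the declaration and `if (ret == 0) ret = _krb5_add_1auth_data(...)`. The same shape appears in make_ap_authdata in build_auth.c, which does return early on each failure and is fine.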
@@ -501,9 +557,8 @@ krb5_auth_con_getauthenticator(krb5_context context,
if (*authenticator == NULL)
return krb5_enomem(context);
- copy_Authenticator(auth_context->authenticator,
- *authenticator);
- return 0;
+ return copy_Authenticator(auth_context->authenticator,
+ *authenticator);
}
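Review bot: Propagating the copy_Authenticator result is right, but on failure the `*authenticator` allocated just above the hunk (the enomem check on the first hunk line implies it) is leaked and the caller is handed a non-NULL, partially filled Authenticator with a non-zero return. Release it on the error path: `ret = copy_Authenticator(auth_context->authenticator, *authenticator); if (ret) { free(*authenticator); *authenticator = NULL; } return ret;` (declare `ret` if the function, whose start is outside the hunk, does not already have one).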
diff --git a/lib/krb5/authdata.c b/lib/krb5/authdata.c
new file mode 100644
index 000000000000..ac426618f6ee
--- /dev/null
+++ b/lib/krb5/authdata.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 1997-2021 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 2021 Isaac Boukris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+/*
+ * Add the AuthorizationData `data´ of `type´ to the last element in
+ * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_kdc_tkt_add_if_relevant_ad(krb5_context context,
+ EncTicketPart *tkt,
+ int type,
+ const krb5_data *data)
+{
+ krb5_error_code ret;
+ size_t size = 0;
+
+ if (tkt->authorization_data == NULL) {
+ tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
+ if (tkt->authorization_data == NULL) {
+ return krb5_enomem(context);
+ }
+ }
+
+ /* add the entry to the last element */
+ {
+ AuthorizationData ad = { 0, NULL };
+ AuthorizationDataElement ade;
+
+ ade.ad_type = type;
+ ade.ad_data = *data;
+
+ ret = add_AuthorizationData(&ad, &ade);
+ if (ret) {
+ krb5_set_error_message(context, ret, "add AuthorizationData failed");
+ return ret;
+ }
+
+ ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+
+ ASN1_MALLOC_ENCODE(AuthorizationData,
+ ade.ad_data.data, ade.ad_data.length,
+ &ad, &size, ret);
+ free_AuthorizationData(&ad);
+ if (ret) {
+ krb5_set_error_message(context, ret, "ASN.1 encode of "
+ "AuthorizationData failed");
+ return ret;
+ }
+ if (ade.ad_data.length != size)
+ krb5_abortx(context, "internal asn.1 encoder error");
+
+ ret = add_AuthorizationData(tkt->authorization_data, &ade);
+ der_free_octet_string(&ade.ad_data);
+ if (ret) {
+ krb5_set_error_message(context, ret, "add AuthorizationData failed");
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Insert a PAC wrapped in AD-IF-RELEVANT container as the first AD element,
+ * as some clients such as Windows may fail to parse it otherwise.
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_kdc_tkt_insert_pac(krb5_context context,
+ EncTicketPart *tkt,
+ const krb5_data *data)
+{
+ AuthorizationDataElement ade;
+ unsigned int i;
+ krb5_error_code ret;
+
+ ret = _kdc_tkt_add_if_relevant_ad(context, tkt, KRB5_AUTHDATA_WIN2K_PAC,
+ data);
+ if (ret)
+ return ret;
+
+ heim_assert(tkt->authorization_data->len != 0, "No authorization_data!");
+ ade = tkt->authorization_data->val[tkt->authorization_data->len - 1];
+ for (i = 0; i < tkt->authorization_data->len - 1; i++) {
+ tkt->authorization_data->val[i + 1] = tkt->authorization_data->val[i];
+ }
+ tkt->authorization_data->val[0] = ade;
+
+ return 0;
+}
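Review bot: The rotation loop in `_kdc_tkt_insert_pac` shifts forward by iterating upward, `val[i + 1] = val[i]` for i = 0..len-2, so after the first step val[1] already holds old val[0] and every later slot receives that same element; with three or more AD elements the original elements 1..len-2 are lost and the array holds duplicate ad_data pointers, which free_EncTicketPart will then free twice. It works only for len == 2, the common case, which is why it likely went unnoticed. Replace the loop with one overlapping move: `memmove(&tkt->authorization_data->val[1], &tkt->authorization_data->val[0], (tkt->authorization_data->len - 1) * sizeof(tkt->authorization_data->val[0]));` before `val[0] = ade`. The heim_assert on len != 0 keeps the `len - 1` arithmetic safe for the unsigned length.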
diff --git a/lib/krb5/build_ap_req.c b/lib/krb5/build_ap_req.c
index d56a0a194e1e..01019520514e 100644
--- a/lib/krb5/build_ap_req.c
+++ b/lib/krb5/build_ap_req.c
@@ -41,34 +41,24 @@ krb5_build_ap_req (krb5_context context,
krb5_data authenticator,
krb5_data *retdata)
{
- krb5_error_code ret = 0;
- AP_REQ ap;
- Ticket t;
- size_t len;
+ krb5_error_code ret = 0;
+ AP_REQ ap;
+ size_t len;
- ap.pvno = 5;
- ap.msg_type = krb_ap_req;
- memset(&ap.ap_options, 0, sizeof(ap.ap_options));
- ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
- ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
+ ap.pvno = 5;
+ ap.msg_type = krb_ap_req;
+ memset(&ap.ap_options, 0, sizeof(ap.ap_options));
+ ap.ap_options.use_session_key = (ap_options & AP_OPTS_USE_SESSION_KEY) > 0;
+ ap.ap_options.mutual_required = (ap_options & AP_OPTS_MUTUAL_REQUIRED) > 0;
- ap.ticket.tkt_vno = 5;
- copy_Realm(&cred->server->realm, &ap.ticket.realm);
- copy_PrincipalName(&cred->server->name, &ap.ticket.sname);
-
- decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
- copy_EncryptedData(&t.enc_part, &ap.ticket.enc_part);
- free_Ticket(&t);
-
- ap.authenticator.etype = enctype;
- ap.authenticator.kvno = NULL;
- ap.authenticator.cipher = authenticator;
-
- ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length,
- &ap, &len, ret);
- if(ret == 0 && retdata->length != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- free_AP_REQ(&ap);
- return ret;
+ decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len);
+ ap.authenticator.etype = enctype;
+ ap.authenticator.kvno = NULL;
+ ap.authenticator.cipher = authenticator;
+ ASN1_MALLOC_ENCODE(AP_REQ, retdata->data, retdata->length, &ap, &len, ret);
+ if (ret == 0 && retdata->length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+ free_AP_REQ(&ap);
+ return ret;
}
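Review bot: The return value of `decode_Ticket(cred->ticket.data, cred->ticket.length, &ap.ticket, &len)` is still ignored, so a malformed or truncated cred->ticket leaves `ap.ticket` indeterminate and the subsequent ASN1_MALLOC_ENCODE and free_AP_REQ operate on it. Nothing else has been allocated at that point, so checking is a two-liner: `ret = decode_Ticket(...); if (ret) return ret;` (Heimdal's generated decoders release partial state on failure, so no extra cleanup is needed there, but confirm for this build). The removed code had the same gap, so this is a pre-existing issue the rewrite was a good opportunity to close.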
diff --git a/lib/krb5/build_auth.c b/lib/krb5/build_auth.c
index cbc67744a4e1..3e0012562a3c 100644
--- a/lib/krb5/build_auth.c
+++ b/lib/krb5/build_auth.c
@@ -34,15 +34,30 @@
#include "krb5_locl.h"
static krb5_error_code
-make_etypelist(krb5_context context,
- krb5_authdata **auth_data)
+add_auth_data(krb5_context context,
+ AuthorizationData *src,
+ AuthorizationData **dst)
{
+ krb5_error_code ret = 0;
+ size_t i;
+
+ if (*dst == NULL &&
+ (*dst = calloc(1, sizeof(**dst))) == NULL)
+ return krb5_enomem(context);
+ for (i = 0; ret == 0 && i < src->len; i++)
+ ret = add_AuthorizationData(*dst, &src->val[i]);
+ return ret;
+}
+
+static krb5_error_code
+add_etypelist(krb5_context context,
+ krb5_authdata *auth_data)
+{
+ AuthorizationDataElement ade;
EtypeList etypes;
krb5_error_code ret;
- krb5_authdata ad;
- u_char *buf;
+ krb5_data e;
size_t len = 0;
- size_t buf_size;
ret = _krb5_init_etype(context, KRB5_PDU_NONE,
&etypes.len, &etypes.val,
@@ -50,52 +65,98 @@ make_etypelist(krb5_context context,
if (ret)
return ret;
- ASN1_MALLOC_ENCODE(EtypeList, buf, buf_size, &etypes, &len, ret);
+ ASN1_MALLOC_ENCODE(EtypeList, e.data, e.length, &etypes, &len, ret);
if (ret) {
free_EtypeList(&etypes);
return ret;
}
- if(buf_size != len)
+ if(e.length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
free_EtypeList(&etypes);
- ALLOC_SEQ(&ad, 1);
- if (ad.val == NULL) {
- free(buf);
- return krb5_enomem(context);
- }
+ ade.ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
+ ade.ad_data = e;
- ad.val[0].ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
- ad.val[0].ad_data.length = len;
- ad.val[0].ad_data.data = buf;
+ ret = add_AuthorizationData(auth_data, &ade);
- ASN1_MALLOC_ENCODE(AD_IF_RELEVANT, buf, buf_size, &ad, &len, ret);
+ krb5_data_free(&e);
+
+ return ret;
+}
+
+static krb5_error_code
+add_ap_options(krb5_context context,
+ krb5_authdata *auth_data)
+{
+ krb5_error_code ret;
+ AuthorizationDataElement ade;
+ krb5_boolean require_cb;
+ uint8_t ap_options[4];
+
+ require_cb = krb5_config_get_bool_default(context, NULL, FALSE,
+ "libdefaults",
+ "client_aware_channel_bindings",
+ NULL);
+
+ if (!require_cb)
+ return 0;
+
+ ap_options[0] = (KERB_AP_OPTIONS_CBT >> 0 ) & 0xFF;
+ ap_options[1] = (KERB_AP_OPTIONS_CBT >> 8 ) & 0xFF;
+ ap_options[2] = (KERB_AP_OPTIONS_CBT >> 16) & 0xFF;
+ ap_options[3] = (KERB_AP_OPTIONS_CBT >> 24) & 0xFF;
+
+ ade.ad_type = KRB5_AUTHDATA_AP_OPTIONS;
+ ade.ad_data.length = sizeof(ap_options);
+ ade.ad_data.data = ap_options;
+
+ ret = add_AuthorizationData(auth_data, &ade);
+
+ return ret;
+}
+
+static krb5_error_code
+make_ap_authdata(krb5_context context,
+ krb5_authdata **auth_data)
+{
+ krb5_error_code ret;
+ AuthorizationData ad;
+ krb5_data ir;
+ size_t len;
+
+ ad.len = 0;
+ ad.val = NULL;
+
+ ret = add_etypelist(context, &ad);
+ if (ret)
+ return ret;
+
+ /*
+ * Windows has a bug and only looks for first occurrence of AD-IF-RELEVANT
+ * in the AP authenticator when looking for AD-AP-OPTIONS. Make sure to
+ * bundle it together with etypes.
+ */
+ ret = add_ap_options(context, &ad);
if (ret) {
free_AuthorizationData(&ad);
return ret;
}
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- free_AuthorizationData(&ad);
- ALLOC(*auth_data, 1);
- if (*auth_data == NULL) {
- free(buf);
- return krb5_enomem(context);
+ ASN1_MALLOC_ENCODE(AuthorizationData, ir.data, ir.length, &ad, &len, ret);
+ if (ret) {
+ free_AuthorizationData(&ad);
+ return ret;
}
+ if(ir.length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
- ALLOC_SEQ(*auth_data, 1);
- if ((*auth_data)->val == NULL) {
- free(*auth_data);
- free(buf);
- return krb5_enomem(context);
- }
+ ret = _krb5_add_1auth_data(context, KRB5_AUTHDATA_IF_RELEVANT, &ir, 1,
+ auth_data);
- (*auth_data)->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT;
- (*auth_data)->val[0].ad_data.length = len;
- (*auth_data)->val[0].ad_data.data = buf;
+ free_AuthorizationData(&ad);
+ krb5_data_free(&ir);
- return 0;
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
@@ -160,12 +221,19 @@ _krb5_build_authenticator (krb5_context context,
* This is not GSS-API specific, we only enable it for
* GSS for now
*/
- ret = make_etypelist(context, &auth.authorization_data);
+ ret = make_ap_authdata(context, &auth.authorization_data);
if (ret)
goto fail;
}
}
+ /* Copy other authz data from auth_context */
+ if (auth_context->auth_data) {
+ ret = add_auth_data(context, auth_context->auth_data, &auth.authorization_data);
+ if (ret)
+ goto fail;
+ }
+
/* XXX - Copy more to auth_context? */
auth_context->authenticator->ctime = auth.ctime;
diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c
index c43cd0ab7096..4afb0ca5c80d 100644
--- a/lib/krb5/cache.c
+++ b/lib/krb5/cache.c
@@ -100,11 +100,16 @@ main (int argc, char **argv)
* @endcode
*/
+static const krb5_cc_ops *
+cc_get_prefix_ops(krb5_context context,
+ const char *prefix,
+ const char **residual);
+
/**
* Add a new ccache type with operations `ops', overwriting any
* existing one if `override'.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param ops type of plugin symbol
* @param override flag to select if the registration is to overide
* an existing ops with the same name.
@@ -180,74 +185,47 @@ _krb5_cc_allocate(krb5_context context,
*/
static krb5_error_code
-allocate_ccache (krb5_context context,
- const krb5_cc_ops *ops,
- const char *residual,
- krb5_ccache *id)
+allocate_ccache(krb5_context context,
+ const krb5_cc_ops *ops,
+ const char *residual,
+ const char *subsidiary,
+ krb5_ccache *id)
{
- krb5_error_code ret;
-#ifdef KRB5_USE_PATH_TOKENS
- char * exp_residual = NULL;
+ krb5_error_code ret = 0;
+ char *exp_residual = NULL;
int filepath;
filepath = (strcmp("FILE", ops->prefix) == 0
|| strcmp("DIR", ops->prefix) == 0
|| strcmp("SCC", ops->prefix) == 0);
- ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
- if (ret)
- return ret;
-
- residual = exp_residual;
-#endif
+ if (residual)
+ ret = _krb5_expand_path_tokens(context, residual, filepath, &exp_residual);
+ if (ret == 0)
+ ret = _krb5_cc_allocate(context, ops, id);
- ret = _krb5_cc_allocate(context, ops, id);
- if (ret) {
-#ifdef KRB5_USE_PATH_TOKENS
- if (exp_residual)
- free(exp_residual);
-#endif
- return ret;
+ if (ret == 0) {
+ if ((*id)->ops->version < KRB5_CC_OPS_VERSION_5
+ || (*id)->ops->resolve_2 == NULL) {
+ ret = (*id)->ops->resolve(context, id, exp_residual);
+ } else {
+ ret = (*id)->ops->resolve_2(context, id, exp_residual, subsidiary);
+ }
}
-
- ret = (*id)->ops->resolve(context, id, residual);
- if(ret) {
+ if (ret) {
free(*id);
*id = NULL;
}
-
-#ifdef KRB5_USE_PATH_TOKENS
- if (exp_residual)
- free(exp_residual);
-#endif
-
+ free(exp_residual);
return ret;
}
-static int
-is_possible_path_name(const char * name)
-{
- const char * colon;
-
- if ((colon = strchr(name, ':')) == NULL)
- return TRUE;
-
-#ifdef _WIN32
- /* <drive letter>:\path\to\cache ? */
-
- if (colon == name + 1 &&
- strchr(colon + 1, ':') == NULL)
- return TRUE;
-#endif
-
- return FALSE;
-}
/**
* Find and allocate a ccache in `id' from the specification in `residual'.
* If the ccache name doesn't contain any colon, interpret it as a file name.
*
- * @param context a Keberos context.
+ * @param context a Kerberos context.
* @param name string name of a credential cache.
* @param id return pointer to a found credential cache.
*
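Review bot: `allocate_ccache` now runs `free(*id); *id = NULL;` on any non-zero `ret`, including a failure of `_krb5_expand_path_tokens` before `_krb5_cc_allocate` has touched `*id`; the old code returned before reaching `*id` in that case. Both callers visible in this diff (krb5_cc_resolve and krb5_cc_resolve_sub) pre-set `*id = NULL`, so this is safe today, but the function should not depend on that: add `*id = NULL;` at the top of allocate_ccache or only free when the allocation step ran. Removing is_possible_path_name also changes krb5_cc_resolve's handling of names with an unrecognised prefix (see the next hunk).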
@@ -263,27 +241,183 @@ krb5_cc_resolve(krb5_context context,
const char *name,
krb5_ccache *id)
{
- int i;
+ const krb5_cc_ops *ops;
+ const char *residual = NULL;
*id = NULL;
- for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
- size_t prefix_len = strlen(context->cc_ops[i]->prefix);
+ ops = cc_get_prefix_ops(context, name, &residual);
+ if (ops == NULL)
+ ops = &krb5_fcc_ops; /* residual will point to name */
+
+ return allocate_ccache(context, ops, residual, NULL, id);
+}
- if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
- && name[prefix_len] == ':') {
- return allocate_ccache (context, context->cc_ops[i],
- name + prefix_len + 1,
- id);
+#ifdef _WIN32
+static const char *
+get_default_cc_type_win32(krb5_context context)
+{
+ krb5_error_code ret;
+ krb5_ccache id;
+
+ /*
+ * If the MSLSA ccache type has a principal name,
+ * use it as the default.
+ */
+ ret = krb5_cc_resolve(context, "MSLSA:", &id);
+ if (ret == 0) {
+ krb5_principal princ;
+ ret = krb5_cc_get_principal(context, id, &princ);
+ krb5_cc_close(context, id);
+ if (ret == 0) {
+ krb5_free_principal(context, princ);
+ return "MSLSA";
}
}
- if (is_possible_path_name(name))
- return allocate_ccache (context, &krb5_fcc_ops, name, id);
- else {
+
+ /*
+ * If the API: ccache can be resolved,
+ * use it as the default.
+ */
+ ret = krb5_cc_resolve(context, "API:", &id);
+ if (ret == 0) {
+ krb5_cc_close(context, id);
+ return "API";
+ }
+
+ return NULL;
+}
+#endif /* _WIN32 */
+
+static const char *
+get_default_cc_type(krb5_context context, int simple)
+{
+ const char *def_ccname;
+ const char *def_cctype =
+ krb5_config_get_string_default(context, NULL,
+ secure_getenv("KRB5CCTYPE"),
+ "libdefaults", "default_cc_type", NULL);
+ const char *def_cccol =
+ krb5_config_get_string(context, NULL, "libdefaults",
+ "default_cc_collection", NULL);
+ const krb5_cc_ops *ops;
+
+ if (!simple && (def_ccname = krb5_cc_default_name(context))) {
+ ops = cc_get_prefix_ops(context, def_ccname, NULL);
+ if (ops)
+ return ops->prefix;
+ }
+ if (!def_cctype && def_cccol) {
+ ops = cc_get_prefix_ops(context, def_cccol, NULL);
+ if (ops)
+ return ops->prefix;
+ }
+#ifdef _WIN32
+ if (def_cctype == NULL)
+ def_cctype = get_default_cc_type_win32(context);
+#endif
+ if (def_cctype == NULL)
+ def_cctype = KRB5_DEFAULT_CCTYPE->prefix;
+ return def_cctype;
+}
+
+/**
+ * Find and allocate a ccache in `id' for the subsidiary cache named by
+ * `subsidiary' in the collection named by `collection'.
+ *
+ * @param context a Kerberos context.
+ * @param cctype string name of a credential cache collection type.
+ * @param collection string name of a credential cache collection.
+ * @param subsidiary string name of a credential cache in a collection.
+ * @param id return pointer to a found credential cache.
+ *
+ * @return Return 0 or an error code. In case of an error, id is set
+ * to NULL, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_resolve_sub(krb5_context context,
+ const char *cctype,
+ const char *collection,
+ const char *subsidiary,
+ krb5_ccache *id)
+{
+ const krb5_cc_ops *ops = NULL;
+
+ *id = NULL;
+
+ /* Get the cctype from the collection, maybe */
+ if (cctype == NULL && collection)
+ ops = cc_get_prefix_ops(context, collection, &collection);
+
+ if (ops == NULL)
+ ops = cc_get_prefix_ops(context, get_default_cc_type(context, 0), NULL);
+
+ if (ops == NULL) {
krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
- N_("unknown ccache type %s", "name"), name);
+ N_("unknown ccache type %s", ""), cctype);
return KRB5_CC_UNKNOWN_TYPE;
}
+
+ return allocate_ccache(context, ops, collection, subsidiary, id);
+}
+
+
+/**
+ * Find and allocate a ccache in `id' from the specification in `residual', but
+ * specific to the given principal `principal' by using the principal name as
+ * the name of a "subsidiary" credentials cache in the collection named by
+ * `name'. If the ccache name doesn't contain any colon, interpret it as a
+ * file name.
+ *
+ * @param context a Kerberos context.
+ * @param name string name of a credential cache.
+ * @param principal principal name of desired credentials.
+ * @param id return pointer to a found credential cache.
+ *
+ * @return Return 0 or an error code. In case of an error, id is set
+ * to NULL, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_resolve_for(krb5_context context,
+ const char *cctype,
+ const char *name,
+ krb5_const_principal principal,
+ krb5_ccache *id)
+{
+ krb5_error_code ret;
+ char *p, *s;
+
+ *id = NULL;
+
+ ret = krb5_unparse_name(context, principal, &p);
+ if (ret)
+ return ret;
+ /*
+ * Subsidiary components cannot have various chars in them that are used as
+ * separators. ':' is used for subsidiary separators in all ccache types
+ * except FILE, where '+' is used instead because we can't use ':' in file
+ * paths on Windows and because ':' is not in the POSIX safe set.
+ */
+ for (s = p; *s; s++) {
+ switch (s[0]) {
+ case ':':
+ case '+':
+ case '/':
+ case '\\':
+ s[0] = '-';
+ default: break;
+ }
+ }
+ ret = krb5_cc_resolve_sub(context, cctype, name, p, id);
+ free(p);
+ return ret;
}
/**
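Review bot: `krb5_cc_resolve_sub` never looks up its `cctype` argument: ops is taken from the collection only when `cctype == NULL`, and otherwise straight from get_default_cc_type(), so a caller passing e.g. an explicit type gets the configured default instead, and `krb5_cc_resolve_for` inherits this. Add `if (ops == NULL && cctype) ops = cc_get_prefix_ops(context, cctype, NULL);` between the two existing lookups. The error path then formats `cctype` with `%s` although it can be NULL in that branch (undefined behaviour in printf-style formatting); use `cctype ? cctype : collection` or a fixed string. Separately, krb5_cc_resolve now falls back to krb5_fcc_ops for any name whose prefix is not registered, where the removed is_possible_path_name check returned KRB5_CC_UNKNOWN_TYPE for names containing a colon; a mistyped type such as an unknown `XYZ:` now silently becomes a FILE cache named "XYZ:...", which deserves a comment or a retained check.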
@@ -305,6 +439,9 @@ krb5_cc_new_unique(krb5_context context, const char *type,
const krb5_cc_ops *ops;
krb5_error_code ret;
+ if (type == NULL)
+ type = get_default_cc_type(context, 1);
+
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL) {
krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
@@ -334,7 +471,52 @@ KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_cc_get_name(krb5_context context,
krb5_ccache id)
{
- return id->ops->get_name(context, id);
+ const char *name = NULL;
+
+ if (id->ops->version < KRB5_CC_OPS_VERSION_5
+ || id->ops->get_name_2 == NULL)
+ return id->ops->get_name(context, id);
+
+ (void) id->ops->get_name_2(context, id, &name, NULL, NULL);
+ return name;
+}
+
+/**
+ * Return the name of the ccache collection associated with `id'
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
+krb5_cc_get_collection(krb5_context context, krb5_ccache id)
+{
+ const char *name = NULL;
+
+ if (id->ops->version < KRB5_CC_OPS_VERSION_5
+ || id->ops->get_name_2 == NULL)
+ return NULL;
+
+ (void) id->ops->get_name_2(context, id, NULL, &name, NULL);
+ return name;
+}
+
+/**
+ * Return the name of the subsidiary ccache of `id'
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
+krb5_cc_get_subsidiary(krb5_context context, krb5_ccache id)
+{
+ const char *name = NULL;
+
+ if (id->ops->version >= KRB5_CC_OPS_VERSION_5
+ && id->ops->get_name_2 != NULL)
+ (void) id->ops->get_name_2(context, id, NULL, NULL, &name);
+ return name;
}
/**
@@ -354,7 +536,7 @@ krb5_cc_get_type(krb5_context context,
/**
* Return the complete resolvable name the cache
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param id return pointer to a found credential cache
* @param str the returned name of a credential cache, free with krb5_xfree()
*
@@ -443,10 +625,7 @@ environment_changed(krb5_context context)
strncmp(context->default_cc_name, "API:", 4) == 0))
return 1;
- if(issuid())
- return 0;
-
- e = getenv("KRB5CCNAME");
+ e = secure_getenv("KRB5CCNAME");
if (e == NULL) {
if (context->default_cc_name_env) {
free(context->default_cc_name_env);
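Review bot: Replacing the issuid() early return with secure_getenv() changes what a set-uid process observes here: previously it returned 0 before touching default_cc_name_env, while now a NULL from secure_getenv() takes the `e == NULL` branch that frees context->default_cc_name_env. That field is populated from the same secure_getenv() in krb5_cc_set_default_name(), so it is probably never set in a set-uid process, but I cannot see every writer from this hunk. A one-line comment above the call would make the intent explicit: `/* secure_getenv() yields NULL in set-uid/AT_SECURE processes, so $KRB5CCNAME is ignored there. */`. environment_changed() continues past this hunk.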
@@ -478,7 +657,8 @@ krb5_cc_switch(krb5_context context, krb5_ccache id)
_krb5_set_default_cc_name_to_registry(context, id);
#endif
- if (id->ops->set_default == NULL)
+ if (id->ops->version == KRB5_CC_OPS_VERSION_0
+ || id->ops->set_default == NULL)
return 0;
return (*id->ops->set_default)(context, id);
@@ -496,7 +676,7 @@ krb5_cc_support_switch(krb5_context context, const char *type)
const krb5_cc_ops *ops;
ops = krb5_cc_get_prefix_ops(context, type);
- if (ops && ops->set_default)
+ if (ops && ops->version > KRB5_CC_OPS_VERSION_0 && ops->set_default)
return 1;
return FALSE;
}
@@ -511,109 +691,61 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_default_name(krb5_context context, const char *name)
{
krb5_error_code ret = 0;
- char *p = NULL, *exp_p = NULL;
- int filepath;
- const krb5_cc_ops *ops = KRB5_DEFAULT_CCTYPE;
+ char *p = NULL;
if (name == NULL) {
- const char *e = NULL;
-
- if (!issuid()) {
- e = getenv("KRB5CCNAME");
- if (e) {
- p = strdup(e);
- if (context->default_cc_name_env)
- free(context->default_cc_name_env);
- context->default_cc_name_env = strdup(e);
- }
- }
-
-#ifdef _WIN32
- if (p == NULL) {
- p = _krb5_get_default_cc_name_from_registry(context);
+ const char *e;
+
+ if ((e = secure_getenv("KRB5CCNAME"))) {
+ if ((p = strdup(e)) == NULL)
+ return krb5_enomem(context);
+
+ free(context->default_cc_name_env);
+ context->default_cc_name_env = p;
+
+ if ((p = strdup(e)) == NULL)
+ return krb5_enomem(context);
+
+ /*
+ * We're resetting the default ccache name. Recall that we got
+ * this from the environment, which might change.
+ */
+ context->default_cc_name_set = 0;
+ } else if ((e = krb5_cc_configured_default_name(context))) {
+ if ((p = strdup(e)) == NULL)
+ return krb5_enomem(context);
+
+ /*
+ * Since $KRB5CCNAME was not set, and since we got the default
+ * ccache name from configuration, we'll not want
+ * environment_changed() to return true to avoid re-doing the
+ * krb5_cc_configured_default_name() call unnecessarily.
+ *
+ * XXX Perhaps if we got the ccache name from the registry then
+ * we'd want to recheck it? If so we might need an indication
+ * from krb5_cc_configured_default_name() about that!
+ */
+ context->default_cc_name_set = 1;
}
-#endif
- if (p == NULL) {
- e = krb5_config_get_string(context, NULL, "libdefaults",
- "default_cc_name", NULL);
- if (e) {
- ret = _krb5_expand_default_cc_name(context, e, &p);
- if (ret)
- return ret;
- }
- }
- if (p == NULL) {
- e = krb5_config_get_string(context, NULL, "libdefaults",
- "default_cc_type", NULL);
- if (e) {
- ops = krb5_cc_get_prefix_ops(context, e);
- if (ops == NULL) {
- krb5_set_error_message(context,
- KRB5_CC_UNKNOWN_TYPE,
- "Credential cache type %s "
- "is unknown", e);
- return KRB5_CC_UNKNOWN_TYPE;
- }
- }
- }
-#ifdef _WIN32
- if (p == NULL) {
- /*
- * If the MSLSA ccache type has a principal name,
- * use it as the default.
- */
- krb5_ccache id;
- ret = krb5_cc_resolve(context, "MSLSA:", &id);
- if (ret == 0) {
- krb5_principal princ;
- ret = krb5_cc_get_principal(context, id, &princ);
- if (ret == 0) {
- krb5_free_principal(context, princ);
- p = strdup("MSLSA:");
- }
- krb5_cc_close(context, id);
- }
- }
- if (p == NULL) {
- /*
- * If the API:krb5cc ccache can be resolved,
- * use it as the default.
- */
- krb5_ccache api_id;
- ret = krb5_cc_resolve(context, "API:krb5cc", &api_id);
- if (ret == 0)
- krb5_cc_close(context, api_id);
- }
- /* Otherwise, fallback to the FILE ccache */
-#endif
- if (p == NULL) {
- ret = (*ops->get_default_name)(context, &p);
- if (ret)
- return ret;
- }
- context->default_cc_name_set = 0;
} else {
- p = strdup(name);
- if (p == NULL)
- return krb5_enomem(context);
- context->default_cc_name_set = 1;
- }
-
- filepath = (strncmp("FILE:", p, 5) == 0
- || strncmp("DIR:", p, 4) == 0
- || strncmp("SCC:", p, 4) == 0);
+ int filepath = (strncmp("FILE:", name, 5) == 0 ||
+ strncmp("DIR:", name, 4) == 0 ||
+ strncmp("SCC:", name, 4) == 0);
- ret = _krb5_expand_path_tokens(context, p, filepath, &exp_p);
- free(p);
- p = exp_p;
- if (ret)
- return ret;
+ ret = _krb5_expand_path_tokens(context, name, filepath, &p);
+ if (ret)
+ return ret;
- if (context->default_cc_name)
- free(context->default_cc_name);
+ /*
+ * Since the default ccache name was set explicitly, we won't want
+ * environment_changed() to return true until the default ccache name
+ * is reset.
+ */
+ context->default_cc_name_set = 1;
+ }
+ free(context->default_cc_name);
context->default_cc_name = p;
-
return 0;
}
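Review bot: In the `name == NULL` branch, when neither secure_getenv() nor krb5_cc_configured_default_name() yields a name, `p` remains NULL and the function stores NULL into context->default_cc_name while returning 0, discarding the error message krb5_cc_configured_default_name() recorded; the removed body always ended with `ops->get_default_name()` or an error return. A caller then sees krb5_cc_default() report ENOMEM (it treats a NULL default name as krb5_enomem()), which misdiagnoses e.g. an unknown configured ccache type. Suggest refusing to store NULL, e.g. `} else { return KRB5_CC_NOTFOUND; /* error message already set */ }` after the `else if` — or whichever code krb5_cc_configured_default_name() passed to krb5_set_error_message(), since it does not return it. Minor: a failure of the second strdup() leaves default_cc_name_env updated but default_cc_name untouched, which is harmless but worth a comment.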
@@ -636,6 +768,71 @@ krb5_cc_default_name(krb5_context context)
return context->default_cc_name;
}
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
+krb5_cc_configured_default_name(krb5_context context)
+{
+ krb5_error_code ret = 0;
+#ifdef _WIN32
+ krb5_ccache id;
+#endif
+ const char *cfg;
+ char *expanded;
+ const krb5_cc_ops *ops;
+
+ if (context->configured_default_cc_name)
+ return context->configured_default_cc_name;
+
+#ifdef _WIN32
+ if ((expanded = _krb5_get_default_cc_name_from_registry(context)))
+ return context->configured_default_cc_name = expanded;
+#endif
+
+ /* If there's a configured default, expand the tokens and use it */
+ cfg = krb5_config_get_string(context, NULL, "libdefaults",
+ "default_cc_name", NULL);
+ if (cfg == NULL)
+ cfg = krb5_config_get_string(context, NULL, "libdefaults",
+ "default_ccache_name", NULL);
+ if (cfg) {
+ ret = _krb5_expand_default_cc_name(context, cfg, &expanded);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ "token expansion failed for %s", cfg);
+ return NULL;
+ }
+ return context->configured_default_cc_name = expanded;
+ }
+
+ /* Else try a configured default ccache type's default */
+ cfg = get_default_cc_type(context, 1);
+ if ((ops = krb5_cc_get_prefix_ops(context, cfg)) == NULL) {
+ krb5_set_error_message(context, KRB5_CC_UNKNOWN_TYPE,
+ "unknown configured credential cache "
+ "type %s", cfg);
+ return NULL;
+ }
+
+ /* The get_default_name() method expands any tokens */
+ ret = (*ops->get_default_name)(context, &expanded);
+ if (ret) {
+ krb5_set_error_message(context, ret, "failed to find a default "
+ "ccache for default ccache type %s", cfg);
+ return NULL;
+ }
+ return context->configured_default_cc_name = expanded;
+}
+
+KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
+krb5_cccol_get_default_ccname(krb5_context context)
+{
+ const char *cfg = get_default_cc_type(context, 1);
+ char *cccol_default_ccname;
+ const krb5_cc_ops *ops = krb5_cc_get_prefix_ops(context, cfg);
+
+ (void) (*ops->get_default_name)(context, &cccol_default_ccname);
+ return cccol_default_ccname;
+}
+
/**
* Open the default ccache in `id'.
*
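Review bot: krb5_cccol_get_default_ccname() dereferences `ops` without checking for NULL and returns `cccol_default_ccname` uninitialized when get_default_name() fails, even though krb5_cc_configured_default_name() in the same hunk checks exactly these two cases for the same `cfg`. If the configured default ccache type is unknown this is a call through a NULL pointer, and on a get_default_name() failure the caller receives an indeterminate pointer. Suggest `char *cccol_default_ccname = NULL;` and `if (ops == NULL || (*ops->get_default_name)(context, &cccol_default_ccname) != 0) return NULL;`, plus a doc comment stating that the result is heap-allocated and may be NULL, since the function is exported and currently undocumented.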
@@ -644,19 +841,53 @@ krb5_cc_default_name(krb5_context context)
* @ingroup krb5_ccache
*/
-
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_default(krb5_context context,
krb5_ccache *id)
{
const char *p = krb5_cc_default_name(context);
+ *id = NULL;
if (p == NULL)
return krb5_enomem(context);
return krb5_cc_resolve(context, p, id);
}
/**
+ * Open the named subsidiary cache from the default ccache collection in `id'.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_default_sub(krb5_context context,
+ const char *subsidiary,
+ krb5_ccache *id)
+{
+ return krb5_cc_resolve_sub(context, get_default_cc_type(context, 0), NULL,
+ subsidiary, id);
+}
+
+/**
+ * Open the default ccache in `id' that corresponds to the given principal.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_default_for(krb5_context context,
+ krb5_const_principal principal,
+ krb5_ccache *id)
+{
+ return krb5_cc_resolve_for(context, get_default_cc_type(context, 0), NULL,
+ principal, id);
+}
+
+/**
* Create a new ccache in `id' for `primary_principal'.
*
* @return Return an error code or 0, see krb5_get_error_message().
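Review bot: krb5_cc_default() now clears `*id` before the NULL-name check, but the two new wrappers krb5_cc_default_sub() and krb5_cc_default_for() do not, relying on krb5_cc_resolve_sub()/krb5_cc_resolve_for() (outside this hunk) to do so on every error path. For consistency, and so callers can unconditionally krb5_cc_close() on failure, consider `*id = NULL;` before the delegating return in both. Also, get_default_cc_type() is called with a second argument of 0 here but 1 in krb5_cc_new_unique() and krb5_cc_configured_default_name() elsewhere in this diff; a comment naming what that flag selects would help, as its definition is outside this view.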
@@ -673,8 +904,12 @@ krb5_cc_initialize(krb5_context context,
krb5_error_code ret;
ret = (*id->ops->init)(context, id, primary_principal);
- if (ret == 0)
- id->initialized = 1;
+ if (ret == 0) {
+ id->cc_kx509_done = 0;
+ id->cc_initialized = 1;
+ id->cc_need_start_realm = 1;
+ id->cc_start_tgt_stored = 0;
+ }
return ret;
}
@@ -692,11 +927,32 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_destroy(krb5_context context,
krb5_ccache id)
{
+ krb5_error_code ret2 = 0;
krb5_error_code ret;
+ krb5_data d;
+
+ /*
+ * Destroy associated hx509 PKIX credential store created by krb5_kx509*().
+ */
+ if (krb5_cc_get_config(context, id, NULL, "kx509store", &d) == 0) {
+ char *name;
+
+ if ((name = strndup(d.data, d.length)) == NULL) {
+ ret2 = krb5_enomem(context);
+ } else {
+ hx509_certs certs;
+ ret = hx509_certs_init(context->hx509ctx, name, 0, NULL, &certs);
+ if (ret == 0)
+ ret2 = hx509_certs_destroy(context->hx509ctx, &certs);
+ else
+ hx509_certs_free(&certs);
+ free(name);
+ }
+ }
ret = (*id->ops->destroy)(context, id);
- krb5_cc_close (context, id);
- return ret;
+ (void) krb5_cc_close(context, id);
+ return ret ? ret : ret2;
}
/**
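Review bot: The krb5_data `d` filled by krb5_cc_get_config() is never released, so every successful lookup of the kx509store entry leaks its buffer; the doc comment for krb5_cc_get_config() in this same diff says the data must be freed with krb5_data_free(). Add `krb5_data_free(&d);` at the end of the `if (krb5_cc_get_config(...) == 0) { ... }` block, after `free(name)`. Separately, hx509_certs_free(&certs) is called when hx509_certs_init() failed; that is only safe if init guarantees `*certs` is set on failure, which I cannot confirm from here — if not, initialize `certs = NULL` or drop the free.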
@@ -713,6 +969,52 @@ krb5_cc_close(krb5_context context,
krb5_ccache id)
{
krb5_error_code ret;
+
+ if (!id)
+ return 0;
+
+ /*
+ * We want to automatically acquire a PKIX credential using kx509.
+ *
+ * This can be slow if we're generating an RSA key. Plus it means talking
+ * to the KDC.
+ *
+ * We only want to do this when:
+ *
+ * - krb5_cc_initialize() was called on this ccache handle,
+ * - a start TGT was stored (actually, a cross-realm TGT would do),
+ *
+ * and
+ *
+ * - we aren't creating a gss_cred_id_t for a delegated credential.
+ *
+ * We only have a heuristic for the last condition: that `id' is not a
+ * MEMORY ccache, which is what's used for delegated credentials.
+ *
+ * We really only want to do this when storing a credential in a user's
+ * default ccache, but we leave it to krb5_kx509() to do that check.
+ *
+ * XXX Perhaps we should do what krb5_kx509() does here, and just call
+ * krb5_kx509_ext() (renamed to krb5_kx509()). Then we wouldn't need
+ * the delegated cred handle heuristic.
+ */
+ if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done &&
+ strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) {
+ krb5_boolean enabled;
+
+ krb5_appdefault_boolean(context, NULL, NULL, "enable_kx509", FALSE,
+ &enabled);
+ if (enabled) {
+ _krb5_debug(context, 2, "attempting to fetch a certificate using "
+ "kx509");
+ ret = krb5_kx509(context, id, NULL);
+ if (ret)
+ _krb5_debug(context, 2, "failed to fetch a certificate");
+ else
+ _krb5_debug(context, 2, "fetched a certificate");
+ }
+ }
+
ret = (*id->ops->close)(context, id);
free(id);
return ret;
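Review bot: The new kx509 trigger does not exclude a handle that is being closed by krb5_cc_destroy(), which calls ops->destroy() and then krb5_cc_close(); the flags consulted here (cc_initialized, cc_start_tgt_stored, cc_kx509_done) are not reset by destroy, so with enable_kx509 set a destroyed ccache that had received a start TGT would still trigger a KDC exchange against a cache that no longer exists. Whether krb5_kx509() tolerates that I cannot tell from here, but the work is wasted at best. Suggest krb5_cc_destroy() set `id->cc_kx509_done = 1;` before calling krb5_cc_close(). A comment noting that this block may perform network I/O and key generation from inside a close would also help callers that close handles on hot paths.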
@@ -734,31 +1036,54 @@ krb5_cc_store_cred(krb5_context context,
{
krb5_error_code ret;
krb5_data realm;
+ const char *cfg = "";
+
+ /* Automatic cc_config-setting and other actions */
+ if (krb5_principal_get_num_comp(context, creds->server) > 1 &&
+ krb5_is_config_principal(context, creds->server))
+ cfg = krb5_principal_get_comp_string(context, creds->server, 1);
+
+ if (id->cc_initialized && !id->cc_need_start_realm &&
+ strcmp(cfg, "start_realm") == 0)
+ return 0;
ret = (*id->ops->store)(context, id, creds);
+ if (ret)
+ return ret;
- /* Look for and mark the first root TGT's realm as the start realm */
- if (ret == 0 && id->initialized &&
+ if (id->cc_initialized && !id->cc_start_tgt_stored &&
+ id->cc_need_start_realm &&
krb5_principal_is_root_krbtgt(context, creds->server)) {
-
- id->initialized = 0;
+ /* Mark the first root TGT's realm as the start realm */
+ id->cc_start_tgt_stored = 1;
realm.length = strlen(creds->server->realm);
realm.data = creds->server->realm;
(void) krb5_cc_set_config(context, id, NULL, "start_realm", &realm);
- } else if (ret == 0 && id->initialized &&
- krb5_is_config_principal(context, creds->server) &&
- strcmp(creds->server->name.name_string.val[1], "start_realm") == 0) {
-
+ id->cc_need_start_realm = 0;
+ } else if (id->cc_initialized && id->cc_start_tgt_stored &&
+ !id->cc_kx509_done && strcmp(cfg, "kx509cert") == 0) {
/*
- * But if the caller is storing a start_realm ccconfig, then
- * stop looking for root TGTs to mark as the start_realm.
+ * Do not attempt kx509 at cc close time -- we're copying a ccache and
+ * we've already got a cert (and private key).
+ */
+ id->cc_kx509_done = 1;
+ } else if (id->cc_initialized && id->cc_start_tgt_stored &&
+ !id->cc_kx509_done && strcmp(cfg, "kx509_service_status") == 0) {
+ /*
+ * Do not attempt kx509 at cc close time -- we're copying a ccache and
+ * we know the kx509 service is not available.
+ */
+ id->cc_kx509_done = 1;
+ } else if (id->cc_initialized && strcmp(cfg, "start_realm") == 0) {
+ /*
+ * If the caller is storing a start_realm ccconfig, then stop looking
+ * for root TGTs to mark as the start_realm.
*
- * By honoring any start_realm cc config stored, we interop
- * both, with ccache implementations that don't preserve
- * insertion order, and Kerberos implementations that store this
- * cc config before the TGT.
+ * By honoring any start_realm cc config stored, we interop both, with
+ * ccache implementations that don't preserve insertion order, and
+ * Kerberos implementations that store this cc config before the TGT.
*/
- id->initialized = 0;
+ id->cc_need_start_realm = 0;
}
return ret;
}
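Review bot: The new early return at the top silently drops a caller's attempt to store a `start_realm` cc-config once this handle has already recorded one (cc_need_start_realm cleared), without a comment explaining why; the removed code had no such filter, and the comment block further down only covers the opposite case. If the intent is "first root TGT wins over a later explicit start_realm", say so above the `return 0;`, e.g. `/* A start_realm was already recorded on this handle; ignore later ones so the first TGT's realm wins. */`. Note also that returning 0 tells the caller the credential was stored when it was not — worth confirming that is what ccache-copy callers expect.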
@@ -1055,9 +1380,35 @@ krb5_cc_clear_mcred(krb5_creds *mcred)
KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
{
- char *p, *p1;
+ return cc_get_prefix_ops(context, prefix, NULL);
+}
+
+/**
+ * Get the cc ops that is registered in `context' to handle the
+ * prefix. prefix can be a complete credential cache name or a
+ * prefix, the function will only use part up to the first colon (:)
+ * if there is one. If prefix the argument is NULL, the default ccache
+ * implementation is returned.
+ *
+ * If residual is non-NULL, it is set to the residual component of
+ * prefix (if present) or the prefix itself.
+ *
+ * @return Returns NULL if ops not found.
+ *
+ * @ingroup krb5_ccache
+ */
+
+
+static const krb5_cc_ops *
+cc_get_prefix_ops(krb5_context context,
+ const char *prefix,
+ const char **residual)
+{
int i;
+ if (residual)
+ *residual = prefix;
+
if (prefix == NULL)
return KRB5_DEFAULT_CCTYPE;
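Review bot: The new doc comment says `residual` is set to "the residual component of prefix (if present) or the prefix itself", but the matching loop in the following hunk sets `*residual = NULL` when the prefix matches a registered type and nothing (or only ':') follows; "the prefix itself" only describes the early-return and no-match paths. Suggest rewording to: `If residual is non-NULL it is set to the text after the first ':' when prefix matches a registered type and that text is non-empty, to NULL when a matching type has no residual, and left pointing at prefix otherwise.`. Also, cc_get_prefix_ops() is static and defined after its caller krb5_cc_get_prefix_ops(), so a forward declaration is required unless one exists above this view.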
@@ -1067,26 +1418,26 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
#ifdef _WIN32
/* Is drive letter? */
- if (isalpha(prefix[0]) && prefix[1] == ':')
+ if (isalpha((unsigned char)prefix[0]) && prefix[1] == ':')
return &krb5_fcc_ops;
#endif
- p = strdup(prefix);
- if (p == NULL) {
- krb5_enomem(context);
- return NULL;
- }
- p1 = strchr(p, ':');
- if (p1)
- *p1 = '\0';
-
for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
- if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
- free(p);
+ size_t prefix_len = strlen(context->cc_ops[i]->prefix);
+
+ if (strncmp(context->cc_ops[i]->prefix, prefix, prefix_len) == 0 &&
+ (prefix[prefix_len] == ':' || prefix[prefix_len] == '\0')) {
+ if (residual) {
+ if (prefix[prefix_len] == ':' && prefix[prefix_len + 1] != '\0')
+ *residual = &prefix[prefix_len + 1];
+ else
+ *residual = NULL;
+ }
+
return context->cc_ops[i];
}
}
- free(p);
+
return NULL;
}
@@ -1266,8 +1617,7 @@ krb5_cc_cache_match (krb5_context context,
} else if (cache == NULL) {
char *str;
- krb5_unparse_name(context, client, &str);
-
+ (void) krb5_unparse_name(context, client, &str);
krb5_set_error_message(context, KRB5_CC_NOTFOUND,
N_("Principal %s not found in any "
"credential cache", ""),
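Review bot: Casting the result of krb5_unparse_name() to void hides, rather than handles, the failure case: `str` is declared uninitialized just above, and on failure it is passed as the `%s` argument of the error message whose argument list continues outside this hunk. Suggest `if (krb5_unparse_name(context, client, &str) != 0) str = NULL;` and formatting with `str ? str : "<unknown>"`, freeing `str` only when non-NULL.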
@@ -1286,12 +1636,13 @@ krb5_cc_cache_match (krb5_context context,
* Move the content from one credential cache to another. The
* operation is an atomic switch.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param from the credential cache to move the content from
* @param to the credential cache to move the content to
- * @return On sucess, from is freed. On failure, error code is
- * returned and from and to are both still allocated, see krb5_get_error_message().
+ * @return On sucess, from is destroyed and closed. On failure, error code is
+ * returned and from and to are both still allocated; see
+ * krb5_get_error_message().
*
* @ingroup krb5_ccache
*/
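Review bot: The rewritten @return line keeps the "sucess" misspelling from the old text; it should read `@return On success, from is destroyed and closed. On failure, error code is`. The description otherwise matches the new implementation, whose fallback path destroys `from` via krb5_cc_destroy().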
@@ -1299,20 +1650,39 @@ krb5_cc_cache_match (krb5_context context,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
- krb5_error_code ret;
+ krb5_error_code ret = ENOTSUP;
+ krb5_principal princ = NULL;
- if (strcmp(from->ops->prefix, to->ops->prefix) != 0) {
- krb5_set_error_message(context, KRB5_CC_NOSUPP,
- N_("Moving credentials between diffrent "
- "types not yet supported", ""));
- return KRB5_CC_NOSUPP;
- }
-
- ret = (*to->ops->move)(context, from, to);
- if (ret == 0) {
- memset(from, 0, sizeof(*from));
- free(from);
- }
+ if (to->ops->move &&
+ strcmp(from->ops->prefix, to->ops->prefix) == 0) {
+ /*
+ * NOTE: to->ops->move() is expected to call
+ * krb5_cc_destroy(context, from) on success.
+ */
+ ret = (*to->ops->move)(context, from, to);
+ if (ret == 0)
+ return 0;
+ if (ret != EXDEV && ret != ENOTSUP && ret != KRB5_CC_NOSUPP &&
+ ret != KRB5_FCC_INTERNAL)
+ return ret;
+ /* Fallback to high-level copy */
+ } /* Else high-level copy */
+
+ /*
+ * Initialize destination, copy the source's contents to the destination,
+ * then destroy the source on success.
+ *
+ * It'd be nice if we could destroy any half-built destination if the copy
+ * fails, but the interface is not documented as doing so.
+ */
+ ret = krb5_cc_get_principal(context, from, &princ);
+ if (ret == 0)
+ ret = krb5_cc_initialize(context, to, princ);
+ krb5_free_principal(context, princ);
+ if (ret == 0)
+ ret = krb5_cc_copy_cache(context, from, to);
+ if (ret == 0)
+ krb5_cc_destroy(context, from);
return ret;
}
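Review bot: On the fallback path the result of `krb5_cc_destroy(context, from)` is discarded, so the function returns 0 even when destroying the source failed, and because krb5_cc_destroy() always frees the handle through krb5_cc_close(), the documented promise that `from` is still allocated on failure cannot hold for that case either way. Suggest `ret = krb5_cc_destroy(context, from);` and documenting that `from` is freed once the copy has succeeded regardless of the destroy result, so callers can tell a leftover source cache from a clean move. Minor: krb5_free_principal() is reached with a NULL `princ` when krb5_cc_get_principal() fails, which is fine only if that function tolerates NULL — I cannot confirm that from here.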
@@ -1358,7 +1728,7 @@ build_conf_principals(krb5_context context, krb5_ccache id,
* principal (generated part of krb5_cc_set_config()). Returns FALSE
* (zero) if not a configuration principal.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param principal principal to check if it a configuration principal
*
* @ingroup krb5_ccache
@@ -1382,7 +1752,7 @@ krb5_is_config_principal(krb5_context context,
* Store some configuration for the credential cache in the cache.
* Existing configuration under the same name is over-written.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param id the credential cache to store the data for
* @param principal configuration for a specific principal, if
* NULL, global for the whole cache.
@@ -1406,7 +1776,8 @@ krb5_cc_set_config(krb5_context context, krb5_ccache id,
/* Remove old configuration */
ret = krb5_cc_remove_cred(context, id, 0, &cred);
- if (ret && ret != KRB5_CC_NOTFOUND)
+ if (ret && ret != KRB5_CC_NOTFOUND && ret != KRB5_CC_NOSUPP &&
+ ret != KRB5_FCC_INTERNAL)
goto out;
if (data) {
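Review bot: Widening the ignored errors from krb5_cc_remove_cred() to KRB5_CC_NOSUPP and KRB5_FCC_INTERNAL means that for a backend that cannot remove credentials the old entry stays and the new one is appended; the function's doc comment ("Existing configuration under the same name is over-written") then no longer holds, and krb5_cc_get_config() returns whichever copy iteration finds first. If that is accepted, say so next to the check, e.g. `/* Backends that cannot remove entries keep the old value; readers must tolerate duplicates. */`, and adjust the doc comment accordingly.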
@@ -1429,12 +1800,14 @@ out:
/**
* Get some configuration for the credential cache in the cache.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param id the credential cache to store the data for
* @param principal configuration for a specific principal, if
* NULL, global for the whole cache.
* @param name name under which the configuraion is stored.
* @param data data to fetched, free with krb5_data_free()
+ * @return 0 on success, KRB5_CC_NOTFOUND or KRB5_CC_END if not found,
+ * or other system error.
*
* @ingroup krb5_ccache
*/
@@ -1480,7 +1853,7 @@ struct krb5_cccol_cursor_data {
* Get a new cache interation cursor that will interate over all
* credentials caches independent of type.
*
- * @param context a Keberos context
+ * @param context a Kerberos context
* @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
*
* @return Returns 0 or and error code, see krb5_get_error_message().
@@ -1522,7 +1895,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
krb5_ccache *cache)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
*cache = NULL;
@@ -1554,7 +1927,7 @@ krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
return KRB5_CC_END;
}
- return 0;
+ return ret;
}
/**
@@ -1602,6 +1975,11 @@ krb5_cc_last_change_time(krb5_context context,
krb5_timestamp *mtime)
{
*mtime = 0;
+
+ if (id->ops->version < KRB5_CC_OPS_VERSION_2
+ || id->ops->lastchange == NULL)
+ return KRB5_CC_NOSUPP;
+
return (*id->ops->lastchange)(context, id, mtime);
}
@@ -1816,7 +2194,8 @@ krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
{
- if (id->ops->set_kdc_offset == NULL) {
+ if (id->ops->version < KRB5_CC_OPS_VERSION_3
+ || id->ops->set_kdc_offset == NULL) {
context->kdc_sec_offset = offset;
context->kdc_usec_offset = 0;
return 0;
@@ -1841,7 +2220,8 @@ krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
{
- if (id->ops->get_kdc_offset == NULL) {
+ if (id->ops->version < KRB5_CC_OPS_VERSION_3
+ || id->ops->get_kdc_offset == NULL) {
*offset = context->kdc_sec_offset;
return 0;
}
@@ -1865,8 +2245,8 @@ _get_default_cc_name_from_registry(krb5_context context, HKEY hkBase)
if (code != ERROR_SUCCESS)
return NULL;
- ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname",
- REG_NONE, 0);
+ ccname = heim_parse_reg_value_as_string(context->hcontext, hk_k5, "ccname",
+ REG_NONE, 0);
RegCloseKey(hk_k5);
@@ -1905,8 +2285,8 @@ _krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id)
if (ret < 0)
goto cleanup;
- ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname",
- REG_SZ, ccname, -1, 0);
+ ret = heim_store_string_to_reg_value(context->hcontext, hk_k5, "ccname",
+ REG_SZ, ccname, -1, 0);
cleanup:
diff --git a/lib/krb5/ccache_plugin.h b/lib/krb5/ccache_plugin.h
index f6871d65d16b..e0fda4c94a84 100644
--- a/lib/krb5/ccache_plugin.h
+++ b/lib/krb5/ccache_plugin.h
@@ -33,7 +33,14 @@
#define HEIMDAL_KRB5_CCACHE_PLUGIN_H 1
#include <krb5.h>
+#include <common_plugin.h>
#define KRB5_PLUGIN_CCACHE "ccache_ops"
+krb5_error_code KRB5_CALLCONV
+ccache_ops_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *func,
+ size_t *n_ftables,
+ heim_plugin_common_ftable_p **ftables);
+
#endif /* HEIMDAL_KRB5_CCACHE_PLUGIN_H */
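Review bot: The new prototype `ccache_ops_plugin_load` is added without a comment explaining that it is the symbol a ccache plugin module is expected to export, what `func` is used for, or who owns the `ftables` array it fills in; as the only declaration in this public header it is what plugin authors will read. A short comment above it stating the contract — the symbol the loader looks up, that `*ftables` must point at `*n_ftables` entries, and the lifetime of that array — would help; I can only infer the contract from the parameter types here.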
diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c
index e028753dbcfd..22a1f404c70e 100644
--- a/lib/krb5/changepw.c
+++ b/lib/krb5/changepw.c
@@ -384,7 +384,7 @@ process_reply (krb5_context context,
ap_rep_data.data = reply + 6;
ap_rep_data.length = (reply[4] << 8) | (reply[5]);
- if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
+ if (len - 6 < ap_rep_data.length) {
str2data (result_string, "client: wrong AP len in reply");
*result_code = KRB5_KPASSWD_MALFORMED;
return 0;
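Review bot: The new length check `len - 6 < ap_rep_data.length` underflows when `len < 6`: if `len` is unsigned the subtraction wraps to a huge value and the check passes, and if it is signed the comparison against the unsigned length converts the negative result the same way; either way a truncated reply would make `ap_rep_data` extend past `reply`. The old pointer-based form was undefined behaviour too, so this is an improvement, but unless a `len < 6` (or stronger) guard precedes this point outside the hunk — reply[4] and reply[5] are read just above — the check should read `if (len < 6 || len - 6 < ap_rep_data.length) {`.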
@@ -478,7 +478,7 @@ typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
krb5_data *,
const char *);
-static struct kpwd_proc {
+static const struct kpwd_proc {
const char *name;
int flags;
#define SUPPORT_TCP 1
@@ -513,7 +513,7 @@ change_password_loop (krb5_context context,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string,
- struct kpwd_proc *proc)
+ const struct kpwd_proc *proc)
{
krb5_error_code ret;
krb5_auth_context auth_context = NULL;
@@ -662,10 +662,10 @@ change_password_loop (krb5_context context,
#ifndef HEIMDAL_SMALLER
-static struct kpwd_proc *
+static const struct kpwd_proc *
find_chpw_proto(const char *name)
{
- struct kpwd_proc *p;
+ const struct kpwd_proc *p;
for (p = procs; p->name != NULL; p++) {
if (strcmp(p->name, name) == 0)
return p;
@@ -695,9 +695,9 @@ krb5_change_password (krb5_context context,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_set_password instead")
{
- struct kpwd_proc *p = find_chpw_proto("change password");
+ const struct kpwd_proc *p = find_chpw_proto("change password");
*result_code = KRB5_KPASSWD_MALFORMED;
result_code_string->data = result_string->data = NULL;
@@ -718,7 +718,7 @@ krb5_change_password (krb5_context context,
* @param context a Keberos context
* @param creds The initial kadmin/passwd for the principal or an admin principal
* @param newpw The new password to set
- * @param targprinc if unset, the default principal is used.
+ * @param targprinc if unset, the client principal from creds is used
* @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
* @param result_code_string binary message from the server, contains
* at least the result_code.
@@ -748,7 +748,7 @@ krb5_set_password(krb5_context context,
krb5_data_zero(result_string);
if (targprinc == NULL) {
- ret = krb5_get_default_principal(context, &principal);
+ ret = krb5_copy_principal(context, creds->client, &principal);
if (ret)
return ret;
} else
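Review bot: Defaulting the target to `creds->client` introduces a dependency on `creds` and `creds->client` being non-NULL that the previous krb5_get_default_principal() path did not have, and nothing in this hunk checks it (the function continues outside the hunk). Since the contract change is already reflected in the updated @param doc, consider a guard before the copy, `if (creds == NULL || creds->client == NULL) return EINVAL;` with a krb5_set_error_message() naming the missing principal, or state in the doc comment that `creds->client` must be set.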
diff --git a/lib/krb5/config_file.c b/lib/krb5/config_file.c
index 6293bd72ddb9..22eff10d27f2 100644
--- a/lib/krb5/config_file.c
+++ b/lib/krb5/config_file.c
@@ -35,370 +35,49 @@
#include "krb5_locl.h"
-#ifdef __APPLE__
+#if defined(HAVE_FRAMEWORK_COREFOUNDATION)
#include <CoreFoundation/CoreFoundation.h>
#endif
-/* Gaah! I want a portable funopen */
-struct fileptr {
- const char *s;
- FILE *f;
-};
-
-static char *
-config_fgets(char *str, size_t len, struct fileptr *ptr)
-{
- /* XXX this is not correct, in that they don't do the same if the
- line is longer than len */
- if(ptr->f != NULL)
- return fgets(str, len, ptr->f);
- else {
- /* this is almost strsep_copy */
- const char *p;
- ssize_t l;
- if(*ptr->s == '\0')
- return NULL;
- p = ptr->s + strcspn(ptr->s, "\n");
- if(*p == '\n')
- p++;
- l = min(len, (size_t)(p - ptr->s));
- if(len > 0) {
- memcpy(str, ptr->s, l);
- str[l] = '\0';
- }
- ptr->s = p;
- return str;
- }
-}
-
-static krb5_error_code parse_section(char *p, krb5_config_section **s,
- krb5_config_section **res,
- const char **err_message);
-static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p,
- krb5_config_binding **b,
- krb5_config_binding **parent,
- const char **err_message);
-static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno,
- krb5_config_binding **parent,
- const char **err_message);
-
-KRB5_LIB_FUNCTION krb5_config_section * KRB5_LIB_CALL
-_krb5_config_get_entry(krb5_config_section **parent, const char *name, int type)
-{
- krb5_config_section **q;
-
- for(q = parent; *q != NULL; q = &(*q)->next)
- if(type == krb5_config_list &&
- (unsigned)type == (*q)->type &&
- strcmp(name, (*q)->name) == 0)
- return *q;
- *q = calloc(1, sizeof(**q));
- if(*q == NULL)
- return NULL;
- (*q)->name = strdup(name);
- (*q)->type = type;
- if((*q)->name == NULL) {
- free(*q);
- *q = NULL;
- return NULL;
- }
- return *q;
-}
-
-/*
- * Parse a section:
- *
- * [section]
- * foo = bar
- * b = {
- * a
- * }
- * ...
- *
- * starting at the line in `p', storing the resulting structure in
- * `s' and hooking it into `parent'.
- * Store the error message in `err_message'.
- */
-
-static krb5_error_code
-parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
- const char **err_message)
-{
- char *p1;
- krb5_config_section *tmp;
-
- p1 = strchr (p + 1, ']');
- if (p1 == NULL) {
- *err_message = "missing ]";
- return KRB5_CONFIG_BADFORMAT;
- }
- *p1 = '\0';
- tmp = _krb5_config_get_entry(parent, p + 1, krb5_config_list);
- if(tmp == NULL) {
- *err_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- *s = tmp;
- return 0;
-}
-
-/*
- * Parse a brace-enclosed list from `f', hooking in the structure at
- * `parent'.
- * Store the error message in `err_message'.
- */
-
-static krb5_error_code
-parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent,
- const char **err_message)
-{
- char buf[KRB5_BUFSIZ];
- krb5_error_code ret;
- krb5_config_binding *b = NULL;
- unsigned beg_lineno = *lineno;
-
- while(config_fgets(buf, sizeof(buf), f) != NULL) {
- char *p;
-
- ++*lineno;
- buf[strcspn(buf, "\r\n")] = '\0';
- p = buf;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '#' || *p == ';' || *p == '\0')
- continue;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '}')
- return 0;
- if (*p == '\0')
- continue;
- ret = parse_binding (f, lineno, p, &b, parent, err_message);
- if (ret)
- return ret;
- }
- *lineno = beg_lineno;
- *err_message = "unclosed {";
- return KRB5_CONFIG_BADFORMAT;
-}
-
-/*
+/**
+ * Parse configuration files in the given directory and add the result
+ * into res. Only files whose names consist only of alphanumeric
+ * characters, hyphen, and underscore, will be parsed, though files
+ * ending in ".conf" will also be parsed.
+ *
+ * This interface can be used to parse several configuration directories
+ * into one resulting krb5_config_section by calling it repeatably.
+ *
+ * @param context a Kerberos 5 context.
+ * @param dname a directory name to a Kerberos configuration file
+ * @param res the returned result, must be free with krb5_free_config_files().
+ * @return Return an error code or 0, see krb5_get_error_message().
*
+ * @ingroup krb5_support
*/
-static krb5_error_code
-parse_binding(struct fileptr *f, unsigned *lineno, char *p,
- krb5_config_binding **b, krb5_config_binding **parent,
- const char **err_message)
-{
- krb5_config_binding *tmp;
- char *p1, *p2;
- krb5_error_code ret = 0;
-
- p1 = p;
- while (*p && *p != '=' && !isspace((unsigned char)*p))
- ++p;
- if (*p == '\0') {
- *err_message = "missing =";
- return KRB5_CONFIG_BADFORMAT;
- }
- p2 = p;
- while (isspace((unsigned char)*p))
- ++p;
- if (*p != '=') {
- *err_message = "missing =";
- return KRB5_CONFIG_BADFORMAT;
- }
- ++p;
- while(isspace((unsigned char)*p))
- ++p;
- *p2 = '\0';
- if (*p == '{') {
- tmp = _krb5_config_get_entry(parent, p1, krb5_config_list);
- if (tmp == NULL) {
- *err_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- ret = parse_list (f, lineno, &tmp->u.list, err_message);
- } else {
- tmp = _krb5_config_get_entry(parent, p1, krb5_config_string);
- if (tmp == NULL) {
- *err_message = "out of memory";
- return KRB5_CONFIG_BADFORMAT;
- }
- p1 = p;
- p = p1 + strlen(p1);
- while(p > p1 && isspace((unsigned char)*(p-1)))
- --p;
- *p = '\0';
- tmp->u.string = strdup(p1);
- }
- *b = tmp;
- return ret;
-}
-
-#if defined(__APPLE__)
-
-#if MAC_OS_X_VERSION_MIN_REQUIRED >= 1060
-#define HAVE_CFPROPERTYLISTCREATEWITHSTREAM 1
-#endif
-
-static char *
-cfstring2cstring(CFStringRef string)
-{
- CFIndex len;
- char *str;
-
- str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
- if (str)
- return strdup(str);
-
- len = CFStringGetLength(string);
- len = 1 + CFStringGetMaximumSizeForEncoding(len, kCFStringEncodingUTF8);
- str = malloc(len);
- if (str == NULL)
- return NULL;
-
- if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) {
- free (str);
- return NULL;
- }
- return str;
-}
-
-static void
-convert_content(const void *key, const void *value, void *context)
-{
- krb5_config_section *tmp, **parent = context;
- char *k;
-
- if (CFGetTypeID(key) != CFStringGetTypeID())
- return;
-
- k = cfstring2cstring(key);
- if (k == NULL)
- return;
-
- if (CFGetTypeID(value) == CFStringGetTypeID()) {
- tmp = _krb5_config_get_entry(parent, k, krb5_config_string);
- tmp->u.string = cfstring2cstring(value);
- } else if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
- tmp = _krb5_config_get_entry(parent, k, krb5_config_list);
- CFDictionaryApplyFunction(value, convert_content, &tmp->u.list);
- } else {
- /* log */
- }
- free(k);
-}
-
-static krb5_error_code
-parse_plist_config(krb5_context context, const char *path, krb5_config_section **parent)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_config_parse_dir_multi(krb5_context context,
+ const char *dname,
+ krb5_config_section **res)
{
- CFReadStreamRef s;
- CFDictionaryRef d;
- CFURLRef url;
-
- url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE);
- if (url == NULL) {
- krb5_clear_error_message(context);
- return ENOMEM;
- }
-
- s = CFReadStreamCreateWithFile(kCFAllocatorDefault, url);
- CFRelease(url);
- if (s == NULL) {
- krb5_clear_error_message(context);
- return ENOMEM;
- }
-
- if (!CFReadStreamOpen(s)) {
- CFRelease(s);
- krb5_clear_error_message(context);
- return ENOENT;
- }
-
-#ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM
- d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
-#else
- d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
-#endif
- CFRelease(s);
- if (d == NULL) {
- krb5_clear_error_message(context);
- return ENOENT;
- }
-
- CFDictionaryApplyFunction(d, convert_content, parent);
- CFRelease(d);
-
- return 0;
-}
-
-#endif
-
+ krb5_error_code ret;
+ heim_config_section *section = NULL;
-/*
- * Parse the config file `fname', generating the structures into `res'
- * returning error messages in `err_message'
- */
+ if (res == NULL)
+ return EINVAL;
-static krb5_error_code
-krb5_config_parse_debug (struct fileptr *f,
- krb5_config_section **res,
- unsigned *lineno,
- const char **err_message)
-{
- krb5_config_section *s = NULL;
- krb5_config_binding *b = NULL;
- char buf[KRB5_BUFSIZ];
- krb5_error_code ret;
+ *res = NULL;
- *lineno = 0;
- *err_message = "";
-
- while (config_fgets(buf, sizeof(buf), f) != NULL) {
- char *p;
-
- ++*lineno;
- buf[strcspn(buf, "\r\n")] = '\0';
- p = buf;
- while(isspace((unsigned char)*p))
- ++p;
- if (*p == '#' || *p == ';')
- continue;
- if (*p == '[') {
- ret = parse_section(p, &s, res, err_message);
- if (ret)
- return ret;
- b = NULL;
- } else if (*p == '}') {
- *err_message = "unmatched }";
- return KRB5_CONFIG_BADFORMAT;
- } else if(*p != '\0') {
- if (s == NULL) {
- *err_message = "binding before section";
- return KRB5_CONFIG_BADFORMAT;
- }
- ret = parse_binding(f, lineno, p, &b, &s->u.list, err_message);
- if (ret)
- return ret;
- }
- }
+ ret = heim_config_parse_dir_multi(context->hcontext, dname, &section);
+ if (ret == HEIM_ERR_CONFIG_BADFORMAT)
+ return KRB5_CONFIG_BADFORMAT;
+ if (ret)
+ return ret;
+ *res = (krb5_config_section *)section;
return 0;
}
-static int
-is_plist_file(const char *fname)
-{
- size_t len = strlen(fname);
- char suffix[] = ".plist";
- if (len < sizeof(suffix))
- return 0;
- if (strcasecmp(&fname[len - (sizeof(suffix) - 1)], suffix) != 0)
- return 0;
- return 1;
-}
-
/**
* Parse a configuration file and add the result into res. This
* interface can be used to parse several configuration files into one
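Review bot: krb5_config_parse_dir_multi() returns KRB5_CONFIG_BADFORMAT (and any other heim error code) without setting a krb5 error message, although its doc comment points callers at krb5_get_error_message(); whether a message recorded in context->hcontext by heim_config_parse_dir_multi() is visible through the krb5 context I cannot tell from here. If it is not, add `krb5_set_error_message(context, KRB5_CONFIG_BADFORMAT, "%s: bad configuration format", dname);` before that return. The doc comment's claim about which file names are parsed (alphanumeric, hyphen, underscore, or ending in ".conf") describes heim_config_parse_dir_multi() behaviour not visible in this file, so it should be kept in sync with libheimbase or phrased as a reference to it.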
@@ -413,139 +92,35 @@ is_plist_file(const char *fname)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file_multi (krb5_context context,
- const char *fname,
- krb5_config_section **res)
+krb5_config_parse_file_multi(krb5_context context,
+ const char *fname,
+ krb5_config_section **res)
{
- const char *str;
- char *newfname = NULL;
- unsigned lineno = 0;
krb5_error_code ret;
- struct fileptr f;
-
- /**
- * If the fname starts with "~/" parse configuration file in the
- * current users home directory. The behavior can be disabled and
- * enabled by calling krb5_set_home_dir_access().
- */
- if (ISTILDE(fname[0]) && ISPATHSEP(fname[1])) {
-#ifndef KRB5_USE_PATH_TOKENS
- const char *home = NULL;
-
- if (!_krb5_homedir_access(context)) {
- krb5_set_error_message(context, EPERM,
- "Access to home directory not allowed");
- return EPERM;
- }
-
- if(!issuid())
- home = getenv("HOME");
-
- if (home == NULL) {
- struct passwd *pw = getpwuid(getuid());
- if(pw != NULL)
- home = pw->pw_dir;
- }
- if (home) {
- int aret;
-
- aret = asprintf(&newfname, "%s%s", home, &fname[1]);
- if (aret == -1 || newfname == NULL)
- return krb5_enomem(context);
- fname = newfname;
- }
-#else /* KRB5_USE_PATH_TOKENS */
- if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
- newfname == NULL)
- return krb5_enomem(context);
- fname = newfname;
-#endif
- }
-
- if (is_plist_file(fname)) {
-#ifdef __APPLE__
- ret = parse_plist_config(context, fname, res);
- if (ret) {
- krb5_set_error_message(context, ret,
- "Failed to parse plist %s", fname);
- if (newfname)
- free(newfname);
- return ret;
- }
-#else
- krb5_set_error_message(context, ENOENT,
- "no support for plist configuration files");
- return ENOENT;
-#endif
- } else {
-#ifdef KRB5_USE_PATH_TOKENS
- char * exp_fname = NULL;
-
- ret = _krb5_expand_path_tokens(context, fname, 1, &exp_fname);
- if (ret) {
- if (newfname)
- free(newfname);
- return ret;
- }
-
- if (newfname)
- free(newfname);
- fname = newfname = exp_fname;
-#endif
+ heim_config_section *section = NULL;
+
+ if (res == NULL)
+ return EINVAL;
+
+ *res = NULL;
- f.f = fopen(fname, "r");
- f.s = NULL;
- if(f.f == NULL) {
- ret = errno;
- krb5_set_error_message (context, ret, "open %s: %s",
- fname, strerror(ret));
- if (newfname)
- free(newfname);
- return ret;
- }
-
- ret = krb5_config_parse_debug (&f, res, &lineno, &str);
- fclose(f.f);
- if (ret) {
- krb5_set_error_message (context, ret, "%s:%u: %s",
- fname, lineno, str);
- if (newfname)
- free(newfname);
- return ret;
- }
- }
+ ret = heim_config_parse_file_multi(context->hcontext, fname, &section);
+ if (ret == HEIM_ERR_CONFIG_BADFORMAT)
+ return KRB5_CONFIG_BADFORMAT;
+ if (ret)
+ return ret;
+ *res = (krb5_config_section *)section;
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file (krb5_context context,
- const char *fname,
- krb5_config_section **res)
+krb5_config_parse_file(krb5_context context,
+ const char *fname,
+ krb5_config_section **res)
{
- *res = NULL;
return krb5_config_parse_file_multi(context, fname, res);
}
-static void
-free_binding (krb5_context context, krb5_config_binding *b)
-{
- krb5_config_binding *next_b;
-
- while (b) {
- free (b->name);
- if (b->type == krb5_config_string)
- free (b->u.string);
- else if (b->type == krb5_config_list)
- free_binding (context, b->u.list);
- else
- krb5_abortx(context, "unknown binding type (%d) in free_binding",
- b->type);
- next_b = b->next;
- free (b);
- b = next_b;
- }
-}
-
/**
* Free configuration file section, the result of
* krb5_config_parse_file() and krb5_config_parse_file_multi().
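Review bot: In the new krb5_config_parse_file_multi body, `*res = NULL;` followed by parsing into a fresh local `section` means the function no longer appends to an existing `*res`, which contradicts the doc comment directly above it ("add the result into res ... parse several configuration files into one") and silently drops, without freeing, whatever the caller had accumulated; it was the removed line in krb5_config_parse_file that used to clear `*res`. If heim_config_parse_file_multi appends as its name suggests, pass the caller's pointer straight through, `ret = heim_config_parse_file_multi(context->hcontext, fname, (heim_config_section **)res);`, and drop the `*res = NULL;`; otherwise either restore the multi contract here or correct the comment. Separately, the removed code gated `~/` expansion behind `_krb5_homedir_access()` and skipped `getenv("HOME")` for set-uid processes; that check is now the heim layer's job, so it is worth confirming that the setting from `krb5_set_home_dir_access()` reaches `context->hcontext`, otherwise a set-uid binary could read a configuration file named via an attacker-controlled HOME. The detailed `"open %s: %s"` and `"%s:%u: %s"` messages previously set on the krb5_context are also gone unless the two contexts share error state.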
@@ -560,10 +135,9 @@ free_binding (krb5_context context, krb5_config_binding *b)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_file_free (krb5_context context, krb5_config_section *s)
+krb5_config_file_free(krb5_context context, krb5_config_section *s)
{
- free_binding (context, s);
- return 0;
+ return heim_config_file_free(context->hcontext, (heim_config_section *)s);
}
#ifndef HEIMDAL_SMALLER
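Review bot: The removed free_binding() tolerated a NULL section (its `while (b)` loop simply did nothing), so any caller passing NULL to krb5_config_file_free now depends on heim_config_file_free() being equally NULL-safe, which the hunk does not show. A one-line guard keeps the wrapper's previous contract regardless of the heim implementation: `if (s == NULL) return 0;` before the call to heim_config_file_free.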
@@ -571,139 +145,81 @@ krb5_config_file_free (krb5_context context, krb5_config_section *s)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_config_copy(krb5_context context,
krb5_config_section *c,
- krb5_config_section **head)
+ krb5_config_section **res)
{
- krb5_config_binding *d, *previous = NULL;
-
- *head = NULL;
-
- while (c) {
- d = calloc(1, sizeof(*d));
-
- if (*head == NULL)
- *head = d;
-
- d->name = strdup(c->name);
- d->type = c->type;
- if (d->type == krb5_config_string)
- d->u.string = strdup(c->u.string);
- else if (d->type == krb5_config_list)
- _krb5_config_copy (context, c->u.list, &d->u.list);
- else
- krb5_abortx(context,
- "unknown binding type (%d) in krb5_config_copy",
- d->type);
- if (previous)
- previous->next = d;
-
- previous = d;
- c = c->next;
- }
+ krb5_error_code ret;
+ heim_config_section *section = NULL;
+
+ if (res == NULL)
+ return EINVAL;
+
+ *res = NULL;
+ ret = heim_config_copy(context->hcontext, (heim_config_section *)c, &section);
+ if (ret)
+ return ret;
+ *res = (krb5_config_section *)section;
return 0;
}
#endif /* HEIMDAL_SMALLER */
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- ...)
+_krb5_config_get_next(krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ ...)
{
const char *ret;
va_list args;
va_start(args, type);
- ret = _krb5_config_vget_next (context, c, pointer, type, args);
+ ret = heim_config_vget_next(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ (const heim_config_binding **)pointer, type, args);
va_end(args);
return ret;
}
-static const void *
-vget_next(krb5_context context,
- const krb5_config_binding *b,
- const krb5_config_binding **pointer,
- int type,
- const char *name,
- va_list args)
-{
- const char *p = va_arg(args, const char *);
- while(b != NULL) {
- if(strcmp(b->name, name) == 0) {
- if(b->type == (unsigned)type && p == NULL) {
- *pointer = b;
- return b->u.generic;
- } else if(b->type == krb5_config_list && p != NULL) {
- return vget_next(context, b->u.list, pointer, type, p, args);
- }
- }
- b = b->next;
- }
- return NULL;
-}
-
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget_next (krb5_context context,
- const krb5_config_section *c,
- const krb5_config_binding **pointer,
- int type,
- va_list args)
+_krb5_config_vget_next(krb5_context context,
+ const krb5_config_section *c,
+ const krb5_config_binding **pointer,
+ int type,
+ va_list args)
{
- const krb5_config_binding *b;
- const char *p;
-
- if(c == NULL)
- c = context->cf;
-
- if (c == NULL)
- return NULL;
-
- if (*pointer == NULL) {
- /* first time here, walk down the tree looking for the right
- section */
- p = va_arg(args, const char *);
- if (p == NULL)
- return NULL;
- return vget_next(context, c, pointer, type, p, args);
- }
-
- /* we were called again, so just look for more entries with the
- same name and type */
- for (b = (*pointer)->next; b != NULL; b = b->next) {
- if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) {
- *pointer = b;
- return b->u.generic;
- }
- }
- return NULL;
+ return heim_config_vget_next(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ (const heim_config_binding **)pointer, type, args);
}
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get (krb5_context context,
- const krb5_config_section *c,
- int type,
- ...)
+_krb5_config_get(krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ ...)
{
const void *ret;
va_list args;
va_start(args, type);
- ret = _krb5_config_vget (context, c, type, args);
+ ret = heim_config_vget(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ type, args);
va_end(args);
return ret;
}
KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget (krb5_context context,
- const krb5_config_section *c,
- int type,
- va_list args)
+_krb5_config_vget(krb5_context context,
+ const krb5_config_section *c,
+ int type,
+ va_list args)
{
- const krb5_config_binding *foo = NULL;
-
- return _krb5_config_vget_next (context, c, &foo, type, args);
+ return heim_config_vget(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ type, args);
}
/**
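Review bot: The expression `(const heim_config_section *)(c ? c : context->cf)` is now repeated verbatim in every accessor in this file, and unlike the removed _krb5_config_vget_next body it no longer returns NULL when both `c` and `context->cf` are NULL; that case is handed to heim_config_vget_next, which presumably copes but is not visible here. A small static helper would put the fallback, the cast and a NULL guard (if the heim layer needs one) in one place, and each accessor body shrinks to a single call. The casts between krb5_config_* and heim_config_* pointers also assume the two structs are layout-identical; that assumption deserves a comment on the helper rather than being implicit at a dozen call sites.

```c
/*
 * Section to query: the caller's `c`, or the context's default config
 * when `c` is NULL.  krb5_config_section and heim_config_section are
 * assumed to be the same struct layout -- TODO confirm against heimbase.h.
 */
static const heim_config_section *
cfg_section(krb5_context context, const krb5_config_section *c)
{
    return (const heim_config_section *)(c ? c : context->cf);
}

/* … unchanged: _krb5_config_copy, _krb5_config_get_next … */

KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
_krb5_config_vget_next(krb5_context context,
                       const krb5_config_section *c,
                       const krb5_config_binding **pointer,
                       int type,
                       va_list args)
{
    return heim_config_vget_next(context->hcontext, cfg_section(context, c),
                                 (const heim_config_binding **)pointer,
                                 type, args);
}
```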
@@ -719,17 +235,19 @@ _krb5_config_vget (krb5_context context,
*/
KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_get_list (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_list(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
- const krb5_config_binding *ret;
+ const heim_config_binding *ret;
va_list args;
va_start(args, c);
- ret = krb5_config_vget_list (context, c, args);
+ ret = heim_config_vget_list(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
va_end(args);
- return ret;
+ return (const krb5_config_binding *)ret;
}
/**
@@ -745,11 +263,16 @@ krb5_config_get_list (krb5_context context,
*/
KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_vget_list (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_list(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return _krb5_config_vget (context, c, krb5_config_list, args);
+ const heim_config_binding *ret;
+
+ ret = heim_config_vget_list(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
+ return (const krb5_config_binding *)ret;
}
/**
@@ -768,15 +291,17 @@ krb5_config_vget_list (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_string(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
const char *ret;
va_list args;
va_start(args, c);
- ret = krb5_config_vget_string (context, c, args);
+ ret = heim_config_vget_string(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
va_end(args);
return ret;
}
@@ -794,11 +319,13 @@ krb5_config_get_string (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_string(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return _krb5_config_vget (context, c, krb5_config_string, args);
+ return heim_config_vget_string(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
}
/**
@@ -817,17 +344,14 @@ krb5_config_vget_string (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string_default (krb5_context context,
- const krb5_config_section *c,
- const char *def_value,
- va_list args)
+krb5_config_vget_string_default(krb5_context context,
+ const krb5_config_section *c,
+ const char *def_value,
+ va_list args)
{
- const char *ret;
-
- ret = krb5_config_vget_string (context, c, args);
- if (ret == NULL)
- ret = def_value;
- return ret;
+ return heim_config_vget_string_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
/**
@@ -846,64 +370,22 @@ krb5_config_vget_string_default (krb5_context context,
*/
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string_default (krb5_context context,
- const krb5_config_section *c,
- const char *def_value,
- ...)
+krb5_config_get_string_default(krb5_context context,
+ const krb5_config_section *c,
+ const char *def_value,
+ ...)
{
const char *ret;
va_list args;
va_start(args, def_value);
- ret = krb5_config_vget_string_default (context, c, def_value, args);
+ ret = heim_config_vget_string_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
va_end(args);
return ret;
}
-static char *
-next_component_string(char * begin, const char * delims, char **state)
-{
- char * end;
-
- if (begin == NULL)
- begin = *state;
-
- if (*begin == '\0')
- return NULL;
-
- end = begin;
- while (*end == '"') {
- char * t = strchr(end + 1, '"');
-
- if (t)
- end = ++t;
- else
- end += strlen(end);
- }
-
- if (*end != '\0') {
- size_t pos;
-
- pos = strcspn(end, delims);
- end = end + pos;
- }
-
- if (*end != '\0') {
- *end = '\0';
- *state = end + 1;
- if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
- begin++; *(end - 1) = '\0';
- }
- return begin;
- }
-
- *state = end;
- if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
- begin++; *(end - 1) = '\0';
- }
- return begin;
-}
-
/**
* Get a list of configuration strings, free the result with
* krb5_config_free_strings().
@@ -922,50 +404,9 @@ krb5_config_vget_strings(krb5_context context,
const krb5_config_section *c,
va_list args)
{
- char **strings = NULL;
- int nstr = 0;
- const krb5_config_binding *b = NULL;
- const char *p;
-
- while((p = _krb5_config_vget_next(context, c, &b,
- krb5_config_string, args))) {
- char *tmp = strdup(p);
- char *pos = NULL;
- char *s;
- if(tmp == NULL)
- goto cleanup;
- s = next_component_string(tmp, " \t", &pos);
- while(s){
- char **tmp2 = realloc(strings, (nstr + 1) * sizeof(*strings));
- if(tmp2 == NULL) {
- free(tmp);
- goto cleanup;
- }
- strings = tmp2;
- strings[nstr] = strdup(s);
- nstr++;
- if(strings[nstr-1] == NULL) {
- free(tmp);
- goto cleanup;
- }
- s = next_component_string(NULL, " \t", &pos);
- }
- free(tmp);
- }
- if(nstr){
- char **tmp = realloc(strings, (nstr + 1) * sizeof(*strings));
- if(tmp == NULL)
- goto cleanup;
- strings = tmp;
- strings[nstr] = NULL;
- }
- return strings;
-cleanup:
- while(nstr--)
- free(strings[nstr]);
- free(strings);
- return NULL;
-
+ return heim_config_vget_strings(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ args);
}
/**
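Review bot: The removed body of krb5_config_vget_strings split each matching value on spaces and tabs while honouring double-quoted components (via the now-deleted next_component_string), so a value such as `kdc = "host name:88"` stayed a single element; heim_config_vget_strings is now responsible for that tokenisation and nothing in the hunk shows that its quoting rules are identical. A test comparing both implementations on a quoted, multi-element value would catch a divergence that would otherwise silently change how list-valued settings (KDC addresses, enctype lists) are read. The returned array is now allocated by the heim layer, so a comment on the function, `/* Result is heim-allocated; release it only via krb5_config_free_strings(). */`, would make the ownership rule explicit for callers.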
@@ -989,7 +430,9 @@ krb5_config_get_strings(krb5_context context,
va_list ap;
char **ret;
va_start(ap, c);
- ret = krb5_config_vget_strings(context, c, ap);
+ ret = heim_config_vget_strings(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ ap);
va_end(ap);
return ret;
}
@@ -1006,12 +449,7 @@ krb5_config_get_strings(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_config_free_strings(char **strings)
{
- char **s = strings;
- while(s && *s){
- free(*s);
- s++;
- }
- free(strings);
+ heim_config_free_strings(strings);
}
/**
@@ -1033,19 +471,14 @@ krb5_config_free_strings(char **strings)
*/
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool_default (krb5_context context,
- const krb5_config_section *c,
- krb5_boolean def_value,
- va_list args)
+krb5_config_vget_bool_default(krb5_context context,
+ const krb5_config_section *c,
+ krb5_boolean def_value,
+ va_list args)
{
- const char *str;
- str = krb5_config_vget_string (context, c, args);
- if(str == NULL)
- return def_value;
- if(strcasecmp(str, "yes") == 0 ||
- strcasecmp(str, "true") == 0 ||
- atoi(str)) return TRUE;
- return FALSE;
+ return heim_config_vget_bool_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
/**
@@ -1063,11 +496,13 @@ krb5_config_vget_bool_default (krb5_context context,
*/
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_bool(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return krb5_config_vget_bool_default (context, c, FALSE, args);
+ return heim_config_vget_bool_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ FALSE, args);
}
/**
@@ -1087,15 +522,17 @@ krb5_config_vget_bool (krb5_context context,
*/
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_get_bool_default (krb5_context context,
- const krb5_config_section *c,
- krb5_boolean def_value,
- ...)
+krb5_config_get_bool_default(krb5_context context,
+ const krb5_config_section *c,
+ krb5_boolean def_value,
+ ...)
{
va_list ap;
krb5_boolean ret;
va_start(ap, def_value);
- ret = krb5_config_vget_bool_default(context, c, def_value, ap);
+ ret = heim_config_vget_bool_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, ap);
va_end(ap);
return ret;
}
@@ -1147,20 +584,14 @@ krb5_config_get_bool (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- va_list args)
+krb5_config_vget_time_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ va_list args)
{
- const char *str;
- krb5_deltat t;
-
- str = krb5_config_vget_string (context, c, args);
- if(str == NULL)
- return def_value;
- if (krb5_string_to_deltat(str, &t))
- return def_value;
- return t;
+ return heim_config_vget_time_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
/**
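Review bot: The removed krb5_config_vget_time_default body parsed the value with krb5_string_to_deltat and returned `def_value` on any parse failure; heim_config_vget_time_default presumably accepts the same duration grammar (`5m`, `1d`, bare seconds), but if it does not, settings such as clockskew or ticket_lifetime would silently revert to their defaults instead of failing visibly. The return type remains `int` while krb5_deltat is wider, so the truncation that existed before still applies. A one-line comment pinning the contract the wrapper now relies on, `/* Parsed as a krb5 deltat string; unparsable input yields def_value. */`, would help the next reader.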
@@ -1176,11 +607,13 @@ krb5_config_vget_time_default (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_time(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return krb5_config_vget_time_default (context, c, -1, args);
+ return heim_config_vget_time_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ -1, args);
}
/**
@@ -1198,15 +631,17 @@ krb5_config_vget_time (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- ...)
+krb5_config_get_time_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ ...)
{
va_list ap;
int ret;
va_start(ap, def_value);
- ret = krb5_config_vget_time_default(context, c, def_value, ap);
+ ret = heim_config_vget_time_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, ap);
va_end(ap);
return ret;
}
@@ -1224,78 +659,75 @@ krb5_config_get_time_default (krb5_context context,
*/
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_time(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
va_list ap;
int ret;
va_start(ap, c);
- ret = krb5_config_vget_time (context, c, ap);
+ ret = heim_config_vget_time(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ ap);
va_end(ap);
return ret;
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- va_list args)
+krb5_config_vget_int_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ va_list args)
{
- const char *str;
- str = krb5_config_vget_string (context, c, args);
- if(str == NULL)
- return def_value;
- else {
- char *endptr;
- long l;
- l = strtol(str, &endptr, 0);
- if (endptr == str)
- return def_value;
- else
- return l;
- }
+ return heim_config_vget_int_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, args);
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int (krb5_context context,
- const krb5_config_section *c,
- va_list args)
+krb5_config_vget_int(krb5_context context,
+ const krb5_config_section *c,
+ va_list args)
{
- return krb5_config_vget_int_default (context, c, -1, args);
+ return heim_config_vget_int_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ -1, args);
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int_default (krb5_context context,
- const krb5_config_section *c,
- int def_value,
- ...)
+krb5_config_get_int_default(krb5_context context,
+ const krb5_config_section *c,
+ int def_value,
+ ...)
{
va_list ap;
int ret;
va_start(ap, def_value);
- ret = krb5_config_vget_int_default(context, c, def_value, ap);
+ ret = heim_config_vget_int_default(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ def_value, ap);
va_end(ap);
return ret;
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int (krb5_context context,
- const krb5_config_section *c,
- ...)
+krb5_config_get_int(krb5_context context,
+ const krb5_config_section *c,
+ ...)
{
va_list ap;
int ret;
va_start(ap, c);
- ret = krb5_config_vget_int (context, c, ap);
+ ret = heim_config_vget_int(context->hcontext,
+ (const heim_config_section *)(c ? c : context->cf),
+ ap);
va_end(ap);
return ret;
}
#ifndef HEIMDAL_SMALLER
-
/**
* Deprecated: configuration files are not strings
*
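Review bot: The removed krb5_config_vget_int_default body parsed with `strtol(str, &endptr, 0)`, so base-0 forms like `0x10` and `010` were accepted, trailing characters were ignored, and the `long` was truncated to `int` with no ERANGE check; heim_config_vget_int_default now defines all of that and the hunk does not show whether it matches. If the heim parser is stricter, existing krb5.conf integers in hex or octal would silently become `def_value`, which is the kind of change that should be confirmed by a test rather than assumed. A comment stating the expected grammar, `/* Parsed as strtol(..., 0): decimal, 0x hex or leading-0 octal; unparsable input yields def_value. */`, pins the contract either way.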
@@ -1308,20 +740,19 @@ krb5_config_parse_string_multi(krb5_context context,
krb5_config_section **res)
KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- const char *str;
- unsigned lineno = 0;
krb5_error_code ret;
- struct fileptr f;
- f.f = NULL;
- f.s = string;
-
- ret = krb5_config_parse_debug (&f, res, &lineno, &str);
- if (ret) {
- krb5_set_error_message (context, ret, "%s:%u: %s",
- "<constant>", lineno, str);
+ heim_config_section *section = NULL;
+
+ if (res == NULL)
+ return EINVAL;
+
+ *res = NULL;
+ ret = heim_config_parse_string_multi(context->hcontext, string, &section);
+ if (ret == HEIM_ERR_CONFIG_BADFORMAT)
+ return KRB5_CONFIG_BADFORMAT;
+ if (ret)
return ret;
- }
+ *res = (krb5_config_section *)section;
return 0;
}
-
#endif
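Review bot: This deprecated krb5_config_parse_string_multi now sets `*res = NULL` and parses into a fresh local `section`, so like its file-based sibling it no longer appends to a caller-supplied result despite its `_multi` name; if heim_config_parse_string_multi appends, pass `(heim_config_section **)res` through instead of the local and drop the `*res = NULL;`, otherwise document the changed semantics. The previous `"%s:%u: %s"` message with the failing line number is also no longer set on the krb5_context on a parse failure, which makes a KRB5_CONFIG_BADFORMAT return harder to diagnose unless the heim context shares error state. The function's signature begins above the hunk.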
diff --git a/lib/krb5/config_reg.c b/lib/krb5/config_reg.c
deleted file mode 100644
index 6ee6a6496f4b..000000000000
--- a/lib/krb5/config_reg.c
+++ /dev/null
@@ -1,649 +0,0 @@
-/***********************************************************************
- * Copyright (c) 2010, Secure Endpoints Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * - Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * - Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- **********************************************************************/
-
-#include "krb5_locl.h"
-
-#ifndef _WIN32
-#error config_reg.c is only for Windows
-#endif
-
-#include <shlwapi.h>
-
-#ifndef MAX_DWORD
-#define MAX_DWORD 0xFFFFFFFF
-#endif
-
-#define REGPATH_KERBEROS "SOFTWARE\\Kerberos"
-#define REGPATH_HEIMDAL "SOFTWARE\\Heimdal"
-
-/**
- * Store a string as a registry value of the specified type
- *
- * The following registry types are handled:
- *
- * - REG_DWORD: The string is converted to a number.
- *
- * - REG_SZ: The string is stored as is.
- *
- * - REG_EXPAND_SZ: The string is stored as is.
- *
- * - REG_MULTI_SZ:
- *
- * . If a separator is specified, the input string is broken
- * up into multiple strings and stored as a multi-sz.
- *
- * . If no separator is provided, the input string is stored
- * as a multi-sz.
- *
- * - REG_NONE:
- *
- * . If the string is all numeric, it will be stored as a
- * REG_DWORD.
- *
- * . Otherwise, the string is stored as a REG_SZ.
- *
- * Other types are rejected.
- *
- * If cb_data is MAX_DWORD, the string pointed to by data must be nul-terminated
- * otherwise a buffer overrun will occur.
- *
- * @param [in]valuename Name of the registry value to be modified or created
- * @param [in]type Type of the value. REG_NONE if unknown
- * @param [in]data The input string to be stored in the registry.
- * @param [in]cb_data Size of the input string in bytes. MAX_DWORD if unknown.
- * @param [in]separator Separator character for parsing strings.
- *
- * @retval 0 if success or non-zero on error.
- * If non-zero is returned, an error message has been set using
- * krb5_set_error_message().
- *
- */
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_store_string_to_reg_value(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, const char *data, DWORD cb_data,
- const char * separator)
-{
- LONG rcode;
- DWORD dwData;
- BYTE static_buffer[16384];
- BYTE *pbuffer = &static_buffer[0];
-
- if (data == NULL)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "'data' must not be NULL");
- return -1;
- }
-
- if (cb_data == MAX_DWORD)
- {
- cb_data = (DWORD)strlen(data) + 1;
- }
- else if ((type == REG_MULTI_SZ && cb_data >= sizeof(static_buffer) - 1) ||
- cb_data >= sizeof(static_buffer))
- {
- if (context)
- krb5_set_error_message(context, 0, "cb_data too big");
- return -1;
- }
- else if (data[cb_data-1] != '\0')
- {
- memcpy(static_buffer, data, cb_data);
- static_buffer[cb_data++] = '\0';
- if (type == REG_MULTI_SZ)
- static_buffer[cb_data++] = '\0';
- data = static_buffer;
- }
-
- if (type == REG_NONE)
- {
- /*
- * If input is all numeric, convert to DWORD and save as REG_DWORD.
- * Otherwise, store as REG_SZ.
- */
- if ( StrToIntExA( data, STIF_SUPPORT_HEX, &dwData) )
- {
- type = REG_DWORD;
- } else {
- type = REG_SZ;
- }
- }
-
- switch (type) {
- case REG_SZ:
- case REG_EXPAND_SZ:
- rcode = RegSetValueEx(key, valuename, 0, type, data, cb_data);
- if (rcode)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when setting registry value %s gle 0x%x",
- valuename,
- GetLastError());
- return -1;
- }
- break;
- case REG_MULTI_SZ:
- if (separator && *separator)
- {
- char *cp;
-
- if (data != static_buffer)
- static_buffer[cb_data++] = '\0';
-
- for ( cp = static_buffer; cp < static_buffer+cb_data; cp++)
- {
- if (*cp == *separator)
- *cp = '\0';
- }
-
- rcode = RegSetValueEx(key, valuename, 0, type, data, cb_data);
- if (rcode)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when setting registry value %s gle 0x%x",
- valuename,
- GetLastError());
- return -1;
- }
- }
- break;
- case REG_DWORD:
- if ( !StrToIntExA( data, STIF_SUPPORT_HEX, &dwData) )
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when parsing %s as number gle 0x%x",
- data,
- GetLastError());
- }
-
- rcode = RegSetValueEx(key, valuename, 0, type, (BYTE *)&dwData, sizeof(DWORD));
- if (rcode)
- {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error when setting registry value %s gle 0x%x",
- valuename,
- GetLastError());
- return -1;
- }
- break;
- default:
- return -1;
- }
-
- return 0;
-}
-
-/**
- * Parse a registry value as a string
- *
- * @see _krb5_parse_reg_value_as_multi_string()
- */
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_parse_reg_value_as_string(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, DWORD cb_data)
-{
- return _krb5_parse_reg_value_as_multi_string(context, key, valuename,
- type, cb_data, " ");
-}
-
-/**
- * Parse a registry value as a multi string
- *
- * The following registry value types are handled:
- *
- * - REG_DWORD: The decimal string representation is used as the
- * value.
- *
- * - REG_SZ: The string is used as-is.
- *
- * - REG_EXPAND_SZ: Environment variables in the string are expanded
- * and the result is used as the value.
- *
- * - REG_MULTI_SZ: The list of strings is concatenated using the
- * separator. No quoting is performed.
- *
- * Any other value type is rejected.
- *
- * @param [in]valuename Name of the registry value to be queried
- * @param [in]type Type of the value. REG_NONE if unknown
- * @param [in]cbdata Size of value. 0 if unknown.
- * @param [in]separator Separator character for concatenating strings.
- *
- * @a type and @a cbdata are only considered valid if both are
- * specified.
- *
- * @retval The registry value string, or NULL if there was an error.
- * If NULL is returned, an error message has been set using
- * krb5_set_error_message().
- */
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_parse_reg_value_as_multi_string(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, DWORD cb_data, char *separator)
-{
- LONG rcode = ERROR_MORE_DATA;
-
- BYTE static_buffer[16384];
- BYTE *pbuffer = &static_buffer[0];
- DWORD cb_alloc = sizeof(static_buffer);
- char *ret_string = NULL;
-
- /* If we know a type and cb_data from a previous call to
- * RegEnumValue(), we use it. Otherwise we use the
- * static_buffer[] and query directly. We do this to minimize the
- * number of queries. */
-
- if (type == REG_NONE || cb_data == 0) {
-
- pbuffer = &static_buffer[0];
- cb_alloc = cb_data = sizeof(static_buffer);
- rcode = RegQueryValueExA(key, valuename, NULL, &type, pbuffer, &cb_data);
-
- if (rcode == ERROR_SUCCESS &&
-
- ((type != REG_SZ &&
- type != REG_EXPAND_SZ) || cb_data + 1 <= sizeof(static_buffer)) &&
-
- (type != REG_MULTI_SZ || cb_data + 2 <= sizeof(static_buffer)))
- goto have_data;
-
- if (rcode != ERROR_MORE_DATA && rcode != ERROR_SUCCESS)
- return NULL;
- }
-
- /* Either we don't have the data or we aren't sure of the size
- * (due to potentially missing terminating NULs). */
-
- switch (type) {
- case REG_DWORD:
- if (cb_data != sizeof(DWORD)) {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected size while reading registry value %s",
- valuename);
- return NULL;
- }
- break;
-
- case REG_SZ:
- case REG_EXPAND_SZ:
-
- if (rcode == ERROR_SUCCESS && cb_data > 0 && pbuffer[cb_data - 1] == '\0')
- goto have_data;
-
- cb_data += sizeof(char); /* Accout for potential missing NUL
- * terminator. */
- break;
-
- case REG_MULTI_SZ:
-
- if (rcode == ERROR_SUCCESS && cb_data > 0 && pbuffer[cb_data - 1] == '\0' &&
- (cb_data == 1 || pbuffer[cb_data - 2] == '\0'))
- goto have_data;
-
- cb_data += sizeof(char) * 2; /* Potential missing double NUL
- * terminator. */
- break;
-
- default:
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected type while reading registry value %s",
- valuename);
- return NULL;
- }
-
- if (cb_data <= sizeof(static_buffer))
- pbuffer = &static_buffer[0];
- else {
- pbuffer = malloc(cb_data);
- if (pbuffer == NULL)
- return NULL;
- }
-
- cb_alloc = cb_data;
- rcode = RegQueryValueExA(key, valuename, NULL, NULL, pbuffer, &cb_data);
-
- if (rcode != ERROR_SUCCESS) {
-
- /* This can potentially be from a race condition. I.e. some
- * other process or thread went and modified the registry
- * value between the time we queried its size and queried for
- * its value. Ideally we would retry the query in a loop. */
-
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected error while reading registry value %s",
- valuename);
- goto done;
- }
-
- if (cb_data > cb_alloc || cb_data == 0) {
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected size while reading registry value %s",
- valuename);
- goto done;
- }
-
-have_data:
- switch (type) {
- case REG_DWORD:
- asprintf(&ret_string, "%d", *((DWORD *) pbuffer));
- break;
-
- case REG_SZ:
- {
- char * str = (char *) pbuffer;
-
- if (str[cb_data - 1] != '\0') {
- if (cb_data < cb_alloc)
- str[cb_data] = '\0';
- else
- break;
- }
-
- if (pbuffer != static_buffer) {
- ret_string = (char *) pbuffer;
- pbuffer = NULL;
- } else {
- ret_string = strdup((char *) pbuffer);
- }
- }
- break;
-
- case REG_EXPAND_SZ:
- {
- char *str = (char *) pbuffer;
- char expsz[32768]; /* Size of output buffer for
- * ExpandEnvironmentStrings() is
- * limited to 32K. */
-
- if (str[cb_data - 1] != '\0') {
- if (cb_data < cb_alloc)
- str[cb_data] = '\0';
- else
- break;
- }
-
- if (ExpandEnvironmentStrings(str, expsz, sizeof(expsz)/sizeof(char)) != 0) {
- ret_string = strdup(expsz);
- } else {
- if (context)
- krb5_set_error_message(context, 0,
- "Overflow while expanding environment strings "
- "for registry value %s", valuename);
- }
- }
- break;
-
- case REG_MULTI_SZ:
- {
- char * str = (char *) pbuffer;
- char * iter;
-
- str[cb_alloc - 1] = '\0';
- str[cb_alloc - 2] = '\0';
-
- for (iter = str; *iter;) {
- size_t len = strlen(iter);
-
- iter += len;
- if (iter[1] != '\0')
- *iter++ = *separator;
- else
- break;
- }
-
- if (pbuffer != static_buffer) {
- ret_string = str;
- pbuffer = NULL;
- } else {
- ret_string = strdup(str);
- }
- }
- break;
-
- default:
- if (context)
- krb5_set_error_message(context, 0,
- "Unexpected type while reading registry value %s",
- valuename);
- }
-
-done:
- if (pbuffer != static_buffer && pbuffer != NULL)
- free(pbuffer);
-
- return ret_string;
-}
-
-/**
- * Parse a registry value as a configuration value
- *
- * @see parse_reg_value_as_string()
- */
-static krb5_error_code
-parse_reg_value(krb5_context context,
- HKEY key, const char * valuename,
- DWORD type, DWORD cbdata, krb5_config_section ** parent)
-{
- char *reg_string = NULL;
- krb5_config_section *value;
- krb5_error_code code = 0;
-
- reg_string = _krb5_parse_reg_value_as_string(context, key, valuename, type, cbdata);
-
- if (reg_string == NULL)
- return KRB5_CONFIG_BADFORMAT;
-
- value = _krb5_config_get_entry(parent, valuename, krb5_config_string);
- if (value == NULL) {
- code = ENOMEM;
- goto done;
- }
-
- if (value->u.string != NULL)
- free(value->u.string);
-
- value->u.string = reg_string;
- reg_string = NULL;
-
-done:
- if (reg_string != NULL)
- free(reg_string);
-
- return code;
-}
-
-static krb5_error_code
-parse_reg_values(krb5_context context,
- HKEY key,
- krb5_config_section ** parent)
-{
- DWORD index;
- LONG rcode;
-
- for (index = 0; ; index ++) {
- char name[16385];
- DWORD cch = sizeof(name)/sizeof(name[0]);
- DWORD type;
- DWORD cbdata = 0;
- krb5_error_code code;
-
- rcode = RegEnumValue(key, index, name, &cch, NULL,
- &type, NULL, &cbdata);
- if (rcode != ERROR_SUCCESS)
- break;
-
- if (cbdata == 0)
- continue;
-
- code = parse_reg_value(context, key, name, type, cbdata, parent);
- if (code != 0)
- return code;
- }
-
- return 0;
-}
-
-static krb5_error_code
-parse_reg_subkeys(krb5_context context,
- HKEY key,
- krb5_config_section ** parent)
-{
- DWORD index;
- LONG rcode;
-
- for (index = 0; ; index ++) {
- HKEY subkey = NULL;
- char name[256];
- DWORD cch = sizeof(name)/sizeof(name[0]);
- krb5_config_section *section = NULL;
- krb5_error_code code;
-
- rcode = RegEnumKeyEx(key, index, name, &cch, NULL, NULL, NULL, NULL);
- if (rcode != ERROR_SUCCESS)
- break;
-
- rcode = RegOpenKeyEx(key, name, 0, KEY_READ, &subkey);
- if (rcode != ERROR_SUCCESS)
- continue;
-
- section = _krb5_config_get_entry(parent, name, krb5_config_list);
- if (section == NULL) {
- RegCloseKey(subkey);
- return ENOMEM;
- }
-
- code = parse_reg_values(context, subkey, &section->u.list);
- if (code) {
- RegCloseKey(subkey);
- return code;
- }
-
- code = parse_reg_subkeys(context, subkey, &section->u.list);
- if (code) {
- RegCloseKey(subkey);
- return code;
- }
-
- RegCloseKey(subkey);
- }
-
- return 0;
-}
-
-static krb5_error_code
-parse_reg_root(krb5_context context,
- HKEY key,
- krb5_config_section ** parent)
-{
- krb5_config_section *libdefaults = NULL;
- krb5_error_code code = 0;
-
- libdefaults = _krb5_config_get_entry(parent, "libdefaults", krb5_config_list);
- if (libdefaults == NULL)
- return krb5_enomem(context);
-
- code = parse_reg_values(context, key, &libdefaults->u.list);
- if (code)
- return code;
-
- return parse_reg_subkeys(context, key, parent);
-}
-
-static krb5_error_code
-load_config_from_regpath(krb5_context context,
- HKEY hk_root,
- const char* key_path,
- krb5_config_section ** res)
-{
- HKEY key = NULL;
- LONG rcode;
- krb5_error_code code = 0;
-
- rcode = RegOpenKeyEx(hk_root, key_path, 0, KEY_READ, &key);
- if (rcode == ERROR_SUCCESS) {
- code = parse_reg_root(context, key, res);
- RegCloseKey(key);
- key = NULL;
- }
-
- return code;
-}
-
-/**
- * Load configuration from registry
- *
- * The registry keys 'HKCU\Software\Heimdal' and
- * 'HKLM\Software\Heimdal' are treated as krb5.conf files. Each
- * registry key corresponds to a configuration section (or bound list)
- * and each value in a registry key is treated as a bound value. The
- * set of values that are directly under the Heimdal key are treated
- * as if they were defined in the [libdefaults] section.
- *
- * @see parse_reg_value() for details about how each type of value is handled.
- */
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_load_config_from_registry(krb5_context context,
- krb5_config_section ** res)
-{
- krb5_error_code code;
-
- code = load_config_from_regpath(context, HKEY_LOCAL_MACHINE,
- REGPATH_KERBEROS, res);
- if (code)
- return code;
-
- code = load_config_from_regpath(context, HKEY_LOCAL_MACHINE,
- REGPATH_HEIMDAL, res);
- if (code)
- return code;
-
- code = load_config_from_regpath(context, HKEY_CURRENT_USER,
- REGPATH_KERBEROS, res);
- if (code)
- return code;
-
- code = load_config_from_regpath(context, HKEY_CURRENT_USER,
- REGPATH_HEIMDAL, res);
- if (code)
- return code;
- return 0;
-}
diff --git a/lib/krb5/constants.c b/lib/krb5/constants.c
index 87147c22bcb7..43b8f54eb165 100644
--- a/lib/krb5/constants.c
+++ b/lib/krb5/constants.c
@@ -35,7 +35,7 @@
#include "krb5_locl.h"
-KRB5_LIB_VARIABLE const char *krb5_config_file =
+KRB5_LIB_VARIABLE const char *const krb5_config_file =
#ifdef KRB5_DEFAULT_CONFIG_FILE
KRB5_DEFAULT_CONFIG_FILE
#else
@@ -56,11 +56,12 @@ SYSCONFDIR "/krb5.conf" PATH_SEP
#endif /* KRB5_DEFAULT_CONFIG_FILE */
;
-KRB5_LIB_VARIABLE const char *krb5_defkeyname = KEYTAB_DEFAULT;
+KRB5_LIB_VARIABLE const char *const krb5_defkeyname = KEYTAB_DEFAULT;
-KRB5_LIB_VARIABLE const char *krb5_cc_type_api = "API";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_file = "FILE";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_memory = "MEMORY";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm = "KCM";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_scc = "SCC";
-KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc = "DIR";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_api = "API";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_file = "FILE";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory = "MEMORY";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm = "KCM";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc = "SCC";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc = "DIR";
+KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring = "KEYRING";
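Review bot: The `const` added to the pointer itself on these exported definitions (`krb5_config_file`, `krb5_defkeyname` and the seven `krb5_cc_type_*` lines) must be mirrored by the `extern` declarations in the public header, which this diff does not show; a definition whose type differs from its declaration is a conflicting-types error. It also turns any out-of-tree assignment to these symbols into a compile error, which is worth a line in the release notes even though the ABI is unchanged. If the header already declares them `const char *const`, nothing further is needed.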
diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index 58ed4761056f..19548d4130db 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -33,10 +33,15 @@
* SUCH DAMAGE.
*/
+#undef KRB5_DEPRECATED_FUNCTION
+#define KRB5_DEPRECATED_FUNCTION(x)
+
#include "krb5_locl.h"
#include <assert.h>
#include <com_err.h>
+static void _krb5_init_ets(krb5_context);
+
#define INIT_FIELD(C, T, E, D, F) \
(C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \
"libdefaults", F, NULL)
@@ -179,7 +184,8 @@ init_context_from_config_file(krb5_context context)
INIT_FIELD(context, bool, log_utc,
FALSE, "log_utc");
-
+ context->no_ticket_store =
+ getenv("KRB5_NO_TICKET_STORE") != NULL;
/* init dns-proxy slime */
tmp = krb5_config_get_string(context, NULL, "libdefaults",
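Review bot: `context->no_ticket_store = getenv("KRB5_NO_TICKET_STORE") != NULL;` reads the environment with plain `getenv`, while the other environment lookups this commit adds to the same function (`KRB5_TRACE` and `KRB5_CHECK_RD_REQ_SERVER` in the next hunk) use `secure_getenv`, which ignores the variable in set-user-ID processes. If a privileged program is not meant to have its ticket-store behaviour steered by the invoking user's environment, `context->no_ticket_store = secure_getenv("KRB5_NO_TICKET_STORE") != NULL;` keeps the three lookups consistent; if plain `getenv` is deliberate, a short comment saying why would stop the next reader "fixing" it. `init_context_from_config_file` starts and ends outside this hunk.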
@@ -233,29 +239,35 @@ init_context_from_config_file(krb5_context context)
INIT_FIELD(context, int, max_msg_size, 1000 * 1024, "maximum_message_size");
INIT_FLAG(context, flags, KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME, TRUE, "dns_canonicalize_hostname");
INIT_FLAG(context, flags, KRB5_CTX_F_CHECK_PAC, TRUE, "check_pac");
+ INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
+ INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
- if (context->default_cc_name)
- free(context->default_cc_name);
+ /* report_canonical_client_name implies check_pac */
+ if (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
+ context->flags |= KRB5_CTX_F_CHECK_PAC;
+
+ free(context->default_cc_name);
context->default_cc_name = NULL;
context->default_cc_name_set = 0;
+ free(context->configured_default_cc_name);
+ context->configured_default_cc_name = NULL;
+ tmp = secure_getenv("KRB5_TRACE");
+ if (tmp)
+ heim_add_debug_dest(context->hcontext, "libkrb5", tmp);
s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
- if(s) {
+ if (s) {
char **p;
- if (context->debug_dest)
- krb5_closelog(context, context->debug_dest);
-
- krb5_initlog(context, "libkrb5", &context->debug_dest);
- for(p = s; *p; p++)
- krb5_addlog_dest(context, context->debug_dest, *p);
- krb5_config_free_strings(s);
+ for (p = s; *p; p++)
+ heim_add_debug_dest(context->hcontext, "libkrb5", *p);
+ krb5_config_free_strings(s);
}
tmp = krb5_config_get_string(context, NULL, "libdefaults",
"check-rd-req-server", NULL);
- if (tmp == NULL && !issuid())
- tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
+ if (tmp == NULL)
+ tmp = secure_getenv("KRB5_CHECK_RD_REQ_SERVER");
if(tmp) {
if (strcasecmp(tmp, "ignore") == 0)
context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
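Review bot: The debug destinations taken from `KRB5_TRACE` and from `[logging] krb5` are now registered with `heim_add_debug_dest` without closing what was registered before, whereas the removed code called `krb5_closelog` before re-initialising. `init_context_from_config_file` is also invoked from `krb5_set_config_files`, `krb5_set_config` and `krb5_copy_context` in later hunks, so every re-read of the configuration presumably appends another copy of each destination unless `heim_add_debug_dest` deduplicates; worth confirming, or resetting the destinations at the top of this function. The `report_canonical_client_name implies check_pac` comment is helpful; the `enforce_ok_as_delegate` flag introduced on the line above would benefit from a similar one-line note. The enclosing function starts and ends outside this hunk.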
@@ -290,6 +302,9 @@ cc_ops_register(krb5_context context)
#endif
krb5_cc_register(context, &krb5_kcm_ops, TRUE);
#endif
+#if defined(HAVE_KEYUTILS_H)
+ krb5_cc_register(context, &krb5_krcc_ops, TRUE);
+#endif
_krb5_load_ccache_plugins(context);
return 0;
}
@@ -357,7 +372,7 @@ kt_ops_copy(krb5_context context, const krb5_context src_context)
return 0;
}
-static const char *sysplugin_dirs[] = {
+static const char *const sysplugin_dirs[] = {
#ifdef _WIN32
"$ORIGIN",
#else
@@ -396,7 +411,6 @@ init_context_once(void *ctx)
bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
}
-
/**
* Initializes the context structure and reads the configuration file
* /etc/krb5.conf. The structure should be freed by calling
@@ -441,9 +455,13 @@ krb5_init_context(krb5_context *context)
if(!p)
return ENOMEM;
- HEIMDAL_MUTEX_init(&p->mutex);
+ if ((p->hcontext = heim_context_init()) == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
- p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
+ if (!issuid())
+ p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
ret = krb5_get_default_config_files(&files);
if(ret)
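Review bot: The new early failure `if ((p->hcontext = heim_context_init()) == NULL) { ret = ENOMEM; goto out; }` hands a context with nothing else initialised to `krb5_free_context(p)` at the `out:` label two hunks below. That is only safe if `p` is zero-allocated (the allocation is above this hunk) and every cleanup in `krb5_free_context` tolerates a NULL member — in particular `heim_context_free(&context->hcontext)` and, under PKINIT, `hx509_context_free(&context->hx509ctx)`, whose NULL guard this same commit removes. Gating `KRB5_CTX_F_HOMEDIR_ACCESS` on `!issuid()` is the right default; a comment such as `/* set-user-ID programs must not touch the invoking user's home directory by default */` would make the intent visible to readers of the flag.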
@@ -457,7 +475,7 @@ krb5_init_context(krb5_context *context)
heim_base_once_f(&init_context, p, init_context_once);
/* init error tables */
- krb5_init_ets(p);
+ _krb5_init_ets(p);
cc_ops_register(p);
kt_ops_register(p);
@@ -470,9 +488,11 @@ krb5_init_context(krb5_context *context)
p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
out:
- if(ret) {
+ if (ret) {
krb5_free_context(p);
p = NULL;
+ } else {
+ heim_context_set_log_utc(p->hcontext, p->log_utc);
}
*context = p;
return ret;
@@ -525,7 +545,7 @@ copy_etypes (krb5_context context,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_context(krb5_context context, krb5_context *out)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
krb5_context p;
*out = NULL;
@@ -534,70 +554,80 @@ krb5_copy_context(krb5_context context, krb5_context *out)
if (p == NULL)
return krb5_enomem(context);
- HEIMDAL_MUTEX_init(&p->mutex);
-
- if (context->default_cc_name)
- p->default_cc_name = strdup(context->default_cc_name);
- if (context->default_cc_name_env)
- p->default_cc_name_env = strdup(context->default_cc_name_env);
+ p->cc_ops = NULL;
+ p->etypes = NULL;
+ p->kt_types = NULL;
+ p->cfg_etypes = NULL;
+ p->etypes_des = NULL;
+ p->default_realms = NULL;
+ p->extra_addresses = NULL;
+ p->ignore_addresses = NULL;
+
+ if ((p->hcontext = heim_context_init()) == NULL)
+ ret = ENOMEM;
+
+ if (ret == 0) {
+ heim_context_set_log_utc(p->hcontext, context->log_utc);
+ ret = _krb5_config_copy(context, context->cf, &p->cf);
+ }
+ if (ret == 0)
+ ret = init_context_from_config_file(p);
+ if (ret == 0 && context->default_cc_name) {
+ free(p->default_cc_name);
+ if ((p->default_cc_name = strdup(context->default_cc_name)) == NULL)
+ ret = ENOMEM;
+ }
+ if (ret == 0 && context->default_cc_name_env) {
+ free(p->default_cc_name_env);
+ if ((p->default_cc_name_env =
+ strdup(context->default_cc_name_env)) == NULL)
+ ret = ENOMEM;
+ }
+ if (ret == 0 && context->configured_default_cc_name) {
+ free(p->configured_default_cc_name);
+ if ((p->configured_default_cc_name =
+ strdup(context->configured_default_cc_name)) == NULL)
+ ret = ENOMEM;
+ }
- if (context->etypes) {
+ if (ret == 0 && context->etypes) {
+ free(p->etypes);
ret = copy_etypes(context, context->etypes, &p->etypes);
- if (ret)
- goto out;
}
- if (context->cfg_etypes) {
+ if (ret == 0 && context->cfg_etypes) {
+ free(p->cfg_etypes);
ret = copy_etypes(context, context->cfg_etypes, &p->cfg_etypes);
- if (ret)
- goto out;
}
- if (context->etypes_des) {
+ if (ret == 0 && context->etypes_des) {
+ free(p->etypes_des);
ret = copy_etypes(context, context->etypes_des, &p->etypes_des);
- if (ret)
- goto out;
}
- if (context->default_realms) {
+ if (ret == 0 && context->default_realms) {
+ krb5_free_host_realm(context, p->default_realms);
ret = krb5_copy_host_realm(context,
context->default_realms, &p->default_realms);
- if (ret)
- goto out;
}
- ret = _krb5_config_copy(context, context->cf, &p->cf);
- if (ret)
- goto out;
-
/* XXX should copy */
- krb5_init_ets(p);
-
- cc_ops_copy(p, context);
- kt_ops_copy(p, context);
-
-#if 0 /* XXX */
- if(context->warn_dest != NULL)
- ;
- if(context->debug_dest != NULL)
- ;
-#endif
-
- ret = krb5_set_extra_addresses(p, context->extra_addresses);
- if (ret)
- goto out;
- ret = krb5_set_extra_addresses(p, context->ignore_addresses);
- if (ret)
- goto out;
-
- ret = _krb5_copy_send_to_kdc_func(p, context);
- if (ret)
- goto out;
-
- *out = p;
-
- return 0;
-
- out:
- krb5_free_context(p);
+ if (ret == 0)
+ _krb5_init_ets(p);
+
+ if (ret == 0)
+ ret = cc_ops_copy(p, context);
+ if (ret == 0)
+ ret = kt_ops_copy(p, context);
+ if (ret == 0)
+ ret = krb5_set_extra_addresses(p, context->extra_addresses);
+ if (ret == 0)
+ ret = krb5_set_extra_addresses(p, context->ignore_addresses);
+ if (ret == 0)
+ ret = _krb5_copy_send_to_kdc_func(p, context);
+
+ if (ret == 0)
+ *out = p;
+ else
+ krb5_free_context(p);
return ret;
}
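Review bot: The eight explicit NULL assignments at the top (`p->cc_ops = NULL;` through `p->ignore_addresses = NULL;`) only matter if `p` is a shallow copy of `*context`, and in that case they are incomplete: `init_context_from_config_file(p)` frees `p->default_cc_name` and `p->configured_default_cc_name`, and `krb5_free_context(p)` on the error path frees `name_canon_rules`, `permitted_enctypes`, `tgs_etypes`, `as_etypes` and `hx509ctx`, none of which are reset here, so the source context's allocations would be released through the copy. If `p` is instead zero-allocated (the allocation sits just above this hunk), the assignments are redundant and a one-line comment saying so would stop the next reader from worrying about aliasing. Either way, `free(p->default_cc_name)` after `init_context_from_config_file(p)` has already freed and nulled it is dead code and could go.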
@@ -615,37 +645,33 @@ KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_context(krb5_context context)
{
_krb5_free_name_canon_rules(context, context->name_canon_rules);
- if (context->default_cc_name)
- free(context->default_cc_name);
- if (context->default_cc_name_env)
- free(context->default_cc_name_env);
+ free(context->default_cc_name);
+ free(context->default_cc_name_env);
+ free(context->configured_default_cc_name);
free(context->etypes);
free(context->cfg_etypes);
free(context->etypes_des);
+ free(context->permitted_enctypes);
+ free(context->tgs_etypes);
+ free(context->as_etypes);
krb5_free_host_realm (context, context->default_realms);
krb5_config_file_free (context, context->cf);
- free_error_table (context->et_list);
free(rk_UNCONST(context->cc_ops));
free(context->kt_types);
krb5_clear_error_message(context);
- if(context->warn_dest != NULL)
- krb5_closelog(context, context->warn_dest);
- if(context->debug_dest != NULL)
- krb5_closelog(context, context->debug_dest);
krb5_set_extra_addresses(context, NULL);
krb5_set_ignore_addresses(context, NULL);
krb5_set_send_to_kdc_func(context, NULL, NULL);
#ifdef PKINIT
- if (context->hx509ctx)
- hx509_context_free(&context->hx509ctx);
+ hx509_context_free(&context->hx509ctx);
#endif
- HEIMDAL_MUTEX_destroy(&context->mutex);
if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
rk_SOCK_EXIT();
}
+ heim_context_free(&context->hcontext);
memset(context, 0, sizeof(*context));
free(context);
}
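Review bot: `hx509_context_free(&context->hx509ctx)` and `heim_context_free(&context->hcontext)` are now called unconditionally, so both must accept a NULL handle: `krb5_init_context` reaches this function with `hcontext == NULL` when `heim_context_init` fails, and `hx509ctx` may never have been set up. If either does not tolerate NULL this is a crash on the out-of-memory path; a comment such as `/* both free routines are NULL-safe */` next to the calls documents the contract being relied on. The ordering is otherwise sound: the error message is cleared before the heim context that presumably owns it is freed, and the final `memset` makes a use-after-free of the context fail loudly.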
@@ -666,58 +692,51 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_config_files(krb5_context context, char **filenames)
{
krb5_error_code ret;
+ heim_config_binding *tmp = NULL;
+
+ if ((ret = heim_set_config_files(context->hcontext, filenames,
+ &tmp)))
+ return ret;
+ krb5_config_file_free(context, context->cf);
+ context->cf = (krb5_config_binding *)tmp;
+ return init_context_from_config_file(context);
+}
+
+#ifndef HEIMDAL_SMALLER
+/**
+ * Reinit the context from configuration file contents in a C string.
+ * This should only be used in tests.
+ *
+ * @param context context to add configuration too.
+ * @param config configuration.
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_config(krb5_context context, const char *config)
+{
+ krb5_error_code ret;
krb5_config_binding *tmp = NULL;
- while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
- ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
- if (ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM
- && ret != KRB5_CONFIG_BADFORMAT) {
- krb5_config_file_free(context, tmp);
- return ret;
- }
- filenames++;
- }
+
+ if ((ret = krb5_config_parse_string_multi(context, config, &tmp)))
+ return ret;
#if 0
/* with this enabled and if there are no config files, Kerberos is
considererd disabled */
- if(tmp == NULL)
+ if (tmp == NULL)
return ENXIO;
#endif
-#ifdef _WIN32
- _krb5_load_config_from_registry(context, &tmp);
-#endif
-
krb5_config_file_free(context, context->cf);
context->cf = tmp;
ret = init_context_from_config_file(context);
return ret;
}
-
-static krb5_error_code
-add_file(char ***pfilenames, int *len, char *file)
-{
- char **pp = *pfilenames;
- int i;
-
- for(i = 0; i < *len; i++) {
- if(strcmp(pp[i], file) == 0) {
- free(file);
- return 0;
- }
- }
-
- pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp));
- if (pp == NULL) {
- free(file);
- return ENOMEM;
- }
-
- pp[*len] = file;
- pp[*len + 1] = NULL;
- *pfilenames = pp;
- *len += 1;
- return 0;
-}
+#endif
/*
* `pq' isn't free, it's up the the caller
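Review bot: `context->cf = (krb5_config_binding *)tmp;` casts a `heim_config_binding *` to `krb5_config_binding *`, which is only sound if the two types are layout-compatible; a comment stating that `krb5_config_binding` is the same struct under another name, or a `_Static_assert` on the two sizes, would pin that down. The removed loop tolerated ENOENT, EACCES, EPERM and KRB5_CONFIG_BADFORMAT per file, and the `_WIN32` registry merge via `_krb5_load_config_from_registry` is gone from this path; both presumably now live inside `heim_set_config_files`, which is worth confirming, since otherwise a missing or unreadable krb5.conf becomes a hard failure of `krb5_set_config_files`. The new `krb5_set_config` is documented as test-only but exported with `KRB5_LIB_FUNCTION`; its doc comment should also say that it replaces, rather than merges with, the configuration currently held in the context.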
@@ -726,54 +745,7 @@ add_file(char ***pfilenames, int *len, char *file)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
{
- krb5_error_code ret;
- const char *p, *q;
- char **pp;
- int len;
- char *fn;
-
- pp = NULL;
-
- len = 0;
- p = filelist;
- while(1) {
- ssize_t l;
- q = p;
- l = strsep_copy(&q, PATH_SEP, NULL, 0);
- if(l == -1)
- break;
- fn = malloc(l + 1);
- if(fn == NULL) {
- krb5_free_config_files(pp);
- return ENOMEM;
- }
- (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
- ret = add_file(&pp, &len, fn);
- if (ret) {
- krb5_free_config_files(pp);
- return ret;
- }
- }
-
- if (pq != NULL) {
- int i;
-
- for (i = 0; pq[i] != NULL; i++) {
- fn = strdup(pq[i]);
- if (fn == NULL) {
- krb5_free_config_files(pp);
- return ENOMEM;
- }
- ret = add_file(&pp, &len, fn);
- if (ret) {
- krb5_free_config_files(pp);
- return ret;
- }
- }
- }
-
- *ret_pp = pp;
- return 0;
+ return heim_prepend_config_files(filelist, pq, ret_pp);
}
/**
@@ -791,61 +763,10 @@ krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
{
- krb5_error_code ret;
- char **defpp, **pp = NULL;
-
- ret = krb5_get_default_config_files(&defpp);
- if (ret)
- return ret;
-
- ret = krb5_prepend_config_files(filelist, defpp, &pp);
- krb5_free_config_files(defpp);
- if (ret) {
- return ret;
- }
- *pfilenames = pp;
- return 0;
-}
-
-#ifdef _WIN32
-
-/**
- * Checks the registry for configuration file location
- *
- * Kerberos for Windows and other legacy Kerberos applications expect
- * to find the configuration file location in the
- * SOFTWARE\MIT\Kerberos registry key under the value "config".
- */
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_get_default_config_config_files_from_registry()
-{
- static const char * KeyName = "Software\\MIT\\Kerberos";
- char *config_file = NULL;
- LONG rcode;
- HKEY key;
-
- rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
- if (rcode == ERROR_SUCCESS) {
- config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
- REG_NONE, 0, PATH_SEP);
- RegCloseKey(key);
- }
-
- if (config_file)
- return config_file;
-
- rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
- if (rcode == ERROR_SUCCESS) {
- config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
- REG_NONE, 0, PATH_SEP);
- RegCloseKey(key);
- }
-
- return config_file;
+ return heim_prepend_config_files_default(filelist, krb5_config_file,
+ "KRB5_CONFIG", pfilenames);
}
-#endif
-
/**
* Get the global configuration list.
*
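Review bot: `_krb5_get_default_config_config_files_from_registry` and its use in `krb5_get_default_config_files` (next hunk) are removed, so the `Software\MIT\Kerberos` `config` registry value no longer influences where krb5.conf is looked up unless `heim_prepend_config_files_default` and `heim_get_default_config_files` reimplement it. The removed code also applied `issuid()` before honouring `KRB5_CONFIG`; that guard now has to live in the heim implementations, and since a set-user-ID program reading an attacker-chosen configuration file is the classic failure here, it is worth confirming rather than assuming. If the registry lookup is intentionally dropped, a sentence in the doc comment above each function would tell Windows users why a previously honoured setting stopped working.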
@@ -860,32 +781,10 @@ _krb5_get_default_config_config_files_from_registry()
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_config_files(char ***pfilenames)
{
- const char *files = NULL;
-
if (pfilenames == NULL)
return EINVAL;
- if(!issuid())
- files = getenv("KRB5_CONFIG");
-
-#ifdef _WIN32
- if (files == NULL) {
- char * reg_files;
- reg_files = _krb5_get_default_config_config_files_from_registry();
- if (reg_files != NULL) {
- krb5_error_code code;
-
- code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
- free(reg_files);
-
- return code;
- }
- }
-#endif
-
- if (files == NULL)
- files = krb5_config_file;
-
- return krb5_prepend_config_files(files, NULL, pfilenames);
+ return heim_get_default_config_files(krb5_config_file, "KRB5_CONFIG",
+ pfilenames);
}
/**
@@ -903,10 +802,7 @@ krb5_get_default_config_files(char ***pfilenames)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_config_files(char **filenames)
{
- char **p;
- for(p = filenames; p && *p != NULL; p++)
- free(*p);
- free(filenames);
+ heim_free_config_files(filenames);
}
/**
@@ -1107,27 +1003,31 @@ krb5_get_default_in_tkt_etypes(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_init_ets(krb5_context context)
{
- if(context->et_list == NULL){
- krb5_add_et_list(context, initialize_krb5_error_table_r);
- krb5_add_et_list(context, initialize_asn1_error_table_r);
- krb5_add_et_list(context, initialize_heim_error_table_r);
+}
- krb5_add_et_list(context, initialize_k524_error_table_r);
+static void
+_krb5_init_ets(krb5_context context)
+{
+ heim_add_et_list(context->hcontext, initialize_krb5_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_asn1_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_heim_error_table_r);
+
+ heim_add_et_list(context->hcontext, initialize_k524_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_k5e1_error_table_r);
#ifdef COM_ERR_BINDDOMAIN_krb5
- bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
- bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
- bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
- bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
#endif
#ifdef PKINIT
- krb5_add_et_list(context, initialize_hx_error_table_r);
+ heim_add_et_list(context->hcontext, initialize_hx_error_table_r);
#ifdef COM_ERR_BINDDOMAIN_hx
- bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
+ bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
#endif
#endif
- }
}
/**
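Review bot: `krb5_init_ets` is now an empty public function, but its Doxygen comment above this hunk presumably still describes it as initialising the error tables; it should say the function is kept for ABI compatibility and that `krb5_init_context` now registers the tables internally, e.g. `/* Retained for ABI compatibility; the error tables are registered by krb5_init_context(). */`. In `_krb5_init_ets`, `initialize_k5e1_error_table_r` is added but no matching `bindtextdomain` for a k5e1 domain follows the four under `#ifdef COM_ERR_BINDDOMAIN_krb5`, so if com_err generates such a domain its messages will not be localised. The old `if (context->et_list == NULL)` guard is gone, so `_krb5_init_ets` must be called exactly once per context; the two callers in this file respect that, but a one-line comment on the function would make the precondition explicit.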
@@ -1527,24 +1427,15 @@ _krb5_init_etype(krb5_context context,
}
/*
- * Allow homedir accces
+ * Allow homedir access
*/
-static HEIMDAL_MUTEX homedir_mutex = HEIMDAL_MUTEX_INITIALIZER;
-static krb5_boolean allow_homedir = TRUE;
-
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_homedir_access(krb5_context context)
{
- krb5_boolean allow;
-
- if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
- return FALSE;
-
- HEIMDAL_MUTEX_lock(&homedir_mutex);
- allow = allow_homedir;
- HEIMDAL_MUTEX_unlock(&homedir_mutex);
- return allow;
+ if (context)
+ return !!(context->flags & KRB5_CTX_F_HOMEDIR_ACCESS);
+ return !issuid();
}
/**
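Review bot: With the global `allow_homedir` flag removed, `_krb5_homedir_access(NULL)` now answers `!issuid()`, and in the next hunk `krb5_set_home_dir_access(NULL, allow)` does nothing beyond returning the old value, whereas before it set a process-wide default. Callers that disable home-directory access before creating any context (the only reason to pass NULL) silently lose that capability; the public doc comment of `krb5_set_home_dir_access` should state that `context` must be non-NULL for the call to have an effect, or the NULL case should be rejected explicitly. The `!!(context->flags & KRB5_CTX_F_HOMEDIR_ACCESS)` form is fine, though `(context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE` matches the style used elsewhere in this file.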
@@ -1566,19 +1457,16 @@ _krb5_homedir_access(krb5_context context)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
{
- krb5_boolean old;
+ krb5_boolean old = _krb5_homedir_access(context);
+
if (context) {
- old = (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) ? TRUE : FALSE;
if (allow)
context->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
else
context->flags &= ~KRB5_CTX_F_HOMEDIR_ACCESS;
- } else {
- HEIMDAL_MUTEX_lock(&homedir_mutex);
- old = allow_homedir;
- allow_homedir = allow;
- HEIMDAL_MUTEX_unlock(&homedir_mutex);
+ heim_context_set_homedir_access(context->hcontext, allow ? 1 : 0);
}
return old;
}
+
diff --git a/lib/krb5/convert_creds.c b/lib/krb5/convert_creds.c
index fc371c637764..56261b29fa68 100644
--- a/lib/krb5/convert_creds.c
+++ b/lib/krb5/convert_creds.c
@@ -32,7 +32,6 @@
*/
#include "krb5_locl.h"
-#include "krb5-v4compat.h"
#ifndef HEIMDAL_SMALLER
@@ -58,7 +57,6 @@ krb524_convert_creds_kdc(krb5_context context,
struct credentials *v4creds)
KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
N_("krb524_convert_creds_kdc not supported", ""));
return EINVAL;
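Review bot: Dropping `memset(v4creds, 0, sizeof(*v4creds));` here and in the sibling hunk below means these always-failing stubs no longer zero the caller's output struct; since `krb5-v4compat.h` is no longer included, `struct credentials` is presumably an incomplete type in this file now and the `memset` could not compile, which is worth stating in the comment above each function so nobody reinstates it. Callers that relied on a zeroed `v4creds` after the EINVAL return must now initialise it themselves; a sentence to that effect in the deprecation doc comment would cover it.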
@@ -86,7 +84,6 @@ krb524_convert_creds_kdc_ccache(krb5_context context,
struct credentials *v4creds)
KRB5_DEPRECATED_FUNCTION("Use X instead")
{
- memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
N_("krb524_convert_creds_kdc_ccache not supported", ""));
return EINVAL;
diff --git a/lib/krb5/creds.c b/lib/krb5/creds.c
index 16e3f5780802..d62a70acb45f 100644
--- a/lib/krb5/creds.c
+++ b/lib/krb5/creds.c
@@ -190,7 +190,7 @@ krb5_times_equal(const krb5_times *a, const krb5_times *b)
* - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
* - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
* - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
- * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
+ * - KRB5_TC_MATCH_IS_SKEY Compares the existence of the second ticket.
*
* @param context Kerberos 5 context.
* @param whichfields which fields to compare.
diff --git a/lib/krb5/crypto-aes-sha1.c b/lib/krb5/crypto-aes-sha1.c
index 30df0ee86b84..1f3760d18f77 100644
--- a/lib/krb5/crypto-aes-sha1.c
+++ b/lib/krb5/crypto-aes-sha1.c
@@ -72,7 +72,7 @@ struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes128 = {
12,
F_KEYED | F_CPROOF | F_DERIVED,
_krb5_SP_HMAC_SHA1_checksum,
- NULL
+ _krb5_SP_HMAC_SHA1_verify
};
struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256 = {
@@ -82,7 +82,7 @@ struct _krb5_checksum_type _krb5_checksum_hmac_sha1_aes256 = {
12,
F_KEYED | F_CPROOF | F_DERIVED,
_krb5_SP_HMAC_SHA1_checksum,
- NULL
+ _krb5_SP_HMAC_SHA1_verify
};
static krb5_error_code
@@ -92,6 +92,7 @@ AES_SHA1_PRF(krb5_context context,
krb5_data *out)
{
struct _krb5_checksum_type *ct = crypto->et->checksum;
+ struct krb5_crypto_iov iov[1];
krb5_error_code ret;
Checksum result;
krb5_keyblock *derived;
@@ -103,7 +104,9 @@ AES_SHA1_PRF(krb5_context context,
return ret;
}
- ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+ iov[0].data = *in;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ ret = (*ct->checksum)(context, crypto, NULL, 0, iov, 1, &result);
if (ret) {
krb5_data_free(&result.checksum);
return ret;
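Review bot: `(*ct->checksum)(context, crypto, NULL, 0, iov, 1, &result)` keeps passing a NULL key and usage 0 to a checksum type whose definition carries `F_KEYED`; the removed call did the same, but with the new iov signature this deserves a comment explaining that the PRF deliberately wants the unkeyed digest of the input (presumably because the result is then encrypted with `derived`) and that the checksum callback must keep accepting `key == NULL`. `iov[0].data = *in;` copies the caller's `const krb5_data` into a non-const field, which is harmless only as long as the callback never writes through `KRB5_CRYPTO_TYPE_DATA` buffers; a note on that invariant would help too. `AES_SHA1_PRF` continues past this hunk.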
@@ -151,6 +154,7 @@ struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha1 = {
&_krb5_checksum_hmac_sha1_aes128,
F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
_krb5_evp_encrypt_cts,
+ _krb5_evp_encrypt_iov_cts,
16,
AES_SHA1_PRF
};
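Review bot: The new `_krb5_evp_encrypt_iov_cts,` is slotted into a positional struct initializer, as are the `NULL,` entries in the two `crypto-aes-sha2.c` enctype tables later in this chunk; with `_krb5_encryption_type` gaining a member, a mis-ordered entry still compiles whenever adjacent members have compatible function-pointer types. Designated initializers (`.<iov-encrypt member> = _krb5_evp_encrypt_iov_cts,` using whatever name `crypto.h` gives the field) would make each table self-describing and robust to further reordering. Because the sha2 enctypes pass `NULL` in this slot, the dispatch code must fall back to the non-iov path when the member is NULL — worth confirming, as that code is outside this chunk.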
@@ -167,6 +171,7 @@ struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha1 = {
&_krb5_checksum_hmac_sha1_aes256,
F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
_krb5_evp_encrypt_cts,
+ _krb5_evp_encrypt_iov_cts,
16,
AES_SHA1_PRF
};
diff --git a/lib/krb5/crypto-aes-sha2.c b/lib/krb5/crypto-aes-sha2.c
index 4630ce071527..94ec9a1d6e5e 100644
--- a/lib/krb5/crypto-aes-sha2.c
+++ b/lib/krb5/crypto-aes-sha2.c
@@ -58,10 +58,11 @@ _krb5_aes_sha2_md_for_enctype(krb5_context context,
static krb5_error_code
SP_HMAC_SHA2_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *result)
{
krb5_error_code ret;
@@ -73,8 +74,10 @@ SP_HMAC_SHA2_checksum(krb5_context context,
if (ret)
return ret;
- HMAC(md, key->key->keyvalue.data, key->key->keyvalue.length,
- data, len, hmac, &hmaclen);
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac,
+ &hmaclen, md, NULL);
+ if (ret)
+ return ret;
heim_assert(result->checksum.length <= hmaclen, "SHA2 internal error");
@@ -173,6 +176,7 @@ struct _krb5_encryption_type _krb5_enctype_aes128_cts_hmac_sha256_128 = {
&_krb5_checksum_hmac_sha256_128_aes128,
F_DERIVED | F_ENC_THEN_CKSUM | F_SP800_108_HMAC_KDF,
_krb5_evp_encrypt_cts,
+ NULL,
16,
AES_SHA2_PRF
};
@@ -189,6 +193,7 @@ struct _krb5_encryption_type _krb5_enctype_aes256_cts_hmac_sha384_192 = {
&_krb5_checksum_hmac_sha384_192_aes256,
F_DERIVED | F_ENC_THEN_CKSUM | F_SP800_108_HMAC_KDF,
_krb5_evp_encrypt_cts,
+ NULL,
16,
AES_SHA2_PRF
};
diff --git a/lib/krb5/crypto-algs.c b/lib/krb5/crypto-algs.c
index c0540257a441..eb21fcef0713 100644
--- a/lib/krb5/crypto-algs.c
+++ b/lib/krb5/crypto-algs.c
@@ -55,7 +55,10 @@ struct _krb5_checksum_type *_krb5_checksum_types[] = {
&_krb5_checksum_hmac_sha1_aes256,
&_krb5_checksum_hmac_sha256_128_aes128,
&_krb5_checksum_hmac_sha384_192_aes256,
- &_krb5_checksum_hmac_md5
+ &_krb5_checksum_hmac_md5,
+ &_krb5_checksum_sha256,
+ &_krb5_checksum_sha384,
+ &_krb5_checksum_sha512
};
int _krb5_num_checksums
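Review bot: Adding `_krb5_checksum_sha256`, `_krb5_checksum_sha384` and `_krb5_checksum_sha512` to `_krb5_checksum_types` exposes unkeyed digests through the generic checksum lookup, so every path that selects a checksum type by number must keep rejecting entries without `F_KEYED`/`F_CPROOF` wherever a keyed checksum is required; that depends on the flag words in the three definitions, which are not in this chunk. A comment above these entries noting that they are unkeyed and only appropriate where integrity is provided by other means would stop a future reader treating them as interchangeable with the HMAC entries above.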
diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c
index ae576eccfea5..28fc52e4cbf2 100644
--- a/lib/krb5/crypto-arcfour.c
+++ b/lib/krb5/crypto-arcfour.c
@@ -57,10 +57,11 @@ static struct _krb5_key_type keytype_arcfour = {
krb5_error_code
_krb5_HMAC_MD5_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *result)
{
EVP_MD_CTX *m;
@@ -73,18 +74,24 @@ _krb5_HMAC_MD5_checksum(krb5_context context,
unsigned char tmp[16];
unsigned char ksign_c_data[16];
krb5_error_code ret;
+ int i;
+
+ if (crypto != NULL) {
+ if (crypto->mdctx == NULL)
+ crypto->mdctx = EVP_MD_CTX_create();
+ if (crypto->mdctx == NULL)
+ return krb5_enomem(context);
+ m = crypto->mdctx;
+ } else
+ m = EVP_MD_CTX_create();
- m = EVP_MD_CTX_create();
- if (m == NULL)
- return krb5_enomem(context);
ksign_c.checksum.length = sizeof(ksign_c_data);
ksign_c.checksum.data = ksign_c_data;
- ret = _krb5_internal_hmac(context, c, signature, sizeof(signature),
+ ret = _krb5_internal_hmac(context, crypto, c, signature, sizeof(signature),
0, key, &ksign_c);
- if (ret) {
- EVP_MD_CTX_destroy(m);
- return ret;
- }
+ if (ret)
+ goto out;
+
ksign.key = &kb;
kb.keyvalue = ksign_c.checksum;
EVP_DigestInit_ex(m, EVP_md5(), NULL);
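Review bot: On the `crypto == NULL` branch `m = EVP_MD_CTX_create();` is no longer checked before `EVP_DigestInit_ex(m, EVP_md5(), NULL);`, whereas the removed lines returned `krb5_enomem(context)` on failure; restore the check, e.g. `} else if ((m = EVP_MD_CTX_create()) == NULL) return krb5_enomem(context);`. Caching the digest context in `crypto->mdctx` also means two threads sharing one `krb5_crypto` handle now race on the same `EVP_MD_CTX`, where the old per-call allocation was naturally reentrant; if `krb5_crypto` objects are documented as single-threaded that is fine, otherwise a comment on the `mdctx` member should say so. `_krb5_HMAC_MD5_checksum` starts in the previous hunk and continues into the next.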
@@ -93,14 +100,18 @@ _krb5_HMAC_MD5_checksum(krb5_context context,
t[2] = (usage >> 16) & 0xFF;
t[3] = (usage >> 24) & 0xFF;
EVP_DigestUpdate(m, t, 4);
- EVP_DigestUpdate(m, data, len);
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ EVP_DigestUpdate(m, iov[i].data.data, iov[i].data.length);
+ }
EVP_DigestFinal_ex (m, tmp, NULL);
- EVP_MD_CTX_destroy(m);
- ret = _krb5_internal_hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
- if (ret)
- return ret;
- return 0;
+ ret = _krb5_internal_hmac(context, crypto, c, tmp, sizeof(tmp), 0, &ksign, result);
+out:
+ if (crypto == NULL)
+ EVP_MD_CTX_destroy(m);
+
+ return ret;
}
struct _krb5_checksum_type _krb5_checksum_hmac_md5 = {
@@ -137,6 +148,10 @@ ARCFOUR_subencrypt(krb5_context context,
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
krb5_error_code ret;
+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
t[2] = (usage >> 16) & 0xFF;
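Review bot: The new `len < 16` guard in `ARCFOUR_subencrypt` returns `KRB5KRB_AP_ERR_INAPP_CKSUM` without setting an error message, and on the encrypt side a too-short buffer is a caller sizing problem rather than a checksum mismatch, so the code reads misleadingly in logs. The CTS routine added to crypto-evp.c in this same commit reports its equivalent case with `krb5_set_error_message(context, EINVAL, "message block too short"); return EINVAL;`; using that pair (or a message-size krb5 code, if the library defines one) would be clearer and consistent. A one-line comment saying what the 16 bytes are would also help the next reader. The function starts outside this hunk.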
@@ -145,7 +160,7 @@ ARCFOUR_subencrypt(krb5_context context,
k1_c.checksum.length = sizeof(k1_c_data);
k1_c.checksum.data = k1_c_data;
- ret = _krb5_internal_hmac(context, c, t, sizeof(t), 0, key, &k1_c);
+ ret = _krb5_internal_hmac(context, NULL, c, t, sizeof(t), 0, key, &k1_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -160,7 +175,7 @@ ARCFOUR_subencrypt(krb5_context context,
cksum.checksum.length = 16;
cksum.checksum.data = data;
- ret = _krb5_internal_hmac(context, c, cdata + 16, len - 16, 0, &ke, &cksum);
+ ret = _krb5_internal_hmac(context, NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -170,7 +185,7 @@ ARCFOUR_subencrypt(krb5_context context,
k3_c.checksum.length = sizeof(k3_c_data);
k3_c.checksum.data = k3_c_data;
- ret = _krb5_internal_hmac(context, c, data, 16, 0, &ke, &k3_c);
+ ret = _krb5_internal_hmac(context, NULL, c, data, 16, 0, &ke, &k3_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -205,6 +220,10 @@ ARCFOUR_subdecrypt(krb5_context context,
unsigned char cksum_data[16];
krb5_error_code ret;
+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
t[2] = (usage >> 16) & 0xFF;
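Review bot: The `len < 16` check in `ARCFOUR_subdecrypt` correctly prevents the `len - 16` underflow in the later `_krb5_internal_hmac` call over `cdata + 16`, but the magic number deserves a comment since the same 16 reappears below as `cksum.checksum.length = 16`; something like `/* need at least the 16-byte HMAC-MD5 checksum that precedes the confounder and data */`, with the layout confirmed against the encrypt side. This early return also sets no error message, unlike the `EINVAL` case in `_krb5_evp_encrypt_iov_cts` from the same commit. The enclosing function starts before this hunk.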
@@ -213,7 +232,7 @@ ARCFOUR_subdecrypt(krb5_context context,
k1_c.checksum.length = sizeof(k1_c_data);
k1_c.checksum.data = k1_c_data;
- ret = _krb5_internal_hmac(context, c, t, sizeof(t), 0, key, &k1_c);
+ ret = _krb5_internal_hmac(context, NULL, c, t, sizeof(t), 0, key, &k1_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -228,7 +247,7 @@ ARCFOUR_subdecrypt(krb5_context context,
k3_c.checksum.length = sizeof(k3_c_data);
k3_c.checksum.data = k3_c_data;
- ret = _krb5_internal_hmac(context, c, cdata, 16, 0, &ke, &k3_c);
+ ret = _krb5_internal_hmac(context, NULL, c, cdata, 16, 0, &ke, &k3_c);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -243,7 +262,7 @@ ARCFOUR_subdecrypt(krb5_context context,
cksum.checksum.length = 16;
cksum.checksum.data = cksum_data;
- ret = _krb5_internal_hmac(context, c, cdata + 16, len - 16, 0, &ke, &cksum);
+ ret = _krb5_internal_hmac(context, NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
if (ret)
krb5_abortx(context, "hmac failed");
@@ -324,7 +343,7 @@ ARCFOUR_prf(krb5_context context,
res.checksum.data = out->data;
res.checksum.length = out->length;
- ret = _krb5_internal_hmac(context, c, in->data, in->length, 0, &crypto->key, &res);
+ ret = _krb5_internal_hmac(context, crypto, c, in->data, in->length, 0, &crypto->key, &res);
if (ret)
krb5_data_free(out);
return 0;
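Review bot: `ARCFOUR_prf` still returns 0 after `_krb5_internal_hmac` fails: the changed line now threads `crypto` through, but the `if (ret) krb5_data_free(out); return 0;` tail discards `ret`, so the caller is told the PRF succeeded while `out` has just been freed. The tail should be `if (ret) krb5_data_free(out);` followed by `return ret;`. The function starts outside this hunk.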
@@ -341,8 +360,9 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
&keytype_arcfour,
&_krb5_checksum_hmac_md5,
&_krb5_checksum_hmac_md5,
- F_SPECIAL | F_WEAK,
+ F_SPECIAL | F_WEAK | F_OLD,
ARCFOUR_encrypt,
+ NULL,
0,
ARCFOUR_prf
};
diff --git a/lib/krb5/crypto-des-common.c b/lib/krb5/crypto-des-common.c
index 95f6389d1e84..a8344ae5bc75 100644
--- a/lib/krb5/crypto-des-common.c
+++ b/lib/krb5/crypto-des-common.c
@@ -57,13 +57,14 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_des_checksum(krb5_context context,
const EVP_MD *evp_md,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *cksum)
{
struct _krb5_evp_schedule *ctx = key->schedule->data;
EVP_MD_CTX *m;
DES_cblock ivec;
+ int i;
unsigned char *p = cksum->checksum.data;
krb5_generate_random_block(p, 8);
@@ -74,7 +75,10 @@ _krb5_des_checksum(krb5_context context,
EVP_DigestInit_ex(m, evp_md, NULL);
EVP_DigestUpdate(m, p, 8);
- EVP_DigestUpdate(m, data, len);
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ EVP_DigestUpdate(m, iov[i].data.data, iov[i].data.length);
+ }
EVP_DigestFinal_ex (m, p + 8, NULL);
EVP_MD_CTX_destroy(m);
memset_s(&ivec, sizeof(ivec), 0, sizeof(ivec));
@@ -88,8 +92,8 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_des_verify(krb5_context context,
const EVP_MD *evp_md,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
struct _krb5_evp_schedule *ctx = key->schedule->data;
@@ -98,6 +102,7 @@ _krb5_des_verify(krb5_context context,
unsigned char res[16];
DES_cblock ivec;
krb5_error_code ret = 0;
+ int i;
m = EVP_MD_CTX_create();
if (m == NULL)
@@ -109,7 +114,10 @@ _krb5_des_verify(krb5_context context,
EVP_DigestInit_ex(m, evp_md, NULL);
EVP_DigestUpdate(m, tmp, 8); /* confounder */
- EVP_DigestUpdate(m, data, len);
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ EVP_DigestUpdate(m, iov[i].data.data, iov[i].data.length);
+ }
EVP_DigestFinal_ex (m, res, NULL);
EVP_MD_CTX_destroy(m);
if(ct_memcmp(res, tmp + 8, sizeof(res)) != 0) {
@@ -125,14 +133,17 @@ _krb5_des_verify(krb5_context context,
static krb5_error_code
RSA_MD5_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md5(), NULL) != 1)
+ if (_krb5_evp_digest_iov(crypto, iov, niov, C->checksum.data,
+ NULL, EVP_md5(), NULL) != 1)
krb5_abortx(context, "md5 checksum failed");
+
return 0;
}
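Review bot: `RSA_MD5_checksum` now aborts the process whenever `_krb5_evp_digest_iov` returns 0, but that helper (added to crypto-evp.c in this commit) returns 0 both for a digest failure and when it cannot allocate `crypto->mdctx`, so a transient out-of-memory condition becomes `krb5_abortx` instead of an error return. Either give `_krb5_evp_digest_iov` a distinguishable failure for the allocation case and map it to `krb5_enomem(context)` here, or allocate the context once when the `krb5_crypto` is created so this path cannot fail that way. The same pattern applies to `RSA_MD4_checksum` in crypto-des.c and `EVP_unkeyed_checksum` in crypto.c from this import.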
diff --git a/lib/krb5/crypto-des.c b/lib/krb5/crypto-des.c
index 8ea145b56d4b..c5692954c48a 100644
--- a/lib/krb5/crypto-des.c
+++ b/lib/krb5/crypto-des.c
@@ -98,16 +98,24 @@ static struct _krb5_key_type keytype_des = {
static krb5_error_code
CRC32_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- uint32_t crc;
+ uint32_t crc = 0;
unsigned char *r = C->checksum.data;
+ int i;
+
_krb5_crc_init_table ();
- crc = _krb5_crc_update (data, len, 0);
+
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i]))
+ crc = _krb5_crc_update(iov[i].data.data, iov[i].data.length, crc);
+ }
+
r[0] = crc & 0xff;
r[1] = (crc >> 8) & 0xff;
r[2] = (crc >> 16) & 0xff;
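Review bot: The rewritten `CRC32_checksum` threads the running `crc` through successive `_krb5_crc_update` calls, which is only equivalent to the old single call if `_krb5_crc_update` returns its raw register state with no final inversion or byte reordering; the old code always passed 0 and never chained, so this property has not been relied on before. Please confirm it against the implementation in crc.c and add a short comment on the loop, e.g. `/* _krb5_crc_update is chainable: it returns the raw running CRC */`, or add a test with a two-element iov whose result matches the single-buffer checksum. The function's tail lies in the next hunk.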
@@ -117,59 +125,65 @@ CRC32_checksum(krb5_context context,
static krb5_error_code
RSA_MD4_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md4(), NULL) != 1)
+ if (_krb5_evp_digest_iov(crypto, iov, niov, C->checksum.data,
+ NULL, EVP_md4(), NULL) != 1)
krb5_abortx(context, "md4 checksum failed");
return 0;
}
static krb5_error_code
RSA_MD4_DES_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *cksum)
{
- return _krb5_des_checksum(context, EVP_md4(), key, data, len, cksum);
+ return _krb5_des_checksum(context, EVP_md4(), key, iov, niov, cksum);
}
static krb5_error_code
RSA_MD4_DES_verify(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_verify(context, EVP_md4(), key, data, len, C);
+ return _krb5_des_verify(context, EVP_md4(), key, iov, niov, C);
}
static krb5_error_code
RSA_MD5_DES_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_checksum(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_checksum(context, EVP_md5(), key, iov, niov, C);
}
static krb5_error_code
RSA_MD5_DES_verify(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_verify(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_verify(context, EVP_md5(), key, iov, niov, C);
}
struct _krb5_checksum_type _krb5_checksum_crc32 = {
@@ -295,8 +309,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_crc = {
&keytype_des,
&_krb5_checksum_crc32,
NULL,
- F_DISABLED|F_WEAK,
+ F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_key_ivec,
+ NULL,
0,
NULL
};
@@ -311,8 +326,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md4 = {
&keytype_des,
&_krb5_checksum_rsa_md4,
&_krb5_checksum_rsa_md4_des,
- F_DISABLED|F_WEAK,
+ F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -327,8 +343,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_md5 = {
&keytype_des,
&_krb5_checksum_rsa_md5,
&_krb5_checksum_rsa_md5_des,
- F_DISABLED|F_WEAK,
+ F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -343,8 +360,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cbc_none = {
&keytype_des,
&_krb5_checksum_none,
NULL,
- F_PSEUDO|F_DISABLED|F_WEAK,
+ F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
evp_des_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -359,8 +377,9 @@ struct _krb5_encryption_type _krb5_enctype_des_cfb64_none = {
&keytype_des_old,
&_krb5_checksum_none,
NULL,
- F_PSEUDO|F_DISABLED|F_WEAK,
+ F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
DES_CFB64_encrypt_null_ivec,
+ NULL,
0,
NULL
};
@@ -375,8 +394,9 @@ struct _krb5_encryption_type _krb5_enctype_des_pcbc_none = {
&keytype_des_old,
&_krb5_checksum_none,
NULL,
- F_PSEUDO|F_DISABLED|F_WEAK,
+ F_PSEUDO|F_DISABLED|F_WEAK|F_OLD,
DES_PCBC_encrypt_key_ivec,
+ NULL,
0,
NULL
};
diff --git a/lib/krb5/crypto-des3.c b/lib/krb5/crypto-des3.c
index ed3e7c960e99..d231921d6dbf 100644
--- a/lib/krb5/crypto-des3.c
+++ b/lib/krb5/crypto-des3.c
@@ -59,6 +59,7 @@ DES3_prf(krb5_context context,
krb5_data *out)
{
struct _krb5_checksum_type *ct = crypto->et->checksum;
+ struct krb5_crypto_iov iov[1];
krb5_error_code ret;
Checksum result;
krb5_keyblock *derived;
@@ -70,7 +71,9 @@ DES3_prf(krb5_context context,
return ret;
}
- ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+ iov[0].data = *in;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ ret = (*ct->checksum)(context, crypto, NULL, 0, iov, 1, &result);
if (ret) {
krb5_data_free(&result.checksum);
return ret;
@@ -139,24 +142,26 @@ static struct _krb5_key_type keytype_des3_derived = {
#ifdef DES3_OLD_ENCTYPE
static krb5_error_code
RSA_MD5_DES3_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_checksum(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_checksum(context, EVP_md5(), key, iov, niov, C);
}
static krb5_error_code
RSA_MD5_DES3_verify(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
- return _krb5_des_verify(context, EVP_md5(), key, data, len, C);
+ return _krb5_des_verify(context, EVP_md5(), key, iov, niov, C);
}
struct _krb5_checksum_type _krb5_checksum_rsa_md5_des3 = {
@@ -191,8 +196,9 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_md5 = {
&keytype_des3,
&_krb5_checksum_rsa_md5,
&_krb5_checksum_rsa_md5_des3,
- 0,
+ F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
0,
NULL
};
@@ -208,8 +214,9 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_sha1 = {
&keytype_des3_derived,
&_krb5_checksum_sha1,
&_krb5_checksum_hmac_sha1_des3,
- F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF,
+ F_DERIVED | F_RFC3961_ENC | F_RFC3961_KDF | F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
16,
DES3_prf
};
@@ -225,8 +232,9 @@ struct _krb5_encryption_type _krb5_enctype_old_des3_cbc_sha1 = {
&keytype_des3,
&_krb5_checksum_sha1,
&_krb5_checksum_hmac_sha1_des3,
- 0,
+ F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
0,
NULL
};
@@ -242,8 +250,9 @@ struct _krb5_encryption_type _krb5_enctype_des3_cbc_none = {
&keytype_des3_derived,
&_krb5_checksum_none,
NULL,
- F_PSEUDO,
+ F_PSEUDO | F_OLD,
_krb5_evp_encrypt,
+ _krb5_evp_encrypt_iov,
0,
NULL
};
diff --git a/lib/krb5/crypto-evp.c b/lib/krb5/crypto-evp.c
index cab7c29061f7..0ed749a243cc 100644
--- a/lib/krb5/crypto-evp.c
+++ b/lib/krb5/crypto-evp.c
@@ -56,6 +56,119 @@ _krb5_evp_cleanup(krb5_context context, struct _krb5_key_data *kd)
EVP_CIPHER_CTX_cleanup(&key->dctx);
}
+int
+_krb5_evp_digest_iov(krb5_crypto crypto,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ void *hash,
+ unsigned int *hsize,
+ const EVP_MD *md,
+ ENGINE *engine)
+{
+ EVP_MD_CTX *ctx;
+ int ret, i;
+ krb5_data current = {0,0};
+
+ if (crypto != NULL) {
+ if (crypto->mdctx == NULL)
+ crypto->mdctx = EVP_MD_CTX_create();
+ if (crypto->mdctx == NULL)
+ return 0;
+ ctx = crypto->mdctx;
+ } else
+ ctx = EVP_MD_CTX_create();
+
+ ret = EVP_DigestInit_ex(ctx, md, engine);
+ if (ret != 1)
+ goto out;
+
+ /* Minimize EVP calls by coalescing contiguous iovec elements */
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i])) {
+ if (current.data &&
+ (char *)current.data + current.length == iov[i].data.data) {
+ current.length += iov[i].data.length;
+ } else {
+ if (current.data) {
+ ret = EVP_DigestUpdate(ctx, current.data, current.length);
+ if (ret != 1)
+ goto out;
+ }
+ current = iov[i].data;
+ }
+ }
+ }
+
+ if (current.data) {
+ ret = EVP_DigestUpdate(ctx, current.data, current.length);
+ if (ret != 1)
+ goto out;
+ }
+
+ ret = EVP_DigestFinal_ex(ctx, hash, hsize);
+
+out:
+ if (crypto == NULL)
+ EVP_MD_CTX_destroy(ctx);
+
+ return ret;
+}
+
+krb5_error_code
+_krb5_evp_hmac_iov(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_key_data *key,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ void *hmac,
+ unsigned int *hmaclen,
+ const EVP_MD *md,
+ ENGINE *engine)
+{
+ HMAC_CTX *ctx;
+ krb5_data current = {0, 0};
+ int i;
+
+ if (crypto != NULL) {
+ if (crypto->hmacctx == NULL)
+ crypto->hmacctx = HMAC_CTX_new();
+ ctx = crypto->hmacctx;
+ } else {
+ ctx = HMAC_CTX_new();
+ }
+ if (ctx == NULL)
+ return krb5_enomem(context);
+
+ if (HMAC_Init_ex(ctx, key->key->keyvalue.data, key->key->keyvalue.length,
+ md, engine) == 0) {
+ HMAC_CTX_free(ctx);
+ return krb5_enomem(context);
+ }
+
+ for (i = 0; i < niov; i++) {
+ if (_krb5_crypto_iov_should_sign(&iov[i])) {
+ if (current.data &&
+ (char *)current.data + current.length == iov[i].data.data) {
+ current.length += iov[i].data.length;
+ } else {
+ if (current.data)
+ HMAC_Update(ctx, current.data, current.length);
+ current = iov[i].data;
+ }
+ }
+ }
+
+ if (current.data)
+ HMAC_Update(ctx, current.data, current.length);
+
+ HMAC_Final(ctx, hmac, hmaclen);
+
+ if (crypto == NULL)
+ HMAC_CTX_free(ctx);
+
+ return 0;
+}
+
krb5_error_code
_krb5_evp_encrypt(krb5_context context,
struct _krb5_key_data *key,
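Review bot: In `_krb5_evp_hmac_iov`, the `HMAC_Init_ex` failure path calls `HMAC_CTX_free(ctx)` even when `ctx` is the shared `crypto->hmacctx`, leaving a dangling pointer in the `krb5_crypto` that the next call will reuse and the crypto's teardown will presumably free again. Free only the private context, `if (crypto == NULL) HMAC_CTX_free(ctx);`, and report an internal error rather than `krb5_enomem`, which misdescribes an init failure; `HMAC_Update` and `HMAC_Final` return values are also unchecked. Separately, `_krb5_evp_digest_iov` never checks the `EVP_MD_CTX_create()` result in its `crypto == NULL` branch, so `EVP_DigestInit_ex` can run on a NULL context, and it returns the same 0 for its own allocation failure as for a digest failure, which its callers turn into `krb5_abortx`.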
@@ -83,8 +196,389 @@ _krb5_evp_encrypt(krb5_context context,
return 0;
}
+struct _krb5_evp_iov_cursor
+{
+ struct krb5_crypto_iov *iov;
+ int niov;
+ krb5_data current;
+ int nextidx;
+};
+
static const unsigned char zero_ivec[EVP_MAX_BLOCK_LENGTH] = { 0 };
+static inline int
+_krb5_evp_iov_should_encrypt(struct krb5_crypto_iov *iov)
+{
+ return (iov->flags == KRB5_CRYPTO_TYPE_DATA
+ || iov->flags == KRB5_CRYPTO_TYPE_HEADER
+ || iov->flags == KRB5_CRYPTO_TYPE_PADDING);
+}
+/*
+ * If we have a group of iovecs which have been split up from
+ * a single common buffer, expand the 'current' iovec out to
+ * be as large as possible.
+ */
+
+static inline void
+_krb5_evp_iov_cursor_expand(struct _krb5_evp_iov_cursor *cursor)
+{
+ if (cursor->nextidx == cursor->niov)
+ return;
+
+ while (_krb5_evp_iov_should_encrypt(&cursor->iov[cursor->nextidx])) {
+ if (cursor->iov[cursor->nextidx].data.length != 0 &&
+ ((char *)cursor->current.data + cursor->current.length
+ != cursor->iov[cursor->nextidx].data.data)) {
+ return;
+ }
+ cursor->current.length += cursor->iov[cursor->nextidx].data.length;
+ cursor->nextidx++;
+ }
+
+ return;
+}
+
+/* Move the cursor along to the start of the next block to be
+ * encrypted */
+static inline void
+_krb5_evp_iov_cursor_nextcrypt(struct _krb5_evp_iov_cursor *cursor)
+{
+ for (; cursor->nextidx < cursor->niov; cursor->nextidx++) {
+ if (_krb5_evp_iov_should_encrypt(&cursor->iov[cursor->nextidx])
+ && cursor->iov[cursor->nextidx].data.length != 0) {
+ cursor->current = cursor->iov[cursor->nextidx].data;
+ cursor->nextidx++;
+ _krb5_evp_iov_cursor_expand(cursor);
+ return;
+ }
+ }
+
+ cursor->current.length = 0; /* No matches, so we're done here */
+}
+
+static inline void
+_krb5_evp_iov_cursor_init(struct _krb5_evp_iov_cursor *cursor,
+ struct krb5_crypto_iov *iov, int niov)
+{
+ memset(cursor, 0, sizeof(struct _krb5_evp_iov_cursor));
+
+ cursor->iov = iov;
+ cursor->niov = niov;
+ cursor->nextidx = 0;
+
+ /* Move along to the first block we're going to be encrypting */
+ _krb5_evp_iov_cursor_nextcrypt(cursor);
+}
+
+static inline void
+_krb5_evp_iov_cursor_advance(struct _krb5_evp_iov_cursor *cursor,
+ size_t amount)
+{
+ while (amount > 0) {
+ if (cursor->current.length > amount) {
+ cursor->current.data = (char *)cursor->current.data + amount;
+ cursor->current.length -= amount;
+ return;
+ }
+ amount -= cursor->current.length;
+ _krb5_evp_iov_cursor_nextcrypt(cursor);
+ }
+}
+
+static inline int
+_krb5_evp_iov_cursor_done(struct _krb5_evp_iov_cursor *cursor)
+{
+ return (cursor->nextidx == cursor->niov && cursor->current.length == 0);
+}
+
+/* Fill a memory buffer with data from one or more iovecs. Doesn't
+ * advance the passed in cursor - use outcursor for the position
+ * at the end
+ */
+static inline void
+_krb5_evp_iov_cursor_fillbuf(struct _krb5_evp_iov_cursor *cursor,
+ unsigned char *buf, size_t length,
+ struct _krb5_evp_iov_cursor *outcursor)
+{
+ struct _krb5_evp_iov_cursor cursorint;
+
+ cursorint = *cursor;
+
+ while (length > 0 && !_krb5_evp_iov_cursor_done(&cursorint)) {
+ if (cursorint.current.length > length) {
+ memcpy(buf, cursorint.current.data, length);
+ _krb5_evp_iov_cursor_advance(&cursorint, length);
+ length = 0;
+ } else {
+ memcpy(buf, cursorint.current.data, cursorint.current.length);
+ length -= cursorint.current.length;
+ buf += cursorint.current.length;
+ _krb5_evp_iov_cursor_nextcrypt(&cursorint);
+ }
+ }
+
+ if (outcursor != NULL)
+ *outcursor = cursorint;
+}
+
+/* Fill an iovec from a memory buffer. Always advances the cursor to
+ * the end of the filled region
+ */
+static inline void
+_krb5_evp_iov_cursor_fillvec(struct _krb5_evp_iov_cursor *cursor,
+ unsigned char *buf, size_t length)
+{
+ while (length > 0 && !_krb5_evp_iov_cursor_done(cursor)) {
+ if (cursor->current.length > length) {
+ memcpy(cursor->current.data, buf, length);
+ _krb5_evp_iov_cursor_advance(cursor, length);
+ length = 0;
+ } else {
+ memcpy(cursor->current.data, buf, cursor->current.length);
+ length -= cursor->current.length;
+ buf += cursor->current.length;
+ _krb5_evp_iov_cursor_nextcrypt(cursor);
+ }
+ }
+}
+
+static size_t
+_krb5_evp_iov_cryptlength(struct krb5_crypto_iov *iov, int niov)
+{
+ int i;
+ size_t length = 0;
+
+ for (i = 0; i < niov; i++) {
+ if (_krb5_evp_iov_should_encrypt(&iov[i]))
+ length += iov[i].data.length;
+ }
+
+ return length;
+}
+
+int
+_krb5_evp_encrypt_iov(krb5_context context,
+ struct _krb5_key_data *key,
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ size_t blocksize, blockmask, wholeblocks;
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ unsigned char tmp[EVP_MAX_BLOCK_LENGTH];
+ EVP_CIPHER_CTX *c;
+ struct _krb5_evp_iov_cursor cursor;
+
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+
+ blocksize = EVP_CIPHER_CTX_block_size(c);
+
+ blockmask = ~(blocksize - 1);
+
+ if (ivec)
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+
+ _krb5_evp_iov_cursor_init(&cursor, iov, niov);
+
+ while (!_krb5_evp_iov_cursor_done(&cursor)) {
+
+ /* Number of bytes of data in this iovec that are in whole blocks */
+ wholeblocks = cursor.current.length & ~blockmask;
+
+ if (wholeblocks != 0) {
+ EVP_Cipher(c, cursor.current.data,
+ cursor.current.data, wholeblocks);
+ _krb5_evp_iov_cursor_advance(&cursor, wholeblocks);
+ }
+
+ /* If there's a partial block of data remaining in the current
+ * iovec, steal enough from subsequent iovecs to form a whole block */
+ if (cursor.current.length > 0 && cursor.current.length < blocksize) {
+ /* Build up a block's worth of data in tmp, leaving the cursor
+ * pointing at where we started */
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp, blocksize, NULL);
+
+ EVP_Cipher(c, tmp, tmp, blocksize);
+
+ /* Copy the data in tmp back into the iovecs that it came from,
+ * advancing the cursor */
+ _krb5_evp_iov_cursor_fillvec(&cursor, tmp, blocksize);
+ }
+ }
+
+ return 0;
+}
+
+int
+_krb5_evp_encrypt_iov_cts(krb5_context context,
+ struct _krb5_key_data *key,
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec)
+{
+ size_t blocksize, blockmask, wholeblocks, length;
+ size_t remaining, partiallen;
+ struct _krb5_evp_iov_cursor cursor, lastpos;
+ struct _krb5_evp_schedule *ctx = key->schedule->data;
+ unsigned char tmp[EVP_MAX_BLOCK_LENGTH], tmp2[EVP_MAX_BLOCK_LENGTH];
+ unsigned char tmp3[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+ EVP_CIPHER_CTX *c;
+ int i;
+
+ c = encryptp ? &ctx->ectx : &ctx->dctx;
+
+ blocksize = EVP_CIPHER_CTX_block_size(c);
+ blockmask = ~(blocksize - 1);
+
+ length = _krb5_evp_iov_cryptlength(iov, niov);
+
+ if (length < blocksize) {
+ krb5_set_error_message(context, EINVAL,
+ "message block too short");
+ return EINVAL;
+ }
+
+ if (length == blocksize)
+ return _krb5_evp_encrypt_iov(context, key, iov, niov,
+ encryptp, usage, ivec);
+
+ if (ivec)
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+ else
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+
+ if (encryptp) {
+ /* On our first pass, we want to process everything but the
+ * final partial block */
+ remaining = ((length - 1) & blockmask);
+ partiallen = length - remaining;
+
+ memset(&lastpos, 0, sizeof(lastpos)); /* Keep the compiler happy */
+ } else {
+ /* Decryption needs to leave 2 whole blocks and a partial for
+ * further processing */
+ if (length > 2 * blocksize) {
+ remaining = (((length - 1) / blocksize) * blocksize) - (blocksize*2);
+ partiallen = length - remaining - (blocksize * 2);
+ } else {
+ remaining = 0;
+ partiallen = length - blocksize;
+ }
+ }
+
+ _krb5_evp_iov_cursor_init(&cursor, iov, niov);
+ while (remaining > 0) {
+ /* If the iovec has more data than we need, just use it */
+ if (cursor.current.length >= remaining) {
+ EVP_Cipher(c, cursor.current.data, cursor.current.data, remaining);
+
+ if (encryptp) {
+ /* We've just encrypted the last block of data. Make a copy
+ * of it (and its location) for the CTS dance, below */
+ lastpos = cursor;
+ _krb5_evp_iov_cursor_advance(&lastpos, remaining - blocksize);
+ memcpy(ivec2, lastpos.current.data, blocksize);
+ }
+
+ _krb5_evp_iov_cursor_advance(&cursor, remaining);
+ remaining = 0;
+ } else {
+ /* Use as much as we can, firstly all of the whole blocks */
+ wholeblocks = cursor.current.length & blockmask;
+
+ if (wholeblocks > 0) {
+ EVP_Cipher(c, cursor.current.data, cursor.current.data,
+ wholeblocks);
+ _krb5_evp_iov_cursor_advance(&cursor, wholeblocks);
+ remaining -= wholeblocks;
+ }
+
+ /* Then, if we have partial data left, steal enough from subsequent
+ * iovecs to make a whole block */
+ if (cursor.current.length > 0 && cursor.current.length < blocksize) {
+ if (encryptp && remaining == blocksize)
+ lastpos = cursor;
+
+ _krb5_evp_iov_cursor_fillbuf(&cursor, ivec2, blocksize, NULL);
+ EVP_Cipher(c, ivec2, ivec2, blocksize);
+ _krb5_evp_iov_cursor_fillvec(&cursor, ivec2, blocksize);
+
+ remaining -= blocksize;
+ }
+ }
+ }
+
+ /* Encryption */
+ if (encryptp) {
+ /* Copy the partial block into tmp */
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp, partiallen, NULL);
+
+ /* XOR the final partial block with ivec2 */
+ for (i = 0; i < partiallen; i++)
+ tmp[i] = tmp[i] ^ ivec2[i];
+ for (; i < blocksize; i++)
+ tmp[i] = 0 ^ ivec2[i]; /* XOR 0s if partial block exhausted */
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp, tmp, blocksize);
+
+ _krb5_evp_iov_cursor_fillvec(&lastpos, tmp, blocksize);
+ _krb5_evp_iov_cursor_fillvec(&cursor, ivec2, partiallen);
+
+ if (ivec)
+ memcpy(ivec, tmp, blocksize);
+
+ return 0;
+ }
+
+ /* Decryption */
+
+ /* Make a copy of the 2nd last full ciphertext block in ivec2 before
+ * decrypting it. If no such block exists, use ivec or zero_ivec */
+ if (length <= blocksize * 2) {
+ if (ivec)
+ memcpy(ivec2, ivec, blocksize);
+ else
+ memcpy(ivec2, zero_ivec, blocksize);
+ } else {
+ _krb5_evp_iov_cursor_fillbuf(&cursor, ivec2, blocksize, NULL);
+ EVP_Cipher(c, tmp, ivec2, blocksize);
+ _krb5_evp_iov_cursor_fillvec(&cursor, tmp, blocksize);
+ }
+
+ lastpos = cursor; /* Remember where the last block is */
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp, blocksize, &cursor);
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp2, tmp, blocksize); /* tmp eventually becomes output ivec */
+
+ _krb5_evp_iov_cursor_fillbuf(&cursor, tmp3, partiallen, NULL);
+
+ memcpy(tmp3 + partiallen, tmp2 + partiallen, blocksize - partiallen); /* xor 0 */
+ for (i = 0; i < partiallen; i++)
+ tmp2[i] = tmp2[i] ^ tmp3[i];
+
+ _krb5_evp_iov_cursor_fillvec(&cursor, tmp2, partiallen);
+
+ EVP_CipherInit_ex(c, NULL, NULL, NULL, zero_ivec, -1);
+ EVP_Cipher(c, tmp3, tmp3, blocksize);
+
+ for (i = 0; i < blocksize; i++)
+ tmp3[i] ^= ivec2[i];
+
+ _krb5_evp_iov_cursor_fillvec(&lastpos, tmp3, blocksize);
+
+ if (ivec)
+ memcpy(ivec, tmp, blocksize);
+
+ return 0;
+}
+
krb5_error_code
_krb5_evp_encrypt_cts(krb5_context context,
struct _krb5_key_data *key,
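Review bot: `_krb5_evp_encrypt_iov` computes `wholeblocks = cursor.current.length & ~blockmask;`, but `blockmask` was just defined as `~(blocksize - 1)`, so `~blockmask` is `blocksize - 1` and the expression yields the partial-block remainder, not the whole-block byte count the comment describes; the CTS routine below gets it right with `& blockmask`. With the mask inverted, an iovec whose length is an exact multiple of the block size gives `wholeblocks == 0` and also fails the `< blocksize` partial-block test, so the cursor never advances and the loop does not terminate, while a misaligned iovec hands a non-multiple length to `EVP_Cipher`. The line should read `wholeblocks = cursor.current.length & blockmask;`. Unlike `_krb5_evp_encrypt_iov_cts`, this function also never verifies that the total crypt length is a block multiple or that `EVP_Cipher` succeeded, and returns 0 unconditionally; a length check modelled on the CTS variant's `EINVAL` path would turn a malformed request into an error instead of a partially processed buffer.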
diff --git a/lib/krb5/crypto-null.c b/lib/krb5/crypto-null.c
index 96b77994708c..a62a57ffccb0 100644
--- a/lib/krb5/crypto-null.c
+++ b/lib/krb5/crypto-null.c
@@ -53,10 +53,11 @@ static struct _krb5_key_type keytype_null = {
static krb5_error_code
NONE_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *C)
{
return 0;
@@ -94,8 +95,9 @@ struct _krb5_encryption_type _krb5_enctype_null = {
&keytype_null,
&_krb5_checksum_none,
NULL,
- F_DISABLED,
+ F_DISABLED | F_OLD,
NULL_encrypt,
+ NULL,
0,
NULL
};
diff --git a/lib/krb5/crypto-stubs.c b/lib/krb5/crypto-stubs.c
index 2398a4630a04..5251f8857a8c 100644
--- a/lib/krb5/crypto-stubs.c
+++ b/lib/krb5/crypto-stubs.c
@@ -49,8 +49,6 @@ krb5_init_context(krb5_context *context)
if(!p)
return ENOMEM;
- HEIMDAL_MUTEX_init(&p->mutex);
-
*context = p;
return 0;
}
@@ -60,7 +58,6 @@ krb5_free_context(krb5_context context)
{
krb5_clear_error_message(context);
- HEIMDAL_MUTEX_destroy(&context->mutex);
if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
rk_SOCK_EXIT();
}
diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 1c30629db704..ba7e132254a5 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -51,7 +51,7 @@ static void free_key_schedule(krb5_context,
struct _krb5_key_data *,
struct _krb5_encryption_type *);
-/*
+/*
* Converts etype to a user readable string and sets as a side effect
* the krb5_error_message containing this string. Returns
* KRB5_PROG_ETYPE_NOSUPP in not the conversion of the etype failed in
@@ -132,9 +132,14 @@ _key_schedule(krb5_context context,
struct _krb5_key_data *key)
{
krb5_error_code ret;
- struct _krb5_encryption_type *et = _krb5_find_enctype(key->key->keytype);
+ struct _krb5_encryption_type *et;
struct _krb5_key_type *kt;
+ if (key->schedule != NULL)
+ return 0;
+
+ et = _krb5_find_enctype(key->key->keytype);
+
if (et == NULL) {
return unsupported_enctype (context,
key->key->keytype);
@@ -144,8 +149,6 @@ _key_schedule(krb5_context context,
if(kt->schedule == NULL)
return 0;
- if (key->schedule != NULL)
- return 0;
ALLOC(key->schedule, 1);
if (key->schedule == NULL)
return krb5_enomem(context);
@@ -164,50 +167,91 @@ _key_schedule(krb5_context context,
************************************************************/
static krb5_error_code
-SHA1_checksum(krb5_context context,
- struct _krb5_key_data *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *C)
-{
- if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
- krb5_abortx(context, "sha1 checksum failed");
+EVP_unkeyed_checksum(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_key_data *key,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ Checksum *C,
+ const EVP_MD *md)
+{
+ if (_krb5_evp_digest_iov(crypto,
+ iov, niov,
+ C->checksum.data, NULL,
+ md, NULL) != 1)
+ krb5_abortx(context, "unkeyed checksum failed");
+
return 0;
}
+#define EVP_SHA_CHECKSUM(name) \
+ \
+ static krb5_error_code \
+ SHA ## name ##_checksum(krb5_context context, \
+ krb5_crypto crypto, \
+ struct _krb5_key_data *key, \
+ unsigned usage, \
+ const struct krb5_crypto_iov *iov, \
+ int niov, \
+ Checksum *C) \
+ { \
+ return EVP_unkeyed_checksum(context, crypto, key, \
+ usage, iov, niov, \
+ C, EVP_sha##name()); \
+ }
+
+EVP_SHA_CHECKSUM(1)
+EVP_SHA_CHECKSUM(256)
+EVP_SHA_CHECKSUM(384)
+EVP_SHA_CHECKSUM(512)
+
/* HMAC according to RFC2104 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_internal_hmac(krb5_context context,
- struct _krb5_checksum_type *cm,
- const void *data,
- size_t len,
- unsigned usage,
- struct _krb5_key_data *keyblock,
- Checksum *result)
+_krb5_internal_hmac_iov(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_checksum_type *cm,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ struct _krb5_key_data *keyblock,
+ Checksum *result)
{
unsigned char *ipad, *opad;
unsigned char *key;
+ struct krb5_crypto_iov *working;
size_t key_len;
size_t i;
- ipad = malloc(cm->blocksize + len);
+ ipad = malloc(cm->blocksize);
if (ipad == NULL)
return ENOMEM;
+
opad = malloc(cm->blocksize + cm->checksumsize);
if (opad == NULL) {
free(ipad);
return ENOMEM;
}
+
+ working = calloc(niov + 1, sizeof(struct krb5_crypto_iov));
+ if (working == NULL) {
+ free(ipad);
+ free(opad);
+ return ENOMEM;
+ }
+
memset(ipad, 0x36, cm->blocksize);
memset(opad, 0x5c, cm->blocksize);
if(keyblock->key->keyvalue.length > cm->blocksize){
+ working[0].data = keyblock->key->keyvalue;
+ working[0].flags = KRB5_CRYPTO_TYPE_DATA;
(*cm->checksum)(context,
+ crypto,
keyblock,
- keyblock->key->keyvalue.data,
- keyblock->key->keyvalue.length,
usage,
+ working,
+ 1,
result);
key = result->checksum.data;
key_len = result->checksum.length;
@@ -219,22 +263,50 @@ _krb5_internal_hmac(krb5_context context,
ipad[i] ^= key[i];
opad[i] ^= key[i];
}
- memcpy(ipad + cm->blocksize, data, len);
- (*cm->checksum)(context, keyblock, ipad, cm->blocksize + len,
- usage, result);
+
+ working[0].data.data = ipad;
+ working[0].data.length = cm->blocksize;
+ working[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ for (i = 0; i < niov; i++)
+ working[i + 1] = iov[i];
+
+ (*cm->checksum)(context, crypto, keyblock, usage, working, niov + 1, result);
memcpy(opad + cm->blocksize, result->checksum.data,
result->checksum.length);
- (*cm->checksum)(context, keyblock, opad,
- cm->blocksize + cm->checksumsize, usage, result);
- memset(ipad, 0, cm->blocksize + len);
+
+ working[0].data.data = opad;
+ working[0].data.length = cm->blocksize + cm->checksumsize;
+ working[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ (*cm->checksum)(context, crypto, keyblock, usage, working, 1, result);
+ memset(ipad, 0, cm->blocksize);
free(ipad);
memset(opad, 0, cm->blocksize + cm->checksumsize);
free(opad);
+ free(working);
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_internal_hmac(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_checksum_type *cm,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ struct _krb5_key_data *keyblock,
+ Checksum *result)
+{
+ struct krb5_crypto_iov iov[1];
+
+ iov[0].data.data = (void *) data;
+ iov[0].data.length = len;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+ return _krb5_internal_hmac_iov(context, crypto, cm, usage, iov, 1,
+ keyblock, result);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_hmac(krb5_context context,
krb5_cksumtype cktype,
const void *data,
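Review bot: `memset(ipad, 0, cm->blocksize)` and the `memset(opad, ...)` that follow are each immediately followed by `free()`, so a compiler may drop them as dead stores and the key-derived pads are not reliably cleared. Use roken's `memset_s(ipad, cm->blocksize, 0, cm->blocksize)` (or another non-elidable clear) if it is available in this tree; `working` only holds pointers into the caller's iovs and needs no clearing. The body of `_krb5_internal_hmac_iov` starts outside this hunk, so the allocation of `working` and whether the early-error paths also free it cannot be checked here. In the new `_krb5_internal_hmac` wrapper the `(void *) data` cast discards `const`; a comment such as `/* krb5_crypto_iov carries a non-const krb5_data; the callee presumably only reads it */` would record why that is acceptable.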
@@ -245,6 +317,7 @@ krb5_hmac(krb5_context context,
{
struct _krb5_checksum_type *c = _krb5_find_checksum(cktype);
struct _krb5_key_data kd;
+
krb5_error_code ret;
if (c == NULL) {
@@ -257,7 +330,7 @@ krb5_hmac(krb5_context context,
kd.key = key;
kd.schedule = NULL;
- ret = _krb5_internal_hmac(context, c, data, len, usage, &kd, result);
+ ret = _krb5_internal_hmac(context, NULL, c, data, len, usage, &kd, result);
if (kd.schedule)
krb5_free_data(context, kd.schedule);
@@ -267,36 +340,72 @@ krb5_hmac(krb5_context context,
krb5_error_code
_krb5_SP_HMAC_SHA1_checksum(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *data,
- size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
Checksum *result)
{
- struct _krb5_checksum_type *c = _krb5_find_checksum(CKSUMTYPE_SHA1);
- Checksum res;
- char sha1_data[20];
krb5_error_code ret;
+ unsigned char hmac[EVP_MAX_MD_SIZE];
+ unsigned int hmaclen = sizeof(hmac);
+
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac, &hmaclen,
+ EVP_sha1(), NULL);
+ if (ret)
+ return ret;
+
+ heim_assert(result->checksum.length <= hmaclen,
+ "SHA1 checksum too short");
+ memcpy(result->checksum.data, hmac, result->checksum.length);
- res.checksum.data = sha1_data;
- res.checksum.length = sizeof(sha1_data);
+ return 0;
+}
+
+krb5_error_code
+_krb5_SP_HMAC_SHA1_verify(krb5_context context,
+ krb5_crypto crypto,
+ struct _krb5_key_data *key,
+ unsigned usage,
+ const struct krb5_crypto_iov *iov,
+ int niov,
+ Checksum *verify)
+{
+ krb5_error_code ret;
+ unsigned char hmac[EVP_MAX_MD_SIZE];
+ unsigned int hmaclen = sizeof(hmac);
+ krb5_data data;
- ret = _krb5_internal_hmac(context, c, data, len, usage, key, &res);
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac, &hmaclen,
+ EVP_sha1(), NULL);
if (ret)
- krb5_abortx(context, "hmac failed");
- memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
+ return ret;
+
+ data.data = hmac;
+ data.length = min(hmaclen, verify->checksum.length);
+
+ if(krb5_data_ct_cmp(&data, &verify->checksum) != 0)
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
return 0;
}
-struct _krb5_checksum_type _krb5_checksum_sha1 = {
- CKSUMTYPE_SHA1,
- "sha1",
- 64,
- 20,
- F_CPROOF,
- SHA1_checksum,
- NULL
-};
+#define SHA_CHECKSUM(name, blocksize, outputsize) \
+ struct _krb5_checksum_type _krb5_checksum_sha##name = { \
+ CKSUMTYPE_SHA##name, \
+ "sha" #name, \
+ blocksize, \
+ outputsize, \
+ F_CPROOF, \
+ SHA##name##_checksum, \
+ NULL \
+ };
+
+SHA_CHECKSUM(1, 64, 20);
+SHA_CHECKSUM(256, 64, 32);
+SHA_CHECKSUM(384, 128, 48);
+SHA_CHECKSUM(512, 128, 64);
KRB5_LIB_FUNCTION struct _krb5_checksum_type * KRB5_LIB_CALL
_krb5_find_checksum(krb5_cksumtype type)
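Review bot: In `_krb5_SP_HMAC_SHA1_verify` the computed MAC is truncated to `verify->checksum.length` before `krb5_data_ct_cmp`, so a caller-supplied checksum shorter than the type's output (down to zero bytes) would compare successfully against a prefix; this is only safe if the length has already been validated against `ct->checksumsize` by the caller, which is not visible here. A comment on the `min()` line, e.g. `/* length already checked against checksumsize by verify_checksum_iov */`, or an explicit rejection of lengths below the type's checksumsize, would make that contract explicit. As a style point, `SHA_CHECKSUM(1, 64, 20);` expands to a definition that already ends in `;`, so each invocation leaves a stray empty declaration at file scope that `-Wpedantic` flags; drop the `;` inside the macro.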
@@ -316,6 +425,24 @@ get_checksum_key(krb5_context context,
struct _krb5_key_data **key)
{
krb5_error_code ret = 0;
+ struct _krb5_checksum_type *kct = NULL;
+
+ if (crypto == NULL) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
+ return KRB5_BAD_ENCTYPE;
+ }
+ kct = crypto->et->keyed_checksum;
+ if (kct == NULL || kct->type != ct->type) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed, but "
+ "the key type %s passed didnt have that checksum "
+ "type as the keyed type", ""),
+ ct->name, crypto->et->name);
+ return KRB5_BAD_ENCTYPE;
+ }
if(ct->flags & F_DERIVED)
ret = _get_derived_key(context, crypto, usage, key);
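Review bot: The new error message contains the typo `didnt`; since it is a translatable `N_()` string it should read `"the key type %s passed didn't have that checksum "`. The enclosing `get_checksum_key` continues past the end of the hunk.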
@@ -339,41 +466,58 @@ get_checksum_key(krb5_context context,
}
static krb5_error_code
-create_checksum (krb5_context context,
- struct _krb5_checksum_type *ct,
- krb5_crypto crypto,
- unsigned usage,
- void *data,
- size_t len,
- Checksum *result)
+create_checksum_iov(krb5_context context,
+ struct _krb5_checksum_type *ct,
+ krb5_crypto crypto,
+ unsigned usage,
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_flags flags,
+ Checksum *result)
{
krb5_error_code ret;
struct _krb5_key_data *dkey;
- int keyed_checksum;
if (ct->flags & F_DISABLED) {
krb5_clear_error_message (context);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- if(keyed_checksum) {
+ if (ct->flags & F_KEYED) {
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
if (ret)
return ret;
+ } else if ((flags & KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM) == 0) {
+ return EINVAL;
} else
dkey = NULL;
+
result->cksumtype = ct->type;
+
+ return (*ct->checksum)(context, crypto, dkey, usage, iov, niov, result);
+}
+
+static krb5_error_code
+create_checksum (krb5_context context,
+ struct _krb5_checksum_type *ct,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_flags flags,
+ Checksum *result)
+{
+ int ret;
+ struct krb5_crypto_iov iov[1];
+
ret = krb5_data_alloc(&result->checksum, ct->checksumsize);
if (ret)
- return (ret);
- return (*ct->checksum)(context, dkey, data, len, usage, result);
+ return ret;
+
+ iov[0].data.data = data;
+ iov[0].data.length = len;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+
+ return create_checksum_iov(context, ct, crypto, usage, iov, 1, flags, result);
}
static int
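Review bot: `create_checksum_iov` returns a bare `EINVAL` with no error message when an unkeyed checksum is requested without `KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM`, whereas the matching branch in `verify_checksum_iov` sets `KRB5KRB_AP_ERR_INAPP_CKSUM` with a message; the two should agree, e.g. `krb5_set_error_message(context, KRB5KRB_AP_ERR_INAPP_CKSUM, N_("Unkeyed checksum type %s not allowed here", ""), ct->name); return KRB5KRB_AP_ERR_INAPP_CKSUM;`. In `create_checksum`, `result->checksum` is allocated before `create_checksum_iov` is called and is not released when that call fails; the original had the same shape, but the new flags check adds a failure path, so either free it on error or document that callers must `free_Checksum` on failure (the callers' error handling is not visible here). `int ret` in `create_checksum` should be `krb5_error_code` to match the rest of the file.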
@@ -383,6 +527,16 @@ arcfour_checksum_p(struct _krb5_checksum_type *ct, krb5_crypto crypto)
(crypto->key.key->keytype == KEYTYPE_ARCFOUR);
}
+static inline krb5_flags
+crypto_flags(krb5_crypto crypto)
+{
+ /* If caller didn't specify a key, unkeyed checksums are the only option */
+ if (crypto == NULL)
+ return KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM;
+ else
+ return crypto->flags;
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_create_checksum(krb5_context context,
krb5_crypto crypto,
@@ -417,21 +571,21 @@ krb5_create_checksum(krb5_context context,
} else
keyusage = CHECKSUM_USAGE(usage);
- return create_checksum(context, ct, crypto, keyusage,
- data, len, result);
+ return create_checksum(context, ct, crypto, keyusage, data, len,
+ crypto_flags(crypto), result);
}
static krb5_error_code
-verify_checksum(krb5_context context,
- krb5_crypto crypto,
- unsigned usage, /* not krb5_key_usage */
- void *data,
- size_t len,
- Checksum *cksum)
+verify_checksum_iov(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage, /* not krb5_key_usage */
+ struct krb5_crypto_iov *iov,
+ int niov,
+ krb5_flags flags,
+ Checksum *cksum)
{
krb5_error_code ret;
struct _krb5_key_data *dkey;
- int keyed_checksum;
Checksum c;
struct _krb5_checksum_type *ct;
@@ -452,29 +606,17 @@ verify_checksum(krb5_context context,
return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
}
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum) {
- struct _krb5_checksum_type *kct;
- if (crypto == NULL) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- kct = crypto->et->keyed_checksum;
- if (kct == NULL || kct->type != ct->type) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed, but "
- "the key type %s passed didnt have that checksum "
- "type as the keyed type", ""),
- ct->name, crypto->et->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
-
+ if (ct->flags & F_KEYED) {
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
if (ret)
return ret;
+ } else if ((flags & KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM) == 0) {
+ krb5_clear_error_message (context);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_INAPP_CKSUM,
+ N_("Unkeyed checksum type %s provided where keyed "
+ "checksum was expected", ""), ct->name);
+
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
} else
dkey = NULL;
@@ -484,7 +626,7 @@ verify_checksum(krb5_context context,
*/
if(ct->verify) {
- ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
+ ret = (*ct->verify)(context, crypto, dkey, usage, iov, niov, cksum);
if (ret)
krb5_set_error_message(context, ret,
N_("Decrypt integrity check failed for checksum "
@@ -497,7 +639,7 @@ verify_checksum(krb5_context context,
if (ret)
return ret;
- ret = (*ct->checksum)(context, dkey, data, len, usage, &c);
+ ret = (*ct->checksum)(context, crypto, dkey, usage, iov, niov, &c);
if (ret) {
krb5_data_free(&c.checksum);
return ret;
@@ -516,6 +658,24 @@ verify_checksum(krb5_context context,
return ret;
}
+static krb5_error_code
+verify_checksum(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage, /* not krb5_key_usage */
+ void *data,
+ size_t len,
+ krb5_flags flags,
+ Checksum *cksum)
+{
+ struct krb5_crypto_iov iov[1];
+
+ iov[0].data.data = data;
+ iov[0].data.length = len;
+ iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
+
+ return verify_checksum_iov(context, crypto, usage, iov, 1, flags, cksum);
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_checksum(krb5_context context,
krb5_crypto crypto,
@@ -542,7 +702,7 @@ krb5_verify_checksum(krb5_context context,
keyusage = CHECKSUM_USAGE(usage);
return verify_checksum(context, crypto, keyusage,
- data, len, cksum);
+ data, len, crypto_flags(crypto), cksum);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
@@ -699,7 +859,7 @@ krb5_enctype_to_keytype(krb5_context context,
if(e == NULL) {
return unsupported_enctype (context, etype);
}
- *keytype = e->keytype->type; /* XXX */
+ *keytype = (krb5_keytype)e->keytype->type;
return 0;
}
@@ -836,6 +996,7 @@ encrypt_internal_derived(krb5_context context,
INTEGRITY_USAGE(usage),
p,
block_sz,
+ 0,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
free_Checksum (&cksum);
@@ -923,6 +1084,7 @@ encrypt_internal_enc_then_cksum(krb5_context context,
INTEGRITY_USAGE(usage),
ivc,
et->blocksize + block_sz,
+ 0,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
free_Checksum (&cksum);
@@ -979,6 +1141,7 @@ encrypt_internal(krb5_context context,
0,
p,
block_sz,
+ KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM,
&cksum);
if(ret == 0 && cksum.checksum.length != checksum_sz) {
krb5_clear_error_message (context);
@@ -1104,6 +1267,7 @@ decrypt_internal_derived(krb5_context context,
INTEGRITY_USAGE(usage),
p,
len,
+ 0,
&cksum);
if(ret) {
free(p);
@@ -1111,11 +1275,7 @@ decrypt_internal_derived(krb5_context context,
}
l = len - et->confoundersize;
memmove(p, p + et->confoundersize, l);
- result->data = realloc(p, l);
- if(result->data == NULL && l != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = l;
return 0;
}
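Review bot: `result->data = p;` hands back a buffer that is `et->confoundersize` bytes longer than `result->length`, with the tail still holding the bytes displaced by the `memmove`; this is harmless (the data is the caller's own plaintext and `free()` does not care about the size) but it deserves a comment such as `/* p is over-allocated by the confounder; callers only see result->length bytes */`. The same replacement of the shrinking `realloc` appears in `decrypt_internal_enc_then_cksum`, `decrypt_internal` and `decrypt_internal_special` below, where the slack also covers the block-size or checksum prefix that was moved out.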
@@ -1171,6 +1331,7 @@ decrypt_internal_enc_then_cksum(krb5_context context,
INTEGRITY_USAGE(usage),
p,
et->blocksize + len,
+ 0,
&cksum);
if(ret) {
free(p);
@@ -1195,11 +1356,7 @@ decrypt_internal_enc_then_cksum(krb5_context context,
l = len - et->confoundersize;
memmove(p, p + et->blocksize + et->confoundersize, l);
- result->data = realloc(p, l);
- if(result->data == NULL && l != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = l;
return 0;
}
@@ -1252,7 +1409,8 @@ decrypt_internal(krb5_context context,
}
memset(p + et->confoundersize, 0, checksum_sz);
cksum.cksumtype = CHECKSUMTYPE(et->checksum);
- ret = verify_checksum(context, NULL, 0, p, len, &cksum);
+ ret = verify_checksum(context, NULL, 0, p, len,
+ KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM, &cksum);
free_Checksum(&cksum);
if(ret) {
free(p);
@@ -1260,11 +1418,7 @@ decrypt_internal(krb5_context context,
}
l = len - et->confoundersize - checksum_sz;
memmove(p, p + et->confoundersize + checksum_sz, l);
- result->data = realloc(p, l);
- if(result->data == NULL && l != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = l;
return 0;
}
@@ -1307,11 +1461,7 @@ decrypt_internal_special(krb5_context context,
}
memmove (p, p + cksum_sz + et->confoundersize, sz);
- result->data = realloc(p, sz);
- if(result->data == NULL && sz != 0) {
- free(p);
- return krb5_enomem(context);
- }
+ result->data = p;
result->length = sz;
return 0;
}
@@ -1346,10 +1496,11 @@ iov_sign_data_len(krb5_crypto_iov *data, int num_data)
size_t i, len;
for (len = 0, i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- len += data[i].data.length;
+ /* Can't use should_sign, because we must only count data, not
+ * header/trailer */
+ if (data[i].flags == KRB5_CRYPTO_TYPE_DATA ||
+ data[i].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
+ len += data[i].data.length;
}
return len;
@@ -1465,7 +1616,7 @@ iov_pad_validate(const struct _krb5_encryption_type *et,
return KRB5_BAD_MSIZE;
piv->data.length = pad_sz;
if (pad_sz)
- memset(piv->data.data, pad_sz, pad_sz);
+ memset(piv->data.data, 0, pad_sz);
else
piv = NULL;
}
@@ -1552,9 +1703,8 @@ krb5_encrypt_iov_ivec(krb5_context context,
unsigned char old_ivec[EVP_MAX_IV_LENGTH];
krb5_data ivec_data;
- ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
- if(ret)
- goto cleanup;
+ heim_assert(et->blocksize <= sizeof(old_ivec),
+ "blocksize too big for ivec buffer");
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret)
@@ -1564,22 +1714,30 @@ krb5_encrypt_iov_ivec(krb5_context context,
if(ret)
goto cleanup;
- heim_assert(et->blocksize <= sizeof(old_ivec),
- "blocksize too big for ivec buffer");
-
if (ivec)
memcpy(old_ivec, ivec, et->blocksize);
else
memset(old_ivec, 0, et->blocksize);
- ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
- 1, usage, ivec);
- if(ret)
- goto cleanup;
+ if (et->encrypt_iov != NULL) {
+ ret = (*et->encrypt_iov)(context, dkey, data, num_data, 1, usage,
+ ivec);
+ if (ret)
+ goto cleanup;
+ } else {
+ ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
+ if (ret)
+ goto cleanup;
- ret = iov_uncoalesce(context, &enc_data, data, num_data);
- if(ret)
- goto cleanup;
+ ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
+ 1, usage, ivec);
+ if (ret)
+ goto cleanup;
+
+ ret = iov_uncoalesce(context, &enc_data, data, num_data);
+ if (ret)
+ goto cleanup;
+ }
ivec_data.length = et->blocksize;
ivec_data.data = old_ivec;
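Review bot: The `encrypt_iov`-or-coalesce dispatch added here is repeated verbatim for the encrypt side in the next hunk of `krb5_encrypt_iov_ivec` and again (with `encryptp == 0`) in `krb5_decrypt_iov_ivec`; three copies of the same fallback sequence are easy to let drift, so factor it into one static helper that takes `encryptp` and leaves `enc_data` to the existing `cleanup:` path. The helper below preserves the current lifetime of `enc_data` (still released by the caller's cleanup, which is outside this hunk), and each call site becomes `ret = iov_encrypt_or_coalesce(context, et, dkey, data, num_data, 1, usage, ivec, &enc_data); if (ret) goto cleanup;` with `0` in place of `1` on the decrypt side.
```c
/*
 * Encrypt or decrypt the iov array in place: use the enctype's native
 * iov routine when it has one, otherwise coalesce, run the flat
 * encrypt and scatter the result back.  On the fallback path *enc_data
 * is left allocated for the caller's cleanup path, as before.
 */
static krb5_error_code
iov_encrypt_or_coalesce(krb5_context context,
                        const struct _krb5_encryption_type *et,
                        struct _krb5_key_data *dkey,
                        krb5_crypto_iov *data, int num_data,
                        krb5_boolean encryptp, int usage, void *ivec,
                        krb5_data *enc_data)
{
    krb5_error_code ret;

    if (et->encrypt_iov != NULL)
        return (*et->encrypt_iov)(context, dkey, data, num_data, encryptp,
                                  usage, ivec);

    ret = iov_coalesce(context, NULL, data, num_data, FALSE, enc_data);
    if (ret)
        return ret;

    ret = (*et->encrypt)(context, dkey, enc_data->data, enc_data->length,
                         encryptp, usage, ivec);
    if (ret)
        return ret;

    return iov_uncoalesce(context, enc_data, data, num_data);
}
```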
@@ -1587,36 +1745,43 @@ krb5_encrypt_iov_ivec(krb5_context context,
ret = iov_coalesce(context, &ivec_data, data, num_data, TRUE, &sign_data);
if(ret)
goto cleanup;
- } else {
- ret = iov_coalesce(context, NULL, data, num_data, TRUE, &sign_data);
- if(ret)
- goto cleanup;
- }
-
- ret = create_checksum(context,
- et->keyed_checksum,
- crypto,
- INTEGRITY_USAGE(usage),
- sign_data.data,
- sign_data.length,
- &cksum);
- if(ret == 0 && cksum.checksum.length != trailersz) {
- free_Checksum (&cksum);
- krb5_clear_error_message (context);
- ret = KRB5_CRYPTO_INTERNAL;
- }
- if(ret)
- goto cleanup;
-
- /* save cksum at end */
- memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
- free_Checksum (&cksum);
- if (!(et->flags & F_ENC_THEN_CKSUM)) {
- ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
- if(ret)
- goto cleanup;
+ ret = create_checksum(context,
+ et->keyed_checksum,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ sign_data.data,
+ sign_data.length,
+ 0,
+ &cksum);
+
+ if(ret == 0 && cksum.checksum.length != trailersz) {
+ free_Checksum (&cksum);
+ krb5_clear_error_message (context);
+ ret = KRB5_CRYPTO_INTERNAL;
+ }
+ if (ret)
+ goto cleanup;
+
+ /* save cksum at end */
+ memcpy(tiv->data.data, cksum.checksum.data, cksum.checksum.length);
+ free_Checksum (&cksum);
+ } else {
+ cksum.checksum = tiv->data;
+ ret = create_checksum_iov(context,
+ et->keyed_checksum,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ data,
+ num_data,
+ 0,
+ &cksum);
+ if (ret)
+ goto cleanup;
+
+ /* create_checksum may realloc the derived key space, so any keys
+ * obtained before it was called may no longer be valid */
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret)
goto cleanup;
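Review bot: In the new `else` branch `cksum.checksum = tiv->data;` makes the trailer iov the output buffer for `create_checksum_iov` without the `cksum.checksum.length != trailersz` check that the `F_ENC_THEN_CKSUM` branch keeps, so correctness rests on `tiv->data.length` having been validated against `trailersz` earlier in `krb5_encrypt_iov_ivec` (outside this hunk) and on every checksum callback honouring `result->checksum.length`. If that earlier check exists, a comment on the assignment such as `/* tiv->data.length == trailersz was checked above; the callback writes in place */` would make the dependency visible; if it does not, add `if (tiv->data.length != trailersz) { ret = KRB5_BAD_MSIZE; goto cleanup; }` before it.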
@@ -1625,14 +1790,25 @@ krb5_encrypt_iov_ivec(krb5_context context,
if(ret)
goto cleanup;
- ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
- 1, usage, ivec);
- if(ret)
- goto cleanup;
+ if (et->encrypt_iov != NULL) {
+ ret = (*et->encrypt_iov)(context, dkey, data, num_data, 1, usage,
+ ivec);
+ if (ret)
+ goto cleanup;
+ } else {
+ ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
+ if (ret)
+ goto cleanup;
- ret = iov_uncoalesce(context, &enc_data, data, num_data);
- if(ret)
- goto cleanup;
+ ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
+ 1, usage, ivec);
+ if (ret)
+ goto cleanup;
+
+ ret = iov_uncoalesce(context, &enc_data, data, num_data);
+ if (ret)
+ goto cleanup;
+ }
}
cleanup:
@@ -1708,10 +1884,6 @@ krb5_decrypt_iov_ivec(krb5_context context,
krb5_data_zero(&sign_data);
if (!(et->flags & F_ENC_THEN_CKSUM)) {
- ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
- if(ret)
- goto cleanup;
-
ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey);
if(ret)
goto cleanup;
@@ -1720,47 +1892,62 @@ krb5_decrypt_iov_ivec(krb5_context context,
if(ret)
goto cleanup;
- ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
- 0, usage, ivec);
- if(ret)
- goto cleanup;
+ if (et->encrypt_iov != NULL) {
+ ret = (*et->encrypt_iov)(context, dkey, data, num_data,
+ 0, usage, ivec);
+ if(ret)
+ goto cleanup;
+ } else {
+ ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
+ if(ret)
+ goto cleanup;
+
+ ret = (*et->encrypt)(context, dkey, enc_data.data, enc_data.length,
+ 0, usage, ivec);
+ if(ret)
+ goto cleanup;
+
+ ret = iov_uncoalesce(context, &enc_data, data, num_data);
+ if(ret)
+ goto cleanup;
+ }
- ret = iov_uncoalesce(context, &enc_data, data, num_data);
- if(ret)
- goto cleanup;
+ cksum.checksum.data = tiv->data.data;
+ cksum.checksum.length = tiv->data.length;
+ cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
- ret = iov_coalesce(context, NULL, data, num_data, TRUE, &sign_data);
+ ret = verify_checksum_iov(context, crypto, INTEGRITY_USAGE(usage),
+ data, num_data, 0, &cksum);
if(ret)
goto cleanup;
} else {
krb5_data ivec_data;
- static unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
+ static const unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
heim_assert(et->blocksize <= sizeof(zero_ivec),
"blocksize too big for ivec buffer");
ivec_data.length = et->blocksize;
- ivec_data.data = ivec ? ivec : zero_ivec;
+ ivec_data.data = ivec ? ivec : rk_UNCONST(zero_ivec);
ret = iov_coalesce(context, &ivec_data, data, num_data, TRUE, &sign_data);
if(ret)
goto cleanup;
- }
- cksum.checksum.data = tiv->data.data;
- cksum.checksum.length = tiv->data.length;
- cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
-
- ret = verify_checksum(context,
- crypto,
- INTEGRITY_USAGE(usage),
- sign_data.data,
- sign_data.length,
- &cksum);
- if(ret)
- goto cleanup;
+ cksum.checksum.data = tiv->data.data;
+ cksum.checksum.length = tiv->data.length;
+ cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
+
+ ret = verify_checksum(context,
+ crypto,
+ INTEGRITY_USAGE(usage),
+ sign_data.data,
+ sign_data.length,
+ 0,
+ &cksum);
+ if(ret)
+ goto cleanup;
- if (et->flags & F_ENC_THEN_CKSUM) {
ret = iov_coalesce(context, NULL, data, num_data, FALSE, &enc_data);
if(ret)
goto cleanup;
@@ -1819,58 +2006,44 @@ krb5_create_checksum_iov(krb5_context context,
{
Checksum cksum;
krb5_crypto_iov *civ;
+ struct _krb5_checksum_type *ct;
+ unsigned keyusage;
krb5_error_code ret;
- size_t i;
- size_t len;
- char *p, *q;
-
- if(!derived_crypto(context, crypto)) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
civ = iov_find(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
if (civ == NULL)
return KRB5_BAD_MSIZE;
- len = 0;
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- len += data[i].data.length;
- }
-
- p = q = malloc(len);
+ ct = crypto->et->keyed_checksum;
+ if (ct == NULL)
+ ct = crypto->et->checksum;
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- memcpy(q, data[i].data.data, data[i].data.length);
- q += data[i].data.length;
+ if(ct == NULL) {
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type not found", ""));
+ return KRB5_PROG_SUMTYPE_NOSUPP;
}
- ret = krb5_create_checksum(context, crypto, usage, 0, p, len, &cksum);
- free(p);
- if (ret)
- return ret;
-
- if (type)
- *type = cksum.cksumtype;
+ if (arcfour_checksum_p(ct, crypto)) {
+ keyusage = usage;
+ _krb5_usage2arcfour(context, &keyusage);
+ } else
+ keyusage = CHECKSUM_USAGE(usage);
- if (cksum.checksum.length > civ->data.length) {
+ if (ct->checksumsize > civ->data.length) {
krb5_set_error_message(context, KRB5_BAD_MSIZE,
N_("Checksum larger then input buffer", ""));
- free_Checksum(&cksum);
return KRB5_BAD_MSIZE;
}
- civ->data.length = cksum.checksum.length;
- memcpy(civ->data.data, cksum.checksum.data, civ->data.length);
- free_Checksum(&cksum);
+ cksum.checksum = civ->data;
+ ret = create_checksum_iov(context, ct, crypto, keyusage,
+ data, num_data, crypto_flags(crypto), &cksum);
- return 0;
+ if (ret == 0 && type)
+ *type = cksum.cksumtype;
+
+ return ret;
}
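Review bot: `cksum.checksum = civ->data;` passes the checksum iov to `create_checksum_iov` with whatever length the caller supplied, but the guard just above only rejects buffers that are too small, so a larger buffer reaches the callback with `result->checksum.length > ct->checksumsize`; the removed code used to set `civ->data.length = cksum.checksum.length` after computing, so the caller no longer learns the real checksum size either. Set the length first: `civ->data.length = ct->checksumsize;` immediately before `cksum.checksum = civ->data;`. Whether an over-long `result->checksum.length` is merely a wrong length or trips the `heim_assert` in callbacks such as `_krb5_SP_HMAC_SHA1_checksum` depends on the callback, but both are avoided by fixing the length here.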
/**
@@ -1896,46 +2069,36 @@ krb5_verify_checksum_iov(krb5_context context,
krb5_cksumtype *type)
{
struct _krb5_encryption_type *et = crypto->et;
+ struct _krb5_checksum_type *ct;
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- size_t i;
- size_t len;
- char *p, *q;
-
- if(!derived_crypto(context, crypto)) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
+ unsigned keyusage;
civ = iov_find(data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
if (civ == NULL)
return KRB5_BAD_MSIZE;
- len = 0;
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- len += data[i].data.length;
- }
-
- p = q = malloc(len);
-
- for (i = 0; i < num_data; i++) {
- if (data[i].flags != KRB5_CRYPTO_TYPE_DATA &&
- data[i].flags != KRB5_CRYPTO_TYPE_SIGN_ONLY)
- continue;
- memcpy(q, data[i].data.data, data[i].data.length);
- q += data[i].data.length;
- }
-
cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);
cksum.checksum.length = civ->data.length;
cksum.checksum.data = civ->data.data;
- ret = krb5_verify_checksum(context, crypto, usage, p, len, &cksum);
- free(p);
+ ct = _krb5_find_checksum(cksum.cksumtype);
+ if(ct == NULL) {
+ krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("checksum type %d not supported", ""),
+ cksum.cksumtype);
+ return KRB5_PROG_SUMTYPE_NOSUPP;
+ }
+
+ if (arcfour_checksum_p(ct, crypto)) {
+ keyusage = usage;
+ _krb5_usage2arcfour(context, &keyusage);
+ } else
+ keyusage = CHECKSUM_USAGE(usage);
+
+ ret = verify_checksum_iov(context, crypto, keyusage, data, num_data,
+ crypto_flags(crypto), &cksum);
if (ret == 0 && type)
*type = cksum.cksumtype;
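Review bot: `cksum.cksumtype = CHECKSUMTYPE(et->keyed_checksum);` is evaluated unconditionally, while `krb5_create_checksum_iov` in the previous hunk falls back to `et->checksum` when `keyed_checksum` is NULL and the `krb5_crypto_length` hunk below also guards against it; if `CHECKSUMTYPE` dereferences its argument, verifying with an enctype that has no keyed checksum dereferences NULL here. Mirror the create side: `ct = et->keyed_checksum ? et->keyed_checksum : et->checksum;` followed by the same NULL check, then `cksum.cksumtype = ct->type;`, which also makes the later `_krb5_find_checksum` lookup unnecessary.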
@@ -1973,7 +2136,10 @@ krb5_crypto_length(krb5_context context,
*len = 0;
return 0;
case KRB5_CRYPTO_TYPE_TRAILER:
- *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
+ if (crypto->et->keyed_checksum)
+ *len = CHECKSUMSIZE(crypto->et->keyed_checksum);
+ else
+ *len = 0;
return 0;
case KRB5_CRYPTO_TYPE_CHECKSUM:
if (crypto->et->keyed_checksum)
@@ -2159,8 +2325,12 @@ derive_key_rfc3961(krb5_context context,
memcpy(k + i * et->blocksize,
k + (i - 1) * et->blocksize,
et->blocksize);
- (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
- 1, 0, NULL);
+ ret = (*et->encrypt)(context, key, k + i * et->blocksize,
+ et->blocksize, 1, 0, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+ goto out;
+ }
}
} else {
/* this case is probably broken, but won't be run anyway */
@@ -2172,7 +2342,12 @@ derive_key_rfc3961(krb5_context context,
goto out;
}
memcpy(c, constant, len);
- (*et->encrypt)(context, key, c, len, 1, 0, NULL);
+ ret = (*et->encrypt)(context, key, c, len, 1, 0, NULL);
+ if (ret) {
+ free(c);
+ krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+ goto out;
+ }
k = malloc(res_len);
if(res_len != 0 && k == NULL) {
free(c);
@@ -2384,7 +2559,7 @@ krb5_crypto_init(krb5_context context,
ALLOC(*crypto, 1);
if (*crypto == NULL)
return krb5_enomem(context);
- if(etype == (krb5_enctype)ETYPE_NULL)
+ if(etype == ETYPE_NULL)
etype = key->keytype;
(*crypto)->et = _krb5_find_enctype(etype);
if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) {
@@ -2408,6 +2583,7 @@ krb5_crypto_init(krb5_context context,
(*crypto)->key.schedule = NULL;
(*crypto)->num_key_usage = 0;
(*crypto)->key_usage = NULL;
+ (*crypto)->flags = 0;
return 0;
}
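Review bot: `krb5_crypto_init` now explicitly zeroes `(*crypto)->flags` but not the new `mdctx` and `hmacctx` members that `krb5_crypto_destroy` frees when non-NULL; this is only safe if `ALLOC` zero-fills (calloc-style), which cannot be confirmed from this hunk. Either rely on that and drop the redundant `flags = 0`, or initialise all three explicitly: `(*crypto)->mdctx = NULL; (*crypto)->hmacctx = NULL; (*crypto)->flags = 0;`.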
@@ -2461,6 +2637,13 @@ krb5_crypto_destroy(krb5_context context,
free_key_usage(context, &crypto->key_usage[i], crypto->et);
free(crypto->key_usage);
_krb5_free_key_data(context, &crypto->key, crypto->et);
+
+ if (crypto->mdctx)
+ EVP_MD_CTX_destroy(crypto->mdctx);
+
+ if (crypto->hmacctx)
+ HMAC_CTX_free(crypto->hmacctx);
+
free (crypto);
return 0;
}
@@ -2652,6 +2835,26 @@ krb5_is_enctype_weak(krb5_context context, krb5_enctype enctype)
}
/**
+ * Returns whether the encryption type is new or old
+ *
+ * @param context Kerberos 5 context
+ * @param enctype encryption type to probe
+ *
+ * @return Returns true if encryption type is old or is not supported.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_is_enctype_old(krb5_context context, krb5_enctype enctype)
+{
+ struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
+ if (!et || (et->flags & F_OLD))
+ return TRUE;
+ return FALSE;
+}
+
+/**
* Returns whether the encryption type should use randomly generated salts
*
* @param context Kerberos 5 context
@@ -2856,7 +3059,7 @@ krb5_crypto_prf(krb5_context context,
return (*et->prf)(context, crypto, input, output);
}
-static krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_crypto_prfplus(krb5_context context,
const krb5_crypto crypto,
const krb5_data *input,
@@ -2970,7 +3173,13 @@ krb5_crypto_fx_cf2(krb5_context context,
return ret;
}
-
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+_krb5_crypto_set_flags(krb5_context context,
+ krb5_crypto crypto,
+ krb5_flags flags)
+{
+ crypto->flags |= flags;
+}
#ifndef HEIMDAL_SMALLER
diff --git a/lib/krb5/crypto.h b/lib/krb5/crypto.h
index ede0338442ec..d02f841305bd 100644
--- a/lib/krb5/crypto.h
+++ b/lib/krb5/crypto.h
@@ -42,13 +42,6 @@ struct _krb5_key_data {
struct _krb5_key_usage;
-struct krb5_crypto_data {
- struct _krb5_encryption_type *et;
- struct _krb5_key_data key;
- int num_key_usage;
- struct _krb5_key_usage *key_usage;
-};
-
#define CRYPTO_ETYPE(C) ((C)->et->type)
/* bits for `flags' below */
@@ -59,6 +52,7 @@ struct krb5_crypto_data {
#define F_PSEUDO 0x0010 /* not a real protocol type */
#define F_DISABLED 0x0020 /* enctype/checksum disabled */
#define F_WEAK 0x0040 /* enctype is considered weak */
+#define F_OLD 0x0080 /* enctype is old */
#define F_RFC3961_ENC 0x0100 /* RFC3961 simplified profile */
#define F_SPECIAL 0x0200 /* backwards */
@@ -97,14 +91,16 @@ struct _krb5_checksum_type {
size_t checksumsize;
unsigned flags;
krb5_error_code (*checksum)(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *buf, size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov, int niov,
Checksum *csum);
krb5_error_code (*verify)(krb5_context context,
+ krb5_crypto crypto,
struct _krb5_key_data *key,
- const void *buf, size_t len,
unsigned usage,
+ const struct krb5_crypto_iov *iov, int niov,
Checksum *csum);
};
@@ -125,14 +121,20 @@ struct _krb5_encryption_type {
krb5_boolean encryptp,
int usage,
void *ivec);
+ krb5_error_code (*encrypt_iov)(krb5_context context,
+ struct _krb5_key_data *key,
+ krb5_crypto_iov *iov, int niov,
+ krb5_boolean encryptp,
+ int usage,
+ void *ivec);
size_t prf_length;
krb5_error_code (*prf)(krb5_context,
krb5_crypto, const krb5_data *, krb5_data *);
};
-#define ENCRYPTION_USAGE(U) ((int32_t)((((uint32_t)(U)) << 8)) | 0xAA)
-#define INTEGRITY_USAGE(U) ((int32_t)((((uint32_t)(U)) << 8)) | 0x55)
-#define CHECKSUM_USAGE(U) ((int32_t)((((uint32_t)(U)) << 8)) | 0x99)
+#define ENCRYPTION_USAGE(U) (((uint32_t)(U) << 8) | 0xAA)
+#define INTEGRITY_USAGE(U) (((uint32_t)(U) << 8) | 0x55)
+#define CHECKSUM_USAGE(U) (((uint32_t)(U) << 8) | 0x99)
/* Checksums */
@@ -150,7 +152,9 @@ extern struct _krb5_checksum_type _krb5_checksum_hmac_sha256_128_aes128;
extern struct _krb5_checksum_type _krb5_checksum_hmac_sha384_192_aes256;
extern struct _krb5_checksum_type _krb5_checksum_hmac_md5;
extern struct _krb5_checksum_type _krb5_checksum_sha1;
-extern struct _krb5_checksum_type _krb5_checksum_sha2;
+extern struct _krb5_checksum_type _krb5_checksum_sha256;
+extern struct _krb5_checksum_type _krb5_checksum_sha384;
+extern struct _krb5_checksum_type _krb5_checksum_sha512;
extern struct _krb5_checksum_type *_krb5_checksum_types[];
extern int _krb5_num_checksums;
@@ -187,15 +191,41 @@ extern struct _krb5_encryption_type _krb5_enctype_null;
extern struct _krb5_encryption_type *_krb5_etypes[];
extern int _krb5_num_etypes;
+static inline int
+_krb5_crypto_iov_should_sign(const struct krb5_crypto_iov *iov)
+{
+ return (iov->flags == KRB5_CRYPTO_TYPE_DATA
+ || iov->flags == KRB5_CRYPTO_TYPE_SIGN_ONLY
+ || iov->flags == KRB5_CRYPTO_TYPE_HEADER
+ || iov->flags == KRB5_CRYPTO_TYPE_PADDING);
+}
+
/* NO_HCRYPTO_POLLUTION is defined in pkinit-ec.c. See commentary there. */
#ifndef NO_HCRYPTO_POLLUTION
/* Interface to the EVP crypto layer provided by hcrypto */
struct _krb5_evp_schedule {
/*
* Normally we'd say EVP_CIPHER_CTX here, but! this header gets
- * included in lib/krb5/pkinit-ec.ck
+ * included in lib/krb5/pkinit-ec.c
*/
EVP_CIPHER_CTX ectx;
EVP_CIPHER_CTX dctx;
};
+
+struct krb5_crypto_data {
+ struct _krb5_encryption_type *et;
+ struct _krb5_key_data key;
+ EVP_MD_CTX *mdctx;
+ HMAC_CTX *hmacctx;
+ int num_key_usage;
+ struct _krb5_key_usage *key_usage;
+ krb5_flags flags;
+};
+
+/*
+ * Allow generation and verification of unkeyed checksums even when
+ * key material is available.
+ */
+#define KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM 0x01
+
#endif
diff --git a/lib/krb5/data.c b/lib/krb5/data.c
index d49685d94d4f..abfa0531f0ef 100644
--- a/lib/krb5/data.c
+++ b/lib/krb5/data.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
/**
- * Reset the (potentially uninitalized) krb5_data structure.
+ * Reset the (potentially uninitialized) krb5_data structure.
*
* @param p krb5_data to reset.
*
@@ -148,7 +148,7 @@ krb5_data_copy(krb5_data *p, const void *data, size_t len)
if (len) {
if(krb5_data_alloc(p, len))
return ENOMEM;
- memmove(p->data, data, len);
+ memcpy(p->data, data, len);
} else
p->data = NULL;
p->length = len;
@@ -200,9 +200,12 @@ krb5_copy_data(krb5_context context,
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
krb5_data_cmp(const krb5_data *data1, const krb5_data *data2)
{
- if (data1->length != data2->length)
+ size_t len = data1->length < data2->length ? data1->length : data2->length;
+ int cmp = memcmp(data1->data, data2->data, len);
+
+ if (cmp == 0)
return data1->length - data2->length;
- return memcmp(data1->data, data2->data, data1->length);
+ return cmp;
}
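Review bot: `memcmp(data1->data, data2->data, len)` now runs even when `len` is 0, and `krb5_data_copy` in the hunk above stores `data = NULL` for zero-length data, so comparing an empty krb5_data passes a NULL pointer to `memcmp`, which is undefined behaviour even for a zero count (and UBSan reports it). Guard it: `int cmp = len ? memcmp(data1->data, data2->data, len) : 0;`. The unchanged `return data1->length - data2->length;` also narrows a `size_t` difference to `int`; `return (data1->length > data2->length) - (data1->length < data2->length);` is exact and keeps the 0 result for equal lengths.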
/**
diff --git a/lib/krb5/db_plugin.c b/lib/krb5/db_plugin.c
index a46bbc1f0106..e997d3d286cd 100644
--- a/lib/krb5/db_plugin.c
+++ b/lib/krb5/db_plugin.c
@@ -14,12 +14,22 @@ db_plugins_plcallback(krb5_context context, const void *plug, void *plugctx,
return 0;
}
+static const char *const db_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+db_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_DB,
+ KRB5_PLUGIN_DB_VERSION_0,
+ db_plugin_deps,
+ krb5_get_instance
+};
+
static void
db_plugins_init(void *arg)
{
krb5_context context = arg;
- (void)_krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_DB,
- KRB5_PLUGIN_DB_VERSION_0, 0, NULL,
+ (void)_krb5_plugin_run_f(context, &db_plugin_data, 0, NULL,
db_plugins_plcallback);
}
diff --git a/lib/krb5/db_plugin.h b/lib/krb5/db_plugin.h
index 730c06095558..ab676d51a6fa 100644
--- a/lib/krb5/db_plugin.h
+++ b/lib/krb5/db_plugin.h
@@ -33,6 +33,8 @@
#ifndef HEIMDAL_KRB5_DB_PLUGIN_H
#define HEIMDAL_KRB5_DB_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_DB "krb5_db_plug"
#define KRB5_PLUGIN_DB_VERSION_0 0
@@ -59,9 +61,7 @@
* @ingroup krb5_support
*/
typedef struct krb5plugin_db_ftable_desc {
- int minor_version;
- krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
- void (KRB5_LIB_CALL *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
} krb5plugin_db_ftable;
#endif /* HEIMDAL_KRB5_DB_PLUGIN_H */
diff --git a/lib/krb5/dcache.c b/lib/krb5/dcache.c
index c89e157de5a3..77ccda13e72b 100644
--- a/lib/krb5/dcache.c
+++ b/lib/krb5/dcache.c
@@ -37,8 +37,10 @@
typedef struct krb5_dcache{
krb5_ccache fcache;
- char *dir;
char *name;
+ char *dir;
+ char *sub;
+ unsigned int default_candidate:1;
} krb5_dcache;
#define DCACHE(X) ((krb5_dcache*)(X)->data.data)
@@ -46,16 +48,56 @@ typedef struct krb5_dcache{
static krb5_error_code KRB5_CALLCONV dcc_close(krb5_context, krb5_ccache);
static krb5_error_code KRB5_CALLCONV dcc_get_default_name(krb5_context, char **);
+static krb5_error_code KRB5_CALLCONV dcc_set_default(krb5_context, krb5_ccache);
+
+/*
+ * Make subsidiary filesystem safe by mapping / and : to -. If the subsidiary
+ * is longer than 128 bytes, then truncate.
+ * In all cases, "tkt." is prefixed to be compatible with the DIR requirement
+ * that subsidiary ccache files be named tkt*.
+ *
+ * Thus host/foo.bar.baz@BAR.BAZ -> tkt.host-foo.bar.baz@BAR.BAZ.
+ *
+ * In particular, no filesystem component separators will be emitted, and . and
+ * .. will never be traversed.
+ */
+static krb5_error_code
+fs_encode_subsidiary(krb5_context context,
+ krb5_dcache *dc,
+ const char *subsidiary,
+ char **res)
+{
+ size_t len = strlen(subsidiary);
+ size_t i;
+
+ *res = NULL;
+ if (asprintf(res, "tkt.%s", subsidiary) == -1 || *res == NULL)
+ return krb5_enomem(context);
+ for (i = sizeof("tkt.") - 1; i < len; i++) {
+ switch ((*res)[i]) {
+#ifdef WIN32
+ case '\\': (*res)[0] = '-'; break;
+#endif
+ case '/': (*res)[0] = '-'; break;
+ case ':': (*res)[0] = '-'; break;
+ default: break;
+ }
+ }
+ /* Hopefully this will work on all filesystems */
+ if (len > 128 - sizeof("tkt.") - 1)
+ (*res)[127] = '\0';
+ return 0;
+}
static char *
primary_create(krb5_dcache *dc)
{
char *primary = NULL;
-
- asprintf(&primary, "%s/primary", dc->dir);
- if (primary == NULL)
+ int asprintf_ret = asprintf(&primary, "%s/primary", dc->dir);
+ if (asprintf_ret == -1 || primary == NULL) {
return NULL;
+ }
return primary;
}
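Review bot: The separator-mapping loop in fs_encode_subsidiary assigns to `(*res)[0]` instead of `(*res)[i]` in all three `case` arms, so every `/`, `:` (and `\\` on Windows) in the subsidiary is left in place and the leading `t` of `tkt.` is overwritten instead; the comment above the function promising that no filesystem component separators are emitted therefore does not hold. The loop bound is also short: `*res` holds `len + 4` characters but the loop stops at `i < len`, so the last four characters of the subsidiary are never inspected. Suggested: `for (i = sizeof("tkt.") - 1; i < len + sizeof("tkt.") - 1; i++)` with `(*res)[i] = '-';` in each arm. The `dc` parameter is unused in this function as written.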
@@ -63,8 +105,14 @@ primary_create(krb5_dcache *dc)
static int
is_filename_cacheish(const char *name)
{
- return strncmp(name, "tkt", 3) == 0;
-
+ size_t i;
+
+ if (strncmp(name, "tkt", sizeof("tkt") - 1) != 0)
+ return 0;
+ for (i = sizeof("tkt") - 1; name[i]; i++)
+ if (ISPATHSEP(name[i]))
+ return 0;
+ return 1;
}
static krb5_error_code
@@ -75,16 +123,12 @@ set_default_cache(krb5_context context, krb5_dcache *dc, const char *residual)
struct iovec iov[2];
size_t len;
int fd = -1;
+ int asprintf_ret;
- if (!is_filename_cacheish(residual)) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- "name %s is not a cache (doesn't start with tkt)", residual);
- return KRB5_CC_FORMAT;
- }
-
- asprintf(&path, "%s/primary-XXXXXX", dc->dir);
- if (path == NULL)
+ asprintf_ret = asprintf(&path, "%s/primary-XXXXXX", dc->dir);
+ if (asprintf_ret == -1 || path == NULL) {
return krb5_enomem(context);
+ }
fd = mkstemp(path);
if (fd < 0) {
@@ -139,14 +183,18 @@ set_default_cache(krb5_context context, krb5_dcache *dc, const char *residual)
}
static krb5_error_code
-get_default_cache(krb5_context context, krb5_dcache *dc, char **residual)
+get_default_cache(krb5_context context, krb5_dcache *dc,
+ const char *subsidiary, char **residual)
{
krb5_error_code ret;
char buf[MAXPATHLEN];
- char *primary;
+ char *primary = NULL;
FILE *f;
*residual = NULL;
+ if (subsidiary)
+ return fs_encode_subsidiary(context, dc, subsidiary, residual);
+
primary = primary_create(dc);
if (primary == NULL)
return krb5_enomem(context);
@@ -195,12 +243,22 @@ get_default_cache(krb5_context context, krb5_dcache *dc, char **residual)
-static const char* KRB5_CALLCONV
-dcc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+dcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **dir,
+ const char **sub)
{
krb5_dcache *dc = DCACHE(id);
- return dc->name;
+
+ if (name)
+ *name = dc->name;
+ if (dir)
+ *dir = dc->dir;
+ if (sub)
+ *sub = dc->sub;
+ return 0;
}
@@ -209,19 +267,24 @@ verify_directory(krb5_context context, const char *path)
{
struct stat sb;
+ if (!path[0]) {
+ krb5_set_error_message(context, EINVAL,
+ N_("DIR empty directory component", ""));
+ return EINVAL;
+ }
+
+ /* XXX should use mkdirx_np() */
+ if (rk_mkdir(path, S_IRWXU) == 0)
+ return 0;
+
if (stat(path, &sb) != 0) {
if (errno == ENOENT) {
- /* XXX should use mkdirx_np() */
- if (rk_mkdir(path, S_IRWXU) == 0)
- return 0;
-
krb5_set_error_message(context, ENOENT,
N_("DIR directory %s doesn't exists", ""), path);
return ENOENT;
} else {
- int ret = errno;
- krb5_set_error_message(context, ret,
- N_("DIR directory %s is bad: %s", ""), path, strerror(ret));
+ krb5_set_error_message(context, errno,
+ N_("DIR directory %s is bad: %s", ""), path, strerror(errno));
return errno;
}
}
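Review bot: `return errno;` at the end of verify_directory's else-branch reads errno after krb5_set_error_message() and strerror() have run, both of which may modify it, so the code returned to the caller can differ from the one formatted into the message; the removed `int ret = errno;` avoided exactly this. Save it first: `int saved = errno;`, pass `saved` to both krb5_set_error_message and strerror, and `return saved;`. The function body continues past the end of this hunk.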
@@ -239,116 +302,176 @@ dcc_release(krb5_context context, krb5_dcache *dc)
{
if (dc->fcache)
krb5_cc_close(context, dc->fcache);
- if (dc->dir)
- free(dc->dir);
- if (dc->name)
- free(dc->name);
+ free(dc->sub);
+ free(dc->dir);
+ free(dc->name);
memset(dc, 0, sizeof(*dc));
free(dc);
}
-static krb5_error_code KRB5_CALLCONV
-dcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+static krb5_error_code
+get_default_dir(krb5_context context, char **res)
{
- char *filename = NULL;
krb5_error_code ret;
- krb5_dcache *dc;
- const char *p;
-
- p = res;
- do {
- p = strstr(p, "..");
- if (p && (p == res || ISPATHSEP(p[-1])) && (ISPATHSEP(p[2]) || p[2] == '\0')) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Path contains a .. component", ""));
- return KRB5_CC_FORMAT;
- }
- if (p)
- p += 3;
- } while (p);
-
- dc = calloc(1, sizeof(*dc));
- if (dc == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+ char *s;
+
+ if ((ret = dcc_get_default_name(context, &s)))
+ return ret;
+ if (strncmp(s, "DIR:", sizeof("DIR:") - 1) != 0) {
+ *res = s;
+ s = NULL;
+ } else if ((*res = strdup(s + sizeof("DIR:") - 1)) == NULL) {
+ ret = krb5_enomem(context);
}
-
- /* check for explicit component */
- if (res[0] == ':') {
- char *q;
+ free(s);
+ return ret;
+}
- dc->dir = strdup(&res[1]);
-#ifdef _WIN32
- q = strrchr(dc->dir, '\\');
- if (q == NULL)
+static krb5_error_code KRB5_CALLCONV
+dcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
+{
+ krb5_error_code ret;
+ krb5_dcache *dc = NULL;
+ char *filename = NULL;
+ size_t len;
+ int has_pathsep = 0;
+
+ if (sub) {
+ /*
+ * Here `res' has the directory name (or, if NULL, refers to the
+ * default DIR cccol), and `sub' has the "subsidiary" name, to which
+ * we'll prefix "tkt." (though we will insist only on "tkt" later).
+ */
+ if ((dc = calloc(1, sizeof(*dc))) == NULL ||
+ asprintf(&dc->sub, "tkt.%s", sub) == -1 || dc->sub == NULL) {
+ free(dc);
+ return krb5_enomem(context);
+ }
+ if (res && res[0] && (dc->dir = strdup(res)) == NULL) {
+ free(dc->sub);
+ free(dc);
+ return krb5_enomem(context);
+ } else if ((!res || !res[0]) && (ret = get_default_dir(context, &dc->dir))) {
+ free(dc->sub);
+ free(dc);
+ return ret;
+ }
+ } else {
+ const char *p;
+ int is_drive_letter_colon = 0;
+
+ /*
+ * Here `res' has whatever string followed "DIR:", and we need to parse
+ * it into `dc->dir' and `dc->sub'.
+ *
+ * Conventions we support for DIR cache naming:
+ *
+ * - DIR:path:NAME ---> FILE:path/tktNAME
+ * - DIR::path/tktNAME ---> FILE:path/tktNAME
+ * - DIR::NAME ---> FILE:${default_DIR_cccol_path}/tktNAME
+ * \-> FILE:/tmp/krb5cc_${uid}_dir/tktNAME
+ * - DIR:path ---> FILE:path/$(cat primary) or FILE:path/tkt
+ *
+ */
+
+ if (res == NULL || *res == '\0' || (res[0] == ':' && res[1] == '\0')) {
+ /* XXX Why not? */
+ krb5_set_error_message(context, KRB5_CC_FORMAT,
+ N_("\"DIR:\" is not a valid ccache name", ""));
+ return KRB5_CC_FORMAT;
+ }
+
+#ifdef WIN32
+ has_pathsep = strchr(res, '\\') != NULL;
#endif
- q = strrchr(dc->dir, '/');
- if (q) {
- *q++ = '\0';
- } else {
- krb5_set_error_message(context, KRB5_CC_FORMAT, N_("Cache not an absolute path: %s", ""), dc->dir);
- dcc_release(context, dc);
- return KRB5_CC_FORMAT;
- }
+ has_pathsep |= strchr(res, '/') != NULL;
- if (!is_filename_cacheish(q)) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Name %s is not a cache (doesn't start with tkt)", ""), q);
- dcc_release(context, dc);
- return KRB5_CC_FORMAT;
- }
-
- ret = verify_directory(context, dc->dir);
- if (ret) {
- dcc_release(context, dc);
- return ret;
- }
-
- dc->name = strdup(res);
- if (dc->name == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
- }
+ if ((dc = calloc(1, sizeof(*dc))) == NULL)
+ return krb5_enomem(context);
- } else {
- char *residual;
- size_t len;
-
- dc->dir = strdup(res);
- if (dc->dir == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
- }
+ p = strrchr(res, ':');
+#ifdef WIN32
+ is_drive_letter_colon =
+ p && ((res[0] == ':' && res[1] != ':' && p - res == 2) ||
+ (res[0] != ':' && p - res == 1));
+#endif
- len = strlen(dc->dir);
+ if (res[0] != ':' && p && !is_drive_letter_colon) {
+ /* DIR:path:NAME */
+ if ((dc->dir = strndup(res, (p - res))) == NULL ||
+ asprintf(&dc->sub, "tkt.%s", p + 1) < 0 || dc->sub == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+ } else if (res[0] == ':' && has_pathsep) {
+ char *q;
+
+ /* DIR::path/tktNAME (the "tkt" must be there; we'll check) */
+ if ((dc->dir = strdup(&res[1])) == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+#ifdef _WIN32
+ q = strrchr(dc->dir, '\\');
+ if (q == NULL || ((p = strrchr(dc->dir, '/')) && q < p))
+#endif
+ q = strrchr(dc->dir, '/');
+ *q++ = '\0';
+ if ((dc->sub = strdup(q)) == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+ } else if (res[0] == ':') {
+ /* DIR::NAME -- no path component separators in NAME */
+ if ((ret = get_default_dir(context, &dc->dir))) {
+ dcc_release(context, dc);
+ return ret;
+ }
+ if (asprintf(&dc->sub, "tkt.%s", res + 1) < 0 || dc->sub == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+ } else {
+ /* DIR:path */
+ if ((dc->dir = strdup(res)) == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
+ }
+
+ if ((ret = get_default_cache(context, dc, NULL, &dc->sub))) {
+ dcc_release(context, dc);
+ return ret;
+ }
+ }
+ }
- if (ISPATHSEP(dc->dir[len - 1]))
- dc->dir[len - 1] = '\0';
+ /* Strip off extra slashes on the end */
+ for (len = strlen(dc->dir);
+ len && ISPATHSEP(dc->dir[len - 1]);
+ len--)
+ dc->dir[len - 1] = '\0';
- ret = verify_directory(context, dc->dir);
- if (ret) {
- dcc_release(context, dc);
- return ret;
- }
+ /* If we got here then `dc->dir' and `dc->sub' must both be set */
- ret = get_default_cache(context, dc, &residual);
- if (ret) {
- dcc_release(context, dc);
- return ret;
- }
- asprintf(&dc->name, ":%s/%s", dc->dir, residual);
- free(residual);
- if (dc->name == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
- }
+ if ((ret = verify_directory(context, dc->dir))) {
+ dcc_release(context, dc);
+ return ret;
}
-
- asprintf(&filename, "FILE%s", dc->name);
- if (filename == NULL) {
- dcc_release(context, dc);
- return krb5_enomem(context);
+ if (!is_filename_cacheish(dc->sub)) {
+ krb5_set_error_message(context, KRB5_CC_FORMAT,
+ N_("Name %s is not a cache "
+ "(doesn't start with tkt)", ""), dc->sub);
+ dcc_release(context, dc);
+ return KRB5_CC_FORMAT;
+ }
+ if (asprintf(&dc->name, ":%s/%s", dc->dir, dc->sub) == -1 ||
+ dc->name == NULL ||
+ asprintf(&filename, "FILE%s", dc->name) == -1 || filename == NULL) {
+ dcc_release(context, dc);
+ return krb5_enomem(context);
}
ret = krb5_cc_resolve(context, filename, &dc->fcache);
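Review bot: dcc_resolve_2 tests `WIN32` when computing `has_pathsep` and `is_drive_letter_colon` but `_WIN32` in the `DIR::path/tktNAME` branch; if `WIN32` is defined without `_WIN32`, `has_pathsep` can be set by a backslash alone, the `_WIN32` block is skipped, `q = strrchr(dc->dir, '/')` returns NULL and `*q++ = '\0'` dereferences it. Use the same macro in all three places (fs_encode_subsidiary and dcc_get_cache_first in this file use `WIN32`), and since `has_pathsep` is derived from `res` while the search runs on `dc->dir`, guard the split anyway: `if (q == NULL) { dcc_release(context, dc); return KRB5_CC_FORMAT; }`. The `sub != NULL` path builds `dc->sub` with a bare `asprintf("tkt.%s")` rather than fs_encode_subsidiary, so it relies entirely on the later is_filename_cacheish() check to reject separators — a one-line comment saying so would help the next reader. dcc_resolve_2 continues past the end of this hunk.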
@@ -358,85 +481,36 @@ dcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
return ret;
}
-
+ dc->default_candidate = 1;
(*id)->data.data = dc;
(*id)->data.length = sizeof(*dc);
return 0;
}
-static char *
-copy_default_dcc_cache(krb5_context context)
-{
- const char *defname;
- krb5_error_code ret;
- char *name = NULL;
- size_t len;
-
- len = strlen(krb5_dcc_ops.prefix);
-
- defname = krb5_cc_default_name(context);
- if (defname == NULL ||
- strncmp(defname, krb5_dcc_ops.prefix, len) != 0 ||
- defname[len] != ':')
- {
- ret = dcc_get_default_name(context, &name);
- if (ret)
- return NULL;
-
- return name;
- } else {
- return strdup(&defname[len + 1]);
- }
-}
-
-
static krb5_error_code KRB5_CALLCONV
dcc_gen_new(krb5_context context, krb5_ccache *id)
{
krb5_error_code ret;
+ char *def_dir = NULL;
char *name = NULL;
- krb5_dcache *dc;
- int fd;
- size_t len;
-
- name = copy_default_dcc_cache(context);
- if (name == NULL) {
- krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Can't generate DIR caches unless its the default type", ""));
- return KRB5_CC_FORMAT;
- }
+ int fd = -1;
- len = strlen(krb5_dcc_ops.prefix);
- if (strncmp(name, krb5_dcc_ops.prefix, len) == 0 && name[len] == ':')
- ++len;
- else
- len = 0;
+ ret = get_default_dir(context, &def_dir);
+ if (ret == 0)
+ ret = verify_directory(context, def_dir);
+ if (ret == 0 &&
+ (asprintf(&name, "DIR::%s/tktXXXXXX", def_dir) == -1 || name == NULL))
+ ret = krb5_enomem(context);
+ if (ret == 0 && (fd = mkstemp(name + sizeof("DIR::") - 1)) == -1)
+ ret = errno;
+ if (ret == 0)
+ ret = dcc_resolve_2(context, id, name + sizeof("DIR:") - 1, NULL);
- ret = dcc_resolve(context, id, name + len);
+ free(def_dir);
free(name);
- name = NULL;
- if (ret)
- return ret;
-
- dc = DCACHE((*id));
-
- asprintf(&name, ":%s/tktXXXXXX", dc->dir);
- if (name == NULL) {
- dcc_close(context, *id);
- return krb5_enomem(context);
- }
-
- fd = mkstemp(&name[1]);
- if (fd < 0) {
- dcc_close(context, *id);
- return krb5_enomem(context);
- }
- close(fd);
-
- free(dc->name);
- dc->name = name;
-
- return 0;
+ if (fd != -1)
+ close(fd);
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
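Review bot: In dcc_gen_new, when dcc_resolve_2() fails after mkstemp() has already created `tktXXXXXX`, the empty file is left behind in the collection directory, where dcc_get_cache_next (later in this file) will list it as a cache since it only checks the `tkt` prefix and S_ISREG; add `if (ret && fd != -1) unlink(name + sizeof("DIR::") - 1);` before `free(name)`. The `ret = errno;` path for a failed mkstemp also returns without setting any error message, so callers see a bare errno with no explanation; a `krb5_set_error_message(context, ret, ...)` naming `def_dir` would match the rest of this file.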
@@ -452,6 +526,25 @@ static krb5_error_code KRB5_CALLCONV
dcc_close(krb5_context context,
krb5_ccache id)
{
+ krb5_dcache *dc = DCACHE(id);
+ krb5_principal p = NULL;
+ struct stat st;
+ char *primary = NULL;
+
+ /*
+ * If there's no default cache, but we're closing one, and the one we're
+ * closing has been initialized, then make it the default. This makes the
+ * first cache created the default.
+ *
+ * FIXME We should check if `D2FCACHE(dc)' has live credentials.
+ */
+ if (dc->default_candidate && D2FCACHE(dc) &&
+ krb5_cc_get_principal(context, D2FCACHE(dc), &p) == 0 &&
+ (primary = primary_create(dc)) &&
+ (stat(primary, &st) == -1 || !S_ISREG(st.st_mode) || st.st_size == 0))
+ dcc_set_default(context, id);
+ krb5_free_principal(context, p);
+ free(primary);
dcc_release(context, DCACHE(id));
return 0;
}
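Review bot: The new auto-default probe in dcc_close calls krb5_cc_get_principal() on the underlying FILE cache, and when that fails (an uninitialised cache being closed, which is common on a caller's error path) it presumably leaves an error message in `context`, overwriting the one the caller was about to read. Consider saving and restoring the context error state around the probe, or at least documenting that dcc_close may replace the pending error message. The return value of dcc_set_default() is also dropped silently; if best-effort is intended, write `(void) dcc_set_default(context, id);` with a comment, otherwise report it through `_krb5_debug()`.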
@@ -540,39 +633,61 @@ dcc_get_version(krb5_context context,
}
struct dcache_iter {
- int first;
+ char *primary;
krb5_dcache *dc;
+ DIR *d;
+ unsigned int first:1;
};
static krb5_error_code KRB5_CALLCONV
dcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
- struct dcache_iter *iter;
- krb5_error_code ret;
- char *name;
+ struct dcache_iter *iter = NULL;
+ const char *name = krb5_cc_default_name(context);
+ size_t len;
+ char *p;
*cursor = NULL;
- iter = calloc(1, sizeof(*iter));
- if (iter == NULL)
- return krb5_enomem(context);
- iter->first = 1;
- name = copy_default_dcc_cache(context);
- if (name == NULL) {
- free(iter);
+ if (strncmp(name, "DIR:", sizeof("DIR:") - 1) != 0) {
krb5_set_error_message(context, KRB5_CC_FORMAT,
- N_("Can't generate DIR caches unless its the default type", ""));
+ N_("Can't list DIR caches unless its the default type", ""));
return KRB5_CC_FORMAT;
}
- ret = dcc_resolve(context, NULL, name);
- free(name);
- if (ret) {
+ if ((iter = calloc(1, sizeof(*iter))) == NULL ||
+ (iter->dc = calloc(1, sizeof(iter->dc[0]))) == NULL ||
+ (iter->dc->dir = strdup(name + sizeof("DIR:") - 1)) == NULL) {
+ if (iter)
+ free(iter->dc);
free(iter);
- return ret;
+ return krb5_enomem(context);
+ }
+ iter->first = 1;
+ p = strrchr(iter->dc->dir, ':');
+#ifdef WIN32
+ if (p == iter->dc->dir + 1)
+ p = NULL;
+#endif
+ if (p)
+ *p = '\0';
+
+ /* Strip off extra slashes on the end */
+ for (len = strlen(iter->dc->dir);
+ len && ISPATHSEP(iter->dc->dir[len - 1]);
+ len--) {
+ iter->dc->dir[len - 1] = '\0';
}
- /* XXX We need to opendir() here */
+ if ((iter->d = opendir(iter->dc->dir)) == NULL) {
+ krb5_set_error_message(context, KRB5_CC_FORMAT,
+ N_("Can't open DIR %s: %s", ""),
+ iter->dc->dir, strerror(errno));
+ free(iter->dc->dir);
+ free(iter->dc);
+ free(iter);
+ return KRB5_CC_FORMAT;
+ }
*cursor = iter;
return 0;
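Review bot: dcc_get_cache_first passes the result of krb5_cc_default_name() straight to strncmp() with no NULL check; the removed copy_default_dcc_cache() explicitly handled `defname == NULL`, so this is a regression that dereferences NULL when no default name can be determined. Change the test to `if (name == NULL || strncmp(name, "DIR:", sizeof("DIR:") - 1) != 0)`. Separately, `p = strrchr(iter->dc->dir, ':'); ... *p = '\0';` appears to reduce a default of the `DIR::path/tktNAME` form (listed in dcc_resolve_2's naming comment) to an empty directory string, because the colon sits at offset 0 — confirm whether that form is expected to reach this function, or whether the path should instead be cut at its last separator.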
@@ -582,18 +697,49 @@ static krb5_error_code KRB5_CALLCONV
dcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
{
struct dcache_iter *iter = cursor;
+ krb5_error_code ret;
+ struct stat st;
+ struct dirent *dentry;
+ char *p = NULL;
+ *id = NULL;
if (iter == NULL)
return krb5_einval(context, 2);
- if (!iter->first) {
- krb5_clear_error_message(context);
- return KRB5_CC_END;
+ /* Emit primary subsidiary first */
+ if (iter->first &&
+ get_default_cache(context, iter->dc, NULL, &iter->primary) == 0 &&
+ iter->primary && is_filename_cacheish(iter->primary)) {
+ iter->first = 0;
+ ret = KRB5_CC_END;
+ if (asprintf(&p, "FILE:%s/%s", iter->dc->dir, iter->primary) > -1 && p != NULL &&
+ stat(p + sizeof("FILE:") - 1, &st) == 0 && S_ISREG(st.st_mode))
+ ret = krb5_cc_resolve(context, p, id);
+ if (p == NULL)
+ return krb5_enomem(context);
+ free(p);
+ if (ret == 0)
+ return ret;
+ p = NULL;
}
- /* XXX We need to readdir() here */
iter->first = 0;
-
+ for (dentry = readdir(iter->d); dentry; dentry = readdir(iter->d)) {
+ if (!is_filename_cacheish(dentry->d_name) ||
+ (iter->primary && strcmp(dentry->d_name, iter->primary) == 0))
+ continue;
+ p = NULL;
+ ret = KRB5_CC_END;
+ if (asprintf(&p, "FILE:%s/%s", iter->dc->dir, dentry->d_name) > -1 &&
+ p != NULL &&
+ stat(p + sizeof("FILE:") - 1, &st) == 0 && S_ISREG(st.st_mode))
+ ret = krb5_cc_resolve(context, p, id);
+ free(p);
+ if (p == NULL)
+ return krb5_enomem(context);
+ if (ret == 0)
+ return ret;
+ }
return KRB5_CC_END;
}
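Review bot: In dcc_get_cache_next's readdir loop `free(p);` is executed before `if (p == NULL)`, while the primary-subsidiary block above tests `p == NULL` before freeing; reading a pointer value after it has been passed to free() is indeterminate in C11 even without a dereference, and the two blocks should use the same order. Swap the two statements in the loop: `if (p == NULL) return krb5_enomem(context); free(p);`. Both blocks also rely on asprintf() leaving `p` NULL after a failure, which the glibc documentation leaves undefined; a short comment stating that assumption (or checking the return value alone) would make the intent clear.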
@@ -605,9 +751,10 @@ dcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
if (iter == NULL)
return krb5_einval(context, 2);
- /* XXX We need to closedir() here */
- if (iter->dc)
- dcc_release(context, iter->dc);
+ (void) closedir(iter->d);
+ free(iter->dc->dir);
+ free(iter->dc);
+ free(iter->primary);
free(iter);
return 0;
}
@@ -617,28 +764,34 @@ dcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_dcache *dcfrom = DCACHE(from);
krb5_dcache *dcto = DCACHE(to);
+
+ dcfrom->default_candidate = 0;
+ dcto->default_candidate = 1;
return krb5_cc_move(context, D2FCACHE(dcfrom), D2FCACHE(dcto));
}
static krb5_error_code KRB5_CALLCONV
dcc_get_default_name(krb5_context context, char **str)
{
- return _krb5_expand_default_cc_name(context,
- KRB5_DEFAULT_CCNAME_DIR,
- str);
+ const char *def_cc_colname =
+ krb5_config_get_string_default(context, NULL, KRB5_DEFAULT_CCNAME_DIR,
+ "libdefaults", "default_cc_collection",
+ NULL);
+
+ /* [libdefaults] default_cc_collection is for testing */
+ if (strncmp(def_cc_colname, "DIR:", sizeof("DIR:") - 1) != 0)
+ def_cc_colname = KRB5_DEFAULT_CCNAME_DIR;
+ return _krb5_expand_default_cc_name(context, def_cc_colname, str);
}
static krb5_error_code KRB5_CALLCONV
dcc_set_default(krb5_context context, krb5_ccache id)
{
krb5_dcache *dc = DCACHE(id);
- const char *name;
- name = krb5_cc_get_name(context, D2FCACHE(dc));
- if (name == NULL)
+ if (dc->sub == NULL)
return ENOENT;
-
- return set_default_cache(context, dc, name);
+ return set_default_cache(context, dc, dc->sub);
}
static krb5_error_code KRB5_CALLCONV
@@ -670,10 +823,10 @@ dcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_dcc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"DIR",
- dcc_get_name,
- dcc_resolve,
+ NULL,
+ NULL,
dcc_gen_new,
dcc_initialize,
dcc_destroy,
@@ -695,5 +848,7 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_dcc_ops = {
dcc_set_default,
dcc_lastchange,
dcc_set_kdc_offset,
- dcc_get_kdc_offset
+ dcc_get_kdc_offset,
+ dcc_get_name_2,
+ dcc_resolve_2
};
diff --git a/lib/krb5/deprecated.c b/lib/krb5/deprecated.c
index 0871aaf71db3..172f089175cc 100644
--- a/lib/krb5/deprecated.c
+++ b/lib/krb5/deprecated.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2009 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2009 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -57,7 +57,7 @@
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_data_contents(krb5_context context, krb5_data *data)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_data_free instead")
{
krb5_data_free(data);
}
@@ -120,7 +120,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_string(krb5_context context,
krb5_keytype keytype,
char **string)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_enctype_to_string instead")
{
const char *name = NULL;
int i;
@@ -154,7 +154,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_keytype(krb5_context context,
const char *string,
krb5_keytype *keytype)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_string_to_enctype instead")
{
char *end;
int i;
@@ -386,7 +386,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_gen_new(krb5_context context,
const krb5_cc_ops *ops,
krb5_ccache *id)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_cc_new_unique instead")
{
return krb5_cc_new_unique(context, ops->prefix, NULL, id);
}
@@ -400,7 +400,7 @@ krb5_cc_gen_new(krb5_context context,
KRB5_LIB_FUNCTION krb5_realm * KRB5_LIB_CALL
krb5_princ_realm(krb5_context context,
krb5_principal principal)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_principal_get_realm instead")
{
return &principal->realm;
}
@@ -416,7 +416,7 @@ KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_princ_set_realm(krb5_context context,
krb5_principal principal,
krb5_realm *realm)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_principal_set_realm instead")
{
principal->realm = *realm;
}
@@ -430,7 +430,7 @@ krb5_princ_set_realm(krb5_context context,
/* keep this for compatibility with older code */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_creds_contents (krb5_context context, krb5_creds *c)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_free_cred_contents instead")
{
return krb5_free_cred_contents (context, c);
}
@@ -448,7 +448,7 @@ krb5_free_creds_contents (krb5_context context, krb5_creds *c)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error_string(krb5_context context, char *str)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_free_error_message instead")
{
krb5_free_error_message(context, str);
}
@@ -456,7 +456,7 @@ krb5_free_error_string(krb5_context context, char *str)
/**
* Set the error message returned by krb5_get_error_string().
*
- * Deprecated: use krb5_get_error_message()
+ * Deprecated: use krb5_set_error_message()
*
* @param context Kerberos context
* @param fmt error message to free
@@ -469,7 +469,7 @@ krb5_free_error_string(krb5_context context, char *str)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_error_string(krb5_context context, const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 2, 3)))
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_set_error_message instead")
{
va_list ap;
@@ -480,8 +480,7 @@ krb5_set_error_string(krb5_context context, const char *fmt, ...)
}
/**
- * Set the error message returned by krb5_get_error_string(),
- * deprecated, use krb5_set_error_message().
+ * Set the error message returned by krb5_get_error_string().
*
* Deprecated: use krb5_vset_error_message()
*
@@ -497,7 +496,7 @@ krb5_set_error_string(krb5_context context, const char *fmt, ...)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
__attribute__ ((__format__ (__printf__, 2, 0)))
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_vset_error_message instead")
{
krb5_vset_error_message(context, 0, fmt, args);
return 0;
@@ -515,7 +514,7 @@ krb5_vset_error_string(krb5_context context, const char *fmt, va_list args)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_clear_error_string(krb5_context context)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_clear_error_message instead")
{
krb5_clear_error_message(context);
}
@@ -533,11 +532,11 @@ krb5_get_cred_from_kdc_opt(krb5_context context,
krb5_creds **out_creds,
krb5_creds ***ret_tgts,
krb5_flags flags)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_get_credentials_with_flags instead")
{
krb5_kdc_flags f;
f.i = flags;
- return _krb5_get_cred_kdc_any(context, f, ccache,
+ return _krb5_get_cred_kdc_any(context, f, ccache, NULL,
in_creds, NULL, NULL,
out_creds, ret_tgts);
}
@@ -554,7 +553,7 @@ krb5_get_cred_from_kdc(krb5_context context,
krb5_creds *in_creds,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_get_credentials_with_flags instead")
{
return krb5_get_cred_from_kdc_opt(context, ccache,
in_creds, out_creds, ret_tgts, 0);
@@ -568,7 +567,7 @@ krb5_get_cred_from_kdc(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_unparsed_name(krb5_context context, char *str)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_xfree instead")
{
krb5_xfree(str);
}
@@ -583,7 +582,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_generate_subkey(krb5_context context,
const krb5_keyblock *key,
krb5_keyblock **subkey)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_generate_subkey_extended instead")
{
return krb5_generate_subkey_extended(context, key, ETYPE_NULL, subkey);
}
@@ -598,7 +597,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_getremoteseqnumber(krb5_context context,
krb5_auth_context auth_context,
int32_t *seqnumber)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_auth_con_getremoteseqnumber instead")
{
*seqnumber = auth_context->remote_seqnumber;
return 0;
@@ -616,28 +615,18 @@ krb5_auth_getremoteseqnumber(krb5_context context,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_get_error_string(krb5_context context)
KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")
{
- char *ret = NULL;
-
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string)
- ret = strdup(context->error_string);
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return ret;
+ return heim_get_error_string(context->hcontext);
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_have_error_string(krb5_context context)
KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")
{
- char *str;
- HEIMDAL_MUTEX_lock(&context->mutex);
- str = context->error_string;
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return str != NULL;
+ return heim_have_error_string(context->hcontext);
}
struct send_to_kdc {
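Review bot: krb5_get_error_string's return type changes from `char *` to `const char *` and its body from `strdup(context->error_string)` to `heim_get_error_string(context->hcontext)`, which changes the ownership contract of a public, if deprecated, symbol: callers that free() the result today will double-free if the new function returns an internal pointer, and callers written against the new signature will leak if it still returns a copy. State the ownership explicitly in the function's doxygen comment (which begins above this hunk), e.g. `@return the current error string; owned by the context, do not free` or its opposite, and keep the old return type if the string is still a caller-owned copy.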
diff --git a/lib/krb5/doxygen.c b/lib/krb5/doxygen.c
index d3ee52fe9bcc..e9266c919400 100644
--- a/lib/krb5/doxygen.c
+++ b/lib/krb5/doxygen.c
@@ -572,7 +572,7 @@
* Fields and their types are:
*
* @code
- * Quoted princial (quote character is \) [string]
+ * Quoted principal (quote character is \) [string]
* Keys [keys]
* Created by [event]
* Modified by [event optional]
diff --git a/lib/krb5/enomem.c b/lib/krb5/enomem.c
index 7f0aaeb35f83..b4444e5a2cdc 100644
--- a/lib/krb5/enomem.c
+++ b/lib/krb5/enomem.c
@@ -34,7 +34,7 @@
#include "krb5_locl.h"
#undef krb5_enomem
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enomem(krb5_context context)
{
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
diff --git a/lib/krb5/error_string.c b/lib/krb5/error_string.c
index fa181733d1e9..da86b375f83c 100644
--- a/lib/krb5/error_string.c
+++ b/lib/krb5/error_string.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2001, 2003, 2005 - 2020 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -47,12 +47,7 @@
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_clear_error_message(krb5_context context)
{
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string)
- free(context->error_string);
- context->error_code = 0;
- context->error_string = NULL;
- HEIMDAL_MUTEX_unlock(&context->mutex);
+ heim_clear_error_message(context->hcontext);
}
/**
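Review bot: krb5_clear_error_message dereferences `context->hcontext` unconditionally, while krb5_vset_error_message and krb5_vprepend_error_message in the later hunks of this file guard with `if (context == NULL) return;` / `if (context)`; a NULL context is just as plausible here on early error paths. Make it `if (context) heim_clear_error_message(context->hcontext);` for consistency.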
@@ -96,27 +91,21 @@ krb5_set_error_message(krb5_context context, krb5_error_code ret,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_vset_error_message (krb5_context context, krb5_error_code ret,
- const char *fmt, va_list args)
+krb5_vset_error_message(krb5_context context, krb5_error_code ret,
+ const char *fmt, va_list args)
__attribute__ ((__format__ (__printf__, 3, 0)))
{
- int r;
+ const char *msg;
if (context == NULL)
return;
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string) {
- free(context->error_string);
- context->error_string = NULL;
+ heim_vset_error_message(context->hcontext, ret, fmt, args);
+ msg = heim_get_error_message(context->hcontext, ret);
+ if (msg) {
+ _krb5_debug(context, 100, "error message: %s: %d", msg, ret);
+ heim_free_error_message(context->hcontext, msg);
}
- context->error_code = ret;
- r = vasprintf(&context->error_string, fmt, args);
- if (r < 0)
- context->error_string = NULL;
- HEIMDAL_MUTEX_unlock(&context->mutex);
- if (context->error_string)
- _krb5_debug(context, 100, "error message: %s: %d", context->error_string, ret);
}
/**
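Review bot: krb5_vset_error_message now calls heim_get_error_message() and heim_free_error_message() on every error set solely to feed a level-100 `_krb5_debug` line, which likely costs an allocation and a formatting pass per error even when debugging is off (the old code logged `context->error_string` directly without copying). If this tree has a cheap level test such as `_krb5_have_debug(context, 100)`, wrap the three debug lines in it; otherwise a comment noting the deliberate cost is warranted.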
@@ -163,33 +152,8 @@ krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
const char *fmt, va_list args)
__attribute__ ((__format__ (__printf__, 3, 0)))
{
- char *str = NULL, *str2 = NULL;
-
- if (context == NULL)
- return;
-
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_code != ret) {
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return;
- }
- if (vasprintf(&str, fmt, args) < 0 || str == NULL) {
- HEIMDAL_MUTEX_unlock(&context->mutex);
- return;
- }
- if (context->error_string) {
- int e;
-
- e = asprintf(&str2, "%s: %s", str, context->error_string);
- free(context->error_string);
- if (e < 0 || str2 == NULL)
- context->error_string = NULL;
- else
- context->error_string = str2;
- free(str);
- } else
- context->error_string = str;
- HEIMDAL_MUTEX_unlock(&context->mutex);
+ if (context)
+ heim_vprepend_error_message(context->hcontext, ret, fmt, args);
}
/**
@@ -208,10 +172,7 @@ krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
krb5_get_error_message(krb5_context context, krb5_error_code code)
{
- char *str = NULL;
const char *cstr = NULL;
- char buf[128];
- int free_context = 0;
if (code == 0)
return strdup("Success");
@@ -224,42 +185,15 @@ krb5_get_error_message(krb5_context context, krb5_error_code code)
* might be provided is if the krb5_init_context() call itself
* failed.
*/
- if (context)
- {
- HEIMDAL_MUTEX_lock(&context->mutex);
- if (context->error_string &&
- (code == context->error_code || context->error_code == 0))
- {
- str = strdup(context->error_string);
- }
- HEIMDAL_MUTEX_unlock(&context->mutex);
-
- if (str)
- return str;
- }
- else
- {
- if (krb5_init_context(&context) == 0)
- free_context = 1;
- }
-
- if (context)
- cstr = com_right_r(context->et_list, code, buf, sizeof(buf));
-
- if (free_context)
+ if (context == NULL && krb5_init_context(&context) == 0) {
+ cstr = heim_get_error_message(context->hcontext, code);
krb5_free_context(context);
-
- if (cstr)
- return strdup(cstr);
-
- cstr = error_message(code);
- if (cstr)
- return strdup(cstr);
-
- if (asprintf(&str, "<unknown error: %d>", (int)code) == -1 || str == NULL)
- return NULL;
-
- return str;
+ } else if (context) {
+ cstr = heim_get_error_message(context->hcontext, code);
+ } else {
+ cstr = heim_get_error_message(NULL, code);
+ }
+ return cstr;
}
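Review bot: In the `context == NULL` arm, `cstr` is obtained from `context->hcontext` and then `krb5_free_context(context)` runs before `cstr` is returned, so the result is only valid if heim_get_error_message() hands back a fresh allocation rather than a pointer into the context's error state; that ownership is not visible in this hunk and deserves a comment at the call, e.g. `/* heim_get_error_message() returns a copy owned by the caller; it outlives krb5_free_context() */`, once confirmed. The removed code also guaranteed a non-NULL result for unknown codes via `error_message(code)` and the `"<unknown error: %d>"` fallback; with a NULL hcontext in the final `else` arm, whether heim_get_error_message() still synthesises a string decides if callers that never checked for NULL now dereference one. If it can return NULL, a local fallback along the lines of the removed asprintf should be restored here.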
@@ -276,7 +210,7 @@ krb5_get_error_message(krb5_context context, krb5_error_code code)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_error_message(krb5_context context, const char *msg)
{
- free(rk_UNCONST(msg));
+ heim_free_error_message(context ? context->hcontext : NULL, msg);
}
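Review bot: krb5_free_error_message() now releases through heim_free_error_message(), but krb5_get_error_message() still returns `strdup("Success")` for `code == 0` (context line `return strdup("Success");` in the hunk above), so that string is released by heim_free_error_message() and the pairing only holds if that function ends in plain free() for the given pointer. If heim error strings are not malloc()-ed C strings, the code-0 path should return whatever heim_get_error_message() returns for 0 instead of a strdup(). A one-line comment at the strdup() noting the required compatibility would make the dependency visible to the next maintainer.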
@@ -298,13 +232,5 @@ KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_get_err_text(krb5_context context, krb5_error_code code)
KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead")
{
- const char *p = NULL;
- if(context != NULL)
- p = com_right(context->et_list, code);
- if(p == NULL)
- p = strerror(code);
- if (p == NULL)
- p = "Unknown error";
- return p;
+ return krb5_get_error_message(context, code);
}
-
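Review bot: The deprecated krb5_get_err_text() used to return a pointer the caller did not own (com_right() table text, strerror(), or the `"Unknown error"` literal), while the new body returns the result of krb5_get_error_message(), which allocates (`strdup("Success")` for code 0 and a heim-owned message otherwise), so every existing caller of this API now leaks one string per call. The old code also never returned NULL, whereas krb5_get_error_message() can, so callers that print the result unchecked may now crash. Either restore a non-allocating fallback, or at minimum state in the `KRB5_DEPRECATED_FUNCTION` doc comment above this hunk that the returned string must now be released with krb5_free_error_message().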
diff --git a/lib/krb5/expand_path.c b/lib/krb5/expand_path.c
index 43b8dfeb3a91..a0402350d0f3 100644
--- a/lib/krb5/expand_path.c
+++ b/lib/krb5/expand_path.c
@@ -34,381 +34,6 @@
#include <stdarg.h>
-typedef int PTYPE;
-
-#ifdef _WIN32
-#include <shlobj.h>
-#include <sddl.h>
-
-/*
- * Expand a %{TEMP} token
- *
- * The %{TEMP} token expands to the temporary path for the current
- * user as returned by GetTempPath().
- *
- * @note: Since the GetTempPath() function relies on the TMP or TEMP
- * environment variables, this function will failover to the system
- * temporary directory until the user profile is loaded. In addition,
- * the returned path may or may not exist.
- */
-static krb5_error_code
-_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- TCHAR tpath[MAX_PATH];
- size_t len;
-
- if (!GetTempPath(sizeof(tpath)/sizeof(tpath[0]), tpath)) {
- if (context)
- krb5_set_error_message(context, EINVAL,
- "Failed to get temporary path (GLE=%d)",
- GetLastError());
- return EINVAL;
- }
-
- len = strlen(tpath);
-
- if (len > 0 && tpath[len - 1] == '\\')
- tpath[len - 1] = '\0';
-
- *ret = strdup(tpath);
-
- if (*ret == NULL)
- return krb5_enomem(context);
-
- return 0;
-}
-
-extern HINSTANCE _krb5_hInstance;
-
-/*
- * Expand a %{BINDIR} token
- *
- * This is also used to expand a few other tokens on Windows, since
- * most of the executable binaries end up in the same directory. The
- * "bin" directory is considered to be the directory in which the
- * krb5.dll is located.
- */
-static krb5_error_code
-_expand_bin_dir(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- TCHAR path[MAX_PATH];
- TCHAR *lastSlash;
- DWORD nc;
-
- nc = GetModuleFileName(_krb5_hInstance, path, sizeof(path)/sizeof(path[0]));
- if (nc == 0 ||
- nc == sizeof(path)/sizeof(path[0])) {
- return EINVAL;
- }
-
- lastSlash = strrchr(path, '\\');
- if (lastSlash != NULL) {
- TCHAR *fslash = strrchr(lastSlash, '/');
-
- if (fslash != NULL)
- lastSlash = fslash;
-
- *lastSlash = '\0';
- }
-
- if (postfix) {
- if (strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0]))
- return EINVAL;
- }
-
- *ret = strdup(path);
- if (*ret == NULL)
- return krb5_enomem(context);
-
- return 0;
-}
-
-/*
- * Expand a %{USERID} token
- *
- * The %{USERID} token expands to the string representation of the
- * user's SID. The user account that will be used is the account
- * corresponding to the current thread's security token. This means
- * that:
- *
- * - If the current thread token has the anonymous impersonation
- * level, the call will fail.
- *
- * - If the current thread is impersonating a token at
- * SecurityIdentification level the call will fail.
- *
- */
-static krb5_error_code
-_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- int rv = EINVAL;
- HANDLE hThread = NULL;
- HANDLE hToken = NULL;
- PTOKEN_OWNER pOwner = NULL;
- DWORD len = 0;
- LPTSTR strSid = NULL;
-
- hThread = GetCurrentThread();
-
- if (!OpenThreadToken(hThread, TOKEN_QUERY,
- FALSE, /* Open the thread token as the
- current thread user. */
- &hToken)) {
-
- DWORD le = GetLastError();
-
- if (le == ERROR_NO_TOKEN) {
- HANDLE hProcess = GetCurrentProcess();
-
- le = 0;
- if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
- le = GetLastError();
- }
-
- if (le != 0) {
- if (context)
- krb5_set_error_message(context, rv,
- "Can't open thread token (GLE=%d)", le);
- goto _exit;
- }
- }
-
- if (!GetTokenInformation(hToken, TokenOwner, NULL, 0, &len)) {
- if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
- if (context)
- krb5_set_error_message(context, rv,
- "Unexpected error reading token information (GLE=%d)",
- GetLastError());
- goto _exit;
- }
-
- if (len == 0) {
- if (context)
- krb5_set_error_message(context, rv,
- "GetTokenInformation() returned truncated buffer");
- goto _exit;
- }
-
- pOwner = malloc(len);
- if (pOwner == NULL) {
- if (context)
- krb5_set_error_message(context, rv, "Out of memory");
- goto _exit;
- }
- } else {
- if (context)
- krb5_set_error_message(context, rv, "GetTokenInformation() returned truncated buffer");
- goto _exit;
- }
-
- if (!GetTokenInformation(hToken, TokenOwner, pOwner, len, &len)) {
- if (context)
- krb5_set_error_message(context, rv, "GetTokenInformation() failed. GLE=%d", GetLastError());
- goto _exit;
- }
-
- if (!ConvertSidToStringSid(pOwner->Owner, &strSid)) {
- if (context)
- krb5_set_error_message(context, rv, "Can't convert SID to string. GLE=%d", GetLastError());
- goto _exit;
- }
-
- *ret = strdup(strSid);
- if (*ret == NULL && context)
- krb5_set_error_message(context, rv, "Out of memory");
-
- rv = 0;
-
- _exit:
- if (hToken != NULL)
- CloseHandle(hToken);
-
- if (pOwner != NULL)
- free (pOwner);
-
- if (strSid != NULL)
- LocalFree(strSid);
-
- return rv;
-}
-
-/*
- * Expand a folder identified by a CSIDL
- */
-
-static krb5_error_code
-_expand_csidl(krb5_context context, PTYPE folder, const char *postfix, char **ret)
-{
- TCHAR path[MAX_PATH];
- size_t len;
-
- if (SHGetFolderPath(NULL, folder, NULL, SHGFP_TYPE_CURRENT, path) != S_OK) {
- if (context)
- krb5_set_error_message(context, EINVAL, "Unable to determine folder path");
- return EINVAL;
- }
-
- len = strlen(path);
-
- if (len > 0 && path[len - 1] == '\\')
- path[len - 1] = '\0';
-
- if (postfix &&
- strlcat(path, postfix, sizeof(path)/sizeof(path[0])) >= sizeof(path)/sizeof(path[0]))
- return krb5_enomem(context);
-
- *ret = strdup(path);
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-#else
-
-static krb5_error_code
-_expand_path(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- *ret = strdup(postfix);
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-static krb5_error_code
-_expand_temp_folder(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- const char *p = NULL;
-
- if (!issuid())
- p = getenv("TEMP");
-
- if (p)
- *ret = strdup(p);
- else
- *ret = strdup("/tmp");
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-static krb5_error_code
-_expand_userid(krb5_context context, PTYPE param, const char *postfix, char **str)
-{
- int ret = asprintf(str, "%ld", (unsigned long)getuid());
- if (ret < 0 || *str == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-
-#endif /* _WIN32 */
-
-/**
- * Expand an extra token
- */
-
-static krb5_error_code
-_expand_extra_token(krb5_context context, const char *value, char **ret)
-{
- *ret = strdup(value);
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-/**
- * Expand a %{null} token
- *
- * The expansion of a %{null} token is always the empty string.
- */
-
-static krb5_error_code
-_expand_null(krb5_context context, PTYPE param, const char *postfix, char **ret)
-{
- *ret = strdup("");
- if (*ret == NULL)
- return krb5_enomem(context);
- return 0;
-}
-
-
-static const struct {
- const char * tok;
- int ftype;
-#define FTYPE_CSIDL 0
-#define FTYPE_SPECIAL 1
-
- PTYPE param;
- const char * postfix;
-
- int (*exp_func)(krb5_context, PTYPE, const char *, char **);
-
-#define SPECIALP(f, P) FTYPE_SPECIAL, 0, P, f
-#define SPECIAL(f) SPECIALP(f, NULL)
-
-} tokens[] = {
-#ifdef _WIN32
-#define CSIDLP(C,P) FTYPE_CSIDL, C, P, _expand_csidl
-#define CSIDL(C) CSIDLP(C, NULL)
-
- {"APPDATA", CSIDL(CSIDL_APPDATA)}, /* Roaming application data (for current user) */
- {"COMMON_APPDATA", CSIDL(CSIDL_COMMON_APPDATA)}, /* Application data (all users) */
- {"LOCAL_APPDATA", CSIDL(CSIDL_LOCAL_APPDATA)}, /* Local application data (for current user) */
- {"SYSTEM", CSIDL(CSIDL_SYSTEM)}, /* Windows System folder (e.g. %WINDIR%\System32) */
- {"WINDOWS", CSIDL(CSIDL_WINDOWS)}, /* Windows folder */
- {"USERCONFIG", CSIDLP(CSIDL_APPDATA, "\\" PACKAGE)}, /* Per user Heimdal configuration file path */
- {"COMMONCONFIG", CSIDLP(CSIDL_COMMON_APPDATA, "\\" PACKAGE)}, /* Common Heimdal configuration file path */
- {"LIBDIR", SPECIAL(_expand_bin_dir)},
- {"BINDIR", SPECIAL(_expand_bin_dir)},
- {"LIBEXEC", SPECIAL(_expand_bin_dir)},
- {"SBINDIR", SPECIAL(_expand_bin_dir)},
-#else
- {"LIBDIR", FTYPE_SPECIAL, 0, LIBDIR, _expand_path},
- {"BINDIR", FTYPE_SPECIAL, 0, BINDIR, _expand_path},
- {"LIBEXEC", FTYPE_SPECIAL, 0, LIBEXECDIR, _expand_path},
- {"SBINDIR", FTYPE_SPECIAL, 0, SBINDIR, _expand_path},
-#endif
- {"TEMP", SPECIAL(_expand_temp_folder)},
- {"USERID", SPECIAL(_expand_userid)},
- {"uid", SPECIAL(_expand_userid)},
- {"null", SPECIAL(_expand_null)}
-};
-
-static krb5_error_code
-_expand_token(krb5_context context,
- const char *token,
- const char *token_end,
- char **extra_tokens,
- char **ret)
-{
- size_t i;
- char **p;
-
- *ret = NULL;
-
- if (token[0] != '%' || token[1] != '{' || token_end[0] != '}' ||
- token_end - token <= 2) {
- if (context)
- krb5_set_error_message(context, EINVAL,"Invalid token.");
- return EINVAL;
- }
-
- for (p = extra_tokens; p && p[0]; p += 2) {
- if (strncmp(token+2, p[0], (token_end - token) - 2) == 0)
- return _expand_extra_token(context, p[1], ret);
- }
-
- for (i = 0; i < sizeof(tokens)/sizeof(tokens[0]); i++) {
- if (!strncmp(token+2, tokens[i].tok, (token_end - token) - 2))
- return tokens[i].exp_func(context, tokens[i].param,
- tokens[i].postfix, ret);
- }
-
- if (context)
- krb5_set_error_message(context, EINVAL, "Invalid token.");
- return EINVAL;
-}
-
/**
* Internal function to expand tokens in paths.
*
@@ -416,6 +41,9 @@ _expand_token(krb5_context context,
*
* @context A krb5_context
* @path_in The path to expand tokens from
+ * @filepath True if the value is a filesystem path (converts slashes to
+ * backslashes on Windows)
+ * @ppath_out The expanded path
*
* Outputs:
*
@@ -427,17 +55,8 @@ _krb5_expand_path_tokens(krb5_context context,
int filepath,
char **ppath_out)
{
- return _krb5_expand_path_tokensv(context, path_in, filepath, ppath_out, NULL);
-}
-
-static void
-free_extra_tokens(char **extra_tokens)
-{
- char **p;
-
- for (p = extra_tokens; p && *p; p++)
- free(*p);
- free(extra_tokens);
+ return heim_expand_path_tokens(context ? context->hcontext : NULL, path_in,
+ filepath, ppath_out, NULL);
}
/**
@@ -447,6 +66,8 @@ free_extra_tokens(char **extra_tokens)
*
* @context A krb5_context
* @path_in The path to expand tokens from
+ * @filepath True if the value is a filesystem path (converts slashes to
+ * backslashes on Windows)
* @ppath_out The expanded path
* @... Variable number of pairs of strings, the first of each
* being a token (e.g., "luser") and the second a string to
@@ -462,143 +83,12 @@ _krb5_expand_path_tokensv(krb5_context context,
int filepath,
char **ppath_out, ...)
{
- char *tok_begin, *tok_end, *append;
- char **extra_tokens = NULL;
- const char *path_left;
- size_t nargs = 0;
- size_t len = 0;
+ krb5_error_code ret;
va_list ap;
- if (path_in == NULL || *path_in == '\0') {
- *ppath_out = strdup("");
- return 0;
- }
-
- *ppath_out = NULL;
-
va_start(ap, ppath_out);
- while (va_arg(ap, const char *)) {
- nargs++;
- va_arg(ap, const char *);
- }
+ ret = heim_expand_path_tokensv(context->hcontext, path_in, filepath, ppath_out, ap);
va_end(ap);
- nargs *= 2;
-
- /* Get extra tokens */
- if (nargs) {
- size_t i;
-
- extra_tokens = calloc(nargs + 1, sizeof (*extra_tokens));
- if (extra_tokens == NULL)
- return krb5_enomem(context);
- va_start(ap, ppath_out);
- for (i = 0; i < nargs; i++) {
- const char *s = va_arg(ap, const char *); /* token key */
- if (s == NULL)
- break;
- extra_tokens[i] = strdup(s);
- if (extra_tokens[i++] == NULL) {
- va_end(ap);
- free_extra_tokens(extra_tokens);
- return krb5_enomem(context);
- }
- s = va_arg(ap, const char *); /* token value */
- if (s == NULL)
- s = "";
- extra_tokens[i] = strdup(s);
- if (extra_tokens[i] == NULL) {
- va_end(ap);
- free_extra_tokens(extra_tokens);
- return krb5_enomem(context);
- }
- }
- va_end(ap);
- }
-
- for (path_left = path_in; path_left && *path_left; ) {
-
- tok_begin = strstr(path_left, "%{");
-
- if (tok_begin && tok_begin != path_left) {
-
- append = malloc((tok_begin - path_left) + 1);
- if (append) {
- memcpy(append, path_left, tok_begin - path_left);
- append[tok_begin - path_left] = '\0';
- }
- path_left = tok_begin;
-
- } else if (tok_begin) {
-
- tok_end = strchr(tok_begin, '}');
- if (tok_end == NULL) {
- free_extra_tokens(extra_tokens);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- if (context)
- krb5_set_error_message(context, EINVAL, "variable missing }");
- return EINVAL;
- }
-
- if (_expand_token(context, tok_begin, tok_end, extra_tokens,
- &append)) {
- free_extra_tokens(extra_tokens);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- return EINVAL;
- }
-
- path_left = tok_end + 1;
- } else {
-
- append = strdup(path_left);
- path_left = NULL;
-
- }
-
- if (append == NULL) {
-
- free_extra_tokens(extra_tokens);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- return krb5_enomem(context);
-
- }
-
- {
- size_t append_len = strlen(append);
- char * new_str = realloc(*ppath_out, len + append_len + 1);
-
- if (new_str == NULL) {
- free_extra_tokens(extra_tokens);
- free(append);
- if (*ppath_out)
- free(*ppath_out);
- *ppath_out = NULL;
- return krb5_enomem(context);
- }
-
- *ppath_out = new_str;
- memcpy(*ppath_out + len, append, append_len + 1);
- len = len + append_len;
- free(append);
- }
- }
-
-#ifdef _WIN32
- /* Also deal with slashes */
- if (filepath && *ppath_out) {
- char * c;
-
- for (c = *ppath_out; *c; c++)
- if (*c == '/')
- *c = '\\';
- }
-#endif
- free_extra_tokens(extra_tokens);
- return 0;
+ return ret;
}
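Review bot: `context->hcontext` is dereferenced unconditionally on the new `ret = heim_expand_path_tokensv(...)` line, yet this function accepted a NULL context before (the removed body guarded every `krb5_set_error_message` with `if (context)`), and the sibling `_krb5_expand_path_tokens` rewritten in the hunk above still passes `context ? context->hcontext : NULL`. Any caller that relied on the NULL-context path, including `_krb5_expand_path_tokens` callers before that wrapper was redirected, now faults here. The line should match the sibling: `ret = heim_expand_path_tokensv(context ? context->hcontext : NULL, path_in, filepath, ppath_out, ap);`. Whether heim_expand_path_tokensv() also preserves the old `*ppath_out = strdup("")` behaviour for a NULL or empty `path_in` is not visible here and is worth confirming.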
diff --git a/lib/krb5/fast.c b/lib/krb5/fast.c
index c30d5442f73a..338c4facfcca 100644
--- a/lib/krb5/fast.c
+++ b/lib/krb5/fast.c
@@ -32,7 +32,9 @@
*/
#include "krb5_locl.h"
-
+#ifndef WIN32
+#include <heim-ipc.h>
+#endif
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_fast_cf2(krb5_context context,
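Review bot: The new `#ifndef WIN32` guard around the `<heim-ipc.h>` include (and the matching `WIN32` checks in the large hunk that follows) tests a macro that is not predefined by compilers, while the Windows-specific code removed from expand_path.c in this same diff tested `_WIN32`. If the build does not define `WIN32` on Windows, the IPC header is included there and the Windows-only `ENOTSUP` branch in make_fast_ap_fxarmor() is never compiled. Unless the project's build system guarantees `WIN32`, use `#ifndef _WIN32` here and in the following hunk for consistency with the rest of lib/krb5.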
@@ -93,3 +95,872 @@ _krb5_fast_armor_key(krb5_context context,
armorkey,
armor_crypto);
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_fast_explicit_armor_key(krb5_context context,
+ krb5_keyblock *armorkey,
+ krb5_keyblock *subkey,
+ krb5_keyblock *explicit_armorkey,
+ krb5_crypto *explicit_armor_crypto)
+{
+ return _krb5_fast_cf2(context,
+ armorkey,
+ "explicitarmor",
+ subkey,
+ "tgsarmor",
+ explicit_armorkey,
+ explicit_armor_crypto);
+}
+
+static krb5_error_code
+check_fast(krb5_context context, struct krb5_fast_state *state)
+{
+ if (state && (state->flags & KRB5_FAST_EXPECTED)) {
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ "Expected FAST, but no FAST "
+ "was in the response from the KDC");
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ return 0;
+}
+
+static krb5_error_code
+make_local_fast_ap_fxarmor(krb5_context context,
+ krb5_ccache armor_ccache,
+ krb5_const_realm realm,
+ krb5_data *armor_value,
+ krb5_keyblock *armor_key,
+ krb5_crypto *armor_crypto)
+{
+ krb5_auth_context auth_context = NULL;
+ krb5_creds cred, *credp = NULL;
+ krb5_error_code ret;
+ krb5_data empty;
+ krb5_const_realm tgs_realm;
+
+ if (armor_ccache == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ "Armor credential cache required");
+ return EINVAL;
+ }
+
+ krb5_data_zero(&empty);
+ memset(&cred, 0, sizeof(cred));
+
+ ret = krb5_auth_con_init (context, &auth_context);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_get_principal(context, armor_ccache, &cred.client);
+ if (ret)
+ goto out;
+
+ /*
+ * Make sure we don't ask for a krbtgt/WELLKNOWN:ANONYMOUS
+ */
+ if (krb5_principal_is_anonymous(context, cred.client,
+ KRB5_ANON_MATCH_UNAUTHENTICATED))
+ tgs_realm = realm;
+ else
+ tgs_realm = cred.client->realm;
+
+ ret = krb5_make_principal(context, &cred.server,
+ tgs_realm,
+ KRB5_TGS_NAME,
+ tgs_realm,
+ NULL);
+ if (ret)
+ goto out;
+
+ ret = krb5_get_credentials(context, 0, armor_ccache, &cred, &credp);
+ if (ret)
+ goto out;
+
+ ret = krb5_auth_con_add_AuthorizationData(context, auth_context,
+ KRB5_AUTHDATA_FX_FAST_ARMOR,
+ &empty);
+ if (ret)
+ goto out;
+
+ ret = krb5_mk_req_extended(context,
+ &auth_context,
+ AP_OPTS_USE_SUBKEY,
+ NULL,
+ credp,
+ armor_value);
+ if (ret)
+ goto out;
+
+ ret = _krb5_fast_armor_key(context,
+ auth_context->local_subkey,
+ auth_context->keyblock,
+ armor_key,
+ armor_crypto);
+ if (ret)
+ goto out;
+
+ out:
+ if (auth_context)
+ krb5_auth_con_free(context, auth_context);
+ if (credp)
+ krb5_free_creds(context, credp);
+ krb5_free_principal(context, cred.server);
+ krb5_free_principal(context, cred.client);
+
+ return ret;
+}
+
+#ifndef WIN32
+static heim_base_once_t armor_service_once = HEIM_BASE_ONCE_INIT;
+static heim_ipc armor_service = NULL;
+
+static void
+fast_armor_init_ipc(void *ctx)
+{
+ heim_ipc *ipc = ctx;
+ heim_ipc_init_context("ANY:org.h5l.armor-service", ipc);
+}
+#endif
+
+static krb5_error_code
+make_fast_ap_fxarmor(krb5_context context,
+ struct krb5_fast_state *state,
+ krb5_const_realm realm,
+ KrbFastArmor **armor)
+{
+ KrbFastArmor *fxarmor = NULL;
+ krb5_error_code ret;
+
+ *armor = NULL;
+
+ ALLOC(fxarmor, 1);
+ if (fxarmor == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ if (state->flags & KRB5_FAST_AP_ARMOR_SERVICE) {
+#ifdef WIN32
+ krb5_set_error_message(context, ENOTSUP, "Fast armor IPC service not supportted yet on Windows");
+ ret = ENOTSUP;
+ goto out;
+#else
+ KERB_ARMOR_SERVICE_REPLY msg;
+ krb5_data request, reply;
+
+ heim_base_once_f(&armor_service_once, &armor_service, fast_armor_init_ipc);
+ if (armor_service == NULL) {
+ krb5_set_error_message(context, ENOENT, "Failed to open fast armor service");
+ ret = ENOENT;
+ goto out;
+ }
+
+ krb5_data_zero(&reply);
+
+ request.data = rk_UNCONST(realm);
+ request.length = strlen(realm);
+
+ ret = heim_ipc_call(armor_service, &request, &reply, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret, "Failed to get armor service credential");
+ goto out;
+ }
+
+ ret = decode_KERB_ARMOR_SERVICE_REPLY(reply.data, reply.length, &msg, NULL);
+ krb5_data_free(&reply);
+ if (ret)
+ goto out;
+
+ ret = copy_KrbFastArmor(fxarmor, &msg.armor);
+ if (ret) {
+ free_KERB_ARMOR_SERVICE_REPLY(&msg);
+ goto out;
+ }
+
+ ret = krb5_copy_keyblock_contents(context, &msg.armor_key, &state->armor_key);
+ free_KERB_ARMOR_SERVICE_REPLY(&msg);
+ if (ret)
+ goto out;
+
+ ret = krb5_crypto_init(context, &state->armor_key, 0, &state->armor_crypto);
+ if (ret)
+ goto out;
+#endif /* WIN32 */
+ } else {
+ fxarmor->armor_type = 1;
+
+ ret = make_local_fast_ap_fxarmor(context,
+ state->armor_ccache,
+ realm,
+ &fxarmor->armor_value,
+ &state->armor_key,
+ &state->armor_crypto);
+ if (ret)
+ goto out;
+ }
+
+
+ *armor = fxarmor;
+ fxarmor = NULL;
+
+ out:
+ if (fxarmor) {
+ free_KrbFastArmor(fxarmor);
+ free(fxarmor);
+ }
+ return ret;
+}
+
+static krb5_error_code
+unwrap_fast_rep(krb5_context context,
+ struct krb5_fast_state *state,
+ PA_DATA *pa,
+ KrbFastResponse *fastrep)
+{
+ PA_FX_FAST_REPLY fxfastrep;
+ krb5_error_code ret;
+
+ memset(&fxfastrep, 0, sizeof(fxfastrep));
+
+ ret = decode_PA_FX_FAST_REPLY(pa->padata_value.data,
+ pa->padata_value.length,
+ &fxfastrep, NULL);
+ if (ret)
+ return ret;
+
+ if (fxfastrep.element == choice_PA_FX_FAST_REPLY_armored_data) {
+ krb5_data data;
+
+ ret = krb5_decrypt_EncryptedData(context,
+ state->armor_crypto,
+ KRB5_KU_FAST_REP,
+ &fxfastrep.u.armored_data.enc_fast_rep,
+ &data);
+ if (ret)
+ goto out;
+
+ ret = decode_KrbFastResponse(data.data, data.length, fastrep, NULL);
+ krb5_data_free(&data);
+ if (ret)
+ goto out;
+
+ } else {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+
+ out:
+ free_PA_FX_FAST_REPLY(&fxfastrep);
+
+ return ret;
+}
+
+static krb5_error_code
+set_anon_principal(krb5_context context, PrincipalName **p)
+{
+
+ ALLOC((*p), 1);
+ if (*p == NULL)
+ goto fail;
+
+ (*p)->name_type = KRB5_NT_PRINCIPAL;
+
+ ALLOC_SEQ(&(*p)->name_string, 2);
+ if ((*p)->name_string.val == NULL)
+ goto fail;
+
+ (*p)->name_string.val[0] = strdup(KRB5_WELLKNOWN_NAME);
+ if ((*p)->name_string.val[0] == NULL)
+ goto fail;
+
+ (*p)->name_string.val[1] = strdup(KRB5_ANON_NAME);
+ if ((*p)->name_string.val[1] == NULL)
+ goto fail;
+
+ return 0;
+ fail:
+ if (*p) {
+ if ((*p)->name_string.val) {
+ free((*p)->name_string.val[0]);
+ free((*p)->name_string.val[1]);
+ free((*p)->name_string.val);
+ }
+ free(*p);
+ }
+
+ return krb5_enomem(context);
+}
+
+krb5_error_code
+_krb5_fast_create_armor(krb5_context context,
+ struct krb5_fast_state *state,
+ const char *realm)
+{
+ krb5_error_code ret;
+
+ if (state->armor_crypto == NULL) {
+ if (state->armor_ccache || state->armor_ac || (state->flags & KRB5_FAST_AP_ARMOR_SERVICE)) {
+ /*
+ * Instead of keeping state in FX_COOKIE in the KDC, we
+ * rebuild a new armor key for every request, because this
+ * is what the MIT KDC expect and RFC6113 is vage about
+ * what the behavior should be.
+ */
+ state->type = choice_PA_FX_FAST_REQUEST_armored_data;
+ } else {
+ return check_fast(context, state);
+ }
+ }
+
+ if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
+ if (state->armor_crypto) {
+ krb5_crypto_destroy(context, state->armor_crypto);
+ state->armor_crypto = NULL;
+ }
+ if (state->strengthen_key) {
+ krb5_free_keyblock(context, state->strengthen_key);
+ state->strengthen_key = NULL;
+ }
+ krb5_free_keyblock_contents(context, &state->armor_key);
+
+ /*
+ * If we have a armor auth context, its because the caller
+ * wants us to do an implicit FAST armor (TGS-REQ).
+ */
+ if (state->armor_ac) {
+ heim_assert((state->flags & KRB5_FAST_AS_REQ) == 0, "FAST AS with AC");
+
+ ret = _krb5_fast_armor_key(context,
+ state->armor_ac->local_subkey,
+ state->armor_ac->keyblock,
+ &state->armor_key,
+ &state->armor_crypto);
+ if (ret)
+ goto out;
+ } else {
+ heim_assert((state->flags & KRB5_FAST_AS_REQ) != 0, "FAST TGS without AC");
+
+ if (state->armor_data) {
+ free_KrbFastArmor(state->armor_data);
+ free(state->armor_data);
+ state->armor_data = NULL;
+ }
+ ret = make_fast_ap_fxarmor(context, state, realm,
+ &state->armor_data);
+ if (ret)
+ goto out;
+ }
+ } else {
+ heim_abort("unknown state type: %d", (int)state->type);
+ }
+ out:
+ return ret;
+}
+
+
+krb5_error_code
+_krb5_fast_wrap_req(krb5_context context,
+ struct krb5_fast_state *state,
+ KDC_REQ *req)
+{
+ PA_FX_FAST_REQUEST fxreq;
+ krb5_error_code ret;
+ KrbFastReq fastreq;
+ krb5_data data, aschecksum_data, tgschecksum_data;
+ const krb5_data *checksum_data = NULL;
+ size_t size = 0;
+ krb5_boolean readd_padata_to_outer = FALSE;
+
+ if (state->flags & KRB5_FAST_DISABLED) {
+ _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping");
+ return 0;
+ }
+
+ memset(&fxreq, 0, sizeof(fxreq));
+ memset(&fastreq, 0, sizeof(fastreq));
+ krb5_data_zero(&data);
+ krb5_data_zero(&aschecksum_data);
+ krb5_data_zero(&tgschecksum_data);
+
+ if (state->armor_crypto == NULL)
+ return check_fast(context, state);
+
+ state->flags |= KRB5_FAST_EXPECTED;
+
+ fastreq.fast_options.hide_client_names = 1;
+
+ ret = copy_KDC_REQ_BODY(&req->req_body, &fastreq.req_body);
+ if (ret)
+ goto out;
+
+ /*
+ * In the case of a AS-REQ, remove all account names. Want to this
+ * for TGS-REQ too, but due to layering this is tricky.
+ *
+ * 1. TGS-REQ need checksum of REQ-BODY
+ * 2. FAST needs checksum of TGS-REQ, so, FAST needs to happen after TGS-REQ
+ * 3. FAST privacy mangaling needs to happen before TGS-REQ does the checksum in 1.
+ *
+ * So lets not modify the bits for now for TGS-REQ
+ */
+ if (state->flags & KRB5_FAST_AS_REQ) {
+ free_KDC_REQ_BODY(&req->req_body);
+
+ req->req_body.realm = strdup(KRB5_ANON_REALM);
+ if (req->req_body.realm == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ ret = set_anon_principal(context, &req->req_body.cname);
+ if (ret)
+ goto out;
+
+ ALLOC(req->req_body.till, 1);
+ *req->req_body.till = 0;
+
+ ASN1_MALLOC_ENCODE(KDC_REQ_BODY,
+ aschecksum_data.data,
+ aschecksum_data.length,
+ &req->req_body,
+ &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(aschecksum_data.length == size, "ASN.1 internal error");
+
+ checksum_data = &aschecksum_data;
+
+ if (req->padata) {
+ ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
+ free_METHOD_DATA(req->padata);
+ if (ret)
+ goto out;
+ }
+ } else {
+ const PA_DATA *tgs_req_ptr = NULL;
+ int tgs_req_idx = 0;
+ size_t i;
+
+ heim_assert(req->padata != NULL, "req->padata is NULL");
+
+ tgs_req_ptr = krb5_find_padata(req->padata->val,
+ req->padata->len,
+ KRB5_PADATA_TGS_REQ,
+ &tgs_req_idx);
+ heim_assert(tgs_req_ptr != NULL, "KRB5_PADATA_TGS_REQ not found");
+ heim_assert(tgs_req_idx == 0, "KRB5_PADATA_TGS_REQ not first");
+
+ tgschecksum_data.data = tgs_req_ptr->padata_value.data;
+ tgschecksum_data.length = tgs_req_ptr->padata_value.length;
+ checksum_data = &tgschecksum_data;
+
+ /*
+ * Now copy all remaining once to
+ * the fastreq.padata and clear
+ * them in the outer req first,
+ * and remember to readd them later.
+ */
+ readd_padata_to_outer = TRUE;
+
+ for (i = 1; i < req->padata->len; i++) {
+ PA_DATA *val = &req->padata->val[i];
+
+ ret = krb5_padata_add(context,
+ &fastreq.padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+
+ /*
+ * Only TGS-REQ remaining
+ */
+ req->padata->len = 1;
+ }
+
+ if (req->padata == NULL) {
+ ALLOC(req->padata, 1);
+ if (req->padata == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ }
+
+ ASN1_MALLOC_ENCODE(KrbFastReq, data.data, data.length, &fastreq, &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(data.length == size, "ASN.1 internal error");
+
+ fxreq.element = state->type;
+
+ if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
+ fxreq.u.armored_data.armor = state->armor_data;
+ state->armor_data = NULL;
+
+ heim_assert(state->armor_crypto != NULL,
+ "FAST armor key missing when FAST started");
+
+ ret = krb5_create_checksum(context, state->armor_crypto,
+ KRB5_KU_FAST_REQ_CHKSUM, 0,
+ checksum_data->data,
+ checksum_data->length,
+ &fxreq.u.armored_data.req_checksum);
+ if (ret)
+ goto out;
+
+ ret = krb5_encrypt_EncryptedData(context, state->armor_crypto,
+ KRB5_KU_FAST_ENC,
+ data.data,
+ data.length,
+ 0,
+ &fxreq.u.armored_data.enc_fast_req);
+ krb5_data_free(&data);
+ if (ret)
+ goto out;
+
+ } else {
+ krb5_data_free(&data);
+ heim_assert(false, "unknown FAST type, internal error");
+ }
+
+ ASN1_MALLOC_ENCODE(PA_FX_FAST_REQUEST, data.data, data.length, &fxreq, &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(data.length == size, "ASN.1 internal error");
+
+
+ ret = krb5_padata_add(context, req->padata, KRB5_PADATA_FX_FAST, data.data, data.length);
+ if (ret)
+ goto out;
+ krb5_data_zero(&data);
+
+ if (readd_padata_to_outer) {
+ size_t i;
+
+ for (i = 0; i < fastreq.padata.len; i++) {
+ PA_DATA *val = &fastreq.padata.val[i];
+
+ ret = krb5_padata_add(context,
+ req->padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+ }
+
+ out:
+ free_KrbFastReq(&fastreq);
+ free_PA_FX_FAST_REQUEST(&fxreq);
+ krb5_data_free(&data);
+ krb5_data_free(&aschecksum_data);
+
+ return ret;
+}
+
+krb5_error_code
+_krb5_fast_unwrap_error(krb5_context context,
+ int32_t nonce,
+ struct krb5_fast_state *state,
+ METHOD_DATA *md,
+ KRB_ERROR *error)
+{
+ KrbFastResponse fastrep;
+ krb5_error_code ret;
+ PA_DATA *pa;
+ int idx;
+
+ if (state->armor_crypto == NULL)
+ return check_fast(context, state);
+
+ memset(&fastrep, 0, sizeof(fastrep));
+
+ if (error->error_code != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
+ _krb5_debug(context, 10, "using FAST without FAST outer error code");
+
+ idx = 0;
+ pa = krb5_find_padata(md->val, md->len, KRB5_PADATA_FX_FAST, &idx);
+ if (pa == NULL) {
+ ret = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, ret,
+ N_("FAST fast response is missing FX-FAST", ""));
+ goto out;
+ }
+
+ ret = unwrap_fast_rep(context, state, pa, &fastrep);
+ if (ret)
+ goto out;
+
+ if (fastrep.strengthen_key || nonce != (int32_t)fastrep.nonce) {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+
+ idx = 0;
+ pa = krb5_find_padata(fastrep.padata.val, fastrep.padata.len, KRB5_PADATA_FX_ERROR, &idx);
+ if (pa == NULL) {
+ ret = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, ret, N_("No wrapped error", ""));
+ goto out;
+ }
+
+ free_KRB_ERROR(error);
+
+ ret = krb5_rd_error(context, &pa->padata_value, error);
+ if (ret)
+ goto out;
+
+ if (error->e_data)
+ _krb5_debug(context, 10, "FAST wrapped KBB_ERROR contained e_data: %d",
+ (int)error->e_data->length);
+
+ free_METHOD_DATA(md);
+ md->val = fastrep.padata.val;
+ md->len = fastrep.padata.len;
+
+ fastrep.padata.val = NULL;
+ fastrep.padata.len = 0;
+
+ out:
+ free_KrbFastResponse(&fastrep);
+ return ret;
+}
+
+krb5_error_code
+_krb5_fast_unwrap_kdc_rep(krb5_context context, int32_t nonce,
+ krb5_data *chksumdata,
+ struct krb5_fast_state *state, AS_REP *rep)
+{
+ KrbFastResponse fastrep;
+ krb5_error_code ret;
+ PA_DATA *pa = NULL;
+ int idx = 0;
+
+ if (state == NULL || state->armor_crypto == NULL || rep->padata == NULL)
+ return check_fast(context, state);
+
+ /* find PA_FX_FAST_REPLY */
+
+ pa = krb5_find_padata(rep->padata->val, rep->padata->len,
+ KRB5_PADATA_FX_FAST, &idx);
+ if (pa == NULL)
+ return check_fast(context, state);
+
+ memset(&fastrep, 0, sizeof(fastrep));
+
+ ret = unwrap_fast_rep(context, state, pa, &fastrep);
+ if (ret)
+ goto out;
+
+ free_METHOD_DATA(rep->padata);
+ ret = copy_METHOD_DATA(&fastrep.padata, rep->padata);
+ if (ret)
+ goto out;
+
+ if (fastrep.strengthen_key) {
+ if (state->strengthen_key)
+ krb5_free_keyblock(context, state->strengthen_key);
+
+ ret = krb5_copy_keyblock(context, fastrep.strengthen_key, &state->strengthen_key);
+ if (ret)
+ goto out;
+ }
+
+ if (nonce != (int32_t)fastrep.nonce) {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+ if (fastrep.finished) {
+ PrincipalName cname;
+ krb5_realm crealm = NULL;
+
+ if (chksumdata == NULL) {
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto out;
+ }
+
+ ret = krb5_verify_checksum(context, state->armor_crypto,
+ KRB5_KU_FAST_FINISHED,
+ chksumdata->data, chksumdata->length,
+ &fastrep.finished->ticket_checksum);
+ if (ret)
+ goto out;
+
+ /* update */
+ ret = copy_Realm(&fastrep.finished->crealm, &crealm);
+ if (ret)
+ goto out;
+ free_Realm(&rep->crealm);
+ rep->crealm = crealm;
+
+ ret = copy_PrincipalName(&fastrep.finished->cname, &cname);
+ if (ret)
+ goto out;
+ free_PrincipalName(&rep->cname);
+ rep->cname = cname;
+ } else if (chksumdata) {
+ /* expected fastrep.finish but didn't get it */
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+
+ out:
+ free_KrbFastResponse(&fastrep);
+ return ret;
+}
+
+void
+_krb5_fast_free(krb5_context context, struct krb5_fast_state *state)
+{
+ if (state->armor_ccache) {
+ if (state->flags & KRB5_FAST_ANON_PKINIT_ARMOR)
+ krb5_cc_destroy(context, state->armor_ccache);
+ else
+ krb5_cc_close(context, state->armor_ccache);
+ }
+ if (state->armor_service)
+ krb5_free_principal(context, state->armor_service);
+ if (state->armor_crypto)
+ krb5_crypto_destroy(context, state->armor_crypto);
+ if (state->strengthen_key)
+ krb5_free_keyblock(context, state->strengthen_key);
+ krb5_free_keyblock_contents(context, &state->armor_key);
+ if (state->armor_data) {
+ free_KrbFastArmor(state->armor_data);
+ free(state->armor_data);
+ }
+
+ if (state->anon_pkinit_ctx)
+ krb5_init_creds_free(context, state->anon_pkinit_ctx);
+ if (state->anon_pkinit_opt)
+ krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt);
+
+ memset(state, 0, sizeof(*state));
+}
+
+krb5_error_code
+_krb5_fast_anon_pkinit_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ struct krb5_fast_state *state,
+ const krb5_data *in,
+ krb5_data *out,
+ krb5_realm *out_realm,
+ unsigned int *flags)
+{
+ krb5_error_code ret;
+ krb5_const_realm realm = _krb5_init_creds_get_cred_client(context, ctx)->realm;
+ krb5_init_creds_context anon_pk_ctx;
+ krb5_principal principal = NULL, anon_pk_client;
+ krb5_ccache ccache = NULL;
+ krb5_creds cred;
+ krb5_data data = { 3, rk_UNCONST("yes") };
+
+ krb5_data_zero(out);
+ *out_realm = NULL;
+
+ memset(&cred, 0, sizeof(cred));
+
+ if (state->anon_pkinit_opt == NULL) {
+ ret = krb5_get_init_creds_opt_alloc(context, &state->anon_pkinit_opt);
+ if (ret)
+ goto out;
+
+ krb5_get_init_creds_opt_set_tkt_life(state->anon_pkinit_opt, 60);
+ krb5_get_init_creds_opt_set_anonymous(state->anon_pkinit_opt, TRUE);
+
+ ret = krb5_make_principal(context, &principal, realm,
+ KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL);
+ if (ret)
+ goto out;
+
+ ret = krb5_get_init_creds_opt_set_pkinit(context,
+ state->anon_pkinit_opt,
+ principal,
+ NULL, NULL, NULL, NULL,
+ KRB5_GIC_OPT_PKINIT_ANONYMOUS |
+ KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR,
+ NULL, NULL, NULL);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_init(context, principal, NULL, NULL,
+ _krb5_init_creds_get_cred_starttime(context, ctx),
+ state->anon_pkinit_opt,
+ &state->anon_pkinit_ctx);
+ if (ret)
+ goto out;
+ }
+
+ anon_pk_ctx = state->anon_pkinit_ctx;
+
+ ret = krb5_init_creds_step(context, anon_pk_ctx, in, out, out_realm, flags);
+ if (ret ||
+ (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
+ goto out;
+
+ ret = krb5_process_last_request(context, state->anon_pkinit_opt, anon_pk_ctx);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache);
+ if (ret)
+ goto out;
+
+ ret = krb5_init_creds_get_creds(context, anon_pk_ctx, &cred);
+ if (ret)
+ goto out;
+
+ if (!cred.flags.b.enc_pa_rep) {
+ ret = KRB5KDC_ERR_BADOPTION; /* KDC does not support FAST */
+ goto out;
+ }
+
+ anon_pk_client = _krb5_init_creds_get_cred_client(context, anon_pk_ctx);
+
+ ret = krb5_cc_initialize(context, ccache, anon_pk_client);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_store_cred(context, ccache, &cred);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_set_config(context, ccache, cred.server,
+ "fast_avail", &data);
+ if (ret && ret != KRB5_CC_NOSUPP)
+ return ret;
+
+ if (_krb5_pk_is_kdc_verified(context, state->anon_pkinit_opt))
+ state->flags |= KRB5_FAST_KDC_VERIFIED;
+ else
+ state->flags &= ~(KRB5_FAST_KDC_VERIFIED);
+
+ state->armor_ccache = ccache;
+ ccache = NULL;
+
+ krb5_init_creds_free(context, state->anon_pkinit_ctx);
+ state->anon_pkinit_ctx = NULL;
+
+ krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt);
+ state->anon_pkinit_opt = NULL;
+
+out:
+ krb5_free_principal(context, principal);
+ krb5_free_cred_contents(context, &cred);
+ if (ccache)
+ krb5_cc_destroy(context, ccache);
+
+ return ret;
+}
diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c
index ab5d1c137f74..20c335db3beb 100644
--- a/lib/krb5/fcache.c
+++ b/lib/krb5/fcache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -37,6 +37,9 @@
typedef struct krb5_fcache{
char *filename;
+ char *res;
+ char *sub;
+ char *tmpfn;
int version;
}krb5_fcache;
@@ -57,17 +60,29 @@ struct fcc_cursor {
#define FCACHE(X) ((krb5_fcache*)(X)->data.data)
#define FILENAME(X) (FCACHE(X)->filename)
+#define TMPFILENAME(X) (FCACHE(X)->tmpfn)
+#define RESFILENAME(X) (FCACHE(X)->res)
+#define SUBFILENAME(X) (FCACHE(X)->sub)
#define FCC_CURSOR(C) ((struct fcc_cursor*)(C))
-static const char* KRB5_CALLCONV
-fcc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+fcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **colname,
+ const char **sub)
{
if (FCACHE(id) == NULL)
- return NULL;
-
- return FILENAME(id);
+ return KRB5_CC_NOTFOUND;
+
+ if (name)
+ *name = FILENAME(id);
+ if (colname)
+ *colname = FILENAME(id);
+ if (sub)
+ *sub = NULL;
+ return 0;
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
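Review bot: fcc_get_name_2 reports `*colname = FILENAME(id)` (the combined "res+sub" string) and `*sub = NULL`, while fcc_resolve_2 later in this diff now splits and stores the residual and subsidiary in the new `res`/`sub` fields. If the version-5 ops contract means colname to be the collection file and sub the subsidiary, these should presumably be `*colname = RESFILENAME(id);` and `*sub = SUBFILENAME(id);`; otherwise a comment explaining why the split is not reported would avoid the next reader "fixing" it. The contract lives in cache.c, which is changed by this commit but not in view.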
@@ -176,35 +191,78 @@ static krb5_error_code KRB5_CALLCONV
fcc_lock(krb5_context context, krb5_ccache id,
int fd, krb5_boolean exclusive)
{
- return _krb5_xlock(context, fd, exclusive, fcc_get_name(context, id));
+ krb5_error_code ret;
+ const char *name;
+
+ if (exclusive == FALSE)
+ return 0;
+ ret = fcc_get_name_2(context, id, &name, NULL, NULL);
+ if (ret == 0)
+ ret = _krb5_xlock(context, fd, exclusive, name);
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
-fcc_unlock(krb5_context context, int fd)
-{
- return _krb5_xunlock(context, fd);
-}
+fcc_get_default_name(krb5_context, char **);
+
+/*
+ * This is the character used to separate the residual from the subsidiary name
+ * when both are given. It's tempting to use ':' just as we do in the ccache
+ * names, but we can't on Windows.
+ */
+#define FILESUBSEP "+"
+#define FILESUBSEPCHR ((FILESUBSEP)[0])
static krb5_error_code KRB5_CALLCONV
-fcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+fcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
krb5_fcache *f;
- f = malloc(sizeof(*f));
- if(f == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+ char *freeme = NULL;
+
+ if (res == NULL && sub == NULL)
+ return krb5_einval(context, 3);
+ if (res == NULL) {
+ krb5_error_code ret;
+
+ if ((ret = fcc_get_default_name(context, &freeme)))
+ return ret;
+ res = freeme + sizeof("FILE:") - 1;
+ } else if (!sub && (sub = strchr(res, FILESUBSEPCHR))) {
+ if (sub[1] == '\0') {
+ sub = NULL;
+ } else {
+ /* `res' has a subsidiary component, so split on it */
+ if ((freeme = strndup(res, sub - res)) == NULL)
+ return krb5_enomem(context);
+ res = freeme;
+ sub++;
+ }
}
- f->filename = strdup(res);
- if(f->filename == NULL){
- free(f);
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+
+ if ((f = calloc(1, sizeof(*f))) == NULL ||
+ (f->res = strdup(res)) == NULL ||
+ (f->sub = sub ? strdup(sub) : NULL) == (sub ? NULL : "") ||
+ asprintf(&f->filename, "%s%s%s",
+ res, sub ? FILESUBSEP : "", sub ? sub : "") == -1 ||
+ f->filename == NULL) {
+ if (f) {
+ free(f->filename);
+ free(f->res);
+ free(f->sub);
+ }
+ free(f);
+ free(freeme);
+ return krb5_enomem(context);
}
+ f->tmpfn = NULL;
f->version = 0;
(*id)->data.data = f;
(*id)->data.length = sizeof(*f);
+
+ free(freeme);
return 0;
}
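Review bot: fcc_lock now returns 0 without taking any lock when `exclusive == FALSE`, so readers are no longer serialized against a writer that still updates a cache in place (fcc_store_cred on a cache with no TMPFILENAME opens the existing file and appends, as later hunks show). If that is intended because new caches are written to a temp file and renamed into place, say so at the early return, e.g. `/* No shared locks: writers create a temp file and rename() it, so readers always see a complete file */`, and confirm the in-place append case is covered. Separately, the test `(f->sub = sub ? strdup(sub) : NULL) == (sub ? NULL : "")` in fcc_resolve_2 is correct but hard to read; `(sub != NULL && (f->sub = strdup(sub)) == NULL)` expresses the same failure check directly, since calloc already left f->sub NULL.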
@@ -258,8 +316,12 @@ _krb5_erase_file(krb5_context context, const char *filename)
int ret;
ret = lstat (filename, &sb1);
- if (ret < 0)
- return errno;
+ if (ret < 0) {
+ if(errno == ENOENT)
+ return 0;
+ else
+ return errno;
+ }
fd = open(filename, O_RDWR | O_BINARY | O_CLOEXEC | O_NOFOLLOW);
if(fd < 0) {
@@ -276,7 +338,6 @@ _krb5_erase_file(krb5_context context, const char *filename)
}
if (unlink(filename) < 0) {
ret = errno;
- _krb5_xunlock(context, fd);
close (fd);
krb5_set_error_message(context, errno,
N_("krb5_cc_destroy: unlinking \"%s\": %s", ""),
@@ -286,7 +347,6 @@ _krb5_erase_file(krb5_context context, const char *filename)
ret = fstat(fd, &sb2);
if (ret < 0) {
ret = errno;
- _krb5_xunlock(context, fd);
close (fd);
return ret;
}
@@ -294,7 +354,6 @@ _krb5_erase_file(krb5_context context, const char *filename)
/* check if someone was playing with symlinks */
if (sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
- _krb5_xunlock(context, fd);
close(fd);
return EPERM;
}
@@ -302,18 +361,11 @@ _krb5_erase_file(krb5_context context, const char *filename)
/* there are still hard links to this file */
if (sb2.st_nlink != 0) {
- _krb5_xunlock(context, fd);
close(fd);
return 0;
}
ret = scrub_file(fd);
- if (ret) {
- _krb5_xunlock(context, fd);
- close(fd);
- return ret;
- }
- ret = _krb5_xunlock(context, fd);
close(fd);
return ret;
}
@@ -326,12 +378,18 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
krb5_fcache *f;
int fd;
- f = malloc(sizeof(*f));
+ f = calloc(1, sizeof(*f));
if(f == NULL) {
krb5_set_error_message(context, KRB5_CC_NOMEM,
N_("malloc: out of memory", ""));
return KRB5_CC_NOMEM;
}
+ f->tmpfn = NULL;
+ /*
+ * XXX We should asprintf(&file, "%s:XXXXXX", KRB5_DEFAULT_CCNAME_FILE)
+ * instead so that new unique FILE ccaches can be found in the user's
+ * default collection.
+ * */
ret = asprintf(&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
if(ret < 0 || file == NULL) {
free(f);
@@ -348,7 +406,7 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
file = exp_file;
- fd = mkstemp(exp_file);
+ fd = mkostemp(exp_file, O_CLOEXEC);
if(fd < 0) {
ret = (krb5_error_code)errno;
krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file);
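Review bot: The error message on the last line of this hunk still says "mkstemp" although the call is now mkostemp(); `N_("mkostemp %s failed", "")` keeps the diagnostic matching the code. Minor, but these strings end up in user-visible errors and logs. fcc_gen_new continues outside the hunk.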
@@ -358,6 +416,8 @@ fcc_gen_new(krb5_context context, krb5_ccache *id)
}
close(fd);
f->filename = exp_file;
+ f->res = strdup(exp_file); /* XXX See above commentary about collection */
+ f->sub = NULL;
f->version = 0;
(*id)->data.data = f;
(*id)->data.length = sizeof(*f);
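Review bot: `f->res = strdup(exp_file);` is unchecked, unlike every other allocation in fcc_gen_new which returns KRB5_CC_NOMEM; on failure the cache is handed back with RESFILENAME(id) == NULL. Add a check that mirrors the existing failure paths (unlink the file just created by mkostemp, free `f` and `exp_file`, return the out-of-memory error) rather than leaving a NULL residual for later code such as fcc_set_default_cache to format with "%s". The beginning of fcc_gen_new is outside this hunk.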
@@ -416,12 +476,37 @@ fcc_open(krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
- filename = FILENAME(id);
+ if ((flags & O_EXCL)) {
+ /*
+ * FIXME Instead of mkostemp()... we could instead try to use a .new
+ * file... with care. Or the O_TMPFILE / linkat() extensions. We need
+ * a roken / heimbase abstraction for that.
+ */
+ if (TMPFILENAME(id))
+ (void) unlink(TMPFILENAME(id));
+ free(TMPFILENAME(id));
+ TMPFILENAME(id) = NULL;
+ if (asprintf(&TMPFILENAME(id), "%s-XXXXXX", FILENAME(id)) < 0 ||
+ TMPFILENAME(id) == NULL)
+ return krb5_enomem(context);
+ if ((fd = mkostemp(TMPFILENAME(id), O_CLOEXEC)) == -1) {
+ krb5_set_error_message(context, ret = errno,
+ N_("Could not make temp ccache FILE:%s", ""),
+ TMPFILENAME(id));
+ free(TMPFILENAME(id));
+ TMPFILENAME(id) = NULL;
+ return ret;
+ }
+ goto out;
+ }
+ filename = TMPFILENAME(id) ? TMPFILENAME(id) : FILENAME(id);
strict_checking = (flags & O_CREAT) == 0 &&
(context->flags & KRB5_CTX_F_FCACHE_STRICT_CHECKING) != 0;
+#ifndef WIN32
again:
+#endif
memset(&sb1, 0, sizeof(sb1));
ret = lstat(filename, &sb1);
if (ret == 0) {
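Review bot: When `asprintf(&TMPFILENAME(id), "%s-XXXXXX", FILENAME(id))` fails, the function returns with TMPFILENAME(id) holding an unspecified value (asprintf does not promise to set it to NULL on error), which fcc_close later passes to unlink() and free(); set `TMPFILENAME(id) = NULL;` before `return krb5_enomem(context);`. The `mode` argument that callers pass (0600 in fcc_initialize) is not applied on this path because mkostemp() fixes the mode, which is fine but deserves a one-line comment. Also `ret = errno` embedded in the krb5_set_error_message() argument list is easy to misread; hoisting it to its own line is clearer. fcc_open's body continues beyond the hunk.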
@@ -496,7 +581,7 @@ again:
* locations on tmpfs "run" directories. But we don't know here
* that this is the case. Thus: no hard-links, no symlinks.
*/
- if (sb2.st_nlink != 1) {
+ if (sb2.st_nlink > 1) {
krb5_set_error_message(context, EPERM, N_("Refuses to open hardlinks for caches FILE:%s", ""), filename);
close(fd);
return EPERM;
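Review bot: Relaxing `sb2.st_nlink != 1` to `sb2.st_nlink > 1` newly accepts st_nlink == 0, i.e. a file that was unlinked between open() and fstat(), which the old check rejected. Presumably this tolerates the rename()-into-place of TMPFILENAME over an already opened cache, but the comment above (partly outside the hunk) still only says "no hard-links, no symlinks"; add `/* st_nlink == 0 is acceptable: the cache may have been replaced by rename() after we opened it */` so the relaxation is not reverted as an apparent bug.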
@@ -527,6 +612,7 @@ again:
#endif
}
+out:
if((ret = fcc_lock(context, id, fd, exclusive)) != 0) {
close(fd);
return ret;
@@ -547,41 +633,54 @@ fcc_initialize(krb5_context context,
if (f == NULL)
return krb5_einval(context, 2);
- unlink (f->filename);
-
+ /*
+ * fcc_open() will notice the O_EXCL and will make a temporary file that
+ * will later be renamed into place.
+ */
ret = fcc_open(context, id, "initialize", &fd, O_RDWR | O_CREAT | O_EXCL, 0600);
if(ret)
return ret;
{
krb5_storage *sp;
sp = krb5_storage_emem();
+ if (sp == NULL)
+ return krb5_enomem(context);
krb5_storage_set_eof_code(sp, KRB5_CC_END);
if(context->fcache_vno != 0)
f->version = context->fcache_vno;
else
f->version = KRB5_FCC_FVNO_4;
- ret |= krb5_store_int8(sp, 5);
- ret |= krb5_store_int8(sp, f->version);
+ if (ret == 0)
+ ret = krb5_store_int8(sp, 5);
+ if (ret == 0)
+ ret = krb5_store_int8(sp, f->version);
storage_set_flags(context, sp, f->version);
if(f->version == KRB5_FCC_FVNO_4 && ret == 0) {
/* V4 stuff */
if (context->kdc_sec_offset) {
- ret |= krb5_store_int16 (sp, 12); /* length */
- ret |= krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
- ret |= krb5_store_int16 (sp, 8); /* length of data */
- ret |= krb5_store_int32 (sp, context->kdc_sec_offset);
- ret |= krb5_store_int32 (sp, context->kdc_usec_offset);
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, 12); /* length */
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, FCC_TAG_DELTATIME); /* Tag */
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, 8); /* length of data */
+ if (ret == 0)
+ ret = krb5_store_int32 (sp, context->kdc_sec_offset);
+ if (ret == 0)
+ ret = krb5_store_int32 (sp, context->kdc_usec_offset);
} else {
- ret |= krb5_store_int16 (sp, 0);
+ if (ret == 0)
+ ret = krb5_store_int16 (sp, 0);
}
}
- ret |= krb5_store_principal(sp, primary_principal);
+ if (ret == 0)
+ ret = krb5_store_principal(sp, primary_principal);
- ret |= write_storage(context, sp, fd);
+ if (ret == 0)
+ ret = write_storage(context, sp, fd);
krb5_storage_free(sp);
}
- fcc_unlock(context, fd);
if (close(fd) < 0)
if (ret == 0) {
char buf[128];
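Review bot: The new `if (sp == NULL) return krb5_enomem(context);` returns while `fd` from the preceding fcc_open() is still open (and, with O_EXCL, a temp file has just been created), leaking the descriptor and its lock; use `if (sp == NULL) { close(fd); return krb5_enomem(context); }`. The same early return was added in fcc_store_cred in the hunk at `@@ -630,6 +736,8 @@` and needs the same close. The `ret == 0` chaining that replaces `ret |=` is a good change since error codes are not bit flags. fcc_initialize's body continues outside the hunk.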
@@ -600,7 +699,12 @@ fcc_close(krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
- free (FILENAME(id));
+ if (TMPFILENAME(id))
+ (void) unlink(TMPFILENAME(id));
+ free(TMPFILENAME(id));
+ free(RESFILENAME(id));
+ free(SUBFILENAME(id));
+ free(FILENAME(id));
krb5_data_free(&id->data);
return 0;
}
@@ -612,6 +716,8 @@ fcc_destroy(krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
+ if (TMPFILENAME(id))
+ (void) _krb5_erase_file(context, TMPFILENAME(id));
return _krb5_erase_file(context, FILENAME(id));
}
@@ -630,6 +736,8 @@ fcc_store_cred(krb5_context context,
krb5_storage *sp;
sp = krb5_storage_emem();
+ if (sp == NULL)
+ return krb5_enomem(context);
krb5_storage_set_eof_code(sp, KRB5_CC_END);
storage_set_flags(context, sp, FCACHE(id)->version);
ret = krb5_store_creds(sp, creds);
@@ -637,7 +745,6 @@ fcc_store_cred(krb5_context context,
ret = write_storage(context, sp, fd);
krb5_storage_free(sp);
}
- fcc_unlock(context, fd);
if (close(fd) < 0) {
if (ret == 0) {
char buf[128];
@@ -647,6 +754,21 @@ fcc_store_cred(krb5_context context,
FILENAME(id), buf);
}
}
+ if (ret == 0 && TMPFILENAME(id) &&
+ !krb5_is_config_principal(context, creds->server)) {
+
+ /*
+ * Portability note: there's no need to have WIN32 or other code here
+ * for odd rename cases because rk_rename() is meant to handle that.
+ */
+ ret = rk_rename(TMPFILENAME(id), FILENAME(id));
+ if (ret == 0) {
+ free(TMPFILENAME(id));
+ TMPFILENAME(id) = NULL;
+ } else {
+ ret = errno;
+ }
+ }
return ret;
}
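Review bot: The temp file is renamed into place only when a non-config credential is stored, so a cache that receives nothing but cc-config entries before fcc_close keeps them in TMPFILENAME, which fcc_close unlinks, and the data is silently discarded. If that is accepted behaviour it should be stated at the top of the block, e.g. `/* Config-only caches stay in the temp file and are dropped by fcc_close(); the rename happens on the first real credential */`. Note also that the rename runs after close(fd), so the exclusive lock from fcc_open has already been released at that point. The start of fcc_store_cred is outside the hunk.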
@@ -672,7 +794,7 @@ init_fcc(krb5_context context,
if(ret)
return ret;
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "r");
if(sp == NULL) {
krb5_clear_error_message(context);
ret = ENOMEM;
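Review bot: Switching to `krb5_storage_stdio_from_fd(fd, "r")` makes descriptor ownership worth stating: the `out:` path of init_fcc (next hunk) still does `close(fd)` after krb5_storage_free(sp), which is only correct if the stdio storage dup()s the descriptor rather than fdopen()ing it directly, otherwise the fd is closed twice. If it does dup, a comment such as `/* the stdio storage works on a dup() of fd; we still own and close fd */` would make that explicit. init_fcc starts and ends outside this hunk.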
@@ -798,7 +920,6 @@ init_fcc(krb5_context context,
out:
if(sp != NULL)
krb5_storage_free(sp);
- fcc_unlock(context, fd);
close(fd);
return ret;
}
@@ -819,20 +940,19 @@ fcc_get_principal(krb5_context context,
if (ret)
krb5_clear_error_message(context);
krb5_storage_free(sp);
- fcc_unlock(context, fd);
close(fd);
return ret;
}
static krb5_error_code KRB5_CALLCONV
-fcc_end_get (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor);
+fcc_end_get(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor);
static krb5_error_code KRB5_CALLCONV
-fcc_get_first (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor)
+fcc_get_first(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor)
{
krb5_error_code ret;
krb5_principal principal;
@@ -840,14 +960,13 @@ fcc_get_first (krb5_context context,
if (FCACHE(id) == NULL)
return krb5_einval(context, 2);
- *cursor = malloc(sizeof(struct fcc_cursor));
+ *cursor = calloc(1, sizeof(struct fcc_cursor));
if (*cursor == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
- memset(*cursor, 0, sizeof(struct fcc_cursor));
- ret = init_fcc(context, id, "get-frist", &FCC_CURSOR(*cursor)->sp,
+ ret = init_fcc(context, id, "get-first", &FCC_CURSOR(*cursor)->sp,
&FCC_CURSOR(*cursor)->fd, NULL);
if (ret) {
free(*cursor);
@@ -861,7 +980,6 @@ fcc_get_first (krb5_context context,
return ret;
}
krb5_free_principal (context, principal);
- fcc_unlock(context, FCC_CURSOR(*cursor)->fd);
return 0;
}
@@ -879,19 +997,16 @@ fcc_get_next (krb5_context context,
if (FCC_CURSOR(*cursor) == NULL)
return krb5_einval(context, 3);
- if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0)
- return ret;
- FCC_CURSOR(*cursor)->cred_start = lseek(FCC_CURSOR(*cursor)->fd,
- 0, SEEK_CUR);
+ FCC_CURSOR(*cursor)->cred_start =
+ krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds);
if (ret)
krb5_clear_error_message(context);
- FCC_CURSOR(*cursor)->cred_end = lseek(FCC_CURSOR(*cursor)->fd,
- 0, SEEK_CUR);
+ FCC_CURSOR(*cursor)->cred_end =
+ krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
- fcc_unlock(context, FCC_CURSOR(*cursor)->fd);
return ret;
}
@@ -1025,7 +1140,6 @@ cred_delete(krb5_context context,
ret = write_storage(context, sp, fd);
out:
if (fd > -1) {
- fcc_unlock(context, fd);
if (close(fd) < 0 && ret == 0) {
krb5_set_error_message(context, errno, N_("close %s", ""),
FILENAME(id));
@@ -1062,7 +1176,7 @@ fcc_remove_cred(krb5_context context,
krb5_free_cred_contents(context, &found_cred);
}
ret2 = krb5_cc_end_seq_get(context, id, &cursor);
- if (ret == 0)
+ if (ret2) /* not expected to fail */
return ret2;
if (ret == KRB5_CC_END)
return 0;
@@ -1090,62 +1204,326 @@ fcc_get_version(krb5_context context,
return FCACHE(id)->version;
}
+static const char *
+my_basename(const char *fn)
+{
+ const char *base, *p;
+
+ if (strncmp(fn, "FILE:", sizeof("FILE:") - 1) == 0)
+ fn += sizeof("FILE:") - 1;
+ for (p = base = fn; *p; p++) {
+#ifdef WIN32
+ if (*p == '/' || *p == '\\')
+ base = p + 1;
+#else
+ if (*p == '/')
+ base = p + 1;
+#endif
+ }
+ return base;
+}
+
+/* We could use an rk_dirname()... */
+static char *
+my_dirname(const char *fn)
+{
+ size_t len, i;
+ char *dname;
+
+ if (strncmp(fn, "FILE:", sizeof("FILE:") - 1) == 0)
+ fn += sizeof("FILE:") - 1;
+
+ if ((dname = strdup(fn)) == NULL)
+ return NULL;
+ len = strlen(dname);
+ for (i = 0; i < len; i++) {
+#ifdef WIN32
+ if (dname[len - i] == '\\' ||
+ dname[len - i] == '/') {
+ dname[len - i] = '\0';
+ break;
+ }
+#else
+ if (dname[len - i] == '/') {
+ dname[len - i] = '\0';
+ break;
+ }
+#endif
+ }
+ if (i < len)
+ return dname;
+ free(dname);
+ return strdup(".");
+}
+
+/*
+ * This checks that a directory entry matches a required basename and has a
+ * non-empty subsidiary component.
+ */
+static int
+matchbase(const char *fn, const char *base, size_t baselen)
+{
+ return strncmp(fn, base, baselen) == 0 &&
+ (fn[baselen] == FILESUBSEPCHR && fn[baselen + 1] != '\0');
+}
+
+/*
+ * Check if `def_locs' contains `name' (which must be the default ccache name),
+ * in which case the caller may look for subsidiaries of all of `def_locs'.
+ *
+ * This is needed because the collection iterators don't take a base location
+ * as an argument, so we can only search default locations, but only if the
+ * current default ccache name is indeed a default (as opposed to from
+ * KRB5CCNAME being set in the environment pointing to a non-default name).
+ */
+static krb5_error_code
+is_default_collection(krb5_context context, const char *name,
+ const char * const *def_locs, int *res)
+{
+ krb5_error_code ret;
+ const char *def_loc[2] = { KRB5_DEFAULT_CCNAME_FILE, NULL };
+ const char *sep;
+ size_t namelen;
+ size_t i;
+
+ *res = 0;
+ if (name == NULL) {
+ *res = 1;
+ return 0;
+ }
+ if ((sep = strchr(name, FILESUBSEPCHR)))
+ namelen = (size_t)(sep - name);
+ else
+ namelen = strlen(name);
+ if (def_locs == NULL)
+ def_locs = def_loc;
+ for (i = 0; !(*res) && def_locs[i]; i++) {
+ char *e = NULL;
+
+ if ((ret = _krb5_expand_default_cc_name(context, def_locs[i], &e)))
+ return ret;
+ *res = strncmp(e, name, namelen) == 0 &&
+ (sep == NULL || e[namelen] == FILESUBSEPCHR || e[namelen] == '\0');
+ free(e);
+ }
+ return 0;
+}
+
+/*
+ * Collection iterator cursor.
+ *
+ * There may be an array of locations, and for each location we'll try
+ * resolving it, as well as doing a readdir() of the dirname of it and output
+ * all ccache names in that directory that begin with the current location and
+ * end in "+${subsidiary}".
+ */
struct fcache_iter {
- int first;
+ const char *curr_location;
+ char *def_ccname; /* The default ccname */
+ char **locations; /* All the other places we'll look for a ccache */
+ char *dname; /* dirname() of curr_location */
+ DIR *d;
+ struct dirent *dentry;
+ int location; /* Index of `locations' */
+ unsigned int first:1;
+ unsigned int dead:1;
};
+/* Initiate FILE collection iteration */
static krb5_error_code KRB5_CALLCONV
fcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
{
- struct fcache_iter *iter;
+ struct fcache_iter *iter = NULL;
+ krb5_error_code ret;
+ const char *def_ccname = NULL;
+ char **def_locs = NULL;
+ int is_def_coll = 0;
+
+ if (krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults",
+ "enable_file_cache_iteration", NULL)) {
+ def_ccname = krb5_cc_default_name(context);
+ def_locs = krb5_config_get_strings(context, NULL, "libdefaults",
+ "default_file_cache_collections",
+ NULL);
+ }
- iter = calloc(1, sizeof(*iter));
- if (iter == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
+ /*
+ * Note: do not allow krb5_cc_default_name() to recurse via
+ * krb5_cc_cache_match().
+ * Note that context->default_cc_name will be NULL even though
+ * KRB5CCNAME is set in the environment if neither krb5_cc_default_name()
+ * nor krb5_cc_set_default_name() have been called.
+ */
+
+ /*
+ * Figure out if the current default ccache name is a really a default one
+ * so we know whether to search any other default FILE collection
+ * locations.
+ */
+ if ((ret = is_default_collection(context, def_ccname,
+ (const char **)def_locs,
+ &is_def_coll)))
+ goto out;
+
+ /* Setup the cursor */
+ if ((iter = calloc(1, sizeof(*iter))) == NULL ||
+ (def_ccname && (iter->def_ccname = strdup(def_ccname)) == NULL)) {
+ ret = krb5_enomem(context);
+ goto out;
}
+
+ if (is_def_coll) {
+ /* Since def_ccname is in the `def_locs', we'll include those */
+ iter->locations = def_locs;
+ free(iter->def_ccname);
+ iter->def_ccname = NULL;
+ def_locs = NULL;
+ } else {
+ /* Since def_ccname is NOT in the `def_locs', we'll exclude those */
+ iter->locations = NULL;
+ }
+ iter->curr_location = NULL;
+ iter->location = -1; /* Pre-incremented */
iter->first = 1;
+ iter->dname = NULL;
+ iter->d = NULL;
*cursor = iter;
+ iter = NULL;
+ ret = 0;
+
+out:
+ krb5_config_free_strings(def_locs);
+ free(iter);
+ return ret;
+}
+
+/* Pick the next location as the `iter->curr_location' */
+static krb5_error_code
+next_location(krb5_context context, struct fcache_iter *iter)
+{
+ if (iter->first && iter->def_ccname) {
+ iter->curr_location = iter->def_ccname;
+ iter->first = 0;
+ return 0;
+ }
+ iter->first = 0;
+
+ if (iter->d)
+ closedir(iter->d);
+ iter->d = NULL;
+ iter->curr_location = NULL;
+ if (iter->locations &&
+ (iter->curr_location = iter->locations[++(iter->location)]))
+ return 0;
+
+ iter->dead = 1; /* Do not run off the end of iter->locations */
+ return KRB5_CC_END;
+}
+
+/* Output the next match for `iter->curr_location' from readdir() */
+static krb5_error_code
+next_dir_match(krb5_context context, struct fcache_iter *iter, char **fn)
+{
+ struct stat st;
+ const char *base = my_basename(iter->curr_location);
+ size_t baselen = strlen(base);
+ char *s;
+
+ *fn = NULL;
+ if (iter->d == NULL)
+ return 0;
+ for (iter->dentry = readdir(iter->d);
+ iter->dentry;
+ iter->dentry = readdir(iter->d)) {
+ if (!matchbase(iter->dentry->d_name, base, baselen))
+ continue;
+ if (asprintf(&s, "FILE:%s/%s", iter->dname, iter->dentry->d_name) == -1 ||
+ s == NULL)
+ return krb5_enomem(context);
+ if (stat(s + sizeof("FILE:") - 1, &st) == 0 && S_ISREG(st.st_mode)) {
+ *fn = s;
+ return 0;
+ }
+ free(s);
+ }
+ iter->curr_location = NULL;
+ closedir(iter->d);
+ iter->d = NULL;
+ return 0;
+}
+
+/* See if the given `ccname' is a FILE ccache we can resolve */
+static krb5_error_code
+try1(krb5_context context, const char *ccname, krb5_ccache *id)
+{
+ krb5_error_code ret;
+ krb5_ccache cc;
+
+ ret = krb5_cc_resolve(context, ccname, &cc);
+ if (ret == ENOMEM)
+ return ret;
+ if (ret == 0) {
+ if (strcmp(krb5_cc_get_type(context, cc), "FILE") == 0) {
+ *id = cc;
+ cc = NULL;
+ }
+ krb5_cc_close(context, cc);
+ }
return 0;
}
+/* Output the next FILE ccache in the FILE ccache collection */
static krb5_error_code KRB5_CALLCONV
fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
{
struct fcache_iter *iter = cursor;
krb5_error_code ret;
- const char *fn, *cc_type;
- krb5_ccache cc;
+ char *name = NULL;
+ *id = NULL;
if (iter == NULL)
return krb5_einval(context, 2);
- if (!iter->first) {
- krb5_clear_error_message(context);
- return KRB5_CC_END;
- }
- iter->first = 0;
-
- /*
- * Note: do not allow krb5_cc_default_name() to recurse via
- * krb5_cc_cache_match().
- * Note that context->default_cc_name will be NULL even though
- * KRB5CCNAME is set in the environment if
- * krb5_cc_set_default_name() hasn't
- */
- fn = krb5_cc_default_name(context);
- ret = krb5_cc_resolve(context, fn, &cc);
- if (ret != 0)
- return ret;
- cc_type = krb5_cc_get_type(context, cc);
- if (strcmp(cc_type, "FILE") != 0) {
- krb5_cc_close(context, cc);
+ /* Do not run off the end of iter->locations */
+ if (iter->dead)
return KRB5_CC_END;
+
+ if (!iter->curr_location) {
+ /* Next base location */
+ if ((ret = next_location(context, iter)))
+ return ret;
+ /* Output the current base location */
+ if ((ret = try1(context, iter->curr_location, id)) || *id)
+ return ret;
}
- *id = cc;
+ /* Look for subsidiaries of iter->curr_location */
+ if (!iter->d) {
+ free(iter->dname);
+ if ((iter->dname = my_dirname(iter->curr_location)) == NULL)
+ return krb5_enomem(context);
+ if ((iter->d = opendir(iter->dname)) == NULL) {
+ /* Dirname ENOENT -> next location */
+ if ((ret = next_location(context, iter)))
+ return ret;
+ /* Tail-recurse */
+ return fcc_get_cache_next(context, cursor, id);
+ }
+ }
+ for (ret = next_dir_match(context, iter, &name);
+ ret == 0 && name != NULL;
+ ret = next_dir_match(context, iter, &name)) {
+ if ((ret = try1(context, name, id)) || *id) {
+ free(name);
+ return ret;
+ }
+ free(name);
+ }
- return 0;
+ /* Directory listing exhausted -> go to next location, tail-recurse */
+ if ((ret = next_location(context, iter)))
+ return ret;
+ return fcc_get_cache_next(context, cursor, id);
}
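Review bot: my_dirname never examines `dname[0]` because the loop only reaches indices `len - i` with `i < len`, so a cache directly under the root such as FILE:/krb5cc_0 yields "." as its directory and the collection scan in next_dir_match reads the wrong directory. The loop should also visit index 0 and, when the only separator is the leading one, return "/" rather than an empty string (rewrite below). In fcc_get_cache_first, when `def_locs` is NULL (option not configured) and the default name matches the built-in KRB5_DEFAULT_CCNAME_FILE, the is_def_coll branch sets `iter->locations = NULL` and frees `def_ccname`, so the iterator enumerates nothing, not even the default cache; the branch should presumably fall back to a one-element list holding KRB5_DEFAULT_CCNAME_FILE. In try1, `krb5_cc_close(context, cc)` is reached with `cc == NULL` on the FILE path, which is only safe if krb5_cc_close in cache.c (changed by this commit, not in view) tolerates a NULL id.
```c
static char *
my_dirname(const char *fn)
{
    size_t len, i;
    char *dname;
    int found = 0;

    /* … unchanged: strip the "FILE:" prefix and strdup() into dname … */
    len = strlen(dname);
    for (i = 0; i <= len; i++) {
        /* … WIN32 branch mirrors this and also accepts '\\' … */
        if (dname[len - i] == '/') {
            dname[len - i] = '\0';
            found = 1;
            break;
        }
    }
    if (found) {
        /* "/foo" must yield "/" rather than "" (dname holds at least two bytes here) */
        if (dname[0] == '\0') {
            dname[0] = '/';
            dname[1] = '\0';
        }
        return dname;
    }
    free(dname);
    return strdup(".");
}
```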
static krb5_error_code KRB5_CALLCONV
@@ -1156,6 +1534,11 @@ fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
if (iter == NULL)
return krb5_einval(context, 2);
+ krb5_config_free_strings(iter->locations);
+ if (iter->d)
+ closedir(iter->d);
+ free(iter->def_ccname);
+ free(iter->dname);
free(iter);
return 0;
}
@@ -1164,82 +1547,32 @@ static krb5_error_code KRB5_CALLCONV
fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
{
krb5_error_code ret = 0;
-
- ret = rk_rename(FILENAME(from), FILENAME(to));
-
- if (ret && errno != EXDEV) {
- char buf[128];
- ret = errno;
- rk_strerror_r(ret, buf, sizeof(buf));
- krb5_set_error_message(context, ret,
- N_("Rename of file from %s "
- "to %s failed: %s", ""),
- FILENAME(from), FILENAME(to), buf);
- return ret;
- } else if (ret && errno == EXDEV) {
- /* make a copy and delete the orignal */
- krb5_ssize_t sz1, sz2;
- int fd1, fd2;
- char buf[BUFSIZ];
-
- ret = fcc_open(context, from, "move/from", &fd1, O_RDONLY, 0);
- if(ret)
- return ret;
-
- unlink(FILENAME(to));
-
- ret = fcc_open(context, to, "move/to", &fd2,
- O_WRONLY | O_CREAT | O_EXCL, 0600);
- if(ret)
- goto out1;
-
- while((sz1 = read(fd1, buf, sizeof(buf))) > 0) {
- sz2 = write(fd2, buf, sz1);
- if (sz1 != sz2) {
- ret = EIO;
- krb5_set_error_message(context, ret,
- N_("Failed to write data from one file "
- "credential cache to the other", ""));
- goto out2;
- }
- }
- if (sz1 < 0) {
- ret = EIO;
- krb5_set_error_message(context, ret,
- N_("Failed to read data from one file "
- "credential cache to the other", ""));
- goto out2;
- }
- out2:
- fcc_unlock(context, fd2);
- close(fd2);
-
- out1:
- fcc_unlock(context, fd1);
- close(fd1);
-
- _krb5_erase_file(context, FILENAME(from));
-
- if (ret) {
- _krb5_erase_file(context, FILENAME(to));
- return ret;
- }
- }
-
- /* make sure ->version is uptodate */
- {
- krb5_storage *sp;
- int fd;
- if ((ret = init_fcc (context, to, "move", &sp, &fd, NULL)) == 0) {
- if (sp)
- krb5_storage_free(sp);
- fcc_unlock(context, fd);
- close(fd);
- }
+ krb5_fcache *f = FCACHE(from);
+ krb5_fcache *t = FCACHE(to);
+
+ if (f->tmpfn) {
+ /*
+ * If `from' has a temp file and we haven't renamed it into place yet,
+ * then we should rename TMPFILENAME(from) to FILENAME(to).
+ *
+ * This can only happen if we're moving a ccache where only cc config
+ * entries, or no entries, have been written. That's not likely.
+ */
+ if (rk_rename(f->tmpfn, t->filename)) {
+ ret = errno;
+ } else {
+ free(f->tmpfn);
+ f->tmpfn = NULL;
+ }
+ } else if (rk_rename(f->filename, t->filename)) {
+ ret = errno;
}
-
- fcc_close(context, from);
-
+ /*
+ * We need only close from -- we can't destroy it since the rename
+ * succeeded, which "destroyed" it at its old name.
+ */
+ if (ret == 0)
+ krb5_cc_close(context, from);
return ret;
}
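Review bot: The removed "make sure ->version is uptodate" block has no replacement, so after a successful rename `t->version` keeps the value fcc_resolve_2 gave it (0) while the file now carries `from`'s version, and a later fcc_store_cred on `to` calls storage_set_flags with FCACHE(id)->version; either copy `t->version = f->version;` after the rename or re-read it via init_fcc as before. The old EXDEV copy fallback is also gone, so moving a cache across filesystems now fails with the rename errno; if that is intentional, a comment above the rename should say so. Finally, `krb5_cc_close(context, from)` replaces the old `fcc_close(context, from)` and frees the krb5_ccache itself; that is only correct if krb5_cc_move in cache.c (not in view) no longer touches `from` afterwards.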
@@ -1252,6 +1585,35 @@ fcc_get_default_name(krb5_context context, char **str)
}
static krb5_error_code KRB5_CALLCONV
+fcc_set_default_cache(krb5_context context, krb5_ccache id)
+{
+ krb5_error_code ret;
+ krb5_ccache dest;
+ char *s = NULL;
+
+ if (SUBFILENAME(id) == NULL)
+ return 0; /* Already a primary */
+ if (asprintf(&s, "FILE:%s", RESFILENAME(id)) == -1 || s == NULL)
+ return krb5_enomem(context);
+
+ /*
+ * We can't hard-link, since we refuse to open ccaches with st_nlink > 1,
+ * and we can't rename() the ccache because the old name should remain
+ * available. Ergo, we copy the ccache.
+ */
+ ret = krb5_cc_resolve(context, s, &dest);
+ if (ret == 0)
+ ret = krb5_cc_copy_cache(context, id, dest);
+ free(s);
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Failed to copy subsidiary cache file %s to "
+ "default %s", ""), FILENAME(id),
+ RESFILENAME(id));
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
fcc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
{
krb5_error_code ret;
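Review bot: `dest` obtained from krb5_cc_resolve() is never closed in fcc_set_default_cache, so every call leaks a krb5_ccache; change the copy step to `if (ret == 0) { ret = krb5_cc_copy_cache(context, id, dest); krb5_cc_close(context, dest); }`. The comment explaining why a copy rather than a hard link or rename is used is helpful and should stay next to the copy.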
@@ -1287,7 +1649,6 @@ fcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
ret = init_fcc(context, id, "get-kdc-offset", &sp, &fd, kdc_offset);
if (sp)
krb5_storage_free(sp);
- fcc_unlock(context, fd);
close(fd);
return ret;
@@ -1301,10 +1662,10 @@ fcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"FILE",
- fcc_get_name,
- fcc_resolve,
+ NULL,
+ NULL,
fcc_gen_new,
fcc_initialize,
fcc_destroy,
@@ -1323,8 +1684,10 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops = {
fcc_end_cache_get,
fcc_move,
fcc_get_default_name,
- NULL,
+ fcc_set_default_cache,
fcc_lastchange,
fcc_set_kdc_offset,
- fcc_get_kdc_offset
+ fcc_get_kdc_offset,
+ fcc_get_name_2,
+ fcc_resolve_2
};
diff --git a/lib/krb5/generate_subkey.c b/lib/krb5/generate_subkey.c
index 07047461ee77..767d94cf7fe6 100644
--- a/lib/krb5/generate_subkey.c
+++ b/lib/krb5/generate_subkey.c
@@ -58,7 +58,7 @@ krb5_generate_subkey_extended(krb5_context context,
if (*subkey == NULL)
return krb5_enomem(context);
- if (etype == (krb5_enctype)ETYPE_NULL)
+ if (etype == ETYPE_NULL)
etype = key->keytype; /* use session key etype */
/* XXX should we use the session key as input to the RF? */
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 70b3e5f41447..6e48846bcb3a 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -3,7 +3,7 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
- * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -38,8 +38,10 @@
static krb5_error_code
get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
- krb5_ccache, krb5_creds *, krb5_principal,
- Ticket *, krb5_creds **, krb5_creds ***);
+ krb5_ccache, struct krb5_fast_state *,
+ krb5_creds *, krb5_principal,
+ Ticket *, const char *, const char *,
+ krb5_creds **, krb5_creds ***);
/*
* Take the `body' and encode it into `padata' using the credentials
@@ -48,35 +50,33 @@ get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
static krb5_error_code
make_pa_tgs_req(krb5_context context,
- krb5_auth_context ac,
+ krb5_auth_context *ac,
KDC_REQ_BODY *body,
- PA_DATA *padata,
- krb5_creds *creds)
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ krb5_data *tgs_req)
{
- u_char *buf;
+ krb5_error_code ret;
+ krb5_data in_data;
size_t buf_size;
size_t len = 0;
- krb5_data in_data;
- krb5_error_code ret;
+ uint8_t *buf;
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, body, &len, ret);
if (ret)
- goto out;
+ return ret;
+
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
in_data.length = len;
in_data.data = buf;
- ret = _krb5_mk_req_internal(context, &ac, 0, &in_data, creds,
- &padata->padata_value,
+ ret = _krb5_mk_req_internal(context, ac, 0, &in_data,
+ creds, tgs_req,
KRB5_KU_TGS_REQ_AUTH_CKSUM,
KRB5_KU_TGS_REQ_AUTH);
- out:
free (buf);
- if(ret)
- return ret;
- padata->padata_type = KRB5_PADATA_TGS_REQ;
- return 0;
+ return ret;
}
/*
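Review bot: The new `krb5_ccache ccache` parameter of make_pa_tgs_req is never referenced in its body, and the only caller in this diff (init_tgs_req) just forwards its own `ccache`; either drop it or say why it is reserved. The other interface change, `ac` passed as `krb5_auth_context *` (presumably so `_krb5_mk_req_internal` can update it) together with the caller-supplied `tgs_req` output, deserves a line above the signature, e.g. `/* On success *tgs_req is malloc'd and owned by the caller; ac is passed through to _krb5_mk_req_internal. */`.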
@@ -114,19 +114,20 @@ set_auth_data (krb5_context context,
req_body->enc_authorization_data = NULL;
return ret;
}
- krb5_encrypt_EncryptedData(context,
- crypto,
- KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
- buf,
- len,
- 0,
- req_body->enc_authorization_data);
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
+ buf,
+ len,
+ 0,
+ req_body->enc_authorization_data);
free (buf);
krb5_crypto_destroy(context, crypto);
+ return ret;
} else {
req_body->enc_authorization_data = NULL;
+ return 0;
}
- return 0;
}
/*
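Review bot: The new error return after `ret = krb5_encrypt_EncryptedData(...)` leaves `req_body->enc_authorization_data` allocated and partially filled, whereas the failure path a few lines above resets it to NULL before returning. init_tgs_req's fail label frees the whole TGS_REQ, so this is not a leak as used, but freeing the EncryptedData and NULLing the pointer on this path too would keep set_auth_data's contract uniform (`enc_authorization_data` is NULL whenever the function fails). The function body starts outside the hunk.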
@@ -138,6 +139,7 @@ set_auth_data (krb5_context context,
static krb5_error_code
init_tgs_req (krb5_context context,
krb5_ccache ccache,
+ struct krb5_fast_state *state,
krb5_addresses *addresses,
krb5_kdc_flags flags,
Ticket *second_ticket,
@@ -150,8 +152,11 @@ init_tgs_req (krb5_context context,
{
krb5_auth_context ac = NULL;
krb5_error_code ret = 0;
+ krb5_data tgs_req;
+ krb5_data_zero(&tgs_req);
memset(t, 0, sizeof(*t));
+
t->pvno = 5;
t->msg_type = krb_tgs_req;
if (in_creds->session.keytype) {
@@ -234,21 +239,80 @@ init_tgs_req (krb5_context context,
if (ret)
goto fail;
}
- ALLOC(t->padata, 1);
- if (t->padata == NULL) {
- ret = krb5_enomem(context);
+
+ ret = krb5_auth_con_init(context, &ac);
+ if(ret)
+ goto fail;
+
+ ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
+ if (ret)
goto fail;
+
+ if (state) {
+ krb5_data empty;
+
+ krb5_data_zero(&empty);
+ ret = krb5_auth_con_add_AuthorizationData(context, ac,
+ KRB5_AUTHDATA_FX_FAST_USED,
+ &empty);
+ if (ret)
+ goto fail;
}
- ALLOC_SEQ(t->padata, 1 + padata->len);
- if (t->padata->val == NULL) {
- ret = krb5_enomem(context);
+
+ ret = set_auth_data(context, &t->req_body,
+ &in_creds->authdata, ac->local_subkey);
+ if (ret)
goto fail;
+
+ ret = make_pa_tgs_req(context,
+ &ac,
+ &t->req_body,
+ ccache,
+ krbtgt,
+ &tgs_req);
+ if(ret)
+ goto fail;
+
+ /*
+ * Add KRB5_PADATA_TGS_REQ first
+ * followed by all others.
+ */
+
+ if (t->padata == NULL) {
+ ALLOC(t->padata, 1);
+ if (t->padata == NULL) {
+ ret = krb5_enomem(context);
+ goto fail;
+ }
}
+
+ ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ,
+ tgs_req.data, tgs_req.length);
+ if (ret)
+ goto fail;
+
+ krb5_data_zero(&tgs_req);
+
{
size_t i;
for (i = 0; i < padata->len; i++) {
- ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
+ const PA_DATA *val1 = &padata->val[i];
+ PA_DATA val2;
+
+ ret = copy_PA_DATA(val1, &val2);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto fail;
+ }
+
+ ret = krb5_padata_add(context, t->padata,
+ val2.padata_type,
+ val2.padata_value.data,
+ val2.padata_value.length);
if (ret) {
+ free_PA_DATA(&val2);
+
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
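Review bot: After `ret = krb5_padata_add(context, t->padata, val2.padata_type, ...)` fails, the code stamps `N_("malloc: out of memory", "")` onto whatever code krb5_padata_add returned; unless that function can only fail on allocation (its body is not in this diff) the message misleads. The copy/add sequence also silently transfers ownership of `val2.padata_value.data` to `t->padata` (val2 is never freed on success, the same way `krb5_data_zero(&tgs_req)` follows the first add), which deserves a comment at the loop such as `/* krb5_padata_add takes ownership of the value buffer */`. For the copy_PA_DATA failure, `ret = krb5_enomem(context);` as used for the `ALLOC(t->padata, 1)` failure just above would be consistent. init_tgs_req continues outside the hunk on both sides.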
@@ -256,26 +320,20 @@ init_tgs_req (krb5_context context,
}
}
- ret = krb5_auth_con_init(context, &ac);
- if(ret)
- goto fail;
-
- ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
- if (ret)
- goto fail;
+ if (state) {
+ state->armor_ac = ac;
+ ret = _krb5_fast_create_armor(context, state, NULL);
+ state->armor_ac = NULL;
+ if (ret)
+ goto fail;
- ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
- ac->local_subkey);
- if (ret)
- goto fail;
+ ret = _krb5_fast_wrap_req(context, state, t);
+ if (ret)
+ goto fail;
- ret = make_pa_tgs_req(context,
- ac,
- &t->req_body,
- &t->padata->val[0],
- krbtgt);
- if(ret)
- goto fail;
+ /* Its ok if there is no fast in the TGS-REP, older heimdal only support it in the AS code path */
+ state->flags &= ~KRB5_FAST_EXPECTED;
+ }
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
if (ret)
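Review bot: `state->flags &= ~KRB5_FAST_EXPECTED;` unconditionally drops the expectation that the TGS-REP is FAST-wrapped, so, assuming _krb5_fast_unwrap_kdc_rep honours that flag, a reply arriving without the FAST wrapper is accepted even though the request was armored. The comment presents this as compatibility with older Heimdal KDCs, which is a deliberate trade-off, but it should say so in those terms: `/* It's OK if the TGS-REP carries no FAST wrapper: older Heimdal KDCs only implement FAST in the AS exchange, so a missing wrapper here is tolerated rather than treated as a downgrade. */`. A configuration knob for sites that want strict FAST on the TGS exchange would be the natural follow-up.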
@@ -288,6 +346,8 @@ fail:
t->req_body.addresses = NULL;
free_TGS_REQ (t);
}
+ krb5_data_free(&tgs_req);
+
return ret;
}
@@ -306,6 +366,9 @@ _krb5_get_krbtgt(krb5_context context,
if (ret)
return ret;
+ if (realm == NULL)
+ realm = tmp_cred.client->realm;
+
ret = krb5_make_principal(context,
&tmp_cred.server,
realm,
@@ -333,6 +396,42 @@ _krb5_get_krbtgt(krb5_context context,
return 0;
}
+static krb5_error_code
+fast_tgs_strengthen_key(krb5_context context,
+ struct krb5_fast_state *state,
+ krb5_keyblock *reply_key,
+ krb5_keyblock *extract_key)
+{
+ krb5_error_code ret;
+
+ if (state && state->strengthen_key) {
+ _krb5_debug(context, 5, "_krb5_fast_tgs_strengthen_key");
+
+ if (state->strengthen_key->keytype != reply_key->keytype) {
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
+ N_("strengthen_key %d not same enctype as reply key %d", ""),
+ state->strengthen_key->keytype, reply_key->keytype);
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+
+ ret = _krb5_fast_cf2(context,
+ state->strengthen_key,
+ "strengthenkey",
+ reply_key,
+ "replykey",
+ extract_key,
+ NULL);
+ if (ret)
+ return ret;
+ } else {
+ ret = krb5_copy_keyblock_contents(context, reply_key, extract_key);
+ if (ret)
+ return ret;
+ }
+
+ return 0;
+}
+
/* DCE compatible decrypt proc */
static krb5_error_code KRB5_CALLCONV
decrypt_tkt_with_subkey (krb5_context context,
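Review bot: The debug line `_krb5_debug(context, 5, "_krb5_fast_tgs_strengthen_key");` names a function that does not exist here; the static function is `fast_tgs_strengthen_key`. The later KRB-ERROR debug line in get_cred_kdc (`"parse_tgs_rep: KRB-ERROR %d/%s"`) likewise names a function that is not in this file. Logging the real function name keeps traces searchable, e.g. `_krb5_debug(context, 5, "fast_tgs_strengthen_key: combining strengthen key with reply key");`.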
@@ -341,11 +440,14 @@ decrypt_tkt_with_subkey (krb5_context context,
krb5_const_pointer skey,
krb5_kdc_rep *dec_rep)
{
- const krb5_keyblock *subkey = skey;
+ struct krb5_decrypt_tkt_with_subkey_state *state;
krb5_error_code ret = 0;
krb5_data data;
size_t size;
krb5_crypto crypto;
+ krb5_keyblock extract_key;
+
+ state = (struct krb5_decrypt_tkt_with_subkey_state *)skey;
assert(usage == 0);
@@ -354,8 +456,14 @@ decrypt_tkt_with_subkey (krb5_context context,
/*
* start out with trying with subkey if we have one
*/
- if (subkey) {
- ret = krb5_crypto_init(context, subkey, 0, &crypto);
+ if (state->subkey) {
+ ret = fast_tgs_strengthen_key(context, state->fast_state,
+ state->subkey, &extract_key);
+ if (ret)
+ return ret;
+
+ ret = krb5_crypto_init(context, &extract_key, 0, &crypto);
+ krb5_free_keyblock_contents(context, &extract_key);
if (ret)
return ret;
ret = krb5_decrypt_EncryptedData (context,
@@ -367,7 +475,7 @@ decrypt_tkt_with_subkey (krb5_context context,
* If the is Windows 2000 DC, we need to retry with key usage
* 8 when doing ARCFOUR.
*/
- if (ret && subkey->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
+ if (ret && state->subkey->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
ret = krb5_decrypt_EncryptedData(context,
crypto,
8,
@@ -376,7 +484,11 @@ decrypt_tkt_with_subkey (krb5_context context,
}
krb5_crypto_destroy(context, crypto);
}
- if (subkey == NULL || ret) {
+ if (state->subkey == NULL || ret) {
+ ret = fast_tgs_strengthen_key(context, state->fast_state, key, &extract_key);
+ if (ret)
+ return ret;
+
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
return ret;
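Review bot: In the fallback branch `extract_key` is computed by `fast_tgs_strengthen_key(context, state->fast_state, key, &extract_key)` but then never used, since `krb5_crypto_init(context, key, 0, &crypto)` still takes the raw `key`, and never freed; every ticket decrypted via the session key therefore leaks a keyblock of key material, and if the strengthened key was intended the FAST reply key is simply not applied on this path. The subkey branch above shows the intended shape: `krb5_crypto_init(context, &extract_key, 0, &crypto);` followed by `krb5_free_keyblock_contents(context, &extract_key);`; mirror it here or drop the strengthen call. decrypt_tkt_with_subkey continues outside the hunk.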
@@ -409,19 +521,21 @@ decrypt_tkt_with_subkey (krb5_context context,
static krb5_error_code
get_cred_kdc(krb5_context context,
krb5_ccache id,
+ struct krb5_fast_state *fast_state,
krb5_kdc_flags flags,
krb5_addresses *addresses,
krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds *out_creds)
{
TGS_REQ req;
krb5_data enc;
krb5_data resp;
- krb5_kdc_rep rep = {0};
- KRB_ERROR error;
+ krb5_kdc_rep rep;
krb5_error_code ret;
unsigned nonce;
krb5_keyblock *subkey = NULL;
@@ -429,6 +543,7 @@ get_cred_kdc(krb5_context context,
Ticket second_ticket_data;
METHOD_DATA padata;
+ memset(&rep, 0, sizeof(rep));
krb5_data_zero(&resp);
krb5_data_zero(&enc);
padata.val = NULL;
@@ -500,6 +615,7 @@ get_cred_kdc(krb5_context context,
ret = init_tgs_req (context,
id,
+ fast_state,
addresses,
flags,
second_ticket,
@@ -532,6 +648,11 @@ get_cred_kdc(krb5_context context,
return ret;
krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
+ if (kdc_hostname)
+ krb5_sendto_set_hostname(context, stctx, kdc_hostname);
+ if (sitename)
+ krb5_sendto_set_sitename(context, stctx, sitename);
+
ret = krb5_sendto_context (context, stctx, &enc,
krbtgt->server->name.name_string.val[1],
&resp);
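Review bot: The return values of `krb5_sendto_set_hostname(context, stctx, kdc_hostname)` and `krb5_sendto_set_sitename(context, stctx, sitename)` are ignored; if they return a krb5_error_code like the other sendto calls here (the allocation just above is checked with `return ret;`), an allocation failure would silently send the request to the default KDC instead of the configured LKDC host. Check both and leave through the same cleanup a later sendto failure uses so `stctx` is released. get_cred_kdc continues outside the hunk.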
@@ -541,18 +662,33 @@ get_cred_kdc(krb5_context context,
goto out;
if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) {
+ struct krb5_decrypt_tkt_with_subkey_state state;
unsigned eflags = 0;
+ krb5_data data;
+ size_t size;
+
+ ASN1_MALLOC_ENCODE(Ticket, data.data, data.length,
+ &rep.kdc_rep.ticket, &size, ret);
+ if (ret)
+ goto out;
+ heim_assert(data.length == size, "ASN.1 internal error");
+
+ ret = _krb5_fast_unwrap_kdc_rep(context, nonce, &data,
+ fast_state, &rep.kdc_rep);
+ krb5_data_free(&data);
+ if (ret)
+ goto out;
ret = krb5_copy_principal(context,
in_creds->client,
&out_creds->client);
if(ret)
- goto out2;
+ goto out;
ret = krb5_copy_principal(context,
in_creds->server,
&out_creds->server);
if(ret)
- goto out2;
+ goto out;
/* this should go someplace else */
out_creds->times.endtime = in_creds->times.endtime;
@@ -562,6 +698,9 @@ get_cred_kdc(krb5_context context,
if (flags.b.request_anonymous)
eflags |= EXTRACT_TICKET_MATCH_ANON;
+ state.subkey = subkey;
+ state.fast_state = fast_state;
+
ret = _krb5_extract_ticket(context,
&rep,
out_creds,
@@ -573,12 +712,36 @@ get_cred_kdc(krb5_context context,
eflags,
NULL,
decrypt_tkt_with_subkey,
- subkey);
- out2:
- krb5_free_kdc_rep(context, &rep);
- } else if(krb5_rd_error(context, &resp, &error) == 0) {
- ret = krb5_error_from_rd_error(context, &error, in_creds);
- krb5_free_error_contents(context, &error);
+ &state);
+ } else if(krb5_rd_error(context, &resp, &rep.error) == 0) {
+ METHOD_DATA md;
+
+ memset(&md, 0, sizeof(md));
+
+ if (rep.error.e_data) {
+ ret = decode_METHOD_DATA(rep.error.e_data->data,
+ rep.error.e_data->length,
+ &md, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("Failed to decode METHOD-DATA", ""));
+ goto out;
+ }
+ }
+
+ ret = _krb5_fast_unwrap_error(context, nonce, fast_state, &md, &rep.error);
+ free_METHOD_DATA(&md);
+ if (ret)
+ goto out;
+
+ ret = krb5_error_from_rd_error(context, &rep.error, in_creds);
+
+ /* log the failure */
+ if (_krb5_have_debug(context, 5)) {
+ const char *str = krb5_get_error_message(context, ret);
+ _krb5_debug(context, 5, "parse_tgs_rep: KRB-ERROR %d/%s", ret, str);
+ krb5_free_error_message(context, str);
+ }
} else if(resp.length > 0 && ((char*)resp.data)[0] == 4) {
ret = KRB5KRB_AP_ERR_V4_REPLY;
krb5_clear_error_message(context);
@@ -588,6 +751,7 @@ get_cred_kdc(krb5_context context,
}
out:
+ krb5_free_kdc_rep(context, &rep);
if (second_ticket == &second_ticket_data)
free_Ticket(&second_ticket_data);
free_METHOD_DATA(&padata);
@@ -607,12 +771,15 @@ out:
static krb5_error_code
get_cred_kdc_address(krb5_context context,
krb5_ccache id,
+ struct krb5_fast_state *fast_state,
krb5_kdc_flags flags,
krb5_addresses *addrs,
krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds *out_creds)
{
krb5_error_code ret;
@@ -630,16 +797,18 @@ get_cred_kdc_address(krb5_context context,
"no-addresses", FALSE, &noaddr);
if (!noaddr) {
- krb5_get_all_client_addrs(context, &addresses);
+ ret = krb5_get_all_client_addrs(context, &addresses);
+ if (ret)
+ return ret;
/* XXX this sucks. */
addrs = &addresses;
if(addresses.len == 0)
addrs = NULL;
}
}
- ret = get_cred_kdc(context, id, flags, addrs, in_creds,
- krbtgt, impersonate_principal,
- second_ticket, out_creds);
+ ret = get_cred_kdc(context, id, fast_state, flags, addrs,
+ in_creds, krbtgt, impersonate_principal,
+ second_ticket, kdc_hostname, sitename, out_creds);
krb5_free_addresses(context, &addresses);
return ret;
}
@@ -656,6 +825,9 @@ krb5_get_kdc_cred(krb5_context context,
{
krb5_error_code ret;
krb5_creds *krbtgt;
+ struct krb5_fast_state fast_state;
+
+ memset(&fast_state, 0, sizeof(fast_state));
*out_creds = calloc(1, sizeof(**out_creds));
if(*out_creds == NULL)
@@ -669,9 +841,11 @@ krb5_get_kdc_cred(krb5_context context,
*out_creds = NULL;
return ret;
}
- ret = get_cred_kdc(context, id, flags, addresses,
- in_creds, krbtgt, NULL, NULL, *out_creds);
+ ret = get_cred_kdc(context, id, &fast_state, flags,
+ addresses, in_creds, krbtgt,
+ NULL, NULL, NULL, NULL, *out_creds);
krb5_free_creds (context, krbtgt);
+ _krb5_fast_free(context, &fast_state);
if(ret) {
free(*out_creds);
*out_creds = NULL;
@@ -683,16 +857,17 @@ static int
not_found(krb5_context context, krb5_const_principal p, krb5_error_code code)
{
krb5_error_code ret;
- const char *err;
char *str;
+ const char *err;
- err = krb5_get_error_message(context, code);
ret = krb5_unparse_name(context, p, &str);
if(ret) {
krb5_clear_error_message(context);
return code;
}
+ err = krb5_get_error_message(context, code);
krb5_set_error_message(context, code, N_("%s (%s)", ""), err, str);
+ krb5_free_error_message(context, err);
free(str);
return code;
}
@@ -748,10 +923,13 @@ static krb5_error_code
get_cred_kdc_capath_worker(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_const_realm try_realm,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -798,11 +976,14 @@ get_cred_kdc_capath_worker(krb5_context context,
ok_as_delegate = tgts.flags.b.ok_as_delegate;
}
- ret = get_cred_kdc_address(context, ccache, flags, NULL,
- in_creds, &tgts,
- impersonate_principal,
- second_ticket,
- *out_creds);
+ ret = get_cred_kdc_address(context, ccache, fast_state,
+ flags, NULL,
+ in_creds, &tgts,
+ impersonate_principal,
+ second_ticket,
+ kdc_hostname,
+ sitename,
+ *out_creds);
krb5_free_cred_contents(context, &tgts);
if (ret == 0 &&
!krb5_principal_compare(context, in_creds->server,
@@ -834,8 +1015,10 @@ get_cred_kdc_capath_worker(krb5_context context,
while (1) {
heim_general_string tgt_inst;
- ret = get_cred_kdc_capath(context, flags, ccache, &tmp_creds,
- NULL, NULL, &tgt, ret_tgts);
+ ret = get_cred_kdc_capath(context, flags, ccache, fast_state,
+ &tmp_creds, NULL, NULL,
+ kdc_hostname, sitename,
+ &tgt, ret_tgts);
if (ret)
goto out;
@@ -866,9 +1049,9 @@ get_cred_kdc_capath_worker(krb5_context context,
goto out;
}
- ret = get_cred_kdc_address(context, ccache, flags, NULL,
+ ret = get_cred_kdc_address(context, ccache, fast_state, flags, NULL,
in_creds, tgt, impersonate_principal,
- second_ticket, *out_creds);
+ second_ticket, kdc_hostname, sitename, *out_creds);
if (ret == 0 &&
!krb5_principal_compare(context, in_creds->server,
(*out_creds)->server)) {
@@ -911,9 +1094,12 @@ static krb5_error_code
get_cred_kdc_capath(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
@@ -924,24 +1110,32 @@ get_cred_kdc_capath(krb5_context context,
server_realm = krb5_principal_get_realm(context, in_creds->server);
try_realm = client_realm;
- ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds, try_realm,
- impersonate_principal, second_ticket, out_creds,
- ret_tgts);
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, fast_state,
+ in_creds, try_realm, impersonate_principal,
+ second_ticket, kdc_hostname, sitename,
+ out_creds, ret_tgts);
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
try_realm = krb5_config_get_string(context, NULL, "capaths",
client_realm, server_realm, NULL);
- if (try_realm != NULL && strcmp(try_realm, client_realm)) {
- ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds,
- try_realm, impersonate_principal,
- second_ticket, out_creds, ret_tgts);
+ if (try_realm != NULL && strcmp(try_realm, client_realm) != 0) {
+ ret = get_cred_kdc_capath_worker(context, flags, ccache, fast_state,
+ in_creds, try_realm, impersonate_principal,
+ second_ticket, kdc_hostname, sitename,
+ out_creds, ret_tgts);
}
}
return ret;
}
+static krb5_boolean skip_referrals(krb5_principal server,
+ krb5_kdc_flags *flags)
+{
+ return server->name.name_string.len < 2 && !flags->b.canonicalize;
+}
+
/*
* Get a service ticket from a KDC by chasing referrals from a start realm.
*
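Review bot: `skip_referrals` takes `krb5_kdc_flags *flags` but only reads `flags->b.canonicalize`; every other function in this file passes `krb5_kdc_flags` by value, and both callers have to take the address of a local (`&flags`) to use it. `static krb5_boolean skip_referrals(krb5_const_principal server, krb5_kdc_flags flags)` matches the file's convention and drops a needless indirection. A one-line comment saying why fewer than two name components rules out referrals would help the next reader.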
@@ -953,9 +1147,12 @@ static krb5_error_code
get_cred_kdc_referral(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
Ticket *second_ticket,
+ const char *kdc_hostname,
+ const char *sitename,
krb5_creds **out_creds)
{
krb5_realm start_realm = NULL;
@@ -965,9 +1162,10 @@ get_cred_kdc_referral(krb5_context context,
krb5_creds **referral_tgts = NULL; /* used for loop detection */
int loop = 0;
int ok_as_delegate = 1;
+ int want_tgt;
size_t i;
- if (in_creds->server->name.name_string.len < 2 && !flags.b.canonicalize) {
+ if (skip_referrals(in_creds->server, &flags)) {
krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
N_("Name too short to do referals, skipping", ""));
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
@@ -1013,14 +1211,34 @@ get_cred_kdc_referral(krb5_context context,
}
}
+ /*
+ * If the desired service principal service/host@REALM is not a TGT, start
+ * by asking for a ticket for service/host@START_REALM and process referrals
+ * from there.
+ *
+ * However, when we ask for a TGT, krbtgt/A@B, we're actually looking for a
+ * path to realm B, so that we can explicitly obtain a ticket for krbtgt/A
+ * from B, and not some other realm. Therefore, in this case our starting
+ * point will be krbtgt/B@START_REALM. Only once we obtain a ticket for
+ * krbtgt/B@some-transit, do we switch to requesting krbtgt/A@B on our
+ * final request.
+ */
referral = *in_creds;
- ret = krb5_copy_principal(context, in_creds->server, &referral.server);
+ want_tgt = in_creds->server->realm[0] != '\0' &&
+ krb5_principal_is_krbtgt(context, in_creds->server);
+ if (!want_tgt)
+ ret = krb5_copy_principal(context, in_creds->server, &referral.server);
+ else
+ ret = krb5_make_principal(context, &referral.server, start_realm,
+ KRB5_TGS_NAME, in_creds->server->realm, NULL);
+
if (ret) {
krb5_free_cred_contents(context, &tgt);
free(start_realm);
return ret;
}
- ret = krb5_principal_set_realm(context, referral.server, start_realm);
+ if (!want_tgt)
+ ret = krb5_principal_set_realm(context, referral.server, start_realm);
free(start_realm);
start_realm = NULL;
if (ret) {
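Review bot: `want_tgt = in_creds->server->realm[0] != '\0' && ...` dereferences the realm without a NULL check, whereas check_cc later in this diff guards the same field with `out_creds->server->realm && out_creds->server->realm[0] == '\0'`. If a principal's realm can be NULL here (the check_cc guard suggests the code allows it) this is a NULL dereference on a path that has not yet consulted the ccache; otherwise the check_cc guard is dead and one of the two should change. `want_tgt = in_creds->server->realm != NULL && in_creds->server->realm[0] != '\0' && krb5_principal_is_krbtgt(context, in_creds->server);` would settle it.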
@@ -1035,7 +1253,7 @@ get_cred_kdc_referral(krb5_context context,
char *referral_realm;
/* Use cache if we are not doing impersonation or contrained deleg */
- if (impersonate_principal == NULL || flags.b.cname_in_addl_tkt) {
+ if (impersonate_principal == NULL && !flags.b.cname_in_addl_tkt) {
krb5_cc_clear_mcred(&mcreds);
mcreds.server = referral.server;
krb5_timeofday(context, &mcreds.times.endtime);
@@ -1045,17 +1263,32 @@ get_cred_kdc_referral(krb5_context context,
ret = EINVAL;
if (ret) {
- ret = get_cred_kdc_address(context, ccache, flags, NULL,
+ ret = get_cred_kdc_address(context, ccache, fast_state, flags, NULL,
&referral, &tgt, impersonate_principal,
- second_ticket, &ticket);
+ second_ticket, kdc_hostname, sitename, &ticket);
if (ret)
goto out;
}
- /* Did we get the right ticket ? */
- if (krb5_principal_compare_any_realm(context,
- referral.server,
- ticket.server))
+ /*
+ * Did we get the right ticket?
+ *
+ * If we weren't asking for a TGT, then we don't mind if we took a realm
+ * change (referral.server has a referral realm, not necessarily the
+ * original).
+ *
+ * However, if we were looking for a TGT (which wouldn't be the start
+ * TGT, since that one must be in the ccache) then we actually want the
+ * one from the realm we wanted, since otherwise a _referral_ will
+ * confuse us and we will store that referral. In Heimdal we mostly
+ * never ask krb5_get_cred*() for TGTs, but some sites have code to ask
+ * for a ktbgt/REMOTE.REALM@REMOTE.REALM, and one could always use
+ * kgetcred(1) to get here asking for a krbtgt/C@D and we need to handle
+ * the case where last hop we get is krbtgt/C@B (in which case we must
+ * stop so we don't beat up on B for the remaining tries).
+ */
+ if (!want_tgt &&
+ krb5_principal_compare(context, referral.server, ticket.server))
break;
if (!krb5_principal_is_krbtgt(context, ticket.server)) {
@@ -1107,9 +1340,21 @@ get_cred_kdc_referral(krb5_context context,
goto out;
/* try realm in the referral */
- ret = krb5_principal_set_realm(context,
- referral.server,
- referral_realm);
+ if (!want_tgt || strcmp(referral_realm, in_creds->server->realm) != 0)
+ ret = krb5_principal_set_realm(context,
+ referral.server,
+ referral_realm);
+ else {
+ /*
+ * Now that we have a ticket for the desired realm, we reset
+ * want_tgt and reinstate the desired principal so that the we can
+ * match it and break out of the loop.
+ */
+ want_tgt = 0;
+ krb5_free_principal(context, referral.server);
+ referral.server = NULL;
+ ret = krb5_copy_principal(context, in_creds->server, &referral.server);
+ }
krb5_free_cred_contents(context, &tgt);
tgt = ticket;
memset(&ticket, 0, sizeof(ticket));
@@ -1139,14 +1384,43 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_cred_kdc_any(krb5_context context,
krb5_kdc_flags flags,
krb5_ccache ccache,
+ struct krb5_fast_state *fast_state,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
+ char *kdc_hostname = NULL;
+ char *sitename = NULL;
krb5_error_code ret;
krb5_deltat offset;
+ krb5_data data;
+
+ krb5_data_zero(&data);
+
+ /*
+ * If we are using LKDC, lets pull out the addreses from the
+ * ticket and use that.
+ */
+
+ ret = krb5_cc_get_config(context, ccache, NULL, "lkdc-hostname", &data);
+ if (ret == 0) {
+ if ((kdc_hostname = strndup(data.data, data.length)) == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ krb5_data_free(&data);
+ }
+
+ ret = krb5_cc_get_config(context, ccache, NULL, "sitename", &data);
+ if (ret == 0) {
+ if ((sitename = strndup(data.data, data.length)) == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ krb5_data_free(&data);
+ }
ret = krb5_cc_get_kdc_offset(context, ccache, &offset);
if (ret == 0) {
@@ -1161,24 +1435,36 @@ _krb5_get_cred_kdc_any(krb5_context context,
*/
ret = get_cred_kdc_capath(context,
flags,
- ccache,
- in_creds,
- impersonate_principal,
- second_ticket,
- out_creds,
- ret_tgts);
- if (ret == 0)
- return ret;
+ ccache,
+ fast_state,
+ in_creds,
+ impersonate_principal,
+ second_ticket,
+ kdc_hostname,
+ sitename,
+ out_creds,
+ ret_tgts);
+ if (ret == 0 || skip_referrals(in_creds->server, &flags))
+ goto out;
}
/* Otherwise try referrals */
- return get_cred_kdc_referral(context,
- flags,
- ccache,
- in_creds,
- impersonate_principal,
- second_ticket,
- out_creds);
+ ret = get_cred_kdc_referral(context,
+ flags,
+ ccache,
+ fast_state,
+ in_creds,
+ impersonate_principal,
+ second_ticket,
+ kdc_hostname,
+ sitename,
+ out_creds);
+
+out:
+ krb5_data_free(&data);
+ free(kdc_hostname);
+ free(sitename);
+ return ret;
}
static krb5_error_code
@@ -1224,6 +1510,33 @@ check_cc(krb5_context context, krb5_flags options, krb5_ccache ccache,
if (options & KRB5_GC_ANONYMOUS)
krb5_free_principal(context, mcreds.client);
+ if (ret == 0 && out_creds->server->realm &&
+ out_creds->server->realm[0] == '\0') {
+ Ticket ticket;
+
+ /*
+ * We only write tickets to the ccache that have been validated, as in,
+ * the sname/srealm from the KDC-REP enc-part have been checked to
+ * match the sname/realm from the Ticket from the KDC-REP.
+ *
+ * Our caller needs the canonical realm of the service in order to be
+ * able to get forwarded credentials for it when destination-TGT
+ * forwarding is enabled.
+ *
+ * As well, gss_init_sec_context() ought to arrange for
+ * gss_inquire_context() to output the canonical acceptor name on the
+ * initiator side.
+ */
+ ret = decode_Ticket(out_creds->ticket.data, out_creds->ticket.length,
+ &ticket, NULL);
+ if (ret == 0) {
+ ret = krb5_principal_set_realm(context, out_creds->server,
+ ticket.realm);
+ free_Ticket(&ticket);
+ } else {
+ krb5_free_cred_contents(context, out_creds);
+ }
+ }
return ret;
}
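Review bot: The two failure paths inside the new block treat `out_creds` differently: when `decode_Ticket` fails the credentials are released with `krb5_free_cred_contents(context, out_creds)`, but when `krb5_principal_set_realm` fails `out_creds` is left populated while the error is returned. A caller cannot tell which state it gets on a nonzero return; release on both paths (or on neither, if the caller is expected to free) so the contract is uniform. check_cc begins outside the hunk.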
@@ -1231,7 +1544,10 @@ static void
store_cred(krb5_context context, krb5_ccache ccache,
krb5_const_principal server_princ, krb5_creds *creds)
{
- if (!krb5_principal_compare(context, creds->server, server_princ)) {
+ if (context->no_ticket_store)
+ return;
+ if (!krb5_principal_compare(context, creds->server, server_princ) &&
+ !krb5_principal_is_krbtgt(context, server_princ)) {
krb5_principal tmp_princ = creds->server;
/*
* Store the cred with the pre-canon server princ first so it
@@ -1254,6 +1570,7 @@ krb5_get_credentials_with_flags(krb5_context context,
krb5_creds *in_creds,
krb5_creds **out_creds)
{
+ struct krb5_fast_state fast_state;
krb5_error_code ret;
krb5_name_canon_iterator name_canon_iter = NULL;
krb5_name_canon_rule_options rule_opts;
@@ -1263,6 +1580,8 @@ krb5_get_credentials_with_flags(krb5_context context,
krb5_creds *res_creds;
int i;
+ memset(&fast_state, 0, sizeof(fast_state));
+
if (_krb5_have_debug(context, 5)) {
char *unparsed;
@@ -1292,7 +1611,7 @@ krb5_get_credentials_with_flags(krb5_context context,
ret = krb5_name_canon_iterator_start(context, in_creds->server,
&name_canon_iter);
if (ret)
- return ret;
+ goto out;
next_rule:
krb5_free_cred_contents(context, res_creds);
@@ -1328,7 +1647,7 @@ next_rule:
options |= KRB5_GC_NO_STORE;
tgts = NULL;
- ret = _krb5_get_cred_kdc_any(context, flags, ccache,
+ ret = _krb5_get_cred_kdc_any(context, flags, ccache, &fast_state,
in_creds, NULL, NULL, out_creds, &tgts);
for (i = 0; tgts && tgts[i]; i++) {
if ((options & KRB5_GC_NO_STORE) == 0)
@@ -1363,6 +1682,7 @@ out:
in_creds->server = save_princ;
krb5_free_creds(context, res_creds);
krb5_free_name_canon_iterator(context, name_canon_iter);
+ _krb5_fast_free(context, &fast_state);
if (ret)
return not_found(context, in_creds->server, ret);
return 0;
@@ -1481,6 +1801,7 @@ krb5_get_creds(krb5_context context,
krb5_const_principal inprinc,
krb5_creds **out_creds)
{
+ struct krb5_fast_state fast_state;
krb5_kdc_flags flags;
krb5_flags options;
krb5_creds in_creds;
@@ -1494,6 +1815,7 @@ krb5_get_creds(krb5_context context,
int type;
const char *comp;
+ memset(&fast_state, 0, sizeof(fast_state));
memset(&in_creds, 0, sizeof(in_creds));
in_creds.server = rk_UNCONST(inprinc);
@@ -1559,13 +1881,15 @@ next_rule:
goto out;
}
- ret = check_cc(context, options, ccache, &in_creds, res_creds);
- if (ret == 0) {
- *out_creds = res_creds;
- res_creds = NULL;
- goto out;
- } else if (ret != KRB5_CC_END) {
- goto out;
+ if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
+ ret = check_cc(context, options, ccache, &in_creds, res_creds);
+ if (ret == 0) {
+ *out_creds = res_creds;
+ res_creds = NULL;
+ goto out;
+ } else if (ret != KRB5_CC_END) {
+ goto out;
+ }
}
if (options & KRB5_GC_CACHED)
goto next_rule;
@@ -1593,7 +1917,7 @@ next_rule:
flags.b.request_anonymous = 1;
tgts = NULL;
- ret = _krb5_get_cred_kdc_any(context, flags, ccache,
+ ret = _krb5_get_cred_kdc_any(context, flags, ccache, &fast_state,
&in_creds, opt ? opt->self : 0,
opt ? opt->ticket : 0, out_creds,
&tgts);
@@ -1627,6 +1951,7 @@ next_rule:
}
out:
+ _krb5_fast_free(context, &fast_state);
krb5_free_creds(context, res_creds);
krb5_free_principal(context, in_creds.client);
krb5_free_name_canon_iterator(context, name_canon_iter);
diff --git a/lib/krb5/get_default_principal.c b/lib/krb5/get_default_principal.c
index e102e5a1fad8..35480740f6fc 100644
--- a/lib/krb5/get_default_principal.c
+++ b/lib/krb5/get_default_principal.c
@@ -37,112 +37,42 @@
* Try to find out what's a reasonable default principal.
*/
-static const char*
-get_env_user(void)
-{
- const char *user = getenv("USER");
- if(user == NULL)
- user = getenv("LOGNAME");
- if(user == NULL)
- user = getenv("USERNAME");
- return user;
-}
-
-#ifndef _WIN32
-
-/*
- * Will only use operating-system dependant operation to get the
- * default principal, for use of functions that in ccache layer to
- * avoid recursive calls.
- */
-
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_default_principal_local (krb5_context context,
krb5_principal *princ)
{
- krb5_error_code ret;
- const char *user;
- uid_t uid;
+ const char *user = NULL;
+ const char *second_component = NULL;
+ char userbuf[128];
*princ = NULL;
- uid = getuid();
- if(uid == 0) {
- user = getlogin();
- if(user == NULL)
- user = get_env_user();
- if(user != NULL && strcmp(user, "root") != 0)
- ret = krb5_make_principal(context, princ, NULL, user, "root", NULL);
- else
- ret = krb5_make_principal(context, princ, NULL, "root", NULL);
- } else {
- struct passwd *pw = getpwuid(uid);
- if(pw != NULL)
- user = pw->pw_name;
- else {
- user = get_env_user();
- if(user == NULL)
- user = getlogin();
- }
- if(user == NULL) {
- krb5_set_error_message(context, ENOTTY,
- N_("unable to figure out current "
- "principal", ""));
- return ENOTTY; /* XXX */
- }
- ret = krb5_make_principal(context, princ, NULL, user, NULL);
- }
- return ret;
-}
-
-#else /* _WIN32 */
-
-#define SECURITY_WIN32
-#include <security.h>
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_default_principal_local(krb5_context context,
- krb5_principal *princ)
-{
- /* See if we can get the principal first. We only expect this to
- work if logged into a domain. */
- {
- char username[1024];
- ULONG sz = sizeof(username);
-
- if (GetUserNameEx(NameUserPrincipal, username, &sz)) {
- return krb5_parse_name_flags(context, username,
- KRB5_PRINCIPAL_PARSE_ENTERPRISE,
- princ);
- }
- }
-
- /* Just get the Windows username. This should pretty much always
- work. */
- {
- char username[1024];
- DWORD dsz = sizeof(username);
-
- if (GetUserName(username, &dsz)) {
- return krb5_make_principal(context, princ, NULL, username, NULL);
- }
- }
-
- /* Failing that, we look at the environment */
- {
- const char * username = get_env_user();
-
- if (username == NULL) {
- krb5_set_error_string(context,
- "unable to figure out current principal");
- return ENOTTY; /* Really? */
- }
-
- return krb5_make_principal(context, princ, NULL, username, NULL);
+ /*
+ * NOTE: We prefer getlogin_r() (via roken_get_loginname()) to using $USER,
+ * $LOGNAME, or getpwuid_r() (via roken_get_username()), in that
+ * order, otherwise we won't figure out to output
+ * <username>/root@DEFAULT_REALM.
+ */
+#ifndef WIN32
+ if (geteuid() == 0)
+ user = roken_get_loginname(userbuf, sizeof(userbuf));
+#endif
+ if (user == NULL)
+ user = roken_get_username(userbuf, sizeof(userbuf));
+ if (user == NULL) {
+ krb5_set_error_message(context, ENOTTY,
+ N_("unable to figure out current principal",
+ ""));
+ return ENOTTY; /* XXX */
}
-}
+#ifndef WIN32
+ if (!issuid() && getuid() == 0 && strcmp(user, "root") != 0)
+ second_component = "root"; /* We'll use <user>/root */
#endif
+ return krb5_make_principal(context, princ, NULL, user,
+ second_component, NULL);
+}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_principal (krb5_context context,
diff --git a/lib/krb5/get_for_creds.c b/lib/krb5/get_for_creds.c
index 43265d827fe5..3a6be1090062 100644
--- a/lib/krb5/get_for_creds.c
+++ b/lib/krb5/get_for_creds.c
@@ -33,6 +33,14 @@
#include "krb5_locl.h"
+static krb5_error_code set_tgs_creds(krb5_context, krb5_ccache,
+ krb5_const_principal,
+ krb5_const_principal, krb5_creds *);
+static krb5_error_code get_cred(krb5_context, krb5_ccache, krb5_creds *,
+ krb5_flags, const char *, krb5_creds **);
+static krb5_error_code get_addresses(krb5_context, krb5_ccache, krb5_creds *,
+ const char *, krb5_addresses *);
+
static krb5_error_code
add_addrs(krb5_context context,
krb5_addresses *addr,
@@ -81,10 +89,16 @@ fail:
}
/**
- * Forward credentials for client to host hostname , making them
+ * Forward credentials for client to host hostname, making them
* forwardable if forwardable, and returning the blob of data to sent
* in out_data. If hostname == NULL, pick it from server.
*
+ * If the server's realm is configured for delegation of destination
+ * TGTs, forward a TGT for the server realm, rather than the client
+ * realm. This works better with destinations on the far side of a
+ * firewall. We also forward the destination TGT when the client
+ * TGT is not available (we may have just the destination TGT).
+ *
* @param context A kerberos 5 context.
* @param auth_context the auth context with the key to encrypt the out_data.
* @param hostname the host to forward the tickets too.
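Review bot: The new paragraph in the krb5_fwd_tgt_creds doc comment describes delegating the destination realm's TGT without naming the setting that enables it; the helper below reads `delegate-destination-tgt` from [appdefaults] keyed by the server's realm, defaulting to FALSE, and an operator auditing which credential gets forwarded to a host will look here first. Add a line such as `* Destination-TGT delegation is controlled by the per-realm [appdefaults] option delegate-destination-tgt (default false), looked up for the server's realm.` The fallback case (client-realm TGT not in the cache) should also be stated as applying only to the cached lookup, since that is what the code does. The function this comment documents begins in the next hunk.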
@@ -100,19 +114,18 @@ fail:
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_fwd_tgt_creds (krb5_context context,
- krb5_auth_context auth_context,
- const char *hostname,
- krb5_principal client,
- krb5_principal server,
- krb5_ccache ccache,
- int forwardable,
- krb5_data *out_data)
+krb5_fwd_tgt_creds(krb5_context context,
+ krb5_auth_context auth_context,
+ const char *hostname,
+ krb5_const_principal client,
+ krb5_const_principal server,
+ krb5_ccache ccache,
+ int forwardable,
+ krb5_data *out_data)
{
krb5_flags flags = 0;
krb5_creds creds;
krb5_error_code ret;
- krb5_const_realm client_realm;
flags |= KDC_OPT_FORWARDED;
@@ -131,17 +144,11 @@ krb5_fwd_tgt_creds (krb5_context context,
hostname = host;
}
- client_realm = krb5_principal_get_realm(context, client);
-
- memset (&creds, 0, sizeof(creds));
- creds.client = client;
-
- ret = krb5_make_principal(context,
- &creds.server,
- client_realm,
- KRB5_TGS_NAME,
- client_realm,
- NULL);
+ /*
+ * Fill-in the request creds, the server principal will be the TGS
+ * of either the client's or the server's realm.
+ */
+ ret = set_tgs_creds(context, ccache, client, server, &creds);
if (ret)
return ret;
@@ -152,6 +159,8 @@ krb5_fwd_tgt_creds (krb5_context context,
hostname,
&creds,
out_data);
+
+ krb5_free_cred_contents(context, &creds);
return ret;
}
@@ -192,273 +201,167 @@ krb5_get_forwarded_creds (krb5_context context,
krb5_data *out_data)
{
krb5_error_code ret;
- krb5_creds *out_creds;
- krb5_addresses addrs, *paddrs;
- KRB_CRED cred;
- KrbCredInfo *krb_cred_info;
- EncKrbCredPart enc_krb_cred_part;
- size_t len;
- unsigned char *buf;
- size_t buf_size;
- krb5_kdc_flags kdc_flags;
- krb5_crypto crypto;
- struct addrinfo *ai;
- krb5_creds *ticket;
+ krb5_creds *creds;
- paddrs = NULL;
- addrs.len = 0;
- addrs.val = NULL;
-
- ret = krb5_get_credentials(context, 0, ccache, in_creds, &ticket);
- if(ret == 0) {
- if (ticket->addresses.len)
- paddrs = &addrs;
- krb5_free_creds (context, ticket);
- } else {
- krb5_boolean noaddr;
- krb5_appdefault_boolean(context, NULL,
- krb5_principal_get_realm(context,
- in_creds->client),
- "no-addresses", KRB5_ADDRESSLESS_DEFAULT,
- &noaddr);
- if (!noaddr)
- paddrs = &addrs;
- }
-
- /*
- * If tickets have addresses, get the address of the remote host.
- */
-
- if (paddrs != NULL) {
+ /* Obtain the requested TGT */
+ ret = get_cred(context, ccache, in_creds, flags, hostname, &creds);
+ if (ret)
+ return ret;
- ret = getaddrinfo (hostname, NULL, NULL, &ai);
- if (ret) {
- krb5_error_code ret2 = krb5_eai_to_heim_errno(ret, errno);
- krb5_set_error_message(context, ret2,
- N_("resolving host %s failed: %s",
- "hostname, error"),
- hostname, gai_strerror(ret));
- return ret2;
- }
+ /* Forward obtained creds */
+ ret = _krb5_mk_1cred(context, auth_context, creds, out_data, NULL);
+ krb5_free_creds(context, creds);
+ return ret;
+}
- ret = add_addrs (context, &addrs, ai);
- freeaddrinfo (ai);
- if (ret)
- return ret;
- }
+/*
+ * Get a TGT for forwarding to hostname. If the client TGT is
+ * addressless, the forwarded ticket will also be addressless.
+ *
+ * If the TGT has any addresses, hostname will be used to determine
+ * the address to forward the ticket to. Thus, since this might use DNS,
+ * it's insecure and also may not capture all the addresses of the host.
+ * In general addressless tickets are more robust, be it at a small
+ * security penalty.
+ *
+ * @param context A kerberos 5 context.
+ * @param ccache The credential cache to use
+ * @param creds Creds with client and server principals
+ * @param flags The flags to control the resulting ticket flags
+ * @param hostname The hostname of server
+ * @param out_creds The resulting credential
+ *
+ * @return Return an error code or 0.
+ */
- kdc_flags.b = int2KDCOptions(flags);
+static krb5_error_code
+get_cred(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ krb5_flags flags,
+ const char *hostname,
+ krb5_creds **out_creds)
+{
+ krb5_error_code ret;
+ krb5_kdc_flags kdc_flags;
+ krb5_addresses addrs;
- ret = krb5_get_kdc_cred (context,
- ccache,
- kdc_flags,
- paddrs,
- NULL,
- in_creds,
- &out_creds);
- krb5_free_addresses (context, &addrs);
+ addrs.len = 0;
+ addrs.val = NULL;
+ ret = get_addresses(context, ccache, creds, hostname, &addrs);
if (ret)
return ret;
- memset (&cred, 0, sizeof(cred));
- cred.pvno = 5;
- cred.msg_type = krb_cred;
- ALLOC_SEQ(&cred.tickets, 1);
- if (cred.tickets.val == NULL) {
- ret = krb5_enomem(context);
- goto out2;
- }
- ret = decode_Ticket(out_creds->ticket.data,
- out_creds->ticket.length,
- cred.tickets.val, &len);
- if (ret)
- goto out3;
+ kdc_flags.b = int2KDCOptions(flags);
+ ret = krb5_get_kdc_cred(context, ccache, kdc_flags, &addrs, NULL,
+ creds, out_creds);
- memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
- ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
- if (enc_krb_cred_part.ticket_info.val == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
+ krb5_free_addresses(context, &addrs);
+ return ret;
+}
- if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_timestamp sec;
- int32_t usec;
+static krb5_error_code
+set_tgs_creds(krb5_context context,
+ krb5_ccache ccache,
+ krb5_const_principal client,
+ krb5_const_principal server,
+ krb5_creds *creds)
+{
+ krb5_error_code ret;
+ krb5_const_realm client_realm;
+ krb5_const_realm server_realm;
+ krb5_boolean fwd_dest_tgt;
+ krb5_creds *client_tgt;
- krb5_us_timeofday (context, &sec, &usec);
+ client_realm = krb5_principal_get_realm(context, client);
+ server_realm = krb5_principal_get_realm(context, server);
- ALLOC(enc_krb_cred_part.timestamp, 1);
- if (enc_krb_cred_part.timestamp == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
- *enc_krb_cred_part.timestamp = sec;
- ALLOC(enc_krb_cred_part.usec, 1);
- if (enc_krb_cred_part.usec == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
- *enc_krb_cred_part.usec = usec;
- } else {
- enc_krb_cred_part.timestamp = NULL;
- enc_krb_cred_part.usec = NULL;
+ memset (creds, 0, sizeof(*creds));
+ ret = krb5_copy_principal(context, client, &creds->client);
+ if (ret)
+ return ret;
+ ret = krb5_make_principal(context, &creds->server, client_realm,
+ KRB5_TGS_NAME, client_realm, NULL);
+ if (ret) {
+ krb5_free_principal(context, creds->client);
+ return ret;
}
- if (auth_context->local_address && auth_context->local_port && paddrs) {
-
- ret = krb5_make_addrport (context,
- &enc_krb_cred_part.s_address,
- auth_context->local_address,
- auth_context->local_port);
- if (ret)
- goto out4;
- }
+ /*
+ * Optionally delegate a TGT for the server's realm, rather than
+ * the client's. Do this also when we don't have a client realm TGT.
+ *
+ * XXX: Note, when we have a start-realm, and delegate-destination-tgt
+ * is not set, we must use the start-realm.
+ */
+ krb5_appdefault_boolean(context, NULL, server_realm,
+ "delegate-destination-tgt", FALSE, &fwd_dest_tgt);
- if (auth_context->remote_address) {
- if (auth_context->remote_port) {
- krb5_boolean noaddr;
- krb5_const_realm srealm;
-
- srealm = krb5_principal_get_realm(context, out_creds->server);
- /* Is this correct, and should we use the paddrs == NULL
- trick here as well? Having an address-less ticket may
- indicate that we don't know our own global address, but
- it does not necessary mean that we don't know the
- server's. */
- krb5_appdefault_boolean(context, NULL, srealm, "no-addresses",
- FALSE, &noaddr);
- if (!noaddr) {
- ret = krb5_make_addrport (context,
- &enc_krb_cred_part.r_address,
- auth_context->remote_address,
- auth_context->remote_port);
- if (ret)
- goto out4;
- }
- } else {
- ALLOC(enc_krb_cred_part.r_address, 1);
- if (enc_krb_cred_part.r_address == NULL) {
- ret = krb5_enomem(context);
- goto out4;
- }
-
- ret = krb5_copy_address (context, auth_context->remote_address,
- enc_krb_cred_part.r_address);
- if (ret)
- goto out4;
+ if (!fwd_dest_tgt) {
+ ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, creds,
+ &client_tgt);
+ if (ret == 0) {
+ krb5_free_creds(context, client_tgt);
+ return ret;
}
}
- /* fill ticket_info.val[0] */
+ /*
+ * Client TGT inapplicable or unavailable
+ */
+ krb5_free_principal(context, creds->server);
+ creds->server = 0;
+ return krb5_make_principal(context, &creds->server, server_realm,
+ KRB5_TGS_NAME, server_realm, NULL);
+}
- enc_krb_cred_part.ticket_info.len = 1;
+/*
+ * Obtain address list for hostname if server realm policy is not addressless.
+ */
+static krb5_error_code
+get_addresses(krb5_context context,
+ krb5_ccache ccache,
+ krb5_creds *creds,
+ const char *hostname,
+ krb5_addresses *addrs)
+{
+ krb5_error_code ret;
+ krb5_creds *ticket;
+ krb5_const_realm realm;
+ krb5_boolean noaddr;
+ struct addrinfo *ai;
+ int eai;
- krb_cred_info = enc_krb_cred_part.ticket_info.val;
+ if (hostname == 0)
+ return 0;
- ret = copy_EncryptionKey (&out_creds->session, &krb_cred_info->key);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->prealm, 1);
- ret = copy_Realm (&out_creds->client->realm, krb_cred_info->prealm);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->pname, 1);
- ret = copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->flags, 1);
- *krb_cred_info->flags = out_creds->flags.b;
- ALLOC(krb_cred_info->authtime, 1);
- *krb_cred_info->authtime = out_creds->times.authtime;
- ALLOC(krb_cred_info->starttime, 1);
- *krb_cred_info->starttime = out_creds->times.starttime;
- ALLOC(krb_cred_info->endtime, 1);
- *krb_cred_info->endtime = out_creds->times.endtime;
- ALLOC(krb_cred_info->renew_till, 1);
- *krb_cred_info->renew_till = out_creds->times.renew_till;
- ALLOC(krb_cred_info->srealm, 1);
- ret = copy_Realm (&out_creds->server->realm, krb_cred_info->srealm);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->sname, 1);
- ret = copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname);
- if (ret)
- goto out4;
- ALLOC(krb_cred_info->caddr, 1);
- ret = copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr);
- if (ret)
- goto out4;
+ ret = krb5_get_credentials(context, 0, ccache, creds, &ticket);
+ if (ret == 0) {
+ noaddr = (ticket->addresses.len == 0) ? TRUE : FALSE;
+ krb5_free_creds(context, ticket);
+ } else {
+ realm = krb5_principal_get_realm(context, creds->server);
+ krb5_appdefault_boolean(context, NULL, realm, "no-addresses",
+ KRB5_ADDRESSLESS_DEFAULT, &noaddr);
+ }
- krb5_free_creds (context, out_creds);
+ if (noaddr)
+ return 0;
- /* encode EncKrbCredPart */
+ /* Need addresses, get the address of the remote host. */
- ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
- &enc_krb_cred_part, &len, ret);
- free_EncKrbCredPart (&enc_krb_cred_part);
- if (ret) {
- free_KRB_CRED(&cred);
+ eai = getaddrinfo (hostname, NULL, NULL, &ai);
+ if (eai) {
+ ret = krb5_eai_to_heim_errno(eai, errno);
+ krb5_set_error_message(context, ret,
+ N_("resolving host %s failed: %s",
+ "hostname, error"),
+ hostname, gai_strerror(eai));
return ret;
}
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
-
- /**
- * Some older of the MIT gssapi library used clear-text tickets
- * (warped inside AP-REQ encryption), use the krb5_auth_context
- * flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those
- * tickets. The session key is used otherwise to encrypt the
- * forwarded ticket.
- */
- if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
- cred.enc_part.etype = KRB5_ENCTYPE_NULL;
- cred.enc_part.kvno = NULL;
- cred.enc_part.cipher.data = buf;
- cred.enc_part.cipher.length = buf_size;
- } else {
- /*
- * Here older versions then 0.7.2 of Heimdal used the local or
- * remote subkey. That is wrong, the session key should be
- * used. Heimdal 0.7.2 and newer have code to try both in the
- * receiving end.
- */
-
- ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
- if (ret) {
- free(buf);
- free_KRB_CRED(&cred);
- return ret;
- }
- ret = krb5_encrypt_EncryptedData (context,
- crypto,
- KRB5_KU_KRB_CRED,
- buf,
- len,
- 0,
- &cred.enc_part);
- free(buf);
- krb5_crypto_destroy(context, crypto);
- if (ret) {
- free_KRB_CRED(&cred);
- return ret;
- }
- }
+ ret = add_addrs(context, addrs, ai);
+ freeaddrinfo(ai);
- ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
- free_KRB_CRED (&cred);
- if (ret)
- return ret;
- if(buf_size != len)
- krb5_abortx(context, "internal error in ASN.1 encoder");
- out_data->length = len;
- out_data->data = buf;
- return 0;
- out4:
- free_EncKrbCredPart(&enc_krb_cred_part);
- out3:
- free_KRB_CRED(&cred);
- out2:
- krb5_free_creds (context, out_creds);
return ret;
}
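Review bot: set_tgs_creds leaks creds->client when the final krb5_make_principal for the server realm fails: the earlier make_principal failure path frees creds->client, but the closing `return krb5_make_principal(...)` does not, and krb5_fwd_tgt_creds returns immediately on a non-zero result without calling krb5_free_cred_contents. Mirror the earlier path: `ret = krb5_make_principal(context, &creds->server, server_realm, KRB5_TGS_NAME, server_realm, NULL); if (ret) krb5_free_principal(context, creds->client); return ret;`. Relatedly, get_cred returns without krb5_free_addresses when get_addresses fails after add_addrs has started filling addrs; whether add_addrs unwinds on failure is not visible in this hunk, so that is worth confirming.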
diff --git a/lib/krb5/get_host_realm.c b/lib/krb5/get_host_realm.c
index 955d5462d418..7b58fe9a4f56 100644
--- a/lib/krb5/get_host_realm.c
+++ b/lib/krb5/get_host_realm.c
@@ -109,17 +109,17 @@ dns_find_realm(krb5_context context,
const char *domain,
krb5_realm **realms)
{
- static const char *default_labels[] = { "_kerberos", NULL };
+ static const char *const default_labels[] = { "_kerberos", NULL };
char dom[MAXHOSTNAMELEN];
struct rk_dns_reply *r;
- const char **labels;
+ const char *const *labels;
char **config_labels;
int i, ret = 0;
config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
"dns_lookup_realm_labels", NULL);
if(config_labels != NULL)
- labels = (const char **)config_labels;
+ labels = (const char *const *)config_labels;
else
labels = default_labels;
if(*domain == '.')
@@ -185,20 +185,21 @@ _krb5_get_host_realm_int(krb5_context context,
{
const char *p, *q;
const char *port;
+ char *freeme = NULL;
krb5_boolean dns_locate_enable;
krb5_error_code ret = 0;
/* Strip off any trailing ":port" suffix. */
port = strchr(host, ':');
- if (port != NULL) {
- host = strndup(host, port - host);
+ if (port != NULL && port != host && port[1] != '\0') {
+ host = freeme = strndup(host, port - host);
if (host == NULL)
return krb5_enomem(context);
}
dns_locate_enable = krb5_config_get_bool_default(context, NULL, TRUE,
"libdefaults", "dns_lookup_realm", NULL);
- for (p = host; p != NULL; p = strchr (p + 1, '.')) {
+ for (p = host; p != NULL && p[0] != '\0'; p = strchr (p + 1, '.')) {
if (config_find_realm(context, p, realms) == 0) {
if (strcasecmp(*realms[0], "dns_locate") != 0)
break;
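Review bot: The tightened port-suffix check still misparses IPv6 literals: for a host such as `fe80::1` strchr finds the first colon, both `port != host` and `port[1] != '\0'` hold, and the name is truncated to `fe80` before the realm lookup. If such hosts can reach this function (not visible here), only treat the suffix as a port when it is the sole colon, e.g. `if (port != NULL && port != host && port[1] != '\0' && strchr(port + 1, ':') == NULL)`, or handle a bracketed `[addr]:port` form explicitly. _krb5_get_host_realm_int continues outside this hunk.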
@@ -219,11 +220,20 @@ _krb5_get_host_realm_int(krb5_context context,
/*
* If 'p' is NULL, we did not find an explicit realm mapping in either the
- * configuration file or DNS. Try the hostname suffix as a last resort.
+ * configuration file or DNS. Try the hostname suffix -upcased- as a realm
+ * as a last resort.
*
- * XXX: If we implement a KDC-specific variant of this function just for
- * referrals, we could check whether we have a cross-realm TGT for the
- * realm in question, and if not try the parent (loop again).
+ * NOTE: If we implement a KDC-specific variant of this function just for
+ * referrals, we could check whether we have a cross-realm TGT for the
+ * realm in question, and if not try the parent (loop again). Such a
+ * variant would have to have access to the HDB, naturally.
+ *
+ * We should start by adding an argument to this function that
+ * indicates whether this fallback here is desired (the KDC wouldn't
+ * desire it). Then when the KDC gets KRB5_ERR_HOST_REALM_UNKNOWN
+ * from this function, the KDC would search the HDB for cross-realm
+ * krbtgt principals that denote a hierarchical path to a realm that
+ * matches the host's domain suffix (or a suffix of it...).
*/
if (p == NULL) {
p = strchr(host, '.');
@@ -246,9 +256,7 @@ _krb5_get_host_realm_int(krb5_context context,
}
}
- /* If 'port' is not NULL, we have a copy of 'host' to free. */
- if (port)
- free((void *)host);
+ free(freeme);
return ret;
}
diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c
index 19a638fb3bf3..476844cc83d8 100644
--- a/lib/krb5/get_in_tkt.c
+++ b/lib/krb5/get_in_tkt.c
@@ -115,7 +115,7 @@ add_padata(krb5_context context,
if (!enctypes) {
enctypes = context->etypes;
netypes = 0;
- for (ep = enctypes; *ep != (krb5_enctype)ETYPE_NULL; ep++)
+ for (ep = enctypes; *ep != ETYPE_NULL; ep++)
netypes++;
}
pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
@@ -319,7 +319,9 @@ set_ptypes(krb5_context context,
krb5_preauthdata **preauth)
{
static krb5_preauthdata preauth2;
- static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
+ static const krb5_preauthtype ptypes2[] = {
+ KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE
+ };
if(error->e_data) {
METHOD_DATA md;
@@ -438,9 +440,6 @@ krb5_get_in_cred(krb5_context context,
one more try */
if (!ptypes && !preauth
&& ret == KRB5KDC_ERR_PREAUTH_REQUIRED
-#if 0
- || ret == KRB5KDC_ERR_BADOPTION
-#endif
&& set_ptypes(context, &error, &ptypes, &my_preauth)) {
done = 0;
preauth = my_preauth;
diff --git a/lib/krb5/heim_err.et b/lib/krb5/heim_err.et
deleted file mode 100644
index 69039bb4dfe0..000000000000
--- a/lib/krb5/heim_err.et
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Error messages for the krb5 library
-#
-# This might look like a com_err file, but is not
-#
-id "$Id$"
-
-error_table heim
-
-prefix HEIM_ERR
-
-error_code LOG_PARSE, "Error parsing log destination"
-error_code V4_PRINC_NO_CONV, "Failed to convert v4 principal"
-error_code SALTTYPE_NOSUPP, "Salt type is not supported by enctype"
-error_code NOHOST, "Host not found"
-error_code OPNOTSUPP, "Operation not supported"
-error_code EOF, "End of file"
-error_code BAD_MKEY, "Failed to get the master key"
-error_code SERVICE_NOMATCH, "Unacceptable service used"
-error_code NOT_SEEKABLE, "File descriptor not seekable"
-error_code TOO_BIG, "Offset too large"
-error_code BAD_HDBENT_ENCODING, "Invalid HDB entry encoding"
-error_code RANDOM_OFFLINE, "No random source available"
-
-index 64
-prefix HEIM_PKINIT
-error_code NO_CERTIFICATE, "Certificate missing"
-error_code NO_PRIVATE_KEY, "Private key missing"
-error_code NO_VALID_CA, "No valid certificate authority"
-error_code CERTIFICATE_INVALID, "Certificate invalid"
-error_code PRIVATE_KEY_INVALID, "Private key invalid"
-
-index 128
-prefix HEIM_EAI
-#error_code NOERROR, "no error"
-error_code UNKNOWN, "unknown error from getaddrinfo"
-error_code ADDRFAMILY, "address family for nodename not supported"
-error_code AGAIN, "temporary failure in name resolution"
-error_code BADFLAGS, "invalid value for ai_flags"
-error_code FAIL, "non-recoverable failure in name resolution"
-error_code FAMILY, "ai_family not supported"
-error_code MEMORY, "memory allocation failure"
-error_code NODATA, "no address associated with nodename"
-error_code NONAME, "nodename nor servname provided, or not known"
-error_code SERVICE, "servname not supported for ai_socktype"
-error_code SOCKTYPE, "ai_socktype not supported"
-error_code SYSTEM, "system error returned in errno"
-
-index 192
-prefix HEIM_NET
-error_code CONN_REFUSED, "connection refused"
-
-end
diff --git a/lib/krb5/init_creds.c b/lib/krb5/init_creds.c
index b34e3eb325c8..b2d0d39a3dc3 100644
--- a/lib/krb5/init_creds.c
+++ b/lib/krb5/init_creds.c
@@ -408,7 +408,7 @@ krb5_get_init_creds_opt_set_process_last_req(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
- KRB5_DEPRECATED_FUNCTION("Use X instead")
+ KRB5_DEPRECATED_FUNCTION("Use krb5_get_init_creds_opt_alloc instead")
{
memset (opt, 0, sizeof(*opt));
}
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 4e1088be182b..1a649dfa965d 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -3,7 +3,8 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
- * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2021, PADL Software Pty Ltd. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -34,14 +35,33 @@
*/
#include "krb5_locl.h"
-#ifndef WIN32
-#include <heim-ipc.h>
-#endif /* WIN32 */
-typedef struct krb5_get_init_creds_ctx {
+#include <heimbasepriv.h>
+
+struct pa_info_data {
+ krb5_enctype etype;
+ krb5_salt salt;
+ krb5_data *s2kparams;
+};
+
+struct krb5_gss_init_ctx_data {
+ krb5_gssic_step step;
+ krb5_gssic_finish finish;
+ krb5_gssic_release_cred release_cred;
+ krb5_gssic_delete_sec_context delete_sec_context;
+
+ const struct gss_OID_desc_struct *mech;
+ struct gss_cred_id_t_desc_struct *cred;
+
+ struct {
+ unsigned int release_cred : 1;
+ } flags;
+};
+
+struct krb5_get_init_creds_ctx {
KDCOptions flags;
krb5_creds cred;
- krb5_addresses *addrs;
+ const krb5_addresses *addrs;
krb5_enctype *etypes;
krb5_preauthtype *pre_auth_types;
char *in_tkt_service;
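Review bot: struct krb5_gss_init_ctx_data has no field comments, and the one bit that matters for correct teardown, `flags.release_cred`, is only explained by its use in free_gss_init_ctx further down, where it gates the release_cred callback on cred. A field comment such as `/* set when this ctx owns cred and release_cred must be invoked on it at teardown */` would make the ownership rule explicit; whether cred is otherwise borrowed from the caller is not visible here. The krb5_get_init_creds_ctx definition that starts at the end of this hunk continues in the next one.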
@@ -62,53 +82,43 @@ typedef struct krb5_get_init_creds_ctx {
krb5_get_init_creds_tristate req_pac;
krb5_pk_init_ctx pk_init_ctx;
+ krb5_gss_init_ctx gss_init_ctx;
int ic_flags;
+ char *kdc_hostname;
+ char *sitename;
+
struct {
- unsigned change_password:1;
+ unsigned int change_password:1;
+ unsigned int change_password_prompt:1;
+ unsigned int allow_enc_pa_rep:1;
+ unsigned int allow_save_as_reply_key:1;
} runflags;
- int used_pa_types;
-#define USED_PKINIT 1
-#define USED_PKINIT_W2K 2
-#define USED_ENC_TS_GUESS 4
-#define USED_ENC_TS_INFO 8
+ struct pa_info_data paid;
METHOD_DATA md;
KRB_ERROR error;
- AS_REP as_rep;
EncKDCRepPart enc_part;
krb5_prompter_fct prompter;
void *prompter_data;
+ int warned_user;
struct pa_info_data *ppaid;
- struct fast_state {
- enum PA_FX_FAST_REQUEST_enum type;
- unsigned int flags;
-#define KRB5_FAST_REPLY_KEY_USE_TO_ENCRYPT_THE_REPLY 1
-#define KRB5_FAST_REPLY_KEY_USE_IN_TRANSACTION 2
-#define KRB5_FAST_KDC_REPLY_KEY_REPLACED 4
-#define KRB5_FAST_REPLY_REPLY_VERIFED 8
-#define KRB5_FAST_STRONG 16
-#define KRB5_FAST_EXPECTED 32 /* in exchange with KDC, fast was discovered */
-#define KRB5_FAST_REQUIRED 64 /* fast required by action of caller */
-#define KRB5_FAST_DISABLED 128
-#define KRB5_FAST_AP_ARMOR_SERVICE 256
- krb5_keyblock *reply_key;
- krb5_ccache armor_ccache;
- krb5_principal armor_service;
- krb5_crypto armor_crypto;
- krb5_keyblock armor_key;
- krb5_keyblock *strengthen_key;
- } fast_state;
-} krb5_get_init_creds_ctx;
+ struct krb5_fast_state fast_state;
+ krb5_enctype as_enctype;
+ krb5_keyblock *as_reply_key;
-struct pa_info_data {
- krb5_enctype etype;
- krb5_salt salt;
- krb5_data *s2kparams;
+ /* current and available pa mechansm in this exchange */
+ struct pa_auth_mech *pa_mech;
+ heim_array_t available_pa_mechs;
+ const char *pa_used;
+
+ struct {
+ struct timeval run_time;
+ } stats;
};
static void
@@ -117,6 +127,7 @@ free_paid(krb5_context context, struct pa_info_data *ppaid)
krb5_free_salt(context, ppaid->salt);
if (ppaid->s2kparams)
krb5_free_data(context, ppaid->s2kparams);
+ memset(ppaid, 0, sizeof(*ppaid));
}
static krb5_error_code KRB5_CALLCONV
@@ -129,10 +140,18 @@ default_s2k_func(krb5_context context, krb5_enctype type,
krb5_data password;
krb5_data opaque;
- _krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func");
+ if (_krb5_have_debug(context, 5)) {
+ char *str = NULL;
+ ret = krb5_enctype_to_string(context, type, &str);
+ if (ret)
+ return ret;
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func: %s (%d)", str, (int)type);
+ free(str);
+ }
password.data = rk_UNCONST(keyseed);
- password.length = strlen(keyseed);
+ password.length = keyseed ? strlen(keyseed) : 0;
if (s2kparms)
opaque = *s2kparms;
else
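Review bot: In default_s2k_func the new debug branch returns early when krb5_enctype_to_string fails, so key derivation is skipped only when debug level 5 is enabled; behaviour should not depend on the logging setting. Ignore the lookup result and log a fallback instead: `(void) krb5_enctype_to_string(context, type, &str);` followed by `_krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func: %s (%d)", str ? str : "unknown", (int)type);`, dropping the `if (ret) return ret;`. The `keyseed ? strlen(keyseed) : 0` guard leaves password.data NULL with length 0, which is fine provided krb5_string_to_key_data_salt_opaque tolerates that; its behaviour is not visible here. The function continues outside the hunk.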
@@ -140,7 +159,7 @@ default_s2k_func(krb5_context context, krb5_enctype type,
*key = malloc(sizeof(**key));
if (*key == NULL)
- return ENOMEM;
+ return krb5_enomem(context);
ret = krb5_string_to_key_data_salt_opaque(context, type, password,
salt, opaque, *key);
if (ret) {
@@ -151,6 +170,17 @@ default_s2k_func(krb5_context context, krb5_enctype type,
}
static void
+free_gss_init_ctx(krb5_context context, krb5_gss_init_ctx gssic)
+{
+ if (gssic == NULL)
+ return;
+
+ if (gssic->flags.release_cred)
+ gssic->release_cred(context, gssic, gssic->cred);
+ free(gssic);
+}
+
+static void
free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx)
{
if (ctx->etypes)
@@ -167,40 +197,37 @@ free_init_creds_ctx(krb5_context context, krb5_init_creds_context ctx)
memset_s(ctx->password, len, 0, len);
free(ctx->password);
}
+ free_gss_init_ctx(context, ctx->gss_init_ctx);
/*
- * FAST state (we don't close the armor_ccache because we might have
- * to destroy it, and how would we know? also, the caller should
- * take care of cleaning up the armor_ccache).
+ * FAST state
*/
- if (ctx->fast_state.armor_service)
- krb5_free_principal(context, ctx->fast_state.armor_service);
- if (ctx->fast_state.armor_crypto)
- krb5_crypto_destroy(context, ctx->fast_state.armor_crypto);
- if (ctx->fast_state.strengthen_key)
- krb5_free_keyblock(context, ctx->fast_state.strengthen_key);
- krb5_free_keyblock_contents(context, &ctx->fast_state.armor_key);
+ _krb5_fast_free(context, &ctx->fast_state);
+ if (ctx->as_reply_key)
+ krb5_free_keyblock(context, ctx->as_reply_key);
krb5_data_free(&ctx->req_buffer);
krb5_free_cred_contents(context, &ctx->cred);
free_METHOD_DATA(&ctx->md);
- free_AS_REP(&ctx->as_rep);
free_EncKDCRepPart(&ctx->enc_part);
free_KRB_ERROR(&ctx->error);
free_AS_REQ(&ctx->as_req);
- if (ctx->ppaid) {
- free_paid(context, ctx->ppaid);
- free(ctx->ppaid);
- }
+
+ heim_release(ctx->available_pa_mechs);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ free(ctx->kdc_hostname);
+ free(ctx->sitename);
+ free_paid(context, &ctx->paid);
memset_s(ctx, sizeof(*ctx), 0, sizeof(*ctx));
}
-static int
+static krb5_deltat
get_config_time (krb5_context context,
const char *realm,
const char *name,
int def)
{
- int ret;
+ krb5_deltat ret;
ret = krb5_config_get_time (context, NULL,
"realms",
@@ -226,7 +253,7 @@ init_cred (krb5_context context,
krb5_get_init_creds_opt *options)
{
krb5_error_code ret;
- int tmp;
+ krb5_deltat tmp;
krb5_timestamp now;
krb5_timeofday (context, &now);
@@ -238,7 +265,7 @@ init_cred (krb5_context context,
else
ret = krb5_get_default_principal(context, &cred->client);
if (ret)
- goto out;
+ goto out;
if (start_time)
cred->times.starttime = now + start_time;
@@ -297,18 +324,13 @@ krb5_process_last_request(krb5_context context,
krb5_get_init_creds_opt *options,
krb5_init_creds_context ctx)
{
- krb5_const_realm realm;
LastReq *lr;
- krb5_boolean reported = FALSE;
- krb5_timestamp sec;
- time_t t;
size_t i;
/*
* First check if there is a API consumer.
*/
- realm = krb5_principal_get_realm (context, ctx->cred.client);
lr = &ctx->enc_part.last_req;
if (options && options->opt_private && options->opt_private->lr.func) {
@@ -317,6 +339,7 @@ krb5_process_last_request(krb5_context context,
lre = calloc(lr->len + 1, sizeof(*lre));
if (lre == NULL)
return krb5_enomem(context);
+
for (i = 0; i < lr->len; i++) {
lre[i] = calloc(1, sizeof(*lre[i]));
if (lre[i] == NULL)
@@ -333,15 +356,44 @@ krb5_process_last_request(krb5_context context,
free(lre);
}
- /*
- * Now check if we should prompt the user
- */
+ return krb5_init_creds_warn_user(context, ctx);
+}
+
+/**
+ * Warn the user using prompter in the krb5_init_creds_context about
+ * possible password and account expiration.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx a krb5_init_creds_context context.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_warn_user(krb5_context context,
+ krb5_init_creds_context ctx)
+{
+ krb5_timestamp sec;
+ krb5_const_realm realm;
+ krb5_enctype weak_enctype = KRB5_ENCTYPE_NULL;
+ LastReq *lr;
+ unsigned i;
+ time_t t;
if (ctx->prompter == NULL)
- return 0;
+ return 0;
+
+ if (ctx->warned_user)
+ return 0;
+
+ ctx->warned_user = 1;
krb5_timeofday (context, &sec);
+ realm = krb5_principal_get_realm (context, ctx->cred.client);
+ lr = &ctx->enc_part.last_req;
+
t = sec + get_config_time (context,
realm,
"warn_pwexpire",
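Review bot: The new doxygen comment for krb5_init_creds_warn_user says it warns about password and account expiration, but later in the same function it also prompts when the AS exchange or session key uses a weak enctype unless `suppress_weak_enctype` is set, so the public documentation understates what the prompter may be called with. Extend the brief, e.g. `* Warn the user, via the prompter in the krb5_init_creds_context, about possible password and account expiration and about a weak encryption type used for the AS exchange or session key (suppressible with [libdefaults] suppress_weak_enctype).` The body of this function continues into the next hunk; as before, the `krb5_timeofday` result is not checked.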
@@ -355,37 +407,53 @@ krb5_process_last_request(krb5_context context,
ctx->prompter_data,
"Your password will expire at ",
lr->val[i].lr_value);
- reported = TRUE;
break;
case LR_ACCT_EXPTIME :
report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your account will expire at ",
lr->val[i].lr_value);
- reported = TRUE;
break;
- default:
- break;
+ default:
+ break;
}
}
}
- if (!reported
- && ctx->enc_part.key_expiration
- && *ctx->enc_part.key_expiration <= t) {
- report_expiration(context, ctx->prompter,
- ctx->prompter_data,
- "Your password/account will expire at ",
- *ctx->enc_part.key_expiration);
+ if (krb5_is_enctype_weak(context, ctx->as_enctype))
+ weak_enctype = ctx->as_enctype;
+ else if (krb5_is_enctype_weak(context, ctx->cred.session.keytype))
+ weak_enctype = ctx->cred.session.keytype;
+
+ if (ctx->prompter && weak_enctype != KRB5_ENCTYPE_NULL) {
+ int suppress = krb5_config_get_bool_default(context, NULL, false,
+ "libdefaults",
+ "suppress_weak_enctype", NULL);
+ if (!suppress) {
+ char *str = NULL, *p = NULL;
+ int aret;
+
+ (void) krb5_enctype_to_string(context, weak_enctype, &str);
+ aret = asprintf(&p, "Encryption type %s(%d) used for authentication is weak and will be deprecated",
+ str ? str : "unknown", weak_enctype);
+ if (aret >= 0 && p) {
+ (*ctx->prompter)(context, ctx->prompter_data, NULL, p, 0, NULL);
+ free(p);
+ }
+ free(str);
+ }
}
+
return 0;
}
-static krb5_addresses no_addrs = { 0, NULL };
+static const krb5_addresses no_addrs = { 0, NULL };
static krb5_error_code
get_init_creds_common(krb5_context context,
krb5_principal client,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
krb5_deltat start_time,
krb5_get_init_creds_opt *options,
krb5_init_creds_context ctx)
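Review bot: The fallback that warned from enc_part.key_expiration when LastReq carried no expiry entry has been removed, so a KDC that only populates the key-expiration field produces no expiry warning at all, and nothing in the new code replaces it. Unless that case is now handled elsewhere (not visible here), restore the fallback after the LastReq loop, with a `reported` flag set in the LR_PW_EXPTIME and LR_ACCT_EXPTIME cases and declared with the other locals in the preceding hunk. Two smaller points: `ctx->prompter &&` in the weak-enctype condition is redundant because the function already returned when prompter is NULL, and `false` as the krb5_config_get_bool_default default is inconsistent with the FALSE used elsewhere in this file. krb5_init_creds_warn_user begins in the previous hunk.
```c
    /* … unchanged: LastReq loop, now setting reported = TRUE in the
     * LR_PW_EXPTIME and LR_ACCT_EXPTIME cases … */
    if (!reported
        && ctx->enc_part.key_expiration
        && *ctx->enc_part.key_expiration <= t) {
        report_expiration(context, ctx->prompter,
                          ctx->prompter_data,
                          "Your password/account will expire at ",
                          *ctx->enc_part.key_expiration);
    }
    /* … unchanged: weak enctype warning … */
```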
@@ -400,7 +468,9 @@ get_init_creds_common(krb5_context context,
if (options == NULL) {
const char *realm = krb5_principal_get_realm(context, client);
- krb5_get_init_creds_opt_alloc (context, &default_opt);
+ ret = krb5_get_init_creds_opt_alloc(context, &default_opt);
+ if (ret)
+ return ret;
options = default_opt;
krb5_get_init_creds_opt_set_default_flags(context, NULL, realm, options);
}
@@ -423,9 +493,7 @@ get_init_creds_common(krb5_context context,
if (ctx->keyproc == NULL)
ctx->keyproc = default_s2k_func;
- /* Enterprise name implicitly turns on canonicalize */
- if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
- krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
+ if (ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE)
ctx->flags.canonicalize = 1;
ctx->pre_auth_types = NULL;
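Review bot: Dropping the enterprise-principal special case means a client with an NT-ENTERPRISE name no longer gets canonicalize set unless KRB5_INIT_CREDS_CANONICALIZE is passed explicitly, which changes the AS-REQ sent for such names. If this is now handled elsewhere in the file or by the KDC (not visible here), a one-line comment would stop the next reader from reinstating it, e.g. `/* Enterprise names no longer imply canonicalize; callers opt in via KRB5_INIT_CREDS_CANONICALIZE. */`. get_init_creds_common starts and ends outside this hunk.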
@@ -434,11 +502,8 @@ get_init_creds_common(krb5_context context,
ctx->pre_auth_types = NULL;
ret = init_cred(context, &ctx->cred, client, start_time, options);
- if (ret) {
- if (default_opt)
- krb5_get_init_creds_opt_free(context, default_opt);
- return ret;
- }
+ if (ret)
+ goto out;
ret = krb5_init_creds_set_service(context, ctx, NULL);
if (ret)
@@ -502,9 +567,16 @@ get_init_creds_common(krb5_context context,
}
if (options->flags & KRB5_GET_INIT_CREDS_OPT_ANONYMOUS)
ctx->flags.request_anonymous = options->anonymous;
- if (default_opt)
- krb5_get_init_creds_opt_free(context, default_opt);
- return 0;
+
+ ctx->prompter = prompter;
+ ctx->prompter_data = prompter_data;
+
+ if ((options->flags & KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT) &&
+ !options->change_password_prompt)
+ ctx->runflags.change_password_prompt = 0;
+ else
+ ctx->runflags.change_password_prompt = ctx->prompter != NULL;
+
out:
if (default_opt)
krb5_get_init_creds_opt_free(context, default_opt);
@@ -608,27 +680,27 @@ change_password (krb5_context context,
&result_string);
if (ret)
goto out;
+
if (asprintf(&p, "%s: %.*s\n",
result_code ? "Error" : "Success",
(int)result_string.length,
result_string.length > 0 ? (char*)result_string.data : "") < 0)
{
- ret = ENOMEM;
+ ret = krb5_enomem(context);
goto out;
}
/* return the result */
(*prompter) (context, data, NULL, p, 0, NULL);
- free (p);
if (result_code == 0) {
strlcpy (newpw, buf1, newpw_sz);
ret = 0;
} else {
- ret = ENOTTY;
- krb5_set_error_message(context, ret,
- N_("failed changing password", ""));
+ krb5_set_error_message(context, ret = KRB5_CHPW_FAIL,
+ N_("failed changing password: %s", ""), p);
}
+ free (p);
out:
memset_s(buf1, sizeof(buf1), 0, sizeof(buf1));
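Review bot: The new krb5_set_error_message call at the end of the hunk embeds `p`, which was built with a trailing `\n` and an `Error: ` prefix for the prompter, so the stored krb5 error string now reads "failed changing password: Error: ...\n" with an embedded newline. Format the server's result string directly instead: `krb5_set_error_message(context, ret = KRB5_CHPW_FAIL, N_("failed changing password: %.*s", ""), (int)result_string.length, result_string.length > 0 ? (const char *)result_string.data : "");`. The result string comes from the password server and is shown to the user unfiltered, which is pre-existing behavior; the rest of change_password lies outside this hunk.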
@@ -669,12 +741,12 @@ init_as_req (krb5_context context,
a->pvno = 5;
a->msg_type = krb_as_req;
a->req_body.kdc_options = opts;
- a->req_body.cname = malloc(sizeof(*a->req_body.cname));
+ a->req_body.cname = calloc(1, sizeof(*a->req_body.cname));
if (a->req_body.cname == NULL) {
ret = krb5_enomem(context);
goto fail;
}
- a->req_body.sname = malloc(sizeof(*a->req_body.sname));
+ a->req_body.sname = calloc(1, sizeof(*a->req_body.sname));
if (a->req_body.sname == NULL) {
ret = krb5_enomem(context);
goto fail;
@@ -774,7 +846,7 @@ set_paid(struct pa_info_data *paid, krb5_context context,
paid->salt.saltvalue.data = malloc(salt_len + 1);
if (paid->salt.saltvalue.data == NULL) {
krb5_clear_error_message(context);
- return ENOMEM;
+ return krb5_enomem(context);
}
memcpy(paid->salt.saltvalue.data, salt_string, salt_len);
((char *)paid->salt.saltvalue.data)[salt_len] = '\0';
@@ -814,6 +886,10 @@ pa_etype_info2(krb5_context context,
goto out;
for (j = 0; j < asreq->req_body.etype.len; j++) {
for (i = 0; i < e.len; i++) {
+
+ if (krb5_enctype_valid(context, e.val[i].etype) != 0)
+ continue;
+
if (asreq->req_body.etype.val[j] == e.val[i].etype) {
krb5_salt salt;
if (e.val[i].salt == NULL)
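Review bot: The added `krb5_enctype_valid` guard drops KDC-offered ETYPE-INFO2 entries silently, so a KDC that only advertises enctypes disabled on this client becomes indistinguishable from one that sent no salt information at all. A debug line before the `continue`, e.g. `_krb5_debug(context, 5, "ignoring unsupported etype %d in ETYPE-INFO2", e.val[i].etype);`, would make that diagnosable; the same applies to the matching guard added in pa_etype_info. Whether krb5_enctype_valid also rejects weak-but-enabled types is decided by code outside this hunk, and pa_etype_info2 starts and ends outside it.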
@@ -863,6 +939,10 @@ pa_etype_info(krb5_context context,
goto out;
for (j = 0; j < asreq->req_body.etype.len; j++) {
for (i = 0; i < e.len; i++) {
+
+ if (krb5_enctype_valid(context, e.val[i].etype) != 0)
+ continue;
+
if (asreq->req_body.etype.val[j] == e.val[i].etype) {
krb5_salt salt;
salt.salttype = KRB5_PW_SALT;
@@ -905,6 +985,9 @@ pa_pw_or_afs3_salt(krb5_context context,
krb5_error_code ret;
if (paid->etype == KRB5_ENCTYPE_NULL)
return NULL;
+ if (krb5_enctype_valid(context, paid->etype) != 0)
+ return NULL;
+
ret = set_paid(paid, context,
paid->etype,
paid->salt.salttype,
@@ -917,55 +1000,6 @@ pa_pw_or_afs3_salt(krb5_context context,
}
-struct pa_info {
- krb5_preauthtype type;
- struct pa_info_data *(*salt_info)(krb5_context,
- const krb5_principal,
- const AS_REQ *,
- struct pa_info_data *,
- heim_octet_string *);
-};
-
-static struct pa_info pa_prefs[] = {
- { KRB5_PADATA_ETYPE_INFO2, pa_etype_info2 },
- { KRB5_PADATA_ETYPE_INFO, pa_etype_info },
- { KRB5_PADATA_PW_SALT, pa_pw_or_afs3_salt },
- { KRB5_PADATA_AFS3_SALT, pa_pw_or_afs3_salt }
-};
-
-static PA_DATA *
-find_pa_data(const METHOD_DATA *md, unsigned type)
-{
- size_t i;
- if (md == NULL)
- return NULL;
- for (i = 0; i < md->len; i++)
- if (md->val[i].padata_type == type)
- return &md->val[i];
- return NULL;
-}
-
-static struct pa_info_data *
-process_pa_info(krb5_context context,
- const krb5_principal client,
- const AS_REQ *asreq,
- struct pa_info_data *paid,
- METHOD_DATA *md)
-{
- struct pa_info_data *p = NULL;
- size_t i;
-
- for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
- PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
- if (pa == NULL)
- continue;
- paid->salt.salttype = (krb5_salttype)pa_prefs[i].type;
- p = (*pa_prefs[i].salt_info)(context, client, asreq,
- paid, &pa->padata_value);
- }
- return p;
-}
-
static krb5_error_code
make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
krb5_enctype etype, krb5_keyblock *key)
@@ -1036,6 +1070,8 @@ add_enc_ts_padata(krb5_context context,
krb5_enctype *ep;
size_t i;
+ memset(&salt2, 0, sizeof(salt2));
+
if(salt == NULL) {
/* default to standard salt */
ret = krb5_get_pw_salt (context, client, &salt2);
@@ -1046,7 +1082,7 @@ add_enc_ts_padata(krb5_context context,
if (!enctypes) {
enctypes = context->etypes;
netypes = 0;
- for (ep = enctypes; *ep != (krb5_enctype)ETYPE_NULL; ep++)
+ for (ep = enctypes; *ep != ETYPE_NULL; ep++)
netypes++;
}
@@ -1073,7 +1109,7 @@ static krb5_error_code
pa_data_to_md_ts_enc(krb5_context context,
const AS_REQ *a,
const krb5_principal client,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
struct pa_info_data *ppaid,
METHOD_DATA *md)
{
@@ -1110,7 +1146,7 @@ pa_data_to_md_ts_enc(krb5_context context,
static krb5_error_code
pa_data_to_key_plain(krb5_context context,
const krb5_principal client,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
krb5_salt salt,
krb5_data *s2kparams,
krb5_enctype etype,
@@ -1123,13 +1159,18 @@ pa_data_to_key_plain(krb5_context context,
return ret;
}
+struct pkinit_context {
+ unsigned int win2k : 1;
+ unsigned int used_pkinit : 1;
+};
+
static krb5_error_code
pa_data_to_md_pkinit(krb5_context context,
const AS_REQ *a,
const krb5_principal client,
int win2k,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
METHOD_DATA *md)
{
if (ctx->pk_init_ctx == NULL)
@@ -1150,9 +1191,666 @@ pa_data_to_md_pkinit(krb5_context context,
}
static krb5_error_code
-pa_data_add_pac_request(krb5_context context,
- krb5_get_init_creds_ctx *ctx,
- METHOD_DATA *md)
+pkinit_configure_ietf(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx)
+{
+ struct pkinit_context *pkinit_ctx = pa_ctx;
+
+ pkinit_ctx->win2k = 0;
+
+ if (ctx->pk_init_ctx == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ return 0;
+}
+
+static krb5_error_code
+pkinit_configure_win(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx)
+{
+ struct pkinit_context *pkinit_ctx = pa_ctx;
+
+ pkinit_ctx->win2k = 1;
+ pkinit_ctx->used_pkinit = 0;
+
+ if (ctx->pk_init_ctx == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ return 0;
+}
+
+static krb5_error_code
+pkinit_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ krb5_error_code ret = HEIM_ERR_PA_CANT_CONTINUE;
+ struct pkinit_context *pkinit_ctx = pa_ctx;
+
+ if (rep == NULL) {
+ if (pkinit_ctx->used_pkinit) {
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already tried PKINIT(%s), looping",
+ pkinit_ctx->win2k ? "win2k" : "ietf");
+ } else {
+ ret = pa_data_to_md_pkinit(context, a, ctx->cred.client,
+ (pkinit_ctx->win2k != 0),
+ ctx, out_md);
+ if (ret == 0)
+ ret = HEIM_ERR_PA_CONTINUE_NEEDED;
+
+ pkinit_ctx->used_pkinit = 1;
+ }
+ } else if (pa) {
+ ret = _krb5_pk_rd_pa_reply(context,
+ a->req_body.realm,
+ ctx->pk_init_ctx,
+ rep->enc_part.etype,
+ ctx->pk_nonce,
+ &ctx->req_buffer,
+ pa,
+ &ctx->fast_state.reply_key);
+ if (ret == 0)
+ ctx->runflags.allow_save_as_reply_key = 1;
+ }
+
+ return ret;
+}
+
+static void
+pkinit_release(void *pa_ctx)
+{
+}
+
+/*
+ * GSS-API pre-authentication support
+ */
+
+struct pa_gss_context {
+ struct gss_ctx_id_t_desc_struct *context_handle;
+ int open;
+};
+
+static krb5_error_code
+pa_gss_configure(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx)
+{
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ struct pa_gss_context *pa_gss_ctx = pa_ctx;
+
+ if (gssic == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ pa_gss_ctx->context_handle = NULL;
+ pa_gss_ctx->open = 0;
+
+ return 0;
+}
+
+static krb5_error_code
+pa_data_to_md_gss(krb5_context context,
+ const AS_REQ *a,
+ const krb5_creds *creds,
+ krb5_init_creds_context ctx,
+ struct pa_gss_context *pa_gss_ctx,
+ PA_DATA *pa,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ krb5_data req_body;
+ krb5_data *input_token, output_token;
+ size_t len = 0;
+
+ krb5_data_zero(&req_body);
+ krb5_data_zero(&output_token);
+
+ input_token = pa ? &pa->padata_value : NULL;
+
+ if ((input_token == NULL || input_token->length == 0) &&
+ pa_gss_ctx->context_handle) {
+ krb5_set_error_message(context, HEIM_ERR_PA_CANT_CONTINUE,
+ "Missing GSS preauthentication data from KDC");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ ASN1_MALLOC_ENCODE(KDC_REQ_BODY, req_body.data, req_body.length,
+ &ctx->as_req.req_body, &len, ret);
+ if (ret)
+ goto out;
+ heim_assert(req_body.length == len, "ASN.1 internal error");
+
+ ret = gssic->step(context, gssic, creds, &pa_gss_ctx->context_handle,
+ ctx->flags, &req_body,
+ input_token, &output_token);
+
+ /*
+ * If FAST authenticated the KDC (which will be the case unless anonymous
+ * PKINIT was used without KDC certificate validation) then we can relax
+ * the mutual authentication requirement.
+ */
+ if (ret == KRB5_MUTUAL_FAILED &&
+ (ctx->fast_state.flags & KRB5_FAST_EXPECTED) &&
+ (ctx->fast_state.flags & KRB5_FAST_KDC_VERIFIED))
+ ret = 0;
+ if (ret == 0) {
+ /*
+ * Always require a strengthen key if FAST was used, to avoid a MITM
+ * attack that could result in unintended privilege escalation should
+ * the KDC add positive authorization data from the armor ticket.
+ */
+ if ((ctx->fast_state.flags & KRB5_FAST_EXPECTED) &&
+ ctx->fast_state.strengthen_key == NULL) {
+ krb5_set_error_message(context, HEIM_ERR_PA_CANT_CONTINUE,
+ "FAST GSS pre-authentication without strengthen key");
+ ret = KRB5_KDCREP_MODIFIED;
+ goto out;
+ }
+
+ pa_gss_ctx->open = 1;
+ }
+
+ if (output_token.length) {
+ ret = krb5_padata_add(context, out_md, KRB5_PADATA_GSS,
+ output_token.data, output_token.length);
+ if (ret)
+ goto out;
+
+ krb5_data_zero(&output_token);
+ }
+
+out:
+ krb5_data_free(&output_token);
+ krb5_data_free(&req_body);
+
+ return ret;
+}
+
+static krb5_error_code
+pa_gss_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx,
+ PA_DATA *pa,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ krb5_principal cname;
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ struct pa_gss_context *pa_gss_ctx = pa_ctx;
+
+ heim_assert(gssic != NULL, "invalid context passed to pa_gss_step");
+
+ if (!pa_gss_ctx->open) {
+ ret = pa_data_to_md_gss(context, a, &ctx->cred, ctx,
+ pa_gss_ctx, pa, out_md);
+ if (ret == HEIM_ERR_PA_CONTINUE_NEEDED && rep) {
+ krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+ "KDC sent AS-REP before GSS "
+ "pre-authentication completed");
+ ret = KRB5_KDCREP_MODIFIED;
+ } else if (ret == 0 && rep == NULL) {
+ ret = HEIM_ERR_PA_CONTINUE_NEEDED; /* odd number of legs */
+ }
+ if (ret)
+ return ret;
+ } else if (pa && pa->padata_value.length) {
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already completed GSS pre-authentication");
+ return KRB5_GET_IN_TKT_LOOP;
+ } else if (rep == NULL) {
+ krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
+ "Completed GSS pre-authentication before KDC");
+ return KRB5_PREAUTH_FAILED;
+ }
+
+ heim_assert(pa_gss_ctx->open,
+ "GSS pre-authentication incomplete");
+
+ ret = gssic->finish(context, gssic, &ctx->cred,
+ pa_gss_ctx->context_handle, ctx->nonce,
+ rep->enc_part.etype, &cname,
+ &ctx->fast_state.reply_key);
+ if (ret)
+ return ret;
+
+ {
+ char *from = NULL;
+ char *to = NULL;
+
+ if (krb5_unparse_name(context, ctx->cred.client, &from) == 0) {
+ if (krb5_unparse_name(context, cname, &to) == 0) {
+ _krb5_debug(context, 1, "pa_gss_step: %s as %s",
+ from, to);
+ krb5_xfree(to);
+ }
+ krb5_xfree(from);
+ }
+ }
+
+ if (krb5_principal_is_federated(context, ctx->cred.client)) {
+ /*
+ * The well-known federated name will be replaced with the cname
+ * in the AS-REP, but save the locally mapped initiator name in the
+ * cred for logging.
+ */
+ krb5_free_principal(context, ctx->cred.client);
+ ctx->cred.client = cname;
+
+ ctx->ic_flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+ } else {
+ krb5_free_principal(context, cname);
+ }
+
+ ctx->runflags.allow_save_as_reply_key = 1;
+
+ gssic->delete_sec_context(context, gssic, pa_gss_ctx->context_handle);
+ pa_gss_ctx->context_handle = NULL;
+ pa_gss_ctx->open = 0;
+
+ return 0;
+}
+
+static krb5_error_code
+pa_gss_restart(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx)
+{
+ krb5_gss_init_ctx gssic = ctx->gss_init_ctx;
+ struct pa_gss_context *pa_gss_ctx = pa_ctx;
+
+ if (gssic == NULL)
+ return HEIM_ERR_PA_CANT_CONTINUE;
+
+ gssic->delete_sec_context(context, gssic, pa_gss_ctx->context_handle);
+ pa_gss_ctx->context_handle = NULL;
+ pa_gss_ctx->open = 0;
+
+ return 0;
+}
+
+static void
+pa_gss_release(void *pa_ctx)
+{
+}
+
+krb5_error_code
+_krb5_make_pa_enc_challenge(krb5_context context,
+ krb5_crypto crypto,
+ krb5_key_usage usage,
+ METHOD_DATA *md)
+{
+ PA_ENC_TS_ENC p;
+ unsigned char *buf;
+ size_t buf_size;
+ size_t len = 0;
+ EncryptedData encdata;
+ krb5_error_code ret;
+ int32_t usec;
+ int usec2;
+
+ krb5_us_timeofday (context, &p.patimestamp, &usec);
+ usec2 = usec;
+ p.pausec = &usec2;
+
+ ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
+ if (ret)
+ return ret;
+ if(buf_size != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ usage,
+ buf,
+ len,
+ 0,
+ &encdata);
+ free(buf);
+ if (ret)
+ return ret;
+
+ ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
+ free_EncryptedData(&encdata);
+ if (ret)
+ return ret;
+ if(buf_size != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ ret = krb5_padata_add(context, md, KRB5_PADATA_ENCRYPTED_CHALLENGE, buf, len);
+ if (ret)
+ free(buf);
+ return ret;
+}
+
+krb5_error_code
+_krb5_validate_pa_enc_challenge(krb5_context context,
+ krb5_crypto crypto,
+ krb5_key_usage usage,
+ EncryptedData *enc_data,
+ const char *peer_name)
+{
+ krb5_error_code ret;
+ krb5_data ts_data;
+ PA_ENC_TS_ENC p;
+ time_t timestamp;
+ int32_t usec;
+ size_t size;
+
+ ret = krb5_decrypt_EncryptedData(context, crypto, usage, enc_data, &ts_data);
+ if (ret)
+ return ret;
+
+ ret = decode_PA_ENC_TS_ENC(ts_data.data,
+ ts_data.length,
+ &p,
+ &size);
+ krb5_data_free(&ts_data);
+ if(ret){
+ ret = KRB5KDC_ERR_PREAUTH_FAILED;
+ _krb5_debug(context, 5, "Failed to decode PA-ENC-TS_ENC -- %s", peer_name);
+ goto out;
+ }
+
+ krb5_us_timeofday(context, &timestamp, &usec);
+
+ if (krb5_time_abs(timestamp, p.patimestamp) > context->max_skew) {
+ char client_time[100];
+
+ krb5_format_time(context, p.patimestamp,
+ client_time, sizeof(client_time), TRUE);
+
+ ret = KRB5KRB_AP_ERR_SKEW;
+ _krb5_debug(context, 0, "Too large time skew, "
+ "client time %s is out by %u > %d seconds -- %s",
+ client_time,
+ (unsigned)krb5_time_abs(timestamp, p.patimestamp),
+ (int)context->max_skew,
+ peer_name);
+ } else {
+ ret = 0;
+ }
+
+ out:
+ free_PA_ENC_TS_ENC(&p);
+
+ return ret;
+}
+
+
+static struct pa_info_data *
+process_pa_info(krb5_context, const krb5_principal, const AS_REQ *, struct pa_info_data *, METHOD_DATA *);
+
+
+static krb5_error_code
+enc_chal_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ struct pa_info_data paid, *ppaid;
+ krb5_keyblock challengekey;
+ krb5_data pepper1, pepper2;
+ krb5_crypto crypto = NULL;
+ krb5_enctype aenctype;
+ krb5_error_code ret;
+
+ memset(&paid, 0, sizeof(paid));
+
+ if (rep == NULL)
+ paid.etype = KRB5_ENCTYPE_NULL;
+ else
+ paid.etype = rep->enc_part.etype;
+ ppaid = process_pa_info(context, ctx->cred.client, a, &paid, in_md);
+
+ /*
+ * If we don't have ppaid, ts because the KDC have not sent any
+ * salt info, lets to the first roundtrip so the KDC have a chance
+ * to send any.
+ */
+ if (ppaid == NULL) {
+ _krb5_debug(context, 5, "no ppaid found");
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+ }
+ if (ppaid->etype == KRB5_ENCTYPE_NULL) {
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ if (ctx->fast_state.reply_key)
+ krb5_free_keyblock(context, ctx->fast_state.reply_key);
+
+ ret = pa_data_to_key_plain(context, ctx->cred.client, ctx,
+ ppaid->salt, ppaid->s2kparams, ppaid->etype,
+ &ctx->fast_state.reply_key);
+ free_paid(context, &paid);
+ if (ret) {
+ _krb5_debug(context, 5, "enc-chal: failed to build key");
+ return ret;
+ }
+
+ ret = krb5_crypto_init(context, ctx->fast_state.reply_key, 0, &crypto);
+ if (ret)
+ return ret;
+
+ krb5_crypto_getenctype(context, ctx->fast_state.armor_crypto, &aenctype);
+
+ pepper1.data = rep ? "kdcchallengearmor" : "clientchallengearmor";
+ pepper1.length = strlen(pepper1.data);
+ pepper2.data = "challengelongterm";
+ pepper2.length = strlen(pepper2.data);
+
+ ret = krb5_crypto_fx_cf2(context, ctx->fast_state.armor_crypto, crypto,
+ &pepper1, &pepper2, aenctype,
+ &challengekey);
+ krb5_crypto_destroy(context, crypto);
+ if (ret)
+ return ret;
+
+ ret = krb5_crypto_init(context, &challengekey, 0, &crypto);
+ krb5_free_keyblock_contents(context, &challengekey);
+ if (ret)
+ return ret;
+
+ if (rep) {
+ EncryptedData enc_data;
+ size_t size;
+
+ _krb5_debug(context, 5, "ENC_CHAL rep key");
+
+ if (ctx->fast_state.strengthen_key == NULL) {
+ krb5_crypto_destroy(context, crypto);
+ _krb5_debug(context, 5, "ENC_CHAL w/o strengthen_key");
+ return KRB5_KDCREP_MODIFIED;
+ }
+
+ if (pa == NULL) {
+ krb5_crypto_destroy(context, crypto);
+ _krb5_debug(context, 0, "KDC response missing");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ ret = decode_EncryptedData(pa->padata_value.data,
+ pa->padata_value.length,
+ &enc_data,
+ &size);
+ if (ret) {
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ _krb5_debug(context, 5, "Failed to decode ENC_CHAL KDC reply");
+ return ret;
+ }
+
+ ret = _krb5_validate_pa_enc_challenge(context, crypto,
+ KRB5_KU_ENC_CHALLENGE_KDC,
+ &enc_data,
+ "KDC");
+ free_EncryptedData(&enc_data);
+ krb5_crypto_destroy(context, crypto);
+
+ return ret;
+
+ } else {
+
+ ret = _krb5_make_pa_enc_challenge(context, crypto,
+ KRB5_KU_ENC_CHALLENGE_CLIENT,
+ out_md);
+ krb5_crypto_destroy(context, crypto);
+ if (ret) {
+ _krb5_debug(context, 5, "enc-chal: failed build enc challenge");
+ return ret;
+ }
+
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+ }
+}
+
+struct enc_ts_context {
+ int used_pa_types;
+#define USED_ENC_TS_GUESS 4
+#define USED_ENC_TS_INFO 8
+#define USED_ENC_TS_RENEG 16
+ krb5_principal user;
+};
+
+static krb5_error_code
+enc_ts_restart(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx)
+{
+ struct enc_ts_context *pactx = (struct enc_ts_context *)pa_ctx;
+ pactx->used_pa_types = 0;
+ krb5_free_principal(context, pactx->user);
+ pactx->user = NULL;
+ return 0;
+}
+
+static krb5_error_code
+enc_ts_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ struct enc_ts_context *pactx = (struct enc_ts_context *)pa_ctx;
+ struct pa_info_data paid, *ppaid;
+ krb5_error_code ret;
+ const char *state;
+ unsigned flag;
+
+ /*
+ * Keep track of the user we used so that we can restart
+ * authentication when we get referrals.
+ */
+
+ if (pactx->user && !krb5_principal_compare(context, pactx->user, ctx->cred.client)) {
+ pactx->used_pa_types = 0;
+ krb5_free_principal(context, pactx->user);
+ pactx->user = NULL;
+ }
+
+ if (pactx->user == NULL) {
+ ret = krb5_copy_principal(context, ctx->cred.client, &pactx->user);
+ if (ret)
+ return ret;
+ }
+
+ memset(&paid, 0, sizeof(paid));
+
+ if (rep == NULL)
+ paid.etype = KRB5_ENCTYPE_NULL;
+ else
+ paid.etype = rep->enc_part.etype;
+
+ ppaid = process_pa_info(context, ctx->cred.client, a, &paid, in_md);
+
+ if (rep) {
+ /*
+ * Some KDC's don't send salt info in the reply when there is
+ * success pre-auth happned before, so use cached copy (or
+ * even better, if there is just one pre-auth, save reply-key).
+ */
+ if (ppaid == NULL && ctx->paid.etype != KRB5_ENCTYPE_NULL) {
+ ppaid = &ctx->paid;
+
+ } else if (ppaid == NULL) {
+ _krb5_debug(context, 0, "no paid when building key, build a default salt structure ?");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ ret = pa_data_to_key_plain(context, ctx->cred.client, ctx,
+ ppaid->salt, ppaid->s2kparams, rep->enc_part.etype,
+ &ctx->fast_state.reply_key);
+ free_paid(context, &paid);
+ return ret;
+ }
+
+ /*
+ * If we don't have ppaid, ts because the KDC have not sent any
+ * salt info, lets to the first roundtrip so the KDC have a chance
+ * to send any.
+ *
+ * Don't bother guessing, it sounds like a good idea until you run
+ * into KDCs that are doing failed auth counting based on the
+ * ENC_TS tries.
+ *
+ * Stashing the salt for the next run is a diffrent issue and
+ * could be considered in the future.
+ */
+
+ if (ppaid == NULL) {
+ _krb5_debug(context, 5,
+ "TS-ENC: waiting for KDC to set pw-salt/etype_info{,2}");
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+ }
+ if (ppaid->etype == KRB5_ENCTYPE_NULL) {
+ free_paid(context, &paid);
+ _krb5_debug(context, 5,
+ "TS-ENC: kdc proposes enctype NULL ?");
+ return HEIM_ERR_PA_CANT_CONTINUE;
+ }
+
+ /*
+ * We have to allow the KDC to re-negotiate the PA-TS data
+ * once, this is since the in the case of a windows read only
+ * KDC that doesn't have the keys simply guesses what the
+ * master is supposed to support. In the case where this
+ * breaks in when the RO-KDC is a newer version the the RW-KDC
+ * and the RO-KDC announced a enctype that the older doesn't
+ * support.
+ */
+ if (pactx->used_pa_types & USED_ENC_TS_INFO) {
+ flag = USED_ENC_TS_RENEG;
+ state = "reneg";
+ } else {
+ flag = USED_ENC_TS_INFO;
+ state = "info";
+ }
+
+ if (pactx->used_pa_types & flag) {
+ free_paid(context, &paid);
+ krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+ "Already tried ENC-TS-%s, looping", state);
+ return KRB5_GET_IN_TKT_LOOP;
+ }
+
+ pactx->used_pa_types |= flag;
+
+ free_paid(context, &ctx->paid);
+ ctx->paid = *ppaid;
+
+ ret = pa_data_to_md_ts_enc(context, a, ctx->cred.client, ctx, ppaid, out_md);
+ if (ret)
+ return ret;
+
+ return HEIM_ERR_PA_CONTINUE_NEEDED;
+}
+
+static void
+enc_ts_release(void *pa_ctx)
+{
+ struct enc_ts_context *pactx = (struct enc_ts_context *)pa_ctx;
+
+ if (pactx->user)
+ krb5_free_principal(NULL, pactx->user);
+}
+
+static krb5_error_code
+pa_pac_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
{
size_t len = 0, length;
krb5_error_code ret;
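Review bot: enc_chal_step leaks on two of its error paths: the `if (ppaid->etype == KRB5_ENCTYPE_NULL)` return skips `free_paid(context, &paid)` (enc_ts_step frees it in the same situation), and the `decode_EncryptedData` failure returns KRB5KRB_AP_ERR_BAD_INTEGRITY without `krb5_crypto_destroy(context, crypto)`, leaving the derived challenge key live in the heap. Add `free_paid(context, &paid);` before the first return and `krb5_crypto_destroy(context, crypto);` before the second, matching the strengthen_key and `pa == NULL` branches just above. Separately, the keyblock freed at `krb5_free_keyblock(context, ctx->fast_state.reply_key)` is not nulled before pa_data_to_key_plain is handed its address; unless that helper always overwrites the out-pointer on failure (its body is outside this hunk), a failing step leaves a dangling pointer for a later free.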
@@ -1173,16 +1871,489 @@ pa_data_add_pac_request(krb5_context context,
&req, &len, ret);
if (ret)
return ret;
- if(len != length)
- krb5_abortx(context, "internal error in ASN.1 encoder");
+ heim_assert(len == length, "internal error in ASN.1 encoder");
- ret = krb5_padata_add(context, md, KRB5_PADATA_PA_PAC_REQUEST, buf, len);
+ ret = krb5_padata_add(context, out_md, KRB5_PADATA_PA_PAC_REQUEST, buf, len);
if (ret)
free(buf);
return 0;
}
+static krb5_error_code
+pa_enc_pa_rep_step(krb5_context context, krb5_init_creds_context ctx, void *pa_ctx, PA_DATA *pa, const AS_REQ *a,
+ const AS_REP *rep, METHOD_DATA *in_md, METHOD_DATA *out_md)
+{
+ if (ctx->runflags.allow_enc_pa_rep)
+ return krb5_padata_add(context, out_md, KRB5_PADATA_REQ_ENC_PA_REP, NULL, 0);
+
+ return 0;
+}
+
+static krb5_error_code
+pa_fx_cookie_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ void *pa_ctx,
+ PA_DATA *pa,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ void *cookie;
+ PA_DATA *pad;
+ int idx = 0;
+
+ pad = krb5_find_padata(in_md->val, in_md->len, KRB5_PADATA_FX_COOKIE, &idx);
+ if (pad == NULL) {
+ /*
+ * RFC 6113 5.4.3: PA-FX-COOKIE MUST be included if the KDC
+ * expects at least one more message from the client.
+ */
+ if (ctx->error.error_code == KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
+ return KRB5_PREAUTH_FAILED;
+ else
+ return 0;
+ }
+
+ cookie = malloc(pad->padata_value.length);
+ if (cookie == NULL)
+ return krb5_enomem(context);
+
+ memcpy(cookie, pad->padata_value.data, pad->padata_value.length);
+
+ ret = krb5_padata_add(context, out_md, KRB5_PADATA_FX_COOKIE,
+ cookie, pad->padata_value.length);
+ if (ret)
+ free(cookie);
+ else
+ _krb5_debug(context, 5, "Mirrored FX-COOKIE to KDC");
+
+ return ret;
+}
+
+typedef struct pa_info_data *(*pa_salt_info_f)(krb5_context, const krb5_principal, const AS_REQ *, struct pa_info_data *, heim_octet_string *);
+typedef krb5_error_code (*pa_configure_f)(krb5_context, krb5_init_creds_context, void *);
+typedef krb5_error_code (*pa_restart_f)(krb5_context, krb5_init_creds_context, void *);
+typedef krb5_error_code (*pa_step_f)(krb5_context, krb5_init_creds_context, void *, PA_DATA *, const AS_REQ *, const AS_REP *, METHOD_DATA *, METHOD_DATA *);
+typedef void (*pa_release_f)(void *);
+
+static const struct patype {
+ int type;
+ const char *name;
+ int flags;
+#define PA_F_ANNOUNCE 1
+#define PA_F_CONFIG 2
+#define PA_F_FAST 4 /* available inside FAST */
+#define PA_F_NOT_FAST 8 /* only available without FAST */
+ size_t pa_ctx_size;
+ pa_salt_info_f salt_info;
+ /**
+ * Return 0 if the PA-mechanism is available and optionally set pa_ctx pointer to non-NULL.
+ */
+ pa_configure_f configure;
+ /**
+ * Return 0 if the PA-mechanism can be restarted (time skew, referrals, etc)
+ */
+ pa_restart_f restart;
+ /**
+ * Return 0 if the when complete, HEIM_ERR_PA_CONTINUE_NEEDED if more steps are require
+ */
+ pa_step_f step;
+ pa_release_f release;
+} patypes[] = {
+ {
+ KRB5_PADATA_PK_AS_REP,
+ "PKINIT(IETF)",
+ PA_F_FAST | PA_F_NOT_FAST,
+ sizeof(struct pkinit_context),
+ NULL,
+ pkinit_configure_ietf,
+ NULL,
+ pkinit_step,
+ pkinit_release
+ },
+ {
+ KRB5_PADATA_PK_AS_REP_19,
+ "PKINIT(win)",
+ PA_F_FAST | PA_F_NOT_FAST,
+ sizeof(struct pkinit_context),
+ NULL,
+ pkinit_configure_win,
+ NULL,
+ pkinit_step,
+ pkinit_release
+ },
+ {
+ KRB5_PADATA_GSS,
+ "GSS",
+ PA_F_FAST | PA_F_NOT_FAST,
+ sizeof(struct pa_gss_context),
+ NULL,
+ pa_gss_configure,
+ pa_gss_restart,
+ pa_gss_step,
+ pa_gss_release
+ },
+ {
+ KRB5_PADATA_ENCRYPTED_CHALLENGE,
+ "ENCRYPTED_CHALLENGE",
+ PA_F_FAST,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ enc_chal_step,
+ NULL
+ },
+ {
+ KRB5_PADATA_ENC_TIMESTAMP,
+ "ENCRYPTED_TIMESTAMP",
+ PA_F_NOT_FAST,
+ sizeof(struct enc_ts_context),
+ NULL,
+ NULL,
+ enc_ts_restart,
+ enc_ts_step,
+ enc_ts_release
+ },
+ {
+ KRB5_PADATA_PA_PAC_REQUEST,
+ "PA_PAC_REQUEST",
+ PA_F_CONFIG,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ pa_pac_step,
+ NULL
+ },
+ {
+ KRB5_PADATA_REQ_ENC_PA_REP,
+ "REQ-ENC-PA-REP",
+ PA_F_CONFIG,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ pa_enc_pa_rep_step,
+ NULL
+ },
+ {
+ KRB5_PADATA_FX_COOKIE,
+ "FX-COOKIE",
+ PA_F_CONFIG,
+ 0,
+ NULL,
+ NULL,
+ NULL,
+ pa_fx_cookie_step,
+ NULL
+ },
+#define patype_salt(n, f) { KRB5_PADATA_##n, #n, 0, 0, f, NULL, NULL, NULL, NULL }
+ patype_salt(ETYPE_INFO2, pa_etype_info2),
+ patype_salt(ETYPE_INFO, pa_etype_info),
+ patype_salt(PW_SALT, pa_pw_or_afs3_salt),
+ patype_salt(AFS3_SALT, pa_pw_or_afs3_salt),
+#undef patype_salt
+ /* below are just for pretty printing */
+#define patype_info(n) { KRB5_PADATA_##n, #n, 0, 0, NULL, NULL, NULL, NULL, NULL }
+ patype_info(AUTHENTICATION_SET),
+ patype_info(AUTH_SET_SELECTED),
+ patype_info(FX_FAST),
+ patype_info(FX_ERROR),
+ patype_info(PKINIT_KX),
+ patype_info(PK_AS_REQ)
+#undef patype_info
+};
+
+static const char *
+get_pa_type_name(int type)
+{
+ size_t n;
+ for (n = 0; n < sizeof(patypes)/sizeof(patypes[0]); n++)
+ if (type == patypes[n].type)
+ return patypes[n].name;
+ return "unknown";
+}
+
+/*
+ *
+ */
+
+struct pa_auth_mech {
+ const struct patype *patype;
+ struct pa_auth_mech *next; /* when doing authentication sets */
+ char pactx[1];
+};
+
+/*
+ *
+ */
+
+static struct pa_info_data *
+process_pa_info(krb5_context context,
+ const krb5_principal client,
+ const AS_REQ *asreq,
+ struct pa_info_data *paid,
+ METHOD_DATA *md)
+{
+ struct pa_info_data *p = NULL;
+ PA_DATA *pa;
+ size_t i;
+
+ if (md == NULL)
+ return NULL;
+
+ for (i = 0; p == NULL && i < sizeof(patypes)/sizeof(patypes[0]); i++) {
+ int idx = 0;
+
+ if (patypes[i].salt_info == NULL)
+ continue;
+
+ pa = krb5_find_padata(md->val, md->len, patypes[i].type, &idx);
+ if (pa == NULL)
+ continue;
+
+ paid->salt.salttype = (krb5_salttype)patypes[i].type;
+ p = patypes[i].salt_info(context, client, asreq, paid, &pa->padata_value);
+ }
+ return p;
+}
+
+static krb5_error_code
+pa_announce(krb5_context context,
+ int types,
+ krb5_init_creds_context ctx,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret = 0;
+ size_t n;
+
+ for (n = 0; ret == 0 && n < sizeof(patypes)/sizeof(patypes[0]); n++) {
+ if ((patypes[n].flags & types) == 0)
+ continue;
+
+ if (patypes[n].step)
+ patypes[n].step(context, ctx, NULL, NULL, NULL, NULL, in_md, out_md);
+ else
+ ret = krb5_padata_add(context, out_md, patypes[n].type, NULL, 0);
+ }
+ return ret;
+}
+
+
+static void HEIM_CALLCONV
+mech_dealloc(void *ctx)
+{
+ struct pa_auth_mech *pa_mech = ctx;
+ if (pa_mech->patype->release)
+ pa_mech->patype->release((void *)&pa_mech->pactx[0]);
+}
+
+static const struct heim_type_data pa_auth_mech_object = {
+ HEIM_TID_PA_AUTH_MECH,
+ "heim-pa-mech-context",
+ NULL,
+ mech_dealloc,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+};
+
+static struct pa_auth_mech *
+pa_mech_create(krb5_context context, krb5_init_creds_context ctx, int pa_type)
+{
+ struct pa_auth_mech *pa_mech;
+ const struct patype *patype = NULL;
+ size_t n;
+
+ for (n = 0; patype == NULL && n < sizeof(patypes)/sizeof(patypes[0]); n++) {
+ if (patypes[n].type == pa_type)
+ patype = &patypes[n];
+ }
+ if (patype == NULL)
+ return NULL;
+
+ pa_mech = _heim_alloc_object(&pa_auth_mech_object, sizeof(*pa_mech) - 1 + patype->pa_ctx_size);
+ if (pa_mech == NULL)
+ return NULL;
+
+ pa_mech->patype = patype;
+
+ if (pa_mech->patype->configure) {
+ krb5_error_code ret;
+
+ ret = pa_mech->patype->configure(context, ctx, &pa_mech->pactx[0]);
+ if (ret) {
+ heim_release(pa_mech);
+ return NULL;
+ }
+ }
+
+ _krb5_debug(context, 5, "Adding PA mech: %s", patype->name);
+
+ return pa_mech;
+}
+
+static void
+pa_mech_add(krb5_context context, krb5_init_creds_context ctx, int pa_type)
+{
+ struct pa_auth_mech *mech;
+
+ mech = pa_mech_create(context, ctx, pa_type);
+ if (mech) {
+ heim_array_append_value(ctx->available_pa_mechs, mech);
+ heim_release(mech);
+ }
+}
+
+static krb5_error_code
+pa_configure(krb5_context context,
+ krb5_init_creds_context ctx,
+ METHOD_DATA *in_md)
+{
+ ctx->available_pa_mechs = heim_array_create();
+
+ if (ctx->gss_init_ctx) {
+ pa_mech_add(context, ctx, KRB5_PADATA_GSS);
+ } else if (ctx->pk_init_ctx) {
+ pa_mech_add(context, ctx, KRB5_PADATA_PK_AS_REP);
+ pa_mech_add(context, ctx, KRB5_PADATA_PK_AS_REP_19);
+ } else if (ctx->keyproc || ctx->keyseed || ctx->prompter) {
+ pa_mech_add(context, ctx, KRB5_PADATA_ENCRYPTED_CHALLENGE);
+ pa_mech_add(context, ctx, KRB5_PADATA_ENC_TIMESTAMP);
+ }
+ /* XXX setup context based on KDC reply */
+
+ return 0;
+}
+
+static krb5_error_code
+pa_restart(krb5_context context,
+ krb5_init_creds_context ctx)
+{
+ krb5_error_code ret = HEIM_ERR_PA_CANT_CONTINUE;
+
+ if (ctx->pa_mech && ctx->pa_mech->patype->restart)
+ ret = ctx->pa_mech->patype->restart(context, ctx, (void *)&ctx->pa_mech->pactx[0]);
+
+ return ret;
+}
+
+
+static krb5_error_code
+pa_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ const AS_REQ *a,
+ const AS_REP *rep,
+ METHOD_DATA *in_md,
+ METHOD_DATA *out_md)
+{
+ krb5_error_code ret;
+ PA_DATA *pa = NULL;
+ int idx;
+
+ next:
+ do {
+ if (ctx->pa_mech == NULL) {
+ size_t len = heim_array_get_length(ctx->available_pa_mechs);
+ if (len == 0) {
+ _krb5_debug(context, 0, "no more available_pa_mechs to try");
+ return HEIM_ERR_NO_MORE_PA_MECHS;
+ }
+
+ ctx->pa_mech = heim_array_copy_value(ctx->available_pa_mechs, 0);
+ heim_array_delete_value(ctx->available_pa_mechs, 0);
+ }
+
+ if (ctx->fast_state.armor_crypto) {
+ if ((ctx->pa_mech->patype->flags & PA_F_FAST) == 0) {
+ _krb5_debug(context, 0, "pa-mech %s dropped under FAST (not supported)",
+ ctx->pa_mech->patype->name);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ continue;
+ }
+ } else {
+ if ((ctx->pa_mech->patype->flags & PA_F_NOT_FAST) == 0) {
+ _krb5_debug(context, 0, "dropped pa-mech %s since not running under FAST",
+ ctx->pa_mech->patype->name);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ continue;
+ }
+ }
+
+ _krb5_debug(context, 0, "pa-mech trying: %s, searching for %d",
+ ctx->pa_mech->patype->name, ctx->pa_mech->patype->type);
+
+ idx = 0;
+ if (in_md)
+ pa = krb5_find_padata(in_md->val, in_md->len, ctx->pa_mech->patype->type, &idx);
+ else
+ pa = NULL;
+
+ } while (ctx->pa_mech == NULL);
+
+ _krb5_debug(context, 5, "Stepping pa-mech: %s", ctx->pa_mech->patype->name);
+
+ ret = ctx->pa_mech->patype->step(context, ctx, (void *)&ctx->pa_mech->pactx[0], pa, a, rep, in_md, out_md);
+ _krb5_debug(context, 10, "PA type %s returned %d", ctx->pa_mech->patype->name, ret);
+ if (ret == 0) {
+ struct pa_auth_mech *next_pa = ctx->pa_mech->next;
+
+ if (next_pa) {
+ _krb5_debug(context, 5, "Next PA type in set is: %s",
+ next_pa->patype->name);
+ ret = HEIM_ERR_PA_CONTINUE_NEEDED;
+ } else if (rep == NULL) {
+ _krb5_debug(context, 5, "PA %s done, but no ticket in sight!!!",
+ ctx->pa_mech->patype->name);
+ ret = HEIM_ERR_PA_CANT_CONTINUE;
+ } else {
+ ctx->pa_used = ctx->pa_mech->patype->name;
+ }
+
+ heim_retain(next_pa);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = next_pa;
+ }
+
+ if (ret == HEIM_ERR_PA_CANT_CONTINUE) {
+ if (ctx->pa_mech) {
+ _krb5_debug(context, 5, "Dropping PA type %s", ctx->pa_mech->patype->name);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ }
+ goto next;
+ } else if (ret == HEIM_ERR_PA_CONTINUE_NEEDED) {
+ _krb5_debug(context, 5, "Continue needed for %s", ctx->pa_mech->patype->name);
+ } else if (ret != 0) {
+ _krb5_debug(context, 5, "Other error from mech %s: %d", ctx->pa_mech->patype->name, ret);
+ heim_release(ctx->pa_mech);
+ ctx->pa_mech = NULL;
+ }
+
+ return ret;
+}
+
+static void
+log_kdc_pa_types(krb5_context context, METHOD_DATA *in_md)
+{
+ if (_krb5_have_debug(context, 5)) {
+ unsigned i;
+ _krb5_debug(context, 5, "KDC sent %d patypes", in_md->len);
+ for (i = 0; i < in_md->len; i++)
+ _krb5_debug(context, 5, "KDC sent PA-DATA type: %d (%s)",
+ in_md->val[i].padata_type,
+ get_pa_type_name(in_md->val[i].padata_type));
+ }
+}
+
/*
* Assumes caller always will free `out_md', even on error.
*/
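Review bot: pa_announce discards the return value of `patypes[n].step(...)`, so the RFC 6113 check in pa_fx_cookie_step (returning KRB5_PREAUTH_FAILED when the KDC answered KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED without a PA-FX-COOKIE) never reaches the caller, and an allocation failure from krb5_padata_add in pa_enc_pa_rep_step or pa_fx_cookie_step is lost the same way. FX-COOKIE, PA_PAC_REQUEST and REQ-ENC-PA-REP carry only PA_F_CONFIG and are never added to available_pa_mechs by pa_configure, so this loop is their only caller. Change the call to `ret = patypes[n].step(context, ctx, NULL, NULL, NULL, NULL, in_md, out_md);` so the loop's `ret == 0` condition and process_pa_data_to_md see the failure. pa_pac_step's own `return 0` after a failed krb5_padata_add is pre-existing and would still need a separate fix.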
@@ -1191,191 +2362,119 @@ static krb5_error_code
process_pa_data_to_md(krb5_context context,
const krb5_creds *creds,
const AS_REQ *a,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
METHOD_DATA *in_md,
- METHOD_DATA **out_md,
- krb5_prompter_fct prompter,
- void *prompter_data)
+ METHOD_DATA **out_md)
{
krb5_error_code ret;
ALLOC(*out_md, 1);
- if (*out_md == NULL)
+ if (*out_md == NULL) {
return krb5_enomem(context);
-
+ }
(*out_md)->len = 0;
(*out_md)->val = NULL;
- if (_krb5_have_debug(context, 5)) {
- unsigned i;
- _krb5_debug(context, 5, "KDC send %d patypes", in_md->len);
- for (i = 0; i < in_md->len; i++)
- _krb5_debug(context, 5, "KDC send PA-DATA type: %d", in_md->val[i].padata_type);
+ log_kdc_pa_types(context, in_md);
+
+ ret = pa_step(context, ctx, a, NULL, in_md, *out_md);
+ if (ret == HEIM_ERR_PA_CONTINUE_NEEDED) {
+ _krb5_debug(context, 0, "pamech need more stepping");
+ } else if (ret == 0) {
+ _krb5_debug(context, 0, "pamech done step");
+ } else {
+ return ret;
}
/*
- * Make sure we don't sent both ENC-TS and PK-INIT pa data, no
- * need to expose our password protecting our PKCS12 key.
+ * Send announcement (what we support) and configuration (user
+ * introduced behavior change)
*/
+ ret = pa_announce(context, PA_F_ANNOUNCE|PA_F_CONFIG, ctx, in_md, *out_md);
- if (ctx->pk_init_ctx) {
-
- _krb5_debug(context, 5, "krb5_get_init_creds: "
- "prepareing PKINIT padata (%s)",
- (ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf");
-
- if (ctx->used_pa_types & USED_PKINIT_W2K) {
- krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
- "Already tried pkinit, looping");
- return KRB5_GET_IN_TKT_LOOP;
- }
-
- ret = pa_data_to_md_pkinit(context, a, creds->client,
- (ctx->used_pa_types & USED_PKINIT),
- ctx, *out_md);
- if (ret)
- return ret;
-
- if (ctx->used_pa_types & USED_PKINIT)
- ctx->used_pa_types |= USED_PKINIT_W2K;
- else
- ctx->used_pa_types |= USED_PKINIT;
-
- } else if (in_md->len != 0) {
- struct pa_info_data *paid, *ppaid;
- unsigned flag;
-
- paid = calloc(1, sizeof(*paid));
- if (paid == NULL)
- return krb5_enomem(context);
-
- paid->etype = KRB5_ENCTYPE_NULL;
- ppaid = process_pa_info(context, creds->client, a, paid, in_md);
-
- if (ppaid)
- flag = USED_ENC_TS_INFO;
- else
- flag = USED_ENC_TS_GUESS;
-
- if (ctx->used_pa_types & flag) {
- if (ppaid)
- free_paid(context, ppaid);
- free(paid);
- krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
- "Already tried ENC-TS-%s, looping",
- flag == USED_ENC_TS_INFO ? "info" : "guess");
- return KRB5_GET_IN_TKT_LOOP;
- }
-
- pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md);
-
- ctx->used_pa_types |= flag;
-
- if (ppaid) {
- if (ctx->ppaid) {
- free_paid(context, ctx->ppaid);
- free(ctx->ppaid);
- }
- ctx->ppaid = ppaid;
- } else
- free(paid);
- }
-
- pa_data_add_pac_request(context, ctx, *out_md);
-
- if ((ctx->fast_state.flags & KRB5_FAST_DISABLED) == 0) {
- ret = krb5_padata_add(context, *out_md, KRB5_PADATA_REQ_ENC_PA_REP, NULL, 0);
- if (ret)
- return ret;
- }
+ /*
+ *
+ */
if ((*out_md)->len == 0) {
free(*out_md);
*out_md = NULL;
}
- return 0;
+ return ret;
}
static krb5_error_code
process_pa_data_to_key(krb5_context context,
- krb5_get_init_creds_ctx *ctx,
+ krb5_init_creds_context ctx,
krb5_creds *creds,
AS_REQ *a,
AS_REP *rep,
- const krb5_krbhst_info *hi,
krb5_keyblock **key)
{
struct pa_info_data paid, *ppaid = NULL;
krb5_error_code ret;
- krb5_enctype etype;
- PA_DATA *pa;
+ krb5_enctype etype = rep->enc_part.etype;
memset(&paid, 0, sizeof(paid));
- etype = rep->enc_part.etype;
+ if (rep->padata)
+ log_kdc_pa_types(context, rep->padata);
if (rep->padata) {
paid.etype = etype;
ppaid = process_pa_info(context, creds->client, a, &paid,
rep->padata);
}
- if (ppaid == NULL)
- ppaid = ctx->ppaid;
if (ppaid == NULL) {
- ret = krb5_get_pw_salt (context, creds->client, &paid.salt);
- if (ret)
- return ret;
- paid.etype = etype;
- paid.s2kparams = NULL;
- ppaid = &paid;
- }
-
- pa = NULL;
- if (rep->padata) {
- int idx = 0;
- pa = krb5_find_padata(rep->padata->val,
- rep->padata->len,
- KRB5_PADATA_PK_AS_REP,
- &idx);
- if (pa == NULL) {
- idx = 0;
- pa = krb5_find_padata(rep->padata->val,
- rep->padata->len,
- KRB5_PADATA_PK_AS_REP_19,
- &idx);
+ if (ctx->paid.etype == KRB5_ENCTYPE_NULL) {
+ ctx->paid.etype = etype;
+ ctx->paid.s2kparams = NULL;
+ ret = krb5_get_pw_salt (context, creds->client, &ctx->paid.salt);
+ if (ret)
+ return ret;
}
}
- if (pa && ctx->pk_init_ctx) {
-#ifdef PKINIT
- _krb5_debug(context, 5, "krb5_get_init_creds: using PKINIT");
- ret = _krb5_pk_rd_pa_reply(context,
- a->req_body.realm,
- ctx->pk_init_ctx,
- etype,
- hi,
- ctx->pk_nonce,
- &ctx->req_buffer,
- pa,
- key);
-#else
- ret = EINVAL;
- krb5_set_error_message(context, ret, N_("no support for PKINIT compiled in", ""));
-#endif
- } else if (ctx->keyseed) {
- _krb5_debug(context, 5, "krb5_get_init_creds: using keyproc");
- ret = pa_data_to_key_plain(context, creds->client, ctx,
- ppaid->salt, ppaid->s2kparams, etype, key);
+ ret = pa_step(context, ctx, a, rep, rep->padata, NULL);
+ if (ret == HEIM_ERR_PA_CONTINUE_NEEDED) {
+ _krb5_debug(context, 0, "In final stretch and pa require more stepping ?");
+ return ret;
+ } else if (ret == 0) {
+ _krb5_debug(context, 0, "final pamech done step");
+ goto out;
} else {
- ret = EINVAL;
- krb5_set_error_message(context, ret, N_("No usable pa data type", ""));
+ return ret;
}
-
+ out:
free_paid(context, &paid);
return ret;
}
+/*
+ *
+ */
+
+static krb5_error_code
+capture_lkdc_domain(krb5_context context,
+ krb5_init_creds_context ctx)
+{
+ size_t len;
+
+ len = strlen(_krb5_wellknown_lkdc);
+
+ if (ctx->kdc_hostname != NULL ||
+ strncmp(ctx->cred.client->realm, _krb5_wellknown_lkdc, len) != 0 ||
+ ctx->cred.client->realm[len] != ':')
+ return 0;
+
+ ctx->kdc_hostname = strdup(&ctx->cred.client->realm[len + 1]);
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: setting LKDC hostname to: %s",
+ ctx->kdc_hostname);
+ return 0;
+}
+
/**
* Start a new context to get a new initial credential.
*
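Review bot: `capture_lkdc_domain` never checks the `strdup` result, so on allocation failure it returns 0 with `ctx->kdc_hostname == NULL` and then hands that NULL to `_krb5_debug` through `%s`; add `if (ctx->kdc_hostname == NULL) return krb5_enomem(context);` before the debug line. `process_pa_data_to_md` keeps its `creds` parameter although the new body no longer reads it, which will warn under -Wunused-parameter; either drop it from the signature and its caller or mark it unused. In `process_pa_data_to_key` the `ppaid` returned by `process_pa_info` is only used in the `ppaid == NULL` test and the local `paid` is freed at `out`, so if the ETYPE-INFO carried in the AS-REP is meant to feed `ctx->paid`, that hand-off is missing here; if it is intentionally ignored, a one-line comment saying so would help.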
@@ -1412,13 +2511,15 @@ krb5_init_creds_init(krb5_context context,
if (ctx == NULL)
return krb5_enomem(context);
- ret = get_init_creds_common(context, client, start_time, options, ctx);
+ ret = get_init_creds_common(context, client, prompter, prompter_data,
+ start_time, options, ctx);
if (ret) {
free(ctx);
return ret;
}
/* Set a new nonce. */
+ /* FIXME should generate a new nonce for each AS-REQ */
krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
ctx->nonce &= 0x7fffffff;
/* XXX these just needs to be the same when using Windows PK-INIT */
@@ -1427,12 +2528,66 @@ krb5_init_creds_init(krb5_context context,
ctx->prompter = prompter;
ctx->prompter_data = prompter_data;
+ /* pick up hostname from LKDC realm name */
+ ret = capture_lkdc_domain(context, ctx);
+ if (ret) {
+ free_init_creds_ctx(context, ctx);
+ return ret;
+ }
+
+ ctx->runflags.allow_enc_pa_rep = 1;
+
+ ctx->fast_state.flags |= KRB5_FAST_AS_REQ;
+
*rctx = ctx;
return ret;
}
/**
+ * Set the KDC hostname for the initial request, it will not be
+ * considered in referrals to another KDC.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx a krb5_init_creds_context context.
+ * @param hostname the hostname for the KDC of realm
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
+ * @ingroup krb5_credential
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_init_creds_set_kdc_hostname(krb5_context context,
+ krb5_init_creds_context ctx,
+ const char *hostname)
+{
+ if (ctx->kdc_hostname)
+ free(ctx->kdc_hostname);
+ ctx->kdc_hostname = strdup(hostname);
+ if (ctx->kdc_hostname == NULL)
+ return krb5_enomem(context);
+ return 0;
+}
+
+/**
+ * Set the sitename for the request
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_init_creds_set_sitename(krb5_context context,
+ krb5_init_creds_context ctx,
+ const char *sitename)
+{
+ if (ctx->sitename)
+ free(ctx->sitename);
+ ctx->sitename = strdup(sitename);
+ if (ctx->sitename == NULL)
+ return krb5_enomem(context);
+ return 0;
+}
+
+/**
* Sets the service that the is requested. This call is only neede for
* special initial tickets, by default the a krbtgt is fetched in the default realm.
*
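Review bot: `krb5_init_creds_set_kdc_hostname` and `krb5_init_creds_set_sitename` pass `hostname`/`sitename` straight to `strdup` with no NULL check, and because the previous value is freed first a NULL argument is undefined behaviour rather than a way to clear the field; put a guard such as `if (hostname == NULL) return EINVAL;` first, or document that NULL means "unset" and return 0 after the free. The doxygen block for `krb5_init_creds_set_sitename` has only a summary line; add `@param context`, `@param ctx`, `@param sitename`, `@return` and `@ingroup krb5_credential` lines to match the `krb5_init_creds_set_kdc_hostname` block directly above it. In `krb5_init_creds_init` the earlier failure path uses `free(ctx)` while the new `capture_lkdc_domain` failure path uses `free_init_creds_ctx`; that is presumably deliberate because `get_init_creds_common` has populated the context by then, but a short comment would make the asymmetry obvious.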
@@ -1461,7 +2616,11 @@ krb5_init_creds_set_service(krb5_context context,
ret = krb5_parse_name (context, service, &principal);
if (ret)
return ret;
- krb5_principal_set_realm (context, principal, client_realm);
+ ret = krb5_principal_set_realm (context, principal, client_realm);
+ if (ret) {
+ krb5_free_principal(context, principal);
+ return ret;
+ }
} else {
ret = krb5_make_principal(context, &principal,
client_realm, KRB5_TGS_NAME, client_realm,
@@ -1531,23 +2690,23 @@ keytab_key_proc(krb5_context context, krb5_enctype enctype,
krb5_keytab keytab = args->keytab;
krb5_principal principal = args->principal;
krb5_error_code ret;
- krb5_keytab real_keytab;
+ krb5_keytab real_keytab = NULL;
krb5_keytab_entry entry;
- if(keytab == NULL)
- krb5_kt_default(context, &real_keytab);
- else
- real_keytab = keytab;
+ if (keytab == NULL) {
+ ret = krb5_kt_default(context, &real_keytab);
+ if (ret)
+ return ret;
+ keytab = real_keytab;
+ }
- ret = krb5_kt_get_entry (context, real_keytab, principal,
- 0, enctype, &entry);
+ ret = krb5_kt_get_entry (context, keytab, principal, 0, enctype, &entry);
if (ret == 0) {
ret = krb5_copy_keyblock(context, &entry.keyblock, key);
krb5_kt_free_entry(context, &entry);
}
- if (keytab == NULL)
- krb5_kt_close (context, real_keytab);
+ krb5_kt_close(context, real_keytab);
return ret;
}
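Review bot: `krb5_kt_close(context, real_keytab)` is now reached unconditionally, and `real_keytab` stays NULL whenever the caller supplied a keytab; unless `krb5_kt_close` tolerates a NULL id (I cannot confirm that from this hunk) the common path dereferences NULL. Guard it as `if (real_keytab != NULL) krb5_kt_close(context, real_keytab);`, which also states the ownership rule plainly: only the keytab this function opened is closed here.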
@@ -1575,6 +2734,7 @@ krb5_init_creds_set_keytab(krb5_context context,
krb5_error_code ret;
size_t netypes = 0;
int kvno = 0, found = 0;
+ unsigned n;
a = malloc(sizeof(*a));
if (a == NULL)
@@ -1621,6 +2781,19 @@ krb5_init_creds_set_keytab(krb5_context context,
if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0)
goto next;
+ /*
+ * If user already provided a enctype list, use that as an
+ * additonal filter.
+ */
+ if (ctx->etypes) {
+ for (n = 0; ctx->etypes[n] != KRB5_ENCTYPE_NULL; n++) {
+ if (ctx->etypes[n] == entry.keyblock.keytype)
+ break;
+ }
+ if (ctx->etypes[n] == KRB5_ENCTYPE_NULL)
+ goto next;
+ }
+
/* add enctype to supported list */
ptr = realloc(etypes, sizeof(etypes[0]) * (netypes + 2));
if (ptr == NULL) {
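Review bot: The new comment reads `a enctype list` and `additonal`; make it `If the user already provided an enctype list, use that as an additional filter.` It is also worth saying in the same comment that the post-loop test `ctx->etypes[n] == KRB5_ENCTYPE_NULL` relies on the list being terminated by `KRB5_ENCTYPE_NULL`, since that is the only thing that makes the "not found" check well-defined.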
@@ -1681,9 +2854,42 @@ krb5_init_creds_set_fast_ccache(krb5_context context,
{
ctx->fast_state.armor_ccache = fast_ccache;
ctx->fast_state.flags |= KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags |= KRB5_FAST_KDC_VERIFIED;
return 0;
}
+static krb5_error_code
+validate_pkinit_fx(krb5_context context,
+ krb5_init_creds_context ctx,
+ AS_REP *rep,
+ krb5_keyblock *ticket_sessionkey)
+{
+ PA_DATA *pa = NULL;
+ int idx = 0;
+
+ if (rep->padata)
+ pa = krb5_find_padata(rep->padata->val, rep->padata->len, KRB5_PADATA_PKINIT_KX, &idx);
+
+ if (pa == NULL) {
+ if (ctx->flags.request_anonymous && ctx->pk_init_ctx) {
+ /* XXX handle the case where pkinit is not used */
+ krb5_set_error_message(context, KRB5_KDCREP_MODIFIED,
+ N_("Requested anonymous with PKINIT and KDC didn't set PKINIT_KX", ""));
+ return KRB5_KDCREP_MODIFIED;
+ }
+
+ return 0;
+ }
+
+ heim_assert(ctx->fast_state.reply_key != NULL, "must have a reply key at this stage");
+
+ return _krb5_pk_kx_confirm(context,
+ ctx->pk_init_ctx,
+ ctx->fast_state.reply_key,
+ ticket_sessionkey,
+ pa);
+}
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_creds_set_fast_ap_armor_service(krb5_context context,
krb5_init_creds_context ctx,
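Review bot: `validate_pkinit_fx` drops the `ctx->pk_init_ctx` guard that the removed code in `krb5_init_creds_step` had: when the AS-REP carries PA-PKINIT-KX but PKINIT was not used, it now asserts on `reply_key` and calls `_krb5_pk_kx_confirm` with a NULL `pk_init_ctx`. The KDC chooses which padata appear in its reply, so that input should not be able to reach an assert or a NULL context; add `if (ctx->pk_init_ctx == NULL) return 0;` after the `pa == NULL` block, or fold it into that block's condition. The removed code also set `KRB5_INIT_CREDS_PKINIT_KX_VALID` on success and attached a "Failed to confirm PA-PKINIT-KX" message on failure; this helper does neither, so unless both are handled elsewhere callers lose them.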
@@ -1700,503 +2906,92 @@ krb5_init_creds_set_fast_ap_armor_service(krb5_context context,
} else {
ctx->fast_state.armor_service = NULL;
}
- ctx->fast_state.flags |= KRB5_FAST_REQUIRED | KRB5_FAST_AP_ARMOR_SERVICE;
+ ctx->fast_state.flags |= KRB5_FAST_AP_ARMOR_SERVICE;
return 0;
}
-/*
- * FAST
- */
-
-static krb5_error_code
-check_fast(krb5_context context, struct fast_state *state)
-{
- if (state->flags & KRB5_FAST_EXPECTED) {
- krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
- "Expected FAST, but no FAST "
- "was in the response from the KDC");
- return KRB5KRB_AP_ERR_MODIFIED;
- }
- return 0;
-}
-
-
-static krb5_error_code
-fast_unwrap_as_rep(krb5_context context, int32_t nonce,
- krb5_data *chksumdata,
- struct fast_state *state, AS_REP *rep)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_set_fast_anon_pkinit(krb5_context context,
+ krb5_init_creds_context ctx)
{
- PA_FX_FAST_REPLY fxfastrep;
- KrbFastResponse fastrep;
- krb5_error_code ret;
- PA_DATA *pa = NULL;
- int idx = 0;
-
- if (state->armor_crypto == NULL || rep->padata == NULL)
- return check_fast(context, state);
-
- /* find PA_FX_FAST_REPLY */
-
- pa = krb5_find_padata(rep->padata->val, rep->padata->len,
- KRB5_PADATA_FX_FAST, &idx);
- if (pa == NULL)
- return check_fast(context, state);
-
- memset(&fxfastrep, 0, sizeof(fxfastrep));
- memset(&fastrep, 0, sizeof(fastrep));
-
- ret = decode_PA_FX_FAST_REPLY(pa->padata_value.data, pa->padata_value.length, &fxfastrep, NULL);
- if (ret)
- return ret;
-
- if (fxfastrep.element == choice_PA_FX_FAST_REPLY_armored_data) {
- krb5_data data;
- ret = krb5_decrypt_EncryptedData(context,
- state->armor_crypto,
- KRB5_KU_FAST_REP,
- &fxfastrep.u.armored_data.enc_fast_rep,
- &data);
- if (ret)
- goto out;
-
- ret = decode_KrbFastResponse(data.data, data.length, &fastrep, NULL);
- krb5_data_free(&data);
- if (ret)
- goto out;
-
- } else {
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- goto out;
- }
-
- free_METHOD_DATA(rep->padata);
- ret = copy_METHOD_DATA(&fastrep.padata, rep->padata);
- if (ret)
- goto out;
-
- if (fastrep.strengthen_key) {
- if (state->strengthen_key)
- krb5_free_keyblock(context, state->strengthen_key);
-
- ret = krb5_copy_keyblock(context, fastrep.strengthen_key, &state->strengthen_key);
- if (ret)
- goto out;
- }
-
- if (nonce != fastrep.nonce) {
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- goto out;
- }
- if (fastrep.finished) {
- PrincipalName cname;
- krb5_realm crealm = NULL;
+ if (ctx->fast_state.armor_ccache)
+ return EINVAL;
- if (chksumdata == NULL) {
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- goto out;
- }
-
- ret = krb5_verify_checksum(context, state->armor_crypto,
- KRB5_KU_FAST_FINISHED,
- chksumdata->data, chksumdata->length,
- &fastrep.finished->ticket_checksum);
- if (ret)
- goto out;
-
- /* update */
- ret = copy_Realm(&fastrep.finished->crealm, &crealm);
- if (ret)
- goto out;
- free_Realm(&rep->crealm);
- rep->crealm = crealm;
-
- ret = copy_PrincipalName(&fastrep.finished->cname, &cname);
- if (ret)
- goto out;
- free_PrincipalName(&rep->cname);
- rep->cname = cname;
-
-#if 0 /* store authenticated checksum as kdc-offset */
- fastrep->finished.timestamp;
- fastrep->finished.usec = 0;
-#endif
-
- } else if (chksumdata) {
- /* expected fastrep.finish but didn't get it */
- ret = KRB5KDC_ERR_PREAUTH_FAILED;
- }
-
- out:
- free_PA_FX_FAST_REPLY(&fxfastrep);
-
- return ret;
+ ctx->fast_state.flags |= KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags |= KRB5_FAST_ANON_PKINIT_ARMOR;
+ return 0;
}
-static krb5_error_code
-fast_unwrap_error(krb5_context context, struct fast_state *state, KRB_ERROR *error)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_init_creds_set_fast_anon_pkinit_optimistic(krb5_context context,
+ krb5_init_creds_context ctx)
{
- if (state->armor_crypto == NULL)
- return check_fast(context, state);
+ if (ctx->fast_state.armor_ccache)
+ return EINVAL;
+ ctx->fast_state.flags |= KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags |= KRB5_FAST_ANON_PKINIT_ARMOR;
+ ctx->fast_state.flags |= KRB5_FAST_OPTIMISTIC;
return 0;
}
-krb5_error_code
-_krb5_make_fast_ap_fxarmor(krb5_context context,
- krb5_ccache armor_ccache,
- krb5_data *armor_value,
- krb5_keyblock *armor_key,
- krb5_crypto *armor_crypto)
-{
- krb5_auth_context auth_context = NULL;
- krb5_creds cred, *credp = NULL;
- krb5_error_code ret;
- krb5_data empty;
-
- krb5_data_zero(&empty);
-
- memset(&cred, 0, sizeof(cred));
-
- ret = krb5_auth_con_init (context, &auth_context);
- if (ret)
- goto out;
-
- ret = krb5_cc_get_principal(context, armor_ccache, &cred.client);
- if (ret)
- goto out;
-
- ret = krb5_make_principal(context, &cred.server,
- cred.client->realm,
- KRB5_TGS_NAME,
- cred.client->realm,
- NULL);
- if (ret) {
- krb5_free_principal(context, cred.client);
- goto out;
- }
-
- ret = krb5_get_credentials(context, 0, armor_ccache, &cred, &credp);
- krb5_free_principal(context, cred.server);
- krb5_free_principal(context, cred.client);
- if (ret)
- goto out;
-
- ret = krb5_auth_con_add_AuthorizationData(context, auth_context, KRB5_PADATA_FX_FAST_ARMOR, &empty);
- if (ret)
- goto out;
-
- ret = krb5_mk_req_extended(context,
- &auth_context,
- AP_OPTS_USE_SUBKEY,
- NULL,
- credp,
- armor_value);
- krb5_free_creds(context, credp);
- if (ret)
- goto out;
-
- ret = _krb5_fast_armor_key(context,
- auth_context->local_subkey,
- auth_context->keyblock,
- armor_key,
- armor_crypto);
- if (ret)
- goto out;
-
- out:
- krb5_auth_con_free(context, auth_context);
- return ret;
-}
-
-#ifndef WIN32
-static heim_base_once_t armor_service_once = HEIM_BASE_ONCE_INIT;
-static heim_ipc armor_service = NULL;
-
-static void
-fast_armor_init_ipc(void *ctx)
+static size_t
+available_padata_count(METHOD_DATA *md)
{
- heim_ipc *ipc = ctx;
- heim_ipc_init_context("ANY:org.h5l.armor-service", ipc);
-}
-#endif /* WIN32 */
-
-
-static krb5_error_code
-make_fast_ap_fxarmor(krb5_context context,
- struct fast_state *state,
- const char *realm,
- KrbFastArmor **armor)
-{
- KrbFastArmor *fxarmor = NULL;
- krb5_error_code ret;
-
- if (state->armor_crypto)
- krb5_crypto_destroy(context, state->armor_crypto);
- krb5_free_keyblock_contents(context, &state->armor_key);
-
-
- ALLOC(fxarmor, 1);
- if (fxarmor == NULL)
- return krb5_enomem(context);
-
- if (state->flags & KRB5_FAST_AP_ARMOR_SERVICE) {
-#ifdef WIN32
- krb5_set_error_message(context, ENOTSUP, "Fast armor IPC service not supportted yet on Windows");
- ret = ENOTSUP;
- goto out;
-#else /* WIN32 */
- KERB_ARMOR_SERVICE_REPLY msg;
- krb5_data request, reply;
-
- heim_base_once_f(&armor_service_once, &armor_service, fast_armor_init_ipc);
- if (armor_service == NULL) {
- krb5_set_error_message(context, ENOENT, "Failed to open fast armor service");
- ret = ENOENT;
- goto out;
- }
-
- krb5_data_zero(&reply);
+ size_t i, count = 0;
- request.data = rk_UNCONST(realm);
- request.length = strlen(realm);
+ for (i = 0; i < md->len; i++) {
+ PA_DATA *pa = &md->val[i];
- ret = heim_ipc_call(armor_service, &request, &reply, NULL);
- heim_release(send);
- if (ret) {
- krb5_set_error_message(context, ret, "Failed to get armor service credential");
- goto out;
- }
-
- ret = decode_KERB_ARMOR_SERVICE_REPLY(reply.data, reply.length, &msg, NULL);
- krb5_data_free(&reply);
- if (ret)
- goto out;
-
- ret = copy_KrbFastArmor(fxarmor, &msg.armor);
- if (ret) {
- free_KERB_ARMOR_SERVICE_REPLY(&msg);
- goto out;
- }
-
- ret = krb5_copy_keyblock_contents(context, &msg.armor_key, &state->armor_key);
- free_KERB_ARMOR_SERVICE_REPLY(&msg);
- if (ret)
- goto out;
-
- ret = krb5_crypto_init(context, &state->armor_key, 0, &state->armor_crypto);
- if (ret)
- goto out;
-#endif /* WIN32 */
- } else {
-
- fxarmor->armor_type = 1;
+ if (pa->padata_type == KRB5_PADATA_FX_COOKIE ||
+ pa->padata_type == KRB5_PADATA_FX_ERROR)
+ continue;
- ret = _krb5_make_fast_ap_fxarmor(context,
- state->armor_ccache,
- &fxarmor->armor_value,
- &state->armor_key,
- &state->armor_crypto);
- if (ret)
- goto out;
+ count++;
}
-
- *armor = fxarmor;
- fxarmor = NULL;
- out:
- if (fxarmor) {
- free_KrbFastArmor(fxarmor);
- free(fxarmor);
- }
- return ret;
+ return count;
}
static krb5_error_code
-fast_wrap_req(krb5_context context, struct fast_state *state, KDC_REQ *req)
-{
- KrbFastArmor *fxarmor = NULL;
- PA_FX_FAST_REQUEST fxreq;
- krb5_error_code ret;
- KrbFastReq fastreq;
- krb5_data data;
- size_t size;
-
- if (state->flags & KRB5_FAST_DISABLED) {
- _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping");
- return 0;
- }
-
- memset(&fxreq, 0, sizeof(fxreq));
- memset(&fastreq, 0, sizeof(fastreq));
- krb5_data_zero(&data);
-
- if (state->armor_crypto == NULL) {
- if (state->armor_ccache) {
- /*
- * Instead of keeping state in FX_COOKIE in the KDC, we
- * rebuild a new armor key for every request, because this
- * is what the MIT KDC expect and RFC6113 is vage about
- * what the behavior should be.
- */
- state->type = choice_PA_FX_FAST_REQUEST_armored_data;
- } else {
- return check_fast(context, state);
- }
- }
-
- state->flags |= KRB5_FAST_EXPECTED;
-
- fastreq.fast_options.hide_client_names = 1;
-
- ret = copy_KDC_REQ_BODY(&req->req_body, &fastreq.req_body);
- free_KDC_REQ_BODY(&req->req_body);
-
- req->req_body.realm = strdup(KRB5_ANON_REALM);
- if ((ALLOC(req->req_body.cname, 1)) != NULL) {
- req->req_body.cname->name_type = KRB5_NT_WELLKNOWN;
- if ((ALLOC(req->req_body.cname->name_string.val, 2)) != NULL) {
- req->req_body.cname->name_string.len = 2;
- req->req_body.cname->name_string.val[0] = strdup(KRB5_WELLKNOWN_NAME);
- req->req_body.cname->name_string.val[1] = strdup(KRB5_ANON_NAME);
- if (req->req_body.cname->name_string.val[0] == NULL ||
- req->req_body.cname->name_string.val[1] == NULL)
- ret = krb5_enomem(context);
- } else
- ret = krb5_enomem(context);
- } else
- ret = krb5_enomem(context);
- if ((ALLOC(req->req_body.till, 1)) != NULL)
- *req->req_body.till = 0;
- else
- ret = krb5_enomem(context);
- if (ret)
- goto out;
-
- if (req->padata) {
- ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
- free_METHOD_DATA(req->padata);
- } else {
- if ((ALLOC(req->padata, 1)) == NULL)
- ret = krb5_enomem(context);
- }
- if (ret)
- goto out;
-
- ASN1_MALLOC_ENCODE(KrbFastReq, data.data, data.length, &fastreq, &size, ret);
- if (ret)
- goto out;
- heim_assert(data.length == size, "ASN.1 internal error");
-
- fxreq.element = state->type;
-
- if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
- size_t len;
- void *buf;
-
- ret = make_fast_ap_fxarmor(context, state, fastreq.req_body.realm, &fxreq.u.armored_data.armor);
- if (ret)
- goto out;
-
- heim_assert(state->armor_crypto != NULL, "FAST armor key missing when FAST started");
-
- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, len, &req->req_body, &size, ret);
- if (ret)
- goto out;
- heim_assert(len == size, "ASN.1 internal error");
-
- ret = krb5_create_checksum(context, state->armor_crypto,
- KRB5_KU_FAST_REQ_CHKSUM, 0,
- buf, len,
- &fxreq.u.armored_data.req_checksum);
- free(buf);
- if (ret)
- goto out;
-
- ret = krb5_encrypt_EncryptedData(context, state->armor_crypto,
- KRB5_KU_FAST_ENC,
- data.data,
- data.length,
- 0,
- &fxreq.u.armored_data.enc_fast_req);
- krb5_data_free(&data);
- if (ret)
- goto out;
-
- } else {
- krb5_data_free(&data);
- heim_assert(false, "unknown FAST type, internal error");
- }
-
- ASN1_MALLOC_ENCODE(PA_FX_FAST_REQUEST, data.data, data.length, &fxreq, &size, ret);
- if (ret)
- goto out;
- heim_assert(data.length == size, "ASN.1 internal error");
-
-
- ret = krb5_padata_add(context, req->padata, KRB5_PADATA_FX_FAST, data.data, data.length);
- if (ret)
- goto out;
- krb5_data_zero(&data);
-
- out:
- free_PA_FX_FAST_REQUEST(&fxreq);
- free_KrbFastReq(&fastreq);
- if (fxarmor) {
- free_KrbFastArmor(fxarmor);
- free(fxarmor);
- }
- krb5_data_free(&data);
-
- return ret;
-}
-
-
-/**
- * The core loop if krb5_get_init_creds() function family. Create the
- * packets and have the caller send them off to the KDC.
- *
- * If the caller want all work been done for them, use
- * krb5_init_creds_get() instead.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param in input data from KDC, first round it should be reset by krb5_data_zer().
- * @param out reply to KDC.
- * @param hostinfo KDC address info, first round it can be NULL.
- * @param flags status of the round, if
- * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
- *
- * @return 0 for success, or an Kerberos 5 error code, see
- * krb5_get_error_message().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_step(krb5_context context,
- krb5_init_creds_context ctx,
- krb5_data *in,
- krb5_data *out,
- krb5_krbhst_info *hostinfo,
- unsigned int *flags)
+init_creds_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ const krb5_data *in,
+ krb5_data *out,
+ krb5_realm *out_realm,
+ unsigned int *flags)
{
+ struct timeval start_time, end_time;
+ krb5_data checksum_data;
krb5_error_code ret;
size_t len = 0;
size_t size;
AS_REQ req2;
+ gettimeofday(&start_time, NULL);
+
krb5_data_zero(out);
+ *out_realm = NULL;
+ krb5_data_zero(&checksum_data);
if (ctx->as_req.req_body.cname == NULL) {
ret = init_as_req(context, ctx->flags, &ctx->cred,
ctx->addrs, ctx->etypes, &ctx->as_req);
- if (ret) {
- free_init_creds_ctx(context, ctx);
+ if (ret)
return ret;
- }
+ if (ctx->fast_state.flags & KRB5_FAST_REQUIRED)
+ ;
+ else if (ctx->fast_state.flags & KRB5_FAST_AP_ARMOR_SERVICE)
+ /* Check with armor service if there is FAST */;
+ else
+ ctx->fast_state.flags |= KRB5_FAST_DISABLED;
+
+
+ /* XXX should happen after we get back reply from KDC */
+ pa_configure(context, ctx, NULL);
}
-#define MAX_PA_COUNTER 10
+#define MAX_PA_COUNTER 15
if (ctx->pa_counter > MAX_PA_COUNTER) {
krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
N_("Looping %d times while getting "
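Review bot: The FAST mode selection at the top of `init_creds_step` is an if/else-if chain whose first two branches are empty statements (`;` and a comment followed by `;`), which reads as an accident and is easy to break on the next edit; one test says the same thing: `if ((ctx->fast_state.flags & (KRB5_FAST_REQUIRED | KRB5_FAST_AP_ARMOR_SERVICE)) == 0) ctx->fast_state.flags |= KRB5_FAST_DISABLED;` with the armor-service TODO kept as a comment above it. `_krb5_init_creds_set_fast_anon_pkinit_optimistic` repeats the body of `krb5_init_creds_set_fast_anon_pkinit` and adds one flag; calling the public function and then OR-ing in `KRB5_FAST_OPTIMISTIC` keeps the `armor_ccache` check in one place. Dropping `KRB5_FAST_REQUIRED` from `krb5_init_creds_set_fast_ap_armor_service` means a caller that asked for armor-service FAST no longer has the reply required to be FAST-wrapped unless the armor-service path sets that flag later; if that is intended it deserves a comment, since it decides whether a stripped reply is accepted. `init_creds_step` continues past the end of this hunk.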
@@ -2230,8 +3025,8 @@ krb5_init_creds_step(krb5_context context,
goto out;
heim_assert(data.length == size, "ASN.1 internal error");
- ret = fast_unwrap_as_rep(context, ctx->nonce, &data,
- &ctx->fast_state, &rep.kdc_rep);
+ ret = _krb5_fast_unwrap_kdc_rep(context, ctx->nonce, &data,
+ &ctx->fast_state, &rep.kdc_rep);
krb5_data_free(&data);
if (ret)
goto out;
@@ -2251,12 +3046,35 @@ krb5_init_creds_step(krb5_context context,
ret = process_pa_data_to_key(context, ctx, &ctx->cred,
&ctx->as_req, &rep.kdc_rep,
- hostinfo, &ctx->fast_state.reply_key);
+ &ctx->fast_state.reply_key);
if (ret) {
free_AS_REP(&rep.kdc_rep);
goto out;
}
+ if (ctx->fast_state.strengthen_key) {
+ krb5_keyblock result;
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: FAST strengthen_key");
+
+ ret = _krb5_fast_cf2(context,
+ ctx->fast_state.strengthen_key,
+ "strengthenkey",
+ ctx->fast_state.reply_key,
+ "replykey",
+ &result,
+ NULL);
+ if (ret) {
+ free_AS_REP(&rep.kdc_rep);
+ goto out;
+ }
+
+ ctx->runflags.allow_save_as_reply_key = 1;
+
+ krb5_free_keyblock_contents(context, ctx->fast_state.reply_key);
+ *ctx->fast_state.reply_key = result;
+ }
+
_krb5_debug(context, 5, "krb5_get_init_creds: extracting ticket");
ret = _krb5_extract_ticket(context,
@@ -2271,42 +3089,40 @@ krb5_init_creds_step(krb5_context context,
&ctx->req_buffer,
NULL,
NULL);
- if (ret == 0 && ctx->pk_init_ctx) {
- PA_DATA *pa_pkinit_kx;
- int idx = 0;
-
- pa_pkinit_kx =
- krb5_find_padata(rep.kdc_rep.padata->val,
- rep.kdc_rep.padata->len,
- KRB5_PADATA_PKINIT_KX,
- &idx);
-
- ret = _krb5_pk_kx_confirm(context, ctx->pk_init_ctx,
- ctx->fast_state.reply_key,
- &ctx->cred.session,
- pa_pkinit_kx);
- if (ret)
- krb5_set_error_message(context, ret,
- N_("Failed to confirm PA-PKINIT-KX", ""));
- else if (pa_pkinit_kx != NULL)
- ctx->ic_flags |= KRB5_INIT_CREDS_PKINIT_KX_VALID;
- }
+
if (ret == 0)
ret = copy_EncKDCRepPart(&rep.enc_part, &ctx->enc_part);
+ if (ret == 0)
+ ret = validate_pkinit_fx(context, ctx, &rep.kdc_rep, &ctx->cred.session);
- krb5_free_keyblock(context, ctx->fast_state.reply_key);
- ctx->fast_state.reply_key = NULL;
+ ctx->as_enctype = ctx->fast_state.reply_key->keytype;
+
+ if (ctx->runflags.allow_save_as_reply_key) {
+ ctx->as_reply_key = ctx->fast_state.reply_key;
+ ctx->fast_state.reply_key = NULL;
+ } else {
+ krb5_free_keyblock(context, ctx->fast_state.reply_key);
+ ctx->fast_state.reply_key = NULL;
+ }
+ ctx->ic_flags |= KRB5_INIT_CREDS_DONE;
*flags = 0;
free_AS_REP(&rep.kdc_rep);
free_EncASRepPart(&rep.enc_part);
+ gettimeofday(&end_time, NULL);
+ timevalsub(&end_time, &start_time);
+ timevaladd(&ctx->stats.run_time, &end_time);
+
+ _krb5_debug(context, 1, "krb5_get_init_creds: wc: %lld.%06ld",
+ (long long)ctx->stats.run_time.tv_sec,
+ (long)ctx->stats.run_time.tv_usec);
return ret;
} else {
/* let's try to parse it as a KRB-ERROR */
- _krb5_debug(context, 5, "krb5_get_init_creds: got an error");
+ _krb5_debug(context, 5, "krb5_get_init_creds: got an KRB-ERROR from KDC");
free_KRB_ERROR(&ctx->error);
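Review bot: `ctx->ic_flags |= KRB5_INIT_CREDS_DONE` is set even when `copy_EncKDCRepPart` or `validate_pkinit_fx` returned an error a few lines above, so a reply that failed PKINIT-KX confirmation still marks the context as done; guard it with `if (ret == 0)` unless the caller is known to discard the context on any error. The removed block attached `N_("Failed to confirm PA-PKINIT-KX", "")` to the error and set `KRB5_INIT_CREDS_PKINIT_KX_VALID` on success; `validate_pkinit_fx` does neither, so the caller now sees a bare code from `_krb5_pk_kx_confirm` unless that function sets a message itself. `ctx->as_enctype = ctx->fast_state.reply_key->keytype` relies on `reply_key` being non-NULL here, which holds once `process_pa_data_to_key` succeeded but is worth a one-line comment. The enclosing `init_creds_step` starts and ends outside this hunk.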
@@ -2319,9 +3135,39 @@ krb5_init_creds_step(krb5_context context,
}
/*
- * Unwrap KRB-ERROR
+ * Unwrap method-data, if there is any,
+ * fast_unwrap_error() below might replace it with a
+ * wrapped version if we are using FAST.
+ */
+
+ free_METHOD_DATA(&ctx->md);
+ memset(&ctx->md, 0, sizeof(ctx->md));
+
+ if (ctx->error.e_data) {
+ krb5_error_code ret2;
+
+ ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
+ ctx->error.e_data->length,
+ &ctx->md,
+ NULL);
+ if (ret2) {
+ /*
+ * Just ignore any error, the error will be pushed
+ * out from krb5_error_from_rd_error() if there
+ * was one.
+ */
+ _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+ }
+ }
+
+ /*
+ * Unwrap KRB-ERROR, we are always calling this so that
+ * FAST can tell us if your peer KDC suddenly dropped FAST
+ * wrapping and its really an attacker's packet (or a bug
+ * in the KDC).
*/
- ret = fast_unwrap_error(context, &ctx->fast_state, &ctx->error);
+ ret = _krb5_fast_unwrap_error(context, ctx->nonce, &ctx->fast_state,
+ &ctx->md, &ctx->error);
if (ret)
goto out;
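Review bot: The new comment says `fast_unwrap_error() below might replace it with a wrapped version`, but the function called below is `_krb5_fast_unwrap_error`; rename it in the comment so a reader grepping for it finds the call. The second comment's `if your peer KDC` should be `if the peer KDC`. The decode failure is logged as `_krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""))`; `N_()` is a translation marker rather than a format, so a plain string literal is clearer there, and `ctx->md` is left in whatever state `decode_METHOD_DATA` leaves on failure, which is fine only if the generated decoder frees partial output, something I cannot confirm from this hunk. The enclosing function continues outside the hunk.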
@@ -2331,30 +3177,36 @@ krb5_init_creds_step(krb5_context context,
ret = krb5_error_from_rd_error(context, &ctx->error, &ctx->cred);
- _krb5_debug(context, 5, "krb5_get_init_creds: KRB-ERROR %d", ret);
+ /* log the failure */
+ if (_krb5_have_debug(context, 5)) {
+ const char *str = krb5_get_error_message(context, ret);
+ _krb5_debug(context, 5, "krb5_get_init_creds: KRB-ERROR %d/%s", ret, str);
+ krb5_free_error_message(context, str);
+ }
/*
- * If no preauth was set and KDC requires it, give it one
- * more try.
+ * Handle special error codes
*/
- if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED) {
-
- free_METHOD_DATA(&ctx->md);
- memset_s(&ctx->md, sizeof(ctx->md), 0, sizeof(ctx->md));
+ if (ret == KRB5KDC_ERR_PREAUTH_REQUIRED
+ || ret == KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
+ || ret == KRB5KDC_ERR_ETYPE_NOSUPP)
+ {
+ /*
+ * If no preauth was set and KDC requires it, give it one
+ * more try.
+ *
+ * If the KDC returned KRB5KDC_ERR_ETYPE_NOSUPP, just loop
+ * one more time since that might mean we are dealing with
+ * a Windows KDC that is confused about what enctypes are
+ * available.
+ */
- if (ctx->error.e_data) {
- ret = decode_METHOD_DATA(ctx->error.e_data->data,
- ctx->error.e_data->length,
- &ctx->md,
- NULL);
- if (ret)
- krb5_set_error_message(context, ret,
- N_("Failed to decode METHOD-DATA", ""));
- } else {
+ if (available_padata_count(&ctx->md) == 0) {
krb5_set_error_message(context, ret,
N_("Preauth required but no preauth "
"options send by KDC", ""));
+ goto out;
}
} else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) {
/*
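Review bot: The `available_padata_count(&ctx->md) == 0` branch now also covers `KRB5KDC_ERR_ETYPE_NOSUPP`, but the message it sets is `Preauth required but no preauth options send by KDC`, which misdescribes an enctype rejection; choose the text by `ret`, e.g. for ETYPE_NOSUPP `N_("KDC rejected the offered enctypes and sent no ETYPE-INFO to retry with", "")`. Independently, `send` should be `sent` in the existing message. `krb5_get_error_message` is correctly called only inside the `_krb5_have_debug` check and freed on that path, since it allocates. The enclosing function continues outside the hunk.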
@@ -2365,22 +3217,49 @@ krb5_init_creds_step(krb5_context context,
if (context->kdc_sec_offset)
ret = 0;
- _krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d",
+ _krb5_debug(context, 10, "init_creds: err skew updating kdc offset to %d",
context->kdc_sec_offset);
+ if (ret)
+ goto out;
- ctx->used_pa_types = 0;
+ pa_restart(context, ctx);
} else if (ret == KRB5_KDC_ERR_WRONG_REALM && ctx->flags.canonicalize) {
- /* client referal to a new realm */
+ /* client referral to a new realm */
+ char *ref_realm;
if (ctx->error.crealm == NULL) {
krb5_set_error_message(context, ret,
N_("Got a client referral, not but no realm", ""));
goto out;
}
- _krb5_debug(context, 5,
- "krb5_get_init_creds: got referal to realm %s",
- *ctx->error.crealm);
+ ref_realm = *ctx->error.crealm;
+
+ _krb5_debug(context, 5, "krb5_get_init_creds: referral to realm %s",
+ ref_realm);
+
+ /*
+ * If its a krbtgt, lets updat the requested krbtgt too
+ */
+ if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
+
+ free(ctx->cred.server->name.name_string.val[1]);
+ ctx->cred.server->name.name_string.val[1] = strdup(ref_realm);
+ if (ctx->cred.server->name.name_string.val[1] == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ free_PrincipalName(ctx->as_req.req_body.sname);
+ ret = _krb5_principal2principalname(ctx->as_req.req_body.sname, ctx->cred.server);
+ if (ret)
+ goto out;
+ }
+
+ free(ctx->as_req.req_body.realm);
+ ret = copy_Realm(&ref_realm, &ctx->as_req.req_body.realm);
+ if (ret)
+ goto out;
ret = krb5_principal_set_realm(context,
ctx->cred.client,
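Review bot: In the referral branch `free(ctx->as_req.req_body.realm)` is immediately followed by `copy_Realm(&ref_realm, &ctx->as_req.req_body.realm)`, and if the copy fails the code jumps to `out` with `req_body.realm` still pointing at freed memory; if `as_req` is later released with `free_AS_REQ` (outside this hunk) that is a double free. Clear the pointer right after freeing: `free(ctx->as_req.req_body.realm); ctx->as_req.req_body.realm = NULL;`. The `name_string.val[1]` free just above is safer only because the `strdup` result is assigned unconditionally, leaving the field NULL rather than dangling on failure. `init_creds_step` continues outside the hunk.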
@@ -2388,31 +3267,30 @@ krb5_init_creds_step(krb5_context context,
if (ret)
goto out;
- if (krb5_principal_is_krbtgt(context, ctx->cred.server)) {
- ret = krb5_init_creds_set_service(context, ctx, NULL);
- if (ret)
- goto out;
+ ret = krb5_unparse_name(context, ctx->cred.client, &ref_realm);
+ if (ret == 0) {
+ _krb5_debug(context, 5, "krb5_get_init_creds: got referral to %s", ref_realm);
+ krb5_xfree(ref_realm);
}
- free_AS_REQ(&ctx->as_req);
- memset_s(&ctx->as_req, sizeof(ctx->as_req), 0, sizeof(ctx->as_req));
+ pa_restart(context, ctx);
- ctx->used_pa_types = 0;
- } else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 && ctx->prompter) {
+ } else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 &&
+ ctx->runflags.change_password_prompt) {
char buf2[1024];
ctx->runflags.change_password = 1;
ctx->prompter(context, ctx->prompter_data, NULL, N_("Password has expired", ""), 0, NULL);
-
/* try to avoid recursion */
if (ctx->in_tkt_service != NULL && strcmp(ctx->in_tkt_service, "kadmin/changepw") == 0)
goto out;
- /* don't try to change password where then where none */
- if (ctx->prompter == NULL)
- goto out;
+ /* don't include prompter in runtime */
+ gettimeofday(&end_time, NULL);
+ timevalsub(&end_time, &start_time);
+ timevaladd(&ctx->stats.run_time, &end_time);
ret = change_password(context,
ctx->cred.client,
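Review bot: The condition at L21388-21389 replaces the `ctx->prompter == NULL` guard removed at L21398-21399 with `ctx->runflags.change_password_prompt`, yet L21392 still calls `ctx->prompter(...)` unconditionally; unless the code that sets `change_password_prompt` (outside this hunk) guarantees it is clear whenever no prompter is registered, a KDC-supplied KRB5KDC_ERR_KEY_EXP becomes a call through a NULL function pointer. It costs one term to make explicit: `} else if (ret == KRB5KDC_ERR_KEY_EXP && ctx->runflags.change_password == 0 && ctx->runflags.change_password_prompt && ctx->prompter) {`. The `kadmin/changepw` recursion check at L21395 also runs after the user has already been told the password expired; moving it ahead of the prompter call avoids a prompt that leads nowhere. The function body continues outside the hunk.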
@@ -2425,36 +3303,51 @@ krb5_init_creds_step(krb5_context context,
if (ret)
goto out;
+ gettimeofday(&start_time, NULL);
+
krb5_init_creds_set_password(context, ctx, buf2);
- ctx->used_pa_types = 0;
- ret = 0;
-
- } else if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
-
- if (ctx->fast_state.flags & KRB5_FAST_DISABLED)
- goto out;
- if (ctx->fast_state.flags & (KRB5_FAST_REQUIRED | KRB5_FAST_EXPECTED))
- goto out;
-
- _krb5_debug(context, 10, "preauth failed with FAST, "
- "and told by KD or user, trying w/o FAST");
-
- ctx->fast_state.flags |= KRB5_FAST_DISABLED;
- ctx->used_pa_types = 0;
- ret = 0;
- }
- if (ret)
- goto out;
- }
- }
+ pa_restart(context, ctx);
- if (ctx->as_req.req_body.cname == NULL) {
- ret = init_as_req(context, ctx->flags, &ctx->cred,
- ctx->addrs, ctx->etypes, &ctx->as_req);
- if (ret) {
- free_init_creds_ctx(context, ctx);
- return ret;
+ } else if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
+
+ /*
+ * Old MIT KDC can't handle KRB5_PADATA_REQ_ENC_PA_REP,
+ * so drop it and try again. But only try that for MIT
+ * Kerberos servers by keying of no METHOD-DATA.
+ */
+ if (ctx->runflags.allow_enc_pa_rep) {
+ if (ctx->md.len != 0) {
+ _krb5_debug(context, 10, "Server sent PA data with KRB-ERROR, "
+ "so not a pre 1.7 MIT KDC and won't retry w/o ENC-PA-REQ");
+ goto out;
+ }
+ _krb5_debug(context, 10, "Disabling allow_enc_pa_rep and trying again");
+ ctx->runflags.allow_enc_pa_rep = 0;
+ goto retry;
+ }
+
+ if (ctx->fast_state.flags & KRB5_FAST_DISABLED) {
+ _krb5_debug(context, 10, "FAST disabled and got preauth failed");
+ goto out;
+ }
+
+ retry:
+ pa_restart(context, ctx);
+
+ } else if (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC) {
+ _krb5_debug(context, 10,
+ "Some other error %d failed with optimistic FAST, trying w/o FAST", ret);
+
+ ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC;
+ ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR;
+ ctx->fast_state.flags |= KRB5_FAST_DISABLED;
+ pa_restart(context, ctx);
+ } else {
+ /* some other error code from the KDC, lets' return it to the user */
+ goto out;
+ }
}
}
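Review bot: A spoofed KRB-ERROR can weaken this exchange: the retry at L21447-21455 drops KRB5_PADATA_REQ_ENC_PA_REP whenever a KRB5KDC_ERR_PREAUTH_FAILED arrives with empty METHOD-DATA, and the branch at L21466-21474 disables FAST (including anonymous PKINIT armor) on any other error when FAST was optimistic. A KRB-ERROR is not integrity-protected unless FAST armor already covers it, so an on-path party can produce either error and have the client redo the exchange with fewer protections; the code accepts this for interoperability, but that should be stated where the downgrade happens, e.g. above L21447: `/* NOTE: KRB-ERROR is unauthenticated; a spoofed error can disable ENC-PA-REP here, accepted for pre-1.7 MIT interop */`. It may also be worth restricting the optimistic-FAST fallback to error codes that plausibly mean the KDC lacks FAST support rather than every `ret`, if callers can tolerate that. The enclosing function starts and ends outside this hunk.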
@@ -2464,22 +3357,37 @@ krb5_init_creds_step(krb5_context context,
ctx->as_req.padata = NULL;
}
+ ret = _krb5_fast_create_armor(context, &ctx->fast_state,
+ ctx->cred.client->realm);
+ if (ret)
+ goto out;
+
/* Set a new nonce. */
ctx->as_req.req_body.nonce = ctx->nonce;
- /* fill_in_md_data */
+
+ /*
+ * Step and announce PA-DATA
+ */
+
ret = process_pa_data_to_md(context, &ctx->cred, &ctx->as_req, ctx,
- &ctx->md, &ctx->as_req.padata,
- ctx->prompter, ctx->prompter_data);
+ &ctx->md, &ctx->as_req.padata);
if (ret)
goto out;
+
/*
* Wrap with FAST
*/
- copy_AS_REQ(&ctx->as_req, &req2);
+ ret = copy_AS_REQ(&ctx->as_req, &req2);
+ if (ret)
+ goto out;
- ret = fast_wrap_req(context, &ctx->fast_state, &req2);
+ ret = _krb5_fast_wrap_req(context,
+ &ctx->fast_state,
+ &req2);
+
+ krb5_data_free(&checksum_data);
if (ret) {
free_AS_REQ(&req2);
goto out;
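Review bot: `krb5_data_free(&checksum_data)` at L21516 is the only place this hunk touches `checksum_data`, and it is skipped by the `goto out` exits at L21487, L21502 and L21510; its declaration and any assignment are outside the hunk. If the buffer can hold data by this point, those early exits leak it and the free belongs under the `out:` label; if it is only ever zeroed, the line is dead and should go along with the variable. Checking the `copy_AS_REQ` return at L21508-21510 is correct, since a half-copied `req2` must not be handed to `_krb5_fast_wrap_req`. The enclosing function starts before this hunk.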
@@ -2496,17 +3404,87 @@ krb5_init_creds_step(krb5_context context,
if(len != ctx->req_buffer.length)
krb5_abortx(context, "internal error in ASN.1 encoder");
- out->data = ctx->req_buffer.data;
- out->length = ctx->req_buffer.length;
+ ret = krb5_data_copy(out,
+ ctx->req_buffer.data,
+ ctx->req_buffer.length);
+ if (ret)
+ goto out;
+
+ *out_realm = strdup(ctx->cred.client->realm);
+ if (*out_realm == NULL) {
+ krb5_data_free(out);
+ ret = ENOMEM;
+ goto out;
+ }
*flags = KRB5_INIT_CREDS_STEP_FLAG_CONTINUE;
+ gettimeofday(&end_time, NULL);
+ timevalsub(&end_time, &start_time);
+ timevaladd(&ctx->stats.run_time, &end_time);
+
return 0;
out:
return ret;
}
/**
+ * The core loop if krb5_get_init_creds() function family. Create the
+ * packets and have the caller send them off to the KDC.
+ *
+ * If the caller want all work been done for them, use
+ * krb5_init_creds_get() instead.
+ *
+ * @param context a Kerberos 5 context.
+ * @param ctx ctx krb5_init_creds_context context.
+ * @param in input data from KDC, first round it should be reset by krb5_data_zero().
+ * @param out reply to KDC. The caller needs to call krb5_data_free()
+ * @param out_realm the destination realm for 'out', free with krb5_xfree()
+ * @param flags status of the round, if
+ * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
+ *
+ * @return 0 for success, or an Kerberos 5 error code, see
+ * krb5_get_error_message().
+ *
+ * @ingroup krb5_credential
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_step(krb5_context context,
+ krb5_init_creds_context ctx,
+ const krb5_data *in,
+ krb5_data *out,
+ krb5_realm *out_realm,
+ unsigned int *flags)
+{
+ krb5_error_code ret;
+ krb5_data empty;
+
+ krb5_data_zero(&empty);
+ krb5_data_zero(out);
+ *out_realm = NULL;
+
+ if ((ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) &&
+ ctx->fast_state.armor_ccache == NULL) {
+ ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state,
+ in, out, out_realm, flags);
+ if (ret && (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)) {
+ _krb5_debug(context, 5, "Preauth failed with optimistic "
+ "FAST, trying w/o FAST");
+ ctx->fast_state.flags &= ~KRB5_FAST_OPTIMISTIC;
+ ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED;
+ ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR;
+ } else if (ret ||
+ (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
+ return ret;
+
+ in = &empty;
+ }
+
+ return init_creds_step(context, ctx, in, out, out_realm, flags);
+}
+
+/**
* Extract the newly acquired credentials from krb5_init_creds_context
* context.
*
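Review bot: In the optimistic-FAST fallback at L21586-21596, `_krb5_fast_anon_pkinit_step` has already been handed `out` and `out_realm`; if it can populate them before returning an error, `init_creds_step` then overwrites both through `krb5_data_copy` (L21525) and `strdup` (L21531) and the first allocations leak. Reset them before falling through: `krb5_data_free(out); free(*out_realm); *out_realm = NULL;`. Separately, L21534 sets `ret = ENOMEM` directly where every neighbouring allocation failure uses `krb5_enomem(context)`, so this path returns with no error message set; use `ret = krb5_enomem(context);`. The Doxygen at L21547 and L21550 reads `The core loop if` and `want all work been done`; `of` and `want all the work done for them` are meant.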
@@ -2526,6 +3504,47 @@ krb5_init_creds_get_creds(krb5_context context,
}
/**
+ * Extract the as-reply key from the context.
+ *
+ * Only allowed when the as-reply-key is not directly derived from the
+ * password like PK-INIT, GSS, FAST hardened key, etc.
+ *
+ * @param context A Kerberos 5 context.
+ * @param ctx ctx krb5_init_creds_context context.
+ * @param as_reply_key keyblock, free with krb5_free_keyblock_contents().
+ *
+ * @return 0 for sucess or An Kerberos error code, see krb5_get_error_message().
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_init_creds_get_as_reply_key(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_keyblock *as_reply_key)
+{
+ if (ctx->as_reply_key == NULL)
+ return KRB5KDC_ERR_PREAUTH_REQUIRED;
+ return krb5_copy_keyblock_contents(context, ctx->as_reply_key, as_reply_key);
+}
+
+KRB5_LIB_FUNCTION krb5_timestamp KRB5_LIB_CALL
+_krb5_init_creds_get_cred_starttime(krb5_context context, krb5_init_creds_context ctx)
+{
+ return ctx->cred.times.starttime;
+}
+
+KRB5_LIB_FUNCTION krb5_timestamp KRB5_LIB_CALL
+_krb5_init_creds_get_cred_endtime(krb5_context context, krb5_init_creds_context ctx)
+{
+ return ctx->cred.times.endtime;
+}
+
+KRB5_LIB_FUNCTION krb5_principal KRB5_LIB_CALL
+_krb5_init_creds_get_cred_client(krb5_context context, krb5_init_creds_context ctx)
+{
+ return ctx->cred.client;
+}
+
+/**
* Get the last error from the transaction.
*
* @return Returns 0 or an error code
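Review bot: The comment at L21611-21612 promises the as-reply key is only exposed when it is not derived from the password, but `krb5_init_creds_get_as_reply_key` itself only tests `ctx->as_reply_key == NULL`; whatever enforces that policy lives where `ctx->as_reply_key` is assigned, outside this hunk, and the comment should say so rather than imply the getter checks it, e.g. `/* Policy is enforced where ctx->as_reply_key is set; this getter only reports absence. */`. The three `_krb5_init_creds_get_cred_*` accessors return values owned by `ctx`; `_krb5_init_creds_get_cred_client` in particular hands out the live `ctx->cred.client` pointer, so a note such as `/* Returned principal is owned by ctx; do not free, invalid once the context is freed. */` would prevent a double free by a caller. Typos at L21618: `sucess` and `An Kerberos`.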
@@ -2548,6 +3567,47 @@ krb5_init_creds_get_error(krb5_context context,
}
/**
+ * Store config
+ *
+ * @param context A Kerberos 5 context.
+ * @param ctx The krb5_init_creds_context to free.
+ * @param id store
+ *
+ * @return Returns 0 or an error code
+ *
+ * @ingroup krb5_credential
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_init_creds_store_config(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_ccache id)
+{
+ krb5_error_code ret;
+
+ if (ctx->kdc_hostname) {
+ krb5_data data;
+ data.length = strlen(ctx->kdc_hostname);
+ data.data = ctx->kdc_hostname;
+
+ ret = krb5_cc_set_config(context, id, NULL, "lkdc-hostname", &data);
+ if (ret)
+ return ret;
+ }
+ if (ctx->sitename) {
+ krb5_data data;
+ data.length = strlen(ctx->sitename);
+ data.data = ctx->sitename;
+
+ ret = krb5_cc_set_config(context, id, NULL, "sitename", &data);
+ if (ret)
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
*
* @ingroup krb5_credential
*/
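Review bot: The definition at L21667-21668 is spelled `krb5_error_code KRB5_LIB_FUNCTION krb5_init_creds_store_config(` with no `KRB5_LIB_CALL`, unlike every other exported function in this file (`KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL` at L21567 and L21621); on builds where KRB5_LIB_CALL expands to a calling convention the definition will not match its header prototype. Use `KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL` here as well. The `@param ctx The krb5_init_creds_context to free.` at L21659 is copy-pasted from a free routine; `@param ctx The krb5_init_creds_context whose kdc_hostname and sitename are stored.` describes what the function does.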
@@ -2577,11 +3637,11 @@ krb5_init_creds_store(krb5_context context,
krb5_data data = { 3, rk_UNCONST("yes") };
ret = krb5_cc_set_config(context, id, ctx->cred.server,
"fast_avail", &data);
- if (ret)
+ if (ret && ret != KRB5_CC_NOSUPP)
return ret;
}
- return ret;
+ return 0;
}
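Review bot: The unconditional `return 0` at L21709 discards whatever `ret` held before the `fast_avail` block when that block is not entered; this is fine only if every earlier failure in `krb5_init_creds_store` already returned, which cannot be seen from the hunk because the function begins before it. If any earlier step leaves a non-zero `ret` and falls through, the store now reports success after a failed store. A safer shape keeps the variable authoritative: inside the branch `if (ret == KRB5_CC_NOSUPP) ret = 0;` and then `return ret;` at the end.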
/**
@@ -2614,7 +3674,6 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
{
krb5_sendto_ctx stctx = NULL;
- krb5_krbhst_info *hostinfo = NULL;
krb5_error_code ret;
krb5_data in, out;
unsigned int flags = 0;
@@ -2627,21 +3686,35 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
goto out;
krb5_sendto_ctx_set_func(stctx, _krb5_kdc_retry, NULL);
+ if (ctx->kdc_hostname)
+ krb5_sendto_set_hostname(context, stctx, ctx->kdc_hostname);
+ if (ctx->sitename)
+ krb5_sendto_set_sitename(context, stctx, ctx->sitename);
+
while (1) {
+ struct timeval nstart, nend;
+ krb5_realm realm = NULL;
+
flags = 0;
- ret = krb5_init_creds_step(context, ctx, &in, &out, hostinfo, &flags);
+ ret = krb5_init_creds_step(context, ctx, &in, &out, &realm, &flags);
krb5_data_free(&in);
if (ret)
goto out;
- if ((flags & 1) == 0)
+ if ((flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0)
break;
- ret = krb5_sendto_context (context, stctx, &out,
- ctx->cred.client->realm, &in);
+ gettimeofday(&nstart, NULL);
+
+ ret = krb5_sendto_context (context, stctx, &out, realm, &in);
+ krb5_data_free(&out);
+ free(realm);
if (ret)
goto out;
+ gettimeofday(&nend, NULL);
+ timevalsub(&nend, &nstart);
+ timevaladd(&ctx->stats.run_time, &nend);
}
out:
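Review bot: The return values of `krb5_sendto_set_hostname` (L21724) and `krb5_sendto_set_sitename` (L21726) are dropped; their signatures are not in the hunk, but if they can fail while copying the string the loop below silently sends to the default KDC set instead of the pinned host or site, which defeats the reason `kdc_hostname` exists. Check them like the other calls: `ret = krb5_sendto_set_hostname(context, stctx, ctx->kdc_hostname); if (ret) goto out;`. `realm` is released with `free()` at L21747 while the API comment for `krb5_init_creds_step` says to use `krb5_xfree()`; equivalent where krb5_xfree is free, but the two should agree. The loop is inside `krb5_init_creds_get`, which starts before the hunk.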
@@ -2734,14 +3807,10 @@ krb5_get_init_creds_password(krb5_context context,
if (in_tkt_service != NULL && strcmp(in_tkt_service, "kadmin/changepw") == 0)
goto out;
- /* don't try to change password where then where none */
- if (prompter == NULL)
+ /* don't try to change password if no prompter or prompting disabled */
+ if (!ctx->runflags.change_password_prompt)
goto out;
- if ((options->flags & KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT) &&
- !options->change_password_prompt)
- goto out;
-
ret = change_password (context,
client,
ctx->password,
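Review bot: The new comment at L21760 states the flag covers `no prompter or prompting disabled`, but L21761 checks only `ctx->runflags.change_password_prompt` and the old `prompter == NULL` test is gone; the claim holds only if the code that sets the flag (outside this hunk) clears it when `prompter` is NULL. Since `change_password` below receives the prompter, guarding explicitly is cheap: `if (!ctx->runflags.change_password_prompt || prompter == NULL)`. The enclosing function starts before the hunk.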
@@ -2875,3 +3944,71 @@ krb5_get_init_creds_keytab(krb5_context context,
return ret;
}
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+_krb5_init_creds_set_gss_mechanism(krb5_context context,
+ krb5_gss_init_ctx gssic,
+ const struct gss_OID_desc_struct *gss_mech)
+{
+ gssic->mech = gss_mech; /* OIDs are interned, so no copy required */
+}
+
+KRB5_LIB_FUNCTION const struct gss_OID_desc_struct * KRB5_LIB_CALL
+_krb5_init_creds_get_gss_mechanism(krb5_context context,
+ krb5_gss_init_ctx gssic)
+{
+ return gssic->mech;
+}
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+_krb5_init_creds_set_gss_cred(krb5_context context,
+ krb5_gss_init_ctx gssic,
+ struct gss_cred_id_t_desc_struct *gss_cred)
+{
+ if (gssic->cred != gss_cred && gssic->flags.release_cred)
+ gssic->release_cred(context, gssic, gssic->cred);
+
+ gssic->cred = gss_cred;
+ gssic->flags.release_cred = 1;
+}
+
+KRB5_LIB_FUNCTION const struct gss_cred_id_t_desc_struct * KRB5_LIB_CALL
+_krb5_init_creds_get_gss_cred(krb5_context context,
+ krb5_gss_init_ctx gssic)
+{
+ return gssic->cred;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_init_creds_init_gss(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_gssic_step step,
+ krb5_gssic_finish finish,
+ krb5_gssic_release_cred release_cred,
+ krb5_gssic_delete_sec_context delete_sec_context,
+ const struct gss_cred_id_t_desc_struct *gss_cred,
+ const struct gss_OID_desc_struct *gss_mech,
+ unsigned int flags)
+{
+ krb5_gss_init_ctx gssic;
+
+ gssic = calloc(1, sizeof(*gssic));
+ if (gssic == NULL)
+ return krb5_enomem(context);
+
+ if (ctx->gss_init_ctx)
+ free_gss_init_ctx(context, ctx->gss_init_ctx);
+ ctx->gss_init_ctx = gssic;
+
+ gssic->cred = (struct gss_cred_id_t_desc_struct *)gss_cred;
+ gssic->mech = gss_mech;
+ if (flags & KRB5_GSS_IC_FLAG_RELEASE_CRED)
+ gssic->flags.release_cred = 1;
+
+ gssic->step = step;
+ gssic->finish = finish;
+ gssic->release_cred = release_cred;
+ gssic->delete_sec_context = delete_sec_context;
+
+ return 0;
+}
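Review bot: `_krb5_init_creds_set_gss_cred` (L21794-21795) calls `gssic->release_cred(...)` whenever `flags.release_cred` is set, but `_krb5_init_creds_init_gss` stores `release_cred` as a plain parameter (L21813, L21836) without a NULL check, so a caller that registered no release callback and later swaps credentials calls through NULL. Guard it: `if (gssic->cred != gss_cred && gssic->flags.release_cred && gssic->release_cred != NULL)`. The setter also forces `flags.release_cred = 1` even when `gss_cred == gssic->cred` and the flag was previously 0, i.e. it takes ownership of a credential the caller still believes it owns; either document that the setter always transfers ownership or preserve the flag in the equal-pointer case. L21829 casts `const` away from `gss_cred` to store it, which is the same ownership question in another form and deserves a comment.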
diff --git a/lib/krb5/k5e1_err.et b/lib/krb5/k5e1_err.et
new file mode 100644
index 000000000000..19414f10a14e
--- /dev/null
+++ b/lib/krb5/k5e1_err.et
@@ -0,0 +1,13 @@
+id "$Id$"
+
+error_table k5e1
+
+index 4
+
+prefix KRB5_DCC
+error_code CANNOT_CREATE, "Can't create new subsidiary cache"
+
+prefix KRB5_KCC
+error_code INVALID_ANCHOR, "Invalid keyring anchor name"
+error_code UNKNOWN_VERSION, "Unknown keyring collection version"
+error_code INVALID_UID, "Invalid UID in persistent keyring name"
diff --git a/lib/krb5/kcm.c b/lib/krb5/kcm.c
index 8e1dfff2d0ca..17a26e34f72e 100644
--- a/lib/krb5/kcm.c
+++ b/lib/krb5/kcm.c
@@ -73,6 +73,8 @@ kcm_send_request(krb5_context context,
krb5_error_code ret = 0;
krb5_data request_data;
+ krb5_data_zero(response_data);
+
HEIMDAL_MUTEX_lock(&kcm_mutex);
if (kcm_ipc == NULL)
ret = heim_ipc_init_context(kcm_ipc_name, &kcm_ipc);
@@ -82,18 +84,11 @@ kcm_send_request(krb5_context context,
ret = krb5_storage_to_data(request, &request_data);
if (ret) {
- krb5_clear_error_message(context);
- return KRB5_CC_NOMEM;
+ return krb5_enomem(context);
}
ret = heim_ipc_call(kcm_ipc, &request_data, response_data, NULL);
krb5_data_free(&request_data);
-
- if (ret) {
- krb5_clear_error_message(context);
- ret = KRB5_CC_NOSUPP;
- }
-
return ret;
}
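Review bot: Returning `heim_ipc_call`'s error verbatim (L21879-21887) changes the contract this function had: every IPC failure used to be folded into KRB5_CC_NOSUPP, which is also the code `krb5_init_creds_store` in this same diff (L21705) treats as "cache cannot hold config, carry on". Whether callers still see a KRB5_CC_* code when the daemon is unreachable now depends on what `heim_ipc_call` returns, which is not visible here; if it reports errno-style values, a missing kcm daemon turns best-effort config writes into hard failures. Either map the connection-failure case back to KRB5_CC_NOSUPP or attach a message with `krb5_set_error_message(context, ret, "KCM IPC call failed")` so the raw code is at least explained. `krb5_data_zero(response_data)` at L21867 is needed now that `krb5_kcm_call` frees the buffer on error.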
@@ -108,10 +103,8 @@ krb5_kcm_storage_request(krb5_context context,
*storage_p = NULL;
sp = krb5_storage_emem();
- if (sp == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
+ if (sp == NULL)
+ return krb5_enomem(context);
/* Send MAJOR | VERSION | OPCODE */
ret = krb5_store_int8(sp, KCM_PROTOCOL_VERSION_MAJOR);
@@ -135,29 +128,165 @@ krb5_kcm_storage_request(krb5_context context,
return ret;
}
+/*
+ * A sort of a state() for caches -- we use this to see if the local default
+ * cache name for KCM happens to exist. See kcm_alloc() below.
+ */
+static krb5_error_code
+kcm_stat(krb5_context context, const char *name)
+{
+ krb5_error_code ret;
+ krb5_storage *request = NULL;
+ krb5_data response_data;
+
+ krb5_data_zero(&response_data);
+
+ ret = krb5_kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request);
+ if (ret == 0)
+ ret = krb5_store_stringz(request, name);
+ if (ret == 0)
+ ret = krb5_kcm_call(context, request, NULL, &response_data);
+ krb5_storage_free(request);
+ krb5_data_free(&response_data);
+ return ret;
+}
+
+static krb5_error_code kcm_get_default_name(krb5_context,
+ const krb5_cc_ops *,
+ const char *, char **);
+
static krb5_error_code
-kcm_alloc(krb5_context context, const char *name, krb5_ccache *id)
+kcm_alloc(krb5_context context,
+ const krb5_cc_ops *ops,
+ const char *residual,
+ const char *sub,
+ krb5_ccache *id)
{
+ krb5_error_code ret;
krb5_kcmcache *k;
+ size_t ops_prefix_len = strlen(ops->prefix);
+ size_t plen = 0;
+ size_t local_def_name_len;
+ char *local_def_name = NULL; /* Our idea of default KCM cache name */
+ char *kcm_def_name = NULL; /* KCM's knowledge of default cache name */
+ int aret;
- k = malloc(sizeof(*k));
- if (k == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
+ /* Get the KCM:%{UID} default */
+ if (ops == &krb5_kcm_ops)
+ ret = _krb5_expand_default_cc_name(context, KRB5_DEFAULT_CCNAME_KCM_KCM, &local_def_name);
+ else
+ ret = _krb5_expand_default_cc_name(context, KRB5_DEFAULT_CCNAME_KCM_API, &local_def_name);
+ if (ret)
+ return ret;
+ local_def_name_len = strlen(local_def_name);
+
+ /* Get the default ccache name from KCM if possible */
+ (void) kcm_get_default_name(context, ops, NULL, &kcm_def_name);
+
+ /*
+ * We have a sticky situation in that applications that call
+ * krb5_cc_default() will be getting the locally configured or compiled-in
+ * default KCM cache name, which may not exist in the user's KCM session,
+ * and which the KCM daemon may not be able to alias to the actual default
+ * for the user's session.
+ *
+ * To deal with this we heuristically detect when an application uses the
+ * default KCM ccache name.
+ *
+ * If the residual happens to be the local default KCM name we may end up
+ * using whatever the default KCM cache name is instead of the local
+ * default.
+ *
+ * Note that here `residual' may be any of:
+ *
+ * - %{UID}
+ * - %{UID}:
+ * - %{UID}:<subsidiary>
+ * - <something not starting with %{UID}:>
+ * - <empty string>
+ * - <NULL>
+ *
+ * Only the first two count as "maybe I mean the default KCM cache".
+ */
+ if (residual && !sub &&
+ strncmp(residual, local_def_name + ops_prefix_len + 1,
+ local_def_name_len - (ops_prefix_len + 1)) == 0) {
+ if (residual[local_def_name_len - (ops_prefix_len + 1)] == '\0' ||
+ (residual[local_def_name_len - (ops_prefix_len + 1)] == ':' &&
+ residual[local_def_name_len - ops_prefix_len] == '\0')) {
+ /*
+ * If we got a default cache name from KCM and the requested default
+ * cache does not exist, use the former.
+ */
+ if (kcm_def_name && kcm_stat(context, residual))
+ residual = kcm_def_name + ops_prefix_len + 1;
+ }
}
- if (name != NULL) {
- k->name = strdup(name);
- if (k->name == NULL) {
- free(k);
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
- } else
- k->name = NULL;
+ if (residual && residual[0] == '\0')
+ residual = NULL;
+ if (sub && sub[0] == '\0')
+ sub = NULL;
+
+ if (residual == NULL && sub == NULL) {
+ /* Use the default cache name, either from KCM or local default */
+ if (kcm_def_name)
+ residual = kcm_def_name + ops_prefix_len + 1;
+ else
+ residual = local_def_name + ops_prefix_len + 1;
+ }
+
+ if (residual) {
+ /* KCM cache names must start with {UID} or {UID}: */
+ plen = strspn(residual, "0123456789");
+ if (plen && residual[plen] != ':' && residual[plen] != '\0')
+ plen = 0;
+ /*
+ * If `plen', then residual is such a residual, else we'll want to
+ * prefix the {UID}:.
+ */
+ }
+
+ k = calloc(1, sizeof(*k));
+ if (k == NULL) {
+ free(local_def_name);
+ free(kcm_def_name);
+ return krb5_enomem(context);
+ }
+ k->name = NULL;
+
+ if (residual == NULL && sub == NULL) {
+ /* One more way to get a default */
+ aret = asprintf(&k->name, "%llu", (unsigned long long)getuid());
+ } else if (residual == NULL) {
+ /*
+ * Treat the subsidiary as the residual (maybe this will turn out to be
+ * wrong).
+ */
+ aret = asprintf(&k->name, "%llu:%s", (unsigned long long)getuid(),
+ sub);
+ } else if (plen) {
+ /* The residual is a UID */
+ aret = asprintf(&k->name, "%s%s%s", residual,
+ sub ? ":" : "", sub ? sub : "");
+ } else if (sub == NULL) {
+ /* The residual is NOT a UID */
+ aret = asprintf(&k->name, "%llu:%s", (unsigned long long)getuid(),
+ residual);
+ } else {
+ /* Ditto, plus we have a subsidiary. `residual && sub && !plen' */
+ aret = asprintf(&k->name, "%llu:%s:%s", (unsigned long long)getuid(),
+ residual, sub);
+ }
+ if (aret == -1 || k->name == NULL) {
+ free(local_def_name);
+ free(kcm_def_name);
+ free(k);
+ return krb5_enomem(context);
+ }
+ free(local_def_name);
+ free(kcm_def_name);
(*id)->data.data = k;
(*id)->data.length = sizeof(*k);
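Review bot: The arithmetic on `local_def_name` at L21989-21993 assumes the expanded default begins with `ops->prefix` followed by ':'; `_krb5_expand_default_cc_name` is fed a compiled-in template, but if that template or a configured override ever lacks the prefix, `local_def_name_len - (ops_prefix_len + 1)` wraps as `size_t`, `strncmp` runs with an enormous bound, and `residual[...]` is indexed with the same value. Validate once after expansion: `if (strncmp(local_def_name, ops->prefix, ops_prefix_len) != 0 || local_def_name[ops_prefix_len] != ':') { free(local_def_name); return KRB5_CC_BADNAME; }` (or whichever KRB5_CC_* code the file uses for malformed names). The same prefix assumption is applied to `kcm_def_name` at L21999 and L22020, which holds as long as it only ever comes from `kcm_get_default_name` (L22261 builds it as `prefix:name`). The `kcm_stat` probe at L21998 treats any failure, including an IPC error, as "cache does not exist" and falls back to the daemon's default; a comment saying that fallback is intended would save the next reader a detour. `kcm_alloc` continues past the hunk.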
@@ -179,10 +308,11 @@ krb5_kcm_call(krb5_context context,
*response_p = NULL;
krb5_data_zero(&response_data);
-
ret = kcm_send_request(context, request, &response_data);
- if (ret)
- return ret;
+ if (ret) {
+ krb5_data_free(&response_data);
+ return ret;
+ }
response = krb5_storage_from_data(&response_data);
if (response == NULL) {
@@ -222,24 +352,63 @@ kcm_free(krb5_context context, krb5_ccache *id)
krb5_kcmcache *k = KCMCACHE(*id);
if (k != NULL) {
- if (k->name != NULL)
- free(k->name);
+ free(k->name);
memset_s(k, sizeof(*k), 0, sizeof(*k));
krb5_data_free(&(*id)->data);
}
}
-static const char *
-kcm_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+kcm_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **col,
+ const char **sub)
{
- return CACHENAME(id);
+ /*
+ * TODO:
+ *
+ * - name should be <IPC-name>:<cache-name>
+ * - col should be <IPC-name>
+ * - sub should be <cache-name>
+ */
+ if (name)
+ *name = CACHENAME(id);
+ if (col)
+ *col = NULL;
+ if (sub)
+ *sub = CACHENAME(id);
+ return 0;
}
static krb5_error_code
-kcm_resolve(krb5_context context, krb5_ccache *id, const char *res)
+kcm_resolve_2_kcm(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
- return kcm_alloc(context, res, id);
+ /*
+ * For now, for KCM the `res' is the `sub'.
+ *
+ * TODO: We should use `res' as the IPC name instead of the one currently
+ * hard-coded in `kcm_ipc_name'.
+ */
+ return kcm_alloc(context, &krb5_kcm_ops, res, sub, id);
+}
+
+static krb5_error_code
+kcm_resolve_2_api(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
+{
+ /*
+ * For now, for KCM the `res' is the `sub'.
+ *
+ * TODO: We should use `res' as the IPC name instead of the one currently
+ * hard-coded in `kcm_ipc_name'.
+ */
+ return kcm_alloc(context, &krb5_akcm_ops, res, sub, id);
}
/*
@@ -249,14 +418,14 @@ kcm_resolve(krb5_context context, krb5_ccache *id, const char *res)
* NameZ
*/
static krb5_error_code
-kcm_gen_new(krb5_context context, krb5_ccache *id)
+kcm_gen_new(krb5_context context, const krb5_cc_ops *ops, krb5_ccache *id)
{
krb5_kcmcache *k;
krb5_error_code ret;
krb5_storage *request, *response;
krb5_data response_data;
- ret = kcm_alloc(context, NULL, id);
+ ret = kcm_alloc(context, ops, NULL, NULL, id);
if (ret)
return ret;
@@ -275,6 +444,8 @@ kcm_gen_new(krb5_context context, krb5_ccache *id)
return ret;
}
+ free(k->name);
+ k->name = NULL;
ret = krb5_ret_stringz(response, &k->name);
if (ret)
ret = KRB5_CC_IO;
@@ -289,6 +460,18 @@ kcm_gen_new(krb5_context context, krb5_ccache *id)
return ret;
}
+static krb5_error_code
+kcm_gen_new_kcm(krb5_context context, krb5_ccache *id)
+{
+ return kcm_gen_new(context, &krb5_kcm_ops, id);
+}
+
+static krb5_error_code
+kcm_gen_new_api(krb5_context context, krb5_ccache *id)
+{
+ return kcm_gen_new(context, &krb5_akcm_ops, id);
+}
+
/*
* Request:
* NameZ
@@ -639,15 +822,15 @@ kcm_get_next (krb5_context context,
c->offset++;
if (sret != sizeof(c->uuids[c->offset])) {
krb5_storage_free(request);
- krb5_clear_error_message(context);
- return ENOMEM;
+ return krb5_enomem(context);
}
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
if (ret == KRB5_CC_END) {
goto again;
- }
+ } else if (ret)
+ return ret;
ret = krb5_ret_creds(response, creds);
if (ret)
@@ -867,14 +1050,15 @@ kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_op
c->offset++;
if (sret != sizeof(c->uuids[c->offset])) {
krb5_storage_free(request);
- krb5_clear_error_message(context);
- return ENOMEM;
+ return krb5_enomem(context);
}
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
if (ret == KRB5_CC_END)
goto again;
+ else if (ret)
+ return ret;
ret = krb5_ret_stringz(response, &name);
krb5_storage_free(response);
@@ -883,7 +1067,7 @@ kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_op
if (ret == 0) {
ret = _krb5_cc_allocate(context, ops, id);
if (ret == 0)
- ret = kcm_alloc(context, name, id);
+ ret = kcm_alloc(context, ops, name, NULL, id);
krb5_xfree(name);
}
@@ -944,6 +1128,9 @@ kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to)
ret = krb5_kcm_call(context, request, NULL, NULL);
krb5_storage_free(request);
+
+ if (ret == 0)
+ krb5_cc_destroy(context, from);
return ret;
}
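Review bot: After a successful server-side move, L22244-22245 call `krb5_cc_destroy(context, from)` and discard its result; `kcm_move` starts before the hunk, and the generic `krb5_cc_move` in cache.c (not in this chunk) has historically decided the fate of `from` itself, so please confirm it does not also destroy or close `from`, which would double-free the `krb5_kcmcache` through `kcm_free`. If the KCM daemon's MOVE already removes the source cache and `kcm_destroy` issues its own DESTROY request, that second request may fail for a name that no longer exists; if that is expected, ignore the result deliberately with `/* source cache is gone server-side after MOVE; destroy only releases the local handle, failures ignored */`, otherwise propagate the error.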
@@ -965,8 +1152,11 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_storage_free(request);
- if (ret)
- return _krb5_expand_default_cc_name(context, defstr, str);
+ if (ret) {
+ if (defstr)
+ return _krb5_expand_default_cc_name(context, defstr, str);
+ return ret;
+ }
ret = krb5_ret_stringz(response, &name);
krb5_storage_free(response);
@@ -976,8 +1166,8 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
aret = asprintf(str, "%s:%s", ops->prefix, name);
free(name);
- if (aret == -1 || str == NULL)
- return ENOMEM;
+ if (aret == -1 || *str == NULL)
+ return krb5_enomem(context);
return 0;
}
@@ -1096,11 +1286,11 @@ kcm_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"KCM",
- kcm_get_name,
- kcm_resolve,
- kcm_gen_new,
+ NULL,
+ NULL,
+ kcm_gen_new_kcm,
kcm_initialize,
kcm_destroy,
kcm_close,
@@ -1121,15 +1311,17 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops = {
kcm_set_default,
kcm_lastchange,
kcm_set_kdc_offset,
- kcm_get_kdc_offset
+ kcm_get_kdc_offset,
+ kcm_get_name_2,
+ kcm_resolve_2_kcm
};
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"API",
- kcm_get_name,
- kcm_resolve,
- kcm_gen_new,
+ NULL,
+ NULL,
+ kcm_gen_new_api,
kcm_initialize,
kcm_destroy,
kcm_close,
@@ -1150,10 +1342,11 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
kcm_set_default,
kcm_lastchange,
NULL,
- NULL
+ NULL,
+ kcm_get_name_2,
+ kcm_resolve_2_api
};
-
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_kcm_is_running(krb5_context context)
{
@@ -1162,7 +1355,7 @@ _krb5_kcm_is_running(krb5_context context)
krb5_ccache id = &ccdata;
krb5_boolean running;
- ret = kcm_alloc(context, NULL, &id);
+ ret = kcm_alloc(context, &krb5_kcm_ops, NULL, NULL, &id);
if (ret)
return 0;
diff --git a/lib/krb5/kcm.h b/lib/krb5/kcm.h
index 27197fec3eda..ba484b9cab71 100644
--- a/lib/krb5/kcm.h
+++ b/lib/krb5/kcm.h
@@ -78,9 +78,6 @@ typedef enum kcm_operation {
KCM_OP_MAX
} kcm_operation;
-#define _PATH_KCM_SOCKET "/var/run/.kcm_socket"
-#define _PATH_KCM_DOOR "/var/run/.kcm_door"
-
#define KCM_NTLM_FLAG_SESSIONKEY 1
#define KCM_NTLM_FLAG_NTLM2_SESSION 2
#define KCM_NTLM_FLAG_KEYEX 4
diff --git a/lib/krb5/kerberos.8 b/lib/krb5/kerberos.8
index d54ced53ed8c..fdcea0460d6a 100644
--- a/lib/krb5/kerberos.8
+++ b/lib/krb5/kerberos.8
@@ -71,9 +71,12 @@ or
.Ic ftp ,
without giving your password.
.Pp
-For more information on how Kerberos works, and other general Kerberos
-questions see the Kerberos FAQ at
-.Lk http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html .
+For more information on how Kerberos works, see the tutorial at
+.Lk https://kerberos.org/software/tutorial.html
+or the informal
+.Dq dialogue
+at
+.Lk https://web.mit.edu/kerberos/dialogue.html .
.Pp
For setup instructions see the Heimdal Texinfo manual.
.Sh SEE ALSO
diff --git a/lib/krb5/kerberos.cat8 b/lib/krb5/kerberos.cat8
deleted file mode 100644
index 65093c0dce4c..000000000000
--- a/lib/krb5/kerberos.cat8
+++ /dev/null
@@ -1,57 +0,0 @@
-KERBEROS(8) BSD System Manager's Manual KERBEROS(8)
-
-NAME
- kerberos -- introduction to the Kerberos system
-
-DESCRIPTION
- Kerberos is a network authentication system. Its purpose is to securely
- authenticate users and services in an insecure network environment.
-
- This is done with a Kerberos server acting as a trusted third party,
- keeping a database with secret keys for all users and services (collec-
- tively called principals).
-
- Each principal belongs to exactly one realm, which is the administrative
- domain in Kerberos. A realm usually corresponds to an organisation, and
- the realm should normally be derived from that organisation's domain
- name. A realm is served by one or more Kerberos servers.
-
- The authentication process involves exchange of `tickets' and
- `authenticators' which together prove the principal's identity.
-
- When you login to the Kerberos system, either through the normal system
- login or with the kinit(1) program, you acquire a ticket granting ticket
- which allows you to get new tickets for other services, such as telnet or
- ftp, without giving your password.
-
- For more information on how Kerberos works, and other general Kerberos
- questions see the Kerberos FAQ at
- http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html
-
- For setup instructions see the Heimdal Texinfo manual.
-
-SEE ALSO
- ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1), krb5(3),
- krb5.conf(5), kadmin(1), kdc(8), ktutil(1)
-
-HISTORY
- The Kerberos authentication system was developed in the late 1980's as
- part of the Athena Project at the Massachusetts Institute of Technology.
- Versions one through three never reached outside MIT, but version 4 was
- (and still is) quite popular, especially in the academic community, but
- is also used in commercial products like the AFS filesystem.
-
- The problems with version 4 are that it has many limitations, the code
- was not too well written (since it had been developed over a long time),
- and it has a number of known security problems. To resolve many of these
- issues work on version five started, and resulted in IETF RFC 1510 in
- 1993. IETF RFC 1510 was obsoleted in 2005 with IETF RFC 4120, also known
- as Kerberos clarifications. With the arrival of IETF RFC 4120, the work
- on adding extensibility and internationalization have started (Kerberos
- extensions), and a new RFC will hopefully appear soon.
-
- This manual page is part of the Heimdal Kerberos 5 distribution, which
- has been in development at the Royal Institute of Technology in Stock-
- holm, Sweden, since about 1997.
-
-HEIMDAL Jun 27, 2013 HEIMDAL
diff --git a/lib/krb5/keyblock.c b/lib/krb5/keyblock.c
index abca3ee059f6..317bed382d77 100644
--- a/lib/krb5/keyblock.c
+++ b/lib/krb5/keyblock.c
@@ -63,7 +63,8 @@ krb5_free_keyblock_contents(krb5_context context,
{
if(keyblock) {
if (keyblock->keyvalue.data != NULL)
- memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length);
+ memset_s(keyblock->keyvalue.data, keyblock->keyvalue.length,
+ 0, keyblock->keyvalue.length);
krb5_data_free (&keyblock->keyvalue);
keyblock->keytype = KRB5_ENCTYPE_NULL;
}
diff --git a/lib/krb5/keytab.c b/lib/krb5/keytab.c
index 4977a62f21c4..bcb3ed837331 100644
--- a/lib/krb5/keytab.c
+++ b/lib/krb5/keytab.c
@@ -250,8 +250,7 @@ static const char *default_ktname(krb5_context context)
{
const char *tmp = NULL;
- if(!issuid())
- tmp = getenv("KRB5_KTNAME");
+ tmp = secure_getenv("KRB5_KTNAME");
if(tmp != NULL)
return tmp;
return context->default_keytab;
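Review bot: Replacing the `issuid()` guard with `secure_getenv` at L22445 is the right direction, since glibc's `secure_getenv` also refuses the environment under AT_SECURE (setgid, file capabilities), which `issuid()` did not cover. It is not a C11 or POSIX function, though: this is the FreeBSD import and FreeBSD's libc has historically lacked it, so the build depends on roken or the vendor glue supplying a replacement with the same semantics; a note at the call such as `/* secure_getenv: glibc/roken; must return NULL when the process is privileged (AT_SECURE), not fall back to getenv */` records the requirement. A fallback that degrades to plain `getenv` would silently reintroduce the KRB5_KTNAME-under-setuid hazard, so the replacement should be verified rather than assumed. `default_ktname` begins before the hunk.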
@@ -583,29 +582,31 @@ _krb5_kt_principal_not_found(krb5_context context,
krb5_enctype enctype,
int kvno)
{
- char princ[256], kvno_str[25], *kt_name;
+ char kvno_str[25];
char *enctype_str = NULL;
+ char *kt_name = NULL;
+ char *princ = NULL;
- krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
- krb5_kt_get_full_name (context, id, &kt_name);
+ (void) krb5_unparse_name(context, principal, &princ);
+ (void) krb5_kt_get_full_name(context, id, &kt_name);
if (enctype)
- krb5_enctype_to_string(context, enctype, &enctype_str);
+ (void) krb5_enctype_to_string(context, enctype, &enctype_str);
if (kvno)
snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
else
kvno_str[0] = '\0';
- krb5_set_error_message (context, ret,
- N_("Failed to find %s%s in keytab %s (%s)",
- "principal, kvno, keytab file, enctype"),
- princ,
- kvno_str,
- kt_name ? kt_name : "unknown keytab",
- enctype_str ? enctype_str : "unknown enctype");
+ krb5_set_error_message(context, ret,
+ N_("Failed to find %s%s in keytab %s (%s)",
+ "principal, kvno, keytab file, enctype"),
+ princ ? princ : "<unknown>",
+ kvno_str,
+ kt_name ? kt_name : "unknown keytab",
+ enctype_str ? enctype_str : "unknown enctype");
+ free(princ);
free(kt_name);
- if (enctype_str)
- free(enctype_str);
+ free(enctype_str);
return ret;
}
@@ -688,7 +689,8 @@ krb5_kt_get_entry(krb5_context context,
krb5_name_canon_iterator name_canon_iter;
if (!principal)
- return krb5_kt_get_entry_wrapped(context, id, principal, kvno, enctype,
+ /* Use `NULL' instead of `principal' to quiet static analizers */
+ return krb5_kt_get_entry_wrapped(context, id, NULL, kvno, enctype,
entry);
ret = krb5_name_canon_iterator_start(context, principal, &name_canon_iter);
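Review bot: The new comment misspells `analizers`; it should read `/* Use `NULL' instead of `principal' to quiet static analyzers */`. Placing a comment between an unbraced `if` and a two-line `return` is legal but easy to misread; bracing the body would make the structure obvious. krb5_kt_get_entry continues outside the hunk.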
@@ -708,7 +710,7 @@ krb5_kt_get_entry(krb5_context context,
enctype, entry);
} while (ret == KRB5_KT_NOTFOUND && name_canon_iter);
- if (ret != KRB5_KT_NOTFOUND)
+ if (ret && ret != KRB5_KT_NOTFOUND)
krb5_set_error_message(context, ret,
N_("Name canon failed while searching keytab",
""));
@@ -828,6 +830,7 @@ krb5_kt_next_entry(krb5_context context,
id->prefix);
return HEIM_ERR_OPNOTSUPP;
}
+ memset(entry, 0x0, sizeof(*entry));
return (*id->next_entry)(context, id, entry, cursor);
}
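Review bot: The added `memset(entry, 0x0, sizeof(*entry))` runs only after the unsupported-operation check, so on the `HEIM_ERR_OPNOTSUPP` return just above it `*entry` stays indeterminate, and a caller that relies on the new zeroing to call `krb5_kt_free_entry` unconditionally on error would free garbage pointers. Moving the memset to the start of the function, ahead of that check (whose beginning lies outside the hunk), gives every return path a defined out-parameter. A comment on the memset, `/* Always leave *entry in a state krb5_kt_free_entry can handle, even on error */`, would record the contract the backends' next_entry callbacks must honour as well.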
@@ -880,7 +883,8 @@ krb5_kt_add_entry(krb5_context context,
id->prefix);
return KRB5_KT_NOWRITE;
}
- entry->timestamp = time(NULL);
+ if (entry->timestamp == 0)
+ entry->timestamp = time(NULL);
return (*id->add)(context, id,entry);
}
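Review bot: The new `if (entry->timestamp == 0)` guard changes the contract — a caller-supplied timestamp is now kept instead of being overwritten — but nothing in the hunk says why, so the next reader cannot tell a deliberate change from an accident. A comment would fix that: `/* Keep a caller-supplied timestamp (e.g. when copying an existing entry); only stamp entries that have none */` — the copying case is my guess at the motivation and should be replaced by the actual one. krb5_kt_add_entry's signature and start lie outside the hunk.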
@@ -954,3 +958,19 @@ krb5_kt_have_content(krb5_context context,
}
return KRB5_KT_NOTFOUND;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kt_client_default_name(krb5_context context, char **name)
+{
+ const char *tmp;
+
+ tmp = secure_getenv("KRB5_CLIENT_KTNAME");
+ if (tmp == NULL)
+ tmp = krb5_config_get_string(context, NULL,
+ "libdefaults",
+ "default_client_keytab_name", NULL);
+ if (tmp == NULL)
+ tmp = CLIENT_KEYTAB_DEFAULT;
+
+ return _krb5_expand_path_tokens(context, tmp, 1, name);
+}
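Review bot: The new exported function has no header comment, although its lookup order is exactly what callers and packagers need spelled out. A comment above it should state that the client keytab name is taken from `KRB5_CLIENT_KTNAME` (ignored in AT_SECURE processes, since `secure_getenv` is used), then from `[libdefaults] default_client_keytab_name`, then from the compiled-in `CLIENT_KEYTAB_DEFAULT`, and that the chosen string is run through `_krb5_expand_path_tokens` with its `filepath` argument set to 1 and, presumably, returned as an allocation the caller must free. Where `CLIENT_KEYTAB_DEFAULT` is defined is not visible here; if it is a configure-time define, naming the knob in the comment would help too.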
diff --git a/lib/krb5/keytab_any.c b/lib/krb5/keytab_any.c
index eea5d64bfb60..6663d171fc83 100644
--- a/lib/krb5/keytab_any.c
+++ b/lib/krb5/keytab_any.c
@@ -222,11 +222,11 @@ any_remove_entry(krb5_context context,
{
struct any_data *a = id->data;
krb5_error_code ret;
- int found = 0;
+ krb5_boolean found = FALSE;
while(a != NULL) {
ret = krb5_kt_remove_entry(context, a->kt, entry);
if(ret == 0)
- found++;
+ found = TRUE;
else {
if(ret != KRB5_KT_NOWRITE && ret != KRB5_KT_NOTFOUND) {
krb5_set_error_message(context, ret,
diff --git a/lib/krb5/keytab_file.c b/lib/krb5/keytab_file.c
index 14b0f6c5987a..61b5d6d29cf8 100644
--- a/lib/krb5/keytab_file.c
+++ b/lib/krb5/keytab_file.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -52,8 +52,10 @@ krb5_kt_ret_data(krb5_context context,
krb5_storage *sp,
krb5_data *data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
int16_t size;
+
ret = krb5_ret_int16(sp, &size);
if(ret)
return ret;
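Review bot: `size` is an `int16_t` read from the keytab and is never checked for a negative value before being used as an allocation size, so a check belongs right after this `return ret;`: `if (size < 0) return KRB5_KT_END;` (or whatever code this file prefers for a corrupt length). Without it, `malloc(size)` in the next hunk converts a negative value to a huge size_t, and in the krb5_kt_ret_string hunk below `malloc(size + 1)` with size equal to -1 becomes `malloc(0)` followed by `(*data)[size] = '\0'`, a write one byte before the buffer. The switch to `krb5_ssize_t bytes` tidies the read-length comparison but leaves this pre-existing hole; a keytab is normally trusted local data, yet a truncated or corrupt file should fail cleanly rather than corrupt memory. krb5_kt_ret_data continues into the next hunk.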
@@ -61,9 +63,9 @@ krb5_kt_ret_data(krb5_context context,
data->data = malloc(size);
if (data->data == NULL)
return krb5_enomem(context);
- ret = krb5_storage_read(sp, data->data, size);
- if(ret != size)
- return (ret < 0)? errno : KRB5_KT_END;
+ bytes = krb5_storage_read(sp, data->data, size);
+ if (bytes != size)
+ return (bytes == -1) ? errno : KRB5_KT_END;
return 0;
}
@@ -72,18 +74,20 @@ krb5_kt_ret_string(krb5_context context,
krb5_storage *sp,
heim_general_string *data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
int16_t size;
+
ret = krb5_ret_int16(sp, &size);
if(ret)
return ret;
*data = malloc(size + 1);
if (*data == NULL)
return krb5_enomem(context);
- ret = krb5_storage_read(sp, *data, size);
+ bytes = krb5_storage_read(sp, *data, size);
(*data)[size] = '\0';
- if(ret != size)
- return (ret < 0)? errno : KRB5_KT_END;
+ if (bytes != size)
+ return (bytes == -1) ? errno : KRB5_KT_END;
return 0;
}
@@ -92,16 +96,15 @@ krb5_kt_store_data(krb5_context context,
krb5_storage *sp,
krb5_data data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
+
ret = krb5_store_int16(sp, data.length);
- if(ret < 0)
- return ret;
- ret = krb5_storage_write(sp, data.data, data.length);
- if(ret != (int)data.length){
- if(ret < 0)
- return errno;
- return KRB5_KT_END;
- }
+ if (ret != 0)
+ return ret;
+ bytes = krb5_storage_write(sp, data.data, data.length);
+ if (bytes != (int)data.length)
+ return bytes == -1 ? errno : KRB5_KT_END;
return 0;
}
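Review bot: `krb5_store_int16(sp, data.length)` silently truncates a length above `INT16_MAX`, and the mismatch is never detected because the following write uses the full `data.length`, so a reader of that keytab sees a wrong or negative length. A range check before the store, `if (data.length > INT16_MAX) return ERANGE;` (or a krb5 error code if the file-format code has one), closes that; the same applies to `len` in krb5_kt_store_string in the next hunk. The `(int)data.length` cast in the comparison is no longer needed now that `bytes` is a `krb5_ssize_t`; `bytes != (krb5_ssize_t)data.length` avoids the extra narrowing.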
@@ -109,17 +112,16 @@ static krb5_error_code
krb5_kt_store_string(krb5_storage *sp,
heim_general_string data)
{
- int ret;
+ krb5_error_code ret;
+ krb5_ssize_t bytes;
size_t len = strlen(data);
+
ret = krb5_store_int16(sp, len);
- if(ret < 0)
+ if (ret != 0)
return ret;
- ret = krb5_storage_write(sp, data, len);
- if(ret != (int)len){
- if(ret < 0)
- return errno;
- return KRB5_KT_END;
- }
+ bytes = krb5_storage_write(sp, data, len);
+ if (bytes != (int)len)
+ return bytes == -1 ? errno : KRB5_KT_END;
return 0;
}
@@ -367,7 +369,9 @@ fkt_start_seq_get_int(krb5_context context,
int8_t pvno, tag;
krb5_error_code ret;
struct fkt_data *d = id->data;
+ const char *stdio_mode = "rb";
+ memset(c, 0, sizeof(*c));
c->fd = open (d->filename, flags);
if (c->fd < 0) {
ret = errno;
@@ -382,9 +386,14 @@ fkt_start_seq_get_int(krb5_context context,
close(c->fd);
return ret;
}
- c->sp = krb5_storage_from_fd(c->fd);
+ if ((flags & O_ACCMODE) == O_RDWR && (flags & O_APPEND))
+ stdio_mode = "ab+";
+ else if ((flags & O_ACCMODE) == O_RDWR)
+ stdio_mode = "rb+";
+ else if ((flags & O_ACCMODE) == O_WRONLY)
+ stdio_mode = "wb";
+ c->sp = krb5_storage_stdio_from_fd(c->fd, stdio_mode);
if (c->sp == NULL) {
- _krb5_xunlock(context, c->fd);
close(c->fd);
return krb5_enomem(context);
}
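Review bot: When `krb5_storage_stdio_from_fd` returns NULL the function reports `krb5_enomem`, but a constructor that wraps a descriptor presumably also fails on dup/fdopen/seek errors, so callers are told "out of memory" for what is a descriptor problem; saving `errno` and returning it when non-zero, falling back to `krb5_enomem` otherwise, would be more accurate. The same mapping appears in the first fkt_add_entry hunk that switches to `krb5_storage_stdio_from_fd(fd, "wb+")`. The error paths in the following hunks free the storage and then `close(c->fd)`, which is a single close only if the stdio storage owns a duplicate of the descriptor rather than adopting it; a comment at this call site recording that assumption would protect the ordering. fkt_start_seq_get_int continues outside the hunk.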
@@ -392,14 +401,12 @@ fkt_start_seq_get_int(krb5_context context,
ret = krb5_ret_int8(c->sp, &pvno);
if(ret) {
krb5_storage_free(c->sp);
- _krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message(context);
return ret;
}
if(pvno != 5) {
krb5_storage_free(c->sp);
- _krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message (context);
return KRB5_KEYTAB_BADVNO;
@@ -407,7 +414,6 @@ fkt_start_seq_get_int(krb5_context context,
ret = krb5_ret_int8(c->sp, &tag);
if (ret) {
krb5_storage_free(c->sp);
- _krb5_xunlock(context, c->fd);
close(c->fd);
krb5_clear_error_message(context);
return ret;
@@ -507,7 +513,6 @@ fkt_end_seq_get(krb5_context context,
krb5_kt_cursor *cursor)
{
krb5_storage_free(cursor->sp);
- _krb5_xunlock(context, cursor->fd);
close(cursor->fd);
return 0;
}
@@ -534,13 +539,14 @@ fkt_add_entry(krb5_context context,
int ret;
int fd;
krb5_storage *sp;
+ krb5_ssize_t bytes;
struct fkt_data *d = id->data;
krb5_data keytab;
int32_t len;
- fd = open (d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
+ fd = open(d->filename, O_RDWR | O_BINARY | O_CLOEXEC);
if (fd < 0) {
- fd = open (d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
+ fd = open(d->filename, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if (fd < 0) {
ret = errno;
krb5_set_error_message(context, ret,
@@ -555,10 +561,14 @@ fkt_add_entry(krb5_context context,
close(fd);
return ret;
}
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "wb+");
+ if (sp == NULL) {
+ close(fd);
+ return krb5_enomem(context);
+ }
krb5_storage_set_eof_code(sp, KRB5_KT_END);
ret = fkt_setup_keytab(context, id, sp);
- if(ret) {
+ if (ret) {
goto out;
}
storage_set_flags(context, sp, id->version);
@@ -572,7 +582,11 @@ fkt_add_entry(krb5_context context,
close(fd);
return ret;
}
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "wb+");
+ if (sp == NULL) {
+ (void) close(fd);
+ return ret;
+ }
krb5_storage_set_eof_code(sp, KRB5_KT_END);
ret = krb5_ret_int8(sp, &pvno);
if(ret) {
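Review bot: In the new `sp == NULL` branch the function returns `ret`, yet at that point `ret` appears to hold the result of the preceding call whose success the code has just confirmed (its error path ends directly above), so a failed `krb5_storage_stdio_from_fd` makes fkt_add_entry report success without having written anything. The earlier branch in this function returns `krb5_enomem(context)` for the same failure; this one should match it: `(void) close(fd); return krb5_enomem(context);`. fkt_add_entry continues on both sides of the hunk.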
@@ -679,8 +693,21 @@ fkt_add_entry(krb5_context context,
}
while(1) {
+ off_t here;
+
+ here = krb5_storage_seek(sp, 0, SEEK_CUR);
+ if (here == -1) {
+ ret = errno;
+ krb5_set_error_message(context, ret,
+ N_("Failed writing keytab block "
+ "in keytab %s: %s", ""),
+ d->filename, strerror(ret));
+ goto out;
+ }
ret = krb5_ret_int32(sp, &len);
- if(ret == KRB5_KT_END) {
+ if (ret) {
+ /* There could have been a partial length. Recover! */
+ (void) krb5_storage_truncate(sp, here);
len = keytab.length;
break;
}
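Review bot: `if (ret)` now treats every failure of `krb5_ret_int32` as a partial trailing length and truncates the keytab at `here`, whereas the line it replaces did so only for `KRB5_KT_END`; a transient read error (krb5_ret_int32 presumably returns `errno` for a failed read, while the eof code was set to `KRB5_KT_END` earlier in the function) would then truncate a valid keytab and discard every entry past the current position. Keep the recovery for the end-of-file case only — `if (ret == KRB5_KT_END) {` … `}` followed by `if (ret) goto out;`. The result of `krb5_storage_truncate` is discarded too; if truncation fails the new record lands after the partial length and the file stays corrupt, so the failure should at least be propagated. The loop and fkt_add_entry continue outside the hunk.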
@@ -694,8 +721,11 @@ fkt_add_entry(krb5_context context,
krb5_storage_seek(sp, len, SEEK_CUR);
}
ret = krb5_store_int32(sp, len);
- if(krb5_storage_write(sp, keytab.data, keytab.length) < 0) {
- ret = errno;
+ if (ret != 0)
+ goto out;
+ bytes = krb5_storage_write(sp, keytab.data, keytab.length);
+ if (bytes != keytab.length) {
+ ret = bytes == -1 ? errno : KRB5_KT_END;
krb5_set_error_message(context, ret,
N_("Failed writing keytab block "
"in keytab %s: %s", ""),
@@ -704,8 +734,9 @@ fkt_add_entry(krb5_context context,
memset(keytab.data, 0, keytab.length);
krb5_data_free(&keytab);
out:
+ if (ret == 0)
+ ret = krb5_storage_fsync(sp);
krb5_storage_free(sp);
- _krb5_xunlock(context, fd);
close(fd);
return ret;
}
@@ -715,6 +746,8 @@ fkt_remove_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry)
{
+ struct fkt_data *fkt = id->data;
+ krb5_ssize_t bytes;
krb5_keytab_entry e;
krb5_kt_cursor cursor;
off_t pos_start, pos_end;
@@ -722,34 +755,56 @@ fkt_remove_entry(krb5_context context,
krb5_error_code ret;
ret = fkt_start_seq_get_int(context, id, O_RDWR | O_BINARY | O_CLOEXEC, 1, &cursor);
- if(ret != 0)
- goto out; /* return other error here? */
- while(fkt_next_entry_int(context, id, &e, &cursor,
- &pos_start, &pos_end) == 0) {
- if(krb5_kt_compare(context, &e, entry->principal,
- entry->vno, entry->keyblock.keytype)) {
+ if (ret != 0) {
+ const char *emsg = krb5_get_error_message(context, ret);
+
+ krb5_set_error_message(context, ret,
+ N_("Could not open keytab file for write: %s: %s", ""),
+ fkt->filename,
+ emsg);
+ krb5_free_error_message(context, emsg);
+ return ret;
+ }
+ while (ret == 0 &&
+ (ret = fkt_next_entry_int(context, id, &e, &cursor,
+ &pos_start, &pos_end)) == 0) {
+ if (krb5_kt_compare(context, &e, entry->principal,
+ entry->vno, entry->keyblock.keytype)) {
int32_t len;
unsigned char buf[128];
found = 1;
krb5_storage_seek(cursor.sp, pos_start, SEEK_SET);
len = pos_end - pos_start - 4;
- krb5_store_int32(cursor.sp, -len);
+ ret = krb5_store_int32(cursor.sp, -len);
memset(buf, 0, sizeof(buf));
- while(len > 0) {
- krb5_storage_write(cursor.sp, buf,
+ while (ret == 0 && len > 0) {
+ bytes = krb5_storage_write(cursor.sp, buf,
min((size_t)len, sizeof(buf)));
+ if (bytes != min((size_t)len, sizeof(buf))) {
+ ret = bytes == -1 ? errno : KRB5_KT_END;
+ break;
+ }
len -= min((size_t)len, sizeof(buf));
}
}
krb5_kt_free_entry(context, &e);
}
- krb5_kt_end_seq_get(context, id, &cursor);
- out:
- if (!found) {
- krb5_clear_error_message (context);
+ (void) krb5_kt_end_seq_get(context, id, &cursor);
+ if (ret == KRB5_KT_END)
+ ret = 0;
+ if (ret) {
+ const char *emsg = krb5_get_error_message(context, ret);
+
+ krb5_set_error_message(context, ret,
+ N_("Could not remove keytab entry from %s: %s", ""),
+ fkt->filename,
+ emsg);
+ krb5_free_error_message(context, emsg);
+ } else if (!found) {
+ krb5_clear_error_message(context);
return KRB5_KT_NOTFOUND;
}
- return 0;
+ return ret;
}
const krb5_kt_ops krb5_fkt_ops = {
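Review bot: The zero-fill that overwrites the removed entry now goes through a stdio-backed storage, yet the cursor is closed with `(void) krb5_kt_end_seq_get(...)`, so a write error that only surfaces at flush time is discarded and the function can report success while the key bytes are still on disk. Mirror fkt_add_entry and flush explicitly before closing: `if (ret == 0) ret = krb5_storage_fsync(cursor.sp);` placed ahead of the `krb5_kt_end_seq_get` call. The `krb5_storage_seek(cursor.sp, pos_start, SEEK_SET)` result is also unchecked; a failed seek would write the negative length marker and zeros at the current position rather than over the entry, so its result should be compared against `pos_start` and `ret` set on mismatch before the store. `found` is declared outside the hunk.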
diff --git a/lib/krb5/keytab_keyfile.c b/lib/krb5/keytab_keyfile.c
index cb865a794c08..af3ac86faf0a 100644
--- a/lib/krb5/keytab_keyfile.c
+++ b/lib/krb5/keytab_keyfile.c
@@ -403,7 +403,7 @@ akf_add_entry(krb5_context context,
ret = errno;
krb5_set_error_message (context, ret,
N_("keytab keyfile failed new length", ""));
- return ret;
+ goto out;
}
if(krb5_storage_seek(sp, (len - 1) * (8 + 4), SEEK_CUR) < 0) {
diff --git a/lib/krb5/krb5-plugin.7 b/lib/krb5/krb5-plugin.7
index 5ba68c645134..0b1e729c1617 100644
--- a/lib/krb5/krb5-plugin.7
+++ b/lib/krb5/krb5-plugin.7
@@ -57,11 +57,54 @@ associated header file, such as, for example,
.Va krb5plugin_kuserok_ftable
and a pointer to which is either registered via
.Xr krb5_plugin_register 3
-or found in a shared object via a symbol lookup for the symbol name
-defined in the associated header file (e.g., "kuserok" for the
-plugin for
+or via a plugin load function exported by a shared object.
+Plugin load functions should be named by concatenating the name defined in the
+associated header file with the string "plugin_load" (e.g.
+"krb5_plugin_kuserok_plugin_load" for the plugin for
.Xr krb5_kuserok 3
).
+The plugin load function must be of type
+.Va heim_plugin_load_ft
+which is:
+.Bd -literal -offset indent
+krb5_error_code HEIM_CALLCONV
+my_plugin_load(heim_pcontext context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ heim_plugin_common_ftable_cp **plugins);
+
+.Ed
+where
+.Va HEIM_CALLCONV
+is
+.Va __stdcall
+on Windows.
+.Pp
+The plugin should set the get_instance output parameter to the a
+function that will return the instances of its library
+dependencies. For example:
+.Bd -literal -offset indent
+static uintptr_t HEIM_LIB_CALL
+my_plugin_get_instance(const char *name)
+{
+ if (strcmp(name, "krb5") == 0)
+ return krb5_get_instance(name);
+ return 0;
+}
+.Ed
+.Pp
+The
+.Va get_instance
+function is used to check that dynamically-linked plugins are
+linked with the same Heimdal shared objects as the one loading
+and running the plugin.
+.Pp
+The output parameters
+.Va plugins
+and
+.Va n_plugins
+output an array of pointers to function tabls, and the number of
+those, respectively.
.Pp
The plugin structs for all plugin types always begin with the same three
common fields:
@@ -72,24 +115,41 @@ common fields:
associated header file.
.It
.Va init
-, a pointer to a function with two arguments, a krb5_context and a
-void **, returning a krb5_error_code. This function will be called to
-initialize a plugin-specific context in the form of a void * that will
-be output through the init function's second argument.
+, a pointer to a function with two arguments, a
+.Va heim_pcontext
+(which for krb5 plugins is actually a krb5_context),
+and a
+.Va void **
+, returning a heim_error_code. This function will be called to
+initialize a plugin-specific context in the form of a
+.Va void *
+that will be output through the init function's second argument.
.It
.Va fini
-, a pointer to a function of one argument, a void *, consisting of the
-plugin's context to be destroyed, and returning void.
+, a pointer to a function of one argument, a
+.Va void *
+, consisting of the plugin's context to be destroyed, and
+returning
+.Va void.
.El
.Pp
-Each plugin type must add zero or more fields to this struct following
-the above three. Plugins are typically invoked in no particular order
-until one succeeds or fails, or all return a special return value such
-as KRB5_PLUGIN_NO_HANDLE to indicate that the plugin was not applicable.
-Most plugin types obtain deterministic plugin behavior in spite of the
-non-deterministic invocation order by, for example, invoking all plugins
-for each "rule" and passing the rule to each plugin with the expectation
-that just one plugin will match any given rule.
+Each plugin type may add fields to this struct following the above
+three. Plugins are typically invoked in no particular order until one
+succeeds or fails, or all return a special return value that indicates
+that the plugin was not applicable. For krb5 plugins,
+.Va KRB5_PLUGIN_NO_HANDLE
+indicates that the plugin was not applicable.
+.Pp
+Heimdal plugin callers either invoke all plugins until one returns an
+error or all return
+.Va KRB5_PLUGIN_NO_HANDLE
+, or invoke all plugins until one returns a value other than
+.Va KRB5_PLUGIN_NO_HANDLE
+with the expectation that only one plugin would return success and all
+oters would return
+.Va KRB5_PLUGIN_NO_HANDLE.
+Thus Heimdal plugin invokation can be deterministic in spite of
+non-deterministic invocation order.
.Pp
There is a database plugin system intended for many of the uses of
databases in Heimdal. The plugin is expected to call
@@ -169,8 +229,9 @@ follows:
.Bd -literal -offset indent
#include <krb5/an2ln_plugin.h>
+/* Note that `context' here is actually a krb5_context value */
static krb5_error_code KRB5_CALLCONV
-nouser_plug_init(krb5_context context, void **ctx)
+nouser_plug_init(heim_pcontext context, void **ctx)
{
*ctx = NULL;
return 0;
@@ -200,6 +261,32 @@ krb5plugin_an2ln_ftable an2ln = {
nouser_plug_fini,
nouser_plug_an2ln,
};
+
+static const krb5plugin_an2ln_ftable *const plugins[] = {
+ &an2ln
+};
+
+static uintptr_t
+an2ln_get_instance(const char *libname)
+{
+ if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+/* Note that `context' here is actually a krb5_context value */
+krb5_error_code
+an2ln_plugin_load(heim_pcontext context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_an2ln_ftable * const **pplugins)
+{
+ *get_instance = an2ln_get_instance;
+ *num_plugins = sizeof(plugins) / sizeof(plugins[0]);
+ *pplugins = plugins;
+ return 0;
+}
.Ed
.Pp
An example kuserok plugin that rejects all requests follows. (Note that
@@ -210,8 +297,8 @@ there exists a built-in plugin with this functionality; see
.Bd -literal -offset indent
#include <krb5/kuserok_plugin.h>
-static krb5_error_code KRB5_CALLCONV
-reject_plug_init(krb5_context context, void **ctx)
+static krb5_error_code KRB5_CALLCONV
+reject_plug_init(heim_context context, void **ctx)
{
*ctx = NULL;
return 0;
@@ -232,12 +319,39 @@ reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule,
return 0;
}
-krb5plugin_kuserok_ftable kuserok = {
+static krb5plugin_kuserok_ftable kuserok = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
reject_plug_init,
reject_plug_fini,
reject_plug_kuserok,
};
+
+static const krb5plugin_kuserok_ftable *const plugins[] = {
+ &kuserok
+};
+
+static uintptr_t
+kuserok_get_instance(const char *libname)
+{
+ if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+krb5_error_code
+krb5_plugin_kuserok_plugin_load(
+ heim_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kuserok_ftable * const **pplugins)
+{
+ *krb5_instance = kuserok_get_instance;
+ *num_plugins = sizeof(plugins) / sizeof(plugins[0]);
+ *pplugins = plugins;
+ return 0;
+}
+
.Ed
.Sh SEE ALSO
.Xr krb5_plugin_register 3
diff --git a/lib/krb5/krb5-plugin.cat7 b/lib/krb5/krb5-plugin.cat7
deleted file mode 100644
index c691ebef47f1..000000000000
--- a/lib/krb5/krb5-plugin.cat7
+++ /dev/null
@@ -1,167 +0,0 @@
-KRB5-PLUGIN(7) BSD Miscellaneous Information Manual KRB5-PLUGIN(7)
-
-NAME
- krb5-plugin -- plugin interface for Heimdal
-
-SYNOPSIS
- #include <krb5.h>
- #include <krb5/an2ln_plugin.h>
- #include <krb5/ccache_plugin.h>
- #include <krb5/db_plugin.h>
- #include <krb5/kuserok_plugin.h>
- #include <krb5/locate_plugin.h>
- #include <krb5/send_to_kdc_plugin.h>
-
-DESCRIPTION
- Heimdal has a plugin interface. Plugins may be statically linked into
- Heimdal and registered via the krb5_plugin_register(3) function, or they
- may be dynamically loaded from shared objects present in the Heimdal
- plugins directories.
-
- Plugins consist of a C struct whose struct name is given in the associ-
- ated header file, such as, for example, krb5plugin_kuserok_ftable and a
- pointer to which is either registered via krb5_plugin_register(3) or
- found in a shared object via a symbol lookup for the symbol name defined
- in the associated header file (e.g., "kuserok" for the plugin for
- krb5_kuserok(3) ).
-
- The plugin structs for all plugin types always begin with the same three
- common fields:
- 1. minor_version , an int. Plugin minor versions are defined in each
- plugin type's associated header file.
- 2. init , a pointer to a function with two arguments, a krb5_context
- and a void **, returning a krb5_error_code. This function will be
- called to initialize a plugin-specific context in the form of a void
- * that will be output through the init function's second argument.
- 3. fini , a pointer to a function of one argument, a void *, consisting
- of the plugin's context to be destroyed, and returning void.
-
- Each plugin type must add zero or more fields to this struct following
- the above three. Plugins are typically invoked in no particular order
- until one succeeds or fails, or all return a special return value such as
- KRB5_PLUGIN_NO_HANDLE to indicate that the plugin was not applicable.
- Most plugin types obtain deterministic plugin behavior in spite of the
- non-deterministic invocation order by, for example, invoking all plugins
- for each "rule" and passing the rule to each plugin with the expectation
- that just one plugin will match any given rule.
-
- There is a database plugin system intended for many of the uses of data-
- bases in Heimdal. The plugin is expected to call heim_db_register(3)
- from its init entry point to register a DB type. The DB plugin's fini
- function must do nothing, and the plugin must not provide any other entry
- points.
-
- The krb5_kuserok plugin adds a single field to its struct: a pointer to a
- function that implements kuserok functionality with the following form:
-
- static krb5_error_code
- kuserok(void *plug_ctx, krb5_context context, const char *rule,
- unsigned int flags, const char *k5login_dir,
- const char *luser, krb5_const_principal principal,
- krb5_boolean *result)
-
- The luser , principal and result arguments are self-explanatory (see
- krb5_kuserok(3) ). The plug_ctx argument is the context output by the
- plugin's init function. The rule argument is a kuserok rule from the
- krb5.conf file; each plugin is invoked once for each rule until all plug-
- ins fail or one succeeds. The k5login_dir argument provides an alterna-
- tive k5login file location, if not NULL. The flags argument indicates
- whether the plugin may call krb5_aname_to_localname(3)
- (KUSEROK_ANAME_TO_LNAME_OK), and whether k5login databases are expected
- to be authoritative (KUSEROK_K5LOGIN_IS_AUTHORITATIVE).
-
- The plugin for krb5_aname_to_localname(3) is named "an2ln" and has a sin-
- gle extra field for the plugin struct:
-
- typedef krb5_error_code (*set_result_f)(void *, const char *);
-
- static krb5_error_code
- an2ln(void *plug_ctx, krb5_context context, const char *rule,
- krb5_const_principal aname, set_result_f set_res_f, void *set_res_ctx)
-
- The arguments for the an2ln plugin are similar to those of the kuserok
- plugin, but the result, being a string, is set by calling the set_res_f
- function argument with the set_res_ctx and result string as arguments.
- The set_res_f function will make a copy of the string.
-
-FILES
- libdir/plugin/krb5/*
- Shared objects containing plugins for Heimdal.
-
-EXAMPLES
- An example an2ln plugin that maps principals to a constant "nouser" fol-
- lows:
-
- #include <krb5/an2ln_plugin.h>
-
- static krb5_error_code KRB5_CALLCONV
- nouser_plug_init(krb5_context context, void **ctx)
- {
- *ctx = NULL;
- return 0;
- }
-
- static void KRB5_CALLCONV nouser_plug_fini(void *ctx) { }
-
- static krb5_error_code KRB5_CALLCONV
- nouser_plug_an2ln(void *plug_ctx, krb5_context context,
- const char *rule,
- krb5_const_principal aname,
- set_result_f set_res_f, void *set_res_ctx)
- {
- krb5_error_code ret;
-
- if (strcmp(rule, "NOUSER") != 0)
- return KRB5_PLUGIN_NO_HANDLE;
-
- ret = set_res_f(set_res_ctx, "nouser");
-
- return ret;
- }
-
- krb5plugin_an2ln_ftable an2ln = {
- KRB5_PLUGIN_AN2LN_VERSION_0,
- nouser_plug_init,
- nouser_plug_fini,
- nouser_plug_an2ln,
- };
-
- An example kuserok plugin that rejects all requests follows. (Note that
- there exists a built-in plugin with this functionality; see
- krb5_kuserok(3) ).
-
- #include <krb5/kuserok_plugin.h>
-
- static krb5_error_code KRB5_CALLCONV
- reject_plug_init(krb5_context context, void **ctx)
- {
- *ctx = NULL;
- return 0;
- }
-
- static void KRB5_CALLCONV reject_plug_fini(void *ctx) { }
-
- static krb5_error_code KRB5_CALLCONV
- reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule,
- unsigned int flags, const char *k5login_dir,
- const char *luser, krb5_const_principal principal,
- krb5_boolean *result)
- {
- if (strcmp(rule, "REJECT") != 0)
- return KRB5_PLUGIN_NO_HANDLE;
-
- *result = FALSE;
- return 0;
- }
-
- krb5plugin_kuserok_ftable kuserok = {
- KRB5_PLUGIN_KUSEROK_VERSION_0,
- reject_plug_init,
- reject_plug_fini,
- reject_plug_kuserok,
- };
-
-SEE ALSO
- krb5_plugin_register(3) krb5_kuserok(3) krb5_aname_to_localname(3)
-
-HEIMDAL December 21, 2011 HEIMDAL
diff --git a/lib/krb5/krb5-private.h b/lib/krb5/krb5-private.h
deleted file mode 100644
index 79bd27e9397f..000000000000
--- a/lib/krb5/krb5-private.h
+++ /dev/null
@@ -1,733 +0,0 @@
-/* This is a generated file */
-#ifndef __krb5_private_h__
-#define __krb5_private_h__
-
-#include <stdarg.h>
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-#ifndef KRB5_DEPRECATED_FUNCTION
-#ifndef __has_extension
-#define __has_extension(x) 0
-#define KRB5_DEPRECATED_FUNCTIONhas_extension 1
-#endif
-#if __has_extension(attribute_deprecated_with_message)
-#define KRB5_DEPRECATED_FUNCTION(x) __attribute__((__deprecated__(x)))
-#elif defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define KRB5_DEPRECATED_FUNCTION(X) __attribute__((__deprecated__))
-#else
-#define KRB5_DEPRECATED_FUNCTION(X)
-#endif
-#ifdef KRB5_DEPRECATED_FUNCTIONhas_extension
-#undef __has_extension
-#undef KRB5_DEPRECATED_FUNCTIONhas_extension
-#endif
-#endif /* KRB5_DEPRECATED_FUNCTION */
-
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_heim_krb5_ipc_client_clear_target (void);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_heim_krb5_ipc_client_set_target_uid (uid_t /*uid*/);
-
-void
-_krb5_DES3_random_to_key (
- krb5_context /*context*/,
- krb5_keyblock */*key*/,
- const void */*data*/,
- size_t /*size*/);
-
-krb5_error_code
-_krb5_HMAC_MD5_checksum (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- Checksum */*result*/);
-
-krb5_error_code
-_krb5_SP800_108_HMAC_KDF (
- krb5_context /*context*/,
- const krb5_data */*kdf_K1*/,
- const krb5_data */*kdf_label*/,
- const krb5_data */*kdf_context*/,
- const EVP_MD */*md*/,
- krb5_data */*kdf_K0*/);
-
-krb5_error_code
-_krb5_SP_HMAC_SHA1_checksum (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- Checksum */*result*/);
-
-krb5_error_code
-_krb5_aes_sha2_md_for_enctype (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const EVP_MD **/*md*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_build_authenticator (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_enctype /*enctype*/,
- krb5_creds */*cred*/,
- Checksum */*cksum*/,
- krb5_data */*result*/,
- krb5_key_usage /*usage*/);
-
-krb5_error_code
-_krb5_build_authpack_subjectPK_EC (
- krb5_context /*context*/,
- krb5_pk_init_ctx /*ctx*/,
- AuthPack */*a*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_cc_allocate (
- krb5_context /*context*/,
- const krb5_cc_ops */*ops*/,
- krb5_ccache */*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_config_copy (
- krb5_context /*context*/,
- krb5_config_section */*c*/,
- krb5_config_section **/*head*/);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*type*/,
- ...);
-
-KRB5_LIB_FUNCTION krb5_config_section * KRB5_LIB_CALL
-_krb5_config_get_entry (
- krb5_config_section **/*parent*/,
- const char */*name*/,
- int /*type*/);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_get_next (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const krb5_config_binding **/*pointer*/,
- int /*type*/,
- ...);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*type*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
-_krb5_config_vget_next (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const krb5_config_binding **/*pointer*/,
- int /*type*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_copy_send_to_kdc_func (
- krb5_context /*context*/,
- krb5_context /*to*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_crc_init_table (void);
-
-KRB5_LIB_FUNCTION uint32_t KRB5_LIB_CALL
-_krb5_crc_update (
- const char */*p*/,
- size_t /*len*/,
- uint32_t /*res*/);
-
-void KRB5_LIB_FUNCTION
-_krb5_debug (
- krb5_context /*context*/,
- int /*level*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_debug_backtrace (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_derive_key (
- krb5_context /*context*/,
- struct _krb5_encryption_type */*et*/,
- struct _krb5_key_data */*key*/,
- const void */*constant*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_des_checksum (
- krb5_context /*context*/,
- const EVP_MD */*evp_md*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- Checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_des_verify (
- krb5_context /*context*/,
- const EVP_MD */*evp_md*/,
- struct _krb5_key_data */*key*/,
- const void */*data*/,
- size_t /*len*/,
- Checksum */*C*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_dh_group_ok (
- krb5_context /*context*/,
- unsigned long /*bits*/,
- heim_integer */*p*/,
- heim_integer */*g*/,
- heim_integer */*q*/,
- struct krb5_dh_moduli **/*moduli*/,
- char **/*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_einval (
- krb5_context /*context*/,
- const char */*func*/,
- unsigned long /*argn*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_enctype_requires_random_salt (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_erase_file (
- krb5_context /*context*/,
- const char */*filename*/);
-
-void
-_krb5_evp_cleanup (
- krb5_context /*context*/,
- struct _krb5_key_data */*kd*/);
-
-krb5_error_code
-_krb5_evp_encrypt (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- void */*data*/,
- size_t /*len*/,
- krb5_boolean /*encryptp*/,
- int /*usage*/,
- void */*ivec*/);
-
-krb5_error_code
-_krb5_evp_encrypt_cts (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- void */*data*/,
- size_t /*len*/,
- krb5_boolean /*encryptp*/,
- int /*usage*/,
- void */*ivec*/);
-
-void
-_krb5_evp_schedule (
- krb5_context /*context*/,
- struct _krb5_key_type */*kt*/,
- struct _krb5_key_data */*kd*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_expand_default_cc_name (
- krb5_context /*context*/,
- const char */*str*/,
- char **/*res*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_expand_path_tokens (
- krb5_context /*context*/,
- const char */*path_in*/,
- int /*filepath*/,
- char **/*ppath_out*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_expand_path_tokensv (
- krb5_context /*context*/,
- const char */*path_in*/,
- int /*filepath*/,
- char **/*ppath_out*/,
- ...);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_extract_ticket (
- krb5_context /*context*/,
- krb5_kdc_rep */*rep*/,
- krb5_creds */*creds*/,
- krb5_keyblock */*key*/,
- krb5_const_pointer /*keyseed*/,
- krb5_key_usage /*key_usage*/,
- krb5_addresses */*addrs*/,
- unsigned /*nonce*/,
- unsigned /*flags*/,
- krb5_data */*request*/,
- krb5_decrypt_proc /*decrypt_proc*/,
- krb5_const_pointer /*decryptarg*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_fast_armor_key (
- krb5_context /*context*/,
- krb5_keyblock */*subkey*/,
- krb5_keyblock */*sessionkey*/,
- krb5_keyblock */*armorkey*/,
- krb5_crypto */*armor_crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_fast_cf2 (
- krb5_context /*context*/,
- krb5_keyblock */*key1*/,
- const char */*pepper1*/,
- krb5_keyblock */*key2*/,
- const char */*pepper2*/,
- krb5_keyblock */*armorkey*/,
- krb5_crypto */*armor_crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_find_capath (
- krb5_context /*context*/,
- const char */*client_realm*/,
- const char */*local_realm*/,
- const char */*server_realm*/,
- krb5_boolean /*use_hierarchical*/,
- char ***/*rpath*/,
- size_t */*npath*/);
-
-KRB5_LIB_FUNCTION struct _krb5_checksum_type * KRB5_LIB_CALL
-_krb5_find_checksum (krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION struct _krb5_encryption_type * KRB5_LIB_CALL
-_krb5_find_enctype (krb5_enctype /*type*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_capath (
- krb5_context /*context*/,
- char **/*capath*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_key_data (
- krb5_context /*context*/,
- struct _krb5_key_data */*key*/,
- struct _krb5_encryption_type */*et*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_krbhst_info (krb5_krbhst_info */*hi*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/);
-
-KRB5_LIB_FUNCTION void
-_krb5_free_name_canon_rules (
- krb5_context /*context*/,
- krb5_name_canon_rule /*rules*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_ad (
- krb5_context /*context*/,
- const AuthorizationData */*ad*/,
- krb5_keyblock */*sessionkey*/,
- int /*type*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_cred_kdc_any (
- krb5_context /*context*/,
- krb5_kdc_flags /*flags*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_principal /*impersonate_principal*/,
- Ticket */*second_ticket*/,
- krb5_creds **/*out_creds*/,
- krb5_creds ***/*ret_tgts*/);
-
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_get_default_cc_name_from_registry (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-_krb5_get_default_config_config_files_from_registry (void);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_default_principal_local (
- krb5_context /*context*/,
- krb5_principal */*princ*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_host_realm_int (
- krb5_context /*context*/,
- const char */*host*/,
- krb5_boolean /*use_dns*/,
- krb5_realm **/*realms*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_get_init_creds_opt_free_pkinit (krb5_get_init_creds_opt */*opt*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_get_int (
- void */*buffer*/,
- unsigned long */*value*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_get_int64 (
- void */*buffer*/,
- uint64_t */*value*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_get_krbtgt (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_realm /*realm*/,
- krb5_creds **/*cred*/);
-
-KRB5_LIB_FUNCTION krb5_error_code
-_krb5_get_name_canon_rules (
- krb5_context /*context*/,
- krb5_name_canon_rule */*rules*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_have_debug (
- krb5_context /*context*/,
- int /*level*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_homedir_access (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_init_etype (
- krb5_context /*context*/,
- krb5_pdu /*pdu_type*/,
- unsigned */*len*/,
- krb5_enctype **/*val*/,
- const krb5_enctype */*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_internal_hmac (
- krb5_context /*context*/,
- struct _krb5_checksum_type */*cm*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- struct _krb5_key_data */*keyblock*/,
- Checksum */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kcm_get_initial_ticket (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_principal /*server*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kcm_get_ticket (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_kdc_flags /*flags*/,
- krb5_enctype /*enctype*/,
- krb5_principal /*server*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_kcm_is_running (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kcm_noop (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kdc_retry (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- void */*data*/,
- const krb5_data */*reply*/,
- int */*action*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_krbhost_info_move (
- krb5_context /*context*/,
- krb5_krbhst_info */*from*/,
- krb5_krbhst_info **/*to*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-_krb5_krbhst_get_realm (krb5_krbhst_handle /*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_kt_principal_not_found (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- krb5_keytab /*id*/,
- krb5_const_principal /*principal*/,
- krb5_enctype /*enctype*/,
- int /*kvno*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_kuserok (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- const char */*luser*/,
- krb5_boolean /*an2ln_ok*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_load_ccache_plugins (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_load_db_plugins (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_load_plugins (
- krb5_context /*context*/,
- const char */*name*/,
- const char **/*paths*/);
-
-krb5_error_code
-_krb5_make_fast_ap_fxarmor (
- krb5_context /*context*/,
- krb5_ccache /*armor_ccache*/,
- krb5_data */*armor_value*/,
- krb5_keyblock */*armor_key*/,
- krb5_crypto */*armor_crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_mk_req_internal (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- krb5_data */*in_data*/,
- krb5_creds */*in_creds*/,
- krb5_data */*outbuf*/,
- krb5_key_usage /*checksum_usage*/,
- krb5_key_usage /*encrypt_usage*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_n_fold (
- const void */*str*/,
- size_t /*len*/,
- void */*key*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pac_sign (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- time_t /*authtime*/,
- krb5_principal /*principal*/,
- const krb5_keyblock */*server_key*/,
- const krb5_keyblock */*priv_key*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_parse_moduli (
- krb5_context /*context*/,
- const char */*file*/,
- struct krb5_dh_moduli ***/*moduli*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_parse_moduli_line (
- krb5_context /*context*/,
- const char */*file*/,
- int /*lineno*/,
- char */*p*/,
- struct krb5_dh_moduli **/*m*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_pk_cert_free (struct krb5_pk_cert */*cert*/);
-
-void
-_krb5_pk_eckey_free (void */*eckey*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_kdf (
- krb5_context /*context*/,
- const struct AlgorithmIdentifier */*ai*/,
- const void */*dhdata*/,
- size_t /*dhsize*/,
- krb5_const_principal /*client*/,
- krb5_const_principal /*server*/,
- krb5_enctype /*enctype*/,
- const krb5_data */*as_req*/,
- const krb5_data */*pk_as_rep*/,
- const Ticket */*ticket*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_kx_confirm (
- krb5_context /*context*/,
- krb5_pk_init_ctx /*ctx*/,
- krb5_keyblock */*reply_key*/,
- krb5_keyblock */*session_key*/,
- PA_DATA */*pa_pkinit_kx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_load_id (
- krb5_context /*context*/,
- struct krb5_pk_identity **/*ret_id*/,
- const char */*user_id*/,
- const char */*anchor_id*/,
- char * const */*chain_list*/,
- char * const */*revoke_list*/,
- krb5_prompter_fct /*prompter*/,
- void */*prompter_data*/,
- char */*password*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_mk_ContentInfo (
- krb5_context /*context*/,
- const krb5_data */*buf*/,
- const heim_oid */*oid*/,
- struct ContentInfo */*content_info*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_mk_padata (
- krb5_context /*context*/,
- void */*c*/,
- int /*ic_flags*/,
- int /*win2k*/,
- const KDC_REQ_BODY */*req_body*/,
- unsigned /*nonce*/,
- METHOD_DATA */*md*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_octetstring2key (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- const void */*dhdata*/,
- size_t /*dhsize*/,
- const heim_octet_string */*c_n*/,
- const heim_octet_string */*k_n*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_pk_rd_pa_reply (
- krb5_context /*context*/,
- const char */*realm*/,
- void */*c*/,
- krb5_enctype /*etype*/,
- const krb5_krbhst_info */*hi*/,
- unsigned /*nonce*/,
- const krb5_data */*req_buffer*/,
- PA_DATA */*pa*/,
- krb5_keyblock **/*key*/);
-
-krb5_error_code
-_krb5_pk_rd_pa_reply_ecdh_compute_key (
- krb5_context /*context*/,
- krb5_pk_init_ctx /*ctx*/,
- const unsigned char */*in*/,
- size_t /*in_sz*/,
- unsigned char **/*out*/,
- int */*out_sz*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_plugin_find (
- krb5_context /*context*/,
- enum krb5_plugin_type /*type*/,
- const char */*name*/,
- struct krb5_plugin **/*list*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_plugin_free (struct krb5_plugin */*list*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_plugin_run_f (
- krb5_context /*context*/,
- const char */*module*/,
- const char */*name*/,
- int /*min_version*/,
- int /*flags*/,
- void */*userctx*/,
- krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_principal2principalname (
- PrincipalName */*p*/,
- const krb5_principal /*from*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-_krb5_principal_compare_PrincipalName (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- PrincipalName */*princ2*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_principalname2krb5_principal (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- const PrincipalName /*from*/,
- const Realm /*realm*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-_krb5_put_int (
- void */*buffer*/,
- uint64_t /*value*/,
- size_t /*size*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_s4u2self_to_checksumdata (
- krb5_context /*context*/,
- const PA_S4U2Self */*self*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_sendto_ctx_set_krb5hst (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- krb5_krbhst_handle /*handle*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_sendto_ctx_set_prexmit (
- krb5_sendto_ctx /*ctx*/,
- krb5_sendto_prexmit /*prexmit*/,
- void */*data*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_set_default_cc_name_to_registry (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_unload_plugins (
- krb5_context /*context*/,
- const char */*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_usage2arcfour (
- krb5_context /*context*/,
- unsigned */*usage*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_xlock (
- krb5_context /*context*/,
- int /*fd*/,
- krb5_boolean /*exclusive*/,
- const char */*filename*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_xor8 (
- unsigned char */*a*/,
- const unsigned char */*b*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_xunlock (
- krb5_context /*context*/,
- int /*fd*/);
-
-#undef KRB5_DEPRECATED_FUNCTION
-#define KRB5_DEPRECATED_FUNCTION(X)
-
-#endif /* __krb5_private_h__ */
diff --git a/lib/krb5/krb5-protos.h b/lib/krb5/krb5-protos.h
deleted file mode 100644
index fb2e0eabe140..000000000000
--- a/lib/krb5/krb5-protos.h
+++ /dev/null
@@ -1,9301 +0,0 @@
-/* This is a generated file */
-#ifndef __krb5_protos_h__
-#define __krb5_protos_h__
-#ifndef DOXY
-
-#include <stdarg.h>
-
-#if !defined(__GNUC__) && !defined(__attribute__)
-#define __attribute__(x)
-#endif
-
-#ifndef KRB5_DEPRECATED_FUNCTION
-#ifndef __has_extension
-#define __has_extension(x) 0
-#define KRB5_DEPRECATED_FUNCTIONhas_extension 1
-#endif
-#if __has_extension(attribute_deprecated_with_message)
-#define KRB5_DEPRECATED_FUNCTION(x) __attribute__((__deprecated__(x)))
-#elif defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define KRB5_DEPRECATED_FUNCTION(X) __attribute__((__deprecated__))
-#else
-#define KRB5_DEPRECATED_FUNCTION(X)
-#endif
-#ifdef KRB5_DEPRECATED_FUNCTIONhas_extension
-#undef __has_extension
-#undef KRB5_DEPRECATED_FUNCTIONhas_extension
-#endif
-#endif /* KRB5_DEPRECATED_FUNCTION */
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#ifndef KRB5_LIB
-#ifndef KRB5_LIB_FUNCTION
-#if defined(_WIN32)
-#define KRB5_LIB_FUNCTION __declspec(dllimport)
-#define KRB5_LIB_CALL __stdcall
-#define KRB5_LIB_VARIABLE __declspec(dllimport)
-#else
-#define KRB5_LIB_FUNCTION
-#define KRB5_LIB_CALL
-#define KRB5_LIB_VARIABLE
-#endif
-#endif
-#endif
-/**
- * Convert the v5 credentials in in_cred to v4-dito in v4creds. This
- * is done by sending them to the 524 function in the KDC. If
- * `in_cred' doesn't contain a DES session key, then a new one is
- * gotten from the KDC and stored in the cred cache `ccache'.
- *
- * @param context Kerberos 5 context.
- * @param in_cred the credential to convert
- * @param v4creds the converted credential
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_v4compat
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb524_convert_creds_kdc (
- krb5_context /*context*/,
- krb5_creds */*in_cred*/,
- struct credentials */*v4creds*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Convert the v5 credentials in in_cred to v4-dito in v4creds,
- * check the credential cache ccache before checking with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param ccache credential cache used to check for des-ticket.
- * @param in_cred the credential to convert
- * @param v4creds the converted credential
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_v4compat
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb524_convert_creds_kdc_ccache (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_cred*/,
- struct credentials */*v4creds*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Log a warning to the log, default stderr, include the error from
- * the last failure and then abort.
- *
- * @param context A Kerberos 5 context
- * @param code error code of the last error
- * @param fmt message to print
- * @param ... arguments for format string
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_abort (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)));
-
-/**
- * Log a warning to the log, default stderr, and then abort.
- *
- * @param context A Kerberos 5 context
- * @param fmt printf format string of message to print
- * @param ... arguments for format string
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_abortx (
- krb5_context /*context*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 2, 3)));
-
-/**
- * krb5_acl_match_file matches ACL format against each line in a file
- * using krb5_acl_match_string(). Lines starting with # are treated
- * like comments and ignored.
- *
- * @param context Kerberos 5 context.
- * @param file file with acl listed in the file.
- * @param format format to match.
- * @param ... parameter to format string.
- *
- * @return Return an error code or 0.
- *
- * @sa krb5_acl_match_string
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_acl_match_file (
- krb5_context /*context*/,
- const char */*file*/,
- const char */*format*/,
- ...);
-
-/**
- * krb5_acl_match_string matches ACL format against a string.
- *
- * The ACL format has three format specifiers: s, f, and r. Each
- * specifier will retrieve one argument from the variable arguments
- * for either matching or storing data. The input string is split up
- * using " " (space) and "\t" (tab) as a delimiter; multiple and "\t"
- * in a row are considered to be the same.
- *
- * List of format specifiers:
- * - s Matches a string using strcmp(3) (case sensitive).
- * - f Matches the string with fnmatch(3). Theflags
- * argument (the last argument) passed to the fnmatch function is 0.
- * - r Returns a copy of the string in the char ** passed in; the copy
- * must be freed with free(3). There is no need to free(3) the
- * string on error: the function will clean up and set the pointer
- * to NULL.
- *
- * @param context Kerberos 5 context
- * @param string string to match with
- * @param format format to match
- * @param ... parameter to format string
- *
- * @return Return an error code or 0.
- *
- *
- * @code
- * char *s;
- *
- * ret = krb5_acl_match_string(context, "foo", "s", "foo");
- * if (ret)
- * krb5_errx(context, 1, "acl didn't match");
- * ret = krb5_acl_match_string(context, "foo foo baz/kaka",
- * "ss", "foo", &s, "foo/\\*");
- * if (ret) {
- * // no need to free(s) on error
- * assert(s == NULL);
- * krb5_errx(context, 1, "acl didn't match");
- * }
- * free(s);
- * @endcode
- *
- * @sa krb5_acl_match_file
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_acl_match_string (
- krb5_context /*context*/,
- const char */*string*/,
- const char */*format*/,
- ...);
-
-/**
- * Add a specified list of error messages to the et list in context.
- * Call func (probably a comerr-generated function) with a pointer to
- * the current et_list.
- *
- * @param context A kerberos context.
- * @param func The generated com_err et function.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_et_list (
- krb5_context /*context*/,
- void (*/*func*/)(struct et_list **));
-
-/**
- * Add extra address to the address list that the library will add to
- * the client's address list when communicating with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to add
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_extra_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-/**
- * Add extra addresses to ignore when fetching addresses from the
- * underlaying operating system.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to ignore
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_add_ignore_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addlog_dest (
- krb5_context /*context*/,
- krb5_log_facility */*f*/,
- const char */*orig*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addlog_func (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*min*/,
- int /*max*/,
- krb5_log_log_func_t /*log_func*/,
- krb5_log_close_func_t /*close_func*/,
- void */*data*/);
-
-/**
- * krb5_addr2sockaddr sets the "struct sockaddr sockaddr" from addr
- * and port. The argument sa_size should initially contain the size of
- * the sa and after the call, it will contain the actual length of the
- * address. In case of the sa is too small to fit the whole address,
- * the up to *sa_size will be stored, and then *sa_size will be set to
- * the required length.
- *
- * @param context a Keberos context
- * @param addr the address to copy the from
- * @param sa the struct sockaddr that will be filled in
- * @param sa_size pointer to length of sa, and after the call, it will
- * contain the actual length of the address.
- * @param port set port in sa.
- *
- * @return Return an error code or 0. Will return
- * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addr2sockaddr (
- krb5_context /*context*/,
- const krb5_address */*addr*/,
- struct sockaddr */*sa*/,
- krb5_socklen_t */*sa_size*/,
- int /*port*/);
-
-/**
- * krb5_address_compare compares the addresses addr1 and addr2.
- * Returns TRUE if the two addresses are the same.
- *
- * @param context a Keberos context
- * @param addr1 address to compare
- * @param addr2 address to compare
- *
- * @return Return an TRUE is the address are the same FALSE if not
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_address_compare (
- krb5_context /*context*/,
- const krb5_address */*addr1*/,
- const krb5_address */*addr2*/);
-
-/**
- * krb5_address_order compares the addresses addr1 and addr2 so that
- * it can be used for sorting addresses. If the addresses are the same
- * address krb5_address_order will return 0. Behavies like memcmp(2).
- *
- * @param context a Keberos context
- * @param addr1 krb5_address to compare
- * @param addr2 krb5_address to compare
- *
- * @return < 0 if address addr1 in "less" then addr2. 0 if addr1 and
- * addr2 is the same address, > 0 if addr2 is "less" then addr1.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_address_order (
- krb5_context /*context*/,
- const krb5_address */*addr1*/,
- const krb5_address */*addr2*/);
-
-/**
- * Calculate the boundary addresses of `inaddr'/`prefixlen' and store
- * them in `low' and `high'.
- *
- * @param context a Keberos context
- * @param inaddr address in prefixlen that the bondery searched
- * @param prefixlen width of boundery
- * @param low lowest address
- * @param high highest address
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_address_prefixlen_boundary (
- krb5_context /*context*/,
- const krb5_address */*inaddr*/,
- unsigned long /*prefixlen*/,
- krb5_address */*low*/,
- krb5_address */*high*/);
-
-/**
- * krb5_address_search checks if the address addr is a member of the
- * address set list addrlist .
- *
- * @param context a Keberos context.
- * @param addr address to search for.
- * @param addrlist list of addresses to look in for addr.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_address_search (
- krb5_context /*context*/,
- const krb5_address */*addr*/,
- const krb5_addresses */*addrlist*/);
-
-/**
- * Enable or disable all weak encryption types
- *
- * @param context Kerberos 5 context
- * @param enable true to enable, false to disable
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_allow_weak_crypto (
- krb5_context /*context*/,
- krb5_boolean /*enable*/);
-
-/**
- * Map a principal name to a local username.
- *
- * Returns 0 on success, KRB5_NO_LOCALNAME if no mapping was found, or
- * some Kerberos or system error.
- *
- * Inputs:
- *
- * @param context A krb5_context
- * @param aname A principal name
- * @param lnsize The size of the buffer into which the username will be written
- * @param lname The buffer into which the username will be written
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_aname_to_localname (
- krb5_context /*context*/,
- krb5_const_principal /*aname*/,
- size_t /*lnsize*/,
- char */*lname*/);
-
-/**
- * krb5_anyaddr fills in a "struct sockaddr sa" that can be used to
- * bind(2) to. The argument sa_size should initially contain the size
- * of the sa, and after the call, it will contain the actual length
- * of the address.
- *
- * @param context a Keberos context
- * @param af address family
- * @param sa sockaddr
- * @param sa_size lenght of sa.
- * @param port for to fill into sa.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_anyaddr (
- krb5_context /*context*/,
- int /*af*/,
- struct sockaddr */*sa*/,
- krb5_socklen_t */*sa_size*/,
- int /*port*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_appdefault_boolean (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- const char */*option*/,
- krb5_boolean /*def_val*/,
- krb5_boolean */*ret_val*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_appdefault_string (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- const char */*option*/,
- const char */*def_val*/,
- char **/*ret_val*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_appdefault_time (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- const char */*option*/,
- time_t /*def_val*/,
- time_t */*ret_val*/);
-
-/**
- * krb5_append_addresses adds the set of addresses in source to
- * dest. While copying the addresses, duplicates are also sorted out.
- *
- * @param context a Keberos context
- * @param dest destination of copy operation
- * @param source adresses that are going to be added to dest
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_append_addresses (
- krb5_context /*context*/,
- krb5_addresses */*dest*/,
- const krb5_addresses */*source*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_add_AuthorizationData (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int /*type*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_addflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*addflags*/,
- int32_t */*flags*/);
-
-/**
- * Deallocate an authentication context previously initialized with
- * krb5_auth_con_init().
- *
- * @param context A kerberos context.
- * @param auth_context The authentication context to be deallocated.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_free (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/);
-
-/**
- * Update the authentication context \a auth_context with the local
- * and remote addresses from socket \a fd, according to \a flags.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_genaddrs (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_socket_t /*fd*/,
- int /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_generatelocalsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getaddrs (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_address **/*local_addr*/,
- krb5_address **/*remote_addr*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getauthenticator (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_authenticator */*authenticator*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getcksumtype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_cksumtype */*cksumtype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getkeytype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keytype */*keytype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getlocalseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getlocalsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getrcache (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_rcache */*rcache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getrecvsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getremoteseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getremotesubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_getsendsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock **/*keyblock*/);
-
-/**
- * Allocate and initialize an autentication context.
- *
- * @param context A kerberos context.
- * @param auth_context The authentication context to be initialized.
- *
- * Use krb5_auth_con_free() to release the memory when done using the context.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_init (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_removeflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*removeflags*/,
- int32_t */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setaddrs (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_address */*local_addr*/,
- krb5_address */*remote_addr*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setaddrs_from_fd (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- void */*p_fd*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setcksumtype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_cksumtype /*cksumtype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setflags (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setkeytype (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keytype /*keytype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setlocalseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setlocalsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setrcache (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_rcache /*rcache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setrecvsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setremoteseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t /*seqnumber*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setremotesubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setsendsubkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_con_setuserkey (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Deprecated: use krb5_auth_con_getremoteseqnumber()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_auth_getremoteseqnumber (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- int32_t */*seqnumber*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_ap_req (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_creds */*cred*/,
- krb5_flags /*ap_options*/,
- krb5_data /*authenticator*/,
- krb5_data */*retdata*/);
-
-/**
- * Build a principal using vararg style building
- *
- * @param context A Kerberos context.
- * @param principal returned principal
- * @param rlen length of realm
- * @param realm realm name
- * @param ... a list of components ended with NULL.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- ...);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal_ext (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- ...);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal_va (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- va_list /*ap*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_build_principal_va_ext (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- int /*rlen*/,
- krb5_const_realm /*realm*/,
- va_list /*ap*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_block_size (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- size_t */*blocksize*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_checksum_length (
- krb5_context /*context*/,
- krb5_cksumtype /*cksumtype*/,
- size_t */*length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_decrypt (
- krb5_context /*context*/,
- const krb5_keyblock /*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*ivec*/,
- krb5_enc_data */*input*/,
- krb5_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_encrypt (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*ivec*/,
- const krb5_data */*input*/,
- krb5_enc_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_encrypt_length (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- size_t /*inputlen*/,
- size_t */*length*/);
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_enctype_compare (
- krb5_context /*context*/,
- krb5_enctype /*e1*/,
- krb5_enctype /*e2*/,
- krb5_boolean */*similar*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_get_checksum (
- krb5_context /*context*/,
- const krb5_checksum */*cksum*/,
- krb5_cksumtype */*type*/,
- krb5_data **/*data*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_is_coll_proof_cksum (krb5_cksumtype /*ctype*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_is_keyed_cksum (krb5_cksumtype /*ctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_keylengths (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- size_t */*ilen*/,
- size_t */*keylen*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_make_checksum (
- krb5_context /*context*/,
- krb5_cksumtype /*cksumtype*/,
- const krb5_keyblock */*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*input*/,
- krb5_checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_make_random_key (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_keyblock */*random_key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_prf (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- const krb5_data */*input*/,
- krb5_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_prf_length (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_random_make_octets (
- krb5_context /*context*/,
- krb5_data * /*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_set_checksum (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/,
- krb5_cksumtype /*type*/,
- const krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_valid_cksumtype (krb5_cksumtype /*ctype*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_c_valid_enctype (krb5_enctype /*etype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_c_verify_checksum (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_keyusage /*usage*/,
- const krb5_data */*data*/,
- const krb5_checksum */*cksum*/,
- krb5_boolean */*valid*/);
-
-/**
- * Destroy the cursor `cursor'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_end_seq_get (
- krb5_context /*context*/,
- krb5_cc_cache_cursor /*cursor*/);
-
-/**
- * Start iterating over all caches of specified type. See also
- * krb5_cccol_cursor_new().
-
- * @param context A Kerberos 5 context
- * @param type optional type to iterate over, if NULL, the default cache is used.
- * @param cursor cursor should be freed with krb5_cc_cache_end_seq_get().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_get_first (
- krb5_context /*context*/,
- const char */*type*/,
- krb5_cc_cache_cursor */*cursor*/);
-
-/**
- * Search for a matching credential cache that have the
- * `principal' as the default principal. On success, `id' needs to be
- * freed with krb5_cc_close() or krb5_cc_destroy().
- *
- * @param context A Kerberos 5 context
- * @param client The principal to search for
- * @param id the returned credential cache
- *
- * @return On failure, error code is returned and `id' is set to NULL.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_match (
- krb5_context /*context*/,
- krb5_principal /*client*/,
- krb5_ccache */*id*/);
-
-/**
- * Retrieve the next cache pointed to by (`cursor') in `id'
- * and advance `cursor'.
- *
- * @param context A Kerberos 5 context
- * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
- * @param id next ccache
- *
- * @return Return 0 or an error code. Returns KRB5_CC_END when the end
- * of caches is reached, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_cache_next (
- krb5_context /*context*/,
- krb5_cc_cache_cursor /*cursor*/,
- krb5_ccache */*id*/);
-
-/**
- * Clear `mcreds' so it can be used with krb5_cc_retrieve_cred
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_cc_clear_mcred (krb5_creds */*mcred*/);
-
-/**
- * Stop using the ccache `id' and free the related resources.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_close (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Just like krb5_cc_copy_match_f(), but copy everything.
- *
- * @ingroup @krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_copy_cache (
- krb5_context /*context*/,
- const krb5_ccache /*from*/,
- krb5_ccache /*to*/);
-
-/**
- * MIT compat glue
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_copy_creds (
- krb5_context /*context*/,
- const krb5_ccache /*from*/,
- krb5_ccache /*to*/);
-
-/**
- * Copy the contents of `from' to `to' if the given match function
- * return true.
- *
- * @param context A Kerberos 5 context.
- * @param from the cache to copy data from.
- * @param to the cache to copy data to.
- * @param match a match function that should return TRUE if cred argument should be copied, if NULL, all credentials are copied.
- * @param matchctx context passed to match function.
- * @param matched set to true if there was a credential that matched, may be NULL.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_copy_match_f (
- krb5_context /*context*/,
- const krb5_ccache /*from*/,
- krb5_ccache /*to*/,
- krb5_boolean (*/*match*/)(krb5_context, void *, const krb5_creds *),
- void */*matchctx*/,
- unsigned int */*matched*/);
-
-/**
- * Open the default ccache in `id'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_default (
- krb5_context /*context*/,
- krb5_ccache */*id*/);
-
-/**
- * Return a pointer to a context static string containing the default
- * ccache name.
- *
- * @return String to the default credential cache name.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_cc_default_name (krb5_context /*context*/);
-
-/**
- * Remove the ccache `id'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_destroy (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Destroy the cursor `cursor'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_end_seq_get (
- krb5_context /*context*/,
- const krb5_ccache /*id*/,
- krb5_cc_cursor */*cursor*/);
-
-/**
- * Generate a new ccache of type `ops' in `id'.
- *
- * Deprecated: use krb5_cc_new_unique() instead.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_gen_new (
- krb5_context /*context*/,
- const krb5_cc_ops */*ops*/,
- krb5_ccache */*id*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Get some configuration for the credential cache in the cache.
- *
- * @param context a Keberos context
- * @param id the credential cache to store the data for
- * @param principal configuration for a specific principal, if
- * NULL, global for the whole cache.
- * @param name name under which the configuraion is stored.
- * @param data data to fetched, free with krb5_data_free()
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_config (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_const_principal /*principal*/,
- const char */*name*/,
- krb5_data */*data*/);
-
-/**
- * Get the flags of `id', store them in `flags'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_flags (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags */*flags*/);
-
-/**
- * Return a friendly name on credential cache. Free the result with krb5_xfree().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_friendly_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- char **/*name*/);
-
-/**
- * Return the complete resolvable name the cache
-
- * @param context a Keberos context
- * @param id return pointer to a found credential cache
- * @param str the returned name of a credential cache, free with krb5_xfree()
- *
- * @return Returns 0 or an error (and then *str is set to NULL).
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_full_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- char **/*str*/);
-
-/**
- * Get the time offset betwen the client and the KDC
- *
- * If the backend doesn't support KDC offset, use the context global setting.
- *
- * @param context A Kerberos 5 context.
- * @param id a credential cache
- * @param offset the offset in seconds
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_kdc_offset (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_deltat */*offset*/);
-
-/**
- * Get the lifetime of the initial ticket in the cache
- *
- * Get the lifetime of the initial ticket in the cache, if the initial
- * ticket was not found, the error code KRB5_CC_END is returned.
- *
- * @param context A Kerberos 5 context.
- * @param id a credential cache
- * @param t the relative lifetime of the initial ticket
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_lifetime (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- time_t */*t*/);
-
-/**
- * Return the name of the ccache `id'
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_cc_get_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Return krb5_cc_ops of a the ccache `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
-krb5_cc_get_ops (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Get the cc ops that is registered in `context' to handle the
- * prefix. prefix can be a complete credential cache name or a
- * prefix, the function will only use part up to the first colon (:)
- * if there is one. If prefix the argument is NULL, the default ccache
- * implemtation is returned.
- *
- * @return Returns NULL if ops not found.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
-krb5_cc_get_prefix_ops (
- krb5_context /*context*/,
- const char */*prefix*/);
-
-/**
- * Return the principal of `id' in `principal'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_principal (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_principal */*principal*/);
-
-/**
- * Return the type of the ccache `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_cc_get_type (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * Return the version of `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_get_version (
- krb5_context /*context*/,
- const krb5_ccache /*id*/);
-
-/**
- * Create a new ccache in `id' for `primary_principal'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_initialize (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_principal /*primary_principal*/);
-
-/**
- * Return the last time the credential cache was modified.
- *
- * @param context A Kerberos 5 context
- * @param id The credential cache to probe
- * @param mtime the last modification time, set to 0 on error.
-
- * @return Return 0 or and error. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_last_change_time (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_timestamp */*mtime*/);
-
-/**
- * Move the content from one credential cache to another. The
- * operation is an atomic switch.
- *
- * @param context a Keberos context
- * @param from the credential cache to move the content from
- * @param to the credential cache to move the content to
-
- * @return On sucess, from is freed. On failure, error code is
- * returned and from and to are both still allocated, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_move (
- krb5_context /*context*/,
- krb5_ccache /*from*/,
- krb5_ccache /*to*/);
-
-/**
- * Generates a new unique ccache of `type` in `id'. If `type' is NULL,
- * the library chooses the default credential cache type. The supplied
- * `hint' (that can be NULL) is a string that the credential cache
- * type can use to base the name of the credential on, this is to make
- * it easier for the user to differentiate the credentials.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_new_unique (
- krb5_context /*context*/,
- const char */*type*/,
- const char */*hint*/,
- krb5_ccache */*id*/);
-
-/**
- * Retrieve the next cred pointed to by (`id', `cursor') in `creds'
- * and advance `cursor'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_next_cred (
- krb5_context /*context*/,
- const krb5_ccache /*id*/,
- krb5_cc_cursor */*cursor*/,
- krb5_creds */*creds*/);
-
-/**
- * Add a new ccache type with operations `ops', overwriting any
- * existing one if `override'.
- *
- * @param context a Keberos context
- * @param ops type of plugin symbol
- * @param override flag to select if the registration is to overide
- * an existing ops with the same name.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_register (
- krb5_context /*context*/,
- const krb5_cc_ops */*ops*/,
- krb5_boolean /*override*/);
-
-/**
- * Remove the credential identified by `cred', `which' from `id'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_remove_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags /*which*/,
- krb5_creds */*cred*/);
-
-/**
- * Find and allocate a ccache in `id' from the specification in `residual'.
- * If the ccache name doesn't contain any colon, interpret it as a file name.
- *
- * @param context a Keberos context.
- * @param name string name of a credential cache.
- * @param id return pointer to a found credential cache.
- *
- * @return Return 0 or an error code. In case of an error, id is set
- * to NULL, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_resolve (
- krb5_context /*context*/,
- const char */*name*/,
- krb5_ccache */*id*/);
-
-/**
- * Retrieve the credential identified by `mcreds' (and `whichfields')
- * from `id' in `creds'. 'creds' must be free by the caller using
- * krb5_free_cred_contents.
- *
- * @param context A Kerberos 5 context
- * @param id a Kerberos 5 credential cache
- * @param whichfields what fields to use for matching credentials, same
- * flags as whichfields in krb5_compare_creds()
- * @param mcreds template credential to use for comparing
- * @param creds returned credential, free with krb5_free_cred_contents()
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_retrieve_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags /*whichfields*/,
- const krb5_creds */*mcreds*/,
- krb5_creds */*creds*/);
-
-/**
- * Store some configuration for the credential cache in the cache.
- * Existing configuration under the same name is over-written.
- *
- * @param context a Keberos context
- * @param id the credential cache to store the data for
- * @param principal configuration for a specific principal, if
- * NULL, global for the whole cache.
- * @param name name under which the configuraion is stored.
- * @param data data to store, if NULL, configure is removed.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_config (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_const_principal /*principal*/,
- const char */*name*/,
- krb5_data */*data*/);
-
-/**
- * Set the default cc name for `context' to `name'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_default_name (
- krb5_context /*context*/,
- const char */*name*/);
-
-/**
- * Set the flags of `id' to `flags'.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_flags (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_flags /*flags*/);
-
-/**
- * Set the friendly name on credential cache.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_friendly_name (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- const char */*name*/);
-
-/**
- * Set the time offset betwen the client and the KDC
- *
- * If the backend doesn't support KDC offset, use the context global setting.
- *
- * @param context A Kerberos 5 context.
- * @param id a credential cache
- * @param offset the offset in seconds
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_set_kdc_offset (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_deltat /*offset*/);
-
-/**
- * Start iterating over `id', `cursor' is initialized to the
- * beginning. Caller must free the cursor with krb5_cc_end_seq_get().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_start_seq_get (
- krb5_context /*context*/,
- const krb5_ccache /*id*/,
- krb5_cc_cursor */*cursor*/);
-
-/**
- * Store `creds' in the ccache `id'.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_store_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_creds */*creds*/);
-
-/**
- * Return true if the default credential cache support switch
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_cc_support_switch (
- krb5_context /*context*/,
- const char */*type*/);
-
-/**
- * Switch the default default credential cache for a specific
- * credcache type (and name for some implementations).
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cc_switch (
- krb5_context /*context*/,
- krb5_ccache /*id*/);
-
-/**
- * End an iteration and free all resources, can be done before end is reached.
- *
- * @param context A Kerberos 5 context
- * @param cursor the iteration cursor to be freed.
- *
- * @return Return 0 or and error, KRB5_CC_END is returned at the end
- * of iteration. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_cursor_free (
- krb5_context /*context*/,
- krb5_cccol_cursor */*cursor*/);
-
-/**
- * Get a new cache interation cursor that will interate over all
- * credentials caches independent of type.
- *
- * @param context a Keberos context
- * @param cursor passed into krb5_cccol_cursor_next() and free with krb5_cccol_cursor_free().
- *
- * @return Returns 0 or and error code, see krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_cursor_new (
- krb5_context /*context*/,
- krb5_cccol_cursor */*cursor*/);
-
-/**
- * Get next credential cache from the iteration.
- *
- * @param context A Kerberos 5 context
- * @param cursor the iteration cursor
- * @param cache the returned cursor, pointer is set to NULL on failure
- * and a cache on success. The returned cache needs to be freed
- * with krb5_cc_close() or destroyed with krb5_cc_destroy().
- * MIT Kerberos behavies slightly diffrent and sets cache to NULL
- * when all caches are iterated over and return 0.
- *
- * @return Return 0 or and error, KRB5_CC_END is returned at the end
- * of iteration. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_cursor_next (
- krb5_context /*context*/,
- krb5_cccol_cursor /*cursor*/,
- krb5_ccache */*cache*/);
-
-/**
- * Return the last modfication time for a cache collection. The query
- * can be limited to a specific cache type. If the function return 0
- * and mtime is 0, there was no credentials in the caches.
- *
- * @param context A Kerberos 5 context
- * @param type The credential cache to probe, if NULL, all type are traversed.
- * @param mtime the last modification time, set to 0 on error.
-
- * @return Return 0 or and error. See krb5_get_error_message().
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cccol_last_change_time (
- krb5_context /*context*/,
- const char */*type*/,
- krb5_timestamp */*mtime*/);
-
-/**
- * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
- *
- * @param context a Keberos context
- * @param creds
- * @param newpw
- * @param result_code
- * @param result_code_string
- * @param result_string
- *
- * @return On sucess password is changed.
-
- * @ingroup @krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_change_password (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- const char */*newpw*/,
- int */*result_code*/,
- krb5_data */*result_code_string*/,
- krb5_data */*result_string*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_check_transited (
- krb5_context /*context*/,
- krb5_const_realm /*client_realm*/,
- krb5_const_realm /*server_realm*/,
- krb5_realm */*realms*/,
- unsigned int /*num_realms*/,
- int */*bad_realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_check_transited_realms (
- krb5_context /*context*/,
- const char *const */*realms*/,
- unsigned int /*num_realms*/,
- int */*bad_realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_checksum_disable (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_checksum_free (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_checksum_is_collision_proof (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_checksum_is_keyed (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_checksumsize (
- krb5_context /*context*/,
- krb5_cksumtype /*type*/,
- size_t */*size*/);
-
-/**
- * Return the coresponding encryption type for a checksum type.
- *
- * @param context Kerberos context
- * @param ctype The checksum type to get the result enctype for
- * @param etype The returned encryption, when the matching etype is
- * not found, etype is set to ETYPE_NULL.
- *
- * @return Return an error code for an failure or 0 on success.
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cksumtype_to_enctype (
- krb5_context /*context*/,
- krb5_cksumtype /*ctype*/,
- krb5_enctype */*etype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_cksumtype_valid (
- krb5_context /*context*/,
- krb5_cksumtype /*ctype*/);
-
-/**
- * Clears the error message from the Kerberos 5 context.
- *
- * @param context The Kerberos 5 context to clear
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_clear_error_message (krb5_context /*context*/);
-
-/**
- * Clear the error message returned by krb5_get_error_string().
- *
- * Deprecated: use krb5_clear_error_message()
- *
- * @param context Kerberos context
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_clear_error_string (krb5_context /*context*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_closelog (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/);
-
-/**
- * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
- * determines what equal means).
- *
- *
- * The following flags, set in whichfields affects the comparison:
- * - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
- * - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
- * - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
- * - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
- * - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
- * - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
- * - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
- * - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
- * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
- *
- * @param context Kerberos 5 context.
- * @param whichfields which fields to compare.
- * @param mcreds cred to compare with.
- * @param creds cred to compare with.
- *
- * @return return TRUE if mcred and creds are equal, FALSE if not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_compare_creds (
- krb5_context /*context*/,
- krb5_flags /*whichfields*/,
- const krb5_creds * /*mcreds*/,
- const krb5_creds * /*creds*/);
-
-/**
- * Free configuration file section, the result of
- * krb5_config_parse_file() and krb5_config_parse_file_multi().
- *
- * @param context A Kerberos 5 context
- * @param s the configuration section to free
- *
- * @return returns 0 on successes, otherwise an error code, see
- * krb5_get_error_message()
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_file_free (
- krb5_context /*context*/,
- krb5_config_section */*s*/);
-
-/**
- * Free the resulting strings from krb5_config-get_strings() and
- * krb5_config_vget_strings().
- *
- * @param strings strings to free
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_config_free_strings (char **/*strings*/);
-
-/**
- * Like krb5_config_get_bool() but with a va_list list of
- * configuration selection.
- *
- * Configuration value to a boolean value, where yes/true and any
- * non-zero number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_get_bool (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * krb5_config_get_bool_default() will convert the configuration
- * option value to a boolean value, where yes/true and any non-zero
- * number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param ... a list of names, terminated with NULL.
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_get_bool_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- krb5_boolean /*def_value*/,
- ...);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_int_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- ...);
-
-/**
- * Get a list of configuration binding list for more processing
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return NULL if configuration list is not found, a list otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_get_list (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Returns a "const char *" to a string in the configuration database.
- * The string may not be valid after a reload of the configuration
- * database so a caller should make a local copy if it needs to keep
- * the string.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return NULL if configuration string not found, a string otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Like krb5_config_get_string(), but instead of returning NULL,
- * instead return a default value.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param ... a list of names, terminated with NULL.
- *
- * @return a configuration string
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_get_string_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const char */*def_value*/,
- ...);
-
-/**
- * Get a list of configuration strings, free the result with
- * krb5_config_free_strings().
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION char** KRB5_LIB_CALL
-krb5_config_get_strings (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Get the time from the configuration file using a relative time, for example: 1h30s
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param ... a list of names, terminated with NULL.
- *
- * @return parsed the time or -1 on error
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- ...);
-
-/**
- * Get the time from the configuration file using a relative time, for example: 1h30s
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param ... a list of names, terminated with NULL.
- *
- * @return parsed the time (or def_value on parse error)
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_get_time_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- ...);
-
-/**
- * If the fname starts with "~/" parse configuration file in the
- * current users home directory. The behavior can be disabled and
- * enabled by calling krb5_set_home_dir_access().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file (
- krb5_context /*context*/,
- const char */*fname*/,
- krb5_config_section **/*res*/);
-
-/**
- * Parse a configuration file and add the result into res. This
- * interface can be used to parse several configuration files into one
- * resulting krb5_config_section by calling it repeatably.
- *
- * @param context a Kerberos 5 context.
- * @param fname a file name to a Kerberos configuration file
- * @param res the returned result, must be free with krb5_free_config_files().
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_file_multi (
- krb5_context /*context*/,
- const char */*fname*/,
- krb5_config_section **/*res*/);
-
-/**
- * Deprecated: configuration files are not strings
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_config_parse_string_multi (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_config_section **/*res*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * krb5_config_get_bool() will convert the configuration
- * option value to a boolean value, where yes/true and any non-zero
- * number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Like krb5_config_get_bool_default() but with a va_list list of
- * configuration selection.
- *
- * Configuration value to a boolean value, where yes/true and any
- * non-zero number means TRUE and other value is FALSE.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param args a va_list of arguments
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_config_vget_bool_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- krb5_boolean /*def_value*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_int_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- va_list /*args*/);
-
-/**
- * Get a list of configuration binding list for more processing
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return NULL if configuration list is not found, a list otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
-krb5_config_vget_list (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Like krb5_config_get_string(), but uses a va_list instead of ...
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return NULL if configuration string not found, a string otherwise
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Like krb5_config_vget_string(), but instead of returning NULL,
- * instead return a default value.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param args a va_list of arguments
- *
- * @return a configuration string
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_config_vget_string_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- const char */*def_value*/,
- va_list /*args*/);
-
-/**
- * Get a list of configuration strings, free the result with
- * krb5_config_free_strings().
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return TRUE or FALSE
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION char ** KRB5_LIB_CALL
-krb5_config_vget_strings (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Get the time from the configuration file using a relative time, for example: 1h30s
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param args a va_list of arguments
- *
- * @return parsed the time or -1 on error
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- va_list /*args*/);
-
-/**
- * Get the time from the configuration file using a relative time.
- *
- * Like krb5_config_get_time_default() but with a va_list list of
- * configuration selection.
- *
- * @param context A Kerberos 5 context.
- * @param c a configuration section, or NULL to use the section from context
- * @param def_value the default value to return if no configuration
- * found in the database.
- * @param args a va_list of arguments
- *
- * @return parsed the time (or def_value on parse error)
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_config_vget_time_default (
- krb5_context /*context*/,
- const krb5_config_section */*c*/,
- int /*def_value*/,
- va_list /*args*/);
-
-/**
- * krb5_copy_address copies the content of address
- * inaddr to outaddr.
- *
- * @param context a Keberos context
- * @param inaddr pointer to source address
- * @param outaddr pointer to destination address
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_address (
- krb5_context /*context*/,
- const krb5_address */*inaddr*/,
- krb5_address */*outaddr*/);
-
-/**
- * krb5_copy_addresses copies the content of addresses
- * inaddr to outaddr.
- *
- * @param context a Keberos context
- * @param inaddr pointer to source addresses
- * @param outaddr pointer to destination addresses
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_addresses (
- krb5_context /*context*/,
- const krb5_addresses */*inaddr*/,
- krb5_addresses */*outaddr*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_checksum (
- krb5_context /*context*/,
- const krb5_checksum */*old*/,
- krb5_checksum **/*new*/);
-
-/**
- * Make a copy for the Kerberos 5 context, the new krb5_context shoud
- * be freed with krb5_free_context().
- *
- * @param context the Kerberos context to copy
- * @param out the copy of the Kerberos, set to NULL error.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_context (
- krb5_context /*context*/,
- krb5_context */*out*/);
-
-/**
- * Copy krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param incred source credential
- * @param outcred destination credential, free with krb5_free_creds().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_creds (
- krb5_context /*context*/,
- const krb5_creds */*incred*/,
- krb5_creds **/*outcred*/);
-
-/**
- * Copy content of krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param incred source credential
- * @param c destination credential, free with krb5_free_cred_contents().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_creds_contents (
- krb5_context /*context*/,
- const krb5_creds */*incred*/,
- krb5_creds */*c*/);
-
-/**
- * Copy the data into a newly allocated krb5_data.
- *
- * @param context Kerberos 5 context.
- * @param indata the krb5_data data to copy
- * @param outdata new krb5_date to copy too. Free with krb5_free_data().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_data (
- krb5_context /*context*/,
- const krb5_data */*indata*/,
- krb5_data **/*outdata*/);
-
-/**
- * Copy the list of realms from `from' to `to'.
- *
- * @param context Kerberos 5 context.
- * @param from list of realms to copy from.
- * @param to list of realms to copy to, free list of krb5_free_host_realm().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_host_realm (
- krb5_context /*context*/,
- const krb5_realm */*from*/,
- krb5_realm **/*to*/);
-
-/**
- * Copy a keyblock, free the output keyblock with
- * krb5_free_keyblock().
- *
- * @param context a Kerberos 5 context
- * @param inblock the key to copy
- * @param to the output key.
- *
- * @return 0 on success or a Kerberos 5 error code
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_keyblock (
- krb5_context /*context*/,
- const krb5_keyblock */*inblock*/,
- krb5_keyblock **/*to*/);
-
-/**
- * Copy a keyblock, free the output keyblock with
- * krb5_free_keyblock_contents().
- *
- * @param context a Kerberos 5 context
- * @param inblock the key to copy
- * @param to the output key.
- *
- * @return 0 on success or a Kerberos 5 error code
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_keyblock_contents (
- krb5_context /*context*/,
- const krb5_keyblock */*inblock*/,
- krb5_keyblock */*to*/);
-
-/**
- * Copy a principal
- *
- * @param context A Kerberos context.
- * @param inprinc principal to copy
- * @param outprinc copied principal, free with krb5_free_principal()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_principal (
- krb5_context /*context*/,
- krb5_const_principal /*inprinc*/,
- krb5_principal */*outprinc*/);
-
-/**
- * Copy ticket and content
- *
- * @param context a Kerberos 5 context
- * @param from ticket to copy
- * @param to new copy of ticket, free with krb5_free_ticket()
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_copy_ticket (
- krb5_context /*context*/,
- const krb5_ticket */*from*/,
- krb5_ticket **/*to*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_create_checksum (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_key_usage /*usage*/,
- int /*type*/,
- void */*data*/,
- size_t /*len*/,
- Checksum */*result*/);
-
-/**
- * Create a Kerberos message checksum.
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param type output data
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_create_checksum_iov (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/,
- krb5_cksumtype */*type*/);
-
-/**
- * Returns the ticket flags for the credentials in creds.
- * See also krb5_ticket_get_flags().
- *
- * @param creds credential to get ticket flags from
- *
- * @return ticket flags
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
-krb5_creds_get_ticket_flags (krb5_creds */*creds*/);
-
-/**
- * Free a crypto context created by krb5_crypto_init().
- *
- * @param context Kerberos context
- * @param crypto crypto context to free
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_destroy (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/);
-
-/**
- * The FX-CF2 key derivation function, used in FAST and preauth framework.
- *
- * @param context Kerberos 5 context
- * @param crypto1 first key to combine
- * @param crypto2 second key to combine
- * @param pepper1 factor to combine with first key to garante uniqueness
- * @param pepper2 factor to combine with second key to garante uniqueness
- * @param enctype the encryption type of the resulting key
- * @param res allocated key, free with krb5_free_keyblock_contents()
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_fx_cf2 (
- krb5_context /*context*/,
- const krb5_crypto /*crypto1*/,
- const krb5_crypto /*crypto2*/,
- krb5_data */*pepper1*/,
- krb5_data */*pepper2*/,
- krb5_enctype /*enctype*/,
- krb5_keyblock */*res*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_get_checksum_type (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_cksumtype */*type*/);
-
-/**
- * Return the blocksize used algorithm referenced by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param blocksize the resulting blocksize
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getblocksize (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t */*blocksize*/);
-
-/**
- * Return the confounder size used by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param confoundersize the returned confounder size
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getconfoundersize (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t */*confoundersize*/);
-
-/**
- * Return the encryption type used by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param enctype the resulting encryption type
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getenctype (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_enctype */*enctype*/);
-
-/**
- * Return the padding size used by the crypto context
- *
- * @param context Kerberos context
- * @param crypto crypto context to query
- * @param padsize the return padding size
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_getpadsize (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t */*padsize*/);
-
-/**
- * Create a crypto context used for all encryption and signature
- * operation. The encryption type to use is taken from the key, but
- * can be overridden with the enctype parameter. This can be useful
- * for encryptions types which is compatiable (DES for example).
- *
- * To free the crypto context, use krb5_crypto_destroy().
- *
- * @param context Kerberos context
- * @param key the key block information with all key data
- * @param etype the encryption type
- * @param crypto the resulting crypto context
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_init (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_enctype /*etype*/,
- krb5_crypto */*crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_length (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- int /*type*/,
- size_t */*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_length_iov (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/);
-
-KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
-krb5_crypto_overhead (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_prf (
- krb5_context /*context*/,
- const krb5_crypto /*crypto*/,
- const krb5_data */*input*/,
- krb5_data */*output*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_crypto_prf_length (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*length*/);
-
-/**
- * Allocate data of and krb5_data.
- *
- * @param p krb5_data to allocate.
- * @param len size to allocate.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_data_alloc (
- krb5_data */*p*/,
- int /*len*/);
-
-/**
- * Compare to data.
- *
- * @param data1 krb5_data to compare
- * @param data2 krb5_data to compare
- *
- * @return return the same way as memcmp(), useful when sorting.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_data_cmp (
- const krb5_data */*data1*/,
- const krb5_data */*data2*/);
-
-/**
- * Copy the data of len into the krb5_data.
- *
- * @param p krb5_data to copy into.
- * @param data data to copy..
- * @param len new size.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_data_copy (
- krb5_data */*p*/,
- const void */*data*/,
- size_t /*len*/);
-
-/**
- * Compare to data not exposing timing information from the checksum data
- *
- * @param data1 krb5_data to compare
- * @param data2 krb5_data to compare
- *
- * @return returns zero for same data, otherwise non zero.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_data_ct_cmp (
- const krb5_data */*data1*/,
- const krb5_data */*data2*/);
-
-/**
- * Free the content of krb5_data structure, its ok to free a zeroed
- * structure (with memset() or krb5_data_zero()). When done, the
- * structure will be zeroed. The same function is called
- * krb5_free_data_contents() in MIT Kerberos.
- *
- * @param p krb5_data to free.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_data_free (krb5_data */*p*/);
-
-/**
- * Grow (or shrink) the content of krb5_data to a new size.
- *
- * @param p krb5_data to free.
- * @param len new size.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_data_realloc (
- krb5_data */*p*/,
- int /*len*/);
-
-/**
- * Reset the (potentially uninitalized) krb5_data structure.
- *
- * @param p krb5_data to reset.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_data_zero (krb5_data */*p*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_Authenticator (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- Authenticator */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_ETYPE_INFO (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- ETYPE_INFO */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_ETYPE_INFO2 (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- ETYPE_INFO2 */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncAPRepPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncAPRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncASRepPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncASRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncKrbCredPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncKrbCredPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncTGSRepPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncTGSRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_EncTicketPart (
- krb5_context /*context*/,
- const void */*data*/,
- size_t /*length*/,
- EncTicketPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decode_ap_req (
- krb5_context /*context*/,
- const krb5_data */*inbuf*/,
- krb5_ap_req */*ap_req*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_EncryptedData (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- const EncryptedData */*e*/,
- krb5_data */*result*/);
-
-/**
- * Inline decrypt a Kerberos message.
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param ivec initial cbc/cts vector
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- *
- * 1. KRB5_CRYPTO_TYPE_HEADER
- * 2. one KRB5_CRYPTO_TYPE_DATA and array [0,...] of KRB5_CRYPTO_TYPE_SIGN_ONLY in
- * any order, however the receiver have to aware of the
- * order. KRB5_CRYPTO_TYPE_SIGN_ONLY is commonly used unencrypoted
- * protocol headers and trailers. The output data will be of same
- * size as the input data or shorter.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_iov_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/,
- void */*ivec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/,
- void */*ivec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_decrypt_ticket (
- krb5_context /*context*/,
- Ticket */*ticket*/,
- krb5_keyblock */*key*/,
- EncTicketPart */*out*/,
- krb5_flags /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_derive_key (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_enctype /*etype*/,
- const void */*constant*/,
- size_t /*constant_len*/,
- krb5_keyblock **/*derived_key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_alloc (
- krb5_context /*context*/,
- krb5_digest */*digest*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_digest_free (krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_get_client_binding (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- char **/*type*/,
- char **/*binding*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_identifier (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_opaque (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_rsp (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_digest_get_server_nonce (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_get_session_key (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_get_tickets (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- Ticket **/*tickets*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_init_request (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/);
-
-/**
- * Get the supported/allowed mechanism for this principal.
- *
- * @param context A Keberos context.
- * @param realm The realm of the KDC.
- * @param ccache The credential cache to use when talking to the KDC.
- * @param flags The supported mechanism.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_digest
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_probe (
- krb5_context /*context*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/,
- unsigned */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_digest_rep_get_status (
- krb5_context /*context*/,
- krb5_digest /*digest*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_request (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_authentication_user (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- krb5_principal /*authentication_user*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_authid (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*authid*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_client_nonce (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*nonce*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_digest (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*dgst*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_hostname (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*hostname*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_identifier (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_method (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*method*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_nonceCount (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*nonce_count*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_opaque (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*opaque*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_qop (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*qop*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_realm (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*realm*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_digest_set_responseData (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*response*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_server_cb (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*type*/,
- const char */*binding*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_server_nonce (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*nonce*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_type (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_uri (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*uri*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_digest_set_username (
- krb5_context /*context*/,
- krb5_digest /*digest*/,
- const char */*username*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_domain_x500_decode (
- krb5_context /*context*/,
- krb5_data /*tr*/,
- char ***/*realms*/,
- unsigned int */*num_realms*/,
- const char */*client_realm*/,
- const char */*server_realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_domain_x500_encode (
- char **/*realms*/,
- unsigned int /*num_realms*/,
- krb5_data */*encoding*/);
-
-/**
- * Convert the getaddrinfo() error code to a Kerberos et error code.
- *
- * @param eai_errno contains the error code from getaddrinfo().
- * @param system_error should have the value of errno after the failed getaddrinfo().
- *
- * @return Kerberos error code representing the EAI errors.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_eai_to_heim_errno (
- int /*eai_errno*/,
- int /*system_error*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_Authenticator (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- Authenticator */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_ETYPE_INFO (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- ETYPE_INFO */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_ETYPE_INFO2 (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- ETYPE_INFO2 */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncAPRepPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncAPRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncASRepPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncASRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncKrbCredPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncKrbCredPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncTGSRepPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncTGSRepPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encode_EncTicketPart (
- krb5_context /*context*/,
- void */*data*/,
- size_t /*length*/,
- EncTicketPart */*t*/,
- size_t */*len*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- const void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt_EncryptedData (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- void */*data*/,
- size_t /*len*/,
- int /*kvno*/,
- EncryptedData */*result*/);
-
-/**
- * Inline encrypt a kerberos message
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param ivec initial cbc/cts vector
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- *
- * Kerberos encrypted data look like this:
- *
- * 1. KRB5_CRYPTO_TYPE_HEADER
- * 2. array [1,...] KRB5_CRYPTO_TYPE_DATA and array [0,...]
- * KRB5_CRYPTO_TYPE_SIGN_ONLY in any order, however the receiver
- * have to aware of the order. KRB5_CRYPTO_TYPE_SIGN_ONLY is
- * commonly used headers and trailers.
- * 3. KRB5_CRYPTO_TYPE_PADDING, at least on padsize long if padsize > 1
- * 4. KRB5_CRYPTO_TYPE_TRAILER
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt_iov_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- int /*num_data*/,
- void */*ivec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_encrypt_ivec (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- const void */*data*/,
- size_t /*len*/,
- krb5_data */*result*/,
- void */*ivec*/);
-
-/**
- * Disable encryption type
- *
- * @param context Kerberos 5 context
- * @param enctype encryption type to disable
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_disable (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-/**
- * Enable encryption type
- *
- * @param context Kerberos 5 context
- * @param enctype encryption type to enable
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_enable (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_keybits (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*keybits*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_keysize (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- size_t */*keysize*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_to_keytype (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- krb5_keytype */*keytype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_to_string (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- char **/*string*/);
-
-/**
- * Check if a enctype is valid, return 0 if it is.
- *
- * @param context Kerberos context
- * @param etype enctype to check if its valid or not
- *
- * @return Return an error code for an failure or 0 on success (enctype valid).
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_enctype_valid (
- krb5_context /*context*/,
- krb5_enctype /*etype*/);
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_enctypes_compatible_keys (
- krb5_context /*context*/,
- krb5_enctype /*etype1*/,
- krb5_enctype /*etype2*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-krb5_error_code
-krb5_enomem (krb5_context /*context*/);
-
-/**
- * Log a warning to the log, default stderr, include bthe error from
- * the last failure and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param code error code of the last error
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_err (
- krb5_context /*context*/,
- int /*eval*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_error_from_rd_error (
- krb5_context /*context*/,
- const krb5_error */*error*/,
- const krb5_creds */*creds*/);
-
-/**
- * Log a warning to the log, default stderr, and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_errx (
- krb5_context /*context*/,
- int /*eval*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)));
-
-/**
- * krb5_expand_hostname() tries to make orig_hostname into a more
- * canonical one in the newly allocated space returned in
- * new_hostname.
-
- * @param context a Keberos context
- * @param orig_hostname hostname to canonicalise.
- * @param new_hostname output hostname, caller must free hostname with
- * krb5_xfree().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_expand_hostname (
- krb5_context /*context*/,
- const char */*orig_hostname*/,
- char **/*new_hostname*/);
-
-/**
- * krb5_expand_hostname_realms() expands orig_hostname to a name we
- * believe to be a hostname in newly allocated space in new_hostname
- * and return the realms new_hostname is believed to belong to in
- * realms.
- *
- * @param context a Keberos context
- * @param orig_hostname hostname to canonicalise.
- * @param new_hostname output hostname, caller must free hostname with
- * krb5_xfree().
- * @param realms output possible realms, is an array that is terminated
- * with NULL. Caller must free with krb5_free_host_realm().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_expand_hostname_realms (
- krb5_context /*context*/,
- const char */*orig_hostname*/,
- char **/*new_hostname*/,
- char ***/*realms*/);
-
-KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
-krb5_find_padata (
- PA_DATA */*val*/,
- unsigned /*len*/,
- int /*type*/,
- int */*idx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_format_time (
- krb5_context /*context*/,
- time_t /*t*/,
- char */*s*/,
- size_t /*len*/,
- krb5_boolean /*include_time*/);
-
-/**
- * krb5_free_address frees the data stored in the address that is
- * alloced with any of the krb5_address functions.
- *
- * @param context a Keberos context
- * @param address addresss to be freed.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_address (
- krb5_context /*context*/,
- krb5_address */*address*/);
-
-/**
- * krb5_free_addresses frees the data stored in the address that is
- * alloced with any of the krb5_address functions.
- *
- * @param context a Keberos context
- * @param addresses addressses to be freed.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_ap_rep_enc_part (
- krb5_context /*context*/,
- krb5_ap_rep_enc_part */*val*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_authenticator (
- krb5_context /*context*/,
- krb5_authenticator */*authenticator*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_checksum (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_checksum_contents (
- krb5_context /*context*/,
- krb5_checksum */*cksum*/);
-
-/**
- * Free a list of configuration files.
- *
- * @param filenames list, terminated with a NULL pointer, to be
- * freed. NULL is an valid argument.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_config_files (char **/*filenames*/);
-
-/**
- * Frees the krb5_context allocated by krb5_init_context().
- *
- * @param context context to be freed.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_context (krb5_context /*context*/);
-
-/**
- * Free content of krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param c krb5_creds to free.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_cred_contents (
- krb5_context /*context*/,
- krb5_creds */*c*/);
-
-/**
- * Free krb5_creds.
- *
- * @param context Kerberos 5 context.
- * @param c krb5_creds to free.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_creds (
- krb5_context /*context*/,
- krb5_creds */*c*/);
-
-/**
- * Deprecated: use krb5_free_cred_contents()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_creds_contents (
- krb5_context /*context*/,
- krb5_creds */*c*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Free krb5_data (and its content).
- *
- * @param context Kerberos 5 context.
- * @param p krb5_data to free.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_data (
- krb5_context /*context*/,
- krb5_data */*p*/);
-
-/**
- * Same as krb5_data_free(). MIT compat.
- *
- * Deprecated: use krb5_data_free().
- *
- * @param context Kerberos 5 context.
- * @param data krb5_data to free.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_data_contents (
- krb5_context /*context*/,
- krb5_data */*data*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_default_realm (
- krb5_context /*context*/,
- krb5_realm /*realm*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error (
- krb5_context /*context*/,
- krb5_error */*error*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error_contents (
- krb5_context /*context*/,
- krb5_error */*error*/);
-
-/**
- * Free the error message returned by krb5_get_error_message().
- *
- * @param context Kerberos context
- * @param msg error message to free, returned byg
- * krb5_get_error_message().
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error_message (
- krb5_context /*context*/,
- const char */*msg*/);
-
-/**
- * Free the error message returned by krb5_get_error_string().
- *
- * Deprecated: use krb5_free_error_message()
- *
- * @param context Kerberos context
- * @param str error message to free
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_error_string (
- krb5_context /*context*/,
- char */*str*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Free all memory allocated by `realmlist'
- *
- * @param context A Kerberos 5 context.
- * @param realmlist realmlist to free, NULL is ok
- *
- * @return a Kerberos error code, always 0.
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_host_realm (
- krb5_context /*context*/,
- krb5_realm */*realmlist*/);
-
-/**
- * Variable containing the FILE based credential cache implemention.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_kdc_rep (
- krb5_context /*context*/,
- krb5_kdc_rep */*rep*/);
-
-/**
- * Free a keyblock, also zero out the content of the keyblock, uses
- * krb5_free_keyblock_contents() to free the content.
- *
- * @param context a Kerberos 5 context
- * @param keyblock keyblock to free, NULL is valid argument
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_keyblock (
- krb5_context /*context*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Free a keyblock's content, also zero out the content of the keyblock.
- *
- * @param context a Kerberos 5 context
- * @param keyblock keyblock content to free, NULL is valid argument
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_keyblock_contents (
- krb5_context /*context*/,
- krb5_keyblock */*keyblock*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_krbhst (
- krb5_context /*context*/,
- char **/*hostlist*/);
-
-/**
- * Free a name canonicalization rule iterator.
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_name_canon_iterator (
- krb5_context /*context*/,
- krb5_name_canon_iterator /*iter*/);
-
-/**
- * Frees a Kerberos principal allocated by the library with
- * krb5_parse_name(), krb5_make_principal() or any other related
- * principal functions.
- *
- * @param context A Kerberos context.
- * @param p a principal to free.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_principal (
- krb5_context /*context*/,
- krb5_principal /*p*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_salt (
- krb5_context /*context*/,
- krb5_salt /*salt*/);
-
-/**
- * Free ticket and content
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to free
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_free_ticket (
- krb5_context /*context*/,
- krb5_ticket */*ticket*/);
-
-/**
- * Deprecated: use krb5_xfree().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_free_unparsed_name (
- krb5_context /*context*/,
- char */*str*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Forward credentials for client to host hostname , making them
- * forwardable if forwardable, and returning the blob of data to sent
- * in out_data. If hostname == NULL, pick it from server.
- *
- * @param context A kerberos 5 context.
- * @param auth_context the auth context with the key to encrypt the out_data.
- * @param hostname the host to forward the tickets too.
- * @param client the client to delegate from.
- * @param server the server to delegate the credential too.
- * @param ccache credential cache to use.
- * @param forwardable make the forwarded ticket forwabledable.
- * @param out_data the resulting credential.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_fwd_tgt_creds (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const char */*hostname*/,
- krb5_principal /*client*/,
- krb5_principal /*server*/,
- krb5_ccache /*ccache*/,
- int /*forwardable*/,
- krb5_data */*out_data*/);
-
-/**
- * Fill buffer buf with len bytes of PRNG randomness that is ok to use
- * for key generation, padding and public diclosing the randomness w/o
- * disclosing the randomness source.
- *
- * This function can fail, and callers must check the return value.
- *
- * @param buf a buffer to fill with randomness
- * @param len length of memory that buf points to.
- *
- * @return return 0 on success or HEIM_ERR_RANDOM_OFFLINE if the
- * funcation failed to initialize the randomness source.
- *
- * @ingroup krb5_crypto
- */
-
-HEIMDAL_WARN_UNUSED_RESULT_ATTRIBUTE KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_random (
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * Fill buffer buf with len bytes of PRNG randomness that is ok to use
- * for key generation, padding and public diclosing the randomness w/o
- * disclosing the randomness source.
- *
- * This function can NOT fail, instead it will abort() and program will crash.
- *
- * If this function is called after a successful krb5_init_context(),
- * the chance of it failing is low due to that krb5_init_context()
- * pulls out some random, and quite commonly the randomness sources
- * will not fail once it have started to produce good output,
- * /dev/urandom behavies that way.
- *
- * @param buf a buffer to fill with randomness
- * @param len length of memory that buf points to.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_generate_random_block (
- void */*buf*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_random_keyblock (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_seq_number (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- uint32_t */*seqno*/);
-
-/**
- * Deprecated: use krb5_generate_subkey_extended()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_subkey (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_keyblock **/*subkey*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Generate subkey, from keyblock
- *
- * @param context kerberos context
- * @param key session key
- * @param etype encryption type of subkey, if ETYPE_NULL, use key's enctype
- * @param subkey returned new, free with krb5_free_keyblock().
- *
- * @return 0 on success or a Kerberos 5 error code
- *
-* @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_generate_subkey_extended (
- krb5_context /*context*/,
- const krb5_keyblock */*key*/,
- krb5_enctype /*etype*/,
- krb5_keyblock **/*subkey*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_all_client_addrs (
- krb5_context /*context*/,
- krb5_addresses */*res*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_all_server_addrs (
- krb5_context /*context*/,
- krb5_addresses */*res*/);
-
-/**
- * Deprecated: use krb5_get_credentials_with_flags().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_cred_from_kdc (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/,
- krb5_creds ***/*ret_tgts*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_credentials_with_flags().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_cred_from_kdc_opt (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/,
- krb5_creds ***/*ret_tgts*/,
- krb5_flags /*flags*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_credentials (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_credentials_with_flags (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_kdc_flags /*flags*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*in_creds*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_ccache /*ccache*/,
- krb5_const_principal /*inprinc*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_add_options (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_flags /*options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds_opt_alloc (
- krb5_context /*context*/,
- krb5_get_creds_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_free (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_set_enctype (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_enctype /*enctype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds_opt_set_impersonate (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_const_principal /*self*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_creds_opt_set_options (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- krb5_flags /*options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_creds_opt_set_ticket (
- krb5_context /*context*/,
- krb5_get_creds_opt /*opt*/,
- const Ticket */*ticket*/);
-
-/**
- * Get the global configuration list.
- *
- * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_config_files (char ***/*pfilenames*/);
-
-/**
- * Get the default encryption types that will be use in communcation
- * with the KDC, clients and servers.
- *
- * @param context Kerberos 5 context.
- * @param pdu_type request type (AS, TGS or none)
- * @param etypes Encryption types, array terminated with
- * ETYPE_NULL(0), caller should free array with krb5_xfree():
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_in_tkt_etypes (
- krb5_context /*context*/,
- krb5_pdu /*pdu_type*/,
- krb5_enctype **/*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_principal (
- krb5_context /*context*/,
- krb5_principal */*princ*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_realm (
- krb5_context /*context*/,
- krb5_realm */*realm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_default_realms (
- krb5_context /*context*/,
- krb5_realm **/*realms*/);
-
-/**
- * Get if the library uses DNS to canonicalize hostnames.
- *
- * @param context Kerberos 5 context.
- *
- * @return return non zero if the library uses DNS to canonicalize hostnames.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_get_dns_canonicalize_hostname (krb5_context /*context*/);
-
-/**
- * Return the error string for the error code. The caller must not
- * free the string.
- *
- * This function is deprecated since its not threadsafe.
- *
- * @param context Kerberos 5 context.
- * @param code Kerberos error code.
- *
- * @return the error message matching code
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_get_err_text (
- krb5_context /*context*/,
- krb5_error_code /*code*/)
- KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead");
-
-/**
- * Return the error message for `code' in context. On memory
- * allocation error the function returns NULL.
- *
- * @param context Kerberos 5 context
- * @param code Error code related to the error
- *
- * @return an error string, needs to be freed with
- * krb5_free_error_message(). The functions return NULL on error.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
-krb5_get_error_message (
- krb5_context /*context*/,
- krb5_error_code /*code*/);
-
-/**
- * Return the error message in context. On error or no error string,
- * the function returns NULL.
- *
- * @param context Kerberos 5 context
- *
- * @return an error string, needs to be freed with
- * krb5_free_error_message(). The functions return NULL on error.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
-krb5_get_error_string (krb5_context /*context*/)
- KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead");
-
-/**
- * Get extra address to the address list that the library will add to
- * the client's address list when communicating with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to set
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_extra_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-/**
- * Get version of fcache that the library should use.
- *
- * @param context Kerberos 5 context.
- * @param version version number.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_fcache_version (
- krb5_context /*context*/,
- int */*version*/);
-
-/**
- * Gets tickets forwarded to hostname. If the tickets that are
- * forwarded are address-less, the forwarded tickets will also be
- * address-less.
- *
- * If the ticket have any address, hostname will be used for figure
- * out the address to forward the ticket too. This since this might
- * use DNS, its insecure and also doesn't represent configured all
- * addresses of the host. For example, the host might have two
- * adresses, one IPv4 and one IPv6 address where the later is not
- * published in DNS. This IPv6 address might be used communications
- * and thus the resulting ticket useless.
- *
- * @param context A kerberos 5 context.
- * @param auth_context the auth context with the key to encrypt the out_data.
- * @param ccache credential cache to use
- * @param flags the flags to control the resulting ticket flags
- * @param hostname the host to forward the tickets too.
- * @param in_creds the in client and server ticket names. The client
- * and server components forwarded to the remote host.
- * @param out_data the resulting credential.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_forwarded_creds (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_ccache /*ccache*/,
- krb5_flags /*flags*/,
- const char */*hostname*/,
- krb5_creds */*in_creds*/,
- krb5_data */*out_data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_host_realm (
- krb5_context /*context*/,
- const char */*targethost*/,
- krb5_realm **/*realms*/);
-
-/**
- * Get extra addresses to ignore when fetching addresses from the
- * underlaying operating system.
- *
- * @param context Kerberos 5 context.
- * @param addresses list addreses ignored
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_ignore_addresses (
- krb5_context /*context*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_cred (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- const krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*ptypes*/,
- const krb5_preauthdata */*preauth*/,
- krb5_key_proc /*key_proc*/,
- krb5_const_pointer /*keyseed*/,
- krb5_decrypt_proc /*decrypt_proc*/,
- krb5_const_pointer /*decryptarg*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- const krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*ptypes*/,
- krb5_key_proc /*key_proc*/,
- krb5_const_pointer /*keyseed*/,
- krb5_decrypt_proc /*decrypt_proc*/,
- krb5_const_pointer /*decryptarg*/,
- krb5_creds */*creds*/,
- krb5_ccache /*ccache*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt_with_keytab (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*pre_auth_types*/,
- krb5_keytab /*keytab*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt_with_password (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*pre_auth_types*/,
- const char */*password*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_in_tkt_with_skey (
- krb5_context /*context*/,
- krb5_flags /*options*/,
- krb5_addresses */*addrs*/,
- const krb5_enctype */*etypes*/,
- const krb5_preauthtype */*pre_auth_types*/,
- const krb5_keyblock */*key*/,
- krb5_ccache /*ccache*/,
- krb5_creds */*creds*/,
- krb5_kdc_rep */*ret_as_reply*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Get new credentials using keyblock.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_keyblock (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- krb5_keyblock */*keyblock*/,
- krb5_deltat /*start_time*/,
- const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*options*/);
-
-/**
- * Get new credentials using keytab.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_keytab (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- krb5_keytab /*keytab*/,
- krb5_deltat /*start_time*/,
- const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*options*/);
-
-/**
- * Allocate a new krb5_get_init_creds_opt structure, free with
- * krb5_get_init_creds_opt_free().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_alloc (
- krb5_context /*context*/,
- krb5_get_init_creds_opt **/*opt*/);
-
-/**
- * Free krb5_get_init_creds_opt structure.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_free (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/);
-
-/**
- * Deprecated: use the new krb5_init_creds_init() and
- * krb5_init_creds_get_error().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_get_error (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- KRB_ERROR **/*error*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_get_init_creds_opt_alloc().
- *
- * The reason krb5_get_init_creds_opt_init() is deprecated is that
- * krb5_get_init_creds_opt is a static structure and for ABI reason it
- * can't grow, ie can't add new functionality.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_address_list (
- krb5_get_init_creds_opt */*opt*/,
- krb5_addresses */*addresses*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_addressless (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*addressless*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_anonymous (
- krb5_get_init_creds_opt */*opt*/,
- int /*anonymous*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_canonicalize (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*req*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_change_password_prompt (
- krb5_get_init_creds_opt */*opt*/,
- int /*change_password_prompt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_default_flags (
- krb5_context /*context*/,
- const char */*appname*/,
- krb5_const_realm /*realm*/,
- krb5_get_init_creds_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_etype_list (
- krb5_get_init_creds_opt */*opt*/,
- krb5_enctype */*etype_list*/,
- int /*etype_list_length*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_forwardable (
- krb5_get_init_creds_opt */*opt*/,
- int /*forwardable*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_pa_password (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- const char */*password*/,
- krb5_s2k_proc /*key_proc*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_pac_request (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*req_pac*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_pkinit (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_principal /*principal*/,
- const char */*user_id*/,
- const char */*x509_anchors*/,
- char * const * /*pool*/,
- char * const * /*pki_revoke*/,
- int /*flags*/,
- krb5_prompter_fct /*prompter*/,
- void */*prompter_data*/,
- char */*password*/);
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_init_creds_opt_set_pkinit_user_certs (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- struct hx509_certs_data */*certs*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_preauth_list (
- krb5_get_init_creds_opt */*opt*/,
- krb5_preauthtype */*preauth_list*/,
- int /*preauth_list_length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_process_last_req (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_gic_process_last_req /*func*/,
- void */*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_proxiable (
- krb5_get_init_creds_opt */*opt*/,
- int /*proxiable*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_renew_life (
- krb5_get_init_creds_opt */*opt*/,
- krb5_deltat /*renew_life*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_salt (
- krb5_get_init_creds_opt */*opt*/,
- krb5_data */*salt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_tkt_life (
- krb5_get_init_creds_opt */*opt*/,
- krb5_deltat /*tkt_life*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_opt_set_win2k (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*opt*/,
- krb5_boolean /*req*/);
-
-/**
- * Get new credentials using password.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_init_creds_password (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- const char */*password*/,
- krb5_prompter_fct /*prompter*/,
- void */*data*/,
- krb5_deltat /*start_time*/,
- const char */*in_tkt_service*/,
- krb5_get_init_creds_opt */*options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_kdc_cred (
- krb5_context /*context*/,
- krb5_ccache /*id*/,
- krb5_kdc_flags /*flags*/,
- krb5_addresses */*addresses*/,
- Ticket */*second_ticket*/,
- krb5_creds */*in_creds*/,
- krb5_creds **out_creds );
-
-/**
- * Get current offset in time to the KDC.
- *
- * @param context Kerberos 5 context.
- * @param sec seconds part of offset.
- * @param usec micro seconds part of offset.
- *
- * @return returns zero
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_kdc_sec_offset (
- krb5_context /*context*/,
- int32_t */*sec*/,
- int32_t */*usec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb524hst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb_admin_hst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb_changepw_hst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krbhst (
- krb5_context /*context*/,
- const krb5_realm */*realm*/,
- char ***/*hostlist*/);
-
-/**
- * Get max time skew allowed.
- *
- * @param context Kerberos 5 context.
- *
- * @return timeskew in seconds.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
-krb5_get_max_time_skew (krb5_context /*context*/);
-
-/**
- * krb5_init_context() will get one random byte to make sure our
- * random is alive. Assumption is that once the non blocking
- * source allows us to pull bytes, its all seeded and allows us to
- * pull more bytes.
- *
- * Most Kerberos users calls krb5_init_context(), so this is
- * useful point where we can do the checking.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_permitted_enctypes (
- krb5_context /*context*/,
- krb5_enctype **/*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_pw_salt (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- krb5_salt */*salt*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_renewed_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_const_principal /*client*/,
- krb5_ccache /*ccache*/,
- const char */*in_tkt_service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_server_rcache (
- krb5_context /*context*/,
- const krb5_data */*piece*/,
- krb5_rcache */*id*/);
-
-/**
- * Make the kerberos library default to the admin KDC.
- *
- * @param context Kerberos 5 context.
- *
- * @return boolean flag to telling the context will use admin KDC as the default KDC.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_get_use_admin_kdc (krb5_context /*context*/);
-
-/**
- * Validate the newly fetch credential, see also krb5_verify_init_creds().
- *
- * @param context a Kerberos 5 context
- * @param creds the credentials to verify
- * @param client the client name to match up
- * @param ccache the credential cache to use
- * @param service a service name to use, used with
- * krb5_sname_to_principal() to build a hostname to use to
- * verify.
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_validated_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*client*/,
- krb5_ccache /*ccache*/,
- char */*service*/);
-
-/**
- * Get the default logging facility.
- *
- * @param context A Kerberos 5 context
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_log_facility * KRB5_LIB_CALL
-krb5_get_warn_dest (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
-krb5_get_wrapped_length (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- size_t /*data_len*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_getportbyname (
- krb5_context /*context*/,
- const char */*service*/,
- const char */*proto*/,
- int /*default_port*/);
-
-/**
- * krb5_h_addr2addr works like krb5_h_addr2sockaddr with the exception
- * that it operates on a krb5_address instead of a struct sockaddr.
- *
- * @param context a Keberos context
- * @param af address family
- * @param haddr host address from struct hostent.
- * @param addr returned krb5_address.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_h_addr2addr (
- krb5_context /*context*/,
- int /*af*/,
- const char */*haddr*/,
- krb5_address */*addr*/);
-
-/**
- * krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and
- * the "struct hostent" (see gethostbyname(3) ) h_addr_list
- * component. The argument sa_size should initially contain the size
- * of the sa, and after the call, it will contain the actual length of
- * the address.
- *
- * @param context a Keberos context
- * @param af addresses
- * @param addr address
- * @param sa returned struct sockaddr
- * @param sa_size size of sa
- * @param port port to set in sa.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_h_addr2sockaddr (
- krb5_context /*context*/,
- int /*af*/,
- const char */*addr*/,
- struct sockaddr */*sa*/,
- krb5_socklen_t */*sa_size*/,
- int /*port*/);
-
-/**
- * Convert the gethostname() error code (h_error) to a Kerberos et
- * error code.
- *
- * @param eai_errno contains the error code from gethostname().
- *
- * @return Kerberos error code representing the gethostname errors.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_h_errno_to_heim_errno (int /*eai_errno*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_have_error_string (krb5_context /*context*/)
- KRB5_DEPRECATED_FUNCTION("Use krb5_get_error_message instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_hmac (
- krb5_context /*context*/,
- krb5_cksumtype /*cktype*/,
- const void */*data*/,
- size_t /*len*/,
- unsigned /*usage*/,
- krb5_keyblock */*key*/,
- Checksum */*result*/);
-
-/**
- * Initializes the context structure and reads the configuration file
- * /etc/krb5.conf. The structure should be freed by calling
- * krb5_free_context() when it is no longer being used.
- *
- * @param context pointer to returned context
- *
- * @return Returns 0 to indicate success. Otherwise an errno code is
- * returned. Failure means either that something bad happened during
- * initialization (typically ENOMEM) or that Kerberos should not be
- * used ENXIO. If the function returns HEIM_ERR_RANDOM_OFFLINE, the
- * random source is not available and later Kerberos calls might fail.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_context (krb5_context */*context*/);
-
-/**
- * Free the krb5_init_creds_context allocated by krb5_init_creds_init().
- *
- * @param context A Kerberos 5 context.
- * @param ctx The krb5_init_creds_context to free.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_init_creds_free (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/);
-
-/**
- * Get new credentials as setup by the krb5_init_creds_context.
- *
- * @param context A Kerberos 5 context.
- * @param ctx The krb5_init_creds_context to process.
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_get (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/);
-
-/**
- * Extract the newly acquired credentials from krb5_init_creds_context
- * context.
- *
- * @param context A Kerberos 5 context.
- * @param ctx
- * @param cred credentials, free with krb5_free_cred_contents().
- *
- * @return 0 for sucess or An Kerberos error code, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_get_creds (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_creds */*cred*/);
-
-/**
- * Get the last error from the transaction.
- *
- * @return Returns 0 or an error code
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_get_error (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- KRB_ERROR */*error*/);
-
-/**
- * Start a new context to get a new initial credential.
- *
- * @param context A Kerberos 5 context.
- * @param client The Kerberos principal to get the credential for, if
- * NULL is given, the default principal is used as determined by
- * krb5_get_default_principal().
- * @param prompter
- * @param prompter_data
- * @param start_time the time the ticket should start to be valid or 0 for now.
- * @param options a options structure, can be NULL for default options.
- * @param rctx A new allocated free with krb5_init_creds_free().
- *
- * @return 0 for success or an Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_init (
- krb5_context /*context*/,
- krb5_principal /*client*/,
- krb5_prompter_fct /*prompter*/,
- void */*prompter_data*/,
- krb5_deltat /*start_time*/,
- krb5_get_init_creds_opt */*options*/,
- krb5_init_creds_context */*rctx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_fast_ap_armor_service (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_const_principal /*armor_service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_fast_ccache (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_ccache /*fast_ccache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_keyblock (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Set the keytab to use for authentication.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param keytab the keytab to read the key from.
- *
- * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_keytab (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_keytab /*keytab*/);
-
-/**
- * Sets the password that will use for the request.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param password the password to use.
- *
- * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_password (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- const char */*password*/);
-
-/**
- * Sets the service that the is requested. This call is only neede for
- * special initial tickets, by default the a krbtgt is fetched in the default realm.
- *
- * @param context a Kerberos 5 context.
- * @param ctx a krb5_init_creds_context context.
- * @param service the service given as a string, for example
- * "kadmind/admin". If NULL, the default krbtgt in the clients
- * realm is set.
- *
- * @return 0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_set_service (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- const char */*service*/);
-
-/**
- * The core loop if krb5_get_init_creds() function family. Create the
- * packets and have the caller send them off to the KDC.
- *
- * If the caller want all work been done for them, use
- * krb5_init_creds_get() instead.
- *
- * @param context a Kerberos 5 context.
- * @param ctx ctx krb5_init_creds_context context.
- * @param in input data from KDC, first round it should be reset by krb5_data_zer().
- * @param out reply to KDC.
- * @param hostinfo KDC address info, first round it can be NULL.
- * @param flags status of the round, if
- * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
- *
- * @return 0 for success, or an Kerberos 5 error code, see
- * krb5_get_error_message().
- *
- * @ingroup krb5_credential
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_creds_step (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_data */*in*/,
- krb5_data */*out*/,
- krb5_krbhst_info */*hostinfo*/,
- unsigned int */*flags*/);
-
-/**
- *
- * @ingroup krb5_credential
- */
-
-krb5_error_code
-krb5_init_creds_store (
- krb5_context /*context*/,
- krb5_init_creds_context /*ctx*/,
- krb5_ccache /*id*/);
-
-/**
- * Init the built-in ets in the Kerberos library.
- *
- * @param context kerberos context to add the ets too
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_init_ets (krb5_context /*context*/);
-
-/**
- @struct krb5plugin_kuserok_ftable_desc *
- * @brief Description of the krb5_kuserok(3) plugin facility.
- *
- * The krb5_kuserok(3) function is pluggable. The plugin is named
- * KRB5_PLUGIN_KUSEROK ("krb5_plugin_kuserok"), with a single minor
- * version, KRB5_PLUGIN_KUSEROK_VERSION_0 (0).
- *
- * The plugin for krb5_kuserok(3) consists of a data symbol referencing
- * a structure of type krb5plugin_kuserok_ftable, with four fields:
- *
- * @param init Plugin initialization function (see krb5-plugin(7))
- *
- * @param minor_version The plugin minor version number (0)
- *
- * @param fini Plugin finalization function
- *
- * @param kuserok Plugin kuserok function
- *
- * The kuserok field is the plugin entry point that performs the
- * traditional kuserok operation however the plugin desires. It is
- * invoked in no particular order relative to other kuserok plugins, but
- * it has a 'rule' argument that indicates which plugin is intended to
- * act on the rule. The plugin kuserok function must return
- * KRB5_PLUGIN_NO_HANDLE if the rule is not applicable to it.
- *
- * The plugin kuserok function has the following arguments, in this
- * order:
- *
- * -# plug_ctx, the context value output by the plugin's init function
- * -# context, a krb5_context
- * -# rule, the kuserok rule being evaluated (from krb5.conf(5))
- * -# flags
- * -# k5login_dir, configured location of k5login per-user files if any
- * -# luser, name of the local user account to which principal is attempting to access.
- * -# principal, the krb5_principal trying to access the luser account
- * -# result, a krb5_boolean pointer where the plugin will output its result
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_initlog (
- krb5_context /*context*/,
- const char */*program*/,
- krb5_log_facility **/*fac*/);
-
-/**
- * Return TRUE (non zero) if the principal is a configuration
- * principal (generated part of krb5_cc_set_config()). Returns FALSE
- * (zero) if not a configuration principal.
- *
- * @param context a Keberos context
- * @param principal principal to check if it a configuration principal
- *
- * @ingroup krb5_ccache
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_is_config_principal (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns is the encryption is strong or weak
- *
- * @param context Kerberos 5 context
- * @param enctype encryption type to probe
- *
- * @return Returns true if encryption type is weak or is not supported.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_is_enctype_weak (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/);
-
-/**
- * Runtime check if the Kerberos library was complied with thread support.
- *
- * @return TRUE if the library was compiled with thread support, FALSE if not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_is_thread_safe (void);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kcm_call (
- krb5_context /*context*/,
- krb5_storage */*request*/,
- krb5_storage **/*response_p*/,
- krb5_data */*response_data_p*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kcm_storage_request (
- krb5_context /*context*/,
- uint16_t /*opcode*/,
- krb5_storage **/*storage_p*/);
-
-/**
- * Returns the list of Kerberos encryption types sorted in order of
- * most preferred to least preferred encryption type. Note that some
- * encryption types might be disabled, so you need to check with
- * krb5_enctype_valid() before using the encryption type.
- *
- * @return list of enctypes, terminated with ETYPE_NULL. Its a static
- * array completed into the Kerberos library so the content doesn't
- * need to be freed.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
-krb5_kerberos_enctypes (krb5_context /*context*/);
-
-/**
- * Get encryption type of a keyblock.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_enctype KRB5_LIB_CALL
-krb5_keyblock_get_enctype (const krb5_keyblock */*block*/);
-
-/**
- * Fill in `key' with key data of type `enctype' from `data' of length
- * `size'. Key should be freed using krb5_free_keyblock_contents().
- *
- * @return 0 on success or a Kerberos 5 error code
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keyblock_init (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- const void */*data*/,
- size_t /*size*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keyblock_key_proc (
- krb5_context /*context*/,
- krb5_keytype /*type*/,
- krb5_data */*salt*/,
- krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/);
-
-/**
- * Zero out a keyblock
- *
- * @param keyblock keyblock to zero out
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_keyblock_zero (krb5_keyblock */*keyblock*/);
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
-krb5_keytab_key_proc (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_salt /*salt*/,
- krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keytype_to_enctypes (
- krb5_context /*context*/,
- krb5_keytype /*keytype*/,
- unsigned */*len*/,
- krb5_enctype **/*val*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keytype_to_enctypes_default (
- krb5_context /*context*/,
- krb5_keytype /*keytype*/,
- unsigned */*len*/,
- krb5_enctype **/*val*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes in
- * most cases, use krb5_enctype_to_string().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_keytype_to_string (
- krb5_context /*context*/,
- krb5_keytype /*keytype*/,
- char **/*string*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_format_string (
- krb5_context /*context*/,
- const krb5_krbhst_info */*host*/,
- char */*hostname*/,
- size_t /*hostlen*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_krbhst_free (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/);
-
-/**
- * Return an `struct addrinfo *' for a KDC host.
- *
- * Returns an the struct addrinfo in in that corresponds to the
- * information in `host'. free:ing is handled by krb5_krbhst_free, so
- * the returned ai must not be released.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_get_addrinfo (
- krb5_context /*context*/,
- krb5_krbhst_info */*host*/,
- struct addrinfo **/*ai*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_init (
- krb5_context /*context*/,
- const char */*realm*/,
- unsigned int /*type*/,
- krb5_krbhst_handle */*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_init_flags (
- krb5_context /*context*/,
- const char */*realm*/,
- unsigned int /*type*/,
- int /*flags*/,
- krb5_krbhst_handle */*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_next (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/,
- krb5_krbhst_info **/*host*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_next_as_string (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/,
- char */*hostname*/,
- size_t /*hostlen*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_krbhst_reset (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_krbhst_set_hostname (
- krb5_context /*context*/,
- krb5_krbhst_handle /*handle*/,
- const char */*hostname*/);
-
-/**
- * Add the entry in `entry' to the keytab `id'.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param entry the entry to add
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_add_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Finish using the keytab in `id'. All resources will be released,
- * even on errors.
- *
- * @param context a Keberos context.
- * @param id keytab to close.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_close (
- krb5_context /*context*/,
- krb5_keytab /*id*/);
-
-/**
- * Compare `entry' against `principal, vno, enctype'.
- * Any of `principal, vno, enctype' might be 0 which acts as a wildcard.
- * Return TRUE if they compare the same, FALSE otherwise.
- *
- * @param context a Keberos context.
- * @param entry an entry to match with.
- * @param principal principal to match, NULL matches all principals.
- * @param vno key version to match, 0 matches all key version numbers.
- * @param enctype encryption type to match, 0 matches all encryption types.
- *
- * @return Return TRUE or match, FALSE if not matched.
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_kt_compare (
- krb5_context /*context*/,
- krb5_keytab_entry */*entry*/,
- krb5_const_principal /*principal*/,
- krb5_kvno /*vno*/,
- krb5_enctype /*enctype*/);
-
-/**
- * Copy the contents of `in' into `out'.
- *
- * @param context a Keberos context.
- * @param in the keytab entry to copy.
- * @param out the copy of the keytab entry, free with krb5_kt_free_entry().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_copy_entry_contents (
- krb5_context /*context*/,
- const krb5_keytab_entry */*in*/,
- krb5_keytab_entry */*out*/);
-
-/**
- * Set `id' to the default keytab.
- *
- * @param context a Keberos context.
- * @param id the new default keytab.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_default (
- krb5_context /*context*/,
- krb5_keytab */*id*/);
-
-/**
- * Copy the name of the default modify keytab into `name'.
- *
- * @param context a Keberos context.
- * @param name buffer where the name will be written
- * @param namesize length of name
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_default_modify_name (
- krb5_context /*context*/,
- char */*name*/,
- size_t /*namesize*/);
-
-/**
- * copy the name of the default keytab into `name'.
- *
- * @param context a Keberos context.
- * @param name buffer where the name will be written
- * @param namesize length of name
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_default_name (
- krb5_context /*context*/,
- char */*name*/,
- size_t /*namesize*/);
-
-/**
- * Destroy (remove) the keytab in `id'. All resources will be released,
- * even on errors, does the equvalment of krb5_kt_close() on the resources.
- *
- * @param context a Keberos context.
- * @param id keytab to destroy.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_destroy (
- krb5_context /*context*/,
- krb5_keytab /*id*/);
-
-/**
- * Release all resources associated with `cursor'.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param cursor the cursor to free.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_end_seq_get (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_kt_cursor */*cursor*/);
-
-/**
- * Free the contents of `entry'.
- *
- * @param context a Keberos context.
- * @param entry the entry to free
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_free_entry (
- krb5_context /*context*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Retrieve the keytab entry for `principal, kvno, enctype' into `entry'
- * from the keytab `id'. Matching is done like krb5_kt_compare().
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param principal principal to match, NULL matches all principals.
- * @param kvno key version to match, 0 matches all key version numbers.
- * @param enctype encryption type to match, 0 matches all encryption types.
- * @param entry the returned entry, free with krb5_kt_free_entry().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_const_principal /*principal*/,
- krb5_kvno /*kvno*/,
- krb5_enctype /*enctype*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Retrieve the full name of the keytab `keytab' and store the name in
- * `str'.
- *
- * @param context a Keberos context.
- * @param keytab keytab to get name for.
- * @param str the name of the keytab name, usee krb5_xfree() to free
- * the string. On error, *str is set to NULL.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_full_name (
- krb5_context /*context*/,
- krb5_keytab /*keytab*/,
- char **/*str*/);
-
-/**
- * Retrieve the name of the keytab `keytab' into `name', `namesize'
- *
- * @param context a Keberos context.
- * @param keytab the keytab to get the name for.
- * @param name name buffer.
- * @param namesize size of name buffer.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_name (
- krb5_context /*context*/,
- krb5_keytab /*keytab*/,
- char */*name*/,
- size_t /*namesize*/);
-
-/**
- * Return the type of the `keytab' in the string `prefix of length
- * `prefixsize'.
- *
- * @param context a Keberos context.
- * @param keytab the keytab to get the prefix for
- * @param prefix prefix buffer
- * @param prefixsize length of prefix buffer
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_get_type (
- krb5_context /*context*/,
- krb5_keytab /*keytab*/,
- char */*prefix*/,
- size_t /*prefixsize*/);
-
-/**
- * Return true if the keytab exists and have entries
- *
- * @param context a Keberos context.
- * @param id a keytab.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_have_content (
- krb5_context /*context*/,
- krb5_keytab /*id*/);
-
-/**
- * Get the next entry from keytab, advance the cursor. On last entry
- * the function will return KRB5_KT_END.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param entry the returned entry, free with krb5_kt_free_entry().
- * @param cursor the cursor of the iteration.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_next_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_keytab_entry */*entry*/,
- krb5_kt_cursor */*cursor*/);
-
-/**
- * Read the key identified by `(principal, vno, enctype)' from the
- * keytab in `keyprocarg' (the default if == NULL) into `*key'.
- *
- * @param context a Keberos context.
- * @param keyprocarg
- * @param principal
- * @param vno
- * @param enctype
- * @param key
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_read_service_key (
- krb5_context /*context*/,
- krb5_pointer /*keyprocarg*/,
- krb5_principal /*principal*/,
- krb5_kvno /*vno*/,
- krb5_enctype /*enctype*/,
- krb5_keyblock **/*key*/);
-
-/**
- * Register a new keytab backend.
- *
- * @param context a Keberos context.
- * @param ops a backend to register.
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_register (
- krb5_context /*context*/,
- const krb5_kt_ops */*ops*/);
-
-/**
- * Remove an entry from the keytab, matching is done using
- * krb5_kt_compare().
-
- * @param context a Keberos context.
- * @param id a keytab.
- * @param entry the entry to remove
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_remove_entry (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_keytab_entry */*entry*/);
-
-/**
- * Resolve the keytab name (of the form `type:residual') in `name'
- * into a keytab in `id'.
- *
- * @param context a Keberos context.
- * @param name name to resolve
- * @param id resulting keytab, free with krb5_kt_close().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_resolve (
- krb5_context /*context*/,
- const char */*name*/,
- krb5_keytab */*id*/);
-
-/**
- * Set `cursor' to point at the beginning of `id'.
- *
- * @param context a Keberos context.
- * @param id a keytab.
- * @param cursor a newly allocated cursor, free with krb5_kt_end_seq_get().
- *
- * @return Return an error code or 0, see krb5_get_error_message().
- *
- * @ingroup krb5_keytab
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_kt_start_seq_get (
- krb5_context /*context*/,
- krb5_keytab /*id*/,
- krb5_kt_cursor */*cursor*/);
-
-/**
- * This function takes the name of a local user and checks if
- * principal is allowed to log in as that user.
- *
- * The user may have a ~/.k5login file listing principals that are
- * allowed to login as that user. If that file does not exist, all
- * principals with a only one component that is identical to the
- * username, and a realm considered local, are allowed access.
- *
- * The .k5login file must contain one principal per line, be owned by
- * user and not be writable by group or other (but must be readable by
- * anyone).
- *
- * Note that if the file exists, no implicit access rights are given
- * to user@@LOCALREALM.
- *
- * Optionally, a set of files may be put in ~/.k5login.d (a
- * directory), in which case they will all be checked in the same
- * manner as .k5login. The files may be called anything, but files
- * starting with a hash (#) , or ending with a tilde (~) are
- * ignored. Subdirectories are not traversed. Note that this directory
- * may not be checked by other Kerberos implementations.
- *
- * If no configuration file exists, match user against local domains,
- * ie luser@@LOCAL-REALMS-IN-CONFIGURATION-FILES.
- *
- * @param context Kerberos 5 context.
- * @param principal principal to check if allowed to login
- * @param luser local user id
- *
- * @return returns TRUE if access should be granted, FALSE otherwise.
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_kuserok (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- const char */*luser*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_log (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*level*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 4, 5)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_log_msg (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*level*/,
- char **/*reply*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 5, 6)));
-
-/**
- * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port)
- *
- * @param context a Keberos context
- * @param res built address from addr/port
- * @param addr address to use
- * @param port port to use
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_make_addrport (
- krb5_context /*context*/,
- krb5_address **/*res*/,
- const krb5_address */*addr*/,
- int16_t /*port*/);
-
-/**
- * Build a principal using vararg style building
- *
- * @param context A Kerberos context.
- * @param principal returned principal
- * @param realm realm name
- * @param ... a list of components ended with NULL.
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_make_principal (
- krb5_context /*context*/,
- krb5_principal */*principal*/,
- krb5_const_realm /*realm*/,
- ...);
-
-/**
- * krb5_max_sockaddr_size returns the max size of the .Li struct
- * sockaddr that the Kerberos library will return.
- *
- * @return Return an size_t of the maximum struct sockaddr.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
-krb5_max_sockaddr_size (void);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_error (
- krb5_context /*context*/,
- krb5_error_code /*error_code*/,
- const char */*e_text*/,
- const krb5_data */*e_data*/,
- const krb5_principal /*client*/,
- const krb5_principal /*server*/,
- time_t */*client_time*/,
- int */*client_usec*/,
- krb5_data */*reply*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_error_ext (
- krb5_context /*context*/,
- krb5_error_code /*error_code*/,
- const char */*e_text*/,
- const krb5_data */*e_data*/,
- const krb5_principal /*server*/,
- const PrincipalName */*client_name*/,
- const Realm */*client_realm*/,
- time_t */*client_time*/,
- int */*client_usec*/,
- krb5_data */*reply*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_priv (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*userdata*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_rep (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_req (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- const char */*service*/,
- const char */*hostname*/,
- krb5_data */*in_data*/,
- krb5_ccache /*ccache*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_req_exact (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- const krb5_principal /*server*/,
- krb5_data */*in_data*/,
- krb5_ccache /*ccache*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_req_extended (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_flags /*ap_req_options*/,
- krb5_data */*in_data*/,
- krb5_creds */*in_creds*/,
- krb5_data */*outbuf*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_mk_safe (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*userdata*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-/**
- * Iteratively apply name canon rules, outputing a principal and rule
- * options each time. Iteration completes when the @iter is NULL on
- * return or when an error is returned. Callers must free the iterator
- * if they abandon it mid-way.
- *
- * @param context Kerberos context
- * @param iter name canon rule iterator (input/output)
- * @param try_princ output principal name
- * @param rule_opts output rule options
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_name_canon_iterate (
- krb5_context /*context*/,
- krb5_name_canon_iterator */*iter*/,
- krb5_const_principal */*try_princ*/,
- krb5_name_canon_rule_options */*rule_opts*/);
-
-/**
- * Initialize name canonicalization iterator.
- *
- * @param context Kerberos context
- * @param in_princ principal name to be canonicalized OR
- * @param iter output iterator object
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_name_canon_iterator_start (
- krb5_context /*context*/,
- krb5_const_principal /*in_princ*/,
- krb5_name_canon_iterator */*iter*/);
-
-/**
- * Read \a len bytes from socket \a p_fd into buffer \a buf.
- * Block until \a len bytes are read or until an error.
- *
- * @return If successful, the number of bytes read: \a len.
- * On end-of-file, 0.
- * On error, less than 0 (if single-threaded, the error can be found
- * in the errno global variable).
- */
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_net_read (
- krb5_context /*context*/,
- void */*p_fd*/,
- void */*buf*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_net_write (
- krb5_context /*context*/,
- void */*p_fd*/,
- const void */*buf*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_net_write_block (
- krb5_context /*context*/,
- void */*p_fd*/,
- const void */*buf*/,
- size_t /*len*/,
- time_t /*timeout*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_alloc (
- krb5_context /*context*/,
- krb5_ntlm */*ntlm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_free (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_challenge (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*challenge*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_flags (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- uint32_t */*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_opaque (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*opaque*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_targetinfo (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_get_targetname (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- char **/*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_init_request (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/,
- uint32_t /*flags*/,
- const char */*hostname*/,
- const char */*domainname*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_rep_get_sessionkey (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_ntlm_rep_get_status (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_flags (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- uint32_t /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_lm (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- void */*hash*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_ntlm (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- void */*hash*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_opaque (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_data */*opaque*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_session (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- void */*sessionkey*/,
- size_t /*length*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_targetname (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- const char */*targetname*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_req_set_username (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- const char */*username*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ntlm_request (
- krb5_context /*context*/,
- krb5_ntlm /*ntlm*/,
- krb5_realm /*realm*/,
- krb5_ccache /*ccache*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_openlog (
- krb5_context /*context*/,
- const char */*program*/,
- krb5_log_facility **/*fac*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_add_buffer (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- uint32_t /*type*/,
- const krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_pac_free (
- krb5_context /*context*/,
- krb5_pac /*pac*/);
-
-/**
- * Get the PAC buffer of specific type from the pac.
- *
- * @param context Kerberos 5 context.
- * @param p the pac structure returned by krb5_pac_parse().
- * @param type type of buffer to get
- * @param data return data, free with krb5_data_free().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_pac
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_get_buffer (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- uint32_t /*type*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_get_types (
- krb5_context /*context*/,
- krb5_pac /*p*/,
- size_t */*len*/,
- uint32_t **/*types*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_init (
- krb5_context /*context*/,
- krb5_pac */*pac*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_parse (
- krb5_context /*context*/,
- const void */*ptr*/,
- size_t /*len*/,
- krb5_pac */*pac*/);
-
-/**
- * Verify the PAC.
- *
- * @param context Kerberos 5 context.
- * @param pac the pac structure returned by krb5_pac_parse().
- * @param authtime The time of the ticket the PAC belongs to.
- * @param principal the principal to verify.
- * @param server The service key, most always be given.
- * @param privsvr The KDC key, may be given.
-
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5_pac
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_verify (
- krb5_context /*context*/,
- const krb5_pac /*pac*/,
- time_t /*authtime*/,
- krb5_const_principal /*principal*/,
- const krb5_keyblock */*server*/,
- const krb5_keyblock */*privsvr*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_padata_add (
- krb5_context /*context*/,
- METHOD_DATA */*md*/,
- int /*type*/,
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * krb5_parse_address returns the resolved hostname in string to the
- * krb5_addresses addresses .
- *
- * @param context a Keberos context
- * @param string
- * @param addresses
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_address (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_addresses */*addresses*/);
-
-/**
- * Parse a name into a krb5_principal structure
- *
- * @param context Kerberos 5 context
- * @param name name to parse into a Kerberos principal
- * @param principal returned principal, free with krb5_free_principal().
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_name (
- krb5_context /*context*/,
- const char */*name*/,
- krb5_principal */*principal*/);
-
-/**
- * Parse a name into a krb5_principal structure, flags controls the behavior.
- *
- * @param context Kerberos 5 context
- * @param name name to parse into a Kerberos principal
- * @param flags flags to control the behavior
- * @param principal returned principal, free with krb5_free_principal().
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_name_flags (
- krb5_context /*context*/,
- const char */*name*/,
- int /*flags*/,
- krb5_principal */*principal*/);
-
-/**
- * Parse nametype string and return a nametype integer
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_parse_nametype (
- krb5_context /*context*/,
- const char */*str*/,
- int32_t */*nametype*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_passwd_result_to_string (
- krb5_context /*context*/,
- int /*result*/);
-
-/**
- * Deprecated: use krb5_get_init_creds() and friends.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_CALLCONV
-krb5_password_key_proc (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- krb5_salt /*salt*/,
- krb5_const_pointer /*keyseed*/,
- krb5_keyblock **/*key*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pk_enterprise_cert (
- krb5_context /*context*/,
- const char */*user_id*/,
- krb5_const_realm /*realm*/,
- krb5_principal */*principal*/,
- struct hx509_certs_data **/*res*/);
-
-/**
- * Register a plugin symbol name of specific type.
- * @param context a Keberos context
- * @param type type of plugin symbol
- * @param name name of plugin symbol
- * @param symbol a pointer to the named symbol
- * @return In case of error a non zero error com_err error is returned
- * and the Kerberos error string is set.
- *
- * @ingroup krb5_support
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_plugin_register (
- krb5_context /*context*/,
- enum krb5_plugin_type /*type*/,
- const char */*name*/,
- void */*symbol*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_prepend_config_files (
- const char */*filelist*/,
- char **/*pq*/,
- char ***/*ret_pp*/);
-
-/**
- * Prepend the filename to the global configuration list.
- *
- * @param filelist a filename to add to the default list of filename
- * @param pfilenames return array of filenames, should be freed with krb5_free_config_files().
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_prepend_config_files_default (
- const char */*filelist*/,
- char ***/*pfilenames*/);
-
-/**
- * Prepend the context full error string for a specific error code.
- * The error that is stored should be internationalized.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param ... printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_prepend_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-/**
- * Deprecated: use krb5_principal_get_realm()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_realm * KRB5_LIB_CALL
-krb5_princ_realm (
- krb5_context /*context*/,
- krb5_principal /*principal*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Deprecated: use krb5_principal_set_realm()
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_princ_set_realm (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_realm */*realm*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Compares the two principals, including realm of the principals and returns
- * TRUE if they are the same and FALSE if not.
- *
- * @param context Kerberos 5 context
- * @param princ1 first principal to compare
- * @param princ2 second principal to compare
- *
- * @ingroup krb5_principal
- * @see krb5_principal_compare_any_realm()
- * @see krb5_realm_compare()
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_compare (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- krb5_const_principal /*princ2*/);
-
-/**
- * Return TRUE iff princ1 == princ2 (without considering the realm)
- *
- * @param context Kerberos 5 context
- * @param princ1 first principal to compare
- * @param princ2 second principal to compare
- *
- * @return non zero if equal, 0 if not
- *
- * @ingroup krb5_principal
- * @see krb5_principal_compare()
- * @see krb5_realm_compare()
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_compare_any_realm (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- krb5_const_principal /*princ2*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_principal_get_comp_string (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- unsigned int /*component*/);
-
-/**
- * Get number of component is principal.
- *
- * @param context Kerberos 5 context
- * @param principal principal to query
- *
- * @return number of components in string
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION unsigned int KRB5_LIB_CALL
-krb5_principal_get_num_comp (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Get the realm of the principal
- *
- * @param context A Kerberos context.
- * @param principal principal to get the realm for
- *
- * @return realm of the principal, don't free or use after krb5_principal is freed
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_principal_get_realm (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Get the type of the principal
- *
- * @param context A Kerberos context.
- * @param principal principal to get the type for
- *
- * @return the type of principal
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_principal_get_type (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns true iff name is WELLKNOWN/ANONYMOUS
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_is_anonymous (
- krb5_context /*context*/,
- krb5_const_principal /*p*/,
- unsigned int /*flags*/);
-
-/**
- * Returns true iff name is an WELLKNOWN:ORG.H5L.HOSTBASED-SERVICE
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_gss_hostbased_service (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Check if the cname part of the principal is a krbtgt principal
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_is_krbtgt (
- krb5_context /*context*/,
- krb5_const_principal /*p*/);
-
-/**
- * Returns true if name is Kerberos an LKDC realm
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_lkdc (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns true if name is Kerberos NULL name
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_null (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Returns true if name is Kerberos an LKDC realm
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_pku2u (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/);
-
-/**
- * Check if the cname part of the principal is a initial or renewed krbtgt principal
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_principal_is_root_krbtgt (
- krb5_context /*context*/,
- krb5_const_principal /*p*/);
-
-/**
- * return TRUE iff princ matches pattern
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_principal_match (
- krb5_context /*context*/,
- krb5_const_principal /*princ*/,
- krb5_const_principal /*pattern*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_principal_set_comp_string (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- unsigned int /*k*/,
- const char */*component*/);
-
-/**
- * Set a new realm for a principal, and as a side-effect free the
- * previous realm.
- *
- * @param context A Kerberos context.
- * @param principal principal set the realm for
- * @param realm the new realm to set
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_principal_set_realm (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_const_realm /*realm*/);
-
-/**
- * Set the type of the principal
- *
- * @param context A Kerberos context.
- * @param principal principal to set the type for
- * @param type the new type
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_principal_set_type (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- int /*type*/);
-
-/**
- * krb5_print_address prints the address in addr to the string string
- * that have the length len. If ret_len is not NULL, it will be filled
- * with the length of the string if size were unlimited (not including
- * the final NUL) .
- *
- * @param addr address to be printed
- * @param str pointer string to print the address into
- * @param len length that will fit into area pointed to by "str".
- * @param ret_len return length the str.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_print_address (
- const krb5_address */*addr*/,
- char */*str*/,
- size_t /*len*/,
- size_t */*ret_len*/);
-
-krb5_error_code
-krb5_process_last_request (
- krb5_context /*context*/,
- krb5_get_init_creds_opt */*options*/,
- krb5_init_creds_context /*ctx*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_program_setup (
- krb5_context */*context*/,
- int /*argc*/,
- char **/*argv*/,
- struct getargs */*args*/,
- int /*num_args*/,
- void (KRB5_LIB_CALL *usage)(int, struct getargs*, int));
-
-KRB5_LIB_FUNCTION int KRB5_CALLCONV
-krb5_prompter_posix (
- krb5_context /*context*/,
- void */*data*/,
- const char */*name*/,
- const char */*banner*/,
- int /*num_prompts*/,
- krb5_prompt prompts[]);
-
-/**
- * Converts the random bytestring to a protocol key according to
- * Kerberos crypto frame work. It may be assumed that all the bits of
- * the input string are equally random, even though the entropy
- * present in the random source may be limited.
- *
- * @param context Kerberos 5 context
- * @param type the enctype resulting key will be of
- * @param data input random data to convert to a key
- * @param size size of input random data, at least krb5_enctype_keysize() long
- * @param key key, output key, free with krb5_free_keyblock_contents()
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_random_to_key (
- krb5_context /*context*/,
- krb5_enctype /*type*/,
- const void */*data*/,
- size_t /*size*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_close (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_default (
- krb5_context /*context*/,
- krb5_rcache */*id*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_default_name (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_default_type (krb5_context /*context*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_destroy (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_expunge (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_get_lifespan (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- krb5_deltat */*auth_lifespan*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_get_name (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
-krb5_rc_get_type (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_initialize (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- krb5_deltat /*auth_lifespan*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_recover (
- krb5_context /*context*/,
- krb5_rcache /*id*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_resolve (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- const char */*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_resolve_full (
- krb5_context /*context*/,
- krb5_rcache */*id*/,
- const char */*string_name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_resolve_type (
- krb5_context /*context*/,
- krb5_rcache */*id*/,
- const char */*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rc_store (
- krb5_context /*context*/,
- krb5_rcache /*id*/,
- krb5_donot_replay */*rep*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_cred (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_data */*in_data*/,
- krb5_creds ***/*ret_creds*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_cred2 (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- krb5_ccache /*ccache*/,
- krb5_data */*in_data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_error (
- krb5_context /*context*/,
- const krb5_data */*msg*/,
- KRB_ERROR */*result*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_priv (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_rep (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_ap_rep_enc_part **/*repl*/);
-
-/**
- * Process an AP_REQ message.
- *
- * @param context Kerberos 5 context.
- * @param auth_context authentication context of the peer.
- * @param inbuf the AP_REQ message, obtained for example with krb5_read_message().
- * @param server server principal.
- * @param keytab server keytab.
- * @param ap_req_options set to the AP_REQ options. See the AP_OPTS_* defines.
- * @param ticket on success, set to the authenticated client credentials.
- * Must be deallocated with krb5_free_ticket(). If not
- * interested, pass a NULL value.
- *
- * @return 0 to indicate success. Otherwise a Kerberos error code is
- * returned, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_const_principal /*server*/,
- krb5_keytab /*keytab*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/);
-
-/**
- * The core server function that verify application authentication
- * requests from clients.
- *
- * @param context Keberos 5 context.
- * @param auth_context the authentication context, can be NULL, then
- * default values for the authentication context will used.
- * @param inbuf the (AP-REQ) authentication buffer
- *
- * @param server the server to authenticate to. If NULL the function
- * will try to find any available credential in the keytab
- * that will verify the reply. The function will prefer the
- * server specified in the AP-REQ, but if
- * there is no mach, it will try all keytab entries for a
- * match. This has serious performance issues for large keytabs.
- *
- * @param inctx control the behavior of the function, if NULL, the
- * default behavior is used.
- * @param outctx the return outctx, free with krb5_rd_req_out_ctx_free().
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_ctx (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_const_principal /*server*/,
- krb5_rd_req_in_ctx /*inctx*/,
- krb5_rd_req_out_ctx */*outctx*/);
-
-/**
- * Allocate a krb5_rd_req_in_ctx as an input parameter to
- * krb5_rd_req_ctx(). The caller should free the context with
- * krb5_rd_req_in_ctx_free() when done with the context.
- *
- * @param context Keberos 5 context.
- * @param ctx in ctx to krb5_rd_req_ctx().
- *
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_ctx_alloc (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx */*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_rd_req_in_ctx_free (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_set_keyblock (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*in*/,
- krb5_keyblock */*keyblock*/);
-
-/**
- * Set the keytab that krb5_rd_req_ctx() will use.
- *
- * @param context Keberos 5 context.
- * @param in in ctx to krb5_rd_req_ctx().
- * @param keytab keytab that krb5_rd_req_ctx() will use, only copy the
- * pointer, so the caller must free they keytab after
- * krb5_rd_req_in_ctx_free() is called.
- *
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_set_keytab (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*in*/,
- krb5_keytab /*keytab*/);
-
-/**
- * Set if krb5_rq_red() is going to check the Windows PAC or not
- *
- * @param context Keberos 5 context.
- * @param in krb5_rd_req_in_ctx to check the option on.
- * @param flag flag to select if to check the pac (TRUE) or not (FALSE).
- *
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_in_set_pac_check (
- krb5_context /*context*/,
- krb5_rd_req_in_ctx /*in*/,
- krb5_boolean /*flag*/);
-
-/**
- * Free the krb5_rd_req_out_ctx.
- *
- * @param context Keberos 5 context.
- * @param ctx krb5_rd_req_out_ctx context to free.
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_rd_req_out_ctx_free (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_ap_req_options (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_flags */*ap_req_options*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_keyblock (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_keyblock **/*keyblock*/);
-
-/**
- * Get the principal that was used in the request from the
- * client. Might not match whats in the ticket if krb5_rd_req_ctx()
- * searched in the keytab for a matching key.
- *
- * @param context a Kerberos 5 context.
- * @param out a krb5_rd_req_out_ctx from krb5_rd_req_ctx().
- * @param principal return principal, free with krb5_free_principal().
- *
- * @ingroup krb5_auth
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_server (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_principal */*principal*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_out_get_ticket (
- krb5_context /*context*/,
- krb5_rd_req_out_ctx /*out*/,
- krb5_ticket **/*ticket*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_req_with_keyblock (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_const_principal /*server*/,
- krb5_keyblock */*keyblock*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_rd_safe (
- krb5_context /*context*/,
- krb5_auth_context /*auth_context*/,
- const krb5_data */*inbuf*/,
- krb5_data */*outbuf*/,
- krb5_replay_data */*outdata*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_read_message (
- krb5_context /*context*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_read_priv_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_read_safe_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-/**
- * return TRUE iff realm(princ1) == realm(princ2)
- *
- * @param context Kerberos 5 context
- * @param princ1 first principal to compare
- * @param princ2 second principal to compare
- *
- * @ingroup krb5_principal
- * @see krb5_principal_compare_any_realm()
- * @see krb5_principal_compare()
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_realm_compare (
- krb5_context /*context*/,
- krb5_const_principal /*princ1*/,
- krb5_const_principal /*princ2*/);
-
-/**
- * Returns true if name is Kerberos an LKDC realm
- *
- * @ingroup krb5_principal
- */
-
-krb5_boolean KRB5_LIB_FUNCTION
-krb5_realm_is_lkdc (const char */*realm*/);
-
-/**
- * Perform the server side of the sendauth protocol.
- *
- * @param context Kerberos 5 context.
- * @param auth_context authentication context of the peer.
- * @param p_fd socket associated to the connection.
- * @param appl_version server-specific string.
- * @param server server principal.
- * @param flags if KRB5_RECVAUTH_IGNORE_VERSION is set, skip the sendauth version
- * part of the protocol.
- * @param keytab server keytab.
- * @param ticket on success, set to the authenticated client credentials.
- * Must be deallocated with krb5_free_ticket(). If not
- * interested, pass a NULL value.
- *
- * @return 0 to indicate success. Otherwise a Kerberos error code is
- * returned, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_recvauth (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_pointer /*p_fd*/,
- const char */*appl_version*/,
- krb5_principal /*server*/,
- int32_t /*flags*/,
- krb5_keytab /*keytab*/,
- krb5_ticket **/*ticket*/);
-
-/**
- * Perform the server side of the sendauth protocol like krb5_recvauth(), but support
- * a user-specified callback, \a match_appl_version, to perform the match of the application
- * version \a match_data.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_recvauth_match_version (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_pointer /*p_fd*/,
- krb5_boolean (*/*match_appl_version*/)(const void *, const char*),
- const void */*match_data*/,
- krb5_principal /*server*/,
- int32_t /*flags*/,
- krb5_keytab /*keytab*/,
- krb5_ticket **/*ticket*/);
-
-/**
- * Read a address block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param adr the address block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_address (
- krb5_storage */*sp*/,
- krb5_address */*adr*/);
-
-/**
- * Read a addresses block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param adr the addresses block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_addrs (
- krb5_storage */*sp*/,
- krb5_addresses */*adr*/);
-
-/**
- * Read a auth data from the storage.
- *
- * @param sp the storage buffer to write to
- * @param auth the auth data block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_authdata (
- krb5_storage */*sp*/,
- krb5_authdata */*auth*/);
-
-/**
- * Read a credentials block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the credentials block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_creds (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Read a tagged credentials block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the credentials block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_creds_tag (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Parse a data from the storage.
- *
- * @param sp the storage buffer to read from
- * @param data the parsed data
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_data (
- krb5_storage */*sp*/,
- krb5_data */*data*/);
-
-/**
- * Read a int16 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int16 (
- krb5_storage */*sp*/,
- int16_t */*value*/);
-
-/**
- * Read a int32 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int32 (
- krb5_storage */*sp*/,
- int32_t */*value*/);
-
-/**
- * Read a int64 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int64 (
- krb5_storage */*sp*/,
- int64_t */*value*/);
-
-/**
- * Read a int8 from storage
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_int8 (
- krb5_storage */*sp*/,
- int8_t */*value*/);
-
-/**
- * Read a keyblock from the storage.
- *
- * @param sp the storage buffer to write to
- * @param p the keyblock read from storage, free using krb5_free_keyblock()
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_keyblock (
- krb5_storage */*sp*/,
- krb5_keyblock */*p*/);
-
-/**
- * Parse principal from the storage.
- *
- * @param sp the storage buffer to read from
- * @param princ the parsed principal
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_principal (
- krb5_storage */*sp*/,
- krb5_principal */*princ*/);
-
-/**
- * Parse a string from the storage.
- *
- * @param sp the storage buffer to read from
- * @param string the parsed string
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_string (
- krb5_storage */*sp*/,
- char **/*string*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_stringnl (
- krb5_storage */*sp*/,
- char **/*string*/);
-
-/**
- * Parse zero terminated string from the storage.
- *
- * @param sp the storage buffer to read from
- * @param string the parsed string
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_stringz (
- krb5_storage */*sp*/,
- char **/*string*/);
-
-/**
- * Read a times block from the storage.
- *
- * @param sp the storage buffer to write to
- * @param times the times block read from storage
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_times (
- krb5_storage */*sp*/,
- krb5_times */*times*/);
-
-/**
- * Read a int16 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint16 (
- krb5_storage */*sp*/,
- uint16_t */*value*/);
-
-/**
- * Read a uint32 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint32 (
- krb5_storage */*sp*/,
- uint32_t */*value*/);
-
-/**
- * Read a uint64 from storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint64 (
- krb5_storage */*sp*/,
- uint64_t */*value*/);
-
-/**
- * Read a uint8 from storage
- *
- * @param sp the storage to write too
- * @param value the value read from the buffer
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ret_uint8 (
- krb5_storage */*sp*/,
- uint8_t */*value*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_salttype_to_string (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- krb5_salttype /*stype*/,
- char **/*string*/);
-
-/**
- * Perform the client side of the sendauth protocol.
- *
- * @param context Kerberos 5 context.
- * @param auth_context Authentication context of the peer.
- * @param p_fd Socket associated to the connection.
- * @param appl_version Server-specific string.
- * @param client Client principal. If NULL, use the credentials in \a ccache.
- * @param server Server principal.
- * @param ap_req_options Options for the AP_REQ message. See the AP_OPTS_* defines in krb5.h.
- * @param in_data FIXME
- * @param in_creds FIXME
- * @param ccache Credentials cache. If NULL, use the default credentials cache.
- * @param ret_error If not NULL, will be set to the error reported by server, if any.
- * Must be deallocated with krb5_free_error_contents().
- * @param rep_result If not NULL, will be set to the EncApRepPart of the AP_REP message.
- * Must be deallocated with krb5_free_ap_rep_enc_part().
- * @param out_creds FIXME If not NULL, will be set to FIXME. Must be deallocated with
- * krb5_free_creds().
- *
- * @return 0 to indicate success. Otherwise a Kerberos error code is
- * returned, see krb5_get_error_message().
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendauth (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_pointer /*p_fd*/,
- const char */*appl_version*/,
- krb5_principal /*client*/,
- krb5_principal /*server*/,
- krb5_flags /*ap_req_options*/,
- krb5_data */*in_data*/,
- krb5_creds */*in_creds*/,
- krb5_ccache /*ccache*/,
- krb5_error **/*ret_error*/,
- krb5_ap_rep_enc_part **/*rep_result*/,
- krb5_creds **/*out_creds*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto (
- krb5_context /*context*/,
- const krb5_data */*send_data*/,
- krb5_krbhst_handle /*handle*/,
- krb5_data */*receive*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_context (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- const krb5_data */*send_data*/,
- krb5_const_realm /*realm*/,
- krb5_data */*receive*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_add_flags (
- krb5_sendto_ctx /*ctx*/,
- int /*flags*/);
-
-/**
- * @section send_to_kdc Locating and sending packets to the KDC
- *
- * The send to kdc code is responsible to request the list of KDC from
- * the locate-kdc subsystem and then send requests to each of them.
- *
- * - Each second a new hostname is tried.
- * - If the hostname have several addresses, the first will be tried
- * directly then in turn the other will be tried every 3 seconds
- * (host_timeout).
- * - UDP requests are tried 3 times, and it tried with a individual timeout of kdc_timeout / 3.
- * - TCP and HTTP requests are tried 1 time.
- *
- * Total wait time shorter then (number of addresses * 3) + kdc_timeout seconds.
- *
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_ctx_alloc (
- krb5_context /*context*/,
- krb5_sendto_ctx */*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_free (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_sendto_ctx_get_flags (krb5_sendto_ctx /*ctx*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_set_func (
- krb5_sendto_ctx /*ctx*/,
- krb5_sendto_ctx_func /*func*/,
- void */*data*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_sendto_ctx_set_type (
- krb5_sendto_ctx /*ctx*/,
- int /*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_kdc (
- krb5_context /*context*/,
- const krb5_data */*send_data*/,
- const krb5_realm */*realm*/,
- krb5_data */*receive*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_kdc_flags (
- krb5_context /*context*/,
- const krb5_data */*send_data*/,
- const krb5_realm */*realm*/,
- krb5_data */*receive*/,
- int /*flags*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sendto_set_hostname (
- krb5_context /*context*/,
- krb5_sendto_ctx /*ctx*/,
- const char */*hostname*/);
-
-/**
- * Reinit the context from a new set of filenames.
- *
- * @param context context to add configuration too.
- * @param filenames array of filenames, end of list is indicated with a NULL filename.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_config_files (
- krb5_context /*context*/,
- char **/*filenames*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_debug_dest (
- krb5_context /*context*/,
- const char */*program*/,
- const char */*log_spec*/);
-
-/**
- * Set the default encryption types that will be use in communcation
- * with the KDC, clients and servers.
- *
- * @param context Kerberos 5 context.
- * @param etypes Encryption types, array terminated with ETYPE_NULL (0).
- * A value of NULL resets the encryption types to the defaults set in the
- * configuration file.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_default_in_tkt_etypes (
- krb5_context /*context*/,
- const krb5_enctype */*etypes*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_default_realm (
- krb5_context /*context*/,
- const char */*realm*/);
-
-/**
- * Set if the library should use DNS to canonicalize hostnames.
- *
- * @param context Kerberos 5 context.
- * @param flag if its dns canonicalizion is used or not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_dns_canonicalize_hostname (
- krb5_context /*context*/,
- krb5_boolean /*flag*/);
-
-/**
- * Set the context full error string for a specific error code.
- * The error that is stored should be internationalized.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param ... printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-/**
- * Set the error message returned by krb5_get_error_string().
- *
- * Deprecated: use krb5_get_error_message()
- *
- * @param context Kerberos context
- * @param fmt error message to free
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_error_string (
- krb5_context /*context*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 2, 3))) KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Set extra address to the address list that the library will add to
- * the client's address list when communicating with the KDC.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to set
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_extra_addresses (
- krb5_context /*context*/,
- const krb5_addresses */*addresses*/);
-
-/**
- * Set version of fcache that the library should use.
- *
- * @param context Kerberos 5 context.
- * @param version version number.
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_fcache_version (
- krb5_context /*context*/,
- int /*version*/);
-
-/**
- * Enable and disable home directory access on either the global state
- * or the krb5_context state. By calling krb5_set_home_dir_access()
- * with context set to NULL, the global state is configured otherwise
- * the state for the krb5_context is modified.
- *
- * For home directory access to be allowed, both the global state and
- * the krb5_context state have to be allowed.
- *
- * @param context a Kerberos 5 context or NULL
- * @param allow allow if TRUE home directory
- * @return the old value
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_set_home_dir_access (
- krb5_context /*context*/,
- krb5_boolean /*allow*/);
-
-/**
- * Set extra addresses to ignore when fetching addresses from the
- * underlaying operating system.
- *
- * @param context Kerberos 5 context.
- * @param addresses addreses to ignore
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_ignore_addresses (
- krb5_context /*context*/,
- const krb5_addresses */*addresses*/);
-
-/**
- * Set current offset in time to the KDC.
- *
- * @param context Kerberos 5 context.
- * @param sec seconds part of offset.
- * @param usec micro seconds part of offset.
- *
- * @return returns zero
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_kdc_sec_offset (
- krb5_context /*context*/,
- int32_t /*sec*/,
- int32_t /*usec*/);
-
-/**
- * Set max time skew allowed.
- *
- * @param context Kerberos 5 context.
- * @param t timeskew in seconds.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_max_time_skew (
- krb5_context /*context*/,
- time_t /*t*/);
-
-/**
- * Change password using creds.
- *
- * @param context a Keberos context
- * @param creds The initial kadmin/passwd for the principal or an admin principal
- * @param newpw The new password to set
- * @param targprinc if unset, the default principal is used.
- * @param result_code Result code, KRB5_KPASSWD_SUCCESS is when password is changed.
- * @param result_code_string binary message from the server, contains
- * at least the result_code.
- * @param result_string A message from the kpasswd service or the
- * library in human printable form. The string is NUL terminated.
- *
- * @return On sucess and *result_code is KRB5_KPASSWD_SUCCESS, the password is changed.
-
- * @ingroup @krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_password (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- const char */*newpw*/,
- krb5_principal /*targprinc*/,
- int */*result_code*/,
- krb5_data */*result_code_string*/,
- krb5_data */*result_string*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_password_using_ccache (
- krb5_context /*context*/,
- krb5_ccache /*ccache*/,
- const char */*newpw*/,
- krb5_principal /*targprinc*/,
- int */*result_code*/,
- krb5_data */*result_code_string*/,
- krb5_data */*result_string*/);
-
-/**
- * Set the absolute time that the caller knows the kdc has so the
- * kerberos library can calculate the relative diffrence beteen the
- * KDC time and local system time.
- *
- * @param context Keberos 5 context.
- * @param sec The applications new of "now" in seconds
- * @param usec The applications new of "now" in micro seconds
-
- * @return Kerberos 5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_real_time (
- krb5_context /*context*/,
- krb5_timestamp /*sec*/,
- int32_t /*usec*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_send_to_kdc_func (
- krb5_context /*context*/,
- krb5_send_to_kdc_func /*func*/,
- void */*data*/);
-
-/**
- * Make the kerberos library default to the admin KDC.
- *
- * @param context Kerberos 5 context.
- * @param flag boolean flag to select if the use the admin KDC or not.
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_set_use_admin_kdc (
- krb5_context /*context*/,
- krb5_boolean /*flag*/);
-
-/**
- * Set the default logging facility.
- *
- * @param context A Kerberos 5 context
- * @param fac Facility to use for logging.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_set_warn_dest (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/);
-
-/**
- * Create a principal for the given service running on the given
- * hostname. If KRB5_NT_SRV_HST is used, the hostname is canonicalized
- * according the configured name canonicalization rules, with
- * canonicalization delayed in some cases. One rule involves DNS, which
- * is insecure unless DNSSEC is used, but we don't use DNSSEC-capable
- * resolver APIs here, so that if DNSSEC is used we wouldn't know it.
- *
- * Canonicalization is immediate (not delayed) only when there is only
- * one canonicalization rule and that rule indicates that we should do a
- * host lookup by name (i.e., DNS).
- *
- * @param context A Kerberos context.
- * @param hostname hostname to use
- * @param sname Service name to use
- * @param type name type of principal, use KRB5_NT_SRV_HST or KRB5_NT_UNKNOWN.
- * @param ret_princ return principal, free with krb5_free_principal().
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sname_to_principal (
- krb5_context /*context*/,
- const char */*hostname*/,
- const char */*sname*/,
- int32_t /*type*/,
- krb5_principal */*ret_princ*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sock_to_principal (
- krb5_context /*context*/,
- int /*sock*/,
- const char */*sname*/,
- int32_t /*type*/,
- krb5_principal */*ret_princ*/);
-
-/**
- * krb5_sockaddr2address stores a address a "struct sockaddr" sa in
- * the krb5_address addr.
- *
- * @param context a Keberos context
- * @param sa a struct sockaddr to extract the address from
- * @param addr an Kerberos 5 address to store the address in.
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sockaddr2address (
- krb5_context /*context*/,
- const struct sockaddr */*sa*/,
- krb5_address */*addr*/);
-
-/**
- * krb5_sockaddr2port extracts a port (if possible) from a "struct
- * sockaddr.
- *
- * @param context a Keberos context
- * @param sa a struct sockaddr to extract the port from
- * @param port a pointer to an int16_t store the port in.
- *
- * @return Return an error code or 0. Will return
- * KRB5_PROG_ATYPE_NOSUPP in case address type is not supported.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_sockaddr2port (
- krb5_context /*context*/,
- const struct sockaddr */*sa*/,
- int16_t */*port*/);
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_sockaddr_is_loopback (const struct sockaddr */*sa*/);
-
-/**
- * krb5_sockaddr_uninteresting returns TRUE for all .Fa sa that the
- * kerberos library thinks are uninteresting. One example are link
- * local addresses.
- *
- * @param sa pointer to struct sockaddr that might be interesting.
- *
- * @return Return a non zero for uninteresting addresses.
- *
- * @ingroup krb5_address
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_std_usage (
- int /*code*/,
- struct getargs */*args*/,
- int /*num_args*/);
-
-/**
- * Clear the flags on a storage buffer
- *
- * @param sp the storage buffer to clear the flags on
- * @param flags the flags to clear
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_clear_flags (
- krb5_storage */*sp*/,
- krb5_flags /*flags*/);
-
-/**
- * Create a elastic (allocating) memory storage backend. Memory is
- * allocated on demand. Free returned krb5_storage with
- * krb5_storage_free().
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_fd()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_socket()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_emem (void);
-
-/**
- * Free a krb5 storage.
- *
- * @param sp the storage to free.
- *
- * @return An Kerberos 5 error code.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_storage_free (krb5_storage */*sp*/);
-
-/**
- * Create a fixed size memory storage block
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_mem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_fd()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_data (krb5_data */*data*/);
-
-/**
- *
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_emem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_socket()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_fd (int /*fd_in*/);
-
-/**
- * Create a fixed size memory storage block
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_fd()
- * @sa krb5_storage_from_socket()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_mem (
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * Create a fixed size memory storage block that is read only
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_mem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_fd()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_readonly_mem (
- const void */*buf*/,
- size_t /*len*/);
-
-/**
- *
- *
- * @return A krb5_storage on success, or NULL on out of memory error.
- *
- * @ingroup krb5_storage
- *
- * @sa krb5_storage_emem()
- * @sa krb5_storage_from_mem()
- * @sa krb5_storage_from_readonly_mem()
- * @sa krb5_storage_from_data()
- * @sa krb5_storage_from_fd()
- */
-
-KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
-krb5_storage_from_socket (krb5_socket_t /*sock_in*/);
-
-/**
- * Sync the storage buffer to its backing store. If there is no
- * backing store this function will return success.
- *
- * @param sp the storage buffer to sync
- *
- * @return A Kerberos 5 error code
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_storage_fsync (krb5_storage */*sp*/);
-
-/**
- * Return the current byteorder for the buffer. See krb5_storage_set_byteorder() for the list or byte order contants.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_flags KRB5_LIB_CALL
-krb5_storage_get_byteorder (krb5_storage */*sp*/);
-
-/**
- * Get the return code that will be used when end of storage is reached.
- *
- * @param sp the storage
- *
- * @return storage error code
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_storage_get_eof_code (krb5_storage */*sp*/);
-
-/**
- * Return true or false depending on if the storage flags is set or
- * not. NB testing for the flag 0 always return true.
- *
- * @param sp the storage buffer to check flags on
- * @param flags The flags to test for
- *
- * @return true if all the flags are set, false if not.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
-krb5_storage_is_flags (
- krb5_storage */*sp*/,
- krb5_flags /*flags*/);
-
-/**
- * Read to the storage buffer.
- *
- * @param sp the storage buffer to read from
- * @param buf the buffer to store the data in
- * @param len the length to read
- *
- * @return The length of data read (can be shorter then len), or negative on error.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_storage_read (
- krb5_storage */*sp*/,
- void */*buf*/,
- size_t /*len*/);
-
-/**
- * Seek to a new offset.
- *
- * @param sp the storage buffer to seek in.
- * @param offset the offset to seek
- * @param whence relateive searching, SEEK_CUR from the current
- * position, SEEK_END from the end, SEEK_SET absolute from the start.
- *
- * @return The new current offset
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
-krb5_storage_seek (
- krb5_storage */*sp*/,
- off_t /*offset*/,
- int /*whence*/);
-
-/**
- * Set the new byte order of the storage buffer.
- *
- * @param sp the storage buffer to set the byte order for.
- * @param byteorder the new byte order.
- *
- * The byte order are: KRB5_STORAGE_BYTEORDER_BE,
- * KRB5_STORAGE_BYTEORDER_LE and KRB5_STORAGE_BYTEORDER_HOST.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_byteorder (
- krb5_storage */*sp*/,
- krb5_flags /*byteorder*/);
-
-/**
- * Set the return code that will be used when end of storage is reached.
- *
- * @param sp the storage
- * @param code the error code to return on end of storage
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_eof_code (
- krb5_storage */*sp*/,
- int /*code*/);
-
-/**
- * Add the flags on a storage buffer by or-ing in the flags to the buffer.
- *
- * @param sp the storage buffer to set the flags on
- * @param flags the flags to set
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_flags (
- krb5_storage */*sp*/,
- krb5_flags /*flags*/);
-
-/**
- * Set the max alloc value
- *
- * @param sp the storage buffer set the max allow for
- * @param size maximum size to allocate, use 0 to remove limit
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_storage_set_max_alloc (
- krb5_storage */*sp*/,
- size_t /*size*/);
-
-/**
- * Copy the contnent of storage
- *
- * @param sp the storage to copy to a data
- * @param data the copied data, free with krb5_data_free()
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_storage_to_data (
- krb5_storage */*sp*/,
- krb5_data */*data*/);
-
-/**
- * Truncate the storage buffer in sp to offset.
- *
- * @param sp the storage buffer to truncate.
- * @param offset the offset to truncate too.
- *
- * @return An Kerberos 5 error code.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_storage_truncate (
- krb5_storage */*sp*/,
- off_t /*offset*/);
-
-/**
- * Write to the storage buffer.
- *
- * @param sp the storage buffer to write to
- * @param buf the buffer to write to the storage buffer
- * @param len the length to write
- *
- * @return The length of data written (can be shorter then len), or negative on error.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
-krb5_storage_write (
- krb5_storage */*sp*/,
- const void */*buf*/,
- size_t /*len*/);
-
-/**
- * Write a address block to storage.
- *
- * @param sp the storage buffer to write to
- * @param p the address block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_address (
- krb5_storage */*sp*/,
- krb5_address /*p*/);
-
-/**
- * Write a addresses block to storage.
- *
- * @param sp the storage buffer to write to
- * @param p the addresses block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_addrs (
- krb5_storage */*sp*/,
- krb5_addresses /*p*/);
-
-/**
- * Write a auth data block to storage.
- *
- * @param sp the storage buffer to write to
- * @param auth the auth data block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_authdata (
- krb5_storage */*sp*/,
- krb5_authdata /*auth*/);
-
-/**
- * Write a credentials block to storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the creds block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_creds (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Write a tagged credentials block to storage.
- *
- * @param sp the storage buffer to write to
- * @param creds the creds block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_creds_tag (
- krb5_storage */*sp*/,
- krb5_creds */*creds*/);
-
-/**
- * Store a data to the storage. The data is stored with an int32 as
- * lenght plus the data (not padded).
- *
- * @param sp the storage buffer to write to
- * @param data the buffer to store.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_data (
- krb5_storage */*sp*/,
- krb5_data /*data*/);
-
-/**
- * Store a int16 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int16 (
- krb5_storage */*sp*/,
- int16_t /*value*/);
-
-/**
- * Store a int32 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int32 (
- krb5_storage */*sp*/,
- int32_t /*value*/);
-
-/**
- * Store a int64 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int64 (
- krb5_storage */*sp*/,
- int64_t /*value*/);
-
-/**
- * Store a int8 to storage.
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_int8 (
- krb5_storage */*sp*/,
- int8_t /*value*/);
-
-/**
- * Store a keyblock to the storage.
- *
- * @param sp the storage buffer to write to
- * @param p the keyblock to write
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_keyblock (
- krb5_storage */*sp*/,
- krb5_keyblock /*p*/);
-
-/**
- * Write a principal block to storage.
- *
- * @param sp the storage buffer to write to
- * @param p the principal block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_principal (
- krb5_storage */*sp*/,
- krb5_const_principal /*p*/);
-
-/**
- * Store a string to the buffer. The data is formated as an len:uint32
- * plus the string itself (not padded).
- *
- * @param sp the storage buffer to write to
- * @param s the string to store.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_string (
- krb5_storage */*sp*/,
- const char */*s*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_stringnl (
- krb5_storage */*sp*/,
- const char */*s*/);
-
-/**
- * Store a zero terminated string to the buffer. The data is stored
- * one character at a time until a NUL is stored.
- *
- * @param sp the storage buffer to write to
- * @param s the string to store.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_stringz (
- krb5_storage */*sp*/,
- const char */*s*/);
-
-/**
- * Write a times block to storage.
- *
- * @param sp the storage buffer to write to
- * @param times the times block to write.
- *
- * @return 0 on success, a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_times (
- krb5_storage */*sp*/,
- krb5_times /*times*/);
-
-/**
- * Store a uint16 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint16 (
- krb5_storage */*sp*/,
- uint16_t /*value*/);
-
-/**
- * Store a uint32 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint32 (
- krb5_storage */*sp*/,
- uint32_t /*value*/);
-
-/**
- * Store a uint64 to storage, byte order is controlled by the settings
- * on the storage, see krb5_storage_set_byteorder().
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint64 (
- krb5_storage */*sp*/,
- uint64_t /*value*/);
-
-/**
- * Store a uint8 to storage.
- *
- * @param sp the storage to write too
- * @param value the value to store
- *
- * @return 0 for success, or a Kerberos 5 error code on failure.
- *
- * @ingroup krb5_storage
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_store_uint8 (
- krb5_storage */*sp*/,
- uint8_t /*value*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_deltat (
- const char */*string*/,
- krb5_deltat */*deltat*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_enctype (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_enctype */*etype*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const char */*password*/,
- krb5_principal /*principal*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_data (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_data /*password*/,
- krb5_principal /*principal*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_data_salt (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_data /*password*/,
- krb5_salt /*salt*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_data_salt_opaque (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- krb5_data /*password*/,
- krb5_salt /*salt*/,
- krb5_data /*opaque*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_derived (
- krb5_context /*context*/,
- const void */*str*/,
- size_t /*len*/,
- krb5_enctype /*etype*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_salt (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const char */*password*/,
- krb5_salt /*salt*/,
- krb5_keyblock */*key*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_key_salt_opaque (
- krb5_context /*context*/,
- krb5_enctype /*enctype*/,
- const char */*password*/,
- krb5_salt /*salt*/,
- krb5_data /*opaque*/,
- krb5_keyblock */*key*/);
-
-/**
- * Deprecated: keytypes doesn't exists, they are really enctypes in
- * most cases, use krb5_string_to_enctype().
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_keytype (
- krb5_context /*context*/,
- const char */*string*/,
- krb5_keytype */*keytype*/)
- KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_string_to_salttype (
- krb5_context /*context*/,
- krb5_enctype /*etype*/,
- const char */*string*/,
- krb5_salttype */*salttype*/);
-
-/**
- * Extract the authorization data type of type from the ticket. Store
- * the field in data. This function is to use for kerberos
- * applications.
- *
- * @param context a Kerberos 5 context
- * @param ticket Kerberos ticket
- * @param type type to fetch
- * @param data returned data, free with krb5_data_free()
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ticket_get_authorization_data_type (
- krb5_context /*context*/,
- krb5_ticket */*ticket*/,
- int /*type*/,
- krb5_data */*data*/);
-
-/**
- * Return client principal in ticket
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to copy
- * @param client client principal, free with krb5_free_principal()
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ticket_get_client (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/,
- krb5_principal */*client*/);
-
-/**
- * Return end time of ticket
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to copy
- *
- * @return end time of ticket
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
-krb5_ticket_get_endtime (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/);
-
-/**
- * Get the flags from the Kerberos ticket
- *
- * @param context Kerberos context
- * @param ticket Kerberos ticket
- *
- * @return ticket flags
- *
- * @ingroup krb5_ticket
- */
-
-KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
-krb5_ticket_get_flags (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/);
-
-/**
- * Return server principal in ticket
- *
- * @param context a Kerberos 5 context
- * @param ticket ticket to copy
- * @param server server principal, free with krb5_free_principal()
- *
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
- *
- * @ingroup krb5
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_ticket_get_server (
- krb5_context /*context*/,
- const krb5_ticket */*ticket*/,
- krb5_principal */*server*/);
-
-/**
- * If the caller passes in a negative usec, its assumed to be
- * unknown and the function will use the current time usec.
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_timeofday (
- krb5_context /*context*/,
- krb5_timestamp */*timeret*/);
-
-/**
- * Unparse the Kerberos name into a string
- *
- * @param context Kerberos 5 context
- * @param principal principal to query
- * @param name resulting string, free with krb5_xfree()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char **/*name*/);
-
-/**
- * Unparse the principal name to a fixed buffer
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param name buffer to write name to
- * @param len length of buffer
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_fixed (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char */*name*/,
- size_t /*len*/);
-
-/**
- * Unparse the principal name with unparse flags to a fixed buffer.
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param flags unparse flags
- * @param name buffer to write name to
- * @param len length of buffer
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_fixed_flags (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- int /*flags*/,
- char */*name*/,
- size_t /*len*/);
-
-/**
- * Unparse the principal name to a fixed buffer. The realm is skipped
- * if its a default realm.
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param name buffer to write name to
- * @param len length of buffer
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_fixed_short (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char */*name*/,
- size_t /*len*/);
-
-/**
- * Unparse the Kerberos name into a string
- *
- * @param context Kerberos 5 context
- * @param principal principal to query
- * @param flags flag to determine the behavior
- * @param name resulting string, free with krb5_xfree()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_flags (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- int /*flags*/,
- char **/*name*/);
-
-/**
- * Unparse the principal name to a allocated buffer. The realm is
- * skipped if its a default realm.
- *
- * @param context A Kerberos context.
- * @param principal principal to unparse
- * @param name returned buffer, free with krb5_xfree()
- *
- * @return An krb5 error code, see krb5_get_error_message().
- *
- * @ingroup krb5_principal
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_unparse_name_short (
- krb5_context /*context*/,
- krb5_const_principal /*principal*/,
- char **/*name*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_us_timeofday (
- krb5_context /*context*/,
- krb5_timestamp */*sec*/,
- int32_t */*usec*/);
-
-/**
- * Log a warning to the log, default stderr, include bthe error from
- * the last failure and then abort.
- *
- * @param context A Kerberos 5 context
- * @param code error code of the last error
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vabort (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vabortx (
- krb5_context /*context*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 2, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_ap_req (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_ap_req */*ap_req*/,
- krb5_const_principal /*server*/,
- krb5_keyblock */*keyblock*/,
- krb5_flags /*flags*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_ap_req2 (
- krb5_context /*context*/,
- krb5_auth_context */*auth_context*/,
- krb5_ap_req */*ap_req*/,
- krb5_const_principal /*server*/,
- krb5_keyblock */*keyblock*/,
- krb5_flags /*flags*/,
- krb5_flags */*ap_req_options*/,
- krb5_ticket **/*ticket*/,
- krb5_key_usage /*usage*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_authenticator_checksum (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- void */*data*/,
- size_t /*len*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_checksum (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- krb5_key_usage /*usage*/,
- void */*data*/,
- size_t /*len*/,
- Checksum */*cksum*/);
-
-/**
- * Verify a Kerberos message checksum.
- *
- * @param context Kerberos context
- * @param crypto Kerberos crypto context
- * @param usage Key usage for this buffer
- * @param data array of buffers to process
- * @param num_data length of array
- * @param type return checksum type if not NULL
- *
- * @return Return an error code or 0.
- * @ingroup krb5_crypto
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_checksum_iov (
- krb5_context /*context*/,
- krb5_crypto /*crypto*/,
- unsigned /*usage*/,
- krb5_crypto_iov */*data*/,
- unsigned int /*num_data*/,
- krb5_cksumtype */*type*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_init_creds (
- krb5_context /*context*/,
- krb5_creds */*creds*/,
- krb5_principal /*ap_req_server*/,
- krb5_keytab /*ap_req_keytab*/,
- krb5_ccache */*ccache*/,
- krb5_verify_init_creds_opt */*options*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_init_creds_opt_set_ap_req_nofail (
- krb5_verify_init_creds_opt */*options*/,
- int /*ap_req_nofail*/);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-krb5_verify_opt_alloc (
- krb5_context /*context*/,
- krb5_verify_opt **/*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_free (krb5_verify_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_init (krb5_verify_opt */*opt*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_ccache (
- krb5_verify_opt */*opt*/,
- krb5_ccache /*ccache*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_flags (
- krb5_verify_opt */*opt*/,
- unsigned int /*flags*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_keytab (
- krb5_verify_opt */*opt*/,
- krb5_keytab /*keytab*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_secure (
- krb5_verify_opt */*opt*/,
- krb5_boolean /*secure*/);
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_verify_opt_set_service (
- krb5_verify_opt */*opt*/,
- const char */*service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_user (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_ccache /*ccache*/,
- const char */*password*/,
- krb5_boolean /*secure*/,
- const char */*service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_user_lrealm (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- krb5_ccache /*ccache*/,
- const char */*password*/,
- krb5_boolean /*secure*/,
- const char */*service*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verify_user_opt (
- krb5_context /*context*/,
- krb5_principal /*principal*/,
- const char */*password*/,
- krb5_verify_opt */*opt*/);
-
-/**
- * Log a warning to the log, default stderr, include bthe error from
- * the last failure and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param code error code of the last error
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verr (
- krb5_context /*context*/,
- int /*eval*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 4, 0)));
-
-/**
- * Log a warning to the log, default stderr, and then exit.
- *
- * @param context A Kerberos 5 context
- * @param eval the exit code to exit with
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_verrx (
- krb5_context /*context*/,
- int /*eval*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vlog (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- int /*level*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 4, 0)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vlog_msg (
- krb5_context /*context*/,
- krb5_log_facility */*fac*/,
- char **/*reply*/,
- int /*level*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 5, 0)));
-
-/**
- * Prepend the contexts's full error string for a specific error code.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param args printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_vprepend_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- va_list /*args*/)
- __attribute__ ((__format__ (__printf__, 3, 0)));
-
-/**
- * Set the context full error string for a specific error code.
- *
- * The if context is NULL, no error string is stored.
- *
- * @param context Kerberos 5 context
- * @param ret The error code
- * @param fmt Error string for the error code
- * @param args printf(3) style parameters.
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-krb5_vset_error_message (
- krb5_context /*context*/,
- krb5_error_code /*ret*/,
- const char */*fmt*/,
- va_list /*args*/)
- __attribute__ ((__format__ (__printf__, 3, 0)));
-
-/**
- * Set the error message returned by krb5_get_error_string(),
- * deprecated, use krb5_set_error_message().
- *
- * Deprecated: use krb5_vset_error_message()
- *
- * @param context Kerberos context
- * @param fmt error message to free
- * @param args variable argument list vector
- *
- * @return Return an error code or 0.
- *
- * @ingroup krb5_deprecated
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vset_error_string (
- krb5_context /*context*/,
- const char */*fmt*/,
- va_list /*args*/)
- __attribute__ ((__format__ (__printf__, 2, 0))) KRB5_DEPRECATED_FUNCTION("Use X instead");
-
-/**
- * Log a warning to the log, default stderr, include the error from
- * the last failure.
- *
- * @param context A Kerberos 5 context.
- * @param code error code of the last error
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vwarn (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 3, 0)));
-
-/**
- * Log a warning to the log, default stderr.
- *
- * @param context A Kerberos 5 context.
- * @param fmt message to print
- * @param ap arguments
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_vwarnx (
- krb5_context /*context*/,
- const char */*fmt*/,
- va_list /*ap*/)
- __attribute__ ((__format__ (__printf__, 2, 0)));
-
-/**
- * Log a warning to the log, default stderr, include the error from
- * the last failure.
- *
- * @param context A Kerberos 5 context.
- * @param code error code of the last error
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_warn (
- krb5_context /*context*/,
- krb5_error_code /*code*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 3, 4)));
-
-/**
- * Log a warning to the log, default stderr.
- *
- * @param context A Kerberos 5 context.
- * @param fmt message to print
- *
- * @ingroup krb5_error
- */
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_warnx (
- krb5_context /*context*/,
- const char */*fmt*/,
- ...)
- __attribute__ ((__format__ (__printf__, 2, 3)));
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_write_message (
- krb5_context /*context*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_write_priv_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_write_safe_message (
- krb5_context /*context*/,
- krb5_auth_context /*ac*/,
- krb5_pointer /*p_fd*/,
- krb5_data */*data*/);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_xfree (void */*ptr*/);
-
-#ifdef __cplusplus
-}
-#endif
-
-#undef KRB5_DEPRECATED_FUNCTION
-
-#endif /* DOXY */
-#endif /* __krb5_protos_h__ */
diff --git a/lib/krb5/krb5-v4compat.h b/lib/krb5/krb5-v4compat.h
deleted file mode 100644
index 324c8c1d3c89..000000000000
--- a/lib/krb5/krb5-v4compat.h
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id$ */
-
-#ifndef __KRB5_V4COMPAT_H__
-#define __KRB5_V4COMPAT_H__
-
-#include "krb_err.h"
-
-/*
- * This file must only be included with v4 compat glue stuff in
- * heimdal sources.
- *
- * It MUST NOT be installed.
- */
-
-#define KRB_PROT_VERSION 4
-
-#define AUTH_MSG_KDC_REQUEST (1<<1)
-#define AUTH_MSG_KDC_REPLY (2<<1)
-#define AUTH_MSG_APPL_REQUEST (3<<1)
-#define AUTH_MSG_APPL_REQUEST_MUTUAL (4<<1)
-#define AUTH_MSG_ERR_REPLY (5<<1)
-#define AUTH_MSG_PRIVATE (6<<1)
-#define AUTH_MSG_SAFE (7<<1)
-#define AUTH_MSG_APPL_ERR (8<<1)
-#define AUTH_MSG_KDC_FORWARD (9<<1)
-#define AUTH_MSG_KDC_RENEW (10<<1)
-#define AUTH_MSG_DIE (63<<1)
-
-/* General definitions */
-#define KSUCCESS 0
-#define KFAILURE 255
-
-/* */
-
-#define MAX_KTXT_LEN 1250
-
-#define ANAME_SZ 40
-#define REALM_SZ 40
-#define SNAME_SZ 40
-#define INST_SZ 40
-
-struct ktext {
- unsigned int length; /* Length of the text */
- unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
- uint32_t mbz; /* zero to catch runaway strings */
-};
-
-struct credentials {
- char service[ANAME_SZ]; /* Service name */
- char instance[INST_SZ]; /* Instance */
- char realm[REALM_SZ]; /* Auth domain */
- char session[8]; /* Session key */
- int lifetime; /* Lifetime */
- int kvno; /* Key version number */
- struct ktext ticket_st; /* The ticket itself */
- int32_t issue_date; /* The issue time */
- char pname[ANAME_SZ]; /* Principal's name */
- char pinst[INST_SZ]; /* Principal's instance */
-};
-
-#define TKTLIFENUMFIXED 64
-#define TKTLIFEMINFIXED 0x80
-#define TKTLIFEMAXFIXED 0xBF
-#define TKTLIFENOEXPIRE 0xFF
-#define MAXTKTLIFETIME (30*24*3600) /* 30 days */
-#ifndef NEVERDATE
-#define NEVERDATE ((time_t)0x7fffffffL)
-#endif
-
-#define KERB_ERR_NULL_KEY 10
-
-#define CLOCK_SKEW 5*60
-
-#ifndef TKT_ROOT
-#ifdef KRB5_USE_PATH_TOKENS
-#define TKT_ROOT "%{TEMP}/tkt"
-#else
-#define TKT_ROOT "/tmp/tkt"
-#endif
-#endif
-
-struct _krb5_krb_auth_data {
- int8_t k_flags; /* Flags from ticket */
- char *pname; /* Principal's name */
- char *pinst; /* His Instance */
- char *prealm; /* His Realm */
- uint32_t checksum; /* Data checksum (opt) */
- krb5_keyblock session; /* Session Key */
- unsigned char life; /* Life of ticket */
- uint32_t time_sec; /* Time ticket issued */
- uint32_t address; /* Address in ticket */
-};
-
-KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
-_krb5_krb_life_to_time (int, int);
-
-KRB5_LIB_FUNCTION int KRB5_LIB_CALL
-_krb5_krb_time_to_life (time_t, time_t);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_krb_tf_setup (krb5_context, struct credentials *,
- const char *, int);
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_krb_dest_tkt(krb5_context, const char *);
-
-#define krb_time_to_life _krb5_krb_time_to_life
-#define krb_life_to_time _krb5_krb_life_to_time
-
-#endif /* __KRB5_V4COMPAT_H__ */
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 8a0f0847a487..41b2d3b40791 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -54,6 +54,7 @@ The grammar looks like:
file:
/* empty */
sections
+ includes
sections:
section sections
@@ -76,10 +77,23 @@ binding:
name:
STRING
+includes:
+ 'include' path
+ 'includedir' path
+
+path: STRING
+
.Ed
.Li STRINGs
consists of one or more non-whitespace characters.
.Pp
+Files and directories may be included by absolute path, with percent
+token expansion (see the TOKEN EXPANSION section). Including a
+directory causes all files in the directory to be included as if each
+file had been included separately, but only files whose names consist of
+alphanumeric, hyphen, and underscore are included, though they may also
+end in '.conf'.
+.Pp
STRINGs that are specified later in this man-page uses the following
notation.
.Bl -tag -width "xxx" -offset indent
@@ -91,8 +105,8 @@ Example: 1 month 2 days 30 min.
If no unit is given, seconds is assumed.
.It etypes
valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5,
-des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and
-aes256-cts-hmac-sha1-96 .
+des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96,
+aes128-cts-hmac-sha256-128, and aes256-cts-hmac-sha384-192.
.It address
an address can be either a IPv4 or a IPv6 address.
.El
@@ -148,6 +162,31 @@ If a principal argument is specified, it is used as an explicit realm name for
anonymous pkinit even without an
.Li @
prefix.
+.It Li delegate-destination-tgt = Va boolean
+When forwarding credentials to a remote host, forward a TGT for the
+realm of the destination host rather than a TGT for the user's realm.
+This is useful when hosts in the remote realm should not or cannot
+(e.g. firewalled from user realm's KDC) obtain tickets for services
+in the user's realm. When the user's realm and the host's realm are
+the same, this parameter has no effect. The setting can be applied
+to a single realm as follows:
+.Bd -literal -offset indent
+EXAMPLE.COM = {
+ delegate-destination-tgt = true
+}
+.Ed
+.It Li pkinit_pool = Va HX509-STORE
+This is a multi-valued parameter naming one or more stores of
+intermediate certification authority (CA) certificates for the
+client's end entity certificate.
+.It Li pkinit_anchors = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+anchors for PKINIT KDC certificates.
+.It Li pkinit_revoke = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+of CRLs for the issuers of PKINIT KDC certificates.
+If no CRLs are configured, then CRLs will not be checked.
+This is because hx509 currently lacks support.
.El
.It Li [libdefaults]
.Bl -tag -width "xxx" -offset indent
@@ -180,10 +219,30 @@ sets the default credentials type.
the default credentials cache name.
If you want to change the type only use
.Li default_cc_type .
-The string can contain variables that are expanded on runtime.
-The Only supported variable currently is
-.Li %{uid}
-which expands to the current user id.
+The string can contain variables that are expanded at runtime. See the TOKEN
+EXPANSION section.
+.It Li default_file_cache_collections = Va FILE:/path/with/tokens ...
+This multi-valued parameter allows more than one path to be
+configured for the FILE credentials cache type to look in. The FILE
+credentials cache type will also consider file names whose prefixes
+match these and end in
+.Va +name
+as subsidiary caches in the collection. The values of this
+parameter are subject to token expansion. See the TOKEN EXPANSION
+section.
+.It Li enable_file_cache_iteration = Va boolean
+If enabled, the
+.Va FILE
+credential cache type will support iteration of all subsidiary
+caches in the default collection, meaning that
+.Xr kinit 1
+.Va -l
+option will list them. This does require scanning the directory
+containing a given
+.Va FILE
+ccache, which, if it is
+.Va /tmp
+may be a slow operation. Defaults to false.
.It Li default_etypes = Va etypes ...
A list of default encryption types to use. (Default: all enctypes if
allow_weak_crypto = TRUE, else all enctypes except single DES enctypes.)
@@ -198,10 +257,25 @@ A list of default encryption types to use when requesting a DES credential.
.It Li default_keytab_name = Va keytab
The keytab to use if no other is specified, default is
.Dq FILE:/etc/krb5.keytab .
+.It Li default_client_keytab_name = Va keytab
+The keytab to use for client credential acquisition if no other is
+specified, default is
+.Dq FILE:%{LOCALSTATEDIR}/user/%{euid}/client.keytab .
+See the TOKEN EXPANSION section.
.It Li dns_lookup_kdc = Va boolean
Use DNS SRV records to lookup KDC services location.
.It Li dns_lookup_realm = Va boolean
Use DNS TXT records to lookup domain to realm mappings.
+.It Li enforce_ok_as_delegate = Va boolean
+If this flag to true, GSSAPI credential delegation will be
+disabled when the
+.Ar ok-as-delegate
+flag is not set in the service ticket.
+If this flag is false, the
+.Ar ok-as-delegate
+ticket flag is only enforced when an application specifically
+requests enforcement.
+The default value is false.
.It Li kdc_timesync = Va boolean
Try to keep track of the time differential between the local machine
and the KDC, and then compensate for that when issuing requests.
@@ -264,7 +338,8 @@ this is very useful when the GSS-API server input the
wrong server name into the gss_accept_sec_context call.
.It Li k5login_directory = Va directory
Alternative location for user .k5login files. This option is provided
-for compatibility with MIT krb5 configuration files.
+for compatibility with MIT krb5 configuration files. This path is
+subject to percent token expansion (see TOKEN EXPANSION).
.It Li k5login_authoritative = Va boolean
If true then if a principal is not found in k5login files then
.Xr krb5_userok 3
@@ -324,6 +399,40 @@ be allowed to run.
.It Li fcache_strict_checking
strict checking in FILE credential caches that owner, no symlink and
permissions is correct.
+.It Li moduli = Va FILE
+Names a file that contains acceptable modular Diffie-Hellman
+groups for PKINIT.
+The given file should contain lines with whitespace-separated
+fields in this order:
+.Va name, nbits, p, g, q .
+Lines starting with a
+.Va #
+are comments.
+.It Li pkinit_dh_min_bits = Va NUMBER
+PKINIT client's minimum acceptable modular Diffie-Hellman public
+key size in bits.
+.It Li enable-kx509 = Va boolean
+Enable use of kx509 so that every TGT that can has a corresponding
+PKIX certificate. Default: false.
+.It Li kx509_gen_key_type = Va public-key-type
+Type of public key for kx509 private key generation. Defaults to
+.Va rsa
+and currently only
+.Va rsa
+is supported.
+.It Li kx509_gen_rsa_key_size = Va number-of-bits
+RSA key size for kx509. Defaults to 2048.
+.It Li kx509_store = path
+A file path into which to write a certificate obtained with
+kx509, and its private key, when attempting kx509 optimistically
+using credentials from a default ccache. Tokens will be
+expanded.
+.It Li kx509_hostname = Va hostname
+If set, then the kx509 client will use this hostname for the
+kx509 service. This can also be set in the
+.Li [realm]
+section on a per-realm basis. If not set then a TGS name will be
+used.
.It Li name_canon_rules = Va rules
One or more service principal name canonicalization rules. Each rule
consists of one or more tokens separated by colon (':'). Currently
@@ -416,9 +525,40 @@ Defaults to true.
Note, absent an explicit setting, hierarchical capaths are always used by
the KDC when generating a referral to a destination with which is no direct
trust.
+.It Li client_aware_channel_bindings = Va boolean
+If this flag is true, then all application protocol authentication
+requests will be flagged to indicate that the application supports
+channel bindings when operating over a secure channel.
+The default value is false.
+.It Li check_pac = Va boolean
+If this flag is true and a Windows Privilege Attribute Certificate (PAC)
+is present in the ticket authorization data, then
+.Xr krb5_rd_req 3
+will validate the PAC before returning success. The default value is true.
+.It Li report_canonical_client_name = Va boolean
+If this flag is true, then the canonical client name from the PAC will
+be used instead of the client name in the ticket. The default value is false.
+Note that setting it to true implicitly sets
+.Va check_pac
+to true.
.El
.It Li [domain_realm]
This is a list of mappings from DNS domain to Kerberos realm.
+.Pp
+It is used by the client and the TGS both to determine the realm
+of host-based service principal names based on the principal's
+hostname component.
+.Pp
+The client may try DNS to determine a host's realm; see the
+`dns_lookup_realm' parameter, and see below.
+.Pp
+The TGS will issue a referral when a host-based service does not
+exist in the requested realm but can be mapped with these rules
+to a different realm.
+The TGS will also issue a referral when a host-based service
+exists in the requested realm as an alias of a service in another
+realm.
+.Pp
Each binding in this section looks like:
.Pp
.Dl domain = realm
@@ -534,6 +674,39 @@ No additional principal to username mapping is done. Note that
and any preceding
.Va auth_to_local
rules have precedence.
+.It Li pkinit_require_eku = BOOL
+If
+.Va true
+then the KDC PKINIT Extended Key Usage (EKU) OID (1.3.6.5.2.3.5)
+must be present in KDCs' PKINIT certificates.
+Defaults to
+.Va true .
+.It Li pkinit_require_krbtgt_otherName = BOOL
+If
+.Va true
+then the PKINIT Subject Alternative Name (SAN) for the TGS must
+be present in KDCs' PKINIT certificates, and must match their
+realm.
+Defaults to
+.Va true .
+.It Li pkinit_require_hostname_match = BOOL
+If
+.Va true
+then KDCs' PKINIT certificates must match their hostnames.
+Defaults to
+.Va false .
+.It Li pkinit_trustedCertifiers = BOOL
+If
+.Va true
+then PKINIT client will tell KDCs which trust anchors it trusts.
+Defaults to
+.Va true .
+.It Li disable_pac = BOOL
+If
+.Va true
+then the KDC will not sign tickets with PAC, which disables S4U2Proxy support.
+Defaults to
+.Va false .
.El
.It Li }
.El
@@ -649,11 +822,180 @@ target service principal's hdb entry's current keyset. Defaults to TRUE.
.It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests.
.\" XXX
+.It Li warn_ticket_addresses = Va BOOL
+Warn about, but allow, usage of tickets from hosts that don't match the
+addresses in the tickets.
.It Li allow-null-ticket-addresses = Va BOOL
Allow address-less tickets.
.\" XXX
+.It Li disable_pac = Va BOOL
+Do not include a PAC in service tickets.
+However, if a service has the
+.Li auth-data-reqd
+attribute then the KDC will include a PAC anyways.
+.It Li enable_fast = Va BOOL
+Enable RFC 6113 FAST support, this is enabled by default.
+.It Li enable_armored_pa_enc_timestamp = Va BOOL
+Enable armored encrypted timestamp pre-authentication with key
+strengthening.
+RFC 6113 says not to use PA-ENC-TIMESTAMP in FAST armored tunnels
+as there is a newer replacement, PA-ENC-CHALLENGE, but for
+interoperability with earlier versions of Heimdal, this is
+enabled by default for now.
+.It Li enable_unarmored_pa_enc_timestamp = Va BOOL
+Enable unarmored encrypted timestamp pre-authentication.
+Enabled by default for now, but in a future release will be
+disabled.
+.It Li enable-pkinit = Va BOOL
+Enable PKINIT (disabled by default).
.It Li allow-anonymous = Va BOOL
If the kdc is allowed to hand out anonymous tickets.
+.It Li synthetic_clients = Va BOOL
+If enabled then the KDC will issue tickets for clients that don't
+exist in the HDB provided that they use PKINIT, that PKINIT is
+enabled, and that the client's have certificates with PKINIT
+subject alternative names (SANs).
+.It Li synthetic_clients_max_life = Va TIME
+Maximum ticket lifetime for synthetic clients.
+Default: 5 minutes.
+.It Li synthetic_clients_max_renew = Va TIME
+Maximum ticket renewable lifetime for synthetic clients.
+Default: 5 minutes.
+.It Li pkinit_identity = Va HX509-STORE
+This is an HX509 store containing the KDC's PKINIT credential
+(private key and end-entity certificate).
+This is single valued, though multiple stores can be specified by
+separating them with commas.
+An
+.Va HX509-STORE
+is of the form
+.Va TYPE:name
+where
+.Va TYPE
+is one of
+.Va FILE, Va PEM-FILE, Va DER-FILE, Va PKCS12, Va PKCS11,
+or on OX X,
+.Va KEYCHAIN .
+The form of the
+.Va name
+depends on the
+.Va TYPE .
+For
+.Va FILE, Va PEM-FILE, Va DER-FILE,
+and
+.Va PKCS12
+the
+.Va name
+is a file path.
+See the Heimdal hx509 documentation for more information.
+.It Li pkinit_pool = Va HX509-STORE
+This is a multi-valued parameter naming one or more stores of
+intermediate certification authority (CA) certificates for the
+KDC's end entity certificate.
+.It Li pkinit_anchors = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+anchors for PKINIT client certificates.
+Note that the
+.Va DIR
+type of
+.Va HX509-STORE
+is also supported here.
+.Va DIR
+type stores are OpenSSL-style CA certificate hash directories.
+.It Li pkinit_revoke = Va HX509-STORE ...
+This is a multi-valued parameter naming one or more stores of
+of CRLs for the issuers of PKINIT client certificates.
+If no CRLs are configured, then CRLs will not be checked.
+This is because the KDC will not dereference CRL distribution
+points nor request OCSP responses.
+.It Li pkinit_kdc_ocsp = Va PATH
+This names a file whose contents is the DER encoding of an
+OCSPResponse for the KDC's end entity certificate.
+.It Li pkinit_kdc_friendly_name = Va NAME
+This is an optional friendly name of the KDC's end entity
+certificate.
+This is only helpful when the
+.Li pkinit_identity
+store contains many credentials.
+.It Li pkinit_principal_in_certificate = Va BOOL
+If set to
+.Va true
+then the KDC will match AS-REQ client principal names to the
+PKINIT
+.Va subjectAlternativeName
+values from the clients' certificates.
+Defaults to
+.Va true .
+.It Li pkinit_dh_min_bits = Va NUMBER
+Minimum acceptable modular Diffie-Hellman public key size in
+bits.
+.It Li pkinit_max_life_from_cert_extension = Va BOOL
+If set to
+.Va true
+then the KDC will override the
+.Va max_life
+attribute of the client principal's HDB record with a maximum
+ticket life taken from a certificate extension with OID
+.Va { iso(1) member-body(2) se(752) su(43) heim-pkix(16) 4 }
+and the DER encoding of an
+.Va INTEGER
+number of seconds.
+Alternatively, if the extended key usage OID
+.Va { iso(1) member-body(2) se(752) su(43) heim-pkix(16) 3 }
+is included in the client's certificate, then the
+.Va notAfter
+minus the current time will be used.
+.It Li pkinit_max_life_bound = Va TIME
+If set, this will be a hard bound on the maximum ticket lifetime
+taken from the client's certificate.
+As usual,
+.Va TIME
+can be given as a number followed by a unit, such as
+.Dq 2d
+for
+.Dq two days .
+.It Li pkinit_max_life_from_cert = Va TIME
+If set, this will override the
+.Va max_life
+attribute of the client principal's HDB record with the
+.Va notAfter
+of the client's certificate minus the current time, bounded to
+the given relative
+.Va TIME
+unless the
+.Li pkinit_max_life_from_cert_extension
+parameter is set and the client's certificate has that extension.
+As usual,
+.Va TIME
+can be given as a number followed by a unit, such as
+.Dq 2d
+for
+.Dq two days .
+.It Li enable_gss_preauth = Va boolean
+Enables pre-authentication using a GSS-API mechanism supported by the client and KDC.
+The GSS-API initiator and AS request client names must match, unless the
+.Li WELLKNOWN/FEDERATED
+name was used in the AS request, in which case the AS reply will contain the
+GSS-API initiator name. Authorization and mapping behavior may be customized
+by plugins. If synthetic clients are enabled, then the GSS-API initiator need
+not exist in the local database. GSS-API pre-authentication is disabled by
+default.
+.It Li enable_gss_auth_data = Va boolean
+When using GSS-API pre-authentication, includes a Kerberos authorization data
+element containing naming attributes associated with the GSS-API initiator. This
+is disabled by default as it may significantly increase the size of returned
+tickets.
+.It Li gss_mechanisms_allowed = Va mechs ...
+A list of GSS-API mechanisms that may be used for GSS-API pre-authentication.
+.It Li gss_cross_realm_mechanisms_allowed = Va mechs ...
+A list of GSS-API mechanisms that, when using the default authorization
+mechanism, will be permitted to map Kerberos principals in foreign realms. The
+list is empty by default. Initiator names from mechanisms not on this list will
+be mapped to an enterprise principal in the AS-REQ realm. This option is
+intended to avoid conflating GSS-API pre-authentication and Kerberos
+cross-realm authentication. The behavior is provided by the default
+authorization mechanism and will be overridden by an authorization plugin.
+Mechanisms may be identified by dot-separated OID or a short name.
.It Li historical_anon_realm = Va boolean
Enables pre-7.0 non-RFC-comformant KDC behavior.
With this option set to
@@ -688,26 +1030,125 @@ Should the kdc answer digest requests. The default is FALSE.
.It Li digests_allowed = Va list of digests
Specifies the digests the kdc will reply to. The default is
.Li ntlm-v2 .
-.It Li kx509_ca = Va file
-Specifies the PEM credentials for the kx509 certification authority.
+.It Li enable-kx509 = Va boolean
+Enables kx509 service.
+.Pp
+The kx509 service is configurable for a number of cases:
+.Bl -tag -width "" -offset indent
+.It Li default certificates for user or service principals,
+.It Li non-default certificate requests including subject alternative names (SAN) and extended key usage (EKU) certificate extensions, for either client, server, or mixed usage.
+.El
+.Pp
+Distinct configurations are supported for all of these cases as
+shown below:
+.Bd -literal -offset indent
+[kdc]
+ enable-kx509 = yes | no
+ require_csr = yes | no
+ require_initial_kca_tickets = yes | no
+ realm = {
+ <REALM> = {
+ kx509 = {
+ <label> = {
+ <param> = <value>
+ }
+ hostbased_service = {
+ <service> = {
+ <param> = <value>
+ }
+ }
+ }
+ }
+ }
+.Ed
+where
+.Va label
+is one of:
+.Bl -tag -width "xxx" -offset indent
+.It Li user
+for default certificates for user principals,
+.It Li root_user
+for default certificates for root user principals,
+.It Li admin_user
+for default certificates for admin user principals,
+.It Li hostbased_service
+for default certificates for host-based service principals, in which case the
+service name is used as shown above,
+.It Li client
+for non-default client certificates,
+.It Li server
+for non-default server certificates,
+.It Li mixed
+for non-default client and server certificates.
+.El
+and where the parameters are as follows:
+.Bl -tag -width "xxx" -offset indent
+.It Li ca = Va file
+Specifies the PEM credentials for the kx509 / bx509d certification
+authority.
+If not specified for any specific use-case, then that use-case
+will be disabled.
+.It Li max_cert_lifetime = Va NUMunit
+Specifies the maximum certificate lifetime as a decimal number
+and an optional unit (the default unit is
+.Dq day
+).
+.It Li force_cert_lifetime = Va NUMunit
+Specifies a minimum certificate lifetime as a decimal number and
+an optional unit (the default unit is
+.Dq day
+).
+.It Li allow_extra_lifetime = Va boolean
+Indicates whether a client may request longer lifetimes than
+their authentication credentials.
+Defaults to false.
.It Li require_initial_kca_tickets = Va boolean
Specified whether to require that tickets for the
.Li kca_service
service principal be INITIAL.
This may be set on a per-realm basis as well as globally.
Defaults to true for the global setting.
-.It Li kx509_include_pkinit_san = Va boolean
+.It Li include_pkinit_san = Va boolean
If true then the kx509 client principal's name and realm will be
included in an
.Li id-pkinit-san
-certificate extension.
+subject alternative name certificate extension.
This can be set on a per-realm basis as well as globally.
Defaults to true for the global setting.
-.It Li kx509_template = Va file
-Specifies the PEM file with a template for the certificates to be
-issued.
-The following variables can be interpolated in the subject name using
-${variable} syntax:
+.It Li email_domain = Va domain
+If set then the kx509 client user principal's name at the given
+domain will be included in an
+.Li rfc822Name
+subject alternative name certificate extension.
+This can be set on a per-realm basis as well as globally.
+Defaults to false for the global setting.
+.It Li include_dnsname_san = Va boolean
+If true then a kx509 host-based or domain-based client
+principal's hostname will be included in an
+.Li dNSName
+subject alternative name certificate extension, with the
+downcased realm as the domainname. This can be set on a
+per-realm basis as well as
+globally. Defaults to false for the global setting.
+.It Li ekus = Va OID
+List of OIDs to include as EKUs.
+.It Li subject_name = Va DN
+Specifies a subject name that should either be empty or contain
+variable interpolation as described below for
+.Va template_cert .
+The subject may be the empty string, causing the issued
+certificates' subject names to be empty.
+.It Li template_cert = Va store
+Specifies the hx509 store (e.g.,
+.Va PEM-FILE:path )
+with a template
+for the certificates to be issued to kx509 clients whose
+principal names have one component (i.e., are user principals).
+A template is a certificate with variables to be interpolated in
+the subjectName. The following variables can be interpolated in
+the subject name using
+.Va ${variable}
+syntax:
.Bl -tag -width "xxx" -offset indent
.It principal-name
The full name of the kx509 client principal.
@@ -715,15 +1156,147 @@ The full name of the kx509 client principal.
The full name of the kx509 client principal, excluding the realm name.
.It principal-name-realm
The name of the client principal's realm.
+.It principal-component0
+The first component of the client principal.
+.It principal-component1
+The second component of the client principal.
+.It principal-component2
+The third component of the client principal.
+.It principal-service-name
+The name of the service.
+.It principal-host-name
+The name of the host.
.El
+.Pp
+If a template and subject name are not specified and no default
+SANs are configured, then no certificate will be issued.
+Otherwise if a template and subject name are not specified, then
+subject of the certificate will be empty.
.El
-The
-.Li kx509 ,
-.Li kx509_template ,
-.Li kx509_include_pkinit_san ,
-and
-.Li require_initial_kca_tickets
-parameters may be set on a per-realm basis as well.
+.El
+.Pp
+.It Li [hdb]
+.Bl -tag -width "xxx" -offset indent
+.It Li db-dir = Va path
+This parameter defines a directory that can contain:
+.Bl -tag -width "xxx" -offset indent
+.It Va kdc.conf
+A configuration file with the same format as krb5.conf that will
+be included.
+.It Va m-key
+The master key file.
+.It Va kdc.log
+The default logfile for the KDC when a logfile is not specified in
+.Li [logging]
+.It Va kadm5.acl
+The access controls for
+.Nm kadmind .
+.It Va log
+The (binary) log of transactions used for
+.Nm HDB
+replication via the
+.Nm iprop
+protocol.
+See
+.Nm iprop-log(1)
+for more detail.
+.It Va pki-mapping
+The default PKINIT mapping file if one is not specified in
+.Va [kdc] pkinit_mappings_file .
+.El
+and other files related to
+.Nm iprop
+operation.
+.It Li new_service_key_delay = Va time
+Sets a bias such that new keys are not taken into service until
+after the given time has passed since they were set.
+This is useful for key rotation on concrete principals shared by
+multiple instances of an application: set this time to twice or
+more the keytab fetch period used by applications.
+.It Li enable_virtual_hostbased_princs = Va boolean
+Heimdal supports a notion of virtual host-based service
+principals whose keys are derived from those of a base namespace
+principal of the form
+.Nm WELLKNOWN/HOSTBASED-NAMESPACE/svc/hostname .
+The service name can be wild-carded as
+.Va _ .
+Non-wildcarded services have to be listed in the
+.Li virtual_hostbased_princ_svcs
+parameter (see below).
+This parameter enables this feature, which is disabled by
+default.
+.It Li virtual_hostbased_princ_ndots = Va Integer
+Minimum number of label-separating periods in virtual host-based
+service principals' hostname component.
+.It Li virtual_hostbased_princ_maxdots = Va Integer
+Maximum number of label-separating periods in namespaces'
+hostname component.
+.It Li virtual_hostbased_princ_svcs = Va service-name
+This multi-valued parameter lists service names not to wildcard
+when searching for a namespace for a virtual host-based service
+principal.
+Other service names will have keys derived from a matching
+namespace with a wild-carded service name.
+This allows one to have different attributes for different
+services.
+For example, the
+.Nm "host"
+service can be configured to have the ok-as-delegate flag while
+all others do not.
+.El
+.Pp
+.It Li [bx509]
+This section contains online certification authority configuration, much
+like
+.Li kx509
+in the
+.Li [kdc]
+section, but with the
+.Li kx509
+layer removed.
+.Bd -literal -offset indent
+[kdc]
+ realm = {
+ <REALM> = {
+ ...
+ }
+ }
+.Ed
+.It Li [get-tgt]
+.Bl -tag -width "xxx" -offset indent
+.It Li no_addresses = Va BOOL
+If set to
+.Va true
+then the
+.Va /get-tgt
+end-point of the
+.Xr bx509d 8
+service will issue address-less TGTs.
+If set to
+.Va false
+then the
+.Va /get-tgt
+end-point of the
+.Xr bx509d 8
+service will include the client's IP address in the TGT it issues
+it.
+Defaults to
+.Va true .
+.It Li allow_addresses = Va BOOL
+If set to
+.Va true
+then the
+.Va /get-tgt
+end-point of the
+.Xr bx509d 8
+service will add arbitrary addresses requested by clients to the
+TGTs it issues them.
+Defaults to
+.Va false .
+.El
+.Pp
+Certification authority related parameters are as for
+.Va bx509 .
.It Li [kadmin]
.Bl -tag -width "xxx" -offset indent
.It Li password_lifetime = Va time
@@ -784,6 +1357,60 @@ among other minimum-length, character-class, external-check.
.El
.El
.El
+.Sh TOKEN EXPANSION
+The values of some parameters are subject to percent token expansion.
+Expansions supported on all platforms:
+.Bl -tag -width "xxx" -offset indent
+.It %{LIBDIR}
+The install location of Heimdal libraries.
+.It %{BINDIR}
+The install location of Heimdal user programs.
+.It %{LIBEXEC}
+The install location of Heimdal services.
+.It %{SBINDIR}
+The install location of Heimdal admin programs.
+.It %{username}
+The current username.
+.It %{TEMP}
+A temporary directory.
+.It %{USERID}
+The current user's SID (Windows) or effective user ID (POSIX).
+.It %{uid}
+The current user's SID (Windows) or real user ID (POSIX). On POSIX it is best
+to use the
+.Va %{euid}
+token instead (see below).
+.It %{null}
+The empty string.
+.El
+.Pp
+Expansions supported on POSIX-like platforms:
+.Bl -tag -width "xxx" -offset indent
+.It %{euid}
+The current effective user ID.
+.It %{loginname}
+The username of the logged-in user for this terminal.
+.It %{LOCALSTATEDIR}
+The install location of Heimdal databases.
+.El
+.Pp
+On Windows, several additional tokens can also be expanded:
+.Bl -tag -width "xxx" -offset indent
+.It %{APPDATA}
+Roaming application data (for current user).
+.It %{COMMON_APPDATA}
+Application data (all users).
+.It %{LOCAL_APPDATA}
+Local application data (for current user).
+.It %{SYSTEM}
+Windows System folder.
+.It %{WINDOWS}
+Windows folder.
+.It %{USERCONFIG}
+Per user Heimdal configuration file path.
+.It %{COMMONCONFIG}
+Common Heimdal configuration file path.
+.El
.Sh ENVIRONMENT
.Ev KRB5_CONFIG
points to the configuration file to read.
diff --git a/lib/krb5/krb5.conf.cat5 b/lib/krb5/krb5.conf.cat5
deleted file mode 100644
index 03a2c0ce42a6..000000000000
--- a/lib/krb5/krb5.conf.cat5
+++ /dev/null
@@ -1,840 +0,0 @@
-KRB5.CONF(5) BSD File Formats Manual KRB5.CONF(5)
-
-NAME
- krb5.conf -- configuration file for Kerberos 5
-
-SYNOPSIS
- #include <krb5.h>
-
-DESCRIPTION
- The krb5.conf file specifies several configuration parameters for the
- Kerberos 5 library, as well as for some programs.
-
- The file consists of one or more sections, containing a number of bind-
- ings. The value of each binding can be either a string or a list of
- other bindings. The grammar looks like:
-
- file:
- /* empty */
- sections
-
- sections:
- section sections
- section
-
- section:
- '[' section_name ']' bindings
-
- section_name:
- STRING
-
- bindings:
- binding bindings
- binding
-
- binding:
- name '=' STRING
- name '=' '{' bindings '}'
-
- name:
- STRING
-
- STRINGs consists of one or more non-whitespace characters.
-
- STRINGs that are specified later in this man-page uses the following no-
- tation.
-
- boolean
- values can be either yes/true or no/false.
-
- time
- values can be a list of year, month, day, hour, min, second.
- Example: 1 month 2 days 30 min. If no unit is given, seconds
- is assumed.
-
- etypes
- valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
- md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
- and aes256-cts-hmac-sha1-96 .
-
- address
- an address can be either a IPv4 or a IPv6 address.
-
- Currently recognised sections and bindings are:
-
- [appdefaults]
- Specifies the default values to be used for Kerberos applica-
- tions. You can specify defaults per application, realm, or a
- combination of these. The preference order is:
- 1. application realm option
- 2. application option
- 3. realm option
- 4. option
-
- The supported options are:
-
- forwardable = boolean
- When obtaining initial credentials, make the cre-
- dentials forwardable.
-
- proxiable = boolean
- When obtaining initial credentials, make the cre-
- dentials proxiable.
-
- no-addresses = boolean
- When obtaining initial credentials, request them
- for an empty set of addresses, making the tickets
- valid from any address.
-
- ticket_lifetime = time
- Default ticket lifetime.
-
- renew_lifetime = time
- Default renewable ticket lifetime.
-
- encrypt = boolean
- Use encryption, when available.
-
- forward = boolean
- Forward credentials to remote host (for rsh(1),
- telnet(1), etc).
-
- historical_anon_pkinit = boolean
- Enable legacy anonymous pkinit command-line syntax.
- With this option set to true, the kinit(1)
- --anonymous command with no principal argument
- specified will request an anonymous pkinit ticket
- from the default realm. If a principal argument is
- specified, it is used as an explicit realm name for
- anonymous pkinit even without an @ prefix.
-
- [libdefaults]
-
- default_realm = REALM
- Default realm to use, this is also known as your
- "local realm". The default is the result of
- krb5_get_host_realm(local hostname).
-
- allow_weak_crypto = boolean
- are weak crypto algorithms allowed to be used,
- among others, DES is considered weak.
-
- clockskew = time
- Maximum time differential (in seconds) allowed when
- comparing times. Default is 300 seconds (five min-
- utes).
-
- kdc_timeout = time
- Maximum time to wait for a reply from the kdc, de-
- fault is 3 seconds.
-
- capath = {
-
- destination-realm = next-hop-realm
-
- ...
-
- }
- This is deprecated, see the capaths section below.
-
- default_cc_type = cctype
- sets the default credentials type.
-
- default_cc_name = ccname
- the default credentials cache name. If you want to
- change the type only use default_cc_type. The
- string can contain variables that are expanded on
- runtime. The Only supported variable currently is
- %{uid} which expands to the current user id.
-
- default_etypes = etypes ...
- A list of default encryption types to use. (De-
- fault: all enctypes if allow_weak_crypto = TRUE,
- else all enctypes except single DES enctypes.)
-
- default_as_etypes = etypes ...
- A list of default encryption types to use in AS re-
- quests. (Default: the value of default_etypes.)
-
- default_tgs_etypes = etypes ...
- A list of default encryption types to use in TGS
- requests. (Default: the value of default_etypes.)
-
- default_etypes_des = etypes ...
- A list of default encryption types to use when re-
- questing a DES credential.
-
- default_keytab_name = keytab
- The keytab to use if no other is specified, default
- is "FILE:/etc/krb5.keytab".
-
- dns_lookup_kdc = boolean
- Use DNS SRV records to lookup KDC services loca-
- tion.
-
- dns_lookup_realm = boolean
- Use DNS TXT records to lookup domain to realm map-
- pings.
-
- kdc_timesync = boolean
- Try to keep track of the time differential between
- the local machine and the KDC, and then compensate
- for that when issuing requests.
-
- max_retries = number
- The max number of times to try to contact each KDC.
-
- large_msg_size = number
- The threshold where protocols with tiny maximum
- message sizes are not considered usable to send
- messages to the KDC.
-
- ticket_lifetime = time
- Default ticket lifetime.
-
- renew_lifetime = time
- Default renewable ticket lifetime.
-
- forwardable = boolean
- When obtaining initial credentials, make the cre-
- dentials forwardable. This option is also valid in
- the [realms] section.
-
- proxiable = boolean
- When obtaining initial credentials, make the cre-
- dentials proxiable. This option is also valid in
- the [realms] section.
-
- verify_ap_req_nofail = boolean
- If enabled, failure to verify credentials against a
- local key is a fatal error. The application has to
- be able to read the corresponding service key for
- this to work. Some applications, like su(1), en-
- able this option unconditionally.
-
- warn_pwexpire = time
- How soon to warn for expiring password. Default is
- seven days.
-
- http_proxy = proxy-spec
- A HTTP-proxy to use when talking to the KDC via
- HTTP.
-
- dns_proxy = proxy-spec
- Enable using DNS via HTTP.
-
- extra_addresses = address ...
- A list of addresses to get tickets for along with
- all local addresses.
-
- time_format = string
- How to print time strings in logs, this string is
- passed to strftime(3).
-
- date_format = string
- How to print date strings in logs, this string is
- passed to strftime(3).
-
- log_utc = boolean
- Write log-entries using UTC instead of your local
- time zone.
-
- scan_interfaces = boolean
- Scan all network interfaces for addresses, as op-
- posed to simply using the address associated with
- the system's host name.
-
- fcache_version = int
- Use file credential cache format version specified.
-
- fcc-mit-ticketflags = boolean
- Use MIT compatible format for file credential
- cache. It's the field ticketflags that is stored
- in reverse bit order for older than Heimdal 0.7.
- Setting this flag to TRUE makes it store the MIT
- way, this is default for Heimdal 0.7.
-
- check-rd-req-server
- If set to "ignore", the framework will ignore any
- of the server input to krb5_rd_req(3), this is very
- useful when the GSS-API server input the wrong
- server name into the gss_accept_sec_context call.
-
- k5login_directory = directory
- Alternative location for user .k5login files. This
- option is provided for compatibility with MIT krb5
- configuration files.
-
- k5login_authoritative = boolean
- If true then if a principal is not found in k5login
- files then krb5_userok(3) will not fallback on
- principal to username mapping. This option is pro-
- vided for compatibility with MIT krb5 configuration
- files.
-
- kuserok = rule ...
- Specifies krb5_userok(3) behavior. If multiple
- values are given, then krb5_userok(3) will evaluate
- them in order until one succeeds or all fail.
- Rules are implemented by plugins, with three built-
- in plugins described below. Default: USER-K5LOGIN
- SIMPLE DENY.
-
- kuserok = DENY
- If set and evaluated then krb5_userok(3) will deny
- access to the given username no matter what the
- principal name might be.
-
- kuserok = SIMPLE
- If set and evaluated then krb5_userok(3) will use
- principal to username mapping (see auth_to_local
- below). If the principal maps to the requested
- username then access is allowed.
-
- kuserok = SYSTEM-K5LOGIN[:directory]
- If set and evaluated then krb5_userok(3) will use
- k5login files named after the luser argument to
- krb5_userok(3) in the given directory or in
- /etc/k5login.d/. K5login files are text files,
- with each line containing just a principal name;
- principals apearing in a user's k5login file are
- permitted access to the user's account. Note: this
- rule performs no ownership nor permissions checks
- on k5login files; proper ownership and permis-
- sions/ACLs are expected due to the k5login location
- being a system location.
-
- kuserok = USER-K5LOGIN
- If set and evaluated then krb5_userok(3) will use
- ~luser/.k5login and ~luser/.k5login.d/*. User
- k5login files and directories must be owned by the
- user and must not have world nor group write per-
- missions.
-
- aname2lname-text-db = filename
- The named file must be a sorted (in increasing or-
- der) text file where every line consists of an un-
- parsed principal name optionally followed by white-
- space and a username. The aname2lname function
- will do a binary search on this file, if config-
- ured, looking for lines that match the given prin-
- cipal name, and if found the given username will be
- used, or, if the username is missing, an error will
- be returned. If the file doesn't exist, or if no
- matching line is found then other plugins will be
- allowed to run.
-
- fcache_strict_checking
- strict checking in FILE credential caches that
- owner, no symlink and permissions is correct.
-
- name_canon_rules = rules
- One or more service principal name canonicalization
- rules. Each rule consists of one or more tokens
- separated by colon (':'). Currently these rules
- are used only for hostname canonicalization (usu-
- ally when getting a service ticket, from a ccache
- or a TGS, but also when acquiring GSS initiator
- credentials from a keytab). These rules can be
- used to implement DNS resolver-like search lists
- without having to use DNS.
-
- NOTE: Name canonicalization rules are an experimen-
- tal feature.
-
- The first token is a rule type, one of: as-is,
- qualify, or nss.
-
- Any remaining tokens must be options tokens:
- use_fast (use FAST to protect TGS exchanges; cur-
- rently not supported), use_dnssec (use DNSSEC to
- protect hostname lookups; currently not supported),
- ccache_only , use_referrals, no_referrals,
- lookup_realm, mindots=N, maxdots=N, order=N, do-
- main= domain, realm= realm, match_domain= domain,
- and match_realm= realm.
-
- When trying to obtain a service ticket for a host-
- based service principal name, name canonicalization
- rules are applied to that name in the order given,
- one by one, until one succeds (a service ticket is
- obtained), or all fail. Similarly when acquiring
- GSS initiator credentials from a keytab, and when
- comparing a non-canonical GSS name to a canonical
- one.
-
- For each rule the system checks that the hostname
- has at least mindots periods (if given) in it, at
- most maxdots periods (if given), that the hostname
- ends in the given match_domain (if given), and that
- the realm of the principal matches the match_realm
- (if given).
-
- As-is rules leave the hostname unmodified but may
- set a realm. Qualify rules qualify the hostname
- with the given domain and also may set the realm.
- The nss rule uses the system resolver to lookup the
- host's canonical name and is usually not secure.
- Note that using the nss rule type implies having to
- have principal aliases in the HDB (though not nec-
- essarily in keytabs).
-
- The empty realm denotes "ask the client's realm's
- TGS". The empty realm may be set as well as
- matched.
-
- The order in which rules are applied is as follows:
- first all the rules with explicit order then all
- other rules in the order in which they appear. If
- any two rules have the same explicit order, their
- order of appearance in krb5.conf breaks the tie.
- Explicitly specifying order can be useful where
- tools read and write the configuration file without
- preserving parameter order.
-
- Malformed rules are ignored.
-
- allow_hierarchical_capaths = boolean
- When validating cross-realm transit paths, absent
- any explicit capath from the client realm to the
- server realm, allow a hierarchical transit path via
- the common ancestor domain of the two realms. De-
- faults to true. Note, absent an explicit setting,
- hierarchical capaths are always used by the KDC
- when generating a referral to a destination with
- which is no direct trust.
-
- [domain_realm]
- This is a list of mappings from DNS domain to Kerberos realm.
- Each binding in this section looks like:
-
- domain = realm
-
- The domain can be either a full name of a host or a trailing
- component, in the latter case the domain-string should start
- with a period. The trailing component only matches hosts that
- are in the same domain, ie ".example.com" matches
- "foo.example.com", but not "foo.test.example.com".
-
- The realm may be the token `dns_locate', in which case the ac-
- tual realm will be determined using DNS (independently of the
- setting of the `dns_lookup_realm' option).
-
- [realms]
-
- REALM = {
-
- kdc = [service/]host[:port]
- Specifies a list of kdcs for this realm.
- If the optional port is absent, the de-
- fault value for the "kerberos/udp"
- "kerberos/tcp", and "http/tcp" port (de-
- pending on service) will be used. The
- kdcs will be used in the order that they
- are specified.
-
- The optional service specifies over what
- medium the kdc should be contacted.
- Possible services are "udp", "tcp", and
- "http". Http can also be written as
- "http://". Default service is "udp" and
- "tcp".
-
- admin_server = host[:port]
- Specifies the admin server for this
- realm, where all the modifications to
- the database are performed.
-
- kpasswd_server = host[:port]
- Points to the server where all the pass-
- word changes are performed. If there is
- no such entry, the kpasswd port on the
- admin_server host will be tried.
-
- tgs_require_subkey
- a boolan variable that defaults to
- false. Old DCE secd (pre 1.1) might
- need this to be true.
-
- auth_to_local_names = {
-
- principal_name = username
- The given principal_name will
- be mapped to the given
- username if the REALM is a
- default realm.
-
- }
-
- auth_to_local = HEIMDAL_DEFAULT
- Use the Heimdal default principal to
- username mapping. Applies to principals
- from the REALM if and only if REALM is a
- default realm.
-
- auth_to_local = DEFAULT
- Use the MIT default principal to user-
- name mapping. Applies to principals
- from the REALM if and only if REALM is a
- default realm.
-
- auth_to_local = DB:/path/to/db.txt
- Use a binary search of the given DB.
- The DB must be a flat-text file sortedf
- in the "C" locale, with each record be-
- ing a line (separated by either LF or
- CRLF) consisting of a principal name
- followed by whitespace followed by a
- username. Applies to principals from
- the REALM if and only if REALM is a de-
- fault realm.
-
- auth_to_local = DB:/path/to/db
- Use the given DB, if there's a plugin
- for it. Applies to principals from the
- REALM if and only if REALM is a default
- realm.
-
- auth_to_local = RULE:...
- Use the given rule, if there's a plugin
- for it. Applies to principals from the
- REALM if and only if REALM is a default
- realm.
-
- auth_to_local = NONE
- No additional principal to username map-
- ping is done. Note that
- auth_to_local_names and any preceding
- auth_to_local rules have precedence.
-
- }
-
- [capaths]
-
- client-realm = {
-
- server-realm = hop-realm ...
- This serves two purposes. First the
- first listed hop-realm tells a client
- which realm it should contact in order
- to ultimately obtain credentials for a
- service in the server-realm. Secondly,
- it tells the KDC (and other servers)
- which realms are allowed in a multi-hop
- traversal from client-realm to
- server-realm. Except for the client
- case, the order of the realms are not
- important.
-
- }
-
- [logging]
-
- entity = destination
- Specifies that entity should use the specified
- destination for logging. See the krb5_openlog(3)
- manual page for a list of defined destinations.
-
- [kdc]
-
- database = {
-
- dbname = [DATBASETYPE:]DATABASENAME
- Use this database for this realm. The
- DATABASETYPE should be one of 'lmdb',
- 'db3', 'db1', 'db', 'sqlite', or 'ldap'.
- See the info documetation how to config-
- ure different database backends.
-
- realm = REALM
- Specifies the realm that will be stored
- in this database. It realm isn't set,
- it will used as the default database,
- there can only be one entry that doesn't
- have a realm stanza.
-
- mkey_file = FILENAME
- Use this keytab file for the master key
- of this database. If not specified
- DATABASENAME.mkey will be used.
-
- acl_file = PA FILENAME
- Use this file for the ACL list of this
- database.
-
- log_file = FILENAME
- Use this file as the log of changes per-
- formed to the database. This file is
- used by ipropd-master for propagating
- changes to slaves. It is also used by
- kadmind and kadmin (when used with the
- -l option), and by all applications us-
- ing libkadm5 with the local backend, for
- two-phase commit functionality. Slaves
- also use this. Setting this to
- /dev/null disables two-phase commit and
- incremental propagation. Use iprop-log
- to show the contents of this log file.
-
- log-max-size = number
- When the log reaches this size (in
- bytes), the log will be truncated, sav-
- ing some entries, and keeping the latest
- version number so as to not disrupt in-
- cremental propagation. If set to a neg-
- ative value then automatic log trunca-
- tion will be disabled. Defaults to
- 52428800 (50MB).
-
- }
-
- max-request = SIZE
- Maximum size of a kdc request.
-
- require-preauth = BOOL
- If set pre-authentication is required.
-
- ports = list of ports
- List of ports the kdc should listen to.
-
- addresses = list of interfaces
- List of addresses the kdc should bind to.
-
- enable-http = BOOL
- Should the kdc answer kdc-requests over http.
-
- tgt-use-strongest-session-key = BOOL
- If this is TRUE then the KDC will prefer the
- strongest key from the client's AS-REQ or TGS-REQ
- enctype list for the ticket session key that is
- supported by the KDC and the target principal when
- the target principal is a krbtgt principal. Else
- it will prefer the first key from the client's AS-
- REQ enctype list that is also supported by the KDC
- and the target principal. Defaults to FALSE.
-
- svc-use-strongest-session-key = BOOL
- Like tgt-use-strongest-session-key, but applies to
- the session key enctype of tickets for services
- other than krbtgt principals. Defaults to FALSE.
-
- preauth-use-strongest-session-key = BOOL
- If TRUE then select the strongest possible enctype
- from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
- for password-based pre-authentication). Else pick
- the first supported enctype from the client's AS-
- REQ. Defaults to FALSE.
-
- use-strongest-server-key = BOOL
- If TRUE then the KDC picks, for the ticket en-
- crypted part's key, the first supported enctype
- from the target service principal's hdb entry's
- current keyset. Else the KDC picks the first sup-
- ported enctype from the target service principal's
- hdb entry's current keyset. Defaults to TRUE.
-
- check-ticket-addresses = BOOL
- Verify the addresses in the tickets used in tgs re-
- quests.
-
- allow-null-ticket-addresses = BOOL
- Allow address-less tickets.
-
- allow-anonymous = BOOL
- If the kdc is allowed to hand out anonymous tick-
- ets.
-
- historical_anon_realm = boolean
- Enables pre-7.0 non-RFC-comformant KDC behavior.
- With this option set to true the client realm in
- anonymous pkinit AS replies will be the requested
- realm, rather than the RFC-conformant
- WELLKNOWN:ANONYMOUS realm. This can have a secu-
- rity impact on servers that expect to grant access
- to anonymous-but-authenticated to the KDC users of
- the realm in question: they would also grant access
- to unauthenticated anonymous users. As such, it is
- not recommend to set this option to true.
-
- encode_as_rep_as_tgs_rep = BOOL
- Encode as-rep as tgs-rep to be compatible with mis-
- takes older DCE secd did.
-
- kdc_warn_pwexpire = TIME
- The time before expiration that the user should be
- warned that her password is about to expire.
-
- logging = Logging
- What type of logging the kdc should use, see also
- [logging]/kdc.
-
- hdb-ldap-structural-object structural object
- If the LDAP backend is used for storing principals,
- this is the structural object that will be used
- when creating and when reading objects. The de-
- fault value is account .
-
- hdb-ldap-create-base creation dn
- is the dn that will be appended to the principal
- when creating entries. Default value is the search
- dn.
-
- enable-digest = BOOL
- Should the kdc answer digest requests. The default
- is FALSE.
-
- digests_allowed = list of digests
- Specifies the digests the kdc will reply to. The
- default is ntlm-v2.
-
- kx509_ca = file
- Specifies the PEM credentials for the kx509 certi-
- fication authority.
-
- require_initial_kca_tickets = boolean
- Specified whether to require that tickets for the
- kca_service service principal be INITIAL. This may
- be set on a per-realm basis as well as globally.
- Defaults to true for the global setting.
-
- kx509_include_pkinit_san = boolean
- If true then the kx509 client principal's name and
- realm will be included in an id-pkinit-san certifi-
- cate extension. This can be set on a per-realm ba-
- sis as well as globally. Defaults to true for the
- global setting.
-
- kx509_template = file
- Specifies the PEM file with a template for the cer-
- tificates to be issued. The following variables
- can be interpolated in the subject name using
- ${variable} syntax:
-
- principal-name
- The full name of the kx509 client prin-
- cipal.
-
- principal-name-without-realm
- The full name of the kx509 client prin-
- cipal, excluding the realm name.
-
- principal-name-realm
- The name of the client principal's
- realm.
- The kx509, kx509_template, kx509_include_pkinit_san, and
- require_initial_kca_tickets parameters may be set on a per-
- realm basis as well.
-
- [kadmin]
-
- password_lifetime = time
- If a principal already have its password set for
- expiration, this is the time it will be valid for
- after a change.
-
- default_keys = keytypes...
- For each entry in default_keys try to parse it as a
- sequence of etype:salttype:salt syntax of this if
- something like:
-
- [(des|des3|etype):](pw-salt|afs3-salt)[:string]
-
- If etype is omitted it means everything, and if
- string is omitted it means the default salt string
- (for that principal and encryption type). Addi-
- tional special values of keytypes are:
-
- v5 The Kerberos 5 salt pw-salt
-
- default_key_rules = {
-
- globing-rule = keytypes...
- a globbing rule to matching a principal,
- and when true, use the keytypes as spec-
- ified the same format as [kadmin]de-
- fault_keys .
-
- }
-
- prune-key-history = BOOL
- When adding keys to the key history, drop keys that
- are too old to match unexpired tickets (based on
- the principal's maximum ticket lifetime). If the
- KDC keystore is later compromised traffic protected
- with the discarded older keys may remain protected.
- This also keeps the HDB records for principals with
- key history from growing without bound. The de-
- fault (backwards compatible) value is "false".
-
- use_v4_salt = BOOL
- When true, this is the same as
-
- default_keys = des3:pw-salt v4
-
- and is only left for backwards compatibility.
-
- [password_quality]
- Check the Password quality assurance in the info
- documentation for more information.
-
- check_library = library-name
- Library name that contains the password
- check_function
-
- check_function = function-name
- Function name for checking passwords in
- check_library
-
- policy_libraries = library1 ... libraryN
- List of libraries that can do password
- policy checks
-
- policies = policy1 ... policyN
- List of policy names to apply to the
- password. Builtin policies are among
- other minimum-length, character-class,
- external-check.
-
-ENVIRONMENT
- KRB5_CONFIG points to the configuration file to read.
-
-FILES
- /etc/krb5.conf configuration file for Kerberos 5.
-
-EXAMPLES
- [libdefaults]
- default_realm = FOO.SE
- name_canon_rules = as-is:realm=FOO.SE
- name_canon_rules = qualify:domain=foo.se:realm=FOO.SE
- name_canon_rules = qualify:domain=bar.se:realm=FOO.SE
- name_canon_rules = nss
- [domain_realm]
- .foo.se = FOO.SE
- .bar.se = FOO.SE
- [realms]
- FOO.SE = {
- kdc = kerberos.foo.se
- default_domain = foo.se
- }
- [logging]
- kdc = FILE:/var/heimdal/kdc.log
- kdc = SYSLOG:INFO
- default = SYSLOG:INFO:USER
- [kadmin]
- default_key_rules = {
- */ppp@* = arcfour-hmac-md5:pw-salt
- }
-
-DIAGNOSTICS
- Since krb5.conf is read and parsed by the krb5 library, there is not a
- lot of opportunities for programs to report parsing errors in any useful
- format. To help overcome this problem, there is a program
- verify_krb5_conf that reads krb5.conf and tries to emit useful diagnos-
- tics from parsing errors. Note that this program does not have any way
- of knowing what options are actually used and thus cannot warn about un-
- known or misspelled ones.
-
-SEE ALSO
- kinit(1), krb5_openlog(3), strftime(3), verify_krb5_conf(8)
-
-HEIMDAL May 4, 2005 HEIMDAL
diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h
index c37af35933b2..593d1a366c25 100644
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -45,8 +45,11 @@
#include <krb5_err.h>
#include <heim_err.h>
#include <k524_err.h>
+#include <k5e1_err.h>
#include <krb5_asn1.h>
+typedef Krb5Int32 krb5int32;
+typedef Krb5UInt32 krb5uint32;
/* name confusion with MIT */
#ifndef KRB5KDC_ERR_KEY_EXP
@@ -55,8 +58,10 @@
#ifdef _WIN32
#define KRB5_CALLCONV __stdcall
+#define KRB5_LIB_CALL __stdcall
#else
#define KRB5_CALLCONV
+#define KRB5_LIB_CALL
#endif
/* simple constants */
@@ -90,6 +95,7 @@ typedef struct krb5_ntlm_data *krb5_ntlm;
struct krb5_pac_data;
typedef struct krb5_pac_data *krb5_pac;
+typedef const struct krb5_pac_data *krb5_const_pac;
typedef struct krb5_rd_req_in_ctx_data *krb5_rd_req_in_ctx;
typedef struct krb5_rd_req_out_ctx_data *krb5_rd_req_out_ctx;
@@ -117,52 +123,53 @@ typedef struct krb5_enc_data {
} krb5_enc_data;
/* alternative names */
-#define ENCTYPE_NULL KRB5_ENCTYPE_NULL
-#define ENCTYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
-#define ENCTYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
-#define ENCTYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
-#define ENCTYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
-#define ENCTYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
-#define ENCTYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
-#define ENCTYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
-#define ENCTYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
-#define ENCTYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
+#define ENCTYPE_NULL KRB5_ENCTYPE_NULL
+#define ENCTYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
+#define ENCTYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
+#define ENCTYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
+#define ENCTYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
+#define ENCTYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
+#define ENCTYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
+#define ENCTYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
+#define ENCTYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
+#define ENCTYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-#define ENCTYPE_ARCFOUR_HMAC KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
-#define ENCTYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
-#define ENCTYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
-#define ENCTYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
-#define ENCTYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
-#define ENCTYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
-#define ENCTYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
-#define ENCTYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
-#define ETYPE_NULL KRB5_ENCTYPE_NULL
-#define ETYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
-#define ETYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
-#define ETYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
-#define ETYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
-#define ETYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
-#define ETYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
-#define ETYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
-#define ETYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
-#define ETYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
-#define ETYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-#define ETYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-#define ETYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
-#define ETYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
-#define ETYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
-#define ETYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
-#define ETYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
-#define ETYPE_ARCFOUR_MD4 KRB5_ENCTYPE_ARCFOUR_MD4
-#define ETYPE_ARCFOUR_HMAC_OLD KRB5_ENCTYPE_ARCFOUR_HMAC_OLD
-#define ETYPE_ARCFOUR_HMAC_OLD_EXP KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP
-#define ETYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
-#define ETYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
-#define ETYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
-#define ETYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
-#define ETYPE_DIGEST_MD5_NONE KRB5_ENCTYPE_DIGEST_MD5_NONE
-#define ETYPE_CRAM_MD5_NONE KRB5_ENCTYPE_CRAM_MD5_NONE
+#define ENCTYPE_ARCFOUR_HMAC KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ENCTYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ENCTYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
+#define ENCTYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
+#define ENCTYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
+#define ENCTYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
+#define ENCTYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
+#define ENCTYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
+#define ETYPE_NULL KRB5_ENCTYPE_NULL
+#define ETYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
+#define ETYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
+#define ETYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
+#define ETYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
+#define ETYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
+#define ETYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
+#define ETYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
+#define ETYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
+#define ETYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
+#define ETYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+#define ETYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+#define ETYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
+#define ETYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
+#define ETYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ETYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
+#define ETYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
+#define ETYPE_ARCFOUR_MD4 KRB5_ENCTYPE_ARCFOUR_MD4
+#define ETYPE_ARCFOUR_HMAC_OLD KRB5_ENCTYPE_ARCFOUR_HMAC_OLD
+#define ETYPE_ARCFOUR_HMAC_OLD_EXP KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP
+#define ETYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
+#define ETYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
+#define ETYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
+#define ETYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
+#define ETYPE_DIGEST_MD5_NONE KRB5_ENCTYPE_DIGEST_MD5_NONE
+#define ETYPE_CRAM_MD5_NONE KRB5_ENCTYPE_CRAM_MD5_NONE
+#define DOMAIN_X500_COMPRESS domain_X500_Compress
/* PDU types */
typedef enum krb5_pdu {
@@ -268,6 +275,10 @@ typedef enum krb5_key_usage {
KRB5_KU_PA_SERVER_REFERRAL = 26,
/* Keyusage for the server referral in a TGS req */
KRB5_KU_SAM_ENC_NONCE_SAD = 27,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REQUEST = 26,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REPLY = 27,
/* Encryption of the SAM-NONCE-OR-SAD field */
KRB5_KU_PA_PKINIT_KX = 44,
/* Encryption type of the kdc session contribution in pk-init */
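Review bot: The enumerators added at `KRB5_KU_PA_S4U_X509_USER_REQUEST = 26` and `KRB5_KU_PA_S4U_X509_USER_REPLY = 27` reuse the values of `KRB5_KU_PA_SERVER_REFERRAL` and `KRB5_KU_SAM_ENC_NONCE_SAD` directly above them, and the insertion also leaves the pre-existing comment `/* Encryption of the SAM-NONCE-OR-SAD field */` attached to the S4U reply entry instead of the SAM entry it describes. Duplicate enumerator values are legal C and the overlap presumably mirrors the registered key-usage numbers, but nothing here says it is deliberate, so a later maintainer could "fix" one side and break wire compatibility. I would move the SAM comment back above `KRB5_KU_SAM_ENC_NONCE_SAD` and mark the aliasing explicitly, e.g. `/* [MS-SFU] key usages; intentionally share values 26/27 with the entries above */`. The enum continues outside the hunk.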
@@ -357,15 +368,7 @@ typedef AP_REQ krb5_ap_req;
struct krb5_cc_ops;
-#ifdef _WIN32
-#define KRB5_USE_PATH_TOKENS 1
-#endif
-
-#ifdef KRB5_USE_PATH_TOKENS
#define KRB5_DEFAULT_CCFILE_ROOT "%{TEMP}/krb5cc_"
-#else
-#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
-#endif
#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
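Review bot: With the `KRB5_USE_PATH_TOKENS` fallback removed, `KRB5_DEFAULT_CCFILE_ROOT` is unconditionally the template `"%{TEMP}/krb5cc_"` on every platform, so any consumer that still treats this macro as a literal path rather than running it through the library's path-token expansion will create or look up a file literally named `%{TEMP}/krb5cc_…` relative to the current directory. Nothing in the header states that the value is a template now, and a literal use would quietly place credential caches outside the intended temp directory. I would add a comment above the define: `/* Path template, not a literal path: %{TEMP} must be expanded by the path-token expander before use */`. Whether every in-tree consumer already expands the token is not visible from this header.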
@@ -380,7 +383,10 @@ typedef struct krb5_cccol_cursor_data *krb5_cccol_cursor;
typedef struct krb5_ccache_data {
const struct krb5_cc_ops *ops;
krb5_data data;
- int initialized; /* if non-zero: krb5_cc_initialize() called, now empty */
+ unsigned int cc_initialized:1; /* if 1: krb5_cc_initialize() called */
+ unsigned int cc_need_start_realm:1;
+ unsigned int cc_start_tgt_stored:1;
+ unsigned int cc_kx509_done:1;
}krb5_ccache_data;
typedef struct krb5_ccache_data *krb5_ccache;
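Review bot: The public field `initialized` of `krb5_ccache_data` is renamed to the bit-field `cc_initialized:1`, and three further flags (`cc_need_start_realm`, `cc_start_tgt_stored`, `cc_kx509_done`) are added with no comment, so any out-of-tree ccache backend reading `id->initialized` stops compiling and a reader cannot tell what the new bits guard or which layer sets them. Since this struct is exported from krb5.h, I would document each bit where it is declared, e.g. `/* set once a start-realm config entry still needs to be written */` for `cc_need_start_realm`, and hedge those descriptions against the cache code that actually sets them, which is outside this diff.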
@@ -436,6 +442,7 @@ typedef union {
/* flags for krb5_verify_ap_req */
#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0)
+#define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS (1 << 1)
#define KRB5_GC_CACHED (1U << 0)
#define KRB5_GC_USER_USER (1U << 1)
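Review bot: `KRB5_VERIFY_AP_REQ_IGNORE_ADDRS` is introduced without any comment, yet by its name it disables the check that binds an address-restricted ticket to the presenting client's address, so a caller passing it will accept such a ticket from any host. A flag that relaxes verification should carry a warning at its definition, e.g. `/* Skip the ticket/authenticator address check; only for proxies or NAT'd peers where the source address is not meaningful */`. The code that consumes the flag is outside this header, so the effect is inferred from the name and should be confirmed against the verifier.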
@@ -482,9 +489,15 @@ typedef struct krb5_creds {
typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor;
-#define KRB5_CC_OPS_VERSION 3
+#define KRB5_CC_OPS_VERSION_0 0
+#define KRB5_CC_OPS_VERSION_1 1
+#define KRB5_CC_OPS_VERSION_2 2
+#define KRB5_CC_OPS_VERSION_3 3
+#define KRB5_CC_OPS_VERSION_5 5
+/* Only extend the structure. Do not change signatures. */
typedef struct krb5_cc_ops {
+ /* Version 0 */
int version;
const char *prefix;
const char* (KRB5_CALLCONV * get_name)(krb5_context, krb5_ccache);
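Review bot: Dropping `#define KRB5_CC_OPS_VERSION 3` without a replacement of that name means an out-of-tree ccache backend that initialises `.version = KRB5_CC_OPS_VERSION` no longer compiles against this header, and the new per-version macros jump from `KRB5_CC_OPS_VERSION_3` to `KRB5_CC_OPS_VERSION_5` with no note on why 4 is absent. If removing the old name is intentional, either a compatibility alias such as `#define KRB5_CC_OPS_VERSION KRB5_CC_OPS_VERSION_5` or a one-line comment saying backends must pick an explicit version would make that clear, and a short remark on the skipped version 4 would stop readers from assuming a typo. The `krb5_cc_ops` struct continues past the end of this hunk.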
@@ -511,27 +524,43 @@ typedef struct krb5_cc_ops {
krb5_error_code (KRB5_CALLCONV * end_cache_get)(krb5_context, krb5_cc_cursor);
krb5_error_code (KRB5_CALLCONV * move)(krb5_context, krb5_ccache, krb5_ccache);
krb5_error_code (KRB5_CALLCONV * get_default_name)(krb5_context, char **);
+ /* Version 1 */
krb5_error_code (KRB5_CALLCONV * set_default)(krb5_context, krb5_ccache);
+ /* Version 2 */
krb5_error_code (KRB5_CALLCONV * lastchange)(krb5_context, krb5_ccache, krb5_timestamp *);
+ /* Version 3 */
krb5_error_code (KRB5_CALLCONV * set_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat);
krb5_error_code (KRB5_CALLCONV * get_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat *);
+ /* Version 5 */
+ krb5_error_code (KRB5_CALLCONV * get_name_2)(krb5_context, krb5_ccache,
+ const char **id, const char **res,
+ const char **sub);
+ krb5_error_code (KRB5_CALLCONV * resolve_2)(krb5_context, krb5_ccache *id, const char *res,
+ const char *sub);
+ /* Add new functions here for versions 6 and above */
} krb5_cc_ops;
-struct krb5_log_facility;
-
+/*
+ * krb5_config_binding is identical to struct heim_config_binding
+ * within heimbase.h. Its format is public and used by callers of
+ * krb5_config_get_list() and krb5_config_vget_list().
+ */
+enum krb5_config_type {
+ krb5_config_string,
+ krb5_config_list,
+};
struct krb5_config_binding {
- enum { krb5_config_string, krb5_config_list } type;
+ enum krb5_config_type type;
char *name;
struct krb5_config_binding *next;
union {
- char *string;
- struct krb5_config_binding *list;
- void *generic;
+ char *string;
+ struct krb5_config_binding *list;
+ void *generic;
} u;
};
typedef struct krb5_config_binding krb5_config_binding;
-
typedef krb5_config_binding krb5_config_section;
typedef struct krb5_ticket {
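Review bot: The version-5 slots `get_name_2` and `resolve_2` carry no documentation of their three string parameters (`id`, `res`, `sub`) or of who owns the `const char *` values returned through `get_name_2` and how long they stay valid, which matters because a backend that hands out pointers into its own state invites use-after-free in callers. The header's own rule `/* Only extend the structure. Do not change signatures. */` also implies that consumers must check `version` before dereferencing these fields, and that should be said next to them, e.g. `/* Only valid when version >= KRB5_CC_OPS_VERSION_5; returned strings are owned by the ccache */` (the ownership half is an assumption to confirm against the backends). The struct begins before this hunk.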
@@ -552,8 +581,9 @@ typedef Authenticator krb5_donot_replay;
#define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS 0x02
#define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE 0x04
#define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE 0x08
-#define KRB5_STORAGE_BYTEORDER_MASK 0x60
+#define KRB5_STORAGE_BYTEORDER_MASK 0x70
#define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */
+#define KRB5_STORAGE_BYTEORDER_PACKED 0x10
#define KRB5_STORAGE_BYTEORDER_LE 0x20
#define KRB5_STORAGE_BYTEORDER_HOST 0x40
#define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 0x80
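Review bot: Widening `KRB5_STORAGE_BYTEORDER_MASK` from 0x60 to 0x70 makes the field three bits wide, so combinations such as `KRB5_STORAGE_BYTEORDER_PACKED | KRB5_STORAGE_BYTEORDER_LE` (0x30), 0x50, 0x60 and 0x70 now fall inside the mask but are given no meaning here; a caller cannot tell whether PACKED is a standalone value or a modifier stackable on LE/HOST. I would state the contract at the definitions, e.g. `/* BYTEORDER field holds exactly one of BE, PACKED, LE, HOST; other bit patterns are invalid */`, and hedge that against the decoder in the storage code, which is outside this diff.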
@@ -667,16 +697,15 @@ typedef struct {
KRB_ERROR error;
} krb5_kdc_rep;
-extern const char *heimdal_version, *heimdal_long_version;
+extern const char *const heimdal_version, *const heimdal_long_version;
-typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(const char*, const char*, void*);
+typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(krb5_context,
+ const char*,
+ const char*,
+ void*);
typedef void (KRB5_CALLCONV * krb5_log_close_func_t)(void*);
-typedef struct krb5_log_facility {
- char *program;
- int len;
- struct facility *val;
-} krb5_log_facility;
+typedef struct heim_log_facility_s krb5_log_facility;
typedef EncAPRepPart krb5_ap_rep_enc_part;
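Review bot: Changing the public callback type `krb5_log_log_func_t` to take a leading `krb5_context` silently breaks every existing log callback written against the old three-argument shape: C will typically accept the mismatched function pointer with at most an incompatible-pointer warning at the registration site, and the old callback then receives the context pointer where it expects its first `const char *`, failing at runtime rather than at compile time. Since this is a source- and ABI-incompatible change to an exported type, a comment at the typedef would at least make it discoverable, e.g. `/* Heimdal 8: callbacks now receive the krb5_context first; three-argument callbacks from earlier releases must be updated */`. Making `krb5_log_facility` opaque in the same hunk is the safer kind of break, since any code touching `->program` now fails to compile.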
@@ -689,10 +718,11 @@ typedef EncAPRepPart krb5_ap_rep_enc_part;
#define KRB5_WELLKNOWN_NAME ("WELLKNOWN")
#define KRB5_ANON_NAME ("ANONYMOUS")
#define KRB5_ANON_REALM ("WELLKNOWN:ANONYMOUS")
+#define KRB5_FEDERATED_NAME ("FEDERATED")
+#define KRB5_FEDERATED_REALM ("WELLKNOWN:FEDERATED")
#define KRB5_WELLKNOWN_ORG_H5L_REALM ("WELLKNOWN:ORG.H5L")
#define KRB5_DIGEST_NAME ("digest")
-
#define KRB5_PKU2U_REALM_NAME ("WELLKNOWN:PKU2U")
#define KRB5_LKDC_REALM_NAME ("WELLKNOWN:COM.APPLE.LKDC")
@@ -811,11 +841,13 @@ typedef struct krb5_verify_opt {
struct krb5_krbhst_data;
typedef struct krb5_krbhst_data *krb5_krbhst_handle;
-#define KRB5_KRBHST_KDC 1
-#define KRB5_KRBHST_ADMIN 2
-#define KRB5_KRBHST_CHANGEPW 3
-#define KRB5_KRBHST_KRB524 4
-#define KRB5_KRBHST_KCA 5
+#define KRB5_KRBHST_KDC 1
+#define KRB5_KRBHST_ADMIN 2
+#define KRB5_KRBHST_CHANGEPW 3
+#define KRB5_KRBHST_KRB524 4
+#define KRB5_KRBHST_KCA 5
+#define KRB5_KRBHST_READONLY_ADMIN 6
+#define KRB5_KRBHST_TKTBRIDGEAP 7
typedef struct krb5_krbhst_info {
enum { KRB5_KRBHST_UDP,
@@ -870,14 +902,31 @@ typedef krb5_error_code
(KRB5_CALLCONV * krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *,
const krb5_data *, int *);
-struct krb5_plugin;
enum krb5_plugin_type {
PLUGIN_TYPE_DATA = 1,
- PLUGIN_TYPE_FUNC
+ PLUGIN_TYPE_FUNC /* no longer supported */
};
+/*
+ * Since <krb5/common_plugin.h> is new with Heimdal 8, users looking to write
+ * portable plugins across Heimdal 7 and 8 need a conditional compilation
+ * predicate from a header file that does exist in both major releases. This
+ * is as good a place as any to define a plugin source-compatibility version
+ * number.
+ *
+ * When this macro is defined and is equal to 1, the Heimdal 8 plugin source
+ * API, and <krb5/common_plugin.h> header are available and should be used.
+ *
+ * In Heimdal 7, this macro is not defined, and <krb5/common_plugin.h> may not
+ * be available.
+ */
+#define KRB5_PLUGIN_COMMON_SPI_VERSION 1
+
#define KRB5_PLUGIN_INVOKE_ALL 1
+typedef uintptr_t
+(KRB5_LIB_CALL *krb5_get_instance_func_t)(const char *);
+
struct credentials; /* this is to keep the compiler happy */
struct getargs;
struct sockaddr;
@@ -963,13 +1012,14 @@ typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
*/
struct hx509_certs_data;
+typedef struct krb5_kx509_req_ctx_data *krb5_kx509_req_ctx;
#include <krb5-protos.h>
/* variables */
-extern KRB5_LIB_VARIABLE const char *krb5_config_file;
-extern KRB5_LIB_VARIABLE const char *krb5_defkeyname;
+extern KRB5_LIB_VARIABLE const char *const krb5_config_file;
+extern KRB5_LIB_VARIABLE const char *const krb5_defkeyname;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops;
@@ -979,6 +1029,7 @@ extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_krcc_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_fkt_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_wrfkt_ops;
@@ -987,12 +1038,13 @@ extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_mkt_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_akf_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_any_ops;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_api;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_file;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
-extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_api;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_file;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc;
+extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring;
/* clang analyzer workarounds */
diff --git a/lib/krb5/krb524_convert_creds_kdc.cat3 b/lib/krb5/krb524_convert_creds_kdc.cat3
deleted file mode 100644
index b6992ec07f53..000000000000
--- a/lib/krb5/krb524_convert_creds_kdc.cat3
+++ /dev/null
@@ -1,42 +0,0 @@
-KRB524_CONVERT_CREDS_... BSD Library Functions Manual KRB524_CONVERT_CREDS_...
-
-NAME
- krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache -- converts
- Kerberos 5 credentials to Kerberos 4 credentials
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb524_convert_creds_kdc(krb5_context context, krb5_creds *in_cred,
- struct credentials *v4creds);
-
- krb5_error_code
- krb524_convert_creds_kdc_ccache(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, struct credentials *v4creds);
-
-DESCRIPTION
- Convert the Kerberos 5 credential to Kerberos 4 credential. This is done
- by sending them to the 524 service in the KDC.
-
- krb524_convert_creds_kdc() converts the Kerberos 5 credential in in_cred
- to Kerberos 4 credential that is stored in credentials.
-
- krb524_convert_creds_kdc_ccache() is different from
- krb524_convert_creds_kdc() in that way that if in_cred doesn't contain a
- DES session key, then a new one is fetched from the KDC and stored in the
- cred cache ccache, and then the KDC is queried to convert the credential.
-
- This interfaces are used to make the migration to Kerberos 5 from Ker-
- beros 4 easier. There are few services that still need Kerberos 4, and
- this is mainly for compatibility for those services. Some services, like
- AFS, really have Kerberos 5 supports, but still uses the 524 interface to
- make the migration easier.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL March 20, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_425_conv_principal.cat3 b/lib/krb5/krb5_425_conv_principal.cat3
deleted file mode 100644
index 3845106ca656..000000000000
--- a/lib/krb5/krb5_425_conv_principal.cat3
+++ /dev/null
@@ -1,139 +0,0 @@
-KRB5_425_CONV_PRINCIP... BSD Library Functions Manual KRB5_425_CONV_PRINCIP...
-
-NAME
- krb5_425_conv_principal, krb5_425_conv_principal_ext,
- krb5_524_conv_principal -- converts to and from version 4 principals
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_425_conv_principal(krb5_context context, const char *name,
- const char *instance, const char *realm, krb5_principal *principal);
-
- krb5_error_code
- krb5_425_conv_principal_ext(krb5_context context, const char *name,
- const char *instance, const char *realm,
- krb5_boolean (*func)(krb5_context, krb5_principal),
- krb5_boolean resolve, krb5_principal *principal);
-
- krb5_error_code
- krb5_524_conv_principal(krb5_context context,
- const krb5_principal principal, char *name, char *instance,
- char *realm);
-
-DESCRIPTION
- Converting between version 4 and version 5 principals can at best be de-
- scribed as a mess.
-
- A version 4 principal consists of a name, an instance, and a realm. A
- version 5 principal consists of one or more components, and a realm. In
- some cases also the first component/name will differ between version 4
- and version 5. Furthermore the second component of a host principal will
- be the fully qualified domain name of the host in question, while the in-
- stance of a version 4 principal will only contain the first part (short
- hostname). Because of these problems the conversion between principals
- will have to be site customized.
-
- krb5_425_conv_principal_ext() will try to convert a version 4 principal,
- given by name, instance, and realm, to a version 5 principal. This can
- result in several possible principals, and if func is non-NULL, it will
- be called for each candidate principal. func should return true if the
- principal was "good". To accomplish this, krb5_425_conv_principal_ext()
- will look up the name in krb5.conf. It first looks in the
- v4_name_convert/host subsection, which should contain a list of version 4
- names whose instance should be treated as a hostname. This list can be
- specified for each realm (in the realms section), or in the libdefaults
- section. If the name is found the resulting name of the principal will
- be the value of this binding. The instance is then first looked up in
- v4_instance_convert for the specified realm. If found the resulting value
- will be used as instance (this can be used for special cases), no further
- attempts will be made to find a conversion if this fails (with func). If
- the resolve parameter is true, the instance will be looked up with
- gethostbyname(). This can be a time consuming, error prone, and unsafe
- operation. Next a list of hostnames will be created from the instance
- and the v4_domains variable, which should contain a list of possible do-
- mains for the specific realm.
-
- On the other hand, if the name is not found in a host section, it is
- looked up in a v4_name_convert/plain binding. If found here the name will
- be converted, but the instance will be untouched.
-
- This list of default host-type conversions is compiled-in:
-
- v4_name_convert = {
- host = {
- ftp = ftp
- hprop = hprop
- imap = imap
- pop = pop
- rcmd = host
- smtp = smtp
- }
- }
-
- It will only be used if there isn't an entry for these names in the con-
- fig file, so you can override these defaults.
-
- krb5_425_conv_principal() will call krb5_425_conv_principal_ext() with
- NULL as func, and the value of v4_instance_resolve (from the libdefaults
- section) as resolve.
-
- krb5_524_conv_principal() basically does the opposite of
- krb5_425_conv_principal(), it just doesn't have to look up any names, but
- will instead truncate instances found to belong to a host principal. The
- name, instance, and realm should be at least 40 characters long.
-
-EXAMPLES
- Since this is confusing an example is in place.
-
- Assume that we have the "foo.com", and "bar.com" domains that have shared
- a single version 4 realm, FOO.COM. The version 4 krb.realms file looked
- like:
-
- foo.com FOO.COM
- .foo.com FOO.COM
- .bar.com FOO.COM
-
- A krb5.conf file that covers this case might look like:
-
- [libdefaults]
- v4_instance_resolve = yes
- [realms]
- FOO.COM = {
- kdc = kerberos.foo.com
- v4_instance_convert = {
- foo = foo.com
- }
- v4_domains = foo.com
- }
-
- With this setup and the following host table:
-
- foo.com
- a-host.foo.com
- b-host.bar.com
- the following conversions will be made:
-
- rcmd.a-host -> host/a-host.foo.com
- ftp.b-host -> ftp/b-host.bar.com
- pop.foo -> pop/foo.com
- ftp.other -> ftp/other.foo.com
- other.a-host -> other/a-host
-
- The first three are what you expect. If you remove the "v4_domains", the
- fourth entry will result in an error (since the host "other" can't be
- found). Even if "a-host" is a valid host name, the last entry will not be
- converted, since the "other" name is not known to represent a host-type
- principal. If you turn off "v4_instance_resolve" the second example will
- result in "ftp/b-host.foo.com" (because of the default domain). And all
- of this is of course only valid if you have working name resolving.
-
-SEE ALSO
- krb5_build_principal(3), krb5_free_principal(3), krb5_parse_name(3),
- krb5_sname_to_principal(3), krb5_unparse_name(3), krb5.conf(5)
-
-HEIMDAL September 3, 2003 HEIMDAL
diff --git a/lib/krb5/krb5_acl_match_file.cat3 b/lib/krb5/krb5_acl_match_file.cat3
deleted file mode 100644
index 40b09c1f16f2..000000000000
--- a/lib/krb5/krb5_acl_match_file.cat3
+++ /dev/null
@@ -1,60 +0,0 @@
-KRB5_ACL_MATCH_FILE(3) BSD Library Functions Manual KRB5_ACL_MATCH_FILE(3)
-
-NAME
- krb5_acl_match_file, krb5_acl_match_string -- ACL matching functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- krb5_error_code
- krb5_acl_match_file(krb5_context context, const char *file,
- const char *format, ...);
-
- krb5_error_code
- krb5_acl_match_string(krb5_context context, const char *string,
- const char *format, ...);
-
-DESCRIPTION
- krb5_acl_match_file matches ACL format against each line in a file.
- Lines starting with # are treated like comments and ignored.
-
- krb5_acl_match_string matches ACL format against a string.
-
- The ACL format has three format specifiers: s, f, and r. Each specifier
- will retrieve one argument from the variable arguments for either match-
- ing or storing data. The input string is split up using " " and "\t" as
- a delimiter; multiple " " and "\t" in a row are considered to be the
- same.
-
- s Matches a string using strcmp(3) (case sensitive).
-
- f Matches the string with fnmatch(3). The flags argument (the
- last argument) passed to the fnmatch function is 0.
-
- r Returns a copy of the string in the char ** passed in; the
- copy must be freed with free(3). There is no need to free(3)
- the string on error: the function will clean up and set the
- pointer to NULL.
-
- All unknown format specifiers cause an error.
-
-EXAMPLES
- char *s;
-
- ret = krb5_acl_match_string(context, "foo", "s", "foo");
- if (ret)
- krb5_errx(context, 1, "acl didn't match");
- ret = krb5_acl_match_string(context, "foo foo baz/kaka",
- "ss", "foo", &s, "foo/*");
- if (ret) {
- /* no need to free(s) on error */
- assert(s == NULL);
- krb5_errx(context, 1, "acl didn't match");
- }
- free(s);
-
-SEE ALSO
- krb5(3)
-
-HEIMDAL May 12, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_aname_to_localname.cat3 b/lib/krb5/krb5_aname_to_localname.cat3
deleted file mode 100644
index 6c134bc3995e..000000000000
--- a/lib/krb5/krb5_aname_to_localname.cat3
+++ /dev/null
@@ -1,38 +0,0 @@
-KRB5_ANAME_TO_LOCALNA... BSD Library Functions Manual KRB5_ANAME_TO_LOCALNA...
-
-NAME
- krb5_aname_to_localname -- converts a principal to a system local name
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_boolean
- krb5_aname_to_localname(krb5_context context, krb5_const_principal name,
- size_t lnsize, char *lname);
-
-DESCRIPTION
- This function takes a principal name, verifies that it is in the local
- realm (using krb5_get_default_realms()) and then returns the local name
- of the principal.
-
- If name isn't in one of the local realms an error is returned.
-
- If the size (lnsize) of the local name (lname) is too small, an error is
- returned.
-
- krb5_aname_to_localname() should only be use by an application that im-
- plements protocols that don't transport the login name and thus needs to
- convert a principal to a local name.
-
- Protocols should be designed so that they authenticate using Kerberos,
- send over the login name and then verify the principal that is authenti-
- cated is allowed to login and the login name. A way to check if a user
- is allowed to login is using the function krb5_kuserok().
-
-SEE ALSO
- krb5_get_default_realms(3), krb5_kuserok(3)
-
-HEIMDAL February 18, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_appdefault.cat3 b/lib/krb5/krb5_appdefault.cat3
deleted file mode 100644
index 41674112d170..000000000000
--- a/lib/krb5/krb5_appdefault.cat3
+++ /dev/null
@@ -1,56 +0,0 @@
-KRB5_APPDEFAULT(3) BSD Library Functions Manual KRB5_APPDEFAULT(3)
-
-NAME
- krb5_appdefault_boolean, krb5_appdefault_string, krb5_appdefault_time --
- get application configuration value
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- void
- krb5_appdefault_boolean(krb5_context context, const char *appname,
- krb5_realm realm, const char *option, krb5_boolean def_val,
- krb5_boolean *ret_val);
-
- void
- krb5_appdefault_string(krb5_context context, const char *appname,
- krb5_realm realm, const char *option, const char *def_val,
- char **ret_val);
-
- void
- krb5_appdefault_time(krb5_context context, const char *appname,
- krb5_realm realm, const char *option, time_t def_val,
- time_t *ret_val);
-
-DESCRIPTION
- These functions get application defaults from the appdefaults section of
- the krb5.conf(5) configuration file. These defaults can be specified per
- application, and/or per realm.
-
- These values will be looked for in krb5.conf(5), in order of descending
- importance.
-
- [appdefaults]
- appname = {
- realm = {
- option = value
- }
- }
- appname = {
- option = value
- }
- realm = {
- option = value
- }
- option = value
- appname is the name of the application, and realm is the realm name. If
- the realm is omitted it will not be used for resolving values. def_val
- is the value to return if no value is found in krb5.conf(5).
-
-SEE ALSO
- krb5_config(3), krb5.conf(5)
-
-HEIMDAL July 25, 2000 HEIMDAL
diff --git a/lib/krb5/krb5_auth_context.cat3 b/lib/krb5/krb5_auth_context.cat3
deleted file mode 100644
index 7b0366e42777..000000000000
--- a/lib/krb5/krb5_auth_context.cat3
+++ /dev/null
@@ -1,220 +0,0 @@
-KRB5_AUTH_CONTEXT(3) BSD Library Functions Manual KRB5_AUTH_CONTEXT(3)
-
-NAME
- krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
- krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs,
- krb5_auth_con_getauthenticator, krb5_auth_con_getflags,
- krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
- krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey,
- krb5_auth_con_getuserkey, krb5_auth_con_init, krb5_auth_con_initivector,
- krb5_auth_con_removeflags, krb5_auth_con_setaddrs,
- krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
- krb5_auth_con_setivector, krb5_auth_con_setkey,
- krb5_auth_con_setlocalsubkey, krb5_auth_con_setrcache,
- krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
- krb5_auth_context, krb5_auth_getcksumtype, krb5_auth_getkeytype,
- krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber,
- krb5_auth_setcksumtype, krb5_auth_setkeytype,
- krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
- krb5_free_authenticator -- manage authentication on connection level
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_auth_con_init(krb5_context context,
- krb5_auth_context *auth_context);
-
- void
- krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
-
- krb5_error_code
- krb5_auth_con_setflags(krb5_context context,
- krb5_auth_context auth_context, int32_t flags);
-
- krb5_error_code
- krb5_auth_con_getflags(krb5_context context,
- krb5_auth_context auth_context, int32_t *flags);
-
- krb5_error_code
- krb5_auth_con_addflags(krb5_context context,
- krb5_auth_context auth_context, int32_t addflags, int32_t *flags);
-
- krb5_error_code
- krb5_auth_con_removeflags(krb5_context context,
- krb5_auth_context auth_context, int32_t removelags, int32_t *flags);
-
- krb5_error_code
- krb5_auth_con_setaddrs(krb5_context context,
- krb5_auth_context auth_context, krb5_address *local_addr,
- krb5_address *remote_addr);
-
- krb5_error_code
- krb5_auth_con_getaddrs(krb5_context context,
- krb5_auth_context auth_context, krb5_address **local_addr,
- krb5_address **remote_addr);
-
- krb5_error_code
- krb5_auth_con_genaddrs(krb5_context context,
- krb5_auth_context auth_context, int fd, int flags);
-
- krb5_error_code
- krb5_auth_con_setaddrs_from_fd(krb5_context context,
- krb5_auth_context auth_context, void *p_fd);
-
- krb5_error_code
- krb5_auth_con_getkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock **keyblock);
-
- krb5_error_code
- krb5_auth_con_getlocalsubkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock **keyblock);
-
- krb5_error_code
- krb5_auth_con_getremotesubkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock **keyblock);
-
- krb5_error_code
- krb5_auth_con_generatelocalsubkey(krb5_context context,
- krb5_auth_context auth_context, krb5_keyblock, *key");
-
- krb5_error_code
- krb5_auth_con_initivector(krb5_context context,
- krb5_auth_context auth_context);
-
- krb5_error_code
- krb5_auth_con_setivector(krb5_context context,
- krb5_auth_context *auth_context, krb5_pointer ivector);
-
- void
- krb5_free_authenticator(krb5_context context,
- krb5_authenticator *authenticator);
-
-DESCRIPTION
- The krb5_auth_context structure holds all context related to an authenti-
- cated connection, in a similar way to krb5_context that holds the context
- for the thread or process. krb5_auth_context is used by various func-
- tions that are directly related to authentication between the
- server/client. Example of data that this structure contains are various
- flags, addresses of client and server, port numbers, keyblocks (and sub-
- keys), sequence numbers, replay cache, and checksum-type.
-
- krb5_auth_con_init() allocates and initializes the krb5_auth_context
- structure. Default values can be changed with
- krb5_auth_con_setcksumtype() and krb5_auth_con_setflags(). The
- auth_context structure must be freed by krb5_auth_con_free().
-
- krb5_auth_con_getflags(), krb5_auth_con_setflags(),
- krb5_auth_con_addflags() and krb5_auth_con_removeflags() gets and modi-
- fies the flags for a krb5_auth_context structure. Possible flags to set
- are:
-
- KRB5_AUTH_CONTEXT_DO_SEQUENCE
- Generate and check sequence-number on each packet.
-
- KRB5_AUTH_CONTEXT_DO_TIME
- Check timestamp on incoming packets.
-
- KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
- Return sequence numbers and time stamps in the outdata parame-
- ters.
-
- KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
- will force krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to
- create unencrypted ) KRB5_ENCTYPE_NULL) credentials. This is for
- use with old MIT server and JAVA based servers as they can't han-
- dle encrypted KRB-CRED. Note that sending such KRB-CRED is clear
- exposes crypto keys and tickets and is insecure, make sure the
- packet is encrypted in the protocol. krb5_rd_cred(3),
- krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and
- krb5_mk_safe(3). Setting this flag requires that parameter to be
- passed to these functions.
-
- The flags KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior
- the function krb5_get_forwarded_creds() by removing the timestamp
- in the forward credential message, this have backward compatibil-
- ity problems since not all versions of the heimdal supports time-
- less credentional messages. Is very useful since it always the
- sender of the message to cache forward message and thus avoiding
- a round trip to the KDC for each time a credential is forwarded.
- The same functionality can be obtained by using address-less
- tickets.
-
- krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and
- krb5_auth_con_getaddrs() gets and sets the addresses that are checked
- when a packet is received. It is mandatory to set an address for the re-
- mote host. If the local address is not set, it iss deduced from the un-
- derlaying operating system. krb5_auth_con_getaddrs() will call
- krb5_free_address() on any address that is passed in local_addr or
- remote_addr. krb5_auth_con_setaddr() allows passing in a NULL pointer as
- local_addr and remote_addr, in that case it will just not set that ad-
- dress.
-
- krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file de-
- scriptor.
-
- krb5_auth_con_genaddrs() fetches the address information from the given
- file descriptor fd depending on the bitmap argument flags.
-
- Possible values on flags are:
-
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
- fetches the local address from fd.
-
- KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
- fetches the remote address from fd.
-
- krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and
- krb5_auth_con_getkey() gets and sets the key used for this auth context.
- The keyblock returned by krb5_auth_con_getkey() should be freed with
- krb5_free_keyblock(). The keyblock send into krb5_auth_con_setkey() is
- copied into the krb5_auth_context, and thus no special handling is
- needed. NULL is not a valid keyblock to krb5_auth_con_setkey().
-
- krb5_auth_con_setuserkey() is only useful when doing user to user authen-
- tication. krb5_auth_con_setkey() is equivalent to
- krb5_auth_con_setuserkey().
-
- krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
- krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() gets
- and sets the keyblock for the local and remote subkey. The keyblock re-
- turned by krb5_auth_con_getlocalsubkey() and
- krb5_auth_con_getremotesubkey() must be freed with krb5_free_keyblock().
-
- krb5_auth_setcksumtype() and krb5_auth_getcksumtype() sets and gets the
- checksum type that should be used for this connection.
-
- krb5_auth_con_generatelocalsubkey() generates a local subkey that have
- the same encryption type as key.
-
- krb5_auth_getremoteseqnumber() krb5_auth_setremoteseqnumber(),
- krb5_auth_getlocalseqnumber() and krb5_auth_setlocalseqnumber() gets and
- sets the sequence-number for the local and remote sequence-number
- counter.
-
- krb5_auth_setkeytype() and krb5_auth_getkeytype() gets and gets the key-
- type of the keyblock in krb5_auth_context.
-
- krb5_auth_con_getauthenticator() Retrieves the authenticator that was
- used during mutual authentication. The authenticator returned should be
- freed by calling krb5_free_authenticator().
-
- krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the
- replay-cache.
-
- krb5_auth_con_initivector() allocates memory for and zeros the initial
- vector in the auth_context keyblock.
-
- krb5_auth_con_setivector() sets the i_vector portion of auth_context to
- ivector.
-
- krb5_free_authenticator() free the content of authenticator and
- authenticator itself.
-
-SEE ALSO
- krb5_context(3), kerberos(8)
-
-HEIMDAL May 17, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_c_make_checksum.cat3 b/lib/krb5/krb5_c_make_checksum.cat3
deleted file mode 100644
index b83c0e29065a..000000000000
--- a/lib/krb5/krb5_c_make_checksum.cat3
+++ /dev/null
@@ -1,141 +0,0 @@
-KRB5_C_MAKE_CHECKSUM(3) BSD Library Functions Manual KRB5_C_MAKE_CHECKSUM(3)
-
-NAME
- krb5_c_block_size, krb5_c_decrypt, krb5_c_encrypt, krb5_c_encrypt_length,
- krb5_c_enctype_compare, krb5_c_get_checksum, krb5_c_is_coll_proof_cksum,
- krb5_c_is_keyed_cksum, krb5_c_keylength, krb5_c_make_checksum,
- krb5_c_make_random_key, krb5_c_set_checksum, krb5_c_valid_cksumtype,
- krb5_c_valid_enctype, krb5_c_verify_checksum, krb5_c_checksum_length --
- Kerberos 5 crypto API
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_c_block_size(krb5_context context, krb5_enctype enctype,
- size_t *blocksize);
-
- krb5_error_code
- krb5_c_decrypt(krb5_context context, const krb5_keyblock key,
- krb5_keyusage usage, const krb5_data *ivec, krb5_enc_data *input,
- krb5_data *output);
-
- krb5_error_code
- krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
- krb5_keyusage usage, const krb5_data *ivec, const krb5_data *input,
- krb5_enc_data *output);
-
- krb5_error_code
- krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
- size_t inputlen, size_t *length);
-
- krb5_error_code
- krb5_c_enctype_compare(krb5_context context, krb5_enctype e1,
- krb5_enctype e2, krb5_boolean *similar);
-
- krb5_error_code
- krb5_c_make_random_key(krb5_context context, krb5_enctype enctype,
- krb5_keyblock *random_key);
-
- krb5_error_code
- krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
- const krb5_keyblock *key, krb5_keyusage usage,
- const krb5_data *input, krb5_checksum *cksum);
-
- krb5_error_code
- krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
- krb5_keyusage usage, const krb5_data *data,
- const krb5_checksum *cksum, krb5_boolean *valid);
-
- krb5_error_code
- krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype,
- size_t *length);
-
- krb5_error_code
- krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum,
- krb5_cksumtype *type, krb5_data **data);
-
- krb5_error_code
- krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum,
- krb5_cksumtype type, const krb5_data *data);
-
- krb5_boolean
- krb5_c_valid_enctype(krb5_enctype, etype");
-
- krb5_boolean
- krb5_c_valid_cksumtype(krb5_cksumtype ctype);
-
- krb5_boolean
- krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype);
-
- krb5_boolean
- krb5_c_is_keyed_cksum(krb5_cksumtype ctype);
-
- krb5_error_code
- krb5_c_keylengths(krb5_context context, krb5_enctype enctype,
- size_t *inlength, size_t *keylength);
-
-DESCRIPTION
- The functions starting with krb5_c are compat functions with MIT ker-
- beros.
-
- The krb5_enc_data structure holds and encrypted data. There are two pub-
- lic accessible members of krb5_enc_data. enctype that holds the encryp-
- tion type of the data encrypted and ciphertext that is a krb5_data that
- might contain the encrypted data.
-
- krb5_c_block_size() returns the blocksize of the encryption type.
-
- krb5_c_decrypt() decrypts input and store the data in output. If ivec is
- NULL the default initialization vector for that encryption type will be
- used.
-
- krb5_c_encrypt() encrypts the plaintext in input and store the ciphertext
- in output.
-
- krb5_c_encrypt_length() returns the length the encrypted data given the
- plaintext length.
-
- krb5_c_enctype_compare() compares to encryption types and returns if they
- use compatible encryption key types.
-
- krb5_c_make_checksum() creates a checksum cksum with the checksum type
- cksumtype of the data in data. key and usage are used if the checksum is
- a keyed checksum type. Returns 0 or an error code.
-
- krb5_c_verify_checksum() verifies the checksum of data in cksum that was
- created with key using the key usage usage. verify is set to non-zero if
- the checksum verifies correctly and zero if not. Returns 0 or an error
- code.
-
- krb5_c_checksum_length() returns the length of the checksum.
-
- krb5_c_set_checksum() sets the krb5_checksum structure given type and
- data. The content of cksum should be freeed with
- krb5_c_free_checksum_contents().
-
- krb5_c_get_checksum() retrieves the components of the krb5_checksum.
- structure. data should be free with krb5_free_data(). If some either of
- data or checksum is not needed for the application, NULL can be passed
- in.
-
- krb5_c_valid_enctype() returns true if etype is a valid encryption type.
-
- krb5_c_valid_cksumtype() returns true if ctype is a valid checksum type.
-
- krb5_c_is_keyed_cksum() return true if ctype is a keyed checksum type.
-
- krb5_c_is_coll_proof_cksum() returns true if ctype is a collision proof
- checksum type.
-
- krb5_c_keylengths() return the minimum length (inlength) bytes needed to
- create a key and the length (keylength) of the resulting key for the
- enctype.
-
-SEE ALSO
- krb5(3), krb5_create_checksum(3), krb5_free_data(3), kerberos(8)
-
-HEIMDAL Nov 17, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_ccapi.h b/lib/krb5/krb5_ccapi.h
index 06d8886145af..ed7b848c6b97 100644
--- a/lib/krb5/krb5_ccapi.h
+++ b/lib/krb5/krb5_ccapi.h
@@ -38,7 +38,7 @@
#include <krb5-types.h>
-#ifdef __APPLE__
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
#pragma pack(push,2)
#endif
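Review bot: The architecture condition on the `#pragma pack(push,2)` guard here is repeated verbatim on the `#pragma pack(pop)` guard in the second hunk of this file, so a future edit to one of them silently produces a push without a matching pop (or vice versa) and changes the layout of every struct declared after the mismatch. It would be safer to evaluate the condition once near the top of the header, `#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))` followed by `#define CCAPI_PACK_STRUCTS 1` (constructed name) and `#endif`, and have both sites use `#ifdef CCAPI_PACK_STRUCTS`; wrapping the `defined(...)` expression in a macro body instead is not portable C. A one-line comment should also record why packing is now limited to these architectures, since these structs are an ABI shared with the platform CCAPI library; presumably Apple's own headers pack only on those targets, so something like `/* 2-byte packing matches the legacy Apple CCAPI ABI on ppc/x86; arm64 uses natural alignment */` — confirm against Apple's CredentialsCache.h before committing to that wording.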
@@ -231,7 +231,7 @@ struct cc_context_t {
typedef cc_int32
(*cc_initialize_func)(cc_context_t*, cc_int32, cc_int32 *, char const **);
-#if defined(__APPLE__)
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
#pragma pack(pop)
#endif
diff --git a/lib/krb5/krb5_check_transited.cat3 b/lib/krb5/krb5_check_transited.cat3
deleted file mode 100644
index 9907d6cc27c1..000000000000
--- a/lib/krb5/krb5_check_transited.cat3
+++ /dev/null
@@ -1,48 +0,0 @@
-KRB5_CHECK_TRANSITED(3) BSD Library Functions Manual KRB5_CHECK_TRANSITED(3)
-
-NAME
- krb5_check_transited, krb5_check_transited_realms,
- krb5_domain_x500_decode, krb5_domain_x500_encode -- realm transit verifi-
- cation and encoding/decoding functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_check_transited(krb5_context context, krb5_const_realm client_realm,
- krb5_const_realm server_realm, krb5_realm *realms, int num_realms,
- int *bad_realm);
-
- krb5_error_code
- krb5_check_transited_realms(krb5_context context,
- const char *const *realms, int num_realms, int *bad_realm);
-
- krb5_error_code
- krb5_domain_x500_decode(krb5_context context, krb5_data tr,
- char ***realms, int *num_realms, const char *client_realm,
- const char *server_realm);
-
- krb5_error_code
- krb5_domain_x500_encode(char **realms, int num_realms,
- krb5_data *encoding);
-
-DESCRIPTION
- krb5_check_transited() checks the path from client_realm to server_realm
- where realms and num_realms is the realms between them. If the function
- returns an error value, bad_realm will be set to the realm in the list
- causing the error. krb5_check_transited() is used internally by the KDC
- and libkrb5 and should not be called by client applications.
-
- krb5_check_transited_realms() is deprecated.
-
- krb5_domain_x500_encode() and krb5_domain_x500_decode() encodes and de-
- codes the realm names in the X500 format that Kerberos uses to describe
- the transited realms in krbtgts.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_create_checksum.cat3 b/lib/krb5/krb5_create_checksum.cat3
deleted file mode 100644
index 673f56d708b6..000000000000
--- a/lib/krb5/krb5_create_checksum.cat3
+++ /dev/null
@@ -1,112 +0,0 @@
-NAME(3) BSD Library Functions Manual NAME(3)
-
-NAME
- krb5_checksum, krb5_checksum_disable, krb5_checksum_is_collision_proof,
- krb5_checksum_is_keyed, krb5_checksumsize, krb5_cksumtype_valid,
- krb5_copy_checksum, krb5_create_checksum, krb5_crypto_get_checksum_type
- krb5_free_checksum, krb5_free_checksum_contents, krb5_hmac,
- krb5_verify_checksum -- creates, handles and verifies checksums
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- typedef Checksum krb5_checksum;
-
- void
- krb5_checksum_disable(krb5_context context, krb5_cksumtype type);
-
- krb5_boolean
- krb5_checksum_is_collision_proof(krb5_context context,
- krb5_cksumtype type);
-
- krb5_boolean
- krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type);
-
- krb5_error_code
- krb5_cksumtype_valid(krb5_context context, krb5_cksumtype ctype);
-
- krb5_error_code
- krb5_checksumsize(krb5_context context, krb5_cksumtype type,
- size_t *size);
-
- krb5_error_code
- krb5_create_checksum(krb5_context context, krb5_crypto crypto,
- krb5_key_usage usage, int type, void *data, size_t len,
- Checksum *result);
-
- krb5_error_code
- krb5_verify_checksum(krb5_context context, krb5_crypto crypto,
- krb5_key_usage usage, void *data, size_t len, Checksum *cksum);
-
- krb5_error_code
- krb5_crypto_get_checksum_type(krb5_context context, krb5_crypto crypto,
- krb5_cksumtype *type);
-
- void
- krb5_free_checksum(krb5_context context, krb5_checksum *cksum);
-
- void
- krb5_free_checksum_contents(krb5_context context, krb5_checksum *cksum);
-
- krb5_error_code
- krb5_hmac(krb5_context context, krb5_cksumtype cktype, const void *data,
- size_t len, unsigned usage, krb5_keyblock *key, Checksum *result);
-
- krb5_error_code
- krb5_copy_checksum(krb5_context context, const krb5_checksum *old,
- krb5_checksum **new);
-
-DESCRIPTION
- The krb5_checksum structure holds a Kerberos checksum. There is no com-
- ponent inside krb5_checksum that is directly referable.
-
- The functions are used to create and verify checksums.
- krb5_create_checksum() creates a checksum of the specified data, and puts
- it in result. If crypto is NULL, usage_or_type specifies the checksum
- type to use; it must not be keyed. Otherwise crypto is an encryption con-
- text created by krb5_crypto_init(), and usage_or_type specifies a key-us-
- age.
-
- krb5_verify_checksum() verifies the checksum against the provided data.
-
- krb5_checksum_is_collision_proof() returns true is the specified checksum
- is collision proof (that it's very unlikely that two strings has the same
- hash value, and that it's hard to find two strings that has the same
- hash). Examples of collision proof checksums are MD5, and SHA1, while
- CRC32 is not.
-
- krb5_checksum_is_keyed() returns true if the specified checksum type is
- keyed (that the hash value is a function of both the data, and a separate
- key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA-
- MD5-DES. The "plain" hash functions MD5, and SHA1 are not keyed.
-
- krb5_crypto_get_checksum_type() returns the checksum type that will be
- used when creating a checksum for the given crypto context. This func-
- tion is useful in combination with krb5_checksumsize() when you want to
- know the size a checksum will use when you create it.
-
- krb5_cksumtype_valid() returns 0 or an error if the checksumtype is im-
- plemented and not currently disabled in this kerberos library.
-
- krb5_checksumsize() returns the size of the outdata of checksum function.
-
- krb5_copy_checksum() returns a copy of the checksum krb5_free_checksum()
- should use used to free the new checksum.
-
- krb5_free_checksum() free the checksum and the content of the checksum.
-
- krb5_free_checksum_contents() frees the content of checksum in cksum.
-
- krb5_hmac() calculates the HMAC over data (with length len) using the
- keyusage usage and keyblock key. Note that keyusage is not always used
- in checksums.
-
- krb5_checksum_disable globally disables the checksum type.
-
-SEE ALSO
- krb5_crypto_init(3), krb5_c_encrypt(3), krb5_encrypt(3)
-
-HEIMDAL August 12, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_creds.cat3 b/lib/krb5/krb5_creds.cat3
deleted file mode 100644
index a7254961e9af..000000000000
--- a/lib/krb5/krb5_creds.cat3
+++ /dev/null
@@ -1,57 +0,0 @@
-KRB5_CREDS(3) BSD Library Functions Manual KRB5_CREDS(3)
-
-NAME
- krb5_creds, krb5_copy_creds, krb5_copy_creds_contents, krb5_free_creds,
- krb5_free_cred_contents -- Kerberos 5 credential handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_copy_creds(krb5_context context, const krb5_creds *incred,
- krb5_creds **outcred);
-
- krb5_error_code
- krb5_copy_creds_contents(krb5_context context, const krb5_creds *incred,
- krb5_creds *outcred);
-
- krb5_error_code
- krb5_free_creds(krb5_context context, krb5_creds *outcred);
-
- krb5_error_code
- krb5_free_cred_contents(krb5_context context, krb5_creds *cred);
-
-DESCRIPTION
- krb5_creds holds Kerberos credentials:
-
- typedef struct krb5_creds {
- krb5_principal client;
- krb5_principal server;
- krb5_keyblock session;
- krb5_times times;
- krb5_data ticket;
- krb5_data second_ticket;
- krb5_authdata authdata;
- krb5_addresses addresses;
- krb5_ticket_flags flags;
- } krb5_creds;
-
- krb5_copy_creds() makes a copy of incred to outcred. outcred should be
- freed with krb5_free_creds() by the caller.
-
- krb5_copy_creds_contents() makes a copy of the content of incred to
- outcreds. outcreds should be freed by the called with
- krb5_free_creds_contents().
-
- krb5_free_creds() frees the content of the cred structure and the struc-
- ture itself.
-
- krb5_free_cred_contents() frees the content of the cred structure.
-
-SEE ALSO
- krb5(3), krb5_compare_creds(3), krb5_get_init_creds(3), kerberos(8)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_digest.cat3 b/lib/krb5/krb5_digest.cat3
deleted file mode 100644
index ac69a1305b86..000000000000
--- a/lib/krb5/krb5_digest.cat3
+++ /dev/null
@@ -1,145 +0,0 @@
-KRB5_DIGEST(3) BSD Library Functions Manual KRB5_DIGEST(3)
-
-NAME
- krb5_digest, krb5_digest_alloc, krb5_digest_free,
- krb5_digest_set_server_cb, krb5_digest_set_type,
- krb5_digest_set_hostname, krb5_digest_get_server_nonce,
- krb5_digest_set_server_nonce, krb5_digest_get_opaque,
- krb5_digest_set_opaque, krb5_digest_get_identifier,
- krb5_digest_set_identifier, krb5_digest_init_request,
- krb5_digest_set_client_nonce, krb5_digest_set_digest,
- krb5_digest_set_username, krb5_digest_set_authid,
- krb5_digest_set_authentication_user, krb5_digest_set_realm,
- krb5_digest_set_method, krb5_digest_set_uri, krb5_digest_set_nonceCount,
- krb5_digest_set_qop, krb5_digest_request, krb5_digest_get_responseData,
- krb5_digest_get_rsp, krb5_digest_get_tickets,
- krb5_digest_get_client_binding, krb5_digest_get_a1_hash -- remote digest
- (HTTP-DIGEST, SASL, CHAP) support
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- typedef struct krb5_digest *krb5_digest;
-
- krb5_error_code
- krb5_digest_alloc(krb5_context context, krb5_digest *digest);
-
- void
- krb5_digest_free(krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_type(krb5_context context, krb5_digest digest,
- const char *type);
-
- krb5_error_code
- krb5_digest_set_server_cb(krb5_context context, krb5_digest digest,
- const char *type, const char *binding);
-
- krb5_error_code
- krb5_digest_set_hostname(krb5_context context, krb5_digest digest,
- const char *hostname);
-
- const char *
- krb5_digest_get_server_nonce(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_server_nonce(krb5_context context, krb5_digest digest,
- const char *nonce);
-
- const char *
- krb5_digest_get_opaque(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_opaque(krb5_context context, krb5_digest digest,
- const char *opaque);
-
- const char *
- krb5_digest_get_identifier(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_set_identifier(krb5_context context, krb5_digest digest,
- const char *id);
-
- krb5_error_code
- krb5_digest_init_request(krb5_context context, krb5_digest digest,
- krb5_realm realm, krb5_ccache ccache);
-
- krb5_error_code
- krb5_digest_set_client_nonce(krb5_context context, krb5_digest digest,
- const char *nonce);
-
- krb5_error_code
- krb5_digest_set_digest(krb5_context context, krb5_digest digest,
- const char *dgst);
-
- krb5_error_code
- krb5_digest_set_username(krb5_context context, krb5_digest digest,
- const char *username);
-
- krb5_error_code
- krb5_digest_set_authid(krb5_context context, krb5_digest digest,
- const char *authid);
-
- krb5_error_code
- krb5_digest_set_authentication_user(krb5_context context,
- krb5_digest digest, krb5_principal authentication_user);
-
- krb5_error_code
- krb5_digest_set_realm(krb5_context context, krb5_digest digest,
- const char *realm);
-
- krb5_error_code
- krb5_digest_set_method(krb5_context context, krb5_digest digest,
- const char *method);
-
- krb5_error_code
- krb5_digest_set_uri(krb5_context context, krb5_digest digest,
- const char *uri);
-
- krb5_error_code
- krb5_digest_set_nonceCount(krb5_context context, krb5_digest digest,
- const char *nonce_count);
-
- krb5_error_code
- krb5_digest_set_qop(krb5_context context, krb5_digest digest,
- const char *qop);
-
- krb5_error_code
- krb5_digest_request(krb5_context context, krb5_digest digest,
- krb5_realm realm, krb5_ccache ccache);
-
- const char *
- krb5_digest_get_responseData(krb5_context context, krb5_digest digest);
-
- const char *
- krb5_digest_get_rsp(krb5_context context, krb5_digest digest);
-
- krb5_error_code
- krb5_digest_get_tickets(krb5_context context, krb5_digest digest,
- Ticket **tickets);
-
- krb5_error_code
- krb5_digest_get_client_binding(krb5_context context, krb5_digest digest,
- char **type, char **binding);
-
- krb5_error_code
- krb5_digest_get_a1_hash(krb5_context context, krb5_digest digest,
- krb5_data *data);
-
-DESCRIPTION
- The krb5_digest_alloc() function allocatates the digest structure. The
- structure should be freed with krb5_digest_free() when it is no longer
- being used.
-
- krb5_digest_alloc() returns 0 to indicate success. Otherwise an kerberos
- code is returned and the pointer that digest points to is set to NULL.
-
- krb5_digest_free() free the structure digest.
-
-SEE ALSO
- krb5(3), kerberos(8)
-
-HEIMDAL February 18, 2007 HEIMDAL
diff --git a/lib/krb5/krb5_eai_to_heim_errno.cat3 b/lib/krb5/krb5_eai_to_heim_errno.cat3
deleted file mode 100644
index 721914050761..000000000000
--- a/lib/krb5/krb5_eai_to_heim_errno.cat3
+++ /dev/null
@@ -1,28 +0,0 @@
-KRB5_EAI_TO_HEIM_ERRN... BSD Library Functions Manual KRB5_EAI_TO_HEIM_ERRN...
-
-NAME
- krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno -- convert resolver
- error code to com_err error codes
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_eai_to_heim_errno(int eai_errno, int system_error);
-
- krb5_error_code
- krb5_h_errno_to_heim_errno(int eai_errno);
-
-DESCRIPTION
- krb5_eai_to_heim_errno() and krb5_h_errno_to_heim_errno() convert
- getaddrinfo(3), getnameinfo(3), and h_errno(3) to com_err error code that
- are used by Heimdal, this is useful for for function returning kerberos
- errors and needs to communicate failures from resolver function.
-
-SEE ALSO
- krb5(3), kerberos(8)
-
-HEIMDAL April 13, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_encrypt.cat3 b/lib/krb5/krb5_encrypt.cat3
deleted file mode 100644
index dd0c0c04e002..000000000000
--- a/lib/krb5/krb5_encrypt.cat3
+++ /dev/null
@@ -1,137 +0,0 @@
-KRB5_ENCRYPT(3) BSD Library Functions Manual KRB5_ENCRYPT(3)
-
-NAME
- krb5_crypto_getblocksize, krb5_crypto_getconfoundersize
- krb5_crypto_getenctype, krb5_crypto_getpadsize, krb5_crypto_overhead,
- krb5_decrypt, krb5_decrypt_EncryptedData, krb5_decrypt_ivec,
- krb5_decrypt_ticket, krb5_encrypt, krb5_encrypt_EncryptedData,
- krb5_encrypt_ivec, krb5_enctype_disable, krb5_enctype_keysize,
- krb5_enctype_to_string, krb5_enctype_valid, krb5_get_wrapped_length,
- krb5_string_to_enctype -- encrypt and decrypt data, set and get encryp-
- tion type parameters
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_encrypt(krb5_context context, krb5_crypto crypto, unsigned usage,
- void *data, size_t len, krb5_data *result);
-
- krb5_error_code
- krb5_encrypt_EncryptedData(krb5_context context, krb5_crypto crypto,
- unsigned usage, void *data, size_t len, int kvno,
- EncryptedData *result);
-
- krb5_error_code
- krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto,
- unsigned usage, void *data, size_t len, krb5_data *result,
- void *ivec);
-
- krb5_error_code
- krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage,
- void *data, size_t len, krb5_data *result);
-
- krb5_error_code
- krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto,
- unsigned usage, EncryptedData *e, krb5_data *result);
-
- krb5_error_code
- krb5_decrypt_ivec(krb5_context context, krb5_crypto crypto,
- unsigned usage, void *data, size_t len, krb5_data *result,
- void *ivec);
-
- krb5_error_code
- krb5_decrypt_ticket(krb5_context context, Ticket *ticket,
- krb5_keyblock *key, EncTicketPart *out, krb5_flags flags);
-
- krb5_error_code
- krb5_crypto_getblocksize(krb5_context context, size_t *blocksize);
-
- krb5_error_code
- krb5_crypto_getenctype(krb5_context context, krb5_crypto crypto,
- krb5_enctype *enctype);
-
- krb5_error_code
- krb5_crypto_getpadsize(krb5_context context, size_t, *padsize");
-
- krb5_error_code
- krb5_crypto_getconfoundersize(krb5_context context, krb5_crypto crypto,
- size_t, *confoundersize");
-
- krb5_error_code
- krb5_enctype_keysize(krb5_context context, krb5_enctype type,
- size_t *keysize);
-
- krb5_error_code
- krb5_crypto_overhead(krb5_context context, size_t, *padsize");
-
- krb5_error_code
- krb5_string_to_enctype(krb5_context context, const char *string,
- krb5_enctype *etype);
-
- krb5_error_code
- krb5_enctype_to_string(krb5_context context, krb5_enctype etype,
- char **string);
-
- krb5_error_code
- krb5_enctype_valid(krb5_context context, krb5_enctype etype);
-
- void
- krb5_enctype_disable(krb5_context context, krb5_enctype etype);
-
- size_t
- krb5_get_wrapped_length(krb5_context context, krb5_crypto crypto,
- size_t data_len);
-
-DESCRIPTION
- These functions are used to encrypt and decrypt data.
-
- krb5_encrypt_ivec() puts the encrypted version of data (of size len) in
- result. If the encryption type supports using derived keys, usage should
- be the appropriate key-usage. ivec is a pointer to a initial IV, it is
- modified to the end IV at the end of the round. Ivec should be the size
- of If NULL is passed in, the default IV is used. krb5_encrypt() does the
- same as krb5_encrypt_ivec() but with ivec being NULL.
- krb5_encrypt_EncryptedData() does the same as krb5_encrypt(), but it puts
- the encrypted data in a EncryptedData structure instead. If kvno is not
- zero, it will be put in the (optional) kvno field in the EncryptedData.
-
- krb5_decrypt_ivec(), krb5_decrypt(), and krb5_decrypt_EncryptedData()
- works similarly.
-
- krb5_decrypt_ticket() decrypts the encrypted part of ticket with key.
- krb5_decrypt_ticket() also verifies the timestamp in the ticket, invalid
- flag and if the KDC haven't verified the transited path, the transit
- path.
-
- krb5_enctype_keysize(), krb5_crypto_getconfoundersize(),
- krb5_crypto_getblocksize(), krb5_crypto_getenctype(),
- krb5_crypto_getpadsize(), krb5_crypto_overhead() all returns various
- (sometimes) useful information from a crypto context.
- krb5_crypto_overhead() is the combination of krb5_crypto_getconfounder-
- size, krb5_crypto_getblocksize and krb5_crypto_getpadsize and return the
- maximum overhead size.
-
- krb5_enctype_to_string() converts a encryption type number to a string
- that can be printable and stored. The strings returned should be freed
- with free(3).
-
- krb5_string_to_enctype() converts a encryption type strings to a encryp-
- tion type number that can use used for other Kerberos crypto functions.
-
- krb5_enctype_valid() returns 0 if the encrypt is supported and not dis-
- abled, otherwise and error code is returned.
-
- krb5_enctype_disable() (globally, for all contextes) disables the
- enctype.
-
- krb5_get_wrapped_length() returns the size of an encrypted packet by
- crypto of length data_len.
-
-SEE ALSO
- krb5_create_checksum(3), krb5_crypto_init(3)
-
-HEIMDAL March 20, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_err.et b/lib/krb5/krb5_err.et
index f660fbae7829..1a64c14a411d 100644
--- a/lib/krb5/krb5_err.et
+++ b/lib/krb5/krb5_err.et
@@ -3,6 +3,8 @@
#
# This might look like a com_err file, but is not
#
+# Do try to keep this in sync with MIT's.
+#
id "$Id$"
error_table krb5
@@ -92,7 +94,7 @@ error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
error_code INVALID_CERTIFICATE, "Certificate invalid"
error_code REVOKED_CERTIFICATE, "Certificate revoked"
error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown"
-error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unavaible"
+error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unavailable"
error_code CLIENT_NAME_MISMATCH, "Client name mismatch in certificate"
error_code INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose"
error_code DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted"
@@ -101,12 +103,16 @@ error_code DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signedData not accepte
error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported"
## these are never used
-#index 80
+#index 85
#prefix KRB5_IAKERB
#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
-# 82-93 are reserved
+index 91
+error_code MORE_PREAUTH_DATA_REQUIRED, "More pre-authentication data required"
+
+index 93
+error_code UNKNOWN_CRITICAL_FAST_OPTIONS, "Unknown critical FAST options"
index 94
error_code INVALID_HASH_ALG, "Invalid OTP digest algorithm"
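Review bot: The `# 82-93 are reserved` comment is dropped, but the gap it described is only partly filled: `index 91` and `index 93` are now assigned while 92, and whatever lies between the last live code above and 91, remain unassigned, so a reader no longer sees that those slots are being held for MIT compatibility. Given the new header comment asking to keep this table in sync with MIT's, I would keep a short marker such as `# 92 is reserved` before the `index 93` line, plus a matching note for the range below 91 if the preceding live code is not 90. The `#index 80` to `#index 85` edit sits inside a commented-out block and has no effect on the generated codes; if it is meant to record where the IAKERB codes are expected to go, saying so in that comment would make the intent clear.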
@@ -265,15 +271,44 @@ error_code KRB5_SAM_INVALID_ETYPE, "Invalid encryption type in SAM challenge"
error_code KRB5_SAM_NO_CHECKSUM, "Missing checksum in SAM challenge"
error_code KRB5_SAM_BAD_CHECKSUM, "Bad checksum in SAM challenge"
-index 238
+error_code KRB5_KT_NAME_TOOLONG, "Keytab name too long"
+error_code KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect"
+error_code KRB5_APPL_EXPIRED, "This application has expired"
+error_code KRB5_LIB_EXPIRED, "This Krb5 library has expired"
+
+error_code KRB5_CHPW_PWDNULL, "New password cannot be zero length"
+error_code KRB5_CHPW_FAIL, "Password change failed"
+error_code KRB5_KT_FORMAT, "Bad format in keytab"
+
+error_code KRB5_NOPERM_ETYPE, "Encryption type not permitted"
+error_code KRB5_CONFIG_ETYPE_NOSUPP, "No supported encryption types (config file error?)"
+
error_code KRB5_OBSOLETE_FN, "Program called an obsolete, deleted function"
-index 245
+error_code KRB5_EAI_FAIL, "unknown getaddrinfo failure"
+error_code KRB5_EAI_NODATA, "no data available for host/domain name"
+error_code KRB5_EAI_NONAME, "host/domain name not found"
+error_code KRB5_EAI_SERVICE, "service name unknown"
+
+error_code KRB5_ERR_NUMERIC_REALM, "Cannot determine realm for numeric host address"
+
error_code KRB5_ERR_BAD_S2K_PARAMS, "Invalid key generation parameters from KDC"
+
error_code KRB5_ERR_NO_SERVICE, "Service not available"
+
+index 247
error_code KRB5_CC_NOSUPP, "Credential cache function not supported"
error_code KRB5_DELTAT_BADFORMAT, "Invalid format of Kerberos lifetime or clock skew string"
error_code KRB5_PLUGIN_NO_HANDLE, "Supplied data not handled by this plugin"
error_code KRB5_PLUGIN_OP_NOTSUPP, "Plugin does not support the operaton"
+error_code KRB5_ERR_INVALID_UTF8, "Invalid UTF-8 string"
+error_code KRB5_ERR_FAST_REQUIRED, "FAST protected pre-authentication required but not supported by KDC"
+
+error_code KRB5_LOCAL_ADDR_REQUIRED, "Auth context must contain local address"
+error_code KRB5_REMOTE_ADDR_REQUIRED, "Auth context must contain remote address"
+
+error_code KRB5_TRACE_NOSUPP, "Tracing unsupported"
+
+
end
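Review bot: Removing the `index 238` and `index 245` anchors changes how KRB5_OBSOLETE_FN, KRB5_ERR_BAD_S2K_PARAMS and KRB5_ERR_NO_SERVICE get their numeric values: they are now derived from the number of error_code lines inserted above them rather than pinned, and whether they land on the same numbers as before (or on MIT's) cannot be checked from this hunk alone. These codes are part of the library ABI and are compared numerically by callers and resolved to strings by com_err across library versions, so a silent shift would show up as wrong error messages or failed `ret == KRB5_...` comparisons rather than as a build failure. I would keep explicit `index` lines on the entries whose values must not move, or add a comment stating the expected index of the first inserted entry, e.g. `# KRB5_KT_NAME_TOOLONG must be at index <expected-value> to match MIT`, so the alignment is verifiable at review time. The two empty lines before `end` are a minor style nit.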
diff --git a/lib/krb5/krb5_find_padata.cat3 b/lib/krb5/krb5_find_padata.cat3
deleted file mode 100644
index 2b7f5f288d54..000000000000
--- a/lib/krb5/krb5_find_padata.cat3
+++ /dev/null
@@ -1,32 +0,0 @@
-KRB5_FIND_PADATA(3) BSD Library Functions Manual KRB5_FIND_PADATA(3)
-
-NAME
- krb5_find_padata, krb5_padata_add -- Kerberos 5 pre-authentication data
- handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- PA_DATA *
- krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index);
-
- int
- krb5_padata_add(krb5_context context, METHOD_DATA *md, int type,
- void *buf, size_t len);
-
-DESCRIPTION
- krb5_find_padata() tries to find the pre-authentication data entry of
- type type in the array val of length len. The search is started at entry
- pointed out by *index (zero based indexing). If the type isn't found,
- NULL is returned.
-
- krb5_padata_add() adds a pre-authentication data entry of type type
- pointed out by buf and len to md.
-
-SEE ALSO
- krb5(3), kerberos(8)
-
-HEIMDAL March 21, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_generate_random_block.cat3 b/lib/krb5/krb5_generate_random_block.cat3
deleted file mode 100644
index ca4848d1d654..000000000000
--- a/lib/krb5/krb5_generate_random_block.cat3
+++ /dev/null
@@ -1,22 +0,0 @@
-KRB5_GENERATE_RANDOM_... BSD Library Functions Manual KRB5_GENERATE_RANDOM_...
-
-NAME
- krb5_generate_random_block -- Kerberos 5 random functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- void
- krb5_generate_random_block(void *buf, size_t len);
-
-DESCRIPTION
- krb5_generate_random_block() generates a cryptographically strong pseudo-
- random block into the buffer buf of length len.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL March 21, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_get_all_client_addrs.cat3 b/lib/krb5/krb5_get_all_client_addrs.cat3
deleted file mode 100644
index 8538a6d6c619..000000000000
--- a/lib/krb5/krb5_get_all_client_addrs.cat3
+++ /dev/null
@@ -1,38 +0,0 @@
-KRB5_GET_ADDRS(3) BSD Library Functions Manual KRB5_GET_ADDRS(3)
-
-NAME
- krb5_get_all_client_addrs, krb5_get_all_server_addrs -- return local ad-
- dresses
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_all_client_addrs(krb5_context context, krb5_addresses *addrs);
-
- krb5_error_code
- krb5_get_all_server_addrs(krb5_context context, krb5_addresses *addrs);
-
-DESCRIPTION
- These functions return in addrs a list of addresses associated with the
- local host.
-
- The server variant returns all configured interface addresses (if possi-
- ble), including loop-back addresses. This is useful if you want to create
- sockets to listen to.
-
- The client version will also scan local interfaces (can be turned off by
- setting libdefaults/scan_interfaces to false in krb5.conf), but will not
- include loop-back addresses, unless there are no other addresses found.
- It will remove all addresses included in libdefaults/ignore_addresses but
- will unconditionally include addresses in libdefaults/extra_addresses.
-
- The returned addresses should be freed by calling krb5_free_addresses().
-
-SEE ALSO
- krb5_free_addresses(3)
-
-HEIMDAL July 1, 2001 HEIMDAL
diff --git a/lib/krb5/krb5_get_credentials.cat3 b/lib/krb5/krb5_get_credentials.cat3
deleted file mode 100644
index 595484d72397..000000000000
--- a/lib/krb5/krb5_get_credentials.cat3
+++ /dev/null
@@ -1,96 +0,0 @@
-KRB5_GET_CREDENTIALS(3) BSD Library Functions Manual KRB5_GET_CREDENTIALS(3)
-
-NAME
- krb5_get_credentials, krb5_get_credentials_with_flags, krb5_get_kdc_cred,
- krb5_get_renewed_creds -- get credentials from the KDC using krbtgt
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_credentials(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds);
-
- krb5_error_code
- krb5_get_credentials_with_flags(krb5_context context, krb5_flags options,
- krb5_kdc_flags flags, krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds);
-
- krb5_error_code
- krb5_get_kdc_cred(krb5_context context, krb5_ccache id,
- krb5_kdc_flags flags, krb5_addresses *addresses,
- Ticket *second_ticket, krb5_creds *in_creds, krb5_creds **out_creds);
-
- krb5_error_code
- krb5_get_renewed_creds(krb5_context context, krb5_creds *creds,
- krb5_const_principal client, krb5_ccache ccache,
- const char *in_tkt_service);
-
-DESCRIPTION
- krb5_get_credentials_with_flags() get credentials specified by
- in_creds->server and in_creds->client (the rest of the in_creds structure
- is ignored) by first looking in the ccache and if doesn't exists or is
- expired, fetch the credential from the KDC using the krbtgt in ccache.
- The credential is returned in out_creds and should be freed using the
- function krb5_free_creds().
-
- Valid flags to pass into options argument are:
-
- KRB5_GC_CACHED Only check the ccache, don't got out on network to
- fetch credential.
- KRB5_GC_USER_USER Request a user to user ticket. This option doesn't
- store the resulting user to user credential in the
- ccache.
- KRB5_GC_EXPIRED_OK returns the credential even if it is expired, default
- behavior is trying to refetch the credential from the
- KDC.
-
- Flags are KDCOptions, note the caller must fill in the bit-field and not
- use the integer associated structure.
-
- krb5_get_credentials() works the same way as
- krb5_get_credentials_with_flags() except that the flags field is missing.
-
- krb5_get_kdc_cred() does the same as the functions above, but the caller
- must fill in all the information andits closer to the wire protocol.
-
- krb5_get_renewed_creds() renews a credential given by in_tkt_service (if
- NULL the default krbtgt) using the credential cache ccache. The result
- is stored in creds and should be freed using krb5_free_creds.
-
-EXAMPLES
- Here is a example function that get a credential from a credential cache
- id or the KDC and returns it to the caller.
-
- #include <krb5.h>
-
- int
- getcred(krb5_context context, krb5_ccache id, krb5_creds **creds)
- {
- krb5_error_code ret;
- krb5_creds in;
-
- ret = krb5_parse_name(context, "client@EXAMPLE.COM",
- &in.client);
- if (ret)
- krb5_err(context, 1, ret, "krb5_parse_name");
-
- ret = krb5_parse_name(context, "host/server.example.com@EXAMPLE.COM",
- &in.server);
- if (ret)
- krb5_err(context, 1, ret, "krb5_parse_name");
-
- ret = krb5_get_credentials(context, 0, id, &in, creds);
- if (ret)
- krb5_err(context, 1, ret, "krb5_get_credentials");
-
- return 0;
- }
-
-SEE ALSO
- krb5(3), krb5_get_forwarded_creds(3), krb5.conf(5)
-
-HEIMDAL July 26, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_get_creds.cat3 b/lib/krb5/krb5_get_creds.cat3
deleted file mode 100644
index 88f4aa2d16ca..000000000000
--- a/lib/krb5/krb5_get_creds.cat3
+++ /dev/null
@@ -1,92 +0,0 @@
-KRB5_GET_CREDS(3) BSD Library Functions Manual KRB5_GET_CREDS(3)
-
-NAME
- krb5_get_creds, krb5_get_creds_opt_add_options, krb5_get_creds_opt_alloc,
- krb5_get_creds_opt_free, krb5_get_creds_opt_set_enctype,
- krb5_get_creds_opt_set_impersonate, krb5_get_creds_opt_set_options,
- krb5_get_creds_opt_set_ticket -- get credentials from the KDC
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_creds(krb5_context context, krb5_get_creds_opt opt,
- krb5_ccache ccache, krb5_const_principal inprinc,
- krb5_creds **out_creds);
-
- void
- krb5_get_creds_opt_add_options(krb5_context context,
- krb5_get_creds_opt opt, krb5_flags options);
-
- krb5_error_code
- krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt);
-
- void
- krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt);
-
- void
- krb5_get_creds_opt_set_enctype(krb5_context context,
- krb5_get_creds_opt opt, krb5_enctype enctype);
-
- krb5_error_code
- krb5_get_creds_opt_set_impersonate(krb5_context context,
- krb5_get_creds_opt opt, krb5_const_principal self);
-
- void
- krb5_get_creds_opt_set_options(krb5_context context,
- krb5_get_creds_opt opt, krb5_flags options);
-
- krb5_error_code
- krb5_get_creds_opt_set_ticket(krb5_context context,
- krb5_get_creds_opt opt, const Ticket *ticket);
-
-DESCRIPTION
- krb5_get_creds() fetches credentials specified by opt by first looking in
- the ccache, and then it doesn't exists, fetch the credential from the KDC
- using the krbtgts in ccache. The credential is returned in out_creds and
- should be freed using the function krb5_free_creds().
-
- The structure krb5_get_creds_opt controls the behavior of
- krb5_get_creds(). The structure is opaque to consumers that can set the
- content of the structure with accessors functions. All accessor functions
- make copies of the data that is passed into accessor functions, so exter-
- nal consumers free the memory before calling krb5_get_creds().
-
- The structure krb5_get_creds_opt is allocated with
- krb5_get_creds_opt_alloc() and freed with krb5_get_creds_opt_free(). The
- free function also frees the content of the structure set by the accessor
- functions.
-
- krb5_get_creds_opt_add_options() and krb5_get_creds_opt_set_options()
- adds and sets options to the krb5_get_creds_opt structure . The possible
- options to set are
- KRB5_GC_CACHED Only check the ccache, don't got out on network to
- fetch credential.
- KRB5_GC_USER_USER request a user to user ticket. This options doesn't
- store the resulting user to user credential in the
- ccache.
- KRB5_GC_EXPIRED_OK
- returns the credential even if it is expired, default
- behavior is trying to refetch the credential from the
- KDC.
- KRB5_GC_NO_STORE Do not store the resulting credentials in the ccache.
-
- krb5_get_creds_opt_set_enctype() sets the preferred encryption type of
- the application. Don't set this unless you have to since if there is no
- match in the KDC, the function call will fail.
-
- krb5_get_creds_opt_set_impersonate() sets the principal to impersonate.,
- Returns a ticket that have the impersonation principal as a client and
- the requestor as the service. Note that the requested principal have to
- be the same as the client principal in the krbtgt.
-
- krb5_get_creds_opt_set_ticket() sets the extra ticket used in user-to-
- user or contrained delegation use case.
-
-SEE ALSO
- krb5(3), krb5_get_credentials(3), krb5.conf(5)
-
-HEIMDAL June 15, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_get_forwarded_creds.cat3 b/lib/krb5/krb5_get_forwarded_creds.cat3
deleted file mode 100644
index 0cf9282437a7..000000000000
--- a/lib/krb5/krb5_get_forwarded_creds.cat3
+++ /dev/null
@@ -1,32 +0,0 @@
-KRB5_GET_FORWARDED_CR... BSD Library Functions Manual KRB5_GET_FORWARDED_CR...
-
-NAME
- krb5_get_forwarded_creds, krb5_fwd_tgt_creds -- get forwarded credentials
- from the KDC
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_forwarded_creds(krb5_context context,
- krb5_auth_context auth_context, krb5_ccache ccache, krb5_flags flags,
- const char *hostname, krb5_creds *in_creds, krb5_data *out_data);
-
- krb5_error_code
- krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
- const char *hostname, krb5_principal client, krb5_principal server,
- krb5_ccache ccache, int forwardable, krb5_data *out_data);
-
-DESCRIPTION
- krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() get tickets forwarded
- to hostname. If the tickets that are forwarded are address-less, the for-
- warded tickets will also be address-less, otherwise hostname will be used
- for figure out the address to forward the ticket too.
-
-SEE ALSO
- krb5(3), krb5_get_credentials(3), krb5.conf(5)
-
-HEIMDAL July 26, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_get_in_cred.cat3 b/lib/krb5/krb5_get_in_cred.cat3
deleted file mode 100644
index e0f0fcea0c93..000000000000
--- a/lib/krb5/krb5_get_in_cred.cat3
+++ /dev/null
@@ -1,131 +0,0 @@
-KRB5_GET_IN_TKT(3) BSD Library Functions Manual KRB5_GET_IN_TKT(3)
-
-NAME
- krb5_get_in_tkt, krb5_get_in_cred, krb5_get_in_tkt_with_password,
- krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_skey,
- krb5_free_kdc_rep, krb5_password_key_proc -- deprecated initial authenti-
- cation functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_in_tkt(krb5_context context, krb5_flags options,
- const krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *ptypes, krb5_key_proc key_proc,
- krb5_const_pointer keyseed, krb5_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg, krb5_creds *creds, krb5_ccache ccache,
- krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_cred(krb5_context context, krb5_flags options,
- const krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *ptypes, const krb5_preauthdata *preauth,
- krb5_key_proc key_proc, krb5_const_pointer keyseed,
- krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg,
- krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types, const char *password,
- krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types, krb5_keytab keytab,
- krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
- krb5_addresses *addrs, const krb5_enctype *etypes,
- const krb5_preauthtype *pre_auth_types, const krb5_keyblock *key,
- krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
-
- krb5_error_code
- krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep);
-
- krb5_error_code
- krb5_password_key_proc(krb5_context context, krb5_enctype type,
- krb5_salt salt, krb5_const_pointer keyseed, krb5_keyblock **key);
-
-DESCRIPTION
- All the functions in this manual page are deprecated in the MIT implemen-
- tation, and will soon be deprecated in Heimdal too, don't use them.
-
- Getting initial credential ticket for a principal. krb5_get_in_cred is
- the function all other krb5_get_in function uses to fetch tickets. The
- other krb5_get_in function are more specialized and therefor somewhat
- easier to use.
-
- If your need is only to verify a user and password, consider using
- krb5_verify_user(3) instead, it have a much simpler interface.
-
- krb5_get_in_tkt and krb5_get_in_cred fetches initial credential, queries
- after key using the key_proc argument. The differences between the two
- function is that krb5_get_in_tkt stores the credential in a krb5_creds
- while krb5_get_in_cred stores the credential in a krb5_ccache.
-
- krb5_get_in_tkt_with_password, krb5_get_in_tkt_with_keytab, and
- krb5_get_in_tkt_with_skey does the same work as krb5_get_in_cred but are
- more specialized.
-
- krb5_get_in_tkt_with_password uses the clients password to authenticate.
- If the password argument is NULL the user user queried with the default
- password query function.
-
- krb5_get_in_tkt_with_keytab searches the given keytab for a service entry
- for the client principal. If the keytab is NULL the default keytab is
- used.
-
- krb5_get_in_tkt_with_skey uses a key to get the initial credential.
-
- There are some common arguments to the krb5_get_in functions, these are:
-
- options are the KDC_OPT flags.
-
- etypes is a NULL terminated array of encryption types that the client ap-
- proves.
-
- addrs a list of the addresses that the initial ticket. If it is NULL the
- list will be generated by the library.
-
- pre_auth_types a NULL terminated array of pre-authentication types. If
- pre_auth_types is NULL the function will try without pre-authentication
- and return those pre-authentication that the KDC returned.
-
- ret_as_reply will (if not NULL) be filled in with the response of the KDC
- and should be free with krb5_free_kdc_rep().
-
- key_proc is a pointer to a function that should return a key salted ap-
- propriately. Using NULL will use the default password query function.
-
- decrypt_proc Using NULL will use the default decryption function.
-
- decryptarg will be passed to the decryption function decrypt_proc.
-
- creds creds should be filled in with the template for a credential that
- should be requested. The client and server elements of the creds struc-
- ture must be filled in. Upon return of the function it will be contain
- the content of the requested credential (krb5_get_in_cred), or it will be
- freed with krb5_free_creds(3) (all the other krb5_get_in functions).
-
- ccache will store the credential in the credential cache ccache. The
- credential cache will not be initialized, thats up the the caller.
-
- krb5_password_key_proc is a library function that is suitable using as
- the krb5_key_proc argument to krb5_get_in_cred or krb5_get_in_tkt.
- keyseed should be a pointer to a NUL terminated string or NULL.
- krb5_password_key_proc will query the user for the pass on the console if
- the password isn't given as the argument keyseed.
-
- krb5_free_kdc_rep() frees the content of rep.
-
-SEE ALSO
- krb5(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)
-
-HEIMDAL May 31, 2003 HEIMDAL
diff --git a/lib/krb5/krb5_get_init_creds.cat3 b/lib/krb5/krb5_get_init_creds.cat3
deleted file mode 100644
index c92749926ded..000000000000
--- a/lib/krb5/krb5_get_init_creds.cat3
+++ /dev/null
@@ -1,248 +0,0 @@
-KRB5_GET_INIT_CREDS(3) BSD Library Functions Manual KRB5_GET_INIT_CREDS(3)
-
-NAME
- krb5_get_init_creds, krb5_get_init_creds_keytab, krb5_get_init_creds_opt,
- krb5_get_init_creds_opt_alloc, krb5_get_init_creds_opt_free,
- krb5_get_init_creds_opt_init, krb5_get_init_creds_opt_set_address_list,
- krb5_get_init_creds_opt_set_addressless,
- krb5_get_init_creds_opt_set_anonymous,
- krb5_get_init_creds_opt_set_default_flags,
- krb5_get_init_creds_opt_set_etype_list,
- krb5_get_init_creds_opt_set_forwardable,
- krb5_get_init_creds_opt_set_pa_password,
- krb5_get_init_creds_opt_set_paq_request,
- krb5_get_init_creds_opt_set_preauth_list,
- krb5_get_init_creds_opt_set_proxiable,
- krb5_get_init_creds_opt_set_renew_life, krb5_get_init_creds_opt_set_salt,
- krb5_get_init_creds_opt_set_tkt_life,
- krb5_get_init_creds_opt_set_canonicalize,
- krb5_get_init_creds_opt_set_win2k, krb5_get_init_creds_password,
- krb5_prompt, krb5_prompter_posix -- Kerberos 5 initial authentication
- functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_get_init_creds_opt;
-
- krb5_error_code
- krb5_get_init_creds_opt_alloc(krb5_context context,
- krb5_get_init_creds_opt **opt);
-
- void
- krb5_get_init_creds_opt_free(krb5_context context,
- krb5_get_init_creds_opt *opt);
-
- void
- krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
-
- void
- krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
- krb5_addresses *addresses);
-
- void
- krb5_get_init_creds_opt_set_addressless(krb5_get_init_creds_opt *opt,
- krb5_boolean addressless);
-
- void
- krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
- int anonymous);
-
- void
- krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
- int change_password_prompt);
-
- void
- krb5_get_init_creds_opt_set_default_flags(krb5_context context,
- const char *appname, krb5_const_realm realm,
- krb5_get_init_creds_opt *opt);
-
- void
- krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
- krb5_enctype *etype_list, int etype_list_length);
-
- void
- krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
- int forwardable);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_pa_password(krb5_context context,
- krb5_get_init_creds_opt *opt, const char *password,
- krb5_s2k_proc key_proc);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_paq_request(krb5_context context,
- krb5_get_init_creds_opt *opt, krb5_boolean req_pac);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_pkinit(krb5_context context,
- krb5_get_init_creds_opt *opt, const char *cert_file,
- const char *key_file, const char *x509_anchors, int flags,
- char *password);
-
- void
- krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
- krb5_preauthtype *preauth_list, int preauth_list_length);
-
- void
- krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
- int proxiable);
-
- void
- krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
- krb5_deltat renew_life);
-
- void
- krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
- krb5_data *salt);
-
- void
- krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
- krb5_deltat tkt_life);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
- krb5_get_init_creds_opt *opt, krb5_boolean req);
-
- krb5_error_code
- krb5_get_init_creds_opt_set_win2k(krb5_context context,
- krb5_get_init_creds_opt *opt, krb5_boolean req);
-
- krb5_error_code
- krb5_get_init_creds(krb5_context context, krb5_creds *creds,
- krb5_principal client, krb5_prompter_fct prompter,
- void *prompter_data, krb5_deltat start_time,
- const char *in_tkt_service, krb5_get_init_creds_opt *options);
-
- krb5_error_code
- krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
- krb5_principal client, const char *password,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_deltat start_time, const char *in_tkt_service,
- krb5_get_init_creds_opt *in_options);
-
- krb5_error_code
- krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
- krb5_principal client, krb5_keytab keytab, krb5_deltat start_time,
- const char *in_tkt_service, krb5_get_init_creds_opt *options);
-
- int
- krb5_prompter_posix(krb5_context context, void *data, const char *name,
- const char *banner, int num_prompts, krb5_prompt prompts[]);
-
-DESCRIPTION
- Getting initial credential ticket for a principal. That may include
- changing an expired password, and doing preauthentication. This inter-
- face that replaces the deprecated krb5_in_tkt and krb5_in_cred functions.
-
- If you only want to verify a username and password, consider using
- krb5_verify_user(3) instead, since it also verifies that initial creden-
- tials with using a keytab to make sure the response was from the KDC.
-
- First a krb5_get_init_creds_opt structure is initialized with
- krb5_get_init_creds_opt_alloc() or krb5_get_init_creds_opt_init().
- krb5_get_init_creds_opt_alloc() allocates a extendible structures that
- needs to be freed with krb5_get_init_creds_opt_free(). The structure may
- be modified by any of the krb5_get_init_creds_opt_set() functions to
- change request parameters and authentication information.
-
- If the caller want to use the default options, NULL can be passed in-
- stead.
-
- The the actual request to the KDC is done by any of the
- krb5_get_init_creds(), krb5_get_init_creds_password(), or
- krb5_get_init_creds_keytab() functions. krb5_get_init_creds() is the
- least specialized function and can, with the right in data, behave like
- the latter two. The latter two are there for compatibility with older
- releases and they are slightly easier to use.
-
- krb5_prompt is a structure containing the following elements:
-
- typedef struct {
- const char *prompt;
- int hidden;
- krb5_data *reply;
- krb5_prompt_type type
- } krb5_prompt;
-
- prompt is the prompt that should shown to the user If hidden is set, the
- prompter function shouldn't echo the output to the display device. reply
- must be preallocated; it will not be allocated by the prompter function.
- Possible values for the type element are:
-
- KRB5_PROMPT_TYPE_PASSWORD
- KRB5_PROMPT_TYPE_NEW_PASSWORD
- KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
- KRB5_PROMPT_TYPE_PREAUTH
- KRB5_PROMPT_TYPE_INFO
-
- krb5_prompter_posix() is the default prompter function in a POSIX envi-
- ronment. It matches the krb5_prompter_fct and can be used in the
- krb5_get_init_creds functions. krb5_prompter_posix() doesn't require
- prompter_data.
-
- If the start_time is zero, then the requested ticket will be valid begin-
- ning immediately. Otherwise, the start_time indicates how far in the fu-
- ture the ticket should be postdated.
-
- If the in_tkt_service name is non-NULL, that principal name will be used
- as the server name for the initial ticket request. The realm of the name
- specified will be ignored and will be set to the realm of the client
- name. If no in_tkt_service name is specified, krbtgt/CLIENT-
- REALM@CLIENT-REALM will be used.
-
- For the rest of arguments, a configuration or library default will be
- used if no value is specified in the options structure.
-
- krb5_get_init_creds_opt_set_address_list() sets the list of addresses
- that is should be stored in the ticket.
-
- krb5_get_init_creds_opt_set_addressless() controls if the ticket is re-
- quested with addresses or not, krb5_get_init_creds_opt_set_address_list()
- overrides this option.
-
- krb5_get_init_creds_opt_set_anonymous() make the request anonymous if the
- anonymous parameter is non-zero.
-
- krb5_get_init_creds_opt_set_default_flags() sets the default flags using
- the configuration file.
-
- krb5_get_init_creds_opt_set_etype_list() set a list of enctypes that the
- client is willing to support in the request.
-
- krb5_get_init_creds_opt_set_forwardable() request a forwardable ticket.
-
- krb5_get_init_creds_opt_set_pa_password() set the password and key_proc
- that is going to be used to get a new ticket. password or key_proc can
- be NULL if the caller wants to use the default values. If the password
- is unset and needed, the user will be prompted for it.
-
- krb5_get_init_creds_opt_set_paq_request() sets the password that is going
- to be used to get a new ticket.
-
- krb5_get_init_creds_opt_set_preauth_list() sets the list of client-sup-
- ported preauth types.
-
- krb5_get_init_creds_opt_set_proxiable() makes the request proxiable.
-
- krb5_get_init_creds_opt_set_renew_life() sets the requested renewable
- lifetime.
-
- krb5_get_init_creds_opt_set_salt() sets the salt that is going to be used
- in the request.
-
- krb5_get_init_creds_opt_set_tkt_life() sets requested ticket lifetime.
-
- krb5_get_init_creds_opt_set_canonicalize() requests that the KDC canoni-
- calize the client principal if possible.
-
- krb5_get_init_creds_opt_set_win2k() turns on compatibility with Windows
- 2000.
-
-SEE ALSO
- krb5(3), krb5_creds(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)
-
-HEIMDAL Sep 16, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_get_krbhst.cat3 b/lib/krb5/krb5_get_krbhst.cat3
deleted file mode 100644
index 27d544807e73..000000000000
--- a/lib/krb5/krb5_get_krbhst.cat3
+++ /dev/null
@@ -1,55 +0,0 @@
-KRB5_GET_KRBHST(3) BSD Library Functions Manual KRB5_GET_KRBHST(3)
-
-NAME
- krb5_get_krbhst, krb5_get_krb_admin_hst, krb5_get_krb_changepw_hst,
- krb5_get_krb524hst, krb5_free_krbhst -- lookup Kerberos KDC hosts
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_get_krbhst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_get_krb_admin_hst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_get_krb_changepw_hst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_get_krb524hst(krb5_context context, const krb5_realm *realm,
- char ***hostlist);
-
- krb5_error_code
- krb5_free_krbhst(krb5_context context, char **hostlist);
-
-DESCRIPTION
- These functions implement the old API to get a list of Kerberos hosts,
- and are thus similar to the krb5_krbhst_init() functions. However, since
- these functions returns all hosts in one go, they potentially have to do
- more lookups than necessary. These functions remain for compatibility
- reasons.
-
- After a call to one of these functions, hostlist is a NULL terminated
- list of strings, pointing to the requested Kerberos hosts. These should
- be freed with krb5_free_krbhst() when done with.
-
-EXAMPLES
- The following code will print the KDCs of the realm "MY.REALM".
-
- char **hosts, **p;
- krb5_get_krbhst(context, "MY.REALM", &hosts);
- for(p = hosts; *p; p++)
- printf("%s\n", *p);
- krb5_free_krbhst(context, hosts);
-
-SEE ALSO
- krb5_krbhst_init(3)
-
-HEIMDAL April 24, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_getportbyname.cat3 b/lib/krb5/krb5_getportbyname.cat3
deleted file mode 100644
index 106177186413..000000000000
--- a/lib/krb5/krb5_getportbyname.cat3
+++ /dev/null
@@ -1,28 +0,0 @@
-NAME(3) BSD Library Functions Manual NAME(3)
-
-NAME
- krb5_getportbyname -- get port number by name
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- int
- krb5_getportbyname(krb5_context context, const char *service,
- const char *proto, int default_port);
-
-DESCRIPTION
- krb5_getportbyname() gets the port number for service / proto pair from
- the global service table for and returns it in network order. If it
- isn't found in the global table, the default_port (given in host order)
- is returned.
-
-EXAMPLE
- int port = krb5_getportbyname(context, "kerberos", "tcp", 88);
-
-SEE ALSO
- krb5(3)
-
-HEIMDAL August 15, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_init_context.cat3 b/lib/krb5/krb5_init_context.cat3
deleted file mode 100644
index 6bc70e974423..000000000000
--- a/lib/krb5/krb5_init_context.cat3
+++ /dev/null
@@ -1,184 +0,0 @@
-KRB5_CONTEXT(3) BSD Library Functions Manual KRB5_CONTEXT(3)
-
-NAME
- krb5_add_et_list, krb5_add_extra_addresses, krb5_add_ignore_addresses,
- krb5_context, krb5_free_config_files, krb5_free_context,
- krb5_get_default_config_files, krb5_get_dns_canonize_hostname,
- krb5_get_extra_addresses, krb5_get_fcache_version,
- krb5_get_ignore_addresses, krb5_get_kdc_sec_offset,
- krb5_get_max_time_skew, krb5_get_use_admin_kdc krb5_init_context,
- krb5_init_ets, krb5_prepend_config_files,
- krb5_prepend_config_files_default, krb5_set_config_files,
- krb5_set_dns_canonize_hostname, krb5_set_extra_addresses,
- krb5_set_fcache_version, krb5_set_ignore_addresses,
- krb5_set_max_time_skew, krb5_set_use_admin_kdc, -- create, modify and
- delete krb5_context structures
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- struct krb5_context;
-
- krb5_error_code
- krb5_init_context(krb5_context *context);
-
- void
- krb5_free_context(krb5_context context);
-
- void
- krb5_init_ets(krb5_context context);
-
- krb5_error_code
- krb5_add_et_list(krb5_context context, void (*func)(struct et_list **));
-
- krb5_error_code
- krb5_add_extra_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_set_extra_addresses(krb5_context context,
- const krb5_addresses *addresses);
-
- krb5_error_code
- krb5_get_extra_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_add_ignore_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_set_ignore_addresses(krb5_context context,
- const krb5_addresses *addresses);
-
- krb5_error_code
- krb5_get_ignore_addresses(krb5_context context,
- krb5_addresses *addresses);
-
- krb5_error_code
- krb5_set_fcache_version(krb5_context context, int version);
-
- krb5_error_code
- krb5_get_fcache_version(krb5_context context, int *version);
-
- void
- krb5_set_dns_canonize_hostname(krb5_context context, krb5_boolean flag);
-
- krb5_boolean
- krb5_get_dns_canonize_hostname(krb5_context context);
-
- krb5_error_code
- krb5_get_kdc_sec_offset(krb5_context context, int32_t *sec,
- int32_t *usec);
-
- krb5_error_code
- krb5_set_config_files(krb5_context context, char **filenames);
-
- krb5_error_code
- krb5_prepend_config_files(const char *filelist, char **pq,
- char ***ret_pp);
-
- krb5_error_code
- krb5_prepend_config_files_default(const char *filelist,
- char ***pfilenames);
-
- krb5_error_code
- krb5_get_default_config_files(char ***pfilenames);
-
- void
- krb5_free_config_files(char **filenames);
-
- void
- krb5_set_use_admin_kdc(krb5_context context, krb5_boolean flag);
-
- krb5_boolean
- krb5_get_use_admin_kdc(krb5_context context);
-
- time_t
- krb5_get_max_time_skew(krb5_context context);
-
- krb5_error_code
- krb5_set_max_time_skew(krb5_context context, time_t time);
-
-DESCRIPTION
- The krb5_init_context() function initializes the context structure and
- reads the configuration file /etc/krb5.conf.
-
- The structure should be freed by calling krb5_free_context() when it is
- no longer being used.
-
- krb5_init_context() returns 0 to indicate success. Otherwise an errno
- code is returned. Failure means either that something bad happened dur-
- ing initialization (typically [ENOMEM]) or that Kerberos should not be
- used [ENXIO].
-
- krb5_init_ets() adds all com_err(3) libs to context. This is done by
- krb5_init_context().
-
- krb5_add_et_list() adds a com_err(3) error-code handler func to the spec-
- ified context. The error handler must generated by the the re-rentrant
- version of the compile_et(1) program. krb5_add_extra_addresses() add a
- list of addresses that should be added when requesting tickets.
-
- krb5_add_ignore_addresses() add a list of addresses that should be ig-
- nored when requesting tickets.
-
- krb5_get_extra_addresses() get the list of addresses that should be added
- when requesting tickets.
-
- krb5_get_ignore_addresses() get the list of addresses that should be ig-
- nored when requesting tickets.
-
- krb5_set_ignore_addresses() set the list of addresses that should be ig-
- nored when requesting tickets.
-
- krb5_set_extra_addresses() set the list of addresses that should be added
- when requesting tickets.
-
- krb5_set_fcache_version() sets the version of file credentials caches
- that should be used.
-
- krb5_get_fcache_version() gets the version of file credentials caches
- that should be used.
-
- krb5_set_dns_canonize_hostname() sets if the context is configured to
- canonicalize hostnames using DNS.
-
- krb5_get_dns_canonize_hostname() returns if the context is configured to
- canonicalize hostnames using DNS.
-
- krb5_get_kdc_sec_offset() returns the offset between the localtime and
- the KDC's time. sec and usec are both optional argument and NULL can be
- passed in.
-
- krb5_set_config_files() set the list of configuration files to use and
- re-initialize the configuration from the files.
-
- krb5_prepend_config_files() parse the filelist and prepend the result to
- the already existing list pq The result is returned in ret_pp and should
- be freed with krb5_free_config_files().
-
- krb5_prepend_config_files_default() parse the filelist and append that to
- the default list of configuration files.
-
- krb5_get_default_config_files() get a list of default configuration
- files.
-
- krb5_free_config_files() free a list of configuration files returned by
- krb5_get_default_config_files(), krb5_prepend_config_files_default(), or
- krb5_prepend_config_files().
-
- krb5_set_use_admin_kdc() sets if all KDC requests should go admin KDC.
-
- krb5_get_use_admin_kdc() gets if all KDC requests should go admin KDC.
-
- krb5_get_max_time_skew() and krb5_set_max_time_skew() get and sets the
- maximum allowed time skew between client and server.
-
-SEE ALSO
- errno(2), krb5(3), krb5_config(3), krb5_context(3), kerberos(8)
-
-HEIMDAL December 8, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_is_thread_safe.cat3 b/lib/krb5/krb5_is_thread_safe.cat3
deleted file mode 100644
index bd9b37940c9f..000000000000
--- a/lib/krb5/krb5_is_thread_safe.cat3
+++ /dev/null
@@ -1,25 +0,0 @@
-KRB5_IS_THREAD_SAFE(3) BSD Library Functions Manual KRB5_IS_THREAD_SAFE(3)
-
-NAME
- krb5_is_thread_safe -- is the Kerberos library compiled with multithread
- support
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_boolean
- krb5_is_thread_safe(void);
-
-DESCRIPTION
- krb5_is_thread_safe returns TRUE if the library was compiled with with
- multithread support. If the library isn't compiled, the consumer have to
- use a global lock to make sure Kerboros functions are not called at the
- same time by different threads.
-
-SEE ALSO
- krb5_create_checksum(3), krb5_encrypt(3)
-
-HEIMDAL May 5, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_krbhst_init.cat3 b/lib/krb5/krb5_krbhst_init.cat3
deleted file mode 100644
index 44ddb4d2c8f2..000000000000
--- a/lib/krb5/krb5_krbhst_init.cat3
+++ /dev/null
@@ -1,117 +0,0 @@
-KRB5_KRBHST_INIT(3) BSD Library Functions Manual KRB5_KRBHST_INIT(3)
-
-NAME
- krb5_krbhst_init, krb5_krbhst_init_flags, krb5_krbhst_next,
- krb5_krbhst_next_as_string, krb5_krbhst_reset, krb5_krbhst_free,
- krb5_krbhst_format_string, krb5_krbhst_get_addrinfo -- lookup Kerberos
- KDC hosts
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_krbhst_init(krb5_context context, const char *realm,
- unsigned int type, krb5_krbhst_handle *handle);
-
- krb5_error_code
- krb5_krbhst_init_flags(krb5_context context, const char *realm,
- unsigned int type, int flags, krb5_krbhst_handle *handle);
-
- krb5_error_code
- krb5_krbhst_next(krb5_context context, krb5_krbhst_handle handle,
- krb5_krbhst_info **host);
-
- krb5_error_code
- krb5_krbhst_next_as_string(krb5_context context,
- krb5_krbhst_handle handle, char *hostname, size_t hostlen);
-
- void
- krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle);
-
- void
- krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle);
-
- krb5_error_code
- krb5_krbhst_format_string(krb5_context context,
- const krb5_krbhst_info *host, char *hostname, size_t hostlen);
-
- krb5_error_code
- krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
- struct addrinfo **ai);
-
-DESCRIPTION
- These functions are used to sequence through all Kerberos hosts of a par-
- ticular realm and service. The service type can be the KDCs, the adminis-
- trative servers, the password changing servers, or the servers for Ker-
- beros 4 ticket conversion.
-
- First a handle to a particular service is obtained by calling
- krb5_krbhst_init() (or krb5_krbhst_init_flags()) with the realm of inter-
- est and the type of service to lookup. The type can be one of:
-
- KRB5_KRBHST_KDC
- KRB5_KRBHST_ADMIN
- KRB5_KRBHST_CHANGEPW
- KRB5_KRBHST_KRB524
-
- The handle is returned to the caller, and should be passed to the other
- functions.
-
- The flag argument to krb5_krbhst_init_flags is the same flags as
- krb5_send_to_kdc_flags() uses. Possible values are:
-
- KRB5_KRBHST_FLAGS_MASTER only talk to master (readwrite) KDC
- KRB5_KRBHST_FLAGS_LARGE_MSG this is a large message, so use trans-
- port that can handle that.
-
- For each call to krb5_krbhst_next() information on a new host is re-
- turned. The former function returns in host a pointer to a structure con-
- taining information about the host, such as protocol, hostname, and port:
-
- typedef struct krb5_krbhst_info {
- enum { KRB5_KRBHST_UDP,
- KRB5_KRBHST_TCP,
- KRB5_KRBHST_HTTP } proto;
- unsigned short port;
- struct addrinfo *ai;
- struct krb5_krbhst_info *next;
- char hostname[1];
- } krb5_krbhst_info;
-
- The related function, krb5_krbhst_next_as_string(), return the same in-
- formation as a URL-like string.
-
- When there are no more hosts, these functions return KRB5_KDC_UNREACH.
-
- To re-iterate over all hosts, call krb5_krbhst_reset() and the next call
- to krb5_krbhst_next() will return the first host.
-
- When done with the handle, krb5_krbhst_free() should be called.
-
- To use a krb5_krbhst_info, there are two functions:
- krb5_krbhst_format_string() that will return a printable representation
- of that struct and krb5_krbhst_get_addrinfo() that will return a struct
- addrinfo that can then be used for communicating with the server men-
- tioned.
-
-EXAMPLES
- The following code will print the KDCs of the realm "MY.REALM":
-
- krb5_krbhst_handle handle;
- char host[MAXHOSTNAMELEN];
- krb5_krbhst_init(context, "MY.REALM", KRB5_KRBHST_KDC, &handle);
- while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0)
- printf("%s\n", host);
- krb5_krbhst_free(context, handle);
-
-SEE ALSO
- getaddrinfo(3), krb5_get_krbhst(3), krb5_send_to_kdc_flags(3)
-
-HISTORY
- These functions first appeared in Heimdal 0.3g.
-
-HEIMDAL May 10, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_locl.h b/lib/krb5/krb5_locl.h
index b64f3a9fbd49..75ca24b66767 100644
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -82,6 +82,7 @@ struct mbuf;
#include <com_err.h>
#include <heimbase.h>
+#include "heimbase-atomics.h"
#define HEIMDAL_TEXTDOMAIN "heimdal_krb5"
@@ -122,6 +123,8 @@ struct mbuf;
#include <krb5_asn1.h>
+typedef Krb5Int32 krb5int32;
+typedef Krb5UInt32 krb5uint32;
#include <pkinit_asn1.h>
struct send_to_kdc;
@@ -134,14 +137,24 @@ struct ContentInfo;
struct AlgorithmIdentifier;
typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
struct krb5_dh_moduli;
+struct krb5_fast_state;
+struct krb5_gss_init_ctx_data;
/* v4 glue */
struct _krb5_krb_auth_data;
+struct krb5_gss_init_ctx_data;
+typedef struct krb5_gss_init_ctx_data *krb5_gss_init_ctx;
+
+struct gss_ctx_id_t_desc_struct;
+struct gss_cred_id_t_desc_struct;
+struct gss_OID_desc_struct;
+
#include <der.h>
#include <krb5.h>
#include <krb5_err.h>
+#include <k5e1_err.h>
#include <asn1_err.h>
#ifdef PKINIT
#include <hx509.h>
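Review bot: `struct krb5_gss_init_ctx_data;` is forward-declared twice in this hunk, once directly after the new `struct krb5_fast_state;` and again after the `/* v4 glue */` line, immediately before its typedef. Repeating an incomplete-type declaration is legal C, but it reads as a merge leftover and invites a third copy next time the list grows. Keep the second one next to `typedef struct krb5_gss_init_ctx_data *krb5_gss_init_ctx;` and drop the first.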
@@ -149,17 +162,47 @@ struct _krb5_krb_auth_data;
#include "crypto.h"
+typedef krb5_error_code (KRB5_LIB_CALL *krb5_gssic_step)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ const krb5_creds *,
+ struct gss_ctx_id_t_desc_struct **,
+ KDCOptions options,
+ krb5_data *,
+ krb5_data *,
+ krb5_data *);
+
+typedef krb5_error_code (KRB5_LIB_CALL *krb5_gssic_finish)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ const krb5_creds *,
+ struct gss_ctx_id_t_desc_struct *,
+ krb5int32,
+ krb5_enctype,
+ krb5_principal *,
+ krb5_keyblock **);
+
+typedef void (KRB5_LIB_CALL *krb5_gssic_release_cred)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ struct gss_cred_id_t_desc_struct *);
+
+typedef void (KRB5_LIB_CALL *krb5_gssic_delete_sec_context)(
+ krb5_context,
+ krb5_gss_init_ctx,
+ struct gss_ctx_id_t_desc_struct *);
+
+#define KRB5_GSS_IC_FLAG_RELEASE_CRED 1
+
#include <krb5-private.h>
#include "heim_threads.h"
+extern const char _krb5_wellknown_lkdc[];
+
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
-#ifndef __func__
-#define __func__ "unknown-function"
-#endif
-
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
#ifndef PATH_SEP
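Review bot: The four `krb5_gssic_*` callback typedefs name only a single parameter (`KDCOptions options` in `krb5_gssic_step`) and leave every other one anonymous, including three consecutive `krb5_data *` in `krb5_gssic_step` and a bare `krb5int32` in `krb5_gssic_finish` whose roles cannot be told apart from the signature alone. Either name all parameters or none, and add a short comment above each typedef stating what the callback is expected to do and which of its arguments are inputs and which are filled in by the callee; the three `krb5_data *` of the step callback are the ones a plugin author most needs spelled out. `KRB5_GSS_IC_FLAG_RELEASE_CRED` likewise lacks a comment saying which flags word it is tested against.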
@@ -170,6 +213,9 @@ struct _krb5_krb_auth_data;
#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
+#ifndef CLIENT_KEYTAB_DEFAULT
+#define CLIENT_KEYTAB_DEFAULT "FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab";
+#endif
#define MODULI_FILE SYSCONFDIR "/krb5.moduli"
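Review bot: `CLIENT_KEYTAB_DEFAULT` is defined with a trailing semicolon, so the macro expands to `"FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab";` and only compiles where a stray `;` is tolerated, i.e. a bare assignment statement; any use as a function argument, in string-literal concatenation or in an initializer will fail to compile. Because the definition is an `#ifndef` override point, a packager supplying their own value without the semicolon also gets a differently shaped macro than the default. Drop it: `#define CLIENT_KEYTAB_DEFAULT "FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab"`, matching the neighbouring `KEYTAB_DEFAULT` and `KEYTAB_DEFAULT_MODIFY`, which carry none.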
@@ -205,10 +251,11 @@ struct _krb5_get_init_creds_opt_private {
krb5_pk_init_ctx pk_init_ctx;
krb5_get_init_creds_tristate addressless;
int flags;
-#define KRB5_INIT_CREDS_CANONICALIZE 1
-#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2
-#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4
-#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
+#define KRB5_INIT_CREDS_DONE 1
+#define KRB5_INIT_CREDS_CANONICALIZE 2
+#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 4
+#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 8
+#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64
struct {
krb5_gic_process_last_req func;
@@ -218,7 +265,18 @@ struct _krb5_get_init_creds_opt_private {
typedef uint32_t krb5_enctype_set;
+/*
+ * Do not remove or reorder the fields of this structure.
+ * Fields that are no longer used should be marked "deprecated".
+ * New fields should always be appended to the end of the
+ * structure.
+ *
+ * Although this structure is internal it is shared with
+ * plugins and such changes will result in data corruption
+ * if plugins are not built with a matching version.
+ */
typedef struct krb5_context_data {
+ heim_context hcontext;
krb5_enctype *etypes;
krb5_enctype *cfg_etypes;
krb5_enctype *etypes_des;/* deprecated */
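Review bot: The new header comment on `krb5_context_data` forbids removing or reordering fields because plugins share the layout, yet this very section prepends `hcontext` ahead of `etypes` (this hunk), inserts `configured_default_cc_name` mid-struct, and removes `et_list`, `warn_dest`, `debug_dest`, `error_string` and the `mutex` (the two following hunks), so a plugin built against the previous layout would read every later member at the wrong offset. Presumably this is accepted because the import is a wholesale version jump that requires rebuilding plugins anyway; if so, the comment should say from which layout the rule is binding rather than reading as if it had always held, e.g. add `* This layout is not compatible with earlier releases; plugins built against them must be rebuilt.` to the block. Confirm as well that whatever plugin interface version the loader checks was bumped alongside this change, since the comment's own reasoning says silent mismatch means data corruption.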
@@ -233,9 +291,6 @@ typedef struct krb5_context_data {
int32_t kdc_sec_offset;
int32_t kdc_usec_offset;
krb5_config_section *cf;
- struct et_list *et_list;
- struct krb5_log_facility *warn_dest;
- struct krb5_log_facility *debug_dest;
const krb5_cc_ops **cc_ops;
int num_cc_ops;
const char *http_proxy;
@@ -253,13 +308,12 @@ typedef struct krb5_context_data {
int num_kt_types; /* # of registered keytab types */
struct krb5_keytab_data *kt_types; /* registered keytab types */
const char *date_fmt;
- char *error_string;
krb5_error_code error_code;
krb5_addresses *ignore_addresses;
char *default_cc_name;
char *default_cc_name_env;
+ char *configured_default_cc_name;
int default_cc_name_set;
- HEIMDAL_MUTEX mutex; /* protects error_string */
int large_msg_size;
int max_msg_size;
int tgs_negative_timeout; /* timeout for TGS negative cache */
@@ -270,21 +324,20 @@ typedef struct krb5_context_data {
#define KRB5_CTX_F_SOCKETS_INITIALIZED 8
#define KRB5_CTX_F_RD_REQ_IGNORE 16
#define KRB5_CTX_F_FCACHE_STRICT_CHECKING 32
+#define KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE 64
+#define KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME 128
struct send_to_kdc *send_to_kdc;
#ifdef PKINIT
hx509_context hx509ctx;
#endif
unsigned int num_kdc_requests;
krb5_name_canon_rule name_canon_rules;
+ size_t config_include_depth;
+ krb5_boolean no_ticket_store; /* Don't store service tickets */
} krb5_context_data;
-#ifndef KRB5_USE_PATH_TOKENS
-#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}"
-#define KRB5_DEFAULT_CCNAME_DIR "DIR:/tmp/krb5cc_%{uid}_dir/"
-#else
#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
#define KRB5_DEFAULT_CCNAME_DIR "DIR:%{TEMP}/krb5cc_%{uid}_dir/"
-#endif
#define KRB5_DEFAULT_CCNAME_API "API:"
#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"
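Review bot: `KRB5_DEFAULT_CCNAME_FILE` and `KRB5_DEFAULT_CCNAME_DIR` now depend unconditionally on the `%{TEMP}` token, where the removed non-`KRB5_USE_PATH_TOKENS` branch hard-coded `/tmp`; how that token is resolved is not visible in this header. If the expander derives it from the process environment, the default credential-cache location of a set-uid consumer becomes caller-influenced, so confirm that the token falls back to a fixed directory and ignores the environment when the process is set-uid, and record the contract here, e.g. `/* %{TEMP} must resolve to a fixed directory for set-uid processes */` above the two defines. The enclosing `#define` run continues past the hunk.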
@@ -343,6 +396,7 @@ struct krb5_pk_identity {
hx509_revoke_ctx revokectx;
int flags;
#define PKINIT_BTMM 1
+#define PKINIT_NO_KDC_ANCHOR 2
};
enum krb5_pk_type {
@@ -369,10 +423,50 @@ struct krb5_pk_init_ctx_data {
unsigned int require_hostname_match:1;
unsigned int trustedCertifiers:1;
unsigned int anonymous:1;
+ unsigned int kdc_verified:1;
};
#endif /* PKINIT */
+struct krb5_fast_state {
+ enum PA_FX_FAST_REQUEST_enum type;
+ unsigned int flags;
+#define KRB5_FAST_REPLY_KEY_USE_TO_ENCRYPT_THE_REPLY 0x0001
+#define KRB5_FAST_REPLY_KEY_USE_IN_TRANSACTION 0x0002
+#define KRB5_FAST_KDC_REPLY_KEY_REPLACED 0x0004
+#define KRB5_FAST_REPLY_REPLY_VERIFIED 0x0008
+#define KRB5_FAST_STRONG 0x0010
+#define KRB5_FAST_EXPECTED 0x0020 /* in exchange with KDC, fast was discovered */
+#define KRB5_FAST_REQUIRED 0x0040 /* fast required by action of caller */
+#define KRB5_FAST_DISABLED 0x0080
+
+#define KRB5_FAST_AP_ARMOR_SERVICE 0x0100
+#define KRB5_FAST_OPTIMISTIC 0x0200 /* Optimistic try, like Anon + PKINIT or service fast bit */
+#define KRB5_FAST_REQUIRE_ENC_PA 0x0400
+
+#define KRB5_FAST_AS_REQ 0x1000
+#define KRB5_FAST_ANON_PKINIT_ARMOR 0x2000
+#define KRB5_FAST_KDC_VERIFIED 0x4000
+
+ krb5_keyblock *reply_key;
+ krb5_ccache armor_ccache;
+ krb5_auth_context armor_ac;
+ KrbFastArmor *armor_data;
+ krb5_principal armor_service;
+ krb5_crypto armor_crypto;
+ krb5_keyblock armor_key;
+ krb5_keyblock *strengthen_key;
+
+ /* KRB5_FAST_ANON_PKINIT_ARMOR */
+ krb5_get_init_creds_opt *anon_pkinit_opt;
+ krb5_init_creds_context anon_pkinit_ctx;
+};
+
+struct krb5_decrypt_tkt_with_subkey_state {
+ krb5_keyblock *subkey;
+ struct krb5_fast_state *fast_state;
+};
+
#define ISTILDE(x) (x == '~')
#ifdef _WIN32
# define ISPATHSEP(x) (x == '/' || x =='\\')
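Review bot: `struct krb5_fast_state` mixes a by-value `armor_key` with the pointer members `reply_key`, `strengthen_key`, `armor_ccache`, `armor_ac`, `armor_data`, `armor_service`, `armor_crypto`, `anon_pkinit_opt` and `anon_pkinit_ctx`, and nothing says which of them the state owns and releases versus borrows from the caller; freeing the wrong one yields a double free or leaks key material. Add a one-line ownership comment per pointer member, or a block comment above the struct, e.g. `krb5_keyblock *reply_key; /* owned; released with the FAST state */`, once checked against the teardown code. The flag macros `KRB5_FAST_STRONG`, `KRB5_FAST_DISABLED`, `KRB5_FAST_REQUIRE_ENC_PA`, `KRB5_FAST_AS_REQ` and `KRB5_FAST_KDC_VERIFIED` would also benefit from the trailing comments their siblings `KRB5_FAST_EXPECTED`, `KRB5_FAST_REQUIRED` and `KRB5_FAST_OPTIMISTIC` already have.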
@@ -380,4 +474,11 @@ struct krb5_pk_init_ctx_data {
# define ISPATHSEP(x) (x == '/')
#endif
+/* Flag in KRB5_AUTHDATA_AP_OPTIONS */
+#define KERB_AP_OPTIONS_CBT 0x00004000
+
+/* Flag in PAC_ATTRIBUTES_INFO */
+#define KRB5_PAC_WAS_REQUESTED 0x1
+#define KRB5_PAC_WAS_GIVEN_IMPLICITLY 0x2
+
#endif /* __KRB5_LOCL_H__ */
diff --git a/lib/krb5/krb5_mk_req.cat3 b/lib/krb5/krb5_mk_req.cat3
deleted file mode 100644
index 266f1a052e9a..000000000000
--- a/lib/krb5/krb5_mk_req.cat3
+++ /dev/null
@@ -1,88 +0,0 @@
-KRB5_MK_REQ(3) BSD Library Functions Manual KRB5_MK_REQ(3)
-
-NAME
- krb5_mk_req, krb5_mk_req_exact, krb5_mk_req_extended, krb5_rd_req,
- krb5_rd_req_with_keyblock, krb5_mk_rep, krb5_mk_rep_exact,
- krb5_mk_rep_extended, krb5_rd_rep, krb5_build_ap_req, krb5_verify_ap_req
- -- create and read application authentication request
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_flags ap_req_options, const char *service,
- const char *hostname, krb5_data *in_data, krb5_ccache ccache,
- krb5_data *outbuf);
-
- krb5_error_code
- krb5_mk_req_extended(krb5_context context,
- krb5_auth_context *auth_context, const krb5_flags ap_req_options,
- krb5_data *in_data, krb5_creds *in_creds, krb5_data *outbuf);
-
- krb5_error_code
- krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket);
-
- krb5_error_code
- krb5_build_ap_req(krb5_context context, krb5_enctype enctype,
- krb5_creds *cred, krb5_flags ap_options, krb5_data authenticator,
- krb5_data *retdata);
-
- krb5_error_code
- krb5_verify_ap_req(krb5_context context, krb5_auth_context *auth_context,
- krb5_ap_req *ap_req, krb5_const_principal server,
- krb5_keyblock *keyblock, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket);
-
-DESCRIPTION
- The functions documented in this manual page document the functions that
- facilitates the exchange between a Kerberos client and server. They are
- the core functions used in the authentication exchange between the client
- and the server.
-
- The krb5_mk_req and krb5_mk_req_extended creates the Kerberos message
- KRB_AP_REQ that is sent from the client to the server as the first packet
- in a client/server exchange. The result that should be sent to server is
- stored in outbuf.
-
- auth_context should be allocated with krb5_auth_con_init() or NULL passed
- in, in that case, it will be allocated and freed internally.
-
- The input data in_data will have a checksum calculated over it and check-
- sum will be transported in the message to the server.
-
- ap_req_options can be set to one or more of the following flags:
-
- AP_OPTS_USE_SESSION_KEY
- Use the session key when creating the request, used for user to
- user authentication.
-
- AP_OPTS_MUTUAL_REQUIRED
- Mark the request as mutual authenticate required so that the re-
- ceiver returns a mutual authentication packet.
-
- The krb5_rd_req read the AP_REQ in inbuf and verify and extract the con-
- tent. If server is specified, that server will be fetched from the
- keytab and used unconditionally. If server is NULL, the keytab will be
- search for a matching principal.
-
- The keytab argument specifies what keytab to search for receiving princi-
- pals. The arguments ap_req_options and ticket returns the content.
-
- When the AS-REQ is a user to user request, neither of keytab or principal
- are used, instead krb5_rd_req() expects the session key to be set in
- auth_context.
-
- The krb5_verify_ap_req and krb5_build_ap_req both constructs and verify
- the AP_REQ message, should not be used by external code.
-
-SEE ALSO
- krb5(3), krb5.conf(5)
-
-HEIMDAL August 27, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_mk_safe.cat3 b/lib/krb5/krb5_mk_safe.cat3
deleted file mode 100644
index a517fefd8412..000000000000
--- a/lib/krb5/krb5_mk_safe.cat3
+++ /dev/null
@@ -1,35 +0,0 @@
-KRB5_MK_SAFE(3) BSD Library Functions Manual KRB5_MK_SAFE(3)
-
-NAME
- krb5_mk_safe, krb5_mk_priv -- generates integrity protected and/or en-
- crypted messages
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
- krb5_error_code
- krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
-DESCRIPTION
- krb5_mk_safe() and krb5_mk_priv() formats KRB-SAFE (integrity protected)
- and KRB-PRIV (also encrypted) messages into outbuf. The actual message
- data is taken from userdata. If the KRB5_AUTH_CONTEXT_DO_SEQUENCE or
- KRB5_AUTH_CONTEXT_DO_TIME flags are set in the auth_context, sequence
- numbers and time stamps are generated. If the
- KRB5_AUTH_CONTEXT_RET_SEQUENCE or KRB5_AUTH_CONTEXT_RET_TIME flags are
- set they are also returned in the outdata parameter.
-
-SEE ALSO
- krb5_auth_con_init(3), krb5_rd_priv(3), krb5_rd_safe(3)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_openlog.3 b/lib/krb5/krb5_openlog.3
index 28e9a1f4bc88..09de9d0c7ebf 100644
--- a/lib/krb5/krb5_openlog.3
+++ b/lib/krb5/krb5_openlog.3
@@ -161,13 +161,24 @@ follows:
.Bl -tag -width "xxx" -offset indent
.It Li STDERR
This logs to the program's stderr.
+.It Li EFILE: Ns Pa /file
+Log to the specified file if it exists, otherwise do nothing.
+All writes will be appended to the end of the file and the file
+will be re-opened for each new write.
+Non-existence of the file is cached for 1 second which reduces
+the potential performance impact significantly.
+This is useful for defining a trace file which can be enabled
+without restarting a server.
.It Li FILE: Ns Pa /file
+Log to the specified file.
+All writes will be appended to the end of the file and the file
+will be re-opened for each new write.
.It Li FILE= Ns Pa /file
-Log to the specified file. The form using a colon appends to the file, the
-form with an equal truncates the file. The truncating form keeps the file
-open, while the appending form closes it after each log message (which
-makes it possible to rotate logs). The truncating form is mainly for
-compatibility with the MIT libkrb5.
+On the first write, this form will
+.Xr truncate 2
+the file and then append all subsequent messages whilst keeping the
+file descriptor open.
+This form is mainly for compatibility with MIT libkrb5.
.It Li DEVICE= Ns Pa /device
This logs to the specified device, at present this is the same as
.Li FILE:/device .
@@ -203,9 +214,44 @@ parameter to
.Fn krb5_log
is within this range (inclusive) the message gets logged to this
destination, otherwise not. Either of the min and max valued may be
-omitted, in this case min is assumed to be zero, and max is assumed to be
-infinity. If you don't include a dash, both min and max gets set to the
-specified value. If no range is specified, all messages gets logged.
+omitted, in this case min is assumed to be 0, and max is assumed to
+be 3.
+If you don't include a dash, both min and max get set to the
+specified value.
+.Pp
+The paths specified are subject to token expansion.
+For the purposes of logging, the most interesting token
+expansion is
+.ar %{strftime:<string>}
+which calls
+.Xr strftime 3
+on
+.Ar <string>
+with the localised current time of day.
+.Ss Levels
+Each log message has a level as follows:
+.Bl -tag -width "xxx" -offset indent
+.It 0
+Critical conditions.
+This is a condition that should be corrected immediately, such as a
+corrupted Kerberos database.
+.It 1
+Errors.
+These are errors that occur in the normal processing of requests.
+.It 2
+Warning messages.
+On the KDC, this includes malformed requests and requests that
+are out of policy.
+.It 3
+Informational messages.
+.It 4-6
+Debugging messages with increasing obscurity as the level rises.
+.It 7
+Tracing messages.
+These messages may be high volume and are likely to impact
+performance significantly.
+Notably, tracing messages may be emitted whilst locks are held.
+.El
.Sh EXAMPLES
.Bd -literal -offset indent
[logging]
@@ -222,7 +268,24 @@ other messages will be logged to syslog with priority
.Li LOG_INFO ,
and facility
.Li LOG_USER .
-All other programs will log all messages to their stderr.
+.Bd -literal -offset indent
+[logging]
+ kdc = FILE:/var/log/kdc-%{strftime:%Y%m%d%H}
+ kdc = 4-/EFILE:/tmp/kdc-trace
+.Ed
+.Pp
+This will log all messages from the
+.Nm kdc
+program with level 0 to 3 (inclusively) to a file whose
+name is generated using
+.Xr strftime 3 .
+As the file is
+.Xr open 2 ed
+each time a log message is written, this can be used to write
+automatically rotating log files.
+All of the KDC debugging messages will be written into
+.Pa /tmp/kdc-trace
+but only if it exists.
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr krb5.conf 5
diff --git a/lib/krb5/krb5_openlog.cat3 b/lib/krb5/krb5_openlog.cat3
deleted file mode 100644
index e976a1174fa5..000000000000
--- a/lib/krb5/krb5_openlog.cat3
+++ /dev/null
@@ -1,158 +0,0 @@
-KRB5_OPENLOG(3) BSD Library Functions Manual KRB5_OPENLOG(3)
-
-NAME
- krb5_initlog, krb5_openlog, krb5_closelog, krb5_addlog_dest,
- krb5_addlog_func, krb5_log, krb5_vlog, krb5_log_msg, krb5_vlog_msg --
- Heimdal logging functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- typedef void
- (*krb5_log_log_func_t)(const char *time, const char *message,
- void *data);
-
- typedef void
- (*krb5_log_close_func_t)(void *data);
-
- krb5_error_code
- krb5_addlog_dest(krb5_context context, krb5_log_facility *facility,
- const char *destination);
-
- krb5_error_code
- krb5_addlog_func(krb5_context context, krb5_log_facility *facility,
- int min, int max, krb5_log_log_func_t log,
- krb5_log_close_func_t close, void *data);
-
- krb5_error_code
- krb5_closelog(krb5_context context, krb5_log_facility *facility);
-
- krb5_error_code
- krb5_initlog(krb5_context context, const char *program,
- krb5_log_facility **facility);
-
- krb5_error_code
- krb5_log(krb5_context context, krb5_log_facility *facility, int level,
- const char *format, ...);
-
- krb5_error_code
- krb5_log_msg(krb5_context context, krb5_log_facility *facility,
- char **reply, int level, const char *format, ...);
-
- krb5_error_code
- krb5_openlog(krb5_context context, const char *program,
- krb5_log_facility **facility);
-
- krb5_error_code
- krb5_vlog(krb5_context context, krb5_log_facility *facility, int level,
- const char *format, va_list arglist);
-
- krb5_error_code
- krb5_vlog_msg(krb5_context context, krb5_log_facility *facility,
- char **reply, int level, const char *format, va_list arglist);
-
-DESCRIPTION
- These functions logs messages to one or more destinations.
-
- The krb5_openlog() function creates a logging facility, that is used to
- log messages. A facility consists of one or more destinations (which can
- be files or syslog or some other device). The program parameter should be
- the generic name of the program that is doing the logging. This name is
- used to lookup which destinations to use. This information is contained
- in the logging section of the krb5.conf configuration file. If no entry
- is found for program, the entry for default is used, or if that is miss-
- ing too, SYSLOG will be used as destination.
-
- To close a logging facility, use the krb5_closelog() function.
-
- To log a message to a facility use one of the functions krb5_log(),
- krb5_log_msg(), krb5_vlog(), or krb5_vlog_msg(). The functions ending in
- _msg return in reply a pointer to the message that just got logged. This
- string is allocated, and should be freed with free(). The format is a
- standard printf() style format string (but see the BUGS section).
-
- If you want better control of where things gets logged, you can instead
- of using krb5_openlog() call krb5_initlog(), which just initializes a fa-
- cility, but doesn't define any actual logging destinations. You can then
- add destinations with the krb5_addlog_dest() and krb5_addlog_func() func-
- tions. The first of these takes a string specifying a logging destina-
- tion, and adds this to the facility. If you want to do some non-standard
- logging you can use the krb5_addlog_func() function, which takes a func-
- tion to use when logging. The log function is called for each message
- with time being a string specifying the current time, and message the
- message to log. close is called when the facility is closed. You can
- pass application specific data in the data parameter. The min and max pa-
- rameter are the same as in a destination (defined below). To specify a
- max of infinity, pass -1.
-
- krb5_openlog() calls krb5_initlog() and then calls krb5_addlog_dest() for
- each destination found.
-
- Destinations
- The defined destinations (as specified in krb5.conf) follows:
-
- STDERR
- This logs to the program's stderr.
-
- FILE:/file
-
- FILE=/file
- Log to the specified file. The form using a colon appends to
- the file, the form with an equal truncates the file. The trun-
- cating form keeps the file open, while the appending form
- closes it after each log message (which makes it possible to
- rotate logs). The truncating form is mainly for compatibility
- with the MIT libkrb5.
-
- DEVICE=/device
- This logs to the specified device, at present this is the same
- as FILE:/device.
-
- CONSOLE
- Log to the console, this is the same as DEVICE=/dev/console.
-
- SYSLOG[:priority[:facility]]
- Send messages to the syslog system, using priority, and facil-
- ity. To get the name for one of these, you take the name of
- the macro passed to syslog(3), and remove the leading LOG_
- (LOG_NOTICE becomes NOTICE). The default values (as well as
- the values used for unrecognised values), are ERR, and AUTH,
- respectively. See syslog(3) for a list of priorities and fa-
- cilities.
-
- Each destination may optionally be prepended with a range of logging lev-
- els, specified as min-max/. If the level parameter to krb5_log() is
- within this range (inclusive) the message gets logged to this destina-
- tion, otherwise not. Either of the min and max valued may be omitted, in
- this case min is assumed to be zero, and max is assumed to be infinity.
- If you don't include a dash, both min and max gets set to the specified
- value. If no range is specified, all messages gets logged.
-
-EXAMPLES
- [logging]
- kdc = 0/FILE:/var/log/kdc.log
- kdc = 1-/SYSLOG:INFO:USER
- default = STDERR
-
- This will log all messages from the kdc program with level 0 to
- /var/log/kdc.log, other messages will be logged to syslog with priority
- LOG_INFO, and facility LOG_USER. All other programs will log all mes-
- sages to their stderr.
-
-SEE ALSO
- syslog(3), krb5.conf(5)
-
-BUGS
- These functions use asprintf() to format the message. If your operating
- system does not have a working asprintf(), a replacement will be used. At
- present this replacement does not handle some correct conversion specifi-
- cations (like floating point numbers). Until this is fixed, the use of
- these conversions should be avoided.
-
- If logging is done to the syslog facility, these functions might not be
- thread-safe, depending on the implementation of openlog(), and syslog().
-
-HEIMDAL August 6, 1997 HEIMDAL
diff --git a/lib/krb5/krb5_parse_name.cat3 b/lib/krb5/krb5_parse_name.cat3
deleted file mode 100644
index 5799ef31bfee..000000000000
--- a/lib/krb5/krb5_parse_name.cat3
+++ /dev/null
@@ -1,30 +0,0 @@
-KRB5_PARSE_NAME(3) BSD Library Functions Manual KRB5_PARSE_NAME(3)
-
-NAME
- krb5_parse_name -- string to principal conversion
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_parse_name(krb5_context context, const char *name,
- krb5_principal *principal);
-
-DESCRIPTION
- krb5_parse_name() converts a string representation of a principal name to
- krb5_principal. The principal will point to allocated data that should
- be freed with krb5_free_principal().
-
- The string should consist of one or more name components separated with
- slashes ("/"), optionally followed with an "@" and a realm name. A slash
- or @ may be contained in a name component by quoting it with a backslash
- ("\"). A realm should not contain slashes or colons.
-
-SEE ALSO
- krb5_build_principal(3), krb5_free_principal(3),
- krb5_sname_to_principal(3), krb5_unparse_name(3)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_principal.cat3 b/lib/krb5/krb5_principal.cat3
deleted file mode 100644
index 5488ad9dfb83..000000000000
--- a/lib/krb5/krb5_principal.cat3
+++ /dev/null
@@ -1,259 +0,0 @@
-KRB5_PRINCIPAL(3) BSD Library Functions Manual KRB5_PRINCIPAL(3)
-
-NAME
- krb5_get_default_principal, krb5_principal, krb5_build_principal,
- krb5_build_principal_ext, krb5_build_principal_va,
- krb5_build_principal_va_ext, krb5_copy_principal, krb5_free_principal,
- krb5_make_principal, krb5_parse_name, krb5_parse_name_flags,
- krb5_parse_nametype, krb5_princ_set_realm, krb5_principal_compare,
- krb5_principal_compare_any_realm, krb5_principal_get_comp_string,
- krb5_principal_get_realm, krb5_principal_get_type, krb5_principal_match,
- krb5_principal_set_type, krb5_realm_compare, krb5_sname_to_principal,
- krb5_sock_to_principal, krb5_unparse_name, krb5_unparse_name_flags,
- krb5_unparse_name_fixed, krb5_unparse_name_fixed_flags,
- krb5_unparse_name_fixed_short, krb5_unparse_name_short -- Kerberos 5
- principal handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_principal;
-
- void
- krb5_free_principal(krb5_context context, krb5_principal principal);
-
- krb5_error_code
- krb5_parse_name(krb5_context context, const char *name,
- krb5_principal *principal);
-
- krb5_error_code
- krb5_parse_name_flags(krb5_context context, const char *name, int flags,
- krb5_principal *principal);
-
- krb5_error_code
- krb5_unparse_name(krb5_context context, krb5_const_principal principal,
- char **name);
-
- krb5_error_code
- krb5_unparse_name_flags(krb5_context context,
- krb5_const_principal principal, int flags, char **name);
-
- krb5_error_code
- krb5_unparse_name_fixed(krb5_context context,
- krb5_const_principal principal, char *name, size_t len);
-
- krb5_error_code
- krb5_unparse_name_fixed_flags(krb5_context context,
- krb5_const_principal principal, int flags, char *name, size_t len);
-
- krb5_error_code
- krb5_unparse_name_short(krb5_context context,
- krb5_const_principal principal, char **name);
-
- krb5_error_code
- krb5_unparse_name_fixed_short(krb5_context context,
- krb5_const_principal principal, char *name, size_t len);
-
- void
- krb5_princ_set_realm(krb5_context context, krb5_principal principal,
- krb5_realm *realm);
-
- krb5_error_code
- krb5_build_principal(krb5_context context, krb5_principal *principal,
- int rlen, krb5_const_realm realm, ...);
-
- krb5_error_code
- krb5_build_principal_va(krb5_context context, krb5_principal *principal,
- int rlen, krb5_const_realm realm, va_list ap);
-
- krb5_error_code
- krb5_build_principal_ext(krb5_context context, krb5_principal *principal,
- int rlen, krb5_const_realm realm, ...);
-
- krb5_error_code
- krb5_build_principal_va_ext(krb5_context context,
- krb5_principal *principal, int rlen, krb5_const_realm realm,
- va_list ap);
-
- krb5_error_code
- krb5_make_principal(krb5_context context, krb5_principal *principal,
- krb5_const_realm realm, ...);
-
- krb5_error_code
- krb5_copy_principal(krb5_context context, krb5_const_principal inprinc,
- krb5_principal *outprinc);
-
- krb5_boolean
- krb5_principal_compare(krb5_context context, krb5_const_principal princ1,
- krb5_const_principal princ2);
-
- krb5_boolean
- krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1, krb5_const_principal princ2);
-
- const char *
- krb5_principal_get_comp_string(krb5_context context,
- krb5_const_principal principal, unsigned int component);
-
- const char *
- krb5_principal_get_realm(krb5_context context,
- krb5_const_principal principal);
-
- int
- krb5_principal_get_type(krb5_context context,
- krb5_const_principal principal);
-
- krb5_boolean
- krb5_principal_match(krb5_context context,
- krb5_const_principal principal, krb5_const_principal pattern);
-
- void
- krb5_principal_set_type(krb5_context context, krb5_principal principal,
- int type);
-
- krb5_boolean
- krb5_realm_compare(krb5_context context, krb5_const_principal princ1,
- krb5_const_principal princ2);
-
- krb5_error_code
- krb5_sname_to_principal(krb5_context context, const char *hostname,
- const char *sname, int32_t type, krb5_principal *ret_princ);
-
- krb5_error_code
- krb5_sock_to_principal(krb5_context context, int socket,
- const char *sname, int32_t type, krb5_principal *principal);
-
- krb5_error_code
- krb5_get_default_principal(krb5_context context, krb5_principal *princ);
-
- krb5_error_code
- krb5_parse_nametype(krb5_context context, const char *str,
- int32_t *type);
-
-DESCRIPTION
- krb5_principal holds the name of a user or service in Kerberos.
-
- A principal has two parts, a PrincipalName and a realm. The Principal-
- Name consists of one or more components. In printed form, the components
- are separated by /. The PrincipalName also has a name-type.
-
- Examples of a principal are nisse/root@EXAMPLE.COM and
- host/datan.kth.se@KTH.SE. krb5_parse_name() and krb5_parse_name_flags()
- passes a principal name in name to the kerberos principal structure.
- krb5_parse_name_flags() takes an extra flags argument the following flags
- can be passed in
-
- KRB5_PRINCIPAL_PARSE_NO_REALM
- requires the input string to be without a realm, and no realm is
- stored in the principal return argument.
-
- KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
- requires the input string to with a realm.
-
- krb5_unparse_name() and krb5_unparse_name_flags() prints the principal
- princ to the string name. name should be freed with free(3). To the
- flags argument the following flags can be passed in
-
- KRB5_PRINCIPAL_UNPARSE_SHORT
- no realm if the realm is one of the local realms.
-
- KRB5_PRINCIPAL_UNPARSE_NO_REALM
- never include any realm in the principal name.
-
- KRB5_PRINCIPAL_UNPARSE_DISPLAY
- don't quote
- On failure name is set to NULL. krb5_unparse_name_fixed() and
- krb5_unparse_name_fixed_flags() behaves just like krb5_unparse(), but in-
- stead unparses the principal into a fixed size buffer.
-
- krb5_unparse_name_short() just returns the principal without the realm if
- the principal is in the default realm. If the principal isn't, the full
- name is returned. krb5_unparse_name_fixed_short() works just like
- krb5_unparse_name_short() but on a fixed size buffer.
-
- krb5_build_principal() builds a principal from the realm realm that has
- the length rlen. The following arguments form the components of the
- principal. The list of components is terminated with NULL.
-
- krb5_build_principal_va() works like krb5_build_principal() using vargs.
-
- krb5_build_principal_ext() and krb5_build_principal_va_ext() take a list
- of length-value pairs, the list is terminated with a zero length.
-
- krb5_make_principal() works the same way as krb5_build_principal(), ex-
- cept it figures out the length of the realm itself.
-
- krb5_copy_principal() makes a copy of a principal. The copy needs to be
- freed with krb5_free_principal().
-
- krb5_principal_compare() compares the two principals, including realm of
- the principals and returns TRUE if they are the same and FALSE if not.
-
- krb5_principal_compare_any_realm() works the same way as
- krb5_principal_compare() but doesn't compare the realm component of the
- principal.
-
- krb5_realm_compare() compares the realms of the two principals and re-
- turns TRUE is they are the same, and FALSE if not.
-
- krb5_principal_match() matches a principal against a pattern. The pat-
- tern is a globbing expression, where each component (separated by /) is
- matched against the corresponding component of the principal.
-
- The krb5_principal_get_realm() and krb5_principal_get_comp_string() func-
- tions return parts of the principal, either the realm or a specific com-
- ponent. Both functions return string pointers to data inside the princi-
- pal, so they are valid only as long as the principal exists.
-
- The component argument to krb5_principal_get_comp_string() is the index
- of the component to return, from zero to the total number of components
- minus one. If the index is out of range NULL is returned.
-
- krb5_principal_get_realm() and krb5_principal_get_comp_string() are re-
- placements for krb5_princ_component() and related macros, described as
- internal in the MIT API specification. Unlike the macros, these func-
- tions return strings, not krb5_data. A reason to return krb5_data was
- that it was believed that principal components could contain binary data,
- but this belief was unfounded, and it has been decided that principal
- components are infact UTF8, so it's safe to use zero terminated strings.
-
- It's generally not necessary to look at the components of a principal.
-
- krb5_principal_get_type() and krb5_principal_set_type() get and sets the
- name type for a principal. Name type handling is tricky and not often
- needed, don't use this unless you know what you do.
-
- krb5_sname_to_principal() and krb5_sock_to_principal() are for easy cre-
- ation of "service" principals that can, for instance, be used to lookup a
- key in a keytab. For both functions the sname parameter will be used for
- the first component of the created principal. If sname is NULL, "host"
- will be used instead.
-
- krb5_sname_to_principal() will use the passed hostname for the second
- component. If type is KRB5_NT_SRV_HST this name will be looked up with
- gethostbyname(). If hostname is NULL, the local hostname will be used.
-
- krb5_sock_to_principal() will use the "sockname" of the passed socket,
- which should be a bound AF_INET or AF_INET6 socket. There must be a map-
- ping between the address and "sockname". The function may try to resolve
- the name in DNS.
-
- krb5_get_default_principal() tries to find out what's a reasonable de-
- fault principal by looking at the environment it is running in.
-
- krb5_parse_nametype() parses and returns the name type integer value in
- type. On failure the function returns an error code and set the error
- string.
-
-SEE ALSO
- krb5_config(3), krb5.conf(5)
-
-BUGS
- You can not have a NUL in a component in some of the variable argument
- functions above. Until someone can give a good example of where it would
- be a good idea to have NUL's in a component, this will not be fixed.
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_rcache.cat3 b/lib/krb5/krb5_rcache.cat3
deleted file mode 100644
index e16ad25e6b45..000000000000
--- a/lib/krb5/krb5_rcache.cat3
+++ /dev/null
@@ -1,83 +0,0 @@
-KRB5_RCACHE(3) BSD Library Functions Manual KRB5_RCACHE(3)
-
-NAME
- krb5_rcache, krb5_rc_close, krb5_rc_default, krb5_rc_default_name,
- krb5_rc_default_type, krb5_rc_destroy, krb5_rc_expunge,
- krb5_rc_get_lifespan, krb5_rc_get_name, krb5_rc_get_type,
- krb5_rc_initialize, krb5_rc_recover, krb5_rc_resolve,
- krb5_rc_resolve_full, krb5_rc_resolve_type, krb5_rc_store,
- krb5_get_server_rcache -- Kerberos 5 replay cache
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- struct krb5_rcache;
-
- krb5_error_code
- krb5_rc_close(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_default(krb5_context context, krb5_rcache *id);
-
- const char *
- krb5_rc_default_name(krb5_context context);
-
- const char *
- krb5_rc_default_type(krb5_context context);
-
- krb5_error_code
- krb5_rc_destroy(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_expunge(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_get_lifespan(krb5_context context, krb5_rcache id,
- krb5_deltat *auth_lifespan);
-
- const char*
- krb5_rc_get_name(krb5_context context, krb5_rcache id);
-
- const char*
- krb5_rc_get_type(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_initialize(krb5_context context, krb5_rcache id,
- krb5_deltat auth_lifespan);
-
- krb5_error_code
- krb5_rc_recover(krb5_context context, krb5_rcache id);
-
- krb5_error_code
- krb5_rc_resolve(krb5_context context, krb5_rcache id, const char *name);
-
- krb5_error_code
- krb5_rc_resolve_full(krb5_context context, krb5_rcache *id,
- const char *string_name);
-
- krb5_error_code
- krb5_rc_resolve_type(krb5_context context, krb5_rcache *id,
- const char *type);
-
- krb5_error_code
- krb5_rc_store(krb5_context context, krb5_rcache id,
- krb5_donot_replay *rep);
-
- krb5_error_code
- krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
- krb5_rcache *id);
-
-DESCRIPTION
- The krb5_rcache structure holds a storage element that is used for data
- manipulation. The structure contains no public accessible elements.
-
- krb5_rc_initialize() Creates the reply cache id and sets it lifespan to
- auth_lifespan. If the cache already exists, the content is destroyed.
-
-SEE ALSO
- krb5(3), krb5_data(3), kerberos(8)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_rd_error.cat3 b/lib/krb5/krb5_rd_error.cat3
deleted file mode 100644
index a64ad0a172ef..000000000000
--- a/lib/krb5/krb5_rd_error.cat3
+++ /dev/null
@@ -1,51 +0,0 @@
-KRB5_RD_ERROR(3) BSD Library Functions Manual KRB5_RD_ERROR(3)
-
-NAME
- krb5_rd_error, krb5_free_error, krb5_free_error_contents,
- krb5_error_from_rd_error -- parse, free and read error from KRB-ERROR
- message
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_rd_error(krb5_context context, const krb5_data *msg,
- KRB_ERROR *result);
-
- void
- krb5_free_error(krb5_context context, krb5_error *error);
-
- void
- krb5_free_error_contents(krb5_context context, krb5_error *error);
-
- krb5_error_code
- krb5_error_from_rd_error(krb5_context context, const krb5_error *error,
- const krb5_creds *creds);
-
-DESCRIPTION
- Usually applications never needs to parse and understand Kerberos error
- messages since higher level functions will parse and push up the error in
- the krb5_context. These functions are described for completeness.
-
- krb5_rd_error() parses and returns the kerboeros error message, the
- structure should be freed with krb5_free_error_contents() when the caller
- is done with the structure.
-
- krb5_free_error() frees the content and the memory region holding the
- structure iself.
-
- krb5_free_error_contents() free the content of the KRB-ERROR message.
-
- krb5_error_from_rd_error() will parse the error message and set the error
- buffer in krb5_context to the error string passed back or the matching
- error code in the KRB-ERROR message. Caller should pick up the message
- with krb5_get_error_string(3) (don't forget to free the returned string
- with krb5_free_error_string()).
-
-SEE ALSO
- krb5(3), krb5_set_error_string(3), krb5_get_error_string(3), krb5.conf(5)
-
-HEIMDAL July 26, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_rd_safe.cat3 b/lib/krb5/krb5_rd_safe.cat3
deleted file mode 100644
index 0f4fd9fe9ea5..000000000000
--- a/lib/krb5/krb5_rd_safe.cat3
+++ /dev/null
@@ -1,34 +0,0 @@
-KRB5_RD_SAFE(3) BSD Library Functions Manual KRB5_RD_SAFE(3)
-
-NAME
- krb5_rd_safe, krb5_rd_priv -- verifies authenticity of messages
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
- krb5_error_code
- krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata);
-
-DESCRIPTION
- krb5_rd_safe() and krb5_rd_priv() parses KRB-SAFE and KRB-PRIV messages
- (as generated by krb5_mk_safe(3) and krb5_mk_priv(3)) from inbuf and ver-
- ifies its integrity. The user data part of the message in put in outbuf.
- The encryption state, including keyblocks and addresses, is taken from
- auth_context. If the KRB5_AUTH_CONTEXT_RET_SEQUENCE or
- KRB5_AUTH_CONTEXT_RET_TIME flags are set in the auth_context the sequence
- number and time are returned in the outdata parameter.
-
-SEE ALSO
- krb5_auth_con_init(3), krb5_mk_priv(3), krb5_mk_safe(3)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_set_default_realm.cat3 b/lib/krb5/krb5_set_default_realm.cat3
deleted file mode 100644
index 2bf0a5b825b8..000000000000
--- a/lib/krb5/krb5_set_default_realm.cat3
+++ /dev/null
@@ -1,69 +0,0 @@
-KRB5_SET_DEFAULT_REAL... BSD Library Functions Manual KRB5_SET_DEFAULT_REAL...
-
-NAME
- krb5_copy_host_realm, krb5_free_host_realm, krb5_get_default_realm,
- krb5_get_default_realms, krb5_get_host_realm, krb5_set_default_realm --
- default and host realm read and manipulation routines
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_copy_host_realm(krb5_context context, const krb5_realm *from,
- krb5_realm **to);
-
- krb5_error_code
- krb5_free_host_realm(krb5_context context, krb5_realm *realmlist);
-
- krb5_error_code
- krb5_get_default_realm(krb5_context context, krb5_realm *realm);
-
- krb5_error_code
- krb5_get_default_realms(krb5_context context, krb5_realm **realm);
-
- krb5_error_code
- krb5_get_host_realm(krb5_context context, const char *host,
- krb5_realm **realms);
-
- krb5_error_code
- krb5_set_default_realm(krb5_context context, const char *realm);
-
-DESCRIPTION
- krb5_copy_host_realm() copies the list of realms from from to to. to
- should be freed by the caller using krb5_free_host_realm.
-
- krb5_free_host_realm() frees all memory allocated by realmlist.
-
- krb5_get_default_realm() returns the first default realm for this host.
- The realm returned should be freed with krb5_xfree().
-
- krb5_get_default_realms() returns a NULL terminated list of default
- realms for this context. Realms returned by krb5_get_default_realms()
- should be freed with krb5_free_host_realm().
-
- krb5_get_host_realm() returns a NULL terminated list of realms for host
- by looking up the information in the [domain_realm] in krb5.conf or in
- DNS. If the mapping in [domain_realm] results in the string dns_locate,
- DNS is used to lookup the realm.
-
- When using DNS to a resolve the domain for the host a.b.c,
- krb5_get_host_realm() looks for a TXT resource record named
- _kerberos.a.b.c, and if not found, it strips off the first component and
- tries a again (_kerberos.b.c) until it reaches the root.
-
- If there is no configuration or DNS information found,
- krb5_get_host_realm() assumes it can use the domain part of the host to
- form a realm. Caller must free realmlist with krb5_free_host_realm().
-
- krb5_set_default_realm() sets the default realm for the context. If NULL
- is used as a realm, the [libdefaults]default_realm stanza in krb5.conf is
- used. If there is no such stanza in the configuration file, the
- krb5_get_host_realm() function is used to form a default realm.
-
-SEE ALSO
- free(3), krb5.conf(5)
-
-HEIMDAL April 24, 2005 HEIMDAL
diff --git a/lib/krb5/krb5_set_password.cat3 b/lib/krb5/krb5_set_password.cat3
deleted file mode 100644
index f6b7f387487f..000000000000
--- a/lib/krb5/krb5_set_password.cat3
+++ /dev/null
@@ -1,65 +0,0 @@
-KRB5_SET_PASSWORD(3) BSD Library Functions Manual KRB5_SET_PASSWORD(3)
-
-NAME
- krb5_change_password, krb5_set_password, krb5_set_password_using_ccache,
- krb5_passwd_result_to_string -- change password functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_change_password(krb5_context context, krb5_creds *creds,
- char *newpw, int *result_code, krb5_data *result_code_string,
- krb5_data *result_string);
-
- krb5_error_code
- krb5_set_password(krb5_context context, krb5_creds *creds, char *newpw,
- krb5_principal targprinc, int *result_code,
- krb5_data *result_code_string, krb5_data *result_string);
-
- krb5_error_code
- krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
- char *newpw, krb5_principal targprinc, int *result_code,
- krb5_data *result_code_string, krb5_data *result_string);
-
- const char *
- krb5_passwd_result_to_string(krb5_context context, int result);
-
-DESCRIPTION
- These functions change the password for a given principal.
-
- krb5_set_password() and krb5_set_password_using_ccache() are the newer of
- the three functions, and use a newer version of the protocol (and also
- fall back to the older set-password protocol if the newer protocol
- doesn't work).
-
- krb5_change_password() sets the password newpasswd for the client princi-
- pal in creds. The server principal of creds must be kadmin/changepw.
-
- krb5_set_password() and krb5_set_password_using_ccache() change the pass-
- word for the principal targprinc.
-
- krb5_set_password() requires that the credential for
- kadmin/changepw@REALM is in creds. If the user caller isn't an adminis-
- trator, this credential needs to be an initial credential, see
- krb5_get_init_creds(3) how to get such credentials.
-
- krb5_set_password_using_ccache() will get the credential from ccache.
-
- If targprinc is NULL, krb5_set_password_using_ccache() uses the the de-
- fault principal in ccache and krb5_set_password() uses the global the de-
- fault principal.
-
- All three functions return an error in result_code and maybe an error
- string to print in result_string.
-
- krb5_passwd_result_to_string() returns an human readable string describ-
- ing the error code in result_code from the krb5_set_password() functions.
-
-SEE ALSO
- krb5_ccache(3), krb5_init_context(3)
-
-HEIMDAL July 15, 2004 HEIMDAL
diff --git a/lib/krb5/krb5_string_to_key.cat3 b/lib/krb5/krb5_string_to_key.cat3
deleted file mode 100644
index 3e3621880185..000000000000
--- a/lib/krb5/krb5_string_to_key.cat3
+++ /dev/null
@@ -1,73 +0,0 @@
-KRB5_STRING_TO_KEY(3) BSD Library Functions Manual KRB5_STRING_TO_KEY(3)
-
-NAME
- krb5_string_to_key, krb5_string_to_key_data,
- krb5_string_to_key_data_salt, krb5_string_to_key_data_salt_opaque,
- krb5_string_to_key_salt, krb5_string_to_key_salt_opaque,
- krb5_get_pw_salt, krb5_free_salt -- turns a string to a Kerberos key
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_string_to_key(krb5_context context, krb5_enctype enctype,
- const char *password, krb5_principal principal, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_data(krb5_context context, krb5_enctype enctype,
- krb5_data password, krb5_principal principal, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_data_salt(krb5_context context, krb5_enctype enctype,
- krb5_data password, krb5_salt salt, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_data_salt_opaque(krb5_context context,
- krb5_enctype enctype, krb5_data password, krb5_salt salt,
- krb5_data opaque, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_salt(krb5_context context, krb5_enctype enctype,
- const char *password, krb5_salt salt, krb5_keyblock *key);
-
- krb5_error_code
- krb5_string_to_key_salt_opaque(krb5_context context,
- krb5_enctype enctype, const char *password, krb5_salt salt,
- krb5_data opaque, krb5_keyblock *key);
-
- krb5_error_code
- krb5_get_pw_salt(krb5_context context, krb5_const_principal principal,
- krb5_salt *salt);
-
- krb5_error_code
- krb5_free_salt(krb5_context context, krb5_salt salt);
-
-DESCRIPTION
- The string to key functions convert a string to a kerberos key.
-
- krb5_string_to_key_data_salt_opaque() is the function that does all the
- work, the rest of the functions are just wrappers around
- krb5_string_to_key_data_salt_opaque() that calls it with default values.
-
- krb5_string_to_key_data_salt_opaque() transforms the password with the
- given salt-string salt and the opaque, encryption type specific parameter
- opaque to a encryption key key according to the string to key function
- associated with enctype.
-
- The key should be freed with krb5_free_keyblock_contents().
-
- If one of the functions that doesn't take a krb5_salt as it argument
- krb5_get_pw_salt() is used to get the salt value.
-
- krb5_get_pw_salt() get the default password salt for a principal, use
- krb5_free_salt() to free the salt when done.
-
- krb5_free_salt() frees the content of salt.
-
-SEE ALSO
- krb5(3), krb5_data(3), krb5_keyblock(3), kerberos(8)
-
-HEIMDAL July 10, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_timeofday.cat3 b/lib/krb5/krb5_timeofday.cat3
deleted file mode 100644
index bec02a410644..000000000000
--- a/lib/krb5/krb5_timeofday.cat3
+++ /dev/null
@@ -1,54 +0,0 @@
-KRB5_TIMEOFDAY(3) BSD Library Functions Manual KRB5_TIMEOFDAY(3)
-
-NAME
- krb5_timeofday, krb5_set_real_time, krb5_us_timeofday, krb5_format_time,
- krb5_string_to_deltat -- Kerberos 5 time handling functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_timestamp;
-
- krb5_deltat;
-
- krb5_error_code
- krb5_set_real_time(krb5_context context, krb5_timestamp sec,
- int32_t usec);
-
- krb5_error_code
- krb5_timeofday(krb5_context context, krb5_timestamp *timeret);
-
- krb5_error_code
- krb5_us_timeofday(krb5_context context, krb5_timestamp *sec,
- int32_t *usec);
-
- krb5_error_code
- krb5_format_time(krb5_context context, time_t t, char *s, size_t len,
- krb5_boolean include_time);
-
- krb5_error_code
- krb5_string_to_deltat(const char *string, krb5_deltat *deltat);
-
-DESCRIPTION
- krb5_set_real_time sets the absolute time that the caller knows the KDC
- has. With this the Kerberos library can calculate the relative differ-
- ence between the KDC time and the local system time and store it in the
- context. With this information the Kerberos library can adjust all time
- stamps in Kerberos packages.
-
- krb5_timeofday() returns the current time, but adjusted with the time
- difference between the local host and the KDC. krb5_us_timeofday() also
- returns microseconds.
-
- krb5_format_time formats the time t into the string s of length len. If
- include_time is set, the time is set include_time.
-
- krb5_string_to_deltat parses delta time string into deltat.
-
-SEE ALSO
- gettimeofday(2), krb5(3)
-
-HEIMDAL September 16, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_verify_init_creds.cat3 b/lib/krb5/krb5_verify_init_creds.cat3
deleted file mode 100644
index 05dcb76ce6e3..000000000000
--- a/lib/krb5/krb5_verify_init_creds.cat3
+++ /dev/null
@@ -1,51 +0,0 @@
-KRB5_VERIFY_INIT_CRED... BSD Library Functions Manual KRB5_VERIFY_INIT_CRED...
-
-NAME
- krb5_verify_init_creds_opt_init,
- krb5_verify_init_creds_opt_set_ap_req_nofail, krb5_verify_init_creds --
- verifies a credential cache is correct by using a local keytab
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- struct krb5_verify_init_creds_opt;
-
- void
- krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);
-
- void
- krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
- int ap_req_nofail);
-
- krb5_error_code
- krb5_verify_init_creds(krb5_context context, krb5_creds *creds,
- krb5_principal ap_req_server, krb5_ccache *ccache,
- krb5_verify_init_creds_opt *options);
-
-DESCRIPTION
- The krb5_verify_init_creds function verifies the initial tickets with the
- local keytab to make sure the response of the KDC was spoof-ed.
-
- krb5_verify_init_creds will use principal ap_req_server from the local
- keytab, if NULL is passed in, the code will guess the local hostname and
- use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME. creds is the
- credential that krb5_verify_init_creds should verify. If ccache is given
- krb5_verify_init_creds() stores all credentials it fetched from the KDC
- there, otherwise it will use a memory credential cache that is destroyed
- when done.
-
- krb5_verify_init_creds_opt_init() cleans the the structure, must be used
- before trying to pass it in to krb5_verify_init_creds().
-
- krb5_verify_init_creds_opt_set_ap_req_nofail() controls controls the be-
- havior if ap_req_server doesn't exists in the local keytab or in the
- KDC's database, if it's true, the error will be ignored. Note that this
- use is possible insecure.
-
-SEE ALSO
- krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krb5_verify_user.cat3 b/lib/krb5/krb5_verify_user.cat3
deleted file mode 100644
index df5d56d33427..000000000000
--- a/lib/krb5/krb5_verify_user.cat3
+++ /dev/null
@@ -1,140 +0,0 @@
-KRB5_VERIFY_USER(3) BSD Library Functions Manual KRB5_VERIFY_USER(3)
-
-NAME
- krb5_verify_user, krb5_verify_user_lrealm, krb5_verify_user_opt,
- krb5_verify_opt_init, krb5_verify_opt_alloc, krb5_verify_opt_free,
- krb5_verify_opt_set_ccache, krb5_verify_opt_set_flags,
- krb5_verify_opt_set_service, krb5_verify_opt_set_secure,
- krb5_verify_opt_set_keytab -- Heimdal password verifying functions
-
-LIBRARY
- Kerberos 5 Library (libkrb5, -lkrb5)
-
-SYNOPSIS
- #include <krb5.h>
-
- krb5_error_code
- krb5_verify_user(krb5_context context, krb5_principal principal,
- krb5_ccache ccache, const char *password, krb5_boolean secure,
- const char *service);
-
- krb5_error_code
- krb5_verify_user_lrealm(krb5_context context, krb5_principal principal,
- krb5_ccache ccache, const char *password, krb5_boolean secure,
- const char *service);
-
- void
- krb5_verify_opt_init(krb5_verify_opt *opt);
-
- void
- krb5_verify_opt_alloc(krb5_verify_opt **opt);
-
- void
- krb5_verify_opt_free(krb5_verify_opt *opt);
-
- void
- krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache);
-
- void
- krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab);
-
- void
- krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure);
-
- void
- krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service);
-
- void
- krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags);
-
- krb5_error_code
- krb5_verify_user_opt(krb5_context context, krb5_principal principal,
- const char *password, krb5_verify_opt *opt);
-
-DESCRIPTION
- The krb5_verify_user function verifies the password supplied by a user.
- The principal whose password will be verified is specified in principal.
- New tickets will be obtained as a side-effect and stored in ccache (if
- NULL, the default ccache is used). krb5_verify_user() will call
- krb5_cc_initialize() on the given ccache, so ccache must only initialized
- with krb5_cc_resolve() or krb5_cc_gen_new(). If the password is not sup-
- plied in password (and is given as NULL) the user will be prompted for
- it. If secure the ticket will be verified against the locally stored
- service key service (by default `host' if given as NULL ).
-
- The krb5_verify_user_lrealm() function does the same, except that it ig-
- nores the realm in principal and tries all the local realms (see
- krb5.conf(5)). After a successful return, the principal is set to the
- authenticated realm. If the call fails, the principal will not be mean-
- ingful, and should only be freed with krb5_free_principal(3).
-
- krb5_verify_opt_alloc() and krb5_verify_opt_free() allocates and frees a
- krb5_verify_opt. You should use the the alloc and free function instead
- of allocation the structure yourself, this is because in a future release
- the structure wont be exported.
-
- krb5_verify_opt_init() resets all opt to default values.
-
- None of the krb5_verify_opt_set function makes a copy of the data struc-
- ture that they are called with. It's up the caller to free them after the
- krb5_verify_user_opt() is called.
-
- krb5_verify_opt_set_ccache() sets the ccache that user of opt will use.
- If not set, the default credential cache will be used.
-
- krb5_verify_opt_set_keytab() sets the keytab that user of opt will use.
- If not set, the default keytab will be used.
-
- krb5_verify_opt_set_secure() if secure if true, the password verification
- will require that the ticket will be verified against the locally stored
- service key. If not set, default value is true.
-
- krb5_verify_opt_set_service() sets the service principal that user of opt
- will use. If not set, the `host' service will be used.
-
- krb5_verify_opt_set_flags() sets flags that user of opt will use. If the
- flag KRB5_VERIFY_LREALMS is used, the principal will be modified like
- krb5_verify_user_lrealm() modifies it.
-
- krb5_verify_user_opt() function verifies the password supplied by a user.
- The principal whose password will be verified is specified in principal.
- Options the to the verification process is pass in in opt.
-
-EXAMPLES
- Here is a example program that verifies a password. it uses the
- `host/`hostname`' service principal in krb5.keytab.
-
- #include <krb5.h>
-
- int
- main(int argc, char **argv)
- {
- char *user;
- krb5_error_code error;
- krb5_principal princ;
- krb5_context context;
-
- if (argc != 2)
- errx(1, "usage: verify_passwd <principal-name>");
-
- user = argv[1];
-
- if (krb5_init_context(&context) < 0)
- errx(1, "krb5_init_context");
-
- if ((error = krb5_parse_name(context, user, &princ)) != 0)
- krb5_err(context, 1, error, "krb5_parse_name");
-
- error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL);
- if (error)
- krb5_err(context, 1, error, "krb5_verify_user");
-
- return 0;
- }
-
-SEE ALSO
- krb5_cc_gen_new(3), krb5_cc_initialize(3), krb5_cc_resolve(3),
- krb5_err(3), krb5_free_principal(3), krb5_init_context(3),
- krb5_kt_default(3), krb5.conf(5)
-
-HEIMDAL May 1, 2006 HEIMDAL
diff --git a/lib/krb5/krbhst-test.c b/lib/krb5/krbhst-test.c
index 873734fce77a..cd388ecfaaa0 100644
--- a/lib/krb5/krbhst-test.c
+++ b/lib/krb5/krbhst-test.c
@@ -59,6 +59,7 @@ usage (int ret)
int
main(int argc, char **argv)
{
+ krb5_error_code ret;
int i, j;
krb5_context context;
int types[] = {KRB5_KRBHST_KDC, KRB5_KRBHST_ADMIN, KRB5_KRBHST_CHANGEPW,
@@ -82,7 +83,9 @@ main(int argc, char **argv)
argc -= optidx;
argv += optidx;
- krb5_init_context (&context);
+ ret = krb5_init_context(&context);
+ if (ret)
+ krb5_err(NULL, 1, ret, "Failed to initialize context");
for(i = 0; i < argc; i++) {
krb5_krbhst_handle handle;
char host[MAXHOSTNAMELEN];
@@ -90,12 +93,16 @@ main(int argc, char **argv)
for (j = 0; j < sizeof(types)/sizeof(*types); ++j) {
printf ("%s for %s:\n", type_str[j], argv[i]);
- krb5_krbhst_init(context, argv[i], types[j], &handle);
- while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0)
+ ret = krb5_krbhst_init(context, argv[i], types[j], &handle);
+ if (ret)
+ krb5_err(context, 1, ret, "Could not init krbhst iterator");
+ while ((ret = krb5_krbhst_next_as_string(context, handle, host,
+ sizeof(host))) == 0)
printf("\thost: %s\n", host);
krb5_krbhst_reset(context, handle);
- printf ("\n");
+ printf("\n");
+ if (ret)
+ krb5_err(context, 1, ret, "Could not iterate all krbhst");
}
}
return 0;
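Review bot: The trailing `if (ret) krb5_err(...)` in this hunk appears to fire on every successful run, because the while loop just above it only terminates when krb5_krbhst_next_as_string() returns non-zero, and exhausting the host list is signalled with a non-zero code (the visible tail of kpasswd_get_next() in krbhst.c returns KRB5_KDC_UNREACH for that case). Unless the iterator signals exhaustion with 0 somewhere not shown here, the program aborts after printing the first host list. Either drop the check or exclude the exhaustion code: `if (ret && ret != KRB5_KDC_UNREACH)`. The closing brace of main() is outside the hunk.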
diff --git a/lib/krb5/krbhst.c b/lib/krb5/krbhst.c
index 36da64b0e469..99a96d298c1e 100644
--- a/lib/krb5/krbhst.c
+++ b/lib/krb5/krbhst.c
@@ -65,7 +65,7 @@ is_invalid_tld_srv_target(const char *target)
static krb5_error_code
srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
- const char *realm, const char *dns_type,
+ const char *realm, const char *dns_type, const char *sitename,
const char *proto, const char *service, int port)
{
char domain[1024];
@@ -93,7 +93,11 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
else
def_port = port;
- snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
+ if (sitename)
+ snprintf(domain, sizeof(domain), "_%s._%s.%s._sites.%s.",
+ service, proto, sitename, realm);
+ else
+ snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
r = rk_dns_lookup(domain, dns_type);
if(r == NULL) {
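Review bot: Neither snprintf() into domain[1024] checks for truncation, and the new branch makes truncation more plausible because sitename is caller-supplied (via krb5_krbhst_set_sitename() later in this diff) and is spliced between the protocol label and the realm. A site name that does not fit is cut silently, so the function then resolves a different DNS name than the one it was asked for instead of failing. Assign each snprintf() result to an `int n` and add `if (n < 0 || (size_t)n >= sizeof(domain)) return KRB5_KDC_UNREACH;` after the if/else; rejecting a sitename that is not a single label would also be a cheap sanity check if that matches the expected site naming. srv_find_realm() continues outside the hunk.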
@@ -109,6 +113,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
if (num_srv == 0) {
_krb5_debug(context, 0,
"DNS SRV RR lookup domain nodata: %s", domain);
+ rk_dns_free_data(r);
return KRB5_KDC_UNREACH;
}
@@ -169,23 +174,29 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
struct krb5_krbhst_data {
+ const char *config_param;
+ const char *srv_label;
char *realm;
unsigned int flags;
int def_port;
int port; /* hardwired port number if != 0 */
-#define KD_CONFIG 1
-#define KD_SRV_UDP 2
-#define KD_SRV_TCP 4
-#define KD_SRV_HTTP 8
-#define KD_FALLBACK 16
-#define KD_CONFIG_EXISTS 32
-#define KD_LARGE_MSG 64
-#define KD_PLUGIN 128
-#define KD_HOSTNAMES 256
+#define KD_CONFIG 0x0001
+#define KD_SRV_UDP 0x0002
+#define KD_SRV_TCP 0x0004
+#define KD_SITE_SRV_UDP 0x0008
+#define KD_SITE_SRV_TCP 0x0010
+#define KD_SRV_HTTP 0x0020
+#define KD_SRV_KKDCP 0x0040
+#define KD_FALLBACK 0x0080
+#define KD_CONFIG_EXISTS 0x0100
+#define KD_LARGE_MSG 0x0200
+#define KD_PLUGIN 0x0400
+#define KD_HOSTNAMES 0x0800
krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *,
krb5_krbhst_info**);
char *hostname;
+ char *sitename;
unsigned int fallback_count;
struct krb5_krbhst_info *hosts, **index, **end;
@@ -332,7 +343,13 @@ append_host_hostinfo(struct krb5_krbhst_data *kd, struct krb5_krbhst_info *host)
_krb5_free_krbhst_info(host);
return;
}
- *kd->end = host;
+ /*
+ * We should always initialize kd->end in common_init(), but static
+ * analyzers may not see that we do, and the compiler might conclude
+ * there's UB here.
+ */
+ if (kd->end)
+ *kd->end = host;
kd->end = &host->next;
}
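Review bot: If the new `if (kd->end)` guard is ever false, host is not linked into the list but `kd->end = &host->next` still executes, so host becomes an unreachable node that later appends chain onto and nothing frees — the guard converts a possible NULL dereference into a silent leak plus a dropped host. Given the comment says kd->end is always set in common_init(), an explicit bail-out on that impossible path is clearer: `if (kd->end == NULL) { _krb5_free_krbhst_info(host); return; }` before the store.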
@@ -359,14 +376,14 @@ krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host,
char *hostname, size_t hostlen)
{
const char *proto = "";
- char portstr[7] = "";
if(host->proto == KRB5_KRBHST_TCP)
proto = "tcp/";
else if(host->proto == KRB5_KRBHST_HTTP)
proto = "http://";
- if(host->port != host->def_port)
- snprintf(portstr, sizeof(portstr), ":%d", host->port);
- snprintf(hostname, hostlen, "%s%s%s", proto, host->hostname, portstr);
+ if (host->port != host->def_port)
+ snprintf(hostname, hostlen, "%s%s:%d", proto, host->hostname, (int)host->port);
+ else
+ snprintf(hostname, hostlen, "%s%s", proto, host->hostname);
return 0;
}
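Review bot: Both new snprintf() calls discard their return value and the function still returns 0 unconditionally, so a caller gets a silently truncated "proto/host:port" string when hostlen is too small; the portstr version had the same gap, and this rewrite was the natural place to close it. Declare `int n;`, assign `n = snprintf(...)` in both branches, and finish with `if (n < 0 || (size_t)n >= hostlen) return ERANGE;`. gethostlist() later in this diff stops iterating on a non-zero return, which is a safer outcome than using a truncated host name.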
@@ -427,7 +444,7 @@ krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
static krb5_boolean
get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host)
{
- struct krb5_krbhst_info *hi = *kd->index;
+ struct krb5_krbhst_info *hi = kd ? *kd->index : NULL;
if(hi != NULL) {
*host = hi;
kd->index = &(*kd->index)->next;
@@ -438,7 +455,7 @@ get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host)
static void
srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
- const char *proto, const char *service)
+ const char *sitename, const char *proto, const char *service)
{
krb5_error_code ret;
krb5_krbhst_info **res;
@@ -447,8 +464,8 @@ srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
if (krb5_realm_is_lkdc(kd->realm))
return;
- ret = srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
- kd->port);
+ ret = srv_find_realm(context, &res, &count, kd->realm, "SRV",
+ sitename, proto, service, kd->port);
_krb5_debug(context, 2, "searching DNS for realm %s %s.%s -> %d",
kd->realm, proto, service, ret);
if (ret)
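Review bot: The _krb5_debug() call right after the changed srv_find_realm() invocation still formats only realm, proto and service, so a site-scoped lookup (sitename non-NULL) is indistinguishable in debug output from the realm-wide lookup that kdc_get_next() performs next. Include the site: `"searching DNS for realm %s %s.%s site %s -> %d", kd->realm, proto, service, sitename ? sitename : "(none)", ret`. srv_get_hosts() continues outside the hunk.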
@@ -551,6 +568,8 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
"Realm %s needs immediate attention "
"see https://icann.org/namecollision",
kd->realm);
+ free(host);
+ freeaddrinfo(ai);
return KRB5_KDC_UNREACH;
}
}
@@ -559,6 +578,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
hi = calloc(1, sizeof(*hi) + hostlen);
if(hi == NULL) {
free(host);
+ freeaddrinfo(ai);
return krb5_enomem(context);
}
@@ -680,6 +700,17 @@ plcallback(krb5_context context,
return KRB5_PLUGIN_NO_HANDLE;
}
+static const char *const locate_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+locate_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_LOCATE,
+ KRB5_PLUGIN_LOCATE_VERSION_0,
+ locate_plugin_deps,
+ krb5_get_instance
+};
+
static void
plugin_get_hosts(krb5_context context,
struct krb5_krbhst_data *kd,
@@ -690,8 +721,7 @@ plugin_get_hosts(krb5_context context,
if (_krb5_homedir_access(context))
ctx.flags |= KRB5_PLF_ALLOW_HOMEDIR;
- _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_LOCATE,
- KRB5_PLUGIN_LOCATE_VERSION_0,
+ _krb5_plugin_run_f(context, &locate_plugin_data,
0, &ctx, plcallback);
}
@@ -735,7 +765,7 @@ kdc_get_next(krb5_context context,
}
if((kd->flags & KD_CONFIG) == 0) {
- config_get_hosts(context, kd, "kdc");
+ config_get_hosts(context, kd, kd->config_param);
kd->flags |= KD_CONFIG;
if(get_next(kd, host))
return 0;
@@ -749,21 +779,28 @@ kdc_get_next(krb5_context context,
}
if(context->srv_lookup) {
+ if(kd->sitename && (kd->flags & KD_SITE_SRV_TCP) == 0) {
+ srv_get_hosts(context, kd, kd->sitename, "tcp", "kerberos");
+ kd->flags |= KD_SITE_SRV_TCP;
+ if(get_next(kd, host))
+ return 0;
+ }
+
if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) {
- srv_get_hosts(context, kd, "udp", "kerberos");
+ srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
kd->flags |= KD_SRV_UDP;
if(get_next(kd, host))
return 0;
}
if((kd->flags & KD_SRV_TCP) == 0) {
- srv_get_hosts(context, kd, "tcp", "kerberos");
+ srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP;
if(get_next(kd, host))
return 0;
}
if((kd->flags & KD_SRV_HTTP) == 0) {
- srv_get_hosts(context, kd, "http", "kerberos");
+ srv_get_hosts(context, kd, NULL, "http", kd->srv_label);
kd->flags |= KD_SRV_HTTP;
if(get_next(kd, host))
return 0;
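Review bot: The new site-scoped lookup at the top of the hunk passes the literal "kerberos" as the SRV label while the three realm-wide lookups below it were switched to kd->srv_label, so for KRB5_KRBHST_TKTBRIDGEAP (which also uses kdc_get_next with srv_label "kerberos-tkt-bridge", later in this diff) a configured sitename would query the plain KDC record rather than the bridge one. Use the same label: `srv_get_hosts(context, kd, kd->sitename, "tcp", kd->srv_label);`. KD_SITE_SRV_UDP is added to the flag set but, as far as this diff shows, no UDP site lookup ever sets or tests it, which deserves either a comment or removal. kdc_get_next() continues outside the hunk.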
@@ -800,7 +837,7 @@ admin_get_next(krb5_context context,
}
if((kd->flags & KD_CONFIG) == 0) {
- config_get_hosts(context, kd, "admin_server");
+ config_get_hosts(context, kd, kd->config_param);
kd->flags |= KD_CONFIG;
if(get_next(kd, host))
return 0;
@@ -815,7 +852,7 @@ admin_get_next(krb5_context context,
if(context->srv_lookup) {
if((kd->flags & KD_SRV_TCP) == 0) {
- srv_get_hosts(context, kd, "tcp", "kerberos-adm");
+ srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP;
if(get_next(kd, host))
return 0;
@@ -854,7 +891,7 @@ kpasswd_get_next(krb5_context context,
}
if((kd->flags & KD_CONFIG) == 0) {
- config_get_hosts(context, kd, "kpasswd_server");
+ config_get_hosts(context, kd, kd->config_param);
kd->flags |= KD_CONFIG;
if(get_next(kd, host))
return 0;
@@ -869,13 +906,13 @@ kpasswd_get_next(krb5_context context,
if(context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) {
- srv_get_hosts(context, kd, "udp", "kpasswd");
+ srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
kd->flags |= KD_SRV_UDP;
if(get_next(kd, host))
return 0;
}
if((kd->flags & KD_SRV_TCP) == 0) {
- srv_get_hosts(context, kd, "tcp", "kpasswd");
+ srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP;
if(get_next(kd, host))
return 0;
@@ -899,7 +936,7 @@ kpasswd_get_next(krb5_context context,
return KRB5_KDC_UNREACH;
}
-static void
+static void KRB5_CALLCONV
krbhost_dealloc(void *ptr)
{
struct krb5_krbhst_data *handle = (struct krb5_krbhst_data *)ptr;
@@ -911,12 +948,16 @@ krbhost_dealloc(void *ptr)
}
if (handle->hostname)
free(handle->hostname);
+ if (handle->sitename)
+ free(handle->sitename);
free(handle->realm);
}
static struct krb5_krbhst_data*
common_init(krb5_context context,
+ const char *config_param,
+ const char *srv_label,
const char *service,
const char *realm,
int flags)
@@ -931,6 +972,9 @@ common_init(krb5_context context,
return NULL;
}
+ kd->config_param = config_param;
+ kd->srv_label = srv_label;
+
_krb5_debug(context, 2, "Trying to find service %s for realm %s flags %x",
service, realm, flags);
@@ -968,6 +1012,8 @@ krb5_krbhst_init_flags(krb5_context context,
krb5_error_code (*next)(krb5_context, struct krb5_krbhst_data *,
krb5_krbhst_info **);
int def_port;
+ const char *config_param;
+ const char *srv_label;
const char *service;
*handle = NULL;
@@ -975,27 +1021,49 @@ krb5_krbhst_init_flags(krb5_context context,
switch(type) {
case KRB5_KRBHST_KDC:
next = kdc_get_next;
- def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88));
+ def_port = ntohs(krb5_getportbyname(context, "kerberos", "udp", 88));
+ config_param = "kdc";
+ srv_label = "kerberos";
service = "kdc";
break;
case KRB5_KRBHST_ADMIN:
next = admin_get_next;
- def_port = ntohs(krb5_getportbyname (context, "kerberos-adm",
- "tcp", 749));
+ def_port = ntohs(krb5_getportbyname(context, "kerberos-adm",
+ "tcp", 749));
+ config_param = "admin_server";
+ srv_label = "kerberos-adm";
+ service = "admin";
+ break;
+ case KRB5_KRBHST_READONLY_ADMIN:
+ next = admin_get_next;
+ def_port = ntohs(krb5_getportbyname(context, "kerberos-adm",
+ "tcp", 749));
+ config_param = "readonly_admin_server";
+ srv_label = "kerberos-adm-readonly";
service = "admin";
break;
case KRB5_KRBHST_CHANGEPW:
next = kpasswd_get_next;
- def_port = ntohs(krb5_getportbyname (context, "kpasswd", "udp",
- KPASSWD_PORT));
+ def_port = ntohs(krb5_getportbyname(context, "kpasswd", "udp",
+ KPASSWD_PORT));
+ config_param = "kpasswd_server";
+ srv_label = "kpasswd";
service = "change_password";
break;
+ case KRB5_KRBHST_TKTBRIDGEAP:
+ next = kdc_get_next;
+ def_port = ntohs(krb5_getportbyname(context, "kerberos", "tcp", 88));
+ config_param = "tktbridgeap";
+ srv_label = "kerberos-tkt-bridge";
+ service = "kdc";
+ break;
default:
krb5_set_error_message(context, ENOTTY,
N_("unknown krbhst type (%u)", ""), type);
return ENOTTY;
}
- if((kd = common_init(context, service, realm, flags)) == NULL)
+ if((kd = common_init(context, config_param, srv_label, service, realm,
+ flags)) == NULL)
return ENOMEM;
kd->get_next = next;
kd->def_port = def_port;
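Review bot: The two new cases introduce the user-facing configuration keys "readonly_admin_server" and "tktbridgeap" and the SRV labels "kerberos-adm-readonly" and "kerberos-tkt-bridge" without a comment explaining what config_param and srv_label each drive, and nothing in this hunk shows where an administrator would learn the new names. A comment above the switch such as `/* config_param: krb5.conf key read by config_get_hosts(); srv_label: DNS SRV service name, _<label>._<proto>.<realm> */` would make the mapping self-describing; presumably krb5.conf(5) is updated elsewhere in the import, but that is worth confirming. TKTBRIDGEAP resolves its default port with "tcp" while the KDC case uses "udp" — likely intentional, but a one-line note would stop the next reader from "fixing" it. krb5_krbhst_init_flags() continues outside the hunk.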
@@ -1054,6 +1122,19 @@ krb5_krbhst_set_hostname(krb5_context context,
return 0;
}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_krbhst_set_sitename(krb5_context context,
+ krb5_krbhst_handle handle,
+ const char *sitename)
+{
+ if (handle->sitename)
+ free(handle->sitename);
+ handle->sitename = strdup(sitename);
+ if (handle->sitename == NULL)
+ return krb5_enomem(context);
+ return 0;
+}
+
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle)
{
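Review bot: krb5_krbhst_set_sitename() passes sitename straight to strdup() with no NULL check, so the natural way to clear a previously set site (passing NULL) is undefined behaviour; it also frees the old value before allocating, which leaves handle->sitename NULL on ENOMEM instead of preserving the previous site. Allocating first and treating NULL as "clear" fixes both, as sketched below. Separately, the declaration omits KRB5_LIB_CALL and orders the macros differently from the file's convention (`KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL`, as on krb5_krbhst_reset() right below), which matters wherever the calling-convention macro is non-empty.
```c
/* … unchanged: krb5_krbhst_set_sitename() signature … */
{
    char *copy = NULL;

    /* NULL clears the site name; strdup(NULL) would be undefined. */
    if (sitename != NULL && (copy = strdup(sitename)) == NULL)
	return krb5_enomem(context);
    free(handle->sitename);
    handle->sitename = copy;
    return 0;
}
```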
@@ -1084,24 +1165,25 @@ gethostlist(krb5_context context, const char *realm,
if (ret)
return ret;
- while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
+ while (krb5_krbhst_next(context, handle, &hostinfo) == 0)
nhost++;
- if(nhost == 0) {
+ if (nhost == 0) {
krb5_set_error_message(context, KRB5_KDC_UNREACH,
N_("No KDC found for realm %s", ""), realm);
+ krb5_krbhst_free(context, handle);
return KRB5_KDC_UNREACH;
}
*hostlist = calloc(nhost + 1, sizeof(**hostlist));
- if(*hostlist == NULL) {
+ if (*hostlist == NULL) {
krb5_krbhst_free(context, handle);
return krb5_enomem(context);
}
krb5_krbhst_reset(context, handle);
nhost = 0;
- while(krb5_krbhst_next_as_string(context, handle,
- host, sizeof(host)) == 0) {
- if(((*hostlist)[nhost++] = strdup(host)) == NULL) {
+ while (krb5_krbhst_next_as_string(context, handle,
+ host, sizeof(host)) == 0) {
+ if (((*hostlist)[nhost++] = strdup(host)) == NULL) {
krb5_free_krbhst(context, *hostlist);
krb5_krbhst_free(context, handle);
return krb5_enomem(context);
@@ -1113,18 +1195,30 @@ gethostlist(krb5_context context, const char *realm,
}
/*
- * return an malloced list of kadmin-hosts for `realm' in `hostlist'
+ * Return a malloced list of kadmin-hosts for `realm' in `hostlist'
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_get_krb_admin_hst (krb5_context context,
- const krb5_realm *realm,
- char ***hostlist)
+krb5_get_krb_admin_hst(krb5_context context,
+ const krb5_realm *realm,
+ char ***hostlist)
{
return gethostlist(context, *realm, KRB5_KRBHST_ADMIN, hostlist);
}
/*
+ * Return a malloced list of writable kadmin-hosts for `realm' in `hostlist'
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_krb_readonly_admin_hst(krb5_context context,
+ const krb5_realm *realm,
+ char ***hostlist)
+{
+ return gethostlist(context, *realm, KRB5_KRBHST_READONLY_ADMIN, hostlist);
+}
+
+/*
* return an malloced list of changepw-hosts for `realm' in `hostlist'
*/
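Review bot: The comment above the new krb5_get_krb_readonly_admin_hst() says it returns "writable kadmin-hosts", but the function resolves KRB5_KRBHST_READONLY_ADMIN, i.e. the read-only admin servers; a reader picking between this and krb5_get_krb_admin_hst() will be misled. Replace the line with ` * Return a malloced list of read-only kadmin-hosts for `realm' in `hostlist'`.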
diff --git a/lib/krb5/krcache.c b/lib/krb5/krcache.c
new file mode 100644
index 000000000000..9e992216153d
--- /dev/null
+++ b/lib/krb5/krcache.c
@@ -0,0 +1,2075 @@
+/*
+ * Copyright (c) 2006 The Regents of the University of Michigan.
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2018, AuriStor, Inc.
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization. If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+/*
+ * Copyright 1990,1991,1992,1993,1994,2000,2004 Massachusetts Institute of
+ * Technology. All Rights Reserved.
+ *
+ * Original stdio support copyright 1995 by Cygnus Support.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * This file implements a collection-enabled credential cache type where the
+ * credentials are stored in the Linux keyring facility.
+ *
+ * A residual of this type can have three forms:
+ * anchor:collection:subsidiary
+ * anchor:collection
+ * collection
+ *
+ * The anchor name is "process", "thread", or "legacy" and determines where we
+ * search for keyring collections. In the third form, the anchor name is
+ * presumed to be "legacy". The anchor keyring for legacy caches is the
+ * session keyring.
+ *
+ * If the subsidiary name is present, the residual identifies a single cache
+ * within a collection. Otherwise, the residual identifies the collection
+ * itself. When a residual identifying a collection is resolved, the
+ * collection's primary key is looked up (or initialized, using the collection
+ * name as the subsidiary name), and the resulting cache's name will use the
+ * first name form and will identify the primary cache.
+ *
+ * Keyring collections are named "_krb_<collection>" and are linked from the
+ * anchor keyring. The keys within a keyring collection are links to cache
+ * keyrings, plus a link to one user key named "krb_ccache:primary" which
+ * contains a serialized representation of the collection version (currently 1)
+ * and the primary name of the collection.
+ *
+ * Cache keyrings contain one user key per credential which contains a
+ * serialized representation of the credential. There is also one user key
+ * named "__krb5_princ__" which contains a serialized representation of the
+ * cache's default principal.
+ *
+ * If the anchor name is "legacy", then the initial primary cache (the one
+ * named with the collection name) is also linked to the session keyring, and
+ * we look for a cache in that location when initializing the collection. This
+ * extra link allows that cache to be visible to old versions of the KEYRING
+ * cache type, and allows us to see caches created by that code.
+ */
+
+#include "krb5_locl.h"
+
+#ifdef HAVE_KEYUTILS_H
+
+#include <keyutils.h>
+
+/*
+ * We try to use the big_key key type for credentials except in legacy caches.
+ * We fall back to the user key type if the kernel does not support big_key.
+ * If the library doesn't support keyctl_get_persistent(), we don't even try
+ * big_key since the two features were added at the same time.
+ */
+#ifdef HAVE_KEYCTL_GET_PERSISTENT
+#define KRCC_CRED_KEY_TYPE "big_key"
+#else
+#define KRCC_CRED_KEY_TYPE "user"
+#endif
+
+/*
+ * We use the "user" key type for collection primary names, for cache principal
+ * names, and for credentials in legacy caches.
+ */
+#define KRCC_KEY_TYPE_USER "user"
+
+/*
+ * We create ccaches as separate keyrings
+ */
+#define KRCC_KEY_TYPE_KEYRING "keyring"
+
+/*
+ * Special name of the key within a ccache keyring
+ * holding principal information
+ */
+#define KRCC_SPEC_PRINC_KEYNAME "__krb5_princ__"
+
+/*
+ * Special name for the key to communicate the name(s)
+ * of credentials caches to be used for requests.
+ * This should currently contain a single name, but
+ * in the future may contain a list that may be
+ * intelligently chosen from.
+ */
+#define KRCC_SPEC_CCACHE_SET_KEYNAME "__krb5_cc_set__"
+
+/*
+ * This name identifies the key containing the name of the current primary
+ * cache within a collection.
+ */
+#define KRCC_COLLECTION_PRIMARY "krb_ccache:primary"
+
+/*
+ * If the library context does not specify a keyring collection, unique ccaches
+ * will be created within this collection.
+ */
+#define KRCC_DEFAULT_UNIQUE_COLLECTION "session:__krb5_unique__"
+
+/*
+ * Collection keyring names begin with this prefix. We use a prefix so that a
+ * cache keyring with the collection name itself can be linked directly into
+ * the anchor, for legacy session keyring compatibility.
+ */
+#define KRCC_CCCOL_PREFIX "_krb_"
+
+/*
+ * For the "persistent" anchor type, we look up or create this fixed keyring
+ * name within the per-UID persistent keyring.
+ */
+#define KRCC_PERSISTENT_KEYRING_NAME "_krb"
+
+/*
+ * Name of the key holding time offsets for the individual cache
+ */
+#define KRCC_TIME_OFFSETS "__krb5_time_offsets__"
+
+/*
+ * Keyring name prefix and length of random name part
+ */
+#define KRCC_NAME_PREFIX "krb_ccache_"
+#define KRCC_NAME_RAND_CHARS 8
+
+#define KRCC_COLLECTION_VERSION 1
+
+#define KRCC_PERSISTENT_ANCHOR "persistent"
+#define KRCC_PROCESS_ANCHOR "process"
+#define KRCC_THREAD_ANCHOR "thread"
+#define KRCC_SESSION_ANCHOR "session"
+#define KRCC_USER_ANCHOR "user"
+#define KRCC_LEGACY_ANCHOR "legacy"
+
+#if SIZEOF_KEY_SERIAL_T != 4
+/* lockless implementation assumes 32-bit key serials */
+#error only 32-bit key serial numbers supported by this version of keyring ccache
+#endif
+
+typedef heim_base_atomic(key_serial_t) atomic_key_serial_t;
+
+typedef union _krb5_krcache_and_princ_id {
+ heim_base_atomic(uint64_t) krcu_cache_and_princ_id;
+ struct {
+ atomic_key_serial_t cache_id; /* keyring ID representing ccache */
+ atomic_key_serial_t princ_id; /* key ID holding principal info */
+ } krcu_id;
+ #define krcu_cache_id krcu_id.cache_id
+ #define krcu_princ_id krcu_id.princ_id
+} krb5_krcache_and_princ_id;
+
+/*
+ * This represents a credentials cache "file" where cache_id is the keyring
+ * serial number for this credentials cache "file". Each key in the keyring
+ * contains a separate key.
+ *
+ * Thread-safe as long as caches are not destroyed whilst other threads are
+ * using them.
+ */
+typedef struct _krb5_krcache {
+ char *krc_name; /* Name for this credentials cache */
+ char *krc_collection;
+ char *krc_subsidiary;
+ heim_base_atomic(krb5_timestamp) krc_changetime; /* update time, does not decrease (mutable) */
+ krb5_krcache_and_princ_id krc_id; /* cache and principal IDs (mutable) */
+ #define krc_cache_and_principal_id krc_id.krcu_cache_and_princ_id
+ #define krc_cache_id krc_id.krcu_id.cache_id
+ #define krc_princ_id krc_id.krcu_id.princ_id
+ key_serial_t krc_coll_id; /* collection containing this cache keyring */
+ krb5_boolean krc_is_legacy; /* */
+} krb5_krcache;
+
+#define KRCACHE(X) ((krb5_krcache *)(X)->data.data)
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_first(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_next(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor,
+ krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV
+krcc_end_get(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV
+krcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor);
+
+static krb5_error_code
+clear_cache_keyring(krb5_context context, atomic_key_serial_t *pcache_id);
+
+static krb5_error_code
+alloc_cache(krb5_context context,
+ key_serial_t collection_id,
+ key_serial_t cache_id,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ krb5_krcache **data);
+
+static krb5_error_code
+save_principal(krb5_context context,
+ key_serial_t cache_id,
+ krb5_const_principal princ,
+ atomic_key_serial_t *pprinc_id);
+
+static krb5_error_code
+save_time_offsets(krb5_context context,
+ key_serial_t cache_id,
+ int32_t sec_offset,
+ int32_t usec_offset);
+
+static void
+update_change_time(krb5_context context,
+ krb5_timestamp now,
+ krb5_krcache *d);
+
+/*
+ * GET_PERSISTENT(uid) acquires the persistent keyring for uid, or falls back
+ * to the user keyring if uid matches the current effective uid.
+ */
+
+static key_serial_t
+get_persistent_fallback(uid_t uid)
+{
+ return (uid == geteuid()) ? KEY_SPEC_USER_KEYRING : -1;
+}
+
+#ifdef HAVE_KEYCTL_GET_PERSISTENT
+#define GET_PERSISTENT get_persistent_real
+static key_serial_t
+get_persistent_real(uid_t uid)
+{
+ key_serial_t key;
+
+ key = keyctl_get_persistent(uid, KEY_SPEC_PROCESS_KEYRING);
+
+ return (key == -1 && errno == ENOTSUP) ? get_persistent_fallback(uid) : key;
+}
+#else
+#define GET_PERSISTENT get_persistent_fallback
+#endif
+
+/*
+ * If a process has no explicitly set session keyring, KEY_SPEC_SESSION_KEYRING
+ * will resolve to the user session keyring for ID lookup and reading, but in
+ * some kernel versions, writing to that special keyring will instead create a
+ * new empty session keyring for the process. We do not want that; the keys we
+ * create would be invisible to other processes. We can work around that
+ * behavior by explicitly writing to the user session keyring when it matches
+ * the session keyring. This function returns the keyring we should write to
+ * for the session anchor.
+ */
+static key_serial_t
+session_write_anchor(void)
+{
+ key_serial_t s, u;
+
+ s = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
+ u = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
+
+ return (s == u) ? KEY_SPEC_USER_SESSION_KEYRING : KEY_SPEC_SESSION_KEYRING;
+}
+
+/*
+ * Find or create a keyring within parent with the given name. If possess is
+ * nonzero, also make sure the key is linked from possess. This is necessary
+ * to ensure that we have possession rights on the key when the parent is the
+ * user or persistent keyring.
+ */
+static krb5_error_code
+find_or_create_keyring(key_serial_t parent,
+ key_serial_t possess,
+ const char *name,
+ atomic_key_serial_t *pkey)
+{
+ key_serial_t key;
+
+ key = keyctl_search(parent, KRCC_KEY_TYPE_KEYRING, name, possess);
+ if (key == -1) {
+ if (possess != 0) {
+ key = add_key(KRCC_KEY_TYPE_KEYRING, name, NULL, 0, possess);
+ if (key == -1 || keyctl_link(key, parent) == -1)
+ return errno;
+ } else {
+ key = add_key(KRCC_KEY_TYPE_KEYRING, name, NULL, 0, parent);
+ if (key == -1)
+ return errno;
+ }
+ }
+
+ heim_base_atomic_store(pkey, key);
+
+ return 0;
+}
+
+/*
+ * Parse a residual name into an anchor name, a collection name, and possibly a
+ * subsidiary name.
+ */
+static krb5_error_code
+parse_residual(krb5_context context,
+ const char *residual,
+ char **panchor_name,
+ char **pcollection_name,
+ char **psubsidiary_name)
+{
+ char *anchor_name = NULL;
+ char *collection_name = NULL;
+ char *subsidiary_name = NULL;
+ const char *sep;
+
+ *panchor_name = NULL;
+ *pcollection_name = NULL;
+ *psubsidiary_name = NULL;
+
+ if (residual == NULL)
+ residual = "";
+
+ /* Parse out the anchor name. Use the legacy anchor if not present. */
+ sep = strchr(residual, ':');
+ if (sep == NULL) {
+ anchor_name = strdup(KRCC_LEGACY_ANCHOR);
+ if (anchor_name == NULL)
+ goto nomem;
+ } else {
+ anchor_name = strndup(residual, sep - residual);
+ if (anchor_name == NULL)
+ goto nomem;
+ residual = sep + 1;
+ }
+
+ /* Parse out the collection and subsidiary name. */
+ sep = strchr(residual, ':');
+ if (sep == NULL) {
+ collection_name = strdup(residual);
+ if (collection_name == NULL)
+ goto nomem;
+ } else {
+ collection_name = strndup(residual, sep - residual);
+ if (collection_name == NULL)
+ goto nomem;
+
+ subsidiary_name = strdup(sep + 1);
+ if (subsidiary_name == NULL)
+ goto nomem;
+ }
+
+ *panchor_name = anchor_name;
+ *pcollection_name = collection_name;
+ *psubsidiary_name = subsidiary_name;
+
+ return 0;
+
+nomem:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+
+ return krb5_enomem(context);
+}
+
+/*
+ * Return TRUE if residual identifies a subsidiary cache which should be linked
+ * into the anchor so it can be visible to old code. This is the case if the
+ * residual has the legacy anchor and the subsidiary name matches the
+ * collection name.
+ */
+static krb5_boolean
+is_legacy_cache_name_p(const char *residual)
+{
+ const char *sep, *aname, *cname, *sname;
+ size_t alen, clen, legacy_len = sizeof(KRCC_LEGACY_ANCHOR) - 1;
+
+ /* Get pointers to the anchor, collection, and subsidiary names. */
+ aname = residual;
+ sep = strchr(residual, ':');
+ if (sep == NULL)
+ return FALSE;
+
+ alen = sep - aname;
+ cname = sep + 1;
+ sep = strchr(cname, ':');
+ if (sep == NULL)
+ return FALSE;
+
+ clen = sep - cname;
+ sname = sep + 1;
+
+ return alen == legacy_len && clen == strlen(sname) &&
+ strncmp(aname, KRCC_LEGACY_ANCHOR, alen) == 0 &&
+ strncmp(cname, sname, clen) == 0;
+}
+
+/*
+ * If the default cache name for context is a KEYRING cache, parse its residual
+ * string. Otherwise set all outputs to NULL.
+ */
+static krb5_error_code
+get_default(krb5_context context,
+ char **panchor_name,
+ char **pcollection_name,
+ char **psubsidiary_name)
+{
+ const char *defname;
+
+ *panchor_name = *pcollection_name = *psubsidiary_name = NULL;
+
+ defname = krb5_cc_default_name(context);
+ if (defname == NULL || strncmp(defname, "KEYRING:", 8) != 0)
+ return 0;
+
+ return parse_residual(context, defname + 8,
+ panchor_name, pcollection_name, psubsidiary_name);
+}
+
+/* Create a residual identifying a subsidiary cache. */
+static krb5_error_code
+make_subsidiary_residual(krb5_context context,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ char **presidual)
+{
+ if (asprintf(presidual, "%s:%s:%s", anchor_name, collection_name,
+ subsidiary_name ? subsidiary_name : "tkt") < 0) {
+ *presidual = NULL;
+ return krb5_enomem(context);
+ }
+
+ return 0;
+}
+
+/*
+ * Retrieve or create a keyring for collection_name within the anchor, and set
+ * *collection_id to its serial number.
+ */
+static krb5_error_code
+get_collection(krb5_context context,
+ const char *anchor_name,
+ const char *collection_name,
+ atomic_key_serial_t *pcollection_id)
+{
+ krb5_error_code ret;
+ key_serial_t persistent_id, anchor_id, possess_id = 0;
+ char *ckname, *cnend;
+ uid_t uidnum;
+
+ heim_base_atomic_init(pcollection_id, 0);
+
+ if (!anchor_name || !collection_name)
+ return KRB5_KCC_INVALID_ANCHOR;
+
+ if (strcmp(anchor_name, KRCC_PERSISTENT_ANCHOR) == 0) {
+ /*
+ * The collection name is a uid (or empty for the current effective
+ * uid), and we look up a fixed keyring name within the persistent
+ * keyring for that uid. We link it to the process keyring to ensure
+ * that we have possession rights on the collection key.
+ */
+ if (*collection_name != '\0') {
+ errno = 0;
+ uidnum = (uid_t)strtol(collection_name, &cnend, 10);
+ if (errno || *cnend != '\0')
+ return KRB5_KCC_INVALID_UID;
+ } else {
+ uidnum = geteuid();
+ }
+
+ persistent_id = GET_PERSISTENT(uidnum);
+ if (persistent_id == -1)
+ return KRB5_KCC_INVALID_UID;
+
+ return find_or_create_keyring(persistent_id, KEY_SPEC_PROCESS_KEYRING,
+ KRCC_PERSISTENT_KEYRING_NAME,
+ pcollection_id);
+ }
+
+ if (strcmp(anchor_name, KRCC_PROCESS_ANCHOR) == 0) {
+ anchor_id = KEY_SPEC_PROCESS_KEYRING;
+ } else if (strcmp(anchor_name, KRCC_THREAD_ANCHOR) == 0) {
+ anchor_id = KEY_SPEC_THREAD_KEYRING;
+ } else if (strcmp(anchor_name, KRCC_SESSION_ANCHOR) == 0) {
+ anchor_id = session_write_anchor();
+ } else if (strcmp(anchor_name, KRCC_USER_ANCHOR) == 0) {
+ /*
+ * The user keyring does not confer possession, so we need to link the
+ * collection to the process keyring to maintain possession rights.
+ */
+ anchor_id = KEY_SPEC_USER_KEYRING;
+ possess_id = KEY_SPEC_PROCESS_KEYRING;
+ } else if (strcmp(anchor_name, KRCC_LEGACY_ANCHOR) == 0) {
+ anchor_id = session_write_anchor();
+ } else {
+ return KRB5_KCC_INVALID_ANCHOR;
+ }
+
+ /* Look up the collection keyring name within the anchor keyring. */
+ if (asprintf(&ckname, "%s%s", KRCC_CCCOL_PREFIX, collection_name) == -1)
+ return krb5_enomem(context);
+
+ ret = find_or_create_keyring(anchor_id, possess_id, ckname,
+ pcollection_id);
+ free(ckname);
+
+ return ret;
+}
+
+/* Store subsidiary_name into the primary index key for collection_id. */
+static krb5_error_code
+set_primary_name(krb5_context context,
+ key_serial_t collection_id,
+ const char *subsidiary_name)
+{
+ krb5_error_code ret;
+ krb5_storage *sp;
+ krb5_data payload;
+ key_serial_t key;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_store_int32(sp, KRCC_COLLECTION_VERSION);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_store_string(sp, subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret)
+ goto cleanup;
+
+ key = add_key(KRCC_KEY_TYPE_USER, KRCC_COLLECTION_PRIMARY,
+ payload.data, payload.length, collection_id);
+ ret = (key == -1) ? errno : 0;
+ krb5_data_free(&payload);
+
+cleanup:
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+static krb5_error_code
+parse_index(krb5_context context,
+ int32_t *version,
+ char **primary,
+ const unsigned char *payload,
+ size_t psize)
+{
+ krb5_error_code ret;
+ krb5_data payload_data;
+ krb5_storage *sp;
+
+ payload_data.length = psize;
+ payload_data.data = rk_UNCONST(payload);
+
+ sp = krb5_storage_from_data(&payload_data);
+ if (sp == NULL)
+ return KRB5_CC_NOMEM;
+
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_ret_int32(sp, version);
+ if (ret == 0)
+ ret = krb5_ret_string(sp, primary);
+
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+/*
+ * Get or initialize the primary name within collection_id and set
+ * *subsidiary to its value. If initializing a legacy collection, look
+ * for a legacy cache and add it to the collection.
+ */
+static krb5_error_code
+get_primary_name(krb5_context context,
+ const char *anchor_name,
+ const char *collection_name,
+ key_serial_t collection_id,
+ char **psubsidiary)
+{
+ krb5_error_code ret;
+ key_serial_t primary_id, legacy;
+ void *payload = NULL;
+ int payloadlen;
+ int32_t version;
+ char *subsidiary_name = NULL;
+
+ *psubsidiary = NULL;
+
+ primary_id = keyctl_search(collection_id, KRCC_KEY_TYPE_USER,
+ KRCC_COLLECTION_PRIMARY, 0);
+ if (primary_id == -1) {
+ /*
+ * Initialize the primary key using the collection name. We can't name
+ * a key with the empty string, so map that to an arbitrary string.
+ */
+ subsidiary_name = strdup((*collection_name == '\0') ? "tkt" :
+ collection_name);
+ if (subsidiary_name == NULL) {
+ ret = krb5_enomem(context);
+ goto cleanup;
+ }
+
+ ret = set_primary_name(context, collection_id, subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+ if (strcmp(anchor_name, KRCC_LEGACY_ANCHOR) == 0) {
+ /*
+ * Look for a cache created by old code. If we find one, add it to
+ * the collection.
+ */
+ legacy = keyctl_search(KEY_SPEC_SESSION_KEYRING,
+ KRCC_KEY_TYPE_KEYRING, subsidiary_name, 0);
+ if (legacy != -1 && keyctl_link(legacy, collection_id) == -1) {
+ ret = errno;
+ goto cleanup;
+ }
+ }
+ } else {
+ /* Read, parse, and free the primary key's payload. */
+ payloadlen = keyctl_read_alloc(primary_id, &payload);
+ if (payloadlen == -1) {
+ ret = errno;
+ goto cleanup;
+ }
+ ret = parse_index(context, &version, &subsidiary_name, payload,
+ payloadlen);
+ if (ret)
+ goto cleanup;
+
+ if (version != KRCC_COLLECTION_VERSION) {
+ ret = KRB5_KCC_UNKNOWN_VERSION;
+ goto cleanup;
+ }
+ }
+
+ *psubsidiary = subsidiary_name;
+ subsidiary_name = NULL;
+
+cleanup:
+ free(payload);
+ free(subsidiary_name);
+
+ return ret;
+}
+
+/*
+ * Note: MIT keyring code uses krb5int_random_string() as if the second argument
+ * is a character count rather than a size. The function below takes a character
+ * count to match the usage in this file correctly.
+ */
+static krb5_error_code
+generate_random_string(krb5_context context, char *s, size_t slen)
+{
+ static char chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+ char *p;
+ size_t i;
+
+ p = malloc(slen);
+ if (p == NULL)
+ return krb5_enomem(context);
+
+ krb5_generate_random_block(p, slen);
+
+ for (i = 0; i < slen; i++)
+ s[i] = chars[p[i] % (sizeof(chars) - 1)];
+
+ s[i] = '\0';
+ free(p);
+
+ return 0;
+}
+
+/*
+ * Create a keyring with a unique random name within collection_id. Set
+ * *subsidiary to its name and *cache_id to its key serial number.
+ */
+static krb5_error_code
+add_unique_keyring(krb5_context context,
+ key_serial_t collection_id,
+ char **psubsidiary,
+ key_serial_t *pcache_id)
+{
+ key_serial_t key;
+ krb5_error_code ret;
+ char uniquename[sizeof(KRCC_NAME_PREFIX) + KRCC_NAME_RAND_CHARS];
+ int prefixlen = sizeof(KRCC_NAME_PREFIX) - 1;
+ int tries;
+
+ *psubsidiary = NULL;
+ *pcache_id = 0;
+
+ memcpy(uniquename, KRCC_NAME_PREFIX, sizeof(KRCC_NAME_PREFIX));
+
+ for (key = -1, tries = 0; tries < 5; tries++) {
+ ret = generate_random_string(context, uniquename + prefixlen,
+ KRCC_NAME_RAND_CHARS);
+ if (ret)
+ return ret;
+
+ key = keyctl_search(collection_id, KRCC_KEY_TYPE_KEYRING, uniquename, 0);
+ if (key == -1) {
+ /* Name does not already exist. Create it to reserve the name. */
+ key = add_key(KRCC_KEY_TYPE_KEYRING, uniquename, NULL, 0, collection_id);
+ if (key == -1)
+ return errno;
+ break;
+ }
+ }
+
+ *psubsidiary = strdup(uniquename);
+ if (*psubsidiary == NULL)
+ return krb5_enomem(context);
+
+ *pcache_id = key;
+
+ return 0;
+}
+
+static krb5_error_code
+add_cred_key(const char *name,
+ const void *payload,
+ size_t plen,
+ key_serial_t cache_id,
+ krb5_boolean legacy_type,
+ key_serial_t *pkey)
+{
+ key_serial_t key;
+
+ *pkey = -1;
+
+ if (!legacy_type) {
+ /* Try the preferred cred key type; fall back if no kernel support. */
+ key = add_key(KRCC_CRED_KEY_TYPE, name, payload, plen, cache_id);
+ if (key != -1) {
+ *pkey = key;
+ return 0;
+ } else if (errno != EINVAL && errno != ENODEV)
+ return errno;
+ }
+
+ /* Use the user key type. */
+ key = add_key(KRCC_KEY_TYPE_USER, name, payload, plen, cache_id);
+ if (key == -1)
+ return errno;
+
+ *pkey = key;
+
+ return 0;
+}
+
+static void
+update_keyring_expiration(krb5_context context,
+ krb5_ccache id,
+ key_serial_t cache_id,
+ krb5_timestamp now)
+{
+ krb5_cc_cursor cursor;
+ krb5_creds creds;
+ krb5_timestamp endtime = 0;
+ unsigned int timeout;
+
+ /*
+ * We have no way to know what is the actual timeout set on the keyring.
+ * We also cannot keep track of it in a local variable as another process
+ * can always modify the keyring independently, so just always enumerate
+ * all start TGT keys and find out the highest endtime time.
+ */
+ if (krcc_get_first(context, id, &cursor) != 0)
+ return;
+
+ for (;;) {
+ if (krcc_get_next(context, id, &cursor, &creds) != 0)
+ break;
+ if (creds.times.endtime > endtime)
+ endtime = creds.times.endtime;
+ krb5_free_cred_contents(context, &creds);
+ }
+ (void) krcc_end_get(context, id, &cursor);
+
+ if (endtime == 0) /* No creds with end times */
+ return;
+
+ /*
+ * Setting the timeout to zero would reset the timeout, so we set it to one
+ * second instead if creds are already expired.
+ */
+ timeout = endtime > now ? endtime - now : 1;
+ (void) keyctl_set_timeout(cache_id, timeout);
+}
+
+/*
+ * Create or overwrite the cache keyring, and set the default principal.
+ */
+static krb5_error_code
+initialize_internal(krb5_context context,
+ krb5_ccache id,
+ krb5_const_principal princ)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+ const char *cache_name, *p;
+ krb5_krcache_and_princ_id ids;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ memset(&ids, 0, sizeof(ids));
+ ids.krcu_cache_and_princ_id = heim_base_atomic_load(&data->krc_cache_and_principal_id);
+
+ ret = clear_cache_keyring(context, &ids.krcu_cache_id);
+ if (ret)
+ return ret;
+
+ if (ids.krcu_cache_id == 0) {
+ /*
+ * The key didn't exist at resolve time, or was destroyed after resolving.
+ * Check again and create the key if it still isn't there.
+ */
+ p = strrchr(data->krc_name, ':');
+ cache_name = (p != NULL) ? p + 1 : data->krc_name;
+ ret = find_or_create_keyring(data->krc_coll_id, 0, cache_name, &ids.krcu_cache_id);
+ if (ret)
+ return ret;
+ }
+
+ /*
+ * If this is the legacy cache in a legacy session collection, link it
+ * directly to the session keyring so that old code can see it.
+ */
+ if (is_legacy_cache_name_p(data->krc_name))
+ (void) keyctl_link(ids.krcu_cache_id, session_write_anchor());
+
+ if (princ != NULL) {
+ ret = save_principal(context, ids.krcu_cache_id, princ, &ids.krcu_princ_id);
+ if (ret)
+ return ret;
+ } else
+ ids.krcu_princ_id = 0;
+
+ /*
+ * Save time offset if it is valid and this is not a legacy cache. Legacy
+ * applications would fail to parse the new key in the cache keyring.
+ */
+ if (context->kdc_sec_offset && !is_legacy_cache_name_p(data->krc_name)) {
+ ret = save_time_offsets(context,
+ ids.krcu_cache_id,
+ context->kdc_sec_offset,
+ context->kdc_usec_offset);
+ if (ret)
+ return ret;
+ }
+
+ /* update cache and principal IDs atomically */
+ heim_base_atomic_store(&data->krc_cache_and_principal_id, ids.krcu_cache_and_princ_id);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ if (princ == NULL)
+ return KRB5_CC_BADNAME;
+
+ ret = initialize_internal(context, id, princ);
+ if (ret == 0)
+ update_change_time(context, 0, data);
+
+ return ret;
+}
+
+/* Release the ccache handle. */
+static krb5_error_code KRB5_CALLCONV
+krcc_close(krb5_context context, krb5_ccache id)
+{
+ krb5_krcache *data = KRCACHE(id);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ free(data->krc_subsidiary);
+ free(data->krc_collection);
+ free(data->krc_name);
+ krb5_data_free(&id->data);
+
+ return 0;
+}
+
+/*
+ * Clear out a ccache keyring, unlinking all keys within it.
+ */
+static krb5_error_code
+clear_cache_keyring(krb5_context context,
+ atomic_key_serial_t *pcache_id)
+{
+ int res;
+ key_serial_t cache_id = heim_base_atomic_load(pcache_id);
+
+ _krb5_debug(context, 10, "clear_cache_keyring: cache_id %d\n", cache_id);
+
+ if (cache_id != 0) {
+ res = keyctl_clear(cache_id);
+ if (res == -1 && (errno == EACCES || errno == ENOKEY)) {
+ /*
+ * Possibly the keyring was destroyed between krcc_resolve() and now;
+ * if we really don't have permission, we will fail later.
+ */
+ res = 0;
+ heim_base_atomic_store(pcache_id, 0);
+ }
+ if (res == -1)
+ return errno;
+ }
+
+ return 0;
+}
+
+/* Destroy the cache keyring */
+static krb5_error_code KRB5_CALLCONV
+krcc_destroy(krb5_context context, krb5_ccache id)
+{
+ krb5_error_code ret = 0;
+ krb5_krcache *data = KRCACHE(id);
+ int res;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ /* no atomics, destroy is not thread-safe */
+ (void) clear_cache_keyring(context, &data->krc_cache_id);
+
+ if (data->krc_cache_id != 0) {
+ res = keyctl_unlink(data->krc_cache_id, data->krc_coll_id);
+ if (res < 0) {
+ ret = errno;
+ _krb5_debug(context, 10, "unlinking key %d from ring %d: %s",
+ data->krc_cache_id, data->krc_coll_id, error_message(errno));
+ }
+ /* If this is a legacy cache, unlink it from the session anchor. */
+ if (is_legacy_cache_name_p(data->krc_name))
+ (void) keyctl_unlink(data->krc_cache_id, session_write_anchor());
+ }
+
+ heim_base_atomic_store(&data->krc_princ_id, 0);
+
+ /* krcc_close is called by libkrb5, do not double-free */
+ return ret;
+}
+
+/* Create a cache handle for a cache ID. */
+static krb5_error_code
+make_cache(krb5_context context,
+ key_serial_t collection_id,
+ key_serial_t cache_id,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ krb5_ccache *cache)
+{
+ krb5_error_code ret;
+ krb5_krcache *data;
+ key_serial_t princ_id = 0;
+
+ /* Determine the key containing principal information, if present. */
+ princ_id = keyctl_search(cache_id, KRCC_KEY_TYPE_USER, KRCC_SPEC_PRINC_KEYNAME, 0);
+ if (princ_id == -1)
+ princ_id = 0;
+
+ ret = alloc_cache(context, collection_id, cache_id,
+ anchor_name, collection_name, subsidiary_name, &data);
+ if (ret)
+ return ret;
+
+ if (*cache == NULL) {
+ ret = _krb5_cc_allocate(context, &krb5_krcc_ops, cache);
+ if (ret) {
+ free(data->krc_name);
+ free(data);
+ return ret;
+ }
+ }
+
+ data->krc_princ_id = princ_id;
+
+ (*cache)->data.data = data;
+ (*cache)->data.length = sizeof(*data);
+
+ return 0;
+}
+
+/* Create a keyring ccache handle for the given residual string. */
+static krb5_error_code KRB5_CALLCONV
+krcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *residual,
+ const char *sub)
+{
+ krb5_error_code ret;
+ atomic_key_serial_t collection_id;
+ key_serial_t cache_id;
+ char *anchor_name = NULL, *collection_name = NULL, *subsidiary_name = NULL;
+
+ ret = parse_residual(context, residual, &anchor_name, &collection_name,
+ &subsidiary_name);
+ if (ret)
+ goto cleanup;
+ if (sub) {
+ free(subsidiary_name);
+ if ((subsidiary_name = strdup(sub)) == NULL) {
+ ret = krb5_enomem(context);
+ goto cleanup;
+ }
+ }
+
+ ret = get_collection(context, anchor_name, collection_name, &collection_id);
+ if (ret)
+ goto cleanup;
+
+ if (subsidiary_name == NULL) {
+ /* Retrieve or initialize the primary name for the collection. */
+ ret = get_primary_name(context, anchor_name, collection_name,
+ collection_id, &subsidiary_name);
+ if (ret)
+ goto cleanup;
+ }
+
+ /* Look up the cache keyring ID, if the cache is already initialized. */
+ cache_id = keyctl_search(collection_id, KRCC_KEY_TYPE_KEYRING,
+ subsidiary_name, 0);
+ if (cache_id < 0)
+ cache_id = 0;
+
+ ret = make_cache(context, collection_id, cache_id, anchor_name,
+ collection_name, subsidiary_name, id);
+ if (ret)
+ goto cleanup;
+
+cleanup:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+
+ return ret;
+}
+
+struct krcc_cursor {
+ size_t numkeys;
+ size_t currkey;
+ key_serial_t princ_id;
+ key_serial_t offsets_id;
+ key_serial_t *keys;
+};
+
+/* Prepare for a sequential iteration over the cache keyring. */
+static krb5_error_code
+krcc_get_first(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor)
+{
+ struct krcc_cursor *krcursor;
+ krb5_krcache *data = KRCACHE(id);
+ key_serial_t cache_id;
+ void *keys;
+ long size;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+ if (cache_id == 0)
+ return KRB5_FCC_NOFILE;
+
+ size = keyctl_read_alloc(cache_id, &keys);
+ if (size == -1) {
+ _krb5_debug(context, 10, "Error getting from keyring: %s\n",
+ strerror(errno));
+ return KRB5_CC_IO;
+ }
+
+ krcursor = calloc(1, sizeof(*krcursor));
+ if (krcursor == NULL) {
+ free(keys);
+ return KRB5_CC_NOMEM;
+ }
+
+ krcursor->princ_id = heim_base_atomic_load(&data->krc_princ_id);
+ krcursor->offsets_id = keyctl_search(cache_id, KRCC_KEY_TYPE_USER,
+ KRCC_TIME_OFFSETS, 0);
+ krcursor->numkeys = size / sizeof(key_serial_t);
+ krcursor->keys = keys;
+
+ *cursor = krcursor;
+
+ return 0;
+}
+
+static krb5_error_code
+keyctl_read_krb5_data(key_serial_t keyid, krb5_data *payload)
+{
+ krb5_data_zero(payload);
+
+ payload->length = keyctl_read_alloc(keyid, &payload->data);
+
+ return (payload->length == -1) ? KRB5_FCC_NOFILE : 0;
+}
+
+/* Get the next credential from the cache keyring. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_next(krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor,
+ krb5_creds *creds)
+{
+ struct krcc_cursor *krcursor;
+ krb5_error_code ret;
+ krb5_data payload;
+ krb5_storage *sp;
+
+ memset(creds, 0, sizeof(krb5_creds));
+
+ krcursor = *cursor;
+ if (krcursor == NULL)
+ return KRB5_CC_END;
+
+ if (krcursor->currkey >= krcursor->numkeys)
+ return KRB5_CC_END;
+
+ /*
+ * If we're pointing at the entry with the principal, or at the key
+ * with the time offsets, skip it.
+ */
+ while (krcursor->keys[krcursor->currkey] == krcursor->princ_id ||
+ krcursor->keys[krcursor->currkey] == krcursor->offsets_id) {
+ krcursor->currkey++;
+ if (krcursor->currkey >= krcursor->numkeys)
+ return KRB5_CC_END;
+ }
+
+ ret = keyctl_read_krb5_data(krcursor->keys[krcursor->currkey], &payload);
+ if (ret) {
+ _krb5_debug(context, 10, "Error reading key %d: %s\n",
+ krcursor->keys[krcursor->currkey],
+ strerror(errno));
+ return ret;
+ }
+ krcursor->currkey++;
+
+ sp = krb5_storage_from_data(&payload);
+ if (sp == NULL) {
+ ret = KRB5_CC_IO;
+ } else {
+ ret = krb5_ret_creds(sp, creds);
+ krb5_storage_free(sp);
+ }
+
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+/* Release an iteration cursor. */
+static krb5_error_code KRB5_CALLCONV
+krcc_end_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+{
+ struct krcc_cursor *krcursor = *cursor;
+
+ if (krcursor != NULL) {
+ free(krcursor->keys);
+ free(krcursor);
+ }
+
+ *cursor = NULL;
+
+ return 0;
+}
+
+/* Create keyring data for a credential cache. */
+static krb5_error_code
+alloc_cache(krb5_context context,
+ key_serial_t collection_id,
+ key_serial_t cache_id,
+ const char *anchor_name,
+ const char *collection_name,
+ const char *subsidiary_name,
+ krb5_krcache **pdata)
+{
+ krb5_error_code ret;
+ krb5_krcache *data;
+
+ *pdata = NULL;
+
+ data = calloc(1, sizeof(*data));
+ if (data == NULL)
+ return KRB5_CC_NOMEM;
+
+ ret = make_subsidiary_residual(context, anchor_name, collection_name,
+ subsidiary_name, &data->krc_name);
+ if (ret ||
+ (data->krc_collection = strdup(collection_name)) == NULL ||
+ (data->krc_subsidiary = strdup(subsidiary_name ? subsidiary_name : "tkt")) == NULL) {
+ if (data) {
+ free(data->krc_collection);
+ free(data->krc_name);
+ }
+ free(data);
+ if (ret == 0)
+ ret = krb5_enomem(context);
+ return ret;
+ }
+
+ heim_base_atomic_init(&data->krc_princ_id, 0);
+ heim_base_atomic_init(&data->krc_cache_id, cache_id);
+ data->krc_coll_id = collection_id;
+ data->krc_changetime = 0;
+ data->krc_is_legacy = (strcmp(anchor_name, KRCC_LEGACY_ANCHOR) == 0);
+
+ update_change_time(context, 0, data);
+
+ *pdata = data;
+
+ return 0;
+}
+
+/* Create a new keyring cache with a unique name. */
+static krb5_error_code KRB5_CALLCONV
+krcc_gen_new(krb5_context context, krb5_ccache *id)
+{
+ krb5_error_code ret;
+ char *anchor_name, *collection_name, *subsidiary_name;
+ char *new_subsidiary_name = NULL, *new_residual = NULL;
+ krb5_krcache *data;
+ atomic_key_serial_t collection_id;
+ key_serial_t cache_id = 0;
+
+ /* Determine the collection in which we will create the cache.*/
+ ret = get_default(context, &anchor_name, &collection_name,
+ &subsidiary_name);
+ if (ret)
+ return ret;
+
+ if (anchor_name == NULL) {
+ ret = parse_residual(context, KRCC_DEFAULT_UNIQUE_COLLECTION, &anchor_name,
+ &collection_name, &subsidiary_name);
+ if (ret)
+ return ret;
+ }
+ if (subsidiary_name != NULL) {
+ krb5_set_error_message(context, KRB5_DCC_CANNOT_CREATE,
+ N_("Can't create new subsidiary cache because default cache "
+ "is already a subsidiary", ""));
+ ret = KRB5_DCC_CANNOT_CREATE;
+ goto cleanup;
+ }
+
+ /* Make a unique keyring within the chosen collection. */
+ ret = get_collection(context, anchor_name, collection_name, &collection_id);
+ if (ret)
+ goto cleanup;
+
+ ret = add_unique_keyring(context, collection_id, &new_subsidiary_name, &cache_id);
+ if (ret)
+ goto cleanup;
+
+ ret = alloc_cache(context, collection_id, cache_id,
+ anchor_name, collection_name, new_subsidiary_name,
+ &data);
+ if (ret)
+ goto cleanup;
+
+ (*id)->data.data = data;
+ (*id)->data.length = sizeof(*data);
+
+cleanup:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+ free(new_subsidiary_name);
+ free(new_residual);
+
+ return ret;
+}
+
+/* Return an alias to the residual string of the cache. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **collection_name,
+ const char **subsidiary_name)
+{
+ krb5_krcache *data = KRCACHE(id);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ if (name)
+ *name = data->krc_name;
+ if (collection_name)
+ *collection_name = data->krc_collection;
+ if (subsidiary_name)
+ *subsidiary_name = data->krc_subsidiary;
+ return 0;
+}
+
+/* Retrieve a copy of the default principal, if the cache is initialized. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_principal(krb5_context context,
+ krb5_ccache id,
+ krb5_principal *princ)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ krb5_data payload;
+ krb5_krcache_and_princ_id ids;
+
+ krb5_data_zero(&payload);
+ *princ = NULL;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ memset(&ids, 0, sizeof(ids));
+ ids.krcu_cache_and_princ_id = heim_base_atomic_load(&data->krc_cache_and_principal_id);
+ if (ids.krcu_cache_id == 0 || ids.krcu_princ_id == 0) {
+ ret = KRB5_FCC_NOFILE;
+ krb5_set_error_message(context, ret,
+ N_("Credentials cache keyring '%s' not found", ""),
+ data->krc_name);
+ goto cleanup;
+ }
+
+ ret = keyctl_read_krb5_data(ids.krcu_princ_id, &payload);
+ if (ret) {
+ _krb5_debug(context, 10, "Reading principal key %d: %s\n",
+ ids.krcu_princ_id, strerror(errno));
+ goto cleanup;
+ }
+
+ sp = krb5_storage_from_data(&payload);
+ if (sp == NULL) {
+ ret = KRB5_CC_IO;
+ goto cleanup;
+ }
+
+ ret = krb5_ret_principal(sp, princ);
+ if (ret)
+ goto cleanup;
+
+cleanup:
+ krb5_storage_free(sp);
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+/* Remove a cred from the cache keyring */
+static krb5_error_code KRB5_CALLCONV
+krcc_remove_cred(krb5_context context, krb5_ccache id,
+ krb5_flags which, krb5_creds *mcred)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret, ret2;
+ krb5_cc_cursor cursor;
+ krb5_creds found_cred;
+ krb5_krcache_and_princ_id ids;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ ret = krcc_get_first(context, id, &cursor);
+ if (ret)
+ return ret;
+
+ memset(&ids, 0, sizeof(ids));
+ ids.krcu_cache_and_princ_id = heim_base_atomic_load(&data->krc_cache_and_principal_id);
+
+ while ((ret = krcc_get_next(context, id, &cursor, &found_cred)) == 0) {
+ struct krcc_cursor *krcursor = cursor;
+
+ if (!krb5_compare_creds(context, which, mcred, &found_cred)) {
+ krb5_free_cred_contents(context, &found_cred);
+ continue;
+ }
+
+ _krb5_debug(context, 10, "Removing cred %d from cache_id %d, princ_id %d\n",
+ krcursor->keys[krcursor->currkey - 1],
+ ids.krcu_cache_id, ids.krcu_princ_id);
+
+ keyctl_invalidate(krcursor->keys[krcursor->currkey - 1]);
+ krcursor->keys[krcursor->currkey - 1] = 0;
+ krb5_free_cred_contents(context, &found_cred);
+ }
+
+ ret2 = krcc_end_get(context, id, &cursor);
+ if (ret == KRB5_CC_END)
+ ret = ret2;
+
+ return ret;
+}
+
+/* Set flags on the cache. (We don't care about any flags.) */
+static krb5_error_code KRB5_CALLCONV
+krcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags)
+{
+ return 0;
+}
+
+static int KRB5_CALLCONV
+krcc_get_version(krb5_context context, krb5_ccache id)
+{
+ return 0;
+}
+
+/* Store a credential in the cache keyring. */
+static krb5_error_code KRB5_CALLCONV
+krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
+{
+ krb5_error_code ret;
+ krb5_krcache *data = KRCACHE(id);
+ krb5_storage *sp = NULL;
+ char *keyname = NULL;
+ key_serial_t cred_key, cache_id;
+ krb5_timestamp now;
+ krb5_data payload;
+
+ krb5_data_zero(&payload);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+ if (cache_id == 0)
+ return KRB5_FCC_NOFILE;
+
+ ret = krb5_unparse_name(context, creds->server, &keyname);
+ if (ret)
+ goto cleanup;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ ret = KRB5_CC_NOMEM;
+ goto cleanup;
+ }
+
+ ret = krb5_store_creds(sp, creds);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret)
+ goto cleanup;
+
+ _krb5_debug(context, 10, "krcc_store: adding new key '%s' to keyring %d\n",
+ keyname, cache_id);
+ ret = add_cred_key(keyname, payload.data, payload.length, cache_id,
+ data->krc_is_legacy, &cred_key);
+ if (ret)
+ goto cleanup;
+
+ ret = krb5_timeofday(context, &now);
+ if (ret)
+ goto cleanup;
+
+ update_change_time(context, now, data);
+
+ /* Set timeout on credential key */
+ if (creds->times.endtime > now)
+ (void) keyctl_set_timeout(cred_key, creds->times.endtime - now);
+
+ /* Set timeout on credential cache keyring */
+ update_keyring_expiration(context, id, cache_id, now);
+
+cleanup:
+ krb5_data_free(&payload);
+ krb5_storage_free(sp);
+ krb5_xfree(keyname);
+
+ return ret;
+}
+
+/*
+ * Get the cache's last modification time. (This is currently broken; it
+ * returns only the last change made using this handle.)
+ */
+static krb5_error_code KRB5_CALLCONV
+krcc_lastchange(krb5_context context,
+ krb5_ccache id,
+ krb5_timestamp *change_time)
+{
+ krb5_krcache *data = KRCACHE(id);
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ *change_time = heim_base_atomic_load(&data->krc_changetime);
+
+ return 0;
+}
+
+static krb5_error_code
+save_principal(krb5_context context,
+ key_serial_t cache_id,
+ krb5_const_principal princ,
+ atomic_key_serial_t *pprinc_id)
+{
+ krb5_error_code ret;
+ krb5_storage *sp;
+ key_serial_t newkey;
+ krb5_data payload;
+
+ krb5_data_zero(&payload);
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+
+ ret = krb5_store_principal(sp, princ);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ krb5_storage_free(sp);
+ {
+ krb5_error_code tmp;
+ char *princname = NULL;
+
+ tmp = krb5_unparse_name(context, princ, &princname);
+ _krb5_debug(context, 10, "save_principal: adding new key '%s' "
+ "to keyring %d for principal '%s'\n",
+ KRCC_SPEC_PRINC_KEYNAME, cache_id,
+ tmp ? "<unknown>" : princname);
+ if (tmp == 0)
+ krb5_xfree(princname);
+ }
+
+ /* Add new key into keyring */
+ newkey = add_key(KRCC_KEY_TYPE_USER, KRCC_SPEC_PRINC_KEYNAME,
+ payload.data, payload.length, cache_id);
+ if (newkey == -1) {
+ ret = errno;
+ _krb5_debug(context, 10, "Error adding principal key: %s\n", strerror(ret));
+ } else {
+ ret = 0;
+ heim_base_atomic_store(pprinc_id, newkey);
+ }
+
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+/* Add a key to the cache keyring containing the given time offsets. */
+static krb5_error_code
+save_time_offsets(krb5_context context,
+ key_serial_t cache_id,
+ int32_t sec_offset,
+ int32_t usec_offset)
+{
+ krb5_error_code ret;
+ key_serial_t newkey;
+ krb5_storage *sp;
+ krb5_data payload;
+
+ krb5_data_zero(&payload);
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ krb5_set_error_message(context, KRB5_CC_NOMEM, N_("malloc: out of memory", ""));
+ return KRB5_CC_NOMEM;
+ }
+
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_store_int32(sp, sec_offset);
+ if (ret == 0)
+ ret = krb5_store_int32(sp, usec_offset);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ ret = krb5_storage_to_data(sp, &payload);
+ if (ret) {
+ krb5_storage_free(sp);
+ return ret;
+ }
+
+ krb5_storage_free(sp);
+
+ newkey = add_key(KRCC_KEY_TYPE_USER, KRCC_TIME_OFFSETS, payload.data,
+ payload.length, cache_id);
+ ret = newkey == -1 ? errno : 0;
+
+ krb5_data_free(&payload);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
+{
+ krb5_krcache *data = KRCACHE(id);
+ key_serial_t cache_id;
+ krb5_error_code ret;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+
+ ret = save_time_offsets(context, cache_id, (int32_t)offset, 0);
+ if (ret == 0)
+ update_change_time(context, 0, data);
+
+ return ret;
+}
+
+/* Retrieve and parse the key in the cache keyring containing time offsets. */
+static krb5_error_code KRB5_CALLCONV
+krcc_get_kdc_offset(krb5_context context,
+ krb5_ccache id,
+ krb5_deltat *offset)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret = 0;
+ key_serial_t key, cache_id;
+ krb5_storage *sp = NULL;
+ krb5_data payload;
+ int32_t sec_offset = 0;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ krb5_data_zero(&payload);
+
+ cache_id = heim_base_atomic_load(&data->krc_cache_id);
+ if (cache_id == 0) {
+ ret = KRB5_FCC_NOFILE;
+ goto cleanup;
+ }
+
+ key = keyctl_search(cache_id, KRCC_KEY_TYPE_USER, KRCC_TIME_OFFSETS, 0);
+ if (key == -1) {
+ ret = ENOENT;
+ goto cleanup;
+ }
+
+ ret = keyctl_read_krb5_data(key, &payload);
+ if (ret) {
+ _krb5_debug(context, 10, "Reading time offsets key %d: %s\n",
+ key, strerror(errno));
+ goto cleanup;
+ }
+
+ sp = krb5_storage_from_data(&payload);
+ if (sp == NULL) {
+ ret = krb5_enomem(context);;
+ goto cleanup;
+ }
+
+ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
+
+ ret = krb5_ret_int32(sp, &sec_offset);
+ /*
+ * We can't output nor use the usec_offset here, so we don't bother to read
+ * it, though we do write it.
+ */
+
+cleanup:
+ *offset = sec_offset;
+ krb5_storage_free(sp);
+ krb5_data_free(&payload);
+ return ret;
+}
+
+struct krcc_iter {
+ atomic_key_serial_t collection_id;
+ char *anchor_name;
+ char *collection_name;
+ char *subsidiary_name;
+ char *primary_name;
+ krb5_boolean first;
+ long num_keys;
+ long next_key;
+ key_serial_t *keys;
+};
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
+ struct krcc_iter *iter;
+ krb5_error_code ret;
+ void *keys;
+ long size;
+
+ *cursor = NULL;
+
+ iter = calloc(1, sizeof(*iter));
+ if (iter == NULL) {
+ ret = krb5_enomem(context);
+ goto error;
+ }
+ iter->first = TRUE;
+
+ ret = get_default(context, &iter->anchor_name, &iter->collection_name,
+ &iter->subsidiary_name);
+ if (ret)
+ goto error;
+
+ /* If there is no default collection, return an empty cursor. */
+ if (iter->anchor_name == NULL) {
+ *cursor = iter;
+ return 0;
+ }
+
+ ret = get_collection(context, iter->anchor_name, iter->collection_name,
+ &iter->collection_id);
+ if (ret)
+ goto error;
+
+ if (iter->subsidiary_name == NULL) {
+ ret = get_primary_name(context, iter->anchor_name,
+ iter->collection_name, iter->collection_id,
+ &iter->primary_name);
+ if (ret)
+ goto error;
+
+ size = keyctl_read_alloc(iter->collection_id, &keys);
+ if (size == -1) {
+ ret = errno;
+ goto error;
+ }
+ iter->keys = keys;
+ iter->num_keys = size / sizeof(key_serial_t);
+ }
+
+ *cursor = iter;
+
+ return 0;
+
+error:
+ krcc_end_cache_get(context, iter);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_cache_next(krb5_context context,
+ krb5_cc_cursor cursor,
+ krb5_ccache *cache)
+{
+ krb5_error_code ret;
+ struct krcc_iter *iter = cursor;
+ key_serial_t key, cache_id = 0;
+ const char *first_name, *keytype, *sep, *subsidiary_name;
+ size_t keytypelen;
+ char *description = NULL;
+
+ *cache = NULL;
+
+ /* No keyring available */
+ if (iter->collection_id == 0)
+ return KRB5_CC_END;
+
+ if (iter->first) {
+ /*
+ * Look for the primary cache for a collection cursor, or the
+ * subsidiary cache for a subsidiary cursor.
+ */
+ iter->first = FALSE;
+ first_name = (iter->primary_name != NULL) ? iter->primary_name :
+ iter->subsidiary_name;
+ cache_id = keyctl_search(iter->collection_id, KRCC_KEY_TYPE_KEYRING,
+ first_name, 0);
+ if (cache_id != -1) {
+ return make_cache(context, iter->collection_id, cache_id,
+ iter->anchor_name, iter->collection_name,
+ first_name, cache);
+ }
+ }
+
+ /* A subsidiary cursor yields at most the first cache. */
+ if (iter->subsidiary_name != NULL)
+ return KRB5_CC_END;
+
+ keytype = KRCC_KEY_TYPE_KEYRING ";";
+ keytypelen = strlen(keytype);
+
+ for (ret = KRB5_CC_END; iter->next_key < iter->num_keys; iter->next_key++) {
+ free(description);
+ description = NULL;
+
+ /*
+ * Get the key description, which should have the form:
+ * typename;UID;GID;permissions;description
+ */
+ key = iter->keys[iter->next_key];
+ if (keyctl_describe_alloc(key, &description) < 0)
+ continue;
+ sep = strrchr(description, ';');
+ if (sep == NULL)
+ continue;
+ subsidiary_name = sep + 1;
+
+ /* Skip this key if it isn't a keyring. */
+ if (strncmp(description, keytype, keytypelen) != 0)
+ continue;
+
+ /* Don't repeat the primary cache. */
+ if (iter->primary_name &&
+ strcmp(subsidiary_name, iter->primary_name) == 0)
+ continue;
+
+ /* We found a valid key */
+ iter->next_key++;
+ ret = make_cache(context, iter->collection_id, key, iter->anchor_name,
+ iter->collection_name, subsidiary_name, cache);
+ break;
+ }
+
+ free(description);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+ struct krcc_iter *iter = cursor;
+
+ if (iter != NULL) {
+ free(iter->anchor_name);
+ free(iter->collection_name);
+ free(iter->subsidiary_name);
+ free(iter->primary_name);
+ free(iter->keys);
+
+ memset(iter, 0, sizeof(*iter));
+ free(iter);
+ }
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_set_default(krb5_context context, krb5_ccache id)
+{
+ krb5_krcache *data = KRCACHE(id);
+ krb5_error_code ret;
+ char *anchor_name, *collection_name, *subsidiary_name;
+ atomic_key_serial_t collection_id;
+
+ if (data == NULL)
+ return krb5_einval(context, 2);
+
+ ret = parse_residual(context, data->krc_name,
+ &anchor_name, &collection_name, &subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+ ret = get_collection(context, anchor_name, collection_name, &collection_id);
+ if (ret)
+ goto cleanup;
+
+ ret = set_primary_name(context, collection_id, subsidiary_name);
+ if (ret)
+ goto cleanup;
+
+cleanup:
+ free(anchor_name);
+ free(collection_name);
+ free(subsidiary_name);
+
+ return ret;
+}
+
+/*
+ * Utility routine: called by krcc_* functions to keep
+ * result of krcc_last_change_time up to date.
+ */
+static void
+update_change_time(krb5_context context, krb5_timestamp now, krb5_krcache *data)
+{
+ krb5_timestamp old;
+
+ if (now == 0)
+ krb5_timeofday(context, &now);
+
+ old = heim_base_exchange_time_t(&data->krc_changetime, now);
+ if (old > now) /* don't go backwards */
+ heim_base_atomic_store(&data->krc_changetime, old + 1);
+}
+
+static int
+move_key_to_new_keyring(key_serial_t parent, key_serial_t key,
+ char *desc, int desc_len, void *data)
+{
+ key_serial_t cache_id = *(key_serial_t *)data;
+
+ if (parent) {
+ if (keyctl_link(key, cache_id) == -1 ||
+ keyctl_unlink(key, parent) == -1)
+ return -1;
+ }
+
+ return 0;
+}
+
+/* Move contents of one ccache to another; destroys from cache */
+static krb5_error_code KRB5_CALLCONV
+krcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
+ krb5_krcache *krfrom = KRCACHE(from);
+ krb5_krcache *krto = KRCACHE(to);
+ krb5_error_code ret;
+ krb5_timestamp now;
+ key_serial_t to_cache_id;
+
+ if (krfrom == NULL || krto == NULL)
+ return krb5_einval(context, 2);
+
+ ret = initialize_internal(context, to, NULL);
+ if (ret)
+ return ret;
+
+ krb5_timeofday(context, &now);
+ to_cache_id = heim_base_atomic_load(&krto->krc_cache_id);
+
+ if (krfrom->krc_cache_id != 0) {
+ ret = recursive_key_scan(krfrom->krc_cache_id,
+ move_key_to_new_keyring, &to_cache_id);
+ if (ret)
+ return KRB5_CC_IO;
+
+ if (keyctl_unlink(krfrom->krc_cache_id, krfrom->krc_coll_id) == -1)
+ return errno;
+
+ heim_base_exchange_32(&krto->krc_princ_id, krfrom->krc_princ_id);
+ }
+
+ update_change_time(context, now, krto);
+ krb5_cc_destroy(context, from);
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+krcc_get_default_name(krb5_context context, char **str)
+{
+ *str = strdup("KEYRING:");
+ if (*str == NULL)
+ return krb5_enomem(context);
+
+ return 0;
+}
+
+/*
+ * ccache implementation storing credentials in the Linux keyring facility
+ * The default is to put them at the session keyring level.
+ * If "KEYRING:process:" or "KEYRING:thread:" is specified, then they will
+ * be stored at the process or thread level respectively.
+ */
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_krcc_ops = {
+ KRB5_CC_OPS_VERSION_5,
+ "KEYRING",
+ NULL,
+ NULL,
+ krcc_gen_new,
+ krcc_initialize,
+ krcc_destroy,
+ krcc_close,
+ krcc_store,
+ NULL, /* retrieve */
+ krcc_get_principal,
+ krcc_get_first,
+ krcc_get_next,
+ krcc_end_get,
+ krcc_remove_cred,
+ krcc_set_flags,
+ krcc_get_version,
+ krcc_get_cache_first,
+ krcc_get_cache_next,
+ krcc_end_cache_get,
+ krcc_move,
+ krcc_get_default_name,
+ krcc_set_default,
+ krcc_lastchange,
+ krcc_set_kdc_offset,
+ krcc_get_kdc_offset,
+ krcc_get_name_2,
+ krcc_resolve_2
+};
+
+#endif /* HAVE_KEYUTILS_H */
diff --git a/lib/krb5/kuserok.c b/lib/krb5/kuserok.c
index 492d0c6b858e..7a7de452ae6f 100644
--- a/lib/krb5/kuserok.c
+++ b/lib/krb5/kuserok.c
@@ -67,10 +67,10 @@ plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
}
static krb5_error_code plugin_reg_ret;
-static krb5plugin_kuserok_ftable kuserok_simple_plug;
-static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
-static krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
-static krb5plugin_kuserok_ftable kuserok_deny_plug;
+static const krb5plugin_kuserok_ftable kuserok_simple_plug;
+static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
+static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
+static const krb5plugin_kuserok_ftable kuserok_deny_plug;
static void
reg_def_plugins_once(void *ctx)
@@ -144,7 +144,7 @@ check_owner_dir(krb5_context context,
heim_assert(owner != NULL, "no directory owner ?");
- if (rk_getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
+ if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
krb5_set_error_message(context, errno,
"User unknown %s (getpwnam_r())", owner);
return EACCES;
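Review bot: The error code handed to krb5_set_error_message on the line after the changed call is still `errno`, but getpwnam_r reports failure through its return value and is not required to set errno, so the message may carry a stale or unrelated code once the rk_ wrapper is gone; capture the return instead, `int rc = getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd);` then `if (rc != 0) { krb5_set_error_message(context, rc, "User unknown %s (getpwnam_r())", owner);`. The check_owner_file hunk at -219 has the same pattern and should get the same change. Note also that getpwnam_r returns 0 with `pwd == NULL` when the user simply does not exist, so the "User unknown" text only matches that case if a later `pwd == NULL` check exists; check_owner_dir continues outside the hunk, so I cannot see whether it does.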
@@ -219,7 +219,7 @@ check_owner_file(krb5_context context,
if (owner == NULL)
return 0;
- if (rk_getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
+ if (getpwnam_r(owner, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
krb5_set_error_message(context, errno,
"User unknown %s (getpwnam_r())", owner);
return EACCES;
@@ -455,6 +455,17 @@ krb5_kuserok(krb5_context context,
}
+static const char *const kuserok_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+kuserok_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_KUSEROK,
+ KRB5_PLUGIN_KUSEROK_VERSION_0,
+ kuserok_plugin_deps,
+ krb5_get_instance
+};
+
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_kuserok(krb5_context context,
krb5_principal principal,
@@ -515,9 +526,8 @@ _krb5_kuserok(krb5_context context,
for (n = 0; rules[n]; n++) {
ctx.rule = rules[n];
- ret = _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_KUSEROK,
- KRB5_PLUGIN_KUSEROK_VERSION_0, 0,
- &ctx, plcallback);
+ ret = _krb5_plugin_run_f(context, &kuserok_plugin_data,
+ 0, &ctx, plcallback);
if (ret != KRB5_PLUGIN_NO_HANDLE)
goto out;
}
@@ -713,28 +723,28 @@ kuser_ok_null_plugin_fini(void *ctx)
return;
}
-static krb5plugin_kuserok_ftable kuserok_simple_plug = {
+static const krb5plugin_kuserok_ftable kuserok_simple_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_simple_plug_f,
};
-static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
+static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_sys_k5login_plug_f,
};
-static krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
+static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_user_k5login_plug_f,
};
-static krb5plugin_kuserok_ftable kuserok_deny_plug = {
+static const krb5plugin_kuserok_ftable kuserok_deny_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
diff --git a/lib/krb5/kuserok_plugin.h b/lib/krb5/kuserok_plugin.h
index b45071d18e73..7c3f3b4c8dcc 100644
--- a/lib/krb5/kuserok_plugin.h
+++ b/lib/krb5/kuserok_plugin.h
@@ -32,6 +32,8 @@
#ifndef HEIMDAL_KRB5_KUSEROK_PLUGIN_H
#define HEIMDAL_KRB5_KUSEROK_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_KUSEROK "krb5_plugin_kuserok"
#define KRB5_PLUGIN_KUSEROK_VERSION_0 0
@@ -76,9 +78,7 @@
* @ingroup krb5_support
*/
typedef struct krb5plugin_kuserok_ftable_desc {
- int minor_version;
- krb5_error_code (KRB5_LIB_CALL *init)(krb5_context, void **);
- void (KRB5_LIB_CALL *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5_error_code (KRB5_LIB_CALL *kuserok)(void *, krb5_context, const char *,
unsigned int, const char *, const char *,
krb5_const_principal,
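Review bot: The first three members of the public ftable struct are now produced by HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context) while KRB5_PLUGIN_KUSEROK_VERSION_0 in the earlier hunk stays at 0, so the macro must expand to exactly the removed `minor_version`, `init`, `fini` members in that order for already-built version-0 plugins to keep a compatible layout; that cannot be confirmed from this page. A comment on the macro line would make the constraint visible to future editors: `/* expands to minor_version, init, fini -- layout must stay compatible with VERSION_0 plugins */`. The typedef continues past the end of the hunk.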
diff --git a/lib/krb5/kx509.c b/lib/krb5/kx509.c
new file mode 100644
index 000000000000..7525739f66ca
--- /dev/null
+++ b/lib/krb5/kx509.c
@@ -0,0 +1,1323 @@
+/*
+ * Copyright (c) 2019 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include <kx509_asn1.h>
+#include <kx509_err.h>
+#include "../hx509/hx_locl.h" /* XXX find a better way */
+#include "hx509-private.h"
+
+/*
+ * This file implements a client for the kx509 protocol -- a Kerberized online
+ * CA that can issue a Certificate to a client that authenticates using
+ * Kerberos.
+ *
+ * The kx509 protocol is the inverse of PKINIT. Whereas PKINIT allows users
+ * with PKIX credentials to acquire Kerberos credentials, the kx509 protocol
+ * allows users with Kerberos credentials to acquire PKIX credentials.
+ *
+ * I.e., kx509 is a bridge, just like PKINIT.
+ *
+ * The kx509 protocol is very simple, and very limited.
+ *
+ * A request consists of a DER-encoded Kx509Request message prefixed with four
+ * bytes identifying the protocol (see `version_2_0' below).
+ *
+ * A Kx509Request message contains an AP-REQ, a public key, and an HMAC of the
+ * public key made with the session key of the AP-REQ's ticket.
+ *
+ * The service principal can be either kca_service/hostname.fqdn or
+ * krbtgt/REALM (a Heimdal innovation).
+ *
+ * If a request is missing a public key, then the request is a probe intended
+ * to discover whether the service is enabled, thus helping the client avoid
+ * a possibly-slow private key generation operation.
+ *
+ * The response is a DER-encoded Kx509Response also prefixed with
+ * `version_2_0', and contains: an optional error code and error text, an
+ * optional certificate (for the success case), and an optional HMAC of those
+ * fields that is present when the service was able to verify the AP-REQ.
+ *
+ * Limitations:
+ *
+ * - no proof of possession for the public key
+ * - only RSA keys are supported
+ * - no way to express options (e.g., what KUs, EKUs, or SANs are desired)
+ * - no sub-session key usage
+ * - no reflection protection other than the HMAC's forgery protection and the
+ * fact that the client could tell that a reflected attack isn't success
+ *
+ * Future directions:
+ *
+ * - Since the public key field of the request is an OCTET STRING, we could
+ * send a CSR, or even an expired certificate (possibly self-signed,
+ * possibly one issued earlier) that can serve as a template.
+ *
+ * This solves the first three limitations, as it allows the client to
+ * demonstrate proof of possession, allows arbitrary public key types, and
+ * allows the client to express desires about the to-be-issued certificate.
+ *
+ * - Use the AP-REQ's Authenticator's sub-session key for the HMAC, and derive
+ * per-direction sub-sub-keys.
+ *
+ * - We might design a new protocol that better fits the RFC4120 KDC message
+ * framework.
+ */
+
+static const unsigned char version_2_0[4] = {0 , 0, 2, 0};
+
+struct krb5_kx509_req_ctx_data {
+ krb5_auth_context ac;
+ krb5_data given_csr;
+ hx509_request csr;
+ Kx509CSRPlus csr_plus;
+ char *realm; /* Realm to which to send request */
+ krb5_keyblock *hmac_key; /* For HMAC validation */
+ hx509_private_key *keys;
+ hx509_private_key priv_key;
+ unsigned int expect_chain;
+};
+
+/**
+ * Create a kx509 request context.
+ *
+ * @param context The Kerberos library context
+ * @param out Where to place the kx509 request context
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_init(krb5_context context, krb5_kx509_req_ctx *out)
+{
+ krb5_kx509_req_ctx ctx;
+ krb5_error_code ret;
+ hx509_name name = NULL;
+
+ ALLOC(ctx, 1);
+ if (ctx == NULL)
+ return krb5_enomem(context);
+ ctx->given_csr.data = NULL;
+ ctx->priv_key = NULL;
+ ctx->hmac_key = NULL;
+ ctx->realm = NULL;
+ ctx->keys = NULL;
+ ctx->csr = NULL;
+ ret = hx509_request_init(context->hx509ctx, &ctx->csr);
+ if (ret == 0)
+ ret = hx509_parse_name(context->hx509ctx, "", &name);
+ if (ret == 0)
+ ret = hx509_request_set_name(context->hx509ctx, ctx->csr, name);
+ if (ret == 0)
+ ret = krb5_auth_con_init(context, &ctx->ac);
+ if (name)
+ hx509_name_free(&name);
+ if (ret == 0)
+ *out = ctx;
+ else
+ krb5_kx509_ctx_free(context, &ctx);
+ return ret;
+}
+
+/**
+ * Free a kx509 request context.
+ *
+ * @param context The Kerberos library context
+ * @param ctxp Pointer to krb5 request context to free
+ *
+ * @return A krb5 error code.
+ */
+void
+krb5_kx509_ctx_free(krb5_context context, krb5_kx509_req_ctx *ctxp)
+{
+ krb5_kx509_req_ctx ctx = *ctxp;
+
+ *ctxp = NULL;
+ if (ctx == NULL)
+ return;
+ krb5_free_keyblock(context, ctx->hmac_key);
+ krb5_auth_con_free(context, ctx->ac);
+ free_Kx509CSRPlus(&ctx->csr_plus);
+ free(ctx->realm);
+ hx509_request_free(&ctx->csr);
+ krb5_data_free(&ctx->given_csr);
+ hx509_private_key_free(&ctx->priv_key);
+ _hx509_certs_keys_free(context->hx509ctx, ctx->keys);
+ free(ctx);
+}
+
+/**
+ * Set a realm to send kx509 request to, if different from the client's.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param realm Realm name
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_set_realm(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *realm)
+{
+ return ((kx509_ctx->realm = strdup(realm)) == NULL) ?
+ krb5_enomem(context) : 0;
+}
+
+/**
+ * Sets a CSR for a kx509 request.
+ *
+ * Normally kx509 will generate a CSR (and even a private key for it)
+ * automatically. If a CSR is given then kx509 will use it instead of
+ * generating one.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param csr_der A DER-encoded PKCS#10 CSR
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_set_csr_der(krb5_context context,
+ krb5_kx509_req_ctx ctx,
+ krb5_data *csr_der)
+{
+ krb5_data_free(&ctx->given_csr);
+ return krb5_data_copy(&ctx->given_csr, csr_der->data, csr_der->length);
+}
+
+/**
+ * Adds an EKU as an additional desired Certificate Extension or in the CSR if
+ * the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param oids A string representation of an OID
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_eku(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *oids)
+{
+ krb5_error_code ret;
+ heim_oid oid;
+
+ ret = der_parse_heim_oid(oids, NULL, &oid);
+ if (ret == 0)
+ hx509_request_add_eku(context->hx509ctx, kx509_ctx->csr, &oid);
+ der_free_oid(&oid);
+ return ret;
+}
+
+/**
+ * Adds a dNSName SAN (domainname, hostname) as an additional desired
+ * Certificate Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param dname A string containing a DNS domainname
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_dns_name(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *dname)
+{
+ return hx509_request_add_dns_name(context->hx509ctx, kx509_ctx->csr,
+ dname);
+}
+
+/**
+ * Adds an xmppAddr SAN (jabber address) as an additional desired Certificate
+ * Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param jid A string containing a Jabber address
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_xmpp(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *jid)
+{
+ return hx509_request_add_xmpp_name(context->hx509ctx, kx509_ctx->csr, jid);
+}
+
+/**
+ * Adds an rfc822Name SAN (e-mail address) as an additional desired Certificate
+ * Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param email A string containing an e-mail address
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_rfc822Name(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *email)
+{
+ return hx509_request_add_email(context->hx509ctx, kx509_ctx->csr, email);
+}
+
+/**
+ * Adds an pkinit SAN (Kerberos principal name) as an additional desired
+ * Certificate Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param pname A string containing a representation of a Kerberos principal
+ * name
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_pkinit(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *pname)
+{
+ return hx509_request_add_pkinit(context->hx509ctx, kx509_ctx->csr, pname);
+}
+
+/**
+ * Adds a Microsoft-style UPN (user principal name) as an additional desired
+ * Certificate Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param upn A string containing a representation of a UPN
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_ms_upn(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *upn)
+{
+ return hx509_request_add_ms_upn_name(context->hx509ctx, kx509_ctx->csr,
+ upn);
+}
+
+/**
+ * Adds an registeredID SAN (OID) as an additional desired Certificate
+ * Extension or in the CSR if the caller does not set a CSR.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param oids A string representation of an OID
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_add_san_registeredID(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *oids)
+{
+ krb5_error_code ret;
+ heim_oid oid;
+
+ ret = der_parse_heim_oid(oids, NULL, &oid);
+ if (ret == 0)
+ hx509_request_add_registered(context->hx509ctx, kx509_ctx->csr, &oid);
+ der_free_oid(&oid);
+ return ret;
+}
+
+static krb5_error_code
+load_priv_key(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *fn)
+{
+ hx509_private_key *keys = NULL;
+ hx509_certs certs = NULL;
+ krb5_error_code ret;
+
+ ret = hx509_certs_init(context->hx509ctx, fn, 0, NULL, &certs);
+ if (ret == ENOENT)
+ return 0;
+ if (ret == 0)
+ ret = _hx509_certs_keys_get(context->hx509ctx, certs, &keys);
+ if (ret == 0 && keys[0] == NULL)
+ ret = ENOENT;
+ if (ret == 0)
+ kx509_ctx->priv_key = _hx509_private_key_ref(keys[0]);
+ if (ret) {
+ char *emsg = hx509_get_error_string(context->hx509ctx, ret);
+
+ krb5_set_error_message(context, ret, "Could not load private key "
+ "from %s for kx509: %s", fn, emsg);
+ hx509_free_error_string(emsg);
+ }
+ hx509_certs_free(&certs);
+ return ret;
+}
+
+/**
+ * Set a private key.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param store The name of a PKIX credential store
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_set_key(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *store)
+{
+ SubjectPublicKeyInfo key;
+ krb5_error_code ret;
+
+ memset(&key, 0, sizeof(key));
+ hx509_private_key_free(&kx509_ctx->priv_key);
+ _hx509_certs_keys_free(context->hx509ctx, kx509_ctx->keys);
+ kx509_ctx->keys = NULL;
+ ret = load_priv_key(context, kx509_ctx, store);
+ if (ret == 0)
+ ret = hx509_private_key2SPKI(context->hx509ctx, kx509_ctx->priv_key,
+ &key);
+ if (ret == 0)
+ ret = hx509_request_set_SubjectPublicKeyInfo(context->hx509ctx,
+ kx509_ctx->csr, &key);
+ free_SubjectPublicKeyInfo(&key);
+ return ret;
+}
+
+static krb5_error_code
+gen_priv_key(krb5_context context,
+ const char *gen_type,
+ unsigned long gen_bits,
+ hx509_private_key *key)
+{
+ struct hx509_generate_private_context *key_gen_ctx = NULL;
+ krb5_error_code ret;
+
+ _krb5_debug(context, 1, "kx509: gen priv key");
+ if (strcmp(gen_type, "rsa") != 0) {
+ krb5_set_error_message(context, ENOTSUP, "Key type %s is not "
+ "supported for kx509; only \"rsa\" is "
+ "supported for kx509 at this time",
+ gen_type);
+ return ENOTSUP;
+ }
+
+ ret = _hx509_generate_private_key_init(context->hx509ctx,
+ ASN1_OID_ID_PKCS1_RSAENCRYPTION,
+ &key_gen_ctx);
+ if (ret == 0)
+ ret = _hx509_generate_private_key_bits(context->hx509ctx, key_gen_ctx, gen_bits);
+
+ if (ret == 0)
+ ret = _hx509_generate_private_key(context->hx509ctx, key_gen_ctx, key);
+ _hx509_generate_private_key_free(&key_gen_ctx);
+ if (ret) {
+ char *emsg = hx509_get_error_string(context->hx509ctx, ret);
+
+ krb5_set_error_message(context, ret,
+ "Could not generate a private key: %s", emsg);
+ hx509_free_error_string(emsg);
+ }
+ return ret;
+}
+
+/**
+ * Generate a private key.
+ *
+ * @param context The Kerberos library context
+ * @param ctx The kx509 request context
+ * @param gen_type The type of key (default: rsa)
+ * @param gen_bits The size of the key (for non-ECC, really, for RSA)
+ *
+ * @return A krb5 error code.
+ */
+krb5_error_code
+krb5_kx509_ctx_gen_key(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ const char *gen_type,
+ int gen_bits)
+{
+ SubjectPublicKeyInfo key;
+ krb5_error_code ret;
+
+ memset(&key, 0, sizeof(key));
+
+ if (gen_type == NULL) {
+ gen_type = krb5_config_get_string_default(context, NULL, "rsa",
+ "libdefaults",
+ "kx509_gen_key_type", NULL);
+ }
+ if (gen_bits == 0) {
+ /*
+ * The key size is really only for non-ECC, of which we'll only support
+ * RSA. For ECC key sizes will either be implied by the `key_type' or
+ * will have to be a magic value that allows us to pick from some small
+ * set of curves (e.g., 255 == Curve25519).
+ */
+ gen_bits = krb5_config_get_int_default(context, NULL, 2048,
+ "libdefaults",
+ "kx509_gen_rsa_key_size", NULL);
+ }
+ hx509_private_key_free(&kx509_ctx->priv_key);
+ _hx509_certs_keys_free(context->hx509ctx, kx509_ctx->keys);
+ kx509_ctx->keys = NULL;
+
+ ret = gen_priv_key(context, gen_type, gen_bits, &kx509_ctx->priv_key);
+ if (ret == 0)
+ ret = hx509_private_key2SPKI(context->hx509ctx, kx509_ctx->priv_key,
+ &key);
+ if (ret == 0)
+ ret = hx509_request_set_SubjectPublicKeyInfo(context->hx509ctx,
+ kx509_ctx->csr, &key);
+ free_SubjectPublicKeyInfo(&key);
+ return ret;
+}
+
+/* Set a cc config entry indicating that the kx509 service is not available */
+static void
+store_kx509_disabled(krb5_context context, const char *realm, krb5_ccache cc)
+{
+ krb5_data data;
+
+ if (!cc)
+ return;
+
+ data.data = (void *)(uintptr_t)realm;
+ data.length = strlen(realm);
+ krb5_cc_set_config(context, cc, NULL, "kx509_service_realm", &data);
+ data.data = "disabled";
+ data.length = strlen(data.data);
+ krb5_cc_set_config(context, cc, NULL, "kx509_service_status", &data);
+}
+
+static int KRB5_CALLCONV
+certs_export_func(hx509_context context, void *d, hx509_cert c)
+{
+ heim_octet_string os;
+ Certificates *cs = d;
+ Certificate c2;
+ int ret;
+
+ ret = hx509_cert_binary(context, c, &os);
+ if (ret)
+ return ret;
+ ret = decode_Certificate(os.data, os.length, &c2, NULL);
+ der_free_octet_string(&os);
+ if (ret)
+ return ret;
+ ret = add_Certificates(cs, &c2);
+ free_Certificate(&c2);
+ return ret;
+}
+
+static krb5_error_code
+certs_export(hx509_context context, hx509_certs certs, heim_octet_string *out)
+{
+ Certificates cs;
+ size_t len;
+ int ret;
+
+ cs.len = 0;
+ cs.val = 0;
+ ret = hx509_certs_iter_f(context, certs, certs_export_func, &cs);
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Certificates, out->data, out->length, &cs, &len, ret);
+ free_Certificates(&cs);
+ return ret;
+}
+
+/* Store the private key and certificate where requested */
+static krb5_error_code
+store(krb5_context context,
+ const char *hx509_store,
+ const char *realm,
+ krb5_ccache cc,
+ hx509_private_key key,
+ hx509_cert cert,
+ hx509_certs chain)
+{
+ heim_octet_string hdata;
+ krb5_error_code ret = 0;
+ krb5_data data;
+
+ krb5_clear_error_message(context);
+
+ if (cc) {
+ /* Record the realm we used */
+ data.data = (void *)(uintptr_t)realm;
+ data.length = strlen(realm);
+ krb5_cc_set_config(context, cc, NULL, "kx509_service_realm", &data);
+
+ /* Serialize and store the certificate in the ccache */
+ ret = hx509_cert_binary(context->hx509ctx, cert, &hdata);
+ if (ret == 0)
+ ret = krb5_cc_set_config(context, cc, NULL, "kx509cert", &hdata);
+ der_free_octet_string(&hdata);
+
+ if (ret == 0 && key) {
+ /*
+ * Serialized and store the key in the ccache. Use PKCS#8 so that we
+ * store the algorithm OID too, which is needed in order to be able to
+ * read the private key back.
+ */
+ if (ret == 0)
+ ret = _hx509_private_key_export(context->hx509ctx, key,
+ HX509_KEY_FORMAT_PKCS8, &hdata);
+ if (ret == 0)
+ ret = krb5_cc_set_config(context, cc, NULL, "kx509key", &hdata);
+ der_free_octet_string(&hdata);
+ if (ret)
+ krb5_set_error_message(context, ret, "Could not store kx509 "
+ "private key and certificate in ccache %s",
+ krb5_cc_get_name(context, cc));
+ }
+
+ if (ret == 0 && chain) {
+ ret = certs_export(context->hx509ctx, chain, &hdata);
+ if (ret == 0)
+ ret = krb5_cc_set_config(context, cc, NULL, "kx509cert-chain",
+ &hdata);
+ der_free_octet_string(&hdata);
+ }
+ }
+
+ /* Store the private key and cert in an hx509 store */
+ if (hx509_store != NULL) {
+ hx509_certs certs;
+
+ if (key)
+ _hx509_cert_assign_key(cert, key); /* store both in the same store */
+
+ ret = hx509_certs_init(context->hx509ctx, hx509_store,
+ HX509_CERTS_CREATE, NULL, &certs);
+ if (ret == 0)
+ ret = hx509_certs_add(context->hx509ctx, certs, cert);
+ if (ret == 0 && chain != NULL)
+ ret = hx509_certs_merge(context->hx509ctx, certs, chain);
+ if (ret == 0)
+ ret = hx509_certs_store(context->hx509ctx, certs, 0, NULL);
+ hx509_certs_free(&certs);
+ if (ret)
+ krb5_prepend_error_message(context, ret, "Could not store kx509 "
+ "private key and certificate in key "
+ "store %s", hx509_store);
+ }
+
+ /* Store the name of the hx509 store in the ccache too */
+ if (cc && hx509_store) {
+ data.data = (void *)(uintptr_t)hx509_store;
+ data.length = strlen(hx509_store);
+ (void) krb5_cc_set_config(context, cc, NULL, "kx509store", &data);
+ }
+ return ret;
+}
+
+/* Make a Kx509CSRPlus or a raw SPKI */
+static krb5_error_code
+mk_kx509_req_body(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_data *out)
+{
+ krb5_error_code ret;
+ size_t len;
+
+ if (krb5_config_get_bool_default(context, NULL, FALSE,
+ "realms", kx509_ctx->realm,
+ "kx509_req_use_raw_spki", NULL)) {
+ SubjectPublicKeyInfo spki;
+
+ /* Interop with old kx509 servers, send a raw SPKI, not a CSR */
+ out->data = NULL;
+ out->length = 0;
+ memset(&spki, 0, sizeof(spki));
+ ret = hx509_private_key2SPKI(context->hx509ctx,
+ kx509_ctx->priv_key, &spki);
+ if (ret == 0) {
+ out->length = spki.subjectPublicKey.length >> 3;
+ out->data = spki.subjectPublicKey.data;
+ }
+ kx509_ctx->expect_chain = 0;
+ return ret;
+ }
+
+ /*
+ * New kx509 servers use a CSR for proof of possession, and send back a
+ * chain of certificates, with the issued certificate first.
+ */
+ kx509_ctx->expect_chain = 1;
+
+ if (kx509_ctx->given_csr.length) {
+ krb5_data exts_der;
+
+ exts_der.data = NULL;
+ exts_der.length = 0;
+
+ /* Use the given CSR */
+ ret = der_copy_octet_string(&kx509_ctx->given_csr,
+ &kx509_ctx->csr_plus.csr);
+
+ /*
+ * Extract the desired Certificate Extensions from our internal
+ * as-yet-unsigned CSR, then decode them into place in the
+ * Kx509CSRPlus.
+ */
+ if (ret == 0)
+ ret = hx509_request_get_exts(context->hx509ctx,
+ kx509_ctx->csr,
+ &exts_der);
+ if (ret == 0 && exts_der.data && exts_der.length &&
+ (kx509_ctx->csr_plus.exts =
+ calloc(1, sizeof (kx509_ctx->csr_plus.exts[0]))) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 && exts_der.data && exts_der.length)
+ ret = decode_Extensions(exts_der.data, exts_der.length,
+ kx509_ctx->csr_plus.exts, NULL);
+ krb5_data_free(&exts_der);
+ } else {
+ /*
+ * Sign and use our internal CSR, which will carry all our desired
+ * Certificate Extensions as an extReq CSR Attribute.
+ */
+ ret = hx509_request_to_pkcs10(context->hx509ctx,
+ kx509_ctx->csr,
+ kx509_ctx->priv_key,
+ &kx509_ctx->csr_plus.csr);
+ }
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Kx509CSRPlus, out->data, out->length,
+ &kx509_ctx->csr_plus, &len, ret);
+ return ret;
+}
+
+static krb5_error_code
+get_start_realm(krb5_context context,
+ krb5_ccache cc,
+ krb5_const_principal princ,
+ char **out)
+{
+ krb5_error_code ret;
+ krb5_data d;
+
+ ret = krb5_cc_get_config(context, cc, NULL, "start_realm", &d);
+ if (ret == 0) {
+ *out = strndup(d.data, d.length);
+ krb5_data_free(&d);
+ } else if (princ) {
+ *out = strdup(krb5_principal_get_realm(context, princ));
+ } else {
+ krb5_principal ccprinc = NULL;
+
+ ret = krb5_cc_get_principal(context, cc, &ccprinc);
+ if (ret)
+ return ret;
+ *out = strdup(krb5_principal_get_realm(context, ccprinc));
+ krb5_free_principal(context, ccprinc);
+ }
+ return (*out) ? 0 : krb5_enomem(context);
+}
+
+/*
+ * Make a request, which is a DER-encoded Kx509Request with version_2_0
+ * prefixed to it.
+ *
+ * If no private key is given, then a probe request will be made.
+ */
+static krb5_error_code
+mk_kx509_req(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_ccache incc,
+ hx509_private_key private_key,
+ krb5_data *req)
+{
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ SubjectPublicKeyInfo spki;
+ struct Kx509Request kx509_req;
+ krb5_data pre_req;
+ krb5_error_code ret = 0;
+ krb5_creds this_cred;
+ krb5_creds *cred = NULL;
+ HMAC_CTX ctx;
+ const char *hostname;
+ char *start_realm = NULL;
+ size_t len = 0;
+
+ krb5_data_zero(&pre_req);
+ memset(&spki, 0, sizeof(spki));
+ memset(&this_cred, 0, sizeof(this_cred));
+ memset(&kx509_req, 0, sizeof(kx509_req));
+ kx509_req.pk_hash.data = digest;
+ kx509_req.pk_hash.length = SHA_DIGEST_LENGTH;
+
+ if (private_key || kx509_ctx->given_csr.data) {
+ /* Encode the CSR or public key for use in the request */
+ ret = mk_kx509_req_body(context, kx509_ctx, &kx509_req.pk_key);
+ } else {
+ /* Probe */
+ kx509_req.pk_key.data = NULL;
+ kx509_req.pk_key.length = 0;
+ }
+
+ if (ret == 0)
+ ret = krb5_cc_get_principal(context, incc, &this_cred.client);
+ if (ret == 0)
+ ret = get_start_realm(context, incc, this_cred.client, &start_realm);
+ if (ret == 0 && kx509_ctx->realm == NULL)
+ ret = krb5_kx509_ctx_set_realm(context, kx509_ctx, start_realm);
+ if (ret == 0) {
+ /*
+ * The kx509 protocol as deployed uses kca_service/kdc_hostname, but
+ * this is inconvenient in libkrb5: we want to be able to use the
+ * send_to_kdc machinery, and since the Heimdal KDC is also the kx509
+ * service, we want not to have to specify kx509 hosts separately from
+ * KDCs.
+ *
+ * We'd much rather use krbtgt/CLIENT_REALM@REQUESTED_REALM. What
+ * we do is assume all KDCs for `realm' support the kx509 service and
+ * then sendto the KDCs for that realm while using a hostbased service
+ * if still desired.
+ *
+ * Note that upstairs we try to get the start_realm cc config, so if
+ * realm wasn't given to krb5_kx509_ext(), then it should be set to
+ * that already unless there's no start_realm cc config, in which case
+ * we'll use the ccache's default client principal's realm.
+ */
+ hostname = krb5_config_get_string(context, NULL, "realms",
+ kx509_ctx->realm, "kx509_hostname",
+ NULL);
+ if (hostname == NULL)
+ hostname = krb5_config_get_string(context, NULL, "libdefaults",
+ "kx509_hostname", NULL);
+ if (hostname) {
+ ret = krb5_sname_to_principal(context, hostname, "kca_service",
+ KRB5_NT_SRV_HST, &this_cred.server);
+ if (ret == 0)
+ ret = krb5_principal_set_realm(context, this_cred.server,
+ kx509_ctx->realm);
+ } else {
+ ret = krb5_make_principal(context, &this_cred.server,
+ start_realm,
+ KRB5_TGS_NAME,
+ kx509_ctx->realm,
+ NULL);
+ }
+ }
+
+ /* Make the AP-REQ and extract the HMAC key */
+ if (ret == 0)
+ ret = krb5_get_credentials(context, 0, incc, &this_cred, &cred);
+ if (ret == 0)
+ ret = krb5_mk_req_extended(context, &kx509_ctx->ac, AP_OPTS_USE_SUBKEY,
+ NULL, cred, &kx509_req.authenticator);
+ krb5_free_keyblock(context, kx509_ctx->hmac_key);
+ kx509_ctx->hmac_key = NULL;
+ if (ret == 0)
+ ret = krb5_auth_con_getkey(context, kx509_ctx->ac,
+ &kx509_ctx->hmac_key);
+
+ if (ret)
+ goto out;
+
+ /* Add the the key and HMAC to the message */
+ HMAC_CTX_init(&ctx);
+ if (HMAC_Init_ex(&ctx, kx509_ctx->hmac_key->keyvalue.data,
+ kx509_ctx->hmac_key->keyvalue.length,
+ EVP_sha1(), NULL) == 0) {
+ HMAC_CTX_cleanup(&ctx);
+ ret = krb5_enomem(context);
+ } else {
+ HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+ if (private_key || kx509_ctx->given_csr.data) {
+ HMAC_Update(&ctx, kx509_req.pk_key.data, kx509_req.pk_key.length);
+ } else {
+ /* Probe */
+ HMAC_Update(&ctx, kx509_req.authenticator.data, kx509_req.authenticator.length);
+ }
+ HMAC_Final(&ctx, kx509_req.pk_hash.data, 0);
+ HMAC_CTX_cleanup(&ctx);
+ }
+
+ /* Encode the message, prefix `version_2_0', output the result */
+ if (ret == 0)
+ ASN1_MALLOC_ENCODE(Kx509Request, pre_req.data, pre_req.length, &kx509_req, &len, ret);
+ if (ret == 0)
+ ret = krb5_data_alloc(req, pre_req.length + sizeof(version_2_0));
+ if (ret == 0) {
+ memcpy(req->data, version_2_0, sizeof(version_2_0));
+ memcpy(((unsigned char *)req->data) + sizeof(version_2_0),
+ pre_req.data, pre_req.length);
+ }
+
+out:
+ free(start_realm);
+ free(pre_req.data);
+ krb5_free_creds(context, cred);
+ kx509_req.pk_hash.data = NULL;
+ kx509_req.pk_hash.length = 0;
+ free_Kx509Request(&kx509_req);
+ free_SubjectPublicKeyInfo(&spki);
+ krb5_free_cred_contents(context, &this_cred);
+ if (ret == 0 && req->length != len + sizeof(version_2_0)) {
+ krb5_data_free(req);
+ krb5_set_error_message(context, ret = ERANGE,
+ "Could not make a kx509 request");
+ }
+ return ret;
+}
+
+static krb5_error_code
+rd_chain(krb5_context context,
+ heim_octet_string *d,
+ hx509_cert *cert,
+ hx509_certs *chain,
+ heim_error_t *herr)
+{
+ krb5_error_code ret;
+ Certificates certs;
+ size_t i, len;
+
+ *cert = NULL;
+ *chain = NULL;
+
+ if ((ret = decode_Certificates(d->data, d->length, &certs, &len)))
+ return ret;
+ if (certs.len == 0) {
+ *herr = heim_error_create(EINVAL, "Server sent empty Certificate list");
+ return EINVAL;
+ }
+ *cert = hx509_cert_init(context->hx509ctx, &certs.val[0], herr);
+ if (*cert == NULL) {
+ free_Certificates(&certs);
+ return errno;
+ }
+ if (certs.len == 1)
+ _krb5_debug(context, 1, "kx509 server sent certificate but no chain");
+ else
+ _krb5_debug(context, 1, "kx509 server sent %llu certificates",
+ (unsigned long long)certs.len);
+
+ ret = hx509_certs_init(context->hx509ctx, "MEMORY:anonymous",
+ HX509_CERTS_CREATE, NULL, chain);
+ if (ret) {
+ hx509_cert_free(*cert);
+ *cert = NULL;
+ free_Certificates(&certs);
+ return ret;
+ }
+
+ for (i = 1; ret == 0 && i < certs.len; i++) {
+ hx509_cert c = hx509_cert_init(context->hx509ctx, &certs.val[i], herr);
+
+ if (c == NULL)
+ ret = errno;
+ else
+ ret = hx509_certs_add(context->hx509ctx, *chain, c);
+ hx509_cert_free(c);
+ }
+ free_Certificates(&certs);
+ if (ret) {
+ hx509_certs_free(chain);
+ hx509_cert_free(*cert);
+ *cert = NULL;
+ }
+ return ret;
+}
+
+/* Parse and validate a kx509 reply */
+static krb5_error_code
+rd_kx509_resp(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_data *rep,
+ hx509_cert *cert,
+ hx509_certs *chain)
+{
+ unsigned char digest[SHA_DIGEST_LENGTH];
+ Kx509Response r;
+ krb5_error_code code = 0;
+ krb5_error_code ret = 0;
+ heim_string_t hestr;
+ heim_error_t herr = NULL;
+ const char *estr;
+ HMAC_CTX ctx;
+ size_t hdr_len = sizeof(version_2_0);
+ size_t len;
+
+ *cert = NULL;
+ *chain = NULL;
+
+ /* Strip `version_2_0' prefix */
+ if (rep->length < hdr_len || memcmp(rep->data, version_2_0, hdr_len) != 0) {
+ krb5_set_error_message(context, ENOTSUP,
+ "KDC does not support kx509 protocol");
+ return ENOTSUP; /* XXX */
+ }
+
+ /* Decode */
+ ret = decode_Kx509Response(((unsigned char *)rep->data) + 4,
+ rep->length - 4, &r, &len);
+ if (ret == 0 && len + hdr_len != rep->length)
+ ret = EINVAL; /* XXX */
+ if (ret) {
+ krb5_set_error_message(context, ret, "kx509 response is not valid");
+ return ret;
+ }
+
+ HMAC_CTX_init(&ctx);
+ if (HMAC_Init_ex(&ctx, kx509_ctx->hmac_key->keyvalue.data,
+ kx509_ctx->hmac_key->keyvalue.length, EVP_sha1(), NULL) == 0) {
+ free_Kx509Response(&r);
+ HMAC_CTX_cleanup(&ctx);
+ return krb5_enomem(context);
+ }
+
+ HMAC_Update(&ctx, version_2_0, sizeof(version_2_0));
+
+ {
+ int32_t t = r.error_code;
+ unsigned char encint[sizeof(t) + 1];
+ size_t k;
+
+ /*
+ * RFC6717 says this about how the error-code is included in the HMAC:
+ *
+ * o DER representation of the error-code exclusive of the tag and
+ * length, if it is present.
+ *
+ * So we use der_put_integer(), which encodes from the right.
+ *
+ * RFC6717 does not constrain the error-code's range. We assume it to
+ * be a 32-bit, signed integer, for which we'll need no more than 5
+ * bytes.
+ */
+ ret = der_put_integer(&encint[sizeof(encint) - 1],
+ sizeof(encint), &t, &k);
+ if (ret == 0)
+ HMAC_Update(&ctx, &encint[sizeof(encint)] - k, k);
+
+ /* Normalize error code */
+ if (r.error_code == 0) {
+ code = 0; /* No error */
+ } else if (r.error_code < 0) {
+ code = KRB5KRB_ERR_GENERIC; /* ??? */
+ } else if (r.error_code <= KX509_ERR_SRV_OVERLOADED) {
+ /*
+ * RFC6717 (kx509) error code. These are actually not used on the
+ * wire in any existing implementations that we are aware of. Just
+ * in case, however, we'll map these.
+ */
+ code = KX509_ERR_CLNT_FATAL + r.error_code;
+ } else if (r.error_code < kx509_krb5_error_base) {
+ /* Unknown error codes */
+ code = KRB5KRB_ERR_GENERIC;
+ } else {
+ /*
+ * Heimdal-specific enhancement to RFC6171: Kerberos wire protocol
+ * error codes.
+ */
+ code = KRB5KDC_ERR_NONE + r.error_code - kx509_krb5_error_base;
+ if (code >= KRB5_ERR_RCSID)
+ code = KRB5KRB_ERR_GENERIC;
+ if (code == KRB5KDC_ERR_NONE)
+ code = 0;
+ }
+ }
+ if (r.certificate)
+ HMAC_Update(&ctx, r.certificate->data, r.certificate->length);
+ if (r.e_text)
+ HMAC_Update(&ctx, *r.e_text, strlen(*r.e_text));
+ HMAC_Final(&ctx, &digest, 0);
+ HMAC_CTX_cleanup(&ctx);
+
+ if (r.hash == NULL) {
+ /*
+ * No HMAC -> unauthenticated [error] response.
+ *
+ * Do not output any certificate.
+ */
+ free_Kx509Response(&r);
+ return code;
+ }
+
+ /*
+ * WARNING: We do not validate that `r.certificate' is a DER-encoded
+ * Certificate, not here, and we don't use a different HMAC key
+ * for the response than for the request.
+ *
+ * If ever we start sending a Certificate as the Kx509Request
+ * pk-key field, then we'll have a reflection attack. As the
+ * Certificate we'd send in that case will be expired, the
+ * reflection attack would be just a DoS.
+ */
+ if (r.hash->length != sizeof(digest) ||
+ ct_memcmp(r.hash->data, digest, sizeof(digest)) != 0) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+ "kx509 response MAC mismatch");
+ free_Kx509Response(&r);
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
+ if (r.certificate == NULL) {
+ /* Authenticated response, either an error or probe success */
+ free_Kx509Response(&r);
+ if (code != KRB5KDC_ERR_POLICY && kx509_ctx->priv_key == NULL)
+ return 0; /* Probe success */
+ return code ? code : KRB5KDC_ERR_POLICY; /* Not a probe -> must fail */
+ }
+
+ /* Import the certificate payload */
+ if (kx509_ctx->expect_chain) {
+ ret = rd_chain(context, r.certificate, cert, chain, &herr);
+ } else {
+ *cert = hx509_cert_init_data(context->hx509ctx, r.certificate->data,
+ r.certificate->length, &herr);
+ if (!*cert)
+ ret = errno;
+ }
+ free_Kx509Response(&r);
+ if (*cert) {
+ heim_release(herr);
+ return 0;
+ }
+
+ hestr = herr ? heim_error_copy_string(herr) : NULL;
+ estr = hestr ? heim_string_get_utf8(hestr) : "(no error message)";
+ krb5_set_error_message(context, ret, "Could not parse certificate "
+ "produced by kx509 KDC: %s (%ld)",
+ estr,
+ herr ? (long)heim_error_get_code(herr) : 0L);
+
+ heim_release(hestr);
+ heim_release(herr);
+ return HEIM_PKINIT_CERTIFICATE_INVALID; /* XXX */
+}
+
+/*
+ * Make a request, send it, get the response, parse it, and store the
+ * private key and certificate.
+ */
+static krb5_error_code
+kx509_core(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_ccache incc,
+ const char *hx509_store,
+ krb5_ccache outcc)
+{
+ krb5_error_code ret;
+ hx509_certs chain = NULL;
+ hx509_cert cert = NULL;
+ krb5_data req, resp;
+
+ krb5_data_zero(&req);
+ krb5_data_zero(&resp);
+
+ /* Make the kx509 request */
+ ret = mk_kx509_req(context, kx509_ctx, incc, kx509_ctx->priv_key, &req);
+
+ /* Send the kx509 request and get the response */
+ if (ret == 0)
+ ret = krb5_sendto_context(context, NULL, &req,
+ kx509_ctx->realm, &resp);
+ if (ret == 0)
+ ret = rd_kx509_resp(context, kx509_ctx, &resp, &cert, &chain);
+
+ /* Store the key and cert! */
+ if (ret == 0 && cert && (kx509_ctx->priv_key || kx509_ctx->given_csr.data))
+ ret = store(context, hx509_store, kx509_ctx->realm, outcc,
+ kx509_ctx->priv_key, cert, chain);
+ else if (ret == KRB5KDC_ERR_POLICY)
+ /* Probe failed -> record that the realm does not support kx509 */
+ store_kx509_disabled(context, kx509_ctx->realm, outcc);
+
+ hx509_certs_free(&chain);
+ hx509_cert_free(cert);
+ krb5_data_free(&resp);
+ krb5_data_free(&req);
+ return ret;
+}
+
+/**
+ * Use the kx509 v2 protocol to get a certificate for the client principal.
+ *
+ * Given a private key this function will get a certificate. If no private key
+ * is given, one will be generated.
+ *
+ * The private key and certificate will be stored in the given PKIX credential
+ * store (e.g, "PEM-FILE:/path/to/file.pem") and/or given output ccache. When
+ * stored in a ccache, the DER-encoded Certificate will be stored as the data
+ * payload of a "cc config" named "kx509cert", while the key will be stored as
+ * a DER-encoded PKCS#8 PrivateKeyInfo in a cc config named "kx509key".
+ *
+ * @param context The Kerberos library context
+ * @param kx509_ctx A kx509 request context
+ * @param incc A credential cache (if NULL use default ccache)
+ * @param hx509_store An PKIX credential store into which to store the private
+ * key and certificate (e.g, "PEM-FILE:/path/to/file.pem")
+ * @param outcc A ccache into which to store the private key and certificate
+ * (mandatory)
+ *
+ * @return A krb5 error code.
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kx509_ext(krb5_context context,
+ krb5_kx509_req_ctx kx509_ctx,
+ krb5_ccache incc,
+ const char *hx509_store,
+ krb5_ccache outcc)
+{
+ krb5_ccache def_cc = NULL;
+ krb5_error_code ret;
+
+ if (incc == NULL) {
+ if ((ret = krb5_cc_default(context, &def_cc)))
+ return ret;
+ incc = def_cc;
+ }
+
+ if (kx509_ctx->realm == NULL &&
+ (ret = get_start_realm(context, incc, NULL, &kx509_ctx->realm))) {
+ if (def_cc)
+ krb5_cc_close(context, def_cc);
+ return ret;
+ }
+
+ if (kx509_ctx->priv_key || kx509_ctx->given_csr.data) {
+ /* If given a private key, use it */
+ ret = kx509_core(context, kx509_ctx, incc, hx509_store, outcc);
+ if (def_cc)
+ krb5_cc_close(context, def_cc);
+ return ret;
+ }
+
+ /*
+ * No private key given, so we generate one.
+ *
+ * However, before taking the hit for generating a keypair we probe to see
+ * if we're likely to succeeed.
+ */
+
+ /* Probe == call kx509_core() w/o a private key */
+ ret = kx509_core(context, kx509_ctx, incc, NULL, outcc);
+ if (ret == 0 && kx509_ctx->given_csr.data == NULL)
+ ret = krb5_kx509_ctx_gen_key(context, kx509_ctx, NULL, 0);
+ if (ret == 0)
+ ret = kx509_core(context, kx509_ctx, incc, hx509_store, outcc);
+
+ if (def_cc)
+ krb5_cc_close(context, def_cc);
+ return ret;
+}
+
+/**
+ * Generates a public key and uses the kx509 v2 protocol to get a certificate
+ * for that key and the client principal's subject name.
+ *
+ * The private key and certificate will be stored in the given ccache, and also
+ * in a corresponding PKIX credential store if one is configured via
+ * [libdefaults] kx509_store.
+ *
+ * XXX NOTE: Dicey feature here... Review carefully!
+ *
+ * @param context The Kerberos library context
+ * @param cc A credential cache
+ * @param realm A realm from which to get the certificate (uses the client
+ * principal's realm if NULL)
+ *
+ * @return A krb5 error code.
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kx509(krb5_context context, krb5_ccache cc, const char *realm)
+{
+ krb5_kx509_req_ctx kx509_ctx;
+ krb5_error_code ret;
+ const char *defcc;
+ char *ccache_full_name = NULL;
+ char *store_exp = NULL;
+
+ ret = krb5_kx509_ctx_init(context, &kx509_ctx);
+ if (ret)
+ return ret;
+ if (realm)
+ ret = krb5_kx509_ctx_set_realm(context, kx509_ctx, realm);
+
+ /*
+ * The idea is that IF we are asked to do kx509 w/ creds from a default
+ * ccache THEN we should store the kx509 certificate (if we get one) and
+ * private key in the default hx509 store for kx509.
+ *
+ * Ideally we could have HTTP user-agents and/or TLS libraries look for
+ * client certificates and private keys in that default hx509 store.
+ *
+ * Of course, those user-agents / libraries should be configured to use
+ * those credentials with specific hostnames/domainnames, not the entire
+ * Internet, as the latter leaks the user's identity to the world.
+ *
+ * So we check if the full name for `cc' is the same as that of the default
+ * ccache name, and if so we get the [libdefaults] kx509_store string and
+ * expand it, then use it.
+ */
+ if (ret == 0 &&
+ (defcc = krb5_cc_configured_default_name(context)) &&
+ krb5_cc_get_full_name(context, cc, &ccache_full_name) == 0 &&
+ strcmp(defcc, ccache_full_name) == 0) {
+
+ /* Find an hx509 store */
+ const char *store = krb5_config_get_string(context, NULL,
+ "libdefaults",
+ "kx509_store", NULL);
+ if (store)
+ ret = _krb5_expand_path_tokens(context, store, 1, &store_exp);
+
+ /*
+ * If there's a private key in the store already, we'll use it, else
+ * we'll let krb5_kx509_ext() generate one, so we ignore this return
+ * value:
+ */
+ (void) krb5_kx509_ctx_set_key(context, kx509_ctx, store);
+ }
+
+ /*
+ * If we did settle on a default hx509 store, we'll use it for reading the
+ * private key from (if it exists) as well as for storing the certificate
+ * (and private key) into, which may save us some key generation cycles.
+ */
+ if (ret == 0)
+ ret = krb5_kx509_ext(context, kx509_ctx, cc, store_exp, cc);
+ krb5_kx509_ctx_free(context, &kx509_ctx);
+ free(ccache_full_name);
+ free(store_exp);
+ return ret;
+}
diff --git a/lib/krb5/kx509_err.et b/lib/krb5/kx509_err.et
new file mode 100644
index 000000000000..0be3907f15e0
--- /dev/null
+++ b/lib/krb5/kx509_err.et
@@ -0,0 +1,39 @@
+#
+# Error messages for the krb5 library
+#
+# This might look like a com_err file, but is not
+#
+
+# RFC6171 says:
+#
+# +------------+-----------------------------+------------------------+
+# | error-code | Condition | Example |
+# +------------+-----------------------------+------------------------+
+# | 1 | Permanent problem with | Incompatible version |
+# | | client request | |
+# | 2 | Solvable problem with | Expired Kerberos |
+# | | client request | credentials |
+# | 3 | Temporary problem with | Packet loss |
+# | | client request | |
+# | 4 | Permanent problem with the | Internal |
+# | | server | misconfiguration |
+# | 5 | Temporary problem with the | Server overloaded |
+# | | server | |
+# +------------+-----------------------------+------------------------+
+#
+# Error 3 makes no sense on the wire, and in the library it only makes sense as
+# a timeout, so we'll name it KX509_ERR_TIMEOUT.
+
+# Error table names must be no more than four characters...
+error_table kx59
+
+prefix KX509_ERR
+
+error_code NONE, "Kx509 success"
+error_code CLNT_FATAL, "Kx509 request error, possibly unsupported version"
+error_code CLNT_SOLVABLE, "Kx509 request error such as expired credentials"
+error_code TIMEOUT, "Kx509 request timed out"
+error_code SRV_FATAL, "Permanent server problem"
+error_code SRV_OVERLOADED, "Kx509 server is overloaded"
+
+end
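Review bot: The citation `# RFC6171 says:` at the top of this table names the wrong RFC — kx509 is RFC 6717 (RFC 6171 is an unrelated LDAP control), and the client code earlier in this diff cites RFC6717 in one comment and RFC6171 in another, so the typo is already propagating; change it to `# RFC6717 says:`. The ordering this table establishes also deserves an explicit comment: `NONE` sits at offset 0 and `CLNT_FATAL` at offset 1, so a wire error-code n corresponds to `KX509_ERR_NONE + n`, whereas the normalization in kx509.c computes `KX509_ERR_CLNT_FATAL + r.error_code`, which lands one entry too far (wire code 1 becomes `KX509_ERR_CLNT_SOLVABLE`). That fix belongs in kx509.c rather than here, but a line such as `# Codes are laid out so that wire error-code n == KX509_ERR_NONE + n` above `error_table kx59` would make the contract visible to whoever edits either file.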
diff --git a/lib/krb5/libkrb5-exports.def.in b/lib/krb5/libkrb5-exports.def.in
index 47aaa8fe4f37..191a0c48c861 100644
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -23,6 +23,8 @@ EXPORTS
krb5_appdefault_time
krb5_append_addresses
krb5_auth_con_addflags
+ krb5_auth_con_add_AuthorizationData
+ krb5_auth_con_add_AuthorizationDataIfRelevant
krb5_auth_con_free
krb5_auth_con_genaddrs
krb5_auth_con_generatelocalsubkey
@@ -82,10 +84,13 @@ EXPORTS
krb5_cc_cache_next
krb5_cc_clear_mcred
krb5_cc_close
+ krb5_cc_configured_default_name
krb5_cc_copy_cache
krb5_cc_copy_creds ;!
krb5_cc_copy_match_f
krb5_cc_default
+ krb5_cc_default_sub
+ krb5_cc_default_for
krb5_cc_default_name
krb5_cc_destroy
krb5_cc_end_seq_get
@@ -110,6 +115,8 @@ EXPORTS
krb5_cc_register
krb5_cc_remove_cred
krb5_cc_resolve
+ krb5_cc_resolve_sub
+ krb5_cc_resolve_for
krb5_cc_retrieve_cred
krb5_cc_set_config
krb5_cc_set_default_name
@@ -187,6 +194,7 @@ EXPORTS
krb5_crypto_init
krb5_crypto_overhead
krb5_crypto_prf
+ krb5_crypto_prfplus
krb5_crypto_prf_length
krb5_crypto_length
krb5_crypto_length_iov
@@ -199,6 +207,7 @@ EXPORTS
krb5_data_free
krb5_data_realloc
krb5_data_zero
+ krb5_debug
krb5_decode_Authenticator
krb5_decode_ETYPE_INFO2
krb5_decode_ETYPE_INFO
@@ -366,11 +375,13 @@ EXPORTS
krb5_get_init_creds_opt_set_tkt_life
krb5_get_init_creds_opt_set_win2k
krb5_get_init_creds_password
+ krb5_get_instance
krb5_get_kdc_cred
krb5_get_kdc_sec_offset
krb5_get_krb524hst
krb5_get_krb_admin_hst
krb5_get_krb_changepw_hst
+ krb5_get_krb_readonly_admin_hst
krb5_get_krbhst
krb5_get_max_time_skew
krb5_get_pw_salt
@@ -385,11 +396,13 @@ EXPORTS
krb5_h_addr2sockaddr
krb5_h_errno_to_heim_errno
krb5_have_error_string
+ krb5_have_debug
krb5_hmac
krb5_init_context
krb5_init_ets
krb5_initlog
krb5_is_config_principal
+ krb5_is_enctype_old
krb5_is_enctype_weak
krb5_is_thread_safe
#ifdef HAVE_KCM
@@ -435,13 +448,29 @@ EXPORTS
krb5_kt_resolve
krb5_kt_start_seq_get
krb5_kuserok
+ krb5_kx509
+ krb5_kx509_ctx_add_eku
+ krb5_kx509_ctx_add_san_dns_name
+ krb5_kx509_ctx_add_san_ms_upn
+ krb5_kx509_ctx_add_san_pkinit
+ krb5_kx509_ctx_add_san_registeredID
+ krb5_kx509_ctx_add_san_rfc822Name
+ krb5_kx509_ctx_add_san_xmpp
+ krb5_kx509_ctx_free
+ krb5_kx509_ctx_init
+ krb5_kx509_ctx_set_csr_der
+ krb5_kx509_ctx_set_key
+ krb5_kx509_ctx_set_realm
+ krb5_kx509_ext
krb5_log
krb5_log_msg
krb5_make_addrport
krb5_make_principal
krb5_max_sockaddr_size
+ krb5_mk_1cred
krb5_mk_error
krb5_mk_error_ext
+ krb5_mk_ncred
krb5_mk_priv
krb5_mk_rep
krb5_mk_req
@@ -473,11 +502,14 @@ EXPORTS
krb5_pac_add_buffer
krb5_pac_free
krb5_pac_get_buffer
+ _krb5_pac_get_buffer_by_name
+ krb5_pac_get_kdc_checksum_info
krb5_pac_get_types
krb5_pac_init
krb5_pac_parse
krb5_pac_verify
krb5_padata_add
+ _krb5_parse_address_no_lookup
krb5_parse_address
krb5_parse_name
krb5_parse_name_flags
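Review bot: `_krb5_pac_get_buffer_by_name` and `_krb5_parse_address_no_lookup` are underscore-prefixed internal symbols inserted into the public, alphabetised part of the export list, while the rest of this file keeps private entry points under dedicated `; Shared with …` sections (as the later hunks in this file do for the other `_krb5_*` helpers). On Windows this .def is the exported ABI, so listing them among the public API removes the only signal that they are not supported interfaces and makes them harder to retire later. Move the two lines into the appropriate `; Shared with …` section, or at minimum annotate them, e.g. `_krb5_pac_get_buffer_by_name ; private`; which library actually needs them is not visible here, so the section to use should be checked against the consumers.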
@@ -498,7 +530,9 @@ EXPORTS
krb5_principal_get_realm
krb5_principal_get_type
krb5_principal_is_anonymous
+ krb5_principal_is_federated
krb5_principal_is_krbtgt
+ krb5_principal_is_root_krbtgt
krb5_principal_match
krb5_principal_set_comp_string
krb5_principal_set_realm
@@ -578,6 +612,9 @@ EXPORTS
krb5_sendto_ctx_set_type
krb5_sendto_kdc
krb5_sendto_kdc_flags
+ krb5_sendto_set_hostname
+ krb5_sendto_set_sitename
+ krb5_set_config
krb5_set_config_files
krb5_set_debug_dest
krb5_set_default_in_tkt_etypes
@@ -590,6 +627,7 @@ EXPORTS
krb5_set_home_dir_access
krb5_set_ignore_addresses
krb5_set_kdc_sec_offset
+ krb5_set_log_dest
krb5_set_max_time_skew
krb5_set_password
krb5_set_password_using_ccache
@@ -616,6 +654,7 @@ EXPORTS
krb5_storage_get_eof_code
krb5_storage_is_flags
krb5_storage_read
+ krb5_storage_stdio_from_fd
krb5_storage_seek
krb5_storage_set_byteorder
krb5_storage_set_eof_code
@@ -627,9 +666,11 @@ EXPORTS
krb5_store_address
krb5_store_addrs
krb5_store_authdata
+ krb5_store_bytes
krb5_store_creds
krb5_store_creds_tag
krb5_store_data
+ krb5_store_datalen
krb5_store_int16
krb5_store_int32
krb5_store_int64
@@ -653,11 +694,13 @@ EXPORTS
krb5_string_to_key_derived
krb5_string_to_key_salt
krb5_string_to_key_salt_opaque
+ krb5_string_to_keysalts2
krb5_string_to_keytype
krb5_string_to_salttype
krb5_ticket_get_authorization_data_type
krb5_ticket_get_client
krb5_ticket_get_endtime
+ krb5_ticket_get_times
krb5_ticket_get_server
krb5_timeofday
krb5_unparse_name
@@ -707,6 +750,7 @@ EXPORTS
krb5_cccol_cursor_new
krb5_cccol_cursor_next
krb5_cccol_cursor_free
+ krb5_cccol_get_default_ccname
; com_err error tables
initialize_krb5_error_table_r
@@ -717,6 +761,8 @@ EXPORTS
initialize_heim_error_table
initialize_k524_error_table_r
initialize_k524_error_table
+ initialize_k5e1_error_table_r
+ initialize_k5e1_error_table
; variables
krb5_mcc_ops DATA
@@ -728,6 +774,9 @@ EXPORTS
#ifdef HAVE_KCM
krb5_kcm_ops DATA
#endif
+#ifdef HAVE_KEYUTILS
+ krb5_krcc_ops DATA
+#endif
krb5_wrfkt_ops DATA
krb5_mkt_ops DATA
krb5_akf_ops DATA
@@ -740,6 +789,7 @@ EXPORTS
krb5_cc_type_file DATA
krb5_cc_type_memory DATA
krb5_cc_type_kcm DATA
+ krb5_cc_type_keyring DATA
krb5_cc_type_scc DATA
; Shared with GSSAPI krb5
@@ -747,6 +797,26 @@ EXPORTS
_krb5_crc_update
_krb5_get_krbtgt
_krb5_build_authenticator
+ _krb5_kt_client_default_name
+ _krb5_have_debug
+ _krb5_SP800_108_HMAC_KDF
+ _krb5_get_ad
+
+ ; Shared with GSSAPI preauth wrapper
+ _krb5_init_creds_set_gss_mechanism
+ _krb5_init_creds_get_gss_mechanism
+ _krb5_init_creds_set_gss_cred
+ _krb5_init_creds_get_gss_cred
+ _krb5_init_creds_init_gss
+
+ ; Private init_creds API
+ _krb5_init_creds_get_cred_starttime
+ _krb5_init_creds_get_cred_endtime
+ _krb5_init_creds_get_cred_client
+
+ ; Shared with libkadm5
+ _krb5_load_plugins
+ _krb5_unload_plugins
; Shared with libkdc
_krb5_AES_SHA1_string_to_default_iterator
@@ -756,6 +826,12 @@ EXPORTS
_krb5_get_int
_krb5_get_int64
_krb5_pac_sign
+ _krb5_pac_get_attributes_info
+ _krb5_pac_get_canon_principal
+ _krb5_kdc_pac_sign_ticket
+ _krb5_kdc_pac_ticket_parse
+ _kdc_tkt_insert_pac
+ _kdc_tkt_add_if_relevant_ad
_krb5_parse_moduli
_krb5_pk_kdf
_krb5_pk_load_id
@@ -765,10 +841,15 @@ EXPORTS
_krb5_enctype_requires_random_salt
_krb5_principal2principalname
_krb5_principalname2krb5_principal
+ _krb5_kdcrep2krb5_principal
+ _krb5_ticket2krb5_principal
_krb5_put_int
_krb5_s4u2self_to_checksumdata
_krb5_HMAC_MD5_checksum
+ _krb5_crypto_set_flags
_krb5_expand_path_tokens ;!
+ _krb5_make_pa_enc_challenge
+ _krb5_validate_pa_enc_challenge
; kinit helper
krb5_get_init_creds_opt_set_pkinit_user_certs
@@ -777,30 +858,38 @@ EXPORTS
krb5_auth_con_getsendsubkey
krb5_init_creds_free
krb5_init_creds_get
+ krb5_init_creds_get_as_reply_key
krb5_init_creds_get_creds
krb5_init_creds_get_error
krb5_init_creds_init
+ krb5_init_creds_set_fast_anon_pkinit
+ _krb5_init_creds_set_fast_anon_pkinit_optimistic
krb5_init_creds_set_fast_ccache
krb5_init_creds_set_keytab
+ krb5_init_creds_set_kdc_hostname
krb5_init_creds_set_password
krb5_init_creds_set_service
+ krb5_init_creds_set_sitename
+ krb5_init_creds_step
krb5_init_creds_store
+ krb5_init_creds_store_config
+ krb5_init_creds_warn_user
krb5_process_last_request
; testing
;! _krb5_aes_cts_encrypt
+ krb5_time_abs;
_krb5_n_fold
_krb5_expand_default_cc_name
; FAST
_krb5_fast_cf2
_krb5_fast_armor_key
+ _krb5_fast_explicit_armor_key
; Recent additions
krb5_cc_type_dcc;
krb5_dcc_ops;
- _krb5_plugin_find;
- _krb5_plugin_free;
_krb5_expand_path_tokensv;
_krb5_find_capath;
_krb5_free_capath;
diff --git a/lib/krb5/locate_plugin.h b/lib/krb5/locate_plugin.h
index 52ef0f380ee4..7fcb5ec6f5a0 100644
--- a/lib/krb5/locate_plugin.h
+++ b/lib/krb5/locate_plugin.h
@@ -38,6 +38,8 @@
#ifndef HEIMDAL_KRB5_LOCATE_PLUGIN_H
#define HEIMDAL_KRB5_LOCATE_PLUGIN_H 1
+#include <heimbase-svc.h>
+
#define KRB5_PLUGIN_LOCATE "service_locator"
#define KRB5_PLUGIN_LOCATE_VERSION 1
#define KRB5_PLUGIN_LOCATE_VERSION_0 0
@@ -70,9 +72,7 @@ typedef krb5_error_code
typedef struct krb5plugin_service_locate_ftable {
- int minor_version;
- krb5_error_code (KRB5_CALLCONV *init)(krb5_context, void **);
- void (KRB5_CALLCONV *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5plugin_service_locate_lookup_old old_lookup;
krb5plugin_service_locate_lookup lookup; /* version 2 */
} krb5plugin_service_locate_ftable;
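Review bot: Replacing the three explicit members with `HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context)` makes the ftable's binary layout depend on a macro from heimbase-svc.h that is not shown in this diff; if its expansion is anything other than `int minor_version;` followed by the `init` and `fini` pointers with the same types and order, every out-of-tree locate plugin built against the old header is silently mis-laid-out at load time, yet `KRB5_PLUGIN_LOCATE_VERSION` stays at 1 in the earlier hunk. Worth confirming the expansion is layout-identical, and bumping the version if it is not. A one-line comment above the macro use such as `/* must expand to minor_version/init/fini; layout is ABI for version 1 plugins */` would record the constraint for the next person who touches heimbase-svc.h.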
diff --git a/lib/krb5/log.c b/lib/krb5/log.c
index 2d66ae4c9090..306431a5ca7e 100644
--- a/lib/krb5/log.c
+++ b/lib/krb5/log.c
@@ -34,330 +34,77 @@
*/
#include "krb5_locl.h"
+#include <assert.h>
#include <vis.h>
-struct facility {
- int min;
- int max;
- krb5_log_log_func_t log_func;
- krb5_log_close_func_t close_func;
- void *data;
-};
-
-static struct facility*
-log_realloc(krb5_log_facility *f)
-{
- struct facility *fp;
- fp = realloc(f->val, (f->len + 1) * sizeof(*f->val));
- if(fp == NULL)
- return NULL;
- f->len++;
- f->val = fp;
- fp += f->len - 1;
- return fp;
-}
-
-struct s2i {
- const char *s;
- int val;
-};
-
-#define L(X) { #X, LOG_ ## X }
-
-static struct s2i syslogvals[] = {
- L(EMERG),
- L(ALERT),
- L(CRIT),
- L(ERR),
- L(WARNING),
- L(NOTICE),
- L(INFO),
- L(DEBUG),
-
- L(AUTH),
-#ifdef LOG_AUTHPRIV
- L(AUTHPRIV),
-#endif
-#ifdef LOG_CRON
- L(CRON),
-#endif
- L(DAEMON),
-#ifdef LOG_FTP
- L(FTP),
-#endif
- L(KERN),
- L(LPR),
- L(MAIL),
-#ifdef LOG_NEWS
- L(NEWS),
-#endif
- L(SYSLOG),
- L(USER),
-#ifdef LOG_UUCP
- L(UUCP),
-#endif
- L(LOCAL0),
- L(LOCAL1),
- L(LOCAL2),
- L(LOCAL3),
- L(LOCAL4),
- L(LOCAL5),
- L(LOCAL6),
- L(LOCAL7),
- { NULL, -1 }
-};
-
-static int
-find_value(const char *s, struct s2i *table)
-{
- while(table->s && strcasecmp(table->s, s))
- table++;
- return table->val;
-}
-
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_initlog(krb5_context context,
const char *program,
krb5_log_facility **fac)
{
- krb5_log_facility *f = calloc(1, sizeof(*f));
- if (f == NULL)
- return krb5_enomem(context);
- f->program = strdup(program);
- if(f->program == NULL){
- free(f);
- return krb5_enomem(context);
- }
- *fac = f;
- return 0;
+ return heim_initlog(context->hcontext, program, fac);
}
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_addlog_func(krb5_context context,
- krb5_log_facility *fac,
- int min,
- int max,
- krb5_log_log_func_t log_func,
- krb5_log_close_func_t close_func,
- void *data)
-{
- struct facility *fp = log_realloc(fac);
- if (fp == NULL)
- return krb5_enomem(context);
- fp->min = min;
- fp->max = max;
- fp->log_func = log_func;
- fp->close_func = close_func;
- fp->data = data;
- return 0;
-}
-
-
-struct _heimdal_syslog_data{
- int priority;
+struct krb5_addlog_func_wrapper {
+ krb5_context context;
+ krb5_log_log_func_t log_func;
+ krb5_log_close_func_t close_func;
+ void *data;
};
-static void KRB5_CALLCONV
-log_syslog(const char *timestr,
- const char *msg,
- void *data)
-
+static void HEIM_CALLCONV
+krb5_addlog_func_wrapper_log(heim_context hcontext,
+ const char *prefix,
+ const char *msg,
+ void *data)
{
- struct _heimdal_syslog_data *s = data;
- syslog(s->priority, "%s", msg);
-}
+ struct krb5_addlog_func_wrapper *w = data;
-static void KRB5_CALLCONV
-close_syslog(void *data)
-{
- free(data);
- closelog();
+ w->log_func(w->context,
+ prefix,
+ msg,
+ w->data);
}
-static krb5_error_code
-open_syslog(krb5_context context,
- krb5_log_facility *facility, int min, int max,
- const char *sev, const char *fac)
+static void HEIM_CALLCONV
+krb5_addlog_func_wrapper_close(void *data)
{
- struct _heimdal_syslog_data *sd = malloc(sizeof(*sd));
- int i;
+ struct krb5_addlog_func_wrapper *w = data;
- if (sd == NULL)
- return krb5_enomem(context);
- i = find_value(sev, syslogvals);
- if(i == -1)
- i = LOG_ERR;
- sd->priority = i;
- i = find_value(fac, syslogvals);
- if(i == -1)
- i = LOG_AUTH;
- sd->priority |= i;
- roken_openlog(facility->program, LOG_PID | LOG_NDELAY, i);
- return krb5_addlog_func(context, facility, min, max,
- log_syslog, close_syslog, sd);
+ w->close_func(w->data);
+ free(w);
}
-struct file_data{
- const char *filename;
- const char *mode;
- FILE *fd;
- int keep_open;
- int freefilename;
-};
-
-static void KRB5_CALLCONV
-log_file(const char *timestr,
- const char *msg,
- void *data)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_addlog_func(krb5_context context,
+ krb5_log_facility *fac,
+ int min,
+ int max,
+ krb5_log_log_func_t log_func,
+ krb5_log_close_func_t close_func,
+ void *data)
{
- struct file_data *f = data;
- char *msgclean;
- size_t len = strlen(msg);
- if(f->keep_open == 0)
- f->fd = fopen(f->filename, f->mode);
- if(f->fd == NULL)
- return;
- /* make sure the log doesn't contain special chars */
- msgclean = malloc((len + 1) * 4);
- if (msgclean == NULL)
- goto out;
- strvisx(msgclean, rk_UNCONST(msg), len, VIS_OCTAL);
- fprintf(f->fd, "%s %s\n", timestr, msgclean);
- free(msgclean);
- out:
- if(f->keep_open == 0) {
- fclose(f->fd);
- f->fd = NULL;
- }
-}
+ struct krb5_addlog_func_wrapper *w = NULL;
-static void KRB5_CALLCONV
-close_file(void *data)
-{
- struct file_data *f = data;
- if(f->keep_open && f->filename)
- fclose(f->fd);
- if (f->filename && f->freefilename)
- free((char *)f->filename);
- free(data);
-}
-
-static krb5_error_code
-open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
- const char *filename, const char *mode, FILE *f, int keep_open,
- int freefilename)
-{
- struct file_data *fd = malloc(sizeof(*fd));
- if (fd == NULL) {
- if (freefilename && filename)
- free((char *)filename);
+ w = calloc(1, sizeof(*w));
+ if (w == NULL)
return krb5_enomem(context);
- }
- fd->filename = filename;
- fd->mode = mode;
- fd->fd = f;
- fd->keep_open = keep_open;
- fd->freefilename = freefilename;
-
- return krb5_addlog_func(context, fac, min, max, log_file, close_file, fd);
-}
+ w->context = context;
+ w->log_func = log_func;
+ w->close_func = close_func;
+ w->data = data;
+ return heim_addlog_func(context->hcontext, fac, min, max,
+ krb5_addlog_func_wrapper_log,
+ krb5_addlog_func_wrapper_close,
+ w);
+}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
{
- krb5_error_code ret = 0;
- int min = 0, max = -1, n;
- char c;
- const char *p = orig;
-#ifdef _WIN32
- const char *q;
-#endif
-
- n = sscanf(p, "%d%c%d/", &min, &c, &max);
- if(n == 2){
- if(ISPATHSEP(c)) {
- if(min < 0){
- max = -min;
- min = 0;
- }else{
- max = min;
- }
- }
- }
- if(n){
-#ifdef _WIN32
- q = strrchr(p, '\\');
- if (q != NULL)
- p = q;
- else
-#endif
- p = strchr(p, '/');
- if(p == NULL) {
- krb5_set_error_message(context, HEIM_ERR_LOG_PARSE,
- N_("failed to parse \"%s\"", ""), orig);
- return HEIM_ERR_LOG_PARSE;
- }
- p++;
- }
- if(strcmp(p, "STDERR") == 0){
- ret = open_file(context, f, min, max, NULL, NULL, stderr, 1, 0);
- }else if(strcmp(p, "CONSOLE") == 0){
- ret = open_file(context, f, min, max, "/dev/console", "w", NULL, 0, 0);
- }else if(strncmp(p, "FILE", 4) == 0 && (p[4] == ':' || p[4] == '=')){
- char *fn;
- FILE *file = NULL;
- int keep_open = 0;
- fn = strdup(p + 5);
- if (fn == NULL)
- return krb5_enomem(context);
- if(p[4] == '='){
- int i = open(fn, O_WRONLY | O_CREAT |
- O_TRUNC | O_APPEND, 0666);
- if(i < 0) {
- ret = errno;
- krb5_set_error_message(context, ret,
- N_("open(%s) logfile: %s", ""), fn,
- strerror(ret));
- free(fn);
- return ret;
- }
- rk_cloexec(i);
- file = fdopen(i, "a");
- if(file == NULL){
- ret = errno;
- close(i);
- krb5_set_error_message(context, ret,
- N_("fdopen(%s) logfile: %s", ""),
- fn, strerror(ret));
- free(fn);
- return ret;
- }
- keep_open = 1;
- }
- ret = open_file(context, f, min, max, fn, "a", file, keep_open, 1);
- }else if(strncmp(p, "DEVICE", 6) == 0 && (p[6] == ':' || p[6] == '=')){
- ret = open_file(context, f, min, max, strdup(p + 7), "w", NULL, 0, 1);
- }else if(strncmp(p, "SYSLOG", 6) == 0 && (p[6] == '\0' || p[6] == ':')){
- char severity[128] = "";
- char facility[128] = "";
- p += 6;
- if(*p != '\0')
- p++;
- if(strsep_copy(&p, ":", severity, sizeof(severity)) != -1)
- strsep_copy(&p, ":", facility, sizeof(facility));
- if(*severity == '\0')
- strlcpy(severity, "ERR", sizeof(severity));
- if(*facility == '\0')
- strlcpy(facility, "AUTH", sizeof(facility));
- ret = open_syslog(context, f, min, max, severity, facility);
- }else{
- ret = HEIM_ERR_LOG_PARSE; /* XXX */
- krb5_set_error_message (context, ret,
- N_("unknown log type: %s", ""), p);
- }
- return ret;
+ return heim_addlog_dest(context->hcontext, f, orig);
}
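Review bot: `krb5_addlog_func` leaks the wrapper when registration fails: the new body at the end of the hunk returns the result of `heim_addlog_func(...)` directly, so the calloc'd `w` is never freed on a non-zero return, and nothing visible here shows heimbase invoking the close callback on failure. Declare a `krb5_error_code ret` and finish with `ret = heim_addlog_func(context->hcontext, fac, min, max, krb5_addlog_func_wrapper_log, krb5_addlog_func_wrapper_close, w); if (ret) free(w); return ret;`. Separately, the removed file logger ran every message through `strvisx(..., VIS_OCTAL)` before writing it, which is what kept attacker-influenced principal names and error strings from injecting newlines or terminal escape sequences into log files; the new code delegates to `heim_addlog_dest` and this hunk does not show whether that sanitization survived, so it should be confirmed in heimbase (and `<vis.h>` appears unused in this file now). `krb5_addlog_func_wrapper_close` still calls `w->close_func` unconditionally, matching the removed `krb5_closelog` loop, so a NULL close_func remains a caller error as before.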
@@ -367,37 +114,21 @@ krb5_openlog(krb5_context context,
krb5_log_facility **fac)
{
krb5_error_code ret;
- char **p, **q;
-
- ret = krb5_initlog(context, program, fac);
- if(ret)
- return ret;
+ char **p;
p = krb5_config_get_strings(context, NULL, "logging", program, NULL);
- if(p == NULL)
+ if (p == NULL)
p = krb5_config_get_strings(context, NULL, "logging", "default", NULL);
- if(p){
- for(q = p; *q && ret == 0; q++)
- ret = krb5_addlog_dest(context, *fac, *q);
- krb5_config_free_strings(p);
- }else
- ret = krb5_addlog_dest(context, *fac, "SYSLOG");
+ ret = heim_openlog(context->hcontext, program, (const char **)p, fac);
+ krb5_config_free_strings(p);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_closelog(krb5_context context,
- krb5_log_facility *fac)
+ krb5_log_facility *fac)
{
- int i;
- for(i = 0; i < fac->len; i++)
- (*fac->val[i].close_func)(fac->val[i].data);
- free(fac->val);
- free(fac->program);
- fac->val = NULL;
- fac->len = 0;
- fac->program = NULL;
- free(fac);
+ heim_closelog(context->hcontext, fac);
return 0;
}
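Review bot: The fallback to a `SYSLOG` destination when neither `[logging] program` nor `[logging] default` is configured is gone, and `heim_openlog` is now called with `p == NULL` in that case; unless heim_openlog supplies an equivalent default (not visible here), a daemon with no logging stanza would silently lose its log output. The old `krb5_initlog` call is also dropped, so allocation of `*fac` is presumably now heim_openlog's job. Worth stating the assumption at the call, `/* p may be NULL; heim_openlog() is expected to allocate *fac and pick the default (SYSLOG) destination */`, so the next reader does not re-add the fallback by reflex.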
@@ -413,34 +144,7 @@ krb5_vlog_msg(krb5_context context,
va_list ap)
__attribute__ ((__format__ (__printf__, 5, 0)))
{
-
- char *msg = NULL;
- const char *actual = NULL;
- char buf[64];
- time_t t = 0;
- int i;
-
- for(i = 0; fac && i < fac->len; i++)
- if(fac->val[i].min <= level &&
- (fac->val[i].max < 0 || fac->val[i].max >= level)) {
- if(t == 0) {
- t = time(NULL);
- krb5_format_time(context, t, buf, sizeof(buf), TRUE);
- }
- if(actual == NULL) {
- int ret = vasprintf(&msg, fmt, ap);
- if(ret < 0 || msg == NULL)
- actual = fmt;
- else
- actual = msg;
- }
- (*fac->val[i].log_func)(buf, actual, fac->val[i].data);
- }
- if(reply == NULL)
- free(msg);
- else
- *reply = msg;
- return 0;
+ return heim_vlog_msg(context->hcontext, fac, reply, level, fmt, ap);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
@@ -451,7 +155,7 @@ krb5_vlog(krb5_context context,
va_list ap)
__attribute__ ((__format__ (__printf__, 4, 0)))
{
- return krb5_vlog_msg(context, fac, NULL, level, fmt, ap);
+ return heim_vlog_msg(context->hcontext, fac, NULL, level, fmt, ap);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
@@ -467,7 +171,7 @@ krb5_log_msg(krb5_context context,
krb5_error_code ret;
va_start(ap, fmt);
- ret = krb5_vlog_msg(context, fac, reply, level, fmt, ap);
+ ret = heim_vlog_msg(context->hcontext, fac, reply, level, fmt, ap);
va_end(ap);
return ret;
}
@@ -485,7 +189,7 @@ krb5_log(krb5_context context,
krb5_error_code ret;
va_start(ap, fmt);
- ret = krb5_vlog(context, fac, level, fmt, ap);
+ ret = heim_vlog(context->hcontext, fac, level, fmt, ap);
va_end(ap);
return ret;
}
@@ -499,36 +203,50 @@ _krb5_debug(krb5_context context,
{
va_list ap;
- if (context == NULL || context->debug_dest == NULL)
- return;
+ va_start(ap, fmt);
+ if (context && context->hcontext)
+ heim_vdebug(context->hcontext, level, fmt, ap);
+ va_end(ap);
+}
+
+void KRB5_LIB_FUNCTION
+krb5_debug(krb5_context context,
+ int level,
+ const char *fmt,
+ ...)
+ __attribute__ ((__format__ (__printf__, 3, 4)))
+{
+ va_list ap;
va_start(ap, fmt);
- krb5_vlog(context, context->debug_dest, level, fmt, ap);
+ if (context && context->hcontext)
+ heim_vdebug(context->hcontext, level, fmt, ap);
va_end(ap);
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_have_debug(krb5_context context, int level)
{
- if (context == NULL || context->debug_dest == NULL)
- return 0 ;
- return 1;
+ if (context == NULL || context->hcontext == NULL)
+ return 0;
+ return heim_have_debug(context->hcontext, level);
+}
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_have_debug(krb5_context context, int level)
+{
+ return _krb5_have_debug(context, level);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_debug_dest(krb5_context context, const char *program,
const char *log_spec)
{
- krb5_error_code ret;
-
- if (context->debug_dest == NULL) {
- ret = krb5_initlog(context, program, &context->debug_dest);
- if (ret)
- return ret;
- }
+ return heim_add_debug_dest(context->hcontext, program, log_spec);
+}
- ret = krb5_addlog_dest(context, context->debug_dest, log_spec);
- if (ret)
- return ret;
- return 0;
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_set_log_dest(krb5_context context, krb5_log_facility *fac)
+{
+ return heim_set_log_dest(context->hcontext, fac);
}
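Review bot: krb5_set_debug_dest and krb5_set_log_dest dereference `context->hcontext` without the `context == NULL || context->hcontext == NULL` guard that _krb5_debug and _krb5_have_debug apply in the same hunk, so the two public entry points crash rather than fail on a NULL context. Either guard them the same way, e.g. `if (context == NULL || context->hcontext == NULL) return EINVAL;`, or document that a fully initialised context is required. Separately, the new `krb5_debug` is declared `void KRB5_LIB_FUNCTION krb5_debug(...)` with no `KRB5_LIB_CALL`, unlike every sibling here (`KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL`); on targets where KRB5_LIB_CALL names a calling convention that mismatch would matter. The newly exported krb5_debug and krb5_have_debug also carry no doxygen comment describing `level`.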
diff --git a/lib/krb5/mcache.c b/lib/krb5/mcache.c
index e45bc1b0a77f..b381cae8008d 100644
--- a/lib/krb5/mcache.c
+++ b/lib/krb5/mcache.c
@@ -38,7 +38,8 @@
typedef struct krb5_mcache {
char *name;
unsigned int refcnt;
- int dead;
+ unsigned int anonymous:1;
+ unsigned int dead:1;
krb5_principal primary_principal;
struct link {
krb5_creds cred;
@@ -57,42 +58,90 @@ static struct krb5_mcache *mcc_head;
#define MISDEAD(X) ((X)->dead)
-static const char* KRB5_CALLCONV
-mcc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+mcc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **col,
+ const char **sub)
{
- return MCACHE(id)->name;
+ if (name)
+ *name = MCACHE(id)->name;
+ if (col)
+ *col = NULL;
+ if (sub)
+ *sub = MCACHE(id)->name;
+ return 0;
}
-static krb5_mcache * KRB5_CALLCONV
-mcc_alloc(const char *name)
+static krb5_error_code
+mcc_alloc(krb5_context context, const char *name, krb5_mcache **out)
{
krb5_mcache *m, *m_c;
+ size_t counter = 0;
int ret = 0;
+ *out = NULL;
ALLOC(m, 1);
if(m == NULL)
- return NULL;
+ return krb5_enomem(context);
+
+again:
+ if (counter > 3) {
+ free(m->name);
+ free(m);
+ return EAGAIN; /* XXX */
+ }
if(name == NULL)
- ret = asprintf(&m->name, "%p", m);
+ ret = asprintf(&m->name, "u%p-%llu", m, (unsigned long long)counter);
else
m->name = strdup(name);
if(ret < 0 || m->name == NULL) {
free(m);
- return NULL;
+ return krb5_enomem(context);
}
+ if (strcmp(m->name, "anonymous") == 0) {
+ HEIMDAL_MUTEX_init(&(m->mutex));
+ m->anonymous = 1;
+ m->dead = 0;
+ m->refcnt = 1;
+ m->primary_principal = NULL;
+ m->creds = NULL;
+ m->mtime = time(NULL);
+ m->kdc_offset = 0;
+ m->next = NULL;
+ *out = m;
+ return 0;
+ }
+
/* check for dups first */
HEIMDAL_MUTEX_lock(&mcc_mutex);
for (m_c = mcc_head; m_c != NULL; m_c = m_c->next)
- if (strcmp(m->name, m_c->name) == 0)
- break;
+ if (strcmp(m->name, m_c->name) == 0)
+ break;
if (m_c) {
- free(m->name);
- free(m);
- HEIMDAL_MUTEX_unlock(&mcc_mutex);
- return NULL;
+ if (name) {
+ /* We raced with another thread to create this cache */
+ free(m->name);
+ free(m);
+ m = m_c;
+ HEIMDAL_MUTEX_lock(&(m->mutex));
+ m->refcnt++;
+ HEIMDAL_MUTEX_unlock(&(m->mutex));
+ } else {
+ /* How likely are we to conflict on new_unique anyways?? */
+ counter++;
+ free(m->name);
+ m->name = NULL;
+ HEIMDAL_MUTEX_unlock(&mcc_mutex);
+ goto again;
+ }
+ HEIMDAL_MUTEX_unlock(&mcc_mutex);
+ *out = m;
+ return 0;
}
+ m->anonymous = 0;
m->dead = 0;
m->refcnt = 1;
m->primary_principal = NULL;
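Review bot: The retry-exhausted branch in mcc_alloc returns a bare `EAGAIN` with no krb5_set_error_message, while every other failure path in the function records one via krb5_enomem; callers printing krb5_get_error_message would get a generic errno string for a MEMORY-cache naming failure. Suggest `ret = EAGAIN; krb5_set_error_message(context, ret, "failed to allocate a unique MEMORY cache name"); return ret;` and dropping the `/* XXX */`. The `free(m->name)` in that branch is always `free(NULL)`, since the only path to `again` with `counter > 3` sets `m->name = NULL` first, so it can go. mcc_alloc continues past the end of this hunk.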
@@ -103,35 +152,21 @@ mcc_alloc(const char *name)
HEIMDAL_MUTEX_init(&(m->mutex));
mcc_head = m;
HEIMDAL_MUTEX_unlock(&mcc_mutex);
- return m;
+ *out = m;
+ return 0;
}
static krb5_error_code KRB5_CALLCONV
-mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+mcc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
+ krb5_error_code ret;
krb5_mcache *m;
- HEIMDAL_MUTEX_lock(&mcc_mutex);
- for (m = mcc_head; m != NULL; m = m->next)
- if (strcmp(m->name, res) == 0)
- break;
- HEIMDAL_MUTEX_unlock(&mcc_mutex);
-
- if (m != NULL) {
- HEIMDAL_MUTEX_lock(&(m->mutex));
- m->refcnt++;
- HEIMDAL_MUTEX_unlock(&(m->mutex));
- (*id)->data.data = m;
- (*id)->data.length = sizeof(*m);
- return 0;
- }
-
- m = mcc_alloc(res);
- if (m == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
+ if ((ret = mcc_alloc(context, sub && *sub ? sub : res, &m)))
+ return ret;
(*id)->data.data = m;
(*id)->data.length = sizeof(*m);
@@ -143,15 +178,11 @@ mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
static krb5_error_code KRB5_CALLCONV
mcc_gen_new(krb5_context context, krb5_ccache *id)
{
+ krb5_error_code ret;
krb5_mcache *m;
- m = mcc_alloc(NULL);
-
- if (m == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- return KRB5_CC_NOMEM;
- }
+ if ((ret = mcc_alloc(context, NULL, &m)))
+ return ret;
(*id)->data.data = m;
(*id)->data.length = sizeof(*m);
@@ -221,7 +252,7 @@ mcc_close_internal(krb5_mcache *m)
return 0;
}
if (MISDEAD(m)) {
- free (m->name);
+ free(m->name);
HEIMDAL_MUTEX_unlock(&(m->mutex));
return 1;
}
@@ -248,6 +279,18 @@ mcc_destroy(krb5_context context,
{
krb5_mcache **n, *m = MCACHE(id);
+ if (m->anonymous) {
+ HEIMDAL_MUTEX_lock(&(m->mutex));
+ if (m->refcnt == 0) {
+ HEIMDAL_MUTEX_unlock(&(m->mutex));
+ krb5_abortx(context, "mcc_destroy: refcnt already 0");
+ }
+ if (!MISDEAD(m))
+ mcc_destroy_internal(context, m);
+ HEIMDAL_MUTEX_unlock(&(m->mutex));
+ return 0;
+ }
+
HEIMDAL_MUTEX_lock(&mcc_mutex);
HEIMDAL_MUTEX_lock(&(m->mutex));
if (m->refcnt == 0)
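Review bot: The anonymous branch added to mcc_destroy calls mcc_destroy_internal but neither sets `m->dead` nor touches `m->refcnt`, whereas mcc_close_internal (hunk above) frees `m->name` only when MISDEAD(m). If mcc_destroy_internal does not itself mark the cache dead (its body is outside this hunk), an anonymous cache that is destroyed and then closed would leak its name, and a second destroy on the same handle would walk the credential list again. State the ownership rule in a comment, `/* anonymous caches are never on mcc_head; the last close frees the struct */`, and add `m->dead = 1;` after the mcc_destroy_internal call if destroy_internal does not set it. mcc_destroy continues below the hunk.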
@@ -290,12 +333,8 @@ mcc_store_cred(krb5_context context,
}
l = malloc (sizeof(*l));
- if (l == NULL) {
- krb5_set_error_message(context, KRB5_CC_NOMEM,
- N_("malloc: out of memory", ""));
- HEIMDAL_MUTEX_unlock(&(m->mutex));
- return KRB5_CC_NOMEM;
- }
+ if (l == NULL)
+ return krb5_enomem(context);
l->next = m->creds;
m->creds = l;
memset (&l->cred, 0, sizeof(l->cred));
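Review bot: The new `if (l == NULL) return krb5_enomem(context);` drops the `HEIMDAL_MUTEX_unlock(&(m->mutex))` that the removed block performed, so on allocation failure mcc_store_cred returns with `m->mutex` still held and the next operation on that cache deadlocks. The lock is acquired earlier in the function, outside this hunk, which is why the old error path unlocked. Restore it: `if (l == NULL) { HEIMDAL_MUTEX_unlock(&(m->mutex)); return krb5_enomem(context); }`.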
@@ -519,8 +558,8 @@ mcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
HEIMDAL_MUTEX_unlock(&(mfrom->mutex));
HEIMDAL_MUTEX_unlock(&(mto->mutex));
HEIMDAL_MUTEX_unlock(&mcc_mutex);
- mcc_destroy(context, from);
+ krb5_cc_destroy(context, from);
return 0;
}
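Review bot: The return value of krb5_cc_destroy is discarded and mcc_move still returns 0 unconditionally, so a failure to destroy `from` after its contents were moved into `to` is invisible to the caller; if the ops contract permits it, `return krb5_cc_destroy(context, from);` is the one-line fix. Since krb5_cc_destroy presumably also closes the `from` handle (mcc_destroy did not), it is worth a comment at the call, `/* krb5_cc_destroy() also closes `from`; callers must not touch it afterwards */`. mcc_move begins outside this hunk.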
@@ -571,10 +610,10 @@ mcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"MEMORY",
- mcc_get_name,
- mcc_resolve,
+ NULL,
+ NULL,
mcc_gen_new,
mcc_initialize,
mcc_destroy,
@@ -596,5 +635,7 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops = {
NULL,
mcc_lastchange,
mcc_set_kdc_offset,
- mcc_get_kdc_offset
+ mcc_get_kdc_offset,
+ mcc_get_name_2,
+ mcc_resolve_2
};
diff --git a/lib/krb5/mit_glue.c b/lib/krb5/mit_glue.c
index deee242c1e8c..44725f1ad29a 100644
--- a/lib/krb5/mit_glue.c
+++ b/lib/krb5/mit_glue.c
@@ -67,22 +67,23 @@ krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
const krb5_checksum *cksum, krb5_boolean *valid)
{
krb5_error_code ret;
- krb5_checksum data_cksum;
+ krb5_crypto crypto;
*valid = 0;
- ret = krb5_c_make_checksum(context, cksum->cksumtype,
- key, usage, data, &data_cksum);
+ ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
return ret;
- if (data_cksum.cksumtype == cksum->cksumtype
- && krb5_data_ct_cmp(&data_cksum.checksum, &cksum->checksum) == 0)
- *valid = 1;
+ ret = krb5_verify_checksum(context, crypto, usage,
+ data->data, data->length, rk_UNCONST(cksum));
+ krb5_crypto_destroy(context, crypto);
- krb5_free_checksum_contents(context, &data_cksum);
+ if (ret == 0) {
+ *valid = 1;
+ }
- return 0;
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
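Review bot: A checksum mismatch now surfaces as the error from krb5_verify_checksum rather than as `*valid == 0` with a zero return, which is the contract the removed code implemented and the one MIT callers of krb5_c_verify_checksum expect (error codes for operational failure, `*valid` for the verdict). If krb5_verify_checksum reports a mismatch as `KRB5KRB_AP_ERR_BAD_INTEGRITY`, mapping that back preserves the old behaviour: `if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) ret = 0;` before the `if (ret == 0)` that sets `*valid`, with `*valid` staying 0 for the mismatch case. A comment noting that distinction at the `*valid = 1` assignment would prevent the next refactor from reintroducing it.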
diff --git a/lib/krb5/mk_cred.c b/lib/krb5/mk_cred.c
new file mode 100644
index 000000000000..41e858f80588
--- /dev/null
+++ b/lib/krb5/mk_cred.c
@@ -0,0 +1,324 @@
+/*
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+#define CHECKED_ALLOC(dst) do { \
+ if ((ALLOC(dst, 1)) == NULL) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } \
+ } while (0)
+
+#define CHECKED_COPY(cp_func, dst, src) do { \
+ if (cp_func(src, dst)) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } \
+ } while (0)
+#define CHECKED_COPY_PPC2KCI(cp_func, dst, src) \
+ CHECKED_COPY(cp_func, krb_cred_info->dst, &ppcreds[i]->src)
+
+#define CHECKED_ALLOC_ASSIGN(dst, src) do { \
+ if ((ALLOC(dst, 1)) == NULL) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } else \
+ *dst = src; \
+ } while (0)
+#define CHECKED_ALLOC_ASSIGN_PPC2KCI(dst, src) \
+ CHECKED_ALLOC_ASSIGN(krb_cred_info->dst, ppcreds[i]->src)
+
+#define CHECKED_ALLOC_COPY(cp_func, dst, src) do { \
+ if ((ALLOC(dst, 1)) == NULL || cp_func(src, dst)) { \
+ ret = krb5_enomem(context); \
+ goto out; \
+ } \
+ } while (0)
+#define CHECKED_ALLOC_COPY_PPC2KCI(cp_func, dst, src) \
+ CHECKED_ALLOC_COPY(cp_func, krb_cred_info->dst, &ppcreds[i]->src)
+
+/**
+ * Make a KRB-CRED PDU with N credentials.
+ *
+ * @param context A kerberos 5 context.
+ * @param auth_context The auth context with the key to encrypt the out_data.
+ * @param ppcreds A null-terminated array of credentials to forward.
+ * @param ppdata The output KRB-CRED (to be freed by caller).
+ * @param replay_data (unused).
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_credential
+ */
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds **ppcreds, krb5_data **ppdata,
+ krb5_replay_data *replay_data)
+{
+ krb5_error_code ret;
+ krb5_data out_data;
+
+ ret = _krb5_mk_ncred(context, auth_context, ppcreds, &out_data,
+ replay_data);
+ if (ret == 0) {
+ /*
+ * MIT allocates the return structure for no good reason. We do
+ * likewise as, in this case, incompatibility is the greater evil.
+ */
+ *ppdata = calloc(1, sizeof(**ppdata));
+ if (*ppdata) {
+ **ppdata = out_data;
+ } else {
+ krb5_data_free(&out_data);
+ ret = krb5_enomem(context);
+ }
+ }
+
+ return ret;
+}
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_mk_ncred(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_creds **ppcreds,
+ krb5_data *out_data,
+ krb5_replay_data *replay_data)
+{
+ krb5_error_code ret;
+ EncKrbCredPart enc_krb_cred_part;
+ KrbCredInfo *krb_cred_info;
+ krb5_crypto crypto;
+ KRB_CRED cred;
+ unsigned char *buf = NULL;
+ size_t ncreds, i;
+ size_t buf_size;
+ size_t len;
+
+ /*
+ * The ownership of 'buf' is re-assigned to a containing structure
+ * multiple times. We enforce an invariant, either buf is non-zero
+ * and we own it, or buf is zero and it is freed or some structure
+ * owns any storage previously allocated as 'buf'.
+ */
+#define CHOWN_BUF(x, buf) do { (x) = (buf); (buf) = 0; } while (0)
+#define DISOWN_BUF(buf) do { free(buf); (buf) = 0; } while (0)
+
+ for (ncreds = 0; ppcreds[ncreds]; ncreds++)
+ ;
+
+ memset (&cred, 0, sizeof(cred));
+ memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+ cred.pvno = 5;
+ cred.msg_type = krb_cred;
+ ALLOC_SEQ(&cred.tickets, ncreds);
+ if (cred.tickets.val == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ ALLOC_SEQ(&enc_krb_cred_part.ticket_info, ncreds);
+ if (enc_krb_cred_part.ticket_info.val == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ for (i = 0; i < ncreds; i++) {
+ ret = decode_Ticket(ppcreds[i]->ticket.data,
+ ppcreds[i]->ticket.length,
+ &cred.tickets.val[i],
+ &len);/* don't care about len */
+ if (ret)
+ goto out;
+
+ /* fill ticket_info.val[i] */
+ krb_cred_info = &enc_krb_cred_part.ticket_info.val[i];
+
+ CHECKED_COPY(copy_EncryptionKey,
+ &krb_cred_info->key, &ppcreds[i]->session);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_Realm, prealm, client->realm);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_PrincipalName, pname, client->name);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(flags, flags.b);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(authtime, times.authtime);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(starttime, times.starttime);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(endtime, times.endtime);
+ CHECKED_ALLOC_ASSIGN_PPC2KCI(renew_till, times.renew_till);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_Realm, srealm, server->realm);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_PrincipalName, sname, server->name);
+ CHECKED_ALLOC_COPY_PPC2KCI(copy_HostAddresses, caddr, addresses);
+ }
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+ krb5_timestamp sec;
+ int32_t usec;
+
+ krb5_us_timeofday (context, &sec, &usec);
+
+ CHECKED_ALLOC_ASSIGN(enc_krb_cred_part.timestamp, sec);
+ CHECKED_ALLOC_ASSIGN(enc_krb_cred_part.usec, usec);
+ } else {
+ enc_krb_cred_part.timestamp = NULL;
+ enc_krb_cred_part.usec = NULL;
+ /* XXX Er, shouldn't we set the seq nums?? */
+ }
+
+ /* XXX: Is this needed? */
+ if (auth_context->local_address && auth_context->local_port) {
+ ret = krb5_make_addrport(context,
+ &enc_krb_cred_part.s_address,
+ auth_context->local_address,
+ auth_context->local_port);
+ if (ret)
+ goto out;
+ }
+
+ /* XXX: Is this needed? */
+ if (auth_context->remote_address) {
+ if (auth_context->remote_port) {
+ /*
+ * XXX: Should we be checking "no-addresses" for
+ * the receiving realm?
+ */
+ ret = krb5_make_addrport(context,
+ &enc_krb_cred_part.r_address,
+ auth_context->remote_address,
+ auth_context->remote_port);
+ if (ret)
+ goto out;
+ } else {
+ /*
+ * XXX Ugly, make krb5_make_addrport() handle missing port
+ * number (i.e., port == 0), then remove this else.
+ */
+ CHECKED_ALLOC(enc_krb_cred_part.r_address);
+ ret = krb5_copy_address(context, auth_context->remote_address,
+ enc_krb_cred_part.r_address);
+ if (ret)
+ goto out;
+ }
+ }
+
+ /* encode EncKrbCredPart */
+ ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
+ &enc_krb_cred_part, &len, ret);
+ if (ret)
+ goto out;
+
+ /**
+ * Some older of the MIT gssapi library used clear-text tickets
+ * (warped inside AP-REQ encryption), use the krb5_auth_context
+ * flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those
+ * tickets. The session key is used otherwise to encrypt the
+ * forwarded ticket.
+ */
+
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
+ cred.enc_part.etype = KRB5_ENCTYPE_NULL;
+ cred.enc_part.kvno = NULL;
+ CHOWN_BUF(cred.enc_part.cipher.data, buf);
+ cred.enc_part.cipher.length = buf_size;
+ } else {
+ /*
+ * Here older versions then 0.7.2 of Heimdal used the local or
+ * remote subkey. That is wrong, the session key should be
+ * used. Heimdal 0.7.2 and newer have code to try both in the
+ * receiving end.
+ */
+
+ ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+ if (ret == 0)
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_KRB_CRED,
+ buf,
+ len,
+ 0,
+ &cred.enc_part);
+ if (ret)
+ goto out;
+ DISOWN_BUF(buf);
+ krb5_crypto_destroy(context, crypto);
+ }
+
+ ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
+ if (ret)
+ goto out;
+
+ CHOWN_BUF(out_data->data, buf);
+ out_data->length = len;
+ ret = 0;
+
+ out:
+ free_EncKrbCredPart(&enc_krb_cred_part);
+ free_KRB_CRED(&cred);
+ free(buf);
+ return ret;
+}
+
+/**
+ * Make a KRB-CRED PDU with 1 credential.
+ *
+ * @param context A kerberos 5 context.
+ * @param auth_context The auth context with the key to encrypt the out_data.
+ * @param ppcred A credential to forward.
+ * @param ppdata The output KRB-CRED (to be freed by caller).
+ * @param replay_data (unused).
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_credential
+ */
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds *ppcred, krb5_data **ppdata,
+ krb5_replay_data *replay_data)
+{
+ krb5_creds *ppcreds[2] = { ppcred, NULL };
+
+ return krb5_mk_ncred(context, auth_context, ppcreds, ppdata, replay_data);
+}
+
+/* ARGSUSED */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
+ krb5_creds *ppcred, krb5_data *ppdata,
+ krb5_replay_data *replay_data)
+{
+ krb5_creds *ppcreds[2] = { ppcred, NULL };
+
+ return _krb5_mk_ncred(context, auth_context, ppcreds, ppdata, replay_data);
+}
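Review bot: In the encrypting branch of _krb5_mk_ncred (the `else` under `KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED`), a failure from krb5_encrypt_EncryptedData jumps to `out` before `krb5_crypto_destroy(context, crypto)` runs, so the crypto context created just above leaks on that path; moving the destroy ahead of the error check fixes it. With `ncreds == 0` the two `ALLOC_SEQ` calls ask for zero-length sequences, and if ALLOC_SEQ yields a NULL `val` for that size the function reports ENOMEM for an empty list, which deserves either an explicit `EINVAL` or a comment. The `CHOWN_BUF`/`DISOWN_BUF` macros are defined inside the function body and never `#undef`'d, so they remain visible to the rest of the translation unit.

```c
        ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
        if (ret)
            goto out;
        ret = krb5_encrypt_EncryptedData(context,
                                         crypto,
                                         KRB5_KU_KRB_CRED,
                                         buf,
                                         len,
                                         0,
                                         &cred.enc_part);
        /* Release the crypto context whether or not encryption succeeded. */
        krb5_crypto_destroy(context, crypto);
        if (ret)
            goto out;
        DISOWN_BUF(buf);
        /* … unchanged: KRB_CRED encoding and out: cleanup … */
```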
diff --git a/lib/krb5/mk_error.c b/lib/krb5/mk_error.c
index 7f0be713e04f..3791fe75a289 100644
--- a/lib/krb5/mk_error.c
+++ b/lib/krb5/mk_error.c
@@ -76,8 +76,8 @@ krb5_mk_error_ext(krb5_context context,
msg.realm = server->realm;
msg.sname = server->name;
}else{
- static char unspec[] = "<unspecified realm>";
- msg.realm = unspec;
+ static const char unspec[] = "<unspecified realm>";
+ msg.realm = rk_UNCONST(unspec);
}
msg.crealm = rk_UNCONST(client_realm);
msg.cname = rk_UNCONST(client_name);
diff --git a/lib/krb5/mk_req_ext.c b/lib/krb5/mk_req_ext.c
index 18b16a9bf2b0..a8a07f1c718f 100644
--- a/lib/krb5/mk_req_ext.c
+++ b/lib/krb5/mk_req_ext.c
@@ -73,48 +73,37 @@ _krb5_mk_req_internal(krb5_context context,
if (ret)
goto out;
- /* it's unclear what type of checksum we can use. try the best one, except:
- * a) if it's configured differently for the current realm, or
- * b) if the session key is des-cbc-crc
+ /*
+ * Use the default checksum type except for some interoperability cases
+ * with older MIT, DCE and Windows KDCs.
*/
-
if (in_data) {
- if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
- /* this is to make DCE secd (and older MIT kdcs?) happy */
- ret = krb5_create_checksum(context,
- NULL,
- 0,
- CKSUMTYPE_RSA_MD4,
- in_data->data,
- in_data->length,
- &c);
- } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
- ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
- ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
- ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
- /* this is to make MS kdc happy */
- ret = krb5_create_checksum(context,
- NULL,
- 0,
- CKSUMTYPE_RSA_MD5,
- in_data->data,
- in_data->length,
- &c);
- } else {
- krb5_crypto crypto;
+ krb5_crypto crypto;
+ krb5_cksumtype checksum_type = CKSUMTYPE_NONE;
+
+ if (ac->keyblock->keytype == ETYPE_DES_CBC_CRC)
+ checksum_type = CKSUMTYPE_RSA_MD4;
+ else if (ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
+ ac->keyblock->keytype == ETYPE_DES_CBC_MD5 ||
+ ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
+ ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56)
+ checksum_type = CKSUMTYPE_RSA_MD5;
+ else
+ checksum_type = CKSUMTYPE_NONE;
+
+ ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
+ if (ret)
+ goto out;
- ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
- if (ret)
- goto out;
- ret = krb5_create_checksum(context,
- crypto,
- checksum_usage,
- 0,
- in_data->data,
- in_data->length,
- &c);
- krb5_crypto_destroy(context, crypto);
- }
+ _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);
+ ret = krb5_create_checksum(context,
+ crypto,
+ checksum_usage,
+ checksum_type,
+ in_data->data,
+ in_data->length,
+ &c);
+ krb5_crypto_destroy(context, crypto);
c_opt = &c;
} else {
c_opt = NULL;
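Review bot: `_krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM)` is applied unconditionally, including the common case where `checksum_type` stays `CKSUMTYPE_NONE` and the session key's default keyed checksum is used; the unkeyed RSA_MD4/RSA_MD5 types are only needed for the legacy DES/ARCFOUR interoperability branches, so gating it, `if (checksum_type != CKSUMTYPE_NONE) _krb5_crypto_set_flags(...)`, keeps the relaxation confined to the cases that need it. The trailing `else checksum_type = CKSUMTYPE_NONE;` repeats the initializer on the declaration and can be dropped. A comment naming the interop cases the two branches serve (the removed text had them: DCE secd and older MIT for DES-CBC-CRC, Windows KDCs for the MD4/MD5/ARCFOUR types) would preserve the knowledge the rewrite lost. _krb5_mk_req_internal starts and ends outside this hunk.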
diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index 240845f72e38..e5b133f233d3 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,27 +32,58 @@
*/
#include "krb5_locl.h"
+
+#include <heimbasepriv.h>
#include <wind.h>
+#include <assert.h>
+/*
+ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/3341cfa2-6ef5-42e0-b7bc-4544884bf399
+ */
struct PAC_INFO_BUFFER {
- uint32_t type;
- uint32_t buffersize;
- uint32_t offset_hi;
- uint32_t offset_lo;
+ uint32_t type; /* ULONG ulType in the original */
+ uint32_t buffersize; /* ULONG cbBufferSize in the original */
+ uint64_t offset; /* ULONG64 Offset in the original
+ * this being the offset from the beginning of the
+ * struct PACTYPE to the beginning of the buffer
+ * containing data of type ulType
+ */
};
+/*
+ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6655b92f-ab06-490b-845d-037e6987275f
+ */
struct PACTYPE {
- uint32_t numbuffers;
- uint32_t version;
- struct PAC_INFO_BUFFER buffers[1];
+ uint32_t numbuffers; /* named cBuffers of type ULONG in the original */
+ uint32_t version; /* Named Version of type ULONG in the original */
+ struct PAC_INFO_BUFFER buffers[1]; /* an ellipsis (...) in the original */
};
+/*
+ * A PAC starts with a PACTYPE header structure that is followed by an array of
+ * numbuffers PAC_INFO_BUFFER structures, each of which points to a buffer
+ * beyond the last PAC_INFO_BUFFER structures.
+ */
+
struct krb5_pac_data {
struct PACTYPE *pac;
krb5_data data;
struct PAC_INFO_BUFFER *server_checksum;
struct PAC_INFO_BUFFER *privsvr_checksum;
struct PAC_INFO_BUFFER *logon_name;
+ struct PAC_INFO_BUFFER *upn_dns_info;
+ struct PAC_INFO_BUFFER *ticket_checksum;
+ struct PAC_INFO_BUFFER *attributes_info;
+ krb5_data ticket_sign_data;
+
+ /* PAC_UPN_DNS_INFO */
+ krb5_principal upn_princ;
+ uint32_t upn_flags;
+ krb5_principal canon_princ;
+ krb5_data sid;
+
+ /* PAC_ATTRIBUTES_INFO */
+ uint64_t pac_attributes;
};
#define PAC_ALIGNMENT 8
@@ -60,10 +91,20 @@ struct krb5_pac_data {
#define PACTYPE_SIZE 8
#define PAC_INFO_BUFFER_SIZE 16
+#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIALS_INFO 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_LOGON_NAME 10
#define PAC_CONSTRAINED_DELEGATION 11
+#define PAC_UPN_DNS_INFO 12
+#define PAC_TICKET_CHECKSUM 16
+#define PAC_ATTRIBUTES_INFO 17
+#define PAC_REQUESTOR_SID 18
+
+/* Flag in PAC_UPN_DNS_INFO */
+#define PAC_EXTRA_LOGON_INFO_FLAGS_UPN_DEFAULTED 0x1
+#define PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID 0x2
#define CHECK(r,f,l) \
do { \
@@ -73,63 +114,62 @@ struct krb5_pac_data {
} \
} while(0)
-static const char zeros[PAC_ALIGNMENT] = { 0 };
+static const char zeros[PAC_ALIGNMENT];
-/*
- * HMAC-MD5 checksum over any key (needed for the PAC routines)
- */
-
-static krb5_error_code
-HMAC_MD5_any_checksum(krb5_context context,
- const krb5_keyblock *key,
- const void *data,
- size_t len,
- unsigned usage,
- Checksum *result)
+static void HEIM_CALLCONV
+pac_dealloc(void *ctx)
{
- struct _krb5_key_data local_key;
- krb5_error_code ret;
-
- memset(&local_key, 0, sizeof(local_key));
+ krb5_pac pac = (krb5_pac)ctx;
- ret = krb5_copy_keyblock(context, key, &local_key.key);
- if (ret)
- return ret;
+ krb5_data_free(&pac->data);
+ krb5_data_free(&pac->ticket_sign_data);
- ret = krb5_data_alloc (&result->checksum, 16);
- if (ret) {
- krb5_free_keyblock(context, local_key.key);
- return ret;
+ if (pac->upn_princ) {
+ free_Principal(pac->upn_princ);
+ free(pac->upn_princ);
}
+ if (pac->canon_princ) {
+ free_Principal(pac->canon_princ);
+ free(pac->canon_princ);
+ }
+ krb5_data_free(&pac->sid);
- result->cksumtype = CKSUMTYPE_HMAC_MD5;
- ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
- if (ret)
- krb5_data_free(&result->checksum);
-
- krb5_free_keyblock(context, local_key.key);
- return ret;
+ free(pac->pac);
}
+static const struct heim_type_data pac_object = {
+ HEIM_TID_PAC,
+ "heim-pac",
+ NULL,
+ pac_dealloc,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+};
-static krb5_error_code pac_header_size(krb5_context context,
- uint32_t num_buffers,
- uint32_t *result)
+/*
+ * Returns the size of the PACTYPE header + the PAC_INFO_BUFFER array. This is
+ * also the end of the whole thing, and any offsets to buffers from
+ * thePAC_INFO_BUFFER[] entries have to be beyond it.
+ */
+static krb5_error_code
+pac_header_size(krb5_context context, uint32_t num_buffers, uint32_t *result)
{
krb5_error_code ret;
uint32_t header_size;
- /* Guard against integer overflow on 32-bit systems. */
+ /* Guard against integer overflow */
if (num_buffers > UINT32_MAX / PAC_INFO_BUFFER_SIZE) {
- ret = EINVAL;
+ ret = EOVERFLOW;
krb5_set_error_message(context, ret, "PAC has too many buffers");
return ret;
}
header_size = PAC_INFO_BUFFER_SIZE * num_buffers;
- /* Guard against integer overflow on 32-bit systems. */
+ /* Guard against integer overflow */
if (header_size > UINT32_MAX - PACTYPE_SIZE) {
- ret = EINVAL;
+ ret = EOVERFLOW;
krb5_set_error_message(context, ret, "PAC has too many buffers");
return ret;
}
@@ -140,28 +180,71 @@ static krb5_error_code pac_header_size(krb5_context context,
return 0;
}
-static krb5_error_code pac_aligned_size(krb5_context context,
- uint32_t size,
- uint32_t *aligned_size)
+/* Output `size' + `addend' + padding for alignment if it doesn't overflow */
+static krb5_error_code
+pac_aligned_size(krb5_context context,
+ uint32_t size,
+ uint32_t addend,
+ uint32_t *aligned_size)
{
krb5_error_code ret;
- /* Guard against integer overflow on 32-bit systems. */
- if (size > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
- ret = EINVAL;
+ if (size > UINT32_MAX - addend ||
+ (size + addend) > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
+ ret = EOVERFLOW;
krb5_set_error_message(context, ret, "integer overrun");
return ret;
}
+ size += addend;
size += PAC_ALIGNMENT - 1;
+ size &= ~(PAC_ALIGNMENT - 1);
+ *aligned_size = size;
+ return 0;
+}
- /* align to PAC_ALIGNMENT */
- size = (size / PAC_ALIGNMENT) * PAC_ALIGNMENT;
+/*
+ * HMAC-MD5 checksum over any key (needed for the PAC routines)
+ */
- *aligned_size = size;
+static krb5_error_code
+HMAC_MD5_any_checksum(krb5_context context,
+ const krb5_keyblock *key,
+ const void *data,
+ size_t len,
+ unsigned usage,
+ Checksum *result)
+{
+ struct _krb5_key_data local_key;
+ struct krb5_crypto_iov iov;
+ krb5_error_code ret;
- return 0;
+ memset(&local_key, 0, sizeof(local_key));
+
+ ret = krb5_copy_keyblock(context, key, &local_key.key);
+ if (ret)
+ return ret;
+
+ ret = krb5_data_alloc (&result->checksum, 16);
+ if (ret) {
+ krb5_free_keyblock(context, local_key.key);
+ return ret;
+ }
+
+ result->cksumtype = CKSUMTYPE_HMAC_MD5;
+ iov.data.data = (void *)data;
+ iov.data.length = len;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+
+ ret = _krb5_HMAC_MD5_checksum(context, NULL, &local_key, usage, &iov, 1,
+ result);
+ if (ret)
+ krb5_data_free(&result->checksum);
+
+ krb5_free_keyblock(context, local_key.key);
+ return ret;
}
+
/*
*
*/
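Review bot: `iov.data.data = (void *)data;` in HMAC_MD5_any_checksum casts away the `const` of the `data` parameter with a bare cast, whereas elsewhere in this commit (mit_glue.c, mk_error.c) the tree uses `rk_UNCONST(...)`, which documents that the callee is trusted not to write through the pointer; `iov.data.data = rk_UNCONST(data);` keeps that convention. In pac_aligned_size, `size &= ~(PAC_ALIGNMENT - 1)` is only a rounding operation because PAC_ALIGNMENT is 8; a one-line comment, `/* PAC_ALIGNMENT must be a power of two for this mask to round up */`, protects the invariant if the constant is ever changed. The overflow checks preceding it look right for both the `addend` and the padding.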
@@ -170,144 +253,164 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
krb5_pac *pac)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
krb5_pac p;
krb5_storage *sp = NULL;
- uint32_t i, tmp, tmp2, header_end;
-
- p = calloc(1, sizeof(*p));
- if (p == NULL) {
- ret = krb5_enomem(context);
- goto out;
- }
+ uint32_t i, num_buffers, version, header_size = 0;
+ uint32_t prev_start = 0;
+ uint32_t prev_end = 0;
- sp = krb5_storage_from_readonly_mem(ptr, len);
- if (sp == NULL) {
+ *pac = NULL;
+ p = _heim_alloc_object(&pac_object, sizeof(*p));
+ if (p)
+ sp = krb5_storage_from_readonly_mem(ptr, len);
+ if (sp == NULL)
ret = krb5_enomem(context);
- goto out;
- }
- krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
-
- CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
- CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
- if (tmp < 1) {
- ret = EINVAL; /* Too few buffers */
- krb5_set_error_message(context, ret, N_("PAC have too few buffer", ""));
- goto out;
- }
- if (tmp2 != 0) {
- ret = EINVAL; /* Wrong version */
- krb5_set_error_message(context, ret,
- N_("PAC have wrong version %d", ""),
- (int)tmp2);
- goto out;
- }
-
- ret = pac_header_size(context, tmp, &header_end);
- if (ret) {
- return ret;
+ if (ret == 0) {
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+ ret = krb5_ret_uint32(sp, &num_buffers);
}
-
- p->pac = calloc(1, header_end);
- if (p->pac == NULL) {
+ if (ret == 0)
+ ret = krb5_ret_uint32(sp, &version);
+ if (ret == 0 && num_buffers < 1)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has too few buffers", ""));
+ if (ret == 0 && num_buffers > 1000)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has too many buffers", ""));
+ if (ret == 0 && version != 0)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has wrong version %d", ""),
+ (int)version);
+ if (ret == 0)
+ ret = pac_header_size(context, num_buffers, &header_size);
+ if (ret == 0 && header_size > len)
+ krb5_set_error_message(context, ret = EOVERFLOW,
+ N_("PAC encoding invalid, would overflow buffers", ""));
+ if (ret == 0)
+ p->pac = calloc(1, header_size);
+ if (ret == 0 && p->pac == NULL)
ret = krb5_enomem(context);
- goto out;
- }
-
- p->pac->numbuffers = tmp;
- p->pac->version = tmp2;
- if (header_end > len) {
- ret = EINVAL;
- goto out;
+ if (ret == 0) {
+ p->pac->numbuffers = num_buffers;
+ p->pac->version = version;
}
- for (i = 0; i < p->pac->numbuffers; i++) {
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].type), out);
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize), out);
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_lo), out);
- CHECK(ret, krb5_ret_uint32(sp, &p->pac->buffers[i].offset_hi), out);
+ for (i = 0; ret == 0 && i < p->pac->numbuffers; i++) {
+ ret = krb5_ret_uint32(sp, &p->pac->buffers[i].type);
+ if (ret == 0)
+ ret = krb5_ret_uint32(sp, &p->pac->buffers[i].buffersize);
+ if (ret == 0)
+ ret = krb5_ret_uint64(sp, &p->pac->buffers[i].offset);
+ if (ret)
+ break;
- /* consistency checks */
- if (p->pac->buffers[i].offset_lo & (PAC_ALIGNMENT - 1)) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC out of allignment", ""));
- goto out;
- }
- if (p->pac->buffers[i].offset_hi) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC high offset set", ""));
- goto out;
+ /* Consistency checks (we don't check for wasted space) */
+ if (p->pac->buffers[i].offset & (PAC_ALIGNMENT - 1)) {
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC out of alignment", ""));
+ break;
}
- if (p->pac->buffers[i].offset_lo > len) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC offset off end", ""));
- goto out;
+ if (p->pac->buffers[i].offset > len ||
+ p->pac->buffers[i].buffersize > len ||
+ len - p->pac->buffers[i].offset < p->pac->buffers[i].buffersize) {
+ krb5_set_error_message(context, ret = EOVERFLOW,
+ N_("PAC buffer overflow", ""));
+ break;
}
- if (p->pac->buffers[i].offset_lo < header_end) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
+ if (p->pac->buffers[i].offset < header_size) {
+ krb5_set_error_message(context, ret = EINVAL,
N_("PAC offset inside header: %lu %lu", ""),
- (unsigned long)p->pac->buffers[i].offset_lo,
- (unsigned long)header_end);
- goto out;
- }
- if (p->pac->buffers[i].buffersize > len - p->pac->buffers[i].offset_lo){
- ret = EINVAL;
- krb5_set_error_message(context, ret, N_("PAC length off end", ""));
- goto out;
+ (unsigned long)p->pac->buffers[i].offset,
+ (unsigned long)header_size);
+ break;
}
- /* let save pointer to data we need later */
- if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
- if (p->server_checksum) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC have two server checksums", ""));
- goto out;
- }
- p->server_checksum = &p->pac->buffers[i];
- } else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
- if (p->privsvr_checksum) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC have two KDC checksums", ""));
- goto out;
- }
- p->privsvr_checksum = &p->pac->buffers[i];
- } else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
- if (p->logon_name) {
- ret = EINVAL;
- krb5_set_error_message(context, ret,
- N_("PAC have two logon names", ""));
- goto out;
- }
- p->logon_name = &p->pac->buffers[i];
- }
+ /*
+ * We'd like to check for non-overlapping of buffers, but the buffers
+ * need not be in the same order as the PAC_INFO_BUFFER[] entries
+ * pointing to them! To fully check for overlap we'd have to have an
+ * O(N^2) loop after we parse all the PAC_INFO_BUFFER[].
+ *
+ * But we can check that each buffer does not overlap the previous
+ * buffer.
+ */
+ if (prev_start) {
+ if (p->pac->buffers[i].offset >= prev_start &&
+ p->pac->buffers[i].offset < prev_end) {
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC overlap", ""));
+ break;
+ }
+ if (p->pac->buffers[i].offset < prev_start &&
+ p->pac->buffers[i].offset +
+ p->pac->buffers[i].buffersize > prev_start) {
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC overlap", ""));
+ break;
+ }
+ }
+ prev_start = p->pac->buffers[i].offset;
+ prev_end = p->pac->buffers[i].offset + p->pac->buffers[i].buffersize;
+
+ /* Let's save pointers to buffers we'll need later */
+ switch (p->pac->buffers[i].type) {
+ case PAC_SERVER_CHECKSUM:
+ if (p->server_checksum)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple server checksums", ""));
+ else
+ p->server_checksum = &p->pac->buffers[i];
+ break;
+ case PAC_PRIVSVR_CHECKSUM:
+ if (p->privsvr_checksum)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple KDC checksums", ""));
+ else
+ p->privsvr_checksum = &p->pac->buffers[i];
+ break;
+ case PAC_LOGON_NAME:
+ if (p->logon_name)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple logon names", ""));
+ else
+ p->logon_name = &p->pac->buffers[i];
+ break;
+ case PAC_UPN_DNS_INFO:
+ if (p->upn_dns_info)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple UPN DNS info buffers", ""));
+ else
+ p->upn_dns_info = &p->pac->buffers[i];
+ break;
+ case PAC_TICKET_CHECKSUM:
+ if (p->ticket_checksum)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple ticket checksums", ""));
+ else
+ p->ticket_checksum = &p->pac->buffers[i];
+ break;
+ case PAC_ATTRIBUTES_INFO:
+ if (p->attributes_info)
+ krb5_set_error_message(context, ret = EINVAL,
+ N_("PAC has multiple attributes info buffers", ""));
+ else
+ p->attributes_info = &p->pac->buffers[i];
+ break;
+ default: break;
+ }
}
- ret = krb5_data_copy(&p->data, ptr, len);
- if (ret)
- goto out;
-
- krb5_storage_free(sp);
-
- *pac = p;
- return 0;
-
-out:
- if (sp)
- krb5_storage_free(sp);
- if (p) {
- if (p->pac)
- free(p->pac);
- free(p);
+ if (ret == 0)
+ ret = krb5_data_copy(&p->data, ptr, len);
+ if (ret == 0) {
+ *pac = p;
+ p = NULL;
}
- *pac = NULL;
-
+ if (sp)
+ krb5_storage_free(sp);
+ krb5_pac_free(context, p);
return ret;
}
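Review bot: The overlap check at `if (prev_start) {` only compares each PAC_INFO_BUFFER with the entry parsed immediately before it, so a PAC whose entries are listed out of order can still have aliasing buffers (e.g. a checksum buffer sharing bytes with the logon-name buffer), which the comment above it concedes. Since `num_buffers > 1000` is already rejected a few lines earlier, a full pairwise check after the parsing loop costs at most about half a million comparisons and closes the gap; the per-entry bounds checks already guarantee that offset + buffersize fits in `len`, so the arithmetic below cannot overflow. Whether any Windows-issued PAC relies on overlapping buffers is not something I can confirm from here, so this may need an interop check before it is made fatal. The `KRB5_LIB_FUNCTION` specifier line of krb5_pac_parse precedes the hunk.
```c
    /* … unchanged: per-buffer parsing loop … */
    /* Full pairwise overlap check; cheap because num_buffers <= 1000 */
    for (i = 0; ret == 0 && i < p->pac->numbuffers; i++) {
        uint64_t s1 = p->pac->buffers[i].offset;
        uint64_t e1 = s1 + p->pac->buffers[i].buffersize;
        uint32_t j;

        for (j = i + 1; j < p->pac->numbuffers; j++) {
            uint64_t s2 = p->pac->buffers[j].offset;
            uint64_t e2 = s2 + p->pac->buffers[j].buffersize;

            if (s1 < e2 && s2 < e1) {
                krb5_set_error_message(context, ret = EINVAL,
                                       N_("PAC overlap", ""));
                break;
            }
        }
    }
    if (ret == 0)
        ret = krb5_data_copy(&p->data, ptr, len);
    /* … unchanged: success and cleanup path … */
```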
@@ -317,120 +420,128 @@ krb5_pac_init(krb5_context context, krb5_pac *pac)
krb5_error_code ret;
krb5_pac p;
- p = calloc(1, sizeof(*p));
+ p = _heim_alloc_object(&pac_object, sizeof(*p));
if (p == NULL) {
return krb5_enomem(context);
}
p->pac = calloc(1, sizeof(*p->pac));
if (p->pac == NULL) {
- free(p);
+ krb5_pac_free(context, p);
return krb5_enomem(context);
}
ret = krb5_data_alloc(&p->data, PACTYPE_SIZE);
if (ret) {
free (p->pac);
- free(p);
+ krb5_pac_free(context, p);
return krb5_enomem(context);
}
+ memset(p->data.data, 0, p->data.length);
*pac = p;
return 0;
}
+/**
+ * Add a PAC buffer `nd' of type `type' to the pac `p'.
+ *
+ * @param context
+ * @param p
+ * @param type
+ * @param nd
+ *
+ * @return 0 on success or a Kerberos or system error.
+ */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_add_buffer(krb5_context context, krb5_pac p,
- uint32_t type, const krb5_data *data)
+ uint32_t type, const krb5_data *nd)
{
krb5_error_code ret;
void *ptr;
- uint32_t unaligned_len, num_buffers, len, offset, header_end, old_end;
+ size_t old_len = p->data.length;
+ uint32_t len, offset, header_size;
uint32_t i;
+ uint32_t num_buffers;
- if (data->length > UINT32_MAX) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- return ret;
- }
+ assert(nd->data != NULL);
num_buffers = p->pac->numbuffers;
-
- if (num_buffers >= UINT32_MAX) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- return ret;
- }
- ret = pac_header_size(context, num_buffers + 1, &header_end);
- if (ret) {
+ ret = pac_header_size(context, num_buffers + 1, &header_size);
+ if (ret)
return ret;
- }
- ptr = realloc(p->pac, header_end);
+ ptr = realloc(p->pac, header_size);
if (ptr == NULL)
return krb5_enomem(context);
p->pac = ptr;
+ p->pac->buffers[num_buffers].type = 0;
+ p->pac->buffers[num_buffers].buffersize = 0;
+ p->pac->buffers[num_buffers].offset = 0;
+ /*
+ * Check that we can adjust all the buffer offsets in the existing
+ * PAC_INFO_BUFFERs, since changing the size of PAC_INFO_BUFFER[] means
+ * changing the offsets of buffers following that array.
+ *
+ * We don't adjust them until we can't fail.
+ */
for (i = 0; i < num_buffers; i++) {
- if (p->pac->buffers[i].offset_lo > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
+ if (p->pac->buffers[i].offset > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
+ krb5_set_error_message(context, ret = EOVERFLOW,
+ "too many / too large PAC buffers");
return ret;
}
-
- p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE;
- }
-
- if (p->data.length > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- return ret;
}
- offset = p->data.length + PAC_INFO_BUFFER_SIZE;
- p->pac->buffers[num_buffers].type = type;
- p->pac->buffers[num_buffers].buffersize = data->length;
- p->pac->buffers[num_buffers].offset_lo = offset;
- p->pac->buffers[num_buffers].offset_hi = 0;
+ /*
+ * The new buffer's offset must be past the end of the buffers we have
+ * (p->data), which is the sum of the header and p->data.length.
+ */
- old_end = p->data.length;
- if (offset > UINT32_MAX - data->length) {
- krb5_set_error_message(context, EINVAL, "integer overrun");
- return EINVAL;
+ /* Set offset = p->data.length + PAC_INFO_BUFFER_SIZE + alignment */
+ ret = pac_aligned_size(context, p->data.length, PAC_INFO_BUFFER_SIZE, &offset);
+ if (ret == 0)
+ /* Set the new length = offset + nd->length + alignment */
+ ret = pac_aligned_size(context, offset, nd->length, &len);
+ if (ret) {
+ krb5_set_error_message(context, ret, "PAC buffer too large");
+ return ret;
}
- unaligned_len = offset + data->length;
-
- ret = pac_aligned_size(context, unaligned_len, &len);
- if (ret)
- return ret;
-
ret = krb5_data_realloc(&p->data, len);
if (ret) {
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
return ret;
}
+ /* Zero out the new allocation to zero out any padding */
+ memset((char *)p->data.data + old_len, 0, len - old_len);
+
+ p->pac->buffers[num_buffers].type = type;
+ p->pac->buffers[num_buffers].buffersize = nd->length;
+ p->pac->buffers[num_buffers].offset = offset;
+
+ /* Adjust all the buffer offsets in the existing PAC_INFO_BUFFERs now */
+ for (i = 0; i < num_buffers; i++)
+ p->pac->buffers[i].offset += PAC_INFO_BUFFER_SIZE;
+
/*
- * make place for new PAC INFO BUFFER header
+ * Make place for new PAC INFO BUFFER header
*/
- header_end -= PAC_INFO_BUFFER_SIZE;
- memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE,
- (unsigned char *)p->data.data + header_end ,
- old_end - header_end);
- memset((unsigned char *)p->data.data + header_end, 0, PAC_INFO_BUFFER_SIZE);
+ header_size -= PAC_INFO_BUFFER_SIZE;
+ memmove((unsigned char *)p->data.data + header_size + PAC_INFO_BUFFER_SIZE,
+ (unsigned char *)p->data.data + header_size ,
+ old_len - header_size);
+ /* Clear the space where we would put the new PAC_INFO_BUFFER[] element */
+ memset((unsigned char *)p->data.data + header_size, 0,
+ PAC_INFO_BUFFER_SIZE);
/*
- * copy in new data part
+ * Copy in new data part
*/
-
- memcpy((unsigned char *)p->data.data + offset,
- data->data, data->length);
- memset((unsigned char *)p->data.data + offset + data->length,
- 0, p->data.length - unaligned_len);
-
+ memcpy((unsigned char *)p->data.data + offset, nd->data, nd->length);
p->pac->numbuffers += 1;
-
return 0;
}
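Review bot: krb5_pac_add_buffer removes the old `if (data->length > UINT32_MAX)` guard but then passes `nd->length` (a size_t) as the `uint32_t addend` of pac_aligned_size and stores it into `buffersize`, so on 64-bit builds a length above 4 GiB is truncated before the overflow check while the final `memcpy(..., nd->data, nd->length)` copies the full amount; restoring `if (nd->length > UINT32_MAX) { krb5_set_error_message(context, ret = EOVERFLOW, "PAC buffer too large"); return ret; }` ahead of the realloc keeps the check honest. Separately, krb5_pac_init's krb5_data_alloc failure path does `free (p->pac);` and then `krb5_pac_free(context, p);`, yet krb5_pac_parse's error path relies on krb5_pac_free releasing `p->pac` by itself, so this looks like a double free and the explicit `free (p->pac)` should go (or be followed by `p->pac = NULL`). The realloc of `p->pac` also invalidates any `p->server_checksum`-style pointers into the old `buffers[]` array; that predates this change but is worth a comment now that more such pointers exist.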
@@ -442,45 +553,85 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
* @param type type of buffer to get
* @param data return data, free with krb5_data_free().
*
- * @return Returns 0 to indicate success. Otherwise an kerberos et
- * error code is returned, see krb5_get_error_message().
+ * @return Returns 0 to indicate success, ENOENT to indicate that a buffer of
+ * the given type was not found, or a Kerberos or system error code.
*
* @ingroup krb5_pac
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_pac_get_buffer(krb5_context context, krb5_pac p,
+krb5_pac_get_buffer(krb5_context context, krb5_const_pac p,
uint32_t type, krb5_data *data)
{
krb5_error_code ret;
uint32_t i;
for (i = 0; i < p->pac->numbuffers; i++) {
- const uint32_t len = p->pac->buffers[i].buffersize;
- const uint32_t offset = p->pac->buffers[i].offset_lo;
+ size_t len = p->pac->buffers[i].buffersize;
+ size_t offset = p->pac->buffers[i].offset;
if (p->pac->buffers[i].type != type)
continue;
- ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
- if (ret) {
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
- return ret;
- }
- return 0;
+ if (!data)
+ return 0;
+
+ ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
+ if (ret)
+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+ return ret;
}
krb5_set_error_message(context, ENOENT, "No PAC buffer of type %lu was found",
(unsigned long)type);
return ENOENT;
}
+static const struct {
+ uint32_t type;
+ krb5_data name;
+} pac_buffer_name_map[] = {
+#define PAC_MAP_ENTRY(type, name) { PAC_##type, { sizeof(name) - 1, name } }
+ PAC_MAP_ENTRY(LOGON_INFO, "logon-info" ),
+ PAC_MAP_ENTRY(CREDENTIALS_INFO, "credentials-info" ),
+ PAC_MAP_ENTRY(SERVER_CHECKSUM, "server-checksum" ),
+ PAC_MAP_ENTRY(PRIVSVR_CHECKSUM, "privsvr-checksum" ),
+ PAC_MAP_ENTRY(LOGON_NAME, "client-info" ),
+ PAC_MAP_ENTRY(CONSTRAINED_DELEGATION, "delegation-info" ),
+ PAC_MAP_ENTRY(UPN_DNS_INFO, "upn-dns-info" ),
+ PAC_MAP_ENTRY(TICKET_CHECKSUM, "ticket-checksum" ),
+ PAC_MAP_ENTRY(ATTRIBUTES_INFO, "attributes-info" ),
+ PAC_MAP_ENTRY(REQUESTOR_SID, "requestor-sid" )
+};
+
+/*
+ *
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_pac_get_buffer_by_name(krb5_context context, krb5_const_pac p,
+ const krb5_data *name, krb5_data *data)
+{
+ size_t i;
+
+ for (i = 0;
+ i < sizeof(pac_buffer_name_map) / sizeof(pac_buffer_name_map[0]);
+ i++) {
+ if (krb5_data_cmp(name, &pac_buffer_name_map[i].name) == 0)
+ return krb5_pac_get_buffer(context, p, pac_buffer_name_map[i].type, data);
+ }
+
+ krb5_set_error_message(context, ENOENT, "No PAC buffer with name %.*s was found",
+ (int)name->length, (char *)name->data);
+ return ENOENT;
+}
+
/*
*
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_pac_get_types(krb5_context context,
- krb5_pac p,
+ krb5_const_pac p,
size_t *len,
uint32_t **types)
{
@@ -505,9 +656,7 @@ krb5_pac_get_types(krb5_context context,
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_pac_free(krb5_context context, krb5_pac pac)
{
- krb5_data_free(&pac->data);
- free(pac->pac);
- free(pac);
+ heim_release(pac);
}
/*
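Review bot: krb5_pac_free now delegates to heim_release(), and krb5_pac_parse's cleanup path calls it with `p` possibly NULL (when _heim_alloc_object failed), so accepting NULL has become part of the function's contract and should be stated in its doc comment, which begins above the hunk, e.g. `@param pac the PAC to free; NULL is accepted and ignored.` Whether heim_release() itself tolerates NULL is not visible here and is worth confirming.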
@@ -525,10 +674,11 @@ verify_checksum(krb5_context context,
uint32_t type;
krb5_error_code ret;
Checksum cksum;
+ size_t cksumsize;
memset(&cksum, 0, sizeof(cksum));
- sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
+ sp = krb5_storage_from_mem((char *)data->data + sig->offset,
sig->buffersize);
if (sp == NULL)
return krb5_enomem(context);
@@ -537,8 +687,17 @@ verify_checksum(krb5_context context,
CHECK(ret, krb5_ret_uint32(sp, &type), out);
cksum.cksumtype = type;
- cksum.checksum.length =
- sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR);
+
+ ret = krb5_checksumsize(context, type, &cksumsize);
+ if (ret)
+ goto out;
+
+ /* Allow for RODCIdentifier trailer, see MS-PAC 2.8 */
+ if (cksumsize > (sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR))) {
+ ret = EINVAL;
+ goto out;
+ }
+ cksum.checksum.length = cksumsize;
cksum.checksum.data = malloc(cksum.checksum.length);
if (cksum.checksum.data == NULL) {
ret = krb5_enomem(context);
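Review bot: The new length check `if (cksumsize > (sig->buffersize - krb5_storage_seek(sp, 0, SEEK_CUR)))` fails with a bare `ret = EINVAL` and no krb5_set_error_message(), unlike every other rejection in verify_checksum, so a truncated checksum buffer surfaces as an anonymous EINVAL; suggest `krb5_set_error_message(context, ret = EINVAL, "PAC checksum buffer too short for checksum type %d", (int)type);`. The comment attributes the slack to the RODCIdentifier trailer, but the check accepts any amount of trailing data rather than the two bytes MS-PAC 2.8 describes; if tightening that is undesirable for interoperability, the comment should say the trailer is merely tolerated, not parsed. The subtraction also mixes the uint32_t `buffersize` with the signed off_t returned by krb5_storage_seek(), which deserves a cast or a local. verify_checksum starts and ends outside the hunk.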
@@ -546,13 +705,13 @@ verify_checksum(krb5_context context,
}
ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
if (ret != (int)cksum.checksum.length) {
- ret = EINVAL;
+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
krb5_set_error_message(context, ret, "PAC checksum missing checksum");
goto out;
}
if (!krb5_checksum_is_keyed(context, cksum.cksumtype)) {
- ret = EINVAL;
+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
krb5_set_error_message(context, ret, "Checksum type %d not keyed",
cksum.cksumtype);
goto out;
@@ -655,6 +814,202 @@ create_checksum(krb5_context context,
return 0;
}
+static krb5_error_code
+parse_upn_dns_info(krb5_context context,
+ const struct PAC_INFO_BUFFER *upndnsinfo,
+ const krb5_data *data,
+ krb5_principal *upn_princ,
+ uint32_t *flags,
+ krb5_principal *canon_princ,
+ krb5_data *sid)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ uint16_t upn_length, upn_offset;
+ uint16_t dns_domain_name_length, dns_domain_name_offset;
+ uint16_t canon_princ_length, canon_princ_offset;
+ uint16_t sid_length, sid_offset;
+ char *upn = NULL;
+ char *dns_domain_name = NULL;
+ char *sam_name = NULL;
+
+ *upn_princ = NULL;
+ *flags = 0;
+ *canon_princ = NULL;
+ krb5_data_zero(sid);
+
+ sp = krb5_storage_from_readonly_mem((const char *)data->data + upndnsinfo->offset,
+ upndnsinfo->buffersize);
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ CHECK(ret, krb5_ret_uint16(sp, &upn_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &upn_offset), out);
+ CHECK(ret, krb5_ret_uint16(sp, &dns_domain_name_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &dns_domain_name_offset), out);
+ CHECK(ret, krb5_ret_uint32(sp, flags), out);
+
+ if (*flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) {
+ CHECK(ret, krb5_ret_uint16(sp, &canon_princ_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &canon_princ_offset), out);
+ CHECK(ret, krb5_ret_uint16(sp, &sid_length), out);
+ CHECK(ret, krb5_ret_uint16(sp, &sid_offset), out);
+ } else {
+ canon_princ_length = canon_princ_offset = 0;
+ sid_length = sid_offset = 0;
+ }
+
+ if (upn_offset) {
+ CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, upn_offset,
+ upn_length, &upn), out);
+ }
+ CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, dns_domain_name_offset,
+ dns_domain_name_length, &dns_domain_name), out);
+ if ((*flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) && canon_princ_offset) {
+ CHECK(ret, _krb5_ret_utf8_from_ucs2le_at_offset(sp, canon_princ_offset,
+ canon_princ_length, &sam_name), out);
+ }
+
+ if (upn_offset) {
+ ret = krb5_parse_name_flags(context,
+ upn,
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE |
+ KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
+ upn_princ);
+ if (ret)
+ goto out;
+
+ ret = krb5_principal_set_realm(context, *upn_princ, dns_domain_name);
+ if (ret)
+ goto out;
+ }
+
+ if (canon_princ_offset) {
+ ret = krb5_parse_name_flags(context,
+ sam_name,
+ KRB5_PRINCIPAL_PARSE_NO_REALM |
+ KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
+ canon_princ);
+ if (ret)
+ goto out;
+
+ ret = krb5_principal_set_realm(context, *canon_princ, dns_domain_name);
+ if (ret)
+ goto out;
+ }
+
+ if (sid_offset)
+ CHECK(ret, _krb5_ret_data_at_offset(sp, sid_offset, sid_length, sid), out);
+
+out:
+ free(upn);
+ free(dns_domain_name);
+ free(sam_name);
+
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+#define UPN_DNS_INFO_EX_LENGTH 20
+
+static krb5_error_code
+build_upn_dns_info(krb5_context context,
+ krb5_const_principal upn_princ,
+ krb5_boolean upn_defaulted,
+ krb5_const_principal canon_princ,
+ const krb5_data *sid,
+ krb5_data *upn_dns_info)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ char *upn_princ_name = NULL;
+ char *canon_princ_name = NULL;
+ uint32_t flags;
+ krb5_const_realm realm;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ if (upn_princ) {
+ ret = krb5_unparse_name_flags(context, upn_princ,
+ KRB5_PRINCIPAL_UNPARSE_DISPLAY,
+ &upn_princ_name);
+ if (ret)
+ goto out;
+ }
+
+ ret = krb5_storage_truncate(sp, UPN_DNS_INFO_EX_LENGTH);
+ if (ret)
+ goto out;
+
+ ret = _krb5_store_utf8_as_ucs2le_at_offset(sp, (off_t)-1, upn_princ_name);
+ if (ret)
+ goto out;
+
+ if (canon_princ) {
+ ret = krb5_unparse_name_flags(context, canon_princ,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &canon_princ_name);
+ if (ret)
+ goto out;
+ }
+
+ if (canon_princ)
+ realm = canon_princ->realm;
+ else if (upn_princ)
+ realm = upn_princ->realm;
+ else {
+ ret = EINVAL;
+ goto out;
+ }
+
+ ret = _krb5_store_utf8_as_ucs2le_at_offset(sp, (off_t)-1, realm);
+ if (ret)
+ goto out;
+
+ flags = 0;
+ if (upn_princ && upn_defaulted)
+ flags |= PAC_EXTRA_LOGON_INFO_FLAGS_UPN_DEFAULTED;
+ if (canon_princ || sid)
+ flags |= PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID;
+
+ ret = krb5_store_uint32(sp, flags);
+ if (ret)
+ goto out;
+
+ if (flags & PAC_EXTRA_LOGON_INFO_FLAGS_HAS_SAM_NAME_AND_SID) {
+ ret = _krb5_store_utf8_as_ucs2le_at_offset(sp, (off_t)-1,
+ canon_princ_name);
+ if (ret)
+ goto out;
+
+ ret = _krb5_store_data_at_offset(sp, (off_t)-1, sid);
+ if (ret)
+ goto out;
+ }
+
+ ret = krb5_storage_to_data(sp, upn_dns_info);
+ if (ret)
+ goto out;
+
+out:
+ if (ret)
+ krb5_data_free(upn_dns_info);
+
+ krb5_xfree(canon_princ_name);
+ krb5_xfree(upn_princ_name);
+ krb5_storage_free(sp);
+
+ return ret;
+}
/*
*
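Review bot: build_upn_dns_info never zeroes `*upn_dns_info` on entry, yet its `out:` path unconditionally calls `krb5_data_free(upn_dns_info)` on failure, so an early failure (the `sp == NULL` or krb5_unparse_name_flags branches, before krb5_storage_to_data has run) frees whatever the caller happened to leave in the struct; build_attributes_info in the same import starts with `krb5_data_zero(attributes_info);` and this function should do the same as its first statement. In parse_upn_dns_info, `*upn_princ` and `*canon_princ` are allocated before the SID read and are not released when a later step fails, so callers receive partially filled outputs on error; the krb5_pac_verify caller appears to keep them on the pac, which may make this benign, but a `krb5_free_principal` of both under `if (ret)` at `out:` would make the contract clean. Whether `_krb5_ret_utf8_from_ucs2le_at_offset` yields NULL for a zero-length DNS domain name, which would then reach krb5_principal_set_realm, is not visible here and is worth checking.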
@@ -679,13 +1034,13 @@ verify_logonname(krb5_context context,
{
krb5_error_code ret;
uint32_t time1, time2;
- krb5_storage *sp;
+ krb5_storage *sp = NULL;
uint16_t len;
char *s = NULL;
char *principal_string = NULL;
char *logon_string = NULL;
- sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
+ sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset,
logon_name->buffersize);
if (sp == NULL)
return krb5_enomem(context);
@@ -725,6 +1080,7 @@ verify_logonname(krb5_context context,
}
ret = krb5_storage_read(sp, s, len);
if (ret != len) {
+ free(s);
krb5_storage_free(sp);
krb5_set_error_message(context, EINVAL, "Failed to read PAC logon name");
return EINVAL;
@@ -737,8 +1093,10 @@ verify_logonname(krb5_context context,
unsigned int flags = WIND_RW_LE;
ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
- if (ucs2 == NULL)
+ if (ucs2 == NULL) {
+ free(s);
return krb5_enomem(context);
+ }
ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
free(s);
@@ -776,8 +1134,7 @@ verify_logonname(krb5_context context,
return ret;
}
- ret = strcmp(logon_string, principal_string);
- if (ret != 0) {
+ if (strcmp(logon_string, principal_string) != 0) {
ret = EINVAL;
krb5_set_error_message(context, ret, "PAC logon name [%s] mismatch principal name [%s]",
logon_string, principal_string);
@@ -786,6 +1143,7 @@ verify_logonname(krb5_context context,
free(principal_string);
return ret;
out:
+ krb5_storage_free(sp);
return ret;
}
@@ -802,7 +1160,7 @@ build_logon_name(krb5_context context,
krb5_error_code ret;
krb5_storage *sp;
uint64_t t;
- char *s, *s2;
+ char *s, *s2 = NULL;
size_t s2_len;
t = unix2nttime(authtime);
@@ -849,7 +1207,7 @@ build_logon_name(krb5_context context,
krb5_set_error_message(context, ret, "Principal %s is not valid UTF-8", s);
free(s);
return ret;
- } else
+ } else
free(s);
s2_len = (ucs2_len + 1) * 2;
@@ -878,22 +1236,91 @@ build_logon_name(krb5_context context,
CHECK(ret, krb5_store_uint16(sp, s2_len), out);
ret = krb5_storage_write(sp, s2, s2_len);
- free(s2);
if (ret != (int)s2_len) {
ret = krb5_enomem(context);
goto out;
}
ret = krb5_storage_to_data(sp, logon);
- if (ret)
- goto out;
+
+ out:
+ free(s2);
krb5_storage_free(sp);
+ return ret;
+}
+
+static krb5_error_code
+parse_attributes_info(krb5_context context,
+ const struct PAC_INFO_BUFFER *attributes_info,
+ const krb5_data *data,
+ uint64_t *pac_attributes)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ uint32_t flags_length;
+
+ *pac_attributes = 0;
+
+ sp = krb5_storage_from_readonly_mem((const char *)data->data + attributes_info->offset,
+ attributes_info->buffersize);
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ ret = krb5_ret_uint32(sp, &flags_length);
+ if (ret == 0) {
+ if (flags_length > 32)
+ ret = krb5_ret_uint64(sp, pac_attributes);
+ else {
+ uint32_t pac_attributes32 = 0;
+ ret = krb5_ret_uint32(sp, &pac_attributes32);
+ *pac_attributes = pac_attributes32;
+ }
+ }
- return 0;
-out:
krb5_storage_free(sp);
+
return ret;
}
+static krb5_error_code
+build_attributes_info(krb5_context context,
+ uint64_t pac_attributes,
+ krb5_data *attributes_info)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ uint32_t flags_length;
+
+ krb5_data_zero(attributes_info);
+
+ sp = krb5_storage_emem();
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ if (pac_attributes == 0)
+ flags_length = 0;
+ else
+ flags_length = 64 - rk_clzll(pac_attributes);
+ if (flags_length < KRB5_PAC_WAS_GIVEN_IMPLICITLY)
+ flags_length = KRB5_PAC_WAS_GIVEN_IMPLICITLY;
+
+ ret = krb5_store_uint32(sp, flags_length);
+ if (ret == 0) {
+ if (flags_length > 32)
+ ret = krb5_store_uint64(sp, pac_attributes);
+ else
+ ret = krb5_store_uint32(sp, (uint32_t)pac_attributes);
+ }
+ if (ret == 0)
+ ret = krb5_storage_to_data(sp, attributes_info);
+
+ krb5_storage_free(sp);
+
+ return ret;
+}
/**
* Verify the PAC.
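Review bot: build_attributes_info's clamp `if (flags_length < KRB5_PAC_WAS_GIVEN_IMPLICITLY) flags_length = KRB5_PAC_WAS_GIVEN_IMPLICITLY;` compares a bit count against what its name suggests is a bit mask; if KRB5_PAC_WAS_GIVEN_IMPLICITLY is 0x2 this coincides with the two-bit minimum, but the intent is invisible and silently breaks if the flag value ever changes. Suggest a named constant such as `#define PAC_ATTRIBUTES_MIN_BITS 2 /* WAS_REQUESTED and WAS_GIVEN_IMPLICITLY */` and using it in the comparison. parse_attributes_info accepts any `flags_length` and reads 4 or 8 bytes accordingly; a comment stating that MS-PAC FlagsLength is a bit count and that bits beyond 64 are ignored would help the next reader. build_logon_name's start is outside the hunk.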
@@ -934,34 +1361,34 @@ krb5_pac_verify(krb5_context context,
return EINVAL;
}
- ret = verify_logonname(context,
- pac->logon_name,
- &pac->data,
- authtime,
- principal);
- if (ret)
- return ret;
+ if (principal != NULL) {
+ ret = verify_logonname(context, pac->logon_name, &pac->data, authtime,
+ principal);
+ if (ret)
+ return ret;
+ }
+
+ if (pac->server_checksum->buffersize < 4 ||
+ pac->privsvr_checksum->buffersize < 4)
+ return EINVAL;
/*
* in the service case, clean out data option of the privsvr and
* server checksum before checking the checksum.
*/
+ if (server != NULL)
{
krb5_data *copy;
- if (pac->server_checksum->buffersize < 4 ||
- pac->privsvr_checksum->buffersize < 4)
- return EINVAL;
-
ret = krb5_copy_data(context, &pac->data, &copy);
if (ret)
return ret;
- memset((char *)copy->data + pac->server_checksum->offset_lo + 4,
+ memset((char *)copy->data + pac->server_checksum->offset + 4,
0,
pac->server_checksum->buffersize - 4);
- memset((char *)copy->data + pac->privsvr_checksum->offset_lo + 4,
+ memset((char *)copy->data + pac->privsvr_checksum->offset + 4,
0,
pac->privsvr_checksum->buffersize - 4);
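Review bot: The hoisted `if (pac->server_checksum->buffersize < 4 || pac->privsvr_checksum->buffersize < 4) return EINVAL;` sets no error message, so a malformed checksum buffer is indistinguishable from the other EINVAL returns in krb5_pac_verify; suggest `krb5_set_error_message(context, EINVAL, "PAC checksum buffer too short");` before the return. Making the logon-name check conditional on `principal != NULL` and the checksum work conditional on `server != NULL` widens what a NULL argument means, and the function's doc comment (above the hunk) should spell out that passing NULL skips that verification rather than failing. krb5_pac_verify starts and ends outside the hunk.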
@@ -981,11 +1408,46 @@ krb5_pac_verify(krb5_context context,
pac->privsvr_checksum,
&pac->data,
(char *)pac->data.data
- + pac->server_checksum->offset_lo + 4,
+ + pac->server_checksum->offset + 4,
pac->server_checksum->buffersize - 4,
privsvr);
if (ret)
return ret;
+
+ if (pac->ticket_sign_data.length != 0) {
+ if (pac->ticket_checksum == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ "PAC missing ticket checksum");
+ return EINVAL;
+ }
+
+ ret = verify_checksum(context, pac->ticket_checksum, &pac->data,
+ pac->ticket_sign_data.data,
+ pac->ticket_sign_data.length, privsvr);
+ if (ret)
+ return ret;
+ }
+ }
+
+ if (pac->upn_dns_info &&
+ pac->upn_princ == NULL && pac->canon_princ == NULL && pac->sid.data == NULL) {
+ ret = parse_upn_dns_info(context, pac->upn_dns_info, &pac->data,
+ &pac->upn_princ, &pac->upn_flags,
+ &pac->canon_princ, &pac->sid);
+ if (ret)
+ return ret;
+
+ if (principal && pac->canon_princ &&
+ !krb5_realm_compare(context, principal, pac->canon_princ)) {
+ return KRB5KRB_AP_ERR_MODIFIED;
+ }
+ }
+
+ if (pac->attributes_info) {
+ ret = parse_attributes_info(context, pac->attributes_info, &pac->data,
+ &pac->pac_attributes);
+ if (ret)
+ return ret;
}
return 0;
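Review bot: The UPN_DNS_INFO and ATTRIBUTES_INFO parsing added after the `if (server != NULL)` block runs even when no server key was supplied, so `pac->upn_princ`, `pac->canon_princ`, `pac->sid` and `pac->pac_attributes` are populated from a PAC whose checksums were never verified; readers of those fields need to know they are only authenticated when krb5_pac_verify was given keys. Suggest a comment before the `if (pac->upn_dns_info &&` line: `/* These buffers are parsed whether or not the checksums above were verified (server == NULL); callers must treat the results as untrusted unless a server key was supplied. */` The realm mismatch also returns `KRB5KRB_AP_ERR_MODIFIED` without an error message, and the compare covers `pac->canon_princ` but not `pac->upn_princ`, which is presumably deliberate since UPN realms may differ, but a line saying so would help. krb5_pac_verify starts outside the hunk.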
@@ -1006,7 +1468,7 @@ fill_zeros(krb5_context context, krb5_storage *sp, size_t len)
if (l > sizeof(zeros))
l = sizeof(zeros);
sret = krb5_storage_write(sp, zeros, l);
- if (sret <= 0)
+ if (sret != l)
return krb5_enomem(context);
len -= sret;
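Review bot: `if (sret != l)` compares `sret` (presumably krb5_ssize_t, declared above the hunk) with the size_t `l`, so a negative return from krb5_storage_write() is caught only through the implicit unsigned conversion and the comparison trips -Wsign-compare; spelling it `if (sret < 0 || (size_t)sret != l)` says what is meant and keeps the following `len -= sret;` obviously safe. fill_zeros starts before the hunk.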
@@ -1051,32 +1513,48 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_pac_sign(krb5_context context,
krb5_pac p,
time_t authtime,
- krb5_principal principal,
+ krb5_const_principal principal,
const krb5_keyblock *server_key,
const krb5_keyblock *priv_key,
+ uint16_t rodc_id,
+ krb5_const_principal upn_princ,
+ krb5_const_principal canon_princ,
+ uint64_t *pac_attributes, /* optional */
krb5_data *data)
{
krb5_error_code ret;
krb5_storage *sp = NULL, *spdata = NULL;
uint32_t end;
size_t server_size, priv_size;
- uint32_t server_offset = 0, priv_offset = 0;
+ uint32_t server_offset = 0, priv_offset = 0, ticket_offset = 0;
uint32_t server_cksumtype = 0, priv_cksumtype = 0;
uint32_t num = 0;
- uint32_t i;
+ uint32_t i, sz;
krb5_data logon, d;
+ krb5_data upn_dns_info;
+ krb5_data attributes_info;
+ krb5_data_zero(&d);
krb5_data_zero(&logon);
+ krb5_data_zero(&upn_dns_info);
+ krb5_data_zero(&attributes_info);
+ /*
+ * Set convenience buffer pointers.
+ *
+ * This could really stand to be moved to krb5_pac_add_buffer() and/or
+ * utility function, so that when this function gets called they must
+ * already have been set.
+ */
for (i = 0; i < p->pac->numbuffers; i++) {
if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
if (p->server_checksum == NULL) {
p->server_checksum = &p->pac->buffers[i];
}
if (p->server_checksum != &p->pac->buffers[i]) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
krb5_set_error_message(context, ret,
- N_("PAC have two server checksums", ""));
+ N_("PAC has multiple server checksums", ""));
goto out;
}
} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
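Review bot: The new parameters `rodc_id`, `upn_princ`, `canon_princ` and `pac_attributes` of _krb5_pac_sign are documented only by the inline `/* optional */` on the last one; the doc comment above the hunk should say which may be NULL, what `rodc_id` of 0 means, and that `pac_attributes` produces a PAC_ATTRIBUTES_INFO buffer only when non-NULL (as the later `if (pac_attributes && p->attributes_info == NULL)` check implies). The convenience-pointer loop that follows repeats the switch in krb5_pac_parse almost verbatim, and its own comment says it belongs in krb5_pac_add_buffer; a shared static helper that sets and validates the six pointers from `p->pac->buffers[]` would let parse and sign share one copy. `uint32_t i, sz;` also declares `sz` far from any visible use. _krb5_pac_sign's body continues past the hunk.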
@@ -1084,9 +1562,9 @@ _krb5_pac_sign(krb5_context context,
p->privsvr_checksum = &p->pac->buffers[i];
}
if (p->privsvr_checksum != &p->pac->buffers[i]) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
krb5_set_error_message(context, ret,
- N_("PAC have two KDC checksums", ""));
+ N_("PAC has multiple KDC checksums", ""));
goto out;
}
} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
@@ -1094,84 +1572,150 @@ _krb5_pac_sign(krb5_context context,
p->logon_name = &p->pac->buffers[i];
}
if (p->logon_name != &p->pac->buffers[i]) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
+ krb5_set_error_message(context, ret,
+ N_("PAC has multiple logon names", ""));
+ goto out;
+ }
+ } else if (p->pac->buffers[i].type == PAC_UPN_DNS_INFO) {
+ if (p->upn_dns_info == NULL) {
+ p->upn_dns_info = &p->pac->buffers[i];
+ }
+ if (p->upn_dns_info != &p->pac->buffers[i]) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ krb5_set_error_message(context, ret,
+ N_("PAC has multiple UPN DNS info buffers", ""));
+ goto out;
+ }
+ } else if (p->pac->buffers[i].type == PAC_TICKET_CHECKSUM) {
+ if (p->ticket_checksum == NULL) {
+ p->ticket_checksum = &p->pac->buffers[i];
+ }
+ if (p->ticket_checksum != &p->pac->buffers[i]) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ krb5_set_error_message(context, ret,
+ N_("PAC has multiple ticket checksums", ""));
+ goto out;
+ }
+ } else if (p->pac->buffers[i].type == PAC_ATTRIBUTES_INFO) {
+ if (p->attributes_info == NULL) {
+ p->attributes_info = &p->pac->buffers[i];
+ }
+ if (p->attributes_info != &p->pac->buffers[i]) {
+ ret = KRB5KDC_ERR_BADOPTION;
krb5_set_error_message(context, ret,
- N_("PAC have two logon names", ""));
+ N_("PAC has multiple attributes info buffers", ""));
goto out;
}
}
}
+ /* Count missing-but-necessary buffers */
if (p->logon_name == NULL)
num++;
if (p->server_checksum == NULL)
num++;
if (p->privsvr_checksum == NULL)
num++;
+ if ((upn_princ || canon_princ) && p->upn_dns_info == NULL)
+ num++;
+ if (p->ticket_sign_data.length != 0 && p->ticket_checksum == NULL)
+ num++;
+ if (pac_attributes && p->attributes_info == NULL)
+ num++;
+ /* Allocate any missing-but-necessary buffers */
if (num) {
void *ptr;
- uint32_t len;
-
- if (p->pac->numbuffers > UINT32_MAX - num) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- goto out;
- }
- ret = pac_header_size(context, p->pac->numbuffers + num, &len);
- if (ret)
- goto out;
-
- ptr = realloc(p->pac, len);
- if (ptr == NULL)
- return krb5_enomem(context);
+ uint32_t old_len, len;
+ if (p->pac->numbuffers > UINT32_MAX - num) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ ret = pac_header_size(context, p->pac->numbuffers, &old_len);
+ if (ret == 0)
+ ret = pac_header_size(context, p->pac->numbuffers + num, &len);
+ if (ret)
+ goto out;
+
+ ptr = realloc(p->pac, len);
+ if (ptr == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ memset((char *)ptr + old_len, 0, len - old_len);
p->pac = ptr;
+
if (p->logon_name == NULL) {
p->logon_name = &p->pac->buffers[p->pac->numbuffers++];
- memset(p->logon_name, 0, sizeof(*p->logon_name));
p->logon_name->type = PAC_LOGON_NAME;
}
if (p->server_checksum == NULL) {
p->server_checksum = &p->pac->buffers[p->pac->numbuffers++];
- memset(p->server_checksum, 0, sizeof(*p->server_checksum));
p->server_checksum->type = PAC_SERVER_CHECKSUM;
}
if (p->privsvr_checksum == NULL) {
p->privsvr_checksum = &p->pac->buffers[p->pac->numbuffers++];
- memset(p->privsvr_checksum, 0, sizeof(*p->privsvr_checksum));
p->privsvr_checksum->type = PAC_PRIVSVR_CHECKSUM;
}
+ if ((upn_princ || canon_princ) && p->upn_dns_info == NULL) {
+ p->upn_dns_info = &p->pac->buffers[p->pac->numbuffers++];
+ p->upn_dns_info->type = PAC_UPN_DNS_INFO;
+ }
+ if (p->ticket_sign_data.length != 0 && p->ticket_checksum == NULL) {
+ p->ticket_checksum = &p->pac->buffers[p->pac->numbuffers++];
+ p->ticket_checksum->type = PAC_TICKET_CHECKSUM;
+ }
+ if (pac_attributes && p->attributes_info == NULL) {
+ p->attributes_info = &p->pac->buffers[p->pac->numbuffers++];
+ p->attributes_info->type = PAC_ATTRIBUTES_INFO;
+ }
}
/* Calculate LOGON NAME */
ret = build_logon_name(context, authtime, principal, &logon);
- if (ret)
- goto out;
/* Set lengths for checksum */
- ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
- if (ret)
- goto out;
- ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
- if (ret)
- goto out;
+ if (ret == 0)
+ ret = pac_checksum(context, server_key, &server_cksumtype, &server_size);
- /* Encode PAC */
- sp = krb5_storage_emem();
- if (sp == NULL)
- return krb5_enomem(context);
+ if (ret == 0)
+ ret = pac_checksum(context, priv_key, &priv_cksumtype, &priv_size);
- krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+ if (ret == 0 && (upn_princ || canon_princ)) {
+ krb5_boolean upn_defaulted =
+ upn_princ && krb5_principal_compare(context, principal, upn_princ);
- spdata = krb5_storage_emem();
- if (spdata == NULL) {
- krb5_storage_free(sp);
- return krb5_enomem(context);
+ ret = build_upn_dns_info(context, upn_princ, upn_defaulted,
+ canon_princ, NULL, &upn_dns_info);
+ }
+
+ if (ret == 0 && pac_attributes)
+ ret = build_attributes_info(context, *pac_attributes, &attributes_info);
+
+ /* Encode PAC */
+ if (ret == 0) {
+ sp = krb5_storage_emem();
+ if (sp == NULL)
+ ret = krb5_enomem(context);
+ }
+
+ if (ret == 0) {
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+ spdata = krb5_storage_emem();
+ if (spdata == NULL)
+ ret = krb5_enomem(context);
}
+
+ if (ret)
+ goto out;
+
krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
+ /* `sp' has the header, `spdata' has the buffers */
CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);
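Review bot: The `realloc(p->pac, len)` in the missing-buffers block may move the PAC header, but the convenience pointers assigned in the loop above (`p->server_checksum`, `p->privsvr_checksum`, `p->logon_name`, `p->upn_dns_info`, `p->ticket_checksum`, `p->attributes_info`) are not rebased onto the new block, so any of them that were already set point into freed memory once `p->pac = ptr` runs. Within this hunk they do not appear to be dereferenced again after the realloc, but they stay on `p`, and `krb5_pac_get_kdc_checksum_info()` later in this diff reads `pac->privsvr_checksum->offset`, so a PAC signed after a realloc would be read through a stale pointer. The pre-existing code had the same shape, but the new `memset` of the tail makes this the natural place to carry the pointers across as indices. The function starts before and ends after this hunk.
```c
	/* The convenience pointers set above (and by the parser) index into the
	 * block realloc() may move, so carry them across as indices. */
	ptrdiff_t srv_idx  = p->server_checksum  ? p->server_checksum  - p->pac->buffers : -1;
	ptrdiff_t priv_idx = p->privsvr_checksum ? p->privsvr_checksum - p->pac->buffers : -1;
	/* … same for logon_name, upn_dns_info, ticket_checksum, attributes_info … */
	ptr = realloc(p->pac, len);
	if (ptr == NULL) {
	    ret = krb5_enomem(context);
	    goto out;
	}
	memset((char *)ptr + old_len, 0, len - old_len);
	p->pac = ptr;
	p->server_checksum  = srv_idx  >= 0 ? &p->pac->buffers[srv_idx]  : NULL;
	p->privsvr_checksum = priv_idx >= 0 ? &p->pac->buffers[priv_idx] : NULL;
	/* … rebase the remaining four the same way; missing-buffer allocation follows unchanged … */
```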
@@ -1179,6 +1723,28 @@ _krb5_pac_sign(krb5_context context,
if (ret)
goto out;
+ /*
+ * For each buffer we write its contents to `spdata' and then append the
+ * PAC_INFO_BUFFER for that buffer into the header in `sp'. The logical
+ * end of the whole thing is kept in `end', which functions as the offset
+ * to write in the buffer's PAC_INFO_BUFFER, then we update it at the
+ * bottom so that the next buffer can be written there.
+ *
+ * TODO? Maybe rewrite all of this so that:
+ *
+ * - we use krb5_pac_add_buffer() to add the buffers we produce
+ * - we use the krb5_data of the concatenated buffers that's maintained by
+ * krb5_pac_add_buffer() so we don't need `spdata' here
+ *
+ * We do way too much here, and that makes this code hard to read. Plus we
+ * throw away all the work done in krb5_pac_add_buffer(). On the other
+ * hand, krb5_pac_add_buffer() has to loop over all the buffers, so if we
+ * call krb5_pac_add_buffer() here in a loop, we'll be accidentally
+ * quadratic, but we only need to loop over adding the buffers we add,
+ * which is very few, so not quite quadratic. We should also cap the
+ * number of buffers we're willing to accept in a PAC we parse to something
+ * reasonable, like a few tens.
+ */
for (i = 0; i < p->pac->numbuffers; i++) {
uint32_t len;
size_t sret;
@@ -1192,12 +1758,12 @@ _krb5_pac_sign(krb5_context context,
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
+ len = server_size + 4;
if (end > UINT32_MAX - 4) {
ret = EINVAL;
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
- len = server_size + 4;
server_offset = end + 4;
CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
CHECK(ret, fill_zeros(context, spdata, server_size), out);
@@ -1207,24 +1773,72 @@ _krb5_pac_sign(krb5_context context,
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
+ len = priv_size + 4;
if (end > UINT32_MAX - 4) {
ret = EINVAL;
krb5_set_error_message(context, ret, "integer overrun");
goto out;
}
- len = priv_size + 4;
priv_offset = end + 4;
CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
CHECK(ret, fill_zeros(context, spdata, priv_size), out);
+ if (rodc_id != 0) {
+ if (len > UINT32_MAX - sizeof(rodc_id)) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ len += sizeof(rodc_id);
+ CHECK(ret, fill_zeros(context, spdata, sizeof(rodc_id)), out);
+ }
+ } else if (p->ticket_sign_data.length != 0 &&
+ p->pac->buffers[i].type == PAC_TICKET_CHECKSUM) {
+ if (priv_size > UINT32_MAX - 4) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ len = priv_size + 4;
+ if (end > UINT32_MAX - 4) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ ticket_offset = end + 4;
+ CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
+ CHECK(ret, fill_zeros(context, spdata, priv_size), out);
+ if (rodc_id != 0) {
+ if (len > UINT32_MAX - sizeof(rodc_id)) {
+ ret = EINVAL;
+ krb5_set_error_message(context, ret, "integer overrun");
+ goto out;
+ }
+ len += sizeof(rodc_id);
+ CHECK(ret, krb5_store_uint16(spdata, rodc_id), out);
+ }
} else if (p->pac->buffers[i].type == PAC_LOGON_NAME) {
len = krb5_storage_write(spdata, logon.data, logon.length);
if (logon.length != len) {
- ret = EINVAL;
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+ } else if (upn_dns_info.length != 0 &&
+ p->pac->buffers[i].type == PAC_UPN_DNS_INFO) {
+ len = krb5_storage_write(spdata, upn_dns_info.data, upn_dns_info.length);
+ if (upn_dns_info.length != len) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+ } else if (attributes_info.length != 0 &&
+ p->pac->buffers[i].type == PAC_ATTRIBUTES_INFO) {
+ len = krb5_storage_write(spdata, attributes_info.data, attributes_info.length);
+ if (attributes_info.length != len) {
+ ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
} else {
len = p->pac->buffers[i].buffersize;
- ptr = (char *)p->data.data + p->pac->buffers[i].offset_lo;
+ ptr = (char *)p->data.data + p->pac->buffers[i].offset;
sret = krb5_storage_write(spdata, ptr, len);
if (sret != len) {
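Review bot: The two RODC-identifier paths disagree: the PAC_PRIVSVR_CHECKSUM branch reserves the trailing two bytes with `fill_zeros()` and the value is only `memcpy`'d in after the checksums are computed (in the export hunk below), whereas the PAC_TICKET_CHECKSUM branch writes it immediately with `krb5_store_uint16(spdata, rodc_id)`. Because the server checksum is computed over `d` as exported, the first form means the emitted KDC-signature buffer differs from the bytes that were signed in its last two bytes; whether a verifier masks that field I cannot tell from this hunk. If deferring is deliberate, a comment such as `/* rodc_id is patched in after signing; the server checksum does not cover it */` would stop the next reader from "fixing" it, and if it is not, the privsvr branch should store the value directly like the ticket branch and the post-sign `memcpy` block becomes unnecessary. The enclosing loop starts and ends outside this hunk.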
@@ -1237,27 +1851,17 @@ _krb5_pac_sign(krb5_context context,
/* write header */
CHECK(ret, krb5_store_uint32(sp, p->pac->buffers[i].type), out);
CHECK(ret, krb5_store_uint32(sp, len), out);
- CHECK(ret, krb5_store_uint32(sp, end), out);
- CHECK(ret, krb5_store_uint32(sp, 0), out);
+ CHECK(ret, krb5_store_uint64(sp, end), out); /* offset */
/* advance data endpointer and align */
{
uint32_t e;
- if (end > UINT32_MAX - len) {
- ret = EINVAL;
- krb5_set_error_message(context, ret, "integer overrun");
- goto out;
- }
- end += len;
-
- ret = pac_aligned_size(context, end, &e);
+ ret = pac_aligned_size(context, end, len, &e);
+ if (ret == 0 && end + len != e)
+ ret = fill_zeros(context, spdata, e - (end + len));
if (ret)
goto out;
-
- if (end != e) {
- CHECK(ret, fill_zeros(context, spdata, e - end), out);
- }
end = e;
}
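Review bot: The removed `if (end > UINT32_MAX - len)` guard is not replaced before `end + len` is evaluated on the `if (ret == 0 && end + len != e)` line and in `e - (end + len)`. If `pac_aligned_size(context, end, len, &e)` rejects sums that do not fit in a `uint32_t` the short-circuit on `ret` keeps this safe, but that is not visible here; if it does not, the sum wraps and a small bogus padding is written. Either restore the guard or note the contract, e.g. `/* pac_aligned_size() fails if end + len overflows, so the sum below is safe */`. The loop continues outside this hunk.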
@@ -1266,54 +1870,338 @@ _krb5_pac_sign(krb5_context context,
/* assert (server_offset != 0 && priv_offset != 0); */
/* export PAC */
- ret = krb5_storage_to_data(spdata, &d);
- if (ret) {
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
- goto out;
- }
- ret = krb5_storage_write(sp, d.data, d.length);
- if (ret != (int)d.length) {
- krb5_data_free(&d);
- ret = krb5_enomem(context);
- goto out;
+ if (ret == 0)
+ ret = krb5_storage_to_data(spdata, &d);
+ if (ret == 0) {
+ sz = krb5_storage_write(sp, d.data, d.length);
+ if (sz != d.length) {
+ krb5_data_free(&d);
+ ret = krb5_enomem(context);
+ goto out;
+ }
}
krb5_data_free(&d);
- ret = krb5_storage_to_data(sp, &d);
- if (ret) {
- ret = krb5_enomem(context);
- goto out;
- }
+ if (ret == 0)
+ ret = krb5_storage_to_data(sp, &d);
/* sign */
- ret = create_checksum(context, server_key, server_cksumtype,
- d.data, d.length,
- (char *)d.data + server_offset, server_size);
- if (ret) {
- krb5_data_free(&d);
- goto out;
- }
- ret = create_checksum(context, priv_key, priv_cksumtype,
- (char *)d.data + server_offset, server_size,
- (char *)d.data + priv_offset, priv_size);
- if (ret) {
- krb5_data_free(&d);
- goto out;
+ if (ret == 0 && p->ticket_sign_data.length)
+ ret = create_checksum(context, priv_key, priv_cksumtype,
+ p->ticket_sign_data.data,
+ p->ticket_sign_data.length,
+ (char *)d.data + ticket_offset, priv_size);
+ if (ret == 0)
+ ret = create_checksum(context, server_key, server_cksumtype,
+ d.data, d.length,
+ (char *)d.data + server_offset, server_size);
+ if (ret == 0)
+ ret = create_checksum(context, priv_key, priv_cksumtype,
+ (char *)d.data + server_offset, server_size,
+ (char *)d.data + priv_offset, priv_size);
+ if (ret == 0 && rodc_id != 0) {
+ krb5_data rd;
+ krb5_storage *rs = krb5_storage_emem();
+ if (rs == NULL)
+ ret = krb5_enomem(context);
+ else
+ krb5_storage_set_flags(rs, KRB5_STORAGE_BYTEORDER_LE);
+ if (ret == 0)
+ ret = krb5_store_uint16(rs, rodc_id);
+ if (ret == 0)
+ ret = krb5_storage_to_data(rs, &rd);
+ krb5_storage_free(rs);
+ if (ret)
+ goto out;
+ heim_assert(rd.length == sizeof(rodc_id), "invalid length");
+ memcpy((char *)d.data + priv_offset + priv_size, rd.data, rd.length);
+ krb5_data_free(&rd);
}
+ if (ret)
+ goto out;
+
/* done */
*data = d;
krb5_data_free(&logon);
+ krb5_data_free(&upn_dns_info);
+ krb5_data_free(&attributes_info);
krb5_storage_free(sp);
krb5_storage_free(spdata);
return 0;
out:
+ krb5_data_free(&d);
krb5_data_free(&logon);
+ krb5_data_free(&upn_dns_info);
+ krb5_data_free(&attributes_info);
if (sp)
krb5_storage_free(sp);
if (spdata)
krb5_storage_free(spdata);
return ret;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_pac_get_kdc_checksum_info(krb5_context context,
+ krb5_const_pac pac,
+ krb5_cksumtype *cstype,
+ uint16_t *rodc_id)
+{
+ krb5_error_code ret;
+ krb5_storage *sp = NULL;
+ const struct PAC_INFO_BUFFER *sig;
+ size_t cksumsize, prefix;
+ uint32_t type = 0;
+
+ *cstype = 0;
+ *rodc_id = 0;
+
+ sig = pac->privsvr_checksum;
+ if (sig == NULL) {
+ krb5_set_error_message(context, KRB5KDC_ERR_BADOPTION,
+ "PAC missing kdc checksum");
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+ sp = krb5_storage_from_mem((char *)pac->data.data + sig->offset,
+ sig->buffersize);
+ if (sp == NULL)
+ return krb5_enomem(context);
+
+ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+
+ ret = krb5_ret_uint32(sp, &type);
+ if (ret)
+ goto out;
+
+ ret = krb5_checksumsize(context, type, &cksumsize);
+ if (ret)
+ goto out;
+
+ prefix = krb5_storage_seek(sp, 0, SEEK_CUR);
+
+ if ((sig->buffersize - prefix) >= cksumsize + 2) {
+ krb5_storage_seek(sp, cksumsize, SEEK_CUR);
+ ret = krb5_ret_uint16(sp, rodc_id);
+ if (ret)
+ goto out;
+ }
+
+ *cstype = type;
+
+out:
+ krb5_storage_free(sp);
+
+ return ret;
+}
+
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_pac_get_canon_principal(krb5_context context,
+ krb5_const_pac pac,
+ krb5_principal *canon_princ)
+{
+ *canon_princ = NULL;
+
+ if (pac->canon_princ == NULL) {
+ krb5_set_error_message(context, ENOENT,
+ "PAC missing UPN DNS info buffer");
+ return ENOENT;
+ }
+
+ return krb5_copy_principal(context, pac->canon_princ, canon_princ);
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_pac_get_attributes_info(krb5_context context,
+ krb5_const_pac pac,
+ uint64_t *pac_attributes)
+{
+ *pac_attributes = 0;
+
+ if (pac->attributes_info == NULL) {
+ krb5_set_error_message(context, ENOENT,
+ "PAC missing attributes info buffer");
+ return ENOENT;
+ }
+
+ *pac_attributes = pac->pac_attributes;
+
+ return 0;
+}
+
+static const unsigned char single_zero = '\0';
+static const krb5_data single_zero_pac = { 1, rk_UNCONST(&single_zero) };
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kdc_pac_ticket_parse(krb5_context context,
+ EncTicketPart *tkt,
+ krb5_boolean *signedticket,
+ krb5_pac *ppac)
+{
+ AuthorizationData *ad = tkt->authorization_data;
+ krb5_pac pac = NULL;
+ unsigned i, j;
+ size_t len = 0;
+ krb5_error_code ret = 0;
+
+ *signedticket = FALSE;
+ *ppac = NULL;
+
+ if (ad == NULL || ad->len == 0)
+ return 0;
+
+ for (i = 0; i < ad->len; i++) {
+ AuthorizationData child;
+
+ if (ad->val[i].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+
+ if (ad->val[i].ad_type != KRB5_AUTHDATA_IF_RELEVANT)
+ continue;
+
+ ret = decode_AuthorizationData(ad->val[i].ad_data.data,
+ ad->val[i].ad_data.length,
+ &child,
+ NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret, "Failed to decode "
+ "AD-IF-RELEVANT with %d", ret);
+ goto out;
+ }
+
+ for (j = 0; j < child.len; j++) {
+ krb5_data adifr_data = ad->val[i].ad_data;
+ krb5_data pac_data = child.val[j].ad_data;
+ krb5_data recoded_adifr;
+
+ if (child.val[j].ad_type != KRB5_AUTHDATA_WIN2K_PAC)
+ continue;
+
+ if (pac != NULL) {
+ free_AuthorizationData(&child);
+ ret = KRB5KDC_ERR_BADOPTION;
+ goto out;
+ }
+
+ ret = krb5_pac_parse(context,
+ pac_data.data,
+ pac_data.length,
+ &pac);
+ if (ret) {
+ free_AuthorizationData(&child);
+ goto out;
+ }
+
+ if (pac->ticket_checksum == NULL)
+ continue;
+
+ /*
+ * Encode the ticket with the PAC replaced with a single zero
+ * byte, to be used as input data to the ticket signature.
+ */
+
+ child.val[j].ad_data = single_zero_pac;
+
+ ASN1_MALLOC_ENCODE(AuthorizationData, recoded_adifr.data,
+ recoded_adifr.length, &child, &len, ret);
+ if (recoded_adifr.length != len)
+ krb5_abortx(context, "Internal error in ASN.1 encoder");
+
+ child.val[j].ad_data = pac_data;
+
+ if (ret) {
+ free_AuthorizationData(&child);
+ goto out;
+ }
+
+ ad->val[i].ad_data = recoded_adifr;
+
+ ASN1_MALLOC_ENCODE(EncTicketPart,
+ pac->ticket_sign_data.data,
+ pac->ticket_sign_data.length, tkt, &len,
+ ret);
+ if (pac->ticket_sign_data.length != len)
+ krb5_abortx(context, "Internal error in ASN.1 encoder");
+
+ ad->val[i].ad_data = adifr_data;
+ krb5_data_free(&recoded_adifr);
+
+ if (ret) {
+ free_AuthorizationData(&child);
+ goto out;
+ }
+
+ *signedticket = TRUE;
+ }
+ free_AuthorizationData(&child);
+ }
+
+out:
+ if (ret) {
+ krb5_pac_free(context, pac);
+ return ret;
+ }
+
+ *ppac = pac;
+
+ return 0;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kdc_pac_sign_ticket(krb5_context context,
+ const krb5_pac pac,
+ krb5_const_principal client,
+ const krb5_keyblock *server_key,
+ const krb5_keyblock *kdc_key,
+ uint16_t rodc_id,
+ krb5_const_principal upn,
+ krb5_const_principal canon_name,
+ krb5_boolean add_ticket_sig,
+ EncTicketPart *tkt,
+ uint64_t *pac_attributes) /* optional */
+{
+ krb5_error_code ret;
+ krb5_data tkt_data;
+ krb5_data rspac;
+
+ krb5_data_zero(&rspac);
+ krb5_data_zero(&tkt_data);
+
+ krb5_data_free(&pac->ticket_sign_data);
+
+ if (add_ticket_sig) {
+ size_t len = 0;
+
+ ret = _kdc_tkt_insert_pac(context, tkt, &single_zero_pac);
+ if (ret)
+ return ret;
+
+ ASN1_MALLOC_ENCODE(EncTicketPart, tkt_data.data, tkt_data.length,
+ tkt, &len, ret);
+ if(tkt_data.length != len)
+ krb5_abortx(context, "Internal error in ASN.1 encoder");
+ if (ret)
+ return ret;
+
+ ret = remove_AuthorizationData(tkt->authorization_data, 0);
+ if (ret) {
+ krb5_data_free(&tkt_data);
+ return ret;
+ }
+
+ pac->ticket_sign_data = tkt_data;
+ }
+
+ ret = _krb5_pac_sign(context, pac, tkt->authtime, client, server_key,
+ kdc_key, rodc_id, upn, canon_name,
+ pac_attributes, &rspac);
+ if (ret == 0)
+ ret = _kdc_tkt_insert_pac(context, tkt, &rspac);
+ krb5_data_free(&rspac);
+ return ret;
+}
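Review bot: In `_krb5_kdc_pac_sign_ticket`, once `_kdc_tkt_insert_pac(context, tkt, &single_zero_pac)` has succeeded, a failure of the following `ASN1_MALLOC_ENCODE` returns without removing the placeholder, leaving `tkt` with a one-byte PAC at index 0; `if (ret) { (void)remove_AuthorizationData(tkt->authorization_data, 0); return ret; }` would restore the caller's ticket. The later `remove_AuthorizationData(tkt->authorization_data, 0)` also silently assumes that `_kdc_tkt_insert_pac` places the placeholder at index 0 (not visible here); a comment stating that coupling, `/* _kdc_tkt_insert_pac() prepends, so the placeholder is element 0 */`, would make it checkable. Separately, `krb5_pac_get_kdc_checksum_info` writes `*rodc_id` as soon as it is read but `*cstype` only on success, so a caller that ignores the return value may see a non-zero RODC id paired with a zero checksum type.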
diff --git a/lib/krb5/pcache.c b/lib/krb5/pcache.c
index 3a9949dc2777..980449027330 100644
--- a/lib/krb5/pcache.c
+++ b/lib/krb5/pcache.c
@@ -48,7 +48,7 @@ cc_plugin_register_to_context(krb5_context context, const void *plug, void *plug
krb5_cc_ops *ccops = (krb5_cc_ops *)plugctx;
krb5_error_code ret;
- if (ccops == NULL || ccops->version < KRB5_CC_OPS_VERSION)
+ if (ccops == NULL)
return KRB5_PLUGIN_NO_HANDLE;
ret = krb5_cc_register(context, ccops, TRUE);
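Review bot: Dropping `ccops->version < KRB5_CC_OPS_VERSION` from the guard means a plugin built against an older `krb5_cc_ops` layout is now handed to `krb5_cc_register()` unconditionally. If that function now performs the version check itself this is fine, but that is not visible in this diff; if it does not, the library will read members past the end of a shorter struct. Either keep the check here or add a comment recording where the version is validated, e.g. `/* krb5_cc_register() validates ccops->version */`.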
@@ -58,13 +58,24 @@ cc_plugin_register_to_context(krb5_context context, const void *plug, void *plug
return KRB5_PLUGIN_NO_HANDLE;
}
+static const char *const ccache_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+ccache_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_CCACHE,
+ 0,
+ ccache_plugin_deps,
+ krb5_get_instance
+};
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_load_ccache_plugins(krb5_context context)
{
krb5_error_code userctx = 0;
- (void)_krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_CCACHE,
- 0, 0, &userctx, cc_plugin_register_to_context);
+ (void)_krb5_plugin_run_f(context, &ccache_plugin_data, 0,
+ &userctx, cc_plugin_register_to_context);
return userctx;
}
diff --git a/lib/krb5/pkinit-ec.c b/lib/krb5/pkinit-ec.c
index 33bc62c8dcef..34cefd506fe3 100644
--- a/lib/krb5/pkinit-ec.c
+++ b/lib/krb5/pkinit-ec.c
@@ -56,6 +56,7 @@
#include <openssl/ecdh.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
#define HEIM_NO_CRYPTO_HDRS
#endif
@@ -125,6 +126,9 @@ _krb5_build_authpack_subjectPK_EC(krb5_context context,
if (ret)
return ret;
+#ifdef HAVE_OPENSSL_30
+ ctx->u.eckey = EVP_EC_gen(OSSL_EC_curve_nid2name(NID_X9_62_prime256v1));
+#else
ctx->u.eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ctx->u.eckey == NULL)
return krb5_enomem(context);
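Review bot: On the `HAVE_OPENSSL_30` path `ctx->u.eckey = EVP_EC_gen(...)` is not NULL-checked, because the `if (ctx->u.eckey == NULL) return krb5_enomem(context);` that follows sits inside the `#else` branch; a failed key generation (or a NULL from `OSSL_EC_curve_nid2name()`) is therefore passed on to `i2d_PublicKey()` in the next hunk. Moving the NULL check below the `#endif` so it covers both branches fixes this in place. The function starts before and ends after this hunk.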
@@ -132,8 +136,13 @@ _krb5_build_authpack_subjectPK_EC(krb5_context context,
ret = EC_KEY_generate_key(ctx->u.eckey);
if (ret != 1)
return EINVAL;
+#endif
+#ifdef HAVE_OPENSSL_30
+ xlen = i2d_PublicKey(ctx->u.eckey, NULL);
+#else
xlen = i2o_ECPublicKey(ctx->u.eckey, NULL);
+#endif
if (xlen <= 0)
return EINVAL;
@@ -143,7 +152,11 @@ _krb5_build_authpack_subjectPK_EC(krb5_context context,
a->clientPublicValue->subjectPublicKey.data = p;
+#ifdef HAVE_OPENSSL_30
+ xlen = i2d_PublicKey(ctx->u.eckey, &p);
+#else
xlen = i2o_ECPublicKey(ctx->u.eckey, &p);
+#endif
if (xlen <= 0) {
a->clientPublicValue->subjectPublicKey.data = NULL;
free(p);
@@ -171,6 +184,61 @@ _krb5_pk_rd_pa_reply_ecdh_compute_key(krb5_context context,
int *out_sz)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#ifdef HAVE_OPENSSL_30
+ krb5_error_code ret = 0;
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_PKEY *template = NULL;
+ EVP_PKEY *public = NULL;
+ size_t shared_len = 0;
+
+ if ((template = EVP_PKEY_new()) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 &&
+ EVP_PKEY_copy_parameters(template, ctx->u.eckey) != 1)
+ ret = krb5_enomem(context);
+ if (ret == 0 && (pctx = EVP_PKEY_CTX_new(ctx->u.eckey, NULL)) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 && EVP_PKEY_derive_init(pctx) != 1)
+ ret = krb5_enomem(context);
+ if (ret == 0 &&
+ EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_NONE) != 1)
+ ret = krb5_enomem(context);
+ if (ret == 0 &&
+ (public = d2i_PublicKey(EVP_PKEY_EC, &template, &in, in_sz)) == NULL)
+ krb5_set_error_message(context,
+ ret = HX509_PARSING_KEY_FAILED,
+ "PKINIT: Can't parse the KDC's ECDH public key");
+ if (ret == 0 &&
+ EVP_PKEY_derive_set_peer_ex(pctx, public, 1) != 1)
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(EVP_PKEY_derive_set_peer_ex)");
+ if (ret == 0 &&
+ (EVP_PKEY_derive(pctx, NULL, &shared_len) != 1 || shared_len == 0))
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(EVP_PKEY_derive to get length)");
+ if (ret == 0 && shared_len > INT_MAX)
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(shared key too large)");
+ if (ret == 0 && (*out = malloc(shared_len)) == NULL)
+ ret = krb5_enomem(context);
+ if (ret == 0 && EVP_PKEY_derive(pctx, *out, &shared_len) != 1)
+ krb5_set_error_message(context,
+ ret = KRB5KRB_ERR_GENERIC,
+ "Could not derive ECDH shared secret for PKINIT key exchange "
+ "(EVP_PKEY_derive)");
+ if (ret == 0)
+ *out_sz = shared_len;
+ EVP_PKEY_CTX_free(pctx); // move
+ EVP_PKEY_free(template);
+
+ return ret;
+#else
krb5_error_code ret = 0;
int dh_gen_keylen;
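Review bot: `public` is never freed on the `HAVE_OPENSSL_30` path: only `pctx` and `template` are released at the bottom. If `d2i_PublicKey(EVP_PKEY_EC, &template, ...)` decodes into the supplied `template` and returns that same object, `public` merely aliases it and nothing leaks, but that is non-obvious and should be stated, e.g. `/* d2i_PublicKey() decodes into `template`; `public` is an alias, freed with it */`; if it allocates a fresh key, an `EVP_PKEY_free(public)` is missing. The trailing `// move` on `EVP_PKEY_CTX_free(pctx)` reads as a leftover note and should go. Reporting `krb5_enomem()` for `EVP_PKEY_derive_init` and `EVP_PKEY_CTX_set_ecdh_kdf_type` failures mislabels non-allocation errors as out-of-memory; `KRB5KRB_ERR_GENERIC` with a message, as used for the later steps, would be consistent. The function starts before and ends after this hunk.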
@@ -219,6 +287,7 @@ _krb5_pk_rd_pa_reply_ecdh_compute_key(krb5_context context,
*out_sz = dh_gen_keylen;
return ret;
+#endif
#else
krb5_set_error_message(context, ENOTSUP,
N_("PKINIT: ECDH not supported", ""));
@@ -230,8 +299,12 @@ void
_krb5_pk_eckey_free(void *eckey)
{
#ifdef HAVE_HCRYPTO_W_OPENSSL
+#ifdef HAVE_OPENSSL_30
+ EVP_PKEY_free(eckey);
+#else
EC_KEY_free(eckey);
#endif
+#endif
}
#else
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 7ede91c3fa9a..2a0979b7e127 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -109,26 +109,34 @@ integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
}
static krb5_error_code
-select_dh_group(krb5_context context, DH *dh, unsigned long bits,
+select_dh_group(krb5_context context, DH *dh, unsigned long min_bits,
struct krb5_dh_moduli **moduli)
{
const struct krb5_dh_moduli *m;
- if (bits == 0) {
+ if (moduli[0] == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("Did not find a DH group parameter "
+ "matching requirement of %lu bits", ""),
+ min_bits);
+ return EINVAL;
+ }
+
+ if (min_bits == 0) {
m = moduli[1]; /* XXX */
if (m == NULL)
m = moduli[0]; /* XXX */
} else {
int i;
for (i = 0; moduli[i] != NULL; i++) {
- if (bits < moduli[i]->bits)
+ if (moduli[i]->bits >= min_bits)
break;
}
if (moduli[i] == NULL) {
krb5_set_error_message(context, EINVAL,
N_("Did not find a DH group parameter "
"matching requirement of %lu bits", ""),
- bits);
+ min_bits);
return EINVAL;
}
m = moduli[i];
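Review bot: The `for` loop takes the first entry with `moduli[i]->bits >= min_bits`, which is only the smallest acceptable group if `moduli` is sorted by ascending `bits`; nothing in this hunk states that ordering, and the `min_bits == 0` case that prefers `moduli[1]` over `moduli[0]` is still marked `XXX`. A comment on the function, `/* moduli[] is expected sorted by ascending bit size; the first entry meeting min_bits is chosen */`, would make the dependency explicit for whoever edits the table. The function ends outside this hunk.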
@@ -232,7 +240,7 @@ create_signature(krb5_context context,
return 0;
}
-static int
+static int KRB5_LIB_CALL
cert2epi(hx509_context context, void *ctx, hx509_cert c)
{
ExternalPrincipalIdentifiers *ids = ctx;
@@ -473,16 +481,29 @@ build_auth_pack(krb5_context context,
free_DomainParameters(&dp);
return ret;
}
- dp.q = calloc(1, sizeof(*dp.q));
- if (dp.q == NULL) {
- free_DomainParameters(&dp);
- return ENOMEM;
- }
- ret = BN_to_integer(context, dh->q, dp.q);
- if (ret) {
- free_DomainParameters(&dp);
- return ret;
- }
+ if (dh->q && BN_num_bits(dh->q)) {
+ /*
+ * The q parameter is required, but MSFT made it optional.
+ * It's only required in order to verify the domain parameters
+ * -- the security of the DH group --, but we validate groups
+ * against known groups rather than accepting arbitrary groups
+ * chosen by the peer, so we really don't need to have put it
+ * on the wire. Because these are Oakley groups, and the
+ * primes are Sophie Germain primes, q is p>>1 and we can
+ * compute it on the fly like MIT Kerberos does, but we'd have
+ * to implement BN_rshift1().
+ */
+ dp.q = calloc(1, sizeof(*dp.q));
+ if (dp.q == NULL) {
+ free_DomainParameters(&dp);
+ return ENOMEM;
+ }
+ ret = BN_to_integer(context, dh->q, dp.q);
+ if (ret) {
+ free_DomainParameters(&dp);
+ return ret;
+ }
+ }
dp.j = NULL;
dp.validationParms = NULL;
@@ -719,7 +740,7 @@ pk_mk_padata(krb5_context context,
free(buf.data);
if (ret == 0)
- krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
+ ret = krb5_padata_add(context, md, KRB5_PADATA_PK_AS_09_BINDING, NULL, 0);
out:
free_ContentInfo(&content_info);
@@ -774,7 +795,7 @@ _krb5_pk_mk_padata(krb5_context context,
NULL);
if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK)
ctx->require_eku = 0;
- if (ctx->id->flags & PKINIT_BTMM)
+ if (ctx->id->flags & (PKINIT_BTMM | PKINIT_NO_KDC_ANCHOR))
ctx->require_eku = 0;
ctx->require_krbtgt_otherName =
@@ -816,33 +837,43 @@ pk_verify_sign(krb5_context context,
struct krb5_pk_cert **signer)
{
hx509_certs signer_certs;
- int ret, flags = 0;
+ int ret;
+ unsigned flags = 0, verify_flags = 0;
+
+ *signer = NULL;
- /* BTMM is broken in Leo and SnowLeo */
if (id->flags & PKINIT_BTMM) {
flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
flags |= HX509_CMS_VS_NO_KU_CHECK;
flags |= HX509_CMS_VS_NO_VALIDATE;
}
+ if (id->flags & PKINIT_NO_KDC_ANCHOR)
+ flags |= HX509_CMS_VS_NO_VALIDATE;
- *signer = NULL;
-
- ret = hx509_cms_verify_signed(context->hx509ctx,
- id->verify_ctx,
- flags,
- data,
- length,
- NULL,
- id->certpool,
- contentType,
- content,
- &signer_certs);
+ ret = hx509_cms_verify_signed_ext(context->hx509ctx,
+ id->verify_ctx,
+ flags,
+ data,
+ length,
+ NULL,
+ id->certpool,
+ contentType,
+ content,
+ &signer_certs,
+ &verify_flags);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
"CMS verify signed failed");
return ret;
}
+ heim_assert((verify_flags & HX509_CMS_VSE_VALIDATED) ||
+ (id->flags & PKINIT_NO_KDC_ANCHOR),
+ "Either PKINIT signer must be validated, or NO_KDC_ANCHOR must be set");
+
+ if ((verify_flags & HX509_CMS_VSE_VALIDATED) == 0)
+ goto out;
+
*signer = calloc(1, sizeof(**signer));
if (*signer == NULL) {
krb5_clear_error_message(context);
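Review bot: With `PKINIT_NO_KDC_ANCHOR` the code sets `HX509_CMS_VS_NO_VALIDATE`, and when `HX509_CMS_VSE_VALIDATED` is then absent it jumps to `out` with `*signer` still NULL; the callers in this diff rely on that NULL to skip `pk_verify_host()` and to leave `ctx->kdc_verified` unset, but nothing here says so. A comment at the early exit, `/* Not chain-validated (only reachable with PKINIT_NO_KDC_ANCHOR): report no signer so callers skip pk_verify_host() and do not set kdc_verified */`, would tie the three places together. The `out:` label and the value returned on that path are outside this hunk, so whether it returns 0 with `*signer == NULL` is inferred from the callers.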
@@ -983,7 +1014,6 @@ get_reply_key(krb5_context context,
static krb5_error_code
pk_verify_host(krb5_context context,
const char *realm,
- const krb5_krbhst_info *hi,
struct krb5_pk_init_ctx_data *ctx,
struct krb5_pk_cert *host)
{
@@ -1048,7 +1078,9 @@ pk_verify_host(krb5_context context,
free_KRB5PrincipalName(&r);
}
hx509_free_octet_string_list(&list);
- if (matched == 0) {
+
+ if (matched == 0 &&
+ (ctx->id->flags & PKINIT_NO_KDC_ANCHOR) == 0) {
ret = KRB5_KDC_ERR_INVALID_CERTIFICATE;
/* XXX: Lost in translation... */
krb5_set_error_message(context, ret,
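Review bot: With this change a validated KDC certificate whose SAN/otherName does not match is accepted whenever `PKINIT_NO_KDC_ANCHOR` is set, and the hostname/address check on `hi` is removed further down in this file, so name matching is now the only binding of the certificate to the KDC and even that is conditional. That appears intended, but the function's contract has changed enough to deserve a comment above the condition, e.g. `/* Without NO_KDC_ANCHOR the KDC cert must name this realm's krbtgt; with it, the name match is advisory and kdc_verified carries the result */`. The function starts before and ends after this hunk.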
@@ -1059,18 +1091,6 @@ pk_verify_host(krb5_context context,
if (ret)
return ret;
- if (hi) {
- ret = hx509_verify_hostname(context->hx509ctx, host->cert,
- ctx->require_hostname_match,
- HX509_HN_HOSTNAME,
- hi->hostname,
- hi->ai->ai_addr, hi->ai->ai_addrlen);
-
- if (ret)
- krb5_set_error_message(context, ret,
- N_("Address mismatch in "
- "the KDC certificate", ""));
- }
return ret;
}
@@ -1082,7 +1102,6 @@ pk_rd_pa_reply_enckey(krb5_context context,
const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
- const krb5_krbhst_info *hi,
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
@@ -1091,6 +1110,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_error_code ret;
struct krb5_pk_cert *host = NULL;
krb5_data content;
+ heim_octet_string unwrapped;
heim_oid contentType = { 0, NULL };
int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
@@ -1122,9 +1142,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
/* win2k uses ContentInfo */
if (type == PKINIT_WIN2K) {
heim_oid type2;
- heim_octet_string out;
- ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret) {
/* windows LH with interesting CMS packets */
size_t ph = 1 + der_length_len(content.length);
@@ -1143,7 +1162,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.data = ptr;
content.length += ph;
- ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
if (ret)
goto out;
}
@@ -1152,13 +1171,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
krb5_set_error_message(context, ret,
N_("PKINIT: Invalid content type", ""));
der_free_oid(&type2);
- der_free_octet_string(&out);
+ der_free_octet_string(&unwrapped);
goto out;
}
der_free_oid(&type2);
krb5_data_free(&content);
- ret = krb5_data_copy(&content, out.data, out.length);
- der_free_octet_string(&out);
+ ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
+ der_free_octet_string(&unwrapped);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
@@ -1171,15 +1190,26 @@ pk_rd_pa_reply_enckey(krb5_context context,
content.length,
ctx->id,
&contentType,
- &content,
+ &unwrapped,
&host);
+ if (ret == 0) {
+ krb5_data_free(&content);
+ ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
+ der_free_octet_string(&unwrapped);
+ }
if (ret)
goto out;
- /* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, realm, hi, ctx, host);
- if (ret) {
- goto out;
+ heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR),
+ "KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set");
+
+ if (host) {
+ /* make sure that it is the kdc's certificate */
+ ret = pk_verify_host(context, realm, ctx, host);
+ if (ret)
+ goto out;
+
+ ctx->kdc_verified = 1;
}
#if 0
@@ -1321,7 +1351,6 @@ pk_rd_pa_reply_dh(krb5_context context,
const char *realm,
krb5_pk_init_ctx ctx,
krb5_enctype etype,
- const krb5_krbhst_info *hi,
const DHNonce *c_n,
const DHNonce *k_n,
unsigned nonce,
@@ -1358,10 +1387,17 @@ pk_rd_pa_reply_dh(krb5_context context,
if (ret)
goto out;
- /* make sure that it is the kdc's certificate */
- ret = pk_verify_host(context, realm, hi, ctx, host);
- if (ret)
- goto out;
+ heim_assert(host || (ctx->id->flags & PKINIT_NO_KDC_ANCHOR),
+ "KDC signature must be verified unless PKINIT_NO_KDC_ANCHOR set");
+
+ if (host) {
+ /* make sure that it is the kdc's certificate */
+ ret = pk_verify_host(context, realm, ctx, host);
+ if (ret)
+ goto out;
+
+ ctx->kdc_verified = 1;
+ }
if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkdhkeydata)) {
ret = KRB5KRB_AP_ERR_MSG_TYPE;
@@ -1516,7 +1552,6 @@ _krb5_pk_rd_pa_reply(krb5_context context,
const char *realm,
void *c,
krb5_enctype etype,
- const krb5_krbhst_info *hi,
unsigned nonce,
const krb5_data *req_buffer,
PA_DATA *pa,
@@ -1607,14 +1642,14 @@ _krb5_pk_rd_pa_reply(krb5_context context,
switch (rep.element) {
case choice_PA_PK_AS_REP_dhInfo:
- ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype, hi,
+ ret = pk_rd_pa_reply_dh(context, &data, &oid, realm, ctx, etype,
ctx->clientDHNonce,
rep.u.dhInfo.serverDHNonce,
nonce, pa, key);
break;
case choice_PA_PK_AS_REP_encKeyPack:
ret = pk_rd_pa_reply_enckey(context, PKINIT_27, &data, &oid, realm,
- ctx, etype, hi, nonce, req_buffer, pa, key);
+ ctx, etype, nonce, req_buffer, pa, key);
break;
default:
krb5_abortx(context, "pk-init as-rep case not possible to happen");
@@ -1666,7 +1701,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
}
ret = pk_rd_pa_reply_enckey(context, PKINIT_WIN2K, &data, &oid, realm,
- ctx, etype, hi, nonce, req_buffer, pa, key);
+ ctx, etype, nonce, req_buffer, pa, key);
der_free_octet_string(&data);
der_free_oid(&oid);
@@ -1790,7 +1825,7 @@ _krb5_pk_set_user_id(krb5_context context,
ret = der_print_hex_heim_integer(&i, &sn);
der_free_heim_integer(&i);
if (ret) {
- free(name);
+ free(str);
goto out;
}
@@ -1816,16 +1851,10 @@ _krb5_pk_load_id(krb5_context context,
{
struct krb5_pk_identity *id = NULL;
struct prompter p;
- int ret;
+ krb5_error_code ret;
*ret_id = NULL;
- if (anchor_id == NULL) {
- krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
- N_("PKINIT: No anchor given", ""));
- return HEIM_PKINIT_NO_VALID_CA;
- }
-
/* load cert */
id = calloc(1, sizeof(*id));
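Review bot: Dropping the `anchor_id == NULL` rejection from `_krb5_pk_load_id` moves the decision of whether a trust anchor is required to the caller, and the only replacement visible in this diff is the flag-gated check added to krb5_get_init_creds_opt_set_pkinit (hunk at -2366,6). Any other caller of `_krb5_pk_load_id` now silently loads an identity with no anchor, so the function should state that contract: `/* anchor_id may be NULL; the caller is responsible for enforcing the PKINIT_NO_KDC_ANCHOR policy */`. The function body continues past the hunk.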
@@ -1887,7 +1916,7 @@ _krb5_pk_load_id(krb5_context context,
NULL, *chain_list);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
- "Failed to laod chain %s",
+ "Failed to load chain %s",
*chain_list);
goto out;
}
@@ -2060,8 +2089,12 @@ _krb5_parse_moduli_line(krb5_context context,
if (ret)
goto out;
ret = parse_integer(context, &p, file, lineno, "q", &m1->q);
- if (ret)
- goto out;
+ if (ret) {
+ m1->q.negative = 0;
+ m1->q.length = 0;
+ m1->q.data = 0;
+ krb5_clear_error_message(context);
+ }
*m = m1;
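Review bot: A failed `parse_integer` for `q` is now indistinguishable from an absent `q`: the error is cleared and the entry is kept with an empty q, so a malformed q in a moduli file is accepted silently rather than rejected, and the hunk at -2246,7 then matches that entry against any peer-supplied q. If the intent is only to allow omitting q, the parser should distinguish "no more tokens" from "token present but not a valid integer" and keep failing on the latter; parse_integer is outside the hunk, so whether it can report that difference is not visible here. A comment such as `/* q is optional; an entry without q cannot validate the peer's q (see _krb5_dh_group_ok) */` should accompany the relaxation either way.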
@@ -2075,17 +2108,22 @@ _krb5_parse_moduli_line(krb5_context context,
return ret;
}
+static void
+free_moduli_element(struct krb5_dh_moduli *element)
+{
+ free(element->name);
+ der_free_heim_integer(&element->p);
+ der_free_heim_integer(&element->g);
+ der_free_heim_integer(&element->q);
+ free(element);
+}
+
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_free_moduli(struct krb5_dh_moduli **moduli)
{
int i;
- for (i = 0; moduli[i] != NULL; i++) {
- free(moduli[i]->name);
- der_free_heim_integer(&moduli[i]->p);
- der_free_heim_integer(&moduli[i]->g);
- der_free_heim_integer(&moduli[i]->q);
- free(moduli[i]);
- }
+ for (i = 0; moduli[i] != NULL; i++)
+ free_moduli_element(moduli[i]);
free(moduli);
}
@@ -2115,7 +2153,7 @@ static const char *default_moduli_rfc3526_MODP_group14 =
/* name */
"rfc3526-MODP-group14 "
/* bits */
- "1760 "
+ "2048 "
/* p */
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
@@ -2180,9 +2218,8 @@ _krb5_parse_moduli(krb5_context context, const char *file,
if (file == NULL)
file = MODULI_FILE;
-#ifdef KRB5_USE_PATH_TOKENS
{
- char * exp_file;
+ char *exp_file;
if (_krb5_expand_path_tokens(context, file, 1, &exp_file) == 0) {
f = fopen(exp_file, "r");
@@ -2191,9 +2228,6 @@ _krb5_parse_moduli(krb5_context context, const char *file,
f = NULL;
}
}
-#else
- f = fopen(file, "r");
-#endif
if (f == NULL) {
*moduli = m;
@@ -2207,29 +2241,33 @@ _krb5_parse_moduli(krb5_context context, const char *file,
buf[strcspn(buf, "\n")] = '\0';
lineno++;
+ ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
+ if (ret)
+ break;
+ if (element == NULL)
+ continue;
+
m2 = realloc(m, (n + 2) * sizeof(m[0]));
if (m2 == NULL) {
- _krb5_free_moduli(m);
- return krb5_enomem(context);
+ free_moduli_element(element);
+ ret = krb5_enomem(context);
+ break;
}
m = m2;
- m[n] = NULL;
-
- ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
- if (ret) {
- _krb5_free_moduli(m);
- return ret;
- }
- if (element == NULL)
- continue;
-
m[n] = element;
m[n + 1] = NULL;
n++;
}
+ if (ret) {
+ _krb5_free_moduli(m);
+ m = NULL;
+ }
+
*moduli = m;
- return 0;
+
+ (void) fclose(f);
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
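Review bot: The new common error path calls `_krb5_free_moduli(m)` unconditionally, and that function (hunk at -2075,17) reads `moduli[0]` without a NULL check; `m` is initialised before the hunk, so if it can still be NULL when the first line fails to parse or the first realloc fails, the error path dereferences NULL. Either guard the call, `if (m != NULL) _krb5_free_moduli(m);`, or make `_krb5_free_moduli` tolerate NULL with `if (moduli == NULL) return;`, which also protects other callers. The function continues before the hunk.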
@@ -2246,7 +2284,8 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
for (i = 0; moduli[i] != NULL; i++) {
if (der_heim_integer_cmp(&moduli[i]->g, g) == 0 &&
der_heim_integer_cmp(&moduli[i]->p, p) == 0 &&
- (q == NULL || der_heim_integer_cmp(&moduli[i]->q, q) == 0))
+ (q == NULL || moduli[i]->q.length == 0 ||
+ der_heim_integer_cmp(&moduli[i]->q, q) == 0))
{
if (bits && bits > moduli[i]->bits) {
krb5_set_error_message(context,
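Review bot: `moduli[i]->q.length == 0` now makes the comparison succeed for whatever q the peer sent, so for a moduli entry without q the group check binds only g and p; if q is later used to validate the peer's public key (outside this hunk), a peer-chosen q is accepted unvalidated for that group. For the RFC 3526 safe-prime groups the expected q is (p-1)/2, so the check could compute and compare that when the entry has no q instead of skipping the comparison; at minimum document the weakening: `/* entry has no q: the peer's q is not validated against a known value */`. _krb5_dh_group_ok continues past the hunk.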
@@ -2326,6 +2365,8 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
{
#ifdef PKINIT
krb5_error_code ret;
+ char **freeme1 = NULL;
+ char **freeme2 = NULL;
char *anchors = NULL;
if (opt->opt_private == NULL) {
@@ -2345,16 +2386,13 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
/* XXX implement krb5_appdefault_strings */
if (pool == NULL)
- pool = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_pool",
- NULL);
+ pool = freeme1 = krb5_config_get_strings(context, NULL, "appdefaults",
+ "pkinit_pool", NULL);
if (pki_revoke == NULL)
- pki_revoke = krb5_config_get_strings(context, NULL,
- "appdefaults",
- "pkinit_revoke",
- NULL);
+ pki_revoke = freeme2 = krb5_config_get_strings(context, NULL,
+ "appdefaults",
+ "pkinit_revoke", NULL);
if (x509_anchors == NULL) {
krb5_appdefault_string(context, "kinit",
@@ -2366,6 +2404,13 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
if (flags & KRB5_GIC_OPT_PKINIT_ANONYMOUS)
opt->opt_private->pk_init_ctx->anonymous = 1;
+ if ((flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR) == 0 &&
+ x509_anchors == NULL) {
+ krb5_set_error_message(context, HEIM_PKINIT_NO_VALID_CA,
+ N_("PKINIT: No anchor given", ""));
+ return HEIM_PKINIT_NO_VALID_CA;
+ }
+
ret = _krb5_pk_load_id(context,
&opt->opt_private->pk_init_ctx->id,
user_id,
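Review bot: The early `return HEIM_PKINIT_NO_VALID_CA` skips the cleanup that the later error path performs: `freeme1`/`freeme2` (obtained from krb5_config_get_strings in the hunk at -2345,16) are never passed to krb5_config_free_strings, `anchors` (presumably populated by the krb5_appdefault_string call just above, which is not fully visible) is not freed, and `opt->opt_private->pk_init_ctx`, already allocated at this point since its `anonymous` field is set two lines earlier, is left attached to opt instead of being freed and NULLed as the `_krb5_pk_load_id` failure path does. Route this failure through the same cleanup, releasing the three strings and pk_init_ctx before returning, rather than returning directly. The function continues on both sides of the hunk.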
@@ -2375,6 +2420,9 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
prompter,
prompter_data,
password);
+ krb5_config_free_strings(freeme2);
+ krb5_config_free_strings(freeme1);
+ free(anchors);
if (ret) {
free(opt->opt_private->pk_init_ctx);
opt->opt_private->pk_init_ctx = NULL;
@@ -2382,15 +2430,21 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
}
if (flags & KRB5_GIC_OPT_PKINIT_BTMM)
opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
-
if (principal && krb5_principal_is_lkdc(context, principal))
opt->opt_private->pk_init_ctx->id->flags |= PKINIT_BTMM;
+ if (flags & KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR)
+ opt->opt_private->pk_init_ctx->id->flags |= PKINIT_NO_KDC_ANCHOR;
if (opt->opt_private->pk_init_ctx->id->certs) {
- _krb5_pk_set_user_id(context,
- principal,
- opt->opt_private->pk_init_ctx,
- opt->opt_private->pk_init_ctx->id->certs);
+ ret = _krb5_pk_set_user_id(context,
+ principal,
+ opt->opt_private->pk_init_ctx,
+ opt->opt_private->pk_init_ctx->id->certs);
+ if (ret) {
+ free(opt->opt_private->pk_init_ctx);
+ opt->opt_private->pk_init_ctx = NULL;
+ return ret;
+ }
} else
opt->opt_private->pk_init_ctx->id->cert = NULL;
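Review bot: The new `_krb5_pk_set_user_id` failure path frees `opt->opt_private->pk_init_ctx` but not `pk_init_ctx->id`, which `_krb5_pk_load_id` has already populated by this point (its `certs` are being passed in), so the loaded identity, certificates and hx509 handles leak on that path unless `_krb5_pk_set_user_id` releases it itself, which is not visible here. The identity should be released with the routine that pairs with `_krb5_pk_load_id` before `free(opt->opt_private->pk_init_ctx)`, mirroring the earlier error path. The function continues past the hunk.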
@@ -2449,9 +2503,7 @@ krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context,
return EINVAL;
}
- _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
-
- return 0;
+ return _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
#else
krb5_set_error_message(context, EINVAL,
N_("no support for PKINIT compiled in", ""));
@@ -2601,3 +2653,15 @@ krb5_pk_enterprise_cert(krb5_context context,
return EINVAL;
#endif
}
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+_krb5_pk_is_kdc_verified(krb5_context context,
+ krb5_get_init_creds_opt *opt)
+{
+ if (opt == NULL ||
+ opt->opt_private == NULL ||
+ opt->opt_private->pk_init_ctx == NULL)
+ return FALSE;
+
+ return opt->opt_private->pk_init_ctx->kdc_verified;
+}
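Review bot: `_krb5_pk_is_kdc_verified` is exported (KRB5_LIB_FUNCTION) but has no doxygen block like the neighbouring functions, and its meaning is security-critical: it is the only signal that the KDC's PKINIT signature was checked against an anchor, since with KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR the reply is accepted with `kdc_verified` left 0. Add a comment stating that it returns TRUE only when pk_verify_host succeeded for the reply and that FALSE means the KDC was not authenticated by PKINIT and must be authenticated by other means. It also relies on `kdc_verified` being zero-initialised where `pk_init_ctx` is allocated, which is outside this diff and worth confirming.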
diff --git a/lib/krb5/plugin.c b/lib/krb5/plugin.c
index f4bf99953ebb..b4035d39d58a 100644
--- a/lib/krb5/plugin.c
+++ b/lib/krb5/plugin.c
@@ -3,6 +3,8 @@
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
+ * Portions Copyright (c) 2018 AuriStor, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -32,35 +34,30 @@
*/
#include "krb5_locl.h"
+#include "common_plugin.h"
-#ifdef HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-#include <dirent.h>
-
-struct krb5_plugin {
- void *symbol;
- struct krb5_plugin *next;
-};
-
-struct plugin {
- enum { DSO, SYMBOL } type;
- union {
- struct {
- char *path;
- void *dsohandle;
- } dso;
- struct {
- enum krb5_plugin_type type;
- char *name;
- char *symbol;
- } symbol;
- } u;
- struct plugin *next;
-};
-
-static HEIMDAL_MUTEX plugin_mutex = HEIMDAL_MUTEX_INITIALIZER;
-static struct plugin *registered = NULL;
+/*
+ * Definitions:
+ *
+ * module - a category of plugin module, identified by subsystem
+ * (typically "krb5")
+ * dso - a library for a module containing a map of plugin
+ * types to plugins (e.g. "service_locator")
+ * plugin - a set of callbacks and state that follows the
+ * common plugin module definition (version, init, fini)
+ *
+ * Obviously it would have been clearer to use the term "module" rather than
+ * "DSO" given there is an internal "DSO", but "module" was already taken...
+ *
+ * modules := { module: dsos }
+ * dsos := { path, dsohandle, plugins-by-name }
+ * plugins-by-name := { plugin-name: [plug] }
+ * plug := { ftable, ctx }
+ *
+ * Some existing plugin consumers outside libkrb5 use the "krb5" module
+ * namespace, but going forward the module should match the consumer library
+ * name (e.g. libhdb should use the "hdb" module rather than "krb5").
+ */
/**
* Register a plugin symbol name of specific type.
@@ -78,187 +75,22 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_plugin_register(krb5_context context,
enum krb5_plugin_type type,
const char *name,
- void *symbol)
-{
- struct plugin *e;
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- /* check for duplicates */
- for (e = registered; e != NULL; e = e->next) {
- if (e->type == SYMBOL &&
- strcmp(e->u.symbol.name, name) == 0 &&
- e->u.symbol.type == type && e->u.symbol.symbol == symbol) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- return 0;
- }
- }
-
- e = calloc(1, sizeof(*e));
- if (e == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- e->type = SYMBOL;
- e->u.symbol.type = type;
- e->u.symbol.name = strdup(name);
- if (e->u.symbol.name == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- free(e);
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- e->u.symbol.symbol = symbol;
-
- e->next = registered;
- registered = e;
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
-
- return 0;
-}
-
-static krb5_error_code
-add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol)
-{
- struct krb5_plugin *e;
-
- e = calloc(1, sizeof(*e));
- if (e == NULL) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
- return ENOMEM;
- }
- e->symbol = symbol;
- e->next = *list;
- *list = e;
- return 0;
-}
-
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-_krb5_plugin_find(krb5_context context,
- enum krb5_plugin_type type,
- const char *name,
- struct krb5_plugin **list)
-{
- struct plugin *e;
- krb5_error_code ret;
-
- *list = NULL;
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- for (ret = 0, e = registered; e != NULL; e = e->next) {
- switch(e->type) {
- case DSO: {
- void *sym;
- if (e->u.dso.dsohandle == NULL)
- continue;
- sym = dlsym(e->u.dso.dsohandle, name);
- if (sym)
- ret = add_symbol(context, list, sym);
- break;
- }
- case SYMBOL:
- if (strcmp(e->u.symbol.name, name) == 0 && e->u.symbol.type == type)
- ret = add_symbol(context, list, e->u.symbol.symbol);
- break;
- }
- if (ret) {
- _krb5_plugin_free(*list);
- *list = NULL;
- }
- }
-
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- if (ret)
- return ret;
-
- if (*list == NULL) {
- krb5_set_error_message(context, ENOENT, "Did not find a plugin for %s", name);
- return ENOENT;
- }
-
- return 0;
-}
-
-KRB5_LIB_FUNCTION void KRB5_LIB_CALL
-_krb5_plugin_free(struct krb5_plugin *list)
-{
- struct krb5_plugin *next;
- while (list) {
- next = list->next;
- free(list);
- list = next;
- }
-}
-/*
- * module - dict of {
- * ModuleName = [
- * plugin = object{
- * array = { ptr, ctx }
- * }
- * ]
- * }
- */
-
-static heim_dict_t modules;
-
-struct plugin2 {
- heim_string_t path;
- void *dsohandle;
- heim_dict_t names;
-};
-
-static void
-plug_dealloc(void *ptr)
-{
- struct plugin2 *p = ptr;
- heim_release(p->path);
- heim_release(p->names);
- if (p->dsohandle)
- dlclose(p->dsohandle);
-}
-
-static char *
-resolve_origin(const char *di)
+ const void *symbol)
{
-#ifdef HAVE_DLADDR
- Dl_info dl_info;
- const char *dname;
- char *path, *p;
-#endif
-
- if (strncmp(di, "$ORIGIN/", sizeof("$ORIGIN/") - 1) &&
- strcmp(di, "$ORIGIN"))
- return strdup(di);
-
-#ifndef HAVE_DLADDR
- return strdup(LIBDIR "/plugin/krb5");
-#else /* !HAVE_DLADDR */
- di += sizeof("$ORIGIN") - 1;
-
- if (dladdr(_krb5_load_plugins, &dl_info) == 0)
- return strdup(LIBDIR "/plugin/krb5");
-
- dname = dl_info.dli_fname;
-#ifdef _WIN32
- p = strrchr(dname, '\\');
- if (p == NULL)
-#endif
- p = strrchr(dname, '/');
- if (p) {
- if (asprintf(&path, "%.*s%s", (int) (p - dname), dname, di) == -1)
- return NULL;
- } else {
- if (asprintf(&path, "%s%s", dname, di) == -1)
- return NULL;
+ /*
+ * It's not clear that PLUGIN_TYPE_FUNC was ever used or supported. It likely
+ * would have caused _krb5_plugin_run_f() to crash as the previous implementation
+ * assumed PLUGIN_TYPE_DATA.
+ */
+ if (type != PLUGIN_TYPE_DATA) {
+ krb5_warnx(context, "krb5_plugin_register: PLUGIN_TYPE_DATA no longer supported");
+ return EINVAL;
}
- return path;
-#endif /* !HAVE_DLADDR */
+ return heim_plugin_register(context->hcontext, (heim_pcontext)context,
+ "krb5", name, symbol);
}
-
/**
* Load plugins (new system) for the given module @name (typically
* "krb5") from the given directory @paths.
@@ -272,132 +104,7 @@ resolve_origin(const char *di)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_load_plugins(krb5_context context, const char *name, const char **paths)
{
-#ifdef HAVE_DLOPEN
- heim_string_t s = heim_string_create(name);
- heim_dict_t module;
- struct dirent *entry;
- krb5_error_code ret;
- const char **di;
- char *dirname = NULL;
- DIR *d;
-#ifdef _WIN32
- const char * plugin_prefix;
- size_t plugin_prefix_len;
-
- if (asprintf(&plugin_prefix, "plugin_%s_", name) == -1)
- return;
- plugin_prefix_len = (plugin_prefix ? strlen(plugin_prefix) : 0);
-#endif
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- if (modules == NULL) {
- modules = heim_dict_create(11);
- if (modules == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- return;
- }
- }
-
- module = heim_dict_copy_value(modules, s);
- if (module == NULL) {
- module = heim_dict_create(11);
- if (module == NULL) {
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- heim_release(s);
- return;
- }
- heim_dict_set_value(modules, s, module);
- }
- heim_release(s);
-
- for (di = paths; *di != NULL; di++) {
- free(dirname);
- dirname = resolve_origin(*di);
- if (dirname == NULL)
- continue;
- d = opendir(dirname);
- if (d == NULL)
- continue;
- rk_cloexec_dir(d);
-
- while ((entry = readdir(d)) != NULL) {
- char *n = entry->d_name;
- char *path = NULL;
- heim_string_t spath;
- struct plugin2 *p;
-
- /* skip . and .. */
- if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
- continue;
-
- ret = 0;
-#ifdef _WIN32
- /*
- * On Windows, plugins must be loaded from the same directory as
- * heimdal.dll (typically the assembly directory) and must have
- * the name form "plugin_<module>_<name>.dll".
- */
- {
- char *ext;
-
- if (strnicmp(n, plugin_prefix, plugin_prefix_len))
- continue;
- ext = strrchr(n, '.');
- if (ext == NULL || stricmp(ext, ".dll"))
- continue;
-
- ret = asprintf(&path, "%s\\%s", dirname, n);
- if (ret < 0 || path == NULL)
- continue;
- }
-#endif
-#ifdef __APPLE__
- { /* support loading bundles on MacOS */
- size_t len = strlen(n);
- if (len > 7 && strcmp(&n[len - 7], ".bundle") == 0)
- ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", dirname, n, (int)(len - 7), n);
- }
-#endif
- if (ret < 0 || path == NULL)
- ret = asprintf(&path, "%s/%s", dirname, n);
-
- if (ret < 0 || path == NULL)
- continue;
-
- spath = heim_string_create(n);
- if (spath == NULL) {
- free(path);
- continue;
- }
-
- /* check if already cached */
- p = heim_dict_copy_value(module, spath);
- if (p == NULL) {
- p = heim_alloc(sizeof(*p), "krb5-plugin", plug_dealloc);
- if (p)
- p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
-
- if (p && p->dsohandle) {
- p->path = heim_retain(spath);
- p->names = heim_dict_create(11);
- heim_dict_set_value(module, spath, p);
- }
- }
- heim_release(p);
- heim_release(spath);
- free(path);
- }
- closedir(d);
- }
- free(dirname);
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
- heim_release(module);
-#ifdef _WIN32
- if (plugin_prefix)
- free(plugin_prefix);
-#endif
-#endif /* HAVE_DLOPEN */
+ heim_load_plugins(context->hcontext, name, paths);
}
/**
@@ -406,101 +113,14 @@ _krb5_load_plugins(krb5_context context, const char *name, const char **paths)
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
_krb5_unload_plugins(krb5_context context, const char *name)
{
- HEIMDAL_MUTEX_lock(&plugin_mutex);
- heim_release(modules);
- modules = NULL;
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
-}
-
-/*
- *
- */
-
-struct common_plugin_method {
- int version;
- krb5_error_code (*init)(krb5_context, void **);
- void (*fini)(void *);
-};
-
-struct plug {
- void *dataptr;
- void *ctx;
-};
-
-static void
-plug_free(void *ptr)
-{
- struct plug *pl = ptr;
- if (pl->dataptr) {
- struct common_plugin_method *cpm = pl->dataptr;
- cpm->fini(pl->ctx);
- }
-}
-
-struct iter_ctx {
- krb5_context context;
- heim_string_t n;
- const char *name;
- int min_version;
- int flags;
- heim_array_t result;
- krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *);
- void *userctx;
- krb5_error_code ret;
-};
-
-static void
-search_modules(heim_object_t key, heim_object_t value, void *ctx)
-{
- struct iter_ctx *s = ctx;
- struct plugin2 *p = value;
- struct plug *pl = heim_dict_copy_value(p->names, s->n);
- struct common_plugin_method *cpm;
-
- if (pl == NULL) {
- if (p->dsohandle == NULL)
- return;
-
- pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free);
-
- cpm = pl->dataptr = dlsym(p->dsohandle, s->name);
- if (cpm) {
- int ret;
-
- ret = cpm->init(s->context, &pl->ctx);
- if (ret)
- cpm = pl->dataptr = NULL;
- }
- heim_dict_set_value(p->names, s->n, pl);
- } else {
- cpm = pl->dataptr;
- }
-
- if (cpm && cpm->version >= s->min_version)
- heim_array_append_value(s->result, pl);
- heim_release(pl);
-}
-
-static void
-eval_results(heim_object_t value, void *ctx, int *stop)
-{
- struct plug *pl = value;
- struct iter_ctx *s = ctx;
-
- if (s->ret != KRB5_PLUGIN_NO_HANDLE)
- return;
-
- s->ret = s->func(s->context, pl->dataptr, pl->ctx, s->userctx);
- if (s->ret != KRB5_PLUGIN_NO_HANDLE
- && !(s->flags & KRB5_PLUGIN_INVOKE_ALL))
- *stop = 1;
+ heim_unload_plugins(context->hcontext, name);
}
/**
* Run plugins for the given @module (e.g., "krb5") and @name (e.g.,
* "kuserok"). Specifically, the @func is invoked once per-plugin with
* four arguments: the @context, the plugin symbol value (a pointer to a
- * struct whose first three fields are the same as struct common_plugin_method),
+ * struct whose first three fields are the same as common_plugin_ftable),
* a context value produced by the plugin's init method, and @userctx.
*
* @func should unpack arguments for a plugin function and invoke it
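Review bot: The doxygen block for `_krb5_plugin_run_f` still documents @module and @name as separate parameters, but the next hunk (-527,80) replaces them with a single `const struct heim_plugin_data *caller` and drops `min_version`; the comment was updated only to rename common_plugin_method to common_plugin_ftable. Update the description to say that the module, name and minimum version are now taken from @caller, so the API documentation matches the signature. The comment block begins in this hunk and continues into the next.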
@@ -527,80 +147,62 @@ eval_results(heim_object_t value, void *ctx, int *stop)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_plugin_run_f(krb5_context context,
- const char *module,
- const char *name,
- int min_version,
+ const struct heim_plugin_data *caller,
int flags,
void *userctx,
krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *))
{
- heim_string_t m = heim_string_create(module);
- heim_dict_t dict;
- void *plug_ctx;
- struct common_plugin_method *cpm;
- struct iter_ctx s;
- struct krb5_plugin *registered_plugins = NULL;
- struct krb5_plugin *p;
-
- /* Get registered plugins */
- (void) _krb5_plugin_find(context, PLUGIN_TYPE_DATA, name, &registered_plugins);
-
- HEIMDAL_MUTEX_lock(&plugin_mutex);
-
- s.context = context;
- s.name = name;
- s.n = heim_string_create(name);
- s.flags = flags;
- s.min_version = min_version;
- s.result = heim_array_create();
- s.func = func;
- s.userctx = userctx;
- s.ret = KRB5_PLUGIN_NO_HANDLE;
-
- /* Get loaded plugins */
- dict = heim_dict_copy_value(modules, m);
- heim_release(m);
-
- /* Add loaded plugins to s.result array */
- if (dict)
- heim_dict_iterate_f(dict, &s, search_modules);
+ int32_t (HEIM_LIB_CALL *func2)(void *, const void *, void *, void *) = (void *)func;
+ return heim_plugin_run_f(context->hcontext, (heim_pcontext)context, caller,
+ flags, KRB5_PLUGIN_NO_HANDLE, userctx, func2);
+}
- /* We don't need to hold plugin_mutex during plugin invocation */
- HEIMDAL_MUTEX_unlock(&plugin_mutex);
+/**
+ * Return a cookie identifying this instance of a library.
+ *
+ * Inputs:
+ *
+ * @context A krb5_context
+ * @module Our library name or a library we depend on
+ *
+ * Outputs: The instance cookie
+ *
+ * @ingroup krb5_support
+ */
- /* Invoke registered plugins (old system) */
- for (p = registered_plugins; p; p = p->next) {
- /*
- * XXX This is the wrong way to handle registered plugins, as we
- * call init/fini on each invocation! We do this because we
- * have nowhere in the struct plugin registered list to store
- * the context allocated by the plugin's init function. (But at
- * least we do call init/fini!)
- *
- * What we should do is adapt the old plugin system to the new
- * one and change how we register plugins so that we use the new
- * struct plug to keep track of their context structures, that
- * way we can init once, invoke many times, then fini.
- */
- cpm = (struct common_plugin_method *)p->symbol;
- s.ret = cpm->init(context, &plug_ctx);
- if (s.ret)
- continue;
- s.ret = s.func(s.context, p->symbol, plug_ctx, s.userctx);
- cpm->fini(plug_ctx);
- if (s.ret != KRB5_PLUGIN_NO_HANDLE &&
- !(flags & KRB5_PLUGIN_INVOKE_ALL))
- break;
- }
- _krb5_plugin_free(registered_plugins);
+#ifdef WIN32
+static uintptr_t
+djb2(uintptr_t hash, unsigned char *str)
+{
+ int c;
- /* Invoke loaded plugins (new system) */
- if (s.ret == KRB5_PLUGIN_NO_HANDLE)
- heim_array_iterate_f(s.result, &s, eval_results);
+ while (c = *str++)
+ hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
- heim_release(s.result);
- heim_release(s.n);
- heim_release(dict);
+ return hash;
+}
+#endif
- return s.ret;
+KRB5_LIB_FUNCTION uintptr_t KRB5_LIB_CALL
+krb5_get_instance(const char *libname)
+{
+#ifdef WIN32
+ char *version;
+ char *name;
+ uintptr_t instance;
+
+ if (win32_getLibraryVersion("heimdal", &name, &version))
+ return 0;
+ instance = djb2(5381, name);
+ instance = djb2(instance, version);
+ free(name);
+ free(version);
+ return instance;
+#else
+ static const char *instance = "libkrb5";
+
+ if (strcmp(libname, "krb5") == 0)
+ return (uintptr_t)instance;
+ return 0;
+#endif
}
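Review bot: `while (c = *str++)` in djb2 uses an assignment as the loop condition without the parentheses the idiom calls for, and `djb2(5381, name)` / `djb2(instance, version)` pass `char *` where the parameter is `unsigned char *`, which most compilers flag as an incompatible pointer type; write `while ((c = *str++) != '\0')` and take `const char *str`, converting through `(unsigned char)` at the use. In the WIN32 branch of krb5_get_instance the `libname` argument is ignored, so every library name yields the same cookie, unlike the other branch which returns 0 for anything but "krb5"; if that is intended a comment should say so.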
diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c
index 937a9a7d59e4..690a725fbde6 100644
--- a/lib/krb5/principal.c
+++ b/lib/krb5/principal.c
@@ -103,6 +103,8 @@ krb5_free_principal(krb5_context context,
krb5_principal p)
{
if(p){
+ if (p->nameattrs && p->nameattrs->pac)
+ heim_release(p->nameattrs->pac);
free_Principal(p);
free(p);
}
@@ -234,10 +236,10 @@ krb5_parse_name_flags(krb5_context context,
*principal = NULL;
if (no_realm && require_realm) {
- krb5_set_error_message(context, KRB5_ERR_NO_SERVICE,
+ krb5_set_error_message(context, EINVAL,
N_("Can't require both realm and "
"no realm at the same time", ""));
- return KRB5_ERR_NO_SERVICE;
+ return EINVAL;
}
/* count number of component,
@@ -279,9 +281,24 @@ krb5_parse_name_flags(krb5_context context,
c = '\t';
else if (c == 'b')
c = '\b';
- else if (c == '0')
- c = '\0';
- else if (c == '\0') {
+ else if (c == '0') {
+ /*
+ * We'll ignore trailing embedded NULs in components and
+ * realms, but can't support any other embedded NULs.
+ */
+ while (*p) {
+ if ((*p == '/' || *p == '@') && !got_realm)
+ break;
+ if (*(p++) != '\\' || *(p++) != '0') {
+ ret = KRB5_PARSE_MALFORMED;
+ krb5_set_error_message(context, ret,
+ N_("embedded NULs in principal "
+ "name not supported", ""));
+ goto exit;
+ }
+ }
+ continue;
+ } else if (c == '\0') {
ret = KRB5_PARSE_MALFORMED;
krb5_set_error_message(context, ret,
N_("trailing \\ in principal name", ""));
@@ -442,6 +459,22 @@ unparse_name_fixed(krb5_context context,
int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
+ if (name == NULL) {
+ krb5_set_error_message(context, EINVAL,
+ N_("Invalid name buffer, "
+ "can't unparse", ""));
+ return EINVAL;
+ }
+
+ if (len == 0) {
+ krb5_set_error_message(context, ERANGE,
+ N_("Invalid name buffer length, "
+ "can't unparse", ""));
+ return ERANGE;
+ }
+
+ name[0] = '\0';
+
if (!no_realm && princ_realm(principal) == NULL) {
krb5_set_error_message(context, ERANGE,
N_("Realm missing from principal, "
@@ -756,6 +789,9 @@ krb5_make_principal(krb5_context context,
krb5_error_code ret;
krb5_realm r = NULL;
va_list ap;
+
+ *principal = NULL;
+
if(realm == NULL) {
ret = krb5_get_default_realm(context, &r);
if(ret)
@@ -910,13 +946,20 @@ krb5_copy_principal(krb5_context context,
krb5_const_principal inprinc,
krb5_principal *outprinc)
{
- krb5_principal p = malloc(sizeof(*p));
+ krb5_principal p;
+
+ *outprinc = NULL;
+
+ p = malloc(sizeof(*p));
if (p == NULL)
return krb5_enomem(context);
if(copy_Principal(inprinc, p)) {
free(p);
return krb5_enomem(context);
}
+ if (inprinc->nameattrs && inprinc->nameattrs->pac)
+ p->nameattrs->pac = heim_retain(inprinc->nameattrs->pac);
+
*outprinc = p;
return 0;
}
@@ -1297,10 +1340,32 @@ krb5_principal_is_anonymous(krb5_context context,
return strcmp(p->realm, KRB5_ANON_REALM) != 0;
}
+/**
+ * Returns true iff name is WELLKNOWN/FEDERATED
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principal_is_federated(krb5_context context,
+ krb5_const_principal p)
+{
+ if (p->name.name_type != KRB5_NT_WELLKNOWN &&
+ p->name.name_type != KRB5_NT_UNKNOWN)
+ return FALSE;
+
+ if (p->name.name_string.len != 2 ||
+ strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
+ strcmp(p->name.name_string.val[1], KRB5_FEDERATED_NAME) != 0)
+ return FALSE;
+
+ return TRUE;
+}
+
static int
tolower_ascii(int c)
{
- if (c >= 'A' || c <= 'Z')
+ if (c >= 'A' && c <= 'Z')
return 'a' + (c - 'A');
return c;
}
@@ -1398,8 +1463,8 @@ krb5_sname_to_principal(krb5_context context,
/* Lower-case the hostname, because that's the convention */
for (cp = remote_host; *cp; cp++)
- if (isupper((int) (*cp)))
- *cp = tolower((int) (*cp));
+ if (isupper((unsigned char) (*cp)))
+ *cp = tolower((unsigned char) (*cp));
/*
* If there is only one name canon rule and it says to
@@ -1465,7 +1530,7 @@ static void
tolower_str(char *s)
{
for (; *s != '\0'; s++) {
- if (isupper(*s))
+ if (isupper((unsigned char)*s))
*s = tolower_ascii(*s);
}
}
@@ -1720,12 +1785,14 @@ _krb5_get_name_canon_rules(krb5_context context, krb5_name_canon_rule *rules)
krb5_config_free_strings(values);
if (ret)
return ret;
+ if (*rules == NULL)
+ return krb5_enomem(context);
if (krb5_config_get_bool_default(context, NULL, FALSE,
"libdefaults", "safe_name_canon", NULL))
make_rules_safe(context, *rules);
- heim_assert(rules != NULL && (*rules)[0].type != KRB5_NCRT_BOGUS,
+ heim_assert((*rules)[0].type != KRB5_NCRT_BOGUS,
"internal error in parsing principal name "
"canonicalization rules");
@@ -1788,7 +1855,7 @@ apply_name_canon_rule(krb5_context context, krb5_name_canon_rule rules,
krb5_name_canon_rule_options *rule_opts)
{
krb5_name_canon_rule rule = &rules[rule_idx];
- krb5_error_code ret;
+ krb5_error_code ret = 0;
unsigned int ndots = 0;
krb5_principal nss = NULL;
const char *sname = NULL;
@@ -1833,17 +1900,17 @@ apply_name_canon_rule(krb5_context context, krb5_name_canon_rule rules,
ndots++;
}
if (rule->mindots > 0 && ndots < rule->mindots)
- return 0;
+ goto out;
if (ndots > rule->maxdots)
- return 0;
+ goto out;
if (rule->match_domain != NULL &&
!is_domain_suffix(orig_hostname, rule->match_domain))
- return 0;
+ goto out;
if (rule->match_realm != NULL &&
strcmp(rule->match_realm, in_princ->realm) != 0)
- return 0;
+ goto out;
new_realm = rule->realm;
switch (rule->type) {
@@ -1927,10 +1994,12 @@ apply_name_canon_rule(krb5_context context, krb5_name_canon_rule rules,
new_hostname = hostname_with_port;
}
- if (new_realm != NULL)
- krb5_principal_set_realm(context, *out_princ, new_realm);
- if (new_hostname != NULL)
- krb5_principal_set_comp_string(context, *out_princ, 1, new_hostname);
+ if (new_realm != NULL &&
+ (ret = krb5_principal_set_realm(context, *out_princ, new_realm)))
+ goto out;
+ if (new_hostname != NULL &&
+ (ret = krb5_principal_set_comp_string(context, *out_princ, 1, new_hostname)))
+ goto out;
if (princ_type(*out_princ) == KRB5_NT_SRV_HST_NEEDS_CANON)
princ_type(*out_princ) = KRB5_NT_SRV_HST;
diff --git a/lib/krb5/rd_cred.c b/lib/krb5/rd_cred.c
index e38882525ab4..f8d57362310b 100644
--- a/lib/krb5/rd_cred.c
+++ b/lib/krb5/rd_cred.c
@@ -96,7 +96,7 @@ krb5_rd_cred(krb5_context context,
goto out;
}
- if (cred.enc_part.etype == (krb5_enctype)ETYPE_NULL) {
+ if (cred.enc_part.etype == ETYPE_NULL) {
/* DK: MIT GSS-API Compatibility */
enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
enc_krb_cred_part_data.data = cred.enc_part.cipher.data;
@@ -222,7 +222,7 @@ krb5_rd_cred(krb5_context context,
if (enc_krb_cred_part.timestamp == NULL ||
enc_krb_cred_part.usec == NULL ||
- labs(*enc_krb_cred_part.timestamp - sec)
+ krb5_time_abs(*enc_krb_cred_part.timestamp, sec)
> context->max_skew) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_SKEW;
diff --git a/lib/krb5/rd_priv.c b/lib/krb5/rd_priv.c
index 3e49dd8b4634..ab1a165d5165 100644
--- a/lib/krb5/rd_priv.c
+++ b/lib/krb5/rd_priv.c
@@ -136,7 +136,7 @@ krb5_rd_priv(krb5_context context,
krb5_timeofday (context, &sec);
if (part.timestamp == NULL ||
part.usec == NULL ||
- labs(*part.timestamp - sec) > context->max_skew) {
+ krb5_time_abs(*part.timestamp, sec) > context->max_skew) {
krb5_clear_error_message (context);
ret = KRB5KRB_AP_ERR_SKEW;
goto failure_part;
diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index 3937dc5ab3ac..012cfefc2d80 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -146,7 +146,7 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0)
return 0;
- if(enc->transited.tr_type != DOMAIN_X500_COMPRESS)
+ if(enc->transited.tr_type != domain_X500_Compress)
return KRB5KDC_ERR_TRTYPE_NOSUPP;
if(enc->transited.contents.length == 0)
@@ -260,6 +260,8 @@ krb5_verify_authenticator_checksum(krb5_context context,
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
goto out;
+
+ _krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM);
ret = krb5_verify_checksum(context, crypto,
KRB5_KU_AP_REQ_AUTH_CKSUM,
data, len, authenticator->cksum);
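Review bot: The new `_krb5_crypto_set_flags(context, crypto, KRB5_CRYPTO_FLAG_ALLOW_UNKEYED_CHECKSUM)` call before krb5_verify_checksum relaxes the checksum policy for every caller of krb5_verify_authenticator_checksum, and nothing at the call site records why that is acceptable. The property that makes it sound — the cksum being checked lives inside the authenticator, which is itself encrypted under the session key, so an unkeyed checksum over the application data is still bound to the AP-REQ — should be written down here, e.g. `/* The authenticator is encrypted under the session key, so an unkeyed cksum over the app data is still bound to this AP-REQ; allow it. */`. The return value of _krb5_crypto_set_flags is discarded; if it can fail, check it the way the krb5_crypto_init call above is checked. krb5_verify_authenticator_checksum's body continues outside the hunk.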
@@ -307,6 +309,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_auth_context ac;
krb5_error_code ret;
EtypeList etypes;
+ int badaddr = 0;
memset(&etypes, 0, sizeof(etypes));
@@ -348,11 +351,6 @@ krb5_verify_ap_req2(krb5_context context,
ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
- ret = _krb5_principalname2krb5_principal(context,
- &t->client,
- t->ticket.cname,
- t->ticket.crealm);
- if (ret) goto out;
ret = decrypt_authenticator (context,
&t->ticket.key,
@@ -384,6 +382,27 @@ krb5_verify_ap_req2(krb5_context context,
}
}
+ /*
+ * The ticket authenticates the client, and conveys naming attributes that
+ * we want to expose in GSS using RFC6680 APIs.
+ *
+ * So we same the ticket enc-part in the client's krb5_principal object
+ * (note though that the session key will be absent in that copy of the
+ * ticket enc-part).
+ */
+ ret = _krb5_ticket2krb5_principal(context, &t->client, &t->ticket,
+ ac->authenticator->authorization_data);
+ if (ret) goto out;
+
+ t->client->nameattrs->peer_realm =
+ calloc(1, sizeof(t->client->nameattrs->peer_realm[0]));
+ if (t->client->nameattrs->peer_realm == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ ret = copy_Realm(&ap_req->ticket.realm, t->client->nameattrs->peer_realm);
+ if (ret) goto out;
+
/* check addresses */
if (t->ticket.caddr
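Review bot: The new `t->client->nameattrs->peer_realm = calloc(...)` dereferences `t->client->nameattrs` without a NULL check; whether _krb5_ticket2krb5_principal guarantees that nameattrs is allocated cannot be seen here, so either that guarantee belongs in a comment at the call or the assignment needs a guard. The comment above it has a typo: `So we same the ticket enc-part` should read `So we save the ticket enc-part`. With the @@ -348 hunk's removal, `t->client` is no longer filled in before decrypt_authenticator, so the `out:` cleanup (outside the hunk) must tolerate `t->client == NULL` on the earlier failure paths. krb5_verify_ap_req2's body continues outside the hunk.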
@@ -391,9 +410,19 @@ krb5_verify_ap_req2(krb5_context context,
&& !krb5_address_search (context,
ac->remote_address,
t->ticket.caddr)) {
- ret = KRB5KRB_AP_ERR_BADADDR;
- krb5_clear_error_message (context);
- goto out;
+ /*
+ * Hack alert. If KRB5_VERIFY_AP_REQ_IGNORE_ADDRS and the client's
+ * address didn't check out then we'll return KRB5KRB_AP_ERR_BADADDR
+ * even on success, and we'll let the caller figure it out because
+ * `*ticket != NULL' or `*auth_context != NULL'.
+ */
+ if ((flags & KRB5_VERIFY_AP_REQ_IGNORE_ADDRS)) {
+ badaddr = 1;
+ } else {
+ ret = KRB5KRB_AP_ERR_BADADDR;
+ krb5_clear_error_message(context);
+ goto out;
+ }
}
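Review bot: The new KRB5_VERIFY_AP_REQ_IGNORE_ADDRS path makes the function return KRB5KRB_AP_ERR_BADADDR from its success path (the @@ -463 hunk) while `*ticket` and `*auth_context` stay populated, which inverts the usual "non-zero return means the outputs are not yours" contract: a caller that frees nothing on error leaks them, and one that treats the outputs as invalid on error loses the ticket it asked for. Since this is public API, document the obligation on krb5_verify_ap_req2 and next to the KRB5_VERIFY_AP_REQ_IGNORE_ADDRS flag, e.g. `/* With KRB5_VERIFY_AP_REQ_IGNORE_ADDRS an address mismatch is reported as KRB5KRB_AP_ERR_BADADDR only after every other check passed and *ticket / *auth_context are filled in; the caller owns and must free them. */`. The "Hack alert" comment here explains the mechanism but not what the caller has to do. krb5_verify_ap_req2's body continues outside the hunk.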
/* check timestamp in authenticator */
@@ -402,7 +431,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_timeofday (context, &now);
- if (labs(ac->authenticator->ctime - now) > context->max_skew) {
+ if (krb5_time_abs(ac->authenticator->ctime, now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_clear_error_message (context);
goto out;
@@ -445,7 +474,7 @@ krb5_verify_ap_req2(krb5_context context,
if (ap_req_options) {
*ap_req_options = 0;
- if (ac->keytype != (krb5_enctype)ETYPE_NULL)
+ if (ac->keytype != ETYPE_NULL)
*ap_req_options |= AP_OPTS_USE_SUBKEY;
if (ap_req->ap_options.use_session_key)
*ap_req_options |= AP_OPTS_USE_SESSION_KEY;
@@ -463,6 +492,11 @@ krb5_verify_ap_req2(krb5_context context,
} else
krb5_auth_con_free (context, ac);
free_EtypeList(&etypes);
+
+ if (badaddr) {
+ krb5_clear_error_message(context);
+ return KRB5KRB_AP_ERR_BADADDR;
+ }
return 0;
out:
free_EtypeList(&etypes);
@@ -821,7 +855,8 @@ krb5_rd_req_ctx(krb5_context context,
krb5_keytab id = NULL, keytab = NULL;
krb5_principal service = NULL;
- *outctx = NULL;
+ if (outctx)
+ *outctx = NULL;
o = calloc(1, sizeof(*o));
if (o == NULL)
@@ -1002,6 +1037,11 @@ krb5_rd_req_ctx(krb5_context context,
goto out;
}
+ if (krb5_ticket_get_authorization_data_type(context, o->ticket,
+ KRB5_AUTHDATA_KDC_ISSUED,
+ NULL) == 0)
+ o->ticket->client->nameattrs->kdc_issued_verified = 1;
+
/* If there is a PAC, verify its server signature */
if (inctx == NULL || inctx->check_pac) {
krb5_pac pac;
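Review bot: `kdc_issued_verified = 1` is set whenever krb5_ticket_get_authorization_data_type(..., KRB5_AUTHDATA_KDC_ISSUED, NULL) returns 0, which from these lines only establishes that an AD-KDC-ISSUED element was found, while the field name promises that its ad-checksum was verified under the ticket key. If that helper does perform the checksum verification (it presumably does, but it cannot be seen here), say so at the call, e.g. `/* krb5_ticket_get_authorization_data_type() verifies the AD-KDC-ISSUED checksum under the ticket key before returning 0 */`; if it does not, the flag overstates what was checked and consumers of nameattrs could treat unsigned authorization data as KDC-issued. krb5_rd_req_ctx's body continues outside the hunk.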
@@ -1023,17 +1063,36 @@ krb5_rd_req_ctx(krb5_context context,
o->ticket->client,
o->keyblock,
NULL);
- krb5_pac_free(context, pac);
- if (ret)
+ if (ret == 0)
+ o->ticket->client->nameattrs->pac_verified = 1;
+ if (ret == 0 && (context->flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)) {
+ krb5_error_code ret2;
+ krb5_principal canon_name;
+
+ ret2 = _krb5_pac_get_canon_principal(context, pac, &canon_name);
+ if (ret2 == 0) {
+ free_Realm(&o->ticket->client->realm);
+ free_PrincipalName(&o->ticket->client->name);
+ ret = copy_Realm(&canon_name->realm, &o->ticket->client->realm);
+ if (ret == 0)
+ ret = copy_PrincipalName(&canon_name->name, &o->ticket->client->name);
+ krb5_free_principal(context, canon_name);
+ } else if (ret2 != ENOENT)
+ ret = ret2;
+ }
+ if (ret) {
+ krb5_pac_free(context, pac);
goto out;
+ }
+ o->ticket->client->nameattrs->pac = pac;
} else
ret = 0;
}
out:
- if (ret || outctx == NULL) {
+ if (ret || outctx == NULL)
krb5_rd_req_out_ctx_free(context, o);
- } else
+ else
*outctx = o;
free_AP_REQ(&ap_req);
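Review bot: The canonical-name swap at `free_Realm(&o->ticket->client->realm)` / `free_PrincipalName(&o->ticket->client->name)` destroys the ticket's client name before the replacement copies have succeeded, so a copy_Realm or copy_PrincipalName failure leaves `o->ticket->client` half-replaced until the `out:` path frees the whole context; copying into local Realm/PrincipalName values first and swapping only after both copies succeed avoids that intermediate state. Gating the replacement on `ret == 0` from krb5_pac_verify is the important property here — only a PAC whose server signature verified may rename the client — and a one-line comment such as `/* Only trust the PAC's canonical name after krb5_pac_verify() succeeded */` would keep a later reordering from breaking it. krb5_rd_req_ctx's body continues outside the hunk.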
diff --git a/lib/krb5/rd_safe.c b/lib/krb5/rd_safe.c
index cfe1e9829c9c..24ed636d4059 100644
--- a/lib/krb5/rd_safe.c
+++ b/lib/krb5/rd_safe.c
@@ -159,7 +159,7 @@ krb5_rd_safe(krb5_context context,
if (safe.safe_body.timestamp == NULL ||
safe.safe_body.usec == NULL ||
- labs(*safe.safe_body.timestamp - sec) > context->max_skew) {
+ krb5_time_abs(*safe.safe_body.timestamp, sec) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_clear_error_message (context);
goto failure;
diff --git a/lib/krb5/recvauth.c b/lib/krb5/recvauth.c
index 785c4c9c5f1b..656378309db7 100644
--- a/lib/krb5/recvauth.c
+++ b/lib/krb5/recvauth.c
@@ -138,7 +138,7 @@ krb5_recvauth_match_version(krb5_context context,
len = ntohl(len);
if (len != sizeof(her_version)
|| krb5_net_read (context, p_fd, her_version, len) != len
- || strncmp (version, her_version, len)) {
+ || strncmp (version, her_version, len) != 0) {
repl = 1;
krb5_net_write (context, p_fd, &repl, 1);
krb5_clear_error_message (context);
@@ -160,6 +160,11 @@ krb5_recvauth_match_version(krb5_context context,
return KRB5_SENDAUTH_BADAPPLVERS;
}
len = ntohl(len);
+ if (len > 1024 * 1024) {
+ krb5_set_error_message(context, ret = KRB5_SENDAUTH_REJECTED,
+ "AP-REQ too long");
+ return ret;
+ }
her_appl_version = malloc (len);
if (her_appl_version == NULL) {
repl = 2;
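Review bot: The new length check bounds the `her_appl_version = malloc(len)` allocation, but its message `"AP-REQ too long"` names the wrong object: the length being rejected is the peer's application version string, not the AP-REQ. Unlike the neighbouring failure paths (`repl = 1; krb5_net_write(...)` above and `repl = 2;` below), this one returns without sending a reply byte, so consider sending the same rejection byte before returning so the peer learns the outcome. `1024 * 1024` should be a named constant, e.g. `enum { RECVAUTH_MAX_APPL_VERSION_LEN = 1024 * 1024 };`. krb5_recvauth_match_version's body continues outside the hunk.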
diff --git a/lib/krb5/replay.c b/lib/krb5/replay.c
index 6257311676f6..2fec8afd1043 100644
--- a/lib/krb5/replay.c
+++ b/lib/krb5/replay.c
@@ -58,7 +58,7 @@ krb5_rc_resolve_type(krb5_context context,
const char *type)
{
*id = NULL;
- if(strcmp(type, "FILE")) {
+ if (strcmp(type, "FILE") != 0) {
krb5_set_error_message (context, KRB5_RC_TYPE_NOTFOUND,
N_("replay cache type %s not supported", ""),
type);
@@ -82,7 +82,7 @@ krb5_rc_resolve_full(krb5_context context,
*id = NULL;
- if(strncmp(string_name, "FILE:", 5)) {
+ if (strncmp(string_name, "FILE:", 5) != 0) {
krb5_set_error_message(context, KRB5_RC_TYPE_NOTFOUND,
N_("replay cache type %s not supported", ""),
string_name);
@@ -220,8 +220,10 @@ krb5_rc_store(krb5_context context,
}
rk_cloexec_file(f);
count = fread(&tmp, sizeof(ent), 1, f);
- if(count != 1)
+ if (count != 1) {
+ fclose(f);
return KRB5_RC_IO_UNKNOWN;
+ }
t = ent.stamp - tmp.stamp;
while(fread(&tmp, sizeof(ent), 1, f)){
if(tmp.stamp < t)
diff --git a/lib/krb5/salt-aes-sha1.c b/lib/krb5/salt-aes-sha1.c
index edd066df404c..2c556f1cbefa 100644
--- a/lib/krb5/salt-aes-sha1.c
+++ b/lib/krb5/salt-aes-sha1.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-int _krb5_AES_SHA1_string_to_default_iterator = 4096;
+const int _krb5_AES_SHA1_string_to_default_iterator = 4096;
static krb5_error_code
AES_SHA1_string_to_key(krb5_context context,
diff --git a/lib/krb5/salt-aes-sha2.c b/lib/krb5/salt-aes-sha2.c
index bc674bd2dab7..9de1c280f77d 100644
--- a/lib/krb5/salt-aes-sha2.c
+++ b/lib/krb5/salt-aes-sha2.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-int _krb5_AES_SHA2_string_to_default_iterator = 32768;
+const int _krb5_AES_SHA2_string_to_default_iterator = 32768;
static krb5_error_code
AES_SHA2_string_to_key(krb5_context context,
diff --git a/lib/krb5/salt-arcfour.c b/lib/krb5/salt-arcfour.c
index 38aaa25024e6..033128ed803d 100644
--- a/lib/krb5/salt-arcfour.c
+++ b/lib/krb5/salt-arcfour.c
@@ -47,10 +47,8 @@ ARCFOUR_string_to_key(krb5_context context,
EVP_MD_CTX *m;
m = EVP_MD_CTX_create();
- if (m == NULL) {
- ret = krb5_enomem(context);
- goto out;
- }
+ if (m == NULL)
+ return krb5_enomem(context);
EVP_DigestInit_ex(m, EVP_md4(), NULL);
diff --git a/lib/krb5/salt.c b/lib/krb5/salt.c
index a3e850fcb8cf..fa926f3d6c60 100644
--- a/lib/krb5/salt.c
+++ b/lib/krb5/salt.c
@@ -91,6 +91,69 @@ krb5_string_to_salttype (krb5_context context,
return HEIM_ERR_SALTTYPE_NOSUPP;
}
+/*
+ * Like MIT's krb5_string_to_keysalts(), but simpler and with a context
+ * argument.
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_keysalts2(krb5_context context, const char *string,
+ size_t *nksaltp, krb5_key_salt_tuple **ksaltp)
+{
+ /* deleted: tupleseps, ksaltseps, dups */
+ krb5_key_salt_tuple *tmp = NULL;
+ krb5_error_code ret = 0;
+ char *copy, *token, *stype_str;
+ char *lasts = NULL;
+ krb5_enctype etype;
+ krb5_salttype stype;
+ size_t i;
+
+ *ksaltp = NULL;
+ *nksaltp = 0;
+ if ((copy = strdup(string)) == NULL)
+ return krb5_enomem(context);
+ for (token = strtok_r(copy, ", \t", &lasts), ret = 0;
+ token != NULL;
+ token = strtok_r(NULL, ", \t", &lasts)) {
+ if ((stype_str = strchr(token, ':')) != NULL)
+ *(stype_str++) = '\0';
+ if ((ret = krb5_string_to_enctype(context, token, &etype)))
+ continue;
+ if (stype_str == NULL)
+ stype = KRB5_PW_SALT;
+ else if ((ret = krb5_string_to_salttype(context, etype, stype_str, &stype)))
+ continue;
+ for (i = 0; i < *nksaltp; i++) {
+ if ((*ksaltp)[i].ks_enctype == etype &&
+ (*ksaltp)[i].ks_salttype == stype)
+ goto skip;
+ }
+ tmp = realloc(*ksaltp, ((*nksaltp) + 1) * sizeof(**ksaltp));
+ if (tmp == NULL) {
+ ret = krb5_enomem(context);
+ break;
+ }
+ *ksaltp = tmp;
+ (*ksaltp)[*nksaltp].ks_enctype = etype;
+ (*ksaltp)[*nksaltp].ks_salttype = stype;
+ (*nksaltp)++;
+skip:
+ (void)1;
+ }
+ free(copy);
+ if (ret == ENOMEM) {
+ free(*ksaltp);
+ *nksaltp = 0;
+ *ksaltp = NULL;
+ } else if (*nksaltp) {
+ return 0;
+ } else if (ret == 0) {
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ return ret;
+}
+
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_pw_salt(krb5_context context,
krb5_const_principal principal,
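Review bot: krb5_string_to_keysalts2 silently drops tokens whose enctype or salttype is unknown (the `continue` after krb5_string_to_enctype and after krb5_string_to_salttype) and still returns 0 as long as one tuple parsed, so a misspelled entry in an administrator-supplied keysalt list vanishes without diagnosis, and when nothing parsed the error that surfaces is merely the last skipped token's. The header comment should state that contract explicitly: unknown tokens are skipped and an error is returned only when no tuple at all was recognised. The leftover `/* deleted: tupleseps, ksaltseps, dups */` comment should go, and the `skip: (void)1;` label-plus-empty-statement can be replaced by a `found` flag tested after the inner duplicate-search loop.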
@@ -132,7 +195,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key_data (krb5_context context,
krb5_enctype enctype,
krb5_data password,
- krb5_principal principal,
+ krb5_const_principal principal,
krb5_keyblock *key)
{
krb5_error_code ret;
@@ -150,7 +213,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_key (krb5_context context,
krb5_enctype enctype,
const char *password,
- krb5_principal principal,
+ krb5_const_principal principal,
krb5_keyblock *key)
{
krb5_data pw;
diff --git a/lib/krb5/scache.c b/lib/krb5/scache.c
index 61a9b4fa1445..479c58b8ff11 100644
--- a/lib/krb5/scache.c
+++ b/lib/krb5/scache.c
@@ -40,6 +40,7 @@
typedef struct krb5_scache {
char *name;
char *file;
+ char *sub;
sqlite3 *db;
sqlite_uint64 cid;
@@ -60,13 +61,19 @@ typedef struct krb5_scache {
#define SCACHE(X) ((krb5_scache *)(X)->data.data)
+/*
+ * Because we can't control what permissions SQLite3 (if not in-tree) will use,
+ * and we're a library and can't set the umask. We can't even determine the
+ * current umask in a thread-safe way (not easily), and we can't tell if some
+ * other thread might change it. So what we'll do is put the SQLite3-based
+ * ccache file in its own directory so we can create that directory with
+ * mkdir(2) and the correct permissions.
+ */
+
#define SCACHE_DEF_NAME "Default-cache"
-#ifdef KRB5_USE_PATH_TOKENS
-#define KRB5_SCACHE_DB "%{TEMP}/krb5scc_%{uid}"
-#else
-#define KRB5_SCACHE_DB "/tmp/krb5scc_%{uid}"
-#endif
-#define KRB5_SCACHE_NAME "SCC:" SCACHE_DEF_NAME ":" KRB5_SCACHE_DB
+#define KRB5_SCACHE_DIR "%{TEMP}/krb5scc_%{uid}"
+#define KRB5_SCACHE_DB KRB5_SCACHE_DIR "scc"
+#define KRB5_SCACHE_NAME "SCC:" KRB5_SCACHE_DB ":" SCACHE_DEF_NAME
#define SCACHE_INVALID_CID ((sqlite_uint64)-1)
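Review bot: `#define KRB5_SCACHE_DB KRB5_SCACHE_DIR "scc"` concatenates with no path separator, so the default expands to `%{TEMP}/krb5scc_%{uid}scc` — a file directly in %{TEMP}, not a file inside the private directory the block comment above says is the whole point; make_dir() (the @@ -224 hunk) then strips back to %{TEMP}, gets EEXIST and returns 0, and the 0700-directory protection never applies. Unless the %{uid} expansion is expected to end in a separator, this should be `#define KRB5_SCACHE_DB KRB5_SCACHE_DIR "/scc"`. With the file outside a private directory, the later `chmod(f, 0600)` calls are the only thing restricting the cache's permissions, and they run after creation.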
@@ -103,7 +110,8 @@ typedef struct krb5_scache {
#define SQL_UCACHE_PRINCIPAL "UPDATE caches SET principal=? WHERE OID=?"
#define SQL_DCACHE "DELETE FROM caches WHERE OID=?"
#define SQL_SCACHE "SELECT principal,name FROM caches WHERE OID=?"
-#define SQL_SCACHE_NAME "SELECT oid FROM caches WHERE NAME=?"
+#define SQL_SCACHE_NAME "SELECT oid FROM caches WHERE NAME=? OR " \
+ "(PRINCIPAL IS NOT NULL AND PRINCIPAL=?)"
#define SQL_CCREDS "" \
"CREATE TABLE credentials (" \
@@ -153,8 +161,12 @@ free_krb5(void *str)
static void
scc_free(krb5_scache *s)
{
+ if (!s)
+ return;
if (s->file)
free(s->file);
+ if (s->sub)
+ free(s->sub);
if (s->name)
free(s->name);
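Review bot: `if (s->file) free(s->file);` and the new `if (s->sub) free(s->sub);` guard calls that need no guard — free(NULL) is a no-op — so after the new early return the body can simply be `free(s->file); free(s->sub); free(s->name);`. The added `if (!s) return;` is worthwhile because scc_alloc's failure paths now route through scc_free with partially-built objects. scc_free's body continues outside the hunk.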
@@ -224,39 +236,134 @@ exec_stmt(krb5_context context, sqlite3 *db, const char *str,
return 0;
}
+/* See block comment at the top of this file */
static krb5_error_code
-default_db(krb5_context context, sqlite3 **db)
+make_dir(krb5_context context, const char *name)
{
- char *name;
- int ret;
+ krb5_error_code ret = 0;
+ char *s, *p;
+
+ /* We really need a dirname() in roken; lib/krb5/fcache.c has one */
+ if ((s = strdup(name)) == NULL)
+ return krb5_enomem(context);
+ for (p = s + strlen(s); p > s; p--) {
+#ifdef WIN32
+ if (*p != '/' && *p != '\\')
+ continue;
+#else
+ if (*p != '/')
+ continue;
+#endif
+ *p = '\0';
+ break;
+ }
+
+ /* If p == s then DB in current directory -- nothing we can do */
+ if (p > s && mkdir(s, 0700) == -1)
+ ret = errno;
+ free(s);
- ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &name);
+ /* If we created it, we're good, else there's nothing we can do */
+ if (ret == EEXIST)
+ return 0;
if (ret)
- return ret;
+ krb5_set_error_message(context, ret,
+ N_("Error making directory for scache file %s", ""),
+ name);
+ return ret;
+}
- ret = sqlite3_open_v2(name, db, SQLITE_OPEN_READWRITE, NULL);
- free(name);
- if (ret != SQLITE_OK) {
- krb5_clear_error_message(context);
- return ENOENT;
+static krb5_error_code
+default_db(krb5_context context, const char *name, sqlite3 **db, char **file)
+{
+ krb5_error_code ret = 0;
+ char *s = NULL;
+ char *f = NULL;
+
+ if (file)
+ *file = NULL;
+
+ if (name == NULL) {
+ if ((name = krb5_cc_default_name(context))) {
+ if (strncmp(name, "SCC:", sizeof("SCC:") - 1) == 0)
+ name += sizeof("SCC:") - 1;
+ }
+ if (name == NULL) {
+ ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s);
+ if (ret)
+ return ret;
+ name = s;
+ }
+ }
+
+ if (strncmp(name, "SCC:", sizeof("SCC:") - 1) == 0)
+ name += sizeof("SCC:") - 1;
+
+ if ((f = strdup(name)) == NULL) {
+ free(s);
+ return krb5_enomem(context);
}
+ free(s);
+
+ /* Strip off any residue from default name */
+#ifdef WIN32
+ if (f[0] && f[1] == ':' && (s = strrchr(f, ':')) != &f[1])
+ *s = '\0';
+#else
+ if ((s = strrchr(f, ':')))
+ *s = '\0';
+#endif
+
+ ret = make_dir(context, f);
+ if (ret == 0) {
+ int sret;
+
+ sret = sqlite3_open_v2(f, db, SQLITE_OPEN_READWRITE, NULL);
+ if (sret != SQLITE_OK) {
+ if (*db) {
+ krb5_set_error_message(context, ENOENT,
+ N_("Error opening scache file %s: %s (%d)", ""),
+ f, sqlite3_errmsg(*db), sret);
+ sqlite3_close(*db);
+ *db = NULL;
+ } else
+ krb5_set_error_message(context, ENOENT,
+ N_("Error opening scache file %s: %s (%d)", ""),
+ f, sqlite3_errstr(sret), sret);
+ free(f);
+ return ENOENT;
+ }
+ }
+
+#ifndef WIN32
+ /*
+ * Just in case we're using an out-of-tree SQLite3. See block comment at
+ * the top of this file, near KRB5_SCACHE_DIR's definition.
+ */
+ (void) chmod(f, 0600);
+#endif
+
+ if (file)
+ *file = f;
+ else
+ free(f);
#ifdef TRACEME
sqlite3_trace(*db, trace, NULL);
#endif
- return 0;
+ return ret;
}
static krb5_error_code
-get_def_name(krb5_context context, char **str)
+get_def_name(krb5_context context, char *filein, char **str, char **file)
{
krb5_error_code ret;
sqlite3_stmt *stmt;
const char *name;
sqlite3 *db;
- ret = default_db(context, &db);
+ ret = default_db(context, filein, &db, file);
if (ret)
return ret;
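Review bot: make_dir() treats EEXIST from `mkdir(s, 0700)` as success without checking what exists at that name, so a pre-existing `%{TEMP}/krb5scc_%{uid}` that is a symlink, somebody else's directory, or group/world-accessible is accepted and the cache file is placed in it; the comment `/* If we created it, we're good, else there's nothing we can do */` understates this, since the library can refuse to proceed. On the EEXIST path, lstat the name and require a real directory owned by the caller with no group/other bits (non-Windows only, like the chmod blocks), as sketched below. Separately, default_db() still stores `f` through `*file` when make_dir() fails before the sqlite open, so callers that `free(ctx)` on error leak it, and when krb5_cc_default_name() returns a name of another type such as `FILE:...`, the `strrchr(f, ':')` truncation reduces it to `FILE` and sqlite3_open_v2 is attempted on a file of that name in the current directory instead of falling back to KRB5_SCACHE_DB.
```c
    if (p > s && mkdir(s, 0700) == -1)
        ret = errno;
#ifndef WIN32
    if (ret == EEXIST) {
        struct stat st;

        /*
         * Something already exists there.  Only use it if it is a real
         * directory, owned by us, and not accessible to group/other.
         */
        if (lstat(s, &st) == -1)
            ret = errno;
        else if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() ||
                 (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
            ret = EACCES;
        else
            ret = 0;
    }
#endif
    /* … unchanged: free(s), EEXIST shortcut, error message and return … */
```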
@@ -294,10 +401,15 @@ out:
static krb5_scache * KRB5_CALLCONV
-scc_alloc(krb5_context context, const char *name)
+scc_alloc(krb5_context context,
+ const char *name,
+ const char *sub,
+ int new_unique)
{
- krb5_error_code ret;
+ krb5_error_code ret = 0;
krb5_scache *s;
+ char *freeme = NULL;
+ char *subsidiary;
ALLOC(s, 1);
if(s == NULL)
@@ -305,52 +417,105 @@ scc_alloc(krb5_context context, const char *name)
s->cid = SCACHE_INVALID_CID;
- if (name) {
- char *file;
-
- if (*name == '\0') {
- ret = get_def_name(context, &s->name);
- if (ret)
- s->name = strdup(SCACHE_DEF_NAME);
- } else
- s->name = strdup(name);
-
- file = strrchr(s->name, ':');
- if (file) {
- *file++ = '\0';
- s->file = strdup(file);
- ret = 0;
- } else {
- ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s->file);
- }
+ if (name && *name && sub && *sub) {
+ if ((s->sub = strdup(sub)) == NULL ||
+ (s->file = strdup(name)) == NULL) {
+ free(s->file);
+ free(s);
+ (void) krb5_enomem(context);
+ return NULL;
+ }
} else {
- _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB, &s->file);
- ret = asprintf(&s->name, "unique-%p", s);
+ s->sub = NULL;
+ s->file = NULL;
+ s->name = NULL;
+
+ if (name == NULL)
+ name = krb5_cc_default_name(context);
+ if (name == NULL) {
+ ret = _krb5_expand_default_cc_name(context, KRB5_SCACHE_DB,
+ &freeme);
+ if (ret) {
+ free(s);
+ return NULL;
+ }
+ name = freeme;
+ }
+
+ if (strncmp(name, "SCC:", sizeof("SCC:") - 1) == 0)
+ name += sizeof("SCC:") - 1;
+
+ if ((s->file = strdup(name)) == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+
+ if ((subsidiary = strrchr(s->file, ':'))) {
+#ifdef WIN32
+ if (subsidiary == s->file + 1)
+ subsidiary = NULL;
+ else
+#endif
+ *(subsidiary++) = '\0';
+ }
+
+ if (new_unique) {
+ ret = asprintf(&s->sub, "unique-%p", s) < 0 || s->sub == NULL ?
+ krb5_enomem(context) : 0;
+ } else if (subsidiary == NULL || *subsidiary == '\0') {
+ ret = get_def_name(context, s->file, &s->sub, NULL);
+ if (ret) {
+ if ((s->sub = strdup(SCACHE_DEF_NAME)) == NULL)
+ ret = krb5_enomem(context);
+ else
+ ret = 0;
+ }
+ } else if ((s->sub = strdup(subsidiary)) == NULL) {
+ ret = krb5_enomem(context);
+ }
}
- if (ret < 0 || s->file == NULL || s->name == NULL) {
+
+ if (ret == 0 && s->file && s->sub &&
+ (asprintf(&s->name, "%s:%s", s->file, s->sub) < 0 || s->name == NULL))
+ ret = krb5_enomem(context);
+
+ out:
+ if (ret || s->file == NULL || s->sub == NULL || s->name == NULL) {
scc_free(s);
- return NULL;
+ s = NULL;
}
+ free(freeme);
return s;
}
static krb5_error_code
open_database(krb5_context context, krb5_scache *s, int flags)
{
- int ret;
+ krb5_error_code ret;
+ struct stat st;
+ int sret;
- ret = sqlite3_open_v2(s->file, &s->db, SQLITE_OPEN_READWRITE|flags, NULL);
- if (ret) {
+
+ if (!(flags & SQLITE_OPEN_CREATE) && stat(s->file, &st) == 0 &&
+ st.st_size == 0)
+ return ENOENT;
+
+ ret = make_dir(context, s->file);
+ if (ret)
+ return ret;
+ sret = sqlite3_open_v2(s->file, &s->db, SQLITE_OPEN_READWRITE|flags, NULL);
+ if (sret != SQLITE_OK) {
if (s->db) {
krb5_set_error_message(context, ENOENT,
- N_("Error opening scache file %s: %s", ""),
- s->file, sqlite3_errmsg(s->db));
+ N_("Error opening scache file %s: %s (%d)", ""),
+ s->file, sqlite3_errmsg(s->db), sret);
sqlite3_close(s->db);
s->db = NULL;
} else
krb5_set_error_message(context, ENOENT,
- N_("malloc: out of memory", ""));
+ N_("Error opening scache file %s: %s (%d)", ""),
+ s->file, sqlite3_errstr(sret), sret);
return ENOENT;
}
return 0;
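Review bot: In scc_alloc's `name && *name && sub && *sub` branch, when `strdup(sub)` succeeds and `strdup(name)` fails, the cleanup `free(s->file); free(s);` leaks `s->sub`; since scc_free now accepts a partially-built object (NULL check, frees sub), replace those two lines with `scc_free(s);`. That branch also leaves `s->name` to the `asprintf(&s->name, "%s:%s", s->file, s->sub)` below, which works but is worth a comment because the `out:` check treats `s->name == NULL` as failure. In open_database, the new `stat(s->file, &st) == 0 && st.st_size == 0` → ENOENT shortcut needs a comment saying why a zero-length file counts as missing (presumably so that make_database's SQLITE_OPEN_CREATE pass initialises the schema).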
@@ -361,7 +526,7 @@ create_cache(krb5_context context, krb5_scache *s)
{
int ret;
- sqlite3_bind_text(s->icache, 1, s->name, -1, NULL);
+ sqlite3_bind_text(s->icache, 1, s->sub, -1, NULL);
do {
ret = sqlite3_step(s->icache);
} while (ret == SQLITE_ROW);
@@ -388,9 +553,7 @@ make_database(krb5_context context, krb5_scache *s)
ret = open_database(context, s, 0);
if (ret) {
- mode_t oldumask = umask(077);
ret = open_database(context, s, SQLITE_OPEN_CREATE);
- umask(oldumask);
if (ret) goto out;
created_file = 1;
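Review bot: Dropping `umask(077)` around the SQLITE_OPEN_CREATE open means the cache file is now created with whatever mode SQLite's VFS and the process umask yield, and the `chmod(s->file, 0600)` added in the @@ -437 hunk only runs after all the prepare_stmt calls, so there is a window in which the new file can carry wider permissions than intended. The compensating control is the 0700 directory from make_dir(), and that reliance should be stated at the point where the umask handling was removed rather than only in the file-header comment, e.g. `/* No umask() here: a library cannot change it safely; rely on the 0700 directory from make_dir() and the chmod() below. */`. If the file is not actually inside that directory (see the KRB5_SCACHE_DB definition), the window is a real exposure of ticket material. make_database's body continues outside the hunk.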
@@ -437,6 +600,14 @@ make_database(krb5_context context, krb5_scache *s)
ret = prepare_stmt(context, s->db, &s->umaster, SQL_UMASTER);
if (ret) goto out;
+#ifndef WIN32
+ /*
+ * Just in case we're using an out-of-tree SQLite3. See block comment at
+ * the top of this file, near KRB5_SCACHE_DIR's definition.
+ */
+ (void) chmod(s->file, 0600);
+#endif
+
return 0;
out:
@@ -477,20 +648,32 @@ bind_principal(krb5_context context,
*
*/
-static const char* KRB5_CALLCONV
-scc_get_name(krb5_context context,
- krb5_ccache id)
+static krb5_error_code KRB5_CALLCONV
+scc_get_name_2(krb5_context context,
+ krb5_ccache id,
+ const char **name,
+ const char **file,
+ const char **sub)
{
- return SCACHE(id)->name;
+ if (name)
+ *name = SCACHE(id)->name;
+ if (file)
+ *file = SCACHE(id)->file;
+ if (sub)
+ *sub = SCACHE(id)->sub;
+ return 0;
}
static krb5_error_code KRB5_CALLCONV
-scc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+scc_resolve_2(krb5_context context,
+ krb5_ccache *id,
+ const char *res,
+ const char *sub)
{
+ krb5_error_code ret;
krb5_scache *s;
- int ret;
- s = scc_alloc(context, res);
+ s = scc_alloc(context, res, sub, 0);
if (s == NULL) {
krb5_set_error_message(context, KRB5_CC_NOMEM,
N_("malloc: out of memory", ""));
@@ -503,12 +686,12 @@ scc_resolve(krb5_context context, krb5_ccache *id, const char *res)
return ret;
}
- ret = sqlite3_bind_text(s->scache_name, 1, s->name, -1, NULL);
+ ret = sqlite3_bind_text(s->scache_name, 1, s->sub, -1, NULL);
if (ret != SQLITE_OK) {
- krb5_set_error_message(context, ENOMEM,
- "bind name: %s", sqlite3_errmsg(s->db));
- scc_free(s);
- return ENOMEM;
+ krb5_set_error_message(context, ENOMEM,
+ "bind principal: %s", sqlite3_errmsg(s->db));
+ scc_free(s);
+ return ENOMEM;
}
if (sqlite3_step(s->scache_name) == SQLITE_ROW) {
@@ -540,7 +723,7 @@ scc_gen_new(krb5_context context, krb5_ccache *id)
{
krb5_scache *s;
- s = scc_alloc(context, NULL);
+ s = scc_alloc(context, NULL, NULL, 1);
if (s == NULL) {
krb5_set_error_message(context, KRB5_CC_NOMEM,
@@ -557,7 +740,7 @@ scc_gen_new(krb5_context context, krb5_ccache *id)
static krb5_error_code KRB5_CALLCONV
scc_initialize(krb5_context context,
krb5_ccache id,
- krb5_principal primary_principal)
+ krb5_principal principal)
{
krb5_scache *s = SCACHE(id);
krb5_error_code ret;
@@ -589,7 +772,7 @@ scc_initialize(krb5_context context,
}
}
- ret = bind_principal(context, s->db, s->ucachep, 1, primary_principal);
+ ret = bind_principal(context, s->db, s->ucachep, 1, principal);
if (ret)
goto rollback;
sqlite3_bind_int(s->ucachep, 2, s->cid);
@@ -827,8 +1010,8 @@ scc_get_principal(krb5_context context,
if (sqlite3_step(s->scache) != SQLITE_ROW) {
sqlite3_reset(s->scache);
krb5_set_error_message(context, KRB5_CC_END,
- N_("No principal for cache SCC:%s:%s", ""),
- s->name, s->file);
+ N_("No principal for cache SCC:%s", ""),
+ s->name);
return KRB5_CC_END;
}
@@ -836,8 +1019,8 @@ scc_get_principal(krb5_context context,
sqlite3_reset(s->scache);
krb5_set_error_message(context, KRB5_CC_END,
N_("Principal data of wrong type "
- "for SCC:%s:%s", ""),
- s->name, s->file);
+ "for SCC:%s", ""),
+ s->name);
return KRB5_CC_END;
}
@@ -845,8 +1028,8 @@ scc_get_principal(krb5_context context,
if (str == NULL) {
sqlite3_reset(s->scache);
krb5_set_error_message(context, KRB5_CC_END,
- N_("Principal not set for SCC:%s:%s", ""),
- s->name, s->file);
+ N_("Principal not set for SCC:%s", ""),
+ s->name);
return KRB5_CC_END;
}
@@ -1001,8 +1184,8 @@ next:
if (sqlite3_column_type(ctx->credstmt, 0) != SQLITE_BLOB) {
krb5_set_error_message(context, KRB5_CC_END,
- N_("credential of wrong type for SCC:%s:%s", ""),
- s->name, s->file);
+ N_("credential of wrong type for SCC:%s", ""),
+ s->name);
sqlite3_reset(ctx->credstmt);
return KRB5_CC_END;
}
@@ -1079,8 +1262,8 @@ scc_remove_cred(krb5_context context,
ret = KRB5_CC_END;
krb5_set_error_message(context, ret,
N_("Credential of wrong type "
- "for SCC:%s:%s", ""),
- s->name, s->file);
+ "for SCC:%s", ""),
+ s->name);
break;
}
@@ -1102,24 +1285,25 @@ scc_remove_cred(krb5_context context,
sqlite3_finalize(stmt);
- if (id) {
- ret = prepare_stmt(context, s->db, &stmt,
- "DELETE FROM credentials WHERE oid=?");
- if (ret)
- return ret;
- sqlite3_bind_int(stmt, 1, credid);
+ if (ret)
+ return ret;
- do {
- ret = sqlite3_step(stmt);
- } while (ret == SQLITE_ROW);
- sqlite3_finalize(stmt);
- if (ret != SQLITE_DONE) {
- ret = KRB5_CC_IO;
- krb5_set_error_message(context, ret,
- N_("failed to delete scache credental", ""));
- } else
- ret = 0;
- }
+ ret = prepare_stmt(context, s->db, &stmt,
+ "DELETE FROM credentials WHERE oid=?");
+ if (ret)
+ return ret;
+ sqlite3_bind_int(stmt, 1, credid);
+
+ do {
+ ret = sqlite3_step(stmt);
+ } while (ret == SQLITE_ROW);
+ sqlite3_finalize(stmt);
+ if (ret != SQLITE_DONE) {
+ ret = KRB5_CC_IO;
+ krb5_set_error_message(context, ret,
+ N_("failed to delete scache credental", ""));
+ } else
+ ret = 0;
return ret;
}
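Review bot: The rewrite removes the `if (id)` guard around the DELETE, so `sqlite3_bind_int(stmt, 1, credid)` now runs on every call that reaches this point with `ret == 0`; unless the search loop above (outside the hunk) guarantees a non-zero `ret` whenever no matching credential was found, the DELETE executes with `credid`'s initial value. If that guarantee holds, make it explicit after `if (ret) return ret;` with `/* ret == 0 here means the loop above found credid */`. scc_remove_cred's body begins outside the hunk.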
@@ -1134,6 +1318,7 @@ scc_set_flags(krb5_context context,
struct cache_iter {
char *drop;
+ char *file;
sqlite3 *db;
sqlite3_stmt *stmt;
};
@@ -1151,8 +1336,8 @@ scc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
if (ctx == NULL)
return krb5_enomem(context);
- ret = default_db(context, &ctx->db);
- if (ctx->db == NULL) {
+ ret = default_db(context, NULL, &ctx->db, &ctx->file);
+ if (ret) {
free(ctx);
return ret;
}
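Review bot: The error path `free(ctx); return ret;` does not free `ctx->file`, and default_db() (the @@ -224 hunk) still stores `f` through `*file` when make_dir() fails before the sqlite open, so that failure leaks the expanded path; add `free(ctx->file);` before `free(ctx)`, or have default_db() hand back `*file` only when it returns 0. Switching the test from `ctx->db == NULL` to `ret` is right, since default_db() closes and NULLs `*db` on its own sqlite failure. scc_get_cache_first's body continues outside the hunk.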
@@ -1160,48 +1345,48 @@ scc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
ret = asprintf(&name, "cacheIteration%pPid%d",
ctx, (int)getpid());
if (ret < 0 || name == NULL) {
- sqlite3_close(ctx->db);
- free(ctx);
- return krb5_enomem(context);
+ sqlite3_close(ctx->db);
+ free(ctx);
+ return krb5_enomem(context);
}
ret = asprintf(&ctx->drop, "DROP TABLE %s", name);
if (ret < 0 || ctx->drop == NULL) {
- sqlite3_close(ctx->db);
- free(name);
- free(ctx);
- return krb5_enomem(context);
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx);
+ return krb5_enomem(context);
}
ret = asprintf(&str, "CREATE TEMPORARY TABLE %s AS SELECT name FROM caches",
- name);
+ name);
if (ret < 0 || str == NULL) {
- sqlite3_close(ctx->db);
- free(name);
- free(ctx->drop);
- free(ctx);
- return krb5_enomem(context);
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return krb5_enomem(context);
}
ret = exec_stmt(context, ctx->db, str, KRB5_CC_IO);
free(str);
str = NULL;
if (ret) {
- sqlite3_close(ctx->db);
- free(name);
- free(ctx->drop);
- free(ctx);
- return ret;
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return ret;
}
ret = asprintf(&str, "SELECT name FROM %s", name);
if (ret < 0 || str == NULL) {
- exec_stmt(context, ctx->db, ctx->drop, 0);
- sqlite3_close(ctx->db);
- free(name);
- free(ctx->drop);
- free(ctx);
- return krb5_enomem(context);
+ exec_stmt(context, ctx->db, ctx->drop, 0);
+ sqlite3_close(ctx->db);
+ free(name);
+ free(ctx->drop);
+ free(ctx);
+ return krb5_enomem(context);
}
free(name);
@@ -1249,10 +1434,13 @@ again:
goto again;
ret = _krb5_cc_allocate(context, &krb5_scc_ops, id);
- if (ret)
- return ret;
-
- return scc_resolve(context, id, name);
+ if (ret == 0)
+ ret = scc_resolve_2(context, id, ctx->file, name);
+ if (ret) {
+ free(*id);
+ *id = NULL;
+ }
+ return ret;
}
static krb5_error_code KRB5_CALLCONV
@@ -1263,6 +1451,7 @@ scc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
exec_stmt(context, ctx->db, ctx->drop, 0);
sqlite3_finalize(ctx->stmt);
sqlite3_close(ctx->db);
+ free(ctx->file);
free(ctx->drop);
free(ctx);
return 0;
@@ -1276,11 +1465,8 @@ scc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
krb5_error_code ret;
if (strcmp(sfrom->file, sto->file) != 0) {
- krb5_set_error_message(context, KRB5_CC_BADNAME,
- N_("Can't handle cross database "
- "credential move: %s -> %s", ""),
- sfrom->file, sto->file);
- return KRB5_CC_BADNAME;
+ /* Let upstairs handle the move */
+ return EXDEV;
}
ret = make_database(context, sfrom);
@@ -1307,7 +1493,7 @@ scc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
}
}
- sqlite3_bind_text(sfrom->ucachen, 1, sto->name, -1, NULL);
+ sqlite3_bind_text(sfrom->ucachen, 1, sto->sub, -1, NULL);
sqlite3_bind_int(sfrom->ucachen, 2, sfrom->cid);
do {
@@ -1326,34 +1512,19 @@ scc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
ret = exec_stmt(context, sfrom->db, "COMMIT", KRB5_CC_IO);
if (ret) return ret;
- scc_free(sfrom);
-
+ krb5_cc_close(context, from);
return 0;
rollback:
exec_stmt(context, sfrom->db, "ROLLBACK", 0);
- scc_free(sfrom);
-
return KRB5_CC_IO;
}
static krb5_error_code KRB5_CALLCONV
scc_get_default_name(krb5_context context, char **str)
{
- krb5_error_code ret;
- char *name;
-
*str = NULL;
-
- ret = get_def_name(context, &name);
- if (ret)
- return _krb5_expand_default_cc_name(context, KRB5_SCACHE_NAME, str);
-
- ret = asprintf(str, "SCC:%s", name);
- free(name);
- if (ret < 0 || *str == NULL)
- return krb5_enomem(context);
- return 0;
+ return _krb5_expand_default_cc_name(context, KRB5_SCACHE_NAME, str);
}
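Review bot: scc_move now calls `krb5_cc_close(context, from)` on the success path but no longer releases `sfrom` on the `rollback:` path, so ownership of `from` differs by outcome: consumed on success, still the caller's on failure. That is a contract the caller in the generic cache layer (not visible here) has to match, so state it above the function, e.g. `/* On success `from' is closed here; on failure it is left for the caller to close. */`. scc_get_default_name's reduction to a single `_krb5_expand_default_cc_name(context, KRB5_SCACHE_NAME, str)` drops the old get_def_name lookup, so the reported default no longer reflects the default stored in the caches table; a comment saying that is deliberate would help.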
static krb5_error_code KRB5_CALLCONV
@@ -1370,7 +1541,7 @@ scc_set_default(krb5_context context, krb5_ccache id)
return KRB5_CC_IO;
}
- ret = sqlite3_bind_text(s->umaster, 1, s->name, -1, NULL);
+ ret = sqlite3_bind_text(s->umaster, 1, s->sub, -1, NULL);
if (ret) {
sqlite3_reset(s->umaster);
krb5_set_error_message(context, KRB5_CC_IO,
@@ -1398,10 +1569,10 @@ scc_set_default(krb5_context context, krb5_ccache id)
*/
KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops = {
- KRB5_CC_OPS_VERSION,
+ KRB5_CC_OPS_VERSION_5,
"SCC",
- scc_get_name,
- scc_resolve,
+ NULL,
+ NULL,
scc_gen_new,
scc_initialize,
scc_destroy,
@@ -1423,7 +1594,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops = {
scc_set_default,
NULL,
NULL,
- NULL
+ NULL,
+ scc_get_name_2,
+ scc_resolve_2
};
#endif
diff --git a/lib/krb5/send_to_kdc.c b/lib/krb5/send_to_kdc.c
index 104db9e26ee3..bcabdd4a1ceb 100644
--- a/lib/krb5/send_to_kdc.c
+++ b/lib/krb5/send_to_kdc.c
@@ -96,6 +96,17 @@ realmcallback(krb5_context context, const void *plug, void *plugctx, void *userc
ctx->send_data, ctx->receive);
}
+static const char *const send_to_kdc_plugin_deps[] = { "krb5", NULL };
+
+static const struct heim_plugin_data
+send_to_kdc_plugin_data = {
+ "krb5",
+ KRB5_PLUGIN_SEND_TO_KDC,
+ KRB5_PLUGIN_SEND_TO_KDC_VERSION_0,
+ send_to_kdc_plugin_deps,
+ krb5_get_instance
+};
+
static krb5_error_code
kdc_via_plugin(krb5_context context,
krb5_krbhst_info *hi,
@@ -111,8 +122,7 @@ kdc_via_plugin(krb5_context context,
userctx.send_data = send_data;
userctx.receive = receive;
- return _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_SEND_TO_KDC,
- KRB5_PLUGIN_SEND_TO_KDC_VERSION_0, 0,
+ return _krb5_plugin_run_f(context, &send_to_kdc_plugin_data, 0,
&userctx, kdccallback);
}
@@ -131,8 +141,7 @@ realm_via_plugin(krb5_context context,
userctx.send_data = send_data;
userctx.receive = receive;
- return _krb5_plugin_run_f(context, "krb5", KRB5_PLUGIN_SEND_TO_KDC,
- KRB5_PLUGIN_SEND_TO_KDC_VERSION_2, 0,
+ return _krb5_plugin_run_f(context, &send_to_kdc_plugin_data, 0,
&userctx, realmcallback);
}
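Review bot: realm_via_plugin previously asked _krb5_plugin_run_f for KRB5_PLUGIN_SEND_TO_KDC_VERSION_2 plugins while kdc_via_plugin asked for VERSION_0; both now pass the same `send_to_kdc_plugin_data`, which is declared with KRB5_PLUGIN_SEND_TO_KDC_VERSION_0 (the @@ -96 hunk). Unless realmcallback copes with version-0 plugins (it cannot be seen here), the minimum version for the realm path has been lowered; if that is intended, a comment on send_to_kdc_plugin_data saying that the callbacks check the plugin version themselves would document it, otherwise a second plugin_data with VERSION_2 restores the old filter. realm_via_plugin's body begins outside the hunk.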
@@ -142,6 +151,7 @@ struct krb5_sendto_ctx_data {
krb5_sendto_ctx_func func;
void *data;
char *hostname;
+ char *sitename;
krb5_krbhst_handle krbhst;
/* context2 */
@@ -166,12 +176,14 @@ struct krb5_sendto_ctx_data {
unsigned int stid;
};
-static void
+static void KRB5_CALLCONV
dealloc_sendto_ctx(void *ptr)
{
krb5_sendto_ctx ctx = (krb5_sendto_ctx)ptr;
if (ctx->hostname)
free(ctx->hostname);
+ if (ctx->sitename)
+ free(ctx->sitename);
heim_release(ctx->hosts);
heim_release(ctx->krbhst);
}
@@ -228,13 +240,32 @@ krb5_sendto_set_hostname(krb5_context context,
krb5_sendto_ctx ctx,
const char *hostname)
{
- if (ctx->hostname == NULL)
- free(ctx->hostname);
- ctx->hostname = strdup(hostname);
- if (ctx->hostname == NULL) {
- krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ char *newname;
+
+ /*
+ * Handle the case where hostname == ctx->hostname by copying it first, and
+ * disposing of any previous value after.
+ */
+ newname = strdup(hostname);
+ if (newname == NULL)
+ return krb5_enomem(context);
+ free(ctx->hostname);
+ ctx->hostname = newname;
+ return 0;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_sendto_set_sitename(krb5_context context,
+ krb5_sendto_ctx ctx,
+ const char *sitename)
+{
+ char *newname;
+
+ newname = strdup(sitename);
+ if (newname == NULL)
+ return krb5_enomem(context);
+ free(ctx->sitename);
+ ctx->sitename = newname;
return 0;
}
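Review bot: `krb5_sendto_set_sitename` is a new exported function (L50116-50129) that passes `sitename` straight to `strdup` (L50123); `strdup(NULL)` is undefined behaviour, and the same holds for `hostname` at L50108. Decide what NULL means and make it explicit, either `if (sitename == NULL) return EINVAL;` or, if NULL should clear the site, `if (sitename == NULL) { free(ctx->sitename); ctx->sitename = NULL; return 0; }`. The function also lacks the doxygen block its neighbours carry; it should say that the name is copied, that a previous value is released, and that the site is applied to the host lookup via `krb5_krbhst_set_sitename` when the context is first used (visible at L50197-50201).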
@@ -275,7 +306,7 @@ _krb5_kdc_retry(krb5_context context, krb5_sendto_ctx ctx, void *data,
break;
}
case KRB5KDC_ERR_SVC_UNAVAILABLE:
- *action = KRB5_SENDTO_CONTINUE;
+ *action = KRB5_SENDTO_RESET;
break;
}
return 0;
@@ -299,7 +330,7 @@ struct host {
krb5_krbhst_info *hi;
struct addrinfo *ai;
rk_socket_t fd;
- struct host_fun *fun;
+ const struct host_fun *fun;
unsigned int tries;
time_t timeout;
krb5_data data;
@@ -355,7 +386,7 @@ debug_host(krb5_context context, int level, struct host *host, const char *fmt,
}
-static void
+static void HEIM_CALLCONV
deallocate_host(void *ptr)
{
struct host *host = ptr;
@@ -684,19 +715,19 @@ recv_udp(krb5_context context, struct host *host, krb5_data *data)
return 0;
}
-static struct host_fun http_fun = {
+static const struct host_fun http_fun = {
prepare_http,
send_stream,
recv_http,
1
};
-static struct host_fun tcp_fun = {
+static const struct host_fun tcp_fun = {
prepare_tcp,
send_stream,
recv_tcp,
1
};
-static struct host_fun udp_fun = {
+static const struct host_fun udp_fun = {
prepare_udp,
send_udp,
recv_udp,
@@ -1149,7 +1180,7 @@ krb5_sendto_context(krb5_context context,
action = KRB5_SENDTO_INITIAL;
- while (action != KRB5_SENDTO_DONE && action != KRB5_SENDTO_FAILED) {
+ while (1) {
krb5_krbhst_info *hi;
switch (action) {
@@ -1161,7 +1192,7 @@ krb5_sendto_context(krb5_context context,
break;
}
action = KRB5_SENDTO_KRBHST;
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case KRB5_SENDTO_KRBHST:
if (ctx->krbhst == NULL) {
ret = krb5_krbhst_init_flags(context, realm, type,
@@ -1174,12 +1205,16 @@ krb5_sendto_context(krb5_context context,
if (ret)
goto out;
}
-
+ if (ctx->sitename) {
+ ret = krb5_krbhst_set_sitename(context, handle, ctx->sitename);
+ if (ret)
+ goto out;
+ }
} else {
handle = heim_retain(ctx->krbhst);
}
action = KRB5_SENDTO_TIMEOUT;
- /* FALLTHROUGH */
+ HEIM_FALLTHROUGH;
case KRB5_SENDTO_TIMEOUT:
/*
@@ -1251,14 +1286,32 @@ krb5_sendto_context(krb5_context context,
&ctx->response, &action);
if (ret)
goto out;
+
+ /*
+ * If we are not done, ask to continue/reset
+ */
+ switch (action) {
+ case KRB5_SENDTO_DONE:
+ break;
+ case KRB5_SENDTO_RESET:
+ case KRB5_SENDTO_CONTINUE:
+ /* free response to clear it out so we don't loop */
+ krb5_data_free(&ctx->response);
+ break;
+ default:
+ ret = KRB5_KDC_UNREACH;
+ krb5_set_error_message(context, ret,
+ "sendto filter funcation return unsupported state: %d", (int)action);
+ goto out;
+ }
}
break;
case KRB5_SENDTO_FAILED:
ret = KRB5_KDC_UNREACH;
- break;
+ goto out;
case KRB5_SENDTO_DONE:
ret = 0;
- break;
+ goto out;
default:
heim_abort("invalid krb5_sendto_context state");
}
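Review bot: The error text added at L50229 has a typo and a grammar slip: `"sendto filter funcation return unsupported state: %d"` should read `"sendto filter function returned unsupported state: %d"`. Separately, the new inner switch (L50218-50231) lists DONE, RESET and CONTINUE but not `KRB5_SENDTO_FAILED`, which the outer switch does handle (L50234); if a filter can return FAILED (I cannot tell from this hunk), it would now be reported as an "unsupported state" rather than falling through to the `KRB5_KDC_UNREACH` path one iteration later. Adding `case KRB5_SENDTO_FAILED: break;` next to `case KRB5_SENDTO_DONE:` keeps the outer switch as the single place that maps states to return codes. krb5_sendto_context starts and ends outside these hunks.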
diff --git a/lib/krb5/send_to_kdc_plugin.h b/lib/krb5/send_to_kdc_plugin.h
index 0fa43d3aba90..30d6892e536d 100644
--- a/lib/krb5/send_to_kdc_plugin.h
+++ b/lib/krb5/send_to_kdc_plugin.h
@@ -37,6 +37,7 @@
#define HEIMDAL_KRB5_SEND_TO_KDC_PLUGIN_H 1
#include <krb5.h>
+#include <heimbase-svc.h>
#define KRB5_PLUGIN_SEND_TO_KDC "send_to_kdc"
@@ -61,9 +62,7 @@ typedef krb5_error_code
typedef struct krb5plugin_send_to_kdc_ftable {
- int minor_version;
- krb5_error_code (KRB5_CALLCONV *init)(krb5_context, void **);
- void (KRB5_CALLCONV *fini)(void *);
+ HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
krb5plugin_send_to_kdc_func send_to_kdc;
krb5plugin_send_to_realm_func send_to_realm; /* added in version 2 */
} krb5plugin_send_to_kdc_ftable;
diff --git a/lib/krb5/sendauth.c b/lib/krb5/sendauth.c
index 5011c2680892..a2c8aedb8ea7 100644
--- a/lib/krb5/sendauth.c
+++ b/lib/krb5/sendauth.c
@@ -109,6 +109,7 @@ krb5_sendauth(krb5_context context,
ssize_t sret;
krb5_boolean my_ccache = FALSE;
+ memset(&this_cred, 0, sizeof(this_cred));
len = strlen(version) + 1;
net_len = htonl(len);
if (krb5_net_write (context, p_fd, &net_len, 4) != 4
@@ -159,7 +160,6 @@ krb5_sendauth(krb5_context context,
}
client = this_client;
}
- memset(&this_cred, 0, sizeof(this_cred));
this_cred.client = client;
this_cred.server = server;
this_cred.times.endtime = 0;
@@ -185,13 +185,6 @@ krb5_sendauth(krb5_context context,
creds,
&ap_req);
- if (out_creds)
- *out_creds = creds;
- else
- krb5_free_creds(context, creds);
- if(this_client)
- krb5_free_principal(context, this_client);
-
if (ret)
return ret;
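Review bot: The `if (ret) return ret;` at L50292-50293 now returns with `creds` still owned by this function: the block that previously handed `creds` to `out_creds` or freed them before this check (L50285-50288) was removed here and only re-added at the function's tail (L50300-50308). On the `krb5_mk_req_extended` failure path, and on any other early `return` between this hunk and the tail (I would expect several, e.g. after the network writes, but they are outside my view), the credentials obtained from the ccache leak. Either route those returns through the tail (`goto out;` with an `out:` label before L50300) or repeat the release at each one.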
@@ -251,5 +244,14 @@ krb5_sendauth(krb5_context context,
if (rep_result == NULL)
krb5_free_ap_rep_enc_part (context, ignore);
}
- return 0;
+
+ if (out_creds)
+ ret = krb5_copy_creds(context, creds, out_creds);
+
+ this_cred.server = NULL;
+ if (creds == &this_cred)
+ krb5_free_cred_contents(context, creds);
+ else if (creds)
+ krb5_free_creds(context, creds);
+ return ret;
}
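Review bot: The removed `if(this_client) krb5_free_principal(context, this_client);` (L50289-50290) has no counterpart in the new tail at L50300-50308, so unless it is released somewhere outside these hunks the principal looked up into `this_client` now leaks. In the other direction, `this_cred.client` is set to `client` (L50279), which may be the caller's principal rather than `this_client` (L50276 is one branch only); at L50303 only `server` is cleared, so if `creds == &this_cred` is ever true, `krb5_free_cred_contents` at L50305 frees the caller's principal. I would clear both fields before releasing and restore the explicit free: `this_cred.client = NULL; this_cred.server = NULL;` followed, after the `creds` release, by `if (this_client) krb5_free_principal(context, this_client);`.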
diff --git a/lib/krb5/sp800-108-kdf.c b/lib/krb5/sp800-108-kdf.c
index 37e06dec3e84..4a12067c68bd 100755
--- a/lib/krb5/sp800-108-kdf.c
+++ b/lib/krb5/sp800-108-kdf.c
@@ -73,7 +73,10 @@ _krb5_SP800_108_HMAC_KDF(krb5_context context,
unsigned char tmp[4];
size_t len;
- HMAC_Init_ex(&c, kdf_K1->data, kdf_K1->length, md, NULL);
+ if (HMAC_Init_ex(&c, kdf_K1->data, kdf_K1->length, md, NULL) == 0) {
+ HMAC_CTX_cleanup(&c);
+ return krb5_enomem(context);
+ }
_krb5_put_int(tmp, i + 1, 4);
HMAC_Update(&c, tmp, 4);
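Review bot: `return krb5_enomem(context)` at L50320 labels every `HMAC_Init_ex` failure as out‑of‑memory, but the call can also fail for non‑allocation reasons (digest or key setup), so the message a user sees will be misleading in those cases. Returning `KRB5_CRYPTO_INTERNAL` with a message that names the operation, `krb5_set_error_message(context, KRB5_CRYPTO_INTERNAL, "HMAC_Init_ex failed in SP800-108 KDF");`, keeps the error honest while still aborting the derivation. The loop and function around this hunk continue outside my view.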
diff --git a/lib/krb5/store-int.c b/lib/krb5/store-int.c
index 542b99abc089..6fe7eb37fc69 100644
--- a/lib/krb5/store-int.c
+++ b/lib/krb5/store-int.c
@@ -49,7 +49,7 @@ KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
_krb5_get_int64(void *buffer, uint64_t *value, size_t size)
{
unsigned char *p = buffer;
- unsigned long v = 0;
+ uint64_t v = 0;
size_t i;
for (i = 0; i < size; i++)
v = (v << 8) + p[i];
diff --git a/lib/krb5/store.c b/lib/krb5/store.c
index c7355f6861bc..f95fd83aa952 100644
--- a/lib/krb5/store.c
+++ b/lib/krb5/store.c
@@ -39,6 +39,7 @@
#define BYTEORDER_IS_BE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_BE)
#define BYTEORDER_IS_HOST(SP) (BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_HOST) || \
krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER))
+#define BYTEORDER_IS_PACKED(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_PACKED)
/**
* Add the flags on a storage buffer by or-ing in the flags to the buffer.
@@ -299,7 +300,7 @@ krb5_storage_free(krb5_storage *sp)
}
/**
- * Copy the contnent of storage
+ * Copy the content of storage to a krb5_data.
*
* @param sp the storage to copy to a data
* @param data the copied data, free with krb5_data_free()
@@ -328,9 +329,82 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
return ret;
}
if (size) {
+ ssize_t bytes;
+
sp->seek(sp, 0, SEEK_SET);
- sp->fetch(sp, data->data, data->length);
+ bytes = sp->fetch(sp, data->data, data->length);
sp->seek(sp, pos, SEEK_SET);
+
+ /* sp->fetch() really shouldn't fail */
+ if (bytes < 0)
+ return sp->eof_code;
+
+ /* Maybe the underlying file (or whatever) got truncated? */
+ data->length = bytes;
+ }
+ return 0;
+}
+
+static size_t
+pack_int(uint8_t *p, uint64_t val)
+{
+ size_t l = 0;
+
+ if (val < 128) {
+ *p = val;
+ } else {
+ while (val > 0) {
+ *p-- = val % 256;
+ val /= 256;
+ l++;
+ }
+ *p = 0x80 | l;
+ }
+ return l + 1;
+}
+
+static size_t
+unpack_int_length(uint8_t *v)
+{
+ size_t size;
+
+ if (*v < 128)
+ size = 0;
+ else
+ size = *v & 0x7f;
+
+ return size + 1;
+}
+
+static int
+unpack_int(uint8_t *p, size_t len, uint64_t *val, size_t *size)
+{
+ size_t v;
+
+ if (len == 0)
+ return EINVAL;
+ --len;
+ v = *p++;
+ if (v < 128) {
+ *val = v;
+ *size = 1;
+ } else {
+ int e;
+ size_t l;
+ uint64_t tmp;
+
+ if (v == 0x80) {
+ *size = 1;
+ return EINVAL;
+ }
+ v &= 0x7F;
+ if (len < v)
+ return ERANGE;
+ e = der_get_unsigned64(p, v, &tmp, &l);
+ if (e)
+ return ERANGE;
+ *val = tmp;
+ *size = l + 1;
}
return 0;
}
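Review bot: `pack_int` (L50377-50393) writes backwards from `p` (`*p-- = val % 256` at L50386) and so requires `p` to point at the last byte of a buffer with room for up to nine bytes in front of it — a contract the caller at L50455-50457 honours but nothing states. A header comment such as `/* Encodes val into the bytes ending at p, moving downwards; p must be the last byte of a buffer with >= 9 bytes of room. Returns the encoded length. */` would make the later `p = v + sizeof(v) - len` readable. `unpack_int` similarly needs a note that `*size` is set on the success paths and on the `v == 0x80` rejection (L50426) but not on the `ERANGE` returns at L50431 and L50434, and that `len` is the number of bytes available at `p`, not the expected width.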
@@ -341,12 +415,20 @@ krb5_store_int(krb5_storage *sp,
size_t len)
{
int ret;
- unsigned char v[8];
+ uint8_t v[9], *p = v;
- if (len > sizeof(v))
+ if (len > sizeof(value))
return EINVAL;
- _krb5_put_int(v, value, len);
- ret = sp->store(sp, v, len);
+
+ if (BYTEORDER_IS_PACKED(sp)) {
+ uint64_t mask = ~0ULL >> (64 - len * 8);
+ value &= mask;
+ p += sizeof(v) - 1;
+ len = pack_int(p, value);
+ p = v + sizeof(v) - len;
+ } else
+ _krb5_put_int(v, value, len);
+ ret = sp->store(sp, p, len);
if (ret < 0)
return errno;
if ((size_t)ret != len)
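Review bot: In the packed branch of `krb5_store_int`, `~0ULL >> (64 - len * 8)` at L50453 shifts by 64 when `len == 0`, which is undefined behaviour; the preceding guard at L50447 only rejects `len > sizeof(value)`. The visible callers presumably pass `sizeof` of a fixed type, but the guard is cheap and makes the function safe for any `len`: `if (len == 0 || len > sizeof(value)) return EINVAL;`. The `64` also silently assumes `sizeof(value) == 8`; `sizeof(value) * 8 - len * 8` would tie the two together.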
@@ -448,9 +530,32 @@ krb5_ret_int(krb5_storage *sp,
size_t len)
{
int ret;
- unsigned char v[8];
- uint64_t w;
+ unsigned char v[9];
+ uint64_t w = 0;
*value = 0; /* quiets warnings */
+ if (BYTEORDER_IS_PACKED(sp)) {
+ ret = sp->fetch(sp, v, 1);
+ if (ret < 0)
+ return errno;
+ if (ret != 1)
+ return sp->eof_code;
+
+ len = unpack_int_length(v);
+ if (len < 1)
+ return ERANGE;
+ else if (len > 1) {
+ ret = sp->fetch(sp, v + 1, len - 1);
+ if (ret < 0)
+ return errno;
+ if (ret != len - 1)
+ return sp->eof_code;
+ }
+ ret = unpack_int(v, len, &w, &len);
+ if (ret)
+ return ret;
+ *value = w;
+ return 0;
+ }
ret = sp->fetch(sp, v, len);
if (ret < 0)
return errno;
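Review bot: The packed path of `krb5_ret_int` can overflow the stack buffer: `unpack_int_length` returns `(*v & 0x7f) + 1`, i.e. up to 128, but `v` is `unsigned char v[9]` (L50470), and the second fetch at L50484 reads `len - 1` bytes into `v + 1` with only `len < 1` rejected at L50481. A storage blob whose first byte is, say, 0xFF therefore makes the fetch write up to 127 bytes into a 9‑byte array — this reads from whatever storage the caller opened, including on‑disk files, so it must be bounded before the fetch: `if (len < 1 || len > sizeof(v)) return ERANGE;`. Note also that L50480 overwrites the caller's `len`, so the requested width is no longer available to reject a packed value wider than the caller asked for; if that matters, keep the original in a separate local and compare after `unpack_int`.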
@@ -724,10 +829,10 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_int8(krb5_storage *sp,
int8_t *value)
{
- int ret;
+ ssize_t ret;
ret = sp->fetch(sp, value, sizeof(*value));
- if (ret != sizeof(*value))
+ if (ret < 0 || (size_t)ret != sizeof(*value))
return (ret<0)?errno:sp->eof_code;
return 0;
}
@@ -786,6 +891,51 @@ krb5_store_data(krb5_storage *sp,
}
/**
+ * Store a data blob to the storage. The data is stored with an int32 as
+ * length plus the data (not padded). This function only differs from
+ * krb5_store_data() insofar as it takes a void * and a length as parameters.
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ * @param len length of the string to be stored.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_store_datalen(krb5_storage *sp, const void *d, size_t len)
+{
+ krb5_data data;
+ data.length = len;
+ data.data = (void *)d;
+ return krb5_store_data(sp, data);
+}
+
+/**
+ * Store a data blob to the storage. The data is stored without a length.
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ * @param len length of the string to be stored.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_store_bytes(krb5_storage *sp, const void *d, size_t len)
+{
+ ssize_t ssize;
+
+ ssize = krb5_storage_write(sp, d, len);
+ if (ssize != len)
+ return ENOMEM;
+
+ return 0;
+}
+
+/**
* Parse a data from the storage.
*
* @param sp the storage buffer to read from
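Review bot: Both new doxygen blocks document a parameter `s` (L50519, L50539) that does not exist; the functions take `d` (L50527, L50547), so the tags should read `@param d pointer to the bytes to store` and `@param len number of bytes to store`. In `krb5_store_bytes` the failure mapping at L50552-50553 returns `ENOMEM` for any short write, whereas the sibling code in this file distinguishes a negative result (errno) from a short one (`sp->eof_code`, see L50461-50463); mirroring that gives `if (ssize < 0) return errno; if ((size_t)ssize != len) return sp->eof_code;`, and also removes the signed/unsigned comparison in `ssize != len`. In `krb5_store_datalen`, `(void *)d` at L50531 casts away const by hand where the rest of the file uses `rk_UNCONST(d)` (L50592).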
@@ -800,7 +950,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_data(krb5_storage *sp,
krb5_data *data)
{
- int ret;
+ krb5_error_code ret;
int32_t size;
ret = krb5_ret_int32(sp, &size);
@@ -813,8 +963,10 @@ krb5_ret_data(krb5_storage *sp,
if (ret)
return ret;
if (size) {
- ret = sp->fetch(sp, data->data, size);
- if(ret != size) {
+ ssize_t bytes;
+
+ bytes = sp->fetch(sp, data->data, size);
+ if (bytes < 0 || bytes != size) {
krb5_data_free(data);
return (ret < 0)? errno : sp->eof_code;
}
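Review bot: The error mapping at L50581 is now dead on its errno branch: `ret` is the `krb5_error_code` from `krb5_ret_int32`, already known to be zero at this point (L50571-50572), so `(ret < 0) ? errno : sp->eof_code` always yields `sp->eof_code` and a genuine fetch failure is reported as end‑of‑file. The new local is the one that carries the fetch result, so the line should be `return (bytes < 0) ? errno : sp->eof_code;`. krb5_ret_data starts in the previous hunk and ends outside this one.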
@@ -838,6 +990,10 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_string(krb5_storage *sp, const char *s)
{
krb5_data data;
+
+ if (s == NULL)
+ return EINVAL;
+
data.length = strlen(s);
data.data = rk_UNCONST(s);
return krb5_store_data(sp, data);
@@ -861,6 +1017,8 @@ krb5_ret_string(krb5_storage *sp,
{
int ret;
krb5_data data;
+
+ *string = NULL;
ret = krb5_ret_data(sp, &data);
if(ret)
return ret;
@@ -888,9 +1046,13 @@ krb5_ret_string(krb5_storage *sp,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringz(krb5_storage *sp, const char *s)
{
- size_t len = strlen(s) + 1;
+ size_t len;
ssize_t ret;
+ if (s == NULL)
+ return EINVAL;
+
+ len = strlen(s) + 1;
ret = sp->store(sp, s, len);
if(ret < 0)
return ret;
@@ -952,9 +1114,13 @@ krb5_ret_stringz(krb5_storage *sp,
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_stringnl(krb5_storage *sp, const char *s)
{
- size_t len = strlen(s);
+ size_t len;
ssize_t ret;
+ if (s == NULL)
+ return EINVAL;
+
+ len = strlen(s);
ret = sp->store(sp, s, len);
if(ret < 0)
return ret;
@@ -1233,16 +1399,18 @@ krb5_ret_times(krb5_storage *sp, krb5_times *times)
{
int ret;
int32_t tmp;
+
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->authtime = tmp;
- if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->starttime = tmp;
- if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->endtime = tmp;
- if(ret) return ret;
ret = krb5_ret_int32(sp, &tmp);
+ if (ret) return ret;
times->renew_till = tmp;
return ret;
}
@@ -1686,3 +1854,205 @@ cleanup:
}
return ret;
}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_ret_data_at_offset(krb5_storage *sp,
+ size_t offset,
+ size_t length,
+ krb5_data *data)
+{
+ krb5_error_code ret;
+ off_t cur, size;
+
+ krb5_data_zero(data);
+
+ cur = sp->seek(sp, 0, SEEK_CUR);
+ if (cur < 0)
+ return HEIM_ERR_NOT_SEEKABLE;
+
+ size = sp->seek(sp, 0, SEEK_END);
+ if (offset + length > size) {
+ ret = ERANGE;
+ goto cleanup;
+ }
+
+ ret = krb5_data_alloc(data, length);
+ if (ret)
+ goto cleanup;
+
+ if (length) {
+ sp->seek(sp, offset, SEEK_SET);
+
+ size = sp->fetch(sp, data->data, length);
+ if (size < 0 || (size_t)size != length)
+ return sp->eof_code;
+ }
+
+cleanup:
+ sp->seek(sp, cur, SEEK_SET);
+
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_ret_utf8_from_ucs2le_at_offset(krb5_storage *sp,
+ off_t offset,
+ size_t length,
+ char **utf8)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ size_t ucs2len = length / 2;
+ uint16_t *ucs2 = NULL;
+ size_t u8len;
+ unsigned int flags = WIND_RW_LE;
+
+ *utf8 = NULL;
+
+ krb5_data_zero(&data);
+
+ ret = _krb5_ret_data_at_offset(sp, offset, length, &data);
+ if (ret)
+ goto out;
+
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
+ if (ucs2 == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = wind_ucs2read(data.data, data.length, &flags, ucs2, &ucs2len);
+ if (ret)
+ goto out;
+
+ ret = wind_ucs2utf8_length(ucs2, ucs2len, &u8len);
+ if (ret)
+ goto out;
+
+ u8len += 1; /* Add space for NUL */
+
+ *utf8 = malloc(u8len);
+ if (*utf8 == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ ret = wind_ucs2utf8(ucs2, ucs2len, *utf8, &u8len);
+ if (ret)
+ goto out;
+
+out:
+ if (ret && *utf8) {
+ free(*utf8);
+ *utf8 = NULL;
+ }
+ free(ucs2);
+ krb5_data_free(&data);
+
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_store_data_at_offset(krb5_storage *sp,
+ size_t offset,
+ const krb5_data *data)
+{
+ krb5_error_code ret;
+ krb5_ssize_t nbytes;
+ off_t pos;
+
+ if (offset == (size_t)-1) {
+ if (data == NULL || data->data == NULL) {
+ offset = 0;
+ } else {
+ pos = sp->seek(sp, 0, SEEK_CUR);
+ offset = sp->seek(sp, 0, SEEK_END);
+ sp->seek(sp, pos, SEEK_SET);
+
+ if (offset == (size_t)-1)
+ return HEIM_ERR_NOT_SEEKABLE;
+ }
+ }
+
+ if (offset > 0xFFFF)
+ return ERANGE;
+ else if ((offset != 0) != (data && data->data))
+ return EINVAL;
+ else if (data && data->length > 0xFFFF)
+ return ERANGE;
+
+ ret = krb5_store_uint16(sp, data ? (uint16_t)data->length : 0);
+ if (ret == 0)
+ ret = krb5_store_uint16(sp, (uint16_t)offset);
+ if (ret == 0 && offset) {
+ pos = sp->seek(sp, 0, SEEK_CUR);
+ sp->seek(sp, offset, SEEK_SET);
+ nbytes = krb5_storage_write(sp, data->data, data->length);
+ if ((size_t)nbytes != data->length)
+ ret = sp->eof_code;
+ sp->seek(sp, pos, SEEK_SET);
+ }
+
+ return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_store_utf8_as_ucs2le_at_offset(krb5_storage *sp,
+ off_t offset,
+ const char *utf8)
+{
+ krb5_error_code ret;
+ size_t ucs2_len, ucs2le_size;
+ uint16_t *ucs2, *ucs2le;
+ unsigned int flags;
+
+ if (utf8) {
+ ret = wind_utf8ucs2_length(utf8, &ucs2_len);
+ if (ret)
+ return ret;
+
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
+ if (ucs2 == NULL)
+ return ENOMEM;
+
+ ret = wind_utf8ucs2(utf8, ucs2, &ucs2_len);
+ if (ret) {
+ free(ucs2);
+ return ret;
+ }
+
+ ucs2le_size = (ucs2_len + 1) * 2;
+ ucs2le = malloc(ucs2le_size);
+ if (ucs2le == NULL) {
+ free(ucs2);
+ return ENOMEM;
+ }
+
+ flags = WIND_RW_LE;
+ ret = wind_ucs2write(ucs2, ucs2_len, &flags, ucs2le, &ucs2le_size);
+ free(ucs2);
+ if (ret) {
+ free(ucs2le);
+ return ret;
+ }
+
+ ucs2le_size = ucs2_len * 2;
+ } else {
+ ucs2le = NULL;
+ ucs2le_size = 0;
+ offset = 0;
+ }
+
+ {
+ krb5_data data;
+
+ data.data = ucs2le;
+ data.length = ucs2le_size;
+
+ ret = _krb5_store_data_at_offset(sp, offset, &data);
+ }
+
+ free(ucs2le);
+
+ return ret;
+}
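Review bot: In `_krb5_ret_data_at_offset` the short‑read path at L50687-50688 returns `sp->eof_code` directly, skipping the `cleanup:` seek back to `cur` and leaking the buffer just obtained from `krb5_data_alloc`, so the caller is left with a moved stream position and a `data` it believes is empty. The `SEEK_END` result at L50673 is never checked, and `offset + length > size` compares an unsigned sum that can wrap against a signed `off_t`. The rewrite below routes the short read through `cleanup`, checks the seek, and bounds `offset` and `length` without overflow. The other three helpers in this hunk are new exported functions without doc comments; `_krb5_store_data_at_offset` in particular should document its `offset == (size_t)-1` append‑at‑end sentinel (L50764-50775) and the two `uint16` length/offset fields it writes first (L50784-50786), and `_krb5_ret_utf8_from_ucs2le_at_offset` that an odd `length` silently drops the trailing byte (L50705).
```c
    size = sp->seek(sp, 0, SEEK_END);
    if (size < 0) {
        ret = HEIM_ERR_NOT_SEEKABLE;
        goto cleanup;
    }
    if (length > (size_t)size || offset > (size_t)size - length) {
        ret = ERANGE;
        goto cleanup;
    }
    /* … unchanged: krb5_data_alloc … */
    if (length) {
        sp->seek(sp, offset, SEEK_SET);

        size = sp->fetch(sp, data->data, length);
        if (size < 0 || (size_t)size != length) {
            ret = sp->eof_code;
            krb5_data_free(data);
            goto cleanup;
        }
    }
```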
diff --git a/lib/krb5/store_emem.c b/lib/krb5/store_emem.c
index 985aba9d1272..daef4d793e03 100644
--- a/lib/krb5/store_emem.c
+++ b/lib/krb5/store_emem.c
@@ -33,6 +33,7 @@
#include "krb5_locl.h"
#include "store-int.h"
+#include <assert.h>
typedef struct emem_storage{
unsigned char *base;
@@ -45,6 +46,9 @@ static ssize_t
emem_fetch(krb5_storage *sp, void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
+
+ assert(data != NULL && s->ptr != NULL);
+
if((size_t)(s->base + s->len - s->ptr) < size)
size = s->base + s->len - s->ptr;
memmove(data, s->ptr, size);
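Review bot: `emem_fetch` now asserts `data != NULL && s->ptr != NULL` (L50874) but, unlike `emem_store` in the next hunk, has no `size == 0` early exit (L50886-50889); a zero‑length fetch with a NULL destination therefore aborts in debug builds and, with `NDEBUG`, reaches `memmove(NULL, …, 0)`, which is still undefined behaviour even for zero bytes. Mirror the store side: `if (size == 0) return 0;` before the assert. Also worth noting that these checks vanish under `NDEBUG`, so they document expectations rather than enforce them; if callers can violate them, a real check with an error return is needed.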
@@ -55,7 +59,17 @@ emem_fetch(krb5_storage *sp, void *data, size_t size)
static ssize_t
emem_store(krb5_storage *sp, const void *data, size_t size)
{
- emem_storage *s = (emem_storage*)sp->data;
+ emem_storage *s;
+
+ if (size == 0) {
+ sp->seek(sp, 0, SEEK_CUR);
+ return 0;
+ }
+
+ s = (emem_storage*)sp->data;
+
+ assert(data != NULL);
+
if(size > (size_t)(s->base + s->size - s->ptr)){
void *base;
size_t sz, off;
@@ -112,10 +126,17 @@ emem_trunc(krb5_storage *sp, off_t offset)
* shrunk more then half of the current size, adjust buffer.
*/
if (offset == 0) {
- free(s->base);
- s->size = 0;
- s->base = NULL;
- s->ptr = NULL;
+ if (s->size > 1024) {
+ void *base;
+
+ base = realloc(s->base, 1024);
+ if (base) {
+ s->base = base;
+ s->size = 1024;
+ }
+ }
+ s->len = 0;
+ s->ptr = s->base;
} else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) {
void *base;
size_t off;
@@ -140,7 +161,10 @@ static void
emem_free(krb5_storage *sp)
{
emem_storage *s = sp->data;
- memset(s->base, 0, s->len);
+
+ assert(s->base != NULL);
+
+ memset_s(s->base, s->len, 0, s->len);
free(s->base);
}
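Review bot: `memset_s(s->base, s->len, 0, s->len)` at L50928 scrubs only the `len` bytes currently counted as in use, not the `size` bytes allocated, and the reworked `emem_trunc` in the previous hunk now keeps the buffer on truncate‑to‑zero, setting `s->len = 0` while the old contents stay in place (L50915-50916). Anything serialised into the buffer before such a truncate is therefore handed back to the allocator unscrubbed by `emem_free`; `memset_s(s->base, s->size, 0, s->size);` covers the whole allocation. The `realloc` at L50909 has the same property when it relocates the block — the previous allocation is released without being cleared — which is worth a comment if it is accepted, or a `malloc`/`memset_s`/`free` sequence if it is not.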
@@ -179,7 +203,7 @@ krb5_storage_emem(void)
sp->flags = 0;
sp->eof_code = HEIM_ERR_EOF;
s->size = 1024;
- s->base = malloc(s->size);
+ s->base = calloc(1, s->size);
if (s->base == NULL) {
free(sp);
free(s);
@@ -193,6 +217,6 @@ krb5_storage_emem(void)
sp->trunc = emem_trunc;
sp->fsync = NULL;
sp->free = emem_free;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_fd.c b/lib/krb5/store_fd.c
index ead18be67aa2..9184e593ab68 100644
--- a/lib/krb5/store_fd.c
+++ b/lib/krb5/store_fd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -53,8 +53,10 @@ fd_fetch(krb5_storage * sp, void *data, size_t size)
if (count < 0) {
if (errno == EINTR)
continue;
- else
+ else if (rem == size)
return count;
+ else
+ return size - rem;
} else if (count == 0) {
return count;
}
@@ -78,7 +80,7 @@ fd_store(krb5_storage * sp, const void *data, size_t size)
if (errno == EINTR)
continue;
else
- return count;
+ return size - rem;
}
cbuf += count;
rem -= count;
@@ -95,8 +97,21 @@ fd_seek(krb5_storage * sp, off_t offset, int whence)
static int
fd_trunc(krb5_storage * sp, off_t offset)
{
+ off_t tmpoff;
+
if (ftruncate(FD(sp), offset) == -1)
return errno;
+
+ tmpoff = lseek(FD(sp), 0, SEEK_CUR);
+ if (tmpoff == -1)
+ return errno;
+
+ if (tmpoff > offset) {
+ tmpoff = lseek(FD(sp), offset, SEEK_SET);
+ if (tmpoff == -1)
+ return errno;
+ }
+
return 0;
}
@@ -180,6 +195,6 @@ krb5_storage_from_fd(int fd_in)
sp->trunc = fd_trunc;
sp->fsync = fd_sync;
sp->free = fd_free;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_mem.c b/lib/krb5/store_mem.c
index ff2a570ca62c..638c341a64ff 100644
--- a/lib/krb5/store_mem.c
+++ b/lib/krb5/store_mem.c
@@ -147,7 +147,7 @@ krb5_storage_from_mem(void *buf, size_t len)
sp->trunc = mem_trunc;
sp->fsync = NULL;
sp->free = NULL;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
@@ -207,6 +207,6 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len)
sp->trunc = mem_no_trunc;
sp->fsync = NULL;
sp->free = NULL;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_sock.c b/lib/krb5/store_sock.c
index f7dc2256d729..72d3e9d22bd2 100644
--- a/lib/krb5/store_sock.c
+++ b/lib/krb5/store_sock.c
@@ -82,10 +82,13 @@ static void
socket_free(krb5_storage * sp)
{
int save_errno = errno;
- if (rk_IS_SOCKET_ERROR(rk_closesocket(SOCK(sp))))
+ if (rk_IS_SOCKET_ERROR(rk_closesocket(SOCK(sp)))) {
+#ifdef WIN32
errno = rk_SOCK_ERRNO;
- else
+#endif
+ } else {
errno = save_errno;
+ }
}
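Review bot: The new guard at L51039 tests `#ifdef WIN32` while the same file tests `#ifdef _WIN32` at L51049; `_WIN32` is the macro the compiler predefines, and if only that one is defined in a given build the `errno = rk_SOCK_ERRNO` assignment is compiled out and errno is left as whatever `rk_closesocket` set. Use a single spelling, `#ifdef _WIN32`, in both places. A short comment on the empty non‑Windows branch would also help, since leaving errno untouched there looks accidental: `/* POSIX close() already set errno */`.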
/**
@@ -112,6 +115,7 @@ krb5_storage_from_socket(krb5_socket_t sock_in)
#ifdef _WIN32
WSAPROTOCOL_INFO info;
+ sock = rk_INVALID_SOCKET;
if (WSADuplicateSocket(sock_in, GetCurrentProcessId(), &info) == 0)
{
@@ -154,6 +158,6 @@ krb5_storage_from_socket(krb5_socket_t sock_in)
sp->trunc = socket_trunc;
sp->fsync = socket_sync;
sp->free = socket_free;
- sp->max_alloc = UINT_MAX/8;
+ sp->max_alloc = UINT32_MAX/64;
return sp;
}
diff --git a/lib/krb5/store_stdio.c b/lib/krb5/store_stdio.c
new file mode 100644
index 000000000000..9244b9e7f5fa
--- /dev/null
+++ b/lib/krb5/store_stdio.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (c) 2017 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+#include "store-int.h"
+
+#ifndef HAVE_FSEEKO
+#define fseeko fseek
+#define ftello ftell
+#endif
+
+typedef struct stdio_storage {
+ FILE *f;
+ off_t pos;
+} stdio_storage;
+
+#define F(S) (((stdio_storage*)(S)->data)->f)
+#define POS(S) (((stdio_storage*)(S)->data)->pos)
+
+static ssize_t
+stdio_fetch(krb5_storage * sp, void *data, size_t size)
+{
+ char *cbuf = (char *)data;
+ ssize_t count;
+ size_t rem = size;
+
+ /* similar pattern to net_read() to support pipes */
+ while (rem > 0) {
+ count = fread(cbuf, 1, rem, F(sp));
+ if (count < 0) {
+ POS(sp) = -1;
+ if (errno == EINTR)
+ continue;
+ else
+ return count;
+ } else if (count == 0) {
+ if (POS(sp) >= 0)
+ POS(sp) += size - rem;
+ return size - rem;
+ }
+ cbuf += count;
+ rem -= count;
+ }
+ if (POS(sp) >= 0)
+ POS(sp) += size;
+ return size;
+}
+
+static ssize_t
+stdio_store(krb5_storage * sp, const void *data, size_t size)
+{
+ const char *cbuf = (const char *)data;
+ ssize_t count;
+ size_t rem = size;
+
+ /*
+ * It's possible we just went from reading to writing if the file was open
+ * for both. Per C99 (N869 final draft) section 7.18.5.3, point 6, when
+ * going from reading to writing [a file opened for both] one must seek.
+ */
+ (void) fseeko(F(sp), 0, SEEK_CUR);
+
+ /* similar pattern to net_write() to support pipes */
+ while (rem > 0) {
+ count = fwrite(cbuf, 1, rem, F(sp));
+ if (count < 0) {
+ if (errno == EINTR)
+ continue;
+ /*
+ * What does it mean to have a short write when using stdio?
+ *
+ * It can't mean much. After all stdio is buffering, so
+ * earlier writes that appeared complete may have failed,
+ * and so we don't know how much we really failed to write.
+ */
+ POS(sp) = -1;
+ return -1;
+ }
+ if (count == 0) {
+ POS(sp) = -1;
+ return -1;
+ }
+ cbuf += count;
+ rem -= count;
+ }
+ if (POS(sp) >= 0)
+ POS(sp) += size;
+ return size;
+}
+
+static off_t
+stdio_seek(krb5_storage * sp, off_t offset, int whence)
+{
+ int save_errno = errno;
+
+ if (whence == SEEK_SET && POS(sp) == offset)
+ return POS(sp);
+
+ if (whence == SEEK_CUR && POS(sp) >= 0 && offset == 0)
+ return POS(sp);
+
+ if (fseeko(F(sp), offset, whence) != 0)
+ return -1;
+ errno = save_errno;
+ return POS(sp) = ftello(F(sp));
+}
+
+static int
+stdio_trunc(krb5_storage * sp, off_t offset)
+{
+ off_t tmpoff;
+ int save_errno = errno;
+
+ if (fflush(F(sp)) == EOF)
+ return errno;
+ tmpoff = ftello(F(sp));
+ if (tmpoff < 0)
+ return errno;
+ if (tmpoff > offset)
+ tmpoff = offset;
+ if (ftruncate(fileno(F(sp)), offset) == -1)
+ return errno;
+ if (fseeko(F(sp), 0, SEEK_END) == -1)
+ return errno;
+ if (fseeko(F(sp), tmpoff, SEEK_SET) == -1)
+ return errno;
+ errno = save_errno;
+ POS(sp) = tmpoff;
+ return 0;
+}
+
+static int
+stdio_sync(krb5_storage * sp)
+{
+ if (fflush(F(sp)) == EOF)
+ return errno;
+ if (fsync(fileno(F(sp))) == -1)
+ return errno;
+ return 0;
+}
+
+static void
+stdio_free(krb5_storage * sp)
+{
+ int save_errno = errno;
+
+ if (F(sp) != NULL && fclose(F(sp)) == 0)
+ errno = save_errno;
+ F(sp) = NULL;
+}
+
+/**
+ * Open a krb5_storage using stdio for buffering.
+ *
+ * @return A krb5_storage on success, or NULL on out of memory error.
+ *
+ * @ingroup krb5_storage
+ *
+ * @sa krb5_storage_emem()
+ * @sa krb5_storage_from_fd()
+ * @sa krb5_storage_from_mem()
+ * @sa krb5_storage_from_readonly_mem()
+ * @sa krb5_storage_from_data()
+ * @sa krb5_storage_from_socket()
+ */
+
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
+krb5_storage_stdio_from_fd(int fd_in, const char *mode)
+{
+ krb5_storage *sp;
+ off_t off;
+ FILE *f;
+ int saved_errno = errno;
+ int fd;
+
+ off = lseek(fd_in, 0, SEEK_CUR);
+ if (off == -1)
+ return NULL;
+
+#ifdef _MSC_VER
+ /*
+ * This function used to try to pass the input to
+ * _get_osfhandle() to test if the value is a HANDLE
+ * but this doesn't work because doing so throws an
+ * exception that will result in Watson being triggered
+ * to file a Windows Error Report.
+ */
+ fd = _dup(fd_in);
+#else
+ fd = dup(fd_in);
+#endif
+
+ if (fd < 0)
+ return NULL;
+
+ f = fdopen(fd, mode);
+ if (f == NULL) {
+ (void) close(fd);
+ return NULL;
+ }
+
+ errno = saved_errno;
+
+ if (fseeko(f, off, SEEK_SET) == -1) {
+ saved_errno = errno;
+ (void) fclose(f);
+ errno = saved_errno;
+ return NULL;
+ }
+
+ errno = ENOMEM;
+ sp = malloc(sizeof(krb5_storage));
+ if (sp == NULL) {
+ saved_errno = errno;
+ (void) fclose(f);
+ errno = saved_errno;
+ return NULL;
+ }
+
+ errno = ENOMEM;
+ sp->data = malloc(sizeof(stdio_storage));
+ if (sp->data == NULL) {
+ saved_errno = errno;
+ (void) fclose(f);
+ free(sp);
+ errno = saved_errno;
+ return NULL;
+ }
+ sp->flags = 0;
+ sp->eof_code = HEIM_ERR_EOF;
+ F(sp) = f;
+ POS(sp) = off;
+ sp->fetch = stdio_fetch;
+ sp->store = stdio_store;
+ sp->seek = stdio_seek;
+ sp->trunc = stdio_trunc;
+ sp->fsync = stdio_sync;
+ sp->free = stdio_free;
+ sp->max_alloc = UINT32_MAX/64;
+ return sp;
+}
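Review bot: `fread` and `fwrite` return `size_t`, so the `count < 0` tests at L51127 and L51163 can never be true and the `EINTR` retries are unreachable; a read error surfaces as `count == 0` and is reported as a short read / end‑of‑file rather than as a failure, and the cached position is then advanced as if the read succeeded (L51134-51135). In the `count == 0` branch of `stdio_fetch` check the stream first, `if (ferror(F(sp))) { POS(sp) = -1; return -1; }`, and drop the dead negative branches (or keep `count` as `size_t`). The doxygen block for `krb5_storage_stdio_from_fd` (L51249-51262) should also gain `@param fd_in` and `@param mode`, and say that the descriptor is duplicated (L51285, L51287) so the caller still owns and closes `fd_in`, and that the new stream is positioned at `fd_in`'s current offset (L51273, L51301).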
diff --git a/lib/krb5/test_acl.c b/lib/krb5/test_acl.c
index 9e27c0408643..a11ff3f8a97c 100644
--- a/lib/krb5/test_acl.c
+++ b/lib/krb5/test_acl.c
@@ -37,7 +37,7 @@
do { if (r != e) krb5_errx(c, 1, "%s", s); } while (0)
#define STRINGMATCH(c, s, _s1, _s2) \
do { \
- if (_s1 == NULL || _s2 == NULL) \
+ if (_s1 == NULL) \
krb5_errx(c, 1, "s1 or s2 is NULL"); \
if (strcmp(_s1,_s2) != 0) \
krb5_errx(c, 1, "%s", s); \
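Review bot: `STRINGMATCH` now checks only `_s1` (L51348) while the message on the next line still says "s1 or s2 is NULL" and the `strcmp` at L51350 still dereferences `_s2`. If `_s2` is always a string literal at the call sites — which I assume is why the comparison was dropped — change the text to `krb5_errx(c, 1, "s1 is NULL");` so it matches what is tested; otherwise the second check should stay.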
diff --git a/lib/krb5/test_alname.c b/lib/krb5/test_alname.c
index 120143e51e7b..36775adef1b4 100644
--- a/lib/krb5/test_alname.c
+++ b/lib/krb5/test_alname.c
@@ -81,8 +81,8 @@ test_alname(krb5_context context, krb5_const_realm realm,
}
krb5_err(context, 1, ret, "krb5_aname_to_localname: %s -> %s",
princ, localuser);
- free(princ);
}
+ free(princ);
if (strcmp(localname, localuser) != 0) {
if (ok)
diff --git a/lib/krb5/test_ap-req.c b/lib/krb5/test_ap-req.c
index dcdddb814981..0fd107833976 100644
--- a/lib/krb5/test_ap-req.c
+++ b/lib/krb5/test_ap-req.c
@@ -39,7 +39,7 @@
#include <getarg.h>
#include <roken.h>
-static int verify_pac = 0;
+static int verify_pac = 1;
static int server_any = 0;
static int version_flag = 0;
static int help_flag = 0;
@@ -153,6 +153,7 @@ test_ap(krb5_context context,
krb5_err(context, 1, ret, "pac parse");
krb5_pac_free(context, pac);
+ krb5_data_free(&data);
}
krb5_free_ticket(context, ticket);
diff --git a/lib/krb5/test_cc.c b/lib/krb5/test_cc.c
index fa7ee37dde6b..0ca582eaaca6 100644
--- a/lib/krb5/test_cc.c
+++ b/lib/krb5/test_cc.c
@@ -30,26 +30,132 @@
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/*
+ * If this test fails with
+ *
+ * krb5_cc_gen_new: KEYRING: Key has been revoked
+ *
+ * then run
+ *
+ * keyctl new_session
+ */
+
#include "krb5_locl.h"
#include <getarg.h>
#include <err.h>
+#ifdef HAVE_KEYUTILS_H
+#include <keyutils.h>
+#endif
+
+static const char *unlink_this;
+static const char *unlink_this2;
+static char *tmpdir;
static int debug_flag = 0;
static int version_flag = 0;
static int help_flag = 0;
-#ifdef KRB5_USE_PATH_TOKENS
-#define TEST_CC_NAME "%{TEMP}/krb5-cc-test-foo"
-#else
-#define TEST_CC_NAME "/tmp/krb5-cc-test-foo"
-#endif
+#define TEST_CC_TEMPLATE "%{TEMP}/krb5-cc-test-XXXXXX"
+
+static void
+cleanup(void)
+{
+ char *s = NULL;
+
+ if (asprintf(&s, "%s/cc", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/scc", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol/foobar+lha@H5L.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol/foobar+lha@SU.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol/foobar", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/cccol", tmpdir) > -1 && s != NULL)
+ rmdir(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/tkt.lha@H5L.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/tkt.lha@SU.SE", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/tkt", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc/primary", tmpdir) > -1 && s != NULL)
+ unlink(s);
+ free(s);
+
+ if (asprintf(&s, "%s/dcc", tmpdir) > -1 && s != NULL)
+ rmdir(s);
+ free(s);
+
+ if (unlink_this)
+ unlink(unlink_this);
+ unlink_this = NULL;
+ if (unlink_this2)
+ unlink(unlink_this2);
+ unlink_this2 = NULL;
+
+ rmdir(tmpdir);
+}
+
+static void
+make_dir(krb5_context context)
+{
+ krb5_error_code ret;
+ char *template = NULL;
+ char *dcc = NULL;
+
+ ret = _krb5_expand_path_tokens(context, TEST_CC_TEMPLATE, 1, &template);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_expand_path_tokens(%s) failed",
+ TEST_CC_TEMPLATE);
+ if ((tmpdir = mkdtemp(template)) == NULL)
+ krb5_err(context, 1, errno, "mkdtemp(%s) failed", template);
+ if (asprintf(&dcc, "%s/dcc", tmpdir) == -1 || dcc == NULL)
+ krb5_err(context, 1, errno, "asprintf failed");
+ free(dcc);
+ atexit(cleanup);
+}
static void
test_default_name(krb5_context context)
{
krb5_error_code ret;
- const char *p, *test_cc_name = TEST_CC_NAME;
- char *p1, *p2, *p3;
+ const char *p;
+ char *test_cc_name = NULL;
+ const char *p3;
+ char *p1, *p2;
+ char *exp_test_cc_name;
+
+ if (asprintf(&test_cc_name, "%s/cc", tmpdir) == -1 || test_cc_name == NULL)
+ krb5_err(context, 1, errno, "out of memory");
+
+ /* Convert slashes to backslashes */
+ ret = _krb5_expand_path_tokens(context, test_cc_name, 1,
+ &exp_test_cc_name);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_expand_path_tokens(%s) failed",
+ test_cc_name);
+ free(test_cc_name);
+ test_cc_name = NULL;
p = krb5_cc_default_name(context);
if (p == NULL)
@@ -58,7 +164,7 @@ test_default_name(krb5_context context)
ret = krb5_cc_set_default_name(context, NULL);
if (ret)
- krb5_errx (context, 1, "krb5_cc_set_default_name failed");
+ krb5_err(context, 1, ret, "krb5_cc_set_default_name(NULL) failed");
p = krb5_cc_default_name(context);
if (p == NULL)
@@ -68,26 +174,35 @@ test_default_name(krb5_context context)
if (strcmp(p1, p2) != 0)
krb5_errx (context, 1, "krb5_cc_default_name no longer same");
- ret = krb5_cc_set_default_name(context, test_cc_name);
+ ret = krb5_cc_set_default_name(context, exp_test_cc_name);
if (ret)
- krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
+ krb5_err(context, 1, ret, "krb5_cc_set_default_name(%s) failed",
+ exp_test_cc_name);
p = krb5_cc_default_name(context);
if (p == NULL)
krb5_errx (context, 1, "krb5_cc_default_name 2 failed");
- p3 = estrdup(p);
-
-#ifndef KRB5_USE_PATH_TOKENS
- /* If we are using path tokens, we don't expect the p3 and
- test_cc_name to match since p3 is going to have expanded
- tokens. */
- if (strcmp(p3, test_cc_name) != 0)
- krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
+
+ if (strncmp(p, "FILE:", sizeof("FILE:") - 1) == 0)
+ p3 = p + sizeof("FILE:") - 1;
+ else
+ p3 = p;
+
+ if (strcmp(exp_test_cc_name, p3) != 0) {
+#ifdef WIN32
+ krb5_warnx(context, 1,
+ "krb5_cc_default_name() returned %s; expected %s",
+ p, exp_test_cc_name);
+#else
+ krb5_errx(context, 1,
+ "krb5_cc_default_name() returned %s; expected %s",
+ p, exp_test_cc_name);
#endif
+ }
+ free(exp_test_cc_name);
free(p1);
free(p2);
- free(p3);
}
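Review bot: The WIN32 branch of the new mismatch check passes `1` where krb5_warnx() expects its format string (`krb5_warnx(context, 1, "krb5_cc_default_name() ...")`); krb5_warnx takes (context, fmt, ...), so this is a type mismatch that only a Windows build will notice, and it will print garbage or crash instead of the intended warning. The call should read `krb5_warnx(context, "krb5_cc_default_name() returned %s; expected %s", p, exp_test_cc_name);`. A short comment on why Windows only warns would help too, e.g. `/* On Windows the default name is canonicalized, so only warn */` — that reason is my inference, please confirm. test_default_name() begins above this hunk.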
/*
@@ -181,6 +296,8 @@ test_init_vs_destroy(krb5_context context, const char *type)
krb5_cc_get_name(context, id)) < 0 || n == NULL)
errx(1, "malloc");
+ if (strcmp(krb5_cc_get_type(context, id), "FILE") == 0)
+ unlink_this = krb5_cc_get_name(context, id);
ret = krb5_cc_resolve(context, n, &id2);
free(n);
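Review bot: `unlink_this = krb5_cc_get_name(context, id)` stores a pointer into storage owned by `id`, and cleanup() (registered with atexit) later calls unlink() on it; that is safe only while `id` is still open, so the pointer must be reset before `id` is closed, not just after `id2` is destroyed as the later hunk does. A comment at the assignment would make the contract visible: `/* Aliases id's name buffer: reset before id is closed, or cleanup() reads freed memory */`. If the caller can close `id` on an error path before the reset, an owned copy (strdup) freed in cleanup() would be more robust. test_init_vs_destroy() starts and ends outside this hunk.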
@@ -198,6 +315,7 @@ test_init_vs_destroy(krb5_context context, const char *type)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
+ unlink_this = NULL;
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
}
@@ -208,7 +326,7 @@ test_cache_remove(krb5_context context, const char *type)
krb5_error_code ret;
krb5_ccache id;
krb5_principal p;
- krb5_creds cred;
+ krb5_creds cred, found;
ret = krb5_parse_name(context, "lha@SU.SE", &p);
if (ret)
@@ -218,6 +336,9 @@ test_cache_remove(krb5_context context, const char *type)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new: %s", type);
+ if (strcmp(krb5_cc_get_type(context, id), "FILE") == 0)
+ unlink_this = krb5_cc_get_name(context, id);
+
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
@@ -230,6 +351,7 @@ test_cache_remove(krb5_context context, const char *type)
ret = krb5_parse_name(context, "lha@SU.SE", &cred.client);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
+ cred.times.endtime = time(NULL) + 300;
ret = krb5_cc_store_cred(context, id, &cred);
if (ret)
@@ -239,9 +361,16 @@ test_cache_remove(krb5_context context, const char *type)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_remove_cred");
+ memset(&found, 0, sizeof(found));
+ ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_MATCH_TIMES,
+ &cred, &found);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_cc_remove_cred didn't");
+
ret = krb5_cc_destroy(context, id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_destroy");
+ unlink_this = NULL;
krb5_free_principal(context, p);
krb5_free_principal(context, cred.server);
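Review bot: The new post-removal check reports its failure with `krb5_err(context, 1, ret, ...)` while `ret == 0`, so the message will be suffixed with the "success" text for error code 0; this is a krb5_errx() case. It also treats any non-zero return from krb5_cc_retrieve_cred() as "credential gone", so an unrelated backend error would pass the test; only the not-found code should be accepted (in the generic implementation that is KRB5_CC_END, I believe — please verify for the backends tested here). Suggested: `if (ret == 0) krb5_errx(context, 1, "krb5_cc_remove_cred didn't remove the credential");` followed by `else if (ret != KRB5_CC_END) krb5_err(context, 1, ret, "krb5_cc_retrieve_cred");`. test_cache_remove() begins above this hunk.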
@@ -294,6 +423,8 @@ struct {
{ "foo", 0, "foo" },
{ "foo%}", 0, "foo%}" },
{ "%{uid}", 0, NULL },
+ { "%{euid}", 0, NULL },
+ { "%{username}", 0, NULL },
{ "foo%{null}", 0, "foo" },
{ "foo%{null}bar", 0, "foobar" },
{ "%{", 1, NULL },
@@ -303,7 +434,7 @@ struct {
{ "%{nulll}", 1, NULL },
{ "%{does not exist}", 1, NULL },
{ "%{}", 1, NULL },
-#ifdef KRB5_USE_PATH_TOKENS
+#ifdef WIN32
{ "%{APPDATA}", 0, NULL },
{ "%{COMMON_APPDATA}", 0, NULL},
{ "%{LOCAL_APPDATA}", 0, NULL},
@@ -389,6 +520,7 @@ test_cache_iter(krb5_context context, const char *type, int destroy)
krb5_principal principal;
char *name;
+ heim_assert(id != NULL, "credentials cache is non-NULL");
if (debug_flag)
printf("name: %s\n", krb5_cc_get_name(context, id));
ret = krb5_cc_get_principal(context, id, &principal);
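Review bot: The assertion message added here describes the invariant rather than the failure: when it fires, the test prints "credentials cache is non-NULL", which is the opposite of what happened. heim_assert()'s text is only shown on failure, so it should read `heim_assert(id != NULL, "credentials cache is NULL");` or name the producer, if it is the iterator call above the hunk (I cannot see it from here). test_cache_iter() starts and ends outside this hunk.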
@@ -460,6 +592,9 @@ test_copy(krb5_context context, const char *from, const char *to)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique: %s", from);
+ if (strcmp(krb5_cc_get_type(context, fromid), "FILE") == 0)
+ unlink_this = krb5_cc_get_name(context, fromid);
+
ret = krb5_cc_initialize(context, fromid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
@@ -468,6 +603,9 @@ test_copy(krb5_context context, const char *from, const char *to)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new: %s", to);
+ if (strcmp(krb5_cc_get_type(context, toid), "FILE") == 0)
+ unlink_this2 = krb5_cc_get_name(context, toid);
+
ret = krb5_cc_copy_cache(context, fromid, toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_copy_cache");
@@ -484,6 +622,7 @@ test_copy(krb5_context context, const char *from, const char *to)
krb5_cc_destroy(context, fromid);
krb5_cc_destroy(context, toid);
+ unlink_this = unlink_this2 = NULL;
}
static void
@@ -493,6 +632,7 @@ test_move(krb5_context context, const char *type)
krb5_ccache fromid, toid;
krb5_error_code ret;
krb5_principal p, p2;
+ krb5_creds cred, tocred;
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL)
@@ -512,13 +652,26 @@ test_move(krb5_context context, const char *type)
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
+ memset(&cred, 0, sizeof(cred));
+ ret = krb5_parse_name(context, "krbtgt/SU.SE@SU.SE", &cred.server);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+ ret = krb5_parse_name(context, "lha@SU.SE", &cred.client);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+
+ ret = krb5_cc_store_cred(context, fromid, &cred);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_store_cred");
+
+
ret = krb5_cc_new_unique(context, type, NULL, &toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
- ret = krb5_cc_initialize(context, toid, p);
+ ret = krb5_cc_move(context, fromid, toid);
if (ret)
- krb5_err(context, 1, ret, "krb5_cc_initialize");
+ krb5_err(context, 1, ret, "krb5_cc_move");
ret = krb5_cc_get_principal(context, toid, &p2);
if (ret)
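Review bot: The credential stored into `fromid` before the move has every `times` field zeroed, whereas test_cache_remove() in this same patch sets `cred.times.endtime = time(NULL) + 300` before storing; if any backend under test prunes or hides credentials whose endtime is 0 (I have not verified that for the keyring and scc backends added to test_move() below), the retrieve that follows in the next hunk would fail for a reason unrelated to krb5_cc_move(). For consistency add `cred.times.endtime = time(NULL) + 300;` after the client principal is parsed. The doubled blank line after krb5_cc_store_cred() is a style nit. test_move() begins above and ends below this hunk.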
@@ -527,11 +680,15 @@ test_move(krb5_context context, const char *type)
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
+ ret = krb5_cc_retrieve_cred(context, toid, 0, &cred, &tocred);
+ if (ret)
+ krb5_errx(context, 1, "move failed");
+ krb5_free_cred_contents(context, &cred);
+ krb5_free_cred_contents(context, &tocred);
+
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
-
krb5_cc_destroy(context, toid);
- krb5_cc_destroy(context, fromid);
}
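Review bot: The new retrieve-after-move check discards the error code: `krb5_errx(context, 1, "move failed")` loses `ret`, so a failure here cannot be told apart from a not-found, a backend error, or a match problem. Use `krb5_err(context, 1, ret, "krb5_cc_retrieve_cred after krb5_cc_move");` so the com_err text is printed. It is also worth a one-line comment that `fromid` is not destroyed here because krb5_cc_move() consumes it, since the old `krb5_cc_destroy(context, fromid)` is removed by this hunk and the next reader will wonder. test_move() begins above this hunk.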
@@ -631,6 +788,160 @@ test_cc_config(krb5_context context, const char *cc_type,
krb5_free_principal(context, p);
}
+static krb5_error_code
+test_cccol(krb5_context context, const char *def_cccol, const char **what)
+{
+ krb5_cc_cache_cursor cursor;
+ krb5_error_code ret;
+ krb5_principal p1, p2;
+ krb5_ccache id, id1, id2;
+ krb5_creds cred1, cred2;
+ size_t match1 = 0;
+ size_t match2 = 0;
+
+ memset(&cred1, 0, sizeof(cred1));
+ memset(&cred2, 0, sizeof(cred2));
+
+ *what = "krb5_parse_name";
+ ret = krb5_parse_name(context, "krbtgt/SU.SE@SU.SE", &cred1.server);
+ if (ret) return ret;
+ ret = krb5_parse_name(context, "lha@SU.SE", &cred1.client);
+ if (ret) return ret;
+ ret = krb5_parse_name(context, "krbtgt/H5L.SE@H5L.SE", &cred2.server);
+ if (ret) return ret;
+ ret = krb5_parse_name(context, "lha@H5L.SE", &cred2.client);
+ if (ret) return ret;
+ *what = "krb5_cc_set_default_name";
+ ret = krb5_cc_set_default_name(context, def_cccol);
+ if (ret) return ret;
+ *what = "krb5_cc_default";
+ ret = krb5_cc_default(context, &id1);
+ if (ret) return ret;
+ *what = "krb5_cc_initialize";
+ ret = krb5_cc_initialize(context, id1, cred1.client);
+ if (ret) return ret;
+ *what = "krb5_cc_store_cred";
+ ret = krb5_cc_store_cred(context, id1, &cred1);
+ if (ret) return ret;
+ *what = "krb5_cc_resolve";
+ ret = krb5_cc_resolve_for(context, NULL, def_cccol, cred2.client, &id2);
+ if (ret) return ret;
+ *what = "krb5_cc_initialize";
+ ret = krb5_cc_initialize(context, id2, cred2.client);
+ if (ret) return ret;
+ *what = "krb5_cc_store_cred";
+ ret = krb5_cc_store_cred(context, id2, &cred2);
+ if (ret) return ret;
+
+ krb5_cc_close(context, id1);
+ krb5_cc_close(context, id2);
+ id1 = id2 = NULL;
+
+ *what = "krb5_cc_default";
+ ret = krb5_cc_default(context, &id1);
+ if (ret) return ret;
+ *what = "krb5_cc_resolve";
+ ret = krb5_cc_resolve_for(context, NULL, def_cccol, cred2.client, &id2);
+ if (ret) return ret;
+
+ *what = "krb5_cc_get_principal";
+ ret = krb5_cc_get_principal(context, id1, &p1);
+ if (ret) return ret;
+ ret = krb5_cc_get_principal(context, id2, &p2);
+ if (ret) return ret;
+
+ if (!krb5_principal_compare(context, p1, cred1.client)) {
+ char *u1 = NULL;
+ char *u2 = NULL;
+
+ (void) krb5_unparse_name(context, p1, &u1);
+ (void) krb5_unparse_name(context, cred1.client, &u2);
+ warnx("Inconsistent principals for ccaches in %s: %s vs %s "
+ "(expected lha@SU.SE)", def_cccol, u1, u2);
+ return EINVAL;
+ }
+ if (!krb5_principal_compare(context, p2, cred2.client)) {
+ char *u1 = NULL;
+ char *u2 = NULL;
+
+ (void) krb5_unparse_name(context, p2, &u1);
+ (void) krb5_unparse_name(context, cred2.client, &u2);
+ warnx("Inconsistent principals for ccaches in %s: %s and %s "
+ "(expected lha@H5L.SE)", def_cccol, u1, u2);
+ return EINVAL;
+ }
+ krb5_free_principal(context, p1);
+ krb5_free_principal(context, p2);
+
+ *what = "krb5_cc_cache_get_first";
+ ret = krb5_cc_cache_get_first(context, NULL, &cursor);
+ if (ret) return ret;
+ *what = "krb5_cc_cache_next";
+ while (krb5_cc_cache_next(context, cursor, &id) == 0) {
+ krb5_principal p;
+
+ *what = "krb5_cc_get_principal";
+ ret = krb5_cc_get_principal(context, id, &p);
+ if (ret) return ret;
+ if (krb5_principal_compare(context, p, cred1.client))
+ match1++;
+ else if (krb5_principal_compare(context, p, cred2.client))
+ match2++;
+ krb5_free_principal(context, p);
+ krb5_cc_close(context, id);
+ }
+ (void) krb5_cc_cache_end_seq_get(context, cursor);
+
+ *what = "cccol iteration inconsistency";
+ if (match1 != 1 || match2 != 1)
+ return EINVAL;
+
+ krb5_cc_close(context, id1);
+ krb5_cc_close(context, id2);
+
+ krb5_free_cred_contents(context, &cred1);
+ krb5_free_cred_contents(context, &cred2);
+
+ return 0;
+}
+
+static void
+test_cccol_dcache(krb5_context context)
+{
+ krb5_error_code ret;
+ char *dcc = NULL;
+ const char *what;
+
+ if (asprintf(&dcc, "DIR:%s/dcc", tmpdir) == -1 || dcc == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+
+ ret = test_cccol(context, dcc, &what);
+ free(dcc);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+}
+
+static void
+test_cccol_scache(krb5_context context)
+{
+ krb5_error_code ret;
+ char *scache = NULL;
+ const char *what;
+ int fd;
+
+ if (asprintf(&scache, "SCC:%s/scache", tmpdir) == -1 || scache == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+ if ((fd = open(scache + sizeof("SCC:") - 1, O_CREAT | O_RDWR, 0600)) == -1)
+ krb5_err(context, 1, errno, "open(%s)", scache + sizeof("SCC:") - 1);
+ (void) close(fd);
+
+ ret = test_cccol(context, scache, &what);
+ (void) unlink(scache + sizeof("SCC:") - 1);
+ free(scache);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+}
+
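Review bot: The collection-iteration loop in test_cccol() drops the return code of krb5_cc_cache_next(): any failure other than end-of-iteration terminates the loop silently, and the test then reports it as "cccol iteration inconsistency" with EINVAL, hiding the real error. Capture it, `while ((ret = krb5_cc_cache_next(context, cursor, &id)) == 0) {`, and after the loop `if (ret != KRB5_CC_END) { (void) krb5_cc_cache_end_seq_get(context, cursor); return ret; }` (assuming KRB5_CC_END is the end marker for the backends tested, as it is for the generic iterator). The `*what = "krb5_cc_resolve"` labels sit in front of calls to krb5_cc_resolve_for(), so the failure report names the wrong function. The early returns also leave id1/id2 and the cursor open; that is tolerable only because every caller exits via krb5_err(), which deserves a comment on the function.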
static struct getargs args[] = {
{"debug", 'd', arg_flag, &debug_flag,
@@ -676,21 +987,52 @@ main(int argc, char **argv)
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
+ make_dir(context);
+
test_cache_remove(context, krb5_cc_type_file);
test_cache_remove(context, krb5_cc_type_memory);
#ifdef USE_SQLITE
test_cache_remove(context, krb5_cc_type_scc);
#endif
+#ifdef HAVE_KEYUTILS_H
+ keyctl_join_session_keyring(NULL);
+ test_cache_remove(context, krb5_cc_type_keyring);
+#endif
test_default_name(context);
test_mcache(context);
+ /*
+ * XXX Make sure to set default ccache names for each cc type!
+ * Otherwise we clobber the user's ccaches.
+ */
test_init_vs_destroy(context, krb5_cc_type_memory);
test_init_vs_destroy(context, krb5_cc_type_file);
#if 0
test_init_vs_destroy(context, krb5_cc_type_api);
#endif
+ /*
+ * Cleanup so we can check that the permissions on the directory created by
+ * scc are correct.
+ */
+ cleanup();
test_init_vs_destroy(context, krb5_cc_type_scc);
+
+#if defined(S_IRWXG) && defined(S_IRWXO)
+ {
+ struct stat st;
+
+ if (stat(tmpdir, &st) == 0) {
+ if ((st.st_mode & S_IRWXG) ||
+ (st.st_mode & S_IRWXO))
+ krb5_errx(context, 1,
+ "SQLite3 ccache dir perms wrong: %d", st.st_mode);
+ }
+ }
+#endif
test_init_vs_destroy(context, krb5_cc_type_dcc);
+#ifdef HAVE_KEYUTILS_H
+ test_init_vs_destroy(context, krb5_cc_type_keyring);
+#endif
test_mcc_default();
test_def_cc_name(context);
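Review bot: The directory-permission check is silently skipped when stat(tmpdir) fails, and since cleanup() has just removed tmpdir so that the scc test recreates it, a missing directory is exactly the case where the check must not pass quietly; make it `if (stat(tmpdir, &st) == -1) krb5_err(context, 1, errno, "stat(%s)", tmpdir);`. The failure message prints `st.st_mode` with `%d`, which is a format mismatch for mode_t on most platforms and prints a decimal where a reader expects octal; use `"SQLite3 ccache dir perms wrong: %o", (unsigned)st.st_mode`. A comment that the check relies on cleanup() having removed tmpdir (and that atexit will run cleanup() again) would make the ordering explicit. The `keyctl_join_session_keyring(NULL)` return is unchecked, so in an environment without keyrings (containers, some CI) the following keyring tests fail with unrelated errors rather than a clear "no session keyring" message.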
@@ -709,6 +1051,14 @@ main(int argc, char **argv)
test_cache_find(context, "lha@SU.SE", 1);
test_cache_find(context, "hulabundulahotentot@SU.SE", 0);
+ /*
+ * XXX We should compose and krb5_cc_set_default_name() a default ccache
+ * for each cc type that we test with test_cache_iter(), and we should do
+ * that inside test_cache_iter().
+ *
+ * Alternatively we should remove test_cache_iter() in favor of
+ * test_cccol(), which is a much more complete test.
+ */
test_cache_iter(context, krb5_cc_type_memory, 0);
test_cache_iter(context, krb5_cc_type_memory, 1);
test_cache_iter(context, krb5_cc_type_memory, 0);
@@ -720,6 +1070,10 @@ main(int argc, char **argv)
test_cache_iter(context, krb5_cc_type_dcc, 0);
test_cache_iter(context, krb5_cc_type_dcc, 1);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_cache_iter(context, krb5_cc_type_keyring, 0);
+ test_cache_iter(context, krb5_cc_type_keyring, 1);
+#endif
test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
test_copy(context, krb5_cc_type_memory, krb5_cc_type_memory);
@@ -734,16 +1088,56 @@ main(int argc, char **argv)
test_copy(context, krb5_cc_type_dcc, krb5_cc_type_file);
test_copy(context, krb5_cc_type_dcc, krb5_cc_type_scc);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_copy(context, krb5_cc_type_keyring, krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_file, krb5_cc_type_file);
+ test_copy(context, "KEYRING:", "KEYRING:bar");
+ test_copy(context, "KEYRING:bar", "KEYRING:baz");
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+ test_copy(context, krb5_cc_type_file, "KEYRING:persistent");
+ test_copy(context, "KEYRING:persistent:", krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_file, "KEYRING:persistent:foo");
+ test_copy(context, "KEYRING:persistent:foo", krb5_cc_type_file);
+# endif
+ test_copy(context, krb5_cc_type_memory, "KEYRING:process:");
+ test_copy(context, "KEYRING:process:", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:process:foo");
+ test_copy(context, "KEYRING:process:foo", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:thread:");
+ test_copy(context, "KEYRING:thread:", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:thread:foo");
+ test_copy(context, "KEYRING:thread:foo", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:session:");
+ test_copy(context, "KEYRING:session:", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_memory, "KEYRING:session:foo");
+ test_copy(context, "KEYRING:session:foo", krb5_cc_type_memory);
+ test_copy(context, krb5_cc_type_file, "KEYRING:user:");
+ test_copy(context, "KEYRING:user:", krb5_cc_type_file);
+ test_copy(context, krb5_cc_type_file, "KEYRING:user:foo");
+ test_copy(context, "KEYRING:user:foo", krb5_cc_type_memory);
+#endif /* HAVE_KEYUTILS_H */
test_move(context, krb5_cc_type_file);
test_move(context, krb5_cc_type_memory);
-#ifdef HAVE_KCM
- test_move(context, krb5_cc_type_kcm);
-#endif
test_move(context, krb5_cc_type_scc);
#if 0
test_move(context, krb5_cc_type_dcc);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_move(context, krb5_cc_type_keyring);
+# ifdef HAVE_KEYCTL_GET_PERSISTENT
+ test_move(context, "KEYRING:persistent:");
+ test_move(context, "KEYRING:persistent:foo");
+# endif
+ test_move(context, "KEYRING:process:");
+ test_move(context, "KEYRING:process:foo");
+ test_move(context, "KEYRING:thread:");
+ test_move(context, "KEYRING:thread:foo");
+ test_move(context, "KEYRING:session:");
+ test_move(context, "KEYRING:session:foo");
+ test_move(context, "KEYRING:user:");
+ test_move(context, "KEYRING:user:foo");
+#endif /* HAVE_KEYUTILS_H */
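Review bot: Inside the HAVE_KEYUTILS_H block, `test_copy(context, krb5_cc_type_file, krb5_cc_type_file);` repeats the unconditional call at the top of this hunk and adds nothing; given the keyring→file line just above it, the intended pair was presumably `test_copy(context, krb5_cc_type_file, krb5_cc_type_keyring);`. The `KEYRING:user:foo` pair is likewise asymmetric (file→user:foo, but user:foo→memory), which looks accidental. Worth a comment as well: `KEYRING:user:`, `session:` and `persistent:` are the invoking user's real kernel keyrings, and cleanup() only removes files under tmpdir, so a test that exits via krb5_err() midway leaves caches behind in them. main() starts above and ends below this hunk.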
test_prefix_ops(context, "FILE:/tmp/foo", &krb5_fcc_ops);
test_prefix_ops(context, "FILE", &krb5_fcc_ops);
@@ -758,6 +1152,10 @@ main(int argc, char **argv)
test_prefix_ops(context, "DIR:", &krb5_dcc_ops);
test_prefix_ops(context, "DIR:tkt1", &krb5_dcc_ops);
#endif
+#ifdef HAVE_KEYUTILS_H
+ test_prefix_ops(context, "KEYRING:", &krb5_krcc_ops);
+ test_prefix_ops(context, "KEYRING:foo", &krb5_krcc_ops);
+#endif /* HAVE_KEYUTILS_H */
krb5_cc_destroy(context, id1);
krb5_cc_destroy(context, id2);
@@ -765,6 +1163,51 @@ main(int argc, char **argv)
test_cc_config(context, "MEMORY", "bar", 1000); /* 1000 because fast */
test_cc_config(context, "FILE", "/tmp/foocc", 30); /* 30 because slower */
+ test_cccol_dcache(context);
+ test_cccol_scache(context);
+#ifdef HAVE_KEYUTILS_H
+ {
+ const char *what;
+
+ ret = test_cccol(context, "KEYRING:legacy:fooccol", &what);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+
+ ret = test_cccol(context, "MEMORY:fooccol", &what);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+ }
+#endif /* HAVE_KEYUTILS_H */
+
+ {
+ const char *what;
+ char *config = NULL;
+ char *fname = NULL;
+ char *d = NULL;
+
+ if (asprintf(&d, "%s/cccol", tmpdir) == -1 || d == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+ if (mkdir(d, 0700) == -1)
+ krb5_err(context, 1, errno, "mkdir(%s)", d);
+ if (asprintf(&fname, "%s/foobar", d) == -1 || fname == NULL ||
+ asprintf(&config,
+ "[libdefaults]\n"
+ "\tdefault_file_cache_collections = FILE:%1$s/cccol/foobar\n"
+ "\tenable_file_cache_iteration = true\n",
+ tmpdir) == -1 || config == NULL)
+ krb5_err(context, 1, errno, "asprintf");
+ ret = krb5_set_config(context, config);
+ if (ret)
+ krb5_err(context, 1, ret,
+ "Could not configure context from string:\n%s\n", config);
+ ret = test_cccol(context, fname, &what);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", what);
+ free(config);
+ free(fname);
+ free(d);
+ }
+
krb5_free_context(context);
#if 0
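Review bot: The `test_cccol(context, "MEMORY:fooccol", &what)` call is placed inside `#ifdef HAVE_KEYUTILS_H`, so builds without keyutils (including this FreeBSD import, as far as I can tell) skip the MEMORY collection test even though it has no keyring dependency; move it outside the `#ifdef` next to the DIR and SCC collection tests. The config string is built with the positional `%1$s` conversion, which is POSIX-only and not available in the MSVC C runtime, in a file that otherwise keeps WIN32 branches; plain `%s` with `tmpdir` passed once is enough here. On the error paths `d`, `fname` and `config` are not freed, which is fine only because krb5_err() exits — a short comment saying so would stop a future "fix". main() begins above this hunk.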
diff --git a/lib/krb5/test_expand_toks.c b/lib/krb5/test_expand_toks.c
index 7f3d79f0d112..9b105fbc39fb 100644
--- a/lib/krb5/test_expand_toks.c
+++ b/lib/krb5/test_expand_toks.c
@@ -95,7 +95,7 @@ main(int argc, char **argv)
#define EXPANDED_SHOULD_BE "/tmp/abc/dcefgh/x"
#endif
- if (strcmp(expanded, EXPANDED_SHOULD_BE))
+ if (strcmp(expanded, EXPANDED_SHOULD_BE) != 0)
krb5_errx(context, 1, "Token expansion incorrect");
krb5_free_context(context);
diff --git a/lib/krb5/test_gic.c b/lib/krb5/test_gic.c
index f22a6930fcff..f11777e466bb 100644
--- a/lib/krb5/test_gic.c
+++ b/lib/krb5/test_gic.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/lib/krb5/test_hostname.c b/lib/krb5/test_hostname.c
index fbdb5c9c322a..f722353f664a 100644
--- a/lib/krb5/test_hostname.c
+++ b/lib/krb5/test_hostname.c
@@ -48,11 +48,11 @@ expand_hostname(krb5_context context, const char *host)
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname(%s)", host);
- free(h);
-
if (debug_flag)
printf("hostname: %s -> %s\n", host, h);
+ free(h);
+
ret = krb5_expand_hostname_realms(context, host, &h, &r);
if (ret)
krb5_err(context, 1, ret, "krb5_expand_hostname_realms(%s)", host);
diff --git a/lib/krb5/test_mkforwardable.c b/lib/krb5/test_mkforwardable.c
new file mode 100644
index 000000000000..3f25f13549d2
--- /dev/null
+++ b/lib/krb5/test_mkforwardable.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (c) 1997-2021 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * Copyright (c) 2021 Isaac Boukris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "krb5_locl.h"
+
+/*
+ * Usage: mkforwardable server out_ccache
+ *
+ * The default cache contains a ticket to server and the default keytab
+ * contains a key to decrypt it, the ticket is decrypted and the forwardable
+ * flag is added, the ticket is then re-encrypted and stored in out_cache.
+ *
+ */
+
+static krb5_context context;
+
+static void
+check(krb5_error_code code)
+{
+ const char *errmsg;
+
+ if (code == 0)
+ return;
+
+ errmsg = krb5_get_error_message(context, code);
+ fprintf(stderr, "%s\n", errmsg);
+ krb5_free_error_message(context, errmsg);
+
+ abort();
+}
+
+static void
+decrypt_ticket_enc_part(EncryptionKey *key,
+ krb5_enctype etype,
+ Ticket *ticket,
+ EncTicketPart *et)
+{
+ krb5_error_code ret;
+ krb5_data plain;
+ size_t len;
+ krb5_crypto crypto;
+
+ check(krb5_crypto_init(context, key, etype, &crypto));
+
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
+ KRB5_KU_TICKET,
+ &ticket->enc_part,
+ &plain);
+ check(ret);
+
+ check(decode_EncTicketPart(plain.data, plain.length, et, &len));
+
+ krb5_data_free (&plain);
+ krb5_crypto_destroy(context, crypto);
+}
+
+static void
+encrypt_ticket_enc_part(EncryptionKey *key,
+ krb5_enctype etype,
+ krb5_kvno skvno,
+ EncTicketPart *et,
+ Ticket *ticket)
+{
+ size_t len, size;
+ char *buf;
+ krb5_error_code ret;
+ krb5_crypto crypto;
+
+ ASN1_MALLOC_ENCODE(EncTicketPart, buf, len, et, &size, ret);
+ check(ret);
+
+ check(krb5_crypto_init(context, key, etype, &crypto));
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_TICKET,
+ buf,
+ len,
+ skvno,
+ &ticket->enc_part);
+ check(ret);
+
+ free(buf);
+ krb5_crypto_destroy(context, crypto);
+}
+
+
+int
+main(int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_keytab kt;
+ krb5_keytab_entry entry;
+ krb5_enctype etype;
+ krb5_creds mc, cred;
+ krb5_ccache ccache;
+ EncTicketPart et;
+ Ticket ticket;
+ size_t size;
+ krb5_kvno kvno = 0;
+
+ memset(&cred, 0, sizeof(cred));
+
+ if (argc != 3)
+ errx(1, "Usage: mkforwardable server out_ccache");
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx(1, "krb5_init_context failed: %u", ret);
+
+ check(krb5_cc_default(context, &ccache));
+
+ krb5_cc_clear_mcred(&mc);
+
+ check(krb5_parse_name(context, argv[1], &mc.server));
+
+ check(krb5_cc_retrieve_cred(context, ccache, 0, &mc, &cred));
+
+ check(decode_Ticket(cred.ticket.data, cred.ticket.length, &ticket, NULL));
+
+ etype = ticket.enc_part.etype;
+
+ if (ticket.enc_part.kvno != NULL)
+ kvno = *ticket.enc_part.kvno;
+
+ check(krb5_kt_default(context, &kt));
+
+ check(krb5_kt_get_entry(context, kt, mc.server, kvno, etype, &entry));
+
+ decrypt_ticket_enc_part(&entry.keyblock, etype, &ticket, &et);
+
+ et.flags.forwardable = 1;
+ cred.flags.b = et.flags;
+
+ free_EncryptedData(&ticket.enc_part);
+
+ encrypt_ticket_enc_part(&entry.keyblock, etype, kvno, &et, &ticket);
+
+ krb5_data_free(&cred.ticket);
+ ASN1_MALLOC_ENCODE(Ticket, cred.ticket.data, cred.ticket.length, &ticket,
+ &size, ret);
+ check(ret);
+
+ krb5_cc_close(context, ccache);
+
+ check(krb5_cc_resolve(context, argv[2], &ccache));
+ check(krb5_cc_initialize(context, ccache, cred.client));
+
+ check(krb5_cc_store_cred(context, ccache, &cred));
+
+ free_Ticket(&ticket);
+ free_EncTicketPart(&et);
+ krb5_cc_close(context, ccache);
+ krb5_free_principal(context, mc.server);
+ krb5_free_cred_contents(context, &cred);
+ krb5_kt_free_entry(context, &entry);
+ krb5_kt_close(context, kt);
+
+ return 0;
+}
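Review bot: The usage comment should state the security-relevant precondition of this new tool: it decrypts the ticket with the service's long-term key from the default keytab, sets a flag the KDC did not grant, and re-encrypts with the same key, so it only works because the test harness holds the service key, and the result is a forged ticket. Add after the existing description: ` * Test-only helper: forging the flag requires the service's keytab key, which a real client never has; do not install this outside the test suite.` check() also aborts on any failure without naming the failing call; passing a short label (e.g. `check(ret, "krb5_kt_get_entry")`) and using `exit(1)` instead of `abort()` would avoid core dumps on an ordinary usage error such as a missing keytab entry. `errx(1, "krb5_init_context failed: %u", ret)` prints a krb5_error_code with `%u`, while test_cc.c in this same patch uses `%d`; if the type is signed here as elsewhere in the tree, `%d` is the matching conversion.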
diff --git a/lib/krb5/test_pac.c b/lib/krb5/test_pac.c
index 983294ecf90c..70da1cb62665 100644
--- a/lib/krb5/test_pac.c
+++ b/lib/krb5/test_pac.c
@@ -157,6 +157,803 @@ static time_t authtime2 = 1225304188;
static const char *user2 = "openmsp";
+/* PAC ticket-signature test data. */
+
+static const krb5_keyblock rwdc_tgt_key = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ { 32, "\x27\x86\x34\x1d\xd3\x15\x06\x0d\x6f\xd6\x40\xfa\x03\xb1\x95\x32"
+ "\x91\x22\xe8\x6b\x0f\x47\xe0\xb5\xfe\xda\xef\x54\x98\xdc\x07\x5a" }
+};
+
+static const krb5_keyblock rwdc_tgt_pac_key = {
+ ENCTYPE_ARCFOUR_HMAC,
+ { 16, "\xb9\xf0\x39\x8d\xe9\x60\xb8\x40\x8c\x54\x0b\x61\xf9\xd2\xf1\x16" }
+};
+
+static const krb5_keyblock rodc_tgt_key = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ { 32, "\x0c\x7e\x63\x47\xc8\x70\x7f\x58\x7c\x91\x59\xba\xc9\xbf\x50\xb4"
+ "\xe2\xd6\x49\xb6\x85\xd3\xd9\xf3\x80\xba\xe9\x02\x46\x51\xab\x23" }
+};
+
+static const krb5_keyblock rodc_tgt_pac_key = {
+ ENCTYPE_ARCFOUR_HMAC,
+ { 16, "\x80\x5d\x66\xb9\x5f\x66\xd6\x80\xc3\x5a\x07\x41\xe8\x97\xcc\x66" }
+};
+
+static const krb5_keyblock server_key = {
+ ENCTYPE_ARCFOUR_HMAC,
+ { 16, "\xed\x23\x11\x20\x7a\x21\x44\x20\xbf\xc0\x8d\x36\xf7\xf6\xb2\x3e" }
+};
+
+
+static const unsigned char tgt_ticket[] =
+ "\x61\x82\x03\xe1\x30\x82\x03\xdd\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x1d\x30\x1b\xa0\x03\x02"
+ "\x01\x02\xa1\x14\x30\x12\x1b\x06\x6b\x72\x62\x74\x67\x74\x1b\x08"
+ "\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa3\x82\x03\xa9\x30\x82\x03\xa5"
+ "\xa0\x03\x02\x01\x12\xa1\x03\x02\x01\x02\xa2\x82\x03\x97\x04\x82"
+ "\x03\x93\xfb\x16\x6b\x43\xca\x54\x6a\xed\xc8\xa4\x1f\x9e\xde\x88"
+ "\xa0\xa2\xc8\x86\x50\x17\x67\xbc\x0b\x13\xb8\x00\x80\x48\x54\x77"
+ "\xb2\x4c\x5f\xff\x34\xb6\x05\xc4\xff\xdb\x68\x00\x7c\xf4\x4f\x65"
+ "\x56\x69\x1a\x2f\x32\x24\x19\xef\x0a\xf8\xcd\x22\x4a\xe9\xcc\x2b"
+ "\x65\xfb\x3a\xff\x3d\xb3\xdc\xea\x5a\x9b\xb0\x14\xd0\xa6\x1d\x7c"
+ "\x82\xa7\x18\x23\xad\xd3\x43\x6c\x23\x41\x6e\x7c\x84\x01\xc7\xd6"
+ "\x60\xdf\xbb\x19\xac\xf3\x5b\x52\xea\xd1\xdb\xa5\x49\xc6\xf1\x44"
+ "\x59\x41\x15\x78\x13\xbc\x85\x73\xba\xd7\xde\x55\xe9\x84\x30\x11"
+ "\x5e\x00\x47\xff\x01\x87\x46\xda\xe3\xb4\xe3\xef\xac\x67\xa8\x8d"
+ "\x06\xf4\x04\xa3\x15\x5f\x51\x59\xe9\xb4\x65\x00\x1f\x45\x7c\x2a"
+ "\xcf\x17\x78\x75\xad\xc8\x65\x92\xe7\x20\x89\x41\x43\x5e\x08\x1d"
+ "\xc9\x4b\xa1\x57\x26\x7f\x9a\x64\xc7\xe3\x90\xbf\xa8\x9f\x86\x89"
+ "\xbf\x37\xd0\x1a\x9c\xe7\x32\xbb\x9f\x8d\x38\xfd\xe8\xf4\x88\x54"
+ "\x3d\xe7\xd0\xfb\x73\x1a\x97\xee\xa5\x32\x67\x62\x4d\x1c\x28\x85"
+ "\x01\x4f\x76\x4c\xf6\xe5\x73\x93\x0e\xd8\x0a\xf1\x6f\xf0\x8c\xbf"
+ "\x65\x80\x87\xd1\xe8\xbc\xc5\x8f\x03\xb8\xfe\x7e\xd6\xde\x80\xa5"
+ "\x27\x8c\x26\x14\x66\xf3\xd2\x4d\x51\x51\xe7\x47\xac\xa5\x93\xd7"
+ "\x01\x5b\x6b\xca\x6c\xd5\x19\x7b\xad\x97\xf2\xa6\x18\x0e\xe3\xea"
+ "\x5e\x81\xe4\xd7\xf5\xb0\xca\x0f\x04\x13\xc4\xed\x5b\x0c\xb2\xc4"
+ "\x5e\xd3\xc2\xb6\x0f\x0a\x76\x8a\x7d\x1c\x79\x62\xb5\x68\x47\x33"
+ "\x5e\x28\x3a\xd6\x78\x89\xb3\xbd\x34\x72\x7f\xe1\x8e\x5e\xa9\x89"
+ "\xfe\xc5\xba\x5f\x76\x00\x27\x29\x88\x79\xb4\x42\x33\xe7\x4c\xce"
+ "\x47\x39\xac\xfa\x8e\x93\x7a\x92\x7f\xbd\x91\xc8\xff\xe4\x7b\x04"
+ "\xe8\xf7\x29\x3b\xb4\x41\xb9\xe0\x61\x14\x2a\xc9\x5b\x02\xc2\x01"
+ "\x6f\x61\xa8\x1a\x5e\x2d\x0b\x3f\xc3\x1d\x6a\xb0\x9e\xf1\x41\xaf"
+ "\xc6\xe0\x11\xb3\x47\xb2\x43\x42\xb4\x6e\xdb\x16\x41\x6a\x7b\x53"
+ "\x97\x01\x7f\x3e\x9d\x47\x27\x14\x29\x7d\xc7\xa5\x40\xaf\x77\xcb"
+ "\xc9\x3e\x2e\x1f\xa3\xc8\x69\x98\xf7\xb2\x18\xa7\xcf\x45\x87\xba"
+ "\x48\x0b\xb8\x03\x10\x46\x2d\x95\x59\x5b\x9e\xe3\xe4\x20\x08\x80"
+ "\x97\x39\x16\x0c\x34\x27\x35\xd3\xd9\x71\x7b\xc2\x7d\x16\x36\xad"
+ "\xa0\x95\x12\x49\x5a\x3b\xea\xcf\x85\x75\x9e\xa4\x96\x51\x6c\x34"
+ "\x60\xd5\x3a\x9d\x60\x80\x53\x71\xac\x21\xfe\xea\xb3\xc5\x74\x65"
+ "\x7b\x98\xb6\x63\x58\xb7\xc9\x0c\x80\xad\x54\x9b\x1c\xdf\x84\xf9"
+ "\x97\xac\x73\x72\x4f\xbe\x10\x72\x6a\xec\x36\xfc\x7c\x98\xc6\x98"
+ "\x81\xde\xab\x2b\x8a\x68\x17\xd6\xb0\xac\xfd\xed\x5d\x67\xd3\x5a"
+ "\xbe\x7e\x88\x63\x5f\xc3\x1f\xf7\x04\xd9\xcd\x0a\xc7\x70\x83\x93"
+ "\x60\x86\x0c\x08\x21\xbb\x2f\x29\x28\xaf\x3f\x93\x24\x5f\x3a\x1d"
+ "\xf3\x81\x95\xb4\xef\xd6\x8c\x79\xdf\xf7\x9d\x4a\x0a\x49\xa7\x46"
+ "\xcd\x05\x30\x6e\x92\xa2\x26\x23\x8e\xf3\xe1\x38\x41\x63\x2f\xe6"
+ "\xd1\x59\x99\x8d\x7a\x8c\x4d\x57\x19\x5c\xee\x75\x7a\xd8\x0a\x53"
+ "\x43\xb0\x92\x01\x4a\xf7\xc4\x54\x8e\xe8\xc6\x43\x0b\x43\x9a\xa3"
+ "\xfd\x5c\x0c\x47\x52\xdf\xc6\x47\xa0\x14\xef\x45\xcf\xdf\xb7\x04"
+ "\xca\x3e\x5d\x8b\x32\x9b\x81\xa3\x8b\x9d\x7c\x0f\x11\x13\xf1\x0d"
+ "\xc0\xd0\xe2\xc1\xf7\x65\x03\xe0\x50\x6c\xbb\x3c\xd2\xc1\xad\x15"
+ "\xa3\xcd\x24\x85\xc0\x94\x54\x12\x2d\x63\x01\x47\x8b\x51\xee\xd1"
+ "\x46\xc0\x47\xcf\xce\xa1\x81\x5a\x5c\xe6\x59\x99\xb1\xaf\x80\x05"
+ "\xc3\x22\x69\xb3\x19\xec\x0e\xdd\x72\x0a\xcb\xf5\x4e\x90\x65\x41"
+ "\x68\x46\x8e\xab\xb3\xcc\xb6\xe2\xbd\xbf\xc0\x04\x12\x35\x84\xe5"
+ "\xef\xa5\x7f\x98\x8e\x0d\xac\x92\xae\x8f\x9c\x41\xce\x41\xb5\xcc"
+ "\x59\x00\xa5\x2c\x71\xe3\xdd\x25\x29\xd2\xac\x0f\x9b\x23\xbd\x1e"
+ "\x25\xe5\x06\xbd\x43\x46\x46\x4f\x81\x08\x1f\x57\xa9\x93\x24\xe4"
+ "\x83\x42\x13\x00\xce\x95\xdb\xde\x95\xc5\x8c\xd8\x29\x4e\x43\xb2"
+ "\x64\xe6\x6c\x0e\x40\x86\x35\xef\xac\x5b\x15\x92\xfb\x3c\xf0\x94"
+ "\xd8\x1f\xf9\x90\x8a\xd2\xa8\x4a\x1d\x77\x57\x4c\x65\xb3\x4f\xe4"
+ "\x03\x13\x3d\x52\x8b\xe4\x9e\x98\x53\xf1\xad\xc1\x2a\x3c\xda\x4f"
+ "\x24\xbf\x24\xb2\xb7\x34\xc7\xde\xfb\xe6\xe9\x82\x05\x07\x25\xd9"
+ "\x8e\xea\xd8\xb7\x0d\x1d\x0d\xf1\x0c\x99\x1a\x6a\xa7\xe7\x27\x49"
+ "\x26\x2a\x75\xd5\x84";
+
+static const unsigned char service_ticket[] =
+ "\x61\x82\x03\xf3\x30\x82\x03\xef\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc5\x30\x82\x03\xc1\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb3\x04\x82\x03\xaf\x7e\x88\x85\x77\x22\x5e\x30\x7a"
+ "\xaf\x63\xc4\x2b\xc1\xae\x88\x87\x27\x65\x0e\x1e\xa7\x94\x67\xf9"
+ "\x9d\x49\x5b\x6b\xba\xfb\x51\x04\xc4\xe8\x44\xc9\xdf\x8d\x8d\x58"
+ "\x61\xdb\x1e\x82\x98\xc7\x68\x9e\x81\xf0\xc4\x88\x87\xd6\xf5\x7b"
+ "\x44\x8e\x4a\x65\x4f\x37\x49\x8a\x81\x67\x00\x7e\xf3\x7e\x75\x9d"
+ "\x61\x18\x6d\x6f\x21\x73\xe3\xab\xe2\x86\xc0\xf1\x8b\x9f\x25\xc2"
+ "\xdc\xc4\x65\xeb\xba\x24\x3d\x2d\x5a\x9b\xbe\xc1\x24\x8c\xf1\x78"
+ "\xfc\xf9\xca\x14\x8e\xd4\xe3\xb3\x54\x87\xce\x97\x0c\x7b\x11\x2e"
+ "\x38\x30\xed\x8c\x41\x28\x90\x5b\xc6\x3d\xba\x29\x7b\x11\xfa\x85"
+ "\x54\x13\xab\x22\xe9\x52\xdd\xad\x5a\xdc\xa7\xca\x4f\x19\x49\x81"
+ "\x53\x09\x10\xca\x6b\x1a\x44\x13\xe6\x88\xec\x14\xd2\x15\x5a\x65"
+ "\x8a\xef\x55\x6a\xb1\xda\xc4\xe6\x0d\xc8\x2d\x8b\x0c\x00\x71\x6a"
+ "\x7b\x06\x34\xe0\x93\xa4\x5d\x5b\xa9\x43\x65\x42\xc5\x13\x64\xee"
+ "\x51\xd3\xd9\xc8\x3d\x52\xe2\xba\xb2\x81\xe6\x86\x25\x6f\xa6\x22"
+ "\x25\x97\xbb\xf1\xe4\x6e\xe1\x9a\xfa\xa4\xa0\x8b\xd6\x7b\x4a\x8a"
+ "\x62\x3d\x21\x1c\x08\x16\x8d\x29\x58\x7e\xfd\x43\x48\xba\xd7\x19"
+ "\x7c\xdd\x57\xe4\x8f\x94\x6e\x97\xed\x8d\xf2\x68\xe4\x89\xde\xc3"
+ "\xed\xa6\x7b\xcd\xff\x0c\xcf\xac\xad\xfa\x54\x89\xfc\xd0\x94\xd9"
+ "\x48\x25\x61\x71\x89\x32\xb8\xdb\xf9\xfb\xb9\xf4\x8b\x7e\x9c\x95"
+ "\x5d\xa3\x03\x13\xaa\x50\x28\xfa\x0b\x54\x5e\x0a\x3a\xb6\x4e\x58"
+ "\xee\x3f\xbc\xd2\x23\x81\x82\x82\xab\xef\x6a\xf8\x10\x56\x0e\x43"
+ "\xc2\x4a\x30\xa9\x17\x1a\x46\xb2\xdd\xcf\x7d\x20\x46\x0e\xc8\xff"
+ "\x54\xf5\xa1\xa1\x43\x8b\x02\x00\x0c\x31\xbb\x66\xcd\x17\xf0\x12"
+ "\x83\x39\x6c\xcf\x9c\xe9\x68\x26\x68\x86\xd4\xa4\xe6\x33\xa1\xdb"
+ "\x74\x1d\x56\x1c\x2b\xff\x5e\xdd\xe7\xdd\x3a\x3e\x3a\x13\xbf\x36"
+ "\x5a\x3f\x0d\x21\x9d\x9c\xd5\x20\x13\x1d\x86\xb4\xb2\xa5\x34\xa2"
+ "\x0b\x9a\x0c\xa0\xac\x92\x9b\x02\xf2\x68\x19\x9e\x1c\x66\x40\x29"
+ "\x81\x13\xf3\x06\x49\xa4\xf5\xd9\xe9\xd1\x2f\x89\xac\x1d\x20\x9e"
+ "\xb1\x2e\xf3\xde\x09\x7c\xf4\xe6\x2b\x61\x3f\x35\x0f\x83\xa9\x24"
+ "\xd3\xbd\x14\x0f\x48\xcb\xe4\x98\x02\x7c\x83\x1b\x61\x59\x34\x7d"
+ "\x32\x59\xbc\xb8\xe2\xb3\x99\x80\x75\x4b\x4b\xb5\x2b\x6d\x07\x66"
+ "\x3c\x8a\xbc\x6d\x61\x6e\xcb\x12\x53\xe2\x07\x38\x4e\x2f\xdb\xe0"
+ "\x15\x4c\x8b\xdb\x7e\xeb\x61\x96\xfb\x4f\x3d\x5f\xbe\xdb\x34\xb0"
+ "\x73\x7a\xe6\x10\x8a\xe7\x37\xa3\x15\x68\x44\x85\xc2\xc1\x4f\x3e"
+ "\x4c\xc8\x51\x54\x2c\x7d\x50\x86\xf2\xbd\x19\x63\x51\x4c\xb4\xd4"
+ "\x29\x6a\x03\xae\x38\x77\x25\xbc\x15\xba\xa8\x65\x29\x29\xdd\xb1"
+ "\xaa\xe8\x9a\xbf\x4c\x15\xcf\x13\x11\x0b\x86\x5c\x44\xca\x82\x49"
+ "\x8c\x1b\x77\x28\x36\x87\xf9\xad\x6d\xe0\x05\x0f\x93\x00\x1f\xaf"
+ "\xe4\xe9\x5a\x8f\x61\x41\x46\x2f\x52\x4d\x16\x4f\x9c\xca\x94\xff"
+ "\x19\x2e\xa5\x65\x09\x4f\x58\xfb\x4b\xbe\x89\xb3\x1a\x3b\x9b\xe4"
+ "\xb9\x7b\x58\xcd\xa3\x73\x41\xe0\xcb\xbd\xce\x97\x87\x1f\x60\xc8"
+ "\xbb\x8c\xe9\xd7\x4f\x9a\x2d\xb5\xd4\x73\x4e\x25\xf3\x36\xbc\x3f"
+ "\x81\x23\x82\x1e\xde\xbe\x9b\x35\x67\x99\x9f\x9c\x02\x9c\x75\x0c"
+ "\xed\xb1\xcb\x82\x7f\xf5\x31\x66\x76\x01\x5a\x61\x3c\xa4\xe9\xae"
+ "\x1a\xc1\x3f\x35\x7d\xd4\x41\xdb\x7f\xd2\xc5\x5f\xbe\x8c\x13\xa6"
+ "\x1a\xd3\x2e\xf6\x0f\x91\xd5\x20\xd5\x36\x57\xa8\x40\x17\x3b\x49"
+ "\xf6\xe5\x55\x04\xcf\xf3\x72\x3d\xa6\x99\x3a\x40\x49\xdf\x5a\x69"
+ "\xfb\x35\x43\x3a\x49\x8e\xb9\x6d\x1b\xd3\xb9\x6a\xcb\xcd\x6c\xda"
+ "\x68\x3f\xc1\xd4\x0e\xdb\x7a\xd5\x05\x77\xac\xc2\x95\xf4\x7c\x83"
+ "\x3c\xaf\x55\x9f\x29\x52\xee\xe4\x34\x2d\x4c\x5f\xfa\x76\x0a\xe2"
+ "\x8e\xe3\xb7\x12\x37\x79\x9e\xfb\xe2\xaf\x3f\xbc\x2a\x2e\x35\x79"
+ "\xd4\x65\x05\x88\xb7\x1d\xc6\xf8\x89\xe7\xe9\xa1\xe0\xf0\x18\x3a"
+ "\xd4\x06\x47\x22\xf2\xb7\xbf\x67\x41\x24\xaf\x19\x85\x32\xf5\x91"
+ "\x8a\x16\xd8\x99\xd5\x27\x0e\x08\xfd\x07\x42\xdd\xd9\x41\xd7\x1c"
+ "\x7e\x64\x09\x9b\xe7\x51\xff\x02\x37\x32\x12\x6d\x60\x3f\x36\x25"
+ "\xd0\x53\xd8\xbd\x22\x6f\x2c\xec\x7c\xe4\x65\x7b\xd4\xcc\xce\xc4"
+ "\x8d\xee\x53\x48\x26\x8c\x97\x18\x0a\x06\x62\xaf\x31\x0c\x85\xc8"
+ "\x27\x11\xb3\x18\x9b\x24\x57\x38\x20\xf6\xe5\x42\x72\x1c\x3c\xfb"
+ "\xce\xd4\x26\x65\x92\x21\x49\x0b\x5d\x62\x72\xeb\xb3\x53\x89\x55"
+ "\xb6\x81\xef\xfd\xd2\xb6\xed";
+
+static const unsigned char s4u2self_ticket[] =
+ "\x61\x82\x03\xf2\x30\x82\x03\xee\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc4\x30\x82\x03\xc0\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb2\x04\x82\x03\xae\x41\x12\xbe\x9e\x19\x0b\x27\xfe"
+ "\x38\xd3\x9b\x98\x8d\xcf\xc4\xe5\x34\x43\x64\x4a\x96\x00\x12\x52"
+ "\x92\x24\xcc\x8a\xe2\x80\x2a\x9e\xc1\x67\x6d\xd2\x77\x41\xe3\xc3"
+ "\xb7\xde\xf9\xdf\x8f\xdb\xe8\xd6\x78\x84\x83\xa0\x99\x2a\xbb\x24"
+ "\x25\x9d\x3a\x4d\xb0\x89\xe8\xa7\x67\xbe\x4e\x7b\xd4\x20\xad\xa6"
+ "\xb5\xa2\xab\xf4\x07\xf9\x14\x2e\x08\xc5\xa8\x43\xc2\xaf\x24\x53"
+ "\xb3\xaf\x7b\x83\xb5\xd1\xca\x8a\x99\x83\x14\x08\x37\x1f\x20\x03"
+ "\xfc\xd4\xb4\xce\xb3\x9a\xc1\xbd\x31\x54\x21\xb6\xbe\x7c\x82\xbc"
+ "\x30\x61\x0d\x9a\x10\x90\x00\x69\xee\xd5\xd3\xf6\x7c\xfa\x70\xa7"
+ "\xd4\xa1\xe6\xbd\x0b\xb1\xe2\xcc\x4e\xc6\x53\xc7\x89\x39\x57\x63"
+ "\xca\xfb\x4f\x0d\x73\xf7\x2a\xda\x94\x40\xdd\x0a\xd6\x00\x14\xc2"
+ "\x7b\x5f\xda\x27\x7c\x95\x32\xab\xcf\xd1\xac\xd0\xfc\x4a\xb4\x82"
+ "\x80\x5f\x56\xa5\xac\xb9\xb4\xc8\xb9\x08\x0a\x52\x9b\x2e\x80\xf4"
+ "\x9d\x85\x73\x09\xb1\x9a\xd6\x50\x59\x47\x0f\x8f\x72\xd5\x91\x76"
+ "\x89\xba\x49\xe3\x5e\x76\x07\x84\x8b\xf2\xc0\x57\xd4\xd2\x31\xfe"
+ "\xfd\xa3\xcd\x96\x5a\xbe\x19\x18\x97\x8e\xbf\x18\x1b\xdf\xf9\x78"
+ "\x5b\xac\x3c\x1f\xff\x4c\x64\xef\x1d\x5e\x69\x04\xcf\x68\xf6\x97"
+ "\xc4\xff\x16\x8e\xb2\x22\xf3\xc5\x84\x67\x41\x04\xce\x72\xdd\x76"
+ "\x65\x2e\xee\x84\xfb\x85\x83\x4b\x41\xdf\x24\x1e\xc7\x31\xf0\xc4"
+ "\xf1\xf7\x83\xfe\x46\x6d\x6f\x45\xf6\xb4\x40\xbb\x2f\x09\xf7\xe2"
+ "\x6f\x19\xd3\x3e\xa6\x94\x76\x46\x6b\x78\x43\x08\x4c\xfc\x15\xc2"
+ "\x4d\xef\x12\xe0\x38\x6a\xdb\x49\x7a\x71\x6c\xeb\xe3\xdf\xe7\x57"
+ "\x25\x23\x09\x4d\x74\xac\x93\x95\x8a\x6c\x01\x70\x0a\xb7\x42\xee"
+ "\xf5\x5c\x65\x64\xc6\xd7\x3e\x57\x7e\x0f\x9b\xdd\xf0\xfb\xdb\x92"
+ "\xa6\x1c\x75\x18\x88\x29\x03\xf9\x58\xf0\xd0\xc2\x91\x9c\xf6\x58"
+ "\x4e\x15\xe1\xab\x46\x1e\x23\x7c\xdc\xa5\xdd\xaf\x59\xae\x22\xbb"
+ "\xc3\x6d\x02\x0f\x02\x9e\x4a\xc1\x6d\x55\x4b\x35\x69\xd5\xaa\x92"
+ "\x61\xef\x0d\x50\x42\x49\xc0\xb5\x9d\x57\x3f\x50\x4d\xc2\x17\xda"
+ "\xc4\x43\xd1\x1f\x8c\x77\x4c\xa1\x37\x5c\x39\xe7\x51\x7e\x52\x68"
+ "\x0f\x6d\x8e\x1e\xb7\x81\x14\xc1\x11\x17\xa9\x37\x75\x48\x72\x35"
+ "\xca\xeb\xcb\x0d\x84\xbb\xf1\x08\x79\xde\x31\x00\x7f\x54\xc8\xbc"
+ "\x38\x1f\x2c\x56\x3b\xfc\x9d\x8a\xbc\x2d\x72\x8b\x32\x29\xf7\x52"
+ "\x96\x60\x34\x70\x13\x6f\x5a\x98\x7f\x69\xdc\x00\x21\x4c\x9d\x21"
+ "\x52\xd9\x71\xa3\xc6\xea\xd9\xdb\xeb\xd5\x78\xe5\x8f\x5e\x1d\xa8"
+ "\xa6\x0a\x58\x9c\xc9\x45\xc0\xb6\xb1\xe5\xfb\x49\xd2\x71\x41\x52"
+ "\xae\x52\x84\xd6\x90\x1e\x9a\xc2\xdb\x5b\xf8\x18\xf8\x47\x25\x70"
+ "\x1b\x07\x64\x8c\x4a\x94\xb0\x52\x50\xf0\x99\x3b\x0d\x11\x33\xb9"
+ "\xd6\xdf\x43\xfe\x34\x92\x3f\xa9\x1c\x9e\xfc\x89\x11\xdb\xe5\x15"
+ "\xae\x74\xd2\x1b\xd0\x42\x5a\x19\x0c\x03\x8e\x09\x16\xd2\xcf\xe8"
+ "\xd5\x02\xa4\x58\xe3\xca\xef\xe3\xa5\x36\x4f\x79\x6e\xc2\x57\x7f"
+ "\x97\xcf\x87\xec\x10\x57\x35\x15\xd8\x67\x4c\xaf\x2c\x6b\x50\x04"
+ "\xd6\xf7\x5f\x83\x1a\x4d\xfe\x44\x67\x60\x3f\x98\xfe\xa5\xd0\x56"
+ "\xf1\x46\x1e\xa0\x38\x21\x62\x0e\xce\xd5\x9a\x41\x4b\xb1\x9a\x7d"
+ "\xfe\x7d\x2d\x88\x16\x82\x73\x27\x4d\x9f\xad\x06\x1e\x93\x0f\xe7"
+ "\xd0\x98\xc5\x2e\xd8\xfc\x97\x4c\xed\x3b\x89\x94\xf4\x71\x88\x9f"
+ "\xc6\x5a\x73\x6e\x00\x4a\xd4\x99\xe2\x87\x32\x62\x03\x20\x73\xe3"
+ "\xba\xcc\x5d\x35\xa8\x20\x10\xb8\x60\xff\xed\x8c\x44\x21\x31\x1a"
+ "\x41\xb1\x3b\xa3\x44\x15\x45\x99\xa2\x89\x47\xd1\x80\xfd\xee\xc7"
+ "\xe8\xa2\xaa\xb3\x90\x2b\x04\x3c\x78\xf9\xcd\x0a\x90\xd5\x46\x28"
+ "\x52\x62\xbb\x08\x46\x19\x82\xb6\xe6\x2d\x3e\x04\x95\xd5\x0e\x7e"
+ "\xb3\x5f\x0e\x30\xbe\xf0\xdb\x36\x15\x69\xd5\x2d\x38\x95\x17\x27"
+ "\x2b\xa3\xc8\x68\x00\x55\xde\x2e\xd6\x07\xb4\x7a\x89\x1c\xe7\xc2"
+ "\x3c\xc4\x57\x9f\x45\xea\x77\xaf\xd8\xf1\xbe\x2a\x05\x46\x04\x51"
+ "\x83\x21\xa7\x1a\xa8\x23\x2f\x62\xa9\x67\xe6\xf3\xab\x47\xb9\xa6"
+ "\xec\x98\x7c\x7b\xd3\x42\x5d\x73\x37\xab\x46\x75\x2b\x33\xda\xf8"
+ "\xad\x2c\x62\x36\x2a\x91\x8f\x2c\x12\x4d\x00\xd5\x02\x98\x58\xfe"
+ "\xd2\x3d\x38\xc1\xe0\x2d\xeb\x7f\x22\xe6\x12\x72\xcd\xc7\x4b\xac"
+ "\x6d\x70\xc1\xcc\xda\x6d\xf1\x21\x44\xb4\x92\xec\xce\xd7\x6a\xde"
+ "\xea\x62\x63\xa9\x15\xe8\xf3\xea\xc6\xc8\x26\x39\xef\xa0\x76\x66"
+ "\x54\x45\xb6\xdd\x4b\xff";
+
+static const unsigned char s4u2proxy_ticket[] =
+ "\x61\x82\x04\x9f\x30\x82\x04\x9b\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x20\x30\x1e\xa0\x03\x02"
+ "\x01\x03\xa1\x17\x30\x15\x1b\x03\x73\x71\x6c\x1b\x0e\x6d\x79\x73"
+ "\x71\x6c\x2e\x61\x63\x6d\x65\x2e\x63\x6f\x6d\xa3\x82\x04\x64\x30"
+ "\x82\x04\x60\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02\xa2\x82\x04"
+ "\x52\x04\x82\x04\x4e\xaa\x63\x2e\xe0\x3a\x24\xed\x98\x29\x42\xa4"
+ "\x17\x2b\x4a\x17\x1d\xea\x46\x2a\xc9\xeb\x10\xeb\x02\xe3\xa2\x40"
+ "\xf5\x79\xaa\x1c\x83\x20\xe0\x24\x9b\x6f\x06\xc4\x31\x82\xc8\x52"
+ "\xdb\x9a\x04\x36\xff\x5c\x7a\xa5\xfe\x5c\xf3\x40\xcf\x7c\x31\x0f"
+ "\xda\x2a\x20\xa1\x7e\xdb\xf4\x05\x54\xcb\x51\xa0\x54\x25\xc8\x9f"
+ "\x4d\x23\x0a\xef\x56\x4e\xa0\xdf\xf5\x0b\xce\x75\x93\x5b\xf9\xe5"
+ "\x3a\xdf\x08\x3f\xce\x1c\x75\x6b\x4f\x38\x1a\x90\x4c\x3e\x99\x49"
+ "\x6c\x7a\x55\xf5\xdd\x59\x64\xab\x43\xfd\x3f\x45\x5a\xd3\x0f\x4f"
+ "\x37\x44\x03\x42\x0e\x83\xac\xf9\x04\x83\x43\xfc\x60\xc3\x1b\xc4"
+ "\xc0\x2a\x6c\x6e\x65\xf4\x8f\x2d\x52\x1f\x18\xbe\x09\x17\x10\x1d"
+ "\xd4\xc7\xe6\xa9\x9f\x70\x90\x65\x8a\x30\x63\x26\xfd\xb4\x63\xd0"
+ "\xaa\x3d\x80\x03\x79\x74\xc7\x5d\xe8\x50\x9e\x1b\x0a\xa7\x69\x62"
+ "\x91\xda\xcb\x80\xe8\xa3\x0d\xd8\xef\x05\x46\x2a\xb8\x14\x6f\x45"
+ "\x4e\xa6\x76\x28\x1b\xbe\x50\x0b\x5b\xf9\xe1\x61\x66\x5b\xe8\xb7"
+ "\xa1\x9c\xea\x2a\x8b\x28\x63\x8e\x20\x41\xaa\xdc\xca\x61\xa9\x1f"
+ "\x1b\xf1\xf3\x39\x47\xdf\x1f\xc3\x0d\xdd\xe7\x40\xb1\x8d\xbf\x28"
+ "\x22\xd4\x5d\x82\x63\x80\xc6\x75\x45\xa3\xe2\x79\x71\xa9\x5d\x9a"
+ "\x29\xa4\xc5\x3d\x1a\x56\x99\x2a\x3f\x4c\x97\x02\x85\xd8\x21\x15"
+ "\xd7\xaa\x8c\x6e\xa9\x0f\xb8\xa7\x1b\x43\xa4\xb5\xf0\xab\x2f\x77"
+ "\xa0\xa9\x23\xb2\x81\xf4\x0d\x02\x0e\x17\xa5\xb7\xa6\x54\xc6\x3b"
+ "\x12\xd9\x2e\x30\xdc\xb7\x84\x46\x9b\x28\x89\x15\x48\xd0\xe4\x44"
+ "\xd5\x22\x67\x3e\x58\x96\xcf\xd1\x0f\x5e\xd1\x5c\xa5\xdd\x5a\x60"
+ "\xf2\xf9\x36\xad\xe0\x39\x2a\x56\x98\x71\x37\x67\xca\x3a\xc4\x7f"
+ "\xda\x43\x22\x7b\xe9\xf3\x8c\x0d\x31\x9e\xc3\x8d\xf8\x49\xf1\x81"
+ "\xe0\xb3\x4d\x47\xfa\x91\xdd\x46\xfb\x03\x84\x13\x37\x9c\x12\x0c"
+ "\x80\x4f\x01\xc6\x19\x62\x0e\xba\x94\x0d\x89\x24\x0c\x14\xbe\x0f"
+ "\x06\xc2\x8d\x54\xfb\x84\x64\xa2\x57\x9e\x85\x54\x98\xad\x25\x2c"
+ "\xa0\x73\x39\x14\x47\xf4\xa6\x1d\xf8\x1e\x94\x4c\x2e\x0f\xd6\x33"
+ "\xa6\x1b\x58\x7a\xc1\x29\x8d\xc8\x7e\x79\xb7\x44\x92\x8a\xf3\x69"
+ "\x37\x34\x74\xe6\x29\xf7\x38\xb1\xb5\xad\x4a\x2a\x56\x86\xa5\xc5"
+ "\x65\xcf\x0b\x9b\x2a\x54\x31\x1d\xad\xc0\xac\xd0\xf3\xaf\x41\x9a"
+ "\x4c\x5b\x42\x2c\x4c\x38\x72\xa4\x74\xcb\xfb\x77\xe1\xc7\x08\xba"
+ "\x72\xc1\x8e\xa7\x60\xeb\x6a\x63\xeb\x75\x0f\xe6\xd0\x82\x43\xa3"
+ "\x49\x7c\x74\xac\x50\xbb\x30\xf8\x59\x31\xa6\xcf\xaf\xc9\x08\x1c"
+ "\x21\x6d\x42\xa6\x84\x7a\xc9\x3e\x1d\x65\xc8\x8a\x6f\x28\xaa\x54"
+ "\x0a\x87\xed\x09\xa4\x90\xe1\x4a\xda\x71\x9c\x3d\x06\x82\x86\xf6"
+ "\xc9\x0d\xe6\xcd\xdc\xe7\xe8\x9f\x07\x4b\x6b\xf3\x50\x30\xee\xdb"
+ "\xd6\x7c\x97\xa5\x53\x09\x91\xa8\xc1\x06\xed\xc2\x30\xd5\x66\x07"
+ "\x5c\x1c\xb2\x04\x81\x09\x9f\x7c\xdf\x47\xc7\xfa\x04\x4d\x73\xbd"
+ "\x1a\x28\x8c\x83\x2a\x4b\xcd\xcc\x93\x41\xc9\x9f\x05\x7a\xb6\xff"
+ "\x98\x58\xa4\x11\xf1\x3d\xca\x94\x71\xb6\x0e\x6e\xeb\x30\x3c\xfc"
+ "\x5a\xf6\x0e\x0b\x1a\x0a\x3d\xd0\x9a\x08\xd4\x43\xaf\x06\xbe\x8f"
+ "\xc0\xf2\xfb\xe7\x94\xa0\x5d\x9c\x44\x7f\xca\xbd\x1e\x83\xf8\x22"
+ "\xe8\x6e\x7f\xd4\xc6\xaa\x8a\x45\x76\x37\xf7\x45\xdb\xcb\x20\xa9"
+ "\xcc\x74\x62\x52\xe2\x88\xbf\x95\x4d\xe8\x1e\xac\x30\xfa\x9c\x1e"
+ "\xe7\xe6\xeb\x18\x75\xe3\x0f\xb8\xfc\xbf\x6c\x6f\x59\x51\xd4\x38"
+ "\xb0\xab\x85\x73\x16\x51\x5d\x27\x94\x83\x03\xd2\x86\x28\x99\xa1"
+ "\x8c\x04\x4c\xfb\x21\x79\x7b\x95\x96\x21\x47\x81\xc9\xba\xef\x13"
+ "\x18\xd6\x8f\xa9\xf4\x89\x25\x5b\xa4\xae\xbc\x6a\x59\x1e\x7b\x15"
+ "\xc9\xa5\xc8\x8a\x8c\x35\xec\xee\xe2\x8a\x0e\x1b\x8e\xaf\x4b\x51"
+ "\x9e\x66\xe7\x94\x56\xf6\x37\x93\x22\x5d\xe3\x9e\x33\x5e\xb4\x74"
+ "\xf1\x69\xe3\x93\xc3\xe8\xc7\x61\x09\x6a\xc1\xb7\x42\xcc\x3b\x5b"
+ "\x24\x40\x28\xf7\x9b\xef\x5c\x98\xb9\xe7\x2c\x01\xed\x99\x66\xa7"
+ "\x06\xeb\x08\x89\xd6\x5e\xce\x85\x08\x1a\x90\xc4\x92\x40\x53\xc5"
+ "\x53\x8b\xcb\x1a\xe9\x30\x8c\x48\xdb\x66\xc3\x98\x24\x1d\x5f\xee"
+ "\x6c\x2c\xc1\x3e\xcd\xcd\xb9\x1a\x5d\x8d\xb9\x64\xd9\x4c\x33\x83"
+ "\xa4\xa5\x08\x0a\xe3\x73\x0c\xe9\xd9\x6f\xb8\x78\x9a\x46\xdf\x6f"
+ "\x7f\x9f\x38\x69\x4b\x44\x00\x7e\x5b\xee\xf6\x2b\xba\xdd\xf7\x8a"
+ "\x0e\xa3\xff\xfc\x09\x5a\xd0\x44\x7e\x58\x2f\xfa\xe9\x1d\x1d\xc8"
+ "\x39\xc7\x2c\x62\xff\xf5\x22\xca\x8d\xae\xfd\x86\xef\x3b\x8f\xac"
+ "\x1b\x11\xb8\x6a\x4e\xf9\x6a\x93\xb1\xda\x8d\x80\xb9\xfa\xca\x52"
+ "\x0d\x4a\x45\xf1\x43\x5b\xca\x74\x1f\x94\xe6\x2a\x83\x2f\x76\x8c"
+ "\x70\x00\xcf\xa5\x95\x3c\x31\x10\x75\xd2\x75\xf8\x83\x09\x58\x11"
+ "\xff\xf9\x82\x32\x26\xad\x72\x85\x13\x64\x6e\xf6\xc1\x71\x55\xe3"
+ "\x51\x98\xda\x03\x76\xf0\x5b\x5f\xbe\x5c\xf3\x12\xe5\x6f\x03\xc4"
+ "\x36\x84\x66\xb7\xf8\xd5\xb9\x99\xeb\x66\x84\xbc\xf2\x78\x23\x87"
+ "\xb2\xa5\x64\xc4\x4a\xa1\x30\x93\x7f\x3a\x48\xe1\xad\xc0\x14\xc2"
+ "\x28\x14\x77\x7f\x23\xc7\xa8\xa2\x6c\xab\xd4\x74\xdf\xb1\x42\x84"
+ "\xa7\x11\x73\xef\x2d\xf6\x7a\xfb\xe1\xe6\xdb\xac\x57\x3b\xc7\xba"
+ "\x8c\x83\x19";
+
+static const unsigned char tgt_rodc[] =
+ "\x61\x82\x03\xe4\x30\x82\x03\xe0\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x1d\x30\x1b\xa0\x03\x02"
+ "\x01\x02\xa1\x14\x30\x12\x1b\x06\x6b\x72\x62\x74\x67\x74\x1b\x08"
+ "\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa3\x82\x03\xac\x30\x82\x03\xa8"
+ "\xa0\x03\x02\x01\x12\xa1\x06\x02\x04\xb6\x51\x00\x01\xa2\x82\x03"
+ "\x97\x04\x82\x03\x93\xe2\x97\x36\xa2\x9f\x18\x79\x44\x87\xbf\xc8"
+ "\x27\x59\x40\xd1\x9d\x3b\x3d\x1d\x8b\xc8\x86\xfb\xc5\x4a\xf8\x27"
+ "\x5b\xee\x59\xcc\x3a\xcd\x2f\x0d\xb3\x9f\xb7\x87\xe2\x83\xdb\x36"
+ "\xee\xa0\x1c\xdb\x91\x9b\xe1\x50\x3e\xaa\x3d\xea\xae\x93\x65\xdf"
+ "\xb3\x23\xfb\xa6\x00\xaf\x55\x49\xf5\x6e\xd9\x2c\xc1\x61\x97\x37"
+ "\x19\x83\xe6\x60\xd8\x46\x2d\xdb\x0c\xc4\x55\x2e\x0a\x52\x0d\x64"
+ "\xb4\x80\xa9\x3d\x37\xb6\xed\x06\xdc\x32\xfd\x6a\x40\x20\xc4\x69"
+ "\x59\xf5\x80\x9c\x7f\x7a\x68\x88\x1c\x67\x37\x52\x85\x1a\x2f\x01"
+ "\xf8\x46\xd7\x7a\x24\xfb\x14\x31\xa8\x23\xd0\xac\x13\x85\x1c\xef"
+ "\xb1\xe4\x26\x20\x4f\x0c\xbb\xcc\xbb\x86\x40\xb3\x2e\x76\x25\x26"
+ "\x2e\x0f\x33\xec\xca\xac\x32\xa2\x35\x98\x1a\x9d\x34\x30\xe8\xaa"
+ "\x85\x8c\xa0\x0a\xf6\xe9\x60\x4f\x59\x20\xed\x51\x9d\xcf\xb4\xc1"
+ "\xdf\x1e\x8f\x91\x3e\xe2\x32\x9f\x68\x14\x41\x22\x2e\x05\xa7\x6d"
+ "\x1d\xa5\x55\xd8\x3b\x1c\xa4\x0b\x80\xf1\x43\x5f\xf7\xc2\xef\xa6"
+ "\x28\xcf\xbb\x2a\xbc\x0f\xbc\x20\x11\xff\xc1\x1b\x75\x5b\x49\x6f"
+ "\xc5\xc4\xa8\x3c\x46\xb3\xfd\x41\x70\x2a\xd8\x8b\xa6\xc1\x54\xad"
+ "\x15\x3e\x96\xca\x28\x3e\xca\x06\xe6\x0d\xad\xc8\x74\x32\x9a\x0d"
+ "\x80\x65\xd6\x49\x35\xc0\xd8\x75\xed\xb7\x4b\x9d\xb5\xd5\x3b\x3b"
+ "\xd3\x2e\x9f\xed\xbe\xd3\x83\x68\xe1\x3a\x25\x2c\xb5\xfe\xbd\x89"
+ "\xf3\x0e\xe3\x5e\xb3\x15\x2e\x0e\xb5\x2b\x97\x47\x6c\x6d\x88\x82"
+ "\x42\x54\x0d\x97\x52\x17\x56\x16\x9b\x5e\xaa\x63\xb0\xcb\x6f\xe6"
+ "\x0f\x9c\x9e\x6f\x3f\x49\x31\x60\x88\x2f\x25\xae\xff\x1c\x90\x55"
+ "\x9d\x63\x50\x56\x4d\x6e\x55\x5c\x48\x84\x1d\xf1\x0a\x03\xa6\x99"
+ "\x90\x13\xd6\x9a\xf1\x43\x5d\x0d\x69\x74\x3d\x60\xf5\xa0\x58\x29"
+ "\x98\x74\x10\x35\x2f\x6b\x35\x0b\x9a\xed\x3d\x7c\x4f\x00\x55\xec"
+ "\x0e\x20\xd0\x77\x46\x45\x7c\x0f\xfa\xf6\x55\xd9\x9f\xf8\x4b\x81"
+ "\xfa\x7a\x36\x05\xb9\x8e\xaf\xd8\xd3\x40\x6c\x0f\x72\x0d\x06\xba"
+ "\x91\x65\xbe\x5a\xfd\xf4\xb4\x49\xfa\x41\x83\xcb\xcf\x8d\x8a\xb0"
+ "\xf6\x3b\xcc\x08\xf8\x26\x41\x0d\x7e\xc6\xb3\x29\x8c\x33\x32\xb3"
+ "\x44\x7c\xbd\x0a\xc7\x0a\x58\x75\xfb\x2d\xf0\x53\x6c\xba\x89\x77"
+ "\xfd\x71\x7f\xe2\x9d\x9d\x35\x1d\x6b\xb2\x6f\x72\x27\x9b\xe5\x9e"
+ "\xc0\x21\x6f\x4a\x5f\x15\xf3\x13\xa4\xd9\x76\x96\xc1\xb3\xcf\x95"
+ "\xad\x47\x39\xa7\x10\x39\x7b\xfd\x9d\x71\xe3\xb8\xc4\xdf\xea\x96"
+ "\x40\x5e\xbb\x91\xfe\x99\x78\xc7\x97\x89\xca\x38\xd5\xdc\x7f\xad"
+ "\x3c\xf8\x59\x46\x05\x54\xb0\xfd\x33\x00\xd8\xa8\xb2\xf6\x44\xad"
+ "\xd5\xfc\x2d\xce\x92\x59\x85\x61\x5c\x53\xba\xf9\xe6\xc8\x47\x2f"
+ "\x50\xa3\x4a\xa6\x69\x70\xc2\x03\x5a\x44\x84\x20\x4b\x0a\x37\xa1"
+ "\x3b\xa8\x46\x96\xa6\x95\xfa\x59\x01\x38\xb5\xc7\xdb\x7c\xa8\x24"
+ "\xf9\x75\x90\xa9\x3d\x56\x5f\x95\x14\x17\xc7\xa3\x6f\xe7\xed\x0f"
+ "\x6b\xc9\x24\xfa\x0e\x4b\x33\x32\x0f\xd4\xe8\x3d\xae\x03\x9d\xfd"
+ "\xbf\x68\xef\x1b\x5a\xfa\x4b\x2e\x7f\x70\xd8\x95\x69\x03\x58\x1b"
+ "\xae\xf2\xde\xdb\x1e\xbd\x8a\xb0\xe5\xb3\x1a\x19\xe6\x1c\xf3\xf1"
+ "\xa5\xea\x8e\x61\x47\xd6\x4a\x5c\xb1\x2d\x4c\xcb\x22\xb5\x5a\x41"
+ "\xac\xad\xdc\x94\x71\xd4\x53\xcf\x67\xc6\xfa\xd4\x6b\x60\xe7\xf6"
+ "\x8e\xaf\xae\x98\x1c\x55\xd8\xed\xff\x48\x05\x69\xf4\x63\x4b\x0b"
+ "\x1a\xa4\x50\x3e\xff\x61\x72\x23\x5d\x8a\x19\x9e\x7b\x32\x79\x81"
+ "\xab\x4e\x5b\x5d\x06\x89\x2a\x26\x13\x20\x6d\xeb\xb2\x69\xb0\xd9"
+ "\xa3\x17\x04\xfd\x85\xfb\x54\x12\x02\xa8\x1d\xc4\xd8\x17\x15\xe0"
+ "\x67\xc0\x17\x81\x91\xab\x8a\x4b\x72\xe0\x10\x17\xc2\xd3\xe2\x5e"
+ "\x08\x24\xfe\x6f\x9d\xc0\x57\x03\x19\x4b\x62\x0a\xee\x3c\xd3\xc6"
+ "\xa7\x70\xe6\xca\x02\xea\x91\xf6\x31\xcd\x02\x5b\x55\xd2\xf4\x76"
+ "\x2b\x24\xbd\x09\x45\xe8\x00\x63\xbd\x3b\xf8\xeb\xe7\x17\x20\x24"
+ "\xaf\x11\x65\xaa\x52\xd1\xf5\x74\xf5\xed\xd2\x5b\x60\x86\x9a\xfc"
+ "\xa4\x63\x10\x25\x50\xb4\x40\x14\x97\x20\xf0\x53\xbe\x0f\x2a\x28"
+ "\x09\xac\x4d\x9d\x45\x52\x77\xcd\x65\x9a\x2c\xf2\x49\xfe\x92\x1a"
+ "\x6d\xb9\xf3\x29\x6c\xcd\x5b\xee\x73\x28\x6b\x2c\x14\xec\x6a\x25"
+ "\x64\xac\xcb\xdf\x1a\xe0\xaf\x56\xf6\x49\xea\xad\x06\x9c\xa3\x60"
+ "\xb2\xcf\x2c\xad\x19\xeb\xc3\x0f";
+
+static const unsigned char service_rodc[] =
+ "\x61\x82\x03\xf3\x30\x82\x03\xef\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc5\x30\x82\x03\xc1\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb3\x04\x82\x03\xaf\xaf\x34\x2b\xc2\xe0\x1a\x4d\x2d"
+ "\xb9\xda\x8c\x44\x52\xa3\xc1\xbf\xe2\xb3\xc9\x27\x29\xd2\x90\xa4"
+ "\xca\x87\xd7\xae\x3d\x10\x1a\xc4\x88\x6c\x22\x78\x9a\xb8\xd9\xb0"
+ "\x64\xa8\xfc\x49\x8b\xcd\x95\xf6\xc0\xeb\x32\xaa\x70\x06\xdf\xa8"
+ "\x98\x9f\xa5\x56\x42\xdf\x33\xd5\x6d\x15\x9d\xea\x6c\x04\x0d\xef"
+ "\x06\x13\x52\xe2\xa7\xc3\x76\xb9\xec\x95\x94\xc4\xad\xad\xb5\xa0"
+ "\xf5\x44\x69\x69\x96\xf3\xfb\x9e\x99\x48\xca\x5d\x85\x34\x10\xfb"
+ "\x51\xb1\x6f\x59\x70\x98\x06\x39\x55\xdc\xa3\x1f\xc8\x36\x63\x47"
+ "\xc8\xfc\xc7\x8e\x44\xaf\x5c\x20\x79\x3c\x8f\x54\xb5\x3b\x38\xb4"
+ "\xda\xcf\x6c\xea\xcd\x33\x0d\xc6\x86\x07\x08\xa7\x37\x3f\xed\xc4"
+ "\x3a\xa6\x98\xcd\x5e\xf8\x06\x3c\x47\xea\x04\xaf\x1e\xd3\x88\x1e"
+ "\x17\xf9\xac\xa7\x9e\xf2\x92\x70\xef\xd3\xb7\x39\x24\x65\x0c\x32"
+ "\x7e\x03\x2f\x36\x31\xa1\x9b\xe4\x58\x8f\x78\xde\xec\xa5\xba\x54"
+ "\x68\xb4\x4c\x17\x23\x0a\x62\xc6\xb0\x22\x3d\x21\x35\xfa\x4f\xf4"
+ "\x6d\x9e\x46\xb7\xf5\xcc\x28\xe4\x78\x3a\x36\x6a\x44\xc5\x34\xb7"
+ "\x34\x0d\xac\x4f\x02\x41\x8f\xfd\xcb\xd4\x4c\xb6\x4e\xf1\xd1\xe7"
+ "\x4a\x1b\xf1\x96\xa5\xd3\x15\x74\xd4\x52\xbe\x1b\xbd\xe1\x17\xe8"
+ "\x77\x79\xf6\x51\xc4\xc3\xd9\x6a\xe9\x4c\x70\x10\x33\xed\x59\xa5"
+ "\x7d\x05\x17\xde\x61\x65\x5f\xf5\xde\x06\xa4\xd6\x39\xe4\x3f\x83"
+ "\xdd\x95\xa3\xb3\x57\x60\x1c\xf3\x42\xdb\xdc\xd5\x39\x76\x68\xd3"
+ "\x6e\xc8\x06\xff\x6b\x5b\x1d\x72\x7d\xb4\x4d\xec\x3e\xb8\x6d\x09"
+ "\xff\xa5\x0e\x30\xe8\x12\x72\x31\xce\xf3\xdd\x78\xee\x43\x53\x75"
+ "\x26\x43\xc2\x29\x1f\x78\x2f\x03\x4f\x2d\x82\xe3\x7c\x82\xb0\x1d"
+ "\x64\xdc\x67\xb3\x53\xa6\x7f\x17\xd5\x11\xc1\x0d\xde\x79\x28\x07"
+ "\x40\x08\xe0\xfa\x41\x2b\xeb\x3e\xa9\xf0\x92\xdd\x4f\xfe\x13\x05"
+ "\x73\x1a\xc7\xfe\x14\x56\x86\x32\x27\x4d\xe5\x4e\x15\x35\x1e\xe5"
+ "\x54\x87\x8f\x75\x2a\xcb\x48\x5d\xc4\xce\xd3\x71\x25\x3b\xc6\x51"
+ "\xe2\x4f\x83\x87\x05\x97\xc9\x35\x4a\xce\xd7\x5a\x82\xcc\xe5\xc1"
+ "\xf6\xf6\x40\x8a\x91\xce\x05\x3a\x6a\xba\x9b\x43\xc6\x9f\x3b\x59"
+ "\xb4\xb7\x9b\x24\x6e\xad\x98\xdf\x3e\x12\x9f\x17\x31\x0c\xc7\x7d"
+ "\x31\x0b\x6c\xc0\x7b\x72\x1f\xb3\xcf\x24\x80\x64\x49\x95\x5d\xc0"
+ "\x0a\x84\xfc\x66\xf7\xcc\xc6\x82\x78\xf4\x23\x69\xfd\x34\x09\x94"
+ "\x9e\xd6\x26\xd3\xb6\x4f\x61\x50\xd0\x38\x72\x6d\x06\xef\xa1\x0f"
+ "\x3d\x3d\x46\xb0\x4b\xd9\xe8\xe9\x76\x73\xfe\x53\x82\x84\xbd\xea"
+ "\x4b\x1b\x97\x5e\x23\x55\x8d\xe6\x2d\x14\xe2\x9c\xbd\x07\xd2\xc2"
+ "\x98\x18\xbe\x02\xda\x19\x89\x95\x05\x06\xdb\x59\x4b\xd3\xfc\x18"
+ "\x9a\xf7\x39\x98\x9b\x79\x9c\xe1\xbe\x96\xf5\x55\xd7\x2c\x1b\xbb"
+ "\x84\x1b\xd3\xad\x8c\x26\x50\xbf\x86\x1b\x59\xfa\xab\xf5\xaf\x2b"
+ "\x04\x75\xf9\x33\xcf\xed\x01\x46\xbc\x5c\xd8\x9a\x3c\x1e\x11\x9e"
+ "\x03\x86\xf7\xed\x72\x93\xde\xf4\x5f\xb7\x63\x9c\x13\x0a\xa9\xba"
+ "\x51\x12\x3d\x13\xa5\xcf\x3e\x4b\x0d\x09\xfe\x97\x87\xde\xdf\x23"
+ "\x8d\x2a\x5a\x97\x7d\xfc\xe0\x40\x1a\x99\x75\x02\x7a\xb9\xae\xb4"
+ "\x51\x5d\x48\xcd\x98\xb1\xa7\x1e\x91\x06\xf5\xb7\x85\xb5\xd3\xe0"
+ "\x9e\xa2\x44\x08\xd7\xed\xbf\x3f\x6c\x39\x19\xfe\xd9\x80\x24\xe4"
+ "\x16\x7d\xd8\x66\x1f\xbb\x85\xc1\x38\x03\x1f\x36\xce\x77\x18\x11"
+ "\x99\x22\x7e\xb1\x7c\x47\x19\xd7\x8d\x79\x39\xef\xf5\xbd\xa0\xf7"
+ "\xca\x88\x79\x7e\xc9\x2b\xd7\x99\x2c\x87\x78\x7b\x4f\x4c\x38\xd8"
+ "\x02\xcd\x7c\xd4\x07\x33\x74\x89\x61\xa7\x11\x04\x98\xb2\x5f\x95"
+ "\x0c\xc3\x17\x35\xf6\xc3\x38\xee\xc3\xf6\xcf\x46\x68\xeb\x95\xb4"
+ "\xa3\x92\xbb\xe9\xd7\x7c\x92\x7f\xd0\x67\x64\x7d\x93\xc6\x37\xb3"
+ "\xb4\xe2\xf6\x31\x89\x22\x4b\xd7\xa6\x9d\xad\x14\x0c\x00\xc4\x7c"
+ "\x44\xfa\x2c\x89\x3a\x78\xc0\xe8\xb2\x6e\x4f\xde\x37\x07\xca\x5e"
+ "\x4a\x7f\x27\xbc\x2e\x96\x5b\xaf\xd0\x6b\xa4\x31\xad\x21\x2d\x0e"
+ "\x4c\x25\x97\xde\x42\x07\xc3\x97\xf0\xf5\x3b\x69\x8c\x89\x34\x8f"
+ "\xd4\xe7\x7c\xca\x45\x83\x7f\xf7\x7b\x4e\x75\x86\x39\x3b\x67\xbe"
+ "\x57\x76\xa1\x26\x65\x1d\x49\x8c\x33\x5c\xdf\x05\x9b\xcf\x4d\xce"
+ "\x06\xc9\xaa\xd5\xee\xf0\x3a\x42\x75\x02\x93\xf5\xeb\x00\xa7\xa4"
+ "\xfc\xe6\xff\x9e\xda\xb6\xbd\xc9\xe0\x67\xac\x99\x74\x99\xd8\x3e"
+ "\xf1\x13\xa8\x2f\xd7\x9c\x26\x95\x0e\xbe\x52\x79\x9b\xda\x8a\x78"
+ "\x7e\x2b\x9f\x22\xf3\xfb\x0f";
+
+static const unsigned char s4u2self_rodc[] =
+ "\x61\x82\x03\xf2\x30\x82\x03\xee\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x13\x30\x11\xa0\x03\x02"
+ "\x01\x01\xa1\x0a\x30\x08\x1b\x06\x61\x70\x61\x63\x68\x65\xa3\x82"
+ "\x03\xc4\x30\x82\x03\xc0\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02"
+ "\xa2\x82\x03\xb2\x04\x82\x03\xae\x4d\x90\xed\x46\x56\x94\x72\x5e"
+ "\x2a\x3d\x13\xad\xfa\xfa\x0e\xd6\x75\x91\x38\x57\xd4\x31\x6b\x07"
+ "\x75\x4b\x5c\x3c\x2c\x7a\xdc\x71\xd9\x36\x27\xf9\x27\xbf\xf0\xa9"
+ "\xb5\x16\xa0\x12\x3c\x36\x36\x16\x6e\xa5\x19\xcb\x28\xf9\xbb\xe3"
+ "\x66\xf7\x02\xad\xa8\xf9\xca\xe0\x84\x27\x7e\x9f\x81\x02\xea\xba"
+ "\x85\x6c\x57\x56\x39\x59\xfd\xce\x0f\xb6\x7d\x11\x1c\xc4\x9c\x92"
+ "\xb7\xbc\xe0\xc9\x51\xb8\x0f\xd4\x03\x84\xc4\x25\x0b\x9d\x44\x56"
+ "\x3f\xc2\xf3\x63\x7b\x8d\x2b\x61\xf2\x5f\x5b\x51\x46\x9f\x81\x1e"
+ "\xfc\xc6\x96\x71\x81\x63\xf9\xd8\x20\x57\x08\x6a\xf2\xce\xf7\x4b"
+ "\x7f\x92\x3b\x20\x21\xac\x1e\x30\x9e\x88\x71\x55\x00\x12\xef\xe4"
+ "\xfe\xf1\x6c\xe1\xab\x2f\x7c\xd9\xea\x53\xac\xd8\x74\x36\x04\xe7"
+ "\x40\x9e\x2d\x49\xc4\x9a\x6d\xdb\x95\xd1\xa1\x41\x27\xf9\x9d\xa7"
+ "\x16\x44\xd3\x58\x50\x95\x93\xdd\xba\xd0\x81\x17\xaf\x37\x19\x99"
+ "\x66\x3d\xc8\x3b\x75\xa0\xef\xd8\xa6\x8d\xa5\xe9\x94\xba\x53\x1c"
+ "\x0f\xc7\xcc\x34\x34\x23\x4f\xd5\x63\xda\x33\x49\x9c\x89\xd9\xb7"
+ "\xef\x3d\xf3\x9b\x44\x44\xcf\x84\x72\x0d\x54\xca\x40\x67\x42\x81"
+ "\xd9\xd8\xd4\x83\x6c\x52\x94\x1b\xdc\x36\x81\xee\x51\x9f\x82\x1c"
+ "\xda\x04\x84\x26\x0c\x83\xd2\xe0\x56\xbe\x53\x6b\x50\x43\xc2\x1e"
+ "\xaa\x08\xce\x37\x6b\xa8\xa8\xf8\xf2\x03\x69\xfb\xfa\xcb\xfc\xa4"
+ "\x89\x47\xbb\xd2\x68\xe5\x2d\x00\x3e\xb2\x06\x71\xda\x4c\x35\xe9"
+ "\x6d\xfc\x17\x2a\xdf\xc2\xd5\x96\x67\x03\x39\x75\xe9\xa7\x1f\x77"
+ "\xb2\xa8\x0d\xc1\x50\xc2\xe5\xed\x1a\x88\xc3\x73\x81\xa9\x86\xd2"
+ "\xc6\x34\xc7\xaa\x1c\x7f\xe6\x47\xbf\x47\xc9\x90\x39\xb3\x2c\x31"
+ "\xa0\x26\xee\x7d\xbc\x61\xe0\x26\xaa\xf6\xce\x73\x6f\xdc\xed\x27"
+ "\xdd\x13\x53\x0e\x21\x52\x1f\xd3\x75\xdb\x07\x62\x14\x00\xda\x85"
+ "\x76\x77\x16\x34\x30\x90\x7f\x94\xc5\x54\x9d\xc6\xce\xab\x11\x0b"
+ "\x98\xa9\xe6\x5f\x82\xb7\x1b\x13\xcd\xb0\xcc\xa6\xb8\x27\xb3\xd7"
+ "\x0f\x1f\xd8\x75\x56\x0e\xc5\x73\x95\x6f\x90\xda\x49\x12\xd8\x2d"
+ "\x23\x49\x13\x43\x49\x1e\xe3\xbf\x80\x4a\xde\xd6\x97\x1e\x33\x50"
+ "\x44\x6b\x7b\x00\x05\x90\xab\xfe\x94\xa8\x7c\x40\x86\x42\x4a\x6b"
+ "\xc7\x26\x21\x12\x19\x98\x01\xd5\x64\x7d\xdb\xf7\xe3\xf7\xea\xca"
+ "\x5d\xf8\xcb\x0a\x3f\x83\xf2\x6b\xe7\x2e\x3c\x71\x73\xc9\x3c\xc0"
+ "\x82\xc5\x2d\x7b\xd0\x03\xa2\xe2\xd9\x6d\xcd\x15\xd5\xd4\xbf\x90"
+ "\xc6\xf4\x19\x5b\x72\x0f\xaf\x42\xd4\x28\x58\x4f\xbe\xff\x63\x6a"
+ "\x0d\x42\x9f\x05\xfe\xbd\xdb\x81\x18\xaa\x73\x4b\x16\x96\x1b\x62"
+ "\xe8\x21\x88\xde\x9a\x57\x70\xcc\xab\x49\x4e\x0c\x31\xec\x8d\xce"
+ "\x82\x20\x3c\x44\x9b\xbc\x36\xb2\x8f\x7d\xe5\xea\x11\xf6\x71\x16"
+ "\x8e\x66\xcb\xfb\xc2\x92\xf5\xc1\x09\xac\x90\x68\xc6\xd7\x93\x21"
+ "\xcb\xb8\x57\x47\x56\x8c\x13\x7e\x78\x81\x08\x25\x3d\x4c\x1d\xeb"
+ "\x39\x2c\xf5\x9b\x67\x5d\xb4\xee\xb5\x71\xba\xcf\x29\x7a\x6b\xa5"
+ "\x30\x4a\xfd\x16\x33\x5d\x68\x95\x62\xe7\x76\xca\x06\xb8\x94\x51"
+ "\x1f\x9a\x71\x99\x78\xaa\xec\xcf\x27\xc9\x16\xcb\x91\xa0\xbe\xca"
+ "\xf9\x9c\xbe\x4d\xb0\xb9\x98\x21\x01\xb2\xa7\x7a\x8a\x0d\x1c\x62"
+ "\xeb\x7d\x52\x81\xf9\xf5\x94\x0b\x27\x6a\x1c\xfc\xb6\xb2\x3a\x52"
+ "\x39\xd2\x6c\xca\x23\x43\xd1\xbf\x44\x54\x85\xb6\xd5\xb9\x93\xb9"
+ "\x91\x86\x59\x7f\xd2\x23\x1c\xeb\x2c\x5d\xb0\xcd\x09\x2d\x83\x62"
+ "\x24\x94\x65\x64\x13\x00\xe0\x1d\xd0\xf5\x56\x79\xff\xcc\xa9\xb9"
+ "\xda\xd4\x6a\xab\xe9\x2a\x91\x40\x44\xed\x7b\x8c\xed\xb1\x39\x70"
+ "\xd0\x51\x51\x6c\x45\x5f\xd4\xed\x0d\x36\x17\xf0\x69\xf6\x92\x72"
+ "\xca\xc8\x90\x1e\xe0\x44\xf0\x19\x2e\x2c\x1f\x12\x42\xa3\x15\x9d"
+ "\x37\x86\xa3\xa3\x6e\x04\xfc\x84\x73\xf8\x1d\x13\x30\xe5\x0f\x32"
+ "\x58\xab\x51\x0e\xad\x0a\xcc\xb9\x32\x81\x44\x7c\x6e\xc1\xec\xcd"
+ "\x5d\x6a\x9a\xb7\x27\x53\x98\xcc\x2b\x8d\x3c\xac\xbe\x12\xcb\x01"
+ "\xeb\xe7\xbe\xb5\x10\x16\x22\xc1\x92\x86\xe7\xa6\x1f\x88\xfa\x6a"
+ "\x70\xec\xd8\x38\x31\x85\x6f\x08\x33\x3c\x1b\x49\x68\xd4\xa5\x4c"
+ "\x7e\xf1\xbc\x25\x4f\x2f\xef\x39\xad\x78\x19\x23\x31\x47\xa1\x96"
+ "\xae\x7b\x8d\x8b\xf1\xf4\xc4\x3b\x06\xc0\xf6\x6e\x0f\xd2\xe0\x18"
+ "\xca\xc4\x09\x1b\x34\xbe\x1f\x12\x21\x69\x79\x9c\xaf\xe2\x78\xb4"
+ "\x19\x85\x83\xb7\x9c\x2d\x1a\x14\x1d\x64\xc8\x36\x48\xf2\x3d\xf6"
+ "\x26\x8c\x5a\x4c\x03\xae";
+
+static const unsigned char s4u2proxy_rodc[] =
+ "\x61\x82\x04\x9f\x30\x82\x04\x9b\xa0\x03\x02\x01\x05\xa1\x0a\x1b"
+ "\x08\x41\x43\x4d\x45\x2e\x43\x4f\x4d\xa2\x20\x30\x1e\xa0\x03\x02"
+ "\x01\x03\xa1\x17\x30\x15\x1b\x03\x73\x71\x6c\x1b\x0e\x6d\x79\x73"
+ "\x71\x6c\x2e\x61\x63\x6d\x65\x2e\x63\x6f\x6d\xa3\x82\x04\x64\x30"
+ "\x82\x04\x60\xa0\x03\x02\x01\x17\xa1\x03\x02\x01\x02\xa2\x82\x04"
+ "\x52\x04\x82\x04\x4e\xd2\x92\xec\x00\xf9\xc9\x37\xde\x46\xf6\x35"
+ "\x62\xb7\xa1\x77\x0c\x9a\x4f\x6d\x17\x2e\xfd\x59\x24\xfe\x85\x32"
+ "\x3f\xf2\x40\x1e\xcd\xf1\xa6\xd2\xeb\xba\x26\xa1\x87\xee\x0b\xee"
+ "\xbf\x3e\xad\x73\x07\xf1\xc8\xb9\x2b\xc7\x16\x31\xf3\x63\x95\x56"
+ "\x5d\x5d\x00\x6a\xff\xa0\x20\x05\x14\x0b\x50\x0b\x1e\x1a\xf2\x61"
+ "\x29\x1b\x49\x54\xf9\xac\x6c\x08\x91\xdf\x44\x3e\x43\x42\xbe\x4a"
+ "\x5a\x7d\xaf\xd5\xb9\x26\xe4\x91\x5f\xf0\xcc\x55\x3d\xc7\xc4\xc0"
+ "\x46\x3b\x32\x1f\xca\xcf\x16\xec\x18\x1b\x29\xe9\xb1\x4c\xdd\x0f"
+ "\xb3\x53\x2b\x0a\x7a\x5a\xff\xa0\xf4\x62\xcf\xf1\x2c\xc9\x64\xfa"
+ "\x35\xad\xb7\x18\x9b\x53\xb2\xe4\xdc\x81\x59\x8b\x2a\xb7\x94\xe0"
+ "\xf5\x99\x7d\x04\xb6\x49\xa2\x9a\x6a\xcc\x17\x62\x63\x5d\x2e\xf2"
+ "\x24\x56\x58\x00\x68\x6a\x60\x37\xf9\xa7\x55\xac\xb8\x95\xcb\x22"
+ "\x6a\xd6\x6c\x91\x99\x22\xc4\x33\x38\xfa\xf4\x7f\xf0\xf1\xae\x2e"
+ "\x5c\xa5\x6c\x6b\x98\x3e\x82\x94\xee\x2e\x4c\xbd\x41\xb8\x4f\xeb"
+ "\x0a\xca\xb1\x0b\x88\xfb\x51\x76\x87\x69\x7c\x0b\x61\xc3\xe6\xe1"
+ "\xd8\x2a\xc3\xee\xde\x13\x70\xbf\x6a\x9f\x7d\x2a\x6f\x7b\x57\x28"
+ "\xd3\x9e\x39\xf8\xc7\x05\xd5\xc0\xe3\x11\x11\x05\xeb\x2f\x08\x14"
+ "\x1c\x98\xae\x7e\x56\x8a\xb7\xcc\x2b\x74\xda\x01\x69\xeb\x56\x3c"
+ "\x89\x4f\x5d\xf8\xf7\xdb\x73\xa4\x84\x29\x91\x79\x32\xcc\xa0\xc1"
+ "\x28\xad\x9d\x4e\xcf\x45\x00\x6e\x8a\xe7\xf8\xd5\xeb\x87\x51\x37"
+ "\xcb\xb9\x4f\xc7\x08\x27\x2a\xf3\xaa\x24\x26\x0b\xed\x40\xcf\x74"
+ "\xae\xa9\xa3\xed\x1e\x97\xd0\x05\xb5\xae\xdf\x37\xb5\x24\x52\xa1"
+ "\xac\xd7\x31\xa2\xef\xc8\xab\x8a\xc4\x8c\x3d\x7c\xf3\x00\xf0\xc3"
+ "\xe7\xa3\x6d\x93\x83\xe4\x08\x2e\xa1\xb5\xc4\xdc\x4b\x3f\x06\x23"
+ "\x40\xaa\x0a\x72\xe6\x5a\xad\x65\x53\x3d\x48\x6c\x6f\xe3\xc5\x8b"
+ "\xa3\xba\x54\x73\x78\x07\xf8\x88\xd5\xf4\x87\x04\x5d\x88\x1b\xba"
+ "\x4e\x67\x9f\x92\xe8\x9c\xf0\xc4\xba\xfb\xe3\x78\xe2\xd9\xa3\x38"
+ "\xdb\xd6\x41\x4c\xa4\x76\x92\x36\xc1\xd7\x30\x05\x3f\xf8\x9f\xd1"
+ "\xf8\x79\x13\xeb\x98\xc2\x7a\xa3\x25\xab\x32\x1e\x14\x10\x87\xc0"
+ "\x00\x68\x26\xf8\x8d\x4d\xb5\x96\xb7\x35\x81\xe5\x0c\x3f\x45\x2c"
+ "\xcf\x4e\xdd\xda\xe6\xd4\xb3\xcb\x50\xf1\xe5\x48\x4c\xec\xcc\x10"
+ "\x33\xa0\x11\x53\x0d\xf3\x2c\x98\xcb\x76\xbf\x6e\xd7\xe9\x20\xe7"
+ "\xdb\xbd\xae\xcf\x69\x0e\xd1\xce\x47\xae\x5a\xe1\x21\x0d\xe9\xd5"
+ "\x2f\x09\xc4\x36\x53\x24\x4a\x5c\xac\x07\xff\xd8\xac\xfe\xae\x91"
+ "\x93\x92\xbf\xc6\x3b\xa4\xdb\x28\x52\x23\x58\x7d\xcb\xbd\x39\x34"
+ "\x07\xeb\x56\x1a\xf9\x47\xf8\x70\xee\x60\x51\x2e\x80\x92\xd4\xcf"
+ "\xd8\x9d\x75\x16\x50\xf1\xb0\x02\x61\x99\x51\x7c\x46\x48\xf9\x6b"
+ "\x84\xdf\x5c\xef\xe1\x1f\x0c\x22\x9b\xdc\xbc\x76\x7f\x3f\x6d\xfe"
+ "\xb8\x2f\x93\xb9\x27\x58\xa9\x93\x42\xda\xf2\x67\xf7\x01\xbe\xd8"
+ "\xa2\x18\xec\x1e\x40\x3d\x3b\x6f\xfe\x50\xab\xb9\x35\xb7\xdd\x2a"
+ "\xe1\x51\xf9\xce\xea\xf5\x1d\xed\x6c\x2b\xbc\x86\xc9\x53\x41\x8b"
+ "\x2e\x06\xc8\xc0\x08\x48\x37\x40\x8c\xf8\xe9\x4b\xc7\xc0\x6f\x1b"
+ "\xe1\x0c\x8c\x0e\xf4\x73\x19\x7e\xc6\x36\x84\xa2\x8f\x72\x2e\x59"
+ "\x53\x25\x2c\x92\x95\x04\x9b\x13\x97\x7a\xc7\x53\xa4\xa6\x0f\xf3"
+ "\x06\x59\x25\xe7\xd5\x35\x0e\xe9\x10\x95\x60\x0f\x53\xd4\x24\x13"
+ "\x72\xf6\x6d\x17\xb8\x43\xb2\xac\x40\x15\x11\xb6\x1b\xbb\x13\xb3"
+ "\x90\x66\x85\x92\xcb\xb4\xf5\x9c\x15\x89\x41\xbc\x07\xb0\x37\x21"
+ "\xff\x13\x93\x55\xe9\xe0\x2d\x32\x64\x62\x40\x45\xb5\x41\x80\xdd"
+ "\xb8\xf2\xe9\x64\x3e\xfb\xe6\x69\x1c\xd0\xb4\xb1\xa2\x58\x95\xe5"
+ "\xf7\x48\x8e\x10\x4c\x8b\x05\x96\xfa\x6f\x36\x34\xe1\x29\x1c\x65"
+ "\x65\x8d\xb0\x39\x50\x27\x00\xac\xa6\x4f\x5b\xd2\xb0\xfe\x69\x17"
+ "\xa2\xa8\x19\x34\x78\x9b\xef\x8c\xc2\xb9\xf1\xb6\xee\x28\xf4\x74"
+ "\xd6\x18\xe0\x0f\x36\x91\xf4\x56\xbc\x5d\x16\x21\x0e\x14\xb2\x5e"
+ "\x42\x38\xe2\x10\x81\x31\x54\x4b\xf5\xfd\x62\x72\xb0\x05\x16\x19"
+ "\x88\xe0\xd4\x5d\x5f\x10\x5c\x0d\x1f\x6a\x9f\x27\x48\x58\x18\xd1"
+ "\x60\x46\x17\xf3\x5e\xbc\xf1\x3a\xcd\x4b\x01\x08\x2e\x34\x5e\xa6"
+ "\x91\xa3\x87\x0f\xe7\x34\x9c\xcb\x87\x95\x40\xee\x22\x1c\x41\x55"
+ "\xc1\x6b\x36\x22\xa2\xbb\xf2\x55\x04\xb7\x79\x0f\xe1\xb8\x95\xcf"
+ "\x7b\x8a\x37\x6d\x1e\x78\x09\x5c\x1a\x6c\xa3\x93\x13\x70\xfe\x37"
+ "\xcc\x4a\xe7\x58\xda\xaa\x14\xe1\x32\xac\x64\xdb\x52\xef\x33\x71"
+ "\xf3\x27\xa5\x2e\x2c\x69\xe3\xa6\xab\x15\xe5\xdc\x27\xf4\xe8\x6d"
+ "\x7a\x66\x9a\x1e\x69\x46\xa9\xfa\x02\xbb\x35\x6e\x16\xc0\x06\xdf"
+ "\xd7\xcf\x8b\xab\x3e\xfc\x62\x7d\x35\x95\xb8\x15\xe2\xee\x6d\x61"
+ "\x5b\x7b\xb5\x88\x03\x45\x1c\xa0\x79\xff\x81\x4f\x75\xa9\xe7\x0a"
+ "\xed\x81\xac\xe6\x2f\x86\xb2\x23\x9b\x5a\xfe\x5c\xee\x18\x5a\x4a"
+ "\x0f\x4a\xf4\x49\x8d\xbc\x7f\x3f\xc4\xbc\x7f\xbf\x41\x95\x62\x9e"
+ "\xc6\x73\x5f\x5a\x5d\x41\x53\xe2\xaa\x03\xc8\x00\x68\xad\x26\xf2"
+ "\x8f\x66\x78\x10\x3f\xa8\x56\x4b\x77\xb9\x0d\x94\x49\x54\x47\xd5"
+ "\x69\x9d\x4f\x44\xce\xc3\x6d\xae\x51\x20\x24\x61\xb6\x6f\xff\x27"
+ "\xc4\x36\xb1";
+
+static const unsigned char extra_logon_info[] =
+ "\x08\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xf0\x01\x00\x00"
+ "\x88\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00\x1e\x00\x00\x00"
+ "\x78\x02\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x98\x00\x00\x00"
+ "\x98\x02\x00\x00\x00\x00\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00"
+ "\x30\x03\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x08\x00\x00\x00"
+ "\x30\x03\x00\x00\x00\x00\x00\x00\x12\x00\x00\x00\x1c\x00\x00\x00"
+ "\x38\x03\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x10\x00\x00\x00"
+ "\x58\x03\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x10\x00\x00\x00"
+ "\x68\x03\x00\x00\x00\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc"
+ "\xe0\x01\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\x7f\xff\xff\xff\xff"
+ "\xff\xff\xff\x7f\x59\xa1\x0f\x59\x77\xf5\xd7\x01\x59\xa1\x0f\x59"
+ "\x77\xf5\xd7\x01\x59\x21\x69\x4e\x78\x16\xd8\x01\x14\x00\x14\x00"
+ "\x04\x00\x02\x00\x00\x00\x00\x00\x08\x00\x02\x00\x00\x00\x00\x00"
+ "\x0c\x00\x02\x00\x00\x00\x00\x00\x10\x00\x02\x00\x00\x00\x00\x00"
+ "\x14\x00\x02\x00\x00\x00\x00\x00\x18\x00\x02\x00\x00\x00\x00\x00"
+ "\x4d\x04\x00\x00\x01\x02\x00\x00\x01\x00\x00\x00\x1c\x00\x02\x00"
+ "\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x0e\x00\x10\x00\x20\x00\x02\x00\x0e\x00\x10\x00"
+ "\x24\x00\x02\x00\x28\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x02\x00\x00\x00\x2c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x00\x00"
+ "\x63\x00\x39\x00\x64\x00\x38\x00\x30\x00\x31\x00\x61\x00\x38\x00"
+ "\x5f\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x01\x00\x00\x00\x01\x02\x00\x00\x07\x00\x00\x00\x08\x00\x00\x00"
+ "\x00\x00\x00\x00\x07\x00\x00\x00\x54\x00\x45\x00\x53\x00\x54\x00"
+ "\x2d\x00\x44\x00\x43\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00"
+ "\x07\x00\x00\x00\x45\x00\x58\x00\x41\x00\x4d\x00\x50\x00\x4c\x00"
+ "\x45\x00\x00\x00\x04\x00\x00\x00\x01\x04\x00\x00\x00\x00\x00\x05"
+ "\x15\x00\x00\x00\xa1\xa5\x92\x7f\x29\x19\xc5\x3b\xbb\x56\xb0\x05"
+ "\x02\x00\x00\x00\x30\x00\x02\x00\x07\x00\x00\x00\x34\x00\x02\x00"
+ "\x07\x00\x00\x00\x05\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05"
+ "\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\xf1\x01\x00\x00\x01\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x12"
+ "\x01\x00\x00\x00\x00\x00\x00\x00\x00\xb6\x8f\x5a\x77\xf5\xd7\x01"
+ "\x14\x00\x63\x00\x39\x00\x64\x00\x38\x00\x30\x00\x31\x00\x61\x00"
+ "\x38\x00\x5f\x00\x30\x00\x00\x00\x2c\x00\x18\x00\x16\x00\x48\x00"
+ "\x03\x00\x00\x00\x14\x00\x60\x00\x1c\x00\x78\x00\x00\x00\x00\x00"
+ "\x63\x00\x39\x00\x64\x00\x38\x00\x30\x00\x31\x00\x61\x00\x38\x00"
+ "\x5f\x00\x30\x00\x40\x00\x45\x00\x58\x00\x41\x00\x4d\x00\x50\x00"
+ "\x4c\x00\x45\x00\x2e\x00\x43\x00\x4f\x00\x4d\x00\x00\x00\x00\x00"
+ "\x45\x00\x58\x00\x41\x00\x4d\x00\x50\x00\x4c\x00\x45\x00\x2e\x00"
+ "\x43\x00\x4f\x00\x4d\x00\x00\x00\x63\x00\x39\x00\x64\x00\x38\x00"
+ "\x30\x00\x31\x00\x61\x00\x38\x00\x5f\x00\x30\x00\x00\x00\x00\x00"
+ "\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xa1\xa5\x92\x7f"
+ "\x29\x19\xc5\x3b\xbb\x56\xb0\x05\x4d\x04\x00\x00\x00\x00\x00\x00"
+ "\x02\x00\x00\x00\x01\x00\x00\x00\x01\x05\x00\x00\x00\x00\x00\x05"
+ "\x15\x00\x00\x00\xa1\xa5\x92\x7f\x29\x19\xc5\x3b\xbb\x56\xb0\x05"
+ "\x4d\x04\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\xfd\x39\xd8\x32"
+ "\x3b\x8c\xa5\xfe\x6b\x3d\x27\xff\x10\x00\x00\x00\x2f\x99\x7e\x57"
+ "\xca\xe4\xe1\xc7\x1b\xc0\xbd\xee";
+
+struct test_pac_ticket {
+ const char *name;
+ const unsigned char *ticket;
+ size_t ticket_len;
+ uint16_t rodc_id;
+ const krb5_keyblock *key;
+ const krb5_keyblock *kdc_key;
+};
+
+static const struct test_pac_ticket pac_tickets[] = {
+ { "tgt_ticket", tgt_ticket, sizeof(tgt_ticket), 0, &rwdc_tgt_key, &rwdc_tgt_pac_key },
+ { "service_ticket", service_ticket, sizeof(service_ticket), 0, &server_key, &rwdc_tgt_pac_key },
+ { "s4u2self_ticket", s4u2self_ticket, sizeof(s4u2self_ticket), 0, &server_key, &rwdc_tgt_pac_key },
+ { "s4u2proxy_ticket", s4u2proxy_ticket, sizeof(s4u2proxy_ticket), 0, &server_key, &rwdc_tgt_pac_key },
+ { "tgt_rodc", tgt_rodc, sizeof(tgt_rodc), 46673, &rodc_tgt_key, &rodc_tgt_pac_key },
+ { "service_rodc", service_rodc, sizeof(service_rodc), 46673, &server_key, &rodc_tgt_pac_key },
+ { "s4u2self_rodc", s4u2self_rodc, sizeof(s4u2self_rodc), 46673, &server_key, &rodc_tgt_pac_key },
+ { "s4u2proxy_rodc", s4u2proxy_rodc, sizeof(s4u2proxy_rodc), 46673, &server_key, &rodc_tgt_pac_key },
+ { NULL, NULL, 0, 0, NULL, NULL }
+};
+
+static void
+t_err(krb5_context context,
+ const char *test,
+ const char *func,
+ krb5_error_code error)
+{
+ krb5_err(context, 1, error, "test %s failed in %s", test, func);
+}
+
+static krb5_boolean
+is_krbtgt(const PrincipalName *p)
+{
+ return (p->name_string.len == 2 &&
+ strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0);
+}
+
+static void
+check_ticket_signature(krb5_context context,
+ const struct test_pac_ticket *tkt)
+{
+ krb5_error_code ret;
+ krb5_crypto crypto;
+ krb5_data data, orig_pac_ad;
+ Ticket ticket;
+ AuthorizationDataElement ad;
+ EncTicketPart et;
+ krb5_principal client;
+ krb5_pac pac;
+ krb5_boolean signedticket;
+ krb5_cksumtype cstype;
+ uint16_t rodc_id;
+
+ ret = decode_Ticket(tkt->ticket, tkt->ticket_len, &ticket, NULL);
+ if (ret)
+ t_err(context, tkt->name, "decode_Ticket", ret);
+
+ ret = krb5_crypto_init(context, tkt->key, tkt->key->keytype, &crypto);
+ if (ret)
+ t_err(context, tkt->name, "krb5_crypto_init", ret);
+
+ ret = krb5_decrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_TICKET,
+ &ticket.enc_part,
+ &data);
+ if (ret)
+ t_err(context, tkt->name, "krb5_decrypt_EncryptedData", ret);
+
+ ret = decode_EncTicketPart(data.data, data.length, &et, NULL);
+ if (ret)
+ t_err(context, tkt->name, "decode_EncTicketPart", ret);
+
+ ret = _krb5_principalname2krb5_principal(context, &client, et.cname,
+ et.crealm);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_principalname2krb5_principal", ret);
+
+ ret = _krb5_kdc_pac_ticket_parse(context, &et, &signedticket, &pac);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse", ret);
+
+ heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+
+ ret = krb5_pac_verify(context, pac, et.authtime, client,
+ tkt->key, tkt->kdc_key);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_verify ticket-sig", ret);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, pac, &cstype, &rodc_id);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_get_kdc_checksum_info", ret);
+
+ heim_assert(cstype == CKSUMTYPE_HMAC_MD5, "Wrong checksum type");
+ heim_assert(rodc_id == tkt->rodc_id, "Wrong RODCIdentifier");
+
+ /* Try to resign the PAC */
+ ret = copy_AuthorizationDataElement(&et.authorization_data->val[0], &ad);
+ if (ret)
+ t_err(context, tkt->name, "remove_AuthorizationData", ret);
+ orig_pac_ad = ad.ad_data;
+
+ ret = remove_AuthorizationData(et.authorization_data, 0);
+ if (ret)
+ t_err(context, tkt->name, "remove_AuthorizationData", ret);
+
+ ret = _krb5_kdc_pac_sign_ticket(context, pac, client, tkt->key,
+ tkt->kdc_key, tkt->rodc_id,
+ NULL, NULL, signedticket, &et, NULL);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdc_pac_sign_ticket", ret);
+
+ heim_assert(krb5_data_cmp(&et.authorization_data->val[0].ad_data,
+ &orig_pac_ad) == 0, "PACs differ");
+
+ free_AuthorizationDataElement(&ad);
+
+ /* Sign and verify a clean PAC */
+ krb5_pac_free(context, pac);
+ ret = krb5_pac_init(context, &pac);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_init", ret);
+
+ ret = remove_AuthorizationData(et.authorization_data, 0);
+ if (ret)
+ t_err(context, tkt->name, "remove_AuthorizationData 2", ret);
+
+ ret = _krb5_kdc_pac_sign_ticket(context, pac, client, tkt->key,
+ tkt->kdc_key, tkt->rodc_id,
+ NULL, NULL, signedticket, &et, NULL);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdcsignedticketsign_ticket 2", ret);
+
+ krb5_pac_free(context, pac);
+
+ ret = _krb5_kdc_pac_ticket_parse(context, &et, &signedticket, &pac);
+ if (ret)
+ t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse 2", ret);
+
+ heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+
+ ret = krb5_pac_verify(context, pac, et.authtime, client, tkt->key,
+ tkt->kdc_key);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_verify ticket-sig 2", ret);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, pac, &cstype, &rodc_id);
+ if (ret)
+ t_err(context, tkt->name, "krb5_pac_get_kdc_checksum_info 2", ret);
+
+ heim_assert(cstype == CKSUMTYPE_HMAC_MD5, "Wrong checksum type 2");
+ heim_assert(rodc_id == tkt->rodc_id, "Wrong RODCIdentifier 2");
+
+ krb5_pac_free(context, pac);
+ krb5_free_principal(context, client);
+ krb5_crypto_destroy(context, crypto);
+ free_EncTicketPart(&et);
+ krb5_data_free(&data);
+ free_Ticket(&ticket);
+}
+
int
main(int argc, char **argv)
@@ -166,10 +963,11 @@ main(int argc, char **argv)
krb5_pac pac;
krb5_data data;
krb5_principal p, p2;
+ unsigned char bad_pac[sizeof(saved_pac)];
ret = krb5_init_context(&context);
if (ret)
- errx(1, "krb5_init_contex");
+ errx(1, "krb5_init_context");
krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
@@ -178,6 +976,44 @@ main(int argc, char **argv)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
+ /* Attempt to parse a truncated PAC */
+ ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac) >> 1, &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a short PAC");
+
+ /* Attempt to parse a PAC with a buffer claiming too large a length */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[13] += 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Attempt to parse a PAC with a buffer offset too far in */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[16] += 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Attempt to parse a PAC with a buffer offset too far back */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[16] -= 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Attempt to parse a PAC with an incorrect buffer count */
+ memcpy(bad_pac, saved_pac, sizeof(saved_pac));
+ bad_pac[0] += 1;
+
+ ret = krb5_pac_parse(context, bad_pac, sizeof(saved_pac), &pac);
+ if (ret == 0)
+ krb5_err(context, 1, ret, "krb5_pac_parse parsed a malicious PAC");
+
+ /* Parse a well-formed PAC */
ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac), &pac);
if (ret)
krb5_err(context, 1, ret, "krb5_pac_parse");
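Review bot: The five `if (ret == 0)` branches added here call `krb5_err` with `ret`, which is known to be 0 on that path, so the fatal message gets the text for error code 0 appended instead of an explanation; `krb5_errx(context, 1, "krb5_pac_parse parsed a malicious PAC")` says the same without the misleading code. Three of the four mutation cases also share an identical message, so a regression cannot be told apart from the output alone — naming the mutation in each string (`"... (buffer length too large)"`, `"... (offset too far in)"`, `"... (offset too far back)"`, `"... (bad buffer count)"`) costs nothing. The bytes being perturbed (0, 13 and 16) are header fields; a comment tying them to the PAC header layout (buffer count at offset 0, the first info buffer's size field at 12..15 and its offset field at 16..23 — confirm against the MS-PAC layout) would let a reader follow the intent without counting bytes. main() begins before this hunk.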
@@ -188,7 +1024,8 @@ main(int argc, char **argv)
krb5_err(context, 1, ret, "krb5_pac_verify");
ret = _krb5_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, 0, NULL, NULL,
+ NULL, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign");
@@ -244,7 +1081,8 @@ main(int argc, char **argv)
free(list);
ret = _krb5_pac_sign(context, pac2, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, 0,
+ NULL, NULL, NULL, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign 4");
@@ -343,7 +1181,8 @@ main(int argc, char **argv)
}
ret = _krb5_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, 0,
+ NULL, NULL, NULL, &data);
if (ret)
krb5_err(context, 1, ret, "_krb5_pac_sign");
@@ -373,8 +1212,43 @@ main(int argc, char **argv)
}
krb5_pac_free(context, pac);
+ krb5_free_principal(context, p);
+
+ /*
+ * check extra logon info PAC
+ */
+ ret = krb5_pac_parse(context, extra_logon_info,
+ sizeof(extra_logon_info) - 1, &pac);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_pac_parse");
+ ret = krb5_pac_verify(context, pac, 0, NULL, NULL, NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_pac_verify");
+
+ ret = krb5_parse_name(context, "c9d801a8_0@EXAMPLE.COM", &p);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_pac_get_canon_principal");
+
+ ret = _krb5_pac_get_canon_principal(context, pac, &p2);
+ if (ret)
+ krb5_err(context, 1, ret, "_krb5_pac_get_canon_principal");
+
+ if (!krb5_principal_compare(context, p, p2))
+ krb5_errx(context, 1, "canon principal doesn't match");
+
+ krb5_pac_free(context, pac);
krb5_free_principal(context, p);
+ krb5_free_principal(context, p2);
+
+ /* Test PAC ticket-signature */
+ {
+ const struct test_pac_ticket *tkt;
+
+ for (tkt = pac_tickets; tkt->name != NULL; tkt++)
+ check_ticket_signature(context, tkt);
+ }
+
krb5_free_context(context);
return 0;
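Review bot: The error message after `krb5_parse_name(context, "c9d801a8_0@EXAMPLE.COM", &p)` names `_krb5_pac_get_canon_principal`, which is the following call, so a parse failure would be reported against the wrong function; it should read `krb5_err(context, 1, ret, "krb5_parse_name");`. The `krb5_pac_verify(context, pac, 0, NULL, NULL, NULL)` call passes no principal and no keys, so it presumably exercises only the structural checks and not the server/KDC checksums; a one-line comment such as `/* no keys: structure and logon-info parsing only, signatures are not checked here */` would keep a reader from taking this block as a signature test (hedged: confirm what krb5_pac_verify does with NULL keys). main() extends beyond both ends of this hunk.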
diff --git a/lib/krb5/test_plugin.c b/lib/krb5/test_plugin.c
index cfc3b6c04df1..6aedfa25b9b9 100644
--- a/lib/krb5/test_plugin.c
+++ b/lib/krb5/test_plugin.c
@@ -66,10 +66,12 @@ resolve_lookup(void *ctx,
s.sin_port = htons(88);
s.sin_addr.s_addr = htonl(0x7f000002);
- if (strcmp(realm, "NOTHERE.H5L.SE") == 0)
+ if (strcmp(realm, "NOTHERE.H5L.SE") == 0) {
(*add)(addctx, type, (struct sockaddr *)&s);
+ return 0;
+ }
- return 0;
+ return KRB5_PLUGIN_NO_HANDLE;
}
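Review bot: The new `return KRB5_PLUGIN_NO_HANDLE;` changes resolve_lookup's contract for every realm other than NOTHERE.H5L.SE, but nothing in the function records why; a comment above it such as `/* not our realm: decline so other plugins and the default resolver can answer */` documents the intent (that is how I read the NO_HANDLE code — confirm against the plugin loader). The `(*add)(addctx, ...)` result is still ignored on the handled path, as before the change. resolve_lookup's signature and the start of its body are outside this hunk.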
diff --git a/lib/krb5/test_princ.c b/lib/krb5/test_princ.c
index 98e61e3d8bf8..e61a60395f1a 100644
--- a/lib/krb5/test_princ.c
+++ b/lib/krb5/test_princ.c
@@ -59,7 +59,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ, princ_unparsed)) {
+ if (strcmp(princ, princ_unparsed) != 0) {
krb5_errx(context, 1, "%s != %s", princ, princ_unparsed);
}
@@ -71,7 +71,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -101,7 +101,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -117,7 +117,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -156,7 +156,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -176,7 +176,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_short");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -200,7 +200,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -227,7 +227,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
- if (strcmp(princ_short, princ_unparsed))
+ if (strcmp(princ_short, princ_unparsed) != 0)
krb5_errx(context, 1, "'%s' != '%s'", princ_short, princ_unparsed);
free(princ_unparsed);
@@ -246,7 +246,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_flags");
- if (strcmp(princ, princ_unparsed))
+ if (strcmp(princ, princ_unparsed) != 0)
krb5_errx(context, 1, "q '%s' != '%s'", princ, princ_unparsed);
free(princ_unparsed);
@@ -255,7 +255,7 @@ test_princ(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_unparse_name_flags");
- if (strcmp(noquote, princ_unparsed))
+ if (strcmp(noquote, princ_unparsed) != 0)
krb5_errx(context, 1, "nq '%s' != '%s'", noquote, princ_unparsed);
free(princ_unparsed);
diff --git a/lib/krb5/test_rfc3961.c b/lib/krb5/test_rfc3961.c
index f86b8bb3a446..ed8ee9b5f3f4 100644
--- a/lib/krb5/test_rfc3961.c
+++ b/lib/krb5/test_rfc3961.c
@@ -35,6 +35,108 @@
#include <getarg.h>
static void
+time_hmac(krb5_context context, size_t size, int iterations)
+{
+ struct timeval tv1, tv2;
+ krb5_error_code ret;
+ krb5_keyblock key;
+ char sha1_data[20];
+ Checksum result;
+ char *buf;
+ int i;
+
+ ret = krb5_generate_random_keyblock(context,
+ ETYPE_AES128_CTS_HMAC_SHA1_96,
+ &key);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+ buf = calloc(1, size);
+ if (buf == NULL)
+ krb5_errx(context, 1, "out of memory");
+
+ gettimeofday(&tv1, NULL);
+
+ result.checksum.data = &sha1_data;
+ result.checksum.length = sizeof(sha1_data);
+ for (i = 0; i < iterations; i++) {
+ ret = krb5_hmac(context, CKSUMTYPE_SHA1, buf, size, 0, &key, &result);
+ if (ret)
+ krb5_err(context, 1, ret, "hmac: %d", i);
+ }
+
+ gettimeofday(&tv2, NULL);
+
+ timevalsub(&tv2, &tv1);
+
+ printf("HMAC-SHA1 size: %7lu iterations: %d time: %3ld.%06ld\n",
+ (unsigned long)size, iterations,
+ (long)tv2.tv_sec, (long)tv2.tv_usec);
+
+ free(buf);
+ krb5_free_keyblock_contents(context, &key);
+}
+
+static void
+time_hmac_evp(krb5_context context, size_t size, int iterations)
+{
+ struct timeval tv1, tv2;
+ struct krb5_crypto_iov iov;
+ struct _krb5_key_data kd;
+ krb5_error_code ret;
+ krb5_keyblock key;
+ krb5_crypto crypto;
+ char sha1_data[20];
+ Checksum result;
+ char *buf;
+ int i;
+
+ ret = krb5_generate_random_keyblock(context,
+ ETYPE_AES128_CTS_HMAC_SHA1_96,
+ &key);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
+
+ buf = calloc(1, size);
+ if (buf == NULL)
+ krb5_errx(context, 1, "out of memory");
+
+ gettimeofday(&tv1, NULL);
+
+ result.checksum.data = &sha1_data;
+ result.checksum.length = sizeof(sha1_data);
+ iov.data.data = buf;
+ iov.data.length = size;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ kd.key = &key;
+ kd.schedule = NULL;
+
+ ret = krb5_crypto_init(context, &key, ETYPE_AES128_CTS_HMAC_SHA1_96,
+ &crypto);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_crypto_init");
+
+ for (i = 0; i < iterations; i++) {
+ ret = _krb5_SP_HMAC_SHA1_checksum(context, crypto, &kd, 0,
+ &iov, 1, &result);
+ if (ret)
+ krb5_err(context, 1, ret, "hmac: %d", i);
+ }
+
+ gettimeofday(&tv2, NULL);
+
+ timevalsub(&tv2, &tv1);
+
+ printf("HMAC-SHA1 (evp) size: %7lu iterations: %d time: %3ld.%06ld\n",
+ (unsigned long)size, iterations,
+ (long)tv2.tv_sec, (long)tv2.tv_usec);
+
+ free(buf);
+ krb5_free_keyblock_contents(context, &key);
+ krb5_crypto_destroy(context, crypto);
+}
+
+static void
time_encryption(krb5_context context, size_t size,
krb5_enctype etype, int iterations)
{
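Review bot: `result.checksum.data = &sha1_data;` in both time_hmac and time_hmac_evp takes the address of the array object (type `char (*)[20]`) and relies on the implicit conversion to `void *`; the value equals `sha1_data`, but the form hides what is meant and reads as a slip — write `result.checksum.data = sha1_data;` in both places. Neither function has a header comment even though they exist as a pair to compare two code paths; I'd add `/* Time `iterations` HMAC-SHA1 computations over a zeroed `size`-byte buffer through the public krb5_hmac() API */` on time_hmac and the analogous line naming `_krb5_SP_HMAC_SHA1_checksum` and the crypto context on time_hmac_evp. The `%7lu` with an `(unsigned long)` cast is fine but could be `%zu` if the file's other printf calls already rely on C99 formats (hedged: outside this hunk).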
@@ -148,12 +250,195 @@ usage (int ret)
exit (ret);
}
+/* SHA1 test vectors from RFC2202 */
+
+struct rfc2202 {
+ char key[80];
+ int keylen;
+ char data[80];
+ int datalen;
+ char digest[20];
+ int digestlen;
+};
+
+static struct rfc2202 rfc2202_vectors[] =
+{
+ {
+ {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+ 0x0b, 0x0b, 0x0b, 0x0b},
+ 20,
+ "Hi There",
+ 8,
+ {0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
+ 0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
+ 0xf1, 0x46, 0xbe, 0x00},
+ 20
+ },
+ {
+ "Jefe",
+ 4,
+ "what do ya want for nothing?",
+ 28,
+ {0xef, 0xfc, 0xdf, 0x6a, 0xe5, 0xeb, 0x2f, 0xa2,
+ 0xd2, 0x74, 0x16, 0xd5, 0xf1, 0x84, 0xdf, 0x9c,
+ 0x25, 0x9a, 0x7c, 0x79},
+ 20
+ },
+ {
+ {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa},
+ 20,
+ {0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
+ 0xdd, 0xdd},
+ 50,
+ {0x12, 0x5d, 0x73, 0x42, 0xb9, 0xac, 0x11, 0xcd,
+ 0x91, 0xa3, 0x9a, 0xf4, 0x8a, 0xa1, 0x7b, 0x4f,
+ 0x63, 0xf1, 0x75, 0xd3},
+ 20
+ },
+ {
+ {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x19},
+ 25,
+ {0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+ 0xcd, 0xcd},
+ 50,
+ {0x4c, 0x90, 0x07, 0xf4, 0x02, 0x62, 0x50, 0xc6,
+ 0xbc, 0x84, 0x14, 0xf9, 0xbf, 0x50, 0xc8, 0x6c,
+ 0x2d, 0x72, 0x35, 0xda},
+ 20
+ },
+ {
+ {0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c},
+ 20,
+ "Test With Truncation",
+ 20,
+ {0x4c, 0x1a, 0x03, 0x42, 0x4b, 0x55, 0xe0, 0x7f,
+ 0xe7, 0xf2, 0x7b, 0xe1, 0xd5, 0x8b, 0xb9, 0x32,
+ 0x4a, 0x9a, 0x5a, 0x04},
+ 20
+ },
+ {
+ {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa},
+ 80,
+ "Test Using Larger Than Block-Size Key - Hash Key First",
+ 54,
+ {0xaa, 0x4a, 0xe5, 0xe1, 0x52, 0x72, 0xd0, 0x0e,
+ 0x95, 0x70, 0x56, 0x37, 0xce, 0x8a, 0x3b, 0x55,
+ 0xed, 0x40, 0x21, 0x12},
+ 20
+ },
+ {
+ {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa},
+ 80,
+ "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data",
+ 73,
+ {0xe8, 0xe9, 0x9d, 0x0f, 0x45, 0x23, 0x7d, 0x78,
+ 0x6d, 0x6b, 0xba, 0xa7, 0x96, 0x5c, 0x78, 0x08,
+ 0xbb, 0xff, 0x1a, 0x91},
+ 20
+ }
+};
+
+/* RFC 2202 test vectors for HMAC-SHA1 */
+static void
+test_rfc2202(krb5_context context)
+{
+ int num_tests;
+ int i;
+
+ num_tests = sizeof(rfc2202_vectors) / sizeof(struct rfc2202);
+
+ printf("Running %d RFC2202 HMAC-SHA1 tests\n", num_tests);
+ for (i = 0; i < num_tests; i++) {
+ krb5_keyblock keyblock;
+ Checksum result;
+ struct krb5_crypto_iov iov;
+ struct _krb5_key_data kd;
+ char sha1_data[20];
+ int code;
+
+ memset(&keyblock, 0, sizeof(keyblock));
+ memset(&result, 0, sizeof(result));
+
+ keyblock.keyvalue.length = rfc2202_vectors[i].keylen;
+ keyblock.keyvalue.data = &rfc2202_vectors[i].key;
+
+ result.checksum.data = &sha1_data;
+ result.checksum.length = sizeof(sha1_data);
+
+ code = krb5_hmac(context, CKSUMTYPE_SHA1,
+ &rfc2202_vectors[i].data, rfc2202_vectors[i].datalen,
+ 0, &keyblock, &result);
+
+ if (code != 0)
+ errx(1, "HMAC-SHA1 failed with %d on test %d", code, i + 1);
+
+ if (memcmp(&sha1_data, rfc2202_vectors[i].digest, sizeof(sha1_data)) !=0)
+ errx(1, "Digests don't match on test %d", i);
+
+ printf("Test %d okay\n", (i * 2) + 1);
+
+ /* Now check the same using the internal HMAC function */
+
+ iov.data.data = rfc2202_vectors[i].data;
+ iov.data.length = rfc2202_vectors[i].datalen;
+ iov.flags = KRB5_CRYPTO_TYPE_DATA;
+ kd.key = &keyblock;
+ kd.schedule = NULL;
+ code = _krb5_SP_HMAC_SHA1_checksum(context, NULL, &kd, 0,
+ &iov, 1, &result);
+
+ if (code != 0)
+ errx(1, "HMAC-SHA1 failed with %d on test %d", code, i + 1);
+
+ if (memcmp(&sha1_data, rfc2202_vectors[i].digest, sizeof(sha1_data)) !=0)
+ errx(1, "Digests don't match on test %d", i);
+
+ printf("Test %d okay\n", (i * 2) + 2);
+ }
+}
+
int
main(int argc, char **argv)
{
krb5_context context;
krb5_error_code ret;
- int i, enciter, s2kiter;
+ int i, enciter, s2kiter, hmaciter;
int optidx = 0;
krb5_salt salt;
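Review bot: The two `errx(1, "Digests don't match on test %d", i);` lines in test_rfc2202 print the zero-based index while the adjacent `HMAC-SHA1 failed ... on test %d` lines use `i + 1` and the `Test %d okay` lines count from 1, so a mismatch on the first vector reports "test 0"; use `i + 1` in both. `&rfc2202_vectors[i].key`, `&rfc2202_vectors[i].data` and `&sha1_data` pass addresses of whole arrays where the first-element pointer is meant — same value, but `rfc2202_vectors[i].key` etc. says what is intended, and the `!=0` spacing in the two memcmp checks should match the file's `!= 0`. `keyblock.keytype` is left at 0 from the memset; if krb5_hmac() ignores the key type for CKSUMTYPE_SHA1 a comment saying so would spare the next reader the question (hedged: krb5_hmac's handling of keytype is outside this hunk). The `struct rfc2202` table would also benefit from a one-line comment that `keylen`/`datalen` are the used prefix of the fixed 80-byte fields, since the initializers leave the rest zero.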
@@ -188,9 +473,32 @@ main(int argc, char **argv)
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
+ test_rfc2202(context);
+
enciter = 1000;
+ hmaciter = 10000;
s2kiter = 100;
+ time_hmac(context, 16, hmaciter);
+ time_hmac(context, 32, hmaciter);
+ time_hmac(context, 512, hmaciter);
+ time_hmac(context, 1024, hmaciter);
+ time_hmac(context, 2048, hmaciter);
+ time_hmac(context, 4096, hmaciter);
+ time_hmac(context, 8192, hmaciter);
+ time_hmac(context, 16384, hmaciter);
+ time_hmac(context, 32768, hmaciter);
+
+ time_hmac_evp(context, 16, hmaciter);
+ time_hmac_evp(context, 32, hmaciter);
+ time_hmac_evp(context, 512, hmaciter);
+ time_hmac_evp(context, 1024, hmaciter);
+ time_hmac_evp(context, 2048, hmaciter);
+ time_hmac_evp(context, 4096, hmaciter);
+ time_hmac_evp(context, 8192, hmaciter);
+ time_hmac_evp(context, 16384, hmaciter);
+ time_hmac_evp(context, 32768, hmaciter);
+
for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
krb5_enctype_enable(context, enctypes[i]);
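Review bot: The eighteen `time_hmac`/`time_hmac_evp` calls enumerate the same nine sizes twice by hand; a size table and two loops express the same benchmark in the same output order and make adding a size a one-line change. Note that this adds 2 × 9 × 10000 HMAC computations (the largest over a 32 KiB buffer) to every run of the program ahead of the existing encryption timings; if this binary is part of the check target that cost is paid on every build (hedged: whether it is wired into `make check` is outside this hunk). main() begins before this hunk, so the `hmac_sizes` declaration below belongs with the other declarations at its top.
```c
    static const size_t hmac_sizes[] = {
        16, 32, 512, 1024, 2048, 4096, 8192, 16384, 32768
    };
    size_t j;

    /* … unchanged: krb5_init_context, test_rfc2202, enciter/hmaciter/s2kiter … */

    for (j = 0; j < sizeof(hmac_sizes) / sizeof(hmac_sizes[0]); j++)
        time_hmac(context, hmac_sizes[j], hmaciter);
    for (j = 0; j < sizeof(hmac_sizes) / sizeof(hmac_sizes[0]); j++)
        time_hmac_evp(context, hmac_sizes[j], hmaciter);
```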
diff --git a/lib/krb5/test_set_kvno0.c b/lib/krb5/test_set_kvno0.c
index 526c240f1c4b..0c7e6b447ae8 100644
--- a/lib/krb5/test_set_kvno0.c
+++ b/lib/krb5/test_set_kvno0.c
@@ -119,8 +119,11 @@ main(int argc, char **argv)
during = "decode_Ticket";
memset(&t, 0, sizeof (t));
ret = decode_Ticket(cred.ticket.data, cred.ticket.length, &t, &len);
- if (ret == ASN1_MISSING_FIELD)
+ if (ret == ASN1_MISSING_FIELD) {
+ krb5_free_cred_contents(context, &cred);
+ memset(&cred, 0, sizeof (cred));
continue;
+ }
if (ret) goto err;
if (t.enc_part.kvno) {
*t.enc_part.kvno = 0;
diff --git a/lib/krb5/test_store.c b/lib/krb5/test_store.c
index 6876cc1db279..163022c561be 100644
--- a/lib/krb5/test_store.c
+++ b/lib/krb5/test_store.c
@@ -201,6 +201,7 @@ test_truncate(krb5_context context, krb5_storage *sp, int fd)
{
struct stat sb;
+ krb5_storage_truncate(sp, 0);
krb5_store_string(sp, "hej");
krb5_storage_truncate(sp, 2);
@@ -214,7 +215,33 @@ test_truncate(krb5_context context, krb5_storage *sp, int fd)
if (fstat(fd, &sb) != 0)
krb5_err(context, 1, errno, "fstat");
if (sb.st_size != 1024)
- krb5_errx(context, 1, "length not 2");
+ krb5_errx(context, 1, "length not 1024");
+}
+
+static void
+test_buffer_issues(krb5_context context, krb5_storage *sp)
+{
+ krb5_error_code ret;
+ size_t i;
+ uint32_t v;
+
+ krb5_storage_set_eof_code(sp, -1);
+ krb5_storage_truncate(sp, 0);
+ for (i=0; i < 4096; i++) {
+ krb5_store_uint32(sp, i);
+ }
+
+ krb5_storage_truncate(sp, 1024);
+ ret = krb5_ret_uint32(sp, &v);
+ if (ret != -1)
+ krb5_errx(context, 1, "Should have received EOF");
+
+ krb5_storage_seek(sp, 8, SEEK_SET);
+ ret = krb5_ret_uint32(sp, &v);
+ if (ret == -1)
+ krb5_errx(context, 1, "Should not have received EOF");
+ if (v != 2)
+ krb5_errx(context, 1, "uint32 should have been 2");
}
static void
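Review bot: The return values of `krb5_storage_truncate`, `krb5_store_uint32` and `krb5_storage_seek` inside `test_buffer_issues` are discarded, so an I/O failure during setup would surface only as the misleading "Should have received EOF" assertion. Checking them with `krb5_err`/`krb5_errx`, as `test_truncate` does for `fstat`, keeps the failure message pointed at the real cause. The `krb5_storage_set_eof_code(sp, -1)` call also changes the EOF code for anything later run on `sp`; a one-line comment noting that the test relies on -1 rather than the storage's default would help the next reader.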
@@ -306,27 +333,27 @@ main(int argc, char **argv)
krb5_err(context, 1, errno, "open(%s)", fn);
sp = krb5_storage_from_fd(fd);
- close(fd);
if (sp == NULL)
krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
test_storage(context, sp);
+ test_truncate(context, sp, fd);
+ test_buffer_issues(context, sp);
krb5_storage_free(sp);
+ close(fd);
unlink(fn);
- /*
- * test truncate behavior
- */
-
fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600);
if (fd < 0)
krb5_err(context, 1, errno, "open(%s)", fn);
- sp = krb5_storage_from_fd(fd);
+ sp = krb5_storage_stdio_from_fd(fd, "r+");
if (sp == NULL)
- krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn);
+ krb5_errx(context, 1, "krb5_storage_stdio_from_fd: %s no mem", fn);
+ test_storage(context, sp);
test_truncate(context, sp, fd);
+ test_buffer_issues(context, sp);
krb5_storage_free(sp);
close(fd);
unlink(fn);
diff --git a/lib/krb5/test_time.c b/lib/krb5/test_time.c
index 36c78088bfec..9c6d1cc9a44d 100644
--- a/lib/krb5/test_time.c
+++ b/lib/krb5/test_time.c
@@ -54,11 +54,11 @@ check_set_time(krb5_context context)
if (ret)
krb5_err(context, 1, ret, "krb5_us_timeofday");
- diff2 = labs(sec - tv.tv_sec);
+ diff2 = krb5_time_abs(sec, tv.tv_sec);
if (diff2 < 9 || diff > 11)
krb5_errx(context, 1, "set time error: diff: %ld",
- labs(sec - tv.tv_sec));
+ krb5_time_abs(sec, tv.tv_sec));
}
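Review bot: The condition on the unchanged line `if (diff2 < 9 || diff > 11)` still tests `diff` in its second half although `diff2` is the value computed on the changed line just above; if the intent is to bound `diff2` it should read `if (diff2 < 9 || diff2 > 11)`, otherwise a large `diff2` goes unnoticed. The `%ld` conversion below is handed `krb5_time_abs(...)` directly, whereas the same call in ticket.c in this commit is cast with `(long)`; unless krb5_deltat is `long` this is a mismatched format argument, so `(long)krb5_time_abs(sec, tv.tv_sec)` here would be consistent and well-defined. The earlier part of check_set_time, where `diff` is computed, is outside the hunk.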
diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
index ef9965060516..d19fcc64f9f4 100644
--- a/lib/krb5/ticket.c
+++ b/lib/krb5/ticket.c
@@ -147,7 +147,7 @@ krb5_ticket_get_server(krb5_context context,
}
/**
- * Return end time of ticket
+ * Return end time of a ticket
*
* @param context a Kerberos 5 context
* @param ticket ticket to copy
@@ -165,6 +165,29 @@ krb5_ticket_get_endtime(krb5_context context,
}
/**
+ * Return authentication, start, end, and renew limit times of a ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param t pointer to krb5_times structure
+ *
+ * @ingroup krb5
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_ticket_get_times(krb5_context context,
+ const krb5_ticket *ticket,
+ krb5_times *t)
+{
+ t->authtime = ticket->ticket.authtime;
+ t->starttime = ticket->ticket.starttime ? *ticket->ticket.starttime :
+ t->authtime;
+ t->endtime = ticket->ticket.endtime;
+ t->renew_till = ticket->ticket.renew_till ? *ticket->ticket.renew_till :
+ t->endtime;
+}
+
+/**
* Get the flags from the Kerberos ticket
*
* @param context Kerberos context
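Review bot: The doc block for `krb5_ticket_get_times` says `@param ticket ticket to copy`, carried over from krb5_ticket_get_endtime, but nothing is copied; the times are read out of the ticket. `@param ticket ticket to read the times from` and `@param t output krb5_times structure, filled in by this call` describe the contract, and it is worth stating that a missing starttime is reported as authtime and a missing renew_till as endtime, since callers cannot otherwise distinguish a defaulted value from one present in the ticket. `context` is accepted but unused, which matches the neighbouring accessors.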
@@ -181,13 +204,38 @@ krb5_ticket_get_flags(krb5_context context,
return TicketFlags2int(ticket->ticket.flags);
}
+/*
+ * Find an authz-data element in the given `ad'. If `failp', then validate any
+ * containing AD-KDC-ISSUED's keyed checksum with the `sessionkey' (if given).
+ *
+ * All AD-KDC-ISSUED will be validated (if requested) even when `type' is
+ * `KRB5_AUTHDATA_KDC_ISSUED'.
+ *
+ * Only the first matching element will be output (via `data').
+ *
+ * Note that all AD-KDC-ISSUEDs found while traversing the authz-data will be
+ * validated, though only the first one will be returned.
+ *
+ * XXX We really need a better interface though. First, forget AD-AND-OR --
+ * just remove it. Second, probably forget AD-KDC-ISSUED, but still, between
+ * that, the PAC, and the CAMMAC, we need an interface that can:
+ *
+ * a) take the derived keys instead of the service key or the session key,
+ * b) can indicate whether the element was marked critical,
+ * c) can indicate whether the element was authenticated to the KDC,
+ * d) can iterate over all the instances found (if more than one is found).
+ *
+ * Also, we need to know here if the authz-data is from a Ticket or from an
+ * Authenticator -- if the latter then we must refuse to find AD-KDC-ISSUED /
+ * PAC / CAMMAC or anything of the sort, ever.
+ */
static int
find_type_in_ad(krb5_context context,
int type,
- krb5_data *data,
+ krb5_data *data, /* optional */
krb5_boolean *found,
- krb5_boolean failp,
- krb5_keyblock *sessionkey,
+ krb5_boolean failp, /* validate AD-KDC-ISSUED */
+ krb5_keyblock *sessionkey, /* ticket session key */
const AuthorizationData *ad,
int level)
{
@@ -210,14 +258,19 @@ find_type_in_ad(krb5_context context,
*/
for (i = 0; i < ad->len; i++) {
if (!*found && ad->val[i].ad_type == type) {
- ret = der_copy_octet_string(&ad->val[i].ad_data, data);
- if (ret) {
- krb5_set_error_message(context, ret,
- N_("malloc: out of memory", ""));
- goto out;
- }
+ if (data) {
+ ret = der_copy_octet_string(&ad->val[i].ad_data, data);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ }
*found = TRUE;
- continue;
+ if (type != KRB5_AUTHDATA_KDC_ISSUED ||
+ !failp || !sessionkey || !sessionkey->keyvalue.length)
+ continue;
+ /* else go on to validate the AD-KDC-ISSUED's keyed checksum */
}
switch (ad->val[i].ad_type) {
case KRB5_AUTHDATA_IF_RELEVANT: {
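Review bot: The new `continue` guard at the top of the loop appears to let a requested AD-KDC-ISSUED element be returned unvalidated when `failp` is set but no usable `sessionkey` is supplied, while the `else if (failp)` branch added in the later hunk of this function (ending at `free_AD_KDCIssued(&child); goto out;`) rejects every other AD-KDC-ISSUED with ENOENT in exactly that situation. If `failp` without a key is meant to be an error, the guard should only skip validation when none was requested, `if (type != KRB5_AUTHDATA_KDC_ISSUED || !failp) continue;`, so the element falls through to the switch and receives the same ENOENT treatment; if returning it unvalidated is intended, the function comment should say so explicitly, since callers such as krb5_ticket_get_authorization_data_type would then be handed an element whose KDC checksum was never checked. find_type_in_ad's body spans several hunks, so the `out:` cleanup is inferred from the later one.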
@@ -240,7 +293,6 @@ find_type_in_ad(krb5_context context,
goto out;
break;
}
-#if 0 /* XXX test */
case KRB5_AUTHDATA_KDC_ISSUED: {
AD_KDCIssued child;
@@ -255,7 +307,7 @@ find_type_in_ad(krb5_context context,
ret);
goto out;
}
- if (failp) {
+ if (failp && sessionkey && sessionkey->keyvalue.length) {
krb5_boolean valid;
krb5_data buf;
size_t len;
@@ -283,7 +335,12 @@ find_type_in_ad(krb5_context context,
free_AD_KDCIssued(&child);
goto out;
}
- }
+ } else if (failp) {
+ krb5_clear_error_message(context);
+ ret = ENOENT;
+ free_AD_KDCIssued(&child);
+ goto out;
+ }
ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
&child.elements, level + 1);
free_AD_KDCIssued(&child);
@@ -291,7 +348,6 @@ find_type_in_ad(krb5_context context,
goto out;
break;
}
-#endif
case KRB5_AUTHDATA_AND_OR:
if (!failp)
break;
@@ -315,7 +371,8 @@ find_type_in_ad(krb5_context context,
out:
if (ret) {
if (*found) {
- krb5_data_free(data);
+ if (data)
+ krb5_data_free(data);
*found = 0;
}
}
@@ -332,7 +389,8 @@ _krb5_get_ad(krb5_context context,
krb5_boolean found = FALSE;
krb5_error_code ret;
- krb5_data_zero(data);
+ if (data)
+ krb5_data_zero(data);
if (ad == NULL) {
krb5_set_error_message(context, ENOENT,
@@ -376,12 +434,13 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
krb5_error_code ret;
krb5_boolean found = FALSE;
- krb5_data_zero(data);
+ if (data)
+ krb5_data_zero(data);
ad = ticket->ticket.authorization_data;
if (ticket->ticket.authorization_data == NULL) {
krb5_set_error_message(context, ENOENT,
- N_("Ticket have not authorization data", ""));
+ N_("Ticket has no authorization data", ""));
return ENOENT; /* XXX */
}
@@ -391,7 +450,7 @@ krb5_ticket_get_authorization_data_type(krb5_context context,
return ret;
if (!found) {
krb5_set_error_message(context, ENOENT,
- N_("Ticket have not "
+ N_("Ticket has no "
"authorization data of type %d", ""),
type);
return ENOENT; /* XXX */
@@ -729,9 +788,9 @@ _krb5_extract_ticket(krb5_context context,
/* compare client and save */
ret = _krb5_principalname2krb5_principal(context,
- &tmp_principal,
- rep->kdc_rep.cname,
- rep->kdc_rep.crealm);
+ &tmp_principal,
+ rep->kdc_rep.cname,
+ rep->kdc_rep.crealm);
if (ret)
goto out;
@@ -762,12 +821,19 @@ _krb5_extract_ticket(krb5_context context,
creds->client = tmp_principal;
/* check server referral and save principal */
- ret = _krb5_principalname2krb5_principal (context,
- &tmp_principal,
- rep->enc_part.sname,
- rep->enc_part.srealm);
+ ret = _krb5_kdcrep2krb5_principal(context, &tmp_principal, &rep->enc_part);
if (ret)
goto out;
+
+ tmp_principal->nameattrs->peer_realm =
+ calloc(1, sizeof(tmp_principal->nameattrs->peer_realm[0]));
+ if (tmp_principal->nameattrs->peer_realm == NULL) {
+ ret = krb5_enomem(context);
+ goto out;
+ }
+ ret = copy_Realm(&creds->client->realm, tmp_principal->nameattrs->peer_realm);
+ if (ret) goto out;
+
if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
ret = check_server_referral(context,
rep,
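Review bot: `tmp_principal->nameattrs` is dereferenced right after the `_krb5_kdcrep2krb5_principal` call without a NULL check, so this relies on that helper always allocating `nameattrs` for a principal built from a KDC reply; the hunk does not show that guarantee, and a guard such as `if (tmp_principal->nameattrs == NULL) { ret = krb5_enomem(context); goto out; }` would make the assumption explicit. Since `creds->client = tmp_principal` was assigned just above and `tmp_principal` is then reassigned, confirm that `out:` releases the new `tmp_principal` (and the partially built `peer_realm`) on the two `goto out` error paths, otherwise the OOM branches leak. _krb5_extract_ticket's body continues outside the hunk.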
@@ -827,11 +893,11 @@ _krb5_extract_ticket(krb5_context context,
tmp_time = rep->enc_part.authtime;
if (creds->times.starttime == 0
- && labs(tmp_time - sec_now) > context->max_skew) {
+ && krb5_time_abs(tmp_time, sec_now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_set_error_message (context, ret,
N_("time skew (%ld) larger than max (%ld)", ""),
- labs(tmp_time - sec_now),
+ (long)krb5_time_abs(tmp_time, sec_now),
(long)context->max_skew);
goto out;
}
diff --git a/lib/krb5/time.c b/lib/krb5/time.c
index 247549ba2372..d0d4af1a4698 100644
--- a/lib/krb5/time.c
+++ b/lib/krb5/time.c
@@ -127,3 +127,12 @@ krb5_string_to_deltat(const char *string, krb5_deltat *deltat)
return KRB5_DELTAT_BADFORMAT;
return 0;
}
+
+krb5_deltat
+krb5_time_abs(krb5_deltat t1, krb5_deltat t2)
+{
+ krb5_deltat t = t1 - t2;
+ if (t < 0)
+ return -t;
+ return t;
+}
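Review bot: `t1 - t2` and the negation `-t` are signed arithmetic on `krb5_deltat`, so operands far apart — for example an authtime near the type's minimum in a KDC reply, which _krb5_extract_ticket now feeds through this function to gate `max_skew` — overflow, and signed overflow is undefined behaviour rather than a large positive result. Doing the subtraction in a wider signed type when one is available, or saturating to the type maximum when the operands have opposite signs and the difference is not representable, keeps the skew check well-defined on hostile input. The function is also exported only under the `# testing` section of version-script.map although library code in ticket.c now depends on it, and it has no header comment; `/* Absolute difference of two times; used for clock-skew checks. */` would be enough.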
diff --git a/lib/krb5/transited.c b/lib/krb5/transited.c
index 8ad122afa92b..484fd398c296 100644
--- a/lib/krb5/transited.c
+++ b/lib/krb5/transited.c
@@ -274,8 +274,11 @@ decode_realms(krb5_context context,
}
if(tr[i] == ','){
tmp = malloc(tr + i - start + 1);
- if(tmp == NULL)
+ if(tmp == NULL) {
+ free_realms(*realms);
+ *realms = NULL;
return krb5_enomem(context);
+ }
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
@@ -356,8 +359,6 @@ krb5_domain_x500_decode(krb5_context context,
{
char **R;
R = malloc((*num_realms + 1) * sizeof(*R));
- if (R == NULL)
- return krb5_enomem(context);
*realms = R;
while(r){
*R++ = r->realm;
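Review bot: Dropping the NULL check after `malloc` means the loop on the following lines executes `*R++ = r->realm` through a NULL pointer when the allocation fails, and the `if (*realms == NULL)` test moved to after the loop (next hunk) only runs once that write has already happened. If the goal is to still free the realm list on OOM, keep the loop but guard the store, e.g. `if (R) *R++ = r->realm; else free(r->realm);` (assuming `r->realm` is the heap string handed to make_realm, which the hunk does not show), so the deferred enomem return is reached without dereferencing NULL. krb5_domain_x500_decode's loop body is split across this hunk and the next.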
@@ -365,6 +366,8 @@ krb5_domain_x500_decode(krb5_context context,
free(r);
r = p;
}
+ if (*realms == NULL)
+ return krb5_enomem(context);
}
return 0;
}
@@ -624,11 +627,12 @@ krb5_check_transited(krb5_context context,
return ret;
for (i = 0; i < num_realms; i++) {
- for (j = 0; j < num_capath; ++j) {
+ for (j = 0; j < num_capath && capath[j]; ++j) {
+ /* `capath[j]' can't be NULL, but compilers be dumb */
if (strcmp(realms[i], capath[j]) == 0)
break;
}
- if (j == num_capath) {
+ if (j == num_capath || !capath[j]) {
_krb5_free_capath(context, capath);
krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT,
N_("no transit allowed "
diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c
index 0db8807a4a12..c258a2bd3b99 100644
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -37,7 +37,6 @@
#include <err.h>
/* verify krb5.conf */
-
static int dumpconfig_flag = 0;
static int version_flag = 0;
static int help_flag = 0;
@@ -217,6 +216,20 @@ check_host(krb5_context context, const char *path, char *data)
}
static int
+check_directory(krb5_context context, const char *path, char *data)
+{
+ DIR *d = opendir(data);
+ if (d == NULL) {
+ krb5_warn(context, errno, "%s: could not open directory `%s'",
+ path, data);
+ return 1;
+ }
+
+ closedir(d);
+ return 0;
+}
+
+static int
mit_entry(krb5_context context, const char *path, char *data)
{
if (warn_mit_syntax_flag)
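Review bot: `check_directory` only confirms that `data` can be opened with `opendir`; for the `plugin_dir` entries it is attached to later in this file, which name the directory shared objects are loaded from, a more useful verification would also `stat` the path and warn when it is not owned by root or is group/world writable, since a writable plugin directory lets anyone with write access there supply code to the library. The function needs `<dirent.h>` in scope; the include block is outside this hunk so that cannot be confirmed here. A header comment `/* Warn if `data' is not an openable directory. */` would match the neighbouring check_* helpers.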
@@ -278,7 +291,7 @@ static struct s2i syslogvals[] = {
static int
find_value(const char *s, struct s2i *table)
{
- while(table->s && strcasecmp(table->s, s))
+ while (table->s && strcasecmp(table->s, s) != 0)
table++;
return table->val;
}
@@ -389,8 +402,11 @@ struct entry libdefaults_entries[] = {
{ "clockskew", krb5_config_string, check_time, 0 },
{ "date_format", krb5_config_string, NULL, 0 },
{ "default_as_etypes", krb5_config_string, NULL, 0 },
+ { "default_ccache_name", krb5_config_string, NULL, 0 },
+ { "default_client_keytab_name", krb5_config_string, NULL, 0 },
{ "default_cc_name", krb5_config_string, NULL, 0 },
{ "default_cc_type", krb5_config_string, NULL, 0 },
+ { "default_cc_collection", krb5_config_string, NULL, 0 },
{ "default_etypes", krb5_config_string, NULL, 0 },
{ "default_etypes_des", krb5_config_string, NULL, 0 },
{ "default_keytab_modify_name", krb5_config_string, NULL, 0 },
@@ -398,7 +414,7 @@ struct entry libdefaults_entries[] = {
{ "default_keytab_modify_name", krb5_config_string, NULL, 0 },
{ "default_realm", krb5_config_string, NULL, 0 },
{ "default_tgs_etypes", krb5_config_string, NULL, 0 },
- { "dns_canonize_hostname", krb5_config_string, check_boolean, 0 },
+ { "dns_canonicalize_hostname", krb5_config_string, check_boolean, 0 },
{ "dns_proxy", krb5_config_string, NULL, 0 },
{ "dns_lookup_kdc", krb5_config_string, check_boolean, 0 },
{ "dns_lookup_realm", krb5_config_string, check_boolean, 0 },
@@ -428,6 +444,7 @@ struct entry libdefaults_entries[] = {
{ "name_canon_rules", krb5_config_string, NULL, 0 },
{ "no-addresses", krb5_config_string, check_boolean, 0 },
{ "pkinit_dh_min_bits", krb5_config_string, NULL, 0 },
+ { "plugin_dir", krb5_config_string, check_directory, 0 },
{ "proxiable", krb5_config_string, check_boolean, 0 },
{ "renew_lifetime", krb5_config_string, check_time, 0 },
{ "scan_interfaces", krb5_config_string, check_boolean, 0 },
@@ -571,6 +588,7 @@ struct entry kdc_entries[] = {
{ "logging", krb5_config_string, check_log, 0 },
{ "max-kdc-datagram-reply-length", krb5_config_string, check_bytes, 0 },
{ "max-request", krb5_config_string, check_bytes, 0 },
+ { "num-kdc-processes", krb5_config_string, check_numeric, 0 },
{ "pkinit_allow_proxy_certificate", krb5_config_string, check_boolean, 0 },
{ "pkinit_anchors", krb5_config_string, NULL, 0 },
{ "pkinit_dh_min_bits", krb5_config_string, check_numeric, 0 },
@@ -586,6 +604,7 @@ struct entry kdc_entries[] = {
{ "preauth-use-strongest-session-key", krb5_config_string, check_boolean, 0 },
{ "require_initial_kca_tickets", krb5_config_string, check_boolean, 0 },
{ "require-preauth", krb5_config_string, check_boolean, 0 },
+ { "strict-nametypes", krb5_config_string, check_boolean, 0 },
{ "svc-use-strongest-session-key", krb5_config_string, check_boolean, 0 },
{ "tgt-use-strongest-session-key", krb5_config_string, check_boolean, 0 },
{ "transited-policy", krb5_config_string, NULL, 0 },
@@ -599,6 +618,7 @@ struct entry kadmin_entries[] = {
{ "allow_self_change_password", krb5_config_string, check_boolean, 0 },
{ "default_keys", krb5_config_string, NULL, 0 },
{ "password_lifetime", krb5_config_string, check_time, 0 },
+ { "plugin_dir", krb5_config_string, check_directory, 0 },
{ "require-preauth", krb5_config_string, check_boolean, 0 },
{ "save-password", krb5_config_string, check_boolean, 0 },
{ "use_v4_salt", krb5_config_string, NULL, 0 },
@@ -632,6 +652,7 @@ struct entry kcm_entries[] = {
};
struct entry password_quality_entries[] = {
+ { "enforce_on_admin_set", krb5_config_string, check_boolean, 0 },
{ "check_function", krb5_config_string, NULL, 0 },
{ "check_library", krb5_config_string, NULL, 0 },
{ "external_program", krb5_config_string, NULL, 0 },
diff --git a/lib/krb5/verify_krb5_conf.cat8 b/lib/krb5/verify_krb5_conf.cat8
deleted file mode 100644
index 289f2f1cb278..000000000000
--- a/lib/krb5/verify_krb5_conf.cat8
+++ /dev/null
@@ -1,56 +0,0 @@
-VERIFY_KRB5_CONF(8) BSD System Manager's Manual VERIFY_KRB5_CONF(8)
-
-NAME
- verify_krb5_conf -- checks krb5.conf for obvious errors
-
-SYNOPSIS
- verify_krb5_conf [config-file]
-
-DESCRIPTION
- verify_krb5_conf reads the configuration file krb5.conf, or the file
- given on the command line, parses it, checking verifying that the syntax
- is not correctly wrong.
-
- If the file is syntactically correct, verify_krb5_conf tries to verify
- that the contents of the file is of relevant nature.
-
-ENVIRONMENT
- KRB5_CONFIG points to the configuration file to read.
-
-FILES
- /etc/krb5.conf Kerberos 5 configuration file
-
-DIAGNOSTICS
- Possible output from verify_krb5_conf include:
-
- <path>: failed to parse <something> as size/time/number/boolean
- Usually means that <something> is misspelled, or that it contains
- weird characters. The parsing done by verify_krb5_conf is more
- strict than the one performed by libkrb5, so strings that work in
- real life might be reported as bad.
-
- <path>: host not found (<hostname>)
- Means that <path> is supposed to point to a host, but it can't be
- recognised as one.
-
- <path>: unknown or wrong type
- Means that <path> is either a string when it should be a list,
- vice versa, or just that verify_krb5_conf is confused.
-
- <path>: unknown entry
- Means that <string> is not known by verify_krb5_conf.
-
-SEE ALSO
- krb5.conf(5)
-
-BUGS
- Since each application can put almost anything in the config file, it's
- hard to come up with a watertight verification process. Most of the de-
- fault settings are sanity checked, but this does not mean that every
- problem is discovered, or that everything that is reported as a possible
- problem actually is one. This tool should thus be used with some care.
-
- It should warn about obsolete data, or bad practice, but currently
- doesn't.
-
-HEIMDAL December 8, 2004 HEIMDAL
diff --git a/lib/krb5/verify_user.c b/lib/krb5/verify_user.c
index 663196b29b15..c6ead8e42b2d 100644
--- a/lib/krb5/verify_user.c
+++ b/lib/krb5/verify_user.c
@@ -40,7 +40,7 @@ verify_common (krb5_context context,
krb5_keytab keytab,
krb5_boolean secure,
const char *service,
- krb5_creds cred)
+ krb5_creds *cred)
{
krb5_error_code ret;
krb5_principal server;
@@ -56,7 +56,7 @@ verify_common (krb5_context context,
krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
ret = krb5_verify_init_creds(context,
- &cred,
+ cred,
server,
keytab,
NULL,
@@ -71,12 +71,11 @@ verify_common (krb5_context context,
if(ret == 0){
ret = krb5_cc_initialize(context, id, principal);
if(ret == 0){
- ret = krb5_cc_store_cred(context, id, &cred);
+ ret = krb5_cc_store_cred(context, id, cred);
}
if(ccache == NULL)
krb5_cc_close(context, id);
}
- krb5_free_cred_contents(context, &cred);
return ret;
}
@@ -172,10 +171,12 @@ verify_user_opt_int(krb5_context context,
if(ret)
return ret;
#define OPT(V, D) ((vopt && (vopt->V)) ? (vopt->V) : (D))
- return verify_common (context, principal, OPT(ccache, NULL),
+ ret = verify_common (context, principal, OPT(ccache, NULL),
OPT(keytab, NULL), vopt ? vopt->secure : TRUE,
- OPT(service, "host"), cred);
+ OPT(service, "host"), &cred);
#undef OPT
+ krb5_free_cred_contents(context, &cred);
+ return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
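Review bot: The ownership contract of verify_common changed — it no longer frees `cred`, and verify_user_opt_int now releases it after the call — but nothing on verify_common's `krb5_creds *cred` parameter (its definition starts outside this hunk) records that; a comment such as `/* borrowed; caller owns and frees */` would stop a later editor from reintroducing a second free. verify_user_opt_int itself looks right: `cred` is released on both the success and failure paths before `ret` is returned.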
diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map
index 4e7225612a7a..f6278e9ecbf6 100644
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -24,6 +24,8 @@ HEIMDAL_KRB5_2.0 {
krb5_appdefault_time;
krb5_append_addresses;
krb5_auth_con_addflags;
+ krb5_auth_con_add_AuthorizationData;
+ krb5_auth_con_add_AuthorizationDataIfRelevant;
krb5_auth_con_free;
krb5_auth_con_genaddrs;
krb5_auth_con_generatelocalsubkey;
@@ -83,9 +85,12 @@ HEIMDAL_KRB5_2.0 {
krb5_cc_cache_next;
krb5_cc_clear_mcred;
krb5_cc_close;
+ krb5_cc_configured_default_name;
krb5_cc_copy_cache;
krb5_cc_copy_match_f;
krb5_cc_default;
+ krb5_cc_default_for;
+ krb5_cc_default_sub;
krb5_cc_default_name;
krb5_cc_destroy;
krb5_cc_end_seq_get;
@@ -110,6 +115,8 @@ HEIMDAL_KRB5_2.0 {
krb5_cc_register;
krb5_cc_remove_cred;
krb5_cc_resolve;
+ krb5_cc_resolve_for;
+ krb5_cc_resolve_sub;
krb5_cc_retrieve_cred;
krb5_cc_set_config;
krb5_cc_set_default_name;
@@ -183,6 +190,7 @@ HEIMDAL_KRB5_2.0 {
krb5_crypto_init;
krb5_crypto_overhead;
krb5_crypto_prf;
+ krb5_crypto_prfplus;
krb5_crypto_prf_length;
krb5_crypto_length;
krb5_crypto_length_iov;
@@ -196,6 +204,7 @@ HEIMDAL_KRB5_2.0 {
krb5_data_free;
krb5_data_realloc;
krb5_data_zero;
+ krb5_debug;
krb5_decode_Authenticator;
krb5_decode_ETYPE_INFO2;
krb5_decode_ETYPE_INFO;
@@ -362,11 +371,13 @@ HEIMDAL_KRB5_2.0 {
krb5_get_init_creds_opt_set_tkt_life;
krb5_get_init_creds_opt_set_win2k;
krb5_get_init_creds_password;
+ krb5_get_instance;
krb5_get_kdc_cred;
krb5_get_kdc_sec_offset;
krb5_get_krb524hst;
krb5_get_krb_admin_hst;
krb5_get_krb_changepw_hst;
+ krb5_get_krb_readonly_admin_hst;
krb5_get_krbhst;
krb5_get_max_time_skew;
krb5_get_pw_salt;
@@ -379,12 +390,14 @@ HEIMDAL_KRB5_2.0 {
krb5_h_addr2addr;
krb5_h_addr2sockaddr;
krb5_h_errno_to_heim_errno;
+ krb5_have_debug;
krb5_have_error_string;
krb5_hmac;
krb5_init_context;
krb5_init_ets;
krb5_initlog;
krb5_is_config_principal;
+ krb5_is_enctype_old;
krb5_is_enctype_weak;
krb5_is_thread_safe;
krb5_kcm_call;
@@ -428,13 +441,29 @@ HEIMDAL_KRB5_2.0 {
krb5_kt_resolve;
krb5_kt_start_seq_get;
krb5_kuserok;
+ krb5_kx509;
+ krb5_kx509_ctx_add_eku;
+ krb5_kx509_ctx_add_san_dns_name;
+ krb5_kx509_ctx_add_san_ms_upn;
+ krb5_kx509_ctx_add_san_pkinit;
+ krb5_kx509_ctx_add_san_registeredID;
+ krb5_kx509_ctx_add_san_rfc822Name;
+ krb5_kx509_ctx_add_san_xmpp;
+ krb5_kx509_ctx_free;
+ krb5_kx509_ctx_init;
+ krb5_kx509_ctx_set_csr_der;
+ krb5_kx509_ctx_set_key;
+ krb5_kx509_ctx_set_realm;
+ krb5_kx509_ext;
krb5_log;
krb5_log_msg;
krb5_make_addrport;
krb5_make_principal;
krb5_max_sockaddr_size;
+ krb5_mk_1cred;
krb5_mk_error;
krb5_mk_error_ext;
+ krb5_mk_ncred;
krb5_mk_priv;
krb5_mk_rep;
krb5_mk_req;
@@ -466,11 +495,14 @@ HEIMDAL_KRB5_2.0 {
krb5_pac_add_buffer;
krb5_pac_free;
krb5_pac_get_buffer;
+ _krb5_pac_get_buffer_by_name;
+ krb5_pac_get_kdc_checksum_info;
krb5_pac_get_types;
krb5_pac_init;
krb5_pac_parse;
krb5_pac_verify;
krb5_padata_add;
+ _krb5_parse_address_no_lookup;
krb5_parse_address;
krb5_parse_name;
krb5_parse_name_flags;
@@ -495,7 +527,9 @@ HEIMDAL_KRB5_2.0 {
krb5_principal_set_realm;
krb5_principal_set_type;
krb5_principal_is_anonymous;
+ krb5_principal_is_federated;
krb5_principal_is_krbtgt;
+ krb5_principal_is_root_krbtgt;
krb5_print_address;
krb5_program_setup;
krb5_prompter_posix;
@@ -571,6 +605,9 @@ HEIMDAL_KRB5_2.0 {
krb5_sendto_ctx_set_type;
krb5_sendto_kdc;
krb5_sendto_kdc_flags;
+ krb5_sendto_set_hostname;
+ krb5_sendto_set_sitename;
+ krb5_set_config;
krb5_set_config_files;
krb5_set_debug_dest;
krb5_set_default_in_tkt_etypes;
@@ -583,6 +620,7 @@ HEIMDAL_KRB5_2.0 {
krb5_set_home_dir_access;
krb5_set_ignore_addresses;
krb5_set_kdc_sec_offset;
+ krb5_set_log_dest;
krb5_set_max_time_skew;
krb5_set_password;
krb5_set_password_using_ccache;
@@ -609,6 +647,7 @@ HEIMDAL_KRB5_2.0 {
krb5_storage_get_eof_code;
krb5_storage_is_flags;
krb5_storage_read;
+ krb5_storage_stdio_from_fd;
krb5_storage_seek;
krb5_storage_set_byteorder;
krb5_storage_set_eof_code;
@@ -620,9 +659,11 @@ HEIMDAL_KRB5_2.0 {
krb5_store_address;
krb5_store_addrs;
krb5_store_authdata;
+ krb5_store_bytes;
krb5_store_creds;
krb5_store_creds_tag;
krb5_store_data;
+ krb5_store_datalen;
krb5_store_int16;
krb5_store_int32;
krb5_store_int64;
@@ -646,11 +687,13 @@ HEIMDAL_KRB5_2.0 {
krb5_string_to_key_derived;
krb5_string_to_key_salt;
krb5_string_to_key_salt_opaque;
+ krb5_string_to_keysalts2;
krb5_string_to_keytype;
krb5_string_to_salttype;
krb5_ticket_get_authorization_data_type;
krb5_ticket_get_client;
krb5_ticket_get_endtime;
+ krb5_ticket_get_times;
krb5_ticket_get_server;
krb5_timeofday;
krb5_unparse_name;
@@ -699,6 +742,7 @@ HEIMDAL_KRB5_2.0 {
krb5_cccol_cursor_new;
krb5_cccol_cursor_next;
krb5_cccol_cursor_free;
+ krb5_cccol_get_default_ccname;
# com_err error tables
initialize_krb5_error_table_r;
@@ -709,12 +753,15 @@ HEIMDAL_KRB5_2.0 {
initialize_heim_error_table;
initialize_k524_error_table_r;
initialize_k524_error_table;
+ initialize_k5e1_error_table_r;
+ initialize_k5e1_error_table;
# variables
krb5_dcc_ops;
krb5_mcc_ops;
krb5_acc_ops;
krb5_fcc_ops;
+ krb5_krcc_ops;
krb5_scc_ops;
krb5_kcm_ops;
krb5_wrfkt_ops;
@@ -730,6 +777,7 @@ HEIMDAL_KRB5_2.0 {
krb5_cc_type_file;
krb5_cc_type_memory;
krb5_cc_type_kcm;
+ krb5_cc_type_keyring;
krb5_cc_type_scc;
# shared with HDB
@@ -741,6 +789,26 @@ HEIMDAL_KRB5_2.0 {
_krb5_crc_update;
_krb5_get_krbtgt;
_krb5_build_authenticator;
+ _krb5_kt_client_default_name;
+ _krb5_have_debug;
+ _krb5_SP800_108_HMAC_KDF;
+ _krb5_get_ad;
+
+ # Shared with GSSAPI preauth wrapper
+ _krb5_init_creds_set_gss_mechanism;
+ _krb5_init_creds_get_gss_mechanism;
+ _krb5_init_creds_set_gss_cred;
+ _krb5_init_creds_get_gss_cred;
+ _krb5_init_creds_init_gss;
+
+ # Private init_creds API
+ _krb5_init_creds_get_cred_starttime;
+ _krb5_init_creds_get_cred_endtime;
+ _krb5_init_creds_get_cred_client;
+
+ # Shared with libkadm5
+ _krb5_load_plugins;
+ _krb5_unload_plugins;
# Shared with libkdc
_krb5_AES_SHA1_string_to_default_iterator;
@@ -750,19 +818,28 @@ HEIMDAL_KRB5_2.0 {
_krb5_get_int;
_krb5_get_int64;
_krb5_pac_sign;
+ _krb5_pac_get_attributes_info;
+ _krb5_pac_get_canon_principal;
+ _krb5_kdc_pac_sign_ticket;
+ _krb5_kdc_pac_ticket_parse;
+ _kdc_tkt_insert_pac;
+ _kdc_tkt_add_if_relevant_ad;
_krb5_parse_moduli;
_krb5_pk_kdf;
_krb5_pk_load_id;
_krb5_pk_mk_ContentInfo;
_krb5_pk_octetstring2key;
- _krb5_plugin_find;
- _krb5_plugin_free;
_krb5_plugin_run_f;
_krb5_principal2principalname;
_krb5_principalname2krb5_principal;
+ _krb5_kdcrep2krb5_principal;
+ _krb5_ticket2krb5_principal;
_krb5_put_int;
_krb5_s4u2self_to_checksumdata;
_krb5_HMAC_MD5_checksum;
+ _krb5_crypto_set_flags;
+ _krb5_make_pa_enc_challenge;
+ _krb5_validate_pa_enc_challenge;
# kinit helper
krb5_get_init_creds_opt_set_pkinit_user_certs;
@@ -770,24 +847,35 @@ HEIMDAL_KRB5_2.0 {
krb5_process_last_request;
krb5_init_creds_init;
krb5_init_creds_set_service;
+ krb5_init_creds_set_fast_anon_pkinit;
+ _krb5_init_creds_set_fast_anon_pkinit_optimistic;
krb5_init_creds_set_fast_ccache;
krb5_init_creds_set_keytab;
+ krb5_init_creds_set_kdc_hostname;
krb5_init_creds_get;
+ krb5_init_creds_get_as_reply_key;
krb5_init_creds_get_creds;
krb5_init_creds_get_error;
krb5_init_creds_set_password;
+ krb5_init_creds_set_sitename;
+ krb5_init_creds_step;
krb5_init_creds_store;
+ krb5_init_creds_store_config;
krb5_init_creds_free;
+ krb5_init_creds_warn_user;
# testing
+ krb5_time_abs;
_krb5_aes_cts_encrypt;
_krb5_n_fold;
_krb5_expand_default_cc_name;
_krb5_expand_path_tokensv;
+ _krb5_expand_path_tokens;
# FAST
_krb5_fast_cf2;
_krb5_fast_armor_key;
+ _krb5_fast_explicit_armor_key;
# TGS
_krb5_find_capath;
diff --git a/lib/krb5/warn.c b/lib/krb5/warn.c
index 8269aff7416e..65a7db6b8ce1 100644
--- a/lib/krb5/warn.c
+++ b/lib/krb5/warn.c
@@ -31,6 +31,11 @@
* SUCH DAMAGE.
*/
+#if defined(_MSC_VER)
+# pragma warning(disable: 4646)
+# pragma warning(disable: 4716)
+#endif
+
#include "krb5_locl.h"
#include <err.h>
@@ -42,54 +47,16 @@ static krb5_error_code
_warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
{
- char xfmt[7] = "";
- const char *args[2], **arg;
- char *msg = NULL;
- const char *err_str = NULL;
- krb5_error_code ret;
-
- args[0] = args[1] = NULL;
- arg = args;
- if(fmt){
- strlcat(xfmt, "%s", sizeof(xfmt));
- if(do_errtext)
- strlcat(xfmt, ": ", sizeof(xfmt));
- ret = vasprintf(&msg, fmt, ap);
- if(ret < 0 || msg == NULL)
- return ENOMEM;
- *arg++ = msg;
- }
- if(context && do_errtext){
- strlcat(xfmt, "%s", sizeof(xfmt));
-
- err_str = krb5_get_error_message(context, code);
- if (err_str != NULL) {
- *arg = err_str;
- } else {
- *arg= "<unknown error>";
- }
- }
-
- if(context && context->warn_dest)
- krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
+ if (do_errtext)
+ return heim_vwarn(context ? context->hcontext : NULL, code, fmt, ap);
else
- warnx(xfmt, args[0], args[1]);
- free(msg);
- krb5_free_error_message(context, err_str);
- return 0;
+ return heim_vwarnx(context ? context->hcontext : NULL, fmt, ap);
}
-#define FUNC(ETEXT, CODE, LEVEL) \
- krb5_error_code ret; \
- va_list ap; \
- va_start(ap, fmt); \
- ret = _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); \
- va_end(ap);
-
-#define FUNC_NORET(ETEXT, CODE, LEVEL) \
- va_list ap; \
- va_start(ap, fmt); \
- (void) _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); \
+#define FUNC_NORET(ETEXT, CODE, LEVEL) \
+ va_list ap; \
+ va_start(ap, fmt); \
+ (void) _warnerr(context, ETEXT, CODE, LEVEL, fmt, ap); \
va_end(ap);
#undef __attribute__
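Review bot: After the rewrite `_warnerr`'s `level` parameter is unused (the old body passed it to `krb5_log`; the new one forwards only `code` and `fmt` to `heim_vwarn`/`heim_vwarnx`), and `code` is ignored on the `do_errtext == 0` path, yet FUNC_NORET still supplies both. Either drop the dead parameters from `_warnerr` and the macro, or add a comment stating that the warning level is now decided by the heimbase layer, so readers do not assume the value matters. If heim_vwarn does not honour a level, that is a behaviour change for callers that relied on `warn_dest` levels and deserves a mention in the commit description.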
@@ -112,7 +79,7 @@ krb5_vwarn(krb5_context context, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((__format__ (__printf__, 3, 0)))
{
- return _warnerr(context, 1, code, 1, fmt, ap);
+ return heim_vwarn(context ? context->hcontext : NULL, code, fmt, ap);
}
/**
@@ -130,7 +97,12 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 3, 4)))
{
- FUNC(1, code, 1);
+ krb5_error_code ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = krb5_vwarn(context, code, fmt, ap);
+ va_end(ap);
return ret;
}
@@ -148,7 +120,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
__attribute__ ((__format__ (__printf__, 2, 0)))
{
- return _warnerr(context, 0, 0, 1, fmt, ap);
+ return heim_vwarnx(context ? context->hcontext : NULL, fmt, ap);
}
/**
@@ -164,7 +136,12 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_warnx(krb5_context context, const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 2, 3)))
{
- FUNC(0, 0, 1);
+ krb5_error_code ret;
+ va_list ap;
+
+ va_start(ap, fmt);
+ ret = krb5_vwarnx(context, fmt, ap);
+ va_end(ap);
return ret;
}
@@ -181,7 +158,7 @@ krb5_warnx(krb5_context context, const char *fmt, ...)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verr(krb5_context context, int eval, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 4, 0)))
@@ -203,7 +180,7 @@ krb5_verr(krb5_context context, int eval, krb5_error_code code,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_err(krb5_context context, int eval, krb5_error_code code,
const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 4, 5)))
@@ -224,7 +201,7 @@ krb5_err(krb5_context context, int eval, krb5_error_code code,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)))
{
@@ -243,7 +220,7 @@ krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_errx(krb5_context context, int eval, const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)))
{
@@ -264,7 +241,7 @@ krb5_errx(krb5_context context, int eval, const char *fmt, ...)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vabort(krb5_context context, krb5_error_code code,
const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 0)))
@@ -286,7 +263,7 @@ krb5_vabort(krb5_context context, krb5_error_code code,
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 3, 4)))
{
@@ -295,7 +272,7 @@ krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
UNREACHABLE(return 0);
}
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
__attribute__ ((__noreturn__, __format__ (__printf__, 2, 0)))
{
@@ -314,7 +291,7 @@ krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
* @ingroup krb5_error
*/
-KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+KRB5_LIB_NORETURN_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_abortx(krb5_context context, const char *fmt, ...)
__attribute__ ((__noreturn__, __format__ (__printf__, 2, 3)))
{
@@ -335,8 +312,7 @@ krb5_abortx(krb5_context context, const char *fmt, ...)
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
{
- context->warn_dest = fac;
- return 0;
+ return heim_set_warn_dest(context->hcontext, fac);
}
/**
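Review bot: `krb5_set_warn_dest` dereferences `context->hcontext` unconditionally, whereas the rewritten `_warnerr`, `krb5_vwarn` and `krb5_vwarnx` in this file all guard with `context ? context->hcontext : NULL`; `krb5_get_warn_dest` in the next hunk has the same asymmetry. If a NULL context is a supported call here, add the same guard, `return heim_set_warn_dest(context ? context->hcontext : NULL, fac);`, otherwise document on both functions that they require a non-NULL context.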
@@ -350,5 +326,5 @@ krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
KRB5_LIB_FUNCTION krb5_log_facility * KRB5_LIB_CALL
krb5_get_warn_dest(krb5_context context)
{
- return context->warn_dest;
+ return heim_get_warn_dest(context->hcontext);
}