author | Hans Insulander <hin@cvs.openbsd.org> | 2002-02-06 08:56:29 +0000 |
---|---|---|
committer | Hans Insulander <hin@cvs.openbsd.org> | 2002-02-06 08:56:29 +0000 |
commit | adb70fb71f5eaead1f3b0e93cc8dde4d80834bd4 (patch) | |
tree | db4ea359b9b00a9879c10c14456b54f6c54b89e6 /kerberosV | |
parent | 10e53106246dde7c85af170458d4800471d42fbe (diff) |
Import of heimdal-0.4e
Diffstat (limited to 'kerberosV')
125 files changed, 4856 insertions, 1226 deletions
diff --git a/kerberosV/src/ChangeLog b/kerberosV/src/ChangeLog index bab7d0b7c0d..5442e497cdd 100644 --- a/kerberosV/src/ChangeLog +++ b/kerberosV/src/ChangeLog 
@@ -1,3 +1,514 @@ +2001-09-03 Assar Westerlund <assar@sics.se> + + * Release 0.4e + +2001-09-02 Johan Danielsson <joda@pdc.kth.se> + + * kuser/Makefile.am: install kauth as a symlink to kinit + + * kuser/kinit.c: get v4_tickets by default + + * lib/asn1/Makefile.am: fix for broken automake + +2001-08-31 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/hdb-ldap.c: some pretty much untested changes from Luke + Howard + + * kuser/kinit.1: remove references to kauth + + * kuser/Makefile.am: kauth is no more + + * kuser/kinit.c: use appdefaults for everything. defaults are now + as in kauth. + + * lib/krb5/appdefault.c: also check libdefaults, and realms/realm + + * lib/krb5/context.c (krb5_free_context): free more stuff + +2001-08-30 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/verify_krb5_conf.c: do some checks of the values in the + file + + * lib/krb5/krb5.conf.5: remove srv_try_txt, fix spelling + + * lib/krb5/context.c: don't init srv_try_txt, since it isn't used + anymore + +2001-08-29 Jacques Vidrine <n@nectar.com> + + * configure.in: Check for already-installed com_err. + +2001-08-28 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set versoin to 18:2:1 + +2001-08-24 Assar Westerlund <assar@sics.se> + + * kuser/Makefile.am: remove CHECK_LOCAL - non bin programs require + no special treatment now + + * kuser/generate-requests.c: parse arguments in a useful way + * kuser/kverify.c: add --help/--verify + +2001-08-22 Assar Westerlund <assar@sics.se> + + * configure.in: bump prereq to 2.52 remove unused test_LIB_KRB4 + + * configure.in: re-write the handling of crypto libraries. try to + use the one of openssl's libcrypto or krb4's libdes that has all + the required functionality (md4, md5, sha1, des, rc4). if there + is no such library, the included lib/des is built. 
+ + * kdc/headers.h: include libutil.h if it exists + * kpasswd/kpasswd_locl.h: include libutil.h if it exists + * kdc/kerberos4.c (get_des_key): check for null keys even if + is_server + +2001-08-21 Assar Westerlund <assar@sics.se> + + * lib/asn1/asn1_print.c: print some size_t correctly + * configure.in: remove extra space after -L check for libutil.h + +2001-08-17 Johan Danielsson <joda@pdc.kth.se> + + * kdc/kdc_locl.h: fix prototype for get_des_key + + * kdc/kaserver.c: fix call to get_des_key + + * kdc/524.c: fix call to get_des_key + + * kdc/kerberos4.c (get_des_key): if getting a key for a server, + return any des-key not just keys that can be string-to-keyed by + the client + +2001-08-10 Assar Westerlund <assar@sics.se> + + * Release 0.4d + +2001-08-10 Assar Westerlund <assar@sics.se> + + * configure.in: check for openpty + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:4:0 + +2001-08-08 Assar Westerlund <assar@sics.se> + + * configure.in: just add -L (if required) from krb4 when testing + for libdes/libcrypto + +2001-08-04 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (man_MANS): add some missing man pages + * fix-export: fix the sed expression for finding the man pages + +2001-07-31 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswd-generator.c (main): implement --version and + --help + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): update version to + 18:1:1 + +2001-07-27 Assar Westerlund <assar@sics.se> + + * lib/krb5/context.c (init_context_from_config_file): check + parsing of addresses + +2001-07-26 Assar Westerlund <assar@sics.se> + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): rename + sa_len -> salen to avoid the macro that's defined on irix. noted + by "Jacques A. 
Vidrine" <n@nectar.com> + +2001-07-24 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/addr_families.c: add support for type + KRB5_ADDRESS_ADDRPORT + + * lib/krb5/addr_families.c (krb5_address_order): complain about + unsuppored address types + +2001-07-23 Johan Danielsson <joda@pdc.kth.se> + + * admin/get.c: don't open connection to server until we loop over + the principals, at that time we know the realm of the (first) + principal and we can default to that admin server + + * admin: add a rename command + +2001-07-19 Assar Westerlund <assar@sics.se> + + * kdc/hprop.c (usage): clarify a tiny bit + +2001-07-19 Assar Westerlund <assar@sics.se> + + * Release 0.4c + +2001-07-19 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): bump version to + 18:0:1 + + * lib/krb5/get_for_creds.c (krb5_fwd_tgt_creds): make it behave + the same way as the MIT function + + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): update to 7:3:0 + * lib/krb5/sock_principal.c (krb5_sock_to_principal): use + getnameinfo + + * lib/krb5/krbhst.c (srv_find_realm): handle port numbers + consistenly in local byte order + + * lib/krb5/get_default_realm.c (krb5_get_default_realm): set an + error string + + * kuser/kinit.c (renew_validate): invert condition correctly. 
get + v4 tickets if we succeed renewing + * lib/krb5/principal.c (krb5_principal_get_type): add + (default_v4_name_convert): add "smtp" + +2001-07-13 Assar Westerlund <assar@sics.se> + + * configure.in: remove make-print-version from LIBOBJS, it's no + longer in lib/roken but always built in lib/vers + +2001-07-12 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/mkey.c: more set_error_string + +2001-07-12 Assar Westerlund <assar@sics.se> + + * lib/hdb/Makefile.am (libhdb_la_LIBADD): add required library + dependencies + + * lib/asn1/Makefile.am (libasn1_la_LIBADD): add required library + dependencies + +2001-07-11 Johan Danielsson <joda@pdc.kth.se> + + * kdc/hprop.c: remove v4 master key handling; remove old v4-db and + ka-db flags; add defaults for v4_realm and afs_cell + +2001-07-09 Assar Westerlund <assar@sics.se> + + * lib/krb5/sock_principal.c (krb5_sock_to_principal): copy hname + before calling krb5_sname_to_principal. from "Jacques A. Vidrine" + <n@nectar.com> + +2001-07-08 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/context.c: use krb5_copy_addresses instead of + copy_HostAddresses + +2001-07-06 Assar Westerlund <assar@sics.se> + + * configure.in (LIB_des_a, LIB_des_so): add these so that they can + be used by lib/auth/sia + + * kuser/kinit.c: re-do some of the v4 fallbacks: look at + get-tokens flag do not print extra errors do not try to do 524 if + we got tickets from a v4 server + +2001-07-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/replay.c (krb5_get_server_rcache): cast argument to + printf + + * lib/krb5/get_addrs.c (find_all_addresses): call free_addresses + on ignore_addresses correctly + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): change to take a + const realm + + * lib/krb5/principal.c (krb5_425_conv_principal_ext): if the + instance is the first component of the local hostname, the + converted host should be the long hostname. 
from + <shadow@dementia.org> + +2001-07-02 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/Makefile.am: address.c is no more; add a couple of + manpages + + * lib/krb5/krb5_timeofday.3: new manpage + + * lib/krb5/krb5_get_all_client_addrs.3: new manpage + + * lib/krb5/get_in_tkt.c (init_as_req): treat no addresses as + wildcard + + * lib/krb5/get_cred.c (get_cred_kdc_la): treat no addresses as + wildcard + + * lib/krb5/get_addrs.c: don't include client addresses that match + ignore_addresses + + * lib/krb5/context.c: initialise ignore_addresses + + * lib/krb5/addr_families.c: add new `arange' fake address type, + that matches more than one address; this required some internal + changes to many functions, so all of address.c got moved here + (wasn't much left there) + + * lib/krb5/krb5.h: add list of ignored addresses to context + +2001-07-03 Assar Westerlund <assar@sics.se> + + * Release 0.4b + +2001-07-03 Assar Westerlund <assar@sics.se> + + * lib/krb5/Makefile.am (libkrb5_la_LDFLAGS): set version to 17:0:0 + * lib/hdb/Makefile.am (libhdb_la_LDFLAGS): set version to 7:2:0 + +2001-07-03 Assar Westerlund <assar@sics.se> + + * Release 0.4a + +2001-07-02 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: make this compile without krb4 support + + * lib/krb5/write_message.c: remove priv parameter from + write_safe_message; don't know why it was there in the first place + + * doc/install.texi: remove kaserver switches, it's always compiled + in now + + * kdc/hprop.c: always include kadb support + + * kdc/kaserver.c: always include kaserver support + +2001-07-02 Assar Westerlund <assar@sics.se> + + * kpasswd/kpasswdd.c (doit): make failing to bind a socket a + non-fatal error, and abort if no sockets were bound + +2001-07-01 Assar Westerlund <assar@sics.se> + + * lib/krb5/krbhst.c: remember the real port number when falling + back from kpasswd -> kadmin, and krb524 -> kdc + +2001-06-29 Assar Westerlund <assar@sics.se> + + * lib/krb5/get_for_creds.c 
(krb5_get_forwarded_creds): if + no_addresses is set, do not add any local addresses to KRB_CRED + + * kuser/kinit.c: remove extra clearing of password and some + redundant code + +2001-06-29 Johan Danielsson <joda@pdc.kth.se> + + * kuser/kinit.c: move ticket conversion code to separate function, + and call that from a couple of places, like when renewing a + ticket; also add a flag for just converting a ticket + + * lib/krb5/init_creds_pw.c: set renew-life to some sane value + + * kdc/524.c: don't send more data than required + +2001-06-24 Assar Westerlund <assar@sics.se> + + * lib/krb5/store_fd.c (krb5_storage_from_fd): check malloc returns + + * lib/krb5/keytab_any.c (any_resolve); improving parsing of ANY: + (any_start_seq_get): remove a double free + (any_next_entry): iterate over all (sub) keytabs and avoid leave data + around to be freed again + + * kdc/kdc_locl.h: add a define for des_new_random_key when using + openssl's libcrypto + + * configure.in: move v6 tests down + + * lib/krb5/krb5.h (krb5_context_data): remove srv_try_rfc2052 + + * update to libtool 1.4 and autoconf 2.50 + +2001-06-22 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/hdb.c: use krb5_add_et_list + +2001-06-21 Johan Danielsson <joda@pdc.kth.se> + + * lib/hdb/Makefile.am: add generation number + * lib/hdb/common.c: add generation number code + * lib/hdb/hdb.asn1: add generation number + * lib/hdb/print.c: use krb5_storage to make it more dynamic + +2001-06-21 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.conf.5: update to changed names used by + krb5_get_init_creds_opt_set_default_flags + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): make the appdefault + keywords have the same names + + * configure.in: only add -L and -R to the krb4 libdir if we are + actually using it + + * lib/krb5/krbhst.c (fallback_get_hosts): do not copy trailing + dot of hostname add some comments + * lib/krb5/krbhst.c: use getaddrinfo instead of dns_lookup when + testing for 
kerberos.REALM. this allows reusing that information + when actually contacting the server and thus avoids one DNS lookup + +2001-06-20 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: include k524_err.h + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): don't test + for keytype, the server will do this for us if it has anything to + complain about + + * lib/krb5/context.c: add protocol compatible krb524 error codes + + * lib/krb5/Makefile.am: add protocol compatible krb524 error codes + + * lib/krb5/k524_err.et: add protocol compatible krb524 error codes + + * lib/krb5/krb5_principal_get_realm.3: manpage + + * lib/krb5/principal.c: add functions `krb5_principal_get_realm' + and `krb5_principal_get_comp_string' that returns parts of a + principal; this is a replacement for the internal + `krb5_princ_realm' and `krb5_princ_component' macros that everyone + seem to use + +2001-06-19 Assar Westerlund <assar@sics.se> + + * kuser/kinit.c (main): dereference result from krb5_princ_realm. 
+ from Thomas Nystrom <thn@saeab.se> + +2001-06-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/mk_req.c (krb5_mk_req_exact): free creds when done + * lib/krb5/crypto.c (krb5_string_to_key_derived): fix memory leak + * lib/krb5/krbhst.c (config_get_hosts): free hostlist + * kuser/kinit.c: free principal + +2001-06-18 Assar Westerlund <assar@sics.se> + + * lib/krb5/send_to_kdc.c (krb5_sendto): remove an extra + freeaddrinfo + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc_ccache): + remove some unused variables + + * lib/krb5/krbhst.c (admin_get_next): spell kerberos correctly + * kdc/kerberos5.c: update to new krb5_auth_con* names + * kdc/hpropd.c: update to new krb5_auth_con* names + * lib/krb5/rd_req.c (krb5_rd_req): use krb5_auth_con* functions + and remove some comments + * lib/krb5/rd_safe.c (krb5_rd_safe): pick the keys in the right + order: remote - local - session + * lib/krb5/rd_rep.c (krb5_rd_rep): save the remote sub key in the + auth_context + * lib/krb5/rd_priv.c (krb5_rd_priv): pick keys in the correct + order: remote - local - session + * lib/krb5/mk_safe.c (krb5_mk_safe): pick keys in the right order, + local - remote - session + +2001-06-18 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/convert_creds.c: use starttime instead of authtime, + from Chris Chiappa + + * lib/krb5/convert_creds.c: make krb524_convert_creds_kdc match + the MIT function by the same name; add + krb524_convert_creds_kdc_ccache that does what the old version did + + * admin/list.c (do_list): make sure list of keys is NULL + terminated; similar to patch sent by Chris Chiappa + +2001-06-18 Assar Westerlund <assar@sics.se> + + * lib/krb5/mcache.c (mcc_remove_cred): use + krb5_free_creds_contents + + * lib/krb5/auth_context.c: name function krb5_auth_con more + consistenly + * lib/krb5/rd_req.c (krb5_verify_authenticator_checksum): use + renamed krb5_auth_con_getauthenticator + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): update to + use krb5_krbhst API 
+ * lib/krb5/changepw.c (krb5_change_password): update to use + krb5_krbhst API + * lib/krb5/send_to_kdc.c: update to use krb5_krbhst API + * lib/krb5/krbhst.c (krb5_krbhst_get_addrinfo): add set def_port + in krb5_krbhst_info + (krb5_krbhst_free): free everything + + * lib/krb5/krb5.h (KRB5_VERIFY_NO_ADDRESSES): add + (krb5_krbhst_info): add def_port (default port for this service) + + * lib/krb5/krbhst-test.c: make it more verbose and useful + * lib/krb5/krbhst.c: remove some more memory leaks do not try any + dns operations if there is local configuration admin: fallback to + kerberos.REALM 524: fallback to kdcs kpasswd: fallback to admin + add some comments + + * configure.in: remove initstate and setstate, they should be in + cf/roken-frag.m4 + + * lib/krb5/Makefile.am (noinst_PROGRAMS): add krbhst-test + * lib/krb5/krbhst-test.c: new program for testing krbhst + * lib/krb5/krbhst.c (common_init): remove memory leak + (main): move test program into krbhst-test + +2001-06-17 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5_krbhst_init.3: manpage + + * lib/krb5/krb5_get_krbhst.3: manpage + +2001-06-16 Johan Danielsson <joda@pdc.kth.se> + + * lib/krb5/krb5.h: add opaque krb5_krbhst_handle type + + * lib/krb5/krbhst.c: change void* to krb5_krbhst_handle + + * lib/krb5/krb5.h: types for new krbhst api + + * lib/krb5/krbhst.c: implement a new api that looks up one host at + a time, instead of making a list of hosts + +2001-06-09 Johan Danielsson <joda@pdc.kth.se> + + * configure.in: test for initstate and setstate + + * lib/krb5/krbhst.c: remove rfc2052 support + +2001-06-08 Johan Danielsson <joda@pdc.kth.se> + + * fix some manpages for broken mdoc.old grog test + +2001-05-28 Assar Westerlund <assar@sics.se> + + * lib/krb5/krb5.conf.5: add [appdefaults] + * lib/krb5/init_creds_pw.c: remove configuration reading that is + now done in krb5_get_init_creds_opt_set_default_flags + * lib/krb5/init_creds.c + (krb5_get_init_creds_opt_set_default_flags): add reading of 
+ libdefaults versions of these and add no_addresses + + * lib/krb5/get_in_tkt.c (krb5_get_in_cred): clear error string + when preauth was required and we retry + +2001-05-25 Assar Westerlund <assar@sics.se> + + * lib/krb5/convert_creds.c (krb524_convert_creds_kdc): call + krb5_get_krb524hst + * lib/krb5/krbhst.c (krb5_get_krb524hst): add and restructure the + support functions + +2001-05-22 Assar Westerlund <assar@sics.se> + + * kdc/kerberos5.c (tgs_rep2): alloc and free csec and cusec + properly + 2001-05-17 Assar Westerlund <assar@sics.se> * Release 0.3f @@ -10,6 +521,10 @@ * lib/krb5/keytab_krb4.c: add SRVTAB as an alias for krb4 * lib/krb5/codec.c: remove dead code +2001-05-17 Johan Danielsson <joda@pdc.kth.se> + + * kdc/config.c: actually check the ticket addresses + 2001-05-15 Assar Westerlund <assar@sics.se> * lib/krb5/rd_error.c (krb5_error_from_rd_error): use correct @@ -21,6 +536,10 @@ 2001-05-14 Johan Danielsson <joda@pdc.kth.se> + * lib/krb5/verify_user.c: krb5_verify_user_opt + + * lib/krb5/krb5.h: verify_opt + * kdc/kerberos5.c: pass context to krb5_domain_x500_decode 2001-05-14 Assar Westerlund <assar@sics.se> diff --git a/kerberosV/src/Makefile.in b/kerberosV/src/Makefile.in index e1043f46f94..e2ba670d751 100644 --- a/kerberosV/src/Makefile.in +++ b/kerberosV/src/Makefile.in 
@@ -69,26 +69,36 @@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ CC = @CC@ +COMPILE_ET = @COMPILE_ET@ CPP = @CPP@ CXX = @CXX@ CXXCPP = @CXXCPP@ DBLIB = @DBLIB@ DEPDIR = @DEPDIR@ +DIR_com_err = @DIR_com_err@ DIR_des = @DIR_des@ DIR_roken = @DIR_roken@ DLLTOOL = @DLLTOOL@ +ECHO = @ECHO@ EXEEXT = @EXEEXT@ EXTRA_LIB45 = @EXTRA_LIB45@ GROFF = @GROFF@ INCLUDES_roken = @INCLUDES_roken@ INCLUDE_ = @INCLUDE_@ +INCLUDE_des = @INCLUDE_des@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBTOOL = @LIBTOOL@ LIB_ = @LIB_@ LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ +LIB_NDBM = @LIB_NDBM@ +LIB_com_err = @LIB_com_err@ +LIB_com_err_a = @LIB_com_err_a@ +LIB_com_err_so = @LIB_com_err_so@ LIB_des = @LIB_des@ +LIB_des_a = @LIB_des_a@ LIB_des_appl = @LIB_des_appl@ +LIB_des_so = @LIB_des_so@ LIB_kdb = @LIB_kdb@ LIB_otp = @LIB_otp@ LIB_roken = @LIB_roken@ @@ -120,21 +130,19 @@ install_sh = @install_sh@ # $KTH: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ -# $KTH: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $ +# $KTH: Makefile.am.common,v 1.31 2001/09/01 11:12:18 assar Exp $ -AUTOMAKE_OPTIONS = foreign no-dependencies +AUTOMAKE_OPTIONS = foreign no-dependencies 1.4b SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) -AM_CFLAGS = $(WFLAGS) +AM_CFLAGS = $(WFLAGS) CP = cp -COMPILE_ET = $(top_builddir)/lib/com_err/compile_et - buildinclude = $(top_builddir)/include LIB_XauReadAuth = @LIB_XauReadAuth@ @@ -152,8 +160,8 @@ LIB_getsockopt = @LIB_getsockopt@ LIB_logout = @LIB_logout@ LIB_logwtmp = @LIB_logwtmp@ LIB_odm_initialize = @LIB_odm_initialize@ +LIB_openpty = @LIB_openpty@ LIB_pidfile = @LIB_pidfile@ -LIB_readline = @LIB_readline@ LIB_res_search = @LIB_res_search@ LIB_setpcred = @LIB_setpcred@ LIB_setsockopt = @LIB_setsockopt@ @@ -175,6 +183,7 @@ INCLUDE_openldap = @INCLUDE_openldap@ LIB_openldap = @LIB_openldap@ INCLUDE_readline = @INCLUDE_readline@ +LIB_readline = @LIB_readline@ LEXLIB = @LEXLIB@ 
@@ -227,28 +236,30 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status && CONFIG_FILES=$@ CONFIG_HEADERS= $(SHELL) ./config.status $(ACLOCAL_M4): configure.in acinclude.m4 cf/aix.m4 cf/auth-modules.m4 \ - cf/broken-getnameinfo.m4 cf/broken-glob.m4 \ - cf/broken-realloc.m4 cf/broken-snprintf.m4 cf/broken.m4 \ - cf/broken2.m4 cf/c-attribute.m4 cf/c-function.m4 \ - cf/capabilities.m4 cf/check-declaration.m4 \ + cf/broken-getaddrinfo.m4 cf/broken-getnameinfo.m4 \ + cf/broken-glob.m4 cf/broken-realloc.m4 \ + cf/broken-snprintf.m4 cf/broken.m4 cf/broken2.m4 \ + cf/c-attribute.m4 cf/c-function.m4 cf/capabilities.m4 \ + cf/check-compile-et.m4 cf/check-declaration.m4 \ cf/check-getpwnam_r-posix.m4 cf/check-man.m4 \ cf/check-netinet-ip-and-tcp.m4 cf/check-type-extra.m4 \ - cf/check-var.m4 cf/check-x.m4 cf/check-xau.m4 cf/db.m4 \ - cf/find-func-no-libs.m4 cf/find-func-no-libs2.m4 \ - cf/find-func.m4 cf/find-if-not-broken.m4 \ - cf/grok-type.m4 cf/have-pragma-weak.m4 \ - cf/have-struct-field.m4 cf/have-type.m4 \ - cf/have-types.m4 cf/krb-bigendian.m4 cf/krb-find-db.m4 \ - cf/krb-func-getcwd-broken.m4 cf/krb-func-getlogin.m4 \ - cf/krb-ipv6.m4 cf/krb-irix.m4 cf/krb-prog-ln-s.m4 \ - cf/krb-prog-ranlib.m4 cf/krb-prog-yacc.m4 \ - cf/krb-readline.m4 cf/krb-struct-spwd.m4 \ - cf/krb-struct-winsize.m4 cf/krb-sys-aix.m4 \ - cf/krb-sys-nextstep.m4 cf/krb-version.m4 cf/mips-abi.m4 \ - cf/misc.m4 cf/need-proto.m4 cf/osfc2.m4 \ - cf/proto-compat.m4 cf/retsigtype.m4 cf/roken-frag.m4 \ - cf/roken.m4 cf/shared-libs.m4 cf/test-package.m4 \ - cf/wflags.m4 + cf/check-var.m4 cf/check-x.m4 cf/check-xau.m4 \ + cf/crypto.m4 cf/db.m4 cf/find-func-no-libs.m4 \ + cf/find-func-no-libs2.m4 cf/find-func.m4 \ + cf/find-if-not-broken.m4 cf/grok-type.m4 \ + cf/have-pragma-weak.m4 cf/have-struct-field.m4 \ + cf/have-type.m4 cf/have-types.m4 cf/krb-bigendian.m4 \ + cf/krb-find-db.m4 cf/krb-func-getcwd-broken.m4 \ + cf/krb-func-getlogin.m4 cf/krb-ipv6.m4 cf/krb-irix.m4 \ + cf/krb-prog-ln-s.m4 
cf/krb-prog-ranlib.m4 \ + cf/krb-prog-yacc.m4 cf/krb-readline.m4 \ + cf/krb-struct-spwd.m4 cf/krb-struct-winsize.m4 \ + cf/krb-sys-aix.m4 cf/krb-sys-nextstep.m4 \ + cf/krb-version.m4 cf/mips-abi.m4 cf/misc.m4 \ + cf/need-proto.m4 cf/osfc2.m4 cf/proto-compat.m4 \ + cf/retsigtype.m4 cf/roken-frag.m4 cf/roken.m4 \ + cf/shared-libs.m4 cf/test-package.m4 cf/wflags.m4 \ + cf/with-all.m4 cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) config.status: $(srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) diff --git a/kerberosV/src/NEWS b/kerberosV/src/NEWS index a53da3abdcc..1e0ccc015b8 100644 --- a/kerberosV/src/NEWS +++ b/kerberosV/src/NEWS 
@@ -1,3 +1,74 @@ +Changes in release 0.4e + + * improve libcrypto and database autoconf tests + + * do not care about salting of server principals when serving v4 requests + + * some improvements to gssapi library + + * test for existing compile_et/libcom_err + + * portability fixes + + * bug fixes + +Changes in release 0.4d + + * fix some problems when using libcrypto from openssl + + * handle /dev/ptmx `unix98' ptys on Linux + + * add some forgotten man pages + + * rsh: clean-up and add man page + + * fix -A and -a in builtin-ls in tpd + + * fix building problem on Irix + + * make `ktutil get' more efficient + + * bug fixes + +Changes in release 0.4c + + * fix buffer overrun in telnetd + + * repair some of the v4 fallback code in kinit + + * add more shared library dependencies + + * simplify and fix hprop handling of v4 databases + + * fix some building problems (osf's sia and osfc2 login) + + * bug fixes + +Changes in release 0.4b + + * update the shared library version numbers correctly + +Changes in release 0.4a + + * corrected key used for checksum in mk_safe, unfortunately this + makes it backwards incompatible + + * update to autoconf 2.50, libtool 1.4 + + * re-write dns/config lookups (krb5_krbhst API) + + * make order of using subkeys consistent + + * add man page links + + * add more man pages + + * remove rfc2052 support, now only rfc2782 is supported + + * always build with kaserver protocol support in the KDC (assuming + KRB4 is enabled) and support for reading kaserver databases in + hprop + Changes in release 0.3f * change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab, diff --git a/kerberosV/src/TODO b/kerberosV/src/TODO index 2ceafdd71e2..a5fd1e2ea0e 100644 --- a/kerberosV/src/TODO +++ b/kerberosV/src/TODO 
@@ -1,13 +1,9 @@ -*- indented-text -*- -$KTH: TODO,v 1.55 2001/01/30 22:51:32 assar Exp $ +$KTH: TODO,v 1.66 2001/08/09 08:43:42 assar Exp $ * configure -use more careful checking before starting to use berkeley db. it only -makes sense to do so if we have the appropriate library and the header -file. - handle readline hiding in readline/readline.h * appl @@ -38,6 +34,8 @@ prepend a prefix on all generated symbols ** lib/auth +** lib/auth/sia + PAM ** lib/com_err @@ -70,21 +68,18 @@ fix to use rpc? ** lib/krb5 -rewrite the lookup of KDCs to handle kerberos-<n> and not do any DNS -requests if the information can be found locally. this requires stop -using krb5_get_krbhst. - the replay cache is, in its current state, not very useful -always generates a new subkey in an authenticator - -should the sequence numbers be XORed? - OTP? make checksum/encryption type configuration more realm-specific. make some simple way of handling the w2k situtation -crypto: allow scather/gather creation of checksums +crypto: allow scatter/gather creation of checksums + +verify_user: handle non-secure verification failing because of +host->realm mapping + +config_file: do it in case-sensitive and/or insensitive ** lib/roken diff --git a/kerberosV/src/TODO-1.0 b/kerberosV/src/TODO-1.0 new file mode 100644 index 00000000000..ade5a79639e --- /dev/null +++ b/kerberosV/src/TODO-1.0 @@ -0,0 +1,12 @@ +- sort out hprop:ing +- figure out hostname case sensitive issues +- verify_user: handle non-secure verification failing because of + host->realm mapping +- gssapi rc4 mechanism +- PAM? +- kadmin: make it happy with reading and parsing kdc.conf +- handle readline hiding in readline/readline.h +- berkeley db circus +- v4->v5 conversion in kdc + +include TODO-shadow diff --git a/kerberosV/src/TODO-shadow b/kerberosV/src/TODO-shadow new file mode 100644 index 00000000000..313438d1afe --- /dev/null +++ b/kerberosV/src/TODO-shadow 
@@ -0,0 +1,6 @@ +-krb5_fwd_tgt_creds() is still broken +-the 4 to 5 principal thing +-gss_acquire_cred still doesn't allow an alternate keytab +-and the db lib versus headers thing + +/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt diff --git a/kerberosV/src/acconfig.h b/kerberosV/src/acconfig.h index 4ef0398bee0..9dabe370e34 100644 --- a/kerberosV/src/acconfig.h +++ b/kerberosV/src/acconfig.h @@ -48,14 +48,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } #define SGTTY #endif -/* - * Define NDBM if you are using the 4.3 ndbm library (which is part of - * libc). If not defined, 4.2 dbm will be assumed. - */ -#if defined(HAVE_DBM_FIRSTKEY) -#define NDBM -#endif - /* telnet stuff ----------------------------------------------- */ #if defined(ENCRYPTION) && !defined(AUTHENTICATION) diff --git a/kerberosV/src/admin/add.c b/kerberosV/src/admin/add.c index c7713918630..dabc37767cf 100644 --- a/kerberosV/src/admin/add.c +++ b/kerberosV/src/admin/add.c @@ -33,7 +33,7 @@ #include "ktutil_locl.h" -RCSID("$KTH: add.c,v 1.2 2001/05/10 15:39:15 assar Exp $"); +RCSID("$KTH: add.c,v 1.3 2001/07/23 09:46:40 joda Exp $"); int kt_add(int argc, char **argv) @@ -78,24 +78,9 @@ kt_add(int argc, char **argv) arg_printusage(args, num_args, "ktutil add", ""); return 1; } - if (keytab_string == NULL) { - ret = krb5_kt_default_modify_name (context, keytab_buf, - sizeof(keytab_buf)); - if (ret) { - krb5_warn(context, ret, "krb5_kt_default_modify_name"); - return 1; - } - keytab_string = keytab_buf; - } - ret = krb5_kt_resolve(context, keytab_string, &keytab); - if (ret) { - krb5_warn(context, ret, "resolving keytab %s", keytab_string); + if((keytab = ktutil_open_keytab()) == NULL) return 1; - } - if (verbose_flag) - fprintf (stderr, "Using keytab %s\n", keytab_string); - memset(&entry, 0, sizeof(entry)); if(principal_string == NULL) { printf("Principal: "); 
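Review bot: Once the keytab resolution in kt_add is replaced by `ktutil_open_keytab()`, the locals the removed code used — `keytab_buf`, and `keytab_string` if it is declared in this function rather than as a ktutil-wide global — appear to have no remaining reader in kt_add, which would now be an unused-variable warning; the same replacement is made in the change.c hunk and in the second get.c hunk, where the same check applies. The helper also absorbs two diagnostics the removed block produced, the `Using keytab %s` line under `verbose_flag` and the keytab name in the failure warning, so if `ktutil_open_keytab()` does not emit both, the user loses them at three call sites. A short comment at the call site would make the contract visible, e.g. `/* ktutil_open_keytab() warns on failure and honours verbose_flag itself */`, once that is confirmed against its definition. kt_add begins and ends outside this hunk.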
diff --git a/kerberosV/src/admin/change.c b/kerberosV/src/admin/change.c index e1f0530867e..1e89db4fc8f 100644 --- a/kerberosV/src/admin/change.c +++ b/kerberosV/src/admin/change.c @@ -33,7 +33,7 @@ #include "ktutil_locl.h" -RCSID("$KTH: change.c,v 1.3 2001/05/10 15:40:07 assar Exp $"); +RCSID("$KTH: change.c,v 1.4 2001/07/23 09:46:40 joda Exp $"); static void change_entry (krb5_context context, krb5_keytab keytab, @@ -150,24 +150,9 @@ kt_change (int argc, char **argv) return 1; } - if (keytab_string == NULL) { - ret = krb5_kt_default_modify_name (context, keytab_buf, - sizeof(keytab_buf)); - if (ret) { - krb5_warn(context, ret, "krb5_kt_default_modify_name"); - return 1; - } - keytab_string = keytab_buf; - } - ret = krb5_kt_resolve(context, keytab_string, &keytab); - if (ret) { - krb5_warn(context, ret, "resolving keytab %s", keytab_string); + if((keytab = ktutil_open_keytab()) == NULL) return 1; - } - if (verbose_flag) - fprintf (stderr, "Using keytab %s\n", keytab_string); - j = 0; max = 10; princs = malloc (max * sizeof(*princs)); diff --git a/kerberosV/src/admin/get.c b/kerberosV/src/admin/get.c index c5112265709..d800cefa7d4 100644 --- a/kerberosV/src/admin/get.c +++ b/kerberosV/src/admin/get.c 
@@ -33,14 +33,55 @@ #include "ktutil_locl.h" -RCSID("$KTH: get.c,v 1.18 2001/05/10 15:42:01 assar Exp $"); +RCSID("$KTH: get.c,v 1.20 2001/07/23 14:30:09 joda Exp $"); + +static void* +open_kadmin_connection(char *principal, + const char *realm, + char *admin_server, + int server_port) +{ + krb5_error_code ret; + kadm5_config_params conf; + void *kadm_handle; + memset(&conf, 0, sizeof(conf)); + + if(realm) { + conf.realm = (char*)realm; + conf.mask |= KADM5_CONFIG_REALM; + } + + if (admin_server) { + conf.admin_server = admin_server; + conf.mask |= KADM5_CONFIG_ADMIN_SERVER; + } + + if (server_port) { + conf.kadmind_port = htons(server_port); + conf.mask |= KADM5_CONFIG_KADMIND_PORT; + } + + /* should get realm from each principal, instead of doing + everything with the same (local) realm */ + + ret = kadm5_init_with_password_ctx(context, + principal, + NULL, + KADM5_ADMIN_SERVICE, + &conf, 0, 0, + &kadm_handle); + if(ret) { + krb5_warn(context, ret, "kadm5_init_with_password"); + return NULL; + } + return kadm_handle; +} int kt_get(int argc, char **argv) { krb5_error_code ret = 0; krb5_keytab keytab; - kadm5_config_params conf; void *kadm_handle = NULL; char *principal = NULL; char *realm = NULL; 
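Review bot: `open_kadmin_connection` carries over the comment `should get realm from each principal, instead of doing everything with the same (local) realm`, but the realm is now an argument the caller picks, so the comment describes a decision this function no longer makes; replace it with a contract comment on the function, e.g. `/* Open a kadm5 connection as PRINCIPAL to the admin server of REALM (NULL: context default); returns the handle or NULL after warning. */`. The `(char*)realm` cast quietly discards the const the parameter promises; if `kadm5_config_params.realm` really is a non-const `char *`, either declare the parameter `char *` or add a comment that kadm5 does not write through it, so the cast does not look like it hides a real mutation. `conf.kadmind_port = htons(server_port)` still stores an unchecked `int` into the port field; that conversion predates this change, but with the helper now the single place the port is handled it is the natural spot for a range check. kt_get, whose head is the tail of this hunk, continues outside it.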
@@ -78,29 +119,24 @@ kt_get(int argc, char **argv) args[4].value = &server_port; args[5].value = &help_flag; - memset(&conf, 0, sizeof(conf)); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind) || help_flag) { arg_printusage(args, sizeof(args) / sizeof(args[0]), "ktutil get", "principal..."); return 1; } - - if (keytab_string == NULL) { - ret = krb5_kt_default_modify_name (context, keytab_buf, - sizeof(keytab_buf)); - if (ret) { - krb5_warn(context, ret, "krb5_kt_default_modify_name"); - return 1; - } - keytab_string = keytab_buf; - } - ret = krb5_kt_resolve(context, keytab_string, &keytab); - if (ret) { - krb5_warn(context, ret, "resolving keytab %s", keytab_string); + if(optind == argc) { + krb5_warnx(context, "no principals specified"); + arg_printusage(args, sizeof(args) / sizeof(args[0]), + "ktutil get", "principal..."); return 1; } + + if((keytab = ktutil_open_keytab()) == NULL) + return 1; + + if(realm) + krb5_set_default_realm(context, realm); if (etype_strs.num_strings) { int i; @@ -123,33 +159,6 @@ kt_get(int argc, char **argv) } } - if(realm) { - krb5_set_default_realm(context, realm); /* XXX should be fixed - some other way */ - conf.realm = realm; - conf.mask |= KADM5_CONFIG_REALM; - } - - if (admin_server) { - conf.admin_server = admin_server; - conf.mask |= KADM5_CONFIG_ADMIN_SERVER; - } - - if (server_port) { - conf.kadmind_port = htons(server_port); - conf.mask |= KADM5_CONFIG_KADMIND_PORT; - } - - ret = kadm5_init_with_password_ctx(context, - principal, - NULL, - KADM5_ADMIN_SERVICE, - &conf, 0, 0, - &kadm_handle); - if(ret) { - krb5_warn(context, ret, "kadm5_init_with_password"); - goto out; - } for(i = optind; i < argc; i++){ krb5_principal princ_ent; 
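Review bot: The return value of `krb5_set_default_realm(context, realm)` is dropped, so if it fails the principals parsed later in kt_get are silently given whatever default realm the context already had, the opposite of what `-r` requested. Check it the way the removed code checked its calls and leave through the function's cleanup label so the keytab opened two lines earlier is not leaked: `ret = krb5_set_default_realm(context, realm); if (ret) { krb5_warn(context, ret, "krb5_set_default_realm"); goto out; }`. The second hunk on this line only removes the connection setup that moved into open_kadmin_connection, so nothing to raise there. kt_get begins and ends outside both hunks.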
@@ -168,6 +177,21 @@ kt_get(int argc, char **argv) mask |= KADM5_ATTRIBUTES; princ.princ_expire_time = 0; mask |= KADM5_PRINC_EXPIRE_TIME; + + if(kadm_handle == NULL) { + const char *r; + if(realm != NULL) + r = realm; + else + r = krb5_principal_get_realm(context, princ_ent); + kadm_handle = open_kadmin_connection(principal, + r, + admin_server, + server_port); + if(kadm_handle == NULL) { + break; + } + } ret = kadm5_create_principal(kadm_handle, &princ, mask, "x"); if(ret == 0) diff --git a/kerberosV/src/admin/ktutil.8 b/kerberosV/src/admin/ktutil.8 index b1f39df6fae..e208909e1d4 100644 --- a/kerberosV/src/admin/ktutil.8 +++ b/kerberosV/src/admin/ktutil.8 @@ -1,4 +1,4 @@ -.\" $KTH: ktutil.8,v 1.12 2001/06/08 21:35:31 joda Exp $ +.\" $KTH: ktutil.8,v 1.14 2001/07/23 14:47:31 joda Exp $ .\" .Dd December 16, 2000 .Dt KTUTIL 8 @@ -22,7 +22,7 @@ is a program for managing keytabs. .Ar command can be one of the following: -.Bl -tag -width Ds +.Bl -tag -width srvconvert .It add Xo .Op Fl p Ar principal .Op Fl -principal= Ns Ar principal @@ -38,7 +38,11 @@ can be one of the following: .Op Fl -no-salt .Xc Adds a key to the keytab. Options that are not specified will be -prompted for. +prompted for. This requires that you know the password of the +principal to add; if what you really want is to add a new principal to +the keytab, you should consider the +.Ar get +command, which talks to the kadmin server. .It change Xo .Op Fl r Ar realm .Op Fl -realm= Ns Ar realm 
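Review bot: The admin connection is opened once, with the realm of whichever principal comes first, and nothing in the loop checks that later principals belong to that realm, so `ktutil get a@REALM1 b@REALM2` sends the request for `b` to REALM1's kadmind; the ktutil.8 text in this commit documents the first-principal rule but the code does not enforce it. Keep a copy of the realm the handle was opened for (`r` may point into `princ_ent`, so it needs `strdup`) and refuse mismatches before `kadm5_create_principal`, e.g. `if(strcmp(krb5_principal_get_realm(context, princ_ent), kadm_realm) != 0) { krb5_warnx(context, "%s: not in realm %s", argv[i], kadm_realm); krb5_free_principal(context, princ_ent); continue; }`. Also, the `break` on a failed `open_kadmin_connection` leaves this iteration's `princ_ent` to whatever cleanup follows the loop, which is outside the hunk, so please confirm it is freed. The loop body starts before and continues after this hunk.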
@@ -63,21 +67,25 @@ to .It get Xo .Op Fl p Ar admin principal .Op Fl -principal= Ns Ar admin principal -.Oo Fl e Ar enctype \*(Ba Xo -.Fl -enctypes= Ns Ar enctype -.Xc -.Oc +.Op Fl e Ar enctype +.Op Fl -enctypes= Ns Ar enctype .Op Fl r Ar realm .Op Fl -realm= Ns Ar realm .Op Fl a Ar admin server .Op Fl -admin-server= Ns Ar admin server .Op Fl s Ar server port .Op Fl -server-port= Ns Ar server port -.Ar principal +.Ar principal ... .Xc -Get a key for -.Nm principal -and store it in a keytab. +For each +.Ar principal , +generate a new key for it (creating it if it doesn't already exist), +and put that key in the keytab. +.Pp +If no +.Ar realm +is specified, the realm to operate on is taken from the first +principal. .It list Xo .Op Fl -keys .Op Fl -timestamp @@ -96,6 +104,14 @@ Removes the specified key or keys. Not specifying a removes keys with any version number. Not specifying a .Ar enctype removes keys of any type. +.It rename Xo +.Ar from-principal +.Ar to-principal +.Xc +Renames all entries in the keytab that match the +.Ar from-principal +to +.Ar to-principal . .It purge Xo .Op Fl -age= Ns Ar age .Xc diff --git a/kerberosV/src/admin/purge.c b/kerberosV/src/admin/purge.c index 0cc96b3c9b2..9086cd7bdc2 100644 --- a/kerberosV/src/admin/purge.c +++ b/kerberosV/src/admin/purge.c @@ -33,7 +33,7 @@ #include "ktutil_locl.h" -RCSID("$KTH: purge.c,v 1.5 2001/05/11 00:54:01 assar Exp $"); +RCSID("$KTH: purge.c,v 1.6 2001/07/23 09:46:41 joda Exp $"); /* * keep track of the highest version for every principal. 
@@ -132,20 +132,8 @@ kt_purge(int argc, char **argv) return 1; } - if (keytab_string == NULL) { - ret = krb5_kt_default_modify_name (context, keytab_buf, - sizeof(keytab_buf)); - if (ret) { - krb5_warn(context, ret, "krb5_kt_default_modify_name"); - return 1; - } - keytab_string = keytab_buf; - } - ret = krb5_kt_resolve(context, keytab_string, &keytab); - if (ret) { - krb5_warn(context, ret, "resolving keytab %s", keytab_string); + if((keytab = ktutil_open_keytab()) == NULL) return 1; - } ret = krb5_kt_start_seq_get(context, keytab, &cursor); if(ret){ @@ -153,9 +141,6 @@ kt_purge(int argc, char **argv) goto out; } - if (verbose_flag) - fprintf (stderr, "Using keytab %s\n", keytab_string); - while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) { add_entry (entry.principal, entry.vno, &head); krb5_kt_free_entry(context, &entry); diff --git a/kerberosV/src/admin/remove.c b/kerberosV/src/admin/remove.c index 0031eb64b83..c78e4ad609f 100644 --- a/kerberosV/src/admin/remove.c +++ b/kerberosV/src/admin/remove.c @@ -33,7 +33,7 @@ #include "ktutil_locl.h" -RCSID("$KTH: remove.c,v 1.2 2001/05/10 15:44:58 assar Exp $"); +RCSID("$KTH: remove.c,v 1.3 2001/07/23 09:46:41 joda Exp $"); int kt_remove(int argc, char **argv) @@ -96,24 +96,9 @@ kt_remove(int argc, char **argv) return 1; } - if (keytab_string == NULL) { - ret = krb5_kt_default_modify_name (context, keytab_buf, - sizeof(keytab_buf)); - if (ret) { - krb5_warn(context, ret, "krb5_kt_default_modify_name"); - return 1; - } - keytab_string = keytab_buf; - } - ret = krb5_kt_resolve(context, keytab_string, &keytab); - if (ret) { - krb5_warn(context, ret, "resolving keytab %s", keytab_string); + if((keytab = ktutil_open_keytab()) == NULL) return 1; - } - if (verbose_flag) - fprintf (stderr, "Using keytab %s\n", keytab_string); - entry.principal = principal; entry.keyblock.keytype = enctype; entry.vno = kvno; 
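Review bot: Both `kt_purge` and `kt_remove` lose their `-v` "Using keytab" diagnostic together with the inlined resolve code; unless `ktutil_open_keytab` (not in this diff) prints it, `--verbose` now says nothing about which keytab is being modified, which is exactly what an operator wants in the log when keys are removed. If the helper does not print it, the message belongs inside `ktutil_open_keytab` itself, where the resolved name is known: `if (verbose_flag) fprintf(stderr, "Using keytab %s\n", keytab_string);`. The enclosing functions start before these hunks.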
diff --git a/kerberosV/src/admin/rename.c b/kerberosV/src/admin/rename.c
new file mode 100644
index 00000000000..a0c9dedeff4
--- /dev/null
+++ b/kerberosV/src/admin/rename.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$KTH: rename.c,v 1.1 2001/07/23 10:17:32 joda Exp $");
+
+int
+kt_rename(int argc, char **argv)
+{
+ krb5_error_code ret = 0;
+ krb5_keytab_entry entry;
+ krb5_keytab keytab;
+ krb5_kt_cursor cursor;
+ krb5_principal from_princ, to_princ;
+ int help_flag = 0;
+
+ struct getargs args[] = {
+ { "help", 'h', arg_flag, NULL }
+ };
+ int num_args = sizeof(args) / sizeof(args[0]);
+ int optind = 0;
+ int i = 0;
+
+ args[i++].value = &help_flag;
+ if(getarg(args, num_args, argc, argv, &optind)) {
+ arg_printusage(args, num_args, "ktutil rename", "from to");
+ return 1;
+ }
+ if(help_flag) {
+ arg_printusage(args, num_args, "ktutil rename", "from to");
+ return 0;
+ }
+ argv += optind;
+ argc -= optind;
+ if(argc != 2) {
+ arg_printusage(args, num_args, "ktutil rename", "from to");
+ return 0;
+ }
+
+ ret = krb5_parse_name(context, argv[0], &from_princ);
+ if(ret != 0) {
+ krb5_warn(context, ret, "%s", argv[0]);
+ return 0;
+ }
+
+ ret = krb5_parse_name(context, argv[1], &to_princ);
+ if(ret != 0) {
+ krb5_free_principal(context, from_princ);
+ krb5_warn(context, ret, "%s", argv[1]);
+ return 0;
+ }
+
+ if((keytab = ktutil_open_keytab()) == NULL) {
+ krb5_free_principal(context, from_princ);
+ krb5_free_principal(context, to_princ);
+ return 1;
+ }
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if(ret) {
+ krb5_kt_close(context, keytab);
+ krb5_free_principal(context, from_princ);
+ krb5_free_principal(context, to_princ);
+ return 1;
+ }
+ while(1) {
+ ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
+ if(ret != 0) {
+ if(ret != KRB5_CC_END && ret != KRB5_KT_END)
+ krb5_warn(context, ret, "getting entry from keytab");
+ break;
+ }
+ if(krb5_principal_compare(context, entry.principal, from_princ)) {
+ krb5_free_principal(context, entry.principal);
+ entry.principal = to_princ;
+ ret = krb5_kt_add_entry(context, keytab, &entry);
+ if(ret) {
+ entry.principal = NULL;
+ krb5_kt_free_entry(context, &entry);
+ krb5_warn(context, ret, "adding entry");
+ break;
+ }
+ entry.principal = from_princ;
+ ret = krb5_kt_remove_entry(context, keytab, &entry);
+ if(ret) {
+ entry.principal = NULL;
+ krb5_kt_free_entry(context, &entry);
+ krb5_warn(context, ret, "removing entry");
+ break;
+ }
+ entry.principal = NULL;
+ }
+ krb5_kt_free_entry(context, &entry);
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+
+ krb5_free_principal(context, from_princ);
+ krb5_free_principal(context, to_princ);
+
+ return 0;
+}
+
diff --git a/kerberosV/src/appl/rsh/rsh.1 b/kerberosV/src/appl/rsh/rsh.1
new file mode 100644
index 00000000000..487e55656cf
--- /dev/null
+++ b/kerberosV/src/appl/rsh/rsh.1
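Review bot: `kt_rename` reports success in almost every failure case: the usage error at `if(argc != 2)` and both `krb5_parse_name` failures `return 0`, and a failed `krb5_kt_add_entry` or `krb5_kt_remove_entry` only warns and breaks, after which the function unconditionally returns 0, so a script checking ktutil's exit status believes the keytab was renamed when it was not, or when it was left with the key under both names because the remove failed after the add. The keytab from `ktutil_open_keytab` is also closed only on the `krb5_kt_start_seq_get` error path, never after the normal walk. I would return 1 on the argument and parse errors, clear `ret` on the two end-of-keytab codes so a failure `ret` from the loop survives, and close the keytab before returning `ret != 0`:
```c
    if(argc != 2) {
	arg_printusage(args, num_args, "ktutil rename", "from to");
	return 1;			/* usage error is not success */
    }
    /* … unchanged: krb5_parse_name of from/to; both error paths should also return 1 … */
    while(1) {
	ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
	if(ret != 0) {
	    if(ret == KRB5_CC_END || ret == KRB5_KT_END)
		ret = 0;		/* normal end of keytab */
	    else
		krb5_warn(context, ret, "getting entry from keytab");
	    break;
	}
	/* … unchanged: add entry under to_princ, remove under from_princ, break with ret set on failure … */
    }
    krb5_kt_end_seq_get(context, keytab, &cursor);
    krb5_kt_close(context, keytab);
    krb5_free_principal(context, from_princ);
    krb5_free_principal(context, to_princ);
    return ret != 0;
```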
@@ -0,0 +1,218 @@ +.\" $KTH: rsh.1,v 1.1 2001/07/31 08:13:41 joda Exp $ +.\" +.Dd July 31, 2001 +.Dt RSH 1 +.Os HEIMDAL +.Sh NAME +.Nm rsh +.Nd +remote shell +.Sh SYNOPSIS +.Nm +.Op Fl 45FGKdefnuxz +.Op Fl U Pa string +.Op Fl p Ar port +.Op Fl l Ar username +.Ar host [command] +.Sh DESCRIPTION +.Nm +authenticates to the +.Xr rshd 8 +daemon on the remote +.Ar host , +and then executes the specified +.Ar command . +.Pp +.Nm +copies its standard input to the remote command, and the standard +output and error of the remote command to its own. +.Pp +Valid options are: +.Bl -tag -width Ds +.It Xo +.Fl 4 Ns , +.Fl -krb4 +.Xc +The +.Fl 4 +option requests Kerberos 4 authentication. Normally all supported +authentication mechanisms will be tried, but in some cases more +explicit control is desired. +.It Xo +.Fl 5 Ns , +.Fl -krb5 +.Xc +The +.Fl 5 +option requests Kerberos 5 authentication. This is analogous to the +.Fl 4 +option. +.It Xo +.Fl K Ns , +.Fl -broken +.Xc +The +.Fl K +option turns off all Kerberos authentication. The long name implies +that this is more or less totally unsecure. The security in this mode +relies on reserved ports, which is not very secure. +.It Xo +.Fl n Ns , +.Fl -no-input +.Xc +The +.Fl n +option directs the input from the +.Pa /dev/null +device (see the +.Sx BUGS +section of this manual page). +.It Xo +.Fl e Ns , +.Fl -no-stderr +.Xc +Don't use a separate socket for the stderr stream. This can be +necessary if rsh-ing through a NAT bridge. +.It Xo +.Fl x Ns , +.Fl -encrypt +.Xc +The +.Fl x +option enables encryption for all data exchange. This is only valid +for Kerberos authenticated connections (see the +.Sx BUGS +section for limitations). +.It Xo +.Fl z +.Xc +The opposite of +.Fl x . +This is the default, but encryption can be enabled when using +Kerberos 5, by setting the +.Li libdefaults/encrypt +option in +.Xr krb5.conf 5 . +.It Xo +.Fl f Ns , +.Fl -forward +.Xc +Forward Kerberos 5 credentials to the remote host. 
Also controlled by +.Li libdefaults/forward +in +.Xr krb5.conf 5 . +.It Xo +.Fl G +.Xc +The opposite of +.Fl f . +.It Xo +.Fl F Ns , +.Fl -forwardable +.Xc +Make the forwarded credentials re-forwardable. Also controlled by +.Li libdefaults/forwardable +in +.Xr krb5.conf 5 . +.It Xo +.Fl u Ns , +.Fl -unique +.Xc +Make sure the remote credentials cache is unique, that is, don't reuse +any existing cache. Mutually exclusive to +.Fl U . +.It Xo +.Fl U Pa string Ns , +.Fl -tkfile= Ns Pa string +.Xc +Name of the remote credentials cache. Mutually exclusive to +.Fl u . +.It Xo +.Fl p Ar number-or-service Ns , +.Fl -port= Ns Ar number-or-service +.Xc +Connect to this port instead of the default (which is 514 when using +old port based authentication, 544 for Kerberos 5 and non-encrypted +Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to +the contents of +.Pa /etc/services ) . +.It Xo +.Fl l Ar string Ns , +.Fl -user= Ns Ar string +.Xc +By default the remote username is the same as the local. The +.Fl l +option or the +.Pa username@host +format allow the remote name to be specified. +.El +.\".Pp +.\"Without a +.\".Ar command +.\".Nm +.\"will just exec +.\".Xr rlogin 1 +.\"with the same arguments. +.Sh EXAMPLES +Care should be taken when issuing commands containing shell meta +characters. Without quoting these will be expanded on the local +machine. +.Pp +The following command: +.Pp +.Dl rsh otherhost cat remotefile > localfile +.Pp +will write the contents of the remote +.Pa remotefile +to the local +.Pa localfile , +but: +.Pp +.Dl rsh otherhost 'cat remotefile > remotefile2' +.Pp +will write it to the remote +.Pa remotefile2 . 
+.\".Sh ENVIRONMENT +.Sh FILES +.Bl -tag -width /etc/hosts -compact +.It Pa /etc/hosts +.El +.\".Sh DIAGNOSTICS +.Sh SEE ALSO +.Xr rlogin 1 , +.Xr krb_realmofhost 3 , +.Xr krb_sendauth 3 , +.Xr hosts.equiv 5 , +.Xr krb5.conf 5 , +.Xr rhosts 5 , +.Xr kerberos 8 +.Xr rshd 8 +.\".Sh STANDARDS +.Sh HISTORY +The +.Nm +command appeared in +.Bx 4.2 . +.Sh AUTHORS +This implementation of +.Nm +was written as part of the Heimdal Kerberos 5 implementation. +.Sh BUGS +Some shells (notably +.Xr csh 1 ) +will cause +.Nm +to block if run in the background, unless the standard input is directed away from the terminal. This is what the +.Fl n +option is for. +.Pp +The +.Fl x +options enables encryption for the session, but for both Kerberos 4 +and 5 the actual command is sent unencrypted, so you should not send +any secret information in the command line (which is probably a bad +idea anyway, since the command line can usually be read with tools +like +.Xr ps 1 ) . +Forthermore in Kerberos 4 the command is not even integrity +protected, so anyone with the right tools can modify the command. diff --git a/kerberosV/src/appl/rsh/rshd.8 b/kerberosV/src/appl/rsh/rshd.8 new file mode 100644 index 00000000000..5b65e1b7fa1 --- /dev/null +++ b/kerberosV/src/appl/rsh/rshd.8 
@@ -0,0 +1,130 @@ +.\" Things to fix: +.\" * remove Op from mandatory flags +.\" * use better macros for arguments (like .Pa for files) +.\" +.Dd July 31, 2001 +.Dt RSHD 8 +.Os HEIMDAL +.Sh NAME +.Nm rshd +.Nd +remote shell server +.Sh SYNOPSIS +.Nm +.Op Fl aiklnvxPL +.Op Fl p Ar port +.Sh DESCRIPTION +.Nm +is the server for +the +.Xr rsh 1 +program. It provides an authenticated remote command execution +service. Supported options are: +.Bl -tag -width Ds +.It Xo +.Fl n Ns , +.Fl -no-keepalive +.Xc +Disables keep-alive messages. Keep-alives are packets sent a certain +interval to make sure that the client is still there, even when it +doesn't send any data. +.It Xo +.Fl k Ns , +.Fl -kerberos +.Xc +Assume that clients connecting to this server will use some form of +Kerberos authentication. See the +.Sx EXAMPLES +section for a sample +.Xr inetd.conf 5 +configuration. +.It Xo +.Fl x Ns , +.Fl -encrypt +.Xc +For Kerberos 4 this means that the connections are encrypted. Kerberos +5 will negotiate encryption inline. This option implies +.Fl k . +.\".It Xo +.\".Fl l Ns , +.\".Fl -no-rhosts +.\".Xc +.\"When using old port-based authentication, the user's +.\".Pa .rhosts +.\"files are normally checked. This options disables this. +.It Xo +.Fl v Ns , +.Fl -vacuous +.Xc +If the connecting client does not use any Kerberised authentication, +print a message that complains about this fact, and exit. This is +helpful if you want to move away from old port-based authentication. +.It Xo +.Fl P +.Xc +When using the AFS filesystem, users' authentication tokens are put in +something called a PAG (Process Authentication Group). Multiple +processes can share a PAG, but normally each login session has its own +PAG. This option disables the +.Fn setpag +call, so all tokens will be put in the default (uid-based) PAG, making +it possible to share tokens between sessions. This is only useful in +peculiar environments, such as some batch systems. 
+.It Xo +.Fl i Ns , +.Fl -no-inetd +.Xc +The +.Fl i +option will cause +.Nm +to create a socket, instead of assuming that its stdin came from +.Xr inetd 8 . +This is mostly useful for debugging. +.It Xo +.Fl p Ar port Ns , +.Fl -port= Ns Ar port +.Xc +Port to use with +.Fl i . +.It Xo +.Fl a +.Xc +This flag is for backwards compatibility only. +.It Xo +.Fl L +.Xc +This flag enables logging of connections to +.Xr syslogd 8 . +This option is always on in this implementation. +.El +.\".Sh ENVIRONMENT +.Sh FILES +.Bl -tag -width /etc/hosts.equiv -compact +.It Pa /etc/hosts.equiv +.It Pa ~/.rhosts +.El +.Sh EXAMPLES +The following can be used to enable Kerberised rsh in +.Xr inetd.cond 5 , +while disabling non-Kerberised connections: +.Bd -literal +shell stream tcp nowait root /usr/libexec/rshd rshd -v +kshell stream tcp nowait root /usr/libexec/rshd rshd -k +ekshell stream tcp nowait root /usr/libexec/rshd rshd -kx +.Ed +.\".Sh DIAGNOSTICS +.Sh SEE ALSO +.Xr rsh 1 , +.Xr iruserok 3 +.\".Sh STANDARDS +.Sh HISTORY +The +.Nm +command appeared in +.Bx 4.2 . +.Sh AUTHORS +This implementation of +.Nm +was written as part of the Heimdal Kerberos 5 implementation. +.\".Sh BUGS diff --git a/kerberosV/src/cf/broken-getaddrinfo.m4 b/kerberosV/src/cf/broken-getaddrinfo.m4 new file mode 100644 index 00000000000..6a4d96cef18 --- /dev/null +++ b/kerberosV/src/cf/broken-getaddrinfo.m4 
@@ -0,0 +1,24 @@
+dnl $KTH: broken-getaddrinfo.m4,v 1.2 2001/08/22 01:05:29 assar Exp $
+dnl
+dnl test if getaddrinfo can handle numeric services
+
+AC_DEFUN(rk_BROKEN_GETADDRINFO,[
+AC_CACHE_CHECK([if getaddrinfo handles numeric services], ac_cv_func_getaddrinfo_numserv,
+AC_TRY_RUN([[#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+ struct addrinfo hints, *ai;
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_flags = AI_PASSIVE;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_family = PF_UNSPEC;
+ if(getaddrinfo(NULL, "17", &hints, &ai) == EAI_SERVICE)
+ return 1;
+ return 0;
+}
+]], ac_cv_func_getaddrinfo_numserv=yes, ac_cv_func_getaddrinfo_numserv=no))])
diff --git a/kerberosV/src/cf/check-compile-et.m4 b/kerberosV/src/cf/check-compile-et.m4
new file mode 100644
index 00000000000..3c97d19a8cd
--- /dev/null
+++ b/kerberosV/src/cf/check-compile-et.m4
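Review bot: The test program calls `memset` without including `<string.h>`, so it relies on an implicit declaration; a compiler that rejects implicit declarations (the default in current GCC and Clang) fails the compile step, and `AC_TRY_RUN` then takes the "no" branch, reporting `getaddrinfo` as broken on every such system regardless of the real answer. Add `#include <string.h>` next to the other includes. The macro also gives `AC_TRY_RUN` no cross-compiling action, so as written it presumably aborts configure when cross-compiling; a conservative fourth argument (`ac_cv_func_getaddrinfo_numserv=no`) would keep the check usable there.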
@@ -0,0 +1,77 @@
+dnl $KTH: check-compile-et.m4,v 1.6 2001/09/02 17:08:48 assar Exp $
+dnl
+dnl CHECK_COMPILE_ET
+AC_DEFUN([CHECK_COMPILE_ET], [
+
+AC_CHECK_PROG(COMPILE_ET, compile_et, [compile_et])
+
+krb_cv_compile_et="no"
+if test "${COMPILE_ET}" = "compile_et"; then
+
+dnl We have compile_et. Now let's see if it supports `prefix' and `index'.
+AC_MSG_CHECKING(whether compile_et has the features we need)
+cat > conftest_et.et <<'EOF'
+error_table conf
+prefix CONFTEST
+index 1
+error_code CODE1, "CODE1"
+index 128
+error_code CODE2, "CODE2"
+end
+EOF
+if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then
+ dnl XXX Some systems have <et/com_err.h>.
+ save_CPPFLAGS="${save_CPPFLAGS}"
+ if test -d "/usr/include/et"; then
+ CPPFLAGS="-I/usr/include/et ${CPPFLAGS}"
+ fi
+ dnl Check that the `prefix' and `index' directives were honored.
+ AC_TRY_RUN([
+#include <com_err.h>
+#include <string.h>
+#include "conftest_et.h"
+int main(){return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;}
+ ], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"])
+fi
+AC_MSG_RESULT(${krb_cv_compile_et})
+rm -fr conftest*
+fi
+
+if test "${krb_cv_compile_et}" = "yes"; then
+ dnl Since compile_et seems to work, let's check libcom_err
+ krb_cv_save_LIBS="${LIBS}"
+ LIBS="${LIBS} -lcom_err"
+ AC_MSG_CHECKING(for com_err)
+ AC_TRY_LINK([#include <com_err.h>],[
+ const char *p;
+ p = error_message(0);
+ ],[krb_cv_com_err="yes"],[krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"])
+ AC_MSG_RESULT(${krb_cv_com_err})
+ LIBS="${krb_cv_save_LIBS}"
+else
+ dnl Since compile_et doesn't work, forget about libcom_err
+ krb_cv_com_err="no"
+fi
+
+dnl Only use the system's com_err if we found compile_et, libcom_err, and
+dnl com_err.h.
+if test "${krb_cv_com_err}" = "yes"; then
+ DIR_com_err=""
+ LIB_com_err="-lcom_err"
+ LIB_com_err_a=""
+ LIB_com_err_so=""
+ AC_MSG_NOTICE(Using the already-installed com_err)
+else
+ COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et"
+ DIR_com_err="com_err"
+ LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la"
+ LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a"
+ LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so"
+ AC_MSG_NOTICE(Using our own com_err)
+fi
+AC_SUBST(DIR_com_err)
+AC_SUBST(LIB_com_err)
+AC_SUBST(LIB_com_err_a)
+AC_SUBST(LIB_com_err_so)
+
+])
diff --git a/kerberosV/src/cf/crypto.m4 b/kerberosV/src/cf/crypto.m4
new file mode 100644
index 00000000000..a2a3670d211
--- /dev/null
+++ b/kerberosV/src/cf/crypto.m4
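Review bot: `save_CPPFLAGS="${save_CPPFLAGS}"` saves the variable to itself instead of the current `CPPFLAGS`, so the two restore points `CPPFLAGS="${save_CPPFLAGS}"` (after the failed `AC_TRY_RUN` and after the failed com_err link) reset `CPPFLAGS` to empty, or to whatever an earlier macro happened to leave in `save_CPPFLAGS`, and the user's `-I`/`-D` flags are silently lost for the rest of configure. It should read `save_CPPFLAGS="${CPPFLAGS}"`. With that fixed, it is worth a one-line `dnl` comment that on the success path the added `-I/usr/include/et` deliberately stays in `CPPFLAGS`, since this is the only check here that leaves its flags behind.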
@@ -0,0 +1,119 @@
+dnl $KTH: crypto.m4,v 1.7 2001/08/29 17:02:48 assar Exp $
+dnl
+dnl test for crypto libraries:
+dnl - libcrypto (from openssl)
+dnl - libdes (from krb4)
+dnl - own-built libdes
+
+AC_DEFUN([KRB_CRYPTO],[
+crypto_lib=unknown
+AC_WITH_ALL([openssl])
+
+DIR_des=
+
+AC_MSG_CHECKING([for crypto library])
+
+if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then
+
+ save_CPPFLAGS="$CPPFLAGS"
+ save_LIBS="$LIBS"
+ INCLUDE_des=
+ LIB_des=
+ if test "$with_openssl_include" != ""; then
+ INCLUDE_des="-I${with_openssl}/include"
+ fi
+ if test "$with_openssl_lib" != ""; then
+ LIB_des="-L${with_openssl}/lib"
+ fi
+ CPPFLAGS="${INCLUDE_des} ${CPPFLAGS}"
+ LIB_des="${LIB_des} -lcrypto"
+ LIB_des_a="$LIB_des"
+ LIB_des_so="$LIB_des"
+ LIB_des_appl="$LIB_des"
+ LIBS="${LIBS} ${LIB_des}"
+ AC_TRY_LINK([
+ #include <openssl/md4.h>
+ #include <openssl/md5.h>
+ #include <openssl/sha.h>
+ #include <openssl/des.h>
+ #include <openssl/rc4.h>
+ ],
+ [
+ MD4_CTX md4;
+ MD5_CTX md5;
+ SHA_CTX sha1;
+
+ MD4_Init(&md4);
+ MD5_Init(&md5);
+ SHA1_Init(&sha1);
+
+ des_cbc_encrypt(0, 0, 0, 0, 0, 0);
+ RC4(0, 0, 0, 0);
+ ], [
+ crypto_lib=libcrypto
+ AC_DEFINE([HAVE_OPENSSL], 1, [define to use openssl's libcrypto])
+ AC_MSG_RESULT([libcrypto])])
+ CPPFLAGS="$save_CPPFLAGS"
+ LIBS="$save_LIBS"
+fi
+
+if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then
+
+ save_CPPFLAGS="$CPPFLAGS"
+ save_LIBS="$LIBS"
+ INCLUDE_des="${INCLUDE_krb4}"
+ LIB_des=
+ if test "$krb4_libdir"; then
+ LIB_des="-L${krb4_libdir}"
+ fi
+ LIB_des="${LIB_des} -ldes"
+ CPPFLAGS="${CPPFLAGS} ${INCLUDE_des}"
+ LIBS="${LIBS} ${LIB_des}"
+ LIB_des_a="$LIB_des"
+ LIB_des_so="$LIB_des"
+ LIB_des_appl="$LIB_des"
+ LIBS="${LIBS} ${LIB_des}"
+ AC_TRY_LINK([
+ #undef KRB5 /* makes md4.h et al unhappy */
+ #define KRB4
+ #include <md4.h>
+ #include <md5.h>
+ #include <sha.h>
+ #include <des.h>
+ #include <rc4.h>
+ ],
+ [
+ MD4_CTX md4;
+ MD5_CTX md5;
+ SHA_CTX sha1;
+
+ MD4_Init(&md4);
+ MD5_Init(&md5);
+ SHA1_Init(&sha1);
+
+ des_cbc_encrypt(0, 0, 0, 0, 0, 0);
+ RC4(0, 0, 0, 0);
+ ], [crypto_lib=krb4; AC_MSG_RESULT([krb4's libdes])])
+ CPPFLAGS="$save_CPPFLAGS"
+ LIBS="$save_LIBS"
+fi
+
+if test "$crypto_lib" = "unknown"; then
+
+ DIR_des='des'
+ LIB_des='$(top_builddir)/lib/des/libdes.la'
+ LIB_des_a='$(top_builddir)/lib/des/.libs/libdes.a'
+ LIB_des_so='$(top_builddir)/lib/des/.libs/libdes.so'
+ LIB_des_appl="-ldes"
+
+ AC_MSG_RESULT([included libdes])
+
+fi
+
+AC_SUBST(DIR_des)
+AC_SUBST(INCLUDE_des)
+AC_SUBST(LIB_des)
+AC_SUBST(LIB_des_a)
+AC_SUBST(LIB_des_so)
+AC_SUBST(LIB_des_appl)
+])
diff --git a/kerberosV/src/cf/with-all.m4 b/kerberosV/src/cf/with-all.m4
new file mode 100644
index 00000000000..29eade31a38
--- /dev/null
+++ b/kerberosV/src/cf/with-all.m4
@@ -0,0 +1,42 @@
+dnl
+dnl $KTH: with-all.m4,v 1.1 2001/08/29 17:01:23 assar Exp $
+dnl
+
+dnl AC_WITH_ALL(name)
+
+AC_DEFUN([AC_WITH_ALL], [
+AC_ARG_WITH($1,
+ AC_HELP_STRING([--with-$1=dir],
+ [use $1 in dir]))
+
+AC_ARG_WITH($1-lib,
+ AC_HELP_STRING([--with-$1-lib=dir],
+ [use $1 libraries in dir]),
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+ AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+ with_$1=yes
+fi])
+
+AC_ARG_WITH($1-include,
+ AC_HELP_STRING([--with-$1-include=dir],
+ [use $1 headers in dir]),
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+ AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+ with_$1=yes
+fi])
+
+case "$with_$1" in
+yes) ;;
+no) ;;
+"") ;;
+*) if test "$with_$1_include" = ""; then
+ with_$1_include="$with_$1/include"
+ fi
+ if test "$with_$1_lib" = ""; then
+ with_$1_lib="$with_$1/lib$abilibdirext"
+ fi
+ ;;
+esac
+])
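Review bot: In the openssl branch the directory flags are built from the wrong variables: `INCLUDE_des="-I${with_openssl}/include"` and `LIB_des="-L${with_openssl}/lib"` use `$with_openssl` although the conditions test `$with_openssl_include` and `$with_openssl_lib`. `AC_WITH_ALL` (with-all.m4 in this same commit) sets `with_openssl=yes` when only `--with-openssl-lib=` or `--with-openssl-include=` is given, so that case produces `-Iyes/include` and `-Lyes/lib`, the link test fails, and configure silently falls through to krb4's libdes or the bundled one — the build ends up with a different crypto library than the one requested, with no error. Use `INCLUDE_des="-I${with_openssl_include}"` and `LIB_des="-L${with_openssl_lib}"`. The krb4 branch also appends `${LIB_des}` to `LIBS` twice; harmless, but the first `LIBS="${LIBS} ${LIB_des}"` can go.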
\ No newline at end of file diff --git a/kerberosV/src/doc/heimdal.info b/kerberosV/src/doc/heimdal.info index 2a4be24d75c..54475c3f9cd 100644 --- a/kerberosV/src/doc/heimdal.info +++ b/kerberosV/src/doc/heimdal.info @@ -288,15 +288,6 @@ following options: You will need a fairly recent version of our Kerberos 4 distribution for `rshd' and `popper' to support version 4 clients. -`--enable-kaserver' - Enables experimental kaserver support in the KDC. This is the - protocol used by the "KDC" in AFS. Requires Kerberos 4 support. - -`--enable-kaserver-db' - Enables experimental support for reading kaserver databases in - hprop. This is useful when migrating from a kaserver to a Heimdal - KDC. - `--enable-dce' Enables support for getting DCE credentials and tokens. See the README files in `appl/dceutils' for more information. @@ -543,6 +534,10 @@ Access to the admin server is controlled by an acl-file, (default following syntax: principal [priv1,priv2,...] [glob-pattern] +The matching is from top to bottom for matching principal (and if given, +glob-pattern). When there is a match, the rights of that lines are +used. + The privileges you can assign to a principal are: `add', `change-password' (or `cpw' for short), `delete', `get', `list', and `modify', or the special privilege `all'. All of these roughly 
@@ -602,9 +597,10 @@ and if so return `NULL'. If it is deemed to be of low quality, it should return a string explaining why that password should not be used. Code for a password quality checking function that uses the cracklib -library can be found in `kpasswd/sample_password_check.c' in the source -code distribution. It requires the cracklib library built with the -patch available at <ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch>. +library can be found in `lib/kadm5/sample_password_check.c' in the +source code distribution. It requires the cracklib library built with +the patch available at +<ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch>. If no password quality checking function is configured, it is only verified that it is at least six characters of length. @@ -718,12 +714,21 @@ Salting Salting is used to make it harder to precalculate all possible keys. Using a salt increases the search space to make it almost impossible to -precalculate all keys. In salting you just append the salt to the -password, or somehow merge the password with the salt. +precalculate all keys. Salting is the process of mixing a public string +(the salt) with the password, then sending it through an +encryption-type specific string-to-key function that will output the +fixed size encryption key. + +In Kerberos 5 the salt is determined by the encryption-type, except in +some special cases. + +In `des' there is the Kerberos 4 salt (none at all) or the afs-salt +(using the cell (realm in afs-lingo)). + +In `arcfour' (the encryption type that Microsoft Windows 2000 uses) +there is no salt. This is to be compatible with NTLM keys in Windows NT +4. -In Kerberos 5 the salting is determined by the encryption-type, except -in case of `des'. In `des' there is the kerberos 4 salting (none at -all) or the afs-salting (using the cell (realm in afs-lingo)). `[kadmin]default_keys' in `krb5.conf' controls what salting to use, The syntax of `[kadmin]default_keys' is 
@@ -826,8 +831,8 @@ Kerberos 4 issues If compiled with version 4 support, the KDC can serve requests from a Kerberos 4 client. There are a few things you must do for this to work. -You might also want use the built in kaserver emulation in the kdc when -you have AFS-clients that use `klog'. +The KDC will also have kaserver emulation and be able to handle +AFS-clients that use `klog'. * Menu: @@ -987,12 +992,12 @@ The database conversion is done with `hprop'. You can run this command to propagate the database to the machine called `slave-server' (which should be running a `hpropd'). - hprop --source=krb4-db -E slave-server + hprop --source=krb4-db --master-key=/.m slave-server This command can also be to use for converting the v4 database on the server: - hprop -n --source=krb4-db -d /var/kerberos/principal -E | hpropd -n + hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n Version 4 Kadmin ================ @@ -1027,7 +1032,7 @@ contains a minimalistic Rx implementation. There are three parts of the kaserver; KAA (Authentication), KAT (Ticket Granting), and KAM (Maintenance). The KAA interface and KAT interface both passes over DES encrypted data-blobs (just like the -Kerberos-protocol) and thus o not need any other protection. The KAM +Kerberos-protocol) and thus do not need any other protection. The KAM interface uses `rxkad' (Kerberos authentication layer for Rx) for security and data protection, and is used for example for changing passwords. This part is not implemented in the kdc. @@ -1173,7 +1178,7 @@ understand Kerberos 4 salted hashes you might need to turn off anything similar to the following if you have it, at least while adding the principals that are going to share keys with Windows 2000. - [kadmin]default_keys = des3:pw-salt des:pw-salt des:pw-salt: + [kadmin]default_keys = v5 v4 You must also set: 
@@ -1289,6 +1294,10 @@ File: heimdal.info, Node: Useful links when reading about the Windows 2000, Pr Useful links when reading about the Windows 2000 ================================================ +See also our paper presented at the 2001 usenix Annual Technical +Conference, available in the proceedings or at +<http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html>. + There are lots of text about Kerberos on Microsoft's web site, here is a short list of the interesting documents that we have managed to find. 
@@ -1718,36 +1727,36 @@ Node: Top210 Node: Introduction565 Node: What is Kerberos?3207 Node: Building and Installing8281 -Node: Setting up a realm12015 -Node: Configuration file12676 -Node: Creating the database15366 -Node: keytabs17869 -Node: Remote administration18703 -Node: Password changing20457 -Node: Testing clients and servers22264 -Node: Slave Servers22584 -Node: Incremental propagation24216 -Node: Salting26744 -Node: Things in search for a better place28133 -Node: Kerberos 4 issues31018 -Node: Principal conversion issues31537 -Ref: Principal conversion issues-Footnote-133760 -Ref: Principal conversion issues-Footnote-233828 -Node: Converting a version 4 database33881 -Node: kaserver38881 -Node: Windows 2000 compatability40619 -Node: Configuring Windows 2000 to use a Heimdal KDC41805 -Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC43557 -Node: Create account mappings46037 -Node: Encryption types46627 -Node: Authorization data47368 -Node: Quirks of Windows 2000 KDC48512 -Node: Useful links when reading about the Windows 200049753 -Node: Programming with Kerberos51581 -Node: Kerberos 5 API Overview51994 -Node: Walkthru a sample Kerberos 5 client53546 -Node: Validating a password in a server application61362 -Node: Migration61643 -Node: Acknowledgments62897 +Node: Setting up a realm11684 +Node: Configuration file12345 +Node: Creating the database15035 +Node: keytabs17538 +Node: Remote administration18372 +Node: Password changing20274 +Node: Testing clients and servers22083 +Node: Slave Servers22403 +Node: Incremental propagation24035 +Node: Salting26563 +Node: Things in search for a better place28198 +Node: Kerberos 4 issues31083 +Node: Principal conversion issues31585 +Ref: Principal conversion issues-Footnote-133808 +Ref: Principal conversion issues-Footnote-233876 +Node: Converting a version 4 database33929 +Node: kaserver38957 +Node: Windows 2000 compatability40696 +Node: Configuring Windows 2000 to use a Heimdal KDC41882 +Node: 
Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC43634 +Node: Create account mappings46082 +Node: Encryption types46672 +Node: Authorization data47413 +Node: Quirks of Windows 2000 KDC48557 +Node: Useful links when reading about the Windows 200049798 +Node: Programming with Kerberos51832 +Node: Kerberos 5 API Overview52245 +Node: Walkthru a sample Kerberos 5 client53797 +Node: Validating a password in a server application61613 +Node: Migration61894 +Node: Acknowledgments63148 End Tag Table diff --git a/kerberosV/src/doc/install.texi b/kerberosV/src/doc/install.texi index 222e168f699..4bd64bf064c 100644 --- a/kerberosV/src/doc/install.texi +++ b/kerberosV/src/doc/install.texi @@ -1,4 +1,4 @@ -@c $KTH: install.texi,v 1.16 2001/01/28 22:11:22 assar Exp $ +@c $KTH: install.texi,v 1.17 2001/07/02 18:06:02 joda Exp $ @node Building and Installing, Setting up a realm, What is Kerberos?, Top @comment node-name, next, previous, up @@ -54,14 +54,6 @@ path to each with the @kbd{--with-krb4-lib=@file{dir}}, and You will need a fairly recent version of our Kerberos 4 distribution for @code{rshd} and @code{popper} to support version 4 clients. -@item @kbd{--enable-kaserver} -Enables experimental kaserver support in the KDC. This is the protocol -used by the ``KDC'' in AFS. Requires Kerberos 4 support. - -@item @kbd{--enable-kaserver-db} -Enables experimental support for reading kaserver databases in hprop. -This is useful when migrating from a kaserver to a Heimdal KDC. - @item @kbd{--enable-dce} Enables support for getting DCE credentials and tokens. See the README files in @file{appl/dceutils} for more information. diff --git a/kerberosV/src/doc/kerberos4.texi b/kerberosV/src/doc/kerberos4.texi index 09a587b7923..8539e32bf23 100644 --- a/kerberosV/src/doc/kerberos4.texi +++ b/kerberosV/src/doc/kerberos4.texi 
@@ -1,4 +1,4 @@ -@c $KTH: kerberos4.texi,v 1.13 2001/02/24 05:09:24 assar Exp $ +@c $KTH: kerberos4.texi,v 1.16 2001/07/19 17:17:46 assar Exp $ @node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top @comment node-name, next, previous, up @@ -7,8 +7,8 @@ If compiled with version 4 support, the KDC can serve requests from a Kerberos 4 client. There are a few things you must do for this to work. -You might also want use the built in kaserver emulation in the kdc -when you have AFS-clients that use @code{klog}. +The KDC will also have kaserver emulation and be able to handle +AFS-clients that use @code{klog}. @menu * Principal conversion issues:: @@ -164,14 +164,14 @@ command to propagate the database to the machine called @samp{slave-server} (which should be running a @samp{hpropd}). @example -hprop --source=krb4-db -E slave-server +hprop --source=krb4-db --master-key=/.m slave-server @end example This command can also be to use for converting the v4 database on the server: @example -hprop -n --source=krb4-db -d /var/kerberos/principal -E | hpropd -n +hprop -n --source=krb4-db -d /var/kerberos/principal --master-key=/.m | hpropd -n @end example @section Version 4 Kadmin @@ -202,7 +202,7 @@ contains a minimalistic Rx implementation. There are three parts of the kaserver; KAA (Authentication), KAT (Ticket Granting), and KAM (Maintenance). The KAA interface and KAT interface both passes over DES encrypted data-blobs (just like the -Kerberos-protocol) and thus o not need any other protection. The KAM +Kerberos-protocol) and thus do not need any other protection. The KAM interface uses @code{rxkad} (Kerberos authentication layer for Rx) for security and data protection, and is used for example for changing passwords. This part is not implemented in the kdc. 
diff --git a/kerberosV/src/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt b/kerberosV/src/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt new file mode 100644 index 00000000000..a6dec9d1e07 --- /dev/null +++ b/kerberosV/src/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt 
@@ -0,0 +1,339 @@ + + + + + + +INTERNET-DRAFT Ken Hornstein +<draft-ietf-krb-wg-krb-dns-locate-02.txt> NRL +February 28, 2001 Jeffrey Altman +Expires: August 28, 2001 Columbia University + + + + Distributing Kerberos KDC and Realm Information with DNS + + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet- Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + Distribution of this memo is unlimited. It is filed as <draft-ietf- + krb-wg-krb-dns-locate-02.txt>, and expires on August 28, 2001. + Please send comments to the authors. + +Abstract + + Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto- + col [RFC????] describe any mechanism for clients to learn critical + configuration information necessary for proper operation of the pro- + tocol. Such information includes the location of Kerberos key dis- + tribution centers or a mapping between DNS domains and Kerberos + realms. + + Current Kerberos implementations generally store such configuration + information in a file on each client machine. 
Experience has shown + this method of storing configuration information presents problems + with out-of-date information and scaling problems, especially when + + + +Hornstein, Altman [Page 1] + +RFC DRAFT February 28, 2001 + + + using cross-realm authentication. + + This memo describes a method for using the Domain Name System + [RFC1035] for storing such configuration information. Specifically, + methods for storing KDC location and hostname/domain name to realm + mapping information are discussed. + +DNS vs. Kerberos - Case Sensitivity of Realm Names + + In Kerberos, realm names are case sensitive. While it is strongly + encouraged that all realm names be all upper case this recommendation + has not been adopted by all sites. Some sites use all lower case + names and other use mixed case. DNS on the other hand is case insen- + sitive for queries but is case preserving for responses to TXT + queries. Since "MYREALM", "myrealm", and "MyRealm" are all different + it is necessary that only one of the possible combinations of upper + and lower case characters be used. This restriction may be lifted in + the future as the DNS naming scheme is expanded to support non-ASCII + names. + +Overview - KDC location information + + KDC location information is to be stored using the DNS SRV RR [RFC + 2052]. The format of this RR is as follows: + + Service.Proto.Realm TTL Class SRV Priority Weight Port Target + + The Service name for Kerberos is always "_kerberos". + + The Proto can be either "_udp" or "_tcp". If these records are to be + used, a "_udp" record MUST be included. If the Kerberos implementa- + tion supports TCP transport, a "_tcp" record SHOULD be included. + + The Realm is the Kerberos realm that this record corresponds to. + + TTL, Class, SRV, Priority, Weight, and Target have the standard mean- + ing as defined in RFC 2052. + + As per RFC 2052 the Port number should be the value assigned to "ker- + beros" by the Internet Assigned Number Authority (88). 
+ +Example - KDC location information + + These are DNS records for a Kerberos realm ASDF.COM. It has two Ker- + beros servers, kdc1.asdf.com and kdc2.asdf.com. Queries should be + directed to kdc1.asdf.com first as per the specified priority. + Weights are not used in these records. + + + + +Hornstein, Altman [Page 2] + +RFC DRAFT February 28, 2001 + + + _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. + _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. + +Overview - Kerberos password changing server location information + + Kerberos password changing server [KERB-CHG] location is to be stored + using the DNS SRV RR [RFC 2052]. The format of this RR is as fol- + lows: + + Service.Proto.Realm TTL Class SRV Priority Weight Port Target + + The Service name for the password server is always "_kpasswd". + + The Proto MUST be "_udp". + + The Realm is the Kerberos realm that this record corresponds to. + + TTL, Class, SRV, Priority, Weight, and Target have the standard mean- + ing as defined in RFC 2052. + + As per RFC 2052 the Port number should be the value assigned to + "kpasswd" by the Internet Assigned Number Authority (464). + +Overview - Kerberos admin server location information + + Kerberos admin location information is to be stored using the DNS SRV + RR [RFC 2052]. The format of this RR is as follows: + + Service.Proto.Realm TTL Class SRV Priority Weight Port Target + + The Service name for the admin server is always "_kerberos-adm". + + The Proto can be either "_udp" or "_tcp". If these records are to be + used, a "_tcp" record MUST be included. If the Kerberos admin imple- + mentation supports UDP transport, a "_udp" record SHOULD be included. + + The Realm is the Kerberos realm that this record corresponds to. + + TTL, Class, SRV, Priority, Weight, and Target have the standard mean- + ing as defined in RFC 2052. + + As per RFC 2052 the Port number should be the value assigned to + "kerberos-adm" by the Internet Assigned Number Authority (749). 
+ + Note that there is no formal definition of a Kerberos admin protocol, + so the use of this record is optional and implementation-dependent. + + + + + +Hornstein, Altman [Page 3] + +RFC DRAFT February 28, 2001 + + +Example - Kerberos administrative server location information + + These are DNS records for a Kerberos realm ASDF.COM. It has one + administrative server, kdc1.asdf.com. + + _kerberos-adm._tcp.ASDF.COM. IN SRV 0 0 749 kdc1.asdf.com. + +Overview - Hostname/domain name to Kerberos realm mapping + + Information on the mapping of DNS hostnames and domain names to Ker- + beros realms is stored using DNS TXT records [RFC 1035]. These + records have the following format. + + Service.Name TTL Class TXT Realm + + The Service field is always "_kerberos", and prefixes all entries of + this type. + + The Name is a DNS hostname or domain name. This is explained in + greater detail below. + + TTL, Class, and TXT have the standard DNS meaning as defined in RFC + 1035. + + The Realm is the data for the TXT RR, and consists simply of the Ker- + beros realm that corresponds to the Name specified. + + When a Kerberos client wishes to utilize a host-specific service, it + will perform a DNS TXT query, using the hostname in the Name field of + the DNS query. If the record is not found, the first label of the + name is stripped and the query is retried. + + Compliant implementations MUST query the full hostname and the most + specific domain name (the hostname with the first label removed). + Compliant implementations SHOULD try stripping all subsequent labels + until a match is found or the Name field is empty. + +Example - Hostname/domain name to Kerberos realm mapping + + For the previously mentioned ASDF.COM realm and domain, some sample + records might be as follows: + + _kerberos.asdf.com. IN TXT "ASDF.COM" + _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" + _kerberos.salesserver.asdf.com. 
IN TXT "SALES.ASDF.COM" + + Let us suppose that in this case, a Kerberos client wishes to use a + Kerberized service on the host foo.asdf.com. It would first query: + + + +Hornstein, Altman [Page 4] + +RFC DRAFT February 28, 2001 + + + _kerberos.foo.asdf.com. IN TXT + + Finding no match, it would then query: + + _kerberos.asdf.com. IN TXT + + And find an answer of ASDF.COM. This would be the realm that + foo.asdf.com resides in. + + If another Kerberos client wishes to use a Kerberized service on the + host salesserver.asdf.com, it would query: + + _kerberos.salesserver.asdf.com IN TXT + + And find an answer of SALES.ASDF.COM. + +Security considerations + + As DNS is deployed today, it is an unsecure service. Thus the infor- + mation returned by it cannot be trusted. + + Current practice for REALM to KDC mapping is to use hostnames to + indicate KDC hosts (stored in some implementation-dependent location, + but generally a local config file). These hostnames are vulnerable + to the standard set of DNS attacks (denial of service, spoofed + entries, etc). The design of the Kerberos protocol limits attacks of + this sort to denial of service. However, the use of SRV records does + not change this attack in any way. They have the same vulnerabili- + ties that already exist in the common practice of using hostnames for + KDC locations. + + Current practice for HOSTNAME to REALM mapping is to provide a local + configuration of mappings of hostname or domain name to realm which + are then mapped to KDCs. But this again is vulnerable to spoofing + via CNAME records that point to hosts in other domains. This has the + same effect as when a TXT record is spoofed. In a realm with no + cross-realm trusts this is a DoS attack. However, when cross-realm + trusts are used it is possible to redirect a client to use a comprom- + ised realm. + + This is not an exploit of the Kerberos protocol but of the Kerberos + trust model. 
The same can be done to any application that must + resolve the hostname in order to determine which domain a non-FQDN + belongs to. + + Implementations SHOULD provide a way of specifying this information + locally without the use of DNS. However, to make this feature + worthwhile a lack of any configuration information on a client should + + + +Hornstein, Altman [Page 5] + +RFC DRAFT February 28, 2001 + + + be interpretted as permission to use DNS. + +Expiration + + This Internet-Draft expires on August 28, 2001. + +References + + + [RFC1510] + The Kerberos Network Authentication System; Kohl, Newman; Sep- + tember 1993. + + [RFC1035] + Domain Names - Implementation and Specification; Mockapetris; + November 1987 + + [RFC2782] + A DNS RR for specifying the location of services (DNS SRV); Gul- + brandsen, Vixie; Feburary 2000 + + [KERB-CHG] + Kerberos Change Password Protocol; Horowitz; + ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg- + password-02.txt + +Authors' Addresses + + Ken Hornstein + US Naval Research Laboratory + Bldg A-49, Room 2 + 4555 Overlook Avenue + Washington DC 20375 USA + + Phone: +1 (202) 404-4765 + EMail: kenh@cmf.nrl.navy.mil + + Jeffrey Altman + The Kermit Project + Columbia University + 612 West 115th Street #716 + New York NY 10025-7799 USA + + Phone: +1 (212) 854-1344 + EMail: jaltman@columbia.edu + + + + + + +Hornstein, Altman [Page 6] + diff --git a/kerberosV/src/doc/win2k.texi b/kerberosV/src/doc/win2k.texi index e1325c6c1d0..2c1f59dc434 100644 --- a/kerberosV/src/doc/win2k.texi +++ b/kerberosV/src/doc/win2k.texi @@ -1,4 +1,4 @@ -@c $KTH: win2k.texi,v 1.13 2001/02/24 05:09:24 assar Exp $ +@c $KTH: win2k.texi,v 1.15 2001/07/19 16:44:41 assar Exp $ @node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top @comment node-name, next, previous, up 
@@ -130,7 +130,7 @@ similar to the following if you have it, at least while adding the principals that are going to share keys with Windows 2000. @example - [kadmin]default_keys = des3:pw-salt des:pw-salt des:pw-salt: + [kadmin]default_keys = v5 v4 @end example You must also set: @@ -240,6 +240,10 @@ unsupported types are generated. @comment node-name, next, previous, up @section Useful links when reading about the Windows 2000 +See also our paper presented at the 2001 usenix Annual Technical +Conference, available in the proceedings or at +@url{http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html}. + There are lots of text about Kerberos on Microsoft's web site, here is a short list of the interesting documents that we have managed to find. diff --git a/kerberosV/src/etc/services.append b/kerberosV/src/etc/services.append index acac18d2a0c..6deaf27ef69 100644 --- a/kerberosV/src/etc/services.append +++ b/kerberosV/src/etc/services.append @@ -1,12 +1,12 @@ # -# $KTH: services.append,v 1.5 2000/06/07 02:52:51 assar Exp $ +# $KTH: services.append,v 1.6 2001/08/08 15:48:37 assar Exp $ # # Kerberos services # kerberos 88/udp kerberos-sec # Kerberos v5 UDP kerberos 88/tcp kerberos-sec # Kerberos v5 TCP kpasswd 464/udp # password changing -kpasswd 464/tdp # password changing +kpasswd 464/tcp # password changing klogin 543/tcp # Kerberos authenticated rlogin kshell 544/tcp krcmd # and remote shell ekshell 545/tcp # Kerberos encrypted remote shell -kfall diff --git a/kerberosV/src/include/config.h.in b/kerberosV/src/include/config.h.in index 151344dccdd..8f06ea385e9 100644 --- a/kerberosV/src/include/config.h.in +++ b/kerberosV/src/include/config.h.in 
@@ -1,7 +1,8 @@ /* include/config.h.in. Generated automatically from configure.in by autoheader. */ #ifndef RCSID -#define RCSID(msg) static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } +#define RCSID(msg) \ +static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } #endif #undef BINDIR @@ -124,6 +125,12 @@ /* Define if you have the `daemon' function. */ #undef HAVE_DAEMON +/* define if you have a berkeley db1/2 library */ +#undef HAVE_DB1 + +/* define if you have a berkeley db3 library */ +#undef HAVE_DB3 + /* Define if you have the `dbm_firstkey' function. */ #undef HAVE_DBM_FIRSTKEY @@ -142,8 +149,8 @@ /* Define if you have the <db.h> header file. */ #undef HAVE_DB_H -/* Define if you have the `des_cbc_encrypt' function. */ -#undef HAVE_DES_CBC_ENCRYPT +/* define if you have ndbm compat in db */ +#undef HAVE_DB_NDBM /* Define if you have the <dirent.h> header file. */ #undef HAVE_DIRENT_H @@ -157,12 +164,21 @@ /* Define if you have the `dn_expand' function. */ #undef HAVE_DN_EXPAND +/* Define if you have the `ecalloc' function. */ +#undef HAVE_ECALLOC + /* Define if you have the `el_init' function. */ #undef HAVE_EL_INIT +/* Define if you have the `emalloc' function. */ +#undef HAVE_EMALLOC + /* define if your system declares environ */ #undef HAVE_ENVIRON_DECLARATION +/* Define if you have the `erealloc' function. */ +#undef HAVE_EREALLOC + /* Define if you have the `err' function. */ #undef HAVE_ERR @@ -175,6 +191,9 @@ /* Define if you have the <err.h> header file. */ #undef HAVE_ERR_H +/* Define if you have the `estrdup' function. */ +#undef HAVE_ESTRDUP + /* Define if you have the `fchown' function. */ #undef HAVE_FCHOWN @@ -323,6 +342,9 @@ /* Define if you have the <ifaddrs.h> header file. */ #undef HAVE_IFADDRS_H +/* Define if you have the in6addr_loopback variable */ +#undef HAVE_IN6ADDR_LOOPBACK + /* Define if you have the `inet_aton' function. */ #undef HAVE_INET_ATON 
@@ -335,6 +357,9 @@ /* Define if you have the `initgroups' function. */ #undef HAVE_INITGROUPS +/* Define if you have the `initstate' function. */ +#undef HAVE_INITSTATE + /* Define if you have the `innetgr' function. */ #undef HAVE_INNETGR @@ -350,6 +375,9 @@ /* Define if you have the `iruserok' function. */ #undef HAVE_IRUSEROK +/* Define if you have the `issetugid' function. */ +#undef HAVE_ISSETUGID + /* Define if you have the `krb_disable_debug' function. */ #undef HAVE_KRB_DISABLE_DEBUG @@ -359,9 +387,15 @@ /* Define if you have the `krb_get_our_ip_for_realm' function. */ #undef HAVE_KRB_GET_OUR_IP_FOR_REALM +/* Define if you have the <libutil.h> header file. */ +#undef HAVE_LIBUTIL_H + /* Define if you have the <limits.h> header file. */ #undef HAVE_LIMITS_H +/* Define if you have the `logout' function. */ +#undef HAVE_LOGOUT + /* Define if you have the `logwtmp' function. */ #undef HAVE_LOGWTMP @@ -374,21 +408,21 @@ /* Define if you have the <maillock.h> header file. */ #undef HAVE_MAILLOCK_H -/* Define if you have the `MD4_Init' function. */ -#undef HAVE_MD4_INIT - -/* Define if you have the `MD5_Init' function. */ -#undef HAVE_MD5_INIT - /* Define if you have the `memmove' function. */ #undef HAVE_MEMMOVE +/* Define if you have the <memory.h> header file. */ +#undef HAVE_MEMORY_H + /* Define if you have the `mkstemp' function. */ #undef HAVE_MKSTEMP /* Define if you have the `mktime' function. */ #undef HAVE_MKTIME +/* define if you have a ndbm library */ +#undef HAVE_NDBM + /* Define if you have the <ndbm.h> header file. */ #undef HAVE_NDBM_H 
@@ -431,20 +465,11 @@ /* Define if you have the <net/if.h> header file. */ #undef HAVE_NET_IF_H -/* Define if you have the <openssl/des.h> header file. */ -#undef HAVE_OPENSSL_DES_H - -/* Define if you have the <openssl/md4.h> header file. */ -#undef HAVE_OPENSSL_MD4_H +/* Define if you have the `openpty' function. */ +#undef HAVE_OPENPTY -/* Define if you have the <openssl/md5.h> header file. */ -#undef HAVE_OPENSSL_MD5_H - -/* Define if you have the <openssl/rc4.h> header file. */ -#undef HAVE_OPENSSL_RC4_H - -/* Define if you have the <openssl/sha.h> header file. */ -#undef HAVE_OPENSSL_SHA_H +/* define to use openssl's libcrypto */ +#undef HAVE_OPENSSL /* define if your system declares optarg */ #undef HAVE_OPTARG_DECLARATION @@ -488,9 +513,6 @@ /* Define if you have the `random' function. */ #undef HAVE_RANDOM -/* Define if you have the `RC4' function. */ -#undef HAVE_RC4 - /* Define if you have the `rcmd' function. */ #undef HAVE_RCMD @@ -512,9 +534,6 @@ /* Define if you have the `revoke' function. */ #undef HAVE_REVOKE -/* Define if you have the <rpcsvc/dbm.h> header file. */ -#undef HAVE_RPCSVC_DBM_H - /* Define if you have the <rpcsvc/ypclnt.h> header file. */ #undef HAVE_RPCSVC_YPCLNT_H @@ -581,6 +600,9 @@ /* Define if you have the `setsockopt' function. */ #undef HAVE_SETSOCKOPT +/* Define if you have the `setstate' function. */ +#undef HAVE_SETSTATE + /* Define if you have the `setutent' function. */ #undef HAVE_SETUTENT @@ -590,9 +612,6 @@ /* Define if you have the <sgtty.h> header file. */ #undef HAVE_SGTTY_H -/* Define if you have the `SHA1_Init' function. */ -#undef HAVE_SHA1_INIT - /* Define if you have the <shadow.h> header file. */ #undef HAVE_SHADOW_H 
@@ -617,6 +636,12 @@ /* Define if you have the <standards.h> header file. */ #undef HAVE_STANDARDS_H +/* Define if you have the <stdint.h> header file. */ +#undef HAVE_STDINT_H + +/* Define if you have the <stdlib.h> header file. */ +#undef HAVE_STDLIB_H + /* Define if you have the `strcasecmp' function. */ #undef HAVE_STRCASECMP @@ -629,6 +654,12 @@ /* Define if you have the `strftime' function. */ #undef HAVE_STRFTIME +/* Define if you have the <strings.h> header file. */ +#undef HAVE_STRINGS_H + +/* Define if you have the <string.h> header file. */ +#undef HAVE_STRING_H + /* Define if you have the `strlcat' function. */ #undef HAVE_STRLCAT @@ -959,9 +990,6 @@ /* Define if you have the `warnx' function. */ #undef HAVE_WARNX -/* Define if you have the <winsock.h> header file. */ -#undef HAVE_WINSOCK_H - /* Define if you have the `writev' function. */ #undef HAVE_WRITEV @@ -1001,12 +1029,6 @@ /* Define if you have the hesiod package. */ #undef HESIOD -/* Define if you want to use the KDC as a kaserver. */ -#undef KASERVER - -/* Define if you want support in hprop for reading kaserver databases */ -#undef KASERVER_DB - /* Define if you have the krb4 package. */ #undef KRB4 @@ -1248,14 +1270,6 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } #define SGTTY #endif -/* - * Define NDBM if you are using the 4.3 ndbm library (which is part of - * libc). If not defined, 4.2 dbm will be assumed. - */ -#if defined(HAVE_DBM_FIRSTKEY) -#define NDBM -#endif - /* telnet stuff ----------------------------------------------- */ #if defined(ENCRYPTION) && !defined(AUTHENTICATION) diff --git a/kerberosV/src/kadmin/ChangeLog b/kerberosV/src/kadmin/ChangeLog index ccc615edcaa..60b539b3a69 100644 --- a/kerberosV/src/kadmin/ChangeLog +++ b/kerberosV/src/kadmin/ChangeLog 
@@ -1,3 +1,47 @@ +2001-08-24 Assar Westerlund <assar@sics.se> + + * Makefile.am: rename variable name to avoid error from current + automake + +2001-08-22 Assar Westerlund <assar@sics.se> + + * kadmin_locl.h: include libutil.h if it exists + +2001-08-10 Johan Danielsson <joda@pdc.kth.se> + + * util.c: do something to handle C-c in prompts + + * load.c: remove unused etypes code, and add parsing of the + generation field + + * ank.c: add a --use-defaults option to just use default values + without questions + + * kadmin.c: add "del" alias for delete + + * cpw.c: call this operation "passwd" in usage + + * kadmin_locl.h: prototype for set_defaults + + * util.c (edit_entry): move setting of default values to a + separate function, set_defaults + +2001-08-01 Johan Danielsson <joda@pdc.kth.se> + + * kadmin.c: print help message on bad options + +2001-07-31 Assar Westerlund <assar@sics.se> + + * add-random-users.c (main): handle --version + +2001-07-30 Johan Danielsson <joda@pdc.kth.se> + + * load.c: increase line buffer to 8k + +2001-06-12 Assar Westerlund <assar@sics.se> + + * ext.c (ext_keytab): use the default modify keytab per default + 2001-05-17 Assar Westerlund <assar@sics.se> * kadm_conn.c (start_server): fix krb5_eai_to_heim_errno call diff --git a/kerberosV/src/kadmin/ank.c b/kerberosV/src/kadmin/ank.c index 9a457e6e10e..607f6906640 100644 --- a/kerberosV/src/kadmin/ank.c +++ b/kerberosV/src/kadmin/ank.c @@ -33,7 +33,7 @@ #include "kadmin_locl.h" -RCSID("$KTH: ank.c,v 1.21 2000/09/10 19:16:39 joda Exp $"); +RCSID("$KTH: ank.c,v 1.22 2001/08/10 08:08:22 joda Exp $"); /* * fetch the default principal corresponding to `princ' @@ -67,6 +67,7 @@ static krb5_error_code add_one_principal (const char *name, int rand_key, int rand_password, + int use_defaults, char *password, krb5_key_data *key_data, const char *max_ticket_life, 
@@ -108,7 +109,10 @@ add_one_principal (const char *name, KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION; } - edit_entry(&princ, &mask, default_ent, default_mask); + if(use_defaults) + set_defaults(&princ, &mask, default_ent, default_mask); + else + edit_entry(&princ, &mask, default_ent, default_mask); if(rand_key || key_data) { princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; mask |= KADM5_ATTRIBUTES; @@ -200,10 +204,11 @@ static struct getargs args[] = { "max renewable lifetime", "lifetime" }, { "attributes", 0, arg_string, NULL, "principal attributes", "attributes"}, - { "expiration-time",0, arg_string, NULL, "Expiration time", + { "expiration-time",0, arg_string, NULL, "expiration time", "time"}, { "pw-expiration-time", 0, arg_string, NULL, - "Password expiration time", "time"} + "password expiration time", "time"}, + { "use-defaults", 0, arg_flag, NULL, "use default values" } }; static int num_args = sizeof(args) / sizeof(args[0]); @@ -232,6 +237,7 @@ add_new_key(int argc, char **argv) char *attributes = NULL; char *expiration = NULL; char *pw_expiration = NULL; + int use_defaults = 0; int i; int num; krb5_key_data key_data[3]; @@ -246,6 +252,7 @@ add_new_key(int argc, char **argv) args[6].value = &attributes; args[7].value = &expiration; args[8].value = &pw_expiration; + args[9].value = &use_defaults; if(getarg(args, num_args, argc, argv, &optind)) { usage (); @@ -284,6 +291,7 @@ add_new_key(int argc, char **argv) for (i = optind; i < argc; ++i) { ret = add_one_principal (argv[i], random_key, random_password, + use_defaults, password, kdp, max_ticket_life, diff --git a/kerberosV/src/kadmin/cpw.c b/kerberosV/src/kadmin/cpw.c index 7292e7b61a2..756555658c7 100644 --- a/kerberosV/src/kadmin/cpw.c +++ b/kerberosV/src/kadmin/cpw.c @@ -33,7 +33,7 @@ #include "kadmin_locl.h" -RCSID("$KTH: cpw.c,v 1.12 2001/05/07 05:30:23 assar Exp $"); +RCSID("$KTH: cpw.c,v 1.13 2001/08/10 08:05:35 joda Exp $"); struct cpw_entry_data { int random_key; 
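Review bot: `args[9].value = &use_defaults;` binds the new option purely by its position in the `args[]` table, and the table hunk in this file only shows the tail of the array, so nothing on the page confirms that the appended `{ "use-defaults", 0, arg_flag, ... }` entry is index 9; an off-by-one here would silently store the flag into another option's variable. The surrounding `args[6..8]` assignments use the same positional scheme, so this is a point of style rather than a new defect, but the new entry is the one that will drift if someone later inserts an option above it. A comment on the assignment such as `/* index 9 must match the position of "use-defaults" in args[] */` makes the coupling explicit; the same applies to the table hunk above it. `add_new_key` starts and ends outside these hunks.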
@@ -54,7 +54,7 @@ static int num_args = sizeof(args) / sizeof(args[0]); static void usage(void) { - arg_printusage(args, num_args, "cpw", "principal..."); + arg_printusage(args, num_args, "passwd", "principal..."); } static int diff --git a/kerberosV/src/kadmin/ext.c b/kerberosV/src/kadmin/ext.c index c28568f8d5f..c89774cf07e 100644 --- a/kerberosV/src/kadmin/ext.c +++ b/kerberosV/src/kadmin/ext.c @@ -33,7 +33,7 @@ #include "kadmin_locl.h" -RCSID("$KTH: ext.c,v 1.6 2001/05/07 05:31:12 assar Exp $"); +RCSID("$KTH: ext.c,v 1.7 2001/06/12 12:15:15 assar Exp $"); struct ext_keytab_data { krb5_keytab keytab; @@ -87,6 +87,7 @@ ext_keytab(int argc, char **argv) int i; int optind = 0; char *keytab = NULL; + char keytab_buf[256]; struct ext_keytab_data data; args[0].value = &keytab; @@ -94,10 +95,17 @@ ext_keytab(int argc, char **argv) usage(); return 0; } - if(keytab) - ret = krb5_kt_resolve(context, keytab, &data.keytab); - else - ret = krb5_kt_default(context, &data.keytab); + if (keytab == NULL) { + ret = krb5_kt_default_modify_name (context, keytab_buf, + sizeof(keytab_buf)); + if (ret) { + krb5_warn(context, ret, "krb5_kt_default_modify_name"); + return 0; + } + keytab = keytab_buf; + } + + ret = krb5_kt_resolve(context, keytab, &data.keytab); if(ret){ krb5_warn(context, ret, "krb5_kt_resolve"); return 0; diff --git a/kerberosV/src/kadmin/server.c b/kerberosV/src/kadmin/server.c index 5c4356feb00..27211c29850 100644 --- a/kerberosV/src/kadmin/server.c +++ b/kerberosV/src/kadmin/server.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "kadmin_locl.h" #include <krb5-private.h> -RCSID("$KTH: server.c,v 1.32 2000/09/19 12:46:01 assar Exp $"); +RCSID("$KTH: server.c,v 1.33 2001/07/23 13:46:47 joda Exp $"); static kadm5_ret_t kadmind_dispatch(void *kadm_handle, krb5_boolean initial, 
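Review bot: In the ext.c hunk, the default-keytab branch copies the modify keytab name into the fixed `keytab_buf[256]` and checks only `ret`, so it relies on `krb5_kt_default_modify_name` reporting a name that does not fit as an error rather than truncating it; if it could truncate silently, a shortened path would be passed to `krb5_kt_resolve` and keys written to a keytab other than the configured one, which is worth confirming against that function's contract. A short comment on the branch would also help, since the reason for preferring the modify name over the previous `krb5_kt_default` is only stated in the ChangeLog: `/* keys are written here, so default to the modify keytab, not the read keytab */`. `ext_keytab` begins and continues outside this hunk, so the value returned to the caller on the error path is consistent with the existing `krb5_kt_resolve` path but not checked here.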
@@ -483,7 +483,7 @@ handle_v5(krb5_context context, NULL, KRB5_RECVAUTH_IGNORE_VERSION, keytab, &ticket); if(ret == KRB5_KT_NOTFOUND) - krb5_errx(context, 1, "krb5_recvauth: key no found"); + krb5_errx(context, 1, "krb5_recvauth: key not found"); if(ret) krb5_err(context, 1, ret, "krb5_recvauth"); diff --git a/kerberosV/src/lib/45/get_ad_tkt.c b/kerberosV/src/lib/45/get_ad_tkt.c index 12995f205c8..54d43bbaef1 100644 --- a/kerberosV/src/lib/45/get_ad_tkt.c +++ b/kerberosV/src/lib/45/get_ad_tkt.c @@ -33,7 +33,7 @@ #include "45_locl.h" -RCSID("$KTH: get_ad_tkt.c,v 1.3 1999/12/02 17:05:01 joda Exp $"); +RCSID("$KTH: get_ad_tkt.c,v 1.4 2001/06/18 13:11:05 assar Exp $"); /* get an additional version 4 ticket via the 524 protocol */ @@ -100,7 +100,7 @@ get_ad_tkt(char *service, char *sinstance, char *realm, int lifetime) krb5_free_context(context); return KFAILURE; } - ret = krb524_convert_creds_kdc(context, id, out_creds, &cred); + ret = krb524_convert_creds_kdc_ccache(context, id, out_creds, &cred); krb5_cc_close(context, id); krb5_free_context(context); krb5_free_creds(context, out_creds); diff --git a/kerberosV/src/lib/auth/sia/make-rpath b/kerberosV/src/lib/auth/sia/make-rpath new file mode 100644 index 00000000000..621967f485b --- /dev/null +++ b/kerberosV/src/lib/auth/sia/make-rpath @@ -0,0 +1,34 @@ +#!/bin/sh +# $KTH: make-rpath,v 1.1 2001/07/17 15:15:31 assar Exp $ +rlist= +rest= +while test $# -gt 0; do +case $1 in +-R|-rpath) + if test "$rlist"; then + rlist="${rlist}:$2" + else + rlist="$2" + fi + shift 2 + ;; +-R*) + d=`echo $1 | sed 's,^-R,,'` + if test "$rlist"; then + rlist="${rlist}:${d}" + else + rlist="${d}" + fi + shift + ;; +*) + rest="${rest} $1" + shift + ;; +esac +done +rpath= +if test "$rlist"; then + rpath="-rpath $rlist " +fi +echo "${rpath}${rest}" diff --git a/kerberosV/src/lib/editline/edit_compat.h b/kerberosV/src/lib/editline/edit_compat.h new file mode 100644 index 00000000000..55f66ff67f0 --- /dev/null 
+++ b/kerberosV/src/lib/editline/edit_compat.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* $KTH: edit_compat.h,v 1.1 2001/08/29 00:24:33 assar Exp $ */ + +#ifndef _EDIT_COMPAT_H +#define _EDIT_COMPAT_H + +void rl_reset_terminal(char *p); +void rl_initialize(void); +char *readline(const char *prompt); +void add_history(char *p); + +#endif /* _EDIT_COMPAT_H */ 
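Review bot: The include guard `_EDIT_COMPAT_H` in the new header is an identifier reserved for the implementation (leading underscore followed by an uppercase letter); rename it to `#ifndef EDIT_COMPAT_H` / `#define EDIT_COMPAT_H` / `#endif /* EDIT_COMPAT_H */`, which also matches the `GSSAPI_LOCL_H` guard used elsewhere in this import. The prototypes are inconsistent about constness — `readline` takes `const char *` while `rl_reset_terminal` and `add_history` take `char *` — so a one-line comment stating whether those two callees modify or retain their argument would help callers. The header has no header-level comment saying which editline/readline API it is a compatibility shim for.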
diff --git a/kerberosV/src/lib/gssapi/8003.c b/kerberosV/src/lib/gssapi/8003.c index 913da5a01d7..7fd1edec3d9 100644 --- a/kerberosV/src/lib/gssapi/8003.c +++ b/kerberosV/src/lib/gssapi/8003.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: 8003.c,v 1.8 2001/01/29 02:08:58 assar Exp $"); +RCSID("$KTH: 8003.c,v 1.10 2001/08/29 02:21:09 assar Exp $"); static krb5_error_code encode_om_uint32(OM_uint32 n, u_char *p) @@ -86,27 +86,35 @@ hash_input_chan_bindings (const gss_channel_bindings_t b, return 0; } -krb5_error_code +/* + * create a checksum over the chanel bindings in + * `input_chan_bindings', `flags' and `fwd_data' and return it in + * `result' + */ + +OM_uint32 gssapi_krb5_create_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, OM_uint32 flags, - krb5_data *fwd_data, + const krb5_data *fwd_data, Checksum *result) { u_char *p; /* * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value - * field's format) - */ + * field's format) */ result->cksumtype = 0x8003; if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) result->checksum.length = 24 + 4 + fwd_data->length; else result->checksum.length = 24; result->checksum.data = malloc (result->checksum.length); - if (result->checksum.data == NULL) - return ENOMEM; + if (result->checksum.data == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } p = result->checksum.data; encode_om_uint32 (16, p); 
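Review bot: `gssapi_krb5_create_8003_checksum` accepts any `fwd_data->length` when `GSS_C_DELEG_FLAG` is set, but the matching verifier (hunk -186 in this file) reads the delegation length back as a two-byte little-endian field, so lengths above 0xffff produce a checksum whose declared `24 + 4 + fwd_data->length` size can never match what a peer parses. Reject it before allocating, next to the `cksumtype` assignment: `if ((flags & GSS_C_DELEG_FLAG) && fwd_data->length > 0xffff) { *minor_status = EINVAL; return GSS_S_FAILURE; }`. The code that actually writes the length field is outside this hunk, so confirm it agrees with the reader's two-byte decoding.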
@@ -139,18 +147,21 @@ gssapi_krb5_create_8003_checksum ( memcpy(p, (unsigned char *) fwd_data->data, fwd_data->length); p += fwd_data->length; - - if (p - (u_char *)result->checksum.data != result->checksum.length) - abort(); } - - return 0; + + return GSS_S_COMPLETE; } -krb5_error_code +/* + * verify the checksum in `cksum' over `input_chan_bindings' + * returning `flags' and `fwd_data' + */ + +OM_uint32 gssapi_krb5_verify_8003_checksum( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, - Checksum *cksum, + const Checksum *cksum, OM_uint32 *flags, krb5_data *fwd_data) { @@ -160,21 +171,29 @@ gssapi_krb5_verify_8003_checksum( int DlgOpt; /* XXX should handle checksums > 24 bytes */ - if(cksum->cksumtype != 0x8003) + if(cksum->cksumtype != 0x8003) { + *minor_status = 0; return GSS_S_BAD_BINDINGS; + } p = cksum->checksum.data; decode_om_uint32(p, &length); - if(length != sizeof(hash)) - return GSS_S_FAILURE; + if(length != sizeof(hash)) { + *minor_status = 0; + return GSS_S_BAD_BINDINGS; + } p += 4; if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) { - if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) - return GSS_S_FAILURE; - if(memcmp(hash, p, sizeof(hash)) != 0) - return GSS_S_FAILURE; + if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) { + *minor_status = 0; + return GSS_S_BAD_BINDINGS; + } + if(memcmp(hash, p, sizeof(hash)) != 0) { + *minor_status = 0; + return GSS_S_BAD_BINDINGS; + } } p += sizeof(hash); 
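Review bot: `gssapi_krb5_verify_8003_checksum` reads `length`, the 16-byte hash and the fields after them straight out of `cksum->checksum.data` without ever comparing against `cksum->checksum.length`, although the checksum arrives in the peer's authenticator; the existing `/* XXX should handle checksums > 24 bytes */` comment already points at this. The minimal guard extends the type test: `if(cksum->cksumtype != 0x8003 || cksum->checksum.length < 24) {`, 24 being the fixed part that `gssapi_krb5_create_8003_checksum` emits for the non-delegation case. The delegation fields read in the next hunk (-186) need the same bound against the remaining bytes. The function's body continues past this hunk.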
@@ -186,18 +205,22 @@ gssapi_krb5_verify_8003_checksum( p += 4; DlgOpt = (p[0] << 0) | (p[1] << 8 ); - if (DlgOpt != 1) - return GSS_S_BAD_BINDINGS; + if (DlgOpt != 1) { + *minor_status = 0; + return GSS_S_BAD_BINDINGS; + } p += 2; fwd_data->length = (p[0] << 0) | (p[1] << 8); fwd_data->data = malloc(fwd_data->length); - if (fwd_data->data == NULL) - return ENOMEM; + if (fwd_data->data == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } p += 2; memcpy(fwd_data->data, p, fwd_data->length); } - return 0; + return GSS_S_COMPLETE; } diff --git a/kerberosV/src/lib/gssapi/ChangeLog b/kerberosV/src/lib/gssapi/ChangeLog index 99ab2710881..c1735acb77e 100644 --- a/kerberosV/src/lib/gssapi/ChangeLog +++ b/kerberosV/src/lib/gssapi/ChangeLog 
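Review bot: `fwd_data->length` is decoded from the peer-supplied checksum and passed directly to `malloc` and `memcpy` from `p`, with no check that `24 + 4 + fwd_data->length` bytes exist in `cksum->checksum` (the size the creator writes, per the earlier hunk), so an undersized checksum makes `memcpy` read past the buffer. Add a bound before the allocation, in the style the hunk already uses: `if (cksum->checksum.length < 28 || fwd_data->length > cksum->checksum.length - 28) { *minor_status = 0; return GSS_S_BAD_BINDINGS; }`. A zero-length delegation also reaches `malloc(0)`, whose NULL result would be reported as `ENOMEM`; treating `fwd_data->length == 0` as "no delegation" avoids that. The start of this function is outside the hunk.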
@@ -1,3 +1,69 @@ +2001-08-29 Assar Westerlund <assar@sics.se> + + * 8003.c (gssapi_krb5_verify_8003_checksum, + gssapi_krb5_create_8003_checksum): make more consistent by always + returning an gssapi error and setting minor status. update + callers + +2001-08-28 Jacques Vidrine <n@nectar.com> + + * accept_sec_context.c: Create a cache for delegated credentials + when needed. + +2001-08-28 Assar Westerlund <assar@sics.se> + + * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2 + +2001-08-23 Assar Westerlund <assar@sics.se> + + * *.c: handle minor_status more consistently + + * display_status.c (gss_display_status): handle krb5_get_err_text + failing + +2001-08-15 Johan Danielsson <joda@pdc.kth.se> + + * gssapi_locl.h: fix prototype for gssapi_krb5_init + +2001-08-13 Johan Danielsson <joda@pdc.kth.se> + + * accept_sec_context.c (gsskrb5_register_acceptor_identity): init + context and check return value from kt_resolve + + * init.c: return error code + +2001-07-19 Assar Westerlund <assar@sics.se> + + * Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2 + +2001-07-12 Assar Westerlund <assar@sics.se> + + * Makefile.am (libgssapi_la_LIBADD): add required library + dependencies + +2001-07-06 Assar Westerlund <assar@sics.se> + + * accept_sec_context.c (gsskrb5_register_acceptor_identity): set + the keytab to be used for gss_acquire_cred too' + +2001-07-03 Assar Westerlund <assar@sics.se> + + * Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2 + +2001-06-18 Assar Westerlund <assar@sics.se> + + * wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey + and gss_krb5_get_remotekey + * verify_mic.c: update krb5_auth_con function names use + gss_krb5_get_remotekey + * unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey + and gss_krb5_get_remotekey + * gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey): + add prototypes + * get_mic.c: update krb5_auth_con function names. 
use + gss_krb5_get_localkey + * accept_sec_context.c: update krb5_auth_con function names + 2001-05-17 Assar Westerlund <assar@sics.se> * Makefile.am: bump version to 3:1:2 diff --git a/kerberosV/src/lib/gssapi/accept_sec_context.c b/kerberosV/src/lib/gssapi/accept_sec_context.c index 6c34e3129be..0114eabf555 100644 --- a/kerberosV/src/lib/gssapi/accept_sec_context.c +++ b/kerberosV/src/lib/gssapi/accept_sec_context.c @@ -33,23 +33,31 @@ #include "gssapi_locl.h" -RCSID("$KTH: accept_sec_context.c,v 1.24 2001/05/11 09:16:45 assar Exp $"); +RCSID("$KTH: accept_sec_context.c,v 1.30 2001/08/29 02:21:09 assar Exp $"); -static krb5_keytab gss_keytab; +krb5_keytab gssapi_krb5_keytab; OM_uint32 gsskrb5_register_acceptor_identity (char *identity) { + krb5_error_code ret; char *p; - if(gss_keytab != NULL) { - krb5_kt_close(gssapi_krb5_context, gss_keytab); - gss_keytab = NULL; + + ret = gssapi_krb5_init(); + if(ret) + return GSS_S_FAILURE; + + if(gssapi_krb5_keytab != NULL) { + krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab); + gssapi_krb5_keytab = NULL; } asprintf(&p, "FILE:%s", identity); if(p == NULL) return GSS_S_FAILURE; - krb5_kt_resolve(gssapi_krb5_context, p, &gss_keytab); + ret = krb5_kt_resolve(gssapi_krb5_context, p, &gssapi_krb5_keytab); free(p); + if(ret) + return GSS_S_FAILURE; return GSS_S_COMPLETE; } @@ -78,6 +86,7 @@ gss_accept_sec_context krb5_data fwd_data; OM_uint32 minor; + ret = 0; gssapi_krb5_init (); krb5_data_zero (&fwd_data); @@ -136,9 +145,9 @@ gss_accept_sec_context (*context_handle)->auth_context->local_port, &acceptor_addr); if (kret) { - *minor_status = kret; gssapi_krb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; + *minor_status = kret; goto failure; } @@ -148,9 +157,9 @@ gss_accept_sec_context &initiator_addr); if (kret) { krb5_free_address (gssapi_krb5_context, &acceptor_addr); - *minor_status = kret; gssapi_krb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; + *minor_status = kret; goto failure; } 
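Review bot: In `gsskrb5_register_acceptor_identity` the `asprintf(&p, "FILE:%s", identity)` result is judged by `p == NULL`, but `asprintf` does not define the contents of `p` on failure on every libc; test the return value instead: `if (asprintf(&p, "FILE:%s", identity) < 0) return GSS_S_FAILURE;`. A NULL `identity` also reaches `%s` unchecked, and the function has no minor status to report why `gssapi_krb5_init` or `krb5_kt_resolve` failed — `ret` is simply dropped — so calling `gssapi_krb5_set_error_string ()` after the failing `krb5_kt_resolve`, as the rest of this file does, would at least let `gss_display_status` explain a bad keytab path. `gssapi_krb5_keytab` is now a non-static global shared by every caller; a comment stating that it is expected to be set once, before any context is accepted, would document the assumption.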
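Review bot: The return value of `gssapi_krb5_init ()` is discarded right after `ret = 0;` at the top of `gss_accept_sec_context`, although this import changes it to return a `krb5_error_code` (init.c hunk); on failure `gssapi_krb5_context` stays NULL and everything below dereferences it. Check it the way the new `gsskrb5_register_acceptor_identity` does: `kret = gssapi_krb5_init (); if (kret) { *minor_status = kret; return GSS_S_FAILURE; }`. The function body is mostly outside this hunk.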
@@ -169,9 +178,9 @@ gss_accept_sec_context #endif if (kret) { - *minor_status = kret; gssapi_krb5_set_error_string (); ret = GSS_S_BAD_BINDINGS; + *minor_status = kret; goto failure; } } @@ -190,17 +199,16 @@ gss_accept_sec_context tmp); } - ret = gssapi_krb5_decapsulate (input_token_buffer, + ret = gssapi_krb5_decapsulate (minor_status, + input_token_buffer, &indata, "\x01\x00"); - if (ret) { - kret = 0; - goto failure; - } + if (ret) + goto failure; if (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) { - if (gss_keytab != NULL) { - keytab = gss_keytab; + if (gssapi_krb5_keytab != NULL) { + keytab = gssapi_krb5_keytab; } } else if (acceptor_cred_handle->keytab != NULL) { keytab = acceptor_cred_handle->keytab; @@ -256,7 +264,7 @@ gss_accept_sec_context { krb5_authenticator authenticator; - kret = krb5_auth_getauthenticator(gssapi_krb5_context, + kret = krb5_auth_con_getauthenticator(gssapi_krb5_context, (*context_handle)->auth_context, &authenticator); if(kret) { 
@@ -266,35 +274,59 @@ gss_accept_sec_context goto failure; } - kret = gssapi_krb5_verify_8003_checksum(input_chan_bindings, - authenticator->cksum, - &flags, - &fwd_data); + ret = gssapi_krb5_verify_8003_checksum(minor_status, + input_chan_bindings, + authenticator->cksum, + &flags, + &fwd_data); krb5_free_authenticator(gssapi_krb5_context, &authenticator); - if (kret) { - ret = GSS_S_FAILURE; - *minor_status = kret; - gssapi_krb5_set_error_string (); - goto failure; - } + if (ret) + goto failure; } if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) { krb5_ccache ccache; - if (delegated_cred_handle == NULL || *delegated_cred_handle == NULL) + if (delegated_cred_handle == NULL) /* XXX Create a new delegated_cred_handle? */ kret = krb5_cc_default (gssapi_krb5_context, &ccache); - - else { - if ((*delegated_cred_handle)->ccache == NULL) + else if (*delegated_cred_handle == NULL) { + if ((*delegated_cred_handle = + calloc(1, sizeof(**delegated_cred_handle))) == NULL) { + ret = GSS_S_FAILURE; + *minor_status = ENOMEM; + krb5_set_error_string(gssapi_krb5_context, "out of memory"); + gssapi_krb5_set_error_string(); + goto failure; + } + if ((ret = gss_duplicate_name(minor_status, ticket->client, + &(*delegated_cred_handle)->principal)) != 0) { + flags &= ~GSS_C_DELEG_FLAG; + free(*delegated_cred_handle); + *delegated_cred_handle = NULL; + goto end_fwd; + } + } + if (delegated_cred_handle != NULL && + (*delegated_cred_handle)->ccache == NULL) { kret = krb5_cc_gen_new (gssapi_krb5_context, &krb5_mcc_ops, &(*delegated_cred_handle)->ccache); ccache = (*delegated_cred_handle)->ccache; } - + if (delegated_cred_handle != NULL && + (*delegated_cred_handle)->mechanisms == NULL) { + ret = gss_create_empty_oid_set(minor_status, + &(*delegated_cred_handle)->mechanisms); + if (ret) + goto failure; + ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &(*delegated_cred_handle)->mechanisms); + if (ret) + goto failure; + } + if (kret) { flags &= ~GSS_C_DELEG_FLAG; goto 
end_fwd; @@ -347,14 +379,13 @@ end_fwd: gssapi_krb5_set_error_string (); goto failure; } - ret = gssapi_krb5_encapsulate (&outbuf, + ret = gssapi_krb5_encapsulate (minor_status, + &outbuf, output_token, "\x02\x00"); krb5_data_free (&outbuf); - if (ret) { - kret = 0; + if (ret) goto failure; - } } else { output_token->length = 0; } @@ -387,6 +418,5 @@ failure: *src_name = NULL; } *context_handle = GSS_C_NO_CONTEXT; - *minor_status = kret; - return GSS_S_FAILURE; + return ret; } diff --git a/kerberosV/src/lib/gssapi/acquire_cred.c b/kerberosV/src/lib/gssapi/acquire_cred.c index a547d5f0665..fc998c59752 100644 --- a/kerberosV/src/lib/gssapi/acquire_cred.c +++ b/kerberosV/src/lib/gssapi/acquire_cred.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: acquire_cred.c,v 1.6 2001/05/11 09:16:45 assar Exp $"); +RCSID("$KTH: acquire_cred.c,v 1.7 2001/07/06 15:33:28 assar Exp $"); OM_uint32 gss_acquire_cred (OM_uint32 * minor_status, @@ -85,9 +85,23 @@ OM_uint32 gss_acquire_cred krb5_get_init_creds_opt opt; try_keytab: - kret = krb5_kt_default(gssapi_krb5_context, &handle->keytab); - if (kret != 0) - goto krb5_bad; + if (gssapi_krb5_keytab != NULL) { + char kt_name[256]; + + kret = krb5_kt_get_name(gssapi_krb5_context, + gssapi_krb5_keytab, + kt_name, sizeof(kt_name)); + if (kret) + goto krb5_bad; + kret = krb5_kt_resolve(gssapi_krb5_context, kt_name, + &handle->keytab); + if (kret) + goto krb5_bad; + } else { + kret = krb5_kt_default(gssapi_krb5_context, &handle->keytab); + if (kret != 0) + goto krb5_bad; + } krb5_get_init_creds_opt_init(&opt); memset(&cred, 0, sizeof(cred)); diff --git a/kerberosV/src/lib/gssapi/decapsulate.c b/kerberosV/src/lib/gssapi/decapsulate.c index 28a75f14b20..dfc44c87ab2 100644 --- a/kerberosV/src/lib/gssapi/decapsulate.c +++ b/kerberosV/src/lib/gssapi/decapsulate.c 
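Review bot: `ccache` is now assigned only inside the `(*delegated_cred_handle)->ccache == NULL` block, so when the caller passes a handle that already owns a cache the local `ccache` stays uninitialised for whatever uses it after `end_fwd` (outside the hunk); the removed code assigned it unconditionally, so add `else if (delegated_cred_handle != NULL) ccache = (*delegated_cred_handle)->ccache;` to that `if`. When `gss_create_empty_oid_set` or `gss_add_oid_set_member` fails, the just-`calloc`ed `*delegated_cred_handle` and its duplicated name are left half-initialised on the `goto failure` path, unlike the `gss_duplicate_name` failure, which frees and NULLs the handle — the same cleanup belongs there. On that `gss_duplicate_name` failure `ret` is also left non-zero while the function continues at `end_fwd`; whether the success path resets it later is not visible here. Finally, the `delegated_cred_handle == NULL` case still writes a peer's forwarded credentials into the acceptor's default cache via `krb5_cc_default`, as the `XXX` comment hints, and what is stored there happens past `end_fwd`; `gss_accept_sec_context` starts and ends outside this hunk.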
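Review bot: `failure:` now returns `ret`, and `ret` is initialised to 0 at the top of `gss_accept_sec_context` (hunk -78), so any `goto failure` that sets `kret` or `*minor_status` but not `ret` returns `GSS_S_COMPLETE` after having set `*context_handle = GSS_C_NO_CONTEXT`. Every path visible in this commit assigns `ret`, but the authenticator failure between hunks -256 and -266 and the rest of the function are not visible; a guard at the label, `if (ret == GSS_S_COMPLETE) ret = GSS_S_FAILURE;`, would keep the old behaviour as the floor.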
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: decapsulate.c,v 1.6 2000/07/29 05:48:13 assar Exp $"); +RCSID("$KTH: decapsulate.c,v 1.7 2001/08/23 04:35:54 assar Exp $"); OM_uint32 gssapi_krb5_verify_header(u_char **str, @@ -80,6 +80,7 @@ gssapi_krb5_verify_header(u_char **str, OM_uint32 gssapi_krb5_decapsulate( + OM_uint32 *minor_status, gss_buffer_t input_token_buffer, krb5_data *out_data, char *type @@ -92,8 +93,10 @@ gssapi_krb5_decapsulate( ret = gssapi_krb5_verify_header(&p, input_token_buffer->length, type); - if (ret) + if (ret) { + *minor_status = 0; return ret; + } out_data->length = input_token_buffer->length - (p - (u_char *)input_token_buffer->value); diff --git a/kerberosV/src/lib/gssapi/display_status.c b/kerberosV/src/lib/gssapi/display_status.c index bf20f64deb1..b529afecab9 100644 --- a/kerberosV/src/lib/gssapi/display_status.c +++ b/kerberosV/src/lib/gssapi/display_status.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: display_status.c,v 1.6 2001/05/11 09:16:46 assar Exp $"); +RCSID("$KTH: display_status.c,v 1.7 2001/08/23 04:34:41 assar Exp $"); static char *krb5_error_string; 
@@ -129,21 +129,25 @@ OM_uint32 gss_display_status asprintf (&buf, "%s %s", calling_error(GSS_CALLING_ERROR(status_value)), routine_error(GSS_ROUTINE_ERROR(status_value))); - if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; - } } else if (status_type == GSS_C_MECH_CODE) { buf = gssapi_krb5_get_error_string (); - if (buf == NULL) - buf = strdup(krb5_get_err_text (gssapi_krb5_context, status_value)); if (buf == NULL) { - *minor_status = ENOMEM; - return GSS_S_FAILURE; + const char *tmp = krb5_get_err_text (gssapi_krb5_context, + status_value); + if (tmp == NULL) + asprintf(&buf, "unknown mech error-code %u", + (unsigned)status_value); + else + buf = strdup(tmp); } } else return GSS_S_BAD_STATUS; + if (buf == NULL) { + *minor_status = ENOMEM; + return GSS_S_FAILURE; + } + *message_context = 0; status_string->length = strlen(buf); diff --git a/kerberosV/src/lib/gssapi/encapsulate.c b/kerberosV/src/lib/gssapi/encapsulate.c index 7f94f2d80c6..cde4d85dca2 100644 --- a/kerberosV/src/lib/gssapi/encapsulate.c +++ b/kerberosV/src/lib/gssapi/encapsulate.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: encapsulate.c,v 1.5 2000/08/27 02:46:23 assar Exp $"); +RCSID("$KTH: encapsulate.c,v 1.6 2001/08/23 04:35:54 assar Exp $"); void gssapi_krb5_encap_length (size_t data_len, @@ -78,6 +78,7 @@ gssapi_krb5_make_header (u_char *p, OM_uint32 gssapi_krb5_encapsulate( + OM_uint32 *minor_status, const krb5_data *in_data, gss_buffer_t output_token, u_char *type 
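Review bot: Both `asprintf` calls in `gss_display_status` rely on `buf` being NULL after a failed call, which `asprintf` does not guarantee on every libc; check the return value and normalise, e.g. `if (asprintf(&buf, "unknown mech error-code %u", (unsigned)status_value) < 0) buf = NULL;`, so the shared `if (buf == NULL)` check that this hunk introduces actually fires. The hunk does not say who owns the string returned by `gssapi_krb5_get_error_string ()`; a comment such as `/* caller owns buf in all three branches and frees it below */` (assuming that is the contract) would make the later `free` obviously correct. The function continues outside this hunk.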
@@ -90,8 +91,10 @@ gssapi_krb5_encapsulate( output_token->length = outer_len; output_token->value = malloc (outer_len); - if (output_token->value == NULL) + if (output_token->value == NULL) { + *minor_status = ENOMEM; return GSS_S_FAILURE; + } p = gssapi_krb5_make_header (output_token->value, len, type); memcpy (p, in_data->data, in_data->length); diff --git a/kerberosV/src/lib/gssapi/get_mic.c b/kerberosV/src/lib/gssapi/get_mic.c index f3d2aad92ef..360367a036d 100644 --- a/kerberosV/src/lib/gssapi/get_mic.c +++ b/kerberosV/src/lib/gssapi/get_mic.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: get_mic.c,v 1.17 2001/05/11 09:16:46 assar Exp $"); +RCSID("$KTH: get_mic.c,v 1.18 2001/06/18 02:50:15 assar Exp $"); static OM_uint32 mic_des @@ -91,7 +91,7 @@ mic_des memcpy (p - 8, hash, 8); /* SGN_CKSUM */ /* sequence number */ - krb5_auth_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, &seq_number); @@ -108,7 +108,7 @@ mic_des des_cbc_encrypt ((void *)p, (void *)p, 8, schedule, (des_cblock *)(p + 8), DES_ENCRYPT); - krb5_auth_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); @@ -198,7 +198,7 @@ mic_des3 memcpy (p + 8, cksum.checksum.data, cksum.checksum.length); /* sequence number */ - krb5_auth_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, &seq_number); @@ -240,7 +240,7 @@ mic_des3 memcpy (p, message_buffer->value, message_buffer->length); - krb5_auth_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); 
@@ -260,7 +260,7 @@ OM_uint32 gss_get_mic OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_getsomekey(context_handle, &key); + ret = gss_krb5_get_localkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; diff --git a/kerberosV/src/lib/gssapi/gssapi_locl.h b/kerberosV/src/lib/gssapi/gssapi_locl.h index 466939fba57..be19b0be76a 100644 --- a/kerberosV/src/lib/gssapi/gssapi_locl.h +++ b/kerberosV/src/lib/gssapi/gssapi_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: gssapi_locl.h,v 1.16 2001/05/11 09:16:46 assar Exp $ */ +/* $KTH: gssapi_locl.h,v 1.21 2001/08/29 02:21:09 assar Exp $ */ #ifndef GSSAPI_LOCL_H #define GSSAPI_LOCL_H @@ -46,30 +46,36 @@ extern krb5_context gssapi_krb5_context; -void gssapi_krb5_init (void); +extern krb5_keytab gssapi_krb5_keytab; -krb5_error_code +krb5_error_code gssapi_krb5_init (void); + +OM_uint32 gssapi_krb5_create_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, OM_uint32 flags, - krb5_data *fwd_data, + const krb5_data *fwd_data, Checksum *result); -krb5_error_code +OM_uint32 gssapi_krb5_verify_8003_checksum ( + OM_uint32 *minor_status, const gss_channel_bindings_t input_chan_bindings, - Checksum *cksum, + const Checksum *cksum, OM_uint32 *flags, krb5_data *fwd_data); OM_uint32 gssapi_krb5_encapsulate( + OM_uint32 *minor_status, const krb5_data *in_data, gss_buffer_t output_token, u_char *type); OM_uint32 gssapi_krb5_decapsulate( + OM_uint32 *minor_status, gss_buffer_t input_token_buffer, krb5_data *out_data, char *type); @@ -90,8 +96,12 @@ gssapi_krb5_verify_header(u_char **str, char *type); OM_uint32 -gss_krb5_getsomekey(const gss_ctx_id_t context_handle, - krb5_keyblock **key); +gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, + krb5_keyblock **key); + +OM_uint32 +gss_krb5_get_localkey(const gss_ctx_id_t context_handle, + krb5_keyblock **key); krb5_error_code gss_address_to_krb5addr(OM_uint32 gss_addr_type, 
diff --git a/kerberosV/src/lib/gssapi/init.c b/kerberosV/src/lib/gssapi/init.c index 6db723ce8a4..0e61fc7efff 100644 --- a/kerberosV/src/lib/gssapi/init.c +++ b/kerberosV/src/lib/gssapi/init.c @@ -33,15 +33,12 @@ #include "gssapi_locl.h" -RCSID("$KTH: init.c,v 1.5 2000/12/31 07:58:37 assar Exp $"); +RCSID("$KTH: init.c,v 1.6 2001/08/13 13:14:07 joda Exp $"); -void +krb5_error_code gssapi_krb5_init (void) { - krb5_error_code ret; - - if(gssapi_krb5_context == NULL) { - ret = krb5_init_context (&gssapi_krb5_context); - /* and what do we do when that failed? */ - } + if(gssapi_krb5_context == NULL) + return krb5_init_context (&gssapi_krb5_context); + return 0; } diff --git a/kerberosV/src/lib/gssapi/init_sec_context.c b/kerberosV/src/lib/gssapi/init_sec_context.c index b9c5e8c1925..f0fa467c583 100644 --- a/kerberosV/src/lib/gssapi/init_sec_context.c +++ b/kerberosV/src/lib/gssapi/init_sec_context.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: init_sec_context.c,v 1.27 2001/05/11 09:16:46 assar Exp $"); +RCSID("$KTH: init_sec_context.c,v 1.29 2001/08/29 02:21:09 assar Exp $"); /* * copy the addresses from `input_chan_bindings' (if any) to @@ -344,17 +344,14 @@ init_auth (*context_handle)->flags = flags; (*context_handle)->more_flags = LOCAL; - kret = gssapi_krb5_create_8003_checksum (input_chan_bindings, - flags, - &fwd_data, - &cksum); + ret = gssapi_krb5_create_8003_checksum (minor_status, + input_chan_bindings, + flags, + &fwd_data, + &cksum); krb5_data_free (&fwd_data); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - ret = GSS_S_FAILURE; + if (ret) goto failure; - } #if 1 enctype = (*context_handle)->auth_context->keyblock->keytype; @@ -400,11 +397,10 @@ init_auth goto failure; } - ret = gssapi_krb5_encapsulate (&outbuf, output_token, "\x01\x00"); - if (ret) { - *minor_status = kret; + ret = gssapi_krb5_encapsulate (minor_status, &outbuf, output_token, + "\x01\x00"); + if (ret) goto failure; - } krb5_data_free (&outbuf); 
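Review bot: In `init_auth`, `outbuf` is freed only after the `if (ret) goto failure;` that follows `gssapi_krb5_encapsulate`, so an encapsulation failure leaks `outbuf`; the same sequence in `gss_accept_sec_context` (hunk -347) frees before testing `ret`. Reorder to `krb5_data_free (&outbuf);` immediately after the call, then `if (ret) goto failure;`. The function continues outside this hunk.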
@@ -452,12 +448,11 @@ repl_mutual krb5_data indata; krb5_ap_rep_enc_part *repl; - ret = gssapi_krb5_decapsulate (input_token, &indata, "\x02\x00"); - if (ret) { + ret = gssapi_krb5_decapsulate (minor_status, input_token, &indata, + "\x02\x00"); + if (ret) /* XXX - Handle AP_ERROR */ - *minor_status = 0; - return GSS_S_FAILURE; - } + return ret; kret = krb5_rd_rep (gssapi_krb5_context, (*context_handle)->auth_context, diff --git a/kerberosV/src/lib/gssapi/unwrap.c b/kerberosV/src/lib/gssapi/unwrap.c index 772964891fe..a0019cba8e0 100644 --- a/kerberosV/src/lib/gssapi/unwrap.c +++ b/kerberosV/src/lib/gssapi/unwrap.c @@ -33,21 +33,21 @@ #include "gssapi_locl.h" -RCSID("$KTH: unwrap.c,v 1.17 2001/05/11 09:16:47 assar Exp $"); +RCSID("$KTH: unwrap.c,v 1.19 2001/08/23 04:35:55 assar Exp $"); OM_uint32 -gss_krb5_getsomekey(const gss_ctx_id_t context_handle, - krb5_keyblock **key) +gss_krb5_get_remotekey(const gss_ctx_id_t context_handle, + krb5_keyblock **key) { - /* XXX this is ugly, and probably incorrect... */ krb5_keyblock *skey; - krb5_auth_con_getlocalsubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); + + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); if(skey == NULL) - krb5_auth_con_getremotesubkey(gssapi_krb5_context, - context_handle->auth_context, - &skey); + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); if(skey == NULL) krb5_auth_con_getkey(gssapi_krb5_context, context_handle->auth_context, @@ -176,7 +176,7 @@ unwrap_des return GSS_S_BAD_MIC; } - krb5_auth_setremoteseqnumber (gssapi_krb5_context, + krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); @@ -222,8 +222,10 @@ unwrap_des3 ret = gssapi_krb5_verify_header (&p, input_message_buffer->length, "\x02\x01"); - if (ret) + if (ret) { + *minor_status = 0; return ret; + } if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ return GSS_S_BAD_SIG; 
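Review bot: `gss_krb5_get_remotekey` ignores the return codes of the three `krb5_auth_con_get*` calls and relies on `skey` being NULL when no key exists, but `skey` is never initialised, so if a call fails without touching its output the `skey == NULL` tests read an indeterminate pointer. Initialise it, `krb5_keyblock *skey = NULL;`, and preferably test each return value. The new `gss_krb5_get_localkey` in wrap.c (hunk -33 there) has the same shape and needs the same change; it also ends with a literal `return 0;` where `GSS_S_COMPLETE` is what the rest of the library returns.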
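Review bot: `unwrap_des3` now sets `*minor_status = 0` when the header check fails, but the adjacent `return GSS_S_BAD_SIG;` after the `memcmp` still leaves `*minor_status` untouched, so callers reading the minor code on that path get a stale value. Add `*minor_status = 0;` before that return; the same gap is in `verify_mic_des` and `verify_mic_des3` (verify_mic.c hunks -58 and -144), whose `GSS_S_BAD_SIG` returns likewise skip the minor status. All three function bodies continue outside their hunks.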
@@ -327,7 +329,7 @@ unwrap_des3 return GSS_S_BAD_MIC; } - krb5_auth_setremoteseqnumber (gssapi_krb5_context, + krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); @@ -386,7 +388,7 @@ OM_uint32 gss_unwrap OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_getsomekey(context_handle, &key); + ret = gss_krb5_get_remotekey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; diff --git a/kerberosV/src/lib/gssapi/verify_mic.c b/kerberosV/src/lib/gssapi/verify_mic.c index 3a20a5ad3b4..df123739c9f 100644 --- a/kerberosV/src/lib/gssapi/verify_mic.c +++ b/kerberosV/src/lib/gssapi/verify_mic.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$KTH: verify_mic.c,v 1.13 2001/05/11 09:16:47 assar Exp $"); +RCSID("$KTH: verify_mic.c,v 1.15 2001/08/23 04:35:55 assar Exp $"); static OM_uint32 verify_mic_des @@ -58,8 +58,10 @@ verify_mic_des ret = gssapi_krb5_verify_header (&p, token_buffer->length, "\x01\x01"); - if (ret) + if (ret) { + *minor_status = 0; return ret; + } if (memcmp(p, "\x00\x00", 2) != 0) return GSS_S_BAD_SIG; @@ -113,7 +115,7 @@ verify_mic_des return GSS_S_BAD_MIC; } - krb5_auth_setremoteseqnumber (gssapi_krb5_context, + krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); @@ -144,8 +146,10 @@ verify_mic_des3 ret = gssapi_krb5_verify_header (&p, token_buffer->length, "\x01\x01"); - if (ret) + if (ret) { + *minor_status = 0; return ret; + } if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */ return GSS_S_BAD_SIG; @@ -226,7 +230,7 @@ verify_mic_des3 return GSS_S_BAD_MIC; } - krb5_auth_setremoteseqnumber (gssapi_krb5_context, + krb5_auth_con_setremoteseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); 
@@ -247,9 +251,7 @@ gss_verify_mic OM_uint32 ret; krb5_keytype keytype; - ret = krb5_auth_con_getremotesubkey (gssapi_krb5_context, - context_handle->auth_context, - &key); + ret = gss_krb5_get_remotekey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; diff --git a/kerberosV/src/lib/gssapi/wrap.c b/kerberosV/src/lib/gssapi/wrap.c index ed17e90b727..dd2ce5d7549 100644 --- a/kerberosV/src/lib/gssapi/wrap.c +++ b/kerberosV/src/lib/gssapi/wrap.c @@ -33,7 +33,30 @@ #include "gssapi_locl.h" -RCSID("$KTH: wrap.c,v 1.18 2001/05/11 09:16:47 assar Exp $"); +RCSID("$KTH: wrap.c,v 1.19 2001/06/18 02:53:52 assar Exp $"); + +OM_uint32 +gss_krb5_get_localkey(const gss_ctx_id_t context_handle, + krb5_keyblock **key) +{ + krb5_keyblock *skey; + + krb5_auth_con_getlocalsubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getremotesubkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + krb5_auth_con_getkey(gssapi_krb5_context, + context_handle->auth_context, + &skey); + if(skey == NULL) + return GSS_S_FAILURE; + *key = skey; + return 0; +} static OM_uint32 sub_wrap_size ( @@ -65,7 +88,7 @@ gss_wrap_size_limit ( OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_getsomekey(context_handle, &key); + ret = gss_krb5_get_localkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; @@ -162,7 +185,7 @@ wrap_des memcpy (p - 8, hash, 8); /* sequence number */ - krb5_auth_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, &seq_number); @@ -179,7 +202,7 @@ wrap_des des_cbc_encrypt ((void *)p, (void *)p, 8, schedule, (des_cblock *)(p + 8), DES_ENCRYPT); - krb5_auth_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); 
@@ -294,7 +317,7 @@ wrap_des3 free_Checksum (&cksum); /* sequence number */ - krb5_auth_getlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_getlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, &seq_number); @@ -338,7 +361,7 @@ wrap_des3 memcpy (p, encdata.data, encdata.length); krb5_data_free (&encdata); - krb5_auth_setlocalseqnumber (gssapi_krb5_context, + krb5_auth_con_setlocalseqnumber (gssapi_krb5_context, context_handle->auth_context, ++seq_number); @@ -389,7 +412,7 @@ OM_uint32 gss_wrap OM_uint32 ret; krb5_keytype keytype; - ret = gss_krb5_getsomekey(context_handle, &key); + ret = gss_krb5_get_localkey(context_handle, &key); if (ret) { gssapi_krb5_set_error_string (); *minor_status = ret; diff --git a/kerberosV/src/lib/hdb/common.c b/kerberosV/src/lib/hdb/common.c index fe9b5e7f076..4c6fcf35619 100644 --- a/kerberosV/src/lib/hdb/common.c +++ b/kerberosV/src/lib/hdb/common.c @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$KTH: common.c,v 1.8 2001/01/30 01:22:17 assar Exp $"); +RCSID("$KTH: common.c,v 1.10 2001/07/13 06:30:41 assar Exp $"); int hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key) @@ -50,6 +50,7 @@ hdb_principal2key(krb5_context context, krb5_principal p, krb5_data *key) len = length_Principal(&new); buf = malloc(len); if(buf == NULL){ + krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; goto out; } @@ -80,8 +81,10 @@ hdb_entry2value(krb5_context context, hdb_entry *ent, krb5_data *value) len = length_hdb_entry(ent); buf = malloc(len); - if(buf == NULL) + if(buf == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } ret = encode_hdb_entry(buf + len - 1, len, ent, &len); if(ret){ free(buf); 
@@ -125,6 +128,19 @@ _hdb_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) krb5_data key, value; int code; + if(entry->generation == NULL) { + struct timeval t; + entry->generation = malloc(sizeof(*entry->generation)); + if(entry->generation == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + gettimeofday(&t, NULL); + entry->generation->time = t.tv_sec; + entry->generation->usec = t.tv_usec; + entry->generation->gen = 0; + } else + entry->generation->gen++; hdb_principal2key(context, entry->principal, &key); code = hdb_seal_keys(context, db, entry); if (code) { diff --git a/kerberosV/src/lib/hdb/db.c b/kerberosV/src/lib/hdb/db.c index 64c741c91fb..da0040af516 100644 --- a/kerberosV/src/lib/hdb/db.c +++ b/kerberosV/src/lib/hdb/db.c @@ -33,9 +33,15 @@ #include "hdb_locl.h" -RCSID("$KTH: db.c,v 1.28 2001/01/30 01:24:00 assar Exp $"); +RCSID("$KTH: db.c,v 1.30 2001/08/09 08:41:48 assar Exp $"); -#if defined(HAVE_DB_H) && DB_VERSION_MAJOR < 3 +#if HAVE_DB1 + +#if defined(HAVE_DB_185_H) +#include <db_185.h> +#elif defined(HAVE_DB_H) +#include <db.h> +#endif static krb5_error_code DB_close(krb5_context context, HDB *db) @@ -110,6 +116,7 @@ DB_seq(krb5_context context, HDB *db, if (code == 0 && entry->principal == NULL) { entry->principal = malloc(sizeof(*entry->principal)); if (entry->principal == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); code = ENOMEM; hdb_free_entry (context, entry); } else { 
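Review bot: In _hdb_store (common.c) the generation counter is advanced (`entry->generation->gen++`) before hdb_seal_keys and the actual put are attempted, so a store that fails afterwards leaves the in-memory entry carrying a generation that was never written; incrementing only after the put succeeds, or undoing it on the error path, keeps the two in step. `gettimeofday(&t, NULL)` is unchecked, and the unchecked `hdb_principal2key(...)` on the next line is pre-existing but now sits beside new error handling that does check. _hdb_store continues outside the hunk.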
@@ -226,21 +233,29 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode) krb5_error_code ret; asprintf(&fn, "%s.db", db->name); - if (fn == NULL) + if (fn == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } db->db = dbopen(fn, flags, mode, DB_BTREE, NULL); free(fn); /* try to open without .db extension */ if(db->db == NULL && errno == ENOENT) db->db = dbopen(db->name, flags, mode, DB_BTREE, NULL); - if(db->db == NULL) - return errno; + if(db->db == NULL) { + ret = errno; + krb5_set_error_string(context, "dbopen (%s): %s", + db->name, strerror(ret)); + return ret; + } if((flags & O_ACCMODE) == O_RDONLY) ret = hdb_check_db_format(context, db); else ret = hdb_init_db(context, db); - if(ret == HDB_ERR_NOENTRY) + if(ret == HDB_ERR_NOENTRY) { + krb5_clear_error_string(context); return 0; + } return ret; } @@ -249,11 +264,19 @@ hdb_db_create(krb5_context context, HDB **db, const char *filename) { *db = malloc(sizeof(**db)); - if (*db == NULL) + if (*db == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } (*db)->db = NULL; (*db)->name = strdup(filename); + if ((*db)->name == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free(*db); + *db = NULL; + return ENOMEM; + } (*db)->master_key_set = 0; (*db)->openp = 0; (*db)->open = DB_open; @@ -273,4 +296,4 @@ hdb_db_create(krb5_context context, HDB **db, return 0; } -#endif +#endif /* HAVE_DB1 */ diff --git a/kerberosV/src/lib/hdb/db3.c b/kerberosV/src/lib/hdb/db3.c index 89aba9bd2ae..ee88026a618 100644 --- a/kerberosV/src/lib/hdb/db3.c +++ b/kerberosV/src/lib/hdb/db3.c @@ -33,9 +33,12 @@ #include "hdb_locl.h" -RCSID("$KTH: db3.c,v 1.6 2001/01/30 01:24:00 assar Exp $"); +RCSID("$KTH: db3.c,v 1.8 2001/08/09 08:41:48 assar Exp $"); + +#if HAVE_DB3 + +#include <db.h> -#if defined(HAVE_DB_H) && DB_VERSION_MAJOR == 3 static krb5_error_code DB_close(krb5_context context, HDB *db) { 
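Review bot: In DB_open (db.c) the new `ret = errno;` reads errno after `free(fn)` has run between the first dbopen and the failure check, and free() may clobber errno on some libcs, so when the first open fails with anything other than ENOENT the `dbopen (%s): %s` message can name the wrong reason (the existing ENOENT test has the same exposure). Save it right after the call, `db->db = dbopen(fn, flags, mode, DB_BTREE, NULL); saved_errno = errno; free(fn);`, and use `saved_errno` for both the ENOENT retry and the message, refreshing it after the second dbopen. The hdb_db_create change in the same hunk correctly frees and NULLs `*db` on strdup failure.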
@@ -115,8 +118,9 @@ DB_seq(krb5_context context, HDB *db, if (entry->principal == NULL) { entry->principal = malloc(sizeof(*entry->principal)); if (entry->principal == NULL) { - code = ENOMEM; hdb_free_entry (context, entry); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; } else { hdb_key2principal(context, &key_data, entry->principal); } @@ -252,8 +256,10 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode) myflags |= DB_TRUNCATE; asprintf(&fn, "%s.db", db->name); - if (fn == NULL) + if (fn == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } db_create(&d, NULL, 0); db->db = d; if ((ret = d->open(db->db, fn, NULL, DB_BTREE, myflags, mode))) { @@ -261,14 +267,18 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode) /* try to open without .db extension */ if (d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)) { free(fn); + krb5_set_error_string(context, "opening %s: %s", + db->name, strerror(ret)); return ret; } } free(fn); ret = d->cursor(d, NULL, (DBC **)&db->dbc, 0); - if (ret) + if (ret) { + krb5_set_error_string(context, "d->cursor: %s", strerror(ret)); return ret; + } if((flags & O_ACCMODE) == O_RDONLY) ret = hdb_check_db_format(context, db); @@ -284,11 +294,19 @@ hdb_db_create(krb5_context context, HDB **db, const char *filename) { *db = malloc(sizeof(**db)); - if (*db == NULL) + if (*db == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } (*db)->db = NULL; (*db)->name = strdup(filename); + if ((*db)->name == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free(*db); + *db = NULL; + return ENOMEM; + } (*db)->master_key_set = 0; (*db)->openp = 0; (*db)->open = DB_open; @@ -307,4 +325,4 @@ hdb_db_create(krb5_context context, HDB **db, (*db)->destroy = DB_destroy; return 0; } -#endif +#endif /* HAVE_DB3 */ 
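Review bot: In db3.c DB_open the fallback open without the `.db` suffix discards its own status (`if (d->open(db->db, db->name, ...))`), so the new `krb5_set_error_string(context, "opening %s: %s", db->name, strerror(ret))` reports the first attempt's error against the second attempt's name; capture it with `if ((ret = d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)))`. On both that path and the new `d->cursor` failure path the handle from db_create stays in `db->db` without `d->close`, and db_create's own return is unchecked — pre-existing, but the new error reporting is the natural place to fix it. In DB_seq the ENOMEM case now returns immediately instead of falling through; if cleanup code followed the if/else in the original (not visible here), it is now skipped on that path.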
diff --git a/kerberosV/src/lib/hdb/hdb-protos.h b/kerberosV/src/lib/hdb/hdb-protos.h index dbb00a50212..93f4d79d8cb 100644 --- a/kerberosV/src/lib/hdb/hdb-protos.h +++ b/kerberosV/src/lib/hdb/hdb-protos.h @@ -96,7 +96,7 @@ krb5_error_code hdb_ldap_create __P(( krb5_context context, HDB ** db, - const char *filename)); + const char *arg)); krb5_error_code hdb_lock __P(( diff --git a/kerberosV/src/lib/hdb/hdb.asn1 b/kerberosV/src/lib/hdb/hdb.asn1 index fcaa23d3c5b..f91760b4791 100644 --- a/kerberosV/src/lib/hdb/hdb.asn1 +++ b/kerberosV/src/lib/hdb/hdb.asn1 @@ -1,4 +1,4 @@ --- $KTH: hdb.asn1,v 1.8 2000/06/19 15:22:22 joda Exp $ +-- $KTH: hdb.asn1,v 1.9 2001/06/21 14:54:53 joda Exp $ HDB DEFINITIONS ::= BEGIN @@ -7,7 +7,7 @@ IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5; HDB_DB_FORMAT INTEGER ::= 2 -- format of database, -- update when making changes --- these should have the same value as the pa-* counterparts +-- these must have the same value as the pa-* counterparts hdb-pw-salt INTEGER ::= 3 hdb-afs3-salt INTEGER ::= 10 @@ -44,6 +44,12 @@ HDBFlags ::= BIT STRING { immutable(13) -- may not be deleted } +GENERATION ::= SEQUENCE { + time[0] KerberosTime, -- timestamp + usec[1] INTEGER, -- microseconds + gen[2] INTEGER -- generation number +} + hdb_entry ::= SEQUENCE { principal[0] Principal OPTIONAL, -- this is optional only -- for compatibility with libkrb5 @@ -57,7 +63,8 @@ hdb_entry ::= SEQUENCE { max-life[8] INTEGER OPTIONAL, max-renew[9] INTEGER OPTIONAL, flags[10] HDBFlags, - etypes[11] SEQUENCE OF INTEGER OPTIONAL + etypes[11] SEQUENCE OF INTEGER OPTIONAL, + generation[12] GENERATION OPTIONAL } END diff --git a/kerberosV/src/lib/hdb/hdb.c b/kerberosV/src/lib/hdb/hdb.c index 43371332af5..c208758513b 100644 --- a/kerberosV/src/lib/hdb/hdb.c +++ b/kerberosV/src/lib/hdb/hdb.c 
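Review bot: hdb.asn1 appends the new optional `generation[12]` element to hdb_entry but leaves `HDB_DB_FORMAT INTEGER ::= 2` unchanged, although the comment beside it says to update it when making changes; a KDC or kadmind built from the previous schema will presumably not decode entries that carry the new tag — confirm. Either bump the format so hdb_check_db_format can refuse or upgrade the file, or record the decision next to the field with `-- trailing OPTIONAL, added without a format bump; older decoders may reject entries that carry it`.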
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "hdb_locl.h" -RCSID("$KTH: hdb.c,v 1.42 2000/11/15 23:12:15 assar Exp $"); +RCSID("$KTH: hdb.c,v 1.44 2001/08/09 08:41:48 assar Exp $"); struct hdb_method { const char *prefix; @@ -41,18 +41,18 @@ struct hdb_method { }; static struct hdb_method methods[] = { -#ifdef HAVE_DB_H +#if HAVE_DB1 || HAVE_DB3 {"db:", hdb_db_create}, #endif -#if defined(HAVE_NDBM_H) || defined(HAVE_GDBM_NDBM_H) +#if HAVE_NDBM {"ndbm:", hdb_ndbm_create}, #endif #ifdef OPENLDAP {"ldap:", hdb_ldap_create}, #endif -#ifdef HAVE_DB_H +#if HAVE_DB1 || HAVE_DB3 {"", hdb_db_create}, -#elif defined(HAVE_NDBM_H) +#elif defined(HAVE_NDBM) {"", hdb_ndbm_create}, #elif defined(OPENLDAP) {"", hdb_ldap_create}, @@ -232,7 +232,7 @@ hdb_create(krb5_context context, HDB **db, const char *filename) if(filename == NULL) filename = HDB_DEFAULT_DB; - initialize_hdb_error_table_r(&context->et_list); + krb5_add_et_list(context, initialize_hdb_error_table_r); h = find_method (filename, &residual); if (h == NULL) krb5_errx(context, 1, "No database support! (hdb_create)"); diff --git a/kerberosV/src/lib/hdb/keytab.c b/kerberosV/src/lib/hdb/keytab.c index 5fc6bb95976..8cb4b1f6d49 100644 --- a/kerberosV/src/lib/hdb/keytab.c +++ b/kerberosV/src/lib/hdb/keytab.c @@ -35,7 +35,7 @@ /* keytab backend for HDB databases */ -RCSID("$KTH: keytab.c,v 1.3 2000/08/27 04:31:42 assar Exp $"); +RCSID("$KTH: keytab.c,v 1.4 2001/07/13 06:30:41 assar Exp $"); struct hdb_data { char *dbname; 
@@ -54,8 +54,10 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id) const char *db, *mkey; d = malloc(sizeof(*d)); - if(d == NULL) + if(d == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } db = name; mkey = strchr(name, ':'); if(mkey == NULL || mkey[1] == '\0') { @@ -65,6 +67,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id) d->dbname = strdup(name); if(d->dbname == NULL) { free(d); + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } } @@ -76,6 +79,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id) d->dbname = malloc(mkey - db); if(d->dbname == NULL) { free(d); + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } memmove(d->dbname, db, mkey - db); @@ -85,6 +89,7 @@ hdb_resolve(krb5_context context, const char *name, krb5_keytab id) if(d->mkey == NULL) { free(d->dbname); free(d); + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } } diff --git a/kerberosV/src/lib/hdb/libasn1.h b/kerberosV/src/lib/hdb/libasn1.h index a5761736880..e425f5adebb 100644 --- a/kerberosV/src/lib/hdb/libasn1.h +++ b/kerberosV/src/lib/hdb/libasn1.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: libasn1.h,v 1.5 2001/04/18 16:21:33 joda Exp $ */ +/* $KTH: libasn1.h,v 1.7 2001/06/23 23:18:50 assar Exp $ */ #ifndef __LIBASN1_H__ #define __LIBASN1_H__ @@ -41,6 +41,7 @@ #endif #include <stdlib.h> +#include <string.h> #include <errno.h> #include <krb5_asn1.h> #include <der.h> diff --git a/kerberosV/src/lib/hdb/ndbm.c b/kerberosV/src/lib/hdb/ndbm.c index 97f1a43394f..8a6cd65490f 100644 --- a/kerberosV/src/lib/hdb/ndbm.c +++ b/kerberosV/src/lib/hdb/ndbm.c 
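Review bot: In hdb_resolve (keytab.c) the database-name buffer is allocated with `malloc(mkey - db)` and then filled with `memmove(d->dbname, db, mkey - db)`, so it has no room for a terminator: either the string is left unterminated, or the terminator written after the hunk lands one byte past the allocation — I cannot see which from here. Size it `malloc(mkey - db + 1)` and terminate explicitly, `d->dbname[mkey - db] = '\0';`. These lines are context rather than new code, but the commit is already touching the error path around them.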
@@ -33,9 +33,17 @@ #include "hdb_locl.h" -RCSID("$KTH: ndbm.c,v 1.30 2001/01/30 01:24:00 assar Exp $"); +RCSID("$KTH: ndbm.c,v 1.33 2001/09/03 05:03:01 assar Exp $"); -#if defined(HAVE_NDBM_H) || defined(HAVE_GDBM_NDBM_H) +#if HAVE_NDBM + +#if defined(HAVE_GDBM_NDBM_H) +#include <gdbm/ndbm.h> +#elif defined(HAVE_NDBM_H) +#include <ndbm.h> +#elif defined(HAVE_DBM_H) +#include <dbm.h> +#endif struct ndbm_db { DBM *db; @@ -103,6 +111,7 @@ NDBM_seq(krb5_context context, HDB *db, if (entry->principal == NULL) { ret = ENOMEM; hdb_free_entry (context, entry); + krb5_set_error_string(context, "malloc: out of memory"); } else { hdb_key2principal (context, &key_data, entry->principal); } @@ -137,15 +146,24 @@ NDBM_rename(krb5_context context, HDB *db, const char *new_name) /* lock old and new databases */ ret = db->lock(context, db, HDB_WLOCK); - if(ret) return ret; + if(ret) + return ret; asprintf(&new_lock, "%s.lock", new_name); + if(new_lock == NULL) { + db->unlock(context, db); + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } lock_fd = open(new_lock, O_RDWR | O_CREAT, 0600); - free(new_lock); if(lock_fd < 0) { ret = errno; db->unlock(context, db); + krb5_set_error_string(context, "open(%s): %s", new_lock, + strerror(ret)); + free(new_lock); return ret; } + free(new_lock); ret = hdb_lock(lock_fd, HDB_WLOCK); if(ret) { db->unlock(context, db); @@ -167,8 +185,10 @@ NDBM_rename(krb5_context context, HDB *db, const char *new_name) db->unlock(context, db); if(ret) { + ret = errno; close(lock_fd); - return errno; + krb5_set_error_string(context, "rename: %s", strerror(ret)); + return ret; } close(d->lock_fd); 
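Review bot: In NDBM_rename (ndbm.c) the new `ret = errno;` runs after `db->unlock(context, db)`, which presumably releases the lock file through a system call and can overwrite errno, so the `rename: %s` message and the returned code may describe the unlock rather than the failed rename; save errno immediately after the rename call, which sits just before this hunk, and only then unlock. The earlier hunk's open() failure path does capture errno before unlocking, so the two paths are inconsistent. NDBM_rename starts in the preceding hunk.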
@@ -251,26 +271,36 @@ NDBM_open(krb5_context context, HDB *db, int flags, mode_t mode) struct ndbm_db *d = malloc(sizeof(*d)); char *lock_file; - if(d == NULL) + if(d == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } asprintf(&lock_file, "%s.lock", (char*)db->name); if(lock_file == NULL) { free(d); + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; } d->db = dbm_open((char*)db->name, flags, mode); if(d->db == NULL){ + ret = errno; free(d); free(lock_file); - return errno; + krb5_set_error_string(context, "dbm_open(%s): %s", db->name, + strerror(ret)); + return ret; } d->lock_fd = open(lock_file, O_RDWR | O_CREAT, 0600); - free(lock_file); if(d->lock_fd < 0){ + ret = errno; dbm_close(d->db); free(d); - return errno; + krb5_set_error_string(context, "open(%s): %s", lock_file, + strerror(ret)); + free(lock_file); + return ret; } + free(lock_file); db->db = d; if((flags & O_ACCMODE) == O_RDONLY) ret = hdb_check_db_format(context, db); @@ -296,11 +326,19 @@ hdb_ndbm_create(krb5_context context, HDB **db, const char *filename) { *db = malloc(sizeof(**db)); - if (*db == NULL) + if (*db == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; + } (*db)->db = NULL; (*db)->name = strdup(filename); + if ((*db)->name == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + free(*db); + *db = NULL; + return ENOMEM; + } (*db)->master_key_set = 0; (*db)->openp = 0; (*db)->open = NDBM_open; @@ -320,4 +358,4 @@ hdb_ndbm_create(krb5_context context, HDB **db, return 0; } -#endif +#endif /* HAVE_NDBM */ diff --git a/kerberosV/src/lib/hdb/print.c b/kerberosV/src/lib/hdb/print.c index 521499becae..f0f46b788a6 100644 --- a/kerberosV/src/lib/hdb/print.c +++ b/kerberosV/src/lib/hdb/print.c 
@@ -33,7 +33,7 @@ #include "hdb_locl.h" #include <ctype.h> -RCSID("$KTH: print.c,v 1.5 2001/01/26 15:08:36 joda Exp $"); +RCSID("$KTH: print.c,v 1.7 2001/07/13 06:30:42 assar Exp $"); /* This is the present contents of a dump line. This might change at @@ -55,37 +55,45 @@ RCSID("$KTH: print.c,v 1.5 2001/01/26 15:08:36 joda Exp $"); max ticket life max renewable life flags + generation number */ -static void -append_hex(char *str, krb5_data *data) +static krb5_error_code +append_string(krb5_context context, krb5_storage *sp, const char *fmt, ...) +{ + krb5_error_code ret; + char *s; + va_list ap; + va_start(ap, fmt); + vasprintf(&s, fmt, ap); + va_end(ap); + if(s == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + ret = sp->store(sp, s, strlen(s)); + free(s); + return ret; +} + +static krb5_error_code +append_hex(krb5_context context, krb5_storage *sp, krb5_data *data) { - int i, s = 1; + int i, printable = 1; char *p; p = data->data; for(i = 0; i < data->length; i++) if(!isalnum((unsigned char)p[i]) && p[i] != '.'){ - s = 0; + printable = 0; break; } - if(s){ - p = calloc(1, data->length + 2 + 1); - p[0] = '\"'; - p[data->length + 1] = '\"'; - memcpy(p + 1, data->data, data->length); - }else{ - const char *xchars = "0123456789abcdef"; - char *q = p = malloc(data->length * 2 + 1); - for(i = 0; i < data->length; i++) { - unsigned char c = ((u_char*)data->data)[i]; - *q++ = xchars[(c & 0xf0) >> 4]; - *q++ = xchars[(c & 0xf)]; - } - *q = '\0'; - } - strcat(str, p); - free(p); + if(printable) + return append_string(context, sp, "\"%.*s\"", + data->length, data->data); + for(i = 0; i < data->length; i++) + append_string(context, sp, "%02x", ((unsigned char*)data->data)[i]); + return 0; } static char * 
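Review bot: append_string in print.c ignores vasprintf's return value and tests `s == NULL` instead, but on glibc `s` is undefined when vasprintf fails, so the NULL check is not a reliable failure test; use `if (vasprintf(&s, fmt, ap) < 0) { krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM; }`. The value of `sp->store` is then returned directly; if `store` reports a byte count rather than an error code (confirm against the krb5_storage contract), every successful append is returned as non-zero, which goes unnoticed only because the callers drop the result. append_hex likewise discards each append_string result in its hex loop and ends with `return 0`, so an allocation failure in the middle of a key value silently truncates the dumped key material while reporting success; propagate the first failing append instead.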
@@ -97,38 +105,27 @@ time2str(time_t t) } static krb5_error_code -event2string(krb5_context context, Event *ev, char **str) +append_event(krb5_context context, krb5_storage *sp, Event *ev) { - char *p; - char *pr; + char *pr = NULL; krb5_error_code ret; - if(ev == NULL){ - *str = strdup("-"); - return (*str == NULL) ? ENOMEM : 0; - } - if (ev->principal == NULL) { - pr = strdup("UNKNOWN"); - if (pr == NULL) - return ENOMEM; - } else { + if(ev == NULL) + return append_string(context, sp, "- "); + if (ev->principal != NULL) { ret = krb5_unparse_name(context, ev->principal, &pr); if(ret) return ret; } - ret = asprintf(&p, "%s:%s", time2str(ev->time), pr); + ret = append_string(context, sp, "%s:%s ", + time2str(ev->time), pr ? pr : "UNKNOWN"); free(pr); - if(ret < 0) - return ENOMEM; - *str = p; - return 0; + return ret; } -krb5_error_code -hdb_entry2string(krb5_context context, hdb_entry *ent, char **str) +static krb5_error_code +entry2string_int (krb5_context context, krb5_storage *sp, hdb_entry *ent) { char *p; - char buf[1024] = ""; - char tmp[32]; int i; krb5_error_code ret; 
@@ -136,90 +133,103 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str) ret = krb5_unparse_name(context, ent->principal, &p); if(ret) return ret; - strlcat(buf, p, sizeof(buf)); - strlcat(buf, " ", sizeof(buf)); + append_string(context, sp, "%s ", p); free(p); /* --- kvno */ - snprintf(tmp, sizeof(tmp), "%d", ent->kvno); - strlcat(buf, tmp, sizeof(buf)); + append_string(context, sp, "%d", ent->kvno); /* --- keys */ for(i = 0; i < ent->keys.len; i++){ /* --- mkvno, keytype */ if(ent->keys.val[i].mkvno) - snprintf(tmp, sizeof(tmp), ":%d:%d:", - *ent->keys.val[i].mkvno, - ent->keys.val[i].key.keytype); + append_string(context, sp, ":%d:%d:", + *ent->keys.val[i].mkvno, + ent->keys.val[i].key.keytype); else - snprintf(tmp, sizeof(tmp), "::%d:", - ent->keys.val[i].key.keytype); - strlcat(buf, tmp, sizeof(buf)); + append_string(context, sp, "::%d:", + ent->keys.val[i].key.keytype); /* --- keydata */ - append_hex(buf, &ent->keys.val[i].key.keyvalue); - strlcat(buf, ":", sizeof(buf)); + append_hex(context, sp, &ent->keys.val[i].key.keyvalue); + append_string(context, sp, ":"); /* --- salt */ if(ent->keys.val[i].salt){ - snprintf(tmp, sizeof(tmp), "%u/", ent->keys.val[i].salt->type); - strlcat(buf, tmp, sizeof(buf)); - append_hex(buf, &ent->keys.val[i].salt->salt); + append_string(context, sp, "%u/", ent->keys.val[i].salt->type); + append_hex(context, sp, &ent->keys.val[i].salt->salt); }else - strlcat(buf, "-", sizeof(buf)); + append_string(context, sp, "-"); } - strlcat(buf, " ", sizeof(buf)); + append_string(context, sp, " "); /* --- created by */ - event2string(context, &ent->created_by, &p); - strlcat(buf, p, sizeof(buf)); - strlcat(buf, " ", sizeof(buf)); - free(p); + append_event(context, sp, &ent->created_by); /* --- modified by */ - event2string(context, ent->modified_by, &p); - strlcat(buf, p, sizeof(buf)); - strlcat(buf, " ", sizeof(buf)); - free(p); + append_event(context, sp, ent->modified_by); /* --- valid start */ if(ent->valid_start) - 
strlcat(buf, time2str(*ent->valid_start), sizeof(buf)); + append_string(context, sp, "%s ", time2str(*ent->valid_start)); else - strlcat(buf, "-", sizeof(buf)); - strlcat(buf, " ", sizeof(buf)); + append_string(context, sp, "- "); /* --- valid end */ if(ent->valid_end) - strlcat(buf, time2str(*ent->valid_end), sizeof(buf)); + append_string(context, sp, "%s ", time2str(*ent->valid_end)); else - strlcat(buf, "-", sizeof(buf)); - strlcat(buf, " ", sizeof(buf)); + append_string(context, sp, "- "); /* --- password ends */ if(ent->pw_end) - strlcat(buf, time2str(*ent->pw_end), sizeof(buf)); + append_string(context, sp, "%s ", time2str(*ent->pw_end)); else - strlcat(buf, "-", sizeof(buf)); - strlcat(buf, " ", sizeof(buf)); + append_string(context, sp, "- "); /* --- max life */ - if(ent->max_life){ - snprintf(tmp, sizeof(tmp), "%d", *ent->max_life); - strlcat(buf, tmp, sizeof(buf)); - }else - strlcat(buf, "-", sizeof(buf)); - strlcat(buf, " ", sizeof(buf)); + if(ent->max_life) + append_string(context, sp, "%d ", *ent->max_life); + else + append_string(context, sp, "- "); /* --- max renewable life */ - if(ent->max_renew){ - snprintf(tmp, sizeof(tmp), "%d", *ent->max_renew); - strlcat(buf, tmp, sizeof(buf)); - }else - strlcat(buf, "-", sizeof(buf)); + if(ent->max_renew) + append_string(context, sp, "%d ", *ent->max_renew); + else + append_string(context, sp, "- "); - strlcat(buf, " ", sizeof(buf)); - /* --- flags */ - snprintf(tmp, sizeof(tmp), "%d", HDBFlags2int(ent->flags)); - strlcat(buf, tmp, sizeof(buf)); + append_string(context, sp, "%d ", HDBFlags2int(ent->flags)); + + /* --- generation number */ + if(ent->generation) { + append_string(context, sp, "%s:%d:%d", time2str(ent->generation->time), + ent->generation->usec, + ent->generation->gen); + } else + append_string(context, sp, "-"); - *str = strdup(buf); + return 0; +} + +krb5_error_code +hdb_entry2string (krb5_context context, hdb_entry *ent, char **str) +{ + krb5_error_code ret; + krb5_data data; + krb5_storage 
*sp; + + sp = krb5_storage_emem(); + if(sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + ret = entry2string_int(context, sp, ent); + if(ret) { + krb5_storage_free(sp); + return ret; + } + + sp->store(sp, "\0", 1); + krb5_storage_to_data(sp, &data); + krb5_storage_free(sp); + *str = data.data; return 0; } @@ -228,9 +238,25 @@ hdb_entry2string(krb5_context context, hdb_entry *ent, char **str) krb5_error_code hdb_print_entry(krb5_context context, HDB *db, hdb_entry *entry, void *data) { - char *p; - hdb_entry2string(context, entry, &p); - fprintf((FILE*)data, "%s\n", p); - free(p); + krb5_error_code ret; + krb5_storage *sp; + + FILE *f = data; + + fflush(f); + sp = krb5_storage_from_fd(fileno(f)); + if(sp == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + return ENOMEM; + } + + ret = entry2string_int(context, sp, entry); + if(ret) { + krb5_storage_free(sp); + return ret; + } + + sp->store(sp, "\n", 1); + krb5_storage_free(sp); return 0; } diff --git a/kerberosV/src/lib/kadm5/ChangeLog b/kerberosV/src/lib/kadm5/ChangeLog index 605a97026ea..49e95b7a343 100644 --- a/kerberosV/src/lib/kadm5/ChangeLog +++ b/kerberosV/src/lib/kadm5/ChangeLog 
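Review bot: In hdb_entry2string (print.c) `krb5_storage_to_data(sp, &data)` is called without checking its result and `*str = data.data` is returned regardless, so an allocation failure there hands the caller an indeterminate pointer; write `ret = krb5_storage_to_data(sp, &data); krb5_storage_free(sp); if (ret) return ret;`. In the same hunk entry2string_int discards every append_string, append_hex and append_event result and ends with `return 0`, so the `if(ret)` guards in hdb_entry2string and hdb_print_entry can never fire and a truncated dump line is reported as success. The trailing `sp->store(sp, "\0", 1)` and `sp->store(sp, "\n", 1)` results are dropped as well.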
@@ -1,3 +1,40 @@ +2001-08-31 Assar Westerlund <assar@sics.se> + + * ipropd_slave.c (main): syslog with the correct name + +2001-08-30 Jacques Vidrine <n@nectar.com> + + * ipropd_slave.c, ipropd_master.c (main): call pidfile + +2001-08-28 Assar Westerlund <assar@sics.se> + + * Makefile.am (libkadm5srv_la_LDFLAGS): set version to 7:4:0 + +2001-08-24 Assar Westerlund <assar@sics.se> + + * acl.c (fetch_acl): do not return bogus flags and re-organize + function + + * Makefile.am: rename variable name to avoid error from current + automake + +2001-08-13 Johan Danielsson <joda@pdc.kth.se> + + * set_keys.c: add easier afs configuration, defaulting to the + local realm in lower case; also try to remove duplicate salts + +2001-07-12 Assar Westerlund <assar@sics.se> + + * Makefile.am: add required library dependencies + +2001-07-03 Assar Westerlund <assar@sics.se> + + * Makefile.am (libkadm5clnt_la_LDFLAGS): set version to 6:2:2 + +2001-06-29 Johan Danielsson <joda@pdc.kth.se> + + * init_c.c: call krb5_get_init_creds_opt_set_default_flags + 2001-02-19 Johan Danielsson <joda@pdc.kth.se> * replay_log.c: add --{start-end}-version flags to replay just @@ -523,4 +560,4 @@ * kadm5_locl.h: move stuff to private.h * private.h: move stuff from kadm5_locl.h -
\ No newline at end of file + diff --git a/kerberosV/src/lib/kadm5/acl.c b/kerberosV/src/lib/kadm5/acl.c index 08217410c00..c2761909996 100644 --- a/kerberosV/src/lib/kadm5/acl.c +++ b/kerberosV/src/lib/kadm5/acl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kadm5_locl.h" -RCSID("$KTH: acl.c,v 1.12 2000/08/10 19:24:08 assar Exp $"); +RCSID("$KTH: acl.c,v 1.13 2001/08/24 04:01:42 assar Exp $"); static struct units acl_units[] = { { "all", KADM5_PRIV_ALL }, 
@@ -79,63 +79,64 @@ fetch_acl (kadm5_server_context *context, krb5_const_principal princ, unsigned *ret_flags) { - unsigned flags = -1; - FILE *f = fopen(context->config.acl_file, "r"); + FILE *f; krb5_error_code ret = 0; + char buf[256]; - if(f != NULL) { - char buf[256]; - - while(fgets(buf, sizeof(buf), f) != NULL){ - char *foo = NULL, *p; - krb5_principal this_princ; - - flags = -1; - p = strtok_r(buf, " \t\n", &foo); - if(p == NULL) - continue; - ret = krb5_parse_name(context->context, p, &this_princ); - if(ret) - continue; - if(!krb5_principal_compare(context->context, - context->caller, this_princ)) { - krb5_free_principal(context->context, this_princ); - continue; - } + *ret_flags = 0; + + /* no acl file -> no rights */ + f = fopen(context->config.acl_file, "r"); + if (f == NULL) + return 0; + + while(fgets(buf, sizeof(buf), f) != NULL) { + char *foo = NULL, *p; + krb5_principal this_princ; + unsigned flags = 0; + + p = strtok_r(buf, " \t\n", &foo); + if(p == NULL) + continue; + if (*p == '#') /* comment */ + continue; + ret = krb5_parse_name(context->context, p, &this_princ); + if(ret) + break; + if(!krb5_principal_compare(context->context, + context->caller, this_princ)) { krb5_free_principal(context->context, this_princ); - p = strtok_r(NULL, " \t\n", &foo); - if(p == NULL) - continue; - ret = _kadm5_string_to_privs(p, &flags); + continue; + } + krb5_free_principal(context->context, this_princ); + p = strtok_r(NULL, " \t\n", &foo); + if(p == NULL) + continue; + ret = _kadm5_string_to_privs(p, &flags); + if (ret) + break; + p = strtok_r(NULL, "\n", &foo); + if (p == NULL) { + *ret_flags = flags; + break; + } + if (princ != NULL) { + krb5_principal pattern_princ; + krb5_boolean match; + + ret = krb5_parse_name (context->context, p, &pattern_princ); if (ret) break; - p = strtok_r(NULL, "\n", &foo); - if (p == NULL) { - ret = 0; + match = krb5_principal_match (context->context, + princ, pattern_princ); + krb5_free_principal (context->context, pattern_princ); 
+ if (match) { + *ret_flags = flags; break; } - if (princ != NULL) { - krb5_principal pattern_princ; - krb5_boolean tmp; - - ret = krb5_parse_name (context->context, p, &pattern_princ); - if (ret) - break; - tmp = krb5_principal_match (context->context, - princ, pattern_princ); - krb5_free_principal (context->context, pattern_princ); - if (tmp) { - ret = 0; - break; - } - } } - fclose(f); } - if(flags == -1) - flags = 0; - if (ret == 0) - *ret_flags = flags; + fclose(f); return ret; } diff --git a/kerberosV/src/lib/kadm5/context_s.c b/kerberosV/src/lib/kadm5/context_s.c index af6df36d21d..499bb845788 100644 --- a/kerberosV/src/lib/kadm5/context_s.c +++ b/kerberosV/src/lib/kadm5/context_s.c @@ -33,7 +33,7 @@ #include "kadm5_locl.h" -RCSID("$KTH: context_s.c,v 1.15 2000/05/12 15:22:33 assar Exp $"); +RCSID("$KTH: context_s.c,v 1.16 2001/08/13 14:42:13 joda Exp $"); static void set_funcs(kadm5_server_context *c) @@ -116,7 +116,6 @@ set_config(kadm5_server_context *ctx, if(ctx->config.acl_file == NULL) set_field(ctx->context, binding, ctx->config.dbname, "acl_file", "acl", &ctx->config.acl_file); - /* XXX calling a file a `stash file' isn't very clever */ if(ctx->config.stash_file == NULL) set_field(ctx->context, binding, ctx->config.dbname, "mkey_file", "mkey", &ctx->config.stash_file); diff --git a/kerberosV/src/lib/kadm5/set_keys.c b/kerberosV/src/lib/kadm5/set_keys.c index 4609e9102bd..077d2cf0b06 100644 --- a/kerberosV/src/lib/kadm5/set_keys.c +++ b/kerberosV/src/lib/kadm5/set_keys.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kadm5_locl.h" -RCSID("$KTH: set_keys.c,v 1.23 2000/11/15 23:13:30 assar Exp $"); +RCSID("$KTH: set_keys.c,v 1.25 2001/08/13 15:12:16 joda Exp $"); /* * the known and used DES enctypes 
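Review bot: fetch_acl in acl.c has no comment describing the line format it parses or its new failure policy, and the new `if(ret) break;` after krb5_parse_name means one unparsable line anywhere in the file makes every caller's request fail with that parse error (`*ret_flags` stays 0, so this is fail-closed, but it should be deliberate and written down). Suggested header comment: `/* Read acl_file: one entry per line, "principal privileges [target-pattern]", '#' starts a comment. Yields the flags of the first line naming context->caller (and matching princ when a pattern is given); a missing file grants nothing, a malformed line aborts with an error. */`. Note also that the pattern is fetched with `strtok_r(NULL, "\n", &foo)`, so extra blanks between the privilege list and the pattern become part of the string given to krb5_parse_name — pre-existing, but easy to trip over.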
@@ -72,10 +72,11 @@ make_keys(krb5_context context, krb5_principal principal, const char *password, /* for each entry in `default_keys' try to parse it as a sequence of etype:salttype:salt, syntax of this if something like: [(des|des3|etype):](pw|afs3)[:string], if etype is omitted it - means everything, and if string is omitted is means the default + means all etypes, and if string is omitted is means the default string (for that principal). Additional special values: v5 == pw-salt, and - v4 == pw-salt: + v4 == des:pw-salt: + afs or afs3 == des:afs3-salt */ if (ktypes == NULL @@ -98,6 +99,8 @@ make_keys(krb5_context context, krb5_principal principal, const char *password, p = "pw-salt"; else if(strcmp(p, "v4") == 0) p = "des:pw-salt:"; + else if(strcmp(p, "afs") == 0 || strcmp(p, "afs3") == 0) + p = "des:afs3-salt"; /* split p in a list of :-separated strings */ for(num_buf = 0; num_buf < 3; num_buf++) 
@@ -165,11 +168,40 @@ make_keys(krb5_context context, krb5_principal principal, const char *password, continue; } - if(!salt_set && salt.salttype == KRB5_PW_SALT) + if(!salt_set) { /* make up default salt */ - ret = krb5_get_pw_salt(context, principal, &salt); + if(salt.salttype == KRB5_PW_SALT) + ret = krb5_get_pw_salt(context, principal, &salt); + else if(salt.salttype == KRB5_AFS3_SALT) { + krb5_realm *realm = krb5_princ_realm(context, principal); + salt.saltvalue.data = strdup(*realm); + if(salt.saltvalue.data == NULL) { + krb5_set_error_string(context, "out of memory while " + "parsinig salt specifiers"); + ret = ENOMEM; + goto out; + } + strlwr(salt.saltvalue.data); + salt.saltvalue.length = strlen(*realm); + salt_set = 1; + } + } memset(&key, 0, sizeof(key)); for(i = 0; i < num_etypes; i++) { + Key *k; + for(k = keys; k < keys + num_keys; k++) { + if(k->key.keytype == etypes[i] && + ((k->salt != NULL && + k->salt->type == salt.salttype && + k->salt->salt.length == salt.saltvalue.length && + memcmp(k->salt->salt.data, salt.saltvalue.data, + salt.saltvalue.length) == 0) || + (k->salt == NULL && + salt.salttype == KRB5_PW_SALT && + !salt_set))) + goto next_etype; + } + ret = krb5_string_to_key_salt (context, etypes[i], password, @@ -210,6 +242,7 @@ make_keys(krb5_context context, krb5_principal principal, const char *password, } keys = tmp; keys[num_keys++] = key; + next_etype:; } } diff --git a/kerberosV/src/lib/kafs/ChangeLog b/kerberosV/src/lib/kafs/ChangeLog index 32b7728698f..e6dccd6efe3 100644 --- a/kerberosV/src/lib/kafs/ChangeLog +++ b/kerberosV/src/lib/kafs/ChangeLog 
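Review bot: In make_keys (set_keys.c) the new afs3 default-salt branch reports `"out of memory while parsinig salt specifiers"` — a typo for "parsing" — and it sets `salt_set = 1` while the parallel pw-salt branch leaves it clear; since `salt_set` later feeds the duplicate-key test (`k->salt == NULL && salt.salttype == KRB5_PW_SALT && !salt_set`), confirm the asymmetry is intended and say why with a comment such as `/* a synthesised afs3 salt counts as explicit so it is stored alongside the key */`. The lowercased realm is `strdup`'d into `salt.saltvalue.data`, but its release is not visible in this hunk; make_keys continues outside it, so check that the value is freed on every later exit.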
@@ -1,3 +1,28 @@ +2001-08-26 Assar Westerlund <assar@sics.se> + + * Makefile.am: handle both krb5 and krb4 cases + +2001-07-19 Assar Westerlund <assar@sics.se> + + * Makefile.am (libkafs_la_LDFLAGS): set version to 3:0:3 + +2001-07-12 Assar Westerlund <assar@sics.se> + + * common.c: look in /etc/openafs for debian openafs + * kafs.h: add paths for openafs debian (/etc/openafs) + + * Makefile.am: add required library dependencies + +2001-07-03 Assar Westerlund <assar@sics.se> + + * Makefile.am (libkafs_la_LDFLAGS): set versoin to 2:4:2 + +2001-06-19 Assar Westerlund <assar@sics.se> + + * common.c (_kafs_realm_of_cell): changed to first try exact match + in CellServDB, then exact match in DNS, and finally in-exact match + in CellServDB + 2001-05-18 Johan Danielsson <joda@pdc.kth.se> * Makefile.am: only build resolve.c if doing renaming diff --git a/kerberosV/src/lib/kafs/afskrb5.c b/kerberosV/src/lib/kafs/afskrb5.c index 99524b6b58f..502fa821515 100644 --- a/kerberosV/src/lib/kafs/afskrb5.c +++ b/kerberosV/src/lib/kafs/afskrb5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kafs_locl.h" -RCSID("$KTH: afskrb5.c,v 1.13 1999/12/02 16:58:39 joda Exp $"); +RCSID("$KTH: afskrb5.c,v 1.14 2001/06/18 13:11:32 assar Exp $"); struct krb5_kafs_data { krb5_context context; @@ -65,7 +65,7 @@ get_cred(kafs_data *data, const char *name, const char *inst, krb5_free_principal(d->context, in_creds.client); if(ret) return ret; - ret = krb524_convert_creds_kdc(d->context, d->id, out_creds, c); + ret = krb524_convert_creds_kdc_ccache(d->context, d->id, out_creds, c); krb5_free_creds(d->context, out_creds); return ret; } diff --git a/kerberosV/src/lib/kafs/roken_rename.h b/kerberosV/src/lib/kafs/roken_rename.h index 5a6dd41c241..2c202e0d16b 100644 
--- a/kerberosV/src/lib/kafs/roken_rename.h +++ b/kerberosV/src/lib/kafs/roken_rename.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: roken_rename.h,v 1.1 2001/02/12 22:01:27 assar Exp $ */ +/* $KTH: roken_rename.h,v 1.2 2001/08/26 00:48:57 assar Exp $ */ #ifndef __roken_rename_h__ #define __roken_rename_h__ @@ -46,5 +46,6 @@ #define dns_lookup _kafs_dns_lookup #define dns_string_to_type _kafs_dns_string_to_type #define dns_type_to_string _kafs_dns_type_to_string +#define dns_srv_order _krb_dns_srv_order #endif /* __roken_rename_h__ */ diff --git a/kerberosV/src/lib/krb5/auth_context.c b/kerberosV/src/lib/krb5/auth_context.c index b87554147e4..bff8737b374 100644 --- a/kerberosV/src/lib/krb5/auth_context.c +++ b/kerberosV/src/lib/krb5/auth_context.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: auth_context.c,v 1.56 2001/05/14 06:14:44 assar Exp $"); +RCSID("$KTH: auth_context.c,v 1.57 2001/06/17 23:12:34 assar Exp $"); krb5_error_code krb5_auth_con_init(krb5_context context, 
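Review bot: The new rename in roken_rename.h uses a `_krb_` prefix, `#define dns_srv_order _krb_dns_srv_order`, while every other entry in this header maps to `_kafs_*`; if libkrb carries its own roken_rename.h with the same `_krb_dns_srv_order` mapping, a program linking both libraries ends up with two definitions of one supposedly private symbol, which is exactly what the renaming exists to prevent. Use `#define dns_srv_order _kafs_dns_srv_order` to match `_kafs_dns_lookup` and friends. The prefix is the only thing this hunk changes, so it is worth fixing before the symbol escapes into the shared library.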
@@ -300,36 +300,36 @@ krb5_auth_con_setremotesubkey(krb5_context context, } krb5_error_code -krb5_auth_setcksumtype(krb5_context context, - krb5_auth_context auth_context, - krb5_cksumtype cksumtype) +krb5_auth_con_setcksumtype(krb5_context context, + krb5_auth_context auth_context, + krb5_cksumtype cksumtype) { auth_context->cksumtype = cksumtype; return 0; } krb5_error_code -krb5_auth_getcksumtype(krb5_context context, - krb5_auth_context auth_context, - krb5_cksumtype *cksumtype) +krb5_auth_con_getcksumtype(krb5_context context, + krb5_auth_context auth_context, + krb5_cksumtype *cksumtype) { *cksumtype = auth_context->cksumtype; return 0; } krb5_error_code -krb5_auth_setkeytype (krb5_context context, - krb5_auth_context auth_context, - krb5_keytype keytype) +krb5_auth_con_setkeytype (krb5_context context, + krb5_auth_context auth_context, + krb5_keytype keytype) { auth_context->keytype = keytype; return 0; } krb5_error_code -krb5_auth_getkeytype (krb5_context context, - krb5_auth_context auth_context, - krb5_keytype *keytype) +krb5_auth_con_getkeytype (krb5_context context, + krb5_auth_context auth_context, + krb5_keytype *keytype) { *keytype = auth_context->keytype; return 0; @@ -337,9 +337,9 @@ krb5_auth_getkeytype (krb5_context context, #if 0 krb5_error_code -krb5_auth_setenctype(krb5_context context, - krb5_auth_context auth_context, - krb5_enctype etype) +krb5_auth_con_setenctype(krb5_context context, + krb5_auth_context auth_context, + krb5_enctype etype) { if(auth_context->keyblock) krb5_free_keyblock(context, auth_context->keyblock); 
@@ -351,16 +351,16 @@ krb5_auth_setenctype(krb5_context context, } krb5_error_code -krb5_auth_getenctype(krb5_context context, - krb5_auth_context auth_context, - krb5_enctype *etype) +krb5_auth_con_getenctype(krb5_context context, + krb5_auth_context auth_context, + krb5_enctype *etype) { krb5_abortx(context, "unimplemented krb5_auth_getenctype called"); } #endif krb5_error_code -krb5_auth_getlocalseqnumber(krb5_context context, +krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, int32_t *seqnumber) { @@ -369,7 +369,7 @@ krb5_auth_getlocalseqnumber(krb5_context context, } krb5_error_code -krb5_auth_setlocalseqnumber (krb5_context context, +krb5_auth_con_setlocalseqnumber (krb5_context context, krb5_auth_context auth_context, int32_t seqnumber) { @@ -387,7 +387,7 @@ krb5_auth_getremoteseqnumber(krb5_context context, } krb5_error_code -krb5_auth_setremoteseqnumber (krb5_context context, +krb5_auth_con_setremoteseqnumber (krb5_context context, krb5_auth_context auth_context, int32_t seqnumber) { @@ -397,7 +397,7 @@ krb5_auth_setremoteseqnumber (krb5_context context, krb5_error_code -krb5_auth_getauthenticator(krb5_context context, +krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator *authenticator) { diff --git a/kerberosV/src/lib/krb5/changepw.c b/kerberosV/src/lib/krb5/changepw.c index 7a2211dcac0..31d713900a3 100644 --- a/kerberosV/src/lib/krb5/changepw.c +++ b/kerberosV/src/lib/krb5/changepw.c 
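Review bot: The rename to the `krb5_auth_con_*` form is incomplete: the hunk at `@@ -387` renames `krb5_auth_setremoteseqnumber`, but its getter, visible only as that hunk's context name `krb5_auth_getremoteseqnumber`, keeps the old spelling, so the local and remote sequence-number accessors no longer follow one pattern. Rename it as well, `krb5_auth_con_getremoteseqnumber(krb5_context context,`, and since none of these hunks add compatibility wrappers for the old names, consider keeping them as one-line wrappers for a release (or documenting the break) so existing callers keep building. The `krb5_abortx` message in the `#if 0` block still names `krb5_auth_getenctype`; harmless, but update it if that block is ever revived.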
@@ -33,46 +33,7 @@ #include <krb5_locl.h> -RCSID("$KTH: changepw.c,v 1.32 2001/05/14 22:49:55 assar Exp $"); - -static krb5_error_code -get_kdc_address (krb5_context context, - krb5_realm realm, - struct addrinfo **ai, - char **ret_host) -{ - krb5_error_code ret; - char **hostlist; - int port = 0; - int error; - char *host; - int save_errno; - - ret = krb5_get_krb_changepw_hst (context, - &realm, - &hostlist); - if (ret) - return ret; - - host = strdup(*hostlist); - krb5_free_krbhst(context, hostlist); - if (host == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; - } - - port = ntohs(krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT)); - error = roken_getaddrinfo_hostspec2(host, SOCK_DGRAM, port, ai); - - if(error) { - save_errno = errno; - krb5_set_error_string(context, "resolving %s: %s", - host, gai_strerror(error)); - return krb5_eai_to_heim_errno(error, save_errno); - } - *ret_host = host; - return 0; -} +RCSID("$KTH: changepw.c,v 1.33 2001/06/17 23:11:06 assar Exp $"); static krb5_error_code send_request (krb5_context context, 
@@ -294,96 +255,102 @@ krb5_change_password (krb5_context context, { krb5_error_code ret; krb5_auth_context auth_context = NULL; + krb5_krbhst_handle handle = NULL; + krb5_krbhst_info *hi; int sock; int i; - struct addrinfo *ai, *a; int done = 0; - char *host = NULL; + krb5_realm realm = creds->client->realm; ret = krb5_auth_con_init (context, &auth_context); if (ret) return ret; - ret = get_kdc_address (context, creds->client->realm, &ai, &host); + ret = krb5_krbhst_init (context, realm, KRB5_KRBHST_CHANGEPW, &handle); if (ret) goto out; - for (a = ai; !done && a != NULL; a = a->ai_next) { - int replied = 0; + while (krb5_krbhst_next(context, handle, &hi) == 0) { + struct addrinfo *ai, *a; - sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol); - if (sock < 0) + ret = krb5_krbhst_get_addrinfo(context, hi, &ai); + if (ret) continue; - for (i = 0; !done && i < 5; ++i) { - fd_set fdset; - struct timeval tv; - - if (!replied) { - replied = 0; - ret = send_request (context, - &auth_context, - creds, - sock, - a->ai_addr, - a->ai_addrlen, - newpw, - host); - if (ret) { - close(sock); - goto out; + for (a = ai; !done && a != NULL; a = a->ai_next) { + int replied = 0; + + sock = socket (a->ai_family, a->ai_socktype, a->ai_protocol); + if (sock < 0) + continue; + + for (i = 0; !done && i < 5; ++i) { + fd_set fdset; + struct timeval tv; + + if (!replied) { + replied = 0; + ret = send_request (context, + &auth_context, + creds, + sock, + a->ai_addr, + a->ai_addrlen, + newpw, + hi->hostname); + if (ret) { + close(sock); + goto out; + } } - } - if (sock >= FD_SETSIZE) { - krb5_set_error_string(context, "fd %d too large", sock); - ret = ERANGE; - close (sock); - goto out; - } + if (sock >= FD_SETSIZE) { + krb5_set_error_string(context, "fd %d too large", sock); + ret = ERANGE; + close (sock); + goto out; + } - FD_ZERO(&fdset); - FD_SET(sock, &fdset); - tv.tv_usec = 0; - tv.tv_sec = 1 + (1 << i); + FD_ZERO(&fdset); + FD_SET(sock, &fdset); + tv.tv_usec = 0; + tv.tv_sec = 
1 + (1 << i); - ret = select (sock + 1, &fdset, NULL, NULL, &tv); - if (ret < 0 && errno != EINTR) { - close(sock); - goto out; - } - if (ret == 1) { - ret = process_reply (context, - auth_context, - sock, - result_code, - result_code_string, - result_string, - host); - if (ret == 0) - done = 1; - else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL) - replied = 1; - } else { - ret = KRB5_KDC_UNREACH; + ret = select (sock + 1, &fdset, NULL, NULL, &tv); + if (ret < 0 && errno != EINTR) { + close(sock); + goto out; + } + if (ret == 1) { + ret = process_reply (context, + auth_context, + sock, + result_code, + result_code_string, + result_string, + hi->hostname); + if (ret == 0) + done = 1; + else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL) + replied = 1; + } else { + ret = KRB5_KDC_UNREACH; + } } + close (sock); } - close (sock); } - freeaddrinfo (ai); -out: + out: + krb5_krbhst_free (context, handle); krb5_auth_con_free (context, auth_context); - free (host); if (done) return 0; else { if (ret == KRB5_KDC_UNREACH) krb5_set_error_string(context, - "failed to reach kpasswd server %s " - "in realm %s", - host, creds->client->realm); - + "unable to reach any changepw server " + " in realm %s", realm); return ret; } } diff --git a/kerberosV/src/lib/krb5/convert_creds.c b/kerberosV/src/lib/krb5/convert_creds.c index 3697a6dd032..16256439879 100644 --- a/kerberosV/src/lib/krb5/convert_creds.c +++ b/kerberosV/src/lib/krb5/convert_creds.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$KTH: convert_creds.c,v 1.17 2001/05/14 06:14:45 assar Exp $"); +RCSID("$KTH: convert_creds.c,v 1.24 2001/06/20 02:49:21 joda Exp $"); static krb5_error_code check_ticket_flags(TicketFlags f) @@ -121,7 +121,6 @@ _krb_time_to_life(time_t start, time_t end) krb5_error_code krb524_convert_creds_kdc(krb5_context context, - krb5_ccache ccache, krb5_creds *in_cred, struct credentials *v4creds) { 
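Review bot: `krb5_change_password` can now return 0 without ever sending a request: if `krb5_krbhst_next` yields no hosts, or `socket()` fails for every address, the loop leaves `ret` at 0 from the last successful call while `done` stays 0, and the tail `else { ...; return ret; }` hands that 0 to the caller as success with `result_code` never written. Make the failure explicit at `out`, e.g. `if (!done && ret == 0) ret = KRB5_KDC_UNREACH;` placed before the `if (ret == KRB5_KDC_UNREACH)` test. Two smaller points: the new message is two adjacent literals `"... server " " in realm %s"` and so prints a double space, and the outer loop does not test `done`, so after a successful change it keeps resolving the remaining hosts; `while (!done && krb5_krbhst_next(context, handle, &hi) == 0)` stops that.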
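Review bot: Removing the `ccache` parameter from `krb524_convert_creds_kdc` while keeping the exported name changes the function's ABI in place: a binary built against the old four-argument prototype now passes its `ccache` where `in_cred` is expected, and the dynamic linker will not notice. The safer shape is to keep `krb524_convert_creds_kdc` at four arguments (delegating to the new code) and give the three-argument variant the new name, or at minimum bump the library's major version together with this change. The body of `krb524_convert_creds_kdc` continues in the next hunk.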
@@ -132,67 +131,30 @@ krb524_convert_creds_kdc(krb5_context context, krb5_data ticket; char realm[REALM_SZ]; krb5_creds *v5_creds = in_cred; - krb5_keytype keytype; - - keytype = v5_creds->session.keytype; - - if (keytype != ENCTYPE_DES_CBC_CRC) { - /* MIT krb524d doesn't like nothing but des-cbc-crc tickets, - so go get one */ - krb5_creds template; - - memset (&template, 0, sizeof(template)); - template.session.keytype = ENCTYPE_DES_CBC_CRC; - ret = krb5_copy_principal (context, in_cred->client, &template.client); - if (ret) { - krb5_free_creds_contents (context, &template); - return ret; - } - ret = krb5_copy_principal (context, in_cred->server, &template.server); - if (ret) { - krb5_free_creds_contents (context, &template); - return ret; - } - - ret = krb5_get_credentials (context, 0, ccache, - &template, &v5_creds); - krb5_free_creds_contents (context, &template); - if (ret) - return ret; - } ret = check_ticket_flags(v5_creds->flags.b); if(ret) goto out2; { - char **hostlist; - int port; - port = krb5_getportbyname (context, "krb524", "udp", 4444); - - ret = krb5_get_krbhst (context, krb5_princ_realm(context, - v5_creds->server), - &hostlist); - if(ret) + krb5_krbhst_handle handle; + + ret = krb5_krbhst_init(context, + *krb5_princ_realm(context, + v5_creds->server), + KRB5_KRBHST_KRB524, + &handle); + if (ret) goto out2; - + ret = krb5_sendto (context, &v5_creds->ticket, - hostlist, - port, + handle, &reply); - if(ret == KRB5_KDC_UNREACH) { - port = krb5_getportbyname (context, "kerberos", "udp", 88); - ret = krb5_sendto (context, - &v5_creds->ticket, - hostlist, - port, - &reply); - } - krb5_free_krbhst (context, hostlist); + krb5_krbhst_free(context, handle); + if (ret) + goto out2; } - if (ret) - goto out2; sp = krb5_storage_from_mem(reply.data, reply.length); if(sp == NULL) { ret = ENOMEM; 
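Review bot: With the DES-CBC-CRC check moved out to the new `_ccache` wrapper, `krb524_convert_creds_kdc` itself no longer verifies `v5_creds->session.keytype`, yet further down it still does a fixed `memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8)`; a caller that hands it a ticket with a longer session key gets the first 8 bytes of that key silently installed as the V4 session key. Keep a guard at the top, `if (v5_creds->session.keytype != ENCTYPE_DES_CBC_CRC) return KRB524_BADKEY;` (the code is introduced in k524_err.et by this same import, assuming its generated header is visible here). The old fallback to the KDC port when the krb524 port was unreachable is also gone; if that is meant to be covered by the `KRB5_KRBHST_KRB524` lookup, a one-line comment saying so would stop the next reader from re-adding it.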
@@ -220,7 +182,7 @@ krb524_convert_creds_kdc(krb5_context context, v4creds->realm); if(ret) goto out; - v4creds->issue_date = v5_creds->times.authtime; + v4creds->issue_date = v5_creds->times.starttime; v4creds->lifetime = _krb_time_to_life(v4creds->issue_date, v5_creds->times.endtime); ret = krb5_524_conv_principal(context, v5_creds->client, @@ -230,6 +192,9 @@ krb524_convert_creds_kdc(krb5_context context, if(ret) goto out; memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8); + } else { + krb5_set_error_string(context, "converting credentials: %s", + krb5_get_err_text(context, ret)); } out: krb5_storage_free(sp); @@ -239,3 +204,47 @@ out2: krb5_free_creds (context, v5_creds); return ret; } + +krb5_error_code +krb524_convert_creds_kdc_ccache(krb5_context context, + krb5_ccache ccache, + krb5_creds *in_cred, + struct credentials *v4creds) +{ + krb5_error_code ret; + krb5_creds *v5_creds = in_cred; + krb5_keytype keytype; + + keytype = v5_creds->session.keytype; + + if (keytype != ENCTYPE_DES_CBC_CRC) { + /* MIT krb524d doesn't like nothing but des-cbc-crc tickets, + so go get one */ + krb5_creds template; + + memset (&template, 0, sizeof(template)); + template.session.keytype = ENCTYPE_DES_CBC_CRC; + ret = krb5_copy_principal (context, in_cred->client, &template.client); + if (ret) { + krb5_free_creds_contents (context, &template); + return ret; + } + ret = krb5_copy_principal (context, in_cred->server, &template.server); + if (ret) { + krb5_free_creds_contents (context, &template); + return ret; + } + + ret = krb5_get_credentials (context, 0, ccache, + &template, &v5_creds); + krb5_free_creds_contents (context, &template); + if (ret) + return ret; + } + + ret = krb524_convert_creds_kdc(context, v5_creds, v4creds); + + if (v5_creds != in_cred) + krb5_free_creds (context, v5_creds); + return ret; +} diff --git a/kerberosV/src/lib/krb5/get_addrs.c b/kerberosV/src/lib/krb5/get_addrs.c index b8332367018..cd1ebaa8378 100644 
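Review bot: The new public function `krb524_convert_creds_kdc_ccache` has no comment describing its contract; add a header comment stating that it converts `in_cred` to V4 form and, when the session key is not DES-CBC-CRC, first obtains a DES-CBC-CRC ticket for the same client/server pair from `ccache`, and that `v4creds` is only valid on a zero return. The `out2:` tail of `krb524_convert_creds_kdc` still ends in `krb5_free_creds (context, v5_creds);`, but in that function `v5_creds` is now always `in_cred`: if the line above the call is the bare label, the function now frees the caller's credentials; if it is the old `v5_creds != in_cred` guard, the guard is dead code. Either way the tail should be simplified to match the new ownership, which the wrapper already handles correctly; the line preceding that free is outside this hunk.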
--- a/kerberosV/src/lib/krb5/get_addrs.c +++ b/kerberosV/src/lib/krb5/get_addrs.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: get_addrs.c,v 1.41 2001/05/14 06:14:46 assar Exp $"); +RCSID("$KTH: get_addrs.c,v 1.43 2001/07/03 18:43:57 assar Exp $"); #ifdef __osf__ /* hate */ @@ -102,6 +102,7 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) struct ifaddrs *ifa0, *ifa; krb5_error_code ret = ENXIO; int num, idx; + krb5_addresses ignore_addresses; res->val = NULL; @@ -123,9 +124,17 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) return (ENXIO); } + if (flags & EXTRA_ADDRESSES) { + /* we'll remove the addresses we don't care about */ + ret = krb5_get_ignore_addresses(context, &ignore_addresses); + if(ret) + return ret; + } + /* Allocate storage for them. */ res->val = calloc(num, sizeof(*res->val)); if (res->val == NULL) { + krb5_free_addresses(context, &ignore_addresses); freeifaddrs(ifa0); krb5_set_error_string (context, "malloc: out of memory"); return (ENOMEM); @@ -139,7 +148,6 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) continue; if (krb5_sockaddr_uninteresting(ifa->ifa_addr)) continue; - if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) { /* We'll deal with the LOOP_IF_NONE case later. */ if ((flags & LOOP) == 0) @@ -156,6 +164,16 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) */ continue; } + /* possibly skip this address? */ + if((flags & EXTRA_ADDRESSES) && + krb5_address_search(context, &res->val[idx], &ignore_addresses)) { + krb5_free_address(context, &res->val[idx]); + flags &= ~LOOP_IF_NONE; /* we actually found an address, + so don't add any loop-back + addresses */ + continue; + } + idx++; } 
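Review bot: In the `@@ -123` hunk the calloc-failure path calls `krb5_free_addresses(context, &ignore_addresses)` unconditionally, but `ignore_addresses` is only filled in when `flags & EXTRA_ADDRESSES`; for every other caller it is an uninitialised local (declared without an initialiser in the preceding hunk), so that failure path frees garbage. Guard it the same way the end of the function does, `if (flags & EXTRA_ADDRESSES) krb5_free_addresses(context, &ignore_addresses);`, or zero-initialise the struct at its declaration. The new early return when `krb5_get_ignore_addresses` fails also skips `freeifaddrs(ifa0)`, which the very next error path shows is still live; use `if (ret) { freeifaddrs(ifa0); return ret; }`. find_all_addresses begins and ends outside this hunk.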
@@ -181,11 +199,19 @@ find_all_addresses (krb5_context context, krb5_addresses *res, int flags) */ continue; } + if((flags & EXTRA_ADDRESSES) && + krb5_address_search(context, &res->val[idx], + &ignore_addresses)) { + krb5_free_address(context, &res->val[idx]); + continue; + } idx++; } } } + if (flags & EXTRA_ADDRESSES) + krb5_free_addresses(context, &ignore_addresses); freeifaddrs(ifa0); if (ret) free(res->val); @@ -207,8 +233,8 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags) ret = 0; if(ret == 0 && (flags & EXTRA_ADDRESSES)) { - /* append user specified addresses */ krb5_addresses a; + /* append user specified addresses */ ret = krb5_get_extra_addresses(context, &a); if(ret) { krb5_free_addresses(context, res); @@ -221,6 +247,10 @@ get_addrs_int (krb5_context context, krb5_addresses *res, int flags) } krb5_free_addresses(context, &a); } + if(res->len == 0) { + free(res->val); + res->val = NULL; + } return ret; } diff --git a/kerberosV/src/lib/krb5/get_cred.c b/kerberosV/src/lib/krb5/get_cred.c index d20607f244f..69a1d3eb9a9 100644 --- a/kerberosV/src/lib/krb5/get_cred.c +++ b/kerberosV/src/lib/krb5/get_cred.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$KTH: get_cred.c,v 1.85 2001/05/14 06:14:46 assar Exp $"); +RCSID("$KTH: get_cred.c,v 1.87 2001/07/03 18:45:03 assar Exp $"); /* * Take the `body' and encode it into `padata' using the credentials @@ -558,10 +558,13 @@ get_cred_kdc_la(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, krb5_creds *out_creds) { krb5_error_code ret; - krb5_addresses addresses; + krb5_addresses addresses, *addrs = &addresses; krb5_get_all_client_addrs(context, &addresses); - ret = get_cred_kdc(context, id, flags, &addresses, + /* XXX this sucks. */ + if(addresses.len == 0) + addrs = NULL; + ret = get_cred_kdc(context, id, flags, addrs, in_creds, krbtgt, out_creds); krb5_free_addresses(context, &addresses); return ret; 
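Review bot: In `get_cred_kdc_la` the return value of `krb5_get_all_client_addrs` is still discarded, and the new code then reads `addresses.len` and later calls `krb5_free_addresses` on it; whether `addresses` is well-defined after a failure depends on how far the callee got, which is not visible here. Check it: `ret = krb5_get_all_client_addrs(context, &addresses); if (ret) return ret;`. The `/* XXX this sucks. */` comment should say what the workaround is for, presumably that `get_cred_kdc` must receive NULL rather than a zero-length list so the request omits the addresses field entirely; confirm that against get_cred_kdc and write it down instead. get_cred_kdc_la begins outside this hunk.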
diff --git a/kerberosV/src/lib/krb5/get_default_realm.c b/kerberosV/src/lib/krb5/get_default_realm.c index ffd17c8168a..0806e656ba9 100644 --- a/kerberosV/src/lib/krb5/get_default_realm.c +++ b/kerberosV/src/lib/krb5/get_default_realm.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: get_default_realm.c,v 1.9 2001/05/14 06:14:47 assar Exp $"); +RCSID("$KTH: get_default_realm.c,v 1.10 2001/07/19 16:55:27 assar Exp $"); /* * Return a NULL-terminated list of default realms in `realms'. @@ -68,8 +68,10 @@ krb5_get_default_realm(krb5_context context, if (context->default_realms == NULL || context->default_realms[0] == NULL) { krb5_error_code ret = krb5_set_default_realm (context, NULL); - if (ret) + if (ret) { + krb5_set_error_string(context, "no default realm configured"); return KRB5_CONFIG_NODEFREALM; + } } res = strdup (context->default_realms[0]); diff --git a/kerberosV/src/lib/krb5/get_for_creds.c b/kerberosV/src/lib/krb5/get_for_creds.c index ac482c7af66..97c70af33d9 100644 --- a/kerberosV/src/lib/krb5/get_for_creds.c +++ b/kerberosV/src/lib/krb5/get_for_creds.c @@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$KTH: get_for_creds.c,v 1.29 2001/05/14 22:49:55 assar Exp $"); +RCSID("$KTH: get_for_creds.c,v 1.31 2001/07/19 17:33:22 assar Exp $"); static krb5_error_code add_addrs(krb5_context context, @@ -79,7 +79,10 @@ fail: } /* - * + * Forward credentials for `client' to host `hostname`, + * making them forwardable if `forwardable', and returning the + * blob of data to sent in `out_data'. + * If hostname == NULL, pick it from `server' */ krb5_error_code 
@@ -95,16 +98,39 @@ krb5_fwd_tgt_creds (krb5_context context, krb5_flags flags = 0; krb5_creds creds; krb5_error_code ret; + krb5_const_realm client_realm; flags |= KDC_OPT_FORWARDED; if (forwardable) flags |= KDC_OPT_FORWARDABLE; + if (hostname == NULL && + krb5_principal_get_type(context, server) == KRB5_NT_SRV_HST) { + const char *inst = krb5_principal_get_comp_string(context, server, 0); + const char *host = krb5_principal_get_comp_string(context, server, 1); + + if (inst != NULL && + strcmp(inst, "host") == 0 && + host != NULL && + krb5_principal_get_comp_string(context, server, 2) == NULL) + hostname = host; + } + + client_realm = krb5_principal_get_realm(context, client); memset (&creds, 0, sizeof(creds)); creds.client = client; - creds.server = server; + + ret = krb5_build_principal(context, + &creds.server, + strlen(client_realm), + client_realm, + KRB5_TGS_NAME, + client_realm, + NULL); + if (ret) + return ret; ret = krb5_get_forwarded_creds (context, auth_context, @@ -214,12 +240,20 @@ krb5_get_forwarded_creds (krb5_context context, *enc_krb_cred_part.usec = usec; if (auth_context->local_address && auth_context->local_port) { - ret = krb5_make_addrport (context, - &enc_krb_cred_part.s_address, - auth_context->local_address, - auth_context->local_port); - if (ret) - goto out4; + krb5_boolean noaddr; + const krb5_realm *realm; + + realm = krb5_princ_realm(context, out_creds->server); + krb5_appdefault_boolean(context, NULL, *realm, "no-addresses", FALSE, + &noaddr); + if (!noaddr) { + ret = krb5_make_addrport (context, + &enc_krb_cred_part.s_address, + auth_context->local_address, + auth_context->local_port); + if (ret) + goto out4; + } } if (auth_context->remote_address) { diff --git a/kerberosV/src/lib/krb5/get_in_tkt.c b/kerberosV/src/lib/krb5/get_in_tkt.c index 050398899eb..5cd937c9ec5 100644 --- a/kerberosV/src/lib/krb5/get_in_tkt.c +++ b/kerberosV/src/lib/krb5/get_in_tkt.c 
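Review bot: `creds.server` is now built with `krb5_build_principal`, so it is heap-allocated and owned by `krb5_fwd_tgt_creds`, whereas the removed `creds.server = server;` merely borrowed the caller's pointer; nothing in this hunk frees it, and the remainder of the function (from the `krb5_get_forwarded_creds` call on) is outside the hunk, so confirm that every exit path there calls `krb5_free_principal(context, creds.server)`, noting that `creds.client` is still borrowed so a blanket `krb5_free_creds_contents` would be wrong. The host-name derivation also deserves a comment, e.g. `/* server of the form host/<fqdn>@REALM: forward to that host */`, since it silently does nothing for any other principal shape and then relies on a NULL `hostname` being acceptable downstream.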
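Review bot: The new `no-addresses` lookup in `krb5_get_forwarded_creds` changes what goes on the wire without saying why: when the appdefault is true the KRB-CRED's `s_address` is omitted, so the receiver can no longer tie the forwarded ticket to the sending host, which is presumably the intended trade-off for addressless tickets but should be stated at the call, e.g. `/* no-addresses: omit s_address; the receiver then cannot bind the forwarded ticket to this host */`. The setting is read for the realm of `out_creds->server`, i.e. the TGS realm rather than the client's; if that is deliberate, say so, and note that `realm` points into `out_creds` and is only valid while `out_creds` lives. The function continues outside this hunk.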
@@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: get_in_tkt.c,v 1.100 2001/05/14 06:14:48 assar Exp $"); +RCSID("$KTH: get_in_tkt.c,v 1.102 2001/07/02 22:30:48 joda Exp $"); krb5_error_code krb5_init_etype (krb5_context context, @@ -505,8 +505,13 @@ init_as_req (krb5_context context, if (addrs) ret = krb5_copy_addresses(context, addrs, a->req_body.addresses); - else + else { ret = krb5_get_all_client_addrs (context, a->req_body.addresses); + if(ret == 0 && a->req_body.addresses->len == 0) { + free(a->req_body.addresses); + a->req_body.addresses = NULL; + } + } if (ret) return ret; } @@ -726,6 +731,7 @@ krb5_get_in_cred(krb5_context context, done = 0; preauth = my_preauth; krb5_free_error_contents(context, &error); + krb5_clear_error_string(context); continue; } if(ret_as_reply) diff --git a/kerberosV/src/lib/krb5/heim_err.et b/kerberosV/src/lib/krb5/heim_err.et index 76b34d3086a..28af59f62bc 100644 --- a/kerberosV/src/lib/krb5/heim_err.et +++ b/kerberosV/src/lib/krb5/heim_err.et @@ -3,7 +3,7 @@ # # This might look like a com_err file, but is not # -id "$KTH: heim_err.et,v 1.10 2000/07/08 13:02:11 joda Exp $" +id "$KTH: heim_err.et,v 1.12 2001/06/21 03:51:36 assar Exp $" error_table heim @@ -16,6 +16,7 @@ error_code NOHOST, "Host not found" error_code OPNOTSUPP, "Operation not supported" error_code EOF, "End of file" error_code BAD_MKEY, "Failed to get the master key" +error_code SERVICE_NOMATCH, "Unacceptable service used" index 128 prefix HEIM_EAI @@ -32,5 +33,4 @@ error_code NONAME, "nodename nor servname provided, or not known" error_code SERVICE, "servname not supported for ai_socktype" error_code SOCKTYPE, "ai_socktype not supported" error_code SYSTEM, "system error returned in errno" - end diff --git a/kerberosV/src/lib/krb5/init_creds_pw.c b/kerberosV/src/lib/krb5/init_creds_pw.c index 77e94d908b2..4615d276901 100644 --- a/kerberosV/src/lib/krb5/init_creds_pw.c +++ b/kerberosV/src/lib/krb5/init_creds_pw.c 
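Review bot: In `init_as_req` the new empty-list handling does a bare `free(a->req_body.addresses)` after `krb5_get_all_client_addrs`, which releases the container but not whatever the callee left in `->val`; that is leak-free only if the address routine guarantees `val == NULL` whenever `len == 0`, a coupling to another file that nothing here documents. Use the library's own destructor first, `krb5_free_addresses(context, a->req_body.addresses);` followed by `free(a->req_body.addresses);`, so this code does not depend on that invariant. init_as_req begins and ends outside this hunk.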
@@ -33,12 +33,12 @@ #include "krb5_locl.h" -RCSID("$KTH: init_creds_pw.c,v 1.47 2001/05/14 06:14:48 assar Exp $"); +RCSID("$KTH: init_creds_pw.c,v 1.50 2001/09/05 17:40:03 nectar Exp $"); static int get_config_time (krb5_context context, - char *realm, - char *name, + const char *realm, + const char *name, int def) { int ret; @@ -59,24 +59,6 @@ get_config_time (krb5_context context, return def; } -static krb5_boolean -get_config_bool (krb5_context context, - char *realm, - char *name) -{ - return krb5_config_get_bool (context, - NULL, - "realms", - realm, - name, - NULL) - || krb5_config_get_bool (context, - NULL, - "libdefaults", - name, - NULL); -} - static krb5_error_code init_cred (krb5_context context, krb5_creds *cred, @@ -111,22 +93,13 @@ init_cred (krb5_context context, if (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE) tmp = options->tkt_life; else - tmp = get_config_time (context, - *client_realm, - "ticket_lifetime", - 10 * 60 * 60); + tmp = 10 * 60 * 60; cred->times.endtime = now + tmp; - tmp = 0; - if (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE) - tmp = options->renew_life; - else - tmp = get_config_time (context, - *client_realm, - "renew_lifetime", - 0); - if (tmp) - cred->times.renew_till = now + tmp; + if ((options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE) && + options->renew_life > 0) { + cred->times.renew_till = now + options->renew_life; + } if (in_tkt_service) { krb5_realm server_realm; @@ -231,17 +204,9 @@ get_init_creds_common(krb5_context context, if (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE) flags->b.forwardable = options->forwardable; - else - flags->b.forwardable = get_config_bool (context, - *client_realm, - "forwardable"); if (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE) flags->b.proxiable = options->proxiable; - else - flags->b.proxiable = get_config_bool (context, - *client_realm, - "proxiable"); if (start_time) flags->b.postdated = 1; 
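Review bot: Dropping the `get_config_time`/`get_config_bool` lookups means `krb5_get_init_creds_*` no longer honours `ticket_lifetime`, `renew_lifetime`, `forwardable` or `proxiable` from `[realms]`/`[libdefaults]` unless the caller sets the matching `KRB5_GET_INIT_CREDS_OPT_*` flag; that is a silent behaviour change for every library user that relied on krb5.conf, and nothing in these hunks records it. Add a comment where the defaults are now fixed, e.g. `/* defaults are no longer read from krb5.conf here; callers supply them via krb5_get_init_creds_opt */`, and replace the bare `10 * 60 * 60` with a named constant such as `DEFAULT_TKT_LIFE`. `get_config_time` keeps its now `const`-correct definition but both of its calls in `init_cred` are removed; if no other caller remains in the file it is dead static code that compilers will warn about.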
@@ -292,7 +257,7 @@ change_password (krb5_context context, krb5_error_code ret; krb5_creds cpw_cred; char buf1[BUFSIZ], buf2[BUFSIZ]; - krb5_data password_data; + krb5_data password_data[2]; int result_code; krb5_data result_code_string; krb5_data result_string; @@ -326,20 +291,20 @@ change_password (krb5_context context, goto out; for(;;) { - password_data.data = buf1; - password_data.length = sizeof(buf1); + password_data[0].data = buf1; + password_data[0].length = sizeof(buf1); prompts[0].hidden = 1; prompts[0].prompt = "New password: "; - prompts[0].reply = &password_data; + prompts[0].reply = &password_data[0]; prompts[0].type = KRB5_PROMPT_TYPE_NEW_PASSWORD; - password_data.data = buf2; - password_data.length = sizeof(buf2); + password_data[1].data = buf2; + password_data[1].length = sizeof(buf2); prompts[1].hidden = 1; prompts[1].prompt = "Repeat new password: "; - prompts[1].reply = &password_data; + prompts[1].reply = &password_data[1]; prompts[1].type = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN; ret = (*prompter) (context, data, NULL, "Changing password", diff --git a/kerberosV/src/lib/krb5/k524_err.et b/kerberosV/src/lib/krb5/k524_err.et new file mode 100644 index 00000000000..20dffd415d3 --- /dev/null +++ b/kerberosV/src/lib/krb5/k524_err.et @@ -0,0 +1,20 @@ +# +# Error messages for the k524 functions +# +# This might look like a com_err file, but is not +# +id "$KTH: k524_err.et,v 1.1 2001/06/20 02:44:11 joda Exp $" + +error_table k524 + +prefix KRB524 +error_code BADKEY, "wrong keytype in ticket" +error_code BADADDR, "incorrect network address" +error_code BADPRINC, "cannot convert V5 principal" #unused +error_code BADREALM, "V5 realm name longer than V4 maximum" #unused +error_code V4ERR, "kerberos V4 error server" +error_code ENCFULL, "encoding too large at server" +error_code DECEMPTY, "decoding out of data" #unused +error_code NOTRESP, "service not responding" #unused +end + 
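Review bot: With a separate `krb5_data` per prompt, `buf1` and `buf2` now both reliably hold the new password in clear text for the rest of `change_password`, whose remainder is outside this hunk; confirm that every exit path wipes them, e.g. `memset(buf1, 0, sizeof(buf1)); memset(buf2, 0, sizeof(buf2));`, rather than leaving the password on the stack after return. A short comment on the array, `/* one reply buffer per prompt; both must be wiped before returning */`, would make that requirement visible to the next editor. The split itself is the right fix, since a single shared reply meant the second prompt overwrote the first.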
diff --git a/kerberosV/src/lib/krb5/krb5_appdefault.3 b/kerberosV/src/lib/krb5/krb5_appdefault.3 index 0f2868c9830..e0162e4a3c1 100644 --- a/kerberosV/src/lib/krb5/krb5_appdefault.3 +++ b/kerberosV/src/lib/krb5/krb5_appdefault.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 2000 Kungliga Tekniska Högskolan -.\" $KTH: krb5_appdefault.3,v 1.4 2001/05/02 08:59:23 assar Exp $ +.\" $KTH: krb5_appdefault.3,v 1.5 2001/06/23 22:35:19 assar Exp $ .Dd July 25, 2000 .Dt KRB5_APPDEFAULT 3 .Os HEIMDAL @@ -42,11 +42,14 @@ in order of descending importance. } option = value .Ed -.Pp -If the realm is omitted it will not be used for resolving values. If -no value can be found, +.Fa appname +is the name of the application, and +.Fa realm +is the realm name. If the realm is omitted it will not be used for +resolving values. .Fa def_val -is returned instead. +is the value to return if no value is found in +.Xr krb5.conf 5 . .Sh SEE ALSO .Xr krb5_config 3 , .Xr krb5.conf 5 diff --git a/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 new file mode 100644 index 00000000000..7ecaa77235f --- /dev/null +++ b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 
@@ -0,0 +1,39 @@ +.\" $KTH: krb5_get_all_client_addrs.3,v 1.1 2001/07/02 22:31:36 joda Exp $ +.Dd July 1, 2001 +.Dt KRB5_GET_ADDRS 3 +.Sh NAME +.Nm krb5_get_all_client_addrs , +.Nm krb5_get_all_server_addrs +.Nd return local addresses +.Sh SYNOPSIS +.Fd #include <krb5.h> +.Ft "krb5_error_code" +.Fn krb5_get_all_client_addrs "krb5_context context" "krb5_addresses *addrs" +.Ft "krb5_error_code" +.Fn krb5_get_all_server_addrs "krb5_context context" "krb5_addresses *addrs" +.Sh DESCRIPTION +These functions return in +.Fa addrs +a list of addresses associated with the local +host. +.Pp +The server variant returns all configured interface addresses (if +possible), including loop-back addresses. This is useful if you want +to create sockets to listen to. +.Pp +The client version will also scan local interfaces (can be turned off +by setting +.Li libdefaults/scan_interfaces +to false in +.Pa krb5.conf ) , +but will not include loop-back addresses, unless there are no other +addresses found. It will remove all addresses included in +.Li libdefaults/ignore_addresses +but will unconditionally include addresses in +.Li libdefaults/extra_addresses . +.Pp +The returned addresses should be freed by calling +.Fn krb5_free_addresses . +.\".Sh EXAMPLE +.Sh SEE ALSO +.Xr krb5_free_addresses diff --git a/kerberosV/src/lib/krb5/krb5_get_krbhst.3 b/kerberosV/src/lib/krb5/krb5_get_krbhst.3 new file mode 100644 index 00000000000..c0bd3c2ffd0 --- /dev/null +++ b/kerberosV/src/lib/krb5/krb5_get_krbhst.3 
@@ -0,0 +1,58 @@ +.\" Copyright (c) 2001 Kungliga Tekniska Högskolan +.\" $KTH: krb5_get_krbhst.3,v 1.1 2001/06/16 23:00:43 joda Exp $ +.Dd June 17, 2001 +.Dt KRB5_GET_KRBHST 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_get_krbhst +.Nm krb5_get_krb_admin_hst +.Nm krb5_get_krb_changepw_hst +.Nm krb5_get_krb524hst +.Nm krb5_free_krbhst +.Nd lookup Kerberos KDC hosts +.Sh SYNOPSIS +.Fd #include <krb5.h> + +.Ft krb5_error_code +.Fn krb5_get_krbhst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" +.Ft krb5_error_code +.Fn krb5_get_krb_admin_hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" +.Ft krb5_error_code +.Fn krb5_get_krb_changepw_hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" +.Ft krb5_error_code +.Fn krb5_get_krb524hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist" +.Ft krb5_error_code +.Fn krb5_free_krbhst "krb5_context context" "char **hostlist" + +.Sh DESCRIPTION + +These functions implement the old API to get a list of Kerberos hosts, +and are thus similar to the +.Fn krb5_krbhst_init +functions. However, since these functions returns +.Em all +hosts in one go, they potentially have to do more lookups than +necessary. These functions remain for compatibility reasons. +.Pp +After a call to one of these functions, +.Fa hostlist +is a +.Dv NULL +terminated list of strings, pointing to the requested Kerberos hosts. These should be freed with +.Fn krb5_free_krbhst +when done with. + + +.Sh EXAMPLE +The following code will print the KDCs of the realm +.Dq MY.REALM . +.Bd -literal -offset indent +char **hosts, **p; +krb5_get_krbhst(context, "MY.REALM", &hosts); +for(p = hosts; *p; p++) + printf("%s\\n", *p); +krb5_free_krbhst(context, hosts); +.Ed +.\" .Sh BUGS +.Sh SEE ALSO +.Xr krb5_krbhst_init 3 diff --git a/kerberosV/src/lib/krb5/krb5_krbhst_init.3 b/kerberosV/src/lib/krb5/krb5_krbhst_init.3 new file mode 100644 index 00000000000..5c28b56cca2 --- /dev/null 
+++ b/kerberosV/src/lib/krb5/krb5_krbhst_init.3 
@@ -0,0 +1,120 @@ +.\" Copyright (c) 2001 Kungliga Tekniska Högskolan +.\" $KTH: krb5_krbhst_init.3,v 1.2 2001/06/21 14:35:21 assar Exp $ +.Dd June 17, 2001 +.Dt KRB5_KRBHST_INIT 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_krbhst_init , +.Nm krb5_krbhst_next , +.Nm krb5_krbhst_next_as_string , +.Nm krb5_krbhst_reset , +.Nm krb5_krbhst_free , +.Nm krb5_krbhst_format_string , +.Nm krb5_krbhst_get_addrinfo +.Nd lookup Kerberos KDC hosts +.Sh SYNOPSIS +.Fd #include <krb5.h> + +.Ft krb5_error_code +.Fn krb5_krbhst_init "krb5_context context" "const char *realm" "unsigned int type" "krb5_krbhst_handle *handle" +.Ft krb5_error_code +.Fn "krb5_krbhst_next" "krb5_context context" "krb5_krbhst_handle handle" "krb5_krbhst_info **host" +.Ft krb5_error_code +.Fn krb5_krbhst_next_as_string "krb5_context context" "krb5_krbhst_handle handle" "char *hostname" "size_t hostlen" +.Ft void +.Fn krb5_krbhst_reset "krb5_context context" "krb5_krbhst_handle handle" +.Ft void +.Fn krb5_krbhst_free "krb5_context context" "krb5_krbhst_handle handle" +.Ft krb5_error_code +.Fn krb5_krbhst_format_string "krb5_context context" "const krb5_krbhst_info *host" "char *hostname" "size_t hostlen" +.Ft krb5_error_code +.Fn krb5_krbhst_get_addrinfo "krb5_context context" "krb5_krbhst_info *host" "struct addrinfo **ai" +.Sh DESCRIPTION +These functions are used to sequence through all Kerberos hosts of a +particular realm and service. The service type can be the KDCs, the +administrative servers, the password changing servers, or the servers +for Kerberos 4 ticket conversion. +.Pp +First a handle to a particular service is obtained by calling +.Fn krb5_krbhst_init +with the +.Fa realm +of interest and the type of service to lookup. The +.Fa type +can be one of: +.Pp +.Bl -hang -compact -offset indent +.It KRB5_KRBHST_KDC +.It KRB5_KRBHST_ADMIN +.It KRB5_KRBHST_CHANGEPW +.It KRB5_KRBHST_KRB524 +.El +.Pp +The +.Fa handle +is returned to the caller, and should be passed to the other +functions. 
+.Pp +For each call to +.Fn krb5_krbhst_next +information a new host is returned. The former function returns in +.Fa host +a pointer to a structure containing information about the host, such +as protocol, hostname, and port: +.Bd -literal -offset indent +typedef struct krb5_krbhst_info { + enum { KRB5_KRBHST_UDP, + KRB5_KRBHST_TCP, + KRB5_KRBHST_HTTP } proto; + unsigned short port; + struct addrinfo *ai; + struct krb5_krbhst_info *next; + char hostname[1]; +} krb5_krbhst_info; +.Ed +.Pp +The related function, +.Fn krb5_krbhst_next_as_string , +return the same information as a url-like string. +.Pp +When there are no more hosts, these functions return +.Dv KRB5_KDC_UNREACH . +.Pp +To re-iterate over all hosts, call +.Fn krb5_krbhst_reset +and the next call to +.Fn krb5_krbhst_next +will return the first host. +.Pp +When done with the handle, +.Fn krb5_krbhst_free +should be called. +.Pp +To use a +.Va krb5_krbhst_info , +there are two functions: +.Fn krb5_krbhst_format_string +that will return a printable representation of that struct +and +.Fn krb5_krbhst_get_addrinfo +that will return a +.Va struct addrinfo +that can then be used for communicating with the server mentioned. +.Sh EXAMPLE +The following code will print the KDCs of the realm +.Dq MY.REALM . +.Bd -literal -offset indent +krb5_krbhst_handle handle; +char host[MAXHOSTNAMELEN]; +krb5_krbhst_init(context, "MY.REALM", KRB5_KRBHST_KDC, &handle); +while(krb5_krbhst_next_as_string(context, handle, + host, sizeof(host)) == 0) + printf("%s\\n", host); +krb5_krbhst_free(context, handle); +.Ed +.\" .Sh BUGS +.Sh HISTORY +These functions first appeared in Heimdal 0.3g. +.Sh SEE ALSO +.Xr krb5_get_krbhst 3 , +.Xr getaddrinfo 3 diff --git a/kerberosV/src/lib/krb5/krb5_principal_get_realm.3 b/kerberosV/src/lib/krb5/krb5_principal_get_realm.3 new file mode 100644 index 00000000000..b3965d26ac9 --- /dev/null +++ b/kerberosV/src/lib/krb5/krb5_principal_get_realm.3 
@@ -0,0 +1,48 @@ +.\" Copyright (c) 2001 Kungliga Tekniska Högskolan +.\" $KTH: krb5_principal_get_realm.3,v 1.1 2001/06/20 01:14:49 joda Exp $ +.Dd June 20, 2001 +.Dt KRB5_PRINCIPAL_GET_REALM 3 +.Os HEIMDAL +.Sh NAME +.Nm krb5_principal_get_realm , +.Nm krb5_principal_get_comp_string +.Nd decompose a principal +.Sh SYNOPSIS +.Fd #include <krb5.h> +.Ft "const char *" +.Fn krb5_principal_get_realm "krb5_context context" "krb5_principal principal" +.Ft "const char *" +.Fn krb5_principal_get_comp_string "krb5_context context" "krb5_principal principal" "unsigned int component" +.Sh DESCRIPTION +These functions return parts of the +.Fa principal , +either the realm or a specific component. The returned string points +to data inside the principal, so they are valid only as long as the +principal exists. +.Pp +The +.Fa component +argument to +.Fn krb5_principal_get_comp_string +is the component number to return, from zero to the total number of +components minus one. If a the requested component number is out of range, +.Dv NULL +is returned. +.Pp +These functions can be seen as a replacement for the +.Fn krb5_princ_realm , +.Fn krb5_princ_component +and related macros, described as intermal in the MIT API +specification. A difference is that these functions return strings, +not +.Dv krb5_data . +A reason to return +.Dv krb5_data +was that it was believed that principal components could contain +binary data, but this belief was unfounded, and it has been decided +that principal components are infact UTF8, so it's safe to use zero +terminated strings. +.Pp +It's generally not necessary to look at the components of a principal. +.Sh SEE ALSO +.Xr krb5_unparse_name diff --git a/kerberosV/src/lib/krb5/krb5_timeofday.3 b/kerberosV/src/lib/krb5/krb5_timeofday.3 new file mode 100644 index 00000000000..8b7777c2f8f --- /dev/null +++ b/kerberosV/src/lib/krb5/krb5_timeofday.3 
@@ -0,0 +1,23 @@ +.\" $KTH: krb5_timeofday.3,v 1.1 2001/07/02 22:32:03 joda Exp $ +.Dd July 1, 2001 +.Dt KRB5_TIMEOFDAY 3 +.Sh NAME +.Nm krb5_timeofday , +.Nm krb5_us_timeofday +.Nd whatever these functions do +.Sh SYNOPSIS +.Fd #include <krb5.h> +.Ft "krb5_error_code" +.Fn krb5_timeofday "krb5_context context" "krb5_timestamp *timeret" +.Ft "krb5_error_code" +.Fn krb5_us_timeofday "krb5_context context" "int32_t *sec" "int32_t *usec" +.Sh DESCRIPTION +.Fn krb5_timeofday +returns the current time, but adjusted with the time difference +between the local host and the KDC. +.Fn krb5_us_timeofday +also returns microseconds. +.Pp +.\".Sh EXAMPLE +.Sh SEE ALSO +.Xr gettimeofday 2 diff --git a/kerberosV/src/lib/krb5/krbhst-test.c b/kerberosV/src/lib/krb5/krbhst-test.c new file mode 100644 index 00000000000..a987e3a81f6 --- /dev/null +++ b/kerberosV/src/lib/krb5/krbhst-test.c 
@@ -0,0 +1,64 @@ +/* + * Copyright (c) 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$KTH: krbhst-test.c,v 1.2 2001/06/17 12:22:59 assar Exp $");
+
+int
+main(int argc, char **argv)
+{
+ int i, j;
+ krb5_context context;
+ int types[] = {KRB5_KRBHST_KDC, KRB5_KRBHST_ADMIN, KRB5_KRBHST_CHANGEPW,
+ KRB5_KRBHST_KRB524};
+ const char *type_str[] = {"kdc", "admin", "changepw", "krb524"};
+
+ krb5_init_context (&context);
+ for(i = 1; i < argc; i++) {
+ krb5_krbhst_handle handle;
+ char host[MAXHOSTNAMELEN];
+
+ for (j = 0; j < sizeof(types)/sizeof(*types); ++j) {
+ printf ("%s for %s:\n", type_str[j], argv[i]);
+
+ krb5_krbhst_init(context, argv[i], types[j], &handle);
+ while(krb5_krbhst_next_as_string(context, handle,
+ host, sizeof(host)) == 0)
+ printf("%s\n", host);
+ krb5_krbhst_reset(context, handle);
+ printf ("\n");
+ }
+ }
+ return 0;
+}
diff --git a/kerberosV/src/lib/krb5/mcache.c b/kerberosV/src/lib/krb5/mcache.c
index 85581204f92..5db29b4a669 100644
--- a/kerberosV/src/lib/krb5/mcache.c
+++ b/kerberosV/src/lib/krb5/mcache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$KTH: mcache.c,v 1.13 2001/05/14 06:14:49 assar Exp $");
+RCSID("$KTH: mcache.c,v 1.14 2001/06/17 23:13:02 assar Exp $");
 typedef struct krb5_mcache {
 char *name;
@@ -294,7 +294,7 @@ mcc_remove_cred(krb5_context context,
 for(q = &m->creds, p = *q; p; p = *q) {
 if(krb5_compare_creds(context, which, mcreds, &p->cred)) {
 *q = p->next;
- krb5_free_cred_contents(context, &p->cred);
+ krb5_free_creds_contents(context, &p->cred);
 free(p);
 } else
 q = &p->next;
diff --git a/kerberosV/src/lib/krb5/mk_priv.c b/kerberosV/src/lib/krb5/mk_priv.c
index b03aee74a1a..f5057f8eaf3 100644
--- a/kerberosV/src/lib/krb5/mk_priv.c
+++ b/kerberosV/src/lib/krb5/mk_priv.c
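Review bot: The handle obtained from `krb5_krbhst_init` in the inner loop of krbhst-test.c is only ever passed to `krb5_krbhst_reset`, never to `krb5_krbhst_free`, so every realm/type iteration leaks a handle together with whatever lookup state it holds; a finished iteration wants `krb5_krbhst_free(context, handle);` after the trailing `printf ("\n");` (reset is for re-iterating the same handle). The return values of `krb5_init_context` and `krb5_krbhst_init` are discarded as well, so on failure `context` and `handle` may be left indeterminate before they are dereferenced; even a test program should `errx` on them. The loop condition `j < sizeof(types)/sizeof(*types)` compares a signed `j` with `size_t`; declaring `j` as `size_t` removes the sign-compare warning.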
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: mk_priv.c,v 1.29 2001/05/14 06:14:49 assar Exp $");
+RCSID("$KTH: mk_priv.c,v 1.30 2001/06/18 02:44:54 assar Exp $");
 /*
 *
@@ -59,8 +59,6 @@ krb5_mk_priv(krb5_context context,
 int usec2;
 krb5_crypto crypto;
- /* XXX - Is this right? */
-
 if (auth_context->local_subkey)
 key = auth_context->local_subkey;
 else if (auth_context->remote_subkey)
diff --git a/kerberosV/src/lib/krb5/mk_req.c b/kerberosV/src/lib/krb5/mk_req.c
index 7546ea362bc..fff0e7c18f7 100644
--- a/kerberosV/src/lib/krb5/mk_req.c
+++ b/kerberosV/src/lib/krb5/mk_req.c
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: mk_req.c,v 1.23 2001/05/14 06:14:49 assar Exp $");
+RCSID("$KTH: mk_req.c,v 1.24 2001/06/18 20:05:52 joda Exp $");
 krb5_error_code
 krb5_mk_req_exact(krb5_context context,
@@ -69,12 +69,14 @@ krb5_mk_req_exact(krb5_context context,
 if (ret)
 return ret;
- return krb5_mk_req_extended (context,
- auth_context,
- ap_req_options,
- in_data,
- cred,
- outbuf);
+ ret = krb5_mk_req_extended (context,
+ auth_context,
+ ap_req_options,
+ in_data,
+ cred,
+ outbuf);
+ krb5_free_creds(context, cred);
+ return ret;
 }
 krb5_error_code
diff --git a/kerberosV/src/lib/krb5/mk_safe.c b/kerberosV/src/lib/krb5/mk_safe.c
index 3209e738d2a..41acdc03ed3 100644
--- a/kerberosV/src/lib/krb5/mk_safe.c
+++ b/kerberosV/src/lib/krb5/mk_safe.c
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: mk_safe.c,v 1.26 2001/05/14 06:14:50 assar Exp $");
+RCSID("$KTH: mk_safe.c,v 1.27 2001/06/18 02:45:15 assar Exp $");
 krb5_error_code
 krb5_mk_safe(krb5_context context,
@@ -53,6 +53,14 @@ krb5_mk_safe(krb5_context context,
 size_t len;
 u_int32_t tmp_seq;
 krb5_crypto crypto;
+ krb5_keyblock *key;
+
+ if (auth_context->local_subkey)
+ key = auth_context->local_subkey;
+ else if (auth_context->remote_subkey)
+ key = auth_context->remote_subkey;
+ else
+ key = auth_context->keyblock;
 s.pvno = 5;
 s.msg_type = krb_safe;
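Review bot: The key-selection block added to krb5_mk_safe (and the identical one in krb5_mk_priv, whose `/* XXX - Is this right? */` this commit deletes) still carries no explanation of why the local subkey is preferred over the remote one, which is exactly what the deleted comment was asking. A one-line comment would settle it for the next reader: `/* protect with our own subkey if we have one, then the peer's, then the session key */`, and the mirror-image order in krb5_rd_priv (remote subkey first) should point at the same rule so the two are not "fixed" independently later. krb5_mk_safe's body continues into the next hunk, where `key` is handed to `krb5_crypto_init`.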
@@ -88,7 +96,7 @@ krb5_mk_safe(krb5_context context,
 free (buf);
 return ret;
 }
- ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
+ ret = krb5_crypto_init(context, key, 0, &crypto);
 if (ret) {
 free (buf);
 return ret;
diff --git a/kerberosV/src/lib/krb5/rd_cred.c b/kerberosV/src/lib/krb5/rd_cred.c
index 40b0ec11436..f5f4e920dc5 100644
--- a/kerberosV/src/lib/krb5/rd_cred.c
+++ b/kerberosV/src/lib/krb5/rd_cred.c
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: rd_cred.c,v 1.14 2001/05/14 06:14:50 assar Exp $");
+RCSID("$KTH: rd_cred.c,v 1.15 2001/06/29 14:53:44 assar Exp $");
 krb5_error_code
 krb5_rd_cred(krb5_context context,
@@ -181,6 +181,12 @@ krb5_rd_cred(krb5_context context,
 *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1,
 sizeof(**ret_creds));
+ if (*ret_creds == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_string (context, "malloc: out of memory");
+ goto out;
+ }
+
 for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
 KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
 krb5_creds *creds;
diff --git a/kerberosV/src/lib/krb5/rd_priv.c b/kerberosV/src/lib/krb5/rd_priv.c
index 7181de5634d..0a94a1665bd 100644
--- a/kerberosV/src/lib/krb5/rd_priv.c
+++ b/kerberosV/src/lib/krb5/rd_priv.c
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: rd_priv.c,v 1.28 2001/05/14 06:14:50 assar Exp $");
+RCSID("$KTH: rd_priv.c,v 1.29 2001/06/18 02:46:15 assar Exp $");
 krb5_error_code
 krb5_rd_priv(krb5_context context,
@@ -65,12 +65,10 @@ krb5_rd_priv(krb5_context context,
 goto failure;
 }
- /* XXX - Is this right? */
-
- if (auth_context->local_subkey)
- key = auth_context->local_subkey;
- else if (auth_context->remote_subkey)
+ if (auth_context->remote_subkey)
 key = auth_context->remote_subkey;
+ else if (auth_context->local_subkey)
+ key = auth_context->local_subkey;
 else
 key = auth_context->keyblock;
diff --git a/kerberosV/src/lib/krb5/rd_rep.c b/kerberosV/src/lib/krb5/rd_rep.c
index 63fad750278..416f6b77ca6 100644
--- a/kerberosV/src/lib/krb5/rd_rep.c
+++ b/kerberosV/src/lib/krb5/rd_rep.c
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: rd_rep.c,v 1.21 2001/05/14 06:14:50 assar Exp $");
+RCSID("$KTH: rd_rep.c,v 1.22 2001/06/18 02:46:53 assar Exp $");
 krb5_error_code
 krb5_rd_rep(krb5_context context,
@@ -97,7 +97,10 @@ krb5_rd_rep(krb5_context context,
 goto out;
 }
 if ((*repl)->seq_number)
- auth_context->remote_seqnumber = *((*repl)->seq_number);
+ krb5_auth_con_setremoteseqnumber(context, auth_context,
+ *((*repl)->seq_number));
+ if ((*repl)->subkey)
+ krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
 out:
 krb5_data_free (&data);
diff --git a/kerberosV/src/lib/krb5/rd_safe.c b/kerberosV/src/lib/krb5/rd_safe.c
index 09bb607432a..e26a32a2682 100644
--- a/kerberosV/src/lib/krb5/rd_safe.c
+++ b/kerberosV/src/lib/krb5/rd_safe.c
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: rd_safe.c,v 1.24 2001/05/14 06:14:51 assar Exp $");
+RCSID("$KTH: rd_safe.c,v 1.25 2001/06/18 02:47:30 assar Exp $");
 static krb5_error_code
 verify_checksum(krb5_context context,
@@ -46,13 +46,13 @@ verify_checksum(krb5_context context,
 size_t len;
 Checksum c;
 krb5_crypto crypto;
+ krb5_keyblock *key;
 c = safe->cksum;
 safe->cksum.cksumtype = 0;
 safe->cksum.checksum.data = NULL;
 safe->cksum.checksum.length = 0;
-
 buf_size = length_KRB_SAFE(safe);
 buf = malloc(buf_size);
@@ -66,6 +66,14 @@ verify_checksum(krb5_context context,
 buf_size,
 safe,
 &len);
+
+ if (auth_context->remote_subkey)
+ key = auth_context->remote_subkey;
+ else if (auth_context->local_subkey)
+ key = auth_context->local_subkey;
+ else
+ key = auth_context->keyblock;
+
 ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
 if (ret)
 goto out;
diff --git a/kerberosV/src/lib/krb5/replay.c b/kerberosV/src/lib/krb5/replay.c
index ec953c19b28..3efe668704b 100644
--- a/kerberosV/src/lib/krb5/replay.c
+++ b/kerberosV/src/lib/krb5/replay.c
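Review bot: The return values of `krb5_auth_con_setremoteseqnumber` and `krb5_auth_con_setremotesubkey` are discarded in krb5_rd_rep; if the subkey copy fails inside the setter (an allocation failure is the obvious case), krb5_rd_rep still reports success with an auth context that lacks the negotiated subkey, and every later KRB-SAFE/KRB-PRIV exchange is then protected with a different key than the peer expects. Assigning the result and falling through to `out:` on error keeps the failure visible, e.g. `ret = krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);` followed by `if (ret) goto out;`, assuming `ret` is what the function returns after `out:`. krb5_rd_rep's body starts before this hunk, so the declaration of `ret` is not visible here.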
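Review bot: The `key` computed by the new selection block in verify_checksum (rd_safe.c) is never used: the unchanged context line immediately after it still reads `ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);`. Since krb5_mk_safe in this same commit now checksums with the subkey when one exists, a KRB-SAFE message produced by the new mk_safe will be verified against the session key by the new rd_safe whenever a subkey has been negotiated, so the two ends disagree on the key and verification fails; the line should be `ret = krb5_crypto_init(context, key, 0, &crypto);`, mirroring the mk_safe hunk. Until that is fixed the added block is dead code that a compiler with -Wunused may not even flag, because `key` is assigned.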
@@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <vis.h> -RCSID("$KTH: replay.c,v 1.8 2001/05/14 06:14:51 assar Exp $"); +RCSID("$KTH: replay.c,v 1.9 2001/07/03 19:33:13 assar Exp $"); struct krb5_rcache_data { char *name; @@ -285,7 +285,7 @@ krb5_get_server_rcache(krb5_context context, } strvisx(tmp, piece->data, piece->length, VIS_WHITE | VIS_OCTAL); #ifdef HAVE_GETEUID - asprintf(&name, "FILE:rc_%s_%u", tmp, geteuid()); + asprintf(&name, "FILE:rc_%s_%u", tmp, (unsigned)geteuid()); #else asprintf(&name, "FILE:rc_%s", tmp); #endif diff --git a/kerberosV/src/lib/krb5/send_to_kdc.c b/kerberosV/src/lib/krb5/send_to_kdc.c index 4571299e80a..1c6627634b8 100644 --- a/kerberosV/src/lib/krb5/send_to_kdc.c +++ b/kerberosV/src/lib/krb5/send_to_kdc.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: send_to_kdc.c,v 1.44 2001/05/14 22:49:56 assar Exp $"); +RCSID("$KTH: send_to_kdc.c,v 1.47 2001/07/03 19:35:46 assar Exp $"); /* * send the data in `req' on the socket `fd' (which is datagram iff udp) @@ -237,7 +237,7 @@ init_port(const char *s, int fallback) static int send_via_proxy (krb5_context context, - const char *hostname, + const krb5_krbhst_info *hi, const krb5_data *send, krb5_data *receive) { @@ -248,7 +248,7 @@ send_via_proxy (krb5_context context, struct addrinfo hints; struct addrinfo *ai, *a; int ret; - int s; + int s = -1; char portstr[NI_MAXSERV]; if (proxy == NULL) @@ -285,7 +285,7 @@ send_via_proxy (krb5_context context, } freeaddrinfo (ai); - asprintf(&prefix, "http://%s/", hostname); + asprintf(&prefix, "http://%s/", hi->hostname); if(prefix == NULL) { close(s); return 1; 
@@ -300,66 +300,38 @@ send_via_proxy (krb5_context context, } /* - * Send the data `send' to one hots in `hostlist' and get back the reply + * Send the data `send' to one host from `handle` and get back the reply * in `receive'. */ krb5_error_code krb5_sendto (krb5_context context, const krb5_data *send, - char **hostlist, - int port, + krb5_krbhst_handle handle, krb5_data *receive) { krb5_error_code ret = 0; - char **hp, *p; int fd; int i; for (i = 0; i < context->max_retries; ++i) { - for (hp = hostlist; (p = *hp); ++hp) { - char *colon; - int http_flag = 0; - int tcp_flag = 0; + krb5_krbhst_info *hi; + + while (krb5_krbhst_next(context, handle, &hi) == 0) { + int ret; struct addrinfo *ai, *a; - struct addrinfo hints; - char portstr[NI_MAXSERV]; - - if(strncmp(p, "http://", 7) == 0){ - p += 7; - http_flag = 1; - port = htons(80); - } else if(strncmp(p, "http/", 5) == 0) { - p += 5; - http_flag = 1; - port = htons(80); - }else if(strncmp(p, "tcp/", 4) == 0){ - p += 4; - tcp_flag = 1; - } else if(strncmp(p, "udp/", 4) == 0) { - p += 4; - } - if(http_flag && context->http_proxy) { - if (send_via_proxy (context, p, send, receive)) + + if(hi->proto == KRB5_KRBHST_HTTP && context->http_proxy) { + if (send_via_proxy (context, hi, send, receive)) continue; else goto out; } - colon = strchr (p, ':'); - if (colon) - *colon++ = '\0'; - - memset (&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - if (tcp_flag || http_flag) - hints.ai_socktype = SOCK_STREAM; - else - hints.ai_socktype = SOCK_DGRAM; - snprintf (portstr, sizeof(portstr), "%d", - ntohs(init_port (colon, port))); - ret = getaddrinfo (p, portstr, &hints, &ai); + + ret = krb5_krbhst_get_addrinfo(context, hi, &ai); if (ret) continue; + for (a = ai; a != NULL; a = a->ai_next) { fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol); if (fd < 0) 
@@ -368,23 +340,26 @@ krb5_sendto (krb5_context context, close (fd); continue; } - if(http_flag) + switch (hi->proto) { + case KRB5_KRBHST_HTTP : ret = send_and_recv_http(fd, context->kdc_timeout, "", send, receive); - else if(tcp_flag) + break; + case KRB5_KRBHST_TCP : ret = send_and_recv_tcp (fd, context->kdc_timeout, send, receive); - else + break; + case KRB5_KRBHST_UDP : ret = send_and_recv_udp (fd, context->kdc_timeout, send, receive); + break; + } close (fd); - if(ret == 0 && receive->length != 0) { - freeaddrinfo(ai); + if(ret == 0 && receive->length != 0) goto out; - } } - freeaddrinfo(ai); } + krb5_krbhst_reset(context, handle); } krb5_clear_error_string (context); ret = KRB5_KDC_UNREACH; @@ -400,19 +375,20 @@ krb5_sendto_kdc2(krb5_context context, krb5_boolean master) { krb5_error_code ret; - char **hostlist; - int port; - - port = krb5_getportbyname (context, "kerberos", "udp", 88); - + krb5_krbhst_handle handle; + int type; + if (master || context->use_admin_kdc) - ret = krb5_get_krb_admin_hst (context, realm, &hostlist); + type = KRB5_KRBHST_ADMIN; else - ret = krb5_get_krbhst (context, realm, &hostlist); + type = KRB5_KRBHST_KDC; + + ret = krb5_krbhst_init(context, *realm, type, &handle); if (ret) return ret; - ret = krb5_sendto(context, send, hostlist, port, receive); - krb5_free_krbhst (context, hostlist); + + ret = krb5_sendto(context, send, handle, receive); + krb5_krbhst_free(context, handle); if (ret == KRB5_KDC_UNREACH) krb5_set_error_string(context, "unable to reach any KDC in realm %s", *realm); diff --git a/kerberosV/src/lib/krb5/sock_principal.c b/kerberosV/src/lib/krb5/sock_principal.c index e94fd483411..d66617db319 100644 --- a/kerberosV/src/lib/krb5/sock_principal.c +++ b/kerberosV/src/lib/krb5/sock_principal.c 
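Review bot: The `int ret;` declared inside the new `while (krb5_krbhst_next(context, handle, &hi) == 0)` loop of krb5_sendto shadows the function's `krb5_error_code ret`, so the status of `krb5_krbhst_get_addrinfo` and `send_and_recv_*` never reaches the outer variable; the `goto out` paths only behave because the outer `ret` still holds its `= 0` initializer, a coupling that is invisible to the next reader. Dropping the inner declaration and using the outer `ret` removes the hazard. The new `switch (hi->proto)` has no `default:`, so an unexpected proto value leaves `ret` at the 0 returned by `krb5_krbhst_get_addrinfo` and the following `if(ret == 0 && receive->length != 0)` then depends on whatever the previous attempt left in `receive`; `default: ret = KRB5_KDC_UNREACH; break;` makes that explicit. The `freeaddrinfo(ai)` calls are gone, which is only correct if the list is now owned and released through the krbhst handle (its `ai` member in the new man page suggests so, but it is not visible here); the `out:` label and the rest of krb5_sendto lie outside this hunk.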
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$KTH: sock_principal.c,v 1.13 2001/05/14 06:14:51 assar Exp $");
+RCSID("$KTH: sock_principal.c,v 1.16 2001/07/26 09:05:30 assar Exp $");
 krb5_error_code
 krb5_sock_to_principal (krb5_context context,
@@ -43,48 +43,28 @@ krb5_sock_to_principal (krb5_context context,
 krb5_principal *ret_princ)
 {
 krb5_error_code ret;
- krb5_address address;
 struct sockaddr_storage __ss;
 struct sockaddr *sa = (struct sockaddr *)&__ss;
- socklen_t len = sizeof(__ss);
- struct hostent *hostent;
- int family;
- char *hname = NULL;
+ socklen_t salen = sizeof(__ss);
+ char hostname[NI_MAXHOST];
- if (getsockname (sock, sa, &len) < 0) {
+ if (getsockname (sock, sa, &salen) < 0) {
 ret = errno;
 krb5_set_error_string (context, "getsockname: %s", strerror(ret));
 return ret;
 }
- family = sa->sa_family;
-
- ret = krb5_sockaddr2address (context, sa, &address);
- if (ret)
- return ret;
-
- hostent = roken_gethostbyaddr (address.address.data,
- address.address.length,
- family);
-
- if (hostent == NULL) {
- krb5_set_error_string (context, "gethostbyaddr: %s",
- hstrerror(h_errno));
- return krb5_h_errno_to_heim_errno(h_errno);
- }
- hname = hostent->h_name;
- if (strchr(hname, '.') == NULL) {
- char **a;
+ ret = getnameinfo (sa, salen, hostname, sizeof(hostname), NULL, 0, 0);
+ if (ret) {
+ int save_errno = errno;
- for (a = hostent->h_aliases; a != NULL && *a != NULL; ++a)
- if (strchr(*a, '.') != NULL) {
- hname = *a;
- break;
- }
+ krb5_set_error_string (context, "getnameinfo: %s", gai_strerror(ret));
+ return krb5_eai_to_heim_errno(ret, save_errno);
 }
- return krb5_sname_to_principal (context,
- hname,
- sname,
- type,
- ret_princ);
+ ret = krb5_sname_to_principal (context,
+ hostname,
+ sname,
+ type,
+ ret_princ);
+ return ret;
 }
diff --git a/kerberosV/src/lib/krb5/store_fd.c b/kerberosV/src/lib/krb5/store_fd.c
index 521d2cb792a..52b934ec660 100644
--- a/kerberosV/src/lib/krb5/store_fd.c
+++ b/kerberosV/src/lib/krb5/store_fd.c
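Review bot: The name that goes into the service principal now comes straight from `getnameinfo` with flags 0, i.e. a reverse lookup of the socket's local address that nothing in this function authenticates; the old gethostbyaddr path had the same trust problem, but it also scanned `h_aliases` for a fully-qualified name, and that fallback is dropped here without a word, so a PTR record carrying a short name can now yield a short-name principal. A comment at the call would make the assumption explicit: `/* reverse lookup of our own address; the result is only as trustworthy as DNS, and is used unqualified if that is all the PTR record gives */`. The `save_errno` captured after `getnameinfo` returns is only meaningful when `ret` is EAI_SYSTEM, which is presumably what `krb5_eai_to_heim_errno` distinguishes; a short comment saying so would save the next reader the lookup. The closing `ret = krb5_sname_to_principal (...); return ret;` can simply `return` the call, as the removed code did.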
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$KTH: store_fd.c,v 1.8 2001/01/29 02:32:35 assar Exp $");
+RCSID("$KTH: store_fd.c,v 1.9 2001/06/24 05:39:51 assar Exp $");
 typedef struct fd_storage{
 int fd;
@@ -63,7 +63,15 @@ krb5_storage *
 krb5_storage_from_fd(int fd)
 {
 krb5_storage *sp = malloc(sizeof(krb5_storage));
+
+ if (sp == NULL)
+ return NULL;
+
 sp->data = malloc(sizeof(fd_storage));
+ if (sp->data == NULL) {
+ free(sp);
+ return NULL;
+ }
 sp->flags = 0;
 FD(sp) = fd;
 sp->fetch = fd_fetch;
diff --git a/kerberosV/src/lib/krb5/write_message.c b/kerberosV/src/lib/krb5/write_message.c
index 06c458ce085..809a84d0326 100644
--- a/kerberosV/src/lib/krb5/write_message.c
+++ b/kerberosV/src/lib/krb5/write_message.c
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$KTH: write_message.c,v 1.7 2001/05/14 06:14:52 assar Exp $");
+RCSID("$KTH: write_message.c,v 1.8 2001/07/02 18:43:06 joda Exp $");
 krb5_error_code
 krb5_write_message (krb5_context context,
@@ -75,7 +75,6 @@ krb5_write_priv_message(krb5_context context,
 krb5_error_code
 krb5_write_safe_message(krb5_context context,
 krb5_auth_context ac,
- krb5_boolean priv,
 krb5_pointer p_fd,
 krb5_data *data)
 {
diff --git a/kerberosV/src/lib/roken/ChangeLog b/kerberosV/src/lib/roken/ChangeLog
index cbc73933f27..99c45168af7 100644
--- a/kerberosV/src/lib/roken/ChangeLog
+++ b/kerberosV/src/lib/roken/ChangeLog
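Review bot: Dropping the `krb5_boolean priv` parameter from the exported `krb5_write_safe_message` is a source- and binary-incompatible change to a public libkrb5 entry point: any caller compiled against the old prototype passes one argument too many and must be rebuilt, and under libtool's versioning rules an interface removal calls for incrementing the current version and resetting age, not a revision-only bump. The commit carries no note naming the dropped argument; a one-line comment on the declaration (or its header counterpart, not visible here) such as `/* 0.4e: the unused priv argument was removed; callers must be recompiled */` would help anyone chasing the link-time breakage. The function's body starts after this hunk.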
@@ -1,5 +1,167 @@ +2001-09-03 Johan Danielsson <joda@pdc.kth.se> + + * socket.c: restrict is a keyword + +2001-09-03 Assar Westerlund <assar@sics.se> + + * Makefile.am (EXTRA_libroken_la_SOURCES): add vis.hin to help + solaris make + +2001-08-30 Johan Danielsson <joda@pdc.kth.se> + + * Makefile.am: use LDADD directly + +2001-08-28 Assar Westerlund <assar@sics.se> + + * Makefile.am (libroken_la_LDFLAGS): set to 14:3:5 + + * issuid.c (issuid): call issetugid if it exists + +2001-08-24 Assar Westerlund <assar@sics.se> + + * Makefile.am: make it play better with recent automake + +2001-08-21 Assar Westerlund <assar@sics.se> + + * glob.c: provide a fallback for ARG_MAX. from <tol@stacken.kth.se> + + * roken.h.in: remove all winsock.h + for now, it does more harm than good under cygwin and if it should be + used, the correct conditional needs to be found + from <tol@stacken.kth.se> + +2001-08-17 Johan Danielsson <joda@pdc.kth.se> + + * getaddrinfo.c: include a definition of in6addr_loopback if it + doesn't exist + +2001-08-10 Assar Westerlund <assar@sics.se> + + * Makefile.am (libroken_la_LDFLAGS): update to 14:2:5 + +2001-08-08 Assar Westerlund <assar@sics.se> + + * hstrerror.c: move h_errno to its own file (h_errno.c) + +2001-08-04 Assar Westerlund <assar@sics.se> + + * Makefile.am: add getarg.3 + +2001-08-01 Assar Westerlund <assar@sics.se> + + * mini_inetd.c (mini_inetd): explicitly use PF_UNSPEC. be more + resilient to bind/listen failing. 
+ +2001-07-31 Assar Westerlund <assar@sics.se> + + * getifaddrs.c (getifaddrs2): remove unused variables + +2001-07-31 Assar Westerlund <assar@sics.se> + + * Makefile.am (libroken_la_LDFLAGS): update version to 14:1:5 + +2001-07-23 Assar Westerlund <assar@sics.se> + + * getarg.c (arg_match_long): fix parsing of arg_counter optional + argument + +2001-07-19 Assar Westerlund <assar@sics.se> + + * Makefile.am (libroken_la_LDFLAGS): bump version to 14:0:5 + +2001-07-17 Assar Westerlund <assar@sics.se> + + * snprintf-test.h: add a file with renaming of the snprintf + functions, to be used for running the tests + +2001-07-11 Assar Westerlund <assar@sics.se> + + * snprintf-test.c: add more %X tests, and long and conditional + long long tests + * snprintf.c: add support for printing long long (if available) + +2001-07-10 Assar Westerlund <assar@sics.se> + + * getaddrinfo.c (add_hostent): adapt to const hostent_find_fqdn + * hostent_find_fqdn.c (hostent_find_fqdn): const-ize + +2001-07-09 Assar Westerlund <assar@sics.se> + + * roken-common.h (hostent_find_fqdn): add + * hostent_find_fqdn.c: separate out hostent_find_fqdn + + * warnerr.c: move out getprogname, setprogname + +2001-07-03 Assar Westerlund <assar@sics.se> + + * warnerr.c (setprogname): add const cast + * vis.c (SVIS): add some (unsigned char) before calling isfoo* + * Makefile.am (libroken_la_LDFLAGS:) set version to 13:0:4 + + * Makefile.am: add snprintf_test + * snprintf.c: rewrite so that it does not stop as soon as there + are no more characters to print, we need to figure out how long + the string would have to be. 
this also fixes snprintf(NULL, 0 + +2001-06-21 Assar Westerlund <assar@sics.se> + + * simple_exec.c (pipe_execv): remove unused variable + +2001-06-20 Johan Danielsson <joda@pdc.kth.se> + + * getdtablesize.c: fix typo in obviously never used sysctl case + + * simple_exec.c: rename check_status to wait_for_process, and + export it; function pipe_execv similar to popen, but with more + control over input and output + + * roken-common.h: prototypes for wait_for_process and pipe_execv + +2001-06-17 Assar Westerlund <assar@sics.se> + + * roken-common.h: move emalloc et al to roken.h.in + * Makefile.am: make emalloc,ecalloc,erealloc,estrdup conditional + * emalloc.c, erealloc.c, estrup.c: use errx, since errno might not + be set reliably + * ecalloc.c: add for symmetry + +2001-06-09 Johan Danielsson <joda@pdc.kth.se> + + * resolve.c: dns_srv_order to order srv records + +2001-06-08 Johan Danielsson <joda@pdc.kth.se> + + * getarg.c: Grog tries to figure out if to use mdoc.old instead of + mdoc by looking at some macros that were only present in the old + version, and by looking at the number of .Oo's present. In + mdoc.old .Oo was a toggle, but in mdoc it's closed by .Oc, so if + the number of .Oo's is bigger than the number of .Oc's, it figures + it must be mdoc.old. This doesn't however account for called Oc's, + and thus grog thinks that valid pages are mdoc.old when they + infact are mdoc. So let's make sure that Oc's are not called by + other macros. 
+ +2001-05-29 Assar Westerlund <assar@sics.se> + + * base64-test.c (main): initialize numerr + +2001-05-28 Johan Danielsson <joda@pdc.kth.se> + + * base64.c: clean up the decode mess somewhat + + * base64-test.c: base64 tests + +2001-05-18 Johan Danielsson <joda@pdc.kth.se> + + * roken.h.in: just use standard C types with bswap* + + * bswap.c: just use standard C types + 2001-05-17 Assar Westerlund <assar@sics.se> + * roken.h.in: include all the headers that AC_GROK_TYPES tries for + finding u_int17_t et al + * Makefile.am: bump version to 12:0:3 * roken.h.in: re-add set_progname and get_progname for backwards compatability diff --git a/kerberosV/src/lib/roken/base64-test.c b/kerberosV/src/lib/roken/base64-test.c new file mode 100644 index 00000000000..00e4c9e0453 --- /dev/null +++ b/kerberosV/src/lib/roken/base64-test.c 
@@ -0,0 +1,99 @@ +/* + * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$KTH: base64-test.c,v 1.2 2001/05/29 13:12:21 assar Exp $");
+#endif
+
+#include <roken.h>
+#include <base64.h>
+
+int
+main(int argc, char **argv)
+{
+ int numerr = 0;
+ int numtest = 1;
+ struct test {
+ void *data;
+ size_t len;
+ const char *result;
+ } *t, tests[] = {
+ { "", 0 , "" },
+ { "1", 1, "MQ==" },
+ { "22", 2, "MjI=" },
+ { "333", 3, "MzMz" },
+ { "4444", 4, "NDQ0NA==" },
+ { "55555", 5, "NTU1NTU=" },
+ { "abc:def", 7, "YWJjOmRlZg==" },
+ { NULL }
+ };
+ for(t = tests; t->data; t++) {
+ char *str;
+ int len;
+ len = base64_encode(t->data, t->len, &str);
+ if(strcmp(str, t->result) != 0) {
+ fprintf(stderr, "failed test %d: %s != %s\n", numtest,
+ str, t->result);
+ numerr++;
+ }
+ free(str);
+ str = strdup(t->result);
+ len = base64_decode(t->result, str);
+ if(len != t->len) {
+ fprintf(stderr, "failed test %d: len %d != %d\n", numtest,
+ len, t->len);
+ numerr++;
+ } else if(memcmp(str, t->data, t->len) != 0) {
+ fprintf(stderr, "failed test %d: data\n", numtest);
+ numerr++;
+ }
+ free(str);
+ numtest++;
+ }
+
+ {
+ char str[32];
+ if(base64_decode("M=M=", str) != -1) {
+ fprintf(stderr, "failed test %d: successful decode of `M=M='\n",
+ numtest++);
+ numerr++;
+ }
+ if(base64_decode("MQ===", str) != -1) {
+ fprintf(stderr, "failed test %d: successful decode of `MQ==='\n",
+ numtest++);
+ numerr++;
+ }
+ }
+ return numerr;
+}
diff --git a/kerberosV/src/lib/roken/base64.c b/kerberosV/src/lib/roken/base64.c
index 0cb9c159508..b6bfbd5b98c 100644
--- a/kerberosV/src/lib/roken/base64.c
+++ b/kerberosV/src/lib/roken/base64.c
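Review bot: The value `base64_encode` returns is stored in `len` but never inspected, so on allocation failure (the encoder returns -1 without assigning `*str`) the following `strcmp(str, t->result)` reads an indeterminate pointer, and the `strdup(t->result)` result is likewise passed to `base64_decode` unchecked. A guard after the encode call, `if (len < 0) { fprintf(stderr, "failed test %d: encode failed\n", numtest); numerr++; numtest++; continue; }`, plus an equivalent NULL check after `strdup`, keeps the test meaningful on that path instead of crashing. Separately, `t->len` is a `size_t` but is printed with `%d` in the length-mismatch message and compared with the `int` `len`; printing it as `(unsigned long)t->len` with `%lu` (and comparing after the sign check) removes the format mismatch.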
@@ -1,23 +1,23 @@ /* - * Copyright (c) 1995 - 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1995-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. - * + * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * + * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -33,114 +33,104 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: base64.c,v 1.4 1999/12/02 16:58:45 joda Exp $"); +RCSID("$KTH: base64.c,v 1.5 2001/05/28 17:33:41 joda Exp $"); #endif #include <stdlib.h> #include <string.h> #include "base64.h" -static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static char base64_chars[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; -static int pos(char c) +static int +pos(char c) { - char *p; - for(p = base64; *p; p++) - if(*p == c) - return p - base64; - return -1; + char *p; + for (p = base64_chars; *p; p++) + if (*p == c) + return p - base64_chars; + return -1; } -int base64_encode(const void *data, int size, char **str) +int +base64_encode(const void *data, int size, char **str) { - char *s, *p; - int i; - int c; - const unsigned char *q; + char *s, *p; + int i; + int c; + const unsigned char *q; - p = s = (char*)malloc(size*4/3+4); - if (p == NULL) - return -1; - q = (const unsigned char*)data; - i=0; - for(i = 0; i < size;){ - c=q[i++]; - c*=256; - if(i < size) - c+=q[i]; - i++; - c*=256; - if(i < size) - c+=q[i]; - i++; - p[0]=base64[(c&0x00fc0000) >> 18]; - p[1]=base64[(c&0x0003f000) >> 12]; - p[2]=base64[(c&0x00000fc0) >> 6]; - p[3]=base64[(c&0x0000003f) >> 0]; - if(i > size) - p[3]='='; - if(i > size+1) - p[2]='='; - p+=4; - } - *p=0; - *str = s; - return strlen(s); + p = s = (char *) malloc(size * 4 / 3 + 4); + if (p == NULL) + return -1; + q = (const unsigned char *) data; + i = 0; + for (i = 0; i < size;) { + c = q[i++]; + c *= 256; + if (i < size) + c += q[i]; + i++; + c *= 256; + if (i < size) + c += q[i]; + i++; + p[0] = base64_chars[(c & 0x00fc0000) >> 18]; + p[1] = base64_chars[(c & 0x0003f000) >> 12]; + p[2] = base64_chars[(c & 0x00000fc0) >> 6]; + p[3] = base64_chars[(c & 0x0000003f) >> 0]; + if (i > size) + p[3] = '='; + if (i > size + 1) + p[2] = '='; + p += 4; + } + *p = 0; + *str = s; + return strlen(s); } -int 
base64_decode(const char *str, void *data) +#define DECODE_ERROR 0xffffffff + +static unsigned int +token_decode(const char *token) { - const char *p; - unsigned char *q; - int c; - int x; - int done = 0; - q=(unsigned char*)data; - for(p=str; *p && !done; p+=4){ - x = pos(p[0]); - if(x >= 0) - c = x; - else{ - done = 3; - break; + int i; + unsigned int val = 0; + int marker = 0; + if (strlen(token) < 4) + return DECODE_ERROR; + for (i = 0; i < 4; i++) { + val *= 64; + if (token[i] == '=') + marker++; + else if (marker > 0) + return DECODE_ERROR; + else + val += pos(token[i]); } - c*=64; - - x = pos(p[1]); - if(x >= 0) - c += x; - else - return -1; - c*=64; - - if(p[2] == '=') - done++; - else{ - x = pos(p[2]); - if(x >= 0) - c += x; - else - return -1; - } - c*=64; - - if(p[3] == '=') - done++; - else{ - if(done) - return -1; - x = pos(p[3]); - if(x >= 0) - c += x; - else - return -1; + if (marker > 2) + return DECODE_ERROR; + return (marker << 24) | val; +} + +int +base64_decode(const char *str, void *data) +{ + const char *p; + unsigned char *q; + + q = data; + for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) { + unsigned int val = token_decode(p); + unsigned int marker = (val >> 24) & 0xff; + if (val == DECODE_ERROR) + return -1; + *q++ = (val >> 16) & 0xff; + if (marker < 2) + *q++ = (val >> 8) & 0xff; + if (marker < 1) + *q++ = val & 0xff; } - if(done < 3) - *q++=(c&0x00ff0000)>>16; - - if(done < 2) - *q++=(c&0x0000ff00)>>8; - if(done < 1) - *q++=(c&0x000000ff)>>0; - } - return q - (unsigned char*)data; + return q - (unsigned char *) data; } diff --git a/kerberosV/src/lib/roken/compile b/kerberosV/src/lib/roken/compile new file mode 100644 index 00000000000..d4a34aa0ef9 --- /dev/null +++ b/kerberosV/src/lib/roken/compile 
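Review bot: In `token_decode`, `val += pos(token[i])` ignores the -1 that `pos` returns for a character outside the alphabet; the unsigned addition wraps and the quartet is accepted, so an input such as `M!==` decodes to garbage rather than failing. The loop in `base64_decode` only validates the first byte of each quartet (`strchr(base64_chars, *p)`), so bytes two to four get no check at all. Replacing the last branch with `else { int x = pos(token[i]); if (x < 0) return DECODE_ERROR; val += x; }` closes that gap and is what the new `M=M=`/`MQ===` tests in base64-test.c seem to expect from the decoder. It would also help to state in a comment above `base64_decode` that `data` has no length parameter and must hold at least 3*strlen(str)/4 bytes, since that contract is the caller's only protection against an overrun; calling `strlen(token)` for every quartet is also quadratic in the input length and could be a single length check before the loop.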
@@ -0,0 +1,82 @@ +#! /bin/sh + +# Wrapper for compilers which do not understand `-c -o'. + +# Copyright 1999, 2000 Free Software Foundation, Inc. +# Written by Tom Tromey <tromey@cygnus.com>. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +# Usage: +# compile PROGRAM [ARGS]... +# `-o FOO.o' is removed from the args passed to the actual compile. + +prog=$1 +shift + +ofile= +cfile= +args= +while test $# -gt 0; do + case "$1" in + -o) + ofile=$2 + shift + ;; + *.c) + cfile=$1 + args="$args $1" + ;; + *) + args="$args $1" + ;; + esac + shift +done + +test -z "$ofile" && { + echo "compile: no \`-o' option seen" 1>&2 + exit 1 +} + +test -z "$cfile" && { + echo "compile: no \`.c' file seen" 1>&2 + exit 1 +} + +# Name of file we expect compiler to create. +cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'` + +# Create the lock directory. +lockdir=`echo $ofile | sed -e 's|/|_|g'` +while true; do + if mkdir $lockdir > /dev/null 2>&1; then + break + fi + sleep 1 +done +# FIXME: race condition here if user kills between mkdir and trap. +trap "rmdir $lockdir; exit 1" 1 2 15 + +# Run the compile. +"$prog" $args +status=$? + +if test -f "$cofile"; then + mv "$cofile" "$ofile" +fi + +rmdir $lockdir +exit $status 
diff --git a/kerberosV/src/lib/roken/ecalloc.c b/kerberosV/src/lib/roken/ecalloc.c
new file mode 100644
index 00000000000..a03b8bd3edb
--- /dev/null
+++ b/kerberosV/src/lib/roken/ecalloc.c
@@ -0,0 +1,56 @@ +/* + * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +RCSID("$KTH: ecalloc.c,v 1.1 2001/06/17 12:09:37 assar Exp $"); +#endif + +#include <stdlib.h> +#include <err.h> + +#include <roken.h> + +/* + * Like calloc but never fails. 
+ */ + +void * +ecalloc (size_t number, size_t size) +{ + void *tmp = calloc (number, size); + + if (tmp == NULL && number * size != 0) + errx (1, "calloc %lu failed", (unsigned long)number * size); + return tmp; +} diff --git a/kerberosV/src/lib/roken/emalloc.c b/kerberosV/src/lib/roken/emalloc.c index b9d3c8fe5aa..7a45cfc809c 100644 --- a/kerberosV/src/lib/roken/emalloc.c +++ b/kerberosV/src/lib/roken/emalloc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: emalloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $"); +RCSID("$KTH: emalloc.c,v 1.5 2001/06/17 12:07:48 assar Exp $"); #endif #include <stdlib.h> @@ -51,6 +51,6 @@ emalloc (size_t sz) void *tmp = malloc (sz); if (tmp == NULL && sz != 0) - err (1, "malloc %lu", (unsigned long)sz); + errx (1, "malloc %lu failed", (unsigned long)sz); return tmp; } diff --git a/kerberosV/src/lib/roken/erealloc.c b/kerberosV/src/lib/roken/erealloc.c index 30542425a6e..fc3e0ae33cb 100644 --- a/kerberosV/src/lib/roken/erealloc.c +++ b/kerberosV/src/lib/roken/erealloc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: erealloc.c,v 1.4 1999/12/02 16:58:45 joda Exp $"); +RCSID("$KTH: erealloc.c,v 1.5 2001/06/17 12:08:05 assar Exp $"); #endif #include <stdlib.h> @@ -51,6 +51,6 @@ erealloc (void *ptr, size_t sz) void *tmp = realloc (ptr, sz); if (tmp == NULL && sz != 0) - err (1, "realloc %lu", (unsigned long)sz); + errx (1, "realloc %lu failed", (unsigned long)sz); return tmp; } 
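Review bot: `number * size` in the failure test and in the `errx` message can wrap when the product overflows `size_t`; `calloc` detects that overflow and returns NULL, but if the wrapped product happens to be 0 `ecalloc` then returns NULL instead of aborting, and otherwise the message reports the wrapped value. Testing the factors separately avoids both: `if (tmp == NULL && number != 0 && size != 0)` together with `errx (1, "calloc %lu * %lu failed", (unsigned long)number, (unsigned long)size);`. Note also that in the current message the cast binds only to `number` (`(unsigned long)number * size`), so the multiplication happens in `unsigned long`, which differs from `size_t` on targets where the two types are not the same width.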
diff --git a/kerberosV/src/lib/roken/estrdup.c b/kerberosV/src/lib/roken/estrdup.c index 271772eac0f..1b1d85aabce 100644 --- a/kerberosV/src/lib/roken/estrdup.c +++ b/kerberosV/src/lib/roken/estrdup.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: estrdup.c,v 1.2 1999/12/02 16:58:45 joda Exp $"); +RCSID("$KTH: estrdup.c,v 1.3 2001/06/17 12:07:56 assar Exp $"); #endif #include <stdlib.h> @@ -51,6 +51,6 @@ estrdup (const char *str) char *tmp = strdup (str); if (tmp == NULL) - err (1, "strdup"); + errx (1, "strdup failed"); return tmp; } diff --git a/kerberosV/src/lib/roken/getaddrinfo.c b/kerberosV/src/lib/roken/getaddrinfo.c index c130148127f..1b7e97deb52 100644 --- a/kerberosV/src/lib/roken/getaddrinfo.c +++ b/kerberosV/src/lib/roken/getaddrinfo.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getaddrinfo.c,v 1.9 2000/07/24 02:34:20 assar Exp $"); +RCSID("$KTH: getaddrinfo.c,v 1.12 2001/08/17 13:06:57 joda Exp $"); #endif #include "roken.h" @@ -172,6 +172,13 @@ const_v6 (struct addrinfo *a, void *data, int port) } #endif +/* this is mostly a hack for some versions of AIX that has a prototype + for in6addr_loopback but no actual symbol in libc */ +#if defined(HAVE_IPV6) && !defined(HAVE_IN6ADDR_LOOPBACK) && defined(IN6ADDR_LOOPBACK_INIT) +#define in6addr_loopback _roken_in6addr_loopback +struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT; +#endif + static int get_null (const struct addrinfo *hints, int port, int protocol, int socktype, 
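Review bot: In the getaddrinfo.c hunk `@@ -172,6 +172,13 @@`, the fallback `struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;` is defined with external linkage under the name the `#define` rewrites it to, `_roken_in6addr_loopback`, which begins with an underscore at file scope and is therefore reserved for the implementation. As far as the hunk shows it is only referenced from this translation unit, because the macro rename does not reach other files; `static struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;` keeps the workaround local and avoids exporting a reserved-name symbol. If another file is meant to pick the symbol up, that should be said in the comment above it.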
@@ -215,26 +222,6 @@ get_null (const struct addrinfo *hints, return 0; } -/* - * Try to find a fqdn (with `.') in he if possible, else return h_name - */ - -static char * -find_fqdn (const struct hostent *he) -{ - char *ret = he->h_name; - char **h; - - if (strchr (ret, '.') == NULL) - for (h = he->h_aliases; *h; ++h) { - if (strchr (*h, '.') != NULL) { - ret = *h; - break; - } - } - return ret; -} - static int add_hostent (int port, int protocol, int socktype, struct addrinfo ***current, @@ -247,22 +234,23 @@ add_hostent (int port, int protocol, int socktype, if (*flags & AI_CANONNAME) { struct hostent *he2 = NULL; + const char *tmp_canon; - canonname = find_fqdn (he); - if (strchr (canonname, '.') == NULL) { + tmp_canon = hostent_find_fqdn (he); + if (strchr (tmp_canon, '.') == NULL) { int error; he2 = getipnodebyaddr (he->h_addr_list[0], he->h_length, he->h_addrtype, &error); if (he2 != NULL) { - char *tmp = find_fqdn (he2); + const char *tmp = hostent_find_fqdn (he2); if (strchr (tmp, '.') != NULL) - canonname = tmp; + tmp_canon = tmp; } } - canonname = strdup (canonname); + canonname = strdup (tmp_canon); if (he2 != NULL) freehostent (he2); if (canonname == NULL) diff --git a/kerberosV/src/lib/roken/getdtablesize.c b/kerberosV/src/lib/roken/getdtablesize.c index 64eb57e4aaf..4665b84a2f4 100644 --- a/kerberosV/src/lib/roken/getdtablesize.c +++ b/kerberosV/src/lib/roken/getdtablesize.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * Copyright (c) 1995-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getdtablesize.c,v 1.10 1999/12/02 16:58:46 joda Exp $"); +RCSID("$KTH: getdtablesize.c,v 1.11 2001/06/20 00:00:38 joda Exp $"); #endif #include "roken.h" 
@@ -82,7 +82,7 @@ int getdtablesize(void) mib[0] = CTL_KERN; mib[1] = KERN_MAXFILES; len = sizeof(files); - sysctl(&mib, 2, &files, sizeof(nfil), NULL, 0); + sysctl(&mib, 2, &files, sizeof(files), NULL, 0); #endif /* defined(HAVE_SYSCTL) */ #endif /* !definded(HAVE_GETRLIMIT) */ #endif /* !defined(HAVE_SYSCONF) */ diff --git a/kerberosV/src/lib/roken/getifaddrs.c b/kerberosV/src/lib/roken/getifaddrs.c index 5afa4d8e5be..2e547393f36 100644 --- a/kerberosV/src/lib/roken/getifaddrs.c +++ b/kerberosV/src/lib/roken/getifaddrs.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getifaddrs.c,v 1.5 2001/04/17 08:27:47 joda Exp $"); +RCSID("$KTH: getifaddrs.c,v 1.6 2001/07/31 01:15:41 assar Exp $"); #endif #include "roken.h" @@ -66,7 +66,6 @@ getifaddrs2(struct ifaddrs **ifap, size_t buf_size; char *buf; struct ifconf ifconf; - int num, j = 0; char *p; size_t sz; struct sockaddr sa_zero; @@ -109,8 +108,6 @@ getifaddrs2(struct ifaddrs **ifap, buf_size *= 2; } - num = ifconf.ifc_len / ifreq_sz; - j = 0; for (p = ifconf.ifc_buf; p < ifconf.ifc_buf + ifconf.ifc_len; p += sz) { diff --git a/kerberosV/src/lib/roken/getnameinfo.c b/kerberosV/src/lib/roken/getnameinfo.c index c2f350264c9..ae92c59142c 100644 --- a/kerberosV/src/lib/roken/getnameinfo.c +++ b/kerberosV/src/lib/roken/getnameinfo.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getnameinfo.c,v 1.3 2001/02/09 14:45:30 assar Exp $"); +RCSID("$KTH: getnameinfo.c,v 1.4 2001/07/09 15:14:19 assar Exp $"); #endif #include "roken.h" @@ -56,7 +56,7 @@ doit (int af, addrlen, af); if (he != NULL) { - strlcpy (host, he->h_name, hostlen); + strlcpy (host, hostent_find_fqdn(he), hostlen); if (flags & NI_NOFQDN) { char *dot = strchr (host, '.'); if (dot != NULL) diff --git a/kerberosV/src/lib/roken/getprogname.c b/kerberosV/src/lib/roken/getprogname.c new file mode 100644 index 00000000000..b48dda13e26 --- /dev/null +++ b/kerberosV/src/lib/roken/getprogname.c 
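Review bot: The corrected `sysctl` call still passes `sizeof(files)` as the fourth argument, where `sysctl` expects a `size_t *` pointing at the buffer length, and `&mib` where the array name `mib` itself is the `int *` the first parameter takes; `len` is assigned on the line above but never used. The call should read `sysctl(mib, 2, &files, &len, NULL, 0)`, and since its return value is ignored a failure leaves `files` with whatever it held before (its initialisation is not visible here), so a `< 0` check that falls through to the default would be worth adding. The ChangeLog entry on this page describes the sysctl branch as never used, which would explain why the call has not failed to compile; `getdtablesize` starts and ends outside the hunk.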
@@ -0,0 +1,58 @@ +/* + * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$KTH: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
+#endif
+
+#include "roken.h"
+
+#ifndef HAVE___PROGNAME
+const char *__progname;
+#endif
+
+#ifndef HAVE_GETPROGNAME
+const char *
+getprogname(void)
+{
+ return __progname;
+}
+#endif /* HAVE_GETPROGNAME */
+
+const char *
+get_progname (void)
+{
+ return getprogname ();
+}
+
diff --git a/kerberosV/src/lib/roken/h_errno.c b/kerberosV/src/lib/roken/h_errno.c
new file mode 100644
index 00000000000..eb89cb339b6
--- /dev/null
+++ b/kerberosV/src/lib/roken/h_errno.c
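Review bot: On platforms without a system `__progname` and without `getprogname`, the `__progname` defined here starts out NULL and `getprogname()` returns NULL until `setprogname()` has been called, and nothing in the file says so. A comment on the definition such as `/* NULL until setprogname() runs; callers must not assume a non-NULL result before then */` would document that, since code written for systems where the runtime initialises `__progname` may pass the result straight to a `%s` conversion. The double-underscore name is reserved to the implementation, but here it is deliberately the name the C library uses, which is worth stating next to the `#ifndef HAVE___PROGNAME` guard.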
@@ -0,0 +1,41 @@ +/* + * Copyright (c) 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +RCSID("$KTH: h_errno.c,v 1.1 2001/08/08 03:47:23 assar Exp $"); +#endif + +#ifndef HAVE_H_ERRNO +int h_errno = -17; /* Some magic number */ +#endif 
diff --git a/kerberosV/src/lib/roken/hostent_find_fqdn.c b/kerberosV/src/lib/roken/hostent_find_fqdn.c
new file mode 100644
index 00000000000..d945b2f37ea
--- /dev/null
+++ b/kerberosV/src/lib/roken/hostent_find_fqdn.c
@@ -0,0 +1,59 @@ +/* + * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +RCSID("$KTH: hostent_find_fqdn.c,v 1.2 2001/07/10 11:58:23 assar Exp $"); +#endif + +#include "roken.h" + +/* + * Try to find a fqdn (with `.') in he if possible, else return h_name + */ + +const char * +hostent_find_fqdn (const struct hostent *he) +{ + const char *ret = he->h_name; + const char **h; + + if (strchr (ret, '.') == NULL) + for (h = (const char **)he->h_aliases; *h != NULL; ++h) { + if (strchr (*h, '.') != NULL) { + ret = *h; + break; + } + } + return ret; +} diff --git a/kerberosV/src/lib/roken/hstrerror.c b/kerberosV/src/lib/roken/hstrerror.c index 362a3069de9..e1151de98dd 100644 --- a/kerberosV/src/lib/roken/hstrerror.c +++ b/kerberosV/src/lib/roken/hstrerror.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: hstrerror.c,v 1.23 1999/12/05 13:18:55 assar Exp $"); +RCSID("$KTH: hstrerror.c,v 1.24 2001/08/08 03:47:23 assar Exp $"); #endif #ifndef HAVE_HSTRERROR @@ -46,10 +46,6 @@ RCSID("$KTH: hstrerror.c,v 1.23 1999/12/05 13:18:55 assar Exp $"); #undef hstrerror #endif -#ifndef HAVE_H_ERRNO -int h_errno = -17; /* Some magic number */ -#endif - #if !(defined(HAVE_H_ERRLIST) && defined(HAVE_H_NERR)) static const char *const h_errlist[] = { "Resolver Error 0 (no error)", diff --git a/kerberosV/src/lib/roken/issuid.c b/kerberosV/src/lib/roken/issuid.c index f4d3ab4256b..5f0a5809e79 100644 --- a/kerberosV/src/lib/roken/issuid.c +++ b/kerberosV/src/lib/roken/issuid.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998 Kungliga Tekniska Högskolan + * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: issuid.c,v 1.3 1999/12/02 16:58:47 joda Exp $"); +RCSID("$KTH: issuid.c,v 1.4 2001/08/27 23:08:34 assar Exp $"); #endif #include "roken.h" 
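Review bot: `hostent_find_fqdn` dereferences `he->h_name` and walks `he->h_aliases` without checking either for NULL; whether a resolver can hand back a hostent with a NULL `h_aliases` is not something the hunk settles, but the guard costs one condition: `if (strchr (ret, '.') == NULL && he->h_aliases != NULL)`. The `(const char **)` cast on `h_aliases` could be avoided by declaring `char **h` and letting the assignment to `ret` add the qualifier. A short comment stating that the returned pointer aliases storage owned by `he` and is only valid while that hostent is (the `add_hostent` hunk in getaddrinfo.c already copies it with `strdup` before `freehostent`) would make the lifetime contract explicit for other callers such as the one added in getnameinfo.c.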
@@ -41,6 +41,9 @@ RCSID("$KTH: issuid.c,v 1.3 1999/12/02 16:58:47 joda Exp $"); int issuid(void) { +#if defined(HAVE_ISSETUGID) + return issetugid(); +#endif #if defined(HAVE_GETUID) && defined(HAVE_GETEUID) if(getuid() != geteuid()) return 1; diff --git a/kerberosV/src/lib/roken/resolve.h b/kerberosV/src/lib/roken/resolve.h index f729abdf7f4..08d8f361aec 100644 --- a/kerberosV/src/lib/roken/resolve.h +++ b/kerberosV/src/lib/roken/resolve.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: resolve.h,v 1.12 2000/10/15 21:28:56 assar Exp $ */ +/* $KTH: resolve.h,v 1.13 2001/06/09 01:35:04 joda Exp $ */ #ifndef __RESOLVE_H__ #define __RESOLVE_H__ @@ -142,5 +142,6 @@ struct dns_reply* dns_lookup(const char *, const char *); void dns_free_data(struct dns_reply *); int dns_string_to_type(const char *name); const char *dns_type_to_string(int type); +void dns_srv_order(struct dns_reply*); #endif /* __RESOLVE_H__ */ diff --git a/kerberosV/src/lib/roken/roken-common.h b/kerberosV/src/lib/roken/roken-common.h index cb507d702e7..6cd21c47602 100644 --- a/kerberosV/src/lib/roken/roken-common.h +++ b/kerberosV/src/lib/roken/roken-common.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: roken-common.h,v 1.42 2001/01/29 02:09:09 assar Exp $ */ +/* $KTH: roken-common.h,v 1.48 2001/09/03 12:04:34 joda Exp $ */ #ifndef __ROKEN_COMMON_H__ #define __ROKEN_COMMON_H__ 
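Review bot: With `HAVE_ISSETUGID` defined, the added `return issetugid();` makes everything after the new `#endif` unreachable, which compilers warn about and which leaves a reader unsure which check is actually in force; wrapping the remainder of the function in the `#else` branch (`#if defined(HAVE_ISSETUGID)` ... `#else` ... `#endif`) states the preference explicitly. The function continues past the end of the hunk, so the closing `#endif` would go just before its final return. Preferring `issetugid()` where available is the right call, since its result is meant to stay set after a program drops its privileges while the uid/euid comparison below stops reporting anything; a one-line comment saying so would explain why it goes first.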
@@ -264,15 +264,19 @@ int ROKEN_LIB_FUNCTION simple_execlp(const char*, ...); int ROKEN_LIB_FUNCTION simple_execle(const char*, ...); int ROKEN_LIB_FUNCTION simple_execl(const char *file, ...); -void ROKEN_LIB_FUNCTION print_version(const char *); +int ROKEN_LIB_FUNCTION wait_for_process(pid_t); +int ROKEN_LIB_FUNCTION pipe_execv(FILE**, FILE**, FILE**, const char*, ...); -void *ROKEN_LIB_FUNCTION emalloc (size_t); -void *ROKEN_LIB_FUNCTION erealloc (void *, size_t); -char *ROKEN_LIB_FUNCTION estrdup (const char *); +void ROKEN_LIB_FUNCTION print_version(const char *); ssize_t ROKEN_LIB_FUNCTION eread (int fd, void *buf, size_t nbytes); ssize_t ROKEN_LIB_FUNCTION ewrite (int fd, const void *buf, size_t nbytes); +struct hostent; + +const char * +hostent_find_fqdn (const struct hostent *he); + void esetenv(const char *var, const char *val, int rewrite); @@ -298,6 +302,9 @@ void socket_set_port (struct sockaddr *sa, int port); void +socket_set_portrange (int sock, int restr, int af); + +void socket_set_debug (int sock); void diff --git a/kerberosV/src/lib/roken/roken.h.in b/kerberosV/src/lib/roken/roken.h.in index d67413b25f0..26b13f4cc50 100644 --- a/kerberosV/src/lib/roken/roken.h.in +++ b/kerberosV/src/lib/roken/roken.h.in @@ -32,7 +32,7 @@ * SUCH DAMAGE. */ -/* $KTH: roken.h.in,v 1.157 2001/05/18 18:00:12 assar Exp $ */ +/* $KTH: roken.h.in,v 1.159 2001/08/21 15:32:05 assar Exp $ */ #include <stdio.h> #include <stdlib.h> @@ -95,9 +95,6 @@ struct sockaddr_dl; #ifdef HAVE_SYSLOG_H #include <syslog.h> #endif -#ifdef HAVE_WINSOCK_H -#include <winsock.h> -#endif #ifdef HAVE_FCNTL_H #include <fcntl.h> #endif 
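Review bot: The new `hostent_find_fqdn` prototype is the only declaration in this part of roken-common.h without the `ROKEN_LIB_FUNCTION` qualifier that `wait_for_process`, `pipe_execv`, `print_version`, `eread` and `ewrite` carry on the neighbouring lines; if that macro expands to an export attribute on some targets, the function would be left out of the exported set. `const char *ROKEN_LIB_FUNCTION hostent_find_fqdn (const struct hostent *);` matches the surrounding style. The `struct hostent;` forward declaration above it is a good touch, as it avoids pulling the resolver headers into this header.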
@@ -567,6 +564,19 @@ char * strptime (const char *buf, const char *format, struct tm *timeptr); #endif +#ifndef HAVE_EMALLOC +void *emalloc (size_t); +#endif +#ifndef HAVE_ECALLOC +void *ecalloc(size_t num, size_t sz); +#endif +#ifndef HAVE_EREALLOC +void *erealloc (void *, size_t); +#endif +#ifndef HAVE_ESTRDUP +char *estrdup (const char *); +#endif + /* * kludges and such */ diff --git a/kerberosV/src/lib/roken/setprogname.c b/kerberosV/src/lib/roken/setprogname.c new file mode 100644 index 00000000000..19b70fbed9e --- /dev/null +++ b/kerberosV/src/lib/roken/setprogname.c 
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$KTH: setprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
+#endif
+
+#include "roken.h"
+
+#ifndef HAVE___PROGNAME
+extern const char *__progname;
+#endif
+
+#ifndef HAVE_SETPROGNAME
+void
+setprogname(const char *argv0)
+{
+#ifndef HAVE___PROGNAME
+ char *p;
+ if(argv0 == NULL)
+ return;
+ p = strrchr(argv0, '/');
+ if(p == NULL)
+ p = (char *)argv0;
+ else
+ p++;
+ __progname = p;
+#endif
+}
+#endif /* HAVE_SETPROGNAME */
+
+void
+set_progname(char *argv0)
+{
+ setprogname ((const char *)argv0);
+}
diff --git a/kerberosV/src/lib/roken/simple_exec.c b/kerberosV/src/lib/roken/simple_exec.c
index 2f6e711c75e..23096a72a97 100644
--- a/kerberosV/src/lib/roken/simple_exec.c
+++ b/kerberosV/src/lib/roken/simple_exec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1998 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: simple_exec.c,v 1.8 2000/11/05 16:41:06 joda Exp $"); +RCSID("$KTH: simple_exec.c,v 1.10 2001/06/21 03:38:03 assar Exp $"); #endif #include <stdarg.h>
@@ -64,8 +64,8 @@ RCSID("$KTH: simple_exec.c,v 1.8 2000/11/05 16:41:06 joda Exp $"); 128- is 128 + signal that killed subprocess */ -static int -check_status(pid_t pid) +int +wait_for_process(pid_t pid) { while(1) { int status;
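Review bot: In `setprogname`, `p` is declared `char *` and `argv0` is cast to `(char *)` only so it can be assigned to `p`, yet the final destination `__progname` is itself `const char *`; declaring `const char *p;` and writing `p = argv0;` removes the cast and keeps the const qualifier intact along the whole path. The function also stores a pointer into the caller's string rather than a copy, so a comment above the assignment would spare the next reader a look at the callers: `/* __progname points into argv0 (normally argv[0]), which must stay valid for the life of the process */`. The `extern const char *__progname;` under `#ifndef HAVE___PROGNAME` presumably refers to a definition elsewhere in roken; the file does not say where, and a short comment naming it would help.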
@@ -83,6 +83,93 @@ check_status(pid_t pid) } int
+pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd,
+ const char *file, ...)
+{
+ int in_fd[2], out_fd[2], err_fd[2];
+ pid_t pid;
+ va_list ap;
+ char **argv;
+
+ if(stdin_fd != NULL)
+ pipe(in_fd);
+ if(stdout_fd != NULL)
+ pipe(out_fd);
+ if(stderr_fd != NULL)
+ pipe(err_fd);
+ pid = fork();
+ switch(pid) {
+ case 0:
+ va_start(ap, file);
+ argv = vstrcollect(&ap);
+ va_end(ap);
+ if(argv == NULL)
+ exit(-1);
+
+ /* close pipes we're not interested in */
+ if(stdin_fd != NULL)
+ close(in_fd[1]);
+ if(stdout_fd != NULL)
+ close(out_fd[0]);
+ if(stderr_fd != NULL)
+ close(err_fd[0]);
+
+ /* pipe everything caller doesn't care about to /dev/null */
+ if(stdin_fd == NULL)
+ in_fd[0] = open(_PATH_DEVNULL, O_RDONLY);
+ if(stdout_fd == NULL)
+ out_fd[1] = open(_PATH_DEVNULL, O_WRONLY);
+ if(stderr_fd == NULL)
+ err_fd[1] = open(_PATH_DEVNULL, O_WRONLY);
+
+ /* move to proper descriptors */
+ if(in_fd[0] != STDIN_FILENO) {
+ dup2(in_fd[0], STDIN_FILENO);
+ close(in_fd[0]);
+ }
+ if(out_fd[1] != STDOUT_FILENO) {
+ dup2(out_fd[1], STDOUT_FILENO);
+ close(out_fd[1]);
+ }
+ if(err_fd[1] != STDERR_FILENO) {
+ dup2(err_fd[1], STDERR_FILENO);
+ close(err_fd[1]);
+ }
+
+ execv(file, argv);
+ exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
+ case -1:
+ if(stdin_fd != NULL) {
+ close(in_fd[0]);
+ close(in_fd[1]);
+ }
+ if(stdout_fd != NULL) {
+ close(out_fd[0]);
+ close(out_fd[1]);
+ }
+ if(stderr_fd != NULL) {
+ close(err_fd[0]);
+ close(err_fd[1]);
+ }
+ return -2;
+ default:
+ if(stdin_fd != NULL) {
+ close(in_fd[0]);
+ *stdin_fd = fdopen(in_fd[1], "w");
+ }
+ if(stdout_fd != NULL) {
+ close(out_fd[1]);
+ *stdout_fd = fdopen(out_fd[0], "r");
+ }
+ if(stderr_fd != NULL) {
+ close(err_fd[1]);
+ *stderr_fd = fdopen(err_fd[0], "r");
+ }
+ }
+ return pid;
+}
+
+int
 simple_execvp(const char *file, char *const args[])
 {
 pid_t pid = fork();
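Review bot: The return values of the three `pipe()` calls in `pipe_execv` are never checked, so when one fails `in_fd`/`out_fd`/`err_fd` keep indeterminate values that are then passed to `close`, `dup2` and `fdopen` in both the child and the parent; the same goes for the three `open(_PATH_DEVNULL, ...)` calls in the child, where a failed open leaves the child inheriting the parent's descriptor on that standard slot instead of /dev/null. The rewrite below initialises each pair to -1, fails early with the existing -2 return when a pipe cannot be created, and makes the child exit when /dev/null cannot be opened. Separately, the child calls `exit()` after `fork()` (both at `exit(-1)` and after `execv`), which runs the parent's atexit handlers and flushes stdio buffers inherited from the parent a second time; `_exit()` is the usual choice on the child side. In the parent, `fdopen` can return NULL, which is currently stored straight into the caller's stream pointer while the descriptor is left open; checking it and closing the fd on failure would complete the error handling.
```c
/* close both ends of a pipe pair; -1 entries (never opened) are skipped */
static void
close_pair(int fds[2])
{
    if (fds[0] >= 0)
	close(fds[0]);
    if (fds[1] >= 0)
	close(fds[1]);
}

int
pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd,
	   const char *file, ...)
{
    int in_fd[2] = { -1, -1 }, out_fd[2] = { -1, -1 }, err_fd[2] = { -1, -1 };
    /* … unchanged: pid, ap, argv declarations … */

    if ((stdin_fd != NULL && pipe(in_fd) < 0)
	|| (stdout_fd != NULL && pipe(out_fd) < 0)
	|| (stderr_fd != NULL && pipe(err_fd) < 0)) {
	close_pair(in_fd);
	close_pair(out_fd);
	close_pair(err_fd);
	return -2;
    }
    /* … unchanged: fork(), switch, argv collection, closing of unused pipe ends … */

	/* pipe everything caller doesn't care about to /dev/null */
	if (stdin_fd == NULL
	    && (in_fd[0] = open(_PATH_DEVNULL, O_RDONLY)) < 0)
	    _exit(EX_NOEXEC);
	if (stdout_fd == NULL
	    && (out_fd[1] = open(_PATH_DEVNULL, O_WRONLY)) < 0)
	    _exit(EX_NOEXEC);
	if (stderr_fd == NULL
	    && (err_fd[1] = open(_PATH_DEVNULL, O_WRONLY)) < 0)
	    _exit(EX_NOEXEC);
	/* … unchanged: dup2() onto 0/1/2, execv() … */
	_exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC);
    case -1:
	close_pair(in_fd);
	close_pair(out_fd);
	close_pair(err_fd);
	return -2;
    /* … unchanged: default: parent side, fdopen of the kept ends, return pid … */
```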
@@ -93,7 +180,7 @@ simple_execvp(const char *file, char *const args[]) execvp(file, args); exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC); default: - return check_status(pid); + return wait_for_process(pid); } }
@@ -109,7 +196,7 @@ simple_execve(const char *file, char *const args[], char *const envp[]) execve(file, args, envp); exit((errno == ENOENT) ? EX_NOTFOUND : EX_NOEXEC); default: - return check_status(pid); + return wait_for_process(pid); } }
diff --git a/kerberosV/src/lib/roken/snprintf-test.c b/kerberosV/src/lib/roken/snprintf-test.c
new file mode 100644
index 00000000000..f896d578033
--- /dev/null
+++ b/kerberosV/src/lib/roken/snprintf-test.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#include <limits.h>
+
+#include "snprintf-test.h"
+
+RCSID("$KTH: snprintf-test.c,v 1.4 2001/07/17 15:27:00 assar Exp $");
+
+static int
+try (const char *format, ...)
+{
+ int ret;
+ va_list ap;
+ char buf1[256], buf2[256];
+
+ va_start (ap, format);
+ ret = vsnprintf (buf1, sizeof(buf1), format, ap);
+ if (ret >= sizeof(buf1))
+ errx (1, "increase buf and try again");
+ vsprintf (buf2, format, ap);
+ ret = strcmp (buf1, buf2);
+ if (ret)
+ printf ("failed: format = \"%s\", \"%s\" != \"%s\"\n",
+ format, buf1, buf2);
+ va_end (ap);
+ return ret;
+}
+
+static int
+cmp_with_sprintf_int (void)
+{
+ int tot = 0;
+ int int_values[] = {INT_MIN, -17, -1, 0, 1, 17, 4711, 65535, INT_MAX};
+ int i;
+
+ for (i = 0; i < sizeof(int_values) / sizeof(int_values[0]); ++i) {
+ tot += try ("%d", int_values[i]);
+ tot += try ("%x", int_values[i]);
+ tot += try ("%X", int_values[i]);
+ tot += try ("%o", int_values[i]);
+ tot += try ("%#x", int_values[i]);
+ tot += try ("%#X", int_values[i]);
+ tot += try ("%#o", int_values[i]);
+ tot += try ("%10d", int_values[i]);
+ tot += try ("%10x", int_values[i]);
+ tot += try ("%10X", int_values[i]);
+ tot += try ("%10o", int_values[i]);
+ tot += try ("%#10x", int_values[i]);
+ tot += try ("%#10X", int_values[i]);
+ tot += try ("%#10o", int_values[i]);
+ tot += try ("%-10d", int_values[i]);
+ tot += try ("%-10x", int_values[i]);
+ tot += try ("%-10X", int_values[i]);
+ tot += try ("%-10o", int_values[i]);
+ tot += try ("%-#10x", int_values[i]);
+ tot += try ("%-#10X", int_values[i]);
+ tot += try ("%-#10o", int_values[i]);
+ }
+ return tot;
+}
+
+static int
+cmp_with_sprintf_long (void)
+{
+ int tot = 0;
+ long long_values[] = {LONG_MIN, -17, -1, 0, 1, 17, 4711, 65535, LONG_MAX};
+ int i;
+
+ for (i = 0; i < sizeof(long_values) / sizeof(long_values[0]); ++i) {
+ tot += try ("%ld", long_values[i]);
+ tot += try ("%lx", long_values[i]);
+ tot += try ("%lX", long_values[i]);
+ tot += try ("%lo", long_values[i]);
+ tot += try ("%#lx", long_values[i]);
+ tot += try ("%#lX", long_values[i]);
+ tot += try ("%#lo", long_values[i]);
+ tot += try ("%10ld", long_values[i]);
+ tot += try ("%10lx", long_values[i]);
+ tot += try ("%10lX", long_values[i]);
+ tot += try ("%10lo", long_values[i]);
+ tot += try ("%#10lx", long_values[i]);
+ tot += try ("%#10lX", long_values[i]);
+ tot += try ("%#10lo", long_values[i]);
+ tot += try ("%-10ld", long_values[i]);
+ tot += try ("%-10lx", long_values[i]);
+ tot += try ("%-10lX", long_values[i]);
+ tot += try ("%-10lo", long_values[i]);
+ tot += try ("%-#10lx", long_values[i]);
+ tot += try ("%-#10lX", long_values[i]);
+ tot += try ("%-#10lo", long_values[i]);
+ }
+ return tot;
+}
+
+#ifdef HAVE_LONG_LONG
+
+static int
+cmp_with_sprintf_long_long (void)
+{
+ int tot = 0;
+ long long long_long_values[] = { + (long long)LONG_MIN -1, LONG_MIN, -17, -1, + 0, + 1, 17, 4711, 65535, LONG_MAX, (long long)LONG_MAX + 1};
+ int i;
+
+ for (i = 0; i < sizeof(long_long_values) / sizeof(long_long_values[0]); ++i) {
+ tot += try ("%lld", long_long_values[i]);
+ tot += try ("%llx", long_long_values[i]);
+ tot += try ("%llX", long_long_values[i]);
+ tot += try ("%llo", long_long_values[i]);
+ tot += try ("%#llx", long_long_values[i]);
+ tot += try ("%#llX", long_long_values[i]);
+ tot += try ("%#llo", long_long_values[i]);
+ tot += try ("%10lld", long_long_values[i]);
+ tot += try ("%10llx", long_long_values[i]);
+ tot += try ("%10llX", long_long_values[i]);
+ tot += try ("%10llo", long_long_values[i]);
+ tot += try ("%#10llx", long_long_values[i]);
+ tot += try ("%#10llX", long_long_values[i]);
+ tot += try ("%#10llo", long_long_values[i]);
+ tot += try ("%-10lld", long_long_values[i]);
+ tot += try ("%-10llx", long_long_values[i]);
+ tot += try ("%-10llX", long_long_values[i]);
+ tot += try ("%-10llo", long_long_values[i]);
+ tot += try ("%-#10llx", long_long_values[i]);
+ tot += try ("%-#10llX", long_long_values[i]);
+ tot += try ("%-#10llo", long_long_values[i]);
+ }
+ return tot;
+}
+
+#endif
+
+#if 0
+static int
+cmp_with_sprintf_float (void)
+{
+ int tot = 0;
+ double double_values[] = {-99999, -999, -17.4, -4.3, -3.0, -1.5, -1, + 0, 0.1, 0.2342374852, 0.2340007, + 3.1415926, 14.7845, 34.24758, 9999, 9999999};
+ int i;
+
+ for (i = 0; i < sizeof(double_values) / sizeof(double_values[0]); ++i) {
+ tot += try ("%f", double_values[i]);
+ tot += try ("%10f", double_values[i]);
+ tot += try ("%.2f", double_values[i]);
+ tot += try ("%7.0f", double_values[i]);
+ tot += try ("%5.2f", double_values[i]);
+ tot += try ("%0f", double_values[i]);
+ tot += try ("%#f", double_values[i]);
+ tot += try ("%e", double_values[i]);
+ tot += try ("%10e", double_values[i]);
+ tot += try ("%.2e", double_values[i]);
+ tot += try ("%7.0e", double_values[i]);
+ tot += try ("%5.2e", double_values[i]);
+ tot += try ("%0e", double_values[i]);
+ tot += try ("%#e", double_values[i]);
+ tot += try ("%E", double_values[i]);
+ tot += try ("%10E", double_values[i]);
+ tot += try ("%.2E", double_values[i]);
+ tot += try ("%7.0E", double_values[i]);
+ tot += try ("%5.2E", double_values[i]);
+ tot += try ("%0E", double_values[i]);
+ tot += try ("%#E", double_values[i]);
+ tot += try ("%g", double_values[i]);
+ tot += try ("%10g", double_values[i]);
+ tot += try ("%.2g", double_values[i]);
+ tot += try ("%7.0g", double_values[i]);
+ tot += try ("%5.2g", double_values[i]);
+ tot += try ("%0g", double_values[i]);
+ tot += try ("%#g", double_values[i]);
+ tot += try ("%G", double_values[i]);
+ tot += try ("%10G", double_values[i]);
+ tot += try ("%.2G", double_values[i]);
+ tot += try ("%7.0G", double_values[i]);
+ tot += try ("%5.2G", double_values[i]);
+ tot += try ("%0G", double_values[i]);
+ tot += try ("%#G", double_values[i]);
+ }
+ return tot;
+}
+#endif
+
+static int
+test_null (void)
+{
+ return snprintf (NULL, 0, "foo") != 3;
+}
+
+int
+main (int argc, char **argv)
+{
+ int ret = 0;
+
+ ret += cmp_with_sprintf_int ();
+ ret += cmp_with_sprintf_long ();
+#ifdef HAVE_LONG_LONG
+ ret += cmp_with_sprintf_long_long ();
+#endif
+ ret += test_null ();
+ return ret;
+}
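Review bot: In `try`, the same `va_list ap` is passed to `vsnprintf` and then again to `vsprintf` without being reset; once the first call has consumed the list its value is indeterminate, so the second call reads the wrong arguments or crashes depending on the ABI. Insert `va_end (ap); va_start (ap, format);` immediately before `vsprintf (buf2, format, ap);` (or use `va_copy` where the build has it). Note also that `vsnprintf` here is the implementation under test, renamed through `snprintf-test.h`, while `vsprintf` is the system one, so the `ret >= sizeof(buf1)` check is the only thing keeping the unbounded `vsprintf` inside `buf2`; because `ret` is an `int` compared against a `size_t`, a negative return is promoted to a large unsigned value and reported as "increase buf" rather than as a failure, and `if (ret < 0 || ret >= (int)sizeof(buf1))` with two distinct messages would be clearer. The `int i` loop counters compared against `sizeof(...)` in the `cmp_with_sprintf_*` functions draw sign-comparison warnings and could be `size_t`.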
diff --git a/kerberosV/src/lib/roken/snprintf-test.h b/kerberosV/src/lib/roken/snprintf-test.h
new file mode 100644
index 00000000000..fa75691cc22
--- /dev/null
+++ b/kerberosV/src/lib/roken/snprintf-test.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $KTH: snprintf-test.h,v 1.2 2001/07/19 18:39:14 assar Exp $ */
+
+#ifndef __SNPRINTF_TEST_H__
+#define __SNPRINTF_TEST_H__
+
+/*
+ * we cannot use the real names of the functions when testing, since
+ * they might have different prototypes as the system functions, hence
+ * these evil hacks
+ */
+
+#define snprintf test_snprintf
+#define asprintf test_asprintf
+#define asnprintf test_asnprintf
+#define vasprintf test_vasprintf
+#define vasnprintf test_vasnprintf
+#define vsnprintf test_vsnprintf
+
+#endif /* __SNPRINTF_TEST_H__ */
diff --git a/kerberosV/src/lib/roken/socket.c b/kerberosV/src/lib/roken/socket.c
index 427b375f085..513448d7dfa 100644
--- a/kerberosV/src/lib/roken/socket.c
+++ b/kerberosV/src/lib/roken/socket.c
@@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: socket.c,v 1.5 2000/07/27 04:41:06 assar Exp $"); +RCSID("$KTH: socket.c,v 1.7 2001/09/03 12:04:23 joda Exp $"); #endif #include <roken.h>
@@ -222,6 +222,31 @@ socket_set_port (struct sockaddr *sa, int port) } /* + * Set the range of ports to use when binding with port = 0. + */ +void +socket_set_portrange (int sock, int restr, int af) +{ +#if defined(IP_PORTRANGE) + if (af == AF_INET) { + int on = restr ? IP_PORTRANGE_HIGH : IP_PORTRANGE_DEFAULT; + if (setsockopt (sock, IPPROTO_IP, IP_PORTRANGE, &on, + sizeof(on)) < 0) + warn ("setsockopt IP_PORTRANGE (ignored)"); + } +#endif +#if defined(IPV6_PORTRANGE) + if (af == AF_INET6) { + int on = restr ? IPV6_PORTRANGE_HIGH : + IPV6_PORTRANGE_DEFAULT; + if (setsockopt (sock, IPPROTO_IPV6, IPV6_PORTRANGE, &on, + sizeof(on)) < 0) + warn ("setsockopt IPV6_PORTRANGE (ignored)"); + } +#endif +} + +/* * Enable debug on `sock'. */
diff --git a/kerberosV/src/lib/roken/xdbm.h b/kerberosV/src/lib/roken/xdbm.h
index f7fb8c1dcab..c11c4446483 100644
--- a/kerberosV/src/lib/roken/xdbm.h
+++ b/kerberosV/src/lib/roken/xdbm.h
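Review bot: The include guard `__SNPRINTF_TEST_H__` starts with two underscores, a name space C reserves for the implementation; `SNPRINTF_TEST_H` would do the same job without the risk of colliding with a system header's macro (the older `__XDBM_H__` later in this chunk has the same shape, but that one predates this commit). The comment above the defines explains the renaming well; one more line saying that `vsprintf` is intentionally left unmapped, so that `snprintf-test.c` compares the roken implementations against the system `vsprintf`, would make it clear the omission is deliberate rather than forgotten — presumably it is, since the test depends on it.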
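Review bot: `socket_set_portrange` does not document what `restr` means, and the name suggests a "restricted" (reserved) range while the code maps a non-zero value to `IP_PORTRANGE_HIGH`/`IPV6_PORTRANGE_HIGH`, i.e. the high ephemeral range, not the privileged low ports. I would extend the header comment to `/* Set the range of ports to use when binding with port = 0: a non-zero `restr' selects the high range (IP_PORTRANGE_HIGH / IPV6_PORTRANGE_HIGH), otherwise the default range; a no-op for other address families and on systems without these options. */`. On a system where neither macro is defined the function body is empty and all three parameters are unused, which some compilers warn about; and since the failure path only calls `warn` and continues, callers cannot tell whether the option took effect — fine for a best-effort hint, but worth stating in the comment so nobody relies on it for isolation.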
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -31,30 +31,27 @@ * SUCH DAMAGE. */ -/* $KTH: xdbm.h,v 1.12 2000/08/16 03:57:21 assar Exp $ */ +/* $KTH: xdbm.h,v 1.14 2001/09/03 05:03:00 assar Exp $ */ /* Generic *dbm include file */ #ifndef __XDBM_H__ #define __XDBM_H__ -#if defined(HAVE_DB_H) +#if HAVE_DB_NDBM #define DB_DBM_HSEARCH 1 #include <db.h> -#endif - -#ifndef DBM_INSERT -#if defined(HAVE_NDBM_H) -#include <ndbm.h> -#elif defined(HAVE_GDBM_NDBM_H) +#elif HAVE_NDBM +#if defined(HAVE_GDBM_NDBM_H) #include <gdbm/ndbm.h> +#elif defined(HAVE_NDBM_H) +#include <ndbm.h> #elif defined(HAVE_DBM_H) #include <dbm.h> -#elif defined(HAVE_RPCSVC_DBM_H) -#include <rpcsvc/dbm.h> -#endif #endif +#endif /* HAVE_NDBM */ +#if 0 /* Macros to convert ndbm names to dbm names. * Note that dbm_nextkey() cannot be simply converted using a macro, since * it is invoked giving the database, and nextkey() needs the previous key.
@@ -75,5 +72,6 @@ typedef char DBM; #else #define dbm_next(db,key) dbm_nextkey(db) #endif +#endif #endif /* __XDBM_H__ */
diff --git a/kerberosV/src/lib/sl/ChangeLog b/kerberosV/src/lib/sl/ChangeLog
index 249ac09374f..ea3d76ff50f 100644
--- a/kerberosV/src/lib/sl/ChangeLog
+++ b/kerberosV/src/lib/sl/ChangeLog
@@ -1,3 +1,8 @@ +2001-07-09 Assar Westerlund <assar@sics.se> + + * Makefile.am: add getprogname.c libss.la:add libcom_err.la noted + by Leif Johansson <leifj@it.su.se> + 2001-05-17 Assar Westerlund <assar@sics.se> * Makefile.am: bump versions to 1:2:1 and 1:4:1
diff --git a/kerberosV/src/lib/vers/ChangeLog b/kerberosV/src/lib/vers/ChangeLog
index 0de5d152a1f..93d0731b712 100644
--- a/kerberosV/src/lib/vers/ChangeLog
+++ b/kerberosV/src/lib/vers/ChangeLog
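Review bot: The new `#if HAVE_DB_NDBM` / `#elif HAVE_NDBM` tests in the -31 hunk of xdbm.h evaluate the macros as integers, while the remaining conditions in the same hunk keep the `#if defined(HAVE_GDBM_NDBM_H)` form; if either macro is ever defined empty (`#define HAVE_NDBM` style) `#if HAVE_DB_NDBM` is a preprocessing error, and when neither is defined the header silently selects no dbm interface at all. Using `defined()` consistently and closing the chain with `#else` / `#error "no ndbm-compatible header found"` would make a misconfigured build fail at the right place instead of at the first `DBM` use. The ndbm-to-dbm macro block is now fenced in `#if 0 … #endif` (the matching `#endif` is the -75 hunk) rather than deleted; if it is kept on purpose, a one-line comment above `#if 0`, e.g. `/* ndbm->dbm name mapping, disabled: REASON-HERE (delete when no longer needed) */`, stops the next reader wondering whether it was switched off by mistake.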
@@ -1,3 +1,8 @@ +2001-08-24 Assar Westerlund <assar@sics.se> + + * Makefile.am (make_print_version_LDADD): use = instead of += (be + nice to current automake) + 2001-04-21 Johan Danielsson <joda@pdc.kth.se> * print_version.c: 2001 |