33 files changed, 3373 insertions, 0 deletions

diff --git a/crypto/heimdal/admin/rename.c b/crypto/heimdal/admin/rename.c
new file mode 100644
index 000000000000..dcfb35244f72
--- /dev/null
+++ b/crypto/heimdal/admin/rename.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "ktutil_locl.h"
+
+RCSID("$Id: rename.c,v 1.1 2001/07/23 10:17:32 joda Exp $");
+
+int
+kt_rename(int argc, char **argv)
+{
+    krb5_error_code ret = 0;
+    krb5_keytab_entry entry;
+    krb5_keytab keytab;
+    krb5_kt_cursor cursor;
+    krb5_principal from_princ, to_princ;
+    int help_flag = 0;
+
+    struct getargs args[] = {
+	{ "help", 'h', arg_flag, NULL }
+    };
+    int num_args = sizeof(args) / sizeof(args[0]);
+    int optind = 0;
+    int i = 0;
+
+    args[i++].value = &help_flag;
+    if(getarg(args, num_args, argc, argv, &optind)) {
+	arg_printusage(args, num_args, "ktutil rename", "from to");
+	return 1;
+    }
+    if(help_flag) {
+	arg_printusage(args, num_args, "ktutil rename", "from to");
+	return 0;
+    }
+    argv += optind;
+    argc -= optind;
+    if(argc != 2) {
+	arg_printusage(args, num_args, "ktutil rename", "from to");
+	return 0;
+    }
+
+    ret = krb5_parse_name(context, argv[0], &from_princ);
+    if(ret != 0) {
+	krb5_warn(context, ret, "%s", argv[0]);
+	return 0;
+    }
+
+    ret = krb5_parse_name(context, argv[1], &to_princ);
+    if(ret != 0) {
+	krb5_free_principal(context, from_princ);
+	krb5_warn(context, ret, "%s", argv[1]);
+	return 0;
+    }
+
+    if((keytab = ktutil_open_keytab()) == NULL) {
+	krb5_free_principal(context, from_princ);
+	krb5_free_principal(context, to_princ);
+	return 1;
+    }
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret) {
+	krb5_kt_close(context, keytab);
+	krb5_free_principal(context, from_princ);
+	krb5_free_principal(context, to_princ);
+	return 1;
+    }
+    while(1) {
+	ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
+	if(ret != 0) {
+	    if(ret != KRB5_CC_END && ret != KRB5_KT_END)
+		krb5_warn(context, ret, "getting entry from keytab");
+	    break;
+	}
+	if(krb5_principal_compare(context, entry.principal, from_princ)) {
+	    krb5_free_principal(context, entry.principal);
+	    entry.principal = to_princ;
+	    ret = krb5_kt_add_entry(context, keytab, &entry);
+	    if(ret) {
+		entry.principal = NULL;
+		krb5_kt_free_entry(context, &entry);
+		krb5_warn(context, ret, "adding entry");
+		break;
+	    }
+	    entry.principal = from_princ;
+	    ret = krb5_kt_remove_entry(context, keytab, &entry);
+	    if(ret) {
+		entry.principal = NULL;
+		krb5_kt_free_entry(context, &entry);
+		krb5_warn(context, ret, "removing entry");
+		break;
+	    }
+	    entry.principal = NULL;
+	}
+	krb5_kt_free_entry(context, &entry);
+    }
+    krb5_kt_end_seq_get(context, keytab, &cursor);
+
+    krb5_free_principal(context, from_princ);
+    krb5_free_principal(context, to_princ);
+
+    return 0;
+}
+
diff --git a/crypto/heimdal/appl/rsh/rsh.1 b/crypto/heimdal/appl/rsh/rsh.1
new file mode 100644
index 000000000000..5bc031f87162
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rsh.1
@@ -0,0 +1,218 @@
+.\"	$Id: rsh.1,v 1.1 2001/07/31 08:13:41 joda Exp $
+.\"
+.Dd July 31, 2001
+.Dt RSH 1
+.Os HEIMDAL
+.Sh NAME
+.Nm rsh
+.Nd
+remote shell
+.Sh SYNOPSIS
+.Nm
+.Op Fl 45FGKdefnuxz
+.Op Fl U Pa string 
+.Op Fl p Ar port
+.Op Fl l Ar username
+.Ar host [command]
+.Sh DESCRIPTION
+.Nm
+authenticates to the 
+.Xr rshd 8 
+daemon on the remote
+.Ar host ,
+and then executes the specified 
+.Ar command .
+.Pp
+.Nm
+copies its standard input to the remote command, and the standard
+output and error of the remote command to its own.
+.Pp
+Valid options are:
+.Bl -tag -width Ds
+.It Xo
+.Fl 4 Ns ,
+.Fl -krb4
+.Xc
+The 
+.Fl 4 
+option requests Kerberos 4 authentication. Normally all supported
+authentication mechanisms will be tried, but in some cases more
+explicit control is desired.
+.It Xo
+.Fl 5 Ns ,
+.Fl -krb5
+.Xc
+The 
+.Fl 5
+option requests Kerberos 5 authentication. This is analogous to the 
+.Fl 4
+option.
+.It Xo
+.Fl K Ns ,
+.Fl -broken
+.Xc
+The 
+.Fl K
+option turns off all Kerberos authentication. The long name implies
+that this is more or less totally unsecure. The security in this mode
+relies on reserved ports, which is not very secure.
+.It Xo
+.Fl n Ns ,
+.Fl -no-input
+.Xc
+The 
+.Fl n
+option directs the input from the 
+.Pa /dev/null
+device (see the
+.Sx BUGS
+section of this manual page).
+.It Xo
+.Fl e Ns ,
+.Fl -no-stderr
+.Xc
+Don't use a separate socket for the stderr stream. This can be
+necessary if rsh-ing through a NAT bridge.
+.It Xo
+.Fl x Ns ,
+.Fl -encrypt
+.Xc
+The
+.Fl x
+option enables encryption for all data exchange. This is only valid
+for Kerberos authenticated connections (see the
+.Sx BUGS
+section for limitations).
+.It Xo
+.Fl z
+.Xc
+The opposite of
+.Fl x .
+This is the default, but encryption can be enabled when using
+Kerberos 5, by setting the 
+.Li libdefaults/encrypt
+option in
+.Xr krb5.conf 5 .
+.It Xo
+.Fl f Ns ,
+.Fl -forward
+.Xc
+Forward Kerberos 5 credentials to the remote host. Also controlled by 
+.Li libdefaults/forward
+in 
+.Xr krb5.conf 5 .
+.It Xo
+.Fl G
+.Xc
+The opposite of 
+.Fl f .
+.It Xo
+.Fl F Ns ,
+.Fl -forwardable
+.Xc
+Make the forwarded credentials re-forwardable. Also controlled by 
+.Li libdefaults/forwardable
+in 
+.Xr krb5.conf 5 .
+.It Xo
+.Fl u Ns ,
+.Fl -unique
+.Xc
+Make sure the remote credentials cache is unique, that is, don't reuse
+any existing cache. Mutually exclusive to
+.Fl U .
+.It Xo
+.Fl U Pa string Ns ,
+.Fl -tkfile= Ns Pa string
+.Xc
+Name of the remote credentials cache. Mutually exclusive to
+.Fl u .
+.It Xo
+.Fl p Ar number-or-service Ns ,
+.Fl -port= Ns Ar number-or-service
+.Xc
+Connect to this port instead of the default (which is 514 when using
+old port based authentication, 544 for Kerberos 5 and non-encrypted
+Kerberos 4, and 545 for encrytpted Kerberos 4; subject of course to
+the contents of
+.Pa /etc/services ) .
+.It Xo
+.Fl l Ar string Ns ,
+.Fl -user= Ns Ar string
+.Xc
+By default the remote username is the same as the local. The
+.Fl l
+option or the
+.Pa username@host
+format allow the remote name to be specified.
+.El
+.\".Pp
+.\"Without a 
+.\".Ar command 
+.\".Nm
+.\"will just exec
+.\".Xr rlogin 1
+.\"with the same arguments.
+.Sh EXAMPLES
+Care should be taken when issuing commands containing shell meta
+characters. Without quoting these will be expanded on the local
+machine.
+.Pp
+The following command:
+.Pp
+.Dl rsh otherhost cat remotefile > localfile
+.Pp
+will write the contents of the remote
+.Pa remotefile
+to the local
+.Pa localfile ,
+but:
+.Pp
+.Dl rsh otherhost 'cat remotefile > remotefile2'
+.Pp
+will write it to the remote
+.Pa remotefile2 .
+.\".Sh ENVIRONMENT
+.Sh FILES
+.Bl -tag -width /etc/hosts -compact
+.It Pa /etc/hosts
+.El
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr rlogin 1 ,
+.Xr krb_realmofhost 3 ,
+.Xr krb_sendauth 3 ,
+.Xr hosts.equiv 5 ,
+.Xr krb5.conf 5 ,
+.Xr rhosts 5 ,
+.Xr kerberos 8
+.Xr rshd 8
+.\".Sh STANDARDS
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
+.Sh AUTHORS
+This implementation of
+.Nm
+was written as part of the Heimdal Kerberos 5 implementation.
+.Sh BUGS
+Some shells (notably
+.Xr csh 1 )
+will cause 
+.Nm 
+to block if run in the background, unless the standard input is directed away from the terminal. This is what the 
+.Fl n
+option is for.
+.Pp
+The 
+.Fl x
+options enables encryption for the session, but for both Kerberos 4
+and 5 the actual command is sent unencrypted, so you should not send
+any secret information in the command line (which is probably a bad
+idea anyway, since the command line can usually be read with tools
+like
+.Xr ps 1 ) .
+Forthermore in Kerberos 4 the command is not even integrity
+protected, so anyone with the right tools can modify the command.
diff --git a/crypto/heimdal/appl/rsh/rshd.8 b/crypto/heimdal/appl/rsh/rshd.8
new file mode 100644
index 000000000000..5b65e1b7fa1f
--- /dev/null
+++ b/crypto/heimdal/appl/rsh/rshd.8
@@ -0,0 +1,130 @@
+.\" Things to fix:
+.\"   * remove Op from mandatory flags
+.\"   * use better macros for arguments (like .Pa for files)
+.\"
+.Dd July 31, 2001
+.Dt RSHD 8
+.Os HEIMDAL
+.Sh NAME
+.Nm rshd
+.Nd
+remote shell server
+.Sh SYNOPSIS
+.Nm
+.Op Fl aiklnvxPL
+.Op Fl p Ar port
+.Sh DESCRIPTION
+.Nm
+is the server for
+the
+.Xr rsh 1
+program. It provides an authenticated remote command execution
+service.  Supported options are:
+.Bl -tag -width Ds
+.It Xo
+.Fl n Ns ,
+.Fl -no-keepalive
+.Xc
+Disables keep-alive messages. Keep-alives are packets sent a certain
+interval to make sure that the client is still there, even when it
+doesn't send any data.
+.It Xo
+.Fl k Ns ,
+.Fl -kerberos
+.Xc
+Assume that clients connecting to this server will use some form of
+Kerberos authentication. See the
+.Sx EXAMPLES
+section for a sample 
+.Xr inetd.conf 5 
+configuration.
+.It Xo
+.Fl x Ns ,
+.Fl -encrypt
+.Xc
+For Kerberos 4 this means that the connections are encrypted. Kerberos
+5 will negotiate encryption inline. This option implies
+.Fl k .
+.\".It Xo
+.\".Fl l Ns ,
+.\".Fl -no-rhosts
+.\".Xc
+.\"When using old port-based authentication, the user's
+.\".Pa .rhosts
+.\"files are normally checked. This options disables this.
+.It Xo
+.Fl v Ns ,
+.Fl -vacuous
+.Xc
+If the connecting client does not use any Kerberised authentication,
+print a message that complains about this fact, and exit. This is
+helpful if you want to move away from old port-based authentication.
+.It Xo
+.Fl P
+.Xc
+When using the AFS filesystem, users' authentication tokens are put in
+something called a PAG (Process Authentication Group). Multiple
+processes can share a PAG, but normally each login session has its own
+PAG. This option disables the
+.Fn setpag
+call, so all tokens will be put in the default (uid-based) PAG, making
+it possible to share tokens between sessions. This is only useful in
+peculiar environments, such as some batch systems.
+.It Xo
+.Fl i Ns ,
+.Fl -no-inetd
+.Xc
+The 
+.Fl i 
+option will cause
+.Nm 
+to create a socket, instead of assuming that its stdin came from 
+.Xr inetd 8 .
+This is mostly useful for debugging.
+.It Xo
+.Fl p Ar port Ns ,
+.Fl -port= Ns Ar port
+.Xc
+Port to use with 
+.Fl i .
+.It Xo
+.Fl a
+.Xc
+This flag is for backwards compatibility only.
+.It Xo
+.Fl L
+.Xc
+This flag enables logging of connections to
+.Xr syslogd 8 . 
+This option is always on in this implementation.
+.El
+.\".Sh ENVIRONMENT
+.Sh FILES
+.Bl -tag -width /etc/hosts.equiv -compact
+.It Pa /etc/hosts.equiv
+.It Pa ~/.rhosts
+.El
+.Sh EXAMPLES
+The following can be used to enable Kerberised rsh in
+.Xr inetd.cond 5 , 
+while disabling non-Kerberised connections:
+.Bd -literal
+shell   stream  tcp  nowait  root  /usr/libexec/rshd  rshd -v
+kshell  stream  tcp  nowait  root  /usr/libexec/rshd  rshd -k
+ekshell stream  tcp  nowait  root  /usr/libexec/rshd  rshd -kx
+.Ed
+.\".Sh DIAGNOSTICS
+.Sh SEE ALSO
+.Xr rsh 1 ,
+.Xr iruserok 3
+.\".Sh STANDARDS
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.2 .
+.Sh AUTHORS
+This implementation of
+.Nm
+was written as part of the Heimdal Kerberos 5 implementation.
+.\".Sh BUGS
diff --git a/crypto/heimdal/cf/broken-getaddrinfo.m4 b/crypto/heimdal/cf/broken-getaddrinfo.m4
new file mode 100644
index 000000000000..9a3f77660cee
--- /dev/null
+++ b/crypto/heimdal/cf/broken-getaddrinfo.m4
@@ -0,0 +1,24 @@
+dnl $Id: broken-getaddrinfo.m4,v 1.2 2001/08/22 01:05:29 assar Exp $
+dnl
+dnl test if getaddrinfo can handle numeric services
+
+AC_DEFUN(rk_BROKEN_GETADDRINFO,[
+AC_CACHE_CHECK([if getaddrinfo handles numeric services], ac_cv_func_getaddrinfo_numserv,
+AC_TRY_RUN([[#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+
+int
+main(int argc, char **argv)
+{
+	struct addrinfo hints, *ai;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_flags = AI_PASSIVE;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_family = PF_UNSPEC;
+	if(getaddrinfo(NULL, "17", &hints, &ai) == EAI_SERVICE)
+		return 1;
+	return 0;
+}
+]], ac_cv_func_getaddrinfo_numserv=yes, ac_cv_func_getaddrinfo_numserv=no))])
diff --git a/crypto/heimdal/cf/check-compile-et.m4 b/crypto/heimdal/cf/check-compile-et.m4
new file mode 100644
index 000000000000..080faeb34582
--- /dev/null
+++ b/crypto/heimdal/cf/check-compile-et.m4
@@ -0,0 +1,77 @@
+dnl $Id: check-compile-et.m4,v 1.6 2001/09/02 17:08:48 assar Exp $
+dnl
+dnl CHECK_COMPILE_ET
+AC_DEFUN([CHECK_COMPILE_ET], [
+
+AC_CHECK_PROG(COMPILE_ET, compile_et, [compile_et])
+
+krb_cv_compile_et="no"
+if test "${COMPILE_ET}" = "compile_et"; then
+
+dnl We have compile_et.  Now let's see if it supports `prefix' and `index'.
+AC_MSG_CHECKING(whether compile_et has the features we need)
+cat > conftest_et.et <<'EOF'
+error_table conf
+prefix CONFTEST
+index 1
+error_code CODE1, "CODE1"
+index 128
+error_code CODE2, "CODE2"
+end
+EOF
+if ${COMPILE_ET} conftest_et.et >/dev/null 2>&1; then
+  dnl XXX Some systems have <et/com_err.h>.
+  save_CPPFLAGS="${save_CPPFLAGS}"
+  if test -d "/usr/include/et"; then
+    CPPFLAGS="-I/usr/include/et ${CPPFLAGS}"
+  fi
+  dnl Check that the `prefix' and `index' directives were honored.
+  AC_TRY_RUN([
+#include <com_err.h>
+#include <string.h>
+#include "conftest_et.h"
+int main(){return (CONFTEST_CODE2 - CONFTEST_CODE1) != 127;}
+  ], [krb_cv_compile_et="yes"],[CPPFLAGS="${save_CPPFLAGS}"])
+fi
+AC_MSG_RESULT(${krb_cv_compile_et})
+rm -fr conftest*
+fi
+
+if test "${krb_cv_compile_et}" = "yes"; then
+  dnl Since compile_et seems to work, let's check libcom_err
+  krb_cv_save_LIBS="${LIBS}"
+  LIBS="${LIBS} -lcom_err"
+  AC_MSG_CHECKING(for com_err)
+  AC_TRY_LINK([#include <com_err.h>],[
+    const char *p;
+    p = error_message(0);
+  ],[krb_cv_com_err="yes"],[krb_cv_com_err="no"; CPPFLAGS="${save_CPPFLAGS}"])
+  AC_MSG_RESULT(${krb_cv_com_err})
+  LIBS="${krb_cv_save_LIBS}"
+else
+  dnl Since compile_et doesn't work, forget about libcom_err
+  krb_cv_com_err="no"
+fi
+
+dnl Only use the system's com_err if we found compile_et, libcom_err, and
+dnl com_err.h.
+if test "${krb_cv_com_err}" = "yes"; then
+    DIR_com_err=""
+    LIB_com_err="-lcom_err"
+    LIB_com_err_a=""
+    LIB_com_err_so=""
+    AC_MSG_NOTICE(Using the already-installed com_err)
+else
+    COMPILE_ET="\$(top_builddir)/lib/com_err/compile_et"
+    DIR_com_err="com_err"
+    LIB_com_err="\$(top_builddir)/lib/com_err/libcom_err.la"
+    LIB_com_err_a="\$(top_builddir)/lib/com_err/.libs/libcom_err.a"
+    LIB_com_err_so="\$(top_builddir)/lib/com_err/.libs/libcom_err.so"
+    AC_MSG_NOTICE(Using our own com_err)
+fi
+AC_SUBST(DIR_com_err)
+AC_SUBST(LIB_com_err)
+AC_SUBST(LIB_com_err_a)
+AC_SUBST(LIB_com_err_so)
+
+])
diff --git a/crypto/heimdal/cf/crypto.m4 b/crypto/heimdal/cf/crypto.m4
new file mode 100644
index 000000000000..d16d348ec8fa
--- /dev/null
+++ b/crypto/heimdal/cf/crypto.m4
@@ -0,0 +1,119 @@
+dnl $Id: crypto.m4,v 1.7 2001/08/29 17:02:48 assar Exp $
+dnl
+dnl test for crypto libraries:
+dnl - libcrypto (from openssl)
+dnl - libdes (from krb4)
+dnl - own-built libdes
+
+AC_DEFUN([KRB_CRYPTO],[
+crypto_lib=unknown
+AC_WITH_ALL([openssl])
+
+DIR_des=
+
+AC_MSG_CHECKING([for crypto library])
+
+if test "$crypto_lib" = "unknown" -a "$with_openssl" != "no"; then
+
+  save_CPPFLAGS="$CPPFLAGS"
+  save_LIBS="$LIBS"
+  INCLUDE_des=
+  LIB_des=
+  if test "$with_openssl_include" != ""; then
+    INCLUDE_des="-I${with_openssl}/include"
+  fi
+  if test "$with_openssl_lib" != ""; then
+    LIB_des="-L${with_openssl}/lib"
+  fi
+  CPPFLAGS="${INCLUDE_des} ${CPPFLAGS}"
+  LIB_des="${LIB_des} -lcrypto"
+  LIB_des_a="$LIB_des"
+  LIB_des_so="$LIB_des"
+  LIB_des_appl="$LIB_des"
+  LIBS="${LIBS} ${LIB_des}"
+  AC_TRY_LINK([
+  #include <openssl/md4.h>
+  #include <openssl/md5.h>
+  #include <openssl/sha.h>
+  #include <openssl/des.h>
+  #include <openssl/rc4.h>
+  ],
+  [
+    MD4_CTX md4;
+    MD5_CTX md5;
+    SHA_CTX sha1;
+
+    MD4_Init(&md4);
+    MD5_Init(&md5);
+    SHA1_Init(&sha1);
+
+    des_cbc_encrypt(0, 0, 0, 0, 0, 0);
+    RC4(0, 0, 0, 0);
+  ], [
+  crypto_lib=libcrypto
+  AC_DEFINE([HAVE_OPENSSL], 1, [define to use openssl's libcrypto])
+  AC_MSG_RESULT([libcrypto])])
+  CPPFLAGS="$save_CPPFLAGS"
+  LIBS="$save_LIBS"
+fi
+
+if test "$crypto_lib" = "unknown" -a "$with_krb4" != "no"; then
+
+  save_CPPFLAGS="$CPPFLAGS"
+  save_LIBS="$LIBS"
+  INCLUDE_des="${INCLUDE_krb4}"
+  LIB_des=
+  if test "$krb4_libdir"; then
+    LIB_des="-L${krb4_libdir}"
+  fi
+  LIB_des="${LIB_des} -ldes"
+  CPPFLAGS="${CPPFLAGS} ${INCLUDE_des}"
+  LIBS="${LIBS} ${LIB_des}"
+  LIB_des_a="$LIB_des"
+  LIB_des_so="$LIB_des"
+  LIB_des_appl="$LIB_des"
+  LIBS="${LIBS} ${LIB_des}"
+  AC_TRY_LINK([
+  #undef KRB5 /* makes md4.h et al unhappy */
+  #define KRB4
+  #include <md4.h>
+  #include <md5.h>
+  #include <sha.h>
+  #include <des.h>
+  #include <rc4.h>
+  ],
+  [
+    MD4_CTX md4;
+    MD5_CTX md5;
+    SHA_CTX sha1;
+
+    MD4_Init(&md4);
+    MD5_Init(&md5);
+    SHA1_Init(&sha1);
+
+    des_cbc_encrypt(0, 0, 0, 0, 0, 0);
+    RC4(0, 0, 0, 0);
+  ], [crypto_lib=krb4; AC_MSG_RESULT([krb4's libdes])])
+  CPPFLAGS="$save_CPPFLAGS"
+  LIBS="$save_LIBS"
+fi
+
+if test "$crypto_lib" = "unknown"; then
+
+  DIR_des='des'
+  LIB_des='$(top_builddir)/lib/des/libdes.la'
+  LIB_des_a='$(top_builddir)/lib/des/.libs/libdes.a'
+  LIB_des_so='$(top_builddir)/lib/des/.libs/libdes.so'
+  LIB_des_appl="-ldes"
+
+  AC_MSG_RESULT([included libdes])
+
+fi
+
+AC_SUBST(DIR_des)
+AC_SUBST(INCLUDE_des)
+AC_SUBST(LIB_des)
+AC_SUBST(LIB_des_a)
+AC_SUBST(LIB_des_so)
+AC_SUBST(LIB_des_appl)
+])
diff --git a/crypto/heimdal/cf/with-all.m4 b/crypto/heimdal/cf/with-all.m4
new file mode 100644
index 000000000000..1b9d39ff146d
--- /dev/null
+++ b/crypto/heimdal/cf/with-all.m4
@@ -0,0 +1,42 @@
+dnl
+dnl $Id: with-all.m4,v 1.1 2001/08/29 17:01:23 assar Exp $
+dnl
+
+dnl AC_WITH_ALL(name)
+
+AC_DEFUN([AC_WITH_ALL], [
+AC_ARG_WITH($1,
+	AC_HELP_STRING([--with-$1=dir],
+		[use $1 in dir]))
+
+AC_ARG_WITH($1-lib,
+	AC_HELP_STRING([--with-$1-lib=dir],
+		[use $1 libraries in dir]),
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-lib])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+AC_ARG_WITH($1-include,
+	AC_HELP_STRING([--with-$1-include=dir],
+		[use $1 headers in dir]),
+[if test "$withval" = "yes" -o "$withval" = "no"; then
+  AC_MSG_ERROR([No argument for --with-$1-include])
+elif test "X$with_$1" = "X"; then
+  with_$1=yes
+fi])
+
+case "$with_$1" in
+yes)	;;
+no)	;;
+"")	;;
+*)	if test "$with_$1_include" = ""; then
+		with_$1_include="$with_$1/include"
+	fi
+	if test "$with_$1_lib" = ""; then
+		with_$1_lib="$with_$1/lib$abilibdirext"
+	fi
+	;;
+esac
+])
\ No newline at end of file
diff --git a/crypto/heimdal/compile b/crypto/heimdal/compile
new file mode 100755
index 000000000000..9bb997a6a9b4
--- /dev/null
+++ b/crypto/heimdal/compile
@@ -0,0 +1,99 @@
+#! /bin/sh
+
+# Wrapper for compilers which do not understand `-c -o'.
+
+# Copyright 1999, 2000 Free Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Usage:
+# compile PROGRAM [ARGS]...
+# `-o FOO.o' is removed from the args passed to the actual compile.
+
+prog=$1
+shift
+
+ofile=
+cfile=
+args=
+while test $# -gt 0; do
+   case "$1" in
+    -o)
+       # configure might choose to run compile as `compile cc -o foo foo.c'.
+       # So we do something ugly here.
+       ofile=$2
+       shift
+       case "$ofile" in
+	*.o | *.obj)
+	   ;;
+	*)
+	   args="$args -o $ofile"
+	   ofile=
+	   ;;
+       esac
+       ;;
+    *.c)
+       cfile=$1
+       args="$args $1"
+       ;;
+    *)
+       args="$args $1"
+       ;;
+   esac
+   shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+   # If no `-o' option was seen then we might have been invoked from a
+   # pattern rule where we don't need one.  That is ok -- this is a
+   # normal compilation that the losing compiler can handle.  If no
+   # `.c' file was seen then we are probably linking.  That is also
+   # ok.
+   exec "$prog" $args
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use `[/.-]' here to ensure that we don't use the same name
+# that we are using for the .o file.  Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
+while true; do
+   if mkdir $lockdir > /dev/null 2>&1; then
+      break
+   fi
+   sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir $lockdir; exit 1" 1 2 15
+
+# Run the compile.
+"$prog" $args
+status=$?
+
+if test -f "$cofile"; then
+   mv "$cofile" "$ofile"
+fi
+
+rmdir $lockdir
+exit $status
diff --git a/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt b/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt
new file mode 100644
index 000000000000..a6dec9d1e076
--- /dev/null
+++ b/crypto/heimdal/doc/standardisation/draft-ietf-krb-wg-krb-dns-locate-02.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+INTERNET-DRAFT                                             Ken Hornstein
+<draft-ietf-krb-wg-krb-dns-locate-02.txt>                            NRL
+February 28, 2001                                         Jeffrey Altman
+Expires: August 28, 2001                             Columbia University
+
+
+
+          Distributing Kerberos KDC and Realm Information with DNS
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Distribution of this memo is unlimited.  It is filed as <draft-ietf-
+   krb-wg-krb-dns-locate-02.txt>, and expires on August 28, 2001.
+   Please send comments to the authors.
+
+Abstract
+
+   Neither the Kerberos V5 protocol [RFC1510] nor the Kerberos V4 proto-
+   col [RFC????] describe any mechanism for clients to learn critical
+   configuration information necessary for proper operation of the pro-
+   tocol.  Such information includes the location of Kerberos key dis-
+   tribution centers or a mapping between DNS domains and Kerberos
+   realms.
+
+   Current Kerberos implementations generally store such configuration
+   information in a file on each client machine.  Experience has shown
+   this method of storing configuration information presents problems
+   with out-of-date information and scaling problems, especially when
+
+
+
+Hornstein, Altman                                               [Page 1]
+
+RFC DRAFT                                              February 28, 2001
+
+
+   using cross-realm authentication.
+
+   This memo describes a method for using the Domain Name System
+   [RFC1035] for storing such configuration information.  Specifically,
+   methods for storing KDC location and hostname/domain name to realm
+   mapping information are discussed.
+
+DNS vs. Kerberos - Case Sensitivity of Realm Names
+
+   In Kerberos, realm names are case sensitive.  While it is strongly
+   encouraged that all realm names be all upper case this recommendation
+   has not been adopted by all sites.  Some sites use all lower case
+   names and other use mixed case.  DNS on the other hand is case insen-
+   sitive for queries but is case preserving for responses to TXT
+   queries.  Since "MYREALM", "myrealm", and "MyRealm" are all different
+   it is necessary that only one of the possible combinations of upper
+   and lower case characters be used.  This restriction may be lifted in
+   the future as the DNS naming scheme is expanded to support non-ASCII
+   names.
+
+Overview - KDC location information
+
+   KDC location information is to be stored using the DNS SRV RR [RFC
+   2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for Kerberos is always "_kerberos".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_udp" record MUST be included.  If the Kerberos implementa-
+   tion supports TCP transport, a "_tcp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, and Target have the standard mean-
+   ing as defined in RFC 2052.
+
+   As per RFC 2052 the Port number should be the value assigned to "ker-
+   beros" by the Internet Assigned Number Authority (88).
+
+Example - KDC location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has two Ker-
+   beros servers, kdc1.asdf.com and kdc2.asdf.com.  Queries should be
+   directed to kdc1.asdf.com first as per the specified priority.
+   Weights are not used in these records.
+
+
+
+
+Hornstein, Altman                                               [Page 2]
+
+RFC DRAFT                                              February 28, 2001
+
+
+   _kerberos._udp.ASDF.COM.        IN      SRV     0 0 88 kdc1.asdf.com.
+   _kerberos._udp.ASDF.COM.        IN      SRV     1 0 88 kdc2.asdf.com.
+
+Overview - Kerberos password changing server location information
+
+   Kerberos password changing server [KERB-CHG] location is to be stored
+   using the DNS SRV RR [RFC 2052].  The format of this RR is as fol-
+   lows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for the password server is always "_kpasswd".
+
+   The Proto MUST be "_udp".
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, and Target have the standard mean-
+   ing as defined in RFC 2052.
+
+   As per RFC 2052 the Port number should be the value assigned to
+   "kpasswd" by the Internet Assigned Number Authority (464).
+
+Overview - Kerberos admin server location information
+
+   Kerberos admin location information is to be stored using the DNS SRV
+   RR [RFC 2052].  The format of this RR is as follows:
+
+   Service.Proto.Realm TTL Class SRV Priority Weight Port Target
+
+   The Service name for the admin server is always "_kerberos-adm".
+
+   The Proto can be either "_udp" or "_tcp".  If these records are to be
+   used, a "_tcp" record MUST be included.  If the Kerberos admin imple-
+   mentation supports UDP transport, a "_udp" record SHOULD be included.
+
+   The Realm is the Kerberos realm that this record corresponds to.
+
+   TTL, Class, SRV, Priority, Weight, and Target have the standard mean-
+   ing as defined in RFC 2052.
+
+   As per RFC 2052 the Port number should be the value assigned to
+   "kerberos-adm" by the Internet Assigned Number Authority (749).
+
+   Note that there is no formal definition of a Kerberos admin protocol,
+   so the use of this record is optional and implementation-dependent.
+
+
+
+
+
+Hornstein, Altman                                               [Page 3]
+
+RFC DRAFT                                              February 28, 2001
+
+
+Example - Kerberos administrative server location information
+
+   These are DNS records for a Kerberos realm ASDF.COM.  It has one
+   administrative server, kdc1.asdf.com.
+
+   _kerberos-adm._tcp.ASDF.COM.    IN      SRV     0 0 749 kdc1.asdf.com.
+
+Overview - Hostname/domain name to Kerberos realm mapping
+
+   Information on the mapping of DNS hostnames and domain names to Ker-
+   beros realms is stored using DNS TXT records [RFC 1035].  These
+   records have the following format.
+
+   Service.Name TTL Class TXT Realm
+
+   The Service field is always "_kerberos", and prefixes all entries of
+   this type.
+
+   The Name is a DNS hostname or domain name.  This is explained in
+   greater detail below.
+
+   TTL, Class, and TXT have the standard DNS meaning as defined in RFC
+   1035.
+
+   The Realm is the data for the TXT RR, and consists simply of the Ker-
+   beros realm that corresponds to the Name specified.
+
+   When a Kerberos client wishes to utilize a host-specific service, it
+   will perform a DNS TXT query, using the hostname in the Name field of
+   the DNS query.  If the record is not found, the first label of the
+   name is stripped and the query is retried.
+
+   Compliant implementations MUST query the full hostname and the most
+   specific domain name (the hostname with the first label removed).
+   Compliant implementations SHOULD try stripping all subsequent labels
+   until a match is found or the Name field is empty.
+
+Example - Hostname/domain name to Kerberos realm mapping
+
+   For the previously mentioned ASDF.COM realm and domain, some sample
+   records might be as follows:
+
+   _kerberos.asdf.com.             IN      TXT     "ASDF.COM"
+   _kerberos.mrkserver.asdf.com.   IN      TXT     "MARKETING.ASDF.COM"
+   _kerberos.salesserver.asdf.com. IN      TXT     "SALES.ASDF.COM"
+
+   Let us suppose that in this case, a Kerberos client wishes to use a
+   Kerberized service on the host foo.asdf.com.  It would first query:
+
+
+
+Hornstein, Altman                                               [Page 4]
+
+RFC DRAFT                                              February 28, 2001
+
+
+   _kerberos.foo.asdf.com. IN TXT
+
+   Finding no match, it would then query:
+
+   _kerberos.asdf.com. IN TXT
+
+   And find an answer of ASDF.COM.  This would be the realm that
+   foo.asdf.com resides in.
+
+   If another Kerberos client wishes to use a Kerberized service on the
+   host salesserver.asdf.com, it would query:
+
+   _kerberos.salesserver.asdf.com IN TXT
+
+   And find an answer of SALES.ASDF.COM.
+
+Security considerations
+
+   As DNS is deployed today, it is an unsecure service.  Thus the infor-
+   mation returned by it cannot be trusted.
+
+   Current practice for REALM to KDC mapping is to use hostnames to
+   indicate KDC hosts (stored in some implementation-dependent location,
+   but generally a local config file).  These hostnames are vulnerable
+   to the standard set of DNS attacks (denial of service, spoofed
+   entries, etc).  The design of the Kerberos protocol limits attacks of
+   this sort to denial of service.  However, the use of SRV records does
+   not change this attack in any way.  They have the same vulnerabili-
+   ties that already exist in the common practice of using hostnames for
+   KDC locations.
+
+   Current practice for HOSTNAME to REALM mapping is to provide a local
+   configuration of mappings of hostname or domain name to realm which
+   are then mapped to KDCs.  But this again is vulnerable to spoofing
+   via CNAME records that point to hosts in other domains.  This has the
+   same effect as when a TXT record is spoofed.  In a realm with no
+   cross-realm trusts this is a DoS attack.  However, when cross-realm
+   trusts are used it is possible to redirect a client to use a comprom-
+   ised realm.
+
+   This is not an exploit of the Kerberos protocol but of the Kerberos
+   trust model.  The same can be done to any application that must
+   resolve the hostname in order to determine which domain a non-FQDN
+   belongs to.
+
+   Implementations SHOULD provide a way of specifying this information
+   locally without the use of DNS.  However, to make this feature
+   worthwhile a lack of any configuration information on a client should
+
+
+
+Hornstein, Altman                                               [Page 5]
+
+RFC DRAFT                                              February 28, 2001
+
+
+   be interpretted as permission to use DNS.
+
+Expiration
+
+   This Internet-Draft expires on August 28, 2001.
+
+References
+
+
+   [RFC1510]
+        The Kerberos Network Authentication System; Kohl, Newman; Sep-
+        tember 1993.
+
+   [RFC1035]
+        Domain Names - Implementation and Specification; Mockapetris;
+        November 1987
+
+   [RFC2782]
+        A DNS RR for specifying the location of services (DNS SRV); Gul-
+        brandsen, Vixie; Feburary 2000
+
+   [KERB-CHG]
+        Kerberos Change Password Protocol; Horowitz;
+        ftp://ds.internic.net/internet-drafts/draft-ietf-cat-kerb-chg-
+        password-02.txt
+
+Authors' Addresses
+
+   Ken Hornstein
+   US Naval Research Laboratory
+   Bldg A-49, Room 2
+   4555 Overlook Avenue
+   Washington DC  20375 USA
+
+   Phone: +1 (202) 404-4765
+   EMail: kenh@cmf.nrl.navy.mil
+
+   Jeffrey Altman
+   The Kermit Project
+   Columbia University
+   612 West 115th Street #716
+   New York NY 10025-7799 USA
+
+   Phone: +1 (212) 854-1344
+   EMail: jaltman@columbia.edu
+
+
+
+
+
+
+Hornstein, Altman                                               [Page 6]
+
diff --git a/crypto/heimdal/lib/auth/sia/make-rpath b/crypto/heimdal/lib/auth/sia/make-rpath
new file mode 100755
index 000000000000..2223aa00b00e
--- /dev/null
+++ b/crypto/heimdal/lib/auth/sia/make-rpath
@@ -0,0 +1,34 @@
+#!/bin/sh
+# $Id: make-rpath,v 1.1 2001/07/17 15:15:31 assar Exp $
+rlist=
+rest=
+while test $# -gt 0; do
+case $1 in
+-R|-rpath)
+  if test "$rlist"; then
+    rlist="${rlist}:$2"
+  else
+    rlist="$2"
+  fi
+  shift 2
+  ;;
+-R*) 
+  d=`echo $1 | sed 's,^-R,,'`
+  if test "$rlist"; then
+    rlist="${rlist}:${d}"
+  else
+    rlist="${d}"
+  fi
+  shift
+  ;;
+*)
+  rest="${rest} $1"
+  shift
+  ;;
+esac
+done
+rpath=
+if test "$rlist"; then
+  rpath="-rpath $rlist "
+fi
+echo "${rpath}${rest}"
diff --git a/crypto/heimdal/lib/kafs/roken_rename.h b/crypto/heimdal/lib/kafs/roken_rename.h
new file mode 100644
index 000000000000..34f278c4b83b
--- /dev/null
+++ b/crypto/heimdal/lib/kafs/roken_rename.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* $Id: roken_rename.h,v 1.5 2001/11/01 22:33:40 assar Exp $ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+/*
+ * Libroken routines that are added libkafs
+ */
+
+#define _resolve_debug _roken_resolve_debug
+
+#define dns_free_data _kafs_dns_free_data
+#define dns_lookup _kafs_dns_lookup
+#define dns_string_to_type _kafs_dns_string_to_type
+#define dns_type_to_string _kafs_dns_type_to_string
+#define dns_srv_order _kafs_dns_srv_order
+
+#define strtok_r _kafs_strtok_r
+#define strlcpy _kafs_strlcpy
+#define strsep _kafs_strsep
+
+#endif /* __roken_rename_h__ */
diff --git a/crypto/heimdal/lib/krb5/k524_err.et b/crypto/heimdal/lib/krb5/k524_err.et
new file mode 100644
index 000000000000..2dc60f46ae2b
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/k524_err.et
@@ -0,0 +1,20 @@
+#
+# Error messages for the k524 functions
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: k524_err.et,v 1.1 2001/06/20 02:44:11 joda Exp $"
+
+error_table k524
+
+prefix KRB524
+error_code BADKEY,		"wrong keytype in ticket"
+error_code BADADDR,		"incorrect network address"
+error_code BADPRINC,		"cannot convert V5 principal"		#unused
+error_code BADREALM,		"V5 realm name longer than V4 maximum"	#unused
+error_code V4ERR,		"kerberos V4 error server"
+error_code ENCFULL,		"encoding too large at server"
+error_code DECEMPTY,		"decoding out of data"			#unused
+error_code NOTRESP,		"service not responding"		#unused
+end
+
diff --git a/crypto/heimdal/lib/krb5/keytab_any.c b/crypto/heimdal/lib/krb5/keytab_any.c
new file mode 100644
index 000000000000..5c6dde84a488
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/keytab_any.c
@@ -0,0 +1,254 @@
+/*
+ * Copyright (c) 2001, 2002 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: keytab_any.c,v 1.5 2002/02/11 14:05:37 joda Exp $");
+
+struct any_data {
+    krb5_keytab kt;
+    char *name;
+    struct any_data *next;
+};
+
+static void
+free_list (struct any_data *a)
+{
+    struct any_data *next;
+
+    for (; a != NULL; a = next) {
+	next = a->next;
+	free (a->name);
+	free (a);
+    }
+}
+
+static krb5_error_code
+any_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
+    struct any_data *a, *a0 = NULL, *prev = NULL;
+    krb5_error_code ret;
+    char buf[256];
+
+    while (strsep_copy(&name, ",", buf, sizeof(buf)) != -1) {
+	a = malloc(sizeof(*a));
+	if (a == NULL) {
+	    ret = ENOMEM;
+	    goto fail;
+	}
+	if (a0 == NULL) {
+	    a0 = a;
+	    a->name = strdup(buf);
+	    if (a->name == NULL) {
+		krb5_set_error_string(context, "malloc: out of memory");
+		ret = ENOMEM;
+		goto fail;
+	    }
+	} else
+	    a->name = NULL;
+	if (prev != NULL)
+	    prev->next = a;
+	a->next = NULL;
+	ret = krb5_kt_resolve (context, buf, &a->kt);
+	if (ret)
+	    goto fail;
+	prev = a;
+    }
+    if (a0 == NULL) {
+	krb5_set_error_string(context, "empty ANY: keytab");
+	return ENOENT;
+    }
+    id->data = a0;
+    return 0;
+ fail:
+    free_list (a0);
+    return ret;
+}
+
+static krb5_error_code
+any_get_name (krb5_context context,
+	      krb5_keytab id,
+	      char *name,
+	      size_t namesize)
+{
+    struct any_data *a = id->data;
+    strlcpy(name, a->name, namesize);
+    return 0;
+}
+
+static krb5_error_code
+any_close (krb5_context context,
+	   krb5_keytab id)
+{
+    struct any_data *a = id->data;
+
+    free_list (a);
+    return 0;
+}
+
+struct any_cursor_extra_data {
+    struct any_data *a;
+    krb5_kt_cursor cursor;
+};
+
+static krb5_error_code
+any_start_seq_get(krb5_context context, 
+		  krb5_keytab id, 
+		  krb5_kt_cursor *c)
+{
+    struct any_data *a = id->data;
+    struct any_cursor_extra_data *ed;
+    krb5_error_code ret;
+
+    c->data = malloc (sizeof(struct any_cursor_extra_data));
+    if(c->data == NULL){
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    ed = (struct any_cursor_extra_data *)c->data;
+    ed->a = a;
+    ret = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+    if (ret) {
+	free (c->data);
+	c->data = NULL;
+	return ret;
+    }
+    return 0;
+}
+
+static krb5_error_code
+any_next_entry (krb5_context context,
+		krb5_keytab id,
+		krb5_keytab_entry *entry,
+		krb5_kt_cursor *cursor)
+{
+    krb5_error_code ret, ret2;
+    struct any_cursor_extra_data *ed;
+
+    ed = (struct any_cursor_extra_data *)cursor->data;
+    do {
+	ret = krb5_kt_next_entry(context, ed->a->kt, entry, &ed->cursor);
+	if (ret == 0)
+	    return 0;
+	else if (ret == KRB5_CC_END) {
+	    ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor);
+	    if (ret2)
+		return ret2;
+	    while ((ed->a = ed->a->next) != NULL) {
+		ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+		if (ret2 == 0)
+		    break;
+	    }
+	    if (ed->a == NULL) {
+		krb5_clear_error_string (context);
+		return KRB5_CC_END;
+	    }
+	} else
+	    return ret;
+    } while (ret == KRB5_CC_END);
+    return ret;
+}
+
+static krb5_error_code
+any_end_seq_get(krb5_context context,
+		krb5_keytab id,
+		krb5_kt_cursor *cursor)
+{
+    krb5_error_code ret = 0;
+    struct any_cursor_extra_data *ed;
+
+    ed = (struct any_cursor_extra_data *)cursor->data;
+    if (ed->a != NULL)
+	ret = krb5_kt_end_seq_get(context, ed->a->kt, &ed->cursor);
+    free (ed);
+    cursor->data = NULL;
+    return ret;
+}
+
+static krb5_error_code
+any_add_entry(krb5_context context,
+	      krb5_keytab id,
+	      krb5_keytab_entry *entry)
+{
+    struct any_data *a = id->data;
+    krb5_error_code ret;
+    while(a != NULL) {
+	ret = krb5_kt_add_entry(context, a->kt, entry);
+	if(ret != 0 && ret != KRB5_KT_NOWRITE) {
+	    krb5_set_error_string(context, "failed to add entry to %s", 
+				  a->name);
+	    return ret;
+	}
+	a = a->next;
+    }
+    return 0;
+}
+
+static krb5_error_code
+any_remove_entry(krb5_context context,
+		 krb5_keytab id,
+		 krb5_keytab_entry *entry)
+{
+    struct any_data *a = id->data;
+    krb5_error_code ret;
+    int found = 0;
+    while(a != NULL) {
+	ret = krb5_kt_remove_entry(context, a->kt, entry);
+	if(ret == 0)
+	    found++;
+	else {
+	    if(ret != KRB5_KT_NOWRITE && ret != KRB5_KT_NOTFOUND) {
+		krb5_set_error_string(context, "failed to remove entry from %s", 
+				      a->name);
+		return ret;
+	    }
+	}
+	a = a->next;
+    }
+    if(!found)
+	return KRB5_KT_NOTFOUND;
+    return 0;
+}
+
+const krb5_kt_ops krb5_any_ops = {
+    "ANY",
+    any_resolve,
+    any_get_name,
+    any_close,
+    NULL, /* get */
+    any_start_seq_get,
+    any_next_entry,
+    any_end_seq_get,
+    any_add_entry,
+    any_remove_entry
+};
diff --git a/crypto/heimdal/lib/krb5/krb5.3 b/crypto/heimdal/lib/krb5/krb5.3
new file mode 100644
index 000000000000..830ee66ed2a3
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5.3
@@ -0,0 +1,150 @@
+.\" $Id: krb5.3,v 1.1 2001/11/20 22:19:10 assar Exp $
+.\"
+.Dd November 8, 2001
+.Dt KRB5 3
+.Os
+.Sh NAME
+.Nm krb5
+.Nd kerberos 5 library
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh DESCRIPTION
+These functions constitute the kerberos 5 library,
+.Em libkrb5 .
+Declarations for these functions may be obtained from the include file
+.Pa krb5/krb5.h .
+.Sh LIST OF FUNCTIONS
+.sp 2
+.nf
+.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u
+\fIName/Page\fP	\fIDescription\fP
+.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u+6nC
+.sp 5p
+krb5_425_conv_principal.3
+krb5_425_conv_principal_ext.3
+krb5_524_conv_principal.3
+krb5_addlog_dest.3
+krb5_addlog_func.3
+krb5_appdefault_boolean.3
+krb5_appdefault_string.3
+krb5_appdefault_time.3
+krb5_auth_con_free.3
+krb5_auth_con_genaddrs.3
+krb5_auth_con_getaddrs.3
+krb5_auth_con_getflags.3
+krb5_auth_con_getkey.3
+krb5_auth_con_getlocalsubkey.3
+krb5_auth_con_getrcache.3
+krb5_auth_con_getremotesubkey.3
+krb5_auth_con_getuserkey.3
+krb5_auth_con_init.3
+krb5_auth_con_initivector.3
+krb5_auth_con_setaddrs.3
+krb5_auth_con_setaddrs_from_fd.3
+krb5_auth_con_setflags.3
+krb5_auth_con_setivector.3
+krb5_auth_con_setkey.3
+krb5_auth_con_setlocalsubkey.3
+krb5_auth_con_setrcache.3
+krb5_auth_con_setremotesubkey.3
+krb5_auth_con_setuserkey.3
+krb5_auth_context.3
+krb5_auth_getauthenticator.3
+krb5_auth_getcksumtype.3
+krb5_auth_getkeytype.3
+krb5_auth_getlocalseqnumber.3
+krb5_auth_getremoteseqnumber.3
+krb5_auth_setcksumtype.3
+krb5_auth_setkeytype.3
+krb5_auth_setlocalseqnumber.3
+krb5_auth_setremoteseqnumber.3
+krb5_build_principal.3
+krb5_build_principal_ext.3
+krb5_build_principal_va.3
+krb5_build_principal_va_ext.3
+krb5_checksum_is_collision_proof.3
+krb5_checksum_is_keyed.3
+krb5_checksumsize.3
+krb5_closelog.3
+krb5_config_get_bool_default.3
+krb5_config_get_int_default.3
+krb5_config_get_string_default.3
+krb5_config_get_time_default.3
+krb5_context.3
+krb5_create_checksum.3
+krb5_crypto_destroy.3
+krb5_crypto_init.3
+krb5_decrypt.3
+krb5_decrypt_EncryptedData.3
+krb5_encrypt.3
+krb5_encrypt_EncryptedData.3
+krb5_err.3
+krb5_errx.3
+krb5_free_context.3
+krb5_free_krbhst.3
+krb5_free_principal.3
+krb5_get_all_client_addrs.3
+krb5_get_all_server_addrs.3
+krb5_get_krb524hst.3
+krb5_get_krb_admin_hst.3
+krb5_get_krb_changepw_hst.3
+krb5_get_krbhst.3
+krb5_init_context.3
+krb5_initlog.3
+krb5_keytab_entry.3
+krb5_krbhst_format_string.3
+krb5_krbhst_free.3
+krb5_krbhst_get_addrinfo.3
+krb5_krbhst_init.3
+krb5_krbhst_next.3
+krb5_krbhst_next_as_string.3
+krb5_krbhst_reset.3
+krb5_kt_add_entry.3
+krb5_kt_close.3
+krb5_kt_compare.3
+krb5_kt_copy_entry_contents.3
+krb5_kt_cursor.3
+krb5_kt_cursor.3
+krb5_kt_default.3
+krb5_kt_default_name.3
+krb5_kt_end_seq_get.3
+krb5_kt_free_entry.3
+krb5_kt_get_entry.3
+krb5_kt_get_name.3
+krb5_kt_next_entry.3
+krb5_kt_ops.3
+krb5_kt_read_service_key.3
+krb5_kt_register.3
+krb5_kt_remove_entry.3
+krb5_kt_resolve.3.3
+krb5_kt_start_seq_get
+krb5_log.3
+krb5_log_msg.3
+krb5_make_principal.3
+krb5_openlog.3
+krb5_parse_name.3
+krb5_principal.3
+krb5_principal_get_comp_string.3
+krb5_principal_get_realm.3
+krb5_set_warn_dest.3
+krb5_sname_to_principal.3
+krb5_sock_to_principal.3
+krb5_timeofday.3
+krb5_unparse_name.3
+krb5_us_timeofday.3
+krb5_verify_checksum.3
+krb5_verify_user.3
+krb5_verify_user_lrealm.3
+krb5_verr.3
+krb5_verrx.3
+krb5_vlog.3
+krb5_vlog_msg.3
+krb5_vwarn.3
+krb5_vwarnx.3
+krb5_warn.3
+krb5_warnx.3
+.ta
+.Fi
+.Sh SEE ALSO
+.Xr krb5.conf 5 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_free_addresses.3 b/crypto/heimdal/lib/krb5/krb5_free_addresses.3
new file mode 100644
index 000000000000..8148d94b79d4
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_free_addresses.3
@@ -0,0 +1,20 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_free_addresses.3,v 1.1 2001/11/20 20:50:52 assar Exp $
+.Dd November 20, 2001
+.Dt KRB5_FREE_ADDRESSES 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_free_addresses
+.Nd free list of addresses
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft void
+.Fn krb5_free_addresses "krb5_context context" "krb5_addresses *addresses"
+.Sh DESCRIPTION
+The 
+.Fn krb5_free_addresses
+will free a list of addresses that has been created with
+.Fn krb5_get_all_client_addrs
+or with some other function. 
+.Sh SEE ALSO
+.Xr krb5_get_all_client_addrs 3
diff --git a/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3 b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
new file mode 100644
index 000000000000..eb1ac4b99216
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_get_all_client_addrs.3
@@ -0,0 +1,39 @@
+.\" $Id: krb5_get_all_client_addrs.3,v 1.2 2001/11/09 09:33:52 joda Exp $
+.Dd July  1, 2001
+.Dt KRB5_GET_ADDRS 3
+.Sh NAME
+.Nm krb5_get_all_client_addrs ,
+.Nm krb5_get_all_server_addrs
+.Nd return local addresses
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft "krb5_error_code"
+.Fn krb5_get_all_client_addrs "krb5_context context" "krb5_addresses *addrs" 
+.Ft "krb5_error_code"
+.Fn krb5_get_all_server_addrs "krb5_context context" "krb5_addresses *addrs" 
+.Sh DESCRIPTION
+These functions return in 
+.Fa addrs
+a list of addresses associated with the local
+host.
+.Pp
+The server variant returns all configured interface addresses (if
+possible), including loop-back addresses. This is useful if you want
+to create sockets to listen to.
+.Pp
+The client version will also scan local interfaces (can be turned off
+by setting
+.Li libdefaults/scan_interfaces
+to false in 
+.Pa krb5.conf ) , 
+but will not include loop-back addresses, unless there are no other
+addresses found. It will remove all addresses included in
+.Li libdefaults/ignore_addresses
+but will unconditionally include addresses in
+.Li libdefaults/extra_addresses .
+.Pp
+The returned addresses should be freed by calling 
+.Fn krb5_free_addresses .
+.\".Sh EXAMPLE
+.Sh SEE ALSO
+.Xr krb5_free_addresses 3
diff --git a/crypto/heimdal/lib/krb5/krb5_get_krbhst.3 b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
new file mode 100644
index 000000000000..f1918a8015a2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_get_krbhst.3
@@ -0,0 +1,54 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_get_krbhst.3,v 1.2 2001/11/09 09:34:46 joda Exp $
+.Dd June 17, 2001
+.Dt KRB5_GET_KRBHST 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_get_krbhst
+.Nm krb5_get_krb_admin_hst
+.Nm krb5_get_krb_changepw_hst
+.Nm krb5_get_krb524hst
+.Nm krb5_free_krbhst
+.Nd lookup Kerberos KDC hosts
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_get_krbhst "krb5_context context" "const krb5_realm *realm" "char ***hostlist"
+.Ft krb5_error_code
+.Fn krb5_get_krb_admin_hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist"
+.Ft krb5_error_code
+.Fn krb5_get_krb_changepw_hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist"
+.Ft krb5_error_code
+.Fn krb5_get_krb524hst "krb5_context context" "const krb5_realm *realm" "char ***hostlist"
+.Ft krb5_error_code
+.Fn krb5_free_krbhst "krb5_context context" "char **hostlist"
+.Sh DESCRIPTION
+These functions implement the old API to get a list of Kerberos hosts,
+and are thus similar to the
+.Fn krb5_krbhst_init 
+functions. However, since these functions returns 
+.Em all
+hosts in one go, they potentially have to do more lookups than
+necessary. These functions remain for compatibility reasons.
+.Pp
+After a call to one of these functions,
+.Fa hostlist 
+is a
+.Dv NULL
+terminated list of strings, pointing to the requested Kerberos hosts. These should be freed with
+.Fn krb5_free_krbhst 
+when done with.
+.Sh EXAMPLE
+The following code will print the KDCs of the realm 
+.Dq MY.REALM .
+.Bd -literal -offset indent
+char **hosts, **p;
+krb5_get_krbhst(context, "MY.REALM", &hosts);
+for(p = hosts; *p; p++)
+    printf("%s\\n", *p);
+krb5_free_krbhst(context, hosts);
+.Ed
+.\" .Sh BUGS
+.Sh SEE ALSO
+.Xr krb5_krbhst_init 3
diff --git a/crypto/heimdal/lib/krb5/krb5_keytab.3 b/crypto/heimdal/lib/krb5/krb5_keytab.3
new file mode 100644
index 000000000000..9aa9ffff99fa
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_keytab.3
@@ -0,0 +1,358 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_keytab.3,v 1.3 2001/11/09 09:35:45 joda Exp $
+.Dd February 5, 2001
+.Dt KRB5_KEYTAB 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_kt_ops ,
+.Nm krb5_keytab_entry ,
+.Nm krb5_kt_cursor ,
+.Nm krb5_kt_add_entry ,
+.Nm krb5_kt_close ,
+.Nm krb5_kt_compare ,
+.Nm krb5_kt_copy_entry_contents ,
+.Nm krb5_kt_default ,
+.Nm krb5_kt_default_name ,
+.Nm krb5_kt_end_seq_get ,
+.Nm krb5_kt_free_entry ,
+.Nm krb5_kt_get_entry ,
+.Nm krb5_kt_get_name ,
+.Nm krb5_kt_next_entry ,
+.Nm krb5_kt_read_service_key ,
+.Nm krb5_kt_register ,
+.Nm krb5_kt_remove_entry ,
+.Nm krb5_kt_resolve ,
+.Nm krb5_kt_start_seq_get
+.Nd manage keytab (key storage) files
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Pp
+.Ft krb5_error_code
+.Fo krb5_kt_add_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_close
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fc
+.Ft krb5_boolean
+.Fo krb5_kt_compare
+.Fa "krb5_context context"
+.Fa "krb5_keytab_entry *entry"
+.Fa "krb5_const_principal principal"
+.Fa "krb5_kvno vno"
+.Fa "krb5_enctype enctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_copy_entry_contents
+.Fa "krb5_context context"
+.Fa "const krb5_keytab_entry *in"
+.Fa "krb5_keytab_entry *out"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_default
+.Fa "krb5_context context"
+.Fa "krb5_keytab *id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_default_name
+.Fa "krb5_context context"
+.Fa "char *name"
+.Fa "size_t namesize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_end_seq_get
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_kt_cursor *cursor"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_free_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_get_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_const_principal principal"
+.Fa "krb5_kvno kvno"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_get_name
+.Fa "krb5_context context"
+.Fa "krb5_keytab keytab"
+.Fa "char *name"
+.Fa "size_t namesize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_next_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_keytab_entry *entry"
+.Fa "krb5_kt_cursor *cursor"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_read_service_key
+.Fa "krb5_context context"
+.Fa "krb5_pointer keyprocarg"
+.Fa "krb5_principal principal"
+.Fa "krb5_kvno vno"
+.Fa "krb5_enctype enctype"
+.Fa "krb5_keyblock **key"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_register
+.Fa "krb5_context context"
+.Fa "const krb5_kt_ops *ops"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_remove_entry
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_keytab_entry *entry"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_resolve
+.Fa "krb5_context context"
+.Fa "const char *name"
+.Fa "krb5_keytab *id"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_kt_start_seq_get
+.Fa "krb5_context context"
+.Fa "krb5_keytab id"
+.Fa "krb5_kt_cursor *cursor"
+.Fc
+.Sh DESCRIPTION
+A keytab name is on the form
+.Li type:residual .
+The
+.Li residual
+part is specific to each keytab-type.
+.Pp
+When a keytab-name is resolved, the type is matched with an interal
+list of keytab types. If there is no matching keytab type,
+the default keytab is used. The current default type is
+.Nm file .
+The default value can be changed in the configuration file
+.Pa /etc/krb5.conf
+by setting the variable 
+.Li [defaults]default_keytab_name .
+.Pp
+The keytab types that are implemented in Heimdal
+are:
+.Bl -tag -width Ds
+.It Nm file
+store the keytab in a file, the type's name is
+.Li KEYFILE .
+The residual part is a filename.
+.It Nm keyfile
+store the keytab in a
+.Li AFS 
+keyfile (usually
+.Pa /usr/afs/etc/KeyFile ) ,
+the type's name is
+.Li AFSKEYFILE .
+The residual part is a filename.
+.It Nm krb4
+the keytab is a Kerberos 4
+.Pa srvtab
+that is on-the-fly converted to a keytab. The type's name is
+.Li krb4 .
+The residual part is a filename.
+.It Nm memory
+The keytab is stored in a memory segment. This allows sensitive and/or
+temporary data not to be stored on disk. The type's name is
+.Li MEMORY .
+There are no residual part, the only pointer back to the keytab is the
+.Fa id
+returned by
+.Fn krb5_kt_resolve .
+.El
+.Pp
+.Nm krb5_keytab_entry
+holds all data for an entry in a keytab file, like principal name,
+key-type, key, key-version number, etc.
+.Nm krb5_kt_cursor
+holds the current position that is used when iterating through a
+keytab entry with
+.Fn krb5_kt_start_seq_get , 
+.Fn krb5_kt_next_entry ,
+and
+.Fn krb5_kt_end_seq_get .
+.Pp
+.Nm krb5_kt_ops
+contains the different operations that can be done to a keytab. This
+structure is normally only used when doing a new keytab-type
+implementation.
+.Pp
+.Fn krb5_kt_resolve
+is the equvalent of an
+.Xr open 2
+on keytab. Resolve the keytab name in 
+.Fa name
+into a keytab in 
+.Fa id .
+Returns 0 or an error. The opposite of
+.Fn krb5_kt_resolve 
+is 
+.Fn krb5_kt_close .
+.Fn krb5_kt_close
+frees all resources allocated to the keytab.
+.Pp
+.Fn krb5_kt_default
+sets the argument 
+.Fa id
+to the default keytab.
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_default_name
+copy the name of the default keytab into
+.Fa name .
+Return 0 or KRB5_CONFIG_NOTENUFSPACE if 
+.Fa namesize
+is too short.
+.Pp
+.Fn krb5_kt_add_entry
+Add a new
+.Fa entry
+to the keytab 
+.Fa id .
+.Li KRB5_KT_NOWRITE
+is returned if the keytab is a readonly keytab.
+.Pp
+.Fn krb5_kt_compare
+compares the passed in 
+.Fa entry
+against
+.Fa principal ,
+.Fa vno ,
+and
+.Fa enctype .
+Any of 
+.Fa principal ,
+.Fa vno
+or
+.Fa enctype
+might be 0 which acts as a wildcard. Return TRUE if they compare the
+same, FALSE otherwise.
+.Pp
+.Fn krb5_kt_copy_entry_contents
+copies the contents of 
+.Fa in
+into 
+.Fa out .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_get_name
+retrieves the name of the keytab 
+.Fa keytab
+into 
+.Fa name ,
+.Fa namesize .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_free_entry
+frees the contents of 
+.Fa entry .
+.Pp
+.Fn krb5_kt_start_seq_get
+sets
+.Fa cursor
+to point at the beginning of 
+.Fa id .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_next_entry
+gets the next entry from 
+.Fa id
+pointed to by 
+.Fa cursor
+and advance the
+.Fa cursor .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_end_seq_get
+releases all resources associated with 
+.Fa cursor .
+.Pp
+.Fn krb5_kt_get_entry
+retrieves the keytab entry for 
+.Fa principal ,
+.Fa kvno, 
+.Fa enctype
+into 
+.Fa entry
+from the keytab 
+.Fa id .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_read_service_key
+reads the key identified by
+.Ns ( Fa principal ,
+.Fa vno ,
+.Fa enctype )
+from the keytab in 
+.Fa keyprocarg
+(the default if == NULL) into 
+.Fa *key .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_remove_entry
+removes the entry 
+.Fa entry
+from the keytab 
+.Fa id .
+Returns 0 or an error.
+.Pp
+.Fn krb5_kt_register
+registers a new keytab type
+.Fa ops .
+Returns 0 or an error.
+.Sh EXAMPLE
+This is a minimalistic version of
+.Nm ktutil .
+.Pp
+.Bd -literal
+int
+main (int argc, char **argv)
+{
+    krb5_context context;
+    krb5_keytab keytab;
+    krb5_kt_cursor cursor;
+    krb5_keytab_entry entry;
+    krb5_error_code ret;
+    char *principal;
+
+    if (krb5_init_context (&context) != 0)
+	errx(1, "krb5_context");
+    
+    ret = krb5_kt_default (context, &keytab);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_default");
+
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_start_seq_get");	
+    while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+	krb5_unparse_name_short(context, entry.principal, &principal);
+	printf("principal: %s\\n", principal);
+	free(principal);
+	krb5_kt_free_entry(context, &entry);
+    }
+    ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+    if (ret)
+	krb5_err(context, 1, ret, "krb5_kt_end_seq_get");	
+    krb5_free_context(context);
+    return 0;
+}
+.Ed
+.Sh SEE ALSO
+.Xr krb5.conf 5 ,
+.Xr kerberos 8
diff --git a/crypto/heimdal/lib/krb5/krb5_krbhst_init.3 b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
new file mode 100644
index 000000000000..109c64c9507c
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_krbhst_init.3
@@ -0,0 +1,120 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_krbhst_init.3,v 1.3 2001/11/09 09:36:24 joda Exp $
+.Dd June 17, 2001
+.Dt KRB5_KRBHST_INIT 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_krbhst_init ,
+.Nm krb5_krbhst_next ,
+.Nm krb5_krbhst_next_as_string ,
+.Nm krb5_krbhst_reset ,
+.Nm krb5_krbhst_free ,
+.Nm krb5_krbhst_format_string ,
+.Nm krb5_krbhst_get_addrinfo
+.Nd lookup Kerberos KDC hosts
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+
+.Ft krb5_error_code
+.Fn krb5_krbhst_init "krb5_context context" "const char *realm" "unsigned int type" "krb5_krbhst_handle *handle"
+.Ft krb5_error_code
+.Fn "krb5_krbhst_next" "krb5_context context" "krb5_krbhst_handle handle" "krb5_krbhst_info **host"
+.Ft krb5_error_code
+.Fn krb5_krbhst_next_as_string "krb5_context context" "krb5_krbhst_handle handle" "char *hostname" "size_t hostlen"
+.Ft void
+.Fn krb5_krbhst_reset "krb5_context context" "krb5_krbhst_handle handle"
+.Ft void
+.Fn krb5_krbhst_free "krb5_context context" "krb5_krbhst_handle handle"
+.Ft krb5_error_code
+.Fn krb5_krbhst_format_string "krb5_context context" "const krb5_krbhst_info *host" "char *hostname" "size_t hostlen"
+.Ft krb5_error_code
+.Fn krb5_krbhst_get_addrinfo "krb5_context context" "krb5_krbhst_info *host" "struct addrinfo **ai"
+.Sh DESCRIPTION
+These functions are used to sequence through all Kerberos hosts of a
+particular realm and service. The service type can be the KDCs, the
+administrative servers, the password changing servers, or the servers
+for Kerberos 4 ticket conversion.
+.Pp
+First a handle to a particular service is obtained by calling
+.Fn krb5_krbhst_init 
+with the 
+.Fa realm
+of interest and the type of service to lookup. The 
+.Fa type
+can be one of:
+.Pp
+.Bl -hang -compact -offset indent
+.It KRB5_KRBHST_KDC
+.It KRB5_KRBHST_ADMIN
+.It KRB5_KRBHST_CHANGEPW
+.It KRB5_KRBHST_KRB524
+.El
+.Pp
+The
+.Fa handle
+is returned to the caller, and should be passed to the other
+functions.
+.Pp
+For each call to 
+.Fn krb5_krbhst_next
+information a new host is returned. The former function returns in
+.Fa host
+a pointer to a structure containing information about the host, such
+as protocol, hostname, and port:
+.Bd -literal -offset indent
+typedef struct krb5_krbhst_info {
+    enum { KRB5_KRBHST_UDP,
+	   KRB5_KRBHST_TCP,
+	   KRB5_KRBHST_HTTP } proto;
+    unsigned short port;
+    struct addrinfo *ai;
+    struct krb5_krbhst_info *next;
+    char hostname[1];
+} krb5_krbhst_info;
+.Ed
+.Pp
+The related function, 
+.Fn krb5_krbhst_next_as_string ,
+return the same information as a url-like string.
+.Pp
+When there are no more hosts, these functions return
+.Dv KRB5_KDC_UNREACH .
+.Pp
+To re-iterate over all hosts, call
+.Fn krb5_krbhst_reset
+and the next call to 
+.Fn krb5_krbhst_next
+will return the first host.
+.Pp
+When done with the handle, 
+.Fn krb5_krbhst_free
+should be called.
+.Pp
+To use a
+.Va krb5_krbhst_info ,
+there are two functions:
+.Fn krb5_krbhst_format_string
+that will return a printable representation of that struct
+and
+.Fn krb5_krbhst_get_addrinfo
+that will return a
+.Va struct addrinfo
+that can then be used for communicating with the server mentioned.
+.Sh EXAMPLE
+The following code will print the KDCs of the realm 
+.Dq MY.REALM .
+.Bd -literal -offset indent
+krb5_krbhst_handle handle;
+char host[MAXHOSTNAMELEN];
+krb5_krbhst_init(context, "MY.REALM", KRB5_KRBHST_KDC, &handle);
+while(krb5_krbhst_next_as_string(context, handle, 
+				 host, sizeof(host)) == 0)
+    printf("%s\\n", host);
+krb5_krbhst_free(context, handle);
+.Ed
+.\" .Sh BUGS
+.Sh HISTORY
+These functions first appeared in Heimdal 0.3g.
+.Sh SEE ALSO
+.Xr getaddrinfo 3 ,
+.Xr krb5_get_krbhst 3
diff --git a/crypto/heimdal/lib/krb5/krb5_principal_get_realm.3 b/crypto/heimdal/lib/krb5/krb5_principal_get_realm.3
new file mode 100644
index 000000000000..07bffa47d86e
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_principal_get_realm.3
@@ -0,0 +1,48 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_principal_get_realm.3,v 1.2 2001/11/09 09:36:51 joda Exp $
+.Dd June 20, 2001
+.Dt KRB5_PRINCIPAL_GET_REALM 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_principal_get_realm ,
+.Nm krb5_principal_get_comp_string
+.Nd decompose a principal
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft "const char *"
+.Fn krb5_principal_get_realm "krb5_context context" "krb5_principal principal"
+.Ft "const char *"
+.Fn krb5_principal_get_comp_string "krb5_context context" "krb5_principal principal" "unsigned int component"
+.Sh DESCRIPTION
+These functions return parts of the
+.Fa principal ,
+either the realm or a specific component. The returned string points
+to data inside the principal, so they are valid only as long as the
+principal exists.
+.Pp
+The 
+.Fa component
+argument to
+.Fn krb5_principal_get_comp_string
+is the component number to return, from zero to the total number of
+components minus one. If a the requested component number is out of range, 
+.Dv NULL
+is returned.
+.Pp
+These functions can be seen as a replacement for the 
+.Fn krb5_princ_realm ,
+.Fn krb5_princ_component
+and related macros, described as intermal in the MIT API
+specification. A difference is that these functions return strings,
+not
+.Dv krb5_data .
+A reason to return 
+.Dv krb5_data 
+was that it was believed that principal components could contain
+binary data, but this belief was unfounded, and it has been decided
+that principal components are infact UTF8, so it's safe to use zero
+terminated strings.
+.Pp
+It's generally not necessary to look at the components of a principal.
+.Sh SEE ALSO
+.Xr krb5_unparse_name 3
diff --git a/crypto/heimdal/lib/krb5/krb5_timeofday.3 b/crypto/heimdal/lib/krb5/krb5_timeofday.3
new file mode 100644
index 000000000000..7b061757643d
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_timeofday.3
@@ -0,0 +1,23 @@
+.\" $Id: krb5_timeofday.3,v 1.1 2001/07/02 22:32:03 joda Exp $
+.Dd July  1, 2001
+.Dt KRB5_TIMEOFDAY 3
+.Sh NAME
+.Nm krb5_timeofday ,
+.Nm krb5_us_timeofday
+.Nd whatever these functions do
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft "krb5_error_code"
+.Fn krb5_timeofday "krb5_context context" "krb5_timestamp *timeret" 
+.Ft "krb5_error_code"
+.Fn krb5_us_timeofday "krb5_context context" "int32_t *sec" "int32_t *usec" 
+.Sh DESCRIPTION
+.Fn krb5_timeofday
+returns the current time, but adjusted with the time difference
+between the local host and the KDC.
+.Fn krb5_us_timeofday
+also returns microseconds.
+.Pp
+.\".Sh EXAMPLE
+.Sh SEE ALSO
+.Xr gettimeofday 2
diff --git a/crypto/heimdal/lib/krb5/krb5_verify_user.3 b/crypto/heimdal/lib/krb5/krb5_verify_user.3
new file mode 100644
index 000000000000..53385504d425
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krb5_verify_user.3
@@ -0,0 +1,85 @@
+.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
+.\" $Id: krb5_verify_user.3,v 1.2 2001/11/09 09:38:29 joda Exp $
+.Dd June 27, 2001
+.Dt KRB5_VERIFY_USER 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_verify_user ,
+.Nm krb5_verify_user_lrealm
+.Nd Heimdal password verifying functions
+.Sh SYNOPSIS
+.Fd #include <krb5.h>
+.Ft krb5_error_code
+.Fn "krb5_verify_user" "krb5_context context" " krb5_principal principal" "krb5_ccache ccache" "const char *password" "krb5_boolean secure" "const char *service"
+.Ft krb5_error_code
+.Fn "krb5_verify_user_lrealm" "krb5_context context" "krb5_principal principal" "krb5_ccache ccache" "const char *password" "krb5_boolean secure" "const char *service"
+.Sh DESCRIPTION
+The
+.Nm krb5_verify_user
+function verifies the password supplied by a user. 
+The principal whose
+password will be verified is specified in
+.Fa principal .
+New tickets will be obtained as a side-effect and stored in
+.Fa ccache
+(if NULL, the default ccache is used).
+If the password is not supplied in
+.Fa password
+(and is given as
+.Dv NULL )
+the user will be prompted for it.
+If
+.Fa secure
+the ticket will be verified against the locally stored service key
+.Fa service
+(by default
+.Ql host
+if given as
+.Dv NULL
+).
+.Pp
+The
+.Nm krb5_verify_user_lrealm
+function does the same, except that it ignores the realm in
+.Fa principal
+and tries all the local realms (see
+.Xr krb5.conf 5 ) .
+.Sh EXAMPLE
+Here is a example program that verifies a password. it uses the
+.Ql host/`hostname`
+service principal in
+.Pa krb5.keytab .
+.Bd -literal
+#include <krb5.h>
+
+int
+main(int argc, char **argv)
+{
+    char *user;
+    krb5_error_code error;
+    krb5_principal princ;
+    krb5_context context;
+
+    if (argc != 2)
+	errx(1, "usage: verify_passwd <principal-name>");
+
+    user = argv[1];
+
+    if (krb5_init_context(&context) < 0)
+	errx(1, "krb5_init_context");
+
+    if ((error = krb5_parse_name(context, user, &princ)) != 0)
+	krb5_err(context, 1, error, "krb5_parse_name");
+
+    error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL);
+    if (error)
+        krb5_err(context, 1, error, "krb5_verify_user");
+	
+    return 0;
+}
+.Ed
+.Sh SEE ALSO
+.Xr krb5_err 3 ,
+.Xr krb5_init_context 3 ,
+.Xr krb5_kt_default 3 ,
+.Xr krb5.conf 5
diff --git a/crypto/heimdal/lib/krb5/krbhst-test.c b/crypto/heimdal/lib/krb5/krbhst-test.c
new file mode 100644
index 000000000000..de858eeb08d2
--- /dev/null
+++ b/crypto/heimdal/lib/krb5/krbhst-test.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include "krb5_locl.h"
+
+RCSID("$Id: krbhst-test.c,v 1.2 2001/06/17 12:22:59 assar Exp $");
+
+int
+main(int argc, char **argv)
+{
+    int i, j;
+    krb5_context context;
+    int types[] = {KRB5_KRBHST_KDC, KRB5_KRBHST_ADMIN, KRB5_KRBHST_CHANGEPW,
+		   KRB5_KRBHST_KRB524};
+    const char *type_str[] = {"kdc", "admin", "changepw", "krb524"};
+    
+    krb5_init_context (&context);
+    for(i = 1; i < argc; i++) {
+	krb5_krbhst_handle handle;
+	char host[MAXHOSTNAMELEN];
+
+	for (j = 0; j < sizeof(types)/sizeof(*types); ++j) {
+	    printf ("%s for %s:\n", type_str[j], argv[i]);
+
+	    krb5_krbhst_init(context, argv[i], types[j], &handle);
+	    while(krb5_krbhst_next_as_string(context, handle,
+					     host, sizeof(host)) == 0)
+		printf("%s\n", host);
+	    krb5_krbhst_reset(context, handle);
+	    printf ("\n");
+	}
+    }
+    return 0;
+}
diff --git a/crypto/heimdal/lib/roken/base64-test.c b/crypto/heimdal/lib/roken/base64-test.c
new file mode 100644
index 000000000000..eace04b01a97
--- /dev/null
+++ b/crypto/heimdal/lib/roken/base64-test.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: base64-test.c,v 1.2 2001/05/29 13:12:21 assar Exp $");
+#endif
+
+#include <roken.h>
+#include <base64.h>
+
+int
+main(int argc, char **argv)
+{
+    int numerr = 0;
+    int numtest = 1;
+    struct test {
+	void *data;
+	size_t len;
+	const char *result;
+    } *t, tests[] = {
+	{ "", 0 , "" },
+	{ "1", 1, "MQ==" },
+	{ "22", 2, "MjI=" },
+	{ "333", 3, "MzMz" },
+	{ "4444", 4, "NDQ0NA==" },
+	{ "55555", 5, "NTU1NTU=" },
+	{ "abc:def", 7, "YWJjOmRlZg==" },
+	{ NULL }
+    };
+    for(t = tests; t->data; t++) {
+	char *str;
+	int len;
+	len = base64_encode(t->data, t->len, &str);
+	if(strcmp(str, t->result) != 0) {
+	    fprintf(stderr, "failed test %d: %s != %s\n", numtest, 
+		    str, t->result);
+	    numerr++;
+	}
+	free(str);
+	str = strdup(t->result);
+	len = base64_decode(t->result, str);
+	if(len != t->len) {
+	    fprintf(stderr, "failed test %d: len %d != %d\n", numtest,
+		    len, t->len);
+	    numerr++;
+	} else if(memcmp(str, t->data, t->len) != 0) {
+	    fprintf(stderr, "failed test %d: data\n", numtest);
+	    numerr++;
+	}
+	free(str);
+	numtest++;
+    }
+
+    {
+	char str[32];
+	if(base64_decode("M=M=", str) != -1) {
+	    fprintf(stderr, "failed test %d: successful decode of `M=M='\n", 
+		    numtest++);
+	    numerr++;
+	}
+	if(base64_decode("MQ===", str) != -1) {
+	    fprintf(stderr, "failed test %d: successful decode of `MQ==='\n", 
+		    numtest++);
+	    numerr++;
+	}
+    }
+    return numerr;
+}
diff --git a/crypto/heimdal/lib/roken/ecalloc.c b/crypto/heimdal/lib/roken/ecalloc.c
new file mode 100644
index 000000000000..142704f5afb8
--- /dev/null
+++ b/crypto/heimdal/lib/roken/ecalloc.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: ecalloc.c,v 1.1 2001/06/17 12:09:37 assar Exp $");
+#endif
+
+#include <stdlib.h>
+#include <err.h>
+
+#include <roken.h>
+
+/*
+ * Like calloc but never fails.
+ */
+
+void *
+ecalloc (size_t number, size_t size)
+{
+    void *tmp = calloc (number, size);
+
+    if (tmp == NULL && number * size != 0)
+	errx (1, "calloc %lu failed", (unsigned long)number * size);
+    return tmp;
+}
diff --git a/crypto/heimdal/lib/roken/getprogname.c b/crypto/heimdal/lib/roken/getprogname.c
new file mode 100644
index 000000000000..fcd4a40b5a29
--- /dev/null
+++ b/crypto/heimdal/lib/roken/getprogname.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
+#endif
+
+#include "roken.h"
+
+#ifndef HAVE___PROGNAME
+const char *__progname;
+#endif
+
+#ifndef HAVE_GETPROGNAME
+const char *
+getprogname(void)
+{
+    return __progname;
+}
+#endif /* HAVE_GETPROGNAME */
+
+const char *
+get_progname (void)
+{
+    return getprogname ();
+}
+
diff --git a/crypto/heimdal/lib/roken/h_errno.c b/crypto/heimdal/lib/roken/h_errno.c
new file mode 100644
index 000000000000..c2d4452c3280
--- /dev/null
+++ b/crypto/heimdal/lib/roken/h_errno.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: h_errno.c,v 1.1 2001/08/08 03:47:23 assar Exp $");
+#endif
+
+#ifndef HAVE_H_ERRNO
+int h_errno = -17; /* Some magic number */
+#endif
diff --git a/crypto/heimdal/lib/roken/hostent_find_fqdn.c b/crypto/heimdal/lib/roken/hostent_find_fqdn.c
new file mode 100644
index 000000000000..8e955a4c36f5
--- /dev/null
+++ b/crypto/heimdal/lib/roken/hostent_find_fqdn.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: hostent_find_fqdn.c,v 1.2 2001/07/10 11:58:23 assar Exp $");
+#endif
+
+#include "roken.h"
+
+/*
+ * Try to find a fqdn (with `.') in he if possible, else return h_name
+ */
+
+const char *
+hostent_find_fqdn (const struct hostent *he)
+{
+    const char *ret = he->h_name;
+    const char **h;
+
+    if (strchr (ret, '.') == NULL)
+	for (h = (const char **)he->h_aliases; *h != NULL; ++h) {
+	    if (strchr (*h, '.') != NULL) {
+		ret = *h;
+		break;
+	    }
+	}
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/localtime_r.c b/crypto/heimdal/lib/roken/localtime_r.c
new file mode 100644
index 000000000000..310e24b159fc
--- /dev/null
+++ b/crypto/heimdal/lib/roken/localtime_r.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: localtime_r.c,v 1.1 2001/10/21 23:24:33 assar Exp $");
+#endif
+
+#include <time.h>
+
+#ifndef HAVE_LOCALTIME_R
+
+struct tm *
+localtime_r(const time_t *timer, struct tm *result)
+{
+    struct tm *tm;
+    
+    tm = localtime((time_t *)timer);
+    if (tm == NULL)
+	return NULL;
+    *result = *tm;
+    return result;
+}
+
+#endif
diff --git a/crypto/heimdal/lib/roken/setprogname.c b/crypto/heimdal/lib/roken/setprogname.c
new file mode 100644
index 000000000000..e66deab8b17e
--- /dev/null
+++ b/crypto/heimdal/lib/roken/setprogname.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan 
+ * (Royal Institute of Technology, Stockholm, Sweden).  
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: setprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $");
+#endif
+
+#include "roken.h"
+
+#ifndef HAVE___PROGNAME
+extern const char *__progname;
+#endif
+
+#ifndef HAVE_SETPROGNAME
+void
+setprogname(const char *argv0)
+{
+#ifndef HAVE___PROGNAME
+    char *p;
+    if(argv0 == NULL)
+	return;
+    p = strrchr(argv0, '/');
+    if(p == NULL)
+	p = (char *)argv0;
+    else
+	p++;
+    __progname = p;
+#endif
+}
+#endif /* HAVE_SETPROGNAME */
+
+void
+set_progname(char *argv0)
+{
+    setprogname ((const char *)argv0);
+}
diff --git a/crypto/heimdal/lib/roken/snprintf-test.c b/crypto/heimdal/lib/roken/snprintf-test.c
new file mode 100644
index 000000000000..6904ba612fb9
--- /dev/null
+++ b/crypto/heimdal/lib/roken/snprintf-test.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include "roken.h"
+#include <limits.h>
+
+#include "snprintf-test.h"
+
+RCSID("$Id: snprintf-test.c,v 1.5 2001/09/13 01:01:16 assar Exp $");
+
+static int
+try (const char *format, ...)
+{
+    int ret;
+    va_list ap;
+    char buf1[256], buf2[256];
+
+    va_start (ap, format);
+    ret = vsnprintf (buf1, sizeof(buf1), format, ap);
+    if (ret >= sizeof(buf1))
+	errx (1, "increase buf and try again");
+    vsprintf (buf2, format, ap);
+    ret = strcmp (buf1, buf2);
+    if (ret)
+	printf ("failed: format = \"%s\", \"%s\" != \"%s\"\n",
+		format, buf1, buf2);
+    va_end (ap);
+    return ret;
+}
+
+static int
+cmp_with_sprintf_int (void)
+{
+    int tot = 0;
+    int int_values[] = {INT_MIN, -17, -1, 0, 1, 17, 4711, 65535, INT_MAX};
+    int i;
+
+    for (i = 0; i < sizeof(int_values) / sizeof(int_values[0]); ++i) {
+	tot += try ("%d", int_values[i]);
+	tot += try ("%x", int_values[i]);
+	tot += try ("%X", int_values[i]);
+	tot += try ("%o", int_values[i]);
+	tot += try ("%#x", int_values[i]);
+	tot += try ("%#X", int_values[i]);
+	tot += try ("%#o", int_values[i]);
+	tot += try ("%10d", int_values[i]);
+	tot += try ("%10x", int_values[i]);
+	tot += try ("%10X", int_values[i]);
+	tot += try ("%10o", int_values[i]);
+	tot += try ("%#10x", int_values[i]);
+	tot += try ("%#10X", int_values[i]);
+	tot += try ("%#10o", int_values[i]);
+	tot += try ("%-10d", int_values[i]);
+	tot += try ("%-10x", int_values[i]);
+	tot += try ("%-10X", int_values[i]);
+	tot += try ("%-10o", int_values[i]);
+	tot += try ("%-#10x", int_values[i]);
+	tot += try ("%-#10X", int_values[i]);
+	tot += try ("%-#10o", int_values[i]);
+    }
+    return tot;
+}
+
+static int
+cmp_with_sprintf_long (void)
+{
+    int tot = 0;
+    long long_values[] = {LONG_MIN, -17, -1, 0, 1, 17, 4711, 65535, LONG_MAX};
+    int i;
+
+    for (i = 0; i < sizeof(long_values) / sizeof(long_values[0]); ++i) {
+	tot += try ("%ld", long_values[i]);
+	tot += try ("%lx", long_values[i]);
+	tot += try ("%lX", long_values[i]);
+	tot += try ("%lo", long_values[i]);
+	tot += try ("%#lx", long_values[i]);
+	tot += try ("%#lX", long_values[i]);
+	tot += try ("%#lo", long_values[i]);
+	tot += try ("%10ld", long_values[i]);
+	tot += try ("%10lx", long_values[i]);
+	tot += try ("%10lX", long_values[i]);
+	tot += try ("%10lo", long_values[i]);
+	tot += try ("%#10lx", long_values[i]);
+	tot += try ("%#10lX", long_values[i]);
+	tot += try ("%#10lo", long_values[i]);
+	tot += try ("%-10ld", long_values[i]);
+	tot += try ("%-10lx", long_values[i]);
+	tot += try ("%-10lX", long_values[i]);
+	tot += try ("%-10lo", long_values[i]);
+	tot += try ("%-#10lx", long_values[i]);
+	tot += try ("%-#10lX", long_values[i]);
+	tot += try ("%-#10lo", long_values[i]);
+    }
+    return tot;
+}
+
+#ifdef HAVE_LONG_LONG
+
+static int
+cmp_with_sprintf_long_long (void)
+{
+    int tot = 0;
+    long long long_long_values[] = {
+	((long long)LONG_MIN) -1, LONG_MIN, -17, -1,
+	0,
+	1, 17, 4711, 65535, LONG_MAX, ((long long)LONG_MAX) + 1};
+    int i;
+
+    for (i = 0; i < sizeof(long_long_values) / sizeof(long_long_values[0]); ++i) {
+	tot += try ("%lld", long_long_values[i]);
+	tot += try ("%llx", long_long_values[i]);
+	tot += try ("%llX", long_long_values[i]);
+	tot += try ("%llo", long_long_values[i]);
+	tot += try ("%#llx", long_long_values[i]);
+	tot += try ("%#llX", long_long_values[i]);
+	tot += try ("%#llo", long_long_values[i]);
+	tot += try ("%10lld", long_long_values[i]);
+	tot += try ("%10llx", long_long_values[i]);
+	tot += try ("%10llX", long_long_values[i]);
+	tot += try ("%10llo", long_long_values[i]);
+	tot += try ("%#10llx", long_long_values[i]);
+	tot += try ("%#10llX", long_long_values[i]);
+	tot += try ("%#10llo", long_long_values[i]);
+	tot += try ("%-10lld", long_long_values[i]);
+	tot += try ("%-10llx", long_long_values[i]);
+	tot += try ("%-10llX", long_long_values[i]);
+	tot += try ("%-10llo", long_long_values[i]);
+	tot += try ("%-#10llx", long_long_values[i]);
+	tot += try ("%-#10llX", long_long_values[i]);
+	tot += try ("%-#10llo", long_long_values[i]);
+    }
+    return tot;
+}
+
+#endif
+
+#if 0
+static int
+cmp_with_sprintf_float (void)
+{
+    int tot = 0;
+    double double_values[] = {-99999, -999, -17.4, -4.3, -3.0, -1.5, -1,
+			      0, 0.1, 0.2342374852, 0.2340007,
+			      3.1415926, 14.7845, 34.24758, 9999, 9999999};
+    int i;
+
+    for (i = 0; i < sizeof(double_values) / sizeof(double_values[0]); ++i) {
+	tot += try ("%f", double_values[i]);
+	tot += try ("%10f", double_values[i]);
+	tot += try ("%.2f", double_values[i]);
+	tot += try ("%7.0f", double_values[i]);
+	tot += try ("%5.2f", double_values[i]);
+	tot += try ("%0f", double_values[i]);
+	tot += try ("%#f", double_values[i]);
+	tot += try ("%e", double_values[i]);
+	tot += try ("%10e", double_values[i]);
+	tot += try ("%.2e", double_values[i]);
+	tot += try ("%7.0e", double_values[i]);
+	tot += try ("%5.2e", double_values[i]);
+	tot += try ("%0e", double_values[i]);
+	tot += try ("%#e", double_values[i]);
+	tot += try ("%E", double_values[i]);
+	tot += try ("%10E", double_values[i]);
+	tot += try ("%.2E", double_values[i]);
+	tot += try ("%7.0E", double_values[i]);
+	tot += try ("%5.2E", double_values[i]);
+	tot += try ("%0E", double_values[i]);
+	tot += try ("%#E", double_values[i]);
+	tot += try ("%g", double_values[i]);
+	tot += try ("%10g", double_values[i]);
+	tot += try ("%.2g", double_values[i]);
+	tot += try ("%7.0g", double_values[i]);
+	tot += try ("%5.2g", double_values[i]);
+	tot += try ("%0g", double_values[i]);
+	tot += try ("%#g", double_values[i]);
+	tot += try ("%G", double_values[i]);
+	tot += try ("%10G", double_values[i]);
+	tot += try ("%.2G", double_values[i]);
+	tot += try ("%7.0G", double_values[i]);
+	tot += try ("%5.2G", double_values[i]);
+	tot += try ("%0G", double_values[i]);
+	tot += try ("%#G", double_values[i]);
+    }
+    return tot;
+}
+#endif
+
+static int
+test_null (void)
+{
+    return snprintf (NULL, 0, "foo") != 3;
+}
+
+int
+main (int argc, char **argv)
+{
+    int ret = 0;
+
+    ret += cmp_with_sprintf_int ();
+    ret += cmp_with_sprintf_long ();
+#ifdef HAVE_LONG_LONG
+    ret += cmp_with_sprintf_long_long ();
+#endif
+    ret += test_null ();
+    return ret;
+}
diff --git a/crypto/heimdal/lib/roken/snprintf-test.h b/crypto/heimdal/lib/roken/snprintf-test.h
new file mode 100644
index 000000000000..5eb591b2fe33
--- /dev/null
+++ b/crypto/heimdal/lib/roken/snprintf-test.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: snprintf-test.h,v 1.2 2001/07/19 18:39:14 assar Exp $ */
+
+#ifndef __SNPRINTF_TEST_H__
+#define __SNPRINTF_TEST_H__
+
+/*
+ * we cannot use the real names of the functions when testing, since
+ * they might have different prototypes as the system functions, hence
+ * these evil hacks
+ */
+
+#define snprintf test_snprintf
+#define asprintf test_asprintf
+#define asnprintf test_asnprintf
+#define vasprintf test_vasprintf
+#define vasnprintf test_vasnprintf
+#define vsnprintf test_vsnprintf
+
+#endif /* __SNPRINTF_TEST_H__ */
diff --git a/crypto/heimdal/ylwrap b/crypto/heimdal/ylwrap
new file mode 100755
index 000000000000..5ea68e4fcd33
--- /dev/null
+++ b/crypto/heimdal/ylwrap
@@ -0,0 +1,143 @@
+#! /bin/sh
+# ylwrap - wrapper for lex/yacc invocations.
+# Copyright 1996, 1997, 1998, 1999 Free Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Usage:
+#     ylwrap INPUT [OUTPUT DESIRED]... -- PROGRAM [ARGS]...
+# * INPUT is the input file
+# * OUTPUT is file PROG generates
+# * DESIRED is file we actually want
+# * PROGRAM is program to run
+# * ARGS are passed to PROG
+# Any number of OUTPUT,DESIRED pairs may be used.
+
+# The input.
+input="$1"
+shift
+case "$input" in
+ [\\/]* | ?:[\\/]*)
+    # Absolute path; do nothing.
+    ;;
+ *)
+    # Relative path.  Make it absolute.
+    input="`pwd`/$input"
+    ;;
+esac
+
+# The directory holding the input.
+input_dir=`echo "$input" | sed -e 's,\([\\/]\)[^\\/]*$,\1,'`
+# Quote $INPUT_DIR so we can use it in a regexp.
+# FIXME: really we should care about more than `.' and `\'.
+input_rx=`echo "$input_dir" | sed -e 's,\\\\,\\\\\\\\,g' -e 's,\\.,\\\\.,g'`
+
+echo "got $input_rx"
+
+pairlist=
+while test "$#" -ne 0; do
+   if test "$1" = "--"; then
+      shift
+      break
+   fi
+   pairlist="$pairlist $1"
+   shift
+done
+
+# The program to run.
+prog="$1"
+shift
+# Make any relative path in $prog absolute.
+case "$prog" in
+ [\\/]* | ?:[\\/]*) ;;
+ *[\\/]*) prog="`pwd`/$prog" ;;
+esac
+
+# FIXME: add hostname here for parallel makes that run commands on
+# other machines.  But that might take us over the 14-char limit.
+dirname=ylwrap$$
+trap "cd `pwd`; rm -rf $dirname > /dev/null 2>&1" 1 2 3 15
+mkdir $dirname || exit 1
+
+cd $dirname
+
+$prog ${1+"$@"} "$input"
+status=$?
+
+if test $status -eq 0; then
+   set X $pairlist
+   shift
+   first=yes
+   # Since DOS filename conventions don't allow two dots,
+   # the DOS version of Bison writes out y_tab.c instead of y.tab.c
+   # and y_tab.h instead of y.tab.h. Test to see if this is the case.
+   y_tab_nodot="no"
+   if test -f y_tab.c || test -f y_tab.h; then
+      y_tab_nodot="yes"
+   fi
+
+   while test "$#" -ne 0; do
+      from="$1"
+      # Handle y_tab.c and y_tab.h output by DOS
+      if test $y_tab_nodot = "yes"; then
+	 if test $from = "y.tab.c"; then
+	    from="y_tab.c"
+	 else
+	    if test $from = "y.tab.h"; then
+	       from="y_tab.h"
+	    fi
+	 fi
+      fi
+      if test -f "$from"; then
+         # If $2 is an absolute path name, then just use that,
+         # otherwise prepend `../'.
+         case "$2" in
+	   [\\/]* | ?:[\\/]*) target="$2";;
+	   *) target="../$2";;
+	 esac
+
+	 # Edit out `#line' or `#' directives.  We don't want the
+	 # resulting debug information to point at an absolute srcdir;
+	 # it is better for it to just mention the .y file with no
+	 # path.
+	 sed -e "/^#/ s,$input_rx,," "$from" > "$target" || status=$?
+      else
+	 # A missing file is only an error for the first file.  This
+	 # is a blatant hack to let us support using "yacc -d".  If -d
+	 # is not specified, we don't want an error when the header
+	 # file is "missing".
+	 if test $first = yes; then
+	    status=1
+	 fi
+      fi
+      shift
+      shift
+      first=no
+   done
+else
+   status=$?
+fi
+
+# Remove the directory.
+cd ..
+rm -rf $dirname
+
+exit $status