vendor/heimdal/7.8.0

77 files changed, 3543 insertions, 2743 deletions

diff --git a/lib/krb5/Makefile.in b/lib/krb5/Makefile.in
index 8107e6bcd60e..cc7f98b0d8ab 100644
--- a/lib/krb5/Makefile.in
+++ b/lib/krb5/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2017 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -121,7 +121,6 @@ subdir = lib/krb5
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/auth-modules.m4 \
-	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
 	$(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
@@ -171,6 +170,23 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" \
+	"$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
+	"$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" \
+	"$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" \
+	"$(DESTDIR)$(includedir)"
+am__EXEEXT_1 = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
+	n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
+	pseudo-random-test$(EXEEXT) store-test$(EXEEXT) \
+	string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
+	test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
+	test_fx$(EXEEXT) test_prf$(EXEEXT) test_store$(EXEEXT) \
+	test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
+	test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
+	test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
+	test_pknistkdf$(EXEEXT) test_time$(EXEEXT) \
+	test_expand_toks$(EXEEXT) test_x500$(EXEEXT)
+PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -198,11 +214,6 @@ am__uninstall_files_from_dir = { \
     || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
          $(am__cd) "$$dir" && rm -f $$files; }; \
   }
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
-	"$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
-	"$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" \
-	"$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" \
-	"$(DESTDIR)$(includedir)"
 LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 @have_scc_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
@@ -302,18 +313,6 @@ am_librfc3961_la_OBJECTS = librfc3961_la-crc.lo \
 	librfc3961_la-salt-des3.lo librfc3961_la-sp800-108-kdf.lo \
 	librfc3961_la-store-int.lo librfc3961_la-warn.lo
 librfc3961_la_OBJECTS = $(am_librfc3961_la_OBJECTS)
-am__EXEEXT_1 = aes-test$(EXEEXT) derived-key-test$(EXEEXT) \
-	n-fold-test$(EXEEXT) parse-name-test$(EXEEXT) \
-	pseudo-random-test$(EXEEXT) store-test$(EXEEXT) \
-	string-to-key-test$(EXEEXT) test_acl$(EXEEXT) \
-	test_addr$(EXEEXT) test_cc$(EXEEXT) test_config$(EXEEXT) \
-	test_fx$(EXEEXT) test_prf$(EXEEXT) test_store$(EXEEXT) \
-	test_crypto_wrapping$(EXEEXT) test_keytab$(EXEEXT) \
-	test_mem$(EXEEXT) test_pac$(EXEEXT) test_plugin$(EXEEXT) \
-	test_princ$(EXEEXT) test_pkinit_dh2key$(EXEEXT) \
-	test_pknistkdf$(EXEEXT) test_time$(EXEEXT) \
-	test_expand_toks$(EXEEXT) test_x500$(EXEEXT)
-PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
 aes_test_SOURCES = aes-test.c
 aes_test_OBJECTS = aes-test.$(OBJEXT)
 aes_test_LDADD = $(LDADD)
@@ -599,7 +598,185 @@ am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
 am__v_at_0 = @
 am__v_at_1 = 
 depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/aes-test.Po \
+	./$(DEPDIR)/derived-key-test.Po ./$(DEPDIR)/krbhst-test.Po \
+	./$(DEPDIR)/libkrb5_la-acache.Plo \
+	./$(DEPDIR)/libkrb5_la-acl.Plo \
+	./$(DEPDIR)/libkrb5_la-add_et_list.Plo \
+	./$(DEPDIR)/libkrb5_la-addr_families.Plo \
+	./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo \
+	./$(DEPDIR)/libkrb5_la-appdefault.Plo \
+	./$(DEPDIR)/libkrb5_la-asn1_glue.Plo \
+	./$(DEPDIR)/libkrb5_la-auth_context.Plo \
+	./$(DEPDIR)/libkrb5_la-build_ap_req.Plo \
+	./$(DEPDIR)/libkrb5_la-build_auth.Plo \
+	./$(DEPDIR)/libkrb5_la-cache.Plo \
+	./$(DEPDIR)/libkrb5_la-changepw.Plo \
+	./$(DEPDIR)/libkrb5_la-codec.Plo \
+	./$(DEPDIR)/libkrb5_la-config_file.Plo \
+	./$(DEPDIR)/libkrb5_la-constants.Plo \
+	./$(DEPDIR)/libkrb5_la-context.Plo \
+	./$(DEPDIR)/libkrb5_la-convert_creds.Plo \
+	./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo \
+	./$(DEPDIR)/libkrb5_la-crc.Plo \
+	./$(DEPDIR)/libkrb5_la-creds.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-algs.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-des.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-des3.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-evp.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-null.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-pk.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto-rand.Plo \
+	./$(DEPDIR)/libkrb5_la-crypto.Plo \
+	./$(DEPDIR)/libkrb5_la-data.Plo \
+	./$(DEPDIR)/libkrb5_la-db_plugin.Plo \
+	./$(DEPDIR)/libkrb5_la-dcache.Plo \
+	./$(DEPDIR)/libkrb5_la-deprecated.Plo \
+	./$(DEPDIR)/libkrb5_la-digest.Plo \
+	./$(DEPDIR)/libkrb5_la-doxygen.Plo \
+	./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo \
+	./$(DEPDIR)/libkrb5_la-enomem.Plo \
+	./$(DEPDIR)/libkrb5_la-error_string.Plo \
+	./$(DEPDIR)/libkrb5_la-expand_hostname.Plo \
+	./$(DEPDIR)/libkrb5_la-expand_path.Plo \
+	./$(DEPDIR)/libkrb5_la-fast.Plo \
+	./$(DEPDIR)/libkrb5_la-fcache.Plo \
+	./$(DEPDIR)/libkrb5_la-free.Plo \
+	./$(DEPDIR)/libkrb5_la-free_host_realm.Plo \
+	./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo \
+	./$(DEPDIR)/libkrb5_la-generate_subkey.Plo \
+	./$(DEPDIR)/libkrb5_la-get_addrs.Plo \
+	./$(DEPDIR)/libkrb5_la-get_cred.Plo \
+	./$(DEPDIR)/libkrb5_la-get_default_principal.Plo \
+	./$(DEPDIR)/libkrb5_la-get_default_realm.Plo \
+	./$(DEPDIR)/libkrb5_la-get_for_creds.Plo \
+	./$(DEPDIR)/libkrb5_la-get_host_realm.Plo \
+	./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo \
+	./$(DEPDIR)/libkrb5_la-get_port.Plo \
+	./$(DEPDIR)/libkrb5_la-heim_err.Plo \
+	./$(DEPDIR)/libkrb5_la-init_creds.Plo \
+	./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo \
+	./$(DEPDIR)/libkrb5_la-k524_err.Plo \
+	./$(DEPDIR)/libkrb5_la-kcm.Plo \
+	./$(DEPDIR)/libkrb5_la-keyblock.Plo \
+	./$(DEPDIR)/libkrb5_la-keytab.Plo \
+	./$(DEPDIR)/libkrb5_la-keytab_any.Plo \
+	./$(DEPDIR)/libkrb5_la-keytab_file.Plo \
+	./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo \
+	./$(DEPDIR)/libkrb5_la-keytab_memory.Plo \
+	./$(DEPDIR)/libkrb5_la-krb5_err.Plo \
+	./$(DEPDIR)/libkrb5_la-krb_err.Plo \
+	./$(DEPDIR)/libkrb5_la-krbhst.Plo \
+	./$(DEPDIR)/libkrb5_la-kuserok.Plo \
+	./$(DEPDIR)/libkrb5_la-log.Plo \
+	./$(DEPDIR)/libkrb5_la-mcache.Plo \
+	./$(DEPDIR)/libkrb5_la-misc.Plo \
+	./$(DEPDIR)/libkrb5_la-mit_glue.Plo \
+	./$(DEPDIR)/libkrb5_la-mk_error.Plo \
+	./$(DEPDIR)/libkrb5_la-mk_priv.Plo \
+	./$(DEPDIR)/libkrb5_la-mk_rep.Plo \
+	./$(DEPDIR)/libkrb5_la-mk_req.Plo \
+	./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo \
+	./$(DEPDIR)/libkrb5_la-mk_safe.Plo \
+	./$(DEPDIR)/libkrb5_la-n-fold.Plo \
+	./$(DEPDIR)/libkrb5_la-net_read.Plo \
+	./$(DEPDIR)/libkrb5_la-net_write.Plo \
+	./$(DEPDIR)/libkrb5_la-pac.Plo \
+	./$(DEPDIR)/libkrb5_la-padata.Plo \
+	./$(DEPDIR)/libkrb5_la-pcache.Plo \
+	./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo \
+	./$(DEPDIR)/libkrb5_la-pkinit.Plo \
+	./$(DEPDIR)/libkrb5_la-plugin.Plo \
+	./$(DEPDIR)/libkrb5_la-principal.Plo \
+	./$(DEPDIR)/libkrb5_la-prog_setup.Plo \
+	./$(DEPDIR)/libkrb5_la-prompter_posix.Plo \
+	./$(DEPDIR)/libkrb5_la-rd_cred.Plo \
+	./$(DEPDIR)/libkrb5_la-rd_error.Plo \
+	./$(DEPDIR)/libkrb5_la-rd_priv.Plo \
+	./$(DEPDIR)/libkrb5_la-rd_rep.Plo \
+	./$(DEPDIR)/libkrb5_la-rd_req.Plo \
+	./$(DEPDIR)/libkrb5_la-rd_safe.Plo \
+	./$(DEPDIR)/libkrb5_la-read_message.Plo \
+	./$(DEPDIR)/libkrb5_la-recvauth.Plo \
+	./$(DEPDIR)/libkrb5_la-replay.Plo \
+	./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo \
+	./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo \
+	./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo \
+	./$(DEPDIR)/libkrb5_la-salt-des.Plo \
+	./$(DEPDIR)/libkrb5_la-salt-des3.Plo \
+	./$(DEPDIR)/libkrb5_la-salt.Plo \
+	./$(DEPDIR)/libkrb5_la-scache.Plo \
+	./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo \
+	./$(DEPDIR)/libkrb5_la-sendauth.Plo \
+	./$(DEPDIR)/libkrb5_la-set_default_realm.Plo \
+	./$(DEPDIR)/libkrb5_la-sock_principal.Plo \
+	./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo \
+	./$(DEPDIR)/libkrb5_la-store-int.Plo \
+	./$(DEPDIR)/libkrb5_la-store.Plo \
+	./$(DEPDIR)/libkrb5_la-store_emem.Plo \
+	./$(DEPDIR)/libkrb5_la-store_fd.Plo \
+	./$(DEPDIR)/libkrb5_la-store_mem.Plo \
+	./$(DEPDIR)/libkrb5_la-store_sock.Plo \
+	./$(DEPDIR)/libkrb5_la-ticket.Plo \
+	./$(DEPDIR)/libkrb5_la-time.Plo \
+	./$(DEPDIR)/libkrb5_la-transited.Plo \
+	./$(DEPDIR)/libkrb5_la-verify_init.Plo \
+	./$(DEPDIR)/libkrb5_la-verify_user.Plo \
+	./$(DEPDIR)/libkrb5_la-version.Plo \
+	./$(DEPDIR)/libkrb5_la-warn.Plo \
+	./$(DEPDIR)/libkrb5_la-write_message.Plo \
+	./$(DEPDIR)/librfc3961_la-crc.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-algs.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-des.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-des3.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-evp.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-null.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-pk.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-rand.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo \
+	./$(DEPDIR)/librfc3961_la-crypto.Plo \
+	./$(DEPDIR)/librfc3961_la-data.Plo \
+	./$(DEPDIR)/librfc3961_la-enomem.Plo \
+	./$(DEPDIR)/librfc3961_la-error_string.Plo \
+	./$(DEPDIR)/librfc3961_la-keyblock.Plo \
+	./$(DEPDIR)/librfc3961_la-n-fold.Plo \
+	./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo \
+	./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo \
+	./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo \
+	./$(DEPDIR)/librfc3961_la-salt-des.Plo \
+	./$(DEPDIR)/librfc3961_la-salt-des3.Plo \
+	./$(DEPDIR)/librfc3961_la-salt.Plo \
+	./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo \
+	./$(DEPDIR)/librfc3961_la-store-int.Plo \
+	./$(DEPDIR)/librfc3961_la-warn.Plo ./$(DEPDIR)/n-fold-test.Po \
+	./$(DEPDIR)/parse-name-test.Po \
+	./$(DEPDIR)/pseudo-random-test.Po ./$(DEPDIR)/store-test.Po \
+	./$(DEPDIR)/string-to-key-test.Po ./$(DEPDIR)/test_acl.Po \
+	./$(DEPDIR)/test_addr.Po ./$(DEPDIR)/test_alname.Po \
+	./$(DEPDIR)/test_ap-req.Po ./$(DEPDIR)/test_canon.Po \
+	./$(DEPDIR)/test_cc.Po ./$(DEPDIR)/test_config.Po \
+	./$(DEPDIR)/test_crypto.Po ./$(DEPDIR)/test_crypto_wrapping.Po \
+	./$(DEPDIR)/test_expand_toks.Po ./$(DEPDIR)/test_forward.Po \
+	./$(DEPDIR)/test_fx.Po ./$(DEPDIR)/test_get_addrs.Po \
+	./$(DEPDIR)/test_gic.Po ./$(DEPDIR)/test_hostname.Po \
+	./$(DEPDIR)/test_keytab.Po ./$(DEPDIR)/test_kuserok.Po \
+	./$(DEPDIR)/test_mem.Po ./$(DEPDIR)/test_pac.Po \
+	./$(DEPDIR)/test_pkinit_dh2key.Po \
+	./$(DEPDIR)/test_pknistkdf.Po ./$(DEPDIR)/test_plugin.Po \
+	./$(DEPDIR)/test_prf.Po ./$(DEPDIR)/test_princ.Po \
+	./$(DEPDIR)/test_renew.Po ./$(DEPDIR)/test_rfc3961.Po \
+	./$(DEPDIR)/test_set_kvno0.Po ./$(DEPDIR)/test_store.Po \
+	./$(DEPDIR)/test_time.Po ./$(DEPDIR)/test_x500.Po \
+	./$(DEPDIR)/verify_krb5_conf.Po
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -672,8 +849,6 @@ am__define_uniq_tagged_files = \
   unique=`for i in $$list; do \
     if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
   done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
 am__tty_colors_dummy = \
   mgn= red= grn= lgn= blu= brg= std=; \
   am__color_tests=no
@@ -829,6 +1004,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -876,9 +1052,12 @@ CATMANEXT = @CATMANEXT@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
+CLANG_FORMAT = @CLANG_FORMAT@
 COMPILE_ET = @COMPILE_ET@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DB1LIB = @DB1LIB@
 DB3LIB = @DB3LIB@
@@ -896,8 +1075,10 @@ ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GCD_MIG = @GCD_MIG@
 GREP = @GREP@
 GROFF = @GROFF@
@@ -1006,6 +1187,11 @@ PKG_CONFIG = @PKG_CONFIG@
 PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
 PTHREAD_LDADD = @PTHREAD_LDADD@
 PTHREAD_LIBADD = @PTHREAD_LIBADD@
+PYTHON = @PYTHON@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
@@ -1065,9 +1251,14 @@ mandir = @mandir@
 mkdir_p = @mkdir_p@
 oldincludedir = @oldincludedir@
 pdfdir = @pdfdir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
@@ -1457,8 +1648,8 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	  *config.status*) \
 	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
 	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
 	esac;
 $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
 
@@ -1470,58 +1661,6 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
-
-install-libLTLIBRARIES: $(lib_LTLIBRARIES)
-	@$(NORMAL_INSTALL)
-	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
-	list2=; for p in $$list; do \
-	  if test -f $$p; then \
-	    list2="$$list2 $$p"; \
-	  else :; fi; \
-	done; \
-	test -z "$$list2" || { \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
-	}
-
-uninstall-libLTLIBRARIES:
-	@$(NORMAL_UNINSTALL)
-	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
-	for p in $$list; do \
-	  $(am__strip_dir) \
-	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
-	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
-	done
-
-clean-libLTLIBRARIES:
-	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
-	@list='$(lib_LTLIBRARIES)'; \
-	locs=`for p in $$list; do echo $$p; done | \
-	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
-	      sort -u`; \
-	test -z "$$locs" || { \
-	  echo rm -f $${locs}; \
-	  rm -f $${locs}; \
-	}
-
-clean-noinstLTLIBRARIES:
-	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; \
-	locs=`for p in $$list; do echo $$p; done | \
-	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
-	      sort -u`; \
-	test -z "$$locs" || { \
-	  echo rm -f $${locs}; \
-	  rm -f $${locs}; \
-	}
-
-libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) $(EXTRA_libkrb5_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(libkrb5_la_LINK) -rpath $(libdir) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
-
-librfc3961.la: $(librfc3961_la_OBJECTS) $(librfc3961_la_DEPENDENCIES) $(EXTRA_librfc3961_la_DEPENDENCIES) 
-	$(AM_V_CCLD)$(LINK)  $(librfc3961_la_OBJECTS) $(librfc3961_la_LIBADD) $(LIBS)
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
@@ -1590,6 +1729,58 @@ clean-noinstPROGRAMS:
 	echo " rm -f" $$list; \
 	rm -f $$list
 
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+	}
+
+uninstall-libLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
+	done
+
+clean-libLTLIBRARIES:
+	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+	@list='$(lib_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libkrb5.la: $(libkrb5_la_OBJECTS) $(libkrb5_la_DEPENDENCIES) $(EXTRA_libkrb5_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libkrb5_la_LINK) -rpath $(libdir) $(libkrb5_la_OBJECTS) $(libkrb5_la_LIBADD) $(LIBS)
+
+librfc3961.la: $(librfc3961_la_OBJECTS) $(librfc3961_la_DEPENDENCIES) $(EXTRA_librfc3961_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(librfc3961_la_OBJECTS) $(librfc3961_la_LIBADD) $(LIBS)
+
 aes-test$(EXEEXT): $(aes_test_OBJECTS) $(aes_test_DEPENDENCIES) $(EXTRA_aes_test_DEPENDENCIES) 
 	@rm -f aes-test$(EXEEXT)
 	$(AM_V_CCLD)$(LINK) $(aes_test_OBJECTS) $(aes_test_LDADD) $(LIBS)
@@ -1752,202 +1943,208 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/derived-key-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/krbhst-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acl.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-add_et_list.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-addr_families.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-appdefault.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-asn1_glue.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-auth_context.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_ap_req.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_auth.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-cache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-changepw.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-codec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-config_file.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-constants.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-context.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-convert_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crc.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-algs.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des3.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-evp.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-null.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-pk.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-rand.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-data.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-db_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-dcache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-deprecated.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-digest.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-doxygen.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-enomem.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-error_string.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_hostname.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_path.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fast.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fcache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free_host_realm.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_subkey.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_addrs.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_cred.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_principal.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_realm.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_for_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_host_realm.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_port.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-heim_err.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-k524_err.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kcm.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keyblock.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_any.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_file.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_memory.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb5_err.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb_err.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krbhst.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kuserok.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-log.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mcache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-misc.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mit_glue.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_error.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_priv.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_rep.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_safe.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-n-fold.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_read.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_write.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pac.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-padata.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pcache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-principal.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prog_setup.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prompter_posix.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_cred.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_error.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_priv.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_rep.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_req.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_safe.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-read_message.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-recvauth.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-replay.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des3.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-scache.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sendauth.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-set_default_realm.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sock_principal.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store-int.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_emem.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_fd.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_mem.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_sock.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-ticket.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-time.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-transited.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_init.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_user.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-version.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-warn.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-write_message.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crc.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-algs.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des3.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-evp.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-null.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-pk.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-rand.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-data.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-enomem.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-error_string.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-keyblock.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-n-fold.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des3.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-store-int.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-warn.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/n-fold-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parse-name-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pseudo-random-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/string-to-key-test.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_acl.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_addr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_alname.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_ap-req.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_canon.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cc.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_config.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto_wrapping.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expand_toks.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_forward.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_fx.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_get_addrs.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_gic.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hostname.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_keytab.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_kuserok.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mem.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pac.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pkinit_dh2key.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pknistkdf.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_plugin.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_prf.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_princ.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_renew.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rfc3961.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_set_kvno0.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_store.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_time.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_x500.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify_krb5_conf.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/derived-key-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/krbhst-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-acl.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-add_et_list.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-addr_families.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-appdefault.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-asn1_glue.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-auth_context.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_ap_req.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-build_auth.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-cache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-changepw.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-codec.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-config_file.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-constants.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-context.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-convert_creds.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crc.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-creds.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-algs.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-des3.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-evp.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-null.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-pk.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto-rand.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-crypto.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-data.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-db_plugin.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-dcache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-deprecated.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-digest.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-doxygen.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-enomem.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-error_string.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_hostname.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-expand_path.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fast.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-fcache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-free_host_realm.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-generate_subkey.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_addrs.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_cred.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_principal.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_default_realm.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_for_creds.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_host_realm.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-get_port.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-heim_err.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-k524_err.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kcm.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keyblock.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_any.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_file.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-keytab_memory.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb5_err.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krb_err.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-krbhst.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-kuserok.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-log.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mcache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-misc.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mit_glue.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_error.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_priv.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_rep.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-mk_safe.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-n-fold.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_read.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-net_write.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pac.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-padata.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pcache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-pkinit.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-plugin.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-principal.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prog_setup.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-prompter_posix.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_cred.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_error.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_priv.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_rep.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_req.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-rd_safe.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-read_message.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-recvauth.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-replay.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt-des3.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-salt.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-scache.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sendauth.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-set_default_realm.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sock_principal.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store-int.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_emem.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_fd.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_mem.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-store_sock.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-ticket.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-time.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-transited.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_init.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-verify_user.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-version.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-warn.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libkrb5_la-write_message.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crc.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-algs.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-des3.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-evp.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-null.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-pk.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-rand.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-crypto.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-data.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-enomem.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-error_string.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-keyblock.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-n-fold.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt-des3.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-salt.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-store-int.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/librfc3961_la-warn.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/n-fold-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parse-name-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pseudo-random-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/string-to-key-test.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_acl.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_addr.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_alname.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_ap-req.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_canon.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cc.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_config.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_crypto_wrapping.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_expand_toks.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_forward.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_fx.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_get_addrs.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_gic.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hostname.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_keytab.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_kuserok.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mem.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pac.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pkinit_dh2key.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pknistkdf.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_plugin.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_prf.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_princ.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_renew.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rfc3961.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_set_kvno0.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_store.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_time.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_x500.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify_krb5_conf.Po@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+	@$(MKDIR_P) $(@D)
+	@echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
 
 .c.o:
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -3469,7 +3666,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
-	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -3482,7 +3679,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	fi;								\
 	$$success || exit 1
 
-check-TESTS:
+check-TESTS: $(check_PROGRAMS) $(check_DATA)
 	@list='$(RECHECK_LOGS)';           test -z "$$list" || rm -f $$list
 	@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
 	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
@@ -3692,8 +3889,10 @@ test_x500.log: test_x500$(EXEEXT)
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 
-distdir: $(DISTFILES)
+distdir-am: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -3730,12 +3929,14 @@ check-am: all-am
 	$(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_DATA)
 	$(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local
 check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS) \
+all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(HEADERS) \
 		all-local
 install-binPROGRAMS: install-libLTLIBRARIES
 
+install-checkPROGRAMS: install-libLTLIBRARIES
+
 installdirs:
-	for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"; do \
+	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(includedir)" "$(DESTDIR)$(krb5dir)" "$(DESTDIR)$(includedir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: install-am
@@ -3779,7 +3980,202 @@ clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
 	clean-noinstPROGRAMS mostlyclean-am
 
 distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
+		-rm -f ./$(DEPDIR)/aes-test.Po
+	-rm -f ./$(DEPDIR)/derived-key-test.Po
+	-rm -f ./$(DEPDIR)/krbhst-test.Po
+	-rm -f ./$(DEPDIR)/libkrb5_la-acache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-acl.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-add_et_list.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-addr_families.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-appdefault.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-auth_context.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-build_auth.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-cache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-changepw.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-codec.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-config_file.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-constants.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-context.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-convert_creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crc.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-des.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-null.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-data.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-db_plugin.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-dcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-deprecated.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-digest.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-doxygen.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-enomem.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-error_string.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-expand_path.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-fast.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-fcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-free.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_addrs.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_cred.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_port.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-heim_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-init_creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-k524_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-kcm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keyblock.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_any.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_file.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-krb5_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-krb_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-krbhst.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-kuserok.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-log.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-misc.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mit_glue.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_error.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_priv.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_rep.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_req.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_safe.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-n-fold.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-net_read.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-net_write.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pac.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-padata.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pkinit.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-plugin.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-principal.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-prog_setup.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_cred.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_error.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_priv.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_rep.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_req.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_safe.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-read_message.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-recvauth.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-replay.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-des.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-des3.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-scache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-sendauth.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-sock_principal.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store-int.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_emem.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_fd.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_mem.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_sock.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-ticket.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-time.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-transited.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-verify_init.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-verify_user.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-version.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-warn.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-write_message.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crc.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-des.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-null.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-data.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-enomem.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-error_string.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-keyblock.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-n-fold.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-des.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-des3.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-store-int.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-warn.Plo
+	-rm -f ./$(DEPDIR)/n-fold-test.Po
+	-rm -f ./$(DEPDIR)/parse-name-test.Po
+	-rm -f ./$(DEPDIR)/pseudo-random-test.Po
+	-rm -f ./$(DEPDIR)/store-test.Po
+	-rm -f ./$(DEPDIR)/string-to-key-test.Po
+	-rm -f ./$(DEPDIR)/test_acl.Po
+	-rm -f ./$(DEPDIR)/test_addr.Po
+	-rm -f ./$(DEPDIR)/test_alname.Po
+	-rm -f ./$(DEPDIR)/test_ap-req.Po
+	-rm -f ./$(DEPDIR)/test_canon.Po
+	-rm -f ./$(DEPDIR)/test_cc.Po
+	-rm -f ./$(DEPDIR)/test_config.Po
+	-rm -f ./$(DEPDIR)/test_crypto.Po
+	-rm -f ./$(DEPDIR)/test_crypto_wrapping.Po
+	-rm -f ./$(DEPDIR)/test_expand_toks.Po
+	-rm -f ./$(DEPDIR)/test_forward.Po
+	-rm -f ./$(DEPDIR)/test_fx.Po
+	-rm -f ./$(DEPDIR)/test_get_addrs.Po
+	-rm -f ./$(DEPDIR)/test_gic.Po
+	-rm -f ./$(DEPDIR)/test_hostname.Po
+	-rm -f ./$(DEPDIR)/test_keytab.Po
+	-rm -f ./$(DEPDIR)/test_kuserok.Po
+	-rm -f ./$(DEPDIR)/test_mem.Po
+	-rm -f ./$(DEPDIR)/test_pac.Po
+	-rm -f ./$(DEPDIR)/test_pkinit_dh2key.Po
+	-rm -f ./$(DEPDIR)/test_pknistkdf.Po
+	-rm -f ./$(DEPDIR)/test_plugin.Po
+	-rm -f ./$(DEPDIR)/test_prf.Po
+	-rm -f ./$(DEPDIR)/test_princ.Po
+	-rm -f ./$(DEPDIR)/test_renew.Po
+	-rm -f ./$(DEPDIR)/test_rfc3961.Po
+	-rm -f ./$(DEPDIR)/test_set_kvno0.Po
+	-rm -f ./$(DEPDIR)/test_store.Po
+	-rm -f ./$(DEPDIR)/test_time.Po
+	-rm -f ./$(DEPDIR)/test_x500.Po
+	-rm -f ./$(DEPDIR)/verify_krb5_conf.Po
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -3828,7 +4224,202 @@ install-ps-am:
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
+		-rm -f ./$(DEPDIR)/aes-test.Po
+	-rm -f ./$(DEPDIR)/derived-key-test.Po
+	-rm -f ./$(DEPDIR)/krbhst-test.Po
+	-rm -f ./$(DEPDIR)/libkrb5_la-acache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-acl.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-add_et_list.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-addr_families.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-aname_to_localname.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-appdefault.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-asn1_glue.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-auth_context.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-build_ap_req.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-build_auth.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-cache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-changepw.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-codec.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-config_file.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-constants.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-context.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-convert_creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-copy_host_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crc.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-algs.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-arcfour.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-des-common.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-des.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-des3.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-evp.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-null.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-pk.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto-rand.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-crypto.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-data.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-db_plugin.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-dcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-deprecated.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-digest.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-doxygen.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-eai_to_heim_errno.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-enomem.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-error_string.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-expand_hostname.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-expand_path.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-fast.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-fcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-free.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-free_host_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-generate_seq_number.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-generate_subkey.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_addrs.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_cred.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_default_principal.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_default_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_for_creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_host_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_in_tkt.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-get_port.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-heim_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-init_creds.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-init_creds_pw.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-k524_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-kcm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keyblock.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_any.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_file.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_keyfile.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-keytab_memory.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-krb5_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-krb_err.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-krbhst.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-kuserok.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-log.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-misc.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mit_glue.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_error.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_priv.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_rep.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_req.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_req_ext.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-mk_safe.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-n-fold.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-net_read.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-net_write.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pac.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-padata.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pcache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pkinit-ec.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-pkinit.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-plugin.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-principal.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-prog_setup.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-prompter_posix.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_cred.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_error.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_priv.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_rep.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_req.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-rd_safe.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-read_message.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-recvauth.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-replay.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-arcfour.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-des.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt-des3.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-salt.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-scache.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-send_to_kdc.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-sendauth.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-set_default_realm.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-sock_principal.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-sp800-108-kdf.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store-int.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_emem.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_fd.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_mem.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-store_sock.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-ticket.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-time.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-transited.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-verify_init.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-verify_user.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-version.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-warn.Plo
+	-rm -f ./$(DEPDIR)/libkrb5_la-write_message.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crc.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-algs.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-arcfour.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-des-common.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-des.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-des3.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-evp.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-null.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-pk.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-rand.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto-stubs.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-crypto.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-data.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-enomem.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-error_string.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-keyblock.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-n-fold.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha1.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-aes-sha2.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-arcfour.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-des.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt-des3.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-salt.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-sp800-108-kdf.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-store-int.Plo
+	-rm -f ./$(DEPDIR)/librfc3961_la-warn.Plo
+	-rm -f ./$(DEPDIR)/n-fold-test.Po
+	-rm -f ./$(DEPDIR)/parse-name-test.Po
+	-rm -f ./$(DEPDIR)/pseudo-random-test.Po
+	-rm -f ./$(DEPDIR)/store-test.Po
+	-rm -f ./$(DEPDIR)/string-to-key-test.Po
+	-rm -f ./$(DEPDIR)/test_acl.Po
+	-rm -f ./$(DEPDIR)/test_addr.Po
+	-rm -f ./$(DEPDIR)/test_alname.Po
+	-rm -f ./$(DEPDIR)/test_ap-req.Po
+	-rm -f ./$(DEPDIR)/test_canon.Po
+	-rm -f ./$(DEPDIR)/test_cc.Po
+	-rm -f ./$(DEPDIR)/test_config.Po
+	-rm -f ./$(DEPDIR)/test_crypto.Po
+	-rm -f ./$(DEPDIR)/test_crypto_wrapping.Po
+	-rm -f ./$(DEPDIR)/test_expand_toks.Po
+	-rm -f ./$(DEPDIR)/test_forward.Po
+	-rm -f ./$(DEPDIR)/test_fx.Po
+	-rm -f ./$(DEPDIR)/test_get_addrs.Po
+	-rm -f ./$(DEPDIR)/test_gic.Po
+	-rm -f ./$(DEPDIR)/test_hostname.Po
+	-rm -f ./$(DEPDIR)/test_keytab.Po
+	-rm -f ./$(DEPDIR)/test_kuserok.Po
+	-rm -f ./$(DEPDIR)/test_mem.Po
+	-rm -f ./$(DEPDIR)/test_pac.Po
+	-rm -f ./$(DEPDIR)/test_pkinit_dh2key.Po
+	-rm -f ./$(DEPDIR)/test_pknistkdf.Po
+	-rm -f ./$(DEPDIR)/test_plugin.Po
+	-rm -f ./$(DEPDIR)/test_prf.Po
+	-rm -f ./$(DEPDIR)/test_princ.Po
+	-rm -f ./$(DEPDIR)/test_renew.Po
+	-rm -f ./$(DEPDIR)/test_rfc3961.Po
+	-rm -f ./$(DEPDIR)/test_set_kvno0.Po
+	-rm -f ./$(DEPDIR)/test_store.Po
+	-rm -f ./$(DEPDIR)/test_time.Po
+	-rm -f ./$(DEPDIR)/test_x500.Po
+	-rm -f ./$(DEPDIR)/verify_krb5_conf.Po
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -3855,8 +4446,8 @@ uninstall-man: uninstall-man3 uninstall-man5 uninstall-man7 \
 
 .MAKE: check-am install-am install-data-am install-strip uninstall-am
 
-.PHONY: CTAGS GTAGS TAGS all all-am all-local check check-TESTS \
-	check-am check-local clean clean-binPROGRAMS \
+.PHONY: CTAGS GTAGS TAGS all all-am all-local am--depfiles check \
+	check-TESTS check-am check-local clean clean-binPROGRAMS \
 	clean-checkPROGRAMS clean-generic clean-libLTLIBRARIES \
 	clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \
 	cscopelist-am ctags ctags-am dist-hook distclean \
@@ -3960,11 +4551,20 @@ check-local::
 	  test "$$failed" -eq 0 || exit 1; \
 	fi
 
+# It's useful for debugging to format generated sources.  The default for all
+# clang-format styles is to sort includes, but in many cases in-tree we really
+# don't want to do that.
 .x.c:
-	@cmp -s $< $@ 2> /dev/null || cp $< $@
+	@if [ -z "$(CLANG_FORMAT)" ]; then \
+	    cmp -s $< $@ 2> /dev/null || cp $< $@; \
+	else \
+	    cp $< $@.tmp.c; \
+            $(CLANG_FORMAT) -style='{BasedOnStyle: Chromium, SortIncludes: false}' -i $@.tmp.c; \
+	    cmp -s $@.tmp.c $@ 2> /dev/null || mv $@.tmp.c $@; \
+	fi
 
 .hx.h:
-	@cmp -s $< $@ 2> /dev/null || cp $< $@
+	@cmp -s $< $@ 2> /dev/null || cp $< $@;
 #NROFF_MAN = nroff -man
 .1.cat1:
 	$(NROFF_MAN) $< > $@
diff --git a/lib/krb5/acl.c b/lib/krb5/acl.c
index 90c91e661c0d..4365a7a0f5d8 100644
--- a/lib/krb5/acl.c
+++ b/lib/krb5/acl.c
@@ -246,7 +246,7 @@ krb5_acl_match_file(krb5_context context,
 		    ...)
 {
     krb5_error_code ret;
-    struct acl_field *acl;
+    struct acl_field *acl = NULL;
     char buf[256];
     va_list ap;
     FILE *f;
diff --git a/lib/krb5/addr_families.c b/lib/krb5/addr_families.c
index 7ac0fa93f9d5..16fe4a8c1e46 100644
--- a/lib/krb5/addr_families.c
+++ b/lib/krb5/addr_families.c
@@ -525,7 +525,7 @@ arange_parse_addr (krb5_context context,
 	    return ret;
 	}
 
-	if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) {
+	if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) {
 	    krb5_free_addresses(context, &low);
 	    krb5_free_addresses(context, &high);
 	    return -1;
diff --git a/lib/krb5/aes-test.c b/lib/krb5/aes-test.c
index 7bca78ab6068..5526b910fe4f 100644
--- a/lib/krb5/aes-test.c
+++ b/lib/krb5/aes-test.c
@@ -328,7 +328,8 @@ krb_enc(krb5_context context,
     }
 
     if (decrypt.length != clear->length ||
-	memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
+        (decrypt.length &&
+	 memcmp(decrypt.data, clear->data, decrypt.length) != 0)) {
 	krb5_warnx(context, "clear text not same");
 	return EINVAL;
     }
@@ -568,7 +569,8 @@ krb_enc_mit(krb5_context context,
 	return ret;
 
     if (decrypt.length != clear->length ||
-	memcmp(decrypt.data, clear->data, decrypt.length) != 0) {
+        (decrypt.length &&
+         memcmp(decrypt.data, clear->data, decrypt.length) != 0)) {
 	krb5_warnx(context, "clear text not same");
 	return EINVAL;
     }
diff --git a/lib/krb5/config_file.c b/lib/krb5/config_file.c
index b9e40666620b..6293bd72ddb9 100644
--- a/lib/krb5/config_file.c
+++ b/lib/krb5/config_file.c
@@ -353,6 +353,9 @@ krb5_config_parse_debug (struct fileptr *f,
     char buf[KRB5_BUFSIZ];
     krb5_error_code ret;
 
+    *lineno = 0;
+    *err_message = "";
+
     while (config_fgets(buf, sizeof(buf), f) != NULL) {
 	char *p;
 
diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index 5660f7f36b9b..58ed4761056f 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -101,7 +101,7 @@ init_context_from_config_file(krb5_context context)
     krb5_error_code ret;
     const char * tmp;
     char **s;
-    krb5_enctype *tmptypes;
+    krb5_enctype *tmptypes = NULL;
 
     INIT_FIELD(context, time, max_skew, 5 * 60, "clockskew");
     INIT_FIELD(context, time, kdc_timeout, 30, "kdc_timeout");
diff --git a/lib/krb5/crypto.h b/lib/krb5/crypto.h
index 6b0fe8d85aab..ede0338442ec 100644
--- a/lib/krb5/crypto.h
+++ b/lib/krb5/crypto.h
@@ -130,9 +130,9 @@ struct _krb5_encryption_type {
 			   krb5_crypto, const krb5_data *, krb5_data *);
 };
 
-#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
-#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
-#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
+#define ENCRYPTION_USAGE(U) ((int32_t)((((uint32_t)(U)) << 8)) | 0xAA)
+#define INTEGRITY_USAGE(U)  ((int32_t)((((uint32_t)(U)) << 8)) | 0x55)
+#define CHECKSUM_USAGE(U)   ((int32_t)((((uint32_t)(U)) << 8)) | 0x99)
 
 /* Checksums */
 
diff --git a/lib/krb5/deprecated.c b/lib/krb5/deprecated.c
index 5530e841b3b9..0871aaf71db3 100644
--- a/lib/krb5/deprecated.c
+++ b/lib/krb5/deprecated.c
@@ -324,15 +324,13 @@ krb5_keytab_key_proc (krb5_context context,
 
     ret = krb5_kt_get_entry (context, real_keytab, principal,
 			     0, enctype, &entry);
+    if (ret == 0) {
+        ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+        krb5_kt_free_entry(context, &entry);
+    }
 
     if (keytab == NULL)
 	krb5_kt_close (context, real_keytab);
-
-    if (ret)
-	return ret;
-
-    ret = krb5_copy_keyblock (context, &entry.keyblock, key);
-    krb5_kt_free_entry(context, &entry);
     return ret;
 }
 
diff --git a/lib/krb5/enomem.c b/lib/krb5/enomem.c
index 0e67fa8794c2..7f0aaeb35f83 100644
--- a/lib/krb5/enomem.c
+++ b/lib/krb5/enomem.c
@@ -33,10 +33,10 @@
 
 #include "krb5_locl.h"
 
+#undef krb5_enomem
 krb5_error_code
 krb5_enomem(krb5_context context)
 {
     krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
     return ENOMEM;
 }
-
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index b5dae62b0210..70b3e5f41447 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -420,7 +420,7 @@ get_cred_kdc(krb5_context context,
     TGS_REQ req;
     krb5_data enc;
     krb5_data resp;
-    krb5_kdc_rep rep;
+    krb5_kdc_rep rep = {0};
     KRB_ERROR error;
     krb5_error_code ret;
     unsigned nonce;
@@ -540,7 +540,6 @@ get_cred_kdc(krb5_context context,
     if(ret)
 	goto out;
 
-    memset(&rep, 0, sizeof(rep));
     if(decode_TGS_REP(resp.data, resp.length, &rep.kdc_rep, &len) == 0) {
 	unsigned eflags = 0;
 
@@ -684,15 +683,16 @@ static int
 not_found(krb5_context context, krb5_const_principal p, krb5_error_code code)
 {
     krb5_error_code ret;
+    const char *err;
     char *str;
 
+    err = krb5_get_error_message(context, code);
     ret = krb5_unparse_name(context, p, &str);
     if(ret) {
 	krb5_clear_error_message(context);
 	return code;
     }
-    krb5_set_error_message(context, code,
-			   N_("Matching credential (%s) not found", ""), str);
+    krb5_set_error_message(context, code, N_("%s (%s)", ""), err, str);
     free(str);
     return code;
 }
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index a225a5f44280..4e1088be182b 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -1541,15 +1541,13 @@ keytab_key_proc(krb5_context context, krb5_enctype enctype,
 
     ret = krb5_kt_get_entry (context, real_keytab, principal,
 			     0, enctype, &entry);
+    if (ret == 0) {
+        ret = krb5_copy_keyblock(context, &entry.keyblock, key);
+        krb5_kt_free_entry(context, &entry);
+    }
 
     if (keytab == NULL)
 	krb5_kt_close (context, real_keytab);
-
-    if (ret)
-	return ret;
-
-    ret = krb5_copy_keyblock (context, &entry.keyblock, key);
-    krb5_kt_free_entry(context, &entry);
     return ret;
 }
 
diff --git a/lib/krb5/kerberos.cat8 b/lib/krb5/kerberos.cat8
index 1ea1675a46dd..65093c0dce4c 100644
--- a/lib/krb5/kerberos.cat8
+++ b/lib/krb5/kerberos.cat8
@@ -1,18 +1,17 @@
-
 KERBEROS(8)               BSD System Manager's Manual              KERBEROS(8)
 
-NNAAMMEE
-     kkeerrbbeerrooss -- introduction to the Kerberos system
+NAME
+     kerberos -- introduction to the Kerberos system
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      Kerberos is a network authentication system. Its purpose is to securely
      authenticate users and services in an insecure network environment.
 
      This is done with a Kerberos server acting as a trusted third party,
      keeping a database with secret keys for all users and services (collec-
-     tively called _p_r_i_n_c_i_p_a_l_s).
+     tively called principals).
 
-     Each principal belongs to exactly one _r_e_a_l_m, which is the administrative
+     Each principal belongs to exactly one realm, which is the administrative
      domain in Kerberos. A realm usually corresponds to an organisation, and
      the realm should normally be derived from that organisation's domain
      name. A realm is served by one or more Kerberos servers.
@@ -21,21 +20,21 @@ DDEESSCCRRIIPPTTIIOONN
      `authenticators' which together prove the principal's identity.
 
      When you login to the Kerberos system, either through the normal system
-     login or with the kinit(1) program, you acquire a _t_i_c_k_e_t _g_r_a_n_t_i_n_g _t_i_c_k_e_t
-     which allows you to get new tickets for other services, such as tteellnneett or
-     ffttpp, without giving your password.
+     login or with the kinit(1) program, you acquire a ticket granting ticket
+     which allows you to get new tickets for other services, such as telnet or
+     ftp, without giving your password.
 
      For more information on how Kerberos works, and other general Kerberos
      questions see the Kerberos FAQ at
-           hhttttpp::////wwwwww..ccmmff..nnrrll..nnaavvyy..mmiill//kkrrbb//kkeerrbbeerrooss--ffaaqq..hhttmmll.
+     http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html
 
      For setup instructions see the Heimdal Texinfo manual.
 
-SSEEEE AALLSSOO
+SEE ALSO
      ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1), krb5(3),
      krb5.conf(5), kadmin(1), kdc(8), ktutil(1)
 
-HHIISSTTOORRYY
+HISTORY
      The Kerberos authentication system was developed in the late 1980's as
      part of the Athena Project at the Massachusetts Institute of Technology.
      Versions one through three never reached outside MIT, but version 4 was
@@ -51,7 +50,7 @@ HHIISSTTOORRYY
      on adding extensibility and internationalization have started (Kerberos
      extensions), and a new RFC will hopefully appear soon.
 
-     This manual page is part of the HHeeiimmddaall Kerberos 5 distribution, which
+     This manual page is part of the Heimdal Kerberos 5 distribution, which
      has been in development at the Royal Institute of Technology in Stock-
      holm, Sweden, since about 1997.
 
diff --git a/lib/krb5/keytab.c b/lib/krb5/keytab.c
index ca37e292a4b3..4977a62f21c4 100644
--- a/lib/krb5/keytab.c
+++ b/lib/krb5/keytab.c
@@ -359,10 +359,11 @@ krb5_kt_read_service_key(krb5_context context,
 			 krb5_enctype enctype,
 			 krb5_keyblock **key)
 {
-    krb5_keytab keytab;
+    krb5_keytab keytab = NULL; /* Quiet lint */
     krb5_keytab_entry entry;
     krb5_error_code ret;
 
+    memset(&entry, 0, sizeof(entry));
     if (keyprocarg)
 	ret = krb5_kt_resolve (context, keyprocarg, &keytab);
     else
@@ -372,11 +373,11 @@ krb5_kt_read_service_key(krb5_context context,
 	return ret;
 
     ret = krb5_kt_get_entry (context, keytab, principal, vno, enctype, &entry);
+    if (ret == 0) {
+        ret = krb5_copy_keyblock (context, &entry.keyblock, key);
+        krb5_kt_free_entry(context, &entry);
+    }
     krb5_kt_close (context, keytab);
-    if (ret)
-	return ret;
-    ret = krb5_copy_keyblock (context, &entry.keyblock, key);
-    krb5_kt_free_entry(context, &entry);
     return ret;
 }
 
@@ -483,11 +484,13 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_close(krb5_context context,
 	      krb5_keytab id)
 {
-    krb5_error_code ret;
+    krb5_error_code ret = 0;
 
-    ret = (*id->close)(context, id);
-    memset(id, 0, sizeof(*id));
-    free(id);
+    if (id) {
+        ret = (id->close)(context, id);
+        memset(id, 0, sizeof(*id));
+        free(id);
+    }
     return ret;
 }
 
@@ -621,6 +624,7 @@ krb5_kt_get_entry_wrapped(krb5_context context,
     if(id->get)
 	return (*id->get)(context, id, principal, kvno, enctype, entry);
 
+    memset(&tmp, 0, sizeof(tmp));
     ret = krb5_kt_start_seq_get (context, id, &cursor);
     if (ret) {
 	/* This is needed for krb5_verify_init_creds, but keep error
@@ -732,21 +736,21 @@ krb5_kt_copy_entry_contents(krb5_context context,
     krb5_error_code ret;
 
     memset(out, 0, sizeof(*out));
-    out->vno = in->vno;
 
     ret = krb5_copy_principal (context, in->principal, &out->principal);
     if (ret)
-	goto fail;
+	return ret;
     ret = krb5_copy_keyblock_contents (context,
 				       &in->keyblock,
 				       &out->keyblock);
-    if (ret)
-	goto fail;
+    if (ret) {
+        krb5_free_principal(context, out->principal);
+        memset(out, 0, sizeof(*out));
+        return ret;
+    }
+    out->vno = in->vno;
     out->timestamp = in->timestamp;
     return 0;
-fail:
-    krb5_kt_free_entry (context, out);
-    return ret;
 }
 
 /**
@@ -927,6 +931,7 @@ krb5_kt_have_content(krb5_context context,
     krb5_error_code ret;
     char *name;
 
+    memset(&entry, 0, sizeof(entry));
     ret = krb5_kt_start_seq_get(context, id, &cursor);
     if (ret)
 	goto notfound;
diff --git a/lib/krb5/krb5-plugin.7 b/lib/krb5/krb5-plugin.7
index 49204d2f6b46..5ba68c645134 100644
--- a/lib/krb5/krb5-plugin.7
+++ b/lib/krb5/krb5-plugin.7
@@ -169,16 +169,16 @@ follows:
 .Bd -literal -offset indent
 #include <krb5/an2ln_plugin.h>
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 nouser_plug_init(krb5_context context, void **ctx)
 {
     *ctx = NULL;
     return 0;
 }
 
-static void nouser_plug_fini(void *ctx) { }
+static void KRB5_CALLCONV nouser_plug_fini(void *ctx) { }
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 nouser_plug_an2ln(void *plug_ctx, krb5_context context,
                   const char *rule,
                   krb5_const_principal aname,
@@ -210,16 +210,16 @@ there exists a built-in plugin with this functionality; see
 .Bd -literal -offset indent
 #include <krb5/kuserok_plugin.h>
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV 
 reject_plug_init(krb5_context context, void **ctx)
 {
     *ctx = NULL;
     return 0;
 }
 
-static void reject_plug_fini(void *ctx) { }
+static void KRB5_CALLCONV reject_plug_fini(void *ctx) { }
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule,
                     unsigned int flags, const char *k5login_dir,
                     const char *luser, krb5_const_principal principal,
diff --git a/lib/krb5/krb5-plugin.cat7 b/lib/krb5/krb5-plugin.cat7
index 6d8ac426ace7..c691ebef47f1 100644
--- a/lib/krb5/krb5-plugin.cat7
+++ b/lib/krb5/krb5-plugin.cat7
@@ -1,26 +1,25 @@
-
 KRB5-PLUGIN(7)       BSD Miscellaneous Information Manual       KRB5-PLUGIN(7)
 
-NNAAMMEE
-     kkrrbb55--pplluuggiinn -- plugin interface for Heimdal
+NAME
+     krb5-plugin -- plugin interface for Heimdal
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
-     ##iinncclluuddee <<kkrrbb55//aann22llnn__pplluuggiinn..hh>>
-     ##iinncclluuddee <<kkrrbb55//ccccaacchhee__pplluuggiinn..hh>>
-     ##iinncclluuddee <<kkrrbb55//ddbb__pplluuggiinn..hh>>
-     ##iinncclluuddee <<kkrrbb55//kkuusseerrookk__pplluuggiinn..hh>>
-     ##iinncclluuddee <<kkrrbb55//llooccaattee__pplluuggiinn..hh>>
-     ##iinncclluuddee <<kkrrbb55//sseenndd__ttoo__kkddcc__pplluuggiinn..hh>>
+SYNOPSIS
+     #include <krb5.h>
+     #include <krb5/an2ln_plugin.h>
+     #include <krb5/ccache_plugin.h>
+     #include <krb5/db_plugin.h>
+     #include <krb5/kuserok_plugin.h>
+     #include <krb5/locate_plugin.h>
+     #include <krb5/send_to_kdc_plugin.h>
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      Heimdal has a plugin interface.  Plugins may be statically linked into
      Heimdal and registered via the krb5_plugin_register(3) function, or they
      may be dynamically loaded from shared objects present in the Heimdal
      plugins directories.
 
      Plugins consist of a C struct whose struct name is given in the associ-
-     ated header file, such as, for example, _k_r_b_5_p_l_u_g_i_n___k_u_s_e_r_o_k___f_t_a_b_l_e and a
+     ated header file, such as, for example, krb5plugin_kuserok_ftable and a
      pointer to which is either registered via krb5_plugin_register(3) or
      found in a shared object via a symbol lookup for the symbol name defined
      in the associated header file (e.g., "kuserok" for the plugin for
@@ -28,13 +27,13 @@ DDEESSCCRRIIPPTTIIOONN
 
      The plugin structs for all plugin types always begin with the same three
      common fields:
-     1.   _m_i_n_o_r___v_e_r_s_i_o_n , an int.  Plugin minor versions are defined in each
+     1.   minor_version , an int.  Plugin minor versions are defined in each
           plugin type's associated header file.
-     2.   _i_n_i_t , a pointer to a function with two arguments, a krb5_context
+     2.   init , a pointer to a function with two arguments, a krb5_context
           and a void **, returning a krb5_error_code.  This function will be
           called to initialize a plugin-specific context in the form of a void
           * that will be output through the init function's second argument.
-     3.   _f_i_n_i , a pointer to a function of one argument, a void *, consisting
+     3.   fini , a pointer to a function of one argument, a void *, consisting
           of the plugin's context to be destroyed, and returning void.
 
      Each plugin type must add zero or more fields to this struct following
@@ -48,7 +47,7 @@ DDEESSCCRRIIPPTTIIOONN
 
      There is a database plugin system intended for many of the uses of data-
      bases in Heimdal.  The plugin is expected to call heim_db_register(3)
-     from its _i_n_i_t entry point to register a DB type.  The DB plugin's _f_i_n_i
+     from its init entry point to register a DB type.  The DB plugin's fini
      function must do nothing, and the plugin must not provide any other entry
      points.
 
@@ -61,12 +60,12 @@ DDEESSCCRRIIPPTTIIOONN
                    const char *luser, krb5_const_principal principal,
                    krb5_boolean *result)
 
-     The _l_u_s_e_r , _p_r_i_n_c_i_p_a_l and _r_e_s_u_l_t arguments are self-explanatory (see
-     krb5_kuserok(3) ).  The _p_l_u_g___c_t_x argument is the context output by the
-     plugin's init function.  The _r_u_l_e argument is a kuserok rule from the
+     The luser , principal and result arguments are self-explanatory (see
+     krb5_kuserok(3) ).  The plug_ctx argument is the context output by the
+     plugin's init function.  The rule argument is a kuserok rule from the
      krb5.conf file; each plugin is invoked once for each rule until all plug-
-     ins fail or one succeeds.  The _k_5_l_o_g_i_n___d_i_r argument provides an alterna-
-     tive k5login file location, if not NULL.  The _f_l_a_g_s argument indicates
+     ins fail or one succeeds.  The k5login_dir argument provides an alterna-
+     tive k5login file location, if not NULL.  The flags argument indicates
      whether the plugin may call krb5_aname_to_localname(3)
      (KUSEROK_ANAME_TO_LNAME_OK), and whether k5login databases are expected
      to be authoritative (KUSEROK_K5LOGIN_IS_AUTHORITATIVE).
@@ -80,31 +79,31 @@ DDEESSCCRRIIPPTTIIOONN
            an2ln(void *plug_ctx, krb5_context context, const char *rule,
                  krb5_const_principal aname, set_result_f set_res_f, void *set_res_ctx)
 
-     The arguments for the _a_n_2_l_n plugin are similar to those of the kuserok
-     plugin, but the result, being a string, is set by calling the _s_e_t___r_e_s___f
-     function argument with the _s_e_t___r_e_s___c_t_x and result string as arguments.
-     The _s_e_t___r_e_s___f function will make a copy of the string.
+     The arguments for the an2ln plugin are similar to those of the kuserok
+     plugin, but the result, being a string, is set by calling the set_res_f
+     function argument with the set_res_ctx and result string as arguments.
+     The set_res_f function will make a copy of the string.
 
-FFIILLEESS
-     libdir/plugin/krb5/*              Shared objects containing plugins for
-                                       Heimdal.
+FILES
+     libdir/plugin/krb5/*
+             Shared objects containing plugins for Heimdal.
 
-EEXXAAMMPPLLEESS
+EXAMPLES
      An example an2ln plugin that maps principals to a constant "nouser" fol-
      lows:
 
            #include <krb5/an2ln_plugin.h>
 
-           static krb5_error_code
+           static krb5_error_code KRB5_CALLCONV
            nouser_plug_init(krb5_context context, void **ctx)
            {
                *ctx = NULL;
                return 0;
            }
 
-           static void nouser_plug_fini(void *ctx) { }
+           static void KRB5_CALLCONV nouser_plug_fini(void *ctx) { }
 
-           static krb5_error_code
+           static krb5_error_code KRB5_CALLCONV
            nouser_plug_an2ln(void *plug_ctx, krb5_context context,
                              const char *rule,
                              krb5_const_principal aname,
@@ -133,16 +132,16 @@ EEXXAAMMPPLLEESS
 
            #include <krb5/kuserok_plugin.h>
 
-           static krb5_error_code
+           static krb5_error_code KRB5_CALLCONV
            reject_plug_init(krb5_context context, void **ctx)
            {
                *ctx = NULL;
                return 0;
            }
 
-           static void reject_plug_fini(void *ctx) { }
+           static void KRB5_CALLCONV reject_plug_fini(void *ctx) { }
 
-           static krb5_error_code
+           static krb5_error_code KRB5_CALLCONV
            reject_plug_kuserok(void *plug_ctx, krb5_context context, const char *rule,
                                unsigned int flags, const char *k5login_dir,
                                const char *luser, krb5_const_principal principal,
@@ -162,7 +161,7 @@ EEXXAAMMPPLLEESS
                reject_plug_kuserok,
            };
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_plugin_register(3) krb5_kuserok(3) krb5_aname_to_localname(3)
 
 HEIMDAL                        December 21, 2011                       HEIMDAL
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index e7a25af6100b..8a0f0847a487 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -135,6 +135,19 @@ Forward credentials to remote host (for
 .Xr rsh 1 ,
 .Xr telnet 1 ,
 etc).
+.It Li historical_anon_pkinit = Va boolean
+Enable legacy anonymous pkinit command-line syntax.
+With this option set to
+.Li true,
+the
+.Xr kinit 1
+.Fl Fl anonymous
+command with no principal argument specified will request an anonymous pkinit
+ticket from the default realm.
+If a principal argument is specified, it is used as an explicit realm name for
+anonymous pkinit even without an
+.Li @
+prefix.
 .El
 .It Li [libdefaults]
 .Bl -tag -width "xxx" -offset indent
@@ -641,8 +654,21 @@ Allow address-less tickets.
 .\" XXX
 .It Li allow-anonymous = Va BOOL
 If the kdc is allowed to hand out anonymous tickets.
+.It Li historical_anon_realm = Va boolean
+Enables pre-7.0 non-RFC-comformant KDC behavior.
+With this option set to
+.Li true
+the client realm in anonymous pkinit AS replies will be the requested realm,
+rather than the RFC-conformant
+.Li WELLKNOWN:ANONYMOUS
+realm.
+This can have a security impact on servers that expect to grant access to
+anonymous-but-authenticated to the KDC users of the realm in question:
+they would also grant access to unauthenticated anonymous users.
+As such, it is not recommend to set this option to
+.Li true.
 .It Li encode_as_rep_as_tgs_rep = Va BOOL
-Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
+Encode as-rep as tgs-rep to be compatible with mistakes older DCE secd did.
 .\" XXX
 .It Li kdc_warn_pwexpire = Va TIME
 The time before expiration that the user should be warned that her
diff --git a/lib/krb5/krb5.conf.cat5 b/lib/krb5/krb5.conf.cat5
index 619fdc3cd25f..03a2c0ce42a6 100644
--- a/lib/krb5/krb5.conf.cat5
+++ b/lib/krb5/krb5.conf.cat5
@@ -1,14 +1,13 @@
-
 KRB5.CONF(5)                BSD File Formats Manual               KRB5.CONF(5)
 
-NNAAMMEE
-     kkrrbb55..ccoonnff -- configuration file for Kerberos 5
+NAME
+     krb5.conf -- configuration file for Kerberos 5
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-DDEESSCCRRIIPPTTIIOONN
-     The kkrrbb55..ccoonnff file specifies several configuration parameters for the
+DESCRIPTION
+     The krb5.conf file specifies several configuration parameters for the
      Kerberos 5 library, as well as for some programs.
 
      The file consists of one or more sections, containing a number of bind-
@@ -42,8 +41,8 @@ DDEESSCCRRIIPPTTIIOONN
 
      STRINGs consists of one or more non-whitespace characters.
 
-     STRINGs that are specified later in this man-page uses the following
-     notation.
+     STRINGs that are specified later in this man-page uses the following no-
+     tation.
 
            boolean
                 values can be either yes/true or no/false.
@@ -67,179 +66,188 @@ DDEESSCCRRIIPPTTIIOONN
                 Specifies the default values to be used for Kerberos applica-
                 tions.  You can specify defaults per application, realm, or a
                 combination of these.  The preference order is:
-                1.   _a_p_p_l_i_c_a_t_i_o_n _r_e_a_l_m _o_p_t_i_o_n
-                2.   _a_p_p_l_i_c_a_t_i_o_n _o_p_t_i_o_n
-                3.   _r_e_a_l_m _o_p_t_i_o_n
-                4.   _o_p_t_i_o_n
+                1.   application realm option
+                2.   application option
+                3.   realm option
+                4.   option
 
                 The supported options are:
 
-                      forwardable = _b_o_o_l_e_a_n
+                      forwardable = boolean
                            When obtaining initial credentials, make the cre-
                            dentials forwardable.
 
-                      proxiable = _b_o_o_l_e_a_n
+                      proxiable = boolean
                            When obtaining initial credentials, make the cre-
                            dentials proxiable.
 
-                      no-addresses = _b_o_o_l_e_a_n
+                      no-addresses = boolean
                            When obtaining initial credentials, request them
                            for an empty set of addresses, making the tickets
                            valid from any address.
 
-                      ticket_lifetime = _t_i_m_e
+                      ticket_lifetime = time
                            Default ticket lifetime.
 
-                      renew_lifetime = _t_i_m_e
+                      renew_lifetime = time
                            Default renewable ticket lifetime.
 
-                      encrypt = _b_o_o_l_e_a_n
+                      encrypt = boolean
                            Use encryption, when available.
 
-                      forward = _b_o_o_l_e_a_n
+                      forward = boolean
                            Forward credentials to remote host (for rsh(1),
                            telnet(1), etc).
 
+                      historical_anon_pkinit = boolean
+                           Enable legacy anonymous pkinit command-line syntax.
+                           With this option set to true, the kinit(1)
+                           --anonymous command with no principal argument
+                           specified will request an anonymous pkinit ticket
+                           from the default realm.  If a principal argument is
+                           specified, it is used as an explicit realm name for
+                           anonymous pkinit even without an @ prefix.
+
            [libdefaults]
 
-                      default_realm = _R_E_A_L_M
+                      default_realm = REALM
                            Default realm to use, this is also known as your
-                           ``local realm''.  The default is the result of
-                           kkrrbb55__ggeett__hhoosstt__rreeaallmm(_l_o_c_a_l _h_o_s_t_n_a_m_e).
+                           "local realm".  The default is the result of
+                           krb5_get_host_realm(local hostname).
 
-                      allow_weak_crypto = _b_o_o_l_e_a_n
+                      allow_weak_crypto = boolean
                            are weak crypto algorithms allowed to be used,
                            among others, DES is considered weak.
 
-                      clockskew = _t_i_m_e
+                      clockskew = time
                            Maximum time differential (in seconds) allowed when
                            comparing times.  Default is 300 seconds (five min-
                            utes).
 
-                      kdc_timeout = _t_i_m_e
-                           Maximum time to wait for a reply from the kdc,
-                           default is 3 seconds.
+                      kdc_timeout = time
+                           Maximum time to wait for a reply from the kdc, de-
+                           fault is 3 seconds.
 
                       capath = {
 
-                                 _d_e_s_t_i_n_a_t_i_o_n_-_r_e_a_l_m = _n_e_x_t_-_h_o_p_-_r_e_a_l_m
+                                 destination-realm = next-hop-realm
 
                                  ...
 
                                  }
                            This is deprecated, see the capaths section below.
 
-                      default_cc_type = _c_c_t_y_p_e
+                      default_cc_type = cctype
                            sets the default credentials type.
 
-                      default_cc_name = _c_c_n_a_m_e
+                      default_cc_name = ccname
                            the default credentials cache name.  If you want to
                            change the type only use default_cc_type.  The
                            string can contain variables that are expanded on
                            runtime.  The Only supported variable currently is
                            %{uid} which expands to the current user id.
 
-                      default_etypes = _e_t_y_p_e_s _._._.
-                           A list of default encryption types to use.
-                           (Default: all enctypes if allow_weak_crypto = TRUE,
+                      default_etypes = etypes ...
+                           A list of default encryption types to use. (De-
+                           fault: all enctypes if allow_weak_crypto = TRUE,
                            else all enctypes except single DES enctypes.)
 
-                      default_as_etypes = _e_t_y_p_e_s _._._.
-                           A list of default encryption types to use in AS
-                           requests.  (Default: the value of default_etypes.)
+                      default_as_etypes = etypes ...
+                           A list of default encryption types to use in AS re-
+                           quests.  (Default: the value of default_etypes.)
 
-                      default_tgs_etypes = _e_t_y_p_e_s _._._.
+                      default_tgs_etypes = etypes ...
                            A list of default encryption types to use in TGS
                            requests.  (Default: the value of default_etypes.)
 
-                      default_etypes_des = _e_t_y_p_e_s _._._.
-                           A list of default encryption types to use when
-                           requesting a DES credential.
+                      default_etypes_des = etypes ...
+                           A list of default encryption types to use when re-
+                           questing a DES credential.
 
-                      default_keytab_name = _k_e_y_t_a_b
+                      default_keytab_name = keytab
                            The keytab to use if no other is specified, default
-                           is ``FILE:/etc/krb5.keytab''.
+                           is "FILE:/etc/krb5.keytab".
 
-                      dns_lookup_kdc = _b_o_o_l_e_a_n
+                      dns_lookup_kdc = boolean
                            Use DNS SRV records to lookup KDC services loca-
                            tion.
 
-                      dns_lookup_realm = _b_o_o_l_e_a_n
+                      dns_lookup_realm = boolean
                            Use DNS TXT records to lookup domain to realm map-
                            pings.
 
-                      kdc_timesync = _b_o_o_l_e_a_n
+                      kdc_timesync = boolean
                            Try to keep track of the time differential between
                            the local machine and the KDC, and then compensate
                            for that when issuing requests.
 
-                      max_retries = _n_u_m_b_e_r
+                      max_retries = number
                            The max number of times to try to contact each KDC.
 
-                      large_msg_size = _n_u_m_b_e_r
+                      large_msg_size = number
                            The threshold where protocols with tiny maximum
                            message sizes are not considered usable to send
                            messages to the KDC.
 
-                      ticket_lifetime = _t_i_m_e
+                      ticket_lifetime = time
                            Default ticket lifetime.
 
-                      renew_lifetime = _t_i_m_e
+                      renew_lifetime = time
                            Default renewable ticket lifetime.
 
-                      forwardable = _b_o_o_l_e_a_n
+                      forwardable = boolean
                            When obtaining initial credentials, make the cre-
                            dentials forwardable.  This option is also valid in
                            the [realms] section.
 
-                      proxiable = _b_o_o_l_e_a_n
+                      proxiable = boolean
                            When obtaining initial credentials, make the cre-
                            dentials proxiable.  This option is also valid in
                            the [realms] section.
 
-                      verify_ap_req_nofail = _b_o_o_l_e_a_n
+                      verify_ap_req_nofail = boolean
                            If enabled, failure to verify credentials against a
                            local key is a fatal error.  The application has to
                            be able to read the corresponding service key for
-                           this to work.  Some applications, like su(1),
-                           enable this option unconditionally.
+                           this to work.  Some applications, like su(1), en-
+                           able this option unconditionally.
 
-                      warn_pwexpire = _t_i_m_e
+                      warn_pwexpire = time
                            How soon to warn for expiring password.  Default is
                            seven days.
 
-                      http_proxy = _p_r_o_x_y_-_s_p_e_c
+                      http_proxy = proxy-spec
                            A HTTP-proxy to use when talking to the KDC via
                            HTTP.
 
-                      dns_proxy = _p_r_o_x_y_-_s_p_e_c
+                      dns_proxy = proxy-spec
                            Enable using DNS via HTTP.
 
-                      extra_addresses = _a_d_d_r_e_s_s _._._.
+                      extra_addresses = address ...
                            A list of addresses to get tickets for along with
                            all local addresses.
 
-                      time_format = _s_t_r_i_n_g
+                      time_format = string
                            How to print time strings in logs, this string is
                            passed to strftime(3).
 
-                      date_format = _s_t_r_i_n_g
+                      date_format = string
                            How to print date strings in logs, this string is
                            passed to strftime(3).
 
-                      log_utc = _b_o_o_l_e_a_n
+                      log_utc = boolean
                            Write log-entries using UTC instead of your local
                            time zone.
 
-                      scan_interfaces = _b_o_o_l_e_a_n
-                           Scan all network interfaces for addresses, as
-                           opposed to simply using the address associated with
+                      scan_interfaces = boolean
+                           Scan all network interfaces for addresses, as op-
+                           posed to simply using the address associated with
                            the system's host name.
 
-                      fcache_version = _i_n_t
+                      fcache_version = int
                            Use file credential cache format version specified.
 
-                      fcc-mit-ticketflags = _b_o_o_l_e_a_n
+                      fcc-mit-ticketflags = boolean
                            Use MIT compatible format for file credential
                            cache.  It's the field ticketflags that is stored
                            in reverse bit order for older than Heimdal 0.7.
@@ -252,19 +260,19 @@ DDEESSCCRRIIPPTTIIOONN
                            useful when the GSS-API server input the wrong
                            server name into the gss_accept_sec_context call.
 
-                      k5login_directory = _d_i_r_e_c_t_o_r_y
+                      k5login_directory = directory
                            Alternative location for user .k5login files. This
                            option is provided for compatibility with MIT krb5
                            configuration files.
 
-                      k5login_authoritative = _b_o_o_l_e_a_n
+                      k5login_authoritative = boolean
                            If true then if a principal is not found in k5login
                            files then krb5_userok(3) will not fallback on
                            principal to username mapping. This option is pro-
                            vided for compatibility with MIT krb5 configuration
                            files.
 
-                      kuserok = _r_u_l_e _._._.
+                      kuserok = rule ...
                            Specifies krb5_userok(3) behavior.  If multiple
                            values are given, then krb5_userok(3) will evaluate
                            them in order until one succeeds or all fail.
@@ -272,22 +280,22 @@ DDEESSCCRRIIPPTTIIOONN
                            in plugins described below. Default: USER-K5LOGIN
                            SIMPLE DENY.
 
-                      kuserok = _D_E_N_Y
+                      kuserok = DENY
                            If set and evaluated then krb5_userok(3) will deny
                            access to the given username no matter what the
                            principal name might be.
 
-                      kuserok = _S_I_M_P_L_E
+                      kuserok = SIMPLE
                            If set and evaluated then krb5_userok(3) will use
                            principal to username mapping (see auth_to_local
                            below).  If the principal maps to the requested
                            username then access is allowed.
 
-                      kuserok = _S_Y_S_T_E_M_-_K_5_L_O_G_I_N_[_:_d_i_r_e_c_t_o_r_y_]
+                      kuserok = SYSTEM-K5LOGIN[:directory]
                            If set and evaluated then krb5_userok(3) will use
-                           k5login files named after the _l_u_s_e_r argument to
+                           k5login files named after the luser argument to
                            krb5_userok(3) in the given directory or in
-                           _/_e_t_c_/_k_5_l_o_g_i_n_._d_/.  K5login files are text files,
+                           /etc/k5login.d/.  K5login files are text files,
                            with each line containing just a principal name;
                            principals apearing in a user's k5login file are
                            permitted access to the user's account. Note: this
@@ -296,31 +304,31 @@ DDEESSCCRRIIPPTTIIOONN
                            sions/ACLs are expected due to the k5login location
                            being a system location.
 
-                      kuserok = _U_S_E_R_-_K_5_L_O_G_I_N
+                      kuserok = USER-K5LOGIN
                            If set and evaluated then krb5_userok(3) will use
-                           _~_l_u_s_e_r_/_._k_5_l_o_g_i_n and _~_l_u_s_e_r_/_._k_5_l_o_g_i_n_._d_/_*.  User
+                           ~luser/.k5login and ~luser/.k5login.d/*.  User
                            k5login files and directories must be owned by the
                            user and must not have world nor group write per-
                            missions.
 
-                      aname2lname-text-db = _f_i_l_e_n_a_m_e
-                           The named file must be a sorted (in increasing
-                           order) text file where every line consists of an
-                           unparsed principal name optionally followed by
-                           whitespace and a username.  The aname2lname func-
-                           tion will do a binary search on this file, if con-
-                           figured, looking for lines that match the given
-                           principal name, and if found the given username
-                           will be used, or, if the username is missing, an
-                           error will be returned.  If the file doesn't exist,
-                           or if no matching line is found then other plugins
-                           will be allowed to run.
+                      aname2lname-text-db = filename
+                           The named file must be a sorted (in increasing or-
+                           der) text file where every line consists of an un-
+                           parsed principal name optionally followed by white-
+                           space and a username.  The aname2lname function
+                           will do a binary search on this file, if config-
+                           ured, looking for lines that match the given prin-
+                           cipal name, and if found the given username will be
+                           used, or, if the username is missing, an error will
+                           be returned.  If the file doesn't exist, or if no
+                           matching line is found then other plugins will be
+                           allowed to run.
 
                       fcache_strict_checking
                            strict checking in FILE credential caches that
                            owner, no symlink and permissions is correct.
 
-                      name_canon_rules = _r_u_l_e_s
+                      name_canon_rules = rules
                            One or more service principal name canonicalization
                            rules.  Each rule consists of one or more tokens
                            separated by colon (':').  Currently these rules
@@ -334,17 +342,17 @@ DDEESSCCRRIIPPTTIIOONN
                            NOTE: Name canonicalization rules are an experimen-
                            tal feature.
 
-                           The first token is a rule type, one of: _a_s_-_i_s_,
-                           _q_u_a_l_i_f_y_, _o_r _n_s_s_.
+                           The first token is a rule type, one of: as-is,
+                           qualify, or nss.
 
                            Any remaining tokens must be options tokens:
-                           _u_s_e___f_a_s_t (use FAST to protect TGS exchanges; cur-
-                           rently not supported), _u_s_e___d_n_s_s_e_c (use DNSSEC to
+                           use_fast (use FAST to protect TGS exchanges; cur-
+                           rently not supported), use_dnssec (use DNSSEC to
                            protect hostname lookups; currently not supported),
-                           _c_c_a_c_h_e___o_n_l_y , _u_s_e___r_e_f_e_r_r_a_l_s_, _n_o___r_e_f_e_r_r_a_l_s_,
-                           _l_o_o_k_u_p___r_e_a_l_m_, _m_i_n_d_o_t_s_=_N_, _m_a_x_d_o_t_s_=_N_, _o_r_d_e_r_=_N_,
-                           domain= _d_o_m_a_i_n_, realm= _r_e_a_l_m_, match_domain= _d_o_m_a_i_n_,
-                           and match_realm= _r_e_a_l_m_.
+                           ccache_only , use_referrals, no_referrals,
+                           lookup_realm, mindots=N, maxdots=N, order=N, do-
+                           main= domain, realm= realm, match_domain= domain,
+                           and match_realm= realm.
 
                            When trying to obtain a service ticket for a host-
                            based service principal name, name canonicalization
@@ -356,18 +364,18 @@ DDEESSCCRRIIPPTTIIOONN
                            one.
 
                            For each rule the system checks that the hostname
-                           has at least _m_i_n_d_o_t_s periods (if given) in it, at
-                           most _m_a_x_d_o_t_s periods (if given), that the hostname
-                           ends in the given _m_a_t_c_h___d_o_m_a_i_n (if given), and that
-                           the realm of the principal matches the _m_a_t_c_h___r_e_a_l_m
+                           has at least mindots periods (if given) in it, at
+                           most maxdots periods (if given), that the hostname
+                           ends in the given match_domain (if given), and that
+                           the realm of the principal matches the match_realm
                            (if given).
 
-                           _A_s_-_i_s rules leave the hostname unmodified but may
-                           set a realm.  _Q_u_a_l_i_f_y rules qualify the hostname
-                           with the given _d_o_m_a_i_n and also may set the realm.
-                           The _n_s_s rule uses the system resolver to lookup the
+                           As-is rules leave the hostname unmodified but may
+                           set a realm.  Qualify rules qualify the hostname
+                           with the given domain and also may set the realm.
+                           The nss rule uses the system resolver to lookup the
                            host's canonical name and is usually not secure.
-                           Note that using the _n_s_s rule type implies having to
+                           Note that using the nss rule type implies having to
                            have principal aliases in the HDB (though not nec-
                            essarily in keytabs).
 
@@ -376,9 +384,9 @@ DDEESSCCRRIIPPTTIIOONN
                            matched.
 
                            The order in which rules are applied is as follows:
-                           first all the rules with explicit _o_r_d_e_r then all
+                           first all the rules with explicit order then all
                            other rules in the order in which they appear.  If
-                           any two rules have the same explicit _o_r_d_e_r, their
+                           any two rules have the same explicit order, their
                            order of appearance in krb5.conf breaks the tie.
                            Explicitly specifying order can be useful where
                            tools read and write the configuration file without
@@ -386,15 +394,15 @@ DDEESSCCRRIIPPTTIIOONN
 
                            Malformed rules are ignored.
 
-                      allow_hierarchical_capaths = _b_o_o_l_e_a_n
+                      allow_hierarchical_capaths = boolean
                            When validating cross-realm transit paths, absent
                            any explicit capath from the client realm to the
                            server realm, allow a hierarchical transit path via
-                           the common ancestor domain of the two realms.
-                           Defaults to true.  Note, absent an explicit set-
-                           ting, hierarchical capaths are always used by the
-                           KDC when generating a referral to a destination
-                           with which is no direct trust.
+                           the common ancestor domain of the two realms.  De-
+                           faults to true.  Note, absent an explicit setting,
+                           hierarchical capaths are always used by the KDC
+                           when generating a referral to a destination with
+                           which is no direct trust.
 
            [domain_realm]
                 This is a list of mappings from DNS domain to Kerberos realm.
@@ -405,39 +413,39 @@ DDEESSCCRRIIPPTTIIOONN
                 The domain can be either a full name of a host or a trailing
                 component, in the latter case the domain-string should start
                 with a period.  The trailing component only matches hosts that
-                are in the same domain, ie ``.example.com'' matches
-                ``foo.example.com'', but not ``foo.test.example.com''.
+                are in the same domain, ie ".example.com" matches
+                "foo.example.com", but not "foo.test.example.com".
 
-                The realm may be the token `dns_locate', in which case the
-                actual realm will be determined using DNS (independently of
-                the setting of the `dns_lookup_realm' option).
+                The realm may be the token `dns_locate', in which case the ac-
+                tual realm will be determined using DNS (independently of the
+                setting of the `dns_lookup_realm' option).
 
            [realms]
 
-                      _R_E_A_L_M = {
+                      REALM = {
 
-                                 kdc = _[_s_e_r_v_i_c_e_/_]_h_o_s_t_[_:_p_o_r_t_]
+                                 kdc = [service/]host[:port]
                                       Specifies a list of kdcs for this realm.
-                                      If the optional _p_o_r_t is absent, the
-                                      default value for the ``kerberos/udp''
-                                      ``kerberos/tcp'', and ``http/tcp'' port
-                                      (depending on service) will be used.
-                                      The kdcs will be used in the order that
-                                      they are specified.
-
-                                      The optional _s_e_r_v_i_c_e specifies over what
+                                      If the optional port is absent, the de-
+                                      fault value for the "kerberos/udp"
+                                      "kerberos/tcp", and "http/tcp" port (de-
+                                      pending on service) will be used.  The
+                                      kdcs will be used in the order that they
+                                      are specified.
+
+                                      The optional service specifies over what
                                       medium the kdc should be contacted.
-                                      Possible services are ``udp'', ``tcp'',
-                                      and ``http''.  Http can also be written
-                                      as ``http://''.  Default service is
-                                      ``udp'' and ``tcp''.
+                                      Possible services are "udp", "tcp", and
+                                      "http".  Http can also be written as
+                                      "http://".  Default service is "udp" and
+                                      "tcp".
 
-                                 admin_server = _h_o_s_t_[_:_p_o_r_t_]
+                                 admin_server = host[:port]
                                       Specifies the admin server for this
                                       realm, where all the modifications to
                                       the database are performed.
 
-                                 kpasswd_server = _h_o_s_t_[_:_p_o_r_t_]
+                                 kpasswd_server = host[:port]
                                       Points to the server where all the pass-
                                       word changes are performed.  If there is
                                       no such entry, the kpasswd port on the
@@ -450,10 +458,10 @@ DDEESSCCRRIIPPTTIIOONN
 
                                  auth_to_local_names = {
 
-                                            _p_r_i_n_c_i_p_a_l___n_a_m_e _= _u_s_e_r_n_a_m_e
-                                                 The given _p_r_i_n_c_i_p_a_l___n_a_m_e will
+                                            principal_name = username
+                                                 The given principal_name will
                                                  be mapped to the given
-                                                 _u_s_e_r_n_a_m_e if the _R_E_A_L_M is a
+                                                 username if the REALM is a
                                                  default realm.
 
                                  }
@@ -461,69 +469,69 @@ DDEESSCCRRIIPPTTIIOONN
                                  auth_to_local = HEIMDAL_DEFAULT
                                       Use the Heimdal default principal to
                                       username mapping.  Applies to principals
-                                      from the _R_E_A_L_M if and only if _R_E_A_L_M is a
+                                      from the REALM if and only if REALM is a
                                       default realm.
 
                                  auth_to_local = DEFAULT
                                       Use the MIT default principal to user-
                                       name mapping.  Applies to principals
-                                      from the _R_E_A_L_M if and only if _R_E_A_L_M is a
+                                      from the REALM if and only if REALM is a
                                       default realm.
 
                                  auth_to_local = DB:/path/to/db.txt
                                       Use a binary search of the given DB.
                                       The DB must be a flat-text file sortedf
-                                      in the "C" locale, with each record
-                                      being a line (separated by either LF or
+                                      in the "C" locale, with each record be-
+                                      ing a line (separated by either LF or
                                       CRLF) consisting of a principal name
                                       followed by whitespace followed by a
                                       username.  Applies to principals from
-                                      the _R_E_A_L_M if and only if _R_E_A_L_M is a
-                                      default realm.
+                                      the REALM if and only if REALM is a de-
+                                      fault realm.
 
                                  auth_to_local = DB:/path/to/db
                                       Use the given DB, if there's a plugin
                                       for it.  Applies to principals from the
-                                      _R_E_A_L_M if and only if _R_E_A_L_M is a default
+                                      REALM if and only if REALM is a default
                                       realm.
 
                                  auth_to_local = RULE:...
                                       Use the given rule, if there's a plugin
                                       for it.  Applies to principals from the
-                                      _R_E_A_L_M if and only if _R_E_A_L_M is a default
+                                      REALM if and only if REALM is a default
                                       realm.
 
                                  auth_to_local = NONE
                                       No additional principal to username map-
                                       ping is done. Note that
-                                      _a_u_t_h___t_o___l_o_c_a_l___n_a_m_e_s and any preceding
-                                      _a_u_t_h___t_o___l_o_c_a_l rules have precedence.
+                                      auth_to_local_names and any preceding
+                                      auth_to_local rules have precedence.
 
                       }
 
            [capaths]
 
-                      _c_l_i_e_n_t_-_r_e_a_l_m = {
+                      client-realm = {
 
-                                 _s_e_r_v_e_r_-_r_e_a_l_m = _h_o_p_-_r_e_a_l_m _._._.
+                                 server-realm = hop-realm ...
                                       This serves two purposes. First the
-                                      first listed _h_o_p_-_r_e_a_l_m tells a client
+                                      first listed hop-realm tells a client
                                       which realm it should contact in order
                                       to ultimately obtain credentials for a
-                                      service in the _s_e_r_v_e_r_-_r_e_a_l_m.  Secondly,
+                                      service in the server-realm.  Secondly,
                                       it tells the KDC (and other servers)
                                       which realms are allowed in a multi-hop
-                                      traversal from _c_l_i_e_n_t_-_r_e_a_l_m to
-                                      _s_e_r_v_e_r_-_r_e_a_l_m.  Except for the client
+                                      traversal from client-realm to
+                                      server-realm.  Except for the client
                                       case, the order of the realms are not
                                       important.
 
-                      _}
+                      }
 
            [logging]
 
-                      _e_n_t_i_t_y = _d_e_s_t_i_n_a_t_i_o_n
-                           Specifies that _e_n_t_i_t_y should use the specified
+                      entity = destination
+                           Specifies that entity should use the specified
                            destination for logging.  See the krb5_openlog(3)
                            manual page for a list of defined destinations.
 
@@ -531,71 +539,71 @@ DDEESSCCRRIIPPTTIIOONN
 
                       database = {
 
-                                 dbname = _[_D_A_T_B_A_S_E_T_Y_P_E_:_]_D_A_T_A_B_A_S_E_N_A_M_E
+                                 dbname = [DATBASETYPE:]DATABASENAME
                                       Use this database for this realm.  The
-                                      _D_A_T_A_B_A_S_E_T_Y_P_E should be one of 'lmdb',
+                                      DATABASETYPE should be one of 'lmdb',
                                       'db3', 'db1', 'db', 'sqlite', or 'ldap'.
                                       See the info documetation how to config-
                                       ure different database backends.
 
-                                 realm = _R_E_A_L_M
+                                 realm = REALM
                                       Specifies the realm that will be stored
                                       in this database.  It realm isn't set,
                                       it will used as the default database,
                                       there can only be one entry that doesn't
                                       have a realm stanza.
 
-                                 mkey_file = _F_I_L_E_N_A_M_E
+                                 mkey_file = FILENAME
                                       Use this keytab file for the master key
                                       of this database.  If not specified
-                                      _D_A_T_A_B_A_S_E_N_A_M_E.mkey will be used.
+                                      DATABASENAME.mkey will be used.
 
                                  acl_file = PA FILENAME
                                       Use this file for the ACL list of this
                                       database.
 
-                                 log_file = _F_I_L_E_N_A_M_E
+                                 log_file = FILENAME
                                       Use this file as the log of changes per-
                                       formed to the database.  This file is
-                                      used by iipprrooppdd--mmaasstteerr for propagating
+                                      used by ipropd-master for propagating
                                       changes to slaves.  It is also used by
-                                      kkaaddmmiinndd and kkaaddmmiinn (when used with the
-                                      -l option), and by all applications
-                                      using lliibbkkaaddmm55 with the local backend,
-                                      for two-phase commit functionality.
-                                      Slaves also use this.  Setting this to
-                                      //ddeevv//nnuullll disables two-phase commit and
-                                      incremental propagation.  Use iipprroopp--lloogg
+                                      kadmind and kadmin (when used with the
+                                      -l option), and by all applications us-
+                                      ing libkadm5 with the local backend, for
+                                      two-phase commit functionality.  Slaves
+                                      also use this.  Setting this to
+                                      /dev/null disables two-phase commit and
+                                      incremental propagation.  Use iprop-log
                                       to show the contents of this log file.
 
-                                 log-max-size = _n_u_m_b_e_r
+                                 log-max-size = number
                                       When the log reaches this size (in
                                       bytes), the log will be truncated, sav-
                                       ing some entries, and keeping the latest
-                                      version number so as to not disrupt
-                                      incremental propagation.  If set to a
-                                      negative value then automatic log trun-
-                                      cation will be disabled.  Defaults to
+                                      version number so as to not disrupt in-
+                                      cremental propagation.  If set to a neg-
+                                      ative value then automatic log trunca-
+                                      tion will be disabled.  Defaults to
                                       52428800 (50MB).
 
                       }
 
-                      max-request = _S_I_Z_E
+                      max-request = SIZE
                            Maximum size of a kdc request.
 
-                      require-preauth = _B_O_O_L
+                      require-preauth = BOOL
                            If set pre-authentication is required.
 
-                      ports = _l_i_s_t _o_f _p_o_r_t_s
+                      ports = list of ports
                            List of ports the kdc should listen to.
 
-                      addresses = _l_i_s_t _o_f _i_n_t_e_r_f_a_c_e_s
+                      addresses = list of interfaces
                            List of addresses the kdc should bind to.
 
-                      enable-http = _B_O_O_L
+                      enable-http = BOOL
                            Should the kdc answer kdc-requests over http.
 
-                      tgt-use-strongest-session-key = _B_O_O_L
+                      tgt-use-strongest-session-key = BOOL
                            If this is TRUE then the KDC will prefer the
                            strongest key from the client's AS-REQ or TGS-REQ
                            enctype list for the ticket session key that is
@@ -605,86 +613,98 @@ DDEESSCCRRIIPPTTIIOONN
                            REQ enctype list that is also supported by the KDC
                            and the target principal.  Defaults to FALSE.
 
-                      svc-use-strongest-session-key = _B_O_O_L
+                      svc-use-strongest-session-key = BOOL
                            Like tgt-use-strongest-session-key, but applies to
                            the session key enctype of tickets for services
                            other than krbtgt principals. Defaults to FALSE.
 
-                      preauth-use-strongest-session-key = _B_O_O_L
+                      preauth-use-strongest-session-key = BOOL
                            If TRUE then select the strongest possible enctype
                            from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
                            for password-based pre-authentication).  Else pick
                            the first supported enctype from the client's AS-
                            REQ.  Defaults to FALSE.
 
-                      use-strongest-server-key = _B_O_O_L
-                           If TRUE then the KDC picks, for the ticket
-                           encrypted part's key, the first supported enctype
+                      use-strongest-server-key = BOOL
+                           If TRUE then the KDC picks, for the ticket en-
+                           crypted part's key, the first supported enctype
                            from the target service principal's hdb entry's
                            current keyset. Else the KDC picks the first sup-
                            ported enctype from the target service principal's
                            hdb entry's current keyset.  Defaults to TRUE.
 
-                      check-ticket-addresses = _B_O_O_L
-                           Verify the addresses in the tickets used in tgs
-                           requests.
+                      check-ticket-addresses = BOOL
+                           Verify the addresses in the tickets used in tgs re-
+                           quests.
 
-                      allow-null-ticket-addresses = _B_O_O_L
+                      allow-null-ticket-addresses = BOOL
                            Allow address-less tickets.
 
-                      allow-anonymous = _B_O_O_L
+                      allow-anonymous = BOOL
                            If the kdc is allowed to hand out anonymous tick-
                            ets.
 
-                      encode_as_rep_as_tgs_rep = _B_O_O_L
-                           Encode as-rep as tgs-rep tobe compatible with mis-
+                      historical_anon_realm = boolean
+                           Enables pre-7.0 non-RFC-comformant KDC behavior.
+                           With this option set to true the client realm in
+                           anonymous pkinit AS replies will be the requested
+                           realm, rather than the RFC-conformant
+                           WELLKNOWN:ANONYMOUS realm.  This can have a secu-
+                           rity impact on servers that expect to grant access
+                           to anonymous-but-authenticated to the KDC users of
+                           the realm in question: they would also grant access
+                           to unauthenticated anonymous users.  As such, it is
+                           not recommend to set this option to true.
+
+                      encode_as_rep_as_tgs_rep = BOOL
+                           Encode as-rep as tgs-rep to be compatible with mis-
                            takes older DCE secd did.
 
-                      kdc_warn_pwexpire = _T_I_M_E
+                      kdc_warn_pwexpire = TIME
                            The time before expiration that the user should be
                            warned that her password is about to expire.
 
-                      logging = _L_o_g_g_i_n_g
+                      logging = Logging
                            What type of logging the kdc should use, see also
                            [logging]/kdc.
 
-                      hdb-ldap-structural-object _s_t_r_u_c_t_u_r_a_l _o_b_j_e_c_t
+                      hdb-ldap-structural-object structural object
                            If the LDAP backend is used for storing principals,
                            this is the structural object that will be used
-                           when creating and when reading objects.  The
-                           default value is account .
+                           when creating and when reading objects.  The de-
+                           fault value is account .
 
-                      hdb-ldap-create-base _c_r_e_a_t_i_o_n _d_n
+                      hdb-ldap-create-base creation dn
                            is the dn that will be appended to the principal
                            when creating entries.  Default value is the search
                            dn.
 
-                      enable-digest = _B_O_O_L
+                      enable-digest = BOOL
                            Should the kdc answer digest requests. The default
                            is FALSE.
 
-                      digests_allowed = _l_i_s_t _o_f _d_i_g_e_s_t_s
+                      digests_allowed = list of digests
                            Specifies the digests the kdc will reply to. The
                            default is ntlm-v2.
 
-                      kx509_ca = _f_i_l_e
+                      kx509_ca = file
                            Specifies the PEM credentials for the kx509 certi-
                            fication authority.
 
-                      require_initial_kca_tickets = _b_o_o_l_e_a_n
+                      require_initial_kca_tickets = boolean
                            Specified whether to require that tickets for the
                            kca_service service principal be INITIAL.  This may
                            be set on a per-realm basis as well as globally.
                            Defaults to true for the global setting.
 
-                      kx509_include_pkinit_san = _b_o_o_l_e_a_n
+                      kx509_include_pkinit_san = boolean
                            If true then the kx509 client principal's name and
                            realm will be included in an id-pkinit-san certifi-
-                           cate extension.  This can be set on a per-realm
-                           basis as well as globally.  Defaults to true for
-                           the global setting.
+                           cate extension.  This can be set on a per-realm ba-
+                           sis as well as globally.  Defaults to true for the
+                           global setting.
 
-                      kx509_template = _f_i_l_e
+                      kx509_template = file
                            Specifies the PEM file with a template for the cer-
                            tificates to be issued.  The following variables
                            can be interpolated in the subject name using
@@ -707,49 +727,49 @@ DDEESSCCRRIIPPTTIIOONN
 
            [kadmin]
 
-                      password_lifetime = _t_i_m_e
+                      password_lifetime = time
                            If a principal already have its password set for
                            expiration, this is the time it will be valid for
                            after a change.
 
-                      default_keys = _k_e_y_t_y_p_e_s_._._.
-                           For each entry in _d_e_f_a_u_l_t___k_e_y_s try to parse it as a
-                           sequence of _e_t_y_p_e_:_s_a_l_t_t_y_p_e_:_s_a_l_t syntax of this if
+                      default_keys = keytypes...
+                           For each entry in default_keys try to parse it as a
+                           sequence of etype:salttype:salt syntax of this if
                            something like:
 
                            [(des|des3|etype):](pw-salt|afs3-salt)[:string]
 
-                           If _e_t_y_p_e is omitted it means everything, and if
+                           If etype is omitted it means everything, and if
                            string is omitted it means the default salt string
                            (for that principal and encryption type).  Addi-
                            tional special values of keytypes are:
 
-                                 v5   The Kerberos 5 salt _p_w_-_s_a_l_t
+                                 v5   The Kerberos 5 salt pw-salt
 
-                      default_key_rules = _{
+                      default_key_rules = {
 
-                                 _g_l_o_b_i_n_g_-_r_u_l_e = _k_e_y_t_y_p_e_s_._._.
+                                 globing-rule = keytypes...
                                       a globbing rule to matching a principal,
                                       and when true, use the keytypes as spec-
-                                      ified the same format as [kad-
-                                      min]default_keys .
+                                      ified the same format as [kadmin]de-
+                                      fault_keys .
 
                       }
 
-                      prune-key-history = _B_O_O_L
+                      prune-key-history = BOOL
                            When adding keys to the key history, drop keys that
                            are too old to match unexpired tickets (based on
                            the principal's maximum ticket lifetime).  If the
                            KDC keystore is later compromised traffic protected
                            with the discarded older keys may remain protected.
                            This also keeps the HDB records for principals with
-                           key history from growing without bound.  The
-                           default (backwards compatible) value is "false".
+                           key history from growing without bound.  The de-
+                           fault (backwards compatible) value is "false".
 
-                      use_v4_salt = _B_O_O_L
+                      use_v4_salt = BOOL
                            When true, this is the same as
 
-                           _d_e_f_a_u_l_t___k_e_y_s _= _d_e_s_3_:_p_w_-_s_a_l_t _v_4
+                           default_keys = des3:pw-salt v4
 
                            and is only left for backwards compatibility.
 
@@ -757,31 +777,31 @@ DDEESSCCRRIIPPTTIIOONN
                            Check the Password quality assurance in the info
                            documentation for more information.
 
-                                 check_library = _l_i_b_r_a_r_y_-_n_a_m_e
+                                 check_library = library-name
                                       Library name that contains the password
                                       check_function
 
-                                 check_function = _f_u_n_c_t_i_o_n_-_n_a_m_e
+                                 check_function = function-name
                                       Function name for checking passwords in
                                       check_library
 
-                                 policy_libraries = _l_i_b_r_a_r_y_1 _._._. _l_i_b_r_a_r_y_N
+                                 policy_libraries = library1 ... libraryN
                                       List of libraries that can do password
                                       policy checks
 
-                                 policies = _p_o_l_i_c_y_1 _._._. _p_o_l_i_c_y_N
+                                 policies = policy1 ... policyN
                                       List of policy names to apply to the
                                       password. Builtin policies are among
                                       other minimum-length, character-class,
                                       external-check.
 
-EENNVVIIRROONNMMEENNTT
+ENVIRONMENT
      KRB5_CONFIG points to the configuration file to read.
 
-FFIILLEESS
+FILES
      /etc/krb5.conf  configuration file for Kerberos 5.
 
-EEXXAAMMPPLLEESS
+EXAMPLES
            [libdefaults]
                    default_realm = FOO.SE
                    name_canon_rules = as-is:realm=FOO.SE
@@ -805,16 +825,16 @@ EEXXAAMMPPLLEESS
                            */ppp@* = arcfour-hmac-md5:pw-salt
                    }
 
-DDIIAAGGNNOOSSTTIICCSS
-     Since kkrrbb55..ccoonnff is read and parsed by the krb5 library, there is not a
+DIAGNOSTICS
+     Since krb5.conf is read and parsed by the krb5 library, there is not a
      lot of opportunities for programs to report parsing errors in any useful
      format.  To help overcome this problem, there is a program
-     vveerriiffyy__kkrrbb55__ccoonnff that reads kkrrbb55..ccoonnff and tries to emit useful diagnos-
+     verify_krb5_conf that reads krb5.conf and tries to emit useful diagnos-
      tics from parsing errors.  Note that this program does not have any way
-     of knowing what options are actually used and thus cannot warn about
-     unknown or misspelled ones.
+     of knowing what options are actually used and thus cannot warn about un-
+     known or misspelled ones.
 
-SSEEEE AALLSSOO
+SEE ALSO
      kinit(1), krb5_openlog(3), strftime(3), verify_krb5_conf(8)
 
 HEIMDAL                           May 4, 2005                          HEIMDAL
diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h
index b6745a5b7758..c37af35933b2 100644
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -117,55 +117,52 @@ typedef struct krb5_enc_data {
 } krb5_enc_data;
 
 /* alternative names */
-enum {
-    ENCTYPE_NULL		= KRB5_ENCTYPE_NULL,
-    ENCTYPE_DES_CBC_CRC		= KRB5_ENCTYPE_DES_CBC_CRC,
-    ENCTYPE_DES_CBC_MD4		= KRB5_ENCTYPE_DES_CBC_MD4,
-    ENCTYPE_DES_CBC_MD5		= KRB5_ENCTYPE_DES_CBC_MD5,
-    ENCTYPE_DES3_CBC_MD5	= KRB5_ENCTYPE_DES3_CBC_MD5,
-    ENCTYPE_OLD_DES3_CBC_SHA1	= KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
-    ENCTYPE_SIGN_DSA_GENERATE	= KRB5_ENCTYPE_SIGN_DSA_GENERATE,
-    ENCTYPE_ENCRYPT_RSA_PRIV	= KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
-    ENCTYPE_ENCRYPT_RSA_PUB	= KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
-    ENCTYPE_DES3_CBC_SHA1	= KRB5_ENCTYPE_DES3_CBC_SHA1,
-    ENCTYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-    ENCTYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-    ENCTYPE_ARCFOUR_HMAC	= KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
-    ENCTYPE_ARCFOUR_HMAC_MD5	= KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
-    ENCTYPE_ARCFOUR_HMAC_MD5_56	= KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
-    ENCTYPE_ENCTYPE_PK_CROSS	= KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
-    ENCTYPE_DES_CBC_NONE	= KRB5_ENCTYPE_DES_CBC_NONE,
-    ENCTYPE_DES3_CBC_NONE	= KRB5_ENCTYPE_DES3_CBC_NONE,
-    ENCTYPE_DES_CFB64_NONE	= KRB5_ENCTYPE_DES_CFB64_NONE,
-    ENCTYPE_DES_PCBC_NONE	= KRB5_ENCTYPE_DES_PCBC_NONE,
-    ETYPE_NULL			= KRB5_ENCTYPE_NULL,
-    ETYPE_DES_CBC_CRC		= KRB5_ENCTYPE_DES_CBC_CRC,
-    ETYPE_DES_CBC_MD4		= KRB5_ENCTYPE_DES_CBC_MD4,
-    ETYPE_DES_CBC_MD5		= KRB5_ENCTYPE_DES_CBC_MD5,
-    ETYPE_DES3_CBC_MD5		= KRB5_ENCTYPE_DES3_CBC_MD5,
-    ETYPE_OLD_DES3_CBC_SHA1	= KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
-    ETYPE_SIGN_DSA_GENERATE	= KRB5_ENCTYPE_SIGN_DSA_GENERATE,
-    ETYPE_ENCRYPT_RSA_PRIV	= KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
-    ETYPE_ENCRYPT_RSA_PUB	= KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
-    ETYPE_DES3_CBC_SHA1		= KRB5_ENCTYPE_DES3_CBC_SHA1,
-    ETYPE_AES128_CTS_HMAC_SHA1_96	= KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-    ETYPE_AES256_CTS_HMAC_SHA1_96	= KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-    ETYPE_AES128_CTS_HMAC_SHA256_128	= KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128,
-    ETYPE_AES256_CTS_HMAC_SHA384_192	= KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192,
-    ETYPE_ARCFOUR_HMAC_MD5	= KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
-    ETYPE_ARCFOUR_HMAC_MD5_56	= KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
-    ETYPE_ENCTYPE_PK_CROSS	= KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
-    ETYPE_ARCFOUR_MD4		= KRB5_ENCTYPE_ARCFOUR_MD4,
-    ETYPE_ARCFOUR_HMAC_OLD	= KRB5_ENCTYPE_ARCFOUR_HMAC_OLD,
-    ETYPE_ARCFOUR_HMAC_OLD_EXP	= KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP,
-    ETYPE_DES_CBC_NONE		= KRB5_ENCTYPE_DES_CBC_NONE,
-    ETYPE_DES3_CBC_NONE		= KRB5_ENCTYPE_DES3_CBC_NONE,
-    ETYPE_DES_CFB64_NONE	= KRB5_ENCTYPE_DES_CFB64_NONE,
-    ETYPE_DES_PCBC_NONE		= KRB5_ENCTYPE_DES_PCBC_NONE,
-    ETYPE_DIGEST_MD5_NONE	= KRB5_ENCTYPE_DIGEST_MD5_NONE,
-    ETYPE_CRAM_MD5_NONE		= KRB5_ENCTYPE_CRAM_MD5_NONE
-
-};
+#define ENCTYPE_NULL KRB5_ENCTYPE_NULL
+#define ENCTYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
+#define ENCTYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
+#define ENCTYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
+#define ENCTYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
+#define ENCTYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
+#define ENCTYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
+#define ENCTYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
+#define ENCTYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
+#define ENCTYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
+#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+#define ENCTYPE_ARCFOUR_HMAC KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ENCTYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ENCTYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
+#define ENCTYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
+#define ENCTYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
+#define ENCTYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
+#define ENCTYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
+#define ENCTYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
+#define ETYPE_NULL KRB5_ENCTYPE_NULL
+#define ETYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC
+#define ETYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4
+#define ETYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5
+#define ETYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5
+#define ETYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1
+#define ETYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE
+#define ETYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV
+#define ETYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB
+#define ETYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1
+#define ETYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+#define ETYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+#define ETYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128
+#define ETYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192
+#define ETYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
+#define ETYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56
+#define ETYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS
+#define ETYPE_ARCFOUR_MD4 KRB5_ENCTYPE_ARCFOUR_MD4
+#define ETYPE_ARCFOUR_HMAC_OLD KRB5_ENCTYPE_ARCFOUR_HMAC_OLD
+#define ETYPE_ARCFOUR_HMAC_OLD_EXP KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP
+#define ETYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE
+#define ETYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE
+#define ETYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE
+#define ETYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE
+#define ETYPE_DIGEST_MD5_NONE KRB5_ENCTYPE_DIGEST_MD5_NONE
+#define ETYPE_CRAM_MD5_NONE KRB5_ENCTYPE_CRAM_MD5_NONE
 
 /* PDU types */
 typedef enum krb5_pdu {
@@ -955,8 +952,11 @@ typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
  */
 #define KRB5_ANON_MATCH_AUTHENTICATED	1 /* authenticated with anon flag */
 #define KRB5_ANON_MATCH_UNAUTHENTICATED	2 /* anonymous PKINIT */
-#define KRB5_ANON_MATCH_ANY		( KRB5_ANON_MATCH_AUTHENTICATED | KRB5_ANON_MATCH_UNAUTHENTICATED )
-
+#define KRB5_ANON_IGNORE_NAME_TYPE	4 /* don't check the name type */
+#define KRB5_ANON_MATCH_ANY	        ( KRB5_ANON_MATCH_AUTHENTICATED | \
+                                          KRB5_ANON_MATCH_UNAUTHENTICATED )
+#define KRB5_ANON_MATCH_ANY_NONT	( KRB5_ANON_MATCH_ANY | \
+                                          KRB5_ANON_IGNORE_NAME_TYPE )
 
 /*
  *
@@ -994,5 +994,24 @@ extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
 
+/* clang analyzer workarounds */
+
+#ifdef __clang_analyzer__
+/*
+ * The clang analyzer (lint) can't know that krb5_enomem() always returns
+ * non-zero, so code like:
+ *
+ *      if ((x = malloc(...)) == NULL)
+ *          ret = krb5_enomem(context)
+ *      if (ret == 0)
+ *          *x = ...;
+ *
+ * causes false positives.
+ *
+ * The fix is to make krb5_enomem() a macro that always evaluates to ENOMEM.
+ */
+#define krb5_enomem(c) (krb5_enomem(c), ENOMEM)
+#endif
+
 #endif /* __KRB5_H__ */
 
diff --git a/lib/krb5/krb524_convert_creds_kdc.cat3 b/lib/krb5/krb524_convert_creds_kdc.cat3
index 84d48c34489f..b6992ec07f53 100644
--- a/lib/krb5/krb524_convert_creds_kdc.cat3
+++ b/lib/krb5/krb524_convert_creds_kdc.cat3
@@ -1,35 +1,34 @@
-
 KRB524_CONVERT_CREDS_... BSD Library Functions Manual KRB524_CONVERT_CREDS_...
 
-NNAAMMEE
-     kkrrbb552244__ccoonnvveerrtt__ccrreeddss__kkddcc, kkrrbb552244__ccoonnvveerrtt__ccrreeddss__kkddcc__ccccaacchhee -- converts
+NAME
+     krb524_convert_creds_kdc, krb524_convert_creds_kdc_ccache -- converts
      Kerberos 5 credentials to Kerberos 4 credentials
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb552244__ccoonnvveerrtt__ccrreeddss__kkddcc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_i_n___c_r_e_d,
-         _s_t_r_u_c_t _c_r_e_d_e_n_t_i_a_l_s _*_v_4_c_r_e_d_s);
+     krb5_error_code
+     krb524_convert_creds_kdc(krb5_context context, krb5_creds *in_cred,
+         struct credentials *v4creds);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb552244__ccoonnvveerrtt__ccrreeddss__kkddcc__ccccaacchhee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e,
-         _k_r_b_5___c_r_e_d_s _*_i_n___c_r_e_d, _s_t_r_u_c_t _c_r_e_d_e_n_t_i_a_l_s _*_v_4_c_r_e_d_s);
+     krb5_error_code
+     krb524_convert_creds_kdc_ccache(krb5_context context, krb5_ccache ccache,
+         krb5_creds *in_cred, struct credentials *v4creds);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      Convert the Kerberos 5 credential to Kerberos 4 credential.  This is done
      by sending them to the 524 service in the KDC.
 
-     kkrrbb552244__ccoonnvveerrtt__ccrreeddss__kkddcc() converts the Kerberos 5 credential in _i_n___c_r_e_d
-     to Kerberos 4 credential that is stored in _c_r_e_d_e_n_t_i_a_l_s.
+     krb524_convert_creds_kdc() converts the Kerberos 5 credential in in_cred
+     to Kerberos 4 credential that is stored in credentials.
 
-     kkrrbb552244__ccoonnvveerrtt__ccrreeddss__kkddcc__ccccaacchhee() is different from
-     kkrrbb552244__ccoonnvveerrtt__ccrreeddss__kkddcc() in that way that if _i_n___c_r_e_d doesn't contain a
+     krb524_convert_creds_kdc_ccache() is different from
+     krb524_convert_creds_kdc() in that way that if in_cred doesn't contain a
      DES session key, then a new one is fetched from the KDC and stored in the
-     cred cache _c_c_a_c_h_e, and then the KDC is queried to convert the credential.
+     cred cache ccache, and then the KDC is queried to convert the credential.
 
      This interfaces are used to make the migration to Kerberos 5 from Ker-
      beros 4 easier.  There are few services that still need Kerberos 4, and
@@ -37,7 +36,7 @@ DDEESSCCRRIIPPTTIIOONN
      AFS, really have Kerberos 5 supports, but still uses the 524 interface to
      make the migration easier.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5.conf(5)
 
 HEIMDAL                         March 20, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_425_conv_principal.cat3 b/lib/krb5/krb5_425_conv_principal.cat3
index abef9b0db8ff..3845106ca656 100644
--- a/lib/krb5/krb5_425_conv_principal.cat3
+++ b/lib/krb5/krb5_425_conv_principal.cat3
@@ -1,63 +1,62 @@
-
 KRB5_425_CONV_PRINCIP... BSD Library Functions Manual KRB5_425_CONV_PRINCIP...
 
-NNAAMMEE
-     kkrrbb55__442255__ccoonnvv__pprriinncciippaall, kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt,
-     kkrrbb55__552244__ccoonnvv__pprriinncciippaall -- converts to and from version 4 principals
+NAME
+     krb5_425_conv_principal, krb5_425_conv_principal_ext,
+     krb5_524_conv_principal -- converts to and from version 4 principals
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__442255__ccoonnvv__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
-         _c_o_n_s_t _c_h_a_r _*_i_n_s_t_a_n_c_e, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l);
+     krb5_error_code
+     krb5_425_conv_principal(krb5_context context, const char *name,
+         const char *instance, const char *realm, krb5_principal *principal);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
-         _c_o_n_s_t _c_h_a_r _*_i_n_s_t_a_n_c_e, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m,
-         _k_r_b_5___b_o_o_l_e_a_n _(_*_f_u_n_c_)_(_k_r_b_5___c_o_n_t_e_x_t_, _k_r_b_5___p_r_i_n_c_i_p_a_l_),
-         _k_r_b_5___b_o_o_l_e_a_n _r_e_s_o_l_v_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l);
+     krb5_error_code
+     krb5_425_conv_principal_ext(krb5_context context, const char *name,
+         const char *instance, const char *realm,
+         krb5_boolean (*func)(krb5_context, krb5_principal),
+         krb5_boolean resolve, krb5_principal *principal);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__552244__ccoonnvv__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _c_h_a_r _*_n_a_m_e, _c_h_a_r _*_i_n_s_t_a_n_c_e,
-         _c_h_a_r _*_r_e_a_l_m);
+     krb5_error_code
+     krb5_524_conv_principal(krb5_context context,
+         const krb5_principal principal, char *name, char *instance,
+         char *realm);
 
-DDEESSCCRRIIPPTTIIOONN
-     Converting between version 4 and version 5 principals can at best be
-     described as a mess.
+DESCRIPTION
+     Converting between version 4 and version 5 principals can at best be de-
+     scribed as a mess.
 
      A version 4 principal consists of a name, an instance, and a realm. A
      version 5 principal consists of one or more components, and a realm. In
      some cases also the first component/name will differ between version 4
      and version 5.  Furthermore the second component of a host principal will
-     be the fully qualified domain name of the host in question, while the
-     instance of a version 4 principal will only contain the first part (short
+     be the fully qualified domain name of the host in question, while the in-
+     stance of a version 4 principal will only contain the first part (short
      hostname).  Because of these problems the conversion between principals
      will have to be site customized.
 
-     kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() will try to convert a version 4 principal,
-     given by _n_a_m_e, _i_n_s_t_a_n_c_e, and _r_e_a_l_m, to a version 5 principal. This can
-     result in several possible principals, and if _f_u_n_c is non-NULL, it will
-     be called for each candidate principal.  _f_u_n_c should return true if the
-     principal was ``good''.  To accomplish this,
-     kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() will look up the name in _k_r_b_5_._c_o_n_f.  It
-     first looks in the v4_name_convert/host subsection, which should contain
-     a list of version 4 names whose instance should be treated as a hostname.
-     This list can be specified for each realm (in the realms section), or in
-     the libdefaults section.  If the name is found the resulting name of the
-     principal will be the value of this binding. The instance is then first
-     looked up in v4_instance_convert for the specified realm. If found the
-     resulting value will be used as instance (this can be used for special
-     cases), no further attempts will be made to find a conversion if this
-     fails (with _f_u_n_c).  If the _r_e_s_o_l_v_e parameter is true, the instance will
-     be looked up with ggeetthhoossttbbyynnaammee().  This can be a time consuming, error
-     prone, and unsafe operation.  Next a list of hostnames will be created
-     from the instance and the v4_domains variable, which should contain a
-     list of possible domains for the specific realm.
+     krb5_425_conv_principal_ext() will try to convert a version 4 principal,
+     given by name, instance, and realm, to a version 5 principal. This can
+     result in several possible principals, and if func is non-NULL, it will
+     be called for each candidate principal.  func should return true if the
+     principal was "good".  To accomplish this, krb5_425_conv_principal_ext()
+     will look up the name in krb5.conf.  It first looks in the
+     v4_name_convert/host subsection, which should contain a list of version 4
+     names whose instance should be treated as a hostname. This list can be
+     specified for each realm (in the realms section), or in the libdefaults
+     section.  If the name is found the resulting name of the principal will
+     be the value of this binding. The instance is then first looked up in
+     v4_instance_convert for the specified realm. If found the resulting value
+     will be used as instance (this can be used for special cases), no further
+     attempts will be made to find a conversion if this fails (with func).  If
+     the resolve parameter is true, the instance will be looked up with
+     gethostbyname().  This can be a time consuming, error prone, and unsafe
+     operation.  Next a list of hostnames will be created from the instance
+     and the v4_domains variable, which should contain a list of possible do-
+     mains for the specific realm.
 
      On the other hand, if the name is not found in a host section, it is
      looked up in a v4_name_convert/plain binding. If found here the name will
@@ -79,27 +78,27 @@ DDEESSCCRRIIPPTTIIOONN
      It will only be used if there isn't an entry for these names in the con-
      fig file, so you can override these defaults.
 
-     kkrrbb55__442255__ccoonnvv__pprriinncciippaall() will call kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() with
-     NULL as _f_u_n_c, and the value of v4_instance_resolve (from the libdefaults
-     section) as _r_e_s_o_l_v_e.
+     krb5_425_conv_principal() will call krb5_425_conv_principal_ext() with
+     NULL as func, and the value of v4_instance_resolve (from the libdefaults
+     section) as resolve.
 
-     kkrrbb55__552244__ccoonnvv__pprriinncciippaall() basically does the opposite of
-     kkrrbb55__442255__ccoonnvv__pprriinncciippaall(), it just doesn't have to look up any names, but
+     krb5_524_conv_principal() basically does the opposite of
+     krb5_425_conv_principal(), it just doesn't have to look up any names, but
      will instead truncate instances found to belong to a host principal. The
-     _n_a_m_e, _i_n_s_t_a_n_c_e, and _r_e_a_l_m should be at least 40 characters long.
+     name, instance, and realm should be at least 40 characters long.
 
-EEXXAAMMPPLLEESS
+EXAMPLES
      Since this is confusing an example is in place.
 
-     Assume that we have the ``foo.com'', and ``bar.com'' domains that have
-     shared a single version 4 realm, FOO.COM. The version 4 _k_r_b_._r_e_a_l_m_s file
-     looked like:
+     Assume that we have the "foo.com", and "bar.com" domains that have shared
+     a single version 4 realm, FOO.COM. The version 4 krb.realms file looked
+     like:
 
            foo.com         FOO.COM
            .foo.com        FOO.COM
            .bar.com        FOO.COM
 
-     A _k_r_b_5_._c_o_n_f file that covers this case might look like:
+     A krb5.conf file that covers this case might look like:
 
            [libdefaults]
                    v4_instance_resolve = yes
@@ -125,16 +124,15 @@ EEXXAAMMPPLLEESS
            ftp.other       -> ftp/other.foo.com
            other.a-host    -> other/a-host
 
-     The first three are what you expect. If you remove the ``v4_domains'',
-     the fourth entry will result in an error (since the host ``other'' can't
-     be found). Even if ``a-host'' is a valid host name, the last entry will
-     not be converted, since the ``other'' name is not known to represent a
-     host-type principal.  If you turn off ``v4_instance_resolve'' the second
-     example will result in ``ftp/b-host.foo.com'' (because of the default
-     domain). And all of this is of course only valid if you have working name
-     resolving.
+     The first three are what you expect. If you remove the "v4_domains", the
+     fourth entry will result in an error (since the host "other" can't be
+     found). Even if "a-host" is a valid host name, the last entry will not be
+     converted, since the "other" name is not known to represent a host-type
+     principal.  If you turn off "v4_instance_resolve" the second example will
+     result in "ftp/b-host.foo.com" (because of the default domain). And all
+     of this is of course only valid if you have working name resolving.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_build_principal(3), krb5_free_principal(3), krb5_parse_name(3),
      krb5_sname_to_principal(3), krb5_unparse_name(3), krb5.conf(5)
 
diff --git a/lib/krb5/krb5_acl_match_file.cat3 b/lib/krb5/krb5_acl_match_file.cat3
index 8aebb87a949e..40b09c1f16f2 100644
--- a/lib/krb5/krb5_acl_match_file.cat3
+++ b/lib/krb5/krb5_acl_match_file.cat3
@@ -1,26 +1,25 @@
-
 KRB5_ACL_MATCH_FILE(3)   BSD Library Functions Manual   KRB5_ACL_MATCH_FILE(3)
 
-NNAAMMEE
-     kkrrbb55__aaccll__mmaattcchh__ffiillee, kkrrbb55__aaccll__mmaattcchh__ssttrriinngg -- ACL matching functions
+NAME
+     krb5_acl_match_file, krb5_acl_match_string -- ACL matching functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aaccll__mmaattcchh__ffiillee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_f_i_l_e,
-         _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.);
+SYNOPSIS
+     krb5_error_code
+     krb5_acl_match_file(krb5_context context, const char *file,
+         const char *format, ...);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aaccll__mmaattcchh__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_s_t_r_i_n_g,
-         _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.);
+     krb5_error_code
+     krb5_acl_match_string(krb5_context context, const char *string,
+         const char *format, ...);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__aaccll__mmaattcchh__ffiillee matches ACL format against each line in a file.
+DESCRIPTION
+     krb5_acl_match_file matches ACL format against each line in a file.
      Lines starting with # are treated like comments and ignored.
 
-     kkrrbb55__aaccll__mmaattcchh__ssttrriinngg matches ACL format against a string.
+     krb5_acl_match_string matches ACL format against a string.
 
      The ACL format has three format specifiers: s, f, and r.  Each specifier
      will retrieve one argument from the variable arguments for either match-
@@ -30,7 +29,7 @@ DDEESSCCRRIIPPTTIIOONN
 
            s    Matches a string using strcmp(3) (case sensitive).
 
-           f    Matches the string with fnmatch(3).  The _f_l_a_g_s argument (the
+           f    Matches the string with fnmatch(3).  The flags argument (the
                 last argument) passed to the fnmatch function is 0.
 
            r    Returns a copy of the string in the char ** passed in; the
@@ -40,7 +39,7 @@ DDEESSCCRRIIPPTTIIOONN
 
      All unknown format specifiers cause an error.
 
-EEXXAAMMPPLLEESS
+EXAMPLES
            char *s;
 
            ret = krb5_acl_match_string(context, "foo", "s", "foo");
@@ -55,7 +54,7 @@ EEXXAAMMPPLLEESS
            }
            free(s);
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3)
 
 HEIMDAL                          May 12, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_aname_to_localname.cat3 b/lib/krb5/krb5_aname_to_localname.cat3
index 03565c1eaafe..6c134bc3995e 100644
--- a/lib/krb5/krb5_aname_to_localname.cat3
+++ b/lib/krb5/krb5_aname_to_localname.cat3
@@ -1,39 +1,38 @@
-
 KRB5_ANAME_TO_LOCALNA... BSD Library Functions Manual KRB5_ANAME_TO_LOCALNA...
 
-NNAAMMEE
-     kkrrbb55__aannaammee__ttoo__llooccaallnnaammee -- converts a principal to a system local name
+NAME
+     krb5_aname_to_localname -- converts a principal to a system local name
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__aannaammee__ttoo__llooccaallnnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _n_a_m_e,
-         _s_i_z_e___t _l_n_s_i_z_e, _c_h_a_r _*_l_n_a_m_e);
+     krb5_boolean
+     krb5_aname_to_localname(krb5_context context, krb5_const_principal name,
+         size_t lnsize, char *lname);
 
-DDEESSCCRRIIPPTTIIOONN
-     This function takes a principal _n_a_m_e, verifies that it is in the local
-     realm (using kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss()) and then returns the local name
+DESCRIPTION
+     This function takes a principal name, verifies that it is in the local
+     realm (using krb5_get_default_realms()) and then returns the local name
      of the principal.
 
-     If _n_a_m_e isn't in one of the local realms an error is returned.
+     If name isn't in one of the local realms an error is returned.
 
-     If the size (_l_n_s_i_z_e) of the local name (_l_n_a_m_e) is too small, an error is
+     If the size (lnsize) of the local name (lname) is too small, an error is
      returned.
 
-     kkrrbb55__aannaammee__ttoo__llooccaallnnaammee() should only be use by an application that
-     implements protocols that don't transport the login name and thus needs
-     to convert a principal to a local name.
+     krb5_aname_to_localname() should only be use by an application that im-
+     plements protocols that don't transport the login name and thus needs to
+     convert a principal to a local name.
 
      Protocols should be designed so that they authenticate using Kerberos,
      send over the login name and then verify the principal that is authenti-
      cated is allowed to login and the login name.  A way to check if a user
-     is allowed to login is using the function kkrrbb55__kkuusseerrookk().
+     is allowed to login is using the function krb5_kuserok().
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_get_default_realms(3), krb5_kuserok(3)
 
 HEIMDAL                        February 18, 2006                       HEIMDAL
diff --git a/lib/krb5/krb5_appdefault.cat3 b/lib/krb5/krb5_appdefault.cat3
index 5000115c20a3..41674112d170 100644
--- a/lib/krb5/krb5_appdefault.cat3
+++ b/lib/krb5/krb5_appdefault.cat3
@@ -1,32 +1,31 @@
-
 KRB5_APPDEFAULT(3)       BSD Library Functions Manual       KRB5_APPDEFAULT(3)
 
-NNAAMMEE
-     kkrrbb55__aappppddeeffaauulltt__bboooolleeaann, kkrrbb55__aappppddeeffaauulltt__ssttrriinngg, kkrrbb55__aappppddeeffaauulltt__ttiimmee --
+NAME
+     krb5_appdefault_boolean, krb5_appdefault_string, krb5_appdefault_time --
      get application configuration value
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _v_o_i_d
-     kkrrbb55__aappppddeeffaauulltt__bboooolleeaann(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e,
-         _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _k_r_b_5___b_o_o_l_e_a_n _d_e_f___v_a_l,
-         _k_r_b_5___b_o_o_l_e_a_n _*_r_e_t___v_a_l);
+     void
+     krb5_appdefault_boolean(krb5_context context, const char *appname,
+         krb5_realm realm, const char *option, krb5_boolean def_val,
+         krb5_boolean *ret_val);
 
-     _v_o_i_d
-     kkrrbb55__aappppddeeffaauulltt__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e,
-         _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _c_o_n_s_t _c_h_a_r _*_d_e_f___v_a_l,
-         _c_h_a_r _*_*_r_e_t___v_a_l);
+     void
+     krb5_appdefault_string(krb5_context context, const char *appname,
+         krb5_realm realm, const char *option, const char *def_val,
+         char **ret_val);
 
-     _v_o_i_d
-     kkrrbb55__aappppddeeffaauulltt__ttiimmee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e,
-         _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _t_i_m_e___t _d_e_f___v_a_l,
-         _t_i_m_e___t _*_r_e_t___v_a_l);
+     void
+     krb5_appdefault_time(krb5_context context, const char *appname,
+         krb5_realm realm, const char *option, time_t def_val,
+         time_t *ret_val);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      These functions get application defaults from the appdefaults section of
      the krb5.conf(5) configuration file. These defaults can be specified per
      application, and/or per realm.
@@ -47,11 +46,11 @@ DDEESSCCRRIIPPTTIIOONN
                            option = value
                    }
                    option = value
-     _a_p_p_n_a_m_e is the name of the application, and _r_e_a_l_m is the realm name. If
-     the realm is omitted it will not be used for resolving values.  _d_e_f___v_a_l
+     appname is the name of the application, and realm is the realm name. If
+     the realm is omitted it will not be used for resolving values.  def_val
      is the value to return if no value is found in krb5.conf(5).
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_config(3), krb5.conf(5)
 
 HEIMDAL                          July 25, 2000                         HEIMDAL
diff --git a/lib/krb5/krb5_auth_context.cat3 b/lib/krb5/krb5_auth_context.cat3
index 85458a8f287f..7b0366e42777 100644
--- a/lib/krb5/krb5_auth_context.cat3
+++ b/lib/krb5/krb5_auth_context.cat3
@@ -1,116 +1,115 @@
-
 KRB5_AUTH_CONTEXT(3)     BSD Library Functions Manual     KRB5_AUTH_CONTEXT(3)
 
-NNAAMMEE
-     kkrrbb55__aauutthh__ccoonn__aaddddffllaaggss, kkrrbb55__aauutthh__ccoonn__ffrreeee, kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss,
-     kkrrbb55__aauutthh__ccoonn__ggeenneerraatteellooccaallssuubbkkeeyy, kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss,
-     kkrrbb55__aauutthh__ccoonn__ggeettaauutthheennttiiccaattoorr, kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss,
-     kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy, kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy,
-     kkrrbb55__aauutthh__ccoonn__ggeettrrccaacchhee, kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy,
-     kkrrbb55__aauutthh__ccoonn__ggeettuusseerrkkeeyy, kkrrbb55__aauutthh__ccoonn__iinniitt, kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr,
-     kkrrbb55__aauutthh__ccoonn__rreemmoovveeffllaaggss, kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss,
-     kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd, kkrrbb55__aauutthh__ccoonn__sseettffllaaggss,
-     kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr, kkrrbb55__aauutthh__ccoonn__sseettkkeeyy,
-     kkrrbb55__aauutthh__ccoonn__sseettllooccaallssuubbkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettrrccaacchhee,
-     kkrrbb55__aauutthh__ccoonn__sseettrreemmootteessuubbkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy,
-     kkrrbb55__aauutthh__ccoonntteexxtt, kkrrbb55__aauutthh__ggeettcckkssuummttyyppee, kkrrbb55__aauutthh__ggeettkkeeyyttyyppee,
-     kkrrbb55__aauutthh__ggeettllooccaallsseeqqnnuummbbeerr, kkrrbb55__aauutthh__ggeettrreemmootteesseeqqnnuummbbeerr,
-     kkrrbb55__aauutthh__sseettcckkssuummttyyppee, kkrrbb55__aauutthh__sseettkkeeyyttyyppee,
-     kkrrbb55__aauutthh__sseettllooccaallsseeqqnnuummbbeerr, kkrrbb55__aauutthh__sseettrreemmootteesseeqqnnuummbbeerr,
-     kkrrbb55__ffrreeee__aauutthheennttiiccaattoorr -- manage authentication on connection level
-
-LLIIBBRRAARRYY
+NAME
+     krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
+     krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs,
+     krb5_auth_con_getauthenticator, krb5_auth_con_getflags,
+     krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
+     krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey,
+     krb5_auth_con_getuserkey, krb5_auth_con_init, krb5_auth_con_initivector,
+     krb5_auth_con_removeflags, krb5_auth_con_setaddrs,
+     krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
+     krb5_auth_con_setivector, krb5_auth_con_setkey,
+     krb5_auth_con_setlocalsubkey, krb5_auth_con_setrcache,
+     krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
+     krb5_auth_context, krb5_auth_getcksumtype, krb5_auth_getkeytype,
+     krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber,
+     krb5_auth_setcksumtype, krb5_auth_setkeytype,
+     krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
+     krb5_free_authenticator -- manage authentication on connection level
+
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t);
+     krb5_error_code
+     krb5_auth_con_init(krb5_context context,
+         krb5_auth_context *auth_context);
 
-     _v_o_i_d
-     kkrrbb55__aauutthh__ccoonn__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t);
+     void
+     krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__sseettffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _f_l_a_g_s);
+     krb5_error_code
+     krb5_auth_con_setflags(krb5_context context,
+         krb5_auth_context auth_context, int32_t flags);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _*_f_l_a_g_s);
+     krb5_error_code
+     krb5_auth_con_getflags(krb5_context context,
+         krb5_auth_context auth_context, int32_t *flags);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__aaddddffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _a_d_d_f_l_a_g_s, _i_n_t_3_2___t _*_f_l_a_g_s);
+     krb5_error_code
+     krb5_auth_con_addflags(krb5_context context,
+         krb5_auth_context auth_context, int32_t addflags, int32_t *flags);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__rreemmoovveeffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _r_e_m_o_v_e_l_a_g_s, _i_n_t_3_2___t _*_f_l_a_g_s);
+     krb5_error_code
+     krb5_auth_con_removeflags(krb5_context context,
+         krb5_auth_context auth_context, int32_t removelags, int32_t *flags);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_l_o_c_a_l___a_d_d_r,
-         _k_r_b_5___a_d_d_r_e_s_s _*_r_e_m_o_t_e___a_d_d_r);
+     krb5_error_code
+     krb5_auth_con_setaddrs(krb5_context context,
+         krb5_auth_context auth_context, krb5_address *local_addr,
+         krb5_address *remote_addr);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_*_l_o_c_a_l___a_d_d_r,
-         _k_r_b_5___a_d_d_r_e_s_s _*_*_r_e_m_o_t_e___a_d_d_r);
+     krb5_error_code
+     krb5_auth_con_getaddrs(krb5_context context,
+         krb5_auth_context auth_context, krb5_address **local_addr,
+         krb5_address **remote_addr);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t _f_d, _i_n_t _f_l_a_g_s);
+     krb5_error_code
+     krb5_auth_con_genaddrs(krb5_context context,
+         krb5_auth_context auth_context, int fd, int flags);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _v_o_i_d _*_p___f_d);
+     krb5_error_code
+     krb5_auth_con_setaddrs_from_fd(krb5_context context,
+         krb5_auth_context auth_context, void *p_fd);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k);
+     krb5_error_code
+     krb5_auth_con_getkey(krb5_context context,
+         krb5_auth_context auth_context, krb5_keyblock **keyblock);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k);
+     krb5_error_code
+     krb5_auth_con_getlocalsubkey(krb5_context context,
+         krb5_auth_context auth_context, krb5_keyblock **keyblock);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k);
+     krb5_error_code
+     krb5_auth_con_getremotesubkey(krb5_context context,
+         krb5_auth_context auth_context, krb5_keyblock **keyblock);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__ggeenneerraatteellooccaallssuubbkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k, _*_k_e_y_");
+     krb5_error_code
+     krb5_auth_con_generatelocalsubkey(krb5_context context,
+         krb5_auth_context auth_context, krb5_keyblock, *key");
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t);
+     krb5_error_code
+     krb5_auth_con_initivector(krb5_context context,
+         krb5_auth_context auth_context);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___p_o_i_n_t_e_r _i_v_e_c_t_o_r);
+     krb5_error_code
+     krb5_auth_con_setivector(krb5_context context,
+         krb5_auth_context *auth_context, krb5_pointer ivector);
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__aauutthheennttiiccaattoorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h_e_n_t_i_c_a_t_o_r _*_a_u_t_h_e_n_t_i_c_a_t_o_r);
+     void
+     krb5_free_authenticator(krb5_context context,
+         krb5_authenticator *authenticator);
 
-DDEESSCCRRIIPPTTIIOONN
-     The kkrrbb55__aauutthh__ccoonntteexxtt structure holds all context related to an authenti-
-     cated connection, in a similar way to kkrrbb55__ccoonntteexxtt that holds the context
-     for the thread or process.  kkrrbb55__aauutthh__ccoonntteexxtt is used by various func-
+DESCRIPTION
+     The krb5_auth_context structure holds all context related to an authenti-
+     cated connection, in a similar way to krb5_context that holds the context
+     for the thread or process.  krb5_auth_context is used by various func-
      tions that are directly related to authentication between the
      server/client. Example of data that this structure contains are various
      flags, addresses of client and server, port numbers, keyblocks (and sub-
      keys), sequence numbers, replay cache, and checksum-type.
 
-     kkrrbb55__aauutthh__ccoonn__iinniitt() allocates and initializes the kkrrbb55__aauutthh__ccoonntteexxtt
+     krb5_auth_con_init() allocates and initializes the krb5_auth_context
      structure. Default values can be changed with
-     kkrrbb55__aauutthh__ccoonn__sseettcckkssuummttyyppee() and kkrrbb55__aauutthh__ccoonn__sseettffllaaggss().  The
-     aauutthh__ccoonntteexxtt structure must be freed by kkrrbb55__aauutthh__ccoonn__ffrreeee().
+     krb5_auth_con_setcksumtype() and krb5_auth_con_setflags().  The
+     auth_context structure must be freed by krb5_auth_con_free().
 
-     kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss(), kkrrbb55__aauutthh__ccoonn__sseettffllaaggss(),
-     kkrrbb55__aauutthh__ccoonn__aaddddffllaaggss() and kkrrbb55__aauutthh__ccoonn__rreemmoovveeffllaaggss() gets and modi-
-     fies the flags for a kkrrbb55__aauutthh__ccoonntteexxtt structure. Possible flags to set
+     krb5_auth_con_getflags(), krb5_auth_con_setflags(),
+     krb5_auth_con_addflags() and krb5_auth_con_removeflags() gets and modi-
+     fies the flags for a krb5_auth_context structure. Possible flags to set
      are:
 
      KRB5_AUTH_CONTEXT_DO_SEQUENCE
@@ -124,7 +123,7 @@ DDEESSCCRRIIPPTTIIOONN
              ters.
 
      KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
-             will force kkrrbb55__ggeett__ffoorrwwaarrddeedd__ccrreeddss() and kkrrbb55__ffwwdd__ttggtt__ccrreeddss() to
+             will force krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to
              create unencrypted ) KRB5_ENCTYPE_NULL) credentials.  This is for
              use with old MIT server and JAVA based servers as they can't han-
              dle encrypted KRB-CRED.  Note that sending such KRB-CRED is clear
@@ -135,7 +134,7 @@ DDEESSCCRRIIPPTTIIOONN
              passed to these functions.
 
              The flags KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior
-             the function kkrrbb55__ggeett__ffoorrwwaarrddeedd__ccrreeddss() by removing the timestamp
+             the function krb5_get_forwarded_creds() by removing the timestamp
              in the forward credential message, this have backward compatibil-
              ity problems since not all versions of the heimdal supports time-
              less credentional messages.  Is very useful since it always the
@@ -144,78 +143,78 @@ DDEESSCCRRIIPPTTIIOONN
              The same functionality can be obtained by using address-less
              tickets.
 
-     kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss(), kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd() and
-     kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss() gets and sets the addresses that are checked
-     when a packet is received.  It is mandatory to set an address for the
-     remote host. If the local address is not set, it iss deduced from the
-     underlaying operating system.  kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss() will call
-     kkrrbb55__ffrreeee__aaddddrreessss() on any address that is passed in _l_o_c_a_l___a_d_d_r or
-     _r_e_m_o_t_e___a_d_d_r.  kkrrbb55__aauutthh__ccoonn__sseettaaddddrr() allows passing in a NULL pointer as
-     _l_o_c_a_l___a_d_d_r and _r_e_m_o_t_e___a_d_d_r, in that case it will just not set that
-     address.
+     krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and
+     krb5_auth_con_getaddrs() gets and sets the addresses that are checked
+     when a packet is received.  It is mandatory to set an address for the re-
+     mote host. If the local address is not set, it iss deduced from the un-
+     derlaying operating system.  krb5_auth_con_getaddrs() will call
+     krb5_free_address() on any address that is passed in local_addr or
+     remote_addr.  krb5_auth_con_setaddr() allows passing in a NULL pointer as
+     local_addr and remote_addr, in that case it will just not set that ad-
+     dress.
 
-     kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd() fetches the addresses from a file
-     descriptor.
+     krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file de-
+     scriptor.
 
-     kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss() fetches the address information from the given
-     file descriptor _f_d depending on the bitmap argument _f_l_a_g_s.
+     krb5_auth_con_genaddrs() fetches the address information from the given
+     file descriptor fd depending on the bitmap argument flags.
 
-     Possible values on _f_l_a_g_s are:
+     Possible values on flags are:
 
-     _K_R_B_5___A_U_T_H___C_O_N_T_E_X_T___G_E_N_E_R_A_T_E___L_O_C_A_L___A_D_D_R
-             fetches the local address from _f_d.
+     KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
+             fetches the local address from fd.
 
-     _K_R_B_5___A_U_T_H___C_O_N_T_E_X_T___G_E_N_E_R_A_T_E___R_E_M_O_T_E___A_D_D_R
-             fetches the remote address from _f_d.
+     KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
+             fetches the remote address from fd.
 
-     kkrrbb55__aauutthh__ccoonn__sseettkkeeyy(), kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy() and
-     kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy() gets and sets the key used for this auth context.
-     The keyblock returned by kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy() should be freed with
-     kkrrbb55__ffrreeee__kkeeyybblloocckk().  The keyblock send into kkrrbb55__aauutthh__ccoonn__sseettkkeeyy() is
-     copied into the kkrrbb55__aauutthh__ccoonntteexxtt, and thus no special handling is
-     needed.  NULL is not a valid keyblock to kkrrbb55__aauutthh__ccoonn__sseettkkeeyy().
+     krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and
+     krb5_auth_con_getkey() gets and sets the key used for this auth context.
+     The keyblock returned by krb5_auth_con_getkey() should be freed with
+     krb5_free_keyblock().  The keyblock send into krb5_auth_con_setkey() is
+     copied into the krb5_auth_context, and thus no special handling is
+     needed.  NULL is not a valid keyblock to krb5_auth_con_setkey().
 
-     kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy() is only useful when doing user to user authen-
-     tication.  kkrrbb55__aauutthh__ccoonn__sseettkkeeyy() is equivalent to
-     kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy().
+     krb5_auth_con_setuserkey() is only useful when doing user to user authen-
+     tication.  krb5_auth_con_setkey() is equivalent to
+     krb5_auth_con_setuserkey().
 
-     kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy(), kkrrbb55__aauutthh__ccoonn__sseettllooccaallssuubbkkeeyy(),
-     kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy() and kkrrbb55__aauutthh__ccoonn__sseettrreemmootteessuubbkkeeyy() gets
-     and sets the keyblock for the local and remote subkey.  The keyblock
-     returned by kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy() and
-     kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy() must be freed with kkrrbb55__ffrreeee__kkeeyybblloocckk().
+     krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
+     krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() gets
+     and sets the keyblock for the local and remote subkey.  The keyblock re-
+     turned by krb5_auth_con_getlocalsubkey() and
+     krb5_auth_con_getremotesubkey() must be freed with krb5_free_keyblock().
 
-     kkrrbb55__aauutthh__sseettcckkssuummttyyppee() and kkrrbb55__aauutthh__ggeettcckkssuummttyyppee() sets and gets the
+     krb5_auth_setcksumtype() and krb5_auth_getcksumtype() sets and gets the
      checksum type that should be used for this connection.
 
-     kkrrbb55__aauutthh__ccoonn__ggeenneerraatteellooccaallssuubbkkeeyy() generates a local subkey that have
-     the same encryption type as _k_e_y.
+     krb5_auth_con_generatelocalsubkey() generates a local subkey that have
+     the same encryption type as key.
 
-     kkrrbb55__aauutthh__ggeettrreemmootteesseeqqnnuummbbeerr() kkrrbb55__aauutthh__sseettrreemmootteesseeqqnnuummbbeerr(),
-     kkrrbb55__aauutthh__ggeettllooccaallsseeqqnnuummbbeerr() and kkrrbb55__aauutthh__sseettllooccaallsseeqqnnuummbbeerr() gets and
+     krb5_auth_getremoteseqnumber() krb5_auth_setremoteseqnumber(),
+     krb5_auth_getlocalseqnumber() and krb5_auth_setlocalseqnumber() gets and
      sets the sequence-number for the local and remote sequence-number
      counter.
 
-     kkrrbb55__aauutthh__sseettkkeeyyttyyppee() and kkrrbb55__aauutthh__ggeettkkeeyyttyyppee() gets and gets the key-
-     type of the keyblock in kkrrbb55__aauutthh__ccoonntteexxtt.
+     krb5_auth_setkeytype() and krb5_auth_getkeytype() gets and gets the key-
+     type of the keyblock in krb5_auth_context.
 
-     kkrrbb55__aauutthh__ccoonn__ggeettaauutthheennttiiccaattoorr() Retrieves the authenticator that was
+     krb5_auth_con_getauthenticator() Retrieves the authenticator that was
      used during mutual authentication. The authenticator returned should be
-     freed by calling kkrrbb55__ffrreeee__aauutthheennttiiccaattoorr().
+     freed by calling krb5_free_authenticator().
 
-     kkrrbb55__aauutthh__ccoonn__ggeettrrccaacchhee() and kkrrbb55__aauutthh__ccoonn__sseettrrccaacchhee() gets and sets the
+     krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the
      replay-cache.
 
-     kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr() allocates memory for and zeros the initial
-     vector in the _a_u_t_h___c_o_n_t_e_x_t keyblock.
+     krb5_auth_con_initivector() allocates memory for and zeros the initial
+     vector in the auth_context keyblock.
 
-     kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr() sets the i_vector portion of _a_u_t_h___c_o_n_t_e_x_t to
-     _i_v_e_c_t_o_r.
+     krb5_auth_con_setivector() sets the i_vector portion of auth_context to
+     ivector.
 
-     kkrrbb55__ffrreeee__aauutthheennttiiccaattoorr() free the content of _a_u_t_h_e_n_t_i_c_a_t_o_r and
-     _a_u_t_h_e_n_t_i_c_a_t_o_r itself.
+     krb5_free_authenticator() free the content of authenticator and
+     authenticator itself.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_context(3), kerberos(8)
 
 HEIMDAL                          May 17, 2005                          HEIMDAL
diff --git a/lib/krb5/krb5_c_make_checksum.cat3 b/lib/krb5/krb5_c_make_checksum.cat3
index 4d6c31a58973..b83c0e29065a 100644
--- a/lib/krb5/krb5_c_make_checksum.cat3
+++ b/lib/krb5/krb5_c_make_checksum.cat3
@@ -1,142 +1,141 @@
-
 KRB5_C_MAKE_CHECKSUM(3)  BSD Library Functions Manual  KRB5_C_MAKE_CHECKSUM(3)
 
-NNAAMMEE
-     kkrrbb55__cc__bblloocckk__ssiizzee, kkrrbb55__cc__ddeeccrryypptt, kkrrbb55__cc__eennccrryypptt, kkrrbb55__cc__eennccrryypptt__lleennggtthh,
-     kkrrbb55__cc__eennccttyyppee__ccoommppaarree, kkrrbb55__cc__ggeett__cchheecckkssuumm, kkrrbb55__cc__iiss__ccoollll__pprrooooff__cckkssuumm,
-     kkrrbb55__cc__iiss__kkeeyyeedd__cckkssuumm, kkrrbb55__cc__kkeeyylleennggtthh, kkrrbb55__cc__mmaakkee__cchheecckkssuumm,
-     kkrrbb55__cc__mmaakkee__rraannddoomm__kkeeyy, kkrrbb55__cc__sseett__cchheecckkssuumm, kkrrbb55__cc__vvaalliidd__cckkssuummttyyppee,
-     kkrrbb55__cc__vvaalliidd__eennccttyyppee, kkrrbb55__cc__vveerriiffyy__cchheecckkssuumm, kkrrbb55__cc__cchheecckkssuumm__lleennggtthh --
+NAME
+     krb5_c_block_size, krb5_c_decrypt, krb5_c_encrypt, krb5_c_encrypt_length,
+     krb5_c_enctype_compare, krb5_c_get_checksum, krb5_c_is_coll_proof_cksum,
+     krb5_c_is_keyed_cksum, krb5_c_keylength, krb5_c_make_checksum,
+     krb5_c_make_random_key, krb5_c_set_checksum, krb5_c_valid_cksumtype,
+     krb5_c_valid_enctype, krb5_c_verify_checksum, krb5_c_checksum_length --
      Kerberos 5 crypto API
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__bblloocckk__ssiizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _s_i_z_e___t _*_b_l_o_c_k_s_i_z_e);
+     krb5_error_code
+     krb5_c_block_size(krb5_context context, krb5_enctype enctype,
+         size_t *blocksize);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__ddeeccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___k_e_y_b_l_o_c_k _k_e_y,
-         _k_r_b_5___k_e_y_u_s_a_g_e _u_s_a_g_e, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_v_e_c, _k_r_b_5___e_n_c___d_a_t_a _*_i_n_p_u_t,
-         _k_r_b_5___d_a_t_a _*_o_u_t_p_u_t);
+     krb5_error_code
+     krb5_c_decrypt(krb5_context context, const krb5_keyblock key,
+         krb5_keyusage usage, const krb5_data *ivec, krb5_enc_data *input,
+         krb5_data *output);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__eennccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y,
-         _k_r_b_5___k_e_y_u_s_a_g_e _u_s_a_g_e, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_v_e_c, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_n_p_u_t,
-         _k_r_b_5___e_n_c___d_a_t_a _*_o_u_t_p_u_t);
+     krb5_error_code
+     krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
+         krb5_keyusage usage, const krb5_data *ivec, const krb5_data *input,
+         krb5_enc_data *output);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__eennccrryypptt__lleennggtthh(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _s_i_z_e___t _i_n_p_u_t_l_e_n, _s_i_z_e___t _*_l_e_n_g_t_h);
+     krb5_error_code
+     krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
+         size_t inputlen, size_t *length);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__eennccttyyppee__ccoommppaarree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_1,
-         _k_r_b_5___e_n_c_t_y_p_e _e_2, _k_r_b_5___b_o_o_l_e_a_n _*_s_i_m_i_l_a_r);
+     krb5_error_code
+     krb5_c_enctype_compare(krb5_context context, krb5_enctype e1,
+         krb5_enctype e2, krb5_boolean *similar);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__mmaakkee__rraannddoomm__kkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _k_r_b_5___k_e_y_b_l_o_c_k _*_r_a_n_d_o_m___k_e_y);
+     krb5_error_code
+     krb5_c_make_random_key(krb5_context context, krb5_enctype enctype,
+         krb5_keyblock *random_key);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__mmaakkee__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _c_k_s_u_m_t_y_p_e,
-         _c_o_n_s_t _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y, _k_r_b_5___k_e_y_u_s_a_g_e _u_s_a_g_e,
-         _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_n_p_u_t, _k_r_b_5___c_h_e_c_k_s_u_m _*_c_k_s_u_m);
+     krb5_error_code
+     krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
+         const krb5_keyblock *key, krb5_keyusage usage,
+         const krb5_data *input, krb5_checksum *cksum);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__vveerriiffyy__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y,
-         _k_r_b_5___k_e_y_u_s_a_g_e _u_s_a_g_e, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_d_a_t_a,
-         _c_o_n_s_t _k_r_b_5___c_h_e_c_k_s_u_m _*_c_k_s_u_m, _k_r_b_5___b_o_o_l_e_a_n _*_v_a_l_i_d);
+     krb5_error_code
+     krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
+         krb5_keyusage usage, const krb5_data *data,
+         const krb5_checksum *cksum, krb5_boolean *valid);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__cchheecckkssuumm__lleennggtthh(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _c_k_s_u_m_t_y_p_e,
-         _s_i_z_e___t _*_l_e_n_g_t_h);
+     krb5_error_code
+     krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype,
+         size_t *length);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__ggeett__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_h_e_c_k_s_u_m _*_c_k_s_u_m,
-         _k_r_b_5___c_k_s_u_m_t_y_p_e _*_t_y_p_e, _k_r_b_5___d_a_t_a _*_*_d_a_t_a);
+     krb5_error_code
+     krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum,
+         krb5_cksumtype *type, krb5_data **data);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__sseett__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_h_e_c_k_s_u_m _*_c_k_s_u_m,
-         _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_d_a_t_a);
+     krb5_error_code
+     krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum,
+         krb5_cksumtype type, const krb5_data *data);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__cc__vvaalliidd__eennccttyyppee(_k_r_b_5___e_n_c_t_y_p_e, _e_t_y_p_e_");
+     krb5_boolean
+     krb5_c_valid_enctype(krb5_enctype, etype");
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__cc__vvaalliidd__cckkssuummttyyppee(_k_r_b_5___c_k_s_u_m_t_y_p_e _c_t_y_p_e);
+     krb5_boolean
+     krb5_c_valid_cksumtype(krb5_cksumtype ctype);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__cc__iiss__ccoollll__pprrooooff__cckkssuumm(_k_r_b_5___c_k_s_u_m_t_y_p_e _c_t_y_p_e);
+     krb5_boolean
+     krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__cc__iiss__kkeeyyeedd__cckkssuumm(_k_r_b_5___c_k_s_u_m_t_y_p_e _c_t_y_p_e);
+     krb5_boolean
+     krb5_c_is_keyed_cksum(krb5_cksumtype ctype);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cc__kkeeyylleennggtthhss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _s_i_z_e___t _*_i_n_l_e_n_g_t_h, _s_i_z_e___t _*_k_e_y_l_e_n_g_t_h);
+     krb5_error_code
+     krb5_c_keylengths(krb5_context context, krb5_enctype enctype,
+         size_t *inlength, size_t *keylength);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      The functions starting with krb5_c are compat functions with MIT ker-
      beros.
 
      The krb5_enc_data structure holds and encrypted data.  There are two pub-
      lic accessible members of krb5_enc_data.  enctype that holds the encryp-
-     tion type of the data encrypted and ciphertext that is a _k_r_b_5___d_a_t_a that
+     tion type of the data encrypted and ciphertext that is a krb5_data that
      might contain the encrypted data.
 
-     kkrrbb55__cc__bblloocckk__ssiizzee() returns the blocksize of the encryption type.
+     krb5_c_block_size() returns the blocksize of the encryption type.
 
-     kkrrbb55__cc__ddeeccrryypptt() decrypts _i_n_p_u_t and store the data in _o_u_t_p_u_t_. If _i_v_e_c is
+     krb5_c_decrypt() decrypts input and store the data in output. If ivec is
      NULL the default initialization vector for that encryption type will be
      used.
 
-     kkrrbb55__cc__eennccrryypptt() encrypts the plaintext in _i_n_p_u_t and store the ciphertext
-     in _o_u_t_p_u_t.
+     krb5_c_encrypt() encrypts the plaintext in input and store the ciphertext
+     in output.
 
-     kkrrbb55__cc__eennccrryypptt__lleennggtthh() returns the length the encrypted data given the
+     krb5_c_encrypt_length() returns the length the encrypted data given the
      plaintext length.
 
-     kkrrbb55__cc__eennccttyyppee__ccoommppaarree() compares to encryption types and returns if they
+     krb5_c_enctype_compare() compares to encryption types and returns if they
      use compatible encryption key types.
 
-     kkrrbb55__cc__mmaakkee__cchheecckkssuumm() creates a checksum _c_k_s_u_m with the checksum type
-     _c_k_s_u_m_t_y_p_e of the data in _d_a_t_a.  _k_e_y and _u_s_a_g_e are used if the checksum is
+     krb5_c_make_checksum() creates a checksum cksum with the checksum type
+     cksumtype of the data in data.  key and usage are used if the checksum is
      a keyed checksum type.  Returns 0 or an error code.
 
-     kkrrbb55__cc__vveerriiffyy__cchheecckkssuumm() verifies the checksum of _d_a_t_a in _c_k_s_u_m that was
-     created with _k_e_y using the key usage _u_s_a_g_e.  _v_e_r_i_f_y is set to non-zero if
+     krb5_c_verify_checksum() verifies the checksum of data in cksum that was
+     created with key using the key usage usage.  verify is set to non-zero if
      the checksum verifies correctly and zero if not.  Returns 0 or an error
      code.
 
-     kkrrbb55__cc__cchheecckkssuumm__lleennggtthh() returns the length of the checksum.
+     krb5_c_checksum_length() returns the length of the checksum.
 
-     kkrrbb55__cc__sseett__cchheecckkssuumm() sets the krb5_checksum structure given _t_y_p_e and
-     _d_a_t_a.  The content of _c_k_s_u_m should be freeed with
-     kkrrbb55__cc__ffrreeee__cchheecckkssuumm__ccoonntteennttss().
+     krb5_c_set_checksum() sets the krb5_checksum structure given type and
+     data.  The content of cksum should be freeed with
+     krb5_c_free_checksum_contents().
 
-     kkrrbb55__cc__ggeett__cchheecckkssuumm() retrieves the components of the krb5_checksum.
-     structure.  _d_a_t_a should be free with kkrrbb55__ffrreeee__ddaattaa().  If some either of
-     _d_a_t_a or _c_h_e_c_k_s_u_m is not needed for the application, NULL can be passed
+     krb5_c_get_checksum() retrieves the components of the krb5_checksum.
+     structure.  data should be free with krb5_free_data().  If some either of
+     data or checksum is not needed for the application, NULL can be passed
      in.
 
-     kkrrbb55__cc__vvaalliidd__eennccttyyppee() returns true if _e_t_y_p_e is a valid encryption type.
+     krb5_c_valid_enctype() returns true if etype is a valid encryption type.
 
-     kkrrbb55__cc__vvaalliidd__cckkssuummttyyppee() returns true if _c_t_y_p_e is a valid checksum type.
+     krb5_c_valid_cksumtype() returns true if ctype is a valid checksum type.
 
-     kkrrbb55__cc__iiss__kkeeyyeedd__cckkssuumm() return true if _c_t_y_p_e is a keyed checksum type.
+     krb5_c_is_keyed_cksum() return true if ctype is a keyed checksum type.
 
-     kkrrbb55__cc__iiss__ccoollll__pprrooooff__cckkssuumm() returns true if _c_t_y_p_e is a collision proof
+     krb5_c_is_coll_proof_cksum() returns true if ctype is a collision proof
      checksum type.
 
-     kkrrbb55__cc__kkeeyylleennggtthhss() return the minimum length (_i_n_l_e_n_g_t_h) bytes needed to
-     create a key and the length (_k_e_y_l_e_n_g_t_h) of the resulting key for the
-     _e_n_c_t_y_p_e.
+     krb5_c_keylengths() return the minimum length (inlength) bytes needed to
+     create a key and the length (keylength) of the resulting key for the
+     enctype.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_create_checksum(3), krb5_free_data(3), kerberos(8)
 
 HEIMDAL                          Nov 17, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_ccapi.h b/lib/krb5/krb5_ccapi.h
index 5a7fe6a41334..06d8886145af 100644
--- a/lib/krb5/krb5_ccapi.h
+++ b/lib/krb5/krb5_ccapi.h
@@ -38,7 +38,7 @@
 
 #include <krb5-types.h>
 
- #ifdef __APPLE__
+#ifdef __APPLE__
 #pragma pack(push,2)
 #endif
 
@@ -231,7 +231,7 @@ struct cc_context_t {
 typedef cc_int32
 (*cc_initialize_func)(cc_context_t*, cc_int32, cc_int32 *, char const **);
 
-#ifdef __APPLE__
+#if defined(__APPLE__)
 #pragma pack(pop)
 #endif
 
diff --git a/lib/krb5/krb5_check_transited.cat3 b/lib/krb5/krb5_check_transited.cat3
index 97a97e72b6bf..9907d6cc27c1 100644
--- a/lib/krb5/krb5_check_transited.cat3
+++ b/lib/krb5/krb5_check_transited.cat3
@@ -1,49 +1,48 @@
-
 KRB5_CHECK_TRANSITED(3)  BSD Library Functions Manual  KRB5_CHECK_TRANSITED(3)
 
-NNAAMMEE
-     kkrrbb55__cchheecckk__ttrraannssiitteedd, kkrrbb55__cchheecckk__ttrraannssiitteedd__rreeaallmmss,
-     kkrrbb55__ddoommaaiinn__xx550000__ddeeccooddee, kkrrbb55__ddoommaaiinn__xx550000__eennccooddee -- realm transit verifi-
+NAME
+     krb5_check_transited, krb5_check_transited_realms,
+     krb5_domain_x500_decode, krb5_domain_x500_encode -- realm transit verifi-
      cation and encoding/decoding functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cchheecckk__ttrraannssiitteedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _c_l_i_e_n_t___r_e_a_l_m,
-         _k_r_b_5___c_o_n_s_t___r_e_a_l_m _s_e_r_v_e_r___r_e_a_l_m, _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m_s, _i_n_t _n_u_m___r_e_a_l_m_s,
-         _i_n_t _*_b_a_d___r_e_a_l_m);
+     krb5_error_code
+     krb5_check_transited(krb5_context context, krb5_const_realm client_realm,
+         krb5_const_realm server_realm, krb5_realm *realms, int num_realms,
+         int *bad_realm);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cchheecckk__ttrraannssiitteedd__rreeaallmmss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _c_o_n_s_t _c_h_a_r _*_c_o_n_s_t _*_r_e_a_l_m_s, _i_n_t _n_u_m___r_e_a_l_m_s, _i_n_t _*_b_a_d___r_e_a_l_m);
+     krb5_error_code
+     krb5_check_transited_realms(krb5_context context,
+         const char *const *realms, int num_realms, int *bad_realm);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddoommaaiinn__xx550000__ddeeccooddee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_a_t_a _t_r,
-         _c_h_a_r _*_*_*_r_e_a_l_m_s, _i_n_t _*_n_u_m___r_e_a_l_m_s, _c_o_n_s_t _c_h_a_r _*_c_l_i_e_n_t___r_e_a_l_m,
-         _c_o_n_s_t _c_h_a_r _*_s_e_r_v_e_r___r_e_a_l_m);
+     krb5_error_code
+     krb5_domain_x500_decode(krb5_context context, krb5_data tr,
+         char ***realms, int *num_realms, const char *client_realm,
+         const char *server_realm);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddoommaaiinn__xx550000__eennccooddee(_c_h_a_r _*_*_r_e_a_l_m_s, _i_n_t _n_u_m___r_e_a_l_m_s,
-         _k_r_b_5___d_a_t_a _*_e_n_c_o_d_i_n_g);
+     krb5_error_code
+     krb5_domain_x500_encode(char **realms, int num_realms,
+         krb5_data *encoding);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__cchheecckk__ttrraannssiitteedd() checks the path from _c_l_i_e_n_t___r_e_a_l_m to _s_e_r_v_e_r___r_e_a_l_m
-     where _r_e_a_l_m_s and _n_u_m___r_e_a_l_m_s is the realms between them.  If the function
-     returns an error value, _b_a_d___r_e_a_l_m will be set to the realm in the list
-     causing the error.  kkrrbb55__cchheecckk__ttrraannssiitteedd() is used internally by the KDC
+DESCRIPTION
+     krb5_check_transited() checks the path from client_realm to server_realm
+     where realms and num_realms is the realms between them.  If the function
+     returns an error value, bad_realm will be set to the realm in the list
+     causing the error.  krb5_check_transited() is used internally by the KDC
      and libkrb5 and should not be called by client applications.
 
-     kkrrbb55__cchheecckk__ttrraannssiitteedd__rreeaallmmss() is deprecated.
+     krb5_check_transited_realms() is deprecated.
 
-     kkrrbb55__ddoommaaiinn__xx550000__eennccooddee() and kkrrbb55__ddoommaaiinn__xx550000__ddeeccooddee() encodes and
-     decodes the realm names in the X500 format that Kerberos uses to describe
+     krb5_domain_x500_encode() and krb5_domain_x500_decode() encodes and de-
+     codes the realm names in the X500 format that Kerberos uses to describe
      the transited realms in krbtgts.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5.conf(5)
 
 HEIMDAL                           May 1, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_create_checksum.cat3 b/lib/krb5/krb5_create_checksum.cat3
index e2050b141a4d..673f56d708b6 100644
--- a/lib/krb5/krb5_create_checksum.cat3
+++ b/lib/krb5/krb5_create_checksum.cat3
@@ -1,113 +1,112 @@
-
 NAME(3)                  BSD Library Functions Manual                  NAME(3)
 
-NNAAMMEE
-     kkrrbb55__cchheecckkssuumm, kkrrbb55__cchheecckkssuumm__ddiissaabbllee, kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff,
-     kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd, kkrrbb55__cchheecckkssuummssiizzee, kkrrbb55__cckkssuummttyyppee__vvaalliidd,
-     kkrrbb55__ccooppyy__cchheecckkssuumm, kkrrbb55__ccrreeaattee__cchheecckkssuumm, kkrrbb55__ccrryyppttoo__ggeett__cchheecckkssuumm__ttyyppee
-     kkrrbb55__ffrreeee__cchheecckkssuumm, kkrrbb55__ffrreeee__cchheecckkssuumm__ccoonntteennttss, kkrrbb55__hhmmaacc,
-     kkrrbb55__vveerriiffyy__cchheecckkssuumm -- creates, handles and verifies checksums
+NAME
+     krb5_checksum, krb5_checksum_disable, krb5_checksum_is_collision_proof,
+     krb5_checksum_is_keyed, krb5_checksumsize, krb5_cksumtype_valid,
+     krb5_copy_checksum, krb5_create_checksum, krb5_crypto_get_checksum_type
+     krb5_free_checksum, krb5_free_checksum_contents, krb5_hmac,
+     krb5_verify_checksum -- creates, handles and verifies checksums
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
      typedef Checksum krb5_checksum;
 
-     _v_o_i_d
-     kkrrbb55__cchheecckkssuumm__ddiissaabbllee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e);
+     void
+     krb5_checksum_disable(krb5_context context, krb5_cksumtype type);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e);
+     krb5_boolean
+     krb5_checksum_is_collision_proof(krb5_context context,
+         krb5_cksumtype type);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e);
+     krb5_boolean
+     krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cckkssuummttyyppee__vvaalliidd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _c_t_y_p_e);
+     krb5_error_code
+     krb5_cksumtype_valid(krb5_context context, krb5_cksumtype ctype);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cchheecckkssuummssiizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e,
-         _s_i_z_e___t _*_s_i_z_e);
+     krb5_error_code
+     krb5_checksumsize(krb5_context context, krb5_cksumtype type,
+         size_t *size);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccrreeaattee__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _k_r_b_5___k_e_y___u_s_a_g_e _u_s_a_g_e, _i_n_t _t_y_p_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n,
-         _C_h_e_c_k_s_u_m _*_r_e_s_u_l_t);
+     krb5_error_code
+     krb5_create_checksum(krb5_context context, krb5_crypto crypto,
+         krb5_key_usage usage, int type, void *data, size_t len,
+         Checksum *result);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vveerriiffyy__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _k_r_b_5___k_e_y___u_s_a_g_e _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _C_h_e_c_k_s_u_m _*_c_k_s_u_m);
+     krb5_error_code
+     krb5_verify_checksum(krb5_context context, krb5_crypto crypto,
+         krb5_key_usage usage, void *data, size_t len, Checksum *cksum);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccrryyppttoo__ggeett__cchheecckkssuumm__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _k_r_b_5___c_k_s_u_m_t_y_p_e _*_t_y_p_e);
+     krb5_error_code
+     krb5_crypto_get_checksum_type(krb5_context context, krb5_crypto crypto,
+         krb5_cksumtype *type);
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_h_e_c_k_s_u_m _*_c_k_s_u_m);
+     void
+     krb5_free_checksum(krb5_context context, krb5_checksum *cksum);
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__cchheecckkssuumm__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_h_e_c_k_s_u_m _*_c_k_s_u_m);
+     void
+     krb5_free_checksum_contents(krb5_context context, krb5_checksum *cksum);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__hhmmaacc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _c_k_t_y_p_e, _c_o_n_s_t _v_o_i_d _*_d_a_t_a,
-         _s_i_z_e___t _l_e_n, _u_n_s_i_g_n_e_d _u_s_a_g_e, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y, _C_h_e_c_k_s_u_m _*_r_e_s_u_l_t);
+     krb5_error_code
+     krb5_hmac(krb5_context context, krb5_cksumtype cktype, const void *data,
+         size_t len, unsigned usage, krb5_keyblock *key, Checksum *result);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccooppyy__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_h_e_c_k_s_u_m _*_o_l_d,
-         _k_r_b_5___c_h_e_c_k_s_u_m _*_*_n_e_w);
+     krb5_error_code
+     krb5_copy_checksum(krb5_context context, const krb5_checksum *old,
+         krb5_checksum **new);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      The krb5_checksum structure holds a Kerberos checksum.  There is no com-
      ponent inside krb5_checksum that is directly referable.
 
      The functions are used to create and verify checksums.
-     kkrrbb55__ccrreeaattee__cchheecckkssuumm() creates a checksum of the specified data, and puts
-     it in _r_e_s_u_l_t.  If _c_r_y_p_t_o is NULL, _u_s_a_g_e___o_r___t_y_p_e specifies the checksum
-     type to use; it must not be keyed. Otherwise _c_r_y_p_t_o is an encryption con-
-     text created by kkrrbb55__ccrryyppttoo__iinniitt(), and _u_s_a_g_e___o_r___t_y_p_e specifies a key-
-     usage.
+     krb5_create_checksum() creates a checksum of the specified data, and puts
+     it in result.  If crypto is NULL, usage_or_type specifies the checksum
+     type to use; it must not be keyed. Otherwise crypto is an encryption con-
+     text created by krb5_crypto_init(), and usage_or_type specifies a key-us-
+     age.
 
-     kkrrbb55__vveerriiffyy__cchheecckkssuumm() verifies the _c_h_e_c_k_s_u_m against the provided data.
+     krb5_verify_checksum() verifies the checksum against the provided data.
 
-     kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff() returns true is the specified checksum
+     krb5_checksum_is_collision_proof() returns true is the specified checksum
      is collision proof (that it's very unlikely that two strings has the same
      hash value, and that it's hard to find two strings that has the same
      hash). Examples of collision proof checksums are MD5, and SHA1, while
      CRC32 is not.
 
-     kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd() returns true if the specified checksum type is
+     krb5_checksum_is_keyed() returns true if the specified checksum type is
      keyed (that the hash value is a function of both the data, and a separate
      key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA-
-     MD5-DES. The ``plain'' hash functions MD5, and SHA1 are not keyed.
+     MD5-DES. The "plain" hash functions MD5, and SHA1 are not keyed.
 
-     kkrrbb55__ccrryyppttoo__ggeett__cchheecckkssuumm__ttyyppee() returns the checksum type that will be
-     used when creating a checksum for the given _c_r_y_p_t_o context.  This func-
-     tion is useful in combination with kkrrbb55__cchheecckkssuummssiizzee() when you want to
+     krb5_crypto_get_checksum_type() returns the checksum type that will be
+     used when creating a checksum for the given crypto context.  This func-
+     tion is useful in combination with krb5_checksumsize() when you want to
      know the size a checksum will use when you create it.
 
-     kkrrbb55__cckkssuummttyyppee__vvaalliidd() returns 0 or an error if the checksumtype is
-     implemented and not currently disabled in this kerberos library.
+     krb5_cksumtype_valid() returns 0 or an error if the checksumtype is im-
+     plemented and not currently disabled in this kerberos library.
 
-     kkrrbb55__cchheecckkssuummssiizzee() returns the size of the outdata of checksum function.
+     krb5_checksumsize() returns the size of the outdata of checksum function.
 
-     kkrrbb55__ccooppyy__cchheecckkssuumm() returns a copy of the checksum kkrrbb55__ffrreeee__cchheecckkssuumm()
-     should use used to free the _n_e_w checksum.
+     krb5_copy_checksum() returns a copy of the checksum krb5_free_checksum()
+     should use used to free the new checksum.
 
-     kkrrbb55__ffrreeee__cchheecckkssuumm() free the checksum and the content of the checksum.
+     krb5_free_checksum() free the checksum and the content of the checksum.
 
-     kkrrbb55__ffrreeee__cchheecckkssuumm__ccoonntteennttss() frees the content of checksum in _c_k_s_u_m.
+     krb5_free_checksum_contents() frees the content of checksum in cksum.
 
-     kkrrbb55__hhmmaacc() calculates the HMAC over _d_a_t_a (with length _l_e_n) using the
-     keyusage _u_s_a_g_e and keyblock _k_e_y.  Note that keyusage is not always used
+     krb5_hmac() calculates the HMAC over data (with length len) using the
+     keyusage usage and keyblock key.  Note that keyusage is not always used
      in checksums.
 
-     kkrrbb55__cchheecckkssuumm__ddiissaabbllee globally disables the checksum type.
+     krb5_checksum_disable globally disables the checksum type.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_crypto_init(3), krb5_c_encrypt(3), krb5_encrypt(3)
 
 HEIMDAL                         August 12, 2005                        HEIMDAL
diff --git a/lib/krb5/krb5_creds.cat3 b/lib/krb5/krb5_creds.cat3
index f7b07dd54d20..a7254961e9af 100644
--- a/lib/krb5/krb5_creds.cat3
+++ b/lib/krb5/krb5_creds.cat3
@@ -1,32 +1,31 @@
-
 KRB5_CREDS(3)            BSD Library Functions Manual            KRB5_CREDS(3)
 
-NNAAMMEE
-     kkrrbb55__ccrreeddss, kkrrbb55__ccooppyy__ccrreeddss, kkrrbb55__ccooppyy__ccrreeddss__ccoonntteennttss, kkrrbb55__ffrreeee__ccrreeddss,
-     kkrrbb55__ffrreeee__ccrreedd__ccoonntteennttss -- Kerberos 5 credential handling functions
+NAME
+     krb5_creds, krb5_copy_creds, krb5_copy_creds_contents, krb5_free_creds,
+     krb5_free_cred_contents -- Kerberos 5 credential handling functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccooppyy__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_r_e_d_s _*_i_n_c_r_e_d,
-         _k_r_b_5___c_r_e_d_s _*_*_o_u_t_c_r_e_d);
+     krb5_error_code
+     krb5_copy_creds(krb5_context context, const krb5_creds *incred,
+         krb5_creds **outcred);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccooppyy__ccrreeddss__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_r_e_d_s _*_i_n_c_r_e_d,
-         _k_r_b_5___c_r_e_d_s _*_o_u_t_c_r_e_d);
+     krb5_error_code
+     krb5_copy_creds_contents(krb5_context context, const krb5_creds *incred,
+         krb5_creds *outcred);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffrreeee__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_o_u_t_c_r_e_d);
+     krb5_error_code
+     krb5_free_creds(krb5_context context, krb5_creds *outcred);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffrreeee__ccrreedd__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d);
+     krb5_error_code
+     krb5_free_cred_contents(krb5_context context, krb5_creds *cred);
 
-DDEESSCCRRIIPPTTIIOONN
-     _k_r_b_5___c_r_e_d_s holds Kerberos credentials:
+DESCRIPTION
+     krb5_creds holds Kerberos credentials:
 
      typedef struct krb5_creds {
          krb5_principal      client;
@@ -40,19 +39,19 @@ DDEESSCCRRIIPPTTIIOONN
          krb5_ticket_flags   flags;
      } krb5_creds;
 
-     kkrrbb55__ccooppyy__ccrreeddss() makes a copy of _i_n_c_r_e_d to _o_u_t_c_r_e_d.  _o_u_t_c_r_e_d should be
-     freed with kkrrbb55__ffrreeee__ccrreeddss() by the caller.
+     krb5_copy_creds() makes a copy of incred to outcred.  outcred should be
+     freed with krb5_free_creds() by the caller.
 
-     kkrrbb55__ccooppyy__ccrreeddss__ccoonntteennttss() makes a copy of the content of _i_n_c_r_e_d to
-     _o_u_t_c_r_e_d_s.  _o_u_t_c_r_e_d_s should be freed by the called with
-     kkrrbb55__ffrreeee__ccrreeddss__ccoonntteennttss().
+     krb5_copy_creds_contents() makes a copy of the content of incred to
+     outcreds.  outcreds should be freed by the called with
+     krb5_free_creds_contents().
 
-     kkrrbb55__ffrreeee__ccrreeddss() frees the content of the _c_r_e_d structure and the struc-
+     krb5_free_creds() frees the content of the cred structure and the struc-
      ture itself.
 
-     kkrrbb55__ffrreeee__ccrreedd__ccoonntteennttss() frees the content of the _c_r_e_d structure.
+     krb5_free_cred_contents() frees the content of the cred structure.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_compare_creds(3), krb5_get_init_creds(3), kerberos(8)
 
 HEIMDAL                           May 1, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_digest.cat3 b/lib/krb5/krb5_digest.cat3
index 3d3c53b528b3..ac69a1305b86 100644
--- a/lib/krb5/krb5_digest.cat3
+++ b/lib/krb5/krb5_digest.cat3
@@ -1,146 +1,145 @@
-
 KRB5_DIGEST(3)           BSD Library Functions Manual           KRB5_DIGEST(3)
 
-NNAAMMEE
-     kkrrbb55__ddiiggeesstt, kkrrbb55__ddiiggeesstt__aalllloocc, kkrrbb55__ddiiggeesstt__ffrreeee,
-     kkrrbb55__ddiiggeesstt__sseett__sseerrvveerr__ccbb, kkrrbb55__ddiiggeesstt__sseett__ttyyppee,
-     kkrrbb55__ddiiggeesstt__sseett__hhoossttnnaammee, kkrrbb55__ddiiggeesstt__ggeett__sseerrvveerr__nnoonnccee,
-     kkrrbb55__ddiiggeesstt__sseett__sseerrvveerr__nnoonnccee, kkrrbb55__ddiiggeesstt__ggeett__ooppaaqquuee,
-     kkrrbb55__ddiiggeesstt__sseett__ooppaaqquuee, kkrrbb55__ddiiggeesstt__ggeett__iiddeennttiiffiieerr,
-     kkrrbb55__ddiiggeesstt__sseett__iiddeennttiiffiieerr, kkrrbb55__ddiiggeesstt__iinniitt__rreeqquueesstt,
-     kkrrbb55__ddiiggeesstt__sseett__cclliieenntt__nnoonnccee, kkrrbb55__ddiiggeesstt__sseett__ddiiggeesstt,
-     kkrrbb55__ddiiggeesstt__sseett__uusseerrnnaammee, kkrrbb55__ddiiggeesstt__sseett__aauutthhiidd,
-     kkrrbb55__ddiiggeesstt__sseett__aauutthheennttiiccaattiioonn__uusseerr, kkrrbb55__ddiiggeesstt__sseett__rreeaallmm,
-     kkrrbb55__ddiiggeesstt__sseett__mmeetthhoodd, kkrrbb55__ddiiggeesstt__sseett__uurrii, kkrrbb55__ddiiggeesstt__sseett__nnoonncceeCCoouunntt,
-     kkrrbb55__ddiiggeesstt__sseett__qqoopp, kkrrbb55__ddiiggeesstt__rreeqquueesstt, kkrrbb55__ddiiggeesstt__ggeett__rreessppoonnsseeDDaattaa,
-     kkrrbb55__ddiiggeesstt__ggeett__rrsspp, kkrrbb55__ddiiggeesstt__ggeett__ttiicckkeettss,
-     kkrrbb55__ddiiggeesstt__ggeett__cclliieenntt__bbiinnddiinngg, kkrrbb55__ddiiggeesstt__ggeett__aa11__hhaasshh -- remote digest
+NAME
+     krb5_digest, krb5_digest_alloc, krb5_digest_free,
+     krb5_digest_set_server_cb, krb5_digest_set_type,
+     krb5_digest_set_hostname, krb5_digest_get_server_nonce,
+     krb5_digest_set_server_nonce, krb5_digest_get_opaque,
+     krb5_digest_set_opaque, krb5_digest_get_identifier,
+     krb5_digest_set_identifier, krb5_digest_init_request,
+     krb5_digest_set_client_nonce, krb5_digest_set_digest,
+     krb5_digest_set_username, krb5_digest_set_authid,
+     krb5_digest_set_authentication_user, krb5_digest_set_realm,
+     krb5_digest_set_method, krb5_digest_set_uri, krb5_digest_set_nonceCount,
+     krb5_digest_set_qop, krb5_digest_request, krb5_digest_get_responseData,
+     krb5_digest_get_rsp, krb5_digest_get_tickets,
+     krb5_digest_get_client_binding, krb5_digest_get_a1_hash -- remote digest
      (HTTP-DIGEST, SASL, CHAP) support
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
      typedef struct krb5_digest *krb5_digest;
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__aalllloocc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _*_d_i_g_e_s_t);
+     krb5_error_code
+     krb5_digest_alloc(krb5_context context, krb5_digest *digest);
 
-     _v_o_i_d
-     kkrrbb55__ddiiggeesstt__ffrreeee(_k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t);
+     void
+     krb5_digest_free(krb5_digest digest);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_t_y_p_e);
+     krb5_error_code
+     krb5_digest_set_type(krb5_context context, krb5_digest digest,
+         const char *type);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__sseerrvveerr__ccbb(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_t_y_p_e, _c_o_n_s_t _c_h_a_r _*_b_i_n_d_i_n_g);
+     krb5_error_code
+     krb5_digest_set_server_cb(krb5_context context, krb5_digest digest,
+         const char *type, const char *binding);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__hhoossttnnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_h_o_s_t_n_a_m_e);
+     krb5_error_code
+     krb5_digest_set_hostname(krb5_context context, krb5_digest digest,
+         const char *hostname);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__ddiiggeesstt__ggeett__sseerrvveerr__nnoonnccee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t);
+     const char *
+     krb5_digest_get_server_nonce(krb5_context context, krb5_digest digest);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__sseerrvveerr__nnoonnccee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_n_o_n_c_e);
+     krb5_error_code
+     krb5_digest_set_server_nonce(krb5_context context, krb5_digest digest,
+         const char *nonce);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__ddiiggeesstt__ggeett__ooppaaqquuee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t);
+     const char *
+     krb5_digest_get_opaque(krb5_context context, krb5_digest digest);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__ooppaaqquuee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_o_p_a_q_u_e);
+     krb5_error_code
+     krb5_digest_set_opaque(krb5_context context, krb5_digest digest,
+         const char *opaque);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__ddiiggeesstt__ggeett__iiddeennttiiffiieerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t);
+     const char *
+     krb5_digest_get_identifier(krb5_context context, krb5_digest digest);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__iiddeennttiiffiieerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_i_d);
+     krb5_error_code
+     krb5_digest_set_identifier(krb5_context context, krb5_digest digest,
+         const char *id);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__iinniitt__rreeqquueesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e);
+     krb5_error_code
+     krb5_digest_init_request(krb5_context context, krb5_digest digest,
+         krb5_realm realm, krb5_ccache ccache);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__cclliieenntt__nnoonnccee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_n_o_n_c_e);
+     krb5_error_code
+     krb5_digest_set_client_nonce(krb5_context context, krb5_digest digest,
+         const char *nonce);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__ddiiggeesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_d_g_s_t);
+     krb5_error_code
+     krb5_digest_set_digest(krb5_context context, krb5_digest digest,
+         const char *dgst);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__uusseerrnnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_u_s_e_r_n_a_m_e);
+     krb5_error_code
+     krb5_digest_set_username(krb5_context context, krb5_digest digest,
+         const char *username);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__aauutthhiidd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_a_u_t_h_i_d);
+     krb5_error_code
+     krb5_digest_set_authid(krb5_context context, krb5_digest digest,
+         const char *authid);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__aauutthheennttiiccaattiioonn__uusseerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _a_u_t_h_e_n_t_i_c_a_t_i_o_n___u_s_e_r);
+     krb5_error_code
+     krb5_digest_set_authentication_user(krb5_context context,
+         krb5_digest digest, krb5_principal authentication_user);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m);
+     krb5_error_code
+     krb5_digest_set_realm(krb5_context context, krb5_digest digest,
+         const char *realm);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__mmeetthhoodd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_m_e_t_h_o_d);
+     krb5_error_code
+     krb5_digest_set_method(krb5_context context, krb5_digest digest,
+         const char *method);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__uurrii(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_u_r_i);
+     krb5_error_code
+     krb5_digest_set_uri(krb5_context context, krb5_digest digest,
+         const char *uri);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__nnoonncceeCCoouunntt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_n_o_n_c_e___c_o_u_n_t);
+     krb5_error_code
+     krb5_digest_set_nonceCount(krb5_context context, krb5_digest digest,
+         const char *nonce_count);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__sseett__qqoopp(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_o_n_s_t _c_h_a_r _*_q_o_p);
+     krb5_error_code
+     krb5_digest_set_qop(krb5_context context, krb5_digest digest,
+         const char *qop);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__rreeqquueesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e);
+     krb5_error_code
+     krb5_digest_request(krb5_context context, krb5_digest digest,
+         krb5_realm realm, krb5_ccache ccache);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__ddiiggeesstt__ggeett__rreessppoonnsseeDDaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t);
+     const char *
+     krb5_digest_get_responseData(krb5_context context, krb5_digest digest);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__ddiiggeesstt__ggeett__rrsspp(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t);
+     const char *
+     krb5_digest_get_rsp(krb5_context context, krb5_digest digest);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__ggeett__ttiicckkeettss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _T_i_c_k_e_t _*_*_t_i_c_k_e_t_s);
+     krb5_error_code
+     krb5_digest_get_tickets(krb5_context context, krb5_digest digest,
+         Ticket **tickets);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__ggeett__cclliieenntt__bbiinnddiinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _c_h_a_r _*_*_t_y_p_e, _c_h_a_r _*_*_b_i_n_d_i_n_g);
+     krb5_error_code
+     krb5_digest_get_client_binding(krb5_context context, krb5_digest digest,
+         char **type, char **binding);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddiiggeesstt__ggeett__aa11__hhaasshh(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_i_g_e_s_t _d_i_g_e_s_t,
-         _k_r_b_5___d_a_t_a _*_d_a_t_a);
+     krb5_error_code
+     krb5_digest_get_a1_hash(krb5_context context, krb5_digest digest,
+         krb5_data *data);
 
-DDEESSCCRRIIPPTTIIOONN
-     The kkrrbb55__ddiiggeesstt__aalllloocc() function allocatates the _d_i_g_e_s_t structure.  The
-     structure should be freed with kkrrbb55__ddiiggeesstt__ffrreeee() when it is no longer
+DESCRIPTION
+     The krb5_digest_alloc() function allocatates the digest structure.  The
+     structure should be freed with krb5_digest_free() when it is no longer
      being used.
 
-     kkrrbb55__ddiiggeesstt__aalllloocc() returns 0 to indicate success.  Otherwise an kerberos
-     code is returned and the pointer that _d_i_g_e_s_t points to is set to NULL.
+     krb5_digest_alloc() returns 0 to indicate success.  Otherwise an kerberos
+     code is returned and the pointer that digest points to is set to NULL.
 
-     kkrrbb55__ddiiggeesstt__ffrreeee() free the structure _d_i_g_e_s_t.
+     krb5_digest_free() free the structure digest.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), kerberos(8)
 
 HEIMDAL                        February 18, 2007                       HEIMDAL
diff --git a/lib/krb5/krb5_eai_to_heim_errno.cat3 b/lib/krb5/krb5_eai_to_heim_errno.cat3
index a71698b49fe6..721914050761 100644
--- a/lib/krb5/krb5_eai_to_heim_errno.cat3
+++ b/lib/krb5/krb5_eai_to_heim_errno.cat3
@@ -1,29 +1,28 @@
-
 KRB5_EAI_TO_HEIM_ERRN... BSD Library Functions Manual KRB5_EAI_TO_HEIM_ERRN...
 
-NNAAMMEE
-     kkrrbb55__eeaaii__ttoo__hheeiimm__eerrrrnnoo, kkrrbb55__hh__eerrrrnnoo__ttoo__hheeiimm__eerrrrnnoo -- convert resolver
+NAME
+     krb5_eai_to_heim_errno, krb5_h_errno_to_heim_errno -- convert resolver
      error code to com_err error codes
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eeaaii__ttoo__hheeiimm__eerrrrnnoo(_i_n_t _e_a_i___e_r_r_n_o, _i_n_t _s_y_s_t_e_m___e_r_r_o_r);
+     krb5_error_code
+     krb5_eai_to_heim_errno(int eai_errno, int system_error);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__hh__eerrrrnnoo__ttoo__hheeiimm__eerrrrnnoo(_i_n_t _e_a_i___e_r_r_n_o);
+     krb5_error_code
+     krb5_h_errno_to_heim_errno(int eai_errno);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__eeaaii__ttoo__hheeiimm__eerrrrnnoo() and kkrrbb55__hh__eerrrrnnoo__ttoo__hheeiimm__eerrrrnnoo() convert
+DESCRIPTION
+     krb5_eai_to_heim_errno() and krb5_h_errno_to_heim_errno() convert
      getaddrinfo(3), getnameinfo(3), and h_errno(3) to com_err error code that
      are used by Heimdal, this is useful for for function returning kerberos
      errors and needs to communicate failures from resolver function.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), kerberos(8)
 
 HEIMDAL                         April 13, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_encrypt.cat3 b/lib/krb5/krb5_encrypt.cat3
index 052af50d99ad..dd0c0c04e002 100644
--- a/lib/krb5/krb5_encrypt.cat3
+++ b/lib/krb5/krb5_encrypt.cat3
@@ -1,138 +1,137 @@
-
 KRB5_ENCRYPT(3)          BSD Library Functions Manual          KRB5_ENCRYPT(3)
 
-NNAAMMEE
-     kkrrbb55__ccrryyppttoo__ggeettbblloocckkssiizzee, kkrrbb55__ccrryyppttoo__ggeettccoonnffoouunnddeerrssiizzee
-     kkrrbb55__ccrryyppttoo__ggeetteennccttyyppee, kkrrbb55__ccrryyppttoo__ggeettppaaddssiizzee, kkrrbb55__ccrryyppttoo__oovveerrhheeaadd,
-     kkrrbb55__ddeeccrryypptt, kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa, kkrrbb55__ddeeccrryypptt__iivveecc,
-     kkrrbb55__ddeeccrryypptt__ttiicckkeett, kkrrbb55__eennccrryypptt, kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa,
-     kkrrbb55__eennccrryypptt__iivveecc, kkrrbb55__eennccttyyppee__ddiissaabbllee, kkrrbb55__eennccttyyppee__kkeeyyssiizzee,
-     kkrrbb55__eennccttyyppee__ttoo__ssttrriinngg, kkrrbb55__eennccttyyppee__vvaalliidd, kkrrbb55__ggeett__wwrraappppeedd__lleennggtthh,
-     kkrrbb55__ssttrriinngg__ttoo__eennccttyyppee -- encrypt and decrypt data, set and get encryp-
+NAME
+     krb5_crypto_getblocksize, krb5_crypto_getconfoundersize
+     krb5_crypto_getenctype, krb5_crypto_getpadsize, krb5_crypto_overhead,
+     krb5_decrypt, krb5_decrypt_EncryptedData, krb5_decrypt_ivec,
+     krb5_decrypt_ticket, krb5_encrypt, krb5_encrypt_EncryptedData,
+     krb5_encrypt_ivec, krb5_enctype_disable, krb5_enctype_keysize,
+     krb5_enctype_to_string, krb5_enctype_valid, krb5_get_wrapped_length,
+     krb5_string_to_enctype -- encrypt and decrypt data, set and get encryp-
      tion type parameters
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eennccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, _u_n_s_i_g_n_e_d _u_s_a_g_e,
-         _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t);
+     krb5_error_code
+     krb5_encrypt(krb5_context context, krb5_crypto crypto, unsigned usage,
+         void *data, size_t len, krb5_data *result);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _u_n_s_i_g_n_e_d _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _i_n_t _k_v_n_o,
-         _E_n_c_r_y_p_t_e_d_D_a_t_a _*_r_e_s_u_l_t);
+     krb5_error_code
+     krb5_encrypt_EncryptedData(krb5_context context, krb5_crypto crypto,
+         unsigned usage, void *data, size_t len, int kvno,
+         EncryptedData *result);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eennccrryypptt__iivveecc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _u_n_s_i_g_n_e_d _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t,
-         _v_o_i_d _*_i_v_e_c);
+     krb5_error_code
+     krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto,
+         unsigned usage, void *data, size_t len, krb5_data *result,
+         void *ivec);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddeeccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, _u_n_s_i_g_n_e_d _u_s_a_g_e,
-         _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t);
+     krb5_error_code
+     krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage,
+         void *data, size_t len, krb5_data *result);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _u_n_s_i_g_n_e_d _u_s_a_g_e, _E_n_c_r_y_p_t_e_d_D_a_t_a _*_e, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t);
+     krb5_error_code
+     krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto,
+         unsigned usage, EncryptedData *e, krb5_data *result);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddeeccrryypptt__iivveecc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _u_n_s_i_g_n_e_d _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t,
-         _v_o_i_d _*_i_v_e_c);
+     krb5_error_code
+     krb5_decrypt_ivec(krb5_context context, krb5_crypto crypto,
+         unsigned usage, void *data, size_t len, krb5_data *result,
+         void *ivec);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ddeeccrryypptt__ttiicckkeett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _T_i_c_k_e_t _*_t_i_c_k_e_t,
-         _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y, _E_n_c_T_i_c_k_e_t_P_a_r_t _*_o_u_t, _k_r_b_5___f_l_a_g_s _f_l_a_g_s);
+     krb5_error_code
+     krb5_decrypt_ticket(krb5_context context, Ticket *ticket,
+         krb5_keyblock *key, EncTicketPart *out, krb5_flags flags);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccrryyppttoo__ggeettbblloocckkssiizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _s_i_z_e___t _*_b_l_o_c_k_s_i_z_e);
+     krb5_error_code
+     krb5_crypto_getblocksize(krb5_context context, size_t *blocksize);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccrryyppttoo__ggeetteennccttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _k_r_b_5___e_n_c_t_y_p_e _*_e_n_c_t_y_p_e);
+     krb5_error_code
+     krb5_crypto_getenctype(krb5_context context, krb5_crypto crypto,
+         krb5_enctype *enctype);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccrryyppttoo__ggeettppaaddssiizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _s_i_z_e___t, _*_p_a_d_s_i_z_e_");
+     krb5_error_code
+     krb5_crypto_getpadsize(krb5_context context, size_t, *padsize");
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccrryyppttoo__ggeettccoonnffoouunnddeerrssiizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _s_i_z_e___t, _*_c_o_n_f_o_u_n_d_e_r_s_i_z_e_");
+     krb5_error_code
+     krb5_crypto_getconfoundersize(krb5_context context, krb5_crypto crypto,
+         size_t, *confoundersize");
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eennccttyyppee__kkeeyyssiizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _t_y_p_e,
-         _s_i_z_e___t _*_k_e_y_s_i_z_e);
+     krb5_error_code
+     krb5_enctype_keysize(krb5_context context, krb5_enctype type,
+         size_t *keysize);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccrryyppttoo__oovveerrhheeaadd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _s_i_z_e___t, _*_p_a_d_s_i_z_e_");
+     krb5_error_code
+     krb5_crypto_overhead(krb5_context context, size_t, *padsize");
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__eennccttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_s_t_r_i_n_g,
-         _k_r_b_5___e_n_c_t_y_p_e _*_e_t_y_p_e);
+     krb5_error_code
+     krb5_string_to_enctype(krb5_context context, const char *string,
+         krb5_enctype *etype);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eennccttyyppee__ttoo__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_t_y_p_e,
-         _c_h_a_r _*_*_s_t_r_i_n_g);
+     krb5_error_code
+     krb5_enctype_to_string(krb5_context context, krb5_enctype etype,
+         char **string);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eennccttyyppee__vvaalliidd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_t_y_p_e);
+     krb5_error_code
+     krb5_enctype_valid(krb5_context context, krb5_enctype etype);
 
-     _v_o_i_d
-     kkrrbb55__eennccttyyppee__ddiissaabbllee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_t_y_p_e);
+     void
+     krb5_enctype_disable(krb5_context context, krb5_enctype etype);
 
-     _s_i_z_e___t
-     kkrrbb55__ggeett__wwrraappppeedd__lleennggtthh(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
-         _s_i_z_e___t _d_a_t_a___l_e_n);
+     size_t
+     krb5_get_wrapped_length(krb5_context context, krb5_crypto crypto,
+         size_t data_len);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      These functions are used to encrypt and decrypt data.
 
-     kkrrbb55__eennccrryypptt__iivveecc() puts the encrypted version of _d_a_t_a (of size _l_e_n) in
-     _r_e_s_u_l_t.  If the encryption type supports using derived keys, _u_s_a_g_e should
-     be the appropriate key-usage.  _i_v_e_c is a pointer to a initial IV, it is
+     krb5_encrypt_ivec() puts the encrypted version of data (of size len) in
+     result.  If the encryption type supports using derived keys, usage should
+     be the appropriate key-usage.  ivec is a pointer to a initial IV, it is
      modified to the end IV at the end of the round.  Ivec should be the size
-     of If NULL is passed in, the default IV is used.  kkrrbb55__eennccrryypptt() does the
-     same as kkrrbb55__eennccrryypptt__iivveecc() but with _i_v_e_c being NULL.
-     kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa() does the same as kkrrbb55__eennccrryypptt(), but it puts
-     the encrypted data in a _E_n_c_r_y_p_t_e_d_D_a_t_a structure instead. If _k_v_n_o is not
-     zero, it will be put in the (optional) _k_v_n_o field in the _E_n_c_r_y_p_t_e_d_D_a_t_a.
+     of If NULL is passed in, the default IV is used.  krb5_encrypt() does the
+     same as krb5_encrypt_ivec() but with ivec being NULL.
+     krb5_encrypt_EncryptedData() does the same as krb5_encrypt(), but it puts
+     the encrypted data in a EncryptedData structure instead. If kvno is not
+     zero, it will be put in the (optional) kvno field in the EncryptedData.
 
-     kkrrbb55__ddeeccrryypptt__iivveecc(), kkrrbb55__ddeeccrryypptt(), and kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa()
+     krb5_decrypt_ivec(), krb5_decrypt(), and krb5_decrypt_EncryptedData()
      works similarly.
 
-     kkrrbb55__ddeeccrryypptt__ttiicckkeett() decrypts the encrypted part of _t_i_c_k_e_t with _k_e_y.
-     kkrrbb55__ddeeccrryypptt__ttiicckkeett() also verifies the timestamp in the ticket, invalid
+     krb5_decrypt_ticket() decrypts the encrypted part of ticket with key.
+     krb5_decrypt_ticket() also verifies the timestamp in the ticket, invalid
      flag and if the KDC haven't verified the transited path, the transit
      path.
 
-     kkrrbb55__eennccttyyppee__kkeeyyssiizzee(), kkrrbb55__ccrryyppttoo__ggeettccoonnffoouunnddeerrssiizzee(),
-     kkrrbb55__ccrryyppttoo__ggeettbblloocckkssiizzee(), kkrrbb55__ccrryyppttoo__ggeetteennccttyyppee(),
-     kkrrbb55__ccrryyppttoo__ggeettppaaddssiizzee(), kkrrbb55__ccrryyppttoo__oovveerrhheeaadd() all returns various
+     krb5_enctype_keysize(), krb5_crypto_getconfoundersize(),
+     krb5_crypto_getblocksize(), krb5_crypto_getenctype(),
+     krb5_crypto_getpadsize(), krb5_crypto_overhead() all returns various
      (sometimes) useful information from a crypto context.
-     kkrrbb55__ccrryyppttoo__oovveerrhheeaadd() is the combination of krb5_crypto_getconfounder-
+     krb5_crypto_overhead() is the combination of krb5_crypto_getconfounder-
      size, krb5_crypto_getblocksize and krb5_crypto_getpadsize and return the
      maximum overhead size.
 
-     kkrrbb55__eennccttyyppee__ttoo__ssttrriinngg() converts a encryption type number to a string
+     krb5_enctype_to_string() converts a encryption type number to a string
      that can be printable and stored. The strings returned should be freed
      with free(3).
 
-     kkrrbb55__ssttrriinngg__ttoo__eennccttyyppee() converts a encryption type strings to a encryp-
+     krb5_string_to_enctype() converts a encryption type strings to a encryp-
      tion type number that can use used for other Kerberos crypto functions.
 
-     kkrrbb55__eennccttyyppee__vvaalliidd() returns 0 if the encrypt is supported and not dis-
+     krb5_enctype_valid() returns 0 if the encrypt is supported and not dis-
      abled, otherwise and error code is returned.
 
-     kkrrbb55__eennccttyyppee__ddiissaabbllee() (globally, for all contextes) disables the
-     _e_n_c_t_y_p_e.
+     krb5_enctype_disable() (globally, for all contextes) disables the
+     enctype.
 
-     kkrrbb55__ggeett__wwrraappppeedd__lleennggtthh() returns the size of an encrypted packet by
-     _c_r_y_p_t_o of length _d_a_t_a___l_e_n.
+     krb5_get_wrapped_length() returns the size of an encrypted packet by
+     crypto of length data_len.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_create_checksum(3), krb5_crypto_init(3)
 
 HEIMDAL                         March 20, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_find_padata.cat3 b/lib/krb5/krb5_find_padata.cat3
index 9d8c8393fb61..2b7f5f288d54 100644
--- a/lib/krb5/krb5_find_padata.cat3
+++ b/lib/krb5/krb5_find_padata.cat3
@@ -1,33 +1,32 @@
-
 KRB5_FIND_PADATA(3)      BSD Library Functions Manual      KRB5_FIND_PADATA(3)
 
-NNAAMMEE
-     kkrrbb55__ffiinndd__ppaaddaattaa, kkrrbb55__ppaaddaattaa__aadddd -- Kerberos 5 pre-authentication data
+NAME
+     krb5_find_padata, krb5_padata_add -- Kerberos 5 pre-authentication data
      handling functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _P_A___D_A_T_A _*
-     kkrrbb55__ffiinndd__ppaaddaattaa(_P_A___D_A_T_A _*_v_a_l, _u_n_s_i_g_n_e_d _l_e_n, _i_n_t _t_y_p_e, _i_n_t _*_i_n_d_e_x);
+     PA_DATA *
+     krb5_find_padata(PA_DATA *val, unsigned len, int type, int *index);
 
-     _i_n_t
-     kkrrbb55__ppaaddaattaa__aadddd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _M_E_T_H_O_D___D_A_T_A _*_m_d, _i_n_t _t_y_p_e,
-         _v_o_i_d _*_b_u_f, _s_i_z_e___t _l_e_n);
+     int
+     krb5_padata_add(krb5_context context, METHOD_DATA *md, int type,
+         void *buf, size_t len);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ffiinndd__ppaaddaattaa() tries to find the pre-authentication data entry of
-     type _t_y_p_e in the array _v_a_l of length _l_e_n.  The search is started at entry
-     pointed out by _*_i_n_d_e_x (zero based indexing).  If the type isn't found,
+DESCRIPTION
+     krb5_find_padata() tries to find the pre-authentication data entry of
+     type type in the array val of length len.  The search is started at entry
+     pointed out by *index (zero based indexing).  If the type isn't found,
      NULL is returned.
 
-     kkrrbb55__ppaaddaattaa__aadddd() adds a pre-authentication data entry of type _t_y_p_e
-     pointed out by _b_u_f and _l_e_n to _m_d.
+     krb5_padata_add() adds a pre-authentication data entry of type type
+     pointed out by buf and len to md.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), kerberos(8)
 
 HEIMDAL                         March 21, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_generate_random_block.cat3 b/lib/krb5/krb5_generate_random_block.cat3
index 10c33b359dcc..ca4848d1d654 100644
--- a/lib/krb5/krb5_generate_random_block.cat3
+++ b/lib/krb5/krb5_generate_random_block.cat3
@@ -1,23 +1,22 @@
-
 KRB5_GENERATE_RANDOM_... BSD Library Functions Manual KRB5_GENERATE_RANDOM_...
 
-NNAAMMEE
-     kkrrbb55__ggeenneerraattee__rraannddoomm__bblloocckk -- Kerberos 5 random functions
+NAME
+     krb5_generate_random_block -- Kerberos 5 random functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _v_o_i_d
-     kkrrbb55__ggeenneerraattee__rraannddoomm__bblloocckk(_v_o_i_d _*_b_u_f, _s_i_z_e___t _l_e_n);
+     void
+     krb5_generate_random_block(void *buf, size_t len);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ggeenneerraattee__rraannddoomm__bblloocckk() generates a cryptographically strong pseudo-
-     random block into the buffer _b_u_f of length _l_e_n.
+DESCRIPTION
+     krb5_generate_random_block() generates a cryptographically strong pseudo-
+     random block into the buffer buf of length len.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5.conf(5)
 
 HEIMDAL                         March 21, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_get_all_client_addrs.cat3 b/lib/krb5/krb5_get_all_client_addrs.cat3
index ba33859fa4bb..8538a6d6c619 100644
--- a/lib/krb5/krb5_get_all_client_addrs.cat3
+++ b/lib/krb5/krb5_get_all_client_addrs.cat3
@@ -1,24 +1,23 @@
-
 KRB5_GET_ADDRS(3)        BSD Library Functions Manual        KRB5_GET_ADDRS(3)
 
-NNAAMMEE
-     kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss, kkrrbb55__ggeett__aallll__sseerrvveerr__aaddddrrss -- return local
-     addresses
+NAME
+     krb5_get_all_client_addrs, krb5_get_all_server_addrs -- return local ad-
+     dresses
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s);
+     krb5_error_code
+     krb5_get_all_client_addrs(krb5_context context, krb5_addresses *addrs);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__aallll__sseerrvveerr__aaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s);
+     krb5_error_code
+     krb5_get_all_server_addrs(krb5_context context, krb5_addresses *addrs);
 
-DDEESSCCRRIIPPTTIIOONN
-     These functions return in _a_d_d_r_s a list of addresses associated with the
+DESCRIPTION
+     These functions return in addrs a list of addresses associated with the
      local host.
 
      The server variant returns all configured interface addresses (if possi-
@@ -26,14 +25,14 @@ DDEESSCCRRIIPPTTIIOONN
      sockets to listen to.
 
      The client version will also scan local interfaces (can be turned off by
-     setting libdefaults/scan_interfaces to false in _k_r_b_5_._c_o_n_f), but will not
+     setting libdefaults/scan_interfaces to false in krb5.conf), but will not
      include loop-back addresses, unless there are no other addresses found.
      It will remove all addresses included in libdefaults/ignore_addresses but
      will unconditionally include addresses in libdefaults/extra_addresses.
 
-     The returned addresses should be freed by calling kkrrbb55__ffrreeee__aaddddrreesssseess().
+     The returned addresses should be freed by calling krb5_free_addresses().
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_free_addresses(3)
 
 HEIMDAL                          July 1, 2001                          HEIMDAL
diff --git a/lib/krb5/krb5_get_credentials.cat3 b/lib/krb5/krb5_get_credentials.cat3
index 57ad184a7c06..595484d72397 100644
--- a/lib/krb5/krb5_get_credentials.cat3
+++ b/lib/krb5/krb5_get_credentials.cat3
@@ -1,70 +1,69 @@
-
 KRB5_GET_CREDENTIALS(3)  BSD Library Functions Manual  KRB5_GET_CREDENTIALS(3)
 
-NNAAMMEE
-     kkrrbb55__ggeett__ccrreeddeennttiiaallss, kkrrbb55__ggeett__ccrreeddeennttiiaallss__wwiitthh__ffllaaggss, kkrrbb55__ggeett__kkddcc__ccrreedd,
-     kkrrbb55__ggeett__rreenneewweedd__ccrreeddss -- get credentials from the KDC using krbtgt
+NAME
+     krb5_get_credentials, krb5_get_credentials_with_flags, krb5_get_kdc_cred,
+     krb5_get_renewed_creds -- get credentials from the KDC using krbtgt
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ccrreeddeennttiiaallss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _k_r_b_5___c_r_e_d_s _*_i_n___c_r_e_d_s, _k_r_b_5___c_r_e_d_s _*_*_o_u_t___c_r_e_d_s);
+     krb5_error_code
+     krb5_get_credentials(krb5_context context, krb5_flags options,
+         krb5_ccache ccache, krb5_creds *in_creds, krb5_creds **out_creds);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ccrreeddeennttiiaallss__wwiitthh__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s,
-         _k_r_b_5___k_d_c___f_l_a_g_s _f_l_a_g_s, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _k_r_b_5___c_r_e_d_s _*_i_n___c_r_e_d_s,
-         _k_r_b_5___c_r_e_d_s _*_*_o_u_t___c_r_e_d_s);
+     krb5_error_code
+     krb5_get_credentials_with_flags(krb5_context context, krb5_flags options,
+         krb5_kdc_flags flags, krb5_ccache ccache, krb5_creds *in_creds,
+         krb5_creds **out_creds);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__kkddcc__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d,
-         _k_r_b_5___k_d_c___f_l_a_g_s _f_l_a_g_s, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s,
-         _T_i_c_k_e_t _*_s_e_c_o_n_d___t_i_c_k_e_t, _k_r_b_5___c_r_e_d_s _*_i_n___c_r_e_d_s, _k_r_b_5___c_r_e_d_s _*_*_o_u_t___c_r_e_d_s);
+     krb5_error_code
+     krb5_get_kdc_cred(krb5_context context, krb5_ccache id,
+         krb5_kdc_flags flags, krb5_addresses *addresses,
+         Ticket *second_ticket, krb5_creds *in_creds, krb5_creds **out_creds);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__rreenneewweedd__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _c_l_i_e_n_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e,
-         _c_o_n_s_t _c_h_a_r _*_i_n___t_k_t___s_e_r_v_i_c_e);
+     krb5_error_code
+     krb5_get_renewed_creds(krb5_context context, krb5_creds *creds,
+         krb5_const_principal client, krb5_ccache ccache,
+         const char *in_tkt_service);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ggeett__ccrreeddeennttiiaallss__wwiitthh__ffllaaggss() get credentials specified by
-     _i_n___c_r_e_d_s_-_>_s_e_r_v_e_r and _i_n___c_r_e_d_s_-_>_c_l_i_e_n_t (the rest of the _i_n___c_r_e_d_s structure
-     is ignored) by first looking in the _c_c_a_c_h_e and if doesn't exists or is
-     expired, fetch the credential from the KDC using the krbtgt in _c_c_a_c_h_e.
-     The credential is returned in _o_u_t___c_r_e_d_s and should be freed using the
-     function kkrrbb55__ffrreeee__ccrreeddss().
+DESCRIPTION
+     krb5_get_credentials_with_flags() get credentials specified by
+     in_creds->server and in_creds->client (the rest of the in_creds structure
+     is ignored) by first looking in the ccache and if doesn't exists or is
+     expired, fetch the credential from the KDC using the krbtgt in ccache.
+     The credential is returned in out_creds and should be freed using the
+     function krb5_free_creds().
 
-     Valid flags to pass into _o_p_t_i_o_n_s argument are:
+     Valid flags to pass into options argument are:
 
-     KRB5_GC_CACHED      Only check the _c_c_a_c_h_e, don't got out on network to
+     KRB5_GC_CACHED      Only check the ccache, don't got out on network to
                          fetch credential.
      KRB5_GC_USER_USER   Request a user to user ticket.  This option doesn't
                          store the resulting user to user credential in the
-                         _c_c_a_c_h_e.
+                         ccache.
      KRB5_GC_EXPIRED_OK  returns the credential even if it is expired, default
                          behavior is trying to refetch the credential from the
                          KDC.
 
-     _F_l_a_g_s are KDCOptions, note the caller must fill in the bit-field and not
+     Flags are KDCOptions, note the caller must fill in the bit-field and not
      use the integer associated structure.
 
-     kkrrbb55__ggeett__ccrreeddeennttiiaallss() works the same way as
-     kkrrbb55__ggeett__ccrreeddeennttiiaallss__wwiitthh__ffllaaggss() except that the _f_l_a_g_s field is missing.
+     krb5_get_credentials() works the same way as
+     krb5_get_credentials_with_flags() except that the flags field is missing.
 
-     kkrrbb55__ggeett__kkddcc__ccrreedd() does the same as the functions above, but the caller
+     krb5_get_kdc_cred() does the same as the functions above, but the caller
      must fill in all the information andits closer to the wire protocol.
 
-     kkrrbb55__ggeett__rreenneewweedd__ccrreeddss() renews a credential given by _i_n___t_k_t___s_e_r_v_i_c_e (if
-     NULL the default krbtgt) using the credential cache _c_c_a_c_h_e.  The result
-     is stored in _c_r_e_d_s and should be freed using _k_r_b_5___f_r_e_e___c_r_e_d_s.
+     krb5_get_renewed_creds() renews a credential given by in_tkt_service (if
+     NULL the default krbtgt) using the credential cache ccache.  The result
+     is stored in creds and should be freed using krb5_free_creds.
 
-EEXXAAMMPPLLEESS
+EXAMPLES
      Here is a example function that get a credential from a credential cache
-     _i_d or the KDC and returns it to the caller.
+     id or the KDC and returns it to the caller.
 
      #include <krb5.h>
 
@@ -91,7 +90,7 @@ EEXXAAMMPPLLEESS
          return 0;
      }
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_get_forwarded_creds(3), krb5.conf(5)
 
 HEIMDAL                          July 26, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_get_creds.cat3 b/lib/krb5/krb5_get_creds.cat3
index 7e9f2683a556..88f4aa2d16ca 100644
--- a/lib/krb5/krb5_get_creds.cat3
+++ b/lib/krb5/krb5_get_creds.cat3
@@ -1,93 +1,92 @@
-
 KRB5_GET_CREDS(3)        BSD Library Functions Manual        KRB5_GET_CREDS(3)
 
-NNAAMMEE
-     kkrrbb55__ggeett__ccrreeddss, kkrrbb55__ggeett__ccrreeddss__oopptt__aadddd__ooppttiioonnss, kkrrbb55__ggeett__ccrreeddss__oopptt__aalllloocc,
-     kkrrbb55__ggeett__ccrreeddss__oopptt__ffrreeee, kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__eennccttyyppee,
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__iimmppeerrssoonnaattee, kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__ooppttiioonnss,
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__ttiicckkeett -- get credentials from the KDC
+NAME
+     krb5_get_creds, krb5_get_creds_opt_add_options, krb5_get_creds_opt_alloc,
+     krb5_get_creds_opt_free, krb5_get_creds_opt_set_enctype,
+     krb5_get_creds_opt_set_impersonate, krb5_get_creds_opt_set_options,
+     krb5_get_creds_opt_set_ticket -- get credentials from the KDC
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _o_p_t,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _i_n_p_r_i_n_c,
-         _k_r_b_5___c_r_e_d_s _*_*_o_u_t___c_r_e_d_s);
+     krb5_error_code
+     krb5_get_creds(krb5_context context, krb5_get_creds_opt opt,
+         krb5_ccache ccache, krb5_const_principal inprinc,
+         krb5_creds **out_creds);
 
-     _v_o_i_d
-     kkrrbb55__ggeett__ccrreeddss__oopptt__aadddd__ooppttiioonnss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _o_p_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s);
+     void
+     krb5_get_creds_opt_add_options(krb5_context context,
+         krb5_get_creds_opt opt, krb5_flags options);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ccrreeddss__oopptt__aalllloocc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _*_o_p_t);
+     krb5_error_code
+     krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt);
 
-     _v_o_i_d
-     kkrrbb55__ggeett__ccrreeddss__oopptt__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _o_p_t);
+     void
+     krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt);
 
-     _v_o_i_d
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__eennccttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _o_p_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e);
+     void
+     krb5_get_creds_opt_set_enctype(krb5_context context,
+         krb5_get_creds_opt opt, krb5_enctype enctype);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__iimmppeerrssoonnaattee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _o_p_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _s_e_l_f);
+     krb5_error_code
+     krb5_get_creds_opt_set_impersonate(krb5_context context,
+         krb5_get_creds_opt opt, krb5_const_principal self);
 
-     _v_o_i_d
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__ooppttiioonnss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _o_p_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s);
+     void
+     krb5_get_creds_opt_set_options(krb5_context context,
+         krb5_get_creds_opt opt, krb5_flags options);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__ttiicckkeett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___c_r_e_d_s___o_p_t _o_p_t, _c_o_n_s_t _T_i_c_k_e_t _*_t_i_c_k_e_t);
+     krb5_error_code
+     krb5_get_creds_opt_set_ticket(krb5_context context,
+         krb5_get_creds_opt opt, const Ticket *ticket);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ggeett__ccrreeddss() fetches credentials specified by _o_p_t by first looking in
-     the _c_c_a_c_h_e, and then it doesn't exists, fetch the credential from the KDC
-     using the krbtgts in _c_c_a_c_h_e.  The credential is returned in _o_u_t___c_r_e_d_s and
-     should be freed using the function kkrrbb55__ffrreeee__ccrreeddss().
+DESCRIPTION
+     krb5_get_creds() fetches credentials specified by opt by first looking in
+     the ccache, and then it doesn't exists, fetch the credential from the KDC
+     using the krbtgts in ccache.  The credential is returned in out_creds and
+     should be freed using the function krb5_free_creds().
 
      The structure krb5_get_creds_opt controls the behavior of
-     kkrrbb55__ggeett__ccrreeddss().  The structure is opaque to consumers that can set the
+     krb5_get_creds().  The structure is opaque to consumers that can set the
      content of the structure with accessors functions. All accessor functions
      make copies of the data that is passed into accessor functions, so exter-
-     nal consumers free the memory before calling kkrrbb55__ggeett__ccrreeddss().
+     nal consumers free the memory before calling krb5_get_creds().
 
      The structure krb5_get_creds_opt is allocated with
-     kkrrbb55__ggeett__ccrreeddss__oopptt__aalllloocc() and freed with kkrrbb55__ggeett__ccrreeddss__oopptt__ffrreeee().  The
+     krb5_get_creds_opt_alloc() and freed with krb5_get_creds_opt_free().  The
      free function also frees the content of the structure set by the accessor
      functions.
 
-     kkrrbb55__ggeett__ccrreeddss__oopptt__aadddd__ooppttiioonnss() and kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__ooppttiioonnss()
+     krb5_get_creds_opt_add_options() and krb5_get_creds_opt_set_options()
      adds and sets options to the krb5_get_creds_opt structure .  The possible
      options to set are
-     KRB5_GC_CACHED     Only check the _c_c_a_c_h_e, don't got out on network to
+     KRB5_GC_CACHED     Only check the ccache, don't got out on network to
                         fetch credential.
      KRB5_GC_USER_USER  request a user to user ticket.  This options doesn't
                         store the resulting user to user credential in the
-                        _c_c_a_c_h_e.
+                        ccache.
      KRB5_GC_EXPIRED_OK
                         returns the credential even if it is expired, default
                         behavior is trying to refetch the credential from the
                         KDC.
-     KRB5_GC_NO_STORE   Do not store the resulting credentials in the _c_c_a_c_h_e.
+     KRB5_GC_NO_STORE   Do not store the resulting credentials in the ccache.
 
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__eennccttyyppee() sets the preferred encryption type of
+     krb5_get_creds_opt_set_enctype() sets the preferred encryption type of
      the application. Don't set this unless you have to since if there is no
      match in the KDC, the function call will fail.
 
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__iimmppeerrssoonnaattee() sets the principal to impersonate.,
+     krb5_get_creds_opt_set_impersonate() sets the principal to impersonate.,
      Returns a ticket that have the impersonation principal as a client and
      the requestor as the service. Note that the requested principal have to
      be the same as the client principal in the krbtgt.
 
-     kkrrbb55__ggeett__ccrreeddss__oopptt__sseett__ttiicckkeett() sets the extra ticket used in user-to-
+     krb5_get_creds_opt_set_ticket() sets the extra ticket used in user-to-
      user or contrained delegation use case.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_get_credentials(3), krb5.conf(5)
 
 HEIMDAL                          June 15, 2006                         HEIMDAL
diff --git a/lib/krb5/krb5_get_forwarded_creds.cat3 b/lib/krb5/krb5_get_forwarded_creds.cat3
index 659006d77042..0cf9282437a7 100644
--- a/lib/krb5/krb5_get_forwarded_creds.cat3
+++ b/lib/krb5/krb5_get_forwarded_creds.cat3
@@ -1,33 +1,32 @@
-
 KRB5_GET_FORWARDED_CR... BSD Library Functions Manual KRB5_GET_FORWARDED_CR...
 
-NNAAMMEE
-     kkrrbb55__ggeett__ffoorrwwaarrddeedd__ccrreeddss, kkrrbb55__ffwwdd__ttggtt__ccrreeddss -- get forwarded credentials
+NAME
+     krb5_get_forwarded_creds, krb5_fwd_tgt_creds -- get forwarded credentials
      from the KDC
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ffoorrwwaarrddeedd__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _k_r_b_5___f_l_a_g_s _f_l_a_g_s,
-         _c_o_n_s_t _c_h_a_r _*_h_o_s_t_n_a_m_e, _k_r_b_5___c_r_e_d_s _*_i_n___c_r_e_d_s, _k_r_b_5___d_a_t_a _*_o_u_t___d_a_t_a);
+     krb5_error_code
+     krb5_get_forwarded_creds(krb5_context context,
+         krb5_auth_context auth_context, krb5_ccache ccache, krb5_flags flags,
+         const char *hostname, krb5_creds *in_creds, krb5_data *out_data);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffwwdd__ttggtt__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t,
-         _c_o_n_s_t _c_h_a_r _*_h_o_s_t_n_a_m_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _c_l_i_e_n_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _s_e_r_v_e_r,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _i_n_t _f_o_r_w_a_r_d_a_b_l_e, _k_r_b_5___d_a_t_a _*_o_u_t___d_a_t_a);
+     krb5_error_code
+     krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
+         const char *hostname, krb5_principal client, krb5_principal server,
+         krb5_ccache ccache, int forwardable, krb5_data *out_data);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ggeett__ffoorrwwaarrddeedd__ccrreeddss() and kkrrbb55__ffwwdd__ttggtt__ccrreeddss() get tickets forwarded
-     to _h_o_s_t_n_a_m_e_. If the tickets that are forwarded are address-less, the for-
-     warded tickets will also be address-less, otherwise _h_o_s_t_n_a_m_e will be used
+DESCRIPTION
+     krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() get tickets forwarded
+     to hostname. If the tickets that are forwarded are address-less, the for-
+     warded tickets will also be address-less, otherwise hostname will be used
      for figure out the address to forward the ticket too.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_get_credentials(3), krb5.conf(5)
 
 HEIMDAL                          July 26, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_get_in_cred.cat3 b/lib/krb5/krb5_get_in_cred.cat3
index 6506c18f46fe..e0f0fcea0c93 100644
--- a/lib/krb5/krb5_get_in_cred.cat3
+++ b/lib/krb5/krb5_get_in_cred.cat3
@@ -1,64 +1,63 @@
-
 KRB5_GET_IN_TKT(3)       BSD Library Functions Manual       KRB5_GET_IN_TKT(3)
 
-NNAAMMEE
-     kkrrbb55__ggeett__iinn__ttkktt, kkrrbb55__ggeett__iinn__ccrreedd, kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__ppaasssswwoorrdd,
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__kkeeyyttaabb, kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__sskkeeyy,
-     kkrrbb55__ffrreeee__kkddcc__rreepp, kkrrbb55__ppaasssswwoorrdd__kkeeyy__pprroocc -- deprecated initial authenti-
+NAME
+     krb5_get_in_tkt, krb5_get_in_cred, krb5_get_in_tkt_with_password,
+     krb5_get_in_tkt_with_keytab, krb5_get_in_tkt_with_skey,
+     krb5_free_kdc_rep, krb5_password_key_proc -- deprecated initial authenti-
      cation functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinn__ttkktt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s,
-         _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s, _c_o_n_s_t _k_r_b_5___e_n_c_t_y_p_e _*_e_t_y_p_e_s,
-         _c_o_n_s_t _k_r_b_5___p_r_e_a_u_t_h_t_y_p_e _*_p_t_y_p_e_s, _k_r_b_5___k_e_y___p_r_o_c _k_e_y___p_r_o_c,
-         _k_r_b_5___c_o_n_s_t___p_o_i_n_t_e_r _k_e_y_s_e_e_d, _k_r_b_5___d_e_c_r_y_p_t___p_r_o_c _d_e_c_r_y_p_t___p_r_o_c,
-         _k_r_b_5___c_o_n_s_t___p_o_i_n_t_e_r _d_e_c_r_y_p_t_a_r_g, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e,
-         _k_r_b_5___k_d_c___r_e_p _*_r_e_t___a_s___r_e_p_l_y);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinn__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s,
-         _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s, _c_o_n_s_t _k_r_b_5___e_n_c_t_y_p_e _*_e_t_y_p_e_s,
-         _c_o_n_s_t _k_r_b_5___p_r_e_a_u_t_h_t_y_p_e _*_p_t_y_p_e_s, _c_o_n_s_t _k_r_b_5___p_r_e_a_u_t_h_d_a_t_a _*_p_r_e_a_u_t_h,
-         _k_r_b_5___k_e_y___p_r_o_c _k_e_y___p_r_o_c, _k_r_b_5___c_o_n_s_t___p_o_i_n_t_e_r _k_e_y_s_e_e_d,
-         _k_r_b_5___d_e_c_r_y_p_t___p_r_o_c _d_e_c_r_y_p_t___p_r_o_c, _k_r_b_5___c_o_n_s_t___p_o_i_n_t_e_r _d_e_c_r_y_p_t_a_r_g,
-         _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, _k_r_b_5___k_d_c___r_e_p _*_r_e_t___a_s___r_e_p_l_y);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s, _c_o_n_s_t _k_r_b_5___e_n_c_t_y_p_e _*_e_t_y_p_e_s,
-         _c_o_n_s_t _k_r_b_5___p_r_e_a_u_t_h_t_y_p_e _*_p_r_e___a_u_t_h___t_y_p_e_s, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, _k_r_b_5___k_d_c___r_e_p _*_r_e_t___a_s___r_e_p_l_y);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__kkeeyyttaabb(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s, _c_o_n_s_t _k_r_b_5___e_n_c_t_y_p_e _*_e_t_y_p_e_s,
-         _c_o_n_s_t _k_r_b_5___p_r_e_a_u_t_h_t_y_p_e _*_p_r_e___a_u_t_h___t_y_p_e_s, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, _k_r_b_5___k_d_c___r_e_p _*_r_e_t___a_s___r_e_p_l_y);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__sskkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___f_l_a_g_s _o_p_t_i_o_n_s,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s, _c_o_n_s_t _k_r_b_5___e_n_c_t_y_p_e _*_e_t_y_p_e_s,
-         _c_o_n_s_t _k_r_b_5___p_r_e_a_u_t_h_t_y_p_e _*_p_r_e___a_u_t_h___t_y_p_e_s, _c_o_n_s_t _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, _k_r_b_5___k_d_c___r_e_p _*_r_e_t___a_s___r_e_p_l_y);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffrreeee__kkddcc__rreepp(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_d_c___r_e_p _*_r_e_p);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ppaasssswwoorrdd__kkeeyy__pprroocc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _t_y_p_e,
-         _k_r_b_5___s_a_l_t _s_a_l_t, _k_r_b_5___c_o_n_s_t___p_o_i_n_t_e_r _k_e_y_s_e_e_d, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y);
-
-DDEESSCCRRIIPPTTIIOONN
-     _A_l_l _t_h_e _f_u_n_c_t_i_o_n_s _i_n _t_h_i_s _m_a_n_u_a_l _p_a_g_e _a_r_e _d_e_p_r_e_c_a_t_e_d _i_n _t_h_e _M_I_T _i_m_p_l_e_m_e_n_-
-     _t_a_t_i_o_n_, _a_n_d _w_i_l_l _s_o_o_n _b_e _d_e_p_r_e_c_a_t_e_d _i_n _H_e_i_m_d_a_l _t_o_o_, _d_o_n_'_t _u_s_e _t_h_e_m_.
-
-     Getting initial credential ticket for a principal.  kkrrbb55__ggeett__iinn__ccrreedd is
+SYNOPSIS
+     #include <krb5.h>
+
+     krb5_error_code
+     krb5_get_in_tkt(krb5_context context, krb5_flags options,
+         const krb5_addresses *addrs, const krb5_enctype *etypes,
+         const krb5_preauthtype *ptypes, krb5_key_proc key_proc,
+         krb5_const_pointer keyseed, krb5_decrypt_proc decrypt_proc,
+         krb5_const_pointer decryptarg, krb5_creds *creds, krb5_ccache ccache,
+         krb5_kdc_rep *ret_as_reply);
+
+     krb5_error_code
+     krb5_get_in_cred(krb5_context context, krb5_flags options,
+         const krb5_addresses *addrs, const krb5_enctype *etypes,
+         const krb5_preauthtype *ptypes, const krb5_preauthdata *preauth,
+         krb5_key_proc key_proc, krb5_const_pointer keyseed,
+         krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg,
+         krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
+
+     krb5_error_code
+     krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
+         krb5_addresses *addrs, const krb5_enctype *etypes,
+         const krb5_preauthtype *pre_auth_types, const char *password,
+         krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
+
+     krb5_error_code
+     krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
+         krb5_addresses *addrs, const krb5_enctype *etypes,
+         const krb5_preauthtype *pre_auth_types, krb5_keytab keytab,
+         krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
+
+     krb5_error_code
+     krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
+         krb5_addresses *addrs, const krb5_enctype *etypes,
+         const krb5_preauthtype *pre_auth_types, const krb5_keyblock *key,
+         krb5_ccache ccache, krb5_creds *creds, krb5_kdc_rep *ret_as_reply);
+
+     krb5_error_code
+     krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep);
+
+     krb5_error_code
+     krb5_password_key_proc(krb5_context context, krb5_enctype type,
+         krb5_salt salt, krb5_const_pointer keyseed, krb5_keyblock **key);
+
+DESCRIPTION
+     All the functions in this manual page are deprecated in the MIT implemen-
+     tation, and will soon be deprecated in Heimdal too, don't use them.
+
+     Getting initial credential ticket for a principal.  krb5_get_in_cred is
      the function all other krb5_get_in function uses to fetch tickets.  The
      other krb5_get_in function are more specialized and therefor somewhat
      easier to use.
@@ -66,67 +65,67 @@ DDEESSCCRRIIPPTTIIOONN
      If your need is only to verify a user and password, consider using
      krb5_verify_user(3) instead, it have a much simpler interface.
 
-     kkrrbb55__ggeett__iinn__ttkktt and kkrrbb55__ggeett__iinn__ccrreedd fetches initial credential, queries
-     after key using the _k_e_y___p_r_o_c argument.  The differences between the two
-     function is that kkrrbb55__ggeett__iinn__ttkktt stores the credential in a krb5_creds
-     while kkrrbb55__ggeett__iinn__ccrreedd stores the credential in a krb5_ccache.
+     krb5_get_in_tkt and krb5_get_in_cred fetches initial credential, queries
+     after key using the key_proc argument.  The differences between the two
+     function is that krb5_get_in_tkt stores the credential in a krb5_creds
+     while krb5_get_in_cred stores the credential in a krb5_ccache.
 
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__ppaasssswwoorrdd, kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__kkeeyyttaabb, and
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__sskkeeyy does the same work as kkrrbb55__ggeett__iinn__ccrreedd but are
+     krb5_get_in_tkt_with_password, krb5_get_in_tkt_with_keytab, and
+     krb5_get_in_tkt_with_skey does the same work as krb5_get_in_cred but are
      more specialized.
 
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__ppaasssswwoorrdd uses the clients password to authenticate.
+     krb5_get_in_tkt_with_password uses the clients password to authenticate.
      If the password argument is NULL the user user queried with the default
      password query function.
 
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__kkeeyyttaabb searches the given keytab for a service entry
+     krb5_get_in_tkt_with_keytab searches the given keytab for a service entry
      for the client principal.  If the keytab is NULL the default keytab is
      used.
 
-     kkrrbb55__ggeett__iinn__ttkktt__wwiitthh__sskkeeyy uses a key to get the initial credential.
+     krb5_get_in_tkt_with_skey uses a key to get the initial credential.
 
      There are some common arguments to the krb5_get_in functions, these are:
 
-     _o_p_t_i_o_n_s are the KDC_OPT flags.
+     options are the KDC_OPT flags.
 
-     _e_t_y_p_e_s is a NULL terminated array of encryption types that the client
-     approves.
+     etypes is a NULL terminated array of encryption types that the client ap-
+     proves.
 
-     _a_d_d_r_s a list of the addresses that the initial ticket.  If it is NULL the
+     addrs a list of the addresses that the initial ticket.  If it is NULL the
      list will be generated by the library.
 
-     _p_r_e___a_u_t_h___t_y_p_e_s a NULL terminated array of pre-authentication types.  If
-     _p_r_e___a_u_t_h___t_y_p_e_s is NULL the function will try without pre-authentication
+     pre_auth_types a NULL terminated array of pre-authentication types.  If
+     pre_auth_types is NULL the function will try without pre-authentication
      and return those pre-authentication that the KDC returned.
 
-     _r_e_t___a_s___r_e_p_l_y will (if not NULL) be filled in with the response of the KDC
-     and should be free with kkrrbb55__ffrreeee__kkddcc__rreepp().
+     ret_as_reply will (if not NULL) be filled in with the response of the KDC
+     and should be free with krb5_free_kdc_rep().
 
-     _k_e_y___p_r_o_c is a pointer to a function that should return a key salted
-     appropriately.  Using NULL will use the default password query function.
+     key_proc is a pointer to a function that should return a key salted ap-
+     propriately.  Using NULL will use the default password query function.
 
-     _d_e_c_r_y_p_t___p_r_o_c Using NULL will use the default decryption function.
+     decrypt_proc Using NULL will use the default decryption function.
 
-     _d_e_c_r_y_p_t_a_r_g will be passed to the decryption function _d_e_c_r_y_p_t___p_r_o_c.
+     decryptarg will be passed to the decryption function decrypt_proc.
 
-     _c_r_e_d_s creds should be filled in with the template for a credential that
+     creds creds should be filled in with the template for a credential that
      should be requested.  The client and server elements of the creds struc-
      ture must be filled in.  Upon return of the function it will be contain
-     the content of the requested credential (_k_r_b_5___g_e_t___i_n___c_r_e_d), or it will be
+     the content of the requested credential (krb5_get_in_cred), or it will be
      freed with krb5_free_creds(3) (all the other krb5_get_in functions).
 
-     _c_c_a_c_h_e will store the credential in the credential cache _c_c_a_c_h_e.  The
+     ccache will store the credential in the credential cache ccache.  The
      credential cache will not be initialized, thats up the the caller.
 
-     kkrrbb55__ppaasssswwoorrdd__kkeeyy__pprroocc is a library function that is suitable using as
-     the _k_r_b_5___k_e_y___p_r_o_c argument to kkrrbb55__ggeett__iinn__ccrreedd or kkrrbb55__ggeett__iinn__ttkktt.
-     _k_e_y_s_e_e_d should be a pointer to a NUL terminated string or NULL.
-     kkrrbb55__ppaasssswwoorrdd__kkeeyy__pprroocc will query the user for the pass on the console if
-     the password isn't given as the argument _k_e_y_s_e_e_d.
+     krb5_password_key_proc is a library function that is suitable using as
+     the krb5_key_proc argument to krb5_get_in_cred or krb5_get_in_tkt.
+     keyseed should be a pointer to a NUL terminated string or NULL.
+     krb5_password_key_proc will query the user for the pass on the console if
+     the password isn't given as the argument keyseed.
 
-     kkrrbb55__ffrreeee__kkddcc__rreepp() frees the content of _r_e_p.
+     krb5_free_kdc_rep() frees the content of rep.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)
 
 HEIMDAL                          May 31, 2003                          HEIMDAL
diff --git a/lib/krb5/krb5_get_init_creds.cat3 b/lib/krb5/krb5_get_init_creds.cat3
index 52b3468a1852..c92749926ded 100644
--- a/lib/krb5/krb5_get_init_creds.cat3
+++ b/lib/krb5/krb5_get_init_creds.cat3
@@ -1,161 +1,160 @@
-
 KRB5_GET_INIT_CREDS(3)   BSD Library Functions Manual   KRB5_GET_INIT_CREDS(3)
 
-NNAAMMEE
-     kkrrbb55__ggeett__iinniitt__ccrreeddss, kkrrbb55__ggeett__iinniitt__ccrreeddss__kkeeyyttaabb, kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__aalllloocc, kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__ffrreeee,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__iinniitt, kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aaddddrreessss__lliisstt,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aaddddrreesssslleessss,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aannoonnyymmoouuss,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ddeeffaauulltt__ffllaaggss,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__eettyyppee__lliisstt,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ffoorrwwaarrddaabbllee,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ppaa__ppaasssswwoorrdd,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ppaaqq__rreeqquueesstt,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__pprreeaauutthh__lliisstt,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__pprrooxxiiaabbllee,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__rreenneeww__lliiffee, kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ssaalltt,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ttkktt__lliiffee,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ccaannoonniiccaalliizzee,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__wwiinn22kk, kkrrbb55__ggeett__iinniitt__ccrreeddss__ppaasssswwoorrdd,
-     kkrrbb55__pprroommpptt, kkrrbb55__pprroommpptteerr__ppoossiixx -- Kerberos 5 initial authentication
+NAME
+     krb5_get_init_creds, krb5_get_init_creds_keytab, krb5_get_init_creds_opt,
+     krb5_get_init_creds_opt_alloc, krb5_get_init_creds_opt_free,
+     krb5_get_init_creds_opt_init, krb5_get_init_creds_opt_set_address_list,
+     krb5_get_init_creds_opt_set_addressless,
+     krb5_get_init_creds_opt_set_anonymous,
+     krb5_get_init_creds_opt_set_default_flags,
+     krb5_get_init_creds_opt_set_etype_list,
+     krb5_get_init_creds_opt_set_forwardable,
+     krb5_get_init_creds_opt_set_pa_password,
+     krb5_get_init_creds_opt_set_paq_request,
+     krb5_get_init_creds_opt_set_preauth_list,
+     krb5_get_init_creds_opt_set_proxiable,
+     krb5_get_init_creds_opt_set_renew_life, krb5_get_init_creds_opt_set_salt,
+     krb5_get_init_creds_opt_set_tkt_life,
+     krb5_get_init_creds_opt_set_canonicalize,
+     krb5_get_init_creds_opt_set_win2k, krb5_get_init_creds_password,
+     krb5_prompt, krb5_prompter_posix -- Kerberos 5 initial authentication
      functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
-
-     _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t_;
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__aalllloocc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_*_o_p_t);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__iinniitt(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aaddddrreessss__lliisstt(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aaddddrreesssslleessss(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _k_r_b_5___b_o_o_l_e_a_n _a_d_d_r_e_s_s_l_e_s_s);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aannoonnyymmoouuss(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _i_n_t _a_n_o_n_y_m_o_u_s);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__cchhaannggee__ppaasssswwoorrdd__pprroommpptt(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _i_n_t _c_h_a_n_g_e___p_a_s_s_w_o_r_d___p_r_o_m_p_t);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ddeeffaauulltt__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__eettyyppee__lliisstt(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _k_r_b_5___e_n_c_t_y_p_e _*_e_t_y_p_e___l_i_s_t, _i_n_t _e_t_y_p_e___l_i_s_t___l_e_n_g_t_h);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ffoorrwwaarrddaabbllee(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _i_n_t _f_o_r_w_a_r_d_a_b_l_e);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ppaa__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d,
-         _k_r_b_5___s_2_k___p_r_o_c _k_e_y___p_r_o_c);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ppaaqq__rreeqquueesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t, _k_r_b_5___b_o_o_l_e_a_n _r_e_q___p_a_c);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ppkkiinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t, _c_o_n_s_t _c_h_a_r _*_c_e_r_t___f_i_l_e,
-         _c_o_n_s_t _c_h_a_r _*_k_e_y___f_i_l_e, _c_o_n_s_t _c_h_a_r _*_x_5_0_9___a_n_c_h_o_r_s, _i_n_t _f_l_a_g_s,
-         _c_h_a_r _*_p_a_s_s_w_o_r_d);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__pprreeaauutthh__lliisstt(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _k_r_b_5___p_r_e_a_u_t_h_t_y_p_e _*_p_r_e_a_u_t_h___l_i_s_t, _i_n_t _p_r_e_a_u_t_h___l_i_s_t___l_e_n_g_t_h);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__pprrooxxiiaabbllee(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _i_n_t _p_r_o_x_i_a_b_l_e);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__rreenneeww__lliiffee(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _k_r_b_5___d_e_l_t_a_t _r_e_n_e_w___l_i_f_e);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ssaalltt(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _k_r_b_5___d_a_t_a _*_s_a_l_t);
-
-     _v_o_i_d
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ttkktt__lliiffee(_k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t,
-         _k_r_b_5___d_e_l_t_a_t _t_k_t___l_i_f_e);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ccaannoonniiccaalliizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t, _k_r_b_5___b_o_o_l_e_a_n _r_e_q);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__wwiinn22kk(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t, _k_r_b_5___b_o_o_l_e_a_n _r_e_q);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _c_l_i_e_n_t, _k_r_b_5___p_r_o_m_p_t_e_r___f_c_t _p_r_o_m_p_t_e_r,
-         _v_o_i_d _*_p_r_o_m_p_t_e_r___d_a_t_a, _k_r_b_5___d_e_l_t_a_t _s_t_a_r_t___t_i_m_e,
-         _c_o_n_s_t _c_h_a_r _*_i_n___t_k_t___s_e_r_v_i_c_e, _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t_i_o_n_s);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _c_l_i_e_n_t, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d,
-         _k_r_b_5___p_r_o_m_p_t_e_r___f_c_t _p_r_o_m_p_t_e_r, _v_o_i_d _*_p_r_o_m_p_t_e_r___d_a_t_a,
-         _k_r_b_5___d_e_l_t_a_t _s_t_a_r_t___t_i_m_e, _c_o_n_s_t _c_h_a_r _*_i_n___t_k_t___s_e_r_v_i_c_e,
-         _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_i_n___o_p_t_i_o_n_s);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__kkeeyyttaabb(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _c_l_i_e_n_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b, _k_r_b_5___d_e_l_t_a_t _s_t_a_r_t___t_i_m_e,
-         _c_o_n_s_t _c_h_a_r _*_i_n___t_k_t___s_e_r_v_i_c_e, _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t_i_o_n_s);
-
-     _i_n_t
-     kkrrbb55__pprroommpptteerr__ppoossiixx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _v_o_i_d _*_d_a_t_a, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
-         _c_o_n_s_t _c_h_a_r _*_b_a_n_n_e_r, _i_n_t _n_u_m___p_r_o_m_p_t_s, _k_r_b_5___p_r_o_m_p_t _p_r_o_m_p_t_s_[_]);
-
-DDEESSCCRRIIPPTTIIOONN
+SYNOPSIS
+     #include <krb5.h>
+
+     krb5_get_init_creds_opt;
+
+     krb5_error_code
+     krb5_get_init_creds_opt_alloc(krb5_context context,
+         krb5_get_init_creds_opt **opt);
+
+     void
+     krb5_get_init_creds_opt_free(krb5_context context,
+         krb5_get_init_creds_opt *opt);
+
+     void
+     krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
+
+     void
+     krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
+         krb5_addresses *addresses);
+
+     void
+     krb5_get_init_creds_opt_set_addressless(krb5_get_init_creds_opt *opt,
+         krb5_boolean addressless);
+
+     void
+     krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
+         int anonymous);
+
+     void
+     krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
+         int change_password_prompt);
+
+     void
+     krb5_get_init_creds_opt_set_default_flags(krb5_context context,
+         const char *appname, krb5_const_realm realm,
+         krb5_get_init_creds_opt *opt);
+
+     void
+     krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
+         krb5_enctype *etype_list, int etype_list_length);
+
+     void
+     krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
+         int forwardable);
+
+     krb5_error_code
+     krb5_get_init_creds_opt_set_pa_password(krb5_context context,
+         krb5_get_init_creds_opt *opt, const char *password,
+         krb5_s2k_proc key_proc);
+
+     krb5_error_code
+     krb5_get_init_creds_opt_set_paq_request(krb5_context context,
+         krb5_get_init_creds_opt *opt, krb5_boolean req_pac);
+
+     krb5_error_code
+     krb5_get_init_creds_opt_set_pkinit(krb5_context context,
+         krb5_get_init_creds_opt *opt, const char *cert_file,
+         const char *key_file, const char *x509_anchors, int flags,
+         char *password);
+
+     void
+     krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
+         krb5_preauthtype *preauth_list, int preauth_list_length);
+
+     void
+     krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
+         int proxiable);
+
+     void
+     krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
+         krb5_deltat renew_life);
+
+     void
+     krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
+         krb5_data *salt);
+
+     void
+     krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
+         krb5_deltat tkt_life);
+
+     krb5_error_code
+     krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
+         krb5_get_init_creds_opt *opt, krb5_boolean req);
+
+     krb5_error_code
+     krb5_get_init_creds_opt_set_win2k(krb5_context context,
+         krb5_get_init_creds_opt *opt, krb5_boolean req);
+
+     krb5_error_code
+     krb5_get_init_creds(krb5_context context, krb5_creds *creds,
+         krb5_principal client, krb5_prompter_fct prompter,
+         void *prompter_data, krb5_deltat start_time,
+         const char *in_tkt_service, krb5_get_init_creds_opt *options);
+
+     krb5_error_code
+     krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
+         krb5_principal client, const char *password,
+         krb5_prompter_fct prompter, void *prompter_data,
+         krb5_deltat start_time, const char *in_tkt_service,
+         krb5_get_init_creds_opt *in_options);
+
+     krb5_error_code
+     krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
+         krb5_principal client, krb5_keytab keytab, krb5_deltat start_time,
+         const char *in_tkt_service, krb5_get_init_creds_opt *options);
+
+     int
+     krb5_prompter_posix(krb5_context context, void *data, const char *name,
+         const char *banner, int num_prompts, krb5_prompt prompts[]);
+
+DESCRIPTION
      Getting initial credential ticket for a principal.  That may include
      changing an expired password, and doing preauthentication.  This inter-
-     face that replaces the deprecated _k_r_b_5___i_n___t_k_t and _k_r_b_5___i_n___c_r_e_d functions.
+     face that replaces the deprecated krb5_in_tkt and krb5_in_cred functions.
 
      If you only want to verify a username and password, consider using
      krb5_verify_user(3) instead, since it also verifies that initial creden-
      tials with using a keytab to make sure the response was from the KDC.
 
      First a krb5_get_init_creds_opt structure is initialized with
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__aalllloocc() or kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__iinniitt().
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__aalllloocc() allocates a extendible structures that
-     needs to be freed with kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__ffrreeee().  The structure may
-     be modified by any of the kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett() functions to
+     krb5_get_init_creds_opt_alloc() or krb5_get_init_creds_opt_init().
+     krb5_get_init_creds_opt_alloc() allocates a extendible structures that
+     needs to be freed with krb5_get_init_creds_opt_free().  The structure may
+     be modified by any of the krb5_get_init_creds_opt_set() functions to
      change request parameters and authentication information.
 
-     If the caller want to use the default options, NULL can be passed
-     instead.
+     If the caller want to use the default options, NULL can be passed in-
+     stead.
 
      The the actual request to the KDC is done by any of the
-     kkrrbb55__ggeett__iinniitt__ccrreeddss(), kkrrbb55__ggeett__iinniitt__ccrreeddss__ppaasssswwoorrdd(), or
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__kkeeyyttaabb() functions.  kkrrbb55__ggeett__iinniitt__ccrreeddss() is the
+     krb5_get_init_creds(), krb5_get_init_creds_password(), or
+     krb5_get_init_creds_keytab() functions.  krb5_get_init_creds() is the
      least specialized function and can, with the right in data, behave like
      the latter two.  The latter two are there for compatibility with older
      releases and they are slightly easier to use.
@@ -169,10 +168,10 @@ DDEESSCCRRIIPPTTIIOONN
          krb5_prompt_type type
      } krb5_prompt;
 
-     _p_r_o_m_p_t is the prompt that should shown to the user If _h_i_d_d_e_n is set, the
-     prompter function shouldn't echo the output to the display device.  _r_e_p_l_y
+     prompt is the prompt that should shown to the user If hidden is set, the
+     prompter function shouldn't echo the output to the display device.  reply
      must be preallocated; it will not be allocated by the prompter function.
-     Possible values for the _t_y_p_e element are:
+     Possible values for the type element are:
 
            KRB5_PROMPT_TYPE_PASSWORD
            KRB5_PROMPT_TYPE_NEW_PASSWORD
@@ -180,16 +179,16 @@ DDEESSCCRRIIPPTTIIOONN
            KRB5_PROMPT_TYPE_PREAUTH
            KRB5_PROMPT_TYPE_INFO
 
-     kkrrbb55__pprroommpptteerr__ppoossiixx() is the default prompter function in a POSIX envi-
-     ronment.  It matches the _k_r_b_5___p_r_o_m_p_t_e_r___f_c_t and can be used in the
-     _k_r_b_5___g_e_t___i_n_i_t___c_r_e_d_s functions.  kkrrbb55__pprroommpptteerr__ppoossiixx() doesn't require
-     _p_r_o_m_p_t_e_r___d_a_t_a_.
+     krb5_prompter_posix() is the default prompter function in a POSIX envi-
+     ronment.  It matches the krb5_prompter_fct and can be used in the
+     krb5_get_init_creds functions.  krb5_prompter_posix() doesn't require
+     prompter_data.
 
-     If the _s_t_a_r_t___t_i_m_e is zero, then the requested ticket will be valid begin-
-     ning immediately.  Otherwise, the _s_t_a_r_t___t_i_m_e indicates how far in the
-     future the ticket should be postdated.
+     If the start_time is zero, then the requested ticket will be valid begin-
+     ning immediately.  Otherwise, the start_time indicates how far in the fu-
+     ture the ticket should be postdated.
 
-     If the _i_n___t_k_t___s_e_r_v_i_c_e name is non-NULL, that principal name will be used
+     If the in_tkt_service name is non-NULL, that principal name will be used
      as the server name for the initial ticket request.  The realm of the name
      specified will be ignored and will be set to the realm of the client
      name.  If no in_tkt_service name is specified, krbtgt/CLIENT-
@@ -198,52 +197,52 @@ DDEESSCCRRIIPPTTIIOONN
      For the rest of arguments, a configuration or library default will be
      used if no value is specified in the options structure.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aaddddrreessss__lliisstt() sets the list of _a_d_d_r_e_s_s_e_s
+     krb5_get_init_creds_opt_set_address_list() sets the list of addresses
      that is should be stored in the ticket.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aaddddrreesssslleessss() controls if the ticket is
-     requested with addresses or not,
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aaddddrreessss__lliisstt() overrides this option.
+     krb5_get_init_creds_opt_set_addressless() controls if the ticket is re-
+     quested with addresses or not, krb5_get_init_creds_opt_set_address_list()
+     overrides this option.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__aannoonnyymmoouuss() make the request anonymous if the
-     _a_n_o_n_y_m_o_u_s parameter is non-zero.
+     krb5_get_init_creds_opt_set_anonymous() make the request anonymous if the
+     anonymous parameter is non-zero.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ddeeffaauulltt__ffllaaggss() sets the default flags using
+     krb5_get_init_creds_opt_set_default_flags() sets the default flags using
      the configuration file.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__eettyyppee__lliisstt() set a list of enctypes that the
+     krb5_get_init_creds_opt_set_etype_list() set a list of enctypes that the
      client is willing to support in the request.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ffoorrwwaarrddaabbllee() request a forwardable ticket.
+     krb5_get_init_creds_opt_set_forwardable() request a forwardable ticket.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ppaa__ppaasssswwoorrdd() set the _p_a_s_s_w_o_r_d and _k_e_y___p_r_o_c
-     that is going to be used to get a new ticket.  _p_a_s_s_w_o_r_d or _k_e_y___p_r_o_c can
-     be NULL if the caller wants to use the default values.  If the _p_a_s_s_w_o_r_d
+     krb5_get_init_creds_opt_set_pa_password() set the password and key_proc
+     that is going to be used to get a new ticket.  password or key_proc can
+     be NULL if the caller wants to use the default values.  If the password
      is unset and needed, the user will be prompted for it.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ppaaqq__rreeqquueesstt() sets the password that is going
+     krb5_get_init_creds_opt_set_paq_request() sets the password that is going
      to be used to get a new ticket.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__pprreeaauutthh__lliisstt() sets the list of client-sup-
+     krb5_get_init_creds_opt_set_preauth_list() sets the list of client-sup-
      ported preauth types.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__pprrooxxiiaabbllee() makes the request proxiable.
+     krb5_get_init_creds_opt_set_proxiable() makes the request proxiable.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__rreenneeww__lliiffee() sets the requested renewable
+     krb5_get_init_creds_opt_set_renew_life() sets the requested renewable
      lifetime.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ssaalltt() sets the salt that is going to be used
+     krb5_get_init_creds_opt_set_salt() sets the salt that is going to be used
      in the request.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ttkktt__lliiffee() sets requested ticket lifetime.
+     krb5_get_init_creds_opt_set_tkt_life() sets requested ticket lifetime.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__ccaannoonniiccaalliizzee() requests that the KDC canoni-
+     krb5_get_init_creds_opt_set_canonicalize() requests that the KDC canoni-
      calize the client principal if possible.
 
-     kkrrbb55__ggeett__iinniitt__ccrreeddss__oopptt__sseett__wwiinn22kk() turns on compatibility with Windows
+     krb5_get_init_creds_opt_set_win2k() turns on compatibility with Windows
      2000.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_creds(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)
 
 HEIMDAL                          Sep 16, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_get_krbhst.cat3 b/lib/krb5/krb5_get_krbhst.cat3
index bb538993f476..27d544807e73 100644
--- a/lib/krb5/krb5_get_krbhst.cat3
+++ b/lib/krb5/krb5_get_krbhst.cat3
@@ -1,48 +1,47 @@
-
 KRB5_GET_KRBHST(3)       BSD Library Functions Manual       KRB5_GET_KRBHST(3)
 
-NNAAMMEE
-     kkrrbb55__ggeett__kkrrbbhhsstt, kkrrbb55__ggeett__kkrrbb__aaddmmiinn__hhsstt, kkrrbb55__ggeett__kkrrbb__cchhaannggeeppww__hhsstt,
-     kkrrbb55__ggeett__kkrrbb552244hhsstt, kkrrbb55__ffrreeee__kkrrbbhhsstt -- lookup Kerberos KDC hosts
+NAME
+     krb5_get_krbhst, krb5_get_krb_admin_hst, krb5_get_krb_changepw_hst,
+     krb5_get_krb524hst, krb5_free_krbhst -- lookup Kerberos KDC hosts
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__kkrrbbhhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
-         _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t);
+     krb5_error_code
+     krb5_get_krbhst(krb5_context context, const krb5_realm *realm,
+         char ***hostlist);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__kkrrbb__aaddmmiinn__hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
-         _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t);
+     krb5_error_code
+     krb5_get_krb_admin_hst(krb5_context context, const krb5_realm *realm,
+         char ***hostlist);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__kkrrbb__cchhaannggeeppww__hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
-         _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t);
+     krb5_error_code
+     krb5_get_krb_changepw_hst(krb5_context context, const krb5_realm *realm,
+         char ***hostlist);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__kkrrbb552244hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
-         _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t);
+     krb5_error_code
+     krb5_get_krb524hst(krb5_context context, const krb5_realm *realm,
+         char ***hostlist);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffrreeee__kkrrbbhhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_h_a_r _*_*_h_o_s_t_l_i_s_t);
+     krb5_error_code
+     krb5_free_krbhst(krb5_context context, char **hostlist);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      These functions implement the old API to get a list of Kerberos hosts,
-     and are thus similar to the kkrrbb55__kkrrbbhhsstt__iinniitt() functions. However, since
-     these functions returns _a_l_l hosts in one go, they potentially have to do
+     and are thus similar to the krb5_krbhst_init() functions. However, since
+     these functions returns all hosts in one go, they potentially have to do
      more lookups than necessary. These functions remain for compatibility
      reasons.
 
-     After a call to one of these functions, _h_o_s_t_l_i_s_t is a NULL terminated
+     After a call to one of these functions, hostlist is a NULL terminated
      list of strings, pointing to the requested Kerberos hosts. These should
-     be freed with kkrrbb55__ffrreeee__kkrrbbhhsstt() when done with.
+     be freed with krb5_free_krbhst() when done with.
 
-EEXXAAMMPPLLEESS
-     The following code will print the KDCs of the realm ``MY.REALM''.
+EXAMPLES
+     The following code will print the KDCs of the realm "MY.REALM".
 
            char **hosts, **p;
            krb5_get_krbhst(context, "MY.REALM", &hosts);
@@ -50,7 +49,7 @@ EEXXAAMMPPLLEESS
                printf("%s\n", *p);
            krb5_free_krbhst(context, hosts);
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_krbhst_init(3)
 
 HEIMDAL                         April 24, 2005                         HEIMDAL
diff --git a/lib/krb5/krb5_getportbyname.cat3 b/lib/krb5/krb5_getportbyname.cat3
index 80124f36cc00..106177186413 100644
--- a/lib/krb5/krb5_getportbyname.cat3
+++ b/lib/krb5/krb5_getportbyname.cat3
@@ -1,29 +1,28 @@
-
 NAME(3)                  BSD Library Functions Manual                  NAME(3)
 
-NNAAMMEE
-     kkrrbb55__ggeettppoorrttbbyynnaammee -- get port number by name
+NAME
+     krb5_getportbyname -- get port number by name
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _i_n_t
-     kkrrbb55__ggeettppoorrttbbyynnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e,
-         _c_o_n_s_t _c_h_a_r _*_p_r_o_t_o, _i_n_t _d_e_f_a_u_l_t___p_o_r_t);
+     int
+     krb5_getportbyname(krb5_context context, const char *service,
+         const char *proto, int default_port);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ggeettppoorrttbbyynnaammee() gets the port number for _s_e_r_v_i_c_e _/ _p_r_o_t_o pair from
+DESCRIPTION
+     krb5_getportbyname() gets the port number for service / proto pair from
      the global service table for and returns it in network order.  If it
-     isn't found in the global table, the _d_e_f_a_u_l_t___p_o_r_t (given in host order)
+     isn't found in the global table, the default_port (given in host order)
      is returned.
 
-EEXXAAMMPPLLEE
+EXAMPLE
      int port = krb5_getportbyname(context, "kerberos", "tcp", 88);
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3)
 
 HEIMDAL                         August 15, 2004                        HEIMDAL
diff --git a/lib/krb5/krb5_init_context.cat3 b/lib/krb5/krb5_init_context.cat3
index d5676b31422c..6bc70e974423 100644
--- a/lib/krb5/krb5_init_context.cat3
+++ b/lib/krb5/krb5_init_context.cat3
@@ -1,185 +1,184 @@
-
 KRB5_CONTEXT(3)          BSD Library Functions Manual          KRB5_CONTEXT(3)
 
-NNAAMMEE
-     kkrrbb55__aadddd__eett__lliisstt, kkrrbb55__aadddd__eexxttrraa__aaddddrreesssseess, kkrrbb55__aadddd__iiggnnoorree__aaddddrreesssseess,
-     kkrrbb55__ccoonntteexxtt, kkrrbb55__ffrreeee__ccoonnffiigg__ffiilleess, kkrrbb55__ffrreeee__ccoonntteexxtt,
-     kkrrbb55__ggeett__ddeeffaauulltt__ccoonnffiigg__ffiilleess, kkrrbb55__ggeett__ddnnss__ccaannoonniizzee__hhoossttnnaammee,
-     kkrrbb55__ggeett__eexxttrraa__aaddddrreesssseess, kkrrbb55__ggeett__ffccaacchhee__vveerrssiioonn,
-     kkrrbb55__ggeett__iiggnnoorree__aaddddrreesssseess, kkrrbb55__ggeett__kkddcc__sseecc__ooffffsseett,
-     kkrrbb55__ggeett__mmaaxx__ttiimmee__sskkeeww, kkrrbb55__ggeett__uussee__aaddmmiinn__kkddcc kkrrbb55__iinniitt__ccoonntteexxtt,
-     kkrrbb55__iinniitt__eettss, kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess,
-     kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess__ddeeffaauulltt, kkrrbb55__sseett__ccoonnffiigg__ffiilleess,
-     kkrrbb55__sseett__ddnnss__ccaannoonniizzee__hhoossttnnaammee, kkrrbb55__sseett__eexxttrraa__aaddddrreesssseess,
-     kkrrbb55__sseett__ffccaacchhee__vveerrssiioonn, kkrrbb55__sseett__iiggnnoorree__aaddddrreesssseess,
-     kkrrbb55__sseett__mmaaxx__ttiimmee__sskkeeww, kkrrbb55__sseett__uussee__aaddmmiinn__kkddcc, -- create, modify and
+NAME
+     krb5_add_et_list, krb5_add_extra_addresses, krb5_add_ignore_addresses,
+     krb5_context, krb5_free_config_files, krb5_free_context,
+     krb5_get_default_config_files, krb5_get_dns_canonize_hostname,
+     krb5_get_extra_addresses, krb5_get_fcache_version,
+     krb5_get_ignore_addresses, krb5_get_kdc_sec_offset,
+     krb5_get_max_time_skew, krb5_get_use_admin_kdc krb5_init_context,
+     krb5_init_ets, krb5_prepend_config_files,
+     krb5_prepend_config_files_default, krb5_set_config_files,
+     krb5_set_dns_canonize_hostname, krb5_set_extra_addresses,
+     krb5_set_fcache_version, krb5_set_ignore_addresses,
+     krb5_set_max_time_skew, krb5_set_use_admin_kdc, -- create, modify and
      delete krb5_context structures
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
      struct krb5_context;
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__iinniitt__ccoonntteexxtt(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t);
+     krb5_error_code
+     krb5_init_context(krb5_context *context);
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__ccoonntteexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t);
+     void
+     krb5_free_context(krb5_context context);
 
-     _v_o_i_d
-     kkrrbb55__iinniitt__eettss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t);
+     void
+     krb5_init_ets(krb5_context context);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aadddd__eett__lliisstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _v_o_i_d _(_*_f_u_n_c_)_(_s_t_r_u_c_t _e_t___l_i_s_t _*_*_));
+     krb5_error_code
+     krb5_add_et_list(krb5_context context, void (*func)(struct et_list **));
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aadddd__eexxttrraa__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s);
+     krb5_error_code
+     krb5_add_extra_addresses(krb5_context context,
+         krb5_addresses *addresses);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__eexxttrraa__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s);
+     krb5_error_code
+     krb5_set_extra_addresses(krb5_context context,
+         const krb5_addresses *addresses);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__eexxttrraa__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s);
+     krb5_error_code
+     krb5_get_extra_addresses(krb5_context context,
+         krb5_addresses *addresses);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aadddd__iiggnnoorree__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s);
+     krb5_error_code
+     krb5_add_ignore_addresses(krb5_context context,
+         krb5_addresses *addresses);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__iiggnnoorree__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s);
+     krb5_error_code
+     krb5_set_ignore_addresses(krb5_context context,
+         const krb5_addresses *addresses);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__iiggnnoorree__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s);
+     krb5_error_code
+     krb5_get_ignore_addresses(krb5_context context,
+         krb5_addresses *addresses);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__ffccaacchhee__vveerrssiioonn(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _v_e_r_s_i_o_n);
+     krb5_error_code
+     krb5_set_fcache_version(krb5_context context, int version);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ffccaacchhee__vveerrssiioonn(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _*_v_e_r_s_i_o_n);
+     krb5_error_code
+     krb5_get_fcache_version(krb5_context context, int *version);
 
-     _v_o_i_d
-     kkrrbb55__sseett__ddnnss__ccaannoonniizzee__hhoossttnnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___b_o_o_l_e_a_n _f_l_a_g);
+     void
+     krb5_set_dns_canonize_hostname(krb5_context context, krb5_boolean flag);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__ggeett__ddnnss__ccaannoonniizzee__hhoossttnnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t);
+     krb5_boolean
+     krb5_get_dns_canonize_hostname(krb5_context context);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__kkddcc__sseecc__ooffffsseett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t_3_2___t _*_s_e_c,
-         _i_n_t_3_2___t _*_u_s_e_c);
+     krb5_error_code
+     krb5_get_kdc_sec_offset(krb5_context context, int32_t *sec,
+         int32_t *usec);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__ccoonnffiigg__ffiilleess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_h_a_r _*_*_f_i_l_e_n_a_m_e_s);
+     krb5_error_code
+     krb5_set_config_files(krb5_context context, char **filenames);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess(_c_o_n_s_t _c_h_a_r _*_f_i_l_e_l_i_s_t, _c_h_a_r _*_*_p_q,
-         _c_h_a_r _*_*_*_r_e_t___p_p);
+     krb5_error_code
+     krb5_prepend_config_files(const char *filelist, char **pq,
+         char ***ret_pp);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess__ddeeffaauulltt(_c_o_n_s_t _c_h_a_r _*_f_i_l_e_l_i_s_t,
-         _c_h_a_r _*_*_*_p_f_i_l_e_n_a_m_e_s);
+     krb5_error_code
+     krb5_prepend_config_files_default(const char *filelist,
+         char ***pfilenames);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ddeeffaauulltt__ccoonnffiigg__ffiilleess(_c_h_a_r _*_*_*_p_f_i_l_e_n_a_m_e_s);
+     krb5_error_code
+     krb5_get_default_config_files(char ***pfilenames);
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__ccoonnffiigg__ffiilleess(_c_h_a_r _*_*_f_i_l_e_n_a_m_e_s);
+     void
+     krb5_free_config_files(char **filenames);
 
-     _v_o_i_d
-     kkrrbb55__sseett__uussee__aaddmmiinn__kkddcc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___b_o_o_l_e_a_n _f_l_a_g);
+     void
+     krb5_set_use_admin_kdc(krb5_context context, krb5_boolean flag);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__ggeett__uussee__aaddmmiinn__kkddcc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t);
+     krb5_boolean
+     krb5_get_use_admin_kdc(krb5_context context);
 
-     _t_i_m_e___t
-     kkrrbb55__ggeett__mmaaxx__ttiimmee__sskkeeww(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t);
+     time_t
+     krb5_get_max_time_skew(krb5_context context);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__mmaaxx__ttiimmee__sskkeeww(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _t_i_m_e___t _t_i_m_e);
+     krb5_error_code
+     krb5_set_max_time_skew(krb5_context context, time_t time);
 
-DDEESSCCRRIIPPTTIIOONN
-     The kkrrbb55__iinniitt__ccoonntteexxtt() function initializes the _c_o_n_t_e_x_t structure and
-     reads the configuration file _/_e_t_c_/_k_r_b_5_._c_o_n_f.
+DESCRIPTION
+     The krb5_init_context() function initializes the context structure and
+     reads the configuration file /etc/krb5.conf.
 
-     The structure should be freed by calling kkrrbb55__ffrreeee__ccoonntteexxtt() when it is
+     The structure should be freed by calling krb5_free_context() when it is
      no longer being used.
 
-     kkrrbb55__iinniitt__ccoonntteexxtt() returns 0 to indicate success.  Otherwise an errno
+     krb5_init_context() returns 0 to indicate success.  Otherwise an errno
      code is returned.  Failure means either that something bad happened dur-
      ing initialization (typically [ENOMEM]) or that Kerberos should not be
      used [ENXIO].
 
-     kkrrbb55__iinniitt__eettss() adds all com_err(3) libs to _c_o_n_t_e_x_t.  This is done by
-     kkrrbb55__iinniitt__ccoonntteexxtt().
+     krb5_init_ets() adds all com_err(3) libs to context.  This is done by
+     krb5_init_context().
 
-     kkrrbb55__aadddd__eett__lliisstt() adds a com_err(3) error-code handler _f_u_n_c to the spec-
-     ified _c_o_n_t_e_x_t.  The error handler must generated by the the re-rentrant
-     version of the compile_et(1) program.  kkrrbb55__aadddd__eexxttrraa__aaddddrreesssseess() add a
+     krb5_add_et_list() adds a com_err(3) error-code handler func to the spec-
+     ified context.  The error handler must generated by the the re-rentrant
+     version of the compile_et(1) program.  krb5_add_extra_addresses() add a
      list of addresses that should be added when requesting tickets.
 
-     kkrrbb55__aadddd__iiggnnoorree__aaddddrreesssseess() add a list of addresses that should be
-     ignored when requesting tickets.
+     krb5_add_ignore_addresses() add a list of addresses that should be ig-
+     nored when requesting tickets.
 
-     kkrrbb55__ggeett__eexxttrraa__aaddddrreesssseess() get the list of addresses that should be added
+     krb5_get_extra_addresses() get the list of addresses that should be added
      when requesting tickets.
 
-     kkrrbb55__ggeett__iiggnnoorree__aaddddrreesssseess() get the list of addresses that should be
-     ignored when requesting tickets.
+     krb5_get_ignore_addresses() get the list of addresses that should be ig-
+     nored when requesting tickets.
 
-     kkrrbb55__sseett__iiggnnoorree__aaddddrreesssseess() set the list of addresses that should be
-     ignored when requesting tickets.
+     krb5_set_ignore_addresses() set the list of addresses that should be ig-
+     nored when requesting tickets.
 
-     kkrrbb55__sseett__eexxttrraa__aaddddrreesssseess() set the list of addresses that should be added
+     krb5_set_extra_addresses() set the list of addresses that should be added
      when requesting tickets.
 
-     kkrrbb55__sseett__ffccaacchhee__vveerrssiioonn() sets the version of file credentials caches
+     krb5_set_fcache_version() sets the version of file credentials caches
      that should be used.
 
-     kkrrbb55__ggeett__ffccaacchhee__vveerrssiioonn() gets the version of file credentials caches
+     krb5_get_fcache_version() gets the version of file credentials caches
      that should be used.
 
-     kkrrbb55__sseett__ddnnss__ccaannoonniizzee__hhoossttnnaammee() sets if the context is configured to
+     krb5_set_dns_canonize_hostname() sets if the context is configured to
      canonicalize hostnames using DNS.
 
-     kkrrbb55__ggeett__ddnnss__ccaannoonniizzee__hhoossttnnaammee() returns if the context is configured to
+     krb5_get_dns_canonize_hostname() returns if the context is configured to
      canonicalize hostnames using DNS.
 
-     kkrrbb55__ggeett__kkddcc__sseecc__ooffffsseett() returns the offset between the localtime and
-     the KDC's time.  _s_e_c and _u_s_e_c are both optional argument and NULL can be
+     krb5_get_kdc_sec_offset() returns the offset between the localtime and
+     the KDC's time.  sec and usec are both optional argument and NULL can be
      passed in.
 
-     kkrrbb55__sseett__ccoonnffiigg__ffiilleess() set the list of configuration files to use and
+     krb5_set_config_files() set the list of configuration files to use and
      re-initialize the configuration from the files.
 
-     kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess() parse the _f_i_l_e_l_i_s_t and prepend the result to
-     the already existing list _p_q The result is returned in _r_e_t___p_p and should
-     be freed with kkrrbb55__ffrreeee__ccoonnffiigg__ffiilleess().
+     krb5_prepend_config_files() parse the filelist and prepend the result to
+     the already existing list pq The result is returned in ret_pp and should
+     be freed with krb5_free_config_files().
 
-     kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess__ddeeffaauulltt() parse the _f_i_l_e_l_i_s_t and append that to
+     krb5_prepend_config_files_default() parse the filelist and append that to
      the default list of configuration files.
 
-     kkrrbb55__ggeett__ddeeffaauulltt__ccoonnffiigg__ffiilleess() get a list of default configuration
+     krb5_get_default_config_files() get a list of default configuration
      files.
 
-     kkrrbb55__ffrreeee__ccoonnffiigg__ffiilleess() free a list of configuration files returned by
-     kkrrbb55__ggeett__ddeeffaauulltt__ccoonnffiigg__ffiilleess(), kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess__ddeeffaauulltt(), or
-     kkrrbb55__pprreeppeenndd__ccoonnffiigg__ffiilleess().
+     krb5_free_config_files() free a list of configuration files returned by
+     krb5_get_default_config_files(), krb5_prepend_config_files_default(), or
+     krb5_prepend_config_files().
 
-     kkrrbb55__sseett__uussee__aaddmmiinn__kkddcc() sets if all KDC requests should go admin KDC.
+     krb5_set_use_admin_kdc() sets if all KDC requests should go admin KDC.
 
-     kkrrbb55__ggeett__uussee__aaddmmiinn__kkddcc() gets if all KDC requests should go admin KDC.
+     krb5_get_use_admin_kdc() gets if all KDC requests should go admin KDC.
 
-     kkrrbb55__ggeett__mmaaxx__ttiimmee__sskkeeww() and kkrrbb55__sseett__mmaaxx__ttiimmee__sskkeeww() get and sets the
+     krb5_get_max_time_skew() and krb5_set_max_time_skew() get and sets the
      maximum allowed time skew between client and server.
 
-SSEEEE AALLSSOO
+SEE ALSO
      errno(2), krb5(3), krb5_config(3), krb5_context(3), kerberos(8)
 
 HEIMDAL                        December 8, 2004                        HEIMDAL
diff --git a/lib/krb5/krb5_is_thread_safe.cat3 b/lib/krb5/krb5_is_thread_safe.cat3
index 37383c8d35bf..bd9b37940c9f 100644
--- a/lib/krb5/krb5_is_thread_safe.cat3
+++ b/lib/krb5/krb5_is_thread_safe.cat3
@@ -1,26 +1,25 @@
-
 KRB5_IS_THREAD_SAFE(3)   BSD Library Functions Manual   KRB5_IS_THREAD_SAFE(3)
 
-NNAAMMEE
-     kkrrbb55__iiss__tthhrreeaadd__ssaaffee -- is the Kerberos library compiled with multithread
+NAME
+     krb5_is_thread_safe -- is the Kerberos library compiled with multithread
      support
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__iiss__tthhrreeaadd__ssaaffee(_v_o_i_d);
+     krb5_boolean
+     krb5_is_thread_safe(void);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__iiss__tthhrreeaadd__ssaaffee returns TRUE if the library was compiled with with
+DESCRIPTION
+     krb5_is_thread_safe returns TRUE if the library was compiled with with
      multithread support.  If the library isn't compiled, the consumer have to
      use a global lock to make sure Kerboros functions are not called at the
      same time by different threads.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_create_checksum(3), krb5_encrypt(3)
 
 HEIMDAL                           May 5, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_krbhst_init.cat3 b/lib/krb5/krb5_krbhst_init.cat3
index 22bf5b250778..44ddb4d2c8f2 100644
--- a/lib/krb5/krb5_krbhst_init.cat3
+++ b/lib/krb5/krb5_krbhst_init.cat3
@@ -1,77 +1,75 @@
-
 KRB5_KRBHST_INIT(3)      BSD Library Functions Manual      KRB5_KRBHST_INIT(3)
 
-NNAAMMEE
-     kkrrbb55__kkrrbbhhsstt__iinniitt, kkrrbb55__kkrrbbhhsstt__iinniitt__ffllaaggss, kkrrbb55__kkrrbbhhsstt__nneexxtt,
-     kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg, kkrrbb55__kkrrbbhhsstt__rreesseett, kkrrbb55__kkrrbbhhsstt__ffrreeee,
-     kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg, kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo -- lookup Kerberos
+NAME
+     krb5_krbhst_init, krb5_krbhst_init_flags, krb5_krbhst_next,
+     krb5_krbhst_next_as_string, krb5_krbhst_reset, krb5_krbhst_free,
+     krb5_krbhst_format_string, krb5_krbhst_get_addrinfo -- lookup Kerberos
      KDC hosts
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__kkrrbbhhsstt__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m,
-         _u_n_s_i_g_n_e_d _i_n_t _t_y_p_e, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _*_h_a_n_d_l_e);
+     krb5_error_code
+     krb5_krbhst_init(krb5_context context, const char *realm,
+         unsigned int type, krb5_krbhst_handle *handle);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__kkrrbbhhsstt__iinniitt__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m,
-         _u_n_s_i_g_n_e_d _i_n_t _t_y_p_e, _i_n_t _f_l_a_g_s, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _*_h_a_n_d_l_e);
+     krb5_error_code
+     krb5_krbhst_init_flags(krb5_context context, const char *realm,
+         unsigned int type, int flags, krb5_krbhst_handle *handle);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__kkrrbbhhsstt__nneexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e,
-         _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_*_h_o_s_t);
+     krb5_error_code
+     krb5_krbhst_next(krb5_context context, krb5_krbhst_handle handle,
+         krb5_krbhst_info **host);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e, _c_h_a_r _*_h_o_s_t_n_a_m_e, _s_i_z_e___t _h_o_s_t_l_e_n);
+     krb5_error_code
+     krb5_krbhst_next_as_string(krb5_context context,
+         krb5_krbhst_handle handle, char *hostname, size_t hostlen);
 
-     _v_o_i_d
-     kkrrbb55__kkrrbbhhsstt__rreesseett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e);
+     void
+     krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle);
 
-     _v_o_i_d
-     kkrrbb55__kkrrbbhhsstt__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e);
+     void
+     krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_h_o_s_t, _c_h_a_r _*_h_o_s_t_n_a_m_e, _s_i_z_e___t _h_o_s_t_l_e_n);
+     krb5_error_code
+     krb5_krbhst_format_string(krb5_context context,
+         const krb5_krbhst_info *host, char *hostname, size_t hostlen);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_h_o_s_t,
-         _s_t_r_u_c_t _a_d_d_r_i_n_f_o _*_*_a_i);
+     krb5_error_code
+     krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
+         struct addrinfo **ai);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      These functions are used to sequence through all Kerberos hosts of a par-
      ticular realm and service. The service type can be the KDCs, the adminis-
      trative servers, the password changing servers, or the servers for Ker-
      beros 4 ticket conversion.
 
      First a handle to a particular service is obtained by calling
-     kkrrbb55__kkrrbbhhsstt__iinniitt() (or kkrrbb55__kkrrbbhhsstt__iinniitt__ffllaaggss()) with the _r_e_a_l_m of inter-
-     est and the type of service to lookup. The _t_y_p_e can be one of:
+     krb5_krbhst_init() (or krb5_krbhst_init_flags()) with the realm of inter-
+     est and the type of service to lookup. The type can be one of:
 
            KRB5_KRBHST_KDC
            KRB5_KRBHST_ADMIN
            KRB5_KRBHST_CHANGEPW
            KRB5_KRBHST_KRB524
 
-     The _h_a_n_d_l_e is returned to the caller, and should be passed to the other
+     The handle is returned to the caller, and should be passed to the other
      functions.
 
-     The _f_l_a_g argument to kkrrbb55__kkrrbbhhsstt__iinniitt__ffllaaggss is the same flags as
-     kkrrbb55__sseenndd__ttoo__kkddcc__ffllaaggss() uses.  Possible values are:
+     The flag argument to krb5_krbhst_init_flags is the same flags as
+     krb5_send_to_kdc_flags() uses.  Possible values are:
 
            KRB5_KRBHST_FLAGS_MASTER     only talk to master (readwrite) KDC
            KRB5_KRBHST_FLAGS_LARGE_MSG  this is a large message, so use trans-
                                         port that can handle that.
 
-     For each call to kkrrbb55__kkrrbbhhsstt__nneexxtt() information on a new host is
-     returned. The former function returns in _h_o_s_t a pointer to a structure
-     containing information about the host, such as protocol, hostname, and
-     port:
+     For each call to krb5_krbhst_next() information on a new host is re-
+     turned. The former function returns in host a pointer to a structure con-
+     taining information about the host, such as protocol, hostname, and port:
 
            typedef struct krb5_krbhst_info {
                enum { KRB5_KRBHST_UDP,
@@ -83,24 +81,24 @@ DDEESSCCRRIIPPTTIIOONN
                char hostname[1];
            } krb5_krbhst_info;
 
-     The related function, kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg(), return the same
-     information as a URL-like string.
+     The related function, krb5_krbhst_next_as_string(), return the same in-
+     formation as a URL-like string.
 
      When there are no more hosts, these functions return KRB5_KDC_UNREACH.
 
-     To re-iterate over all hosts, call kkrrbb55__kkrrbbhhsstt__rreesseett() and the next call
-     to kkrrbb55__kkrrbbhhsstt__nneexxtt() will return the first host.
+     To re-iterate over all hosts, call krb5_krbhst_reset() and the next call
+     to krb5_krbhst_next() will return the first host.
 
-     When done with the handle, kkrrbb55__kkrrbbhhsstt__ffrreeee() should be called.
+     When done with the handle, krb5_krbhst_free() should be called.
 
-     To use a _k_r_b_5___k_r_b_h_s_t___i_n_f_o, there are two functions:
-     kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg() that will return a printable representation
-     of that struct and kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo() that will return a _s_t_r_u_c_t
-     _a_d_d_r_i_n_f_o that can then be used for communicating with the server men-
+     To use a krb5_krbhst_info, there are two functions:
+     krb5_krbhst_format_string() that will return a printable representation
+     of that struct and krb5_krbhst_get_addrinfo() that will return a struct
+     addrinfo that can then be used for communicating with the server men-
      tioned.
 
-EEXXAAMMPPLLEESS
-     The following code will print the KDCs of the realm ``MY.REALM'':
+EXAMPLES
+     The following code will print the KDCs of the realm "MY.REALM":
 
            krb5_krbhst_handle handle;
            char host[MAXHOSTNAMELEN];
@@ -110,10 +108,10 @@ EEXXAAMMPPLLEESS
                printf("%s\n", host);
            krb5_krbhst_free(context, handle);
 
-SSEEEE AALLSSOO
+SEE ALSO
      getaddrinfo(3), krb5_get_krbhst(3), krb5_send_to_kdc_flags(3)
 
-HHIISSTTOORRYY
+HISTORY
      These functions first appeared in Heimdal 0.3g.
 
 HEIMDAL                          May 10, 2005                          HEIMDAL
diff --git a/lib/krb5/krb5_mk_req.cat3 b/lib/krb5/krb5_mk_req.cat3
index 9d36e6a2bb82..266f1a052e9a 100644
--- a/lib/krb5/krb5_mk_req.cat3
+++ b/lib/krb5/krb5_mk_req.cat3
@@ -1,89 +1,88 @@
-
 KRB5_MK_REQ(3)           BSD Library Functions Manual           KRB5_MK_REQ(3)
 
-NNAAMMEE
-     kkrrbb55__mmkk__rreeqq, kkrrbb55__mmkk__rreeqq__eexxaacctt, kkrrbb55__mmkk__rreeqq__eexxtteennddeedd, kkrrbb55__rrdd__rreeqq,
-     kkrrbb55__rrdd__rreeqq__wwiitthh__kkeeyybblloocckk, kkrrbb55__mmkk__rreepp, kkrrbb55__mmkk__rreepp__eexxaacctt,
-     kkrrbb55__mmkk__rreepp__eexxtteennddeedd, kkrrbb55__rrdd__rreepp, kkrrbb55__bbuuiilldd__aapp__rreeqq, kkrrbb55__vveerriiffyy__aapp__rreeqq
+NAME
+     krb5_mk_req, krb5_mk_req_exact, krb5_mk_req_extended, krb5_rd_req,
+     krb5_rd_req_with_keyblock, krb5_mk_rep, krb5_mk_rep_exact,
+     krb5_mk_rep_extended, krb5_rd_rep, krb5_build_ap_req, krb5_verify_ap_req
      -- create and read application authentication request
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__mmkk__rreeqq(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___f_l_a_g_s _a_p___r_e_q___o_p_t_i_o_n_s, _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e,
-         _c_o_n_s_t _c_h_a_r _*_h_o_s_t_n_a_m_e, _k_r_b_5___d_a_t_a _*_i_n___d_a_t_a, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e,
-         _k_r_b_5___d_a_t_a _*_o_u_t_b_u_f);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__mmkk__rreeqq__eexxtteennddeedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___f_l_a_g_s _a_p___r_e_q___o_p_t_i_o_n_s,
-         _k_r_b_5___d_a_t_a _*_i_n___d_a_t_a, _k_r_b_5___c_r_e_d_s _*_i_n___c_r_e_d_s, _k_r_b_5___d_a_t_a _*_o_u_t_b_u_f);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrdd__rreeqq(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_n_b_u_f, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _s_e_r_v_e_r,
-         _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b, _k_r_b_5___f_l_a_g_s _*_a_p___r_e_q___o_p_t_i_o_n_s,
-         _k_r_b_5___t_i_c_k_e_t _*_*_t_i_c_k_e_t);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__bbuuiilldd__aapp__rreeqq(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _k_r_b_5___c_r_e_d_s _*_c_r_e_d, _k_r_b_5___f_l_a_g_s _a_p___o_p_t_i_o_n_s, _k_r_b_5___d_a_t_a _a_u_t_h_e_n_t_i_c_a_t_o_r,
-         _k_r_b_5___d_a_t_a _*_r_e_t_d_a_t_a);
-
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vveerriiffyy__aapp__rreeqq(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t,
-         _k_r_b_5___a_p___r_e_q _*_a_p___r_e_q, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _s_e_r_v_e_r,
-         _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y_b_l_o_c_k, _k_r_b_5___f_l_a_g_s _f_l_a_g_s,
-         _k_r_b_5___f_l_a_g_s _*_a_p___r_e_q___o_p_t_i_o_n_s, _k_r_b_5___t_i_c_k_e_t _*_*_t_i_c_k_e_t);
-
-DDEESSCCRRIIPPTTIIOONN
+SYNOPSIS
+     #include <krb5.h>
+
+     krb5_error_code
+     krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
+         const krb5_flags ap_req_options, const char *service,
+         const char *hostname, krb5_data *in_data, krb5_ccache ccache,
+         krb5_data *outbuf);
+
+     krb5_error_code
+     krb5_mk_req_extended(krb5_context context,
+         krb5_auth_context *auth_context, const krb5_flags ap_req_options,
+         krb5_data *in_data, krb5_creds *in_creds, krb5_data *outbuf);
+
+     krb5_error_code
+     krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
+         const krb5_data *inbuf, krb5_const_principal server,
+         krb5_keytab keytab, krb5_flags *ap_req_options,
+         krb5_ticket **ticket);
+
+     krb5_error_code
+     krb5_build_ap_req(krb5_context context, krb5_enctype enctype,
+         krb5_creds *cred, krb5_flags ap_options, krb5_data authenticator,
+         krb5_data *retdata);
+
+     krb5_error_code
+     krb5_verify_ap_req(krb5_context context, krb5_auth_context *auth_context,
+         krb5_ap_req *ap_req, krb5_const_principal server,
+         krb5_keyblock *keyblock, krb5_flags flags,
+         krb5_flags *ap_req_options, krb5_ticket **ticket);
+
+DESCRIPTION
      The functions documented in this manual page document the functions that
      facilitates the exchange between a Kerberos client and server.  They are
      the core functions used in the authentication exchange between the client
      and the server.
 
-     The kkrrbb55__mmkk__rreeqq and kkrrbb55__mmkk__rreeqq__eexxtteennddeedd creates the Kerberos message
+     The krb5_mk_req and krb5_mk_req_extended creates the Kerberos message
      KRB_AP_REQ that is sent from the client to the server as the first packet
      in a client/server exchange.  The result that should be sent to server is
-     stored in _o_u_t_b_u_f.
+     stored in outbuf.
 
-     _a_u_t_h___c_o_n_t_e_x_t should be allocated with kkrrbb55__aauutthh__ccoonn__iinniitt() or NULL passed
+     auth_context should be allocated with krb5_auth_con_init() or NULL passed
      in, in that case, it will be allocated and freed internally.
 
-     The input data _i_n___d_a_t_a will have a checksum calculated over it and check-
+     The input data in_data will have a checksum calculated over it and check-
      sum will be transported in the message to the server.
 
-     _a_p___r_e_q___o_p_t_i_o_n_s can be set to one or more of the following flags:
+     ap_req_options can be set to one or more of the following flags:
 
      AP_OPTS_USE_SESSION_KEY
              Use the session key when creating the request, used for user to
              user authentication.
 
      AP_OPTS_MUTUAL_REQUIRED
-             Mark the request as mutual authenticate required so that the
-             receiver returns a mutual authentication packet.
+             Mark the request as mutual authenticate required so that the re-
+             ceiver returns a mutual authentication packet.
 
-     The kkrrbb55__rrdd__rreeqq read the AP_REQ in _i_n_b_u_f and verify and extract the con-
-     tent.  If _s_e_r_v_e_r is specified, that server will be fetched from the
-     _k_e_y_t_a_b and used unconditionally.  If _s_e_r_v_e_r is NULL, the _k_e_y_t_a_b will be
+     The krb5_rd_req read the AP_REQ in inbuf and verify and extract the con-
+     tent.  If server is specified, that server will be fetched from the
+     keytab and used unconditionally.  If server is NULL, the keytab will be
      search for a matching principal.
 
-     The _k_e_y_t_a_b argument specifies what keytab to search for receiving princi-
-     pals.  The arguments _a_p___r_e_q___o_p_t_i_o_n_s and _t_i_c_k_e_t returns the content.
+     The keytab argument specifies what keytab to search for receiving princi-
+     pals.  The arguments ap_req_options and ticket returns the content.
 
-     When the AS-REQ is a user to user request, neither of _k_e_y_t_a_b or _p_r_i_n_c_i_p_a_l
-     are used, instead kkrrbb55__rrdd__rreeqq() expects the session key to be set in
-     _a_u_t_h___c_o_n_t_e_x_t.
+     When the AS-REQ is a user to user request, neither of keytab or principal
+     are used, instead krb5_rd_req() expects the session key to be set in
+     auth_context.
 
-     The kkrrbb55__vveerriiffyy__aapp__rreeqq and kkrrbb55__bbuuiilldd__aapp__rreeqq both constructs and verify
+     The krb5_verify_ap_req and krb5_build_ap_req both constructs and verify
      the AP_REQ message, should not be used by external code.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5.conf(5)
 
 HEIMDAL                         August 27, 2005                        HEIMDAL
diff --git a/lib/krb5/krb5_mk_safe.cat3 b/lib/krb5/krb5_mk_safe.cat3
index 5a26fd72d041..a517fefd8412 100644
--- a/lib/krb5/krb5_mk_safe.cat3
+++ b/lib/krb5/krb5_mk_safe.cat3
@@ -1,36 +1,35 @@
-
 KRB5_MK_SAFE(3)          BSD Library Functions Manual          KRB5_MK_SAFE(3)
 
-NNAAMMEE
-     kkrrbb55__mmkk__ssaaffee, kkrrbb55__mmkk__pprriivv -- generates integrity protected and/or
-     encrypted messages
+NAME
+     krb5_mk_safe, krb5_mk_priv -- generates integrity protected and/or en-
+     crypted messages
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__mmkk__pprriivv(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___d_a_t_a _*_u_s_e_r_d_a_t_a, _k_r_b_5___d_a_t_a _*_o_u_t_b_u_f,
-         _k_r_b_5___r_e_p_l_a_y___d_a_t_a _*_o_u_t_d_a_t_a);
+     krb5_error_code
+     krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
+         const krb5_data *userdata, krb5_data *outbuf,
+         krb5_replay_data *outdata);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__mmkk__ssaaffee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___d_a_t_a _*_u_s_e_r_d_a_t_a, _k_r_b_5___d_a_t_a _*_o_u_t_b_u_f,
-         _k_r_b_5___r_e_p_l_a_y___d_a_t_a _*_o_u_t_d_a_t_a);
+     krb5_error_code
+     krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
+         const krb5_data *userdata, krb5_data *outbuf,
+         krb5_replay_data *outdata);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__mmkk__ssaaffee() and kkrrbb55__mmkk__pprriivv() formats KRB-SAFE (integrity protected)
-     and KRB-PRIV (also encrypted) messages into _o_u_t_b_u_f.  The actual message
-     data is taken from _u_s_e_r_d_a_t_a.  If the KRB5_AUTH_CONTEXT_DO_SEQUENCE or
-     KRB5_AUTH_CONTEXT_DO_TIME flags are set in the _a_u_t_h___c_o_n_t_e_x_t, sequence
+DESCRIPTION
+     krb5_mk_safe() and krb5_mk_priv() formats KRB-SAFE (integrity protected)
+     and KRB-PRIV (also encrypted) messages into outbuf.  The actual message
+     data is taken from userdata.  If the KRB5_AUTH_CONTEXT_DO_SEQUENCE or
+     KRB5_AUTH_CONTEXT_DO_TIME flags are set in the auth_context, sequence
      numbers and time stamps are generated.  If the
      KRB5_AUTH_CONTEXT_RET_SEQUENCE or KRB5_AUTH_CONTEXT_RET_TIME flags are
-     set they are also returned in the _o_u_t_d_a_t_a parameter.
+     set they are also returned in the outdata parameter.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_auth_con_init(3), krb5_rd_priv(3), krb5_rd_safe(3)
 
 HEIMDAL                           May 1, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_openlog.cat3 b/lib/krb5/krb5_openlog.cat3
index 2b53b3b8d74b..e976a1174fa5 100644
--- a/lib/krb5/krb5_openlog.cat3
+++ b/lib/krb5/krb5_openlog.cat3
@@ -1,106 +1,105 @@
-
 KRB5_OPENLOG(3)          BSD Library Functions Manual          KRB5_OPENLOG(3)
 
-NNAAMMEE
-     kkrrbb55__iinniittlloogg, kkrrbb55__ooppeennlloogg, kkrrbb55__cclloosseelloogg, kkrrbb55__aaddddlloogg__ddeesstt,
-     kkrrbb55__aaddddlloogg__ffuunncc, kkrrbb55__lloogg, kkrrbb55__vvlloogg, kkrrbb55__lloogg__mmssgg, kkrrbb55__vvlloogg__mmssgg --
+NAME
+     krb5_initlog, krb5_openlog, krb5_closelog, krb5_addlog_dest,
+     krb5_addlog_func, krb5_log, krb5_vlog, krb5_log_msg, krb5_vlog_msg --
      Heimdal logging functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _t_y_p_e_d_e_f _v_o_i_d
-     (**kkrrbb55__lloogg__lloogg__ffuunncc__tt)(_c_o_n_s_t _c_h_a_r _*_t_i_m_e, _c_o_n_s_t _c_h_a_r _*_m_e_s_s_a_g_e,
-         _v_o_i_d _*_d_a_t_a);
+     typedef void
+     (*krb5_log_log_func_t)(const char *time, const char *message,
+         void *data);
 
-     _t_y_p_e_d_e_f _v_o_i_d
-     (**kkrrbb55__lloogg__cclloossee__ffuunncc__tt)(_v_o_i_d _*_d_a_t_a);
+     typedef void
+     (*krb5_log_close_func_t)(void *data);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aaddddlloogg__ddeesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
-         _c_o_n_s_t _c_h_a_r _*_d_e_s_t_i_n_a_t_i_o_n);
+     krb5_error_code
+     krb5_addlog_dest(krb5_context context, krb5_log_facility *facility,
+         const char *destination);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__aaddddlloogg__ffuunncc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
-         _i_n_t _m_i_n, _i_n_t _m_a_x, _k_r_b_5___l_o_g___l_o_g___f_u_n_c___t _l_o_g,
-         _k_r_b_5___l_o_g___c_l_o_s_e___f_u_n_c___t _c_l_o_s_e, _v_o_i_d _*_d_a_t_a);
+     krb5_error_code
+     krb5_addlog_func(krb5_context context, krb5_log_facility *facility,
+         int min, int max, krb5_log_log_func_t log,
+         krb5_log_close_func_t close, void *data);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cclloosseelloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y);
+     krb5_error_code
+     krb5_closelog(krb5_context context, krb5_log_facility *facility);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__iinniittlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_p_r_o_g_r_a_m,
-         _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_*_f_a_c_i_l_i_t_y);
+     krb5_error_code
+     krb5_initlog(krb5_context context, const char *program,
+         krb5_log_facility **facility);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__lloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, _i_n_t _l_e_v_e_l,
-         _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.);
+     krb5_error_code
+     krb5_log(krb5_context context, krb5_log_facility *facility, int level,
+         const char *format, ...);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__lloogg__mmssgg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
-         _c_h_a_r _*_*_r_e_p_l_y, _i_n_t _l_e_v_e_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.);
+     krb5_error_code
+     krb5_log_msg(krb5_context context, krb5_log_facility *facility,
+         char **reply, int level, const char *format, ...);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ooppeennlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_p_r_o_g_r_a_m,
-         _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_*_f_a_c_i_l_i_t_y);
+     krb5_error_code
+     krb5_openlog(krb5_context context, const char *program,
+         krb5_log_facility **facility);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vvlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, _i_n_t _l_e_v_e_l,
-         _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_r_g_l_i_s_t);
+     krb5_error_code
+     krb5_vlog(krb5_context context, krb5_log_facility *facility, int level,
+         const char *format, va_list arglist);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vvlloogg__mmssgg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
-         _c_h_a_r _*_*_r_e_p_l_y, _i_n_t _l_e_v_e_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_r_g_l_i_s_t);
+     krb5_error_code
+     krb5_vlog_msg(krb5_context context, krb5_log_facility *facility,
+         char **reply, int level, const char *format, va_list arglist);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      These functions logs messages to one or more destinations.
 
-     The kkrrbb55__ooppeennlloogg() function creates a logging _f_a_c_i_l_i_t_y, that is used to
+     The krb5_openlog() function creates a logging facility, that is used to
      log messages. A facility consists of one or more destinations (which can
-     be files or syslog or some other device). The _p_r_o_g_r_a_m parameter should be
+     be files or syslog or some other device). The program parameter should be
      the generic name of the program that is doing the logging. This name is
      used to lookup which destinations to use. This information is contained
-     in the logging section of the _k_r_b_5_._c_o_n_f configuration file.  If no entry
-     is found for _p_r_o_g_r_a_m, the entry for default is used, or if that is miss-
+     in the logging section of the krb5.conf configuration file.  If no entry
+     is found for program, the entry for default is used, or if that is miss-
      ing too, SYSLOG will be used as destination.
 
-     To close a logging facility, use the kkrrbb55__cclloosseelloogg() function.
+     To close a logging facility, use the krb5_closelog() function.
 
-     To log a message to a facility use one of the functions kkrrbb55__lloogg(),
-     kkrrbb55__lloogg__mmssgg(), kkrrbb55__vvlloogg(), or kkrrbb55__vvlloogg__mmssgg().  The functions ending in
-     _msg return in _r_e_p_l_y a pointer to the message that just got logged. This
-     string is allocated, and should be freed with ffrreeee().  The _f_o_r_m_a_t is a
-     standard pprriinnttff() style format string (but see the BUGS section).
+     To log a message to a facility use one of the functions krb5_log(),
+     krb5_log_msg(), krb5_vlog(), or krb5_vlog_msg().  The functions ending in
+     _msg return in reply a pointer to the message that just got logged. This
+     string is allocated, and should be freed with free().  The format is a
+     standard printf() style format string (but see the BUGS section).
 
      If you want better control of where things gets logged, you can instead
-     of using kkrrbb55__ooppeennlloogg() call kkrrbb55__iinniittlloogg(), which just initializes a
-     facility, but doesn't define any actual logging destinations. You can
-     then add destinations with the kkrrbb55__aaddddlloogg__ddeesstt() and kkrrbb55__aaddddlloogg__ffuunncc()
-     functions.  The first of these takes a string specifying a logging desti-
-     nation, and adds this to the facility. If you want to do some non-stan-
-     dard logging you can use the kkrrbb55__aaddddlloogg__ffuunncc() function, which takes a
-     function to use when logging.  The _l_o_g function is called for each mes-
-     sage with _t_i_m_e being a string specifying the current time, and _m_e_s_s_a_g_e
-     the message to log.  _c_l_o_s_e is called when the facility is closed. You can
-     pass application specific data in the _d_a_t_a parameter. The _m_i_n and _m_a_x
-     parameter are the same as in a destination (defined below). To specify a
+     of using krb5_openlog() call krb5_initlog(), which just initializes a fa-
+     cility, but doesn't define any actual logging destinations. You can then
+     add destinations with the krb5_addlog_dest() and krb5_addlog_func() func-
+     tions.  The first of these takes a string specifying a logging destina-
+     tion, and adds this to the facility. If you want to do some non-standard
+     logging you can use the krb5_addlog_func() function, which takes a func-
+     tion to use when logging.  The log function is called for each message
+     with time being a string specifying the current time, and message the
+     message to log.  close is called when the facility is closed. You can
+     pass application specific data in the data parameter. The min and max pa-
+     rameter are the same as in a destination (defined below). To specify a
      max of infinity, pass -1.
 
-     kkrrbb55__ooppeennlloogg() calls kkrrbb55__iinniittlloogg() and then calls kkrrbb55__aaddddlloogg__ddeesstt() for
+     krb5_openlog() calls krb5_initlog() and then calls krb5_addlog_dest() for
      each destination found.
 
-   DDeessttiinnaattiioonnss
-     The defined destinations (as specified in _k_r_b_5_._c_o_n_f) follows:
+   Destinations
+     The defined destinations (as specified in krb5.conf) follows:
 
            STDERR
                 This logs to the program's stderr.
 
-           FILE:_/_f_i_l_e
+           FILE:/file
 
-           FILE=_/_f_i_l_e
+           FILE=/file
                 Log to the specified file. The form using a colon appends to
                 the file, the form with an equal truncates the file. The trun-
                 cating form keeps the file open, while the appending form
@@ -108,7 +107,7 @@ DDEESSCCRRIIPPTTIIOONN
                 rotate logs). The truncating form is mainly for compatibility
                 with the MIT libkrb5.
 
-           DEVICE=_/_d_e_v_i_c_e
+           DEVICE=/device
                 This logs to the specified device, at present this is the same
                 as FILE:/device.
 
@@ -121,39 +120,39 @@ DDEESSCCRRIIPPTTIIOONN
                 the macro passed to syslog(3), and remove the leading LOG_
                 (LOG_NOTICE becomes NOTICE).  The default values (as well as
                 the values used for unrecognised values), are ERR, and AUTH,
-                respectively.  See syslog(3) for a list of priorities and
-                facilities.
+                respectively.  See syslog(3) for a list of priorities and fa-
+                cilities.
 
      Each destination may optionally be prepended with a range of logging lev-
-     els, specified as min-max/.  If the _l_e_v_e_l parameter to kkrrbb55__lloogg() is
+     els, specified as min-max/.  If the level parameter to krb5_log() is
      within this range (inclusive) the message gets logged to this destina-
      tion, otherwise not. Either of the min and max valued may be omitted, in
      this case min is assumed to be zero, and max is assumed to be infinity.
      If you don't include a dash, both min and max gets set to the specified
      value. If no range is specified, all messages gets logged.
 
-EEXXAAMMPPLLEESS
+EXAMPLES
            [logging]
                    kdc = 0/FILE:/var/log/kdc.log
                    kdc = 1-/SYSLOG:INFO:USER
                    default = STDERR
 
-     This will log all messages from the kkddcc program with level 0 to
-     _/_v_a_r_/_l_o_g_/_k_d_c_._l_o_g, other messages will be logged to syslog with priority
+     This will log all messages from the kdc program with level 0 to
+     /var/log/kdc.log, other messages will be logged to syslog with priority
      LOG_INFO, and facility LOG_USER.  All other programs will log all mes-
      sages to their stderr.
 
-SSEEEE AALLSSOO
+SEE ALSO
      syslog(3), krb5.conf(5)
 
-BBUUGGSS
-     These functions use aasspprriinnttff() to format the message. If your operating
-     system does not have a working aasspprriinnttff(), a replacement will be used. At
+BUGS
+     These functions use asprintf() to format the message. If your operating
+     system does not have a working asprintf(), a replacement will be used. At
      present this replacement does not handle some correct conversion specifi-
      cations (like floating point numbers). Until this is fixed, the use of
      these conversions should be avoided.
 
      If logging is done to the syslog facility, these functions might not be
-     thread-safe, depending on the implementation of ooppeennlloogg(), and ssyysslloogg().
+     thread-safe, depending on the implementation of openlog(), and syslog().
 
 HEIMDAL                         August 6, 1997                         HEIMDAL
diff --git a/lib/krb5/krb5_parse_name.cat3 b/lib/krb5/krb5_parse_name.cat3
index f142b9e1f824..5799ef31bfee 100644
--- a/lib/krb5/krb5_parse_name.cat3
+++ b/lib/krb5/krb5_parse_name.cat3
@@ -1,30 +1,29 @@
-
 KRB5_PARSE_NAME(3)       BSD Library Functions Manual       KRB5_PARSE_NAME(3)
 
-NNAAMMEE
-     kkrrbb55__ppaarrssee__nnaammee -- string to principal conversion
+NAME
+     krb5_parse_name -- string to principal conversion
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ppaarrssee__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l);
+     krb5_error_code
+     krb5_parse_name(krb5_context context, const char *name,
+         krb5_principal *principal);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ppaarrssee__nnaammee() converts a string representation of a principal name to
-     kkrrbb55__pprriinncciippaall.  The _p_r_i_n_c_i_p_a_l will point to allocated data that should
-     be freed with kkrrbb55__ffrreeee__pprriinncciippaall().
+DESCRIPTION
+     krb5_parse_name() converts a string representation of a principal name to
+     krb5_principal.  The principal will point to allocated data that should
+     be freed with krb5_free_principal().
 
      The string should consist of one or more name components separated with
-     slashes (``/''), optionally followed with an ``@'' and a realm name. A
-     slash or @ may be contained in a name component by quoting it with a
-     backslash (``\'').  A realm should not contain slashes or colons.
+     slashes ("/"), optionally followed with an "@" and a realm name. A slash
+     or @ may be contained in a name component by quoting it with a backslash
+     ("\").  A realm should not contain slashes or colons.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_build_principal(3), krb5_free_principal(3),
      krb5_sname_to_principal(3), krb5_unparse_name(3)
 
diff --git a/lib/krb5/krb5_principal.cat3 b/lib/krb5/krb5_principal.cat3
index 98f7aa30f849..5488ad9dfb83 100644
--- a/lib/krb5/krb5_principal.cat3
+++ b/lib/krb5/krb5_principal.cat3
@@ -1,140 +1,139 @@
-
 KRB5_PRINCIPAL(3)        BSD Library Functions Manual        KRB5_PRINCIPAL(3)
 
-NNAAMMEE
-     kkrrbb55__ggeett__ddeeffaauulltt__pprriinncciippaall, kkrrbb55__pprriinncciippaall, kkrrbb55__bbuuiilldd__pprriinncciippaall,
-     kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt, kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa,
-     kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt, kkrrbb55__ccooppyy__pprriinncciippaall, kkrrbb55__ffrreeee__pprriinncciippaall,
-     kkrrbb55__mmaakkee__pprriinncciippaall, kkrrbb55__ppaarrssee__nnaammee, kkrrbb55__ppaarrssee__nnaammee__ffllaaggss,
-     kkrrbb55__ppaarrssee__nnaammeettyyppee, kkrrbb55__pprriinncc__sseett__rreeaallmm, kkrrbb55__pprriinncciippaall__ccoommppaarree,
-     kkrrbb55__pprriinncciippaall__ccoommppaarree__aannyy__rreeaallmm, kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg,
-     kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm, kkrrbb55__pprriinncciippaall__ggeett__ttyyppee, kkrrbb55__pprriinncciippaall__mmaattcchh,
-     kkrrbb55__pprriinncciippaall__sseett__ttyyppee, kkrrbb55__rreeaallmm__ccoommppaarree, kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall,
-     kkrrbb55__ssoocckk__ttoo__pprriinncciippaall, kkrrbb55__uunnppaarrssee__nnaammee, kkrrbb55__uunnppaarrssee__nnaammee__ffllaaggss,
-     kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd, kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd__ffllaaggss,
-     kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd__sshhoorrtt, kkrrbb55__uunnppaarrssee__nnaammee__sshhoorrtt -- Kerberos 5
+NAME
+     krb5_get_default_principal, krb5_principal, krb5_build_principal,
+     krb5_build_principal_ext, krb5_build_principal_va,
+     krb5_build_principal_va_ext, krb5_copy_principal, krb5_free_principal,
+     krb5_make_principal, krb5_parse_name, krb5_parse_name_flags,
+     krb5_parse_nametype, krb5_princ_set_realm, krb5_principal_compare,
+     krb5_principal_compare_any_realm, krb5_principal_get_comp_string,
+     krb5_principal_get_realm, krb5_principal_get_type, krb5_principal_match,
+     krb5_principal_set_type, krb5_realm_compare, krb5_sname_to_principal,
+     krb5_sock_to_principal, krb5_unparse_name, krb5_unparse_name_flags,
+     krb5_unparse_name_fixed, krb5_unparse_name_fixed_flags,
+     krb5_unparse_name_fixed_short, krb5_unparse_name_short -- Kerberos 5
      principal handling functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
      krb5_principal;
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l);
+     void
+     krb5_free_principal(krb5_context context, krb5_principal principal);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ppaarrssee__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l);
+     krb5_error_code
+     krb5_parse_name(krb5_context context, const char *name,
+         krb5_principal *principal);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ppaarrssee__nnaammee__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, _i_n_t _f_l_a_g_s,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l);
+     krb5_error_code
+     krb5_parse_name_flags(krb5_context context, const char *name, int flags,
+         krb5_principal *principal);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__uunnppaarrssee__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
-         _c_h_a_r _*_*_n_a_m_e);
+     krb5_error_code
+     krb5_unparse_name(krb5_context context, krb5_const_principal principal,
+         char **name);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__uunnppaarrssee__nnaammee__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _i_n_t _f_l_a_g_s, _c_h_a_r _*_*_n_a_m_e);
+     krb5_error_code
+     krb5_unparse_name_flags(krb5_context context,
+         krb5_const_principal principal, int flags, char **name);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _c_h_a_r _*_n_a_m_e, _s_i_z_e___t _l_e_n);
+     krb5_error_code
+     krb5_unparse_name_fixed(krb5_context context,
+         krb5_const_principal principal, char *name, size_t len);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _i_n_t _f_l_a_g_s, _c_h_a_r _*_n_a_m_e, _s_i_z_e___t _l_e_n);
+     krb5_error_code
+     krb5_unparse_name_fixed_flags(krb5_context context,
+         krb5_const_principal principal, int flags, char *name, size_t len);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__uunnppaarrssee__nnaammee__sshhoorrtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _c_h_a_r _*_*_n_a_m_e);
+     krb5_error_code
+     krb5_unparse_name_short(krb5_context context,
+         krb5_const_principal principal, char **name);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd__sshhoorrtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _c_h_a_r _*_n_a_m_e, _s_i_z_e___t _l_e_n);
+     krb5_error_code
+     krb5_unparse_name_fixed_short(krb5_context context,
+         krb5_const_principal principal, char *name, size_t len);
 
-     _v_o_i_d
-     kkrrbb55__pprriinncc__sseett__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
-         _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m);
+     void
+     krb5_princ_set_realm(krb5_context context, krb5_principal principal,
+         krb5_realm *realm);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__bbuuiilldd__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
-         _i_n_t _r_l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.);
+     krb5_error_code
+     krb5_build_principal(krb5_context context, krb5_principal *principal,
+         int rlen, krb5_const_realm realm, ...);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
-         _i_n_t _r_l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _v_a___l_i_s_t _a_p);
+     krb5_error_code
+     krb5_build_principal_va(krb5_context context, krb5_principal *principal,
+         int rlen, krb5_const_realm realm, va_list ap);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
-         _i_n_t _r_l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.);
+     krb5_error_code
+     krb5_build_principal_ext(krb5_context context, krb5_principal *principal,
+         int rlen, krb5_const_realm realm, ...);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l, _i_n_t _r_l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m,
-         _v_a___l_i_s_t _a_p);
+     krb5_error_code
+     krb5_build_principal_va_ext(krb5_context context,
+         krb5_principal *principal, int rlen, krb5_const_realm realm,
+         va_list ap);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__mmaakkee__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
-         _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.);
+     krb5_error_code
+     krb5_make_principal(krb5_context context, krb5_principal *principal,
+         krb5_const_realm realm, ...);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccooppyy__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _i_n_p_r_i_n_c,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _*_o_u_t_p_r_i_n_c);
+     krb5_error_code
+     krb5_copy_principal(krb5_context context, krb5_const_principal inprinc,
+         krb5_principal *outprinc);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__pprriinncciippaall__ccoommppaarree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_1,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_2);
+     krb5_boolean
+     krb5_principal_compare(krb5_context context, krb5_const_principal princ1,
+         krb5_const_principal princ2);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__pprriinncciippaall__ccoommppaarree__aannyy__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_1, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_2);
+     krb5_boolean
+     krb5_principal_compare_any_realm(krb5_context context,
+         krb5_const_principal princ1, krb5_const_principal princ2);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _u_n_s_i_g_n_e_d _i_n_t _c_o_m_p_o_n_e_n_t);
+     const char *
+     krb5_principal_get_comp_string(krb5_context context,
+         krb5_const_principal principal, unsigned int component);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l);
+     const char *
+     krb5_principal_get_realm(krb5_context context,
+         krb5_const_principal principal);
 
-     _i_n_t
-     kkrrbb55__pprriinncciippaall__ggeett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l);
+     int
+     krb5_principal_get_type(krb5_context context,
+         krb5_const_principal principal);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__pprriinncciippaall__mmaattcchh(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_a_t_t_e_r_n);
+     krb5_boolean
+     krb5_principal_match(krb5_context context,
+         krb5_const_principal principal, krb5_const_principal pattern);
 
-     _v_o_i_d
-     kkrrbb55__pprriinncciippaall__sseett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
-         _i_n_t _t_y_p_e);
+     void
+     krb5_principal_set_type(krb5_context context, krb5_principal principal,
+         int type);
 
-     _k_r_b_5___b_o_o_l_e_a_n
-     kkrrbb55__rreeaallmm__ccoommppaarree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_1,
-         _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_2);
+     krb5_boolean
+     krb5_realm_compare(krb5_context context, krb5_const_principal princ1,
+         krb5_const_principal princ2);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_h_o_s_t_n_a_m_e,
-         _c_o_n_s_t _c_h_a_r _*_s_n_a_m_e, _i_n_t_3_2___t _t_y_p_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_r_e_t___p_r_i_n_c);
+     krb5_error_code
+     krb5_sname_to_principal(krb5_context context, const char *hostname,
+         const char *sname, int32_t type, krb5_principal *ret_princ);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssoocckk__ttoo__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _s_o_c_k_e_t,
-         _c_o_n_s_t _c_h_a_r _*_s_n_a_m_e, _i_n_t_3_2___t _t_y_p_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l);
+     krb5_error_code
+     krb5_sock_to_principal(krb5_context context, int socket,
+         const char *sname, int32_t type, krb5_principal *principal);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ddeeffaauulltt__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c);
+     krb5_error_code
+     krb5_get_default_principal(krb5_context context, krb5_principal *princ);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ppaarrssee__nnaammeettyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_s_t_r,
-         _i_n_t_3_2___t _*_t_y_p_e);
+     krb5_error_code
+     krb5_parse_nametype(krb5_context context, const char *str,
+         int32_t *type);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      krb5_principal holds the name of a user or service in Kerberos.
 
      A principal has two parts, a PrincipalName and a realm.  The Principal-
@@ -142,21 +141,21 @@ DDEESSCCRRIIPPTTIIOONN
      are separated by /.  The PrincipalName also has a name-type.
 
      Examples of a principal are nisse/root@EXAMPLE.COM and
-     host/datan.kth.se@KTH.SE.  kkrrbb55__ppaarrssee__nnaammee() and kkrrbb55__ppaarrssee__nnaammee__ffllaaggss()
-     passes a principal name in _n_a_m_e to the kerberos principal structure.
-     kkrrbb55__ppaarrssee__nnaammee__ffllaaggss() takes an extra _f_l_a_g_s argument the following flags
+     host/datan.kth.se@KTH.SE.  krb5_parse_name() and krb5_parse_name_flags()
+     passes a principal name in name to the kerberos principal structure.
+     krb5_parse_name_flags() takes an extra flags argument the following flags
      can be passed in
 
      KRB5_PRINCIPAL_PARSE_NO_REALM
              requires the input string to be without a realm, and no realm is
-             stored in the _p_r_i_n_c_i_p_a_l return argument.
+             stored in the principal return argument.
 
      KRB5_PRINCIPAL_PARSE_REQUIRE_REALM
              requires the input string to with a realm.
 
-     kkrrbb55__uunnppaarrssee__nnaammee() and kkrrbb55__uunnppaarrssee__nnaammee__ffllaaggss() prints the principal
-     _p_r_i_n_c to the string _n_a_m_e.  _n_a_m_e should be freed with free(3).  To the
-     _f_l_a_g_s argument the following flags can be passed in
+     krb5_unparse_name() and krb5_unparse_name_flags() prints the principal
+     princ to the string name.  name should be freed with free(3).  To the
+     flags argument the following flags can be passed in
 
      KRB5_PRINCIPAL_UNPARSE_SHORT
              no realm if the realm is one of the local realms.
@@ -166,55 +165,55 @@ DDEESSCCRRIIPPTTIIOONN
 
      KRB5_PRINCIPAL_UNPARSE_DISPLAY
              don't quote
-     On failure _n_a_m_e is set to NULL.  kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd() and
-     kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd__ffllaaggss() behaves just like kkrrbb55__uunnppaarrssee(), but
-     instead unparses the principal into a fixed size buffer.
+     On failure name is set to NULL.  krb5_unparse_name_fixed() and
+     krb5_unparse_name_fixed_flags() behaves just like krb5_unparse(), but in-
+     stead unparses the principal into a fixed size buffer.
 
-     kkrrbb55__uunnppaarrssee__nnaammee__sshhoorrtt() just returns the principal without the realm if
+     krb5_unparse_name_short() just returns the principal without the realm if
      the principal is in the default realm. If the principal isn't, the full
-     name is returned.  kkrrbb55__uunnppaarrssee__nnaammee__ffiixxeedd__sshhoorrtt() works just like
-     kkrrbb55__uunnppaarrssee__nnaammee__sshhoorrtt() but on a fixed size buffer.
+     name is returned.  krb5_unparse_name_fixed_short() works just like
+     krb5_unparse_name_short() but on a fixed size buffer.
 
-     kkrrbb55__bbuuiilldd__pprriinncciippaall() builds a principal from the realm _r_e_a_l_m that has
-     the length _r_l_e_n.  The following arguments form the components of the
+     krb5_build_principal() builds a principal from the realm realm that has
+     the length rlen.  The following arguments form the components of the
      principal.  The list of components is terminated with NULL.
 
-     kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa() works like kkrrbb55__bbuuiilldd__pprriinncciippaall() using vargs.
+     krb5_build_principal_va() works like krb5_build_principal() using vargs.
 
-     kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt() and kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt() take a list
+     krb5_build_principal_ext() and krb5_build_principal_va_ext() take a list
      of length-value pairs, the list is terminated with a zero length.
 
-     kkrrbb55__mmaakkee__pprriinncciippaall() works the same way as kkrrbb55__bbuuiilldd__pprriinncciippaall(),
-     except it figures out the length of the realm itself.
+     krb5_make_principal() works the same way as krb5_build_principal(), ex-
+     cept it figures out the length of the realm itself.
 
-     kkrrbb55__ccooppyy__pprriinncciippaall() makes a copy of a principal.  The copy needs to be
-     freed with kkrrbb55__ffrreeee__pprriinncciippaall().
+     krb5_copy_principal() makes a copy of a principal.  The copy needs to be
+     freed with krb5_free_principal().
 
-     kkrrbb55__pprriinncciippaall__ccoommppaarree() compares the two principals, including realm of
+     krb5_principal_compare() compares the two principals, including realm of
      the principals and returns TRUE if they are the same and FALSE if not.
 
-     kkrrbb55__pprriinncciippaall__ccoommppaarree__aannyy__rreeaallmm() works the same way as
-     kkrrbb55__pprriinncciippaall__ccoommppaarree() but doesn't compare the realm component of the
+     krb5_principal_compare_any_realm() works the same way as
+     krb5_principal_compare() but doesn't compare the realm component of the
      principal.
 
-     kkrrbb55__rreeaallmm__ccoommppaarree() compares the realms of the two principals and
-     returns TRUE is they are the same, and FALSE if not.
+     krb5_realm_compare() compares the realms of the two principals and re-
+     turns TRUE is they are the same, and FALSE if not.
 
-     kkrrbb55__pprriinncciippaall__mmaattcchh() matches a _p_r_i_n_c_i_p_a_l against a _p_a_t_t_e_r_n.  The pat-
+     krb5_principal_match() matches a principal against a pattern.  The pat-
      tern is a globbing expression, where each component (separated by /) is
      matched against the corresponding component of the principal.
 
-     The kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm() and kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg() func-
-     tions return parts of the _p_r_i_n_c_i_p_a_l, either the realm or a specific com-
+     The krb5_principal_get_realm() and krb5_principal_get_comp_string() func-
+     tions return parts of the principal, either the realm or a specific com-
      ponent.  Both functions return string pointers to data inside the princi-
      pal, so they are valid only as long as the principal exists.
 
-     The _c_o_m_p_o_n_e_n_t argument to kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg() is the index
+     The component argument to krb5_principal_get_comp_string() is the index
      of the component to return, from zero to the total number of components
      minus one. If the index is out of range NULL is returned.
 
-     kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm() and kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg() are
-     replacements for kkrrbb55__pprriinncc__ccoommppoonneenntt() and related macros, described as
+     krb5_principal_get_realm() and krb5_principal_get_comp_string() are re-
+     placements for krb5_princ_component() and related macros, described as
      internal in the MIT API specification.  Unlike the macros, these func-
      tions return strings, not krb5_data.  A reason to return krb5_data was
      that it was believed that principal components could contain binary data,
@@ -223,36 +222,36 @@ DDEESSCCRRIIPPTTIIOONN
 
      It's generally not necessary to look at the components of a principal.
 
-     kkrrbb55__pprriinncciippaall__ggeett__ttyyppee() and kkrrbb55__pprriinncciippaall__sseett__ttyyppee() get and sets the
+     krb5_principal_get_type() and krb5_principal_set_type() get and sets the
      name type for a principal.  Name type handling is tricky and not often
      needed, don't use this unless you know what you do.
 
-     kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall() and kkrrbb55__ssoocckk__ttoo__pprriinncciippaall() are for easy cre-
-     ation of ``service'' principals that can, for instance, be used to lookup
-     a key in a keytab.  For both functions the _s_n_a_m_e parameter will be used
-     for the first component of the created principal.  If _s_n_a_m_e is NULL,
-     ``host'' will be used instead.
+     krb5_sname_to_principal() and krb5_sock_to_principal() are for easy cre-
+     ation of "service" principals that can, for instance, be used to lookup a
+     key in a keytab.  For both functions the sname parameter will be used for
+     the first component of the created principal.  If sname is NULL, "host"
+     will be used instead.
 
-     kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall() will use the passed _h_o_s_t_n_a_m_e for the second
-     component.  If _t_y_p_e is KRB5_NT_SRV_HST this name will be looked up with
-     ggeetthhoossttbbyynnaammee().  If _h_o_s_t_n_a_m_e is NULL, the local hostname will be used.
+     krb5_sname_to_principal() will use the passed hostname for the second
+     component.  If type is KRB5_NT_SRV_HST this name will be looked up with
+     gethostbyname().  If hostname is NULL, the local hostname will be used.
 
-     kkrrbb55__ssoocckk__ttoo__pprriinncciippaall() will use the ``sockname'' of the passed _s_o_c_k_e_t,
+     krb5_sock_to_principal() will use the "sockname" of the passed socket,
      which should be a bound AF_INET or AF_INET6 socket.  There must be a map-
-     ping between the address and ``sockname''.  The function may try to
-     resolve the name in DNS.
+     ping between the address and "sockname".  The function may try to resolve
+     the name in DNS.
 
-     kkrrbb55__ggeett__ddeeffaauulltt__pprriinncciippaall() tries to find out what's a reasonable
-     default principal by looking at the environment it is running in.
+     krb5_get_default_principal() tries to find out what's a reasonable de-
+     fault principal by looking at the environment it is running in.
 
-     kkrrbb55__ppaarrssee__nnaammeettyyppee() parses and returns the name type integer value in
-     _t_y_p_e.  On failure the function returns an error code and set the error
+     krb5_parse_nametype() parses and returns the name type integer value in
+     type.  On failure the function returns an error code and set the error
      string.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_config(3), krb5.conf(5)
 
-BBUUGGSS
+BUGS
      You can not have a NUL in a component in some of the variable argument
      functions above.  Until someone can give a good example of where it would
      be a good idea to have NUL's in a component, this will not be fixed.
diff --git a/lib/krb5/krb5_rcache.cat3 b/lib/krb5/krb5_rcache.cat3
index 84631967a1fa..e16ad25e6b45 100644
--- a/lib/krb5/krb5_rcache.cat3
+++ b/lib/krb5/krb5_rcache.cat3
@@ -1,84 +1,83 @@
-
 KRB5_RCACHE(3)           BSD Library Functions Manual           KRB5_RCACHE(3)
 
-NNAAMMEE
-     kkrrbb55__rrccaacchhee, kkrrbb55__rrcc__cclloossee, kkrrbb55__rrcc__ddeeffaauulltt, kkrrbb55__rrcc__ddeeffaauulltt__nnaammee,
-     kkrrbb55__rrcc__ddeeffaauulltt__ttyyppee, kkrrbb55__rrcc__ddeessttrrooyy, kkrrbb55__rrcc__eexxppuunnggee,
-     kkrrbb55__rrcc__ggeett__lliiffeessppaann, kkrrbb55__rrcc__ggeett__nnaammee, kkrrbb55__rrcc__ggeett__ttyyppee,
-     kkrrbb55__rrcc__iinniittiiaalliizzee, kkrrbb55__rrcc__rreeccoovveerr, kkrrbb55__rrcc__rreessoollvvee,
-     kkrrbb55__rrcc__rreessoollvvee__ffuullll, kkrrbb55__rrcc__rreessoollvvee__ttyyppee, kkrrbb55__rrcc__ssttoorree,
-     kkrrbb55__ggeett__sseerrvveerr__rrccaacchhee -- Kerberos 5 replay cache
+NAME
+     krb5_rcache, krb5_rc_close, krb5_rc_default, krb5_rc_default_name,
+     krb5_rc_default_type, krb5_rc_destroy, krb5_rc_expunge,
+     krb5_rc_get_lifespan, krb5_rc_get_name, krb5_rc_get_type,
+     krb5_rc_initialize, krb5_rc_recover, krb5_rc_resolve,
+     krb5_rc_resolve_full, krb5_rc_resolve_type, krb5_rc_store,
+     krb5_get_server_rcache -- Kerberos 5 replay cache
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
      struct krb5_rcache;
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__cclloossee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d);
+     krb5_error_code
+     krb5_rc_close(krb5_context context, krb5_rcache id);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _*_i_d);
+     krb5_error_code
+     krb5_rc_default(krb5_context context, krb5_rcache *id);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__rrcc__ddeeffaauulltt__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t);
+     const char *
+     krb5_rc_default_name(krb5_context context);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__rrcc__ddeeffaauulltt__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t);
+     const char *
+     krb5_rc_default_type(krb5_context context);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__ddeessttrrooyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d);
+     krb5_error_code
+     krb5_rc_destroy(krb5_context context, krb5_rcache id);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__eexxppuunnggee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d);
+     krb5_error_code
+     krb5_rc_expunge(krb5_context context, krb5_rcache id);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__ggeett__lliiffeessppaann(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d,
-         _k_r_b_5___d_e_l_t_a_t _*_a_u_t_h___l_i_f_e_s_p_a_n);
+     krb5_error_code
+     krb5_rc_get_lifespan(krb5_context context, krb5_rcache id,
+         krb5_deltat *auth_lifespan);
 
-     _c_o_n_s_t _c_h_a_r_*
-     kkrrbb55__rrcc__ggeett__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d);
+     const char*
+     krb5_rc_get_name(krb5_context context, krb5_rcache id);
 
-     _c_o_n_s_t _c_h_a_r_*
-     kkrrbb55__rrcc__ggeett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d);
+     const char*
+     krb5_rc_get_type(krb5_context context, krb5_rcache id);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__iinniittiiaalliizzee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d,
-         _k_r_b_5___d_e_l_t_a_t _a_u_t_h___l_i_f_e_s_p_a_n);
+     krb5_error_code
+     krb5_rc_initialize(krb5_context context, krb5_rcache id,
+         krb5_deltat auth_lifespan);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__rreeccoovveerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d);
+     krb5_error_code
+     krb5_rc_recover(krb5_context context, krb5_rcache id);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__rreessoollvvee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d, _c_o_n_s_t _c_h_a_r _*_n_a_m_e);
+     krb5_error_code
+     krb5_rc_resolve(krb5_context context, krb5_rcache id, const char *name);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__rreessoollvvee__ffuullll(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _*_i_d,
-         _c_o_n_s_t _c_h_a_r _*_s_t_r_i_n_g___n_a_m_e);
+     krb5_error_code
+     krb5_rc_resolve_full(krb5_context context, krb5_rcache *id,
+         const char *string_name);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__rreessoollvvee__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _*_i_d,
-         _c_o_n_s_t _c_h_a_r _*_t_y_p_e);
+     krb5_error_code
+     krb5_rc_resolve_type(krb5_context context, krb5_rcache *id,
+         const char *type);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrcc__ssttoorree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_c_a_c_h_e _i_d,
-         _k_r_b_5___d_o_n_o_t___r_e_p_l_a_y _*_r_e_p);
+     krb5_error_code
+     krb5_rc_store(krb5_context context, krb5_rcache id,
+         krb5_donot_replay *rep);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__sseerrvveerr__rrccaacchhee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_p_i_e_c_e,
-         _k_r_b_5___r_c_a_c_h_e _*_i_d);
+     krb5_error_code
+     krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
+         krb5_rcache *id);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      The krb5_rcache structure holds a storage element that is used for data
      manipulation.  The structure contains no public accessible elements.
 
-     kkrrbb55__rrcc__iinniittiiaalliizzee() Creates the reply cache _i_d and sets it lifespan to
-     _a_u_t_h___l_i_f_e_s_p_a_n.  If the cache already exists, the content is destroyed.
+     krb5_rc_initialize() Creates the reply cache id and sets it lifespan to
+     auth_lifespan.  If the cache already exists, the content is destroyed.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_data(3), kerberos(8)
 
 HEIMDAL                           May 1, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_rd_error.cat3 b/lib/krb5/krb5_rd_error.cat3
index 5b64c3daf2b5..a64ad0a172ef 100644
--- a/lib/krb5/krb5_rd_error.cat3
+++ b/lib/krb5/krb5_rd_error.cat3
@@ -1,52 +1,51 @@
-
 KRB5_RD_ERROR(3)         BSD Library Functions Manual         KRB5_RD_ERROR(3)
 
-NNAAMMEE
-     kkrrbb55__rrdd__eerrrroorr, kkrrbb55__ffrreeee__eerrrroorr, kkrrbb55__ffrreeee__eerrrroorr__ccoonntteennttss,
-     kkrrbb55__eerrrroorr__ffrroomm__rrdd__eerrrroorr -- parse, free and read error from KRB-ERROR
+NAME
+     krb5_rd_error, krb5_free_error, krb5_free_error_contents,
+     krb5_error_from_rd_error -- parse, free and read error from KRB-ERROR
      message
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrdd__eerrrroorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_m_s_g,
-         _K_R_B___E_R_R_O_R _*_r_e_s_u_l_t);
+     krb5_error_code
+     krb5_rd_error(krb5_context context, const krb5_data *msg,
+         KRB_ERROR *result);
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__eerrrroorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r _*_e_r_r_o_r);
+     void
+     krb5_free_error(krb5_context context, krb5_error *error);
 
-     _v_o_i_d
-     kkrrbb55__ffrreeee__eerrrroorr__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r _*_e_r_r_o_r);
+     void
+     krb5_free_error_contents(krb5_context context, krb5_error *error);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__eerrrroorr__ffrroomm__rrdd__eerrrroorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___e_r_r_o_r _*_e_r_r_o_r,
-         _c_o_n_s_t _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s);
+     krb5_error_code
+     krb5_error_from_rd_error(krb5_context context, const krb5_error *error,
+         const krb5_creds *creds);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      Usually applications never needs to parse and understand Kerberos error
      messages since higher level functions will parse and push up the error in
      the krb5_context.  These functions are described for completeness.
 
-     kkrrbb55__rrdd__eerrrroorr() parses and returns the kerboeros error message, the
-     structure should be freed with kkrrbb55__ffrreeee__eerrrroorr__ccoonntteennttss() when the caller
+     krb5_rd_error() parses and returns the kerboeros error message, the
+     structure should be freed with krb5_free_error_contents() when the caller
      is done with the structure.
 
-     kkrrbb55__ffrreeee__eerrrroorr() frees the content and the memory region holding the
+     krb5_free_error() frees the content and the memory region holding the
      structure iself.
 
-     kkrrbb55__ffrreeee__eerrrroorr__ccoonntteennttss() free the content of the KRB-ERROR message.
+     krb5_free_error_contents() free the content of the KRB-ERROR message.
 
-     kkrrbb55__eerrrroorr__ffrroomm__rrdd__eerrrroorr() will parse the error message and set the error
+     krb5_error_from_rd_error() will parse the error message and set the error
      buffer in krb5_context to the error string passed back or the matching
      error code in the KRB-ERROR message.  Caller should pick up the message
-     with kkrrbb55__ggeett__eerrrroorr__ssttrriinngg(_3) (don't forget to free the returned string
-     with kkrrbb55__ffrreeee__eerrrroorr__ssttrriinngg()).
+     with krb5_get_error_string(3) (don't forget to free the returned string
+     with krb5_free_error_string()).
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_set_error_string(3), krb5_get_error_string(3), krb5.conf(5)
 
 HEIMDAL                          July 26, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_rd_safe.cat3 b/lib/krb5/krb5_rd_safe.cat3
index 9eb55c83fe2f..0f4fd9fe9ea5 100644
--- a/lib/krb5/krb5_rd_safe.cat3
+++ b/lib/krb5/krb5_rd_safe.cat3
@@ -1,35 +1,34 @@
-
 KRB5_RD_SAFE(3)          BSD Library Functions Manual          KRB5_RD_SAFE(3)
 
-NNAAMMEE
-     kkrrbb55__rrdd__ssaaffee, kkrrbb55__rrdd__pprriivv -- verifies authenticity of messages
+NAME
+     krb5_rd_safe, krb5_rd_priv -- verifies authenticity of messages
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrdd__pprriivv(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_n_b_u_f, _k_r_b_5___d_a_t_a _*_o_u_t_b_u_f,
-         _k_r_b_5___r_e_p_l_a_y___d_a_t_a _*_o_u_t_d_a_t_a);
+     krb5_error_code
+     krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
+         const krb5_data *inbuf, krb5_data *outbuf,
+         krb5_replay_data *outdata);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__rrdd__ssaaffee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t,
-         _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_n_b_u_f, _k_r_b_5___d_a_t_a _*_o_u_t_b_u_f,
-         _k_r_b_5___r_e_p_l_a_y___d_a_t_a _*_o_u_t_d_a_t_a);
+     krb5_error_code
+     krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
+         const krb5_data *inbuf, krb5_data *outbuf,
+         krb5_replay_data *outdata);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__rrdd__ssaaffee() and kkrrbb55__rrdd__pprriivv() parses KRB-SAFE and KRB-PRIV messages
-     (as generated by krb5_mk_safe(3) and krb5_mk_priv(3)) from _i_n_b_u_f and ver-
-     ifies its integrity. The user data part of the message in put in _o_u_t_b_u_f.
+DESCRIPTION
+     krb5_rd_safe() and krb5_rd_priv() parses KRB-SAFE and KRB-PRIV messages
+     (as generated by krb5_mk_safe(3) and krb5_mk_priv(3)) from inbuf and ver-
+     ifies its integrity. The user data part of the message in put in outbuf.
      The encryption state, including keyblocks and addresses, is taken from
-     _a_u_t_h___c_o_n_t_e_x_t.  If the KRB5_AUTH_CONTEXT_RET_SEQUENCE or
-     KRB5_AUTH_CONTEXT_RET_TIME flags are set in the _a_u_t_h___c_o_n_t_e_x_t the sequence
-     number and time are returned in the _o_u_t_d_a_t_a parameter.
+     auth_context.  If the KRB5_AUTH_CONTEXT_RET_SEQUENCE or
+     KRB5_AUTH_CONTEXT_RET_TIME flags are set in the auth_context the sequence
+     number and time are returned in the outdata parameter.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_auth_con_init(3), krb5_mk_priv(3), krb5_mk_safe(3)
 
 HEIMDAL                           May 1, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_set_default_realm.cat3 b/lib/krb5/krb5_set_default_realm.cat3
index ff645cc106f0..2bf0a5b825b8 100644
--- a/lib/krb5/krb5_set_default_realm.cat3
+++ b/lib/krb5/krb5_set_default_realm.cat3
@@ -1,70 +1,69 @@
-
 KRB5_SET_DEFAULT_REAL... BSD Library Functions Manual KRB5_SET_DEFAULT_REAL...
 
-NNAAMMEE
-     kkrrbb55__ccooppyy__hhoosstt__rreeaallmm, kkrrbb55__ffrreeee__hhoosstt__rreeaallmm, kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm,
-     kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss, kkrrbb55__ggeett__hhoosstt__rreeaallmm, kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm --
+NAME
+     krb5_copy_host_realm, krb5_free_host_realm, krb5_get_default_realm,
+     krb5_get_default_realms, krb5_get_host_realm, krb5_set_default_realm --
      default and host realm read and manipulation routines
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ccooppyy__hhoosstt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_f_r_o_m,
-         _k_r_b_5___r_e_a_l_m _*_*_t_o);
+     krb5_error_code
+     krb5_copy_host_realm(krb5_context context, const krb5_realm *from,
+         krb5_realm **to);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffrreeee__hhoosstt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m_l_i_s_t);
+     krb5_error_code
+     krb5_free_host_realm(krb5_context context, krb5_realm *realmlist);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m);
+     krb5_error_code
+     krb5_get_default_realm(krb5_context context, krb5_realm *realm);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_*_r_e_a_l_m);
+     krb5_error_code
+     krb5_get_default_realms(krb5_context context, krb5_realm **realm);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__hhoosstt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_h_o_s_t,
-         _k_r_b_5___r_e_a_l_m _*_*_r_e_a_l_m_s);
+     krb5_error_code
+     krb5_get_host_realm(krb5_context context, const char *host,
+         krb5_realm **realms);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m);
+     krb5_error_code
+     krb5_set_default_realm(krb5_context context, const char *realm);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__ccooppyy__hhoosstt__rreeaallmm() copies the list of realms from _f_r_o_m to _t_o.  _t_o
-     should be freed by the caller using _k_r_b_5___f_r_e_e___h_o_s_t___r_e_a_l_m.
+DESCRIPTION
+     krb5_copy_host_realm() copies the list of realms from from to to.  to
+     should be freed by the caller using krb5_free_host_realm.
 
-     kkrrbb55__ffrreeee__hhoosstt__rreeaallmm() frees all memory allocated by _r_e_a_l_m_l_i_s_t.
+     krb5_free_host_realm() frees all memory allocated by realmlist.
 
-     kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm() returns the first default realm for this host.
-     The realm returned should be freed with kkrrbb55__xxffrreeee().
+     krb5_get_default_realm() returns the first default realm for this host.
+     The realm returned should be freed with krb5_xfree().
 
-     kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss() returns a NULL terminated list of default
-     realms for this context.  Realms returned by kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss()
-     should be freed with kkrrbb55__ffrreeee__hhoosstt__rreeaallmm().
+     krb5_get_default_realms() returns a NULL terminated list of default
+     realms for this context.  Realms returned by krb5_get_default_realms()
+     should be freed with krb5_free_host_realm().
 
-     kkrrbb55__ggeett__hhoosstt__rreeaallmm() returns a NULL terminated list of realms for _h_o_s_t
-     by looking up the information in the [domain_realm] in _k_r_b_5_._c_o_n_f or in
+     krb5_get_host_realm() returns a NULL terminated list of realms for host
+     by looking up the information in the [domain_realm] in krb5.conf or in
      DNS.  If the mapping in [domain_realm] results in the string dns_locate,
      DNS is used to lookup the realm.
 
      When using DNS to a resolve the domain for the host a.b.c,
-     kkrrbb55__ggeett__hhoosstt__rreeaallmm() looks for a TXT resource record named
+     krb5_get_host_realm() looks for a TXT resource record named
      _kerberos.a.b.c, and if not found, it strips off the first component and
      tries a again (_kerberos.b.c) until it reaches the root.
 
      If there is no configuration or DNS information found,
-     kkrrbb55__ggeett__hhoosstt__rreeaallmm() assumes it can use the domain part of the _h_o_s_t to
-     form a realm.  Caller must free _r_e_a_l_m_l_i_s_t with kkrrbb55__ffrreeee__hhoosstt__rreeaallmm().
+     krb5_get_host_realm() assumes it can use the domain part of the host to
+     form a realm.  Caller must free realmlist with krb5_free_host_realm().
 
-     kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm() sets the default realm for the _c_o_n_t_e_x_t.  If NULL
-     is used as a _r_e_a_l_m, the [libdefaults]default_realm stanza in _k_r_b_5_._c_o_n_f is
+     krb5_set_default_realm() sets the default realm for the context.  If NULL
+     is used as a realm, the [libdefaults]default_realm stanza in krb5.conf is
      used.  If there is no such stanza in the configuration file, the
-     kkrrbb55__ggeett__hhoosstt__rreeaallmm() function is used to form a default realm.
+     krb5_get_host_realm() function is used to form a default realm.
 
-SSEEEE AALLSSOO
+SEE ALSO
      free(3), krb5.conf(5)
 
 HEIMDAL                         April 24, 2005                         HEIMDAL
diff --git a/lib/krb5/krb5_set_password.cat3 b/lib/krb5/krb5_set_password.cat3
index 447c229c5cf8..f6b7f387487f 100644
--- a/lib/krb5/krb5_set_password.cat3
+++ b/lib/krb5/krb5_set_password.cat3
@@ -1,66 +1,65 @@
-
 KRB5_SET_PASSWORD(3)     BSD Library Functions Manual     KRB5_SET_PASSWORD(3)
 
-NNAAMMEE
-     kkrrbb55__cchhaannggee__ppaasssswwoorrdd, kkrrbb55__sseett__ppaasssswwoorrdd, kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee,
-     kkrrbb55__ppaasssswwdd__rreessuulltt__ttoo__ssttrriinngg -- change password functions
+NAME
+     krb5_change_password, krb5_set_password, krb5_set_password_using_ccache,
+     krb5_passwd_result_to_string -- change password functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__cchhaannggee__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
-         _c_h_a_r _*_n_e_w_p_w, _i_n_t _*_r_e_s_u_l_t___c_o_d_e, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g,
-         _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g);
+     krb5_error_code
+     krb5_change_password(krb5_context context, krb5_creds *creds,
+         char *newpw, int *result_code, krb5_data *result_code_string,
+         krb5_data *result_string);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s, _c_h_a_r _*_n_e_w_p_w,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _t_a_r_g_p_r_i_n_c, _i_n_t _*_r_e_s_u_l_t___c_o_d_e,
-         _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g);
+     krb5_error_code
+     krb5_set_password(krb5_context context, krb5_creds *creds, char *newpw,
+         krb5_principal targprinc, int *result_code,
+         krb5_data *result_code_string, krb5_data *result_string);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e,
-         _c_h_a_r _*_n_e_w_p_w, _k_r_b_5___p_r_i_n_c_i_p_a_l _t_a_r_g_p_r_i_n_c, _i_n_t _*_r_e_s_u_l_t___c_o_d_e,
-         _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g);
+     krb5_error_code
+     krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache,
+         char *newpw, krb5_principal targprinc, int *result_code,
+         krb5_data *result_code_string, krb5_data *result_string);
 
-     _c_o_n_s_t _c_h_a_r _*
-     kkrrbb55__ppaasssswwdd__rreessuulltt__ttoo__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _r_e_s_u_l_t);
+     const char *
+     krb5_passwd_result_to_string(krb5_context context, int result);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      These functions change the password for a given principal.
 
-     kkrrbb55__sseett__ppaasssswwoorrdd() and kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee() are the newer of
+     krb5_set_password() and krb5_set_password_using_ccache() are the newer of
      the three functions, and use a newer version of the protocol (and also
      fall back to the older set-password protocol if the newer protocol
      doesn't work).
 
-     kkrrbb55__cchhaannggee__ppaasssswwoorrdd() sets the password _n_e_w_p_a_s_s_w_d for the client princi-
-     pal in _c_r_e_d_s.  The server principal of creds must be kadmin/changepw.
+     krb5_change_password() sets the password newpasswd for the client princi-
+     pal in creds.  The server principal of creds must be kadmin/changepw.
 
-     kkrrbb55__sseett__ppaasssswwoorrdd() and kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee() change the pass-
-     word for the principal _t_a_r_g_p_r_i_n_c.
+     krb5_set_password() and krb5_set_password_using_ccache() change the pass-
+     word for the principal targprinc.
 
-     kkrrbb55__sseett__ppaasssswwoorrdd() requires that the credential for
-     kadmin/changepw@REALM is in _c_r_e_d_s.  If the user caller isn't an adminis-
+     krb5_set_password() requires that the credential for
+     kadmin/changepw@REALM is in creds.  If the user caller isn't an adminis-
      trator, this credential needs to be an initial credential, see
      krb5_get_init_creds(3) how to get such credentials.
 
-     kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee() will get the credential from _c_c_a_c_h_e.
+     krb5_set_password_using_ccache() will get the credential from ccache.
 
-     If _t_a_r_g_p_r_i_n_c is NULL, kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee() uses the the
-     default principal in _c_c_a_c_h_e and kkrrbb55__sseett__ppaasssswwoorrdd() uses the global the
-     default principal.
+     If targprinc is NULL, krb5_set_password_using_ccache() uses the the de-
+     fault principal in ccache and krb5_set_password() uses the global the de-
+     fault principal.
 
-     All three functions return an error in _r_e_s_u_l_t___c_o_d_e and maybe an error
-     string to print in _r_e_s_u_l_t___s_t_r_i_n_g.
+     All three functions return an error in result_code and maybe an error
+     string to print in result_string.
 
-     kkrrbb55__ppaasssswwdd__rreessuulltt__ttoo__ssttrriinngg() returns an human readable string describ-
-     ing the error code in _r_e_s_u_l_t___c_o_d_e from the kkrrbb55__sseett__ppaasssswwoorrdd() functions.
+     krb5_passwd_result_to_string() returns an human readable string describ-
+     ing the error code in result_code from the krb5_set_password() functions.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_ccache(3), krb5_init_context(3)
 
 HEIMDAL                          July 15, 2004                         HEIMDAL
diff --git a/lib/krb5/krb5_string_to_key.cat3 b/lib/krb5/krb5_string_to_key.cat3
index 3fe0b85b0671..3e3621880185 100644
--- a/lib/krb5/krb5_string_to_key.cat3
+++ b/lib/krb5/krb5_string_to_key.cat3
@@ -1,74 +1,73 @@
-
 KRB5_STRING_TO_KEY(3)    BSD Library Functions Manual    KRB5_STRING_TO_KEY(3)
 
-NNAAMMEE
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy, kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa,
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa__ssaalltt, kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa__ssaalltt__ooppaaqquuee,
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ssaalltt, kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ssaalltt__ooppaaqquuee,
-     kkrrbb55__ggeett__ppww__ssaalltt, kkrrbb55__ffrreeee__ssaalltt -- turns a string to a Kerberos key
+NAME
+     krb5_string_to_key, krb5_string_to_key_data,
+     krb5_string_to_key_data_salt, krb5_string_to_key_data_salt_opaque,
+     krb5_string_to_key_salt, krb5_string_to_key_salt_opaque,
+     krb5_get_pw_salt, krb5_free_salt -- turns a string to a Kerberos key
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y);
+     krb5_error_code
+     krb5_string_to_key(krb5_context context, krb5_enctype enctype,
+         const char *password, krb5_principal principal, krb5_keyblock *key);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _k_r_b_5___d_a_t_a _p_a_s_s_w_o_r_d, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y);
+     krb5_error_code
+     krb5_string_to_key_data(krb5_context context, krb5_enctype enctype,
+         krb5_data password, krb5_principal principal, krb5_keyblock *key);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa__ssaalltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _k_r_b_5___d_a_t_a _p_a_s_s_w_o_r_d, _k_r_b_5___s_a_l_t _s_a_l_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y);
+     krb5_error_code
+     krb5_string_to_key_data_salt(krb5_context context, krb5_enctype enctype,
+         krb5_data password, krb5_salt salt, krb5_keyblock *key);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa__ssaalltt__ooppaaqquuee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e, _k_r_b_5___d_a_t_a _p_a_s_s_w_o_r_d, _k_r_b_5___s_a_l_t _s_a_l_t,
-         _k_r_b_5___d_a_t_a _o_p_a_q_u_e, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y);
+     krb5_error_code
+     krb5_string_to_key_data_salt_opaque(krb5_context context,
+         krb5_enctype enctype, krb5_data password, krb5_salt salt,
+         krb5_data opaque, krb5_keyblock *key);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ssaalltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
-         _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___s_a_l_t _s_a_l_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y);
+     krb5_error_code
+     krb5_string_to_key_salt(krb5_context context, krb5_enctype enctype,
+         const char *password, krb5_salt salt, krb5_keyblock *key);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ssaalltt__ooppaaqquuee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
-         _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___s_a_l_t _s_a_l_t,
-         _k_r_b_5___d_a_t_a _o_p_a_q_u_e, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y);
+     krb5_error_code
+     krb5_string_to_key_salt_opaque(krb5_context context,
+         krb5_enctype enctype, const char *password, krb5_salt salt,
+         krb5_data opaque, krb5_keyblock *key);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ggeett__ppww__ssaalltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
-         _k_r_b_5___s_a_l_t _*_s_a_l_t);
+     krb5_error_code
+     krb5_get_pw_salt(krb5_context context, krb5_const_principal principal,
+         krb5_salt *salt);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffrreeee__ssaalltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___s_a_l_t _s_a_l_t);
+     krb5_error_code
+     krb5_free_salt(krb5_context context, krb5_salt salt);
 
-DDEESSCCRRIIPPTTIIOONN
+DESCRIPTION
      The string to key functions convert a string to a kerberos key.
 
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa__ssaalltt__ooppaaqquuee() is the function that does all the
+     krb5_string_to_key_data_salt_opaque() is the function that does all the
      work, the rest of the functions are just wrappers around
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa__ssaalltt__ooppaaqquuee() that calls it with default values.
+     krb5_string_to_key_data_salt_opaque() that calls it with default values.
 
-     kkrrbb55__ssttrriinngg__ttoo__kkeeyy__ddaattaa__ssaalltt__ooppaaqquuee() transforms the _p_a_s_s_w_o_r_d with the
-     given salt-string _s_a_l_t and the opaque, encryption type specific parameter
-     _o_p_a_q_u_e to a encryption key _k_e_y according to the string to key function
-     associated with _e_n_c_t_y_p_e.
+     krb5_string_to_key_data_salt_opaque() transforms the password with the
+     given salt-string salt and the opaque, encryption type specific parameter
+     opaque to a encryption key key according to the string to key function
+     associated with enctype.
 
-     The _k_e_y should be freed with kkrrbb55__ffrreeee__kkeeyybblloocckk__ccoonntteennttss().
+     The key should be freed with krb5_free_keyblock_contents().
 
      If one of the functions that doesn't take a krb5_salt as it argument
-     kkrrbb55__ggeett__ppww__ssaalltt() is used to get the salt value.
+     krb5_get_pw_salt() is used to get the salt value.
 
-     kkrrbb55__ggeett__ppww__ssaalltt() get the default password salt for a principal, use
-     kkrrbb55__ffrreeee__ssaalltt() to free the salt when done.
+     krb5_get_pw_salt() get the default password salt for a principal, use
+     krb5_free_salt() to free the salt when done.
 
-     kkrrbb55__ffrreeee__ssaalltt() frees the content of _s_a_l_t.
+     krb5_free_salt() frees the content of salt.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_data(3), krb5_keyblock(3), kerberos(8)
 
 HEIMDAL                          July 10, 2006                         HEIMDAL
diff --git a/lib/krb5/krb5_timeofday.cat3 b/lib/krb5/krb5_timeofday.cat3
index 7778956aab6c..bec02a410644 100644
--- a/lib/krb5/krb5_timeofday.cat3
+++ b/lib/krb5/krb5_timeofday.cat3
@@ -1,55 +1,54 @@
-
 KRB5_TIMEOFDAY(3)        BSD Library Functions Manual        KRB5_TIMEOFDAY(3)
 
-NNAAMMEE
-     kkrrbb55__ttiimmeeooffddaayy, kkrrbb55__sseett__rreeaall__ttiimmee, kkrrbb55__uuss__ttiimmeeooffddaayy, kkrrbb55__ffoorrmmaatt__ttiimmee,
-     kkrrbb55__ssttrriinngg__ttoo__ddeellttaatt -- Kerberos 5 time handling functions
+NAME
+     krb5_timeofday, krb5_set_real_time, krb5_us_timeofday, krb5_format_time,
+     krb5_string_to_deltat -- Kerberos 5 time handling functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
      krb5_timestamp;
 
      krb5_deltat;
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__sseett__rreeaall__ttiimmee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___t_i_m_e_s_t_a_m_p _s_e_c,
-         _i_n_t_3_2___t _u_s_e_c);
+     krb5_error_code
+     krb5_set_real_time(krb5_context context, krb5_timestamp sec,
+         int32_t usec);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ttiimmeeooffddaayy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___t_i_m_e_s_t_a_m_p _*_t_i_m_e_r_e_t);
+     krb5_error_code
+     krb5_timeofday(krb5_context context, krb5_timestamp *timeret);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__uuss__ttiimmeeooffddaayy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___t_i_m_e_s_t_a_m_p _*_s_e_c,
-         _i_n_t_3_2___t _*_u_s_e_c);
+     krb5_error_code
+     krb5_us_timeofday(krb5_context context, krb5_timestamp *sec,
+         int32_t *usec);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ffoorrmmaatt__ttiimmee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _t_i_m_e___t _t, _c_h_a_r _*_s, _s_i_z_e___t _l_e_n,
-         _k_r_b_5___b_o_o_l_e_a_n _i_n_c_l_u_d_e___t_i_m_e);
+     krb5_error_code
+     krb5_format_time(krb5_context context, time_t t, char *s, size_t len,
+         krb5_boolean include_time);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__ssttrriinngg__ttoo__ddeellttaatt(_c_o_n_s_t _c_h_a_r _*_s_t_r_i_n_g, _k_r_b_5___d_e_l_t_a_t _*_d_e_l_t_a_t);
+     krb5_error_code
+     krb5_string_to_deltat(const char *string, krb5_deltat *deltat);
 
-DDEESSCCRRIIPPTTIIOONN
-     kkrrbb55__sseett__rreeaall__ttiimmee sets the absolute time that the caller knows the KDC
+DESCRIPTION
+     krb5_set_real_time sets the absolute time that the caller knows the KDC
      has.  With this the Kerberos library can calculate the relative differ-
      ence between the KDC time and the local system time and store it in the
-     _c_o_n_t_e_x_t.  With this information the Kerberos library can adjust all time
+     context.  With this information the Kerberos library can adjust all time
      stamps in Kerberos packages.
 
-     kkrrbb55__ttiimmeeooffddaayy() returns the current time, but adjusted with the time
-     difference between the local host and the KDC.  kkrrbb55__uuss__ttiimmeeooffddaayy() also
+     krb5_timeofday() returns the current time, but adjusted with the time
+     difference between the local host and the KDC.  krb5_us_timeofday() also
      returns microseconds.
 
-     kkrrbb55__ffoorrmmaatt__ttiimmee formats the time _t into the string _s of length _l_e_n.  If
-     _i_n_c_l_u_d_e___t_i_m_e is set, the time is set include_time.
+     krb5_format_time formats the time t into the string s of length len.  If
+     include_time is set, the time is set include_time.
 
-     kkrrbb55__ssttrriinngg__ttoo__ddeellttaatt parses delta time _s_t_r_i_n_g into _d_e_l_t_a_t.
+     krb5_string_to_deltat parses delta time string into deltat.
 
-SSEEEE AALLSSOO
+SEE ALSO
      gettimeofday(2), krb5(3)
 
 HEIMDAL                       September 16, 2006                       HEIMDAL
diff --git a/lib/krb5/krb5_verify_init_creds.cat3 b/lib/krb5/krb5_verify_init_creds.cat3
index bfe8e08b32f6..05dcb76ce6e3 100644
--- a/lib/krb5/krb5_verify_init_creds.cat3
+++ b/lib/krb5/krb5_verify_init_creds.cat3
@@ -1,52 +1,51 @@
-
 KRB5_VERIFY_INIT_CRED... BSD Library Functions Manual KRB5_VERIFY_INIT_CRED...
 
-NNAAMMEE
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss__oopptt__iinniitt,
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss__oopptt__sseett__aapp__rreeqq__nnooffaaiill, kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss --
+NAME
+     krb5_verify_init_creds_opt_init,
+     krb5_verify_init_creds_opt_set_ap_req_nofail, krb5_verify_init_creds --
      verifies a credential cache is correct by using a local keytab
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
      struct krb5_verify_init_creds_opt;
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss__oopptt__iinniitt(_k_r_b_5___v_e_r_i_f_y___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t_i_o_n_s);
+     void
+     krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss__oopptt__sseett__aapp__rreeqq__nnooffaaiill(_k_r_b_5___v_e_r_i_f_y___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t_i_o_n_s,
-         _i_n_t _a_p___r_e_q___n_o_f_a_i_l);
+     void
+     krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
+         int ap_req_nofail);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
-         _k_r_b_5___p_r_i_n_c_i_p_a_l _a_p___r_e_q___s_e_r_v_e_r, _k_r_b_5___c_c_a_c_h_e _*_c_c_a_c_h_e,
-         _k_r_b_5___v_e_r_i_f_y___i_n_i_t___c_r_e_d_s___o_p_t _*_o_p_t_i_o_n_s);
+     krb5_error_code
+     krb5_verify_init_creds(krb5_context context, krb5_creds *creds,
+         krb5_principal ap_req_server, krb5_ccache *ccache,
+         krb5_verify_init_creds_opt *options);
 
-DDEESSCCRRIIPPTTIIOONN
-     The kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss function verifies the initial tickets with the
+DESCRIPTION
+     The krb5_verify_init_creds function verifies the initial tickets with the
      local keytab to make sure the response of the KDC was spoof-ed.
 
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss will use principal _a_p___r_e_q___s_e_r_v_e_r from the local
+     krb5_verify_init_creds will use principal ap_req_server from the local
      keytab, if NULL is passed in, the code will guess the local hostname and
-     use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME.  _c_r_e_d_s is the
-     credential that kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss should verify.  If _c_c_a_c_h_e is given
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss() stores all credentials it fetched from the KDC
+     use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME.  creds is the
+     credential that krb5_verify_init_creds should verify.  If ccache is given
+     krb5_verify_init_creds() stores all credentials it fetched from the KDC
      there, otherwise it will use a memory credential cache that is destroyed
      when done.
 
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss__oopptt__iinniitt() cleans the the structure, must be used
-     before trying to pass it in to kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss().
+     krb5_verify_init_creds_opt_init() cleans the the structure, must be used
+     before trying to pass it in to krb5_verify_init_creds().
 
-     kkrrbb55__vveerriiffyy__iinniitt__ccrreeddss__oopptt__sseett__aapp__rreeqq__nnooffaaiill() controls controls the
-     behavior if _a_p___r_e_q___s_e_r_v_e_r doesn't exists in the local keytab or in the
+     krb5_verify_init_creds_opt_set_ap_req_nofail() controls controls the be-
+     havior if ap_req_server doesn't exists in the local keytab or in the
      KDC's database, if it's true, the error will be ignored.  Note that this
      use is possible insecure.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)
 
 HEIMDAL                           May 1, 2006                          HEIMDAL
diff --git a/lib/krb5/krb5_verify_user.cat3 b/lib/krb5/krb5_verify_user.cat3
index 2d5747bc650f..df5d56d33427 100644
--- a/lib/krb5/krb5_verify_user.cat3
+++ b/lib/krb5/krb5_verify_user.cat3
@@ -1,109 +1,108 @@
-
 KRB5_VERIFY_USER(3)      BSD Library Functions Manual      KRB5_VERIFY_USER(3)
 
-NNAAMMEE
-     kkrrbb55__vveerriiffyy__uusseerr, kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm, kkrrbb55__vveerriiffyy__uusseerr__oopptt,
-     kkrrbb55__vveerriiffyy__oopptt__iinniitt, kkrrbb55__vveerriiffyy__oopptt__aalllloocc, kkrrbb55__vveerriiffyy__oopptt__ffrreeee,
-     kkrrbb55__vveerriiffyy__oopptt__sseett__ccccaacchhee, kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss,
-     kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee, kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree,
-     kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb -- Heimdal password verifying functions
+NAME
+     krb5_verify_user, krb5_verify_user_lrealm, krb5_verify_user_opt,
+     krb5_verify_opt_init, krb5_verify_opt_alloc, krb5_verify_opt_free,
+     krb5_verify_opt_set_ccache, krb5_verify_opt_set_flags,
+     krb5_verify_opt_set_service, krb5_verify_opt_set_secure,
+     krb5_verify_opt_set_keytab -- Heimdal password verifying functions
 
-LLIIBBRRAARRYY
+LIBRARY
      Kerberos 5 Library (libkrb5, -lkrb5)
 
-SSYYNNOOPPSSIISS
-     ##iinncclluuddee <<kkrrbb55..hh>>
+SYNOPSIS
+     #include <krb5.h>
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vveerriiffyy__uusseerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e,
-         _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e);
+     krb5_error_code
+     krb5_verify_user(krb5_context context, krb5_principal principal,
+         krb5_ccache ccache, const char *password, krb5_boolean secure,
+         const char *service);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
-         _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e,
-         _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e);
+     krb5_error_code
+     krb5_verify_user_lrealm(krb5_context context, krb5_principal principal,
+         krb5_ccache ccache, const char *password, krb5_boolean secure,
+         const char *service);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__iinniitt(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t);
+     void
+     krb5_verify_opt_init(krb5_verify_opt *opt);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__aalllloocc(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_*_o_p_t);
+     void
+     krb5_verify_opt_alloc(krb5_verify_opt **opt);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__ffrreeee(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t);
+     void
+     krb5_verify_opt_free(krb5_verify_opt *opt);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__sseett__ccccaacchhee(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e);
+     void
+     krb5_verify_opt_set_ccache(krb5_verify_opt *opt, krb5_ccache ccache);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b);
+     void
+     krb5_verify_opt_set_keytab(krb5_verify_opt *opt, krb5_keytab keytab);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e);
+     void
+     krb5_verify_opt_set_secure(krb5_verify_opt *opt, krb5_boolean secure);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e);
+     void
+     krb5_verify_opt_set_service(krb5_verify_opt *opt, const char *service);
 
-     _v_o_i_d
-     kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _u_n_s_i_g_n_e_d _i_n_t _f_l_a_g_s);
+     void
+     krb5_verify_opt_set_flags(krb5_verify_opt *opt, unsigned int flags);
 
-     _k_r_b_5___e_r_r_o_r___c_o_d_e
-     kkrrbb55__vveerriiffyy__uusseerr__oopptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
-         _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t);
+     krb5_error_code
+     krb5_verify_user_opt(krb5_context context, krb5_principal principal,
+         const char *password, krb5_verify_opt *opt);
 
-DDEESSCCRRIIPPTTIIOONN
-     The kkrrbb55__vveerriiffyy__uusseerr function verifies the password supplied by a user.
-     The principal whose password will be verified is specified in _p_r_i_n_c_i_p_a_l.
-     New tickets will be obtained as a side-effect and stored in _c_c_a_c_h_e (if
-     NULL, the default ccache is used).  kkrrbb55__vveerriiffyy__uusseerr() will call
-     kkrrbb55__cccc__iinniittiiaalliizzee() on the given _c_c_a_c_h_e, so _c_c_a_c_h_e must only initialized
-     with kkrrbb55__cccc__rreessoollvvee() or kkrrbb55__cccc__ggeenn__nneeww().  If the password is not sup-
-     plied in _p_a_s_s_w_o_r_d (and is given as NULL) the user will be prompted for
-     it.  If _s_e_c_u_r_e the ticket will be verified against the locally stored
-     service key _s_e_r_v_i_c_e (by default `host' if given as NULL ).
+DESCRIPTION
+     The krb5_verify_user function verifies the password supplied by a user.
+     The principal whose password will be verified is specified in principal.
+     New tickets will be obtained as a side-effect and stored in ccache (if
+     NULL, the default ccache is used).  krb5_verify_user() will call
+     krb5_cc_initialize() on the given ccache, so ccache must only initialized
+     with krb5_cc_resolve() or krb5_cc_gen_new().  If the password is not sup-
+     plied in password (and is given as NULL) the user will be prompted for
+     it.  If secure the ticket will be verified against the locally stored
+     service key service (by default `host' if given as NULL ).
 
-     The kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm() function does the same, except that it
-     ignores the realm in _p_r_i_n_c_i_p_a_l and tries all the local realms (see
+     The krb5_verify_user_lrealm() function does the same, except that it ig-
+     nores the realm in principal and tries all the local realms (see
      krb5.conf(5)).  After a successful return, the principal is set to the
      authenticated realm. If the call fails, the principal will not be mean-
      ingful, and should only be freed with krb5_free_principal(3).
 
-     kkrrbb55__vveerriiffyy__oopptt__aalllloocc() and kkrrbb55__vveerriiffyy__oopptt__ffrreeee() allocates and frees a
+     krb5_verify_opt_alloc() and krb5_verify_opt_free() allocates and frees a
      krb5_verify_opt.  You should use the the alloc and free function instead
      of allocation the structure yourself, this is because in a future release
      the structure wont be exported.
 
-     kkrrbb55__vveerriiffyy__oopptt__iinniitt() resets all opt to default values.
+     krb5_verify_opt_init() resets all opt to default values.
 
      None of the krb5_verify_opt_set function makes a copy of the data struc-
      ture that they are called with. It's up the caller to free them after the
-     kkrrbb55__vveerriiffyy__uusseerr__oopptt() is called.
+     krb5_verify_user_opt() is called.
 
-     kkrrbb55__vveerriiffyy__oopptt__sseett__ccccaacchhee() sets the _c_c_a_c_h_e that user of _o_p_t will use.
+     krb5_verify_opt_set_ccache() sets the ccache that user of opt will use.
      If not set, the default credential cache will be used.
 
-     kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb() sets the _k_e_y_t_a_b that user of _o_p_t will use.
+     krb5_verify_opt_set_keytab() sets the keytab that user of opt will use.
      If not set, the default keytab will be used.
 
-     kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree() if _s_e_c_u_r_e if true, the password verification
+     krb5_verify_opt_set_secure() if secure if true, the password verification
      will require that the ticket will be verified against the locally stored
      service key. If not set, default value is true.
 
-     kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee() sets the _s_e_r_v_i_c_e principal that user of _o_p_t
+     krb5_verify_opt_set_service() sets the service principal that user of opt
      will use. If not set, the `host' service will be used.
 
-     kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss() sets _f_l_a_g_s that user of _o_p_t will use.  If the
-     flag KRB5_VERIFY_LREALMS is used, the _p_r_i_n_c_i_p_a_l will be modified like
-     kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm() modifies it.
+     krb5_verify_opt_set_flags() sets flags that user of opt will use.  If the
+     flag KRB5_VERIFY_LREALMS is used, the principal will be modified like
+     krb5_verify_user_lrealm() modifies it.
 
-     kkrrbb55__vveerriiffyy__uusseerr__oopptt() function verifies the _p_a_s_s_w_o_r_d supplied by a user.
-     The principal whose password will be verified is specified in _p_r_i_n_c_i_p_a_l.
-     Options the to the verification process is pass in in _o_p_t.
+     krb5_verify_user_opt() function verifies the password supplied by a user.
+     The principal whose password will be verified is specified in principal.
+     Options the to the verification process is pass in in opt.
 
-EEXXAAMMPPLLEESS
+EXAMPLES
      Here is a example program that verifies a password. it uses the
-     `host/`hostname`' service principal in _k_r_b_5_._k_e_y_t_a_b.
+     `host/`hostname`' service principal in krb5.keytab.
 
      #include <krb5.h>
 
@@ -133,7 +132,7 @@ EEXXAAMMPPLLEESS
          return 0;
      }
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5_cc_gen_new(3), krb5_cc_initialize(3), krb5_cc_resolve(3),
      krb5_err(3), krb5_free_principal(3), krb5_init_context(3),
      krb5_kt_default(3), krb5.conf(5)
diff --git a/lib/krb5/krbhst.c b/lib/krb5/krbhst.c
index f5351288398c..36da64b0e469 100644
--- a/lib/krb5/krbhst.c
+++ b/lib/krb5/krbhst.c
@@ -106,6 +106,12 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
 	if(rr->type == rk_ns_t_srv)
 	    num_srv++;
 
+    if (num_srv == 0) {
+	_krb5_debug(context, 0,
+		    "DNS SRV RR lookup domain nodata: %s", domain);
+	return KRB5_KDC_UNREACH;
+    }
+
     *res = malloc(num_srv * sizeof(**res));
     if(*res == NULL) {
 	rk_dns_free_data(r);
diff --git a/lib/krb5/locate_plugin.h b/lib/krb5/locate_plugin.h
index 5a9c7bcb77ee..52ef0f380ee4 100644
--- a/lib/krb5/locate_plugin.h
+++ b/lib/krb5/locate_plugin.h
@@ -53,7 +53,8 @@ enum locate_service_type {
 };
 
 typedef krb5_error_code
-(*krb5plugin_service_locate_lookup) (void *, unsigned long, enum locate_service_type,
+(KRB5_CALLCONV *krb5plugin_service_locate_lookup)
+                                    (void *, unsigned long, enum locate_service_type,
 				     const char *, int, int,
 				     int (*)(void *,int,struct sockaddr *),
 				     void *);
@@ -61,7 +62,8 @@ typedef krb5_error_code
 #define KRB5_PLF_ALLOW_HOMEDIR	    1
 
 typedef krb5_error_code
-(*krb5plugin_service_locate_lookup_old) (void *, enum locate_service_type,
+(KRB5_CALLCONV *krb5plugin_service_locate_lookup_old)
+                                    (void *, enum locate_service_type,
 				     const char *, int, int,
 				     int (*)(void *,int,struct sockaddr *),
 				     void *);
@@ -69,8 +71,8 @@ typedef krb5_error_code
 
 typedef struct krb5plugin_service_locate_ftable {
     int			minor_version;
-    krb5_error_code	(*init)(krb5_context, void **);
-    void		(*fini)(void *);
+    krb5_error_code	(KRB5_CALLCONV *init)(krb5_context, void **);
+    void		(KRB5_CALLCONV *fini)(void *);
     krb5plugin_service_locate_lookup_old old_lookup;
     krb5plugin_service_locate_lookup lookup; /* version 2 */
 } krb5plugin_service_locate_ftable;
diff --git a/lib/krb5/mcache.c b/lib/krb5/mcache.c
index 474cb3a2bd2e..e45bc1b0a77f 100644
--- a/lib/krb5/mcache.c
+++ b/lib/krb5/mcache.c
@@ -248,27 +248,28 @@ mcc_destroy(krb5_context context,
 {
     krb5_mcache **n, *m = MCACHE(id);
 
+    HEIMDAL_MUTEX_lock(&mcc_mutex);
     HEIMDAL_MUTEX_lock(&(m->mutex));
     if (m->refcnt == 0)
     {
     	HEIMDAL_MUTEX_unlock(&(m->mutex));
+	HEIMDAL_MUTEX_unlock(&mcc_mutex);
     	krb5_abortx(context, "mcc_destroy: refcnt already 0");
     }
 
     if (!MISDEAD(m)) {
 	/* if this is an active mcache, remove it from the linked
            list, and free all data */
-	HEIMDAL_MUTEX_lock(&mcc_mutex);
 	for(n = &mcc_head; n && *n; n = &(*n)->next) {
 	    if(m == *n) {
 		*n = m->next;
 		break;
 	    }
 	}
-	HEIMDAL_MUTEX_unlock(&mcc_mutex);
 	mcc_destroy_internal(context, m);
     }
     HEIMDAL_MUTEX_unlock(&(m->mutex));
+    HEIMDAL_MUTEX_unlock(&mcc_mutex);
     return 0;
 }
 
diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index c26201be9cd7..240845f72e38 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -112,6 +112,56 @@ HMAC_MD5_any_checksum(krb5_context context,
 }
 
 
+static krb5_error_code pac_header_size(krb5_context context,
+				       uint32_t num_buffers,
+				       uint32_t *result)
+{
+    krb5_error_code ret;
+    uint32_t header_size;
+
+    /* Guard against integer overflow on 32-bit systems. */
+    if (num_buffers > UINT32_MAX / PAC_INFO_BUFFER_SIZE) {
+	ret = EINVAL;
+	krb5_set_error_message(context, ret, "PAC has too many buffers");
+	return ret;
+    }
+    header_size = PAC_INFO_BUFFER_SIZE * num_buffers;
+
+    /* Guard against integer overflow on 32-bit systems. */
+    if (header_size > UINT32_MAX - PACTYPE_SIZE) {
+	ret = EINVAL;
+	krb5_set_error_message(context, ret, "PAC has too many buffers");
+	return ret;
+    }
+    header_size += PACTYPE_SIZE;
+
+    *result = header_size;
+
+    return 0;
+}
+
+static krb5_error_code pac_aligned_size(krb5_context context,
+					uint32_t size,
+					uint32_t *aligned_size)
+{
+    krb5_error_code ret;
+
+    /* Guard against integer overflow on 32-bit systems. */
+    if (size > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
+	ret = EINVAL;
+	krb5_set_error_message(context, ret, "integer overrun");
+	return ret;
+    }
+    size += PAC_ALIGNMENT - 1;
+
+    /* align to PAC_ALIGNMENT */
+    size = (size / PAC_ALIGNMENT) * PAC_ALIGNMENT;
+
+    *aligned_size = size;
+
+    return 0;
+}
+
 /*
  *
  */
@@ -153,8 +203,12 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
 	goto out;
     }
 
-    p->pac = calloc(1,
-		    sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (tmp - 1)));
+    ret = pac_header_size(context, tmp, &header_end);
+    if (ret) {
+	return ret;
+    }
+
+    p->pac = calloc(1, header_end);
     if (p->pac == NULL) {
 	ret = krb5_enomem(context);
 	goto out;
@@ -163,7 +217,6 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
     p->pac->numbuffers = tmp;
     p->pac->version = tmp2;
 
-    header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
     if (header_end > len) {
 	ret = EINVAL;
 	goto out;
@@ -292,37 +345,65 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
 {
     krb5_error_code ret;
     void *ptr;
-    size_t len, offset, header_end, old_end;
+    uint32_t unaligned_len, num_buffers, len, offset, header_end, old_end;
     uint32_t i;
 
-    len = p->pac->numbuffers;
+    if (data->length > UINT32_MAX) {
+	ret = EINVAL;
+	krb5_set_error_message(context, ret, "integer overrun");
+	return ret;
+    }
+
+    num_buffers = p->pac->numbuffers;
+
+    if (num_buffers >= UINT32_MAX) {
+	ret = EINVAL;
+	krb5_set_error_message(context, ret, "integer overrun");
+	return ret;
+    }
+    ret = pac_header_size(context, num_buffers + 1, &header_end);
+    if (ret) {
+	return ret;
+    }
 
-    ptr = realloc(p->pac,
-		  sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * len));
+    ptr = realloc(p->pac, header_end);
     if (ptr == NULL)
 	return krb5_enomem(context);
 
     p->pac = ptr;
 
-    for (i = 0; i < len; i++)
+    for (i = 0; i < num_buffers; i++) {
+	if (p->pac->buffers[i].offset_lo > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
+	    ret = EINVAL;
+	    krb5_set_error_message(context, ret, "integer overrun");
+	    return ret;
+	}
+
 	p->pac->buffers[i].offset_lo += PAC_INFO_BUFFER_SIZE;
+    }
 
+    if (p->data.length > UINT32_MAX - PAC_INFO_BUFFER_SIZE) {
+	ret = EINVAL;
+	krb5_set_error_message(context, ret, "integer overrun");
+	return ret;
+    }
     offset = p->data.length + PAC_INFO_BUFFER_SIZE;
 
-    p->pac->buffers[len].type = type;
-    p->pac->buffers[len].buffersize = data->length;
-    p->pac->buffers[len].offset_lo = offset;
-    p->pac->buffers[len].offset_hi = 0;
+    p->pac->buffers[num_buffers].type = type;
+    p->pac->buffers[num_buffers].buffersize = data->length;
+    p->pac->buffers[num_buffers].offset_lo = offset;
+    p->pac->buffers[num_buffers].offset_hi = 0;
 
     old_end = p->data.length;
-    len = p->data.length + data->length + PAC_INFO_BUFFER_SIZE;
-    if (len < p->data.length) {
+    if (offset > UINT32_MAX - data->length) {
 	krb5_set_error_message(context, EINVAL, "integer overrun");
 	return EINVAL;
     }
+    unaligned_len = offset + data->length;
 
-    /* align to PAC_ALIGNMENT */
-    len = ((len + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
+    ret = pac_aligned_size(context, unaligned_len, &len);
+    if (ret)
+	return ret;
 
     ret = krb5_data_realloc(&p->data, len);
     if (ret) {
@@ -333,7 +414,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
     /*
      * make place for new PAC INFO BUFFER header
      */
-    header_end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
+    header_end -= PAC_INFO_BUFFER_SIZE;
     memmove((unsigned char *)p->data.data + header_end + PAC_INFO_BUFFER_SIZE,
 	    (unsigned char *)p->data.data + header_end ,
 	    old_end - header_end);
@@ -346,7 +427,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
     memcpy((unsigned char *)p->data.data + offset,
 	   data->data, data->length);
     memset((unsigned char *)p->data.data + offset + data->length,
-	   0, p->data.length - offset - data->length);
+ 	   0, p->data.length - unaligned_len);
 
     p->pac->numbuffers += 1;
 
@@ -375,8 +456,8 @@ krb5_pac_get_buffer(krb5_context context, krb5_pac p,
     uint32_t i;
 
     for (i = 0; i < p->pac->numbuffers; i++) {
-	const size_t len = p->pac->buffers[i].buffersize;
-	const size_t offset = p->pac->buffers[i].offset_lo;
+	const uint32_t len = p->pac->buffers[i].buffersize;
+	const uint32_t offset = p->pac->buffers[i].offset_lo;
 
 	if (p->pac->buffers[i].type != type)
 	    continue;
@@ -981,8 +1062,8 @@ _krb5_pac_sign(krb5_context context,
     size_t server_size, priv_size;
     uint32_t server_offset = 0, priv_offset = 0;
     uint32_t server_cksumtype = 0, priv_cksumtype = 0;
-    int num = 0;
-    size_t i;
+    uint32_t num = 0;
+    uint32_t i;
     krb5_data logon, d;
 
     krb5_data_zero(&logon);
@@ -1030,8 +1111,18 @@ _krb5_pac_sign(krb5_context context,
 
     if (num) {
 	void *ptr;
-
-	ptr = realloc(p->pac, sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (p->pac->numbuffers + num - 1)));
+        uint32_t len;
+
+ 	if (p->pac->numbuffers > UINT32_MAX - num) {
+ 	    ret = EINVAL;
+ 	    krb5_set_error_message(context, ret, "integer overrun");
+ 	    goto out;
+ 	}
+ 	ret = pac_header_size(context, p->pac->numbuffers + num, &len);
+ 	if (ret)
+ 	    goto out;
+ 
+ 	ptr = realloc(p->pac, len);
 	if (ptr == NULL)
 	    return krb5_enomem(context);
 
@@ -1084,7 +1175,9 @@ _krb5_pac_sign(krb5_context context,
     CHECK(ret, krb5_store_uint32(sp, p->pac->numbuffers), out);
     CHECK(ret, krb5_store_uint32(sp, p->pac->version), out);
 
-    end = PACTYPE_SIZE + (PAC_INFO_BUFFER_SIZE * p->pac->numbuffers);
+    ret = pac_header_size(context, p->pac->numbuffers, &end);
+    if (ret)
+        goto out;
 
     for (i = 0; i < p->pac->numbuffers; i++) {
 	uint32_t len;
@@ -1094,11 +1187,31 @@ _krb5_pac_sign(krb5_context context,
 	/* store data */
 
 	if (p->pac->buffers[i].type == PAC_SERVER_CHECKSUM) {
+	    if (server_size > UINT32_MAX - 4) {
+		ret = EINVAL;
+		krb5_set_error_message(context, ret, "integer overrun");
+		goto out;
+	    }
+	    if (end > UINT32_MAX - 4) {
+		ret = EINVAL;
+		krb5_set_error_message(context, ret, "integer overrun");
+		goto out;
+	    }
 	    len = server_size + 4;
 	    server_offset = end + 4;
 	    CHECK(ret, krb5_store_uint32(spdata, server_cksumtype), out);
 	    CHECK(ret, fill_zeros(context, spdata, server_size), out);
 	} else if (p->pac->buffers[i].type == PAC_PRIVSVR_CHECKSUM) {
+	    if (priv_size > UINT32_MAX - 4) {
+		ret = EINVAL;
+		krb5_set_error_message(context, ret, "integer overrun");
+		goto out;
+	    }
+	    if (end > UINT32_MAX - 4) {
+		ret = EINVAL;
+		krb5_set_error_message(context, ret, "integer overrun");
+		goto out;
+	    }
 	    len = priv_size + 4;
 	    priv_offset = end + 4;
 	    CHECK(ret, krb5_store_uint32(spdata, priv_cksumtype), out);
@@ -1129,11 +1242,20 @@ _krb5_pac_sign(krb5_context context,
 
 	/* advance data endpointer and align */
 	{
-	    int32_t e;
+	    uint32_t e;
 
+	    if (end > UINT32_MAX - len) {
+		ret = EINVAL;
+		krb5_set_error_message(context, ret, "integer overrun");
+		goto out;
+	    }
 	    end += len;
-	    e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
-	    if ((int32_t)end != e) {
+
+	    ret = pac_aligned_size(context, end, &e);
+	    if (ret)
+		goto out;
+
+	    if (end != e) {
 		CHECK(ret, fill_zeros(context, spdata, e - end), out);
 	    }
 	    end = e;
diff --git a/lib/krb5/plugin.c b/lib/krb5/plugin.c
index 03f64000f239..f4bf99953ebb 100644
--- a/lib/krb5/plugin.c
+++ b/lib/krb5/plugin.c
@@ -543,7 +543,7 @@ _krb5_plugin_run_f(krb5_context context,
     struct krb5_plugin *p;
 
     /* Get registered plugins */
-    (void) _krb5_plugin_find(context, SYMBOL, name, &registered_plugins);
+    (void) _krb5_plugin_find(context, PLUGIN_TYPE_DATA, name, &registered_plugins);
 
     HEIMDAL_MUTEX_lock(&plugin_mutex);
 
diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c
index 23c459281e5e..937a9a7d59e4 100644
--- a/lib/krb5/principal.c
+++ b/lib/krb5/principal.c
@@ -1258,19 +1258,43 @@ krb5_principal_is_anonymous(krb5_context context,
 			     krb5_const_principal p,
 			     unsigned int flags)
 {
-    int anon_realm;
+    /*
+     * Heimdal versions 7.5 and below left the name-type at KRB5_NT_PRINCIPAL
+     * even with anonymous pkinit responses.  To retain interoperability with
+     * legacy KDCs, the name-type is not checked by the client after requesting
+     * a fully anonymous ticket.
+     */
+    if (!(flags & KRB5_ANON_IGNORE_NAME_TYPE) &&
+        p->name.name_type != KRB5_NT_WELLKNOWN &&
+        p->name.name_type != KRB5_NT_UNKNOWN)
+        return FALSE;
 
-    if ((p->name.name_type != KRB5_NT_WELLKNOWN &&
-         p->name.name_type != KRB5_NT_UNKNOWN) ||
-        p->name.name_string.len != 2 ||
+    if (p->name.name_string.len != 2 ||
         strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
         strcmp(p->name.name_string.val[1], KRB5_ANON_NAME) != 0)
         return FALSE;
 
-    anon_realm = strcmp(p->realm, KRB5_ANON_REALM) == 0;
+    /*
+     * While unauthenticated clients SHOULD get "WELLKNOWN:ANONYMOUS" as their
+     * realm, Heimdal KDCs prior to 7.0 returned the requested realm.  While
+     * such tickets might lead *servers* to unwittingly grant access to fully
+     * anonymous clients, trusting that the client was authenticated to the
+     * realm in question, doing it right is the KDC's job, the client should
+     * not refuse such a ticket.
+     *
+     * If we ever do decide to enforce WELLKNOWN:ANONYMOUS for unauthenticated
+     * clients, it is essential that calls that pass KRB5_ANON_MATCH_ANY still
+     * ignore the realm, as in that case either case matches one of the two
+     * possible conditions.
+     */
+    if (flags & KRB5_ANON_MATCH_UNAUTHENTICATED)
+        return TRUE;
 
-    return ((flags & KRB5_ANON_MATCH_AUTHENTICATED) && !anon_realm) ||
-	   ((flags & KRB5_ANON_MATCH_UNAUTHENTICATED) && anon_realm);
+    /*
+     * Finally, authenticated clients that asked to be only anonymized do
+     * legitimately expect a non-anon realm.
+     */
+    return strcmp(p->realm, KRB5_ANON_REALM) != 0;
 }
 
 static int
diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index fbced144e723..3937dc5ab3ac 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -773,11 +773,10 @@ get_key_from_keytab(krb5_context context,
 			     kvno,
 			     ap_req->ticket.enc_part.etype,
 			     &entry);
-    if(ret)
-	goto out;
-    ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
-    krb5_kt_free_entry (context, &entry);
-out:
+    if(ret == 0) {
+        ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
+        krb5_kt_free_entry(context, &entry);
+    }
     if(keytab == NULL)
 	krb5_kt_close(context, real_keytab);
 
diff --git a/lib/krb5/salt-aes-sha2.c b/lib/krb5/salt-aes-sha2.c
index bfd726c34c19..bc674bd2dab7 100644
--- a/lib/krb5/salt-aes-sha2.c
+++ b/lib/krb5/salt-aes-sha2.c
@@ -92,8 +92,9 @@ AES_SHA2_string_to_key(krb5_context context,
 	goto cleanup;
     }
     memcpy(saltp.data, et->name, enctypesz);
-    memcpy((unsigned char *)saltp.data + enctypesz,
-	   salt.saltvalue.data, salt.saltvalue.length);
+    if (salt.saltvalue.length)
+        memcpy((unsigned char *)saltp.data + enctypesz,
+               salt.saltvalue.data, salt.saltvalue.length);
 
     ret = _krb5_aes_sha2_md_for_enctype(context, enctype, &md);
     if (ret)
diff --git a/lib/krb5/salt-des.c b/lib/krb5/salt-des.c
index d898d6c20574..474ba5d591d6 100644
--- a/lib/krb5/salt-des.c
+++ b/lib/krb5/salt-des.c
@@ -194,7 +194,8 @@ krb5_DES_string_to_key(krb5_context context,
     if (len > 0 && s == NULL)
 	return krb5_enomem(context);
     memcpy(s, password.data, password.length);
-    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    if (salt.saltvalue.length)
+        memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
     DES_string_to_key_int(s, len, &tmp);
     key->keytype = enctype;
     krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
diff --git a/lib/krb5/salt-des3.c b/lib/krb5/salt-des3.c
index 8cb73cf465a6..a9293ccec9c0 100644
--- a/lib/krb5/salt-des3.c
+++ b/lib/krb5/salt-des3.c
@@ -113,7 +113,8 @@ DES3_string_to_key_derived(krb5_context context,
     if (len != 0 && s == NULL)
 	return krb5_enomem(context);
     memcpy(s, password.data, password.length);
-    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    if (salt.saltvalue.length)
+        memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
     ret = krb5_string_to_key_derived(context,
 				     s,
 				     len,
diff --git a/lib/krb5/send_to_kdc.c b/lib/krb5/send_to_kdc.c
index a920db78b649..104db9e26ee3 100644
--- a/lib/krb5/send_to_kdc.c
+++ b/lib/krb5/send_to_kdc.c
@@ -1161,7 +1161,7 @@ krb5_sendto_context(krb5_context context,
 		break;
 	    }
 	    action = KRB5_SENDTO_KRBHST;
-	    /* FALLTHOUGH */
+	    /* FALLTHROUGH */
 	case KRB5_SENDTO_KRBHST:
 	    if (ctx->krbhst == NULL) {
 		ret = krb5_krbhst_init_flags(context, realm, type,
@@ -1179,7 +1179,7 @@ krb5_sendto_context(krb5_context context,
 		handle = heim_retain(ctx->krbhst);
 	    }
 	    action = KRB5_SENDTO_TIMEOUT;
-	    /* FALLTHOUGH */
+	    /* FALLTHROUGH */
 	case KRB5_SENDTO_TIMEOUT:
 
 	    /*
diff --git a/lib/krb5/send_to_kdc_plugin.h b/lib/krb5/send_to_kdc_plugin.h
index 11712b2747ac..0fa43d3aba90 100644
--- a/lib/krb5/send_to_kdc_plugin.h
+++ b/lib/krb5/send_to_kdc_plugin.h
@@ -45,14 +45,14 @@
 #define KRB5_PLUGIN_SEND_TO_KDC_VERSION KRB5_PLUGIN_SEND_TO_KDC_VERSION_2
 
 typedef krb5_error_code
-(*krb5plugin_send_to_kdc_func)(krb5_context,
+(KRB5_CALLCONV *krb5plugin_send_to_kdc_func)(krb5_context,
 			       void *,
 			       krb5_krbhst_info *,
 			       time_t timeout,
 			       const krb5_data *,
 			       krb5_data *);
 typedef krb5_error_code
-(*krb5plugin_send_to_realm_func)(krb5_context,
+(KRB5_CALLCONV *krb5plugin_send_to_realm_func)(krb5_context,
 				 void *,
 				 krb5_const_realm,
 				 time_t timeout,
@@ -62,8 +62,8 @@ typedef krb5_error_code
 
 typedef struct krb5plugin_send_to_kdc_ftable {
     int			minor_version;
-    krb5_error_code	(*init)(krb5_context, void **);
-    void		(*fini)(void *);
+    krb5_error_code	(KRB5_CALLCONV *init)(krb5_context, void **);
+    void		(KRB5_CALLCONV *fini)(void *);
     krb5plugin_send_to_kdc_func send_to_kdc;
     krb5plugin_send_to_realm_func send_to_realm; /* added in version 2 */
 } krb5plugin_send_to_kdc_ftable;
diff --git a/lib/krb5/store_emem.c b/lib/krb5/store_emem.c
index 6d95bcf525a8..985aba9d1272 100644
--- a/lib/krb5/store_emem.c
+++ b/lib/krb5/store_emem.c
@@ -70,7 +70,8 @@ emem_store(krb5_storage *sp, const void *data, size_t size)
 	s->base = base;
 	s->ptr = (unsigned char*)base + off;
     }
-    memmove(s->ptr, data, size);
+    if (size)
+        memmove(s->ptr, data, size);
     sp->seek(sp, size, SEEK_CUR);
     return size;
 }
diff --git a/lib/krb5/test_plugin.c b/lib/krb5/test_plugin.c
index ed6a9e7f1568..cfc3b6c04df1 100644
--- a/lib/krb5/test_plugin.c
+++ b/lib/krb5/test_plugin.c
@@ -34,19 +34,19 @@
 #include <krb5_locl.h>
 #include "locate_plugin.h"
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 resolve_init(krb5_context context, void **ctx)
 {
     *ctx = NULL;
     return 0;
 }
 
-static void
+static void KRB5_CALLCONV
 resolve_fini(void *ctx)
 {
 }
 
-static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 resolve_lookup(void *ctx,
 	       enum locate_service_type service,
 	       const char *realm,
diff --git a/lib/krb5/test_store.c b/lib/krb5/test_store.c
index 5fac75cd1991..6876cc1db279 100644
--- a/lib/krb5/test_store.c
+++ b/lib/krb5/test_store.c
@@ -64,7 +64,7 @@ test_int16(krb5_context context, krb5_storage *sp)
     krb5_error_code ret;
     int i;
     int16_t val[] = {
-	0, 1, -1, 32768, -32767
+	0, 1, -1, 32767, -32768
     }, v;
 
     krb5_storage_truncate(sp, 0);
diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
index 8961c394a492..ef9965060516 100644
--- a/lib/krb5/ticket.c
+++ b/lib/krb5/ticket.c
@@ -541,10 +541,22 @@ check_client_anonymous(krb5_context context,
     if (!rep->enc_part.flags.anonymous)
 	return KRB5KDC_ERR_BADOPTION;
 
+    /*
+     * Here we must validate that the AS returned a ticket of the expected type
+     * for either a fully anonymous request, or authenticated request for an
+     * anonymous ticket.  If this is a TGS request, we're done.  Then if the
+     * 'requested' principal was anonymous, we'll check the 'mapped' principal
+     * accordingly (without enforcing the name type and perhaps the realm).
+     * Finally, if the 'requested' principal was not anonymous, well check
+     * that the 'mapped' principal has an anonymous name and type, in a
+     * non-anonymous realm.  (Should we also be checking for a realm match
+     * between the request and the mapped name in this case?)
+     */
     if (is_tgs_rep)
-	flags = KRB5_ANON_MATCH_ANY;
-    else if (krb5_principal_is_anonymous(context, requested, KRB5_ANON_MATCH_ANY))
-	flags = KRB5_ANON_MATCH_UNAUTHENTICATED;
+	flags = KRB5_ANON_MATCH_ANY_NONT;
+    else if (krb5_principal_is_anonymous(context, requested,
+                                         KRB5_ANON_MATCH_ANY_NONT))
+	flags = KRB5_ANON_MATCH_UNAUTHENTICATED | KRB5_ANON_IGNORE_NAME_TYPE;
     else
 	flags = KRB5_ANON_MATCH_AUTHENTICATED;
 
@@ -566,7 +578,8 @@ check_client_mismatch(krb5_context context,
 		      krb5_keyblock const * key)
 {
     if (rep->enc_part.flags.anonymous) {
-	if (!krb5_principal_is_anonymous(context, mapped, KRB5_ANON_MATCH_ANY)) {
+	if (!krb5_principal_is_anonymous(context, mapped,
+                                         KRB5_ANON_MATCH_ANY_NONT)) {
 	    krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
 				   N_("Anonymous ticket does not contain anonymous "
 				      "principal", ""));
diff --git a/lib/krb5/transited.c b/lib/krb5/transited.c
index 35c00e65add4..8ad122afa92b 100644
--- a/lib/krb5/transited.c
+++ b/lib/krb5/transited.c
@@ -281,6 +281,7 @@ decode_realms(krb5_context context,
 	    r = make_realm(tmp);
 	    if(r == NULL){
 		free_realms(*realms);
+                *realms = NULL;
 		return krb5_enomem(context);
 	    }
 	    *realms = append_realm(*realms, r);
@@ -289,7 +290,8 @@ decode_realms(krb5_context context,
     }
     tmp = malloc(tr + i - start + 1);
     if(tmp == NULL){
-	free(*realms);
+        free_realms(*realms);
+        *realms = NULL;
 	return krb5_enomem(context);
     }
     memcpy(tmp, start, tr + i - start);
@@ -297,6 +299,7 @@ decode_realms(krb5_context context,
     r = make_realm(tmp);
     if(r == NULL){
 	free_realms(*realms);
+        *realms = NULL;
 	return krb5_enomem(context);
     }
     *realms = append_realm(*realms, r);
diff --git a/lib/krb5/verify_krb5_conf.cat8 b/lib/krb5/verify_krb5_conf.cat8
index 25143916cfc9..289f2f1cb278 100644
--- a/lib/krb5/verify_krb5_conf.cat8
+++ b/lib/krb5/verify_krb5_conf.cat8
@@ -1,32 +1,31 @@
-
 VERIFY_KRB5_CONF(8)       BSD System Manager's Manual      VERIFY_KRB5_CONF(8)
 
-NNAAMMEE
-     vveerriiffyy__kkrrbb55__ccoonnff -- checks krb5.conf for obvious errors
+NAME
+     verify_krb5_conf -- checks krb5.conf for obvious errors
 
-SSYYNNOOPPSSIISS
-     vveerriiffyy__kkrrbb55__ccoonnff _[_c_o_n_f_i_g_-_f_i_l_e_]
+SYNOPSIS
+     verify_krb5_conf [config-file]
 
-DDEESSCCRRIIPPTTIIOONN
-     vveerriiffyy__kkrrbb55__ccoonnff reads the configuration file _k_r_b_5_._c_o_n_f, or the file
+DESCRIPTION
+     verify_krb5_conf reads the configuration file krb5.conf, or the file
      given on the command line, parses it, checking verifying that the syntax
      is not correctly wrong.
 
-     If the file is syntactically correct, vveerriiffyy__kkrrbb55__ccoonnff tries to verify
+     If the file is syntactically correct, verify_krb5_conf tries to verify
      that the contents of the file is of relevant nature.
 
-EENNVVIIRROONNMMEENNTT
+ENVIRONMENT
      KRB5_CONFIG points to the configuration file to read.
 
-FFIILLEESS
+FILES
      /etc/krb5.conf  Kerberos 5 configuration file
 
-DDIIAAGGNNOOSSTTIICCSS
-     Possible output from vveerriiffyy__kkrrbb55__ccoonnff include:
+DIAGNOSTICS
+     Possible output from verify_krb5_conf include:
 
      <path>: failed to parse <something> as size/time/number/boolean
              Usually means that <something> is misspelled, or that it contains
-             weird characters. The parsing done by vveerriiffyy__kkrrbb55__ccoonnff is more
+             weird characters. The parsing done by verify_krb5_conf is more
              strict than the one performed by libkrb5, so strings that work in
              real life might be reported as bad.
 
@@ -36,18 +35,18 @@ DDIIAAGGNNOOSSTTIICCSS
 
      <path>: unknown or wrong type
              Means that <path> is either a string when it should be a list,
-             vice versa, or just that vveerriiffyy__kkrrbb55__ccoonnff is confused.
+             vice versa, or just that verify_krb5_conf is confused.
 
      <path>: unknown entry
-             Means that <string> is not known by vveerriiffyy__kkrrbb55__ccoonnff.
+             Means that <string> is not known by verify_krb5_conf.
 
-SSEEEE AALLSSOO
+SEE ALSO
      krb5.conf(5)
 
-BBUUGGSS
+BUGS
      Since each application can put almost anything in the config file, it's
-     hard to come up with a watertight verification process. Most of the
-     default settings are sanity checked, but this does not mean that every
+     hard to come up with a watertight verification process. Most of the de-
+     fault settings are sanity checked, but this does not mean that every
      problem is discovered, or that everything that is reported as a possible
      problem actually is one. This tool should thus be used with some care.