212 files changed, 21535 insertions, 6077 deletions

diff --git a/lib/gssapi/ChangeLog b/lib/gssapi/ChangeLog
index 3a0c39f8763b..5c25d699c997 100644
--- a/lib/gssapi/ChangeLog
+++ b/lib/gssapi/ChangeLog
@@ -1,18 +1,125 @@
-2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
+2008-08-14  Love Hornquist Astrand  <lha@10a140laptop.local>
+
+	* krb5/accept_sec_context.c: If there is a initiator subkey, copy
+	that to acceptor subkey to match windows behavior. From Metze.
+
+2008-08-02  Love Hörnquist Åstrand  <lha@h5l.org>
+
+	* ntlm/init_sec_context.c: Catch error
+
+	* krb5/inquire_sec_context_by_oid.c: Catch store failure.
+
+	* mech/gss_canonicalize_name.c: Not init m, return never
+	used (overwritten later).
+
+2008-07-25  Love Hörnquist Åstrand  <lha@kth.se>
+
+	* ntlm/init_sec_context.c: Use krb5_cc_get_config.
+
+2008-07-25  Love Hörnquist Åstrand  <lha@kth.se>
+
+	* krb5/init_sec_context.c: Match the orignal patch I got from
+	metze, seems that DCE-STYLE is even more weirer then what I though
+	when I merged the patch.
+
+2008-06-02  Love Hörnquist Åstrand  <lha@kth.se>
+
+	* krb5/init_sec_context.c: Don't add asn1 wrapping to token when
+	using DCE_STYLE.  Patch from Stefan Metzmacher.
+
+2008-05-27  Love Hörnquist Åstrand  <lha@kth.se>
+	
+	* ntlm/init_sec_context.c: use krb5_get_error_message
+
+2008-05-05  Love Hörnquist Åstrand  <lha@kth.se>
+	
+	* spnego/spnego_locl.h: Add back "mech/utils.h", its needed for
+	oid/buffer functions.
+
+2008-05-02  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* spnego: Changes from doug barton to make spnego indepedant of
+	the heimdal version of the plugin system.
+
+2008-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5: use DES_set_key_unchecked()
+
+2008-04-17  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* add __declspec() for windows.
+
+2008-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/import_sec_context.c: Use tmp to read ac->flags value to
+	avoid warning.
+
+2008-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* mech/gss_mech_switch.c: Use unsigned where appropriate.
+
+2008-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_context.c: Add test for gsskrb5_register_acceptor_identity.
+
+2008-03-09  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* krb5/init_sec_context.c (init_auth): use right variable to
+	detect if we want to free or not.
+
+2008-02-26  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: add missing \
+
+	* Makefile.am: reshuffle depenencies
+
+	* Add flag to krb5 to not add GSS-API INT|CONF to the negotiation
+
+2008-02-21  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* make the SPNEGO mech store the error itself instead, works for
+	everything except other stackable mechs
+
+2008-02-18  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* spnego/init_sec_context.c (spnego_reply): if the reply token was
+	of length 0, make it the same as no token. Pointed out by Zeqing
+	Xia.
+
+	* krb5/acquire_cred.c (acquire_initiator_cred): handle the
+	credential cache better, use destroy/close when appriate and for
+	all cases. Thanks to Michael Allen for point out the memory-leak
+	that I also fixed.
+
+2008-02-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* spnego/accept_sec_context.c: Make error reporting somewhat more
+	correct for SPNEGO.
+
+2008-01-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* test_common.c: Improve the error message.
+
+2008-01-24  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* ntlm/accept_sec_context.c: Avoid free-ing type1 message before
+	its allocated.
+	
+2008-01-13  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_ntlm.c: Test source name (and make the acceptor in ntlm gss
 	mech useful).
 
-2007-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-12-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/init_sec_context.c: Don't confuse target name and source
 	name, make regressiont tests pass again.
 	
-2007-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-12-29  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* ntlm: clean up name handling
 
-2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/init_sec_context.c: Use credential if it was passed in.
 
@@ -30,26 +137,26 @@
 	* mech/gss_release_oid_set.c: Avoid trying to deref NULL, from
 	Phil Fisher.
 
-2007-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-12-03  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* test_acquire_cred.c: Always try to fetch cred (even with
 	GSS_C_NO_NAME).
 
-2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-08-09  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/gss_krb5.c: Readd gss_krb5_get_tkt_flags.
 
-2007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-08-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* spnego/compat.c (_gss_spnego_internal_delete_sec_context):
 	release ctx->target_name too From Rafal Malinowski.
 
-2007-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-07-26  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/gss_mech_switch.c: Don't try to do dlopen if system doesn't
 	have dlopen. From Rune of Chalmers.
 
-2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-07-10  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/gss_duplicate_name.c: New signature of _gss_find_mn.
 
@@ -73,7 +180,7 @@
 
 	* Makefile.am: New library version.
 
-2007-07-04  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-07-04  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/gss_oid_to_str.c: Refuse to print GSS_C_NULL_OID, from
 	Rafal Malinowski.
@@ -81,7 +188,7 @@
 	* spnego/spnego.asn1: Indent and make NegTokenInit and
 	NegTokenResp extendable.
 
-2007-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/inquire_cred.c: Implement _gss_ntlm_inquire_cred.
 
@@ -90,7 +197,7 @@
 	* mech/context.c: If the canned string is "", its no use to the
 	user, make it fall back to the default error string.
 	
-2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-20  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/gss_display_name.c (gss_display_name): no name ->
 	fail. From Rafal Malinswski.
@@ -124,7 +231,7 @@
 	Rafal Malinowski, also while here moved to use NegotiationToken
 	for decoding.
 
-2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/prf.c (_gsskrb5_pseudo_random): add missing break.
 
@@ -142,14 +249,14 @@
 
 	* mech/gss_krb5.c: Free memory in error case, found by beam.
 
-2007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/inquire_context.c: Use ctx->gssflags for flags.
 
 	* krb5/display_name.c: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY, this is
 	not ment for machine consumption.
 
-2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-09  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/digest.c (kdc_alloc): free memory on failure, pointed out
 	by Rafal Malinowski.
@@ -160,11 +267,11 @@
 	* spnego/context_stubs.c (_gss_spnego_display_name): if input_name
 	is null, fail.  From Rafal Malinowski.
 	
-2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-04  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* ntlm/digest.c: Free memory when done.
 	
-2007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-06-02  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_ntlm.c: Test both with and without keyex.
 
@@ -173,7 +280,7 @@
 
 	* test_ntlm.c: Set keyex flag and calculate session key.
 	
-2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-31  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* spnego/accept_sec_context.c: Use the return value before is
 	overwritten by later calls.  From Rafal Malinowski
@@ -181,14 +288,14 @@
 	* krb5/release_cred.c: Give an minor_status argument to
 	gss_release_oid_set.  From Rafal Malinowski
 	
-2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/accept_sec_context.c: Catch errors and return the up the
 	stack.
 
 	* test_kcred.c: more testing of lifetimes
 	
-2007-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: Drop the gss oid_set function for the krb5 mech,
 	use the mech glue versions instead. Pointed out by Rafal
@@ -196,22 +303,22 @@
 
 	* krb5: Use gss oid_set functions from mechglue
 
-2007-05-14  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-14  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/accept_sec_context.c: Set session key only if we are
 	returned a session key. Found by David Love.
 	
-2007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* krb5/prf.c: switched MIN to min to make compile on solaris,
 	pointed out by David Love.
 	
-2007-05-09 Love Hörnquist Åstrand <lha@it.su.se>
+2007-05-09 Love Hörnquist Åstrand <lha@it.su.se>
 
 	* krb5/inquire_cred_by_mech.c: Fill in all of the variables if
 	they are passed in. Pointed out by Phil Fisher.
 	
-2007-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/inquire_cred.c: Fix copy and paste error, bug spotted by
 	from Phil Fisher.
@@ -232,7 +339,7 @@
 
 	* krb5/inquire_cred_by_mech.c: reimplement
 	
-2007-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-05-07  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* ntlm/acquire_cred.c: drop unused variable.
 
@@ -242,19 +349,19 @@
 
 	* ntlm: split out backend ntlm server processing
 
-2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/delete_sec_context.c (_gss_ntlm_delete_sec_context): free
 	credcache when done
 	
-2007-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/init_sec_context.c: ntlm-key credential entry is prefix with @
 	
 	* ntlm/init_sec_context.c (get_user_ccache): pick up the ntlm
 	creds from the krb5 credential cache.
 	
-2007-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/delete_sec_context.c: free the key stored in the context
 
@@ -262,14 +369,14 @@
 
 	* test_oid.c: Switch oid to one that is exported.
 	
-2007-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-20  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/init_sec_context.c: move where hash is calculated to make
 	it easier to add ccache support.
 
 	* Makefile.am: Add version-script.map to EXTRA_DIST.
 	
-2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: Unconfuse newer versions of automake that doesn't
 	know the diffrence between depenences and setting variables. foo:
@@ -283,7 +390,7 @@
 	
 	* version-script.map: add version script if ld supports it
 	
-2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-18  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* Makefile.am: test_acquire_cred need test_common.[ch]
 
@@ -298,7 +405,7 @@
 
 	* mech/gss_krb5.c: reimplement gss_krb5_ccache_name
 	
-2007-04-17  Love Hörnquist Åstrand <lha@it.su.se>
+2007-04-17  Love Hörnquist Åstrand <lha@it.su.se>
 	
 	* spnego/cred_stubs.c: Need to import spnego name before we can
 	use it as a gss_name_t.
@@ -309,27 +416,27 @@
 	* mech/gss_acquire_cred.c (gss_acquire_cred): dont init
 	cred->gc_mc every time in the loop.
 	
-2007-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-04-15  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: add test_common.h
 	
-2007-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-02-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: Add link for
 	gsskrb5_register_acceptor_identity.
 
-2007-02-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-02-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/copy_ccache.c: Try to leak less memory in the failure case.
 	
-2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-31  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gss_display_status.c: Use right printf formater.
 
 	* test_*.[ch]: split out the error printing function and try to
 	return better errors
 
-2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/init_sec_context.c: revert 1.75: (init_auth): only turn on
 	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
@@ -337,7 +444,7 @@
 	This is because Kerberos always support INT|CONF, matches behavior
 	with MS and MIT. The creates problems for the GSS-SPNEGO mech.
 	
-2007-01-24  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-24  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* krb5/prf.c: constrain desired_output_len
 
@@ -364,7 +471,7 @@
 
 	* gssapi_mech.h: Add hook for gm_pseudo_random.
 	
-2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-17  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* test_context.c: Don't assume bufer from gss_display_status is
 	ok.
@@ -443,7 +550,7 @@
 	* mech/mech_locl.h (_mg_buffer_zero): new macro that zaps a
 	gss_buffer_t
 
-2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech: sprinkel _gss_mg_error
 
@@ -463,17 +570,17 @@
 
 	* gss.c: Detect NTLM.
 	
-2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-11  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gss_accept_sec_context.c: spelling
 	
-2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
+2007-01-04  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* Makefile.am: Include build (private) prototypes header files.
 
 	* Makefile.am (ntlmsrc): add ntlm/ntlm-private.h
 	
-2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-28  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* ntlm/accept_sec_context.c: Pass signseal argument to
 	_gss_ntlm_set_key.
@@ -495,7 +602,7 @@
 
 	* ntlm/crypto.c: NTLMv2 sign and verify.
 	
-2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-20  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/accept_sec_context.c: Don't send targetinfo now.
 	
@@ -508,7 +615,7 @@
 	* ntlm/init_sec_context.c: Add NTLM_NEG_NTLM2_SESSION, NTLMv2
 	session security (disable because missing sign and seal).
 	
-2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-19  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* ntlm/accept_sec_context.c: split RC4 send and recv keystreams
 
@@ -540,7 +647,7 @@
 	on the opportunistic token instead of guessing the acceptor name
 	and do gss_acquire_cred, this make SPNEGO work like before.
 	
-2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-18  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* ntlm/init_sec_context.c: Calculate the NTLM version 1 "master"
 	key.
@@ -592,11 +699,11 @@
 	that there are no credentials for) split NegTokenInit and
 	NegTokenResp in acceptor
 
-2006-12-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/import_name.c: Allocate the buffer from the right length.
 	
-2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-15  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* ntlm/init_sec_context.c (init_sec_context): Tell the other side
 	what domain we think we are talking to.
@@ -633,33 +740,33 @@
 
 	* ntlm/accept_sec_context.c: Check after a credential to use.
 	
-2006-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-14  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* krb5/set_sec_context_option.c (GSS_KRB5_SET_DEFAULT_REALM_X):
 	don't fail on success.  Bug report from Stefan Metzmacher.
 	
-2006-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-13  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* krb5/init_sec_context.c (init_auth): only turn on
 	GSS_C_CONF_FLAG and GSS_C_INT_FLAG if the caller requseted it.
 	From Stefan Metzmacher.
 	
-2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-12-11  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* Makefile.am (libgssapi_la_OBJECTS): depends on gssapi_asn1.h
 	spnego_asn1.h.
 
-2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-20  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/acquire_cred.c: Make krb5_get_init_creds_opt_free take a
 	context argument.
 	
-2006-11-16  Love Hörnquist Åstrand <lha@it.su.se>
+2006-11-16  Love Hörnquist Åstrand <lha@it.su.se>
 	
 	* test_context.c: Test that token keys are the same, return
 	actual_mech.
 	
-2006-11-15  Love Hörnquist Åstrand <lha@it.su.se>
+2006-11-15  Love Hörnquist Åstrand <lha@it.su.se>
 
 	* spnego/spnego_locl.h: Make bitfields unsigned, add maybe_open.
 
@@ -689,14 +796,14 @@
 	supported mechs list and make sure we don't select that for the
 	preferred mechamism.
 	
-2006-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gss_init_sec_context.c (_gss_mech_cred_find): break out the
 	cred finding to its own function
 
 	* krb5/wrap.c: Better error strings, from Andrew Bartlet.
 	
-2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-13  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* test_context.c: Create our own krb5_context.
 
@@ -708,13 +815,13 @@
 	* mech/gss_set_cred_option.c: When calling ->gm_set_cred_option
 	and checking for success, use GSS_S_COMPLETE. From Andrew Bartlet.
 	
-2006-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: Help solaris make even more.
 
 	* Makefile.am: Help solaris make.
 	
-2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* Makefile.am: remove include $(srcdir)/Makefile-digest.am for now
 
@@ -738,7 +845,7 @@
 
 	* krb5/gkrb5_err.et: Move the GSS_KRB5_S error here.
 	
-2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-08  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gss_krb5.c: Add gsskrb5_set_default_realm.
 
@@ -749,7 +856,7 @@
 
 	* krb5/external.c: add GSS_KRB5_SET_DEFAULT_REALM_X
 	
-2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-07  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* test_context.c: rename krb5_[gs]et_time_wrap to
 	krb5_[gs]et_max_time_skew
@@ -784,12 +891,12 @@
 	* krb5/inquire_sec_context_by_oid.c: check if there is any key at
 	all
 	
-2006-11-06  Love Hörnquist Åstrand <lha@it.su.se>
+2006-11-06  Love Hörnquist Åstrand <lha@it.su.se>
 	
 	* krb5/inquire_sec_context_by_oid.c: Set more error strings, use
 	right enum for acceptor subkey.  From Andrew Bartlett.
 	
-2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-04  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_context.c: Test gsskrb5_extract_service_keyblock, needed in
 	PAC valication.  From Andrew Bartlett
@@ -802,7 +909,7 @@
 
 	* krb5/external.c: Add GSS_KRB5_GET_SERVICE_KEYBLOCK_X
 	
-2006-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-11-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_context.c: Rename various routines and constants from
 	canonize to canonicalize.  From Andrew Bartlett
@@ -819,12 +926,12 @@
 	* gssapi/gssapi_krb5.h: Rename various routines and constants from
 	canonize to canonicalize.  From Andrew Bartlett
 	
-2006-10-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/accept_sec_context.c (gsskrb5_accept_delegated_token): need
 	to free ccache
 	
-2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-24  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* test_context.c (loop): free target_name
 
@@ -843,7 +950,7 @@
 
 	* krb5/set_cred_option.c (import_cred): free sp
 	
-2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/gss_add_oid_set_member.c: Use old implementation of
 	gss_add_oid_set_member, it leaks less memory.
@@ -855,7 +962,7 @@
 	* mech/gss_release_name.c (gss_release_name): free input_name
 	it-self.
 	
-2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_context.c: Call setprogname.
 
@@ -864,7 +971,7 @@
 	* gssapi/gssapi_krb5.h: add
 	gsskrb5_extract_authtime_from_sec_context
 	
-2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-20  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* krb5/inquire_sec_context_by_oid.c: Add get_authtime.
 
@@ -883,7 +990,7 @@
 
 	* Makefile.am: more files
 	
-2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-19  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* Makefile.am: remove spnego/gssapi_spnego.h, its now in gssapi/
 
@@ -894,7 +1001,7 @@
 	* gssapi/gssapi.h: Rename GSS_DIGEST_MECHANISM to
 	GSS_SASL_DIGEST_MD5_MECHANISM
 	
-2006-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-18  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gssapi.asn1: Make it into a heim_any_set, its doesn't
 	except a tag.
@@ -911,7 +1018,7 @@
 	* krb5/external.c: add GSS_KRB5_GET_INITIATOR_SUBKEY_X,
 	GSS_KRB5_GET_SUBKEY_X
 	
-2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-17  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* test_context.c: Support switching on name type oid's
 
@@ -932,7 +1039,7 @@
 
 	* mech/gss_krb5.c: add bits to make lucid context work
 	
-2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-14  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gss_oid_to_str.c: Prefix der primitives with der_.
 
@@ -943,7 +1050,7 @@
 
 	* mech/gss_oid_to_str.c: New der_print_heim_oid signature.
 	
-2006-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: add test_context
 
@@ -964,11 +1071,11 @@
 
 	* spnego/spnego_locl.h: Maybe include <netdb.h>.
 	
-2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-09  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gss_mech_switch.c: define RTLD_LOCAL to 0 if not defined.
 	
-2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: install gssapi_krb5.H and gssapi_spnego.h
 
@@ -982,7 +1089,7 @@
 
 	* krb5: reference all include files using 'krb5/'
 
-2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: Add file inclusion protection.
 
@@ -997,14 +1104,14 @@
 
 	* Makefile.am: split build files into dist_ and noinst_ SOURCES
 	
-2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss.c: #if 0 out unused code.
 
 	* mech/gss_mech_switch.c: Cast argument to ctype(3) functions
 	to (unsigned char).
 	
-2006-10-05  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/name.h: remove <sys/queue.h>
 
@@ -1012,7 +1119,7 @@
 	
 	* mech/cred.h: remove <sys/queue.h>
 
-2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-02  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/arcfour.c: Thinker more with header lengths.
 
@@ -1030,14 +1137,14 @@
 	* spnego/context_stubs.c: Make internal function static (and
 	rename).
 	
-2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-10-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/inquire_cred.c: Fix "if (x) lock(y)" bug. From Harald
 	Barth.
 
 	* spnego/spnego_locl.h: Include <sys/param.h> for MAXHOSTNAMELEN.
 	
-2006-09-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-09-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/arcfour.c: Add wrap support, interrop with itself but not
 	w2k3s-sp1
@@ -1055,7 +1162,7 @@
 	protocol. It should be possible to detach the Kerberos DCE-style
 	since it starts with a AP-REQ PDU, but that have to wait for now.
 	
-2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: Add GSS_C flags from
 	draft-brezak-win2k-krb-rc4-hmac-04.txt.
@@ -1072,18 +1179,18 @@
 	initiator part from the samba patch by Stefan Metzmacher and
 	Andrew Bartlet (still missing DCE/RPC support)
 
-2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss.c (help): use sl_slc_help().
 	
-2006-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss-commands.in: rename command to supported-mechanisms
 
 	* Makefile.am: Make gss objects depend on the slc built
 	gss-commands.h
 	
-2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* gss-commands.in: add slc commands for gss
 
@@ -1116,7 +1223,7 @@
 
 	* mech/name.h: no need to mark _gss_find_mn extern.
 	
-2006-07-19  Love Hörnquist Åstrand <lha@it.su.se>
+2006-07-19  Love Hörnquist Åstrand <lha@it.su.se>
 	
 	* krb5/cfx.c: Redo the wrap length calculations.
 
@@ -1124,7 +1231,7 @@
 
 	* mech/gss_display_status.c: Handle more error codes.
 	
-2006-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-07-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/mech_locl.h: Include <krb5-types.h> and "mechqueue.h"
 
@@ -1146,7 +1253,7 @@
 	convert the name to a MN, fail with GSS_S_BAD_NAME rather then a
 	NULL de-reference.
 	
-2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-07-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* spnego/external.c: readd gss_spnego_inquire_names_for_mech
 
@@ -1171,7 +1278,7 @@
 	desired_mechs, get our own list with indicate_mechs and remove
 	ourself.
 	
-2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
+2006-07-05 Love Hörnquist Åstrand <lha@it.su.se>
 
 	* spnego/external.c: remove gss_spnego_inquire_names_for_mech, let
 	the mechglue layer implement it
@@ -1182,11 +1289,11 @@
 	* spnego/spnego_locl.c: remove gss_spnego_inquire_names_for_mech, let
 	the mechglue layer implement it
 
-2006-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-07-01  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* mech/gss_set_cred_option.c: fix argument to gss_release_cred
 	
-2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-06-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* krb5/init_sec_context.c: Make work on compilers that are
 	somewhat more picky then gcc4 (like gcc2.95)
@@ -1232,7 +1339,7 @@
 	preferred_mech_type and negotiated_mech_type, they where never
 	allocated from the begining.
 	
-2006-06-29  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-06-29  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* mech/gss_import_name.c (gss_import_name): avoid
 	type-punned/strict aliasing rules
@@ -1254,7 +1361,7 @@
 	* mech/gss_acquire_cred.c (gss_acquire_cred): if desired_mechs is
 	NO_OID_SET, there is a need to load the mechs, so always do that.
 	
-2006-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-06-28  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* krb5/inquire_cred_by_oid.c: Reimplement GSS_KRB5_COPY_CCACHE_X
 	to instead pass a fullname to the credential, then resolve and
@@ -1295,7 +1402,7 @@
 	
 	* spnego: Import Luke Howard's SPNEGO from the mechglue branch
 
-2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-06-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: Add oid_to_str.
 
@@ -1305,7 +1412,7 @@
 
 	* test_oid.c: Add test for gss_oid_to_str()
 	
-2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-05-13  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* verify_mic.c: Less pointer signedness warnings.
 
@@ -1331,21 +1438,21 @@
 
 	* import_sec_context.c: Less pointer signedness warnings.
 
-2006-05-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-05-09  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* accept_sec_context.c (gsskrb5_is_cfx): always set is_cfx. From
 	Andrew Abartlet.
 	
-2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-05-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* get_mic.c (mic_des3): make sure message_buffer doesn't point to
 	free()ed memory on failure. Pointed out by IBM checker.
 	
-2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-05-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Rename u_intXX_t to uintXX_t
 	
-2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
+2006-05-04 Love Hörnquist Åstrand <lha@it.su.se>
 
 	* cfx.c: Less pointer signedness warnings.
 
@@ -1355,7 +1462,7 @@
 	
 	* 8003.c (gssapi_decode_*): make data argument const void *
 	
-2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-04-12  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* export_sec_context.c: Export sequence order element. From Wynn
 	Wilkes <wynn.wilkes@quest.com>.
@@ -1369,12 +1476,12 @@
 
 	* test_sequence.c: Add test for import/export sequence.
 	
-2006-04-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-04-09  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* add_cred.c: Check that cred != GSS_C_NO_CREDENTIAL, this is a
 	standard conformance failure, but much better then a crash.
 	
-2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* get_mic.c (get_mic*)_: make sure message_token is cleaned on
 	error, found by IBM checker.
@@ -1382,22 +1489,22 @@
 	* wrap.c (wrap*): Reset output_buffer on error, found by IBM
 	checker.
 	
-2006-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-02-15  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* import_name.c: Accept both GSS_C_NT_HOSTBASED_SERVICE and
 	GSS_C_NT_HOSTBASED_SERVICE_X as nametype for hostbased names.
 	
-2006-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2006-01-16  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* delete_sec_context.c (gss_delete_sec_context): if the context
 	handle is GSS_C_NO_CONTEXT, don't fall over.
 
-2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: Replace gss_krb5_import_ccache with
 	gss_krb5_import_cred and add more references
 	
-2005-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: Change gss_krb5_import_ccache to gss_krb5_import_cred,
 	it can handle keytabs too.
@@ -1407,7 +1514,7 @@
 	* context_time.c (gssapi_lifetime_left): define the 0 lifetime as
 	GSS_C_INDEFINITE.
 	
-2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* acquire_cred.c (acquire_acceptor_cred): only check if principal
 	exists if we got called with principal as an argument.
@@ -1415,12 +1522,12 @@
 	* acquire_cred.c (acquire_acceptor_cred): check that the acceptor
 	exists in the keytab before returning ok.
 	
-2005-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-11-29  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* copy_ccache.c (gss_krb5_import_cred): fix buglet, from Andrew
 	Bartlett.
 	
-2005-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-11-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_kcred.c: Rename gss_krb5_import_ccache to
 	gss_krb5_import_cred.
@@ -1428,7 +1535,7 @@
 	* copy_ccache.c: Rename gss_krb5_import_ccache to
 	gss_krb5_import_cred and let it grow code to handle keytabs too.
 	
-2005-11-02  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-11-02  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c: Change sematics of ok-as-delegate to match
 	windows if
@@ -1445,11 +1552,11 @@
 	* accept_sec_context.c (gsskrb5_accept_delegated_token): rewrite
 	to use gss_krb5_import_ccache
 	
-2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-11-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* arcfour.c: Remove signedness warnings.
 	
-2005-10-31  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-10-31  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: Document that gss_krb5_import_ccache is copy
 	by reference.
@@ -1462,7 +1569,7 @@
 	
 	* test_kcred.c: Remove memory leaks.
 	
-2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-10-26  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* Makefile.am: build test_kcred
 	
@@ -1484,13 +1591,13 @@
 
 	* test_kcred.c: test gss_krb5_import_ccache
 	
-2005-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-10-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* acquire_cred.c (acquire_initiator_cred): use krb5_cc_cache_match
 	to find a matching creditial cache, if that failes, fallback to
 	the default cache.
 	
-2005-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-10-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi_locl.h: Add gssapi_krb5_set_status and
 	gssapi_krb5_clear_status
@@ -1501,17 +1608,17 @@
 	* display_status.c: Add gssapi_krb5_clear_status,
 	gssapi_krb5_set_status for handling error messages.
 	
-2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-08-23  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* external.c: Use rk_UNCONST to avoid const warning.
 	
 	* display_status.c: Constify strings to avoid warnings.
 	
-2005-08-11 Love Hörnquist Åstrand  <lha@it.su.se>
+2005-08-11 Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c: avoid warnings, update (c)
 
-2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-07-13  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c (spnego_initial): use NegotiationToken
 	encoder now that we have one with the new asn1. compiler.
@@ -1519,7 +1626,7 @@
 	* Makefile.am: the new asn.1 compiler includes the modules name in
 	the depend file
 
-2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-06-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* decapsulate.c: use rk_UNCONST
 
@@ -1531,7 +1638,7 @@
 	
 	* test_cred.c: rename optind to optidx
 
-2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c (init_auth): honor ok-as-delegate if local
 	configuration approves
@@ -1540,7 +1647,7 @@
 
 	* compat.c: export check_compat as _gss_check_compat
 
-2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
 	problems with system headerfiles that pollute the name space.
@@ -1548,13 +1655,13 @@
 	* accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
 	problems with system headerfiles that pollute the name space.
 
-2005-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c (init_auth): set
 	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility),
 	also while here, use krb5_auth_con_addflags
 
-2005-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap
 	length. From: Tom Maher <tmaher@eecs.berkeley.edu>
@@ -1563,12 +1670,12 @@
 
 	* test_cred.c (main): Call setprogname.
 
-2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* prefix all sequence symbols with _, they are not part of the
 	GSS-API api. By comment from Wynn Wilkes <wynnw@vintela.com>
 
-2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* accept_sec_context.c: break out the processing of the delegated
 	credential to a separate function to make error handling easier,
@@ -1578,26 +1685,26 @@
 
 	* Makefile.am: add test_sequence to TESTS
 
-2005-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-04-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum
 	isn't NULL From: Nicolas Pouvesle <npouvesle@tenablesecurity.com>
 
-2005-03-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-03-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: use $(LIB_roken)
 
-2005-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* display_status.c (gssapi_krb5_set_error_string): pass in the
 	krb5_context to krb5_free_error_string
 	
-2005-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* display_status.c (gssapi_krb5_set_error_string): don't misuse
 	the krb5_get_error_string api
 
-2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>
+2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* compat.c (_gss_DES3_get_mic_compat): don't unlock mutex
 	here. Bug reported by Stefan Metzmacher <metze@samba.org>
@@ -1643,33 +1750,33 @@
 	* wrap.c: use gss_krb5_get_subkey(),
 	  support KEYTYPE_ARCFOUR_56
 
-2004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and
 	gss_release_cred to avoid deadlock, from Luke Howard
 	<lukeh@padl.com>.
 
-2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context
 	was renamed to gsskrb5_extract_authz_data_from_sec_context
 	
-2004-08-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-08-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
 	
 	* arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
 	
-2004-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while
 	here, write some text about the SPNEGO situation
 	
-2004-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-04-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/
 	
-2004-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-04-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke
 	Howard <lukeh@padl.com>
@@ -1688,7 +1795,7 @@
 	* compat.c: add _gss_spnego_require_mechlist_mic for compatibility
 	with MS SPNEGO, From: Luke Howard <lukeh@padl.com>
 	
-2004-04-05  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-04-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is
 	an enctype, not keytype
@@ -1700,7 +1807,7 @@
 
 	* init_sec_context.c (spnego_initial): handle mech_token better
 	
-2004-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: add gss_krb5_get_tkt_flags
 	
@@ -1711,7 +1818,7 @@
 	
 	* gss_acquire_cred.3: document gss_krb5_get_tkt_flags
 	
-2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* acquire_cred.c (gss_acquire_cred): check usage before even
 	bothering to process it, add both keytab and initial tgt if
@@ -1744,7 +1851,7 @@
 
 	* test_acquire_cred.c: fix comment
 	
-2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* arcfour.h: drop structures for message formats, no longer used
 	
@@ -1762,7 +1869,7 @@
 	
 	* Makefile.am: spnego_files += asn1_NegotiationToken.x
 	
-2004-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2004-01-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: add gss_krb5_ccache_name
 	
@@ -1776,51 +1883,51 @@
 	
 	* gss_acquire_cred.3: document gss_krb5_ccache_name
 	
-2003-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-12-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: make rrc a modulus operation if its longer then the
 	length of the message, noticed by Sam Hartman
 
-2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* accept_sec_context.c: use krb5_auth_con_addflags
 	
-2003-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-12-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: Wrap token id was in wrong order, found by Sam Hartman
 	
-2003-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-12-04  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: add AcceptorSubkey (but no code understand it yet) ignore
 	unknown token flags
 	
-2003-11-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-11-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* accept_sec_context.c: Don't require timestamp to be set on
 	delegated token, its already protected by the outer token (and
 	windows doesn't alway send it) Pointed out by Zi-Bin Yang
 	<zbyang@decru.com> on heimdal-discuss
 
-2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: fix {} error, pointed out by Liqiang Zhu
 	
-2003-11-10  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-11-10  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: Sequence number should be stored in bigendian order From:
 	Luke Howard <lukeh@padl.com>
 	
-2003-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-11-09  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* delete_sec_context.c (gss_delete_sec_context): don't free
 	ticket, krb5_free_ticket does that now
 
-2003-11-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-11-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: checksum the header last in MIC token, update to -03
 	From: Luke Howard <lukeh@padl.com>
 	
-2003-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* add_cred.c: If its a MEMORY cc, make a copy. We need to do this
 	since now gss_release_cred will destroy the cred. This should be
@@ -1833,12 +1940,12 @@
 	* acquire_cred.c (acquire_initiator_cred): use kret instead of ret
 	where appropriate
 
-2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: spelling
 	From: jmc <jmc@prioris.mini.pw.edu.pl>
 	
-2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: - EC and RRC are big-endian, not little-endian - The
 	default is now to rotate regardless of GSS_C_DCE_STYLE. There are
@@ -1846,7 +1953,7 @@
 	avoids allocating memory on the heap if rrc <= 256
 	From: Luke Howard <lukeh@padl.com>
 	
-2003-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.[ch]: rrc_rotate() was untested and broken, fix it.
 	Set and verify wrap Token->Filler.
@@ -1854,12 +1961,12 @@
 	were accidentally swapped with delete tokens.
 	From: Luke Howard <lukeh@PADL.COM>
 
-2003-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.[ch]: no ASN.1-ish header on per-message tokens
 	From: Luke Howard <lukeh@PADL.COM>
 	
-2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* arcfour.h: remove depenency on gss_arcfour_mic_token and
 	gss_arcfour_warp_token
@@ -1867,11 +1974,11 @@
 	* arcfour.c: remove depenency on gss_arcfour_mic_token and
 	gss_arcfour_warp_token
 
-2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* 8003.c: remove #if 0'ed code
 	
-2003-09-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-17  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* accept_sec_context.c (gsskrb5_accept_sec_context): set sequence
 	number when not requesting mutual auth From: Luke Howard
@@ -1880,7 +1987,7 @@
 	* init_sec_context.c (init_auth): set sequence number when not
 	requesting mutual auth From: Luke Howard <lukeh@PADL.COM>
 	
-2003-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* arcfour.c (*): set minor_status
 	(gss_wrap): set conf_state to conf_req_flags on success
@@ -1889,14 +1996,14 @@
 	* wrap.c (gss_wrap_size_limit): use existing function From: Luke
 	Howard <lukeh@PADL.COM>
 	
-2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* indicate_mechs.c (gss_indicate_mechs): in case of error, free
 	mech_set
 
 	* indicate_mechs.c (gss_indicate_mechs): add SPNEGO
 
-2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c (spnego_initial): catch errors and return
 	them
@@ -1905,7 +2012,7 @@
 	the CHOICE branch encoding, also where here, free no longer used
 	memory
 
-2003-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-09  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM
 	
@@ -1934,22 +2041,22 @@
 	
 	* Makefile.am: build SPNEGO file
 	
-2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* external.c: SPENGO and IAKERB oids
 	
 	* spnego.asn1: SPENGO ASN1
 	
-2003-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.c: RRC also need to be zero before wraping them
 	From: Luke Howard <lukeh@PADL.COM>
 	
-2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* encapsulate.c (gssapi_krb5_encap_length): don't return void
 	
-2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* verify_mic.c: switch from the des_ to the DES_ api
 	
@@ -1965,7 +2072,7 @@
 	* acquire_cred.c: use
 	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free
 
-2003-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-09-01  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* copy_ccache.c: rename
 	gss_krb5_extract_authz_data_from_sec_context to
@@ -1974,7 +2081,7 @@
 	* gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to
 	gsskrb5_extract_authz_data_from_sec_context
 	
-2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
 	check that we have a ticket before we start to use it
@@ -1991,12 +2098,12 @@
 	* verify_mic.c (gss_verify_mic_internal): switch type and key
 	argument
 
-2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implemetation
 	From: Luke Howard <lukeh@PADL.COM>
 	
-2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* arcfour.c (arcfour_mic_cksum): use free_Checksum to free the
 	checksum
@@ -2048,7 +2155,7 @@
 	
 	* 8003.c: add gssapi_{en,de}code_be_om_uint32
 	
-2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right
 	area. Swap filler check, it was reversed.
@@ -2061,7 +2168,7 @@
 
 	* arcfour.h: arcfour gss-api mech, get_mic/verify_mic working
 	
-2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi_locl.h: always include cfx.h add prototype for
 	_gssapi_decapsulate
@@ -2072,7 +2179,7 @@
 	* decapsulate.c: add _gssapi_decapsulate, from Luke Howard
 	<lukeh@PADL.COM>
 	
-2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* unwrap.c: encap/decap now takes a oid if the enctype/keytype is
 	arcfour, return error add hook for cfx
@@ -2104,17 +2211,17 @@
 	* inquire_cred.c (gss_inquire_cred): handle cred_handle being
 	GSS_C_NO_CREDENTIAL and use the default cred then.
 	
-2003-08-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: break out extensions and document
 	gsskrb5_register_acceptor_identity
 
-2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_acquire_cred.c (print_time): time is returned in seconds
 	from now, not unix time
 
-2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* compat.c (check_compat): avoid leaking principal when finding a
 	match
@@ -2125,7 +2232,7 @@
 	* acquire_cred.c (gss_acquire_cred): 4th argument to
 	gss_test_oid_set_member is a int
 
-2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c (repl_mutual): don't set kerberos error where
 	there was no kerberos error
@@ -2140,12 +2247,12 @@
 	krb5_context. Add destruction/creation functions for the thread
 	specific storage that the error string handling is using.
 	
-2003-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-07-20  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: add missing prototype and missing .Ft
 	arguments
 
-2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* verify_mic.c: reorder code so sequence numbers can can be used
 	
@@ -2173,7 +2280,7 @@
 
 	* Makefile.am: can't have sequence.c in two different places
 
-2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_sequence.c: check rollover, print summery
 	
@@ -2184,7 +2291,7 @@
 	
 	From: Luke Howard <lukeh@PADL.COM>
 	
-2003-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-06-05  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi_locl.h: add prototypes for sequence.c
 	
@@ -2194,7 +2301,7 @@
 	* sequence.c: sequence number checks, order and replay
 	* test_sequence.c: sequence number checks, order and replay
 
-2003-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-06-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* accept_sec_context.c (gss_accept_sec_context): make sure time is
 	returned in seconds from now, not in kerberos time
@@ -2213,7 +2320,7 @@
 	* verify_mic.c: make sure minor_status is always set, pointed out
 	by Luke Howard <lukeh@PADL.COM>
 
-2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* *.[ch]: do some basic locking (no reference counting so contexts 
 	  can be removed while still used)
@@ -2224,16 +2331,16 @@
 	* gss_acquire_cred.3: document argument lifetime_rec to function
 	gss_inquire_context
 
-2003-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-05-17  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* test_acquire_cred.c: test gss_add_cred more then once
 	
-2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.h: if __cplusplus, wrap the extern variable (just to be
 	safe) and functions in extern "C" { }
 	
-2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.3: more about the des3 mic mess
 	
@@ -2245,14 +2352,14 @@
 	* verify_mic.c (verify_mic_des3): If MIC verification fails,
 	retry using the `old' MIC computation (with zero IV).
 
-2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: more about difference between comparing IN
 	and MN
 
 	* gss_acquire_cred.3: more about name type and access control
 	
-2003-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-25  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: document gss_context_time
 	
@@ -2273,17 +2380,17 @@
 	(GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if
 	gss_krb5_compat_des3_mic exists
 	
-2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am:  (libgssapi_la_LDFLAGS): update major
 	version of gssapi for incompatiblity in 3des getmic support
 	
-2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not
 	./libgssapi.la (make make -jN work)
 
-2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.3: spelling
 	
@@ -2291,7 +2398,7 @@
 	header.h, from Thomas Klausner <wiz@netbsd.org>
 
 	
-2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: spelling
 	
@@ -2307,26 +2414,26 @@
 
 	* test_acquire_cred.c: test gss_add_cred too
 	
-2003-04-03  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* Makefile.am: build test_acquire_cred
 	
 	* test_acquire_cred.c: simple gss_acquire_cred test
 	
-2003-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-04-02  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: s/gssapi/GSS-API/
 	
-2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: document v1 interface (and that they are
 	obsolete)
 
-2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_acquire_cred.3: list supported mechanism and nametypes
 	
-2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
 	
 	* gss_acquire_cred.3: text about gss_display_name
 
@@ -2438,7 +2545,7 @@
 
 	* gssapi.h: comment out the argument names
 	
-2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gssapi.3: add LIST OF FUNCTIONS and copyright/license
 
@@ -2446,29 +2553,29 @@
 	
 	* Makefile.am: man_MANS += gss_aquire_cred.3
 	
-2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* gss_aquire_cred.3: the gssapi api manpage
 	
-2003-03-03  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-03-03  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* inquire_context.c: (gss_inquire_context): rename argument open
 	to open_context
 
 	* gssapi.h (gss_inquire_context): rename argument open to open_context
 
-2003-02-27  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-02-27  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* init_sec_context.c (do_delegation): remove unused variable
 	subkey
 
 	* gssapi.3: all 0.5.x version had broken token delegation
 	
-2003-02-21  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-02-21  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* (init_auth): only generate one subkey
 
-2003-01-27  Love Hörnquist Åstrand  <lha@it.su.se>
+2003-01-27  Love Hörnquist Åstrand  <lha@it.su.se>
 
 	* verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform
 	to rfc (and mit kerberos), provide backward compat hook
diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
index 23264828221c..919799fa80b2 100644
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -1,12 +1,18 @@
-# $Id: Makefile.am 22399 2008-01-11 14:25:47Z lha $
+# $Id$
 
 include $(top_srcdir)/Makefile.am.common
 
 AUTOMAKE_OPTIONS = subdir-objects
 
-AM_CPPFLAGS += -I$(srcdir)/../krb5 \
+AM_CPPFLAGS += \
+	-I$(srcdir)/../krb5 \
 	-I$(srcdir) \
+	-I$(srcdir)/gssapi \
 	-I$(srcdir)/mech \
+	-I$(srcdir)/ntlm \
+	-I$(srcdir)/krb5 \
+	-I$(srcdir)/spnego \
+	$(INCLUDE_libintl) \
 	$(INCLUDE_hcrypto) \
 	$(INCLUDE_krb4)
 
@@ -18,8 +24,10 @@ krb5src = \
 	krb5/acquire_cred.c \
 	krb5/add_cred.c \
 	krb5/address_to_krb5addr.c \
+	krb5/aeap.c \
 	krb5/arcfour.c \
 	krb5/canonicalize_name.c \
+	krb5/creds.c \
 	krb5/ccache_name.c \
 	krb5/cfx.c \
 	krb5/cfx.h \
@@ -51,17 +59,19 @@ krb5src = \
 	krb5/inquire_mechs_for_name.c \
 	krb5/inquire_names_for_mech.c \
 	krb5/inquire_sec_context_by_oid.c \
+	krb5/pname_to_uid.c \
 	krb5/process_context_token.c \
 	krb5/prf.c \
 	krb5/release_buffer.c \
 	krb5/release_cred.c \
 	krb5/release_name.c \
 	krb5/sequence.c \
+	krb5/store_cred.c \
 	krb5/set_cred_option.c \
 	krb5/set_sec_context_option.c \
 	krb5/ticket_flags.c \
 	krb5/unwrap.c \
-	krb5/v1.c \
+	krb5/authorize_localname.c \
 	krb5/verify_mic.c \
 	krb5/wrap.c
 
@@ -69,25 +79,36 @@ mechsrc = \
 	mech/context.h \
 	mech/context.c \
 	mech/cred.h \
+	mech/compat.h \
+	mech/doxygen.c \
 	mech/gss_accept_sec_context.c \
 	mech/gss_acquire_cred.c \
+	mech/gss_acquire_cred_ext.c \
+	mech/gss_acquire_cred_with_password.c \
 	mech/gss_add_cred.c \
+	mech/gss_add_cred_with_password.c \
 	mech/gss_add_oid_set_member.c \
+	mech/gss_aeap.c \
 	mech/gss_buffer_set.c \
 	mech/gss_canonicalize_name.c \
 	mech/gss_compare_name.c \
 	mech/gss_context_time.c \
 	mech/gss_create_empty_oid_set.c \
+	mech/gss_cred.c \
 	mech/gss_decapsulate_token.c \
+	mech/gss_delete_name_attribute.c \
 	mech/gss_delete_sec_context.c \
 	mech/gss_display_name.c \
+	mech/gss_display_name_ext.c \
 	mech/gss_display_status.c \
 	mech/gss_duplicate_name.c \
 	mech/gss_duplicate_oid.c \
 	mech/gss_encapsulate_token.c \
 	mech/gss_export_name.c \
+	mech/gss_export_name_composite.c \
 	mech/gss_export_sec_context.c \
 	mech/gss_get_mic.c \
+	mech/gss_get_name_attribute.c \
 	mech/gss_import_name.c \
 	mech/gss_import_sec_context.c \
 	mech/gss_indicate_mechs.c \
@@ -97,12 +118,16 @@ mechsrc = \
 	mech/gss_inquire_cred_by_mech.c \
 	mech/gss_inquire_cred_by_oid.c \
 	mech/gss_inquire_mechs_for_name.c \
+	mech/gss_inquire_name.c \
 	mech/gss_inquire_names_for_mech.c \
 	mech/gss_krb5.c \
 	mech/gss_mech_switch.c \
+	mech/gss_mo.c \
 	mech/gss_names.c \
+	mech/gss_oid.c \
 	mech/gss_oid_equal.c \
 	mech/gss_oid_to_str.c \
+	mech/gss_pname_to_uid.c \
 	mech/gss_process_context_token.c \
 	mech/gss_pseudo_random.c \
 	mech/gss_release_buffer.c \
@@ -112,11 +137,14 @@ mechsrc = \
 	mech/gss_release_oid_set.c \
 	mech/gss_seal.c \
 	mech/gss_set_cred_option.c \
+	mech/gss_set_name_attribute.c \
 	mech/gss_set_sec_context_option.c \
 	mech/gss_sign.c \
+	mech/gss_store_cred.c \
 	mech/gss_test_oid_set_member.c \
 	mech/gss_unseal.c \
 	mech/gss_unwrap.c \
+	mech/gss_authorize_localname.c \
 	mech/gss_utils.c \
 	mech/gss_verify.c \
 	mech/gss_verify_mic.c \
@@ -146,6 +174,7 @@ ntlmsrc = \
 	ntlm/canonicalize_name.c \
 	ntlm/compare_name.c \
 	ntlm/context_time.c \
+	ntlm/creds.c \
 	ntlm/crypto.c \
 	ntlm/delete_sec_context.c \
 	ntlm/display_name.c \
@@ -161,14 +190,15 @@ ntlmsrc = \
 	ntlm/indicate_mechs.c \
 	ntlm/init_sec_context.c \
 	ntlm/inquire_context.c \
-	ntlm/inquire_cred.c \
 	ntlm/inquire_cred_by_mech.c \
 	ntlm/inquire_mechs_for_name.c \
 	ntlm/inquire_names_for_mech.c \
+	ntlm/inquire_sec_context_by_oid.c \
+	ntlm/iter_cred.c \
 	ntlm/process_context_token.c \
 	ntlm/release_cred.c \
 	ntlm/release_name.c \
-	ntlm/digest.c
+	ntlm/kdc.c
 
 $(srcdir)/ntlm/ntlm-private.h:
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p ntlm/ntlm-private.h $(ntlmsrc) || rm -f ntlm/ntlm-private.h
@@ -184,7 +214,9 @@ nodist_libgssapi_la_SOURCES  = \
 	gkrb5_err.h \
 	$(BUILT_SOURCES)
 
-libgssapi_la_LDFLAGS = -version-info 2:0:0
+libgssapi_la_DEPENDENCIES = version-script.map
+
+libgssapi_la_LDFLAGS = -version-info 3:0:0
 
 if versionscript
 libgssapi_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
@@ -206,9 +238,12 @@ noinst_HEADERS = \
 	ntlm/ntlm-private.h \
 	spnego/spnego-private.h \
 	krb5/gsskrb5-private.h
+
 nobase_include_HEADERS = \
 	gssapi/gssapi.h \
 	gssapi/gssapi_krb5.h \
+	gssapi/gssapi_ntlm.h \
+	gssapi/gssapi_oid.h \
 	gssapi/gssapi_spnego.h
 
 gssapidir = $(includedir)/gssapi
@@ -227,9 +262,13 @@ spnego_files =					\
 	asn1_NegTokenInitWin.x			\
 	asn1_NegTokenResp.x
 
-$(libgssapi_la_OBJECTS): $(srcdir)/krb5/gsskrb5-private.h
-$(libgssapi_la_OBJECTS): $(srcdir)/spnego/spnego-private.h
-$(libgssapi_la_OBJECTS): $(srcdir)/ntlm/ntlm-private.h
+BUILTHEADERS = \
+	$(srcdir)/krb5/gsskrb5-private.h \
+	$(srcdir)/spnego/spnego-private.h \
+	$(srcdir)/ntlm/ntlm-private.h
+
+$(libgssapi_la_OBJECTS): $(BUILTHEADERS)
+$(test_context_OBJECTS): $(BUILTHEADERS)
 
 $(libgssapi_la_OBJECTS): $(srcdir)/version-script.map
 
@@ -237,18 +276,18 @@ BUILT_SOURCES = $(spnego_files:.x=.c) $(gssapi_files:.x=.c)
 
 CLEANFILES = $(BUILT_SOURCES) \
 	gkrb5_err.h gkrb5_err.c \
-	$(spnego_files) spnego_asn1.h spnego_asn1_files \
-	$(gssapi_files) gssapi_asn1.h gssapi_asn1_files \
+	$(spnego_files) spnego_asn1*.h* spnego_asn1_files spnego_asn1-template.c \
+	$(gssapi_files) gssapi_asn1*.h* gssapi_asn1_files gssapi_asn1-template.c \
 	gss-commands.h gss-commands.c
 
-$(spnego_files) spnego_asn1.h: spnego_asn1_files
-$(gssapi_files) gssapi_asn1.h: gssapi_asn1_files
+$(spnego_files) spnego_asn1.hx spnego_asn1-priv.hx: spnego_asn1_files
+$(gssapi_files) gssapi_asn1.hx gssapi_asn1-priv.hx: gssapi_asn1_files
 
-spnego_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego/spnego.asn1
-	../asn1/asn1_compile$(EXEEXT) --sequence=MechTypeList $(srcdir)/spnego/spnego.asn1 spnego_asn1
+spnego_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/spnego/spnego.asn1 $(srcdir)/spnego/spnego.opt
+	$(ASN1_COMPILE) --option-file=$(srcdir)/spnego/spnego.opt $(srcdir)/spnego/spnego.asn1 spnego_asn1
 
-gssapi_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1
-	../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1 gssapi_asn1
+gssapi_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/mech/gssapi.asn1
+	$(ASN1_COMPILE) $(srcdir)/mech/gssapi.asn1 gssapi_asn1
 
 $(srcdir)/krb5/gsskrb5-private.h:
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5/gsskrb5-private.h $(krb5src) || rm -f krb5/gsskrb5-private.h
@@ -264,7 +303,7 @@ test_cfx_SOURCES = krb5/test_cfx.c
 
 check_PROGRAMS = test_acquire_cred $(TESTS)
 
-bin_PROGRAMS = gss
+bin_PROGRAMS = gsstool
 noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm
 
 test_context_SOURCES = test_context.c test_common.c test_common.h
@@ -281,33 +320,39 @@ LDADD = libgssapi.la \
 
 # gss
 
-dist_gss_SOURCES = gss.c
-nodist_gss_SOURCES = gss-commands.c gss-commands.h
+dist_gsstool_SOURCES = gsstool.c
+nodist_gsstool_SOURCES = gss-commands.c gss-commands.h
 
-gss_LDADD = libgssapi.la \
+gsstool_LDADD = libgssapi.la \
 	$(top_builddir)/lib/sl/libsl.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_readline) \
 	$(LIB_roken)
 
-SLC = $(top_builddir)/lib/sl/slc
-
 gss-commands.c gss-commands.h: gss-commands.in
 	$(SLC) $(srcdir)/gss-commands.in
 
-$(gss_OBJECTS): gss-commands.h
+$(gsstool_OBJECTS): gss-commands.h
 
 EXTRA_DIST = \
+	NTMakefile \
+	libgssapi-version.rc \
+	libgssapi-exports.def \
 	$(man_MANS) \
 	krb5/gkrb5_err.et \
 	mech/gssapi.asn1 \
 	spnego/spnego.asn1 \
+	spnego/spnego.opt \
 	version-script.map \
 	gss-commands.in
 
-# to help stupid solaris make
-
-$(libgssapi_la_OBJECTS): gkrb5_err.h gssapi_asn1.h spnego_asn1.h
+$(libgssapi_la_OBJECTS): gkrb5_err.h gssapi_asn1.h gssapi_asn1-priv.h
+$(libgssapi_la_OBJECTS): spnego_asn1.h spnego_asn1-priv.h
+$(libgssapi_la_OBJECTS): $(srcdir)/gssapi/gssapi_oid.h
 
 gkrb5_err.h gkrb5_err.c: $(srcdir)/krb5/gkrb5_err.et
 	$(COMPILE_ET) $(srcdir)/krb5/gkrb5_err.et
+
+$(srcdir)/gssapi/gssapi_oid.h $(srcdir)/mech/gss_oid.c:
+	perl $(srcdir)/gen-oid.pl -b base -h $(srcdir)/oid.txt > $(srcdir)/gssapi/gssapi_oid.h
+	perl $(srcdir)/gen-oid.pl -b base $(srcdir)/oid.txt > $(srcdir)/mech/gss_oid.c
diff --git a/lib/gssapi/Makefile.in b/lib/gssapi/Makefile.in
index 9886d49b185b..46499032d33d 100644
--- a/lib/gssapi/Makefile.in
+++ b/lib/gssapi/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,18 +15,19 @@
 
 @SET_MAKE@
 
-# $Id: Makefile.am 22399 2008-01-11 14:25:47Z lha $
+# $Id$
 
-# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $
+# $Id$
 
-# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $
+# $Id$
 
 
 
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
@@ -47,13 +49,13 @@ DIST_COMMON = $(include_HEADERS) $(nobase_include_HEADERS) \
 @versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 TESTS = test_oid$(EXEEXT) test_names$(EXEEXT) test_cfx$(EXEEXT)
 check_PROGRAMS = test_acquire_cred$(EXEEXT) $(am__EXEEXT_1)
-bin_PROGRAMS = gss$(EXEEXT)
+bin_PROGRAMS = gsstool$(EXEEXT)
 noinst_PROGRAMS = test_cred$(EXEEXT) test_kcred$(EXEEXT) \
 	test_context$(EXEEXT) test_ntlm$(EXEEXT)
 subdir = lib/gssapi
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
-	$(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \
+	$(top_srcdir)/cf/auth-modules.m4 \
 	$(top_srcdir)/cf/broken-getaddrinfo.m4 \
 	$(top_srcdir)/cf/broken-glob.m4 \
 	$(top_srcdir)/cf/broken-realloc.m4 \
@@ -68,7 +70,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
 	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
 	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
-	$(top_srcdir)/cf/dlopen.m4 \
+	$(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
 	$(top_srcdir)/cf/find-func-no-libs.m4 \
 	$(top_srcdir)/cf/find-func-no-libs2.m4 \
 	$(top_srcdir)/cf/find-func.m4 \
@@ -82,9 +84,12 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
-	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \
-	$(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \
-	$(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \
+	$(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/libtool.m4 \
+	$(top_srcdir)/cf/ltoptions.m4 $(top_srcdir)/cf/ltsugar.m4 \
+	$(top_srcdir)/cf/ltversion.m4 $(top_srcdir)/cf/lt~obsolete.m4 \
+	$(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
+	$(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
+	$(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/pkg.m4 \
 	$(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \
 	$(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \
 	$(top_srcdir)/cf/roken-frag.m4 \
@@ -92,36 +97,47 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \
 	$(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \
 	$(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \
-	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in
+	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
 am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
 am__vpath_adj = case $$p in \
     $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
     *) f=$$p;; \
   esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(bindir)" \
 	"$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \
 	"$(DESTDIR)$(includedir)" "$(DESTDIR)$(includedir)" \
 	"$(DESTDIR)$(gssapidir)"
-libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
-libgssapi_la_DEPENDENCIES = $(top_builddir)/lib/ntlm/libheimntlm.la \
-	$(top_builddir)/lib/krb5/libkrb5.la \
-	$(top_builddir)/lib/asn1/libasn1.la $(am__DEPENDENCIES_1) \
-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 am__dirstamp = $(am__leading_dot)dirstamp
 am__objects_1 = krb5/8003.lo krb5/accept_sec_context.lo \
 	krb5/acquire_cred.lo krb5/add_cred.lo \
-	krb5/address_to_krb5addr.lo krb5/arcfour.lo \
-	krb5/canonicalize_name.lo krb5/ccache_name.lo krb5/cfx.lo \
-	krb5/compare_name.lo krb5/compat.lo krb5/context_time.lo \
-	krb5/copy_ccache.lo krb5/decapsulate.lo \
+	krb5/address_to_krb5addr.lo krb5/aeap.lo krb5/arcfour.lo \
+	krb5/canonicalize_name.lo krb5/creds.lo krb5/ccache_name.lo \
+	krb5/cfx.lo krb5/compare_name.lo krb5/compat.lo \
+	krb5/context_time.lo krb5/copy_ccache.lo krb5/decapsulate.lo \
 	krb5/delete_sec_context.lo krb5/display_name.lo \
 	krb5/display_status.lo krb5/duplicate_name.lo \
 	krb5/encapsulate.lo krb5/export_name.lo \
@@ -131,54 +147,66 @@ am__objects_1 = krb5/8003.lo krb5/accept_sec_context.lo \
 	krb5/inquire_context.lo krb5/inquire_cred.lo \
 	krb5/inquire_cred_by_mech.lo krb5/inquire_cred_by_oid.lo \
 	krb5/inquire_mechs_for_name.lo krb5/inquire_names_for_mech.lo \
-	krb5/inquire_sec_context_by_oid.lo \
+	krb5/inquire_sec_context_by_oid.lo krb5/pname_to_uid.lo \
 	krb5/process_context_token.lo krb5/prf.lo \
 	krb5/release_buffer.lo krb5/release_cred.lo \
-	krb5/release_name.lo krb5/sequence.lo krb5/set_cred_option.lo \
-	krb5/set_sec_context_option.lo krb5/ticket_flags.lo \
-	krb5/unwrap.lo krb5/v1.lo krb5/verify_mic.lo krb5/wrap.lo
-am__objects_2 = mech/context.lo mech/gss_accept_sec_context.lo \
-	mech/gss_acquire_cred.lo mech/gss_add_cred.lo \
-	mech/gss_add_oid_set_member.lo mech/gss_buffer_set.lo \
-	mech/gss_canonicalize_name.lo mech/gss_compare_name.lo \
-	mech/gss_context_time.lo mech/gss_create_empty_oid_set.lo \
-	mech/gss_decapsulate_token.lo mech/gss_delete_sec_context.lo \
-	mech/gss_display_name.lo mech/gss_display_status.lo \
+	krb5/release_name.lo krb5/sequence.lo krb5/store_cred.lo \
+	krb5/set_cred_option.lo krb5/set_sec_context_option.lo \
+	krb5/ticket_flags.lo krb5/unwrap.lo \
+	krb5/authorize_localname.lo krb5/verify_mic.lo krb5/wrap.lo
+am__objects_2 = mech/context.lo mech/doxygen.lo \
+	mech/gss_accept_sec_context.lo mech/gss_acquire_cred.lo \
+	mech/gss_acquire_cred_ext.lo \
+	mech/gss_acquire_cred_with_password.lo mech/gss_add_cred.lo \
+	mech/gss_add_cred_with_password.lo \
+	mech/gss_add_oid_set_member.lo mech/gss_aeap.lo \
+	mech/gss_buffer_set.lo mech/gss_canonicalize_name.lo \
+	mech/gss_compare_name.lo mech/gss_context_time.lo \
+	mech/gss_create_empty_oid_set.lo mech/gss_cred.lo \
+	mech/gss_decapsulate_token.lo \
+	mech/gss_delete_name_attribute.lo \
+	mech/gss_delete_sec_context.lo mech/gss_display_name.lo \
+	mech/gss_display_name_ext.lo mech/gss_display_status.lo \
 	mech/gss_duplicate_name.lo mech/gss_duplicate_oid.lo \
 	mech/gss_encapsulate_token.lo mech/gss_export_name.lo \
+	mech/gss_export_name_composite.lo \
 	mech/gss_export_sec_context.lo mech/gss_get_mic.lo \
-	mech/gss_import_name.lo mech/gss_import_sec_context.lo \
-	mech/gss_indicate_mechs.lo mech/gss_init_sec_context.lo \
-	mech/gss_inquire_context.lo mech/gss_inquire_cred.lo \
-	mech/gss_inquire_cred_by_mech.lo \
+	mech/gss_get_name_attribute.lo mech/gss_import_name.lo \
+	mech/gss_import_sec_context.lo mech/gss_indicate_mechs.lo \
+	mech/gss_init_sec_context.lo mech/gss_inquire_context.lo \
+	mech/gss_inquire_cred.lo mech/gss_inquire_cred_by_mech.lo \
 	mech/gss_inquire_cred_by_oid.lo \
-	mech/gss_inquire_mechs_for_name.lo \
+	mech/gss_inquire_mechs_for_name.lo mech/gss_inquire_name.lo \
 	mech/gss_inquire_names_for_mech.lo mech/gss_krb5.lo \
-	mech/gss_mech_switch.lo mech/gss_names.lo \
-	mech/gss_oid_equal.lo mech/gss_oid_to_str.lo \
-	mech/gss_process_context_token.lo mech/gss_pseudo_random.lo \
-	mech/gss_release_buffer.lo mech/gss_release_cred.lo \
-	mech/gss_release_name.lo mech/gss_release_oid.lo \
-	mech/gss_release_oid_set.lo mech/gss_seal.lo \
-	mech/gss_set_cred_option.lo mech/gss_set_sec_context_option.lo \
-	mech/gss_sign.lo mech/gss_test_oid_set_member.lo \
-	mech/gss_unseal.lo mech/gss_unwrap.lo mech/gss_utils.lo \
+	mech/gss_mech_switch.lo mech/gss_mo.lo mech/gss_names.lo \
+	mech/gss_oid.lo mech/gss_oid_equal.lo mech/gss_oid_to_str.lo \
+	mech/gss_pname_to_uid.lo mech/gss_process_context_token.lo \
+	mech/gss_pseudo_random.lo mech/gss_release_buffer.lo \
+	mech/gss_release_cred.lo mech/gss_release_name.lo \
+	mech/gss_release_oid.lo mech/gss_release_oid_set.lo \
+	mech/gss_seal.lo mech/gss_set_cred_option.lo \
+	mech/gss_set_name_attribute.lo \
+	mech/gss_set_sec_context_option.lo mech/gss_sign.lo \
+	mech/gss_store_cred.lo mech/gss_test_oid_set_member.lo \
+	mech/gss_unseal.lo mech/gss_unwrap.lo \
+	mech/gss_authorize_localname.lo mech/gss_utils.lo \
 	mech/gss_verify.lo mech/gss_verify_mic.lo mech/gss_wrap.lo \
 	mech/gss_wrap_size_limit.lo \
 	mech/gss_inquire_sec_context_by_oid.lo
 am__objects_3 = ntlm/accept_sec_context.lo ntlm/acquire_cred.lo \
 	ntlm/add_cred.lo ntlm/canonicalize_name.lo \
-	ntlm/compare_name.lo ntlm/context_time.lo ntlm/crypto.lo \
-	ntlm/delete_sec_context.lo ntlm/display_name.lo \
+	ntlm/compare_name.lo ntlm/context_time.lo ntlm/creds.lo \
+	ntlm/crypto.lo ntlm/delete_sec_context.lo ntlm/display_name.lo \
 	ntlm/display_status.lo ntlm/duplicate_name.lo \
 	ntlm/export_name.lo ntlm/export_sec_context.lo \
 	ntlm/external.lo ntlm/import_name.lo \
 	ntlm/import_sec_context.lo ntlm/indicate_mechs.lo \
 	ntlm/init_sec_context.lo ntlm/inquire_context.lo \
-	ntlm/inquire_cred.lo ntlm/inquire_cred_by_mech.lo \
-	ntlm/inquire_mechs_for_name.lo ntlm/inquire_names_for_mech.lo \
+	ntlm/inquire_cred_by_mech.lo ntlm/inquire_mechs_for_name.lo \
+	ntlm/inquire_names_for_mech.lo \
+	ntlm/inquire_sec_context_by_oid.lo ntlm/iter_cred.lo \
 	ntlm/process_context_token.lo ntlm/release_cred.lo \
-	ntlm/release_name.lo ntlm/digest.lo
+	ntlm/release_name.lo ntlm/kdc.lo
 am__objects_4 = spnego/accept_sec_context.lo spnego/compat.lo \
 	spnego/context_stubs.lo spnego/cred_stubs.lo \
 	spnego/external.lo spnego/init_sec_context.lo
@@ -197,13 +225,12 @@ libgssapi_la_OBJECTS = $(dist_libgssapi_la_OBJECTS) \
 libgssapi_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libgssapi_la_LDFLAGS) $(LDFLAGS) -o $@
-binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
 am__EXEEXT_1 = test_oid$(EXEEXT) test_names$(EXEEXT) test_cfx$(EXEEXT)
 PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS)
-dist_gss_OBJECTS = gss.$(OBJEXT)
-nodist_gss_OBJECTS = gss-commands.$(OBJEXT)
-gss_OBJECTS = $(dist_gss_OBJECTS) $(nodist_gss_OBJECTS)
-gss_DEPENDENCIES = libgssapi.la $(top_builddir)/lib/sl/libsl.la \
+dist_gsstool_OBJECTS = gsstool.$(OBJEXT)
+nodist_gsstool_OBJECTS = gss-commands.$(OBJEXT)
+gsstool_OBJECTS = $(dist_gsstool_OBJECTS) $(nodist_gsstool_OBJECTS)
+gsstool_DEPENDENCIES = libgssapi.la $(top_builddir)/lib/sl/libsl.la \
 	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1)
 am_test_acquire_cred_OBJECTS = test_acquire_cred.$(OBJEXT) \
@@ -248,9 +275,9 @@ test_oid_OBJECTS = test_oid.$(OBJEXT)
 test_oid_LDADD = $(LDADD)
 test_oid_DEPENDENCIES = libgssapi.la \
 	$(top_builddir)/lib/krb5/libkrb5.la $(am__DEPENDENCIES_1)
-DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@
-depcomp =
-am__depfiles_maybe =
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -261,72 +288,80 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
 	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
 	$(LDFLAGS) -o $@
 SOURCES = $(dist_libgssapi_la_SOURCES) $(nodist_libgssapi_la_SOURCES) \
-	$(dist_gss_SOURCES) $(nodist_gss_SOURCES) \
+	$(dist_gsstool_SOURCES) $(nodist_gsstool_SOURCES) \
 	$(test_acquire_cred_SOURCES) $(test_cfx_SOURCES) \
 	$(test_context_SOURCES) test_cred.c test_kcred.c test_names.c \
 	$(test_ntlm_SOURCES) test_oid.c
-DIST_SOURCES = $(dist_libgssapi_la_SOURCES) $(dist_gss_SOURCES) \
+DIST_SOURCES = $(dist_libgssapi_la_SOURCES) $(dist_gsstool_SOURCES) \
 	$(test_acquire_cred_SOURCES) $(test_cfx_SOURCES) \
 	$(test_context_SOURCES) test_cred.c test_kcred.c test_names.c \
 	$(test_ntlm_SOURCES) test_oid.c
 man3dir = $(mandir)/man3
 man5dir = $(mandir)/man5
 MANS = $(man_MANS)
-includeHEADERS_INSTALL = $(INSTALL_HEADER)
-nobase_includeHEADERS_INSTALL = $(install_sh_DATA)
-nodist_gssapiHEADERS_INSTALL = $(INSTALL_HEADER)
 HEADERS = $(include_HEADERS) $(nobase_include_HEADERS) \
 	$(nodist_gssapi_HEADERS) $(noinst_HEADERS)
 ETAGS = etags
 CTAGS = ctags
+am__tty_colors = \
+red=; grn=; lgn=; blu=; std=
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
 AMTAR = @AMTAR@
 AR = @AR@
+ASN1_COMPILE = @ASN1_COMPILE@
+ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
 CANONICAL_HOST = @CANONICAL_HOST@
+CAPNG_CFLAGS = @CAPNG_CFLAGS@
+CAPNG_LIBS = @CAPNG_LIBS@
 CATMAN = @CATMAN@
 CATMANEXT = @CATMANEXT@
 CC = @CC@
+CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 COMPILE_ET = @COMPILE_ET@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
+DBHEADER = @DBHEADER@
 DBLIB = @DBLIB@
 DEFS = @DEFS@
+DEPDIR = @DEPDIR@
 DIR_com_err = @DIR_com_err@
 DIR_hcrypto = @DIR_hcrypto@
 DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
-ECHO = @ECHO@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
 GREP = @GREP@
 GROFF = @GROFF@
 INCLUDES_roken = @INCLUDES_roken@
 INCLUDE_hcrypto = @INCLUDE_hcrypto@
 INCLUDE_hesiod = @INCLUDE_hesiod@
 INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_libedit = @INCLUDE_libedit@
+INCLUDE_libintl = @INCLUDE_libintl@
 INCLUDE_openldap = @INCLUDE_openldap@
 INCLUDE_readline = @INCLUDE_readline@
+INCLUDE_sqlite3 = @INCLUDE_sqlite3@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
 LDFLAGS = @LDFLAGS@
 LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@
 LEX = @LEX@
@@ -350,10 +385,11 @@ LIB_crypt = @LIB_crypt@
 LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
+LIB_dispatch_async_f = @LIB_dispatch_async_f@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
+LIB_dns_search = @LIB_dns_search@
 LIB_door_create = @LIB_door_create@
-LIB_el_init = @LIB_el_init@
 LIB_freeaddrinfo = @LIB_freeaddrinfo@
 LIB_gai_strerror = @LIB_gai_strerror@
 LIB_getaddrinfo = @LIB_getaddrinfo@
@@ -370,6 +406,8 @@ LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
 LIB_krb4 = @LIB_krb4@
+LIB_libedit = @LIB_libedit@
+LIB_libintl = @LIB_libintl@
 LIB_loadquery = @LIB_loadquery@
 LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
@@ -385,31 +423,45 @@ LIB_roken = @LIB_roken@
 LIB_security = @LIB_security@
 LIB_setsockopt = @LIB_setsockopt@
 LIB_socket = @LIB_socket@
+LIB_sqlite3 = @LIB_sqlite3@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
+LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+NO_AFS = @NO_AFS@
 NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
 PACKAGE_NAME = @PACKAGE_NAME@
 PACKAGE_STRING = @PACKAGE_STRING@
 PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
-PTHREADS_CFLAGS = @PTHREADS_CFLAGS@
-PTHREADS_LIBS = @PTHREADS_LIBS@
+PKG_CONFIG = @PKG_CONFIG@
+PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
+PTHREAD_LDADD = @PTHREAD_LDADD@
+PTHREAD_LIBADD = @PTHREAD_LIBADD@
 RANLIB = @RANLIB@
+SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SLC = @SLC@
+SLC_DEP = @SLC_DEP@
 STRIP = @STRIP@
 VERSION = @VERSION@
 VERSIONING = @VERSIONING@
-VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
 WFLAGS = @WFLAGS@
 WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
 WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
@@ -424,10 +476,12 @@ abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
 abs_top_builddir = @abs_top_builddir@
 abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
 am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
 bindir = @bindir@
@@ -468,31 +522,37 @@ psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
+subdirs = @subdirs@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
-AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \
-	-I$(srcdir)/../krb5 -I$(srcdir) -I$(srcdir)/mech \
+SUFFIXES = .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
+AM_CPPFLAGS = $(INCLUDES_roken) -I$(srcdir)/../krb5 -I$(srcdir) \
+	-I$(srcdir)/gssapi -I$(srcdir)/mech -I$(srcdir)/ntlm \
+	-I$(srcdir)/krb5 -I$(srcdir)/spnego $(INCLUDE_libintl) \
 	$(INCLUDE_hcrypto) $(INCLUDE_krb4)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
 buildinclude = $(top_builddir)/include
+LIB_el_init = @LIB_el_init@
 LIB_getattr = @LIB_getattr@
 LIB_getpwent_r = @LIB_getpwent_r@
 LIB_odm_initialize = @LIB_odm_initialize@
 LIB_setpcred = @LIB_setpcred@
 HESIODLIB = @HESIODLIB@
 HESIODINCLUDE = @HESIODINCLUDE@
+libexec_heimdaldir = $(libexecdir)/heimdal
 NROFF_MAN = groff -mandoc -Tascii
 LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
 @KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la
+LIB_heimbase = $(top_builddir)/base/libheimbase.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
 AUTOMAKE_OPTIONS = subdir-objects
 lib_LTLIBRARIES = libgssapi.la
@@ -502,8 +562,10 @@ krb5src = \
 	krb5/acquire_cred.c \
 	krb5/add_cred.c \
 	krb5/address_to_krb5addr.c \
+	krb5/aeap.c \
 	krb5/arcfour.c \
 	krb5/canonicalize_name.c \
+	krb5/creds.c \
 	krb5/ccache_name.c \
 	krb5/cfx.c \
 	krb5/cfx.h \
@@ -535,17 +597,19 @@ krb5src = \
 	krb5/inquire_mechs_for_name.c \
 	krb5/inquire_names_for_mech.c \
 	krb5/inquire_sec_context_by_oid.c \
+	krb5/pname_to_uid.c \
 	krb5/process_context_token.c \
 	krb5/prf.c \
 	krb5/release_buffer.c \
 	krb5/release_cred.c \
 	krb5/release_name.c \
 	krb5/sequence.c \
+	krb5/store_cred.c \
 	krb5/set_cred_option.c \
 	krb5/set_sec_context_option.c \
 	krb5/ticket_flags.c \
 	krb5/unwrap.c \
-	krb5/v1.c \
+	krb5/authorize_localname.c \
 	krb5/verify_mic.c \
 	krb5/wrap.c
 
@@ -553,25 +617,36 @@ mechsrc = \
 	mech/context.h \
 	mech/context.c \
 	mech/cred.h \
+	mech/compat.h \
+	mech/doxygen.c \
 	mech/gss_accept_sec_context.c \
 	mech/gss_acquire_cred.c \
+	mech/gss_acquire_cred_ext.c \
+	mech/gss_acquire_cred_with_password.c \
 	mech/gss_add_cred.c \
+	mech/gss_add_cred_with_password.c \
 	mech/gss_add_oid_set_member.c \
+	mech/gss_aeap.c \
 	mech/gss_buffer_set.c \
 	mech/gss_canonicalize_name.c \
 	mech/gss_compare_name.c \
 	mech/gss_context_time.c \
 	mech/gss_create_empty_oid_set.c \
+	mech/gss_cred.c \
 	mech/gss_decapsulate_token.c \
+	mech/gss_delete_name_attribute.c \
 	mech/gss_delete_sec_context.c \
 	mech/gss_display_name.c \
+	mech/gss_display_name_ext.c \
 	mech/gss_display_status.c \
 	mech/gss_duplicate_name.c \
 	mech/gss_duplicate_oid.c \
 	mech/gss_encapsulate_token.c \
 	mech/gss_export_name.c \
+	mech/gss_export_name_composite.c \
 	mech/gss_export_sec_context.c \
 	mech/gss_get_mic.c \
+	mech/gss_get_name_attribute.c \
 	mech/gss_import_name.c \
 	mech/gss_import_sec_context.c \
 	mech/gss_indicate_mechs.c \
@@ -581,12 +656,16 @@ mechsrc = \
 	mech/gss_inquire_cred_by_mech.c \
 	mech/gss_inquire_cred_by_oid.c \
 	mech/gss_inquire_mechs_for_name.c \
+	mech/gss_inquire_name.c \
 	mech/gss_inquire_names_for_mech.c \
 	mech/gss_krb5.c \
 	mech/gss_mech_switch.c \
+	mech/gss_mo.c \
 	mech/gss_names.c \
+	mech/gss_oid.c \
 	mech/gss_oid_equal.c \
 	mech/gss_oid_to_str.c \
+	mech/gss_pname_to_uid.c \
 	mech/gss_process_context_token.c \
 	mech/gss_pseudo_random.c \
 	mech/gss_release_buffer.c \
@@ -596,11 +675,14 @@ mechsrc = \
 	mech/gss_release_oid_set.c \
 	mech/gss_seal.c \
 	mech/gss_set_cred_option.c \
+	mech/gss_set_name_attribute.c \
 	mech/gss_set_sec_context_option.c \
 	mech/gss_sign.c \
+	mech/gss_store_cred.c \
 	mech/gss_test_oid_set_member.c \
 	mech/gss_unseal.c \
 	mech/gss_unwrap.c \
+	mech/gss_authorize_localname.c \
 	mech/gss_utils.c \
 	mech/gss_verify.c \
 	mech/gss_verify_mic.c \
@@ -630,6 +712,7 @@ ntlmsrc = \
 	ntlm/canonicalize_name.c \
 	ntlm/compare_name.c \
 	ntlm/context_time.c \
+	ntlm/creds.c \
 	ntlm/crypto.c \
 	ntlm/delete_sec_context.c \
 	ntlm/display_name.c \
@@ -645,14 +728,15 @@ ntlmsrc = \
 	ntlm/indicate_mechs.c \
 	ntlm/init_sec_context.c \
 	ntlm/inquire_context.c \
-	ntlm/inquire_cred.c \
 	ntlm/inquire_cred_by_mech.c \
 	ntlm/inquire_mechs_for_name.c \
 	ntlm/inquire_names_for_mech.c \
+	ntlm/inquire_sec_context_by_oid.c \
+	ntlm/iter_cred.c \
 	ntlm/process_context_token.c \
 	ntlm/release_cred.c \
 	ntlm/release_name.c \
-	ntlm/digest.c
+	ntlm/kdc.c
 
 dist_libgssapi_la_SOURCES = \
 	$(krb5src) \
@@ -665,7 +749,8 @@ nodist_libgssapi_la_SOURCES = \
 	gkrb5_err.h \
 	$(BUILT_SOURCES)
 
-libgssapi_la_LDFLAGS = -version-info 2:0:0 $(am__append_1)
+libgssapi_la_DEPENDENCIES = version-script.map
+libgssapi_la_LDFLAGS = -version-info 3:0:0 $(am__append_1)
 libgssapi_la_LIBADD = \
 	$(top_builddir)/lib/ntlm/libheimntlm.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
@@ -685,6 +770,8 @@ noinst_HEADERS = \
 nobase_include_HEADERS = \
 	gssapi/gssapi.h \
 	gssapi/gssapi_krb5.h \
+	gssapi/gssapi_ntlm.h \
+	gssapi/gssapi_oid.h \
 	gssapi/gssapi_spnego.h
 
 gssapidir = $(includedir)/gssapi
@@ -701,11 +788,16 @@ spnego_files = \
 	asn1_NegTokenInitWin.x			\
 	asn1_NegTokenResp.x
 
+BUILTHEADERS = \
+	$(srcdir)/krb5/gsskrb5-private.h \
+	$(srcdir)/spnego/spnego-private.h \
+	$(srcdir)/ntlm/ntlm-private.h
+
 BUILT_SOURCES = $(spnego_files:.x=.c) $(gssapi_files:.x=.c)
 CLEANFILES = $(BUILT_SOURCES) \
 	gkrb5_err.h gkrb5_err.c \
-	$(spnego_files) spnego_asn1.h spnego_asn1_files \
-	$(gssapi_files) gssapi_asn1.h gssapi_asn1_files \
+	$(spnego_files) spnego_asn1*.h* spnego_asn1_files spnego_asn1-template.c \
+	$(gssapi_files) gssapi_asn1*.h* gssapi_asn1_files gssapi_asn1-template.c \
 	gss-commands.h gss-commands.c
 
 # test_sequence 
@@ -723,20 +815,23 @@ LDADD = libgssapi.la \
 
 
 # gss
-dist_gss_SOURCES = gss.c
-nodist_gss_SOURCES = gss-commands.c gss-commands.h
-gss_LDADD = libgssapi.la \
+dist_gsstool_SOURCES = gsstool.c
+nodist_gsstool_SOURCES = gss-commands.c gss-commands.h
+gsstool_LDADD = libgssapi.la \
 	$(top_builddir)/lib/sl/libsl.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_readline) \
 	$(LIB_roken)
 
-SLC = $(top_builddir)/lib/sl/slc
 EXTRA_DIST = \
+	NTMakefile \
+	libgssapi-version.rc \
+	libgssapi-exports.def \
 	$(man_MANS) \
 	krb5/gkrb5_err.et \
 	mech/gssapi.asn1 \
 	spnego/spnego.asn1 \
+	spnego/spnego.opt \
 	version-script.map \
 	gss-commands.in
 
@@ -744,19 +839,19 @@ all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
+.SUFFIXES: .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
 	    *$$dep*) \
-	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
-		&& exit 0; \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
 	      exit 1;; \
 	  esac; \
 	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign  --ignore-deps lib/gssapi/Makefile'; \
-	cd $(top_srcdir) && \
-	  $(AUTOMAKE) --foreign  --ignore-deps lib/gssapi/Makefile
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/gssapi/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign lib/gssapi/Makefile
 .PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
@@ -774,23 +869,28 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
 	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	list2=; for p in $$list; do \
 	  if test -f $$p; then \
-	    f=$(am__strip_dir) \
-	    echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
-	    $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+	    list2="$$list2 $$p"; \
 	  else :; fi; \
-	done
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
+	}
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	  p=$(am__strip_dir) \
-	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
-	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \
 	done
 
 clean-libLTLIBRARIES:
@@ -804,202 +904,384 @@ clean-libLTLIBRARIES:
 krb5/$(am__dirstamp):
 	@$(MKDIR_P) krb5
 	@: > krb5/$(am__dirstamp)
-krb5/8003.lo: krb5/$(am__dirstamp)
-krb5/accept_sec_context.lo: krb5/$(am__dirstamp)
-krb5/acquire_cred.lo: krb5/$(am__dirstamp)
-krb5/add_cred.lo: krb5/$(am__dirstamp)
-krb5/address_to_krb5addr.lo: krb5/$(am__dirstamp)
-krb5/arcfour.lo: krb5/$(am__dirstamp)
-krb5/canonicalize_name.lo: krb5/$(am__dirstamp)
-krb5/ccache_name.lo: krb5/$(am__dirstamp)
-krb5/cfx.lo: krb5/$(am__dirstamp)
-krb5/compare_name.lo: krb5/$(am__dirstamp)
-krb5/compat.lo: krb5/$(am__dirstamp)
-krb5/context_time.lo: krb5/$(am__dirstamp)
-krb5/copy_ccache.lo: krb5/$(am__dirstamp)
-krb5/decapsulate.lo: krb5/$(am__dirstamp)
-krb5/delete_sec_context.lo: krb5/$(am__dirstamp)
-krb5/display_name.lo: krb5/$(am__dirstamp)
-krb5/display_status.lo: krb5/$(am__dirstamp)
-krb5/duplicate_name.lo: krb5/$(am__dirstamp)
-krb5/encapsulate.lo: krb5/$(am__dirstamp)
-krb5/export_name.lo: krb5/$(am__dirstamp)
-krb5/export_sec_context.lo: krb5/$(am__dirstamp)
-krb5/external.lo: krb5/$(am__dirstamp)
-krb5/get_mic.lo: krb5/$(am__dirstamp)
-krb5/import_name.lo: krb5/$(am__dirstamp)
-krb5/import_sec_context.lo: krb5/$(am__dirstamp)
-krb5/indicate_mechs.lo: krb5/$(am__dirstamp)
-krb5/init.lo: krb5/$(am__dirstamp)
-krb5/init_sec_context.lo: krb5/$(am__dirstamp)
-krb5/inquire_context.lo: krb5/$(am__dirstamp)
-krb5/inquire_cred.lo: krb5/$(am__dirstamp)
-krb5/inquire_cred_by_mech.lo: krb5/$(am__dirstamp)
-krb5/inquire_cred_by_oid.lo: krb5/$(am__dirstamp)
-krb5/inquire_mechs_for_name.lo: krb5/$(am__dirstamp)
-krb5/inquire_names_for_mech.lo: krb5/$(am__dirstamp)
-krb5/inquire_sec_context_by_oid.lo: krb5/$(am__dirstamp)
-krb5/process_context_token.lo: krb5/$(am__dirstamp)
-krb5/prf.lo: krb5/$(am__dirstamp)
-krb5/release_buffer.lo: krb5/$(am__dirstamp)
-krb5/release_cred.lo: krb5/$(am__dirstamp)
-krb5/release_name.lo: krb5/$(am__dirstamp)
-krb5/sequence.lo: krb5/$(am__dirstamp)
-krb5/set_cred_option.lo: krb5/$(am__dirstamp)
-krb5/set_sec_context_option.lo: krb5/$(am__dirstamp)
-krb5/ticket_flags.lo: krb5/$(am__dirstamp)
-krb5/unwrap.lo: krb5/$(am__dirstamp)
-krb5/v1.lo: krb5/$(am__dirstamp)
-krb5/verify_mic.lo: krb5/$(am__dirstamp)
-krb5/wrap.lo: krb5/$(am__dirstamp)
+krb5/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) krb5/$(DEPDIR)
+	@: > krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/8003.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/accept_sec_context.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/acquire_cred.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/add_cred.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/address_to_krb5addr.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/aeap.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/arcfour.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/canonicalize_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/creds.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/ccache_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/cfx.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/compare_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/compat.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/context_time.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/copy_ccache.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/decapsulate.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/delete_sec_context.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/display_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/display_status.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/duplicate_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/encapsulate.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/export_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/export_sec_context.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/external.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/get_mic.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/import_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/import_sec_context.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/indicate_mechs.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/init.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/init_sec_context.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/inquire_context.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/inquire_cred.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/inquire_cred_by_mech.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/inquire_cred_by_oid.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/inquire_mechs_for_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/inquire_names_for_mech.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/inquire_sec_context_by_oid.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/pname_to_uid.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/process_context_token.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/prf.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/release_buffer.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/release_cred.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/release_name.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/sequence.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/store_cred.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/set_cred_option.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/set_sec_context_option.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/ticket_flags.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/unwrap.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/authorize_localname.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/verify_mic.lo: krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
+krb5/wrap.lo: krb5/$(am__dirstamp) krb5/$(DEPDIR)/$(am__dirstamp)
 mech/$(am__dirstamp):
 	@$(MKDIR_P) mech
 	@: > mech/$(am__dirstamp)
-mech/context.lo: mech/$(am__dirstamp)
-mech/gss_accept_sec_context.lo: mech/$(am__dirstamp)
-mech/gss_acquire_cred.lo: mech/$(am__dirstamp)
-mech/gss_add_cred.lo: mech/$(am__dirstamp)
-mech/gss_add_oid_set_member.lo: mech/$(am__dirstamp)
-mech/gss_buffer_set.lo: mech/$(am__dirstamp)
-mech/gss_canonicalize_name.lo: mech/$(am__dirstamp)
-mech/gss_compare_name.lo: mech/$(am__dirstamp)
-mech/gss_context_time.lo: mech/$(am__dirstamp)
-mech/gss_create_empty_oid_set.lo: mech/$(am__dirstamp)
-mech/gss_decapsulate_token.lo: mech/$(am__dirstamp)
-mech/gss_delete_sec_context.lo: mech/$(am__dirstamp)
-mech/gss_display_name.lo: mech/$(am__dirstamp)
-mech/gss_display_status.lo: mech/$(am__dirstamp)
-mech/gss_duplicate_name.lo: mech/$(am__dirstamp)
-mech/gss_duplicate_oid.lo: mech/$(am__dirstamp)
-mech/gss_encapsulate_token.lo: mech/$(am__dirstamp)
-mech/gss_export_name.lo: mech/$(am__dirstamp)
-mech/gss_export_sec_context.lo: mech/$(am__dirstamp)
-mech/gss_get_mic.lo: mech/$(am__dirstamp)
-mech/gss_import_name.lo: mech/$(am__dirstamp)
-mech/gss_import_sec_context.lo: mech/$(am__dirstamp)
-mech/gss_indicate_mechs.lo: mech/$(am__dirstamp)
-mech/gss_init_sec_context.lo: mech/$(am__dirstamp)
-mech/gss_inquire_context.lo: mech/$(am__dirstamp)
-mech/gss_inquire_cred.lo: mech/$(am__dirstamp)
-mech/gss_inquire_cred_by_mech.lo: mech/$(am__dirstamp)
-mech/gss_inquire_cred_by_oid.lo: mech/$(am__dirstamp)
-mech/gss_inquire_mechs_for_name.lo: mech/$(am__dirstamp)
-mech/gss_inquire_names_for_mech.lo: mech/$(am__dirstamp)
-mech/gss_krb5.lo: mech/$(am__dirstamp)
-mech/gss_mech_switch.lo: mech/$(am__dirstamp)
-mech/gss_names.lo: mech/$(am__dirstamp)
-mech/gss_oid_equal.lo: mech/$(am__dirstamp)
-mech/gss_oid_to_str.lo: mech/$(am__dirstamp)
-mech/gss_process_context_token.lo: mech/$(am__dirstamp)
-mech/gss_pseudo_random.lo: mech/$(am__dirstamp)
-mech/gss_release_buffer.lo: mech/$(am__dirstamp)
-mech/gss_release_cred.lo: mech/$(am__dirstamp)
-mech/gss_release_name.lo: mech/$(am__dirstamp)
-mech/gss_release_oid.lo: mech/$(am__dirstamp)
-mech/gss_release_oid_set.lo: mech/$(am__dirstamp)
-mech/gss_seal.lo: mech/$(am__dirstamp)
-mech/gss_set_cred_option.lo: mech/$(am__dirstamp)
-mech/gss_set_sec_context_option.lo: mech/$(am__dirstamp)
-mech/gss_sign.lo: mech/$(am__dirstamp)
-mech/gss_test_oid_set_member.lo: mech/$(am__dirstamp)
-mech/gss_unseal.lo: mech/$(am__dirstamp)
-mech/gss_unwrap.lo: mech/$(am__dirstamp)
-mech/gss_utils.lo: mech/$(am__dirstamp)
-mech/gss_verify.lo: mech/$(am__dirstamp)
-mech/gss_verify_mic.lo: mech/$(am__dirstamp)
-mech/gss_wrap.lo: mech/$(am__dirstamp)
-mech/gss_wrap_size_limit.lo: mech/$(am__dirstamp)
-mech/gss_inquire_sec_context_by_oid.lo: mech/$(am__dirstamp)
+mech/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) mech/$(DEPDIR)
+	@: > mech/$(DEPDIR)/$(am__dirstamp)
+mech/context.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/doxygen.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_accept_sec_context.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_acquire_cred.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_acquire_cred_ext.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_acquire_cred_with_password.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_add_cred.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_add_cred_with_password.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_add_oid_set_member.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_aeap.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_buffer_set.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_canonicalize_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_compare_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_context_time.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_create_empty_oid_set.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_cred.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_decapsulate_token.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_delete_name_attribute.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_delete_sec_context.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_display_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_display_name_ext.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_display_status.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_duplicate_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_duplicate_oid.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_encapsulate_token.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_export_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_export_name_composite.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_export_sec_context.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_get_mic.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_get_name_attribute.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_import_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_import_sec_context.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_indicate_mechs.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_init_sec_context.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_context.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_cred.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_cred_by_mech.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_cred_by_oid.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_mechs_for_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_names_for_mech.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_krb5.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_mech_switch.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_mo.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_names.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_oid.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_oid_equal.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_oid_to_str.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_pname_to_uid.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_process_context_token.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_pseudo_random.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_release_buffer.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_release_cred.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_release_name.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_release_oid.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_release_oid_set.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_seal.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_set_cred_option.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_set_name_attribute.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_set_sec_context_option.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_sign.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_store_cred.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_test_oid_set_member.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_unseal.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_unwrap.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_authorize_localname.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_utils.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_verify.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_verify_mic.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_wrap.lo: mech/$(am__dirstamp) mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_wrap_size_limit.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
+mech/gss_inquire_sec_context_by_oid.lo: mech/$(am__dirstamp) \
+	mech/$(DEPDIR)/$(am__dirstamp)
 ntlm/$(am__dirstamp):
 	@$(MKDIR_P) ntlm
 	@: > ntlm/$(am__dirstamp)
-ntlm/accept_sec_context.lo: ntlm/$(am__dirstamp)
-ntlm/acquire_cred.lo: ntlm/$(am__dirstamp)
-ntlm/add_cred.lo: ntlm/$(am__dirstamp)
-ntlm/canonicalize_name.lo: ntlm/$(am__dirstamp)
-ntlm/compare_name.lo: ntlm/$(am__dirstamp)
-ntlm/context_time.lo: ntlm/$(am__dirstamp)
-ntlm/crypto.lo: ntlm/$(am__dirstamp)
-ntlm/delete_sec_context.lo: ntlm/$(am__dirstamp)
-ntlm/display_name.lo: ntlm/$(am__dirstamp)
-ntlm/display_status.lo: ntlm/$(am__dirstamp)
-ntlm/duplicate_name.lo: ntlm/$(am__dirstamp)
-ntlm/export_name.lo: ntlm/$(am__dirstamp)
-ntlm/export_sec_context.lo: ntlm/$(am__dirstamp)
-ntlm/external.lo: ntlm/$(am__dirstamp)
-ntlm/import_name.lo: ntlm/$(am__dirstamp)
-ntlm/import_sec_context.lo: ntlm/$(am__dirstamp)
-ntlm/indicate_mechs.lo: ntlm/$(am__dirstamp)
-ntlm/init_sec_context.lo: ntlm/$(am__dirstamp)
-ntlm/inquire_context.lo: ntlm/$(am__dirstamp)
-ntlm/inquire_cred.lo: ntlm/$(am__dirstamp)
-ntlm/inquire_cred_by_mech.lo: ntlm/$(am__dirstamp)
-ntlm/inquire_mechs_for_name.lo: ntlm/$(am__dirstamp)
-ntlm/inquire_names_for_mech.lo: ntlm/$(am__dirstamp)
-ntlm/process_context_token.lo: ntlm/$(am__dirstamp)
-ntlm/release_cred.lo: ntlm/$(am__dirstamp)
-ntlm/release_name.lo: ntlm/$(am__dirstamp)
-ntlm/digest.lo: ntlm/$(am__dirstamp)
+ntlm/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) ntlm/$(DEPDIR)
+	@: > ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/accept_sec_context.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/acquire_cred.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/add_cred.lo: ntlm/$(am__dirstamp) ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/canonicalize_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/compare_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/context_time.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/creds.lo: ntlm/$(am__dirstamp) ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/crypto.lo: ntlm/$(am__dirstamp) ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/delete_sec_context.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/display_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/display_status.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/duplicate_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/export_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/export_sec_context.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/external.lo: ntlm/$(am__dirstamp) ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/import_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/import_sec_context.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/indicate_mechs.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/init_sec_context.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/inquire_context.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/inquire_cred_by_mech.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/inquire_mechs_for_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/inquire_names_for_mech.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/inquire_sec_context_by_oid.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/iter_cred.lo: ntlm/$(am__dirstamp) ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/process_context_token.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/release_cred.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/release_name.lo: ntlm/$(am__dirstamp) \
+	ntlm/$(DEPDIR)/$(am__dirstamp)
+ntlm/kdc.lo: ntlm/$(am__dirstamp) ntlm/$(DEPDIR)/$(am__dirstamp)
 spnego/$(am__dirstamp):
 	@$(MKDIR_P) spnego
 	@: > spnego/$(am__dirstamp)
-spnego/accept_sec_context.lo: spnego/$(am__dirstamp)
-spnego/compat.lo: spnego/$(am__dirstamp)
-spnego/context_stubs.lo: spnego/$(am__dirstamp)
-spnego/cred_stubs.lo: spnego/$(am__dirstamp)
-spnego/external.lo: spnego/$(am__dirstamp)
-spnego/init_sec_context.lo: spnego/$(am__dirstamp)
+spnego/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) spnego/$(DEPDIR)
+	@: > spnego/$(DEPDIR)/$(am__dirstamp)
+spnego/accept_sec_context.lo: spnego/$(am__dirstamp) \
+	spnego/$(DEPDIR)/$(am__dirstamp)
+spnego/compat.lo: spnego/$(am__dirstamp) \
+	spnego/$(DEPDIR)/$(am__dirstamp)
+spnego/context_stubs.lo: spnego/$(am__dirstamp) \
+	spnego/$(DEPDIR)/$(am__dirstamp)
+spnego/cred_stubs.lo: spnego/$(am__dirstamp) \
+	spnego/$(DEPDIR)/$(am__dirstamp)
+spnego/external.lo: spnego/$(am__dirstamp) \
+	spnego/$(DEPDIR)/$(am__dirstamp)
+spnego/init_sec_context.lo: spnego/$(am__dirstamp) \
+	spnego/$(DEPDIR)/$(am__dirstamp)
 libgssapi.la: $(libgssapi_la_OBJECTS) $(libgssapi_la_DEPENDENCIES) 
 	$(libgssapi_la_LINK) -rpath $(libdir) $(libgssapi_la_OBJECTS) $(libgssapi_la_LIBADD) $(LIBS)
 install-binPROGRAMS: $(bin_PROGRAMS)
 	@$(NORMAL_INSTALL)
 	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
-	@list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  if test -f $$p \
-	     || test -f $$p1 \
-	  ; then \
-	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \
-	  else :; fi; \
-	done
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p || test -f $$p1; \
+	  then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
+	    } \
+	; done
 
 uninstall-binPROGRAMS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
-	  echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(bindir)/$$f"; \
-	done
+	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' `; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(bindir)" && rm -f $$files
 
 clean-binPROGRAMS:
-	@list='$(bin_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 
 clean-checkPROGRAMS:
-	@list='$(check_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
+	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
 
 clean-noinstPROGRAMS:
-	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
-	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
-	  echo " rm -f $$p $$f"; \
-	  rm -f $$p $$f ; \
-	done
-gss$(EXEEXT): $(gss_OBJECTS) $(gss_DEPENDENCIES) 
-	@rm -f gss$(EXEEXT)
-	$(LINK) $(gss_OBJECTS) $(gss_LDADD) $(LIBS)
+	@list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+gsstool$(EXEEXT): $(gsstool_OBJECTS) $(gsstool_DEPENDENCIES) 
+	@rm -f gsstool$(EXEEXT)
+	$(LINK) $(gsstool_OBJECTS) $(gsstool_LDADD) $(LIBS)
 test_acquire_cred$(EXEEXT): $(test_acquire_cred_OBJECTS) $(test_acquire_cred_DEPENDENCIES) 
 	@rm -f test_acquire_cred$(EXEEXT)
 	$(LINK) $(test_acquire_cred_OBJECTS) $(test_acquire_cred_LDADD) $(LIBS)
-krb5/test_cfx.$(OBJEXT): krb5/$(am__dirstamp)
+krb5/test_cfx.$(OBJEXT): krb5/$(am__dirstamp) \
+	krb5/$(DEPDIR)/$(am__dirstamp)
 test_cfx$(EXEEXT): $(test_cfx_OBJECTS) $(test_cfx_DEPENDENCIES) 
 	@rm -f test_cfx$(EXEEXT)
 	$(LINK) $(test_cfx_OBJECTS) $(test_cfx_LDADD) $(LIBS)
@@ -1034,8 +1316,12 @@ mostlyclean-compile:
 	-rm -f krb5/add_cred.lo
 	-rm -f krb5/address_to_krb5addr.$(OBJEXT)
 	-rm -f krb5/address_to_krb5addr.lo
+	-rm -f krb5/aeap.$(OBJEXT)
+	-rm -f krb5/aeap.lo
 	-rm -f krb5/arcfour.$(OBJEXT)
 	-rm -f krb5/arcfour.lo
+	-rm -f krb5/authorize_localname.$(OBJEXT)
+	-rm -f krb5/authorize_localname.lo
 	-rm -f krb5/canonicalize_name.$(OBJEXT)
 	-rm -f krb5/canonicalize_name.lo
 	-rm -f krb5/ccache_name.$(OBJEXT)
@@ -1050,6 +1336,8 @@ mostlyclean-compile:
 	-rm -f krb5/context_time.lo
 	-rm -f krb5/copy_ccache.$(OBJEXT)
 	-rm -f krb5/copy_ccache.lo
+	-rm -f krb5/creds.$(OBJEXT)
+	-rm -f krb5/creds.lo
 	-rm -f krb5/decapsulate.$(OBJEXT)
 	-rm -f krb5/decapsulate.lo
 	-rm -f krb5/delete_sec_context.$(OBJEXT)
@@ -1094,6 +1382,8 @@ mostlyclean-compile:
 	-rm -f krb5/inquire_names_for_mech.lo
 	-rm -f krb5/inquire_sec_context_by_oid.$(OBJEXT)
 	-rm -f krb5/inquire_sec_context_by_oid.lo
+	-rm -f krb5/pname_to_uid.$(OBJEXT)
+	-rm -f krb5/pname_to_uid.lo
 	-rm -f krb5/prf.$(OBJEXT)
 	-rm -f krb5/prf.lo
 	-rm -f krb5/process_context_token.$(OBJEXT)
@@ -1110,27 +1400,39 @@ mostlyclean-compile:
 	-rm -f krb5/set_cred_option.lo
 	-rm -f krb5/set_sec_context_option.$(OBJEXT)
 	-rm -f krb5/set_sec_context_option.lo
+	-rm -f krb5/store_cred.$(OBJEXT)
+	-rm -f krb5/store_cred.lo
 	-rm -f krb5/test_cfx.$(OBJEXT)
 	-rm -f krb5/ticket_flags.$(OBJEXT)
 	-rm -f krb5/ticket_flags.lo
 	-rm -f krb5/unwrap.$(OBJEXT)
 	-rm -f krb5/unwrap.lo
-	-rm -f krb5/v1.$(OBJEXT)
-	-rm -f krb5/v1.lo
 	-rm -f krb5/verify_mic.$(OBJEXT)
 	-rm -f krb5/verify_mic.lo
 	-rm -f krb5/wrap.$(OBJEXT)
 	-rm -f krb5/wrap.lo
 	-rm -f mech/context.$(OBJEXT)
 	-rm -f mech/context.lo
+	-rm -f mech/doxygen.$(OBJEXT)
+	-rm -f mech/doxygen.lo
 	-rm -f mech/gss_accept_sec_context.$(OBJEXT)
 	-rm -f mech/gss_accept_sec_context.lo
 	-rm -f mech/gss_acquire_cred.$(OBJEXT)
 	-rm -f mech/gss_acquire_cred.lo
+	-rm -f mech/gss_acquire_cred_ext.$(OBJEXT)
+	-rm -f mech/gss_acquire_cred_ext.lo
+	-rm -f mech/gss_acquire_cred_with_password.$(OBJEXT)
+	-rm -f mech/gss_acquire_cred_with_password.lo
 	-rm -f mech/gss_add_cred.$(OBJEXT)
 	-rm -f mech/gss_add_cred.lo
+	-rm -f mech/gss_add_cred_with_password.$(OBJEXT)
+	-rm -f mech/gss_add_cred_with_password.lo
 	-rm -f mech/gss_add_oid_set_member.$(OBJEXT)
 	-rm -f mech/gss_add_oid_set_member.lo
+	-rm -f mech/gss_aeap.$(OBJEXT)
+	-rm -f mech/gss_aeap.lo
+	-rm -f mech/gss_authorize_localname.$(OBJEXT)
+	-rm -f mech/gss_authorize_localname.lo
 	-rm -f mech/gss_buffer_set.$(OBJEXT)
 	-rm -f mech/gss_buffer_set.lo
 	-rm -f mech/gss_canonicalize_name.$(OBJEXT)
@@ -1141,12 +1443,18 @@ mostlyclean-compile:
 	-rm -f mech/gss_context_time.lo
 	-rm -f mech/gss_create_empty_oid_set.$(OBJEXT)
 	-rm -f mech/gss_create_empty_oid_set.lo
+	-rm -f mech/gss_cred.$(OBJEXT)
+	-rm -f mech/gss_cred.lo
 	-rm -f mech/gss_decapsulate_token.$(OBJEXT)
 	-rm -f mech/gss_decapsulate_token.lo
+	-rm -f mech/gss_delete_name_attribute.$(OBJEXT)
+	-rm -f mech/gss_delete_name_attribute.lo
 	-rm -f mech/gss_delete_sec_context.$(OBJEXT)
 	-rm -f mech/gss_delete_sec_context.lo
 	-rm -f mech/gss_display_name.$(OBJEXT)
 	-rm -f mech/gss_display_name.lo
+	-rm -f mech/gss_display_name_ext.$(OBJEXT)
+	-rm -f mech/gss_display_name_ext.lo
 	-rm -f mech/gss_display_status.$(OBJEXT)
 	-rm -f mech/gss_display_status.lo
 	-rm -f mech/gss_duplicate_name.$(OBJEXT)
@@ -1157,10 +1465,14 @@ mostlyclean-compile:
 	-rm -f mech/gss_encapsulate_token.lo
 	-rm -f mech/gss_export_name.$(OBJEXT)
 	-rm -f mech/gss_export_name.lo
+	-rm -f mech/gss_export_name_composite.$(OBJEXT)
+	-rm -f mech/gss_export_name_composite.lo
 	-rm -f mech/gss_export_sec_context.$(OBJEXT)
 	-rm -f mech/gss_export_sec_context.lo
 	-rm -f mech/gss_get_mic.$(OBJEXT)
 	-rm -f mech/gss_get_mic.lo
+	-rm -f mech/gss_get_name_attribute.$(OBJEXT)
+	-rm -f mech/gss_get_name_attribute.lo
 	-rm -f mech/gss_import_name.$(OBJEXT)
 	-rm -f mech/gss_import_name.lo
 	-rm -f mech/gss_import_sec_context.$(OBJEXT)
@@ -1179,6 +1491,8 @@ mostlyclean-compile:
 	-rm -f mech/gss_inquire_cred_by_oid.lo
 	-rm -f mech/gss_inquire_mechs_for_name.$(OBJEXT)
 	-rm -f mech/gss_inquire_mechs_for_name.lo
+	-rm -f mech/gss_inquire_name.$(OBJEXT)
+	-rm -f mech/gss_inquire_name.lo
 	-rm -f mech/gss_inquire_names_for_mech.$(OBJEXT)
 	-rm -f mech/gss_inquire_names_for_mech.lo
 	-rm -f mech/gss_inquire_sec_context_by_oid.$(OBJEXT)
@@ -1187,12 +1501,18 @@ mostlyclean-compile:
 	-rm -f mech/gss_krb5.lo
 	-rm -f mech/gss_mech_switch.$(OBJEXT)
 	-rm -f mech/gss_mech_switch.lo
+	-rm -f mech/gss_mo.$(OBJEXT)
+	-rm -f mech/gss_mo.lo
 	-rm -f mech/gss_names.$(OBJEXT)
 	-rm -f mech/gss_names.lo
+	-rm -f mech/gss_oid.$(OBJEXT)
+	-rm -f mech/gss_oid.lo
 	-rm -f mech/gss_oid_equal.$(OBJEXT)
 	-rm -f mech/gss_oid_equal.lo
 	-rm -f mech/gss_oid_to_str.$(OBJEXT)
 	-rm -f mech/gss_oid_to_str.lo
+	-rm -f mech/gss_pname_to_uid.$(OBJEXT)
+	-rm -f mech/gss_pname_to_uid.lo
 	-rm -f mech/gss_process_context_token.$(OBJEXT)
 	-rm -f mech/gss_process_context_token.lo
 	-rm -f mech/gss_pseudo_random.$(OBJEXT)
@@ -1211,10 +1531,14 @@ mostlyclean-compile:
 	-rm -f mech/gss_seal.lo
 	-rm -f mech/gss_set_cred_option.$(OBJEXT)
 	-rm -f mech/gss_set_cred_option.lo
+	-rm -f mech/gss_set_name_attribute.$(OBJEXT)
+	-rm -f mech/gss_set_name_attribute.lo
 	-rm -f mech/gss_set_sec_context_option.$(OBJEXT)
 	-rm -f mech/gss_set_sec_context_option.lo
 	-rm -f mech/gss_sign.$(OBJEXT)
 	-rm -f mech/gss_sign.lo
+	-rm -f mech/gss_store_cred.$(OBJEXT)
+	-rm -f mech/gss_store_cred.lo
 	-rm -f mech/gss_test_oid_set_member.$(OBJEXT)
 	-rm -f mech/gss_test_oid_set_member.lo
 	-rm -f mech/gss_unseal.$(OBJEXT)
@@ -1243,12 +1567,12 @@ mostlyclean-compile:
 	-rm -f ntlm/compare_name.lo
 	-rm -f ntlm/context_time.$(OBJEXT)
 	-rm -f ntlm/context_time.lo
+	-rm -f ntlm/creds.$(OBJEXT)
+	-rm -f ntlm/creds.lo
 	-rm -f ntlm/crypto.$(OBJEXT)
 	-rm -f ntlm/crypto.lo
 	-rm -f ntlm/delete_sec_context.$(OBJEXT)
 	-rm -f ntlm/delete_sec_context.lo
-	-rm -f ntlm/digest.$(OBJEXT)
-	-rm -f ntlm/digest.lo
 	-rm -f ntlm/display_name.$(OBJEXT)
 	-rm -f ntlm/display_name.lo
 	-rm -f ntlm/display_status.$(OBJEXT)
@@ -1271,14 +1595,18 @@ mostlyclean-compile:
 	-rm -f ntlm/init_sec_context.lo
 	-rm -f ntlm/inquire_context.$(OBJEXT)
 	-rm -f ntlm/inquire_context.lo
-	-rm -f ntlm/inquire_cred.$(OBJEXT)
-	-rm -f ntlm/inquire_cred.lo
 	-rm -f ntlm/inquire_cred_by_mech.$(OBJEXT)
 	-rm -f ntlm/inquire_cred_by_mech.lo
 	-rm -f ntlm/inquire_mechs_for_name.$(OBJEXT)
 	-rm -f ntlm/inquire_mechs_for_name.lo
 	-rm -f ntlm/inquire_names_for_mech.$(OBJEXT)
 	-rm -f ntlm/inquire_names_for_mech.lo
+	-rm -f ntlm/inquire_sec_context_by_oid.$(OBJEXT)
+	-rm -f ntlm/inquire_sec_context_by_oid.lo
+	-rm -f ntlm/iter_cred.$(OBJEXT)
+	-rm -f ntlm/iter_cred.lo
+	-rm -f ntlm/kdc.$(OBJEXT)
+	-rm -f ntlm/kdc.lo
 	-rm -f ntlm/process_context_token.$(OBJEXT)
 	-rm -f ntlm/process_context_token.lo
 	-rm -f ntlm/release_cred.$(OBJEXT)
@@ -1301,14 +1629,211 @@ mostlyclean-compile:
 distclean-compile:
 	-rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_ContextFlags.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_GSSAPIContextToken.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_MechType.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_MechTypeList.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_NegHints.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_NegTokenInit.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_NegTokenInitWin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_NegTokenResp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_NegotiationToken.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_NegotiationTokenWin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gkrb5_err.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gss-commands.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gsstool.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_acquire_cred.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_common.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_context.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cred.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_kcred.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_names.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_ntlm.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_oid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/8003.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/accept_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/acquire_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/add_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/address_to_krb5addr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/aeap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/arcfour.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/authorize_localname.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/canonicalize_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/ccache_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/cfx.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/compare_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/compat.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/context_time.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/copy_ccache.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/decapsulate.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/delete_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/display_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/display_status.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/duplicate_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/encapsulate.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/export_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/export_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/external.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/get_mic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/import_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/import_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/indicate_mechs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/init.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/init_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/inquire_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/inquire_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/inquire_cred_by_mech.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/inquire_cred_by_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/inquire_mechs_for_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/inquire_names_for_mech.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/inquire_sec_context_by_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/pname_to_uid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/process_context_token.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/release_buffer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/release_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/release_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/sequence.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/set_cred_option.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/set_sec_context_option.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/store_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/test_cfx.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/ticket_flags.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/unwrap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/verify_mic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@krb5/$(DEPDIR)/wrap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/doxygen.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_accept_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_acquire_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_acquire_cred_ext.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_acquire_cred_with_password.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_add_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_add_cred_with_password.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_add_oid_set_member.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_aeap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_authorize_localname.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_buffer_set.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_canonicalize_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_compare_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_context_time.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_create_empty_oid_set.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_decapsulate_token.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_delete_name_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_delete_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_display_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_display_name_ext.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_display_status.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_duplicate_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_duplicate_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_encapsulate_token.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_export_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_export_name_composite.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_export_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_get_mic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_get_name_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_import_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_import_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_indicate_mechs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_init_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_cred_by_mech.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_cred_by_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_mechs_for_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_names_for_mech.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_inquire_sec_context_by_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_krb5.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_mech_switch.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_mo.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_names.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_oid_equal.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_oid_to_str.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_pname_to_uid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_process_context_token.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_pseudo_random.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_release_buffer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_release_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_release_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_release_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_release_oid_set.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_seal.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_set_cred_option.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_set_name_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_set_sec_context_option.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_sign.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_store_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_test_oid_set_member.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_unseal.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_unwrap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_utils.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_verify.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_verify_mic.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_wrap.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@mech/$(DEPDIR)/gss_wrap_size_limit.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/accept_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/acquire_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/add_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/canonicalize_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/compare_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/context_time.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/delete_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/display_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/display_status.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/duplicate_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/export_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/export_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/external.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/import_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/import_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/indicate_mechs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/init_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/inquire_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/inquire_cred_by_mech.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/inquire_mechs_for_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/inquire_names_for_mech.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/inquire_sec_context_by_oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/iter_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/kdc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/process_context_token.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/release_cred.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@ntlm/$(DEPDIR)/release_name.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@spnego/$(DEPDIR)/accept_sec_context.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@spnego/$(DEPDIR)/compat.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@spnego/$(DEPDIR)/context_stubs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@spnego/$(DEPDIR)/cred_stubs.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@spnego/$(DEPDIR)/external.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@spnego/$(DEPDIR)/init_sec_context.Plo@am__quote@
+
 .c.o:
-	$(COMPILE) -c -o $@ $<
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ $<
 
 .c.obj:
-	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
 
 .c.lo:
-	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_TRUE@	depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -1319,202 +1844,203 @@ clean-libtool:
 	-rm -rf mech/.libs mech/_libs
 	-rm -rf ntlm/.libs ntlm/_libs
 	-rm -rf spnego/.libs spnego/_libs
-install-man3: $(man3_MANS) $(man_MANS)
+install-man3: $(man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man3dir)" || $(MKDIR_P) "$(DESTDIR)$(man3dir)"
-	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.3*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man3dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.3[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    3*) ;; \
-	    *) ext='3' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man3:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.3*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    3*) ;; \
-	    *) ext='3' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
-	done
-install-man5: $(man5_MANS) $(man_MANS)
+	@list=''; test -n "$(man3dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.3[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man3dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man3dir)" && rm -f $$files; }
+install-man5: $(man_MANS)
 	@$(NORMAL_INSTALL)
 	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
-	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.5*) list="$$list $$i" ;; \
-	  esac; \
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	{ for i in $$list; do echo "$$i"; done; \
+	l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | while read p; do \
+	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	  echo "$$d$$p"; echo "$$p"; \
+	done | \
+	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+	sed 'N;N;s,\n, ,g' | { \
+	list=; while read file base inst; do \
+	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
+	  fi; \
 	done; \
-	for i in $$list; do \
-	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
-	  else file=$$i; fi; \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    5*) ;; \
-	    *) ext='5' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
-	  $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
-	done
+	for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+	while read files; do \
+	  test -z "$$files" || { \
+	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
+	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
+	done; }
+
 uninstall-man5:
 	@$(NORMAL_UNINSTALL)
-	@list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
-	l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
-	for i in $$l2; do \
-	  case "$$i" in \
-	    *.5*) list="$$list $$i" ;; \
-	  esac; \
-	done; \
-	for i in $$list; do \
-	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
-	  case "$$ext" in \
-	    5*) ;; \
-	    *) ext='5' ;; \
-	  esac; \
-	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
-	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
-	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
-	  echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
-	  rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
-	done
+	@list=''; test -n "$(man5dir)" || exit 0; \
+	files=`{ for i in $$list; do echo "$$i"; done; \
+	l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	  sed -n '/\.5[a-z]*$$/p'; \
+	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
+	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+	test -z "$$files" || { \
+	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
+	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
 install-includeHEADERS: $(include_HEADERS)
 	@$(NORMAL_INSTALL)
 	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
-	@list='$(include_HEADERS)'; for p in $$list; do \
+	@list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
-	  $(includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \
+	  $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \
 	done
 
 uninstall-includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(include_HEADERS)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
-	done
+	@list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(includedir)" && rm -f $$files
 install-nobase_includeHEADERS: $(nobase_include_HEADERS)
 	@$(NORMAL_INSTALL)
 	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
-	@$(am__vpath_adj_setup) \
-	list='$(nobase_include_HEADERS)'; for p in $$list; do \
-	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  $(am__vpath_adj) \
-	  echo " $(nobase_includeHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(includedir)/$$f'"; \
-	  $(nobase_includeHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(includedir)/$$f"; \
+	@list='$(nobase_include_HEADERS)'; test -n "$(includedir)" || list=; \
+	$(am__nobase_list) | while read dir files; do \
+	  xfiles=; for file in $$files; do \
+	    if test -f "$$file"; then xfiles="$$xfiles $$file"; \
+	    else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
+	  test -z "$$xfiles" || { \
+	    test "x$$dir" = x. || { \
+	      echo "$(MKDIR_P) '$(DESTDIR)$(includedir)/$$dir'"; \
+	      $(MKDIR_P) "$(DESTDIR)$(includedir)/$$dir"; }; \
+	    echo " $(INSTALL_HEADER) $$xfiles '$(DESTDIR)$(includedir)/$$dir'"; \
+	    $(INSTALL_HEADER) $$xfiles "$(DESTDIR)$(includedir)/$$dir" || exit $$?; }; \
 	done
 
 uninstall-nobase_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
-	@$(am__vpath_adj_setup) \
-	list='$(nobase_include_HEADERS)'; for p in $$list; do \
-	  $(am__vpath_adj) \
-	  echo " rm -f '$(DESTDIR)$(includedir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(includedir)/$$f"; \
-	done
+	@list='$(nobase_include_HEADERS)'; test -n "$(includedir)" || list=; \
+	$(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(includedir)" && rm -f $$files
 install-nodist_gssapiHEADERS: $(nodist_gssapi_HEADERS)
 	@$(NORMAL_INSTALL)
 	test -z "$(gssapidir)" || $(MKDIR_P) "$(DESTDIR)$(gssapidir)"
-	@list='$(nodist_gssapi_HEADERS)'; for p in $$list; do \
+	@list='$(nodist_gssapi_HEADERS)'; test -n "$(gssapidir)" || list=; \
+	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
-	  f=$(am__strip_dir) \
-	  echo " $(nodist_gssapiHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(gssapidir)/$$f'"; \
-	  $(nodist_gssapiHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(gssapidir)/$$f"; \
+	  echo "$$d$$p"; \
+	done | $(am__base_list) | \
+	while read files; do \
+	  echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(gssapidir)'"; \
+	  $(INSTALL_HEADER) $$files "$(DESTDIR)$(gssapidir)" || exit $$?; \
 	done
 
 uninstall-nodist_gssapiHEADERS:
 	@$(NORMAL_UNINSTALL)
-	@list='$(nodist_gssapi_HEADERS)'; for p in $$list; do \
-	  f=$(am__strip_dir) \
-	  echo " rm -f '$(DESTDIR)$(gssapidir)/$$f'"; \
-	  rm -f "$(DESTDIR)$(gssapidir)/$$f"; \
-	done
+	@list='$(nodist_gssapi_HEADERS)'; test -n "$(gssapidir)" || list=; \
+	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+	test -n "$$files" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(gssapidir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(gssapidir)" && rm -f $$files
 
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '    { files[$$0] = 1; } \
-	       END { for (i in files) print i; }'`; \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
 
 TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
+	set x; \
 	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '    { files[$$0] = 1; } \
-	       END { for (i in files) print i; }'`; \
-	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
-	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	    $$tags $$unique; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
 	fi
 ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
-	tags=; \
-	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '    { files[$$0] = 1; } \
-	       END { for (i in files) print i; }'`; \
-	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$tags $$unique
+	     $$unique
 
 GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && cd $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) $$here
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 check-TESTS: $(TESTS)
-	@failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[	 ]'; \
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
 	srcdir=$(srcdir); export srcdir; \
 	list=' $(TESTS) '; \
+	$(am__tty_colors); \
 	if test -n "$$list"; then \
 	  for tst in $$list; do \
 	    if test -f ./$$tst; then dir=./; \
@@ -1523,49 +2049,63 @@ check-TESTS: $(TESTS)
 	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *$$ws$$tst$$ws*) \
+	      *[\ \	]$$tst[\ \	]*) \
 		xpass=`expr $$xpass + 1`; \
 		failed=`expr $$failed + 1`; \
-		echo "XPASS: $$tst"; \
+		col=$$red; res=XPASS; \
 	      ;; \
 	      *) \
-		echo "PASS: $$tst"; \
+		col=$$grn; res=PASS; \
 	      ;; \
 	      esac; \
 	    elif test $$? -ne 77; then \
 	      all=`expr $$all + 1`; \
 	      case " $(XFAIL_TESTS) " in \
-	      *$$ws$$tst$$ws*) \
+	      *[\ \	]$$tst[\ \	]*) \
 		xfail=`expr $$xfail + 1`; \
-		echo "XFAIL: $$tst"; \
+		col=$$lgn; res=XFAIL; \
 	      ;; \
 	      *) \
 		failed=`expr $$failed + 1`; \
-		echo "FAIL: $$tst"; \
+		col=$$red; res=FAIL; \
 	      ;; \
 	      esac; \
 	    else \
 	      skip=`expr $$skip + 1`; \
-	      echo "SKIP: $$tst"; \
+	      col=$$blu; res=SKIP; \
 	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
 	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
 	  if test "$$failed" -eq 0; then \
 	    if test "$$xfail" -eq 0; then \
-	      banner="All $$all tests passed"; \
+	      banner="$$All$$all $$tests passed"; \
 	    else \
-	      banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
 	    fi; \
 	  else \
 	    if test "$$xpass" -eq 0; then \
-	      banner="$$failed of $$all tests failed"; \
+	      banner="$$failed of $$all $$tests failed"; \
 	    else \
-	      banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
 	    fi; \
 	  fi; \
 	  dashes="$$banner"; \
 	  skipped=""; \
 	  if test "$$skip" -ne 0; then \
-	    skipped="($$skip tests were not run)"; \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
 	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
 	      dashes="$$skipped"; \
 	  fi; \
@@ -1576,15 +2116,32 @@ check-TESTS: $(TESTS)
 	      dashes="$$report"; \
 	  fi; \
 	  dashes=`echo "$$dashes" | sed s/./=/g`; \
-	  echo "$$dashes"; \
+	  if test "$$failed" -eq 0; then \
+	    echo "$$grn$$dashes"; \
+	  else \
+	    echo "$$red$$dashes"; \
+	  fi; \
 	  echo "$$banner"; \
 	  test -z "$$skipped" || echo "$$skipped"; \
 	  test -z "$$report" || echo "$$report"; \
-	  echo "$$dashes"; \
+	  echo "$$dashes$$std"; \
 	  test "$$failed" -eq 0; \
 	else :; fi
 
 distdir: $(DISTFILES)
+	@list='$(MANS)'; if test -n "$$list"; then \
+	  list=`for p in $$list; do \
+	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+	  if test -n "$$list" && \
+	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \
+	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+	    echo "       typically \`make maintainer-clean' will remove them" >&2; \
+	    exit 1; \
+	  else :; fi; \
+	else :; fi
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
 	list='$(DISTFILES)'; \
@@ -1600,13 +2157,17 @@ distdir: $(DISTFILES)
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
 	  if test -d $$d/$$file; then \
 	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
 	    fi; \
-	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
 	  else \
-	    test -f $(distdir)/$$file \
-	    || cp -p $$d/$$file $(distdir)/$$file \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
 	    || exit 1; \
 	  fi; \
 	done
@@ -1648,9 +2209,14 @@ clean-generic:
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f krb5/$(DEPDIR)/$(am__dirstamp)
 	-rm -f krb5/$(am__dirstamp)
+	-rm -f mech/$(DEPDIR)/$(am__dirstamp)
 	-rm -f mech/$(am__dirstamp)
+	-rm -f ntlm/$(DEPDIR)/$(am__dirstamp)
 	-rm -f ntlm/$(am__dirstamp)
+	-rm -f spnego/$(DEPDIR)/$(am__dirstamp)
 	-rm -f spnego/$(am__dirstamp)
 
 maintainer-clean-generic:
@@ -1664,6 +2230,7 @@ clean-am: clean-binPROGRAMS clean-checkPROGRAMS clean-generic \
 	mostlyclean-am
 
 distclean: distclean-am
+	-rm -rf ./$(DEPDIR) krb5/$(DEPDIR) mech/$(DEPDIR) ntlm/$(DEPDIR) spnego/$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
@@ -1674,6 +2241,8 @@ dvi-am:
 
 html: html-am
 
+html-am:
+
 info: info-am
 
 info-am:
@@ -1682,26 +2251,35 @@ install-data-am: install-includeHEADERS install-man \
 	install-nobase_includeHEADERS install-nodist_gssapiHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
-
 install-dvi: install-dvi-am
 
+install-dvi-am:
+
 install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
-
 install-html: install-html-am
 
+install-html-am:
+
 install-info: install-info-am
 
+install-info-am:
+
 install-man: install-man3 install-man5
 
 install-pdf: install-pdf-am
 
+install-pdf-am:
+
 install-ps: install-ps-am
 
+install-ps-am:
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR) krb5/$(DEPDIR) mech/$(DEPDIR) ntlm/$(DEPDIR) spnego/$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
@@ -1723,11 +2301,10 @@ uninstall-am: uninstall-binPROGRAMS uninstall-includeHEADERS \
 	uninstall-nobase_includeHEADERS uninstall-nodist_gssapiHEADERS
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
-
 uninstall-man: uninstall-man3 uninstall-man5
 
-.MAKE: install-am install-data-am install-exec-am install-strip \
-	uninstall-am
+.MAKE: all check check-am install install-am install-data-am \
+	install-exec-am install-strip uninstall-am
 
 .PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
 	check-local clean clean-binPROGRAMS clean-checkPROGRAMS \
@@ -1821,6 +2398,9 @@ check-local::
 
 .x.c:
 	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+.hx.h:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
 #NROFF_MAN = nroff -man
 .1.cat1:
 	$(NROFF_MAN) $< > $@
@@ -1906,7 +2486,7 @@ uninstall-hook: uninstall-cat-mans
 check-valgrind:
 	tobjdir=`cd $(top_builddir) && pwd` ; \
 	tsrcdir=`cd $(top_srcdir) && pwd` ; \
-	env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check
+	env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
 
 #
 # Target to please samba build farm, builds distfiles in-tree.
@@ -1923,20 +2503,19 @@ distdir-in-tree: $(DISTFILES) $(INFO_DEPS)
 $(srcdir)/ntlm/ntlm-private.h:
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p ntlm/ntlm-private.h $(ntlmsrc) || rm -f ntlm/ntlm-private.h
 
-$(libgssapi_la_OBJECTS): $(srcdir)/krb5/gsskrb5-private.h
-$(libgssapi_la_OBJECTS): $(srcdir)/spnego/spnego-private.h
-$(libgssapi_la_OBJECTS): $(srcdir)/ntlm/ntlm-private.h
+$(libgssapi_la_OBJECTS): $(BUILTHEADERS)
+$(test_context_OBJECTS): $(BUILTHEADERS)
 
 $(libgssapi_la_OBJECTS): $(srcdir)/version-script.map
 
-$(spnego_files) spnego_asn1.h: spnego_asn1_files
-$(gssapi_files) gssapi_asn1.h: gssapi_asn1_files
+$(spnego_files) spnego_asn1.hx spnego_asn1-priv.hx: spnego_asn1_files
+$(gssapi_files) gssapi_asn1.hx gssapi_asn1-priv.hx: gssapi_asn1_files
 
-spnego_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/spnego/spnego.asn1
-	../asn1/asn1_compile$(EXEEXT) --sequence=MechTypeList $(srcdir)/spnego/spnego.asn1 spnego_asn1
+spnego_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/spnego/spnego.asn1 $(srcdir)/spnego/spnego.opt
+	$(ASN1_COMPILE) --option-file=$(srcdir)/spnego/spnego.opt $(srcdir)/spnego/spnego.asn1 spnego_asn1
 
-gssapi_asn1_files: ../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1
-	../asn1/asn1_compile$(EXEEXT) $(srcdir)/mech/gssapi.asn1 gssapi_asn1
+gssapi_asn1_files: $(ASN1_COMPILE_DEP) $(srcdir)/mech/gssapi.asn1
+	$(ASN1_COMPILE) $(srcdir)/mech/gssapi.asn1 gssapi_asn1
 
 $(srcdir)/krb5/gsskrb5-private.h:
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p krb5/gsskrb5-private.h $(krb5src) || rm -f krb5/gsskrb5-private.h
@@ -1947,14 +2526,19 @@ $(srcdir)/spnego/spnego-private.h:
 gss-commands.c gss-commands.h: gss-commands.in
 	$(SLC) $(srcdir)/gss-commands.in
 
-$(gss_OBJECTS): gss-commands.h
-
-# to help stupid solaris make
+$(gsstool_OBJECTS): gss-commands.h
 
-$(libgssapi_la_OBJECTS): gkrb5_err.h gssapi_asn1.h spnego_asn1.h
+$(libgssapi_la_OBJECTS): gkrb5_err.h gssapi_asn1.h gssapi_asn1-priv.h
+$(libgssapi_la_OBJECTS): spnego_asn1.h spnego_asn1-priv.h
+$(libgssapi_la_OBJECTS): $(srcdir)/gssapi/gssapi_oid.h
 
 gkrb5_err.h gkrb5_err.c: $(srcdir)/krb5/gkrb5_err.et
 	$(COMPILE_ET) $(srcdir)/krb5/gkrb5_err.et
+
+$(srcdir)/gssapi/gssapi_oid.h $(srcdir)/mech/gss_oid.c:
+	perl $(srcdir)/gen-oid.pl -b base -h $(srcdir)/oid.txt > $(srcdir)/gssapi/gssapi_oid.h
+	perl $(srcdir)/gen-oid.pl -b base $(srcdir)/oid.txt > $(srcdir)/mech/gss_oid.c
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/lib/gssapi/NTMakefile b/lib/gssapi/NTMakefile
new file mode 100644
index 000000000000..ecf44ba4d856
--- /dev/null
+++ b/lib/gssapi/NTMakefile
@@ -0,0 +1,639 @@
+########################################################################
+#
+# Copyright (c) 2009-2011, Secure Endpoints Inc.
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 
+# - Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+# 
+# - Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+# 
+
+RELDIR=lib\gssapi 
+
+!include ../../windows/NTMakefile.w32 
+
+krb5src = \
+	krb5/8003.c \
+	krb5/accept_sec_context.c \
+	krb5/acquire_cred.c \
+	krb5/add_cred.c \
+	krb5/address_to_krb5addr.c \
+	krb5/aeap.c \
+	krb5/arcfour.c \
+        krb5/authorize_localname.c \
+	krb5/canonicalize_name.c \
+	krb5/creds.c \
+	krb5/ccache_name.c \
+	krb5/cfx.c \
+	krb5/cfx.h \
+	krb5/compare_name.c \
+	krb5/compat.c \
+	krb5/context_time.c \
+	krb5/copy_ccache.c \
+	krb5/decapsulate.c \
+	krb5/delete_sec_context.c \
+	krb5/display_name.c \
+	krb5/display_status.c \
+	krb5/duplicate_name.c \
+	krb5/encapsulate.c \
+	krb5/export_name.c \
+	krb5/export_sec_context.c \
+	krb5/external.c \
+	krb5/get_mic.c \
+	krb5/gsskrb5_locl.h \
+	krb5/import_name.c \
+	krb5/import_sec_context.c \
+	krb5/indicate_mechs.c \
+	krb5/init.c \
+	krb5/init_sec_context.c \
+	krb5/inquire_context.c \
+	krb5/inquire_cred.c \
+	krb5/inquire_cred_by_mech.c \
+	krb5/inquire_cred_by_oid.c \
+	krb5/inquire_mechs_for_name.c \
+	krb5/inquire_names_for_mech.c \
+	krb5/inquire_sec_context_by_oid.c \
+        krb5/pname_to_uid.c \
+	krb5/process_context_token.c \
+	krb5/prf.c \
+	krb5/release_buffer.c \
+	krb5/release_cred.c \
+	krb5/release_name.c \
+	krb5/sequence.c \
+	krb5/store_cred.c \
+	krb5/set_cred_option.c \
+	krb5/set_sec_context_option.c \
+	krb5/ticket_flags.c \
+	krb5/unwrap.c \
+	krb5/verify_mic.c \
+	krb5/wrap.c
+
+mechsrc = \
+	mech/context.h \
+	mech/context.c \
+	mech/cred.h \
+	mech/gss_accept_sec_context.c \
+	mech/gss_acquire_cred.c \
+	mech/gss_acquire_cred_ext.c \
+	mech/gss_acquire_cred_with_password.c \
+	mech/gss_add_cred.c \
+	mech/gss_add_cred_with_password.c \
+	mech/gss_add_oid_set_member.c \
+	mech/gss_aeap.c \
+        mech/gss_authorize_localname.c \
+	mech/gss_buffer_set.c \
+	mech/gss_canonicalize_name.c \
+	mech/gss_compare_name.c \
+	mech/gss_context_time.c \
+	mech/gss_create_empty_oid_set.c \
+	mech/gss_cred.c \
+	mech/gss_decapsulate_token.c \
+	mech/gss_delete_name_attribute.c \
+	mech/gss_delete_sec_context.c \
+	mech/gss_display_name.c \
+	mech/gss_display_name_ext.c \
+	mech/gss_display_status.c \
+	mech/gss_duplicate_name.c \
+	mech/gss_duplicate_oid.c \
+	mech/gss_encapsulate_token.c \
+	mech/gss_export_name.c \
+	mech/gss_export_name_composite.c \
+	mech/gss_export_sec_context.c \
+	mech/gss_get_mic.c \
+	mech/gss_get_name_attribute.c \
+	mech/gss_import_name.c \
+	mech/gss_import_sec_context.c \
+	mech/gss_indicate_mechs.c \
+	mech/gss_init_sec_context.c \
+	mech/gss_inquire_context.c \
+	mech/gss_inquire_cred.c \
+	mech/gss_inquire_cred_by_mech.c \
+	mech/gss_inquire_cred_by_oid.c \
+	mech/gss_inquire_mechs_for_name.c \
+	mech/gss_inquire_name.c \
+	mech/gss_inquire_names_for_mech.c \
+	mech/gss_krb5.c \
+	mech/gss_mech_switch.c \
+	mech/gss_mo.c \
+	mech/gss_names.c \
+	mech/gss_oid.c \
+	mech/gss_oid_equal.c \
+	mech/gss_oid_to_str.c \
+	mech/gss_pname_to_uid.c \
+	mech/gss_process_context_token.c \
+	mech/gss_pseudo_random.c \
+	mech/gss_release_buffer.c \
+	mech/gss_release_cred.c \
+	mech/gss_release_name.c \
+	mech/gss_release_oid.c \
+	mech/gss_release_oid_set.c \
+	mech/gss_seal.c \
+	mech/gss_set_cred_option.c \
+	mech/gss_set_name_attribute.c \
+	mech/gss_set_sec_context_option.c \
+	mech/gss_sign.c \
+	mech/gss_store_cred.c \
+	mech/gss_test_oid_set_member.c \
+	mech/gss_unseal.c \
+	mech/gss_unwrap.c \
+	mech/gss_utils.c \
+	mech/gss_verify.c \
+	mech/gss_verify_mic.c \
+	mech/gss_wrap.c \
+	mech/gss_wrap_size_limit.c \
+	mech/gss_inquire_sec_context_by_oid.c \
+	mech/mech_switch.h \
+	mech/mechqueue.h \
+	mech/mech_locl.h \
+	mech/name.h \
+	mech/utils.h
+
+spnegosrc = \
+	spnego/accept_sec_context.c \
+	spnego/compat.c \
+	spnego/context_stubs.c \
+	spnego/cred_stubs.c \
+	spnego/external.c \
+	spnego/init_sec_context.c \
+	spnego/spnego_locl.h
+
+ntlmsrc = \
+	ntlm/accept_sec_context.c \
+	ntlm/acquire_cred.c \
+	ntlm/add_cred.c \
+	ntlm/canonicalize_name.c \
+	ntlm/compare_name.c \
+	ntlm/context_time.c \
+        ntlm/creds.c \
+	ntlm/crypto.c \
+	ntlm/delete_sec_context.c \
+	ntlm/display_name.c \
+	ntlm/display_status.c \
+	ntlm/duplicate_name.c \
+	ntlm/export_name.c \
+	ntlm/export_sec_context.c \
+	ntlm/external.c \
+	ntlm/ntlm.h \
+	ntlm/import_name.c \
+	ntlm/import_sec_context.c \
+	ntlm/indicate_mechs.c \
+	ntlm/init_sec_context.c \
+	ntlm/inquire_context.c \
+	ntlm/inquire_cred_by_mech.c \
+	ntlm/inquire_mechs_for_name.c \
+	ntlm/inquire_names_for_mech.c \
+        ntlm/inquire_sec_context_by_oid.c \
+        ntlm/iter_cred.c \
+	ntlm/process_context_token.c \
+	ntlm/release_cred.c \
+	ntlm/release_name.c \
+	ntlm/kdc.c
+
+$(OBJ)\ntlm\ntlm-private.h: $(ntlmsrc)
+	$(PERL) ../../cf/make-proto.pl -q -P remove -p $@ $(ntlmsrc)
+
+$(OBJ)\krb5\gsskrb5-private.h: $(krb5src)
+	$(PERL) ../../cf/make-proto.pl -q -P remove -p $@ $(krb5src)
+
+$(OBJ)\spnego\spnego-private.h: $(spnegosrc)
+	$(PERL) ../../cf/make-proto.pl -q -P remove -p $@ $(spnegosrc)
+
+gssapi_files = $(OBJ)\gssapi\asn1_gssapi_asn1.x
+
+spnego_files = $(OBJ)\spnego\asn1_spnego_asn1.x
+
+$(gssapi_files:.x=.c): $$(@R).x
+
+$(spnego_files:.x=.c): $$(@R).x
+
+$(gssapi_files) $(OBJ)\gssapi\gssapi_asn1.hx $(OBJ)\gssapi\gssapi_asn1-priv.hx: \
+$(BINDIR)\asn1_compile.exe mech\gssapi.asn1
+	cd $(OBJ)\gssapi
+	$(BINDIR)\asn1_compile.exe --one-code-file $(SRCDIR)\mech\gssapi.asn1 gssapi_asn1 \
+	|| ( $(RM) $(OBJ)\gssapi\gssapi_asn1.h ; exit /b 1 )
+	cd $(SRCDIR)
+
+$(spnego_files) $(OBJ)\spnego\spnego_asn1.hx $(OBJ)\spnego\spnego_asn1-priv.hx: \
+$(BINDIR)\asn1_compile.exe spnego\spnego.asn1
+	cd $(OBJ)\spnego
+	$(BINDIR)\asn1_compile --one-code-file --sequence=MechTypeList \
+		$(SRCDIR)\spnego\spnego.asn1 spnego_asn1 \
+	|| ( $(RM) $(OBJ)\spnego\spnego_asn1.h ; exit /b 1 )
+	cd $(SRCDIR)
+
+$(OBJ)\gkrb5_err.c $(OBJ)\gkrb5_err.h: krb5\gkrb5_err.et
+	cd $(OBJ)
+	$(BINDIR)\compile_et.exe $(SRCDIR)\krb5\gkrb5_err.et
+	cd $(SRCDIR)
+
+INCFILES=				\
+    $(INCDIR)\gssapi.h			\
+    $(INCDIR)\gssapi\gssapi.h		\
+    $(INCDIR)\gssapi\gssapi_krb5.h	\
+    $(INCDIR)\gssapi\gssapi_oid.h	\
+    $(INCDIR)\gssapi\gssapi_ntlm.h	\
+    $(INCDIR)\gssapi\gssapi_spnego.h	\
+    $(INCDIR)\gssapi\gkrb5_err.h	\
+    $(OBJ)\ntlm\ntlm-private.h		\
+    $(OBJ)\spnego\spnego-private.h	\
+    $(OBJ)\krb5\gsskrb5-private.h	\
+    $(OBJ)\gkrb5_err.h			\
+    $(OBJ)\gssapi\gssapi_asn1.h		\
+    $(OBJ)\gssapi\gssapi_asn1-priv.h	\
+    $(OBJ)\spnego\spnego_asn1.h		\
+    $(OBJ)\spnego\spnego_asn1-priv.h
+
+all:: $(INCFILES)
+
+libgssapi_OBJs = \
+	$(OBJ)\krb5/8003.obj \
+	$(OBJ)\krb5/accept_sec_context.obj \
+	$(OBJ)\krb5/acquire_cred.obj \
+	$(OBJ)\krb5/add_cred.obj \
+	$(OBJ)\krb5/address_to_krb5addr.obj \
+        $(OBJ)\krb5/authorize_localname.obj \
+	$(OBJ)\krb5/aeap.obj \
+	$(OBJ)\krb5/arcfour.obj \
+	$(OBJ)\krb5/canonicalize_name.obj \
+	$(OBJ)\krb5/creds.obj \
+	$(OBJ)\krb5/ccache_name.obj \
+	$(OBJ)\krb5/cfx.obj \
+	$(OBJ)\krb5/compare_name.obj \
+	$(OBJ)\krb5/compat.obj \
+	$(OBJ)\krb5/context_time.obj \
+	$(OBJ)\krb5/copy_ccache.obj \
+	$(OBJ)\krb5/decapsulate.obj \
+	$(OBJ)\krb5/delete_sec_context.obj \
+	$(OBJ)\krb5/display_name.obj \
+	$(OBJ)\krb5/display_status.obj \
+	$(OBJ)\krb5/duplicate_name.obj \
+	$(OBJ)\krb5/encapsulate.obj \
+	$(OBJ)\krb5/export_name.obj \
+	$(OBJ)\krb5/export_sec_context.obj \
+	$(OBJ)\krb5/external.obj \
+	$(OBJ)\krb5/get_mic.obj \
+	$(OBJ)\krb5/import_name.obj \
+	$(OBJ)\krb5/import_sec_context.obj \
+	$(OBJ)\krb5/indicate_mechs.obj \
+	$(OBJ)\krb5/init.obj \
+	$(OBJ)\krb5/init_sec_context.obj \
+	$(OBJ)\krb5/inquire_context.obj \
+	$(OBJ)\krb5/inquire_cred.obj \
+	$(OBJ)\krb5/inquire_cred_by_mech.obj \
+	$(OBJ)\krb5/inquire_cred_by_oid.obj \
+	$(OBJ)\krb5/inquire_mechs_for_name.obj \
+	$(OBJ)\krb5/inquire_names_for_mech.obj \
+	$(OBJ)\krb5/inquire_sec_context_by_oid.obj \
+        $(OBJ)\krb5/pname_to_uid.obj \
+	$(OBJ)\krb5/process_context_token.obj \
+	$(OBJ)\krb5/prf.obj \
+	$(OBJ)\krb5/release_buffer.obj \
+	$(OBJ)\krb5/release_cred.obj \
+	$(OBJ)\krb5/release_name.obj \
+	$(OBJ)\krb5/sequence.obj \
+	$(OBJ)\krb5/store_cred.obj \
+	$(OBJ)\krb5/set_cred_option.obj \
+	$(OBJ)\krb5/set_sec_context_option.obj \
+	$(OBJ)\krb5/ticket_flags.obj \
+	$(OBJ)\krb5/unwrap.obj \
+	$(OBJ)\krb5/verify_mic.obj \
+	$(OBJ)\krb5/wrap.obj \
+	$(OBJ)\mech/context.obj \
+	$(OBJ)\mech/gss_accept_sec_context.obj \
+	$(OBJ)\mech/gss_acquire_cred.obj \
+	$(OBJ)\mech/gss_acquire_cred_ext.obj \
+	$(OBJ)\mech/gss_acquire_cred_with_password.obj \
+	$(OBJ)\mech/gss_add_cred.obj \
+	$(OBJ)\mech/gss_add_cred_with_password.obj \
+	$(OBJ)\mech/gss_add_oid_set_member.obj \
+	$(OBJ)\mech/gss_aeap.obj \
+	$(OBJ)\mech/gss_authorize_localname.obj \
+	$(OBJ)\mech/gss_buffer_set.obj \
+	$(OBJ)\mech/gss_canonicalize_name.obj \
+	$(OBJ)\mech/gss_compare_name.obj \
+	$(OBJ)\mech/gss_context_time.obj \
+	$(OBJ)\mech/gss_create_empty_oid_set.obj \
+	$(OBJ)\mech/gss_cred.obj \
+	$(OBJ)\mech/gss_decapsulate_token.obj \
+	$(OBJ)\mech/gss_delete_name_attribute.obj \
+	$(OBJ)\mech/gss_delete_sec_context.obj \
+	$(OBJ)\mech/gss_display_name.obj \
+	$(OBJ)\mech/gss_display_name_ext.obj \
+	$(OBJ)\mech/gss_display_status.obj \
+	$(OBJ)\mech/gss_duplicate_name.obj \
+	$(OBJ)\mech/gss_duplicate_oid.obj \
+	$(OBJ)\mech/gss_encapsulate_token.obj \
+	$(OBJ)\mech/gss_export_name.obj \
+	$(OBJ)\mech/gss_export_name_composite.obj \
+	$(OBJ)\mech/gss_export_sec_context.obj \
+	$(OBJ)\mech/gss_get_mic.obj \
+	$(OBJ)\mech/gss_get_name_attribute.obj \
+	$(OBJ)\mech/gss_import_name.obj \
+	$(OBJ)\mech/gss_import_sec_context.obj \
+	$(OBJ)\mech/gss_indicate_mechs.obj \
+	$(OBJ)\mech/gss_init_sec_context.obj \
+	$(OBJ)\mech/gss_inquire_context.obj \
+	$(OBJ)\mech/gss_inquire_cred.obj \
+	$(OBJ)\mech/gss_inquire_cred_by_mech.obj \
+	$(OBJ)\mech/gss_inquire_cred_by_oid.obj \
+	$(OBJ)\mech/gss_inquire_mechs_for_name.obj \
+	$(OBJ)\mech/gss_inquire_name.obj \
+	$(OBJ)\mech/gss_inquire_names_for_mech.obj \
+	$(OBJ)\mech/gss_krb5.obj \
+	$(OBJ)\mech/gss_mech_switch.obj \
+	$(OBJ)\mech/gss_mo.obj \
+	$(OBJ)\mech/gss_names.obj \
+	$(OBJ)\mech/gss_oid.obj \
+	$(OBJ)\mech/gss_oid_equal.obj \
+	$(OBJ)\mech/gss_oid_to_str.obj \
+	$(OBJ)\mech/gss_pname_to_uid.obj \
+	$(OBJ)\mech/gss_process_context_token.obj \
+	$(OBJ)\mech/gss_pseudo_random.obj \
+	$(OBJ)\mech/gss_release_buffer.obj \
+	$(OBJ)\mech/gss_release_cred.obj \
+	$(OBJ)\mech/gss_release_name.obj \
+	$(OBJ)\mech/gss_release_oid.obj \
+	$(OBJ)\mech/gss_release_oid_set.obj \
+	$(OBJ)\mech/gss_seal.obj \
+	$(OBJ)\mech/gss_set_cred_option.obj \
+	$(OBJ)\mech/gss_set_name_attribute.obj \
+	$(OBJ)\mech/gss_set_sec_context_option.obj \
+	$(OBJ)\mech/gss_sign.obj \
+	$(OBJ)\mech/gss_store_cred.obj \
+	$(OBJ)\mech/gss_test_oid_set_member.obj \
+	$(OBJ)\mech/gss_unseal.obj \
+	$(OBJ)\mech/gss_unwrap.obj \
+	$(OBJ)\mech/gss_utils.obj \
+	$(OBJ)\mech/gss_verify.obj \
+	$(OBJ)\mech/gss_verify_mic.obj \
+	$(OBJ)\mech/gss_wrap.obj \
+	$(OBJ)\mech/gss_wrap_size_limit.obj \
+	$(OBJ)\mech/gss_inquire_sec_context_by_oid.obj \
+	$(OBJ)\spnego/accept_sec_context.obj \
+	$(OBJ)\spnego/compat.obj \
+	$(OBJ)\spnego/context_stubs.obj \
+	$(OBJ)\spnego/cred_stubs.obj \
+	$(OBJ)\spnego/external.obj \
+	$(OBJ)\spnego/init_sec_context.obj \
+	$(OBJ)\ntlm/accept_sec_context.obj \
+	$(OBJ)\ntlm/acquire_cred.obj \
+	$(OBJ)\ntlm/add_cred.obj \
+	$(OBJ)\ntlm/canonicalize_name.obj \
+	$(OBJ)\ntlm/compare_name.obj \
+	$(OBJ)\ntlm/context_time.obj \
+        $(OBJ)\ntlm/creds.obj \
+	$(OBJ)\ntlm/crypto.obj \
+	$(OBJ)\ntlm/delete_sec_context.obj \
+	$(OBJ)\ntlm/display_name.obj \
+	$(OBJ)\ntlm/display_status.obj \
+	$(OBJ)\ntlm/duplicate_name.obj \
+	$(OBJ)\ntlm/export_name.obj \
+	$(OBJ)\ntlm/export_sec_context.obj \
+	$(OBJ)\ntlm/external.obj \
+	$(OBJ)\ntlm/import_name.obj \
+	$(OBJ)\ntlm/import_sec_context.obj \
+	$(OBJ)\ntlm/indicate_mechs.obj \
+	$(OBJ)\ntlm/init_sec_context.obj \
+	$(OBJ)\ntlm/inquire_context.obj \
+	$(OBJ)\ntlm/inquire_cred_by_mech.obj \
+	$(OBJ)\ntlm/inquire_mechs_for_name.obj \
+	$(OBJ)\ntlm/inquire_names_for_mech.obj \
+        $(OBJ)\ntlm/inquire_sec_context_by_oid.obj \
+        $(OBJ)\ntlm/iter_cred.obj \
+	$(OBJ)\ntlm/process_context_token.obj \
+	$(OBJ)\ntlm/release_cred.obj \
+	$(OBJ)\ntlm/release_name.obj \
+	$(OBJ)\ntlm/kdc.obj \
+	$(OBJ)\gkrb5_err.obj \
+	$(spnego_files:.x=.obj) \
+	$(gssapi_files:.x=.obj)
+
+GCOPTS=-I$(SRCDIR) -I$(OBJ) -Igssapi -DBUILD_GSSAPI_LIB
+
+{$(OBJ)\krb5}.c{$(OBJ)\krb5}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\krb5\ -Fd$(OBJ)\krb5\ -I$(OBJ)\krb5 $(GCOPTS)
+
+{krb5}.c{$(OBJ)\krb5}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\krb5\ -Fd$(OBJ)\krb5\ -I$(OBJ)\krb5 $(GCOPTS) -DASN1_LIB
+
+{$(OBJ)\mech}.c{$(OBJ)\mech}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\mech\ -Fd$(OBJ)\mech\ -I$(OBJ)\mech $(GCOPTS)
+
+{mech}.c{$(OBJ)\mech}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\mech\ -Fd$(OBJ)\mech\ -I$(OBJ)\mech -I$(OBJ)\gssapi $(GCOPTS) -DASN1_LIB
+
+{$(OBJ)\ntlm}.c{$(OBJ)\ntlm}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\ntlm\ -Fd$(OBJ)\ntlm\ -I$(OBJ)\ntlm $(GCOPTS)
+
+{ntlm}.c{$(OBJ)\ntlm}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\ntlm\ -Fd$(OBJ)\ntlm\ -I$(OBJ)\ntlm $(GCOPTS) -DASN1_LIB
+
+{$(OBJ)\spnego}.c{$(OBJ)\spnego}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\spnego\ -Fd$(OBJ)\spnego\ -I$(OBJ)\spnego $(GCOPTS)
+
+{spnego}.c{$(OBJ)\spnego}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\spnego\ -Fd$(OBJ)\spnego\ -I$(OBJ)\spnego -Imech $(GCOPTS) -DASN1_LIB
+
+{$(OBJ)\gssapi}.c{$(OBJ)\gssapi}.obj::
+	$(C2OBJ_NP) -Fo$(OBJ)\gssapi\ -Fd$(OBJ)\gssapi\ -I$(OBJ)\gssapi $(GCOPTS)
+
+{$(OBJ)}.c{$(OBJ)}.obj::
+	$(C2OBJ_P) $(GCOPTS)
+
+{$(OBJ)\spnego}.x{$(OBJ)\spnego}.c:
+	$(CP) $** $@
+
+{$(OBJ)\gssapi}.x{$(OBJ)\gssapi}.c:
+	$(CP) $** $@
+
+{gssapi}.h{$(INCDIR)\gssapi}.h:
+	$(CP) $** $@
+
+{$(OBJ)}.h{$(INCDIR)\gssapi}.h:
+	$(CP) $** $@
+
+{$(OBJ)\gssapi}.hx{$(OBJ)\gssapi}.h:
+	$(CP) $** $@
+
+{$(OBJ)\spnego}.hx{$(OBJ)\spnego}.h:
+	$(CP) $** $@
+
+LIBGSSAPI_LIBS=\
+        $(LIBHEIMBASE)  \
+	$(LIBROKEN)	\
+	$(LIBHEIMDAL)	\
+	$(LIBHEIMNTLM)	\
+	$(LIBCOMERR)
+
+LIBGSSAPI_SDKLIBS=\
+	$(PTHREAD_LIB)
+
+!ifndef STATICLIBS
+
+RES=$(OBJ)\libgssapi-version.res
+
+$(BINDIR)\gssapi.dll: $(libgssapi_OBJs) $(RES)
+	$(DLLGUILINK_C) -implib:$(LIBGSSAPI)	\
+		-out:$(BINDIR)\gssapi.dll	\
+		-def:libgssapi-exports.def	\
+		$(LIBGSSAPI_LIBS) $(RES) $(LIBGSSAPI_SDKLIBS) @<<
+$(libgssapi_OBJs: =
+)
+<<
+	$(DLLPREP_NODIST)
+
+$(LIBGSSAPI): $(BINDIR)\gssapi.dll
+
+clean::
+	-$(RM) $(BINDIR)\gssapi.*
+
+!else
+
+$(LIBGSSAPI): $(libgssapi_OBJs)
+	$(LIBCON_C) -OUT:$@ $(LIBGSSAPI_LIBS) $(LIBGSSAPI_SDKLIBS) @<<
+$(libgssapi_OBJs: =
+)
+<<
+
+!endif
+
+all:: $(LIBGSSAPI)
+
+clean::
+	-$(RM) $(LIBGSSAPI)
+
+prep:: mkdirs-gss
+
+mkdirs-gss:
+!if !exist($(OBJ)\ntlm)
+	$(MKDIR) $(OBJ)\ntlm
+!endif
+!if !exist($(OBJ)\krb5)
+	$(MKDIR) $(OBJ)\krb5
+!endif
+!if !exist($(OBJ)\spnego)
+	$(MKDIR) $(OBJ)\spnego
+!endif
+!if !exist($(OBJ)\mech)
+	$(MKDIR) $(OBJ)\mech
+!endif
+!if !exist($(OBJ)\gssapi)
+	$(MKDIR) $(OBJ)\gssapi
+!endif
+
+clean::
+	-$(RM) $(OBJ)\ntlm\*.*
+	-$(RM) $(OBJ)\krb5\*.*
+	-$(RM) $(OBJ)\spnego\*.*
+	-$(RM) $(OBJ)\mech\*.*
+	-$(RM) $(OBJ)\gssapi\*.*
+
+all-tools:: $(BINDIR)\gsstool.exe
+
+$(BINDIR)\gsstool.exe: $(OBJ)\gsstool.obj $(OBJ)\gss-commands.obj $(LIBGSSAPI) $(LIBROKEN) $(LIBSL) $(LIBVERS)
+	$(EXECONLINK)
+
+$(OBJ)\gss-commands.c $(OBJ)\gss-commands.h: gss-commands.in
+	cd $(OBJ)
+	$(CP) $(SRCDIR)\gss-commands.in gss-commands.in
+	$(BINDIR)\slc.exe gss-commands.in
+	cd $(SRCDIR)
+
+!ifdef ELISP
+# This macro invocation is used to update the libgssapi_OBJs
+# definition below (generate-obj-macro is defined in maint.el):
+
+(generate-obj-macro "libgssapi_OBJs"
+	            (concat "\t$(OBJ)\\gkrb5_err.obj \\\n"
+                            "\t$(spnego_files:.x=.obj) \\\n"
+                            "\t$(gssapi_files:.x=.obj)")
+                    "krb5src" "mechsrc" "spnegosrc" "ntlmsrc")
+!endif
+
+test-exports:
+	$(PERL) ..\..\cf\w32-check-exported-symbols.pl --vs version-script.map --def libgssapi-exports.def
+
+test:: test-exports
+
+
+TEST_BINARIES=\
+	$(OBJ)\test_oid.exe	\
+	$(OBJ)\test_names.exe	\
+	$(OBJ)\test_cfx.exe	\
+	$(OBJ)\test_acquire_cred.exe	\
+	$(OBJ)\test_cred.exe	\
+	$(OBJ)\test_kcred.exe	\
+	$(OBJ)\test_context.exe	\
+	$(OBJ)\test_ntlm.exe
+
+$(OBJ)\test_oid.exe: $(OBJ)\test_oid.obj $(LIBGSSAPI) $(LIBROKEN)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+$(OBJ)\test_names.exe: $(OBJ)\test_names.obj $(LIBGSSAPI) $(LIBROKEN) $(LIBVERS)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+$(OBJ)\test_cfx.exe: $(OBJ)\krb5\test_cfx.obj $(LIBHEIMDAL) $(LIBGSSAPI) $(LIBROKEN)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+$(OBJ)\test_acquire_cred.exe: $(OBJ)\test_acquire_cred.obj $(OBJ)\test_common.obj \
+		$(LIBGSSAPI) $(LIBROKEN) $(LIBVERS)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+$(OBJ)\test_cred.exe: $(OBJ)\test_cred.obj $(LIBGSSAPI) $(LIBROKEN) $(LIBVERS)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+$(OBJ)\test_kcred.exe: $(OBJ)\test_kcred.obj $(LIBGSSAPI) $(LIBHEIMDAL)	\
+		$(LIBROKEN) $(LIBVERS)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+$(OBJ)\test_context.exe: $(OBJ)\test_context.obj $(OBJ)\test_common.obj	\
+		$(LIBGSSAPI) $(LIBHEIMDAL) $(LIBROKEN) $(LIBVERS)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+$(OBJ)\test_ntlm.exe: $(OBJ)\test_ntlm.obj $(OBJ)\test_common.obj	\
+		$(LIBGSSAPI) $(LIBHEIMNTLM) $(LIBROKEN) $(LIBVERS)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
+{}.c{$(OBJ)}.obj::
+	$(C2OBJ_P) -I$(OBJ)\krb5 -I$(OBJ) -I$(SRCDIR) -I$(SRCDIR)\gssapi
+
+test-binaries: $(LIBGSSAPI) $(TEST_BINARIES)
+
+run-test:
+	cd $(OBJ)
+	test_oid
+	test_names
+	test_cfx
+	test_kcred
+	cd $(SRCDIR)
+
+test:: test-binaries run-test
diff --git a/lib/gssapi/gss-commands.in b/lib/gssapi/gss-commands.in
index 2204f2afa89a..a2fc2288ee43 100644
--- a/lib/gssapi/gss-commands.in
+++ b/lib/gssapi/gss-commands.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -30,13 +30,26 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
  * SUCH DAMAGE. 
  */
-/* $Id: gss-commands.in 17870 2006-07-22 14:48:58Z lha $ */
+/* $Id$ */
 
 command = {
 	name = "supported-mechanisms"
 	help = "Print the supported mechanisms"
 }
 command = {
+	name = "attrs-for-mech"
+	help = "Print the attributes for mechs"
+	option = {
+		long = "all"
+		type = "flag"
+	}
+	option = {
+		long = "mech"
+		type = "string"
+		argument = "mechanism"
+	}
+}
+command = {
 	name = "help"
 	name = "?"
 	argument = "[command]"
diff --git a/lib/gssapi/gss_acquire_cred.3 b/lib/gssapi/gss_acquire_cred.3
index d2a04d93fbb4..25d7b4d7ffdb 100644
--- a/lib/gssapi/gss_acquire_cred.3
+++ b/lib/gssapi/gss_acquire_cred.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: gss_acquire_cred.3 20235 2007-02-16 11:19:03Z lha $
+.\" $Id$
 .\"
 .Dd October 26, 2005
 .Dt GSS_ACQUIRE_CRED 3
@@ -513,7 +513,7 @@ In GSS-API an contiguous string name is stored in a
 .Dv gss_buffer_t .
 .Pp
 Exported names also have the property that they are specified by the
-mechanism itself and compatible between diffrent GSS-API
+mechanism itself and compatible between different GSS-API
 implementations.
 .El
 .Sh ACCESS CONTROL
diff --git a/lib/gssapi/gss_acquire_cred.cat3 b/lib/gssapi/gss_acquire_cred.cat3
new file mode 100644
index 000000000000..b793918c1850
--- /dev/null
+++ b/lib/gssapi/gss_acquire_cred.cat3
@@ -0,0 +1,406 @@
+
+GSS_ACQUIRE_CRED(3)      BSD Library Functions Manual      GSS_ACQUIRE_CRED(3)
+
+NNAAMMEE
+     ggssss__aacccceepptt__sseecc__ccoonntteexxtt, ggssss__aaccqquuiirree__ccrreedd, ggssss__aadddd__ccrreedd,
+     ggssss__aadddd__ooiidd__sseett__mmeemmbbeerr, ggssss__ccaannoonniiccaalliizzee__nnaammee, ggssss__ccoommppaarree__nnaammee,
+     ggssss__ccoonntteexxtt__ttiimmee, ggssss__ccrreeaattee__eemmppttyy__ooiidd__sseett, ggssss__ddeelleettee__sseecc__ccoonntteexxtt,
+     ggssss__ddiissppllaayy__nnaammee, ggssss__ddiissppllaayy__ssttaattuuss, ggssss__dduupplliiccaattee__nnaammee,
+     ggssss__eexxppoorrtt__nnaammee, ggssss__eexxppoorrtt__sseecc__ccoonntteexxtt, ggssss__ggeett__mmiicc, ggssss__iimmppoorrtt__nnaammee,
+     ggssss__iimmppoorrtt__sseecc__ccoonntteexxtt, ggssss__iinnddiiccaattee__mmeecchhss, ggssss__iinniitt__sseecc__ccoonntteexxtt,
+     ggssss__iinnqquuiirree__ccoonntteexxtt, ggssss__iinnqquuiirree__ccrreedd, ggssss__iinnqquuiirree__ccrreedd__bbyy__mmeecchh,
+     ggssss__iinnqquuiirree__mmeecchhss__ffoorr__nnaammee, ggssss__iinnqquuiirree__nnaammeess__ffoorr__mmeecchh,
+     ggssss__kkrrbb55__ccccaacchhee__nnaammee, ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc, ggssss__kkrrbb55__ccooppyy__ccccaacchhee,
+     ggssss__kkrrbb55__iimmppoorrtt__ccrreedd ggsssskkrrbb55__eexxttrraacctt__aauutthhzz__ddaattaa__ffrroomm__sseecc__ccoonntteexxtt,
+     ggsssskkrrbb55__rreeggiisstteerr__aacccceeppttoorr__iiddeennttiittyy, ggssss__kkrrbb55__iimmppoorrtt__ccccaacchhee,
+     ggssss__kkrrbb55__ggeett__ttkktt__ffllaaggss, ggssss__pprroocceessss__ccoonntteexxtt__ttookkeenn, ggssss__rreelleeaassee__bbuuffffeerr,
+     ggssss__rreelleeaassee__ccrreedd, ggssss__rreelleeaassee__nnaammee, ggssss__rreelleeaassee__ooiidd__sseett, ggssss__sseeaall,
+     ggssss__ssiiggnn, ggssss__tteesstt__ooiidd__sseett__mmeemmbbeerr, ggssss__uunnsseeaall, ggssss__uunnwwrraapp, ggssss__vveerriiffyy,
+     ggssss__vveerriiffyy__mmiicc, ggssss__wwrraapp, ggssss__wwrraapp__ssiizzee__lliimmiitt -- Generic Security Service
+     Application Program Interface library
+
+LLIIBBRRAARRYY
+     GSS-API library (libgssapi, -lgssapi)
+
+SSYYNNOOPPSSIISS
+     ##iinncclluuddee <<ggssssaappii..hh>>
+
+     _O_M___u_i_n_t_3_2
+     ggssss__aacccceepptt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _a_c_c_e_p_t_o_r___c_r_e_d___h_a_n_d_l_e,
+         _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___t_o_k_e_n___b_u_f_f_e_r,
+         _c_o_n_s_t _g_s_s___c_h_a_n_n_e_l___b_i_n_d_i_n_g_s___t _i_n_p_u_t___c_h_a_n___b_i_n_d_i_n_g_s,
+         _g_s_s___n_a_m_e___t _* _s_r_c___n_a_m_e, _g_s_s___O_I_D _* _m_e_c_h___t_y_p_e,
+         _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n, _O_M___u_i_n_t_3_2 _* _r_e_t___f_l_a_g_s,
+         _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c, _g_s_s___c_r_e_d___i_d___t _* _d_e_l_e_g_a_t_e_d___c_r_e_d___h_a_n_d_l_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__aaccqquuiirree__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _d_e_s_i_r_e_d___n_a_m_e,
+         _O_M___u_i_n_t_3_2 _t_i_m_e___r_e_q, _c_o_n_s_t _g_s_s___O_I_D___s_e_t _d_e_s_i_r_e_d___m_e_c_h_s,
+         _g_s_s___c_r_e_d___u_s_a_g_e___t _c_r_e_d___u_s_a_g_e, _g_s_s___c_r_e_d___i_d___t _* _o_u_t_p_u_t___c_r_e_d___h_a_n_d_l_e,
+         _g_s_s___O_I_D___s_e_t _* _a_c_t_u_a_l___m_e_c_h_s, _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__aadddd__ccrreedd(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _i_n_p_u_t___c_r_e_d___h_a_n_d_l_e, _c_o_n_s_t _g_s_s___n_a_m_e___t _d_e_s_i_r_e_d___n_a_m_e,
+         _c_o_n_s_t _g_s_s___O_I_D _d_e_s_i_r_e_d___m_e_c_h, _g_s_s___c_r_e_d___u_s_a_g_e___t _c_r_e_d___u_s_a_g_e,
+         _O_M___u_i_n_t_3_2 _i_n_i_t_i_a_t_o_r___t_i_m_e___r_e_q, _O_M___u_i_n_t_3_2 _a_c_c_e_p_t_o_r___t_i_m_e___r_e_q,
+         _g_s_s___c_r_e_d___i_d___t _*_o_u_t_p_u_t___c_r_e_d___h_a_n_d_l_e, _g_s_s___O_I_D___s_e_t _*_a_c_t_u_a_l___m_e_c_h_s,
+         _O_M___u_i_n_t_3_2 _*_i_n_i_t_i_a_t_o_r___t_i_m_e___r_e_c, _O_M___u_i_n_t_3_2 _*_a_c_c_e_p_t_o_r___t_i_m_e___r_e_c);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__aadddd__ooiidd__sseett__mmeemmbbeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___O_I_D _m_e_m_b_e_r___o_i_d, _g_s_s___O_I_D___s_e_t _* _o_i_d___s_e_t);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ccaannoonniiccaalliizzee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e, _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e,
+         _g_s_s___n_a_m_e___t _* _o_u_t_p_u_t___n_a_m_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ccoommppaarree__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _n_a_m_e_1,
+         _c_o_n_s_t _g_s_s___n_a_m_e___t _n_a_m_e_2, _i_n_t _* _n_a_m_e___e_q_u_a_l);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ccoonntteexxtt__ttiimmee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ccrreeaattee__eemmppttyy__ooiidd__sseett(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _g_s_s___O_I_D___s_e_t _* _o_i_d___s_e_t);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ddeelleettee__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ddiissppllaayy__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e,
+         _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r, _g_s_s___O_I_D _* _o_u_t_p_u_t___n_a_m_e___t_y_p_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ddiissppllaayy__ssttaattuuss(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r___s_t_a_t_u_s, _O_M___u_i_n_t_3_2 _s_t_a_t_u_s___v_a_l_u_e,
+         _i_n_t _s_t_a_t_u_s___t_y_p_e, _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e, _O_M___u_i_n_t_3_2 _*_m_e_s_s_a_g_e___c_o_n_t_e_x_t,
+         _g_s_s___b_u_f_f_e_r___t _s_t_a_t_u_s___s_t_r_i_n_g);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__dduupplliiccaattee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _s_r_c___n_a_m_e,
+         _g_s_s___n_a_m_e___t _* _d_e_s_t___n_a_m_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__eexxppoorrtt__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e,
+         _g_s_s___b_u_f_f_e_r___t _e_x_p_o_r_t_e_d___n_a_m_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__eexxppoorrtt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___b_u_f_f_e_r___t _i_n_t_e_r_p_r_o_c_e_s_s___t_o_k_e_n);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ggeett__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _g_s_s___q_o_p___t _q_o_p___r_e_q, _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r,
+         _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___t_o_k_e_n);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iimmppoorrtt__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___n_a_m_e___b_u_f_f_e_r, _c_o_n_s_t _g_s_s___O_I_D _i_n_p_u_t___n_a_m_e___t_y_p_e,
+         _g_s_s___n_a_m_e___t _* _o_u_t_p_u_t___n_a_m_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iimmppoorrtt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_t_e_r_p_r_o_c_e_s_s___t_o_k_e_n,
+         _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iinnddiiccaattee__mmeecchhss(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _m_e_c_h___s_e_t);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iinniitt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _i_n_i_t_i_a_t_o_r___c_r_e_d___h_a_n_d_l_e,
+         _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _c_o_n_s_t _g_s_s___n_a_m_e___t _t_a_r_g_e_t___n_a_m_e,
+         _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e, _O_M___u_i_n_t_3_2 _r_e_q___f_l_a_g_s, _O_M___u_i_n_t_3_2 _t_i_m_e___r_e_q,
+         _c_o_n_s_t _g_s_s___c_h_a_n_n_e_l___b_i_n_d_i_n_g_s___t _i_n_p_u_t___c_h_a_n___b_i_n_d_i_n_g_s,
+         _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___t_o_k_e_n, _g_s_s___O_I_D _* _a_c_t_u_a_l___m_e_c_h___t_y_p_e,
+         _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n, _O_M___u_i_n_t_3_2 _* _r_e_t___f_l_a_g_s,
+         _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iinnqquuiirree__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___n_a_m_e___t _* _s_r_c___n_a_m_e,
+         _g_s_s___n_a_m_e___t _* _t_a_r_g___n_a_m_e, _O_M___u_i_n_t_3_2 _* _l_i_f_e_t_i_m_e___r_e_c,
+         _g_s_s___O_I_D _* _m_e_c_h___t_y_p_e, _O_M___u_i_n_t_3_2 _* _c_t_x___f_l_a_g_s, _i_n_t _* _l_o_c_a_l_l_y___i_n_i_t_i_a_t_e_d,
+         _i_n_t _* _o_p_e_n___c_o_n_t_e_x_t);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iinnqquuiirree__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _c_r_e_d___h_a_n_d_l_e, _g_s_s___n_a_m_e___t _* _n_a_m_e,
+         _O_M___u_i_n_t_3_2 _* _l_i_f_e_t_i_m_e, _g_s_s___c_r_e_d___u_s_a_g_e___t _* _c_r_e_d___u_s_a_g_e,
+         _g_s_s___O_I_D___s_e_t _* _m_e_c_h_a_n_i_s_m_s);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iinnqquuiirree__ccrreedd__bbyy__mmeecchh(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _c_r_e_d___h_a_n_d_l_e, _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e,
+         _g_s_s___n_a_m_e___t _* _n_a_m_e, _O_M___u_i_n_t_3_2 _* _i_n_i_t_i_a_t_o_r___l_i_f_e_t_i_m_e,
+         _O_M___u_i_n_t_3_2 _* _a_c_c_e_p_t_o_r___l_i_f_e_t_i_m_e, _g_s_s___c_r_e_d___u_s_a_g_e___t _* _c_r_e_d___u_s_a_g_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iinnqquuiirree__mmeecchhss__ffoorr__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e, _g_s_s___O_I_D___s_e_t _* _m_e_c_h___t_y_p_e_s);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__iinnqquuiirree__nnaammeess__ffoorr__mmeecchh(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h_a_n_i_s_m, _g_s_s___O_I_D___s_e_t _* _n_a_m_e___t_y_p_e_s);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__kkrrbb55__ccccaacchhee__nnaammee(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
+         _c_o_n_s_t _c_h_a_r _*_*_o_l_d___n_a_m_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__kkrrbb55__ccooppyy__ccccaacchhee(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r, _g_s_s___c_r_e_d___i_d___t _c_r_e_d,
+         _k_r_b_5___c_c_a_c_h_e _o_u_t);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__kkrrbb55__iimmppoorrtt__ccrreedd(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r___s_t_a_t_u_s, _k_r_b_5___c_c_a_c_h_e _i_d,
+         _k_r_b_5___p_r_i_n_c_i_p_a_l _k_e_y_t_a_b___p_r_i_n_c_i_p_a_l, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b,
+         _g_s_s___c_r_e_d___i_d___t _*_c_r_e_d);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _i_n_t _o_n_o_f_f);
+
+     _O_M___u_i_n_t_3_2
+     ggsssskkrrbb55__eexxttrraacctt__aauutthhzz__ddaattaa__ffrroomm__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r___s_t_a_t_u_s,
+         _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _i_n_t _a_d___t_y_p_e, _g_s_s___b_u_f_f_e_r___t _a_d___d_a_t_a);
+
+     _O_M___u_i_n_t_3_2
+     ggsssskkrrbb55__rreeggiisstteerr__aacccceeppttoorr__iiddeennttiittyy(_c_o_n_s_t _c_h_a_r _*_i_d_e_n_t_i_t_y);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__kkrrbb55__iimmppoorrtt__ccaacchhee(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r, _k_r_b_5___c_c_a_c_h_e _i_d,
+         _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b, _g_s_s___c_r_e_d___i_d___t _*_c_r_e_d);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__kkrrbb55__ggeett__ttkktt__ffllaaggss(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r___s_t_a_t_u_s,
+         _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _O_M___u_i_n_t_3_2 _*_t_k_t___f_l_a_g_s);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__pprroocceessss__ccoonntteexxtt__ttookkeenn(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _t_o_k_e_n___b_u_f_f_e_r);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__rreelleeaassee__bbuuffffeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___b_u_f_f_e_r___t _b_u_f_f_e_r);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__rreelleeaassee__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_r_e_d___i_d___t _* _c_r_e_d___h_a_n_d_l_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__rreelleeaassee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___n_a_m_e___t _* _i_n_p_u_t___n_a_m_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__rreelleeaassee__ooiidd__sseett(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _s_e_t);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__sseeaall(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _i_n_t _c_o_n_f___r_e_q___f_l_a_g, _i_n_t _q_o_p___r_e_q, _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r,
+         _i_n_t _* _c_o_n_f___s_t_a_t_e, _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__ssiiggnn(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _i_n_t _q_o_p___r_e_q, _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r,
+         _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___t_o_k_e_n);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__tteesstt__ooiidd__sseett__mmeemmbbeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___O_I_D _m_e_m_b_e_r,
+         _c_o_n_s_t _g_s_s___O_I_D___s_e_t _s_e_t, _i_n_t _* _p_r_e_s_e_n_t);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__uunnsseeaall(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r,
+         _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e,
+         _i_n_t _* _q_o_p___s_t_a_t_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__uunnwwrraapp(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r,
+         _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e,
+         _g_s_s___q_o_p___t _* _q_o_p___s_t_a_t_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__vveerriiffyy(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r, _g_s_s___b_u_f_f_e_r___t _t_o_k_e_n___b_u_f_f_e_r,
+         _i_n_t _* _q_o_p___s_t_a_t_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__vveerriiffyy__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r,
+         _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _t_o_k_e_n___b_u_f_f_e_r, _g_s_s___q_o_p___t _* _q_o_p___s_t_a_t_e);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__wwrraapp(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+         _i_n_t _c_o_n_f___r_e_q___f_l_a_g, _g_s_s___q_o_p___t _q_o_p___r_e_q,
+         _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e,
+         _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r);
+
+     _O_M___u_i_n_t_3_2
+     ggssss__wwrraapp__ssiizzee__lliimmiitt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+         _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _i_n_t _c_o_n_f___r_e_q___f_l_a_g,
+         _g_s_s___q_o_p___t _q_o_p___r_e_q, _O_M___u_i_n_t_3_2 _r_e_q___o_u_t_p_u_t___s_i_z_e,
+         _O_M___u_i_n_t_3_2 _* _m_a_x___i_n_p_u_t___s_i_z_e);
+
+DDEESSCCRRIIPPTTIIOONN
+     Generic Security Service API (GSS-API) version 2, and its C binding, is
+     described in RFC2743 and RFC2744.  Version 1 (deprecated) of the C bind-
+     ing is described in RFC1509.
+
+     Heimdals GSS-API implementation supports the following mechanisms
+
+     ++oo   GSS_KRB5_MECHANISM
+
+     ++oo   GSS_SPNEGO_MECHANISM
+
+     GSS-API have generic name types that all mechanism are supposed to imple-
+     ment (if possible):
+
+     ++oo   GSS_C_NT_USER_NAME
+
+     ++oo   GSS_C_NT_MACHINE_UID_NAME
+
+     ++oo   GSS_C_NT_STRING_UID_NAME
+
+     ++oo   GSS_C_NT_HOSTBASED_SERVICE
+
+     ++oo   GSS_C_NT_ANONYMOUS
+
+     ++oo   GSS_C_NT_EXPORT_NAME
+
+     GSS-API implementations that supports Kerberos 5 have some additional
+     name types:
+
+     ++oo   GSS_KRB5_NT_PRINCIPAL_NAME
+
+     ++oo   GSS_KRB5_NT_USER_NAME
+
+     ++oo   GSS_KRB5_NT_MACHINE_UID_NAME
+
+     ++oo   GSS_KRB5_NT_STRING_UID_NAME
+
+     In GSS-API, names have two forms, internal names and contiguous string
+     names.
+
+     ++oo   Internal name and mechanism name
+
+         Internal names are implementation specific representation of a GSS-
+         API name.  Mechanism names special form of internal names corresponds
+         to one and only one mechanism.
+
+         In GSS-API an internal name is stored in a gss_name_t.
+
+     ++oo   Contiguous string name and exported name
+
+         Contiguous string names are gssapi names stored in a OCTET STRING
+         that together with a name type identifier (OID) uniquely specifies a
+         gss-name.  A special form of the contiguous string name is the
+         exported name that have a OID embedded in the string to make it
+         unique.  Exported name have the nametype GSS_C_NT_EXPORT_NAME.
+
+         In GSS-API an contiguous string name is stored in a gss_buffer_t.
+
+         Exported names also have the property that they are specified by the
+         mechanism itself and compatible between different GSS-API implementa-
+         tions.
+
+AACCCCEESSSS CCOONNTTRROOLL
+     There are two ways of comparing GSS-API names, either comparing two
+     internal names with each other or two contiguous string names with either
+     other.
+
+     To compare two internal names with each other, import (if needed) the
+     names with ggssss__iimmppoorrtt__nnaammee() into the GSS-API implementation and the com-
+     pare the imported name with ggssss__ccoommppaarree__nnaammee().
+
+     Importing names can be slow, so when its possible to store exported names
+     in the access control list, comparing contiguous string name might be
+     better.
+
+     when comparing contiguous string name, first export them into a
+     GSS_C_NT_EXPORT_NAME name with ggssss__eexxppoorrtt__nnaammee() and then compare with
+     memcmp(3).
+
+     Note that there are might be a difference between the two methods of com-
+     paring names.  The first (using ggssss__ccoommppaarree__nnaammee()) will compare to
+     (unauthenticated) names are the same.  The second will compare if a mech-
+     anism will authenticate them as the same principal.
+
+     For example, if ggssss__iimmppoorrtt__nnaammee() name was used with GSS_C_NO_OID the
+     default syntax is used for all mechanism the GSS-API implementation sup-
+     ports.  When compare the imported name of GSS_C_NO_OID it may match
+     serveral mechanism names (MN).
+
+     The resulting name from ggssss__ddiissppllaayy__nnaammee() must not be used for acccess
+     control.
+
+FFUUNNCCTTIIOONNSS
+     ggssss__ddiissppllaayy__nnaammee() takes the gss name in _i_n_p_u_t___n_a_m_e and puts a printable
+     form in _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r.  _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r should be freed when done
+     using ggssss__rreelleeaassee__bbuuffffeerr().  _o_u_t_p_u_t___n_a_m_e___t_y_p_e can either be NULL or a
+     pointer to a gss_OID and will in the latter case contain the OID type of
+     the name.  The name must only be used for printing.  If access control is
+     needed, see section _A_C_C_E_S_S _C_O_N_T_R_O_L.
+
+     ggssss__iinnqquuiirree__ccoonntteexxtt() returns information about the context.  Information
+     is available even after the context have expired.  _l_i_f_e_t_i_m_e___r_e_c argument
+     is set to GSS_C_INDEFINITE (dont expire) or the number of seconds that
+     the context is still valid.  A value of 0 means that the context is
+     expired.  _m_e_c_h___t_y_p_e argument should be considered readonly and must not
+     be released.  _s_r_c___n_a_m_e and ddeesstt__nnaammee() are both mechanims names and must
+     be released with ggssss__rreelleeaassee__nnaammee() when no longer used.
+
+     ggssss__ccoonntteexxtt__ttiimmee will return the amount of time (in seconds) of the con-
+     text is still valid.  If its expired _t_i_m_e___r_e_c will be set to 0 and
+     GSS_S_CONTEXT_EXPIRED returned.
+
+     ggssss__ssiiggnn(), ggssss__vveerriiffyy(), ggssss__sseeaall(), and ggssss__uunnsseeaall() are part of the
+     GSS-API V1 interface and are obsolete.  The functions should not be used
+     for new applications.  They are provided so that version 1 applications
+     can link against the library.
+
+EEXXTTEENNSSIIOONNSS
+     ggssss__kkrrbb55__ccccaacchhee__nnaammee() sets the internal kerberos 5 credential cache name
+     to _n_a_m_e.  The old name is returned in _o_l_d___n_a_m_e, and must not be freed.
+     The data allocated for _o_l_d___n_a_m_e is free upon next call to
+     ggssss__kkrrbb55__ccccaacchhee__nnaammee().  This function is not threadsafe if _o_l_d___n_a_m_e
+     argument is used.
+
+     ggssss__kkrrbb55__ccooppyy__ccccaacchhee() will extract the krb5 credentials that are trans-
+     ferred from the initiator to the acceptor when using token delegation in
+     the Kerberos mechanism.  The acceptor receives the delegated token in the
+     last argument to ggssss__aacccceepptt__sseecc__ccoonntteexxtt().
+
+     ggssss__kkrrbb55__iimmppoorrtt__ccrreedd() will import the krb5 credentials (both keytab
+     and/or credential cache) into gss credential so it can be used withing
+     GSS-API.  The _c_c_a_c_h_e is copied by reference and thus shared, so if the
+     credential is destroyed with _k_r_b_5___c_c___d_e_s_t_r_o_y, all users of thep
+     _g_s_s___c_r_e_d___i_d___t returned by ggssss__kkrrbb55__iimmppoorrtt__ccccaacchhee() will fail.
+
+     ggsssskkrrbb55__rreeggiisstteerr__aacccceeppttoorr__iiddeennttiittyy() sets the Kerberos 5 filebased keytab
+     that the acceptor will use.  The _i_d_e_n_t_i_f_i_e_r is the file name.
+
+     ggsssskkrrbb55__eexxttrraacctt__aauutthhzz__ddaattaa__ffrroomm__sseecc__ccoonntteexxtt() extracts the Kerberos
+     authorizationdata that may be stored within the context.  Tha caller must
+     free the returned buffer _a_d___d_a_t_a with ggssss__rreelleeaassee__bbuuffffeerr() upon success.
+
+     ggssss__kkrrbb55__ggeett__ttkktt__ffllaaggss() return the ticket flags for the kerberos ticket
+     receive when authenticating the initiator.  Only valid on the acceptor
+     context.
+
+     ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc() turns on or off the compatibility with older
+     version of Heimdal using des3 get and verify mic, this is way to program-
+     matically set the [gssapi]broken_des3_mic and [gssapi]correct_des3_mic
+     flags (see COMPATIBILITY section in gssapi(3)).  If the CPP symbol
+     GSS_C_KRB5_COMPAT_DES3_MIC is present, ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc() exists.
+     ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc() will be removed in a later version of the GSS-
+     API library.
+
+SSEEEE AALLSSOO
+     gssapi(3), krb5(3), krb5_ccache(3), kerberos(8)
+
+HEIMDAL                        October 26, 2005                        HEIMDAL
diff --git a/lib/gssapi/gssapi.3 b/lib/gssapi/gssapi.3
index 0241ee786a16..089f751e9e6e 100644
--- a/lib/gssapi/gssapi.3
+++ b/lib/gssapi/gssapi.3
@@ -1,35 +1,35 @@
-.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden). 
-.\" All rights reserved. 
+.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without 
-.\" modification, are permitted provided that the following conditions 
-.\" are met: 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright 
-.\"    notice, this list of conditions and the following disclaimer. 
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright 
-.\"    notice, this list of conditions and the following disclaimer in the 
-.\"    documentation and/or other materials provided with the distribution. 
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors 
-.\"    may be used to endorse or promote products derived from this software 
-.\"    without specific prior written permission. 
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
-.\" SUCH DAMAGE. 
-.\" 
-.\" $Id: gssapi.3 22071 2007-11-14 20:04:50Z lha $
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
 .\"
 .Dd April 20, 2005
 .Dt GSSAPI 3
@@ -53,57 +53,52 @@ These functions constitute the gssapi library,
 .Em libgssapi .
 Declarations for these functions may be obtained from the include file
 .Pa gssapi.h .
-.sp 2
-.nf
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
-\fIName/Page\fP	\fIDescription\fP
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
-.sp 5p
-gss_accept_sec_context.3
-gss_acquire_cred.3
-gss_add_cred.3
-gss_add_oid_set_member.3
-gss_canonicalize_name.3
-gss_compare_name.3
-gss_context_time.3
-gss_create_empty_oid_set.3
-gss_delete_sec_context.3
-gss_display_name.3
-gss_display_status.3
-gss_duplicate_name.3
-gss_export_name.3
-gss_export_sec_context.3
-gss_get_mic.3
-gss_import_name.3
-gss_import_sec_context.3
-gss_indicate_mechs.3
-gss_init_sec_context.3
-gss_inquire_context.3
-gss_inquire_cred.3
-gss_inquire_cred_by_mech.3
-gss_inquire_mechs_for_name.3
-gss_inquire_names_for_mech.3
-gss_krb5_ccache_name.3
-gss_krb5_compat_des3_mic.3
-gss_krb5_copy_ccache.3
-gss_krb5_extract_authz_data_from_sec_context.3
-gss_krb5_import_ccache.3
-gss_process_context_token.3
-gss_release_buffer.3
-gss_release_cred.3
-gss_release_name.3
-gss_release_oid_set.3
-gss_seal.3
-gss_sign.3
-gss_test_oid_set_member.3
-gss_unseal.3
-gss_unwrap.3
-gss_verify.3
-gss_verify_mic.3
-gss_wrap.3
-gss_wrap_size_limit.3
-.ta
-.Fi
+.Bl -column -compact
+.It Sy Name/Page
+.It Xr gss_accept_sec_context 3
+.It Xr gss_acquire_cred 3
+.It Xr gss_add_cred 3
+.It Xr gss_add_oid_set_member 3
+.It Xr gss_canonicalize_name 3
+.It Xr gss_compare_name 3
+.It Xr gss_context_time 3
+.It Xr gss_create_empty_oid_set 3
+.It Xr gss_delete_sec_context 3
+.It Xr gss_display_name 3
+.It Xr gss_display_status 3
+.It Xr gss_duplicate_name 3
+.It Xr gss_export_name 3
+.It Xr gss_export_sec_context 3
+.It Xr gss_get_mic 3
+.It Xr gss_import_name 3
+.It Xr gss_import_sec_context 3
+.It Xr gss_indicate_mechs 3
+.It Xr gss_init_sec_context 3
+.It Xr gss_inquire_context 3
+.It Xr gss_inquire_cred 3
+.It Xr gss_inquire_cred_by_mech 3
+.It Xr gss_inquire_mechs_for_name 3
+.It Xr gss_inquire_names_for_mech 3
+.It Xr gss_krb5_ccache_name 3
+.It Xr gss_krb5_compat_des3_mic 3
+.It Xr gss_krb5_copy_ccache 3
+.It Xr gss_krb5_extract_authz_data_from_sec_context 3
+.It Xr gss_krb5_import_ccache 3
+.It Xr gss_process_context_token 3
+.It Xr gss_release_buffer 3
+.It Xr gss_release_cred 3
+.It Xr gss_release_name 3
+.It Xr gss_release_oid_set 3
+.It Xr gss_seal 3
+.It Xr gss_sign 3
+.It Xr gss_test_oid_set_member 3
+.It Xr gss_unseal 3
+.It Xr gss_unwrap 3
+.It Xr gss_verify 3
+.It Xr gss_verify_mic 3
+.It Xr gss_wrap 3
+.It Xr gss_wrap_size_limit 3
+.El
 .Sh COMPATIBILITY
 The
 .Nm Heimdal
@@ -147,7 +142,7 @@ the later will override.
 .Pp
 This config option modifies behaviour for both clients and servers.
 .Pp
-Microsoft implemented SPNEGO to Windows2000, however, they manage to
+Microsoft implemented SPNEGO to Windows2000, however, they managed to
 get it wrong, their implementation didn't fill in the MechListMIC in
 the reply token with the right content.
 There is a work around for this problem, but not all implementation
diff --git a/lib/gssapi/gssapi.cat3 b/lib/gssapi/gssapi.cat3
new file mode 100644
index 000000000000..82901ad0efbd
--- /dev/null
+++ b/lib/gssapi/gssapi.cat3
@@ -0,0 +1,115 @@
+
+GSSAPI(3)                BSD Library Functions Manual                GSSAPI(3)
+
+NNAAMMEE
+     ggssssaappii -- Generic Security Service Application Program Interface library
+
+LLIIBBRRAARRYY
+     GSS-API Library (libgssapi, -lgssapi)
+
+DDEESSCCRRIIPPTTIIOONN
+     The Generic Security Service Application Program Interface (GSS-API) pro-
+     vides security services to callers in a generic fashion, supportable with
+     a range of underlying mechanisms and technologies and hence allowing
+     source-level portability of applications to different environments.
+
+     The GSS-API implementation in Heimdal implements the Kerberos 5 and the
+     SPNEGO GSS-API security mechanisms.
+
+LLIISSTT OOFF FFUUNNCCTTIIOONNSS
+     These functions constitute the gssapi library, _l_i_b_g_s_s_a_p_i.  Declarations
+     for these functions may be obtained from the include file _g_s_s_a_p_i_._h.
+     NNaammee//PPaaggee
+     gss_accept_sec_context(3)
+     gss_acquire_cred(3)
+     gss_add_cred(3)
+     gss_add_oid_set_member(3)
+     gss_canonicalize_name(3)
+     gss_compare_name(3)
+     gss_context_time(3)
+     gss_create_empty_oid_set(3)
+     gss_delete_sec_context(3)
+     gss_display_name(3)
+     gss_display_status(3)
+     gss_duplicate_name(3)
+     gss_export_name(3)
+     gss_export_sec_context(3)
+     gss_get_mic(3)
+     gss_import_name(3)
+     gss_import_sec_context(3)
+     gss_indicate_mechs(3)
+     gss_init_sec_context(3)
+     gss_inquire_context(3)
+     gss_inquire_cred(3)
+     gss_inquire_cred_by_mech(3)
+     gss_inquire_mechs_for_name(3)
+     gss_inquire_names_for_mech(3)
+     gss_krb5_ccache_name(3)
+     gss_krb5_compat_des3_mic(3)
+     gss_krb5_copy_ccache(3)
+     gss_krb5_extract_authz_data_from_sec_context(3)
+     gss_krb5_import_ccache(3)
+     gss_process_context_token(3)
+     gss_release_buffer(3)
+     gss_release_cred(3)
+     gss_release_name(3)
+     gss_release_oid_set(3)
+     gss_seal(3)
+     gss_sign(3)
+     gss_test_oid_set_member(3)
+     gss_unseal(3)
+     gss_unwrap(3)
+     gss_verify(3)
+     gss_verify_mic(3)
+     gss_wrap(3)
+     gss_wrap_size_limit(3)
+
+CCOOMMPPAATTIIBBIILLIITTYY
+     The HHeeiimmddaall GSS-API implementation had a bug in releases before 0.6 that
+     made it fail to inter-operate when using DES3 with other GSS-API imple-
+     mentations when using ggssss__ggeett__mmiicc() / ggssss__vveerriiffyy__mmiicc().  It is possible
+     to modify the behavior of the generator of the MIC with the _k_r_b_5_._c_o_n_f
+     configuration file so that old clients/servers will still work.
+
+     New clients/servers will try both the old and new MIC in Heimdal 0.6.  In
+     0.7 it will check only if configured - the compatibility code will be
+     removed in 0.8.
+
+     Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this
+     will change in 0.7 to generate correct des3 mic.
+
+     To turn on compatibility with older clients and servers, change the
+     [[ggssssaappii]] _b_r_o_k_e_n___d_e_s_3___m_i_c in _k_r_b_5_._c_o_n_f that contains a list of globbing
+     expressions that will be matched against the server name.  To turn off
+     generation of the old (incompatible) mic of the MIC use [[ggssssaappii]]
+     _c_o_r_r_e_c_t___d_e_s_3___m_i_c.
+
+     If a match for a entry is in both [[ggssssaappii]] _c_o_r_r_e_c_t___d_e_s_3___m_i_c and [[ggssssaappii]]
+     _b_r_o_k_e_n___d_e_s_3___m_i_c, the later will override.
+
+     This config option modifies behaviour for both clients and servers.
+
+     Microsoft implemented SPNEGO to Windows2000, however, they managed to get
+     it wrong, their implementation didn't fill in the MechListMIC in the
+     reply token with the right content.  There is a work around for this
+     problem, but not all implementation support it.
+
+     Heimdal defaults to correct SPNEGO when the the kerberos implementation
+     uses CFX, or when it is configured by the user.  To turn on compatibility
+     with peers, use option [[ggssssaappii]] _r_e_q_u_i_r_e___m_e_c_h_l_i_s_t___m_i_c.
+
+EEXXAAMMPPLLEESS
+           [gssapi]
+                   broken_des3_mic = cvs/*@SU.SE
+                   broken_des3_mic = host/*@E.KTH.SE
+                   correct_des3_mic = host/*@SU.SE
+                   require_mechlist_mic = host/*@SU.SE
+
+BBUUGGSS
+     All of 0.5.x versions of hheeiimmddaall had broken token delegations in the
+     client side, the server side was correct.
+
+SSEEEE AALLSSOO
+     krb5(3), krb5.conf(5), kerberos(8)
+
+BSD                             April 20, 2005                             BSD
diff --git a/lib/gssapi/gssapi.h b/lib/gssapi/gssapi.h
index ae0274fd6bba..d2f039a5d552 100644
--- a/lib/gssapi/gssapi.h
+++ b/lib/gssapi/gssapi.h
@@ -1,37 +1,37 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-/* $Id: gssapi.h 18332 2006-10-07 20:57:15Z lha $ */
+/* $Id$ */
 
 #ifndef GSSAPI_H_
 #define GSSAPI_H_
diff --git a/lib/gssapi/gssapi/gssapi.h b/lib/gssapi/gssapi/gssapi.h
index fbc638c48fca..bbb2fd54c9bd 100644
--- a/lib/gssapi/gssapi/gssapi.h
+++ b/lib/gssapi/gssapi/gssapi.h
@@ -1,38 +1,36 @@
 /*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-/* $Id: gssapi.h 21004 2007-06-08 01:53:10Z lha $ */
-
 #ifndef GSSAPI_GSSAPI_H_
 #define GSSAPI_GSSAPI_H_
 
@@ -43,6 +41,45 @@
 
 #include <krb5-types.h>
 
+#ifndef BUILD_GSSAPI_LIB
+#if defined(_WIN32)
+#define GSSAPI_LIB_FUNCTION __declspec(dllimport)
+#define GSSAPI_LIB_CALL     __stdcall
+#define GSSAPI_LIB_VARIABLE __declspec(dllimport)
+#else
+#define GSSAPI_LIB_FUNCTION
+#define GSSAPI_LIB_CALL
+#define GSSAPI_LIB_VARIABLE
+#endif
+#endif
+
+#ifndef GSSAPI_DEPRECATED_FUNCTION
+#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
+#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated))
+#else
+#define GSSAPI_DEPRECATED_FUNCTION(X)
+#endif
+#endif
+
+/* Compatiblity with MIT Kerberos on the Mac */
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
+#pragma pack(push,2)
+#endif
+
+#ifdef __cplusplus
+#define GSSAPI_CPP_START	extern "C" {
+#define GSSAPI_CPP_END		}
+#else
+#define GSSAPI_CPP_START
+#define GSSAPI_CPP_END
+#endif
+
+#ifdef _WIN32
+#define GSSAPI_CALLCONV __stdcall
+#else
+#define GSSAPI_CALLCONV
+#endif
+
 /*
  * Now define the three implementation-dependent types.
  */
@@ -54,29 +91,35 @@ typedef uint32_t gss_uint32;
 
 struct gss_name_t_desc_struct;
 typedef struct gss_name_t_desc_struct *gss_name_t;
+typedef const struct gss_name_t_desc_struct *gss_const_name_t;
 
 struct gss_ctx_id_t_desc_struct;
 typedef struct gss_ctx_id_t_desc_struct *gss_ctx_id_t;
+typedef const struct gss_ctx_id_t_desc_struct gss_const_ctx_id_t;
 
 typedef struct gss_OID_desc_struct {
       OM_uint32 length;
       void      *elements;
 } gss_OID_desc, *gss_OID;
+typedef const gss_OID_desc * gss_const_OID;
 
 typedef struct gss_OID_set_desc_struct  {
       size_t     count;
       gss_OID    elements;
 } gss_OID_set_desc, *gss_OID_set;
+typedef const gss_OID_set_desc * gss_const_OID_set;
 
 typedef int gss_cred_usage_t;
 
 struct gss_cred_id_t_desc_struct;
 typedef struct gss_cred_id_t_desc_struct *gss_cred_id_t;
+typedef const struct gss_cred_id_t_desc_struct *gss_const_cred_id_t;
 
 typedef struct gss_buffer_desc_struct {
       size_t length;
       void *value;
 } gss_buffer_desc, *gss_buffer_t;
+typedef const gss_buffer_desc * gss_const_buffer_t;
 
 typedef struct gss_channel_bindings_struct {
       OM_uint32 initiator_addrtype;
@@ -85,6 +128,7 @@ typedef struct gss_channel_bindings_struct {
       gss_buffer_desc acceptor_address;
       gss_buffer_desc application_data;
 } *gss_channel_bindings_t;
+typedef const struct gss_channel_bindings_struct *gss_const_channel_bindings_t;
 
 /* GGF extension data types */
 typedef struct gss_buffer_set_desc_struct {
@@ -92,11 +136,18 @@ typedef struct gss_buffer_set_desc_struct {
       gss_buffer_desc *elements;
 } gss_buffer_set_desc, *gss_buffer_set_t;
 
+typedef struct gss_iov_buffer_desc_struct {
+    OM_uint32 type;
+    gss_buffer_desc buffer;
+} gss_iov_buffer_desc, *gss_iov_buffer_t;
+
 /*
  * For now, define a QOP-type as an OM_uint32
  */
 typedef OM_uint32 gss_qop_t;
 
+
+
 /*
  * Flag bits for context-level services.
  */
@@ -113,6 +164,7 @@ typedef OM_uint32 gss_qop_t;
 #define GSS_C_DCE_STYLE 4096
 #define GSS_C_IDENTIFY_FLAG 8192
 #define GSS_C_EXTENDED_ERROR_FLAG 16384
+#define GSS_C_DELEG_POLICY_FLAG 32768
 
 /*
  * Credential usage options
@@ -167,6 +219,7 @@ typedef OM_uint32 gss_qop_t;
 #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
 #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
 #define GSS_C_EMPTY_BUFFER {0, NULL}
+#define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0)
 
 /*
  * Some alternate names for a couple of the above
@@ -195,9 +248,33 @@ typedef OM_uint32 gss_qop_t;
  */
 #define GSS_C_INDEFINITE 0xfffffffful
 
-#ifdef __cplusplus
-extern "C" {
-#endif
+/*
+ * Type of gss_wrap_iov()/gss_unwrap_iov().
+ */
+
+#define GSS_IOV_BUFFER_TYPE_EMPTY 0
+#define GSS_IOV_BUFFER_TYPE_DATA 1
+#define GSS_IOV_BUFFER_TYPE_HEADER 2
+#define GSS_IOV_BUFFER_TYPE_MECH_PARAMS 3
+
+#define GSS_IOV_BUFFER_TYPE_TRAILER 7
+#define GSS_IOV_BUFFER_TYPE_PADDING 9
+#define GSS_IOV_BUFFER_TYPE_STREAM 10
+#define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11
+
+#define GSS_IOV_BUFFER_TYPE_FLAG_MASK		0xffff0000
+#define GSS_IOV_BUFFER_FLAG_ALLOCATE		0x00010000
+#define GSS_IOV_BUFFER_FLAG_ALLOCATED		0x00020000
+
+#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE	0x00010000 /* old name */
+#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED	0x00020000 /* old name */
+
+#define GSS_IOV_BUFFER_TYPE(_t) ((_t) & ~GSS_IOV_BUFFER_TYPE_FLAG_MASK)
+#define GSS_IOV_BUFFER_FLAGS(_t) ((_t) & GSS_IOV_BUFFER_TYPE_FLAG_MASK)
+
+GSSAPI_CPP_START
+
+#include <gssapi/gssapi_oid.h>
 
 /*
  * The implementation must reserve static storage for a
@@ -210,7 +287,8 @@ extern "C" {
  * GSS_C_NT_USER_NAME should be initialized to point
  * to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_USER_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_user_name_oid_desc;
+#define GSS_C_NT_USER_NAME (&__gss_c_nt_user_name_oid_desc)
 
 /*
  * The implementation must reserve static storage for a
@@ -223,7 +301,8 @@ extern gss_OID GSS_C_NT_USER_NAME;
  * The constant GSS_C_NT_MACHINE_UID_NAME should be
  * initialized to point to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_machine_uid_name_oid_desc;
+#define GSS_C_NT_MACHINE_UID_NAME (&__gss_c_nt_machine_uid_name_oid_desc)
 
 /*
  * The implementation must reserve static storage for a
@@ -236,7 +315,8 @@ extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
  * The constant GSS_C_NT_STRING_UID_NAME should be
  * initialized to point to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_STRING_UID_NAME;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_string_uid_name_oid_desc;
+#define GSS_C_NT_STRING_UID_NAME (&__gss_c_nt_string_uid_name_oid_desc)
 
 /*
  * The implementation must reserve static storage for a
@@ -255,7 +335,8 @@ extern gss_OID GSS_C_NT_STRING_UID_NAME;
  * parameter, but should not be emitted by GSS-API
  * implementations
  */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_hostbased_service_x_oid_desc;
+#define GSS_C_NT_HOSTBASED_SERVICE_X (&__gss_c_nt_hostbased_service_x_oid_desc)
 
 /*
  * The implementation must reserve static storage for a
@@ -268,7 +349,8 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
  * GSS_C_NT_HOSTBASED_SERVICE should be initialized
  * to point to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_hostbased_service_oid_desc;
+#define GSS_C_NT_HOSTBASED_SERVICE (&__gss_c_nt_hostbased_service_oid_desc)
 
 /*
  * The implementation must reserve static storage for a
@@ -280,7 +362,8 @@ extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
  * and GSS_C_NT_ANONYMOUS should be initialized to point
  * to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_ANONYMOUS;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc;
+#define GSS_C_NT_ANONYMOUS (&__gss_c_nt_anonymous_oid_desc)
 
 /*
  * The implementation must reserve static storage for a
@@ -292,19 +375,8 @@ extern gss_OID GSS_C_NT_ANONYMOUS;
  * GSS_C_NT_EXPORT_NAME should be initialized to point
  * to that gss_OID_desc.
  */
-extern gss_OID GSS_C_NT_EXPORT_NAME;
-
-/*
- * Digest mechanism
- */
-
-extern gss_OID GSS_SASL_DIGEST_MD5_MECHANISM;
-
-/*
- * NTLM mechanism
- */
-
-extern gss_OID GSS_NTLM_MECHANISM;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
+#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
 
 /* Major status codes */
 
@@ -373,6 +445,12 @@ extern gss_OID GSS_NTLM_MECHANISM;
 #define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
 #define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
 #define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
+
+/*
+ * Apparently awating spec fix.
+ */
+#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
 
 /*
  * Supplementary info bits:
@@ -387,7 +465,10 @@ extern gss_OID GSS_NTLM_MECHANISM;
  * Finally, function prototypes for the GSS-API routines.
  */
 
-OM_uint32 gss_acquire_cred
+#define GSS_C_OPTION_MASK 0xffff
+#define GSS_C_CRED_NO_UI  0x10000
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred
            (OM_uint32 * /*minor_status*/,
             const gss_name_t /*desired_name*/,
             OM_uint32 /*time_req*/,
@@ -398,12 +479,12 @@ OM_uint32 gss_acquire_cred
             OM_uint32 * /*time_rec*/
            );
 
-OM_uint32 gss_release_cred
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_release_cred
            (OM_uint32 * /*minor_status*/,
             gss_cred_id_t * /*cred_handle*/
            );
 
-OM_uint32 gss_init_sec_context
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_init_sec_context
            (OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*initiator_cred_handle*/,
             gss_ctx_id_t * /*context_handle*/,
@@ -419,7 +500,7 @@ OM_uint32 gss_init_sec_context
             OM_uint32 * /*time_rec*/
            );
 
-OM_uint32 gss_accept_sec_context
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_accept_sec_context
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t * /*context_handle*/,
             const gss_cred_id_t /*acceptor_cred_handle*/,
@@ -433,25 +514,25 @@ OM_uint32 gss_accept_sec_context
             gss_cred_id_t * /*delegated_cred_handle*/
            );
 
-OM_uint32 gss_process_context_token
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_process_context_token
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             const gss_buffer_t /*token_buffer*/
            );
 
-OM_uint32 gss_delete_sec_context
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_delete_sec_context
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t * /*context_handle*/,
             gss_buffer_t /*output_token*/
            );
 
-OM_uint32 gss_context_time
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_context_time
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             OM_uint32 * /*time_rec*/
            );
 
-OM_uint32 gss_get_mic
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_get_mic
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             gss_qop_t /*qop_req*/,
@@ -459,7 +540,7 @@ OM_uint32 gss_get_mic
             gss_buffer_t /*message_token*/
            );
 
-OM_uint32 gss_verify_mic
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify_mic
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             const gss_buffer_t /*message_buffer*/,
@@ -467,7 +548,7 @@ OM_uint32 gss_verify_mic
             gss_qop_t * /*qop_state*/
            );
 
-OM_uint32 gss_wrap
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_wrap
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             int /*conf_req_flag*/,
@@ -477,7 +558,7 @@ OM_uint32 gss_wrap
             gss_buffer_t /*output_message_buffer*/
            );
 
-OM_uint32 gss_unwrap
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unwrap
            (OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             const gss_buffer_t /*input_message_buffer*/,
@@ -486,7 +567,7 @@ OM_uint32 gss_unwrap
             gss_qop_t * /*qop_state*/
            );
 
-OM_uint32 gss_display_status
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_display_status
            (OM_uint32 * /*minor_status*/,
             OM_uint32 /*status_value*/,
             int /*status_type*/,
@@ -495,54 +576,54 @@ OM_uint32 gss_display_status
             gss_buffer_t /*status_string*/
            );
 
-OM_uint32 gss_indicate_mechs
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_indicate_mechs
            (OM_uint32 * /*minor_status*/,
             gss_OID_set * /*mech_set*/
            );
 
-OM_uint32 gss_compare_name
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_compare_name
            (OM_uint32 * /*minor_status*/,
             const gss_name_t /*name1*/,
             const gss_name_t /*name2*/,
             int * /*name_equal*/
            );
 
-OM_uint32 gss_display_name
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_display_name
            (OM_uint32 * /*minor_status*/,
             const gss_name_t /*input_name*/,
             gss_buffer_t /*output_name_buffer*/,
             gss_OID * /*output_name_type*/
            );
 
-OM_uint32 gss_import_name
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_import_name
            (OM_uint32 * /*minor_status*/,
             const gss_buffer_t /*input_name_buffer*/,
             const gss_OID /*input_name_type*/,
             gss_name_t * /*output_name*/
            );
 
-OM_uint32 gss_export_name
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_export_name
            (OM_uint32  * /*minor_status*/,
             const gss_name_t /*input_name*/,
             gss_buffer_t /*exported_name*/
            );
 
-OM_uint32 gss_release_name
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_release_name
            (OM_uint32 * /*minor_status*/,
             gss_name_t * /*input_name*/
            );
 
-OM_uint32 gss_release_buffer
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_release_buffer
            (OM_uint32 * /*minor_status*/,
             gss_buffer_t /*buffer*/
            );
 
-OM_uint32 gss_release_oid_set
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_release_oid_set
            (OM_uint32 * /*minor_status*/,
             gss_OID_set * /*set*/
            );
 
-OM_uint32 gss_inquire_cred
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_inquire_cred
            (OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*cred_handle*/,
             gss_name_t * /*name*/,
@@ -551,7 +632,7 @@ OM_uint32 gss_inquire_cred
             gss_OID_set * /*mechanisms*/
            );
 
-OM_uint32 gss_inquire_context (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_inquire_context (
             OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             gss_name_t * /*src_name*/,
@@ -563,7 +644,7 @@ OM_uint32 gss_inquire_context (
             int * /*open_context*/
            );
 
-OM_uint32 gss_wrap_size_limit (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_wrap_size_limit (
             OM_uint32 * /*minor_status*/,
             const gss_ctx_id_t /*context_handle*/,
             int /*conf_req_flag*/,
@@ -572,7 +653,7 @@ OM_uint32 gss_wrap_size_limit (
             OM_uint32 * /*max_input_size*/
            );
 
-OM_uint32 gss_add_cred (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred (
             OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*input_cred_handle*/,
             const gss_name_t /*desired_name*/,
@@ -586,7 +667,7 @@ OM_uint32 gss_add_cred (
             OM_uint32 * /*acceptor_time_rec*/
            );
 
-OM_uint32 gss_inquire_cred_by_mech (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_inquire_cred_by_mech (
             OM_uint32 * /*minor_status*/,
             const gss_cred_id_t /*cred_handle*/,
             const gss_OID /*mech_type*/,
@@ -596,80 +677,81 @@ OM_uint32 gss_inquire_cred_by_mech (
             gss_cred_usage_t * /*cred_usage*/
            );
 
-OM_uint32 gss_export_sec_context (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_export_sec_context (
             OM_uint32 * /*minor_status*/,
             gss_ctx_id_t * /*context_handle*/,
             gss_buffer_t /*interprocess_token*/
            );
 
-OM_uint32 gss_import_sec_context (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_import_sec_context (
             OM_uint32 * /*minor_status*/,
             const gss_buffer_t /*interprocess_token*/,
             gss_ctx_id_t * /*context_handle*/
            );
 
-OM_uint32 gss_create_empty_oid_set (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_create_empty_oid_set (
             OM_uint32 * /*minor_status*/,
             gss_OID_set * /*oid_set*/
            );
 
-OM_uint32 gss_add_oid_set_member (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_oid_set_member (
             OM_uint32 * /*minor_status*/,
             const gss_OID /*member_oid*/,
             gss_OID_set * /*oid_set*/
            );
 
-OM_uint32 gss_test_oid_set_member (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_test_oid_set_member (
             OM_uint32 * /*minor_status*/,
             const gss_OID /*member*/,
             const gss_OID_set /*set*/,
             int * /*present*/
            );
 
-OM_uint32 gss_inquire_names_for_mech (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_inquire_names_for_mech (
             OM_uint32 * /*minor_status*/,
             const gss_OID /*mechanism*/,
             gss_OID_set * /*name_types*/
            );
 
-OM_uint32 gss_inquire_mechs_for_name (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_inquire_mechs_for_name (
             OM_uint32 * /*minor_status*/,
             const gss_name_t /*input_name*/,
             gss_OID_set * /*mech_types*/
            );
 
-OM_uint32 gss_canonicalize_name (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_canonicalize_name (
             OM_uint32 * /*minor_status*/,
             const gss_name_t /*input_name*/,
             const gss_OID /*mech_type*/,
             gss_name_t * /*output_name*/
            );
 
-OM_uint32 gss_duplicate_name (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_duplicate_name (
             OM_uint32 * /*minor_status*/,
             const gss_name_t /*src_name*/,
             gss_name_t * /*dest_name*/
            );
 
-OM_uint32 gss_duplicate_oid (
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_duplicate_oid (
 	    OM_uint32 * /* minor_status */,
 	    gss_OID /* src_oid */,
 	    gss_OID * /* dest_oid */
            );
-OM_uint32
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_release_oid
 	(OM_uint32 * /*minor_status*/,
 	 gss_OID * /* oid */
 	);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_oid_to_str(
 	    OM_uint32 * /*minor_status*/,
 	    gss_OID /* oid */,
 	    gss_buffer_t /* str */
            );
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_inquire_sec_context_by_oid(
 	    OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
@@ -677,38 +759,38 @@ gss_inquire_sec_context_by_oid(
             gss_buffer_set_t *data_set
            );
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_set_sec_context_option (OM_uint32 *minor_status,
 			    gss_ctx_id_t *context_handle,
 			    const gss_OID desired_object,
 			    const gss_buffer_t value);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_set_cred_option (OM_uint32 *minor_status,
 		     gss_cred_id_t *cred_handle,
 		     const gss_OID object,
 		     const gss_buffer_t value);
 
-int
-gss_oid_equal(const gss_OID a, const gss_OID b);
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_oid_equal(gss_const_OID a, gss_const_OID b);
 
-OM_uint32 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_create_empty_buffer_set
 	   (OM_uint32 * minor_status,
 	    gss_buffer_set_t *buffer_set);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_add_buffer_set_member
 	   (OM_uint32 * minor_status,
 	    const gss_buffer_t member_buffer,
 	    gss_buffer_set_t *buffer_set);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_release_buffer_set
 	   (OM_uint32 * minor_status,
 	    gss_buffer_set_t *buffer_set);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
 	                const gss_cred_id_t cred_handle,
 	                const gss_OID desired_object,
@@ -721,7 +803,7 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status,
 #define GSS_C_PRF_KEY_FULL 0
 #define GSS_C_PRF_KEY_PARTIAL 1
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_pseudo_random
 	(OM_uint32 *minor_status,
 	 gss_ctx_id_t context,
@@ -731,6 +813,41 @@ gss_pseudo_random
 	 gss_buffer_t prf_out
 	);
 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_store_cred(OM_uint32         * /* minor_status */,
+	       gss_cred_id_t     /* input_cred_handle */,
+	       gss_cred_usage_t  /* cred_usage */,
+	       const gss_OID     /* desired_mech */,
+	       OM_uint32         /* overwrite_cred */,
+	       OM_uint32         /* default_cred */,
+	       gss_OID_set       * /* elements_stored */,
+	       gss_cred_usage_t  * /* cred_usage_stored */);
+
+
+/*
+ * Query functions
+ */
+
+typedef struct {
+    size_t header; /**< size of header */
+    size_t trailer; /**< size of trailer */
+    size_t max_msg_size; /**< maximum message size */
+    size_t buffers; /**< extra GSS_IOV_BUFFER_TYPE_EMPTY buffer to pass */
+    size_t blocksize; /**< Specificed optimal size of messages, also
+			 is the maximum padding size
+			 (GSS_IOV_BUFFER_TYPE_PADDING) */
+} gss_context_stream_sizes;
+
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_attr_stream_sizes_oid_desc;
+#define GSS_C_ATTR_STREAM_SIZES (&__gss_c_attr_stream_sizes_oid_desc)
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_context_query_attributes(OM_uint32 * /* minor_status */,
+			     const gss_ctx_id_t /* context_handle */,
+			     const gss_OID /* attribute */,
+			     void * /*data*/,
+			     size_t /* len */);
 /*
  * The following routines are obsolete variants of gss_get_mic,
  * gss_verify_mic, gss_wrap and gss_unwrap.  They should be
@@ -742,23 +859,23 @@ gss_pseudo_random
  * obsolete versions of these routines and their current forms.
  */
 
-OM_uint32 gss_sign
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             int /*qop_req*/,
             gss_buffer_t /*message_buffer*/,
             gss_buffer_t /*message_token*/
-           );
+	    ) GSSAPI_DEPRECATED_FUNCTION("Use gss_get_mic");
 
-OM_uint32 gss_verify
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             gss_buffer_t /*message_buffer*/,
             gss_buffer_t /*token_buffer*/,
             int * /*qop_state*/
-           );
+	    ) GSSAPI_DEPRECATED_FUNCTION("Use gss_verify_mic");
 
-OM_uint32 gss_seal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             int /*conf_req_flag*/,
@@ -766,44 +883,238 @@ OM_uint32 gss_seal
             gss_buffer_t /*input_message_buffer*/,
             int * /*conf_state*/,
             gss_buffer_t /*output_message_buffer*/
-           );
+           ) GSSAPI_DEPRECATED_FUNCTION("Use gss_wrap");
 
-OM_uint32 gss_unseal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
            (OM_uint32 * /*minor_status*/,
             gss_ctx_id_t /*context_handle*/,
             gss_buffer_t /*input_message_buffer*/,
             gss_buffer_t /*output_message_buffer*/,
             int * /*conf_state*/,
             int * /*qop_state*/
-           );
+           )  GSSAPI_DEPRECATED_FUNCTION("Use gss_unwrap");
 
-/*
+/**
  *
  */
 
-OM_uint32
-gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
-	                        const gss_ctx_id_t context_handle,
-	                        const gss_OID desired_object,
-	                        gss_buffer_set_t *data_set);
-
-OM_uint32
-gss_encapsulate_token(gss_buffer_t /* input_token */,
-		      gss_OID /* oid */,
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_encapsulate_token(gss_const_buffer_t /* input_token */,
+		      gss_const_OID /* oid */,
 		      gss_buffer_t /* output_token */);
 
-OM_uint32
-gss_decapsulate_token(gss_buffer_t /* input_token */,
-		      gss_OID /* oid */,
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_decapsulate_token(gss_const_buffer_t /* input_token */,
+		      gss_const_OID /* oid */,
 		      gss_buffer_t /* output_token */);
 
 
 
-#ifdef __cplusplus
-}
+/*
+ * AEAD support
+ */
+
+/*
+ * GSS_IOV
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_wrap_iov(OM_uint32 *, gss_ctx_id_t, int, gss_qop_t, int *,
+	     gss_iov_buffer_desc *, int);
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_unwrap_iov(OM_uint32 *, gss_ctx_id_t, int *, gss_qop_t *,
+	       gss_iov_buffer_desc *, int);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_wrap_iov_length(OM_uint32 *, gss_ctx_id_t, int, gss_qop_t, int *,
+		    gss_iov_buffer_desc *, int);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_iov_buffer(OM_uint32 *, gss_iov_buffer_desc *, int);
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_export_cred(OM_uint32 * /* minor_status */,
+		gss_cred_id_t /* cred_handle */,
+		gss_buffer_t /* cred_token */);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_import_cred(OM_uint32 * /* minor_status */,
+		gss_buffer_t /* cred_token */,
+		gss_cred_id_t * /* cred_handle */);
+
+/*
+ * mech option
+ */
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_mo_set(gss_const_OID mech, gss_const_OID option,
+	   int enable, gss_buffer_t value);
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value);
+
+GSSAPI_LIB_FUNCTION void GSSAPI_LIB_CALL
+gss_mo_list(gss_const_OID mech, gss_OID_set *options);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_mo_name(gss_const_OID mech, gss_const_OID options, gss_buffer_t name);
+
+/*
+ * SASL glue functions and mech inquire
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_saslname_for_mech(OM_uint32 *minor_status,
+			      const gss_OID desired_mech,
+			      gss_buffer_t sasl_mech_name,
+			      gss_buffer_t mech_name,
+			      gss_buffer_t mech_description);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_mech_for_saslname(OM_uint32 *minor_status,
+			      const gss_buffer_t sasl_mech_name,
+			      gss_OID *mech_type);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_indicate_mechs_by_attrs(OM_uint32 * minor_status,
+			    gss_const_OID_set desired_mech_attrs,
+			    gss_const_OID_set except_mech_attrs,
+			    gss_const_OID_set critical_mech_attrs,
+			    gss_OID_set *mechs);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_attrs_for_mech(OM_uint32 * minor_status,
+			   gss_const_OID mech,
+			   gss_OID_set *mech_attr,
+			   gss_OID_set *known_mech_attrs);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_display_mech_attr(OM_uint32 * minor_status,
+		      gss_const_OID mech_attr,
+		      gss_buffer_t name,
+		      gss_buffer_t short_desc,
+		      gss_buffer_t long_desc);
+
+/*
+ * Solaris compat
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred_with_password
+           (OM_uint32 * /*minor_status*/,
+            const gss_name_t /*desired_name*/,
+            const gss_buffer_t /*password*/,
+            OM_uint32 /*time_req*/,
+            const gss_OID_set /*desired_mechs*/,
+            gss_cred_usage_t /*cred_usage*/,
+            gss_cred_id_t * /*output_cred_handle*/,
+            gss_OID_set * /*actual_mechs*/,
+            OM_uint32 * /*time_rec*/
+           );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred_with_password (
+            OM_uint32 * /*minor_status*/,
+            const gss_cred_id_t /*input_cred_handle*/,
+            const gss_name_t /*desired_name*/,
+            const gss_OID /*desired_mech*/,
+            const gss_buffer_t /*password*/,
+            gss_cred_usage_t /*cred_usage*/,
+            OM_uint32 /*initiator_time_req*/,
+            OM_uint32 /*acceptor_time_req*/,
+            gss_cred_id_t * /*output_cred_handle*/,
+            gss_OID_set * /*actual_mechs*/,
+            OM_uint32 * /*initiator_time_rec*/,
+            OM_uint32 * /*acceptor_time_rec*/
+           );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_pname_to_uid(
+        OM_uint32 *minor,
+        const gss_name_t name,
+        const gss_OID mech_type,
+        uid_t *uidOut);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_authorize_localname(
+        OM_uint32 *minor,
+        const gss_name_t name,
+        const gss_name_t user);
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_userok(const gss_name_t name,
+           const char *user);
+
+extern GSSAPI_LIB_VARIABLE gss_buffer_desc __gss_c_attr_local_login_user;
+#define GSS_C_ATTR_LOCAL_LOGIN_USER (&__gss_c_attr_local_login_user)
+
+/*
+ * Naming extensions
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_display_name_ext (
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_OID,		/* display_as_name_type */
+    gss_buffer_t	/* display_name */
+    );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_inquire_name (
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    int *,		/* name_is_MN */
+    gss_OID *,		/* MN_mech */
+    gss_buffer_set_t *	/* attrs */
+    );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_get_name_attribute (
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_buffer_t,	/* attr */
+    int *,		/* authenticated */
+    int *,		/* complete */
+    gss_buffer_t,	/* value */
+    gss_buffer_t,	/* display_value */
+    int *		/* more */
+    );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_set_name_attribute (
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    int,		/* complete */
+    gss_buffer_t,	/* attr */
+    gss_buffer_t	/* value */
+    );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_delete_name_attribute (
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_buffer_t	/* attr */
+    );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_export_name_composite (
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_buffer_t	/* exp_composite_name */
+    );
+
+/*
+ *
+ */
+
+GSSAPI_LIB_FUNCTION const char * GSSAPI_LIB_CALL
+gss_oid_to_name(gss_const_OID oid);
+
+GSSAPI_LIB_FUNCTION gss_OID GSSAPI_LIB_CALL
+gss_name_to_oid(const char *name);
+
+GSSAPI_CPP_END
+
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
+#pragma pack(pop)
 #endif
 
-#include <gssapi/gssapi_krb5.h>
-#include <gssapi/gssapi_spnego.h>
+#undef GSSAPI_DEPRECATED_FUNCTION
 
 #endif /* GSSAPI_GSSAPI_H_ */
diff --git a/lib/gssapi/gssapi/gssapi_krb5.h b/lib/gssapi/gssapi/gssapi_krb5.h
index cca529fe26ff..2f605f5ee113 100644
--- a/lib/gssapi/gssapi/gssapi_krb5.h
+++ b/lib/gssapi/gssapi/gssapi_krb5.h
@@ -1,86 +1,73 @@
 /*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-/* $Id: gssapi_krb5.h 20385 2007-04-18 08:51:32Z lha $ */
+/* $Id$ */
 
 #ifndef GSSAPI_KRB5_H_
 #define GSSAPI_KRB5_H_
 
-#include <gssapi/gssapi.h>
+#include <gssapi.h>
 
-#ifdef __cplusplus
-extern "C" {
+GSSAPI_CPP_START
+
+#if !defined(__GNUC__) && !defined(__attribute__)
+#define __attribute__(x)
+#endif
+
+#ifndef GSSKRB5_FUNCTION_DEPRECATED
+#define GSSKRB5_FUNCTION_DEPRECATED __attribute__((deprecated))
 #endif
 
+
 /*
  * This is for kerberos5 names.
  */
 
-extern gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
-extern gss_OID GSS_KRB5_NT_USER_NAME;
-extern gss_OID GSS_KRB5_NT_MACHINE_UID_NAME;
-extern gss_OID GSS_KRB5_NT_STRING_UID_NAME;
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_oid_desc;
+#define GSS_KRB5_NT_PRINCIPAL_NAME (&__gss_krb5_nt_principal_name_oid_desc)
 
-extern gss_OID GSS_KRB5_MECHANISM;
+#define GSS_KRB5_NT_USER_NAME (&__gss_c_nt_user_name_oid_desc)
+#define GSS_KRB5_NT_MACHINE_UID_NAME (&__gss_c_nt_machine_uid_name_oid_desc)
+#define GSS_KRB5_NT_STRING_UID_NAME (&__gss_c_nt_string_uid_name_oid_desc)
+
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc;
+#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
 
 /* for compatibility with MIT api */
 
 #define gss_mech_krb5 GSS_KRB5_MECHANISM
 #define gss_krb5_nt_general_name GSS_KRB5_NT_PRINCIPAL_NAME
 
-/* Extensions set contexts options */
-extern gss_OID GSS_KRB5_COPY_CCACHE_X;
-extern gss_OID GSS_KRB5_COMPAT_DES3_MIC_X;
-extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
-extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
-extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
-extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
-extern gss_OID GSS_KRB5_CCACHE_NAME_X;
-/* Extensions inquire context */
-extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
-extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;
-extern gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO;
-extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X;
-extern gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X;
-extern gss_OID GSS_KRB5_GET_SUBKEY_X;
-extern gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X;
-extern gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X;
-extern gss_OID GSS_KRB5_GET_AUTHTIME_X;
-extern gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X;
-/* Extensions creds */
-extern gss_OID GSS_KRB5_IMPORT_CRED_X;
-extern gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X;
-
 /*
  * kerberos mechanism specific functions
  */
@@ -89,39 +76,42 @@ struct krb5_keytab_data;
 struct krb5_ccache_data;
 struct Principal;
 
-OM_uint32
-gss_krb5_ccache_name(OM_uint32 * /*minor_status*/, 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_ccache_name(OM_uint32 * /*minor_status*/,
 		     const char * /*name */,
 		     const char ** /*out_name */);
 
-OM_uint32 gsskrb5_register_acceptor_identity
-        (const char */*identity*/);
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gsskrb5_register_acceptor_identity
+        (const char * /*identity*/);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL krb5_gss_register_acceptor_identity
+	(const char * /*identity*/);
 
-OM_uint32 gss_krb5_copy_ccache
-	(OM_uint32 */*minor*/,
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_krb5_copy_ccache
+	(OM_uint32 * /*minor*/,
 	 gss_cred_id_t /*cred*/,
-	 struct krb5_ccache_data */*out*/);
+	 struct krb5_ccache_data * /*out*/);
 
-OM_uint32
-gss_krb5_import_cred(OM_uint32 */*minor*/,
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_import_cred(OM_uint32 * /*minor*/,
 		     struct krb5_ccache_data * /*in*/,
 		     struct Principal * /*keytab_principal*/,
 		     struct krb5_keytab_data * /*keytab*/,
-		     gss_cred_id_t */*out*/);
+		     gss_cred_id_t * /*out*/);
 
-OM_uint32 gss_krb5_get_tkt_flags
-	(OM_uint32 */*minor*/,
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_krb5_get_tkt_flags
+	(OM_uint32 * /*minor*/,
 	 gss_ctx_id_t /*context_handle*/,
-	 OM_uint32 */*tkt_flags*/);
+	 OM_uint32 * /*tkt_flags*/);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_extract_authz_data_from_sec_context
 	(OM_uint32 * /*minor_status*/,
 	 gss_ctx_id_t /*context_handle*/,
 	 int /*ad_type*/,
 	 gss_buffer_t /*ad_data*/);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_set_dns_canonicalize(int);
 
 struct gsskrb5_send_to_kdc {
@@ -129,30 +119,47 @@ struct gsskrb5_send_to_kdc {
     void *ptr;
 };
 
-OM_uint32
-gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *);
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *)
+    GSSKRB5_FUNCTION_DEPRECATED;
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_set_default_realm(const char *);
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, time_t *);
 
 struct EncryptionKey;
 
-OM_uint32 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
 				 gss_ctx_id_t context_handle,
 				 struct EncryptionKey **out);
-OM_uint32 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
 				 gss_ctx_id_t context_handle,
 				 struct EncryptionKey **out);
-OM_uint32 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_get_subkey(OM_uint32 *minor_status,
 		   gss_ctx_id_t context_handle,
 		   struct EncryptionKey **out);
 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_set_time_offset(int);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_get_time_offset(int *);
+
+struct gsskrb5_krb5_plugin {
+    int type;
+    char *name;
+    void *symbol;
+};
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_plugin_register(struct gsskrb5_krb5_plugin *);
+
+
 /*
  * Lucid - NFSv4 interface to GSS-API KRB5 to expose key material to
  * do GSS content token handling in-kernel.
@@ -195,26 +202,24 @@ typedef struct gss_krb5_lucid_context_version {
  * Function declarations
  */
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
 				  gss_ctx_id_t *context_handle,
 				  OM_uint32 version,
 				  void **kctx);
 
 
-OM_uint32
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
 				void *kctx);
 
 
-OM_uint32
-gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, 
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
 				gss_cred_id_t cred,
 				OM_uint32 num_enctypes,
 				int32_t *enctypes);
 
-#ifdef __cplusplus
-}
-#endif
+GSSAPI_CPP_END
 
 #endif /* GSSAPI_SPNEGO_H_ */
diff --git a/lib/gssapi/gssapi/gssapi_ntlm.h b/lib/gssapi/gssapi/gssapi_ntlm.h
new file mode 100644
index 000000000000..e37c003c7db0
--- /dev/null
+++ b/lib/gssapi/gssapi/gssapi_ntlm.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2006 - 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+#ifndef GSSAPI_NTLM_H_
+#define GSSAPI_NTLM_H_
+
+#include <gssapi.h>
+
+#endif /* GSSAPI_NTLM_H_ */
diff --git a/lib/gssapi/gssapi/gssapi_oid.h b/lib/gssapi/gssapi/gssapi_oid.h
new file mode 100644
index 000000000000..9465efc77f44
--- /dev/null
+++ b/lib/gssapi/gssapi/gssapi_oid.h
@@ -0,0 +1,245 @@
+/* Generated file */
+#ifndef GSSAPI_GSSAPI_OID
+#define GSSAPI_GSSAPI_OID 1
+
+ /* contact Love Hörnquist Åstrand <lha@h5l.org> for new oid arcs */
+ /*
+  * 1.2.752.43.13 Heimdal GSS-API Extentions
+  */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_copy_ccache_x_oid_desc;
+#define GSS_KRB5_COPY_CCACHE_X (&__gss_krb5_copy_ccache_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_tkt_flags_x_oid_desc;
+#define GSS_KRB5_GET_TKT_FLAGS_X (&__gss_krb5_get_tkt_flags_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
+#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X (&__gss_krb5_extract_authz_data_from_sec_context_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_compat_des3_mic_x_oid_desc;
+#define GSS_KRB5_COMPAT_DES3_MIC_X (&__gss_krb5_compat_des3_mic_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_register_acceptor_identity_x_oid_desc;
+#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X (&__gss_krb5_register_acceptor_identity_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_export_lucid_context_x_oid_desc;
+#define GSS_KRB5_EXPORT_LUCID_CONTEXT_X (&__gss_krb5_export_lucid_context_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_export_lucid_context_v1_x_oid_desc;
+#define GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X (&__gss_krb5_export_lucid_context_v1_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_dns_canonicalize_x_oid_desc;
+#define GSS_KRB5_SET_DNS_CANONICALIZE_X (&__gss_krb5_set_dns_canonicalize_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_subkey_x_oid_desc;
+#define GSS_KRB5_GET_SUBKEY_X (&__gss_krb5_get_subkey_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_initiator_subkey_x_oid_desc;
+#define GSS_KRB5_GET_INITIATOR_SUBKEY_X (&__gss_krb5_get_initiator_subkey_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_acceptor_subkey_x_oid_desc;
+#define GSS_KRB5_GET_ACCEPTOR_SUBKEY_X (&__gss_krb5_get_acceptor_subkey_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_send_to_kdc_x_oid_desc;
+#define GSS_KRB5_SEND_TO_KDC_X (&__gss_krb5_send_to_kdc_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_authtime_x_oid_desc;
+#define GSS_KRB5_GET_AUTHTIME_X (&__gss_krb5_get_authtime_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_service_keyblock_x_oid_desc;
+#define GSS_KRB5_GET_SERVICE_KEYBLOCK_X (&__gss_krb5_get_service_keyblock_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_allowable_enctypes_x_oid_desc;
+#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X (&__gss_krb5_set_allowable_enctypes_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_default_realm_x_oid_desc;
+#define GSS_KRB5_SET_DEFAULT_REALM_X (&__gss_krb5_set_default_realm_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_ccache_name_x_oid_desc;
+#define GSS_KRB5_CCACHE_NAME_X (&__gss_krb5_ccache_name_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_set_time_offset_x_oid_desc;
+#define GSS_KRB5_SET_TIME_OFFSET_X (&__gss_krb5_set_time_offset_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_get_time_offset_x_oid_desc;
+#define GSS_KRB5_GET_TIME_OFFSET_X (&__gss_krb5_get_time_offset_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_plugin_register_x_oid_desc;
+#define GSS_KRB5_PLUGIN_REGISTER_X (&__gss_krb5_plugin_register_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_ntlm_get_session_key_x_oid_desc;
+#define GSS_NTLM_GET_SESSION_KEY_X (&__gss_ntlm_get_session_key_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_ntlm_oid_desc;
+#define GSS_C_NT_NTLM (&__gss_c_nt_ntlm_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_dn_oid_desc;
+#define GSS_C_NT_DN (&__gss_c_nt_dn_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_nt_principal_name_referral_oid_desc;
+#define GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL (&__gss_krb5_nt_principal_name_referral_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ntlm_avguest_oid_desc;
+#define GSS_C_NTLM_AVGUEST (&__gss_c_ntlm_avguest_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ntlm_v1_oid_desc;
+#define GSS_C_NTLM_V1 (&__gss_c_ntlm_v1_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ntlm_v2_oid_desc;
+#define GSS_C_NTLM_V2 (&__gss_c_ntlm_v2_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ntlm_session_key_oid_desc;
+#define GSS_C_NTLM_SESSION_KEY (&__gss_c_ntlm_session_key_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ntlm_force_v1_oid_desc;
+#define GSS_C_NTLM_FORCE_V1 (&__gss_c_ntlm_force_v1_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_cred_no_ci_flags_x_oid_desc;
+#define GSS_KRB5_CRED_NO_CI_FLAGS_X (&__gss_krb5_cred_no_ci_flags_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_import_cred_x_oid_desc;
+#define GSS_KRB5_IMPORT_CRED_X (&__gss_krb5_import_cred_x_oid_desc)
+
+ /* glue for gss_inquire_saslname_for_mech */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_sasl_mech_name_oid_desc;
+#define GSS_C_MA_SASL_MECH_NAME (&__gss_c_ma_sasl_mech_name_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc;
+#define GSS_C_MA_MECH_NAME (&__gss_c_ma_mech_name_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc;
+#define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc)
+
+ /* credential types */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
+/* Heimdal mechanisms - 1.2.752.43.14 */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc;
+#define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_netlogon_mechanism_oid_desc;
+#define GSS_NETLOGON_MECHANISM (&__gss_netlogon_mechanism_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_netlogon_set_session_key_x_oid_desc;
+#define GSS_NETLOGON_SET_SESSION_KEY_X (&__gss_netlogon_set_session_key_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_netlogon_set_sign_algorithm_x_oid_desc;
+#define GSS_NETLOGON_SET_SIGN_ALGORITHM_X (&__gss_netlogon_set_sign_algorithm_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_netlogon_nt_netbios_dns_name_oid_desc;
+#define GSS_NETLOGON_NT_NETBIOS_DNS_NAME (&__gss_netlogon_nt_netbios_dns_name_oid_desc)
+
+/* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X.128 */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_inq_win2k_pac_x_oid_desc;
+#define GSS_C_INQ_WIN2K_PAC_X (&__gss_c_inq_win2k_pac_x_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_inq_sspi_session_key_oid_desc;
+#define GSS_C_INQ_SSPI_SESSION_KEY (&__gss_c_inq_sspi_session_key_oid_desc)
+
+/*
+ * "Standard" mechs
+ */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_krb5_mechanism_oid_desc;
+#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_ntlm_mechanism_oid_desc;
+#define GSS_NTLM_MECHANISM (&__gss_ntlm_mechanism_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_spnego_mechanism_oid_desc;
+#define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
+
+ /* From Luke Howard */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_peer_has_updated_spnego_oid_desc;
+#define GSS_C_PEER_HAS_UPDATED_SPNEGO (&__gss_c_peer_has_updated_spnego_oid_desc)
+
+/*
+ * OID mappings with name and short description and and slightly longer description
+ */
+/*
+ * RFC5587
+ */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_concrete_oid_desc;
+#define GSS_C_MA_MECH_CONCRETE (&__gss_c_ma_mech_concrete_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_pseudo_oid_desc;
+#define GSS_C_MA_MECH_PSEUDO (&__gss_c_ma_mech_pseudo_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_composite_oid_desc;
+#define GSS_C_MA_MECH_COMPOSITE (&__gss_c_ma_mech_composite_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_nego_oid_desc;
+#define GSS_C_MA_MECH_NEGO (&__gss_c_ma_mech_nego_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_glue_oid_desc;
+#define GSS_C_MA_MECH_GLUE (&__gss_c_ma_mech_glue_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_not_mech_oid_desc;
+#define GSS_C_MA_NOT_MECH (&__gss_c_ma_not_mech_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_deprecated_oid_desc;
+#define GSS_C_MA_DEPRECATED (&__gss_c_ma_deprecated_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_not_dflt_mech_oid_desc;
+#define GSS_C_MA_NOT_DFLT_MECH (&__gss_c_ma_not_dflt_mech_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_itok_framed_oid_desc;
+#define GSS_C_MA_ITOK_FRAMED (&__gss_c_ma_itok_framed_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_auth_init_oid_desc;
+#define GSS_C_MA_AUTH_INIT (&__gss_c_ma_auth_init_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_auth_targ_oid_desc;
+#define GSS_C_MA_AUTH_TARG (&__gss_c_ma_auth_targ_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_auth_init_init_oid_desc;
+#define GSS_C_MA_AUTH_INIT_INIT (&__gss_c_ma_auth_init_init_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_auth_targ_init_oid_desc;
+#define GSS_C_MA_AUTH_TARG_INIT (&__gss_c_ma_auth_targ_init_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_auth_init_anon_oid_desc;
+#define GSS_C_MA_AUTH_INIT_ANON (&__gss_c_ma_auth_init_anon_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_auth_targ_anon_oid_desc;
+#define GSS_C_MA_AUTH_TARG_ANON (&__gss_c_ma_auth_targ_anon_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_deleg_cred_oid_desc;
+#define GSS_C_MA_DELEG_CRED (&__gss_c_ma_deleg_cred_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_integ_prot_oid_desc;
+#define GSS_C_MA_INTEG_PROT (&__gss_c_ma_integ_prot_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_conf_prot_oid_desc;
+#define GSS_C_MA_CONF_PROT (&__gss_c_ma_conf_prot_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mic_oid_desc;
+#define GSS_C_MA_MIC (&__gss_c_ma_mic_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_wrap_oid_desc;
+#define GSS_C_MA_WRAP (&__gss_c_ma_wrap_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_prot_ready_oid_desc;
+#define GSS_C_MA_PROT_READY (&__gss_c_ma_prot_ready_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_replay_det_oid_desc;
+#define GSS_C_MA_REPLAY_DET (&__gss_c_ma_replay_det_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_oos_det_oid_desc;
+#define GSS_C_MA_OOS_DET (&__gss_c_ma_oos_det_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_cbindings_oid_desc;
+#define GSS_C_MA_CBINDINGS (&__gss_c_ma_cbindings_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_pfs_oid_desc;
+#define GSS_C_MA_PFS (&__gss_c_ma_pfs_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_compress_oid_desc;
+#define GSS_C_MA_COMPRESS (&__gss_c_ma_compress_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_ctx_trans_oid_desc;
+#define GSS_C_MA_CTX_TRANS (&__gss_c_ma_ctx_trans_oid_desc)
+
+#endif /* GSSAPI_GSSAPI_OID */
diff --git a/lib/gssapi/gssapi/gssapi_spnego.h b/lib/gssapi/gssapi/gssapi_spnego.h
index fbb7906369be..dd3b2a5c3f8b 100644
--- a/lib/gssapi/gssapi/gssapi_spnego.h
+++ b/lib/gssapi/gssapi/gssapi_spnego.h
@@ -1,46 +1,44 @@
 /*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-/* $Id: gssapi_spnego.h 18335 2006-10-07 22:26:21Z lha $ */
+/* $Id$ */
 
 #ifndef GSSAPI_SPNEGO_H_
 #define GSSAPI_SPNEGO_H_
 
 #include <gssapi.h>
 
-#ifdef __cplusplus
-extern "C" {
-#endif
+GSSAPI_CPP_START
 
 /*
  * RFC2478, SPNEGO:
@@ -48,11 +46,10 @@ extern "C" {
  *  negotiation token is identified by the Object Identifier
  *  iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
  */
-extern gss_OID GSS_SPNEGO_MECHANISM;
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_spnego_mechanism_oid_desc;
+#define GSS_SPNEGO_MECHANISM (&__gss_spnego_mechanism_oid_desc)
 #define gss_mech_spnego GSS_SPNEGO_MECHANISM
 
-#ifdef __cplusplus
-}
-#endif
+GSSAPI_CPP_END
 
 #endif /* GSSAPI_SPNEGO_H_ */
diff --git a/lib/gssapi/gssapi_mech.h b/lib/gssapi/gssapi_mech.h
index 7737bf5837f4..e4ccfdb0cd99 100644
--- a/lib/gssapi/gssapi_mech.h
+++ b/lib/gssapi/gssapi_mech.h
@@ -23,7 +23,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$FreeBSD: vendor-crypto/heimdal/dist/lib/gssapi/gssapi_mech.h 225864 2011-09-29 05:23:57Z stas $
+ *	$FreeBSD: src/lib/libgssapi/mech_switch.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
  */
 
 #ifndef GSSAPI_MECH_H
@@ -31,7 +31,7 @@
 
 #include <gssapi.h>
 
-typedef OM_uint32 _gss_acquire_cred_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_acquire_cred_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_name_t,       /* desired_name */
 	       OM_uint32,              /* time_req */
@@ -42,12 +42,12 @@ typedef OM_uint32 _gss_acquire_cred_t
 	       OM_uint32 *             /* time_rec */
 	      );
 
-typedef OM_uint32 _gss_release_cred_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_release_cred_t
 	      (OM_uint32 *,            /* minor_status */
 	       gss_cred_id_t *         /* cred_handle */
 	      );
 
-typedef OM_uint32 _gss_init_sec_context_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_init_sec_context_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_cred_id_t,    /* initiator_cred_handle */
 	       gss_ctx_id_t *,         /* context_handle */
@@ -64,7 +64,7 @@ typedef OM_uint32 _gss_init_sec_context_t
 	       OM_uint32 *             /* time_rec */
 	      );
 
-typedef OM_uint32 _gss_accept_sec_context_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_accept_sec_context_t
 	      (OM_uint32 *,            /* minor_status */
 	       gss_ctx_id_t *,         /* context_handle */
 	       const gss_cred_id_t,    /* acceptor_cred_handle */
@@ -79,25 +79,25 @@ typedef OM_uint32 _gss_accept_sec_context_t
 	       gss_cred_id_t *         /* delegated_cred_handle */
 	      );
 
-typedef OM_uint32 _gss_process_context_token_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_process_context_token_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       const gss_buffer_t      /* token_buffer */
 	      );
 
-typedef OM_uint32 _gss_delete_sec_context_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_delete_sec_context_t
 	      (OM_uint32 *,            /* minor_status */
 	       gss_ctx_id_t *,         /* context_handle */
 	       gss_buffer_t            /* output_token */
 	      );
 
-typedef OM_uint32 _gss_context_time_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_context_time_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       OM_uint32 *             /* time_rec */
 	      );
 
-typedef OM_uint32 _gss_get_mic_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_get_mic_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       gss_qop_t,              /* qop_req */
@@ -105,7 +105,7 @@ typedef OM_uint32 _gss_get_mic_t
 	       gss_buffer_t            /* message_token */
 	      );
 
-typedef OM_uint32 _gss_verify_mic_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_verify_mic_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       const gss_buffer_t,     /* message_buffer */
@@ -113,7 +113,7 @@ typedef OM_uint32 _gss_verify_mic_t
 	       gss_qop_t *             /* qop_state */
 	      );
 
-typedef OM_uint32 _gss_wrap_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_wrap_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       int,                    /* conf_req_flag */
@@ -123,7 +123,7 @@ typedef OM_uint32 _gss_wrap_t
 	       gss_buffer_t            /* output_message_buffer */
 	      );
 
-typedef OM_uint32 _gss_unwrap_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_unwrap_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       const gss_buffer_t,     /* input_message_buffer */
@@ -132,7 +132,7 @@ typedef OM_uint32 _gss_unwrap_t
 	       gss_qop_t *             /* qop_state */
 	      );
 
-typedef OM_uint32 _gss_display_status_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_display_status_t
 	      (OM_uint32 *,            /* minor_status */
 	       OM_uint32,              /* status_value */
 	       int,                    /* status_type */
@@ -141,44 +141,44 @@ typedef OM_uint32 _gss_display_status_t
 	       gss_buffer_t            /* status_string */
 	      );
 
-typedef OM_uint32 _gss_indicate_mechs_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_indicate_mechs_t
 	      (OM_uint32 *,            /* minor_status */
 	       gss_OID_set *           /* mech_set */
 	      );
 
-typedef OM_uint32 _gss_compare_name_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_compare_name_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_name_t,       /* name1 */
 	       const gss_name_t,       /* name2 */
 	       int *                   /* name_equal */
 	      );
 
-typedef OM_uint32 _gss_display_name_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_display_name_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_name_t,       /* input_name */
 	       gss_buffer_t,           /* output_name_buffer */
 	       gss_OID *               /* output_name_type */
 	      );
 
-typedef OM_uint32 _gss_import_name_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_import_name_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_buffer_t,     /* input_name_buffer */
 	       const gss_OID,          /* input_name_type */
 	       gss_name_t *            /* output_name */
 	      );
 
-typedef OM_uint32 _gss_export_name_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_export_name_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_name_t,       /* input_name */
 	       gss_buffer_t            /* exported_name */
 	      );
 
-typedef OM_uint32 _gss_release_name_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_release_name_t
 	      (OM_uint32 *,            /* minor_status */
 	       gss_name_t *            /* input_name */
 	      );
 
-typedef OM_uint32 _gss_inquire_cred_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_cred_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_cred_id_t,    /* cred_handle */
 	       gss_name_t *,           /* name */
@@ -187,7 +187,7 @@ typedef OM_uint32 _gss_inquire_cred_t
 	       gss_OID_set *           /* mechanisms */
 	      );
 
-typedef OM_uint32 _gss_inquire_context_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_context_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       gss_name_t *,           /* src_name */
@@ -199,7 +199,7 @@ typedef OM_uint32 _gss_inquire_context_t
 	       int *                   /* open */
 	      );
 
-typedef OM_uint32 _gss_wrap_size_limit_t
+typedef OM_uint32 GSSAPI_CALLCONV _gss_wrap_size_limit_t
 	      (OM_uint32 *,            /* minor_status */
 	       const gss_ctx_id_t,     /* context_handle */
 	       int,                    /* conf_req_flag */
@@ -208,7 +208,7 @@ typedef OM_uint32 _gss_wrap_size_limit_t
 	       OM_uint32 *             /* max_input_size */
 	      );
 
-typedef OM_uint32 _gss_add_cred_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_add_cred_t (
 	       OM_uint32 *,            /* minor_status */
 	       const gss_cred_id_t,    /* input_cred_handle */
 	       const gss_name_t,       /* desired_name */
@@ -222,7 +222,7 @@ typedef OM_uint32 _gss_add_cred_t (
 	       OM_uint32 *             /* acceptor_time_rec */
 	      );
 
-typedef OM_uint32 _gss_inquire_cred_by_mech_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_cred_by_mech_t (
 	       OM_uint32 *,            /* minor_status */
 	       const gss_cred_id_t,    /* cred_handle */
 	       const gss_OID,          /* mech_type */
@@ -232,65 +232,65 @@ typedef OM_uint32 _gss_inquire_cred_by_mech_t (
 	       gss_cred_usage_t *      /* cred_usage */
 	      );
 
-typedef OM_uint32 _gss_export_sec_context_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_export_sec_context_t (
 	       OM_uint32 *,            /* minor_status */
 	       gss_ctx_id_t *,         /* context_handle */
 	       gss_buffer_t            /* interprocess_token */
 	      );
 
-typedef OM_uint32 _gss_import_sec_context_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_import_sec_context_t (
 	       OM_uint32 *,            /* minor_status */
 	       const gss_buffer_t,     /* interprocess_token */
 	       gss_ctx_id_t *          /* context_handle */
 	      );
 
-typedef OM_uint32 _gss_inquire_names_for_mech_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_names_for_mech_t (
 	       OM_uint32 *,            /* minor_status */
 	       const gss_OID,          /* mechanism */
 	       gss_OID_set *           /* name_types */
 	      );
 
-typedef OM_uint32 _gss_inquire_mechs_for_name_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_mechs_for_name_t (
 	       OM_uint32 *,            /* minor_status */
 	       const gss_name_t,       /* input_name */
 	       gss_OID_set *           /* mech_types */
 	      );
 
-typedef OM_uint32 _gss_canonicalize_name_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_canonicalize_name_t (
 	       OM_uint32 *,            /* minor_status */
 	       const gss_name_t,       /* input_name */
 	       const gss_OID,          /* mech_type */
 	       gss_name_t *            /* output_name */
 	      );
 
-typedef OM_uint32 _gss_duplicate_name_t (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_duplicate_name_t (
 	       OM_uint32 *,            /* minor_status */
 	       const gss_name_t,       /* src_name */
 	       gss_name_t *            /* dest_name */
 	      );
 
-typedef OM_uint32 _gss_inquire_sec_context_by_oid (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_sec_context_by_oid (
 	       OM_uint32 *minor_status,
 	       const gss_ctx_id_t context_handle,
 	       const gss_OID desired_object,
 	       gss_buffer_set_t *data_set
 	      );
 
-typedef OM_uint32 _gss_inquire_cred_by_oid (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_cred_by_oid (
 	       OM_uint32 *minor_status,
 	       const gss_cred_id_t cred,
 	       const gss_OID desired_object,
 	       gss_buffer_set_t *data_set
 	      );
 
-typedef OM_uint32 _gss_set_sec_context_option (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_set_sec_context_option (
 	       OM_uint32 *minor_status,
 	       gss_ctx_id_t *cred_handle,
 	       const gss_OID desired_object,
 	       const gss_buffer_t value
  	      );
 
-typedef OM_uint32 _gss_set_cred_option (
+typedef OM_uint32 GSSAPI_CALLCONV _gss_set_cred_option (
 	       OM_uint32 *minor_status,
 	       gss_cred_id_t *cred_handle,
 	       const gss_OID desired_object,
@@ -298,7 +298,7 @@ typedef OM_uint32 _gss_set_cred_option (
  	      );
 
 
-typedef OM_uint32 _gss_pseudo_random(
+typedef OM_uint32 GSSAPI_CALLCONV _gss_pseudo_random(
     	       OM_uint32 *minor_status,
 	       gss_ctx_id_t context,
 	       int prf_key,
@@ -307,12 +307,186 @@ typedef OM_uint32 _gss_pseudo_random(
 	       gss_buffer_t prf_out
               );
 
-#define GMI_VERSION 1
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_wrap_iov_t(OM_uint32 *minor_status,
+		gss_ctx_id_t  context_handle,
+		int conf_req_flag,
+		gss_qop_t qop_req,
+		int * conf_state,
+		gss_iov_buffer_desc *iov,
+		int iov_count);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_unwrap_iov_t(OM_uint32 *minor_status,
+		  gss_ctx_id_t context_handle,
+		  int *conf_state,
+		  gss_qop_t *qop_state,
+		  gss_iov_buffer_desc *iov,
+		  int iov_count);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_wrap_iov_length_t(OM_uint32 * minor_status,
+		       gss_ctx_id_t context_handle,
+		       int conf_req_flag,
+		       gss_qop_t qop_req,
+		       int *conf_state,
+		       gss_iov_buffer_desc *iov,
+		       int iov_count);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_store_cred_t(OM_uint32         *minor_status,
+		  gss_cred_id_t     input_cred_handle,
+		  gss_cred_usage_t  cred_usage,
+		  const gss_OID     desired_mech,
+		  OM_uint32         overwrite_cred,
+		  OM_uint32         default_cred,
+		  gss_OID_set       *elements_stored,
+		  gss_cred_usage_t  *cred_usage_stored);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_export_cred_t(OM_uint32 *minor_status,
+		   gss_cred_id_t cred_handle,
+		   gss_buffer_t cred_token);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_import_cred_t(OM_uint32 * minor_status,
+		   gss_buffer_t cred_token,
+		   gss_cred_id_t * cred_handle);
+
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */,
+		        const gss_name_t /* desired_name */,
+		        gss_const_OID /* credential_type */,
+		        const void * /* credential_data */,
+		        OM_uint32 /* time_req */,
+		        gss_const_OID /* desired_mech */,
+		        gss_cred_usage_t /* cred_usage */,
+		        gss_cred_id_t * /* output_cred_handle */);
+
+typedef void GSSAPI_CALLCONV
+_gss_iter_creds_t(OM_uint32 /* flags */,
+		  void * /* userctx */,
+		  void (* /*cred_iter */ )(void *, gss_OID, gss_cred_id_t));
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_destroy_cred_t(OM_uint32 * /* minor_status */,
+		    gss_cred_id_t * /* cred */);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_cred_hold_t(OM_uint32 * /* minor_status */,
+		 gss_cred_id_t /* cred */);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_cred_unhold_t(OM_uint32 * /* minor_status */,
+		   gss_cred_id_t /* cred */);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_cred_label_set_t(OM_uint32 * /* minor_status */,
+		      gss_cred_id_t /* cred */,
+		      const char * /* label */,
+		      gss_buffer_t /* value */);
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_cred_label_get_t(OM_uint32 * /* minor_status */,
+		      gss_cred_id_t /* cred */,
+		      const char * /* label */,
+		      gss_buffer_t /* value */);
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_display_name_ext_t (
+	       OM_uint32 *,            /* minor_status */
+	       gss_name_t,             /* name */
+	       gss_OID,                /* display_as_name_type */
+	       gss_buffer_t            /* display_name */
+	      );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_name_t (
+	       OM_uint32 *,            /* minor_status */
+	       gss_name_t,             /* name */
+	       int *,                  /* name_is_MN */
+	       gss_OID *,              /* MN_mech */
+	       gss_buffer_set_t *      /* attrs */
+	      );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_get_name_attribute_t (
+	       OM_uint32 *,	      /* minor_status */
+	       gss_name_t,            /* name */
+	       gss_buffer_t,          /* attr */
+	       int *,                 /* authenticated */
+	       int *,                 /* complete */
+	       gss_buffer_t,          /* value */
+	       gss_buffer_t,          /* display_value */
+	       int *                  /* more */
+	    );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_set_name_attribute_t (
+	       OM_uint32 *,           /* minor_status */
+	       gss_name_t,            /* name */
+	       int,                   /* complete */
+	       gss_buffer_t,          /* attr */
+	       gss_buffer_t           /* value */
+	    );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_delete_name_attribute_t (
+	       OM_uint32 *,           /* minor_status */
+	       gss_name_t,            /* name */
+	       gss_buffer_t           /* attr */
+	    );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_export_name_composite_t (
+	       OM_uint32 *,           /* minor_status */
+	       gss_name_t,            /* name */
+	       gss_buffer_t           /* exp_composite_name */
+	    );
+
+/*
+ *
+ */
+
+typedef struct gss_mo_desc_struct gss_mo_desc;
+
+typedef OM_uint32 GSSAPI_CALLCONV
+_gss_mo_init (OM_uint32 *, gss_OID, gss_mo_desc **, size_t *);
+
+
+struct gss_mo_desc_struct {
+    gss_OID option;
+    OM_uint32 flags;
+#define GSS_MO_MA		1
+#define GSS_MO_MA_CRITICAL	2
+    const char *name;
+    void *ctx;
+    int (*get)(gss_const_OID, gss_mo_desc *, gss_buffer_t);
+    int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t);
+};
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_pname_to_uid_t (
+	       OM_uint32 *,		/* minor_status */
+	       const gss_name_t,	/* name */
+	       const gss_OID,		/* mech_type */
+	       uid_t *			/* uidOut */
+	      );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t (
+	       OM_uint32 *,		/* minor_status */
+	       const gss_name_t,	/* name */
+	       gss_const_buffer_t,	/* user */
+	       gss_const_OID		/* user_name_type */
+	      );
+
+/* mechglue internal */
+struct gss_mech_compat_desc_struct;
+
+#define GMI_VERSION 5
+
+/* gm_flags */
+#define GM_USE_MG_CRED      	1	/* uses mech glue credentials */
 
 typedef struct gssapi_mech_interface_desc {
 	unsigned			gm_version;
 	const char			*gm_name;
 	gss_OID_desc			gm_mech_oid;
+        unsigned			gm_flags;
 	_gss_acquire_cred_t		*gm_acquire_cred;
 	_gss_release_cred_t		*gm_release_cred;
 	_gss_init_sec_context_t		*gm_init_sec_context;
@@ -347,13 +521,74 @@ typedef struct gssapi_mech_interface_desc {
 	_gss_set_sec_context_option	*gm_set_sec_context_option;
 	_gss_set_cred_option		*gm_set_cred_option;
 	_gss_pseudo_random		*gm_pseudo_random;
+	_gss_wrap_iov_t			*gm_wrap_iov;
+	_gss_unwrap_iov_t		*gm_unwrap_iov;
+	_gss_wrap_iov_length_t		*gm_wrap_iov_length;
+	_gss_store_cred_t		*gm_store_cred;
+	_gss_export_cred_t		*gm_export_cred;
+	_gss_import_cred_t		*gm_import_cred;
+	_gss_acquire_cred_ext_t		*gm_acquire_cred_ext;
+	_gss_iter_creds_t		*gm_iter_creds;
+	_gss_destroy_cred_t		*gm_destroy_cred;
+	_gss_cred_hold_t		*gm_cred_hold;
+	_gss_cred_unhold_t		*gm_cred_unhold;
+	_gss_cred_label_get_t		*gm_cred_label_get;
+	_gss_cred_label_set_t		*gm_cred_label_set;
+        gss_mo_desc			*gm_mo;
+        size_t				 gm_mo_num;
+        _gss_pname_to_uid_t             *gm_pname_to_uid;
+        _gss_authorize_localname_t      *gm_authorize_localname;
+        _gss_display_name_ext_t         *gm_display_name_ext;
+        _gss_inquire_name_t             *gm_inquire_name;
+        _gss_get_name_attribute_t       *gm_get_name_attribute;
+        _gss_set_name_attribute_t       *gm_set_name_attribute;
+        _gss_delete_name_attribute_t    *gm_delete_name_attribute;
+        _gss_export_name_composite_t    *gm_export_name_composite;
+        struct gss_mech_compat_desc_struct  *gm_compat;
 } gssapi_mech_interface_desc, *gssapi_mech_interface;
 
 gssapi_mech_interface
-__gss_get_mechanism(gss_OID /* oid */);
+__gss_get_mechanism(gss_const_OID /* oid */);
 
 gssapi_mech_interface __gss_spnego_initialize(void);
 gssapi_mech_interface __gss_krb5_initialize(void);
 gssapi_mech_interface __gss_ntlm_initialize(void);
 
+void		gss_mg_collect_error(gss_OID, OM_uint32, OM_uint32);
+
+int _gss_mo_get_option_1(gss_const_OID, gss_mo_desc *, gss_buffer_t);
+int _gss_mo_get_option_0(gss_const_OID, gss_mo_desc *, gss_buffer_t);
+int _gss_mo_get_ctx_as_string(gss_const_OID, gss_mo_desc *, gss_buffer_t);
+
+struct _gss_oid_name_table {
+    gss_OID oid;
+    const char *name;
+    const char *short_desc;
+    const char *long_desc;
+};
+
+extern struct _gss_oid_name_table _gss_ont_mech[];
+extern struct _gss_oid_name_table _gss_ont_ma[];
+
+/*
+ * Extended credentials acqusition API, not to be exported until
+ * it or something equivalent has been standardised.
+ */
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
+OM_uint32 _gss_acquire_cred_ext
+           (OM_uint32 * /*minor_status*/,
+            const gss_name_t /*desired_name*/,
+            gss_const_OID /*credential_type*/,
+            const void * /*credential_data*/,
+            OM_uint32 /*time_req*/,
+            gss_const_OID /*desired_mech*/,
+            gss_cred_usage_t /*cred_usage*/,
+            gss_cred_id_t * /*output_cred_handle*/
+           );
+
 #endif /* GSSAPI_MECH_H */
diff --git a/lib/gssapi/gss.c b/lib/gssapi/gsstool.c
index 739e8306363b..5ce3cb04a7d3 100644
--- a/lib/gssapi/gss.c
+++ b/lib/gssapi/gsstool.c
@@ -1,18 +1,20 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -31,20 +33,19 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
+#include <roken.h>
 
 #include <stdio.h>
 #include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
+#include <gssapi_ntlm.h>
 #include <err.h>
-#include <roken.h>
 #include <getarg.h>
 #include <rtbl.h>
 #include <gss-commands.h>
-#include <krb5.h>
 
-RCSID("$Id: gss.c 19922 2007-01-16 09:32:03Z lha $");
 
 static int version_flag = 0;
 static int help_flag	= 0;
@@ -64,6 +65,11 @@ usage (int ret)
 
 #define COL_OID		"OID"
 #define COL_NAME	"Name"
+#define COL_DESC	"Description"
+#define COL_VALUE	"Value"
+#define COL_MECH	"Mech"
+#define COL_EXPIRE	"Expire"
+#define COL_SASL	"SASL"
 
 int
 supported_mechanisms(void *argptr, int argc, char **argv)
@@ -86,24 +92,37 @@ supported_mechanisms(void *argptr, int argc, char **argv)
     rtbl_set_separator(ct, "  ");
     rtbl_add_column(ct, COL_OID, 0);
     rtbl_add_column(ct, COL_NAME, 0);
+    rtbl_add_column(ct, COL_DESC, 0);
+    rtbl_add_column(ct, COL_SASL, 0);
 
     for (i = 0; i < mechs->count; i++) {
-	gss_buffer_desc name;
+	gss_buffer_desc str, sasl_name, mech_name, mech_desc;
 
-	maj_stat = gss_oid_to_str(&min_stat, &mechs->elements[i], &name);
+	maj_stat = gss_oid_to_str(&min_stat, &mechs->elements[i], &str);
 	if (maj_stat != GSS_S_COMPLETE)
 	    errx(1, "gss_oid_to_str failed");
 
 	rtbl_add_column_entryv(ct, COL_OID, "%.*s",
-			       (int)name.length, (char *)name.value);
-	gss_release_buffer(&min_stat, &name);
-
-	if (gss_oid_equal(&mechs->elements[i], GSS_KRB5_MECHANISM))
-	    rtbl_add_column_entry(ct, COL_NAME, "Kerberos 5");
-	else if (gss_oid_equal(&mechs->elements[i], GSS_SPNEGO_MECHANISM))
-	    rtbl_add_column_entry(ct, COL_NAME, "SPNEGO");
-	else if (gss_oid_equal(&mechs->elements[i], GSS_NTLM_MECHANISM))
-	    rtbl_add_column_entry(ct, COL_NAME, "NTLM");
+			       (int)str.length, (char *)str.value);
+	gss_release_buffer(&min_stat, &str);
+
+	(void)gss_inquire_saslname_for_mech(&min_stat,
+					    &mechs->elements[i],
+					    &sasl_name,
+					    &mech_name,
+					    &mech_desc);
+
+	rtbl_add_column_entryv(ct, COL_NAME, "%.*s",
+			       (int)mech_name.length, (char *)mech_name.value);
+	rtbl_add_column_entryv(ct, COL_DESC, "%.*s",
+			       (int)mech_desc.length, (char *)mech_desc.value);
+	rtbl_add_column_entryv(ct, COL_SASL, "%.*s",
+			       (int)sasl_name.length, (char *)sasl_name.value);
+
+	gss_release_buffer(&min_stat, &mech_name);
+	gss_release_buffer(&min_stat, &mech_desc);
+	gss_release_buffer(&min_stat, &sasl_name);
+
     }
     gss_release_oid_set(&min_stat, &mechs);
 
@@ -113,57 +132,88 @@ supported_mechanisms(void *argptr, int argc, char **argv)
     return 0;
 }
 
-#if 0
-/*
- *
- */
+static void
+print_mech_attr(const char *mechname, gss_const_OID mech, gss_OID_set set)
+{
+    gss_buffer_desc name, desc;
+    OM_uint32 major, minor;
+    rtbl_t ct;
+    size_t n;
 
-#define DOVEDOT_MAJOR_VERSION 1
-#define DOVEDOT_MINOR_VERSION 0
+    ct = rtbl_create();
+    if (ct == NULL)
+	errx(1, "rtbl_create");
+
+    rtbl_set_separator(ct, "  ");
+    rtbl_add_column(ct, COL_OID, 0);
+    rtbl_add_column(ct, COL_DESC, 0);
+    if (mech)
+	rtbl_add_column(ct, COL_VALUE, 0);
+
+    for (n = 0; n < set->count; n++) {
+	major = gss_display_mech_attr(&minor, &set->elements[n], &name, &desc, NULL);
+	if (major)
+	    continue;
+
+	rtbl_add_column_entryv(ct, COL_OID, "%.*s",
+			       (int)name.length, (char *)name.value);
+	rtbl_add_column_entryv(ct, COL_DESC, "%.*s",
+			       (int)desc.length, (char *)desc.value);
+	if (mech) {
+	    gss_buffer_desc value;
+
+	    if (gss_mo_get(mech, &set->elements[n], &value) != 0)
+		value.length = 0;
+
+	    if (value.length)
+		rtbl_add_column_entryv(ct, COL_VALUE, "%.*s",
+				       (int)value.length, (char *)value.value);
+	    else
+		rtbl_add_column_entryv(ct, COL_VALUE, "<>");
+	    gss_release_buffer(&minor, &value);
+	}
+
+	gss_release_buffer(&minor, &name);
+	gss_release_buffer(&minor, &desc);
+    }
+
+    printf("attributes for: %s\n", mechname);
+    rtbl_format(ct, stdout);
+    rtbl_destroy(ct);
+}
 
-/*
-	S: MECH mech mech-parameters
-	S: MECH mech mech-parameters
-	S: VERSION major minor
-	S: CPID pid
-	S: CUID pid
-	S: ...
-	S: DONE
-	C: VERSION major minor
-	C: CPID pid
-
-	C: AUTH id method service= resp=
-	C: CONT id message
-
-	S: OK id user=
-	S: FAIL id reason=
-	S: CONTINUE id message
-*/
 
 int
-dovecot_server(void *argptr, int argc, char **argv)
+attrs_for_mech(struct attrs_for_mech_options *opt, int argc, char **argv)
 {
-    krb5_storage *sp;
-    int fd = 0;
-
-    sp = krb5_storage_from_fd(fd);
-    if (sp == NULL)
-	errx(1, "krb5_storage_from_fd");
-
-    krb5_store_stringnl(sp, "MECH\tGSSAPI");
-    krb5_store_stringnl(sp, "VERSION\t1\t0");
-    krb5_store_stringnl(sp, "DONE");
-
-    while (1) {
-	char *cmd;
-	if (krb5_ret_stringnl(sp, &cmd) != 0)
-	    break;
-	printf("cmd: %s\n", cmd);
-	free(cmd);
+    gss_OID_set mech_attr = NULL, known_mech_attrs = NULL;
+    gss_OID mech = GSS_C_NO_OID;
+    OM_uint32 major, minor;
+
+    if (opt->mech_string) {
+	mech = gss_name_to_oid(opt->mech_string);
+	if (mech == NULL)
+	    errx(1, "mech %s is unknown", opt->mech_string);
     }
+
+    major = gss_inquire_attrs_for_mech(&minor, mech, &mech_attr, &known_mech_attrs);
+    if (major)
+	errx(1, "gss_inquire_attrs_for_mech");
+
+    if (mech) {
+	print_mech_attr(opt->mech_string, mech, mech_attr);
+    }
+
+    if (opt->all_flag) {
+	print_mech_attr("all mechs", NULL, known_mech_attrs);
+    }
+
+    gss_release_oid_set(&minor, &mech_attr);
+    gss_release_oid_set(&minor, &known_mech_attrs);
+
     return 0;
 }
-#endif
+
 
 /*
  *
@@ -184,7 +234,7 @@ main(int argc, char **argv)
     setprogname(argv[0]);
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
-    
+
     if (help_flag)
 	usage (0);
 
diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c
index 619cbf97fcbd..d4555c51042b 100644
--- a/lib/gssapi/krb5/8003.c
+++ b/lib/gssapi/krb5/8003.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: 8003.c 18334 2006-10-07 22:16:04Z lha $");
+#include "gsskrb5_locl.h"
 
 krb5_error_code
 _gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p)
@@ -76,32 +74,36 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
 			  u_char *p)
 {
   u_char num[4];
-  MD5_CTX md5;
+  EVP_MD_CTX *ctx;
+
+  ctx = EVP_MD_CTX_create();
+  EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
 
-  MD5_Init(&md5);
   _gsskrb5_encode_om_uint32 (b->initiator_addrtype, num);
-  MD5_Update (&md5, num, sizeof(num));
+  EVP_DigestUpdate(ctx, num, sizeof(num));
   _gsskrb5_encode_om_uint32 (b->initiator_address.length, num);
-  MD5_Update (&md5, num, sizeof(num));
+  EVP_DigestUpdate(ctx, num, sizeof(num));
   if (b->initiator_address.length)
-    MD5_Update (&md5,
-		b->initiator_address.value,
-		b->initiator_address.length);
+      EVP_DigestUpdate(ctx,
+		       b->initiator_address.value,
+		       b->initiator_address.length);
   _gsskrb5_encode_om_uint32 (b->acceptor_addrtype, num);
-  MD5_Update (&md5, num, sizeof(num));
+  EVP_DigestUpdate(ctx, num, sizeof(num));
   _gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
-  MD5_Update (&md5, num, sizeof(num));
+  EVP_DigestUpdate(ctx, num, sizeof(num));
   if (b->acceptor_address.length)
-    MD5_Update (&md5,
-		b->acceptor_address.value,
-		b->acceptor_address.length);
+      EVP_DigestUpdate(ctx,
+		       b->acceptor_address.value,
+		       b->acceptor_address.length);
   _gsskrb5_encode_om_uint32 (b->application_data.length, num);
-  MD5_Update (&md5, num, sizeof(num));
+  EVP_DigestUpdate(ctx, num, sizeof(num));
   if (b->application_data.length)
-    MD5_Update (&md5,
-		b->application_data.value,
-		b->application_data.length);
-  MD5_Final (p, &md5);
+      EVP_DigestUpdate(ctx,
+		       b->application_data.value,
+		       b->application_data.length);
+  EVP_DigestFinal_ex(ctx, p, NULL);
+  EVP_MD_CTX_destroy(ctx);
+
   return 0;
 }
 
@@ -113,7 +115,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
 
 OM_uint32
 _gsskrb5_create_8003_checksum (
-		      OM_uint32 *minor_status,    
+		      OM_uint32 *minor_status,
 		      const gss_channel_bindings_t input_chan_bindings,
 		      OM_uint32 flags,
 		      const krb5_data *fwd_data,
@@ -121,20 +123,20 @@ _gsskrb5_create_8003_checksum (
 {
     u_char *p;
 
-    /* 
-     * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value 
+    /*
+     * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
      * field's format) */
     result->cksumtype = CKSUMTYPE_GSSAPI;
     if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG))
 	result->checksum.length = 24 + 4 + fwd_data->length;
-    else 
+    else
 	result->checksum.length = 24;
     result->checksum.data   = malloc (result->checksum.length);
     if (result->checksum.data == NULL) {
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
     }
-  
+
     p = result->checksum.data;
     _gsskrb5_encode_om_uint32 (16, p);
     p += 4;
@@ -157,7 +159,7 @@ _gsskrb5_create_8003_checksum (
 
 	p += fwd_data->length;
     }
-     
+
     return GSS_S_COMPLETE;
 }
 
@@ -168,7 +170,7 @@ _gsskrb5_create_8003_checksum (
 
 OM_uint32
 _gsskrb5_verify_8003_checksum(
-		      OM_uint32 *minor_status,    
+		      OM_uint32 *minor_status,
 		      const gss_channel_bindings_t input_chan_bindings,
 		      const Checksum *cksum,
 		      OM_uint32 *flags,
@@ -180,40 +182,35 @@ _gsskrb5_verify_8003_checksum(
     int DlgOpt;
     static unsigned char zeros[16];
 
-    if (cksum == NULL) {
-	*minor_status = 0;
-	return GSS_S_BAD_BINDINGS;
-    }
-
     /* XXX should handle checksums > 24 bytes */
     if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
 	*minor_status = 0;
 	return GSS_S_BAD_BINDINGS;
     }
-    
+
     p = cksum->checksum.data;
     _gsskrb5_decode_om_uint32(p, &length);
     if(length != sizeof(hash)) {
 	*minor_status = 0;
 	return GSS_S_BAD_BINDINGS;
     }
-    
+
     p += 4;
-    
+
     if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
 	&& memcmp(p, zeros, sizeof(zeros)) != 0) {
 	if(hash_input_chan_bindings(input_chan_bindings, hash) != 0) {
 	    *minor_status = 0;
 	    return GSS_S_BAD_BINDINGS;
 	}
-	if(memcmp(hash, p, sizeof(hash)) != 0) {
+	if(ct_memcmp(hash, p, sizeof(hash)) != 0) {
 	    *minor_status = 0;
 	    return GSS_S_BAD_BINDINGS;
 	}
     }
-    
+
     p += sizeof(hash);
-    
+
     _gsskrb5_decode_om_uint32(p, flags);
     p += 4;
 
@@ -222,7 +219,7 @@ _gsskrb5_verify_8003_checksum(
 	    *minor_status = 0;
 	    return GSS_S_BAD_BINDINGS;
 	}
-    
+
 	DlgOpt = (p[0] << 0) | (p[1] << 8);
 	p += 2;
 	if (DlgOpt != 1) {
@@ -243,6 +240,6 @@ _gsskrb5_verify_8003_checksum(
 	}
 	memcpy(fwd_data->data, p, fwd_data->length);
     }
-    
+
     return GSS_S_COMPLETE;
 }
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 73b93ceba4c6..5a00e124c2cf 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -1,53 +1,71 @@
 /*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $");
+#include "gsskrb5_locl.h"
 
 HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
 krb5_keytab _gsskrb5_keytab;
 
+static krb5_error_code
+validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
+{
+    krb5_error_code ret;
+
+    ret = krb5_kt_resolve(context, name, id);
+    if (ret)
+	return ret;
+
+    ret = krb5_kt_have_content(context, *id);
+    if (ret) {
+	krb5_kt_close(context, *id);
+	*id = NULL;
+    }
+
+    return ret;
+}
+
 OM_uint32
-_gsskrb5_register_acceptor_identity (const char *identity)
+_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
 {
     krb5_context context;
     krb5_error_code ret;
 
+    *min_stat = 0;
+
     ret = _gsskrb5_init(&context);
     if(ret)
 	return GSS_S_FAILURE;
-    
+
     HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
 
     if(_gsskrb5_keytab != NULL) {
@@ -57,29 +75,37 @@ _gsskrb5_register_acceptor_identity (const char *identity)
     if (identity == NULL) {
 	ret = krb5_kt_default(context, &_gsskrb5_keytab);
     } else {
-	char *p;
-
-	asprintf(&p, "FILE:%s", identity);
-	if(p == NULL) {
-	    HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
-	    return GSS_S_FAILURE;
+	/*
+	 * First check if we can the keytab as is and if it has content...
+	 */
+	ret = validate_keytab(context, identity, &_gsskrb5_keytab);
+	/*
+	 * if it doesn't, lets prepend FILE: and try again
+	 */
+	if (ret) {
+	    char *p = NULL;
+	    ret = asprintf(&p, "FILE:%s", identity);
+	    if(ret < 0 || p == NULL) {
+		HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
+		return GSS_S_FAILURE;
+	    }
+	    ret = validate_keytab(context, p, &_gsskrb5_keytab);
+	    free(p);
 	}
-	ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
-	free(p);
     }
     HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
-    if(ret)
+    if(ret) {
+	*min_stat = ret;
 	return GSS_S_FAILURE;
+    }
     return GSS_S_COMPLETE;
 }
 
 void
-_gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx)
+_gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
 {
+    krb5_error_code ret;
     krb5_keyblock *key;
-    int acceptor = (ctx->more_flags & LOCAL) == 0;
-
-    *is_cfx = 0;
 
     if (acceptor) {
 	if (ctx->auth_context->local_subkey)
@@ -97,23 +123,28 @@ _gsskrb5i_is_cfx(gsskrb5_ctx ctx, int *is_cfx)
 
     if (key == NULL)
 	return;
-	    
+
     switch (key->keytype) {
     case ETYPE_DES_CBC_CRC:
     case ETYPE_DES_CBC_MD4:
     case ETYPE_DES_CBC_MD5:
     case ETYPE_DES3_CBC_MD5:
+    case ETYPE_OLD_DES3_CBC_SHA1:
     case ETYPE_DES3_CBC_SHA1:
     case ETYPE_ARCFOUR_HMAC_MD5:
     case ETYPE_ARCFOUR_HMAC_MD5_56:
 	break;
     default :
-	*is_cfx = 1;
+        ctx->more_flags |= IS_CFX;
+
 	if ((acceptor && ctx->auth_context->local_subkey) ||
 	    (!acceptor && ctx->auth_context->remote_subkey))
 	    ctx->more_flags |= ACCEPTOR_SUBKEY;
 	break;
     }
+    if (ctx->crypto)
+        krb5_crypto_destroy(context, ctx->crypto);
+    ret = krb5_crypto_init(context, key, 0, &ctx->crypto);
 }
 
 
@@ -128,7 +159,7 @@ gsskrb5_accept_delegated_token
     krb5_ccache ccache = NULL;
     krb5_error_code kret;
     int32_t ac_flags, ret = GSS_S_COMPLETE;
-      
+
     *minor_status = 0;
 
     /* XXX Create a new delegated_cred_handle? */
@@ -136,7 +167,8 @@ gsskrb5_accept_delegated_token
 	kret = krb5_cc_default (context, &ccache);
     } else {
 	*delegated_cred_handle = NULL;
-	kret = krb5_cc_gen_new (context, &krb5_mcc_ops, &ccache);
+	kret = krb5_cc_new_unique (context, krb5_cc_type_memory,
+				   NULL, &ccache);
     }
     if (kret) {
 	ctx->flags &= ~GSS_C_DELEG_FLAG;
@@ -148,7 +180,7 @@ gsskrb5_accept_delegated_token
 	ctx->flags &= ~GSS_C_DELEG_FLAG;
 	goto out;
     }
-      
+
     krb5_auth_con_removeflags(context,
 			      ctx->auth_context,
 			      KRB5_AUTH_CONTEXT_DO_TIME,
@@ -170,16 +202,16 @@ gsskrb5_accept_delegated_token
     if (delegated_cred_handle) {
 	gsskrb5_cred handle;
 
-	ret = _gsskrb5_import_cred(minor_status,
-				   ccache,
-				   NULL,
-				   NULL,
-				   delegated_cred_handle);
+	ret = _gsskrb5_krb5_import_cred(minor_status,
+					ccache,
+					NULL,
+					NULL,
+					delegated_cred_handle);
 	if (ret != GSS_S_COMPLETE)
 	    goto out;
 
 	handle = (gsskrb5_cred) *delegated_cred_handle;
-    
+
 	handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
 	krb5_cc_close(context, ccache);
 	ccache = NULL;
@@ -206,11 +238,12 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
     int32_t seq_number;
     int is_cfx = 0;
 
-    krb5_auth_getremoteseqnumber (context,
-				  ctx->auth_context,
-				  &seq_number);
+    krb5_auth_con_getremoteseqnumber (context,
+				      ctx->auth_context,
+				      &seq_number);
 
-    _gsskrb5i_is_cfx(ctx, &is_cfx);
+    _gsskrb5i_is_cfx(context, ctx, 1);
+    is_cfx = (ctx->more_flags & IS_CFX);
 
     ret = _gssapi_msg_order_create(minor_status,
 				   &ctx->order,
@@ -219,7 +252,7 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
     if (ret)
 	return ret;
 
-    /* 
+    /*
      * If requested, set local sequence num to remote sequence if this
      * isn't a mutual authentication context
      */
@@ -251,6 +284,66 @@ gsskrb5_acceptor_ready(OM_uint32 * minor_status,
 }
 
 static OM_uint32
+send_error_token(OM_uint32 *minor_status,
+		 krb5_context context,
+		 krb5_error_code kret,
+		 krb5_principal server,
+		 krb5_data *indata,
+		 gss_buffer_t output_token)
+{
+    krb5_principal ap_req_server = NULL;
+    krb5_error_code ret;
+    krb5_data outbuf;
+    /* this e_data value encodes KERB_AP_ERR_TYPE_SKEW_RECOVERY which
+       tells windows to try again with the corrected timestamp. See
+       [MS-KILE] 2.2.1 KERB-ERROR-DATA */
+    krb5_data e_data = { 7, rk_UNCONST("\x30\x05\xa1\x03\x02\x01\x02") };
+
+    /* build server from request if the acceptor had not selected one */
+    if (server == NULL) {
+	AP_REQ ap_req;
+
+	ret = krb5_decode_ap_req(context, indata, &ap_req);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	ret = _krb5_principalname2krb5_principal(context,
+						  &ap_req_server,
+						  ap_req.ticket.sname,
+						  ap_req.ticket.realm);
+	free_AP_REQ(&ap_req);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	server = ap_req_server;
+    }
+
+    ret = krb5_mk_error(context, kret, NULL, &e_data, NULL,
+			server, NULL, NULL, &outbuf);
+    if (ap_req_server)
+	krb5_free_principal(context, ap_req_server);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = _gsskrb5_encapsulate(minor_status,
+			       &outbuf,
+			       output_token,
+			       "\x03\x00",
+			       GSS_KRB5_MECHANISM);
+    krb5_data_free (&outbuf);
+    if (ret)
+	return ret;
+
+    *minor_status = 0;
+    return GSS_S_CONTINUE_NEEDED;
+}
+
+
+static OM_uint32
 gsskrb5_acceptor_start(OM_uint32 * minor_status,
 		       gsskrb5_ctx ctx,
 		       krb5_context context,
@@ -296,7 +389,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     } else if (acceptor_cred->keytab != NULL) {
 	keytab = acceptor_cred->keytab;
     }
-    
+
     /*
      * We need to check the ticket and create the AP-REP packet
      */
@@ -304,6 +397,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     {
 	krb5_rd_req_in_ctx in = NULL;
 	krb5_rd_req_out_ctx out = NULL;
+	krb5_principal server = NULL;
+
+	if (acceptor_cred)
+	    server = acceptor_cred->principal;
 
 	kret = krb5_rd_req_in_ctx_alloc(context, &in);
 	if (kret == 0)
@@ -311,30 +408,37 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	if (kret) {
 	    if (in)
 		krb5_rd_req_in_ctx_free(context, in);
-	    ret = GSS_S_FAILURE;
 	    *minor_status = kret;
-	    return ret;
+	    return GSS_S_FAILURE;
 	}
 
 	kret = krb5_rd_req_ctx(context,
 			       &ctx->auth_context,
 			       &indata,
-			       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
+			       server,
 			       in, &out);
 	krb5_rd_req_in_ctx_free(context, in);
-	if (kret) {
-	    ret = GSS_S_FAILURE;
+	if (kret == KRB5KRB_AP_ERR_SKEW || kret == KRB5KRB_AP_ERR_TKT_NYV) {
+	    /*
+	     * No reply in non-MUTUAL mode, but we don't know that its
+	     * non-MUTUAL mode yet, thats inside the 8003 checksum, so
+	     * lets only send the error token on clock skew, that
+	     * limit when send error token for non-MUTUAL.
+	     */
+	    return send_error_token(minor_status, context, kret,
+				    server, &indata, output_token);
+	} else if (kret) {
 	    *minor_status = kret;
-	    return ret;
+	    return GSS_S_FAILURE;
 	}
 
 	/*
-	 * We need to remember some data on the context_handle.
+	 * we need to remember some data on the context_handle.
 	 */
 	kret = krb5_rd_req_out_get_ap_req_options(context, out,
 						  &ap_options);
 	if (kret == 0)
-	    kret = krb5_rd_req_out_get_ticket(context, out, 
+	    kret = krb5_rd_req_out_get_ticket(context, out,
 					      &ctx->ticket);
 	if (kret == 0)
 	    kret = krb5_rd_req_out_get_keyblock(context, out,
@@ -348,8 +452,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    return ret;
 	}
     }
-    
-    
+
+
     /*
      * We need to copy the principal names to the context and the
      * calling layer.
@@ -362,7 +466,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	*minor_status = kret;
     }
 
-    kret = krb5_copy_principal(context, 
+    kret = krb5_copy_principal(context,
 			       ctx->ticket->server,
 			       &ctx->target);
     if (kret) {
@@ -370,7 +474,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	*minor_status = kret;
 	return ret;
     }
-    
+
     /*
      * We need to setup some compat stuff, this assumes that
      * context_handle->target is already set.
@@ -393,9 +497,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     /*
      * We need to get the flags out of the 8003 checksum.
      */
+
     {
 	krb5_authenticator authenticator;
-      
+
 	kret = krb5_auth_con_getauthenticator(context,
 					      ctx->auth_context,
 					      &authenticator);
@@ -405,6 +510,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    return ret;
 	}
 
+	if (authenticator->cksum == NULL) {
+	    krb5_free_authenticator(context, &authenticator);
+	    *minor_status = 0;
+	    return GSS_S_BAD_BINDINGS;
+	}
+
         if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
             ret = _gsskrb5_verify_8003_checksum(minor_status,
 						input_chan_bindings,
@@ -419,8 +530,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
         } else {
 	    krb5_crypto crypto;
 
-	    kret = krb5_crypto_init(context, 
-				    ctx->auth_context->keyblock, 
+	    kret = krb5_crypto_init(context,
+				    ctx->auth_context->keyblock,
 				    0, &crypto);
 	    if(kret) {
 		krb5_free_authenticator(context, &authenticator);
@@ -430,9 +541,9 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 		return ret;
 	    }
 
-	    /* 
+	    /*
 	     * Windows accepts Samba3's use of a kerberos, rather than
-	     * GSSAPI checksum here 
+	     * GSSAPI checksum here
 	     */
 
 	    kret = krb5_verify_checksum(context,
@@ -447,28 +558,51 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 		return ret;
 	    }
 
-	    /* 
-	     * Samba style get some flags (but not DCE-STYLE)
+	    /*
+	     * Samba style get some flags (but not DCE-STYLE), use
+	     * ap_options to guess the mutual flag.
 	     */
-	    ctx->flags = 
-		GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ 	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
+		ctx->flags |= GSS_C_MUTUAL_FLAG;
         }
     }
-    
+
     if(ctx->flags & GSS_C_MUTUAL_FLAG) {
 	krb5_data outbuf;
-	    
-	_gsskrb5i_is_cfx(ctx, &is_cfx);
-	    
-	if (is_cfx != 0 
-	    || (ap_options & AP_OPTS_USE_SUBKEY)) {
-	    kret = krb5_auth_con_addflags(context,
-					  ctx->auth_context,
-					  KRB5_AUTH_CONTEXT_USE_SUBKEY,
-					  NULL);
+	int use_subkey = 0;
+
+	_gsskrb5i_is_cfx(context, ctx, 1);
+	is_cfx = (ctx->more_flags & IS_CFX);
+
+	if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {
+	    use_subkey = 1;
+	} else {
+	    krb5_keyblock *rkey;
+
+	    /*
+	     * If there is a initiator subkey, copy that to acceptor
+	     * subkey to match Windows behavior
+	     */
+	    kret = krb5_auth_con_getremotesubkey(context,
+						 ctx->auth_context,
+						 &rkey);
+	    if (kret == 0) {
+		kret = krb5_auth_con_setlocalsubkey(context,
+						    ctx->auth_context,
+						    rkey);
+		if (kret == 0)
+		    use_subkey = 1;
+		krb5_free_keyblock(context, rkey);
+	    }
+	}
+	if (use_subkey) {
 	    ctx->more_flags |= ACCEPTOR_SUBKEY;
+	    krb5_auth_con_addflags(context, ctx->auth_context,
+				   KRB5_AUTH_CONTEXT_USE_SUBKEY,
+				   NULL);
 	}
-	    
+
 	kret = krb5_mk_rep(context,
 			   ctx->auth_context,
 			   &outbuf);
@@ -476,7 +610,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
 	}
-	    
+
 	if (IS_DCE_STYLE(ctx)) {
 	    output_token->length = outbuf.length;
 	    output_token->value = outbuf.data;
@@ -491,17 +625,17 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 		return ret;
 	}
     }
-    
+
     ctx->flags |= GSS_C_TRANS_FLAG;
 
     /* Remember the flags */
-    
+
     ctx->lifetime = ctx->ticket->ticket.endtime;
     ctx->more_flags |= OPEN;
-    
+
     if (mech_type)
 	*mech_type = GSS_KRB5_MECHANISM;
-    
+
     if (time_rec) {
 	ret = _gsskrb5_lifetime_left(minor_status,
 				     context,
@@ -528,7 +662,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	return GSS_S_CONTINUE_NEEDED;
     }
 
-    ret = gsskrb5_acceptor_ready(minor_status, ctx, context, 
+    ret = gsskrb5_acceptor_ready(minor_status, ctx, context,
 				 delegated_cred_handle);
 
     if (ret_flags)
@@ -555,15 +689,15 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
     krb5_error_code kret;
     krb5_data inbuf;
     int32_t r_seq_number, l_seq_number;
-	
-    /* 
+
+    /*
      * We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP
      */
 
     inbuf.length = input_token_buffer->length;
     inbuf.data = input_token_buffer->value;
 
-    /* 
+    /*
      * We need to remeber the old remote seq_number, then check if the
      * client has replied with our local seq_number, and then reset
      * the remote seq_number to the old value
@@ -577,9 +711,9 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
 	    return GSS_S_FAILURE;
 	}
 
-	kret = krb5_auth_getremoteseqnumber(context,
-					    ctx->auth_context,
-					    &r_seq_number);
+	kret = krb5_auth_con_getremoteseqnumber(context,
+						ctx->auth_context,
+						&r_seq_number);
 	if (kret) {
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
@@ -594,15 +728,15 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
 	}
     }
 
-    /* 
+    /*
      * We need to verify the AP_REP, but we need to flag that this is
      * DCE_STYLE, so don't check the timestamps this time, but put the
      * flag DO_TIME back afterward.
-    */ 
+    */
     {
 	krb5_ap_rep_enc_part *repl;
 	int32_t auth_flags;
-		
+
 	krb5_auth_con_removeflags(context,
 				  ctx->auth_context,
 				  KRB5_AUTH_CONTEXT_DO_TIME,
@@ -631,7 +765,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
 	if (lifetime_rec == 0) {
 	    return GSS_S_CONTEXT_EXPIRED;
 	}
-	
+
 	if (time_rec) *time_rec = lifetime_rec;
     }
 
@@ -657,9 +791,9 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
     {
 	int32_t tmp_r_seq_number, tmp_l_seq_number;
 
-	kret = krb5_auth_getremoteseqnumber(context,
-					    ctx->auth_context,
-					    &tmp_r_seq_number);
+	kret = krb5_auth_con_getremoteseqnumber(context,
+						ctx->auth_context,
+						&tmp_r_seq_number);
 	if (kret) {
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
@@ -689,19 +823,19 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
     {
 	kret = krb5_auth_con_setremoteseqnumber(context,
 						ctx->auth_context,
-						r_seq_number);	
+						r_seq_number);
 	if (kret) {
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
 	}
     }
 
-    return gsskrb5_acceptor_ready(minor_status, ctx, context, 
+    return gsskrb5_acceptor_ready(minor_status, ctx, context,
 				  delegated_cred_handle);
 }
 
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
 			    gss_ctx_id_t * context_handle,
 			    const gss_cred_id_t acceptor_cred_handle,
@@ -737,17 +871,17 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
 	if (ret)
 	    return ret;
     }
-    
+
     ctx = (gsskrb5_ctx)*context_handle;
 
-    
+
     /*
-     * TODO: check the channel_bindings 
+     * TODO: check the channel_bindings
      * (above just sets them to krb5 layer)
      */
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
-    
+
     switch (ctx->state) {
     case ACCEPTOR_START:
 	ret = gsskrb5_acceptor_start(minor_status,
@@ -778,7 +912,7 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
 					 delegated_cred_handle);
 	break;
     case ACCEPTOR_READY:
-	/* 
+	/*
 	 * If we get there, the caller have called
 	 * gss_accept_sec_context() one time too many.
 	 */
@@ -789,9 +923,9 @@ _gsskrb5_accept_sec_context(OM_uint32 * minor_status,
 	ret =  GSS_S_BAD_STATUS;
 	break;
     }
-    
+
     HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-    
+
     if (GSS_ERROR(ret)) {
 	OM_uint32 min2;
 	_gsskrb5_delete_sec_context(&min2, context_handle, GSS_C_NO_BUFFER);
diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c
index 6e13a4287b62..0f1f5f81cffc 100644
--- a/lib/gssapi/krb5/acquire_cred.c
+++ b/lib/gssapi/krb5/acquire_cred.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: acquire_cred.c 22124 2007-12-04 00:03:52Z lha $");
+#include "gsskrb5_locl.h"
 
 OM_uint32
 __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
@@ -42,13 +40,13 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
 			  krb5_principal principal,
 			  OM_uint32 *lifetime)
 {
-    krb5_creds in_cred, *out_cred;
+    krb5_creds in_cred, out_cred;
     krb5_const_realm realm;
     krb5_error_code kret;
 
     memset(&in_cred, 0, sizeof(in_cred));
     in_cred.client = principal;
-	
+
     realm = krb5_principal_get_realm(context,  principal);
     if (realm == NULL) {
 	_gsskrb5_clear_status ();
@@ -56,23 +54,23 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
 	return GSS_S_FAILURE;
     }
 
-    kret = krb5_make_principal(context, &in_cred.server, 
+    kret = krb5_make_principal(context, &in_cred.server,
 			       realm, KRB5_TGS_NAME, realm, NULL);
     if (kret) {
 	*minor_status = kret;
 	return GSS_S_FAILURE;
     }
 
-    kret = krb5_get_credentials(context, 0, 
-				id, &in_cred, &out_cred);
+    kret = krb5_cc_retrieve_cred(context, id, 0, &in_cred, &out_cred);
     krb5_free_principal(context, in_cred.server);
     if (kret) {
-	*minor_status = kret;
-	return GSS_S_FAILURE;
+	*minor_status = 0;
+	*lifetime = 0;
+	return GSS_S_COMPLETE;
     }
 
-    *lifetime = out_cred->times.endtime;
-    krb5_free_creds(context, out_cred);
+    *lifetime = out_cred.times.endtime;
+    krb5_free_cred_contents(context, &out_cred);
 
     return GSS_S_COMPLETE;
 }
@@ -83,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
 static krb5_error_code
 get_keytab(krb5_context context, krb5_keytab *keytab)
 {
-    char kt_name[256];
     krb5_error_code kret;
 
     HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
 
     if (_gsskrb5_keytab != NULL) {
-	kret = krb5_kt_get_name(context,
-				_gsskrb5_keytab,
-				kt_name, sizeof(kt_name));
-	if (kret == 0)
-	    kret = krb5_kt_resolve(context, kt_name, keytab);
+	char *name = NULL;
+
+	kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
+	if (kret == 0) {
+	    kret = krb5_kt_resolve(context, name, keytab);
+	    krb5_xfree(name);
+	}
     } else
 	kret = krb5_kt_default(context, keytab);
 
@@ -105,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
 static OM_uint32 acquire_initiator_cred
 		  (OM_uint32 * minor_status,
 		   krb5_context context,
+		   gss_const_OID credential_type,
+		   const void *credential_data,
 		   const gss_name_t desired_name,
 		   OM_uint32 time_req,
-		   const gss_OID_set desired_mechs,
+		   gss_const_OID desired_mech,
 		   gss_cred_usage_t cred_usage,
-		   gsskrb5_cred handle,
-		   gss_OID_set * actual_mechs,
-		   OM_uint32 * time_rec
+		   gsskrb5_cred handle
 		  )
 {
     OM_uint32 ret;
@@ -128,70 +127,100 @@ static OM_uint32 acquire_initiator_cred
     ret = GSS_S_FAILURE;
     memset(&cred, 0, sizeof(cred));
 
-    /* If we have a preferred principal, lets try to find it in all
-     * caches, otherwise, fall back to default cache.  Ignore
-     * errors. */
-    if (handle->principal)
+    /*
+     * If we have a preferred principal, lets try to find it in all
+     * caches, otherwise, fall back to default cache, ignore all
+     * errors while searching.
+     */
+
+    if (credential_type != GSS_C_NO_OID &&
+	!gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+	kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
+	goto end;
+    }
+
+    if (handle->principal) {
 	kret = krb5_cc_cache_match (context,
 				    handle->principal,
-				    NULL,
 				    &ccache);
-    
+	if (kret == 0) {
+	    ret = GSS_S_COMPLETE;
+	    goto found;
+	}
+    }
+
     if (ccache == NULL) {
 	kret = krb5_cc_default(context, &ccache);
 	if (kret)
 	    goto end;
     }
-    kret = krb5_cc_get_principal(context, ccache,
-	&def_princ);
+    kret = krb5_cc_get_principal(context, ccache, &def_princ);
     if (kret != 0) {
 	/* we'll try to use a keytab below */
-	krb5_cc_destroy(context, ccache);
-	ccache = NULL;
+	krb5_cc_close(context, ccache);
+	def_princ = NULL;
 	kret = 0;
     } else if (handle->principal == NULL)  {
-	kret = krb5_copy_principal(context, def_princ,
-	    &handle->principal);
+	kret = krb5_copy_principal(context, def_princ, &handle->principal);
 	if (kret)
 	    goto end;
     } else if (handle->principal != NULL &&
-	krb5_principal_compare(context, handle->principal,
-	def_princ) == FALSE) {
-	/* Before failing, lets check the keytab */
+	       krb5_principal_compare(context, handle->principal,
+				      def_princ) == FALSE) {
 	krb5_free_principal(context, def_princ);
 	def_princ = NULL;
+	krb5_cc_close(context, ccache);
+	ccache = NULL;
     }
     if (def_princ == NULL) {
 	/* We have no existing credentials cache,
 	 * so attempt to get a TGT using a keytab.
 	 */
 	if (handle->principal == NULL) {
-	    kret = krb5_get_default_principal(context,
-		&handle->principal);
+	    kret = krb5_get_default_principal(context, &handle->principal);
 	    if (kret)
 		goto end;
 	}
-	kret = get_keytab(context, &keytab);
-	if (kret)
-	    goto end;
 	kret = krb5_get_init_creds_opt_alloc(context, &opt);
 	if (kret)
 	    goto end;
-	kret = krb5_get_init_creds_keytab(context, &cred,
-	    handle->principal, keytab, 0, NULL, opt);
+	if (credential_type != GSS_C_NO_OID &&
+	    gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+	    gss_buffer_t password = (gss_buffer_t)credential_data;
+
+	    /* XXX are we requiring password to be NUL terminated? */
+
+	    kret = krb5_get_init_creds_password(context, &cred,
+						handle->principal,
+						password->value,
+						NULL, NULL, 0, NULL, opt);
+	} else {
+	    kret = get_keytab(context, &keytab);
+	    if (kret) {
+		krb5_get_init_creds_opt_free(context, opt);
+		goto end;
+	    }
+	    kret = krb5_get_init_creds_keytab(context, &cred,
+					      handle->principal, keytab,
+					      0, NULL, opt);
+	}
 	krb5_get_init_creds_opt_free(context, opt);
 	if (kret)
 	    goto end;
-	kret = krb5_cc_gen_new(context, &krb5_mcc_ops,
-		&ccache);
+	kret = krb5_cc_new_unique(context, krb5_cc_type_memory,
+				  NULL, &ccache);
 	if (kret)
 	    goto end;
 	kret = krb5_cc_initialize(context, ccache, cred.client);
-	if (kret)
+	if (kret) {
+	    krb5_cc_destroy(context, ccache);
 	    goto end;
+	}
 	kret = krb5_cc_store_cred(context, ccache, &cred);
-	if (kret)
+	if (kret) {
+	    krb5_cc_destroy(context, ccache);
 	    goto end;
+	}
 	handle->lifetime = cred.times.endtime;
 	handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
     } else {
@@ -201,11 +230,13 @@ static OM_uint32 acquire_initiator_cred
 					ccache,
 					handle->principal,
 					&handle->lifetime);
-	if (ret != GSS_S_COMPLETE)
+	if (ret != GSS_S_COMPLETE) {
+	    krb5_cc_close(context, ccache);
 	    goto end;
+	}
 	kret = 0;
     }
-
+ found:
     handle->ccache = ccache;
     ret = GSS_S_COMPLETE;
 
@@ -216,49 +247,49 @@ end:
 	krb5_free_principal(context, def_princ);
     if (keytab != NULL)
 	krb5_kt_close(context, keytab);
-    if (ret != GSS_S_COMPLETE) {
-	if (ccache != NULL)
-	    krb5_cc_close(context, ccache);
-	if (kret != 0) {
-	    *minor_status = kret;
-	}
-    }
+    if (ret != GSS_S_COMPLETE && kret != 0)
+	*minor_status = kret;
     return (ret);
 }
 
 static OM_uint32 acquire_acceptor_cred
 		  (OM_uint32 * minor_status,
 		   krb5_context context,
+		   gss_const_OID credential_type,
+		   const void *credential_data,
 		   const gss_name_t desired_name,
 		   OM_uint32 time_req,
-		   const gss_OID_set desired_mechs,
+		   gss_const_OID desired_mech,
 		   gss_cred_usage_t cred_usage,
-		   gsskrb5_cred handle,
-		   gss_OID_set * actual_mechs,
-		   OM_uint32 * time_rec
+		   gsskrb5_cred handle
 		  )
 {
     OM_uint32 ret;
     krb5_error_code kret;
 
-    kret = 0;
     ret = GSS_S_FAILURE;
+
+    if (credential_type != GSS_C_NO_OID) {
+	kret = EINVAL;
+	goto end;
+    }
+
     kret = get_keytab(context, &handle->keytab);
     if (kret)
 	goto end;
-    
+
     /* check that the requested principal exists in the keytab */
     if (handle->principal) {
 	krb5_keytab_entry entry;
 
-	kret = krb5_kt_get_entry(context, handle->keytab, 
+	kret = krb5_kt_get_entry(context, handle->keytab,
 				 handle->principal, 0, 0, &entry);
 	if (kret)
 	    goto end;
 	krb5_kt_free_entry(context, &entry);
 	ret = GSS_S_COMPLETE;
     } else {
-	/* 
+	/*
 	 * Check if there is at least one entry in the keytab before
 	 * declaring it as an useful keytab.
 	 */
@@ -273,7 +304,7 @@ static OM_uint32 acquire_acceptor_cred
 	    ret = GSS_S_COMPLETE; /* ok found one entry */
 	}
 	krb5_kt_end_seq_get (context, handle->keytab, &c);
-    } 
+    }
 end:
     if (ret != GSS_S_COMPLETE) {
 	if (handle->keytab != NULL)
@@ -285,7 +316,7 @@ end:
     return (ret);
 }
 
-OM_uint32 _gsskrb5_acquire_cred
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
 (OM_uint32 * minor_status,
  const gss_name_t desired_name,
  OM_uint32 time_req,
@@ -296,28 +327,13 @@ OM_uint32 _gsskrb5_acquire_cred
  OM_uint32 * time_rec
     )
 {
-    krb5_context context;
-    gsskrb5_cred handle;
     OM_uint32 ret;
 
-    if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
-	*minor_status = GSS_KRB5_S_G_BAD_USAGE;
-	return GSS_S_FAILURE;
-    }
-
-    GSSAPI_KRB5_INIT(&context);
-
-    *output_cred_handle = NULL;
-    if (time_rec)
-	*time_rec = 0;
-    if (actual_mechs)
-	*actual_mechs = GSS_C_NO_OID_SET;
-
     if (desired_mechs) {
 	int present = 0;
 
 	ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
-				      desired_mechs, &present); 
+				      desired_mechs, &present);
 	if (ret)
 	    return ret;
 	if (!present) {
@@ -326,6 +342,54 @@ OM_uint32 _gsskrb5_acquire_cred
 	}
     }
 
+    ret = _gsskrb5_acquire_cred_ext(minor_status,
+				    desired_name,
+				    GSS_C_NO_OID,
+				    NULL,
+				    time_req,
+				    GSS_KRB5_MECHANISM,
+				    cred_usage,
+				    output_cred_handle);
+    if (ret)
+	return ret;
+
+
+    ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle,
+				NULL, time_rec, NULL, actual_mechs);
+    if (ret) {
+	OM_uint32 tmp;
+	_gsskrb5_release_cred(&tmp, output_cred_handle);
+    }
+
+    return ret;
+}
+
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
+(OM_uint32 * minor_status,
+ const gss_name_t desired_name,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle
+    )
+{
+    krb5_context context;
+    gsskrb5_cred handle;
+    OM_uint32 ret;
+
+    cred_usage &= GSS_C_OPTION_MASK;
+
+    if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
+	*minor_status = GSS_KRB5_S_G_BAD_USAGE;
+	return GSS_S_FAILURE;
+    }
+
+    GSSAPI_KRB5_INIT(&context);
+
+    *output_cred_handle = NULL;
+
     handle = calloc(1, sizeof(*handle));
     if (handle == NULL) {
 	*minor_status = ENOMEM;
@@ -335,20 +399,19 @@ OM_uint32 _gsskrb5_acquire_cred
     HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
 
     if (desired_name != GSS_C_NO_NAME) {
-	krb5_principal name = (krb5_principal)desired_name;
-	ret = krb5_copy_principal(context, name, &handle->principal);
+	ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
+				  desired_name, &handle->principal);
 	if (ret) {
 	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
-	    *minor_status = ret;
 	    free(handle);
-	    return GSS_S_FAILURE;
+	    return ret;
 	}
     }
     if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
 	ret = acquire_initiator_cred(minor_status, context,
+				     credential_type, credential_data,
 				     desired_name, time_req,
-				     desired_mechs, cred_usage, handle,
-				     actual_mechs, time_rec);
+				     desired_mech, cred_usage, handle);
     	if (ret != GSS_S_COMPLETE) {
 	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
 	    krb5_free_principal(context, handle->principal);
@@ -358,8 +421,9 @@ OM_uint32 _gsskrb5_acquire_cred
     }
     if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
 	ret = acquire_acceptor_cred(minor_status, context,
+				    credential_type, credential_data,
 				    desired_name, time_req,
-				    desired_mechs, cred_usage, handle, actual_mechs, time_rec);
+				    desired_mech, cred_usage, handle);
 	if (ret != GSS_S_COMPLETE) {
 	    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
 	    krb5_free_principal(context, handle->principal);
@@ -371,9 +435,6 @@ OM_uint32 _gsskrb5_acquire_cred
     if (ret == GSS_S_COMPLETE)
     	ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
 				     &handle->mechanisms);
-    if (ret == GSS_S_COMPLETE)
-    	ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle, 
-				    NULL, time_rec, NULL, actual_mechs);
     if (ret != GSS_S_COMPLETE) {
 	if (handle->mechanisms != NULL)
 	    gss_release_oid_set(NULL, &handle->mechanisms);
@@ -381,18 +442,9 @@ OM_uint32 _gsskrb5_acquire_cred
 	krb5_free_principal(context, handle->principal);
 	free(handle);
 	return (ret);
-    } 
-    *minor_status = 0;
-    if (time_rec) {
-	ret = _gsskrb5_lifetime_left(minor_status,
-				     context,
-				     handle->lifetime,
-				     time_rec);
-
-	if (ret)
-	    return ret;
     }
     handle->usage = cred_usage;
+    *minor_status = 0;
     *output_cred_handle = (gss_cred_id_t)handle;
     return (GSS_S_COMPLETE);
 }
diff --git a/lib/gssapi/krb5/add_cred.c b/lib/gssapi/krb5/add_cred.c
index 9a1045a889f6..00cf55f62d65 100644
--- a/lib/gssapi/krb5/add_cred.c
+++ b/lib/gssapi/krb5/add_cred.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: add_cred.c 20688 2007-05-17 18:44:31Z lha $");
-
-OM_uint32 _gsskrb5_add_cred (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
      OM_uint32           *minor_status,
      const gss_cred_id_t input_cred_handle,
      const gss_name_t    desired_name,
@@ -74,7 +72,7 @@ OM_uint32 _gsskrb5_add_cred (
 	return GSS_S_NO_CRED;
     }
 
-    /* check if requested output usage is compatible with output usage */ 
+    /* check if requested output usage is compatible with output usage */
     if (output_cred_handle != NULL) {
 	HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
 	if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
@@ -83,10 +81,10 @@ OM_uint32 _gsskrb5_add_cred (
 	    return(GSS_S_FAILURE);
 	}
     }
-	
+
     /* check that we have the same name */
     if (dname != NULL &&
-	krb5_principal_compare(context, dname, 
+	krb5_principal_compare(context, dname,
 			       cred->principal) != FALSE) {
 	if (output_cred_handle)
 	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
@@ -112,7 +110,7 @@ OM_uint32 _gsskrb5_add_cred (
 	handle->ccache = NULL;
 	handle->mechanisms = NULL;
 	HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
-	
+
 	ret = GSS_S_FAILURE;
 
 	kret = krb5_copy_principal(context, cred->principal,
@@ -125,23 +123,11 @@ OM_uint32 _gsskrb5_add_cred (
 	}
 
 	if (cred->keytab) {
-	    char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
-	    int len;
-	    
-	    ret = GSS_S_FAILURE;
+	    char *name = NULL;
 
-	    kret = krb5_kt_get_type(context, cred->keytab,
-				    name, KRB5_KT_PREFIX_MAX_LEN);
-	    if (kret) {
-		*minor_status = kret;
-		goto failure;
-	    }
-	    len = strlen(name);
-	    name[len++] = ':';
+	    ret = GSS_S_FAILURE;
 
-	    kret = krb5_kt_get_name(context, cred->keytab,
-				    name + len, 
-				    sizeof(name) - len);
+	    kret = krb5_kt_get_full_name(context, cred->keytab, &name);
 	    if (kret) {
 		*minor_status = kret;
 		goto failure;
@@ -149,6 +135,7 @@ OM_uint32 _gsskrb5_add_cred (
 
 	    kret = krb5_kt_resolve(context, name,
 				   &handle->keytab);
+	    krb5_xfree(name);
 	    if (kret){
 		*minor_status = kret;
 		goto failure;
@@ -157,7 +144,7 @@ OM_uint32 _gsskrb5_add_cred (
 
 	if (cred->ccache) {
 	    const char *type, *name;
-	    char *type_name;
+	    char *type_name = NULL;
 
 	    ret = GSS_S_FAILURE;
 
@@ -168,8 +155,8 @@ OM_uint32 _gsskrb5_add_cred (
 	    }
 
 	    if (strcmp(type, "MEMORY") == 0) {
-		ret = krb5_cc_gen_new(context, &krb5_mcc_ops,
-				      &handle->ccache);
+		ret = krb5_cc_new_unique(context, type,
+					 NULL, &handle->ccache);
 		if (ret) {
 		    *minor_status = ret;
 		    goto failure;
@@ -188,20 +175,20 @@ OM_uint32 _gsskrb5_add_cred (
 		    *minor_status = ENOMEM;
 		    goto failure;
 		}
-		
-		asprintf(&type_name, "%s:%s", type, name);
-		if (type_name == NULL) {
+
+		kret = asprintf(&type_name, "%s:%s", type, name);
+		if (kret < 0 || type_name == NULL) {
 		    *minor_status = ENOMEM;
 		    goto failure;
 		}
-		
+
 		kret = krb5_cc_resolve(context, type_name,
 				       &handle->ccache);
 		free(type_name);
 		if (kret) {
 		    *minor_status = kret;
 		    goto failure;
-		}	    
+		}
 	    }
 	}
 	ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
@@ -216,7 +203,7 @@ OM_uint32 _gsskrb5_add_cred (
 
     HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
 
-    ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred, 
+    ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred,
 				NULL, &lifetime, NULL, actual_mechs);
     if (ret)
 	goto failure;
diff --git a/lib/gssapi/krb5/address_to_krb5addr.c b/lib/gssapi/krb5/address_to_krb5addr.c
index 18a90fe9a762..fa115d964a89 100644
--- a/lib/gssapi/krb5/address_to_krb5addr.c
+++ b/lib/gssapi/krb5/address_to_krb5addr.c
@@ -1,37 +1,37 @@
 /*
- * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
 #include <roken.h>
 
@@ -46,32 +46,32 @@ _gsskrb5i_address_to_krb5addr(krb5_context context,
    struct sockaddr sa;
    krb5_socklen_t sa_size = sizeof(sa);
    krb5_error_code problem;
-   
+
    if (gss_addr == NULL)
-      return GSS_S_FAILURE; 
-   
+      return GSS_S_FAILURE;
+
    switch (gss_addr_type) {
 #ifdef HAVE_IPV6
       case GSS_C_AF_INET6: addr_type = AF_INET6;
                            break;
 #endif /* HAVE_IPV6 */
-                           
+
       case GSS_C_AF_INET:  addr_type = AF_INET;
                            break;
       default:
                            return GSS_S_FAILURE;
    }
-                      
+
    problem = krb5_h_addr2sockaddr (context,
 				   addr_type,
-                                   gss_addr->value, 
-                                   &sa, 
-                                   &sa_size, 
+                                   gss_addr->value,
+                                   &sa,
+                                   &sa_size,
                                    port);
    if (problem)
       return GSS_S_FAILURE;
 
    problem = krb5_sockaddr2address (context, &sa, address);
 
-   return problem;  
+   return problem;
 }
diff --git a/lib/gssapi/krb5/aeap.c b/lib/gssapi/krb5/aeap.c
new file mode 100644
index 000000000000..47913e4aec03
--- /dev/null
+++ b/lib/gssapi/krb5/aeap.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2008  Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gsskrb5_locl.h"
+
+#include <roken.h>
+
+OM_uint32 GSSAPI_CALLCONV
+_gk_wrap_iov(OM_uint32 * minor_status,
+	     gss_ctx_id_t  context_handle,
+	     int conf_req_flag,
+	     gss_qop_t qop_req,
+	     int * conf_state,
+	     gss_iov_buffer_desc *iov,
+	     int iov_count)
+{
+  const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+  krb5_context context;
+
+  GSSAPI_KRB5_INIT (&context);
+
+  if (ctx->more_flags & IS_CFX)
+      return _gssapi_wrap_cfx_iov(minor_status, ctx, context,
+				  conf_req_flag, conf_state,
+				  iov, iov_count);
+
+    return GSS_S_FAILURE;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gk_unwrap_iov(OM_uint32 *minor_status,
+	       gss_ctx_id_t context_handle,
+	       int *conf_state,
+	       gss_qop_t *qop_state,
+	       gss_iov_buffer_desc *iov,
+	       int iov_count)
+{
+    const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+    krb5_context context;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (ctx->more_flags & IS_CFX)
+	return _gssapi_unwrap_cfx_iov(minor_status, ctx, context,
+				      conf_state, qop_state, iov, iov_count);
+
+    return GSS_S_FAILURE;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gk_wrap_iov_length(OM_uint32 * minor_status,
+		    gss_ctx_id_t context_handle,
+		    int conf_req_flag,
+		    gss_qop_t qop_req,
+		    int *conf_state,
+		    gss_iov_buffer_desc *iov,
+		    int iov_count)
+{
+    const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
+    krb5_context context;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (ctx->more_flags & IS_CFX)
+	return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context,
+					   conf_req_flag, qop_req, conf_state,
+					   iov, iov_count);
+
+    return GSS_S_FAILURE;
+}
diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
index 032da36ebc86..15b1b343409a 100644
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: arcfour.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 /*
  * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -75,20 +73,20 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key,
 		void *key6_data, size_t key6_size)
 {
     krb5_error_code ret;
-    
+
     Checksum cksum_k5;
     krb5_keyblock key5;
     char k5_data[16];
-    
+
     Checksum cksum_k6;
-    
+
     char T[4];
 
     memset(T, 0, 4);
     cksum_k5.checksum.data = k5_data;
     cksum_k5.checksum.length = sizeof(k5_data);
 
-    if (key->keytype == KEYTYPE_ARCFOUR_56) {
+    if (key->keytype == ENCTYPE_ARCFOUR_HMAC_MD5_56) {
 	char L40[14] = "fortybits";
 
 	memcpy(L40 + 10, T, sizeof(T));
@@ -102,7 +100,7 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key,
     if (ret)
 	return ret;
 
-    key5.keytype = KEYTYPE_ARCFOUR;
+    key5.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
     key5.keyvalue = cksum_k5.checksum;
 
     cksum_k6.checksum.data = key6_data;
@@ -126,7 +124,7 @@ arcfour_mic_cksum(krb5_context context,
     size_t len;
     krb5_crypto crypto;
     krb5_error_code ret;
-    
+
     assert(sgn_cksum_sz == 8);
 
     len = l1 + l2 + l3;
@@ -138,13 +136,13 @@ arcfour_mic_cksum(krb5_context context,
     memcpy(ptr, v1, l1);
     memcpy(ptr + l1, v2, l2);
     memcpy(ptr + l1 + l2, v3, l3);
-    
+
     ret = krb5_crypto_init(context, key, 0, &crypto);
     if (ret) {
 	free(ptr);
 	return ret;
     }
-    
+
     ret = krb5_create_checksum(context,
 			       crypto,
 			       usage,
@@ -175,22 +173,22 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
     int32_t seq_number;
     size_t len, total_len;
     u_char k6_data[16], *p0, *p;
-    RC4_KEY rc4_key;
-    
+    EVP_CIPHER_CTX rc4_key;
+
     _gsskrb5_encap_length (22, &len, &total_len, GSS_KRB5_MECHANISM);
-    
+
     message_token->length = total_len;
     message_token->value  = malloc (total_len);
     if (message_token->value == NULL) {
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
     }
-    
+
     p0 = _gssapi_make_mech_header(message_token->value,
 				  len,
 				  GSS_KRB5_MECHANISM);
     p = p0;
-    
+
     *p++ = 0x01; /* TOK_ID */
     *p++ = 0x01;
     *p++ = 0x11; /* SGN_ALG */
@@ -229,20 +227,21 @@ _gssapi_get_mic_arcfour(OM_uint32 * minor_status,
 				     &seq_number);
     p = p0 + 8; /* SND_SEQ */
     _gsskrb5_encode_be_om_uint32(seq_number, p);
-    
+
     krb5_auth_con_setlocalseqnumber (context,
 				     context_handle->auth_context,
 				     ++seq_number);
     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-    
+
     memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4);
 
-    RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
-    RC4 (&rc4_key, 8, p, p);
-	
-    memset(&rc4_key, 0, sizeof(rc4_key));
+    EVP_CIPHER_CTX_init(&rc4_key);
+    EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+    EVP_Cipher(&rc4_key, p, p, 8);
+    EVP_CIPHER_CTX_cleanup(&rc4_key);
+
     memset(k6_data, 0, sizeof(k6_data));
-    
+
     *minor_status = 0;
     return GSS_S_COMPLETE;
 }
@@ -256,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
 			   const gss_buffer_t token_buffer,
 			   gss_qop_t * qop_state,
 			   krb5_keyblock *key,
-			   char *type)
+			   const char *type)
 {
     krb5_error_code ret;
     uint32_t seq_number;
@@ -264,18 +263,18 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
     u_char SND_SEQ[8], cksum_data[8], *p;
     char k6_data[16];
     int cmp;
-    
+
     if (qop_state)
 	*qop_state = 0;
 
     p = token_buffer->value;
     omret = _gsskrb5_verify_header (&p,
 				       token_buffer->length,
-				       (u_char *)type,
+				       type,
 				       GSS_KRB5_MECHANISM);
     if (omret)
 	return omret;
-    
+
     if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
 	return GSS_S_BAD_SIG;
     p += 2;
@@ -302,19 +301,20 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
 	return GSS_S_FAILURE;
     }
 
-    cmp = memcmp(cksum_data, p + 8, 8);
+    cmp = ct_memcmp(cksum_data, p + 8, 8);
     if (cmp) {
 	*minor_status = 0;
 	return GSS_S_BAD_MIC;
     }
 
     {
-	RC4_KEY rc4_key;
-	
-	RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data);
-	RC4 (&rc4_key, 8, p, SND_SEQ);
-	
-	memset(&rc4_key, 0, sizeof(rc4_key));
+	EVP_CIPHER_CTX rc4_key;
+
+	EVP_CIPHER_CTX_init(&rc4_key);
+	EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
+	EVP_Cipher(&rc4_key, SND_SEQ, p, 8);
+	EVP_CIPHER_CTX_cleanup(&rc4_key);
+
 	memset(k6_data, 0, sizeof(k6_data));
     }
 
@@ -330,7 +330,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
 	*minor_status = 0;
 	return GSS_S_BAD_MIC;
     }
-    
+
     HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
     omret = _gssapi_msg_order_check(context_handle->order, seq_number);
     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -379,7 +379,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
     }
-    
+
     p0 = _gssapi_make_mech_header(output_message_buffer->value,
 				  len,
 				  GSS_KRB5_MECHANISM);
@@ -418,7 +418,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
 	    4);
 
     krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */
-    
+
     /* p points to data */
     p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
     memcpy(p, input_message_buffer->value, input_message_buffer->length);
@@ -428,10 +428,10 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
 
     ret = arcfour_mic_cksum(context,
 			    key, KRB5_KU_USAGE_SEAL,
-			    p0 + 16, 8, /* SGN_CKSUM */ 
+			    p0 + 16, 8, /* SGN_CKSUM */
 			    p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
 			    p0 + 24, 8, /* Confounder */
-			    p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, 
+			    p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
 			    datalen);
     if (ret) {
 	*minor_status = ret;
@@ -461,12 +461,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
 
 
     if(conf_req_flag) {
-	RC4_KEY rc4_key;
+	EVP_CIPHER_CTX rc4_key;
 
-	RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data);
-	/* XXX ? */
-	RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
-	memset(&rc4_key, 0, sizeof(rc4_key));
+	EVP_CIPHER_CTX_init(&rc4_key);
+	EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+	EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen);
+	EVP_CIPHER_CTX_cleanup(&rc4_key);
     }
     memset(k6_data, 0, sizeof(k6_data));
 
@@ -480,11 +480,12 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
     }
 
     {
-	RC4_KEY rc4_key;
-	
-	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
-	RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */
-	memset(&rc4_key, 0, sizeof(rc4_key));
+	EVP_CIPHER_CTX rc4_key;
+
+	EVP_CIPHER_CTX_init(&rc4_key);
+	EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+	EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
+	EVP_CIPHER_CTX_cleanup(&rc4_key);
 	memset(k6_data, 0, sizeof(k6_data));
     }
 
@@ -516,7 +517,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
     int cmp;
     int conf_flag;
     size_t padlen = 0, len;
-    
+
     if (conf_state)
 	*conf_state = 0;
     if (qop_state)
@@ -525,7 +526,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
     p0 = input_message_buffer->value;
 
     if (IS_DCE_STYLE(context_handle)) {
-	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + 
+	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE +
 	    GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
 	if (input_message_buffer->length < len)
 	    return GSS_S_BAD_MECH;
@@ -540,7 +541,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
 	return omret;
 
     /* length of mech header */
-    len = (p0 - (u_char *)input_message_buffer->value) + 
+    len = (p0 - (u_char *)input_message_buffer->value) +
 	GSS_ARCFOUR_WRAP_TOKEN_SIZE;
 
     if (len > input_message_buffer->length)
@@ -579,11 +580,12 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
     }
 
     {
-	RC4_KEY rc4_key;
-	
-	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
-	RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */
-	memset(&rc4_key, 0, sizeof(rc4_key));
+	EVP_CIPHER_CTX rc4_key;
+
+	EVP_CIPHER_CTX_init(&rc4_key);
+	EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+	EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8);
+	EVP_CIPHER_CTX_cleanup(&rc4_key);
 	memset(k6_data, 0, sizeof(k6_data));
     }
 
@@ -626,16 +628,16 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
     output_message_buffer->length = datalen;
 
     if(conf_flag) {
-	RC4_KEY rc4_key;
+	EVP_CIPHER_CTX rc4_key;
 
-	RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
-	RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */
-	RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
-	     output_message_buffer->value);
-	memset(&rc4_key, 0, sizeof(rc4_key));
+	EVP_CIPHER_CTX_init(&rc4_key);
+	EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
+	EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8);
+	EVP_Cipher(&rc4_key, output_message_buffer->value, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE, datalen);
+	EVP_CIPHER_CTX_cleanup(&rc4_key);
     } else {
 	memcpy(Confounder, p0 + 24, 8); /* Confounder */
-	memcpy(output_message_buffer->value, 
+	memcpy(output_message_buffer->value,
 	       p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
 	       datalen);
     }
@@ -654,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
     ret = arcfour_mic_cksum(context,
 			    key, KRB5_KU_USAGE_SEAL,
 			    cksum_data, sizeof(cksum_data),
-			    p0, 8, 
+			    p0, 8,
 			    Confounder, sizeof(Confounder),
-			    output_message_buffer->value, 
+			    output_message_buffer->value,
 			    output_message_buffer->length + padlen);
     if (ret) {
 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
@@ -664,7 +666,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
 	return GSS_S_FAILURE;
     }
 
-    cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+    cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
     if (cmp) {
 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
 	*minor_status = 0;
@@ -690,10 +692,10 @@ max_wrap_length_arcfour(const gsskrb5_ctx ctx,
 			size_t input_length,
 			OM_uint32 *max_input_size)
 {
-    /* 
+    /*
      * if GSS_C_DCE_STYLE is in use:
      *  - we only need to encapsulate the WRAP token
-     * However, since this is a fixed since, we just 
+     * However, since this is a fixed since, we just
      */
     if (IS_DCE_STYLE(ctx)) {
 	size_t len, total_len;
diff --git a/lib/gssapi/krb5/authorize_localname.c b/lib/gssapi/krb5/authorize_localname.c
new file mode 100644
index 000000000000..4bab062ac4ce
--- /dev/null
+++ b/lib/gssapi/krb5/authorize_localname.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2011, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gsskrb5_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_authorize_localname(OM_uint32 *minor_status,
+                             const gss_name_t input_name,
+                             gss_const_buffer_t user_name,
+                             gss_const_OID user_name_type)
+{
+    krb5_context context;
+    krb5_principal princ = (krb5_principal)input_name;
+    char *user;
+    int user_ok;
+
+    if (!gss_oid_equal(user_name_type, GSS_C_NT_USER_NAME))
+        return GSS_S_BAD_NAMETYPE;
+
+    GSSAPI_KRB5_INIT(&context);
+
+    user = malloc(user_name->length + 1);
+    if (user == NULL) {
+        *minor_status = ENOMEM;
+        return GSS_S_FAILURE;
+    }
+
+    memcpy(user, user_name->value, user_name->length);
+    user[user_name->length] = '\0';
+
+    *minor_status = 0;
+    user_ok = krb5_kuserok(context, princ, user);
+
+    free(user);
+
+    return user_ok ? GSS_S_COMPLETE : GSS_S_UNAUTHORIZED;
+}
diff --git a/lib/gssapi/krb5/canonicalize_name.c b/lib/gssapi/krb5/canonicalize_name.c
index c1744abd3bec..7fc921bac095 100644
--- a/lib/gssapi/krb5/canonicalize_name.c
+++ b/lib/gssapi/krb5/canonicalize_name.c
@@ -1,46 +1,58 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: canonicalize_name.c 18334 2006-10-07 22:16:04Z lha $");
-
-OM_uint32 _gsskrb5_canonicalize_name (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_canonicalize_name (
             OM_uint32 * minor_status,
             const gss_name_t input_name,
             const gss_OID mech_type,
             gss_name_t * output_name
            )
 {
-    return _gsskrb5_duplicate_name (minor_status, input_name, output_name);
+    krb5_context context;
+    krb5_principal name;
+    OM_uint32 ret;
+
+    *output_name = NULL;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    ret = _gsskrb5_canon_name(minor_status, context, 1, NULL, input_name, &name);
+    if (ret)
+	return ret;
+
+    *output_name = (gss_name_t)name;
+
+    return GSS_S_COMPLETE;
 }
diff --git a/lib/gssapi/krb5/ccache_name.c b/lib/gssapi/krb5/ccache_name.c
index 6f332463553c..1577fb20ddb3 100644
--- a/lib/gssapi/krb5/ccache_name.c
+++ b/lib/gssapi/krb5/ccache_name.c
@@ -1,44 +1,42 @@
 /*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: ccache_name.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 char *last_out_name;
 
 OM_uint32
-_gsskrb5_krb5_ccache_name(OM_uint32 *minor_status, 
+_gsskrb5_krb5_ccache_name(OM_uint32 *minor_status,
 			  const char *name,
 			  const char **out_name)
 {
diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c
index 6452f802ab84..3c1536b60ea5 100644
--- a/lib/gssapi/krb5/cfx.c
+++ b/lib/gssapi/krb5/cfx.c
@@ -30,12 +30,10 @@
  * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: cfx.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 /*
- * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
+ * Implementation of RFC 4121
  */
 
 #define CFXSentByAcceptor	(1 << 0)
@@ -46,6 +44,7 @@ krb5_error_code
 _gsskrb5cfx_wrap_length_cfx(krb5_context context,
 			    krb5_crypto crypto,
 			    int conf_req_flag,
+			    int dce_style,
 			    size_t input_length,
 			    size_t *output_length,
 			    size_t *cksumsize,
@@ -72,7 +71,11 @@ _gsskrb5cfx_wrap_length_cfx(krb5_context context,
 	/* Header is concatenated with data before encryption */
 	input_length += sizeof(gss_cfx_wrap_token_desc);
 
-	ret = krb5_crypto_getpadsize(context, crypto, &padsize);
+	if (dce_style) {
+		ret = krb5_crypto_getblocksize(context, crypto, &padsize);
+	} else {
+		ret = krb5_crypto_getpadsize(context, crypto, &padsize);
+	}
 	if (ret) {
 	    return ret;
 	}
@@ -96,49 +99,48 @@ _gsskrb5cfx_wrap_length_cfx(krb5_context context,
     return 0;
 }
 
-krb5_error_code
-_gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
-				krb5_crypto crypto,
-				int conf_req_flag,
-				size_t input_length,
-				OM_uint32 *output_length)
+OM_uint32
+_gssapi_wrap_size_cfx(OM_uint32 *minor_status,
+		      const gsskrb5_ctx ctx,
+		      krb5_context context,
+		      int conf_req_flag,
+		      gss_qop_t qop_req,
+		      OM_uint32 req_output_size,
+		      OM_uint32 *max_input_size)
 {
     krb5_error_code ret;
 
-    *output_length = 0;
+    *max_input_size = 0;
 
     /* 16-byte header is always first */
-    if (input_length < 16)
+    if (req_output_size < 16)
 	return 0;
-    input_length -= 16;
+    req_output_size -= 16;
 
     if (conf_req_flag) {
 	size_t wrapped_size, sz;
 
-	wrapped_size = input_length + 1;
+	wrapped_size = req_output_size + 1;
 	do {
 	    wrapped_size--;
-	    sz = krb5_get_wrapped_length(context, 
-					 crypto, wrapped_size);
-	} while (wrapped_size && sz > input_length);
-	if (wrapped_size == 0) {
-	    *output_length = 0;
+	    sz = krb5_get_wrapped_length(context,
+					 ctx->crypto, wrapped_size);
+	} while (wrapped_size && sz > req_output_size);
+	if (wrapped_size == 0)
 	    return 0;
-	}
 
 	/* inner header */
-	if (wrapped_size < 16) {
-	    *output_length = 0;
+	if (wrapped_size < 16)
 	    return 0;
-	}
+
 	wrapped_size -= 16;
 
-	*output_length = wrapped_size;
+	*max_input_size = wrapped_size;
     } else {
 	krb5_cksumtype type;
 	size_t cksumsize;
 
-	ret = krb5_crypto_get_checksum_type(context, crypto, &type);
+	ret = krb5_crypto_get_checksum_type(context, ctx->crypto, &type);
 	if (ret)
 	    return ret;
 
@@ -146,48 +148,16 @@ _gsskrb5cfx_max_wrap_length_cfx(krb5_context context,
 	if (ret)
 	    return ret;
 
-	if (input_length < cksumsize)
+	if (req_output_size < cksumsize)
 	    return 0;
 
 	/* Checksum is concatenated with data */
-	*output_length = input_length - cksumsize;
+	*max_input_size = req_output_size - cksumsize;
     }
 
     return 0;
 }
 
-
-OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
-				const gsskrb5_ctx context_handle,
-				krb5_context context,
-				int conf_req_flag,
-				gss_qop_t qop_req,
-				OM_uint32 req_output_size,
-				OM_uint32 *max_input_size,
-				krb5_keyblock *key)
-{
-    krb5_error_code ret;
-    krb5_crypto crypto;
-
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret != 0) {
-	*minor_status = ret;
-	return GSS_S_FAILURE;
-    }
-
-    ret = _gsskrb5cfx_max_wrap_length_cfx(context, crypto, conf_req_flag, 
-					  req_output_size, max_input_size);
-    if (ret != 0) {
-	*minor_status = ret;
-	krb5_crypto_destroy(context, crypto);
-	return GSS_S_FAILURE;
-    }
-
-    krb5_crypto_destroy(context, crypto);
-
-    return GSS_S_COMPLETE;
-}
-
 /*
  * Rotate "rrc" bytes to the front or back
  */
@@ -212,10 +182,10 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
 	tmp = buf;
     } else {
 	tmp = malloc(rrc);
-	if (tmp == NULL) 
+	if (tmp == NULL)
 	    return ENOMEM;
     }
- 
+
     if (unrotate) {
 	memcpy(tmp, data, rrc);
 	memmove(data, (u_char *)data + rrc, left);
@@ -226,23 +196,971 @@ rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
 	memcpy(data, tmp, rrc);
     }
 
-    if (rrc > sizeof(buf)) 
+    if (rrc > sizeof(buf))
 	free(tmp);
 
     return 0;
 }
 
+gss_iov_buffer_desc *
+_gk_find_buffer(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type)
+{
+    int i;
+
+    for (i = 0; i < iov_count; i++)
+	if (type == GSS_IOV_BUFFER_TYPE(iov[i].type))
+	    return &iov[i];
+    return NULL;
+}
+
+OM_uint32
+_gk_allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t size)
+{
+    if (buffer->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) {
+	if (buffer->buffer.length == size)
+	    return GSS_S_COMPLETE;
+	free(buffer->buffer.value);
+    }
+
+    buffer->buffer.value = malloc(size);
+    buffer->buffer.length = size;
+    if (buffer->buffer.value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    buffer->type |= GSS_IOV_BUFFER_FLAG_ALLOCATED;
+
+    return GSS_S_COMPLETE;
+}
+
+
+OM_uint32
+_gk_verify_buffers(OM_uint32 *minor_status,
+		   const gsskrb5_ctx ctx,
+		   const gss_iov_buffer_desc *header,
+		   const gss_iov_buffer_desc *padding,
+		   const gss_iov_buffer_desc *trailer)
+{
+    if (header == NULL) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    if (IS_DCE_STYLE(ctx)) {
+	/*
+	 * In DCE style mode we reject having a padding or trailer buffer
+	 */
+	if (padding) {
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+	if (trailer) {
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+    } else {
+	/*
+	 * In non-DCE style mode we require having a padding buffer
+	 */
+	if (padding == NULL) {
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+    }
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
+		     gsskrb5_ctx ctx,
+		     krb5_context context,
+		     int conf_req_flag,
+		     int *conf_state,
+		     gss_iov_buffer_desc *iov,
+		     int iov_count)
+{
+    OM_uint32 major_status, junk;
+    gss_iov_buffer_desc *header, *trailer, *padding;
+    size_t gsshsize, k5hsize;
+    size_t gsstsize, k5tsize;
+    size_t rrc = 0, ec = 0;
+    int i;
+    gss_cfx_wrap_token token;
+    krb5_error_code ret;
+    int32_t seq_number;
+    unsigned usage;
+    krb5_crypto_iov *data = NULL;
+
+    header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+    if (header == NULL) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
+    if (padding != NULL) {
+	padding->buffer.length = 0;
+    }
+
+    trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
+
+    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    if (major_status != GSS_S_COMPLETE) {
+	    return major_status;
+    }
+
+    if (conf_req_flag) {
+	size_t k5psize = 0;
+	size_t k5pbase = 0;
+	size_t k5bsize = 0;
+	size_t size = 0;
+
+	for (i = 0; i < iov_count; i++) {
+	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
+	    case GSS_IOV_BUFFER_TYPE_DATA:
+		size += iov[i].buffer.length;
+		break;
+	    default:
+		break;
+	    }
+	}
+
+	size += sizeof(gss_cfx_wrap_token_desc);
+
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_HEADER,
+					   &k5hsize);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_TRAILER,
+					   &k5tsize);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_PADDING,
+					   &k5pbase);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	if (k5pbase > 1) {
+	    k5psize = k5pbase - (size % k5pbase);
+	} else {
+	    k5psize = 0;
+	}
+
+	if (k5psize == 0 && IS_DCE_STYLE(ctx)) {
+	    *minor_status = krb5_crypto_getblocksize(context, ctx->crypto,
+						     &k5bsize);
+	    if (*minor_status)
+		return GSS_S_FAILURE;
+	    ec = k5bsize;
+	} else {
+	    ec = k5psize;
+	}
+
+	gsshsize = sizeof(gss_cfx_wrap_token_desc) + k5hsize;
+	gsstsize = sizeof(gss_cfx_wrap_token_desc) + ec + k5tsize;
+    } else {
+	if (IS_DCE_STYLE(ctx)) {
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+
+	k5hsize = 0;
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_CHECKSUM,
+					   &k5tsize);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	gsshsize = sizeof(gss_cfx_wrap_token_desc);
+	gsstsize = k5tsize;
+    }
+
+    /*
+     *
+     */
+
+    if (trailer == NULL) {
+	rrc = gsstsize;
+	if (IS_DCE_STYLE(ctx))
+	    rrc -= ec;
+	gsshsize += gsstsize;
+	gsstsize = 0;
+    } else if (GSS_IOV_BUFFER_FLAGS(trailer->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
+	major_status = _gk_allocate_buffer(minor_status, trailer, gsstsize);
+	if (major_status)
+	    goto failure;
+    } else if (trailer->buffer.length < gsstsize) {
+	*minor_status = KRB5_BAD_MSIZE;
+	major_status = GSS_S_FAILURE;
+	goto failure;
+    } else
+	trailer->buffer.length = gsstsize;
+
+    /*
+     *
+     */
+
+    if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) {
+	major_status = _gk_allocate_buffer(minor_status, header, gsshsize);
+	if (major_status != GSS_S_COMPLETE)
+	    goto failure;
+    } else if (header->buffer.length < gsshsize) {
+	*minor_status = KRB5_BAD_MSIZE;
+	major_status = GSS_S_FAILURE;
+	goto failure;
+    } else
+	header->buffer.length = gsshsize;
+
+    token = (gss_cfx_wrap_token)header->buffer.value;
+
+    token->TOK_ID[0] = 0x05;
+    token->TOK_ID[1] = 0x04;
+    token->Flags     = 0;
+    token->Filler    = 0xFF;
+
+    if ((ctx->more_flags & LOCAL) == 0)
+	token->Flags |= CFXSentByAcceptor;
+
+    if (ctx->more_flags & ACCEPTOR_SUBKEY)
+	token->Flags |= CFXAcceptorSubkey;
+
+    if (ctx->more_flags & LOCAL)
+	usage = KRB5_KU_USAGE_INITIATOR_SEAL;
+    else
+	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
+
+    if (conf_req_flag) {
+	/*
+	 * In Wrap tokens with confidentiality, the EC field is
+	 * used to encode the size (in bytes) of the random filler.
+	 */
+	token->Flags |= CFXSealed;
+	token->EC[0] = (ec >> 8) & 0xFF;
+	token->EC[1] = (ec >> 0) & 0xFF;
+
+    } else {
+	/*
+	 * In Wrap tokens without confidentiality, the EC field is
+	 * used to encode the size (in bytes) of the trailing
+	 * checksum.
+	 *
+	 * This is not used in the checksum calcuation itself,
+	 * because the checksum length could potentially vary
+	 * depending on the data length.
+	 */
+	token->EC[0] = 0;
+	token->EC[1] = 0;
+    }
+
+    /*
+     * In Wrap tokens that provide for confidentiality, the RRC
+     * field in the header contains the hex value 00 00 before
+     * encryption.
+     *
+     * In Wrap tokens that do not provide for confidentiality,
+     * both the EC and RRC fields in the appended checksum
+     * contain the hex value 00 00 for the purpose of calculating
+     * the checksum.
+     */
+    token->RRC[0] = 0;
+    token->RRC[1] = 0;
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    krb5_auth_con_getlocalseqnumber(context,
+				    ctx->auth_context,
+				    &seq_number);
+    _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);
+    _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
+    krb5_auth_con_setlocalseqnumber(context,
+				    ctx->auth_context,
+				    ++seq_number);
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    data = calloc(iov_count + 3, sizeof(data[0]));
+    if (data == NULL) {
+	*minor_status = ENOMEM;
+	major_status = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    if (conf_req_flag) {
+	/*
+	  plain packet:
+
+	  {"header" | encrypt(plaintext-data | ec-padding | E"header")}
+
+	  Expanded, this is with with RRC = 0:
+
+	  {"header" | krb5-header | plaintext-data | ec-padding | E"header" | krb5-trailer }
+
+	  In DCE-RPC mode == no trailer: RRC = gss "trailer" == length(ec-padding | E"header" | krb5-trailer)
+
+	  {"header" | ec-padding | E"header" | krb5-trailer | krb5-header | plaintext-data  }
+	 */
+
+	i = 0;
+	data[i].flags = KRB5_CRYPTO_TYPE_HEADER;
+	data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize;
+	data[i].data.length = k5hsize;
+
+	for (i = 1; i < iov_count + 1; i++) {
+	    switch (GSS_IOV_BUFFER_TYPE(iov[i - 1].type)) {
+	    case GSS_IOV_BUFFER_TYPE_DATA:
+		data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+		break;
+	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+		break;
+	    default:
+		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;
+		break;
+	    }
+	    data[i].data.length = iov[i - 1].buffer.length;
+	    data[i].data.data = iov[i - 1].buffer.value;
+	}
+
+	/*
+	 * Any necessary padding is added here to ensure that the
+	 * encrypted token header is always at the end of the
+	 * ciphertext.
+	 */
+
+	/* encrypted CFX header in trailer (or after the header if in
+	   DCE mode). Copy in header into E"header"
+	*/
+	data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+	if (trailer)
+	    data[i].data.data = trailer->buffer.value;
+	else
+	    data[i].data.data = ((uint8_t *)header->buffer.value) + sizeof(*token);
+
+	data[i].data.length = ec + sizeof(*token);
+	memset(data[i].data.data, 0xFF, ec);
+	memcpy(((uint8_t *)data[i].data.data) + ec, token, sizeof(*token));
+	i++;
+
+	/* Kerberos trailer comes after the gss trailer */
+	data[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
+	data[i].data.data = ((uint8_t *)data[i-1].data.data) + ec + sizeof(*token);
+	data[i].data.length = k5tsize;
+	i++;
+
+	ret = krb5_encrypt_iov_ivec(context, ctx->crypto, usage, data, i, NULL);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    major_status = GSS_S_FAILURE;
+	    goto failure;
+	}
+
+	if (rrc) {
+	    token->RRC[0] = (rrc >> 8) & 0xFF;
+	    token->RRC[1] = (rrc >> 0) & 0xFF;
+	}
+
+    } else {
+	/*
+	  plain packet:
+
+	  {data | "header" | gss-trailer (krb5 checksum)
+
+	  don't do RRC != 0
+
+	 */
+
+	for (i = 0; i < iov_count; i++) {
+	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
+	    case GSS_IOV_BUFFER_TYPE_DATA:
+		data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+		break;
+	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+		break;
+	    default:
+		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;
+		break;
+	    }
+	    data[i].data.length = iov[i].buffer.length;
+	    data[i].data.data = iov[i].buffer.value;
+	}
+
+	data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+	data[i].data.data = header->buffer.value;
+	data[i].data.length = sizeof(gss_cfx_wrap_token_desc);
+	i++;
+
+	data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
+	if (trailer) {
+		data[i].data.data = trailer->buffer.value;
+	} else {
+		data[i].data.data = (uint8_t *)header->buffer.value +
+				     sizeof(gss_cfx_wrap_token_desc);
+	}
+	data[i].data.length = k5tsize;
+	i++;
+
+	ret = krb5_create_checksum_iov(context, ctx->crypto, usage, data, i, NULL);
+	if (ret) {
+	    *minor_status = ret;
+	    major_status = GSS_S_FAILURE;
+	    goto failure;
+	}
+
+	if (rrc) {
+	    token->RRC[0] = (rrc >> 8) & 0xFF;
+	    token->RRC[1] = (rrc >> 0) & 0xFF;
+	}
+
+	token->EC[0] =  (k5tsize >> 8) & 0xFF;
+	token->EC[1] =  (k5tsize >> 0) & 0xFF;
+    }
+
+    if (conf_state != NULL)
+	*conf_state = conf_req_flag;
+
+    free(data);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+
+ failure:
+    if (data)
+	free(data);
+
+    gss_release_iov_buffer(&junk, iov, iov_count);
+
+    return major_status;
+}
+
+/* This is slowpath */
+static OM_uint32
+unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int iov_count)
+{
+    uint8_t *p, *q;
+    size_t len = 0, skip;
+    int i;
+
+    for (i = 0; i < iov_count; i++)
+	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
+	    len += iov[i].buffer.length;
+
+    p = malloc(len);
+    if (p == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    q = p;
+
+    /* copy up */
+
+    for (i = 0; i < iov_count; i++) {
+	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
+	{
+	    memcpy(q, iov[i].buffer.value, iov[i].buffer.length);
+	    q += iov[i].buffer.length;
+	}
+    }
+    assert((size_t)(q - p) == len);
+
+    /* unrotate first part */
+    q = p + rrc;
+    skip = rrc;
+    for (i = 0; i < iov_count; i++) {
+	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
+	{
+	    if (iov[i].buffer.length <= skip) {
+		skip -= iov[i].buffer.length;
+	    } else {
+		memcpy(((uint8_t *)iov[i].buffer.value) + skip, q, iov[i].buffer.length - skip);
+		q += iov[i].buffer.length - skip;
+		skip = 0;
+	    }
+	}
+    }
+    /* copy trailer */
+    q = p;
+    skip = rrc;
+    for (i = 0; i < iov_count; i++) {
+	if (GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_DATA ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
+	    GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
+	{
+	    memcpy(q, iov[i].buffer.value, min(iov[i].buffer.length, skip));
+	    if (iov[i].buffer.length > skip)
+		break;
+	    skip -= iov[i].buffer.length;
+	    q += iov[i].buffer.length;
+	}
+    }
+    return GSS_S_COMPLETE;
+}
+
+
+OM_uint32
+_gssapi_unwrap_cfx_iov(OM_uint32 *minor_status,
+		       gsskrb5_ctx ctx,
+		       krb5_context context,
+		       int *conf_state,
+		       gss_qop_t *qop_state,
+		       gss_iov_buffer_desc *iov,
+		       int iov_count)
+{
+    OM_uint32 seq_number_lo, seq_number_hi, major_status, junk;
+    gss_iov_buffer_desc *header, *trailer, *padding;
+    gss_cfx_wrap_token token, ttoken;
+    u_char token_flags;
+    krb5_error_code ret;
+    unsigned usage;
+    uint16_t ec, rrc;
+    krb5_crypto_iov *data = NULL;
+    int i, j;
+
+    *minor_status = 0;
+
+    header = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_HEADER);
+    if (header == NULL) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    if (header->buffer.length < sizeof(*token)) /* we check exact below */
+	return GSS_S_DEFECTIVE_TOKEN;
+
+    padding = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_PADDING);
+    if (padding != NULL && padding->buffer.length != 0) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    trailer = _gk_find_buffer(iov, iov_count, GSS_IOV_BUFFER_TYPE_TRAILER);
+
+    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    if (major_status != GSS_S_COMPLETE) {
+	    return major_status;
+    }
+
+    token = (gss_cfx_wrap_token)header->buffer.value;
+
+    if (token->TOK_ID[0] != 0x05 || token->TOK_ID[1] != 0x04)
+	return GSS_S_DEFECTIVE_TOKEN;
+
+    /* Ignore unknown flags */
+    token_flags = token->Flags &
+	(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
+
+    if (token_flags & CFXSentByAcceptor) {
+	if ((ctx->more_flags & LOCAL) == 0)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (ctx->more_flags & ACCEPTOR_SUBKEY) {
+	if ((token_flags & CFXAcceptorSubkey) == 0)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    } else {
+	if (token_flags & CFXAcceptorSubkey)
+	    return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    if (token->Filler != 0xFF)
+	return GSS_S_DEFECTIVE_TOKEN;
+
+    if (conf_state != NULL)
+	*conf_state = (token_flags & CFXSealed) ? 1 : 0;
+
+    ec  = (token->EC[0]  << 8) | token->EC[1];
+    rrc = (token->RRC[0] << 8) | token->RRC[1];
+
+    /*
+     * Check sequence number
+     */
+    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[0], &seq_number_hi);
+    _gsskrb5_decode_be_om_uint32(&token->SND_SEQ[4], &seq_number_lo);
+    if (seq_number_hi) {
+	/* no support for 64-bit sequence numbers */
+	*minor_status = ERANGE;
+	return GSS_S_UNSEQ_TOKEN;
+    }
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
+    if (ret != 0) {
+	*minor_status = 0;
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+	return ret;
+    }
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+
+    /*
+     * Decrypt and/or verify checksum
+     */
+
+    if (ctx->more_flags & LOCAL) {
+	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
+    } else {
+	usage = KRB5_KU_USAGE_INITIATOR_SEAL;
+    }
+
+    data = calloc(iov_count + 3, sizeof(data[0]));
+    if (data == NULL) {
+	*minor_status = ENOMEM;
+	major_status = GSS_S_FAILURE;
+	goto failure;
+    }
+
+    if (token_flags & CFXSealed) {
+	size_t k5tsize, k5hsize;
+
+	krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_HEADER, &k5hsize);
+	krb5_crypto_length(context, ctx->crypto, KRB5_CRYPTO_TYPE_TRAILER, &k5tsize);
+
+	/* Rotate by RRC; bogus to do this in-place XXX */
+	/* Check RRC */
+
+	if (trailer == NULL) {
+	    size_t gsstsize = k5tsize + sizeof(*token);
+	    size_t gsshsize = k5hsize + sizeof(*token);
+
+	    if (rrc != gsstsize) {
+		major_status = GSS_S_DEFECTIVE_TOKEN;
+		goto failure;
+	    }
+
+	    if (IS_DCE_STYLE(ctx))
+		gsstsize += ec;
+
+	    gsshsize += gsstsize;
+
+	    if (header->buffer.length != gsshsize) {
+		major_status = GSS_S_DEFECTIVE_TOKEN;
+		goto failure;
+	    }
+	} else if (trailer->buffer.length != sizeof(*token) + k5tsize) {
+	    major_status = GSS_S_DEFECTIVE_TOKEN;
+	    goto failure;
+	} else if (header->buffer.length != sizeof(*token) + k5hsize) {
+	    major_status = GSS_S_DEFECTIVE_TOKEN;
+	    goto failure;
+	} else if (rrc != 0) {
+	    /* go though slowpath */
+	    major_status = unrotate_iov(minor_status, rrc, iov, iov_count);
+	    if (major_status)
+		goto failure;
+	}
+
+	i = 0;
+	data[i].flags = KRB5_CRYPTO_TYPE_HEADER;
+	data[i].data.data = ((uint8_t *)header->buffer.value) + header->buffer.length - k5hsize;
+	data[i].data.length = k5hsize;
+	i++;
+
+	for (j = 0; j < iov_count; i++, j++) {
+	    switch (GSS_IOV_BUFFER_TYPE(iov[j].type)) {
+	    case GSS_IOV_BUFFER_TYPE_DATA:
+		data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+		break;
+	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+		break;
+	    default:
+		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;
+		break;
+	    }
+	    data[i].data.length = iov[j].buffer.length;
+	    data[i].data.data = iov[j].buffer.value;
+	}
+
+	/* encrypted CFX header in trailer (or after the header if in
+	   DCE mode). Copy in header into E"header"
+	*/
+	data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+	if (trailer) {
+	    data[i].data.data = trailer->buffer.value;
+	} else {
+	    data[i].data.data = ((uint8_t *)header->buffer.value) +
+		header->buffer.length - k5hsize - k5tsize - ec- sizeof(*token);
+	}
+
+	data[i].data.length = ec + sizeof(*token);
+	ttoken = (gss_cfx_wrap_token)(((uint8_t *)data[i].data.data) + ec);
+	i++;
+
+	/* Kerberos trailer comes after the gss trailer */
+	data[i].flags = KRB5_CRYPTO_TYPE_TRAILER;
+	data[i].data.data = ((uint8_t *)data[i-1].data.data) + ec + sizeof(*token);
+	data[i].data.length = k5tsize;
+	i++;
+
+	ret = krb5_decrypt_iov_ivec(context, ctx->crypto, usage, data, i, NULL);
+	if (ret != 0) {
+	    *minor_status = ret;
+	    major_status = GSS_S_FAILURE;
+	    goto failure;
+	}
+
+	ttoken->RRC[0] = token->RRC[0];
+	ttoken->RRC[1] = token->RRC[1];
+
+	/* Check the integrity of the header */
+	if (ct_memcmp(ttoken, token, sizeof(*token)) != 0) {
+	    major_status = GSS_S_BAD_MIC;
+	    goto failure;
+	}
+    } else {
+	size_t gsstsize = ec;
+	size_t gsshsize = sizeof(*token);
+
+	if (trailer == NULL) {
+	    /* Check RRC */
+	    if (rrc != gsstsize) {
+	       *minor_status = EINVAL;
+	       major_status = GSS_S_FAILURE;
+	       goto failure;
+	    }
+
+	    gsshsize += gsstsize;
+	    gsstsize = 0;
+	} else if (trailer->buffer.length != gsstsize) {
+	    major_status = GSS_S_DEFECTIVE_TOKEN;
+	    goto failure;
+	} else if (rrc != 0) {
+	    /* Check RRC */
+	    *minor_status = EINVAL;
+	    major_status = GSS_S_FAILURE;
+	    goto failure;
+	}
+
+	if (header->buffer.length != gsshsize) {
+	    major_status = GSS_S_DEFECTIVE_TOKEN;
+	    goto failure;
+	}
+
+	for (i = 0; i < iov_count; i++) {
+	    switch (GSS_IOV_BUFFER_TYPE(iov[i].type)) {
+	    case GSS_IOV_BUFFER_TYPE_DATA:
+		data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+		break;
+	    case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+		data[i].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+		break;
+	    default:
+		data[i].flags = KRB5_CRYPTO_TYPE_EMPTY;
+		break;
+	    }
+	    data[i].data.length = iov[i].buffer.length;
+	    data[i].data.data = iov[i].buffer.value;
+	}
+
+	data[i].flags = KRB5_CRYPTO_TYPE_DATA;
+	data[i].data.data = header->buffer.value;
+	data[i].data.length = sizeof(*token);
+	i++;
+
+	data[i].flags = KRB5_CRYPTO_TYPE_CHECKSUM;
+	if (trailer) {
+		data[i].data.data = trailer->buffer.value;
+	} else {
+		data[i].data.data = (uint8_t *)header->buffer.value +
+				     sizeof(*token);
+	}
+	data[i].data.length = ec;
+	i++;
+
+	token = (gss_cfx_wrap_token)header->buffer.value;
+	token->EC[0]  = 0;
+	token->EC[1]  = 0;
+	token->RRC[0] = 0;
+	token->RRC[1] = 0;
+
+	ret = krb5_verify_checksum_iov(context, ctx->crypto, usage, data, i, NULL);
+	if (ret) {
+	    *minor_status = ret;
+	    major_status = GSS_S_FAILURE;
+	    goto failure;
+	}
+    }
+
+    if (qop_state != NULL) {
+	*qop_state = GSS_C_QOP_DEFAULT;
+    }
+
+    free(data);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+
+ failure:
+    if (data)
+	free(data);
+
+    gss_release_iov_buffer(&junk, iov, iov_count);
+
+    return major_status;
+}
+
+OM_uint32
+_gssapi_wrap_iov_length_cfx(OM_uint32 *minor_status,
+			    gsskrb5_ctx ctx,
+			    krb5_context context,
+			    int conf_req_flag,
+			    gss_qop_t qop_req,
+			    int *conf_state,
+			    gss_iov_buffer_desc *iov,
+			    int iov_count)
+{
+    OM_uint32 major_status;
+    size_t size;
+    int i;
+    gss_iov_buffer_desc *header = NULL;
+    gss_iov_buffer_desc *padding = NULL;
+    gss_iov_buffer_desc *trailer = NULL;
+    size_t gsshsize = 0;
+    size_t gsstsize = 0;
+    size_t k5hsize = 0;
+    size_t k5tsize = 0;
+
+    GSSAPI_KRB5_INIT (&context);
+    *minor_status = 0;
+
+    for (size = 0, i = 0; i < iov_count; i++) {
+	switch(GSS_IOV_BUFFER_TYPE(iov[i].type)) {
+	case GSS_IOV_BUFFER_TYPE_EMPTY:
+	    break;
+	case GSS_IOV_BUFFER_TYPE_DATA:
+	    size += iov[i].buffer.length;
+	    break;
+	case GSS_IOV_BUFFER_TYPE_HEADER:
+	    if (header != NULL) {
+		*minor_status = 0;
+		return GSS_S_FAILURE;
+	    }
+	    header = &iov[i];
+	    break;
+	case GSS_IOV_BUFFER_TYPE_TRAILER:
+	    if (trailer != NULL) {
+		*minor_status = 0;
+		return GSS_S_FAILURE;
+	    }
+	    trailer = &iov[i];
+	    break;
+	case GSS_IOV_BUFFER_TYPE_PADDING:
+	    if (padding != NULL) {
+		*minor_status = 0;
+		return GSS_S_FAILURE;
+	    }
+	    padding = &iov[i];
+	    break;
+	case GSS_IOV_BUFFER_TYPE_SIGN_ONLY:
+	    break;
+	default:
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+    }
+
+    major_status = _gk_verify_buffers(minor_status, ctx, header, padding, trailer);
+    if (major_status != GSS_S_COMPLETE) {
+	    return major_status;
+    }
+
+    if (conf_req_flag) {
+	size_t k5psize = 0;
+	size_t k5pbase = 0;
+	size_t k5bsize = 0;
+	size_t ec = 0;
+
+	size += sizeof(gss_cfx_wrap_token_desc);
+
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_HEADER,
+					   &k5hsize);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_TRAILER,
+					   &k5tsize);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_PADDING,
+					   &k5pbase);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	if (k5pbase > 1) {
+	    k5psize = k5pbase - (size % k5pbase);
+	} else {
+	    k5psize = 0;
+	}
+
+	if (k5psize == 0 && IS_DCE_STYLE(ctx)) {
+	    *minor_status = krb5_crypto_getblocksize(context, ctx->crypto,
+						     &k5bsize);
+	    if (*minor_status)
+		return GSS_S_FAILURE;
+
+	    ec = k5bsize;
+	} else {
+	    ec = k5psize;
+	}
+
+	gsshsize = sizeof(gss_cfx_wrap_token_desc) + k5hsize;
+	gsstsize = sizeof(gss_cfx_wrap_token_desc) + ec + k5tsize;
+    } else {
+	*minor_status = krb5_crypto_length(context, ctx->crypto,
+					   KRB5_CRYPTO_TYPE_CHECKSUM,
+					   &k5tsize);
+	if (*minor_status)
+	    return GSS_S_FAILURE;
+
+	gsshsize = sizeof(gss_cfx_wrap_token_desc);
+	gsstsize = k5tsize;
+    }
+
+    if (trailer != NULL) {
+	trailer->buffer.length = gsstsize;
+    } else {
+	gsshsize += gsstsize;
+    }
+
+    header->buffer.length = gsshsize;
+
+    if (padding) {
+	/* padding is done via EC and is contained in the header or trailer */
+	padding->buffer.length = 0;
+    }
+
+    if (conf_state) {
+	*conf_state = conf_req_flag;
+    }
+
+    return GSS_S_COMPLETE;
+}
+
+
+
+
 OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
-			   const gsskrb5_ctx context_handle,
+			   const gsskrb5_ctx ctx,
 			   krb5_context context,
 			   int conf_req_flag,
-			   gss_qop_t qop_req,
 			   const gss_buffer_t input_message_buffer,
 			   int *conf_state,
-			   gss_buffer_t output_message_buffer,
-			   krb5_keyblock *key)
+			   gss_buffer_t output_message_buffer)
 {
-    krb5_crypto crypto;
     gss_cfx_wrap_token token;
     krb5_error_code ret;
     unsigned usage;
@@ -252,19 +1170,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
     int32_t seq_number;
     u_char *p;
 
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret != 0) {
-	*minor_status = ret;
-	return GSS_S_FAILURE;
-    }
-
     ret = _gsskrb5cfx_wrap_length_cfx(context,
-				      crypto, conf_req_flag, 
+				      ctx->crypto, conf_req_flag,
+				      IS_DCE_STYLE(ctx),
 				      input_message_buffer->length,
 				      &wrapped_len, &cksumsize, &padlength);
     if (ret != 0) {
 	*minor_status = ret;
-	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
     }
 
@@ -275,7 +1187,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
     output_message_buffer->value = malloc(output_message_buffer->length);
     if (output_message_buffer->value == NULL) {
 	*minor_status = ENOMEM;
-	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
     }
 
@@ -285,9 +1196,9 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
     token->TOK_ID[1] = 0x04;
     token->Flags     = 0;
     token->Filler    = 0xFF;
-    if ((context_handle->more_flags & LOCAL) == 0)
+    if ((ctx->more_flags & LOCAL) == 0)
 	token->Flags |= CFXSentByAcceptor;
-    if (context_handle->more_flags & ACCEPTOR_SUBKEY)
+    if (ctx->more_flags & ACCEPTOR_SUBKEY)
 	token->Flags |= CFXAcceptorSubkey;
     if (conf_req_flag) {
 	/*
@@ -324,16 +1235,16 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
     token->RRC[0] = 0;
     token->RRC[1] = 0;
 
-    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
     krb5_auth_con_getlocalseqnumber(context,
-				    context_handle->auth_context,
+				    ctx->auth_context,
 				    &seq_number);
     _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);
     _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
     krb5_auth_con_setlocalseqnumber(context,
-				    context_handle->auth_context,
+				    ctx->auth_context,
 				    ++seq_number);
-    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 
     /*
      * If confidentiality is requested, the token header is
@@ -344,7 +1255,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
      * calculated over the plaintext concatenated with the
      * token header.
      */
-    if (context_handle->more_flags & LOCAL) {
+    if (ctx->more_flags & LOCAL) {
 	usage = KRB5_KU_USAGE_INITIATOR_SEAL;
     } else {
 	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
@@ -365,25 +1276,31 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
 	memcpy(p + input_message_buffer->length + padlength,
 	       token, sizeof(*token));
 
-	ret = krb5_encrypt(context, crypto,
+	ret = krb5_encrypt(context, ctx->crypto,
 			   usage, p,
 			   input_message_buffer->length + padlength +
 				sizeof(*token),
 			   &cipher);
 	if (ret != 0) {
 	    *minor_status = ret;
-	    krb5_crypto_destroy(context, crypto);
 	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
 	    return GSS_S_FAILURE;
 	}
 	assert(sizeof(*token) + cipher.length == wrapped_len);
-	token->RRC[0] = (rrc >> 8) & 0xFF;  
+	token->RRC[0] = (rrc >> 8) & 0xFF;
 	token->RRC[1] = (rrc >> 0) & 0xFF;
 
-	ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
+	/*
+	 * this is really ugly, but needed against windows
+	 * for DCERPC, as windows rotates by EC+RRC.
+	 */
+	if (IS_DCE_STYLE(ctx)) {
+		ret = rrc_rotate(cipher.data, cipher.length, rrc+padlength, FALSE);
+	} else {
+		ret = rrc_rotate(cipher.data, cipher.length, rrc, FALSE);
+	}
 	if (ret != 0) {
 	    *minor_status = ret;
-	    krb5_crypto_destroy(context, crypto);
 	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
 	    return GSS_S_FAILURE;
 	}
@@ -396,21 +1313,19 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
 	buf = malloc(input_message_buffer->length + sizeof(*token));
 	if (buf == NULL) {
 	    *minor_status = ENOMEM;
-	    krb5_crypto_destroy(context, crypto);
 	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
 	    return GSS_S_FAILURE;
 	}
 	memcpy(buf, input_message_buffer->value, input_message_buffer->length);
 	memcpy(buf + input_message_buffer->length, token, sizeof(*token));
 
-	ret = krb5_create_checksum(context, crypto,
-				   usage, 0, buf, 
+	ret = krb5_create_checksum(context, ctx->crypto,
+				   usage, 0, buf,
 				   input_message_buffer->length +
-					sizeof(*token), 
+					sizeof(*token),
 				   &cksum);
 	if (ret != 0) {
 	    *minor_status = ret;
-	    krb5_crypto_destroy(context, crypto);
 	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
 	    free(buf);
 	    return GSS_S_FAILURE;
@@ -421,7 +1336,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
 	assert(cksum.checksum.length == cksumsize);
 	token->EC[0] =  (cksum.checksum.length >> 8) & 0xFF;
 	token->EC[1] =  (cksum.checksum.length >> 0) & 0xFF;
-	token->RRC[0] = (rrc >> 8) & 0xFF;  
+	token->RRC[0] = (rrc >> 8) & 0xFF;
 	token->RRC[1] = (rrc >> 0) & 0xFF;
 
 	p += sizeof(*token);
@@ -433,7 +1348,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
 	    input_message_buffer->length + cksum.checksum.length, rrc, FALSE);
 	if (ret != 0) {
 	    *minor_status = ret;
-	    krb5_crypto_destroy(context, crypto);
 	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
 	    free_Checksum(&cksum);
 	    return GSS_S_FAILURE;
@@ -441,8 +1355,6 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
 	free_Checksum(&cksum);
     }
 
-    krb5_crypto_destroy(context, crypto);
-
     if (conf_state != NULL) {
 	*conf_state = conf_req_flag;
     }
@@ -452,15 +1364,13 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
 }
 
 OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
-			     const gsskrb5_ctx context_handle,
+			     const gsskrb5_ctx ctx,
 			     krb5_context context,
 			     const gss_buffer_t input_message_buffer,
 			     gss_buffer_t output_message_buffer,
 			     int *conf_state,
-			     gss_qop_t *qop_state,
-			     krb5_keyblock *key)
+			     gss_qop_t *qop_state)
 {
-    krb5_crypto crypto;
     gss_cfx_wrap_token token;
     u_char token_flags;
     krb5_error_code ret;
@@ -490,11 +1400,11 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 	(CFXSentByAcceptor | CFXSealed | CFXAcceptorSubkey);
 
     if (token_flags & CFXSentByAcceptor) {
-	if ((context_handle->more_flags & LOCAL) == 0)
+	if ((ctx->more_flags & LOCAL) == 0)
 	    return GSS_S_DEFECTIVE_TOKEN;
     }
 
-    if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
+    if (ctx->more_flags & ACCEPTOR_SUBKEY) {
 	if ((token_flags & CFXAcceptorSubkey) == 0)
 	    return GSS_S_DEFECTIVE_TOKEN;
     } else {
@@ -524,26 +1434,21 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 	return GSS_S_UNSEQ_TOKEN;
     }
 
-    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-    ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
     if (ret != 0) {
 	*minor_status = 0;
-	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
 	return ret;
     }
-    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 
     /*
      * Decrypt and/or verify checksum
      */
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret != 0) {
-	*minor_status = ret;
-	return GSS_S_FAILURE;
-    }
 
-    if (context_handle->more_flags & LOCAL) {
+    if (ctx->more_flags & LOCAL) {
 	usage = KRB5_KU_USAGE_ACCEPTOR_SEAL;
     } else {
 	usage = KRB5_KU_USAGE_INITIATOR_SEAL;
@@ -553,25 +1458,29 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
     len = input_message_buffer->length;
     len -= (p - (u_char *)input_message_buffer->value);
 
-    /* Rotate by RRC; bogus to do this in-place XXX */
-    *minor_status = rrc_rotate(p, len, rrc, TRUE);
-    if (*minor_status != 0) {
-	krb5_crypto_destroy(context, crypto);
-	return GSS_S_FAILURE;
-    }
-
     if (token_flags & CFXSealed) {
-	ret = krb5_decrypt(context, crypto, usage,
+	/*
+	 * this is really ugly, but needed against windows
+	 * for DCERPC, as windows rotates by EC+RRC.
+	 */
+	if (IS_DCE_STYLE(ctx)) {
+		*minor_status = rrc_rotate(p, len, rrc+ec, TRUE);
+	} else {
+		*minor_status = rrc_rotate(p, len, rrc, TRUE);
+	}
+	if (*minor_status != 0) {
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_decrypt(context, ctx->crypto, usage,
 	    p, len, &data);
 	if (ret != 0) {
 	    *minor_status = ret;
-	    krb5_crypto_destroy(context, crypto);
 	    return GSS_S_BAD_MIC;
 	}
 
 	/* Check that there is room for the pad and token header */
 	if (data.length < ec + sizeof(*token)) {
-	    krb5_crypto_destroy(context, crypto);
 	    krb5_data_free(&data);
 	    return GSS_S_DEFECTIVE_TOKEN;
 	}
@@ -583,8 +1492,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 	((gss_cfx_wrap_token)p)->RRC[1] = token->RRC[1];
 
 	/* Check the integrity of the header */
-	if (memcmp(p, token, sizeof(*token)) != 0) {
-	    krb5_crypto_destroy(context, crypto);
+	if (ct_memcmp(p, token, sizeof(*token)) != 0) {
 	    krb5_data_free(&data);
 	    return GSS_S_BAD_MIC;
 	}
@@ -594,12 +1502,18 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
     } else {
 	Checksum cksum;
 
+	/* Rotate by RRC; bogus to do this in-place XXX */
+	*minor_status = rrc_rotate(p, len, rrc, TRUE);
+	if (*minor_status != 0) {
+	    return GSS_S_FAILURE;
+	}
+
 	/* Determine checksum type */
 	ret = krb5_crypto_get_checksum_type(context,
-					    crypto, &cksum.cksumtype);
+					    ctx->crypto,
+					    &cksum.cksumtype);
 	if (ret != 0) {
 	    *minor_status = ret;
-	    krb5_crypto_destroy(context, crypto);
 	    return GSS_S_FAILURE;
 	}
 
@@ -608,7 +1522,6 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 	/* Check we have at least as much data as the checksum */
 	if (len < cksum.checksum.length) {
 	    *minor_status = ERANGE;
-	    krb5_crypto_destroy(context, crypto);
 	    return GSS_S_BAD_MIC;
 	}
 
@@ -620,13 +1533,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 	output_message_buffer->value = malloc(len + sizeof(*token));
 	if (output_message_buffer->value == NULL) {
 	    *minor_status = ENOMEM;
-	    krb5_crypto_destroy(context, crypto);
 	    return GSS_S_FAILURE;
 	}
 
 	/* Checksum is over (plaintext-data | "header") */
 	memcpy(output_message_buffer->value, p, len);
-	memcpy((u_char *)output_message_buffer->value + len, 
+	memcpy((u_char *)output_message_buffer->value + len,
 	       token, sizeof(*token));
 
 	/* EC is not included in checksum calculation */
@@ -637,21 +1549,18 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 	token->RRC[0] = 0;
 	token->RRC[1] = 0;
 
-	ret = krb5_verify_checksum(context, crypto,
+	ret = krb5_verify_checksum(context, ctx->crypto,
 				   usage,
 				   output_message_buffer->value,
 				   len + sizeof(*token),
 				   &cksum);
 	if (ret != 0) {
 	    *minor_status = ret;
-	    krb5_crypto_destroy(context, crypto);
 	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
 	    return GSS_S_BAD_MIC;
 	}
     }
 
-    krb5_crypto_destroy(context, crypto);
-
     if (qop_state != NULL) {
 	*qop_state = GSS_C_QOP_DEFAULT;
     }
@@ -661,14 +1570,12 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
 }
 
 OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
-			  const gsskrb5_ctx context_handle,
+			  const gsskrb5_ctx ctx,
 			  krb5_context context,
 			  gss_qop_t qop_req,
 			  const gss_buffer_t message_buffer,
-			  gss_buffer_t message_token,
-			  krb5_keyblock *key)
+			  gss_buffer_t message_token)
 {
-    krb5_crypto crypto;
     gss_cfx_mic_token token;
     krb5_error_code ret;
     unsigned usage;
@@ -677,17 +1584,10 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
     size_t len;
     int32_t seq_number;
 
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret != 0) {
-	*minor_status = ret;
-	return GSS_S_FAILURE;
-    }
-
     len = message_buffer->length + sizeof(*token);
     buf = malloc(len);
     if (buf == NULL) {
 	*minor_status = ENOMEM;
-	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
     }
 
@@ -697,38 +1597,36 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
     token->TOK_ID[0] = 0x04;
     token->TOK_ID[1] = 0x04;
     token->Flags = 0;
-    if ((context_handle->more_flags & LOCAL) == 0)
+    if ((ctx->more_flags & LOCAL) == 0)
 	token->Flags |= CFXSentByAcceptor;
-    if (context_handle->more_flags & ACCEPTOR_SUBKEY)
+    if (ctx->more_flags & ACCEPTOR_SUBKEY)
 	token->Flags |= CFXAcceptorSubkey;
     memset(token->Filler, 0xFF, 5);
 
-    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
     krb5_auth_con_getlocalseqnumber(context,
-				    context_handle->auth_context,
+				    ctx->auth_context,
 				    &seq_number);
     _gsskrb5_encode_be_om_uint32(0,          &token->SND_SEQ[0]);
     _gsskrb5_encode_be_om_uint32(seq_number, &token->SND_SEQ[4]);
     krb5_auth_con_setlocalseqnumber(context,
-				    context_handle->auth_context,
+				    ctx->auth_context,
 				    ++seq_number);
-    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 
-    if (context_handle->more_flags & LOCAL) {
+    if (ctx->more_flags & LOCAL) {
 	usage = KRB5_KU_USAGE_INITIATOR_SIGN;
     } else {
 	usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
     }
 
-    ret = krb5_create_checksum(context, crypto,
+    ret = krb5_create_checksum(context, ctx->crypto,
 	usage, 0, buf, len, &cksum);
     if (ret != 0) {
 	*minor_status = ret;
-	krb5_crypto_destroy(context, crypto);
 	free(buf);
 	return GSS_S_FAILURE;
     }
-    krb5_crypto_destroy(context, crypto);
 
     /* Determine MIC length */
     message_token->length = sizeof(*token) + cksum.checksum.length;
@@ -753,14 +1651,12 @@ OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
 }
 
 OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
-				 const gsskrb5_ctx context_handle,
+				 const gsskrb5_ctx ctx,
 				 krb5_context context,
 				 const gss_buffer_t message_buffer,
 				 const gss_buffer_t token_buffer,
-				 gss_qop_t *qop_state,
-				 krb5_keyblock *key)
+				 gss_qop_t *qop_state)
 {
-    krb5_crypto crypto;
     gss_cfx_mic_token token;
     u_char token_flags;
     krb5_error_code ret;
@@ -787,10 +1683,10 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
     token_flags = token->Flags & (CFXSentByAcceptor | CFXAcceptorSubkey);
 
     if (token_flags & CFXSentByAcceptor) {
-	if ((context_handle->more_flags & LOCAL) == 0)
+	if ((ctx->more_flags & LOCAL) == 0)
 	    return GSS_S_DEFECTIVE_TOKEN;
     }
-    if (context_handle->more_flags & ACCEPTOR_SUBKEY) {
+    if (ctx->more_flags & ACCEPTOR_SUBKEY) {
 	if ((token_flags & CFXAcceptorSubkey) == 0)
 	    return GSS_S_DEFECTIVE_TOKEN;
     } else {
@@ -798,7 +1694,7 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
 	    return GSS_S_DEFECTIVE_TOKEN;
     }
 
-    if (memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
+    if (ct_memcmp(token->Filler, "\xff\xff\xff\xff\xff", 5) != 0) {
 	return GSS_S_DEFECTIVE_TOKEN;
     }
 
@@ -812,36 +1708,29 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
 	return GSS_S_UNSEQ_TOKEN;
     }
 
-    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-    ret = _gssapi_msg_order_check(context_handle->order, seq_number_lo);
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
     if (ret != 0) {
 	*minor_status = 0;
-	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	return ret;
     }
-    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 
     /*
      * Verify checksum
      */
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret != 0) {
-	*minor_status = ret;
-	return GSS_S_FAILURE;
-    }
-
-    ret = krb5_crypto_get_checksum_type(context, crypto,
+    ret = krb5_crypto_get_checksum_type(context, ctx->crypto,
 					&cksum.cksumtype);
     if (ret != 0) {
 	*minor_status = ret;
-	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
     }
 
     cksum.checksum.data = p + sizeof(*token);
     cksum.checksum.length = token_buffer->length - sizeof(*token);
 
-    if (context_handle->more_flags & LOCAL) {
+    if (ctx->more_flags & LOCAL) {
 	usage = KRB5_KU_USAGE_ACCEPTOR_SIGN;
     } else {
 	usage = KRB5_KU_USAGE_INITIATOR_SIGN;
@@ -850,18 +1739,16 @@ OM_uint32 _gssapi_verify_mic_cfx(OM_uint32 *minor_status,
     buf = malloc(message_buffer->length + sizeof(*token));
     if (buf == NULL) {
 	*minor_status = ENOMEM;
-	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
     }
     memcpy(buf, message_buffer->value, message_buffer->length);
     memcpy(buf + message_buffer->length, token, sizeof(*token));
 
-    ret = krb5_verify_checksum(context, crypto,
+    ret = krb5_verify_checksum(context, ctx->crypto,
 			       usage,
 			       buf,
 			       sizeof(*token) + message_buffer->length,
 			       &cksum);
-    krb5_crypto_destroy(context, crypto);
     if (ret != 0) {
 	*minor_status = ret;
 	free(buf);
diff --git a/lib/gssapi/krb5/cfx.h b/lib/gssapi/krb5/cfx.h
index 672704a8418d..c30ed07840ef 100644
--- a/lib/gssapi/krb5/cfx.h
+++ b/lib/gssapi/krb5/cfx.h
@@ -30,7 +30,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: cfx.h 19031 2006-11-13 18:02:57Z lha $ */
+/* $Id$ */
 
 #ifndef GSSAPI_CFX_H_
 #define GSSAPI_CFX_H_ 1
diff --git a/lib/gssapi/krb5/compare_name.c b/lib/gssapi/krb5/compare_name.c
index 3f3b59d11621..7409d45fcb89 100644
--- a/lib/gssapi/krb5/compare_name.c
+++ b/lib/gssapi/krb5/compare_name.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: compare_name.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_compare_name
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_compare_name
            (OM_uint32 * minor_status,
             const gss_name_t name1,
             const gss_name_t name2,
diff --git a/lib/gssapi/krb5/compat.c b/lib/gssapi/krb5/compat.c
index a0f075621a49..3381dffa19ee 100644
--- a/lib/gssapi/krb5/compat.c
+++ b/lib/gssapi/krb5/compat.c
@@ -1,45 +1,42 @@
 /*
- * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: compat.c 19031 2006-11-13 18:02:57Z lha $");
-
+#include "gsskrb5_locl.h"
 
 static krb5_error_code
-check_compat(OM_uint32 *minor_status, 
-	     krb5_context context, krb5_const_principal name, 
-	     const char *option, krb5_boolean *compat, 
+check_compat(OM_uint32 *minor_status,
+	     krb5_context context, krb5_const_principal name,
+	     const char *option, krb5_boolean *compat,
 	     krb5_boolean match_val)
 {
     krb5_error_code ret = 0;
@@ -62,7 +59,7 @@ check_compat(OM_uint32 *minor_status,
 	    *compat = match_val;
 	    break;
 	}
-	
+
 	krb5_free_principal(context, match);
 	match = NULL;
     }
@@ -92,11 +89,11 @@ _gss_DES3_get_mic_compat(OM_uint32 *minor_status,
     OM_uint32 ret;
 
     if ((ctx->more_flags & COMPAT_OLD_DES3_SELECTED) == 0) {
-	ret = check_compat(minor_status, context, ctx->target, 
+	ret = check_compat(minor_status, context, ctx->target,
 			   "broken_des3_mic", &use_compat, TRUE);
 	if (ret)
 	    return ret;
-	ret = check_compat(minor_status, context, ctx->target, 
+	ret = check_compat(minor_status, context, ctx->target,
 			   "correct_des3_mic", &use_compat, FALSE);
 	if (ret)
 	    return ret;
diff --git a/lib/gssapi/krb5/context_time.c b/lib/gssapi/krb5/context_time.c
index b57ac7854e69..cb1550011cd7 100644
--- a/lib/gssapi/krb5/context_time.c
+++ b/lib/gssapi/krb5/context_time.c
@@ -1,42 +1,40 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: context_time.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 OM_uint32
-_gsskrb5_lifetime_left(OM_uint32 *minor_status, 
+_gsskrb5_lifetime_left(OM_uint32 *minor_status,
 		       krb5_context context,
 		       OM_uint32 lifetime,
 		       OM_uint32 *lifetime_rec)
@@ -55,7 +53,7 @@ _gsskrb5_lifetime_left(OM_uint32 *minor_status,
 	return GSS_S_FAILURE;
     }
 
-    if (lifetime < timeret) 
+    if (lifetime < timeret)
 	*lifetime_rec = 0;
     else
 	*lifetime_rec = lifetime - timeret;
@@ -64,7 +62,7 @@ _gsskrb5_lifetime_left(OM_uint32 *minor_status,
 }
 
 
-OM_uint32 _gsskrb5_context_time
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_context_time
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             OM_uint32 * time_rec
@@ -90,6 +88,6 @@ OM_uint32 _gsskrb5_context_time
 
     if (*time_rec == 0)
 	return GSS_S_CONTEXT_EXPIRED;
-	
+
     return GSS_S_COMPLETE;
 }
diff --git a/lib/gssapi/krb5/copy_ccache.c b/lib/gssapi/krb5/copy_ccache.c
index 66d797c19933..e332d29c84aa 100644
--- a/lib/gssapi/krb5/copy_ccache.c
+++ b/lib/gssapi/krb5/copy_ccache.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: copy_ccache.c 20688 2007-05-17 18:44:31Z lha $");
+#include "gsskrb5_locl.h"
 
 #if 0
 OM_uint32
@@ -65,11 +63,11 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
 
 
 OM_uint32
-_gsskrb5_import_cred(OM_uint32 *minor_status,
-		     krb5_ccache id,
-		     krb5_principal keytab_principal,
-		     krb5_keytab keytab,
-		     gss_cred_id_t *cred)
+_gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
+			  krb5_ccache id,
+			  krb5_principal keytab_principal,
+			  krb5_keytab keytab,
+			  gss_cred_id_t *cred)
 {
     krb5_context context;
     krb5_error_code kret;
@@ -102,7 +100,7 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
 	}
-	
+
 	if (keytab_principal) {
 	    krb5_boolean match;
 
@@ -147,8 +145,8 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
 	handle->usage |= GSS_C_ACCEPT;
 
 	if (keytab_principal && handle->principal == NULL) {
-	    kret = krb5_copy_principal(context, 
-				       keytab_principal, 
+	    kret = krb5_copy_principal(context,
+				       keytab_principal,
 				       &handle->principal);
 	    if (kret)
 		goto out;
diff --git a/lib/gssapi/krb5/creds.c b/lib/gssapi/krb5/creds.c
new file mode 100644
index 000000000000..fa45d19b9812
--- /dev/null
+++ b/lib/gssapi/krb5/creds.c
@@ -0,0 +1,255 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gsskrb5_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_export_cred(OM_uint32 *minor_status,
+		     gss_cred_id_t cred_handle,
+		     gss_buffer_t cred_token)
+{
+    gsskrb5_cred handle = (gsskrb5_cred)cred_handle;
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_storage *sp;
+    krb5_data data, mech;
+    const char *type;
+    char *str;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) {
+	*minor_status = GSS_KRB5_S_G_BAD_USAGE;
+	return GSS_S_FAILURE;
+    }
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    type = krb5_cc_get_type(context, handle->ccache);
+    if (strcmp(type, "MEMORY") == 0) {
+	krb5_creds *creds;
+	ret = krb5_store_uint32(sp, 0);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = _krb5_get_krbtgt(context, handle->ccache,
+			       handle->principal->realm,
+			       &creds);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_store_creds(sp, creds);
+	krb5_free_creds(context, creds);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+    } else {
+	ret = krb5_store_uint32(sp, 1);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_cc_get_full_name(context, handle->ccache, &str);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_store_string(sp, str);
+	free(str);
+	if (ret) {
+	    krb5_storage_free(sp);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+    }
+    ret = krb5_storage_to_data(sp, &data);
+    krb5_storage_free(sp);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	krb5_data_free(&data);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    mech.data = GSS_KRB5_MECHANISM->elements;
+    mech.length = GSS_KRB5_MECHANISM->length;
+
+    ret = krb5_store_data(sp, mech);
+    if (ret) {
+	krb5_data_free(&data);
+	krb5_storage_free(sp);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_store_data(sp, data);
+    krb5_data_free(&data);
+    if (ret) {
+	krb5_storage_free(sp);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_storage_to_data(sp, &data);
+    krb5_storage_free(sp);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    cred_token->value = data.data;
+    cred_token->length = data.length;
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_import_cred(OM_uint32 * minor_status,
+		     gss_buffer_t cred_token,
+		     gss_cred_id_t * cred_handle)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    gsskrb5_cred handle;
+    krb5_ccache id;
+    krb5_storage *sp;
+    char *str;
+    uint32_t type;
+    int flags = 0;
+
+    *cred_handle = GSS_C_NO_CREDENTIAL;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    sp = krb5_storage_from_mem(cred_token->value, cred_token->length);
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_ret_uint32(sp, &type);
+    if (ret) {
+	krb5_storage_free(sp);
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    switch (type) {
+    case 0: {
+	krb5_creds creds;
+
+	ret = krb5_ret_creds(sp, &creds);
+	krb5_storage_free(sp);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_cc_new_unique(context, "MEMORY", NULL, &id);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_cc_initialize(context, id, creds.client);
+	if (ret) {
+	    krb5_cc_destroy(context, id);
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_cc_store_cred(context, id, &creds);
+	krb5_free_cred_contents(context, &creds);
+
+	flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
+
+	break;
+    }
+    case 1:
+	ret = krb5_ret_string(sp, &str);
+	krb5_storage_free(sp);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+
+	ret = krb5_cc_resolve(context, str, &id);
+	krb5_xfree(str);
+	if (ret) {
+	    *minor_status = ret;
+	    return GSS_S_FAILURE;
+	}
+	break;
+
+    default:
+	krb5_storage_free(sp);
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    handle = calloc(1, sizeof(*handle));
+    if (handle == NULL) {
+	krb5_cc_close(context, id);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    handle->usage = GSS_C_INITIATE;
+    krb5_cc_get_principal(context, id, &handle->principal);
+    handle->ccache = id;
+    handle->cred_flags = flags;
+
+    *cred_handle = (gss_cred_id_t)handle;
+
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
index 39176faff442..640c064d0bf1 100644
--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: decapsulate.c 18334 2006-10-07 22:16:04Z lha $");
+#include "gsskrb5_locl.h"
 
 /*
  * return the length of the mechanism in token or -1
@@ -82,9 +80,9 @@ _gssapi_verify_mech_header(u_char **str,
 
     if (mech_len != mech->length)
 	return GSS_S_BAD_MECH;
-    if (memcmp(p,
-	       mech->elements,
-	       mech->length) != 0)
+    if (ct_memcmp(p,
+		  mech->elements,
+		  mech->length) != 0)
 	return GSS_S_BAD_MECH;
     p += mech_len;
     *str = rk_UNCONST(p);
@@ -110,7 +108,7 @@ _gsskrb5_verify_header(u_char **str,
     if (len < 2)
 	return GSS_S_DEFECTIVE_TOKEN;
 
-    if (memcmp (*str, type, 2) != 0)
+    if (ct_memcmp (*str, type, 2) != 0)
 	return GSS_S_DEFECTIVE_TOKEN;
     *str += 2;
 
@@ -154,7 +152,7 @@ _gssapi_decapsulate(
  */
 
 OM_uint32
-_gsskrb5_decapsulate(OM_uint32 *minor_status,    
+_gsskrb5_decapsulate(OM_uint32 *minor_status,
 			gss_buffer_t input_token_buffer,
 			krb5_data *out_data,
 			const void *type,
@@ -184,7 +182,7 @@ _gsskrb5_decapsulate(OM_uint32 *minor_status,
  */
 
 OM_uint32
-_gssapi_verify_pad(gss_buffer_t wrapped_token, 
+_gssapi_verify_pad(gss_buffer_t wrapped_token,
 		   size_t datalen,
 		   size_t *padlen)
 {
diff --git a/lib/gssapi/krb5/delete_sec_context.c b/lib/gssapi/krb5/delete_sec_context.c
index abad98655026..83a66cc0ca01 100644
--- a/lib/gssapi/krb5/delete_sec_context.c
+++ b/lib/gssapi/krb5/delete_sec_context.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
 			    gss_ctx_id_t * context_handle,
 			    gss_buffer_t output_token)
@@ -61,6 +59,9 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
     krb5_auth_con_free (context, ctx->auth_context);
+    krb5_auth_con_free (context, ctx->deleg_auth_context);
+    if (ctx->kcred)
+	krb5_free_creds(context, ctx->kcred);
     if(ctx->source)
 	krb5_free_principal (context, ctx->source);
     if(ctx->target)
@@ -72,6 +73,8 @@ _gsskrb5_delete_sec_context(OM_uint32 * minor_status,
     if (ctx->service_keyblock)
 	krb5_free_keyblock (context, ctx->service_keyblock);
     krb5_data_free(&ctx->fwd_data);
+    if (ctx->crypto)
+    	krb5_crypto_destroy(context, ctx->crypto);
 
     HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
     HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
diff --git a/lib/gssapi/krb5/display_name.c b/lib/gssapi/krb5/display_name.c
index 727c447d2a06..a296399cecad 100644
--- a/lib/gssapi/krb5/display_name.c
+++ b/lib/gssapi/krb5/display_name.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: display_name.c 21077 2007-06-12 22:42:56Z lha $");
-
-OM_uint32 _gsskrb5_display_name
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_display_name
            (OM_uint32 * minor_status,
             const gss_name_t input_name,
             gss_buffer_t output_name_buffer,
diff --git a/lib/gssapi/krb5/display_status.c b/lib/gssapi/krb5/display_status.c
index c0192522a72a..c50200672aaf 100644
--- a/lib/gssapi/krb5/display_status.c
+++ b/lib/gssapi/krb5/display_status.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1998 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1998 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 static const char *
 calling_error(OM_uint32 v)
@@ -118,29 +116,30 @@ _gsskrb5_clear_status (void)
 
     if (_gsskrb5_init (&context) != 0)
 	return;
-    krb5_clear_error_string(context);
+    krb5_clear_error_message(context);
 }
 
 void
-_gsskrb5_set_status (const char *fmt, ...)
+_gsskrb5_set_status (int ret, const char *fmt, ...)
 {
     krb5_context context;
     va_list args;
     char *str;
+    int e;
 
     if (_gsskrb5_init (&context) != 0)
 	return;
 
     va_start(args, fmt);
-    vasprintf(&str, fmt, args);
+    e = vasprintf(&str, fmt, args);
     va_end(args);
-    if (str) {
-	krb5_set_error_string(context, str);
+    if (e >= 0 && str) {
+	krb5_set_error_message(context, ret, "%s", str);
 	free(str);
     }
 }
 
-OM_uint32 _gsskrb5_display_status
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_display_status
 (OM_uint32		*minor_status,
  OM_uint32		 status_value,
  int			 status_type,
@@ -149,7 +148,8 @@ OM_uint32 _gsskrb5_display_status
  gss_buffer_t	 status_string)
 {
     krb5_context context;
-    char *buf;
+    char *buf = NULL;
+    int e = 0;
 
     GSSAPI_KRB5_INIT (&context);
 
@@ -164,28 +164,27 @@ OM_uint32 _gsskrb5_display_status
 
     if (status_type == GSS_C_GSS_CODE) {
 	if (GSS_SUPPLEMENTARY_INFO(status_value))
-	    asprintf(&buf, "%s", 
-		     supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
+	    e = asprintf(&buf, "%s",
+			 supplementary_error(GSS_SUPPLEMENTARY_INFO(status_value)));
 	else
-	    asprintf (&buf, "%s %s",
-		      calling_error(GSS_CALLING_ERROR(status_value)),
-		      routine_error(GSS_ROUTINE_ERROR(status_value)));
+	    e = asprintf (&buf, "%s %s",
+			  calling_error(GSS_CALLING_ERROR(status_value)),
+			  routine_error(GSS_ROUTINE_ERROR(status_value)));
     } else if (status_type == GSS_C_MECH_CODE) {
-	buf = krb5_get_error_string(context);
-	if (buf == NULL) {
-	    const char *tmp = krb5_get_err_text (context, status_value);
-	    if (tmp == NULL)
-		asprintf(&buf, "unknown mech error-code %u",
+	const char *buf2 = krb5_get_error_message(context, status_value);
+	if (buf2) {
+	    buf = strdup(buf2);
+	    krb5_free_error_message(context, buf2);
+	} else {
+	    e = asprintf(&buf, "unknown mech error-code %u",
 			 (unsigned)status_value);
-	    else
-		buf = strdup(tmp);
 	}
     } else {
 	*minor_status = EINVAL;
 	return GSS_S_BAD_STATUS;
     }
 
-    if (buf == NULL) {
+    if (e < 0 || buf == NULL) {
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
     }
@@ -195,6 +194,6 @@ OM_uint32 _gsskrb5_display_status
 
     status_string->length = strlen(buf);
     status_string->value  = buf;
-  
+
     return GSS_S_COMPLETE;
 }
diff --git a/lib/gssapi/krb5/duplicate_name.c b/lib/gssapi/krb5/duplicate_name.c
index 7337f1ab72b8..0bc57e8a03ed 100644
--- a/lib/gssapi/krb5/duplicate_name.c
+++ b/lib/gssapi/krb5/duplicate_name.c
@@ -1,58 +1,57 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: duplicate_name.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_duplicate_name (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_duplicate_name (
             OM_uint32 * minor_status,
             const gss_name_t src_name,
             gss_name_t * dest_name
            )
 {
-    krb5_context context;
     krb5_const_principal src = (krb5_const_principal)src_name;
-    krb5_principal *dest = (krb5_principal *)dest_name;
+    krb5_context context;
+    krb5_principal dest;
     krb5_error_code kret;
 
     GSSAPI_KRB5_INIT (&context);
 
-    kret = krb5_copy_principal (context, src, dest);
+    kret = krb5_copy_principal (context, src, &dest);
     if (kret) {
 	*minor_status = kret;
 	return GSS_S_FAILURE;
     } else {
+	*dest_name = (gss_name_t)dest;
 	*minor_status = 0;
 	return GSS_S_COMPLETE;
     }
diff --git a/lib/gssapi/krb5/encapsulate.c b/lib/gssapi/krb5/encapsulate.c
index 58dcb5c9c4b2..fe5dac7c60b2 100644
--- a/lib/gssapi/krb5/encapsulate.c
+++ b/lib/gssapi/krb5/encapsulate.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: encapsulate.c 18459 2006-10-14 10:12:16Z lha $");
+#include "gsskrb5_locl.h"
 
 void
 _gssapi_encap_length (size_t data_len,
@@ -110,13 +108,13 @@ _gssapi_encapsulate(
     void *p;
 
     _gssapi_encap_length (in_data->length, &len, &outer_len, mech);
-    
+
     output_token->length = outer_len;
     output_token->value  = malloc (outer_len);
     if (output_token->value == NULL) {
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
-    }	
+    }
 
     p = _gssapi_make_mech_header (output_token->value, len, mech);
     memcpy (p, in_data->data, in_data->length);
@@ -130,7 +128,7 @@ _gssapi_encapsulate(
 
 OM_uint32
 _gsskrb5_encapsulate(
-			OM_uint32 *minor_status,    
+			OM_uint32 *minor_status,
 			const krb5_data *in_data,
 			gss_buffer_t output_token,
 			const void *type,
@@ -141,13 +139,13 @@ _gsskrb5_encapsulate(
     u_char *p;
 
     _gsskrb5_encap_length (in_data->length, &len, &outer_len, mech);
-    
+
     output_token->length = outer_len;
     output_token->value  = malloc (outer_len);
     if (output_token->value == NULL) {
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
-    }	
+    }
 
     p = _gsskrb5_make_header (output_token->value, len, type, mech);
     memcpy (p, in_data->data, in_data->length);
diff --git a/lib/gssapi/krb5/export_name.c b/lib/gssapi/krb5/export_name.c
index efa45a2638bf..32368d3ccefd 100644
--- a/lib/gssapi/krb5/export_name.c
+++ b/lib/gssapi/krb5/export_name.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: export_name.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_export_name
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_export_name
            (OM_uint32  * minor_status,
             const gss_name_t input_name,
             gss_buffer_t exported_name
diff --git a/lib/gssapi/krb5/export_sec_context.c b/lib/gssapi/krb5/export_sec_context.c
index 00218617a07b..eeb2743b4322 100644
--- a/lib/gssapi/krb5/export_sec_context.c
+++ b/lib/gssapi/krb5/export_sec_context.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: export_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_export_sec_context (
     OM_uint32 * minor_status,
     gss_ctx_id_t * context_handle,
diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c
index 03fe61dc5744..26ede2487d30 100644
--- a/lib/gssapi/krb5/external.c
+++ b/lib/gssapi/krb5/external.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 #include <gssapi_mech.h>
 
-RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
-
 /*
  * The implementation must reserve static storage for a
  * gss_OID_desc object containing the value
@@ -48,10 +46,8 @@ RCSID("$Id: external.c 22128 2007-12-04 00:56:55Z lha $");
  * to that gss_OID_desc.
  */
 
-static gss_OID_desc gss_c_nt_user_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};
-
-gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_user_name_oid_desc =
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x01")};
 
 /*
  * The implementation must reserve static storage for a
@@ -65,10 +61,8 @@ gss_OID GSS_C_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
  * initialized to point to that gss_OID_desc.
  */
 
-static gss_OID_desc gss_c_nt_machine_uid_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};
-
-gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_machine_uid_name_oid_desc =
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x02")};
 
 /*
  * The implementation must reserve static storage for a
@@ -82,10 +76,8 @@ gss_OID GSS_C_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
  * initialized to point to that gss_OID_desc.
  */
 
-static gss_OID_desc gss_c_nt_string_uid_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};
-
-gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_string_uid_name_oid_desc =
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x03")};
 
 /*
  * The implementation must reserve static storage for a
@@ -105,10 +97,8 @@ gss_OID GSS_C_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
  * implementations
  */
 
-static gss_OID_desc gss_c_nt_hostbased_service_x_oid_desc =
-{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};
-
-gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_hostbased_service_x_oid_desc =
+    {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x02")};
 
 /*
  * The implementation must reserve static storage for a
@@ -121,10 +111,8 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &gss_c_nt_hostbased_service_x_oid_desc;
  * GSS_C_NT_HOSTBASED_SERVICE should be initialized
  * to point to that gss_OID_desc.
  */
-static gss_OID_desc gss_c_nt_hostbased_service_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};
-
-gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_hostbased_service_oid_desc =
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12" "\x01\x02\x01\x04")};
 
 /*
  * The implementation must reserve static storage for a
@@ -137,10 +125,8 @@ gss_OID GSS_C_NT_HOSTBASED_SERVICE = &gss_c_nt_hostbased_service_oid_desc;
  * to that gss_OID_desc.
  */
 
-static gss_OID_desc gss_c_nt_anonymous_oid_desc =
-{6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};
-
-gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_anonymous_oid_desc =
+    {6, rk_UNCONST("\x2b\x06\01\x05\x06\x03")};
 
 /*
  * The implementation must reserve static storage for a
@@ -153,10 +139,8 @@ gss_OID GSS_C_NT_ANONYMOUS = &gss_c_nt_anonymous_oid_desc;
  * to that gss_OID_desc.
  */
 
-static gss_OID_desc gss_c_nt_export_name_oid_desc =
-{6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };
-
-gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_export_name_oid_desc =
+    {6, rk_UNCONST("\x2b\x06\x01\x05\x06\x04") };
 
 /*
  *   This name form shall be represented by the Object Identifier {iso(1)
@@ -165,66 +149,8 @@ gss_OID GSS_C_NT_EXPORT_NAME = &gss_c_nt_export_name_oid_desc;
  *   is "GSS_KRB5_NT_PRINCIPAL_NAME".
  */
 
-static gss_OID_desc gss_krb5_nt_principal_name_oid_desc =
-{10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
-
-gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &gss_krb5_nt_principal_name_oid_desc;
-
-/*
- *   This name form shall be represented by the Object Identifier {iso(1)
- *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- *   generic(1) user_name(1)}.  The recommended symbolic name for this
- *   type is "GSS_KRB5_NT_USER_NAME".
- */
-
-gss_OID GSS_KRB5_NT_USER_NAME = &gss_c_nt_user_name_oid_desc;
-
-/*
- *   This name form shall be represented by the Object Identifier {iso(1)
- *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- *   generic(1) machine_uid_name(2)}.  The recommended symbolic name for
- *   this type is "GSS_KRB5_NT_MACHINE_UID_NAME".
- */
-
-gss_OID GSS_KRB5_NT_MACHINE_UID_NAME = &gss_c_nt_machine_uid_name_oid_desc;
-
-/*
- *   This name form shall be represented by the Object Identifier {iso(1)
- *   member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- *   generic(1) string_uid_name(3)}.  The recommended symbolic name for
- *   this type is "GSS_KRB5_NT_STRING_UID_NAME".
- */
-
-gss_OID GSS_KRB5_NT_STRING_UID_NAME = &gss_c_nt_string_uid_name_oid_desc;
-
-/*
- *   To support ongoing experimentation, testing, and evolution of the
- *   specification, the Kerberos V5 GSS-API mechanism as defined in this
- *   and any successor memos will be identified with the following Object
- *   Identifier, as defined in RFC-1510, until the specification is
- *   advanced to the level of Proposed Standard RFC:
- *
- *   {iso(1), org(3), dod(5), internet(1), security(5), kerberosv5(2)}
- *
- *   Upon advancement to the level of Proposed Standard RFC, the Kerberos
- *   V5 GSS-API mechanism will be identified by an Object Identifier
- *   having the value:
- *
- *   {iso(1) member-body(2) United States(840) mit(113554) infosys(1)
- *   gssapi(2) krb5(2)}
- */
-
-#if 0 /* This is the old OID */
-
-static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{5, rk_UNCONST("\x2b\x05\x01\x05\x02")};
-
-#endif
-
-static gss_OID_desc gss_krb5_mechanism_oid_desc =
-{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
-
-gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_oid_desc =
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01") };
 
 /*
  * draft-ietf-cat-iakerb-09, IAKERB:
@@ -239,141 +165,107 @@ gss_OID GSS_KRB5_MECHANISM = &gss_krb5_mechanism_oid_desc;
  *   iakerbMinimumMessagesProtocol(2)}.
  */
 
-static gss_OID_desc gss_iakerb_proxy_mechanism_oid_desc =
-{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")};
-
-gss_OID GSS_IAKERB_PROXY_MECHANISM = &gss_iakerb_proxy_mechanism_oid_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE  __gss_iakerb_proxy_mechanism_oid_desc =
+    {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x01")};
 
-static gss_OID_desc gss_iakerb_min_msg_mechanism_oid_desc =
-{7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") };
-
-gss_OID GSS_IAKERB_MIN_MSG_MECHANISM = &gss_iakerb_min_msg_mechanism_oid_desc;
-
-/*
- *
- */
-
-static gss_OID_desc gss_c_peer_has_updated_spnego_oid_desc =
-{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x05"};
-
-gss_OID GSS_C_PEER_HAS_UPDATED_SPNEGO = &gss_c_peer_has_updated_spnego_oid_desc;
-
-/*
- * 1.2.752.43.13 Heimdal GSS-API Extentions
- */
-
-/* 1.2.752.43.13.1 */
-static gss_OID_desc gss_krb5_copy_ccache_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01")};
-
-gss_OID GSS_KRB5_COPY_CCACHE_X = &gss_krb5_copy_ccache_x_oid_desc;
-
-/* 1.2.752.43.13.2 */
-static gss_OID_desc gss_krb5_get_tkt_flags_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02")};
-
-gss_OID GSS_KRB5_GET_TKT_FLAGS_X = &gss_krb5_get_tkt_flags_x_oid_desc;
-
-/* 1.2.752.43.13.3 */
-static gss_OID_desc gss_krb5_extract_authz_data_from_sec_context_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03")};
-
-gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X = &gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
-
-/* 1.2.752.43.13.4 */
-static gss_OID_desc gss_krb5_compat_des3_mic_x_oid_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04")};
-
-gss_OID GSS_KRB5_COMPAT_DES3_MIC_X = &gss_krb5_compat_des3_mic_x_oid_desc;
-
-/* 1.2.752.43.13.5 */
-static gss_OID_desc gss_krb5_register_acceptor_identity_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05")};
-
-gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X = &gss_krb5_register_acceptor_identity_x_desc;
-
-/* 1.2.752.43.13.6 */
-static gss_OID_desc gss_krb5_export_lucid_context_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06")};
-
-gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_X = &gss_krb5_export_lucid_context_x_desc;
-
-/* 1.2.752.43.13.6.1 */
-static gss_OID_desc gss_krb5_export_lucid_context_v1_x_desc =
-{7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01")};
-
-gss_OID GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X = &gss_krb5_export_lucid_context_v1_x_desc;
-
-/* 1.2.752.43.13.7 */
-static gss_OID_desc gss_krb5_set_dns_canonicalize_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07")};
-
-gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X = &gss_krb5_set_dns_canonicalize_x_desc;
-
-/* 1.2.752.43.13.8 */
-static gss_OID_desc gss_krb5_get_subkey_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08")};
-
-gss_OID GSS_KRB5_GET_SUBKEY_X = &gss_krb5_get_subkey_x_desc;
-
-/* 1.2.752.43.13.9 */
-static gss_OID_desc gss_krb5_get_initiator_subkey_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09")};
-
-gss_OID GSS_KRB5_GET_INITIATOR_SUBKEY_X = &gss_krb5_get_initiator_subkey_x_desc;
-
-/* 1.2.752.43.13.10 */
-static gss_OID_desc gss_krb5_get_acceptor_subkey_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a")};
-
-gss_OID GSS_KRB5_GET_ACCEPTOR_SUBKEY_X = &gss_krb5_get_acceptor_subkey_x_desc;
-
-/* 1.2.752.43.13.11 */
-static gss_OID_desc gss_krb5_send_to_kdc_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b")};
-
-gss_OID GSS_KRB5_SEND_TO_KDC_X = &gss_krb5_send_to_kdc_x_desc;
-
-/* 1.2.752.43.13.12 */
-static gss_OID_desc gss_krb5_get_authtime_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c")};
-
-gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
-
-/* 1.2.752.43.13.13 */
-static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
-
-gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
-
-/* 1.2.752.43.13.14 */
-static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
-
-gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
-
-/* 1.2.752.43.13.15 */
-static gss_OID_desc gss_krb5_set_default_realm_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f")};
-
-gss_OID GSS_KRB5_SET_DEFAULT_REALM_X = &gss_krb5_set_default_realm_x_desc;
-
-/* 1.2.752.43.13.16 */
-static gss_OID_desc gss_krb5_ccache_name_x_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10")};
-
-gss_OID GSS_KRB5_CCACHE_NAME_X = &gss_krb5_ccache_name_x_desc;
-
-/* 1.2.752.43.14.1 */
-static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
-{6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
-
-gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_iakerb_min_msg_mechanism_oid_desc =
+    {7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0a\x02") };
 
 /*
  * Context for krb5 calls.
  */
 
+static gss_mo_desc krb5_mo[] = {
+    {
+	GSS_C_MA_SASL_MECH_NAME,
+	GSS_MO_MA,
+	"SASL mech name",
+	rk_UNCONST("GS2-KRB5"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_NAME,
+	GSS_MO_MA,
+	"Mechanism name",
+	rk_UNCONST("KRB5"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_DESCRIPTION,
+	GSS_MO_MA,
+	"Mechanism description",
+	rk_UNCONST("Heimdal Kerberos 5 mech"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_CONCRETE,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_ITOK_FRAMED,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_AUTH_INIT,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_AUTH_TARG,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_AUTH_INIT_ANON,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_DELEG_CRED,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_INTEG_PROT,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_CONF_PROT,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_MIC,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_WRAP,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_PROT_READY,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_REPLAY_DET,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_OOS_DET,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_CBINDINGS,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_PFS,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_CTX_TRANS,
+	GSS_MO_MA
+    }
+};
+
 /*
  *
  */
@@ -381,7 +273,8 @@ gss_OID GSS_SASL_DIGEST_MD5_MECHANISM = &gss_sasl_digest_md5_mechanism_desc;
 static gssapi_mech_interface_desc krb5_mech = {
     GMI_VERSION,
     "kerberos 5",
-    {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
+    0,
     _gsskrb5_acquire_cred,
     _gsskrb5_release_cred,
     _gsskrb5_init_sec_context,
@@ -415,7 +308,31 @@ static gssapi_mech_interface_desc krb5_mech = {
     _gsskrb5_inquire_cred_by_oid,
     _gsskrb5_set_sec_context_option,
     _gsskrb5_set_cred_option,
-    _gsskrb5_pseudo_random
+    _gsskrb5_pseudo_random,
+    _gk_wrap_iov,
+    _gk_unwrap_iov,
+    _gk_wrap_iov_length,
+    _gsskrb5_store_cred,
+    _gsskrb5_export_cred,
+    _gsskrb5_import_cred,
+    _gsskrb5_acquire_cred_ext,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    krb5_mo,
+    sizeof(krb5_mo) / sizeof(krb5_mo[0]),
+    _gsskrb5_pname_to_uid,
+    _gsskrb5_authorize_localname,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL
 };
 
 gssapi_mech_interface
diff --git a/lib/gssapi/krb5/get_mic.c b/lib/gssapi/krb5/get_mic.c
index 133481ffe173..0109ca7c6e76 100644
--- a/lib/gssapi/krb5/get_mic.c
+++ b/lib/gssapi/krb5/get_mic.c
@@ -1,39 +1,39 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: get_mic.c 19031 2006-11-13 18:02:57Z lha $");
+#ifdef HEIM_WEAK_CRYPTO
 
 static OM_uint32
 mic_des
@@ -47,9 +47,10 @@ mic_des
            )
 {
   u_char *p;
-  MD5_CTX md5;
+  EVP_MD_CTX *md5;
   u_char hash[16];
   DES_key_schedule schedule;
+  EVP_CIPHER_CTX des_ctx;
   DES_cblock deskey;
   DES_cblock zero;
   int32_t seq_number;
@@ -68,7 +69,7 @@ mic_des
   p = _gsskrb5_make_header(message_token->value,
 			      len,
 			      "\x01\x01", /* TOK_ID */
-			      GSS_KRB5_MECHANISM); 
+			      GSS_KRB5_MECHANISM);
 
   memcpy (p, "\x00\x00", 2);	/* SGN_ALG = DES MAC MD5 */
   p += 2;
@@ -81,14 +82,16 @@ mic_des
   p += 16;
 
   /* checksum */
-  MD5_Init (&md5);
-  MD5_Update (&md5, p - 24, 8);
-  MD5_Update (&md5, message_buffer->value, message_buffer->length);
-  MD5_Final (hash, &md5);
+  md5 = EVP_MD_CTX_create();
+  EVP_DigestInit_ex(md5, EVP_md5(), NULL);
+  EVP_DigestUpdate(md5, p - 24, 8);
+  EVP_DigestUpdate(md5, message_buffer->value, message_buffer->length);
+  EVP_DigestFinal_ex(md5, hash, NULL);
+  EVP_MD_CTX_destroy(md5);
 
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 &schedule, &zero);
   memcpy (p - 8, hash, 8);	/* SGN_CKSUM */
@@ -108,21 +111,23 @@ mic_des
 	  (ctx->more_flags & LOCAL) ? 0 : 0xFF,
 	  4);
 
-  DES_set_key (&deskey, &schedule);
-  DES_cbc_encrypt ((void *)p, (void *)p, 8,
-		   &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
+  EVP_CIPHER_CTX_init(&des_ctx);
+  EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
+  EVP_Cipher(&des_ctx, p, p, 8);
+  EVP_CIPHER_CTX_cleanup(&des_ctx);
 
   krb5_auth_con_setlocalseqnumber (context,
 			       ctx->auth_context,
 			       ++seq_number);
   HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-  
+
   memset (deskey, 0, sizeof(deskey));
   memset (&schedule, 0, sizeof(schedule));
-  
+
   *minor_status = 0;
   return GSS_S_COMPLETE;
 }
+#endif
 
 static OM_uint32
 mic_des3
@@ -252,7 +257,7 @@ mic_des3
       *minor_status = kret;
       return GSS_S_FAILURE;
   }
-  
+
   assert (encdata.length == 8);
 
   memcpy (p, encdata.data, encdata.length);
@@ -262,13 +267,13 @@ mic_des3
 			       ctx->auth_context,
 			       ++seq_number);
   HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-  
+
   free_Checksum (&cksum);
   *minor_status = 0;
   return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gsskrb5_get_mic
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_get_mic
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             gss_qop_t qop_req,
@@ -284,6 +289,10 @@ OM_uint32 _gsskrb5_get_mic
 
   GSSAPI_KRB5_INIT (&context);
 
+  if (ctx->more_flags & IS_CFX)
+      return _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
+			      message_buffer, message_token);
+
   HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
   ret = _gsskrb5i_get_token_key(ctx, context, &key);
   HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -295,8 +304,12 @@ OM_uint32 _gsskrb5_get_mic
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = mic_des (minor_status, ctx, context, qop_req,
 		     message_buffer, message_token, key);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
   case KEYTYPE_DES3 :
       ret = mic_des3 (minor_status, ctx, context, qop_req,
@@ -308,8 +321,7 @@ OM_uint32 _gsskrb5_get_mic
 				     message_buffer, message_token, key);
       break;
   default :
-      ret = _gssapi_mic_cfx (minor_status, ctx, context, qop_req,
-			     message_buffer, message_token, key);
+      abort();
       break;
   }
   krb5_free_keyblock (context, key);
diff --git a/lib/gssapi/krb5/gkrb5_err.et b/lib/gssapi/krb5/gkrb5_err.et
index dbfdbdf2f122..3c23412a6aee 100644
--- a/lib/gssapi/krb5/gkrb5_err.et
+++ b/lib/gssapi/krb5/gkrb5_err.et
@@ -2,7 +2,7 @@
 # extended gss krb5 error messages
 #
 
-id "$Id: gkrb5_err.et 20049 2007-01-24 00:14:24Z lha $"
+id "$Id$"
 
 error_table gk5
 
diff --git a/lib/gssapi/krb5/gsskrb5-private.h b/lib/gssapi/krb5/gsskrb5-private.h
index c2239f134625..2a669d867f16 100644
--- a/lib/gssapi/krb5/gsskrb5-private.h
+++ b/lib/gssapi/krb5/gsskrb5-private.h
@@ -16,6 +16,55 @@ __gsskrb5_ccache_lifetime (
 	OM_uint32 */*lifetime*/);
 
 OM_uint32
+_gk_allocate_buffer (
+	OM_uint32 */*minor_status*/,
+	gss_iov_buffer_desc */*buffer*/,
+	size_t /*size*/);
+
+gss_iov_buffer_desc *
+_gk_find_buffer (
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/,
+	OM_uint32 /*type*/);
+
+OM_uint32 GSSAPI_CALLCONV
+_gk_unwrap_iov (
+	OM_uint32 */*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int */*conf_state*/,
+	gss_qop_t */*qop_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
+
+OM_uint32
+_gk_verify_buffers (
+	OM_uint32 */*minor_status*/,
+	const gsskrb5_ctx /*ctx*/,
+	const gss_iov_buffer_desc */*header*/,
+	const gss_iov_buffer_desc */*padding*/,
+	const gss_iov_buffer_desc */*trailer*/);
+
+OM_uint32 GSSAPI_CALLCONV
+_gk_wrap_iov (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	int * /*conf_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
+
+OM_uint32 GSSAPI_CALLCONV
+_gk_wrap_iov_length (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	int */*conf_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
+
+OM_uint32
 _gss_DES3_get_mic_compat (
 	OM_uint32 */*minor_status*/,
 	gsskrb5_ctx /*ctx*/,
@@ -61,12 +110,11 @@ _gssapi_make_mech_header (
 OM_uint32
 _gssapi_mic_cfx (
 	OM_uint32 */*minor_status*/,
-	const gsskrb5_ctx /*context_handle*/,
+	const gsskrb5_ctx /*ctx*/,
 	krb5_context /*context*/,
 	gss_qop_t /*qop_req*/,
 	const gss_buffer_t /*message_buffer*/,
-	gss_buffer_t /*message_token*/,
-	krb5_keyblock */*key*/);
+	gss_buffer_t /*message_token*/);
 
 OM_uint32
 _gssapi_msg_order_check (
@@ -113,13 +161,22 @@ _gssapi_unwrap_arcfour (
 OM_uint32
 _gssapi_unwrap_cfx (
 	OM_uint32 */*minor_status*/,
-	const gsskrb5_ctx /*context_handle*/,
+	const gsskrb5_ctx /*ctx*/,
 	krb5_context /*context*/,
 	const gss_buffer_t /*input_message_buffer*/,
 	gss_buffer_t /*output_message_buffer*/,
 	int */*conf_state*/,
+	gss_qop_t */*qop_state*/);
+
+OM_uint32
+_gssapi_unwrap_cfx_iov (
+	OM_uint32 */*minor_status*/,
+	gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/,
+	int */*conf_state*/,
 	gss_qop_t */*qop_state*/,
-	krb5_keyblock */*key*/);
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
 
 OM_uint32
 _gssapi_verify_mech_header (
@@ -136,17 +193,16 @@ _gssapi_verify_mic_arcfour (
 	const gss_buffer_t /*token_buffer*/,
 	gss_qop_t * /*qop_state*/,
 	krb5_keyblock */*key*/,
-	char */*type*/);
+	const char */*type*/);
 
 OM_uint32
 _gssapi_verify_mic_cfx (
 	OM_uint32 */*minor_status*/,
-	const gsskrb5_ctx /*context_handle*/,
+	const gsskrb5_ctx /*ctx*/,
 	krb5_context /*context*/,
 	const gss_buffer_t /*message_buffer*/,
 	const gss_buffer_t /*token_buffer*/,
-	gss_qop_t */*qop_state*/,
-	krb5_keyblock */*key*/);
+	gss_qop_t */*qop_state*/);
 
 OM_uint32
 _gssapi_verify_pad (
@@ -169,14 +225,33 @@ _gssapi_wrap_arcfour (
 OM_uint32
 _gssapi_wrap_cfx (
 	OM_uint32 */*minor_status*/,
-	const gsskrb5_ctx /*context_handle*/,
+	const gsskrb5_ctx /*ctx*/,
 	krb5_context /*context*/,
 	int /*conf_req_flag*/,
-	gss_qop_t /*qop_req*/,
 	const gss_buffer_t /*input_message_buffer*/,
 	int */*conf_state*/,
-	gss_buffer_t /*output_message_buffer*/,
-	krb5_keyblock */*key*/);
+	gss_buffer_t /*output_message_buffer*/);
+
+OM_uint32
+_gssapi_wrap_cfx_iov (
+	OM_uint32 */*minor_status*/,
+	gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/,
+	int /*conf_req_flag*/,
+	int */*conf_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
+
+OM_uint32
+_gssapi_wrap_iov_length_cfx (
+	OM_uint32 */*minor_status*/,
+	gsskrb5_ctx /*ctx*/,
+	krb5_context /*context*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	int */*conf_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
 
 OM_uint32
 _gssapi_wrap_size_arcfour (
@@ -192,15 +267,14 @@ _gssapi_wrap_size_arcfour (
 OM_uint32
 _gssapi_wrap_size_cfx (
 	OM_uint32 */*minor_status*/,
-	const gsskrb5_ctx /*context_handle*/,
+	const gsskrb5_ctx /*ctx*/,
 	krb5_context /*context*/,
 	int /*conf_req_flag*/,
 	gss_qop_t /*qop_req*/,
 	OM_uint32 /*req_output_size*/,
-	OM_uint32 */*max_input_size*/,
-	krb5_keyblock */*key*/);
+	OM_uint32 */*max_input_size*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_accept_sec_context (
 	OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
@@ -214,7 +288,7 @@ _gsskrb5_accept_sec_context (
 	OM_uint32 * /*time_rec*/,
 	gss_cred_id_t * /*delegated_cred_handle*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_acquire_cred (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*desired_name*/,
@@ -225,7 +299,18 @@ _gsskrb5_acquire_cred (
 	gss_OID_set * /*actual_mechs*/,
 	OM_uint32 * time_rec );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_acquire_cred_ext (
+	OM_uint32 * /*minor_status*/,
+	const gss_name_t /*desired_name*/,
+	gss_const_OID /*credential_type*/,
+	const void */*credential_data*/,
+	OM_uint32 /*time_req*/,
+	gss_const_OID /*desired_mech*/,
+	gss_cred_usage_t /*cred_usage*/,
+	gss_cred_id_t * output_cred_handle );
+
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_add_cred (
 	 OM_uint32 */*minor_status*/,
 	const gss_cred_id_t /*input_cred_handle*/,
@@ -239,7 +324,23 @@ _gsskrb5_add_cred (
 	OM_uint32 */*initiator_time_rec*/,
 	OM_uint32 */*acceptor_time_rec*/);
 
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_authorize_localname (
+	OM_uint32 */*minor_status*/,
+	const gss_name_t /*input_name*/,
+	gss_const_buffer_t /*user_name*/,
+	gss_const_OID /*user_name_type*/);
+
 OM_uint32
+_gsskrb5_canon_name (
+	OM_uint32 */*minor_status*/,
+	krb5_context /*context*/,
+	int /*use_dns*/,
+	krb5_const_principal /*sourcename*/,
+	gss_name_t /*targetname*/,
+	krb5_principal */*out*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_canonicalize_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
@@ -249,14 +350,14 @@ _gsskrb5_canonicalize_name (
 void
 _gsskrb5_clear_status (void);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_compare_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*name1*/,
 	const gss_name_t /*name2*/,
 	int * name_equal );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_context_time (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -296,20 +397,20 @@ _gsskrb5_decode_om_uint32 (
 	const void */*ptr*/,
 	OM_uint32 */*n*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_delete_sec_context (
 	OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
 	gss_buffer_t /*output_token*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_display_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_buffer_t /*output_name_buffer*/,
 	gss_OID * output_name_type );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_display_status (
 	OM_uint32 */*minor_status*/,
 	OM_uint32 /*status_value*/,
@@ -318,7 +419,7 @@ _gsskrb5_display_status (
 	OM_uint32 */*message_context*/,
 	gss_buffer_t /*status_string*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_duplicate_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*src_name*/,
@@ -349,13 +450,19 @@ _gsskrb5_encode_om_uint32 (
 	OM_uint32 /*n*/,
 	u_char */*p*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_export_cred (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t /*cred_handle*/,
+	gss_buffer_t /*cred_token*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_export_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_buffer_t exported_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_export_sec_context (
 	 OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
@@ -367,7 +474,7 @@ _gsskrb5_get_mech (
 	size_t /*total_len*/,
 	const u_char **/*mech_ret*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_get_mic (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -381,28 +488,26 @@ _gsskrb5_get_tkt_flags (
 	gsskrb5_ctx /*ctx*/,
 	OM_uint32 */*tkt_flags*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_import_cred (
-	OM_uint32 */*minor_status*/,
-	krb5_ccache /*id*/,
-	krb5_principal /*keytab_principal*/,
-	krb5_keytab /*keytab*/,
-	gss_cred_id_t */*cred*/);
+	OM_uint32 * /*minor_status*/,
+	gss_buffer_t /*cred_token*/,
+	gss_cred_id_t * /*cred_handle*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_import_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_buffer_t /*input_name_buffer*/,
 	const gss_OID /*input_name_type*/,
 	gss_name_t * output_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_import_sec_context (
 	 OM_uint32 * /*minor_status*/,
 	const gss_buffer_t /*interprocess_token*/,
 	gss_ctx_id_t * context_handle );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_indicate_mechs (
 	OM_uint32 * /*minor_status*/,
 	gss_OID_set * mech_set );
@@ -410,10 +515,10 @@ _gsskrb5_indicate_mechs (
 krb5_error_code
 _gsskrb5_init (krb5_context */*context*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_init_sec_context (
 	OM_uint32 * /*minor_status*/,
-	const gss_cred_id_t /*initiator_cred_handle*/,
+	const gss_cred_id_t /*cred_handle*/,
 	gss_ctx_id_t * /*context_handle*/,
 	const gss_name_t /*target_name*/,
 	const gss_OID /*mech_type*/,
@@ -426,7 +531,7 @@ _gsskrb5_init_sec_context (
 	OM_uint32 * /*ret_flags*/,
 	OM_uint32 * time_rec );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_inquire_context (
 	 OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -438,7 +543,7 @@ _gsskrb5_inquire_context (
 	int * /*locally_initiated*/,
 	int * open_context );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_inquire_cred (
 	OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
@@ -447,7 +552,7 @@ _gsskrb5_inquire_cred (
 	gss_cred_usage_t * /*cred_usage*/,
 	gss_OID_set * mechanisms );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_inquire_cred_by_mech (
 	 OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
@@ -457,26 +562,26 @@ _gsskrb5_inquire_cred_by_mech (
 	OM_uint32 * /*acceptor_lifetime*/,
 	gss_cred_usage_t * cred_usage );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_inquire_cred_by_oid (
 	OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
 	const gss_OID /*desired_object*/,
 	gss_buffer_set_t */*data_set*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_inquire_mechs_for_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_OID_set * mech_types );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_inquire_names_for_mech (
 	 OM_uint32 * /*minor_status*/,
 	const gss_OID /*mechanism*/,
 	gss_OID_set * name_types );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_inquire_sec_context_by_oid (
 	OM_uint32 */*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -490,6 +595,14 @@ _gsskrb5_krb5_ccache_name (
 	const char **/*out_name*/);
 
 OM_uint32
+_gsskrb5_krb5_import_cred (
+	OM_uint32 */*minor_status*/,
+	krb5_ccache /*id*/,
+	krb5_principal /*keytab_principal*/,
+	krb5_keytab /*keytab*/,
+	gss_cred_id_t */*cred*/);
+
+OM_uint32
 _gsskrb5_lifetime_left (
 	OM_uint32 */*minor_status*/,
 	krb5_context /*context*/,
@@ -503,13 +616,20 @@ _gsskrb5_make_header (
 	const void */*type*/,
 	const gss_OID /*mech*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_pname_to_uid (
+	OM_uint32 */*minor_status*/,
+	const gss_name_t /*pname*/,
+	const gss_OID /*mech_type*/,
+	uid_t */*uidp*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_process_context_token (
 	 OM_uint32 */*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
 	const gss_buffer_t token_buffer );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_pseudo_random (
 	OM_uint32 */*minor_status*/,
 	gss_ctx_id_t /*context_handle*/,
@@ -519,41 +639,33 @@ _gsskrb5_pseudo_random (
 	gss_buffer_t /*prf_out*/);
 
 OM_uint32
-_gsskrb5_register_acceptor_identity (const char */*identity*/);
+_gsskrb5_register_acceptor_identity (
+	OM_uint32 */*min_stat*/,
+	const char */*identity*/);
 
 OM_uint32
 _gsskrb5_release_buffer (
 	OM_uint32 * /*minor_status*/,
 	gss_buffer_t buffer );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_release_cred (
 	OM_uint32 * /*minor_status*/,
 	gss_cred_id_t * cred_handle );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_release_name (
 	OM_uint32 * /*minor_status*/,
 	gss_name_t * input_name );
 
-OM_uint32
-_gsskrb5_seal (
-	OM_uint32 * /*minor_status*/,
-	gss_ctx_id_t /*context_handle*/,
-	int /*conf_req_flag*/,
-	int /*qop_req*/,
-	gss_buffer_t /*input_message_buffer*/,
-	int * /*conf_state*/,
-	gss_buffer_t output_message_buffer );
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_set_cred_option (
 	OM_uint32 */*minor_status*/,
 	gss_cred_id_t */*cred_handle*/,
 	const gss_OID /*desired_object*/,
 	const gss_buffer_t /*value*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_set_sec_context_option (
 	OM_uint32 */*minor_status*/,
 	gss_ctx_id_t */*context_handle*/,
@@ -562,27 +674,22 @@ _gsskrb5_set_sec_context_option (
 
 void
 _gsskrb5_set_status (
+	int /*ret*/,
 	const char */*fmt*/,
 	...);
 
-OM_uint32
-_gsskrb5_sign (
-	OM_uint32 * /*minor_status*/,
-	gss_ctx_id_t /*context_handle*/,
-	int /*qop_req*/,
-	gss_buffer_t /*message_buffer*/,
-	gss_buffer_t message_token );
-
-OM_uint32
-_gsskrb5_unseal (
-	OM_uint32 * /*minor_status*/,
-	gss_ctx_id_t /*context_handle*/,
-	gss_buffer_t /*input_message_buffer*/,
-	gss_buffer_t /*output_message_buffer*/,
-	int * /*conf_state*/,
-	int * qop_state );
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_store_cred (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t /*input_cred_handle*/,
+	gss_cred_usage_t /*cred_usage*/,
+	const gss_OID /*desired_mech*/,
+	OM_uint32 /*overwrite_cred*/,
+	OM_uint32 /*default_cred*/,
+	gss_OID_set */*elements_stored*/,
+	gss_cred_usage_t */*cred_usage_stored*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_unwrap (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -592,14 +699,6 @@ _gsskrb5_unwrap (
 	gss_qop_t * qop_state );
 
 OM_uint32
-_gsskrb5_verify (
-	OM_uint32 * /*minor_status*/,
-	gss_ctx_id_t /*context_handle*/,
-	gss_buffer_t /*message_buffer*/,
-	gss_buffer_t /*token_buffer*/,
-	int * qop_state );
-
-OM_uint32
 _gsskrb5_verify_8003_checksum (
 	 OM_uint32 */*minor_status*/,
 	const gss_channel_bindings_t /*input_chan_bindings*/,
@@ -614,7 +713,7 @@ _gsskrb5_verify_header (
 	const void */*type*/,
 	gss_OID /*oid*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_verify_mic (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -625,14 +724,14 @@ _gsskrb5_verify_mic (
 OM_uint32
 _gsskrb5_verify_mic_internal (
 	OM_uint32 * /*minor_status*/,
-	const gsskrb5_ctx /*context_handle*/,
+	const gsskrb5_ctx /*ctx*/,
 	krb5_context /*context*/,
 	const gss_buffer_t /*message_buffer*/,
 	const gss_buffer_t /*token_buffer*/,
 	gss_qop_t * /*qop_state*/,
-	char * type );
+	const char * type );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_wrap (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -642,7 +741,7 @@ _gsskrb5_wrap (
 	int * /*conf_state*/,
 	gss_buffer_t output_message_buffer );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_wrap_size_limit (
 	 OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -652,18 +751,11 @@ _gsskrb5_wrap_size_limit (
 	OM_uint32 * max_input_size );
 
 krb5_error_code
-_gsskrb5cfx_max_wrap_length_cfx (
-	krb5_context /*context*/,
-	krb5_crypto /*crypto*/,
-	int /*conf_req_flag*/,
-	size_t /*input_length*/,
-	OM_uint32 */*output_length*/);
-
-krb5_error_code
 _gsskrb5cfx_wrap_length_cfx (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
 	int /*conf_req_flag*/,
+	int /*dce_style*/,
 	size_t /*input_length*/,
 	size_t */*output_length*/,
 	size_t */*cksumsize*/,
@@ -697,7 +789,8 @@ _gsskrb5i_get_token_key (
 
 void
 _gsskrb5i_is_cfx (
+	krb5_context /*context*/,
 	gsskrb5_ctx /*ctx*/,
-	int */*is_cfx*/);
+	int /*acceptor*/);
 
 #endif /* __gsskrb5_private_h__ */
diff --git a/lib/gssapi/krb5/gsskrb5_locl.h b/lib/gssapi/krb5/gsskrb5_locl.h
index 6ffb6070352f..6b9b03f34908 100644
--- a/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/lib/gssapi/krb5/gsskrb5_locl.h
@@ -1,49 +1,48 @@
 /*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-/* $Id: gsskrb5_locl.h 20324 2007-04-12 16:46:01Z lha $ */
+/* $Id$ */
 
 #ifndef GSSKRB5_LOCL_H
 #define GSSKRB5_LOCL_H
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #include <krb5_locl.h>
 #include <gkrb5_err.h>
 #include <gssapi.h>
 #include <gssapi_mech.h>
+#include <gssapi_krb5.h>
 #include <assert.h>
 
 #include "cfx.h"
@@ -54,19 +53,24 @@
 
 struct gss_msg_order;
 
-typedef struct {
+typedef struct gsskrb5_ctx {
   struct krb5_auth_context_data *auth_context;
+  struct krb5_auth_context_data *deleg_auth_context;
   krb5_principal source, target;
 #define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
   OM_uint32 flags;
-  enum { LOCAL = 1, OPEN = 2, 
+  enum { LOCAL = 1, OPEN = 2,
 	 COMPAT_OLD_DES3 = 4,
          COMPAT_OLD_DES3_SELECTED = 8,
-	 ACCEPTOR_SUBKEY = 16
+	 ACCEPTOR_SUBKEY = 16,
+	 RETRIED = 32,
+	 CLOSE_CCACHE = 64,
+	 IS_CFX = 128
   } more_flags;
   enum gss_ctx_id_t_state {
       /* initiator states */
       INITIATOR_START,
+      INITIATOR_RESTART,
       INITIATOR_WAIT_FOR_MUTAL,
       INITIATOR_READY,
       /* acceptor states */
@@ -74,18 +78,22 @@ typedef struct {
       ACCEPTOR_WAIT_FOR_DCESTYLE,
       ACCEPTOR_READY
   } state;
+  krb5_creds *kcred;
+  krb5_ccache ccache;
   struct krb5_ticket *ticket;
   OM_uint32 lifetime;
   HEIMDAL_MUTEX ctx_id_mutex;
   struct gss_msg_order *order;
   krb5_keyblock *service_keyblock;
   krb5_data fwd_data;
+  krb5_crypto crypto;
 } *gsskrb5_ctx;
 
 typedef struct {
   krb5_principal principal;
   int cred_flags;
 #define GSS_CF_DESTROY_CRED_ON_RELEASE	1
+#define GSS_CF_NO_CI_FLAGS		2
   struct krb5_keytab_data *keytab;
   OM_uint32 lifetime;
   gss_cred_usage_t usage;
@@ -104,16 +112,11 @@ typedef struct Principal *gsskrb5_name;
 extern krb5_keytab _gsskrb5_keytab;
 extern HEIMDAL_MUTEX gssapi_keytab_mutex;
 
-struct gssapi_thr_context {
-    HEIMDAL_MUTEX mutex;
-    char *error_string;
-};
-
 /*
  * Prototypes
  */
 
-#include <krb5/gsskrb5-private.h>
+#include <gsskrb5-private.h>
 
 #define GSSAPI_KRB5_INIT(ctx) do {				\
     krb5_error_code kret_gss_init;				\
@@ -131,4 +134,7 @@ struct gssapi_thr_context {
 #define SC_LOCAL_SUBKEY	  0x08
 #define SC_REMOTE_SUBKEY  0x10
 
+/* type to signal that that dns canon maybe should be done */
+#define MAGIC_HOSTBASED_NAME_TYPE 4711
+
 #endif
diff --git a/lib/gssapi/krb5/import_name.c b/lib/gssapi/krb5/import_name.c
index bf31db923256..5fe512672f95 100644
--- a/lib/gssapi/krb5/import_name.c
+++ b/lib/gssapi/krb5/import_name.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: import_name.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 static OM_uint32
 parse_krb5_name (OM_uint32 *minor_status,
@@ -83,18 +81,61 @@ import_krb5_name (OM_uint32 *minor_status,
     return ret;
 }
 
+OM_uint32
+_gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
+		    int use_dns, krb5_const_principal sourcename, gss_name_t targetname,
+		    krb5_principal *out)
+{
+    krb5_principal p = (krb5_principal)targetname;
+    krb5_error_code ret;
+    char *hostname = NULL, *service;
+
+    *minor_status = 0;
+
+    /* If its not a hostname */
+    if (krb5_principal_get_type(context, p) != MAGIC_HOSTBASED_NAME_TYPE) {
+	ret = krb5_copy_principal(context, p, out);
+    } else if (!use_dns) {
+	ret = krb5_copy_principal(context, p, out);
+	if (ret)
+	    goto out;
+	krb5_principal_set_type(context, *out, KRB5_NT_SRV_HST);
+	if (sourcename)
+	    ret = krb5_principal_set_realm(context, *out, sourcename->realm);
+    } else {
+	if (p->name.name_string.len == 0)
+	    return GSS_S_BAD_NAME;
+	else if (p->name.name_string.len > 1)
+	    hostname = p->name.name_string.val[1];
+
+	service = p->name.name_string.val[0];
+
+	ret = krb5_sname_to_principal(context,
+				      hostname,
+				      service,
+				      KRB5_NT_SRV_HST,
+				      out);
+    }
+
+ out:
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    return 0;
+}
+
+
 static OM_uint32
 import_hostbased_name (OM_uint32 *minor_status,
 		       krb5_context context,
 		       const gss_buffer_t input_name_buffer,
 		       gss_name_t *output_name)
 {
-    krb5_error_code kerr;
-    char *tmp;
-    char *p;
-    char *host;
-    char local_hostname[MAXHOSTNAMELEN];
     krb5_principal princ = NULL;
+    krb5_error_code kerr;
+    char *tmp, *p, *host = NULL;
 
     tmp = malloc (input_name_buffer->length + 1);
     if (tmp == NULL) {
@@ -110,31 +151,20 @@ import_hostbased_name (OM_uint32 *minor_status,
     if (p != NULL) {
 	*p = '\0';
 	host = p + 1;
-    } else {
-	if (gethostname(local_hostname, sizeof(local_hostname)) < 0) {
-	    *minor_status = errno;
-	    free (tmp);
-	    return GSS_S_FAILURE;
-	}
-	host = local_hostname;
     }
 
-    kerr = krb5_sname_to_principal (context,
-				    host,
-				    tmp,
-				    KRB5_NT_SRV_HST,
-				    &princ);
+    kerr = krb5_make_principal(context, &princ, NULL, tmp, host, NULL);
     free (tmp);
     *minor_status = kerr;
-    if (kerr == 0) {
-	*output_name = (gss_name_t)princ;
-	return GSS_S_COMPLETE;
-    }
-
     if (kerr == KRB5_PARSE_ILLCHAR || kerr == KRB5_PARSE_MALFORMED)
 	return GSS_S_BAD_NAME;
+    else if (kerr)
+	return GSS_S_FAILURE;
 
-    return GSS_S_FAILURE;
+    krb5_principal_set_type(context, princ, MAGIC_HOSTBASED_NAME_TYPE);
+    *output_name = (gss_name_t)princ;
+
+    return 0;
 }
 
 static OM_uint32
@@ -159,7 +189,7 @@ import_export_name (OM_uint32 *minor_status,
 	p[3] != GSS_KRB5_MECHANISM->length + 2 ||
 	p[4] != 0x06 ||
 	p[5] != GSS_KRB5_MECHANISM->length ||
-	memcmp(&p[6], GSS_KRB5_MECHANISM->elements, 
+	memcmp(&p[6], GSS_KRB5_MECHANISM->elements,
 	       GSS_KRB5_MECHANISM->length) != 0)
 	return GSS_S_BAD_NAME;
 
@@ -185,7 +215,7 @@ import_export_name (OM_uint32 *minor_status,
     return ret;
 }
 
-OM_uint32 _gsskrb5_import_name
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_import_name
            (OM_uint32 * minor_status,
             const gss_buffer_t input_name_buffer,
             const gss_OID input_name_type,
@@ -196,7 +226,7 @@ OM_uint32 _gsskrb5_import_name
 
     *minor_status = 0;
     *output_name = GSS_C_NO_NAME;
-    
+
     GSSAPI_KRB5_INIT (&context);
 
     if (gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE) ||
@@ -205,7 +235,7 @@ OM_uint32 _gsskrb5_import_name
 				      context,
 				      input_name_buffer,
 				      output_name);
-    else if (gss_oid_equal(input_name_type, GSS_C_NO_OID)
+    else if (input_name_type == GSS_C_NO_OID
 	     || gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME)
 	     || gss_oid_equal(input_name_type, GSS_KRB5_NT_PRINCIPAL_NAME))
  	/* default printable syntax */
@@ -216,7 +246,7 @@ OM_uint32 _gsskrb5_import_name
     else if (gss_oid_equal(input_name_type, GSS_C_NT_EXPORT_NAME)) {
 	return import_export_name(minor_status,
 				  context,
-				  input_name_buffer, 
+				  input_name_buffer,
 				  output_name);
     } else {
 	*minor_status = 0;
diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c
index 3300036a81b3..3bab1802b3c9 100644
--- a/lib/gssapi/krb5/import_sec_context.c
+++ b/lib/gssapi/krb5/import_sec_context.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: import_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_import_sec_context (
     OM_uint32 * minor_status,
     const gss_buffer_t interprocess_token,
@@ -52,8 +50,7 @@ _gsskrb5_import_sec_context (
     krb5_data data;
     gss_buffer_desc buffer;
     krb5_keyblock keyblock;
-    int32_t tmp;
-    int32_t flags;
+    int32_t flags, tmp;
     gsskrb5_ctx ctx;
     gss_name_t name;
 
@@ -96,8 +93,9 @@ _gsskrb5_import_sec_context (
     /* retrieve the auth context */
 
     ac = ctx->auth_context;
-    if (krb5_ret_uint32 (sp, &ac->flags) != 0)
+    if (krb5_ret_int32 (sp, &tmp) != 0)
 	goto failure;
+    ac->flags = tmp;
     if (flags & SC_LOCAL_ADDRESS) {
 	if (krb5_ret_address (sp, localp = &local) != 0)
 	    goto failure;
@@ -184,7 +182,7 @@ _gsskrb5_import_sec_context (
 	    krb5_data_free (&data);
 	    goto failure;
 	}
-    }    
+    }
     ctx->target = (krb5_principal)name;
     krb5_data_free (&data);
 
@@ -200,10 +198,12 @@ _gsskrb5_import_sec_context (
 
     ret = _gssapi_msg_order_import(minor_status, sp, &ctx->order);
     if (ret)
-        goto failure;    
-    
+        goto failure;
+
     krb5_storage_free (sp);
 
+    _gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0);
+
     *context_handle = (gss_ctx_id_t)ctx;
 
     return GSS_S_COMPLETE;
diff --git a/lib/gssapi/krb5/indicate_mechs.c b/lib/gssapi/krb5/indicate_mechs.c
index eb886c24d347..620137884ae4 100644
--- a/lib/gssapi/krb5/indicate_mechs.c
+++ b/lib/gssapi/krb5/indicate_mechs.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: indicate_mechs.c 20688 2007-05-17 18:44:31Z lha $");
-
-OM_uint32 _gsskrb5_indicate_mechs
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_indicate_mechs
            (OM_uint32 * minor_status,
             gss_OID_set * mech_set
            )
diff --git a/lib/gssapi/krb5/init.c b/lib/gssapi/krb5/init.c
index 3bbdcc8ff1a2..3a22c33ed69f 100644
--- a/lib/gssapi/krb5/init.c
+++ b/lib/gssapi/krb5/init.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2001, 2003, 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2001, 2003, 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: init.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER;
 static int created_key;
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index 05f7978e4337..5f8b01b72707 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: init_sec_context.c 22071 2007-11-14 20:04:50Z lha $");
+#include "gsskrb5_locl.h"
 
 /*
  * copy the addresses from `input_chan_bindings' (if any) to
@@ -43,14 +41,14 @@ RCSID("$Id: init_sec_context.c 22071 2007-11-14 20:04:50Z lha $");
 static OM_uint32
 set_addresses (krb5_context context,
 	       krb5_auth_context ac,
-	       const gss_channel_bindings_t input_chan_bindings)	       
+	       const gss_channel_bindings_t input_chan_bindings)
 {
-    /* Port numbers are expected to be in application_data.value, 
-     * initator's port first */ 
+    /* Port numbers are expected to be in application_data.value,
+     * initator's port first */
 
     krb5_address initiator_addr, acceptor_addr;
     krb5_error_code kret;
-       
+
     if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS
 	|| input_chan_bindings->application_data.length !=
 	2 * sizeof(ac->local_port))
@@ -58,13 +56,13 @@ set_addresses (krb5_context context,
 
     memset(&initiator_addr, 0, sizeof(initiator_addr));
     memset(&acceptor_addr, 0, sizeof(acceptor_addr));
-       
+
     ac->local_port =
 	*(int16_t *) input_chan_bindings->application_data.value;
-       
+
     ac->remote_port =
 	*((int16_t *) input_chan_bindings->application_data.value + 1);
-       
+
     kret = _gsskrb5i_address_to_krb5addr(context,
 					 input_chan_bindings->acceptor_addrtype,
 					 &input_chan_bindings->acceptor_address,
@@ -72,7 +70,7 @@ set_addresses (krb5_context context,
 					 &acceptor_addr);
     if (kret)
 	return kret;
-           
+
     kret = _gsskrb5i_address_to_krb5addr(context,
 					 input_chan_bindings->initiator_addrtype,
 					 &input_chan_bindings->initiator_address,
@@ -82,15 +80,15 @@ set_addresses (krb5_context context,
 	krb5_free_address (context, &acceptor_addr);
 	return kret;
     }
-       
+
     kret = krb5_auth_con_setaddrs(context,
 				  ac,
 				  &initiator_addr,  /* local address */
 				  &acceptor_addr);  /* remote address */
-       
+
     krb5_free_address (context, &initiator_addr);
     krb5_free_address (context, &acceptor_addr);
-       
+
 #if 0
     free(input_chan_bindings->application_data.value);
     input_chan_bindings->application_data.value = NULL;
@@ -119,8 +117,11 @@ _gsskrb5_create_ctx(
 	return GSS_S_FAILURE;
     }
     ctx->auth_context		= NULL;
+    ctx->deleg_auth_context	= NULL;
     ctx->source			= NULL;
     ctx->target			= NULL;
+    ctx->kcred			= NULL;
+    ctx->ccache			= NULL;
     ctx->state			= state;
     ctx->flags			= 0;
     ctx->more_flags		= 0;
@@ -129,14 +130,21 @@ _gsskrb5_create_ctx(
     krb5_data_zero(&ctx->fwd_data);
     ctx->lifetime		= GSS_C_INDEFINITE;
     ctx->order			= NULL;
+    ctx->crypto			= NULL;
     HEIMDAL_MUTEX_init(&ctx->ctx_id_mutex);
 
     kret = krb5_auth_con_init (context, &ctx->auth_context);
     if (kret) {
 	*minor_status = kret;
+	HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
+	return GSS_S_FAILURE;
+    }
 
+    kret = krb5_auth_con_init (context, &ctx->deleg_auth_context);
+    if (kret) {
+	*minor_status = kret;
+	krb5_auth_con_free(context, ctx->auth_context);
 	HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
-		
 	return GSS_S_FAILURE;
     }
 
@@ -144,9 +152,22 @@ _gsskrb5_create_ctx(
     if (kret) {
 	*minor_status = kret;
 
+	krb5_auth_con_free(context, ctx->auth_context);
+	krb5_auth_con_free(context, ctx->deleg_auth_context);
+
 	HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
 
+	return GSS_S_BAD_BINDINGS;
+    }
+
+    kret = set_addresses(context, ctx->deleg_auth_context, input_chan_bindings);
+    if (kret) {
+	*minor_status = kret;
+
 	krb5_auth_con_free(context, ctx->auth_context);
+	krb5_auth_con_free(context, ctx->deleg_auth_context);
+
+	HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
 
 	return GSS_S_BAD_BINDINGS;
     }
@@ -161,6 +182,16 @@ _gsskrb5_create_ctx(
 			   KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
 			   NULL);
 
+    /*
+     * We need a sequence number
+     */
+
+    krb5_auth_con_addflags(context,
+			   ctx->deleg_auth_context,
+			   KRB5_AUTH_CONTEXT_DO_SEQUENCE |
+			   KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED,
+			   NULL);
+
     *context_handle = (gss_ctx_id_t)ctx;
 
     return GSS_S_COMPLETE;
@@ -173,17 +204,29 @@ gsskrb5_get_creds(
 	krb5_context context,
 	krb5_ccache ccache,
 	gsskrb5_ctx ctx,
-	krb5_const_principal target_name,
+	const gss_name_t target_name,
+	int use_dns,
 	OM_uint32 time_req,
-	OM_uint32 * time_rec,
-	krb5_creds ** cred)
+	OM_uint32 * time_rec)
 {
     OM_uint32 ret;
     krb5_error_code kret;
     krb5_creds this_cred;
     OM_uint32 lifetime_rec;
 
-    *cred = NULL;
+    if (ctx->target) {
+	krb5_free_principal(context, ctx->target);
+	ctx->target = NULL;
+    }
+    if (ctx->kcred) {
+	krb5_free_creds(context, ctx->kcred);
+	ctx->kcred = NULL;
+    }
+
+    ret = _gsskrb5_canon_name(minor_status, context, use_dns,
+			      ctx->source, target_name, &ctx->target);
+    if (ret)
+	return ret;
 
     memset(&this_cred, 0, sizeof(this_cred));
     this_cred.client = ctx->source;
@@ -204,13 +247,13 @@ gsskrb5_get_creds(
 				0,
 				ccache,
 				&this_cred,
-				cred);
+				&ctx->kcred);
     if (kret) {
 	*minor_status = kret;
 	return GSS_S_FAILURE;
     }
 
-    ctx->lifetime = (*cred)->times.endtime;
+    ctx->lifetime = ctx->kcred->times.endtime;
 
     ret = _gsskrb5_lifetime_left(minor_status, context,
 				 ctx->lifetime, &lifetime_rec);
@@ -232,27 +275,33 @@ gsskrb5_initiator_ready(
 	gsskrb5_ctx ctx,
 	krb5_context context)
 {
-	OM_uint32 ret;
-	int32_t seq_number;
-	int is_cfx = 0;
-	OM_uint32 flags = ctx->flags;
+    OM_uint32 ret;
+    int32_t seq_number;
+    int is_cfx = 0;
+    OM_uint32 flags = ctx->flags;
+
+    krb5_free_creds(context, ctx->kcred);
+    ctx->kcred = NULL;
 
-	krb5_auth_getremoteseqnumber (context,
-				      ctx->auth_context,
-				      &seq_number);
+    if (ctx->more_flags & CLOSE_CCACHE)
+	krb5_cc_close(context, ctx->ccache);
+    ctx->ccache = NULL;
 
-	_gsskrb5i_is_cfx(ctx, &is_cfx);
+    krb5_auth_con_getremoteseqnumber (context, ctx->auth_context, &seq_number);
 
-	ret = _gssapi_msg_order_create(minor_status,
-				       &ctx->order,
-				       _gssapi_msg_order_f(flags),
-				       seq_number, 0, is_cfx);
-	if (ret) return ret;
+    _gsskrb5i_is_cfx(context, ctx, 0);
+    is_cfx = (ctx->more_flags & IS_CFX);
 
-	ctx->state	= INITIATOR_READY;
-	ctx->more_flags	|= OPEN;
+    ret = _gssapi_msg_order_create(minor_status,
+				   &ctx->order,
+				   _gssapi_msg_order_f(flags),
+				   seq_number, 0, is_cfx);
+    if (ret) return ret;
 
-	return GSS_S_COMPLETE;
+    ctx->state	= INITIATOR_READY;
+    ctx->more_flags	|= OPEN;
+
+    return GSS_S_COMPLETE;
 }
 
 /*
@@ -266,39 +315,39 @@ do_delegation (krb5_context context,
 	       krb5_creds *cred,
 	       krb5_const_principal name,
 	       krb5_data *fwd_data,
+	       uint32_t flagmask,
 	       uint32_t *flags)
 {
     krb5_creds creds;
     KDCOptions fwd_flags;
     krb5_error_code kret;
-       
+
     memset (&creds, 0, sizeof(creds));
     krb5_data_zero (fwd_data);
-       
+
     kret = krb5_cc_get_principal(context, ccache, &creds.client);
-    if (kret) 
+    if (kret)
 	goto out;
-       
-    kret = krb5_build_principal(context,
-				&creds.server,
-				strlen(creds.client->realm),
-				creds.client->realm,
-				KRB5_TGS_NAME,
-				creds.client->realm,
-				NULL);
+
+    kret = krb5_make_principal(context,
+			       &creds.server,
+			       creds.client->realm,
+			       KRB5_TGS_NAME,
+			       creds.client->realm,
+			       NULL);
     if (kret)
-	goto out; 
-       
+	goto out;
+
     creds.times.endtime = 0;
-       
+
     memset(&fwd_flags, 0, sizeof(fwd_flags));
     fwd_flags.forwarded = 1;
     fwd_flags.forwardable = 1;
-       
+
     if ( /*target_name->name.name_type != KRB5_NT_SRV_HST ||*/
-	name->name.name_string.len < 2) 
+	name->name.name_string.len < 2)
 	goto out;
-       
+
     kret = krb5_get_forwarded_creds(context,
 				    ac,
 				    ccache,
@@ -306,13 +355,13 @@ do_delegation (krb5_context context,
 				    name->name.name_string.val[1],
 				    &creds,
 				    fwd_data);
-       
+
  out:
     if (kret)
-	*flags &= ~GSS_C_DELEG_FLAG;
+	*flags &= ~flagmask;
     else
-	*flags |= GSS_C_DELEG_FLAG;
-       
+	*flags |= flagmask;
+
     if (creds.client)
 	krb5_free_principal(context, creds.client);
     if (creds.server)
@@ -326,14 +375,13 @@ do_delegation (krb5_context context,
 static OM_uint32
 init_auth
 (OM_uint32 * minor_status,
- gsskrb5_cred initiator_cred_handle,
+ gsskrb5_cred cred,
  gsskrb5_ctx ctx,
  krb5_context context,
- krb5_const_principal name,
+ gss_name_t name,
  const gss_OID mech_type,
  OM_uint32 req_flags,
  OM_uint32 time_req,
- const gss_channel_bindings_t input_chan_bindings,
  const gss_buffer_t input_token,
  gss_OID * actual_mech_type,
  gss_buffer_t output_token,
@@ -343,16 +391,10 @@ init_auth
 {
     OM_uint32 ret = GSS_S_FAILURE;
     krb5_error_code kret;
-    krb5_flags ap_options;
-    krb5_creds *cred = NULL;
     krb5_data outbuf;
-    krb5_ccache ccache = NULL;
-    uint32_t flags;
-    krb5_data authenticator;
-    Checksum cksum;
-    krb5_enctype enctype;
     krb5_data fwd_data;
     OM_uint32 lifetime_rec;
+    int allow_dns = 1;
 
     krb5_data_zero(&outbuf);
     krb5_data_zero(&fwd_data);
@@ -362,35 +404,24 @@ init_auth
     if (actual_mech_type)
 	*actual_mech_type = GSS_KRB5_MECHANISM;
 
-    if (initiator_cred_handle == NULL) {
-	kret = krb5_cc_default (context, &ccache);
+    if (cred == NULL) {
+	kret = krb5_cc_default (context, &ctx->ccache);
 	if (kret) {
 	    *minor_status = kret;
 	    ret = GSS_S_FAILURE;
 	    goto failure;
 	}
+	ctx->more_flags |= CLOSE_CCACHE;
     } else
-	ccache = initiator_cred_handle->ccache;
-
-    kret = krb5_cc_get_principal (context, ccache, &ctx->source);
-    if (kret) {
-	*minor_status = kret;
-	ret = GSS_S_FAILURE;
-	goto failure;
-    }
+	ctx->ccache = cred->ccache;
 
-    kret = krb5_copy_principal (context, name, &ctx->target);
+    kret = krb5_cc_get_principal (context, ctx->ccache, &ctx->source);
     if (kret) {
 	*minor_status = kret;
 	ret = GSS_S_FAILURE;
 	goto failure;
     }
 
-    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
-    if (ret)
-	goto failure;
-
-
     /*
      * This is hideous glue for (NFS) clients that wants to limit the
      * available enctypes to what it can support (encryption in
@@ -400,31 +431,49 @@ init_auth
     {
 	krb5_enctype *enctypes = NULL;
 
-	if (initiator_cred_handle && initiator_cred_handle->enctypes)
-	    enctypes = initiator_cred_handle->enctypes;
+	if (cred && cred->enctypes)
+	    enctypes = cred->enctypes;
 	krb5_set_default_in_tkt_etypes(context, enctypes);
     }
 
-    ret = gsskrb5_get_creds(minor_status,
-			    context,
-			    ccache,
-			    ctx,
-			    ctx->target,
-			    time_req,
-			    time_rec,
-			    &cred);
+    /* canon name if needed for client + target realm */
+    kret = krb5_cc_get_config(context, ctx->ccache, NULL,
+			      "realm-config", &outbuf);
+    if (kret == 0) {
+	/* XXX 2 is no server canon */
+	if (outbuf.length < 1 || ((((unsigned char *)outbuf.data)[0]) & 2))
+	    allow_dns = 0;
+	krb5_data_free(&outbuf);
+    }
+
+    /*
+     * First we try w/o dns, hope that the KDC have register alias
+     * (and referrals if cross realm) for this principal. If that
+     * fails and if we are allowed to using this realm try again with
+     * DNS canonicalizion.
+     */
+    ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
+			    ctx, name, 0, time_req,
+			    time_rec);
+    if (ret && allow_dns)
+	ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
+				ctx, name, 1, time_req,
+				time_rec);
     if (ret)
 	goto failure;
 
-    ctx->lifetime = cred->times.endtime;
+    ctx->lifetime = ctx->kcred->times.endtime;
+
+    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+    if (ret)
+	goto failure;
 
     ret = _gsskrb5_lifetime_left(minor_status,
 				 context,
 				 ctx->lifetime,
 				 &lifetime_rec);
-    if (ret) {
+    if (ret)
 	goto failure;
-    }
 
     if (lifetime_rec == 0) {
 	*minor_status = 0;
@@ -432,54 +481,112 @@ init_auth
 	goto failure;
     }
 
-    krb5_auth_con_setkey(context, 
-			 ctx->auth_context, 
-			 &cred->session);
+    krb5_auth_con_setkey(context,
+			 ctx->auth_context,
+			 &ctx->kcred->session);
 
-    kret = krb5_auth_con_generatelocalsubkey(context, 
+    kret = krb5_auth_con_generatelocalsubkey(context,
 					     ctx->auth_context,
-					     &cred->session);
+					     &ctx->kcred->session);
     if(kret) {
 	*minor_status = kret;
 	ret = GSS_S_FAILURE;
 	goto failure;
     }
-    
-    /* 
-     * If the credential doesn't have ok-as-delegate, check what local
-     * policy say about ok-as-delegate, default is FALSE that makes
-     * code ignore the KDC setting and follow what the application
-     * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
-     * KDC doesn't set ok-as-delegate.
+
+    return GSS_S_COMPLETE;
+
+failure:
+    if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
+	krb5_cc_close(context, ctx->ccache);
+    ctx->ccache = NULL;
+
+    return ret;
+
+}
+
+static OM_uint32
+init_auth_restart
+(OM_uint32 * minor_status,
+ gsskrb5_cred cred,
+ gsskrb5_ctx ctx,
+ krb5_context context,
+ OM_uint32 req_flags,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
+{
+    OM_uint32 ret = GSS_S_FAILURE;
+    krb5_error_code kret;
+    krb5_flags ap_options;
+    krb5_data outbuf;
+    uint32_t flags;
+    krb5_data authenticator;
+    Checksum cksum;
+    krb5_enctype enctype;
+    krb5_data fwd_data, timedata;
+    int32_t offset = 0, oldoffset = 0;
+    uint32_t flagmask;
+
+    krb5_data_zero(&outbuf);
+    krb5_data_zero(&fwd_data);
+
+    *minor_status = 0;
+
+    /*
+     * If the credential doesn't have ok-as-delegate, check if there
+     * is a realm setting and use that.
      */
-    if (!cred->flags.b.ok_as_delegate) {
-	krb5_boolean delegate;
-    
-	krb5_appdefault_boolean(context,
-				"gssapi", name->realm,
-				"ok-as-delegate", FALSE, &delegate);
-	if (delegate)
-	    req_flags &= ~GSS_C_DELEG_FLAG;
+    if (!ctx->kcred->flags.b.ok_as_delegate) {
+	krb5_data data;
+
+	ret = krb5_cc_get_config(context, ctx->ccache, NULL,
+				 "realm-config", &data);
+	if (ret == 0) {
+	    /* XXX 1 is use ok-as-delegate */
+	    if (data.length < 1 || ((((unsigned char *)data.data)[0]) & 1) == 0)
+		req_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+	    krb5_data_free(&data);
+	}
     }
 
+    flagmask = 0;
+
+    /* if we used GSS_C_DELEG_POLICY_FLAG, trust KDC */
+    if ((req_flags & GSS_C_DELEG_POLICY_FLAG)
+	&& ctx->kcred->flags.b.ok_as_delegate)
+	flagmask |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
+    /* if there still is a GSS_C_DELEG_FLAG, use that */
+    if (req_flags & GSS_C_DELEG_FLAG)
+	flagmask |= GSS_C_DELEG_FLAG;
+
+
     flags = 0;
     ap_options = 0;
-    if (req_flags & GSS_C_DELEG_FLAG)
+    if (flagmask & GSS_C_DELEG_FLAG) {
 	do_delegation (context,
-		       ctx->auth_context,
-		       ccache, cred, name, &fwd_data, &flags);
-    
+		       ctx->deleg_auth_context,
+		       ctx->ccache, ctx->kcred, ctx->target,
+		       &fwd_data, flagmask, &flags);
+    }
+
     if (req_flags & GSS_C_MUTUAL_FLAG) {
 	flags |= GSS_C_MUTUAL_FLAG;
 	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
     }
-    
+
     if (req_flags & GSS_C_REPLAY_FLAG)
 	flags |= GSS_C_REPLAY_FLAG;
     if (req_flags & GSS_C_SEQUENCE_FLAG)
 	flags |= GSS_C_SEQUENCE_FLAG;
+#if 0
     if (req_flags & GSS_C_ANON_FLAG)
 	;                               /* XXX */
+#endif
     if (req_flags & GSS_C_DCE_STYLE) {
 	/* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
 	flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG;
@@ -490,15 +597,23 @@ init_auth
     if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
 	flags |= GSS_C_EXTENDED_ERROR_FLAG;
 
-    flags |= GSS_C_CONF_FLAG;
-    flags |= GSS_C_INTEG_FLAG;
+    if (req_flags & GSS_C_CONF_FLAG) {
+	flags |= GSS_C_CONF_FLAG;
+    }
+    if (req_flags & GSS_C_INTEG_FLAG) {
+	flags |= GSS_C_INTEG_FLAG;
+    }
+    if (cred == NULL || !(cred->cred_flags & GSS_CF_NO_CI_FLAGS)) {
+	flags |= GSS_C_CONF_FLAG;
+	flags |= GSS_C_INTEG_FLAG;
+    }
     flags |= GSS_C_TRANS_FLAG;
-    
+
     if (ret_flags)
 	*ret_flags = flags;
     ctx->flags = flags;
     ctx->more_flags |= LOCAL;
-    
+
     ret = _gsskrb5_create_8003_checksum (minor_status,
 					 input_chan_bindings,
 					 flags,
@@ -510,16 +625,32 @@ init_auth
 
     enctype = ctx->auth_context->keyblock->keytype;
 
-    kret = krb5_build_authenticator (context,
+    ret = krb5_cc_get_config(context, ctx->ccache, ctx->target,
+			     "time-offset", &timedata);
+    if (ret == 0) {
+	if (timedata.length == 4) {
+	    const u_char *p = timedata.data;
+	    offset = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
+	}
+	krb5_data_free(&timedata);
+    }
+
+    if (offset) {
+	krb5_get_kdc_sec_offset (context, &oldoffset, NULL);
+	krb5_set_kdc_sec_offset (context, offset, -1);
+    }
+
+    kret = _krb5_build_authenticator(context,
 				     ctx->auth_context,
 				     enctype,
-				     cred,
+				     ctx->kcred,
 				     &cksum,
-				     NULL,
 				     &authenticator,
 				     KRB5_KU_AP_REQ_AUTH);
 
     if (kret) {
+	if (offset)
+	    krb5_set_kdc_sec_offset (context, oldoffset, -1);
 	*minor_status = kret;
 	ret = GSS_S_FAILURE;
 	goto failure;
@@ -527,27 +658,31 @@ init_auth
 
     kret = krb5_build_ap_req (context,
 			      enctype,
-			      cred,
+			      ctx->kcred,
 			      ap_options,
 			      authenticator,
 			      &outbuf);
-
+    if (offset)
+	krb5_set_kdc_sec_offset (context, oldoffset, -1);
     if (kret) {
 	*minor_status = kret;
 	ret = GSS_S_FAILURE;
 	goto failure;
     }
 
-    ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
-				   (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
-    if (ret)
-	goto failure;
+    if (flags & GSS_C_DCE_STYLE) {
+	output_token->value = outbuf.data;
+	output_token->length = outbuf.length;
+    } else {
+        ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
+				    (u_char *)(intptr_t)"\x01\x00",
+				    GSS_KRB5_MECHANISM);
+	krb5_data_free (&outbuf);
+	if (ret)
+	    goto failure;
+    }
 
-    krb5_data_free (&outbuf);
-    krb5_free_creds(context, cred);
     free_Checksum(&cksum);
-    if (initiator_cred_handle == NULL)
-	krb5_cc_close(context, ccache);
 
     if (flags & GSS_C_MUTUAL_FLAG) {
 	ctx->state = INITIATOR_WAIT_FOR_MUTAL;
@@ -556,15 +691,52 @@ init_auth
 
     return gsskrb5_initiator_ready(minor_status, ctx, context);
 failure:
-    if(cred)
-	krb5_free_creds(context, cred);
-    if (ccache && initiator_cred_handle == NULL)
-	krb5_cc_close(context, ccache);
+    if (ctx->ccache && (ctx->more_flags & CLOSE_CCACHE))
+	krb5_cc_close(context, ctx->ccache);
+    ctx->ccache = NULL;
 
     return ret;
+}
+
+static krb5_error_code
+handle_error_packet(krb5_context context,
+		    gsskrb5_ctx ctx,
+		    krb5_data indata)
+{
+    krb5_error_code kret;
+    KRB_ERROR error;
 
+    kret = krb5_rd_error(context, &indata, &error);
+    if (kret == 0) {
+	kret = krb5_error_from_rd_error(context, &error, NULL);
+
+	/* save the time skrew for this host */
+	if (kret == KRB5KRB_AP_ERR_SKEW) {
+	    krb5_data timedata;
+	    unsigned char p[4];
+	    int32_t t = error.stime - time(NULL);
+
+	    p[0] = (t >> 24) & 0xFF;
+	    p[1] = (t >> 16) & 0xFF;
+	    p[2] = (t >> 8)  & 0xFF;
+	    p[3] = (t >> 0)  & 0xFF;
+
+	    timedata.data = p;
+	    timedata.length = sizeof(p);
+
+	    krb5_cc_set_config(context, ctx->ccache, ctx->target,
+			       "time-offset", &timedata);
+
+	    if ((ctx->more_flags & RETRIED) == 0)
+		 ctx->state = INITIATOR_RESTART;
+	    ctx->more_flags |= RETRIED;
+	}
+	free_KRB_ERROR (&error);
+    }
+    return kret;
 }
 
+
 static OM_uint32
 repl_mutual
 (OM_uint32 * minor_status,
@@ -585,7 +757,6 @@ repl_mutual
     krb5_error_code kret;
     krb5_data indata;
     krb5_ap_rep_enc_part *repl;
-    int is_cfx = 0;
 
     output_token->length = 0;
     output_token->value = NULL;
@@ -593,46 +764,57 @@ repl_mutual
     if (actual_mech_type)
 	*actual_mech_type = GSS_KRB5_MECHANISM;
 
-    if (ctx->flags & GSS_C_DCE_STYLE) {
+    if (IS_DCE_STYLE(ctx)) {
 	/* There is no OID wrapping. */
 	indata.length	= input_token->length;
 	indata.data	= input_token->value;
+	kret = krb5_rd_rep(context,
+			   ctx->auth_context,
+			   &indata,
+			   &repl);
+	if (kret) {
+	    ret = _gsskrb5_decapsulate(minor_status,
+				       input_token,
+				       &indata,
+				       "\x03\x00",
+				       GSS_KRB5_MECHANISM);
+	    if (ret == GSS_S_COMPLETE) {
+		*minor_status = handle_error_packet(context, ctx, indata);
+	    } else {
+		*minor_status = kret;
+	    }
+	    return GSS_S_FAILURE;
+	}
     } else {
 	ret = _gsskrb5_decapsulate (minor_status,
 				    input_token,
 				    &indata,
 				    "\x02\x00",
 				    GSS_KRB5_MECHANISM);
-	if (ret) {
-	    /* XXX - Handle AP_ERROR */
-	    return ret;
+	if (ret == GSS_S_DEFECTIVE_TOKEN) {
+	    /* check if there is an error token sent instead */
+	    ret = _gsskrb5_decapsulate (minor_status,
+					input_token,
+					&indata,
+					"\x03\x00",
+					GSS_KRB5_MECHANISM);
+	    if (ret == GSS_S_COMPLETE) {
+		*minor_status = handle_error_packet(context, ctx, indata);
+		return GSS_S_FAILURE;
+	    }
+	}
+	kret = krb5_rd_rep (context,
+			    ctx->auth_context,
+			    &indata,
+			    &repl);
+	if (kret) {
+	    *minor_status = kret;
+	    return GSS_S_FAILURE;
 	}
     }
 
-    kret = krb5_rd_rep (context,
-			ctx->auth_context,
-			&indata,
-			&repl);
-    if (kret) {
-	*minor_status = kret;
-	return GSS_S_FAILURE;
-    }
     krb5_free_ap_rep_enc_part (context,
 			       repl);
-    
-    _gsskrb5i_is_cfx(ctx, &is_cfx);
-    if (is_cfx) {
-	krb5_keyblock *key = NULL;
-
-	kret = krb5_auth_con_getremotesubkey(context,
-					     ctx->auth_context, 
-					     &key);
-	if (kret == 0 && key != NULL) {
-    	    ctx->more_flags |= ACCEPTOR_SUBKEY;
-	    krb5_free_keyblock (context, key);
-	}
-    }
-
 
     *minor_status = 0;
     if (time_rec) {
@@ -647,30 +829,31 @@ repl_mutual
 	*ret_flags = ctx->flags;
 
     if (req_flags & GSS_C_DCE_STYLE) {
-	int32_t con_flags;
+	int32_t local_seq, remote_seq;
 	krb5_data outbuf;
 
-	/* Do don't do sequence number for the mk-rep */
-	krb5_auth_con_removeflags(context,
-				  ctx->auth_context,
-				  KRB5_AUTH_CONTEXT_DO_SEQUENCE,
-				  &con_flags);
+	/*
+	 * So DCE_STYLE is strange. The client echos the seq number
+	 * that the server used in the server's mk_rep in its own
+	 * mk_rep(). After when done, it resets to it's own seq number
+	 * for the gss_wrap calls.
+	 */
 
-	kret = krb5_mk_rep(context,
-			   ctx->auth_context,
-			   &outbuf);
+	krb5_auth_con_getremoteseqnumber(context, ctx->auth_context, &remote_seq);
+	krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &local_seq);
+	krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, remote_seq);
+
+	kret = krb5_mk_rep(context, ctx->auth_context, &outbuf);
 	if (kret) {
 	    *minor_status = kret;
 	    return GSS_S_FAILURE;
 	}
-	
+
+	/* reset local seq number */
+	krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
+
 	output_token->length = outbuf.length;
 	output_token->value  = outbuf.data;
-
-	krb5_auth_con_removeflags(context,
-				  ctx->auth_context,
-				  KRB5_AUTH_CONTEXT_DO_SEQUENCE,
-				  NULL);
     }
 
     return gsskrb5_initiator_ready(minor_status, ctx, context);
@@ -680,9 +863,9 @@ repl_mutual
  * gss_init_sec_context
  */
 
-OM_uint32 _gsskrb5_init_sec_context
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
 (OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ const gss_cred_id_t cred_handle,
  gss_ctx_id_t * context_handle,
  const gss_name_t target_name,
  const gss_OID mech_type,
@@ -697,8 +880,7 @@ OM_uint32 _gsskrb5_init_sec_context
     )
 {
     krb5_context context;
-    gsskrb5_cred cred = (gsskrb5_cred)initiator_cred_handle;
-    krb5_const_principal name = (krb5_const_principal)target_name;
+    gsskrb5_cred cred = (gsskrb5_cred)cred_handle;
     gsskrb5_ctx ctx;
     OM_uint32 ret;
 
@@ -724,25 +906,25 @@ OM_uint32 _gsskrb5_init_sec_context
 	return GSS_S_BAD_NAME;
     }
 
-    if (mech_type != GSS_C_NO_OID && 
+    if (mech_type != GSS_C_NO_OID &&
 	!gss_oid_equal(mech_type, GSS_KRB5_MECHANISM))
 	return GSS_S_BAD_MECH;
 
     if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
-	OM_uint32 ret;
+	OM_uint32 ret1;
 
 	if (*context_handle != GSS_C_NO_CONTEXT) {
 	    *minor_status = 0;
 	    return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
 	}
-    
-	ret = _gsskrb5_create_ctx(minor_status,
+
+	ret1 = _gsskrb5_create_ctx(minor_status,
 				  context_handle,
 				  context,
 				  input_chan_bindings,
 				  INITIATOR_START);
-	if (ret)
-	    return ret;
+	if (ret1)
+	    return ret1;
     }
 
     if (*context_handle == GSS_C_NO_CONTEXT) {
@@ -754,22 +936,37 @@ OM_uint32 _gsskrb5_init_sec_context
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
+ again:
     switch (ctx->state) {
     case INITIATOR_START:
 	ret = init_auth(minor_status,
 			cred,
 			ctx,
 			context,
-			name,
+			target_name,
 			mech_type,
 			req_flags,
 			time_req,
-			input_chan_bindings,
 			input_token,
 			actual_mech_type,
 			output_token,
 			ret_flags,
 			time_rec);
+	if (ret != GSS_S_COMPLETE)
+	    break;
+	/* FALL THOUGH */
+    case INITIATOR_RESTART:
+	ret = init_auth_restart(minor_status,
+				cred,
+				ctx,
+				context,
+				req_flags,
+				input_chan_bindings,
+				input_token,
+				actual_mech_type,
+				output_token,
+				ret_flags,
+				time_rec);
 	break;
     case INITIATOR_WAIT_FOR_MUTAL:
 	ret = repl_mutual(minor_status,
@@ -784,17 +981,24 @@ OM_uint32 _gsskrb5_init_sec_context
 			  output_token,
 			  ret_flags,
 			  time_rec);
+	if (ctx->state == INITIATOR_RESTART)
+	    goto again;
 	break;
     case INITIATOR_READY:
-	/* 
+	/*
 	 * If we get there, the caller have called
 	 * gss_init_sec_context() one time too many.
 	 */
-	*minor_status = 0;
+	_gsskrb5_set_status(EINVAL, "init_sec_context "
+			    "called one time too many");
+	*minor_status = EINVAL;
 	ret = GSS_S_BAD_STATUS;
 	break;
     default:
-	*minor_status = 0;
+	_gsskrb5_set_status(EINVAL, "init_sec_context "
+			    "invalid state %d for client",
+			    (int)ctx->state);
+	*minor_status = EINVAL;
 	ret = GSS_S_BAD_STATUS;
 	break;
     }
diff --git a/lib/gssapi/krb5/inquire_context.c b/lib/gssapi/krb5/inquire_context.c
index 41430568b005..ade8ec4b9cb6 100644
--- a/lib/gssapi/krb5/inquire_context.c
+++ b/lib/gssapi/krb5/inquire_context.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: inquire_context.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_inquire_context (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_context (
     OM_uint32 * minor_status,
 	const gss_ctx_id_t context_handle,
 	gss_name_t * src_name,
@@ -76,7 +74,7 @@ OM_uint32 _gsskrb5_inquire_context (
     }
 
     if (lifetime_rec) {
-	ret = _gsskrb5_lifetime_left(minor_status, 
+	ret = _gsskrb5_lifetime_left(minor_status,
 				     context,
 				     ctx->lifetime,
 				     lifetime_rec);
diff --git a/lib/gssapi/krb5/inquire_cred.c b/lib/gssapi/krb5/inquire_cred.c
index 47bf71e686ff..f88199692cd7 100644
--- a/lib/gssapi/krb5/inquire_cred.c
+++ b/lib/gssapi/krb5/inquire_cred.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: inquire_cred.c 20688 2007-05-17 18:44:31Z lha $");
-
-OM_uint32 _gsskrb5_inquire_cred
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred
 (OM_uint32 * minor_status,
  const gss_cred_id_t cred_handle,
  gss_name_t * output_name,
@@ -60,7 +58,7 @@ OM_uint32 _gsskrb5_inquire_cred
     GSSAPI_KRB5_INIT (&context);
 
     if (cred_handle == GSS_C_NO_CREDENTIAL) {
-	ret = _gsskrb5_acquire_cred(minor_status, 
+	ret = _gsskrb5_acquire_cred(minor_status,
 				    GSS_C_NO_NAME,
 				    GSS_C_INDEFINITE,
 				    GSS_C_NO_OID_SET,
@@ -71,7 +69,7 @@ OM_uint32 _gsskrb5_inquire_cred
 	if (ret == GSS_S_COMPLETE)
 	    acred = (gsskrb5_cred)aqcred_accept;
 
-	ret = _gsskrb5_acquire_cred(minor_status, 
+	ret = _gsskrb5_acquire_cred(minor_status,
 				    GSS_C_NO_NAME,
 				    GSS_C_INDEFINITE,
 				    GSS_C_NO_OID_SET,
@@ -97,19 +95,19 @@ OM_uint32 _gsskrb5_inquire_cred
     if (output_name != NULL) {
 	if (icred && icred->principal != NULL) {
 	    gss_name_t name;
-	    
+
 	    if (acred && acred->principal)
 		name = (gss_name_t)acred->principal;
 	    else
 		name = (gss_name_t)icred->principal;
-		
+
             ret = _gsskrb5_duplicate_name(minor_status, name, output_name);
             if (ret)
 		goto out;
 	} else if (acred && acred->usage == GSS_C_ACCEPT) {
 	    krb5_principal princ;
 	    *minor_status = krb5_sname_to_principal(context, NULL,
-						    NULL, KRB5_NT_SRV_HST, 
+						    NULL, KRB5_NT_SRV_HST,
 						    &princ);
 	    if (*minor_status) {
 		ret = GSS_S_FAILURE;
@@ -133,7 +131,7 @@ OM_uint32 _gsskrb5_inquire_cred
 	if (acred) alife = acred->lifetime;
 	if (icred) ilife = icred->lifetime;
 
-	ret = _gsskrb5_lifetime_left(minor_status, 
+	ret = _gsskrb5_lifetime_left(minor_status,
 				     context,
 				     min(alife,ilife),
 				     lifetime);
diff --git a/lib/gssapi/krb5/inquire_cred_by_mech.c b/lib/gssapi/krb5/inquire_cred_by_mech.c
index a8af2145bea8..7bd9c11c6056 100644
--- a/lib/gssapi/krb5/inquire_cred_by_mech.c
+++ b/lib/gssapi/krb5/inquire_cred_by_mech.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2003, 2006, 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003, 2006, 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: inquire_cred_by_mech.c 20634 2007-05-09 15:33:01Z lha $");
-
-OM_uint32 _gsskrb5_inquire_cred_by_mech (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred_by_mech (
     OM_uint32 * minor_status,
 	const gss_cred_id_t cred_handle,
 	const gss_OID mech_type,
@@ -49,7 +47,7 @@ OM_uint32 _gsskrb5_inquire_cred_by_mech (
     OM_uint32 maj_stat;
     OM_uint32 lifetime;
 
-    maj_stat = 
+    maj_stat =
 	_gsskrb5_inquire_cred (minor_status, cred_handle,
 			       name, &lifetime, &usage, NULL);
     if (maj_stat)
@@ -61,7 +59,7 @@ OM_uint32 _gsskrb5_inquire_cred_by_mech (
 	else
 	    *initiator_lifetime = 0;
     }
-   
+
     if (acceptor_lifetime) {
 	if (usage == GSS_C_ACCEPT || usage == GSS_C_BOTH)
 	    *acceptor_lifetime = lifetime;
diff --git a/lib/gssapi/krb5/inquire_cred_by_oid.c b/lib/gssapi/krb5/inquire_cred_by_oid.c
index da50b11d934a..d560ed4ba1c6 100644
--- a/lib/gssapi/krb5/inquire_cred_by_oid.c
+++ b/lib/gssapi/krb5/inquire_cred_by_oid.c
@@ -30,11 +30,9 @@
  * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: inquire_cred_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_inquire_cred_by_oid
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred_by_oid
 	   (OM_uint32 * minor_status,
 	    const gss_cred_id_t cred_handle,
 	    const gss_OID desired_object,
diff --git a/lib/gssapi/krb5/inquire_mechs_for_name.c b/lib/gssapi/krb5/inquire_mechs_for_name.c
index 0ce051f19c0c..6197a81b40a7 100644
--- a/lib/gssapi/krb5/inquire_mechs_for_name.c
+++ b/lib/gssapi/krb5/inquire_mechs_for_name.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: inquire_mechs_for_name.c 20688 2007-05-17 18:44:31Z lha $");
-
-OM_uint32 _gsskrb5_inquire_mechs_for_name (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_mechs_for_name (
             OM_uint32 * minor_status,
             const gss_name_t input_name,
             gss_OID_set * mech_types
diff --git a/lib/gssapi/krb5/inquire_names_for_mech.c b/lib/gssapi/krb5/inquire_names_for_mech.c
index 64abd3c34a9f..65bd49c971ba 100644
--- a/lib/gssapi/krb5/inquire_names_for_mech.c
+++ b/lib/gssapi/krb5/inquire_names_for_mech.c
@@ -1,50 +1,47 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: inquire_names_for_mech.c 20688 2007-05-17 18:44:31Z lha $");
-
-
-static gss_OID *name_list[] = {
-    &GSS_C_NT_HOSTBASED_SERVICE,
-    &GSS_C_NT_USER_NAME,
-    &GSS_KRB5_NT_PRINCIPAL_NAME,
-    &GSS_C_NT_EXPORT_NAME,
+static gss_OID name_list[] = {
+    GSS_C_NT_HOSTBASED_SERVICE,
+    GSS_C_NT_USER_NAME,
+    GSS_KRB5_NT_PRINCIPAL_NAME,
+    GSS_C_NT_EXPORT_NAME,
     NULL
 };
 
-OM_uint32 _gsskrb5_inquire_names_for_mech (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_names_for_mech (
             OM_uint32 * minor_status,
             const gss_OID mechanism,
             gss_OID_set * name_types
@@ -64,10 +61,10 @@ OM_uint32 _gsskrb5_inquire_names_for_mech (
     ret = gss_create_empty_oid_set(minor_status, name_types);
     if (ret != GSS_S_COMPLETE)
 	return ret;
-    
+
     for (i = 0; name_list[i] != NULL; i++) {
-	ret = gss_add_oid_set_member(minor_status, 
-				     *(name_list[i]),
+	ret = gss_add_oid_set_member(minor_status,
+				     name_list[i],
 				     name_types);
 	if (ret != GSS_S_COMPLETE)
 	    break;
@@ -75,6 +72,6 @@ OM_uint32 _gsskrb5_inquire_names_for_mech (
 
     if (ret != GSS_S_COMPLETE)
 	gss_release_oid_set(NULL, name_types);
-	
+
     return GSS_S_COMPLETE;
 }
diff --git a/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/lib/gssapi/krb5/inquire_sec_context_by_oid.c
index 5ca7536e6a39..b57217a4e830 100644
--- a/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -30,9 +30,7 @@
  * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: inquire_sec_context_by_oid.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 static int
 oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
@@ -40,7 +38,7 @@ oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
     int ret;
     heim_oid oid;
     heim_oid prefix;
- 
+
     *suffix = 0;
 
     ret = der_get_oid(oid_enc->elements, oid_enc->length,
@@ -84,7 +82,7 @@ static OM_uint32 inquire_sec_context_tkt_flags
 
     if (context_handle->ticket == NULL) {
 	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-	_gsskrb5_set_status("No ticket from which to obtain flags");
+	_gsskrb5_set_status(EINVAL, "No ticket from which to obtain flags");
 	*minor_status = EINVAL;
 	return GSS_S_BAD_MECH;
     }
@@ -137,15 +135,15 @@ static OM_uint32 inquire_sec_context_get_subkey
 	ret = _gsskrb5i_get_token_key(context_handle, context, &key);
 	break;
     default:
-	_gsskrb5_set_status("%d is not a valid subkey type", keytype);
+	_gsskrb5_set_status(EINVAL, "%d is not a valid subkey type", keytype);
 	ret = EINVAL;
 	break;
    }
     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
-    if (ret) 
+    if (ret)
 	goto out;
     if (key == NULL) {
-	_gsskrb5_set_status("have no subkey of type %d", keytype);
+	_gsskrb5_set_status(EINVAL, "have no subkey of type %d", keytype);
 	ret = EINVAL;
 	goto out;
     }
@@ -161,10 +159,10 @@ static OM_uint32 inquire_sec_context_get_subkey
 
     {
 	gss_buffer_desc value;
-	
+
 	value.length = data.length;
 	value.value = data.data;
-	
+
 	maj_stat = gss_add_buffer_set_member(minor_status,
 					     &value,
 					     data_set);
@@ -181,6 +179,46 @@ out:
     return maj_stat;
 }
 
+static OM_uint32 inquire_sec_context_get_sspi_session_key
+            (OM_uint32 *minor_status,
+             const gsskrb5_ctx context_handle,
+             krb5_context context,
+             gss_buffer_set_t *data_set)
+{
+    krb5_keyblock *key;
+    OM_uint32 maj_stat = GSS_S_COMPLETE;
+    krb5_error_code ret;
+    gss_buffer_desc value;
+
+    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+    ret = _gsskrb5i_get_token_key(context_handle, context, &key);
+    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+    if (ret)
+        goto out;
+    if (key == NULL) {
+        ret = EINVAL;
+        goto out;
+    }
+
+    value.length = key->keyvalue.length;
+    value.value = key->keyvalue.data;
+
+    maj_stat = gss_add_buffer_set_member(minor_status,
+                                         &value,
+                                         data_set);
+    krb5_free_keyblock(context, key);
+
+    /* MIT also returns the enctype encoded as an OID in data_set[1] */
+
+out:
+    if (ret) {
+        *minor_status = ret;
+        maj_stat = GSS_S_FAILURE;
+    }
+    return maj_stat;
+}
+
 static OM_uint32 inquire_sec_context_authz_data
            (OM_uint32 *minor_status,
             const gsskrb5_ctx context_handle,
@@ -199,7 +237,7 @@ static OM_uint32 inquire_sec_context_authz_data
     if (context_handle->ticket == NULL) {
 	HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
 	*minor_status = EINVAL;
-	_gsskrb5_set_status("No ticket to obtain authz data from");
+	_gsskrb5_set_status(EINVAL, "No ticket to obtain authz data from");
 	return GSS_S_NO_CONTEXT;
     }
 
@@ -242,7 +280,7 @@ static OM_uint32 inquire_sec_context_has_updated_spnego
      * mechanism.
      */
     HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-    _gsskrb5i_is_cfx(context_handle, &is_updated);
+    is_updated = (context_handle->more_flags & IS_CFX);
     if (is_updated == 0) {
 	krb5_keyblock *acceptor_subkey;
 
@@ -277,12 +315,12 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
     int32_t number;
     int is_cfx;
     krb5_data data;
-    
+
     *minor_status = 0;
 
     HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 
-    _gsskrb5i_is_cfx(context_handle, &is_cfx);
+    is_cfx = (context_handle->more_flags & IS_CFX);
 
     sp = krb5_storage_emem();
     if (sp == NULL) {
@@ -301,12 +339,16 @@ export_lucid_sec_context_v1(OM_uint32 *minor_status,
 				     context_handle->auth_context,
 				     &number);
     ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
+    if (ret) goto out;
     ret = krb5_store_uint32(sp, (uint32_t)number);
-    krb5_auth_getremoteseqnumber (context,
-				  context_handle->auth_context,
-				  &number);
+    if (ret) goto out;
+    krb5_auth_con_getremoteseqnumber (context,
+				      context_handle->auth_context,
+				      &number);
     ret = krb5_store_uint32(sp, (uint32_t)0); /* store top half as zero */
+    if (ret) goto out;
     ret = krb5_store_uint32(sp, (uint32_t)number);
+    if (ret) goto out;
     ret = krb5_store_int32(sp, (is_cfx) ? 1 : 0);
     if (ret) goto out;
 
@@ -390,7 +432,7 @@ out:
 
 static OM_uint32
 get_authtime(OM_uint32 *minor_status,
-	     gsskrb5_ctx ctx, 
+	     gsskrb5_ctx ctx,
 	     gss_buffer_set_t *data_set)
 
 {
@@ -401,13 +443,13 @@ get_authtime(OM_uint32 *minor_status,
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
     if (ctx->ticket == NULL) {
 	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-	_gsskrb5_set_status("No ticket to obtain auth time from");
+	_gsskrb5_set_status(EINVAL, "No ticket to obtain auth time from");
 	*minor_status = EINVAL;
 	return GSS_S_FAILURE;
     }
-    
+
     authtime = ctx->ticket->ticket.authtime;
-    
+
     HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 
     _gsskrb5_encode_om_uint32(authtime, buf);
@@ -420,17 +462,17 @@ get_authtime(OM_uint32 *minor_status,
 }
 
 
-static OM_uint32 
+static OM_uint32
 get_service_keyblock
         (OM_uint32 *minor_status,
-	 gsskrb5_ctx ctx, 
+	 gsskrb5_ctx ctx,
 	 gss_buffer_set_t *data_set)
 {
     krb5_storage *sp = NULL;
     krb5_data data;
     OM_uint32 maj_stat = GSS_S_COMPLETE;
     krb5_error_code ret = EINVAL;
-    
+
     sp = krb5_storage_emem();
     if (sp == NULL) {
 	_gsskrb5_clear_status();
@@ -441,9 +483,10 @@ get_service_keyblock
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
     if (ctx->service_keyblock == NULL) {
 	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-	_gsskrb5_set_status("No service keyblock on gssapi context");
+	krb5_storage_free(sp);
+	_gsskrb5_set_status(EINVAL, "No service keyblock on gssapi context");
 	*minor_status = EINVAL;
-	return GSS_S_FAILURE; 
+	return GSS_S_FAILURE;
     }
 
     krb5_data_zero(&data);
@@ -461,10 +504,10 @@ get_service_keyblock
 
     {
 	gss_buffer_desc value;
-	
+
 	value.length = data.length;
 	value.value = data.data;
-	
+
 	maj_stat = gss_add_buffer_set_member(minor_status,
 					     &value,
 					     data_set);
@@ -484,7 +527,7 @@ out:
  *
  */
 
-OM_uint32 _gsskrb5_inquire_sec_context_by_oid
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
            (OM_uint32 *minor_status,
             const gss_ctx_id_t context_handle,
             const gss_OID desired_object,
@@ -527,6 +570,11 @@ OM_uint32 _gsskrb5_inquire_sec_context_by_oid
 					      context,
 					      ACCEPTOR_KEY,
 					      data_set);
+    } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
+        return inquire_sec_context_get_sspi_session_key(minor_status,
+                                                        ctx,
+                                                        context,
+                                                        data_set);
     } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
 	return get_authtime(minor_status, ctx, data_set);
     } else if (oid_prefix_equal(desired_object,
diff --git a/lib/gssapi/krb5/pname_to_uid.c b/lib/gssapi/krb5/pname_to_uid.c
new file mode 100644
index 000000000000..ff754e779813
--- /dev/null
+++ b/lib/gssapi/krb5/pname_to_uid.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2011, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gsskrb5_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_pname_to_uid(OM_uint32 *minor_status,
+                      const gss_name_t pname,
+                      const gss_OID mech_type,
+                      uid_t *uidp)
+{
+#ifdef NO_LOCALNAME
+    *minor_status = KRB5_NO_LOCALNAME;
+    return GSS_S_FAILURE;
+#else
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_const_principal princ = (krb5_const_principal)pname;
+    char localname[256];
+#ifdef POSIX_GETPWNAM_R
+    char pwbuf[2048];
+    struct passwd pw, *pwd;
+#else
+    struct passwd *pwd;
+#endif
+
+    GSSAPI_KRB5_INIT(&context);
+
+    *minor_status = 0;
+
+    ret = krb5_aname_to_localname(context, princ,
+                                  sizeof(localname), localname);
+    if (ret != 0) {
+        *minor_status = ret;
+        return GSS_S_FAILURE;
+    }
+
+#ifdef POSIX_GETPWNAM_R
+    if (getpwnam_r(localname, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0) {
+        *minor_status = KRB5_NO_LOCALNAME;
+        return GSS_S_FAILURE;
+    }
+#else
+    pwd = getpwnam(localname);
+#endif
+
+    if (pwd == NULL) {
+        *minor_status = KRB5_NO_LOCALNAME;
+        return GSS_S_FAILURE;
+    }
+
+    *uidp = pwd->pw_uid;
+
+    return GSS_S_COMPLETE;
+#endif /* NO_LOCALNAME */
+}
diff --git a/lib/gssapi/krb5/prf.c b/lib/gssapi/krb5/prf.c
index f79c9374a9c7..162a3097099f 100644
--- a/lib/gssapi/krb5/prf.c
+++ b/lib/gssapi/krb5/prf.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: prf.c 21129 2007-06-18 20:28:44Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 		       gss_ctx_id_t context_handle,
 		       int prf_key,
@@ -49,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
     krb5_crypto crypto;
     krb5_data input, output;
     uint32_t num;
+    OM_uint32 junk;
     unsigned char *p;
     krb5_keyblock *key = NULL;
+    size_t dol;
 
     if (ctx == NULL) {
 	*minor_status = 0;
 	return GSS_S_NO_CONTEXT;
     }
 
-    if (desired_output_len <= 0) {
+    if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
 	*minor_status = 0;
 	return GSS_S_FAILURE;
     }
+    dol = desired_output_len;
 
     GSSAPI_KRB5_INIT (&context);
 
@@ -72,14 +73,14 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	_gsskrb5i_get_initiator_subkey(ctx, context, &key);
 	break;
     default:
-	_gsskrb5_set_status("unknown kerberos prf_key");
-	*minor_status = 0;
+	_gsskrb5_set_status(EINVAL, "unknown kerberos prf_key");
+	*minor_status = EINVAL;
 	return GSS_S_FAILURE;
     }
 
     if (key == NULL) {
-	_gsskrb5_set_status("no prf_key found");
-	*minor_status = 0;
+	_gsskrb5_set_status(EINVAL, "no prf_key found");
+	*minor_status = EINVAL;
 	return GSS_S_FAILURE;
     }
 
@@ -90,37 +91,38 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	return GSS_S_FAILURE;
     }
 
-    prf_out->value = malloc(desired_output_len);
+    prf_out->value = malloc(dol);
     if (prf_out->value == NULL) {
-	_gsskrb5_set_status("Out of memory");
+	_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
 	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
 	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
     }
-    prf_out->length = desired_output_len;
+    prf_out->length = dol;
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
     input.length = prf_in->length + 4;
     input.data = malloc(prf_in->length + 4);
     if (input.data == NULL) {
-	OM_uint32 junk;
-	_gsskrb5_set_status("Out of memory");
+	_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
 	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
 	gss_release_buffer(&junk, prf_out);
 	krb5_crypto_destroy(context, crypto);
 	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	return GSS_S_FAILURE;
     }
-    memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
+    memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
 
     num = 0;
     p = prf_out->value;
-    while(desired_output_len > 0) {
+    while(dol > 0) {
+	size_t tsize;
+
 	_gsskrb5_encode_om_uint32(num, input.data);
+
 	ret = krb5_crypto_prf(context, crypto, &input, &output);
 	if (ret) {
-	    OM_uint32 junk;
 	    *minor_status = ret;
 	    free(input.data);
 	    gss_release_buffer(&junk, prf_out);
@@ -128,12 +130,15 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	    return GSS_S_FAILURE;
 	}
-	memcpy(p, output.data, min(desired_output_len, output.length));
+
+	tsize = min(dol, output.length);
+	memcpy(p, output.data, tsize);
 	p += output.length;
-	desired_output_len -= output.length;
+	dol -= tsize;
 	krb5_data_free(&output);
 	num++;
     }
+    free(input.data);
 
     krb5_crypto_destroy(context, crypto);
 
diff --git a/lib/gssapi/krb5/process_context_token.c b/lib/gssapi/krb5/process_context_token.c
index 15638f57fcc5..0cc1c07cfbe9 100644
--- a/lib/gssapi/krb5/process_context_token.c
+++ b/lib/gssapi/krb5/process_context_token.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: process_context_token.c 19031 2006-11-13 18:02:57Z lha $");
-
-OM_uint32 _gsskrb5_process_context_token (
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token (
 	OM_uint32          *minor_status,
 	const gss_ctx_id_t context_handle,
 	const gss_buffer_t token_buffer
@@ -44,20 +42,18 @@ OM_uint32 _gsskrb5_process_context_token (
     krb5_context context;
     OM_uint32 ret = GSS_S_FAILURE;
     gss_buffer_desc empty_buffer;
-    gss_qop_t qop_state;
 
     empty_buffer.length = 0;
     empty_buffer.value = NULL;
 
     GSSAPI_KRB5_INIT (&context);
 
-    qop_state = GSS_C_QOP_DEFAULT;
-
-    ret = _gsskrb5_verify_mic_internal(minor_status, 
+    ret = _gsskrb5_verify_mic_internal(minor_status,
 				       (gsskrb5_ctx)context_handle,
 				       context,
 				       token_buffer, &empty_buffer,
-				       GSS_C_QOP_DEFAULT, "\x01\x02");
+				       GSS_C_QOP_DEFAULT,
+				       "\x01\x02");
 
     if (ret == GSS_S_COMPLETE)
 	ret = _gsskrb5_delete_sec_context(minor_status,
diff --git a/lib/gssapi/krb5/release_buffer.c b/lib/gssapi/krb5/release_buffer.c
index 5dff62631ab4..b704e001ebd1 100644
--- a/lib/gssapi/krb5/release_buffer.c
+++ b/lib/gssapi/krb5/release_buffer.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2000, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: release_buffer.c 18334 2006-10-07 22:16:04Z lha $");
+#include "gsskrb5_locl.h"
 
 OM_uint32 _gsskrb5_release_buffer
            (OM_uint32 * minor_status,
diff --git a/lib/gssapi/krb5/release_cred.c b/lib/gssapi/krb5/release_cred.c
index ab5695b097b1..105a7a6eb223 100644
--- a/lib/gssapi/krb5/release_cred.c
+++ b/lib/gssapi/krb5/release_cred.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: release_cred.c 20753 2007-05-31 22:50:06Z lha $");
-
-OM_uint32 _gsskrb5_release_cred
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_release_cred
            (OM_uint32 * minor_status,
             gss_cred_id_t * cred_handle
            )
@@ -46,7 +44,7 @@ OM_uint32 _gsskrb5_release_cred
 
     *minor_status = 0;
 
-    if (*cred_handle == NULL) 
+    if (*cred_handle == NULL)
         return GSS_S_COMPLETE;
 
     cred = (gsskrb5_cred)*cred_handle;
@@ -61,11 +59,9 @@ OM_uint32 _gsskrb5_release_cred
     if (cred->keytab != NULL)
 	krb5_kt_close(context, cred->keytab);
     if (cred->ccache != NULL) {
-	const krb5_cc_ops *ops;
-	ops = krb5_cc_get_ops(context, cred->ccache);
 	if (cred->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
 	    krb5_cc_destroy(context, cred->ccache);
-	else 
+	else
 	    krb5_cc_close(context, cred->ccache);
     }
     gss_release_oid_set(&junk, &cred->mechanisms);
diff --git a/lib/gssapi/krb5/release_name.c b/lib/gssapi/krb5/release_name.c
index 80b91930fd37..57fc8a4e45eb 100644
--- a/lib/gssapi/krb5/release_name.c
+++ b/lib/gssapi/krb5/release_name.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: release_name.c 21128 2007-06-18 20:26:50Z lha $");
-
-OM_uint32 _gsskrb5_release_name
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_release_name
            (OM_uint32 * minor_status,
             gss_name_t * input_name
            )
diff --git a/lib/gssapi/krb5/sequence.c b/lib/gssapi/krb5/sequence.c
index 677a3c8d0778..2e0e7b20f922 100644
--- a/lib/gssapi/krb5/sequence.c
+++ b/lib/gssapi/krb5/sequence.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: sequence.c 18334 2006-10-07 22:16:04Z lha $");
+#include "gsskrb5_locl.h"
 
 #define DEFAULT_JITTER_WINDOW 20
 
@@ -57,19 +55,19 @@ msg_order_alloc(OM_uint32 *minor_status,
 		OM_uint32 jitter_window)
 {
     size_t len;
-    
+
     len = jitter_window * sizeof((*o)->elem[0]);
     len += sizeof(**o);
     len -= sizeof((*o)->elem[0]);
-    
+
     *o = calloc(1, len);
     if (*o == NULL) {
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
-    }	
-    
+    }
+
     *minor_status = 0;
-    return GSS_S_COMPLETE;    
+    return GSS_S_COMPLETE;
 }
 
 /*
@@ -78,9 +76,9 @@ msg_order_alloc(OM_uint32 *minor_status,
 
 OM_uint32
 _gssapi_msg_order_create(OM_uint32 *minor_status,
-			 struct gss_msg_order **o, 
-			 OM_uint32 flags, 
-			 OM_uint32 seq_num, 
+			 struct gss_msg_order **o,
+			 OM_uint32 flags,
+			 OM_uint32 seq_num,
 			 OM_uint32 jitter_window,
 			 int use_64)
 {
@@ -118,7 +116,7 @@ elem_set(struct gss_msg_order *o, unsigned int slot, OM_uint32 val)
 }
 
 static void
-elem_insert(struct gss_msg_order *o, 
+elem_insert(struct gss_msg_order *o,
 	    unsigned int after_slot,
 	    OM_uint32 seq_num)
 {
@@ -143,7 +141,7 @@ OM_uint32
 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
 {
     OM_uint32 r;
-    int i;
+    size_t i;
 
     if (o == NULL)
 	return GSS_S_COMPLETE;
@@ -159,11 +157,11 @@ _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
 
     r = (o->flags & (GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG))==GSS_C_REPLAY_FLAG;
 
-    /* sequence number larger then largest sequence number 
+    /* sequence number larger then largest sequence number
      * or smaller then the first sequence number */
     if (seq_num > o->elem[0]
 	|| seq_num < o->first_seq
-	|| o->length == 0) 
+	|| o->length == 0)
     {
 	elem_insert(o, 0, seq_num);
 	if (r) {
@@ -217,7 +215,7 @@ _gssapi_msg_order_export(krb5_storage *sp, struct gss_msg_order *o)
 {
     krb5_error_code kret;
     OM_uint32 i;
-    
+
     kret = krb5_store_int32(sp, o->flags);
     if (kret)
         return kret;
@@ -233,51 +231,51 @@ _gssapi_msg_order_export(krb5_storage *sp, struct gss_msg_order *o)
     kret = krb5_store_int32(sp, o->first_seq);
     if (kret)
         return kret;
-    
+
     for (i = 0; i < o->jitter_window; i++) {
         kret = krb5_store_int32(sp, o->elem[i]);
 	if (kret)
 	    return kret;
     }
-    
+
     return 0;
 }
 
 OM_uint32
 _gssapi_msg_order_import(OM_uint32 *minor_status,
-			 krb5_storage *sp, 
+			 krb5_storage *sp,
 			 struct gss_msg_order **o)
 {
     OM_uint32 ret;
     krb5_error_code kret;
     int32_t i, flags, start, length, jitter_window, first_seq;
-    
+
     kret = krb5_ret_int32(sp, &flags);
     if (kret)
 	goto failed;
-    ret = krb5_ret_int32(sp, &start);
+    kret = krb5_ret_int32(sp, &start);
     if (kret)
 	goto failed;
-    ret = krb5_ret_int32(sp, &length);
+    kret = krb5_ret_int32(sp, &length);
     if (kret)
 	goto failed;
-    ret = krb5_ret_int32(sp, &jitter_window);
+    kret = krb5_ret_int32(sp, &jitter_window);
     if (kret)
 	goto failed;
-    ret = krb5_ret_int32(sp, &first_seq);
+    kret = krb5_ret_int32(sp, &first_seq);
     if (kret)
 	goto failed;
-    
+
     ret = msg_order_alloc(minor_status, o, jitter_window);
     if (ret != GSS_S_COMPLETE)
         return ret;
-    
+
     (*o)->flags = flags;
     (*o)->start = start;
     (*o)->length = length;
     (*o)->jitter_window = jitter_window;
     (*o)->first_seq = first_seq;
-    
+
     for( i = 0; i < jitter_window; i++ ) {
         kret = krb5_ret_int32(sp, (int32_t*)&((*o)->elem[i]));
 	if (kret)
diff --git a/lib/gssapi/krb5/set_cred_option.c b/lib/gssapi/krb5/set_cred_option.c
index d0ca1c4d95dd..bd3871675109 100644
--- a/lib/gssapi/krb5/set_cred_option.c
+++ b/lib/gssapi/krb5/set_cred_option.c
@@ -30,14 +30,7 @@
  * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: set_cred_option.c 20325 2007-04-12 16:49:17Z lha $");
-
-static gss_OID_desc gss_krb5_import_cred_x_oid_desc =
-{9, (void *)"\x2b\x06\x01\x04\x01\xa9\x4a\x13\x04"}; /* XXX */
-
-gss_OID GSS_KRB5_IMPORT_CRED_X = &gss_krb5_import_cred_x_oid_desc;
+#include "gsskrb5_locl.h"
 
 static OM_uint32
 import_cred(OM_uint32 *minor_status,
@@ -112,8 +105,8 @@ import_cred(OM_uint32 *minor_status,
     free(str);
     str = NULL;
 
-    major_stat = _gsskrb5_import_cred(minor_status, id, keytab_principal,
-				      keytab, cred_handle);
+    major_stat = _gsskrb5_krb5_import_cred(minor_status, id, keytab_principal,
+					   keytab, cred_handle);
 out:
     if (id)
 	krb5_cc_close(context, id);
@@ -201,8 +194,29 @@ out:
     return major_stat;
 }
 
+static OM_uint32
+no_ci_flags(OM_uint32 *minor_status,
+	    krb5_context context,
+	    gss_cred_id_t *cred_handle,
+	    const gss_buffer_t value)
+{
+    gsskrb5_cred cred;
+
+    if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    cred = (gsskrb5_cred)*cred_handle;
+    cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+
+}
+
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_set_cred_option
            (OM_uint32 *minor_status,
             gss_cred_id_t *cred_handle,
@@ -224,6 +238,11 @@ _gsskrb5_set_cred_option
     if (gss_oid_equal(desired_object, GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X))
 	return allowed_enctypes(minor_status, context, cred_handle, value);
 
+    if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
+	return no_ci_flags(minor_status, context, cred_handle, value);
+    }
+
+
     *minor_status = EINVAL;
     return GSS_S_FAILURE;
 }
diff --git a/lib/gssapi/krb5/set_sec_context_option.c b/lib/gssapi/krb5/set_sec_context_option.c
index 50441a11ad3c..141ff722fb64 100644
--- a/lib/gssapi/krb5/set_sec_context_option.c
+++ b/lib/gssapi/krb5/set_sec_context_option.c
@@ -34,9 +34,7 @@
  *  glue routine for _gsskrb5_inquire_sec_context_by_oid
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: set_sec_context_option.c 20384 2007-04-18 08:51:06Z lha $");
+#include "gsskrb5_locl.h"
 
 static OM_uint32
 get_bool(OM_uint32 *minor_status,
@@ -70,7 +68,37 @@ get_string(OM_uint32 *minor_status,
     return GSS_S_COMPLETE;
 }
 
-OM_uint32
+static OM_uint32
+get_int32(OM_uint32 *minor_status,
+	  const gss_buffer_t value,
+	  OM_uint32 *ret)
+{
+    *minor_status = 0;
+    if (value == NULL || value->length == 0)
+	*ret = 0;
+    else if (value->length == sizeof(*ret))
+	memcpy(ret, value->value, sizeof(*ret));
+    else
+	return GSS_S_UNAVAILABLE;
+
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
+set_int32(OM_uint32 *minor_status,
+	  const gss_buffer_t value,
+	  OM_uint32 set)
+{
+    *minor_status = 0;
+    if (value->length == sizeof(set))
+	memcpy(value->value, &set, sizeof(set));
+    else
+	return GSS_S_UNAVAILABLE;
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_set_sec_context_option
            (OM_uint32 *minor_status,
             gss_ctx_id_t *context_handle,
@@ -126,11 +154,10 @@ _gsskrb5_set_sec_context_option
 	if (maj_stat != GSS_S_COMPLETE)
 	    return maj_stat;
 
-	_gsskrb5_register_acceptor_identity(str);
+	maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
 	free(str);
 
-	*minor_status = 0;
-	return GSS_S_COMPLETE;
+	return maj_stat;
 
     } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
 	char *str;
@@ -162,7 +189,7 @@ _gsskrb5_set_sec_context_option
 	    }
 	    memcpy(&c, value->value, sizeof(c));
 	    krb5_set_send_to_kdc_func(context,
-				      (krb5_send_to_kdc_func)c.func, 
+				      (krb5_send_to_kdc_func)c.func,
 				      c.ptr);
 	}
 
@@ -185,6 +212,47 @@ _gsskrb5_set_sec_context_option
 	    return GSS_S_FAILURE;
 
 	return GSS_S_COMPLETE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) {
+	OM_uint32 offset;
+	time_t t;
+
+	maj_stat = get_int32(minor_status, value, &offset);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+
+	t = time(NULL) + offset;
+
+	krb5_set_real_time(context, t, 0);
+
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) {
+	krb5_timestamp sec;
+	int32_t usec;
+	time_t t;
+
+	t = time(NULL);
+
+	krb5_us_timeofday (context, &sec, &usec);
+
+	maj_stat = set_int32(minor_status, value, sec - t);
+	if (maj_stat != GSS_S_COMPLETE)
+	    return maj_stat;
+
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
+    } else if (gss_oid_equal(desired_object, GSS_KRB5_PLUGIN_REGISTER_X)) {
+	struct gsskrb5_krb5_plugin c;
+
+	if (value->length != sizeof(c)) {
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+	memcpy(&c, value->value, sizeof(c));
+	krb5_plugin_register(context, c.type, c.name, c.symbol);
+
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
     }
 
     *minor_status = EINVAL;
diff --git a/lib/gssapi/krb5/store_cred.c b/lib/gssapi/krb5/store_cred.c
new file mode 100644
index 000000000000..a3aa2fb83e71
--- /dev/null
+++ b/lib/gssapi/krb5/store_cred.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gsskrb5_locl.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_store_cred(OM_uint32         *minor_status,
+		    gss_cred_id_t     input_cred_handle,
+		    gss_cred_usage_t  cred_usage,
+		    const gss_OID     desired_mech,
+		    OM_uint32         overwrite_cred,
+		    OM_uint32         default_cred,
+		    gss_OID_set       *elements_stored,
+		    gss_cred_usage_t  *cred_usage_stored)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    gsskrb5_cred cred;
+    krb5_ccache id;
+    int destroy = 0;
+
+    *minor_status = 0;
+
+    if (cred_usage != GSS_C_INITIATE) {
+	*minor_status = GSS_KRB5_S_G_BAD_USAGE;
+	return GSS_S_FAILURE;
+    }
+
+    if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0)
+	return GSS_S_BAD_MECH;
+
+    cred = (gsskrb5_cred)input_cred_handle;
+    if (cred == NULL)
+	return GSS_S_NO_CRED;
+
+    GSSAPI_KRB5_INIT (&context);
+
+    HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
+    if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
+	HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	*minor_status = GSS_KRB5_S_G_BAD_USAGE;
+	return(GSS_S_FAILURE);
+    }
+
+    if (cred->principal == NULL) {
+	HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	*minor_status = GSS_KRB5_S_KG_TGT_MISSING;
+	return(GSS_S_FAILURE);
+    }
+
+    /* write out cred to credential cache */
+
+    ret = krb5_cc_cache_match(context, cred->principal, &id);
+    if (ret) {
+	ret = krb5_cc_new_unique(context, NULL, NULL, &id);
+	if (ret) {
+	    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	    *minor_status = ret;
+	    return(GSS_S_FAILURE);
+	}
+	destroy = 1;
+    }
+
+    ret = krb5_cc_initialize(context, id, cred->principal);
+    if (ret == 0)
+	ret = krb5_cc_copy_match_f(context, cred->ccache, id, NULL, NULL, NULL);
+    if (ret) {
+	if (destroy)
+	    krb5_cc_destroy(context, id);
+	else
+	    krb5_cc_close(context, id);
+	HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+	*minor_status = ret;
+	return(GSS_S_FAILURE);
+    }
+
+    if (default_cred)
+	krb5_cc_switch(context, id);
+
+    krb5_cc_close(context, id);
+
+    HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/krb5/test_cfx.c b/lib/gssapi/krb5/test_cfx.c
index b4536228a6e1..0b196fcad24d 100644
--- a/lib/gssapi/krb5/test_cfx.c
+++ b/lib/gssapi/krb5/test_cfx.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -31,9 +31,7 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: test_cfx.c 19031 2006-11-13 18:02:57Z lha $");
+#include "gsskrb5_locl.h"
 
 struct range {
     size_t lower;
@@ -49,22 +47,28 @@ struct range tests[] = {
 };
 
 static void
-test_range(const struct range *r, int integ, 
+test_range(const struct range *r, int integ,
 	   krb5_context context, krb5_crypto crypto)
 {
     krb5_error_code ret;
     size_t size, rsize;
+    struct gsskrb5_ctx ctx;
 
     for (size = r->lower; size < r->upper; size++) {
-	OM_uint32 max_wrap_size;
 	size_t cksumsize;
 	uint16_t padsize;
+	OM_uint32 minor;
+	OM_uint32 max_wrap_size;
 
-	ret = _gsskrb5cfx_max_wrap_length_cfx(context,
-					      crypto,
-					      integ,
-					      size,
-					      &max_wrap_size);
+	ctx.crypto = crypto;
+
+	ret = _gssapi_wrap_size_cfx(&minor,
+				    &ctx,
+				    context,
+				    integ,
+				    0,
+				    size,
+				    &max_wrap_size);
 	if (ret)
 	    krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
 	if (max_wrap_size == 0)
@@ -73,13 +77,14 @@ test_range(const struct range *r, int integ,
 	ret = _gsskrb5cfx_wrap_length_cfx(context,
 					  crypto,
 					  integ,
+					  0,
 					  max_wrap_size,
 					  &rsize, &cksumsize, &padsize);
 	if (ret)
 	    krb5_errx(context, 1, "_gsskrb5cfx_wrap_length_cfx: %d", ret);
 
 	if (size < rsize)
-	    krb5_errx(context, 1, 
+	    krb5_errx(context, 1,
 		      "size (%d) < rsize (%d) for max_wrap_size %d",
 		      (int)size, (int)rsize, (int)max_wrap_size);
     }
@@ -94,25 +99,34 @@ test_special(krb5_context context, krb5_crypto crypto,
     OM_uint32 max_wrap_size;
     size_t cksumsize;
     uint16_t padsize;
-
-    ret = _gsskrb5cfx_max_wrap_length_cfx(context,
-					  crypto,
-					  integ,
-					  testsize,
-					  &max_wrap_size);
+    struct gsskrb5_ctx ctx;
+    OM_uint32 minor;
+
+    ctx.crypto = crypto;
+
+    ret = _gssapi_wrap_size_cfx(&minor,
+				&ctx,
+				context,
+				integ,
+				0,
+				testsize,
+				&max_wrap_size);
+    if (ret)
+      krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
     if (ret)
 	krb5_errx(context, 1, "_gsskrb5cfx_max_wrap_length_cfx: %d", ret);
-    
+
     ret = _gsskrb5cfx_wrap_length_cfx(context,
 				      crypto,
 				      integ,
+				      0,
 				      max_wrap_size,
 				      &rsize, &cksumsize, &padsize);
     if (ret)
 	krb5_errx(context, 1, "_gsskrb5cfx_wrap_length_cfx: %d", ret);
-    
+
     if (testsize < rsize)
-	krb5_errx(context, 1, 
+	krb5_errx(context, 1,
 		  "testsize (%d) < rsize (%d) for max_wrap_size %d",
 		  (int)testsize, (int)rsize, (int)max_wrap_size);
 }
@@ -132,8 +146,8 @@ main(int argc, char **argv)
     ret = krb5_init_context(&context);
     if (ret)
 	errx(1, "krb5_context_init: %d", ret);
-    
-    ret = krb5_generate_random_keyblock(context, 
+
+    ret = krb5_generate_random_keyblock(context,
 					ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 					&keyblock);
     if (ret)
diff --git a/lib/gssapi/krb5/ticket_flags.c b/lib/gssapi/krb5/ticket_flags.c
index 51d8159262af..df5f11d8f737 100644
--- a/lib/gssapi/krb5/ticket_flags.c
+++ b/lib/gssapi/krb5/ticket_flags.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: ticket_flags.c 18334 2006-10-07 22:16:04Z lha $");
+#include "gsskrb5_locl.h"
 
 OM_uint32
 _gsskrb5_get_tkt_flags(OM_uint32 *minor_status,
diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
index d0a33d86fbfc..d6bc20477787 100644
--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
@@ -1,39 +1,39 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: unwrap.c 19031 2006-11-13 18:02:57Z lha $");
+#ifdef HEIM_WEAK_CRYPTO
 
 static OM_uint32
 unwrap_des
@@ -48,21 +48,29 @@ unwrap_des
 {
   u_char *p, *seq;
   size_t len;
-  MD5_CTX md5;
+  EVP_MD_CTX *md5;
   u_char hash[16];
+  EVP_CIPHER_CTX des_ctx;
   DES_key_schedule schedule;
   DES_cblock deskey;
   DES_cblock zero;
-  int i;
+  size_t i;
   uint32_t seq_number;
   size_t padlength;
   OM_uint32 ret;
   int cstate;
   int cmp;
+  int token_len;
+
+  if (IS_DCE_STYLE(context_handle)) {
+     token_len = 22 + 8 + 15; /* 45 */
+  } else {
+     token_len = input_message_buffer->length;
+  }
 
   p = input_message_buffer->value;
   ret = _gsskrb5_verify_header (&p,
-				   input_message_buffer->length,
+				   token_len,
 				   "\x02\x01",
 				   GSS_KRB5_MECHANISM);
   if (ret)
@@ -90,49 +98,56 @@ unwrap_des
   if(cstate) {
       /* decrypt data */
       memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+      memset (&zero, 0, sizeof(zero));
 
       for (i = 0; i < sizeof(deskey); ++i)
 	  deskey[i] ^= 0xf0;
-      DES_set_key (&deskey, &schedule);
-      memset (&zero, 0, sizeof(zero));
-      DES_cbc_encrypt ((void *)p,
-		       (void *)p,
-		       input_message_buffer->length - len,
-		       &schedule,
-		       &zero,
-		       DES_DECRYPT);
-      
-      memset (deskey, 0, sizeof(deskey));
+
+
+      EVP_CIPHER_CTX_init(&des_ctx);
+      EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, deskey, zero, 0);
+      EVP_Cipher(&des_ctx, p, p, input_message_buffer->length - len);
+      EVP_CIPHER_CTX_cleanup(&des_ctx);
+
       memset (&schedule, 0, sizeof(schedule));
   }
-  /* check pad */
-  ret = _gssapi_verify_pad(input_message_buffer, 
-			   input_message_buffer->length - len,
-			   &padlength);
-  if (ret)
-      return ret;
 
-  MD5_Init (&md5);
-  MD5_Update (&md5, p - 24, 8);
-  MD5_Update (&md5, p, input_message_buffer->length - len);
-  MD5_Final (hash, &md5);
+  if (IS_DCE_STYLE(context_handle)) {
+    padlength = 0;
+  } else {
+    /* check pad */
+    ret = _gssapi_verify_pad(input_message_buffer,
+			     input_message_buffer->length - len,
+			     &padlength);
+    if (ret)
+        return ret;
+  }
+
+  md5 = EVP_MD_CTX_create();
+  EVP_DigestInit_ex(md5, EVP_md5(), NULL);
+  EVP_DigestUpdate(md5, p - 24, 8);
+  EVP_DigestUpdate(md5, p, input_message_buffer->length - len);
+  EVP_DigestFinal_ex(md5, hash, NULL);
+  EVP_MD_CTX_destroy(md5);
 
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 &schedule, &zero);
-  if (memcmp (p - 8, hash, 8) != 0)
+  if (ct_memcmp (p - 8, hash, 8) != 0)
     return GSS_S_BAD_MIC;
 
   /* verify sequence number */
-  
+
   HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 
   p -= 16;
-  DES_set_key (&deskey, &schedule);
-  DES_cbc_encrypt ((void *)p, (void *)p, 8,
-		   &schedule, (DES_cblock *)hash, DES_DECRYPT);
+
+  EVP_CIPHER_CTX_init(&des_ctx);
+  EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
+  EVP_Cipher(&des_ctx, p, p, 8);
+  EVP_CIPHER_CTX_cleanup(&des_ctx);
 
   memset (deskey, 0, sizeof(deskey));
   memset (&schedule, 0, sizeof(schedule));
@@ -141,9 +156,9 @@ unwrap_des
   _gsskrb5_decode_om_uint32(seq, &seq_number);
 
   if (context_handle->more_flags & LOCAL)
-      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+      cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4);
   else
-      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+      cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4);
 
   if (cmp != 0) {
     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -170,6 +185,7 @@ unwrap_des
 	  output_message_buffer->length);
   return GSS_S_COMPLETE;
 }
+#endif
 
 static OM_uint32
 unwrap_des3
@@ -195,10 +211,17 @@ unwrap_des3
   krb5_crypto crypto;
   Checksum csum;
   int cmp;
+  int token_len;
+
+  if (IS_DCE_STYLE(context_handle)) {
+     token_len = 34 + 8 + 15; /* 57 */
+  } else {
+     token_len = input_message_buffer->length;
+  }
 
   p = input_message_buffer->value;
   ret = _gsskrb5_verify_header (&p,
-				   input_message_buffer->length,
+				   token_len,
 				   "\x02\x01",
 				   GSS_KRB5_MECHANISM);
   if (ret)
@@ -207,16 +230,16 @@ unwrap_des3
   if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
     return GSS_S_BAD_SIG;
   p += 2;
-  if (memcmp (p, "\x02\x00", 2) == 0) {
+  if (ct_memcmp (p, "\x02\x00", 2) == 0) {
     cstate = 1;
-  } else if (memcmp (p, "\xff\xff", 2) == 0) {
+  } else if (ct_memcmp (p, "\xff\xff", 2) == 0) {
     cstate = 0;
   } else
     return GSS_S_BAD_MIC;
   p += 2;
   if(conf_state != NULL)
     *conf_state = cstate;
-  if (memcmp (p, "\xff\xff", 2) != 0)
+  if (ct_memcmp (p, "\xff\xff", 2) != 0)
     return GSS_S_DEFECTIVE_TOKEN;
   p += 2;
   p += 28;
@@ -245,15 +268,20 @@ unwrap_des3
       memcpy (p, tmp.data, tmp.length);
       krb5_data_free(&tmp);
   }
-  /* check pad */
-  ret = _gssapi_verify_pad(input_message_buffer, 
-			   input_message_buffer->length - len,
-			   &padlength);
-  if (ret)
-      return ret;
+
+  if (IS_DCE_STYLE(context_handle)) {
+    padlength = 0;
+  } else {
+    /* check pad */
+    ret = _gssapi_verify_pad(input_message_buffer,
+			     input_message_buffer->length - len,
+			     &padlength);
+    if (ret)
+        return ret;
+  }
 
   /* verify sequence number */
-  
+
   HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 
   p -= 28;
@@ -292,10 +320,10 @@ unwrap_des3
   _gsskrb5_decode_om_uint32(seq, &seq_number);
 
   if (context_handle->more_flags & LOCAL)
-      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+      cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4);
   else
-      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
-  
+      cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+
   krb5_data_free (&seq_data);
   if (cmp != 0) {
       *minor_status = 0;
@@ -352,7 +380,7 @@ unwrap_des3
   return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gsskrb5_unwrap
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_unwrap
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             const gss_buffer_t input_message_buffer,
@@ -369,11 +397,16 @@ OM_uint32 _gsskrb5_unwrap
 
   output_message_buffer->value = NULL;
   output_message_buffer->length = 0;
+  if (qop_state != NULL)
+      *qop_state = GSS_C_QOP_DEFAULT;
 
   GSSAPI_KRB5_INIT (&context);
 
-  if (qop_state != NULL)
-      *qop_state = GSS_C_QOP_DEFAULT;
+  if (ctx->more_flags & IS_CFX)
+      return _gssapi_unwrap_cfx (minor_status, ctx, context,
+				 input_message_buffer, output_message_buffer,
+				 conf_state, qop_state);
+
   HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
   ret = _gsskrb5i_get_token_key(ctx, context, &key);
   HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -387,9 +420,13 @@ OM_uint32 _gsskrb5_unwrap
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = unwrap_des (minor_status, ctx,
 			input_message_buffer, output_message_buffer,
 			conf_state, qop_state, key);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
   case KEYTYPE_DES3 :
       ret = unwrap_des3 (minor_status, ctx, context,
@@ -403,9 +440,7 @@ OM_uint32 _gsskrb5_unwrap
 				    conf_state, qop_state, key);
       break;
   default :
-      ret = _gssapi_unwrap_cfx (minor_status, ctx, context,
-				input_message_buffer, output_message_buffer,
-				conf_state, qop_state, key);
+      abort();
       break;
   }
   krb5_free_keyblock (context, key);
diff --git a/lib/gssapi/krb5/v1.c b/lib/gssapi/krb5/v1.c
deleted file mode 100644
index c5ebeb9dd77e..000000000000
--- a/lib/gssapi/krb5/v1.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
- *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
- *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
- *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
- */
-
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: v1.c 18334 2006-10-07 22:16:04Z lha $");
-
-/* These functions are for V1 compatibility */
-
-OM_uint32 _gsskrb5_sign
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            int qop_req,
-            gss_buffer_t message_buffer,
-            gss_buffer_t message_token
-           )
-{
-  return _gsskrb5_get_mic(minor_status,
-	context_handle,
-	(gss_qop_t)qop_req,
-	message_buffer,
-	message_token);
-}
-
-OM_uint32 _gsskrb5_verify
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            gss_buffer_t message_buffer,
-            gss_buffer_t token_buffer,
-            int * qop_state
-           )
-{
-  return _gsskrb5_verify_mic(minor_status,
-	context_handle,
-	message_buffer,
-	token_buffer,
-	(gss_qop_t *)qop_state);
-}
-
-OM_uint32 _gsskrb5_seal
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            int conf_req_flag,
-            int qop_req,
-            gss_buffer_t input_message_buffer,
-            int * conf_state,
-            gss_buffer_t output_message_buffer
-           )
-{
-  return _gsskrb5_wrap(minor_status,
-	context_handle,
-	conf_req_flag,
-	(gss_qop_t)qop_req,
-	input_message_buffer,
-	conf_state,
-	output_message_buffer);
-}
-
-OM_uint32 _gsskrb5_unseal
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            gss_buffer_t input_message_buffer,
-            gss_buffer_t output_message_buffer,
-            int * conf_state,
-            int * qop_state
-           )
-{
-  return _gsskrb5_unwrap(minor_status,
-	context_handle,
-	input_message_buffer,
-	output_message_buffer,
-	conf_state,
-	(gss_qop_t *)qop_state);
-}
diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c
index 52381afcc28a..3123787ff474 100644
--- a/lib/gssapi/krb5/verify_mic.c
+++ b/lib/gssapi/krb5/verify_mic.c
@@ -1,39 +1,39 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
+#include "gsskrb5_locl.h"
 
-RCSID("$Id: verify_mic.c 19031 2006-11-13 18:02:57Z lha $");
+#ifdef HEIM_WEAK_CRYPTO
 
 static OM_uint32
 verify_mic_des
@@ -44,13 +44,14 @@ verify_mic_des
             const gss_buffer_t token_buffer,
             gss_qop_t * qop_state,
 	    krb5_keyblock *key,
-	    char *type
+	    const char *type
 	    )
 {
   u_char *p;
-  MD5_CTX md5;
+  EVP_MD_CTX *md5;
   u_char hash[16], *seq;
   DES_key_schedule schedule;
+  EVP_CIPHER_CTX des_ctx;
   DES_cblock zero;
   DES_cblock deskey;
   uint32_t seq_number;
@@ -74,32 +75,35 @@ verify_mic_des
   p += 16;
 
   /* verify checksum */
-  MD5_Init (&md5);
-  MD5_Update (&md5, p - 24, 8);
-  MD5_Update (&md5, message_buffer->value,
-	     message_buffer->length);
-  MD5_Final (hash, &md5);
+  md5 = EVP_MD_CTX_create();
+  EVP_DigestInit_ex(md5, EVP_md5(), NULL);
+  EVP_DigestUpdate(md5, p - 24, 8);
+  EVP_DigestUpdate(md5, message_buffer->value, message_buffer->length);
+  EVP_DigestFinal_ex(md5, hash, NULL);
+  EVP_MD_CTX_destroy(md5);
 
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
 
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 &schedule, &zero);
-  if (memcmp (p - 8, hash, 8) != 0) {
+  if (ct_memcmp (p - 8, hash, 8) != 0) {
     memset (deskey, 0, sizeof(deskey));
     memset (&schedule, 0, sizeof(schedule));
     return GSS_S_BAD_MIC;
   }
 
   /* verify sequence number */
-  
+
   HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
 
   p -= 16;
-  DES_set_key (&deskey, &schedule);
-  DES_cbc_encrypt ((void *)p, (void *)p, 8,
-		   &schedule, (DES_cblock *)hash, DES_DECRYPT);
+
+  EVP_CIPHER_CTX_init(&des_ctx);
+  EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, hash, 0);
+  EVP_Cipher(&des_ctx, p, p, 8);
+  EVP_CIPHER_CTX_cleanup(&des_ctx);
 
   memset (deskey, 0, sizeof(deskey));
   memset (&schedule, 0, sizeof(schedule));
@@ -108,9 +112,9 @@ verify_mic_des
   _gsskrb5_decode_om_uint32(seq, &seq_number);
 
   if (context_handle->more_flags & LOCAL)
-      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+      cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4);
   else
-      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+      cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4);
 
   if (cmp != 0) {
     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
@@ -127,6 +131,7 @@ verify_mic_des
 
   return GSS_S_COMPLETE;
 }
+#endif
 
 static OM_uint32
 verify_mic_des3
@@ -137,7 +142,7 @@ verify_mic_des3
             const gss_buffer_t token_buffer,
             gss_qop_t * qop_state,
 	    krb5_keyblock *key,
-	    char *type
+	    const char *type
 	    )
 {
   u_char *p;
@@ -150,7 +155,7 @@ verify_mic_des3
   Checksum csum;
   char *tmp;
   char ivec[8];
-  
+
   p = token_buffer->value;
   ret = _gsskrb5_verify_header (&p,
 				   token_buffer->length,
@@ -209,9 +214,9 @@ retry:
   _gsskrb5_decode_om_uint32(seq, &seq_number);
 
   if (context_handle->more_flags & LOCAL)
-      cmp = memcmp(&seq[4], "\xff\xff\xff\xff", 4);
+      cmp = ct_memcmp(&seq[4], "\xff\xff\xff\xff", 4);
   else
-      cmp = memcmp(&seq[4], "\x00\x00\x00\x00", 4);
+      cmp = ct_memcmp(&seq[4], "\x00\x00\x00\x00", 4);
 
   krb5_data_free (&seq_data);
   if (cmp != 0) {
@@ -266,21 +271,26 @@ retry:
 OM_uint32
 _gsskrb5_verify_mic_internal
            (OM_uint32 * minor_status,
-            const gsskrb5_ctx context_handle,
+            const gsskrb5_ctx ctx,
 	    krb5_context context,
             const gss_buffer_t message_buffer,
             const gss_buffer_t token_buffer,
             gss_qop_t * qop_state,
-	    char * type
+	    const char * type
 	    )
 {
     krb5_keyblock *key;
     OM_uint32 ret;
     krb5_keytype keytype;
 
-    HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
-    ret = _gsskrb5i_get_token_key(context_handle, context, &key);
-    HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+    if (ctx->more_flags & IS_CFX)
+        return _gssapi_verify_mic_cfx (minor_status, ctx,
+				       context, message_buffer, token_buffer,
+				       qop_state);
+
+    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
+    ret = _gsskrb5i_get_token_key(ctx, context, &key);
+    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
     if (ret) {
 	*minor_status = ret;
 	return GSS_S_FAILURE;
@@ -289,35 +299,35 @@ _gsskrb5_verify_mic_internal
     krb5_enctype_to_keytype (context, key->keytype, &keytype);
     switch (keytype) {
     case KEYTYPE_DES :
-	ret = verify_mic_des (minor_status, context_handle, context,
+#ifdef HEIM_WEAK_CRYPTO
+	ret = verify_mic_des (minor_status, ctx, context,
 			      message_buffer, token_buffer, qop_state, key,
 			      type);
+#else
+      ret = GSS_S_FAILURE;
+#endif
 	break;
     case KEYTYPE_DES3 :
-	ret = verify_mic_des3 (minor_status, context_handle, context,
+	ret = verify_mic_des3 (minor_status, ctx, context,
 			       message_buffer, token_buffer, qop_state, key,
 			       type);
 	break;
     case KEYTYPE_ARCFOUR :
     case KEYTYPE_ARCFOUR_56 :
-	ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
+	ret = _gssapi_verify_mic_arcfour (minor_status, ctx,
 					  context,
 					  message_buffer, token_buffer,
 					  qop_state, key, type);
 	break;
     default :
-	ret = _gssapi_verify_mic_cfx (minor_status, context_handle,
-				      context,
-				      message_buffer, token_buffer, qop_state,
-				      key);
-	break;
+        abort();
     }
     krb5_free_keyblock (context, key);
-    
+
     return ret;
 }
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_verify_mic
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
@@ -334,11 +344,11 @@ _gsskrb5_verify_mic
     if (qop_state != NULL)
 	*qop_state = GSS_C_QOP_DEFAULT;
 
-    ret = _gsskrb5_verify_mic_internal(minor_status, 
+    ret = _gsskrb5_verify_mic_internal(minor_status,
 				       (gsskrb5_ctx)context_handle,
 				       context,
 				       message_buffer, token_buffer,
-				       qop_state, "\x01\x01");
+				       qop_state, (void *)(intptr_t)"\x01\x01");
 
     return ret;
 }
diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c
index d41379870ae9..1026e41914e9 100644
--- a/lib/gssapi/krb5/wrap.c
+++ b/lib/gssapi/krb5/wrap.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "krb5/gsskrb5_locl.h"
-
-RCSID("$Id: wrap.c 19035 2006-11-14 09:49:56Z lha $");
+#include "gsskrb5_locl.h"
 
 /*
  * Return initiator subkey, or if that doesn't exists, the subkey.
@@ -49,19 +47,19 @@ _gsskrb5i_get_initiator_subkey(const gsskrb5_ctx ctx,
 
     if (ctx->more_flags & LOCAL) {
 	ret = krb5_auth_con_getlocalsubkey(context,
-				     ctx->auth_context, 
+				     ctx->auth_context,
 				     key);
     } else {
 	ret = krb5_auth_con_getremotesubkey(context,
-				      ctx->auth_context, 
+				      ctx->auth_context,
 				      key);
     }
     if (ret == 0 && *key == NULL)
 	ret = krb5_auth_con_getkey(context,
-				   ctx->auth_context, 
+				   ctx->auth_context,
 				   key);
     if (ret == 0 && *key == NULL) {
-	krb5_set_error_string(context, "No initiator subkey available");
+	krb5_set_error_message(context, 0, "No initiator subkey available");
 	return GSS_KRB5_S_KG_NO_SUBKEY;
     }
     return ret;
@@ -77,15 +75,15 @@ _gsskrb5i_get_acceptor_subkey(const gsskrb5_ctx ctx,
 
     if (ctx->more_flags & LOCAL) {
 	ret = krb5_auth_con_getremotesubkey(context,
-				      ctx->auth_context, 
+				      ctx->auth_context,
 				      key);
     } else {
 	ret = krb5_auth_con_getlocalsubkey(context,
-				     ctx->auth_context, 
+				     ctx->auth_context,
 				     key);
     }
     if (ret == 0 && *key == NULL) {
-	krb5_set_error_string(context, "No acceptor subkey available");
+	krb5_set_error_message(context, 0, "No acceptor subkey available");
 	return GSS_KRB5_S_KG_NO_SUBKEY;
     }
     return ret;
@@ -106,7 +104,7 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx,
 	    _gsskrb5i_get_initiator_subkey(ctx, context, key);
     }
     if (*key == NULL) {
-	krb5_set_error_string(context, "No token key available");
+	krb5_set_error_message(context, 0, "No token key available");
 	return GSS_KRB5_S_KG_NO_SUBKEY;
     }
     return 0;
@@ -120,7 +118,7 @@ sub_wrap_size (
 	    int extrasize
            )
 {
-    size_t len, total_len; 
+    size_t len, total_len;
 
     len = 8 + req_output_size + blocksize + extrasize;
 
@@ -136,7 +134,7 @@ sub_wrap_size (
     return GSS_S_COMPLETE;
 }
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gsskrb5_wrap_size_limit (
             OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
@@ -154,6 +152,11 @@ _gsskrb5_wrap_size_limit (
 
   GSSAPI_KRB5_INIT (&context);
 
+  if (ctx->more_flags & IS_CFX)
+      return _gssapi_wrap_size_cfx(minor_status, ctx, context,
+				   conf_req_flag, qop_req,
+				   req_output_size, max_input_size);
+
   HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
   ret = _gsskrb5i_get_token_key(ctx, context, &key);
   HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -165,21 +168,23 @@ _gsskrb5_wrap_size_limit (
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
-  case KEYTYPE_ARCFOUR:
-  case KEYTYPE_ARCFOUR_56:
+  case ENCTYPE_ARCFOUR_HMAC_MD5:
+  case ENCTYPE_ARCFOUR_HMAC_MD5_56:
       ret = _gssapi_wrap_size_arcfour(minor_status, ctx, context,
-				      conf_req_flag, qop_req, 
+				      conf_req_flag, qop_req,
 				      req_output_size, max_input_size, key);
       break;
   case KEYTYPE_DES3 :
       ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
       break;
   default :
-      ret = _gssapi_wrap_size_cfx(minor_status, ctx, context,
-				  conf_req_flag, qop_req, 
-				  req_output_size, max_input_size, key);
+      abort();
       break;
   }
   krb5_free_keyblock (context, key);
@@ -187,6 +192,8 @@ _gsskrb5_wrap_size_limit (
   return ret;
 }
 
+#ifdef HEIM_WEAK_CRYPTO
+
 static OM_uint32
 wrap_des
            (OM_uint32 * minor_status,
@@ -201,19 +208,29 @@ wrap_des
            )
 {
   u_char *p;
-  MD5_CTX md5;
+  EVP_MD_CTX *md5;
   u_char hash[16];
   DES_key_schedule schedule;
+  EVP_CIPHER_CTX des_ctx;
   DES_cblock deskey;
   DES_cblock zero;
-  int i;
+  size_t i;
   int32_t seq_number;
   size_t len, total_len, padlength, datalen;
 
-  padlength = 8 - (input_message_buffer->length % 8);
-  datalen = input_message_buffer->length + padlength + 8;
-  len = datalen + 22;
-  _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+  if (IS_DCE_STYLE(ctx)) {
+    padlength = 0;
+    datalen = input_message_buffer->length;
+    len = 22 + 8;
+    _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+    total_len += datalen;
+    datalen += 8;
+  } else {
+    padlength = 8 - (input_message_buffer->length % 8);
+    datalen = input_message_buffer->length + padlength + 8;
+    len = datalen + 22;
+    _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+  }
 
   output_message_buffer->length = total_len;
   output_message_buffer->value  = malloc (total_len);
@@ -252,14 +269,16 @@ wrap_des
   memset (p + 8 + input_message_buffer->length, padlength, padlength);
 
   /* checksum */
-  MD5_Init (&md5);
-  MD5_Update (&md5, p - 24, 8);
-  MD5_Update (&md5, p, datalen);
-  MD5_Final (hash, &md5);
+  md5 = EVP_MD_CTX_create();
+  EVP_DigestInit_ex(md5, EVP_md5(), NULL);
+  EVP_DigestUpdate(md5, p - 24, 8);
+  EVP_DigestUpdate(md5, p, datalen);
+  EVP_DigestFinal_ex(md5, hash, NULL);
+  EVP_MD_CTX_destroy(md5);
 
   memset (&zero, 0, sizeof(zero));
   memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
-  DES_set_key (&deskey, &schedule);
+  DES_set_key_unchecked (&deskey, &schedule);
   DES_cbc_cksum ((void *)hash, (void *)hash, sizeof(hash),
 		 &schedule, &zero);
   memcpy (p - 8, hash, 8);
@@ -279,9 +298,10 @@ wrap_des
 	  (ctx->more_flags & LOCAL) ? 0 : 0xFF,
 	  4);
 
-  DES_set_key (&deskey, &schedule);
-  DES_cbc_encrypt ((void *)p, (void *)p, 8,
-		   &schedule, (DES_cblock *)(p + 8), DES_ENCRYPT);
+  EVP_CIPHER_CTX_init(&des_ctx);
+  EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, key->keyvalue.data, p + 8, 1);
+  EVP_Cipher(&des_ctx, p, p, 8);
+  EVP_CIPHER_CTX_cleanup(&des_ctx);
 
   krb5_auth_con_setlocalseqnumber (context,
 			       ctx->auth_context,
@@ -296,14 +316,11 @@ wrap_des
 
       for (i = 0; i < sizeof(deskey); ++i)
 	  deskey[i] ^= 0xf0;
-      DES_set_key (&deskey, &schedule);
-      memset (&zero, 0, sizeof(zero));
-      DES_cbc_encrypt ((void *)p,
-		       (void *)p,
-		       datalen,
-		       &schedule,
-		       &zero,
-		       DES_ENCRYPT);
+
+      EVP_CIPHER_CTX_init(&des_ctx);
+      EVP_CipherInit_ex(&des_ctx, EVP_des_cbc(), NULL, deskey, zero, 1);
+      EVP_Cipher(&des_ctx, p, p, datalen);
+      EVP_CIPHER_CTX_cleanup(&des_ctx);
   }
   memset (deskey, 0, sizeof(deskey));
   memset (&schedule, 0, sizeof(schedule));
@@ -314,6 +331,8 @@ wrap_des
   return GSS_S_COMPLETE;
 }
 
+#endif
+
 static OM_uint32
 wrap_des3
            (OM_uint32 * minor_status,
@@ -336,10 +355,19 @@ wrap_des3
   Checksum cksum;
   krb5_data encdata;
 
-  padlength = 8 - (input_message_buffer->length % 8);
-  datalen = input_message_buffer->length + padlength + 8;
-  len = datalen + 34;
-  _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+  if (IS_DCE_STYLE(ctx)) {
+    padlength = 0;
+    datalen = input_message_buffer->length;
+    len = 34 + 8;
+    _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+    total_len += datalen;
+    datalen += 8;
+  } else {
+    padlength = 8 - (input_message_buffer->length % 8);
+    datalen = input_message_buffer->length + padlength + 8;
+    len = datalen + 34;
+    _gsskrb5_encap_length (len, &len, &total_len, GSS_KRB5_MECHANISM);
+  }
 
   output_message_buffer->length = total_len;
   output_message_buffer->value  = malloc (total_len);
@@ -352,7 +380,7 @@ wrap_des3
   p = _gsskrb5_make_header(output_message_buffer->value,
 			      len,
 			      "\x02\x01", /* TOK_ID */
-			      GSS_KRB5_MECHANISM); 
+			      GSS_KRB5_MECHANISM);
 
   /* SGN_ALG */
   memcpy (p, "\x04\x00", 2);	/* HMAC SHA1 DES3-KD */
@@ -449,7 +477,7 @@ wrap_des3
       *minor_status = ret;
       return GSS_S_FAILURE;
   }
-  
+
   assert (encdata.length == 8);
 
   memcpy (p, encdata.data, encdata.length);
@@ -496,7 +524,8 @@ wrap_des3
   return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gsskrb5_wrap
+OM_uint32 GSSAPI_CALLCONV
+_gsskrb5_wrap
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             int conf_req_flag,
@@ -512,8 +541,16 @@ OM_uint32 _gsskrb5_wrap
   krb5_keytype keytype;
   const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
 
+  output_message_buffer->value = NULL;
+  output_message_buffer->length = 0;
+
   GSSAPI_KRB5_INIT (&context);
 
+  if (ctx->more_flags & IS_CFX)
+      return _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
+			       input_message_buffer, conf_state,
+			       output_message_buffer);
+
   HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
   ret = _gsskrb5i_get_token_key(ctx, context, &key);
   HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
@@ -525,9 +562,13 @@ OM_uint32 _gsskrb5_wrap
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = wrap_des (minor_status, ctx, context, conf_req_flag,
 		      qop_req, input_message_buffer, conf_state,
 		      output_message_buffer, key);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
   case KEYTYPE_DES3 :
       ret = wrap_des3 (minor_status, ctx, context, conf_req_flag,
@@ -541,9 +582,7 @@ OM_uint32 _gsskrb5_wrap
 				  output_message_buffer, key);
       break;
   default :
-      ret = _gssapi_wrap_cfx (minor_status, ctx, context, conf_req_flag,
-			      qop_req, input_message_buffer, conf_state,
-			      output_message_buffer, key);
+      abort();
       break;
   }
   krb5_free_keyblock (context, key);
diff --git a/lib/gssapi/libgssapi-exports.def b/lib/gssapi/libgssapi-exports.def
new file mode 100644
index 000000000000..3cbcc4eb1844
--- /dev/null
+++ b/lib/gssapi/libgssapi-exports.def
@@ -0,0 +1,189 @@
+EXPORTS
+	__gss_c_nt_anonymous_oid_desc	DATA
+	__gss_c_nt_export_name_oid_desc	DATA
+	__gss_c_nt_hostbased_service_oid_desc	DATA
+	__gss_c_nt_hostbased_service_x_oid_desc	DATA
+	__gss_c_nt_machine_uid_name_oid_desc	DATA
+	__gss_c_nt_string_uid_name_oid_desc	DATA
+	__gss_c_nt_user_name_oid_desc	DATA
+	__gss_krb5_nt_principal_name_oid_desc	DATA
+	__gss_c_attr_stream_sizes_oid_desc	DATA
+        __gss_c_attr_local_login_user           DATA
+        __gss_c_cred_certificate_oid_desc       DATA
+        __gss_c_cred_password_oid_desc          DATA
+	gss_accept_sec_context
+	gss_acquire_cred
+	gss_acquire_cred_with_password
+	gss_add_buffer_set_member
+	gss_add_cred
+	gss_add_cred_with_password
+	gss_add_oid_set_member
+        gss_authorize_localname
+	gss_canonicalize_name
+	gss_compare_name
+	gss_context_query_attributes
+	gss_context_time
+	gss_create_empty_buffer_set
+	gss_create_empty_oid_set
+	gss_decapsulate_token
+	gss_delete_name_attribute
+	gss_delete_sec_context
+        gss_display_mech_attr
+	gss_display_name
+	gss_display_name_ext
+	gss_display_status
+	gss_duplicate_name
+	gss_duplicate_oid
+	gss_encapsulate_token
+        gss_export_cred
+	gss_export_name
+	gss_export_name_composite
+	gss_export_sec_context
+	gss_get_mic
+	gss_get_name_attribute
+        gss_import_cred
+	gss_import_name
+	gss_import_sec_context
+	gss_indicate_mechs
+        gss_indicate_mechs_by_attrs
+	gss_init_sec_context
+        gss_inquire_attrs_for_mech
+	gss_inquire_context
+	gss_inquire_cred
+	gss_inquire_cred_by_mech
+	gss_inquire_cred_by_oid
+        gss_inquire_mech_for_saslname
+	gss_inquire_mechs_for_name
+	gss_inquire_name
+	gss_inquire_names_for_mech
+        gss_inquire_saslname_for_mech
+	gss_inquire_sec_context_by_oid  ;!
+	gss_krb5_ccache_name
+	gss_krb5_copy_ccache
+	gss_krb5_export_lucid_sec_context
+	gss_krb5_free_lucid_sec_context
+	gss_krb5_get_tkt_flags
+	gss_krb5_import_cred
+	gss_krb5_set_allowable_enctypes
+	gss_mg_collect_error
+        gss_mo_get
+        gss_mo_set
+        gss_mo_list
+        gss_mo_name
+        gss_name_to_oid
+        gss_oid_to_name
+	gss_oid_equal
+	gss_oid_to_str
+	gss_pname_to_uid
+	gss_process_context_token
+	gss_pseudo_random
+	gss_release_buffer
+	gss_release_buffer_set
+	gss_release_cred
+	gss_release_iov_buffer
+	gss_release_name
+	gss_release_oid
+	gss_release_oid_set
+	gss_seal
+	gss_set_cred_option
+	gss_set_name_attribute
+	gss_set_sec_context_option
+	gss_sign
+	gss_store_cred
+	gss_test_oid_set_member
+	gss_unseal
+	gss_unwrap
+	gss_unwrap_iov
+	gss_userok
+	gss_verify
+	gss_verify_mic
+	gss_wrap
+	gss_wrap_iov
+	gss_wrap_iov_length
+	gss_wrap_size_limit
+	gsskrb5_extract_authtime_from_sec_context
+	gsskrb5_extract_authz_data_from_sec_context
+	gsskrb5_extract_service_keyblock
+	gsskrb5_get_initiator_subkey
+	gsskrb5_get_subkey
+	gsskrb5_get_time_offset
+	gsskrb5_register_acceptor_identity
+	gsskrb5_set_default_realm
+	gsskrb5_set_dns_canonicalize
+	gsskrb5_set_send_to_kdc
+	gsskrb5_set_time_offset
+	krb5_gss_register_acceptor_identity
+
+; _gsskrb5cfx_ are really internal symbols, but export
+; then now to make testing easier.
+	_gsskrb5cfx_wrap_length_cfx
+	_gssapi_wrap_size_cfx
+
+        initialize_gk5_error_table_r    ;!
+
+	__gss_krb5_copy_ccache_x_oid_desc	DATA
+	__gss_krb5_get_tkt_flags_x_oid_desc	DATA
+	__gss_krb5_extract_authz_data_from_sec_context_x_oid_desc	DATA
+	__gss_krb5_compat_des3_mic_x_oid_desc	DATA
+	__gss_krb5_register_acceptor_identity_x_oid_desc	DATA
+	__gss_krb5_export_lucid_context_x_oid_desc	DATA
+	__gss_krb5_export_lucid_context_v1_x_oid_desc	DATA
+	__gss_krb5_set_dns_canonicalize_x_oid_desc	DATA
+	__gss_krb5_get_subkey_x_oid_desc	DATA
+	__gss_krb5_get_initiator_subkey_x_oid_desc	DATA
+	__gss_krb5_get_acceptor_subkey_x_oid_desc	DATA
+	__gss_krb5_send_to_kdc_x_oid_desc	DATA
+	__gss_krb5_get_authtime_x_oid_desc	DATA
+	__gss_krb5_get_service_keyblock_x_oid_desc	DATA
+	__gss_krb5_set_allowable_enctypes_x_oid_desc	DATA
+	__gss_krb5_set_default_realm_x_oid_desc	DATA
+	__gss_krb5_ccache_name_x_oid_desc	DATA
+	__gss_krb5_set_time_offset_x_oid_desc	DATA
+	__gss_krb5_get_time_offset_x_oid_desc	DATA
+	__gss_krb5_plugin_register_x_oid_desc	DATA
+	__gss_ntlm_get_session_key_x_oid_desc	DATA
+	__gss_c_nt_ntlm_oid_desc	DATA
+	__gss_c_nt_dn_oid_desc	DATA
+	__gss_krb5_nt_principal_name_referral_oid_desc	DATA
+	__gss_c_ntlm_avguest_oid_desc	DATA
+	__gss_c_ntlm_v1_oid_desc	DATA
+	__gss_c_ntlm_v2_oid_desc	DATA
+	__gss_c_ntlm_session_key_oid_desc	DATA
+	__gss_c_ntlm_force_v1_oid_desc	DATA
+	__gss_krb5_cred_no_ci_flags_x_oid_desc	DATA
+	__gss_krb5_import_cred_x_oid_desc	DATA
+	__gss_c_ma_sasl_mech_name_oid_desc	DATA
+	__gss_c_ma_mech_name_oid_desc	DATA
+	__gss_c_ma_mech_description_oid_desc	DATA
+	__gss_sasl_digest_md5_mechanism_oid_desc	DATA
+	__gss_krb5_mechanism_oid_desc	DATA
+	__gss_ntlm_mechanism_oid_desc	DATA
+	__gss_spnego_mechanism_oid_desc	DATA
+	__gss_c_peer_has_updated_spnego_oid_desc	DATA
+	__gss_c_ma_mech_concrete_oid_desc	DATA
+	__gss_c_ma_mech_pseudo_oid_desc	DATA
+	__gss_c_ma_mech_composite_oid_desc	DATA
+	__gss_c_ma_mech_nego_oid_desc	DATA
+	__gss_c_ma_mech_glue_oid_desc	DATA
+	__gss_c_ma_not_mech_oid_desc	DATA
+	__gss_c_ma_deprecated_oid_desc	DATA
+	__gss_c_ma_not_dflt_mech_oid_desc	DATA
+	__gss_c_ma_itok_framed_oid_desc	DATA
+	__gss_c_ma_auth_init_oid_desc	DATA
+	__gss_c_ma_auth_targ_oid_desc	DATA
+	__gss_c_ma_auth_init_init_oid_desc	DATA
+	__gss_c_ma_auth_targ_init_oid_desc	DATA
+	__gss_c_ma_auth_init_anon_oid_desc	DATA
+	__gss_c_ma_auth_targ_anon_oid_desc	DATA
+	__gss_c_ma_deleg_cred_oid_desc	DATA
+	__gss_c_ma_integ_prot_oid_desc	DATA
+	__gss_c_ma_conf_prot_oid_desc	DATA
+	__gss_c_ma_mic_oid_desc	DATA
+	__gss_c_ma_wrap_oid_desc	DATA
+	__gss_c_ma_prot_ready_oid_desc	DATA
+	__gss_c_ma_replay_det_oid_desc	DATA
+	__gss_c_ma_oos_det_oid_desc	DATA
+	__gss_c_ma_cbindings_oid_desc	DATA
+	__gss_c_ma_pfs_oid_desc	DATA
+	__gss_c_ma_compress_oid_desc	DATA
+	__gss_c_ma_ctx_trans_oid_desc	DATA
diff --git a/lib/gssapi/libgssapi-version.rc b/lib/gssapi/libgssapi-version.rc
new file mode 100644
index 000000000000..074066f06825
--- /dev/null
+++ b/lib/gssapi/libgssapi-version.rc
@@ -0,0 +1,36 @@
+/***********************************************************************
+ * Copyright (c) 2010, Secure Endpoints Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ *   notice, this list of conditions and the following disclaimer in
+ *   the documentation and/or other materials provided with the
+ *   distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **********************************************************************/
+
+#define RC_FILE_TYPE VFT_DLL
+#define RC_FILE_DESC_0409 "Generic Security Service Application Program Interface library"
+#define RC_FILE_ORIG_0409 "gssapi.dll"
+
+#include "../../windows/version.rc"
diff --git a/lib/gssapi/mech/compat.h b/lib/gssapi/mech/compat.h
new file mode 100644
index 000000000000..e63f1e534306
--- /dev/null
+++ b/lib/gssapi/mech/compat.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2010, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_saslname_for_mech_t (
+	       OM_uint32 *,           /* minor_status */
+	       const gss_OID,         /* desired_mech */
+	       gss_buffer_t,          /* sasl_mech_name */
+	       gss_buffer_t,          /* mech_name */
+	       gss_buffer_t           /* mech_description */
+	    );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_mech_for_saslname_t (
+	       OM_uint32 *,           /* minor_status */
+	       const gss_buffer_t,    /* sasl_mech_name */
+	       gss_OID *              /* mech_type */
+	    );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_inquire_attrs_for_mech_t (
+	       OM_uint32 *,           /* minor_status */
+	       gss_const_OID,         /* mech */
+	       gss_OID_set *,         /* mech_attrs */
+	       gss_OID_set *          /* known_mech_attrs */
+	    );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_acquire_cred_with_password_t
+	      (OM_uint32 *,            /* minor_status */
+	       const gss_name_t,       /* desired_name */
+	       const gss_buffer_t,     /* password */
+	       OM_uint32,              /* time_req */
+	       const gss_OID_set,      /* desired_mechs */
+	       gss_cred_usage_t,       /* cred_usage */
+	       gss_cred_id_t *,        /* output_cred_handle */
+	       gss_OID_set *,          /* actual_mechs */
+	       OM_uint32 *             /* time_rec */
+	      );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_add_cred_with_password_t (
+	       OM_uint32 *,            /* minor_status */
+	       const gss_cred_id_t,    /* input_cred_handle */
+	       const gss_name_t,       /* desired_name */
+	       const gss_OID,          /* desired_mech */
+	       const gss_buffer_t,     /* password */
+	       gss_cred_usage_t,       /* cred_usage */
+	       OM_uint32,              /* initiator_time_req */
+	       OM_uint32,              /* acceptor_time_req */
+	       gss_cred_id_t *,        /* output_cred_handle */
+	       gss_OID_set *,          /* actual_mechs */
+	       OM_uint32 *,            /* initiator_time_rec */
+	       OM_uint32 *             /* acceptor_time_rec */
+	      );
+
+/*
+ * API-as-SPI compatibility for compatibility with MIT mechanisms;
+ * native Heimdal mechanisms should not use these.
+ */
+struct gss_mech_compat_desc_struct {
+	_gss_inquire_saslname_for_mech_t    *gmc_inquire_saslname_for_mech;
+	_gss_inquire_mech_for_saslname_t    *gmc_inquire_mech_for_saslname;
+	_gss_inquire_attrs_for_mech_t       *gmc_inquire_attrs_for_mech;
+	_gss_acquire_cred_with_password_t   *gmc_acquire_cred_with_password;
+#if 0
+	_gss_add_cred_with_password_t       *gmc_add_cred_with_password;
+#endif
+};
+
diff --git a/lib/gssapi/mech/context.c b/lib/gssapi/mech/context.c
new file mode 100644
index 000000000000..5ea0ac466b76
--- /dev/null
+++ b/lib/gssapi/mech/context.c
@@ -0,0 +1,163 @@
+#include "mech_locl.h"
+#include "heim_threads.h"
+
+struct mg_thread_ctx {
+    gss_OID mech;
+    OM_uint32 maj_stat;
+    OM_uint32 min_stat;
+    gss_buffer_desc maj_error;
+    gss_buffer_desc min_error;
+};
+
+static HEIMDAL_MUTEX context_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static int created_key;
+static HEIMDAL_thread_key context_key;
+
+
+static void
+destroy_context(void *ptr)
+{
+    struct mg_thread_ctx *mg = ptr;
+    OM_uint32 junk;
+
+    if (mg == NULL)
+	return;
+
+    gss_release_buffer(&junk, &mg->maj_error);
+    gss_release_buffer(&junk, &mg->min_error);
+    free(mg);
+}
+
+
+static struct mg_thread_ctx *
+_gss_mechglue_thread(void)
+{
+    struct mg_thread_ctx *ctx;
+    int ret = 0;
+
+    HEIMDAL_MUTEX_lock(&context_mutex);
+
+    if (!created_key) {
+	HEIMDAL_key_create(&context_key, destroy_context, ret);
+	if (ret) {
+	    HEIMDAL_MUTEX_unlock(&context_mutex);
+	    return NULL;
+	}
+	created_key = 1;
+    }
+    HEIMDAL_MUTEX_unlock(&context_mutex);
+
+    ctx = HEIMDAL_getspecific(context_key);
+    if (ctx == NULL) {
+
+	ctx = calloc(1, sizeof(*ctx));
+	if (ctx == NULL)
+	    return NULL;
+	HEIMDAL_setspecific(context_key, ctx, ret);
+	if (ret) {
+	    free(ctx);
+	    return NULL;
+	}
+    }
+    return ctx;
+}
+
+OM_uint32
+_gss_mg_get_error(const gss_OID mech, OM_uint32 type,
+		  OM_uint32 value, gss_buffer_t string)
+{
+    struct mg_thread_ctx *mg;
+
+    mg = _gss_mechglue_thread();
+    if (mg == NULL)
+	return GSS_S_BAD_STATUS;
+
+#if 0
+    /*
+     * We cant check the mech here since a pseudo-mech might have
+     * called an lower layer and then the mech info is all broken
+     */
+    if (mech != NULL && gss_oid_equal(mg->mech, mech) == 0)
+	return GSS_S_BAD_STATUS;
+#endif
+
+    switch (type) {
+    case GSS_C_GSS_CODE: {
+	if (value != mg->maj_stat || mg->maj_error.length == 0)
+	    break;
+	string->value = malloc(mg->maj_error.length + 1);
+	string->length = mg->maj_error.length;
+	memcpy(string->value, mg->maj_error.value, mg->maj_error.length);
+        ((char *) string->value)[string->length] = '\0';
+	return GSS_S_COMPLETE;
+    }
+    case GSS_C_MECH_CODE: {
+	if (value != mg->min_stat || mg->min_error.length == 0)
+	    break;
+	string->value = malloc(mg->min_error.length + 1);
+	string->length = mg->min_error.length;
+	memcpy(string->value, mg->min_error.value, mg->min_error.length);
+        ((char *) string->value)[string->length] = '\0';
+	return GSS_S_COMPLETE;
+    }
+    }
+    string->value = NULL;
+    string->length = 0;
+    return GSS_S_BAD_STATUS;
+}
+
+void
+_gss_mg_error(gssapi_mech_interface m, OM_uint32 maj, OM_uint32 min)
+{
+    OM_uint32 major_status, minor_status;
+    OM_uint32 message_content;
+    struct mg_thread_ctx *mg;
+
+    /*
+     * Mechs without gss_display_status() does
+     * gss_mg_collect_error() by themself.
+     */
+    if (m->gm_display_status == NULL)
+	return ;
+
+    mg = _gss_mechglue_thread();
+    if (mg == NULL)
+	return;
+
+    gss_release_buffer(&minor_status, &mg->maj_error);
+    gss_release_buffer(&minor_status, &mg->min_error);
+
+    mg->mech = &m->gm_mech_oid;
+    mg->maj_stat = maj;
+    mg->min_stat = min;
+
+    major_status = m->gm_display_status(&minor_status,
+					maj,
+					GSS_C_GSS_CODE,
+					&m->gm_mech_oid,
+					&message_content,
+					&mg->maj_error);
+    if (GSS_ERROR(major_status)) {
+	mg->maj_error.value = NULL;
+	mg->maj_error.length = 0;
+    }
+    major_status = m->gm_display_status(&minor_status,
+					min,
+					GSS_C_MECH_CODE,
+					&m->gm_mech_oid,
+					&message_content,
+					&mg->min_error);
+    if (GSS_ERROR(major_status)) {
+	mg->min_error.value = NULL;
+	mg->min_error.length = 0;
+    }
+}
+
+void
+gss_mg_collect_error(gss_OID mech, OM_uint32 maj, OM_uint32 min)
+{
+    gssapi_mech_interface m = __gss_get_mechanism(mech);
+    if (m == NULL)
+	return;
+    _gss_mg_error(m, maj, min);
+}
diff --git a/lib/gssapi/mech/context.h b/lib/gssapi/mech/context.h
new file mode 100644
index 000000000000..f2a7009cdad4
--- /dev/null
+++ b/lib/gssapi/mech/context.h
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/context.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ *	$Id$
+ */
+
+#include <gssapi_mech.h>
+
+struct _gss_context {
+	gssapi_mech_interface	gc_mech;
+	gss_ctx_id_t		gc_ctx;
+};
+
+void
+_gss_mg_error(gssapi_mech_interface, OM_uint32, OM_uint32);
+
+OM_uint32
+_gss_mg_get_error(const gss_OID, OM_uint32, OM_uint32, gss_buffer_t);
diff --git a/lib/gssapi/mech/cred.h b/lib/gssapi/mech/cred.h
new file mode 100644
index 000000000000..5661b5323951
--- /dev/null
+++ b/lib/gssapi/mech/cred.h
@@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/cred.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ *	$Id$
+ */
+
+struct _gss_mechanism_cred {
+	HEIM_SLIST_ENTRY(_gss_mechanism_cred) gmc_link;
+	gssapi_mech_interface	gmc_mech;	/* mechanism ops for MC */
+	gss_OID			gmc_mech_oid;	/* mechanism oid for MC */
+	gss_cred_id_t		gmc_cred;	/* underlying MC */
+};
+HEIM_SLIST_HEAD(_gss_mechanism_cred_list, _gss_mechanism_cred);
+
+struct _gss_cred {
+	struct _gss_mechanism_cred_list gc_mc;
+};
+
+struct _gss_mechanism_cred *
+_gss_copy_cred(struct _gss_mechanism_cred *mc);
+
+struct _gss_mechanism_name;
+
+OM_uint32
+_gss_acquire_mech_cred(OM_uint32 *minor_status,
+		       gssapi_mech_interface m,
+		       const struct _gss_mechanism_name *mn,
+		       gss_const_OID credential_type,
+		       const void *credential_data,
+		       OM_uint32 time_req,
+		       gss_const_OID desired_mech,
+		       gss_cred_usage_t cred_usage,
+		       struct _gss_mechanism_cred **output_cred_handle);
+
diff --git a/lib/gssapi/mech/doxygen.c b/lib/gssapi/mech/doxygen.c
new file mode 100644
index 000000000000..a341cba2dac1
--- /dev/null
+++ b/lib/gssapi/mech/doxygen.c
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*! @mainpage Heimdal GSS-API Library
+ *
+ * Heimdal implements the following mechanisms:
+ *
+ * - Kerberos 5
+ * - SPNEGO
+ * - NTLM
+ *
+ * See @ref gssapi_mechs for more describtion about these mechanisms.
+ *
+ * The project web page: http://www.h5l.org/
+ *
+ * - @ref gssapi_services_intro
+ * - @ref gssapi_mechs
+ * - @ref gssapi_api_INvsMN
+ */
+
+/**
+ * @page gssapi_services_intro Introduction to GSS-API services
+ * @section gssapi_services GSS-API services
+ *
+ * @subsection gssapi_services_context Context creation
+ *
+ *  - delegation
+ *  - mutual authentication
+ *  - anonymous
+ *  - use per message before context creation has completed
+ *
+ *  return status:
+ *  - support conf
+ *  - support int
+ *
+ * @subsection gssapi_context_flags Context creation flags
+ *
+ * - GSS_C_DELEG_FLAG
+ * - GSS_C_MUTUAL_FLAG
+ * - GSS_C_REPLAY_FLAG
+ * - GSS_C_SEQUENCE_FLAG
+ * - GSS_C_CONF_FLAG
+ * - GSS_C_INTEG_FLAG
+ * - GSS_C_ANON_FLAG
+ * - GSS_C_PROT_READY_FLAG
+ * - GSS_C_TRANS_FLAG
+ * - GSS_C_DCE_STYLE
+ * - GSS_C_IDENTIFY_FLAG
+ * - GSS_C_EXTENDED_ERROR_FLAG
+ * - GSS_C_DELEG_POLICY_FLAG
+ *
+ *
+ * @subsection gssapi_services_permessage Per-message services
+ *
+ *  - conf
+ *  - int
+ *  - message integrity
+ *  - replay detection
+ *  - out of sequence
+ *
+ */
+
+/**
+ * @page gssapi_mechs_intro GSS-API mechanisms
+ * @section gssapi_mechs GSS-API mechanisms
+ *
+ * - Kerberos 5 - GSS_KRB5_MECHANISM
+ * - SPNEGO - GSS_SPNEGO_MECHANISM
+ * - NTLM - GSS_NTLM_MECHANISM
+
+ */
+
+
+/**
+ * @page internalVSmechname Internal names and mechanism names
+ * @section gssapi_api_INvsMN Name forms
+ *
+ * There are two forms of name in GSS-API, Internal form and
+ * Contiguous string ("flat") form. gss_export_name() and
+ * gss_import_name() can be used to convert between the two forms.
+ *
+ * - The contiguous string form is described by an oid specificing the
+ *   type and an octet string. A special form of the contiguous
+ *   string form is the exported name object. The exported name
+ *   defined for each mechanism, is something that can be stored and
+ *   complared later. The exported name is what should be used for
+ *   ACLs comparisons.
+ *
+ * - The Internal form
+ *
+ *   There is also special form of the Internal Name (IN), and that is
+ *   the Mechanism Name (MN). In the mechanism name all the generic
+ *   information is stripped of and only contain the information for
+ *   one mechanism.  In GSS-API some function return MN and some
+ *   require MN as input. Each of these function is marked up as such.
+ *
+ *
+ * Describe relationship between import_name, canonicalize_name,
+ * export_name and friends.
+ */
+
+/** @defgroup gssapi Heimdal GSS-API functions */
diff --git a/lib/gssapi/mech/gss_accept_sec_context.c b/lib/gssapi/mech/gss_accept_sec_context.c
new file mode 100644
index 000000000000..bf7ea03f72e4
--- /dev/null
+++ b/lib/gssapi/mech/gss_accept_sec_context.c
@@ -0,0 +1,308 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_accept_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+static OM_uint32
+parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
+{
+	unsigned char *p = input_token->value;
+	size_t len = input_token->length;
+	size_t a, b;
+
+	/*
+	 * Token must start with [APPLICATION 0] SEQUENCE.
+	 * But if it doesn't assume it is DCE-STYLE Kerberos!
+	 */
+	if (len == 0)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	p++;
+	len--;
+
+	/*
+	 * Decode the length and make sure it agrees with the
+	 * token length.
+	 */
+	if (len == 0)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	if ((*p & 0x80) == 0) {
+		a = *p;
+		p++;
+		len--;
+	} else {
+		b = *p & 0x7f;
+		p++;
+		len--;
+		if (len < b)
+		    return (GSS_S_DEFECTIVE_TOKEN);
+		a = 0;
+		while (b) {
+		    a = (a << 8) | *p;
+		    p++;
+		    len--;
+		    b--;
+		}
+	}
+	if (a != len)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	/*
+	 * Decode the OID for the mechanism. Simplify life by
+	 * assuming that the OID length is less than 128 bytes.
+	 */
+	if (len < 2 || *p != 0x06)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	if ((p[1] & 0x80) || p[1] > (len - 2))
+		return (GSS_S_DEFECTIVE_TOKEN);
+	mech_oid->length = p[1];
+	p += 2;
+	len -= 2;
+	mech_oid->elements = p;
+
+	return GSS_S_COMPLETE;
+}
+
+static gss_OID_desc krb5_mechanism =
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
+static gss_OID_desc ntlm_mechanism =
+    {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")};
+static gss_OID_desc spnego_mechanism =
+    {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02")};
+
+static OM_uint32
+choose_mech(const gss_buffer_t input, gss_OID mech_oid)
+{
+	OM_uint32 status;
+
+	/*
+	 * First try to parse the gssapi token header and see if it's a
+	 * correct header, use that in the first hand.
+	 */
+
+	status = parse_header(input, mech_oid);
+	if (status == GSS_S_COMPLETE)
+	    return GSS_S_COMPLETE;
+
+	/*
+	 * Lets guess what mech is really is, callback function to mech ??
+	 */
+
+	if (input->length > 8 &&
+	    memcmp((const char *)input->value, "NTLMSSP\x00", 8) == 0)
+	{
+		*mech_oid = ntlm_mechanism;
+		return GSS_S_COMPLETE;
+	} else if (input->length != 0 &&
+		   ((const char *)input->value)[0] == 0x6E)
+	{
+		/* Could be a raw AP-REQ (check for APPLICATION tag) */
+		*mech_oid = krb5_mechanism;
+		return GSS_S_COMPLETE;
+	} else if (input->length == 0) {
+		/*
+		 * There is the a wierd mode of SPNEGO (in CIFS and
+		 * SASL GSS-SPENGO where the first token is zero
+		 * length and the acceptor returns a mech_list, lets
+		 * hope that is what is happening now.
+		 *
+		 * http://msdn.microsoft.com/en-us/library/cc213114.aspx
+		 * "NegTokenInit2 Variation for Server-Initiation"
+		 */
+		*mech_oid = spnego_mechanism;
+		return GSS_S_COMPLETE;
+	}
+	return status;
+}
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_accept_sec_context(OM_uint32 *minor_status,
+    gss_ctx_id_t *context_handle,
+    const gss_cred_id_t acceptor_cred_handle,
+    const gss_buffer_t input_token,
+    const gss_channel_bindings_t input_chan_bindings,
+    gss_name_t *src_name,
+    gss_OID *mech_type,
+    gss_buffer_t output_token,
+    OM_uint32 *ret_flags,
+    OM_uint32 *time_rec,
+    gss_cred_id_t *delegated_cred_handle)
+{
+	OM_uint32 major_status, mech_ret_flags, junk;
+	gssapi_mech_interface m;
+	struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+	struct _gss_cred *cred = (struct _gss_cred *) acceptor_cred_handle;
+	struct _gss_mechanism_cred *mc;
+	gss_cred_id_t acceptor_mc, delegated_mc;
+	gss_name_t src_mn;
+	gss_OID mech_ret_type = NULL;
+
+	*minor_status = 0;
+	if (src_name)
+	    *src_name = GSS_C_NO_NAME;
+	if (mech_type)
+	    *mech_type = GSS_C_NO_OID;
+	if (ret_flags)
+	    *ret_flags = 0;
+	if (time_rec)
+	    *time_rec = 0;
+	if (delegated_cred_handle)
+	    *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+	_mg_buffer_zero(output_token);
+
+
+	/*
+	 * If this is the first call (*context_handle is NULL), we must
+	 * parse the input token to figure out the mechanism to use.
+	 */
+	if (*context_handle == GSS_C_NO_CONTEXT) {
+		gss_OID_desc mech_oid;
+
+		major_status = choose_mech(input_token, &mech_oid);
+		if (major_status != GSS_S_COMPLETE)
+			return major_status;
+
+		/*
+		 * Now that we have a mechanism, we can find the
+		 * implementation.
+		 */
+		ctx = malloc(sizeof(struct _gss_context));
+		if (!ctx) {
+			*minor_status = ENOMEM;
+			return (GSS_S_DEFECTIVE_TOKEN);
+		}
+		memset(ctx, 0, sizeof(struct _gss_context));
+		m = ctx->gc_mech = __gss_get_mechanism(&mech_oid);
+		if (!m) {
+			free(ctx);
+			return (GSS_S_BAD_MECH);
+		}
+		*context_handle = (gss_ctx_id_t) ctx;
+	} else {
+		m = ctx->gc_mech;
+	}
+
+	if (cred) {
+		HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link)
+			if (mc->gmc_mech == m)
+				break;
+		if (!mc) {
+		        gss_delete_sec_context(&junk, context_handle, NULL);
+			return (GSS_S_BAD_MECH);
+		}
+		acceptor_mc = mc->gmc_cred;
+	} else {
+		acceptor_mc = GSS_C_NO_CREDENTIAL;
+	}
+	delegated_mc = GSS_C_NO_CREDENTIAL;
+
+	mech_ret_flags = 0;
+	major_status = m->gm_accept_sec_context(minor_status,
+	    &ctx->gc_ctx,
+	    acceptor_mc,
+	    input_token,
+	    input_chan_bindings,
+	    &src_mn,
+	    &mech_ret_type,
+	    output_token,
+	    &mech_ret_flags,
+	    time_rec,
+	    &delegated_mc);
+	if (major_status != GSS_S_COMPLETE &&
+	    major_status != GSS_S_CONTINUE_NEEDED)
+	{
+		_gss_mg_error(m, major_status, *minor_status);
+		gss_delete_sec_context(&junk, context_handle, NULL);
+		return (major_status);
+	}
+
+	if (mech_type)
+	    *mech_type = mech_ret_type;
+
+	if (src_name && src_mn) {
+		/*
+		 * Make a new name and mark it as an MN.
+		 */
+		struct _gss_name *name = _gss_make_name(m, src_mn);
+
+		if (!name) {
+			m->gm_release_name(minor_status, &src_mn);
+		        gss_delete_sec_context(&junk, context_handle, NULL);
+			return (GSS_S_FAILURE);
+		}
+		*src_name = (gss_name_t) name;
+	} else if (src_mn) {
+		m->gm_release_name(minor_status, &src_mn);
+	}
+
+	if (mech_ret_flags & GSS_C_DELEG_FLAG) {
+		if (!delegated_cred_handle) {
+			m->gm_release_cred(minor_status, &delegated_mc);
+			mech_ret_flags &=
+			    ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
+		} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
+			/*
+			 * If the returned mech_type is not the same
+			 * as the mech, assume its pseudo mech type
+			 * and the returned type is already a
+			 * mech-glue object
+			 */
+			*delegated_cred_handle = delegated_mc;
+
+		} else if (delegated_mc) {
+			struct _gss_cred *dcred;
+			struct _gss_mechanism_cred *dmc;
+
+			dcred = malloc(sizeof(struct _gss_cred));
+			if (!dcred) {
+				*minor_status = ENOMEM;
+				gss_delete_sec_context(&junk, context_handle, NULL);
+				return (GSS_S_FAILURE);
+			}
+			HEIM_SLIST_INIT(&dcred->gc_mc);
+			dmc = malloc(sizeof(struct _gss_mechanism_cred));
+			if (!dmc) {
+				free(dcred);
+				*minor_status = ENOMEM;
+				gss_delete_sec_context(&junk, context_handle, NULL);
+				return (GSS_S_FAILURE);
+			}
+			dmc->gmc_mech = m;
+			dmc->gmc_mech_oid = &m->gm_mech_oid;
+			dmc->gmc_cred = delegated_mc;
+			HEIM_SLIST_INSERT_HEAD(&dcred->gc_mc, dmc, gmc_link);
+
+			*delegated_cred_handle = (gss_cred_id_t) dcred;
+		}
+	}
+
+	if (ret_flags)
+	    *ret_flags = mech_ret_flags;
+	return (major_status);
+}
diff --git a/lib/gssapi/mech/gss_acquire_cred.c b/lib/gssapi/mech/gss_acquire_cred.c
new file mode 100644
index 000000000000..ade65df8ec86
--- /dev/null
+++ b/lib/gssapi/mech/gss_acquire_cred.c
@@ -0,0 +1,168 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_acquire_cred(OM_uint32 *minor_status,
+    const gss_name_t desired_name,
+    OM_uint32 time_req,
+    const gss_OID_set desired_mechs,
+    gss_cred_usage_t cred_usage,
+    gss_cred_id_t *output_cred_handle,
+    gss_OID_set *actual_mechs,
+    OM_uint32 *time_rec)
+{
+	OM_uint32 major_status;
+	gss_OID_set mechs = desired_mechs;
+	gss_OID_set_desc set;
+	struct _gss_name *name = (struct _gss_name *) desired_name;
+	gssapi_mech_interface m;
+	struct _gss_cred *cred;
+	struct _gss_mechanism_cred *mc;
+	OM_uint32 min_time, cred_time;
+	size_t i;
+
+	*minor_status = 0;
+	if (output_cred_handle == NULL)
+	    return GSS_S_CALL_INACCESSIBLE_READ;
+	if (actual_mechs)
+	    *actual_mechs = GSS_C_NO_OID_SET;
+	if (time_rec)
+	    *time_rec = 0;
+
+	_gss_load_mech();
+
+	/*
+	 * First make sure that at least one of the requested
+	 * mechanisms is one that we support.
+	 */
+	if (mechs) {
+		for (i = 0; i < mechs->count; i++) {
+			int t;
+			gss_test_oid_set_member(minor_status,
+			    &mechs->elements[i], _gss_mech_oids, &t);
+			if (t)
+				break;
+		}
+		if (i == mechs->count) {
+			*minor_status = 0;
+			return (GSS_S_BAD_MECH);
+		}
+	}
+
+	if (actual_mechs) {
+		major_status = gss_create_empty_oid_set(minor_status,
+		    actual_mechs);
+		if (major_status)
+			return (major_status);
+	}
+
+	cred = malloc(sizeof(struct _gss_cred));
+	if (!cred) {
+		if (actual_mechs)
+			gss_release_oid_set(minor_status, actual_mechs);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	HEIM_SLIST_INIT(&cred->gc_mc);
+
+	if (mechs == GSS_C_NO_OID_SET)
+		mechs = _gss_mech_oids;
+
+	set.count = 1;
+	min_time = GSS_C_INDEFINITE;
+	for (i = 0; i < mechs->count; i++) {
+		struct _gss_mechanism_name *mn = NULL;
+
+		m = __gss_get_mechanism(&mechs->elements[i]);
+		if (!m)
+			continue;
+
+		if (desired_name != GSS_C_NO_NAME) {
+			major_status = _gss_find_mn(minor_status, name,
+						    &mechs->elements[i], &mn);
+			if (major_status != GSS_S_COMPLETE)
+				continue;
+		}
+
+		mc = malloc(sizeof(struct _gss_mechanism_cred));
+		if (!mc) {
+			continue;
+		}
+		mc->gmc_mech = m;
+		mc->gmc_mech_oid = &m->gm_mech_oid;
+
+		/*
+		 * XXX Probably need to do something with actual_mechs.
+		 */
+		set.elements = &mechs->elements[i];
+		major_status = m->gm_acquire_cred(minor_status,
+		    (desired_name != GSS_C_NO_NAME
+			? mn->gmn_name : GSS_C_NO_NAME),
+		    time_req, &set, cred_usage,
+		    &mc->gmc_cred, NULL, &cred_time);
+		if (major_status) {
+			free(mc);
+			continue;
+		}
+		if (cred_time < min_time)
+			min_time = cred_time;
+
+		if (actual_mechs) {
+			major_status = gss_add_oid_set_member(minor_status,
+			    mc->gmc_mech_oid, actual_mechs);
+			if (major_status) {
+				m->gm_release_cred(minor_status,
+				    &mc->gmc_cred);
+				free(mc);
+				continue;
+			}
+		}
+
+		HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
+	}
+
+	/*
+	 * If we didn't manage to create a single credential, return
+	 * an error.
+	 */
+	if (!HEIM_SLIST_FIRST(&cred->gc_mc)) {
+		free(cred);
+		if (actual_mechs)
+			gss_release_oid_set(minor_status, actual_mechs);
+		*minor_status = 0;
+		return (GSS_S_NO_CRED);
+	}
+
+	if (time_rec)
+		*time_rec = min_time;
+	*output_cred_handle = (gss_cred_id_t) cred;
+	*minor_status = 0;
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_acquire_cred_ext.c b/lib/gssapi/mech/gss_acquire_cred_ext.c
new file mode 100644
index 000000000000..1cbb29f141f3
--- /dev/null
+++ b/lib/gssapi/mech/gss_acquire_cred_ext.c
@@ -0,0 +1,193 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2011 PADL Software Pty Ltd.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_acquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+OM_uint32
+_gss_acquire_mech_cred(OM_uint32 *minor_status,
+		       gssapi_mech_interface m,
+		       const struct _gss_mechanism_name *mn,
+		       gss_const_OID credential_type,
+		       const void *credential_data,
+		       OM_uint32 time_req,
+		       gss_const_OID desired_mech,
+		       gss_cred_usage_t cred_usage,
+		       struct _gss_mechanism_cred **output_cred_handle)
+{
+    OM_uint32 major_status;
+    struct _gss_mechanism_cred *mc;
+    gss_OID_set_desc set2;
+
+    *output_cred_handle = NULL;
+
+    mc = calloc(1, sizeof(struct _gss_mechanism_cred));
+    if (mc == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    mc->gmc_mech = m;
+    mc->gmc_mech_oid = &m->gm_mech_oid;
+
+    set2.count = 1;
+    set2.elements = mc->gmc_mech_oid;
+
+    if (m->gm_acquire_cred_ext) {
+	major_status = m->gm_acquire_cred_ext(minor_status,
+					      mn->gmn_name,
+					      credential_type,
+					      credential_data,
+					      time_req,
+					      mc->gmc_mech_oid,
+					      cred_usage,
+					      &mc->gmc_cred);
+    } else if (gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD) &&
+		m->gm_compat &&
+		m->gm_compat->gmc_acquire_cred_with_password) {
+	/*
+	 * Shim for mechanisms that adhere to API-as-SPI and do not
+	 * implement gss_acquire_cred_ext().
+	 */
+
+	major_status = m->gm_compat->gmc_acquire_cred_with_password(minor_status,
+				mn->gmn_name,
+				(const gss_buffer_t)credential_data,
+				time_req,
+				&set2,
+				cred_usage,
+				&mc->gmc_cred,
+				NULL,
+				NULL);
+    } else if (credential_type == GSS_C_NO_OID) {
+	major_status = m->gm_acquire_cred(minor_status,
+					  mn->gmn_name,
+					  time_req,
+					  &set2,
+					  cred_usage,
+					  &mc->gmc_cred,
+					  NULL,
+					  NULL);
+    } else {
+	major_status = GSS_S_UNAVAILABLE;
+	free(mc);
+	mc= NULL;
+    }
+
+    *output_cred_handle = mc;
+    return major_status;
+}
+
+OM_uint32
+_gss_acquire_cred_ext(OM_uint32 *minor_status,
+    const gss_name_t desired_name,
+    gss_const_OID credential_type,
+    const void *credential_data,
+    OM_uint32 time_req,
+    gss_const_OID desired_mech,
+    gss_cred_usage_t cred_usage,
+    gss_cred_id_t *output_cred_handle)
+{
+    OM_uint32 major_status;
+    struct _gss_name *name = (struct _gss_name *) desired_name;
+    gssapi_mech_interface m;
+    struct _gss_cred *cred;
+    gss_OID_set_desc set, *mechs;
+    size_t i;
+
+    *minor_status = 0;
+    if (output_cred_handle == NULL)
+	return GSS_S_CALL_INACCESSIBLE_READ;
+
+    _gss_load_mech();
+
+    if (desired_mech != GSS_C_NO_OID) {
+	int match = 0;
+
+	gss_test_oid_set_member(minor_status, (gss_OID)desired_mech,
+				_gss_mech_oids, &match);
+	if (!match)
+	    return GSS_S_BAD_MECH;
+
+	set.count = 1;
+	set.elements = (gss_OID)desired_mech;
+	mechs = &set;
+    } else
+	mechs = _gss_mech_oids;
+
+    cred = calloc(1, sizeof(*cred));
+    if (cred == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    HEIM_SLIST_INIT(&cred->gc_mc);
+
+    for (i = 0; i < mechs->count; i++) {
+	struct _gss_mechanism_name *mn = NULL;
+	struct _gss_mechanism_cred *mc = NULL;
+	gss_name_t desired_mech_name = GSS_C_NO_NAME;
+
+	m = __gss_get_mechanism(&mechs->elements[i]);
+	if (!m)
+	    continue;
+
+	if (desired_name != GSS_C_NO_NAME) {
+	    major_status = _gss_find_mn(minor_status, name,
+					&mechs->elements[i], &mn);
+	    if (major_status != GSS_S_COMPLETE)
+		continue;
+
+	    desired_mech_name = mn->gmn_name;
+	}
+
+	major_status = _gss_acquire_mech_cred(minor_status, m, mn,
+					      credential_type, credential_data,
+					      time_req, desired_mech, cred_usage,
+					      &mc);
+	if (GSS_ERROR(major_status))
+	    continue;
+
+	HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
+    }
+
+    /*
+     * If we didn't manage to create a single credential, return
+     * an error.
+     */
+    if (!HEIM_SLIST_FIRST(&cred->gc_mc)) {
+	free(cred);
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    *output_cred_handle = (gss_cred_id_t) cred;
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_acquire_cred_with_password.c b/lib/gssapi/mech/gss_acquire_cred_with_password.c
new file mode 100644
index 000000000000..8c2a6488f8ad
--- /dev/null
+++ b/lib/gssapi/mech/gss_acquire_cred_with_password.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2011, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_acquire_cred_with_password(OM_uint32 *minor_status,
+			       const gss_name_t desired_name,
+			       const gss_buffer_t password,
+			       OM_uint32 time_req,
+			       const gss_OID_set desired_mechs,
+			       gss_cred_usage_t cred_usage,
+			       gss_cred_id_t *output_cred_handle,
+			       gss_OID_set *actual_mechs,
+			       OM_uint32 *time_rec)
+{
+    OM_uint32 major_status, tmp_minor;
+
+    if (desired_mechs == GSS_C_NO_OID_SET) {
+	major_status = _gss_acquire_cred_ext(minor_status,
+					     desired_name,
+					     GSS_C_CRED_PASSWORD,
+					     password,
+					     time_req,
+					     GSS_C_NO_OID,
+					     cred_usage,
+					     output_cred_handle);
+	if (GSS_ERROR(major_status))
+	    return major_status;
+    } else {
+	size_t i;
+	struct _gss_cred *new_cred;
+
+	new_cred = calloc(1, sizeof(*new_cred));
+	if (new_cred == NULL) {
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	HEIM_SLIST_INIT(&new_cred->gc_mc);
+
+	for (i = 0; i < desired_mechs->count; i++) {
+	    struct _gss_cred *tmp_cred = NULL;
+	    struct _gss_mechanism_cred *mc;
+
+	    major_status = _gss_acquire_cred_ext(minor_status,
+						 desired_name,
+						 GSS_C_CRED_PASSWORD,
+						 password,
+						 time_req,
+						 &desired_mechs->elements[i],
+						 cred_usage,
+						 (gss_cred_id_t *)&tmp_cred);
+	    if (GSS_ERROR(major_status))
+		continue;
+
+	    mc = HEIM_SLIST_FIRST(&tmp_cred->gc_mc);
+	    if (mc) {
+		HEIM_SLIST_REMOVE_HEAD(&tmp_cred->gc_mc, gmc_link);
+		HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
+	    }
+
+	    gss_release_cred(&tmp_minor, (gss_cred_id_t *)&tmp_cred);
+	}
+
+	if (!HEIM_SLIST_FIRST(&new_cred->gc_mc)) {
+	    free(new_cred);
+	    *minor_status = 0;
+	    return GSS_S_NO_CRED;
+	}
+
+	*output_cred_handle = (gss_cred_id_t)new_cred;
+    }
+
+    if (actual_mechs != NULL || time_rec != NULL) {
+	major_status = gss_inquire_cred(minor_status,
+					*output_cred_handle,
+					NULL,
+					time_rec,
+					NULL,
+					actual_mechs);
+	if (GSS_ERROR(major_status)) {
+	    gss_release_cred(&tmp_minor, output_cred_handle);
+	    return major_status;
+	}
+    }
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_add_cred.c b/lib/gssapi/mech/gss_add_cred.c
new file mode 100644
index 000000000000..a998bc60ff80
--- /dev/null
+++ b/lib/gssapi/mech/gss_add_cred.c
@@ -0,0 +1,186 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+struct _gss_mechanism_cred *
+_gss_copy_cred(struct _gss_mechanism_cred *mc)
+{
+	struct _gss_mechanism_cred *new_mc;
+	gssapi_mech_interface m = mc->gmc_mech;
+	OM_uint32 major_status, minor_status;
+	gss_name_t name;
+	gss_cred_id_t cred;
+	OM_uint32 initiator_lifetime, acceptor_lifetime;
+	gss_cred_usage_t cred_usage;
+
+	major_status = m->gm_inquire_cred_by_mech(&minor_status,
+	    mc->gmc_cred, mc->gmc_mech_oid,
+	    &name, &initiator_lifetime, &acceptor_lifetime, &cred_usage);
+	if (major_status) {
+		_gss_mg_error(m, major_status, minor_status);
+		return (0);
+	}
+
+	major_status = m->gm_add_cred(&minor_status,
+	    GSS_C_NO_CREDENTIAL, name, mc->gmc_mech_oid,
+	    cred_usage, initiator_lifetime, acceptor_lifetime,
+	    &cred, 0, 0, 0);
+	m->gm_release_name(&minor_status, &name);
+
+	if (major_status) {
+		_gss_mg_error(m, major_status, minor_status);
+		return (0);
+	}
+
+	new_mc = malloc(sizeof(struct _gss_mechanism_cred));
+	if (!new_mc) {
+		m->gm_release_cred(&minor_status, &cred);
+		return (0);
+	}
+	new_mc->gmc_mech = m;
+	new_mc->gmc_mech_oid = &m->gm_mech_oid;
+	new_mc->gmc_cred = cred;
+
+	return (new_mc);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_add_cred(OM_uint32 *minor_status,
+    const gss_cred_id_t input_cred_handle,
+    const gss_name_t desired_name,
+    const gss_OID desired_mech,
+    gss_cred_usage_t cred_usage,
+    OM_uint32 initiator_time_req,
+    OM_uint32 acceptor_time_req,
+    gss_cred_id_t *output_cred_handle,
+    gss_OID_set *actual_mechs,
+    OM_uint32 *initiator_time_rec,
+    OM_uint32 *acceptor_time_rec)
+{
+	OM_uint32 major_status;
+	gssapi_mech_interface m;
+	struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
+	struct _gss_cred *new_cred;
+	gss_cred_id_t release_cred;
+	struct _gss_mechanism_cred *mc, *target_mc, *copy_mc;
+	struct _gss_mechanism_name *mn;
+	OM_uint32 junk;
+
+	*minor_status = 0;
+	*output_cred_handle = GSS_C_NO_CREDENTIAL;
+	if (initiator_time_rec)
+	    *initiator_time_rec = 0;
+	if (acceptor_time_rec)
+	    *acceptor_time_rec = 0;
+	if (actual_mechs)
+	    *actual_mechs = GSS_C_NO_OID_SET;
+
+	new_cred = malloc(sizeof(struct _gss_cred));
+	if (!new_cred) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	HEIM_SLIST_INIT(&new_cred->gc_mc);
+
+	/*
+	 * We go through all the mc attached to the input_cred_handle
+	 * and check the mechanism. If it matches, we call
+	 * gss_add_cred for that mechanism, otherwise we copy the mc
+	 * to new_cred.
+	 */
+	target_mc = 0;
+	if (cred) {
+		HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+			if (gss_oid_equal(mc->gmc_mech_oid, desired_mech)) {
+				target_mc = mc;
+			}
+			copy_mc = _gss_copy_cred(mc);
+			if (!copy_mc) {
+				release_cred = (gss_cred_id_t)new_cred;
+				gss_release_cred(&junk, &release_cred);
+				*minor_status = ENOMEM;
+				return (GSS_S_FAILURE);
+			}
+			HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link);
+		}
+	}
+
+	/*
+	 * Figure out a suitable mn, if any.
+	 */
+	if (desired_name) {
+		major_status = _gss_find_mn(minor_status,
+					    (struct _gss_name *) desired_name,
+					    desired_mech,
+					    &mn);
+		if (major_status != GSS_S_COMPLETE) {
+			free(new_cred);
+			return major_status;
+		}
+	} else {
+		mn = 0;
+	}
+
+	m = __gss_get_mechanism(desired_mech);
+
+	mc = malloc(sizeof(struct _gss_mechanism_cred));
+	if (!mc) {
+		release_cred = (gss_cred_id_t)new_cred;
+		gss_release_cred(&junk, &release_cred);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	mc->gmc_mech = m;
+	mc->gmc_mech_oid = &m->gm_mech_oid;
+
+	major_status = m->gm_add_cred(minor_status,
+	    target_mc ? target_mc->gmc_cred : GSS_C_NO_CREDENTIAL,
+	    desired_name ? mn->gmn_name : GSS_C_NO_NAME,
+	    desired_mech,
+	    cred_usage,
+	    initiator_time_req,
+	    acceptor_time_req,
+	    &mc->gmc_cred,
+	    actual_mechs,
+	    initiator_time_rec,
+	    acceptor_time_rec);
+
+	if (major_status) {
+		_gss_mg_error(m, major_status, *minor_status);
+		release_cred = (gss_cred_id_t)new_cred;
+		gss_release_cred(&junk, &release_cred);
+		free(mc);
+		return (major_status);
+	}
+	HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
+	*output_cred_handle = (gss_cred_id_t) new_cred;
+
+	return (GSS_S_COMPLETE);
+}
+
diff --git a/lib/gssapi/mech/gss_add_cred_with_password.c b/lib/gssapi/mech/gss_add_cred_with_password.c
new file mode 100644
index 000000000000..f966305cfb16
--- /dev/null
+++ b/lib/gssapi/mech/gss_add_cred_with_password.c
@@ -0,0 +1,150 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_add_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_add_cred_with_password(OM_uint32 *minor_status,
+    const gss_cred_id_t input_cred_handle,
+    const gss_name_t desired_name,
+    const gss_OID desired_mech,
+    const gss_buffer_t password,
+    gss_cred_usage_t cred_usage,
+    OM_uint32 initiator_time_req,
+    OM_uint32 acceptor_time_req,
+    gss_cred_id_t *output_cred_handle,
+    gss_OID_set *actual_mechs,
+    OM_uint32 *initiator_time_rec,
+    OM_uint32 *acceptor_time_rec)
+{
+	OM_uint32 major_status;
+	gssapi_mech_interface m;
+	struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
+	struct _gss_cred *new_cred;
+	struct _gss_mechanism_cred *mc;
+	struct _gss_mechanism_name *mn = NULL;
+	OM_uint32 junk, time_req;
+
+	*minor_status = 0;
+	*output_cred_handle = GSS_C_NO_CREDENTIAL;
+	if (initiator_time_rec)
+	    *initiator_time_rec = 0;
+	if (acceptor_time_rec)
+	    *acceptor_time_rec = 0;
+	if (actual_mechs)
+	    *actual_mechs = GSS_C_NO_OID_SET;
+
+	m = __gss_get_mechanism(desired_mech);
+	if (m == NULL) {
+		*minor_status = 0;
+		return (GSS_S_BAD_MECH);
+	}
+
+	new_cred = calloc(1, sizeof(struct _gss_cred));
+	if (new_cred == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	HEIM_SLIST_INIT(&new_cred->gc_mc);
+
+	/*
+	 * Copy credentials from un-desired mechanisms to the new credential.
+	 */
+	if (cred) {
+		HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+			struct _gss_mechanism_cred *copy_mc;
+
+			if (gss_oid_equal(mc->gmc_mech_oid, desired_mech)) {
+				continue;
+			}
+			copy_mc = _gss_copy_cred(mc);
+			if (copy_mc == NULL) {
+				gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
+				*minor_status = ENOMEM;
+				return (GSS_S_FAILURE);
+			}
+			HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, copy_mc, gmc_link);
+		}
+	}
+
+	/*
+	 * Figure out a suitable mn, if any.
+	 */
+	if (desired_name != GSS_C_NO_NAME) {
+		major_status = _gss_find_mn(minor_status,
+					    (struct _gss_name *) desired_name,
+					    desired_mech,
+					    &mn);
+		if (major_status != GSS_S_COMPLETE) {
+			gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
+			return (major_status);
+		}
+	}
+
+	if (cred_usage == GSS_C_BOTH)
+		time_req = initiator_time_req > acceptor_time_req ? acceptor_time_req : initiator_time_req;
+	else if (cred_usage == GSS_C_INITIATE)
+		time_req = initiator_time_req;
+	else
+		time_req = acceptor_time_req;
+
+	major_status = _gss_acquire_mech_cred(minor_status, m, mn,
+					      GSS_C_CRED_PASSWORD, password,
+					      time_req, desired_mech,
+					      cred_usage, &mc);
+	if (major_status != GSS_S_COMPLETE) {
+		gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
+		return (major_status);
+	}
+
+	HEIM_SLIST_INSERT_HEAD(&new_cred->gc_mc, mc, gmc_link);
+
+	if (actual_mechs || initiator_time_rec || acceptor_time_rec) {
+		OM_uint32 time_rec;
+
+		major_status = gss_inquire_cred(minor_status,
+						(gss_cred_id_t)new_cred,
+						NULL,
+						&time_rec,
+						NULL,
+						actual_mechs);
+		if (GSS_ERROR(major_status)) {
+			gss_release_cred(&junk, (gss_cred_id_t *)&new_cred);
+			return (major_status);
+		}
+		if (initiator_time_rec &&
+		    (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH))
+			*initiator_time_rec = time_rec;
+		if (acceptor_time_rec &&
+		    (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH))
+			*acceptor_time_rec = time_rec;
+	}
+
+	*output_cred_handle = (gss_cred_id_t) new_cred;
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_add_oid_set_member.c b/lib/gssapi/mech/gss_add_oid_set_member.c
new file mode 100644
index 000000000000..a23270511ebe
--- /dev/null
+++ b/lib/gssapi/mech/gss_add_oid_set_member.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+/**
+ * Add a oid to the oid set, function does not make a copy of the oid,
+ * so the pointer to member_oid needs to be stable for the whole time
+ * oid_set is used.
+ *
+ * If there is a duplicate member of the oid, the new member is not
+ * added to to the set.
+ *
+ * @param minor_status minor status code.
+ * @param member_oid member to add to the oid set
+ * @param oid_set oid set to add the member too
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ *          the error code.
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_add_oid_set_member (OM_uint32 * minor_status,
+			const gss_OID member_oid,
+			gss_OID_set * oid_set)
+{
+    gss_OID tmp;
+    size_t n;
+    OM_uint32 res;
+    int present;
+
+    res = gss_test_oid_set_member(minor_status, member_oid, *oid_set, &present);
+    if (res != GSS_S_COMPLETE)
+	return res;
+
+    if (present) {
+	*minor_status = 0;
+	return GSS_S_COMPLETE;
+    }
+
+    n = (*oid_set)->count + 1;
+    tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
+    if (tmp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    (*oid_set)->elements = tmp;
+    (*oid_set)->count = n;
+    (*oid_set)->elements[n-1] = *member_oid;
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_aeap.c b/lib/gssapi/mech/gss_aeap.c
new file mode 100644
index 000000000000..3008c0d34484
--- /dev/null
+++ b/lib/gssapi/mech/gss_aeap.c
@@ -0,0 +1,216 @@
+/*
+ * AEAD support
+ */
+
+#include "mech_locl.h"
+
+/**
+ * Encrypts or sign the data.
+ *
+ * This is a more complicated version of gss_wrap(), it allows the
+ * caller to use AEAD data (signed header/trailer) and allow greater
+ * controll over where the encrypted data is placed.
+ *
+ * The maximum packet size is gss_context_stream_sizes.max_msg_size.
+ *
+ * The caller needs provide the folloing buffers when using in conf_req_flag=1 mode:
+ *
+ * - HEADER (of size gss_context_stream_sizes.header)
+ *   { DATA or SIGN_ONLY } (optional, zero or more)
+ *   PADDING (of size gss_context_stream_sizes.blocksize, if zero padding is zero, can be omitted)
+ *   TRAILER (of size gss_context_stream_sizes.trailer)
+ *
+ * - on DCE-RPC mode, the caller can skip PADDING and TRAILER if the
+ *   DATA elements is padded to a block bountry and header is of at
+ *   least size gss_context_stream_sizes.header + gss_context_stream_sizes.trailer.
+ *
+ * HEADER, PADDING, TRAILER will be shrunken to the size required to transmit any of them too large.
+ *
+ * To generate gss_wrap() compatible packets, use: HEADER | DATA | PADDING | TRAILER
+ *
+ * When used in conf_req_flag=0,
+ *
+ * - HEADER (of size gss_context_stream_sizes.header)
+ *   { DATA or SIGN_ONLY } (optional, zero or more)
+ *   PADDING (of size gss_context_stream_sizes.blocksize, if zero padding is zero, can be omitted)
+ *   TRAILER (of size gss_context_stream_sizes.trailer)
+ *
+ *
+ * The input sizes of HEADER, PADDING and TRAILER can be fetched using gss_wrap_iov_length() or
+ * gss_context_query_attributes().
+ *
+ * @ingroup gssapi
+ */
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_wrap_iov(OM_uint32 * minor_status,
+	     gss_ctx_id_t  context_handle,
+	     int conf_req_flag,
+	     gss_qop_t qop_req,
+	     int * conf_state,
+	     gss_iov_buffer_desc *iov,
+	     int iov_count)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m;
+
+	if (minor_status)
+	    *minor_status = 0;
+	if (conf_state)
+	    *conf_state = 0;
+	if (ctx == NULL)
+	    return GSS_S_NO_CONTEXT;
+	if (iov == NULL && iov_count != 0)
+	    return GSS_S_CALL_INACCESSIBLE_READ;
+
+	m = ctx->gc_mech;
+
+	if (m->gm_wrap_iov == NULL)
+	    return GSS_S_UNAVAILABLE;
+
+	return (m->gm_wrap_iov)(minor_status, ctx->gc_ctx,
+				conf_req_flag, qop_req, conf_state,
+				iov, iov_count);
+}
+
+/**
+ * Decrypt or verifies the signature on the data.
+ *
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_unwrap_iov(OM_uint32 *minor_status,
+	       gss_ctx_id_t context_handle,
+	       int *conf_state,
+	       gss_qop_t *qop_state,
+	       gss_iov_buffer_desc *iov,
+	       int iov_count)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m;
+
+	if (minor_status)
+	    *minor_status = 0;
+	if (conf_state)
+	    *conf_state = 0;
+	if (qop_state)
+	    *qop_state = 0;
+	if (ctx == NULL)
+	    return GSS_S_NO_CONTEXT;
+	if (iov == NULL && iov_count != 0)
+	    return GSS_S_CALL_INACCESSIBLE_READ;
+
+	m = ctx->gc_mech;
+
+	if (m->gm_unwrap_iov == NULL)
+	    return GSS_S_UNAVAILABLE;
+
+	return (m->gm_unwrap_iov)(minor_status, ctx->gc_ctx,
+				  conf_state, qop_state,
+				  iov, iov_count);
+}
+
+/**
+ * Update the length fields in iov buffer for the types:
+ * - GSS_IOV_BUFFER_TYPE_HEADER
+ * - GSS_IOV_BUFFER_TYPE_PADDING
+ * - GSS_IOV_BUFFER_TYPE_TRAILER
+ *
+ * Consider using gss_context_query_attributes() to fetch the data instead.
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_wrap_iov_length(OM_uint32 * minor_status,
+		    gss_ctx_id_t context_handle,
+		    int conf_req_flag,
+		    gss_qop_t qop_req,
+		    int *conf_state,
+		    gss_iov_buffer_desc *iov,
+		    int iov_count)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m;
+
+	if (minor_status)
+	    *minor_status = 0;
+	if (conf_state)
+	    *conf_state = 0;
+	if (ctx == NULL)
+	    return GSS_S_NO_CONTEXT;
+	if (iov == NULL && iov_count != 0)
+	    return GSS_S_CALL_INACCESSIBLE_READ;
+
+	m = ctx->gc_mech;
+
+	if (m->gm_wrap_iov_length == NULL)
+	    return GSS_S_UNAVAILABLE;
+
+	return (m->gm_wrap_iov_length)(minor_status, ctx->gc_ctx,
+				       conf_req_flag, qop_req, conf_state,
+				       iov, iov_count);
+}
+
+/**
+ * Free all buffer allocated by gss_wrap_iov() or gss_unwrap_iov() by
+ * looking at the GSS_IOV_BUFFER_FLAG_ALLOCATED flag.
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_iov_buffer(OM_uint32 *minor_status,
+		       gss_iov_buffer_desc *iov,
+		       int iov_count)
+{
+    OM_uint32 junk;
+    int i;
+
+    if (minor_status)
+	*minor_status = 0;
+    if (iov == NULL && iov_count != 0)
+	return GSS_S_CALL_INACCESSIBLE_READ;
+
+    for (i = 0; i < iov_count; i++) {
+	if ((iov[i].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) == 0)
+	    continue;
+	gss_release_buffer(&junk, &iov[i].buffer);
+	iov[i].type &= ~GSS_IOV_BUFFER_FLAG_ALLOCATED;
+    }
+    return GSS_S_COMPLETE;
+}
+
+/**
+ * Query the context for parameters.
+ *
+ * SSPI equivalent if this function is QueryContextAttributes.
+ *
+ * - GSS_C_ATTR_STREAM_SIZES data is a gss_context_stream_sizes.
+ *
+ * @ingroup gssapi
+ */
+
+gss_OID_desc GSSAPI_LIB_FUNCTION __gss_c_attr_stream_sizes_oid_desc =
+    {10, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03")};
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_context_query_attributes(OM_uint32 *minor_status,
+			     const gss_ctx_id_t context_handle,
+			     const gss_OID attribute,
+			     void *data,
+			     size_t len)
+{
+    if (minor_status)
+	*minor_status = 0;
+
+    if (gss_oid_equal(GSS_C_ATTR_STREAM_SIZES, attribute)) {
+	memset(data, 0, len);
+	return GSS_S_COMPLETE;
+    }
+
+    return GSS_S_FAILURE;
+}
diff --git a/lib/gssapi/mech/gss_authorize_localname.c b/lib/gssapi/mech/gss_authorize_localname.c
new file mode 100644
index 000000000000..a0ad065da887
--- /dev/null
+++ b/lib/gssapi/mech/gss_authorize_localname.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2011, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+gss_buffer_desc GSSAPI_LIB_VARIABLE __gss_c_attr_local_login_user =  {
+    sizeof("local-login-user") - 1,
+    "local-login-user"
+};
+
+static OM_uint32
+mech_authorize_localname(OM_uint32 *minor_status,
+	                 const struct _gss_name *name,
+	                 const struct _gss_name *user)
+{
+    OM_uint32 major_status = GSS_S_NAME_NOT_MN;
+    struct _gss_mechanism_name *mn;
+
+    HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+        gssapi_mech_interface m = mn->gmn_mech;
+
+        if (m->gm_authorize_localname == NULL) {
+            major_status = GSS_S_UNAVAILABLE;
+            continue;
+        }
+
+        major_status = m->gm_authorize_localname(minor_status,
+                                                 mn->gmn_name,
+                                                 &user->gn_value,
+                                                 &user->gn_type);
+        if (major_status != GSS_S_UNAUTHORIZED)
+            break;
+    }
+
+    return major_status;
+}
+
+/*
+ * Naming extensions based local login authorization.
+ */
+static OM_uint32
+attr_authorize_localname(OM_uint32 *minor_status,
+	                 const struct _gss_name *name,
+	                 const struct _gss_name *user)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    int more = -1;
+
+    if (!gss_oid_equal(&user->gn_type, GSS_C_NT_USER_NAME))
+        return GSS_S_BAD_NAMETYPE;
+
+    while (more != 0 && major_status != GSS_S_COMPLETE) {
+	OM_uint32 tmpMajor, tmpMinor;
+	gss_buffer_desc value;
+	gss_buffer_desc display_value;
+	int authenticated = 0, complete = 0;
+
+	tmpMajor = gss_get_name_attribute(minor_status,
+					  (gss_name_t)name,
+					  GSS_C_ATTR_LOCAL_LOGIN_USER,
+					  &authenticated,
+					  &complete,
+					  &value,
+					  &display_value,
+					  &more);
+	if (GSS_ERROR(tmpMajor)) {
+	    major_status = tmpMajor;
+	    break;
+	}
+
+	/* If attribute is present, return an authoritative error code. */
+	if (authenticated &&
+	    value.length == user->gn_value.length &&
+	    memcmp(value.value, user->gn_value.value, user->gn_value.length) == 0)
+	    major_status = GSS_S_COMPLETE;
+	else
+	    major_status = GSS_S_UNAUTHORIZED;
+
+	gss_release_buffer(&tmpMinor, &value);
+	gss_release_buffer(&tmpMinor, &display_value);
+    }
+
+    return major_status;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_authorize_localname(OM_uint32 *minor_status,
+	                const gss_name_t gss_name,
+	                const gss_name_t gss_user)
+
+{
+    OM_uint32 major_status;
+    const struct _gss_name *name = (const struct _gss_name *) gss_name;
+    const struct _gss_name *user = (const struct _gss_name *) gss_user;
+    int mechAvailable = 0;
+
+    *minor_status = 0;
+
+    if (gss_name == GSS_C_NO_NAME || gss_user == GSS_C_NO_NAME)
+        return GSS_S_CALL_INACCESSIBLE_READ;
+
+    /*
+     * We should check that the user name is not a mechanism name, but
+     * as Heimdal always calls the mechanism's gss_import_name(), it's
+     * not possible to make this check.
+     */
+#if 0
+    if (HEIM_SLIST_FIRST(&user->gn_mn) != NULL)
+        return GSS_S_BAD_NAME;
+#endif
+
+    /* If mech returns yes, we return yes */
+    major_status = mech_authorize_localname(minor_status, name, user);
+    if (major_status == GSS_S_COMPLETE)
+	return GSS_S_COMPLETE;
+    else if (major_status != GSS_S_UNAVAILABLE)
+	mechAvailable = 1;
+
+    /* If attribute exists, it is authoritative */
+    major_status = attr_authorize_localname(minor_status, name, user);
+    if (major_status == GSS_S_COMPLETE || major_status == GSS_S_UNAUTHORIZED)
+	return major_status;
+
+    /* If mechanism did not implement SPI, compare the local name */
+    if (mechAvailable == 0) {
+	int match = 0;
+
+        major_status = gss_compare_name(minor_status, gss_name,
+                                        gss_user, &match);
+	if (major_status == GSS_S_COMPLETE && match == 0)
+	    major_status = GSS_S_UNAUTHORIZED;
+    }
+
+    return major_status;
+}
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_userok(const gss_name_t name,
+           const char *user)
+{
+    OM_uint32 major_status, minor_status;
+    gss_buffer_desc userBuf;
+    gss_name_t userName;
+
+    userBuf.value = (void *)user;
+    userBuf.length = strlen(user);
+
+    major_status = gss_import_name(&minor_status, &userBuf,
+                                   GSS_C_NT_USER_NAME, &userName);
+    if (GSS_ERROR(major_status))
+        return 0;
+
+    major_status = gss_authorize_localname(&minor_status, name, userName);
+
+    gss_release_name(&minor_status, &userName);
+
+    return (major_status == GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_buffer_set.c b/lib/gssapi/mech/gss_buffer_set.c
new file mode 100644
index 000000000000..48fb720ad09b
--- /dev/null
+++ b/lib/gssapi/mech/gss_buffer_set.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_create_empty_buffer_set
+	   (OM_uint32 * minor_status,
+	    gss_buffer_set_t *buffer_set)
+{
+    gss_buffer_set_t set;
+
+    set = (gss_buffer_set_desc *) malloc(sizeof(*set));
+    if (set == GSS_C_NO_BUFFER_SET) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    set->count = 0;
+    set->elements = NULL;
+
+    *buffer_set = set;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_add_buffer_set_member
+	   (OM_uint32 * minor_status,
+	    const gss_buffer_t member_buffer,
+	    gss_buffer_set_t *buffer_set)
+{
+    gss_buffer_set_t set;
+    gss_buffer_t p;
+    OM_uint32 ret;
+
+    if (*buffer_set == GSS_C_NO_BUFFER_SET) {
+	ret = gss_create_empty_buffer_set(minor_status,
+					  buffer_set);
+	if (ret) {
+	    return ret;
+	}
+    }
+
+    set = *buffer_set;
+    set->elements = realloc(set->elements,
+			    (set->count + 1) * sizeof(set->elements[0]));
+    if (set->elements == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    p = &set->elements[set->count];
+
+    p->value = malloc(member_buffer->length);
+    if (p->value == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy(p->value, member_buffer->value, member_buffer->length);
+    p->length = member_buffer->length;
+
+    set->count++;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_buffer_set(OM_uint32 * minor_status,
+		       gss_buffer_set_t *buffer_set)
+{
+    size_t i;
+    OM_uint32 minor;
+
+    *minor_status = 0;
+
+    if (*buffer_set == GSS_C_NO_BUFFER_SET)
+	return GSS_S_COMPLETE;
+
+    for (i = 0; i < (*buffer_set)->count; i++)
+	gss_release_buffer(&minor, &((*buffer_set)->elements[i]));
+
+    free((*buffer_set)->elements);
+
+    (*buffer_set)->elements = NULL;
+    (*buffer_set)->count = 0;
+
+    free(*buffer_set);
+    *buffer_set = GSS_C_NO_BUFFER_SET;
+
+    return GSS_S_COMPLETE;
+}
+
diff --git a/lib/gssapi/mech/gss_canonicalize_name.c b/lib/gssapi/mech/gss_canonicalize_name.c
new file mode 100644
index 000000000000..bd8ff5212071
--- /dev/null
+++ b/lib/gssapi/mech/gss_canonicalize_name.c
@@ -0,0 +1,111 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_canonicalize_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+/**
+ *  gss_canonicalize_name takes a Internal Name (IN) and converts in into a
+ *  mechanism specific Mechanism Name (MN).
+ *
+ *  The input name may multiple name, or generic name types.
+ *
+ *  If the input_name if of the GSS_C_NT_USER_NAME, and the Kerberos
+ *  mechanism is specified, the resulting MN type is a
+ *  GSS_KRB5_NT_PRINCIPAL_NAME.
+ *
+ *  For more information about @ref internalVSmechname.
+ *
+ *  @param minor_status minor status code.
+ *  @param input_name name to covert, unchanged by gss_canonicalize_name().
+ *  @param mech_type the type to convert Name too.
+ *  @param output_name the resulting type, release with
+ *         gss_release_name(), independent of input_name.
+ *
+ *  @returns a gss_error code, see gss_display_status() about printing
+ *         the error code.
+ *
+ *  @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_canonicalize_name(OM_uint32 *minor_status,
+    const gss_name_t input_name,
+    const gss_OID mech_type,
+    gss_name_t *output_name)
+{
+	OM_uint32 major_status;
+	struct _gss_name *name = (struct _gss_name *) input_name;
+	struct _gss_mechanism_name *mn;
+	gssapi_mech_interface m;
+	gss_name_t new_canonical_name;
+
+	*minor_status = 0;
+	*output_name = 0;
+
+	major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
+	if (major_status)
+		return major_status;
+
+	m = mn->gmn_mech;
+	major_status = m->gm_canonicalize_name(minor_status,
+	    mn->gmn_name, mech_type, &new_canonical_name);
+	if (major_status) {
+		_gss_mg_error(m, major_status, *minor_status);
+		return (major_status);
+	}
+
+	/*
+	 * Now we make a new name and mark it as an MN.
+	 */
+	*minor_status = 0;
+	name = malloc(sizeof(struct _gss_name));
+	if (!name) {
+		m->gm_release_name(minor_status, &new_canonical_name);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	memset(name, 0, sizeof(struct _gss_name));
+
+	mn = malloc(sizeof(struct _gss_mechanism_name));
+	if (!mn) {
+		m->gm_release_name(minor_status, &new_canonical_name);
+		free(name);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+
+	HEIM_SLIST_INIT(&name->gn_mn);
+	mn->gmn_mech = m;
+	mn->gmn_mech_oid = &m->gm_mech_oid;
+	mn->gmn_name = new_canonical_name;
+	HEIM_SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+
+	*output_name = (gss_name_t) name;
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_compare_name.c b/lib/gssapi/mech/gss_compare_name.c
new file mode 100644
index 000000000000..70b4b1c20673
--- /dev/null
+++ b/lib/gssapi/mech/gss_compare_name.c
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_compare_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_compare_name(OM_uint32 *minor_status,
+    const gss_name_t name1_arg,
+    const gss_name_t name2_arg,
+    int *name_equal)
+{
+	struct _gss_name *name1 = (struct _gss_name *) name1_arg;
+	struct _gss_name *name2 = (struct _gss_name *) name2_arg;
+
+	/*
+	 * First check the implementation-independant name if both
+	 * names have one. Otherwise, try to find common mechanism
+	 * names and compare them.
+	 */
+	if (name1->gn_value.value && name2->gn_value.value) {
+		*name_equal = 1;
+		if (!gss_oid_equal(&name1->gn_type, &name2->gn_type)) {
+			*name_equal = 0;
+		} else if (name1->gn_value.length != name2->gn_value.length ||
+		    memcmp(name1->gn_value.value, name1->gn_value.value,
+			name1->gn_value.length)) {
+			*name_equal = 0;
+		}
+	} else {
+		struct _gss_mechanism_name *mn1;
+		struct _gss_mechanism_name *mn2;
+
+		HEIM_SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) {
+			OM_uint32 major_status;
+
+			major_status = _gss_find_mn(minor_status, name2,
+						    mn1->gmn_mech_oid, &mn2);
+			if (major_status == GSS_S_COMPLETE) {
+				return (mn1->gmn_mech->gm_compare_name(
+						minor_status,
+						mn1->gmn_name,
+						mn2->gmn_name,
+						name_equal));
+			}
+		}
+		*name_equal = 0;
+	}
+
+	*minor_status = 0;
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_context_time.c b/lib/gssapi/mech/gss_context_time.c
new file mode 100644
index 000000000000..69434ee898e5
--- /dev/null
+++ b/lib/gssapi/mech/gss_context_time.c
@@ -0,0 +1,40 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_context_time.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_context_time(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    OM_uint32 *time_rec)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m = ctx->gc_mech;
+
+	return (m->gm_context_time(minor_status, ctx->gc_ctx, time_rec));
+}
diff --git a/lib/gssapi/mech/gss_create_empty_oid_set.c b/lib/gssapi/mech/gss_create_empty_oid_set.c
new file mode 100644
index 000000000000..8d880f551161
--- /dev/null
+++ b/lib/gssapi/mech/gss_create_empty_oid_set.c
@@ -0,0 +1,51 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_create_empty_oid_set.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_create_empty_oid_set(OM_uint32 *minor_status,
+    gss_OID_set *oid_set)
+{
+	gss_OID_set set;
+
+	*minor_status = 0;
+	*oid_set = GSS_C_NO_OID_SET;
+
+	set = malloc(sizeof(gss_OID_set_desc));
+	if (!set) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+
+	set->count = 0;
+	set->elements = 0;
+	*oid_set = set;
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_cred.c b/lib/gssapi/mech/gss_cred.c
new file mode 100644
index 000000000000..99de68776e26
--- /dev/null
+++ b/lib/gssapi/mech/gss_cred.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *    used to endorse or promote products derived from this software without
+ *    specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+#include <krb5.h>
+
+/*
+ * format: any number of:
+ *     mech-len: int32
+ *     mech-data: char * (not alligned)
+ *     cred-len: int32
+ *     cred-data char * (not alligned)
+*/
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_export_cred(OM_uint32 * minor_status,
+		gss_cred_id_t cred_handle,
+		gss_buffer_t token)
+{
+    struct _gss_cred *cred = (struct _gss_cred *)cred_handle;
+    struct _gss_mechanism_cred *mc;
+    gss_buffer_desc buffer;
+    krb5_error_code ret;
+    krb5_storage *sp;
+    OM_uint32 major;
+    krb5_data data;
+
+    _mg_buffer_zero(token);
+
+    if (cred == NULL) {
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+	if (mc->gmc_mech->gm_export_cred == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_NO_CRED;
+	}
+    }
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+
+	major = mc->gmc_mech->gm_export_cred(minor_status,
+					     mc->gmc_cred, &buffer);
+	if (major) {
+	    krb5_storage_free(sp);
+	    return major;
+	}
+
+	ret = krb5_storage_write(sp, buffer.value, buffer.length);
+	if (ret < 0 || (size_t)ret != buffer.length) {
+	    gss_release_buffer(minor_status, &buffer);
+	    krb5_storage_free(sp);
+	    *minor_status = EINVAL;
+	    return GSS_S_FAILURE;
+	}
+	gss_release_buffer(minor_status, &buffer);
+    }
+
+    ret = krb5_storage_to_data(sp, &data);
+    krb5_storage_free(sp);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    token->value = data.data;
+    token->length = data.length;
+
+    return GSS_S_COMPLETE;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_import_cred(OM_uint32 * minor_status,
+		gss_buffer_t token,
+		gss_cred_id_t * cred_handle)
+{
+    gssapi_mech_interface m;
+    krb5_error_code ret;
+    struct _gss_cred *cred;
+    krb5_storage *sp = NULL;
+    OM_uint32 major, junk;
+    krb5_data data;
+
+    *cred_handle = GSS_C_NO_CREDENTIAL;
+
+    if (token->length == 0) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    sp = krb5_storage_from_readonly_mem(token->value, token->length);
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    cred = calloc(1, sizeof(struct _gss_cred));
+    if (cred == NULL) {
+	krb5_storage_free(sp);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    HEIM_SLIST_INIT(&cred->gc_mc);
+
+    *cred_handle = (gss_cred_id_t)cred;
+
+    while(1) {
+	struct _gss_mechanism_cred *mc;
+	gss_buffer_desc buffer;
+	gss_cred_id_t mcred;
+	gss_OID_desc oid;
+
+	ret = krb5_ret_data(sp, &data);
+	if (ret == HEIM_ERR_EOF) {
+	    break;
+	} else if (ret) {
+	    *minor_status = ret;
+	    major = GSS_S_FAILURE;
+	    goto out;
+	}
+	oid.elements = data.data;
+	oid.length = data.length;
+
+	m = __gss_get_mechanism(&oid);
+	krb5_data_free(&data);
+	if (!m) {
+	    *minor_status = 0;
+	    major = GSS_S_BAD_MECH;
+	    goto out;
+	}
+
+	if (m->gm_import_cred == NULL) {
+	    *minor_status = 0;
+	    major = GSS_S_BAD_MECH;
+	    goto out;
+	}
+
+	ret = krb5_ret_data(sp, &data);
+	if (ret) {
+	    *minor_status = ret;
+	    major = GSS_S_FAILURE;
+	    goto out;
+	}
+
+	buffer.value = data.data;
+	buffer.length = data.length;
+
+	major = m->gm_import_cred(minor_status,
+				  &buffer, &mcred);
+	krb5_data_free(&data);
+	if (major) {
+	    goto out;
+	}
+
+	mc = malloc(sizeof(struct _gss_mechanism_cred));
+	if (mc == NULL) {
+	    *minor_status = EINVAL;
+	    major = GSS_S_FAILURE;
+	    goto out;
+	}
+
+	mc->gmc_mech = m;
+	mc->gmc_mech_oid = &m->gm_mech_oid;
+	mc->gmc_cred = mcred;
+
+	HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
+    }
+    krb5_storage_free(sp);
+    sp = NULL;
+
+    if (HEIM_SLIST_EMPTY(&cred->gc_mc)) {
+	major = GSS_S_NO_CRED;
+	goto out;
+    }
+
+    return GSS_S_COMPLETE;
+
+ out:
+    if (sp)
+	krb5_storage_free(sp);
+
+    gss_release_cred(&junk, cred_handle);
+
+    return major;
+
+}
diff --git a/lib/gssapi/mech/gss_decapsulate_token.c b/lib/gssapi/mech/gss_decapsulate_token.c
new file mode 100644
index 000000000000..3f2974e8ca5b
--- /dev/null
+++ b/lib/gssapi/mech/gss_decapsulate_token.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_decapsulate_token(gss_const_buffer_t input_token,
+		      gss_const_OID oid,
+		      gss_buffer_t output_token)
+{
+    GSSAPIContextToken ct;
+    heim_oid o;
+    OM_uint32 status;
+    int ret;
+    size_t size;
+
+    _mg_buffer_zero(output_token);
+
+    ret = der_get_oid (oid->elements, oid->length, &o, &size);
+    if (ret)
+	return GSS_S_FAILURE;
+
+    ret = decode_GSSAPIContextToken(input_token->value, input_token->length,
+				    &ct, NULL);
+    if (ret) {
+	der_free_oid(&o);
+	return GSS_S_FAILURE;
+    }
+
+    if (der_heim_oid_cmp(&ct.thisMech, &o) == 0) {
+	status = GSS_S_COMPLETE;
+	output_token->value = ct.innerContextToken.data;
+	output_token->length = ct.innerContextToken.length;
+	der_free_oid(&ct.thisMech);
+    } else {
+	free_GSSAPIContextToken(&ct);
+ 	status = GSS_S_FAILURE;
+    }
+    der_free_oid(&o);
+
+    return status;
+}
diff --git a/lib/gssapi/mech/gss_delete_name_attribute.c b/lib/gssapi/mech/gss_delete_name_attribute.c
new file mode 100644
index 000000000000..cb35dd0eb16b
--- /dev/null
+++ b/lib/gssapi/mech/gss_delete_name_attribute.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2010, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_delete_name_attribute(OM_uint32 *minor_status,
+		          gss_name_t input_name,
+		          gss_buffer_t attr)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    struct _gss_name *name = (struct _gss_name *) input_name;
+    struct _gss_mechanism_name *mn;
+
+    *minor_status = 0;
+
+    if (input_name == GSS_C_NO_NAME)
+        return GSS_S_BAD_NAME;
+
+    HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+        gssapi_mech_interface m = mn->gmn_mech;
+
+        if (!m->gm_delete_name_attribute)
+            continue;
+
+        major_status = m->gm_delete_name_attribute(minor_status,
+                                                   mn->gmn_name,
+                                                   attr);
+        if (GSS_ERROR(major_status))
+            _gss_mg_error(m, major_status, *minor_status);
+        else
+            break;
+    }
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_delete_sec_context.c b/lib/gssapi/mech/gss_delete_sec_context.c
new file mode 100644
index 000000000000..ce57a76682ab
--- /dev/null
+++ b/lib/gssapi/mech/gss_delete_sec_context.c
@@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_delete_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_delete_sec_context(OM_uint32 *minor_status,
+    gss_ctx_id_t *context_handle,
+    gss_buffer_t output_token)
+{
+	OM_uint32 major_status;
+	struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+
+	if (output_token)
+	    _mg_buffer_zero(output_token);
+
+	*minor_status = 0;
+	if (ctx) {
+		/*
+		 * If we have an implementation ctx, delete it,
+		 * otherwise fake an empty token.
+		 */
+		if (ctx->gc_ctx) {
+			major_status = ctx->gc_mech->gm_delete_sec_context(
+				minor_status, &ctx->gc_ctx, output_token);
+		}
+		free(ctx);
+		*context_handle = GSS_C_NO_CONTEXT;
+	}
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_display_name.c b/lib/gssapi/mech/gss_display_name.c
new file mode 100644
index 000000000000..524a586fbef8
--- /dev/null
+++ b/lib/gssapi/mech/gss_display_name.c
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_display_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_display_name(OM_uint32 *minor_status,
+    const gss_name_t input_name,
+    gss_buffer_t output_name_buffer,
+    gss_OID *output_name_type)
+{
+	OM_uint32 major_status;
+	struct _gss_name *name = (struct _gss_name *) input_name;
+	struct _gss_mechanism_name *mn;
+
+	_mg_buffer_zero(output_name_buffer);
+	if (output_name_type)
+	    *output_name_type = GSS_C_NO_OID;
+
+	if (name == NULL) {
+		*minor_status = 0;
+		return (GSS_S_BAD_NAME);
+	}
+
+	/*
+	 * If we know it, copy the buffer used to import the name in
+	 * the first place. Otherwise, ask all the MNs in turn if
+	 * they can display the thing.
+	 */
+	if (name->gn_value.value) {
+		output_name_buffer->value = malloc(name->gn_value.length);
+		if (!output_name_buffer->value) {
+			*minor_status = ENOMEM;
+			return (GSS_S_FAILURE);
+		}
+		output_name_buffer->length = name->gn_value.length;
+		memcpy(output_name_buffer->value, name->gn_value.value,
+		    output_name_buffer->length);
+		if (output_name_type)
+			*output_name_type = &name->gn_type;
+
+		*minor_status = 0;
+		return (GSS_S_COMPLETE);
+	} else {
+		HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+			major_status = mn->gmn_mech->gm_display_name(
+				minor_status, mn->gmn_name,
+				output_name_buffer,
+				output_name_type);
+			if (major_status == GSS_S_COMPLETE)
+				return (GSS_S_COMPLETE);
+		}
+	}
+
+	*minor_status = 0;
+	return (GSS_S_FAILURE);
+}
diff --git a/lib/gssapi/mech/gss_display_name_ext.c b/lib/gssapi/mech/gss_display_name_ext.c
new file mode 100644
index 000000000000..6c0e5f332cae
--- /dev/null
+++ b/lib/gssapi/mech/gss_display_name_ext.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2010, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_display_name_ext(OM_uint32 *minor_status,
+		     gss_name_t input_name,
+		     gss_OID display_as_name_type,
+		     gss_buffer_t display_name)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    struct _gss_name *name = (struct _gss_name *) input_name;
+    struct _gss_mechanism_name *mn;
+
+    *minor_status = 0;
+    _mg_buffer_zero(display_name);
+
+    if (input_name == GSS_C_NO_NAME)
+        return GSS_S_BAD_NAME;
+
+    HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+        gssapi_mech_interface m = mn->gmn_mech;
+
+        if (!m->gm_display_name_ext)
+            continue;
+
+        major_status = m->gm_display_name_ext(minor_status,
+                                              mn->gmn_name,
+                                              display_as_name_type,
+                                              display_name);
+        if (GSS_ERROR(major_status))
+            _gss_mg_error(m, major_status, *minor_status);
+        else
+            break;
+    }
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_display_status.c b/lib/gssapi/mech/gss_display_status.c
new file mode 100644
index 000000000000..1e508caa9baf
--- /dev/null
+++ b/lib/gssapi/mech/gss_display_status.c
@@ -0,0 +1,211 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_display_status.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+/*
+ * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+static const char *
+calling_error(OM_uint32 v)
+{
+    static const char *msgs[] = {
+	NULL,			/* 0 */
+	"A required input parameter could not be read.", /*  */
+	"A required output parameter could not be written.", /*  */
+	"A parameter was malformed"
+    };
+
+    v >>= GSS_C_CALLING_ERROR_OFFSET;
+
+    if (v == 0)
+	return "";
+    else if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown calling error";
+    else
+	return msgs[v];
+}
+
+static const char *
+routine_error(OM_uint32 v)
+{
+    static const char *msgs[] = {
+	"Function completed successfully",			/* 0 */
+	"An unsupported mechanism was requested",
+	"An invalid name was supplied",
+	"A supplied name was of an unsupported type",
+	"Incorrect channel bindings were supplied",
+	"An invalid status code was supplied",
+	"A token had an invalid MIC",
+	"No credentials were supplied, "
+	"or the credentials were unavailable or inaccessible.",
+	"No context has been established",
+	"A token was invalid",
+	"A credential was invalid",
+	"The referenced credentials have expired",
+	"The context has expired",
+	"Miscellaneous failure (see text)",
+	"The quality-of-protection requested could not be provide",
+	"The operation is forbidden by local security policy",
+	"The operation or option is not available",
+	"The requested credential element already exists",
+	"The provided name was not a mechanism name.",
+    };
+
+    v >>= GSS_C_ROUTINE_ERROR_OFFSET;
+
+    if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown routine error";
+    else
+	return msgs[v];
+}
+
+static const char *
+supplementary_error(OM_uint32 v)
+{
+    static const char *msgs[] = {
+	"normal completion",
+	"continuation call to routine required",
+	"duplicate per-message token detected",
+	"timed-out per-message token detected",
+	"reordered (early) per-message token detected",
+	"skipped predecessor token(s) detected"
+    };
+
+    v >>= GSS_C_SUPPLEMENTARY_OFFSET;
+
+    if (v >= sizeof(msgs)/sizeof(*msgs))
+	return "unknown routine error";
+    else
+	return msgs[v];
+}
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_display_status(OM_uint32 *minor_status,
+    OM_uint32 status_value,
+    int status_type,
+    const gss_OID mech_type,
+    OM_uint32 *message_content,
+    gss_buffer_t status_string)
+{
+	OM_uint32 major_status;
+
+	_mg_buffer_zero(status_string);
+	*message_content = 0;
+
+	major_status = _gss_mg_get_error(mech_type, status_type,
+					 status_value, status_string);
+	if (major_status == GSS_S_COMPLETE) {
+
+	    *message_content = 0;
+	    *minor_status = 0;
+	    return GSS_S_COMPLETE;
+	}
+
+	*minor_status = 0;
+	switch (status_type) {
+	case GSS_C_GSS_CODE: {
+	    	char *buf = NULL;
+		int e;
+
+		if (GSS_SUPPLEMENTARY_INFO(status_value))
+		    e = asprintf(&buf, "%s", supplementary_error(
+		        GSS_SUPPLEMENTARY_INFO(status_value)));
+		else
+		    e = asprintf (&buf, "%s %s",
+		        calling_error(GSS_CALLING_ERROR(status_value)),
+			routine_error(GSS_ROUTINE_ERROR(status_value)));
+
+		if (e < 0 || buf == NULL)
+		    break;
+
+		status_string->length = strlen(buf);
+		status_string->value  = buf;
+
+		return GSS_S_COMPLETE;
+	}
+	case GSS_C_MECH_CODE: {
+		OM_uint32 maj_junk, min_junk;
+		gss_buffer_desc oid;
+		char *buf = NULL;
+		int e;
+
+		maj_junk = gss_oid_to_str(&min_junk, mech_type, &oid);
+		if (maj_junk != GSS_S_COMPLETE) {
+		    oid.value = rk_UNCONST("unknown");
+		    oid.length = 7;
+		}
+
+		e = asprintf (&buf, "unknown mech-code %lu for mech %.*s",
+			  (unsigned long)status_value,
+			  (int)oid.length, (char *)oid.value);
+		if (maj_junk == GSS_S_COMPLETE)
+		    gss_release_buffer(&min_junk, &oid);
+
+		if (e < 0 || buf == NULL)
+		    break;
+
+		status_string->length = strlen(buf);
+		status_string->value  = buf;
+
+		return GSS_S_COMPLETE;
+	}
+	}
+	_mg_buffer_zero(status_string);
+	return (GSS_S_BAD_STATUS);
+}
diff --git a/lib/gssapi/mech/gss_duplicate_name.c b/lib/gssapi/mech/gss_duplicate_name.c
new file mode 100644
index 000000000000..a76c87cb852a
--- /dev/null
+++ b/lib/gssapi/mech/gss_duplicate_name.c
@@ -0,0 +1,95 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_duplicate_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_duplicate_name(OM_uint32 *minor_status,
+    const gss_name_t src_name,
+    gss_name_t *dest_name)
+{
+	OM_uint32		major_status;
+	struct _gss_name	*name = (struct _gss_name *) src_name;
+	struct _gss_name	*new_name;
+	struct _gss_mechanism_name *mn;
+
+	*minor_status = 0;
+	*dest_name = GSS_C_NO_NAME;
+
+	/*
+	 * If this name has a value (i.e. it didn't come from
+	 * gss_canonicalize_name(), we re-import the thing. Otherwise,
+	 * we make copy of each mech names.
+	 */
+	if (name->gn_value.value) {
+		major_status = gss_import_name(minor_status,
+		    &name->gn_value, &name->gn_type, dest_name);
+		if (major_status != GSS_S_COMPLETE)
+			return (major_status);
+		new_name = (struct _gss_name *) *dest_name;
+
+		HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+		    struct _gss_mechanism_name *mn2;
+		    _gss_find_mn(minor_status, new_name,
+				 mn->gmn_mech_oid, &mn2);
+		}
+	} else {
+		new_name = malloc(sizeof(struct _gss_name));
+		if (!new_name) {
+			*minor_status = ENOMEM;
+			return (GSS_S_FAILURE);
+		}
+		memset(new_name, 0, sizeof(struct _gss_name));
+		HEIM_SLIST_INIT(&new_name->gn_mn);
+		*dest_name = (gss_name_t) new_name;
+
+		HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+			struct _gss_mechanism_name *new_mn;
+
+			new_mn = malloc(sizeof(*new_mn));
+			if (!new_mn) {
+				*minor_status = ENOMEM;
+				return GSS_S_FAILURE;
+			}
+			new_mn->gmn_mech = mn->gmn_mech;
+			new_mn->gmn_mech_oid = mn->gmn_mech_oid;
+
+			major_status =
+			    mn->gmn_mech->gm_duplicate_name(minor_status,
+				mn->gmn_name, &new_mn->gmn_name);
+			if (major_status != GSS_S_COMPLETE) {
+				free(new_mn);
+				continue;
+			}
+			HEIM_SLIST_INSERT_HEAD(&new_name->gn_mn, new_mn, gmn_link);
+		}
+
+	}
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_duplicate_oid.c b/lib/gssapi/mech/gss_duplicate_oid.c
new file mode 100644
index 000000000000..10a200048690
--- /dev/null
+++ b/lib/gssapi/mech/gss_duplicate_oid.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_duplicate_oid (
+        OM_uint32 *minor_status,
+	gss_OID src_oid,
+	gss_OID *dest_oid
+     )
+{
+    *minor_status = 0;
+
+    if (src_oid == GSS_C_NO_OID) {
+	*dest_oid = GSS_C_NO_OID;
+	return GSS_S_COMPLETE;
+    }
+
+    *dest_oid = malloc(sizeof(**dest_oid));
+    if (*dest_oid == GSS_C_NO_OID) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    (*dest_oid)->elements = malloc(src_oid->length);
+    if ((*dest_oid)->elements == NULL) {
+	free(*dest_oid);
+	*dest_oid = GSS_C_NO_OID;
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+    memcpy((*dest_oid)->elements, src_oid->elements, src_oid->length);
+    (*dest_oid)->length = src_oid->length;
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_encapsulate_token.c b/lib/gssapi/mech/gss_encapsulate_token.c
new file mode 100644
index 000000000000..1b1f973eaaa8
--- /dev/null
+++ b/lib/gssapi/mech/gss_encapsulate_token.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_encapsulate_token(gss_const_buffer_t input_token,
+		      gss_const_OID oid,
+		      gss_buffer_t output_token)
+{
+    GSSAPIContextToken ct;
+    int ret;
+    size_t size;
+
+    ret = der_get_oid (oid->elements, oid->length, &ct.thisMech, &size);
+    if (ret) {
+	_mg_buffer_zero(output_token);
+	return GSS_S_FAILURE;
+    }
+
+    ct.innerContextToken.data = input_token->value;
+    ct.innerContextToken.length = input_token->length;
+
+    ASN1_MALLOC_ENCODE(GSSAPIContextToken,
+		       output_token->value, output_token->length,
+		       &ct, &size, ret);
+    der_free_oid(&ct.thisMech);
+    if (ret) {
+	_mg_buffer_zero(output_token);
+	return GSS_S_FAILURE;
+    }
+    if (output_token->length != size)
+	abort();
+
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_export_name.c b/lib/gssapi/mech/gss_export_name.c
new file mode 100644
index 000000000000..3e6e62681913
--- /dev/null
+++ b/lib/gssapi/mech/gss_export_name.c
@@ -0,0 +1,54 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_export_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_export_name(OM_uint32 *minor_status,
+    const gss_name_t input_name,
+    gss_buffer_t exported_name)
+{
+	struct _gss_name *name = (struct _gss_name *) input_name;
+	struct _gss_mechanism_name *mn;
+
+	_mg_buffer_zero(exported_name);
+
+	/*
+	 * If this name already has any attached MNs, export the first
+	 * one, otherwise export based on the first mechanism in our
+	 * list.
+	 */
+	mn = HEIM_SLIST_FIRST(&name->gn_mn);
+	if (!mn) {
+		*minor_status = 0;
+		return (GSS_S_NAME_NOT_MN);
+	}
+
+	return mn->gmn_mech->gm_export_name(minor_status,
+	    mn->gmn_name, exported_name);
+}
diff --git a/lib/gssapi/mech/gss_export_name_composite.c b/lib/gssapi/mech/gss_export_name_composite.c
new file mode 100644
index 000000000000..530a905aa7e8
--- /dev/null
+++ b/lib/gssapi/mech/gss_export_name_composite.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2010, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_export_name_composite(OM_uint32 *minor_status,
+		          gss_name_t input_name,
+		          gss_buffer_t exp_composite_name)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    struct _gss_name *name = (struct _gss_name *) input_name;
+    struct _gss_mechanism_name *mn;
+
+    *minor_status = 0;
+    _mg_buffer_zero(exp_composite_name);
+
+    if (input_name == GSS_C_NO_NAME)
+        return GSS_S_BAD_NAME;
+
+    HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+        gssapi_mech_interface m = mn->gmn_mech;
+
+        if (!m->gm_export_name_composite)
+            continue;
+
+        major_status = m->gm_export_name_composite(minor_status,
+                                                   mn->gmn_name,
+                                                   exp_composite_name);
+        if (GSS_ERROR(major_status))
+            _gss_mg_error(m, major_status, *minor_status);
+        else
+            break;
+    }
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_export_sec_context.c b/lib/gssapi/mech/gss_export_sec_context.c
new file mode 100644
index 000000000000..369f3a22570e
--- /dev/null
+++ b/lib/gssapi/mech/gss_export_sec_context.c
@@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_export_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_export_sec_context(OM_uint32 *minor_status,
+    gss_ctx_id_t *context_handle,
+    gss_buffer_t interprocess_token)
+{
+	OM_uint32 major_status;
+	struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+	gssapi_mech_interface m = ctx->gc_mech;
+	gss_buffer_desc buf;
+
+	_mg_buffer_zero(interprocess_token);
+
+	major_status = m->gm_export_sec_context(minor_status,
+	    &ctx->gc_ctx, &buf);
+
+	if (major_status == GSS_S_COMPLETE) {
+		unsigned char *p;
+
+		free(ctx);
+		*context_handle = GSS_C_NO_CONTEXT;
+		interprocess_token->length = buf.length
+			+ 2 + m->gm_mech_oid.length;
+		interprocess_token->value = malloc(interprocess_token->length);
+		if (!interprocess_token->value) {
+			/*
+			 * We are in trouble here - the context is
+			 * already gone. This is allowed as long as we
+			 * set the caller's context_handle to
+			 * GSS_C_NO_CONTEXT, which we did above.
+			 * Return GSS_S_FAILURE.
+			 */
+			_mg_buffer_zero(interprocess_token);
+			*minor_status = ENOMEM;
+			return (GSS_S_FAILURE);
+		}
+		p = interprocess_token->value;
+		p[0] = m->gm_mech_oid.length >> 8;
+		p[1] = m->gm_mech_oid.length;
+		memcpy(p + 2, m->gm_mech_oid.elements, m->gm_mech_oid.length);
+		memcpy(p + 2 + m->gm_mech_oid.length, buf.value, buf.length);
+		gss_release_buffer(minor_status, &buf);
+	} else {
+		_gss_mg_error(m, major_status, *minor_status);
+	}
+
+	return (major_status);
+}
diff --git a/lib/gssapi/mech/gss_get_mic.c b/lib/gssapi/mech/gss_get_mic.c
new file mode 100644
index 000000000000..6eebfe0bbb03
--- /dev/null
+++ b/lib/gssapi/mech/gss_get_mic.c
@@ -0,0 +1,51 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_get_mic.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_get_mic(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    gss_qop_t qop_req,
+    const gss_buffer_t message_buffer,
+    gss_buffer_t message_token)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m;
+
+	_mg_buffer_zero(message_token);
+	if (ctx == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_NO_CONTEXT;
+	}
+
+	m = ctx->gc_mech;
+
+	return (m->gm_get_mic(minor_status, ctx->gc_ctx, qop_req,
+		    message_buffer, message_token));
+}
diff --git a/lib/gssapi/mech/gss_get_name_attribute.c b/lib/gssapi/mech/gss_get_name_attribute.c
new file mode 100644
index 000000000000..450bbac46e93
--- /dev/null
+++ b/lib/gssapi/mech/gss_get_name_attribute.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2010, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_get_name_attribute(OM_uint32 *minor_status,
+		       gss_name_t input_name,
+		       gss_buffer_t attr,
+		       int *authenticated,
+		       int *complete,
+		       gss_buffer_t value,
+		       gss_buffer_t display_value,
+		       int *more)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    struct _gss_name *name = (struct _gss_name *) input_name;
+    struct _gss_mechanism_name *mn;
+
+    *minor_status = 0;
+    if (authenticated != NULL)
+        *authenticated = 0;
+    if (complete != NULL)
+        *complete = 0;
+    _mg_buffer_zero(value);
+    _mg_buffer_zero(display_value);
+
+    if (input_name == GSS_C_NO_NAME)
+        return GSS_S_BAD_NAME;
+
+    HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+        gssapi_mech_interface m = mn->gmn_mech;
+
+        if (!m->gm_get_name_attribute)
+            continue;
+
+        major_status = m->gm_get_name_attribute(minor_status,
+                                                mn->gmn_name,
+                                                attr,
+                                                authenticated,
+                                                complete,
+                                                value,
+                                                display_value,
+                                                more);
+        if (GSS_ERROR(major_status))
+            _gss_mg_error(m, major_status, *minor_status);
+        else
+            break;
+    }
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_import_name.c b/lib/gssapi/mech/gss_import_name.c
new file mode 100644
index 000000000000..d1b3dc95b4a4
--- /dev/null
+++ b/lib/gssapi/mech/gss_import_name.c
@@ -0,0 +1,291 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_import_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+static OM_uint32
+_gss_import_export_name(OM_uint32 *minor_status,
+    const gss_buffer_t input_name_buffer,
+    gss_name_t *output_name)
+{
+	OM_uint32 major_status;
+	unsigned char *p = input_name_buffer->value;
+	size_t len = input_name_buffer->length;
+	size_t t;
+	gss_OID_desc mech_oid;
+	gssapi_mech_interface m;
+	struct _gss_name *name;
+	gss_name_t new_canonical_name;
+	int composite = 0;
+
+	*minor_status = 0;
+	*output_name = 0;
+
+	/*
+	 * Make sure that TOK_ID is {4, 1}.
+	 */
+	if (len < 2)
+		return (GSS_S_BAD_NAME);
+	if (p[0] != 4)
+		return (GSS_S_BAD_NAME);
+	switch (p[1]) {
+	case 1:	/* non-composite name */
+		break;
+	case 2:	/* composite name */
+		composite = 1;
+		break;
+	default:
+		return (GSS_S_BAD_NAME);
+	}
+	p += 2;
+	len -= 2;
+
+	/*
+	 * Get the mech length and the name length and sanity
+	 * check the size of of the buffer.
+	 */
+	if (len < 2)
+		return (GSS_S_BAD_NAME);
+	t = (p[0] << 8) + p[1];
+	p += 2;
+	len -= 2;
+
+	/*
+	 * Check the DER encoded OID to make sure it agrees with the
+	 * length we just decoded.
+	 */
+	if (p[0] != 6)		/* 6=OID */
+		return (GSS_S_BAD_NAME);
+	p++;
+	len--;
+	t--;
+	if (p[0] & 0x80) {
+		int digits = p[0];
+		p++;
+		len--;
+		t--;
+		mech_oid.length = 0;
+		while (digits--) {
+			mech_oid.length = (mech_oid.length << 8) | p[0];
+			p++;
+			len--;
+			t--;
+		}
+	} else {
+		mech_oid.length = p[0];
+		p++;
+		len--;
+		t--;
+	}
+	if (mech_oid.length != t)
+		return (GSS_S_BAD_NAME);
+
+	mech_oid.elements = p;
+
+	if (len < t + 4)
+		return (GSS_S_BAD_NAME);
+	p += t;
+	len -= t;
+
+	t = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+	p += 4;
+	len -= 4;
+
+	if (!composite && len != t)
+		return (GSS_S_BAD_NAME);
+
+	m = __gss_get_mechanism(&mech_oid);
+	if (!m)
+		return (GSS_S_BAD_MECH);
+
+	/*
+	 * Ask the mechanism to import the name.
+	 */
+	major_status = m->gm_import_name(minor_status,
+	    input_name_buffer, GSS_C_NT_EXPORT_NAME, &new_canonical_name);
+	if (major_status != GSS_S_COMPLETE) {
+		_gss_mg_error(m, major_status, *minor_status);
+		return major_status;
+	}
+
+	/*
+	 * Now we make a new name and mark it as an MN.
+	 */
+	name = _gss_make_name(m, new_canonical_name);
+	if (!name) {
+		m->gm_release_name(minor_status, &new_canonical_name);
+		return (GSS_S_FAILURE);
+	}
+
+	*output_name = (gss_name_t) name;
+
+	*minor_status = 0;
+	return (GSS_S_COMPLETE);
+}
+
+/**
+ * Import a name internal or mechanism name
+ *
+ * Type of name and their format:
+ * - GSS_C_NO_OID
+ * - GSS_C_NT_USER_NAME
+ * - GSS_C_NT_HOSTBASED_SERVICE
+ * - GSS_C_NT_EXPORT_NAME
+ * - GSS_C_NT_ANONYMOUS
+ * - GSS_KRB5_NT_PRINCIPAL_NAME
+ *
+ * For more information about @ref internalVSmechname.
+ *
+ * @param minor_status minor status code
+ * @param input_name_buffer import name buffer
+ * @param input_name_type type of the import name buffer
+ * @param output_name the resulting type, release with
+ *        gss_release_name(), independent of input_name
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ *        the error code.
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_import_name(OM_uint32 *minor_status,
+    const gss_buffer_t input_name_buffer,
+    const gss_OID input_name_type,
+    gss_name_t *output_name)
+{
+        struct _gss_mechanism_name *mn;
+	gss_OID			name_type = input_name_type;
+	OM_uint32		major_status, ms;
+	struct _gss_name	*name;
+        struct _gss_mech_switch	*m;
+	gss_name_t		rname;
+
+	*output_name = GSS_C_NO_NAME;
+
+	if (input_name_buffer->length == 0) {
+		*minor_status = 0;
+		return (GSS_S_BAD_NAME);
+	}
+
+	_gss_load_mech();
+
+	/*
+	 * Use GSS_NT_USER_NAME as default name type.
+	 */
+	if (name_type == GSS_C_NO_OID)
+		name_type = GSS_C_NT_USER_NAME;
+
+	/*
+	 * If this is an exported name, we need to parse it to find
+	 * the mechanism and then import it as an MN. See RFC 2743
+	 * section 3.2 for a description of the format.
+	 */
+	if (gss_oid_equal(name_type, GSS_C_NT_EXPORT_NAME)) {
+		return _gss_import_export_name(minor_status,
+		    input_name_buffer, output_name);
+	}
+
+
+	*minor_status = 0;
+	name = calloc(1, sizeof(struct _gss_name));
+	if (!name) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+
+	HEIM_SLIST_INIT(&name->gn_mn);
+
+	major_status = _gss_copy_oid(minor_status,
+	    name_type, &name->gn_type);
+	if (major_status) {
+		free(name);
+		return (GSS_S_FAILURE);
+	}
+
+	major_status = _gss_copy_buffer(minor_status,
+	    input_name_buffer, &name->gn_value);
+	if (major_status)
+		goto out;
+
+	/*
+	 * Walk over the mechs and import the name into a mech name
+	 * for those supported this nametype.
+	 */
+
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		int present = 0;
+
+		major_status = gss_test_oid_set_member(minor_status,
+		    name_type, m->gm_name_types, &present);
+
+		if (major_status || present == 0)
+			continue;
+
+		mn = malloc(sizeof(struct _gss_mechanism_name));
+		if (!mn) {
+			*minor_status = ENOMEM;
+			major_status = GSS_S_FAILURE;
+			goto out;
+		}
+
+		major_status = (*m->gm_mech.gm_import_name)(minor_status,
+		    &name->gn_value,
+		    (name->gn_type.elements
+			? &name->gn_type : GSS_C_NO_OID),
+		    &mn->gmn_name);
+		if (major_status != GSS_S_COMPLETE) {
+			_gss_mg_error(&m->gm_mech, major_status, *minor_status);
+			free(mn);
+			goto out;
+		}
+
+		mn->gmn_mech = &m->gm_mech;
+		mn->gmn_mech_oid = &m->gm_mech_oid;
+		HEIM_SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+	}
+
+	/*
+	 * If we can't find a mn for the name, bail out already here.
+	 */
+
+	mn = HEIM_SLIST_FIRST(&name->gn_mn);
+	if (!mn) {
+		*minor_status = 0;
+		major_status = GSS_S_NAME_NOT_MN;
+		goto out;
+	}
+
+	*output_name = (gss_name_t) name;
+	return (GSS_S_COMPLETE);
+
+ out:
+	rname = (gss_name_t)name;
+	gss_release_name(&ms, &rname);
+	return major_status;
+}
diff --git a/lib/gssapi/mech/gss_import_sec_context.c b/lib/gssapi/mech/gss_import_sec_context.c
new file mode 100644
index 000000000000..9865db78d419
--- /dev/null
+++ b/lib/gssapi/mech/gss_import_sec_context.c
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_import_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_import_sec_context(OM_uint32 *minor_status,
+    const gss_buffer_t interprocess_token,
+    gss_ctx_id_t *context_handle)
+{
+	OM_uint32 major_status;
+	gssapi_mech_interface m;
+	struct _gss_context *ctx;
+	gss_OID_desc mech_oid;
+	gss_buffer_desc buf;
+	unsigned char *p;
+	size_t len;
+
+	*minor_status = 0;
+	*context_handle = GSS_C_NO_CONTEXT;
+
+	/*
+	 * We added an oid to the front of the token in
+	 * gss_export_sec_context.
+	 */
+	p = interprocess_token->value;
+	len = interprocess_token->length;
+	if (len < 2)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	mech_oid.length = (p[0] << 8) | p[1];
+	if (len < mech_oid.length + 2)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	mech_oid.elements = p + 2;
+	buf.length = len - 2 - mech_oid.length;
+	buf.value = p + 2 + mech_oid.length;
+
+	m = __gss_get_mechanism(&mech_oid);
+	if (!m)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	ctx = malloc(sizeof(struct _gss_context));
+	if (!ctx) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	ctx->gc_mech = m;
+	major_status = m->gm_import_sec_context(minor_status,
+	    &buf, &ctx->gc_ctx);
+	if (major_status != GSS_S_COMPLETE) {
+		_gss_mg_error(m, major_status, *minor_status);
+		free(ctx);
+	} else {
+		*context_handle = (gss_ctx_id_t) ctx;
+	}
+
+	return (major_status);
+}
diff --git a/lib/gssapi/mech/gss_indicate_mechs.c b/lib/gssapi/mech/gss_indicate_mechs.c
new file mode 100644
index 000000000000..8fd53d956d58
--- /dev/null
+++ b/lib/gssapi/mech/gss_indicate_mechs.c
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_indicate_mechs.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_indicate_mechs(OM_uint32 *minor_status,
+    gss_OID_set *mech_set)
+{
+	struct _gss_mech_switch *m;
+	OM_uint32 major_status;
+	gss_OID_set set;
+	size_t i;
+
+	_gss_load_mech();
+
+	major_status = gss_create_empty_oid_set(minor_status, mech_set);
+	if (major_status)
+		return (major_status);
+
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		if (m->gm_mech.gm_indicate_mechs) {
+			major_status = m->gm_mech.gm_indicate_mechs(
+			    minor_status, &set);
+			if (major_status)
+				continue;
+			for (i = 0; i < set->count; i++)
+				major_status = gss_add_oid_set_member(
+				    minor_status, &set->elements[i], mech_set);
+			gss_release_oid_set(minor_status, &set);
+		} else {
+			major_status = gss_add_oid_set_member(
+			    minor_status, &m->gm_mech_oid, mech_set);
+		}
+	}
+
+	*minor_status = 0;
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_init_sec_context.c b/lib/gssapi/mech/gss_init_sec_context.c
new file mode 100644
index 000000000000..af0170a50a51
--- /dev/null
+++ b/lib/gssapi/mech/gss_init_sec_context.c
@@ -0,0 +1,212 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_init_sec_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+static gss_cred_id_t
+_gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
+{
+	struct _gss_cred *cred = (struct _gss_cred *)cred_handle;
+	struct _gss_mechanism_cred *mc;
+
+	if (cred == NULL)
+		return GSS_C_NO_CREDENTIAL;
+
+	HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+		if (gss_oid_equal(mech_type, mc->gmc_mech_oid))
+			return mc->gmc_cred;
+	}
+	return GSS_C_NO_CREDENTIAL;
+}
+
+/**
+ * As the initiator build a context with an acceptor.
+ *
+ * Returns in the major
+ * - GSS_S_COMPLETE - if the context if build
+ * - GSS_S_CONTINUE_NEEDED -  if the caller needs  to continue another
+ *	round of gss_i nit_sec_context
+ * - error code - any other error code
+ *
+ * @param minor_status minor status code.
+ *
+ * @param initiator_cred_handle the credential to use when building
+ *        the context, if GSS_C_NO_CREDENTIAL is passed, the default
+ *        credential for the mechanism will be used.
+ *
+ * @param context_handle a pointer to a context handle, will be
+ * 	  returned as long as there is not an error.
+ *
+ * @param target_name the target name of acceptor, created using
+ * 	  gss_import_name(). The name is can be of any name types the
+ * 	  mechanism supports, check supported name types with
+ * 	  gss_inquire_names_for_mech().
+ *
+ * @param input_mech_type mechanism type to use, if GSS_C_NO_OID is
+ *        used, Kerberos (GSS_KRB5_MECHANISM) will be tried. Other
+ *        available mechanism are listed in the @ref gssapi_mechs_intro
+ *        section.
+ *
+ * @param req_flags flags using when building the context, see @ref
+ *        gssapi_context_flags
+ *
+ * @param time_req time requested this context should be valid in
+ *        seconds, common used value is GSS_C_INDEFINITE
+ *
+ * @param input_chan_bindings Channel bindings used, if not exepected
+ *        otherwise, used GSS_C_NO_CHANNEL_BINDINGS
+ *
+ * @param input_token input token sent from the acceptor, for the
+ * 	  initial packet the buffer of { NULL, 0 } should be used.
+ *
+ * @param actual_mech_type the actual mech used, MUST NOT be freed
+ *        since it pointing to static memory.
+ *
+ * @param output_token if there is an output token, regardless of
+ * 	  complete, continue_needed, or error it should be sent to the
+ * 	  acceptor
+ *
+ * @param ret_flags return what flags was negotitated, caller should
+ * 	  check if they are accetable. For example, if
+ * 	  GSS_C_MUTUAL_FLAG was negotiated with the acceptor or not.
+ *
+ * @param time_rec amount of time this context is valid for
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ *          the error code.
+ *
+ * @ingroup gssapi
+ */
+
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_init_sec_context(OM_uint32 * minor_status,
+    const gss_cred_id_t initiator_cred_handle,
+    gss_ctx_id_t * context_handle,
+    const gss_name_t target_name,
+    const gss_OID input_mech_type,
+    OM_uint32 req_flags,
+    OM_uint32 time_req,
+    const gss_channel_bindings_t input_chan_bindings,
+    const gss_buffer_t input_token,
+    gss_OID * actual_mech_type,
+    gss_buffer_t output_token,
+    OM_uint32 * ret_flags,
+    OM_uint32 * time_rec)
+{
+	OM_uint32 major_status;
+	gssapi_mech_interface m;
+	struct _gss_name *name = (struct _gss_name *) target_name;
+	struct _gss_mechanism_name *mn;
+	struct _gss_context *ctx = (struct _gss_context *) *context_handle;
+	gss_cred_id_t cred_handle;
+	int allocated_ctx;
+	gss_OID mech_type = input_mech_type;
+
+	*minor_status = 0;
+
+	_mg_buffer_zero(output_token);
+	if (actual_mech_type)
+	    *actual_mech_type = GSS_C_NO_OID;
+	if (ret_flags)
+	    *ret_flags = 0;
+	if (time_rec)
+	    *time_rec = 0;
+
+	/*
+	 * If we haven't allocated a context yet, do so now and lookup
+	 * the mechanism switch table. If we have one already, make
+	 * sure we use the same mechanism switch as before.
+	 */
+	if (!ctx) {
+		if (mech_type == NULL)
+			mech_type = GSS_KRB5_MECHANISM;
+
+		ctx = malloc(sizeof(struct _gss_context));
+		if (!ctx) {
+			*minor_status = ENOMEM;
+			return (GSS_S_FAILURE);
+		}
+		memset(ctx, 0, sizeof(struct _gss_context));
+		m = ctx->gc_mech = __gss_get_mechanism(mech_type);
+		if (!m) {
+			free(ctx);
+			return (GSS_S_BAD_MECH);
+		}
+		allocated_ctx = 1;
+	} else {
+		m = ctx->gc_mech;
+		mech_type = &ctx->gc_mech->gm_mech_oid;
+		allocated_ctx = 0;
+	}
+
+	/*
+	 * Find the MN for this mechanism.
+	 */
+	major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
+	if (major_status != GSS_S_COMPLETE) {
+		if (allocated_ctx)
+			free(ctx);
+		return major_status;
+	}
+
+	/*
+	 * If we have a cred, find the cred for this mechanism.
+	 */
+	if (m->gm_flags & GM_USE_MG_CRED)
+		cred_handle = initiator_cred_handle;
+	else
+		cred_handle = _gss_mech_cred_find(initiator_cred_handle, mech_type);
+
+	major_status = m->gm_init_sec_context(minor_status,
+	    cred_handle,
+	    &ctx->gc_ctx,
+	    mn->gmn_name,
+	    mech_type,
+	    req_flags,
+	    time_req,
+	    input_chan_bindings,
+	    input_token,
+	    actual_mech_type,
+	    output_token,
+	    ret_flags,
+	    time_rec);
+
+	if (major_status != GSS_S_COMPLETE
+	    && major_status != GSS_S_CONTINUE_NEEDED) {
+		if (allocated_ctx)
+			free(ctx);
+		_mg_buffer_zero(output_token);
+		_gss_mg_error(m, major_status, *minor_status);
+	} else {
+		*context_handle = (gss_ctx_id_t) ctx;
+	}
+
+	return (major_status);
+}
diff --git a/lib/gssapi/mech/gss_inquire_context.c b/lib/gssapi/mech/gss_inquire_context.c
new file mode 100644
index 000000000000..2568075988f1
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_context.c
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_inquire_context.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_context(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    gss_name_t *src_name,
+    gss_name_t *targ_name,
+    OM_uint32 *lifetime_rec,
+    gss_OID *mech_type,
+    OM_uint32 *ctx_flags,
+    int *locally_initiated,
+    int *xopen)
+{
+	OM_uint32 major_status;
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m = ctx->gc_mech;
+	struct _gss_name *name;
+	gss_name_t src_mn, targ_mn;
+
+	if (locally_initiated)
+	    *locally_initiated = 0;
+	if (xopen)
+	    *xopen = 0;
+	if (lifetime_rec)
+	    *lifetime_rec = 0;
+
+	if (src_name)
+	    *src_name = GSS_C_NO_NAME;
+	if (targ_name)
+	    *targ_name = GSS_C_NO_NAME;
+	if (mech_type)
+	    *mech_type = GSS_C_NO_OID;
+	src_mn = targ_mn = GSS_C_NO_NAME;
+
+	major_status = m->gm_inquire_context(minor_status,
+	    ctx->gc_ctx,
+	    src_name ? &src_mn : NULL,
+	    targ_name ? &targ_mn : NULL,
+	    lifetime_rec,
+	    mech_type,
+	    ctx_flags,
+	    locally_initiated,
+	    xopen);
+
+	if (major_status != GSS_S_COMPLETE) {
+		_gss_mg_error(m, major_status, *minor_status);
+		return (major_status);
+	}
+
+	if (src_name) {
+		name = _gss_make_name(m, src_mn);
+		if (!name) {
+			if (mech_type)
+				*mech_type = GSS_C_NO_OID;
+			m->gm_release_name(minor_status, &src_mn);
+			*minor_status = 0;
+			return (GSS_S_FAILURE);
+		}
+		*src_name = (gss_name_t) name;
+	}
+
+	if (targ_name) {
+		name = _gss_make_name(m, targ_mn);
+		if (!name) {
+			if (mech_type)
+				*mech_type = GSS_C_NO_OID;
+			if (src_name)
+				gss_release_name(minor_status, src_name);
+			m->gm_release_name(minor_status, &targ_mn);
+			*minor_status = 0;
+			return (GSS_S_FAILURE);
+		}
+		*targ_name = (gss_name_t) name;
+	}
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_inquire_cred.c b/lib/gssapi/mech/gss_inquire_cred.c
new file mode 100644
index 000000000000..1db0f233033c
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_cred.c
@@ -0,0 +1,195 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_inquire_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+#define AUSAGE 1
+#define IUSAGE 2
+
+static void
+updateusage(gss_cred_usage_t usage, int *usagemask)
+{
+    if (usage == GSS_C_BOTH)
+	*usagemask |= AUSAGE | IUSAGE;
+    else if (usage == GSS_C_ACCEPT)
+	*usagemask |= AUSAGE;
+    else if (usage == GSS_C_INITIATE)
+	*usagemask |= IUSAGE;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_cred(OM_uint32 *minor_status,
+    const gss_cred_id_t cred_handle,
+    gss_name_t *name_ret,
+    OM_uint32 *lifetime,
+    gss_cred_usage_t *cred_usage,
+    gss_OID_set *mechanisms)
+{
+	OM_uint32 major_status;
+	struct _gss_mech_switch *m;
+	struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+	struct _gss_name *name;
+	struct _gss_mechanism_name *mn;
+	OM_uint32 min_lifetime;
+	int found = 0;
+	int usagemask = 0;
+	gss_cred_usage_t usage;
+
+	_gss_load_mech();
+
+	*minor_status = 0;
+	if (name_ret)
+		*name_ret = GSS_C_NO_NAME;
+	if (lifetime)
+		*lifetime = 0;
+	if (cred_usage)
+		*cred_usage = 0;
+	if (mechanisms)
+		*mechanisms = GSS_C_NO_OID_SET;
+
+	if (name_ret) {
+		name = calloc(1, sizeof(*name));
+		if (name == NULL) {
+			*minor_status = ENOMEM;
+			return (GSS_S_FAILURE);
+		}
+		HEIM_SLIST_INIT(&name->gn_mn);
+	} else {
+		name = NULL;
+	}
+
+	if (mechanisms) {
+		major_status = gss_create_empty_oid_set(minor_status,
+		    mechanisms);
+		if (major_status) {
+			if (name) free(name);
+			return (major_status);
+		}
+	}
+
+	min_lifetime = GSS_C_INDEFINITE;
+	if (cred) {
+		struct _gss_mechanism_cred *mc;
+
+		HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+			gss_name_t mc_name;
+			OM_uint32 mc_lifetime;
+
+			major_status = mc->gmc_mech->gm_inquire_cred(minor_status,
+			    mc->gmc_cred, &mc_name, &mc_lifetime, &usage, NULL);
+			if (major_status)
+				continue;
+
+			updateusage(usage, &usagemask);
+			if (name) {
+				mn = malloc(sizeof(struct _gss_mechanism_name));
+				if (!mn) {
+					mc->gmc_mech->gm_release_name(minor_status,
+					    &mc_name);
+					continue;
+				}
+				mn->gmn_mech = mc->gmc_mech;
+				mn->gmn_mech_oid = mc->gmc_mech_oid;
+				mn->gmn_name = mc_name;
+				HEIM_SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+			} else {
+				mc->gmc_mech->gm_release_name(minor_status,
+				    &mc_name);
+			}
+
+			if (mc_lifetime < min_lifetime)
+				min_lifetime = mc_lifetime;
+
+			if (mechanisms)
+				gss_add_oid_set_member(minor_status,
+				    mc->gmc_mech_oid, mechanisms);
+			found++;
+		}
+	} else {
+		HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+			gss_name_t mc_name;
+			OM_uint32 mc_lifetime;
+
+			major_status = m->gm_mech.gm_inquire_cred(minor_status,
+			    GSS_C_NO_CREDENTIAL, &mc_name, &mc_lifetime,
+			    &usage, NULL);
+			if (major_status)
+				continue;
+
+			updateusage(usage, &usagemask);
+			if (name && mc_name) {
+				mn = malloc(
+					sizeof(struct _gss_mechanism_name));
+				if (!mn) {
+					m->gm_mech.gm_release_name(
+						minor_status, &mc_name);
+					continue;
+				}
+				mn->gmn_mech = &m->gm_mech;
+				mn->gmn_mech_oid = &m->gm_mech_oid;
+				mn->gmn_name = mc_name;
+				HEIM_SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+			} else if (mc_name) {
+				m->gm_mech.gm_release_name(minor_status,
+				    &mc_name);
+			}
+
+			if (mc_lifetime < min_lifetime)
+				min_lifetime = mc_lifetime;
+
+			if (mechanisms)
+				gss_add_oid_set_member(minor_status,
+				    &m->gm_mech_oid, mechanisms);
+			found++;
+		}
+	}
+
+	if (found == 0) {
+		gss_name_t n = (gss_name_t)name;
+		if (n)
+			gss_release_name(minor_status, &n);
+		gss_release_oid_set(minor_status, mechanisms);
+		*minor_status = 0;
+		return (GSS_S_NO_CRED);
+	}
+
+	*minor_status = 0;
+	if (name_ret)
+		*name_ret = (gss_name_t) name;
+	if (lifetime)
+		*lifetime = min_lifetime;
+	if (cred_usage) {
+		if ((usagemask & (AUSAGE|IUSAGE)) == (AUSAGE|IUSAGE))
+			*cred_usage = GSS_C_BOTH;
+		else if (usagemask & IUSAGE)
+			*cred_usage = GSS_C_INITIATE;
+		else if (usagemask & AUSAGE)
+			*cred_usage = GSS_C_ACCEPT;
+	}
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_inquire_cred_by_mech.c b/lib/gssapi/mech/gss_inquire_cred_by_mech.c
new file mode 100644
index 000000000000..e7746e46578d
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_cred_by_mech.c
@@ -0,0 +1,92 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_inquire_cred_by_mech.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_cred_by_mech(OM_uint32 *minor_status,
+    const gss_cred_id_t cred_handle,
+    const gss_OID mech_type,
+    gss_name_t *cred_name,
+    OM_uint32 *initiator_lifetime,
+    OM_uint32 *acceptor_lifetime,
+    gss_cred_usage_t *cred_usage)
+{
+	OM_uint32 major_status;
+	gssapi_mech_interface m;
+	struct _gss_mechanism_cred *mcp;
+	gss_cred_id_t mc;
+	gss_name_t mn;
+	struct _gss_name *name;
+
+	*minor_status = 0;
+	if (cred_name)
+	    *cred_name = GSS_C_NO_NAME;
+	if (initiator_lifetime)
+	    *initiator_lifetime = 0;
+	if (acceptor_lifetime)
+	    *acceptor_lifetime = 0;
+	if (cred_usage)
+	    *cred_usage = 0;
+
+	m = __gss_get_mechanism(mech_type);
+	if (!m)
+		return (GSS_S_NO_CRED);
+
+	if (cred_handle != GSS_C_NO_CREDENTIAL) {
+		struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+		HEIM_SLIST_FOREACH(mcp, &cred->gc_mc, gmc_link)
+			if (mcp->gmc_mech == m)
+				break;
+		if (!mcp)
+			return (GSS_S_NO_CRED);
+		mc = mcp->gmc_cred;
+	} else {
+		mc = GSS_C_NO_CREDENTIAL;
+	}
+
+	major_status = m->gm_inquire_cred_by_mech(minor_status, mc, mech_type,
+	    &mn, initiator_lifetime, acceptor_lifetime, cred_usage);
+	if (major_status != GSS_S_COMPLETE) {
+		_gss_mg_error(m, major_status, *minor_status);
+		return (major_status);
+	}
+
+	if (cred_name) {
+	    name = _gss_make_name(m, mn);
+	    if (!name) {
+		m->gm_release_name(minor_status, &mn);
+		return (GSS_S_NO_CRED);
+	    }
+	    *cred_name = (gss_name_t) name;
+	} else
+	    m->gm_release_name(minor_status, &mn);
+
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/lib/gssapi/mech/gss_inquire_cred_by_oid.c
new file mode 100644
index 000000000000..e674dd48f3e4
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_cred_by_oid.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_cred_by_oid (OM_uint32 *minor_status,
+			 const gss_cred_id_t cred_handle,
+			 const gss_OID desired_object,
+			 gss_buffer_set_t *data_set)
+{
+	struct _gss_cred *cred = (struct _gss_cred *) cred_handle;
+	OM_uint32		status = GSS_S_COMPLETE;
+	struct _gss_mechanism_cred *mc;
+	gssapi_mech_interface	m;
+	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+
+	*minor_status = 0;
+	*data_set = GSS_C_NO_BUFFER_SET;
+
+	if (cred == NULL)
+		return GSS_S_NO_CRED;
+
+	HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+		gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET;
+		size_t i;
+
+		m = mc->gmc_mech;
+		if (m == NULL) {
+	       		gss_release_buffer_set(minor_status, &set);
+			*minor_status = 0;
+			return GSS_S_BAD_MECH;
+		}
+
+		if (m->gm_inquire_cred_by_oid == NULL)
+			continue;
+
+		status = m->gm_inquire_cred_by_oid(minor_status,
+		    mc->gmc_cred, desired_object, &rset);
+		if (status != GSS_S_COMPLETE)
+			continue;
+
+		for (i = 0; i < rset->count; i++) {
+			status = gss_add_buffer_set_member(minor_status,
+			     &rset->elements[i], &set);
+			if (status != GSS_S_COMPLETE)
+				break;
+		}
+		gss_release_buffer_set(minor_status, &rset);
+	}
+	if (set == GSS_C_NO_BUFFER_SET)
+		status = GSS_S_FAILURE;
+	*data_set = set;
+	*minor_status = 0;
+	return status;
+}
+
diff --git a/lib/gssapi/mech/gss_inquire_mechs_for_name.c b/lib/gssapi/mech/gss_inquire_mechs_for_name.c
new file mode 100644
index 000000000000..f8eab82dc1cd
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_mechs_for_name.c
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_inquire_mechs_for_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_mechs_for_name(OM_uint32 *minor_status,
+    const gss_name_t input_name,
+    gss_OID_set *mech_types)
+{
+	OM_uint32		major_status;
+	struct _gss_name	*name = (struct _gss_name *) input_name;
+	struct _gss_mech_switch	*m;
+	gss_OID_set		name_types;
+	int			present;
+
+	*minor_status = 0;
+
+	_gss_load_mech();
+
+	major_status = gss_create_empty_oid_set(minor_status, mech_types);
+	if (major_status)
+		return (major_status);
+
+	/*
+	 * We go through all the loaded mechanisms and see if this
+	 * name's type is supported by the mechanism. If it is, add
+	 * the mechanism to the set.
+	 */
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		major_status = gss_inquire_names_for_mech(minor_status,
+		    &m->gm_mech_oid, &name_types);
+		if (major_status) {
+			gss_release_oid_set(minor_status, mech_types);
+			return (major_status);
+		}
+		gss_test_oid_set_member(minor_status,
+		    &name->gn_type, name_types, &present);
+		gss_release_oid_set(minor_status, &name_types);
+		if (present) {
+			major_status = gss_add_oid_set_member(minor_status,
+			    &m->gm_mech_oid, mech_types);
+			if (major_status) {
+				gss_release_oid_set(minor_status, mech_types);
+				return (major_status);
+			}
+		}
+	}
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_inquire_name.c b/lib/gssapi/mech/gss_inquire_name.c
new file mode 100644
index 000000000000..10acaaae19c7
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_name.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2010, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_name(OM_uint32 *minor_status,
+		 gss_name_t input_name,
+		 int *name_is_MN,
+		 gss_OID *MN_mech,
+		 gss_buffer_set_t *attrs)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    struct _gss_name *name = (struct _gss_name *) input_name;
+    struct _gss_mechanism_name *mn;
+
+    *minor_status = 0;
+    if (name_is_MN != NULL)
+        *name_is_MN = 0;
+    if (MN_mech != NULL)
+        *MN_mech = GSS_C_NO_OID;
+    if (attrs != NULL)
+        *attrs = GSS_C_NO_BUFFER_SET;
+
+    if (input_name == GSS_C_NO_NAME)
+        return GSS_S_BAD_NAME;
+
+    HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+        gssapi_mech_interface m = mn->gmn_mech;
+
+        if (!m->gm_inquire_name)
+            continue;
+
+        major_status = m->gm_inquire_name(minor_status,
+                                          mn->gmn_name,
+                                          NULL,
+                                          MN_mech,
+                                          attrs);
+        if (major_status == GSS_S_COMPLETE) {
+            if (name_is_MN != NULL)
+                *name_is_MN = 1;
+            if (MN_mech != NULL && *MN_mech == GSS_C_NO_OID)
+                *MN_mech = &m->gm_mech_oid;
+            break;
+        }
+        _gss_mg_error(m, major_status, *minor_status);
+    }
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_inquire_names_for_mech.c b/lib/gssapi/mech/gss_inquire_names_for_mech.c
new file mode 100644
index 000000000000..595ab737f967
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_names_for_mech.c
@@ -0,0 +1,73 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_inquire_names_for_mech.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_names_for_mech(OM_uint32 *minor_status,
+    const gss_OID mechanism,
+    gss_OID_set *name_types)
+{
+	OM_uint32 major_status;
+	gssapi_mech_interface m = __gss_get_mechanism(mechanism);
+
+	*minor_status = 0;
+	*name_types = GSS_C_NO_OID_SET;
+	if (!m)
+		return (GSS_S_BAD_MECH);
+
+	/*
+	 * If the implementation can do it, ask it for a list of
+	 * names, otherwise fake it.
+	 */
+	if (m->gm_inquire_names_for_mech) {
+		return (m->gm_inquire_names_for_mech(minor_status,
+			    mechanism, name_types));
+	} else {
+		major_status = gss_create_empty_oid_set(minor_status,
+		    name_types);
+		if (major_status)
+			return (major_status);
+		major_status = gss_add_oid_set_member(minor_status,
+		    GSS_C_NT_HOSTBASED_SERVICE, name_types);
+		if (major_status) {
+			OM_uint32 junk;
+			gss_release_oid_set(&junk, name_types);
+			return (major_status);
+		}
+		major_status = gss_add_oid_set_member(minor_status,
+		    GSS_C_NT_USER_NAME, name_types);
+		if (major_status) {
+			OM_uint32 junk;
+			gss_release_oid_set(&junk, name_types);
+			return (major_status);
+		}
+	}
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c b/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c
new file mode 100644
index 000000000000..cc6e5c9cb6e2
--- /dev/null
+++ b/lib/gssapi/mech/gss_inquire_sec_context_by_oid.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_sec_context_by_oid (OM_uint32 *minor_status,
+	                        const gss_ctx_id_t context_handle,
+	                        const gss_OID desired_object,
+	                        gss_buffer_set_t *data_set)
+{
+	struct _gss_context	*ctx = (struct _gss_context *) context_handle;
+	OM_uint32		major_status;
+	gssapi_mech_interface	m;
+
+	*minor_status = 0;
+	*data_set = GSS_C_NO_BUFFER_SET;
+	if (ctx == NULL)
+		return GSS_S_NO_CONTEXT;
+
+	/*
+	 * select the approprate underlying mechanism routine and
+	 * call it.
+	 */
+
+	m = ctx->gc_mech;
+
+	if (m == NULL)
+		return GSS_S_BAD_MECH;
+
+	if (m->gm_inquire_sec_context_by_oid != NULL) {
+		major_status = m->gm_inquire_sec_context_by_oid(minor_status,
+		    ctx->gc_ctx, desired_object, data_set);
+		if (major_status != GSS_S_COMPLETE)
+			_gss_mg_error(m, major_status, *minor_status);
+	} else
+		major_status = GSS_S_BAD_MECH;
+
+	return major_status;
+}
+
diff --git a/lib/gssapi/mech/gss_krb5.c b/lib/gssapi/mech/gss_krb5.c
new file mode 100644
index 000000000000..fe88a384b5f1
--- /dev/null
+++ b/lib/gssapi/mech/gss_krb5.c
@@ -0,0 +1,941 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_krb5.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+#include <krb5.h>
+#include <roken.h>
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_copy_ccache(OM_uint32 *minor_status,
+		     gss_cred_id_t cred,
+		     krb5_ccache out)
+{
+    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+    krb5_context context;
+    krb5_error_code kret;
+    krb5_ccache id;
+    OM_uint32 ret;
+    char *str = NULL;
+
+    ret = gss_inquire_cred_by_oid(minor_status,
+				  cred,
+				  GSS_KRB5_COPY_CCACHE_X,
+				  &data_set);
+    if (ret)
+	return ret;
+
+    if (data_set == GSS_C_NO_BUFFER_SET || data_set->count < 1) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_init_context(&context);
+    if (kret) {
+	*minor_status = kret;
+	gss_release_buffer_set(minor_status, &data_set);
+	return GSS_S_FAILURE;
+    }
+
+    kret = asprintf(&str, "%.*s", (int)data_set->elements[0].length,
+		    (char *)data_set->elements[0].value);
+    gss_release_buffer_set(minor_status, &data_set);
+    if (kret < 0 || str == NULL) {
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_cc_resolve(context, str, &id);
+    free(str);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+
+    kret = krb5_cc_copy_cache(context, id, out);
+    krb5_cc_close(context, id);
+    krb5_free_context(context);
+    if (kret) {
+	*minor_status = kret;
+	return GSS_S_FAILURE;
+    }
+
+    return ret;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_import_cred(OM_uint32 *minor_status,
+		     krb5_ccache id,
+		     krb5_principal keytab_principal,
+		     krb5_keytab keytab,
+		     gss_cred_id_t *cred)
+{
+    gss_buffer_desc buffer;
+    OM_uint32 major_status;
+    krb5_context context;
+    krb5_error_code ret;
+    krb5_storage *sp;
+    krb5_data data;
+    char *str;
+
+    *cred = GSS_C_NO_CREDENTIAL;
+
+    ret = krb5_init_context(&context);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	major_status = GSS_S_FAILURE;
+	goto out;
+    }
+
+    if (id) {
+	ret = krb5_cc_get_full_name(context, id, &str);
+	if (ret == 0) {
+	    ret = krb5_store_string(sp, str);
+	    free(str);
+	}
+    } else
+	ret = krb5_store_string(sp, "");
+    if (ret) {
+	*minor_status = ret;
+	major_status = GSS_S_FAILURE;
+	goto out;
+    }
+
+    if (keytab_principal) {
+	ret = krb5_unparse_name(context, keytab_principal, &str);
+	if (ret == 0) {
+	    ret = krb5_store_string(sp, str);
+	    free(str);
+	}
+    } else
+	krb5_store_string(sp, "");
+    if (ret) {
+	*minor_status = ret;
+	major_status = GSS_S_FAILURE;
+	goto out;
+    }
+
+
+    if (keytab) {
+	ret = krb5_kt_get_full_name(context, keytab, &str);
+	if (ret == 0) {
+	    ret = krb5_store_string(sp, str);
+	    free(str);
+	}
+    } else
+	krb5_store_string(sp, "");
+    if (ret) {
+	*minor_status = ret;
+	major_status = GSS_S_FAILURE;
+	goto out;
+    }
+
+    ret = krb5_storage_to_data(sp, &data);
+    if (ret) {
+	*minor_status = ret;
+	major_status = GSS_S_FAILURE;
+	goto out;
+    }
+
+    buffer.value = data.data;
+    buffer.length = data.length;
+
+    major_status = gss_set_cred_option(minor_status,
+				       cred,
+				       GSS_KRB5_IMPORT_CRED_X,
+				       &buffer);
+    krb5_data_free(&data);
+out:
+    if (sp)
+	krb5_storage_free(sp);
+    krb5_free_context(context);
+    return major_status;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_register_acceptor_identity(const char *identity)
+{
+	gssapi_mech_interface m;
+	gss_buffer_desc buffer;
+	OM_uint32 junk;
+
+	_gss_load_mech();
+
+	buffer.value = rk_UNCONST(identity);
+	buffer.length = strlen(identity);
+
+	m = __gss_get_mechanism(GSS_KRB5_MECHANISM);
+	if (m == NULL || m->gm_set_sec_context_option == NULL)
+	    return GSS_S_FAILURE;
+
+	return m->gm_set_sec_context_option(&junk, NULL,
+	        GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+krb5_gss_register_acceptor_identity(const char *identity)
+{
+    return gsskrb5_register_acceptor_identity(identity);
+}
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_set_dns_canonicalize(int flag)
+{
+        struct _gss_mech_switch	*m;
+	gss_buffer_desc buffer;
+	OM_uint32 junk;
+	char b = (flag != 0);
+
+	_gss_load_mech();
+
+	buffer.value = &b;
+	buffer.length = sizeof(b);
+
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		if (m->gm_mech.gm_set_sec_context_option == NULL)
+			continue;
+		m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+		    GSS_KRB5_SET_DNS_CANONICALIZE_X, &buffer);
+	}
+
+	return (GSS_S_COMPLETE);
+}
+
+
+
+static krb5_error_code
+set_key(krb5_keyblock *keyblock, gss_krb5_lucid_key_t *key)
+{
+    key->type = keyblock->keytype;
+    key->length = keyblock->keyvalue.length;
+    key->data = malloc(key->length);
+    if (key->data == NULL && key->length != 0)
+	return ENOMEM;
+    memcpy(key->data, keyblock->keyvalue.data, key->length);
+    return 0;
+}
+
+static void
+free_key(gss_krb5_lucid_key_t *key)
+{
+    memset(key->data, 0, key->length);
+    free(key->data);
+    memset(key, 0, sizeof(*key));
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
+				  gss_ctx_id_t *context_handle,
+				  OM_uint32 version,
+				  void **rctx)
+{
+    krb5_context context = NULL;
+    krb5_error_code ret;
+    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+    OM_uint32 major_status;
+    gss_krb5_lucid_context_v1_t *ctx = NULL;
+    krb5_storage *sp = NULL;
+    uint32_t num;
+
+    if (context_handle == NULL
+	|| *context_handle == GSS_C_NO_CONTEXT
+	|| version != 1)
+    {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    major_status =
+	gss_inquire_sec_context_by_oid (minor_status,
+					*context_handle,
+					GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X,
+					&data_set);
+    if (major_status)
+	return major_status;
+
+    if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	goto out;
+
+    ctx = calloc(1, sizeof(*ctx));
+    if (ctx == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    sp = krb5_storage_from_mem(data_set->elements[0].value,
+			       data_set->elements[0].length);
+    if (sp == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = krb5_ret_uint32(sp, &num);
+    if (ret) goto out;
+    if (num != 1) {
+	ret = EINVAL;
+	goto out;
+    }
+    ctx->version = 1;
+    /* initiator */
+    ret = krb5_ret_uint32(sp, &ctx->initiate);
+    if (ret) goto out;
+    /* endtime */
+    ret = krb5_ret_uint32(sp, &ctx->endtime);
+    if (ret) goto out;
+    /* send_seq */
+    ret = krb5_ret_uint32(sp, &num);
+    if (ret) goto out;
+    ctx->send_seq = ((uint64_t)num) << 32;
+    ret = krb5_ret_uint32(sp, &num);
+    if (ret) goto out;
+    ctx->send_seq |= num;
+    /* recv_seq */
+    ret = krb5_ret_uint32(sp, &num);
+    if (ret) goto out;
+    ctx->recv_seq = ((uint64_t)num) << 32;
+    ret = krb5_ret_uint32(sp, &num);
+    if (ret) goto out;
+    ctx->recv_seq |= num;
+    /* protocol */
+    ret = krb5_ret_uint32(sp, &ctx->protocol);
+    if (ret) goto out;
+    if (ctx->protocol == 0) {
+	krb5_keyblock key;
+
+	/* sign_alg */
+	ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.sign_alg);
+	if (ret) goto out;
+	/* seal_alg */
+	ret = krb5_ret_uint32(sp, &ctx->rfc1964_kd.seal_alg);
+	if (ret) goto out;
+	/* ctx_key */
+	ret = krb5_ret_keyblock(sp, &key);
+	if (ret) goto out;
+	ret = set_key(&key, &ctx->rfc1964_kd.ctx_key);
+	krb5_free_keyblock_contents(context, &key);
+	if (ret) goto out;
+    } else if (ctx->protocol == 1) {
+	krb5_keyblock key;
+
+	/* acceptor_subkey */
+	ret = krb5_ret_uint32(sp, &ctx->cfx_kd.have_acceptor_subkey);
+	if (ret) goto out;
+	/* ctx_key */
+	ret = krb5_ret_keyblock(sp, &key);
+	if (ret) goto out;
+	ret = set_key(&key, &ctx->cfx_kd.ctx_key);
+	krb5_free_keyblock_contents(context, &key);
+	if (ret) goto out;
+	/* acceptor_subkey */
+	if (ctx->cfx_kd.have_acceptor_subkey) {
+	    ret = krb5_ret_keyblock(sp, &key);
+	    if (ret) goto out;
+	    ret = set_key(&key, &ctx->cfx_kd.acceptor_subkey);
+	    krb5_free_keyblock_contents(context, &key);
+	    if (ret) goto out;
+	}
+    } else {
+	ret = EINVAL;
+	goto out;
+    }
+
+    *rctx = ctx;
+
+out:
+    gss_release_buffer_set(minor_status, &data_set);
+    if (sp)
+	krb5_storage_free(sp);
+    if (context)
+	krb5_free_context(context);
+
+    if (ret) {
+	if (ctx)
+	    gss_krb5_free_lucid_sec_context(NULL, ctx);
+
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status, void *c)
+{
+    gss_krb5_lucid_context_v1_t *ctx = c;
+
+    if (ctx->version != 1) {
+	if (minor_status)
+	    *minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+
+    if (ctx->protocol == 0) {
+	free_key(&ctx->rfc1964_kd.ctx_key);
+    } else if (ctx->protocol == 1) {
+	free_key(&ctx->cfx_kd.ctx_key);
+	if (ctx->cfx_kd.have_acceptor_subkey)
+	    free_key(&ctx->cfx_kd.acceptor_subkey);
+    }
+    free(ctx);
+    if (minor_status)
+	*minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
+				gss_cred_id_t cred,
+				OM_uint32 num_enctypes,
+				int32_t *enctypes)
+{
+    krb5_error_code ret;
+    OM_uint32 maj_status;
+    gss_buffer_desc buffer;
+    krb5_storage *sp;
+    krb5_data data;
+    size_t i;
+
+    sp = krb5_storage_emem();
+    if (sp == NULL) {
+	*minor_status = ENOMEM;
+	maj_status = GSS_S_FAILURE;
+	goto out;
+    }
+
+    for (i = 0; i < num_enctypes; i++) {
+	ret = krb5_store_int32(sp, enctypes[i]);
+	if (ret) {
+	    *minor_status = ret;
+	    maj_status = GSS_S_FAILURE;
+	    goto out;
+	}
+    }
+
+    ret = krb5_storage_to_data(sp, &data);
+    if (ret) {
+	*minor_status = ret;
+	maj_status = GSS_S_FAILURE;
+	goto out;
+    }
+
+    buffer.value = data.data;
+    buffer.length = data.length;
+
+    maj_status = gss_set_cred_option(minor_status,
+				     &cred,
+				     GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X,
+				     &buffer);
+    krb5_data_free(&data);
+out:
+    if (sp)
+	krb5_storage_free(sp);
+    return maj_status;
+}
+
+/*
+ *
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_set_send_to_kdc(struct gsskrb5_send_to_kdc *c)
+{
+    struct _gss_mech_switch *m;
+    gss_buffer_desc buffer;
+    OM_uint32 junk;
+
+    _gss_load_mech();
+
+    if (c) {
+	buffer.value = c;
+	buffer.length = sizeof(*c);
+    } else {
+	buffer.value = NULL;
+	buffer.length = 0;
+    }
+
+    HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+	if (m->gm_mech.gm_set_sec_context_option == NULL)
+	    continue;
+	m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+	    GSS_KRB5_SEND_TO_KDC_X, &buffer);
+    }
+
+    return (GSS_S_COMPLETE);
+}
+
+/*
+ *
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_ccache_name(OM_uint32 *minor_status,
+		     const char *name,
+		     const char **out_name)
+{
+    struct _gss_mech_switch *m;
+    gss_buffer_desc buffer;
+    OM_uint32 junk;
+
+    _gss_load_mech();
+
+    if (out_name)
+	*out_name = NULL;
+
+    buffer.value = rk_UNCONST(name);
+    buffer.length = strlen(name);
+
+    HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+	if (m->gm_mech.gm_set_sec_context_option == NULL)
+	    continue;
+	m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+	    GSS_KRB5_CCACHE_NAME_X, &buffer);
+    }
+
+    return (GSS_S_COMPLETE);
+}
+
+
+/*
+ *
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
+					  gss_ctx_id_t context_handle,
+					  time_t *authtime)
+{
+    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+    OM_uint32 maj_stat;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    maj_stat =
+	gss_inquire_sec_context_by_oid (minor_status,
+					context_handle,
+					GSS_KRB5_GET_AUTHTIME_X,
+					&data_set);
+    if (maj_stat)
+	return maj_stat;
+
+    if (data_set == GSS_C_NO_BUFFER_SET) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    if (data_set->count != 1) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    if (data_set->elements[0].length != 4) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    {
+	unsigned char *buf = data_set->elements[0].value;
+	*authtime = (buf[3] <<24) | (buf[2] << 16) |
+	    (buf[1] << 8) | (buf[0] << 0);
+    }
+
+    gss_release_buffer_set(minor_status, &data_set);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
+					    gss_ctx_id_t context_handle,
+					    int ad_type,
+					    gss_buffer_t ad_data)
+{
+    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+    OM_uint32 maj_stat;
+    gss_OID_desc oid_flat;
+    heim_oid baseoid, oid;
+    size_t size;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    /* All this to append an integer to an oid... */
+
+    if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements,
+		    GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length,
+		    &baseoid, NULL) != 0) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    oid.length = baseoid.length + 1;
+    oid.components = calloc(oid.length, sizeof(*oid.components));
+    if (oid.components == NULL) {
+	der_free_oid(&baseoid);
+
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    memcpy(oid.components, baseoid.components,
+	   baseoid.length * sizeof(*baseoid.components));
+
+    der_free_oid(&baseoid);
+
+    oid.components[oid.length - 1] = ad_type;
+
+    oid_flat.length = der_length_oid(&oid);
+    oid_flat.elements = malloc(oid_flat.length);
+    if (oid_flat.elements == NULL) {
+	free(oid.components);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1,
+		    oid_flat.length, &oid, &size) != 0) {
+	free(oid.components);
+	free(oid_flat.elements);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+    if (oid_flat.length != size)
+	abort();
+
+    free(oid.components);
+
+    /* FINALLY, we have the OID */
+
+    maj_stat = gss_inquire_sec_context_by_oid (minor_status,
+					       context_handle,
+					       &oid_flat,
+					       &data_set);
+
+    free(oid_flat.elements);
+
+    if (maj_stat)
+	return maj_stat;
+
+    if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    ad_data->value = malloc(data_set->elements[0].length);
+    if (ad_data->value == NULL) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = ENOMEM;
+	return GSS_S_FAILURE;
+    }
+
+    ad_data->length = data_set->elements[0].length;
+    memcpy(ad_data->value, data_set->elements[0].value, ad_data->length);
+    gss_release_buffer_set(minor_status, &data_set);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+static OM_uint32
+gsskrb5_extract_key(OM_uint32 *minor_status,
+		    gss_ctx_id_t context_handle,
+		    const gss_OID oid,
+		    krb5_keyblock **keyblock)
+{
+    krb5_error_code ret;
+    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+    OM_uint32 major_status;
+    krb5_context context = NULL;
+    krb5_storage *sp = NULL;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    ret = krb5_init_context(&context);
+    if(ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    major_status =
+	gss_inquire_sec_context_by_oid (minor_status,
+					context_handle,
+					oid,
+					&data_set);
+    if (major_status)
+	return major_status;
+
+    if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    sp = krb5_storage_from_mem(data_set->elements[0].value,
+			       data_set->elements[0].length);
+    if (sp == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    *keyblock = calloc(1, sizeof(**keyblock));
+    if (keyblock == NULL) {
+	ret = ENOMEM;
+	goto out;
+    }
+
+    ret = krb5_ret_keyblock(sp, *keyblock);
+
+out:
+    gss_release_buffer_set(minor_status, &data_set);
+    if (sp)
+	krb5_storage_free(sp);
+    if (ret && keyblock) {
+	krb5_free_keyblock(context, *keyblock);
+	*keyblock = NULL;
+    }
+    if (context)
+	krb5_free_context(context);
+
+    *minor_status = ret;
+    if (ret)
+	return GSS_S_FAILURE;
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ *
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_extract_service_keyblock(OM_uint32 *minor_status,
+				 gss_ctx_id_t context_handle,
+				 krb5_keyblock **keyblock)
+{
+    return gsskrb5_extract_key(minor_status,
+			       context_handle,
+			       GSS_KRB5_GET_SERVICE_KEYBLOCK_X,
+			       keyblock);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
+			     gss_ctx_id_t context_handle,
+			     krb5_keyblock **keyblock)
+{
+    return gsskrb5_extract_key(minor_status,
+			       context_handle,
+			       GSS_KRB5_GET_INITIATOR_SUBKEY_X,
+			       keyblock);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_get_subkey(OM_uint32 *minor_status,
+		   gss_ctx_id_t context_handle,
+		   krb5_keyblock **keyblock)
+{
+    return gsskrb5_extract_key(minor_status,
+			       context_handle,
+			       GSS_KRB5_GET_SUBKEY_X,
+			       keyblock);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_set_default_realm(const char *realm)
+{
+        struct _gss_mech_switch	*m;
+	gss_buffer_desc buffer;
+	OM_uint32 junk;
+
+	_gss_load_mech();
+
+	buffer.value = rk_UNCONST(realm);
+	buffer.length = strlen(realm);
+
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		if (m->gm_mech.gm_set_sec_context_option == NULL)
+			continue;
+		m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+		    GSS_KRB5_SET_DEFAULT_REALM_X, &buffer);
+	}
+
+	return (GSS_S_COMPLETE);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_krb5_get_tkt_flags(OM_uint32 *minor_status,
+		       gss_ctx_id_t context_handle,
+		       OM_uint32 *tkt_flags)
+{
+
+    OM_uint32 major_status;
+    gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
+
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    major_status =
+	gss_inquire_sec_context_by_oid (minor_status,
+					context_handle,
+					GSS_KRB5_GET_TKT_FLAGS_X,
+					&data_set);
+    if (major_status)
+	return major_status;
+
+    if (data_set == GSS_C_NO_BUFFER_SET ||
+	data_set->count != 1 ||
+	data_set->elements[0].length < 4) {
+	gss_release_buffer_set(minor_status, &data_set);
+	*minor_status = EINVAL;
+	return GSS_S_FAILURE;
+    }
+
+    {
+	const u_char *p = data_set->elements[0].value;
+	*tkt_flags = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+    }
+
+    gss_release_buffer_set(minor_status, &data_set);
+    return GSS_S_COMPLETE;
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_set_time_offset(int offset)
+{
+        struct _gss_mech_switch	*m;
+	gss_buffer_desc buffer;
+	OM_uint32 junk;
+	int32_t o = offset;
+
+	_gss_load_mech();
+
+	buffer.value = &o;
+	buffer.length = sizeof(o);
+
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		if (m->gm_mech.gm_set_sec_context_option == NULL)
+			continue;
+		m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+		    GSS_KRB5_SET_TIME_OFFSET_X, &buffer);
+	}
+
+	return (GSS_S_COMPLETE);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_get_time_offset(int *offset)
+{
+        struct _gss_mech_switch	*m;
+	gss_buffer_desc buffer;
+	OM_uint32 maj_stat, junk;
+	int32_t o;
+
+	_gss_load_mech();
+
+	buffer.value = &o;
+	buffer.length = sizeof(o);
+
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		if (m->gm_mech.gm_set_sec_context_option == NULL)
+			continue;
+		maj_stat = m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+		    GSS_KRB5_GET_TIME_OFFSET_X, &buffer);
+
+		if (maj_stat == GSS_S_COMPLETE) {
+			*offset = o;
+			return maj_stat;
+		}
+	}
+
+	return (GSS_S_UNAVAILABLE);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gsskrb5_plugin_register(struct gsskrb5_krb5_plugin *c)
+{
+    struct _gss_mech_switch *m;
+    gss_buffer_desc buffer;
+    OM_uint32 junk;
+
+    _gss_load_mech();
+
+    buffer.value = c;
+    buffer.length = sizeof(*c);
+
+    HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+	if (m->gm_mech.gm_set_sec_context_option == NULL)
+	    continue;
+	m->gm_mech.gm_set_sec_context_option(&junk, NULL,
+	    GSS_KRB5_PLUGIN_REGISTER_X, &buffer);
+    }
+
+    return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_mech_switch.c b/lib/gssapi/mech/gss_mech_switch.c
new file mode 100644
index 000000000000..55e01094ff91
--- /dev/null
+++ b/lib/gssapi/mech/gss_mech_switch.c
@@ -0,0 +1,438 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_mech_switch.c,v 1.2 2006/02/04 09:40:21 dfr Exp $
+ */
+
+#include "mech_locl.h"
+#include <heim_threads.h>
+
+#ifndef _PATH_GSS_MECH
+#define _PATH_GSS_MECH	"/etc/gss/mech"
+#endif
+
+struct _gss_mech_switch_list _gss_mechs = { NULL } ;
+gss_OID_set _gss_mech_oids;
+static HEIMDAL_MUTEX _gss_mech_mutex = HEIMDAL_MUTEX_INITIALIZER;
+
+/*
+ * Convert a string containing an OID in 'dot' form
+ * (e.g. 1.2.840.113554.1.2.2) to a gss_OID.
+ */
+static int
+_gss_string_to_oid(const char* s, gss_OID oid)
+{
+	int			number_count, i, j;
+	size_t			byte_count;
+	const char		*p, *q;
+	char			*res;
+
+	oid->length = 0;
+	oid->elements = NULL;
+
+	/*
+	 * First figure out how many numbers in the oid, then
+	 * calculate the compiled oid size.
+	 */
+	number_count = 0;
+	for (p = s; p; p = q) {
+		q = strchr(p, '.');
+		if (q) q = q + 1;
+		number_count++;
+	}
+
+	/*
+	 * The first two numbers are in the first byte and each
+	 * subsequent number is encoded in a variable byte sequence.
+	 */
+	if (number_count < 2)
+		return (EINVAL);
+
+	/*
+	 * We do this in two passes. The first pass, we just figure
+	 * out the size. Second time around, we actually encode the
+	 * number.
+	 */
+	res = 0;
+	for (i = 0; i < 2; i++) {
+		byte_count = 0;
+		for (p = s, j = 0; p; p = q, j++) {
+			unsigned int number = 0;
+
+			/*
+			 * Find the end of this number.
+			 */
+			q = strchr(p, '.');
+			if (q) q = q + 1;
+
+			/*
+			 * Read the number of of the string. Don't
+			 * bother with anything except base ten.
+			 */
+			while (*p && *p != '.') {
+				number = 10 * number + (*p - '0');
+				p++;
+			}
+
+			/*
+			 * Encode the number. The first two numbers
+			 * are packed into the first byte. Subsequent
+			 * numbers are encoded in bytes seven bits at
+			 * a time with the last byte having the high
+			 * bit set.
+			 */
+			if (j == 0) {
+				if (res)
+					*res = number * 40;
+			} else if (j == 1) {
+				if (res) {
+					*res += number;
+					res++;
+				}
+				byte_count++;
+			} else if (j >= 2) {
+				/*
+				 * The number is encoded in seven bit chunks.
+				 */
+				unsigned int t;
+				unsigned int bytes;
+
+				bytes = 0;
+				for (t = number; t; t >>= 7)
+					bytes++;
+				if (bytes == 0) bytes = 1;
+				while (bytes) {
+					if (res) {
+						int bit = 7*(bytes-1);
+
+						*res = (number >> bit) & 0x7f;
+						if (bytes != 1)
+							*res |= 0x80;
+						res++;
+					}
+					byte_count++;
+					bytes--;
+				}
+			}
+		}
+		if (!res) {
+			res = malloc(byte_count);
+			if (!res)
+				return (ENOMEM);
+			oid->length = byte_count;
+			oid->elements = res;
+		}
+	}
+
+	return (0);
+}
+
+#define SYM(name)							\
+do {									\
+	m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name);		\
+	if (!m->gm_mech.gm_ ## name ||					\
+	    m->gm_mech.gm_ ##name == gss_ ## name) {			\
+		fprintf(stderr, "can't find symbol gss_" #name "\n");	\
+		goto bad;						\
+	}								\
+} while (0)
+
+#define OPTSYM(name)							\
+do {									\
+	m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name);		\
+	if (m->gm_mech.gm_ ## name == gss_ ## name)			\
+		m->gm_mech.gm_ ## name = NULL;				\
+} while (0)
+
+#define OPTSPISYM(name)							\
+do {									\
+	m->gm_mech.gm_ ## name = dlsym(so, "gssspi_" #name);		\
+} while (0)
+
+#define COMPATSYM(name)							\
+do {									\
+	m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gss_" #name);	\
+	if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name)		\
+		m->gm_mech.gm_compat->gmc_ ## name = NULL;		\
+} while (0)
+
+#define COMPATSPISYM(name)						\
+do {									\
+	m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gssspi_" #name);\
+	if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name)		\
+		m->gm_mech.gm_compat->gmc_ ## name = NULL;		\
+} while (0)
+
+/*
+ *
+ */
+static int
+add_builtin(gssapi_mech_interface mech)
+{
+    struct _gss_mech_switch *m;
+    OM_uint32 minor_status;
+
+    /* not registering any mech is ok */
+    if (mech == NULL)
+	return 0;
+
+    m = calloc(1, sizeof(*m));
+    if (m == NULL)
+	return ENOMEM;
+    m->gm_so = NULL;
+    m->gm_mech = *mech;
+    m->gm_mech_oid = mech->gm_mech_oid; /* XXX */
+    gss_add_oid_set_member(&minor_status,
+			   &m->gm_mech.gm_mech_oid, &_gss_mech_oids);
+
+    /* pick up the oid sets of names */
+
+    if (m->gm_mech.gm_inquire_names_for_mech)
+	(*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
+	    &m->gm_mech.gm_mech_oid, &m->gm_name_types);
+
+    if (m->gm_name_types == NULL)
+	gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
+
+    HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
+    return 0;
+}
+
+/*
+ * Load the mechanisms file (/etc/gss/mech).
+ */
+void
+_gss_load_mech(void)
+{
+	OM_uint32	major_status, minor_status;
+	FILE		*fp;
+	char		buf[256];
+	char		*p;
+	char		*name, *oid, *lib, *kobj;
+	struct _gss_mech_switch *m;
+	void		*so;
+	gss_OID_desc	mech_oid;
+	int		found;
+
+
+	HEIMDAL_MUTEX_lock(&_gss_mech_mutex);
+
+	if (HEIM_SLIST_FIRST(&_gss_mechs)) {
+		HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
+		return;
+	}
+
+	major_status = gss_create_empty_oid_set(&minor_status,
+	    &_gss_mech_oids);
+	if (major_status) {
+		HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
+		return;
+	}
+
+	add_builtin(__gss_krb5_initialize());
+	add_builtin(__gss_spnego_initialize());
+	add_builtin(__gss_ntlm_initialize());
+
+#ifdef HAVE_DLOPEN
+	fp = fopen(_PATH_GSS_MECH, "r");
+	if (!fp) {
+		HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
+		return;
+	}
+	rk_cloexec_file(fp);
+
+	while (fgets(buf, sizeof(buf), fp)) {
+		_gss_mo_init *mi;
+
+		if (*buf == '#')
+			continue;
+		p = buf;
+		name = strsep(&p, "\t\n ");
+		if (p) while (isspace((unsigned char)*p)) p++;
+		oid = strsep(&p, "\t\n ");
+		if (p) while (isspace((unsigned char)*p)) p++;
+		lib = strsep(&p, "\t\n ");
+		if (p) while (isspace((unsigned char)*p)) p++;
+		kobj = strsep(&p, "\t\n ");
+		if (!name || !oid || !lib || !kobj)
+			continue;
+
+		if (_gss_string_to_oid(oid, &mech_oid))
+			continue;
+
+		/*
+		 * Check for duplicates, already loaded mechs.
+		 */
+		found = 0;
+		HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+			if (gss_oid_equal(&m->gm_mech.gm_mech_oid, &mech_oid)) {
+				found = 1;
+				free(mech_oid.elements);
+				break;
+			}
+		}
+		if (found)
+			continue;
+
+#ifndef RTLD_LOCAL
+#define RTLD_LOCAL 0
+#endif
+
+#ifndef RTLD_GROUP
+#define RTLD_GROUP 0
+#endif
+
+		so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP);
+		if (so == NULL) {
+/*			fprintf(stderr, "dlopen: %s\n", dlerror()); */
+			goto bad;
+		}
+
+		m = calloc(1, sizeof(*m));
+		if (m == NULL)
+			goto bad;
+
+		m->gm_so = so;
+		m->gm_mech.gm_mech_oid = mech_oid;
+		m->gm_mech.gm_flags = 0;
+		m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct));
+		if (m->gm_mech.gm_compat == NULL)
+			goto bad;
+
+		major_status = gss_add_oid_set_member(&minor_status,
+		    &m->gm_mech.gm_mech_oid, &_gss_mech_oids);
+		if (GSS_ERROR(major_status))
+			goto bad;
+
+		SYM(acquire_cred);
+		SYM(release_cred);
+		SYM(init_sec_context);
+		SYM(accept_sec_context);
+		SYM(process_context_token);
+		SYM(delete_sec_context);
+		SYM(context_time);
+		SYM(get_mic);
+		SYM(verify_mic);
+		SYM(wrap);
+		SYM(unwrap);
+		SYM(display_status);
+		SYM(indicate_mechs);
+		SYM(compare_name);
+		SYM(display_name);
+		SYM(import_name);
+		SYM(export_name);
+		SYM(release_name);
+		SYM(inquire_cred);
+		SYM(inquire_context);
+		SYM(wrap_size_limit);
+		SYM(add_cred);
+		SYM(inquire_cred_by_mech);
+		SYM(export_sec_context);
+		SYM(import_sec_context);
+		SYM(inquire_names_for_mech);
+		SYM(inquire_mechs_for_name);
+		SYM(canonicalize_name);
+		SYM(duplicate_name);
+		OPTSYM(inquire_cred_by_oid);
+		OPTSYM(inquire_sec_context_by_oid);
+		OPTSYM(set_sec_context_option);
+		OPTSPISYM(set_cred_option);
+		OPTSYM(pseudo_random);
+		OPTSYM(wrap_iov);
+		OPTSYM(unwrap_iov);
+		OPTSYM(wrap_iov_length);
+		OPTSYM(store_cred);
+		OPTSYM(export_cred);
+		OPTSYM(import_cred);
+#if 0
+		OPTSYM(acquire_cred_ext);
+		OPTSYM(iter_creds);
+		OPTSYM(destroy_cred);
+		OPTSYM(cred_hold);
+		OPTSYM(cred_unhold);
+		OPTSYM(cred_label_get);
+		OPTSYM(cred_label_set);
+#endif
+		OPTSYM(display_name_ext);
+		OPTSYM(inquire_name);
+		OPTSYM(get_name_attribute);
+		OPTSYM(set_name_attribute);
+		OPTSYM(delete_name_attribute);
+		OPTSYM(export_name_composite);
+		OPTSYM(pname_to_uid);
+		OPTSPISYM(authorize_localname);
+
+		mi = dlsym(so, "gss_mo_init");
+		if (mi != NULL) {
+			major_status = mi(&minor_status, &mech_oid,
+					  &m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num);
+			if (GSS_ERROR(major_status))
+				goto bad;
+		} else {
+			/* API-as-SPI compatibility */
+			COMPATSYM(inquire_saslname_for_mech);
+			COMPATSYM(inquire_mech_for_saslname);
+			COMPATSYM(inquire_attrs_for_mech);
+			COMPATSPISYM(acquire_cred_with_password);
+		}
+
+		/* pick up the oid sets of names */
+
+		if (m->gm_mech.gm_inquire_names_for_mech)
+			(*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
+			&m->gm_mech.gm_mech_oid, &m->gm_name_types);
+
+		if (m->gm_name_types == NULL)
+			gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
+
+		HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
+		continue;
+
+	bad:
+		if (m != NULL) {
+			free(m->gm_mech.gm_compat);
+			free(m->gm_mech.gm_mech_oid.elements);
+			free(m);
+		}
+		dlclose(so);
+		continue;
+	}
+	fclose(fp);
+#endif
+	HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
+}
+
+gssapi_mech_interface
+__gss_get_mechanism(gss_const_OID mech)
+{
+        struct _gss_mech_switch	*m;
+
+	_gss_load_mech();
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+		if (gss_oid_equal(&m->gm_mech.gm_mech_oid, mech))
+			return &m->gm_mech;
+	}
+	return NULL;
+}
diff --git a/lib/gssapi/mech/gss_mo.c b/lib/gssapi/mech/gss_mo.c
new file mode 100644
index 000000000000..ad74d9237a2d
--- /dev/null
+++ b/lib/gssapi/mech/gss_mo.c
@@ -0,0 +1,635 @@
+/*
+ * Copyright (c) 2010 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2010 PADL Software Pty Ltd. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+#include <crypto-headers.h>
+
+static int
+get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
+{
+    return def;
+}
+
+int
+_gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
+{
+    return get_option_def(1, mech, mo, value);
+}
+
+int
+_gss_mo_get_option_0(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
+{
+    return get_option_def(0, mech, mo, value);
+}
+
+int
+_gss_mo_get_ctx_as_string(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
+{
+    if (value) {
+	value->value = strdup((char *)mo->ctx);
+	if (value->value == NULL)
+	    return GSS_S_FAILURE;
+	value->length = strlen((char *)mo->ctx);
+    }
+    return GSS_S_COMPLETE;
+}
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_mo_set(gss_const_OID mech, gss_const_OID option,
+	   int enable, gss_buffer_t value)
+{
+    gssapi_mech_interface m;
+    size_t n;
+
+    if ((m = __gss_get_mechanism(mech)) == NULL)
+	return GSS_S_BAD_MECH;
+
+    for (n = 0; n < m->gm_mo_num; n++)
+	if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set)
+	    return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value);
+
+    return GSS_S_UNAVAILABLE;
+}
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value)
+{
+    gssapi_mech_interface m;
+    size_t n;
+
+    _mg_buffer_zero(value);
+
+    if ((m = __gss_get_mechanism(mech)) == NULL)
+	return GSS_S_BAD_MECH;
+
+    for (n = 0; n < m->gm_mo_num; n++)
+	if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get)
+	    return m->gm_mo[n].get(mech, &m->gm_mo[n], value);
+
+    return GSS_S_UNAVAILABLE;
+}
+
+static void
+add_all_mo(gssapi_mech_interface m, gss_OID_set *options, OM_uint32 mask)
+{
+    OM_uint32 minor;
+    size_t n;
+
+    for (n = 0; n < m->gm_mo_num; n++)
+	if ((m->gm_mo[n].flags & mask) == mask)
+	    gss_add_oid_set_member(&minor, m->gm_mo[n].option, options);
+}
+
+GSSAPI_LIB_FUNCTION void GSSAPI_LIB_CALL
+gss_mo_list(gss_const_OID mech, gss_OID_set *options)
+{
+    gssapi_mech_interface m;
+    OM_uint32 major, minor;
+
+    if (options == NULL)
+	return;
+
+    *options = GSS_C_NO_OID_SET;
+
+    if ((m = __gss_get_mechanism(mech)) == NULL)
+	return;
+
+    major = gss_create_empty_oid_set(&minor, options);
+    if (major != GSS_S_COMPLETE)
+	return;
+
+    add_all_mo(m, options, 0);
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_mo_name(gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
+{
+    gssapi_mech_interface m;
+    size_t n;
+
+    if (name == NULL)
+	return GSS_S_BAD_NAME;
+
+    if ((m = __gss_get_mechanism(mech)) == NULL)
+	return GSS_S_BAD_MECH;
+
+    for (n = 0; n < m->gm_mo_num; n++) {
+	if (gss_oid_equal(option, m->gm_mo[n].option)) {
+	    /*
+	     * If there is no name, its because its a GSS_C_MA and
+	     * there is already a table for that.
+	     */
+	    if (m->gm_mo[n].name) {
+		name->value = strdup(m->gm_mo[n].name);
+		if (name->value == NULL)
+		    return GSS_S_BAD_NAME;
+		name->length = strlen(m->gm_mo[n].name);
+		return GSS_S_COMPLETE;
+	    } else {
+		OM_uint32 junk;
+		return gss_display_mech_attr(&junk, option,
+					     NULL, name, NULL);
+	    }
+	}
+    }
+    return GSS_S_BAD_NAME;
+}
+
+/*
+ * Helper function to allow NULL name
+ */
+
+static OM_uint32
+mo_value(const gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
+{
+    if (name == NULL)
+	return GSS_S_COMPLETE;
+
+    return gss_mo_get(mech, option, name);
+}
+
+/* code derived from draft-ietf-cat-sasl-gssapi-01 */
+static char basis_32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+static OM_uint32
+make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16])
+{
+    EVP_MD_CTX *ctx;
+    char *p = sasl_name;
+    u_char hdr[2], hash[20], *h = hash;
+
+    if (mech->length > 127)
+        return GSS_S_BAD_MECH;
+
+    hdr[0] = 0x06;
+    hdr[1] = mech->length;
+
+    ctx = EVP_MD_CTX_create();
+    EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+    EVP_DigestUpdate(ctx, hdr, 2);
+    EVP_DigestUpdate(ctx, mech->elements, mech->length);
+    EVP_DigestFinal_ex(ctx, hash, NULL);
+
+    memcpy(p, "GS2-", 4);
+    p += 4;
+
+    *p++ = basis_32[(h[0] >> 3)];
+    *p++ = basis_32[((h[0] & 7) << 2) | (h[1] >> 6)];
+    *p++ = basis_32[(h[1] & 0x3f) >> 1];
+    *p++ = basis_32[((h[1] & 1) << 4) | (h[2] >> 4)];
+    *p++ = basis_32[((h[2] & 0xf) << 1) | (h[3] >> 7)];
+    *p++ = basis_32[(h[3] & 0x7f) >> 2];
+    *p++ = basis_32[((h[3] & 3) << 3) | (h[4] >> 5)];
+    *p++ = basis_32[(h[4] & 0x1f)];
+    *p++ = basis_32[(h[5] >> 3)];
+    *p++ = basis_32[((h[5] & 7) << 2) | (h[6] >> 6)];
+    *p++ = basis_32[(h[6] & 0x3f) >> 1];
+
+    *p = '\0';
+
+    return GSS_S_COMPLETE;
+}
+
+/*
+ * gss_inquire_saslname_for_mech() wrapper that uses MIT SPI
+ */
+static OM_uint32
+inquire_saslname_for_mech_compat(OM_uint32 *minor,
+                                 const gss_OID desired_mech,
+                                 gss_buffer_t sasl_mech_name,
+                                 gss_buffer_t mech_name,
+                                 gss_buffer_t mech_description)
+{
+    struct gss_mech_compat_desc_struct *gmc;
+    gssapi_mech_interface m;
+    OM_uint32 major;
+
+    m = __gss_get_mechanism(desired_mech);
+    if (m == NULL)
+        return GSS_S_BAD_MECH;
+
+    gmc = m->gm_compat;
+
+    if (gmc != NULL && gmc->gmc_inquire_saslname_for_mech != NULL) {
+        major = gmc->gmc_inquire_saslname_for_mech(minor,
+                                                   desired_mech,
+                                                   sasl_mech_name,
+                                                   mech_name,
+                                                   mech_description);
+    } else {
+        major = GSS_S_UNAVAILABLE;
+    }
+
+    return major;
+}
+
+/**
+ * Returns different protocol names and description of the mechanism.
+ *
+ * @param minor_status minor status code
+ * @param desired_mech mech list query
+ * @param sasl_mech_name SASL GS2 protocol name
+ * @param mech_name gssapi protocol name
+ * @param mech_description description of gssapi mech
+ *
+ * @return returns GSS_S_COMPLETE or a error code.
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_saslname_for_mech(OM_uint32 *minor_status,
+			      const gss_OID desired_mech,
+			      gss_buffer_t sasl_mech_name,
+			      gss_buffer_t mech_name,
+			      gss_buffer_t mech_description)
+{
+    OM_uint32 major;
+
+    _mg_buffer_zero(sasl_mech_name);
+    _mg_buffer_zero(mech_name);
+    _mg_buffer_zero(mech_description);
+
+    if (minor_status)
+	*minor_status = 0;
+
+    if (desired_mech == NULL)
+	return GSS_S_BAD_MECH;
+
+    major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name);
+    if (major == GSS_S_COMPLETE) {
+        /* Native SPI */
+        major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
+        if (GSS_ERROR(major))
+            return major;
+
+        major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
+        if (GSS_ERROR(major))
+            return major;
+    }
+
+    if (GSS_ERROR(major)) {
+        /* API-as-SPI compatibility */
+        major = inquire_saslname_for_mech_compat(minor_status,
+                                                 desired_mech,
+                                                 sasl_mech_name,
+                                                 mech_name,
+                                                 mech_description);
+    }
+
+    if (GSS_ERROR(major)) {
+        /* Algorithmically dervied SASL mechanism name */
+        char buf[16];
+        gss_buffer_desc tmp = { sizeof(buf) - 1, buf };
+
+        major = make_sasl_name(minor_status, desired_mech, buf);
+        if (GSS_ERROR(major))
+            return major;
+
+        major = _gss_copy_buffer(minor_status, &tmp, sasl_mech_name);
+        if (GSS_ERROR(major))
+            return major;
+    }
+
+    return major;
+}
+
+/**
+ * Find a mech for a sasl name
+ *
+ * @param minor_status minor status code
+ * @param sasl_mech_name
+ * @param mech_type
+ *
+ * @return returns GSS_S_COMPLETE or an error code.
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_mech_for_saslname(OM_uint32 *minor_status,
+			      const gss_buffer_t sasl_mech_name,
+			      gss_OID *mech_type)
+{
+    struct _gss_mech_switch *m;
+    gss_buffer_desc name;
+    OM_uint32 major, junk;
+    char buf[16];
+
+    _gss_load_mech();
+
+    *mech_type = NULL;
+
+    HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+        struct gss_mech_compat_desc_struct *gmc;
+
+        /* Native SPI */
+        major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
+        if (major == GSS_S_COMPLETE &&
+            name.length == sasl_mech_name->length &&
+            memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
+                gss_release_buffer(&junk, &name);
+                *mech_type = &m->gm_mech_oid;
+                return GSS_S_COMPLETE;
+	}
+	gss_release_buffer(&junk, &name);
+
+        if (GSS_ERROR(major)) {
+            /* API-as-SPI compatibility */
+            gmc = m->gm_mech.gm_compat;
+            if (gmc && gmc->gmc_inquire_mech_for_saslname) {
+                major = gmc->gmc_inquire_mech_for_saslname(minor_status,
+                                                           sasl_mech_name,
+                                                           mech_type);
+                if (major == GSS_S_COMPLETE)
+                    return GSS_S_COMPLETE;
+            }
+        }
+
+        if (GSS_ERROR(major)) {
+            /* Algorithmically dervied SASL mechanism name */
+            if (sasl_mech_name->length == 16 &&
+                make_sasl_name(minor_status, &m->gm_mech_oid, buf) == GSS_S_COMPLETE &&
+                memcmp(buf, sasl_mech_name->value, 16) == 0) {
+                    *mech_type = &m->gm_mech_oid;
+                    return GSS_S_COMPLETE;
+            }
+        }
+    }
+
+    return GSS_S_BAD_MECH;
+}
+
+/*
+ * Test mechanism against indicated attributes using both Heimdal and
+ * MIT SPIs.
+ */
+static int
+test_mech_attrs(gssapi_mech_interface mi,
+                gss_const_OID_set mech_attrs,
+                gss_const_OID_set against_attrs,
+                int except)
+{
+    size_t n, m;
+    int eq = 0;
+
+    if (against_attrs == GSS_C_NO_OID_SET)
+        return 1;
+
+    for (n = 0; n < against_attrs->count; n++) {
+        for (m = 0; m < mi->gm_mo_num; m++) {
+            eq = gss_oid_equal(mi->gm_mo[m].option,
+                               &against_attrs->elements[n]);
+            if (eq)
+                break;
+        }
+        if (mech_attrs != GSS_C_NO_OID_SET) {
+            for (m = 0; m < mech_attrs->count; m++) {
+                eq = gss_oid_equal(&mech_attrs->elements[m],
+                                   &against_attrs->elements[n]);
+                if (eq)
+                    break;
+            }
+        }
+        if (!eq ^ except)
+            return 0;
+    }
+
+    return 1;
+}
+
+/**
+ * Return set of mechanism that fullfill the criteria
+ *
+ * @param minor_status minor status code
+ * @param desired_mech_attrs
+ * @param except_mech_attrs
+ * @param critical_mech_attrs
+ * @param mechs returned mechs, free with gss_release_oid_set().
+ *
+ * @return returns GSS_S_COMPLETE or an error code.
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_indicate_mechs_by_attrs(OM_uint32 * minor_status,
+			    gss_const_OID_set desired_mech_attrs,
+			    gss_const_OID_set except_mech_attrs,
+			    gss_const_OID_set critical_mech_attrs,
+			    gss_OID_set *mechs)
+{
+    struct _gss_mech_switch *ms;
+    gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
+    gss_OID_set known_mech_attrs = GSS_C_NO_OID_SET;
+    OM_uint32 major;
+
+    major = gss_create_empty_oid_set(minor_status, mechs);
+    if (GSS_ERROR(major))
+	return major;
+
+    _gss_load_mech();
+
+    HEIM_SLIST_FOREACH(ms, &_gss_mechs, gm_link) {
+	gssapi_mech_interface mi = &ms->gm_mech;
+        struct gss_mech_compat_desc_struct *gmc = mi->gm_compat;
+        OM_uint32 tmp;
+
+        if (gmc && gmc->gmc_inquire_attrs_for_mech) {
+            major = gmc->gmc_inquire_attrs_for_mech(minor_status,
+                                                    &mi->gm_mech_oid,
+                                                    &mech_attrs,
+                                                    &known_mech_attrs);
+            if (GSS_ERROR(major))
+                continue;
+        }
+
+        /*
+         * Test mechanism supports all of desired_mech_attrs;
+         * none of except_mech_attrs;
+         * and knows of all critical_mech_attrs.
+         */
+        if (test_mech_attrs(mi, mech_attrs,       desired_mech_attrs,  0) &&
+            test_mech_attrs(mi, mech_attrs,       except_mech_attrs,   1) &&
+            test_mech_attrs(mi, known_mech_attrs, critical_mech_attrs, 0)) {
+            major = gss_add_oid_set_member(minor_status, &mi->gm_mech_oid, mechs);
+        }
+
+        gss_release_oid_set(&tmp, &mech_attrs);
+        gss_release_oid_set(&tmp, &known_mech_attrs);
+
+        if (GSS_ERROR(major))
+            break;
+    }
+
+    return major;
+}
+
+/**
+ * List support attributes for a mech and/or all mechanisms.
+ *
+ * @param minor_status minor status code
+ * @param mech given together with mech_attr will return the list of
+ *        attributes for mechanism, can optionally be GSS_C_NO_OID.
+ * @param mech_attr see mech parameter, can optionally be NULL,
+ *        release with gss_release_oid_set().
+ * @param known_mech_attrs all attributes for mechanisms supported,
+ *        release with gss_release_oid_set().
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_inquire_attrs_for_mech(OM_uint32 * minor_status,
+			   gss_const_OID mech,
+			   gss_OID_set *mech_attr,
+			   gss_OID_set *known_mech_attrs)
+{
+    OM_uint32 major, junk;
+
+    if (known_mech_attrs)
+        *known_mech_attrs = GSS_C_NO_OID_SET;
+
+    if (mech_attr && mech) {
+	gssapi_mech_interface m;
+        struct gss_mech_compat_desc_struct *gmc;
+
+	if ((m = __gss_get_mechanism(mech)) == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_BAD_MECH;
+	}
+
+        gmc = m->gm_compat;
+
+        if (gmc && gmc->gmc_inquire_attrs_for_mech) {
+            major = gmc->gmc_inquire_attrs_for_mech(minor_status,
+                                                    mech,
+                                                    mech_attr,
+                                                    known_mech_attrs);
+        } else {
+	    major = gss_create_empty_oid_set(minor_status, mech_attr);
+            if (major == GSS_S_COMPLETE)
+	        add_all_mo(m, mech_attr, GSS_MO_MA);
+        }
+	if (GSS_ERROR(major))
+	    return major;
+    }
+
+    if (known_mech_attrs) {
+	struct _gss_mech_switch *m;
+
+        if (*known_mech_attrs == GSS_C_NO_OID_SET) {
+	    major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
+	    if (GSS_ERROR(major)) {
+	        if (mech_attr)
+		    gss_release_oid_set(&junk, mech_attr);
+	        return major;
+	    }
+        }
+
+	_gss_load_mech();
+
+	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link)
+	    add_all_mo(&m->gm_mech, known_mech_attrs, GSS_MO_MA);
+    }
+
+
+    return GSS_S_COMPLETE;
+}
+
+/**
+ * Return names and descriptions of mech attributes
+ *
+ * @param minor_status minor status code
+ * @param mech_attr
+ * @param name
+ * @param short_desc
+ * @param long_desc
+ *
+ * @return returns GSS_S_COMPLETE or an error code.
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_display_mech_attr(OM_uint32 * minor_status,
+		      gss_const_OID mech_attr,
+		      gss_buffer_t name,
+		      gss_buffer_t short_desc,
+		      gss_buffer_t long_desc)
+{
+    struct _gss_oid_name_table *ma = NULL;
+    OM_uint32 major;
+    size_t n;
+
+    _mg_buffer_zero(name);
+    _mg_buffer_zero(short_desc);
+    _mg_buffer_zero(long_desc);
+
+    if (minor_status)
+	*minor_status = 0;
+
+    for (n = 0; ma == NULL && _gss_ont_ma[n].oid; n++)
+	if (gss_oid_equal(mech_attr, _gss_ont_ma[n].oid))
+	    ma = &_gss_ont_ma[n];
+
+    if (ma == NULL)
+	return GSS_S_BAD_MECH_ATTR;
+
+    if (name) {
+	gss_buffer_desc bd;
+	bd.value = rk_UNCONST(ma->name);
+	bd.length = strlen(ma->name);
+	major = _gss_copy_buffer(minor_status, &bd, name);
+	if (major != GSS_S_COMPLETE)
+	    return major;
+    }
+
+    if (short_desc) {
+	gss_buffer_desc bd;
+	bd.value = rk_UNCONST(ma->short_desc);
+	bd.length = strlen(ma->short_desc);
+	major = _gss_copy_buffer(minor_status, &bd, short_desc);
+	if (major != GSS_S_COMPLETE)
+	    return major;
+    }
+
+    if (long_desc) {
+	gss_buffer_desc bd;
+	bd.value = rk_UNCONST(ma->long_desc);
+	bd.length = strlen(ma->long_desc);
+	major = _gss_copy_buffer(minor_status, &bd, long_desc);
+	if (major != GSS_S_COMPLETE)
+	    return major;
+    }
+
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_names.c b/lib/gssapi/mech/gss_names.c
new file mode 100644
index 000000000000..43e0e2a85cb2
--- /dev/null
+++ b/lib/gssapi/mech/gss_names.c
@@ -0,0 +1,110 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_names.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+OM_uint32
+_gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech,
+	     struct _gss_mechanism_name **output_mn)
+{
+	OM_uint32 major_status;
+	gssapi_mech_interface m;
+	struct _gss_mechanism_name *mn;
+
+	*output_mn = NULL;
+
+	HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+		if (gss_oid_equal(mech, mn->gmn_mech_oid))
+			break;
+	}
+
+	if (!mn) {
+		/*
+		 * If this name is canonical (i.e. there is only an
+		 * MN but it is from a different mech), give up now.
+		 */
+		if (!name->gn_value.value)
+			return GSS_S_BAD_NAME;
+
+		m = __gss_get_mechanism(mech);
+		if (!m)
+			return (GSS_S_BAD_MECH);
+
+		mn = malloc(sizeof(struct _gss_mechanism_name));
+		if (!mn)
+			return GSS_S_FAILURE;
+
+		major_status = m->gm_import_name(minor_status,
+		    &name->gn_value,
+		    (name->gn_type.elements
+			? &name->gn_type : GSS_C_NO_OID),
+		    &mn->gmn_name);
+		if (major_status != GSS_S_COMPLETE) {
+			_gss_mg_error(m, major_status, *minor_status);
+			free(mn);
+			return major_status;
+		}
+
+		mn->gmn_mech = m;
+		mn->gmn_mech_oid = &m->gm_mech_oid;
+		HEIM_SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+	}
+	*output_mn = mn;
+	return 0;
+}
+
+
+/*
+ * Make a name from an MN.
+ */
+struct _gss_name *
+_gss_make_name(gssapi_mech_interface m, gss_name_t new_mn)
+{
+	struct _gss_name *name;
+	struct _gss_mechanism_name *mn;
+
+	name = malloc(sizeof(struct _gss_name));
+	if (!name)
+		return (0);
+	memset(name, 0, sizeof(struct _gss_name));
+
+	mn = malloc(sizeof(struct _gss_mechanism_name));
+	if (!mn) {
+		free(name);
+		return (0);
+	}
+
+	HEIM_SLIST_INIT(&name->gn_mn);
+	mn->gmn_mech = m;
+	mn->gmn_mech_oid = &m->gm_mech_oid;
+	mn->gmn_name = new_mn;
+	HEIM_SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
+
+	return (name);
+}
+
diff --git a/lib/gssapi/mech/gss_oid.c b/lib/gssapi/mech/gss_oid.c
new file mode 100644
index 000000000000..916d1e4dda5e
--- /dev/null
+++ b/lib/gssapi/mech/gss_oid.c
@@ -0,0 +1,266 @@
+/* Generated file */
+#include "mech_locl.h"
+
+/* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") };
+
+/* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") };
+
+/* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") };
+
+/* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") };
+
+/* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") };
+
+/* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") };
+
+/* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") };
+
+/* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") };
+
+/* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") };
+
+/* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") };
+
+/* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") };
+
+/* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") };
+
+/* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") };
+
+/* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") };
+
+/* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") };
+
+/* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") };
+
+/* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") };
+
+/* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") };
+
+/* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") };
+
+/* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") };
+
+/* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") };
+
+/* GSS_C_NT_NTLM - 1.2.752.43.13.21 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") };
+
+/* GSS_C_NT_DN - 1.2.752.43.13.22 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") };
+
+/* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") };
+
+/* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") };
+
+/* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") };
+
+/* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") };
+
+/* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") };
+
+/* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") };
+
+/* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") };
+
+/* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") };
+
+/* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") };
+
+/* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") };
+
+/* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") };
+
+/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" };
+
+/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" };
+
+/* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
+
+/* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") };
+
+/* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") };
+
+/* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") };
+
+/* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") };
+
+/* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") };
+
+/* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") };
+
+/* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
+
+/* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
+
+/* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") };
+
+/* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") };
+
+/* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") };
+
+/* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") };
+
+/* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") };
+
+/* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") };
+
+/* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") };
+
+/* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") };
+
+/* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") };
+
+/* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") };
+
+/* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") };
+
+/* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") };
+
+/* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") };
+
+/* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") };
+
+/* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") };
+
+/* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") };
+
+/* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") };
+
+/* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") };
+
+/* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") };
+
+/* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") };
+
+/* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") };
+
+/* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") };
+
+/* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") };
+
+/* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") };
+
+/* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") };
+
+/* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") };
+
+/* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") };
+
+/* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") };
+
+/* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") };
+
+struct _gss_oid_name_table _gss_ont_ma[] = {
+  { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },
+  { GSS_C_MA_AUTH_TARG_INIT, "GSS_C_MA_AUTH_TARG_INIT", "auth-targ-princ-initial", "" },
+  { GSS_C_MA_CBINDINGS, "GSS_C_MA_CBINDINGS", "channel-bindings", "" },
+  { GSS_C_MA_WRAP, "GSS_C_MA_WRAP", "wrap", "" },
+  { GSS_C_MA_ITOK_FRAMED, "GSS_C_MA_ITOK_FRAMED", "initial-is-framed", "" },
+  { GSS_C_MA_MECH_NEGO, "GSS_C_MA_MECH_NEGO", "mech-negotiation-mech", "" },
+  { GSS_C_MA_MECH_COMPOSITE, "GSS_C_MA_MECH_COMPOSITE", "composite-mech", "" },
+  { GSS_C_MA_REPLAY_DET, "GSS_C_MA_REPLAY_DET", "replay-detection", "" },
+  { GSS_C_MA_AUTH_INIT_ANON, "GSS_C_MA_AUTH_INIT_ANON", "auth-init-princ-anon", "" },
+  { GSS_C_MA_PROT_READY, "GSS_C_MA_PROT_READY", "prot-ready", "" },
+  { GSS_C_MA_AUTH_INIT, "GSS_C_MA_AUTH_INIT", "auth-init-princ", "" },
+  { GSS_C_MA_PFS, "GSS_C_MA_PFS", "pfs", "" },
+  { GSS_C_MA_CONF_PROT, "GSS_C_MA_CONF_PROT", "conf-prot", "" },
+  { GSS_C_MA_MECH_PSEUDO, "GSS_C_MA_MECH_PSEUDO", "pseudo-mech", "" },
+  { GSS_C_MA_AUTH_TARG, "GSS_C_MA_AUTH_TARG", "auth-targ-princ", "" },
+  { GSS_C_MA_MECH_NAME, "GSS_C_MA_MECH_NAME", "GSS mech name", "The name of the GSS-API mechanism" },
+  { GSS_C_MA_NOT_MECH, "GSS_C_MA_NOT_MECH", "not-mech", "" },
+  { GSS_C_MA_MIC, "GSS_C_MA_MIC", "mic", "" },
+  { GSS_C_MA_DEPRECATED, "GSS_C_MA_DEPRECATED", "mech-deprecated", "" },
+  { GSS_C_MA_MECH_GLUE, "GSS_C_MA_MECH_GLUE", "mech-glue", "" },
+  { GSS_C_MA_DELEG_CRED, "GSS_C_MA_DELEG_CRED", "deleg-cred", "" },
+  { GSS_C_MA_NOT_DFLT_MECH, "GSS_C_MA_NOT_DFLT_MECH", "mech-not-default", "" },
+  { GSS_C_MA_AUTH_TARG_ANON, "GSS_C_MA_AUTH_TARG_ANON", "auth-targ-princ-anon", "" },
+  { GSS_C_MA_INTEG_PROT, "GSS_C_MA_INTEG_PROT", "integ-prot", "" },
+  { GSS_C_MA_CTX_TRANS, "GSS_C_MA_CTX_TRANS", "context-transfer", "" },
+  { GSS_C_MA_MECH_DESCRIPTION, "GSS_C_MA_MECH_DESCRIPTION", "Mech description", "The long description of the mechanism" },
+  { GSS_C_MA_OOS_DET, "GSS_C_MA_OOS_DET", "oos-detection", "" },
+  { GSS_C_MA_AUTH_INIT_INIT, "GSS_C_MA_AUTH_INIT_INIT", "auth-init-princ-initial", "" },
+  { GSS_C_MA_MECH_CONCRETE, "GSS_C_MA_MECH_CONCRETE", "concrete-mech", "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" },
+  { GSS_C_MA_SASL_MECH_NAME, "GSS_C_MA_SASL_MECH_NAME", "SASL mechanism name", "The name of the SASL mechanism" },
+  { NULL }
+};
+
+struct _gss_oid_name_table _gss_ont_mech[] = {
+  { GSS_KRB5_MECHANISM, "GSS_KRB5_MECHANISM", "Kerberos 5", "Heimdal Kerberos 5 mechanism" },
+  { GSS_SPNEGO_MECHANISM, "GSS_SPNEGO_MECHANISM", "SPNEGO", "Heimdal SPNEGO mechanism" },
+  { GSS_NTLM_MECHANISM, "GSS_NTLM_MECHANISM", "NTLM", "Heimdal NTLM mechanism" },
+  { NULL }
+};
+
diff --git a/lib/gssapi/mech/gss_oid_equal.c b/lib/gssapi/mech/gss_oid_equal.c
new file mode 100644
index 000000000000..b125ede66fa3
--- /dev/null
+++ b/lib/gssapi/mech/gss_oid_equal.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+/**
+ * Compare two GSS-API OIDs with each other.
+ *
+ * GSS_C_NO_OID matches nothing, not even it-self.
+ *
+ * @param a first oid to compare
+ * @param b second oid to compare
+ *
+ * @return non-zero when both oid are the same OID, zero when they are
+ *         not the same.
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_oid_equal(gss_const_OID a, gss_const_OID b)
+{
+    if (a == b && a != GSS_C_NO_OID)
+	return 1;
+    if (a == GSS_C_NO_OID || b == GSS_C_NO_OID || a->length != b->length)
+	return 0;
+    return memcmp(a->elements, b->elements, a->length) == 0;
+}
diff --git a/lib/gssapi/mech/gss_oid_to_str.c b/lib/gssapi/mech/gss_oid_to_str.c
new file mode 100644
index 000000000000..a1d776877245
--- /dev/null
+++ b/lib/gssapi/mech/gss_oid_to_str.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
+{
+    int ret;
+    size_t size;
+    heim_oid o;
+    char *p;
+
+    _mg_buffer_zero(oid_str);
+
+    if (oid == GSS_C_NULL_OID)
+	return GSS_S_FAILURE;
+
+    ret = der_get_oid (oid->elements, oid->length, &o, &size);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    ret = der_print_heim_oid(&o, ' ', &p);
+    der_free_oid(&o);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+
+    oid_str->value = p;
+    oid_str->length = strlen(p);
+
+    *minor_status = 0;
+    return GSS_S_COMPLETE;
+}
+
+GSSAPI_LIB_FUNCTION const char * GSSAPI_LIB_CALL
+gss_oid_to_name(gss_const_OID oid)
+{
+    size_t i;
+
+    for (i = 0; _gss_ont_mech[i].oid; i++) {
+	if (gss_oid_equal(oid, _gss_ont_mech[i].oid))
+	    return _gss_ont_mech[i].name;
+    }
+    return NULL;
+}
+
+GSSAPI_LIB_FUNCTION gss_OID GSSAPI_LIB_CALL
+gss_name_to_oid(const char *name)
+{
+    size_t i, partial = (size_t)-1;
+
+    for (i = 0; _gss_ont_mech[i].oid; i++) {
+	if (strcasecmp(name, _gss_ont_mech[i].short_desc) == 0)
+	    return _gss_ont_mech[i].oid;
+	if (strncasecmp(name, _gss_ont_mech[i].short_desc, strlen(name)) == 0) {
+	    if (partial != (size_t)-1)
+		return NULL;
+	    partial = i;
+	}
+    }
+    if (partial != (size_t)-1)
+	return _gss_ont_mech[partial].oid;
+    return NULL;
+}
diff --git a/lib/gssapi/mech/gss_pname_to_uid.c b/lib/gssapi/mech/gss_pname_to_uid.c
new file mode 100644
index 000000000000..c5f26949f2ae
--- /dev/null
+++ b/lib/gssapi/mech/gss_pname_to_uid.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 2011, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+static OM_uint32
+mech_pname_to_uid(OM_uint32 *minor_status,
+                  struct _gss_mechanism_name *mn,
+                  uid_t *uidp)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+
+    *minor_status = 0;
+
+    if (mn->gmn_mech->gm_pname_to_uid == NULL)
+        return GSS_S_UNAVAILABLE;
+
+    major_status = mn->gmn_mech->gm_pname_to_uid(minor_status,
+                                                 mn->gmn_name,
+                                                 mn->gmn_mech_oid,
+                                                 uidp);
+    if (GSS_ERROR(major_status))
+        _gss_mg_error(mn->gmn_mech, major_status, *minor_status);
+
+    return major_status;
+}
+
+static OM_uint32
+attr_pname_to_uid(OM_uint32 *minor_status,
+                  struct _gss_mechanism_name *mn,
+                  uid_t *uidp)
+{
+#ifdef NO_LOCALNAME
+    return GSS_S_UNAVAILABLE;
+#else
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    OM_uint32 tmpMinor;
+    int more = -1;
+
+    *minor_status = 0;
+
+    if (mn->gmn_mech->gm_get_name_attribute == NULL)
+        return GSS_S_UNAVAILABLE;
+
+    while (more != 0) {
+        gss_buffer_desc value;
+        gss_buffer_desc display_value;
+        int authenticated = 0, complete = 0;
+#ifdef POSIX_GETPWNAM_R
+        char pwbuf[2048];
+        struct passwd pw, *pwd;
+#else
+        struct passwd *pwd;
+#endif
+        char *localname;
+
+        major_status = mn->gmn_mech->gm_get_name_attribute(minor_status,
+                                                           mn->gmn_name,
+                                                           GSS_C_ATTR_LOCAL_LOGIN_USER,
+                                                           &authenticated,
+                                                           &complete,
+                                                           &value,
+                                                           &display_value,
+                                                           &more);
+        if (GSS_ERROR(major_status)) {
+            _gss_mg_error(mn->gmn_mech, major_status, *minor_status);
+            break;
+        }
+
+        localname = malloc(value.length + 1);
+        if (localname == NULL) {
+            major_status = GSS_S_FAILURE;
+            *minor_status = ENOMEM;
+            break;
+        }
+
+        memcpy(localname, value.value, value.length);
+        localname[value.length] = '\0';
+
+#ifdef POSIX_GETPWNAM_R
+        if (getpwnam_r(localname, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0)
+            pwd = NULL;
+#else
+        pwd = getpwnam(localname);
+#endif
+
+        free(localname);
+        gss_release_buffer(&tmpMinor, &value);
+        gss_release_buffer(&tmpMinor, &display_value);
+
+        if (pwd != NULL) {
+            *uidp = pwd->pw_uid;
+            major_status = GSS_S_COMPLETE;
+            *minor_status = 0;
+            break;
+        } else
+            major_status = GSS_S_UNAVAILABLE;
+    }
+
+    return major_status;
+#endif /* NO_LOCALNAME */
+}
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_pname_to_uid(OM_uint32 *minor_status,
+                 const gss_name_t pname,
+                 const gss_OID mech_type,
+                 uid_t *uidp)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    struct _gss_name *name = (struct _gss_name *) pname;
+    struct _gss_mechanism_name *mn = NULL;
+
+    *minor_status = 0;
+
+    if (mech_type != GSS_C_NO_OID) {
+        major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
+        if (GSS_ERROR(major_status))
+            return major_status;
+
+        major_status = mech_pname_to_uid(minor_status, mn, uidp);
+        if (major_status != GSS_S_COMPLETE)
+            major_status = attr_pname_to_uid(minor_status, mn, uidp);
+    } else {
+        HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+            major_status = mech_pname_to_uid(minor_status, mn, uidp);
+            if (major_status != GSS_S_COMPLETE)
+                major_status = attr_pname_to_uid(minor_status, mn, uidp);
+            if (major_status != GSS_S_UNAVAILABLE)
+                break;
+        }
+    }
+
+    if (major_status != GSS_S_COMPLETE && mn != NULL)
+        _gss_mg_error(mn->gmn_mech, major_status, *minor_status);
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_process_context_token.c b/lib/gssapi/mech/gss_process_context_token.c
new file mode 100644
index 000000000000..e8e9b56cdc7f
--- /dev/null
+++ b/lib/gssapi/mech/gss_process_context_token.c
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_process_context_token.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_process_context_token(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    const gss_buffer_t token_buffer)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m = ctx->gc_mech;
+
+	return (m->gm_process_context_token(minor_status, ctx->gc_ctx,
+		    token_buffer));
+}
diff --git a/lib/gssapi/mech/gss_pseudo_random.c b/lib/gssapi/mech/gss_pseudo_random.c
new file mode 100644
index 000000000000..ce4f9a4136a5
--- /dev/null
+++ b/lib/gssapi/mech/gss_pseudo_random.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_pseudo_random(OM_uint32 *minor_status,
+		  gss_ctx_id_t context,
+		  int prf_key,
+		  const gss_buffer_t prf_in,
+		  ssize_t desired_output_len,
+		  gss_buffer_t prf_out)
+{
+    struct _gss_context *ctx = (struct _gss_context *) context;
+    gssapi_mech_interface m;
+    OM_uint32 major_status;
+
+    _mg_buffer_zero(prf_out);
+    *minor_status = 0;
+
+    if (ctx == NULL) {
+	*minor_status = 0;
+	return GSS_S_NO_CONTEXT;
+    }
+
+    m = ctx->gc_mech;
+
+    if (m->gm_pseudo_random == NULL)
+	return GSS_S_UNAVAILABLE;
+
+    major_status = (*m->gm_pseudo_random)(minor_status, ctx->gc_ctx,
+					  prf_key, prf_in, desired_output_len,
+					  prf_out);
+    if (major_status != GSS_S_COMPLETE)
+	_gss_mg_error(m, major_status, *minor_status);
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_release_buffer.c b/lib/gssapi/mech/gss_release_buffer.c
new file mode 100644
index 000000000000..c3dd4575b6f4
--- /dev/null
+++ b/lib/gssapi/mech/gss_release_buffer.c
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_release_buffer.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_buffer(OM_uint32 *minor_status,
+		   gss_buffer_t buffer)
+{
+
+	*minor_status = 0;
+	if (buffer->value)
+		free(buffer->value);
+	_mg_buffer_zero(buffer);
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_release_cred.c b/lib/gssapi/mech/gss_release_cred.c
new file mode 100644
index 000000000000..341f9f658cc3
--- /dev/null
+++ b/lib/gssapi/mech/gss_release_cred.c
@@ -0,0 +1,73 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_release_cred.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+/**
+ * Release a credentials
+ *
+ * Its ok to release the GSS_C_NO_CREDENTIAL/NULL credential, it will
+ * return a GSS_S_COMPLETE error code. On return cred_handle is set ot
+ * GSS_C_NO_CREDENTIAL.
+ *
+ * Example:
+ *
+ * @code
+ * gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+ * major = gss_release_cred(&minor, &cred);
+ * @endcode
+ *
+ * @param minor_status minor status return code, mech specific
+ * @param cred_handle a pointer to the credential too release
+ *
+ * @return an gssapi error code
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
+{
+	struct _gss_cred *cred = (struct _gss_cred *) *cred_handle;
+	struct _gss_mechanism_cred *mc;
+
+	if (*cred_handle == GSS_C_NO_CREDENTIAL)
+	    return (GSS_S_COMPLETE);
+
+	while (HEIM_SLIST_FIRST(&cred->gc_mc)) {
+		mc = HEIM_SLIST_FIRST(&cred->gc_mc);
+		HEIM_SLIST_REMOVE_HEAD(&cred->gc_mc, gmc_link);
+		mc->gmc_mech->gm_release_cred(minor_status, &mc->gmc_cred);
+		free(mc);
+	}
+	free(cred);
+
+	*minor_status = 0;
+	*cred_handle = GSS_C_NO_CREDENTIAL;
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_release_name.c b/lib/gssapi/mech/gss_release_name.c
new file mode 100644
index 000000000000..fd0b5df36bed
--- /dev/null
+++ b/lib/gssapi/mech/gss_release_name.c
@@ -0,0 +1,74 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_release_name.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+/**
+ * Free a name
+ *
+ * import_name can point to NULL or be NULL, or a pointer to a
+ * gss_name_t structure. If it was a pointer to gss_name_t, the
+ * pointer will be set to NULL on success and failure.
+ *
+ * @param minor_status minor status code
+ * @param input_name name to free
+ *
+ * @returns a gss_error code, see gss_display_status() about printing
+ *        the error code.
+ *
+ * @ingroup gssapi
+ */
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_name(OM_uint32 *minor_status,
+    gss_name_t *input_name)
+{
+	struct _gss_name *name;
+
+	*minor_status = 0;
+
+	if (input_name == NULL || *input_name == NULL)
+	    return GSS_S_COMPLETE;
+
+	name = (struct _gss_name *) *input_name;
+
+	if (name->gn_type.elements)
+		free(name->gn_type.elements);
+	while (HEIM_SLIST_FIRST(&name->gn_mn)) {
+		struct _gss_mechanism_name *mn;
+		mn = HEIM_SLIST_FIRST(&name->gn_mn);
+		HEIM_SLIST_REMOVE_HEAD(&name->gn_mn, gmn_link);
+		mn->gmn_mech->gm_release_name(minor_status,
+					      &mn->gmn_name);
+		free(mn);
+	}
+	gss_release_buffer(minor_status, &name->gn_value);
+	free(name);
+	*input_name = GSS_C_NO_NAME;
+
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_release_oid.c b/lib/gssapi/mech/gss_release_oid.c
new file mode 100644
index 000000000000..610daf229c42
--- /dev/null
+++ b/lib/gssapi/mech/gss_release_oid.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_oid(OM_uint32 *minor_status, gss_OID *oid)
+{
+    gss_OID o = *oid;
+
+    *oid = GSS_C_NO_OID;
+
+    if (minor_status != NULL)
+	*minor_status = 0;
+
+    if (o == GSS_C_NO_OID)
+	return GSS_S_COMPLETE;
+
+    if (o->elements != NULL) {
+	free(o->elements);
+	o->elements = NULL;
+    }
+    o->length = 0;
+    free(o);
+
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_release_oid_set.c b/lib/gssapi/mech/gss_release_oid_set.c
new file mode 100644
index 000000000000..183ddf8c751a
--- /dev/null
+++ b/lib/gssapi/mech/gss_release_oid_set.c
@@ -0,0 +1,44 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_release_oid_set.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_release_oid_set(OM_uint32 *minor_status,
+    gss_OID_set *set)
+{
+
+	*minor_status = 0;
+	if (set && *set) {
+		if ((*set)->elements)
+			free((*set)->elements);
+		free(*set);
+		*set = GSS_C_NO_OID_SET;
+	}
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_seal.c b/lib/gssapi/mech/gss_seal.c
new file mode 100644
index 000000000000..26c65dafc984
--- /dev/null
+++ b/lib/gssapi/mech/gss_seal.c
@@ -0,0 +1,45 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_seal.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_seal(OM_uint32 *minor_status,
+    gss_ctx_id_t context_handle,
+    int conf_req_flag,
+    int qop_req,
+    gss_buffer_t input_message_buffer,
+    int *conf_state,
+    gss_buffer_t output_message_buffer)
+{
+
+	return (gss_wrap(minor_status,
+		    context_handle, conf_req_flag, qop_req,
+		    input_message_buffer, conf_state,
+		    output_message_buffer));
+}
diff --git a/lib/gssapi/mech/gss_set_cred_option.c b/lib/gssapi/mech/gss_set_cred_option.c
new file mode 100644
index 000000000000..d33453d92feb
--- /dev/null
+++ b/lib/gssapi/mech/gss_set_cred_option.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_set_cred_option (OM_uint32 *minor_status,
+		     gss_cred_id_t *cred_handle,
+		     const gss_OID object,
+		     const gss_buffer_t value)
+{
+	struct _gss_cred *cred = (struct _gss_cred *) *cred_handle;
+	OM_uint32	major_status = GSS_S_COMPLETE;
+	struct _gss_mechanism_cred *mc;
+	int one_ok = 0;
+
+	*minor_status = 0;
+
+	_gss_load_mech();
+
+	if (cred == NULL) {
+		struct _gss_mech_switch *m;
+
+		cred = malloc(sizeof(*cred));
+		if (cred == NULL)
+		    return GSS_S_FAILURE;
+
+		HEIM_SLIST_INIT(&cred->gc_mc);
+
+		HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+
+			if (m->gm_mech.gm_set_cred_option == NULL)
+				continue;
+
+			mc = malloc(sizeof(*mc));
+			if (mc == NULL) {
+			    *cred_handle = (gss_cred_id_t)cred;
+			    gss_release_cred(minor_status, cred_handle);
+			    *minor_status = ENOMEM;
+			    return GSS_S_FAILURE;
+			}
+
+			mc->gmc_mech = &m->gm_mech;
+			mc->gmc_mech_oid = &m->gm_mech_oid;
+			mc->gmc_cred = GSS_C_NO_CREDENTIAL;
+
+			major_status = m->gm_mech.gm_set_cred_option(
+			    minor_status, &mc->gmc_cred, object, value);
+
+			if (major_status) {
+				free(mc);
+				continue;
+			}
+			one_ok = 1;
+			HEIM_SLIST_INSERT_HEAD(&cred->gc_mc, mc, gmc_link);
+		}
+		*cred_handle = (gss_cred_id_t)cred;
+		if (!one_ok) {
+			OM_uint32 junk;
+			gss_release_cred(&junk, cred_handle);
+		}
+	} else {
+		gssapi_mech_interface	m;
+
+		HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+			m = mc->gmc_mech;
+
+			if (m == NULL)
+				return GSS_S_BAD_MECH;
+
+			if (m->gm_set_cred_option == NULL)
+				continue;
+
+			major_status = m->gm_set_cred_option(minor_status,
+			    &mc->gmc_cred, object, value);
+			if (major_status == GSS_S_COMPLETE)
+				one_ok = 1;
+			else
+				_gss_mg_error(m, major_status, *minor_status);
+
+		}
+	}
+	if (one_ok) {
+		*minor_status = 0;
+		return GSS_S_COMPLETE;
+	}
+	return major_status;
+}
+
diff --git a/lib/gssapi/mech/gss_set_name_attribute.c b/lib/gssapi/mech/gss_set_name_attribute.c
new file mode 100644
index 000000000000..ada7a0612ec7
--- /dev/null
+++ b/lib/gssapi/mech/gss_set_name_attribute.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2010, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_set_name_attribute(OM_uint32 *minor_status,
+		       gss_name_t input_name,
+		       int complete,
+		       gss_buffer_t attr,
+		       gss_buffer_t value)
+{
+    OM_uint32 major_status = GSS_S_UNAVAILABLE;
+    struct _gss_name *name = (struct _gss_name *) input_name;
+    struct _gss_mechanism_name *mn;
+
+    *minor_status = 0;
+
+    if (input_name == GSS_C_NO_NAME)
+        return GSS_S_BAD_NAME;
+
+    HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
+        gssapi_mech_interface m = mn->gmn_mech;
+
+        if (!m->gm_set_name_attribute)
+            continue;
+
+        major_status = m->gm_set_name_attribute(minor_status,
+                                                mn->gmn_name,
+                                                complete,
+                                                attr,
+                                                value);
+        if (GSS_ERROR(major_status))
+            _gss_mg_error(m, major_status, *minor_status);
+        else
+            break;
+    }
+
+    return major_status;
+}
diff --git a/lib/gssapi/mech/gss_set_sec_context_option.c b/lib/gssapi/mech/gss_set_sec_context_option.c
new file mode 100644
index 000000000000..6efe1a0b1718
--- /dev/null
+++ b/lib/gssapi/mech/gss_set_sec_context_option.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2004, PADL Software Pty Ltd.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of PADL Software nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_set_sec_context_option (OM_uint32 *minor_status,
+			    gss_ctx_id_t *context_handle,
+			    const gss_OID object,
+			    const gss_buffer_t value)
+{
+	struct _gss_context	*ctx;
+	OM_uint32		major_status;
+	gssapi_mech_interface	m;
+
+	*minor_status = 0;
+
+	if (context_handle == NULL)
+		return GSS_S_NO_CONTEXT;
+
+	ctx = (struct _gss_context *) *context_handle;
+
+	if (ctx == NULL)
+		return GSS_S_NO_CONTEXT;
+
+	m = ctx->gc_mech;
+
+	if (m == NULL)
+		return GSS_S_BAD_MECH;
+
+	if (m->gm_set_sec_context_option != NULL) {
+		major_status = m->gm_set_sec_context_option(minor_status,
+		    &ctx->gc_ctx, object, value);
+		if (major_status != GSS_S_COMPLETE)
+			_gss_mg_error(m, major_status, *minor_status);
+	} else
+		major_status = GSS_S_BAD_MECH;
+
+	return major_status;
+}
+
diff --git a/lib/gssapi/mech/gss_sign.c b/lib/gssapi/mech/gss_sign.c
new file mode 100644
index 000000000000..4ef99c19878c
--- /dev/null
+++ b/lib/gssapi/mech/gss_sign.c
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_sign.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_sign(OM_uint32 *minor_status,
+    gss_ctx_id_t context_handle,
+    int qop_req,
+    gss_buffer_t message_buffer,
+    gss_buffer_t message_token)
+{
+
+	return gss_get_mic(minor_status,
+	    context_handle, qop_req, message_buffer, message_token);
+}
diff --git a/lib/gssapi/mech/gss_store_cred.c b/lib/gssapi/mech/gss_store_cred.c
new file mode 100644
index 000000000000..4d2bfdec8b1a
--- /dev/null
+++ b/lib/gssapi/mech/gss_store_cred.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_store_cred(OM_uint32         *minor_status,
+	       gss_cred_id_t     input_cred_handle,
+	       gss_cred_usage_t  cred_usage,
+	       const gss_OID     desired_mech,
+	       OM_uint32         overwrite_cred,
+	       OM_uint32         default_cred,
+	       gss_OID_set       *elements_stored,
+	       gss_cred_usage_t  *cred_usage_stored)
+{
+    struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
+    struct _gss_mechanism_cred *mc;
+    OM_uint32 maj, junk;
+
+    if (minor_status == NULL)
+	return GSS_S_FAILURE;
+    if (elements_stored)
+	*elements_stored = NULL;
+    if (cred_usage_stored)
+	*cred_usage_stored = 0;
+
+    if (cred == NULL)
+	return GSS_S_NO_CONTEXT;
+
+    if (elements_stored) {
+	maj = gss_create_empty_oid_set(minor_status, elements_stored);
+	if (maj != GSS_S_COMPLETE)
+	    return maj;
+    }
+
+    HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
+	gssapi_mech_interface m = mc->gmc_mech;
+
+	if (m == NULL || m->gm_store_cred == NULL)
+	    continue;
+
+	if (desired_mech) {
+	    maj = gss_oid_equal(&m->gm_mech_oid, desired_mech);
+	    if (maj != 0)
+		continue;
+	}
+
+	maj = (m->gm_store_cred)(minor_status, mc->gmc_cred,
+				 cred_usage, desired_mech, overwrite_cred,
+				 default_cred, NULL, cred_usage_stored);
+	if (maj != GSS_S_COMPLETE) {
+	    gss_release_oid_set(&junk, elements_stored);
+	    return maj;
+	}
+
+	if (elements_stored) {
+	    gss_add_oid_set_member(&junk,
+				   &m->gm_mech_oid,
+				   elements_stored);
+	}
+
+    }
+    return GSS_S_COMPLETE;
+}
diff --git a/lib/gssapi/mech/gss_test_oid_set_member.c b/lib/gssapi/mech/gss_test_oid_set_member.c
new file mode 100644
index 000000000000..715d34bf0666
--- /dev/null
+++ b/lib/gssapi/mech/gss_test_oid_set_member.c
@@ -0,0 +1,46 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_test_oid_set_member.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_test_oid_set_member(OM_uint32 *minor_status,
+    const gss_OID member,
+    const gss_OID_set set,
+    int *present)
+{
+	size_t i;
+
+	*present = 0;
+	for (i = 0; i < set->count; i++)
+		if (gss_oid_equal(member, &set->elements[i]))
+			*present = 1;
+
+	*minor_status = 0;
+	return (GSS_S_COMPLETE);
+}
diff --git a/lib/gssapi/mech/gss_unseal.c b/lib/gssapi/mech/gss_unseal.c
new file mode 100644
index 000000000000..0add03d4ddb9
--- /dev/null
+++ b/lib/gssapi/mech/gss_unseal.c
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_unseal.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_unseal(OM_uint32 *minor_status,
+    gss_ctx_id_t context_handle,
+    gss_buffer_t input_message_buffer,
+    gss_buffer_t output_message_buffer,
+    int *conf_state,
+    int *qop_state)
+{
+
+	return (gss_unwrap(minor_status,
+		    context_handle, input_message_buffer,
+		    output_message_buffer, conf_state, (gss_qop_t *)qop_state));
+}
diff --git a/lib/gssapi/mech/gss_unwrap.c b/lib/gssapi/mech/gss_unwrap.c
new file mode 100644
index 000000000000..d0d18aca25b1
--- /dev/null
+++ b/lib/gssapi/mech/gss_unwrap.c
@@ -0,0 +1,45 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_unwrap.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_unwrap(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    const gss_buffer_t input_message_buffer,
+    gss_buffer_t output_message_buffer,
+    int *conf_state,
+    gss_qop_t *qop_state)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m = ctx->gc_mech;
+
+	return (m->gm_unwrap(minor_status, ctx->gc_ctx,
+		    input_message_buffer, output_message_buffer,
+		    conf_state, qop_state));
+}
diff --git a/lib/gssapi/mech/gss_utils.c b/lib/gssapi/mech/gss_utils.c
new file mode 100644
index 000000000000..2071621b2304
--- /dev/null
+++ b/lib/gssapi/mech/gss_utils.c
@@ -0,0 +1,78 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_utils.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+OM_uint32
+_gss_copy_oid(OM_uint32 *minor_status,
+    const gss_OID from_oid, gss_OID to_oid)
+{
+	size_t len = from_oid->length;
+
+	*minor_status = 0;
+	to_oid->elements = malloc(len);
+	if (!to_oid->elements) {
+		to_oid->length = 0;
+		*minor_status = ENOMEM;
+		return GSS_S_FAILURE;
+	}
+	to_oid->length = len;
+	memcpy(to_oid->elements, from_oid->elements, len);
+	return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+_gss_free_oid(OM_uint32 *minor_status, gss_OID oid)
+{
+	*minor_status = 0;
+	if (oid->elements) {
+	    free(oid->elements);
+	    oid->elements = NULL;
+	    oid->length = 0;
+	}
+	return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+_gss_copy_buffer(OM_uint32 *minor_status,
+    const gss_buffer_t from_buf, gss_buffer_t to_buf)
+{
+	size_t len = from_buf->length;
+
+	*minor_status = 0;
+	to_buf->value = malloc(len);
+	if (!to_buf->value) {
+		*minor_status = ENOMEM;
+		to_buf->length = 0;
+		return GSS_S_FAILURE;
+	}
+	to_buf->length = len;
+	memcpy(to_buf->value, from_buf->value, len);
+	return (GSS_S_COMPLETE);
+}
+
diff --git a/lib/gssapi/mech/gss_verify.c b/lib/gssapi/mech/gss_verify.c
new file mode 100644
index 000000000000..dd53ddbae909
--- /dev/null
+++ b/lib/gssapi/mech/gss_verify.c
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_verify.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_verify(OM_uint32 *minor_status,
+    gss_ctx_id_t context_handle,
+    gss_buffer_t message_buffer,
+    gss_buffer_t token_buffer,
+    int *qop_state)
+{
+
+	return (gss_verify_mic(minor_status,
+		    context_handle, message_buffer, token_buffer,
+		    (gss_qop_t *)qop_state));
+}
diff --git a/lib/gssapi/mech/gss_verify_mic.c b/lib/gssapi/mech/gss_verify_mic.c
new file mode 100644
index 000000000000..a791dc732761
--- /dev/null
+++ b/lib/gssapi/mech/gss_verify_mic.c
@@ -0,0 +1,52 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_verify_mic.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_verify_mic(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    const gss_buffer_t message_buffer,
+    const gss_buffer_t token_buffer,
+    gss_qop_t *qop_state)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m;
+
+	if (qop_state)
+	    *qop_state = 0;
+	if (ctx == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_NO_CONTEXT;
+	}
+
+	m = ctx->gc_mech;
+
+	return (m->gm_verify_mic(minor_status, ctx->gc_ctx,
+		    message_buffer, token_buffer, qop_state));
+}
diff --git a/lib/gssapi/mech/gss_wrap.c b/lib/gssapi/mech/gss_wrap.c
new file mode 100644
index 000000000000..d9864b36ccb4
--- /dev/null
+++ b/lib/gssapi/mech/gss_wrap.c
@@ -0,0 +1,71 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_wrap.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+/**
+ * Wrap a message using either confidentiality (encryption +
+ * signature) or sealing (signature).
+ *
+ * @param minor_status minor status code.
+ * @param context_handle context handle.
+ * @param conf_req_flag if non zero, confidentiality is requestd.
+ * @param qop_req type of protection needed, in most cases it GSS_C_QOP_DEFAULT should be passed in.
+ * @param input_message_buffer messages to wrap
+ * @param conf_state returns non zero if confidentiality was honoured.
+ * @param output_message_buffer the resulting buffer, release with gss_release_buffer().
+ *
+ * @ingroup gssapi
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_wrap(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    int conf_req_flag,
+    gss_qop_t qop_req,
+    const gss_buffer_t input_message_buffer,
+    int *conf_state,
+    gss_buffer_t output_message_buffer)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m;
+
+	if (conf_state)
+	    *conf_state = 0;
+	_mg_buffer_zero(output_message_buffer);
+	if (ctx == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_NO_CONTEXT;
+	}
+
+	m = ctx->gc_mech;
+
+	return (m->gm_wrap(minor_status, ctx->gc_ctx,
+		    conf_req_flag, qop_req, input_message_buffer,
+		    conf_state, output_message_buffer));
+}
diff --git a/lib/gssapi/mech/gss_wrap_size_limit.c b/lib/gssapi/mech/gss_wrap_size_limit.c
new file mode 100644
index 000000000000..9bebcf6cf08e
--- /dev/null
+++ b/lib/gssapi/mech/gss_wrap_size_limit.c
@@ -0,0 +1,52 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/gss_wrap_size_limit.c,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ */
+
+#include "mech_locl.h"
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_wrap_size_limit(OM_uint32 *minor_status,
+    const gss_ctx_id_t context_handle,
+    int conf_req_flag,
+    gss_qop_t qop_req,
+    OM_uint32 req_output_size,
+    OM_uint32 *max_input_size)
+{
+	struct _gss_context *ctx = (struct _gss_context *) context_handle;
+	gssapi_mech_interface m;
+
+	*max_input_size = 0;
+	if (ctx == NULL) {
+	    *minor_status = 0;
+	    return GSS_S_NO_CONTEXT;
+	}
+
+	m = ctx->gc_mech;
+
+	return (m->gm_wrap_size_limit(minor_status, ctx->gc_ctx,
+		    conf_req_flag, qop_req, req_output_size, max_input_size));
+}
diff --git a/lib/gssapi/mech/gssapi.asn1 b/lib/gssapi/mech/gssapi.asn1
new file mode 100644
index 000000000000..1ba7b40637b0
--- /dev/null
+++ b/lib/gssapi/mech/gssapi.asn1
@@ -0,0 +1,12 @@
+-- $Id$
+
+GSS-API DEFINITIONS ::= BEGIN
+
+IMPORTS heim_any_set FROM heim;
+
+GSSAPIContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {
+	thisMech OBJECT IDENTIFIER,
+	innerContextToken heim_any_set
+}
+
+END
\ No newline at end of file
diff --git a/lib/gssapi/mech/mech.5 b/lib/gssapi/mech/mech.5
new file mode 100644
index 000000000000..e7b083d3158a
--- /dev/null
+++ b/lib/gssapi/mech/mech.5
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD: src/lib/libgssapi/mech.5,v 1.1 2005/12/29 14:40:20 dfr Exp $
+.Dd November 14, 2005
+.Dt MECH 5
+.Os
+.Sh NAME
+.Nm mech ,
+.Nm qop
+.Nd "GSS-API Mechanism and QOP files"
+.Sh SYNOPSIS
+.Pa "/etc/gss/mech"
+.Pa "/etc/gss/qop"
+.Sh DESCRIPTION
+The
+.Pa "/etc/gss/mech"
+file contains a list of installed GSS-API security mechanisms.
+Each line of the file either contains a comment if the first character
+is '#' or it contains five fields with the following meanings:
+.Bl -tag
+.It Name
+The name of this GSS-API mechanism.
+.It Object identifier
+The OID for this mechanism.
+.It Library
+A shared library containing the implementation of this mechanism.
+.It Kernel module (optional)
+A kernel module containing the implementation of this mechanism (not
+yet supported in FreeBSD).
+.It Library options (optional)
+Optionsal parameters interpreted by the mechanism. Library options
+must be enclosed in brackets ([ ]) to differentiate them from the
+optional kernel module entry.
+.El
+.Pp
+The
+.Pa "/etc/gss/qop"
+file contains a list of Quality of Protection values for use with
+GSS-API.
+Each line of the file either contains a comment if the first character
+is '#' or it contains three fields with the following meanings:
+.Bl -tag
+.It QOP string
+The name of this Quality of Protection algorithm.
+.It QOP value
+The numeric value used to select this algorithm for use with GSS-API
+functions such as
+.Xr gss_get_mic 3 .
+.It Mechanism name
+The GSS-API mechanism name that corresponds to this algorithm.
+.El
+.Sh EXAMPLES
+This is a typical entry from
+.Pa "/etc/gss/mech" :
+.Bd -literal
+kerberosv5	1.2.840.113554.1.2.2	/usr/lib/libgssapi_krb5.so.8	-
+.Ed
+.Pp
+This is a typical entry from
+.Pa "/etc/gss/qop" :
+.Bd -literal
+GSS_KRB5_CONF_C_QOP_DES		0x0100	kerberosv5
+.Ed
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+This
+manual page was written by
+.An Doug Rabson Aq dfr@FreeBSD.org .
diff --git a/lib/gssapi/mech/mech.cat5 b/lib/gssapi/mech/mech.cat5
new file mode 100644
index 000000000000..821a193df6e1
--- /dev/null
+++ b/lib/gssapi/mech/mech.cat5
@@ -0,0 +1,61 @@
+
+MECH(5)                     BSD File Formats Manual                    MECH(5)
+
+NNAAMMEE
+     mmeecchh, qqoopp -- GSS-API Mechanism and QOP files
+
+SSYYNNOOPPSSIISS
+     _/_e_t_c_/_g_s_s_/_m_e_c_h _/_e_t_c_/_g_s_s_/_q_o_p
+
+DDEESSCCRRIIPPTTIIOONN
+     The _/_e_t_c_/_g_s_s_/_m_e_c_h file contains a list of installed GSS-API security
+     mechanisms.  Each line of the file either contains a comment if the first
+     character is '#' or it contains five fields with the following meanings:
+
+     Name          The name of this GSS-API mechanism.
+
+     Object identifier
+                   The OID for this mechanism.
+
+     Library       A shared library containing the implementation of this
+                   mechanism.
+
+     Kernel module (optional)
+                   A kernel module containing the implementation of this mech-
+                   anism (not yet supported in FreeBSD).
+
+     Library options (optional)
+                   Optionsal parameters interpreted by the mechanism. Library
+                   options must be enclosed in brackets ([ ]) to differentiate
+                   them from the optional kernel module entry.
+
+     The _/_e_t_c_/_g_s_s_/_q_o_p file contains a list of Quality of Protection values for
+     use with GSS-API.  Each line of the file either contains a comment if the
+     first character is '#' or it contains three fields with the following
+     meanings:
+
+     QOP string    The name of this Quality of Protection algorithm.
+
+     QOP value     The numeric value used to select this algorithm for use
+                   with GSS-API functions such as gss_get_mic(3).
+
+     Mechanism name
+                   The GSS-API mechanism name that corresponds to this algo-
+                   rithm.
+
+EEXXAAMMPPLLEESS
+     This is a typical entry from _/_e_t_c_/_g_s_s_/_m_e_c_h:
+
+     kerberosv5      1.2.840.113554.1.2.2    /usr/lib/libgssapi_krb5.so.8    -
+
+     This is a typical entry from _/_e_t_c_/_g_s_s_/_q_o_p:
+
+     GSS_KRB5_CONF_C_QOP_DES         0x0100  kerberosv5
+
+HHIISSTTOORRYY
+     The mmeecchh manual page example first appeared in FreeBSD 7.0.
+
+AAUUTTHHOORRSS
+     This manual page was written by Doug Rabson <dfr@FreeBSD.org>.
+
+BSD                            November 14, 2005                           BSD
diff --git a/lib/gssapi/mech/mech_locl.h b/lib/gssapi/mech/mech_locl.h
new file mode 100644
index 000000000000..6c23ac5256b1
--- /dev/null
+++ b/lib/gssapi/mech/mech_locl.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#include <krb5-types.h>
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <dlfcn.h>
+#include <errno.h>
+
+#include <gssapi_asn1.h>
+#include <der.h>
+
+#include <roken.h>
+
+#include <gssapi.h>
+#include <gssapi_mech.h>
+#include <gssapi_krb5.h>
+
+#include "mechqueue.h"
+
+#include "context.h"
+#include "cred.h"
+#include "mech_switch.h"
+#include "name.h"
+#include "utils.h"
+#include "compat.h"
+
+#define _mg_buffer_zero(buffer) \
+	do {					\
+		if (buffer) {			\
+			(buffer)->value = NULL;	\
+			(buffer)->length = 0;	\
+		 }				\
+	} while(0)
+
+#define _mg_oid_set_zero(oid_set) \
+	do {						\
+		if (oid_set) {				\
+			(oid_set)->elements = NULL;	\
+			(oid_set)->count = 0;		\
+		 }					\
+	} while(0)
diff --git a/lib/gssapi/mech/mech_switch.h b/lib/gssapi/mech/mech_switch.h
new file mode 100644
index 000000000000..7ed3d4d4aa34
--- /dev/null
+++ b/lib/gssapi/mech/mech_switch.h
@@ -0,0 +1,43 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/mech_switch.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ *	$Id$
+ */
+
+#include <gssapi_mech.h>
+
+struct _gss_mech_switch {
+	HEIM_SLIST_ENTRY(_gss_mech_switch)	gm_link;
+	gss_OID_desc			gm_mech_oid;
+	gss_OID_set			gm_name_types;
+	void				*gm_so;
+	gssapi_mech_interface_desc	gm_mech;
+};
+HEIM_SLIST_HEAD(_gss_mech_switch_list, _gss_mech_switch);
+extern struct _gss_mech_switch_list _gss_mechs;
+extern gss_OID_set _gss_mech_oids;
+
+void	_gss_load_mech(void);
diff --git a/lib/gssapi/mech/mechqueue.h b/lib/gssapi/mech/mechqueue.h
new file mode 100644
index 000000000000..95941bab7e87
--- /dev/null
+++ b/lib/gssapi/mech/mechqueue.h
@@ -0,0 +1,97 @@
+/*	$NetBSD: queue.h,v 1.39 2004/04/18 14:25:34 lukem Exp $	*/
+
+/*
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)queue.h	8.5 (Berkeley) 8/20/94
+ */
+
+#ifndef	_MECHQUEUE_H_
+#define	_MECHQUEUE_H_
+
+/*
+ * Singly-linked List definitions.
+ */
+#define	HEIM_SLIST_HEAD(name, type)						\
+struct name {								\
+	struct type *slh_first;	/* first element */			\
+}
+
+#define	HEIM_SLIST_HEAD_INITIALIZER(head)					\
+	{ NULL }
+
+#define	HEIM_SLIST_ENTRY(type)						\
+struct {								\
+	struct type *sle_next;	/* next element */			\
+}
+
+/*
+ * Singly-linked List functions.
+ */
+#define	HEIM_SLIST_INIT(head) do {						\
+	(head)->slh_first = NULL;					\
+} while (/*CONSTCOND*/0)
+
+#define	HEIM_SLIST_INSERT_AFTER(slistelm, elm, field) do {			\
+	(elm)->field.sle_next = (slistelm)->field.sle_next;		\
+	(slistelm)->field.sle_next = (elm);				\
+} while (/*CONSTCOND*/0)
+
+#define	HEIM_SLIST_INSERT_HEAD(head, elm, field) do {			\
+	(elm)->field.sle_next = (head)->slh_first;			\
+	(head)->slh_first = (elm);					\
+} while (/*CONSTCOND*/0)
+
+#define	HEIM_SLIST_REMOVE_HEAD(head, field) do {				\
+	(head)->slh_first = (head)->slh_first->field.sle_next;		\
+} while (/*CONSTCOND*/0)
+
+#define	HEIM_SLIST_REMOVE(head, elm, type, field) do {			\
+	if ((head)->slh_first == (elm)) {				\
+		HEIM_SLIST_REMOVE_HEAD((head), field);			\
+	}								\
+	else {								\
+		struct type *curelm = (head)->slh_first;		\
+		while(curelm->field.sle_next != (elm))			\
+			curelm = curelm->field.sle_next;		\
+		curelm->field.sle_next =				\
+		    curelm->field.sle_next->field.sle_next;		\
+	}								\
+} while (/*CONSTCOND*/0)
+
+#define	HEIM_SLIST_FOREACH(var, head, field)					\
+	for((var) = (head)->slh_first; (var); (var) = (var)->field.sle_next)
+
+/*
+ * Singly-linked List access methods.
+ */
+#define	HEIM_SLIST_EMPTY(head)	((head)->slh_first == NULL)
+#define	HEIM_SLIST_FIRST(head)	((head)->slh_first)
+#define	HEIM_SLIST_NEXT(elm, field)	((elm)->field.sle_next)
+
+#endif	/* !_MECHQUEUE_H_ */
diff --git a/lib/gssapi/mech/name.h b/lib/gssapi/mech/name.h
new file mode 100644
index 000000000000..4baeebf36a82
--- /dev/null
+++ b/lib/gssapi/mech/name.h
@@ -0,0 +1,48 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/name.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ *	$Id$
+ */
+
+struct _gss_mechanism_name {
+	HEIM_SLIST_ENTRY(_gss_mechanism_name) gmn_link;
+	gssapi_mech_interface	gmn_mech;	/* mechanism ops for MN */
+	gss_OID			gmn_mech_oid;	/* mechanism oid for MN */
+	gss_name_t		gmn_name;	/* underlying MN */
+};
+HEIM_SLIST_HEAD(_gss_mechanism_name_list, _gss_mechanism_name);
+
+struct _gss_name {
+	gss_OID_desc		gn_type;	/* type of name */
+	gss_buffer_desc		gn_value;	/* value (as imported) */
+	struct _gss_mechanism_name_list gn_mn;	/* list of MNs */
+};
+
+OM_uint32
+	_gss_find_mn(OM_uint32 *, struct _gss_name *, gss_OID,
+	      struct _gss_mechanism_name **);
+struct _gss_name *
+	_gss_make_name(gssapi_mech_interface m, gss_name_t new_mn);
diff --git a/lib/gssapi/mech/utils.h b/lib/gssapi/mech/utils.h
new file mode 100644
index 000000000000..7b27d38f3cd0
--- /dev/null
+++ b/lib/gssapi/mech/utils.h
@@ -0,0 +1,33 @@
+/*-
+ * Copyright (c) 2005 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	$FreeBSD: src/lib/libgssapi/utils.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
+ *	$Id$
+ */
+
+OM_uint32 _gss_free_oid(OM_uint32 *, gss_OID);
+OM_uint32 _gss_copy_oid(OM_uint32 *, const gss_OID, gss_OID);
+OM_uint32 _gss_copy_buffer(OM_uint32 *minor_status,
+    const gss_buffer_t from_buf, gss_buffer_t to_buf);
diff --git a/lib/gssapi/ntlm/accept_sec_context.c b/lib/gssapi/ntlm/accept_sec_context.c
index 79fc53826dec..533fc15df8f3 100644
--- a/lib/gssapi/ntlm/accept_sec_context.c
+++ b/lib/gssapi/ntlm/accept_sec_context.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
-
-RCSID("$Id: accept_sec_context.c 22521 2008-01-24 11:53:18Z lha $");
+#include "ntlm.h"
 
 /*
  *
@@ -43,10 +41,17 @@ OM_uint32
 _gss_ntlm_allocate_ctx(OM_uint32 *minor_status, ntlm_ctx *ctx)
 {
     OM_uint32 maj_stat;
+    struct ntlm_server_interface *ns_interface = NULL;
+
+#ifdef DIGEST
+    ns_interface = &ntlmsspi_kdc_digest;
+#endif
+    if (ns_interface == NULL)
+	return GSS_S_FAILURE;
 
     *ctx = calloc(1, sizeof(**ctx));
 
-    (*ctx)->server = &ntlmsspi_kdc_digest;
+    (*ctx)->server = ns_interface;
 
     maj_stat = (*(*ctx)->server->nsi_init)(minor_status, &(*ctx)->ictx);
     if (maj_stat != GSS_S_COMPLETE)
@@ -59,7 +64,7 @@ _gss_ntlm_allocate_ctx(OM_uint32 *minor_status, ntlm_ctx *ctx)
  *
  */
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_accept_sec_context
 (OM_uint32 * minor_status,
  gss_ctx_id_t * context_handle,
@@ -76,6 +81,7 @@ _gss_ntlm_accept_sec_context
 {
     krb5_error_code ret;
     struct ntlm_buf data;
+    OM_uint32 junk;
     ntlm_ctx ctx;
 
     output_token->value = NULL;
@@ -85,7 +91,7 @@ _gss_ntlm_accept_sec_context
 
     if (context_handle == NULL)
 	return GSS_S_FAILURE;
-	
+
     if (input_token_buffer == GSS_C_NO_BUFFER)
 	return GSS_S_FAILURE;
 
@@ -110,7 +116,7 @@ _gss_ntlm_accept_sec_context
 	if (major_status)
 	    return major_status;
 	*context_handle = (gss_ctx_id_t)ctx;
-	
+
 	/* check if the mechs is allowed by remote service */
 	major_status = (*ctx->server->nsi_probe)(minor_status, ctx->ictx, NULL);
 	if (major_status) {
@@ -120,7 +126,7 @@ _gss_ntlm_accept_sec_context
 
 	data.data = input_token_buffer->value;
 	data.length = input_token_buffer->length;
-	
+
 	ret = heim_ntlm_decode_type1(&data, &type1);
 	if (ret) {
 	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
@@ -149,15 +155,15 @@ _gss_ntlm_accept_sec_context
 						 &out);
 	heim_ntlm_free_type1(&type1);
 	if (major_status != GSS_S_COMPLETE) {
-	    OM_uint32 junk;
-	    _gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
+	    OM_uint32 gunk;
+	    _gss_ntlm_delete_sec_context(&gunk, context_handle, NULL);
 	    return major_status;
 	}
 
 	output_token->value = malloc(out.length);
-	if (output_token->value == NULL) {
-	    OM_uint32 junk;
-	    _gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
+	if (output_token->value == NULL && out.length != 0) {
+	    OM_uint32 gunk;
+	    _gss_ntlm_delete_sec_context(&gunk, context_handle, NULL);
 	    *minor_status = ENOMEM;
 	    return GSS_S_FAILURE;
 	}
@@ -201,27 +207,31 @@ _gss_ntlm_accept_sec_context
 		n->domain = strdup(type3.targetname);
 	    }
 	    if (n == NULL || n->user == NULL || n->domain == NULL) {
+		gss_name_t tempn =  (gss_name_t)n;
+		_gss_ntlm_release_name(&junk, &tempn);
 		heim_ntlm_free_type3(&type3);
-		_gss_ntlm_delete_sec_context(minor_status, 
+		_gss_ntlm_delete_sec_context(minor_status,
 					     context_handle, NULL);
 		return maj_stat;
 	    }
 	    *src_name = (gss_name_t)n;
-	}	    
+	}
 
 	heim_ntlm_free_type3(&type3);
 
-	ret = krb5_data_copy(&ctx->sessionkey, 
+	ret = krb5_data_copy(&ctx->sessionkey,
 			     session.data, session.length);
-	if (ret) {	
+	if (ret) {
+	    if (src_name)
+		_gss_ntlm_release_name(&junk, src_name);
 	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
 	    *minor_status = ret;
 	    return GSS_S_FAILURE;
 	}
-	
+
 	if (session.length != 0) {
 
-	    ctx->status |= STATUS_SESSIONKEY; 
+	    ctx->status |= STATUS_SESSIONKEY;
 
 	    if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
 		_gss_ntlm_set_key(&ctx->u.v2.send, 1,
@@ -233,10 +243,10 @@ _gss_ntlm_accept_sec_context
 				  ctx->sessionkey.data,
 				  ctx->sessionkey.length);
 	    } else {
-		RC4_set_key(&ctx->u.v1.crypto_send.key, 
+		RC4_set_key(&ctx->u.v1.crypto_send.key,
 			    ctx->sessionkey.length,
 			    ctx->sessionkey.data);
-		RC4_set_key(&ctx->u.v1.crypto_recv.key, 
+		RC4_set_key(&ctx->u.v1.crypto_recv.key,
 			    ctx->sessionkey.length,
 			    ctx->sessionkey.data);
 	    }
diff --git a/lib/gssapi/ntlm/acquire_cred.c b/lib/gssapi/ntlm/acquire_cred.c
index 8e17d4fb182b..b186271f590f 100644
--- a/lib/gssapi/ntlm/acquire_cred.c
+++ b/lib/gssapi/ntlm/acquire_cred.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: acquire_cred.c 22380 2007-12-29 18:42:56Z lha $");
-
-OM_uint32 _gss_ntlm_acquire_cred
+OM_uint32 GSSAPI_CALLCONV _gss_ntlm_acquire_cred
            (OM_uint32 * min_stat,
             const gss_name_t desired_name,
             OM_uint32 time_req,
@@ -51,8 +49,7 @@ OM_uint32 _gss_ntlm_acquire_cred
     ntlm_ctx ctx;
 
     *min_stat = 0;
-    if (output_cred_handle)
-	*output_cred_handle = GSS_C_NO_CREDENTIAL;
+    *output_cred_handle = GSS_C_NO_CREDENTIAL;
     if (actual_mechs)
 	*actual_mechs = GSS_C_NO_OID_SET;
     if (time_rec)
@@ -66,19 +63,17 @@ OM_uint32 _gss_ntlm_acquire_cred
 	maj_stat = _gss_ntlm_allocate_ctx(min_stat, &ctx);
 	if (maj_stat != GSS_S_COMPLETE)
 	    return maj_stat;
-	
-	maj_stat = (*ctx->server->nsi_probe)(min_stat, ctx->ictx, 
-					     name->domain);
-
-	if (maj_stat)
-	    return maj_stat;
 
+	maj_stat = (*ctx->server->nsi_probe)(min_stat, ctx->ictx,
+					     name->domain);
 	{
 	    gss_ctx_id_t context = (gss_ctx_id_t)ctx;
-	    _gss_ntlm_delete_sec_context(min_stat, &context, NULL);
-	    *min_stat = 0;
+	    OM_uint32 junk;
+	    _gss_ntlm_delete_sec_context(&junk, &context, NULL);
 	}
-    }	
+	if (maj_stat)
+	    return maj_stat;
+    }
     if (cred_usage == GSS_C_BOTH || cred_usage == GSS_C_INITIATE) {
 	ntlm_cred cred;
 
diff --git a/lib/gssapi/ntlm/add_cred.c b/lib/gssapi/ntlm/add_cred.c
index 11a25811116a..7c6b5ba255a0 100644
--- a/lib/gssapi/ntlm/add_cred.c
+++ b/lib/gssapi/ntlm/add_cred.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: add_cred.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_add_cred (
+OM_uint32 GSSAPI_CALLCONV _gss_ntlm_add_cred (
      OM_uint32           *minor_status,
      const gss_cred_id_t input_cred_handle,
      const gss_name_t    desired_name,
diff --git a/lib/gssapi/ntlm/canonicalize_name.c b/lib/gssapi/ntlm/canonicalize_name.c
index 8eaa8702fb8e..0ea64299dd0c 100644
--- a/lib/gssapi/ntlm/canonicalize_name.c
+++ b/lib/gssapi/ntlm/canonicalize_name.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: canonicalize_name.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_canonicalize_name (
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_canonicalize_name (
             OM_uint32 * minor_status,
             const gss_name_t input_name,
             const gss_OID mech_type,
diff --git a/lib/gssapi/ntlm/compare_name.c b/lib/gssapi/ntlm/compare_name.c
index d2c2d8b21327..6e095bdee2a7 100644
--- a/lib/gssapi/ntlm/compare_name.c
+++ b/lib/gssapi/ntlm/compare_name.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: compare_name.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_compare_name
+OM_uint32 GSSAPI_CALLCONV _gss_ntlm_compare_name
            (OM_uint32 * minor_status,
             const gss_name_t name1,
             const gss_name_t name2,
diff --git a/lib/gssapi/ntlm/context_time.c b/lib/gssapi/ntlm/context_time.c
index a6895cbe8727..73debda48326 100644
--- a/lib/gssapi/ntlm/context_time.c
+++ b/lib/gssapi/ntlm/context_time.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: context_time.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_context_time
+OM_uint32 GSSAPI_CALLCONV _gss_ntlm_context_time
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             OM_uint32 * time_rec
diff --git a/lib/gssapi/ntlm/creds.c b/lib/gssapi/ntlm/creds.c
new file mode 100644
index 000000000000..ffbf35504eea
--- /dev/null
+++ b/lib/gssapi/ntlm/creds.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ntlm.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_inquire_cred
+           (OM_uint32 * minor_status,
+            const gss_cred_id_t cred_handle,
+            gss_name_t * name,
+            OM_uint32 * lifetime,
+            gss_cred_usage_t * cred_usage,
+            gss_OID_set * mechanisms
+           )
+{
+    OM_uint32 ret, junk;
+
+    *minor_status = 0;
+
+    if (cred_handle == NULL)
+	return GSS_S_NO_CRED;
+
+    if (name) {
+	ntlm_name n = calloc(1, sizeof(*n));
+	ntlm_cred c = (ntlm_cred)cred_handle;
+	if (n) {
+	    n->user = strdup(c->username);
+	    n->domain = strdup(c->domain);
+	}
+	if (n == NULL || n->user == NULL || n->domain == NULL) {
+	    if (n)
+		free(n->user);
+	    *minor_status = ENOMEM;
+	    return GSS_S_FAILURE;
+	}
+	*name = (gss_name_t)n;
+    }
+    if (lifetime)
+	*lifetime = GSS_C_INDEFINITE;
+    if (cred_usage)
+	*cred_usage = 0;
+    if (mechanisms)
+	*mechanisms = GSS_C_NO_OID_SET;
+
+    if (cred_handle == GSS_C_NO_CREDENTIAL)
+	return GSS_S_NO_CRED;
+
+    if (mechanisms) {
+        ret = gss_create_empty_oid_set(minor_status, mechanisms);
+        if (ret)
+	    goto out;
+	ret = gss_add_oid_set_member(minor_status,
+				     GSS_NTLM_MECHANISM,
+				     mechanisms);
+        if (ret)
+	    goto out;
+    }
+
+    return GSS_S_COMPLETE;
+out:
+    gss_release_oid_set(&junk, mechanisms);
+    return ret;
+}
+
+#ifdef HAVE_KCM
+static OM_uint32
+_gss_ntlm_destroy_kcm_cred(gss_cred_id_t *cred_handle)
+{
+    krb5_storage *request, *response;
+    krb5_data response_data;
+    krb5_context context;
+    krb5_error_code ret;
+    ntlm_cred cred;
+
+    cred = (ntlm_cred)*cred_handle;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+        return ret;
+
+    ret = krb5_kcm_storage_request(context, KCM_OP_DEL_NTLM_CRED, &request);
+    if (ret)
+	goto out;
+
+    ret = krb5_store_stringz(request, cred->username);
+    if (ret)
+	goto out;
+
+    ret = krb5_store_stringz(request, cred->domain);
+    if (ret)
+	goto out;
+
+    ret = krb5_kcm_call(context, request, &response, &response_data);
+    if (ret)
+	goto out;
+
+    krb5_storage_free(request);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+
+ out:
+    krb5_free_context(context);
+
+    return ret;
+}
+#endif /* HAVE_KCM */
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_destroy_cred(OM_uint32 *minor_status,
+		       gss_cred_id_t *cred_handle)
+{
+#ifdef HAVE_KCM
+    krb5_error_code ret;
+#endif
+
+    if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL)
+	return GSS_S_COMPLETE;
+
+#ifdef HAVE_KCM
+    ret = _gss_ntlm_destroy_kcm_cred(cred_handle);
+    if (ret) {
+	*minor_status = ret;
+	return GSS_S_FAILURE;
+    }
+#endif
+
+    return _gss_ntlm_release_cred(minor_status, cred_handle);
+}
diff --git a/lib/gssapi/ntlm/crypto.c b/lib/gssapi/ntlm/crypto.c
index b05246ca52f4..85dc638dda58 100644
--- a/lib/gssapi/ntlm/crypto.c
+++ b/lib/gssapi/ntlm/crypto.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
-
-RCSID("$Id: crypto.c 19535 2006-12-28 14:49:01Z lha $");
+#include "ntlm.h"
 
 uint32_t
 _krb5_crc_update (const char *p, size_t len, uint32_t res);
@@ -80,7 +78,7 @@ _gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign,
 		  unsigned char *data, size_t len)
 {
     unsigned char out[16];
-    MD5_CTX ctx;
+    EVP_MD_CTX *ctx;
     const char *signmagic;
     const char *sealmagic;
 
@@ -94,15 +92,17 @@ _gss_ntlm_set_key(struct ntlmv2_key *key, int acceptor, int sealsign,
 
     key->seq = 0;
 
-    MD5_Init(&ctx);
-    MD5_Update(&ctx, data, len);
-    MD5_Update(&ctx, signmagic, strlen(signmagic) + 1);
-    MD5_Final(key->signkey, &ctx);
+    ctx = EVP_MD_CTX_create();
+    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+    EVP_DigestUpdate(ctx, data, len);
+    EVP_DigestUpdate(ctx, signmagic, strlen(signmagic) + 1);
+    EVP_DigestFinal_ex(ctx, key->signkey, NULL);
 
-    MD5_Init(&ctx);
-    MD5_Update(&ctx, data, len);
-    MD5_Update(&ctx, sealmagic, strlen(sealmagic) + 1);
-    MD5_Final(out, &ctx);
+    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+    EVP_DigestUpdate(ctx, data, len);
+    EVP_DigestUpdate(ctx, sealmagic, strlen(sealmagic) + 1);
+    EVP_DigestFinal_ex(ctx, out, NULL);
+    EVP_MD_CTX_destroy(ctx);
 
     RC4_set_key(&key->sealkey, 16, out);
     if (sealsign)
@@ -121,20 +121,20 @@ v1_sign_message(gss_buffer_t in,
 {
     unsigned char sigature[12];
     uint32_t crc;
-    
+
     _krb5_crc_init_table();
     crc = _krb5_crc_update(in->value, in->length, 0);
-    
+
     encode_le_uint32(0, &sigature[0]);
     encode_le_uint32(crc, &sigature[4]);
     encode_le_uint32(seq, &sigature[8]);
-    
+
     encode_le_uint32(1, out); /* version */
     RC4(signkey, sizeof(sigature), sigature, out + 4);
-    
+
     if (RAND_bytes(out + 4, 4) != 1)
 	return GSS_S_UNAVAILABLE;
-    
+
     return 0;
 }
 
@@ -152,7 +152,7 @@ v2_sign_message(gss_buffer_t in,
 
     HMAC_CTX_init(&c);
     HMAC_Init_ex(&c, signkey, 16, EVP_md5(), NULL);
-    
+
     encode_le_uint32(seq, hmac);
     HMAC_Update(&c, hmac, 4);
     HMAC_Update(&c, in->value, in->length);
@@ -188,7 +188,7 @@ v2_verify_message(gss_buffer_t in,
 	return GSS_S_BAD_MIC;
 
     return GSS_S_COMPLETE;
-}    
+}
 
 static OM_uint32
 v2_seal_message(const gss_buffer_t in,
@@ -259,8 +259,9 @@ v2_unseal_message(gss_buffer_t in,
 /*
  *
  */
- 
-OM_uint32 _gss_ntlm_get_mic
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_get_mic
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             gss_qop_t qop_req,
@@ -271,12 +272,7 @@ OM_uint32 _gss_ntlm_get_mic
     ntlm_ctx ctx = (ntlm_ctx)context_handle;
     OM_uint32 junk;
 
-    if (minor_status)
-	*minor_status = 0;
-    if (message_token) {
-	message_token->length = 0;
-	message_token->value = NULL;
-    }
+    *minor_status = 0;
 
     message_token->value = malloc(16);
     message_token->length = 16;
@@ -339,7 +335,7 @@ OM_uint32 _gss_ntlm_get_mic
  *
  */
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_verify_mic
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
@@ -388,7 +384,7 @@ _gss_ntlm_verify_mic
 	    ((unsigned char *)token_buffer->value) + 4, sigature);
 
 	_krb5_crc_init_table();
-	crc = _krb5_crc_update(message_buffer->value, 
+	crc = _krb5_crc_update(message_buffer->value,
 			       message_buffer->length, 0);
 	/* skip first 4 bytes in the encrypted checksum */
 	decode_le_uint32(&sigature[4], &num);
@@ -425,7 +421,7 @@ _gss_ntlm_verify_mic
  *
  */
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_wrap_size_limit (
             OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
@@ -456,7 +452,8 @@ _gss_ntlm_wrap_size_limit (
  *
  */
 
-OM_uint32 _gss_ntlm_wrap
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_wrap
 (OM_uint32 * minor_status,
  const gss_ctx_id_t context_handle,
  int conf_req_flag,
@@ -469,14 +466,13 @@ OM_uint32 _gss_ntlm_wrap
     ntlm_ctx ctx = (ntlm_ctx)context_handle;
     OM_uint32 ret;
 
-    if (minor_status)
-	*minor_status = 0;
+    *minor_status = 0;
     if (conf_state)
 	*conf_state = 0;
     if (output_message_buffer == GSS_C_NO_BUFFER)
 	return GSS_S_FAILURE;
 
-    
+
     if (CTX_FLAGS_ISSET(ctx, NTLM_NEG_SEAL|NTLM_NEG_NTLM2_SESSION)) {
 
 	return v2_seal_message(input_message_buffer,
@@ -499,7 +495,7 @@ OM_uint32 _gss_ntlm_wrap
 
 	RC4(&ctx->u.v1.crypto_send.key, input_message_buffer->length,
 	    input_message_buffer->value, output_message_buffer->value);
-	
+
 	ret = _gss_ntlm_get_mic(minor_status, context_handle,
 				0, input_message_buffer,
 				&trailer);
@@ -512,7 +508,7 @@ OM_uint32 _gss_ntlm_wrap
 	    gss_release_buffer(&junk, &trailer);
 	    return GSS_S_FAILURE;
 	}
-	memcpy(((unsigned char *)output_message_buffer->value) + 
+	memcpy(((unsigned char *)output_message_buffer->value) +
 	       input_message_buffer->length,
 	       trailer.value, trailer.length);
 	gss_release_buffer(&junk, &trailer);
@@ -527,7 +523,8 @@ OM_uint32 _gss_ntlm_wrap
  *
  */
 
-OM_uint32 _gss_ntlm_unwrap
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_unwrap
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             const gss_buffer_t input_message_buffer,
@@ -539,12 +536,10 @@ OM_uint32 _gss_ntlm_unwrap
     ntlm_ctx ctx = (ntlm_ctx)context_handle;
     OM_uint32 ret;
 
-    if (minor_status)
-	*minor_status = 0;
-    if (output_message_buffer) {
-	output_message_buffer->value = NULL;
-	output_message_buffer->length = 0;
-    }
+    *minor_status = 0;
+    output_message_buffer->value = NULL;
+    output_message_buffer->length = 0;
+
     if (conf_state)
 	*conf_state = 0;
     if (qop_state)
@@ -572,10 +567,10 @@ OM_uint32 _gss_ntlm_unwrap
 	    output_message_buffer->length = 0;
 	    return GSS_S_FAILURE;
 	}
-	
+
 	RC4(&ctx->u.v1.crypto_recv.key, output_message_buffer->length,
 	    input_message_buffer->value, output_message_buffer->value);
-	
+
 	trailer.value = ((unsigned char *)input_message_buffer->value) +
 	    output_message_buffer->length;
 	trailer.length = 16;
diff --git a/lib/gssapi/ntlm/delete_sec_context.c b/lib/gssapi/ntlm/delete_sec_context.c
index c51f227051fe..41c30b76f1a8 100644
--- a/lib/gssapi/ntlm/delete_sec_context.c
+++ b/lib/gssapi/ntlm/delete_sec_context.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: delete_sec_context.c 22163 2007-12-04 21:25:06Z lha $");
-
-OM_uint32 _gss_ntlm_delete_sec_context
+OM_uint32 GSSAPI_CALLCONV _gss_ntlm_delete_sec_context
            (OM_uint32 * minor_status,
             gss_ctx_id_t * context_handle,
             gss_buffer_t output_token
diff --git a/lib/gssapi/ntlm/display_name.c b/lib/gssapi/ntlm/display_name.c
index a04d96c4510f..4f8e3e6828c4 100644
--- a/lib/gssapi/ntlm/display_name.c
+++ b/lib/gssapi/ntlm/display_name.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: display_name.c 22373 2007-12-28 18:36:06Z lha $");
-
-OM_uint32 _gss_ntlm_display_name
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_display_name
            (OM_uint32 * minor_status,
             const gss_name_t input_name,
             gss_buffer_t output_name_buffer,
@@ -49,9 +48,9 @@ OM_uint32 _gss_ntlm_display_name
 
     if (output_name_buffer) {
 	ntlm_name n = (ntlm_name)input_name;
-	char *str;
+	char *str = NULL;
 	int len;
-	
+
 	output_name_buffer->length = 0;
 	output_name_buffer->value = NULL;
 
@@ -61,7 +60,7 @@ OM_uint32 _gss_ntlm_display_name
 	}
 
 	len = asprintf(&str, "%s@%s", n->user, n->domain);
-	if (str == NULL) {
+	if (len < 0 || str == NULL) {
 	    *minor_status = ENOMEM;
 	    return GSS_S_FAILURE;
 	}
diff --git a/lib/gssapi/ntlm/display_status.c b/lib/gssapi/ntlm/display_status.c
index 70be5ebe4985..c9e1792d31f8 100644
--- a/lib/gssapi/ntlm/display_status.c
+++ b/lib/gssapi/ntlm/display_status.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1998 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: display_status.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_display_status
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_display_status
            (OM_uint32		*minor_status,
 	    OM_uint32		 status_value,
 	    int			 status_type,
diff --git a/lib/gssapi/ntlm/duplicate_name.c b/lib/gssapi/ntlm/duplicate_name.c
index 2b2f7dd65fe1..4ef574fb50ee 100644
--- a/lib/gssapi/ntlm/duplicate_name.c
+++ b/lib/gssapi/ntlm/duplicate_name.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: duplicate_name.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_duplicate_name (
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_duplicate_name (
             OM_uint32 * minor_status,
             const gss_name_t src_name,
             gss_name_t * dest_name
diff --git a/lib/gssapi/ntlm/export_name.c b/lib/gssapi/ntlm/export_name.c
index f0941b1ce625..8fe69aaaf45e 100644
--- a/lib/gssapi/ntlm/export_name.c
+++ b/lib/gssapi/ntlm/export_name.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997, 1999, 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: export_name.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_export_name
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_export_name
            (OM_uint32  * minor_status,
             const gss_name_t input_name,
             gss_buffer_t exported_name
diff --git a/lib/gssapi/ntlm/export_sec_context.c b/lib/gssapi/ntlm/export_sec_context.c
index 99a7be19ab27..027a9210ebdb 100644
--- a/lib/gssapi/ntlm/export_sec_context.c
+++ b/lib/gssapi/ntlm/export_sec_context.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: export_sec_context.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_export_sec_context (
     OM_uint32 * minor_status,
     gss_ctx_id_t * context_handle,
diff --git a/lib/gssapi/ntlm/external.c b/lib/gssapi/ntlm/external.c
index 8f86032796a9..d0474f4ec812 100644
--- a/lib/gssapi/ntlm/external.c
+++ b/lib/gssapi/ntlm/external.c
@@ -1,44 +1,70 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: external.c 19359 2006-12-15 20:01:48Z lha $");
+static gss_mo_desc ntlm_mo[] = {
+    {
+	GSS_C_MA_SASL_MECH_NAME,
+	GSS_MO_MA,
+	"SASL mech name",
+	rk_UNCONST("NTLM"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_NAME,
+	GSS_MO_MA,
+	"Mechanism name",
+	rk_UNCONST("NTLMSPP"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_DESCRIPTION,
+	GSS_MO_MA,
+	"Mechanism description",
+	rk_UNCONST("Heimdal NTLMSSP Mechanism"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    }
+};
 
 static gssapi_mech_interface_desc ntlm_mech = {
     GMI_VERSION,
     "ntlm",
     {10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") },
+    0,
     _gss_ntlm_acquire_cred,
     _gss_ntlm_release_cred,
     _gss_ntlm_init_sec_context,
@@ -67,7 +93,33 @@ static gssapi_mech_interface_desc ntlm_mech = {
     _gss_ntlm_inquire_names_for_mech,
     _gss_ntlm_inquire_mechs_for_name,
     _gss_ntlm_canonicalize_name,
-    _gss_ntlm_duplicate_name
+    _gss_ntlm_duplicate_name,
+    _gss_ntlm_inquire_sec_context_by_oid,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    _gss_ntlm_iter_creds_f,
+    _gss_ntlm_destroy_cred,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    ntlm_mo,
+    sizeof(ntlm_mo) / sizeof(ntlm_mo[0]),
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface
@@ -75,8 +127,3 @@ __gss_ntlm_initialize(void)
 {
 	return &ntlm_mech;
 }
-
-static gss_OID_desc _gss_ntlm_mechanism_desc = 
-{10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
-
-gss_OID GSS_NTLM_MECHANISM = &_gss_ntlm_mechanism_desc;
diff --git a/lib/gssapi/ntlm/import_name.c b/lib/gssapi/ntlm/import_name.c
index 91cba082eadf..e75388d91e76 100644
--- a/lib/gssapi/ntlm/import_name.c
+++ b/lib/gssapi/ntlm/import_name.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: import_name.c 22373 2007-12-28 18:36:06Z lha $");
-
-OM_uint32 _gss_ntlm_import_name
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_import_name
            (OM_uint32 * minor_status,
             const gss_buffer_t input_name_buffer,
             const gss_OID input_name_type,
@@ -43,14 +42,21 @@ OM_uint32 _gss_ntlm_import_name
            )
 {
     char *name, *p, *p2;
+    int is_hostnamed;
+    int is_username;
     ntlm_name n;
 
     *minor_status = 0;
 
-    if (output_name)
-	*output_name = GSS_C_NO_NAME;
+    if (output_name == NULL)
+	return GSS_S_CALL_INACCESSIBLE_WRITE;
+
+    *output_name = GSS_C_NO_NAME;
+
+    is_hostnamed = gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE);
+    is_username = gss_oid_equal(input_name_type, GSS_C_NT_USER_NAME);
 
-    if (!gss_oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE))
+    if (!is_hostnamed && !is_username)
 	return GSS_S_BAD_NAMETYPE;
 
     name = malloc(input_name_buffer->length + 1);
@@ -63,21 +69,25 @@ OM_uint32 _gss_ntlm_import_name
 
     /* find "domain" part of the name and uppercase it */
     p = strchr(name, '@');
-    if (p == NULL)
+    if (p == NULL) {
+        free(name);
 	return GSS_S_BAD_NAME;
+    }
     p[0] = '\0';
     p++;
     p2 = strchr(p, '.');
     if (p2 && p2[1] != '\0') {
-	p = p2 + 1;
-	p2 = strchr(p, '.');
+	if (is_hostnamed) {
+	    p = p2 + 1;
+	    p2 = strchr(p, '.');
+	}
 	if (p2)
 	    *p2 = '\0';
     }
     strupr(p);
-    
+
     n = calloc(1, sizeof(*n));
-    if (name == NULL) {
+    if (n == NULL) {
 	free(name);
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
diff --git a/lib/gssapi/ntlm/import_sec_context.c b/lib/gssapi/ntlm/import_sec_context.c
index cde0a011f0ce..fe637c0775e5 100644
--- a/lib/gssapi/ntlm/import_sec_context.c
+++ b/lib/gssapi/ntlm/import_sec_context.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: import_sec_context.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_import_sec_context (
     OM_uint32 * minor_status,
     const gss_buffer_t interprocess_token,
diff --git a/lib/gssapi/ntlm/indicate_mechs.c b/lib/gssapi/ntlm/indicate_mechs.c
index 64171631edc9..7cda47580993 100644
--- a/lib/gssapi/ntlm/indicate_mechs.c
+++ b/lib/gssapi/ntlm/indicate_mechs.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
-
-RCSID("$Id: indicate_mechs.c 19334 2006-12-14 12:17:34Z lha $");
+#include "ntlm.h"
 
 OM_uint32 _gss_ntlm_indicate_mechs
 (OM_uint32 * minor_status,
diff --git a/lib/gssapi/ntlm/init_sec_context.c b/lib/gssapi/ntlm/init_sec_context.c
index 140dbece8435..bae04e174060 100644
--- a/lib/gssapi/ntlm/init_sec_context.c
+++ b/lib/gssapi/ntlm/init_sec_context.c
@@ -1,50 +1,49 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
-
-RCSID("$Id: init_sec_context.c 22382 2007-12-30 12:13:17Z lha $");
+#include "ntlm.h"
 
 static int
-from_file(const char *fn, const char *target_domain, 
+from_file(const char *fn, const char *target_domain,
 	  char **username, struct ntlm_buf *key)
-{	  
+{
     char *str, buf[1024];
     FILE *f;
 
     f = fopen(fn, "r");
     if (f == NULL)
 	return ENOENT;
+    rk_cloexec_file(f);
 
     while (fgets(buf, sizeof(buf), f) != NULL) {
 	char *d, *u, *p;
@@ -74,7 +73,7 @@ from_file(const char *fn, const char *target_domain,
 }
 
 static int
-get_user_file(const ntlm_name target_name, 
+get_user_file(const ntlm_name target_name,
 	      char **username, struct ntlm_buf *key)
 {
     const char *fn;
@@ -98,19 +97,18 @@ get_user_file(const ntlm_name target_name,
 static int
 get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
 {
-    krb5_principal client;
     krb5_context context = NULL;
-    krb5_error_code ret;
+    krb5_principal client;
     krb5_ccache id = NULL;
-    krb5_creds mcreds, creds;
+    krb5_error_code ret;
+    char *confname;
+    krb5_data data;
 
     *username = NULL;
+    krb5_data_zero(&data);
     key->length = 0;
     key->data = NULL;
 
-    memset(&creds, 0, sizeof(creds));
-    memset(&mcreds, 0, sizeof(mcreds));
-
     ret = krb5_init_context(&context);
     if (ret)
 	return ret;
@@ -126,47 +124,36 @@ get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
     ret = krb5_unparse_name_flags(context, client,
 				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
 				  username);
-    if (ret)
-	goto out;
-
-    ret = krb5_make_principal(context, &mcreds.server,
-			      krb5_principal_get_realm(context, client),
-			      "@ntlm-key", name->domain, NULL);
     krb5_free_principal(context, client);
     if (ret)
 	goto out;
 
-    mcreds.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
-    ret = krb5_cc_retrieve_cred(context, id, KRB5_TC_MATCH_KEYTYPE, 
-				&mcreds, &creds);
-    if (ret) {
-	char *s = krb5_get_error_message(context, ret);
-	krb5_free_error_string(context, s);
+    asprintf(&confname, "ntlm-key-%s", name->domain);
+    if (confname == NULL) {
+	krb5_clear_error_message(context);
+	ret = ENOMEM;
 	goto out;
     }
 
-    key->data = malloc(creds.session.keyvalue.length);
-    if (key->data == NULL)
+    ret = krb5_cc_get_config(context, id, NULL,
+			     confname, &data);
+    if (ret)
 	goto out;
-    key->length = creds.session.keyvalue.length;
-    memcpy(key->data, creds.session.keyvalue.data, key->length);
-
-    krb5_free_cred_contents(context, &creds);
 
-    return 0;
-
-out:
-    if (*username) {
-	free(*username);
-	*username = NULL;
+    key->data = malloc(data.length);
+    if (key->data == NULL) {
+	ret = ENOMEM;
+	goto out;
     }
-    krb5_free_cred_contents(context, &creds);
-    if (mcreds.server)
-	krb5_free_principal(context, mcreds.server);
+    key->length = data.length;
+    memcpy(key->data, data.data, data.length);
+
+ out:
+    krb5_data_free(&data);
     if (id)
 	krb5_cc_close(context, id);
-    if (context)
-	krb5_free_context(context);
+
+    krb5_free_context(context);
 
     return ret;
 }
@@ -177,11 +164,11 @@ _gss_ntlm_get_user_cred(const ntlm_name target_name,
 {
     ntlm_cred cred;
     int ret;
- 
+
     cred = calloc(1, sizeof(*cred));
     if (cred == NULL)
 	return ENOMEM;
-    
+
     ret = get_user_file(target_name, &cred->username, &cred->key);
     if (ret)
 	ret = get_user_ccache(target_name, &cred->username, &cred->key);
@@ -189,7 +176,7 @@ _gss_ntlm_get_user_cred(const ntlm_name target_name,
 	free(cred);
 	return ret;
     }
-    
+
     cred->domain = strdup(target_name->domain);
     *rcred = cred;
 
@@ -199,7 +186,7 @@ _gss_ntlm_get_user_cred(const ntlm_name target_name,
 static int
 _gss_copy_cred(ntlm_cred from, ntlm_cred *to)
 {
-    *to = calloc(1, sizeof(*to));
+    *to = calloc(1, sizeof(**to));
     if (*to == NULL)
 	return ENOMEM;
     (*to)->username = strdup(from->username);
@@ -226,7 +213,7 @@ _gss_copy_cred(ntlm_cred from, ntlm_cred *to)
     return 0;
 }
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_init_sec_context
            (OM_uint32 * minor_status,
             const gss_cred_id_t initiator_cred_handle,
@@ -260,7 +247,7 @@ _gss_ntlm_init_sec_context
 	struct ntlm_buf data;
 	uint32_t flags = 0;
 	int ret;
-	
+
 	ctx = calloc(1, sizeof(*ctx));
 	if (ctx == NULL) {
 	    *minor_status = EINVAL;
@@ -293,23 +280,23 @@ _gss_ntlm_init_sec_context
 	flags |= NTLM_NEG_KEYEX;
 
 	memset(&type1, 0, sizeof(type1));
-	
+
 	type1.flags = flags;
 	type1.domain = name->domain;
 	type1.hostname = NULL;
 	type1.os[0] = 0;
 	type1.os[1] = 0;
-	
+
 	ret = heim_ntlm_encode_type1(&type1, &data);
 	if (ret) {
 	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
 	    *minor_status = ret;
 	    return GSS_S_FAILURE;
 	}
-	
+
 	output_token->value = data.data;
 	output_token->length = data.length;
-	
+
 	return GSS_S_CONTINUE_NEEDED;
     } else {
 	krb5_error_code ret;
@@ -331,7 +318,7 @@ _gss_ntlm_init_sec_context
 
 	ctx->flags = type2.flags;
 
-	/* XXX check that type2.targetinfo matches `target_name´ */
+	/* XXX check that type2.targetinfo matches `target_name´ */
 	/* XXX check verify targetinfo buffer */
 
 	memset(&type3, 0, sizeof(type3));
@@ -352,21 +339,21 @@ _gss_ntlm_init_sec_context
 		unsigned char nonce[8];
 
 		if (RAND_bytes(nonce, sizeof(nonce)) != 1) {
-		    _gss_ntlm_delete_sec_context(minor_status, 
+		    _gss_ntlm_delete_sec_context(minor_status,
 						 context_handle, NULL);
 		    *minor_status = EINVAL;
 		    return GSS_S_FAILURE;
 		}
 
 		ret = heim_ntlm_calculate_ntlm2_sess(nonce,
-						     type2.challange,
+						     type2.challenge,
 						     ctx->client->key.data,
 						     &type3.lm,
 						     &type3.ntlm);
 	    } else {
-		ret = heim_ntlm_calculate_ntlm1(ctx->client->key.data, 
+		ret = heim_ntlm_calculate_ntlm1(ctx->client->key.data,
 						ctx->client->key.length,
-						type2.challange,
+						type2.challenge,
 						&type3.ntlm);
 
 	    }
@@ -376,7 +363,7 @@ _gss_ntlm_init_sec_context
 		return GSS_S_FAILURE;
 	    }
 
-	    ret = heim_ntlm_build_ntlm1_master(ctx->client->key.data, 
+	    ret = heim_ntlm_build_ntlm1_master(ctx->client->key.data,
 					       ctx->client->key.length,
 					       &sessionkey,
 					       &type3.sessionkey);
@@ -390,7 +377,7 @@ _gss_ntlm_init_sec_context
 		return GSS_S_FAILURE;
 	    }
 
-	    ret = krb5_data_copy(&ctx->sessionkey, 
+	    ret = krb5_data_copy(&ctx->sessionkey,
 				 sessionkey.data, sessionkey.length);
 	    free(sessionkey.data);
 	    if (ret) {
@@ -402,7 +389,7 @@ _gss_ntlm_init_sec_context
 		*minor_status = ret;
 		return GSS_S_FAILURE;
 	    }
-	    ctx->status |= STATUS_SESSIONKEY; 
+	    ctx->status |= STATUS_SESSIONKEY;
 
 	} else {
 	    struct ntlm_buf sessionkey;
@@ -410,17 +397,17 @@ _gss_ntlm_init_sec_context
 	    struct ntlm_targetinfo ti;
 
 	    /* verify infotarget */
-	    
+
 	    ret = heim_ntlm_decode_targetinfo(&type2.targetinfo, 1, &ti);
 	    if(ret) {
-		_gss_ntlm_delete_sec_context(minor_status, 
+		_gss_ntlm_delete_sec_context(minor_status,
 					     context_handle, NULL);
 		*minor_status = ret;
 		return GSS_S_FAILURE;
 	    }
 
 	    if (ti.domainname && strcmp(ti.domainname, name->domain) != 0) {
-		_gss_ntlm_delete_sec_context(minor_status, 
+		_gss_ntlm_delete_sec_context(minor_status,
 					     context_handle, NULL);
 		*minor_status = EINVAL;
 		return GSS_S_FAILURE;
@@ -430,12 +417,12 @@ _gss_ntlm_init_sec_context
 					    ctx->client->key.length,
 					    ctx->client->username,
 					    name->domain,
-					    type2.challange,
+					    type2.challenge,
 					    &type2.targetinfo,
 					    ntlmv2,
 					    &type3.ntlm);
 	    if (ret) {
-		_gss_ntlm_delete_sec_context(minor_status, 
+		_gss_ntlm_delete_sec_context(minor_status,
 					     context_handle, NULL);
 		*minor_status = ret;
 		return GSS_S_FAILURE;
@@ -446,21 +433,27 @@ _gss_ntlm_init_sec_context
 					       &type3.sessionkey);
 	    memset(ntlmv2, 0, sizeof(ntlmv2));
 	    if (ret) {
-		_gss_ntlm_delete_sec_context(minor_status, 
+		_gss_ntlm_delete_sec_context(minor_status,
 					     context_handle, NULL);
 		*minor_status = ret;
 		return GSS_S_FAILURE;
 	    }
-	    
+
 	    ctx->flags |= NTLM_NEG_NTLM2_SESSION;
 
-	    ret = krb5_data_copy(&ctx->sessionkey, 
+	    ret = krb5_data_copy(&ctx->sessionkey,
 				 sessionkey.data, sessionkey.length);
 	    free(sessionkey.data);
+	    if (ret) {
+		_gss_ntlm_delete_sec_context(minor_status,
+					     context_handle, NULL);
+		*minor_status = ret;
+		return GSS_S_FAILURE;
+	    }
 	}
 
 	if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
-	    ctx->status |= STATUS_SESSIONKEY; 
+	    ctx->status |= STATUS_SESSIONKEY;
 	    _gss_ntlm_set_key(&ctx->u.v2.send, 0, (ctx->flags & NTLM_NEG_KEYEX),
 			      ctx->sessionkey.data,
 			      ctx->sessionkey.length);
@@ -468,15 +461,15 @@ _gss_ntlm_init_sec_context
 			      ctx->sessionkey.data,
 			      ctx->sessionkey.length);
 	} else {
-	    ctx->status |= STATUS_SESSIONKEY; 
-	    RC4_set_key(&ctx->u.v1.crypto_recv.key, 
+	    ctx->status |= STATUS_SESSIONKEY;
+	    RC4_set_key(&ctx->u.v1.crypto_recv.key,
 			ctx->sessionkey.length,
 			ctx->sessionkey.data);
-	    RC4_set_key(&ctx->u.v1.crypto_send.key, 
+	    RC4_set_key(&ctx->u.v1.crypto_send.key,
 			ctx->sessionkey.length,
 			ctx->sessionkey.data);
 	}
-	
+
 
 
 	ret = heim_ntlm_encode_type3(&type3, &data);
diff --git a/lib/gssapi/ntlm/inquire_context.c b/lib/gssapi/ntlm/inquire_context.c
index fe6b32272f70..fd0cb8799637 100644
--- a/lib/gssapi/ntlm/inquire_context.c
+++ b/lib/gssapi/ntlm/inquire_context.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: inquire_context.c 21079 2007-06-13 00:25:25Z lha $");
-
-OM_uint32 _gss_ntlm_inquire_context (
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_inquire_context (
             OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             gss_name_t * src_name,
diff --git a/lib/gssapi/ntlm/inquire_cred.c b/lib/gssapi/ntlm/inquire_cred.c
deleted file mode 100644
index 1d49b5070d87..000000000000
--- a/lib/gssapi/ntlm/inquire_cred.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
- *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
- *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
- *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
- */
-
-#include "ntlm/ntlm.h"
-
-RCSID("$Id: inquire_cred.c 22148 2007-12-04 17:59:29Z lha $");
-
-OM_uint32 _gss_ntlm_inquire_cred
-           (OM_uint32 * minor_status,
-            const gss_cred_id_t cred_handle,
-            gss_name_t * name,
-            OM_uint32 * lifetime,
-            gss_cred_usage_t * cred_usage,
-            gss_OID_set * mechanisms
-           )
-{
-    OM_uint32 ret, junk;
-
-    if (minor_status)
-	*minor_status = 0;
-    if (name)
-	*name = GSS_C_NO_NAME;
-    if (lifetime)
-	*lifetime = GSS_C_INDEFINITE;
-    if (cred_usage)
-	*cred_usage = 0;
-    if (mechanisms)
-	*mechanisms = GSS_C_NO_OID_SET;
-
-    if (cred_handle == GSS_C_NO_CREDENTIAL)
-	return GSS_S_NO_CRED;
-
-    if (mechanisms) {
-        ret = gss_create_empty_oid_set(minor_status, mechanisms);
-        if (ret)
-	    goto out;
-	ret = gss_add_oid_set_member(minor_status,
-				     GSS_NTLM_MECHANISM,
-				     mechanisms);
-        if (ret)
-	    goto out;
-    }
-
-    return GSS_S_COMPLETE;
-out:
-    gss_release_oid_set(&junk, mechanisms);
-    return ret;
-}
diff --git a/lib/gssapi/ntlm/inquire_cred_by_mech.c b/lib/gssapi/ntlm/inquire_cred_by_mech.c
index 572c6fef759c..b5976b99d728 100644
--- a/lib/gssapi/ntlm/inquire_cred_by_mech.c
+++ b/lib/gssapi/ntlm/inquire_cred_by_mech.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: inquire_cred_by_mech.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_inquire_cred_by_mech (
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_inquire_cred_by_mech (
             OM_uint32 * minor_status,
             const gss_cred_id_t cred_handle,
             const gss_OID mech_type,
diff --git a/lib/gssapi/ntlm/inquire_mechs_for_name.c b/lib/gssapi/ntlm/inquire_mechs_for_name.c
index 8bee4836d3fb..4fd5380946a4 100644
--- a/lib/gssapi/ntlm/inquire_mechs_for_name.c
+++ b/lib/gssapi/ntlm/inquire_mechs_for_name.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: inquire_mechs_for_name.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_inquire_mechs_for_name (
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_inquire_mechs_for_name (
             OM_uint32 * minor_status,
             const gss_name_t input_name,
             gss_OID_set * mech_types
diff --git a/lib/gssapi/ntlm/inquire_names_for_mech.c b/lib/gssapi/ntlm/inquire_names_for_mech.c
index ebf624de7628..7f49b33caa47 100644
--- a/lib/gssapi/ntlm/inquire_names_for_mech.c
+++ b/lib/gssapi/ntlm/inquire_names_for_mech.c
@@ -1,42 +1,40 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: inquire_names_for_mech.c 19334 2006-12-14 12:17:34Z lha $");
-
-
-OM_uint32 _gss_ntlm_inquire_names_for_mech (
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_inquire_names_for_mech (
             OM_uint32 * minor_status,
             const gss_OID mechanism,
             gss_OID_set * name_types
diff --git a/lib/gssapi/ntlm/inquire_sec_context_by_oid.c b/lib/gssapi/ntlm/inquire_sec_context_by_oid.c
new file mode 100644
index 000000000000..ee791b15adf2
--- /dev/null
+++ b/lib/gssapi/ntlm/inquire_sec_context_by_oid.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ntlm.h"
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_inquire_sec_context_by_oid(OM_uint32 *minor_status,
+				     const gss_ctx_id_t context_handle,
+				     const gss_OID desired_object,
+				     gss_buffer_set_t *data_set)
+{
+    ntlm_ctx ctx = (ntlm_ctx)context_handle;
+
+    if (ctx == NULL) {
+	*minor_status = 0;
+	return GSS_S_NO_CONTEXT;
+    }
+
+    if (gss_oid_equal(desired_object, GSS_NTLM_GET_SESSION_KEY_X) ||
+        gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
+	gss_buffer_desc value;
+
+	value.length = ctx->sessionkey.length;
+	value.value = ctx->sessionkey.data;
+
+	return gss_add_buffer_set_member(minor_status,
+					 &value,
+					 data_set);
+    } else if (gss_oid_equal(desired_object, GSS_C_INQ_WIN2K_PAC_X)) {
+	if (ctx->pac.length == 0) {
+	    *minor_status = ENOENT;
+	    return GSS_S_FAILURE;
+	}
+
+	return gss_add_buffer_set_member(minor_status,
+					 &ctx->pac,
+					 data_set);
+
+    } else if (gss_oid_equal(desired_object, GSS_C_NTLM_AVGUEST)) {
+	gss_buffer_desc value;
+	uint32_t num;
+
+	if (ctx->kcmflags & KCM_NTLM_FLAG_AV_GUEST)
+	    num = 1;
+	else
+	    num = 0;
+
+	value.length = sizeof(num);
+	value.value = &num;
+
+	return gss_add_buffer_set_member(minor_status,
+					 &value,
+					 data_set);
+    } else {
+	*minor_status = 0;
+	return GSS_S_FAILURE;
+    }
+}
diff --git a/lib/gssapi/ntlm/iter_cred.c b/lib/gssapi/ntlm/iter_cred.c
new file mode 100644
index 000000000000..34456db5da8f
--- /dev/null
+++ b/lib/gssapi/ntlm/iter_cred.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "ntlm.h"
+
+void GSSAPI_CALLCONV
+_gss_ntlm_iter_creds_f(OM_uint32 flags,
+		       void *userctx ,
+		       void (*cred_iter)(void *, gss_OID, gss_cred_id_t))
+{
+#ifdef HAVE_KCM
+    krb5_error_code ret;
+    krb5_context context = NULL;
+    krb5_storage *request, *response;
+    krb5_data response_data;
+
+    ret = krb5_init_context(&context);
+    if (ret)
+	goto done;
+
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_NTLM_USER_LIST, &request);
+    if (ret)
+	goto done;
+
+    ret = krb5_kcm_call(context, request, &response, &response_data);
+    krb5_storage_free(request);
+    if (ret)
+	goto done;
+
+    while (1) {
+	uint32_t morep;
+	char *user = NULL, *domain = NULL;
+	ntlm_cred dn;
+
+	ret = krb5_ret_uint32(response, &morep);
+	if (ret) goto out;
+
+	if (!morep) goto out;
+
+	ret = krb5_ret_stringz(response, &user);
+	if (ret) goto out;
+	ret = krb5_ret_stringz(response, &domain);
+	if (ret) {
+	    free(user);
+	    goto out;
+	}
+
+	dn = calloc(1, sizeof(*dn));
+	if (dn == NULL) {
+	    free(user);
+	    free(domain);
+	    goto out;
+	}
+	dn->username = user;
+	dn->domain = domain;
+
+	cred_iter(userctx, GSS_NTLM_MECHANISM, (gss_cred_id_t)dn);
+    }
+ out:
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+ done:
+    if (context)
+	krb5_free_context(context);
+#endif /* HAVE_KCM */
+    (*cred_iter)(userctx, NULL, NULL);
+}
diff --git a/lib/gssapi/ntlm/digest.c b/lib/gssapi/ntlm/kdc.c
index fecf4a5b2799..7d56c7510fbb 100644
--- a/lib/gssapi/ntlm/digest.c
+++ b/lib/gssapi/ntlm/kdc.c
@@ -1,39 +1,39 @@
 /*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: digest.c 22169 2007-12-04 22:19:16Z lha $");
+#ifdef DIGEST
 
 /*
  *
@@ -66,7 +66,7 @@ get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
     krb5_keytab kt = NULL;
 
     *id = NULL;
-    
+
     if (!issuid()) {
 	const char *cache;
 
@@ -79,15 +79,15 @@ get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
 	}
     }
 
-    ret = krb5_sname_to_principal(context, NULL, "host", 
+    ret = krb5_sname_to_principal(context, NULL, "host",
 				  KRB5_NT_SRV_HST, &principal);
     if (ret)
 	goto out;
-    
-    ret = krb5_cc_cache_match(context, principal, NULL, id);
+
+    ret = krb5_cc_cache_match(context, principal, id);
     if (ret == 0)
 	return 0;
-    
+
     /* did not find in default credcache, lets try default keytab */
     ret = krb5_kt_default(context, &kt);
     if (ret)
@@ -129,16 +129,17 @@ get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
     }
 
     krb5_kt_close(context, kt);
-    
+
     return 0;
 
 out:
-    if (*destroy)
-	krb5_cc_destroy(context, *id);
-    else
-	krb5_cc_close(context, *id);
-
-    *id = NULL;
+    if (*id) {
+	if (*destroy)
+	    krb5_cc_destroy(context, *id);
+	else
+	    krb5_cc_close(context, *id);
+	*id = NULL;
+    }
 
     if (kt)
 	krb5_kt_close(context, kt);
@@ -201,7 +202,7 @@ kdc_probe(OM_uint32 *minor, void *ctx, const char *realm)
     ret = krb5_digest_probe(c->context, rk_UNCONST(realm), c->id, &flags);
     if (ret)
 	return ret;
-    
+
     if ((flags & (1|2|4)) == 0)
 	return EINVAL;
 
@@ -253,13 +254,13 @@ kdc_type2(OM_uint32 *minor_status,
     krb5_data challange;
     struct ntlm_buf data;
     krb5_data ti;
-    
+
     memset(&type2, 0, sizeof(type2));
-    
+
     /*
      * Request data for type 2 packet from the KDC.
      */
-    ret = krb5_ntlm_init_request(c->context, 
+    ret = krb5_ntlm_init_request(c->context,
 				 c->ntlm,
 				 NULL,
 				 c->id,
@@ -298,11 +299,11 @@ kdc_type2(OM_uint32 *minor_status,
 	return GSS_S_FAILURE;
     }
 
-    if (challange.length != sizeof(type2.challange)) {
+    if (challange.length != sizeof(type2.challenge)) {
 	*minor_status = EINVAL;
 	return GSS_S_FAILURE;
     }
-    memcpy(type2.challange, challange.data, sizeof(type2.challange));
+    memcpy(type2.challenge, challange.data, sizeof(type2.challenge));
     krb5_data_free(&challange);
 
     ret = krb5_ntlm_init_get_targetname(c->context, c->ntlm,
@@ -321,7 +322,7 @@ kdc_type2(OM_uint32 *minor_status,
 
     type2.targetinfo.data = ti.data;
     type2.targetinfo.length = ti.length;
-	
+
     ret = heim_ntlm_encode_type2(&type2, &data);
     free(type2.targetname);
     krb5_data_free(&ti);
@@ -329,7 +330,7 @@ kdc_type2(OM_uint32 *minor_status,
 	*minor_status = ret;
 	return GSS_S_FAILURE;
     }
-	
+
     out->data = data.data;
     out->length = data.length;
 
@@ -356,13 +357,13 @@ kdc_type3(OM_uint32 *minor_status,
     if (ret) goto out;
     ret = krb5_ntlm_req_set_username(c->context, c->ntlm, type3->username);
     if (ret) goto out;
-    ret = krb5_ntlm_req_set_targetname(c->context, c->ntlm, 
+    ret = krb5_ntlm_req_set_targetname(c->context, c->ntlm,
 				       type3->targetname);
     if (ret) goto out;
-    ret = krb5_ntlm_req_set_lm(c->context, c->ntlm, 
+    ret = krb5_ntlm_req_set_lm(c->context, c->ntlm,
 			       type3->lm.data, type3->lm.length);
     if (ret) goto out;
-    ret = krb5_ntlm_req_set_ntlm(c->context, c->ntlm, 
+    ret = krb5_ntlm_req_set_ntlm(c->context, c->ntlm,
 				 type3->ntlm.data, type3->ntlm.length);
     if (ret) goto out;
     ret = krb5_ntlm_req_set_opaque(c->context, c->ntlm, &c->opaque);
@@ -378,7 +379,7 @@ kdc_type3(OM_uint32 *minor_status,
     /*
      * Verify with the KDC the type3 packet is ok
      */
-    ret = krb5_ntlm_request(c->context, 
+    ret = krb5_ntlm_request(c->context,
 			    c->ntlm,
 			    NULL,
 			    c->id);
@@ -391,7 +392,7 @@ kdc_type3(OM_uint32 *minor_status,
     }
 
     if (type3->sessionkey.length) {
-	ret = krb5_ntlm_rep_get_sessionkey(c->context, 
+	ret = krb5_ntlm_rep_get_sessionkey(c->context,
 					   c->ntlm,
 					   &c->sessionkey);
 	if (ret)
@@ -433,3 +434,5 @@ struct ntlm_server_interface ntlmsspi_kdc_digest = {
     kdc_type3,
     kdc_free_buffer
 };
+
+#endif /* DIGEST */
diff --git a/lib/gssapi/ntlm/ntlm-private.h b/lib/gssapi/ntlm/ntlm-private.h
index cc6c4007856d..0c62b3533937 100644
--- a/lib/gssapi/ntlm/ntlm-private.h
+++ b/lib/gssapi/ntlm/ntlm-private.h
@@ -7,7 +7,7 @@
 gssapi_mech_interface
 __gss_ntlm_initialize (void);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_accept_sec_context (
 	OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
@@ -21,7 +21,7 @@ _gss_ntlm_accept_sec_context (
 	OM_uint32 * /*time_rec*/,
 	gss_cred_id_t * delegated_cred_handle );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_acquire_cred (
 	OM_uint32 * /*min_stat*/,
 	const gss_name_t /*desired_name*/,
@@ -32,7 +32,7 @@ _gss_ntlm_acquire_cred (
 	gss_OID_set * /*actual_mechs*/,
 	OM_uint32 * time_rec );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_add_cred (
 	 OM_uint32 */*minor_status*/,
 	const gss_cred_id_t /*input_cred_handle*/,
@@ -51,40 +51,45 @@ _gss_ntlm_allocate_ctx (
 	OM_uint32 */*minor_status*/,
 	ntlm_ctx */*ctx*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_canonicalize_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	const gss_OID /*mech_type*/,
 	gss_name_t * output_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_compare_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*name1*/,
 	const gss_name_t /*name2*/,
 	int * name_equal );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_context_time (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
 	OM_uint32 * time_rec );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_delete_sec_context (
 	OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
 	gss_buffer_t output_token );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_destroy_cred (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t */*cred_handle*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_display_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_buffer_t /*output_name_buffer*/,
 	gss_OID * output_name_type );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_display_status (
 	OM_uint32 */*minor_status*/,
 	OM_uint32 /*status_value*/,
@@ -93,25 +98,25 @@ _gss_ntlm_display_status (
 	OM_uint32 */*message_context*/,
 	gss_buffer_t /*status_string*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_duplicate_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*src_name*/,
 	gss_name_t * dest_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_export_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_buffer_t exported_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_export_sec_context (
 	 OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
 	gss_buffer_t interprocess_token );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_get_mic (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -124,14 +129,14 @@ _gss_ntlm_get_user_cred (
 	const ntlm_name /*target_name*/,
 	ntlm_cred */*rcred*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_import_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_buffer_t /*input_name_buffer*/,
 	const gss_OID /*input_name_type*/,
 	gss_name_t * output_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_import_sec_context (
 	 OM_uint32 * /*minor_status*/,
 	const gss_buffer_t /*interprocess_token*/,
@@ -142,7 +147,7 @@ _gss_ntlm_indicate_mechs (
 	OM_uint32 * /*minor_status*/,
 	gss_OID_set * mech_set );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_init_sec_context (
 	OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*initiator_cred_handle*/,
@@ -158,7 +163,7 @@ _gss_ntlm_init_sec_context (
 	OM_uint32 * /*ret_flags*/,
 	OM_uint32 * time_rec );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_inquire_context (
 	 OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -170,7 +175,7 @@ _gss_ntlm_inquire_context (
 	int * /*locally_initiated*/,
 	int * open_context );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_inquire_cred (
 	OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
@@ -179,7 +184,7 @@ _gss_ntlm_inquire_cred (
 	gss_cred_usage_t * /*cred_usage*/,
 	gss_OID_set * mechanisms );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_inquire_cred_by_mech (
 	 OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
@@ -189,30 +194,43 @@ _gss_ntlm_inquire_cred_by_mech (
 	OM_uint32 * /*acceptor_lifetime*/,
 	gss_cred_usage_t * cred_usage );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_inquire_mechs_for_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_OID_set * mech_types );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_inquire_names_for_mech (
 	 OM_uint32 * /*minor_status*/,
 	const gss_OID /*mechanism*/,
 	gss_OID_set * name_types );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_inquire_sec_context_by_oid (
+	OM_uint32 */*minor_status*/,
+	const gss_ctx_id_t /*context_handle*/,
+	const gss_OID /*desired_object*/,
+	gss_buffer_set_t */*data_set*/);
+
+void GSSAPI_CALLCONV
+_gss_ntlm_iter_creds_f (
+	OM_uint32 /*flags*/,
+	void *userctx ,
+	void (*/*cred_iter*/)(void *, gss_OID, gss_cred_id_t));
+
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_process_context_token (
 	 OM_uint32 */*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
 	const gss_buffer_t token_buffer );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_release_cred (
 	OM_uint32 * /*minor_status*/,
 	gss_cred_id_t * cred_handle );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_release_name (
 	OM_uint32 * /*minor_status*/,
 	gss_name_t * input_name );
@@ -225,7 +243,7 @@ _gss_ntlm_set_key (
 	unsigned char */*data*/,
 	size_t /*len*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_unwrap (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -234,7 +252,7 @@ _gss_ntlm_unwrap (
 	int * /*conf_state*/,
 	gss_qop_t * qop_state );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_verify_mic (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -242,7 +260,7 @@ _gss_ntlm_verify_mic (
 	const gss_buffer_t /*token_buffer*/,
 	gss_qop_t * qop_state );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_wrap (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -252,7 +270,7 @@ _gss_ntlm_wrap (
 	int * /*conf_state*/,
 	gss_buffer_t output_message_buffer );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_ntlm_wrap_size_limit (
 	 OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
diff --git a/lib/gssapi/ntlm/ntlm.h b/lib/gssapi/ntlm/ntlm.h
index 5713b72e2b33..1ed12d5ca6d7 100644
--- a/lib/gssapi/ntlm/ntlm.h
+++ b/lib/gssapi/ntlm/ntlm.h
@@ -1,44 +1,42 @@
 /*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-/* $Id: ntlm.h 22373 2007-12-28 18:36:06Z lha $ */
+/* $Id$ */
 
 #ifndef NTLM_NTLM_H
 #define NTLM_NTLM_H
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -46,15 +44,20 @@
 #include <string.h>
 #include <errno.h>
 
+#include <roken.h>
+
 #include <gssapi.h>
+#include <gssapi_ntlm.h>
 #include <gssapi_mech.h>
+#include <gssapi_oid.h>
 
 #include <krb5.h>
-#include <roken.h>
+#include <kcm.h>
 #include <heim_threads.h>
 
 #include <heimntlm.h>
 
+#define HC_DEPRECATED_CRYPTO
 #include "crypto-headers.h"
 
 typedef OM_uint32
@@ -108,6 +111,7 @@ typedef struct {
     void *ictx;
     ntlm_cred client;
     OM_uint32 gssflags;
+    uint32_t kcmflags;
     uint32_t flags;
     uint32_t status;
 #define STATUS_OPEN 1
@@ -115,6 +119,8 @@ typedef struct {
 #define STATUS_SESSIONKEY 4
     krb5_data sessionkey;
 
+    gss_buffer_desc pac;
+
     union {
 	struct {
 	    struct {
@@ -133,7 +139,7 @@ typedef struct {
     char *domain;
 } *ntlm_name;
 
-#include <ntlm/ntlm-private.h>
+#include <ntlm-private.h>
 
 
 #endif /* NTLM_NTLM_H */
diff --git a/lib/gssapi/ntlm/process_context_token.c b/lib/gssapi/ntlm/process_context_token.c
index 33c1072208a4..16efcd1525d7 100644
--- a/lib/gssapi/ntlm/process_context_token.c
+++ b/lib/gssapi/ntlm/process_context_token.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: process_context_token.c 19334 2006-12-14 12:17:34Z lha $");
-
-OM_uint32 _gss_ntlm_process_context_token (
+OM_uint32 GSSAPI_CALLCONV _gss_ntlm_process_context_token (
 	OM_uint32          *minor_status,
 	const gss_ctx_id_t context_handle,
 	const gss_buffer_t token_buffer
diff --git a/lib/gssapi/ntlm/release_cred.c b/lib/gssapi/ntlm/release_cred.c
index a63e5687408e..49d88a2b26e5 100644
--- a/lib/gssapi/ntlm/release_cred.c
+++ b/lib/gssapi/ntlm/release_cred.c
@@ -1,41 +1,39 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: release_cred.c 22163 2007-12-04 21:25:06Z lha $");
-
-OM_uint32 _gss_ntlm_release_cred
+OM_uint32 GSSAPI_CALLCONV _gss_ntlm_release_cred
            (OM_uint32 * minor_status,
             gss_cred_id_t * cred_handle
            )
diff --git a/lib/gssapi/ntlm/release_name.c b/lib/gssapi/ntlm/release_name.c
index 687d9fde50c5..86c1da364733 100644
--- a/lib/gssapi/ntlm/release_name.c
+++ b/lib/gssapi/ntlm/release_name.c
@@ -1,41 +1,40 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "ntlm/ntlm.h"
+#include "ntlm.h"
 
-RCSID("$Id: release_name.c 22373 2007-12-28 18:36:06Z lha $");
-
-OM_uint32 _gss_ntlm_release_name
+OM_uint32 GSSAPI_CALLCONV
+_gss_ntlm_release_name
            (OM_uint32 * minor_status,
             gss_name_t * input_name
            )
diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
index 1afe26f1e39d..3a51dd3a0a61 100644
--- a/lib/gssapi/spnego/accept_sec_context.c
+++ b/lib/gssapi/spnego/accept_sec_context.c
@@ -1,39 +1,37 @@
 /*
- * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
  * Portions Copyright (c) 2004 PADL Software Pty Ltd.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
+#include "spnego_locl.h"
 
 static OM_uint32
 send_reject (OM_uint32 *minor_status,
@@ -53,7 +51,7 @@ send_reject (OM_uint32 *minor_status,
     nt.u.negTokenResp.supportedMech = NULL;
     nt.u.negTokenResp.responseToken = NULL;
     nt.u.negTokenResp.mechListMIC   = NULL;
-    
+
     ASN1_MALLOC_ENCODE(NegotiationToken,
 		       output_token->value, output_token->length, &nt,
 		       &size, *minor_status);
@@ -76,14 +74,14 @@ acceptor_approved(gss_name_t target_name, gss_OID mech)
 
     gss_create_empty_oid_set(&junk, &oidset);
     gss_add_oid_set_member(&junk, mech, &oidset);
-    
+
     ret = gss_acquire_cred(&junk, target_name, GSS_C_INDEFINITE, oidset,
 			   GSS_C_ACCEPT, &cred, NULL, NULL);
     gss_release_oid_set(&junk, &oidset);
     if (ret != GSS_S_COMPLETE)
 	return ret;
     gss_release_cred(&junk, &cred);
-    
+
     return GSS_S_COMPLETE;
 }
 
@@ -92,13 +90,7 @@ send_supported_mechs (OM_uint32 *minor_status,
 		      gss_buffer_t output_token)
 {
     NegotiationTokenWin nt;
-    char hostname[MAXHOSTNAMELEN + 1], *p;
-    gss_buffer_desc name_buf;
-    gss_OID name_type;
-    gss_name_t target_princ;
-    gss_name_t canon_princ;
-    OM_uint32 minor;
-    size_t buf_len;
+    size_t buf_len = 0;
     gss_buffer_desc data;
     OM_uint32 ret;
 
@@ -116,62 +108,9 @@ send_supported_mechs (OM_uint32 *minor_status,
 	return ret;
     }
 
-    memset(&target_princ, 0, sizeof(target_princ));
-    if (gethostname(hostname, sizeof(hostname) - 2) != 0) {
-	*minor_status = errno;
-	free_NegotiationTokenWin(&nt);
-	return GSS_S_FAILURE;
-    }
-    hostname[sizeof(hostname) - 1] = '\0';
-
-    /* Send the constructed SAM name for this host */
-    for (p = hostname; *p != '\0' && *p != '.'; p++) {
-	*p = toupper((unsigned char)*p);
-    }
-    *p++ = '$';
-    *p = '\0';
-
-    name_buf.length = strlen(hostname);
-    name_buf.value = hostname;
-
-    ret = gss_import_name(minor_status, &name_buf,
-			  GSS_C_NO_OID,
-			  &target_princ);
-    if (ret != GSS_S_COMPLETE) {
-	free_NegotiationTokenWin(&nt);
-	return ret;
-    }
-
-    name_buf.length = 0;
-    name_buf.value = NULL;
-
-    /* Canonicalize the name using the preferred mechanism */
-    ret = gss_canonicalize_name(minor_status,
-				target_princ,
-				GSS_C_NO_OID,
-				&canon_princ);
-    if (ret != GSS_S_COMPLETE) {
-	free_NegotiationTokenWin(&nt);
-	gss_release_name(&minor, &target_princ);
-	return ret;
-    }
-
-    ret = gss_display_name(minor_status, canon_princ,
-			   &name_buf, &name_type);
-    if (ret != GSS_S_COMPLETE) {
-	free_NegotiationTokenWin(&nt);
-	gss_release_name(&minor, &canon_princ);
-	gss_release_name(&minor, &target_princ);
-	return ret;
-    }
-
-    gss_release_name(&minor, &canon_princ);
-    gss_release_name(&minor, &target_princ);
-
     ALLOC(nt.u.negTokenInit.negHints, 1);
     if (nt.u.negTokenInit.negHints == NULL) {
 	*minor_status = ENOMEM;
-	gss_release_buffer(&minor, &name_buf);
 	free_NegotiationTokenWin(&nt);
 	return GSS_S_FAILURE;
     }
@@ -179,23 +118,24 @@ send_supported_mechs (OM_uint32 *minor_status,
     ALLOC(nt.u.negTokenInit.negHints->hintName, 1);
     if (nt.u.negTokenInit.negHints->hintName == NULL) {
 	*minor_status = ENOMEM;
-	gss_release_buffer(&minor, &name_buf);
 	free_NegotiationTokenWin(&nt);
 	return GSS_S_FAILURE;
     }
 
-    *(nt.u.negTokenInit.negHints->hintName) = name_buf.value;
-    name_buf.value = NULL;
+    *nt.u.negTokenInit.negHints->hintName = strdup("not_defined_in_RFC4178@please_ignore");
     nt.u.negTokenInit.negHints->hintAddress = NULL;
 
-    ASN1_MALLOC_ENCODE(NegotiationTokenWin, 
+    ASN1_MALLOC_ENCODE(NegotiationTokenWin,
 		       data.value, data.length, &nt, &buf_len, ret);
     free_NegotiationTokenWin(&nt);
     if (ret) {
-	return ret;
+	*minor_status = ret;
+	return GSS_S_FAILURE;
     }
-    if (data.length != buf_len)
+    if (data.length != buf_len) {
 	abort();
+        UNREACHABLE(return GSS_S_FAILURE);
+    }
 
     ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token);
 
@@ -307,7 +247,7 @@ send_accept (OM_uint32 *minor_status,
 
     } else
 	nt.u.negTokenResp.mechListMIC = NULL;
- 
+
     ASN1_MALLOC_ENCODE(NegotiationToken,
 		       output_token->value, output_token->length,
 		       &nt, &size, ret);
@@ -376,6 +316,9 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
     char mechbuf[64];
     size_t mech_len;
     gss_OID_desc oid;
+    gss_OID oidp;
+    gss_OID_set mechs;
+    size_t i;
     OM_uint32 ret, junk;
 
     ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
@@ -396,27 +339,29 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
     *minor_status = 0;
 
     /* Translate broken MS Kebreros OID */
-    if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc)) {
-	gssapi_mech_interface mech;
+    if (gss_oid_equal(&oid, &_gss_spnego_mskrb_mechanism_oid_desc))
+	    oidp = &_gss_spnego_krb5_mechanism_oid_desc;
+    else
+	    oidp = &oid;
 
-	mech = __gss_get_mechanism(&_gss_spnego_krb5_mechanism_oid_desc);
-	if (mech == NULL)
-	    return GSS_S_BAD_MECH;
 
-	ret = gss_duplicate_oid(minor_status,
-				&_gss_spnego_mskrb_mechanism_oid_desc,
-				mech_p);
-    } else {
-	gssapi_mech_interface mech;
+    ret = gss_indicate_mechs(&junk, &mechs);
+    if (ret)
+	    return (ret);
 
-	mech = __gss_get_mechanism(&oid);
-	if (mech == NULL)
-	    return GSS_S_BAD_MECH;
+    for (i = 0; i < mechs->count; i++)
+	    if (gss_oid_equal(&mechs->elements[i], oidp))
+		    break;
 
-	ret = gss_duplicate_oid(minor_status,
-				&mech->gm_mech_oid,
-				mech_p);
+    if (i == mechs->count) {
+	    gss_release_oid_set(&junk, &mechs);
+	    return GSS_S_BAD_MECH;
     }
+    gss_release_oid_set(&junk, &mechs);
+
+    ret = gss_duplicate_oid(minor_status,
+			    &oid, /* possibly this should be oidp */
+			    mech_p);
 
     if (verify_p) {
 	gss_name_t name = GSS_C_NO_NAME;
@@ -425,11 +370,16 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
 
 	host = getenv("GSSAPI_SPNEGO_NAME");
 	if (host == NULL || issuid()) {
+	    int rv;
 	    if (gethostname(hostname, sizeof(hostname)) != 0) {
 		*minor_status = errno;
 		return GSS_S_FAILURE;
 	    }
-	    asprintf(&str, "host@%s", hostname);
+	    rv = asprintf(&str, "host@%s", hostname);
+	    if (rv < 0 || str == NULL) {
+		*minor_status = ENOMEM;
+		return GSS_S_FAILURE;
+	    }
 	    host = str;
 	}
 
@@ -463,20 +413,16 @@ acceptor_complete(OM_uint32 * minor_status,
 {
     OM_uint32 ret;
     int require_mic, verify_mic;
-    gss_buffer_desc buf;
-
-    buf.length = 0;
-    buf.value = NULL;
 
     ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic);
     if (ret)
 	return ret;
-    
+
     ctx->require_mic = require_mic;
 
     if (mic != NULL)
 	require_mic = 1;
-    
+
     if (ctx->open && require_mic) {
 	if (mech_input_token == GSS_C_NO_BUFFER) { /* Even/One */
 	    verify_mic = 1;
@@ -488,44 +434,39 @@ acceptor_complete(OM_uint32 * minor_status,
 	    verify_mic = 0;
 	    *get_mic = 1;
 	}
-	
-	if (verify_mic || get_mic) {
+
+	if (verify_mic || *get_mic) {
 	    int eret;
-	    size_t buf_len;
-	    
-	    ASN1_MALLOC_ENCODE(MechTypeList, 
+	    size_t buf_len = 0;
+
+	    ASN1_MALLOC_ENCODE(MechTypeList,
 			       mech_buf->value, mech_buf->length,
 			       &ctx->initiator_mech_types, &buf_len, eret);
 	    if (eret) {
 		*minor_status = eret;
 		return GSS_S_FAILURE;
 	    }
-	    if (buf.length != buf_len)
-		abort();
+	    heim_assert(mech_buf->length == buf_len, "Internal ASN.1 error");
+	    UNREACHABLE(return GSS_S_FAILURE);
 	}
-	
+
 	if (verify_mic) {
 	    ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic);
 	    if (ret) {
-		if (get_mic)
+		if (*get_mic)
 		    send_reject (minor_status, output_token);
-		if (buf.value)
-		    free(buf.value);
 		return ret;
 	    }
 	    ctx->verified_mic = 1;
 	}
-	if (buf.value)
-	    free(buf.value);
-
     } else
-	*get_mic = verify_mic = 0;
-    
+	*get_mic = 0;
+
     return GSS_S_COMPLETE;
 }
 
 
-static OM_uint32
+static OM_uint32 GSSAPI_CALLCONV
 acceptor_start
 	   (OM_uint32 * minor_status,
 	    gss_ctx_id_t * context_handle,
@@ -540,18 +481,16 @@ acceptor_start
 	    gss_cred_id_t *delegated_cred_handle
 	   )
 {
-    OM_uint32 ret, junk, minor;
+    OM_uint32 ret, junk;
     NegotiationToken nt;
     size_t nt_len;
     NegTokenInit *ni;
-    int i;
     gss_buffer_desc data;
     gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
     gss_buffer_desc mech_output_token;
     gss_buffer_desc mech_buf;
     gss_OID preferred_mech_type = GSS_C_NO_OID;
     gssspnego_ctx ctx;
-    gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
     int get_mic = 0;
     int first_ok = 0;
 
@@ -561,7 +500,7 @@ acceptor_start
 
     if (input_token_buffer->length == 0)
 	return send_supported_mechs (minor_status, output_token);
-	
+
     ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
     if (ret != GSS_S_COMPLETE)
 	return ret;
@@ -609,38 +548,28 @@ acceptor_start
     /*
      * First we try the opportunistic token if we have support for it,
      * don't try to verify we have credential for the token,
-     * gss_accept_sec_context will (hopefully) tell us that.
-     * If that failes, 
+     * gss_accept_sec_context() will (hopefully) tell us that.
+     * If that failes,
      */
 
     ret = select_mech(minor_status,
-		      &ni->mechTypes.val[0], 
+		      &ni->mechTypes.val[0],
 		      0,
 		      &preferred_mech_type);
 
     if (ret == 0 && ni->mechToken != NULL) {
-	gss_cred_id_t mech_delegated_cred = GSS_C_NO_CREDENTIAL;
-	gss_cred_id_t mech_cred;
 	gss_buffer_desc ibuf;
 
 	ibuf.length = ni->mechToken->length;
 	ibuf.value = ni->mechToken->data;
 	mech_input_token = &ibuf;
 
-	if (acceptor_cred != NULL)
-	    mech_cred = acceptor_cred->negotiated_cred_id;
-	else
-	    mech_cred = GSS_C_NO_CREDENTIAL;
-	
 	if (ctx->mech_src_name != GSS_C_NO_NAME)
-	    gss_release_name(&minor, &ctx->mech_src_name);
-	
-	if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
-	    _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
-	
-	ret = gss_accept_sec_context(&minor,
+	    gss_release_name(&junk, &ctx->mech_src_name);
+
+	ret = gss_accept_sec_context(minor_status,
 				     &ctx->negotiated_ctx_id,
-				     mech_cred,
+				     acceptor_cred_handle,
 				     mech_input_token,
 				     input_chan_bindings,
 				     &ctx->mech_src_name,
@@ -648,20 +577,13 @@ acceptor_start
 				     &mech_output_token,
 				     &ctx->mech_flags,
 				     &ctx->mech_time_rec,
-				     &mech_delegated_cred);
+				     delegated_cred_handle);
+
 	if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
 	    ctx->preferred_mech_type = preferred_mech_type;
-	    ctx->negotiated_mech_type = preferred_mech_type;
 	    if (ret == GSS_S_COMPLETE)
 		ctx->open = 1;
 
-	    if (mech_delegated_cred && delegated_cred_handle)
-		ret = _gss_spnego_alloc_cred(minor_status,
-					     mech_delegated_cred,
-					     delegated_cred_handle);
-	    else
-		gss_release_cred(&junk, &mech_delegated_cred);
-
 	    ret = acceptor_complete(minor_status,
 				    ctx,
 				    &get_mic,
@@ -674,6 +596,8 @@ acceptor_start
 		goto out;
 
 	    first_ok = 1;
+	} else {
+	    gss_mg_collect_error(preferred_mech_type, ret, *minor_status);
 	}
     }
 
@@ -681,12 +605,15 @@ acceptor_start
      * If opportunistic token failed, lets try the other mechs.
      */
 
-    if (!first_ok) {
+    if (!first_ok && ni->mechToken != NULL) {
+	size_t j;
+
+	preferred_mech_type = GSS_C_NO_OID;
 
 	/* Call glue layer to find first mech we support */
-	for (i = 1; i < ni->mechTypes.len; ++i) {
+	for (j = 1; j < ni->mechTypes.len; ++j) {
 	    ret = select_mech(minor_status,
-			      &ni->mechTypes.val[i],
+			      &ni->mechTypes.val[j],
 			      1,
 			      &preferred_mech_type);
 	    if (ret == 0)
@@ -695,11 +622,10 @@ acceptor_start
 	if (preferred_mech_type == GSS_C_NO_OID) {
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	    free_NegotiationToken(&nt);
-	    return GSS_S_BAD_MECH;
+	    return ret;
 	}
 
 	ctx->preferred_mech_type = preferred_mech_type;
-	ctx->negotiated_mech_type = preferred_mech_type;
     }
 
     /*
@@ -714,10 +640,10 @@ acceptor_start
 		       output_token);
     if (ret)
 	goto out;
-    
+
 out:
     if (mech_output_token.value != NULL)
-	gss_release_buffer(&minor, &mech_output_token);
+	gss_release_buffer(&junk, &mech_output_token);
     if (mech_buf.value != NULL) {
 	free(mech_buf.value);
 	mech_buf.value = NULL;
@@ -736,12 +662,8 @@ out:
 		*src_name = (gss_name_t)name;
 	    }
 	}
-        if (delegated_cred_handle != NULL) {
-	    *delegated_cred_handle = ctx->delegated_cred_id;
-	    ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
-	}
     }
-    
+
     if (mech_type != NULL)
 	*mech_type = ctx->negotiated_mech_type;
     if (ret_flags != NULL)
@@ -754,14 +676,14 @@ out:
  	return ret;
     }
 
-    _gss_spnego_internal_delete_sec_context(&minor, context_handle,
+    _gss_spnego_internal_delete_sec_context(&junk, context_handle,
 					    GSS_C_NO_BUFFER);
-    
+
     return ret;
 }
 
 
-static OM_uint32
+static OM_uint32 GSSAPI_CALLCONV
 acceptor_continue
 	   (OM_uint32 * minor_status,
 	    gss_ctx_id_t * context_handle,
@@ -785,7 +707,6 @@ acceptor_continue
     gss_buffer_t mech_output_token = GSS_C_NO_BUFFER;
     gss_buffer_desc mech_buf;
     gssspnego_ctx ctx;
-    gssspnego_cred acceptor_cred = (gssspnego_cred)acceptor_cred_handle;
 
     mech_buf.value = NULL;
 
@@ -796,7 +717,7 @@ acceptor_continue
      * context token (negTokenInit).
      */
 
-    ret = decode_NegotiationToken(input_token_buffer->value, 
+    ret = decode_NegotiationToken(input_token_buffer->value,
 				  input_token_buffer->length,
 				  &nt, &nt_len);
     if (ret) {
@@ -831,31 +752,13 @@ acceptor_continue
 	}
 
 	if (mech_input_token != GSS_C_NO_BUFFER) {
-	    gss_cred_id_t mech_cred;
-	    gss_cred_id_t mech_delegated_cred;
-	    gss_cred_id_t *mech_delegated_cred_p;
-
-	    if (acceptor_cred != NULL)
-		mech_cred = acceptor_cred->negotiated_cred_id;
-	    else
-		mech_cred = GSS_C_NO_CREDENTIAL;
-
-	    if (delegated_cred_handle != NULL) {
-		mech_delegated_cred = GSS_C_NO_CREDENTIAL;
-		mech_delegated_cred_p = &mech_delegated_cred;
-	    } else {
-		mech_delegated_cred_p = NULL;
-	    }
 
 	    if (ctx->mech_src_name != GSS_C_NO_NAME)
 		gss_release_name(&minor, &ctx->mech_src_name);
 
-	    if (ctx->delegated_cred_id != GSS_C_NO_CREDENTIAL)
-		_gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
-
 	    ret = gss_accept_sec_context(&minor,
 					 &ctx->negotiated_ctx_id,
-					 mech_cred,
+					 acceptor_cred_handle,
 					 mech_input_token,
 					 input_chan_bindings,
 					 &ctx->mech_src_name,
@@ -863,20 +766,14 @@ acceptor_continue
 					 &obuf,
 					 &ctx->mech_flags,
 					 &ctx->mech_time_rec,
-					 mech_delegated_cred_p);
+					 delegated_cred_handle);
+
 	    if (ret == GSS_S_COMPLETE || ret == GSS_S_CONTINUE_NEEDED) {
-		if (mech_delegated_cred_p != NULL &&
-		    mech_delegated_cred != GSS_C_NO_CREDENTIAL) {
-		    ret2 = _gss_spnego_alloc_cred(minor_status,
-						  mech_delegated_cred,
-						  &ctx->delegated_cred_id);
-		    if (ret2 != GSS_S_COMPLETE)
-			ret = ret2;
-		}
 		mech_output_token = &obuf;
 	    }
 	    if (ret != GSS_S_COMPLETE && ret != GSS_S_CONTINUE_NEEDED) {
 		free_NegotiationToken(&nt);
+		gss_mg_collect_error(ctx->negotiated_mech_type, ret, minor);
 		send_reject (minor_status, output_token);
 		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 		return ret;
@@ -886,7 +783,7 @@ acceptor_continue
 	} else
 	    ret = GSS_S_COMPLETE;
 
-	ret2 = _gss_spnego_require_mechlist_mic(minor_status, 
+	ret2 = _gss_spnego_require_mechlist_mic(minor_status,
 						ctx,
 						&require_mic);
 	if (ret2)
@@ -953,10 +850,6 @@ acceptor_continue
 		*src_name = (gss_name_t)name;
 	    }
 	}
-        if (delegated_cred_handle != NULL) {
-	    *delegated_cred_handle = ctx->delegated_cred_id;
-	    ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
-	}
     }
 
     if (mech_type != NULL)
@@ -977,7 +870,7 @@ acceptor_continue
     return ret;
 }
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_accept_sec_context
 	   (OM_uint32 * minor_status,
 	    gss_ctx_id_t * context_handle,
@@ -1011,11 +904,11 @@ _gss_spnego_accept_sec_context
 	*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
 
 
-    if (*context_handle == GSS_C_NO_CONTEXT) 
+    if (*context_handle == GSS_C_NO_CONTEXT)
 	func = acceptor_start;
     else
 	func = acceptor_continue;
-    
+
 
     return (*func)(minor_status, context_handle, acceptor_cred_handle,
 		   input_token_buffer, input_chan_bindings,
diff --git a/lib/gssapi/spnego/compat.c b/lib/gssapi/spnego/compat.c
index 287f4f760ed7..cf5ee30a84a9 100644
--- a/lib/gssapi/spnego/compat.c
+++ b/lib/gssapi/spnego/compat.c
@@ -30,9 +30,7 @@
  * SUCH DAMAGE.
  */
 
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $");
+#include "spnego_locl.h"
 
 /*
  * Apparently Microsoft got the OID wrong, and used
@@ -43,16 +41,17 @@ RCSID("$Id: compat.c 21866 2007-08-08 11:31:29Z lha $");
  * Kerberos mechanism.
  */
 gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
-	{9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
+    {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")};
 
 gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
-	{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
 
 /*
  * Allocate a SPNEGO context handle
  */
-OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
-					 gss_ctx_id_t *context_handle)
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
+			       gss_ctx_id_t *context_handle)
 {
     gssspnego_ctx ctx;
 
@@ -76,7 +75,6 @@ OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
     ctx->mech_flags = 0;
     ctx->mech_time_rec = 0;
     ctx->mech_src_name = GSS_C_NO_NAME;
-    ctx->delegated_cred_id = GSS_C_NO_CREDENTIAL;
 
     ctx->open = 0;
     ctx->local = 0;
@@ -94,7 +92,7 @@ OM_uint32 _gss_spnego_alloc_sec_context (OM_uint32 * minor_status,
  * Free a SPNEGO context handle. The caller must have acquired
  * the lock before this is called.
  */
-OM_uint32 _gss_spnego_internal_delete_sec_context
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_internal_delete_sec_context
            (OM_uint32 *minor_status,
             gss_ctx_id_t *context_handle,
             gss_buffer_t output_token
@@ -124,8 +122,6 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
     if (ctx->initiator_mech_types.val != NULL)
 	free_MechTypeList(&ctx->initiator_mech_types);
 
-    _gss_spnego_release_cred(&minor, &ctx->delegated_cred_id);
-
     gss_release_oid(&minor, &ctx->preferred_mech_type);
     ctx->negotiated_mech_type = GSS_C_NO_OID;
 
@@ -145,7 +141,6 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
     HEIMDAL_MUTEX_destroy(&ctx->ctx_id_mutex);
 
     free(ctx);
-    *context_handle = NULL;
 
     return ret;
 }
@@ -156,7 +151,7 @@ OM_uint32 _gss_spnego_internal_delete_sec_context
  * a non-preferred mechanism was negotiated
  */
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_require_mechlist_mic(OM_uint32 *minor_status,
 				 gssspnego_ctx ctx,
 				 int *require_mic)
@@ -234,26 +229,26 @@ add_mech_type(gss_OID mech_type,
 }
 
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
 				   gss_name_t target_name,
 				   OM_uint32 (*func)(gss_name_t, gss_OID),
 				   int includeMSCompatOID,
-				   const gssspnego_cred cred_handle,
+				   const gss_cred_id_t cred_handle,
 				   MechTypeList *mechtypelist,
 				   gss_OID *preferred_mech)
 {
     gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
     gss_OID first_mech = GSS_C_NO_OID;
     OM_uint32 ret;
-    int i;
+    size_t i;
 
     mechtypelist->len = 0;
     mechtypelist->val = NULL;
 
-    if (cred_handle != NULL) {
+    if (cred_handle) {
 	ret = gss_inquire_cred(minor_status,
-			       cred_handle->negotiated_cred_id,
+			       cred_handle,
 			       NULL,
 			       NULL,
 			       NULL,
diff --git a/lib/gssapi/spnego/context_stubs.c b/lib/gssapi/spnego/context_stubs.c
index 3535c7bb3596..60b348ec4676 100644
--- a/lib/gssapi/spnego/context_stubs.c
+++ b/lib/gssapi/spnego/context_stubs.c
@@ -30,16 +30,14 @@
  * SUCH DAMAGE.
  */
 
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: context_stubs.c 21035 2007-06-09 15:32:47Z lha $");
+#include "spnego_locl.h"
 
 static OM_uint32
 spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
 {
     OM_uint32 ret, junk;
     gss_OID_set m;
-    int i;
+    size_t i;
 
     ret = gss_indicate_mechs(minor_status, &m);
     if (ret != GSS_S_COMPLETE)
@@ -62,12 +60,13 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
 	    return ret;
 	}
     }
+    gss_release_oid_set(&junk, &m);
     return ret;
 }
 
 
 
-OM_uint32 _gss_spnego_process_context_token
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_process_context_token
            (OM_uint32 *minor_status,
             const gss_ctx_id_t context_handle,
             const gss_buffer_t token_buffer
@@ -100,7 +99,7 @@ OM_uint32 _gss_spnego_process_context_token
 					   GSS_C_NO_BUFFER);
 }
 
-OM_uint32 _gss_spnego_delete_sec_context
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_delete_sec_context
            (OM_uint32 *minor_status,
             gss_ctx_id_t *context_handle,
             gss_buffer_t output_token
@@ -120,7 +119,7 @@ OM_uint32 _gss_spnego_delete_sec_context
 						   output_token);
 }
 
-OM_uint32 _gss_spnego_context_time
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_context_time
            (OM_uint32 *minor_status,
             const gss_ctx_id_t context_handle,
             OM_uint32 *time_rec
@@ -144,7 +143,7 @@ OM_uint32 _gss_spnego_context_time
 			    time_rec);
 }
 
-OM_uint32 _gss_spnego_get_mic
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_get_mic
            (OM_uint32 *minor_status,
             const gss_ctx_id_t context_handle,
             gss_qop_t qop_req,
@@ -170,7 +169,7 @@ OM_uint32 _gss_spnego_get_mic
 		       qop_req, message_buffer, message_token);
 }
 
-OM_uint32 _gss_spnego_verify_mic
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_verify_mic
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             const gss_buffer_t message_buffer,
@@ -199,7 +198,7 @@ OM_uint32 _gss_spnego_verify_mic
 			  qop_state);
 }
 
-OM_uint32 _gss_spnego_wrap
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_wrap
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             int conf_req_flag,
@@ -232,7 +231,7 @@ OM_uint32 _gss_spnego_wrap
 		    output_message_buffer);
 }
 
-OM_uint32 _gss_spnego_unwrap
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_unwrap
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             const gss_buffer_t input_message_buffer,
@@ -263,19 +262,7 @@ OM_uint32 _gss_spnego_unwrap
 		      qop_state);
 }
 
-OM_uint32 _gss_spnego_display_status
-           (OM_uint32 * minor_status,
-            OM_uint32 status_value,
-            int status_type,
-            const gss_OID mech_type,
-            OM_uint32 * message_context,
-            gss_buffer_t status_string
-           )
-{
-    return GSS_S_FAILURE;
-}
-
-OM_uint32 _gss_spnego_compare_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_compare_name
            (OM_uint32 *minor_status,
             const gss_name_t name1,
             const gss_name_t name2,
@@ -299,7 +286,7 @@ OM_uint32 _gss_spnego_compare_name
     return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gss_spnego_display_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_display_name
            (OM_uint32 * minor_status,
             const gss_name_t input_name,
             gss_buffer_t output_name_buffer,
@@ -317,7 +304,7 @@ OM_uint32 _gss_spnego_display_name
 			    output_name_buffer, output_name_type);
 }
 
-OM_uint32 _gss_spnego_import_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_import_name
            (OM_uint32 * minor_status,
             const gss_buffer_t name_buffer,
             const gss_OID name_type,
@@ -334,13 +321,13 @@ OM_uint32 _gss_spnego_import_name
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
     }
-    
+
     maj_stat = _gss_copy_oid(minor_status, name_type, &name->type);
     if (maj_stat) {
 	free(name);
 	return GSS_S_FAILURE;
     }
-    
+
     maj_stat = _gss_copy_buffer(minor_status, name_buffer, &name->value);
     if (maj_stat) {
 	gss_name_t rname = (gss_name_t)name;
@@ -353,7 +340,7 @@ OM_uint32 _gss_spnego_import_name
     return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gss_spnego_export_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_export_name
            (OM_uint32  * minor_status,
             const gss_name_t input_name,
             gss_buffer_t exported_name
@@ -372,7 +359,7 @@ OM_uint32 _gss_spnego_export_name
     return gss_export_name(minor_status, name->mech, exported_name);
 }
 
-OM_uint32 _gss_spnego_release_name
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_release_name
            (OM_uint32 * minor_status,
             gss_name_t * input_name
            )
@@ -393,7 +380,7 @@ OM_uint32 _gss_spnego_release_name
     return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gss_spnego_inquire_context (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_context (
             OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             gss_name_t * src_name,
@@ -406,31 +393,61 @@ OM_uint32 _gss_spnego_inquire_context (
            )
 {
     gssspnego_ctx ctx;
+    OM_uint32 maj_stat, junk;
+    gss_name_t src_mn, targ_mn;
 
     *minor_status = 0;
 
-    if (context_handle == GSS_C_NO_CONTEXT) {
+    if (context_handle == GSS_C_NO_CONTEXT)
 	return GSS_S_NO_CONTEXT;
-    }
 
     ctx = (gssspnego_ctx)context_handle;
 
-    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
 	return GSS_S_NO_CONTEXT;
-    }
 
-    return gss_inquire_context(minor_status,
-			       ctx->negotiated_ctx_id,
-			       src_name,
-			       targ_name,
-			       lifetime_rec,
-			       mech_type,
-			       ctx_flags,
-			       locally_initiated,
-			       open_context);
+    maj_stat = gss_inquire_context(minor_status,
+				   ctx->negotiated_ctx_id,
+				   &src_mn,
+				   &targ_mn,
+				   lifetime_rec,
+				   mech_type,
+				   ctx_flags,
+				   locally_initiated,
+				   open_context);
+    if (maj_stat != GSS_S_COMPLETE)
+	return maj_stat;
+
+    if (src_name) {
+	spnego_name name = calloc(1, sizeof(*name));
+	if (name == NULL)
+	    goto enomem;
+	name->mech = src_mn;
+	*src_name = (gss_name_t)name;
+    } else
+	gss_release_name(&junk, &src_mn);
+
+    if (targ_name) {
+	spnego_name name = calloc(1, sizeof(*name));
+	if (name == NULL) {
+	    gss_release_name(minor_status, src_name);
+	    goto enomem;
+	}
+	name->mech = targ_mn;
+	*targ_name = (gss_name_t)name;
+    } else
+	gss_release_name(&junk, &targ_mn);
+
+    return GSS_S_COMPLETE;
+
+enomem:
+    gss_release_name(&junk, &targ_mn);
+    gss_release_name(&junk, &src_mn);
+    *minor_status = ENOMEM;
+    return GSS_S_FAILURE;
 }
 
-OM_uint32 _gss_spnego_wrap_size_limit (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_wrap_size_limit (
             OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             int conf_req_flag,
@@ -461,7 +478,7 @@ OM_uint32 _gss_spnego_wrap_size_limit (
 			       max_input_size);
 }
 
-OM_uint32 _gss_spnego_export_sec_context (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_export_sec_context (
             OM_uint32 * minor_status,
             gss_ctx_id_t * context_handle,
             gss_buffer_t interprocess_token
@@ -504,7 +521,7 @@ OM_uint32 _gss_spnego_export_sec_context (
     return ret;
 }
 
-OM_uint32 _gss_spnego_import_sec_context (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_import_sec_context (
             OM_uint32 * minor_status,
             const gss_buffer_t interprocess_token,
             gss_ctx_id_t *context_handle
@@ -540,7 +557,7 @@ OM_uint32 _gss_spnego_import_sec_context (
     return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gss_spnego_inquire_names_for_mech (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_names_for_mech (
             OM_uint32 * minor_status,
             const gss_OID mechanism,
             gss_OID_set * name_types
@@ -548,7 +565,7 @@ OM_uint32 _gss_spnego_inquire_names_for_mech (
 {
     gss_OID_set mechs, names, n;
     OM_uint32 ret, junk;
-    int i, j;
+    size_t i, j;
 
     *name_types = NULL;
 
@@ -580,10 +597,10 @@ out:
 
     gss_release_oid_set(&junk, &mechs);
 
-    return GSS_S_COMPLETE;
+    return ret;
 }
 
-OM_uint32 _gss_spnego_inquire_mechs_for_name (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_mechs_for_name (
             OM_uint32 * minor_status,
             const gss_name_t input_name,
             gss_OID_set * mech_types
@@ -604,7 +621,7 @@ OM_uint32 _gss_spnego_inquire_mechs_for_name (
     return ret;
 }
 
-OM_uint32 _gss_spnego_canonicalize_name (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_canonicalize_name (
             OM_uint32 * minor_status,
             const gss_name_t input_name,
             const gss_OID mech_type,
@@ -615,7 +632,7 @@ OM_uint32 _gss_spnego_canonicalize_name (
     return gss_duplicate_name(minor_status, input_name, output_name);
 }
 
-OM_uint32 _gss_spnego_duplicate_name (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_duplicate_name (
             OM_uint32 * minor_status,
             const gss_name_t src_name,
             gss_name_t * dest_name
@@ -624,207 +641,71 @@ OM_uint32 _gss_spnego_duplicate_name (
     return gss_duplicate_name(minor_status, src_name, dest_name);
 }
 
-OM_uint32 _gss_spnego_sign
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            int qop_req,
-            gss_buffer_t message_buffer,
-            gss_buffer_t message_token
-           )
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov(OM_uint32 * minor_status,
+		     gss_ctx_id_t  context_handle,
+		     int conf_req_flag,
+		     gss_qop_t qop_req,
+		     int * conf_state,
+		     gss_iov_buffer_desc *iov,
+		     int iov_count)
 {
-    gssspnego_ctx ctx;
+    gssspnego_ctx ctx = (gssspnego_ctx)context_handle;
 
     *minor_status = 0;
 
-    if (context_handle == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    ctx = (gssspnego_ctx)context_handle;
-
-    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+    if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
 	return GSS_S_NO_CONTEXT;
-    }
 
-    return gss_sign(minor_status,
-		    ctx->negotiated_ctx_id,
-		    qop_req,
-		    message_buffer,
-		    message_token);
+    return gss_wrap_iov(minor_status, ctx->negotiated_ctx_id,
+			conf_req_flag, qop_req, conf_state,
+			iov, iov_count);
 }
 
-OM_uint32 _gss_spnego_verify
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            gss_buffer_t message_buffer,
-            gss_buffer_t token_buffer,
-            int * qop_state
-           )
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_unwrap_iov(OM_uint32 *minor_status,
+		       gss_ctx_id_t context_handle,
+		       int *conf_state,
+		       gss_qop_t *qop_state,
+		       gss_iov_buffer_desc *iov,
+		       int iov_count)
 {
-    gssspnego_ctx ctx;
+    gssspnego_ctx ctx = (gssspnego_ctx)context_handle;
 
     *minor_status = 0;
 
-    if (context_handle == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    ctx = (gssspnego_ctx)context_handle;
-
-    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+    if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
 	return GSS_S_NO_CONTEXT;
-    }
 
-    return gss_verify(minor_status,
-		      ctx->negotiated_ctx_id,
-		      message_buffer,
-		      token_buffer,
-		      qop_state);
+    return gss_unwrap_iov(minor_status,
+			  ctx->negotiated_ctx_id,
+			  conf_state, qop_state,
+			  iov, iov_count);
 }
 
-OM_uint32 _gss_spnego_seal
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            int conf_req_flag,
-            int qop_req,
-            gss_buffer_t input_message_buffer,
-            int * conf_state,
-            gss_buffer_t output_message_buffer
-           )
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov_length(OM_uint32 * minor_status,
+			    gss_ctx_id_t context_handle,
+			    int conf_req_flag,
+			    gss_qop_t qop_req,
+			    int *conf_state,
+			    gss_iov_buffer_desc *iov,
+			    int iov_count)
 {
-    gssspnego_ctx ctx;
+    gssspnego_ctx ctx = (gssspnego_ctx)context_handle;
 
     *minor_status = 0;
 
-    if (context_handle == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    ctx = (gssspnego_ctx)context_handle;
-
-    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
+    if (ctx == NULL || ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
 	return GSS_S_NO_CONTEXT;
-    }
 
-    return gss_seal(minor_status,
-		    ctx->negotiated_ctx_id,
-		    conf_req_flag,
-		    qop_req,
-		    input_message_buffer,
-		    conf_state,
-		    output_message_buffer);
-}
-
-OM_uint32 _gss_spnego_unseal
-           (OM_uint32 * minor_status,
-            gss_ctx_id_t context_handle,
-            gss_buffer_t input_message_buffer,
-            gss_buffer_t output_message_buffer,
-            int * conf_state,
-            int * qop_state
-           )
-{
-    gssspnego_ctx ctx;
-
-    *minor_status = 0;
-
-    if (context_handle == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    ctx = (gssspnego_ctx)context_handle;
-
-    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    return gss_unseal(minor_status,
-		      ctx->negotiated_ctx_id,
-		      input_message_buffer,
-		      output_message_buffer,
-		      conf_state,
-		      qop_state);
+    return gss_wrap_iov_length(minor_status, ctx->negotiated_ctx_id,
+			       conf_req_flag, qop_req, conf_state,
+			       iov, iov_count);
 }
 
 #if 0
-OM_uint32 _gss_spnego_unwrap_ex
-           (OM_uint32 * minor_status,
-            const gss_ctx_id_t context_handle,
-	    const gss_buffer_t token_header_buffer,
-	    const gss_buffer_t associated_data_buffer,
-	    const gss_buffer_t input_message_buffer,
-	    gss_buffer_t output_message_buffer,
-	    int * conf_state,
-	    gss_qop_t * qop_state)
-{
-    gssspnego_ctx ctx;
-
-    *minor_status = 0;
-
-    if (context_handle == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    ctx = (gssspnego_ctx)context_handle;
-
-    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    return gss_unwrap_ex(minor_status,
-			 ctx->negotiated_ctx_id,
-			 token_header_buffer,
-			 associated_data_buffer,
-			 input_message_buffer,
-			 output_message_buffer,
-			 conf_state,
-			 qop_state);
-}
-
-OM_uint32 _gss_spnego_wrap_ex
-           (OM_uint32 * minor_status,
-            const gss_ctx_id_t context_handle,
-            int conf_req_flag,
-            gss_qop_t qop_req,
-            const gss_buffer_t associated_data_buffer,
-            const gss_buffer_t input_message_buffer,
-            int * conf_state,
-            gss_buffer_t output_token_buffer,
-            gss_buffer_t output_message_buffer
-	   )
-{
-    gssspnego_ctx ctx;
-
-    *minor_status = 0;
-
-    if (context_handle == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    ctx = (gssspnego_ctx)context_handle;
-
-    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
-	return GSS_S_NO_CONTEXT;
-    }
-
-    if ((ctx->mech_flags & GSS_C_DCE_STYLE) == 0 &&
-	associated_data_buffer->length != input_message_buffer->length) {
-	*minor_status = EINVAL;
-	return GSS_S_BAD_QOP;
-    }
-
-    return gss_wrap_ex(minor_status,
-		       ctx->negotiated_ctx_id,
-		       conf_req_flag,
-		       qop_req,
-		       associated_data_buffer,
-		       input_message_buffer,
-		       conf_state,
-		       output_token_buffer,
-		       output_message_buffer);
-}
-
-OM_uint32 _gss_spnego_complete_auth_token
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_complete_auth_token
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
 	    gss_buffer_t input_message_buffer)
@@ -849,7 +730,7 @@ OM_uint32 _gss_spnego_complete_auth_token
 }
 #endif
 
-OM_uint32 _gss_spnego_inquire_sec_context_by_oid
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_sec_context_by_oid
            (OM_uint32 * minor_status,
             const gss_ctx_id_t context_handle,
             const gss_OID desired_object,
@@ -875,7 +756,7 @@ OM_uint32 _gss_spnego_inquire_sec_context_by_oid
 					  data_set);
 }
 
-OM_uint32 _gss_spnego_set_sec_context_option
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_set_sec_context_option
            (OM_uint32 * minor_status,
             gss_ctx_id_t * context_handle,
             const gss_OID desired_object,
@@ -889,7 +770,7 @@ OM_uint32 _gss_spnego_set_sec_context_option
 	return GSS_S_NO_CONTEXT;
     }
 
-    ctx = (gssspnego_ctx)context_handle;
+    ctx = (gssspnego_ctx)*context_handle;
 
     if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
 	return GSS_S_NO_CONTEXT;
@@ -901,3 +782,31 @@ OM_uint32 _gss_spnego_set_sec_context_option
 				      value);
 }
 
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_pseudo_random(OM_uint32 *minor_status,
+			  gss_ctx_id_t context_handle,
+			  int prf_key,
+			  const gss_buffer_t prf_in,
+			  ssize_t desired_output_len,
+			  gss_buffer_t prf_out)
+{
+    gssspnego_ctx ctx;
+
+    *minor_status = 0;
+
+    if (context_handle == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
+
+    ctx = (gssspnego_ctx)context_handle;
+
+    if (ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT)
+	return GSS_S_NO_CONTEXT;
+
+    return gss_pseudo_random(minor_status,
+			     ctx->negotiated_ctx_id,
+			     prf_key,
+			     prf_in,
+			     desired_output_len,
+			     prf_out);
+}
diff --git a/lib/gssapi/spnego/cred_stubs.c b/lib/gssapi/spnego/cred_stubs.c
index 2362e9901963..fc43d6a4a666 100644
--- a/lib/gssapi/spnego/cred_stubs.c
+++ b/lib/gssapi/spnego/cred_stubs.c
@@ -30,63 +30,31 @@
  * SUCH DAMAGE.
  */
 
-#include "spnego/spnego_locl.h"
+#include "spnego_locl.h"
 
-RCSID("$Id: cred_stubs.c 20619 2007-05-08 13:43:45Z lha $");
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_release_cred(OM_uint32 *minor_status, gss_cred_id_t *cred_handle)
 {
-    gssspnego_cred cred;
     OM_uint32 ret;
-    
+
     *minor_status = 0;
 
-    if (*cred_handle == GSS_C_NO_CREDENTIAL) {
+    if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL)
 	return GSS_S_COMPLETE;
-    }
-    cred = (gssspnego_cred)*cred_handle;
 
-    ret = gss_release_cred(minor_status, &cred->negotiated_cred_id);
+    ret = gss_release_cred(minor_status, cred_handle);
 
-    free(cred);
     *cred_handle = GSS_C_NO_CREDENTIAL;
 
     return ret;
 }
 
-OM_uint32
-_gss_spnego_alloc_cred(OM_uint32 *minor_status,
-		       gss_cred_id_t mech_cred_handle,
-		       gss_cred_id_t *cred_handle)
-{
-    gssspnego_cred cred;
-
-    if (*cred_handle != GSS_C_NO_CREDENTIAL) {
-	*minor_status = EINVAL;
-	return GSS_S_FAILURE;
-    }
-
-    cred = calloc(1, sizeof(*cred));
-    if (cred == NULL) {
-	*cred_handle = GSS_C_NO_CREDENTIAL;
-	*minor_status = ENOMEM;
-	return GSS_S_FAILURE;
-    }
-
-    cred->negotiated_cred_id = mech_cred_handle;
-
-    *cred_handle = (gss_cred_id_t)cred;
-
-    return GSS_S_COMPLETE; 
-}
-
 /*
  * For now, just a simple wrapper that avoids recursion. When
  * we support gss_{get,set}_neg_mechs() we will need to expose
  * more functionality.
  */
-OM_uint32 _gss_spnego_acquire_cred
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred
 (OM_uint32 *minor_status,
  const gss_name_t desired_name,
  OM_uint32 time_req,
@@ -102,9 +70,7 @@ OM_uint32 _gss_spnego_acquire_cred
     OM_uint32 ret, tmp;
     gss_OID_set_desc actual_desired_mechs;
     gss_OID_set mechs;
-    int i, j;
-    gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
-    gssspnego_cred cred;
+    size_t i, j;
 
     *output_cred_handle = GSS_C_NO_CREDENTIAL;
 
@@ -114,7 +80,7 @@ OM_uint32 _gss_spnego_acquire_cred
 	    return ret;
 	}
     }
-    
+
     ret = gss_indicate_mechs(minor_status, &mechs);
     if (ret != GSS_S_COMPLETE) {
 	gss_release_name(minor_status, &name);
@@ -140,22 +106,14 @@ OM_uint32 _gss_spnego_acquire_cred
     }
     actual_desired_mechs.count = j;
 
-    ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
-				 &cred_handle);
-    if (ret != GSS_S_COMPLETE)
-	goto out;
-
-    cred = (gssspnego_cred)cred_handle;
     ret = gss_acquire_cred(minor_status, name,
 			   time_req, &actual_desired_mechs,
 			   cred_usage,
-			   &cred->negotiated_cred_id,
+			   output_cred_handle,
 			   actual_mechs, time_rec);
     if (ret != GSS_S_COMPLETE)
 	goto out;
 
-    *output_cred_handle = cred_handle;
-
 out:
     gss_release_name(minor_status, &name);
     gss_release_oid_set(&tmp, &mechs);
@@ -163,13 +121,13 @@ out:
 	free(actual_desired_mechs.elements);
     }
     if (ret != GSS_S_COMPLETE) {
-	_gss_spnego_release_cred(&tmp, &cred_handle);
+	_gss_spnego_release_cred(&tmp, output_cred_handle);
     }
 
     return ret;
 }
 
-OM_uint32 _gss_spnego_inquire_cred
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred
            (OM_uint32 * minor_status,
             const gss_cred_id_t cred_handle,
             gss_name_t * name,
@@ -178,7 +136,6 @@ OM_uint32 _gss_spnego_inquire_cred
             gss_OID_set * mechanisms
            )
 {
-    gssspnego_cred cred;
     spnego_name sname = NULL;
     OM_uint32 ret;
 
@@ -195,10 +152,8 @@ OM_uint32 _gss_spnego_inquire_cred
 	}
     }
 
-    cred = (gssspnego_cred)cred_handle;
-
     ret = gss_inquire_cred(minor_status,
-			   cred->negotiated_cred_id,
+			   cred_handle,
 			   sname ? &sname->mech : NULL,
 			   lifetime,
 			   cred_usage,
@@ -214,56 +169,7 @@ OM_uint32 _gss_spnego_inquire_cred
     return ret;
 }
 
-OM_uint32 _gss_spnego_add_cred (
-            OM_uint32 * minor_status,
-            const gss_cred_id_t input_cred_handle,
-            const gss_name_t desired_name,
-            const gss_OID desired_mech,
-            gss_cred_usage_t cred_usage,
-            OM_uint32 initiator_time_req,
-            OM_uint32 acceptor_time_req,
-            gss_cred_id_t * output_cred_handle,
-            gss_OID_set * actual_mechs,
-            OM_uint32 * initiator_time_rec,
-            OM_uint32 * acceptor_time_rec
-           )
-{
-    gss_cred_id_t spnego_output_cred_handle = GSS_C_NO_CREDENTIAL;
-    OM_uint32 ret, tmp;
-    gssspnego_cred input_cred, output_cred;
-
-    *output_cred_handle = GSS_C_NO_CREDENTIAL;
-
-    ret = _gss_spnego_alloc_cred(minor_status, GSS_C_NO_CREDENTIAL,
-				 &spnego_output_cred_handle);
-    if (ret)
-	return ret;
-
-    input_cred = (gssspnego_cred)input_cred_handle;
-    output_cred = (gssspnego_cred)spnego_output_cred_handle;
-
-    ret = gss_add_cred(minor_status,
-		       input_cred->negotiated_cred_id,
-		       desired_name,
-		       desired_mech,
-		       cred_usage,
-		       initiator_time_req,
-		       acceptor_time_req,
-		       &output_cred->negotiated_cred_id,
-		       actual_mechs,
-		       initiator_time_rec,
-		       acceptor_time_rec);
-    if (ret) {
-	_gss_spnego_release_cred(&tmp, &spnego_output_cred_handle);
-	return ret;
-    }
-
-    *output_cred_handle = spnego_output_cred_handle;
-
-    return GSS_S_COMPLETE;
-}
-
-OM_uint32 _gss_spnego_inquire_cred_by_mech (
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred_by_mech (
             OM_uint32 * minor_status,
             const gss_cred_id_t cred_handle,
             const gss_OID mech_type,
@@ -273,7 +179,6 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech (
             gss_cred_usage_t * cred_usage
            )
 {
-    gssspnego_cred cred;
     spnego_name sname = NULL;
     OM_uint32 ret;
 
@@ -290,10 +195,8 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech (
 	}
     }
 
-    cred = (gssspnego_cred)cred_handle;
-
     ret = gss_inquire_cred_by_mech(minor_status,
-				   cred->negotiated_cred_id,
+				   cred_handle,
 				   mech_type,
 				   sname ? &sname->mech : NULL,
 				   initiator_lifetime,
@@ -311,26 +214,58 @@ OM_uint32 _gss_spnego_inquire_cred_by_mech (
     return GSS_S_COMPLETE;
 }
 
-OM_uint32 _gss_spnego_inquire_cred_by_oid
+OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_cred_by_oid
            (OM_uint32 * minor_status,
             const gss_cred_id_t cred_handle,
             const gss_OID desired_object,
             gss_buffer_set_t *data_set)
 {
-    gssspnego_cred cred;
     OM_uint32 ret;
 
     if (cred_handle == GSS_C_NO_CREDENTIAL) {
 	*minor_status = 0;
 	return GSS_S_NO_CRED;
     }
-    cred = (gssspnego_cred)cred_handle;
 
     ret = gss_inquire_cred_by_oid(minor_status,
-				  cred->negotiated_cred_id,
+				  cred_handle,
 				  desired_object,
 				  data_set);
 
     return ret;
 }
 
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_set_cred_option (OM_uint32 *minor_status,
+			     gss_cred_id_t *cred_handle,
+			     const gss_OID object,
+			     const gss_buffer_t value)
+{
+    if (cred_handle == NULL || *cred_handle == GSS_C_NO_CREDENTIAL) {
+	*minor_status = 0;
+	return GSS_S_NO_CRED;
+    }
+
+    return gss_set_cred_option(minor_status,
+			      cred_handle,
+			      object,
+			      value);
+}
+
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_export_cred (OM_uint32 *minor_status,
+			 gss_cred_id_t cred_handle,
+			 gss_buffer_t value)
+{
+    return gss_export_cred(minor_status, cred_handle, value);
+}
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_import_cred (OM_uint32 *minor_status,
+			 gss_buffer_t value,
+			 gss_cred_id_t *cred_handle)
+{
+    return gss_import_cred(minor_status, value, cred_handle);
+}
+
diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c
index fbc231f3aebb..ca06d46e8211 100644
--- a/lib/gssapi/spnego/external.c
+++ b/lib/gssapi/spnego/external.c
@@ -30,22 +30,55 @@
  * SUCH DAMAGE.
  */
 
-#include "spnego/spnego_locl.h"
+#include "spnego_locl.h"
 #include <gssapi_mech.h>
 
-RCSID("$Id: external.c 18336 2006-10-07 22:27:13Z lha $");
-
 /*
  * RFC2478, SPNEGO:
  *  The security mechanism of the initial
  *  negotiation token is identified by the Object Identifier
  *  iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
  */
+static gss_mo_desc spnego_mo[] = {
+    {
+	GSS_C_MA_SASL_MECH_NAME,
+	GSS_MO_MA,
+	"SASL mech name",
+	rk_UNCONST("SPNEGO"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_NAME,
+	GSS_MO_MA,
+	"Mechanism name",
+	rk_UNCONST("SPNEGO"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_DESCRIPTION,
+	GSS_MO_MA,
+	"Mechanism description",
+	rk_UNCONST("Heimdal SPNEGO Mechanism"),
+	_gss_mo_get_ctx_as_string,
+	NULL
+    },
+    {
+	GSS_C_MA_MECH_NEGO,
+	GSS_MO_MA
+    },
+    {
+	GSS_C_MA_MECH_PSEUDO,
+	GSS_MO_MA
+    }
+};
 
 static gssapi_mech_interface_desc spnego_mech = {
     GMI_VERSION,
     "spnego",
-    {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+    {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
+    0,
     _gss_spnego_acquire_cred,
     _gss_spnego_release_cred,
     _gss_spnego_init_sec_context,
@@ -57,8 +90,8 @@ static gssapi_mech_interface_desc spnego_mech = {
     _gss_spnego_verify_mic,
     _gss_spnego_wrap,
     _gss_spnego_unwrap,
-    _gss_spnego_display_status,
-    NULL,
+    NULL, /* gm_display_status */
+    NULL, /* gm_indicate_mechs */
     _gss_spnego_compare_name,
     _gss_spnego_display_name,
     _gss_spnego_import_name,
@@ -67,14 +100,40 @@ static gssapi_mech_interface_desc spnego_mech = {
     _gss_spnego_inquire_cred,
     _gss_spnego_inquire_context,
     _gss_spnego_wrap_size_limit,
-    _gss_spnego_add_cred,
+    gss_add_cred,
     _gss_spnego_inquire_cred_by_mech,
     _gss_spnego_export_sec_context,
     _gss_spnego_import_sec_context,
-    _gss_spnego_inquire_names_for_mech,
+    NULL /* _gss_spnego_inquire_names_for_mech */,
     _gss_spnego_inquire_mechs_for_name,
     _gss_spnego_canonicalize_name,
-    _gss_spnego_duplicate_name
+    _gss_spnego_duplicate_name,
+    _gss_spnego_inquire_sec_context_by_oid,
+    _gss_spnego_inquire_cred_by_oid,
+    _gss_spnego_set_sec_context_option,
+    _gss_spnego_set_cred_option,
+    _gss_spnego_pseudo_random,
+    _gss_spnego_wrap_iov,
+    _gss_spnego_unwrap_iov,
+    _gss_spnego_wrap_iov_length,
+    NULL,
+    _gss_spnego_export_cred,
+    _gss_spnego_import_cred,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    spnego_mo,
+    sizeof(spnego_mo) / sizeof(spnego_mo[0]),
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface
@@ -82,8 +141,3 @@ __gss_spnego_initialize(void)
 {
 	return &spnego_mech;
 }
-
-static gss_OID_desc _gss_spnego_mechanism_desc = 
-    {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
-
-gss_OID GSS_SPNEGO_MECHANISM = &_gss_spnego_mechanism_desc;
diff --git a/lib/gssapi/spnego/init_sec_context.c b/lib/gssapi/spnego/init_sec_context.c
index 7c74981e664e..b4b1bcefc5e5 100644
--- a/lib/gssapi/spnego/init_sec_context.c
+++ b/lib/gssapi/spnego/init_sec_context.c
@@ -1,42 +1,40 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
  * Portions Copyright (c) 2004 PADL Software Pty Ltd.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
-#include "spnego/spnego_locl.h"
-
-RCSID("$Id: init_sec_context.c 19411 2006-12-18 15:42:03Z lha $");
+#include "spnego_locl.h"
 
 /*
- * Is target_name an sane target for `mech´.
+ * Is target_name an sane target for `mech´.
  */
 
 static OM_uint32
@@ -45,7 +43,7 @@ initiator_approved(gss_name_t target_name, gss_OID mech)
     OM_uint32 min_stat, maj_stat;
     gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
     gss_buffer_desc out;
-    
+
     maj_stat = gss_init_sec_context(&min_stat,
 				    GSS_C_NO_CREDENTIAL,
 				    &ctx,
@@ -59,8 +57,10 @@ initiator_approved(gss_name_t target_name, gss_OID mech)
 				    &out,
 				    NULL,
 				    NULL);
-    if (GSS_ERROR(maj_stat))
+    if (GSS_ERROR(maj_stat)) {
+	gss_mg_collect_error(mech, maj_stat, min_stat);
 	return GSS_S_BAD_MECH;
+    }
     gss_release_buffer(&min_stat, &out);
     gss_delete_sec_context(&min_stat, &ctx, NULL);
 
@@ -177,7 +177,7 @@ spnego_reply_internal(OM_uint32 *minor_status,
 static OM_uint32
 spnego_initial
            (OM_uint32 * minor_status,
-	    gssspnego_cred cred,
+	    gss_cred_id_t cred,
             gss_ctx_id_t * context_handle,
             const gss_name_t target_name,
             const gss_OID mech_type,
@@ -230,7 +230,7 @@ spnego_initial
 	return sub;
     }
 
-    sub = _gss_spnego_indicate_mechtypelist(&minor, 
+    sub = _gss_spnego_indicate_mechtypelist(&minor,
 					    ctx->target_name,
 					    initiator_approved,
 					    0,
@@ -252,8 +252,7 @@ spnego_initial
 
     /* generate optimistic token */
     sub = gss_init_sec_context(&minor,
-			       (cred != NULL) ? cred->negotiated_cred_id :
-			          GSS_C_NO_CREDENTIAL,
+			       cred,
 			       &ctx->negotiated_ctx_id,
 			       ctx->target_name,
 			       ctx->preferred_mech_type,
@@ -268,6 +267,7 @@ spnego_initial
     if (GSS_ERROR(sub)) {
 	free_NegTokenInit(&ni);
 	*minor_status = minor;
+	gss_mg_collect_error(ctx->preferred_mech_type, sub, minor);
 	_gss_spnego_internal_delete_sec_context(&minor, &context, GSS_C_NO_BUFFER);
 	return sub;
     }
@@ -344,7 +344,7 @@ spnego_initial
     ctx->initiator_mech_types.val = ni.mechTypes.val;
     ni.mechTypes.len = 0;
     ni.mechTypes.val = NULL;
- 
+
     free_NegTokenInit(&ni);
 
     sub = gss_encapsulate_token(&data,
@@ -374,7 +374,7 @@ spnego_initial
 static OM_uint32
 spnego_reply
            (OM_uint32 * minor_status,
-	    const gssspnego_cred cred,
+	    const gss_cred_id_t cred,
             gss_ctx_id_t * context_handle,
             const gss_name_t target_name,
             const gss_OID mech_type,
@@ -389,11 +389,10 @@ spnego_reply
     )
 {
     OM_uint32 ret, minor;
-    NegTokenResp resp;
-    size_t len, taglen;
+    NegotiationToken resp;
     gss_OID_desc mech;
     int require_mic;
-    size_t buf_len;
+    size_t buf_len = 0;
     gss_buffer_desc mic_buf, mech_buf;
     gss_buffer_desc mech_output_token;
     gssspnego_ctx ctx;
@@ -411,27 +410,23 @@ spnego_reply
     mech_buf.value = NULL;
     mech_buf.length = 0;
 
-    ret = der_match_tag_and_length(input_token->value, input_token->length,
-				   ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
+    ret = decode_NegotiationToken(input_token->value, input_token->length,
+				  &resp, NULL);
     if (ret)
-	return ret;
-
-    if (len > input_token->length - taglen)
-	return ASN1_OVERRUN;
+      return ret;
 
-    ret = decode_NegTokenResp((const unsigned char *)input_token->value+taglen,
-			      len, &resp, NULL);
-    if (ret) {
-	*minor_status = ENOMEM;
-	return GSS_S_FAILURE;
+    if (resp.element != choice_NegotiationToken_negTokenResp) {
+	free_NegotiationToken(&resp);
+	*minor_status = 0;
+	return GSS_S_BAD_MECH;
     }
 
-    if (resp.negResult == NULL
-	|| *(resp.negResult) == reject
-	/* || resp.supportedMech == NULL */
+    if (resp.u.negTokenResp.negResult == NULL
+	|| *(resp.u.negTokenResp.negResult) == reject
+	/* || resp.u.negTokenResp.supportedMech == NULL */
 	)
     {
-	free_NegTokenResp(&resp);
+	free_NegotiationToken(&resp);
 	return GSS_S_BAD_MECH;
     }
 
@@ -442,16 +437,16 @@ spnego_reply
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
-    if (resp.supportedMech) {
+    if (resp.u.negTokenResp.supportedMech) {
 
 	if (ctx->oidlen) {
-	    free_NegTokenResp(&resp);
+	    free_NegotiationToken(&resp);
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	    return GSS_S_BAD_MECH;
 	}
 	ret = der_put_oid(ctx->oidbuf + sizeof(ctx->oidbuf) - 1,
 			  sizeof(ctx->oidbuf),
-			  resp.supportedMech,
+			  resp.u.negTokenResp.supportedMech,
 			  &ctx->oidlen);
 	/* Avoid recursively embedded SPNEGO */
 	if (ret || (ctx->oidlen == GSS_SPNEGO_MECHANISM->length &&
@@ -459,7 +454,7 @@ spnego_reply
 			   GSS_SPNEGO_MECHANISM->elements,
 			   ctx->oidlen) == 0))
 	{
-	    free_NegTokenResp(&resp);
+	    free_NegotiationToken(&resp);
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	    return GSS_S_BAD_MECH;
 	}
@@ -470,23 +465,24 @@ spnego_reply
 		   ctx->preferred_mech_type->elements,
 		   ctx->oidlen) != 0)
 	{
-	    gss_delete_sec_context(&minor, &ctx->negotiated_ctx_id, 
+	    gss_delete_sec_context(&minor, &ctx->negotiated_ctx_id,
 				   GSS_C_NO_BUFFER);
 	    ctx->negotiated_ctx_id = GSS_C_NO_CONTEXT;
 	}
     } else if (ctx->oidlen == 0) {
-	free_NegTokenResp(&resp);
+	free_NegotiationToken(&resp);
 	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	return GSS_S_BAD_MECH;
     }
 
-    if (resp.responseToken != NULL || 
+    /* if a token (of non zero length), or no context, pass to underlaying mech */
+    if ((resp.u.negTokenResp.responseToken != NULL && resp.u.negTokenResp.responseToken->length) ||
 	ctx->negotiated_ctx_id == GSS_C_NO_CONTEXT) {
 	gss_buffer_desc mech_input_token;
 
-	if (resp.responseToken) {
-	    mech_input_token.length = resp.responseToken->length;
-	    mech_input_token.value  = resp.responseToken->data;
+	if (resp.u.negTokenResp.responseToken) {
+	    mech_input_token.length = resp.u.negTokenResp.responseToken->length;
+	    mech_input_token.value  = resp.u.negTokenResp.responseToken->data;
 	} else {
 	    mech_input_token.length = 0;
 	    mech_input_token.value = NULL;
@@ -499,8 +495,7 @@ spnego_reply
 	/* Fall through as if the negotiated mechanism
 	   was requested explicitly */
 	ret = gss_init_sec_context(&minor,
-				   (cred != NULL) ? cred->negotiated_cred_id :
-				       GSS_C_NO_CREDENTIAL,
+				   cred,
 				   &ctx->negotiated_ctx_id,
 				   ctx->target_name,
 				   &mech,
@@ -514,19 +509,20 @@ spnego_reply
 				   &ctx->mech_time_rec);
 	if (GSS_ERROR(ret)) {
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-	    free_NegTokenResp(&resp);
+	    free_NegotiationToken(&resp);
+	    gss_mg_collect_error(&mech, ret, minor);
 	    *minor_status = minor;
 	    return ret;
 	}
 	if (ret == GSS_S_COMPLETE) {
 	    ctx->open = 1;
 	}
-    } else if (*(resp.negResult) == accept_completed) {
+    } else if (*(resp.u.negTokenResp.negResult) == accept_completed) {
 	if (ctx->maybe_open)
 	    ctx->open = 1;
     }
 
-    if (*(resp.negResult) == request_mic) {
+    if (*(resp.u.negTokenResp.negResult) == request_mic) {
 	ctx->require_mic = 1;
     }
 
@@ -535,14 +531,14 @@ spnego_reply
 	 * Verify the mechListMIC if one was provided or CFX was
 	 * used and a non-preferred mechanism was selected
 	 */
-	if (resp.mechListMIC != NULL) {
+	if (resp.u.negTokenResp.mechListMIC != NULL) {
 	    require_mic = 1;
 	} else {
 	    ret = _gss_spnego_require_mechlist_mic(minor_status, ctx,
 						   &require_mic);
 	    if (ret) {
 		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-		free_NegTokenResp(&resp);
+		free_NegotiationToken(&resp);
 		gss_release_buffer(&minor, &mech_output_token);
 		return ret;
 	    }
@@ -556,23 +552,25 @@ spnego_reply
 			   &ctx->initiator_mech_types, &buf_len, ret);
 	if (ret) {
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
-	    free_NegTokenResp(&resp);
+	    free_NegotiationToken(&resp);
 	    gss_release_buffer(&minor, &mech_output_token);
 	    *minor_status = ret;
 	    return GSS_S_FAILURE;
 	}
-	if (mech_buf.length != buf_len)
+	if (mech_buf.length != buf_len) {
 	    abort();
+            UNREACHABLE(return GSS_S_FAILURE);
+        }
 
-	if (resp.mechListMIC == NULL) {
+	if (resp.u.negTokenResp.mechListMIC == NULL) {
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	    free(mech_buf.value);
-	    free_NegTokenResp(&resp);
+	    free_NegotiationToken(&resp);
 	    *minor_status = 0;
 	    return GSS_S_DEFECTIVE_TOKEN;
 	}
-	mic_buf.length = resp.mechListMIC->length;
-	mic_buf.value  = resp.mechListMIC->data;
+	mic_buf.length = resp.u.negTokenResp.mechListMIC->length;
+	mic_buf.value  = resp.u.negTokenResp.mechListMIC->data;
 
 	if (mech_output_token.length == 0) {
 	    ret = gss_verify_mic(minor_status,
@@ -584,7 +582,7 @@ spnego_reply
 		HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 		free(mech_buf.value);
 		gss_release_buffer(&minor, &mech_output_token);
-		free_NegTokenResp(&resp);
+		free_NegotiationToken(&resp);
 		return GSS_S_DEFECTIVE_TOKEN;
 	    }
 	    ctx->verified_mic = 1;
@@ -599,7 +597,7 @@ spnego_reply
     if (mech_buf.value != NULL)
 	free(mech_buf.value);
 
-    free_NegTokenResp(&resp);
+    free_NegotiationToken(&resp);
     gss_release_buffer(&minor, &mech_output_token);
 
     if (actual_mech_type)
@@ -613,7 +611,8 @@ spnego_reply
     return ret;
 }
 
-OM_uint32 _gss_spnego_init_sec_context
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_init_sec_context
            (OM_uint32 * minor_status,
             const gss_cred_id_t initiator_cred_handle,
             gss_ctx_id_t * context_handle,
@@ -629,11 +628,9 @@ OM_uint32 _gss_spnego_init_sec_context
             OM_uint32 * time_rec
            )
 {
-    gssspnego_cred cred = (gssspnego_cred)initiator_cred_handle;
-
     if (*context_handle == GSS_C_NO_CONTEXT)
 	return spnego_initial (minor_status,
-			       cred,
+			       initiator_cred_handle,
 			       context_handle,
 			       target_name,
 			       mech_type,
@@ -647,7 +644,7 @@ OM_uint32 _gss_spnego_init_sec_context
 			       time_rec);
     else
 	return spnego_reply (minor_status,
-			     cred,
+			     initiator_cred_handle,
 			     context_handle,
 			     target_name,
 			     mech_type,
diff --git a/lib/gssapi/spnego/spnego-private.h b/lib/gssapi/spnego/spnego-private.h
index d80db0018adf..f50574d7ed37 100644
--- a/lib/gssapi/spnego/spnego-private.h
+++ b/lib/gssapi/spnego/spnego-private.h
@@ -7,7 +7,7 @@
 gssapi_mech_interface
 __gss_spnego_initialize (void);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_accept_sec_context (
 	OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
@@ -21,7 +21,7 @@ _gss_spnego_accept_sec_context (
 	OM_uint32 * /*time_rec*/,
 	gss_cred_id_t *delegated_cred_handle );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_acquire_cred (
 	OM_uint32 */*minor_status*/,
 	const gss_name_t /*desired_name*/,
@@ -32,92 +32,69 @@ _gss_spnego_acquire_cred (
 	gss_OID_set * /*actual_mechs*/,
 	OM_uint32 * time_rec );
 
-OM_uint32
-_gss_spnego_add_cred (
-	 OM_uint32 * /*minor_status*/,
-	const gss_cred_id_t /*input_cred_handle*/,
-	const gss_name_t /*desired_name*/,
-	const gss_OID /*desired_mech*/,
-	gss_cred_usage_t /*cred_usage*/,
-	OM_uint32 /*initiator_time_req*/,
-	OM_uint32 /*acceptor_time_req*/,
-	gss_cred_id_t * /*output_cred_handle*/,
-	gss_OID_set * /*actual_mechs*/,
-	OM_uint32 * /*initiator_time_rec*/,
-	OM_uint32 * acceptor_time_rec );
-
-OM_uint32
-_gss_spnego_alloc_cred (
-	OM_uint32 */*minor_status*/,
-	gss_cred_id_t /*mech_cred_handle*/,
-	gss_cred_id_t */*cred_handle*/);
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_alloc_sec_context (
 	OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t */*context_handle*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_canonicalize_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	const gss_OID /*mech_type*/,
 	gss_name_t * output_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_compare_name (
 	OM_uint32 */*minor_status*/,
 	const gss_name_t /*name1*/,
 	const gss_name_t /*name2*/,
 	int * name_equal );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_context_time (
 	OM_uint32 */*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
 	OM_uint32 *time_rec );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_delete_sec_context (
 	OM_uint32 */*minor_status*/,
 	gss_ctx_id_t */*context_handle*/,
 	gss_buffer_t output_token );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_display_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_buffer_t /*output_name_buffer*/,
 	gss_OID * output_name_type );
 
-OM_uint32
-_gss_spnego_display_status (
-	OM_uint32 * /*minor_status*/,
-	OM_uint32 /*status_value*/,
-	int /*status_type*/,
-	const gss_OID /*mech_type*/,
-	OM_uint32 * /*message_context*/,
-	gss_buffer_t status_string );
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_duplicate_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*src_name*/,
 	gss_name_t * dest_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_export_cred (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t /*cred_handle*/,
+	gss_buffer_t /*value*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_export_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_buffer_t exported_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_export_sec_context (
 	 OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
 	gss_buffer_t interprocess_token );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_get_mic (
 	OM_uint32 */*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -125,30 +102,36 @@ _gss_spnego_get_mic (
 	const gss_buffer_t /*message_buffer*/,
 	gss_buffer_t message_token );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_import_cred (
+	OM_uint32 */*minor_status*/,
+	gss_buffer_t /*value*/,
+	gss_cred_id_t */*cred_handle*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_import_name (
 	OM_uint32 * /*minor_status*/,
 	const gss_buffer_t /*name_buffer*/,
 	const gss_OID /*name_type*/,
 	gss_name_t * output_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_import_sec_context (
 	 OM_uint32 * /*minor_status*/,
 	const gss_buffer_t /*interprocess_token*/,
 	gss_ctx_id_t *context_handle );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_indicate_mechtypelist (
 	OM_uint32 */*minor_status*/,
 	gss_name_t /*target_name*/,
 	OM_uint32 (*/*func*/)(gss_name_t, gss_OID),
 	int /*includeMSCompatOID*/,
-	const gssspnego_cred /*cred_handle*/,
+	const gss_cred_id_t /*cred_handle*/,
 	MechTypeList */*mechtypelist*/,
 	gss_OID */*preferred_mech*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_init_sec_context (
 	OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*initiator_cred_handle*/,
@@ -164,7 +147,7 @@ _gss_spnego_init_sec_context (
 	OM_uint32 * /*ret_flags*/,
 	OM_uint32 * time_rec );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_inquire_context (
 	 OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -176,7 +159,7 @@ _gss_spnego_inquire_context (
 	int * /*locally_initiated*/,
 	int * open_context );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_inquire_cred (
 	OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
@@ -185,7 +168,7 @@ _gss_spnego_inquire_cred (
 	gss_cred_usage_t * /*cred_usage*/,
 	gss_OID_set * mechanisms );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_inquire_cred_by_mech (
 	 OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
@@ -195,95 +178,84 @@ _gss_spnego_inquire_cred_by_mech (
 	OM_uint32 * /*acceptor_lifetime*/,
 	gss_cred_usage_t * cred_usage );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_inquire_cred_by_oid (
 	OM_uint32 * /*minor_status*/,
 	const gss_cred_id_t /*cred_handle*/,
 	const gss_OID /*desired_object*/,
 	gss_buffer_set_t */*data_set*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_inquire_mechs_for_name (
 	 OM_uint32 * /*minor_status*/,
 	const gss_name_t /*input_name*/,
 	gss_OID_set * mech_types );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_inquire_names_for_mech (
 	 OM_uint32 * /*minor_status*/,
 	const gss_OID /*mechanism*/,
 	gss_OID_set * name_types );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_inquire_sec_context_by_oid (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
 	const gss_OID /*desired_object*/,
 	gss_buffer_set_t */*data_set*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_internal_delete_sec_context (
 	OM_uint32 */*minor_status*/,
 	gss_ctx_id_t */*context_handle*/,
 	gss_buffer_t output_token );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_process_context_token (
 	OM_uint32 */*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
 	const gss_buffer_t token_buffer );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_pseudo_random (
+	OM_uint32 */*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*prf_key*/,
+	const gss_buffer_t /*prf_in*/,
+	ssize_t /*desired_output_len*/,
+	gss_buffer_t /*prf_out*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_release_cred (
 	OM_uint32 */*minor_status*/,
 	gss_cred_id_t */*cred_handle*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_release_name (
 	OM_uint32 * /*minor_status*/,
 	gss_name_t * input_name );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_require_mechlist_mic (
 	OM_uint32 */*minor_status*/,
 	gssspnego_ctx /*ctx*/,
 	int */*require_mic*/);
 
-OM_uint32
-_gss_spnego_seal (
-	OM_uint32 * /*minor_status*/,
-	gss_ctx_id_t /*context_handle*/,
-	int /*conf_req_flag*/,
-	int /*qop_req*/,
-	gss_buffer_t /*input_message_buffer*/,
-	int * /*conf_state*/,
-	gss_buffer_t output_message_buffer );
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_set_cred_option (
+	OM_uint32 */*minor_status*/,
+	gss_cred_id_t */*cred_handle*/,
+	const gss_OID /*object*/,
+	const gss_buffer_t /*value*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_set_sec_context_option (
 	OM_uint32 * /*minor_status*/,
 	gss_ctx_id_t * /*context_handle*/,
 	const gss_OID /*desired_object*/,
 	const gss_buffer_t /*value*/);
 
-OM_uint32
-_gss_spnego_sign (
-	OM_uint32 * /*minor_status*/,
-	gss_ctx_id_t /*context_handle*/,
-	int /*qop_req*/,
-	gss_buffer_t /*message_buffer*/,
-	gss_buffer_t message_token );
-
-OM_uint32
-_gss_spnego_unseal (
-	OM_uint32 * /*minor_status*/,
-	gss_ctx_id_t /*context_handle*/,
-	gss_buffer_t /*input_message_buffer*/,
-	gss_buffer_t /*output_message_buffer*/,
-	int * /*conf_state*/,
-	int * qop_state );
-
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_unwrap (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -292,15 +264,16 @@ _gss_spnego_unwrap (
 	int * /*conf_state*/,
 	gss_qop_t * qop_state );
 
-OM_uint32
-_gss_spnego_verify (
-	OM_uint32 * /*minor_status*/,
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_unwrap_iov (
+	OM_uint32 */*minor_status*/,
 	gss_ctx_id_t /*context_handle*/,
-	gss_buffer_t /*message_buffer*/,
-	gss_buffer_t /*token_buffer*/,
-	int * qop_state );
+	int */*conf_state*/,
+	gss_qop_t */*qop_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_verify_mic (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -308,7 +281,7 @@ _gss_spnego_verify_mic (
 	const gss_buffer_t /*token_buffer*/,
 	gss_qop_t * qop_state );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_wrap (
 	OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
@@ -318,7 +291,27 @@ _gss_spnego_wrap (
 	int * /*conf_state*/,
 	gss_buffer_t output_message_buffer );
 
-OM_uint32
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	int * /*conf_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
+
+OM_uint32 GSSAPI_CALLCONV
+_gss_spnego_wrap_iov_length (
+	OM_uint32 * /*minor_status*/,
+	gss_ctx_id_t /*context_handle*/,
+	int /*conf_req_flag*/,
+	gss_qop_t /*qop_req*/,
+	int */*conf_state*/,
+	gss_iov_buffer_desc */*iov*/,
+	int /*iov_count*/);
+
+OM_uint32 GSSAPI_CALLCONV
 _gss_spnego_wrap_size_limit (
 	 OM_uint32 * /*minor_status*/,
 	const gss_ctx_id_t /*context_handle*/,
diff --git a/lib/gssapi/spnego/spnego.asn1 b/lib/gssapi/spnego/spnego.asn1
index 058f10ba3ad1..048e86bb43d5 100644
--- a/lib/gssapi/spnego/spnego.asn1
+++ b/lib/gssapi/spnego/spnego.asn1
@@ -1,4 +1,4 @@
--- $Id: spnego.asn1 21403 2007-07-04 08:13:12Z lha $
+-- $Id$
 
 SPNEGO DEFINITIONS ::=
 BEGIN
diff --git a/lib/gssapi/spnego/spnego.opt b/lib/gssapi/spnego/spnego.opt
new file mode 100644
index 000000000000..cbf2f2341dbf
--- /dev/null
+++ b/lib/gssapi/spnego/spnego.opt
@@ -0,0 +1 @@
+--sequence=MechTypeList
diff --git a/lib/gssapi/spnego/spnego_locl.h b/lib/gssapi/spnego/spnego_locl.h
index 44b24688e18f..3e151c7c2a4c 100644
--- a/lib/gssapi/spnego/spnego_locl.h
+++ b/lib/gssapi/spnego/spnego_locl.h
@@ -30,14 +30,12 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: spnego_locl.h 19411 2006-12-18 15:42:03Z lha $ */
+/* $Id$ */
 
 #ifndef SPNEGO_LOCL_H
 #define SPNEGO_LOCL_H
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
@@ -46,12 +44,15 @@
 #include <sys/param.h>
 #endif
 
+#include <roken.h>
+
 #ifdef HAVE_PTHREAD_H
 #include <pthread.h>
 #endif
 
-#include <gssapi/gssapi_spnego.h>
 #include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
@@ -67,18 +68,14 @@
 #include <gssapi_mech.h>
 
 #include "spnego_asn1.h"
-#include "mech/utils.h"
+#include "utils.h"
 #include <der.h>
 
-#include <roken.h>
+#include <heimbase.h>
 
 #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
 
 typedef struct {
-	gss_cred_id_t		negotiated_cred_id;
-} *gssspnego_cred;
-
-typedef struct {
 	MechTypeList		initiator_mech_types;
 	gss_OID			preferred_mech_type;
 	gss_OID			negotiated_mech_type;
@@ -86,7 +83,6 @@ typedef struct {
 	OM_uint32		mech_flags;
 	OM_uint32		mech_time_rec;
 	gss_name_t		mech_src_name;
-	gss_cred_id_t		delegated_cred_id;
 	unsigned int		open : 1;
 	unsigned int		local : 1;
 	unsigned int		require_mic : 1;
@@ -110,6 +106,6 @@ typedef struct {
 extern gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc;
 extern gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc;
 
-#include <spnego/spnego-private.h>
+#include <spnego-private.h>
 
 #endif /* SPNEGO_LOCL_H */
diff --git a/lib/gssapi/test_acquire_cred.c b/lib/gssapi/test_acquire_cred.c
index fd2bc32dd52b..e1a929bf9620 100644
--- a/lib/gssapi/test_acquire_cred.c
+++ b/lib/gssapi/test_acquire_cred.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2003-2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003-2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -35,19 +35,19 @@
 #include <config.h>
 #endif
 
+#include <roken.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
 #include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
 #include <err.h>
-#include <roken.h>
 #include <getarg.h>
 
 #include "test_common.h"
 
-RCSID("$Id: test_acquire_cred.c 22129 2007-12-04 01:13:13Z lha $");
-
 static void
 print_time(OM_uint32 time_rec)
 {
@@ -79,7 +79,7 @@ test_add(gss_cred_id_t cred_handle)
 				 NULL,
 				 &time_rec,
 				 NULL);
-			    
+
     if (GSS_ERROR(major_status))
 	errx(1, "add_cred failed");
 
@@ -98,7 +98,7 @@ copy_cred(void)
     gss_cred_id_t cred_handle;
     OM_uint32 time_rec;
 
-    major_status = gss_acquire_cred(&minor_status, 
+    major_status = gss_acquire_cred(&minor_status,
 				    GSS_C_NO_NAME,
 				    0,
 				    NULL,
@@ -108,7 +108,7 @@ copy_cred(void)
 				    &time_rec);
     if (GSS_ERROR(major_status))
 	errx(1, "acquire_cred failed");
-	
+
     print_time(time_rec);
 
     test_add(cred_handle);
@@ -122,9 +122,10 @@ copy_cred(void)
 }
 #endif
 
-static void
+static gss_cred_id_t
 acquire_cred_service(const char *service,
 		     gss_OID nametype,
+		     gss_OID_set oidset,
 		     int flags)
 {
     OM_uint32 major_status, minor_status;
@@ -136,7 +137,7 @@ acquire_cred_service(const char *service,
     if (service) {
 	name_buffer.value = rk_UNCONST(service);
 	name_buffer.length = strlen(service);
-	
+
 	major_status = gss_import_name(&minor_status,
 				       &name_buffer,
 				       nametype,
@@ -145,18 +146,18 @@ acquire_cred_service(const char *service,
 	    errx(1, "import_name failed");
     }
 
-    major_status = gss_acquire_cred(&minor_status, 
+    major_status = gss_acquire_cred(&minor_status,
 				    name,
 				    0,
-				    NULL,
+				    oidset,
 				    flags,
 				    &cred_handle,
 				    NULL,
 				    &time_rec);
     if (GSS_ERROR(major_status)) {
-	warnx("acquire_cred failed: %s", 
+	warnx("acquire_cred failed: %s",
 	     gssapi_err(major_status, minor_status, GSS_C_NO_OID));
-    } else {    
+    } else {
 	print_time(time_rec);
 	gss_release_cred(&minor_status, &cred_handle);
     }
@@ -166,18 +167,28 @@ acquire_cred_service(const char *service,
 
     if (GSS_ERROR(major_status))
 	exit(1);
+
+    return cred_handle;
 }
 
 static int version_flag = 0;
 static int help_flag	= 0;
+static int kerberos_flag = 0;
+static int enctype = 0;
 static char *acquire_name;
 static char *acquire_type;
+static char *target_name;
 static char *name_type;
 static char *ccache;
+static int num_loops = 1;
 
 static struct getargs args[] = {
     {"acquire-name", 0,	arg_string,	&acquire_name, "name", NULL },
     {"acquire-type", 0,	arg_string,	&acquire_type, "type", NULL },
+    {"enctype", 0,	arg_integer,	&enctype, "enctype-num", NULL },
+    {"loops", 0,	arg_integer,	&num_loops, "enctype-num", NULL },
+    {"kerberos", 0,	arg_flag,	&kerberos_flag, "enctype-num", NULL },
+    {"target-name", 0,	arg_string,	&target_name, "name", NULL },
     {"ccache", 0,	arg_string,	&ccache, "name", NULL },
     {"name-type", 0,	arg_string,	&name_type, "type", NULL },
     {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
@@ -194,14 +205,19 @@ usage (int ret)
 int
 main(int argc, char **argv)
 {
-    int optidx = 0;
+    gss_OID_set oidset = GSS_C_NULL_OID_SET;
+    gss_OID mechoid = GSS_C_NO_OID;
+    OM_uint32 maj_stat, min_stat;
+    gss_cred_id_t cred;
+    gss_name_t target = GSS_C_NO_NAME;
+    int i, optidx = 0;
     OM_uint32 flag;
     gss_OID type;
 
     setprogname(argv[0]);
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
-    
+
     if (help_flag)
 	usage (0);
 
@@ -227,7 +243,7 @@ main(int argc, char **argv)
 	    errx(1, "unknown type %s", acquire_type);
     } else
 	flag = GSS_C_ACCEPT;
-	
+
     if (name_type) {
 	if (strcasecmp("hostbased-service", name_type) == 0)
 	    type = GSS_C_NT_HOSTBASED_SERVICE;
@@ -239,15 +255,75 @@ main(int argc, char **argv)
 	type = GSS_C_NT_HOSTBASED_SERVICE;
 
     if (ccache) {
-	OM_uint32 major_status, minor_status;
-	major_status = gss_krb5_ccache_name(&minor_status,
-					    ccache, NULL);
-	if (GSS_ERROR(major_status))
-	    errx(1, "gss_krb5_ccache_name %s", 
-		 gssapi_err(major_status, minor_status, GSS_C_NO_OID));
+	maj_stat = gss_krb5_ccache_name(&min_stat, ccache, NULL);
+	if (GSS_ERROR(maj_stat))
+	    errx(1, "gss_krb5_ccache_name %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    }
+
+    if (kerberos_flag) {
+	mechoid = GSS_KRB5_MECHANISM;
+
+	maj_stat = gss_create_empty_oid_set(&min_stat, &oidset);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_create_empty_oid_set: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+
+	maj_stat = gss_add_oid_set_member(&min_stat, GSS_KRB5_MECHANISM, &oidset);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_add_oid_set_member: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    }
+
+    if (target_name) {
+	gss_buffer_desc name;
+
+	name.value = target_name;
+	name.length = strlen(target_name);
+	maj_stat = gss_import_name(&min_stat, &name,
+				   GSS_C_NT_HOSTBASED_SERVICE, &target);
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_import_name: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    }
+
+    for (i = 0; i < num_loops; i++) {
+
+	cred = acquire_cred_service(acquire_name, type, oidset, flag);
+
+	if (enctype) {
+	    int32_t enctypelist = enctype;
+
+	    maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, cred,
+						       1, &enctypelist);
+	    if (maj_stat)
+		errx(1, "gss_krb5_set_allowable_enctypes: %s",
+		     gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+	}
+
+	if (target) {
+	    gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+	    gss_buffer_desc out;
+
+	    out.length = 0;
+	    out.value = NULL;
+
+	    maj_stat = gss_init_sec_context(&min_stat,
+					    cred, &context,
+					    target, mechoid,
+					    GSS_C_MUTUAL_FLAG, 0, NULL,
+					    GSS_C_NO_BUFFER, NULL,
+					    &out, NULL, NULL);
+	    if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
+		errx(1, "init_sec_context failed: %s",
+		     gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+
+	    gss_release_buffer(&min_stat, &out);
+	    gss_delete_sec_context(&min_stat, &context, NULL);
+	}
+	gss_release_cred(&min_stat, &cred);
     }
 
-    acquire_cred_service(acquire_name, type, flag);
 
     return 0;
 }
diff --git a/lib/gssapi/test_common.c b/lib/gssapi/test_common.c
index 329180f23387..8251aef867c5 100644
--- a/lib/gssapi/test_common.c
+++ b/lib/gssapi/test_common.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -35,8 +35,6 @@
 #include <err.h>
 #include "test_common.h"
 
-RCSID("$Id: test_common.c 20075 2007-01-31 06:05:19Z lha $");
-
 char *
 gssapi_err(OM_uint32 maj_stat, OM_uint32 min_stat, gss_OID mech)
 {
@@ -51,20 +49,21 @@ gssapi_err(OM_uint32 maj_stat, OM_uint32 min_stat, gss_OID mech)
 	maj_error_message.value = NULL;
 	min_error_message.length = 0;
 	min_error_message.value = NULL;
-	
-	disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, 
+
+	disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat,
 					   GSS_C_GSS_CODE,
 					   mech, &msg_ctx, &maj_error_message);
 	disp_maj_stat = gss_display_status(&disp_min_stat, min_stat,
 					   GSS_C_MECH_CODE,
 					   mech, &msg_ctx, &min_error_message);
-	asprintf(&ret, "gss-code: %lu %.*s\nmech-code: %lu %.*s", 
-		 (unsigned long)maj_stat,
-		 (int)maj_error_message.length, 
-		 (char *)maj_error_message.value, 
-		 (unsigned long)min_stat,
-		 (int)min_error_message.length, 
-		 (char *)min_error_message.value);
+	if (asprintf(&ret, "gss-code: %lu %.*s -- mech-code: %lu %.*s",
+		     (unsigned long)maj_stat,
+		     (int)maj_error_message.length,
+		     (char *)maj_error_message.value,
+		     (unsigned long)min_stat,
+		     (int)min_error_message.length,
+		     (char *)min_error_message.value) < 0 || ret == NULL)
+	    errx(1, "malloc");
 
 	gss_release_buffer(&disp_min_stat, &maj_error_message);
 	gss_release_buffer(&disp_min_stat, &min_error_message);
diff --git a/lib/gssapi/test_common.h b/lib/gssapi/test_common.h
index 8e78a5d30ec4..fda2949609a9 100644
--- a/lib/gssapi/test_common.h
+++ b/lib/gssapi/test_common.h
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -31,6 +31,6 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: test_common.h 20075 2007-01-31 06:05:19Z lha $ */
+/* $Id$ */
 
 char * gssapi_err(OM_uint32, OM_uint32, gss_OID);
diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c
index e02535aec22a..5bdf474d9b93 100644
--- a/lib/gssapi/test_context.c
+++ b/lib/gssapi/test_context.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -34,41 +34,67 @@
 #include "krb5/gsskrb5_locl.h"
 #include <err.h>
 #include <getarg.h>
+#include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
+#include <gssapi_ntlm.h>
 #include "test_common.h"
 
-RCSID("$Id: test_context.c 20075 2007-01-31 06:05:19Z lha $");
-
 static char *type_string;
 static char *mech_string;
 static char *ret_mech_string;
+static char *client_name;
+static char *client_password;
 static int dns_canon_flag = -1;
 static int mutual_auth_flag = 0;
 static int dce_style_flag = 0;
 static int wrapunwrap_flag = 0;
+static int iov_flag = 0;
 static int getverifymic_flag = 0;
 static int deleg_flag = 0;
+static int policy_deleg_flag = 0;
+static int server_no_deleg_flag = 0;
+static int ei_flag = 0;
+static char *gsskrb5_acceptor_identity = NULL;
+static char *session_enctype_string = NULL;
+static int client_time_offset = 0;
+static int server_time_offset = 0;
+static int max_loops = 0;
+static char *limit_enctype_string = NULL;
 static int version_flag = 0;
 static int verbose_flag = 0;
 static int help_flag	= 0;
 
+static krb5_context context;
+static krb5_enctype limit_enctype = 0;
+
 static struct {
     const char *name;
-    gss_OID *oid;
+    gss_OID oid;
 } o2n[] = {
-    { "krb5", &GSS_KRB5_MECHANISM },
-    { "spnego", &GSS_SPNEGO_MECHANISM },
-    { "ntlm", &GSS_NTLM_MECHANISM },
-    { "sasl-digest-md5", &GSS_SASL_DIGEST_MD5_MECHANISM }
+    { "krb5", NULL /* GSS_KRB5_MECHANISM */ },
+    { "spnego", NULL /* GSS_SPNEGO_MECHANISM */ },
+    { "ntlm", NULL /* GSS_NTLM_MECHANISM */ },
+    { "sasl-digest-md5", NULL /* GSS_SASL_DIGEST_MD5_MECHANISM */ }
 };
 
+static void
+init_o2n(void)
+{
+    o2n[0].oid = GSS_KRB5_MECHANISM;
+    o2n[1].oid = GSS_SPNEGO_MECHANISM;
+    o2n[2].oid = GSS_NTLM_MECHANISM;
+    o2n[3].oid = GSS_SASL_DIGEST_MD5_MECHANISM;
+}
+
 static gss_OID
 string_to_oid(const char *name)
 {
     int i;
     for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
 	if (strcasecmp(name, o2n[i].name) == 0)
-	    return *o2n[i].oid;
-    errx(1, "name %s not unknown", name);
+	    return o2n[i].oid;
+    errx(1, "name '%s' not unknown", name);
 }
 
 static const char *
@@ -76,7 +102,7 @@ oid_to_string(const gss_OID oid)
 {
     int i;
     for (i = 0; i < sizeof(o2n)/sizeof(o2n[0]); i++)
-	if (gss_oid_equal(oid, *o2n[i].oid))
+	if (gss_oid_equal(oid, o2n[i].oid))
 	    return o2n[i].name;
     return "unknown oid";
 }
@@ -86,16 +112,17 @@ loop(gss_OID mechoid,
      gss_OID nameoid, const char *target,
      gss_cred_id_t init_cred,
      gss_ctx_id_t *sctx, gss_ctx_id_t *cctx,
-     gss_OID *actual_mech, 
+     gss_OID *actual_mech,
      gss_cred_id_t *deleg_cred)
 {
     int server_done = 0, client_done = 0;
+    int num_loops = 0;
     OM_uint32 maj_stat, min_stat;
     gss_name_t gss_target_name;
     gss_buffer_desc input_token, output_token;
     OM_uint32 flags = 0, ret_cflags, ret_sflags;
-    gss_OID actual_mech_client; 
-    gss_OID actual_mech_server; 
+    gss_OID actual_mech_client;
+    gss_OID actual_mech_server;
 
     *actual_mech = GSS_C_NO_OID;
 
@@ -108,6 +135,8 @@ loop(gss_OID mechoid,
 	flags |= GSS_C_DCE_STYLE;
     if (deleg_flag)
 	flags |= GSS_C_DELEG_FLAG;
+    if (policy_deleg_flag)
+	flags |= GSS_C_DELEG_POLICY_FLAG;
 
     input_token.value = rk_UNCONST(target);
     input_token.length = strlen(target);
@@ -123,14 +152,17 @@ loop(gss_OID mechoid,
     input_token.value = NULL;
 
     while (!server_done || !client_done) {
+	num_loops++;
+
+	gsskrb5_set_time_offset(client_time_offset);
 
 	maj_stat = gss_init_sec_context(&min_stat,
 					init_cred,
 					cctx,
 					gss_target_name,
-					mechoid, 
+					mechoid,
 					flags,
-					0, 
+					0,
 					NULL,
 					&input_token,
 					&actual_mech_client,
@@ -145,12 +177,16 @@ loop(gss_OID mechoid,
 	else
 	    client_done = 1;
 
+	gsskrb5_get_time_offset(&client_time_offset);
+
 	if (client_done && server_done)
 	    break;
 
 	if (input_token.length != 0)
 	    gss_release_buffer(&min_stat, &input_token);
 
+	gsskrb5_set_time_offset(server_time_offset);
+
 	maj_stat = gss_accept_sec_context(&min_stat,
 					  sctx,
 					  GSS_C_NO_CREDENTIAL,
@@ -166,8 +202,7 @@ loop(gss_OID mechoid,
 		errx(1, "accept_sec_context: %s",
 		     gssapi_err(maj_stat, min_stat, actual_mech_server));
 
-	if (verbose_flag)
-	    printf("%.*s", (int)input_token.length, (char *)input_token.value);
+	gsskrb5_get_time_offset(&server_time_offset);
 
 	if (output_token.length != 0)
 	    gss_release_buffer(&min_stat, &output_token);
@@ -176,24 +211,42 @@ loop(gss_OID mechoid,
 	    ;
 	else
 	    server_done = 1;
-    }	
+    }
     if (output_token.length != 0)
 	gss_release_buffer(&min_stat, &output_token);
     if (input_token.length != 0)
 	gss_release_buffer(&min_stat, &input_token);
     gss_release_name(&min_stat, &gss_target_name);
 
+    if (deleg_flag || policy_deleg_flag) {
+	if (server_no_deleg_flag) {
+	    if (*deleg_cred != GSS_C_NO_CREDENTIAL)
+		errx(1, "got delegated cred but didn't expect one");
+	} else if (*deleg_cred == GSS_C_NO_CREDENTIAL)
+	    errx(1, "asked for delegarated cred but did get one");
+    } else if (*deleg_cred != GSS_C_NO_CREDENTIAL)
+	  errx(1, "got deleg_cred cred but didn't ask");
+
     if (gss_oid_equal(actual_mech_server, actual_mech_client) == 0)
 	errx(1, "mech mismatch");
     *actual_mech = actual_mech_server;
+
+    if (max_loops && num_loops > max_loops)
+	errx(1, "num loops %d was lager then max loops %d",
+	     num_loops, max_loops);
+
+    if (verbose_flag) {
+	printf("server time offset: %d\n", server_time_offset);
+	printf("client time offset: %d\n", client_time_offset);
+	printf("num loops %d\n", num_loops);
+    }
 }
 
 static void
-wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
+wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
 {
     gss_buffer_desc input_token, output_token, output_token2;
     OM_uint32 min_stat, maj_stat;
-    int32_t flags = 0;
     gss_qop_t qop_state;
     int conf_state;
 
@@ -211,6 +264,155 @@ wrapunwrap(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
     if (maj_stat != GSS_S_COMPLETE)
 	errx(1, "gss_unwrap failed: %s",
 	     gssapi_err(maj_stat, min_stat, mechoid));
+
+    gss_release_buffer(&min_stat, &output_token);
+    gss_release_buffer(&min_stat, &output_token2);
+
+#if 0 /* doesn't work for NTLM yet */
+    if (!!conf_state != !!flags)
+	errx(1, "conf_state mismatch");
+#endif
+}
+
+#define USE_CONF		1
+#define USE_HEADER_ONLY		2
+#define USE_SIGN_ONLY		4
+#define FORCE_IOV		8
+
+static void
+wrapunwrap_iov(gss_ctx_id_t cctx, gss_ctx_id_t sctx, int flags, gss_OID mechoid)
+{
+    krb5_data token, header, trailer;
+    OM_uint32 min_stat, maj_stat;
+    gss_qop_t qop_state;
+    int conf_state, conf_state2;
+    gss_iov_buffer_desc iov[6];
+    unsigned char *p;
+    int iov_len;
+    char header_data[9] = "ABCheader";
+    char trailer_data[10] = "trailerXYZ";
+
+    char token_data[16] = "0123456789abcdef";
+
+    memset(&iov, 0, sizeof(iov));
+
+    if (flags & USE_SIGN_ONLY) {
+	header.data = header_data;
+	header.length = 9;
+	trailer.data = trailer_data;
+	trailer.length = 10;
+    } else {
+	header.data = NULL;
+	header.length = 0;
+	trailer.data = NULL;
+	trailer.length = 0;
+    }
+
+    token.data = token_data;
+    token.length = 16;
+
+    iov_len = sizeof(iov)/sizeof(iov[0]);
+
+    memset(iov, 0, sizeof(iov));
+
+    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
+
+    if (header.length != 0) {
+	iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+	iov[1].buffer.length = header.length;
+	iov[1].buffer.value = header.data;
+    } else {
+	iov[1].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+	iov[1].buffer.length = 0;
+	iov[1].buffer.value = NULL;
+    }
+    iov[2].type = GSS_IOV_BUFFER_TYPE_DATA;
+    iov[2].buffer.length = token.length;
+    iov[2].buffer.value = token.data;
+    if (trailer.length != 0) {
+	iov[3].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
+	iov[3].buffer.length = trailer.length;
+	iov[3].buffer.value = trailer.data;
+    } else {
+	iov[3].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+	iov[3].buffer.length = 0;
+	iov[3].buffer.value = NULL;
+    }
+    if (dce_style_flag) {
+	iov[4].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+    } else {
+	iov[4].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
+    }
+    iov[4].buffer.length = 0;
+    iov[4].buffer.value = 0;
+    if (dce_style_flag) {
+	iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+    } else if (flags & USE_HEADER_ONLY) {
+	iov[5].type = GSS_IOV_BUFFER_TYPE_EMPTY;
+    } else {
+	iov[5].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE;
+    }
+    iov[5].buffer.length = 0;
+    iov[5].buffer.value = 0;
+
+    maj_stat = gss_wrap_iov(&min_stat, cctx, dce_style_flag || flags & USE_CONF, 0, &conf_state,
+			    iov, iov_len);
+    if (maj_stat != GSS_S_COMPLETE)
+	errx(1, "gss_wrap_iov failed");
+
+    token.length =
+	iov[0].buffer.length +
+	iov[1].buffer.length +
+	iov[2].buffer.length +
+	iov[3].buffer.length +
+	iov[4].buffer.length +
+	iov[5].buffer.length;
+    token.data = emalloc(token.length);
+
+    p = token.data;
+    memcpy(p, iov[0].buffer.value, iov[0].buffer.length);
+    p += iov[0].buffer.length;
+    memcpy(p, iov[1].buffer.value, iov[1].buffer.length);
+    p += iov[1].buffer.length;
+    memcpy(p, iov[2].buffer.value, iov[2].buffer.length);
+    p += iov[2].buffer.length;
+    memcpy(p, iov[3].buffer.value, iov[3].buffer.length);
+    p += iov[3].buffer.length;
+    memcpy(p, iov[4].buffer.value, iov[4].buffer.length);
+    p += iov[4].buffer.length;
+    memcpy(p, iov[5].buffer.value, iov[5].buffer.length);
+    p += iov[5].buffer.length;
+
+    assert(p - ((unsigned char *)token.data) == token.length);
+
+    if ((flags & (USE_SIGN_ONLY|FORCE_IOV)) == 0) {
+	gss_buffer_desc input, output;
+
+	input.value = token.data;
+	input.length = token.length;
+
+	maj_stat = gss_unwrap(&min_stat, sctx, &input,
+			      &output, &conf_state2, &qop_state);
+
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_unwrap from gss_wrap_iov failed: %s",
+		 gssapi_err(maj_stat, min_stat, mechoid));
+
+	gss_release_buffer(&min_stat, &output);
+    } else {
+	maj_stat = gss_unwrap_iov(&min_stat, sctx, &conf_state2, &qop_state,
+				  iov, iov_len);
+
+	if (maj_stat != GSS_S_COMPLETE)
+	    errx(1, "gss_unwrap_iov failed: %x %s", flags,
+		 gssapi_err(maj_stat, min_stat, mechoid));
+
+    }
+    if (conf_state2 != conf_state)
+	errx(1, "conf state wrong for iov: %x", flags);
+
+
+    free(token.data);
 }
 
 static void
@@ -234,8 +436,24 @@ getverifymic(gss_ctx_id_t cctx, gss_ctx_id_t sctx, gss_OID mechoid)
     if (maj_stat != GSS_S_COMPLETE)
 	errx(1, "gss_verify_mic failed: %s",
 	     gssapi_err(maj_stat, min_stat, mechoid));
+
+    gss_release_buffer(&min_stat, &output_token);
 }
 
+static void
+empty_release(void)
+{
+    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
+    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+    gss_name_t name = GSS_C_NO_NAME;
+    gss_OID_set oidset = GSS_C_NO_OID_SET;
+    OM_uint32 junk;
+
+    gss_delete_sec_context(&junk, &ctx, NULL);
+    gss_release_cred(&junk, &cred);
+    gss_release_name(&junk, &name);
+    gss_release_oid_set(&junk, &oidset);
+}
 
 /*
  *
@@ -246,14 +464,27 @@ static struct getargs args[] = {
     {"mech-type",0,	arg_string, &mech_string,  "type of mech", NULL },
     {"ret-mech-type",0,	arg_string, &ret_mech_string,
      "type of return mech", NULL },
-    {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag, 
+    {"dns-canonicalize",0,arg_negative_flag, &dns_canon_flag,
      "use dns to canonicalize", NULL },
     {"mutual-auth",0,	arg_flag,	&mutual_auth_flag,"mutual auth", NULL },
+    {"client-name", 0,  arg_string,     &client_name, "client name", NULL },
+    {"client-password", 0,  arg_string, &client_password, "client password", NULL },
+    {"limit-enctype",0,	arg_string,	&limit_enctype_string, "enctype", NULL },
     {"dce-style",0,	arg_flag,	&dce_style_flag, "dce-style", NULL },
     {"wrapunwrap",0,	arg_flag,	&wrapunwrap_flag, "wrap/unwrap", NULL },
-    {"getverifymic",0,	arg_flag,	&getverifymic_flag, 
+    {"iov", 0, 		arg_flag,	&iov_flag, "wrap/unwrap iov", NULL },
+    {"getverifymic",0,	arg_flag,	&getverifymic_flag,
      "get and verify mic", NULL },
     {"delegate",0,	arg_flag,	&deleg_flag, "delegate credential", NULL },
+    {"policy-delegate",0,	arg_flag,	&policy_deleg_flag, "policy delegate credential", NULL },
+    {"server-no-delegate",0,	arg_flag,	&server_no_deleg_flag,
+     "server should get a credential", NULL },
+    {"export-import-cred",0,	arg_flag,	&ei_flag, "test export/import cred", NULL },
+    {"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL },
+    {"session-enctype",	0, arg_string,	&session_enctype_string, "enctype", NULL },
+    {"client-time-offset",	0, arg_integer,	&client_time_offset, "time", NULL },
+    {"server-time-offset",	0, arg_integer,	&server_time_offset, "time", NULL },
+    {"max-loops",	0, arg_integer,	&max_loops, "time", NULL },
     {"version",	0,	arg_flag,	&version_flag, "print version", NULL },
     {"verbose",	'v',	arg_flag,	&verbose_flag, "verbose", NULL },
     {"help",	0,	arg_flag,	&help_flag,  NULL, NULL }
@@ -274,16 +505,23 @@ main(int argc, char **argv)
     OM_uint32 min_stat, maj_stat;
     gss_ctx_id_t cctx, sctx;
     void *ctx;
-    gss_OID nameoid, mechoid, actual_mech;
-    gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
+    gss_OID nameoid, mechoid, actual_mech, actual_mech2;
+    gss_cred_id_t client_cred = GSS_C_NO_CREDENTIAL, deleg_cred = GSS_C_NO_CREDENTIAL;
+    gss_name_t cname = GSS_C_NO_NAME;
+    gss_buffer_desc credential_data = GSS_C_EMPTY_BUFFER;
 
     setprogname(argv[0]);
 
+    init_o2n();
+
+    if (krb5_init_context(&context))
+	errx(1, "krb5_init_context");
+
     cctx = sctx = GSS_C_NO_CONTEXT;
 
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
 	usage(1);
-    
+
     if (help_flag)
 	usage (0);
 
@@ -312,12 +550,85 @@ main(int argc, char **argv)
 
     if (mech_string == NULL)
 	mechoid = GSS_KRB5_MECHANISM;
-    else 
+    else
 	mechoid = string_to_oid(mech_string);
 
-    loop(mechoid, nameoid, argv[0], GSS_C_NO_CREDENTIAL,
+    if (gsskrb5_acceptor_identity) {
+	maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
+	if (maj_stat)
+	    errx(1, "gsskrb5_acceptor_identity: %s",
+		 gssapi_err(maj_stat, 0, GSS_C_NO_OID));
+    }
+
+    if (client_password) {
+	credential_data.value = client_password;
+	credential_data.length = strlen(client_password);
+    }
+
+    if (client_name) {
+	gss_buffer_desc cn;
+
+	cn.value = client_name;
+	cn.length = strlen(client_name);
+
+	maj_stat = gss_import_name(&min_stat, &cn, GSS_C_NT_USER_NAME, &cname);
+	if (maj_stat)
+	    errx(1, "gss_import_name: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    }
+
+    if (client_password) {
+	maj_stat = gss_acquire_cred_with_password(&min_stat,
+						  cname,
+						  &credential_data,
+						  GSS_C_INDEFINITE,
+						  GSS_C_NO_OID_SET,
+						  GSS_C_INITIATE,
+						  &client_cred,
+						  NULL,
+						  NULL);
+	if (GSS_ERROR(maj_stat))
+	    errx(1, "gss_acquire_cred_with_password: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    } else {
+	maj_stat = gss_acquire_cred(&min_stat,
+				    cname,
+				    GSS_C_INDEFINITE,
+				    GSS_C_NO_OID_SET,
+				    GSS_C_INITIATE,
+				    &client_cred,
+				    NULL,
+				    NULL);
+	if (GSS_ERROR(maj_stat))
+	    errx(1, "gss_acquire_cred: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    }
+
+    if (limit_enctype_string) {
+	krb5_error_code ret;
+
+	ret = krb5_string_to_enctype(context,
+				     limit_enctype_string,
+				     &limit_enctype);
+	if (ret)
+	    krb5_err(context, 1, ret, "krb5_string_to_enctype");
+    }
+
+
+    if (limit_enctype) {
+	if (client_cred == NULL)
+	    errx(1, "client_cred missing");
+
+	maj_stat = gss_krb5_set_allowable_enctypes(&min_stat, client_cred,
+						   1, &limit_enctype);
+	if (maj_stat)
+	    errx(1, "gss_krb5_set_allowable_enctypes: %s",
+		 gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
+    }
+
+    loop(mechoid, nameoid, argv[0], client_cred,
 	 &sctx, &cctx, &actual_mech, &deleg_cred);
-    
+
     if (verbose_flag)
 	printf("resulting mech: %s\n", oid_to_string(actual_mech));
 
@@ -327,43 +638,38 @@ main(int argc, char **argv)
 	retoid = string_to_oid(ret_mech_string);
 
 	if (gss_oid_equal(retoid, actual_mech) == 0)
-	    errx(1, "actual_mech mech is not the expected type %s", 
+	    errx(1, "actual_mech mech is not the expected type %s",
 		 ret_mech_string);
     }
 
     /* XXX should be actual_mech */
-    if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) { 
-	krb5_context context;
-	time_t time, skew;
+    if (gss_oid_equal(mechoid, GSS_KRB5_MECHANISM)) {
+	time_t time;
 	gss_buffer_desc authz_data;
 	gss_buffer_desc in, out1, out2;
 	krb5_keyblock *keyblock, *keyblock2;
 	krb5_timestamp now;
 	krb5_error_code ret;
 
-	ret = krb5_init_context(&context);
+	ret = krb5_timeofday(context, &now);
 	if (ret)
-	    errx(1, "krb5_init_context");
+	    errx(1, "krb5_timeofday failed");
 
-	ret = krb5_timeofday(context, &now);
-	if (ret) 
-		errx(1, "krb5_timeofday failed");
-	
 	/* client */
 	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 						     &cctx,
 						     1, /* version */
 						     &ctx);
 	if (maj_stat != GSS_S_COMPLETE)
-		errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
-		     gssapi_err(maj_stat, min_stat, actual_mech));
-	
-	
+	    errx(1, "gss_krb5_export_lucid_sec_context failed: %s",
+		 gssapi_err(maj_stat, min_stat, actual_mech));
+
+
 	maj_stat = gss_krb5_free_lucid_sec_context(&maj_stat, ctx);
 	if (maj_stat != GSS_S_COMPLETE)
 	    errx(1, "gss_krb5_free_lucid_sec_context failed: %s",
 		     gssapi_err(maj_stat, min_stat, actual_mech));
-	
+
 	/* server */
 	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 						     &sctx,
@@ -384,13 +690,10 @@ main(int argc, char **argv)
 	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: %s",
 		     gssapi_err(maj_stat, min_stat, actual_mech));
 
-	skew = abs(time - now);
-	if (skew > krb5_get_max_time_skew(context)) {
+	if (time > now)
 	    errx(1, "gsskrb5_extract_authtime_from_sec_context failed: "
-		 "time skew too great %llu > %llu", 
-		 (unsigned long long)skew, 
-		 (unsigned long long)krb5_get_max_time_skew(context));
-	}
+		 "time authtime is before now: %ld %ld",
+		 (long)time, (long)now);
 
  	maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
 						    sctx,
@@ -404,24 +707,28 @@ main(int argc, char **argv)
  	maj_stat = gsskrb5_get_subkey(&min_stat,
 				      sctx,
 				      &keyblock);
-	if (maj_stat != GSS_S_COMPLETE 
+	if (maj_stat != GSS_S_COMPLETE
 	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
 	    errx(1, "gsskrb5_get_subkey server failed: %s",
 		     gssapi_err(maj_stat, min_stat, actual_mech));
 
 	if (maj_stat != GSS_S_COMPLETE)
 	    keyblock = NULL;
-	
+	else if (limit_enctype && keyblock->keytype != limit_enctype)
+	    errx(1, "gsskrb5_get_subkey wrong enctype");
+
  	maj_stat = gsskrb5_get_subkey(&min_stat,
 				      cctx,
 				      &keyblock2);
-	if (maj_stat != GSS_S_COMPLETE 
+	if (maj_stat != GSS_S_COMPLETE
 	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
 	    errx(1, "gsskrb5_get_subkey client failed: %s",
 		     gssapi_err(maj_stat, min_stat, actual_mech));
 
 	if (maj_stat != GSS_S_COMPLETE)
 	    keyblock2 = NULL;
+	else if (limit_enctype && keyblock->keytype != limit_enctype)
+	    errx(1, "gsskrb5_get_subkey wrong enctype");
 
 	if (keyblock || keyblock2) {
 	    if (keyblock == NULL)
@@ -433,11 +740,26 @@ main(int argc, char **argv)
 		errx(1, "enctype mismatch");
 	    if (keyblock->keyvalue.length != keyblock2->keyvalue.length)
 		errx(1, "key length mismatch");
-	    if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data, 
+	    if (memcmp(keyblock->keyvalue.data, keyblock2->keyvalue.data,
 		       keyblock2->keyvalue.length) != 0)
 		errx(1, "key data mismatch");
 	}
 
+	if (session_enctype_string) {
+	    krb5_enctype enctype;
+
+	    ret = krb5_string_to_enctype(context,
+					 session_enctype_string,
+					 &enctype);
+
+	    if (ret)
+		krb5_err(context, 1, ret, "krb5_string_to_enctype");
+
+	    if (enctype != keyblock->keytype)
+		errx(1, "keytype is not the expected %d != %d",
+		     (int)enctype, (int)keyblock2->keytype);
+	}
+
 	if (keyblock)
 	    krb5_free_keyblock(context, keyblock);
 	if (keyblock2)
@@ -446,13 +768,17 @@ main(int argc, char **argv)
  	maj_stat = gsskrb5_get_initiator_subkey(&min_stat,
 						sctx,
 						&keyblock);
-	if (maj_stat != GSS_S_COMPLETE 
+	if (maj_stat != GSS_S_COMPLETE
 	    && (!(maj_stat == GSS_S_FAILURE && min_stat == GSS_KRB5_S_KG_NO_SUBKEY)))
 	    errx(1, "gsskrb5_get_initiator_subkey failed: %s",
 		     gssapi_err(maj_stat, min_stat, actual_mech));
 
-	if (maj_stat == GSS_S_COMPLETE)
+	if (maj_stat == GSS_S_COMPLETE) {
+
+	    if (limit_enctype && keyblock->keytype != limit_enctype)
+		errx(1, "gsskrb5_get_initiator_subkey wrong enctype");
 	    krb5_free_keyblock(context, keyblock);
+	}
 
  	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
 							       sctx,
@@ -461,8 +787,6 @@ main(int argc, char **argv)
 	if (maj_stat == GSS_S_COMPLETE)
 	    gss_release_buffer(&min_stat, &authz_data);
 
-	krb5_free_context(context);
-
 
 	memset(&out1, 0, sizeof(out1));
 	memset(&out2, 0, sizeof(out2));
@@ -470,19 +794,19 @@ main(int argc, char **argv)
 	in.value = "foo";
 	in.length = 3;
 
-	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in, 
+	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
 			  100, &out1);
-	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in, 
+	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_FULL, &in,
 			  100, &out2);
 
 	if (out1.length != out2.length)
 	    errx(1, "prf len mismatch");
 	if (memcmp(out1.value, out2.value, out1.length) != 0)
 	    errx(1, "prf data mismatch");
-	
+
 	gss_release_buffer(&min_stat, &out1);
 
-	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in, 
+	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_FULL, &in,
 			  100, &out1);
 
 	if (out1.length != out2.length)
@@ -496,9 +820,9 @@ main(int argc, char **argv)
 	in.value = "bar";
 	in.length = 3;
 
-	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in, 
+	gss_pseudo_random(&min_stat, sctx, GSS_C_PRF_KEY_PARTIAL, &in,
 			  100, &out1);
-	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in, 
+	gss_pseudo_random(&min_stat, cctx, GSS_C_PRF_KEY_PARTIAL, &in,
 			  100, &out2);
 
 	if (out1.length != out2.length)
@@ -514,11 +838,48 @@ main(int argc, char **argv)
     }
 
     if (wrapunwrap_flag) {
-	wrapunwrap(cctx, sctx, actual_mech);
-	wrapunwrap(cctx, sctx, actual_mech);
-	wrapunwrap(sctx, cctx, actual_mech);
-	wrapunwrap(sctx, cctx, actual_mech);
+	wrapunwrap(cctx, sctx, 0, actual_mech);
+	wrapunwrap(cctx, sctx, 1, actual_mech);
+	wrapunwrap(sctx, cctx, 0, actual_mech);
+	wrapunwrap(sctx, cctx, 1, actual_mech);
     }
+
+    if (iov_flag) {
+	wrapunwrap_iov(cctx, sctx, 0, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
+
+	wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
+
+	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
+
+/* works */
+	wrapunwrap_iov(cctx, sctx, 0, actual_mech);
+	wrapunwrap_iov(cctx, sctx, FORCE_IOV, actual_mech);
+
+	wrapunwrap_iov(cctx, sctx, USE_CONF, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|FORCE_IOV, actual_mech);
+
+	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_SIGN_ONLY|FORCE_IOV, actual_mech);
+
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_SIGN_ONLY|FORCE_IOV, actual_mech);
+
+	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_HEADER_ONLY|FORCE_IOV, actual_mech);
+
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY, actual_mech);
+	wrapunwrap_iov(cctx, sctx, USE_CONF|USE_HEADER_ONLY|FORCE_IOV, actual_mech);
+    }
+
     if (getverifymic_flag) {
 	getverifymic(cctx, sctx, actual_mech);
 	getverifymic(cctx, sctx, actual_mech);
@@ -526,17 +887,84 @@ main(int argc, char **argv)
 	getverifymic(sctx, cctx, actual_mech);
     }
 
+
     gss_delete_sec_context(&min_stat, &cctx, NULL);
     gss_delete_sec_context(&min_stat, &sctx, NULL);
 
     if (deleg_cred != GSS_C_NO_CREDENTIAL) {
+	gss_cred_id_t cred2 = GSS_C_NO_CREDENTIAL;
+	gss_buffer_desc cb;
+
+	if (verbose_flag)
+	    printf("checking actual mech (%s) on delegated cred\n",
+		   oid_to_string(actual_mech));
+	loop(actual_mech, nameoid, argv[0], deleg_cred, &sctx, &cctx, &actual_mech2, &cred2);
+
+	gss_delete_sec_context(&min_stat, &cctx, NULL);
+	gss_delete_sec_context(&min_stat, &sctx, NULL);
 
-	loop(mechoid, nameoid, argv[0], deleg_cred, &cctx, &sctx, &actual_mech, NULL);
+	gss_release_cred(&min_stat, &cred2);
+
+	/* try again using SPNEGO */
+	if (verbose_flag)
+	    printf("checking spnego on delegated cred\n");
+	loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], deleg_cred, &sctx, &cctx,
+	     &actual_mech2, &cred2);
 
 	gss_delete_sec_context(&min_stat, &cctx, NULL);
 	gss_delete_sec_context(&min_stat, &sctx, NULL);
 
+	gss_release_cred(&min_stat, &cred2);
+
+	/* check export/import */
+	if (ei_flag) {
+
+	    maj_stat = gss_export_cred(&min_stat, deleg_cred, &cb);
+	    if (maj_stat != GSS_S_COMPLETE)
+		errx(1, "export failed: %s",
+		     gssapi_err(maj_stat, min_stat, NULL));
+
+	    maj_stat = gss_import_cred(&min_stat, &cb, &cred2);
+	    if (maj_stat != GSS_S_COMPLETE)
+		errx(1, "import failed: %s",
+		     gssapi_err(maj_stat, min_stat, NULL));
+
+	    gss_release_buffer(&min_stat, &cb);
+	    gss_release_cred(&min_stat, &deleg_cred);
+
+	    if (verbose_flag)
+		printf("checking actual mech (%s) on export/imported cred\n",
+		       oid_to_string(actual_mech));
+	    loop(actual_mech, nameoid, argv[0], cred2, &sctx, &cctx,
+		 &actual_mech2, &deleg_cred);
+
+	    gss_release_cred(&min_stat, &deleg_cred);
+
+	    gss_delete_sec_context(&min_stat, &cctx, NULL);
+	    gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+	    /* try again using SPNEGO */
+	    if (verbose_flag)
+		printf("checking SPNEGO on export/imported cred\n");
+	    loop(GSS_SPNEGO_MECHANISM, nameoid, argv[0], cred2, &sctx, &cctx,
+		 &actual_mech2, &deleg_cred);
+
+	    gss_release_cred(&min_stat, &deleg_cred);
+
+	    gss_delete_sec_context(&min_stat, &cctx, NULL);
+	    gss_delete_sec_context(&min_stat, &sctx, NULL);
+
+	    gss_release_cred(&min_stat, &cred2);
+
+	} else  {
+	    gss_release_cred(&min_stat, &deleg_cred);
+	}
+
     }
 
+    empty_release();
+
+    krb5_free_context(context);
+
     return 0;
 }
diff --git a/lib/gssapi/test_cred.c b/lib/gssapi/test_cred.c
index 5ecc89f360f9..23428050d1e8 100644
--- a/lib/gssapi/test_cred.c
+++ b/lib/gssapi/test_cred.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -35,17 +35,17 @@
 #include <config.h>
 #endif
 
+#include <roken.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
 #include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
 #include <err.h>
-#include <roken.h>
 #include <getarg.h>
 
-RCSID("$Id: test_cred.c 17750 2006-06-30 11:55:28Z lha $");
-
 static void
 gss_print_errors (int min_stat)
 {
@@ -62,7 +62,8 @@ gss_print_errors (int min_stat)
 				  &msg_ctx,
 				  &status_string);
 	if (!GSS_ERROR(ret)) {
-	    fprintf (stderr, "%s\n", (char *)status_string.value);
+	    fprintf (stderr, "%.*s\n", (int)status_string.length,
+					(char *)status_string.value);
 	    gss_release_buffer (&new_stat, &status_string);
 	}
     } while (!GSS_ERROR(ret) && msg_ctx != 0);
@@ -96,12 +97,12 @@ acquire_release_loop(gss_name_t name, int counter, gss_cred_usage_t usage)
 				    NULL,
 				    NULL);
 	if (maj_stat != GSS_S_COMPLETE)
-	    gss_err(1, min_stat, "aquire %d %d != GSS_S_COMPLETE", 
+	    gss_err(1, min_stat, "aquire %d %d != GSS_S_COMPLETE",
 		    i, (int)maj_stat);
-				    
+
 	maj_stat = gss_release_cred(&min_stat, &cred);
 	if (maj_stat != GSS_S_COMPLETE)
-	    gss_err(1, min_stat, "release %d %d != GSS_S_COMPLETE", 
+	    gss_err(1, min_stat, "release %d %d != GSS_S_COMPLETE",
 		    i, (int)maj_stat);
     }
 }
@@ -122,7 +123,7 @@ acquire_add_release_add(gss_name_t name, gss_cred_usage_t usage)
 				NULL);
     if (maj_stat != GSS_S_COMPLETE)
 	gss_err(1, min_stat, "aquire %d != GSS_S_COMPLETE", (int)maj_stat);
-    
+
     maj_stat = gss_add_cred(&min_stat,
 			    cred,
 			    GSS_C_NO_NAME,
@@ -134,7 +135,7 @@ acquire_add_release_add(gss_name_t name, gss_cred_usage_t usage)
 			    NULL,
 			    NULL,
 			    NULL);
-			    
+
     if (maj_stat != GSS_S_COMPLETE)
 	gss_err(1, min_stat, "add_cred %d != GSS_S_COMPLETE", (int)maj_stat);
 
@@ -191,7 +192,7 @@ main(int argc, char **argv)
     setprogname(argv[0]);
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
-    
+
     if (help_flag)
 	usage (0);
 
diff --git a/lib/gssapi/test_kcred.c b/lib/gssapi/test_kcred.c
index b774b0431ff9..a22d4ec9b8be 100644
--- a/lib/gssapi/test_kcred.c
+++ b/lib/gssapi/test_kcred.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -35,18 +35,18 @@
 #include <config.h>
 #endif
 
+#include <roken.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
 #include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
 #include <krb5.h>
 #include <err.h>
-#include <roken.h>
 #include <getarg.h>
 
-RCSID("$Id: test_kcred.c 20694 2007-05-30 13:58:46Z lha $");
-
 static int version_flag = 0;
 static int help_flag	= 0;
 
@@ -79,9 +79,9 @@ copy_import(void)
     if (ret)
 	errx(1, "krb5_init_context");
 
-    ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
+    ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
     if (ret)
-	krb5_err(context, 1, ret, "krb5_cc_gen_new");
+	krb5_err(context, 1, ret, "krb5_cc_new_unique");
 
     maj_stat = gss_krb5_copy_ccache(&min_stat, cred1, id);
     if (maj_stat != GSS_S_COMPLETE)
@@ -101,7 +101,7 @@ copy_import(void)
 	errx(1, "gss_compare_name");
     if (!equal)
 	errx(1, "names not equal");
-	
+
     if (lifetime1 != lifetime2)
 	errx(1, "lifetime not equal %lu != %lu",
 	     (unsigned long)lifetime1, (unsigned long)lifetime2);
@@ -125,7 +125,7 @@ copy_import(void)
 	errx(1, "gss_compare_name");
     if (!equal)
 	errx(1, "names not equal");
-	
+
     if (lifetime1 != lifetime2)
 	errx(1, "lifetime not equal %lu != %lu",
 	     (unsigned long)lifetime1, (unsigned long)lifetime2);
@@ -168,7 +168,7 @@ main(int argc, char **argv)
     setprogname(argv[0]);
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
-    
+
     if (help_flag)
 	usage (0);
 
diff --git a/lib/gssapi/test_names.c b/lib/gssapi/test_names.c
index abc47690b008..654661153955 100644
--- a/lib/gssapi/test_names.c
+++ b/lib/gssapi/test_names.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -35,17 +35,17 @@
 #include <config.h>
 #endif
 
+#include <roken.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
 #include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
 #include <err.h>
-#include <roken.h>
 #include <getarg.h>
 
-RCSID("$Id: test_names.c 17856 2006-07-20 05:13:25Z lha $");
-
 static void
 gss_print_errors (int min_stat)
 {
@@ -62,7 +62,8 @@ gss_print_errors (int min_stat)
 				  &msg_ctx,
 				  &status_string);
 	if (!GSS_ERROR(ret)) {
-	    fprintf (stderr, "%s\n", (char *)status_string.value);
+	    fprintf (stderr, "%.*s\n", (int)status_string.length,
+					(char *)status_string.value);
 	    gss_release_buffer (&new_stat, &status_string);
 	}
     } while (!GSS_ERROR(ret) && msg_ctx != 0);
@@ -110,7 +111,7 @@ main(int argc, char **argv)
     setprogname(argv[0]);
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
-    
+
     if (help_flag)
 	usage (0);
 
@@ -122,12 +123,15 @@ main(int argc, char **argv)
     argc -= optidx;
     argv += optidx;
 
+    gsskrb5_set_default_realm("MIT.EDU");
+
     /*
      * test import/export
      */
 
+    str = NULL;
     len = asprintf(&str, "ftp@freeze-arrow.mit.edu");
-    if (len == -1)
+    if (len < 0 || str == NULL)
 	errx(1, "asprintf");
 
     name_buffer.value = str;
@@ -180,8 +184,9 @@ main(int argc, char **argv)
      * Dovecot SASL lib does this.
      */
 
+    str = NULL;
     len = asprintf(&str, "lha");
-    if (len == -1)
+    if (len < 0 || str == NULL)
 	errx(1, "asprintf");
 
     name_buffer.value = str;
diff --git a/lib/gssapi/test_ntlm.c b/lib/gssapi/test_ntlm.c
index 9bd0d1ee1cf0..9b289c27bd37 100644
--- a/lib/gssapi/test_ntlm.c
+++ b/lib/gssapi/test_ntlm.c
@@ -1,18 +1,18 @@
 /*
- * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
  * 3. Neither the name of KTH nor the names of its contributors may be
  *    used to endorse or promote products derived from this software without
@@ -33,22 +33,20 @@
 
 #include "config.h"
 
+#include <roken.h>
 #include <stdio.h>
 #include <gssapi.h>
 #include <err.h>
-#include <roken.h>
 #include <getarg.h>
 #include "test_common.h"
 
-RCSID("$Id: test_ntlm.c 22423 2008-01-13 09:45:03Z lha $");
-
 #include <krb5.h>
 #include <heimntlm.h>
 
 static int
 test_libntlm_v1(int flags)
 {
-    const char *user = "foo", 
+    const char *user = "foo",
 	*domain = "mydomain",
 	*password = "digestpassword";
     OM_uint32 maj_stat, min_stat;
@@ -60,7 +58,7 @@ test_libntlm_v1(int flags)
     struct ntlm_buf data;
     krb5_error_code ret;
     gss_name_t src_name = GSS_C_NO_NAME;
-    
+
     memset(&type1, 0, sizeof(type1));
     memset(&type2, 0, sizeof(type2));
     memset(&type3, 0, sizeof(type3));
@@ -120,7 +118,7 @@ test_libntlm_v1(int flags)
 	heim_ntlm_nt_key(password, &key);
 
 	heim_ntlm_calculate_ntlm1(key.data, key.length,
-				  type2.challange,
+				  type2.challenge,
 				  &type3.ntlm);
 
 	if (flags & NTLM_NEG_KEYEX) {
@@ -175,7 +173,7 @@ test_libntlm_v1(int flags)
 static int
 test_libntlm_v2(int flags)
 {
-    const char *user = "foo", 
+    const char *user = "foo",
 	*domain = "mydomain",
 	*password = "digestpassword";
     OM_uint32 maj_stat, min_stat;
@@ -186,7 +184,7 @@ test_libntlm_v2(int flags)
     struct ntlm_type3 type3;
     struct ntlm_buf data;
     krb5_error_code ret;
-    
+
     memset(&type1, 0, sizeof(type1));
     memset(&type2, 0, sizeof(type2));
     memset(&type3, 0, sizeof(type3));
@@ -247,7 +245,7 @@ test_libntlm_v2(int flags)
 	heim_ntlm_calculate_ntlm2(key.data, key.length,
 				  user,
 				  type2.targetname,
-				  type2.challange,
+				  type2.challenge,
 				  &type2.targetinfo,
 				  ntlmv2,
 				  &type3.ntlm);
@@ -317,7 +315,7 @@ main(int argc, char **argv)
 
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
 	usage(1);
-    
+
     if (help_flag)
 	usage (0);
 
diff --git a/lib/gssapi/test_oid.c b/lib/gssapi/test_oid.c
index 3beb30cb0a21..db5b7f7d11b8 100644
--- a/lib/gssapi/test_oid.c
+++ b/lib/gssapi/test_oid.c
@@ -1,46 +1,46 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden). 
- * All rights reserved. 
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
  *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
  *
- * 1. Redistributions of source code must retain the above copyright 
- *    notice, this list of conditions and the following disclaimer. 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
  *
- * 2. Redistributions in binary form must reproduce the above copyright 
- *    notice, this list of conditions and the following disclaimer in the 
- *    documentation and/or other materials provided with the distribution. 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- * 3. Neither the name of the Institute nor the names of its contributors 
- *    may be used to endorse or promote products derived from this software 
- *    without specific prior written permission. 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
- * SUCH DAMAGE. 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
 
+#include <roken.h>
 #include <stdio.h>
 #include <gssapi.h>
+#include <gssapi_krb5.h>
+#include <gssapi_spnego.h>
 #include <err.h>
-#include <roken.h>
-
-RCSID("$Id: test_oid.c 20488 2007-04-21 06:29:11Z lha $");
 
 int
 main(int argc, char **argv)
@@ -53,7 +53,7 @@ main(int argc, char **argv)
     if (GSS_ERROR(maj_stat))
 	errx(1, "gss_oid_to_str failed");
 
-    ret = strcmp(data.value, "1 2 840 113554 1 2 2");
+    ret = strncmp(data.value, "1 2 840 113554 1 2 2", data.length);
     gss_release_buffer(&maj_stat, &data);
     if (ret)
 	return 1;
@@ -62,7 +62,7 @@ main(int argc, char **argv)
     if (GSS_ERROR(maj_stat))
 	errx(1, "gss_oid_to_str failed");
 
-    ret = strcmp(data.value, "1 3 6 1 5 6 4");
+    ret = strncmp(data.value, "1 3 6 1 5 6 4", data.length);
     gss_release_buffer(&maj_stat, &data);
     if (ret)
 	return 1;
diff --git a/lib/gssapi/version-script.map b/lib/gssapi/version-script.map
index 43ea73fdb094..bcb79bf8f76e 100644
--- a/lib/gssapi/version-script.map
+++ b/lib/gssapi/version-script.map
@@ -1,96 +1,195 @@
-# $Id: version-script.map 20493 2007-04-21 07:56:20Z lha $
+# $Id$
 
-HEIMDAL_GSS_1.0 {
+HEIMDAL_GSS_2.0 {
 	global:
-		GSS_KRB5_MECHANISM;
-		GSS_NTLM_MECHANISM;
-		GSS_SPNEGO_MECHANISM;
-		GSS_SASL_DIGEST_MD5_MECHANISM;
-		GSS_C_NT_ANONYMOUS;
-		GSS_C_NT_EXPORT_NAME;
-		GSS_C_NT_HOSTBASED_SERVICE;
-		GSS_C_NT_HOSTBASED_SERVICE_X;
-		GSS_C_NT_MACHINE_UID_NAME;
-		GSS_C_NT_STRING_UID_NAME;
-		GSS_C_NT_USER_NAME;
-		GSS_KRB5_NT_PRINCIPAL_NAME;
-		GSS_KRB5_NT_USER_NAME;
-		GSS_KRB5_NT_MACHINE_UID_NAME;
-		GSS_KRB5_NT_STRING_UID_NAME;
-		gss_acquire_cred;
-		gss_release_cred;
-		gss_init_sec_context;
+#		__gss_c_nt_anonymous;
+		__gss_c_nt_anonymous_oid_desc;
+		__gss_c_nt_export_name_oid_desc;
+		__gss_c_nt_hostbased_service_oid_desc;
+		__gss_c_nt_hostbased_service_x_oid_desc;
+		__gss_c_nt_machine_uid_name_oid_desc;
+		__gss_c_nt_string_uid_name_oid_desc;
+		__gss_c_nt_user_name_oid_desc;
+		__gss_krb5_nt_principal_name_oid_desc;
+		__gss_c_attr_stream_sizes_oid_desc;
+		__gss_c_cred_password_oid_desc;
+		__gss_c_cred_certificate_oid_desc;
+		__gss_c_attr_local_login_user;
 		gss_accept_sec_context;
-		gss_process_context_token;
-		gss_delete_sec_context;
-		gss_context_time;
-		gss_get_mic;
-		gss_verify_mic;
-		gss_wrap;
-		gss_unwrap;
-		gss_display_status;
-		gss_indicate_mechs;
+		gss_acquire_cred;
+		gss_acquire_cred_with_password;
+		gss_add_buffer_set_member;
+		gss_add_cred;
+		gss_add_cred_with_password;
+		gss_add_oid_set_member;
+		gss_authorize_localname;
+		gss_canonicalize_name;
 		gss_compare_name;
+		gss_context_query_attributes;
+		gss_context_time;
+		gss_create_empty_buffer_set;
+		gss_create_empty_oid_set;
+		gss_decapsulate_token;
+		gss_delete_name_attribute;
+		gss_delete_sec_context;
 		gss_display_name;
-		gss_import_name;
+		gss_display_name_ext;
+		gss_display_status;
+		gss_duplicate_name;
+		gss_duplicate_oid;
+		gss_encapsulate_token;
+		gss_export_cred;
 		gss_export_name;
-		gss_release_name;
-		gss_release_buffer;
-		gss_release_oid_set;
-		gss_inquire_cred;
-		gss_inquire_context;
-		gss_wrap_size_limit;
-		gss_add_cred;
-		gss_inquire_cred_by_mech;
+		gss_export_name_composite;
 		gss_export_sec_context;
+		gss_get_mic;
+		gss_get_name_attribute;
+		gss_import_cred;
+		gss_import_name;
 		gss_import_sec_context;
-		gss_create_empty_oid_set;
-		gss_add_oid_set_member;
-		gss_test_oid_set_member;
-		gss_inquire_names_for_mech;
+		gss_indicate_mechs;
+		gss_init_sec_context;
+		gss_inquire_context;
+		gss_inquire_cred;
+		gss_inquire_cred_by_mech;
+		gss_inquire_cred_by_oid;
 		gss_inquire_mechs_for_name;
-		gss_canonicalize_name;
-		gss_duplicate_name;
-		gss_duplicate_oid;
-		gss_release_oid;
-		gss_oid_to_str;
+		gss_inquire_name;
+		gss_inquire_names_for_mech;
 		gss_inquire_sec_context_by_oid;
-		gss_set_sec_context_option;
-		gss_set_cred_option;
-		gss_oid_equal;
-		gss_create_empty_buffer_set;
-		gss_add_buffer_set_member;
-		gss_release_buffer_set;
-		gss_inquire_cred_by_oid;
-		gss_pseudo_random;
-		gss_sign;
-		gss_verify;
-		gss_seal;
-		gss_unseal;
 		gss_inquire_sec_context_by_oid;
-		gss_encapsulate_token;
-		gss_decapsulate_token;
 		gss_krb5_ccache_name;
-		gsskrb5_register_acceptor_identity;
 		gss_krb5_copy_ccache;
-		gss_krb5_import_cred;
+		gss_krb5_export_lucid_sec_context;
+		gss_krb5_free_lucid_sec_context;
 		gss_krb5_get_tkt_flags;
-		gsskrb5_extract_authz_data_from_sec_context;
-		gsskrb5_set_dns_canonicalize;
-		gsskrb5_set_send_to_kdc;
-		gsskrb5_set_default_realm;
+		gss_krb5_import_cred;
+		gss_krb5_set_allowable_enctypes;
+		gss_mg_collect_error;
+		gss_oid_equal;
+		gss_oid_to_str;
+		gss_pname_to_uid;
+		gss_process_context_token;
+		gss_pseudo_random;
+		gss_release_buffer;
+		gss_release_buffer_set;
+		gss_release_cred;
+		gss_release_iov_buffer;
+		gss_release_name;
+		gss_release_oid;
+		gss_release_oid_set;
+		gss_seal;
+		gss_set_cred_option;
+		gss_set_name_attribute;
+		gss_set_sec_context_option;
+		gss_sign;
+		gss_store_cred;
+		gss_test_oid_set_member;
+		gss_unseal;
+		gss_unwrap;
+		gss_unwrap_iov;
+		gss_userok;
+		gss_verify;
+		gss_verify_mic;
+		gss_wrap;
+		gss_wrap_iov;
+		gss_wrap_iov_length;
+		gss_wrap_size_limit;
 		gsskrb5_extract_authtime_from_sec_context;
+		gsskrb5_extract_authz_data_from_sec_context;
 		gsskrb5_extract_service_keyblock;
 		gsskrb5_get_initiator_subkey;
 		gsskrb5_get_subkey;
-		gss_krb5_export_lucid_sec_context;
-		gss_krb5_free_lucid_sec_context;
-		gss_krb5_set_allowable_enctypes;
+		gsskrb5_get_time_offset;
+		gsskrb5_register_acceptor_identity;
+		gsskrb5_set_default_realm;
+		gsskrb5_set_dns_canonicalize;
+		gsskrb5_set_send_to_kdc;
+		gsskrb5_set_time_offset;
+		krb5_gss_register_acceptor_identity;
+		gss_display_mech_attr;
+		gss_inquire_attrs_for_mech;
+		gss_indicate_mechs_by_attrs;
+		gss_inquire_mech_for_saslname;
+		gss_inquire_saslname_for_mech;
+		gss_mo_get;
+		gss_mo_set;
+		gss_mo_list;
+		gss_mo_name;
+		gss_name_to_oid;
+		gss_oid_to_name;
 
 		# _gsskrb5cfx_ are really internal symbols, but export
 		# then now to make testing easier.
-		_gsskrb5cfx_max_wrap_length_cfx;
 		_gsskrb5cfx_wrap_length_cfx;
+		_gssapi_wrap_size_cfx;
+
+		__gss_krb5_copy_ccache_x_oid_desc;
+		__gss_krb5_get_tkt_flags_x_oid_desc;
+		__gss_krb5_extract_authz_data_from_sec_context_x_oid_desc;
+		__gss_krb5_compat_des3_mic_x_oid_desc;
+		__gss_krb5_register_acceptor_identity_x_oid_desc;
+		__gss_krb5_export_lucid_context_x_oid_desc;
+		__gss_krb5_export_lucid_context_v1_x_oid_desc;
+		__gss_krb5_set_dns_canonicalize_x_oid_desc;
+		__gss_krb5_get_subkey_x_oid_desc;
+		__gss_krb5_get_initiator_subkey_x_oid_desc;
+		__gss_krb5_get_acceptor_subkey_x_oid_desc;
+		__gss_krb5_send_to_kdc_x_oid_desc;
+		__gss_krb5_get_authtime_x_oid_desc;
+		__gss_krb5_get_service_keyblock_x_oid_desc;
+		__gss_krb5_set_allowable_enctypes_x_oid_desc;
+		__gss_krb5_set_default_realm_x_oid_desc;
+		__gss_krb5_ccache_name_x_oid_desc;
+		__gss_krb5_set_time_offset_x_oid_desc;
+		__gss_krb5_get_time_offset_x_oid_desc;
+		__gss_krb5_plugin_register_x_oid_desc;
+		__gss_ntlm_get_session_key_x_oid_desc;
+		__gss_c_nt_ntlm_oid_desc;
+		__gss_c_nt_dn_oid_desc;
+		__gss_krb5_nt_principal_name_referral_oid_desc;
+		__gss_c_ntlm_avguest_oid_desc;
+		__gss_c_ntlm_v1_oid_desc;
+		__gss_c_ntlm_v2_oid_desc;
+		__gss_c_ntlm_session_key_oid_desc;
+		__gss_c_ntlm_force_v1_oid_desc;
+		__gss_krb5_cred_no_ci_flags_x_oid_desc;
+		__gss_krb5_import_cred_x_oid_desc;
+		__gss_c_ma_sasl_mech_name_oid_desc;
+		__gss_c_ma_mech_name_oid_desc;
+		__gss_c_ma_mech_description_oid_desc;
+		__gss_sasl_digest_md5_mechanism_oid_desc;
+		__gss_krb5_mechanism_oid_desc;
+		__gss_ntlm_mechanism_oid_desc;
+		__gss_spnego_mechanism_oid_desc;
+		__gss_c_peer_has_updated_spnego_oid_desc;
+		__gss_c_ma_mech_concrete_oid_desc;
+		__gss_c_ma_mech_pseudo_oid_desc;
+		__gss_c_ma_mech_composite_oid_desc;
+		__gss_c_ma_mech_nego_oid_desc;
+		__gss_c_ma_mech_glue_oid_desc;
+		__gss_c_ma_not_mech_oid_desc;
+		__gss_c_ma_deprecated_oid_desc;
+		__gss_c_ma_not_dflt_mech_oid_desc;
+		__gss_c_ma_itok_framed_oid_desc;
+		__gss_c_ma_auth_init_oid_desc;
+		__gss_c_ma_auth_targ_oid_desc;
+		__gss_c_ma_auth_init_init_oid_desc;
+		__gss_c_ma_auth_targ_init_oid_desc;
+		__gss_c_ma_auth_init_anon_oid_desc;
+		__gss_c_ma_auth_targ_anon_oid_desc;
+		__gss_c_ma_deleg_cred_oid_desc;
+		__gss_c_ma_integ_prot_oid_desc;
+		__gss_c_ma_conf_prot_oid_desc;
+		__gss_c_ma_mic_oid_desc;
+		__gss_c_ma_wrap_oid_desc;
+		__gss_c_ma_prot_ready_oid_desc;
+		__gss_c_ma_replay_det_oid_desc;
+		__gss_c_ma_oos_det_oid_desc;
+		__gss_c_ma_cbindings_oid_desc;
+		__gss_c_ma_pfs_oid_desc;
+		__gss_c_ma_compress_oid_desc;
+		__gss_c_ma_ctx_trans_oid_desc;
 
 	local:
 		*;