author | gtb <none@none> | 2005-10-28 15:16:31 -0700 |
---|---|---|
committer | gtb <none@none> | 2005-10-28 15:16:31 -0700 |
commit | 505d05c73a6e56769f263d4803b22eddd168ee24 (patch) | |
tree | 8f3fe143e21d6f798e36d21d8bf07f041818e7bc | |
parent | 62685e53ddb6bda5735a5839221e334bfc1532c0 (diff) | |
download | illumos-gate-505d05c73a6e56769f263d4803b22eddd168ee24.tar.gz |
6224704 core kerberos mechanism resync with MIT 1.4
--HG--
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc-proto.h => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc-proto.h
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc.h => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc.h
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_close.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_close.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_defops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_defops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_destry.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_destry.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_errs.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_errs.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_eseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_eseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gennew.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gennew.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_getnam.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_getnam.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gprin.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gprin.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_init.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_init.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_maybe.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_maybe.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_nseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_nseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_ops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_ops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_read.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_read.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_reslv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_reslv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_retrv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_retrv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sflags.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sflags.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_skip.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_skip.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_store.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_store.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_write.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_write.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc-proto.h => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc-proto.h
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc.h => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc.h
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_close.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_close.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_destry.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_destry.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_eseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_eseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gennew.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gennew.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_getnam.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_getnam.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gprin.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gprin.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_init.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_init.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_nseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_nseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_ops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_ops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_reslv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_reslv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_retrv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_retrv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sflags.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sflags.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_store.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_store.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc-proto.h => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc-proto.h
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc.h => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc.h
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_close.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_close.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_defops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_defops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_destry.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_destry.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_errs.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_errs.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_eseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_eseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gennew.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gennew.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_getnam.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_getnam.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gprin.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gprin.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_init.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_init.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_maybe.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_maybe.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_nseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_nseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_ops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_ops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_read.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_read.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_reslv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_reslv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_retrv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_retrv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sflags.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sflags.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_skip.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_skip.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sseq.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sseq.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_store.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_store.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_write.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_write.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_add.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_add.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_close.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_close.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_defops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_defops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_endget.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_endget.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_ent.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_ent.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_name.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_name.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_next.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_next.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_remove.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_remove.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_resolv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_resolv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ssget.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ssget.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_util.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_util.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wops.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wops.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wreslv.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wreslv.c
rename : usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ser_ktf.c => deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ser_ktf.c
361 files changed, 17242 insertions, 7620 deletions
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc-proto.h b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc-proto.h
index 6a453b7b1c..6a453b7b1c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc-proto.h
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc-proto.h
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc.h b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc.h
index 0fbebbb8b1..0fbebbb8b1 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc.h
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc.h
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_close.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_close.c
index 734637b1ba..734637b1ba 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_close.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_close.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_defops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_defops.c
index 269b6886bb..269b6886bb 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_defops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_defops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_destry.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_destry.c
index 3c0c6f6ae3..3c0c6f6ae3 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_destry.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_destry.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_errs.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_errs.c
index acfdb9292f..acfdb9292f 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_errs.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_errs.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_eseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_eseq.c
index 7d1d5b55b3..7d1d5b55b3 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_eseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_eseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gennew.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gennew.c
index c8c2bcd275..c8c2bcd275 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gennew.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gennew.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_getnam.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_getnam.c
index 913409a142..913409a142 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_getnam.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_getnam.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gprin.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gprin.c
index 1f44d327e5..1f44d327e5 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gprin.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_gprin.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_init.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_init.c
index 34f5a1b4dc..34f5a1b4dc 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_init.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_init.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_maybe.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_maybe.c
index 696d3426fe..696d3426fe 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_maybe.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_maybe.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_nseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_nseq.c
index c50f8309ef..c50f8309ef 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_nseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_nseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_ops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_ops.c
index 65e892c524..65e892c524 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_ops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_ops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_read.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_read.c
index a910f0d4da..a910f0d4da 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_read.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_read.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_reslv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_reslv.c
index de53d74abe..de53d74abe 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_reslv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_reslv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_retrv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_retrv.c
index 3f9e3cd9a7..3f9e3cd9a7 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_retrv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_retrv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sflags.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sflags.c
index 2ed7477283..2ed7477283 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sflags.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sflags.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_skip.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_skip.c
index 17ac6e745c..17ac6e745c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_skip.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_skip.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sseq.c
index 2e6e052007..2e6e052007 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_sseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_store.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_store.c
index 71b78e7e0e..71b78e7e0e 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_store.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_store.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_write.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_write.c
index 744faa97fb..744faa97fb 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_write.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/file/fcc_write.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc-proto.h b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc-proto.h
index b7bf09fdd5..b7bf09fdd5 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc-proto.h
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc-proto.h
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc.h b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc.h
index 7e9ca18766..7e9ca18766 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc.h
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc.h
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_close.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_close.c
index 079a399fa8..079a399fa8 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_close.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_close.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_destry.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_destry.c
index edf02efe5c..edf02efe5c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_destry.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_destry.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_eseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_eseq.c
index 27f372621f..27f372621f 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_eseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_eseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gennew.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gennew.c
index 884fae8ca3..884fae8ca3 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gennew.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gennew.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_getnam.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_getnam.c
index 427f49b045..427f49b045 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_getnam.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_getnam.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gprin.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gprin.c
index 6778c1ffc0..6778c1ffc0 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gprin.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_gprin.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_init.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_init.c
index a1cf027b4c..a1cf027b4c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_init.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_init.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_nseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_nseq.c
index ae6369e704..ae6369e704 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_nseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_nseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_ops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_ops.c
index 74d1c320dc..74d1c320dc 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_ops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_ops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_reslv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_reslv.c
index b542d1e4cb..b542d1e4cb 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_reslv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_reslv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_retrv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_retrv.c
index ef281b3fef..ef281b3fef 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_retrv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_retrv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sflags.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sflags.c
index dfb811ba2e..dfb811ba2e 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sflags.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sflags.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sseq.c
index 41087bfa44..41087bfa44 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_sseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_store.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_store.c
index 4642902317..4642902317 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_store.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/memory/mcc_store.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc-proto.h b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc-proto.h
index c15d0c70c1..c15d0c70c1 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc-proto.h
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc-proto.h
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc.h b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc.h
index e357420789..e357420789 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc.h
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc.h
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_close.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_close.c
index 7dd0f23b79..7dd0f23b79 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_close.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_close.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_defops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_defops.c
index c92ddb869f..c92ddb869f 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_defops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_defops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_destry.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_destry.c
index 6218c5ab2f..6218c5ab2f 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_destry.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_destry.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_errs.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_errs.c
index 921f76780b..921f76780b 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_errs.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_errs.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_eseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_eseq.c
index 3ee8688d49..3ee8688d49 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_eseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_eseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gennew.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gennew.c
index fe21207a38..fe21207a38 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gennew.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gennew.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_getnam.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_getnam.c
index 363233ae1f..363233ae1f 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_getnam.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_getnam.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gprin.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gprin.c
index 2767e43c70..2767e43c70 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gprin.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_gprin.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_init.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_init.c
index 6167dac9a7..6167dac9a7 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_init.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_init.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_maybe.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_maybe.c
index 1855988d61..1855988d61 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_maybe.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_maybe.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_nseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_nseq.c
index 90a5447264..90a5447264 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_nseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_nseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_ops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_ops.c
index d85dd05c32..d85dd05c32 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_ops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_ops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_read.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_read.c
index 8a9d05026f..8a9d05026f 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_read.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_read.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_reslv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_reslv.c
index 5a9ebdffd2..5a9ebdffd2 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_reslv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_reslv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_retrv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_retrv.c
index f8c641047c..f8c641047c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_retrv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_retrv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sflags.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sflags.c
index 8a2ff3c70b..8a2ff3c70b 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sflags.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sflags.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_skip.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_skip.c
index 79f17e1a8e..79f17e1a8e 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_skip.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_skip.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sseq.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sseq.c
index ed991f6475..ed991f6475 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sseq.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_sseq.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_store.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_store.c
index 93e83b1080..93e83b1080 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_store.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_store.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_write.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_write.c
index 277044c644..277044c644 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_write.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/scc_write.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_add.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_add.c
index ae075c1c36..ae075c1c36 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_add.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_add.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_close.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_close.c
index 00da3981c1..00da3981c1 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_close.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_close.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_defops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_defops.c
index 014dcc5c32..014dcc5c32 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_defops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_defops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_endget.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_endget.c
index 4eb7082d24..4eb7082d24 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_endget.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_endget.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_ent.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_ent.c
index bb3565727a..bb3565727a 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_ent.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_ent.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_name.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_name.c
index 7f2b46be38..7f2b46be38 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_name.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_g_name.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_next.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_next.c
index 8b4ef69deb..8b4ef69deb 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_next.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_next.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ops.c
index 73fd36dd4d..73fd36dd4d 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_remove.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_remove.c
index 7ab6562378..7ab6562378 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_remove.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_remove.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_resolv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_resolv.c
index 308997ab21..308997ab21 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_resolv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_resolv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ssget.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ssget.c
index e405acbdf4..e405acbdf4 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ssget.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_ssget.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_util.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_util.c
index d2a923117c..d2a923117c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_util.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_util.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wops.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wops.c
index 3395dea979..3395dea979 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wops.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wops.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wreslv.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wreslv.c
index 577106ed0c..577106ed0c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wreslv.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ktf_wreslv.c
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ser_ktf.c b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ser_ktf.c
index fe11ed9924..fe11ed9924 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ser_ktf.c
+++ b/deleted_files/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/file/ser_ktf.c diff --git a/usr/src/cmd/krb5/kadmin/dbutil/dump.c b/usr/src/cmd/krb5/kadmin/dbutil/dump.c index 787a66fa0f..034c98f087 100644 --- a/usr/src/cmd/krb5/kadmin/dbutil/dump.c +++ b/usr/src/cmd/krb5/kadmin/dbutil/dump.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -121,44 +121,44 @@ struct dump_args { }; static krb5_error_code dump_k5beta_iterator -PROTOTYPE((krb5_pointer, - krb5_db_entry *)); +(krb5_pointer, + krb5_db_entry *); static krb5_error_code dump_k5beta6_iterator -PROTOTYPE((krb5_pointer, - krb5_db_entry *)); +(krb5_pointer, + krb5_db_entry *); static krb5_error_code dump_iprop_iterator -PROTOTYPE((krb5_pointer, - krb5_db_entry *)); +(krb5_pointer, + krb5_db_entry *); static krb5_error_code dump_k5beta7_princ -PROTOTYPE((krb5_pointer, - krb5_db_entry *)); +(krb5_pointer, + krb5_db_entry *); static krb5_error_code dump_iprop_princ -PROTOTYPE((krb5_pointer, - krb5_db_entry *)); +(krb5_pointer, + krb5_db_entry *); static krb5_error_code dump_ov_princ -PROTOTYPE((krb5_pointer, - krb5_db_entry *)); -static void dump_k5beta7_policy PROTOTYPE((void *, osa_policy_ent_t)); +(krb5_pointer, + krb5_db_entry *); +static void dump_k5beta7_policy (void *, osa_policy_ent_t); typedef -krb5_error_code(*dump_func) PROTOTYPE((krb5_pointer, - krb5_db_entry *)); +krb5_error_code(*dump_func) (krb5_pointer, + krb5_db_entry *); static int process_k5beta_record -PROTOTYPE((char *, krb5_context, - FILE *, int, int *, void *)); +(char *, krb5_context, + FILE *, int, int *, void *); static int process_k5beta6_record -PROTOTYPE((char *, krb5_context, - FILE *, int, int *, void *)); +(char *, krb5_context, + FILE *, int, int *, void *); static int process_k5beta7_record -PROTOTYPE((char *, krb5_context, - FILE *, int, int *, void *)); +(char *, krb5_context, + FILE *, int, int *, void *); static int process_ov_record -PROTOTYPE((char *, krb5_context, - FILE *, int, int *, void *)); +(char *, krb5_context, + FILE *, int, int *, void *); typedef -krb5_error_code(*load_func) PROTOTYPE((char *, krb5_context, - FILE *, int, int *, void *)); +krb5_error_code(*load_func) (char *, krb5_context, + FILE *, int, int *, void *); typedef struct _dump_version { char *name; 
diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c index f98f6cd98c..a29b2bbfd6 100644 --- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c +++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_stash.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -132,7 +132,7 @@ char *argv[]; } } - if (!valid_enctype(global_params.enctype)) { + if (!krb5_c_valid_enctype(global_params.enctype)) { char tmp[32]; if (krb5_enctype_to_string(global_params.enctype, diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c index 67977cb728..c0d1a141d8 100644 --- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c +++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.c @@ -288,7 +288,7 @@ main(argc, argv) (void) memset(&master_key, 0, sizeof (krb5_keyblock)); if ((global_params.enctype != ENCTYPE_UNKNOWN) && - (!valid_enctype(global_params.enctype))) { + (!krb5_c_valid_enctype(global_params.enctype))) { com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, gettext("while setting up enctype %d"), global_params.enctype); } @@ -441,7 +441,7 @@ open_db_and_mkey() /* If no encryption type is set, use the default */ if (global_params.enctype == ENCTYPE_UNKNOWN) { global_params.enctype = DEFAULT_KDC_ENCTYPE; - if (!valid_enctype(global_params.enctype)) + if (!krb5_c_valid_enctype(global_params.enctype)) com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, gettext("while setting up enctype %d"), global_params.enctype); diff --git a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h index 8266484161..84643664a3 100644 --- a/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h +++ b/usr/src/cmd/krb5/kadmin/dbutil/kdb5_util.h 
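Review bot: In the `main` hunk of kdb5_util.c (-288), a `global_params.enctype` that fails `krb5_c_valid_enctype()` is only reported through `com_err`; the braces close right after the message and nothing in the hunk stops the run, so as far as these lines show the tool carries on with an enctype the crypto library does not support. The `open_db_and_mkey` hunk (-441) has the same shape for the `DEFAULT_KDC_ENCTYPE` fallback. Unless a later check outside the hunks rejects the value, I would make the failure fatal where it is detected, for example by adding `exit(1);` after the `com_err` call in `main` and returning an error from `open_db_and_mkey`. Both function bodies continue outside the hunks, so the absence of a later check is inferred rather than confirmed.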
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -63,24 +63,24 @@ extern char *progname; extern char *Err_no_database; void add_key -PROTOTYPE((char const *, char const *, +(char const *, char const *, krb5_const_principal, const krb5_keyblock *, - krb5_kvno, krb5_keysalt *)); + krb5_kvno, krb5_keysalt *); int set_dbname_help - PROTOTYPE((char *, char *)); + (char *, char *); -char *kdb5_util_Init PROTOTYPE((int, char **)); +char *kdb5_util_Init (int, char **); int quit(); int check_for_match - PROTOTYPE((char *, int, krb5_db_entry *, int, int)); + (char *, int, krb5_db_entry *, int, int); void parse_token - PROTOTYPE((char *, int *, int *, char *)); + (char *, int *, int *, char *); int create_db_entry - PROTOTYPE((krb5_principal, krb5_db_entry *)); + (krb5_principal, krb5_db_entry *); #ifdef __cplusplus } diff --git a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h index 63137abcc5..3cdd5d1d4d 100644 --- a/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h +++ b/usr/src/cmd/krb5/kadmin/ktutil/ktutil.h 
@@ -51,40 +51,40 @@ typedef struct _krb5_kt_list { } *krb5_kt_list; krb5_error_code ktutil_free_kt_list -KRB5_PROTOTYPE((krb5_context, - krb5_kt_list)); +(krb5_context, + krb5_kt_list); krb5_error_code ktutil_delete -KRB5_PROTOTYPE((krb5_context, +(krb5_context, krb5_kt_list *, - int)); + int); krb5_error_code ktutil_add - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_kt_list *, char *, krb5_kvno, char *, - int)); + int); krb5_error_code ktutil_read_keytab -KRB5_PROTOTYPE((krb5_context, +(krb5_context, char *, - krb5_kt_list *)); + krb5_kt_list *); krb5_error_code ktutil_write_keytab -KRB5_PROTOTYPE((krb5_context, +(krb5_context, krb5_kt_list, - char *)); + char *); #ifdef KRB5_KRB4_COMPAT krb5_error_code ktutil_read_srvtab -KRB5_PROTOTYPE((krb5_context, +(krb5_context, char *, - krb5_kt_list *)); + krb5_kt_list *); krb5_error_code ktutil_write_srvtab -KRB5_PROTOTYPE((krb5_context, +(krb5_context, krb5_kt_list, - char *)); + char *); #endif diff --git a/usr/src/cmd/krb5/klist/klist.c b/usr/src/cmd/krb5/klist/klist.c index ba8b481722..9e1e938c30 100644 --- a/usr/src/cmd/krb5/klist/klist.c +++ b/usr/src/cmd/krb5/klist/klist.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" 
@@ -73,20 +73,20 @@ size_t timestamp_width; krb5_context kcontext; -char * etype_string KRB5_PROTOTYPE((krb5_enctype )); -void show_credential KRB5_PROTOTYPE((char *, +char * etype_string (krb5_enctype ); +void show_credential (char *, krb5_context, - krb5_creds *)); + krb5_creds *); -void do_ccache KRB5_PROTOTYPE((char *)); -void do_keytab KRB5_PROTOTYPE((char *)); -void printtime KRB5_PROTOTYPE((time_t)); -void one_addr KRB5_PROTOTYPE((krb5_address *)); -void fillit KRB5_PROTOTYPE((FILE *, int, int)); +void do_ccache (char *); +void do_keytab (char *); +void printtime (time_t); +void one_addr (krb5_address *); +void fillit (FILE *, int, int); void show_addr(krb5_address *a); #ifdef KRB5_KRB4_COMPAT -void do_v4_ccache KRB5_PROTOTYPE((char *)); +void do_v4_ccache (char *); #endif /* KRB5_KRB4_COMPAT */ #define DEFAULT 0 diff --git a/usr/src/cmd/krb5/krb5kdc/do_as_req.c b/usr/src/cmd/krb5/krb5kdc/do_as_req.c index 576d3643d8..6e715caa69 100644 --- a/usr/src/cmd/krb5/krb5kdc/do_as_req.c +++ b/usr/src/cmd/krb5/krb5kdc/do_as_req.c @@ -52,10 +52,10 @@ #include "adm_proto.h" #include "extern.h" -static krb5_error_code prepare_error_as PROTOTYPE((krb5_kdc_req *, +static krb5_error_code prepare_error_as (krb5_kdc_req *, int, krb5_data *, - krb5_data **)); + krb5_data **); /*ARGSUSED*/ krb5_error_code @@ -367,7 +367,7 @@ krb5_data **response; /* filled in with a response packet */ client_key = (krb5_key_data *) NULL; for (i = 0; i < request->nktypes; i++) { useenctype = request->ktype[i]; - if (!valid_enctype(useenctype)) + if (!krb5_c_valid_enctype(useenctype)) continue; if (!krb5_dbe_find_enctype(kdc_context, &client, useenctype, -1, @@ -554,9 +554,9 @@ krb5_data **response; retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) - free(scratch); - else - *response = scratch; - + free(scratch); + else + *response = scratch; + return retval; } 
diff --git a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c index ad531d1468..d09b29fedf 100644 --- a/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c +++ b/usr/src/cmd/krb5/krb5kdc/do_tgs_req.c @@ -53,19 +53,19 @@ extern krb5_error_code setup_server_realm(krb5_principal); -static void find_alternate_tgs PROTOTYPE((krb5_kdc_req *, +static void find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *, krb5_boolean *, int *, const krb5_fulladdr *, int, - char *)); + char *); -static krb5_error_code prepare_error_tgs PROTOTYPE((krb5_kdc_req *, +static krb5_error_code prepare_error_tgs (krb5_kdc_req *, krb5_ticket *, int, const char *, - krb5_data **)); + krb5_data **); /*ARGSUSED*/ krb5_error_code @@ -254,7 +254,7 @@ tgt_again: } etype = request->second_ticket[st_idx]->enc_part2->session->enctype; - if (!valid_enctype(etype)) { + if (!krb5_c_valid_enctype(etype)) { status = "BAD_ETYPE_IN_2ND_TKT"; errcode = KRB5KDC_ERR_ETYPE_NOSUPP; goto cleanup; @@ -741,10 +741,10 @@ krb5_data **response; retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) - free(scratch); + free(scratch); else - *response = scratch; - + *response = scratch; + return retval; } diff --git a/usr/src/cmd/krb5/krb5kdc/kdc_util.c b/usr/src/cmd/krb5/krb5kdc/kdc_util.c index 9ab7abafcf..9424a3fb09 100644 --- a/usr/src/cmd/krb5/krb5kdc/kdc_util.c +++ b/usr/src/cmd/krb5/krb5kdc/kdc_util.c @@ -182,11 +182,11 @@ comp_cksum(kcontext, source, ticket, his_cksum) krb5_error_code retval; krb5_boolean valid; - if (!valid_cksumtype(his_cksum->checksum_type)) + if (!krb5_c_valid_cksumtype(his_cksum->checksum_type)) return KRB5KDC_ERR_SUMTYPE_NOSUPP; /* must be collision proof */ - if (!is_coll_proof_cksum(his_cksum->checksum_type)) + if (!krb5_c_is_coll_proof_cksum(his_cksum->checksum_type)) return KRB5KRB_AP_ERR_INAPP_CKSUM; /* verify checksum */ 
@@ -1464,7 +1464,7 @@ select_session_keytype(context, server, nktypes, ktype) krb5_enctype dfl = 0; for (i = 0; i < nktypes; i++) { - if (!valid_enctype(ktype[i])) + if (!krb5_c_valid_enctype(ktype[i])) continue; if (dbentry_supports_enctype(context, server, ktype[i])) diff --git a/usr/src/cmd/krb5/krb5kdc/kdc_util.h b/usr/src/cmd/krb5/krb5kdc/kdc_util.h index 9cd8944368..615b4558cb 100644 --- a/usr/src/cmd/krb5/krb5kdc/kdc_util.h +++ b/usr/src/cmd/krb5/krb5kdc/kdc_util.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -45,127 +45,127 @@ typedef struct _krb5_fulladdr { krb5_ui_4 port; } krb5_fulladdr; -krb5_error_code check_hot_list PROTOTYPE((krb5_ticket *)); -krb5_boolean realm_compare PROTOTYPE((krb5_principal, krb5_principal)); -krb5_boolean krb5_is_tgs_principal PROTOTYPE((krb5_principal)); -krb5_error_code add_to_transited PROTOTYPE((krb5_data *, +krb5_error_code check_hot_list (krb5_ticket *); +krb5_boolean realm_compare (krb5_principal, krb5_principal); +krb5_boolean krb5_is_tgs_principal (krb5_principal); +krb5_error_code add_to_transited (krb5_data *, krb5_data *, krb5_principal, krb5_principal, - krb5_principal)); -krb5_error_code compress_transited PROTOTYPE((krb5_data *, + krb5_principal); +krb5_error_code compress_transited (krb5_data *, krb5_principal, - krb5_data *)); -krb5_error_code concat_authorization_data PROTOTYPE((krb5_authdata **, + krb5_data *); +krb5_error_code concat_authorization_data (krb5_authdata **, krb5_authdata **, - krb5_authdata ***)); -krb5_error_code fetch_last_req_info PROTOTYPE((krb5_db_entry *, - krb5_last_req_entry ***)); + krb5_authdata ***); +krb5_error_code fetch_last_req_info (krb5_db_entry *, + krb5_last_req_entry ***); -krb5_error_code kdc_convert_key PROTOTYPE((krb5_keyblock *, +krb5_error_code kdc_convert_key (krb5_keyblock *, krb5_keyblock *, - int)); + int); krb5_error_code kdc_process_tgs_req - PROTOTYPE((krb5_kdc_req *, + (krb5_kdc_req *, const krb5_fulladdr *, krb5_data *, krb5_ticket **, - krb5_keyblock **)); + krb5_keyblock **); -krb5_error_code kdc_get_server_key PROTOTYPE((krb5_ticket *, +krb5_error_code kdc_get_server_key (krb5_ticket *, krb5_keyblock **, - krb5_kvno *)); + krb5_kvno *); -int validate_as_request PROTOTYPE((krb5_kdc_req *, krb5_db_entry, +int validate_as_request (krb5_kdc_req *, krb5_db_entry, krb5_db_entry, krb5_timestamp, - const char **)); + const char **); -int validate_tgs_request PROTOTYPE((krb5_kdc_req *, krb5_db_entry, +int validate_tgs_request (krb5_kdc_req *, krb5_db_entry, krb5_ticket *, 
krb5_timestamp, - const char **)); + const char **); -int fetch_asn1_field PROTOTYPE((unsigned char *, unsigned int, unsigned int, - krb5_data *)); +int fetch_asn1_field (unsigned char *, unsigned int, unsigned int, + krb5_data *); int -dbentry_has_key_for_enctype PROTOTYPE((krb5_context context, +dbentry_has_key_for_enctype (krb5_context context, krb5_db_entry *client, - krb5_enctype enctype)); + krb5_enctype enctype); int -dbentry_supports_enctype PROTOTYPE((krb5_context context, +dbentry_supports_enctype (krb5_context context, krb5_db_entry *client, - krb5_enctype enctype)); + krb5_enctype enctype); krb5_enctype -select_session_keytype PROTOTYPE((krb5_context context, +select_session_keytype (krb5_context context, krb5_db_entry *server, int nktypes, - krb5_enctype *ktypes)); + krb5_enctype *ktypes); krb5_error_code -get_salt_from_key PROTOTYPE((krb5_context, krb5_principal, - krb5_key_data *, krb5_data *)); +get_salt_from_key (krb5_context, krb5_principal, + krb5_key_data *, krb5_data *); -void limit_string PROTOTYPE((char *name)); +void limit_string (char *name); /* do_as_req.c */ -krb5_error_code process_as_req PROTOTYPE((krb5_kdc_req *, +krb5_error_code process_as_req (krb5_kdc_req *, const krb5_fulladdr *, int, - krb5_data ** )); + krb5_data ** ); /* do_tgs_req.c */ -krb5_error_code process_tgs_req PROTOTYPE((krb5_data *, +krb5_error_code process_tgs_req (krb5_data *, const krb5_fulladdr *, int, - krb5_data ** )); + krb5_data ** ); /* dispatch.c */ -krb5_error_code dispatch PROTOTYPE((krb5_data *, +krb5_error_code dispatch (krb5_data *, const krb5_fulladdr *, int, - krb5_data **)); + krb5_data **); /* main.c */ -krb5_error_code kdc_initialize_rcache PROTOTYPE((krb5_context, char *)); +krb5_error_code kdc_initialize_rcache (krb5_context, char *); -krb5_error_code setup_server_realm PROTOTYPE((krb5_principal)); +krb5_error_code setup_server_realm (krb5_principal); /* network.c */ -krb5_error_code listen_and_process PROTOTYPE((const char *)); -krb5_error_code 
setup_network PROTOTYPE((const char *)); -krb5_error_code closedown_network PROTOTYPE((const char *)); +krb5_error_code listen_and_process (const char *); +krb5_error_code setup_network (const char *); +krb5_error_code closedown_network (const char *); /* policy.c */ -int against_local_policy_as PROTOTYPE((krb5_kdc_req *, krb5_db_entry, +int against_local_policy_as (krb5_kdc_req *, krb5_db_entry, krb5_db_entry, krb5_timestamp, - const char **)); + const char **); -int against_local_policy_tgs PROTOTYPE((krb5_kdc_req *, krb5_db_entry, - krb5_ticket *, const char **)); +int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry, + krb5_ticket *, const char **); /* kdc_preauth.c */ const char * missing_required_preauth - PROTOTYPE((krb5_db_entry *client, krb5_db_entry *server, - krb5_enc_tkt_part *enc_tkt_reply)); -void get_preauth_hint_list PROTOTYPE((krb5_kdc_req * request, + (krb5_db_entry *client, krb5_db_entry *server, + krb5_enc_tkt_part *enc_tkt_reply); +void get_preauth_hint_list (krb5_kdc_req * request, krb5_db_entry *client, krb5_db_entry *server, - krb5_data *e_data)); + krb5_data *e_data); krb5_error_code check_padata - PROTOTYPE((krb5_context context, krb5_db_entry *client, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply)); + (krb5_context context, krb5_db_entry *client, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply); krb5_error_code return_padata - PROTOTYPE((krb5_context context, krb5_db_entry *client, + (krb5_context context, krb5_db_entry *client, krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, krb5_keyblock *encrypting_key)); + krb5_key_data *client_key, krb5_keyblock *encrypting_key); /* replay.c */ -krb5_boolean kdc_check_lookaside PROTOTYPE((krb5_data *, const krb5_fulladdr *, - krb5_data **)); -void kdc_insert_lookaside PROTOTYPE((krb5_data *, const krb5_fulladdr *, - krb5_data *)); +krb5_boolean kdc_check_lookaside (krb5_data *, const krb5_fulladdr *, + krb5_data **); +void kdc_insert_lookaside 
(krb5_data *, const krb5_fulladdr *, + krb5_data *); /* sock2p.c */ #ifndef HAVE_INET_NTOP @@ -183,10 +183,10 @@ extern void sockaddr2p (const struct sockaddr *, char *, size_t, int *); #define clear(flagfield, flag) (flagfield &= ~(flag)) #ifdef KRB5_KRB4_COMPAT -krb5_error_code process_v4 PROTOTYPE((const krb5_data *, +krb5_error_code process_v4 (const krb5_data *, const krb5_fulladdr *, int is_secondary, - krb5_data **)); + krb5_data **); #else #define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION #endif diff --git a/usr/src/cmd/krb5/krb5kdc/main.c b/usr/src/cmd/krb5/krb5kdc/main.c index 673888b5a8..0cf052f686 100644 --- a/usr/src/cmd/krb5/krb5kdc/main.c +++ b/usr/src/cmd/krb5/krb5kdc/main.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -53,20 +53,20 @@ #include <netinet/in.h> #endif -kdc_realm_t *find_realm_data PROTOTYPE((char *, krb5_ui_4)); +kdc_realm_t *find_realm_data (char *, krb5_ui_4); -void usage PROTOTYPE((char *)); +void usage (char *); -krb5_sigtype request_exit PROTOTYPE((int)); -krb5_sigtype request_hup PROTOTYPE((int)); +krb5_sigtype request_exit (int); +krb5_sigtype request_hup (int); -void setup_signal_handlers PROTOTYPE((void)); +void setup_signal_handlers (void); -krb5_error_code setup_sam PROTOTYPE((void)); +krb5_error_code setup_sam (void); -void initialize_realms PROTOTYPE((krb5_context, int, char **)); +void initialize_realms (krb5_context, int, char **); -void finish_realms PROTOTYPE((char *)); +void finish_realms (char *); static int nofork = 0; static int rkey_init_done = 0; diff --git a/usr/src/cmd/krb5/krb5kdc/policy.h b/usr/src/cmd/krb5/krb5kdc/policy.h index 052e65bbb2..02fe833bac 100644 --- a/usr/src/cmd/krb5/krb5kdc/policy.h +++ b/usr/src/cmd/krb5/krb5kdc/policy.h 
@@ -1,5 +1,5 @@ /* - * Copyright 1997-2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -43,12 +43,12 @@ extern "C" { */ -extern int against_postdate_policy PROTOTYPE((krb5_timestamp)); +extern int against_postdate_policy (krb5_timestamp); -extern int against_flag_policy_as PROTOTYPE((const krb5_kdc_req *)); +extern int against_flag_policy_as (const krb5_kdc_req *); -extern int against_flag_policy_tgs PROTOTYPE((const krb5_kdc_req *, - const krb5_ticket *)); +extern int against_flag_policy_tgs (const krb5_kdc_req *, + const krb5_ticket *); #ifdef __cplusplus } diff --git a/usr/src/cmd/krb5/slave/kprop.c b/usr/src/cmd/krb5/slave/kprop.c index 7ad65b8577..a4eb7e5a24 100644 --- a/usr/src/cmd/krb5/slave/kprop.c +++ b/usr/src/cmd/krb5/slave/kprop.c @@ -356,6 +356,11 @@ void get_tickets(context) } } +/* SUNW14resync - SOCKET is defed in 1.4 in port-sockets.h */ +#ifdef SOCKET +#undef SOCKET +#endif + krb5_error_code open_connection(host, fd, Errmsg, ErrmsgSz) char *host; diff --git a/usr/src/cmd/krb5/slave/kpropd.c b/usr/src/cmd/krb5/slave/kpropd.c index 7f37caced7..189a99929e 100644 --- a/usr/src/cmd/krb5/slave/kpropd.c +++ b/usr/src/cmd/krb5/slave/kpropd.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * * All rights reserved. @@ -66,9 +66,6 @@ #include <sys/file.h> #include <signal.h> #include <string.h> -#ifndef POSIX_TERMIOS -#include <sgtty.h> -#endif #include <fcntl.h> #include <sys/types.h> #include <sys/time.h> diff --git a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com index de39d73311..8a889eb5db 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com +++ b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com 
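Review bot: The `#ifdef SOCKET` / `#undef SOCKET` block added above `open_connection` in kprop.c drops a macro that, per its own comment, port-sockets.h defines, and it does so for the rest of the file without saying which identifier in kprop.c collides with it. Any later code in this file that expects the header's `SOCKET` would silently get a different meaning. I would either rename the local identifier so the header macro can stay, or make the comment state the clash, e.g. `/* SUNW14resync - port-sockets.h (MIT 1.4) defines SOCKET; kprop.c uses SOCKET as its own name below, so drop the header macro here */`. The use of `SOCKET` itself is outside the hunk, so the clash is inferred from the comment.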
@@ -97,37 +97,11 @@ K5_ASN1= asn1_decode.o asn1_k_decode.o asn1_encode.o \ asn1_k_encode.o asn1_misc.o # krb5/ccache -K5_CC= ccbase.o ccdefault.o ccdefops.o ser_cc.o cc_retr.o cccopy.o - -# krb5/ccache/file -K5_CC_FILE= \ - fcc_close.o fcc_destry.o fcc_eseq.o fcc_gennew.o fcc_getnam.o \ - fcc_gprin.o fcc_init.o fcc_nseq.o fcc_read.o fcc_reslv.o \ - fcc_retrv.o fcc_sseq.o fcc_store.o fcc_skip.o fcc_ops.o \ - fcc_write.o fcc_sflags.o fcc_defops.o fcc_errs.o fcc_maybe.o - -# krb5/ccache/memory -K5_CC_MEM= \ - mcc_close.o mcc_destry.o mcc_eseq.o mcc_gennew.o \ - mcc_getnam.o mcc_gprin.o mcc_init.o mcc_nseq.o \ - mcc_reslv.o mcc_retrv.o mcc_sseq.o mcc_store.o mcc_ops.o \ - mcc_sflags.o - -# krb5/ccache/stdio -K5_CC_STD= \ - scc_close.o scc_destry.o scc_eseq.o \ - scc_gennew.o scc_getnam.o scc_gprin.o scc_init.o \ - scc_nseq.o scc_read.o scc_reslv.o scc_retrv.o \ - scc_sseq.o scc_store.o scc_skip.o scc_ops.o scc_write.o \ - scc_sflags.o scc_defops.o scc_errs.o scc_maybe.o +K5_CC= cc_file.o cc_memory.o ccbase.o ccfns.o ccdefault.o ccdefops.o ser_cc.o cc_retr.o cccopy.o # krb5/keytab K5_KT= ktadd.o ktbase.o ktdefault.o ktfr_entry.o \ - ktremove.o read_servi.o - -K5_KT_FILE=ktf_add.o ktf_close.o ktf_endget.o ktf_g_ent.o ktf_g_name.o \ - ktf_next.o ktf_resolv.o ktf_remove.o ktf_ssget.o ktf_util.o \ - ktf_ops.o ktf_wops.o ktf_wreslv.o ktf_defops.o ser_ktf.o + ktremove.o read_servi.o kt_file.o kt_srvtab.o ktfns.o K5_KRB= addr_comp.o addr_order.o addr_srch.o \ auth_con.o bld_pr_ext.o bld_princ.o chk_trans.o \ @@ -141,7 +115,7 @@ K5_KRB= addr_comp.o addr_order.o addr_srch.o \ recvauth.o send_tgs.o sendauth.o srv_rcache.o str_conv.o \ tgtname.o valid_times.o walk_rtree.o appdefault.o deltat.o \ enc_helper.o gic_keytab.o gic_opt.o gic_pwd.o preauth2.o \ - vfy_increds.o vic_opt.o + vfy_increds.o vic_opt.o krb5_libinit.o K5_KRB_UTS= copy_athctr.o copy_auth.o copy_cksum.o copy_key.o \ copy_princ.o init_ctx.o kfree.o parse.o ser_actx.o \ 
@@ -156,14 +130,15 @@ K5_OS= an_to_ln.o def_realm.o ccdefname.o free_krbhs.o free_hstrl.o \ net_read.o net_write.o osconfig.o port2ip.o promptusr.o \ read_msg.o read_pwd.o realm_dom.o sendto_kdc.o sn2princ.o \ unlck_file.o ustime.o write_msg.o safechown.o \ - prompter.o realm_iter.o foreachaddr.o + prompter.o realm_iter.o foreachaddr.o \ + dnsglue.o dnssrv.o thread_safe.o K5_OS_UTS=init_os_ctx.o timeofday.o toffset.o c_ustime.o K5_POSIX= setenv.o daemon.o K5_RCACHE=rc_base.o rc_file.o rc_mem.o rc_common.o rc_io.o rcdef.o rc_conv.o \ - ser_rc.o + ser_rc.o rcfns.o MECH= accept_sec_context.o store_cred.o \ add_cred.o disp_com_err_status.o disp_major_status.o \ @@ -190,8 +165,11 @@ MECH_UTS= delete_sec_context.o gssapi_krb5.o \ PROFILE_OBJS= prof_tree.o prof_file.o prof_parse.o prof_init.o \ prof_set.o prof_get.o +SUPPORT_OBJS= fake-addrinfo.o threads.o + OBJECTS= \ $(MECH) $(MECH_UTS) \ + $(SUPPORT_OBJS) \ $(PROFILE_OBJS) \ $(CRYPTO) $(CRYPTO_UTS) \ $(CRYPTO_CRC32) \ @@ -208,8 +186,8 @@ OBJECTS= \ $(CRYPTO_RAW) \ $(ET) \ $(K5_ASN1) \ - $(K5_CC) $(K5_CC_FILE) $(K5_CC_MEM) $(K5_CC_STD) \ - $(K5_KT) $(K5_KT_FILE) \ + $(K5_CC) \ + $(K5_KT) \ $(K5_KRB) $(K5_KRB_UTS) \ $(K5_OS) $(K5_OS_UTS) \ $(K5_POSIX) $(K5_RCACHE) @@ -233,6 +211,11 @@ CPPFLAGS += -I$(REL_PATH)/libgss -I../include \ -I$(SRC)/uts/common/gssapi/include \ -I$(SRC)/lib/gss_mechs/mech_krb5/include/krb5 \ -I../include/krb5 \ + -I../krb5/keytab \ + -I../krb5/krb \ + -I../krb5/os \ + -I../krb5/ccache \ + -I../krb5/rcache \ -I$(SRC)/lib/krb5 \ -I$(SRC)/lib/krb5/kadm5 \ -I$(SRC)/uts/common/gssapi/mechs/krb5/include \ @@ -456,6 +439,10 @@ objs/%.o pics/%.o: $(REL_PATH)/profile/%.c $(COMPILE.c) -o $@ $< $(POST_PROCESS_O) +objs/%.o pics/%.o: $(REL_PATH)/support/%.c + $(COMPILE.c) -o $@ $< + $(POST_PROCESS_O) + $(DYNLIB): $(MAPFILE) $(MAPFILE): 
@@ -476,9 +463,9 @@ OS_FLAGS = -DHAVE_LIBSOCKET -DHAVE_LIBNSL -DTIME_WITH_SYS_TIME \ -DHAVE_ERRNO -DHAVE_STRFTIME -DHAVE_STRPTIME -DHAVE_STRERROR \ -DHAVE_STAT -DSIZEOF_INT=4 -DPROVIDE_KERNEL_IMPORT \ -DHAVE_STDINT_H -DPOSIX_SIGNALS -DHAVE_GETENV -DHAVE_SETENV \ - -DHAVE_UNSETENV + -DHAVE_UNSETENV -DHAVE_FCHMOD -CPPFLAGS += -I$(REL_PATH)/krb5/ccache/file $(OS_FLAGS) +CPPFLAGS += -I$(REL_PATH)krb5/ccache/file $(OS_FLAGS) SOURCES= \ $(CRYPTO_OS_UTS:%.o= $(SRC)/uts/common/gssapi/mechs/krb5/crypto/os/%.c)\ @@ -507,10 +494,7 @@ SOURCES= \ $(ET:%.o= $(SRC)/lib/gss_mechs/mech_krb5/et/%.c) \ $(K5_ASN1:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/asn.1/%.c) \ $(K5_CC:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/ccache/%.c) \ - $(K5_CC_FILE:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/ccache/file/%.c) \ - $(K5_CC_STD:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/ccache/stdio/%.c) \ $(K5_KT:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/keytab/%.c) \ - $(K5_KT_FILE:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/keytab/file/%.c) \ $(K5_KRB:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/krb/%.c)\ $(K5_KRB_UTS:%.o= $(SRC)/uts/common/gssapi/mechs/krb5/krb5/krb/%.c)\ $(K5_OS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/os/%.c)\ @@ -519,8 +503,8 @@ SOURCES= \ $(K5_RCACHE:%.o= $(SRC)/lib/gss_mechs/mech_krb5/krb5/rcache/%.c) \ $(MECH:%.o= $(SRC)/lib/gss_mechs/mech_krb5/mech/%.c) \ $(MECH_UTS:%.o= $(SRC)/uts/common/gssapi/mechs/krb5/mech/%.c) \ - $(PROFILE_OBJS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/profile/%.c) - + $(PROFILE_OBJS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/profile/%.c) \ + $(SUPPORT_OBJS:%.o= $(SRC)/lib/gss_mechs/mech_krb5/support/%.c) # So lint.out won't be needlessly recreated lint: $(LINTOUT) diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/cksumtype_to_string.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/cksumtype_to_string.c index 10c8e0a422..3fd3e76b93 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/cksumtype_to_string.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/cksumtype_to_string.c 
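Review bot: The rewritten line `CPPFLAGS += -I$(REL_PATH)krb5/ccache/file $(OS_FLAGS)` in the -476 hunk loses the `/` after `$(REL_PATH)`, and it still names krb5/ccache/file, whose fcc sources this same commit moves under deleted_files. Other rules in this Makefile write `$(REL_PATH)/profile/%.c` and `$(REL_PATH)/support/%.c`, so the new form most likely expands to a directory that does not exist; the compiler accepts a missing `-I` directory silently, which hides the mistake. Since the -211 hunk already adds `-I../krb5/ccache`, I would reduce the line to `CPPFLAGS += $(OS_FLAGS)`, or restore the slash if a header is still expected under that path.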
@@ -28,11 +28,8 @@ #include <k5-int.h> #include <cksumtypes.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_cksumtype_to_string(cksumtype, buffer, buflen) - krb5_cksumtype cksumtype; - char FAR * buffer; - size_t buflen; +krb5_error_code KRB5_CALLCONV +krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char *buffer, size_t buflen) { int i; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/coll_proof_cksum.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/coll_proof_cksum.c index 5f79ad6062..141e3c9cd5 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/coll_proof_cksum.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/coll_proof_cksum.c @@ -28,9 +28,8 @@ #include <k5-int.h> #include <cksumtypes.h> -KRB5_DLLIMP krb5_boolean KRB5_CALLCONV -is_coll_proof_cksum(ctype) - krb5_cksumtype ctype; +krb5_boolean KRB5_CALLCONV +krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype) { int i; @@ -44,3 +43,9 @@ is_coll_proof_cksum(ctype) old code would have done */ return(0); } + +krb5_boolean KRB5_CALLCONV +is_coll_proof_cksum(krb5_cksumtype ctype) +{ + return krb5_c_is_coll_proof_cksum (ctype); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/crc32/crc.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/crc32/crc.c index cb41460078..b330e7bae5 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/crc32/crc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/crc32/crc.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -8,7 +8,7 @@ /* * lib/crypto/crc32/crc.c * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990, 2002 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
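Review bot: In coll_proof_cksum.c the old name `is_coll_proof_cksum` is kept as a one-line wrapper around `krb5_c_is_coll_proof_cksum` with no comment saying why, while the caller visible in this commit (`comp_cksum` in kdc_util.c) is moved to the new name. A short comment would keep the wrapper from being read as a second implementation: `/* Legacy name kept for existing callers; new code should call krb5_c_is_coll_proof_cksum(). */`. The trailing `return(0)` appears to be the result for a checksum type that is not in the table, i.e. an unknown type is treated as not collision-proof, and that fail-closed default is worth stating in a header comment on `krb5_c_is_coll_proof_cksum` as well. The lookup loop itself is outside the hunk.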
@@ -153,20 +153,20 @@ static uint32_t const crc_table[256] = { /* Windows needs to these prototypes for crc32_cksumtable_entry below */ static krb5_error_code -crc32_sum_func PROTOTYPE(( +crc32_sum_func ( krb5_const krb5_pointer in, krb5_const size_t in_length, krb5_const krb5_pointer seed, krb5_const size_t seed_length, - krb5_checksum FAR *outcksum)); + krb5_checksum *outcksum); static krb5_error_code -crc32_verify_func PROTOTYPE(( - krb5_const krb5_checksum FAR *cksum, +crc32_verify_func ( + krb5_const krb5_checksum *cksum, krb5_const krb5_pointer in, krb5_const size_t in_length, krb5_const krb5_pointer seed, - krb5_const size_t seed_length)); + krb5_const size_t seed_length); /*ARGSUSED*/ static krb5_error_code @@ -175,7 +175,7 @@ crc32_sum_func(in, in_length, seed, seed_length, outcksum) krb5_const size_t in_length; krb5_const krb5_pointer seed; krb5_const size_t seed_length; - krb5_checksum FAR *outcksum; + krb5_checksum *outcksum; { register u_char *data; register u_long c = 0; @@ -205,7 +205,7 @@ crc32_sum_func(in, in_length, seed, seed_length, outcksum) /*ARGSUSED*/ static krb5_error_code crc32_verify_func(cksum, in, in_length, seed, seed_length) - krb5_const krb5_checksum FAR *cksum; + krb5_const krb5_checksum *cksum; krb5_const krb5_pointer in; krb5_const size_t in_length; krb5_const krb5_pointer seed; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/des/afsstring2key.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/des/afsstring2key.c index 2811f0343a..174d910c22 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/des/afsstring2key.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/des/afsstring2key.c 
@@ -8,39 +8,102 @@ /* * lib/crypto/des/string2key.c * - * based on lib/crypto/des/string2key.c from MIT V5 + * based on lib/crypto/des/string2key.c from MIT V5 * and on lib/des/afs_string_to_key.c from UMD. * constructed by Mark Eichin, Cygnus Support, 1995. + * made thread-safe by Ken Raeburn, MIT, 2001. */ -#include <k5-int.h> -#include <des_int.h> +/* + * Copyright 2001 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. 
+ * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +#include "k5-int.h" +#include "des_int.h" #include <ctype.h> -static char *afs_crypt PROTOTYPE((char*,char*)); +#define afs_crypt mit_afs_crypt +char *afs_crypt (const char *, const char *, char *); + +#undef min +#define min(a,b) ((a)>(b)?(b):(a)) /*ARGSUSED*/ krb5_error_code -mit_afs_string_to_key (context, keyblock, data, salt) - krb5_context context; - krb5_keyblock FAR * keyblock; - const krb5_data FAR * data; - const krb5_data FAR * salt; +mit_afs_string_to_key (krb5_context context, + krb5_keyblock *keyblock, const krb5_data *data, + const krb5_data *salt) { krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP; /* EXPORT DELETE START */ /* totally different approach from MIT string2key. */ - /* much of the work has already been done by the only caller - which is mit_des_string_to_key; in particular, *keyblock is already + /* much of the work has already been done by the only caller + which is mit_des_string_to_key; in particular, *keyblock is already set up. 
*/ + char *realm = salt->data; - int i; + unsigned int i, j; krb5_octet *key = keyblock->contents; krb5_keyblock usekey; if (data->length <= 8) { - char password[9]; /* trailing null for crypt() */ - strncpy(password, realm, 8); + /* One block only. Run afs_crypt and use the first eight + returned bytes after the copy of the (fixed) salt. + + Since the returned bytes are alphanumeric, the output is + limited to 2**48 possibilities; for each byte, only 64 + possible values can be used. */ + unsigned char password[9]; /* trailing nul for crypt() */ + char afs_crypt_buf[16]; + + memset (password, 0, sizeof (password)); + memcpy (password, realm, min (salt->length, 8)); for (i=0; i<8; i++) if (isupper(password[i])) password[i] = tolower(password[i]); 
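Review bot: `afs_crypt_buf`, added in the one-block branch, receives the crypt output that the key bytes are copied from, and nothing visible clears it; the following hunk zeroes only `password`. Add `memset(afs_crypt_buf, 0, sizeof (afs_crypt_buf));` beside that existing memset. The same applies to the buffers this commit moves from file-scope statics to automatics further down: `block` and `KS` in afs_crypt, `C` and `D` in krb5_afs_crypt_setkey, and `L`, `tempL`, `f` and `preS` in krb5_afs_encrypt hold password bits or the key schedule and, as far as the hunks show, are left on the stack at return. The body of mit_afs_string_to_key continues outside this hunk.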
@@ -50,26 +113,31 @@ mit_afs_string_to_key (context, keyblock, data, salt) if (password[i] == '\0') password[i] = 'X'; password[8] = '\0'; - strncpy((char *)key, (char *) afs_crypt(password, "#~") + 2, 8); + /* Out-of-bounds salt characters are equivalent to a salt string + of "p1". */ + strncpy((char *) key, + (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2, + 8); for (i=0; i<8; i++) key[i] <<= 1; - /* now fix up key parity again */ mit_des_fixup_key_parity(key); /* clean & free the input string */ memset(password, 0, (size_t) sizeof(password)); } else { + /* Multiple blocks. Do a CBC checksum, twice, and use the + result as the new key. */ mit_des_cblock ikey, tkey; + unsigned int pw_len = salt->length+data->length; + unsigned char *password = malloc(pw_len+1); - int pw_len = strlen(realm)+data->length; - char *password = malloc(pw_len+1); if (!password) return ENOMEM; - /* some bound checks from the original code are elided here as + /* Some bound checks from the original code are elided here as the malloc above makes sure we have enough storage. */ - strcpy (password, data->data); - for (i=data->length; *realm; i++) { - password[i] = *realm++; + memcpy (password, data->data, data->length); + for (i=data->length, j = 0; j < salt->length; i++, j++) { + password[i] = realm[j]; if (isupper(password[i])) password[i] = tolower(password[i]); } @@ -81,9 +149,8 @@ mit_afs_string_to_key (context, keyblock, data, salt) usekey.enctype = ENCTYPE_DES_CBC_CRC; usekey.contents = tkey; usekey.length = 8; - retval = mit_des_cbc_cksum (context, (unsigned char *)password, - tkey, i, &usekey, ikey); + tkey, i, &usekey, ikey); memcpy (ikey, tkey, sizeof(ikey)); mit_des_fixup_key_parity (tkey); 
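Review bot: `pw_len = salt->length+data->length` is an unsigned addition with no overflow check, so the comment that the malloc guarantees enough storage holds only when the sum does not wrap. If it wraps, `malloc(pw_len+1)` returns a short buffer while the `memcpy` of `data->length` bytes and the loop bounded by `salt->length` still write the full lengths. A guard before the allocation, for example `if (salt->length > UINT_MAX - 1 - data->length) return ENOMEM;`, closes this. The comment added to string_to_key.c in this commit says the AFS variant is signalled by a special salt length, so it is worth confirming that value can never arrive here as a real length. The enclosing function starts and ends outside this hunk.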
@@ -94,13 +161,12 @@ mit_afs_string_to_key (context, keyblock, data, salt) } usekey.contents = tkey; usekey.length = 8; - retval = mit_des_cbc_cksum (context, (unsigned char *) password, - key, i, &usekey, ikey); - + key, i, &usekey, ikey); + /* now fix up key parity again */ mit_des_fixup_key_parity(key); - + if (usekey.hKey != CK_INVALID_HANDLE) { (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); usekey.hKey = CK_INVALID_HANDLE; @@ -114,7 +180,6 @@ mit_afs_string_to_key (context, keyblock, data, salt) krb5_xfree(salt->data); #endif - retval = 0; /* EXPORT DELETE END */ return retval; } @@ -123,7 +188,7 @@ mit_afs_string_to_key (context, keyblock, data, salt) /* Portions of this code: Copyright 1989 by the Massachusetts Institute of Technology */ - + /* * Copyright (c) 1990 Regents of The University of Michigan. * All Rights Reserved. @@ -147,13 +212,14 @@ mit_afs_string_to_key (context, keyblock, data, salt) */ /* EXPORT DELETE START */ -static void krb5_afs_crypt_setkey PROTOTYPE((char*)); -static void krb5_afs_encrypt PROTOTYPE((char*,long)); + +static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]); +static void krb5_afs_encrypt (char*,char*,char (*)[48]); /* * Initial permutation, */ -static char IP[] = { +static const char IP[] = { 58,50,42,34,26,18,10, 2, 60,52,44,36,28,20,12, 4, 62,54,46,38,30,22,14, 6, @@ -163,11 +229,11 @@ static char IP[] = { 61,53,45,37,29,21,13, 5, 63,55,47,39,31,23,15, 7, }; - + /* * Final permutation, FP = IP^(-1) */ -static char FP[] = { +static const char FP[] = { 40, 8,48,16,56,24,64,32, 39, 7,47,15,55,23,63,31, 38, 6,46,14,54,22,62,30, 
@@ -177,55 +243,54 @@ static char FP[] = { 34, 2,42,10,50,18,58,26, 33, 1,41, 9,49,17,57,25, }; - + /* * Permuted-choice 1 from the key bits to yield C and D. * Note that bits 8,16... are left out: They are intended for a parity check. */ -static char PC1_C[] = { +static const char PC1_C[] = { 57,49,41,33,25,17, 9, 1,58,50,42,34,26,18, 10, 2,59,51,43,35,27, 19,11, 3,60,52,44,36, }; - -static char PC1_D[] = { + +static const char PC1_D[] = { 63,55,47,39,31,23,15, 7,62,54,46,38,30,22, 14, 6,61,53,45,37,29, 21,13, 5,28,20,12, 4, }; - + /* * Sequence of shifts used for the key schedule. */ -static char shifts[] = { +static const char shifts[] = { 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, }; - + /* * Permuted-choice 2, to pick out the bits from * the CD array that generate the key schedule. */ -static char PC2_C[] = { +static const char PC2_C[] = { 14,17,11,24, 1, 5, 3,28,15, 6,21,10, 23,19,12, 4,26, 8, 16, 7,27,20,13, 2, }; - -static char PC2_D[] = { + +static const char PC2_D[] = { 41,52,31,37,47,55, 30,40,51,45,33,48, 44,49,39,56,34,53, 46,42,50,36,29,32, }; - + /* * The E bit-selection table. */ -static char E[48]; -static char e[] = { +static const char e[] = { 32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9,10,11,12,13, @@ -235,12 +300,12 @@ static char e[] = { 24,25,26,27,28,29, 28,29,30,31,32, 1, }; - + /* * P is a permutation on the selected combination * of the current L and key. */ -static char P[] = { +static const char P[] = { 16, 7,20,21, 29,12,28,17, 1,15,23,26, 
@@ -250,88 +315,69 @@ static char P[] = { 19,13,30, 6, 22,11, 4,25, }; - + /* * The 8 selection functions. * For some reason, they give a 0-origin * index, unlike everything else. */ -static char S[8][64] = { - 14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, - 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, - 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, - 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13, - - 15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, - 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, - 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, - 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9, - - 10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, - 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, - 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, - 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12, - - 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, - 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, - 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, - 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14, - - 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, - 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, - 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, - 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3, - - 12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, - 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, - 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, - 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13, - - 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, - 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, - 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, - 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12, - - 13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, - 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, - 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, - 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11, +static const char S[8][64] = { + {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, + 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, + 4, 1,14, 8,13, 6, 
2,11,15,12, 9, 7, 3,10, 5, 0, + 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}, + + {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, + 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, + 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, + 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9}, + + {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, + 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, + 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, + 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12}, + + { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, + 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, + 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, + 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}, + + { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, + 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, + 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, + 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3}, + + {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, + 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, + 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, + 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13}, + + { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, + 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, + 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, + 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12}, + + {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, + 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, + 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, + 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}, }; - -/* - * The C and D arrays used to calculate the key schedule. - */ - -static char C[28]; -static char D[28]; -/* - * The key schedule. - * Generated from the key. - */ -static char KS[16][48]; - -/* - * The current block, divided into 2 halves. - */ -static char L[64]; -static char *R=&L[32]; - -static char tempL[32]; -static char f[32]; - -/* - * The combination of the key and the input, before selection. 
- */ -static char preS[48]; - -static char *afs_crypt(pw, salt) - char *pw; - char *salt; + + +char *afs_crypt(const char *pw, const char *salt, + /* must be at least 16 bytes */ + char *iobuf) { int i, j, c; int temp; - static char block[66], iobuf[16]; - + char block[66]; + char E[48]; + /* + * The key schedule. + * Generated from the key. + */ + char KS[16][48]; + for(i=0; i<66; i++) block[i] = 0; for(i=0; ((c= *pw) != NULL) && i<64; pw++){ @@ -340,8 +386,8 @@ static char *afs_crypt(pw, salt) i++; } - krb5_afs_crypt_setkey(block); - + krb5_afs_crypt_setkey(block, E, KS); + for(i=0; i<66; i++) block[i] = 0; @@ -361,7 +407,7 @@ static char *afs_crypt(pw, salt) } for(i=0; i<25; i++) - krb5_afs_encrypt(block,0); + krb5_afs_encrypt(block,E,KS); for(i=0; i<11; i++){ c = 0; @@ -380,17 +426,19 @@ static char *afs_crypt(pw, salt) return(iobuf); } - /* * Set up the key schedule from the key. */ - -static void krb5_afs_crypt_setkey(key) - char *key; + +static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) { int i, j, k; int t; - + /* + * The C and D arrays used to calculate the key schedule. + */ + char C[28], D[28]; + /* * First, generate C and D by permuting * the key. The low order bit of each @@ -428,22 +476,36 @@ static void krb5_afs_crypt_setkey(key) KS[i][j+24] = D[PC2_D[j]-28-1]; } } - + +#if 0 for(i=0;i<48;i++) { E[i] = e[i]; } +#else + memcpy(E, e, 48); +#endif } - + /* * The payoff: encrypt a block. */ - -static void krb5_afs_encrypt(block, edflag) - char *block; - long edflag; + +static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48]) { + const long edflag = 0; int i, ii; int t, j, k; + char tempL[32]; + char f[32]; + /* + * The current block, divided into 2 halves. + */ + char L[64]; + char *const R = &L[32]; + /* + * The combination of the key and the input, before selection. + */ + char preS[48]; /* * First, permute the bits in the input 
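Review bot: The old element-by-element copy is kept under `#if 0` next to its `memcpy` replacement in krb5_afs_crypt_setkey, and the same pattern is repeated twice in krb5_afs_encrypt in the next two hunks. Dead branches in a cipher routine make it harder to see which code is actually compiled; delete the `#if 0` arms and keep only the `memcpy` calls. Taking the sizes from the objects, e.g. `memcpy(E, e, sizeof (e));` and `memcpy(tempL, R, sizeof (tempL));`, also removes the bare 48 and 32.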
@@ -465,8 +527,12 @@ static void krb5_afs_encrypt(block, edflag) * Save the R array, * which will be the new L. */ +#if 0 for (j=0; j<32; j++) tempL[j] = R[j]; +#else + memcpy(tempL, R, 32); +#endif /* * Expand R to 48 bits using the E selector; * exclusive-or with the current key bits. @@ -508,8 +574,12 @@ static void krb5_afs_encrypt(block, edflag) * Finally, the new L (the original R) * is copied back. */ +#if 0 for (j=0; j<32; j++) L[j] = tempL[j]; +#else + memcpy(L, tempL, 32); +#endif } /* * The output L and R are reversed. @@ -526,5 +596,4 @@ static void krb5_afs_encrypt(block, edflag) for (j=0; j<64; j++) block[j] = L[FP[j]-1]; } - /* EXPORT DELETE END */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/dk/stringtokey.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/dk/stringtokey.c index f1cdf4b7fc..6f97457c40 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/dk/stringtokey.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/dk/stringtokey.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -37,13 +37,13 @@ static unsigned char kerberos[] = "kerberos"; #define kerberos_len (sizeof(kerberos)-1) krb5_error_code -krb5_dk_string_to_key(context, enc, string, salt, parms, key) - krb5_context context; - krb5_const struct krb5_enc_provider *enc; - krb5_const krb5_data *string; - krb5_const krb5_data *salt; - krb5_const krb5_data *parms; - krb5_keyblock *key; +krb5_dk_string_to_key( + krb5_context context, + krb5_const struct krb5_enc_provider *enc, + krb5_const krb5_data *string, + krb5_const krb5_data *salt, + krb5_const krb5_data *parms, + krb5_keyblock *key) { krb5_error_code ret; size_t keybytes, keylength, concatlen; 
@@ -53,7 +53,8 @@ krb5_dk_string_to_key(context, enc, string, salt, parms, key) /* key->length is checked by krb5_derive_key */ - (*(enc->keysize))(&keybytes, &keylength); + keybytes = enc->keybytes; + keylength = enc->keylength; concatlen = string->length+(salt?salt->length:0); diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_compare.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_compare.c index 08ac4f45f2..157c5b43ca 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_compare.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_compare.c @@ -29,12 +29,9 @@ #include <etypes.h> /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_enctype_compare(context, e1, e2, similar) - krb5_context context; - krb5_enctype e1; - krb5_enctype e2; - krb5_boolean *similar; +krb5_error_code KRB5_CALLCONV +krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, + krb5_boolean *similar) { int i, j; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_to_string.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_to_string.c index 0c5a73cc68..f7b92bfff7 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_to_string.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/enctype_to_string.c @@ -27,12 +27,8 @@ #include <k5-int.h> #include <etypes.h> - -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_enctype_to_string(enctype, buffer, buflen) - krb5_enctype enctype; - char FAR * buffer; - size_t buflen; +krb5_error_code KRB5_CALLCONV +krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen) { int i; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_md5.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_md5.c index 78560c137c..c8d7b89ca8 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_md5.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_md5.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,18 +34,6 @@ #include <k5-int.h> #include <hash_provider.h> -static void -k5_md5_hash_size(size_t *output) -{ - *output = MD5_CKSUM_LENGTH; -} - -static void -k5_md5_block_size(size_t *output) -{ - *output = MD5_BLOCKSIZE; -} - static krb5_error_code k5_md5_hash(krb5_context context, unsigned int icount, krb5_const krb5_data *input, @@ -61,7 +49,7 @@ k5_md5_hash(krb5_context context, } const struct krb5_hash_provider krb5int_hash_md5 = { - k5_md5_hash_size, - k5_md5_block_size, + MD5_CKSUM_LENGTH, + MD5_BLOCKSIZE, k5_md5_hash }; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_sha1.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_sha1.c index 9982eca9b3..71f441cbd4 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_sha1.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/hash_provider/hash_sha1.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,20 +34,6 @@ #include <k5-int.h> #include <hash_provider.h> -static void -k5_sha1_hash_size(size_t *output) -{ - KRB5_LOG0(KRB5_INFO, "k5_sha1_hash_size() start"); - *output = SHS_DIGESTSIZE; -} - -static void -k5_sha1_block_size(size_t *output) -{ - KRB5_LOG0(KRB5_INFO, "k5_sha1_block_size() start"); - *output = SHS_DATASIZE; -} - static krb5_error_code k5_sha1_hash(krb5_context context, unsigned int icount, krb5_const krb5_data *input, @@ -65,7 +51,7 @@ k5_sha1_hash(krb5_context context, } const struct krb5_hash_provider krb5_hash_sha1 = { - k5_sha1_hash_size, - k5_sha1_block_size, + SHS_DIGESTSIZE, + SHS_DATASIZE, k5_sha1_hash }; 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_checksum_types.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_checksum_types.c index 8484025be0..f926c5b34a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_checksum_types.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_checksum_types.c @@ -48,12 +48,10 @@ static int etype_match(e1, e2) } /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_keyed_checksum_types(context, enctype, count, cksumtypes) - krb5_context context; - krb5_enctype enctype; - unsigned int *count; - krb5_cksumtype **cksumtypes; + +krb5_error_code KRB5_CALLCONV +krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, + unsigned int *count, krb5_cksumtype **cksumtypes) { unsigned int i, c; @@ -86,10 +84,8 @@ krb5_c_keyed_checksum_types(context, enctype, count, cksumtypes) } /*ARGSUSED*/ -KRB5_DLLIMP void KRB5_CALLCONV -krb5_free_cksumtypes(context, val) - krb5_context context; - krb5_cksumtype FAR * val; +void KRB5_CALLCONV +krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val) { if (val) krb5_xfree(val); diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_cksum.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_cksum.c index 393685ce6e..8af42e9f4a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_cksum.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyed_cksum.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,9 +34,8 @@ #include <k5-int.h> #include <cksumtypes.h> -KRB5_DLLIMP krb5_boolean KRB5_CALLCONV -is_keyed_cksum(ctype) - krb5_cksumtype ctype; +krb5_boolean KRB5_CALLCONV +krb5_c_is_keyed_cksum(krb5_cksumtype ctype) { int i; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c index b2fe69bbe2..55450c15dd 100644 
--- a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/hmac_md5.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -42,12 +42,6 @@ #include <hash_provider.h> #include <keyhash_provider.h> -static void -k5_hmac_md5_hash_size (size_t *output) -{ - *output = 16; -} - static krb5_error_code k5_hmac_md5_hash (krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, @@ -134,8 +128,8 @@ cleanup: const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5 = { - k5_hmac_md5_hash_size, - k5_hmac_md5_hash, - NULL /*checksum again*/ + 16, + k5_hmac_md5_hash, + NULL /*checksum again*/ }; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/k5_md5des.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/k5_md5des.c index 08909e9fc9..e347b062d2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/k5_md5des.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/keyhash_provider/k5_md5des.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -40,22 +40,6 @@ /* Force acceptance of krb5-beta5 md5des checksum for now. */ #define KRB5_MD5DES_BETA5_COMPAT -static const mit_des_cblock mit_des_zeroblock[8] = { - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00} }; - -static void -k5_md5des_hash_size(size_t *output) -{ - *output = CONFLENGTH + MD5_CKSUM_LENGTH; -} - /* des-cbc(xorkey, conf | rsa-md5(conf | data)) */ /* this could be done in terms of the md5 and des providers, but @@ -291,7 +275,7 @@ cleanup: } const struct krb5_keyhash_provider krb5_keyhash_md5des = { - k5_md5des_hash_size, + CONFLENGTH + MD5_CKSUM_LENGTH, k5_md5des_hash, k5_md5des_verify }; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/make_random_key.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/make_random_key.c index 2138aedcac..5afbb00c54 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/make_random_key.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/make_random_key.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,17 +34,15 @@ #include <k5-int.h> #include <etypes.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_make_random_key(context, enctype, random_key) - krb5_context context; - krb5_enctype enctype; - krb5_keyblock *random_key; +krb5_error_code KRB5_CALLCONV +krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, + krb5_keyblock *random_key) { int i; krb5_error_code ret; const struct krb5_enc_provider *enc; size_t keybytes, keylength; - krb5_data random; + krb5_data random_data; unsigned char *bytes; for (i=0; i<krb5_enctypes_length; i++) { 
@@ -57,7 +55,8 @@ krb5_c_make_random_key(context, enctype, random_key) enc = krb5_enctypes_list[i].enc; - (*(enc->keysize))(&keybytes, &keylength); + keybytes = enc->keybytes; + keylength = enc->keylength; if ((bytes = (unsigned char *) malloc(keybytes)) == NULL) return(ENOMEM); @@ -66,10 +65,10 @@ krb5_c_make_random_key(context, enctype, random_key) return(ENOMEM); } - random.data = (char *) bytes; - random.length = keybytes; + random_data.data = (char *) bytes; + random_data.length = keybytes; - if ((ret = krb5_c_random_make_octets(context, &random))) + if ((ret = krb5_c_random_make_octets(context, &random_data))) goto cleanup; random_key->magic = KV5M_KEYBLOCK; @@ -82,7 +81,7 @@ krb5_c_make_random_key(context, enctype, random_key) random_key->hKey = CK_INVALID_HANDLE; #endif - ret = ((*(enc->make_key))(context, &random, random_key)); + ret = ((*(enc->make_key))(context, &random_data, random_key)); cleanup: memset(bytes, 0, keybytes); diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/old/des_stringtokey.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/old/des_stringtokey.c index a1cf0515b0..0b6fe20e5a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/old/des_stringtokey.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/old/des_stringtokey.c 
@@ -27,23 +27,37 @@ #include <k5-int.h> #include <old.h> +#include <des_int.h> /* XXX */ extern krb5_error_code mit_des_string_to_key_int -KRB5_PROTOTYPE ((krb5_context context, - krb5_keyblock FAR * keyblock, - const krb5_data FAR * data, - const krb5_data FAR * salt)); +(krb5_context context, + krb5_keyblock * keyblock, + const krb5_data * data, + const krb5_data * salt); /*ARGSUSED*/ krb5_error_code -krb5_des_string_to_key(context, enc, string, salt, parms, key) - krb5_context context; - krb5_const struct krb5_enc_provider *enc; - krb5_const krb5_data *string; - krb5_const krb5_data *salt; - krb5_const krb5_data *parms; - krb5_keyblock *key; +krb5_des_string_to_key(krb5_context context, + const struct krb5_enc_provider *enc, + const krb5_data *string, + const krb5_data *salt, + krb5_const krb5_data *parm, + krb5_keyblock *key) { - return(mit_des_string_to_key_int(context, key, string, salt)); + int type; + if (parm) { + if (parm->length != 1) + return KRB5_ERR_BAD_S2K_PARAMS; + type = parm->data[0]; + } else type = 0; + + switch(type) { + case 0: + return mit_des_string_to_key_int(context, key, string, salt); + case 1: + return mit_afs_string_to_key(context, key, string, salt); + default: + return KRB5_ERR_BAD_S2K_PARAMS; + } } diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/pkcs11slot.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/pkcs11slot.c index 9c18a0228d..1e7ebaa903 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/pkcs11slot.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/pkcs11slot.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
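Review bot: The new `case 1` forwards `salt` to mit_afs_string_to_key unchanged, and that function reads `salt->data` and `salt->length` without a NULL test, while other string-to-key code in this commit treats the salt as optional (`salt?salt->length:0` in krb5_dk_string_to_key). Reject a missing salt before dispatching, e.g. `if (type == 1 && salt == NULL) return KRB5_ERR_BAD_S2K_PARAMS;` (or whichever error code the library prefers for this), or document that callers must always pass one. `type = parm->data[0]` also goes through plain `char`, whose signedness is implementation-defined; the `default` arm already rejects unexpected values, so that part only needs a comment.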
@@ -155,8 +155,9 @@ slot_supports_krb5(CK_SLOT_ID_PTR slotid) * make sure it supports the correct key sizes. * If not, disable this enctype and continue. */ - krb5_enctypes_list[i].enc->keysize(&keysize, - &keylength); + keysize = krb5_enctypes_list[i].enc->keybytes; + keylength = krb5_enctypes_list[i].enc->keylength; + if (keylength > info.ulMaxKeySize) { krb5_enctypes_list[i].etype = -1; krb5_enctypes_list[i].in_string = diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_cksumtype.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_cksumtype.c index e178928291..8fe5fcbdf2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_cksumtype.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_cksumtype.c @@ -28,10 +28,8 @@ #include <k5-int.h> #include <cksumtypes.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_string_to_cksumtype(string, cksumtypep) - char FAR * string; - krb5_cksumtype FAR * cksumtypep; +krb5_error_code KRB5_CALLCONV +krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep) { int i; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_enctype.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_enctype.c index 46eb95d2f8..5a52832f7d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_enctype.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_enctype.c @@ -27,11 +27,8 @@ #include <k5-int.h> #include <etypes.h> - -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_string_to_enctype(string, enctypep) - char FAR * string; - krb5_enctype FAR * enctypep; +krb5_error_code KRB5_CALLCONV +krb5_string_to_enctype(char *string, krb5_enctype *enctypep) { int i; diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_key.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_key.c index 8b266bc432..eb182f1736 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_key.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/string_to_key.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,13 +34,28 @@ #include <etypes.h> krb5_error_code KRB5_CALLCONV -krb5_c_string_to_key_with_params(context, enctype, string, salt, params, key) - krb5_context context; - krb5_enctype enctype; - const krb5_data *string; - const krb5_data *salt; - const krb5_data *params; - krb5_keyblock *key; +krb5_c_string_to_key_with_params(krb5_context context, + krb5_enctype enctype, + const krb5_data *string, + const krb5_data *salt, + const krb5_data *params, + krb5_keyblock *key); + +/*ARGSUSED*/ +krb5_error_code KRB5_CALLCONV +krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, + const krb5_data *string, const krb5_data *salt, + krb5_keyblock *key) +{ + return krb5_c_string_to_key_with_params(context, enctype, string, salt, + NULL, key); +} + +krb5_error_code KRB5_CALLCONV +krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, + const krb5_data *string, + const krb5_data *salt, + const krb5_data *params, krb5_keyblock *key) { int i; krb5_error_code ret; @@ -56,8 +71,22 @@ krb5_c_string_to_key_with_params(context, enctype, string, salt, params, key) return(KRB5_BAD_ENCTYPE); enc = krb5_enctypes_list[i].enc; - - (*(enc->keysize))(&keybytes, &keylength); +/* xxx AFS string2key function is indicated by a special length in +* the salt in much of the code. However only the DES enctypes can +* deal with this. Using s2kparams would be a much better solution.*/ + if (salt && salt->length == SALT_TYPE_AFS_LENGTH) { + switch (enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + break; + default: + return (KRB5_CRYPTO_INTERNAL); + } + } + + keybytes = enc->keybytes; + keylength = enc->keylength; if ((key->contents = (krb5_octet *) malloc(keylength)) == NULL) return(ENOMEM); 
@@ -78,17 +107,3 @@ krb5_c_string_to_key_with_params(context, enctype, string, salt, params, key) return(ret); } - -/*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_string_to_key(context, enctype, string, salt, key) - krb5_context context; - krb5_enctype enctype; - krb5_const krb5_data *string; - krb5_const krb5_data *salt; - krb5_keyblock *key; -{ - return krb5_c_string_to_key_with_params(context, enctype, string, salt, - NULL, key); -} - diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_cksumtype.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_cksumtype.c index 09a1e72cab..9bed4d5639 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_cksumtype.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_cksumtype.c @@ -28,9 +28,8 @@ #include <k5-int.h> #include <cksumtypes.h> -KRB5_DLLIMP krb5_boolean KRB5_CALLCONV -valid_cksumtype(ctype) - krb5_cksumtype ctype; +krb5_boolean KRB5_CALLCONV +krb5_c_valid_cksumtype(krb5_cksumtype ctype) { int i; @@ -41,3 +40,9 @@ valid_cksumtype(ctype) return(0); } + +krb5_boolean KRB5_CALLCONV +valid_cksumtype(krb5_cksumtype ctype) +{ + return krb5_c_valid_cksumtype (ctype); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_enctype.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_enctype.c index e16e5c21a7..88ea50d0cc 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_enctype.c +++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/valid_enctype.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,9 +34,8 @@ #include <k5-int.h> #include <etypes.h> -KRB5_DLLIMP krb5_boolean KRB5_CALLCONV -valid_enctype(etype) - krb5_enctype etype; +krb5_boolean KRB5_CALLCONV +krb5_c_valid_enctype(krb5_enctype etype) { int i; 
@@ -48,12 +47,18 @@ valid_enctype(etype) return(0); } +krb5_boolean KRB5_CALLCONV +valid_enctype(krb5_enctype etype) +{ + return krb5_c_valid_enctype (etype); +} + /* Solaris kerberos: * * is_in_keytype(): returns 1 if enctype == one of the enctypes in keytype * otherwise 0 is returned. */ -KRB5_DLLIMP krb5_boolean KRB5_CALLCONV +krb5_boolean KRB5_CALLCONV is_in_keytype(keytype, numkeytypes, enctype) krb5_const krb5_enctype *keytype; int numkeytypes; diff --git a/usr/src/lib/gss_mechs/mech_krb5/et/com_err.c b/usr/src/lib/gss_mechs/mech_krb5/et/com_err.c index e77b077c36..d9ca89c0ed 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/et/com_err.c +++ b/usr/src/lib/gss_mechs/mech_krb5/et/com_err.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -26,6 +26,7 @@ * provided "as is" without express or implied warranty. */ + #include <stdio.h> #include <string.h> #include <locale.h> @@ -44,8 +45,8 @@ static void MacMessageBox(char *errbuf); static et_old_error_hook_func com_err_hook = 0; static void default_com_err_proc -ET_P((const char FAR *whoami, errcode_t code, - const char FAR *fmt, va_list ap)); +(const char *whoami, errcode_t code, + const char *fmt, va_list ap); /* Solaris Kerberos specific fix start --------------------------- */ @@ -117,9 +118,9 @@ my_gettext(int msg_idx) /* Solaris Kerberos: this code is significantly altered from * the MIT 1.2.1 version to work with internationalization */ static void default_com_err_proc(whoami, code, fmt, ap) - const char FAR *whoami; + const char *whoami; errcode_t code; - const char FAR *fmt; + const char *fmt; va_list ap; { char whilebuf[1024] = ""; 
@@ -189,10 +190,10 @@ static void default_com_err_proc(whoami, code, fmt, ap) fflush(stderr); } -KRB5_DLLIMP void KRB5_CALLCONV com_err_va(whoami, code, fmt, ap) - const char FAR *whoami; +void KRB5_CALLCONV com_err_va(whoami, code, fmt, ap) + const char *whoami; errcode_t code; - const char FAR *fmt; + const char *fmt; va_list ap; { if (!com_err_hook) @@ -203,14 +204,14 @@ KRB5_DLLIMP void KRB5_CALLCONV com_err_va(whoami, code, fmt, ap) #ifndef ET_VARARGS -KRB5_DLLIMP void KRB5_CALLCONV_C com_err(const char FAR *whoami, +void KRB5_CALLCONV_C com_err(const char *whoami, errcode_t code, - const char FAR *fmt, ...) + const char *fmt, ...) #else -KRB5_DLLIMP void KRB5_CALLCONV_C com_err(whoami, code, fmt, va_alist) - const char FAR *whoami; +void KRB5_CALLCONV_C com_err(whoami, code, fmt, va_alist) + const char *whoami; errcode_t code; - const char FAR *fmt; + const char *fmt; va_dcl #endif { diff --git a/usr/src/lib/gss_mechs/mech_krb5/et/error_message.c b/usr/src/lib/gss_mechs/mech_krb5/et/error_message.c index 4d3a9642aa..919455523e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/et/error_message.c +++ b/usr/src/lib/gss_mechs/mech_krb5/et/error_message.c @@ -1,6 +1,6 @@ /* - * Copyright (c) 1998-2000 by Sun Microsystems, Inc. - * All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -28,7 +28,7 @@ static char buffer[25]; struct et_list * _et_list = (struct et_list *) NULL; -KRB5_DLLIMP const char * KRB5_CALLCONV error_message (code) +const char * KRB5_CALLCONV error_message (code) long code; { int offset; @@ -108,3 +108,15 @@ oops: *cp = '\0'; return(buffer); } + +int com_err_finish_init() +{ + /* + * SUNW14resync + * Since the original SEAM (Solaris Kerberos) error_message() + * has deviated substantially from MIT let's disable + * com_err_initialize for now and revisit if necessary. + */ + /* return CALL_INIT_FUNCTION(com_err_initialize); */ + return 0; +} 
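Review bot: `com_err_finish_init()` now returns 0 unconditionally while the `CALL_INIT_FUNCTION(com_err_initialize)` call is commented out, so a caller cannot tell "initialised" from "initialisation skipped". The same commit declares `extern k5_mutex_t com_err_hook_lock;` in error_table.h; if that lock is set up by com_err_initialize (not visible here), any path that takes it would be using a mutex that was never initialised. I would state that constraint in the comment, e.g. `/* com_err_hook_lock is NOT initialised while this is disabled; do not lock it */`. The definition should also read `int com_err_finish_init(void)` to match the prototype added in error_table.h.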
diff --git a/usr/src/lib/gss_mechs/mech_krb5/et/error_table.h b/usr/src/lib/gss_mechs/mech_krb5/et/error_table.h index 999404d2f1..5a626bdf84 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/et/error_table.h +++ b/usr/src/lib/gss_mechs/mech_krb5/et/error_table.h @@ -1,5 +1,3 @@ - -#pragma ident "%Z%%M% %I% %E% SMI" /* * Copyright 1988 by the Student Information Processing Board of the * Massachusetts Institute of Technology. @@ -9,29 +7,37 @@ #ifndef _ET_H +#pragma ident "%Z%%M% %I% %E% SMI" + #include <errno.h> -#if defined(macintosh) -#define ET_EBUFSIZ 256 -#else #define ET_EBUFSIZ 64 -#endif struct et_list { - struct et_list *next; - const struct error_table FAR *table; + /*@dependent@*//*@null@*/ struct et_list *next; + /*@dependent@*//*@null@*/ const struct error_table *table; }; -#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) -extern struct et_list * _et_list; -#endif +struct dynamic_et_list { + /*@only@*//*@null@*/ struct dynamic_et_list *next; + /*@dependent@*/ const struct error_table *table; +}; #define ERRCODE_RANGE 8 /* # of bits to shift table number */ #define BITS_PER_CHAR 6 /* # bits to shift per character in name */ -#define ERRCODE_MAX 0xFFFFFFFF /* Mask for maximum error table */ +#define ERRCODE_MAX 0xFFFFFFFFUL /* Mask for maximum error table */ + +#if 0 /* SUNW14resync */ +extern /*@observer@*/ const char *error_table_name (unsigned long) + /*@modifies internalState@*/; +extern const char *error_table_name_r (unsigned long, + /*@out@*/ /*@returned@*/ char *outbuf) + /*@modifies outbuf@*/; +#endif -extern const char FAR *error_table_name ET_P((unsigned long)); -extern const char FAR *error_table_name_r ET_P((unsigned long, char FAR *)); +#include "k5-thread.h" +extern k5_mutex_t com_err_hook_lock; +extern int com_err_finish_init(void); #define _ET_H #endif diff --git a/usr/src/lib/gss_mechs/mech_krb5/et/krb5_err.c b/usr/src/lib/gss_mechs/mech_krb5/et/krb5_err.c index a56c06203e..3fa140c718 100644 
--- a/usr/src/lib/gss_mechs/mech_krb5/et/krb5_err.c +++ b/usr/src/lib/gss_mechs/mech_krb5/et/krb5_err.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -761,6 +761,15 @@ switch (errorno) { "service not available")); case 244: /* KRB5_RC_BADNAME */ return (dgettext(TEXT_DOMAIN, "Bad replay cache name")); + case 245: /* KRB5_CONF_NOT_CONFIGURED */ + return (dgettext(TEXT_DOMAIN, + "krb5 conf file not configured")); + case 246: /* PKCS_ERR */ + return (dgettext(TEXT_DOMAIN, "PKCS error")); + /* SUNW14resync start */ + case 247: /* KRB5_DELTAT_BADFORMAT */ + return (dgettext(TEXT_DOMAIN, "Delta time bad format")); + /* SUNW14resync end */ default: return ("unknown error"); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/et/prof_err.c b/usr/src/lib/gss_mechs/mech_krb5/et/prof_err.c index 14890d97d0..0f2b41493b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/et/prof_err.c +++ b/usr/src/lib/gss_mechs/mech_krb5/et/prof_err.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -94,6 +94,15 @@ switch (errorno) { case 27: return(dgettext(TEXT_DOMAIN, "Section already exists")); + case 28: + return(dgettext(TEXT_DOMAIN, + "Invalid boolean value")); + case 29: + return(dgettext(TEXT_DOMAIN, + "Invalid integer value")); + case 30: + return(dgettext(TEXT_DOMAIN, + "Bad magic value in profile_file_data_t")); default: return("unknown error"); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/autoconf.h b/usr/src/lib/gss_mechs/mech_krb5/include/autoconf.h index a1c19454a6..5b5bf0c520 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/autoconf.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/autoconf.h 
@@ -1,3 +1,8 @@
+/*
+ * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
 #pragma ident "%Z%%M% %I% %E% SMI"
 /* autoconf.h. Generated automatically by configure. */
 /* autoconf.h.in. Generated automatically from configure.in by autoheader. */
@@ -136,3 +141,57 @@ /* Define if you have sockaddr_storage */ #define HAVE_STRUCT_SOCKADDR_STORAGE 1 + +/* SUNW14resync start */ + +/* Define if thread support enabled */ +#define ENABLE_THREADS 1 + +/* Define if #pragma weak references work */ +#define HAVE_PRAGMA_WEAK_REF 1 + +/* Define if you have POSIX threads libraries and header files. */ +#define HAVE_PTHREAD 1 + +/* Define to 1 if you have the `pthread_mutexattr_setrobust_np' function. */ +#define HAVE_PTHREAD_MUTEXATTR_SETROBUST_NP 1 + +/* Define if pthread_mutexattr_setrobust_np is provided in the thread library. + */ +#define HAVE_PTHREAD_MUTEXATTR_SETROBUST_NP_IN_THREAD_LIB 1 + +/* Define to 1 if you have the `pthread_mutex_lock' function. */ +#define HAVE_PTHREAD_MUTEX_LOCK 1 + +/* Define to 1 if you have the `pthread_once' function. */ +#define HAVE_PTHREAD_ONCE 1 + +/* Define to 1 if you have the `pthread_rwlock_init' function. */ +#define HAVE_PTHREAD_RWLOCK_INIT 1 + +/* Define if pthread_rwlock_init is provided in the thread library. */ +#define HAVE_PTHREAD_RWLOCK_INIT_IN_THREAD_LIB 1 + + +/* XXX */ +/* Define to the necessary symbol if this constant uses a non-standard name on + your system. */ +#undef PTHREAD_CREATE_JOINABLE + +/* Define if link-time options for library finalization will be used */ +#undef USE_LINKER_FINI_OPTION + +/* Define if link-time options for library initialization will be used */ +#undef USE_LINKER_INIT_OPTION + +/* from MIT 1.4 configure CC=.../cc */ +#define HAVE_PRAGMA_WEAK_REF 1 +#define DELAY_INITIALIZER 1 +#define USE_LINKER_INIT_OPTION 1 +#define USE_LINKER_FINI_OPTION 1 + +#define USE_BUNDLE_ERROR_STRINGS 1 +#ifndef KRB5_PRIVATE +#define KRB5_PRIVATE 1 +#endif +/* SUNW14resync end */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h b/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h index 6e4b0b0994..5042f46836 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h 
@@ -14,55 +14,24 @@ #pragma ident "%Z%%M% %I% %E% SMI" -#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh) +#if defined(_WIN32) #include <win-mac.h> -#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__) -#pragma import on -#endif #endif #ifndef KRB5_CALLCONV #define KRB5_CALLCONV #define KRB5_CALLCONV_C -#define KRB5_DLLIMP -#define GSS_DLLIMP -#define KRB5_EXPORTVAR -#endif - -#ifndef FAR -#define FAR -#define NEAR -#endif - -#if defined(__STDC__) || defined(__cplusplus) || defined(_MSDOS) || defined(_WIN32) || defined(macintosh) - -/* End-user programs may need this -- oh well */ -#ifndef HAVE_STDARG_H -#define HAVE_STDARG_H 1 #endif -#define ET_P(x) x - -#else -#define ET_P(x) () -#endif /* __STDC__ */ - -#ifdef HAVE_STDARG_H #include <stdarg.h> -#define ET_STDARG_P(x) x -#else -#include <varargs.h> -#define ET_STDARG_P(x) () -#define ET_VARARGS -#endif typedef long errcode_t; -typedef void (*et_old_error_hook_func) ET_P((const char FAR *, errcode_t, - const char FAR *, va_list ap)); +typedef void (*et_old_error_hook_func) (const char *, errcode_t, + const char *, va_list ap); struct error_table { - char const FAR * const FAR * msgs; - unsigned long base; + /*@shared@*/ char const * const * msgs; + long base; unsigned int n_msgs; }; 
@@ -70,38 +39,36 @@ struct error_table { extern "C" { #endif -KRB5_DLLIMP extern void KRB5_CALLCONV_C com_err - ET_STDARG_P((const char FAR *, errcode_t, const char FAR *, ...)); -KRB5_DLLIMP extern void KRB5_CALLCONV com_err_va - ET_P((const char FAR *whoami, errcode_t code, const char FAR *fmt, - va_list ap)); -KRB5_DLLIMP extern const char FAR * KRB5_CALLCONV error_message - ET_P((errcode_t)); -KRB5_DLLIMP extern errcode_t KRB5_CALLCONV add_error_table - ET_P((const struct error_table FAR *)); -KRB5_DLLIMP extern errcode_t KRB5_CALLCONV remove_error_table - ET_P((const struct error_table FAR *)); - -#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) +/* Public interfaces */ +extern void KRB5_CALLCONV_C com_err + (const char *, errcode_t, const char *, ...); +extern void KRB5_CALLCONV com_err_va + (const char *whoami, errcode_t code, const char *fmt, + va_list ap); +extern /*@observer@*//*@dependent@*/ const char * KRB5_CALLCONV error_message + (errcode_t) + /*@modifies internalState@*/; +extern errcode_t KRB5_CALLCONV add_error_table + (/*@dependent@*/ const struct error_table *) + /*@modifies internalState@*/; +extern errcode_t KRB5_CALLCONV remove_error_table + (const struct error_table *) + /*@modifies internalState@*/; + +#if !defined(_WIN32) /* * The display routine should be application specific. A global hook, * may cause inappropriate display procedures to be called between * applications under non-Unix environments. */ -extern et_old_error_hook_func set_com_err_hook - ET_P((et_old_error_hook_func)); -extern et_old_error_hook_func reset_com_err_hook - ET_P((void)); +extern et_old_error_hook_func set_com_err_hook (et_old_error_hook_func); +extern et_old_error_hook_func reset_com_err_hook (void); #endif #ifdef __cplusplus } #endif -#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__) -#pragma import reset -#endif - #define __COM_ERR_H #endif /* ! defined(__COM_ERR_H) */ 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/fake-addrinfo.h b/usr/src/lib/gss_mechs/mech_krb5/include/fake-addrinfo.h index 38845f8bbe..dbc03de925 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/fake-addrinfo.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/fake-addrinfo.h @@ -1,7 +1,5 @@ -#pragma ident "%Z%%M% %I% %E% SMI" - /* - * Copyright (C) 2001,2002 by the Massachusetts Institute of Technology, + * Copyright (C) 2001,2002,2003,2004 by the Massachusetts Institute of Technology, * Cambridge, MA, USA. All Rights Reserved. * * This software is being provided to you, the LICENSEE, by the @@ -43,15 +41,24 @@ /* Approach overview: - If a system version is available but buggy, save pointers to it, - redefine the names to refer to static functions defined here, and - in those functions, call the system versions and fix up the - returned data. Use the native data structures and flag values. + If a system version is available but buggy, save handles to it (via + inline functions), redefine the names to refer to static functions + defined here, and in those functions, call the system versions and + fix up the returned data. Use the native data structures and flag + values. If no system version exists, use gethostby* and fake it. Define the data structures and flag values locally. + On Mac OS X, getaddrinfo results aren't cached (though + gethostbyname results are), so we need to build a cache here. Now + things are getting really messy. Because the cache is in use, we + use getservbyname, and throw away thread safety. (Not that the + cache is thread safe, but when we get locking support, that'll be + dealt with.) This code needs tearing down and rebuilding, soon. + + Note that recent Windows developers' code has an interesting hack: When you include the right header files, with the right set of macros indicating system versions, you'll get an inline function 
@@ -84,13 +91,24 @@ + inet_ntop, inet_pton + + Conditionally export/import the function definitions, so a + library can have a single copy instead of multiple. + + Upgrade host requirements to include working implementations of these functions, and throw all this away. Pleeease? :-) */ #ifndef FAI_DEFINED #define FAI_DEFINED + +#pragma ident "%Z%%M% %I% %E% SMI" + #include "port-sockets.h" #include "socket-utils.h" +#include "k5-platform.h" +#include "k5-thread.h" + +#include <stdio.h> /* for sprintf */ +#include <errno.h> #ifdef S_SPLINT_S /*@-incondefs@*/ @@ -117,16 +135,15 @@ extern /*@dependent@*/ char *gai_strerror (int code) /*@*/; #if defined (__APPLE__) && defined (__MACH__) -#undef HAVE_GETADDRINFO +#define FAI_CACHE #endif -#if defined (__linux__) || defined (_AIX) +#if (defined (__linux__) && defined(HAVE_GETADDRINFO)) || defined (_AIX) /* See comments below. */ # define WRAP_GETADDRINFO -/* # define WRAP_GETNAMEINFO */ #endif -#ifdef __linux__ +#if defined (__linux__) && defined(HAVE_GETADDRINFO) # define COPY_FIRST_CANONNAME #endif @@ -268,11 +285,10 @@ extern /*@dependent@*/ char *gai_strerror (int code) /*@*/; #define GET_SERV_BY_NAME(NAME, PROTO, SP, ERR) \ { \ struct servent my_s_ent; \ - int my_s_err; \ char my_s_buf[8192]; \ (SP) = getservbyname_r((NAME), (PROTO), &my_s_ent, \ - my_s_buf, sizeof (my_s_buf), &my_s_err); \ - (ERR) = my_s_err; \ + my_s_buf, sizeof (my_s_buf)); \ + (ERR) = (SP) == NULL; \ } #define GET_SERV_BY_PORT(PORT, PROTO, SP, ERR) \ 
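Review bot: The rewritten GET_SERV_BY_NAME leaves `SP` pointing at storage that dies with the macro's own braces, because `my_s_ent` and `my_s_buf` are declared inside the block and `SP` is assigned the return value of `getservbyname_r`, which presumably points into them. The later fake_getaddrinfo hunk now routes its lookup through this macro and then tests `sp`; any read such as `sp->s_port` after that point (outside the visible hunks) would be a use of out-of-scope stack memory. Let the caller own the storage, for example declare `struct servent s_ent; char s_buf[8192];` beside `sp` and pass them into the macro, or copy the port out inside the macro before the block closes. The `#if` branch that this macro variant belongs to starts outside the hunk.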
@@ -288,20 +304,36 @@ extern /*@dependent@*/ char *gai_strerror (int code) /*@*/; #endif #endif -#ifdef WRAP_GETADDRINFO -static int (*const gaiptr) (const char *, const char *, - const struct addrinfo *, - struct addrinfo **) = &getaddrinfo; -static void (*const faiptr) (struct addrinfo *) = &freeaddrinfo; -#endif +#if defined(WRAP_GETADDRINFO) || defined(FAI_CACHE) +static inline int +system_getaddrinfo (const char *name, const char *serv, + const struct addrinfo *hint, + struct addrinfo **res) +{ + return getaddrinfo(name, serv, hint, res); +} -#ifdef WRAP_GETNAMEINFO -static int (*const gniptr) (const struct sockaddr *, socklen_t, - char *, socklen_t, char *, socklen_t, - int) = &getnameinfo; +static inline void +system_freeaddrinfo (struct addrinfo *ai) +{ + freeaddrinfo(ai); +} + +/* Note: Implementations written to RFC 2133 use size_t, while RFC + 2553 implementations use socklen_t, for the second parameter. + + Mac OS X (10.2) and AIX 4.3.3 appear to be in the RFC 2133 camp, + but we don't have an autoconf test for that right now. */ +static inline int +system_getnameinfo (const struct sockaddr *sa, socklen_t salen, + char *host, size_t hostlen, char *serv, size_t servlen, + int flags) +{ + return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags); +} #endif -#if !defined (HAVE_GETADDRINFO) || defined(WRAP_GETADDRINFO) +#if !defined (HAVE_GETADDRINFO) || defined(WRAP_GETADDRINFO) || defined(FAI_CACHE) #undef getaddrinfo #define getaddrinfo my_fake_getaddrinfo @@ -310,13 +342,6 @@ static int (*const gniptr) (const struct sockaddr *, socklen_t, #endif -#if !defined (HAVE_GETADDRINFO) || defined(WRAP_GETNAMEINFO) - -#undef getnameinfo -#define getnameinfo my_fake_getnameinfo - -#endif - #if !defined (HAVE_GETADDRINFO) #undef gai_strerror 
@@ -341,17 +366,18 @@ struct addrinfo { #define AI_CANONNAME 0x02 #undef AI_NUMERICHOST #define AI_NUMERICHOST 0x04 -/* N.B.: AI_V4MAPPED, AI_ADDRCONFIG, AI_ALL, and AI_DEFAULT are part - of the spec for getipnodeby*, and *not* part of the spec for - getaddrinfo. Don't use them! */ +/* RFC 2553 says these are part of the interface for getipnodebyname, + not for getaddrinfo. RFC 3493 says they're part of the interface + for getaddrinfo, and getipnodeby* are deprecated. Our fake + getaddrinfo implementation here does IPv4 only anyways. */ #undef AI_V4MAPPED -#define AI_V4MAPPED eeeevil! +#define AI_V4MAPPED 0 #undef AI_ADDRCONFIG -#define AI_ADDRCONFIG eeeevil! +#define AI_ADDRCONFIG 0 #undef AI_ALL -#define AI_ALL eeeevil! +#define AI_ALL 0 #undef AI_DEFAULT -#define AI_DEFAULT eeeevil! +#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG) #ifndef NI_MAXHOST #define NI_MAXHOST 1025 @@ -400,9 +426,7 @@ struct addrinfo { #if (!defined (HAVE_GETADDRINFO) || defined (WRAP_GETADDRINFO)) && defined(DEBUG_ADDRINFO) /* Some debug routines. */ -static const char *protoname (int p) { - static char buf[30]; - +static const char *protoname (int p, char *buf) { #define X(N) if (p == IPPROTO_ ## N) return #N X(TCP); @@ -422,8 +446,7 @@ static const char *protoname (int p) { return buf; } -static const char *socktypename (int t) { - static char buf[30]; +static const char *socktypename (int t, char *buf) { switch (t) { case SOCK_DGRAM: return "DGRAM"; case SOCK_STREAM: return "STREAM"; @@ -435,8 +458,7 @@ static const char *socktypename (int t) { return buf; } -static const char *familyname (int f) { - static char buf[30]; +static const char *familyname (int f, char *buf) { switch (f) { default: sprintf(buf, "AF %d", f); 
@@ -458,6 +480,7 @@ static void debug_dump_getaddrinfo_args (const char *name, const char *serv, " hints { ", name ? name : "(null)", serv ? serv : "(null)"); if (hint) { + char buf[30]; sep = ""; #define Z(FLAG) if (hint->ai_flags & AI_##FLAG) fprintf(stderr, "%s%s", sep, #FLAG), sep = "|" Z(CANONNAME); @@ -468,11 +491,11 @@ static void debug_dump_getaddrinfo_args (const char *name, const char *serv, if (sep[0] == 0) fprintf(stderr, "no-flags"); if (hint->ai_family) - fprintf(stderr, " %s", familyname(hint->ai_family)); + fprintf(stderr, " %s", familyname(hint->ai_family, buf)); if (hint->ai_socktype) - fprintf(stderr, " SOCK_%s", socktypename(hint->ai_socktype)); + fprintf(stderr, " SOCK_%s", socktypename(hint->ai_socktype, buf)); if (hint->ai_protocol) - fprintf(stderr, " IPPROTO_%s", protoname(hint->ai_protocol)); + fprintf(stderr, " IPPROTO_%s", protoname(hint->ai_protocol, buf)); } else fprintf(stderr, "(null)"); fprintf(stderr, " }):\n"); 
@@ -514,49 +537,52 @@ void freeaddrinfo (struct addrinfo *ai); #endif -#if !defined (HAVE_GETADDRINFO) || defined (WRAP_GETNAMEINFO) -static -int getnameinfo (const struct sockaddr *addr, socklen_t len, - char *host, socklen_t hostlen, - char *service, socklen_t servicelen, - int flags); -#endif - #if !defined (HAVE_GETADDRINFO) #define HAVE_FAKE_GETADDRINFO /* was not originally HAVE_GETADDRINFO */ #define HAVE_GETADDRINFO +#define NEED_FAKE_GETNAMEINFO #undef HAVE_GETNAMEINFO #define HAVE_GETNAMEINFO 1 +#undef getnameinfo +#define getnameinfo my_fake_getnameinfo + static char *gai_strerror (int code); #endif +#if !defined (HAVE_GETADDRINFO) +static +int getnameinfo (const struct sockaddr *addr, socklen_t len, + char *host, socklen_t hostlen, + char *service, socklen_t servicelen, + int flags); +#endif + /* Fudge things on older gai implementations. */ /* AIX 4.3.3 is based on RFC 2133; no AI_NUMERICHOST. */ #ifndef AI_NUMERICHOST # define AI_NUMERICHOST 0 #endif - -#if !defined(inline) -# if !defined(__GNUC__) -# define inline /* nothing, just static */ -# else -# define inline __inline__ -# endif -# define ADDRINFO_UNDEF_INLINE +/* Partial RFC 2553 implementations may not have AI_ADDRCONFIG and + friends, which RFC 3493 says are now part of the getaddrinfo + interface, and we'll want to use. */ +#ifndef AI_ADDRCONFIG +# define AI_ADDRCONFIG 0 #endif - -#if !defined(_XOPEN_SOURCE_EXTENDED) && !defined(HAVE_MACSOCK_H) && !defined(_WIN32) -/* Hack for HPUX, to get h_errno. */ -# define _XOPEN_SOURCE_EXTENDED 1 -# include <netdb.h> -# undef _XOPEN_SOURCE_EXTENDED +#ifndef AI_V4MAPPED +# define AI_V4MAPPED 0 +#endif +#ifndef AI_ALL +# define AI_ALL 0 +#endif +#ifndef AI_DEFAULT +# define AI_DEFAULT (AI_ADDRCONFIG|AI_V4MAPPED) #endif -#ifdef HAVE_FAKE_GETADDRINFO +#if defined(HAVE_FAKE_GETADDRINFO) || defined(FAI_CACHE) #define NEED_FAKE_GETADDRINFO #endif 
@@ -564,6 +590,22 @@ char *gai_strerror (int code); #include <stdlib.h> #endif +struct face { + struct in_addr *addrs4; + struct in6_addr *addrs6; + unsigned int naddrs4, naddrs6; + time_t expiration; + char *canonname, *name; + struct face *next; +}; + +/* fake addrinfo cache */ +struct fac { + k5_mutex_t lock; + struct face *data; +}; +extern struct fac krb5int_fac; + #ifdef NEED_FAKE_GETADDRINFO #include <string.h> /* for strspn */ 
@@ -573,39 +615,233 @@ static inline int fai_add_entry (struct addrinfo **result, void *addr, int port, const struct addrinfo *template) { struct addrinfo *n = malloc (sizeof (struct addrinfo)); - struct sockaddr_in *sin4; if (n == 0) return EAI_MEMORY; - if (template->ai_family != AF_INET) + if (template->ai_family != AF_INET +#ifdef KRB5_USE_INET6 + && template->ai_family != AF_INET6 +#endif + ) return EAI_FAMILY; *n = *template; - sin4 = malloc (sizeof (struct sockaddr_in)); - if (sin4 == 0) - return EAI_MEMORY; - n->ai_addr = (struct sockaddr *) sin4; - sin4->sin_family = AF_INET; - sin4->sin_addr = *(struct in_addr *)addr; - sin4->sin_port = port; + if (template->ai_family == AF_INET) { + struct sockaddr_in *sin4; + sin4 = malloc (sizeof (struct sockaddr_in)); + if (sin4 == 0) + return EAI_MEMORY; + n->ai_addr = (struct sockaddr *) sin4; + sin4->sin_family = AF_INET; + sin4->sin_addr = *(struct in_addr *)addr; + sin4->sin_port = port; +#ifdef HAVE_SA_LEN + sin4->sin_len = sizeof (struct sockaddr_in); +#endif + } +#ifdef KRB5_USE_INET6 + if (template->ai_family == AF_INET6) { + struct sockaddr_in6 *sin6; + sin6 = malloc (sizeof (struct sockaddr_in6)); + if (sin6 == 0) + return EAI_MEMORY; + n->ai_addr = (struct sockaddr *) sin6; + sin6->sin6_family = AF_INET6; + sin6->sin6_addr = *(struct in6_addr *)addr; + sin6->sin6_port = port; #ifdef HAVE_SA_LEN - sin4->sin_len = sizeof (struct sockaddr_in); + sin6->sin6_len = sizeof (struct sockaddr_in6); +#endif + } #endif n->ai_next = *result; *result = n; return 0; } -static inline int fai_add_hosts_by_name (const char *name, int af, +#ifdef FAI_CACHE +/* fake addrinfo cache entries */ +#define CACHE_ENTRY_LIFETIME 15 /* seconds */ + +static void plant_face (const char *name, struct face *entry) +{ + entry->name = strdup(name); + if (entry->name == NULL) + /* @@ Wastes memory. 
*/ + return; + k5_mutex_assert_locked(&krb5int_fac.lock); + entry->next = krb5int_fac.data; + entry->expiration = time(0) + CACHE_ENTRY_LIFETIME; + krb5int_fac.data = entry; +#ifdef DEBUG_ADDRINFO + printf("added cache entry '%s' at %p: %d ipv4, %d ipv6; expire %d\n", + name, entry, entry->naddrs4, entry->naddrs6, entry->expiration); +#endif +} + +static int find_face (const char *name, struct face **entry) +{ + struct face *fp, **fpp; + time_t now = time(0); + + /* First, scan for expired entries and free them. + (Future improvement: Integrate these two loops.) */ +#ifdef DEBUG_ADDRINFO + printf("scanning cache at %d for '%s'...\n", now, name); +#endif + k5_mutex_assert_locked(&krb5int_fac.lock); + for (fpp = &krb5int_fac.data; *fpp; ) { + fp = *fpp; +#ifdef DEBUG_ADDRINFO + printf(" checking expiration time of @%p: %d\n", + fp, fp->expiration); +#endif + if (fp->expiration < now) { +#ifdef DEBUG_ADDRINFO + printf("\texpiring cache entry\n"); +#endif + free(fp->name); + free(fp->canonname); + free(fp->addrs4); + free(fp->addrs6); + *fpp = fp->next; + free(fp); + /* Stay at this point in the list, and check again. */ + } else + /* Move forward. 
*/ + fpp = &(*fpp)->next; + } + + for (fp = krb5int_fac.data; fp; fp = fp->next) { +#ifdef DEBUG_ADDRINFO + printf(" comparing entry @%p\n", fp); +#endif + if (!strcasecmp(fp->name, name)) { +#ifdef DEBUG_ADDRINFO + printf("\tMATCH!\n"); +#endif + *entry = fp; + return 1; + } + } + return 0; +} + +#endif + +extern int krb5int_lock_fac(void), krb5int_unlock_fac(void); + +static inline int fai_add_hosts_by_name (const char *name, struct addrinfo *template, int portnum, int flags, struct addrinfo **result) { +#ifdef FAI_CACHE + + struct face *ce; + int i, r, err; + + err = krb5int_lock_fac(); + if (err) { + errno = err; + return EAI_SYSTEM; + } + if (!find_face(name, &ce)) { + struct addrinfo myhints = { 0 }, *ai, *ai2; + int i4, i6, aierr; + +#ifdef DEBUG_ADDRINFO + printf("looking up new data for '%s'...\n", name); +#endif + myhints.ai_socktype = SOCK_STREAM; + myhints.ai_flags = AI_CANONNAME; + /* Don't set ai_family -- we want to cache all address types, + because the next lookup may not use the same constraints as + the current one. We *could* cache them separately, so that + we never have to look up an IPv6 address if we are always + asked for IPv4 only, but let's deal with that later, if we + have to. 
*/ + aierr = system_getaddrinfo(name, "telnet", &myhints, &ai); + if (aierr) { + krb5int_unlock_fac(); + return aierr; + } + ce = malloc(sizeof(struct face)); + memset(ce, 0, sizeof(*ce)); + ce->expiration = time(0) + 30; + for (ai2 = ai; ai2; ai2 = ai2->ai_next) { +#ifdef DEBUG_ADDRINFO + printf(" found an address in family %d...\n", ai2->ai_family); +#endif + switch (ai2->ai_family) { + case AF_INET: + ce->naddrs4++; + break; + case AF_INET6: + ce->naddrs6++; + break; + default: + break; + } + } + ce->addrs4 = calloc(ce->naddrs4, sizeof(*ce->addrs4)); + if (ce->addrs4 == NULL && ce->naddrs4 != 0) { + krb5int_unlock_fac(); + system_freeaddrinfo(ai); + return EAI_MEMORY; + } + ce->addrs6 = calloc(ce->naddrs6, sizeof(*ce->addrs6)); + if (ce->addrs6 == NULL && ce->naddrs6 != 0) { + krb5int_unlock_fac(); + free(ce->addrs4); + system_freeaddrinfo(ai); + return EAI_MEMORY; + } + for (ai2 = ai, i4 = i6 = 0; ai2; ai2 = ai2->ai_next) { + switch (ai2->ai_family) { + case AF_INET: + ce->addrs4[i4++] = ((struct sockaddr_in *)ai2->ai_addr)->sin_addr; + break; + case AF_INET6: + ce->addrs6[i6++] = ((struct sockaddr_in6 *)ai2->ai_addr)->sin6_addr; + break; + default: + break; + } + } + ce->canonname = ai->ai_canonname ? strdup(ai->ai_canonname) : 0; + system_freeaddrinfo(ai); + plant_face(name, ce); + } + template->ai_family = AF_INET6; + template->ai_addrlen = sizeof(struct sockaddr_in6); + for (i = 0; i < ce->naddrs6; i++) { + r = fai_add_entry (result, &ce->addrs6[i], portnum, template); + if (r) { + krb5int_unlock_fac(); + return r; + } + } + template->ai_family = AF_INET; + template->ai_addrlen = sizeof(struct sockaddr_in); + for (i = 0; i < ce->naddrs4; i++) { + r = fai_add_entry (result, &ce->addrs4[i], portnum, template); + if (r) { + krb5int_unlock_fac(); + return r; + } + } + if (*result && (flags & AI_CANONNAME)) + (*result)->ai_canonname = (ce->canonname + ? 
strdup(ce->canonname) + : NULL); + krb5int_unlock_fac(); + return 0; + +#else + struct hostent *hp; int i, r; int herr; - if (af != AF_INET) - /* For now, real ipv6 support needs real getaddrinfo. */ - return EAI_FAMILY; GET_HOST_BY_NAME (name, hp, herr); if (hp == 0) return translate_h_errno (herr); @@ -617,6 +853,8 @@ static inline int fai_add_hosts_by_name (const char *name, int af, if (*result && (flags & AI_CANONNAME)) (*result)->ai_canonname = strdup (hp->h_name); return 0; + +#endif } static inline void @@ -668,23 +906,15 @@ fake_getaddrinfo (const char *name, const char *serv, port = htons (p); } else { struct servent *sp; - int try_dgram_too = 0; + int try_dgram_too = 0, s_err; + if (socktype == 0) { try_dgram_too = 1; socktype = SOCK_STREAM; } try_service_lookup: -#ifdef HAVE_GETSERVBYNAME_R - { - char my_s_buf[1024]; - struct servent my_s_ent; - sp = getservbyname_r(serv, - socktype == SOCK_STREAM ? "tcp" : "udp", - &my_s_ent, my_s_buf, sizeof(my_s_buf)); - } -#else - sp = getservbyname (serv, socktype == SOCK_STREAM ? "tcp" : "udp"); -#endif + GET_SERV_BY_NAME(serv, socktype == SOCK_STREAM ? "tcp" : "udp", + sp, s_err); if (sp == 0) { if (try_dgram_too) { socktype = SOCK_DGRAM; @@ -726,7 +956,7 @@ fake_getaddrinfo (const char *name, const char *serv, #endif ret = fai_add_entry (&res, &addr4, port, &template); } else { - ret = fai_add_hosts_by_name (name, AF_INET, &template, port, flags, + ret = fai_add_hosts_by_name (name, &template, port, flags, &res); } @@ -740,7 +970,7 @@ fake_getaddrinfo (const char *name, const char *serv, return 0; } -#include <errno.h> +#ifdef NEED_FAKE_GETNAMEINFO static inline int fake_getnameinfo (const struct sockaddr *sa, socklen_t len, char *host, socklen_t hostlen, @@ -829,8 +1059,9 @@ fake_getnameinfo (const struct sockaddr *sa, socklen_t len, return 0; } +#endif -#include <errno.h> +#if defined(HAVE_FAKE_GETADDRINFO) || defined(NEED_FAKE_GETNAMEINFO) static inline char *gai_strerror (int code) 
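Review bot: In the FAI_CACHE branch of fai_add_hosts_by_name, `ce = malloc(sizeof(struct face))` is followed directly by `memset(ce, 0, sizeof(*ce))` with no NULL check, so an allocation failure becomes a NULL write while the cache lock is held. The two calloc failure paths below it unlock and release `ai` but never `free(ce)`, and plant_face returns without linking the entry when `strdup(name)` fails, so that entry is leaked after use. fai_add_entry has the same pattern: every early `return EAI_FAMILY;` / `return EAI_MEMORY;` after `n` is allocated needs a `free(n);` first, and the new sin6 branch adds one more such exit. fai_add_entry's signature starts above the hunk and fai_add_hosts_by_name's body continues into the next hunk.

```c
	ce = malloc(sizeof(struct face));
	if (ce == NULL) {
	    krb5int_unlock_fac();
	    system_freeaddrinfo(ai);
	    return EAI_MEMORY;
	}
	/* … unchanged: memset, address counting loop, calloc of addrs4/addrs6 … */
```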
@@ -850,6 +1081,7 @@ char *gai_strerror (int code) default: return "bogus getaddrinfo error?"; } } +#endif static inline int translate_h_errno (int h) { @@ -878,7 +1110,7 @@ static inline int translate_h_errno (int h) } } -#ifdef HAVE_FAKE_GETADDRINFO +#if defined(HAVE_FAKE_GETADDRINFO) || defined(FAI_CACHE) static inline int getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, struct addrinfo **result) @@ -892,6 +1124,7 @@ void freeaddrinfo (struct addrinfo *ai) fake_freeaddrinfo(ai); } +#ifdef NEED_FAKE_GETNAMEINFO static inline int getnameinfo (const struct sockaddr *sa, socklen_t len, char *host, socklen_t hostlen, @@ -901,6 +1134,7 @@ int getnameinfo (const struct sockaddr *sa, socklen_t len, return fake_getnameinfo(sa, len, host, hostlen, service, servicelen, flags); } +#endif /* NEED_FAKE_GETNAMEINFO */ #endif /* HAVE_FAKE_GETADDRINFO */ #endif /* NEED_FAKE_GETADDRINFO */ @@ -949,7 +1183,7 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, } #endif - aierr = (*gaiptr) (name, serv, hint, result); + aierr = system_getaddrinfo (name, serv, hint, result); if (aierr || *result == 0) { #ifdef DEBUG_ADDRINFO debug_dump_error(aierr); @@ -996,7 +1230,9 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, set, the returned ai_canonname field can be null. The NetBSD 1.5 implementation also does this, if the input hostname is a numeric host address string. That case isn't handled well at - the moment. */ + the moment. + + Libc version 5 didn't have getaddrinfo at all. */ #ifdef COPY_FIRST_CANONNAME /* @@ -1045,7 +1281,7 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, ai->ai_canonname = strdup(name2); if (name2 != 0 && ai->ai_canonname == 0) { - (*faiptr)(ai); + system_freeaddrinfo(ai); *result = 0; #ifdef DEBUG_ADDRINFO debug_dump_error(EAI_MEMORY); 
@@ -1112,27 +1348,18 @@ void freeaddrinfo (struct addrinfo *ai) if (ai) { free(ai->ai_canonname); ai->ai_canonname = 0; - (*faiptr)(ai); + system_freeaddrinfo(ai); } #else - (*faiptr)(ai); + system_freeaddrinfo(ai); #endif } #endif /* WRAP_GETADDRINFO */ -#ifdef WRAP_GETNAMEINFO -static inline -int getnameinfo (const struct sockaddr *sa, socklen_t len, - char *host, socklen_t hostlen, - char *service, socklen_t servicelen, - int flags) -{ - return (*gniptr)(sa, len, host, hostlen, service, servicelen, flags); -} -#endif /* WRAP_GETNAMEINFO */ - #if defined(KRB5_USE_INET6) && defined(NEED_INSIXADDR_ANY) /* If compiling with IPv6 support and C library does not define in6addr_any */ +#undef in6addr_any +#define in6addr_any krb5int_in6addr_any static const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT; #endif diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/foreachaddr.h b/usr/src/lib/gss_mechs/mech_krb5/include/foreachaddr.h new file mode 100644 index 0000000000..bbccc61d05 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/include/foreachaddr.h 
@@ -0,0 +1,66 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * include/foreachaddr.c + * + * Copyright 1990,1991,2000,2001,2002,2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Iterate over the protocol addresses supported by this host, invoking + * a callback function or three supplied by the caller. + * + * XNS support is untested, but "should just work". (Hah!) + */ + +/* This function iterates over all the addresses it can find for the + local system, in one or two passes. In each pass, and between the + two, it can invoke callback functions supplied by the caller. The + two passes should operate on the same information, though not + necessarily in the same order each time. Duplicate and local + addresses should be eliminated. 
Storage passed to callback + functions should not be assumed to be valid after foreach_localaddr + returns. + + The int return value is an errno value (XXX or krb5_error_code + returned for a socket error) if something internal to + foreach_localaddr fails. If one of the callback functions wants to + indicate an error, it should store something via the 'data' handle. + If any callback function returns a non-zero value, + foreach_localaddr will clean up and return immediately. + + Multiple definitions are provided below, dependent on various + system facilities for extracting the necessary information. */ + +extern int +krb5int_foreach_localaddr (/*@null@*/ void *data, + int (*pass1fn) (/*@null@*/ void *, + struct sockaddr *) /*@*/, + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, + struct sockaddr *) /*@*/) +#if defined(DEBUG) || defined(TEST) + /*@modifies fileSystem@*/ +#endif + ; + +#define foreach_localaddr krb5int_foreach_localaddr diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/krb5/adm_proto.h b/usr/src/lib/gss_mechs/mech_krb5/include/krb5/adm_proto.h index 2bb794579a..202341a63e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/krb5/adm_proto.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/krb5/adm_proto.h @@ -57,8 +57,8 @@ typedef struct ___krb5_key_salt_tuple krb5_key_salt_tuple; */ /* adm_conn.c */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_adm_connect - KRB5_PROTOTYPE((krb5_context, +krb5_error_code KRB5_CALLCONV krb5_adm_connect + (krb5_context, char *, char *, char *, 
@@ -66,154 +66,154 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_adm_connect krb5_auth_context *, krb5_ccache *, char *, - krb5_timestamp)); -KRB5_DLLIMP void KRB5_CALLCONV krb5_adm_disconnect - KRB5_PROTOTYPE((krb5_context, + krb5_timestamp); + void KRB5_CALLCONV krb5_adm_disconnect + (krb5_context, int *, krb5_auth_context, - krb5_ccache)); + krb5_ccache); #if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) /* adm_kw_dec.c */ krb5_error_code krb5_adm_proto_to_dbent - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_int32, krb5_data *, krb5_ui_4 *, krb5_db_entry *, - char **)); + char **); /* adm_kw_enc.c */ krb5_error_code krb5_adm_dbent_to_proto - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_ui_4, krb5_db_entry *, char *, krb5_int32 *, - krb5_data **)); + krb5_data **); #endif /* !(windows or macintosh) */ /* adm_kt_dec.c */ krb5_error_code krb5_adm_proto_to_ktent - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_int32, krb5_data *, - krb5_keytab_entry *)); + krb5_keytab_entry *); /* adm_kt_enc.c */ krb5_error_code krb5_adm_ktent_to_proto - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab_entry *, krb5_int32 *, - krb5_data **)); + krb5_data **); /* adm_rw.c */ -KRB5_DLLIMP void KRB5_CALLCONV krb5_free_adm_data - KRB5_PROTOTYPE((krb5_context, +void KRB5_CALLCONV krb5_free_adm_data + (krb5_context, krb5_int32, - krb5_data *)); + krb5_data *); -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_send_adm_cmd - KRB5_PROTOTYPE((krb5_context, +krb5_error_code KRB5_CALLCONV krb5_send_adm_cmd + (krb5_context, krb5_pointer, krb5_auth_context, krb5_int32, - krb5_data *)); + krb5_data *); krb5_error_code krb5_send_adm_reply - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_pointer, krb5_auth_context, krb5_int32, krb5_int32, - krb5_data *)); + krb5_data *); krb5_error_code krb5_read_adm_cmd - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_pointer, krb5_auth_context, krb5_int32 *, - krb5_data **)); -KRB5_DLLIMP krb5_error_code 
KRB5_CALLCONV krb5_read_adm_reply - KRB5_PROTOTYPE((krb5_context, + krb5_data **); +krb5_error_code KRB5_CALLCONV krb5_read_adm_reply + (krb5_context, krb5_pointer, krb5_auth_context, krb5_int32 *, krb5_int32 *, - krb5_data **)); + krb5_data **); /* logger.c */ krb5_error_code krb5_klog_init - KRB5_PROTOTYPE((krb5_context, + (krb5_context, char *, char *, - krb5_boolean)); -void krb5_klog_close KRB5_PROTOTYPE((krb5_context)); -int krb5_klog_syslog KRB5_PROTOTYPE((int, const char *, ...)); -void krb5_klog_reopen KRB5_PROTOTYPE((krb5_context)); + krb5_boolean); +void krb5_klog_close (krb5_context); +int krb5_klog_syslog (int, const char *, ...); +void krb5_klog_reopen (krb5_context); /* alt_prof.c */ krb5_error_code krb5_aprof_init - KRB5_PROTOTYPE((char *, char *, krb5_pointer *)); + (char *, char *, krb5_pointer *); krb5_error_code krb5_aprof_getvals - KRB5_PROTOTYPE((krb5_pointer, const char **, char ***)); + (krb5_pointer, const char **, char ***); krb5_error_code krb5_aprof_get_deltat - KRB5_PROTOTYPE((krb5_pointer, + (krb5_pointer, const char **, krb5_boolean, - krb5_deltat *)); + krb5_deltat *); krb5_error_code krb5_aprof_get_string - KRB5_PROTOTYPE((krb5_pointer, const char **, krb5_boolean, char **)); + (krb5_pointer, const char **, krb5_boolean, char **); krb5_error_code krb5_aprof_get_int32 - KRB5_PROTOTYPE((krb5_pointer, + (krb5_pointer, const char **, krb5_boolean, - krb5_int32 *)); -krb5_error_code krb5_aprof_finish KRB5_PROTOTYPE((krb5_pointer)); + krb5_int32 *); +krb5_error_code krb5_aprof_finish (krb5_pointer); -krb5_error_code krb5_read_realm_params KRB5_PROTOTYPE((krb5_context, +krb5_error_code krb5_read_realm_params (krb5_context, char *, char *, char *, - krb5_realm_params **)); -krb5_error_code krb5_free_realm_params KRB5_PROTOTYPE((krb5_context, - krb5_realm_params *)); + krb5_realm_params **); +krb5_error_code krb5_free_realm_params (krb5_context, + krb5_realm_params *); /* str_conv.c */ krb5_error_code -krb5_string_to_flags 
KRB5_PROTOTYPE((char *, +krb5_string_to_flags (char *, const char *, const char *, - krb5_flags *)); + krb5_flags *); krb5_error_code -krb5_flags_to_string KRB5_PROTOTYPE((krb5_flags, +krb5_flags_to_string (krb5_flags, const char *, char *, - size_t)); + size_t); krb5_error_code -krb5_input_flag_to_string KRB5_PROTOTYPE((int, +krb5_input_flag_to_string (int, char *, - size_t)); + size_t); /* keysalt.c */ krb5_boolean -krb5_keysalt_is_present KRB5_PROTOTYPE((krb5_key_salt_tuple *, +krb5_keysalt_is_present (krb5_key_salt_tuple *, krb5_int32, krb5_enctype, - krb5_int32)); + krb5_int32); krb5_error_code krb5_keysalt_iterate - KRB5_PROTOTYPE((krb5_key_salt_tuple *, + (krb5_key_salt_tuple *, krb5_int32, krb5_boolean, krb5_error_code (*) - KRB5_NPROTOTYPE((krb5_key_salt_tuple *, - krb5_pointer)), - krb5_pointer)); + (krb5_key_salt_tuple *, + krb5_pointer), + krb5_pointer); krb5_error_code -krb5_string_to_keysalts KRB5_PROTOTYPE((char *, +krb5_string_to_keysalts (char *, const char *, const char *, krb5_boolean, krb5_key_salt_tuple **, - krb5_int32 *)); + krb5_int32 *); #endif /* KRB5_ADM_PROTO_H__ */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h b/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h index b487ca6d2e..333fb541b0 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/krb5/kdb.h @@ -1,4 +1,8 @@ -#pragma ident "%Z%%M% %I% %E% SMI" +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + /* * include/krb5/kdb.h * @@ -57,6 +61,8 @@ #ifndef KRB5_KDB5__ #define KRB5_KDB5__ +#pragma ident "%Z%%M% %I% %E% SMI" + /* Salt types */ #define KRB5_KDB_SALTTYPE_NORMAL 0 #define KRB5_KDB_SALTTYPE_V4 1 
@@ -85,7 +91,7 @@ #define KRB5_KDB_CREATE_BTREE 0x00000001 #define KRB5_KDB_CREATE_HASH 0x00000002 -#if !defined(macintosh) && !defined(_MSDOS) && !defined(_WIN32) +#if !defined(_WIN32) /* * Note --- these structures cannot be modified without changing the @@ -95,7 +101,7 @@ typedef struct _krb5_tl_data { struct _krb5_tl_data* tl_data_next; /* NOT saved */ krb5_int16 tl_data_type; - krb5_int16 tl_data_length; + krb5_ui_2 tl_data_length; krb5_octet * tl_data_contents; } krb5_tl_data; @@ -109,6 +115,14 @@ typedef struct _krb5_key_data { krb5_int16 key_data_ver; /* Version */ krb5_int16 key_data_kvno; /* Key Version */ krb5_int16 key_data_type[2]; /* Array of types */ +#if 0 + /* + * SUNW14resync (mech) + * This has changed in the mech so we change it here also + * prior to the admin resync. + */ + krb5_ui_2 key_data_length[2]; Array of lengths +#endif krb5_int16 key_data_length[2]; /* Array of lengths */ krb5_octet * key_data_contents[2]; /* Array of pointers */ } krb5_key_data; @@ -122,7 +136,7 @@ typedef struct _krb5_keysalt { typedef struct _krb5_db_entry_new { krb5_magic magic; /* NOT saved */ - krb5_int16 len; + krb5_ui_2 len; krb5_flags attributes; krb5_deltat max_life; krb5_deltat max_renewable_life; @@ -133,7 +147,7 @@ typedef struct _krb5_db_entry_new { krb5_kvno fail_auth_count; /* # of failed passwd attempt */ krb5_int16 n_tl_data; krb5_int16 n_key_data; - krb5_int16 e_length; /* Length of extra data */ + krb5_ui_2 e_length; /* Length of extra data */ krb5_octet * e_data; /* Extra data to be saved */ krb5_principal princ; /* Length, data */ 
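Review bot: In the `_krb5_key_data` hunk the added comment says the field "has changed in the mech so we change it here also", but the `krb5_ui_2 key_data_length[2]` line sits inside `#if 0` and the active declaration remains `krb5_int16 key_data_length[2]`. This leaves key lengths signed while `tl_data_length`, `len` and `e_length` in the neighbouring hunks become `krb5_ui_2`, so a stored length above 32767 reads back negative here only. The consumers are outside this diff, so any place that passes the value to an allocation or copy should be checked for a negative-length guard. The comment should state what the code actually does, for example `/* SUNW14resync: MIT 1.4 declares this krb5_ui_2; kept krb5_int16 until the admin resync, so reject negative lengths. */`. The disabled line's trailing `Array of lengths` has also lost its comment delimiters and would not compile if the block were enabled.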
@@ -163,8 +177,8 @@ typedef struct _krb5_db_entry_new { #define KRB5_KDB_M_NAME "K/M" /* Kerberos/Master */ /* prompts used by default when reading the KDC password from the keyboard. */ -#define KRB5_KDC_MKEY_1 "Enter KDC database master key:" -#define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify:" +#define KRB5_KDC_MKEY_1 "Enter KDC database master key" +#define KRB5_KDC_MKEY_2 "Re-enter KDC database master key to verify" extern char *krb5_mkey_pwd_prompt1; extern char *krb5_mkey_pwd_prompt2; 
@@ -196,291 +210,140 @@ extern char *krb5_mkey_pwd_prompt2; } /* libkdb.spec */ -krb5_error_code krb5_db_set_name - KRB5_PROTOTYPE((krb5_context, - char * )); -krb5_error_code krb5_db_init - KRB5_PROTOTYPE((krb5_context)); -krb5_error_code krb5_db_fini - KRB5_PROTOTYPE((krb5_context)); -krb5_error_code krb5_db_get_age - KRB5_PROTOTYPE((krb5_context, - char *, - time_t * )); -krb5_error_code krb5_db_create - KRB5_PROTOTYPE((krb5_context, - char *, - krb5_int32 )); -krb5_error_code krb5_db_rename - KRB5_PROTOTYPE((krb5_context, - char *, - char * )); -krb5_error_code krb5_db_get_principal - KRB5_PROTOTYPE((krb5_context, - krb5_const_principal , - krb5_db_entry *, - int *, - krb5_boolean * )); -void krb5_db_free_principal - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - int )); -krb5_error_code krb5_db_put_principal - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - int * )); -krb5_error_code krb5_db_delete_principal - KRB5_PROTOTYPE((krb5_context, - krb5_const_principal, - int * )); -krb5_error_code krb5_db_iterate - KRB5_PROTOTYPE((krb5_context, - krb5_error_code (* ) KRB5_PROTOTYPE((krb5_pointer, - krb5_db_entry *)), - krb5_pointer )); -krb5_error_code krb5_db_verify_master_key - KRB5_PROTOTYPE((krb5_context, - krb5_principal, - krb5_keyblock *)); -krb5_error_code krb5_db_store_mkey - KRB5_PROTOTYPE((krb5_context, - char *, - krb5_principal, - krb5_keyblock *)); - -krb5_error_code krb5_db_setup_mkey_name - KRB5_PROTOTYPE((krb5_context, - const char *, - const char *, - char **, - krb5_principal *)); - -krb5_error_code krb5_db_set_mkey - KRB5_PROTOTYPE((krb5_context, krb5_keyblock *)); - -krb5_error_code krb5_db_get_mkey - KRB5_PROTOTYPE((krb5_context, krb5_keyblock **)); -krb5_error_code krb5_db_destroy - KRB5_PROTOTYPE((krb5_context, - char * )); -krb5_error_code krb5_db_lock - KRB5_PROTOTYPE((krb5_context, - int )); -krb5_error_code krb5_db_unlock - KRB5_PROTOTYPE((krb5_context)); -krb5_error_code krb5_db_set_nonblocking - KRB5_PROTOTYPE((krb5_context, - 
krb5_boolean, - krb5_boolean * )); -krb5_boolean krb5_db_set_lockmode - KRB5_PROTOTYPE((krb5_context, - krb5_boolean)); -krb5_error_code krb5_db_fetch_mkey - KRB5_PROTOTYPE((krb5_context, - krb5_principal, - krb5_enctype, - krb5_boolean, - krb5_boolean, - char *, - krb5_data *, - krb5_keyblock * )); - -krb5_error_code krb5_db_open_database - KRB5_PROTOTYPE((krb5_context)); -krb5_error_code krb5_db_close_database - KRB5_PROTOTYPE((krb5_context)); - -krb5_error_code krb5_dbekd_encrypt_key_data - KRB5_PROTOTYPE((krb5_context, - const krb5_keyblock *, - const krb5_keyblock *, - const krb5_keysalt *, - int, - krb5_key_data *)); -krb5_error_code krb5_dbekd_decrypt_key_data - KRB5_PROTOTYPE((krb5_context, - const krb5_keyblock *, - const krb5_key_data *, - krb5_keyblock *, - krb5_keysalt *)); -krb5_error_code krb5_dbe_create_key_data - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *)); -krb5_error_code krb5_dbe_update_tl_data - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_tl_data *)); -krb5_error_code krb5_dbe_lookup_tl_data - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_tl_data *)); -krb5_error_code krb5_dbe_update_last_pwd_change - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_timestamp)); -krb5_error_code krb5_dbe_lookup_last_pwd_change - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_timestamp *)); -krb5_error_code krb5_dbe_update_mod_princ_data - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_timestamp, - krb5_const_principal)); -krb5_error_code krb5_dbe_lookup_mod_princ_data - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_timestamp *, - krb5_principal *)); -int krb5_encode_princ_dbkey - KRB5_PROTOTYPE((krb5_context, - krb5_data *, - krb5_const_principal)); -void krb5_free_princ_dbkey - KRB5_PROTOTYPE((krb5_context, - krb5_data *)); -krb5_error_code krb5_encode_princ_contents - KRB5_PROTOTYPE((krb5_context, - krb5_data *, - krb5_db_entry *)); -void krb5_free_princ_contents - KRB5_PROTOTYPE((krb5_context, - 
krb5_data *)); -krb5_error_code krb5_decode_princ_contents - KRB5_PROTOTYPE((krb5_context, - krb5_data *, - krb5_db_entry *)); -void krb5_dbe_free_contents - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *)); - -krb5_error_code krb5_dbe_find_enctype - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_int32, - krb5_int32, - krb5_int32, - krb5_key_data **)); - -krb5_error_code krb5_dbe_search_enctype - KRB5_PROTOTYPE((krb5_context, - krb5_db_entry *, - krb5_int32 *, - krb5_int32, - krb5_int32, - krb5_int32, - krb5_key_data **)); +krb5_error_code krb5_db_set_name (krb5_context, char * ); +krb5_error_code krb5_db_init (krb5_context); +krb5_error_code krb5_db_fini (krb5_context); +krb5_error_code krb5_db_get_age (krb5_context, char *, time_t * ); +krb5_error_code krb5_db_create (krb5_context, char *, krb5_int32 ); +krb5_error_code krb5_db_rename (krb5_context, char *, char * ); +krb5_error_code krb5_db_get_principal (krb5_context, krb5_const_principal , + krb5_db_entry *, int *, + krb5_boolean * ); +void krb5_db_free_principal (krb5_context, krb5_db_entry *, int ); +krb5_error_code krb5_db_put_principal (krb5_context, krb5_db_entry *, int * ); +krb5_error_code krb5_db_delete_principal (krb5_context, krb5_const_principal, + int * ); +krb5_error_code krb5_db_iterate (krb5_context, + krb5_error_code (* ) (krb5_pointer, + krb5_db_entry *), + krb5_pointer); +krb5_error_code krb5_db_iterate_ext (krb5_context, + krb5_error_code (* ) (krb5_pointer, + krb5_db_entry *), + krb5_pointer, int, int); +krb5_error_code krb5_db_verify_master_key (krb5_context, krb5_principal, + krb5_keyblock *); +krb5_error_code krb5_db_store_mkey (krb5_context, char *, krb5_principal, + krb5_keyblock *); + +krb5_error_code krb5_db_setup_mkey_name (krb5_context, const char *, + const char *, char **, + krb5_principal *); + +krb5_error_code krb5_db_set_mkey (krb5_context, krb5_keyblock *); + +krb5_error_code krb5_db_get_mkey (krb5_context, krb5_keyblock **); +krb5_error_code krb5_db_destroy 
(krb5_context, char * ); +krb5_error_code krb5_db_lock (krb5_context, int ); +krb5_error_code krb5_db_unlock (krb5_context); +krb5_error_code krb5_db_set_nonblocking (krb5_context, krb5_boolean, + krb5_boolean * ); +krb5_boolean krb5_db_set_lockmode (krb5_context, krb5_boolean); +krb5_error_code krb5_db_fetch_mkey (krb5_context, krb5_principal, krb5_enctype, + krb5_boolean, krb5_boolean, char *, + krb5_data *, + krb5_keyblock * ); + +krb5_error_code krb5_db_open_database (krb5_context); +krb5_error_code krb5_db_close_database (krb5_context); + +krb5_error_code krb5_dbekd_encrypt_key_data (krb5_context, + const krb5_keyblock *, + const krb5_keyblock *, + const krb5_keysalt *, + int, + krb5_key_data *); +krb5_error_code krb5_dbekd_decrypt_key_data (krb5_context, + const krb5_keyblock *, + const krb5_key_data *, + krb5_keyblock *, + krb5_keysalt *); +krb5_error_code krb5_dbe_create_key_data (krb5_context, + krb5_db_entry *); +krb5_error_code krb5_dbe_update_tl_data (krb5_context, + krb5_db_entry *, + krb5_tl_data *); +krb5_error_code krb5_dbe_lookup_tl_data (krb5_context, + krb5_db_entry *, + krb5_tl_data *); +krb5_error_code krb5_dbe_update_last_pwd_change (krb5_context, + krb5_db_entry *, + krb5_timestamp); +krb5_error_code krb5_dbe_lookup_last_pwd_change (krb5_context, + krb5_db_entry *, + krb5_timestamp *); +krb5_error_code krb5_dbe_update_mod_princ_data (krb5_context, + krb5_db_entry *, + krb5_timestamp, + krb5_const_principal); +krb5_error_code krb5_dbe_lookup_mod_princ_data (krb5_context, + krb5_db_entry *, + krb5_timestamp *, + krb5_principal *); +int krb5_encode_princ_dbkey (krb5_context, krb5_data *, krb5_const_principal); +void krb5_free_princ_dbkey (krb5_context, krb5_data *); +krb5_error_code krb5_encode_princ_contents (krb5_context, krb5_data *, + krb5_db_entry *); +void krb5_free_princ_contents (krb5_context, krb5_data *); +krb5_error_code krb5_decode_princ_contents (krb5_context, krb5_data *, + krb5_db_entry *); +void krb5_dbe_free_contents 
(krb5_context, krb5_db_entry *); + +krb5_error_code krb5_dbe_find_enctype (krb5_context, krb5_db_entry *, + krb5_int32, + krb5_int32, + krb5_int32, + krb5_key_data **); + +krb5_error_code krb5_dbe_search_enctype (krb5_context, + krb5_db_entry *, + krb5_int32 *, + krb5_int32, + krb5_int32, + krb5_int32, + krb5_key_data **); struct __krb5_key_salt_tuple; -krb5_error_code krb5_dbe_cpw - KRB5_PROTOTYPE((krb5_context, - krb5_keyblock *, - struct __krb5_key_salt_tuple *, - int, - char *, - int, - krb5_boolean, - krb5_db_entry *)); -krb5_error_code krb5_dbe_apw - KRB5_PROTOTYPE((krb5_context, - krb5_keyblock *, - struct __krb5_key_salt_tuple *, - int, - char *, - krb5_db_entry *)); -krb5_error_code krb5_dbe_crk - KRB5_PROTOTYPE((krb5_context, - krb5_keyblock *, - struct __krb5_key_salt_tuple *, - int, - krb5_boolean, - krb5_db_entry *)); -krb5_error_code krb5_dbe_ark - KRB5_PROTOTYPE((krb5_context, - krb5_keyblock *, - struct __krb5_key_salt_tuple *, - int, - krb5_db_entry *)); - -krb5_error_code krb5_ser_db_context_init KRB5_PROTOTYPE((krb5_context)); +krb5_error_code krb5_dbe_cpw (krb5_context, + krb5_keyblock *, + struct __krb5_key_salt_tuple *, + int, + char *, + int, + krb5_boolean, + krb5_db_entry *); +krb5_error_code krb5_dbe_apw (krb5_context, + krb5_keyblock *, + struct __krb5_key_salt_tuple *, + int, + char *, + krb5_db_entry *); +krb5_error_code krb5_dbe_crk (krb5_context, + krb5_keyblock *, + struct __krb5_key_salt_tuple *, + int, + krb5_boolean, + krb5_db_entry *); +krb5_error_code krb5_dbe_ark (krb5_context, + krb5_keyblock *, + struct __krb5_key_salt_tuple *, + int, + krb5_db_entry *); + +krb5_error_code krb5_ser_db_context_init (krb5_context); #define KRB5_KDB_DEF_FLAGS 0 -#ifdef KRB5_OLD_AND_KRUFTY -/* this is the same structure as krb5_keyblock, but with a different name to - enable compile-time catching of programmer confusion between encrypted & - decrypted keys in the database */ - -typedef struct _krb5_encrypted_keyblock { - krb5_magic magic; - short 
enctype; /* XXX this is SO ugly --- proven */ - int length; - krb5_octet *contents; -} krb5_encrypted_keyblock; - -typedef struct _krb5_db_entry { - krb5_magic magic; - krb5_principal principal; - krb5_encrypted_keyblock key; - krb5_kvno kvno; - krb5_deltat max_life; - krb5_deltat max_renewable_life; - krb5_kvno mkvno; /* master encryption key vno */ - - krb5_timestamp expiration; /* This is when the client expires */ - krb5_timestamp pw_expiration; /* This is when its password does */ - krb5_timestamp last_pwd_change; /* Last time of password change */ - krb5_timestamp last_success; /* Last successful password */ - - krb5_timestamp last_failed; /* Last failed password attempt */ - krb5_kvno fail_auth_count; /* # of failed password attempts */ - - krb5_principal mod_name; - krb5_timestamp mod_date; - krb5_flags attributes; - krb5_int32 salt_type:8, - salt_length:24; - krb5_octet *salt; - krb5_encrypted_keyblock alt_key; - krb5_int32 alt_salt_type:8, - alt_salt_length:24; - krb5_octet *alt_salt; - - krb5_int32 expansion[8]; -} krb5_db_entry_OLD; - -#endif /* OLD_AND_KRUFTY */ - -/* This is now a structure that is private to the database backend. */ -#ifdef notdef -#ifdef KDB5_DISPATCH -/* - * Database operation dispatch table. This table determines the procedures - * to be used to access the KDC database. Replacement of this structure is - * not supported. 
- */ -typedef struct _kdb5_dispatch_table { - char * kdb5_db_mech_name; - char * kdb5_db_index_ext; - char * kdb5_db_data_ext; - char * kdb5_db_lock_ext; - DBM * (*kdb5_dbm_open) KRB5_NPROTOTYPE((const char *, int, int)); - void (*kdb5_dbm_close) KRB5_NPROTOTYPE((DBM *)); - datum (*kdb5_dbm_fetch) KRB5_NPROTOTYPE((DBM *, datum)); - datum (*kdb5_dbm_firstkey) KRB5_NPROTOTYPE((DBM *)); - datum (*kdb5_dbm_nextkey) KRB5_NPROTOTYPE((DBM *)); - int (*kdb5_dbm_delete) KRB5_NPROTOTYPE((DBM *, datum)); - int (*kdb5_dbm_store) KRB5_NPROTOTYPE((DBM *, datum, datum, int)); - int (*kdb5_dbm_dirfno) KRB5_NPROTOTYPE((DBM *)); - int (*kdb5_dbm_pagfno) KRB5_NPROTOTYPE((DBM *)); -} kdb5_dispatch_table; - -krb5_error_code kdb5_db_set_dbops KRB5_PROTOTYPE((krb5_context, - kdb5_dispatch_table *)); -#else -typedef struct _kdb5_dispatch_table kdb5_dispatch_table; -#endif /* KDB5_DISPATCH */ -#endif /* notdef */ -#endif /* !defined(macintosh) && !defined(_MSDOS) &&!defined(_WIN32) */ +#endif /* !defined(_WIN32) */ #endif /* KRB5_KDB5__ */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/krb5_libinit.h b/usr/src/lib/gss_mechs/mech_krb5/include/krb5_libinit.h new file mode 100755 index 0000000000..120712df48 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/include/krb5_libinit.h @@ -0,0 +1,11 @@ +#ifndef KRB5_LIBINIT_H +#define KRB5_LIBINIT_H + +#pragma ident "%Z%%M% %I% %E% SMI" + +#include "krb5.h" + +krb5_error_code krb5int_initialize_library (void); +void krb5int_cleanup_library (void); + +#endif /* KRB5_LIBINIT_H */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/osconf.h b/usr/src/lib/gss_mechs/mech_krb5/include/osconf.h index 601713bbd6..77a56a3055 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/osconf.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/osconf.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
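Review bot: The one new declaration in this otherwise mechanical `KRB5_PROTOTYPE` removal, `krb5_db_iterate_ext`, ends in two unnamed `int` parameters with no comment, so a caller cannot tell from the header what they select or which order they take. Naming them in the prototype, or adding a one-line comment above it, would prevent swapped arguments, which the compiler cannot catch for two `int`s. Their meaning is not recoverable from this diff, so the wording has to come from the implementation.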
@@ -45,7 +45,8 @@ extern "C" { #include "autoconf.h" #endif -#define DEFAULT_PROFILE_PATH "/etc/krb5/krb5.conf" +#define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5/krb5.conf" +#define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH #define DEFAULT_KEYTAB_NAME "FILE:/etc/krb5/krb5.keytab" #define DEFAULT_KEYTAB "WRFILE:/etc/krb5/krb5.keytab" @@ -58,7 +59,12 @@ extern "C" { #define DEFAULT_KDC_PROFILE "/etc/krb5/kdc.conf" #define KDC_PROFILE_ENV "KRB5_KDC_PROFILE" -#define DEFAULT_KDC_ENCTYPE ENCTYPE_DES_CBC_CRC +/* + * SUNW14resync + * MIT 1.4 has changed to ENCTYPE_DES3_CBC_SHA1 but we stick with the old one + * for backward compat. + */ +#define DEFAULT_KDC_ENCTYPE ENCTYPE_DES_CBC_CRC #define KDCRCACHE "dfl:krb5kdc_rcache" #define KDC_PORTNAME "kerberos" /* for /etc/services or equiv. */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/port-sockets.h b/usr/src/lib/gss_mechs/mech_krb5/include/port-sockets.h index 1ee435cd0b..02b39d4e33 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/port-sockets.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/port-sockets.h @@ -72,16 +72,17 @@ typedef WSABUF sg_buf; /* If this source file requires it, define struct sockaddr_in (and possibly other things related to network I/O). */ -#ifdef HAVE_MACSOCK_H /* Sockets stuff differs on Mac */ -#include "macsock.h" /* Macintosh sockets emulation library */ -#else /* ! HAVE_MACSOCK_H */ /* Sockets stuff for Unix machines */ - #include "autoconf.h" #include <sys/types.h> #include <netinet/in.h> /* For struct sockaddr_in and in_addr */ #include <arpa/inet.h> /* For inet_ntoa */ -#include <netdb.h> /* For struct hostent, gethostbyname, etc */ +#include <netdb.h> + +#ifndef HAVE_NETDB_H_H_ERRNO +extern int h_errno; /* In case it's missing, e.g., HP-UX 10.20. */ +#endif + #include <sys/param.h> /* For MAXHOSTNAMELEN */ #include <sys/socket.h> /* For SOCK_*, AF_*, etc */ #include <sys/time.h> /* For struct timeval */ 
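Review bot: The new comment on `DEFAULT_KDC_ENCTYPE` in `osconf.h` records that `ENCTYPE_DES_CBC_CRC` is kept for backward compatibility, but not that this is the weaker of the two choices, single DES with a CRC checksum. A reader could take the default as a recommendation. I would extend the comment to say so and point to where a deployment selects a stronger type, e.g. `/* Weaker than the MIT 1.4 default; kept only so existing databases keep working. Override in kdc.conf for new realms. */`. The override location is an assumption here (MIT's layout uses `master_key_type`) and should be confirmed against this tree before it goes into the comment.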
@@ -89,7 +90,6 @@ typedef WSABUF sg_buf; #ifdef HAVE_SYS_UIO_H #include <sys/uio.h> /* For struct iovec, for sg_buf */ #endif - #ifdef HAVE_SYS_FILIO_H #include <sys/filio.h> /* For FIONBIO on Solaris. */ #endif @@ -160,19 +160,17 @@ typedef struct iovec sg_buf; #define inet_ntop(AF,SRC,DST,CNT) \ ((AF) == AF_INET \ ? ((CNT) < 16 \ - ? (SOCKET_SET_ERRNO(ENOSPC), NULL) \ + ? (SOCKET_SET_ERRNO(ENOSPC), (const char *)NULL) \ : (sprintf((DST), "%d.%d.%d.%d", \ ((const unsigned char *)(const void *)(SRC))[0] & 0xff, \ ((const unsigned char *)(const void *)(SRC))[1] & 0xff, \ ((const unsigned char *)(const void *)(SRC))[2] & 0xff, \ ((const unsigned char *)(const void *)(SRC))[3] & 0xff), \ (DST))) \ - : (SOCKET_SET_ERRNO(EAFNOSUPPORT), NULL)) + : (SOCKET_SET_ERRNO(EAFNOSUPPORT), (const char *)NULL)) #define HAVE_INET_NTOP #endif -#endif /* HAVE_MACSOCK_H */ - #endif /* _WIN32 */ #if !defined(_WIN32) diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/profile.h b/usr/src/lib/gss_mechs/mech_krb5/include/profile.h index c97e7f6874..1aabcc8b8b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/profile.h +++ b/usr/src/lib/gss_mechs/mech_krb5/include/profile.h 
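Review bot: In the fallback `inet_ntop` macro, the unbounded `sprintf` into `DST` is safe only because of the `(CNT) < 16` test above it, and that 16 is an unexplained literal. The macro also expands `SRC` four times and `DST` twice, so an argument with side effects would be evaluated repeatedly. The hunk only adds the `(const char *)NULL` casts, but since it touches the macro I would add a comment above the `#define`, such as `/* 16 = strlen("255.255.255.255") + 1; SRC and DST are evaluated more than once */`, so the guard and the format string are kept in step by whoever edits either. The conditional that enables this fallback begins outside the hunk.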
@@ -1,36 +1,38 @@ /* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + +/* * profile.h */ #ifndef _KRB5_PROFILE_H #define _KRB5_PROFILE_H -#pragma ident "%Z%%M% %I% %E% SMI" +/* SUNW14resync */ +#include "../profile/prof_err.h" -#if defined(_MSDOS) || defined(_WIN32) || defined(MACINTOSH) +#if defined(_WIN32) #include <win-mac.h> #endif +#if defined(__MACH__) && defined(__APPLE__) +# include <TargetConditionals.h> +# if TARGET_RT_MAC_CFM +# error "Use KfM 4.0 SDK headers for CFM compilation." +# endif +#endif + #ifndef KRB5_CALLCONV #define KRB5_CALLCONV #define KRB5_CALLCONV_C -#define KRB5_DLLIMP -#define GSS_DLLIMP -#define KRB5_EXPORTVAR -#define FAR -#define NEAR #endif typedef struct _profile_t *profile_t; -#if !defined(PROTOTYPE) -#if defined(__STDC__) || defined(__cplusplus) || defined(_MSDOS) || defined(_WIN32) -#define PROTOTYPE(x) x -#else -#define PROTOTYPE(x) () -#endif -#endif - /* * Used by the profile iterator in prof_get.c */ 
@@ -38,149 +40,96 @@ typedef struct _profile_t *profile_t; #define PROFILE_ITER_SECTIONS_ONLY 0x0002 #define PROFILE_ITER_RELATIONS_ONLY 0x0004 -/* Macintoh CFM-68K magic incantation */ -#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__) -#pragma import on -#endif - #ifdef __cplusplus extern "C" { #endif /* __cplusplus */ -/* On everything but MacOS, we use file paths as unique file identifiers */ -#ifndef macintosh -#define PROFILE_USES_PATHS -/* - * Solaris: This is to let prof_file.c know that Solaris is - * not a substandard OS - */ -#define HAVE_ACCESS -#endif - -#ifdef PROFILE_USES_PATHS typedef char* profile_filespec_t; /* path as C string */ typedef char* profile_filespec_list_t; /* list of : separated paths, C string */ -typedef const char* const_profile_filespec_t; /* path as C string */ -typedef const char* const_profile_filespec_list_t; /* list of : separated paths, C string */ -#else -/* On MacOS, we use native file specifiers as unique file identifiers */ -#include <Files.h> -typedef FSSpec profile_filespec_t; -typedef FSSpec* profile_filespec_list_t; -/* array should be terminated with {0, 0, ""} */ -typedef FSSpec const_profile_filespec_t; -typedef FSSpec* const_profile_filespec_list_t; -#endif +typedef const char * const_profile_filespec_t; /* path as C string */ +typedef const char * const_profile_filespec_list_t; /* list of : separated paths, C string */ -KRB5_DLLIMP long KRB5_CALLCONV profile_init - PROTOTYPE ((const_profile_filespec_t *files, profile_t *ret_profile)); +long KRB5_CALLCONV profile_init + (const_profile_filespec_t *files, profile_t *ret_profile); -KRB5_DLLIMP long KRB5_CALLCONV profile_init_path - PROTOTYPE ((const_profile_filespec_list_t filelist, profile_t *ret_profile)); +long KRB5_CALLCONV profile_init_path + (const_profile_filespec_list_t filelist, profile_t *ret_profile); -KRB5_DLLIMP long KRB5_CALLCONV profile_flush - PROTOTYPE ((profile_t profile)); +long KRB5_CALLCONV profile_flush + 
(profile_t profile); +long KRB5_CALLCONV profile_flush_to_file + (profile_t profile, const_profile_filespec_t outfile); +long KRB5_CALLCONV profile_flush_to_buffer + (profile_t profile, char **bufp); +void KRB5_CALLCONV profile_free_buffer + (profile_t profile, char *buf); -KRB5_DLLIMP void KRB5_CALLCONV profile_abandon - PROTOTYPE ((profile_t profile)); +long KRB5_CALLCONV profile_is_writable + (profile_t profile, int *writable); +long KRB5_CALLCONV profile_is_modified + (profile_t profile, int *modified); -KRB5_DLLIMP void KRB5_CALLCONV profile_release - PROTOTYPE ((profile_t profile)); +void KRB5_CALLCONV profile_abandon + (profile_t profile); -KRB5_DLLIMP long KRB5_CALLCONV profile_get_values - PROTOTYPE ((profile_t profile, const char **names, char ***ret_values)); +void KRB5_CALLCONV profile_release + (profile_t profile); -KRB5_DLLIMP void KRB5_CALLCONV profile_free_list - PROTOTYPE ((char **list)); +long KRB5_CALLCONV profile_get_values + (profile_t profile, const char *const *names, char ***ret_values); -KRB5_DLLIMP long KRB5_CALLCONV profile_get_string - PROTOTYPE((profile_t profile, const char *name, const char *subname, +void KRB5_CALLCONV profile_free_list + (char **list); + +long KRB5_CALLCONV profile_get_string + (profile_t profile, const char *name, const char *subname, const char *subsubname, const char *def_val, - char **ret_string)); -KRB5_DLLIMP long KRB5_CALLCONV profile_get_integer - PROTOTYPE((profile_t profile, const char *name, const char *subname, + char **ret_string); +long KRB5_CALLCONV profile_get_integer + (profile_t profile, const char *name, const char *subname, + const char *subsubname, int def_val, + int *ret_default); + +long KRB5_CALLCONV profile_get_boolean + (profile_t profile, const char *name, const char *subname, const char *subsubname, int def_val, - int *ret_default)); + int *ret_default); -KRB5_DLLIMP long KRB5_CALLCONV profile_get_relation_names - PROTOTYPE((profile_t profile, const char **names, char ***ret_names)); 
+long KRB5_CALLCONV profile_get_relation_names + (profile_t profile, const char **names, char ***ret_names); -KRB5_DLLIMP long KRB5_CALLCONV profile_get_subsection_names - PROTOTYPE((profile_t profile, const char **names, char ***ret_names)); +long KRB5_CALLCONV profile_get_subsection_names + (profile_t profile, const char **names, char ***ret_names); -KRB5_DLLIMP long KRB5_CALLCONV profile_iterator_create - PROTOTYPE((profile_t profile, const char **names, - int flags, void **ret_iter)); +long KRB5_CALLCONV profile_iterator_create + (profile_t profile, const char *const *names, + int flags, void **ret_iter); -KRB5_DLLIMP void KRB5_CALLCONV profile_iterator_free - PROTOTYPE((void **iter_p)); +void KRB5_CALLCONV profile_iterator_free + (void **iter_p); -KRB5_DLLIMP long KRB5_CALLCONV profile_iterator - PROTOTYPE((void **iter_p, char **ret_name, char **ret_value)); +long KRB5_CALLCONV profile_iterator + (void **iter_p, char **ret_name, char **ret_value); -KRB5_DLLIMP void KRB5_CALLCONV profile_release_string PROTOTYPE((char *str)); +void KRB5_CALLCONV profile_release_string (char *str); -KRB5_DLLIMP long KRB5_CALLCONV profile_update_relation - PROTOTYPE((profile_t profile, const char **names, - const char *old_value, const char *new_value)); +long KRB5_CALLCONV profile_update_relation + (profile_t profile, const char **names, + const char *old_value, const char *new_value); -KRB5_DLLIMP long KRB5_CALLCONV profile_clear_relation - PROTOTYPE((profile_t profile, const char **names)); +long KRB5_CALLCONV profile_clear_relation + (profile_t profile, const char **names); -KRB5_DLLIMP long KRB5_CALLCONV profile_rename_section - PROTOTYPE((profile_t profile, const char **names, - const char *new_name)); +long KRB5_CALLCONV profile_rename_section + (profile_t profile, const char **names, + const char *new_name); -KRB5_DLLIMP long KRB5_CALLCONV profile_add_relation - PROTOTYPE((profile_t profile, const char **names, - const char *new_value)); +long KRB5_CALLCONV 
profile_add_relation + (profile_t profile, const char **names, + const char *new_value); #ifdef __cplusplus } #endif /* __cplusplus */ -/* Macintoh CFM-68K magic incantation */ -#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__) -#pragma import reset -#endif - - -/* - * prof_err.h: - * This file is automatically generated; please do not edit it. - */ - -#define PROF_VERSION (-1429577728L) -#define PROF_MAGIC_NODE (-1429577727L) -#define PROF_NO_SECTION (-1429577726L) -#define PROF_NO_RELATION (-1429577725L) -#define PROF_ADD_NOT_SECTION (-1429577724L) -#define PROF_SECTION_WITH_VALUE (-1429577723L) -#define PROF_BAD_LINK_LIST (-1429577722L) -#define PROF_BAD_GROUP_LVL (-1429577721L) -#define PROF_BAD_PARENT_PTR (-1429577720L) -#define PROF_MAGIC_ITERATOR (-1429577719L) -#define PROF_SET_SECTION_VALUE (-1429577718L) -#define PROF_EINVAL (-1429577717L) -#define PROF_READ_ONLY (-1429577716L) -#define PROF_SECTION_NOTOP (-1429577715L) -#define PROF_SECTION_SYNTAX (-1429577714L) -#define PROF_RELATION_SYNTAX (-1429577713L) -#define PROF_EXTRA_CBRACE (-1429577712L) -#define PROF_MISSING_OBRACE (-1429577711L) -#define PROF_MAGIC_PROFILE (-1429577710L) -#define PROF_MAGIC_SECTION (-1429577709L) -#define PROF_TOPSECTION_ITER_NOSUPP (-1429577708L) -#define PROF_INVALID_SECTION (-1429577707L) -#define PROF_END_OF_SECTIONS (-1429577706L) -#define PROF_BAD_NAMESET (-1429577705L) -#define PROF_NO_PROFILE (-1429577704L) -#define PROF_MAGIC_FILE (-1429577703L) -#define PROF_FAIL_OPEN (-1429577702L) -#define PROF_EXISTS (-1429577701L) -#define ERROR_TABLE_BASE_prof (-1429577728L) - -/* for compatibility with older versions... */ -#define prof_err_base ERROR_TABLE_BASE_prof - #endif /* _KRB5_PROFILE_H */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/socket-utils.h b/usr/src/lib/gss_mechs/mech_krb5/include/socket-utils.h index 0a6e164f61..8785c37a58 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/include/socket-utils.h 
+++ b/usr/src/lib/gss_mechs/mech_krb5/include/socket-utils.h @@ -1,3 +1,8 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + #pragma ident "%Z%%M% %I% %E% SMI" /* @@ -54,6 +59,11 @@ /* for HAVE_SOCKLEN_T, KRB5_USE_INET6, etc */ #include "autoconf.h" +#if 0 /* SUNW14resync */ +#include "krb5/autoconf.h" +/* for sockaddr_storage */ +#include "port-sockets.h" +#endif /* SUNW14resync */ #if defined (__GNUC__) /* diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_decode.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_decode.c index df25288aa6..0c7996cc1b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_decode.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_decode.c @@ -238,6 +238,11 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val) free(s); return ASN1_BAD_FORMAT; } + if(s[0] == '1' && !memcmp("19700101000000Z", s, 15)) { + t = 0; + free(s); + goto done; + } #define c2i(c) ((c)-'0') ts.tm_year = 1000*c2i(s[0]) + 100*c2i(s[1]) + 10*c2i(s[2]) + c2i(s[3]) - 1900; @@ -252,6 +257,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val) if(t == -1) return ASN1_BAD_TIMEFORMAT; +done: *val = t; cleanup(); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_encode.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_encode.c index a7f67d7f24..8c874a6116 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_encode.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_encode.c 
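Review bot: The parse that follows the new epoch shortcut in asn1_decode_generaltime still passes every character through `c2i()` with no digit check, as the context line for `ts.tm_year` shows, so non-digit bytes in the encoded time produce out-of-range `struct tm` fields. Only the trailing `'Z'` is validated in the visible context. A check before the conversions, for example `for (i = 0; i < 14; i++) if (!isdigit((unsigned char)s[i])) { free(s); return ASN1_BAD_FORMAT; }`, would reject such input early. The shortcut itself would benefit from a one-line comment saying why the epoch string bypasses the conversion, and the `s[0] == '1'` pre-test adds nothing the `memcmp` does not already cover. The function begins and ends outside these two hunks, so any validation done elsewhere in it is not visible here.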
@@ -232,38 +232,53 @@ asn1_error_code asn1_encode_generaltime(asn1buf *buf, time_t val, unsigned int *retlen) { asn1_error_code retval; - struct tm *gtime; - char s[16]; + struct tm *gtime, gtimebuf; + char s[16], *sp; unsigned int length, sum=0; time_t gmt_time = val; - gtime = gmtime(&gmt_time); - /* * Time encoding: YYYYMMDDhhmmssZ - * - * Sanity check this just to be paranoid, as gmtime can return NULL, - * and some bogus implementations might overrun on the sprintf. */ - if (gtime == NULL || - gtime->tm_year > 8099 || gtime->tm_mon > 11 || - gtime->tm_mday > 31 || gtime->tm_hour > 23 || - gtime->tm_min > 59 || gtime->tm_sec > 59) - return ASN1_BAD_GMTIME; - sprintf(s, "%04d%02d%02d%02d%02d%02dZ", - 1900+gtime->tm_year, gtime->tm_mon+1, gtime->tm_mday, - gtime->tm_hour, gtime->tm_min, gtime->tm_sec); - - retval = asn1buf_insert_charstring(buf,15,s); + if (gmt_time == 0) { + sp = "19700101000000Z"; + } else { + + /* + * Sanity check this just to be paranoid, as gmtime can return NULL, + * and some bogus implementations might overrun on the sprintf. 
+ */ +#ifdef HAVE_GMTIME_R + if (gmtime_r(&gmt_time, >imebuf) == NULL) + return ASN1_BAD_GMTIME; +#else + gtime = gmtime(&gmt_time); + if (gtime == NULL) + return ASN1_BAD_GMTIME; + memcpy(>imebuf, gtime, sizeof(gtimebuf)); +#endif + gtime = >imebuf; + + if (gtime->tm_year > 8099 || gtime->tm_mon > 11 || + gtime->tm_mday > 31 || gtime->tm_hour > 23 || + gtime->tm_min > 59 || gtime->tm_sec > 59) + return ASN1_BAD_GMTIME; + sprintf(s, "%04d%02d%02d%02d%02d%02dZ", + 1900+gtime->tm_year, gtime->tm_mon+1, gtime->tm_mday, + gtime->tm_hour, gtime->tm_min, gtime->tm_sec); + sp = s; + } + + retval = asn1buf_insert_charstring(buf,15,sp); if(retval) return retval; sum = 15; - retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_GENERALTIME,sum,&length); - if(retval) return retval; - sum += length; - - *retlen = sum; - return 0; + retval = asn1_make_tag(buf,UNIVERSAL,PRIMITIVE,ASN1_GENERALTIME,sum,&length); + if(retval) return retval; + sum += length; + + *retlen = sum; + return 0; } asn1_error_code asn1_encode_generalstring(asn1buf *buf, unsigned int len, diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.c index d62a01a52a..78723fb3e4 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.c @@ -1,3 +1,8 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + #pragma ident "%Z%%M% %I% %E% SMI" /* * src/lib/krb5/asn.1/asn1_k_decode.c @@ -73,9 +78,6 @@ var = (type*)calloc(1, sizeof(type)); \ if ((var) == NULL) return ENOMEM -#define free_field(var) \ - if ((var) != NULL) { free(var); var = NULL; } - /* Fetch an expected APPLICATION class tag and verify. */ #define apptag(tagexpect) \ { \ 
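Review bot: The sanity check ahead of `sprintf` in asn1_encode_generaltime tests only upper bounds, so a negative year is not rejected. Where `time_t` is wide enough for gmtime to return a `tm_year` below -1900, `%04d` can emit more than four characters and the 15-character layout no longer fits the 16-byte `s`. Adding `gtime->tm_year < -1900 ||` to the condition and writing with `snprintf(s, sizeof(s), ...)` would keep the write bounded whatever gmtime returns. The comment above the check already names the sprintf overrun as the concern, so it is worth making the check cover both directions.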
@@ -352,7 +354,7 @@ asn1_error_code asn1_decode_msgtype(asn1buf *buf, krb5_msgtype *val) asn1_error_code asn1_decode_realm(asn1buf *buf, krb5_principal *val) { return asn1_decode_generalstring(buf, - (uint32_t *)&((*val)->realm.length), + &((*val)->realm.length), &((*val)->realm.data)); } @@ -372,7 +374,7 @@ asn1_error_code asn1_decode_principal_name(asn1buf *buf, krb5_principal *val) size*sizeof(krb5_data)); if((*val)->data == NULL) return ENOMEM; retval = asn1_decode_generalstring(&seqbuf, - (uint32_t *)&((*val)->data[size-1].length), + &((*val)->data[size-1].length), &((*val)->data[size-1].data)); if(retval) return retval; } @@ -532,11 +534,8 @@ asn1_error_code asn1_decode_ticket(asn1buf *buf, krb5_ticket *val) if (!applen) { taginfo t; retval = asn1_get_tag_2(buf, &t); - if (retval) { - free_field(val->server); - return retval; + if (retval) return retval; } - } cleanup(); } @@ -569,12 +568,7 @@ asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val) get_field(val->server,2,asn1_decode_realm); if(val->client != NULL){ retval = asn1_krb5_realm_copy(val->client,val->server); - if(retval) { - free_field(val->server); - free_field(val->client); - return retval; } - } - + if(retval) return retval; } /* If opt_field server is missing, memory reference to server is lost and results in memory leak */ @@ -821,12 +815,13 @@ asn1_error_code asn1_decode_sequence_of_checksum(asn1buf *buf, krb5_checksum *** static asn1_error_code asn1_decode_etype_info2_entry(asn1buf *buf, krb5_etype_info_entry *val ) { + char *tmpp; setup(); { begin_structure(); get_field(val->etype,0,asn1_decode_enctype); if (tagnum == 1) { - char *s = (char *)val->salt; - get_lenfield(val->length, s, 1, asn1_decode_generalstring); + tmpp = (char *)val->salt; /* SUNW14resync hack */ + get_lenfield(val->length,tmpp,1,asn1_decode_generalstring); } else { val->length = KRB5_ETYPE_NO_SALT; val->salt = 0; 
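Review bot: The error return after `asn1_get_tag_2` in asn1_decode_ticket (hunk at -532) now leaves `val->server` allocated. The same holds for `val->server` and `val->client` after a failed `asn1_krb5_realm_copy` in asn1_decode_kdc_req_body (hunk at -569), where the context comment already mentions a leak around the server field. Both functions start and end outside their hunks, so whether a caller's error path releases these fields cannot be confirmed from here. If the callers own the cleanup, a comment at each return such as `/* val->server is released by the caller on error */` would record that; otherwise the fields need to be freed and cleared before `return retval;`.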
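Review bot: In asn1_decode_etype_info2_entry (hunk at -821) the decoded salt is received in the local `tmpp`, and nothing visible stores it back into `val->salt` before the `else` branch, while `val->length` is set from the decode. If `get_lenfield` writes through its second argument (the macro is defined outside this hunk), `val->salt` keeps its earlier value alongside a length that does not describe it, and the decoded buffer is lost. Adding `val->salt = (krb5_octet *)tmpp;` right after the `get_lenfield` call would keep pointer and length consistent, assuming `salt` is declared as `krb5_octet *`. The `/* SUNW14resync hack */` comment should also say what the temporary works around.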
@@ -872,7 +867,8 @@ static asn1_error_code asn1_decode_etype_info2_entry_1_3(asn1buf *buf, krb5_etyp cleanup(); } -asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val ) + +static asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val ) { setup(); { begin_structure(); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.h index 8d4fbe01c0..a93af704b0 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_k_decode.h @@ -143,8 +143,6 @@ asn1_error_code asn1_decode_pa_data (asn1buf *buf, krb5_pa_data *val); asn1_error_code asn1_decode_passwdsequence (asn1buf *buf, passwd_phrase_element *val); -asn1_error_code asn1_decode_etype_info_entry - (asn1buf *buf, krb5_etype_info_entry *val); asn1_error_code asn1_decode_sam_challenge (asn1buf *buf, krb5_sam_challenge *val); asn1_error_code asn1_decode_sam_challenge_2 diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.c index 587fc0e88c..df6934cc00 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.c 
@@ -17,16 +17,17 @@ * this permission notice appear in supporting documentation, and that * the name of M.I.T. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. */ #include "asn1_misc.h" -asn1_error_code asn1_krb5_realm_copy(target, source) - krb5_principal target; - krb5_principal source; +asn1_error_code asn1_krb5_realm_copy(krb5_principal target, krb5_principal source) { target->realm.length = source->realm.length; target->realm.data = (char*)malloc(target->realm.length); /* copy realm */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.h index 3bafc7c614..83c4cc741a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1_misc.h @@ -17,7 +17,10 @@ * this permission notice appear in supporting documentation, and that * the name of M.I.T. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. */ 
@@ -29,7 +32,7 @@ #include "krbasn1.h" asn1_error_code asn1_krb5_realm_copy - PROTOTYPE((krb5_principal target, krb5_principal source)); + (krb5_principal target, krb5_principal source); /* requires target, source, and source->realm are allocated effects Copies source->realm into target->realm. Returns ENOMEM if memory is exhausted. */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1buf.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1buf.c index 534cb10d12..5f543d727a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1buf.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/asn1buf.c @@ -52,7 +52,7 @@ base points to a valid, allocated octet array or is NULL bound, if non-NULL, points to the last valid octet next >= base - next <= bound+1 (i.e. next should be able to step just past the bound, + next <= bound+2 (i.e. next should be able to step just past the bound, but no further. (The bound should move out in response to being crossed by next.)) */ @@ -129,17 +129,10 @@ asn1_error_code asn1buf_skiptail(asn1buf *buf, const unsigned int length, const return ASN1_OVERRUN; } while (nestlevel > 0) { + if (buf->bound - buf->next + 1 <= 0) + return ASN1_OVERRUN; retval = asn1_get_tag_2(buf, &t); if (retval) return retval; - - /* - * asn1_get_tag_2() sets tagnum=ASN1_TAGNUM_CEILING if there is a problem - * with the buffer, including overrun. - */ - - if (t.tagnum == ASN1_TAGNUM_CEILING) - return ASN1_OVERRUN; - if (!t.indef) { if (t.length <= buf->bound - buf->next + 1) buf->next += t.length; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_decode.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_decode.c index eabdc11ed6..9fec5ecee1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_decode.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_decode.c 
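Review bot: The length test kept as context in asn1buf_skiptail compares `t.length` with the signed pointer difference `buf->bound - buf->next + 1`, and the type of `t.length` is not visible in this hunk. The invariant comment changed in the first asn1buf.c hunk now allows `next` to reach `bound+2`, where that difference is -1. If `t.length` is unsigned and `ptrdiff_t` is no wider than it, -1 converts to a large value and the test passes. An explicit bound after the `asn1_get_tag_2` call, `if (buf->next > buf->bound + 1) return ASN1_OVERRUN;`, would make the comparison safe regardless of type. The invariant comment's parenthetical still reads "just past the bound, but no further", which no longer matches `bound+2`. The function continues outside the hunk.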
@@ -242,7 +242,7 @@ error_out: free_field(*rep,checksum); free_field(*rep,client); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -278,7 +278,7 @@ error_out: if (rep && *rep) { free_field(*rep,server); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -331,7 +331,7 @@ error_out: free_field(*rep,session); free_field(*rep,client); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -415,7 +415,7 @@ error_out: if (rep && *rep) { free_field(*rep,ticket); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -464,7 +464,7 @@ error_out: if (rep && *rep) { free_field(*rep,subkey); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -570,7 +570,7 @@ error_out: if (rep && *rep) { free_field(*rep,checksum); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -629,7 +629,7 @@ error_out: free_field(*rep,r_address); free_field(*rep,s_address); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -684,7 +684,7 @@ error_out: free_field(*rep,r_address); free_field(*rep,s_address); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } @@ -730,7 +730,7 @@ error_out: free_field(*rep,server); free_field(*rep,client); free(*rep); - *rep = NULL; /* Solaris: prevent double free's and bogus derefs */ + *rep = NULL; } return retval; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_encode.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_encode.c index 68cf802bf2..4b1d62dd9d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_encode.c 
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krb5_encode.c @@ -883,7 +883,7 @@ krb5_error_code encode_krb5_setpw_req(const krb5_principal target, krb5_addfield(target,2,asn1_encode_realm); krb5_addfield(target,1,asn1_encode_principal_name); - krb5_addlenfield(strlen(password), (const uchar_t *)password,0,asn1_encode_octetstring); + krb5_addlenfield(strlen(password), (const unsigned char *)password,0,asn1_encode_octetstring); krb5_makeseq(); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krbasn1.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krbasn1.h index 3e4bb6a420..df3237260b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krbasn1.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/asn.1/krbasn1.h @@ -29,6 +29,15 @@ */ /* #define KRB5_MSGTYPE_STRICT */ +/* + * If KRB5_GENEROUS_LR_TYPE is defined, then we are generous about + * accepting a one byte negative lr_type - which is not sign + * extended. Prior to July 2000, we were sending a negative lr_type as + * a positve single byte value - instead of a signed integer. This + * allows us to receive the old value and deal + */ +#define KRB5_GENEROUS_LR_TYPE + typedef krb5_octet asn1_octet; typedef krb5_error_code asn1_error_code; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc-int.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc-int.h new file mode 100644 index 0000000000..eac6ed7295 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc-int.h 
@@ -0,0 +1,50 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/ccache/file/cc-int.h + * + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * This file contains constant and function declarations used in the + * file-based credential cache routines. + */ + +#ifndef __KRB5_CCACHE_H__ +#define __KRB5_CCACHE_H__ + +#include "k5-int.h" + +krb5_boolean +krb5int_cc_creds_match_request(krb5_context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds); + +int +krb5int_cc_initialize(void); + +void +krb5int_cc_finalize(void); + +extern k5_mutex_t krb5int_mcc_mutex; +extern k5_mutex_t krb5int_cc_file_mutex; + +#endif /* __KRB5_CCACHE_H__ */ 
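Review bot: The include guard `__KRB5_CCACHE_H__` in the new cc-int.h uses a name reserved for the implementation (leading double underscore) and is generic enough to collide with another ccache header. A guard derived from the file name, such as `KRB5_CC_INT_H`, avoids both problems. The header comment still gives the path as `lib/krb5/ccache/file/cc-int.h`, although the file is added under `krb5/ccache/`. The two exported mutexes, `krb5int_mcc_mutex` and `krb5int_cc_file_mutex`, carry no comment saying which state each protects; a one-line comment per declaration would help callers take the right lock.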
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c new file mode 100644 index 0000000000..72842c0d47 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_file.c 
@@ -0,0 +1,2525 @@
+/*
+ * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * lib/krb5/ccache/cc_file.c
+ *
+ * Copyright 1990,1991,1992,1993,1994,2000,2004 Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Original stdio support copyright 1995 by Cygnus Support.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * implementation of file-based credentials cache
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+If OPENCLOSE is defined, each of the functions opens and closes the
+file whenever it needs to access it. Otherwise, the file is opened
+once in initialize and closed once is close.
+
+This library depends on UNIX-like file descriptors, and UNIX-like
+behavior from the functions: open, close, read, write, lseek.
+
+The quasi-BNF grammar for a credentials cache:
+
+file ::=
+ principal list-of-credentials
+
+credential ::=
+ client (principal)
+ server (principal)
+ keyblock (keyblock)
+ times (ticket_times)
+ is_skey (boolean)
+ ticket_flags (flags)
+ ticket (data)
+ second_ticket (data)
+
+principal ::=
+ number of components (int32)
+ component 1 (data)
+ component 2 (data)
+ ...
+
+data ::=
+ length (int32)
+ string of length bytes
+
+etc.
+ */
+/* todo:
+ Make sure that each time a function returns KRB5_NOMEM, everything
+ allocated earlier in the function and stack tree is freed.
+
+ File locking
+
+ Use pread/pwrite if available, so multiple threads can read
+ simultaneously. (That may require reader/writer locks.)
+
+ fcc_nseq.c and fcc_read don't check return values a lot.
+ */
+#include "k5-int.h"
+#include <syslog.h> /* SUNW */
+
+#define NEED_SOCKETS /* Only for ntohs, etc. */
+#define NEED_LOWLEVEL_IO
+
+#include <stdio.h>
+#include <errno.h>
+
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+/* How long to block if flock fails with EAGAIN */
+#define LOCK_RETRIES 100
+#define WAIT_LENGTH 20 /* in milliseconds */
+
+#ifdef HAVE_NETINET_IN_H
+#if !defined(_WIN32)
+#include <netinet/in.h>
+#else
+#include "port-sockets.h"
+#endif
+#else
+# error find some way to use net-byte-order file version numbers.
+#endif
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_close
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_destroy
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_end_seq_get
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_generate_new
+ (krb5_context, krb5_ccache *id);
+
+static const char * KRB5_CALLCONV krb5_fcc_get_name
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_get_principal
+ (krb5_context, krb5_ccache id, krb5_principal *princ);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_initialize
+ (krb5_context, krb5_ccache id, krb5_principal princ);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_next_cred
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor,
+ krb5_creds *creds);
+
+static krb5_error_code krb5_fcc_read
+ (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len);
+static krb5_error_code krb5_fcc_read_principal
+ (krb5_context, krb5_ccache id, krb5_principal *princ);
+static krb5_error_code krb5_fcc_read_keyblock
+ (krb5_context, krb5_ccache id, krb5_keyblock *keyblock);
+static krb5_error_code krb5_fcc_read_data
+ (krb5_context, krb5_ccache id, krb5_data *data);
+static krb5_error_code krb5_fcc_read_int32
+ (krb5_context, krb5_ccache id, krb5_int32 *i);
+static krb5_error_code krb5_fcc_read_ui_2
+ (krb5_context, krb5_ccache id, krb5_ui_2 *i);
+static krb5_error_code krb5_fcc_read_octet
+ (krb5_context, krb5_ccache id, krb5_octet *i);
+static krb5_error_code krb5_fcc_read_times
+ (krb5_context, krb5_ccache id, krb5_ticket_times *t);
+static krb5_error_code krb5_fcc_read_addrs
+ (krb5_context, krb5_ccache, krb5_address ***);
+static krb5_error_code krb5_fcc_read_addr
+ (krb5_context, krb5_ccache, krb5_address *);
+static krb5_error_code krb5_fcc_read_authdata
+ (krb5_context, krb5_ccache, krb5_authdata ***);
+static krb5_error_code krb5_fcc_read_authdatum
+ (krb5_context, krb5_ccache, krb5_authdata *);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_resolve
+ (krb5_context, krb5_ccache *id, const char *residual);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_retrieve
+ (krb5_context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds *mcreds, krb5_creds *creds);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_start_seq_get
+ (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_store
+ (krb5_context, krb5_ccache id, krb5_creds *creds);
+
+static krb5_error_code krb5_fcc_skip_header
+ (krb5_context, krb5_ccache);
+static krb5_error_code krb5_fcc_skip_principal
+ (krb5_context, krb5_ccache id);
+
+static krb5_error_code KRB5_CALLCONV krb5_fcc_set_flags
+ (krb5_context, krb5_ccache id, krb5_flags flags);
+
+extern const krb5_cc_ops krb5_cc_file_ops;
+
+krb5_error_code krb5_change_cache (void);
+
+static krb5_error_code krb5_fcc_write
+ (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len);
+static krb5_error_code krb5_fcc_store_principal
+ (krb5_context, krb5_ccache id, krb5_principal princ);
+static krb5_error_code krb5_fcc_store_keyblock
+ (krb5_context, krb5_ccache id, krb5_keyblock *keyblock);
+static krb5_error_code krb5_fcc_store_data
+ (krb5_context, krb5_ccache id, krb5_data *data);
+static krb5_error_code krb5_fcc_store_int32
+ (krb5_context, krb5_ccache id, krb5_int32 i);
+static krb5_error_code krb5_fcc_store_ui_4
+ (krb5_context, krb5_ccache id, krb5_ui_4 i);
+static krb5_error_code krb5_fcc_store_ui_2
+ (krb5_context, krb5_ccache id, krb5_int32 i);
+static krb5_error_code krb5_fcc_store_octet
+ (krb5_context, krb5_ccache id, krb5_int32 i);
+static krb5_error_code krb5_fcc_store_times
+ (krb5_context, krb5_ccache id, krb5_ticket_times *t);
+static krb5_error_code krb5_fcc_store_addrs
+ (krb5_context, krb5_ccache, krb5_address **);
+static krb5_error_code krb5_fcc_store_addr
+ (krb5_context, krb5_ccache, krb5_address *);
+static krb5_error_code krb5_fcc_store_authdata
+ (krb5_context, krb5_ccache, krb5_authdata **);
+static krb5_error_code krb5_fcc_store_authdatum
+ (krb5_context, krb5_ccache, krb5_authdata *);
+
+static krb5_error_code krb5_fcc_interpret
+ (krb5_context, int);
+
+struct _krb5_fcc_data;
+static krb5_error_code krb5_fcc_close_file
+ (krb5_context, struct _krb5_fcc_data *data);
+static krb5_error_code krb5_fcc_open_file
+ (krb5_context, krb5_ccache, int);
+
+
+#define KRB5_OK 0
+
+#define KRB5_FCC_MAXLEN 100
+
+/*
+ * FCC version 2 contains type information for principals. FCC
+ * version 1 does not.
+ *
+ * FCC version 3 contains keyblock encryption type information, and is
+ * architecture independent. Previous versions are not.
+ *
+ * The code will accept version 1, 2, and 3 ccaches, and depending
+ * what KRB5_FCC_DEFAULT_FVNO is set to, it will create version 1, 2,
+ * or 3 FCC caches.
+ *
+ * The default credentials cache should be type 3 for now (see
+ * init_ctx.c).
+ */
+
+#define KRB5_FCC_FVNO_1 0x0501 /* krb v5, fcc v1 */
+#define KRB5_FCC_FVNO_2 0x0502 /* krb v5, fcc v2 */
+#define KRB5_FCC_FVNO_3 0x0503 /* krb v5, fcc v3 */
+#define KRB5_FCC_FVNO_4 0x0504 /* krb v5, fcc v4 */
+
+#define FCC_OPEN_AND_ERASE 1
+#define FCC_OPEN_RDWR 2
+#define FCC_OPEN_RDONLY 3
+#define FCC_OPEN_AND_ERASE_NOUNLINK 255 /* SUNW */
+
+/* Credential file header tags.
+ * The header tags are constructed as:
+ * krb5_ui_2 tag
+ * krb5_ui_2 len
+ * krb5_octet data[len]
+ * This format allows for older versions of the fcc processing code to skip
+ * past unrecognized tag formats.
+ */
+#define FCC_TAG_DELTATIME 1
+
+#ifndef TKT_ROOT
+#ifdef MSDOS_FILESYSTEM
+#define TKT_ROOT "\\tkt"
+#else
+#define TKT_ROOT "/tmp/tkt"
+#endif
+#endif
+
+/* macros to make checking flags easier */
+#define OPENCLOSE(id) (((krb5_fcc_data *)id->data)->flags & KRB5_TC_OPENCLOSE)
+
+typedef struct _krb5_fcc_data {
+ char *filename;
+ /* Lock this one before reading or modifying the data stored here
+ that can be changed. (Filename is fixed after
+ initialization.) */
+ k5_mutex_t lock;
+ int file;
+ krb5_flags flags;
+ int mode; /* needed for locking code */
+ int version; /* version number of the file */
+
+ /* Buffer data on reading, for performance.
+ We used to have a stdio option, but we get more precise control
+ by using the POSIX I/O functions. */
+#define FCC_BUFSIZ 1024
+ int valid_bytes;
+ int cur_offset;
+ char buf[FCC_BUFSIZ];
+} krb5_fcc_data;
+
+static inline void invalidate_cache(krb5_fcc_data *data)
+{
+ data->valid_bytes = 0;
+}
+
+static off_t fcc_lseek(krb5_fcc_data *data, off_t offset, int whence)
+{
+ /* If we read some extra data in advance, and then want to know or
+ use our "current" position, we need to back up a little. */
+ if (whence == SEEK_CUR && data->valid_bytes) {
+ assert(data->valid_bytes > 0);
+ assert(data->cur_offset > 0);
+ assert(data->cur_offset <= data->valid_bytes);
+ offset -= (data->valid_bytes - data->cur_offset);
+ }
+ invalidate_cache(data);
+ return lseek(data->file, offset, whence);
+}
+
+struct fcc_set {
+ struct fcc_set *next;
+ krb5_fcc_data *data;
+ unsigned int refcount;
+};
+
+k5_mutex_t krb5int_cc_file_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+static struct fcc_set *fccs = NULL;
+
+/* An off_t can be arbitrarily complex */
+typedef struct _krb5_fcc_cursor {
+ off_t pos;
+} krb5_fcc_cursor;
+
+#define MAYBE_OPEN(CONTEXT, ID, MODE) \
+{ \
+ k5_assert_locked(&((krb5_fcc_data *)(ID)->data)->lock); \
+ if (OPENCLOSE (ID)) { \
+ krb5_error_code maybe_open_ret; \
+ maybe_open_ret = krb5_fcc_open_file (CONTEXT,ID,MODE); \
+ if (maybe_open_ret) { \
+ k5_mutex_unlock(&((krb5_fcc_data *)(ID)->data)->lock); \
+ return maybe_open_ret; \
+ } \
+ } \
+}
+
+#define MAYBE_CLOSE(CONTEXT, ID, RET) \
+{ \
+ if (OPENCLOSE (ID)) { \
+ krb5_error_code maybe_close_ret; \
+ maybe_close_ret = krb5_fcc_close_file (CONTEXT, \
+ (krb5_fcc_data *)(ID)->data); \
+ if (!(RET)) RET = maybe_close_ret; } }
+
+#define MAYBE_CLOSE_IGNORE(CONTEXT, ID) \
+{ \
+ if (OPENCLOSE (ID)) { \
+ (void) krb5_fcc_close_file (CONTEXT,(krb5_fcc_data *)(ID)->data); } }
+
+#define CHECK(ret) if (ret != KRB5_OK) goto errout;
+
+#define NO_FILE -1
+
+/*
+ * Effects:
+ * Reads len bytes from the cache id, storing them in buf.
+ *
+ * Requires:
+ * Must be called with mutex locked.
+ * + * Errors: + * KRB5_CC_END - there were not len bytes available + * system errors (read) + */ +static krb5_error_code +krb5_fcc_read(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned int len) +{ +#if 0 + int ret; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + ret = read(((krb5_fcc_data *) id->data)->file, (char *) buf, len); + if (ret == -1) + return krb5_fcc_interpret(context, errno); + if (ret != len) + return KRB5_CC_END; + else + return KRB5_OK; +#else + krb5_fcc_data *data = (krb5_fcc_data *) id->data; + + k5_assert_locked(&data->lock); + + while (len > 0) { + int nread, e; + size_t ncopied; + + assert (data->valid_bytes >= 0); + if (data->valid_bytes > 0) + assert(data->cur_offset <= data->valid_bytes); + if (data->valid_bytes == 0 + || data->cur_offset == data->valid_bytes) { + /* Fill buffer from current file position. */ + nread = read(data->file, data->buf, sizeof(data->buf)); + e = errno; + if (nread < 0) + return krb5_fcc_interpret(context, e); + if (nread == 0) + /* EOF */ + return KRB5_CC_END; + data->valid_bytes = nread; + data->cur_offset = 0; + } + assert(data->cur_offset < data->valid_bytes); + ncopied = len; + assert(ncopied == len); + if (data->valid_bytes - data->cur_offset < ncopied) + ncopied = data->valid_bytes - data->cur_offset; + memcpy(buf, data->buf + data->cur_offset, ncopied); + data->cur_offset += ncopied; + assert(data->cur_offset > 0); + assert(data->cur_offset <= data->valid_bytes); + len -= ncopied; + assert(len >= 0); + /* Don't do arithmetic on void pointers. */ + buf = (char*)buf + ncopied; + } + return 0; +#endif +} + +/* + * FOR ALL OF THE FOLLOWING FUNCTIONS: + * + * Requires: + * id is open and set to read at the appropriate place in the file + * + * mutex is locked + * + * Effects: + * Fills in the second argument with data of the appropriate type from + * the file. 
In some cases, the functions have to allocate space for + * variable length fields; therefore, krb5_destroy_<type> must be + * called for each filled in structure. + * + * Errors: + * system errors (read errors) + * KRB5_CC_NOMEM + */ + +#define ALLOC(NUM,TYPE) \ + (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \ + ? (TYPE *) calloc((NUM), sizeof(TYPE)) \ + : (errno = ENOMEM,(TYPE *) 0)) + +static krb5_error_code +krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *princ) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code kret; + register krb5_principal tmpprinc; + krb5_int32 length, type; + int i; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if (data->version == KRB5_FCC_FVNO_1) { + type = KRB5_NT_UNKNOWN; + } else { + /* Read principal type */ + kret = krb5_fcc_read_int32(context, id, &type); + if (kret != KRB5_OK) + return kret; + } + + /* Read the number of components */ + kret = krb5_fcc_read_int32(context, id, &length); + if (kret != KRB5_OK) + return kret; + + /* + * DCE includes the principal's realm in the count; the new format + * does not. 
+ */ + if (data->version == KRB5_FCC_FVNO_1) + length--; + if (length < 0) + return KRB5_CC_NOMEM; + + tmpprinc = (krb5_principal) malloc(sizeof(krb5_principal_data)); + if (tmpprinc == NULL) + return KRB5_CC_NOMEM; + if (length) { + size_t msize = length; + if (msize != length) { + free(tmpprinc); + return KRB5_CC_NOMEM; + } + tmpprinc->data = ALLOC (msize, krb5_data); + if (tmpprinc->data == 0) { + free((char *)tmpprinc); + return KRB5_CC_NOMEM; + } + } else + tmpprinc->data = 0; + tmpprinc->magic = KV5M_PRINCIPAL; + tmpprinc->length = length; + tmpprinc->type = type; + + kret = krb5_fcc_read_data(context, id, krb5_princ_realm(context, tmpprinc)); + + i = 0; + CHECK(kret); + + for (i=0; i < length; i++) { + kret = krb5_fcc_read_data(context, id, krb5_princ_component(context, tmpprinc, i)); + CHECK(kret); + } + *princ = tmpprinc; + return KRB5_OK; + + errout: + while(--i >= 0) + free(krb5_princ_component(context, tmpprinc, i)->data); + free((char *)tmpprinc->data); + free((char *)tmpprinc); + return kret; +} + +static krb5_error_code +krb5_fcc_read_addrs(krb5_context context, krb5_ccache id, krb5_address ***addrs) +{ + krb5_error_code kret; + krb5_int32 length; + size_t msize; + int i; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + *addrs = 0; + + /* Read the number of components */ + kret = krb5_fcc_read_int32(context, id, &length); + CHECK(kret); + + /* Make *addrs able to hold length pointers to krb5_address structs + * Add one extra for a null-terminated list + */ + msize = length; + msize += 1; + if (msize == 0 || msize - 1 != length || length < 0) + return KRB5_CC_NOMEM; + *addrs = ALLOC (msize, krb5_address *); + if (*addrs == NULL) + return KRB5_CC_NOMEM; + + for (i=0; i < length; i++) { + (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address)); + if ((*addrs)[i] == NULL) { + krb5_free_addresses(context, *addrs); + return KRB5_CC_NOMEM; + } + kret = krb5_fcc_read_addr(context, id, (*addrs)[i]); + CHECK(kret); + } + + return KRB5_OK; + 
errout: + if (*addrs) + krb5_free_addresses(context, *addrs); + return kret; +} + +static krb5_error_code +krb5_fcc_read_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyblock) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code kret; + krb5_ui_2 ui2; + krb5_int32 int32; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + keyblock->magic = KV5M_KEYBLOCK; + keyblock->contents = 0; + + kret = krb5_fcc_read_ui_2(context, id, &ui2); + keyblock->enctype = ui2; + CHECK(kret); + if (data->version == KRB5_FCC_FVNO_3) { + /* This works because the old etype is the same as the new enctype. */ + kret = krb5_fcc_read_ui_2(context, id, &ui2); + /* keyblock->enctype = ui2; */ + CHECK(kret); + } + + kret = krb5_fcc_read_int32(context, id, &int32); + CHECK(kret); + if (int32 < 0) + return KRB5_CC_NOMEM; + keyblock->length = int32; + /* Overflow check. */ + if (keyblock->length != int32) + return KRB5_CC_NOMEM; + if ( keyblock->length == 0 ) + return KRB5_OK; + keyblock->contents = ALLOC (keyblock->length, krb5_octet); + if (keyblock->contents == NULL) + return KRB5_CC_NOMEM; + + kret = krb5_fcc_read(context, id, keyblock->contents, keyblock->length); + if (kret) + goto errout; + + return KRB5_OK; + errout: + if (keyblock->contents) + krb5_xfree(keyblock->contents); + return kret; +} + +static krb5_error_code +krb5_fcc_read_data(krb5_context context, krb5_ccache id, krb5_data *data) +{ + krb5_error_code kret; + krb5_int32 len; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + data->magic = KV5M_DATA; + data->data = 0; + + kret = krb5_fcc_read_int32(context, id, &len); + CHECK(kret); + if (len < 0) + return KRB5_CC_NOMEM; + data->length = len; + if (data->length != len || data->length + 1 == 0) + return KRB5_CC_NOMEM; + + if (data->length == 0) { + data->data = 0; + return KRB5_OK; + } + + data->data = (char *) malloc(data->length+1); + if (data->data == NULL) + return KRB5_CC_NOMEM; + + kret = krb5_fcc_read(context, id, 
data->data, (unsigned) data->length); + CHECK(kret); + + data->data[data->length] = 0; /* Null terminate, just in case.... */ + return KRB5_OK; + errout: + if (data->data) + krb5_xfree(data->data); + return kret; +} + +static krb5_error_code +krb5_fcc_read_addr(krb5_context context, krb5_ccache id, krb5_address *addr) +{ + krb5_error_code kret; + krb5_ui_2 ui2; + krb5_int32 int32; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + addr->magic = KV5M_ADDRESS; + addr->contents = 0; + + kret = krb5_fcc_read_ui_2(context, id, &ui2); + CHECK(kret); + addr->addrtype = ui2; + + kret = krb5_fcc_read_int32(context, id, &int32); + CHECK(kret); + if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ + return KRB5_CC_NOMEM; + addr->length = int32; + /* Length field is "unsigned int", which may be smaller than 32 + bits. */ + if (addr->length != int32) + return KRB5_CC_NOMEM; /* XXX */ + + if (addr->length == 0) + return KRB5_OK; + + addr->contents = (krb5_octet *) malloc(addr->length); + if (addr->contents == NULL) + return KRB5_CC_NOMEM; + + kret = krb5_fcc_read(context, id, addr->contents, addr->length); + CHECK(kret); + + return KRB5_OK; + errout: + if (addr->contents) + krb5_xfree(addr->contents); + return kret; +} + +static krb5_error_code +krb5_fcc_read_int32(krb5_context context, krb5_ccache id, krb5_int32 *i) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code retval; + unsigned char buf[4]; + krb5_int32 val; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if ((data->version == KRB5_FCC_FVNO_1) || + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_int32)); + else { + retval = krb5_fcc_read(context, id, buf, 4); + if (retval) + return retval; + val = buf[0]; + val = (val << 8) | buf[1]; + val = (val << 8) | buf[2]; + val = (val << 8) | buf[3]; + *i = val; + return 0; + } +} + +static krb5_error_code +krb5_fcc_read_ui_2(krb5_context context, krb5_ccache id, 
krb5_ui_2 *i) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code retval; + unsigned char buf[2]; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if ((data->version == KRB5_FCC_FVNO_1) || + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_ui_2)); + else { + retval = krb5_fcc_read(context, id, buf, 2); + if (retval) + return retval; + *i = (buf[0] << 8) + buf[1]; + return 0; + } +} + +static krb5_error_code +krb5_fcc_read_octet(krb5_context context, krb5_ccache id, krb5_octet *i) +{ + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + return krb5_fcc_read(context, id, (krb5_pointer) i, 1); +} + + +static krb5_error_code +krb5_fcc_read_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code retval; + krb5_int32 i; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if ((data->version == KRB5_FCC_FVNO_1) || + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_read(context, id, (krb5_pointer) t, sizeof(krb5_ticket_times)); + else { + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->authtime = i; + + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->starttime = i; + + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->endtime = i; + + retval = krb5_fcc_read_int32(context, id, &i); + CHECK(retval); + t->renew_till = i; + } + return 0; +errout: + return retval; +} + +static krb5_error_code +krb5_fcc_read_authdata(krb5_context context, krb5_ccache id, krb5_authdata ***a) +{ + krb5_error_code kret; + krb5_int32 length; + size_t msize; + int i; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + *a = 0; + + /* Read the number of components */ + kret = krb5_fcc_read_int32(context, id, &length); + CHECK(kret); + + if (length == 0) + return KRB5_OK; + + /* Make *a able to hold length pointers to krb5_authdata structs + * Add 
one extra for a null-terminated list + */ + msize = length; + msize += 1; + if (msize == 0 || msize - 1 != length || length < 0) + return KRB5_CC_NOMEM; + *a = ALLOC (msize, krb5_authdata *); + if (*a == NULL) + return KRB5_CC_NOMEM; + + for (i=0; i < length; i++) { + (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata)); + if ((*a)[i] == NULL) { + krb5_free_authdata(context, *a); + return KRB5_CC_NOMEM; + } + kret = krb5_fcc_read_authdatum(context, id, (*a)[i]); + CHECK(kret); + } + + return KRB5_OK; + errout: + if (*a) + krb5_free_authdata(context, *a); + return kret; +} + +static krb5_error_code +krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a) +{ + krb5_error_code kret; + krb5_int32 int32; + krb5_ui_2 ui2; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + a->magic = KV5M_AUTHDATA; + a->contents = NULL; + + kret = krb5_fcc_read_ui_2(context, id, &ui2); + CHECK(kret); + a->ad_type = (krb5_authdatatype)ui2; + kret = krb5_fcc_read_int32(context, id, &int32); + CHECK(kret); + if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */ + return KRB5_CC_NOMEM; + a->length = int32; + /* Value could have gotten truncated if int is smaller than 32 + bits. */ + if (a->length != int32) + return KRB5_CC_NOMEM; /* XXX */ + + if (a->length == 0 ) + return KRB5_OK; + + a->contents = (krb5_octet *) malloc(a->length); + if (a->contents == NULL) + return KRB5_CC_NOMEM; + + kret = krb5_fcc_read(context, id, a->contents, a->length); + CHECK(kret); + + return KRB5_OK; + errout: + if (a->contents) + krb5_xfree(a->contents); + return kret; + +} +#undef CHECK + +#define CHECK(ret) if (ret != KRB5_OK) return ret; + +/* + * Requires: + * id is open + * + * Effects: + * Writes len bytes from buf into the file cred cache id. 
+ * + * Errors: + * system errors + */ +static krb5_error_code +krb5_fcc_write(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned int len) +{ + int ret; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + invalidate_cache((krb5_fcc_data *) id->data); + + ret = write(((krb5_fcc_data *)id->data)->file, (char *) buf, len); + if (ret < 0) + return krb5_fcc_interpret(context, errno); + if (ret != len) + return KRB5_CC_WRITE; + return KRB5_OK; +} + +/* + * FOR ALL OF THE FOLLOWING FUNCTIONS: + * + * Requires: + * ((krb5_fcc_data *) id->data)->file is open and at the right position. + * + * mutex is locked + * + * Effects: + * Stores an encoded version of the second argument in the + * cache file. + * + * Errors: + * system errors + */ + +static krb5_error_code +krb5_fcc_store_principal(krb5_context context, krb5_ccache id, krb5_principal princ) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code ret; + krb5_int32 i, length, tmp, type; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + type = krb5_princ_type(context, princ); + tmp = length = krb5_princ_size(context, princ); + + if (data->version == KRB5_FCC_FVNO_1) { + /* + * DCE-compatible format means that the length count + * includes the realm. (It also doesn't include the + * principal type information.) 
+ */ + tmp++; + } else { + ret = krb5_fcc_store_int32(context, id, type); + CHECK(ret); + } + + ret = krb5_fcc_store_int32(context, id, tmp); + CHECK(ret); + + ret = krb5_fcc_store_data(context, id, krb5_princ_realm(context, princ)); + CHECK(ret); + + for (i=0; i < length; i++) { + ret = krb5_fcc_store_data(context, id, krb5_princ_component(context, princ, i)); + CHECK(ret); + } + + return KRB5_OK; +} + +static krb5_error_code +krb5_fcc_store_addrs(krb5_context context, krb5_ccache id, krb5_address **addrs) +{ + krb5_error_code ret; + krb5_address **temp; + krb5_int32 i, length = 0; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + /* Count the number of components */ + if (addrs) { + temp = addrs; + while (*temp++) + length += 1; + } + + ret = krb5_fcc_store_int32(context, id, length); + CHECK(ret); + for (i=0; i < length; i++) { + ret = krb5_fcc_store_addr(context, id, addrs[i]); + CHECK(ret); + } + + return KRB5_OK; +} + +static krb5_error_code +krb5_fcc_store_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyblock) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code ret; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype); + CHECK(ret); + if (data->version == KRB5_FCC_FVNO_3) { + ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype); + CHECK(ret); + } + ret = krb5_fcc_store_ui_4(context, id, keyblock->length); + CHECK(ret); + return krb5_fcc_write(context, id, (char *) keyblock->contents, keyblock->length); +} + +static krb5_error_code +krb5_fcc_store_addr(krb5_context context, krb5_ccache id, krb5_address *addr) +{ + krb5_error_code ret; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + ret = krb5_fcc_store_ui_2(context, id, addr->addrtype); + CHECK(ret); + ret = krb5_fcc_store_ui_4(context, id, addr->length); + CHECK(ret); + return krb5_fcc_write(context, id, (char *) addr->contents, addr->length); +} + + +static 
krb5_error_code +krb5_fcc_store_data(krb5_context context, krb5_ccache id, krb5_data *data) +{ + krb5_error_code ret; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + ret = krb5_fcc_store_ui_4(context, id, data->length); + CHECK(ret); + return krb5_fcc_write(context, id, data->data, data->length); +} + +static krb5_error_code +krb5_fcc_store_int32(krb5_context context, krb5_ccache id, krb5_int32 i) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + unsigned char buf[4]; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if ((data->version == KRB5_FCC_FVNO_1) || + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_write(context, id, (char *) &i, sizeof(krb5_int32)); + else { + buf[3] = (unsigned char) (i & 0xFF); + i >>= 8; + buf[2] = (unsigned char) (i & 0xFF); + i >>= 8; + buf[1] = (unsigned char) (i & 0xFF); + i >>= 8; + buf[0] = (unsigned char) (i & 0xFF); + return krb5_fcc_write(context, id, buf, 4); + } +} + +static krb5_error_code +krb5_fcc_store_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + unsigned char buf[4]; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if ((data->version == KRB5_FCC_FVNO_1) || + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_write(context, id, (char *) &i, sizeof(krb5_int32)); + else { + buf[3] = (unsigned char) (i & 0xFF); + i >>= 8; + buf[2] = (unsigned char) (i & 0xFF); + i >>= 8; + buf[1] = (unsigned char) (i & 0xFF); + i >>= 8; + buf[0] = (unsigned char) (i & 0xFF); + return krb5_fcc_write(context, id, buf, 4); + } +} + +static krb5_error_code +krb5_fcc_store_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_ui_2 ibuf; + unsigned char buf[2]; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if ((data->version == KRB5_FCC_FVNO_1) || + (data->version == KRB5_FCC_FVNO_2)) { + ibuf = (krb5_ui_2) i; + return krb5_fcc_write(context, 
id, (char *) &ibuf, sizeof(krb5_ui_2)); + } else { + buf[1] = (unsigned char) (i & 0xFF); + i >>= 8; + buf[0] = (unsigned char) (i & 0xFF); + return krb5_fcc_write(context, id, buf, 2); + } +} + +static krb5_error_code +krb5_fcc_store_octet(krb5_context context, krb5_ccache id, krb5_int32 i) +{ + krb5_octet ibuf; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + ibuf = (krb5_octet) i; + return krb5_fcc_write(context, id, (char *) &ibuf, 1); +} + +static krb5_error_code +krb5_fcc_store_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t) +{ + krb5_fcc_data *data = (krb5_fcc_data *)id->data; + krb5_error_code retval; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if ((data->version == KRB5_FCC_FVNO_1) || + (data->version == KRB5_FCC_FVNO_2)) + return krb5_fcc_write(context, id, (char *) t, sizeof(krb5_ticket_times)); + else { + retval = krb5_fcc_store_int32(context, id, t->authtime); + CHECK(retval); + retval = krb5_fcc_store_int32(context, id, t->starttime); + CHECK(retval); + retval = krb5_fcc_store_int32(context, id, t->endtime); + CHECK(retval); + retval = krb5_fcc_store_int32(context, id, t->renew_till); + CHECK(retval); + return 0; + } +} + +static krb5_error_code +krb5_fcc_store_authdata(krb5_context context, krb5_ccache id, krb5_authdata **a) +{ + krb5_error_code ret; + krb5_authdata **temp; + krb5_int32 i, length=0; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + if (a != NULL) { + for (temp=a; *temp; temp++) + length++; + } + + ret = krb5_fcc_store_int32(context, id, length); + CHECK(ret); + for (i=0; i<length; i++) { + ret = krb5_fcc_store_authdatum (context, id, a[i]); + CHECK(ret); + } + return KRB5_OK; +} + +static krb5_error_code +krb5_fcc_store_authdatum (krb5_context context, krb5_ccache id, krb5_authdata *a) +{ + krb5_error_code ret; + + k5_assert_locked(&((krb5_fcc_data *) id->data)->lock); + + ret = krb5_fcc_store_ui_2(context, id, a->ad_type); + CHECK(ret); + ret = 
krb5_fcc_store_ui_4(context, id, a->length); + CHECK(ret); + return krb5_fcc_write(context, id, (krb5_pointer) a->contents, a->length); +} +#undef CHECK + +static krb5_error_code +krb5_fcc_close_file (krb5_context context, krb5_fcc_data *data) +{ + int ret; + krb5_error_code retval; + + k5_assert_locked(&data->lock); + + if (data->file == NO_FILE) + return KRB5_FCC_INTERNAL; + + retval = krb5_unlock_file(context, data->file); + ret = close (data->file); + data->file = NO_FILE; + if (retval) + return retval; + + return ret ? krb5_fcc_interpret (context, errno) : 0; +} + +#if defined(ANSI_STDIO) || defined(_WIN32) +#define BINARY_MODE "b" +#else +#define BINARY_MODE "" +#endif + +#ifndef HAVE_SETVBUF +#undef setvbuf +#define setvbuf(FILE,BUF,MODE,SIZE) \ + ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF)) +#endif + + + +static krb5_error_code +krb5_fcc_open_nounlink(char *filename, int open_flag, int *ret_fd, int *new) +{ + struct stat lres; + struct stat fres; + int error; + uid_t uid, euid; + int fd; + int newfile = 0; + + *ret_fd = -1; + /* + * SUNW + * If we are opening in NOUNLINK mode, we have to check that the + * existing file, if any, is not a symlink. If it is, we try to + * delete and re-create it. 
+ */
+ error = lstat(filename, &lres);
+ if (error == -1 && errno != ENOENT) {
+ syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
+ return (-1);
+ }
+
+ if (error == 0 && !S_ISREG(lres.st_mode)) {
+ syslog(LOG_WARNING, "%s is not a plain file!", filename);
+ syslog(LOG_WARNING, "trying to unlink %s", filename);
+ if (unlink(filename) != 0) {
+ syslog(LOG_ERR, "could not unlink %s [%m]", filename);
+ return (-1);
+ }
+ }
+
+ fd = THREEPARAMOPEN(filename, open_flag | O_NONBLOCK, 0600);
+ if (fd == -1) {
+ if (errno == ENOENT) {
+ fd = THREEPARAMOPEN(filename,
+ open_flag | O_EXCL | O_CREAT, 0600);
+ if (fd != -1) {
+ newfile = 1;
+ } else {
+ /* If the file got created after the open we must retry */
+ if (errno == EEXIST)
+ return (0);
+ }
+ } else if (errno == EACCES) {
+ /*
+ * We failed since the file existed with wrong permissions.
+ * Let's try to unlink it and if that succeeds retry.
+ */
+ syslog(LOG_WARNING, "Insufficient permissions on %s",
+ filename);
+ syslog(LOG_WARNING, "trying to unlink %s", filename);
+ if (unlink(filename) != 0) {
+ syslog(LOG_ERR, "could not unlink %s [%m]", filename);
+ return (-1);
+ }
+ return (0);
+ }
+ }
+ /* If we still don't have a valid fd, we stop trying */
+ if (fd == -1)
+ return (-1);
+
+ /*
+ * SUNW
+ * If the file was not created now with a O_CREAT | O_EXCL open,
+ * we have opened an existing file. We should check if the file
+ * owner is us, if not, unlink and retry. If unlink fails we log
+ * the error and return.
+ */
+ if (!newfile) {
+ if (fstat(fd, &fres) == -1) {
+ syslog(LOG_ERR, "lstat failed for %s [%m]", filename);
+ close(fd);
+ return (-1);
+ }
+ /* Check if this is the same file we lstat'd earlier */
+ if (lres.st_dev != fres.st_dev || lres.st_ino != fres.st_ino) {
+ syslog(LOG_ERR, "%s changed between stat and open!", filename);
+ close(fd);
+ return (-1);
+ }
+
+ uid = getuid();
+ euid = geteuid();
+ /*
+ * Some apps (gssd, via a priv version of getuid())
+ * "set" the real uid only, others
+ * (telnetd/login/pam_krb5, etc) set effective uid only.
+ */
+ if (fres.st_uid != uid && fres.st_uid != euid) {
+ close(fd);
+ syslog(LOG_WARNING,
+ "%s owned by %d instead of %d (euid=%d, uid=%d)",
+ filename, fres.st_uid, euid, euid, uid);
+ syslog(LOG_WARNING, "trying to unlink %s", filename);
+ if (unlink(filename) != 0) {
+ syslog(LOG_ERR, "could not unlink %s [%m]", filename);
+ return (-1);
+ }
+ return (0);
+ }
+ }
+
+ *new = newfile;
+ *ret_fd = fd;
+ return (0);
+}
+
+
+static krb5_error_code
+krb5_fcc_open_file (krb5_context context, krb5_ccache id, int mode)
+{
+ krb5_os_context os_ctx = (krb5_os_context)context->os_context;
+ krb5_fcc_data *data = (krb5_fcc_data *)id->data;
+ krb5_ui_2 fcc_fvno;
+ krb5_ui_2 fcc_flen;
+ krb5_ui_2 fcc_tag;
+ krb5_ui_2 fcc_taglen;
+ int f, open_flag;
+ int lock_flag;
+ krb5_error_code retval = 0;
+ int retries;
+ int newfile = 0;
+
+ k5_assert_locked(&data->lock);
+ invalidate_cache(data);
+
+ if (data->file != NO_FILE) {
+ /* Don't know what state it's in; shut down and start anew. */
+ (void) krb5_unlock_file(context, data->file);
+ (void) close (data->file);
+ data->file = NO_FILE;
+ }
+
+ switch(mode) {
+ case FCC_OPEN_AND_ERASE_NOUNLINK:
+ open_flag = O_RDWR;
+ break;
+ case FCC_OPEN_AND_ERASE:
+ unlink(data->filename);
+ open_flag = O_CREAT|O_EXCL|O_TRUNC|O_RDWR;
+ break;
+ case FCC_OPEN_RDWR:
+ open_flag = O_RDWR;
+ break;
+ case FCC_OPEN_RDONLY:
+ default:
+ open_flag = O_RDONLY;
+ break;
+ }
+
+fcc_retry:
+ /*
+ * SUNW
+ * If we are opening in NOUNLINK mode, check whether we are opening a
+ * symlink or a file owned by some other user and take preventive action.
+ */
+ newfile = 0;
+ if (mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
+ retval = krb5_fcc_open_nounlink(data->filename, open_flag,
+ &f, &newfile);
+ if (retval == 0 && f == -1)
+ goto fcc_retry;
+ } else {
+ f = THREEPARAMOPEN (data->filename, open_flag | O_BINARY, 0600);
+ }
+ if (f == NO_FILE)
+ return krb5_fcc_interpret (context, errno);
+
+ data->mode = mode;
+
+ if (data->mode == FCC_OPEN_RDONLY)
+ lock_flag = KRB5_LOCKMODE_SHARED;
+ else
+ lock_flag = KRB5_LOCKMODE_EXCLUSIVE;
+
+ if ((retval = krb5_lock_file(context, f, lock_flag))) {
+ (void) close(f);
+ if (retval == EAGAIN && retries++ < LOCK_RETRIES) {
+ /* SUNW wait some time before retrying */
+ if (poll(NULL, 0, WAIT_LENGTH) == 0)
+ goto fcc_retry;
+ }
+ syslog(LOG_ERR, "Failed to lock %s [%m]", data->filename);
+ return retval;
+ }
+
+ if (mode == FCC_OPEN_AND_ERASE || mode == FCC_OPEN_AND_ERASE_NOUNLINK) {
+ int cnt;
+
+ /*
+ * SUNW
+ * If this file was not created, we have to flush existing data.
+ * This will happen only if we are doing an ERASE_NOUNLINK open.
+ */
+ if (newfile == 0 && (ftruncate(f, 0) == -1)) {
+ syslog(LOG_ERR, "ftruncate failed for %s [%m]", data->filename);
+ close(f);
+ return (krb5_fcc_interpret(context, errno));
+ }
+
+ /* write the version number */
+ fcc_fvno = htons(context->fcc_default_format);
+ data->version = context->fcc_default_format;
+ if ((cnt = write(f, (char *)&fcc_fvno, sizeof(fcc_fvno))) !=
+ sizeof(fcc_fvno)) {
+ retval = ((cnt == -1) ? krb5_fcc_interpret(context, errno) :
+ KRB5_CC_IO);
+ goto done;
+ }
+ data->file = f;
+
+ if (data->version == KRB5_FCC_FVNO_4) {
+ /* V4 of the credentials cache format allows for header tags */
+ fcc_flen = 0;
+
+ if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)
+ fcc_flen += (2*sizeof(krb5_ui_2) + 2*sizeof(krb5_int32));
+
+ /* Write header length */
+ retval = krb5_fcc_store_ui_2(context, id, (krb5_int32)fcc_flen);
+ if (retval) goto done;
+
+ if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) {
+ /* Write time offset tag */
+ fcc_tag = FCC_TAG_DELTATIME;
+ fcc_taglen = 2*sizeof(krb5_int32);
+
+ retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_tag);
+ if (retval) goto done;
+ retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_taglen);
+ if (retval) goto done;
+ retval = krb5_fcc_store_int32(context,id,os_ctx->time_offset);
+ if (retval) goto done;
+ retval = krb5_fcc_store_int32(context,id,os_ctx->usec_offset);
+ if (retval) goto done;
+ }
+ }
+ invalidate_cache(data);
+ goto done;
+ }
+
+ /* verify a valid version number is there */
+ invalidate_cache(data);
+ if (read(f, (char *)&fcc_fvno, sizeof(fcc_fvno)) != sizeof(fcc_fvno)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ data->version = ntohs(fcc_fvno);
+ if ((data->version != KRB5_FCC_FVNO_4) &&
+ (data->version != KRB5_FCC_FVNO_3) &&
+ (data->version != KRB5_FCC_FVNO_2) &&
+ (data->version != KRB5_FCC_FVNO_1)) {
+ retval = KRB5_CCACHE_BADVNO;
+ goto done;
+ }
+
+ data->file = f;
+
+ if (data->version == KRB5_FCC_FVNO_4) {
+ char buf[1024];
+
+ if (krb5_fcc_read_ui_2(context, id, &fcc_flen) ||
+ (fcc_flen > sizeof(buf)))
+ {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+
+ while (fcc_flen) {
+ if ((fcc_flen < (2 * sizeof(krb5_ui_2))) ||
+ krb5_fcc_read_ui_2(context, id, &fcc_tag) ||
+ krb5_fcc_read_ui_2(context, id, &fcc_taglen) ||
+ (fcc_taglen > (fcc_flen - 2*sizeof(krb5_ui_2))))
+ {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+
+ switch (fcc_tag) {
+ case FCC_TAG_DELTATIME:
+ if (fcc_taglen != 2*sizeof(krb5_int32)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ if (!(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) ||
+ (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID))
+ {
+ if (krb5_fcc_read(context, id, buf, fcc_taglen)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ break;
+ }
+ if (krb5_fcc_read_int32(context, id, &os_ctx->time_offset) ||
+ krb5_fcc_read_int32(context, id, &os_ctx->usec_offset))
+ {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ os_ctx->os_flags =
+ ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
+ KRB5_OS_TOFFSET_VALID);
+ break;
+ default:
+ if (fcc_taglen && krb5_fcc_read(context,id,buf,fcc_taglen)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ break;
+ }
+ fcc_flen -= (2*sizeof(krb5_ui_2) + fcc_taglen);
+ }
+ }
+
+done:
+ if (retval) {
+ data->file = -1;
+ (void) krb5_unlock_file(context, f);
+ (void) close(f);
+ }
+ return retval;
+}
+
+static krb5_error_code
+krb5_fcc_skip_header(krb5_context context, krb5_ccache id)
+{
+ krb5_fcc_data *data = (krb5_fcc_data *)id->data;
+ krb5_error_code kret;
+ krb5_ui_2 fcc_flen;
+
+ k5_assert_locked(&((krb5_fcc_data *) id->data)->lock);
+
+ fcc_lseek(data, (off_t) sizeof(krb5_ui_2), SEEK_SET);
+ if (data->version == KRB5_FCC_FVNO_4) {
+ kret = krb5_fcc_read_ui_2(context, id, &fcc_flen);
+ if (kret) return kret;
+ if(fcc_lseek(data, (off_t) fcc_flen, SEEK_CUR) < 0)
+ return errno;
+ }
+ return KRB5_OK;
+}
+
+static krb5_error_code
+krb5_fcc_skip_principal(krb5_context context, krb5_ccache id)
+{
+ krb5_error_code kret;
+ krb5_principal princ;
+
+ k5_assert_locked(&((krb5_fcc_data *) id->data)->lock);
+
+ kret = krb5_fcc_read_principal(context, id, &princ);
+ if (kret != KRB5_OK)
+ return kret;
+
+ krb5_free_principal(context, princ);
+ return KRB5_OK;
+}
+
+
+/*
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * Creates/refreshes the file cred cache id. If the cache exists, its
+ * contents are destroyed.
+ *
+ * Errors:
+ * system errors
+ * permission errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
+{
+ krb5_error_code kret = 0;
+ int reti = 0;
+
+ kret = k5_mutex_lock(&((krb5_fcc_data *) id->data)->lock);
+ if (kret)
+ return kret;
+
+ MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE_NOUNLINK); /* SUNW */
+
+ /*
+ * SUN14resync
+ * This is not needed and can cause problems with ktkt_warnd(1M)
+ * because it does tricks with getuid and if we enable this fchmod
+ * we get EPERM [file_owner] failures on fchmod.
+ */
+#if 0
+#if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD)
+ {
+#ifdef HAVE_FCHMOD
+ reti = fchmod(((krb5_fcc_data *) id->data)->file, S_IREAD | S_IWRITE);
+#else
+ reti = chmod(((krb5_fcc_data *) id->data)->filename, S_IREAD | S_IWRITE);
+#endif
+#endif
+ if (reti == -1) {
+ kret = krb5_fcc_interpret(context, errno);
+ MAYBE_CLOSE(context, id, kret);
+ k5_mutex_unlock(&((krb5_fcc_data *) id->data)->lock);
+ return kret;
+ }
+ }
+#endif
+ kret = krb5_fcc_store_principal(context, id, princ);
+
+ MAYBE_CLOSE(context, id, kret);
+ k5_mutex_unlock(&((krb5_fcc_data *) id->data)->lock);
+ krb5_change_cache ();
+ return kret;
+}
+
+/*
+ * Drop the ref count; if it hits zero, remove the entry from the
+ * fcc_set list and free it.
+ */
+static krb5_error_code dereference(krb5_context context, krb5_fcc_data *data)
+{
+ krb5_error_code kerr;
+ struct fcc_set **fccsp;
+
+ kerr = k5_mutex_lock(&krb5int_cc_file_mutex);
+ if (kerr)
+ return kerr;
+ for (fccsp = &fccs; *fccsp != NULL; fccsp = &(*fccsp)->next)
+ if ((*fccsp)->data == data)
+ break;
+ assert(*fccsp != NULL);
+ assert((*fccsp)->data == data);
+ (*fccsp)->refcount--;
+ if ((*fccsp)->refcount == 0) {
+ struct fcc_set *temp;
+ data = (*fccsp)->data;
+ temp = *fccsp;
+ *fccsp = (*fccsp)->next;
+ free(temp);
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ k5_mutex_assert_unlocked(&data->lock);
+ free(data->filename);
+ zap(data->buf, sizeof(data->buf));
+ if (data->file >= 0) {
+ k5_mutex_lock(&data->lock);
+ krb5_fcc_close_file(context, data);
+ k5_mutex_unlock(&data->lock);
+ }
+ k5_mutex_destroy(&data->lock);
+ free(data);
+ } else
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ return 0;
+}
+
+/*
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * Closes the file cache, invalidates the id, and frees any resources
+ * associated with the cache.
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_close(krb5_context context, krb5_ccache id)
+{
+ dereference(context, (krb5_fcc_data *) id->data);
+ krb5_xfree(id);
+ return KRB5_OK;
+}
+
+/*
+ * Effects:
+ * Destroys the contents of id.
+ *
+ * Errors:
+ * system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_destroy(krb5_context context, krb5_ccache id)
+{
+ krb5_error_code kret = 0;
+ krb5_fcc_data *data = (krb5_fcc_data *) id->data;
+ register int ret;
+
+ struct stat buf;
+ unsigned long i, size;
+ unsigned int wlen;
+ char zeros[BUFSIZ];
+
+ kret = k5_mutex_lock(&data->lock);
+ if (kret)
+ return kret;
+
+ if (OPENCLOSE(id)) {
+ invalidate_cache(data);
+ ret = THREEPARAMOPEN(data->filename,
+ O_RDWR | O_BINARY, 0);
+ if (ret < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ goto cleanup;
+ }
+ data->file = ret;
+ }
+ else
+ fcc_lseek(data, (off_t) 0, SEEK_SET);
+
+#ifdef MSDOS_FILESYSTEM
+/* "disgusting bit of UNIX trivia" - that's how the writers of NFS describe
+** the ability of UNIX to still write to a file which has been unlinked.
+** Naturally, the PC can't do this. As a result, we have to delete the file
+** after we wipe it clean but that throws off all the error handling code.
+** So we have do the work ourselves.
+*/
+ ret = fstat(data->file, &buf);
+ if (ret == -1) {
+ kret = krb5_fcc_interpret(context, errno);
+ size = 0; /* Nothing to wipe clean */
+ } else
+ size = (unsigned long) buf.st_size;
+
+ memset(zeros, 0, BUFSIZ);
+ while (size > 0) {
+ wlen = (int) ((size > BUFSIZ) ? BUFSIZ : size); /* How much to write */
+ i = write(data->file, zeros, wlen);
+ if (i < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ /* Don't jump to cleanup--we still want to delete the file. */
+ break;
+ }
+ size -= i; /* We've read this much */
+ }
+
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ }
+
+ ret = unlink(data->filename);
+ if (ret < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ goto cleanup;
+ }
+
+#else /* MSDOS_FILESYSTEM */
+
+ ret = unlink(data->filename);
+ if (ret < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ kret = ret;
+ }
+ goto cleanup;
+ }
+
+ ret = fstat(data->file, &buf);
+ if (ret < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ }
+ goto cleanup;
+ }
+
+ /* XXX This may not be legal XXX */
+ size = (unsigned long) buf.st_size;
+ memset(zeros, 0, BUFSIZ);
+ for (i=0; i < size / BUFSIZ; i++)
+ if (write(data->file, zeros, BUFSIZ) < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ }
+ goto cleanup;
+ }
+
+ wlen = (unsigned int) (size % BUFSIZ);
+ if (write(data->file, zeros, wlen) < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ }
+ goto cleanup;
+ }
+
+ ret = close(data->file);
+ data->file = -1;
+
+ if (ret)
+ kret = krb5_fcc_interpret(context, errno);
+
+#endif /* MSDOS_FILESYSTEM */
+
+ cleanup:
+ k5_mutex_unlock(&data->lock);
+ dereference(context, data);
+ krb5_xfree(id);
+
+ krb5_change_cache ();
+ return kret;
+}
+
+extern const krb5_cc_ops krb5_fcc_ops;
+
+/*
+ * Requires:
+ * residual is a legal path name, and a null-terminated string
+ *
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * creates a file-based cred cache that will reside in the file
+ * residual. The cache is not opened, but the filename is reserved.
+ *
+ * Returns:
+ * A filled in krb5_ccache structure "id".
+ *
+ * Errors:
+ * KRB5_CC_NOMEM - there was insufficient memory to allocate the
+ * krb5_ccache. id is undefined.
+ * permission errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
+{
+ krb5_ccache lid;
+ krb5_error_code kret;
+ krb5_fcc_data *data;
+ struct fcc_set *setptr;
+
+ kret = k5_mutex_lock(&krb5int_cc_file_mutex);
+ if (kret)
+ return kret;
+ for (setptr = fccs; setptr; setptr = setptr->next) {
+ if (!strcmp(setptr->data->filename, residual))
+ break;
+ }
+ if (setptr) {
+ data = setptr->data;
+ assert(setptr->refcount != 0);
+ setptr->refcount++;
+ assert(setptr->refcount != 0);
+ kret = k5_mutex_lock(&data->lock);
+ if (kret) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ return kret;
+ }
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ } else {
+ data = malloc(sizeof(krb5_fcc_data));
+ if (data == NULL) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ return KRB5_CC_NOMEM;
+ }
+ data->filename = strdup(residual);
+ if (data->filename == NULL) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ free(data);
+ return KRB5_CC_NOMEM;
+ }
+ kret = k5_mutex_init(&data->lock);
+ if (kret) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ free(data->filename);
+ free(data);
+ return kret;
+ }
+ kret = k5_mutex_lock(&data->lock);
+ if (kret) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ k5_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ return kret;
+ }
+ /* data->version,mode filled in for real later */
+ data->version = data->mode = 0;
+ data->flags = KRB5_TC_OPENCLOSE;
+ data->file = -1;
+ data->valid_bytes = 0;
+ setptr = malloc(sizeof(struct fcc_set));
+ if (setptr == NULL) {
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ k5_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ return KRB5_CC_NOMEM;
+ }
+ setptr->refcount = 1;
+ setptr->data = data;
+ setptr->next = fccs;
+ fccs = setptr;
+ k5_mutex_unlock(&krb5int_cc_file_mutex);
+ }
+
+ k5_mutex_assert_locked(&data->lock);
+ k5_mutex_unlock(&data->lock);
+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
+ if (lid == NULL) {
+ dereference(context, data);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->ops = &krb5_fcc_ops;
+ lid->data = data;
+ lid->magic = KV5M_CCACHE;
+
+ /* other routines will get errors on open, and callers must expect them,
+ if cache is non-existent/unusable */
+ *id = lid;
+ return KRB5_OK;
+}
+
+/*
+ * Effects:
+ * Prepares for a sequential search of the credentials cache.
+ * Returns and krb5_cc_cursor to be used with krb5_fcc_next_cred and
+ * krb5_fcc_end_seq_get.
+ *
+ * If the cache is modified between the time of this call and the time
+ * of the final krb5_fcc_end_seq_get, the results are undefined.
+ *
+ * Errors:
+ * KRB5_CC_NOMEM
+ * system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_start_seq_get(krb5_context context, krb5_ccache id,
+ krb5_cc_cursor *cursor)
+{
+ krb5_fcc_cursor *fcursor;
+ krb5_error_code kret = KRB5_OK;
+ krb5_fcc_data *data = (krb5_fcc_data *)id->data;
+
+ kret = k5_mutex_lock(&data->lock);
+ if (kret)
+ return kret;
+
+ fcursor = (krb5_fcc_cursor *) malloc(sizeof(krb5_fcc_cursor));
+ if (fcursor == NULL) {
+ k5_mutex_unlock(&data->lock);
+ return KRB5_CC_NOMEM;
+ }
+ if (OPENCLOSE(id)) {
+ kret = krb5_fcc_open_file(context, id, FCC_OPEN_RDONLY);
+ if (kret) {
+ krb5_xfree(fcursor);
+ k5_mutex_unlock(&data->lock);
+ return kret;
+ }
+ }
+
+ /* Make sure we start reading right after the primary principal */
+ kret = krb5_fcc_skip_header(context, id);
+ if (kret) {
+ /* SUNW14resync - fix mem leak */
+ krb5_xfree(fcursor);
+ goto done;
+ }
+ kret = krb5_fcc_skip_principal(context, id);
+ if (kret) {
+ /* SUNW14resync - fix mem leak */
+ krb5_xfree(fcursor);
+ goto done;
+ }
+
+ fcursor->pos = fcc_lseek(data, (off_t) 0, SEEK_CUR);
+ *cursor = (krb5_cc_cursor) fcursor;
+
+done:
+ MAYBE_CLOSE(context, id, kret);
+ k5_mutex_unlock(&data->lock);
+ return kret;
+}
+
+
+/*
+ * Requires:
+ * cursor is a krb5_cc_cursor originally obtained from
+ * krb5_fcc_start_seq_get.
+ *
+ * Modifes:
+ * cursor, creds
+ *
+ * Effects:
+ * Fills in creds with the "next" credentals structure from the cache
+ * id. The actual order the creds are returned in is arbitrary.
+ * Space is allocated for the variable length fields in the
+ * credentials structure, so the object returned must be passed to
+ * krb5_destroy_credential.
+ *
+ * The cursor is updated for the next call to krb5_fcc_next_cred.
+ *
+ * Errors:
+ * system errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
+ krb5_creds *creds)
+{
+#define TCHECK(ret) if (ret != KRB5_OK) goto lose;
+ krb5_error_code kret;
+ krb5_fcc_cursor *fcursor;
+ krb5_int32 int32;
+ krb5_octet octet;
+ krb5_fcc_data *d = (krb5_fcc_data *) id->data;
+
+ kret = k5_mutex_lock(&d->lock);
+ if (kret)
+ return kret;
+
+ memset((char *)creds, 0, sizeof(*creds));
+ MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
+ fcursor = (krb5_fcc_cursor *) *cursor;
+
+ kret = (fcc_lseek(d, fcursor->pos, SEEK_SET) == (off_t) -1);
+ if (kret) {
+ kret = krb5_fcc_interpret(context, errno);
+ MAYBE_CLOSE(context, id, kret);
+ k5_mutex_unlock(&d->lock);
+ return kret;
+ }
+
+ kret = krb5_fcc_read_principal(context, id, &creds->client);
+ TCHECK(kret);
+ kret = krb5_fcc_read_principal(context, id, &creds->server);
+ TCHECK(kret);
+ kret = krb5_fcc_read_keyblock(context, id, &creds->keyblock);
+ TCHECK(kret);
+ kret = krb5_fcc_read_times(context, id, &creds->times);
+ TCHECK(kret);
+ kret = krb5_fcc_read_octet(context, id, &octet);
+ TCHECK(kret);
+ creds->is_skey = octet;
+ kret = krb5_fcc_read_int32(context, id, &int32);
+ TCHECK(kret);
+ creds->ticket_flags = int32;
+ kret = krb5_fcc_read_addrs(context, id, &creds->addresses);
+ TCHECK(kret);
+ kret = krb5_fcc_read_authdata(context, id, &creds->authdata);
+ TCHECK(kret);
+ kret = krb5_fcc_read_data(context, id, &creds->ticket);
+ TCHECK(kret);
+ kret = krb5_fcc_read_data(context, id, &creds->second_ticket);
+ TCHECK(kret);
+
+ fcursor->pos = fcc_lseek(d, (off_t) 0, SEEK_CUR);
+ cursor = (krb5_cc_cursor *) fcursor;
+
+lose:
+ MAYBE_CLOSE (context, id, kret);
+ k5_mutex_unlock(&d->lock);
+ if (kret != KRB5_OK)
+ krb5_free_cred_contents(context, creds);
+ return kret;
+}
+
+/*
+ * Requires:
+ * cursor is a krb5_cc_cursor originally obtained from
+ * krb5_fcc_start_seq_get.
+ *
+ * Modifies:
+ * id, cursor
+ *
+ * Effects:
+ * Finishes sequential processing of the file credentials ccache id,
+ * and invalidates the cursor (it must never be used after this call).
+ */
+/* ARGSUSED */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+{
+ /* We don't do anything with the file cache itself, so
+ no need to lock anything. */
+
+ /* don't close; it may be left open by the caller,
+ and if not, fcc_start_seq_get and/or fcc_next_cred will do the
+ MAYBE_CLOSE.
+ MAYBE_CLOSE(context, id, kret); */
+ krb5_xfree((krb5_fcc_cursor *) *cursor);
+ return 0;
+}
+
+
+/*
+ * Effects:
+ * Creates a new file cred cache whose name is guaranteed to be
+ * unique. The name begins with the string TKT_ROOT (from fcc.h).
+ * The cache is not opened, but the new filename is reserved.
+ *
+ * Returns:
+ * The filled in krb5_ccache id.
+ *
+ * Errors:
+ * KRB5_CC_NOMEM - there was insufficient memory to allocate the
+ * krb5_ccache. id is undefined.
+ * system errors (from open)
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_generate_new (krb5_context context, krb5_ccache *id)
+{
+ krb5_ccache lid;
+ int ret;
+ krb5_error_code retcode = 0;
+ char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for
+ NUL */
+ krb5_fcc_data *data;
+
+ /* Allocate memory */
+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
+ if (lid == NULL)
+ return KRB5_CC_NOMEM;
+
+ lid->ops = &krb5_fcc_ops;
+
+ (void) strcpy(scratch, TKT_ROOT);
+ (void) strcat(scratch, "XXXXXX");
+#ifdef HAVE_MKSTEMP
+ ret = mkstemp(scratch);
+ if (ret == -1) {
+ return krb5_fcc_interpret(context, errno);
+ } else close(ret);
+#else /*HAVE_MKSTEMP*/
+ mktemp(scratch);
+#endif
+
+ lid->data = (krb5_pointer) malloc(sizeof(krb5_fcc_data));
+ if (lid->data == NULL) {
+ krb5_xfree(lid);
+ return KRB5_CC_NOMEM;
+ }
+
+ ((krb5_fcc_data *) lid->data)->filename = (char *)
+ malloc(strlen(scratch) + 1);
+ if (((krb5_fcc_data *) lid->data)->filename == NULL) {
+ krb5_xfree(((krb5_fcc_data *) lid->data));
+ krb5_xfree(lid);
+ return KRB5_CC_NOMEM;
+ }
+
+ /*
+ * The file is initially closed at the end of this call...
+ */
+ ((krb5_fcc_data *) lid->data)->flags = 0;
+ ((krb5_fcc_data *) lid->data)->file = -1;
+ ((krb5_fcc_data *) lid->data)->valid_bytes = 0;
+ data = (krb5_fcc_data *) lid->data;
+
+ retcode = k5_mutex_init(&data->lock);
+ if (retcode)
+ goto err_out;
+
+ /* Set up the filename */
+ strcpy(((krb5_fcc_data *) lid->data)->filename, scratch);
+
+ /* Make sure the file name is reserved */
+ ret = THREEPARAMOPEN(((krb5_fcc_data *) lid->data)->filename,
+ O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0);
+ if (ret == -1) {
+ retcode = krb5_fcc_interpret(context, errno);
+ goto err_out;
+ } else {
+ krb5_int16 fcc_fvno = htons(context->fcc_default_format);
+ krb5_int16 fcc_flen = 0;
+ int errsave, cnt;
+
+ /* Ignore user's umask, set mode = 0600 */
+#ifndef HAVE_FCHMOD
+#ifdef HAVE_CHMOD
+ chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR);
+#endif
+#else
+ fchmod(ret, S_IRUSR | S_IWUSR);
+#endif
+ if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno)))
+ != sizeof(fcc_fvno)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(((krb5_fcc_data *) lid->data)->filename);
+ retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
+ }
+ /* For version 4 we save a length for the rest of the header */
+ if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
+ if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen)))
+ != sizeof(fcc_flen)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(((krb5_fcc_data *) lid->data)->filename);
+ retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
+ }
+ }
+ if (close(ret) == -1) {
+ errsave = errno;
+ (void) unlink(((krb5_fcc_data *) lid->data)->filename);
+ retcode = krb5_fcc_interpret(context, errsave);
+ goto err_out;
+ }
+ *id = lid;
+ /* default to open/close on every trn - otherwise destroy
+ will get as to state confused */
+ ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE;
+ krb5_change_cache ();
+ return KRB5_OK;
+ }
+
+err_out:
+ krb5_xfree(((krb5_fcc_data *) lid->data)->filename);
+ krb5_xfree(((krb5_fcc_data *) lid->data));
+ krb5_xfree(lid);
+ return retcode;
+}
+
+/*
+ * Requires:
+ * id is a file credential cache
+ *
+ * Returns:
+ * The name of the file cred cache id.
+ */
+static const char * KRB5_CALLCONV
+krb5_fcc_get_name (krb5_context context, krb5_ccache id)
+{
+ return (char *) ((krb5_fcc_data *) id->data)->filename;
+}
+
+/*
+ * Modifies:
+ * id, princ
+ *
+ * Effects:
+ * Retrieves the primary principal from id, as set with
+ * krb5_fcc_initialize. The principal is returned is allocated
+ * storage that must be freed by the caller via krb5_free_principal.
+ *
+ * Errors:
+ * system errors
+ * KRB5_CC_NOMEM
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
+{
+ krb5_error_code kret = KRB5_OK;
+
+ kret = k5_mutex_lock(&((krb5_fcc_data *) id->data)->lock);
+ if (kret)
+ return kret;
+
+ MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
+
+ /* make sure we're beyond the header */
+ kret = krb5_fcc_skip_header(context, id);
+ if (kret) goto done;
+ kret = krb5_fcc_read_principal(context, id, princ);
+
+done:
+ MAYBE_CLOSE(context, id, kret);
+ k5_mutex_unlock(&((krb5_fcc_data *) id->data)->lock);
+ return kret;
+}
+
+
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
+{
+ return krb5_cc_retrieve_cred_default (context, id, whichfields,
+ mcreds, creds);
+}
+
+
+/*
+ * Modifies:
+ * the file cache
+ *
+ * Effects:
+ * stores creds in the file cred cache
+ *
+ * Errors:
+ * system errors
+ * storage failure errors
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
+{
+#define TCHECK(ret) if (ret != KRB5_OK) goto lose;
+ krb5_error_code ret;
+
+ ret = k5_mutex_lock(&((krb5_fcc_data *) id->data)->lock);
+ if (ret)
+ return ret;
+
+ /* Make sure we are writing to the end of the file */
+ MAYBE_OPEN(context, id, FCC_OPEN_RDWR);
+
+ /* Make sure we are writing to the end of the file */
+ ret = fcc_lseek((krb5_fcc_data *) id->data, (off_t) 0, SEEK_END);
+ if (ret < 0) {
+ MAYBE_CLOSE_IGNORE(context, id);
+ k5_mutex_unlock(&((krb5_fcc_data *) id->data)->lock);
+ return krb5_fcc_interpret(context, errno);
+ }
+
+ ret = krb5_fcc_store_principal(context, id, creds->client);
+ TCHECK(ret);
+ ret = krb5_fcc_store_principal(context, id, creds->server);
+ TCHECK(ret);
+ ret = krb5_fcc_store_keyblock(context, id, &creds->keyblock);
+ TCHECK(ret);
+ ret = krb5_fcc_store_times(context, id, &creds->times);
+ TCHECK(ret);
+ ret = krb5_fcc_store_octet(context, id, (krb5_int32) creds->is_skey);
+ TCHECK(ret);
+ ret = krb5_fcc_store_int32(context, id, creds->ticket_flags);
+ TCHECK(ret);
+ ret = krb5_fcc_store_addrs(context, id, creds->addresses);
+ TCHECK(ret);
+ ret = krb5_fcc_store_authdata(context, id, creds->authdata);
+ TCHECK(ret);
+ ret = krb5_fcc_store_data(context, id, &creds->ticket);
+ TCHECK(ret);
+ ret = krb5_fcc_store_data(context, id, &creds->second_ticket);
+ TCHECK(ret);
+
+lose:
+ MAYBE_CLOSE(context, id, ret);
+ k5_mutex_unlock(&((krb5_fcc_data *) id->data)->lock);
+ krb5_change_cache ();
+ return ret;
+#undef TCHECK
+}
+
+/*
+ * Non-functional stub implementation for krb5_fcc_remove
+ *
+ * Errors:
+ * KRB5_CC_NOSUPP - not implemented
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ return KRB5_CC_NOSUPP;
+}
+
+/*
+ * Requires:
+ * id is a cred cache returned by krb5_fcc_resolve or
+ * krb5_fcc_generate_new, but has not been opened by krb5_fcc_initialize.
+ *
+ * Modifies:
+ * id
+ *
+ * Effects:
+ * Sets the operational flags of id to flags.
+ */
+static krb5_error_code KRB5_CALLCONV
+krb5_fcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags)
+{
+ krb5_error_code ret = KRB5_OK;
+
+ ret = k5_mutex_lock(&((krb5_fcc_data *) id->data)->lock);
+ if (ret)
+ return ret;
+
+ /* XXX This should check for illegal combinations, if any.. */
+ if (flags & KRB5_TC_OPENCLOSE) {
+ /* asking to turn on OPENCLOSE mode */
+ if (!OPENCLOSE(id)
+ /* XXX Is this test necessary? */
+ && ((krb5_fcc_data *) id->data)->file != NO_FILE)
+ (void) krb5_fcc_close_file (context, ((krb5_fcc_data *) id->data));
+ } else {
+ /* asking to turn off OPENCLOSE mode, meaning it must be
+ left open. We open if it's not yet open */
+ MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
+ }
+
+ ((krb5_fcc_data *) id->data)->flags = flags;
+ k5_mutex_unlock(&((krb5_fcc_data *) id->data)->lock);
+ return ret;
+}
+
+
+static krb5_error_code
+krb5_fcc_interpret(krb5_context context, int errnum)
+{
+ register krb5_error_code retval;
+ switch (errnum) {
+ case ENOENT:
+ retval = KRB5_FCC_NOFILE;
+ break;
+ case EPERM:
+ case EACCES:
+#ifdef EISDIR
+ case EISDIR: /* Mac doesn't have EISDIR */
+#endif
+ case ENOTDIR:
+#ifdef ELOOP
+ case ELOOP: /* Bad symlink is like no file. */
+#endif
+#ifdef ETXTBSY
+ case ETXTBSY:
+#endif
+ case EBUSY:
+ case EROFS:
+ retval = KRB5_FCC_PERM;
+ break;
+ case EINVAL:
+ case EEXIST: /* XXX */
+ case EFAULT:
+ case EBADF:
+#ifdef ENAMETOOLONG
+ case ENAMETOOLONG:
+#endif
+#ifdef EWOULDBLOCK
+ case EWOULDBLOCK:
+#endif
+ retval = KRB5_FCC_INTERNAL;
+ break;
+#ifdef EDQUOT
+ case EDQUOT:
+#endif
+ case ENOSPC:
+ case EIO:
+ case ENFILE:
+ case EMFILE:
+ case ENXIO:
+ default:
+ retval = KRB5_CC_IO; /* XXX */
+ }
+ return retval;
+}
+
+const krb5_cc_ops krb5_fcc_ops = {
+ 0,
+ "FILE",
+ krb5_fcc_get_name,
+ krb5_fcc_resolve,
+ krb5_fcc_generate_new,
+ krb5_fcc_initialize,
+ krb5_fcc_destroy,
+ krb5_fcc_close,
+ krb5_fcc_store,
+ krb5_fcc_retrieve,
+ krb5_fcc_get_principal,
+ krb5_fcc_start_seq_get,
+ krb5_fcc_next_cred,
+ krb5_fcc_end_seq_get,
+ krb5_fcc_remove_cred,
+ krb5_fcc_set_flags,
+};
+
+#if defined(_WIN32)
+/*
+ * krb5_change_cache should be called after the cache changes.
+ * A notification message is is posted out to all top level
+ * windows so that they may recheck the cache based on the
+ * changes made. We register a unique message type with which
+ * we'll communicate to all other processes.
+ */
+
+krb5_error_code
+krb5_change_cache (void) {
+
+ PostMessage(HWND_BROADCAST, krb5_get_notification_message(), 0, 0);
+
+ return 0;
+}
+
+unsigned int KRB5_CALLCONV
+krb5_get_notification_message (void) {
+ static unsigned int message = 0;
+
+ if (message == 0)
+ message = RegisterWindowMessage(WM_KERBEROS5_CHANGED);
+
+ return message;
+}
+#else /* _WIN32 */
+
+krb5_error_code
+krb5_change_cache (void)
+{
+ return 0;
+}
+unsigned int
+krb5_get_notification_message (void)
+{
+ return 0;
+}
+
+#endif /* _WIN32 */
+
+const krb5_cc_ops krb5_cc_file_ops = {
+ 0,
+ "FILE",
+ krb5_fcc_get_name,
+ krb5_fcc_resolve,
+ krb5_fcc_generate_new,
+ krb5_fcc_initialize,
+ krb5_fcc_destroy,
+ krb5_fcc_close,
+ krb5_fcc_store,
+ krb5_fcc_retrieve,
+ krb5_fcc_get_principal,
+ krb5_fcc_start_seq_get,
+ krb5_fcc_next_cred,
+ krb5_fcc_end_seq_get,
+ krb5_fcc_remove_cred,
+ krb5_fcc_set_flags,
+};
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_memory.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_memory.c
new file mode 100644
index 0000000000..0d7b7e02cd
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_memory.c
@@ -0,0 +1,623 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/ccache/cc_memory.c + * + * Copyright 1990,1991,2000,2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ * + * + * implementation of memory-based credentials cache + */ +#include "k5-int.h" +#include <errno.h> + +static krb5_error_code KRB5_CALLCONV krb5_mcc_close + (krb5_context, krb5_ccache id ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_destroy + (krb5_context, krb5_ccache id ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_end_seq_get + (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_generate_new + (krb5_context, krb5_ccache *id ); + +static const char * KRB5_CALLCONV krb5_mcc_get_name + (krb5_context, krb5_ccache id ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_get_principal + (krb5_context, krb5_ccache id , krb5_principal *princ ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_initialize + (krb5_context, krb5_ccache id , krb5_principal princ ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_next_cred + (krb5_context, + krb5_ccache id , + krb5_cc_cursor *cursor , + krb5_creds *creds ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_resolve + (krb5_context, krb5_ccache *id , const char *residual ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_retrieve + (krb5_context, + krb5_ccache id , + krb5_flags whichfields , + krb5_creds *mcreds , + krb5_creds *creds ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_start_seq_get + (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_store + (krb5_context, krb5_ccache id , krb5_creds *creds ); + +static krb5_error_code KRB5_CALLCONV krb5_mcc_set_flags + (krb5_context, krb5_ccache id , krb5_flags flags ); + +extern const krb5_cc_ops krb5_mcc_ops; +extern krb5_error_code krb5_change_cache (void); + +#define KRB5_OK 0 + +typedef struct _krb5_mcc_link { + struct _krb5_mcc_link *next; + krb5_creds *creds; +} krb5_mcc_link, *krb5_mcc_cursor; + +typedef struct _krb5_mcc_data { + char *name; + k5_mutex_t lock; + krb5_principal prin; + krb5_mcc_cursor link; +} krb5_mcc_data; + +typedef struct 
krb5_mcc_list_node { + struct krb5_mcc_list_node *next; + krb5_mcc_data *cache; +} krb5_mcc_list_node; + +k5_mutex_t krb5int_mcc_mutex = K5_MUTEX_PARTIAL_INITIALIZER; +static krb5_mcc_list_node *mcc_head = 0; + +/* + * Modifies: + * id + * + * Effects: + * Creates/refreshes the file cred cache id. If the cache exists, its + * contents are destroyed. + * + * Errors: + * system errors + * permission errors + */ +static void krb5_mcc_free (krb5_context context, krb5_ccache id); + +krb5_error_code KRB5_CALLCONV +krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) +{ + krb5_error_code ret; + + krb5_mcc_free(context, id); + ret = krb5_copy_principal(context, princ, + &((krb5_mcc_data *)id->data)->prin); + if (ret == KRB5_OK) + krb5_change_cache(); + return ret; +} + +/* + * Modifies: + * id + * + * Effects: + * Closes the file cache, invalidates the id, and frees any resources + * associated with the cache. + */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_close(krb5_context context, krb5_ccache id) +{ + krb5_xfree(id); + return KRB5_OK; +} + +void +krb5_mcc_free(krb5_context context, krb5_ccache id) +{ + krb5_mcc_cursor curr,next; + krb5_mcc_data *d; + + d = (krb5_mcc_data *) id->data; + for (curr = d->link; curr;) { + krb5_free_creds(context, curr->creds); + next = curr->next; + krb5_xfree(curr); + curr = next; + } + d->link = NULL; + krb5_free_principal(context, d->prin); +} + +/* + * Effects: + * Destroys the contents of id. 
+ * + * Errors: + * none + */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_destroy(krb5_context context, krb5_ccache id) +{ + krb5_mcc_list_node **curr, *node; + krb5_mcc_data *d; + krb5_error_code err; + + err = k5_mutex_lock(&krb5int_mcc_mutex); + if (err) + return err; + + d = (krb5_mcc_data *)id->data; + for (curr = &mcc_head; *curr; curr = &(*curr)->next) { + if ((*curr)->cache == d) { + node = *curr; + *curr = node->next; + free(node); + break; + } + } + k5_mutex_unlock(&krb5int_mcc_mutex); + + krb5_mcc_free(context, id); + krb5_xfree(d->name); + k5_mutex_destroy(&d->lock); + krb5_xfree(d); + krb5_xfree(id); + + krb5_change_cache (); + return KRB5_OK; +} + +/* + * Requires: + * residual is a legal path name, and a null-terminated string + * + * Modifies: + * id + * + * Effects: + * creates a file-based cred cache that will reside in the file + * residual. The cache is not opened, but the filename is reserved. + * + * Returns: + * A filled in krb5_ccache structure "id". + * + * Errors: + * KRB5_CC_NOMEM - there was insufficient memory to allocate the + * krb5_ccache. id is undefined. 
+ * permission errors + */ +static krb5_error_code new_mcc_data (const char *, krb5_mcc_data **); + +krb5_error_code KRB5_CALLCONV +krb5_mcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) +{ + krb5_ccache lid; + krb5_mcc_list_node *ptr; + krb5_error_code err; + krb5_mcc_data *d; + + lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); + if (lid == NULL) + return KRB5_CC_NOMEM; + + lid->ops = &krb5_mcc_ops; + + err = k5_mutex_lock(&krb5int_mcc_mutex); + if (err) { + /* SUNW14resync - fix mem leak */ + krb5_xfree(lid); + return err; + } + for (ptr = mcc_head; ptr; ptr=ptr->next) + if (!strcmp(ptr->cache->name, residual)) + break; + if (ptr) + d = ptr->cache; + else { + err = new_mcc_data(residual, &d); + if (err) { + k5_mutex_unlock(&krb5int_mcc_mutex); + krb5_xfree(lid); + return err; + } + } + k5_mutex_unlock(&krb5int_mcc_mutex); + lid->data = d; + *id = lid; + return KRB5_OK; +} + +/* + * Effects: + * Prepares for a sequential search of the credentials cache. + * Returns a krb5_cc_cursor to be used with krb5_mcc_next_cred and + * krb5_mcc_end_seq_get. + * + * If the cache is modified between the time of this call and the time + * of the final krb5_mcc_end_seq_get, the results are undefined. + * + * Errors: + * KRB5_CC_NOMEM + * system errors + */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id, + krb5_cc_cursor *cursor) +{ + krb5_mcc_cursor mcursor; + krb5_error_code err; + krb5_mcc_data *d; + + d = id->data; + err = k5_mutex_lock(&d->lock); + if (err) + return err; + mcursor = d->link; + k5_mutex_unlock(&d->lock); + *cursor = (krb5_cc_cursor) mcursor; + return KRB5_OK; +} + +/* + * Requires: + * cursor is a krb5_cc_cursor originally obtained from + * krb5_mcc_start_seq_get. + * + * Modifes: + * cursor, creds + * + * Effects: + * Fills in creds with the "next" credentals structure from the cache + * id. The actual order the creds are returned in is arbitrary. 
+ * Space is allocated for the variable length fields in the + * credentials structure, so the object returned must be passed to + * krb5_destroy_credential. + * + * The cursor is updated for the next call to krb5_mcc_next_cred. + * + * Errors: + * system errors + */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_next_cred(krb5_context context, krb5_ccache id, + krb5_cc_cursor *cursor, krb5_creds *creds) +{ + krb5_mcc_cursor mcursor; + krb5_error_code retval; + krb5_data *scratch; + + /* Once the node in the linked list is created, it's never + modified, so we don't need to worry about locking here. (Note + that we don't support _remove_cred.) */ + mcursor = (krb5_mcc_cursor) *cursor; + if (mcursor == NULL) + return KRB5_CC_END; + memset(creds, 0, sizeof(krb5_creds)); + if (mcursor->creds) { + *creds = *mcursor->creds; + retval = krb5_copy_principal(context, mcursor->creds->client, &creds->client); + if (retval) + return retval; + retval = krb5_copy_principal(context, mcursor->creds->server, + &creds->server); + if (retval) + goto cleanclient; + retval = krb5_copy_keyblock_contents(context, &mcursor->creds->keyblock, + &creds->keyblock); + if (retval) + goto cleanserver; + retval = krb5_copy_addresses(context, mcursor->creds->addresses, + &creds->addresses); + if (retval) + goto cleanblock; + retval = krb5_copy_data(context, &mcursor->creds->ticket, &scratch); + if (retval) + goto cleanaddrs; + creds->ticket = *scratch; + krb5_xfree(scratch); + retval = krb5_copy_data(context, &mcursor->creds->second_ticket, &scratch); + if (retval) + goto cleanticket; + creds->second_ticket = *scratch; + krb5_xfree(scratch); + retval = krb5_copy_authdata(context, mcursor->creds->authdata, + &creds->authdata); + if (retval) + goto clearticket; + } + *cursor = (krb5_cc_cursor)mcursor->next; + return KRB5_OK; + +clearticket: + memset(creds->ticket.data,0, (unsigned) creds->ticket.length); +cleanticket: + krb5_xfree(creds->ticket.data); +cleanaddrs: + krb5_free_addresses(context, 
creds->addresses); +cleanblock: + krb5_xfree(creds->keyblock.contents); +cleanserver: + krb5_free_principal(context, creds->server); +cleanclient: + krb5_free_principal(context, creds->client); + return retval; +} + +/* + * Requires: + * cursor is a krb5_cc_cursor originally obtained from + * krb5_mcc_start_seq_get. + * + * Modifies: + * id, cursor + * + * Effects: + * Finishes sequential processing of the file credentials ccache id, + * and invalidates the cursor (it must never be used after this call). + */ +/* ARGSUSED */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) +{ + *cursor = 0L; + return KRB5_OK; +} + +/* Utility routine: Creates the back-end data for a memory cache, and + threads it into the global linked list. + + Call with the global list lock held. */ +static krb5_error_code +new_mcc_data (const char *name, krb5_mcc_data **dataptr) +{ + krb5_error_code err; + krb5_mcc_data *d; + krb5_mcc_list_node *n; + + d = malloc(sizeof(krb5_mcc_data)); + if (d == NULL) + return KRB5_CC_NOMEM; + + err = k5_mutex_init(&d->lock); + if (err) { + krb5_xfree(d); + return err; + } + + d->name = malloc(strlen(name) + 1); + if (d->name == NULL) { + k5_mutex_destroy(&d->lock); + krb5_xfree(d); + return KRB5_CC_NOMEM; + } + d->link = NULL; + d->prin = NULL; + + /* Set up the filename */ + strcpy(d->name, name); + + n = malloc(sizeof(krb5_mcc_list_node)); + if (n == NULL) { + free(d->name); + k5_mutex_destroy(&d->lock); + free(d); + return KRB5_CC_NOMEM; + } + + n->cache = d; + n->next = mcc_head; + mcc_head = n; + + *dataptr = d; + return 0; +} + +/* + * Effects: + * Creates a new file cred cache whose name is guaranteed to be + * unique. The name begins with the string TKT_ROOT (from mcc.h). + * The cache is not opened, but the new filename is reserved. + * + * Returns: + * The filled in krb5_ccache id. + * + * Errors: + * KRB5_CC_NOMEM - there was insufficient memory to allocate the + * krb5_ccache. 
id is undefined. + * system errors (from open) + */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_generate_new (krb5_context context, krb5_ccache *id) +{ + krb5_ccache lid; + char scratch[6+1]; /* 6 for the scratch part, +1 for NUL */ + krb5_error_code err; + krb5_mcc_data *d; + + /* Allocate memory */ + lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); + if (lid == NULL) + return KRB5_CC_NOMEM; + + lid->ops = &krb5_mcc_ops; + + (void) strcpy(scratch, "XXXXXX"); + mktemp(scratch); + + err = k5_mutex_lock(&krb5int_mcc_mutex); + if (err) { + free(lid); + return err; + } + err = new_mcc_data(scratch, &d); + k5_mutex_unlock(&krb5int_mcc_mutex); + if (err) { + krb5_xfree(lid); + return err; + } + lid->data = d; + *id = lid; /* SUNW14resync - fix to 1.4.2 */ + krb5_change_cache (); + return KRB5_OK; +} + +/* + * Requires: + * id is a file credential cache + * + * Returns: + * The name of the file cred cache id. + */ +const char * KRB5_CALLCONV +krb5_mcc_get_name (krb5_context context, krb5_ccache id) +{ + return (char *) ((krb5_mcc_data *) id->data)->name; +} + +/* + * Modifies: + * id, princ + * + * Effects: + * Retrieves the primary principal from id, as set with + * krb5_mcc_initialize. The principal is returned is allocated + * storage that must be freed by the caller via krb5_free_principal. 
+ * + * Errors: + * system errors + * KRB5_CC_NOMEM + */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ) +{ + krb5_mcc_data *ptr = (krb5_mcc_data *)id->data; + if (!ptr->prin) { + *princ = 0L; + return KRB5_FCC_NOFILE; + } + return krb5_copy_principal(context, ptr->prin, princ); +} + +krb5_error_code KRB5_CALLCONV +krb5_mcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, + krb5_creds *mcreds, krb5_creds *creds) +{ + return krb5_cc_retrieve_cred_default (context, id, whichfields, + mcreds, creds); +} + +/* + * Non-functional stub implementation for krb5_mcc_remove + * + * Errors: + * KRB5_CC_NOSUPP - not implemented + */ +static krb5_error_code KRB5_CALLCONV +krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, + krb5_creds *creds) +{ + return KRB5_CC_NOSUPP; +} + + +/* + * Requires: + * id is a cred cache returned by krb5_mcc_resolve or + * krb5_mcc_generate_new, but has not been opened by krb5_mcc_initialize. + * + * Modifies: + * id + * + * Effects: + * Sets the operational flags of id to flags. + */ +krb5_error_code KRB5_CALLCONV +krb5_mcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags) +{ + return KRB5_OK; +} + +/* store: Save away creds in the ccache. 
*/ +krb5_error_code KRB5_CALLCONV +krb5_mcc_store(krb5_context ctx, krb5_ccache id, krb5_creds *creds) +{ + krb5_error_code err; + krb5_mcc_link *new_node; + krb5_mcc_data *mptr = (krb5_mcc_data *)id->data; + + new_node = malloc(sizeof(krb5_mcc_link)); + if (new_node == NULL) + return errno; + err = krb5_copy_creds(ctx, creds, &new_node->creds); + if (err) { + free(new_node); + return err; + } + err = k5_mutex_lock(&mptr->lock); + if (err) { + /* SUNW14resync - fix mem leak */ + free(new_node); + return err; + } + new_node->next = mptr->link; + mptr->link = new_node; + k5_mutex_unlock(&mptr->lock); + return 0; +} + +const krb5_cc_ops krb5_mcc_ops = { + 0, + "MEMORY", + krb5_mcc_get_name, + krb5_mcc_resolve, + krb5_mcc_generate_new, + krb5_mcc_initialize, + krb5_mcc_destroy, + krb5_mcc_close, + krb5_mcc_store, + krb5_mcc_retrieve, + krb5_mcc_get_principal, + krb5_mcc_start_seq_get, + krb5_mcc_next_cred, + krb5_mcc_end_seq_get, + krb5_mcc_remove_cred, + krb5_mcc_set_flags, +}; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_retr.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_retr.c index 63a3d24142..c1dd94d76d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_retr.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cc_retr.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,6 +34,7 @@ */ #include <k5-int.h> +#include "cc-int.h" #define KRB5_OK 0 @@ -42,9 +43,7 @@ #define times_match_exact(t1,t2) (memcmp((char *)(t1), (char *)(t2), sizeof(*(t1))) == 0) static krb5_boolean -times_match(t1, t2) - const krb5_ticket_times *t1; - const krb5_ticket_times *t2; +times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2) { if (t1->renew_till) { if (t1->renew_till > t2->renew_till) 
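Review bot: krb5_mcc_free() releases `d->prin` with krb5_free_principal() but never clears the field, so when krb5_mcc_initialize() calls it and the following krb5_copy_principal() fails, the cache is left holding a pointer to freed memory that krb5_mcc_get_principal() will later copy from (assuming the failed copy does not overwrite its output). Adding `d->prin = NULL;` after the free closes that. In krb5_mcc_store() the lock-failure path frees only `new_node`, so the credentials just duplicated by krb5_copy_creds(), session key included, are leaked; it should call `krb5_free_creds(ctx, new_node->creds);` first. Separately, krb5_mcc_resolve() hands the same `krb5_mcc_data` to every handle opened under one name while krb5_mcc_destroy() frees it unconditionally, which looks like a use-after-free for any other open handle and probably needs a reference count.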
@@ -59,10 +58,7 @@ times_match(t1, t2) } static krb5_boolean -standard_fields_match(context, mcreds, creds) -krb5_context context; -const krb5_creds *mcreds; -const krb5_creds *creds; +standard_fields_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds *creds) { return (krb5_principal_compare(context, mcreds->client,creds->client) && krb5_principal_compare(context, mcreds->server,creds->server)); @@ -71,9 +67,7 @@ const krb5_creds *creds; /* only match the server name portion, not the server realm portion */ static krb5_boolean -srvname_match(context, mcreds, creds) - krb5_context context; - const krb5_creds *mcreds, *creds; +srvname_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds *creds) { krb5_boolean retval; krb5_principal_data p1, p2; @@ -91,8 +85,7 @@ srvname_match(context, mcreds, creds) } static krb5_boolean -authdata_match(mdata, data) - krb5_authdata * const *mdata, * const *data; +authdata_match(krb5_authdata *const *mdata, krb5_authdata *const *data) { const krb5_authdata *mdatap, *datap; @@ -110,7 +103,7 @@ authdata_match(mdata, data) if ((mdatap->ad_type != datap->ad_type) || (mdatap->length != datap->length) || (memcmp ((char *)mdatap->contents, - (char *)datap->contents, mdatap->length) != 0)) + (char *)datap->contents, (unsigned) mdatap->length) != 0)) return FALSE; mdata++; data++; @@ -119,8 +112,7 @@ authdata_match(mdata, data) } static krb5_boolean -data_match(data1, data2) - const krb5_data *data1, *data2; +data_match(const krb5_data *data1, const krb5_data *data2) { if (!data1) { if (!data2) @@ -133,7 +125,8 @@ data_match(data1, data2) if (data1->length != data2->length) return FALSE; else - return memcmp(data1->data, data2->data, data1->length) ? FALSE : TRUE; + return memcmp(data1->data, data2->data, (unsigned) data1->length) + ? FALSE : TRUE; } static int 
@@ -173,16 +166,42 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes) * KRB5_CC_NOT_KTYPE */ +krb5_boolean +krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds) +{ + if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) && + srvname_match(context, mcreds, creds)) || + standard_fields_match(context, mcreds, creds)) + && + (! set(KRB5_TC_MATCH_IS_SKEY) || + mcreds->is_skey == creds->is_skey) + && + (! set(KRB5_TC_MATCH_FLAGS_EXACT) || + mcreds->ticket_flags == creds->ticket_flags) + && + (! set(KRB5_TC_MATCH_FLAGS) || + flags_match(mcreds->ticket_flags, creds->ticket_flags)) + && + (! set(KRB5_TC_MATCH_TIMES_EXACT) || + times_match_exact(&mcreds->times, &creds->times)) + && + (! set(KRB5_TC_MATCH_TIMES) || + times_match(&mcreds->times, &creds->times)) + && + ( ! set(KRB5_TC_MATCH_AUTHDATA) || + authdata_match(mcreds->authdata, creds->authdata)) + && + (! set(KRB5_TC_MATCH_2ND_TKT) || + data_match (&mcreds->second_ticket, &creds->second_ticket)) + && + ((! set(KRB5_TC_MATCH_KTYPE))|| + (mcreds->keyblock.enctype == creds->keyblock.enctype))) + return TRUE; + return FALSE; +} + static krb5_error_code -krb5_cc_retrieve_cred_seq (context, id, whichfields, - mcreds, creds, nktypes, ktypes) - krb5_context context; - krb5_ccache id; - krb5_flags whichfields; - krb5_creds *mcreds; - krb5_creds *creds; - int nktypes; - krb5_enctype *ktypes; +krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds, int nktypes, krb5_enctype *ktypes) { /* This function could be considerably faster if it kept indexing */ /* information.. sounds like a "next version" idea to me. :-) */ 
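Review bot: krb5int_cc_creds_match_request() is added as a non-static helper with no header comment, and every `set(...)` test in it appears to depend on the macro expanding against a parameter literally named `whichfields` (the macro definition is outside this hunk). A comment above the function such as `/* Returns TRUE when creds passes every KRB5_TC_MATCH_* test selected in whichfields; set() reads the whichfields parameter by name. */` would make that dependency visible to callers in other files, which the `krb5int_` prefix suggests exist.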
@@ -205,33 +224,7 @@ krb5_cc_retrieve_cred_seq (context, id, whichfields, return kret; while ((kret = krb5_cc_next_cred(context, id, &cursor, &fetchcreds)) == KRB5_OK) { - if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) && - srvname_match(context, mcreds, &fetchcreds)) || - standard_fields_match(context, mcreds, &fetchcreds)) - && - (! set(KRB5_TC_MATCH_IS_SKEY) || - mcreds->is_skey == fetchcreds.is_skey) - && - (! set(KRB5_TC_MATCH_FLAGS_EXACT) || - mcreds->ticket_flags == fetchcreds.ticket_flags) - && - (! set(KRB5_TC_MATCH_FLAGS) || - flags_match(mcreds->ticket_flags, fetchcreds.ticket_flags)) - && - (! set(KRB5_TC_MATCH_TIMES_EXACT) || - times_match_exact(&mcreds->times, &fetchcreds.times)) - && - (! set(KRB5_TC_MATCH_TIMES) || - times_match(&mcreds->times, &fetchcreds.times)) - && - ( ! set(KRB5_TC_MATCH_AUTHDATA) || - authdata_match(mcreds->authdata, fetchcreds.authdata)) - && - (! set(KRB5_TC_MATCH_2ND_TKT) || - data_match (&mcreds->second_ticket, &fetchcreds.second_ticket)) - && - ((! set(KRB5_TC_MATCH_KTYPE))|| - (mcreds->keyblock.enctype == fetchcreds.keyblock.enctype))) + if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds)) { if (ktypes) { fetched.pref = pref (fetchcreds.keyblock.enctype, @@ -269,12 +262,7 @@ krb5_cc_retrieve_cred_seq (context, id, whichfields, } krb5_error_code KRB5_CALLCONV -krb5_cc_retrieve_cred_default (context, id, flags, mcreds, creds) - krb5_context context; - krb5_ccache id; - krb5_flags flags; - krb5_creds *mcreds; - krb5_creds *creds; +krb5_cc_retrieve_cred_default (krb5_context context, krb5_ccache id, krb5_flags flags, krb5_creds *mcreds, krb5_creds *creds) { krb5_enctype *ktypes; int nktypes; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccbase.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccbase.c index 1251da9468..6c5f1e12a2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccbase.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccbase.c 
@@ -1,21 +1,16 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * lib/krb5/ccache/ccbase.c * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990,2004 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright 
@@ -29,52 +24,102 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * Registration functions for ccache. */ -#include <k5-int.h> +#include "k5-int.h" +#include "k5-thread.h" + +#include "fcc.h" +#include "cc-int.h" + +struct krb5_cc_typelist { + const krb5_cc_ops *ops; + struct krb5_cc_typelist *next; +}; +extern const krb5_cc_ops krb5_mcc_ops; -extern krb5_cc_ops *krb5_cc_dfl_ops; -struct krb5_cc_typelist - { - krb5_cc_ops *ops; - struct krb5_cc_typelist *next; - }; -extern krb5_cc_ops krb5_mcc_ops; +#ifdef _WIN32 +extern const krb5_cc_ops krb5_lcc_ops; +static struct krb5_cc_typelist cc_lcc_entry = { &krb5_lcc_ops, NULL }; +static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, &cc_lcc_entry }; +#else +static struct krb5_cc_typelist cc_mcc_entry = { &krb5_mcc_ops, NULL }; +#endif -static struct krb5_cc_typelist cc_entry = { &krb5_mcc_ops, NULL }; +static struct krb5_cc_typelist cc_fcc_entry = { &krb5_cc_file_ops, + &cc_mcc_entry }; + +static struct krb5_cc_typelist *cc_typehead = &cc_fcc_entry; +static k5_mutex_t cc_typelist_lock = K5_MUTEX_PARTIAL_INITIALIZER; + +int +krb5int_cc_initialize(void) +{ + int err; + + err = k5_mutex_finish_init(&krb5int_mcc_mutex); + if (err) + return err; + err = k5_mutex_finish_init(&cc_typelist_lock); + if (err) + return err; + err = k5_mutex_finish_init(&krb5int_cc_file_mutex); + if (err) + return err; + return 0; +} + +void +krb5int_cc_finalize(void) +{ + struct krb5_cc_typelist *t, *t_next; + k5_mutex_destroy(&cc_typelist_lock); + k5_mutex_destroy(&krb5int_cc_file_mutex); + k5_mutex_destroy(&krb5int_mcc_mutex); + for (t = cc_typehead; t != &cc_fcc_entry; t = t_next) { + t_next = t->next; + free(t); + } +} -static struct krb5_cc_typelist *cc_typehead = &cc_entry; /* * Register a new credentials cache type * If override is set, replace any existing ccache with that type tag */ -/*ARGSUSED*/ -KRB5_DLLIMP 
krb5_error_code KRB5_CALLCONV -krb5_cc_register(context, ops, override) - krb5_context context; - krb5_cc_ops FAR *ops; - krb5_boolean override; +krb5_error_code KRB5_CALLCONV +krb5_cc_register(krb5_context context, krb5_cc_ops *ops, krb5_boolean override) { struct krb5_cc_typelist *t; + krb5_error_code err; + + err = k5_mutex_lock(&cc_typelist_lock); + if (err) + return err; for (t = cc_typehead;t && strcmp(t->ops->prefix,ops->prefix);t = t->next) ; if (t) { if (override) { t->ops = ops; + k5_mutex_unlock(&cc_typelist_lock); return 0; - } else + } else { + k5_mutex_unlock(&cc_typelist_lock); return KRB5_CC_TYPE_EXISTS; + } } - if (!(t = (struct krb5_cc_typelist *) malloc(sizeof(*t)))) + if (!(t = (struct krb5_cc_typelist *) malloc(sizeof(*t)))) { + k5_mutex_unlock(&cc_typelist_lock); return ENOMEM; + } t->next = cc_typehead; t->ops = ops; cc_typehead = t; + k5_mutex_unlock(&cc_typelist_lock); return 0; } 
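Review bot: krb5int_cc_finalize() frees every dynamically registered `krb5_cc_typelist` node but leaves `cc_typehead` pointing at the first freed node, and it walks the list only after `cc_typelist_lock` has been destroyed. Any later krb5_cc_register() or krb5_cc_resolve() call, for example if the library is finalized and then used again (not visible from this hunk), would walk freed memory. Resetting the head after the loop with `cc_typehead = &cc_fcc_entry;` keeps the list valid, and moving the k5_mutex_destroy() calls below the loop makes teardown the reverse of setup.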
@@ -88,43 +133,60 @@ krb5_cc_register(context, ops, override) * particular cache type. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_cc_resolve (context, name, cache) - krb5_context context; - const char *name; - krb5_ccache *cache; +#include <ctype.h> +krb5_error_code KRB5_CALLCONV +krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache) { struct krb5_cc_typelist *tlist; char *pfx, *cp; - char *resid; - int pfxlen; - + const char *resid; + unsigned int pfxlen; + krb5_error_code err; + cp = strchr (name, ':'); if (!cp) { if (krb5_cc_dfl_ops) - return (*krb5_cc_dfl_ops->resolve)(context, cache, (char *)name); + return (*krb5_cc_dfl_ops->resolve)(context, cache, name); else return KRB5_CC_BADNAME; } pfxlen = cp - name; - resid = (char *)name + pfxlen + 1; - - pfx = malloc (pfxlen+1); - if (!pfx) - return ENOMEM; - memcpy (pfx, name, pfxlen); - pfx[pfxlen] = '\0'; + if ( pfxlen == 1 && isalpha(name[0]) ) { + /* We found a drive letter not a prefix - use FILE: */ + pfx = strdup("FILE:"); + if (!pfx) + return ENOMEM; + + resid = name; + } else { + resid = name + pfxlen + 1; + + pfx = malloc (pfxlen+1); + if (!pfx) + return ENOMEM; + + memcpy (pfx, name, pfxlen); + pfx[pfxlen] = '\0'; + } *cache = (krb5_ccache) 0; + err = k5_mutex_lock(&cc_typelist_lock); + if (err) { + free(pfx); + return err; + } for (tlist = cc_typehead; tlist; tlist = tlist->next) { if (strcmp (tlist->ops->prefix, pfx) == 0) { + krb5_error_code (KRB5_CALLCONV *ccresolver)() = tlist->ops->resolve; + k5_mutex_unlock(&cc_typelist_lock); free(pfx); - return (*tlist->ops->resolve)(context, cache, resid); + return (*ccresolver)(context, cache, resid); } } + k5_mutex_unlock(&cc_typelist_lock); if (krb5_cc_dfl_ops && !strcmp (pfx, krb5_cc_dfl_ops->prefix)) { free (pfx); return (*krb5_cc_dfl_ops->resolve)(context, cache, resid); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cccopy.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cccopy.c index 82bd625d62..f0413e7775 100644 
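Review bot: The drive-letter branch sets `pfx = strdup("FILE:")`, but the type list is searched with `strcmp(tlist->ops->prefix, pfx)` and the file ops tables in this commit register the prefix as `"FILE"` without a colon, so a name such as `C:\path` can never match and falls through to the default-ops comparison. The prefix should be `pfx = strdup("FILE");`. The same branch passes a plain `char` to isalpha(), which is undefined for negative values; use `isalpha((unsigned char) name[0])`. The heuristic is also not limited to `_WIN32`, so on other platforms any one-letter cache type prefix is silently treated as a file name and should be guarded or documented. The end of krb5_cc_resolve lies outside this hunk.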
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cccopy.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/cccopy.c @@ -1,25 +1,17 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" -#include <k5-int.h> +#include "k5-int.h" -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_cc_copy_creds(context, incc, outcc) - krb5_context context; - krb5_ccache incc; - krb5_ccache outcc; +krb5_error_code KRB5_CALLCONV +krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc) { krb5_error_code code; krb5_flags flags; - krb5_cc_cursor cur; + krb5_cc_cursor cur = 0; krb5_creds creds; flags = 0; /* turns off OPENCLOSE mode */ - if ((code = krb5_cc_set_flags(context, incc, flags)) != NULL) + if ((code = krb5_cc_set_flags(context, incc, flags))) return(code); /* the code for this will open the file for reading only, which is not what I had in mind. So I won't turn off OPENCLOSE @@ -29,10 +21,10 @@ krb5_cc_copy_creds(context, incc, outcc) return(code); #endif - if ((code = krb5_cc_start_seq_get(context, incc, &cur)) != NULL) + if ((code = krb5_cc_start_seq_get(context, incc, &cur))) goto cleanup; - while ((code = krb5_cc_next_cred(context, incc, &cur, &creds)) == NULL) { + while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) { code = krb5_cc_store_cred(context, outcc, &creds); krb5_free_cred_contents(context, &creds); if (code) @@ -42,13 +34,22 @@ krb5_cc_copy_creds(context, incc, outcc) if (code != KRB5_CC_END) goto cleanup; + code = krb5_cc_end_seq_get(context, incc, &cur); + cur = 0; + if (code) + goto cleanup; + code = 0; cleanup: flags = KRB5_TC_OPENCLOSE; + /* If set then we are in an error pathway */ + if (cur) + krb5_cc_end_seq_get(context, incc, &cur); + if (code) - (void) krb5_cc_set_flags(context, incc, flags); + krb5_cc_set_flags(context, incc, flags); else code = krb5_cc_set_flags(context, incc, flags); 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefault.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefault.c index 94e883a36b..2c232ded50 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefault.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefault.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -43,12 +43,10 @@ #include <KerberosLoginInternal.h> #endif -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_cc_default(context, ccache) - krb5_context context; - krb5_ccache FAR *ccache; +krb5_error_code KRB5_CALLCONV +krb5_cc_default(krb5_context context, krb5_ccache *ccache) { - krb5_error_code retval; + krb5_error_code retval; krb5_os_context os_ctx; if (!context || context->magic != KV5M_CONTEXT) @@ -56,13 +54,7 @@ krb5_cc_default(context, ccache) os_ctx = context->os_context; - retval = krb5_cc_resolve(context, krb5_cc_default_name(context), ccache); - if (!retval && ccache && !os_ctx->default_ccprincipal) { - /* We got a ccache... remember what principal is associated with it */ - if (krb5_cc_get_principal (context, *ccache, &os_ctx->default_ccprincipal) != 0) - os_ctx->default_ccprincipal = 0; - } - return retval; + return krb5_cc_resolve(context, krb5_cc_default_name(context), ccache); } /* This is the internal function which opens the default ccache. On platforms supporting 
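Review bot: With the `default_ccprincipal` caching removed, `os_ctx` in krb5_cc_default() is still declared and assigned from `context->os_context` but is never read. Dropping the `krb5_os_context os_ctx;` declaration and the `os_ctx = context->os_context;` assignment avoids an unused-variable warning and makes it clear the function no longer touches the OS context. The declaration sits in the previous hunk of this file.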
@@ -72,61 +64,22 @@ krb5_cc_default(context, ccache) All krb5 and GSS functions which need to open a cache to get a tgt to obtain service tickets should call this function, not krb5_cc_default() */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5int_cc_default(context, ccache) - krb5_context context; - krb5_ccache FAR *ccache; +krb5_error_code KRB5_CALLCONV +krb5int_cc_default(krb5_context context, krb5_ccache *ccache) { + + if (!context || context->magic != KV5M_CONTEXT) { + return KV5M_CONTEXT; + } + /* * Solaris Kerberos: the following is specific to the Macintosh */ -#if defined(USE_LOGIN_LIBRARY) && defined(macintosh) - { - /* make sure the default cache has tix before you open it */ - char *outCacheName; - KLPrincipal desiredPrincipal = nil; - krb5_principal desiredKrb5Principal; - krb5_error_code err; - krb5_os_context os_ctx; +#ifdef USE_LOGIN_LIBRARY - if (!context || context->magic != KV5M_CONTEXT) - return KV5M_CONTEXT; - - os_ctx = context->os_context; - - desiredKrb5Principal = os_ctx->default_ccprincipal; - - /* do we want a specific client principal? 
*/ - if (desiredKrb5Principal != NULL) { - char *desiredName; - - err = krb5_unparse_name (context, desiredKrb5Principal, &desiredName); - if (!err) { - err = KLCreatePrincipalFromString (desiredName, - kerberosVersion_V5, &desiredPrincipal); - krb5_free_unparsed_name (context, desiredName); - if (err != klNoErr) - desiredPrincipal = nil; - } - } - - /* Try to make sure a krb5 tgt is in the cache */ - err = __KLInternalAcquireTicketsForCache (desiredPrincipal, krb5_cc_default_name(context), - kerberosVersion_V5, nil, &outCacheName); - if (err == klNoErr) { - /* This function tries to get tickets and put them in the specified - cache, however, if the cache does not exist, it may choose to put - them elsewhere (ie: the system default) so we set that here */ - if (strcmp (krb5_cc_default_name (context), outCacheName) != 0) { - krb5_cc_set_default_name (context, outCacheName); - } - KLDisposeString (outCacheName); - } - - if (desiredPrincipal != nil) - KLDisposePrincipal (desiredPrincipal); - } + /* MIT14resync; not needed for Solaris Kerberos */ #endif + return krb5_cc_default (context, ccache); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefops.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefops.c index 5576aba257..b4dc34569f 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefops.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccdefops.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -37,7 +37,7 @@ #include <k5-int.h> -#if defined(macintosh) +#if defined(USE_CCAPI) /* * Macs use the shared, memory based credentials cache 
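Review bot: The `#ifdef USE_LOGIN_LIBRARY` block kept in `krb5int_cc_default` now contains only the comment `/* MIT14resync; not needed for Solaris Kerberos */`, while the comment above it still announces Macintosh-specific code. Removing the empty guard and replacing both comments with one line, e.g. `/* Solaris Kerberos: no login-library ticket acquisition; just open the default ccache */`, would describe what the function does now. The added magic check repeats the test `krb5_cc_default` already performs on the same `context`, so it is redundant, though harmless.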
@@ -47,23 +47,11 @@ */ #include "stdcc.h" /* from ccapi subdir */ -krb5_cc_ops *krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; +const krb5_cc_ops *krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; #else -#ifdef HAVE_SYS_TYPES_H -/* Systems that have <sys/types.h> probably have Unix-like files (off_t, - for example, which is needed by fcc.h). */ - #include "fcc.h" /* From file subdir */ -krb5_cc_ops *krb5_cc_dfl_ops = &krb5_cc_file_ops; - -#else -/* Systems that don't have <sys/types.h> probably have stdio anyway. */ - -#include "scc.h" /* From stdio subdir */ -krb5_cc_ops *krb5_cc_dfl_ops = &krb5_scc_ops; - -#endif +const krb5_cc_ops *krb5_cc_dfl_ops = &krb5_cc_file_ops; #endif diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccfns.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccfns.c new file mode 100644 index 0000000000..a40db67868 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ccfns.c 
@@ -0,0 +1,126 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * lib/krb5/ccache/ccfns.c
+ *
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Dispatch methods for credentials cache code.
+ */
+
+#include "k5-int.h"
+
+const char * KRB5_CALLCONV
+krb5_cc_get_name (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->get_name(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_gen_new (krb5_context context, krb5_ccache *cache)
+{
+ return (*cache)->ops->gen_new(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_initialize(krb5_context context, krb5_ccache cache,
+ krb5_principal principal)
+{
+ return cache->ops->init(context, cache, principal);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_destroy (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->destroy(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_close (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->close(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
+ krb5_creds *creds)
+{
+ return cache->ops->store(context, cache, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache,
+ krb5_flags flags, krb5_creds *mcreds,
+ krb5_creds *creds)
+{
+ return cache->ops->retrieve(context, cache, flags, mcreds, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_principal (krb5_context context, krb5_ccache cache,
+ krb5_principal *principal)
+{
+ return cache->ops->get_princ(context, cache, principal);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_start_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor *cursor)
+{
+ return cache->ops->get_first(context, cache, cursor);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_next_cred (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor *cursor, krb5_creds *creds)
+{
+ return cache->ops->get_next(context, cache, cursor, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_end_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor *cursor)
+{
+ return cache->ops->end_get(context, cache, cursor);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_remove_cred (krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds *creds)
+{
+ return cache->ops->remove_cred(context, cache, flags, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_flags (krb5_context context, krb5_ccache cache, krb5_flags flags)
+{
+ return cache->ops->set_flags(context, cache, flags);
+}
+
+const char * KRB5_CALLCONV
+krb5_cc_get_type (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->prefix;
+}
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/fcc.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/fcc.h
new file mode 100644
index 0000000000..157ff77320
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/fcc.h
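Review bot: Every wrapper in the new ccfns.c dereferences `cache->ops` without checking that `cache` or `cache->ops` is non-NULL, and `krb5_cc_gen_new` reads `(*cache)->ops`, so its `cache` argument must already point at a valid ccache on entry even though it looks like a pure output parameter. These were presumably macros before this resync, so the behaviour may be unchanged, but as exported functions the precondition belongs in the file comment, e.g. `/* Callers must pass a resolved ccache; cache and cache->ops are not validated here. */`. `krb5_cc_get_type` also ignores its `context` argument, which deserves a short comment so it is not taken for an oversight.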
@@ -0,0 +1,38 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * lib/krb5/ccache/fcc.h
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * This file contains constant and function declarations used in the
+ * file-based credential cache routines.
+ */
+
+#ifndef __KRB5_FILE_CCACHE__
+#define __KRB5_FILE_CCACHE__
+
+extern const krb5_cc_ops krb5_cc_file_ops;
+
+#endif /* __KRB5_FILE_CCACHE__ */
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/scc.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/scc.h
new file mode 100644
index 0000000000..05728322ba
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/scc.h
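Review bot: The include guard `__KRB5_FILE_CCACHE__` is also the guard of the scc.h added later in this commit, so a translation unit that includes both headers silently loses the contents of the second one. Giving each header its own guard (for example `KRB5_FCC_H` here and `KRB5_SCC_H` in scc.h) removes the collision and also avoids the reserved double-underscore prefix. fcc.h additionally uses `krb5_cc_ops` without including `k5-int.h`, so it depends on include order, whereas scc.h includes that header itself.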
@@ -0,0 +1,103 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * lib/krb5/ccache/stdio/scc.h
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * This file contains constant and function declarations used in the
+ * file-based credential cache routines.
+ */
+
+#ifndef __KRB5_FILE_CCACHE__
+#define __KRB5_FILE_CCACHE__
+
+#include "k5-int.h"
+#include <stdio.h>
+
+#define KRB5_OK 0
+
+#define KRB5_SCC_MAXLEN 100
+
+/*
+ * SCC version 2 contains type information for principals. SCC
+ * version 1 does not. The code will accept either, and depending on
+ * what KRB5_SCC_DEFAULT_FVNO is set to, it will create version 1 or
+ * version 2 SCC caches.
+ * + */ + +#define KRB5_SCC_FVNO_1 0x0501 /* krb v5, scc v1 */ +#define KRB5_SCC_FVNO_2 0x0502 /* krb v5, scc v2 */ +#define KRB5_SCC_FVNO_3 0x0503 /* krb v5, scc v3 */ +#define KRB5_SCC_FVNO_4 0x0504 /* krb v5, scc v4 */ + +#define SCC_OPEN_AND_ERASE 1 +#define SCC_OPEN_RDWR 2 +#define SCC_OPEN_RDONLY 3 + +/* Credential file header tags. + * The header tags are constructed as: + * krb5_ui_2 tag + * krb5_ui_2 len + * krb5_octet data[len] + * This format allows for older versions of the fcc processing code to skip + * past unrecognized tag formats. + */ +#define SCC_TAG_DELTATIME 1 + +#ifndef TKT_ROOT +#define TKT_ROOT "/tmp/tkt" +#endif + +/* macros to make checking flags easier */ +#define OPENCLOSE(id) (((krb5_scc_data *)id->data)->flags & KRB5_TC_OPENCLOSE) + +typedef struct _krb5_scc_data { + char *filename; + FILE *file; + krb5_flags flags; + char stdio_buffer[BUFSIZ]; + int version; +} krb5_scc_data; + +/* An off_t can be arbitrarily complex */ +typedef struct _krb5_scc_cursor { + long pos; +} krb5_scc_cursor; + +#define MAYBE_OPEN(context, ID, MODE) \ +{ \ + if (OPENCLOSE (ID)) { \ + krb5_error_code maybe_open_ret = krb5_scc_open_file (context, ID,MODE); \ + if (maybe_open_ret) return maybe_open_ret; } } + +#define MAYBE_CLOSE(context, ID, RET) \ +{ \ + if (OPENCLOSE (ID)) { \ + krb5_error_code maybe_close_ret = krb5_scc_close_file (context, ID); \ + if (!(RET)) RET = maybe_close_ret; } } + +/* DO NOT ADD ANYTHING AFTER THIS #endif */ +#endif /* __KRB5_FILE_CCACHE__ */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ser_cc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ser_cc.c index 08561e6d73..b1027dc2f4 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ser_cc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/ccache/ser_cc.c @@ -1,8 +1,3 @@ -/* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* 
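Review bot: `TKT_ROOT` in the new scc.h defaults to `/tmp/tkt`, a predictable prefix in a world-writable directory, and nothing in the header states how the cache file has to be created. The code that opens these files is not in this hunk, so a comment on the define such as `/* default cache path prefix; the opener must create the file exclusively, owner-only, and must not follow symlinks */` would record the requirement next to the default. Separately, `OPENCLOSE(id)` expands `id->data` without parenthesising `id`, and `MAYBE_OPEN` hides a `return` inside a bare brace block; `((krb5_scc_data *)(id)->data)` and a `do { ... } while (0)` wrapper are the usual forms. The header comment also still describes the file-based routines although this is the stdio cache header.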
@@ -35,7 +30,7 @@ /* * ser_rcdfl.c - Serialize replay cache context. */ -#include <k5-int.h> +#include "k5-int.h" /* * Routines to deal with externalizing krb5_ccache. @@ -44,11 +39,11 @@ * krb5_ccache_internalize(); */ static krb5_error_code krb5_ccache_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_ccache_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_ccache_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Serialization entry for this type. @@ -65,17 +60,14 @@ static const krb5_ser_entry krb5_ccache_ser_entry = { * this krb5_ccache variant. */ static krb5_error_code -krb5_ccache_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_ccache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_ccache ccache; size_t required; kret = EINVAL; - if ((ccache = (krb5_ccache) arg) != NULL) { + if ((ccache = (krb5_ccache) arg)) { /* * Saving FILE: variants of krb5_ccache requires at minimum: * krb5_int32 for KV5M_CCACHE @@ -90,7 +82,7 @@ krb5_ccache_size(kcontext, arg, sizep) * The ccache name is formed as follows: * <prefix>:<name> */ - required += strlen(krb5_rc_get_name(kcontext, ccache)); + required += strlen(krb5_cc_get_name(kcontext, ccache)); kret = 0; *sizep += required; 
@@ -102,11 +94,7 @@ krb5_ccache_size(kcontext, arg, sizep) * krb5_ccache_externalize() - Externalize the krb5_ccache. */ static krb5_error_code -krb5_ccache_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_ccache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_ccache ccache; @@ -115,13 +103,13 @@ krb5_ccache_externalize(kcontext, arg, buffer, lenremain) size_t remain; char *ccname; size_t namelen; - char *fnamep; + const char *fnamep; required = 0; bp = *buffer; remain = *lenremain; kret = EINVAL; - if ((ccache = (krb5_ccache) arg) != NULL) { + if ((ccache = (krb5_ccache) arg)) { kret = ENOMEM; if (!krb5_ccache_size(kcontext, arg, &required) && (required <= remain)) { @@ -131,7 +119,7 @@ krb5_ccache_externalize(kcontext, arg, buffer, lenremain) /* Calculate the length of the name */ namelen = (ccache->ops && ccache->ops->prefix) ? strlen(ccache->ops->prefix)+1 : 0; - fnamep = krb5_rc_get_name(kcontext, ccache); + fnamep = krb5_cc_get_name(kcontext, ccache); namelen += (strlen(fnamep)+1); if ((ccname = (char *) malloc(namelen))) { @@ -166,11 +154,7 @@ krb5_ccache_externalize(kcontext, arg, buffer, lenremain) * krb5_ccache_internalize() - Internalize the krb5_ccache. */ static krb5_error_code -krb5_ccache_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_ccache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_ccache ccache; 
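Review bot: In `krb5_ccache_externalize` (hunk at -131) the name-length line guards `ccache->ops && ccache->ops->prefix`, but the changed line right after it calls `krb5_cc_get_name(kcontext, ccache)`, which in the ccfns.c added by this commit dereferences `cache->ops` unconditionally, and the result goes straight into `strlen(fnamep)`. Either the guard is unnecessary or the call needs the same protection; the same unchecked call feeds `strlen` in `krb5_ccache_size` (hunk at -90). If a NULL ops table or a NULL name can reach this code, a check such as `if (!ccache->ops || !(fnamep = krb5_cc_get_name(kcontext, ccache))) return EINVAL;` before the length computation would make the two lines agree. Both function bodies extend beyond their hunks, so the surrounding cleanup should be confirmed before adding an early return.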
@@ -213,9 +197,8 @@ krb5_ccache_internalize(kcontext, argp, buffer, lenremain) /* * Register the ccache serializer. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_ser_ccache_init(kcontext) - krb5_context kcontext; +krb5_error_code KRB5_CALLCONV +krb5_ser_ccache_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_ccache_ser_entry)); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt-int.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt-int.h new file mode 100644 index 0000000000..e544ce7bef --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt-int.h 
@@ -0,0 +1,41 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * lib/krb5/keytab/kt-int.h
+ *
+ * Copyright 2004 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * This file contains constant and function declarations used in the
+ * file-based credential cache routines.
+ */
+
+#ifndef __KRB5_KEYTAB_INT_H__
+#define __KRB5_KEYTAB_INT_H__
+
+
+int krb5int_kt_initialize(void);
+
+void krb5int_kt_finalize(void);
+
+#endif /* __KRB5_KEYTAB_INT_H__ */
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt_file.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt_file.c
new file mode 100644
index 0000000000..e2feb149d0
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt_file.c
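Review bot: The last paragraph of the header comment in kt-int.h says the file holds declarations for the file-based credential cache routines, but the header declares `krb5int_kt_initialize` and `krb5int_kt_finalize` for the keytab code. The text reads as copied from fcc.h; `* This file contains internal declarations for the keytab initialization and finalization routines.` would match the contents. The meaning of the `int` returned by `krb5int_kt_initialize` is also undocumented and deserves one line.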
@@ -0,0 +1,1724 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/keytab/kt_file.c + * + * Copyright 1990,1991,1995 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ + +#define NEED_SOCKETS +#include "k5-int.h" +#include <stdio.h> + +/* + * Information needed by internal routines of the file-based ticket + * cache implementation. 
+ */ + + +/* + * Constants + */ +#define IGNORE_VNO 0 +#define IGNORE_ENCTYPE 0 + +#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ +#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ + +#define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO + +/* + * Types + */ +typedef struct _krb5_ktfile_data { + char *name; /* Name of the file */ + FILE *openf; /* open file, if any. */ + char iobuf[BUFSIZ]; /* so we can zap it later */ + int version; /* Version number of keytab */ + k5_mutex_t lock; /* Protect openf, version */ +} krb5_ktfile_data; + +/* + * Macros + */ +#define KTPRIVATE(id) ((krb5_ktfile_data *)(id)->data) +#define KTFILENAME(id) (((krb5_ktfile_data *)(id)->data)->name) +#define KTFILEP(id) (((krb5_ktfile_data *)(id)->data)->openf) +#define KTFILEBUFP(id) (((krb5_ktfile_data *)(id)->data)->iobuf) +#define KTVERSION(id) (((krb5_ktfile_data *)(id)->data)->version) +#define KTLOCK(id) k5_mutex_lock(&((krb5_ktfile_data *)(id)->data)->lock) +#define KTUNLOCK(id) k5_mutex_unlock(&((krb5_ktfile_data *)(id)->data)->lock) +#define KTCHECKLOCK(id) k5_mutex_assert_locked(&((krb5_ktfile_data *)(id)->data)->lock) + +extern const struct _krb5_kt_ops krb5_ktf_ops; +extern const struct _krb5_kt_ops krb5_ktf_writable_ops; + +krb5_error_code KRB5_CALLCONV krb5_ktfile_resolve + (krb5_context, + const char *, + krb5_keytab *); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_wresolve + (krb5_context, + const char *, + krb5_keytab *); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_get_name + (krb5_context, + krb5_keytab, + char *, + unsigned int); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_close + (krb5_context, + krb5_keytab); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_get_entry + (krb5_context, + krb5_keytab, + krb5_const_principal, + krb5_kvno, + krb5_enctype, + krb5_keytab_entry *); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_start_seq_get + (krb5_context, + krb5_keytab, + krb5_kt_cursor *); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_get_next + 
(krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_kt_cursor *); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_end_get + (krb5_context, + krb5_keytab, + krb5_kt_cursor *); + +/* routines to be included on extended version (write routines) */ +krb5_error_code KRB5_CALLCONV krb5_ktfile_add + (krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +krb5_error_code KRB5_CALLCONV krb5_ktfile_remove + (krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +krb5_error_code krb5_ktfileint_openr + (krb5_context, + krb5_keytab); + +krb5_error_code krb5_ktfileint_openw + (krb5_context, + krb5_keytab); + +krb5_error_code krb5_ktfileint_close + (krb5_context, + krb5_keytab); + +krb5_error_code krb5_ktfileint_read_entry + (krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +krb5_error_code krb5_ktfileint_write_entry + (krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +krb5_error_code krb5_ktfileint_delete_entry + (krb5_context, + krb5_keytab, + krb5_int32); + +krb5_error_code krb5_ktfileint_internal_read_entry + (krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_int32 *); + +krb5_error_code krb5_ktfileint_size_entry + (krb5_context, + krb5_keytab_entry *, + krb5_int32 *); + +krb5_error_code krb5_ktfileint_find_slot + (krb5_context, + krb5_keytab, + krb5_int32 *, + krb5_int32 *); + + +/* + * This is an implementation specific resolver. It returns a keytab id + * initialized with file keytab routines. 
+ */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_resolve(krb5_context context, const char *name, krb5_keytab *id) +{ + krb5_ktfile_data *data; + krb5_error_code err; + + if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) + return(ENOMEM); + + (*id)->ops = &krb5_ktf_ops; + if ((data = (krb5_ktfile_data *)malloc(sizeof(krb5_ktfile_data))) == NULL) { + krb5_xfree(*id); + return(ENOMEM); + } + + err = k5_mutex_init(&data->lock); + if (err) { + krb5_xfree(*id); + return err; + } + + if ((data->name = (char *)calloc(strlen(name) + 1, sizeof(char))) == NULL) { + k5_mutex_destroy(&data->lock); + krb5_xfree(data); + krb5_xfree(*id); + return(ENOMEM); + } + + (void) strcpy(data->name, name); + data->openf = 0; + data->version = 0; + + (*id)->data = (krb5_pointer)data; + (*id)->magic = KV5M_KEYTAB; + return(0); +} + + +/* + * "Close" a file-based keytab and invalidate the id. This means + * free memory hidden in the structures. + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_close(krb5_context context, krb5_keytab id) + /* + * This routine is responsible for freeing all memory allocated + * for this keytab. There are no system resources that need + * to be freed nor are there any open files. + * + * This routine should undo anything done by krb5_ktfile_resolve(). + */ +{ + krb5_xfree(KTFILENAME(id)); + zap(KTFILEBUFP(id), BUFSIZ); + k5_mutex_destroy(&((krb5_ktfile_data *)id->data)->lock); + krb5_xfree(id->data); + id->ops = 0; + krb5_xfree(id); + return (0); +} + +/* + * This is the get_entry routine for the file based keytab implementation. + * It opens the keytab file, and either retrieves the entry or returns + * an error. 
+ */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, + krb5_const_principal principal, krb5_kvno kvno, + krb5_enctype enctype, krb5_keytab_entry *entry) +{ + krb5_keytab_entry cur_entry, new_entry; + krb5_error_code kerror = 0; + int found_wrong_kvno = 0; + krb5_boolean similar; + int kvno_offset = 0; + + kerror = KTLOCK(id); + if (kerror) + return kerror; + + /* Open the keyfile for reading */ + if ((kerror = krb5_ktfileint_openr(context, id))) { + KTUNLOCK(id); + return(kerror); + } + + /* + * For efficiency and simplicity, we'll use a while true that + * is exited with a break statement. + */ + cur_entry.principal = 0; + cur_entry.vno = 0; + cur_entry.key.contents = 0; + + while (TRUE) { + if ((kerror = krb5_ktfileint_read_entry(context, id, &new_entry))) + break; + + /* by the time this loop exits, it must either free cur_entry, + and copy new_entry there, or free new_entry. Otherwise, it + leaks. */ + + /* if the principal isn't the one requested, free new_entry + and continue to the next. */ + + if (!krb5_principal_compare(context, principal, new_entry.principal)) { + krb5_kt_free_entry(context, &new_entry); + continue; + } + + /* if the enctype is not ignored and doesn't match, free new_entry + and continue to the next */ + + if (enctype != IGNORE_ENCTYPE) { + if ((kerror = krb5_c_enctype_compare(context, enctype, + new_entry.key.enctype, + &similar))) { + krb5_kt_free_entry(context, &new_entry); + break; + } + + if (!similar) { + krb5_kt_free_entry(context, &new_entry); + continue; + } + /* + * Coerce the enctype of the output keyblock in case we + * got an inexact match on the enctype. + */ + new_entry.key.enctype = enctype; + + } + + if (kvno == IGNORE_VNO) { + /* if this is the first match, or if the new vno is + bigger, free the current and keep the new. Otherwise, + free the new. */ + /* A 1.2.x keytab contains only the low 8 bits of the key + version number. 
Since it can be much bigger, and thus + the 8-bit value can wrap, we need some heuristics to + figure out the "highest" numbered key if some numbers + close to 255 and some near 0 are used. + + The heuristic here: + + If we have any keys with versions over 240, then assume + that all version numbers 0-127 refer to 256+N instead. + Not perfect, but maybe good enough? */ + +#define M(VNO) (((VNO) - kvno_offset + 256) % 256) + + if (new_entry.vno > 240) + kvno_offset = 128; + if (! cur_entry.principal || + M(new_entry.vno) > M(cur_entry.vno)) { + krb5_kt_free_entry(context, &cur_entry); + cur_entry = new_entry; + } else { + krb5_kt_free_entry(context, &new_entry); + } + } else { + /* if this kvno matches, free the current (will there ever + be one?), keep the new, and break out. Otherwise, remember + that we were here so we can return the right error, and + free the new */ + /* Yuck. The krb5-1.2.x keytab format only stores one byte + for the kvno, so we're toast if the kvno requested is + higher than that. Short-term workaround: only compare + the low 8 bits. */ + + if (new_entry.vno == (kvno & 0xff)) { + krb5_kt_free_entry(context, &cur_entry); + cur_entry = new_entry; + break; + } else { + found_wrong_kvno++; + krb5_kt_free_entry(context, &new_entry); + } + } + } + + if (kerror == KRB5_KT_END) { + if (cur_entry.principal) + kerror = 0; + else if (found_wrong_kvno) + kerror = KRB5_KT_KVNONOTFOUND; + else + kerror = KRB5_KT_NOTFOUND; + } + if (kerror) { + (void) krb5_ktfileint_close(context, id); + KTUNLOCK(id); + krb5_kt_free_entry(context, &cur_entry); + return kerror; + } + if ((kerror = krb5_ktfileint_close(context, id)) != 0) { + KTUNLOCK(id); + krb5_kt_free_entry(context, &cur_entry); + return kerror; + } + KTUNLOCK(id); + *entry = cur_entry; + return 0; +} + +/* + * Get the name of the file containing a file-based keytab. 
+ */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len) + /* + * This routine returns the name of the name of the file associated with + * this file-based keytab. name is zeroed and the filename is truncated + * to fit in name if necessary. The name is prefixed with PREFIX:, so that + * trt will happen if the name is passed back to resolve. + */ +{ + memset(name, 0, len); + + if (len < strlen(id->ops->prefix)+2) + return(KRB5_KT_NAME_TOOLONG); + strcpy(name, id->ops->prefix); + name += strlen(id->ops->prefix); + name[0] = ':'; + name++; + len -= strlen(id->ops->prefix)+1; + + if (len < strlen(KTFILENAME(id)+1)) + return(KRB5_KT_NAME_TOOLONG); + strcpy(name, KTFILENAME(id)); + /* strcpy will NUL-terminate the destination */ + + return(0); +} + +/* + * krb5_ktfile_start_seq_get() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursorp) +{ + krb5_error_code retval; + long *fileoff; + + retval = KTLOCK(id); + if (retval) + return retval; + + if ((retval = krb5_ktfileint_openr(context, id))) { + KTUNLOCK(id); + return retval; + } + + if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { + krb5_ktfileint_close(context, id); + KTUNLOCK(id); + return ENOMEM; + } + *fileoff = ftell(KTFILEP(id)); + *cursorp = (krb5_kt_cursor)fileoff; + KTUNLOCK(id); + + return 0; +} + +/* + * krb5_ktfile_get_next() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor) +{ + long *fileoff = (long *)*cursor; + krb5_keytab_entry cur_entry; + krb5_error_code kerror; + + kerror = KTLOCK(id); + if (kerror) + return kerror; + if (fseek(KTFILEP(id), *fileoff, 0) == -1) { + KTUNLOCK(id); + return KRB5_KT_END; + } + if ((kerror = krb5_ktfileint_read_entry(context, id, &cur_entry))) { + KTUNLOCK(id); + return kerror; + } + *fileoff = ftell(KTFILEP(id)); + *entry = 
cur_entry; + KTUNLOCK(id); + return 0; +} + +/* + * krb5_ktfile_end_get() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) +{ + krb5_error_code kerror; + + krb5_xfree(*cursor); + KTLOCK(id); + kerror = krb5_ktfileint_close(context, id); + KTUNLOCK(id); + return kerror; +} + +/* + * ser_ktf.c - Serialize keytab file context for subsequent reopen. + */ + +static const char ktfile_def_name[] = "."; + +/* + * Routines to deal with externalizing krb5_keytab for [WR]FILE: variants. + * krb5_ktf_keytab_size(); + * krb5_ktf_keytab_externalize(); + * krb5_ktf_keytab_internalize(); + */ +static krb5_error_code krb5_ktf_keytab_size + (krb5_context, krb5_pointer, size_t *); +static krb5_error_code krb5_ktf_keytab_externalize + (krb5_context, krb5_pointer, krb5_octet **, size_t *); +static krb5_error_code krb5_ktf_keytab_internalize + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); + +/* + * Serialization entry for this type. + */ +const krb5_ser_entry krb5_ktfile_ser_entry = { + KV5M_KEYTAB, /* Type */ + krb5_ktf_keytab_size, /* Sizer routine */ + krb5_ktf_keytab_externalize, /* Externalize routine */ + krb5_ktf_keytab_internalize /* Internalize routine */ +}; + +/* + * krb5_ktf_keytab_size() - Determine the size required to externalize + * this krb5_keytab variant. + */ +static krb5_error_code +krb5_ktf_keytab_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) +{ + krb5_error_code kret; + krb5_keytab keytab; + size_t required; + krb5_ktfile_data *ktdata; + + kret = EINVAL; + if ((keytab = (krb5_keytab) arg)) { + /* + * Saving FILE: variants of krb5_keytab requires at minimum: + * krb5_int32 for KV5M_KEYTAB + * krb5_int32 for length of keytab name. + * krb5_int32 for file status. + * krb5_int32 for file position. + * krb5_int32 for file position. + * krb5_int32 for version. 
+ * krb5_int32 for KV5M_KEYTAB + */ + required = sizeof(krb5_int32) * 7; + if (keytab->ops && keytab->ops->prefix) + required += (strlen(keytab->ops->prefix)+1); + + /* + * The keytab name is formed as follows: + * <prefix>:<name> + * If there's no name, we use a default name so that we have something + * to call krb5_keytab_resolve with. + */ + ktdata = (krb5_ktfile_data *) keytab->data; + required += strlen((ktdata && ktdata->name) ? + ktdata->name : ktfile_def_name); + kret = 0; + + *sizep += required; + } + return(kret); +} + +/* + * krb5_ktf_keytab_externalize() - Externalize the krb5_keytab. + */ +static krb5_error_code +krb5_ktf_keytab_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) +{ + krb5_error_code kret; + krb5_keytab keytab; + size_t required; + krb5_octet *bp; + size_t remain; + krb5_ktfile_data *ktdata; + krb5_int32 file_is_open; + krb5_int32 file_pos[2]; + char *ktname; + size_t namelen; + const char *fnamep; + + required = 0; + bp = *buffer; + remain = *lenremain; + kret = EINVAL; + if ((keytab = (krb5_keytab) arg)) { + kret = ENOMEM; + if (!krb5_ktf_keytab_size(kcontext, arg, &required) && + (required <= remain)) { + /* Our identifier */ + (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain); + + ktdata = (krb5_ktfile_data *) keytab->data; + file_is_open = 0; + file_pos[0] = 0; + file_pos[1] = 0; + + /* Calculate the length of the name */ + namelen = (keytab->ops && keytab->ops->prefix) ? + strlen(keytab->ops->prefix)+1 : 0; + if (ktdata && ktdata->name) + fnamep = ktdata->name; + else + fnamep = ktfile_def_name; + namelen += (strlen(fnamep)+1); + + if ((ktname = (char *) malloc(namelen))) { + /* Format the keytab name. */ + if (keytab->ops && keytab->ops->prefix) + sprintf(ktname, "%s:%s", keytab->ops->prefix, fnamep); + + else + strcpy(ktname, fnamep); + + /* Fill in the file-specific keytab information. 
*/ + if (ktdata) { + if (ktdata->openf) { + long fpos; + int fflags = 0; + + file_is_open = 1; +#if !defined(_WIN32) + fflags = fcntl(fileno(ktdata->openf), F_GETFL, 0); + if (fflags > 0) + file_is_open |= ((fflags & O_ACCMODE) << 1); +#else + file_is_open = 0; +#endif + fpos = ftell(ktdata->openf); +#if SIZEOF_LONG == 4 + file_pos[0] = fpos; +#else /* SIZEOF_LONG == 4 */ + file_pos[0] = fpos & 0xffffffff; + file_pos[1] = (fpos >> 32) & 0xffffffff; +#endif /* SIZEOF_LONG == 4 */ + } + } + + /* Put the length of the file name */ + (void) krb5_ser_pack_int32((krb5_int32) strlen(ktname), + &bp, &remain); + + /* Put the name */ + (void) krb5_ser_pack_bytes((krb5_octet *) ktname, + strlen(ktname), + &bp, &remain); + + /* Put the file open flag */ + (void) krb5_ser_pack_int32(file_is_open, &bp, &remain); + + /* Put the file position */ + (void) krb5_ser_pack_int32(file_pos[0], &bp, &remain); + (void) krb5_ser_pack_int32(file_pos[1], &bp, &remain); + + /* Put the version */ + (void) krb5_ser_pack_int32((krb5_int32) ((ktdata) ? + ktdata->version : 0), + &bp, &remain); + + /* Put the trailer */ + (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain); + kret = 0; + *buffer = bp; + *lenremain = remain; + free(ktname); + } + } + } + return(kret); +} + +/* + * krb5_ktf_keytab_internalize() - Internalize the krb5_ktf_keytab. 
+ */ +static krb5_error_code +krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) +{ + krb5_error_code kret; + krb5_keytab keytab; + krb5_int32 ibuf; + krb5_octet *bp; + size_t remain; + char *ktname; + krb5_ktfile_data *ktdata; + krb5_int32 file_is_open; + krb5_int32 foffbuf[2]; + + bp = *buffer; + remain = *lenremain; + kret = EINVAL; + /* Read our magic number */ + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) + ibuf = 0; + if (ibuf == KV5M_KEYTAB) { + kret = ENOMEM; + + /* Get the length of the keytab name */ + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + + if (!kret && + (ktname = (char *) malloc((size_t) (ibuf+1))) && + !(kret = krb5_ser_unpack_bytes((krb5_octet *) ktname, + (size_t) ibuf, + &bp, &remain))) { + ktname[ibuf] = '\0'; + kret = krb5_kt_resolve(kcontext, ktname, &keytab); + if (!kret) { + kret = ENOMEM; + ktdata = (krb5_ktfile_data *) keytab->data; + if (!ktdata) { + /* XXX */ + keytab->data = (void *) malloc(sizeof(krb5_ktfile_data)); + ktdata = (krb5_ktfile_data *) keytab->data; + memset(ktdata, 0, sizeof(krb5_ktfile_data)); + if (strchr(ktname, (int) ':')) + ktdata->name = strdup(strchr(ktname, (int) ':')+1); + else + ktdata->name = strdup(ktname); + } + if (ktdata) { + if (remain >= (sizeof(krb5_int32)*5)) { + (void) krb5_ser_unpack_int32(&file_is_open, + &bp, &remain); + (void) krb5_ser_unpack_int32(&foffbuf[0], + &bp, &remain); + (void) krb5_ser_unpack_int32(&foffbuf[1], + &bp, &remain); + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + ktdata->version = (int) ibuf; + + (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (ibuf == KV5M_KEYTAB) { + if (file_is_open) { + int fmode; + long fpos; + +#if !defined(_WIN32) + fmode = (file_is_open >> 1) & O_ACCMODE; +#else + fmode = 0; +#endif + if (fmode) + kret = krb5_ktfileint_openw(kcontext, + keytab); + else + kret = krb5_ktfileint_openr(kcontext, + keytab); + if (!kret) { +#if SIZEOF_LONG == 4 + fpos = foffbuf[0]; 
+#else /* SIZEOF_LONG == 4 */ + fpos = foffbuf[0] | ((long) foffbuf[1] << 32); +#endif /* SIZEOF_LONG == 4 */ + fseek(KTFILEP(keytab), fpos, SEEK_SET); + } + } + kret = 0; + } + else + kret = EINVAL; + } + } + if (kret) { + if (keytab->data) { + if (KTFILENAME(keytab)) + krb5_xfree(KTFILENAME(keytab)); + krb5_xfree(keytab->data); + } + krb5_xfree(keytab); + } + else { + *buffer = bp; + *lenremain = remain; + *argp = (krb5_pointer) keytab; + } + } + free(ktname); + } + } + return(kret); +} + +/* + * This is an implementation specific resolver. It returns a keytab id + * initialized with file keytab routines. + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_wresolve(krb5_context context, const char *name, krb5_keytab *id) +{ + krb5_ktfile_data *data; + krb5_error_code err; + + if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) + return(ENOMEM); + + (*id)->ops = &krb5_ktf_writable_ops; + if ((data = (krb5_ktfile_data *)malloc(sizeof(krb5_ktfile_data))) == NULL) { + krb5_xfree(*id); + return(ENOMEM); + } + + err = k5_mutex_init(&data->lock); + if (err) { + krb5_xfree(*id); + return err; + } + + if ((data->name = (char *)calloc(strlen(name) + 1, sizeof(char))) == NULL) { + k5_mutex_destroy(&data->lock); + krb5_xfree(data); + krb5_xfree(*id); + return(ENOMEM); + } + + (void) strcpy(data->name, name); + data->openf = 0; + data->version = 0; + + (*id)->data = (krb5_pointer)data; + (*id)->magic = KV5M_KEYTAB; + return(0); +} + + +/* + * krb5_ktfile_add() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) +{ + krb5_error_code retval; + + retval = KTLOCK(id); + if (retval) + return retval; + if ((retval = krb5_ktfileint_openw(context, id))) { + KTUNLOCK(id); + return retval; + } + if (fseek(KTFILEP(id), 0, 2) == -1) { + KTUNLOCK(id); + return KRB5_KT_END; + } + retval = krb5_ktfileint_write_entry(context, id, entry); + krb5_ktfileint_close(context, id); + KTUNLOCK(id); + return retval; +} + +/* + * 
krb5_ktfile_remove() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) +{ + krb5_keytab_entry cur_entry; + krb5_error_code kerror; + krb5_int32 delete_point; + + kerror = KTLOCK(id); + if (kerror) + return kerror; + + if ((kerror = krb5_ktfileint_openw(context, id))) { + KTUNLOCK(id); + return kerror; + } + + /* + * For efficiency and simplicity, we'll use a while true that + * is exited with a break statement. + */ + while (TRUE) { + if ((kerror = krb5_ktfileint_internal_read_entry(context, id, + &cur_entry, + &delete_point))) + break; + + if ((entry->vno == cur_entry.vno) && + (entry->key.enctype == cur_entry.key.enctype) && + krb5_principal_compare(context, entry->principal, cur_entry.principal)) { + /* found a match */ + krb5_kt_free_entry(context, &cur_entry); + break; + } + krb5_kt_free_entry(context, &cur_entry); + } + + if (kerror == KRB5_KT_END) + kerror = KRB5_KT_NOTFOUND; + + if (kerror) { + (void) krb5_ktfileint_close(context, id); + KTUNLOCK(id); + return kerror; + } + + kerror = krb5_ktfileint_delete_entry(context, id, delete_point); + + if (kerror) { + (void) krb5_ktfileint_close(context, id); + } else { + kerror = krb5_ktfileint_close(context, id); + } + KTUNLOCK(id); + return kerror; +} + +/* + * krb5_ktf_ops + */ + +const struct _krb5_kt_ops krb5_ktf_ops = { + 0, + "FILE", /* Prefix -- this string should not appear anywhere else! */ + krb5_ktfile_resolve, + krb5_ktfile_get_name, + krb5_ktfile_close, + krb5_ktfile_get_entry, + krb5_ktfile_start_seq_get, + krb5_ktfile_get_next, + krb5_ktfile_end_get, + 0, + 0, + &krb5_ktfile_ser_entry +}; + +/* + * krb5_ktf_writable_ops + */ + +const struct _krb5_kt_ops krb5_ktf_writable_ops = { + 0, + "WRFILE", /* Prefix -- this string should not appear anywhere else! 
*/ + krb5_ktfile_wresolve, + krb5_ktfile_get_name, + krb5_ktfile_close, + krb5_ktfile_get_entry, + krb5_ktfile_start_seq_get, + krb5_ktfile_get_next, + krb5_ktfile_end_get, + krb5_ktfile_add, + krb5_ktfile_remove, + &krb5_ktfile_ser_entry +}; + +/* + * krb5_kt_dfl_ops + */ + +const krb5_kt_ops krb5_kt_dfl_ops = { + 0, + "FILE", /* Prefix -- this string should not appear anywhere else! */ + krb5_ktfile_resolve, + krb5_ktfile_get_name, + krb5_ktfile_close, + krb5_ktfile_get_entry, + krb5_ktfile_start_seq_get, + krb5_ktfile_get_next, + krb5_ktfile_end_get, + 0, + 0, + &krb5_ktfile_ser_entry +}; + +/* + * lib/krb5/keytab/file/ktf_util.c + * + * Copyright (c) Hewlett-Packard Company 1991 + * Released to the Massachusetts Institute of Technology for inclusion + * in the Kerberos source code distribution. + * + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. 
It is provided "as is" without express + * or implied warranty. + * + * + * This function contains utilities for the file based implementation of + * the keytab. There are no public functions in this file. + * + * This file is the only one that has knowledge of the format of a + * keytab file. + * + * The format is as follows: + * + * <file format vno> + * <record length> + * principal timestamp vno key + * <record length> + * principal timestamp vno key + * .... + * + * A length field (sizeof(krb5_int32)) exists between entries. When this + * length is positive it indicates an active entry, when negative a hole. + * The length indicates the size of the block in the file (this may be + * larger than the size of the next record, since we are using a first + * fit algorithm for re-using holes and the first fit may be larger than + * the entry we are writing). Another (compatible) implementation could + * break up holes when allocating them to smaller entries to minimize + * wasted space. (Such an implementation should also coalesce adjacent + * holes to reduce fragmentation). This implementation does neither. + * + * There are no separators between fields of an entry. + * A principal is a length-encoded array of length-encoded strings. The + * length is a krb5_int16 in each case. The specific format, then, is + * multiple entries concatinated with no separators. An entry has this + * exact format: + * + * sizeof(krb5_int16) bytes for number of components in the principal; + * then, each component listed in ordser. + * For each component, sizeof(krb5_int16) bytes for the number of bytes + * in the component, followed by the component. 
+ * sizeof(krb5_int32) for the principal type (for KEYTAB V2 and higher) + * sizeof(krb5_int32) bytes for the timestamp + * sizeof(krb5_octet) bytes for the key version number + * sizeof(krb5_int16) bytes for the enctype + * sizeof(krb5_int32) bytes for the key length, followed by the key + */ + +#ifndef SEEK_SET +#define SEEK_SET 0 +#define SEEK_CUR 1 +#endif + +typedef krb5_int16 krb5_kt_vno; + +#define krb5_kt_default_vno ((krb5_kt_vno)KRB5_KT_DEFAULT_VNO) + +#define xfwrite(a, b, c, d) fwrite((char *)a, b, (unsigned) c, d) +#define xfread(a, b, c, d) fread((char *)a, b, (unsigned) c, d) + +#ifdef ANSI_STDIO +static char *const fopen_mode_rbplus= "rb+"; +static char *const fopen_mode_rb = "rb"; +#else +static char *const fopen_mode_rbplus= "r+"; +static char *const fopen_mode_rb = "r"; +#endif + +static krb5_error_code +krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) +{ + krb5_error_code kerror; + krb5_kt_vno kt_vno; + int writevno = 0; + + KTCHECKLOCK(id); + errno = 0; + KTFILEP(id) = fopen(KTFILENAME(id), + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? + fopen_mode_rbplus : fopen_mode_rb); + if (!KTFILEP(id)) { + if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) { + /* try making it first time around */ + krb5_create_secure_file(context, KTFILENAME(id)); + errno = 0; + KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); + if (!KTFILEP(id)) + return errno ? errno : EMFILE; + writevno = 1; + } else /* some other error */ + return errno ? 
errno : EMFILE; + } + if ((kerror = krb5_lock_file(context, fileno(KTFILEP(id)), mode))) { + (void) fclose(KTFILEP(id)); + KTFILEP(id) = 0; + return kerror; + } + /* assume ANSI or BSD-style stdio */ + setbuf(KTFILEP(id), KTFILEBUFP(id)); + + /* get the vno and verify it */ + if (writevno) { + kt_vno = htons(krb5_kt_default_vno); + KTVERSION(id) = krb5_kt_default_vno; + if (!xfwrite(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { + kerror = errno; + (void) krb5_unlock_file(context, fileno(KTFILEP(id))); + (void) fclose(KTFILEP(id)); + return kerror; + } + } else { + /* gotta verify it instead... */ + if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { + kerror = errno; + (void) krb5_unlock_file(context, fileno(KTFILEP(id))); + (void) fclose(KTFILEP(id)); + return kerror; + } + kt_vno = KTVERSION(id) = ntohs(kt_vno); + if ((kt_vno != KRB5_KT_VNO) && + (kt_vno != KRB5_KT_VNO_1)) { + (void) krb5_unlock_file(context, fileno(KTFILEP(id))); + (void) fclose(KTFILEP(id)); + return KRB5_KEYTAB_BADVNO; + } + } + return 0; +} + +krb5_error_code +krb5_ktfileint_openr(krb5_context context, krb5_keytab id) +{ + return krb5_ktfileint_open(context, id, KRB5_LOCKMODE_SHARED); +} + +krb5_error_code +krb5_ktfileint_openw(krb5_context context, krb5_keytab id) +{ + return krb5_ktfileint_open(context, id, KRB5_LOCKMODE_EXCLUSIVE); +} + +krb5_error_code +krb5_ktfileint_close(krb5_context context, krb5_keytab id) +{ + krb5_error_code kerror; + + KTCHECKLOCK(id); + if (!KTFILEP(id)) + return 0; + kerror = krb5_unlock_file(context, fileno(KTFILEP(id))); + (void) fclose(KTFILEP(id)); + KTFILEP(id) = 0; + return kerror; +} + +krb5_error_code +krb5_ktfileint_delete_entry(krb5_context context, krb5_keytab id, krb5_int32 delete_point) +{ + krb5_int32 size; + krb5_int32 len; + char iobuf[BUFSIZ]; + + KTCHECKLOCK(id); + if (fseek(KTFILEP(id), delete_point, SEEK_SET)) { + return errno; + } + if (!xfread(&size, sizeof(size), 1, KTFILEP(id))) { + return KRB5_KT_END; + } + if (KTVERSION(id) != 
KRB5_KT_VNO_1) + size = ntohl(size); + + if (size > 0) { + krb5_int32 minus_size = -size; + if (KTVERSION(id) != KRB5_KT_VNO_1) + minus_size = htonl(minus_size); + + if (fseek(KTFILEP(id), delete_point, SEEK_SET)) { + return errno; + } + + if (!xfwrite(&minus_size, sizeof(minus_size), 1, KTFILEP(id))) { + return KRB5_KT_IOERR; + } + + if (size < BUFSIZ) { + len = size; + } else { + len = BUFSIZ; + } + + memset(iobuf, 0, (size_t) len); + while (size > 0) { + xfwrite(iobuf, 1, (size_t) len, KTFILEP(id)); + size -= len; + if (size < len) { + len = size; + } + } + + return krb5_sync_disk_file(context, KTFILEP(id)); + } + + return 0; +} + +krb5_error_code +krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *ret_entry, krb5_int32 *delete_point) +{ + krb5_octet vno; + krb5_int16 count; + unsigned int u_count, u_princ_size; + krb5_int16 enctype; + krb5_int16 princ_size; + register int i; + krb5_int32 size; + krb5_int32 start_pos; + krb5_error_code error; + char *tmpdata; + krb5_data *princ; + + KTCHECKLOCK(id); + memset(ret_entry, 0, sizeof(krb5_keytab_entry)); + ret_entry->magic = KV5M_KEYTAB_ENTRY; + + /* fseek to synchronise buffered I/O on the key table. */ + + if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) + { + return errno; + } + + do { + *delete_point = ftell(KTFILEP(id)); + if (!xfread(&size, sizeof(size), 1, KTFILEP(id))) { + return KRB5_KT_END; + } + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = ntohl(size); + + if (size < 0) { + if (fseek(KTFILEP(id), -size, SEEK_CUR)) { + return errno; + } + } + } while (size < 0); + + if (size == 0) { + return KRB5_KT_END; + } + + start_pos = ftell(KTFILEP(id)); + + /* deal with guts of parsing... 
*/ + + /* first, int16 with #princ components */ + if (!xfread(&count, sizeof(count), 1, KTFILEP(id))) + return KRB5_KT_END; + if (KTVERSION(id) == KRB5_KT_VNO_1) { + count -= 1; /* V1 includes the realm in the count */ + } else { + count = ntohs(count); + } + if (!count || (count < 0)) + return KRB5_KT_END; + ret_entry->principal = (krb5_principal)malloc(sizeof(krb5_principal_data)); + if (!ret_entry->principal) + return ENOMEM; + + u_count = count; + ret_entry->principal->magic = KV5M_PRINCIPAL; + ret_entry->principal->length = u_count; + ret_entry->principal->data = (krb5_data *) + calloc(u_count, sizeof(krb5_data)); + if (!ret_entry->principal->data) { + free(ret_entry->principal); + ret_entry->principal = 0; + return ENOMEM; + } + + /* Now, get the realm data */ + if (!xfread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + if (KTVERSION(id) != KRB5_KT_VNO_1) + princ_size = ntohs(princ_size); + if (!princ_size || (princ_size < 0)) { + error = KRB5_KT_END; + goto fail; + } + u_princ_size = princ_size; + + krb5_princ_set_realm_length(context, ret_entry->principal, u_princ_size); + tmpdata = malloc(u_princ_size+1); + if (!tmpdata) { + error = ENOMEM; + goto fail; + } + if (fread(tmpdata, 1, u_princ_size, KTFILEP(id)) != (size_t) princ_size) { + free(tmpdata); + error = KRB5_KT_END; + goto fail; + } + tmpdata[princ_size] = 0; /* Some things might be expecting null */ + /* termination... 
``Be conservative in */ + /* what you send out'' */ + krb5_princ_set_realm_data(context, ret_entry->principal, tmpdata); + + for (i = 0; i < count; i++) { + princ = krb5_princ_component(context, ret_entry->principal, i); + if (!xfread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + if (KTVERSION(id) != KRB5_KT_VNO_1) + princ_size = ntohs(princ_size); + if (!princ_size || (princ_size < 0)) { + error = KRB5_KT_END; + goto fail; + } + + u_princ_size = princ_size; + princ->length = u_princ_size; + princ->data = malloc(u_princ_size+1); + if (!princ->data) { + error = ENOMEM; + goto fail; + } + if (!xfread(princ->data, sizeof(char), u_princ_size, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + princ->data[princ_size] = 0; /* Null terminate */ + } + + /* read in the principal type, if we can get it */ + if (KTVERSION(id) != KRB5_KT_VNO_1) { + if (!xfread(&ret_entry->principal->type, + sizeof(ret_entry->principal->type), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + ret_entry->principal->type = ntohl(ret_entry->principal->type); + } + + /* read in the timestamp */ + if (!xfread(&ret_entry->timestamp, sizeof(ret_entry->timestamp), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + if (KTVERSION(id) != KRB5_KT_VNO_1) + ret_entry->timestamp = ntohl(ret_entry->timestamp); + + /* read in the version number */ + if (!xfread(&vno, sizeof(vno), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + ret_entry->vno = (krb5_kvno)vno; + + /* key type */ + if (!xfread(&enctype, sizeof(enctype), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + ret_entry->key.enctype = (krb5_enctype)enctype; + + if (KTVERSION(id) != KRB5_KT_VNO_1) + ret_entry->key.enctype = ntohs(ret_entry->key.enctype); + + /* key contents */ + ret_entry->key.magic = KV5M_KEYBLOCK; + + if (!xfread(&count, sizeof(count), 1, KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + if (KTVERSION(id) != KRB5_KT_VNO_1) + count 
= ntohs(count); + if (!count || (count < 0)) { + error = KRB5_KT_END; + goto fail; + } + + u_count = count; + ret_entry->key.length = u_count; + + ret_entry->key.contents = (krb5_octet *)malloc(u_count); + if (!ret_entry->key.contents) { + error = ENOMEM; + goto fail; + } + if (!xfread(ret_entry->key.contents, sizeof(krb5_octet), count, + KTFILEP(id))) { + error = KRB5_KT_END; + goto fail; + } + + /* + * Reposition file pointer to the next inter-record length field. + */ + fseek(KTFILEP(id), start_pos + size, SEEK_SET); + return 0; +fail: + + for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) { + princ = krb5_princ_component(context, ret_entry->principal, i); + if (princ->data) + free(princ->data); + } + free(ret_entry->principal->data); + ret_entry->principal->data = 0; + free(ret_entry->principal); + ret_entry->principal = 0; + return error; +} + +krb5_error_code +krb5_ktfileint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entryp) +{ + krb5_int32 delete_point; + + return krb5_ktfileint_internal_read_entry(context, id, entryp, &delete_point); +} + +krb5_error_code +krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) +{ + krb5_octet vno; + krb5_data *princ; + krb5_int16 count, size, enctype; + krb5_error_code retval = 0; + krb5_timestamp timestamp; + krb5_int32 princ_type; + krb5_int32 size_needed; + krb5_int32 commit_point; + int i; + + KTCHECKLOCK(id); + retval = krb5_ktfileint_size_entry(context, entry, &size_needed); + if (retval) + return retval; + retval = krb5_ktfileint_find_slot(context, id, &size_needed, &commit_point); + if (retval) + return retval; + + /* fseek to synchronise buffered I/O on the key table. */ + /* XXX Without the weird setbuf crock, can we get rid of this now? 
*/ + if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) + { + return errno; + } + + if (KTVERSION(id) == KRB5_KT_VNO_1) { + count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1; + } else { + count = htons((u_short) krb5_princ_size(context, entry->principal)); + } + + if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) { + abend: + return KRB5_KT_IOERR; + } + size = krb5_princ_realm(context, entry->principal)->length; + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = htons(size); + if (!xfwrite(&size, sizeof(size), 1, KTFILEP(id))) { + goto abend; + } + if (!xfwrite(krb5_princ_realm(context, entry->principal)->data, sizeof(char), + krb5_princ_realm(context, entry->principal)->length, KTFILEP(id))) { + goto abend; + } + + count = (krb5_int16) krb5_princ_size(context, entry->principal); + for (i = 0; i < count; i++) { + princ = krb5_princ_component(context, entry->principal, i); + size = princ->length; + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = htons(size); + if (!xfwrite(&size, sizeof(size), 1, KTFILEP(id))) { + goto abend; + } + if (!xfwrite(princ->data, sizeof(char), princ->length, KTFILEP(id))) { + goto abend; + } + } + + /* + * Write out the principal type + */ + if (KTVERSION(id) != KRB5_KT_VNO_1) { + princ_type = htonl(krb5_princ_type(context, entry->principal)); + if (!xfwrite(&princ_type, sizeof(princ_type), 1, KTFILEP(id))) { + goto abend; + } + } + + /* + * Fill in the time of day the entry was written to the keytab. 
+ */ + if (krb5_timeofday(context, &entry->timestamp)) { + entry->timestamp = 0; + } + if (KTVERSION(id) == KRB5_KT_VNO_1) + timestamp = entry->timestamp; + else + timestamp = htonl(entry->timestamp); + if (!xfwrite(×tamp, sizeof(timestamp), 1, KTFILEP(id))) { + goto abend; + } + + /* key version number */ + vno = (krb5_octet)entry->vno; + if (!xfwrite(&vno, sizeof(vno), 1, KTFILEP(id))) { + goto abend; + } + /* key type */ + if (KTVERSION(id) == KRB5_KT_VNO_1) + enctype = entry->key.enctype; + else + enctype = htons(entry->key.enctype); + if (!xfwrite(&enctype, sizeof(enctype), 1, KTFILEP(id))) { + goto abend; + } + /* key length */ + if (KTVERSION(id) == KRB5_KT_VNO_1) + size = entry->key.length; + else + size = htons(entry->key.length); + if (!xfwrite(&size, sizeof(size), 1, KTFILEP(id))) { + goto abend; + } + if (!xfwrite(entry->key.contents, sizeof(krb5_octet), + entry->key.length, KTFILEP(id))) { + goto abend; + } + + if (fflush(KTFILEP(id))) + goto abend; + + retval = krb5_sync_disk_file(context, KTFILEP(id)); + + if (retval) { + return retval; + } + + if (fseek(KTFILEP(id), commit_point, SEEK_SET)) { + return errno; + } + if (KTVERSION(id) != KRB5_KT_VNO_1) + size_needed = htonl(size_needed); + if (!xfwrite(&size_needed, sizeof(size_needed), 1, KTFILEP(id))) { + goto abend; + } + if (fflush(KTFILEP(id))) + goto abend; + retval = krb5_sync_disk_file(context, KTFILEP(id)); + + return retval; +} + +/* + * Determine the size needed for a file entry for the given + * keytab entry. 
+ */ +krb5_error_code +krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_int32 *size_needed) +{ + krb5_int16 count; + krb5_int32 total_size, i; + krb5_error_code retval = 0; + + count = (krb5_int16) krb5_princ_size(context, entry->principal); + + total_size = sizeof(count); + total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16)); + + for (i = 0; i < count; i++) { + total_size += krb5_princ_component(context, entry->principal,i)->length + + (sizeof(krb5_int16)); + } + + total_size += sizeof(entry->principal->type); + total_size += sizeof(entry->timestamp); + total_size += sizeof(krb5_octet); + total_size += sizeof(krb5_int16); + total_size += sizeof(krb5_int16) + entry->key.length; + + *size_needed = total_size; + return retval; +} + +/* + * Find and reserve a slot in the file for an entry of the needed size. + * The commit point will be set to the position in the file where the + * the length (sizeof(krb5_int32) bytes) of this node should be written + * when commiting the write. The file position left as a result of this + * call is the position where the actual data should be written. + * + * The size_needed argument may be adjusted if we find a hole that is + * larger than the size needed. 
(Recall that size_needed will be used + * to commit the write, but that this field must indicate the size of the + * block in the file rather than the size of the actual entry) + */ +krb5_error_code +krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_needed, krb5_int32 *commit_point) +{ + krb5_int32 size; + krb5_int32 remainder; + krb5_int32 zero_point; + krb5_kt_vno kt_vno; + krb5_boolean found = FALSE; + char iobuf[BUFSIZ]; + + KTCHECKLOCK(id); + /* + * Skip over file version number + */ + if (fseek(KTFILEP(id), 0, SEEK_SET)) { + return errno; + } + if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { + return KRB5_KT_IOERR; + } + + while (!found) { + *commit_point = ftell(KTFILEP(id)); + if (!xfread(&size, sizeof(size), 1, KTFILEP(id))) { + /* + * Hit the end of file, reserve this slot. + */ + size = 0; + + /* fseek to synchronise buffered I/O on the key table. */ + /* XXX Without the weird setbuf hack, can we nuke this now? */ + if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) + { + return errno; + } + +#ifdef notdef + /* We don't have to do this because htonl(0) == 0 */ + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = htonl(size); +#endif + + if (!xfwrite(&size, sizeof(size), 1, KTFILEP(id))) { + return KRB5_KT_IOERR; + } + found = TRUE; + } + + if (KTVERSION(id) != KRB5_KT_VNO_1) + size = ntohl(size); + + if (size > 0) { + if (fseek(KTFILEP(id), size, SEEK_CUR)) { + return errno; + } + } else if (!found) { + size = -size; + if (size >= *size_needed) { + *size_needed = size; + found = TRUE; + } else if (size > 0) { + /* + * The current hole is not large enough, so skip it + */ + if (fseek(KTFILEP(id), size, SEEK_CUR)) { + return errno; + } + } else { + + /* fseek to synchronise buffered I/O on the key table. */ + + if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0) + { + return errno; + } + + /* + * Found the end of the file (marked by a 0 length buffer) + * Make sure we zero any trailing data. 
+ */
+ zero_point = ftell(KTFILEP(id));
+ while ((size = xfread(iobuf, 1, sizeof(iobuf), KTFILEP(id)))) {
+ if (size != sizeof(iobuf)) {
+ remainder = size % sizeof(krb5_int32);
+ if (remainder) {
+ size += sizeof(krb5_int32) - remainder;
+ }
+ }
+
+ if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
+ {
+ return errno;
+ }
+
+ memset(iobuf, 0, (size_t) size);
+ xfwrite(iobuf, 1, (size_t) size, KTFILEP(id));
+ fflush(KTFILEP(id));
+ if (feof(KTFILEP(id))) {
+ break;
+ }
+
+ if (fseek(KTFILEP(id), 0L, SEEK_CUR) < 0)
+ {
+ return errno;
+ }
+
+ }
+ if (fseek(KTFILEP(id), zero_point, SEEK_SET)) {
+ return errno;
+ }
+ }
+ }
+ }
+
+ return 0;
+}
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt_srvtab.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt_srvtab.c
new file mode 100644
index 0000000000..b312acc4ea
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/kt_srvtab.c
@@ -0,0 +1,485 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/keytab/srvtab/kts_resolv.c + * + * Copyright 1990,1991,2002 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#define NEED_SOCKETS +#include "k5-int.h" +#include <stdio.h> + +/* + * Constants + */ +#define IGNORE_VNO 0 +#define IGNORE_ENCTYPE 0 + +#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */ +#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */ + +#define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO + +/* + * Types + */ +typedef struct _krb5_ktsrvtab_data { + char *name; /* Name of the file */ + FILE *openf; /* open file, if any. 
*/ +} krb5_ktsrvtab_data; + +/* + * Macros + */ +#define KTPRIVATE(id) ((krb5_ktsrvtab_data *)(id)->data) +#define KTFILENAME(id) (((krb5_ktsrvtab_data *)(id)->data)->name) +#define KTFILEP(id) (((krb5_ktsrvtab_data *)(id)->data)->openf) + +extern const struct _krb5_kt_ops krb5_kts_ops; + +static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_resolve + (krb5_context, + const char *, + krb5_keytab *); + +static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_name + (krb5_context, + krb5_keytab, + char *, + unsigned int); + +static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_close + (krb5_context, + krb5_keytab); + +static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_entry + (krb5_context, + krb5_keytab, + krb5_const_principal, + krb5_kvno, + krb5_enctype, + krb5_keytab_entry *); + +static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_start_seq_get + (krb5_context, + krb5_keytab, + krb5_kt_cursor *); + +static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_next + (krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_kt_cursor *); + +static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_end_get + (krb5_context, + krb5_keytab, + krb5_kt_cursor *); + +static krb5_error_code krb5_ktsrvint_open + (krb5_context, + krb5_keytab); + +static krb5_error_code krb5_ktsrvint_close + (krb5_context, + krb5_keytab); + +static krb5_error_code krb5_ktsrvint_read_entry + (krb5_context, + krb5_keytab, + krb5_keytab_entry *); + +/* + * This is an implementation specific resolver. It returns a keytab id + * initialized with srvtab keytab routines. + */ + +static krb5_error_code KRB5_CALLCONV +krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id) +{ + krb5_ktsrvtab_data *data; + FILE *fp; + + /* Make sure we can open the srvtab file for reading. 
*/ + fp = fopen(name, "r"); + if (!fp) + return(errno); + fclose(fp); + + if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) + return(ENOMEM); + + (*id)->ops = &krb5_kts_ops; + data = (krb5_ktsrvtab_data *)malloc(sizeof(krb5_ktsrvtab_data)); + if (data == NULL) { + krb5_xfree(*id); + return(ENOMEM); + } + + data->name = (char *)malloc(strlen(name) + 1); + if (data->name == NULL) { + krb5_xfree(data); + krb5_xfree(*id); + return(ENOMEM); + } + + (void) strcpy(data->name, name); + data->openf = 0; + + (*id)->data = (krb5_pointer)data; + (*id)->magic = KV5M_KEYTAB; + return(0); +} + +/* + * "Close" a file-based keytab and invalidate the id. This means + * free memory hidden in the structures. + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktsrvtab_close(krb5_context context, krb5_keytab id) + /* + * This routine is responsible for freeing all memory allocated + * for this keytab. There are no system resources that need + * to be freed nor are there any open files. + * + * This routine should undo anything done by krb5_ktsrvtab_resolve(). + */ +{ + krb5_xfree(KTFILENAME(id)); + krb5_xfree(id->data); + id->ops = 0; + krb5_xfree(id); + return (0); +} + +/* + * This is the get_entry routine for the file based keytab implementation. + * It opens the keytab file, and either retrieves the entry or returns + * an error. + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_principal principal, krb5_kvno kvno, krb5_enctype enctype, krb5_keytab_entry *entry) +{ + krb5_keytab_entry best_entry, ent; + krb5_error_code kerror = 0; + int found_wrong_kvno = 0; + + /* Open the srvtab. */ + if ((kerror = krb5_ktsrvint_open(context, id))) + return(kerror); + + /* srvtab files only have DES_CBC_CRC keys. 
*/ + switch (enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_RAW: + case IGNORE_ENCTYPE: + break; + default: + return KRB5_KT_NOTFOUND; + } + + best_entry.principal = 0; + best_entry.vno = 0; + best_entry.key.contents = 0; + while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) { + ent.key.enctype = enctype; + if (krb5_principal_compare(context, principal, ent.principal)) { + if (kvno == IGNORE_VNO) { + if (!best_entry.principal || (best_entry.vno < ent.vno)) { + krb5_kt_free_entry(context, &best_entry); + best_entry = ent; + } + } else { + if (ent.vno == kvno) { + best_entry = ent; + break; + } else { + found_wrong_kvno = 1; + } + } + } else { + krb5_kt_free_entry(context, &ent); + } + } + if (kerror == KRB5_KT_END) { + if (best_entry.principal) + kerror = 0; + else if (found_wrong_kvno) + kerror = KRB5_KT_KVNONOTFOUND; + else + kerror = KRB5_KT_NOTFOUND; + } + if (kerror) { + (void) krb5_ktsrvint_close(context, id); + krb5_kt_free_entry(context, &best_entry); + return kerror; + } + if ((kerror = krb5_ktsrvint_close(context, id)) != 0) { + krb5_kt_free_entry(context, &best_entry); + return kerror; + } + *entry = best_entry; + return 0; +} + +/* + * Get the name of the file containing a srvtab-based keytab. + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktsrvtab_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len) + /* + * This routine returns the name of the name of the file associated with + * this srvtab-based keytab. The name is prefixed with PREFIX:, so that + * trt will happen if the name is passed back to resolve. 
+ */ +{ + memset(name, 0, len); + + if (len < strlen(id->ops->prefix)+2) + return(KRB5_KT_NAME_TOOLONG); + strcpy(name, id->ops->prefix); + name += strlen(id->ops->prefix); + name[0] = ':'; + name++; + len -= strlen(id->ops->prefix)+1; + + if (len < strlen(KTFILENAME(id)+1)) + return(KRB5_KT_NAME_TOOLONG); + strcpy(name, KTFILENAME(id)); + /* strcpy will NUL-terminate the destination */ + + return(0); +} + +/* + * krb5_ktsrvtab_start_seq_get() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktsrvtab_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursorp) +{ + krb5_error_code retval; + long *fileoff; + + if ((retval = krb5_ktsrvint_open(context, id))) + return retval; + + if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { + krb5_ktsrvint_close(context, id); + return ENOMEM; + } + *fileoff = ftell(KTFILEP(id)); + *cursorp = (krb5_kt_cursor)fileoff; + + return 0; +} + +/* + * krb5_ktsrvtab_get_next() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktsrvtab_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor) +{ + long *fileoff = (long *)*cursor; + krb5_keytab_entry cur_entry; + krb5_error_code kerror; + + if (fseek(KTFILEP(id), *fileoff, 0) == -1) + return KRB5_KT_END; + if ((kerror = krb5_ktsrvint_read_entry(context, id, &cur_entry))) + return kerror; + *fileoff = ftell(KTFILEP(id)); + *entry = cur_entry; + return 0; +} + +/* + * krb5_ktsrvtab_end_get() + */ + +krb5_error_code KRB5_CALLCONV +krb5_ktsrvtab_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) +{ + krb5_xfree(*cursor); + return krb5_ktsrvint_close(context, id); +} + +/* + * krb5_kts_ops + */ + +const struct _krb5_kt_ops krb5_kts_ops = { + 0, + "SRVTAB", /* Prefix -- this string should not appear anywhere else! 
*/ + krb5_ktsrvtab_resolve, + krb5_ktsrvtab_get_name, + krb5_ktsrvtab_close, + krb5_ktsrvtab_get_entry, + krb5_ktsrvtab_start_seq_get, + krb5_ktsrvtab_get_next, + krb5_ktsrvtab_end_get, + 0, + 0, + 0 +}; + +/* + * formerly: lib/krb5/keytab/srvtab/kts_util.c + * + * Copyright (c) Hewlett-Packard Company 1991 + * Released to the Massachusetts Institute of Technology for inclusion + * in the Kerberos source code distribution. + * + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * This function contains utilities for the srvtab based implementation + * of the keytab. There are no public functions in this file. 
+ */ + +#include <stdio.h> + +#ifdef ANSI_STDIO +#define READ_MODE "rb" +#else +#define READ_MODE "r" +#endif + +/* The maximum sizes for V4 aname, realm, sname, and instance +1 */ +/* Taken from krb.h */ +#define ANAME_SZ 40 +#define REALM_SZ 40 +#define SNAME_SZ 40 +#define INST_SZ 40 + +static krb5_error_code +read_field(FILE *fp, char *s, int len) +{ + int c; + + while ((c = getc(fp)) != 0) { + if (c == EOF || len <= 1) + return KRB5_KT_END; + *s = c; + s++; + len--; + } + *s = 0; + return 0; +} + +krb5_error_code +krb5_ktsrvint_open(krb5_context context, krb5_keytab id) +{ + KTFILEP(id) = fopen(KTFILENAME(id), READ_MODE); + if (!KTFILEP(id)) + return errno; + return 0; +} + +krb5_error_code +krb5_ktsrvint_close(krb5_context context, krb5_keytab id) +{ + if (!KTFILEP(id)) + return 0; + (void) fclose(KTFILEP(id)); + KTFILEP(id) = 0; + return 0; +} + +krb5_error_code +krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *ret_entry) +{ + FILE *fp; + char name[SNAME_SZ], instance[INST_SZ], realm[REALM_SZ]; + unsigned char key[8]; + int vno; + krb5_error_code kerror; + + /* Read in an entry from the srvtab file. */ + fp = KTFILEP(id); + kerror = read_field(fp, name, sizeof(name)); + if (kerror != 0) + return kerror; + kerror = read_field(fp, instance, sizeof(instance)); + if (kerror != 0) + return kerror; + kerror = read_field(fp, realm, sizeof(realm)); + if (kerror != 0) + return kerror; + vno = getc(fp); + if (vno == EOF) + return KRB5_KT_END; + if (fread(key, 1, sizeof(key), fp) != sizeof(key)) + return KRB5_KT_END; + + /* Fill in ret_entry with the data we read. Everything maps well + * except for the timestamp, which we don't have a value for. For + * now we just set it to 0. 
*/ + memset(ret_entry, 0, sizeof(*ret_entry)); + ret_entry->magic = KV5M_KEYTAB_ENTRY; + kerror = krb5_425_conv_principal(context, name, instance, realm, + &ret_entry->principal); + if (kerror != 0) + return kerror; + ret_entry->vno = vno; + ret_entry->timestamp = 0; + ret_entry->key.enctype = ENCTYPE_DES_CBC_CRC; + ret_entry->key.magic = KV5M_KEYBLOCK; + ret_entry->key.length = sizeof(key); + ret_entry->key.contents = malloc(sizeof(key)); + if (!ret_entry->key.contents) { + krb5_free_principal(context, ret_entry->principal); + return ENOMEM; + } + memcpy(ret_entry->key.contents, key, sizeof(key)); + + return 0; +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktadd.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktadd.c index be0f50038a..ec808596c2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktadd.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktadd.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -36,11 +36,8 @@ #include <k5-int.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_add_entry (context, id, entry) - krb5_context context; - krb5_keytab id; - krb5_keytab_entry FAR *entry; +krb5_error_code KRB5_CALLCONV +krb5_kt_add_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { if (id->ops->add) return (*id->ops->add)(context, id, entry); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktbase.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktbase.c index ae837a81f3..607519b834 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktbase.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktbase.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
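Review bot: In krb5_ktsrvtab_get_name the second length check reads `if (len < strlen(KTFILENAME(id)+1))`, which measures the file name from its second character, so it accepts a buffer up to two bytes too short for the following `strcpy(name, KTFILENAME(id))` and its terminator. The parenthesis should close before the `+1`: `if (len < strlen(KTFILENAME(id))+1)`. Separately, krb5_ktsrvtab_get_entry returns `KRB5_KT_NOTFOUND` from the default case of the enctype switch after krb5_ktsrvint_open has already succeeded, which leaves the srvtab FILE open. Call `(void) krb5_ktsrvint_close(context, id);` before that return.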
@@ -35,38 +35,87 @@ */ #include <k5-int.h> +#include <k5-thread.h> +#include <kt-int.h> -extern krb5_kt_ops krb5_ktf_ops; -extern krb5_kt_ops krb5_kts_ops; +extern const krb5_kt_ops krb5_ktf_ops; +extern const krb5_kt_ops krb5_ktf_writable_ops; +extern const krb5_kt_ops krb5_kts_ops; struct krb5_kt_typelist { - krb5_kt_ops *ops; - struct krb5_kt_typelist *next; + const krb5_kt_ops *ops; + const struct krb5_kt_typelist *next; }; -static struct krb5_kt_typelist krb5_kt_typelist_dfl = { &krb5_kt_dfl_ops, 0 }; -static struct krb5_kt_typelist *kt_typehead = &krb5_kt_typelist_dfl; +static const struct krb5_kt_typelist krb5_kt_typelist_dfl = { &krb5_kt_dfl_ops, 0 }; +static const struct krb5_kt_typelist *kt_typehead = &krb5_kt_typelist_dfl; + +static const struct krb5_kt_typelist krb5_kt_typelist_wrfile = { + &krb5_ktf_writable_ops, + 0 +}; +static const struct krb5_kt_typelist krb5_kt_typelist_file = { + &krb5_ktf_ops, + &krb5_kt_typelist_wrfile +}; +static const struct krb5_kt_typelist krb5_kt_typelist_srvtab = { + &krb5_kts_ops, + &krb5_kt_typelist_file +}; + +/* SUNW14resync */ +/* +static const struct krb5_kt_typelist *kt_typehead = &krb5_kt_typelist_srvtab;*/ + +/* Lock for protecting the type list. */ +static k5_mutex_t kt_typehead_lock = K5_MUTEX_PARTIAL_INITIALIZER; + +int krb5int_kt_initialize(void) +{ + return k5_mutex_finish_init(&kt_typehead_lock); +} + +void +krb5int_kt_finalize(void) +{ + struct krb5_kt_typelist *t, *t_next; + k5_mutex_destroy(&kt_typehead_lock); + for (t = (struct krb5_kt_typelist *)kt_typehead; t != &krb5_kt_typelist_srvtab; + t = t_next) { + t_next = (struct krb5_kt_typelist *)t->next; + free(t); + } +} + /* * Register a new key table type * don't replace if it already exists; return an error instead. 
*/ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_register(context, ops) - krb5_context context; - krb5_kt_ops FAR *ops; +krb5_error_code KRB5_CALLCONV +krb5_kt_register(krb5_context context, const krb5_kt_ops *ops) { - struct krb5_kt_typelist *t; - for (t = kt_typehead;t && strcmp(t->ops->prefix,ops->prefix);t = t->next) + const struct krb5_kt_typelist *t; + struct krb5_kt_typelist *newt; + krb5_error_code err; + + err = k5_mutex_lock(&kt_typehead_lock); + if (err) + return err; + for (t = kt_typehead; t && strcmp(t->ops->prefix,ops->prefix);t = t->next) ; if (t) { + k5_mutex_unlock(&kt_typehead_lock); return KRB5_KT_TYPE_EXISTS; } - if (!(t = (struct krb5_kt_typelist *) malloc(sizeof(*t)))) + if (!(newt = (struct krb5_kt_typelist *) malloc(sizeof(*t)))) { + k5_mutex_unlock(&kt_typehead_lock); return ENOMEM; - t->next = kt_typehead; - t->ops = ops; - kt_typehead = t; + } + newt->next = kt_typehead; + newt->ops = ops; + kt_typehead = newt; + k5_mutex_unlock(&kt_typehead_lock); return 0; } 
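Review bot: krb5int_kt_finalize walks from kt_typehead until it reaches `&krb5_kt_typelist_srvtab`, but in this hunk kt_typehead is still initialised to `&krb5_kt_typelist_dfl` (the srvtab-headed initialiser is commented out under SUNW14resync), and krb5_kt_typelist_dfl has a null next pointer. As written the loop would hand the static krb5_kt_typelist_dfl to free() and then read `t->next` through a null pointer, because the srvtab node is never on the list. The sentinel should be the real static tail, `t != &krb5_kt_typelist_dfl`, so that only nodes malloc'd by krb5_kt_register are freed. Callers of krb5int_kt_finalize are not visible here, so whether this path runs today should be confirmed.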
@@ -80,34 +129,52 @@ krb5_kt_register(context, ops) * particular keytab type. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_resolve (context, name, ktid) - krb5_context context; - krb5_const char FAR *name; - krb5_keytab FAR *ktid; +#include <ctype.h> +krb5_error_code KRB5_CALLCONV +krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid) { - struct krb5_kt_typelist *tlist; - char *pfx, *resid, *cp; - int pfxlen; - + const struct krb5_kt_typelist *tlist; + char *pfx; + unsigned int pfxlen; + const char *cp, *resid; + krb5_error_code err; + cp = strchr (name, ':'); if (!cp) { return (*krb5_kt_dfl_ops.resolve)(context, name, ktid); } - pfxlen = cp - (char *)name; - resid = (char *)name + pfxlen + 1; + pfxlen = cp - name; + + if ( pfxlen == 1 && isalpha(name[0]) ) { + /* We found a drive letter not a prefix - use FILE: */ + pfx = strdup("FILE:"); + if (!pfx) + return ENOMEM; + + resid = name; + } else { + resid = name + pfxlen + 1; - pfx = malloc (pfxlen+1); - if (!pfx) - return ENOMEM; + pfx = malloc (pfxlen+1); + if (!pfx) + return ENOMEM; - memcpy (pfx, name, pfxlen); - pfx[pfxlen] = '\0'; + memcpy (pfx, name, pfxlen); + pfx[pfxlen] = '\0'; + } *ktid = (krb5_keytab) 0; - for (tlist = kt_typehead; tlist; tlist = tlist->next) { + err = k5_mutex_lock(&kt_typehead_lock); + if (err) + return err; + tlist = kt_typehead; + /* Don't need to hold the lock, since entries are never modified + or removed once they're in the list. Just need to protect + access to the list head variable itself. */ + k5_mutex_unlock(&kt_typehead_lock); + for (; tlist; tlist = tlist->next) { if (strcmp (tlist->ops->prefix, pfx) == 0) { free(pfx); return (*tlist->ops->resolve)(context, resid, ktid); @@ -117,6 +184,7 @@ krb5_kt_resolve (context, name, ktid) return KRB5_KT_UNKNOWN_TYPE; } + /* * Routines to deal with externalizingt krb5_keytab. * krb5_keytab_size(); 
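Review bot: In krb5_kt_resolve the new `if (err) return err;` after k5_mutex_lock returns without releasing `pfx`, which was allocated just above by strdup or malloc; it should be `if (err) { free(pfx); return err; }`. The drive-letter branch also sets pfx to `"FILE:"` with the colon, while the loop compares pfx to `ops->prefix` with strcmp and the one prefix visible in this commit, `"SRVTAB"`, has no colon. That branch therefore probably always ends in KRB5_KT_UNKNOWN_TYPE unless the file ops prefix is spelled differently, which is worth confirming. `isalpha(name[0])` should be given `(unsigned char)name[0]` so that it stays defined for bytes above 0x7f. The closing lines of the function fall in the following hunk.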
@@ -124,11 +192,11 @@ krb5_kt_resolve (context, name, ktid) * krb5_keytab_internalize(); */ static krb5_error_code krb5_keytab_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_keytab_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_keytab_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Serialization entry for this type. @@ -141,10 +209,7 @@ static const krb5_ser_entry krb5_keytab_ser_entry = { }; static krb5_error_code -krb5_keytab_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_keytab_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_keytab keytab; @@ -160,11 +225,7 @@ krb5_keytab_size(kcontext, arg, sizep) } static krb5_error_code -krb5_keytab_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_keytab_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_keytab keytab; @@ -180,11 +241,7 @@ krb5_keytab_externalize(kcontext, arg, buffer, lenremain) } static krb5_error_code -krb5_keytab_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_ser_handle shandle; 
@@ -196,9 +253,8 @@ krb5_keytab_internalize(kcontext, argp, buffer, lenremain) return(kret); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_ser_keytab_init(kcontext) - krb5_context kcontext; +krb5_error_code KRB5_CALLCONV +krb5_ser_keytab_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_keytab_ser_entry)); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktdefault.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktdefault.c index 2c0bb8a05c..57c6b28505 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktdefault.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktdefault.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -15,7 +15,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -37,10 +37,8 @@ #include <k5-int.h> #include <stdio.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_default(context, id) - krb5_context context; - krb5_keytab FAR *id; +krb5_error_code KRB5_CALLCONV +krb5_kt_default(krb5_context context, krb5_keytab *id) { char defname[BUFSIZ]; krb5_error_code retval; @@ -49,3 +47,6 @@ krb5_kt_default(context, id) return retval; return krb5_kt_resolve(context, defname, id); } + + + diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktfns.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktfns.c new file mode 100644 index 0000000000..538b9b2dcf --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktfns.c 
@@ -0,0 +1,81 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/keytab/ktfns.c + * + * Copyright 2001 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +/* + * Dispatch methods for keytab code. 
+ */ + +#include "k5-int.h" + +char * KRB5_CALLCONV +krb5_kt_get_type (krb5_context context, krb5_keytab keytab) +{ + return keytab->ops->prefix; +} + +krb5_error_code KRB5_CALLCONV +krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, + unsigned int namelen) +{ + return krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen)); +} + +krb5_error_code KRB5_CALLCONV +krb5_kt_close(krb5_context context, krb5_keytab keytab) +{ + return krb5_x((keytab)->ops->close,(context, keytab)); +} + +krb5_error_code KRB5_CALLCONV +krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, + krb5_const_principal principal, krb5_kvno vno, + krb5_enctype enctype, krb5_keytab_entry *entry) +{ + return krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype, entry)); +} + +krb5_error_code KRB5_CALLCONV +krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, + krb5_kt_cursor *cursor) +{ + return krb5_x((keytab)->ops->start_seq_get,(context, keytab, cursor)); +} + +krb5_error_code KRB5_CALLCONV +krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, + krb5_keytab_entry *entry, krb5_kt_cursor *cursor) +{ + return krb5_x((keytab)->ops->get_next,(context, keytab, entry, cursor)); +} + +krb5_error_code KRB5_CALLCONV +krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, + krb5_kt_cursor *cursor) +{ + return krb5_x((keytab)->ops->end_get,(context, keytab, cursor)); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktfr_entry.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktfr_entry.c index 28b52305ff..e8dff34054 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktfr_entry.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktfr_entry.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
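Review bot: krb5_kt_get_type returns `keytab->ops->prefix` as a plain `char *`, yet this commit makes the ops tables const (for example `const struct _krb5_kt_ops krb5_kts_ops`, whose prefix is the literal `"SRVTAB"`), so a caller could write through the returned pointer into read-only data. Declaring it `const char * KRB5_CALLCONV krb5_kt_get_type(krb5_context context, krb5_keytab keytab)` would state the contract. The prototype in the public header is not shown in this hunk and would have to change with it.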
@@ -15,7 +15,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -36,10 +36,10 @@ #include <k5-int.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_free_entry (context, entry) - krb5_context context; - krb5_keytab_entry FAR *entry; +krb5_error_code KRB5_CALLCONV +krb5_free_keytab_entry_contents (krb5_context context, krb5_keytab_entry *entry) + + { if (!entry) return 0; @@ -51,3 +51,9 @@ krb5_kt_free_entry (context, entry) } return 0; } + +krb5_error_code KRB5_CALLCONV +krb5_kt_free_entry (krb5_context context, krb5_keytab_entry *entry) +{ + return krb5_free_keytab_entry_contents (context, entry); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktremove.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktremove.c index 5a6117bc6d..a37418fb18 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktremove.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/ktremove.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -36,11 +36,8 @@ #include <k5-int.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_remove_entry (context, id, entry) - krb5_context context; - krb5_keytab id; - krb5_keytab_entry FAR *entry; +krb5_error_code KRB5_CALLCONV +krb5_kt_remove_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) { if (id->ops->remove) return (*id->ops->remove)(context, id, entry); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/read_servi.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/read_servi.c index 3115bbe6fe..47f2a8e753 100644 
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/read_servi.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/keytab/read_servi.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -50,14 +50,8 @@ * returns: Either KSUCCESS or error code. * errors: error code if not found or keyprocarg is invalid. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_read_service_key(context, keyprocarg, principal, vno, enctype, key) - krb5_context context; - krb5_pointer keyprocarg; - krb5_principal principal; - krb5_kvno vno; - krb5_enctype enctype; - krb5_keyblock FAR * FAR * key; +krb5_error_code KRB5_CALLCONV +krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock **key) { krb5_error_code kerror = KSUCCESS; char keytabname[MAX_KEYTAB_NAME_LEN + 1]; /* + 1 for NULL termination */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_comp.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_comp.c index df5e9e54e7..a8767bf2d7 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_comp.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_comp.c @@ -41,11 +41,9 @@ * If the two addresses are the same, return TRUE, else return FALSE */ /*ARGSUSED*/ -krb5_boolean -krb5_address_compare(context, addr1, addr2) - krb5_context context; - krb5_const krb5_address *addr1; - krb5_const krb5_address *addr2; +krb5_boolean KRB5_CALLCONV +krb5_address_compare(krb5_context context, krb5_const krb5_address *addr1, + krb5_const krb5_address *addr2) { KRB5_LOG0(KRB5_INFO, "krb5_address_compare() start"); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_order.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_order.c index f7f6fedbb8..f70535d73b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_order.c 
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_order.c @@ -39,11 +39,9 @@ * < 0 if first is less than 2nd, > 0 if first is greater than 2nd. */ /*ARGSUSED*/ -int -krb5_address_order(context, addr1, addr2) - krb5_context context; - register krb5_const krb5_address *addr1; - register krb5_const krb5_address *addr2; +int KRB5_CALLCONV +krb5_address_order(krb5_context context, krb5_const krb5_address *addr1, + krb5_const krb5_address *addr2) { int dir; register int i; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_srch.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_srch.c index d4f9d83185..820ce0781e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_srch.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/addr_srch.c @@ -35,10 +35,8 @@ * if not listed, return FALSE */ krb5_boolean -krb5_address_search(context, addr, addrlist) - krb5_context context; - krb5_const krb5_address *addr; - krb5_address * krb5_const * addrlist; +krb5_address_search(krb5_context context, krb5_const krb5_address *addr, + krb5_address *krb5_const *addrlist) { if (!addrlist) return TRUE; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/appdefault.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/appdefault.c index 0fa1a5fe16..5a24a4c77c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/appdefault.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/appdefault.c @@ -1,9 +1,14 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + #pragma ident "%Z%%M% %I% %E% SMI" + /* * appdefault - routines designed to be called from applications to * handle the [appdefaults] profile section */ - #include <stdio.h> #include <string.h> #include <k5-int.h> 
@@ -11,20 +16,19 @@ /*xxx Duplicating this is annoying; try to work on a better way.*/ -static char *conf_yes[] = { +static const char *conf_yes[] = { "y", "yes", "true", "t", "1", "on", 0, }; -static char *conf_no[] = { +static const char *conf_no[] = { "n", "no", "false", "nil", "0", "off", 0, }; -static int conf_boolean(s) - char *s; +static int conf_boolean(char *s) { - char **p; + const char * const *p; for(p=conf_yes; *p; p++) { if (!strcasecmp(*p,s)) return 1; @@ -37,12 +41,9 @@ static int conf_boolean(s) return 0; } -static krb5_error_code appdefault_get(context, appname, realm, option, - ret_value) - krb5_context context; - const char *appname, *option; - const krb5_data *realm; - char **ret_value; +static krb5_error_code appdefault_get(krb5_context context, + const char *appname, const krb5_data *realm, + const char *option, char **ret_value) { profile_t profile; const char *names[5]; @@ -142,14 +143,11 @@ goodbye: return 0; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_appdefault_boolean(context, appname, realm, option, - default_value, ret_value) - krb5_context context; - const char *appname, *option; - const krb5_data *realm; - int default_value; - int *ret_value; +void KRB5_CALLCONV +krb5_appdefault_boolean(krb5_context context, + const char *appname, const krb5_data *realm, + const char *option, int default_value, + int *ret_value) { char *string = NULL; krb5_error_code retval; @@ -163,14 +161,11 @@ krb5_appdefault_boolean(context, appname, realm, option, *ret_value = default_value; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_appdefault_string(context, appname, realm, option, default_value, - ret_value) - krb5_context context; - const char *appname, *option, *default_value; - char **ret_value; - const krb5_data *realm; - { +void KRB5_CALLCONV +krb5_appdefault_string(krb5_context context, const char *appname, + const krb5_data *realm, const char *option, + const char *default_value, char **ret_value) +{ krb5_error_code retval; char *string; 
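Review bot: `conf_boolean` still takes `char *s`, although this hunk makes both tables `const` and the visible loop only passes `s` to `strcasecmp`; the signature should be `static int conf_boolean(const char *s)`. The loop over `conf_no` sits between this hunk and the next, so confirm that it does not write through `s` either. With the qualifier in place the function documents that the profile string is read-only, and callers holding a `const char *` need no cast.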
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/auth_con.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/auth_con.c index 22b07317b1..b4f6a8cb2a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/auth_con.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/auth_con.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -8,6 +8,8 @@ #include <k5-int.h> #include <auth_con.h> +static krb5_boolean chk_heimdal_seqnum(krb5_ui_4, krb5_ui_4); + /*ARGSUSED*/ static krb5_error_code actx_copy_addr(krb5_context context, const krb5_address *inad, @@ -47,6 +49,8 @@ krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context) (*auth_context)->req_cksumtype = context->default_ap_req_sumtype; (*auth_context)->safe_cksumtype = context->default_safe_sumtype; + (*auth_context) -> checksum_func = NULL; + (*auth_context)->checksum_func_data = NULL; (*auth_context)->magic = KV5M_AUTH_CONTEXT; return 0; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_pr_ext.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_pr_ext.c index b5c60764a0..ed7159a9cb 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_pr_ext.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_pr_ext.c 
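Review bot: The first line added to krb5_auth_con_init is written `(*auth_context) -> checksum_func = NULL;` with spaces around `->`, unlike the line added after it and the assignments around it; write `(*auth_context)->checksum_func = NULL;`. Clearing the callback pointer and its data explicitly is only necessary if the structure is not zeroed when it is allocated. That allocation is outside the hunk, so a short comment saying why the two fields are reset here would help the next reader.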
@@ -30,37 +30,22 @@ #include <k5-int.h> -#ifdef HAVE_STDARG_H #include <stdarg.h> -#else -#include <varargs.h> -#endif /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV_C -#ifdef HAVE_STDARG_H -krb5_build_principal_ext(krb5_context context, krb5_principal FAR * princ, int rlen, krb5_const char FAR * realm, ...) -#else -krb5_build_principal_ext(context, princ, rlen, realm, va_alist) - krb5_context context; - krb5_principal FAR *princ; - int rlen; - krb5_const char FAR *realm; - va_dcl -#endif +krb5_error_code KRB5_CALLCONV_C +krb5_build_principal_ext(krb5_context context, krb5_principal * princ, + unsigned int rlen, const char * realm, ...) { va_list ap; - register int i, count = 0, size; + register int i, count = 0; + register unsigned int size; register char *next; char *tmpdata; krb5_data *princ_data; krb5_principal princ_ret; -#ifdef HAVE_STDARG_H va_start(ap, realm); -#else - va_start(ap); -#endif /* count up */ while (va_arg(ap, int) != 0) { (void)va_arg(ap, char *); /* pass one up */ @@ -93,13 +78,9 @@ krb5_build_principal_ext(context, princ, rlen, realm, va_alist) tmpdata[rlen] = 0; /* process rest of components */ -#ifdef HAVE_STDARG_H va_start(ap, realm); -#else - va_start(ap); -#endif for (i = 0; i < count; i++) { - size = va_arg(ap, int); + size = va_arg(ap, unsigned int); next = va_arg(ap, char *); princ_data[i].length = size; princ_data[i].data = malloc(size+1); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c index ef542a7e2c..62948a44e0 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/bld_princ.c 
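Review bot: With `size` now `unsigned int`, `malloc(size+1)` in the component loop wraps to `malloc(0)` when a caller passes a length of UINT_MAX. The same happens for a negative `int`, which the counting pass reads with `va_arg(ap, int)` and accepts as non-zero. Any copy of `size` bytes after that allocation would run past it, so reject the value first with `if (size + 1 == 0)` and take the function's existing allocation-failure path. Both passes over the argument list should also read the length with the same type. The copy and the cleanup code are outside this hunk, so check how the malloc-failure branch unwinds before reusing it.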
@@ -28,23 +28,13 @@ * Build a principal from a list of strings */ -/* Need <krb5/k5-config.h> for HAVE_STDARG_H */ -#include <k5-int.h> - -#ifdef HAVE_STDARG_H #include <stdarg.h> -#else -#include <varargs.h> -#endif +#include <k5-int.h> /*ARGSUSED*/ krb5_error_code -krb5_build_principal_va(context, princ, rlen, realm, ap) - krb5_context context; - krb5_principal princ; - int rlen; - krb5_const char *realm; - va_list ap; +krb5_build_principal_va(krb5_context context, krb5_principal princ, + unsigned int rlen, const char *realm, va_list ap) { register int i, count = 0; register char *next; @@ -101,18 +91,10 @@ krb5_build_principal_va(context, princ, rlen, realm, ap) return 0; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV_C -#ifdef HAVE_STDARG_H -krb5_build_principal(krb5_context context, krb5_principal * princ, int rlen, - krb5_const char FAR * realm, ...) -#else -krb5_build_principal(context, princ, rlen, realm, va_alist) - krb5_context context; - krb5_principal *princ; - int rlen; - krb5_const char FAR *realm; - va_dcl -#endif +krb5_error_code KRB5_CALLCONV_C +krb5_build_principal(krb5_context context, krb5_principal * princ, + unsigned int rlen, + const char * realm, ...) { va_list ap; krb5_error_code retval; @@ -121,11 +103,7 @@ krb5_build_principal(context, princ, rlen, realm, va_alist) if (!pr_ret) return ENOMEM; -#ifdef HAVE_STDARG_H va_start(ap, realm); -#else - va_start(ap); -#endif retval = krb5_build_principal_va(context, pr_ret, rlen, realm, ap); va_end(ap); if (retval == 0) diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chk_trans.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chk_trans.c index 195b866559..8e5dd23223 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chk_trans.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chk_trans.c 
@@ -274,7 +274,7 @@ check_realm_in_list (krb5_data *realm, void *data) } krb5_error_code -krb5_check_transited_list (krb5_context ctx, krb5_data *trans_in, +krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in, const krb5_data *crealm, const krb5_data *srealm) { krb5_data trans; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/cleanup.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/cleanup.h index 2c30591ddc..67a709689a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/cleanup.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/cleanup.h @@ -5,7 +5,7 @@ struct cleanup { void * arg; - void (*func)(); + void (*func)(void *); }; #define CLEANUP_INIT(x) \ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/conv_princ.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/conv_princ.c index 99ccb97c13..a6d60ea88e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/conv_princ.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/conv_princ.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -52,54 +52,74 @@ #define INST_SZ 40 struct krb_convert { - char *v4_str; - char *v5_str; - int flags; + char *v4_str; + char *v5_str; + unsigned int flags : 8; + unsigned int len : 8; }; #define DO_REALM_CONVERSION 0x00000001 /* * Kadmin doesn't do realm conversion because it's currently - * kadmin/REALM.NAME. It should be kadmin/kerberos.master.host, but - * we'll fix that in the next release. + * kadmin/REALM.NAME. Zephyr doesn't because it's just zephyr/zephyr. + * + * "Realm conversion" is a bit of a misnomer; really, the v5 name is + * using a FQDN or something that looks like it, where the v4 name is + * just using the first label. Sometimes that second principal name + * component is a hostname, sometimes the realm name, sometimes it's + * neither. + * + * This list should probably be more configurable, and more than + * likely on a per-realm basis, so locally-defined services can be + * added, or not. */ static const struct krb_convert sconv_list[] = { - {"kadmin", "kadmin", 0}, - {"rcmd", "host", DO_REALM_CONVERSION}, - {"discuss", "discuss", DO_REALM_CONVERSION}, - {"rvdsrv", "rvdsrv", DO_REALM_CONVERSION}, - {"sample", "sample", DO_REALM_CONVERSION}, - {"olc", "olc", DO_REALM_CONVERSION}, - {"pop", "pop", DO_REALM_CONVERSION}, - {"sis", "sis", DO_REALM_CONVERSION}, - {"rfs", "rfs", DO_REALM_CONVERSION}, - {"imap", "imap", DO_REALM_CONVERSION}, - {"ftp", "ftp", DO_REALM_CONVERSION}, - {"ecat", "ecat", DO_REALM_CONVERSION}, - {"daemon", "daemon", DO_REALM_CONVERSION}, - {"gnats", "gnats", DO_REALM_CONVERSION}, - {"moira", "moira", DO_REALM_CONVERSION}, - {"prms", "prms", DO_REALM_CONVERSION}, - {"mandarin", "mandarin", DO_REALM_CONVERSION}, - {"register", "register", DO_REALM_CONVERSION}, - {"changepw", "changepw", DO_REALM_CONVERSION}, - {"sms", "sms", DO_REALM_CONVERSION}, - {"afpserver", "afpserver", DO_REALM_CONVERSION}, - {"gdss", "gdss", DO_REALM_CONVERSION}, - {"news", "news", DO_REALM_CONVERSION}, - {"abs", "abs", DO_REALM_CONVERSION}, - {"nfs", 
"nfs", DO_REALM_CONVERSION}, - {"tftp", "tftp", DO_REALM_CONVERSION}, - {"zephyr", "zephyr", 0}, - {"http", "http", DO_REALM_CONVERSION}, - {"khttp", "khttp", DO_REALM_CONVERSION}, - {"pgpsigner", "pgpsigner", DO_REALM_CONVERSION}, - {"irc", "irc", DO_REALM_CONVERSION}, - {"mandarin-agent", "mandarin-agent", DO_REALM_CONVERSION}, - {"write", "write", DO_REALM_CONVERSION}, - {"palladium", "palladium", DO_REALM_CONVERSION}, - {0, 0, 0}, + /* Realm conversion, Change service name */ +#define RC(V5NAME,V4NAME) { V5NAME, V4NAME, DO_REALM_CONVERSION, sizeof(V5NAME)-1 } + /* Realm conversion */ +#define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 } + /* No Realm conversion */ +#define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 } + + NR("kadmin"), + RC("rcmd", "host"), + R("discuss"), + R("rvdsrv"), + R("sample"), + R("olc"), + R("pop"), + R("sis"), + R("rfs"), + R("imap"), + R("ftp"), + R("ecat"), + R("daemon"), + R("gnats"), + R("moira"), + R("prms"), + R("mandarin"), + R("register"), + R("changepw"), + R("sms"), + R("afpserver"), + R("gdss"), + R("news"), + R("abs"), + R("nfs"), + R("tftp"), + NR("zephyr"), + R("http"), + R("khttp"), + R("pgpsigner"), + R("irc"), + R("mandarin-agent"), + R("write"), + R("palladium"), + {0, 0, 0, 0}, +#undef R +#undef RC +#undef NR }; /* @@ -115,9 +135,8 @@ static const struct krb_convert sconv_list[] = { * This falls in the "should have been in the ANSI C library" * category. :-) */ -static char *strnchr(s, c, n) - register char *s, c; - register int n; +static char *strnchr(register char *s, register char c, + register unsigned int n) { if (n < 1) return 0; 
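Review bot: `RC(V5NAME,V4NAME)` names its parameters in the opposite order to `struct krb_convert`, whose first member is `v4_str`: `RC("rcmd", "host")` stores "rcmd" as the v4 name and "host" as the v5 name, yet `len` is taken from the first argument. The lookup in krb5_524_conv_principal (a later hunk) compares `p->len` with the length of the v5 component before `memcmp(p->v5_str, ...)`, so this entry works only because both names are four characters long. A future mapping whose two names differ in length would fail to match, or would compare the wrong number of bytes against `v5_str`. Define the macro as `#define RC(V4NAME,V5NAME) { V4NAME, V5NAME, DO_REALM_CONVERSION, sizeof(V5NAME)-1 }`, and add a comment on the struct that `len` is the length of `v5_str` and is limited to 255 by the 8-bit field.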
@@ -135,18 +154,15 @@ static char *strnchr(s, c, n) #define KRB5_INVALID_PRINCIPAL KRB5_LNAME_BADFORMAT /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_524_conv_principal(context, princ, name, inst, realm) - krb5_context context; - const krb5_principal princ; - char FAR *name; - char FAR *inst; - char FAR *realm; +krb5_error_code KRB5_CALLCONV +krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, + char *name, char *inst, char *realm) { const struct krb_convert *p; - krb5_data *compo; + const krb5_data *compo; char *c, *tmp_realm, *tmp_prealm; - int tmp_realm_len, retval; + unsigned int tmp_realm_len; + int retval; *name = *inst = '\0'; switch (krb5_princ_size(context, princ)) { @@ -155,7 +171,8 @@ krb5_524_conv_principal(context, princ, name, inst, realm) compo = krb5_princ_component(context, princ, 0); p = sconv_list; while (p->v4_str) { - if (strncmp(p->v5_str, compo->data, compo->length) == 0) { + if (p->len == compo->length + && memcmp(p->v5_str, compo->data, compo->length) == 0) { /* * It is, so set the new name now, and chop off * instance's domain name if requested. @@ -168,7 +185,7 @@ krb5_524_conv_principal(context, princ, name, inst, realm) c = strnchr(compo->data, '.', compo->length); if (!c || (c - compo->data) >= INST_SZ - 1) return KRB5_INVALID_PRINCIPAL; - memcpy(inst, compo->data, c - compo->data); + memcpy(inst, compo->data, (size_t) (c - compo->data)); inst[c - compo->data] = '\0'; } break; 
@@ -238,13 +255,8 @@ krb5_524_conv_principal(context, princ, name, inst, realm) } /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_425_conv_principal(context, name, instance, realm, princ) - krb5_context context; - const char FAR *name; - const char FAR *instance; - const char FAR *realm; - krb5_principal FAR *princ; +krb5_error_code KRB5_CALLCONV +krb5_425_conv_principal(krb5_context context, const char *name, const char *instance, const char *realm, krb5_principal *princ) { const struct krb_convert *p; char buf[256]; /* V4 instances are limited to 40 characters */ @@ -282,6 +294,10 @@ krb5_425_conv_principal(context, name, instance, realm, princ) } else if ((retval == 0) && (realm_name == NULL)) { break; } + if (v4realms != NULL) { + profile_free_list(v4realms); + v4realms = NULL; + } if (realm_name != NULL) { profile_release_string (realm_name); realm_name = NULL; @@ -324,8 +340,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ) return retval; if (domain) { for (cp = domain; *cp; cp++) - if (isupper(*cp)) - *cp = tolower(*cp); + if (isupper((int) (*cp))) + *cp = tolower((int) *cp); strncat(buf, ".", sizeof(buf) - 1 - strlen(buf)); strncat(buf, domain, sizeof(buf) - 1 - strlen(buf)); krb5_xfree(domain); @@ -337,11 +353,11 @@ krb5_425_conv_principal(context, name, instance, realm, princ) not_service: retval = krb5_build_principal(context, princ, strlen(realm), realm, name, - instance, 0); - profile_iterator_free (&iterator); - profile_free_list(full_name); - profile_free_list(v4realms); - profile_release_string (realm_name); - profile_release_string (dummy_value); + instance, NULL); + if (iterator) profile_iterator_free (&iterator); + if (full_name) profile_free_list(full_name); + if (v4realms) profile_free_list(v4realms); + if (realm_name) profile_release_string (realm_name); + if (dummy_value) profile_release_string (dummy_value); return retval; } 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_addrs.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_addrs.c index 9fee452f82..bc31ecab20 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_addrs.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_addrs.c @@ -31,15 +31,12 @@ #include <k5-int.h> /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_addr(context, inad, outad) - krb5_context context; - const krb5_address FAR *inad; - krb5_address FAR * FAR *outad; +krb5_error_code KRB5_CALLCONV +krb5_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **outad) { - krb5_address FAR *tmpad; + krb5_address *tmpad; - if (!(tmpad = (krb5_address FAR *)malloc(sizeof(*tmpad)))) + if (!(tmpad = (krb5_address *)malloc(sizeof(*tmpad)))) return ENOMEM; #ifdef HAVE_C_STRUCTURE_ASSIGNMENT *tmpad = *inad; @@ -58,15 +55,12 @@ krb5_copy_addr(context, inad, outad) /* * Copy an address array, with fresh allocation. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_addresses(context, inaddr, outaddr) - krb5_context context; - krb5_address FAR * const FAR * inaddr; - krb5_address FAR * FAR * FAR *outaddr; +krb5_error_code KRB5_CALLCONV +krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_address ***outaddr) { krb5_error_code retval; krb5_address ** tempaddr; - register int nelems = 0; + register unsigned int nelems = 0; if (!inaddr) { *outaddr = 0; @@ -106,7 +100,7 @@ krb5_append_addresses(context, inaddr, outaddr) krb5_error_code retval; krb5_address ** tempaddr; krb5_address ** tempaddr2; - register int nelems = 0; + register unsigned int nelems = 0; register int norigelems = 0; if (!inaddr) diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_creds.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_creds.c index bdb411597f..d277543362 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_creds.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_creds.c 
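Review bot: In krb5_append_addresses `nelems` becomes `unsigned int` while `norigelems` on the next line stays `int`, so the two counters, which presumably size the combined array, now differ in signedness; declare `register unsigned int norigelems = 0;` as well. The allocation that uses them is outside this hunk, so check that the element count is computed in a single unsigned type there. The hunk header also shows that this function kept its K&R parameter list, unlike krb5_copy_addr and krb5_copy_addresses in the same file.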
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -40,11 +40,8 @@ * Copy credentials, allocating fresh storage where needed. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_creds(context, incred, outcred) - krb5_context context; - const krb5_creds *incred; - krb5_creds **outcred; +krb5_error_code KRB5_CALLCONV +krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **outcred) { krb5_creds *tempcred; krb5_error_code retval; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_data.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_data.c index 42b23c4d11..183956a502 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_data.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_data.c @@ -34,11 +34,8 @@ * Copy a data structure, with fresh allocation. */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_data(context, indata, outdata) - krb5_context context; - const krb5_data FAR *indata; - krb5_data FAR * FAR *outdata; +krb5_error_code KRB5_CALLCONV +krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdata) { krb5_data *tempdata; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_tick.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_tick.c index 67d533d18d..1fbeefa24c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_tick.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/copy_tick.c @@ -31,10 +31,7 @@ #include <k5-int.h> static krb5_error_code -krb5_copy_enc_tkt_part(context, partfrom, partto) - krb5_context context; - const krb5_enc_tkt_part *partfrom; - krb5_enc_tkt_part **partto; +krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom, krb5_enc_tkt_part **partto) { krb5_error_code retval; krb5_enc_tkt_part *tempto; 
@@ -99,11 +96,8 @@ krb5_copy_enc_tkt_part(context, partfrom, partto) return 0; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_ticket(context, from, pto) - krb5_context context; - const krb5_ticket *from; - krb5_ticket **pto; +krb5_error_code KRB5_CALLCONV +krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pto) { krb5_error_code retval; krb5_ticket *tempto; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decode_kdc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decode_kdc.c index 7151512085..8ce9e8d489 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decode_kdc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decode_kdc.c @@ -44,11 +44,7 @@ */ krb5_error_code -krb5_decode_kdc_rep(context, enc_rep, key, dec_rep) - krb5_context context; - krb5_data * enc_rep; - const krb5_keyblock * key; - krb5_kdc_rep ** dec_rep; +krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep) { krb5_error_code retval; krb5_kdc_rep *local_dec_rep; @@ -72,8 +68,8 @@ krb5_decode_kdc_rep(context, enc_rep, key, dec_rep) if (retval) return retval; - if (retval = krb5_kdc_rep_decrypt_proc(context, key, &usage, - local_dec_rep)) + if ((retval = krb5_kdc_rep_decrypt_proc(context, key, &usage, + local_dec_rep))) krb5_free_kdc_rep(context, local_dec_rep); else *dec_rep = local_dec_rep; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decrypt_tk.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decrypt_tk.c index 336b443db2..1a7647c884 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decrypt_tk.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/decrypt_tk.c 
@@ -40,17 +40,14 @@ */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_decrypt_tkt_part(context, srv_key, ticket) - krb5_context context; - const krb5_keyblock FAR *srv_key; - register krb5_ticket FAR *ticket; +krb5_error_code KRB5_CALLCONV +krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, register krb5_ticket *ticket) { krb5_enc_tkt_part *dec_tkt_part; krb5_data scratch; krb5_error_code retval; - if (!valid_enctype(ticket->enc_part.enctype)) + if (!krb5_c_valid_enctype(ticket->enc_part.enctype)) return KRB5_PROG_ETYPE_NOSUPP; scratch.length = ticket->enc_part.ciphertext.length; @@ -58,9 +55,9 @@ krb5_decrypt_tkt_part(context, srv_key, ticket) return(ENOMEM); /* call the encryption routine */ - if (retval = krb5_c_decrypt(context, srv_key, + if ((retval = krb5_c_decrypt(context, srv_key, KRB5_KEYUSAGE_KDC_REP_TICKET, 0, - &ticket->enc_part, &scratch)) { + &ticket->enc_part, &scratch))) { free(scratch.data); return retval; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/deltat.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/deltat.c index e44129276e..b7ea5cdce2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/deltat.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/deltat.c 
@@ -1,39 +1,87 @@ #pragma ident "%Z%%M% %I% %E% SMI" -/* A Bison parser, made from ../../../../asrc/lib/krb5/krb/x-deltat.y - by GNU Bison version 1.27 - */ +/* A Bison parser, made from ./x-deltat.y + by GNU Bison version 1.28 */ #define YYBISON 1 /* Identify Bison output. */ #define NUM 257 #define LONGNUM 258 -#define WS 259 +#define OVERFLOW 259 +#define WS 260 -#line 38 "../../../../asrc/lib/krb5/krb/x-deltat.y" +#line 38 "./x-deltat.y" #include <ctype.h> #include <errno.h> #include <k5-int.h> -#if 0 -#define NBITS(TYPE) (8*sizeof(TYPE)) -#define LOG10_2 0.30103 -#define LOG10_MAX(TYPE) (LOG10_2 * NBITS(TYPE)) -#define BUFFERSIZE(TYPE) (1 /* \0 */ + (int) (1 + LOG10_MAX(TYPE))) -#endif - struct param { - krb5_deltat delta; + krb5_int32 delta; char *p; }; #define YYPARSE_PARAM tmv +#define MAX_TIME KRB5_INT32_MAX +#define MIN_TIME KRB5_INT32_MIN + +#define DAY (24 * 3600) +#define HOUR 3600 + +#define MAX_DAY (MAX_TIME / DAY) +#define MIN_DAY (MIN_TIME / DAY) +#define MAX_HOUR (MAX_TIME / HOUR) +#define MIN_HOUR (MIN_TIME / HOUR) +#define MAX_MIN (MAX_TIME / 60) +#define MIN_MIN (MIN_TIME / 60) + +/* An explanation of the tests being performed. + We do not want to overflow a 32 bit integer with out manipulations, + even for testing for overflow. Therefore we rely on the following: + + The lex parser will not return a number > MAX_TIME (which is out 32 + bit limit). + + Therefore, seconds (s) will require + MIN_TIME < s < MAX_TIME + + For subsequent tests, the logic is as follows: + + If A < MAX_TIME and B < MAX_TIME + + If we want to test if A+B < MAX_TIME, there are two cases + if (A > 0) + then A + B < MAX_TIME if B < MAX_TIME - A + else A + B < MAX_TIME always. + + if we want to test if MIN_TIME < A + B + if A > 0 - then nothing to test + otherwise, we test if MIN_TIME - A < B. 
+ + We of course are testing for: + MIN_TIME < A + B < MAX_TIME +*/ + + +#define DAY_NOT_OK(d) (d) > MAX_DAY || (d) < MIN_DAY +#define HOUR_NOT_OK(h) (h) > MAX_HOUR || (h) < MIN_HOUR +#define MIN_NOT_OK(m) (m) > MAX_MIN || (m) < MIN_MIN +#define SUM_OK(a, b) (((a) > 0) ? ( (b) <= MAX_TIME - (a)) : (MIN_TIME - (a) <= (b))) +#define DO_SUM(res, a, b) if (!SUM_OK((a), (b))) YYERROR; \ + res = (a) + (b) + + +#define OUT_D ((struct param *)tmv)->delta #define DO(D,H,M,S) \ { \ - ((struct param *)tmv)->delta = (((D * 24) + H) * 60 + M) * 60 + S; \ + /* Overflow testing - this does not handle negative values well.. */ \ + if (DAY_NOT_OK(D) || HOUR_NOT_OK(H) || MIN_NOT_OK(M)) YYERROR; \ + OUT_D = D * DAY; \ + DO_SUM(OUT_D, OUT_D, H * HOUR); \ + DO_SUM(OUT_D, OUT_D, M * 60); \ + DO_SUM(OUT_D, OUT_D, S); \ } static int mylex (int *, char **); @@ -47,7 +95,7 @@ static int mylex (int *, char **); static int yyparse (void *); -#line 77 "../../../../asrc/lib/krb5/krb/x-deltat.y" +#line 125 "./x-deltat.y" typedef union { int val; } YYSTYPE; #include <stdio.h> 
@@ -59,25 +107,25 @@ typedef union { int val; } YYSTYPE; -#define YYFINAL 41 +#define YYFINAL 42 #define YYFLAG -32768 -#define YYNTBASE 12 +#define YYNTBASE 13 -#define YYTRANSLATE(x) ((unsigned)(x) <= 259 ? yytranslate[x] : 21) +#define YYTRANSLATE(x) ((unsigned)(x) <= 260 ? yytranslate[x] : 22) static const char yytranslate[] = { 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 5, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 6, 2, 2, + 2, 2, 2, 2, 6, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 7, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 7, - 2, 2, 2, 8, 2, 2, 2, 2, 9, 2, - 2, 2, 2, 2, 10, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 8, + 2, 2, 2, 9, 2, 2, 2, 2, 10, 2, + 2, 2, 2, 2, 11, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 
@@ -91,33 +139,34 @@ static const char yytranslate[] = { 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 1, 3, 4, 11 + 2, 2, 2, 2, 2, 1, 3, 4, 5, 12 }; #if YYDEBUG != 0 static const short yyprhs[] = { 0, - 0, 2, 4, 6, 8, 11, 12, 14, 17, 21, - 25, 29, 32, 40, 46, 50, 52, 56, 58, 62, - 64 + 0, 2, 4, 6, 8, 11, 12, 14, 17, 20, + 24, 28, 32, 35, 43, 49, 53, 55, 57, 61, + 63, 67, 69 }; -static const short yyrhs[] = { 17, - 0, 3, 0, 4, 0, 13, 0, 5, 13, 0, - 0, 11, 0, 15, 14, 0, 16, 7, 18, 0, - 16, 8, 19, 0, 16, 9, 20, 0, 16, 10, - 0, 16, 5, 3, 6, 3, 6, 3, 0, 16, - 6, 3, 6, 3, 0, 16, 6, 3, 0, 19, - 0, 16, 8, 19, 0, 20, 0, 16, 9, 20, - 0, 15, 0, 16, 10, 0 +static const short yyrhs[] = { 18, + 0, 3, 0, 4, 0, 14, 0, 6, 14, 0, + 0, 12, 0, 16, 15, 0, 16, 5, 0, 17, + 8, 19, 0, 17, 9, 20, 0, 17, 10, 21, + 0, 17, 11, 0, 17, 6, 3, 7, 3, 7, + 3, 0, 17, 7, 3, 7, 3, 0, 17, 7, + 3, 0, 17, 0, 20, 0, 17, 9, 20, 0, + 21, 0, 17, 10, 21, 0, 16, 0, 17, 11, + 0 }; #endif #if YYDEBUG != 0 static const short yyrline[] = { 0, - 88, 89, 89, 90, 90, 91, 91, 92, 93, 95, - 96, 97, 98, 99, 100, 103, 105, 106, 108, 109, - 111 + 136, 137, 137, 138, 138, 139, 139, 140, 141, 142, + 144, 145, 146, 147, 148, 149, 150, 153, 155, 157, + 159, 161, 163 }; #endif 
@@ -125,69 +174,69 @@ static const short yyrline[] = { 0, #if YYDEBUG != 0 || defined (YYERROR_VERBOSE) static const char * const yytname[] = { "$","error","$undefined.","NUM","LONGNUM", -"'-'","':'","'d'","'h'","'m'","'s'","WS","start","posnum","num","ws","wsnum", -"deltat","opt_hms","opt_ms","opt_s", NULL +"OVERFLOW","'-'","':'","'d'","'h'","'m'","'s'","WS","start","posnum","num","ws", +"wsnum","deltat","opt_hms","opt_ms","opt_s", NULL }; #endif static const short yyr1[] = { 0, - 12, 13, 13, 14, 14, 15, 15, 16, 17, 17, - 17, 17, 17, 17, 17, 18, 18, 19, 19, 20, - 20 + 13, 14, 14, 15, 15, 16, 16, 17, 17, 18, + 18, 18, 18, 18, 18, 18, 18, 19, 19, 20, + 20, 21, 21 }; static const short yyr2[] = { 0, - 1, 1, 1, 1, 2, 0, 1, 2, 3, 3, - 3, 2, 7, 5, 3, 1, 3, 1, 3, 1, - 2 + 1, 1, 1, 1, 2, 0, 1, 2, 2, 3, + 3, 3, 2, 7, 5, 3, 1, 1, 3, 1, + 3, 1, 2 }; static const short yydefact[] = { 6, - 7, 0, 0, 1, 2, 3, 0, 4, 8, 0, - 0, 6, 6, 6, 12, 5, 0, 15, 20, 0, - 9, 16, 18, 0, 10, 0, 11, 0, 0, 6, - 6, 21, 0, 14, 17, 19, 0, 13, 0, 0, - 0 + 7, 0, 17, 1, 2, 3, 9, 0, 4, 8, + 0, 0, 6, 6, 6, 13, 5, 0, 16, 22, + 0, 10, 18, 20, 0, 11, 0, 12, 0, 0, + 6, 6, 23, 0, 15, 19, 21, 0, 14, 0, + 0, 0 }; -static const short yydefgoto[] = { 39, - 8, 9, 19, 24, 4, 21, 22, 23 +static const short yydefgoto[] = { 40, + 9, 10, 20, 25, 4, 22, 23, 24 }; -static const short yypact[] = { -9, --32768, 12, -1,-32768,-32768,-32768, 7,-32768,-32768, 10, - 16, -9, -9, -9,-32768,-32768, 20, 21, 12, 13, --32768,-32768,-32768, 15,-32768, 18,-32768, 26, 27, -9, - -9,-32768, 28,-32768,-32768,-32768, 29,-32768, 33, 35, --32768 +static const short yypact[] = { -10, +-32768, 18, -2,-32768,-32768,-32768,-32768, 13,-32768,-32768, + 11, 16, -10, -10, -10,-32768,-32768, 20, 21, 18, + 1,-32768,-32768,-32768, 15,-32768, 19,-32768, 26, 28, + -10, -10,-32768, 27,-32768,-32768,-32768, 30,-32768, 35, + 36,-32768 }; static const short yypgoto[] = {-32768, - 30,-32768, 36, 0,-32768,-32768, -12, -11 + 29,-32768, 38, 0,-32768,-32768, -13, 
-12 }; -#define YYLAST 37 +#define YYLAST 38 static const short yytable[] = { 3, - 25, 1, 27, 10, 11, 12, 13, 14, 15, 5, - 6, 20, 17, 26, 5, 6, 7, 35, 18, 36, - 30, 31, 32, 31, 32, 28, 29, 32, 33, 34, - 26, 38, 40, 37, 41, 2, 16 + 26, 1, 28, 11, 12, 13, 14, 15, 16, 31, + 32, 33, 21, 18, 27, 5, 6, 36, 19, 37, + 5, 6, 7, 8, 32, 33, 29, 30, 34, 33, + 35, 27, 39, 38, 41, 42, 17, 2 }; static const short yycheck[] = { 0, - 13, 11, 14, 5, 6, 7, 8, 9, 10, 3, - 4, 12, 3, 14, 3, 4, 5, 30, 3, 31, - 8, 9, 10, 9, 10, 6, 6, 10, 3, 3, - 31, 3, 0, 6, 0, 0, 7 + 14, 12, 15, 6, 7, 8, 9, 10, 11, 9, + 10, 11, 13, 3, 15, 3, 4, 31, 3, 32, + 3, 4, 5, 6, 10, 11, 7, 7, 3, 11, + 3, 32, 3, 7, 0, 0, 8, 0 }; #define YYPURE 1 /* -*-C-*- Note some compilers choke on comments on `#line' lines. */ -#line 3 "/mit/gnu/share/bison.simple" -/* This file comes from bison-1.27. */ +#line 3 "/usr/share/bison.simple" +/* This file comes from bison-1.28. */ /* Skeleton output parser for bison, Copyright (C) 1984, 1989, 1990 Free Software Foundation, Inc. @@ -400,7 +449,7 @@ __yy_memcpy (char *to, char *from, unsigned int count) #endif #endif -#line 216 "/mit/gnu/share/bison.simple" +#line 217 "/usr/share/bison.simple" /* The user can define YYPARSE_PARAM as the name of an argument to be passed into yyparse. The argument should have type void *. 
@@ -729,56 +778,66 @@ yyreduce: switch (yyn) { case 5: -#line 90 "../../../../asrc/lib/krb5/krb/x-deltat.y" +#line 138 "./x-deltat.y" { yyval.val = - yyvsp[0].val; ; break;} case 8: -#line 92 "../../../../asrc/lib/krb5/krb/x-deltat.y" +#line 140 "./x-deltat.y" { yyval.val = yyvsp[0].val; ; break;} case 9: -#line 94 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ DO (yyvsp[-2].val, 0, 0, yyvsp[0].val); ; +#line 141 "./x-deltat.y" +{ YYERROR ; break;} case 10: -#line 95 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ DO ( 0, yyvsp[-2].val, 0, yyvsp[0].val); ; +#line 143 "./x-deltat.y" +{ DO (yyvsp[-2].val, 0, 0, yyvsp[0].val); ; break;} case 11: -#line 96 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ DO ( 0, 0, yyvsp[-2].val, yyvsp[0].val); ; +#line 144 "./x-deltat.y" +{ DO ( 0, yyvsp[-2].val, 0, yyvsp[0].val); ; break;} case 12: -#line 97 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ DO ( 0, 0, 0, yyvsp[-1].val); ; +#line 145 "./x-deltat.y" +{ DO ( 0, 0, yyvsp[-2].val, yyvsp[0].val); ; break;} case 13: -#line 98 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ DO (yyvsp[-6].val, yyvsp[-4].val, yyvsp[-2].val, yyvsp[0].val); ; +#line 146 "./x-deltat.y" +{ DO ( 0, 0, 0, yyvsp[-1].val); ; break;} case 14: -#line 99 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ DO ( 0, yyvsp[-4].val, yyvsp[-2].val, yyvsp[0].val); ; +#line 147 "./x-deltat.y" +{ DO (yyvsp[-6].val, yyvsp[-4].val, yyvsp[-2].val, yyvsp[0].val); ; break;} case 15: -#line 100 "../../../../asrc/lib/krb5/krb/x-deltat.y" +#line 148 "./x-deltat.y" +{ DO ( 0, yyvsp[-4].val, yyvsp[-2].val, yyvsp[0].val); ; + break;} +case 16: +#line 149 "./x-deltat.y" { DO ( 0, yyvsp[-2].val, yyvsp[0].val, 0); ; break;} case 17: -#line 105 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ yyval.val = yyvsp[-2].val * 3600 + yyvsp[0].val; ; +#line 150 "./x-deltat.y" +{ DO ( 0, 0, 0, yyvsp[0].val); ; break;} case 19: -#line 108 "../../../../asrc/lib/krb5/krb/x-deltat.y" -{ yyval.val = yyvsp[-2].val * 60 + yyvsp[0].val; ; +#line 155 "./x-deltat.y" 
+{ if (HOUR_NOT_OK(yyvsp[-2].val)) YYERROR; + DO_SUM(yyval.val, yyvsp[-2].val * 3600, yyvsp[0].val); ; + break;} +case 21: +#line 159 "./x-deltat.y" +{ if (MIN_NOT_OK(yyvsp[-2].val)) YYERROR; + DO_SUM(yyval.val, yyvsp[-2].val * 60, yyvsp[0].val); ; break;} -case 20: -#line 110 "../../../../asrc/lib/krb5/krb/x-deltat.y" +case 22: +#line 162 "./x-deltat.y" { yyval.val = 0; ; break;} } /* the action file gets copied in in place of this dollarsign */ -#line 542 "/mit/gnu/share/bison.simple" +#line 543 "/usr/share/bison.simple" yyvsp -= yylen; yyssp -= yylen; @@ -998,11 +1057,11 @@ yyerrhandle: } return 1; } -#line 113 "../../../../asrc/lib/krb5/krb/x-deltat.y" +#line 165 "./x-deltat.y" static int -mylex (int *intp, char **pp) +mylex (krb5_int32 *intp, char **pp) { int num, c; #define P (*pp) @@ -1032,8 +1091,12 @@ mylex (int *intp, char **pp) case '9': /* XXX assumes ASCII */ num = c - '0'; - while (isdigit (*P)) { + while (isdigit ((int) *P)) { + if (num > MAX_TIME / 10) + return OVERFLOW; num *= 10; + if (num > MAX_TIME - (*P - '0')) + return OVERFLOW; num += *P++ - '0'; } *intp = num; @@ -1041,7 +1104,7 @@ mylex (int *intp, char **pp) case ' ': case '\t': case '\n': - while (isspace (*P)) + while (isspace ((int) *P)) P++; return WS; default: @@ -1049,16 +1112,14 @@ mylex (int *intp, char **pp) } } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_string_to_deltat(string, deltatp) - char FAR * string; - krb5_deltat FAR * deltatp; +krb5_error_code KRB5_CALLCONV +krb5_string_to_deltat(char *string, krb5_deltat *deltatp) { struct param p; p.delta = 0; p.p = string; if (yyparse (&p)) - return EINVAL; + return KRB5_DELTAT_BADFORMAT; *deltatp = p.delta; return 0; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/enc_helper.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/enc_helper.c index d3cab887b7..dc274620da 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/enc_helper.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/enc_helper.c 
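Review bot: In `mylex`, `isdigit ((int) *P)` can still hand a negative value to the ctype function where plain `char` is signed and `*P` has its high bit set, because the `(int)` cast sign-extends instead of narrowing to the `unsigned char` range that `<ctype.h>` requires; the same holds for `isspace ((int) *P)` in the following hunk. Use `isdigit ((unsigned char) *P)` and `isspace ((unsigned char) *P)`. The two added `MAX_TIME` tests in the digit loop bound `num` before the multiply and before the add, which is the right order, but `MAX_TIME` is defined outside this hunk, so confirm it fits in `int num`. The `#line 165 "./x-deltat.y"` marker indicates this code is copied from the grammar file, so the change belongs in x-deltat.y and the parser should be regenerated.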
@@ -28,18 +28,13 @@ #include <k5-int.h> krb5_error_code -krb5_encrypt_helper(context, key, usage, plain, cipher) - krb5_context context; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *plain; - krb5_enc_data *cipher; +krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *plain, krb5_enc_data *cipher) { krb5_error_code ret; size_t enclen; - if (ret = krb5_c_encrypt_length(context, key->enctype, plain->length, - &enclen)) + if ((ret = krb5_c_encrypt_length(context, key->enctype, plain->length, + &enclen))) return(ret); cipher->ciphertext.length = enclen; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encode_kdc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encode_kdc.c index 9bb0ca02b6..d0df5605e4 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encode_kdc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encode_kdc.c @@ -45,15 +45,10 @@ /* due to argument promotion rules, we need to use the DECLARG/OLDDECLARG stuff... */ krb5_error_code -krb5_encode_kdc_rep(context, type, encpart, using_subkey, client_key, - dec_rep, enc_rep) - krb5_context context; - const krb5_msgtype type; - const krb5_enc_kdc_rep_part * encpart; - int using_subkey; - const krb5_keyblock * client_key; - krb5_kdc_rep * dec_rep; - krb5_data ** enc_rep; +krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type, + const krb5_enc_kdc_rep_part *encpart, + int using_subkey, const krb5_keyblock *client_key, + krb5_kdc_rep *dec_rep, krb5_data **enc_rep) { krb5_data *scratch; krb5_error_code retval; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encrypt_tk.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encrypt_tk.c index 8e30e02dbd..5b6621ec8b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encrypt_tk.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/encrypt_tk.c 
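Review bot: The converted definition of `krb5_encrypt_helper` puts all five parameters on one line well past 80 columns, while `krb5_encode_kdc_rep` in the next file of this commit wraps its list. Wrap it the same way: `krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,` then `krb5_keyusage usage, const krb5_data *plain,` then `krb5_enc_data *cipher)`. The same single-line form appears in `krb5_encrypt_tkt_part`, `krb5_get_cred_from_kdc_opt` and its three wrappers, `krb5_kdcrep2creds`, `krb5_generate_seq_number`, `krb5_generate_subkey`, `krb5_get_validated_creds` and `krb5_get_renewed_creds`. The body of `krb5_encrypt_helper` continues outside the hunk.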
@@ -43,10 +43,7 @@ */ krb5_error_code -krb5_encrypt_tkt_part(context, srv_key, dec_ticket) - krb5_context context; - krb5_const krb5_keyblock *srv_key; - register krb5_ticket *dec_ticket; +krb5_encrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, register krb5_ticket *dec_ticket) { krb5_data *scratch; krb5_error_code retval; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/free_rtree.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/free_rtree.c index 5e631b24e0..cc861b0652 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/free_rtree.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/free_rtree.c @@ -28,9 +28,7 @@ #include "k5-int.h" void -krb5_free_realm_tree(context, realms) - krb5_context context; - krb5_principal *realms; +krb5_free_realm_tree(krb5_context context, krb5_principal *realms) { register krb5_principal *nrealms = realms; while (*nrealms) { diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/fwd_tgt.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/fwd_tgt.c index 72da5d857b..7a3944aa13 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/fwd_tgt.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/fwd_tgt.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -39,7 +39,7 @@ #define flags2options(flags) (flags & KDC_TKT_COMMON_MASK) /* Get a TGT for use at the remote host */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_fwd_tgt_creds( krb5_context context, krb5_auth_context auth_context, diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_frm_kdc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_frm_kdc.c index 4b73a15c0a..a286c6b932 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_frm_kdc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_frm_kdc.c 
@@ -1,12 +1,12 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" /* - * Copyright (c) 1994 by the Massachusetts Institute of Technology. + * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology. * Copyright (c) 1994 CyberSAFE Corporation * Copyright (c) 1993 Open Computing Security Group * Copyright (c) 1990,1991 by the Massachusetts Institute of Technology. @@ -70,13 +70,7 @@ #define FLAGS2OPTS(flags) (flags & KDC_TKT_COMMON_MASK) static krb5_error_code -krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) - krb5_context context; - krb5_ccache ccache; - krb5_creds *in_cred; - krb5_creds **out_cred; - krb5_creds ***tgts; - int kdcopt; +krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, krb5_creds **out_cred, krb5_creds ***tgts, int kdcopt) { krb5_creds **ret_tgts = NULL; int ntgts = 0; @@ -88,7 +82,7 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) krb5_principal *tgs_list = NULL; krb5_principal *top_server = NULL; krb5_principal *next_server = NULL; - int nservers = 0; + unsigned int nservers = 0; krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes; /* in case we never get a TGT, zero the return */ 
@@ -258,18 +252,14 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) /* didn't find it in the cache so try and get one */ /* with current tgt. */ - if (!valid_enctype(tgt.keyblock.enctype)) { + if (!krb5_c_valid_enctype(tgt.keyblock.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } krb5_free_cred_contents(context, &tgtq); memset(&tgtq, 0, sizeof(tgtq)); -#ifdef HAVE_C_STRUCTURE_ASSIGNMENT tgtq.times = tgt.times; -#else - memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times)); -#endif if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client))) goto cleanup; @@ -277,10 +267,11 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, + retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, &tgtq, &tgtr))) { - + tgt.addresses, &tgtq, &tgtr); + if (retval) { + /* * couldn't get one so now loop backwards through the realms * list and try and get a tgt for a realm as close to the @@ -326,7 +317,7 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) /* not in the cache so try and get one with our current tgt. */ - if (!valid_enctype(tgt.keyblock.enctype)) { + if (!krb5_c_valid_enctype(tgt.keyblock.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } @@ -342,12 +333,12 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, - &tgtq, &tgtr))) { + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, + &tgtq, &tgtr); + if (retval) continue; - } /* save tgt in return array */ if ((retval = krb5_copy_creds(context, tgtr, 
@@ -382,7 +373,9 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) for (next_server = top_server; *next_server; next_server++) { krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1); krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1); - if (realm_1->length == realm_2->length && + if (realm_1 != NULL && + realm_2 != NULL && + realm_1->length == realm_2->length && !memcmp(realm_1->data, realm_2->data, realm_1->length)) { break; } @@ -410,16 +403,17 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt) /* got/finally have tgt! try for the creds */ - if (!valid_enctype(tgt.keyblock.enctype)) { + if (!krb5_c_valid_enctype(tgt.keyblock.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } context->use_conf_ktypes = old_use_conf_ktypes; - retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) | + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgt.ticket_flags) | kdcopt | - (in_cred->second_ticket.length ? - KDC_OPT_ENC_TKT_IN_SKEY : 0), + (in_cred->second_ticket.length ? + KDC_OPT_ENC_TKT_IN_SKEY : 0), tgt.addresses, in_cred, out_cred); /* cleanup and return */ @@ -440,12 +434,7 @@ cleanup: } krb5_error_code -krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) - krb5_context context; - krb5_ccache ccache; - krb5_creds *in_cred; - krb5_creds **out_cred; - krb5_creds ***tgts; +krb5_get_cred_from_kdc(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, krb5_creds **out_cred, krb5_creds ***tgts) { return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, 
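Review bot: In the `for (next_server = top_server; *next_server; next_server++)` loop, `realm_2` is recomputed from `tgtr->server` on every iteration although it does not depend on `next_server`, and with the new NULL test a NULL `realm_2` makes every iteration fall through without a match. Hoist `krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1);` above the loop and test it for NULL once there, so a returned TGT whose server principal has no second component is rejected in one visible place. How the no-match case is handled after the loop lies outside this hunk; confirm it sets an error rather than continuing with `*next_server` at the terminator.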
@@ -453,12 +442,7 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) } krb5_error_code -krb5_get_cred_from_kdc_validate(context, ccache, in_cred, out_cred, tgts) - krb5_context context; - krb5_ccache ccache; - krb5_creds *in_cred; - krb5_creds **out_cred; - krb5_creds ***tgts; +krb5_get_cred_from_kdc_validate(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, krb5_creds **out_cred, krb5_creds ***tgts) { return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, @@ -466,12 +450,7 @@ krb5_get_cred_from_kdc_validate(context, ccache, in_cred, out_cred, tgts) } krb5_error_code -krb5_get_cred_from_kdc_renew(context, ccache, in_cred, out_cred, tgts) - krb5_context context; - krb5_ccache ccache; - krb5_creds *in_cred; - krb5_creds **out_cred; - krb5_creds ***tgts; +krb5_get_cred_from_kdc_renew(krb5_context context, krb5_ccache ccache, krb5_creds *in_cred, krb5_creds **out_cred, krb5_creds ***tgts) { return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_via_tkt.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_via_tkt.c index 8bef9aec39..e80364cdfc 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_via_tkt.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gc_via_tkt.c @@ -35,12 +35,7 @@ #define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew) static krb5_error_code -krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds) - krb5_context context; - krb5_kdc_rep * pkdcrep; - krb5_address *const * address; - krb5_data * psectkt; - krb5_creds ** ppcreds; +krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address, krb5_data *psectkt, krb5_creds **ppcreds) { krb5_error_code retval; krb5_data *pdata; 
@@ -103,13 +98,9 @@ cleanup: } krb5_error_code -krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) - krb5_context context; - krb5_creds * tkt; - const krb5_flags kdcoptions; - krb5_address *const * address; - krb5_creds * in_cred; - krb5_creds ** out_cred; +krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, + krb5_flags kdcoptions, krb5_address *const *address, + krb5_creds *in_cred, krb5_creds **out_cred) { krb5_error_code retval; krb5_kdc_rep *dec_rep; @@ -180,7 +171,7 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) if (retval) /* neither proper reply nor error! */ goto error_4; - retval = err_reply->error + ERROR_TABLE_BASE_krb5; + retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5; krb5_free_error(context, err_reply); goto error_4; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_seqnum.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_seqnum.c index 626088d511..23a8a34ec8 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_seqnum.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_seqnum.c @@ -1,3 +1,8 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + #pragma ident "%Z%%M% %I% %E% SMI" /* * lib/krb5/krb/gen_seqnum.c 
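Review bot: In the error-reply branch of `krb5_get_cred_via_tkt`, `retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;` casts only the field and then adds the table base with no range check on a value taken from the decoded reply. If `error` can hold a value outside the krb5 error table (its type and the decoder's limits are not visible here), the sum can name an unrelated error code or wrap to 0, in which case the `goto error_4` path would presumably report success without `out_cred` being filled. Guard the result, for example `if (retval == 0) retval = KRB5KRB_ERR_GENERIC;`, or validate `err_reply->error` before adding. The function starts and ends outside this hunk.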
@@ -37,20 +42,39 @@ #endif krb5_error_code -krb5_generate_seq_number(context, key, seqno) - krb5_context context; - krb5_const krb5_keyblock *key; - krb5_int32 *seqno; +krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui_4 *seqno) { krb5_data seed; krb5_error_code retval; +#if 0 +/* + * Solaris Kerberos: Don't bother with this PRNG stuff, + * we have /dev/random and PKCS#11 to handle Random Numbers. + */ + seed.length = key->length; seed.data = (char *)key->contents; - if ((retval = krb5_c_random_seed(context, &seed))) + if ((retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed))) return(retval); +#endif /* 0 */ seed.length = sizeof(*seqno); seed.data = (char *) seqno; - return(krb5_c_random_make_octets(context, &seed)); + retval = krb5_c_random_make_octets(context, &seed); + if (retval) + return retval; + /* + * Work around implementation incompatibilities by not generating + * initial sequence numbers greater than 2^30. Previous MIT + * implementations use signed sequence numbers, so initial + * sequence numbers 2^31 to 2^32-1 inclusive will be rejected. + * Letting the maximum initial sequence number be 2^30-1 allows + * for about 2^30 messages to be sent before wrapping into + * "negative" numbers. + */ + *seqno &= 0x3fffffff; + if (*seqno == 0) + *seqno = 1; + return 0; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_subkey.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_subkey.c index a9a6fb2066..3fa1a80ce7 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_subkey.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gen_subkey.c 
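Review bot: After this change `krb5_generate_seq_number` no longer reads `key`, since its only use sits inside the new `#if 0` block, but nothing on the definition says so. Add `/*ARGSUSED*/` above it, as `krb5_generate_subkey` already has, and a comment stating that the sequence number now comes solely from `krb5_c_random_make_octets`. The disabled block would be better deleted than kept: if it were re-enabled it would pass the key contents to the PRNG as `KRB5_C_RANDSOURCE_TRUSTEDPARTY` input, which the Solaris comment says is not wanted, and the same `#if 0` block is added in gen_subkey.c. The mask `0x3fffffff` would also read better as a named constant placed next to the comment that explains it.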
@@ -32,18 +32,23 @@ /*ARGSUSED*/ krb5_error_code -krb5_generate_subkey(context, key, subkey) - krb5_context context; - krb5_const krb5_keyblock *key; - krb5_keyblock **subkey; +krb5_generate_subkey(krb5_context context, const krb5_keyblock *key, krb5_keyblock **subkey) { krb5_error_code retval; + +#if 0 +/* + * Solaris Kerberos: Don't bother with this PRNG stuff, + * we have /dev/random and PKCS#11 to handle Random Numbers. + */ + krb5_data seed; seed.length = key->length; seed.data = (char *)key->contents; - if ((retval = krb5_c_random_seed(context, &seed))) + if ((retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed))) return(retval); +#endif /* 0 */ if ((*subkey = (krb5_keyblock *) malloc(sizeof(krb5_keyblock))) == NULL) return(ENOMEM); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_creds.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_creds.c index 87a4470622..e0a9834271 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_creds.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_creds.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -54,14 +54,9 @@ /*ARGSUSED*/ static krb5_error_code -krb5_get_credentials_core( - krb5_context context, - const krb5_flags options, - krb5_ccache ccache, - krb5_creds *in_creds, - krb5_creds **out_creds, /* not used */ - krb5_creds *mcreds, - krb5_flags *fields) +krb5_get_credentials_core(krb5_context context, krb5_flags options, + krb5_creds *in_creds, krb5_creds *mcreds, + krb5_flags *fields) { krb5_error_code ret = 0; 
@@ -127,13 +122,10 @@ krb5_get_credentials_core( return 0; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_credentials( - krb5_context context, - const krb5_flags options, - krb5_ccache ccache, - krb5_creds *in_creds, - krb5_creds **out_creds) +krb5_error_code KRB5_CALLCONV +krb5_get_credentials(krb5_context context, krb5_flags options, + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds) { krb5_error_code retval; krb5_creds mcreds; @@ -142,8 +134,8 @@ krb5_get_credentials( krb5_flags fields; int not_ktype; - retval = krb5_get_credentials_core(context, options, ccache, - in_creds, out_creds, + retval = krb5_get_credentials_core(context, options, + in_creds, &mcreds, &fields); if (retval) return retval; @@ -210,14 +202,9 @@ krb5_get_credentials( /*ARGSUSED*/ static krb5_error_code -krb5_get_credentials_val_renew_core(context, options, ccache, - in_creds, out_creds, which) - krb5_context context; - const krb5_flags options; - krb5_ccache ccache; - krb5_creds *in_creds; - krb5_creds **out_creds; - int which; +krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options, + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds, int which) { krb5_error_code retval; krb5_principal tmp; 
@@ -254,26 +241,20 @@ krb5_get_credentials_val_renew_core(context, options, ccache, return retval; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_credentials_validate(context, options, ccache, in_creds, out_creds) - krb5_context context; - const krb5_flags options; - krb5_ccache ccache; - krb5_creds *in_creds; - krb5_creds **out_creds; +krb5_error_code KRB5_CALLCONV +krb5_get_credentials_validate(krb5_context context, krb5_flags options, + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds) { return(krb5_get_credentials_val_renew_core(context, options, ccache, in_creds, out_creds, INT_GC_VALIDATE)); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_credentials_renew(context, options, ccache, in_creds, out_creds) - krb5_context context; - const krb5_flags options; - krb5_ccache ccache; - krb5_creds *in_creds; - krb5_creds **out_creds; +krb5_error_code KRB5_CALLCONV +krb5_get_credentials_renew(krb5_context context, krb5_flags options, + krb5_ccache ccache, krb5_creds *in_creds, + krb5_creds **out_creds) { return(krb5_get_credentials_val_renew_core(context, options, ccache, @@ -282,14 +263,9 @@ krb5_get_credentials_renew(context, options, ccache, in_creds, out_creds) } static krb5_error_code -krb5_validate_or_renew_creds(context, creds, client, ccache, in_tkt_service, - validate) - krb5_context context; - krb5_creds *creds; - krb5_principal client; - krb5_ccache ccache; - char *in_tkt_service; - int validate; +krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds, + krb5_principal client, krb5_ccache ccache, + char *in_tkt_service, int validate) { krb5_error_code ret; krb5_creds in_creds; /* only client and server need to be filled in */ 
@@ -308,7 +284,7 @@ krb5_validate_or_renew_creds(context, creds, client, ccache, in_tkt_service, in the library, so I'm going to manipulate the data structures directly, otherwise, it will be worse. */ - if (ret = krb5_parse_name(context, in_tkt_service, &in_creds.server)) + if ((ret = krb5_parse_name(context, in_tkt_service, &in_creds.server))) goto cleanup; /* stuff the client realm into the server principal. @@ -325,14 +301,14 @@ krb5_validate_or_renew_creds(context, creds, client, ccache, in_tkt_service, memcpy(in_creds.server->realm.data, in_creds.client->realm.data, in_creds.client->realm.length); } else { - if (ret = krb5_build_principal_ext(context, &in_creds.server, + if ((ret = krb5_build_principal_ext(context, &in_creds.server, in_creds.client->realm.length, in_creds.client->realm.data, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, in_creds.client->realm.length, in_creds.client->realm.data, - 0)) + 0))) goto cleanup; } @@ -359,25 +335,15 @@ cleanup: return(ret); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_validated_creds(context, creds, client, ccache, in_tkt_service) - krb5_context context; - krb5_creds *creds; - krb5_principal client; - krb5_ccache ccache; - char *in_tkt_service; +krb5_error_code KRB5_CALLCONV +krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service) { return(krb5_validate_or_renew_creds(context, creds, client, ccache, in_tkt_service, 1)); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_renewed_creds(context, creds, client, ccache, in_tkt_service) - krb5_context context; - krb5_creds *creds; - krb5_principal client; - krb5_ccache ccache; - char *in_tkt_service; +krb5_error_code KRB5_CALLCONV +krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service) { return(krb5_validate_or_renew_creds(context, creds, client, ccache, in_tkt_service, 0)); 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_in_tkt.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_in_tkt.c index d87cbe38d6..a3b62d4633 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_in_tkt.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_in_tkt.c @@ -37,6 +37,9 @@ #include <string.h> #include <k5-int.h> +#include <krb5.h> +#include <int-proto.h> +#include <os-proto.h> /* All-purpose initial ticket routine, usually called via @@ -69,20 +72,38 @@ /* some typedef's for the function args to make things look a bit cleaner */ -typedef krb5_error_code (*git_key_proc) PROTOTYPE((krb5_context, +typedef krb5_error_code (*git_key_proc) (krb5_context, const krb5_enctype, krb5_data *, krb5_const_pointer, - krb5_keyblock **)); + krb5_keyblock **); -typedef krb5_error_code (*git_decrypt_proc) PROTOTYPE((krb5_context, +typedef krb5_error_code (*git_decrypt_proc) (krb5_context, const krb5_keyblock *, krb5_const_pointer, - krb5_kdc_rep * )); + krb5_kdc_rep *); -static krb5_error_code make_preauth_list PROTOTYPE((krb5_context, +static krb5_error_code make_preauth_list (krb5_context, krb5_preauthtype *, - int, krb5_pa_data ***)); + int, krb5_pa_data ***); + +/* + * This function performs 32 bit bounded addition so we can generate + * lifetimes without overflowing krb5_int32 + */ +static krb5_int32 krb5int_addint32 (krb5_int32 x, krb5_int32 y) +{ + if ((x > 0) && (y > (KRB5_INT32_MAX - x))) { + /* sum will be be greater than KRB5_INT32_MAX */ + return KRB5_INT32_MAX; + } else if ((x < 0) && (y < (KRB5_INT32_MIN - x))) { + /* sum will be less than KRB5_INT32_MIN */ + return KRB5_INT32_MIN; + } + + return x + y; +} + /* * This function sends a request to the KDC, and gets back a response; * the response is parsed into ret_err_reply or ret_as_reply if the 
@@ -90,14 +111,12 @@ static krb5_error_code make_preauth_list PROTOTYPE((krb5_context, * unexpected response, an error is returned. */ static krb5_error_code -send_as_request(context, request, time_now, ret_err_reply, ret_as_reply, - use_master) - krb5_context context; - krb5_kdc_req *request; - krb5_timestamp *time_now; - krb5_error ** ret_err_reply; - krb5_kdc_rep ** ret_as_reply; - int use_master; +send_as_request(krb5_context context, + krb5_kdc_req *request, + krb5_timestamp *time_now, + krb5_error ** ret_err_reply, + krb5_kdc_rep ** ret_as_reply, + int *use_master) { krb5_kdc_rep *as_reply = 0; krb5_error_code retval; @@ -203,16 +222,14 @@ cleanup: } static krb5_error_code -decrypt_as_reply(context, request, as_reply, key_proc, keyseed, key, - decrypt_proc, decryptarg) - krb5_context context; - krb5_kdc_req *request; - krb5_kdc_rep *as_reply; - git_key_proc key_proc; - krb5_const_pointer keyseed; - krb5_keyblock * key; - git_decrypt_proc decrypt_proc; - krb5_const_pointer decryptarg; +decrypt_as_reply(krb5_context context, + krb5_kdc_req *request, + krb5_kdc_rep *as_reply, + git_key_proc key_proc, + krb5_const_pointer keyseed, + krb5_keyblock * key, + git_decrypt_proc decrypt_proc, + krb5_const_pointer decryptarg) { krb5_error_code retval; krb5_keyblock * decrypt_key = 0; @@ -279,11 +296,10 @@ cleanup: } static krb5_error_code -verify_as_reply(context, time_now, request, as_reply) - krb5_context context; - krb5_timestamp time_now; - krb5_kdc_req *request; - krb5_kdc_rep *as_reply; +verify_as_reply(krb5_context context, + krb5_timestamp time_now, + krb5_kdc_req *request, + krb5_kdc_rep *as_reply) { krb5_error_code retval; 
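Review bot: `send_as_request` now takes `int *use_master` where it took `int use_master`, and the exported `krb5_get_init_creds` gets the same change in a later hunk, but neither definition documents the new contract. Add a comment to both stating whether the argument is written back and whether NULL is accepted, for example `/* use_master: in/out flag, must not be NULL (TODO confirm) */`. The bodies that dereference it lie outside these hunks, so check that every use is safe for callers that previously passed a plain 0 or 1.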
@@ -330,13 +346,12 @@ verify_as_reply(context, time_now, request, as_reply) /*ARGSUSED*/ static krb5_error_code -stash_as_reply(context, time_now, request, as_reply, creds, ccache) - krb5_context context; - krb5_timestamp time_now; - krb5_kdc_req *request; - krb5_kdc_rep *as_reply; - krb5_creds * creds; - krb5_ccache ccache; +stash_as_reply(krb5_context context, + krb5_timestamp time_now, + krb5_kdc_req *request, + krb5_kdc_rep *as_reply, + krb5_creds * creds, + krb5_ccache ccache) { krb5_error_code retval; krb5_data * packet; @@ -347,12 +362,12 @@ stash_as_reply(context, time_now, request, as_reply, creds, ccache) server = NULL; if (!creds->client) - if (retval = krb5_copy_principal(context, as_reply->client, &client)) + if ((retval = krb5_copy_principal(context, as_reply->client, &client))) goto cleanup; if (!creds->server) - if (retval = krb5_copy_principal(context, as_reply->enc_part2->server, - &server)) + if ((retval = krb5_copy_principal(context, as_reply->enc_part2->server, + &server))) goto cleanup; /* fill in the credentials */ @@ -415,11 +430,10 @@ cleanup: /*ARGSUSED*/ static krb5_error_code -make_preauth_list(context, ptypes, nptypes, ret_list) - krb5_context context; - krb5_preauthtype * ptypes; - int nptypes; - krb5_pa_data *** ret_list; +make_preauth_list(krb5_context context, + krb5_preauthtype * ptypes, + int nptypes, + krb5_pa_data *** ret_list) { krb5_preauthtype * ptypep; krb5_pa_data ** preauthp; 
@@ -459,27 +473,37 @@ make_preauth_list(context, ptypes, nptypes, ret_list) } #define MAX_IN_TKT_LOOPS 16 +/* SUNW14resync - Solaris krb does not use this (appearently) */ +#if 0 +static const krb5_enctype get_in_tkt_enctypes[] = { + ENCTYPE_DES3_CBC_SHA1, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_MD4, + ENCTYPE_DES_CBC_CRC, + 0 +}; +#endif /* begin libdefaults parsing code. This should almost certainly move somewhere else, but I don't know where the correct somewhere else is yet. */ /* XXX Duplicating this is annoying; try to work on a better way.*/ -static char *conf_yes[] = { +static const char *const conf_yes[] = { "y", "yes", "true", "t", "1", "on", 0, }; -static char *conf_no[] = { +static const char *const conf_no[] = { "n", "no", "false", "nil", "0", "off", 0, }; int -_krb5_conf_boolean(s) - char *s; +_krb5_conf_boolean(const char *s) { - char **p; + const char *const *p; for(p=conf_yes; *p; p++) { if (!strcasecmp(*p,s)) @@ -496,11 +520,8 @@ _krb5_conf_boolean(s) } static krb5_error_code -krb5_libdefault_string(context, realm, option, ret_value) - krb5_context context; - const krb5_data *realm; - const char *option; - char **ret_value; +krb5_libdefault_string(krb5_context context, const krb5_data *realm, + const char *option, char **ret_value) { profile_t profile; const char *names[5]; @@ -574,11 +595,8 @@ goodbye: /* as well as the DNS code */ krb5_error_code -krb5_libdefault_boolean(context, realm, option, ret_value) - krb5_context context; - const char *option; - const krb5_data *realm; - int *ret_value; +krb5_libdefault_boolean(krb5_context context, const krb5_data *realm, + const char *option, int *ret_value) { char *string = NULL; krb5_error_code retval; 
@@ -594,28 +612,26 @@ krb5_libdefault_boolean(context, realm, option, ret_value) return(0); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_init_creds(context, creds, client, prompter, prompter_data, - start_time, in_tkt_service, options, gak_fct, gak_data, - use_master, as_reply) - krb5_context context; - krb5_creds *creds; - krb5_principal client; - krb5_prompter_fct prompter; - void *prompter_data; - krb5_deltat start_time; - char *in_tkt_service; - krb5_get_init_creds_opt *options; - krb5_gic_get_as_key_fct gak_fct; - void *gak_data; - int use_master; - krb5_kdc_rep **as_reply; +krb5_error_code KRB5_CALLCONV +krb5_get_init_creds(krb5_context context, + krb5_creds *creds, + krb5_principal client, + krb5_prompter_fct prompter, + void *prompter_data, + krb5_deltat start_time, + char *in_tkt_service, + krb5_get_init_creds_opt *options, + krb5_gic_get_as_key_fct gak_fct, + void *gak_data, + int *use_master, + krb5_kdc_rep **as_reply) { krb5_error_code ret; krb5_kdc_req request; krb5_pa_data **padata; int tempint; - char *tempstr; + char *tempstr = NULL; + krb5_deltat tkt_life; krb5_deltat renew_life; krb5_deltat max_life; int loopcount; 
@@ -679,38 +695,82 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, if (tempint) request.kdc_options |= KDC_OPT_PROXIABLE; - /* renewable */ + /* allow_postdate */ + if (start_time > 0) + request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED); + + /* ticket lifetime */ + + if ((ret = krb5_timeofday(context, &request.from))) + goto cleanup; + request.from = krb5int_addint32(request.from, start_time); + + if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) { + tkt_life = options->tkt_life; + } else if ((ret = krb5_libdefault_string(context, &client->realm, + "ticket_lifetime", &tempstr)) + == 0) { + if ((ret = krb5_string_to_deltat(tempstr, &tkt_life))) { + free(tempstr); + tempstr = NULL; + goto cleanup; + } + if (tempstr) { + free(tempstr); + tempstr = NULL; + } + } else { + /* this used to be hardcoded in kinit.c */ + tkt_life = 24*60*60; + } + request.till = krb5int_addint32(request.from, tkt_life); + + /* renewable lifetime */ + if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) { renew_life = options->renew_life; } else if ((ret = krb5_libdefault_string(context, &client->realm, "renew_lifetime", &tempstr)) == 0) { - if (ret = krb5_string_to_deltat(tempstr, &renew_life)) { + if ((ret = krb5_string_to_deltat(tempstr, &renew_life))) { free(tempstr); goto cleanup; } + if (tempstr) { + free(tempstr); + tempstr = NULL; + } } else { renew_life = 0; } if (renew_life > 0) request.kdc_options |= KDC_OPT_RENEWABLE; - /* allow_postdate */ - - if (start_time > 0) - request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED); + if (renew_life > 0) { + request.rtime = krb5int_addint32(request.from, renew_life); + if (request.rtime < request.till) { + /* don't ask for a smaller renewable time than the lifetime */ + request.rtime = request.till; + } + /* we are already asking for renewable tickets so strip this option */ + request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK); + } else { + request.rtime = 0; + 
} /* client */ request.client = client; + /* service */ + if (in_tkt_service) { /* this is ugly, because so are the data structures involved. I'm in the library, so I'm going to manipulate the data structures directly, otherwise, it will be worse. */ - if (ret = krb5_parse_name(context, in_tkt_service, &request.server)) + if ((ret = krb5_parse_name(context, in_tkt_service, &request.server))) goto cleanup; /* stuff the client realm into the server principal. @@ -727,46 +787,17 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, memcpy(request.server->realm.data, request.client->realm.data, request.client->realm.length); } else { - if (ret = krb5_build_principal_ext(context, &request.server, + if ((ret = krb5_build_principal_ext(context, &request.server, request.client->realm.length, request.client->realm.data, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, request.client->realm.length, request.client->realm.data, - 0)) + 0))) goto cleanup; } - if (ret = krb5_timeofday(context, &request.from)) - goto cleanup; - request.from += start_time; - - request.till = request.from; - if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) - request.till += options->tkt_life; - else if ((ret = krb5_libdefault_string(context, &client->realm, - "max_lifetime", &tempstr)) == 0) { - /* Solaris Kerberos: max_lifetime parameter support (tkt lifetime) */ - if (ret = krb5_string_to_deltat(tempstr, &max_life)) { - free(tempstr); - goto cleanup; - } - request.till += max_life; - } else { - /* Solaris Kerberos: defaulting to infinity. Note 0 == infinity (ASN1 - * encoding will do the right thing). - */ - request.till = 0; - } - - if (renew_life > 0) { - request.rtime = request.from; - request.rtime += renew_life; - } else { - request.rtime = 0; - } - /* nonce is filled in by send_as_request */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) { 
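Review bot: The `renew_lifetime` error path in the `@@ -679` hunk calls `free(tempstr)` and jumps to `cleanup` without clearing the pointer, while the new `ticket_lifetime` branch just above it sets `tempstr = NULL` first. If the cleanup block releases `tempstr`, a malformed `renew_lifetime` value would free the same buffer twice; the cleanup label is outside this hunk, so this needs confirming. Make the two branches agree with `free(tempstr); tempstr = NULL; goto cleanup;`. The `max_life` local kept in the declarations appears to have no remaining user once the `max_lifetime` block is removed in the following hunk.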
@@ -790,12 +821,12 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, that would be work. */ else if (((ret = krb5_libdefault_boolean(context, &client->realm, "no_addresses", &tempint)) == 0) - && tempint) { + || (tempint == 1)) { /*EMPTY*/ ; } else if (((ret = krb5_libdefault_boolean(context, &client->realm, "noaddresses", &tempint)) == 0) - && tempint) { + || (tempint == 1)) { /*EMPTY*/ ; } else { @@ -811,9 +842,9 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, /* set up the other state. */ if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) { - if (ret = make_preauth_list(context, options->preauth_list, + if ((ret = make_preauth_list(context, options->preauth_list, options->preauth_list_length, - &padata)) + &padata))) goto cleanup; } @@ -835,10 +866,10 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, request.padata = NULL; } - if (ret = krb5_do_preauth(context, &request, + if ((ret = krb5_do_preauth(context, &request, padata, &request.padata, &salt, &s2kparams, &etype, &as_key, prompter, - prompter_data, gak_fct, gak_data)) + prompter_data, gak_fct, gak_data))) goto cleanup; if (padata) { @@ -861,7 +892,8 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, if (ret) goto cleanup; } else { - ret = err_reply->error + ERROR_TABLE_BASE_krb5; + ret = (krb5_error_code) err_reply->error + + ERROR_TABLE_BASE_krb5; krb5_free_error(context, err_reply); goto cleanup; } @@ -880,10 +912,10 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, /* process any preauth data in the as_reply */ - if (ret = krb5_do_preauth(context, &request, + if ((ret = krb5_do_preauth(context, &request, local_as_reply->padata, &padata, &salt, &s2kparams, &etype, &as_key, prompter, - prompter_data, gak_fct, gak_data)) + prompter_data, gak_fct, gak_data))) goto cleanup; /* XXX if there's padata on output, something is wrong, but it's 
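Review bot: The `no_addresses` and `noaddresses` tests now read `(ret == 0) || (tempint == 1)`, so the no-address branch is taken whenever the profile lookup succeeds, including when the administrator set the option to false. When the lookup fails, the right-hand side reads `tempint`, which krb5_libdefault_boolean presumably leaves untouched, so a value left over from an earlier lookup such as the proxiable one decides the outcome. If the intent is to default to address-less tickets when the option is absent, write that explicitly as `(ret != 0) || tempint`; otherwise restore `&& tempint`. Address-less tickets are not bound to a host, so the chosen default deserves a comment next to the test. The function body continues outside the hunk.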
@@ -913,20 +945,21 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, if (ret) { /* if we haven't get gotten a key, get it now */ - if (ret = ((*gak_fct)(context, request.client, + if ((ret = ((*gak_fct)(context, request.client, local_as_reply->enc_part.enctype, prompter, prompter_data, &salt, &s2kparams, - &as_key, gak_data))) + &as_key, gak_data)))) goto cleanup; - if (ret=decrypt_as_reply(context, (krb5_kdc_req *)NULL, local_as_reply, - (git_key_proc)NULL, (krb5_const_pointer)NULL, - &as_key, krb5_kdc_rep_decrypt_proc, - (krb5_const_pointer)NULL)) + if ((ret=decrypt_as_reply(context, (krb5_kdc_req *)NULL, + local_as_reply, (git_key_proc)NULL, + (krb5_const_pointer)NULL, &as_key, + krb5_kdc_rep_decrypt_proc, + (krb5_const_pointer)NULL))) goto cleanup; } - if (ret = verify_as_reply(context, time_now, &request, local_as_reply)) + if ((ret = verify_as_reply(context, time_now, &request, local_as_reply))) goto cleanup; /* @@ -936,8 +969,8 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, */ (void) memset(creds, 0, sizeof(*creds)); - if (ret = stash_as_reply(context, time_now, &request, local_as_reply, - creds, (krb5_ccache)NULL)) + if ((ret = stash_as_reply(context, time_now, &request, local_as_reply, + creds, (krb5_ccache)NULL))) goto cleanup; /* success */ @@ -963,6 +996,7 @@ cleanup: if (salt.data && (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)))) krb5_xfree(salt.data); + krb5_free_data_contents(context, &s2kparams); if (as_reply) *as_reply = local_as_reply; else if (local_as_reply) diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_keytab.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_keytab.c index 6249a9a674..d2c90b6e76 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_keytab.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_keytab.c 
@@ -1,9 +1,36 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/krb/gic_keytab.c + * + * Copyright (C) 2002, 2003 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + #include <k5-int.h> /*ARGSUSED*/ @@ -32,7 +59,7 @@ krb5_get_as_key_keytab( if (as_key->enctype == etype) return(0); - krb5_free_keyblock(context, as_key); + krb5_free_keyblock_contents(context, as_key); as_key->length = 0; } @@ -71,10 +98,10 @@ krb5_get_init_creds_keytab( krb5_keytab keytab; if (arg_keytab == NULL) { - if (ret = krb5_kt_default(context, &keytab)) + if ((ret = krb5_kt_default(context, &keytab))) return ret; } else { - keytab = arg_keytab; + keytab = arg_keytab; } use_master = 0; 
@@ -84,7 +111,7 @@ krb5_get_init_creds_keytab( ret = krb5_get_init_creds(context, creds, client, NULL, NULL, start_time, in_tkt_service, options, krb5_get_as_key_keytab, (void *) keytab, - use_master,NULL); + &use_master,NULL); /* check for success */ @@ -105,7 +132,7 @@ krb5_get_init_creds_keytab( ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL, start_time, in_tkt_service, options, krb5_get_as_key_keytab, (void *) keytab, - use_master, NULL); + &use_master, NULL); if (ret2 == 0) { ret = 0; @@ -115,7 +142,7 @@ krb5_get_init_creds_keytab( /* if the master is unreachable, return the error from the slave we were able to contact */ - if ((ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE)) + if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE)) goto cleanup; ret = ret2; 
@@ -131,3 +158,57 @@ cleanup: return(ret); } +krb5_error_code KRB5_CALLCONV +krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, + krb5_address *const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, + krb5_keytab arg_keytab, krb5_ccache ccache, + krb5_creds *creds, krb5_kdc_rep **ret_as_reply) +{ + krb5_error_code retval; + krb5_get_init_creds_opt opt; + char * server = NULL; + krb5_keytab keytab; + krb5_principal client_princ, server_princ; + int use_master = 0; + + krb5int_populate_gic_opt(context, &opt, + options, addrs, ktypes, + pre_auth_types, creds); + if (arg_keytab == NULL) { + retval = krb5_kt_default(context, &keytab); + if (retval) + return retval; + } + else keytab = arg_keytab; + + retval = krb5_unparse_name( context, creds->server, &server); + if (retval) + goto cleanup; + server_princ = creds->server; + client_princ = creds->client; + retval = krb5_get_init_creds (context, + creds, creds->client, + krb5_prompter_posix, NULL, + 0, server, &opt, + krb5_get_as_key_keytab, (void *)keytab, + &use_master, ret_as_reply); + krb5_free_unparsed_name( context, server); + if (retval) { + goto cleanup; + } + if (creds->server) + krb5_free_principal( context, creds->server); + if (creds->client) + krb5_free_principal( context, creds->client); + creds->client = client_princ; + creds->server = server_princ; + + /* store it in the ccache! */ + if (ccache) + if ((retval = krb5_cc_store_cred(context, ccache, creds))) + goto cleanup; + cleanup: if (arg_keytab == NULL) + krb5_kt_close(context, keytab); + return retval; +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_opt.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_opt.c index 98007aa817..87e92d7b75 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_opt.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_opt.c 
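Review bot: The failure path after `krb5_get_init_creds` in krb5_get_in_tkt_with_keytab jumps to `cleanup` without putting `client_princ` and `server_princ` back into `creds`. krb5_get_init_creds clears `*creds` with `memset` before calling `stash_as_reply`, so a failure at that point returns a zeroed structure to the caller and the original principals are reachable only through the two locals. Restore them on the error path too, `if (retval) { creds->client = client_princ; creds->server = server_princ; goto cleanup; }`, after checking whether `stash_as_reply` can leave partly filled fields behind. krb5_get_in_tkt_with_password in gic_pwd.c has the same pattern. `creds` is also dereferenced unconditionally here, although krb5int_populate_gic_opt treats it as optional.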
@@ -1,85 +1,65 @@ #pragma ident "%Z%%M% %I% %E% SMI" #include <k5-int.h> -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_init(opt) - krb5_get_init_creds_opt *opt; +void KRB5_CALLCONV +krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) { opt->flags = 0; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_tkt_life(opt, tkt_life) - krb5_get_init_creds_opt *opt; - krb5_deltat tkt_life; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE; opt->tkt_life = tkt_life; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_renew_life(opt, renew_life) - krb5_get_init_creds_opt *opt; - krb5_deltat renew_life; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE; opt->renew_life = renew_life; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_forwardable(opt, forwardable) - krb5_get_init_creds_opt *opt; - int forwardable; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE; opt->forwardable = forwardable; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_proxiable(opt, proxiable) - krb5_get_init_creds_opt *opt; - int proxiable; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE; opt->proxiable = proxiable; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_etype_list(opt, etype_list, etype_list_length) - krb5_get_init_creds_opt *opt; - krb5_enctype *etype_list; - int etype_list_length; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST; 
opt->etype_list = etype_list; opt->etype_list_length = etype_list_length; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_address_list(opt, addresses) - krb5_get_init_creds_opt *opt; - krb5_address **addresses; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_address **addresses) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST; opt->address_list = addresses; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_preauth_list(opt, preauth_list, - preauth_list_length) - krb5_get_init_creds_opt *opt; - krb5_preauthtype *preauth_list; - int preauth_list_length; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST; opt->preauth_list = preauth_list; opt->preauth_list_length = preauth_list_length; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_get_init_creds_opt_set_salt(opt, salt) - krb5_get_init_creds_opt *opt; - krb5_data *salt; +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; opt->salt = salt; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_pwd.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_pwd.c index 6530c19cfd..704eabd01d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_pwd.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/gic_pwd.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -92,15 +92,16 @@ krb5_get_as_key_password( /* PROMPTER_INVOCATION */ krb5int_set_prompt_types(context, &prompt_type); - if (ret = (((*prompter)(context, prompter_data, NULL, NULL, - 1, &prompt)))) { + if ((ret = (((*prompter)(context, prompter_data, NULL, NULL, + 1, &prompt))))) { krb5int_set_prompt_types(context, 0); return(ret); } krb5int_set_prompt_types(context, 0); } - if ((salt->length == -1) && (salt->data == NULL)) { + if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && + (salt->data == NULL)) { if ((ret = krb5_principal2salt(context, client, &defsalt))) return(ret); @@ -171,7 +172,7 @@ krb5_get_init_creds_password( ret = krb5_get_init_creds(context, creds, client, prompter, data, start_time, in_tkt_service, options, krb5_get_as_key_password, (void *) &pw0, - use_master, &as_reply); + &use_master, &as_reply); /* check for success */ @@ -179,7 +180,7 @@ krb5_get_init_creds_password( goto cleanup; /* If all the kdc's are unavailable, or if the error was due to a - user interrupt, fail */ + user interrupt, or preauth errored out, fail */ if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_PREAUTH_FAILED) || @@ -201,7 +202,7 @@ krb5_get_init_creds_password( ret2 = krb5_get_init_creds(context, creds, client, prompter, data, start_time, in_tkt_service, options, krb5_get_as_key_password, (void *) &pw0, - use_master, &as_reply); + &use_master, &as_reply); if (ret2 == 0) { ret = 0; @@ -290,8 +291,8 @@ krb5_get_init_creds_password( /* PROMPTER_INVOCATION */ krb5int_set_prompt_types(context, prompt_types); - if (ret = ((*prompter)(context, data, 0, banner, - sizeof(prompt)/sizeof(prompt[0]), prompt))) + if ((ret = ((*prompter)(context, data, 0, banner, + sizeof(prompt)/sizeof(prompt[0]), prompt)))) goto cleanup; krb5int_set_prompt_types(context, 0); 
@@ -337,7 +338,7 @@ krb5_get_init_creds_password( ret = krb5_get_init_creds(context, creds, client, prompter, data, start_time, in_tkt_service, options, krb5_get_as_key_password, (void *) &pw0, - use_master, &as_reply); + &use_master, &as_reply); cleanup: krb5int_set_prompt_types(context, 0); 
@@ -425,3 +426,114 @@ cleanup: return(ret); } +void krb5int_populate_gic_opt ( + krb5_context context, krb5_get_init_creds_opt *opt, + krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, krb5_creds *creds) +{ + int i; + krb5_int32 starttime; + + krb5_get_init_creds_opt_init(opt); + if (addrs) + krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs); + if (ktypes) { + for (i=0; ktypes[i]; i++); + if (i) + krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i); + } + if (pre_auth_types) { + for (i=0; pre_auth_types[i]; i++); + if (i) + krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i); + } + if (options&KDC_OPT_FORWARDABLE) + krb5_get_init_creds_opt_set_forwardable(opt, 1); + else krb5_get_init_creds_opt_set_forwardable(opt, 0); + if (options&KDC_OPT_PROXIABLE) + krb5_get_init_creds_opt_set_proxiable(opt, 1); + else krb5_get_init_creds_opt_set_proxiable(opt, 0); + if (creds && creds->times.endtime) { + krb5_timeofday(context, &starttime); + if (creds->times.starttime) starttime = creds->times.starttime; + krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime); + } +} + +/* + Rewrites get_in_tkt in terms of newer get_init_creds API. + Attempts to get an initial ticket for creds->client to use server + creds->server, (realm is taken from creds->client), with options + options, and using creds->times.starttime, creds->times.endtime, + creds->times.renew_till as from, till, and rtime. + creds->times.renew_till is ignored unless the RENEWABLE option is requested. + + If addrs is non-NULL, it is used for the addresses requested. If it is + null, the system standard addresses are used. + + If password is non-NULL, it is converted using the cryptosystem entry + point for a string conversion routine, seeded with the client's name. + If password is passed as NULL, the password is read from the terminal, + and then converted into a key. 
+ + A succesful call will place the ticket in the credentials cache ccache. + + returns system errors, encryption errors + */ +krb5_error_code KRB5_CALLCONV +krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, + krb5_address *const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, + const char *password, krb5_ccache ccache, + krb5_creds *creds, krb5_kdc_rep **ret_as_reply) +{ + krb5_error_code retval; + krb5_data pw0; + char pw0array[1024]; + krb5_get_init_creds_opt opt; + char * server; + krb5_principal server_princ, client_princ; + int use_master = 0; + + pw0array[0] = '\0'; + pw0.data = pw0array; + if (password) { + pw0.length = strlen(password); + if (pw0.length > sizeof(pw0array)) + return EINVAL; + strncpy(pw0.data, password, sizeof(pw0array)); + if (pw0.length == 0) + pw0.length = sizeof(pw0array); + } else { + pw0.length = sizeof(pw0array); + } + krb5int_populate_gic_opt(context, &opt, + options, addrs, ktypes, + pre_auth_types, creds); + retval = krb5_unparse_name( context, creds->server, &server); + if (retval) + return (retval); + server_princ = creds->server; + client_princ = creds->client; + retval = krb5_get_init_creds (context, + creds, creds->client, + krb5_prompter_posix, NULL, + 0, server, &opt, + krb5_get_as_key_password, &pw0, + &use_master, ret_as_reply); + krb5_free_unparsed_name( context, server); + if (retval) { + return (retval); + } + if (creds->server) + krb5_free_principal( context, creds->server); + if (creds->client) + krb5_free_principal( context, creds->client); + creds->client = client_princ; + creds->server = server_princ; + /* store it in the ccache! */ + if (ccache) + if ((retval = krb5_cc_store_cred(context, ccache, creds))) + return (retval); + return retval; +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/init_keyblock.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/init_keyblock.c new file mode 100644 index 0000000000..d402793c46 --- /dev/null 
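Review bot: krb5_get_in_tkt_with_password copies the caller's password into the stack buffer `pw0array` and returns on every path without clearing it, so the cleartext stays behind in the dead stack frame. Wipe the buffer before each return that follows the copy, `memset(pw0array, 0, sizeof(pw0array));`, using a wipe routine the compiler cannot elide if the tree provides one. The length check is also off by one: a 1024-byte password passes `pw0.length > sizeof(pw0array)` and `strncpy` then fills the buffer with no terminator, so use `if (pw0.length >= sizeof(pw0array)) return EINVAL;`. In krb5int_populate_gic_opt the result of `krb5_timeofday` is ignored, so `starttime` can be read uninitialised when that call fails and `creds->times.starttime` is zero.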
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/init_keyblock.c 
@@ -0,0 +1,69 @@ +#pragma ident "%Z%%M% %I% %E% SMI" +/* + * lib/krb5/krb/init_keyblock.c + * + * Copyright (C) 2002 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ * + * + * + * krb5_init_keyblock- a function to set up + * an empty keyblock + */ + + +#include "k5-int.h" +#include <assert.h> + +krb5_error_code KRB5_CALLCONV krb5_init_keyblock + (krb5_context context, krb5_enctype enctype, + size_t length, krb5_keyblock **out) +{ + krb5_keyblock *kb; + kb = malloc (sizeof(krb5_keyblock)); + assert (out); + *out = NULL; + if (!kb) { + return ENOMEM; + } + kb->magic = KV5M_KEYBLOCK; + kb->enctype = enctype; + kb->length = length; + if(length) { + kb->contents = malloc (length); + if(!kb->contents) { + free (kb); + return ENOMEM; + } + } else { + kb->contents = NULL; + } + kb->dk_list = NULL; +#ifdef _KERNEL + kb->kef_key = NULL; +#else + kb->hKey = CK_INVALID_HANDLE; +#endif + + *out = kb; + return 0; +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/int-proto.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/int-proto.h index 4a21de1247..e0f1ba1a8a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/int-proto.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/int-proto.h @@ -30,10 +30,21 @@ #define KRB5_INT_FUNC_PROTO__ krb5_error_code krb5_tgtname - PROTOTYPE((krb5_context context, + (krb5_context context, const krb5_data *, const krb5_data *, - krb5_principal *)); + krb5_principal *); + +krb5_error_code krb5_libdefault_boolean + (krb5_context, const krb5_data *, const char *, + int *); + +krb5_error_code krb5_ser_authdata_init (krb5_context); +krb5_error_code krb5_ser_address_init (krb5_context); +krb5_error_code krb5_ser_authenticator_init (krb5_context); +krb5_error_code krb5_ser_checksum_init (krb5_context); +krb5_error_code krb5_ser_keyblock_init (krb5_context); +krb5_error_code krb5_ser_principal_init (krb5_context); #endif /* KRB5_INT_FUNC_PROTO__ */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/kdc_rep_dc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/kdc_rep_dc.c index 3ce3ea62fa..60104c0a65 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/kdc_rep_dc.c 
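Review bot: krb5_init_keyblock hands back `kb->contents` straight from `malloc`, so a caller that uses the keyblock before filling it works with whatever the heap previously held. `kb->contents = calloc(1, length);` gives the "empty keyblock" that the header comment describes. `assert (out)` is the only guard on the output pointer and it runs after the first allocation; in a build with NDEBUG the NULL is dereferenced on the next line. Either move the check to the top and return an error, or document that `out` must be non-NULL.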
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/kdc_rep_dc.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -44,11 +44,7 @@ /*ARGSUSED*/ krb5_error_code -krb5_kdc_rep_decrypt_proc(context, key, decryptarg, dec_rep) - krb5_context context; - const krb5_keyblock * key; - krb5_const_pointer decryptarg; - krb5_kdc_rep * dec_rep; +krb5_kdc_rep_decrypt_proc(krb5_context context, const krb5_keyblock *key, krb5_const_pointer decryptarg, krb5_kdc_rep *dec_rep) { krb5_error_code retval; krb5_data scratch; @@ -68,7 +64,7 @@ krb5_kdc_rep_decrypt_proc(context, key, decryptarg, dec_rep) return(ENOMEM); } - (void) (dec_rep->enc_part.enctype); + /*(void) (dec_rep->enc_part.enctype);*/ retval = krb5_c_decrypt(context, key, usage, 0, &dec_rep->enc_part, &scratch); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/krb5_libinit.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/krb5_libinit.c new file mode 100755 index 0000000000..183959dd3f --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/krb5_libinit.c 
@@ -0,0 +1,103 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + +#include <assert.h> + +#include "autoconf.h" +#include "com_err.h" +#include "krb5.h" +#if 0 /* SUNW14resync */ +#include "krb5_err.h" +#include "kv5m_err.h" +#include "asn1_err.h" +#include "kdb5_err.h" +#endif + +#if defined(_WIN32) || defined(USE_CCAPI) +#include "stdcc.h" +#endif + +#include "krb5_libinit.h" +#include "k5-platform.h" +#include "cc-int.h" +#include "kt-int.h" +#include "rc-int.h" +#include "os-proto.h" + +/* + * Initialize the Kerberos v5 library. + */ + +MAKE_INIT_FUNCTION(krb5int_lib_init); +MAKE_FINI_FUNCTION(krb5int_lib_fini); + +/* Possibly load-time initialization -- mutexes, etc. */ +int krb5int_lib_init(void) +{ + int err; + +#if !USE_BUNDLE_ERROR_STRINGS + add_error_table(&et_krb5_error_table); + add_error_table(&et_kv5m_error_table); + add_error_table(&et_kdb5_error_table); + add_error_table(&et_asn1_error_table); + add_error_table(&et_k524_error_table); +#endif + + err = krb5int_rc_finish_init(); + if (err) + return err; + err = krb5int_kt_initialize(); + if (err) + return err; + err = krb5int_cc_initialize(); + if (err) + return err; + err = k5_mutex_finish_init(&krb5int_us_time_mutex); + if (err) + return err; + return 0; +} + +/* Always-delayed initialization -- error table linkage, etc. 
*/ +krb5_error_code krb5int_initialize_library (void) +{ + return CALL_INIT_FUNCTION(krb5int_lib_init); +} + +/* + * Clean up the Kerberos v5 library state + */ + +void krb5int_lib_fini(void) +{ + if (!INITIALIZER_RAN(krb5int_lib_init) || PROGRAM_EXITING()) + return; + + krb5int_rc_terminate(); + krb5int_kt_finalize(); + krb5int_cc_finalize(); + +#if defined(_WIN32) || defined(USE_CCAPI) + krb5_stdcc_shutdown(); +#endif + +#if !USE_BUNDLE_ERROR_STRINGS + remove_error_table(&et_krb5_error_table); + remove_error_table(&et_kv5m_error_table); + remove_error_table(&et_kdb5_error_table); + remove_error_table(&et_asn1_error_table); + remove_error_table(&et_k524_error_table); +#endif +} + +/* Still exists because it went into the export list on Windows. But + since the above function should be invoked at unload time, we don't + actually want to do anything here. */ +void krb5int_cleanup_library (void) +{ +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_cred.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_cred.c index 48d787bcf6..ad63f299a6 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_cred.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -28,12 +28,8 @@ /* * encrypt the enc_part of krb5_cred */ -static krb5_error_code -encrypt_credencpart( - krb5_context context, - krb5_cred_enc_part * pcredpart, - krb5_keyblock * pkeyblock, - krb5_enc_data * pencdata) +static krb5_error_code +encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, krb5_keyblock *pkeyblock, krb5_enc_data *pencdata) { krb5_error_code retval; krb5_data * scratch; 
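Review bot: krb5int_lib_init completes `krb5int_us_time_mutex` with `k5_mutex_finish_init`, but krb5int_lib_fini never releases it; add `k5_mutex_destroy(&krb5int_us_time_mutex);` next to the other teardown calls. An early `return err` in the init function also leaves in place any subsystem that was initialised before the failure. As far as this hunk shows, the fini function is gated on `INITIALIZER_RAN` rather than on the initializer having succeeded. The `#if 0 /* SUNW14resync */` block removes the headers that would declare the `et_*_error_table` symbols used under `#if !USE_BUNDLE_ERROR_STRINGS`, so confirm that macro is always set for this build.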
@@ -74,15 +70,7 @@ encrypt_credencpart( /*----------------------- krb5_mk_ncred_basic -----------------------*/ static krb5_error_code -krb5_mk_ncred_basic( - krb5_context context, - krb5_creds ** ppcreds, - krb5_int32 nppcreds, - krb5_keyblock * keyblock, - krb5_replay_data * replaydata, - krb5_address * local_addr, - krb5_address * remote_addr, - krb5_cred * pcred) +krb5_mk_ncred_basic(krb5_context context, krb5_creds **ppcreds, krb5_int32 nppcreds, krb5_keyblock *keyblock, krb5_replay_data *replaydata, krb5_address *local_addr, krb5_address *remote_addr, krb5_cred *pcred) { krb5_cred_enc_part credenc; krb5_error_code retval; @@ -101,8 +89,8 @@ krb5_mk_ncred_basic( credenc.timestamp = replaydata->timestamp; /* Get memory for creds and initialize it */ - size = sizeof(krb5_cred_info *) * (nppcreds + 1); - credenc.ticket_info = (krb5_cred_info * *) malloc(size); + size = sizeof(krb5_cred_info *) * (nppcreds + 1); + credenc.ticket_info = (krb5_cred_info **) malloc(size); if (credenc.ticket_info == NULL) return ENOMEM; memset(credenc.ticket_info, 0, size); @@ -165,12 +153,7 @@ cleanup: * outputs an encoded KRB_CRED message suitable for krb5_rd_cred */ krb5_error_code KRB5_CALLCONV -krb5_mk_ncred( - krb5_context context, - krb5_auth_context auth_context, - krb5_creds ** ppcreds, - krb5_data ** ppdata, - krb5_replay_data * outdata) +krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds **ppcreds, krb5_data **ppdata, krb5_replay_data *outdata) { krb5_address * premote_fulladdr = NULL; krb5_address * plocal_fulladdr = NULL; 
@@ -200,11 +183,11 @@ krb5_mk_ncred( memset(pcred, 0, sizeof(krb5_cred)); if ((pcred->tickets - = (krb5_ticket * *)malloc(sizeof(krb5_ticket *) * (ncred + 1))) == NULL) { + = (krb5_ticket **)malloc(sizeof(krb5_ticket *) * (ncred + 1))) == NULL) { retval = ENOMEM; free(pcred); } - memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1)); + memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1)); /* Get keyblock */ if ((keyblock = auth_context->send_subkey) == NULL) @@ -312,12 +295,7 @@ error: * A convenience function that calls krb5_mk_ncred. */ krb5_error_code KRB5_CALLCONV -krb5_mk_1cred( - krb5_context context, - krb5_auth_context auth_context, - krb5_creds * pcreds, - krb5_data ** ppdata, - krb5_replay_data * outdata) +krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, krb5_creds *pcreds, krb5_data **ppdata, krb5_replay_data *outdata) { krb5_error_code retval; krb5_creds **ppcreds; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_error.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_error.c index fab65566ac..eb37e5defd 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_error.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_error.c @@ -39,11 +39,8 @@ returns system errors */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_mk_error(context, dec_err, enc_err) - krb5_context context; - const krb5_error FAR *dec_err; - krb5_data FAR *enc_err; +krb5_error_code KRB5_CALLCONV +krb5_mk_error(krb5_context context, const krb5_error *dec_err, krb5_data *enc_err) { krb5_error_code retval; krb5_data *new_enc_err; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_priv.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_priv.c index 0fbbd223cb..591e8c943f 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_priv.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_priv.c 
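Review bot: In krb5_mk_ncred the failure branch of the `pcred->tickets` allocation sets `retval = ENOMEM` and frees `pcred`, then falls through to `memset(pcred->tickets, ...)`, which reads freed memory and writes through a NULL pointer. This hunk only changes the cast and spacing on those lines, so the defect is carried over unchanged. Leave the function inside the branch, `free(pcred); return ENOMEM;`. The function body starts and ends outside the hunk, so check whether anything allocated earlier needs releasing on that path first.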
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -126,9 +126,9 @@ krb5_error_code KRB5_CALLCONV krb5_mk_priv( krb5_context context, krb5_auth_context auth_context, - const krb5_data FAR * userdata, - krb5_data FAR * outbuf, - krb5_replay_data FAR * outdata) + const krb5_data *userdata, + krb5_data *outbuf, + krb5_replay_data *outdata) { krb5_error_code retval; krb5_keyblock * keyblock; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_rep.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_rep.c index 74b202e936..9f85f73066 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_rep.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_rep.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -46,11 +46,8 @@ returns system errors */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_mk_rep(context, auth_context, outbuf) - krb5_context context; - krb5_auth_context auth_context; - krb5_data FAR * outbuf; +krb5_error_code KRB5_CALLCONV +krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *outbuf) { krb5_error_code retval; krb5_ap_rep_enc_part repl; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req.c index 3ed2613a15..50aa32e7e1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -56,17 +56,10 @@ returns system errors */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_mk_req(context, auth_context, ap_req_options, service, hostname, in_data, - ccache, outbuf) - krb5_context context; - krb5_auth_context FAR * auth_context; - const krb5_flags ap_req_options; - char FAR * service; - char FAR * hostname; - krb5_data FAR * in_data; - krb5_ccache ccache; - krb5_data FAR * outbuf; +krb5_error_code KRB5_CALLCONV +krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, + krb5_flags ap_req_options, char *service, char *hostname, + krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf) { krb5_error_code retval; krb5_principal server; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req_ext.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req_ext.c index 1d3b131077..f09ae4843c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req_ext.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_req_ext.c @@ -72,10 +72,10 @@ */ static krb5_error_code -krb5_generate_authenticator PROTOTYPE((krb5_context, +krb5_generate_authenticator (krb5_context, krb5_authenticator *, krb5_principal, - const krb5_checksum *, krb5_keyblock *, - krb5_int32, krb5_authdata ** )); + krb5_checksum *, krb5_keyblock *, + krb5_ui_4, krb5_authdata ** ); krb5_error_code krb5int_generate_and_save_subkey (krb5_context context, @@ -287,15 +287,15 @@ krb5_generate_authenticator( krb5_context context, krb5_authenticator *authent, krb5_principal client, - const krb5_checksum *cksum, + krb5_checksum *cksum, krb5_keyblock *key, - krb5_int32 seq_number, + krb5_ui_4 seq_number, krb5_authdata **authorization) { krb5_error_code retval; authent->client = client; - authent->checksum = (krb5_checksum *)cksum; + authent->checksum = cksum; if (key) { retval = krb5_copy_keyblock(context, key, &authent->subkey); if (retval) diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_safe.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_safe.c index 431c523159..22b179ca50 100644 
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_safe.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/mk_safe.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -142,9 +142,9 @@ krb5_error_code KRB5_CALLCONV krb5_mk_safe( krb5_context context, krb5_auth_context auth_context, - const krb5_data FAR * userdata, - krb5_data FAR * outbuf, - krb5_replay_data FAR * outdata) + const krb5_data *userdata, + krb5_data *outbuf, + krb5_replay_data *outdata) { krb5_error_code retval; krb5_keyblock * keyblock; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/pr_to_salt.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/pr_to_salt.c index eee6888c2b..b476817ff6 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/pr_to_salt.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/pr_to_salt.c @@ -30,18 +30,17 @@ #include <k5-int.h> +static krb5_error_code krb5_principal2salt_internal + (krb5_context, krb5_const_principal, krb5_data *ret, int); + /* * Convert a krb5_principal into the default salt for that principal. */ /*ARGSUSED*/ -krb5_error_code -krb5_principal2salt_internal(context, pr, ret, use_realm) - krb5_context context; - register krb5_const_principal pr; - krb5_data *ret; - int use_realm; +static krb5_error_code +krb5_principal2salt_internal(krb5_context context, register krb5_const_principal pr, krb5_data *ret, int use_realm) { - int size = 0, offset = 0; + unsigned int size = 0, offset = 0; krb5_int32 nelem; register int i; 
@@ -77,19 +76,13 @@ krb5_principal2salt_internal(context, pr, ret, use_realm) } krb5_error_code -krb5_principal2salt(context, pr, ret) - krb5_context context; - register krb5_const_principal pr; - krb5_data *ret; +krb5_principal2salt(krb5_context context, register krb5_const_principal pr, krb5_data *ret) { return krb5_principal2salt_internal(context, pr, ret, 1); } krb5_error_code -krb5_principal2salt_norealm(context, pr, ret) - krb5_context context; - register krb5_const_principal pr; - krb5_data *ret; +krb5_principal2salt_norealm(krb5_context context, register krb5_const_principal pr, krb5_data *ret) { return krb5_principal2salt_internal(context, pr, ret, 0); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/preauth2.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/preauth2.c index 8904cc074d..f1e2794d44 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/preauth2.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/preauth2.c @@ -1,12 +1,12 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" /* - * Copyright 1995 by the Massachusetts Institute of Technology. All + * Copyright 1995, 2003 by the Massachusetts Institute of Technology. All * Rights Reserved. * * Export of this software from the United States of America may 
@@ -118,19 +118,19 @@ krb5_error_code pa_enc_timestamp(krb5_context context, *etype, request->ktype[0]); } #endif - if (ret = ((*gak_fct)(context, request->client, + if ((ret = ((*gak_fct)(context, request->client, *etype ? *etype : request->ktype[0], prompter, prompter_data, - salt, s2kparams, as_key, gak_data))) + salt, s2kparams, as_key, gak_data)))) return(ret); } /* now get the time of day, and encrypt it accordingly */ - if (ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec)) + if ((ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec))) return(ret); - if (ret = encode_krb5_pa_enc_ts(&pa_enc, &tmp)) + if ((ret = encode_krb5_pa_enc_ts(&pa_enc, &tmp))) return(ret); #ifdef DEBUG @@ -266,7 +266,7 @@ krb5_error_code pa_sam(krb5_context context, tmpsam.length = in_padata->length; tmpsam.data = (char *) in_padata->contents; - if (ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge)) + if ((ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge))) return(ret); if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { @@ -312,14 +312,14 @@ krb5_error_code pa_sam(krb5_context context, response_data.length = sizeof(response); kprompt.prompt = prompt; - kprompt.hidden = sam_challenge->sam_challenge.length?0:1; + kprompt.hidden = 1; kprompt.reply = &response_data; prompt_type = KRB5_PROMPT_TYPE_PREAUTH; /* PROMPTER_INVOCATION */ krb5int_set_prompt_types(context, &prompt_type); - if (ret = ((*prompter)(context, prompter_data, name, - banner, 1, &kprompt))) { + if ((ret = ((*prompter)(context, prompter_data, name, + banner, 1, &kprompt)))) { krb5_xfree(sam_challenge); krb5int_set_prompt_types(context, 0); return(ret); 
@@ -328,9 +328,9 @@ krb5_error_code pa_sam(krb5_context context, enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce; if (sam_challenge->sam_nonce == 0) { - if (ret = krb5_us_timeofday(context, + if ((ret = krb5_us_timeofday(context, &enc_sam_response_enc.sam_timestamp, - &enc_sam_response_enc.sam_usec)) { + &enc_sam_response_enc.sam_usec))) { krb5_xfree(sam_challenge); return(ret); } @@ -354,8 +354,8 @@ krb5_error_code pa_sam(krb5_context context, /* generate a salt using the requested principal */ if ((salt->length == -1) && (salt->data == NULL)) { - if (ret = krb5_principal2salt(context, request->client, - &defsalt)) { + if ((ret = krb5_principal2salt(context, request->client, + &defsalt))) { krb5_xfree(sam_challenge); return(ret); } @@ -439,8 +439,8 @@ krb5_error_code pa_sam(krb5_context context, krb5_xfree(sam_challenge); /* encode the encoded part of the response */ - if (ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, - &scratch)) + if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, + &scratch))) return(ret); /* @@ -484,7 +484,7 @@ krb5_error_code pa_sam(krb5_context context, if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) return(ENOMEM); - if (ret = encode_krb5_sam_response(&sam_response, &scratch)) { + if ((ret = encode_krb5_sam_response(&sam_response, &scratch))) { free(pa); return(ret); } @@ -1011,11 +1011,11 @@ krb5_do_preauth(krb5_context context, (pa_types[j].flags & paorder[h])) { out_pa = NULL; - if (ret = ((*pa_types[j].fct)(context, request, + if ((ret = ((*pa_types[j].fct)(context, request, in_padata[i], &out_pa, salt, s2kparams, etype, as_key, prompter, prompter_data, - gak_fct, gak_data))) { + gak_fct, gak_data)))) { goto cleanup; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/princ_comp.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/princ_comp.c index 80dca2e878..9e07f64078 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/princ_comp.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/princ_comp.c 
@@ -32,11 +32,8 @@ #include <k5-int.h> /*ARGSUSED*/ -krb5_boolean -krb5_realm_compare(context, princ1, princ2) - krb5_context context; - krb5_const_principal princ1; - krb5_const_principal princ2; +krb5_boolean KRB5_CALLCONV +krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) { if (krb5_princ_realm(context, princ1)->length != krb5_princ_realm(context, princ2)->length || @@ -48,11 +45,8 @@ krb5_realm_compare(context, princ1, princ2) return TRUE; } -KRB5_DLLIMP krb5_boolean KRB5_CALLCONV -krb5_principal_compare(context, princ1, princ2) - krb5_context context; - krb5_const_principal princ1; - krb5_const_principal princ2; +krb5_boolean KRB5_CALLCONV +krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) { register int i; krb5_int32 nelem; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_error.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_error.c index 1af9a37a85..e3fe0e47a2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_error.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_error.c @@ -41,14 +41,10 @@ */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_rd_error(context, enc_errbuf, dec_error) - krb5_context context; - const krb5_data FAR *enc_errbuf; - krb5_error FAR * FAR *dec_error; +krb5_error_code KRB5_CALLCONV +krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf, krb5_error **dec_error) { if (!krb5_is_krb_error(enc_errbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; return(decode_krb5_error(enc_errbuf, dec_error)); } - diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_priv.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_priv.c index 454a3a0723..585ea34593 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_priv.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_priv.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -267,7 +267,8 @@ krb5_rd_priv( } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (auth_context->remote_seq_number != replaydata.seq) { + if (!krb5int_auth_con_chkseqnum(context, auth_context, + replaydata.seq)) { retval = KRB5KRB_AP_ERR_BADORDER; goto error; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req.c index 1111dc0611..425b75fba3 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req.c @@ -45,17 +45,8 @@ * * returns system errors, encryption errors, replay errors */ - -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_rd_req(context, auth_context, inbuf, server, keytab, - ap_req_options, ticket) - krb5_context context; - krb5_auth_context FAR * auth_context; - const krb5_data FAR * inbuf; - krb5_const_principal server; /* XXX do we really need this */ - krb5_keytab keytab; - krb5_flags FAR * ap_req_options; - krb5_ticket FAR *FAR * ticket; +krb5_error_code KRB5_CALLCONV +krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket) { krb5_error_code retval; krb5_ap_req * request; @@ -81,8 +72,13 @@ krb5_rd_req(context, auth_context, inbuf, server, keytab, *auth_context = new_auth_context; } + if (!server) { + server = request->ticket->server; + } /* Get an rcache if necessary. */ - if (((*auth_context)->rcache == NULL) && server) { + if (((*auth_context)->rcache == NULL) + && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) + && server) { if ((retval = krb5_get_server_rcache(context, krb5_princ_component(context,server,0), &(*auth_context)->rcache))) goto cleanup_auth_context; 
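Review bot: The new fallback `if (!server) { server = request->ticket->server; }` in krb5_rd_req (hunk `@@ -81,8 +72,13 @@` of rd_req.c) takes the principal from the received request, and nothing visible in the hunk has verified the ticket at that point. That value then names the replay cache through `krb5_princ_component(context,server,0)`, so the peer influences which cache name is built whenever the caller passes no server. The fallback should carry a comment saying so, for example `/* no server given: fall back to the name in the not-yet-verified ticket */`. The added `KRB5_AUTH_CONTEXT_DO_TIME` condition also means no replay cache is obtained here when that flag is clear, which belongs in the function's header comment. The rest of krb5_rd_req is outside the hunk, so whether any verification happens earlier cannot be confirmed from here.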
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req_dec.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req_dec.c index 9a3ee1ae1a..625cc8ce53 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req_dec.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_req_dec.c @@ -67,8 +67,8 @@ */ static krb5_error_code decrypt_authenticator - PROTOTYPE((krb5_context, const krb5_ap_req *, krb5_authenticator **, - int)); + (krb5_context, const krb5_ap_req *, krb5_authenticator **, + int); #define in_clock_skew(date) (labs((date)-currenttime) < context->clockskew) diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_safe.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_safe.c index c46f719d48..f07523a9f2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_safe.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/rd_safe.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -54,15 +54,7 @@ returns system errors, integrity errors */ static krb5_error_code -krb5_rd_safe_basic(context, inbuf, keyblock, recv_addr, sender_addr, - replaydata, outbuf) - krb5_context context; - const krb5_data * inbuf; - const krb5_keyblock * keyblock; - const krb5_address * recv_addr; - const krb5_address * sender_addr; - krb5_replay_data * replaydata; - krb5_data * outbuf; +krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf, const krb5_keyblock *keyblock, const krb5_address *recv_addr, const krb5_address *sender_addr, krb5_replay_data *replaydata, krb5_data *outbuf) { krb5_error_code retval; krb5_safe * message; 
@@ -196,13 +188,8 @@ cleanup: return retval; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_rd_safe(context, auth_context, inbuf, outbuf, outdata) - krb5_context context; - krb5_auth_context auth_context; - const krb5_data * inbuf; - krb5_data * outbuf; - krb5_replay_data * outdata; +krb5_error_code KRB5_CALLCONV +krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data *inbuf, krb5_data *outbuf, krb5_replay_data *outdata) { krb5_error_code retval; krb5_keyblock * keyblock; @@ -297,7 +284,8 @@ krb5_rd_safe(context, auth_context, inbuf, outbuf, outdata) } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - if (auth_context->remote_seq_number != replaydata.seq) { + if (!krb5int_auth_con_chkseqnum(context, auth_context, + replaydata.seq)) { retval = KRB5KRB_AP_ERR_BADORDER; goto error; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/recvauth.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/recvauth.c index c6ed8cc3ff..b09e4101de 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/recvauth.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/recvauth.c @@ -42,20 +42,20 @@ #include <stdio.h> #include <string.h> -static char *sendauth_version = "KRB5_SENDAUTH_V1.0"; +static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0"; -krb5_error_code +static krb5_error_code recvauth_common(krb5_context context, - krb5_auth_context FAR * auth_context, + krb5_auth_context * auth_context, /* IN */ krb5_pointer fd, - char FAR *appl_version, + char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, /* OUT */ - krb5_ticket FAR * FAR * ticket, - krb5_data FAR *version) + krb5_ticket ** ticket, + krb5_data *version) { krb5_auth_context new_auth_context; krb5_flags ap_option; 
@@ -250,36 +250,24 @@ cleanup:; return retval; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_recvauth(context, auth_context, - /* IN */ - fd, appl_version, server, flags, keytab, - /* OUT */ - ticket) - krb5_context context; - krb5_auth_context FAR * auth_context; - krb5_pointer fd; - char FAR * appl_version; - krb5_principal server; - krb5_int32 flags; - krb5_keytab keytab; - krb5_ticket FAR * FAR * ticket; +krb5_error_code KRB5_CALLCONV +krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket) { - return recvauth_common (context, auth_context, fd, appl_version, + return recvauth_common(context, auth_context, fd, appl_version, server, flags, keytab, ticket, 0); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_recvauth_version(krb5_context context, - krb5_auth_context FAR *auth_context, + krb5_auth_context *auth_context, /* IN */ krb5_pointer fd, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, /* OUT */ - krb5_ticket FAR * FAR *ticket, - krb5_data FAR *version) + krb5_ticket **ticket, + krb5_data *version) { return recvauth_common (context, auth_context, fd, 0, server, flags, keytab, ticket, version); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/send_tgs.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/send_tgs.c index 25cbd12d98..6fd00f6ae4 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/send_tgs.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/send_tgs.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -55,11 +55,7 @@ returns system errors */ static krb5_error_code -krb5_send_tgs_basic(context, in_data, in_cred, outbuf) - krb5_context context; - krb5_data * in_data; - krb5_creds * in_cred; - krb5_data * outbuf; +krb5_send_tgs_basic(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf) { krb5_error_code retval; krb5_checksum checksum; @@ -136,19 +132,12 @@ cleanup_scratch: } krb5_error_code -krb5_send_tgs(context, kdcoptions, timestruct, ktypes, sname, addrs, - authorization_data, padata, second_ticket, in_cred, rep) - krb5_context context; - const krb5_flags kdcoptions; - const krb5_ticket_times * timestruct; - const krb5_enctype * ktypes; - krb5_const_principal sname; - krb5_address * const * addrs; - krb5_authdata * const * authorization_data; - krb5_pa_data * const * padata; - const krb5_data * second_ticket; - krb5_creds * in_cred; - krb5_response * rep; +krb5_send_tgs(krb5_context context, krb5_flags kdcoptions, + const krb5_ticket_times *timestruct, const krb5_enctype *ktypes, + krb5_const_principal sname, krb5_address *const *addrs, + krb5_authdata *const *authorization_data, + krb5_pa_data *const *padata, const krb5_data *second_ticket, + krb5_creds *in_cred, krb5_response *rep) { krb5_error_code retval; krb5_kdc_req tgsreq; @@ -158,7 +147,7 @@ krb5_send_tgs(context, kdcoptions, timestruct, ktypes, sname, addrs, krb5_timestamp time_now; krb5_pa_data **combined_padata; krb5_pa_data ap_req_padata; - int tcp_only = 0; + int tcp_only = 0, use_master; /* * in_creds MUST be a valid credential NOT just a partially filled in @@ -207,7 +196,7 @@ krb5_send_tgs(context, kdcoptions, timestruct, ktypes, sname, addrs, if (ktypes) { /* Check passed ktypes and make sure they're valid. */ for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) { - if (!valid_enctype(ktypes[tgsreq.nktypes])) + if (!krb5_c_valid_enctype(ktypes[tgsreq.nktypes])) return KRB5_PROG_ETYPE_NOSUPP; } tgsreq.ktype = (krb5_enctype *)ktypes; 
@@ -281,9 +270,10 @@ krb5_send_tgs(context, kdcoptions, timestruct, ktypes, sname, addrs, /* now send request & get response from KDC */ send_again: + use_master = 0; retval = krb5_sendto_kdc(context, scratch, krb5_princ_realm(context, sname), - &rep->response, NULL, tcp_only); + &rep->response, &use_master, tcp_only); if (retval == 0) { if (krb5_is_krb_error(&rep->response)) { if (!tcp_only) { diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/sendauth.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/sendauth.c index e9c7d3a669..5498150ba3 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/sendauth.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/sendauth.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -43,35 +43,15 @@ #include <stdio.h> #include <string.h> -static char *sendauth_version = "KRB5_SENDAUTH_V1.0"; +static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0"; -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_sendauth(context, auth_context, - /* IN */ - fd, appl_version, client, server, ap_req_options, in_data, - in_creds, - /* IN/OUT */ - ccache, - /* OUT */ - error, rep_result, out_creds) - krb5_context context; - krb5_auth_context FAR * auth_context; - krb5_pointer fd; - char FAR * appl_version; - krb5_principal client; - krb5_principal server; - krb5_flags ap_req_options; - krb5_data FAR * in_data; - krb5_creds FAR * in_creds; - krb5_ccache ccache; - krb5_error FAR * FAR * error; - krb5_ap_rep_enc_part FAR * FAR * rep_result; - krb5_creds FAR * FAR * out_creds; +krb5_error_code KRB5_CALLCONV +krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal client, krb5_principal server, krb5_flags ap_req_options, krb5_data *in_data, krb5_creds *in_creds, krb5_ccache ccache, krb5_error **error, krb5_ap_rep_enc_part **rep_result, krb5_creds **out_creds) { krb5_octet result; krb5_creds creds; - krb5_creds FAR * credsp = NULL; - krb5_creds FAR * credspout = NULL; + krb5_creds * credsp = NULL; + krb5_creds * credspout = NULL; krb5_error_code retval = 0; krb5_data inbuf, outbuf; int len; @@ -87,7 +67,7 @@ krb5_sendauth(context, auth_context, * by the string itself. */ outbuf.length = strlen(sendauth_version) + 1; - outbuf.data = sendauth_version; + outbuf.data = (char *) sendauth_version; if ((retval = krb5_write_message(context, fd, &outbuf))) return(retval); outbuf.length = strlen(appl_version) + 1; 
@@ -98,9 +78,6 @@ krb5_sendauth(context, auth_context, * Now, read back a byte: 0 means no error, 1 means bad sendauth * version, 2 means bad application version */ -#ifndef ECONNABORTED -#define ECONNABORTED WSAECONNABORTED -#endif if ((len = krb5_net_read(context, *((int *) fd), (char *)&result, 1)) != 1) return((len < 0) ? errno : ECONNABORTED); if (result == 1) diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/srv_rcache.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/srv_rcache.c index 510dbb515f..18326aaaeb 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/srv_rcache.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/srv_rcache.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -38,25 +38,24 @@ #include <ctype.h> #include <stdio.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_server_rcache(context, piece, rcptr) - krb5_context context; - const krb5_data *piece; - krb5_rcache *rcptr; +#define isvalidrcname(x) ((!ispunct(x))&&isgraph(x)) +krb5_error_code KRB5_CALLCONV +krb5_get_server_rcache(krb5_context context, const krb5_data *piece, + krb5_rcache *rcptr) { krb5_rcache rcache = 0; - char *cachename = 0, *def_env = 0; + char *cachename = 0, *def_env = 0, *cachetype; char tmp[4]; krb5_error_code retval; - int len, p, i; + int p, i; + unsigned int len; #ifdef HAVE_GETEUID unsigned long tens; unsigned long uid = geteuid(); #endif - - rcache = (krb5_rcache) malloc(sizeof(*rcache)); - if (!rcache) + + if (piece == NULL) return ENOMEM; /* 
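Review bot: The new guard `if (piece == NULL) return ENOMEM;` in krb5_get_server_rcache (hunk `@@ -38,25 +38,24 @@` of srv_rcache.c) reports a missing principal component as memory exhaustion, which will mislead anyone reading the error in a log or trace. `return EINVAL;` would describe the condition, though callers that compare against ENOMEM are not visible here and should be checked first. The macro `isvalidrcname(x)` added just above it expands `x` twice, so it should carry a comment that its argument must have no side effects.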
@@ -67,17 +66,18 @@ krb5_get_server_rcache(context, piece, rcptr) if ((def_env = krb5_rc_default_name(context)) != 0) { cachename = strdup(def_env); if (!cachename) { - free(rcache); return (ENOMEM); } goto skip_create; } + + cachetype = krb5_rc_default_type(context); len = piece->length + 3 + 1; for (i = 0; i < piece->length; i++) { - if (piece->data[i] == '\\') + if (piece->data[i] == '-') len++; - else if (!isgraph(piece->data[i])) + else if (!isvalidrcname((int) piece->data[i])) len += 3; } @@ -86,23 +86,25 @@ krb5_get_server_rcache(context, piece, rcptr) for (tens = 1; (uid / tens) > 9 ; tens *= 10) len++; #endif - - cachename = malloc(len); + + cachename = malloc(strlen(cachetype) + 5 + len); if (!cachename) { retval = ENOMEM; goto cleanup; } - strcpy(cachename, "rc_"); - p = 3; + strcpy(cachename, cachetype); + + p = strlen(cachename); + cachename[p++] = ':'; for (i = 0; i < piece->length; i++) { - if (piece->data[i] == '\\') { - cachename[p++] = '\\'; - cachename[p++] = '\\'; + if (piece->data[i] == '-') { + cachename[p++] = '-'; + cachename[p++] = '-'; continue; } - if (!isgraph(piece->data[i])) { + if (!isvalidrcname((int) piece->data[i])) { sprintf(tmp, "%03o", piece->data[i]); - cachename[p++] = '\\'; + cachename[p++] = '-'; cachename[p++] = tmp[0]; cachename[p++] = tmp[1]; cachename[p++] = tmp[2]; 
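Review bot: The escape path in krb5_get_server_rcache (hunk `@@ -86,23 +86,25 @@`) formats `piece->data[i]` with `sprintf(tmp, "%03o", ...)` into `char tmp[4]`. Where plain `char` is signed, a byte of 0x80 or above promotes to a negative int, for which `%03o` prints more than three digits and writes past `tmp`. The length pass in the `@@ -67,17 +66,18 @@` hunk likewise reserves only three extra bytes per escaped character. Both uses should treat the byte as unsigned: `sprintf(tmp, "%03o", (unsigned char) piece->data[i]);` and `isvalidrcname((unsigned char) piece->data[i])`, the latter because `ispunct` and `isgraph` are undefined for negative arguments other than EOF. The same `(int)` cast feeds `isspace` in the krb5_string_to_timestamp hunk of str_conv.c.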
@@ -122,20 +124,19 @@ krb5_get_server_rcache(context, piece, rcptr) cachename[p++] = '\0'; skip_create: - if ((retval = krb5_rc_resolve(context, rcache, cachename)) != 0) + retval = krb5_rc_resolve_full(context, &rcache, cachename); + if (retval) goto cleanup; /* * First try to recover the replay cache; if that doesn't work, * initialize it. */ - if (krb5_rc_recover(context, rcache)) { - retval = krb5_rc_initialize(context, rcache, context->clockskew); - if (retval) { - (void) krb5_rc_close(context, rcache); - rcache = 0; - goto cleanup; - } + retval = krb5_rc_recover_or_initialize(context, rcache, context->clockskew); + if (retval) { + krb5_rc_close(context, rcache); + rcache = 0; + goto cleanup; } *rcptr = rcache; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/str_conv.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/str_conv.c index 32c214cf0a..e3cc858f49 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/str_conv.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/str_conv.c @@ -53,7 +53,8 @@ * krb5_deltat_to_string() - Convert krb5_deltat to string. */ -#include <k5-int.h> +#include "k5-int.h" +#include <ctype.h> /* Salt type conversions */ @@ -83,10 +84,8 @@ static const struct salttype_lookup_entry salttype_table[] = { static const int salttype_table_nents = sizeof(salttype_table)/ sizeof(salttype_table[0]); -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_string_to_salttype(string, salttypep) - char FAR * string; - krb5_int32 FAR * salttypep; +krb5_error_code KRB5_CALLCONV +krb5_string_to_salttype(char *string, krb5_int32 *salttypep) { int i; int found; 
@@ -108,11 +107,8 @@ krb5_string_to_salttype(string, salttypep) * These routines return 0 for success, EINVAL for invalid parameter, ENOMEM * if the supplied buffer/length will not contain the output. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_salttype_to_string(salttype, buffer, buflen) - krb5_int32 salttype; - char FAR * buffer; - size_t buflen; +krb5_error_code KRB5_CALLCONV +krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen) { int i; const char *out; @@ -143,29 +139,36 @@ krb5_salttype_to_string(salttype, buffer, buflen) static size_t strftime (char *, size_t, const char *, const struct tm *); #endif -#ifndef HAVE_STRPTIME +#ifdef HAVE_STRPTIME +#ifdef NEED_STRPTIME_PROTO +extern char *strptime (const char *, const char *, + struct tm *) +#ifdef __cplusplus + throw() +#endif + ; +#endif +#else /* HAVE_STRPTIME */ #undef strptime #define strptime my_strptime static char *strptime (const char *, const char *, struct tm *); #endif -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_string_to_timestamp(string, timestampp) - char FAR * string; - krb5_timestamp FAR * timestampp; +krb5_error_code KRB5_CALLCONV +krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp) { - int i,found; - struct tm timebuf, nowbuf; - time_t now; + int i; + struct tm timebuf; + time_t now, ret_time; char *s; static const char * const atime_format_table[] = { - "%Y" "%m%d%H" "%M" "%S",/* yyyymmddhhmmss */ + "%Y%m%d%H%M%S", /* yyyymmddhhmmss */ "%Y.%m.%d.%H.%M.%S", /* yyyy.mm.dd.hh.mm.ss */ - "%y%m%d%H" "%M" "%S", /* yymmddhhmmss */ + "%y%m%d%H%M%S", /* yymmddhhmmss */ "%y.%m.%d.%H.%M.%S", /* yy.mm.dd.hh.mm.ss */ - "%y%m%d%H" "%M", /* yymmddhhmm */ - "%H" "%M" "%S", /* hhmmss */ - "%H" "%M", /* hhmm */ + "%y%m%d%H%M", /* yymmddhhmm */ + "%H%M%S", /* hhmmss */ + "%H%M", /* hhmm */ "%T", /* hh:mm:ss */ "%R", /* hh:mm */ /* The following not really supported unless native strptime present */ 
@@ -176,61 +179,64 @@ krb5_string_to_timestamp(string, timestampp) static const int atime_format_table_nents = sizeof(atime_format_table)/sizeof(atime_format_table[0]); - found = 0; + + now = time((time_t *) NULL); for (i=0; i<atime_format_table_nents; i++) { - s = strptime(string, atime_format_table[i], &timebuf); - /* make sure the entire string was parsed */ - if (s && (*s == '\0')) { - /* If only time and no date was provided, assume today */ - if ((timebuf.tm_mday == 0) && (timebuf.tm_mon == 0) && - (timebuf.tm_year == 0)) { - now = time((time_t *) NULL); - (void) memcpy(&nowbuf, localtime(&now), sizeof(timebuf)); - timebuf.tm_mday = nowbuf.tm_mday; - timebuf.tm_mon = nowbuf.tm_mon; - timebuf.tm_year = nowbuf.tm_year; - } - found = 1; - break; - } - } - if (found) { - if ((*timestampp = (krb5_timestamp) mktime(&timebuf)) != -1) { - if (timebuf.tm_isdst == 1) { - *timestampp -= (timezone - altzone); - } - return (0); + /* We reset every time throughout the loop as the manual page + * indicated that no guarantees are made as to preserving timebuf + * when parsing fails + */ +#ifdef HAVE_LOCALTIME_R + (void) localtime_r(&now, &timebuf); +#else + memcpy(&timebuf, localtime(&now), sizeof(timebuf)); +#endif + if ((s = strptime(string, atime_format_table[i], &timebuf)) + && (s != string)) { + /* See if at end of buffer - otherwise partial processing */ + while(*s != 0 && isspace((int) *s)) s++; + if (*s != 0) + continue; + if (timebuf.tm_year <= 0) + continue; /* clearly confused */ + ret_time = mktime(&timebuf); + if (ret_time == (time_t) -1) + continue; /* clearly confused */ + *timestampp = (krb5_timestamp) ret_time; + return 0; } } - return(EINVAL); + return(EINVAL); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_timestamp_to_string(timestamp, buffer, buflen) - krb5_timestamp timestamp; - char FAR * buffer; - size_t buflen; +krb5_error_code KRB5_CALLCONV +krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen) { int ret; time_t 
timestamp2 = timestamp; - - ret = strftime(buffer, buflen, "%c", localtime(×tamp2)); + struct tm tmbuf; + const char *fmt = "%c"; /* This is to get around gcc -Wall warning that + the year returned might be two digits */ + +#ifdef HAVE_LOCALTIME_R + (void) localtime_r(×tamp2, &tmbuf); +#else + memcpy(&tmbuf, localtime(×tamp2), sizeof(tmbuf)); +#endif + ret = strftime(buffer, buflen, fmt, &tmbuf); if (ret == 0 || ret == buflen) return(ENOMEM); return(0); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_timestamp_to_sfstring(timestamp, buffer, buflen, pad) - krb5_timestamp timestamp; - char FAR * buffer; - size_t buflen; - char FAR * pad; +krb5_error_code KRB5_CALLCONV +krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen, char *pad) { struct tm *tmp; size_t i; size_t ndone; time_t timestamp2 = timestamp; + struct tm tmbuf; static const char * const sftime_format_table[] = { "%c", /* Default locale-dependent date and time */ @@ -241,7 +247,11 @@ krb5_timestamp_to_sfstring(timestamp, buffer, buflen, pad) static const int sftime_format_table_nents = sizeof(sftime_format_table)/sizeof(sftime_format_table[0]); - tmp = localtime(×tamp2); +#ifdef HAVE_LOCALTIME_R + tmp = localtime_r(×tamp2, &tmbuf); +#else + memcpy((tmp = &tmbuf), localtime(×tamp2), sizeof(tmbuf)); +#endif ndone = 0; for (i=0; i<sftime_format_table_nents; i++) { if ((ndone = strftime(buffer, buflen, sftime_format_table[i], tmp))) @@ -263,17 +273,14 @@ krb5_timestamp_to_sfstring(timestamp, buffer, buflen, pad) } return((ndone) ? 0 : ENOMEM); } - + #ifdef SUNW_INC_DEAD_CODE /* relative time (delta-t) conversions */ /* string->deltat is in deltat.y */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_deltat_to_string(deltat, buffer, buflen) - krb5_deltat deltat; - char FAR * buffer; - size_t buflen; +krb5_error_code KRB5_CALLCONV +krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen) { int days, hours, minutes, seconds; krb5_deltat dt; 
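Review bot: In krb5_string_to_timestamp (the `-176,61` hunk) the new trailing-whitespace loop calls `isspace((int) *s)` on a plain `char`. Where `char` is signed, a byte above 0x7f becomes a negative int, which is outside the range the ctype functions accept and is undefined behaviour. The string is caller-supplied, so the cast should go through unsigned char: `while (*s != 0 && isspace((unsigned char) *s)) s++;`. The an_to_ln.c hunk for rule_an_to_ln adds the same pattern as `isdigit((int) *current)`; assuming `current` is a plain char pointer, that would become `isdigit((unsigned char) *current)`.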
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/tgtname.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/tgtname.c index 7371d96c95..2df606adb6 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/tgtname.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/tgtname.c @@ -26,14 +26,12 @@ */ #include "k5-int.h" +#include "int-proto.h" /* This is an internal-only function, used by krb5_get_cred_from_kdc() */ krb5_error_code -krb5_tgtname(context, server, client, tgtprinc) - krb5_context context; - const krb5_data *server, *client; - krb5_principal *tgtprinc; +krb5_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc) { return krb5_build_principal_ext(context, tgtprinc, client->length, client->data, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vfy_increds.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vfy_increds.c index 98e120731b..0e111f4db1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vfy_increds.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vfy_increds.c @@ -5,15 +5,12 @@ */ #include <k5-int.h> +#include "int-proto.h" extern krb5_error_code krb5_libdefault_boolean(); static krb5_error_code -krb5_cc_copy_creds_except(context, incc, outcc, princ) - krb5_context context; - krb5_ccache incc; - krb5_ccache outcc; - krb5_principal princ; +krb5_cc_copy_creds_except(krb5_context context, krb5_ccache incc, krb5_ccache outcc, krb5_principal princ) { krb5_error_code code; krb5_flags flags; @@ -60,7 +57,7 @@ cleanup: return(code); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal server_arg, 
@@ -89,8 +86,8 @@ krb5_verify_init_creds(krb5_context context, if (server_arg) { server = server_arg; } else { - if (ret = krb5_sname_to_principal(context, NULL, NULL, - KRB5_NT_SRV_HST, &server)) { + if ((ret = krb5_sname_to_principal(context, NULL, NULL, + KRB5_NT_SRV_HST, &server))) { goto cleanup; } else { /* @@ -128,7 +125,7 @@ krb5_verify_init_creds(krb5_context context, if (keytab_arg) { keytab = keytab_arg; } else { - if (ret = krb5_kt_default(context, &keytab)) + if ((ret = krb5_kt_default(context, &keytab))) goto cleanup; } @@ -149,8 +146,8 @@ krb5_verify_init_creds(krb5_context context, if (krb5_principal_compare(context, server, creds->server)) { /* make an ap_req */ - if (ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds, - &ap_req)) + if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds, + &ap_req))) goto cleanup; } else { /* this is unclean, but it's the easiest way without ripping the @@ -162,7 +159,7 @@ krb5_verify_init_creds(krb5_context context, /* insert the initial cred into the ccache */ - if (ret = krb5_cc_resolve(context, "MEMORY:rd_req", &ccache)) + if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req", &ccache))) goto cleanup; if ((ret = krb5_cc_initialize(context, ccache, creds->client)) != NULL) @@ -175,17 +172,17 @@ krb5_verify_init_creds(krb5_context context, memset(&in_creds, 0, sizeof(in_creds)); in_creds.client = creds->client; in_creds.server = server; - if (ret = krb5_timeofday(context, &in_creds.times.endtime)) + if ((ret = krb5_timeofday(context, &in_creds.times.endtime))) goto cleanup; in_creds.times.endtime += 5*60; - if (ret = krb5_get_credentials(context, 0, ccache, &in_creds, - &out_creds)) + if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds, + &out_creds))) goto cleanup; /* make an ap_req */ - if (ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds, - &ap_req)) + if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds, + &ap_req))) goto cleanup; } 
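Review bot: The cache that receives the initial credential in the `-162,7` hunk is resolved under the fixed name `"MEMORY:rd_req"`, so two verifications running in the same process would presumably share one in-memory cache and could overwrite or read each other's credentials. Whether that can happen depends on how the MEMORY type keys its caches and on the cleanup path, neither of which is visible here; a per-call unique cache name would remove the question. In the same hunk the unchanged test `krb5_cc_initialize(context, ccache, creds->client)) != NULL` compares a krb5_error_code with a pointer constant, and `!= 0` would match the parenthesised tests this commit adds around it. krb5_verify_init_creds starts and ends outside the hunk.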
@@ -197,8 +194,8 @@ krb5_verify_init_creds(krb5_context context, /* verify the ap_req */ - if (ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, - NULL, NULL)) + if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab, + NULL, NULL))) goto cleanup; /* if we get this far, then the verification succeeded. We can diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vic_opt.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vic_opt.c index b0211f4ab8..6ce6f4812a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vic_opt.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/vic_opt.c @@ -1,17 +1,14 @@ #pragma ident "%Z%%M% %I% %E% SMI" #include <k5-int.h> -KRB5_DLLIMP void KRB5_CALLCONV -krb5_verify_init_creds_opt_init(opt) - krb5_verify_init_creds_opt *opt; +void KRB5_CALLCONV +krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt) { opt->flags = 0; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_verify_init_creds_opt_set_ap_req_nofail(opt, ap_req_nofail) - krb5_verify_init_creds_opt *opt; - int ap_req_nofail; +void KRB5_CALLCONV +krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *opt, int ap_req_nofail) { opt->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; opt->ap_req_nofail = ap_req_nofail; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c index 4ae1693874..51aeb7d0db 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/an_to_ln.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -48,6 +48,7 @@ #if HAVE_REGEX_H #include <regex.h> #endif /* HAVE_REGEX_H */ +#include <string.h> /* * Use compile(3) if no regcomp present. */ 
@@ -68,9 +69,9 @@ #define KDBM_CLOSE(db) dbm_close(db) #define KDBM_FETCH(db, key) dbm_fetch(db, key) #else /*ANAME_DB*/ -extern DBM *db_dbm_open KRB5_PROTOTYPE((char *, int, int)); -extern void db_dbm_close KRB5_PROTOTYPE((DBM *)); -extern datum db_dbm_fetch KRB5_PROTOTYPE((DBM *, datum)); +extern DBM *db_dbm_open (char *, int, int); +extern void db_dbm_close (DBM *); +extern datum db_dbm_fetch (DBM *, datum); #define KDBM_OPEN(db, fl, mo) db_dbm_open(db, fl, mo) #define KDBM_CLOSE(db) db_dbm_close(db) #define KDBM_FETCH(db, key) db_dbm_fetch(db, key) @@ -114,10 +115,10 @@ db_an_to_ln(context, dbname, aname, lnsize, lname) krb5_context context; char *dbname; krb5_const_principal aname; - const int lnsize; + const unsigned int lnsize; char *lname; { -#if (!defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh)) +#if !defined(_WIN32) DBM *db; krb5_error_code retval; datum key, contents; @@ -153,13 +154,13 @@ db_an_to_ln(context, dbname, aname, lnsize, lname) /* can't close until we copy the contents. */ (void) KDBM_CLOSE(db); return retval; -#else /* !_MSDOS && !_WIN32 && !MACINTOSH */ +#else /* !_WIN32 && !MACINTOSH */ /* * If we don't have support for a database mechanism, then we can't * translate this now, can we? */ return KRB5_LNAME_NOTRANS; -#endif /* !_MSDOS && !_WIN32 && !MACINTOSH */ +#endif /* !_WIN32 && !MACINTOSH */ } #endif /*ANAME_DB*/ @@ -562,17 +563,17 @@ rule_an_to_ln(krb5_context context, char *rule, < MAX_FORMAT_BUFFER)) { selstring_used += datap->length; } else { - kret = KRB5_LNAME_NOTRANS; + kret = ENOMEM; goto errout; } strncpy(cout, datap->data, - datap->length); + (unsigned) datap->length); cout += datap->length; *cout = '\0'; current++; /* Point past number */ - while (isdigit(*current)) + while (isdigit((int) *current)) current++; } else 
@@ -695,7 +696,7 @@ default_an_to_ln(krb5_context context, krb5_const_principal aname, { krb5_error_code retval; char *def_realm; - int realm_length; + unsigned int realm_length; realm_length = krb5_princ_realm(context, aname)->length; @@ -756,7 +757,7 @@ default_an_to_ln(krb5_context context, krb5_const_principal aname, krb5_error_code krb5_aname_to_localname(krb5_context context, - krb5_const_principal aname, const int lnsize, char *lname) + krb5_const_principal aname, const int lnsize_in, char *lname) { krb5_error_code kret; char *realm; @@ -767,10 +768,13 @@ krb5_aname_to_localname(krb5_context context, int i, nvalid; char *cp, *s; char *typep, *argp; + unsigned int lnsize; - if (lnsize < 0) + if (lnsize_in < 0) return KRB5_CONFIG_NOTENUFSPACE; + lnsize = lnsize_in; /* Unsigned */ + /* * First get the default realm. */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ccdefname.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ccdefname.c index 511afc5d43..39022bc7c9 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ccdefname.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ccdefname.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,6 +34,11 @@ * Return default cred. cache name. */ +/* + * SUNW14resync - because of changes specific to Solaris, future + * resyncs should leave this file "as is" if possible. + */ + #include <k5-int.h> #include <stdio.h> @@ -42,7 +47,9 @@ */ #include <dirent.h> -static krb5_error_code get_from_os(char *name_buf, int name_size) +static krb5_error_code get_from_os( + char *name_buf, + int name_size) { krb5_error_code retval; 
@@ -55,10 +62,10 @@ static krb5_error_code get_from_os(char *name_buf, int name_size) } /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_cc_set_default_name(context, name) - krb5_context context; - const char *name; +krb5_error_code KRB5_CALLCONV +krb5_cc_set_default_name( + krb5_context context, + const char *name) { char name_buf[MAXNAMLEN]; char *new_name = getenv(KRB5_ENV_CCNAME); @@ -103,14 +110,6 @@ krb5_cc_set_default_name(context, name) return ENOMEM; strcpy(new_name, name); - if (!os_ctx->default_ccname - || (strcmp(os_ctx->default_ccname, new_name) != 0)) { - /* the ccache changed... forget the old principal */ - if (os_ctx->default_ccprincipal) - krb5_free_principal (context, os_ctx->default_ccprincipal); - os_ctx->default_ccprincipal = 0; /* we don't care until we use it */ - } - if (os_ctx->default_ccname) free(os_ctx->default_ccname); @@ -119,9 +118,8 @@ krb5_cc_set_default_name(context, name) } -KRB5_DLLIMP const char FAR * KRB5_CALLCONV -krb5_cc_default_name(context) - krb5_context context; +const char * KRB5_CALLCONV +krb5_cc_default_name(krb5_context context) { krb5_os_context os_ctx; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c new file mode 100644 index 0000000000..28f31d8ec5 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c 
@@ -0,0 +1,324 @@ +#pragma ident "%Z%%M% %I% %E% SMI" +/* + * lib/krb5/os/dnsglue.c + * + * Copyright 2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + */ +#ifdef KRB5_DNS_LOOKUP + +#include "dnsglue.h" + +/* + * Opaque handle + */ +struct krb5int_dns_state { + int nclass; + int ntype; + void *ansp; + int anslen; + int ansmax; +#if HAVE_NS_INITPARSE + int cur_ans; + ns_msg msg; +#else + unsigned char *ptr; + unsigned short nanswers; +#endif +}; + +#if !HAVE_NS_INITPARSE +static int initparse(struct krb5int_dns_state *); +#endif + +/* + * krb5int_dns_init() + * + * Initialize an opaue handl. Do name lookup and initial parsing of + * reply, skipping question section. Prepare to iterate over answer + * section. Returns -1 on error, 0 on success. 
+ */ +int +krb5int_dns_init(struct krb5int_dns_state **dsp, + char *host, int nclass, int ntype) +{ +#if HAVE_RES_NSEARCH + struct __res_state statbuf; +#endif + struct krb5int_dns_state *ds; + int len, ret; + size_t nextincr, maxincr; + unsigned char *p; + + *dsp = ds = malloc(sizeof(*ds)); + if (ds == NULL) + return -1; + + ret = -1; + ds->nclass = nclass; + ds->ntype = ntype; + ds->ansp = NULL; + ds->anslen = 0; + ds->ansmax = 0; + nextincr = 2048; + maxincr = INT_MAX; + +#if HAVE_NS_INITPARSE + ds->cur_ans = 0; +#endif + +#if HAVE_RES_NSEARCH + ret = res_ninit(&statbuf); + if (ret < 0) + return -1; +#endif + + do { + p = (ds->ansp == NULL) + ? malloc(nextincr) : realloc(ds->ansp, nextincr); + + if (p == NULL && ds->ansp != NULL) { + ret = -1; + goto errout; + } + ds->ansp = p; + ds->ansmax = nextincr; + +#if HAVE_RES_NSEARCH + len = res_nsearch(&statbuf, host, ds->nclass, ds->ntype, + ds->ansp, ds->ansmax); +#else + len = res_search(host, ds->nclass, ds->ntype, + ds->ansp, ds->ansmax); +#endif + if (len > maxincr) { + ret = -1; + goto errout; + } + while (nextincr < len) + nextincr *= 2; + if (len < 0 || nextincr > maxincr) { + ret = -1; + goto errout; + } + } while (len > ds->ansmax); + + ds->anslen = len; +#if HAVE_NS_INITPARSE + ret = ns_initparse(ds->ansp, ds->anslen, &ds->msg); +#else + ret = initparse(ds); +#endif + if (ret < 0) + goto errout; + + ret = 0; + +errout: +#if HAVE_RES_NSEARCH +#if HAVE_RES_NDESTROY + res_ndestroy(&statbuf); +#else + res_nclose(&statbuf); +#endif +#endif + if (ret < 0) { + if (ds->ansp != NULL) { + free(ds->ansp); + ds->ansp = NULL; + } + } + + return ret; +} + +#if HAVE_NS_INITPARSE +/* + * krb5int_dns_nextans - get next matching answer record + * + * Sets pp to NULL if no more records. Returns -1 on error, 0 on + * success. 
+ */ +int +krb5int_dns_nextans(struct krb5int_dns_state *ds, + const unsigned char **pp, int *lenp) +{ + int len; + ns_rr rr; + + *pp = NULL; + *lenp = 0; + while (ds->cur_ans < ns_msg_count(ds->msg, ns_s_an)) { + len = ns_parserr(&ds->msg, ns_s_an, ds->cur_ans, &rr); + if (len < 0) + return -1; + ds->cur_ans++; + if (ds->nclass == ns_rr_class(rr) + && ds->ntype == ns_rr_type(rr)) { + *pp = ns_rr_rdata(rr); + *lenp = ns_rr_rdlen(rr); + return 0; + } + } + return 0; +} +#endif + +/* + * krb5int_dns_expand - wrapper for dn_expand() + */ +int krb5int_dns_expand(struct krb5int_dns_state *ds, + const unsigned char *p, + char *buf, int len) +{ + +#if HAVE_NS_NAME_UNCOMPRESS + return ns_name_uncompress(ds->ansp, + (unsigned char *)ds->ansp + ds->anslen, + p, buf, (size_t)len); +#else + return dn_expand(ds->ansp, + (unsigned char *)ds->ansp + ds->anslen, + p, buf, len); +#endif +} + +/* + * Free stuff. + */ +void +krb5int_dns_fini(struct krb5int_dns_state *ds) +{ + if (ds == NULL) + return; + if (ds->ansp != NULL) + free(ds->ansp); + free(ds); +} + +/* + * Compat routines for BIND 4 + */ +#if !HAVE_NS_INITPARSE + +/* + * initparse + * + * Skip header and question section of reply. Set a pointer to the + * beginning of the answer section, and prepare to iterate over + * answer records. + */ +static int +initparse(struct krb5int_dns_state *ds) +{ + HEADER *hdr; + unsigned char *p; + unsigned short nqueries, nanswers; + int len; +#if !HAVE_DN_SKIPNAME + char host[MAXDNAME]; +#endif + + if (ds->anslen < sizeof(HEADER)) + return -1; + + hdr = (HEADER *)ds->ansp; + p = ds->ansp; + nqueries = ntohs((unsigned short)hdr->qdcount); + nanswers = ntohs((unsigned short)hdr->ancount); + p += sizeof(HEADER); + + /* + * Skip query records. 
+ */ + while (nqueries--) { +#if HAVE_DN_SKIPNAME + len = dn_skipname(p, (unsigned char *)ds->ansp + ds->anslen); +#else + len = dn_expand(ds->ansp, (unsigned char *)ds->ansp + ds->anslen, + p, host, sizeof(host)); +#endif + if (len < 0 || !INCR_OK(ds->ansp, ds->anslen, p, len + 4)) + return -1; + p += len + 4; + } + ds->ptr = p; + ds->nanswers = nanswers; + return 0; +} + +/* + * krb5int_dns_nextans() - get next answer record + * + * Sets pp to NULL if no more records. + */ +int +krb5int_dns_nextans(struct krb5int_dns_state *ds, + const unsigned char **pp, int *lenp) +{ + int len; + unsigned char *p; + unsigned short ntype, nclass, rdlen; +#if !HAVE_DN_SKIPNAME + char host[MAXDNAME]; +#endif + + *pp = NULL; + *lenp = 0; + p = ds->ptr; + + while (ds->nanswers--) { +#if HAVE_DN_SKIPNAME + len = dn_skipname(p, (unsigned char *)ds->ansp + ds->anslen); +#else + len = dn_expand(ds->ansp, (unsigned char *)ds->ansp + ds->anslen, + p, host, sizeof(host)); +#endif + if (len < 0 || !INCR_OK(ds->ansp, ds->anslen, p, len)) + return -1; + p += len; + SAFE_GETUINT16(ds->ansp, ds->anslen, p, 2, ntype, out); + /* Also skip 4 bytes of TTL */ + SAFE_GETUINT16(ds->ansp, ds->anslen, p, 6, nclass, out); + SAFE_GETUINT16(ds->ansp, ds->anslen, p, 2, rdlen, out); + + if (!INCR_OK(ds->ansp, ds->anslen, p, rdlen)) + return -1; + if (rdlen > INT_MAX) + return -1; + if (nclass == ds->nclass && ntype == ds->ntype) { + *pp = p; + *lenp = rdlen; + ds->ptr = p + rdlen; + return 0; + } + p += rdlen; + } + return 0; +out: + return -1; +} + +#endif + +#endif /* KRB5_DNS_LOOKUP */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.h new file mode 100644 index 0000000000..a0927c3593 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.h 
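Review bot: In krb5int_dns_init the allocation check `if (p == NULL && ds->ansp != NULL)` misses a failure of the first `malloc(nextincr)`. In that case ds->ansp is still NULL, so the branch is skipped, `ds->ansp = p` stores NULL with ansmax set to 2048, and the NULL buffer is passed to res_nsearch()/res_search() as the answer buffer. Testing `if (p == NULL) {` alone covers both cases, since after a failed realloc ds->ansp still holds the old buffer and errout frees it. Separately, the `return -1` after a failed res_ninit() leaves ds allocated in `*dsp`, so the header comment should say that the caller must call krb5int_dns_fini() even when init fails.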
@@ -0,0 +1,149 @@ +#pragma ident "%Z%%M% %I% %E% SMI" +/* + * lib/krb5/os/dnsglue.h + * + * Copyright 2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * Glue layer for DNS resolver, to make parsing of replies easier + * whether we are using BIND 4, 8, or 9. + */ + +/* + * BIND 4 doesn't have the ns_initparse() API, so we need to do some + * manual parsing via the HEADER struct. BIND 8 does have + * ns_initparse(), but has enums for the various protocol constants + * rather than the BIND 4 macros. BIND 9 (at least on Mac OS X + * Panther) appears to disable res_nsearch() if BIND_8_COMPAT is + * defined (which is necessary to obtain the HEADER struct). + * + * We use ns_initparse() if available at all, and never define + * BIND_8_COMPAT. If there is no ns_initparse(), we do manual parsing + * by using the HEADER struct. 
+ */ + +#ifndef KRB5_DNSGLUE_H +#define KRB5_DNSGLUE_H + +#ifdef KRB5_DNS_LOOKUP + +#define NEED_SOCKETS +#include "k5-int.h" +#include "os-proto.h" +#ifdef WSHELPER +#include <wshelper.h> +#else /* WSHELPER */ +#include <netinet/in.h> +#include <arpa/inet.h> +#include <arpa/nameser.h> +#include <resolv.h> +#include <netdb.h> +#endif /* WSHELPER */ + +#if HAVE_SYS_PARAM_H +#include <sys/param.h> /* for MAXHOSTNAMELEN */ +#endif + +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 64 /* if we can't find it elswhere */ +#endif + +#ifndef MAXDNAME + +#ifdef NS_MAXDNAME +#define MAXDNAME NS_MAXDNAME +#else +#ifdef MAXLABEL +#define MAXDNAME (16 * MAXLABEL) +#else +#define MAXDNAME (16 * MAXHOSTNAMELEN) +#endif +#endif + +#endif + +#if HAVE_RES_NSEARCH +/* + * Some BIND 8 / BIND 9 implementations disable the BIND 4 style + * constants. + */ +#ifndef C_IN +#define C_IN ns_c_in +#endif +#ifndef T_SRV +#define T_SRV ns_t_srv +#endif +#ifndef T_TXT +#define T_TXT ns_t_txt +#endif + +#else /* !HAVE_RES_NSEARCH */ + +/* + * Some BIND implementations might be old enough to lack these. + */ +#ifndef T_TXT +#define T_TXT 15 +#endif +#ifndef T_SRV +#define T_SRV 33 +#endif + +#endif /* HAVE_RES_NSEARCH */ + +/* + * INCR_OK + * + * Given moving pointer PTR offset from BASE, return true if adding + * INCR to PTR doesn't move it PTR than MAX bytes from BASE. + */ +#define INCR_OK(base, max, ptr, incr) \ + ((incr) <= (max) - ((const unsigned char *)(ptr) \ + - (const unsigned char *)(base))) + +/* + * SAFE_GETUINT16 + * + * Given PTR offset from BASE, if at least INCR bytes are safe to + * read, get network byte order uint16 into S, and increment PTR. On + * failure, goto LABEL. 
+ */ + +#define SAFE_GETUINT16(base, max, ptr, incr, s, label) \ + do { \ + if (!INCR_OK(base, max, ptr, incr)) goto label; \ + (s) = (unsigned short)(p)[0] << 8 \ + | (unsigned short)(p)[1]; \ + (p) += (incr); \ + } while (0) + +struct krb5int_dns_state; + +int krb5int_dns_init(struct krb5int_dns_state **, char *, int, int); +int krb5int_dns_nextans(struct krb5int_dns_state *, + const unsigned char **, int *); +int krb5int_dns_expand(struct krb5int_dns_state *, + const unsigned char *, char *, int); +void krb5int_dns_fini(struct krb5int_dns_state *); + +#endif /* KRB5_DNS_LOOKUP */ +#endif /* !defined(KRB5_DNSGLUE_H) */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnssrv.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnssrv.c new file mode 100644 index 0000000000..d865522fc4 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnssrv.c 
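Review bot: SAFE_GETUINT16 ignores its `ptr` parameter in the body: it reads `(p)[0]` and `(p)[1]` and advances `(p)`, while only the INCR_OK bounds check uses the argument. The macro therefore works only when the caller's cursor happens to be named `p`; with any other name the check would apply to one pointer and the read to another, or the code would not compile. The body should use the parameter: `(s) = (unsigned short)(ptr)[0] << 8 | (unsigned short)(ptr)[1];` followed by `(ptr) += (incr);`. The comment could also state that `incr` must be at least 2, because the macro always reads two bytes but only checks that `incr` bytes are available.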
@@ -0,0 +1,185 @@ +#pragma ident "%Z%%M% %I% %E% SMI" +/* + * lib/krb5/os/dnssrv.c + * + * Copyright 1990,2000,2001,2002,2003 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * do DNS SRV RR queries + */ + +#ifdef KRB5_DNS_LOOKUP + +#include "dnsglue.h" + +/* + * Lookup a KDC via DNS SRV records + */ + +void krb5int_free_srv_dns_data (struct srv_dns_entry *p) +{ + struct srv_dns_entry *next; + while (p) { + next = p->next; + free(p->host); + free(p); + p = next; + } +} + +/* Do DNS SRV query, return results in *answers. + + Make best effort to return all the data we can. On memory or + decoding errors, just return what we've got. Always return 0, + currently. 
*/ + +krb5_error_code +krb5int_make_srv_query_realm(const krb5_data *realm, + const char *service, + const char *protocol, + struct srv_dns_entry **answers) +{ + const unsigned char *p = NULL, *base = NULL; + char host[MAXDNAME], *h; + int size, ret, rdlen, nlen; + unsigned short priority, weight, port; + struct krb5int_dns_state *ds = NULL; + + struct srv_dns_entry *head = NULL; + struct srv_dns_entry *srv = NULL, *entry = NULL; + + /* + * First off, build a query of the form: + * + * service.protocol.realm + * + * which will most likely be something like: + * + * _kerberos._udp.REALM + * + */ + + if (memchr(realm->data, 0, realm->length)) + return 0; + if ( strlen(service) + strlen(protocol) + realm->length + 6 + > MAXDNAME ) + return 0; + sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length, + realm->data); + + /* Realm names don't (normally) end with ".", but if the query + doesn't end with "." and doesn't get an answer as is, the + resolv code will try appending the local domain. Since the + realm names are absolutes, let's stop that. + + But only if a name has been specified. If we are performing + a search on the prefix alone then the intention is to allow + the local domain or domain search lists to be expanded. */ + + h = host + strlen (host); + if ((h[-1] != '.') && ((h - host + 1) < sizeof(host))) + strcpy (h, "."); + +#ifdef TEST + fprintf (stderr, "sending DNS SRV query for %s\n", host); +#endif + + size = krb5int_dns_init(&ds, host, C_IN, T_SRV); + if (size < 0) + goto out; + + for (;;) { + ret = krb5int_dns_nextans(ds, &base, &rdlen); + if (ret < 0 || base == NULL) + goto out; + + p = base; + + SAFE_GETUINT16(base, rdlen, p, 2, priority, out); + SAFE_GETUINT16(base, rdlen, p, 2, weight, out); + SAFE_GETUINT16(base, rdlen, p, 2, port, out); + + /* + * RFC 2782 says the target is never compressed in the reply; + * do we believe that? We need to flatten it anyway, though. 
+ */ + nlen = krb5int_dns_expand(ds, p, host, sizeof(host)); + if (nlen < 0 || !INCR_OK(base, rdlen, p, nlen)) + goto out; + + /* + * We got everything! Insert it into our list, but make sure + * it's in the right order. Right now we don't do anything + * with the weight field + */ + + srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry)); + if (srv == NULL) + goto out; + + srv->priority = priority; + srv->weight = weight; + srv->port = port; + /* The returned names are fully qualified. Don't let the + local resolver code do domain search path stuff. */ + if (strlen(host) + 2 < sizeof(host)) + strcat(host, "."); + srv->host = strdup(host); + if (srv->host == NULL) { + free(srv); + goto out; + } + + if (head == NULL || head->priority > srv->priority) { + srv->next = head; + head = srv; + } else { + /* + * This is confusing. Only insert an entry into this + * spot if: + * The next person has a higher priority (lower priorities + * are preferred). + * Or + * There is no next entry (we're at the end) + */ + for (entry = head; entry != NULL; entry = entry->next) { + if ((entry->next && + entry->next->priority > srv->priority) || + entry->next == NULL) { + srv->next = entry->next; + entry->next = srv; + break; + } + } + } + } + +out: + if (ds != NULL) { + krb5int_dns_fini(ds); + ds = NULL; + } + *answers = head; + return 0; +} +#endif diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_hstrl.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_hstrl.c index eddb0b552d..159f371a50 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_hstrl.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_hstrl.c 
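Review bot: krb5int_make_srv_query_realm returns 0 from its two early exits, the embedded-NUL check on realm->data and the MAXDNAME length check, without storing anything in `*answers`. Only the `out:` path assigns `*answers = head`. Because the function always reports success, a caller that did not pre-initialise its pointer would go on to walk or free an indeterminate list. Adding `*answers = NULL;` before the first check makes every return path well defined and matches the "always return 0" contract in the header comment.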
@@ -35,10 +35,8 @@ Frees the storage taken by a realm list returned by krb5_get_local_realm. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_free_host_realm(context, realmlist) - krb5_context context; - char FAR * const FAR *realmlist; +krb5_error_code KRB5_CALLCONV +krb5_free_host_realm(krb5_context context, char *const *realmlist) { /* same format, so why duplicate code? */ return krb5_free_krbhst(context, realmlist); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_krbhs.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_krbhs.c index 75c3147fd2..e84875666c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_krbhs.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/free_krbhs.c @@ -30,11 +30,9 @@ /* Frees the storage taken by a host list returned by krb5_get_krbhst. */ -/*ARGSUSED*/ + krb5_error_code -krb5_free_krbhst(context, hostlist) - krb5_context context; - char * const *hostlist; +krb5_free_krbhst(krb5_context context, char *const *hostlist) { register char * const *cp; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/full_ipadr.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/full_ipadr.c index dcecd71c38..73ea02f0ab 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/full_ipadr.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/full_ipadr.c @@ -35,13 +35,9 @@ #include "os-proto.h" -/*ARGSUSED*/ krb5_error_code -krb5_make_full_ipaddr(context, adr, port, outaddr) - krb5_context context; - krb5_int32 adr; - krb5_int16 port; - krb5_address ** outaddr; +krb5_make_full_ipaddr(krb5_context context, krb5_int32 adr, + /*krb5_int16*/int port, krb5_address **outaddr) { unsigned long smushaddr = (unsigned long) adr; /* already in net order */ unsigned short smushport = (unsigned short) port; /* ditto */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_port.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_port.c index b401a4d6af..649759581d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_port.c 
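Review bot: The new signature of `krb5_make_full_ipaddr` in full_ipadr.c writes the parameter as `/*krb5_int16*/int port` without saying why it was widened, and the context line `unsigned short smushport = (unsigned short) port;` then silently drops the upper bits of whatever `int` a caller passes. A short comment above the definition would make the contract explicit, for example `/* port: 16-bit port, already in network byte order; only the low 16 bits are used */`. The body of the function continues outside this hunk.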
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_port.c @@ -32,11 +32,7 @@ #include "os-proto.h" krb5_error_code -krb5_gen_portaddr(context, addr, ptr, outaddr) - krb5_context context; - const krb5_address *addr; - krb5_const_pointer ptr; - krb5_address **outaddr; +krb5_gen_portaddr(krb5_context context, const krb5_address *addr, krb5_const_pointer ptr, krb5_address **outaddr) { #ifdef HAVE_NETINET_IN_H krb5_int32 adr; @@ -44,7 +40,7 @@ krb5_gen_portaddr(context, addr, ptr, outaddr) if (addr->addrtype != ADDRTYPE_INET) return KRB5_PROG_ATYPE_NOSUPP; - port = *(krb5_int16 *)ptr; + port = *(const krb5_int16 *)ptr; memcpy((char *)&adr, (char *)addr->contents, sizeof(adr)); return krb5_make_full_ipaddr(context, adr, port, outaddr); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_rname.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_rname.c index 76fad69128..df4d692e9f 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_rname.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gen_rname.c @@ -30,13 +30,8 @@ #include "k5-int.h" #include "os-proto.h" -/*ARGSUSED*/ krb5_error_code -krb5_gen_replay_name(context, address, uniq, string) - krb5_context context; - const krb5_address * address; - const char * uniq; - char ** string; +krb5_gen_replay_name(krb5_context context, const krb5_address *address, const char *uniq, char **string) { char * tmp; int i; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/get_krbhst.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/get_krbhst.c index 4300e40e70..e39583fdc8 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/get_krbhst.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/get_krbhst.c @@ -59,10 +59,7 @@ */ krb5_error_code -krb5_get_krbhst(context, realm, hostlist) - krb5_context context; - const krb5_data *realm; - char ***hostlist; +krb5_get_krbhst(krb5_context context, const krb5_data *realm, char ***hostlist) { char **values, **cpp, *cp; const char *realm_kdc_names[4]; 
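Review bot: In the `@@ -44,7 +40,7 @@` hunk of gen_port.c, `memcpy((char *)&adr, (char *)addr->contents, sizeof(adr));` copies `sizeof(adr)` bytes after checking only `addr->addrtype`, so an address tagged ADDRTYPE_INET whose `contents` buffer is shorter would be read past its end. A length guard before the copy closes that, for example `if (addr->length != sizeof(adr)) return KRB5_PROG_ATYPE_NOSUPP;` (or whichever error code the project prefers for a malformed address). The line this commit touches, `port = *(const krb5_int16 *)ptr;`, also dereferences `ptr` with no null check, which deserves at least a comment stating that callers must pass a valid pointer to a 16-bit port. `krb5_gen_portaddr` starts in the previous hunk and continues past the end of this one.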
@@ -110,7 +107,7 @@ krb5_get_krbhst(context, realm, hostlist) goto cleanup; } for (i = 0; i < count; i++) { - int len = strlen (values[i]) + 1; + unsigned int len = strlen (values[i]) + 1; rethosts[i] = malloc(len); if (!rethosts[i]) { retval = ENOMEM; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gmt_mktime.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gmt_mktime.c index a8d8f3f0c8..b55e0946c9 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gmt_mktime.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/gmt_mktime.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -43,14 +43,22 @@ static const int days_in_month[12] = { #define hasleapday(year) (year%400?(year%100?(year%4?0:1):0):1) -time_t gmt_mktime(t) - struct tm* t; +time_t gmt_mktime(struct tm *t) { time_t accum; #define assert_time(cnd) if(!(cnd)) return (time_t) -1 - assert_time(t->tm_year>=70); + /* + * For 32-bit signed time_t centered on 1/1/1970, the range is: + * time 0x80000000 -> Fri Dec 13 16:45:52 1901 + * time 0x7fffffff -> Mon Jan 18 22:14:07 2038 + * + * So years 1901 and 2038 are allowable, but we can't encode all + * dates in those years, and we're not doing overflow/underflow + * checking for such cases. + */ + assert_time(t->tm_year>=1); assert_time(t->tm_year<=138); assert_time(t->tm_mon>=0); assert_time(t->tm_mon<=11); @@ -70,7 +78,10 @@ time_t gmt_mktime(t) accum *= 365; /* 365 days/normal year */ /* add in leap day for all previous years */ - accum += (t->tm_year - 69) / 4; + if (t->tm_year >= 70) + accum += (t->tm_year - 69) / 4; + else + accum -= (72 - t->tm_year) / 4; /* add in leap day for this year */ if(t->tm_mon >= 2) /* march or later */ if(hasleapday((t->tm_year + 1900))) accum += 1; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/hst_realm.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/hst_realm.c index 4a62d7dd08..57e84f37e5 100644 
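Review bot: `unsigned int len = strlen (values[i]) + 1;` in get_krbhst.c still narrows the `size_t` returned by strlen before it reaches `malloc(len)`. Declaring it `size_t len = strlen (values[i]) + 1;` matches both functions and removes the narrowing on LP64 builds. The copy into `rethosts[i]` is outside this hunk, so whether a truncated `len` could ever undersize the buffer cannot be confirmed from here; it would take a profile value longer than 4 GiB.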
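Review bot: Relaxing the lower bound to `assert_time(t->tm_year>=1);` in gmt_mktime.c makes the return value ambiguous, because `assert_time` reports bad input as `(time_t) -1` and -1 is now also the correct result for 23:59:59 on 31 December 1969. Any caller that treats -1 as failure will reject that timestamp, and the function comment should say so. The added comment also concedes that parts of 1901 and 2038 do not fit a 32-bit `time_t` and that nothing checks for it; arithmetic on `accum` past that range is signed overflow, not a defined wrap. Limiting the accepted years to the fully representable ones, `assert_time(t->tm_year>=2);` and `assert_time(t->tm_year<=137);`, would avoid that without a wider intermediate type. The rest of `gmt_mktime`, including the final conversion to seconds, is outside these hunks.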
--- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/hst_realm.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/hst_realm.c @@ -94,14 +94,10 @@ #include <fake-addrinfo.h> -/* for old Unixes and friends ... */ -#ifndef MAXHOSTNAMELEN -#define MAXHOSTNAMELEN 64 -#endif +#ifdef KRB5_DNS_LOOKUP -#define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1) +#include "dnsglue.h" -#ifdef KRB5_DNS_LOOKUP /* * Try to look up a TXT record pointing to a Kerberos realm */ @@ -109,14 +105,11 @@ krb5_error_code krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm) { - union { - unsigned char bytes[2048]; - HEADER hdr; - } answer; - unsigned char *p; - char host[MAX_DNS_NAMELEN], *h; - int size; - int type, rrclass, numanswers, numqueries, rdlen, len; + krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN; + const unsigned char *p, *base; + char host[MAXDNAME], *h; + int ret, rdlen, len; + struct krb5int_dns_state *ds = NULL; /* * Form our query, and send it via DNS @@ -127,7 +120,7 @@ krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm) return KRB5_ERR_HOST_REALM_UNKNOWN; strcpy(host,prefix); } else { - if ( strlen(prefix) + strlen(name) + 3 > MAX_DNS_NAMELEN ) + if ( strlen(prefix) + strlen(name) + 3 > MAXDNAME ) return KRB5_ERR_HOST_REALM_UNKNOWN; /*LINTED*/ sprintf(host,"%s.%s", prefix, name); 
@@ -146,94 +139,45 @@ krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm) if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host))) strcpy (h, "."); } - size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes)); - - if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes))) - return KRB5_ERR_HOST_REALM_UNKNOWN; - - p = answer.bytes; - - numqueries = ntohs(answer.hdr.qdcount); - numanswers = ntohs(answer.hdr.ancount); - - p += sizeof(HEADER); - - /* - * We need to skip over the questions before we can get to the answers, - * which means we have to iterate over every query record. We use - * dn_expand to tell us how long each compressed name is. - */ - -#define INCR_CHECK(x, y) x += y; if (x > size + answer.bytes) \ - return KRB5_ERR_HOST_REALM_UNKNOWN -#define CHECK(x, y) if (x + y > size + answer.bytes) \ - return KRB5_ERR_HOST_REALM_UNKNOWN -#define NTOHSP(x, y) x[0] << 8 | x[1]; x += y - - while (numqueries--) { - len = dn_expand(answer.bytes, answer.bytes + size, p, host, - sizeof(host)); - if (len < 0) - return KRB5_ERR_HOST_REALM_UNKNOWN; - INCR_CHECK(p, len + 4); /* Name plus type plus class */ + ret = krb5int_dns_init(&ds, host, C_IN, T_TXT); + if (ret < 0) + goto errout; + + ret = krb5int_dns_nextans(ds, &base, &rdlen); + if (ret < 0 || base == NULL) + goto errout; + + p = base; + if (!INCR_OK(base, rdlen, p, 1)) + goto errout; + + len = *p++; + *realm = malloc((size_t)len + 1); + if (*realm == NULL) { + retval = ENOMEM; + goto errout; } - - /* - * We're now pointing at the answer records. Process the first - * TXT record we find. 
- */ - - while (numanswers--) { - - /* First the name; use dn_expand to get the compressed size */ - len = dn_expand(answer.bytes, answer.bytes + size, p, - host, sizeof(host)); - if (len < 0) - return KRB5_ERR_HOST_REALM_UNKNOWN; - INCR_CHECK(p, len); - - /* Next is the query type */ - CHECK(p, 2); - type = NTOHSP(p,2); - - /* Next is the query class; also skip over 4 byte TTL */ - CHECK(p,6); - rrclass = NTOHSP(p,6); - - /* Record data length - make sure we aren't truncated */ - - CHECK(p,2); - rdlen = NTOHSP(p,2); - - if (p + rdlen > answer.bytes + size) - return KRB5_ERR_HOST_REALM_UNKNOWN; - - /* - * If this is a TXT record, return the string. Note that the - * string has a 1-byte length in the front - */ - /* XXX What about flagging multiple TXT records as an error? */ - - if (rrclass == C_IN && type == T_TXT) { - len = *p++; - if (p + len > answer.bytes + size) - return KRB5_ERR_HOST_REALM_UNKNOWN; - *realm = malloc(len + 1); - if (*realm == NULL) - return ENOMEM; - strncpy(*realm, (char *) p, len); - (*realm)[len] = '\0'; - /* Avoid a common error. */ - if ( (*realm)[len-1] == '.' ) - (*realm)[len-1] = '\0'; - return 0; - } + strncpy(*realm, (const char *)p, (size_t)len); + (*realm)[len] = '\0'; + /* Avoid a common error. */ + if ( (*realm)[len-1] == '.' ) + (*realm)[len-1] = '\0'; + retval = 0; + +errout: + if (ds != NULL) { + krb5int_dns_fini(ds); + ds = NULL; } - - return KRB5_ERR_HOST_REALM_UNKNOWN; + return retval; } +#else /* KRB5_DNS_LOOKUP */ +#ifndef MAXDNAME +#define MAXDNAME (16 * MAXHOSTNAMELEN) +#endif /* MAXDNAME */ #endif /* KRB5_DNS_LOOKUP */ + krb5_error_code krb5int_translate_gai_error (int); static krb5_error_code @@ -276,7 +220,7 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp) char *default_realm, *realm, *cp, *temp_realm; krb5_error_code retval; int l; - char local_host[MAX_DNS_NAMELEN+1]; + char local_host[MAXDNAME+1]; if (host) { /* Filter out numeric addresses if the caller utterly failed to 
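Review bot: The rewritten TXT parsing in `krb5_try_realm_txt_rr` (hunk `@@ -146,94 +139,45 @@`) copies `len` bytes from the DNS answer without checking that they lie inside the record: `INCR_OK(base, rdlen, p, 1)` covers only the length byte, whereas the removed code had `if (p + len > answer.bytes + size)` before the copy. A TXT string whose length byte exceeds the remaining rdata therefore makes `strncpy(*realm, (const char *)p, (size_t)len)` read past the record; adding `if (!INCR_OK(base, rdlen, p, len)) goto errout;` immediately after `len = *p++;` restores the bound. A zero-length string is also mishandled, because `(*realm)[len-1]` then addresses the byte before the one-byte allocation; `if (len > 0 && (*realm)[len-1] == '.')` avoids that. The function begins in the earlier hunks of this file, and the definition of `INCR_OK` is not visible here, so its exact semantics are assumed from its use elsewhere in the diff.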
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/krbfileio.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/krbfileio.c index d8a1e4f64a..bad3ee0671 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/krbfileio.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/krbfileio.c @@ -1,6 +1,6 @@ /* - * Copyright (c) 1998 by Sun Microsystems, Inc. - * All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -14,11 +14,8 @@ #define O_BINARY 0 #endif -/*ARGSUSED*/ krb5_error_code -krb5_create_secure_file(context, pathname) - krb5_context context; - const char * pathname; +krb5_create_secure_file(krb5_context context, const char *pathname) { int fd; @@ -42,11 +39,8 @@ krb5_create_secure_file(context, pathname) } } -/*ARGSUSED*/ krb5_error_code -krb5_sync_disk_file(context, fp) - krb5_context context; - FILE *fp; +krb5_sync_disk_file(krb5_context context, FILE *fp) { if (fp == NULL) { (void) fclose(fp); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ktdefname.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ktdefname.c index f67f01a4d2..bd0628fb18 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ktdefname.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ktdefname.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -43,11 +43,8 @@ extern char *krb5_defkeyname; /* this is a an exceedinly gross thing. */ char *krb5_overridekeyname = NULL; -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_kt_default_name(context, name, namesize) - krb5_context context; - char FAR *name; - int namesize; +krb5_error_code KRB5_CALLCONV +krb5_kt_default_name(krb5_context context, char *name, int namesize) { char *cp = 0; char *retval; 
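Review bot: In `krb5_sync_disk_file` (krbfileio.c, hunk `@@ -42,11 +39,8 @@`) the context lines `if (fp == NULL) { (void) fclose(fp);` pass a null stream to fclose, which is undefined behaviour. The commit only converts the signature and leaves this branch as it was. The call should be dropped so that the NULL case just returns an error, for example `if (fp == NULL) return EINVAL;`. What the branch currently returns is outside the hunk, so the exact error code is left to the maintainers.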
@@ -71,7 +68,7 @@ krb5_kt_default_name(context, name, namesize) strncpy(name, retval, namesize); profile_release_string(retval); } else { -#if defined (_MSDOS) || defined(_WIN32) +#if defined(_WIN32) { char defname[160]; int len; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c index b4e22b2f95..f1abe171ff 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/kuserok.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -32,6 +32,7 @@ */ #include "k5-int.h" +/* #if !defined(_WIN32) Not yet for Windows */ #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -52,10 +53,9 @@ gsscred_name_to_unix_cred_ext(); extern int safechown(const char *src, uid_t uid, gid_t gid, int mode); -extern char * -error_message(krb5_error_code retval); +extern const char *error_message(long); -#define MAX_USERNAME 10 +#define MAX_USERNAME 65 #define CACHE_FILENAME_LEN 35 krb5_data tgtname = { @@ -242,11 +242,8 @@ krb5_gsscred(krb5_principal principal, uid_t *uid) * */ -krb5_boolean -krb5_kuserok(context, principal, luser) - krb5_context context; - krb5_principal principal; - const char *luser; +krb5_boolean KRB5_CALLCONV +krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser) { struct stat sbuf; struct passwd *pwd; 
@@ -261,9 +258,23 @@ krb5_kuserok(context, principal, luser) int gobble; /* no account => no access */ - if ((pwd = getpwnam(luser)) == NULL) { +#ifdef HAVE_GETPWNAM_R + char pwbuf[BUFSIZ]; + struct passwd pwx; +#if !defined(GETPWNAM_R_4_ARGS) + /* POSIX */ + if (getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) + pwd = NULL; +#else + /* draft POSIX */ + pwd = getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf)); +#endif +#else + pwd = getpwnam(luser); +#endif + if (pwd == NULL) return(FALSE); - } + (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); pbuf[sizeof(pbuf) - 1] = '\0'; (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf)); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/localaddr.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/localaddr.c index 198c579d78..189b9bb897 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/localaddr.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/localaddr.c @@ -1,14 +1,9 @@ -/* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * lib/krb5/os/localaddr.c * - * Copyright 1990,1991,2000,2001,2002 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2000,2001,2002,2004 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -32,12 +27,18 @@ * * * Return the protocol addresses supported by this host. + * Exports from this file: + * krb5int_foreach_localaddr (does callbacks) + * krb5int_local_addresses (includes krb5.conf extra_addresses) + * krb5_os_localaddr (doesn't) * * XNS support is untested, but "Should just work". (Hah!) */ #define NEED_SOCKETS -#include <k5-int.h> +#include "k5-int.h" + +#if !defined(_WIN32) /* needed for solaris, harmless elsewhere... */ #define BSD_COMP 
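Review bot: The path assembled right after the new account lookup in `krb5_kuserok` can be truncated without notice. `strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1)` followed by `strncat(pbuf, "/.k5login", ...)` drops whatever does not fit, so with a long `pw_dir` the file examined later is not the user's `.k5login`. Since this function decides whether a principal may act as `luser`, rejecting is safer than continuing with a clipped path: `if (strlen(pwd->pw_dir) + sizeof("/.k5login") > sizeof(pbuf)) return(FALSE);` before the copy. In the added block, a non-zero return from `getpwnam_r` (for instance when `pwbuf[BUFSIZ]` is too small) is folded into "no account"; that fails closed, but a one-line comment saying it is deliberate would help, as would labelling the nested `#endif` lines. The declaration of `pbuf` and the rest of the function are outside this hunk.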
@@ -47,9 +48,1056 @@ #include <stddef.h> #include <ctype.h> +#if defined(TEST) || defined(DEBUG) +# include "fake-addrinfo.h" +#endif + +#include "foreachaddr.h" + +/* Note: foreach_localaddr is exported from the library through + krb5int_accessor, for the KDC to use. + + This function iterates over all the addresses it can find for the + local system, in one or two passes. In each pass, and between the + two, it can invoke callback functions supplied by the caller. The + two passes should operate on the same information, though not + necessarily in the same order each time. Duplicate and local + addresses should be eliminated. Storage passed to callback + functions should not be assumed to be valid after foreach_localaddr + returns. + + The int return value is an errno value (XXX or krb5_error_code + returned for a socket error) if something internal to + foreach_localaddr fails. If one of the callback functions wants to + indicate an error, it should store something via the 'data' handle. + If any callback function returns a non-zero value, + foreach_localaddr will clean up and return immediately. + + Multiple definitions are provided below, dependent on various + system facilities for extracting the necessary information. */ + +/* Now, on to the implementations, and heaps of debugging code. */ + +#ifdef TEST +# define Tprintf(X) printf X +# define Tperror(X) perror(X) +#else +# define Tprintf(X) (void) X +# define Tperror(X) (void)(X) +#endif + +/* + * The SIOCGIF* ioctls require a socket. + * It doesn't matter *what* kind of socket they use, but it has to be + * a socket. + * + * Of course, you can't just ask the kernel for a socket of arbitrary + * type; you have to ask for one with a valid type. 
+ * + */ +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#ifndef USE_AF +#define USE_AF AF_INET +#define USE_TYPE SOCK_DGRAM +#define USE_PROTO 0 +#endif +#endif + +#ifdef KRB5_USE_NS +#include <netns/ns.h> +#ifndef USE_AF +#define USE_AF AF_NS +#define USE_TYPE SOCK_DGRAM +#define USE_PROTO 0 /* guess */ +#endif +#endif +/* + * Add more address families here. + */ + + +#if defined(__linux__) && defined(KRB5_USE_INET6) && !defined(HAVE_IFADDRS_H) +#define LINUX_IPV6_HACK +#endif + +#include <errno.h> + +/* + * Return all the protocol addresses of this host. + * + * We could kludge up something to return all addresses, assuming that + * they're valid kerberos protocol addresses, but we wouldn't know the + * real size of the sockaddr or know which part of it was actually the + * host part. + * + * This uses the SIOCGIFCONF, SIOCGIFFLAGS, and SIOCGIFADDR ioctl's. + */ + +/* + * BSD 4.4 defines the size of an ifreq to be + * max(sizeof(ifreq), sizeof(ifreq.ifr_name)+ifreq.ifr_addr.sa_len + * However, under earlier systems, sa_len isn't present, so the size is + * just sizeof(struct ifreq). + */ +#ifdef HAVE_SA_LEN +#ifndef max +#define max(a,b) ((a) > (b) ? 
(a) : (b)) +#endif +#define ifreq_size(i) max(sizeof(struct ifreq),\ + sizeof((i).ifr_name)+(i).ifr_addr.sa_len) +#else +#define ifreq_size(i) sizeof(struct ifreq) +#endif /* HAVE_SA_LEN*/ + +#if defined(DEBUG) || defined(TEST) +#include <netinet/in.h> +#include <net/if.h> + +#include "socket-utils.h" +#include "fake-addrinfo.h" + +void printaddr (struct sockaddr *); + +void printaddr (struct sockaddr *sa) + /*@modifies fileSystem@*/ +{ + char buf[NI_MAXHOST]; + int err; + + printf ("%p ", (void *) sa); + err = getnameinfo (sa, socklen (sa), buf, sizeof (buf), 0, 0, + NI_NUMERICHOST); + if (err) + printf ("<getnameinfo error %d: %s> family=%d", + err, gai_strerror (err), + sa->sa_family); + else + printf ("%s", buf); +} +#endif + +#ifdef HAVE_IFADDRS_H +#include <ifaddrs.h> + +#ifdef DEBUG +void printifaddr (struct ifaddrs *ifp) +{ + printf ("%p={\n", ifp); +/* printf ("\tnext=%p\n", ifp->ifa_next); */ + printf ("\tname=%s\n", ifp->ifa_name); + printf ("\tflags="); + { + int ch, flags = ifp->ifa_flags; + printf ("%x", flags); + ch = '<'; +#define X(F) if (flags & IFF_##F) { printf ("%c%s", ch, #F); flags &= ~IFF_##F; ch = ','; } + X (UP); X (BROADCAST); X (DEBUG); X (LOOPBACK); X (POINTOPOINT); + X (NOTRAILERS); X (RUNNING); X (NOARP); X (PROMISC); X (ALLMULTI); +#ifdef IFF_OACTIVE + X (OACTIVE); +#endif +#ifdef IFF_SIMPLE + X (SIMPLEX); +#endif + X (MULTICAST); + printf (">"); +#undef X + } + if (ifp->ifa_addr) + printf ("\n\taddr="), printaddr (ifp->ifa_addr); + if (ifp->ifa_netmask) + printf ("\n\tnetmask="), printaddr (ifp->ifa_netmask); + if (ifp->ifa_broadaddr) + printf ("\n\tbroadaddr="), printaddr (ifp->ifa_broadaddr); + if (ifp->ifa_dstaddr) + printf ("\n\tdstaddr="), printaddr (ifp->ifa_dstaddr); + if (ifp->ifa_data) + printf ("\n\tdata=%p", ifp->ifa_data); + printf ("\n}\n"); +} +#endif /* DEBUG */ + +#include <string.h> +#include <stdlib.h> + +static int +addr_eq (const struct sockaddr *s1, const struct sockaddr *s2) +{ + if (s1->sa_family != 
s2->sa_family) + return 0; +#ifdef HAVE_SA_LEN + if (s1->sa_len != s2->sa_len) + return 0; + return !memcmp (s1, s2, s1->sa_len); +#else +#define CMPTYPE(T,F) (!memcmp(&((const T*)s1)->F,&((const T*)s2)->F,sizeof(((const T*)s1)->F))) + switch (s1->sa_family) { + case AF_INET: + return CMPTYPE (struct sockaddr_in, sin_addr); + case AF_INET6: + return CMPTYPE (struct sockaddr_in6, sin6_addr); + default: + /* Err on side of duplicate listings. */ + return 0; + } +#endif +} +#endif + +#ifndef HAVE_IFADDRS_H +/*@-usereleased@*/ /* lclint doesn't understand realloc */ +static /*@null@*/ void * +grow_or_free (/*@only@*/ void *ptr, size_t newsize) + /*@*/ +{ + void *newptr; + newptr = realloc (ptr, newsize); + if (newptr == NULL && newsize != 0) { + free (ptr); /* lclint complains but this is right */ + return NULL; + } + return newptr; +} +/*@=usereleased@*/ + +static int +get_ifconf (int s, size_t *lenp, /*@out@*/ char *buf) + /*@modifies *buf,*lenp@*/ +{ + int ret; + struct ifconf ifc; + + /*@+matchanyintegral@*/ + ifc.ifc_len = *lenp; + /*@=matchanyintegral@*/ + ifc.ifc_buf = buf; + memset(buf, 0, *lenp); + /*@-moduncon@*/ + ret = ioctl (s, SIOCGIFCONF, (char *)&ifc); + /*@=moduncon@*/ + /*@+matchanyintegral@*/ + *lenp = ifc.ifc_len; + /*@=matchanyintegral@*/ + return ret; +} + +/* Solaris uses SIOCGLIFCONF to return struct lifconf which is just + an extended version of struct ifconf. + + HP-UX 11 also appears to have SIOCGLIFCONF, but uses struct + if_laddrconf, and struct if_laddrreq to be used with + SIOCGLIFADDR. 
*/ +#if defined(SIOCGLIFCONF) && defined(HAVE_STRUCT_LIFCONF) +static int +get_lifconf (int af, int s, size_t *lenp, /*@out@*/ char *buf) + /*@modifies *buf,*lenp@*/ +{ + int ret; + struct lifconf lifc; + + lifc.lifc_family = af; + lifc.lifc_flags = 0; + /*@+matchanyintegral@*/ + lifc.lifc_len = *lenp; + /*@=matchanyintegral@*/ + lifc.lifc_buf = buf; + memset(buf, 0, *lenp); + /*@-moduncon@*/ + ret = ioctl (s, SIOCGLIFCONF, (char *)&lifc); + if (ret) + Tperror ("SIOCGLIFCONF"); + /*@=moduncon@*/ + /*@+matchanyintegral@*/ + *lenp = lifc.lifc_len; + /*@=matchanyintegral@*/ + return ret; +} +#endif +#if defined(SIOCGLIFCONF) && defined(HAVE_STRUCT_IF_LADDRCONF) && 0 +/* I'm not sure if this is needed or if net/if.h will pull it in. */ +/* #include <net/if6.h> */ +static int +get_if_laddrconf (int af, int s, size_t *lenp, /*@out@*/ char *buf) + /*@modifies *buf,*lenp@*/ +{ + int ret; + struct if_laddrconf iflc; + + /*@+matchanyintegral@*/ + iflc.iflc_len = *lenp; + /*@=matchanyintegral@*/ + iflc.iflc_buf = buf; + memset(buf, 0, *lenp); + /*@-moduncon@*/ + ret = ioctl (s, SIOCGLIFCONF, (char *)&iflc); + if (ret) + Tperror ("SIOCGLIFCONF"); + /*@=moduncon@*/ + /*@+matchanyintegral@*/ + *lenp = iflc.iflc_len; + /*@=matchanyintegral@*/ + return ret; +} +#endif +#endif /* ! HAVE_IFADDRS_H */ + +#ifdef LINUX_IPV6_HACK +#include <stdio.h> +/* Read IPv6 addresses out of /proc/net/if_inet6, since there isn't + (currently) any ioctl to return them. 
*/ +struct linux_ipv6_addr_list { + struct sockaddr_in6 addr; + struct linux_ipv6_addr_list *next; +}; +static struct linux_ipv6_addr_list * +get_linux_ipv6_addrs () +{ + struct linux_ipv6_addr_list *lst = 0; + FILE *f; + + /* _PATH_PROCNET_IFINET6 */ + f = fopen("/proc/net/if_inet6", "r"); + if (f) { + char ifname[21]; + unsigned int idx, pfxlen, scope, dadstat; + struct in6_addr a6; + struct linux_ipv6_addr_list *nw; + int i; + unsigned int addrbyte[16]; + + while (fscanf(f, + "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x" + " %2x %2x %2x %2x %20s\n", + &addrbyte[0], &addrbyte[1], &addrbyte[2], &addrbyte[3], + &addrbyte[4], &addrbyte[5], &addrbyte[6], &addrbyte[7], + &addrbyte[8], &addrbyte[9], &addrbyte[10], &addrbyte[11], + &addrbyte[12], &addrbyte[13], &addrbyte[14], + &addrbyte[15], + &idx, &pfxlen, &scope, &dadstat, ifname) != EOF) { + for (i = 0; i < 16; i++) + a6.s6_addr[i] = addrbyte[i]; + if (scope != 0) + continue; +#if 0 /* These symbol names are as used by ifconfig, but none of the + system header files export them. Dig up the kernel versions + someday and see if they're exported. */ + switch (scope) { + case 0: + default: + break; + case IPV6_ADDR_LINKLOCAL: + case IPV6_ADDR_SITELOCAL: + case IPV6_ADDR_COMPATv4: + case IPV6_ADDR_LOOPBACK: + continue; + } +#endif + nw = malloc (sizeof (struct linux_ipv6_addr_list)); + if (nw == 0) + continue; + memset (nw, 0, sizeof (*nw)); + nw->addr.sin6_addr = a6; + nw->addr.sin6_family = AF_INET6; + /* Ignore other fields, we don't actually use them here. */ + nw->next = lst; + lst = nw; + } + fclose (f); + } + return lst; +} +#endif + +/* Return value is errno if internal stuff failed, otherwise zero, + even in the case where a called function terminated the iteration. + + If one of the callback functions wants to pass back an error + indication, it should do it via some field pointed to by the DATA + argument. 
*/ + +#ifdef HAVE_IFADDRS_H + +int +foreach_localaddr (/*@null@*/ void *data, + int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, + struct sockaddr *) /*@*/) +#if defined(DEBUG) || defined(TEST) + /*@modifies fileSystem@*/ +#endif +{ + struct ifaddrs *ifp_head, *ifp, *ifp2; + int match; + + if (getifaddrs (&ifp_head) < 0) + return errno; + for (ifp = ifp_head; ifp; ifp = ifp->ifa_next) { +#ifdef DEBUG + printifaddr (ifp); +#endif + if ((ifp->ifa_flags & IFF_UP) == 0) + continue; + if (ifp->ifa_flags & IFF_LOOPBACK) { + /* Pretend it's not up, so the second pass will skip + it. */ + ifp->ifa_flags &= ~IFF_UP; + continue; + } + if (ifp->ifa_addr == NULL) { + /* Can't use an interface without an address. Linux + apparently does this sometimes. [RT ticket 1770 from + Maurice Massar, also Debian bug 206851, shows the + problem with a PPP link on a newer kernel than I'm + running.] + + Pretend it's not up, so the second pass will skip + it. */ + ifp->ifa_flags &= ~IFF_UP; + continue; + } + /* If this address is a duplicate, punt. */ + match = 0; + for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) { + if ((ifp2->ifa_flags & IFF_UP) == 0) + continue; + if (ifp2->ifa_flags & IFF_LOOPBACK) + continue; + if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) { + match = 1; + ifp->ifa_flags &= ~IFF_UP; + break; + } + } + if (match) + continue; + if ((*pass1fn) (data, ifp->ifa_addr)) + goto punt; + } + if (betweenfn && (*betweenfn)(data)) + goto punt; + if (pass2fn) + for (ifp = ifp_head; ifp; ifp = ifp->ifa_next) { + if (ifp->ifa_flags & IFF_UP) + if ((*pass2fn) (data, ifp->ifa_addr)) + goto punt; + } + punt: + freeifaddrs (ifp_head); + return 0; +} + +#elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? 
*/ + +int +foreach_localaddr (/*@null@*/ void *data, + int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, + struct sockaddr *) /*@*/) +#if defined(DEBUG) || defined(TEST) + /*@modifies fileSystem@*/ +#endif +{ + /* Okay, this is kind of odd. We have to use each of the address + families we care about, because with an AF_INET socket, extra + interfaces like hme0:1 that have only AF_INET6 addresses will + cause errors. Similarly, if hme0 has more AF_INET addresses + than AF_INET6 addresses, we won't be able to retrieve all of + the AF_INET addresses if we use an AF_INET6 socket. Since + neither family is guaranteed to have the greater number of + addresses, we should use both. + + If it weren't for this little quirk, we could use one socket of + any type, and ask for addresses of all types. At least, it + seems to work that way. */ + + static const int afs[] = { AF_INET, AF_NS, AF_INET6 }; +#define N_AFS (sizeof (afs) / sizeof (afs[0])) + struct { + int af; + int sock; + void *buf; + size_t buf_size; + struct lifnum lifnum; + } afp[N_AFS]; + int code, i, j; + int retval = 0, afidx; + krb5_error_code sock_err = 0; + struct lifreq *lifr, lifreq, *lifr2; + +#define FOREACH_AF() for (afidx = 0; afidx < N_AFS; afidx++) +#define P (afp[afidx]) + + /* init */ + FOREACH_AF () { + P.af = afs[afidx]; + P.sock = -1; + P.buf = 0; + } + + /* first pass: get raw data, discard uninteresting addresses, callback */ + FOREACH_AF () { + Tprintf (("trying af %d...\n", P.af)); + P.sock = socket (P.af, USE_TYPE, USE_PROTO); + if (P.sock < 0) { + sock_err = SOCKET_ERROR; + Tperror ("socket"); + continue; + } + + P.lifnum.lifn_family = P.af; + P.lifnum.lifn_flags = 0; + P.lifnum.lifn_count = 0; + code = ioctl (P.sock, SIOCGLIFNUM, &P.lifnum); + if (code) { + Tperror ("ioctl(SIOCGLIFNUM)"); + retval = errno; + goto punt; + } + + P.buf_size = P.lifnum.lifn_count * sizeof (struct 
lifreq) * 2; + P.buf = malloc (P.buf_size); + if (P.buf == NULL) { + retval = errno; + goto punt; + } + + code = get_lifconf (P.af, P.sock, &P.buf_size, P.buf); + if (code < 0) { + retval = errno; + goto punt; + } + + for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) { + lifr = (struct lifreq *)((caddr_t) P.buf+i); + + strncpy(lifreq.lifr_name, lifr->lifr_name, + sizeof (lifreq.lifr_name)); + Tprintf (("interface %s\n", lifreq.lifr_name)); + /*@-moduncon@*/ /* ioctl unknown to lclint */ + if (ioctl (P.sock, SIOCGLIFFLAGS, (char *)&lifreq) < 0) { + Tperror ("ioctl(SIOCGLIFFLAGS)"); + skip: + /* mark for next pass */ + lifr->lifr_name[0] = '\0'; + continue; + } + /*@=moduncon@*/ + +#ifdef IFF_LOOPBACK + /* None of the current callers want loopback addresses. */ + if (lifreq.lifr_flags & IFF_LOOPBACK) { + Tprintf ((" loopback\n")); + goto skip; + } +#endif + /* Ignore interfaces that are down. */ + if ((lifreq.lifr_flags & IFF_UP) == 0) { + Tprintf ((" down\n")); + goto skip; + } + + /* Make sure we didn't process this address already. */ + for (j = 0; j < i; j += sizeof (*lifr2)) { + lifr2 = (struct lifreq *)((caddr_t) P.buf+j); + if (lifr2->lifr_name[0] == '\0') + continue; + if (lifr2->lifr_addr.ss_family == lifr->lifr_addr.ss_family + /* Compare address info. If this isn't good enough -- + i.e., if random padding bytes turn out to differ + when the addresses are the same -- then we'll have + to do it on a per address family basis. */ + && !memcmp (&lifr2->lifr_addr, &lifr->lifr_addr, + sizeof (*lifr))) { + Tprintf ((" duplicate addr\n")); + goto skip; + } + } + + /*@-moduncon@*/ + if ((*pass1fn) (data, ss2sa (&lifr->lifr_addr))) + goto punt; + /*@=moduncon@*/ + } + } + + /* Did we actually get any working sockets? 
*/ + FOREACH_AF () + if (P.sock != -1) + goto have_working_socket; + retval = sock_err; + goto punt; +have_working_socket: + + /*@-moduncon@*/ + if (betweenfn != NULL && (*betweenfn)(data)) + goto punt; + /*@=moduncon@*/ + + if (pass2fn) + FOREACH_AF () + if (P.sock >= 0) { + for (i = 0; i + sizeof (*lifr) <= P.buf_size; i+= sizeof (*lifr)) { + lifr = (struct lifreq *)((caddr_t) P.buf+i); + + if (lifr->lifr_name[0] == '\0') + /* Marked in first pass to be ignored. */ + continue; + + /*@-moduncon@*/ + if ((*pass2fn) (data, ss2sa (&lifr->lifr_addr))) + goto punt; + /*@=moduncon@*/ + } + } +punt: + FOREACH_AF () { + /*@-moduncon@*/ + closesocket(P.sock); + /*@=moduncon@*/ + free (P.buf); + } + + return retval; +} + +#elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_IF_LADDRCONF) && 0 /* HP-UX 11 support being debugged */ + +int +foreach_localaddr (/*@null@*/ void *data, + int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, + struct sockaddr *) /*@*/) +#if defined(DEBUG) || defined(TEST) + /*@modifies fileSystem@*/ +#endif +{ + /* Okay, this is kind of odd. We have to use each of the address + families we care about, because with an AF_INET socket, extra + interfaces like hme0:1 that have only AF_INET6 addresses will + cause errors. Similarly, if hme0 has more AF_INET addresses + than AF_INET6 addresses, we won't be able to retrieve all of + the AF_INET addresses if we use an AF_INET6 socket. Since + neither family is guaranteed to have the greater number of + addresses, we should use both. + + If it weren't for this little quirk, we could use one socket of + any type, and ask for addresses of all types. At least, it + seems to work that way. 
*/ + + static const int afs[] = { AF_INET, AF_NS, AF_INET6 }; +#define N_AFS (sizeof (afs) / sizeof (afs[0])) + struct { + int af; + int sock; + void *buf; + size_t buf_size; + int if_num; + } afp[N_AFS]; + int code, i, j; + int retval = 0, afidx; + krb5_error_code sock_err = 0; + struct if_laddrreq *lifr, lifreq, *lifr2; + +#define FOREACH_AF() for (afidx = 0; afidx < N_AFS; afidx++) +#define P (afp[afidx]) + + /* init */ + FOREACH_AF () { + P.af = afs[afidx]; + P.sock = -1; + P.buf = 0; + } + + /* first pass: get raw data, discard uninteresting addresses, callback */ + FOREACH_AF () { + Tprintf (("trying af %d...\n", P.af)); + P.sock = socket (P.af, USE_TYPE, USE_PROTO); + if (P.sock < 0) { + sock_err = SOCKET_ERROR; + Tperror ("socket"); + continue; + } + + code = ioctl (P.sock, SIOCGLIFNUM, &P.if_num); + if (code) { + Tperror ("ioctl(SIOCGLIFNUM)"); + retval = errno; + goto punt; + } + + P.buf_size = P.if_num * sizeof (struct if_laddrreq) * 2; + P.buf = malloc (P.buf_size); + if (P.buf == NULL) { + retval = errno; + goto punt; + } + + code = get_if_laddrconf (P.af, P.sock, &P.buf_size, P.buf); + if (code < 0) { + retval = errno; + goto punt; + } + + for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) { + lifr = (struct if_laddrreq *)((caddr_t) P.buf+i); + + strncpy(lifreq.iflr_name, lifr->iflr_name, + sizeof (lifreq.iflr_name)); + Tprintf (("interface %s\n", lifreq.iflr_name)); + /*@-moduncon@*/ /* ioctl unknown to lclint */ + if (ioctl (P.sock, SIOCGLIFFLAGS, (char *)&lifreq) < 0) { + Tperror ("ioctl(SIOCGLIFFLAGS)"); + skip: + /* mark for next pass */ + lifr->iflr_name[0] = '\0'; + continue; + } + /*@=moduncon@*/ + +#ifdef IFF_LOOPBACK + /* None of the current callers want loopback addresses. */ + if (lifreq.iflr_flags & IFF_LOOPBACK) { + Tprintf ((" loopback\n")); + goto skip; + } +#endif + /* Ignore interfaces that are down. 
*/ + if ((lifreq.iflr_flags & IFF_UP) == 0) { + Tprintf ((" down\n")); + goto skip; + } + + /* Make sure we didn't process this address already. */ + for (j = 0; j < i; j += sizeof (*lifr2)) { + lifr2 = (struct if_laddrreq *)((caddr_t) P.buf+j); + if (lifr2->iflr_name[0] == '\0') + continue; + if (lifr2->iflr_addr.sa_family == lifr->iflr_addr.sa_family + /* Compare address info. If this isn't good enough -- + i.e., if random padding bytes turn out to differ + when the addresses are the same -- then we'll have + to do it on a per address family basis. */ + && !memcmp (&lifr2->iflr_addr, &lifr->iflr_addr, + sizeof (*lifr))) { + Tprintf ((" duplicate addr\n")); + goto skip; + } + } + + /*@-moduncon@*/ + if ((*pass1fn) (data, ss2sa (&lifr->iflr_addr))) + goto punt; + /*@=moduncon@*/ + } + } + + /* Did we actually get any working sockets? */ + FOREACH_AF () + if (P.sock != -1) + goto have_working_socket; + retval = sock_err; + goto punt; +have_working_socket: + + /*@-moduncon@*/ + if (betweenfn != NULL && (*betweenfn)(data)) + goto punt; + /*@=moduncon@*/ + + if (pass2fn) + FOREACH_AF () + if (P.sock >= 0) { + for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) { + lifr = (struct if_laddrreq *)((caddr_t) P.buf+i); + + if (lifr->iflr_name[0] == '\0') + /* Marked in first pass to be ignored. 
*/ + continue; + + /*@-moduncon@*/ + if ((*pass2fn) (data, ss2sa (&lifr->iflr_addr))) + goto punt; + /*@=moduncon@*/ + } + } +punt: + FOREACH_AF () { + /*@-moduncon@*/ + closesocket(P.sock); + /*@=moduncon@*/ + free (P.buf); + } + + return retval; +} + +#else /* not defined (SIOCGLIFNUM) */ + +#define SLOP (sizeof (struct ifreq) + 128) + +static int +get_ifreq_array(char **bufp, size_t *np, int s) +{ + int code; + int est_if_count = 8; + size_t est_ifreq_size; + char *buf = 0; + size_t current_buf_size = 0, size, n; +#ifdef SIOCGSIZIFCONF + int ifconfsize = -1; +#endif +#ifdef SIOCGIFNUM + int numifs = -1; +#endif + + /* At least on NetBSD, an ifreq can hold an IPv4 address, but + isn't big enough for an IPv6 or ethernet address. So add a + little more space. */ + est_ifreq_size = sizeof (struct ifreq) + 8; +#ifdef SIOCGSIZIFCONF + code = ioctl (s, SIOCGSIZIFCONF, &ifconfsize); + if (!code) { + current_buf_size = ifconfsize; + est_if_count = ifconfsize / est_ifreq_size; + } +#elif defined (SIOCGIFNUM) + code = ioctl (s, SIOCGIFNUM, &numifs); + if (!code && numifs > 0) + est_if_count = numifs; +#endif + if (current_buf_size == 0) + current_buf_size = est_ifreq_size * est_if_count + SLOP; + buf = malloc (current_buf_size); + if (buf == NULL) + return errno; + +ask_again: + size = current_buf_size; + code = get_ifconf (s, &size, buf); + if (code < 0) { + code = errno; + free (buf); + return code; + } + /* Test that the buffer was big enough that another ifreq could've + fit easily, if the OS wanted to provide one. That seems to be + the only indication we get, complicated by the fact that the + associated address may make the required storage a little + bigger than the size of an ifreq. */ + if (current_buf_size - size < SLOP +#ifdef SIOCGSIZIFCONF + /* Unless we hear SIOCGSIZIFCONF is broken somewhere, let's + trust the value it returns. */ + && ifconfsize <= 0 +#elif defined (SIOCGIFNUM) + && numifs <= 0 +#endif + /* And we need *some* sort of bounds. 
*/ + && current_buf_size <= 100000 + ) { + size_t new_size; + + est_if_count *= 2; + new_size = est_ifreq_size * est_if_count + SLOP; + buf = grow_or_free (buf, new_size); + if (buf == 0) + return errno; + current_buf_size = new_size; + goto ask_again; + } + + n = size; + if (n > current_buf_size) + n = current_buf_size; + + *bufp = buf; + *np = n; + return 0; +} + +int +foreach_localaddr (/*@null@*/ void *data, + int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/, + /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/, + /*@null@*/ int (*pass2fn) (/*@null@*/ void *, + struct sockaddr *) /*@*/) +#if defined(DEBUG) || defined(TEST) + /*@modifies fileSystem@*/ +#endif +{ + struct ifreq *ifr, ifreq, *ifr2; + int s, code; + char *buf = 0; + size_t size, n, i, j; + int retval = 0; +#ifdef LINUX_IPV6_HACK + struct linux_ipv6_addr_list *linux_ipv6_addrs = get_linux_ipv6_addrs (); + struct linux_ipv6_addr_list *lx_v6; +#endif + + s = socket (USE_AF, USE_TYPE, USE_PROTO); + if (s < 0) + return SOCKET_ERRNO; + + retval = get_ifreq_array(&buf, &n, s); + if (retval) { + /*@-moduncon@*/ /* close() unknown to lclint */ + closesocket(s); + /*@=moduncon@*/ + return retval; + } + + /* Note: Apparently some systems put the size (used or wanted?) + into the start of the buffer, just none that I'm actually + using. Fix this when there's such a test system available. + The Samba mailing list archives mention that NTP looks for the + size on these systems: *-fujitsu-uxp* *-ncr-sysv4* + *-univel-sysv*. */ + for (i = 0; i + sizeof(struct ifreq) <= n; i+= ifreq_size(*ifr) ) { + ifr = (struct ifreq *)((caddr_t) buf+i); + /* In case ifreq_size is more than sizeof(). 
*/ + if (i + ifreq_size(*ifr) > n) + break; + + strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof (ifreq.ifr_name)); + Tprintf (("interface %s\n", ifreq.ifr_name)); + /*@-moduncon@*/ /* ioctl unknown to lclint */ + if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0) { + skip: + /* mark for next pass */ + ifr->ifr_name[0] = '\0'; + continue; + } + /*@=moduncon@*/ + +#ifdef IFF_LOOPBACK + /* None of the current callers want loopback addresses. */ + if (ifreq.ifr_flags & IFF_LOOPBACK) { + Tprintf ((" loopback\n")); + goto skip; + } +#endif + /* Ignore interfaces that are down. */ + if ((ifreq.ifr_flags & IFF_UP) == 0) { + Tprintf ((" down\n")); + goto skip; + } + + /* Make sure we didn't process this address already. */ + for (j = 0; j < i; j += ifreq_size(*ifr2)) { + ifr2 = (struct ifreq *)((caddr_t) buf+j); + if (ifr2->ifr_name[0] == '\0') + continue; + if (ifr2->ifr_addr.sa_family == ifr->ifr_addr.sa_family + && ifreq_size (*ifr) == ifreq_size (*ifr2) + /* Compare address info. If this isn't good enough -- + i.e., if random padding bytes turn out to differ + when the addresses are the same -- then we'll have + to do it on a per address family basis. */ + && !memcmp (&ifr2->ifr_addr.sa_data, &ifr->ifr_addr.sa_data, + (ifreq_size (*ifr) + - offsetof (struct ifreq, ifr_addr.sa_data)))) { + Tprintf ((" duplicate addr\n")); + goto skip; + } + } + + /*@-moduncon@*/ + if ((*pass1fn) (data, &ifr->ifr_addr)) + goto punt; + /*@=moduncon@*/ + } + +#ifdef LINUX_IPV6_HACK + for (lx_v6 = linux_ipv6_addrs; lx_v6; lx_v6 = lx_v6->next) + if ((*pass1fn) (data, (struct sockaddr *) &lx_v6->addr)) + goto punt; +#endif + + /*@-moduncon@*/ + if (betweenfn != NULL && (*betweenfn)(data)) + goto punt; + /*@=moduncon@*/ + + if (pass2fn) { + for (i = 0; i + sizeof(struct ifreq) <= n; i+= ifreq_size(*ifr) ) { + ifr = (struct ifreq *)((caddr_t) buf+i); + + if (ifr->ifr_name[0] == '\0') + /* Marked in first pass to be ignored. 
*/ + continue; + + /*@-moduncon@*/ + if ((*pass2fn) (data, &ifr->ifr_addr)) + goto punt; + /*@=moduncon@*/ + } +#ifdef LINUX_IPV6_HACK + for (lx_v6 = linux_ipv6_addrs; lx_v6; lx_v6 = lx_v6->next) + if ((*pass2fn) (data, (struct sockaddr *) &lx_v6->addr)) + goto punt; +#endif + } + punt: + /*@-moduncon@*/ + closesocket(s); + /*@=moduncon@*/ + free (buf); +#ifdef LINUX_IPV6_HACK + while (linux_ipv6_addrs) { + lx_v6 = linux_ipv6_addrs->next; + free (linux_ipv6_addrs); + linux_ipv6_addrs = lx_v6; + } +#endif + + return retval; +} + +#endif /* not HAVE_IFADDRS_H and not SIOCGLIFNUM */ + static krb5_error_code get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile); +#ifdef TEST + +static int print_addr (/*@unused@*/ void *dataptr, struct sockaddr *sa) + /*@modifies fileSystem@*/ +{ + char hostbuf[NI_MAXHOST]; + int err; + socklen_t len; + + printf (" --> family %2d ", sa->sa_family); + len = socklen (sa); + err = getnameinfo (sa, len, hostbuf, (socklen_t) sizeof (hostbuf), + (char *) NULL, 0, NI_NUMERICHOST); + if (err) { + int e = errno; + printf ("<getnameinfo error %d: %s>\n", err, gai_strerror (err)); + if (err == EAI_SYSTEM) + printf ("\t\t<errno is %d: %s>\n", e, strerror(e)); + } else + printf ("addr %s\n", hostbuf); + return 0; +} + +int main () +{ + int r; + + (void) setvbuf (stdout, (char *)NULL, _IONBF, 0); + r = foreach_localaddr (0, print_addr, NULL, NULL); + printf ("return value = %d\n", r); + return 0; +} + +#else /* not TESTing */ + struct localaddr_data { int count, mem_err, cur_idx, cur_size; krb5_address **addr_temp; @@ -78,6 +1126,7 @@ count_addrs (void *P_data, struct sockaddr *a) static int allocate (void *P_data) + /*@*/ { struct localaddr_data *data = P_data; int i; @@ -96,8 +1145,9 @@ allocate (void *P_data) return 0; } -static krb5_address * +static /*@null@*/ krb5_address * make_addr (int type, size_t length, const void *contents) + /*@*/ { krb5_address *a; void *data; 
@@ -123,23 +1173,13 @@ add_addr (void *P_data, struct sockaddr *a) /*@modifies *P_data@*/ { struct localaddr_data *data = P_data; - krb5_address *address = 0; -#ifdef KRB5_DEBUG - char buf[256]; -#endif - - KRB5_LOG(KRB5_INFO, "add_addr() a->sa_family=%d", a->sa_family); + /*@null@*/ krb5_address *address = 0; switch (a->sa_family) { #ifdef HAVE_NETINET_IN_H case AF_INET: address = make_addr (ADDRTYPE_INET, sizeof (struct in_addr), - /*LINTED*/ &((const struct sockaddr_in *) a)->sin_addr); -#ifdef KRB5_DEBUG - inet_ntop(AF_INET, &sa2sin(a)->sin_addr, buf, sizeof(buf)); -#endif - KRB5_LOG(KRB5_INFO, "add_addr() AF_INET addr=%s", buf); if (address == NULL) data->mem_err++; break; @@ -147,18 +1187,10 @@ add_addr (void *P_data, struct sockaddr *a) #ifdef KRB5_USE_INET6 case AF_INET6: { - /*LINTED*/ const struct sockaddr_in6 *in = (const struct sockaddr_in6 *) a; -#ifdef KRB5_DEBUG - inet_ntop(AF_INET6, &sa2sin6(a)->sin6_addr, buf, sizeof(buf)); -#endif - KRB5_LOG(KRB5_INFO, "add_addr() AF_INET6 addr=%s", buf); - - if (IN6_IS_ADDR_LINKLOCAL (&in->sin6_addr)) { - KRB5_LOG0(KRB5_INFO, "add_addr() AF_INET6 linklocal, skipping"); + if (IN6_IS_ADDR_LINKLOCAL (&in->sin6_addr)) break; - } address = make_addr (ADDRTYPE_INET6, sizeof (struct in6_addr), &in->sin6_addr); @@ -173,11 +1205,6 @@ add_addr (void *P_data, struct sockaddr *a) case AF_XNS: address = make_addr (ADDRTYPE_XNS, sizeof (struct ns_addr), &((const struct sockaddr_ns *)a)->sns_addr); -#ifdef KRB5_DEBUG - inet_ntop(AF_XNS, &((const struct sockaddr_ns *)a)->sns_addr, - buf, sizeof(buf)); -#endif - KRB5_LOG(KRB5_INFO, "add_addr() AF_XNS addr=%s", buf); if (address == NULL) data->mem_err++; break; 
@@ -211,13 +1238,17 @@ static krb5_error_code krb5_os_localaddr_profile (krb5_context context, struct localaddr_data *datap) { krb5_error_code err; - static const char *profile_name[] = { + static const char *const profile_name[] = { "libdefaults", "extra_addresses", 0 }; char **values; char **iter; krb5_address **newaddrs; +#ifdef DEBUG + fprintf (stderr, "looking up extra_addresses foo\n"); +#endif + err = profile_get_values (context->profile, profile_name, &values); /* Ignore all errors for now? */ if (err) @@ -227,12 +1258,19 @@ krb5_os_localaddr_profile (krb5_context context, struct localaddr_data *datap) char *cp = *iter, *next, *current; int i, count; +#ifdef DEBUG + fprintf (stderr, " found line: '%s'\n", cp); +#endif + for (cp = *iter, next = 0; *cp; cp = next) { while (isspace ((int) *cp) || *cp == ',') cp++; if (*cp == 0) break; /* Start of an address. */ +#ifdef DEBUG + fprintf (stderr, " addr found in '%s'\n", cp); +#endif current = cp; while (*cp != 0 && !isspace((int) *cp) && *cp != ',') cp++; @@ -242,15 +1280,24 @@ krb5_os_localaddr_profile (krb5_context context, struct localaddr_data *datap) } else next = cp; /* Got a single address, process it. */ +#ifdef DEBUG + fprintf (stderr, " processing '%s'\n", current); +#endif newaddrs = 0; err = krb5_os_hostaddr (context, current, &newaddrs); if (err) continue; for (i = 0; newaddrs[i]; i++) { +#ifdef DEBUG + fprintf (stderr, " %d: family %d", i, + newaddrs[i]->addrtype); + fprintf (stderr, "\n"); +#endif } - count = i; - +#ifdef DEBUG + fprintf (stderr, " %d addresses\n", count); +#endif if (datap->cur_idx + count >= datap->cur_size) { krb5_address **bigger; bigger = realloc (datap->addr_temp, 
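Review bot: In the `@@ -242,15 +1280,24 @@` hunk of krb5_os_localaddr_profile, `count = i;` is removed after the `for (i = 0; newaddrs[i]; i++)` loop and nothing in the hunk replaces it. `count` is declared without an initializer (`int i, count;`) and is still read by the bounds test `datap->cur_idx + count >= datap->cur_size`, and by the new DEBUG `fprintf`. Unless an assignment exists outside the hunk, that test runs on an indeterminate value, and the `realloc` of `addr_temp` that follows may be skipped or mis-sized for addresses taken from the `extra_addresses` profile entry. Restore `count = i;` directly after the loop's closing brace, before the `#ifdef DEBUG` block. The function body starts and ends outside this hunk.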
@@ -289,12 +1336,11 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile) { struct localaddr_data data = { 0 }; int r; - /* krb5_error_code err; */ + krb5_error_code err; if (use_profile) { - /* err = krb5_os_localaddr_profile (context, &data); */ + err = krb5_os_localaddr_profile (context, &data); /* ignore err for now */ - (void) krb5_os_localaddr_profile (context, &data); } r = foreach_localaddr (&data, count_addrs, allocate, add_addr); 
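Review bot: In get_localaddrs, `err` is now assigned from `krb5_os_localaddr_profile (context, &data)` and is not read anywhere in this hunk. The `(void)` cast that documented the deliberate discard has therefore become a set-but-unused variable, which lint and most compilers will flag. If the result is meant to stay ignored, keep `(void) krb5_os_localaddr_profile (context, &data);` and drop the declaration. Otherwise, replace `/* ignore err for now */` with the reason, for example `/* extra_addresses is optional; interface enumeration below still runs */`. The rest of the function is outside the hunk, so a later use of `err` cannot be ruled out from here.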
@@ -328,6 +1374,195 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile) *addr = data.addr_temp; } +#ifdef DEBUG + { + int j; + fprintf (stderr, "addresses:\n"); + for (j = 0; addr[0][j]; j++) { + struct sockaddr_storage ss; + int err2; + char namebuf[NI_MAXHOST]; + void *addrp = 0; + + fprintf (stderr, "%2d: ", j); + fprintf (stderr, "addrtype %2d, length %2d", addr[0][j]->addrtype, + addr[0][j]->length); + memset (&ss, 0, sizeof (ss)); + switch (addr[0][j]->addrtype) { + case ADDRTYPE_INET: + { + struct sockaddr_in *sinp = ss2sin (&ss); + sinp->sin_family = AF_INET; + addrp = &sinp->sin_addr; +#ifdef HAVE_SA_LEN + sinp->sin_len = sizeof (struct sockaddr_in); +#endif + break; + } +#ifdef KRB5_USE_INET6 + case ADDRTYPE_INET6: + { + struct sockaddr_in6 *sin6p = ss2sin6 (&ss); + sin6p->sin6_family = AF_INET6; + addrp = &sin6p->sin6_addr; +#ifdef HAVE_SA_LEN + sin6p->sin6_len = sizeof (struct sockaddr_in6); +#endif + break; + } +#endif + default: + ss2sa(&ss)->sa_family = 0; + break; + } + if (addrp) + memcpy (addrp, addr[0][j]->contents, addr[0][j]->length); + err2 = getnameinfo (ss2sa(&ss), socklen (ss2sa (&ss)), + namebuf, sizeof (namebuf), 0, 0, + NI_NUMERICHOST); + if (err2 == 0) + fprintf (stderr, ": addr %s\n", namebuf); + else + fprintf (stderr, ": getnameinfo error %d\n", err2); + } + } +#endif + return 0; } +#endif /* not TESTing */ + +#else /* Windows/Mac version */ + +/* + * Hold on to your lunch! 
Backup kludge method of obtaining your + * local IP address, courtesy of Windows Socket Network Programming, + * by Robert Quinn + */ +#if defined(_WIN32) +static struct hostent *local_addr_fallback_kludge() +{ + static struct hostent host; + static SOCKADDR_IN addr; + static char * ip_ptrs[2]; + SOCKET sock; + int size = sizeof(SOCKADDR); + int err; + + sock = socket(AF_INET, SOCK_DGRAM, 0); + if (sock == INVALID_SOCKET) + return NULL; + + /* connect to arbitrary port and address (NOT loopback) */ + addr.sin_family = AF_INET; + addr.sin_port = htons(IPPORT_ECHO); + addr.sin_addr.s_addr = inet_addr("204.137.220.51"); + + err = connect(sock, (LPSOCKADDR) &addr, sizeof(SOCKADDR)); + if (err == SOCKET_ERROR) + return NULL; + + err = getsockname(sock, (LPSOCKADDR) &addr, (int *) size); + if (err == SOCKET_ERROR) + return NULL; + + closesocket(sock); + + host.h_name = 0; + host.h_aliases = 0; + host.h_addrtype = AF_INET; + host.h_length = 4; + host.h_addr_list = ip_ptrs; + ip_ptrs[0] = (char *) &addr.sin_addr.s_addr; + ip_ptrs[1] = NULL; + + return &host; +} +#endif + +/* No ioctls in winsock so we just assume there is only one networking + * card per machine, so gethostent is good enough. 
+ */ +krb5_error_code KRB5_CALLCONV +krb5_os_localaddr (krb5_context context, krb5_address ***addr) { + char host[64]; /* Name of local machine */ + struct hostent *hostrec; + int err, count, i; + krb5_address ** paddr; + + *addr = 0; + paddr = 0; + err = 0; + + if (gethostname (host, sizeof(host))) { + err = SOCKET_ERRNO; + } + + if (!err) { + hostrec = gethostbyname (host); + if (hostrec == NULL) { + err = SOCKET_ERRNO; + } + } + + if (err) { + hostrec = local_addr_fallback_kludge(); + if (!hostrec) + return err; + else + err = 0; /* otherwise we will die at cleanup */ + } + + for (count = 0; hostrec->h_addr_list[count]; count++); + + + paddr = (krb5_address **)malloc(sizeof(krb5_address *) * (count+1)); + if (!paddr) { + err = ENOMEM; + goto cleanup; + } + + memset(paddr, 0, sizeof(krb5_address *) * (count+1)); + + for (i = 0; i < count; i++) + { + paddr[i] = (krb5_address *)malloc(sizeof(krb5_address)); + if (paddr[i] == NULL) { + err = ENOMEM; + goto cleanup; + } + + paddr[i]->magic = KV5M_ADDRESS; + paddr[i]->addrtype = hostrec->h_addrtype; + paddr[i]->length = hostrec->h_length; + paddr[i]->contents = (unsigned char *)malloc(paddr[i]->length); + if (!paddr[i]->contents) { + err = ENOMEM; + goto cleanup; + } + memcpy(paddr[i]->contents, + hostrec->h_addr_list[i], + paddr[i]->length); + } + + cleanup: + if (err) { + if (paddr) { + for (i = 0; i < count; i++) + { + if (paddr[i]) { + if (paddr[i]->contents) + free(paddr[i]->contents); + free(paddr[i]); + } + } + free(paddr); + } + } + else + *addr = paddr; + + return(err); +} +#endif diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/locate_kdc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/locate_kdc.c index 9348a075b3..0b1f7e545c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/locate_kdc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/locate_kdc.c 
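Review bot: In local_addr_fallback_kludge, `getsockname(sock, (LPSOCKADDR) &addr, (int *) size)` casts the value of `size` to a pointer instead of passing its address, so the call receives the integer `sizeof(SOCKADDR)` as the location of the length argument. It should read `err = getsockname(sock, (LPSOCKADDR) &addr, &size);`. The two `return NULL` paths taken when `connect` or `getsockname` fails also skip `closesocket(sock)`, leaking one socket per failed call; close it before each return. In the `#ifdef DEBUG` dump added to get_localaddrs in the same hunk, `memcpy (addrp, addr[0][j]->contents, addr[0][j]->length)` copies into `sin_addr`/`sin6_addr` inside a stack `sockaddr_storage` without bounding `length` by the destination field's size. A per-case check before the copy (for example `addr[0][j]->length == sizeof (struct in_addr)` for ADDRTYPE_INET) would keep a malformed address entry from overrunning `ss`.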
@@ -1,3 +1,8 @@ +/* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + #pragma ident "%Z%%M% %I% %E% SMI" /* * lib/krb5/os/locate_kdc.c @@ -37,6 +42,7 @@ #ifdef WSHELPER #include <wshelper.h> #else /* WSHELPER */ +#include <netinet/in.h> #include <arpa/inet.h> #include <arpa/nameser.h> #include <resolv.h> 
@@ -502,228 +508,8 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm, #ifdef KRB5_DNS_LOOKUP -/* - * Lookup a KDC via DNS SRV records - */ - -void krb5int_free_srv_dns_data (struct srv_dns_entry *p) -{ - struct srv_dns_entry *next; - while (p) { - next = p->next; - free(p->host); - free(p); - p = next; - } -} - -/* Do DNS SRV query, return results in *answers. - - Make best effort to return all the data we can. On memory or - decoding errors, just return what we've got. Always return 0, - currently. */ #define make_srv_query_realm krb5int_make_srv_query_realm -krb5_error_code -krb5int_make_srv_query_realm(const krb5_data *realm, - const char *service, - const char *protocol, - struct srv_dns_entry **answers) -{ - union { - unsigned char bytes[2048]; - HEADER hdr; - } answer; - unsigned char *p=NULL; - char host[MAX_DNS_NAMELEN], *h; - int type, rrclass; - int priority, weight, size, len, numanswers, numqueries, rdlen; - unsigned short port; - const int hdrsize = sizeof(HEADER); - - struct srv_dns_entry *head = NULL; - struct srv_dns_entry *srv = NULL, *entry = NULL; - - /* - * First off, build a query of the form: - * - * service.protocol.realm - * - * which will most likely be something like: - * - * _kerberos._udp.REALM - * - */ - - if (memchr(realm->data, 0, realm->length)) - return 0; - if ( strlen(service) + strlen(protocol) + realm->length + 6 - > MAX_DNS_NAMELEN ) - return 0; - /*LINTED*/ - sprintf(host, "%s.%s.%.*s", service, protocol, (int) realm->length, - realm->data); - - /* Realm names don't (normally) end with ".", but if the query - doesn't end with "." and doesn't get an answer as is, the - resolv code will try appending the local domain. Since the - realm names are absolutes, let's stop that. - - But only if a name has been specified. If we are performing - a search on the prefix alone then the intention is to allow - the local domain or domain search lists to be expanded. 
*/ - - h = host + strlen (host); - if ((h[-1] != '.') && ((h - host + 1) < sizeof(host))) - strcpy (h, "."); - -#ifdef DEBUG - fprintf (stderr, "sending DNS SRV query for %s\n", host); -#endif - - size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes)); - - if ((size < hdrsize) || (size > sizeof(answer.bytes))) - goto out; - - /* - * We got an answer! First off, parse the header and figure out how - * many answers we got back. - */ - - p = answer.bytes; - - numqueries = ntohs(answer.hdr.qdcount); - numanswers = ntohs(answer.hdr.ancount); - - p += sizeof(HEADER); - - /* - * We need to skip over all of the questions, so we have to iterate - * over every query record. dn_expand() is able to tell us the size - * of compress DNS names, so we use it. - */ - -#define INCR_CHECK(x,y) x += y; if (x > size + answer.bytes) goto out -#define CHECK(x,y) if (x + y > size + answer.bytes) goto out -#define NTOHSP(x,y) x[0] << 8 | x[1]; x += y - - while (numqueries--) { - len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); - if (len < 0) - goto out; - INCR_CHECK(p, len + 4); - } - - /* - * We're now pointing at the answer records. Only process them if - * they're actually T_SRV records (they might be CNAME records, - * for instance). - * - * But in a DNS reply, if you get a CNAME you always get the associated - * "real" RR for that CNAME. RFC 1034, 3.6.2: - * - * CNAME RRs cause special action in DNS software. When a name server - * fails to find a desired RR in the resource set associated with the - * domain name, it checks to see if the resource set consists of a CNAME - * record with a matching class. If so, the name server includes the CNAME - * record in the response and restarts the query at the domain name - * specified in the data field of the CNAME record. The one exception to - * this rule is that queries which match the CNAME type are not restarted. - * - * In other words, CNAMEs do not need to be expanded by the client. 
- */ - - while (numanswers--) { - - /* First is the name; use dn_expand to get the compressed size */ - len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); - if (len < 0) - goto out; - INCR_CHECK(p, len); - - /* Next is the query type */ - CHECK(p, 2); - type = NTOHSP(p,2); - - /* Next is the query class; also skip over 4 byte TTL */ - CHECK(p, 6); - rrclass = NTOHSP(p,6); - - /* Record data length */ - - CHECK(p,2); - rdlen = NTOHSP(p,2); - - /* - * If this is an SRV record, process it. Record format is: - * - * Priority - * Weight - * Port - * Server name - */ - - if (rrclass == C_IN && type == T_SRV) { - CHECK(p,2); - priority = NTOHSP(p,2); - CHECK(p, 2); - weight = NTOHSP(p,2); - CHECK(p, 2); - port = NTOHSP(p,2); - len = dn_expand(answer.bytes, answer.bytes + size, p, host, sizeof(host)); - if (len < 0) - goto out; - INCR_CHECK(p, len); - - /* - * We got everything! Insert it into our list, but make sure - * it's in the right order. Right now we don't do anything - * with the weight field - */ - - srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry)); - if (srv == NULL) - goto out; - - srv->priority = priority; - srv->weight = weight; - srv->port = port; - srv->host = strdup(host); - if (srv->host == NULL) { - free(srv); - goto out; - } - - if (head == NULL || head->priority > srv->priority) { - srv->next = head; - head = srv; - } else - /* - * This is confusing. Only insert an entry into this - * spot if: - * The next person has a higher priority (lower priorities - * are preferred). - * Or - * There is no next entry (we're at the end) - */ - for (entry = head; entry != NULL; entry = entry->next) - if ((entry->next && - entry->next->priority > srv->priority) || - entry->next == NULL) { - srv->next = entry->next; - entry->next = srv; - break; - } - } else - INCR_CHECK(p, rdlen); - } - - out: - *answers = head; - return 0; -} - static krb5_error_code krb5_locate_srv_dns_1 (const krb5_data *realm, const char *service, 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/lock_file.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/lock_file.c index d6815d19c0..3766136f07 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/lock_file.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/lock_file.c @@ -31,7 +31,7 @@ #include <k5-int.h> #include <stdio.h> -#if !defined(_MSDOS) && !defined(_WIN32) && !defined(HAVE_MACSOCK_H) +#if !defined(_WIN32) /* Unix version... */ @@ -63,17 +63,14 @@ /*ARGSUSED*/ krb5_error_code -krb5_lock_file(context, fd, mode) - krb5_context context; - int fd; - int mode; +krb5_lock_file(krb5_context context, int fd, int mode) { int lock_flag = -1; krb5_error_code retval = 0; #ifdef POSIX_FILE_LOCKS int lock_cmd = F_SETLKW; static struct flock flock_zero; - struct flock lock_arg; + struct flock lock_arg = { 0 }; lock_arg = flock_zero; #endif @@ -133,7 +130,7 @@ krb5_lock_file(context, fd, mode) return retval; } -#else /* MSDOS or Macintosh */ +#else /* Windows or Macintosh */ krb5_error_code krb5_lock_file(context, fd, mode) diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/mk_faddr.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/mk_faddr.c index 042b8cba73..d18564100e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/mk_faddr.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/mk_faddr.c @@ -34,20 +34,16 @@ #ifdef HAVE_NETINET_IN_H #include "os-proto.h" -#if !defined(_WINSOCKAPI_) && !defined(HAVE_MACSOCK_H) +#if !defined(_WINSOCKAPI_) #include <netinet/in.h> #endif /*ARGSUSED*/ krb5_error_code -krb5_make_fulladdr(context, kaddr, kport, raddr) - krb5_context context; - krb5_address FAR * kaddr; - krb5_address FAR * kport; - krb5_address FAR * raddr; +krb5_make_fulladdr(krb5_context context, krb5_address *kaddr, krb5_address *kport, krb5_address *raddr) { - register krb5_octet FAR * marshal; + register krb5_octet * marshal; krb5_int32 tmp32; krb5_int16 tmp16; 
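Review bot: In krb5_lock_file (lock_file.c, hunk `@@ -63,17 +63,14 @@`), the new initializer `struct flock lock_arg = { 0 };` is immediately overwritten by the unchanged `lock_arg = flock_zero;`, so the structure is zeroed twice by two different mechanisms. Keep one of them. Either drop the initializer and leave the `flock_zero` copy, or remove `flock_zero` and its assignment and keep `struct flock lock_arg = { 0 };` with a comment such as `/* zero every field before setting l_type/l_whence */`. The function body continues outside the hunk, so check that nothing else reads `flock_zero` before removing it.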
@@ -55,7 +51,7 @@ krb5_make_fulladdr(context, kaddr, kport, raddr) return EINVAL; raddr->length = kaddr->length + kport->length + (4 * sizeof(krb5_int32)); - if (!(raddr->contents = (krb5_octet FAR *)malloc(raddr->length))) + if (!(raddr->contents = (krb5_octet *)malloc(raddr->length))) return ENOMEM; raddr->addrtype = ADDRTYPE_ADDRPORT; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_read.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_read.c index e37e2ed4d4..cb90e81ba8 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_read.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_read.c @@ -42,11 +42,7 @@ /*ARGSUSED*/ int -krb5_net_read(context, fd, buf, len) - krb5_context context; - int fd; - register char *buf; - register int len; +krb5_net_read(krb5_context context, int fd, register char *buf, register int len) { int cc, len2 = 0; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_write.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_write.c index 30b41cb2ac..6f973b315b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_write.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/net_write.c @@ -41,11 +41,7 @@ /*ARGSUSED*/ int -krb5_net_write(context, fd, buf, len) - krb5_context context; - int fd; - register const char *buf; - int len; +krb5_net_write(krb5_context context, int fd, register const char *buf, int len) { int cc; register int wrlen = len; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/os-proto.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/os-proto.h index 15cd15ff87..c93da827b8 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/os-proto.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/os-proto.h @@ -1,8 +1,3 @@ -/* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - #pragma ident "%Z%%M% %I% %E% SMI" /* * lib/krb5/os/os-proto.h 
@@ -36,42 +31,52 @@ #ifndef KRB5_LIBOS_INT_PROTO__ #define KRB5_LIBOS_INT_PROTO__ -#ifdef SOCK_DGRAM /* XXX hack... */ +struct addrlist; krb5_error_code krb5_locate_kdc - PROTOTYPE((krb5_context, - const krb5_data *, - struct addrlist *, - int , - int , - int)); + (krb5_context, const krb5_data *, struct addrlist *, int, int, int); + +/* Solaris/SUNW14resync */ +krb5_error_code krb5_get_servername + (krb5_context, + const krb5_data *, + const char *, const char *, + char *, + unsigned short *); -krb5_error_code krb5_get_servername - PROTOTYPE((krb5_context, - const krb5_data *, - const char *, const char *, - char *, - unsigned short *)); -#endif #ifdef HAVE_NETINET_IN_H krb5_error_code krb5_unpack_full_ipaddr - PROTOTYPE((krb5_context, + (krb5_context, const krb5_address *, krb5_int32 *, - krb5_int16 *)); + krb5_int16 *); krb5_error_code krb5_make_full_ipaddr - PROTOTYPE((krb5_context, + (krb5_context, krb5_int32, int, /* unsigned short promotes to signed int */ - krb5_address **)); + krb5_address **); #endif /* HAVE_NETINET_IN_H */ krb5_error_code krb5_try_realm_txt_rr(const char *, const char *, char **realm); +/* Obsolete interface - leave prototype here until code removed */ +krb5_error_code krb5_secure_config_files(krb5_context ctx); + +int _krb5_use_dns_realm (krb5_context); +int _krb5_use_dns_kdc (krb5_context); +int _krb5_conf_boolean (const char *); + +#include "k5-thread.h" +extern k5_mutex_t krb5int_us_time_mutex; + +extern unsigned int krb5_max_skdc_timeout; +extern unsigned int krb5_skdc_timeout_shift; +extern unsigned int krb5_skdc_timeout_1; extern unsigned int krb5_max_dgram_size; + #endif /* KRB5_LIBOS_INT_PROTO__ */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/osconfig.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/osconfig.c index c6dc129a20..a36e578d7a 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/osconfig.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/osconfig.c 
@@ -34,10 +34,10 @@ char *krb5_defkeyname = DEFAULT_KEYTAB_NAME; -int krb5_max_dgram_size = MAX_DGRAM_SIZE; -int krb5_max_skdc_timeout = MAX_SKDC_TIMEOUT; -int krb5_skdc_timeout_shift = SKDC_TIMEOUT_SHIFT; -int krb5_skdc_timeout_1 = SKDC_TIMEOUT_1; +unsigned int krb5_max_dgram_size = MAX_DGRAM_SIZE; +unsigned int krb5_max_skdc_timeout = MAX_SKDC_TIMEOUT; +unsigned int krb5_skdc_timeout_shift = SKDC_TIMEOUT_SHIFT; +unsigned int krb5_skdc_timeout_1 = SKDC_TIMEOUT_1; char *krb5_default_pwd_prompt1 = DEFAULT_PWD_STRING1; char *krb5_default_pwd_prompt2 = DEFAULT_PWD_STRING2; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/port2ip.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/port2ip.c index d0ac17c31e..ad9e6ce805 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/port2ip.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/port2ip.c @@ -36,11 +36,7 @@ /*ARGSUSED*/ krb5_error_code -krb5_unpack_full_ipaddr(context, inaddr, adr, port) - krb5_context context; - const krb5_address *inaddr; - krb5_int32 *adr; - krb5_int16 *port; +krb5_unpack_full_ipaddr(krb5_context context, const krb5_address *inaddr, krb5_int32 *adr, krb5_int16 *port) { unsigned long smushaddr; unsigned short smushport; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/promptusr.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/promptusr.c index 755e7a474e..768f14f2d1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/promptusr.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/promptusr.c @@ -4,7 +4,7 @@ */ #include <k5-int.h> -#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) +#if !defined(_WIN32) #include <stdio.h> #include <stdlib.h> @@ -31,8 +31,7 @@ static jmp_buf pwd_jump; /*ARGSUSED*/ static krb5_sigtype -intr_routine(signo) - int signo; +intr_routine(int signo) { longjmp(pwd_jump, 1); /*NOTREACHED*/ 
@@ -40,9 +39,7 @@ intr_routine(signo) /*ARGSUSED*/ krb5_error_code -krb5_os_get_tty_uio(context, uio) - krb5_context context; - krb5_uio uio; +krb5_os_get_tty_uio(krb5_context context, krb5_uio uio) { volatile krb5_error_code retval; krb5_sigtype (*volatile ointrfunc)(); @@ -130,9 +127,7 @@ krb5_os_get_tty_uio(context, uio) /*ARGSUSED*/ void -krb5_free_uio(context, uio) - krb5_context context; - krb5_uio uio; +krb5_free_uio(krb5_context context, krb5_uio uio) { krb5_uio p, next; @@ -166,4 +161,4 @@ main(int argc, char **argv) #endif -#endif /* !_MSODS || _!MACINTOSH */ +#endif /* !_MSODS */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_msg.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_msg.c index e11ede7233..c9b86e1932 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_msg.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_msg.c @@ -29,15 +29,8 @@ #include "k5-int.h" #include <errno.h> -#ifndef ECONNABORTED -#define ECONNABORTED WSAECONNABORTED -#endif - krb5_error_code -krb5_read_message(context, fdp, inbuf) - krb5_context context; - krb5_pointer fdp; - krb5_data *inbuf; +krb5_read_message(krb5_context context, krb5_pointer fdp, krb5_data *inbuf) { krb5_int32 len; int len2, ilen; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_pwd.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_pwd.c index a09179e6a5..be00932936 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_pwd.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/read_pwd.c @@ -1,10 +1,9 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" - /* * lib/krb5/os/read_pwd.c * 
@@ -34,153 +33,263 @@ * libos: krb5_read_password for BSD 4.3 */ -#include <k5-int.h> +#include "k5-int.h" -#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) +#if !defined(_WIN32) #define DEFINED_KRB5_READ_PASSWORD #include <stdio.h> #include <errno.h> #include <signal.h> #include <setjmp.h> -/* - * Solaris kerberos: include this for internationalization - */ -#include <libintl.h> #ifndef ECHO_PASSWORD #include <termios.h> #endif /* ECHO_PASSWORD */ -static jmp_buf pwd_jump; - -/*ARGSUSED*/ -static krb5_sigtype -intr_routine(signo) - int signo; +krb5_error_code +krb5_read_password(krb5_context context, const char *prompt, const char *prompt2, char *return_pwd, unsigned int *size_return) { - longjmp(pwd_jump, 1); - /*NOTREACHED*/ + krb5_data reply_data; + krb5_prompt k5prompt; + krb5_error_code retval; + reply_data.length = *size_return; /* NB: size_return is also an input */ + reply_data.data = return_pwd; + k5prompt.prompt = (char *)prompt; + k5prompt.hidden = 1; + k5prompt.reply = &reply_data; + retval = krb5_prompter_posix(NULL, + NULL, NULL, NULL, 1, &k5prompt); + + if ((retval==0) && prompt2) { + krb5_data verify_data; + verify_data.data = malloc(*size_return); + verify_data.length = *size_return; + k5prompt.prompt = (char *)prompt2; + k5prompt.reply = &verify_data; + if (!verify_data.data) + return ENOMEM; + retval = krb5_prompter_posix(NULL, + NULL,NULL, NULL, 1, &k5prompt); + if (retval == 0) { + /* compare */ + if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) + retval = KRB5_LIBOS_BADPWDMATCH; + } + free(verify_data.data); + } + if (!retval) + *size_return = k5prompt.reply->length; + else + memset(return_pwd, 0, *size_return); + return retval; } +#endif -/*ARGSUSED*/ -krb5_error_code -krb5_read_password(context, prompt, prompt2, return_pwd, size_return) - krb5_context context; - const char *prompt; - const char *prompt2; - char *return_pwd; - unsigned int *size_return; -{ - /* adapted from Kerberos v4 des/read_password.c */ - 
/* readin_string is used after a longjmp, so must be volatile */ - char *volatile readin_string = 0; - register char *ptr; - int scratchchar; - krb5_sigtype (*volatile ointrfunc)(); - krb5_error_code errcode; -#ifndef ECHO_PASSWORD - struct termios echo_control, save_control; - int fd; +#if defined(_WIN32) +#define DEFINED_KRB5_READ_PASSWORD - /* get the file descriptor associated with stdin */ - fd=fileno(stdin); +#include <io.h> - if (tcgetattr(fd, &echo_control) == -1) - return errno; +typedef struct { + char *pwd_prompt; + char *pwd_prompt2; + char *pwd_return_pwd; + int *pwd_size_return; +} pwd_params; - save_control = echo_control; - echo_control.c_lflag &= ~(ECHO|ECHONL); +void center_dialog(HWND hwnd) +{ + int scrwidth, scrheight; + int dlgwidth, dlgheight; + RECT r; + HDC hdc; - if (tcsetattr(fd, TCSANOW, &echo_control) == -1) - return errno; -#endif /* ECHO_PASSWORD */ + if (hwnd == NULL) + return; + + GetWindowRect(hwnd, &r); + dlgwidth = r.right - r.left; + dlgheight = r.bottom - r.top ; + hdc = GetDC(NULL); + scrwidth = GetDeviceCaps(hdc, HORZRES); + scrheight = GetDeviceCaps(hdc, VERTRES); + ReleaseDC(NULL, hdc); + r.left = (scrwidth - dlgwidth) / 2; + r.top = (scrheight - dlgheight) / 2; + MoveWindow(hwnd, r.left, r.top, dlgwidth, dlgheight, TRUE); +} - if (setjmp(pwd_jump)) { - errcode = KRB5_LIBOS_PWDINTR; /* we were interrupted... 
*/ - goto cleanup; - } - /* save intrfunc */ - ointrfunc = signal(SIGINT, intr_routine); +#ifdef _WIN32 +static krb5_error_code +read_console_password( + krb5_context context, + const char * prompt, + const char * prompt2, + char * password, + int * pwsize) +{ + HANDLE handle; + DWORD old_mode, new_mode; + char *tmpstr = 0; + char *ptr; + int scratchchar; + krb5_error_code errcode = 0; + + handle = GetStdHandle(STD_INPUT_HANDLE); + if (handle == INVALID_HANDLE_VALUE) + return ENOTTY; + if (!GetConsoleMode(handle, &old_mode)) + return ENOTTY; + + new_mode = old_mode; + new_mode |= ( ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT ); + new_mode &= ~( ENABLE_ECHO_INPUT ); - /* put out the prompt */ - (void) fputs(dgettext(TEXT_DOMAIN, prompt), stdout); + if (!SetConsoleMode(handle, new_mode)) + return ENOTTY; + + (void) fputs(prompt, stdout); (void) fflush(stdout); - (void) memset(return_pwd, 0, *size_return); + (void) memset(password, 0, *pwsize); - if (fgets(return_pwd, *size_return, stdin) == NULL) { + if (fgets(password, *pwsize, stdin) == NULL) { (void) putchar('\n'); errcode = KRB5_LIBOS_CANTREADPWD; goto cleanup; } (void) putchar('\n'); - /* fgets always null-terminates the returned string */ - /* replace newline with null */ - if ((ptr = strchr(return_pwd, '\n'))) + if ((ptr = strchr(password, '\n'))) *ptr = '\0'; - else /* flush rest of input line */ + else /* need to flush */ do { scratchchar = getchar(); } while (scratchchar != EOF && scratchchar != '\n'); if (prompt2) { - /* put out the prompt */ - (void) fputs(dgettext(TEXT_DOMAIN, prompt2), stdout); - (void) fflush(stdout); - readin_string = malloc(*size_return); - if (!readin_string) { + if (! 
(tmpstr = (char *)malloc(*pwsize))) { errcode = ENOMEM; goto cleanup; } - (void) memset((char *)readin_string, 0, *size_return); - if (fgets((char *)readin_string, *size_return, stdin) == NULL) { + (void) fputs(prompt2, stdout); + (void) fflush(stdout); + if (fgets(tmpstr, *pwsize, stdin) == NULL) { (void) putchar('\n'); errcode = KRB5_LIBOS_CANTREADPWD; goto cleanup; } (void) putchar('\n'); - if ((ptr = strchr((char *)readin_string, '\n'))) + if ((ptr = strchr(tmpstr, '\n'))) *ptr = '\0'; - else /* need to flush */ + else /* need to flush */ do { scratchchar = getchar(); } while (scratchchar != EOF && scratchchar != '\n'); - - /* compare */ - if (strncmp(return_pwd, (char *)readin_string, *size_return)) { + + if (strncmp(password, tmpstr, *pwsize)) { errcode = KRB5_LIBOS_BADPWDMATCH; goto cleanup; } } - - errcode = 0; - + cleanup: - (void) signal(SIGINT, ointrfunc); -#ifndef ECHO_PASSWORD - if ((tcsetattr(fd, TCSANOW, &save_control) == -1) && - errcode == 0) - return errno; -#endif - if (readin_string) { - memset((char *)readin_string, 0, *size_return); - krb5_xfree(readin_string); + (void) SetConsoleMode(handle, old_mode); + if (tmpstr) { + (void) memset(tmpstr, 0, *pwsize); + (void) free(tmpstr); } if (errcode) - memset(return_pwd, 0, *size_return); + (void) memset(password, 0, *pwsize); else - *size_return = strlen(return_pwd); + *pwsize = strlen(password); return errcode; } -#else /* MSDOS */ +#endif + +static int CALLBACK +read_pwd_proc(HWND hdlg, UINT msg, WPARAM wParam, LPARAM lParam) +{ + pwd_params *dp; + + switch(msg) { + case WM_INITDIALOG: + dp = (pwd_params *) lParam; + SetWindowLong(hdlg, DWL_USER, lParam); + SetDlgItemText(hdlg, ID_READ_PWD_PROMPT, dp->pwd_prompt); + SetDlgItemText(hdlg, ID_READ_PWD_PROMPT2, dp->pwd_prompt2); + SetDlgItemText(hdlg, ID_READ_PWD_PWD, ""); + center_dialog(hdlg); + return TRUE; + + case WM_COMMAND: + dp = (pwd_params *) GetWindowLong(hdlg, DWL_USER); + switch (wParam) { + case IDOK: + *(dp->pwd_size_return) = + 
GetDlgItemText(hdlg, ID_READ_PWD_PWD, + dp->pwd_return_pwd, *(dp->pwd_size_return)); + EndDialog(hdlg, TRUE); + break; + + case IDCANCEL: + memset(dp->pwd_return_pwd, 0 , *(dp->pwd_size_return)); + *(dp->pwd_size_return) = 0; + EndDialog(hdlg, FALSE); + break; + } + return TRUE; + + default: + return FALSE; + } +} + +krb5_error_code KRB5_CALLCONV +krb5_read_password(context, prompt, prompt2, return_pwd, size_return) + krb5_context context; + const char *prompt; + const char *prompt2; + char *return_pwd; + int *size_return; +{ + DLGPROC dlgproc; + HINSTANCE hinst; + pwd_params dps; + int rc; + +#ifdef _WIN32 + if (_isatty(_fileno(stdin))) + return(read_console_password + (context, prompt, prompt2, return_pwd, size_return)); +#endif + + dps.pwd_prompt = prompt; + dps.pwd_prompt2 = prompt2; + dps.pwd_return_pwd = return_pwd; + dps.pwd_size_return = size_return; + + hinst = get_lib_instance(); +#ifdef _WIN32 + dlgproc = read_pwd_proc; +#else + dlgproc = (FARPROC) MakeProcInstance(read_pwd_proc, hinst); +#endif + rc = DialogBoxParam(hinst, MAKEINTRESOURCE(ID_READ_PWD_DIALOG), 0, + dlgproc, (LPARAM) &dps); +#ifndef _WIN32 + FreeProcInstance ((FARPROC) dlgproc); +#endif + return 0; +} +#endif #ifndef DEFINED_KRB5_READ_PASSWORD #define DEFINED_KRB5_READ_PASSWORD /* * Don't expect to be called, just define it for sanity and the linker. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_read_password(context, prompt, prompt2, return_pwd, size_return) krb5_context context; const char *prompt; @@ -191,6 +300,4 @@ krb5_read_password(context, prompt, prompt2, return_pwd, size_return) *size_return = 0; return KRB5_LIBOS_CANTREADPWD; } -#endif /* DEFINED_KRB5_READ_PASSWORD */ - -#endif /* MSDOS */ +#endif diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_dom.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_dom.c index ea0b9b0cc9..8af2e31ea3 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_dom.c 
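Review bot: The confirmation copy of the password is released with a bare `free(verify_data.data);` in the new non-Windows `krb5_read_password`, whereas the code this hunk removes cleared `readin_string` before freeing it. I would restore the scrub with `memset(verify_data.data, 0, *size_return);` immediately before the `free`. The early `return ENOMEM;` taken when the `malloc` fails also skips the `memset(return_pwd, 0, *size_return);` that the other failure paths reach, so the first entry stays in the caller's buffer; `if (!verify_data.data) { memset(return_pwd, 0, *size_return); return ENOMEM; }` would close that gap. A compiler may elide a `memset` that directly precedes `free`, so a non-elidable clearing helper would be preferable if the tree has one.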
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_dom.c @@ -1,4 +1,5 @@ #pragma ident "%Z%%M% %I% %E% SMI" + /* * lib/krb5/os/realm_dom.c * @@ -42,15 +43,12 @@ * This was hacked together from krb5_get_host_realm(). */ -#include <k5-int.h> +#include "k5-int.h" #include <ctype.h> #include <stdio.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_realm_domain(context, realm, domain) - krb5_context context; - const char *realm; - char **domain; +krb5_error_code KRB5_CALLCONV +krb5_get_realm_domain(krb5_context context, const char *realm, char **domain) { krb5_error_code retval; char *temp_domain = 0; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_iter.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_iter.c index 80fdfd63c6..9d933c0a3c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_iter.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/realm_iter.c @@ -27,16 +27,14 @@ * krb5_realm_iterate() */ -#include <k5-int.h> +#include "k5-int.h" #include <ctype.h> #include <stdio.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_realm_iterator_create(context, iter_p) - krb5_context context; - void **iter_p; +krb5_error_code KRB5_CALLCONV +krb5_realm_iterator_create(krb5_context context, void **iter_p) { - static const char *names[] = { "realms", 0 }; + static const char *const names[] = { "realms", 0 }; return profile_iterator_create(context->profile, names, PROFILE_ITER_LIST_SECTION | 
@@ -44,30 +42,20 @@ krb5_realm_iterator_create(context, iter_p) iter_p); } -/*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_realm_iterator(context, iter_p, ret_realm) - krb5_context context; - void **iter_p; - char **ret_realm; +krb5_error_code KRB5_CALLCONV +krb5_realm_iterator(krb5_context context, void **iter_p, char **ret_realm) { return profile_iterator(iter_p, ret_realm, 0); } -/*ARGSUSED*/ -KRB5_DLLIMP void KRB5_CALLCONV -krb5_realm_iterator_free(context, iter_p) - krb5_context context; - void **iter_p; +void KRB5_CALLCONV +krb5_realm_iterator_free(krb5_context context, void **iter_p) { profile_iterator_free(iter_p); } -/*ARGSUSED*/ -KRB5_DLLIMP void KRB5_CALLCONV -krb5_free_realm_string(context, str) - krb5_context context; - char *str; +void KRB5_CALLCONV +krb5_free_realm_string(krb5_context context, char *str) { profile_release_string(str); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sendto_kdc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sendto_kdc.c index 552447b812..ffd8cdc07d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sendto_kdc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sendto_kdc.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" 
@@ -60,10 +60,10 @@ /* #define DEFAULT_UDP_PREF_LIMIT 1465 */ #define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */ -extern krb5_error_code -krb5int_sendto (krb5_context context, const krb5_data *message, - const struct addrlist *addrs, krb5_data *reply, - struct sockaddr_storage *localaddr, socklen_t *localaddrlen); +krb5_error_code krb5int_sendto(krb5_context, const krb5_data *, + const struct addrlist *, krb5_data *, + struct sockaddr_storage *, + socklen_t *, int *); /* Solaris kerberos: leaving this here because other code depends on this. */ static void default_debug_handler (const void *data, size_t len) @@ -295,11 +295,11 @@ merge_addrlists (struct addrlist *dest, struct addrlist *src) krb5_error_code krb5_sendto_kdc (krb5_context context, const krb5_data *message, const krb5_data *realm, krb5_data *reply, - int use_master, int tcp_only) + int *use_master, int tcp_only) { krb5_error_code retval; struct addrlist addrs; - int socktype1 = 0, socktype2 = 0; + int socktype1 = 0, socktype2 = 0, addr_used; /* * find KDC location(s) for realm @@ -317,7 +317,7 @@ krb5_sendto_kdc (krb5_context context, const krb5_data *message, /*LINTED*/ dprint("krb5_sendto_kdc(%d@%p, \"%D\", use_master=%d, tcp_only=%d)\n", /*LINTED*/ - message->length, message->data, realm, use_master, tcp_only); + message->length, message->data, realm, *use_master, tcp_only); /* * Solaris Kerberos: keep it simple by not supporting a udp_preference_limit @@ -342,7 +342,7 @@ krb5_sendto_kdc (krb5_context context, const krb5_data *message, } #endif /**************** END IFDEF'ed OUT *******************************/ - retval = (use_master ? KRB5_KDC_UNREACH : KRB5_REALM_UNKNOWN); + retval = (*use_master ? KRB5_KDC_UNREACH : KRB5_REALM_UNKNOWN); if (tcp_only) socktype1 = SOCK_STREAM, socktype2 = 0; 
@@ -351,11 +351,11 @@ krb5_sendto_kdc (krb5_context context, const krb5_data *message, else socktype1 = SOCK_STREAM, socktype2 = SOCK_DGRAM; - retval = krb5_locate_kdc(context, realm, &addrs, use_master, socktype1, 0); + retval = krb5_locate_kdc(context, realm, &addrs, *use_master, socktype1, 0); if (socktype2) { struct addrlist addrs2; - retval = krb5_locate_kdc(context, realm, &addrs2, use_master, + retval = krb5_locate_kdc(context, realm, &addrs2, *use_master, socktype2, 0); if (retval == 0) { (void) merge_addrlists(&addrs, &addrs2); @@ -363,10 +363,38 @@ krb5_sendto_kdc (krb5_context context, const krb5_data *message, } } if (addrs.naddrs > 0) { - retval = krb5int_sendto (context, message, &addrs, reply, 0, 0); - krb5int_free_addrlist (&addrs); - if (retval == 0) + retval = krb5int_sendto (context, message, &addrs, reply, 0, 0, + &addr_used); + if (retval == 0) { + /* + * Set use_master to 1 if we ended up talking to a master when + * didn't explicitly request to + */ + + if (*use_master == 0) { + struct addrlist addrs3; + retval = krb5_locate_kdc(context, realm, &addrs3, 1, + addrs.addrs[addr_used]->ai_socktype, + addrs.addrs[addr_used]->ai_family); + if (retval == 0) { + int i; + for (i = 0; i < addrs3.naddrs; i++) { + if (addrs.addrs[addr_used]->ai_addrlen == + addrs3.addrs[i]->ai_addrlen && + memcmp(addrs.addrs[addr_used]->ai_addr, + addrs3.addrs[i]->ai_addr, + addrs.addrs[addr_used]->ai_addrlen) == 0) { + *use_master = 1; + break; + } + } + krb5int_free_addrlist (&addrs3); + } + } + krb5int_free_addrlist (&addrs); return 0; + } + krb5int_free_addrlist (&addrs); } return retval; } @@ -984,7 +1012,8 @@ krb5_error_code /*ARGSUSED*/ krb5int_sendto (krb5_context context, const krb5_data *message, const struct addrlist *addrs, krb5_data *reply, - struct sockaddr_storage *localaddr, socklen_t *localaddrlen) + struct sockaddr_storage *localaddr, socklen_t *localaddrlen, + int *addr_used) { int i, pass; int delay_this_pass = 2; 
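Review bot: `addr_used` is declared without an initial value and is then used as an index in `addrs.addrs[addr_used]` once `krb5int_sendto` returns 0, so the lookup relies entirely on the callee having stored a valid index. The later hunk in `krb5int_sendto` does assign `*addr_used = winning_conn` on the success path shown, but nothing in this hunk checks that the value lies within `addrs.naddrs`. I would initialise it at the declaration (`addr_used = -1`) and guard the master check with `if (*use_master == 0 && addr_used >= 0 && addr_used < addrs.naddrs)`. `krb5_sendto_kdc` starts outside this hunk, so any earlier validation of `use_master` itself is not visible here.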
@@ -1091,10 +1120,12 @@ krb5int_sendto (krb5_context context, const krb5_data *message, reply->length = (conns[winning_conn].x.in.pos - conns[winning_conn].x.in.buf); /*LINTED*/ - dprint("returning %d bytes in buffer %p\n", - (int) reply->length, reply->data); + dprint("returning %d bytes in buffer %p (winning_conn=%d)\n", + (int) reply->length, reply->data, winning_conn); retval = 0; conns[winning_conn].x.in.buf = 0; + if (addr_used) + *addr_used = winning_conn; if (localaddr != 0 && localaddrlen != 0 && *localaddrlen > 0) (void) getsockname(conns[winning_conn].fd, (struct sockaddr *)localaddr, localaddrlen); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sn2princ.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sn2princ.c index c30e6b6a6a..ef5e42b682 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sn2princ.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/sn2princ.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -7,7 +7,7 @@ /* * lib/krb5/os/sn2princ.c * - * Copyright 1991 by the Massachusetts Institute of Technology. + * Copyright 1991,2002 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -36,6 +36,7 @@ #define NEED_SOCKETS #include <k5-int.h> +#include "fake-addrinfo.h" #include <ctype.h> #include <netdb.h> #ifdef HAVE_SYS_PARAM_H 
@@ -53,13 +54,8 @@ extern void res_freehostent(struct hostent *); * Note, krb5_sname_to_principal() allocates memory for ret_princ. Be sure to * use krb5_free_principal() on ret_princ to free it when done referencing it. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_sname_to_principal(context, hostname, sname, type, ret_princ) - krb5_context context; - const char FAR * hostname; - const char FAR * sname; - krb5_int32 type; - krb5_principal FAR * ret_princ; +krb5_error_code KRB5_CALLCONV +krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, krb5_int32 type, krb5_principal *ret_princ) { char **hrealms, *realm, *remote_host; krb5_error_code retval; @@ -183,8 +179,8 @@ krb5_sname_to_principal(context, hostname, sname, type, ret_princ) if (type == KRB5_NT_SRV_HST) for (cp = remote_host; *cp; cp++) - if (isupper(*cp)) - *cp = tolower(*cp); + if (isupper((int) *cp)) + *cp = tolower((int) *cp); /* * Windows NT5's broken resolver gratuitously tacks on a diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/thread_safe.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/thread_safe.c new file mode 100644 index 0000000000..a259a8733f --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/thread_safe.c 
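Review bot: The new `(int)` casts in the `KRB5_NT_SRV_HST` lower-casing loop do not make the `isupper`/`tolower` calls safe, because a plain `char` above 0x7f is still negative after conversion to `int` where `char` is signed, and that is outside the range the ctype functions accept. `remote_host` is derived from the host name being canonicalised, so such bytes cannot be ruled out from what the hunk shows. Casting through `unsigned char` is the usual fix: `if (isupper((unsigned char) *cp)) *cp = tolower((unsigned char) *cp);`. `krb5_sname_to_principal` starts and ends outside this hunk.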
@@ -0,0 +1,41 @@ +#pragma ident "%Z%%M% %I% %E% SMI" +/* + * lib/krb5/os/thread_safec + * + * Copyright 2005 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * krb5_is_thread_safe() function. + */ + +#include "k5-int.h" + +krb5_boolean KRB5_CALLCONV +krb5_is_thread_safe(void) +{ +#if defined(ENABLE_THREADS) + return 1; +#else + return 0; +#endif +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/unlck_file.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/unlck_file.c index 9227f236c9..cdfb6b2e6f 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/unlck_file.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/unlck_file.c 
@@ -29,9 +29,7 @@ #include <stdio.h> krb5_error_code -krb5_unlock_file(context, fd) - krb5_context context; - int fd; +krb5_unlock_file(krb5_context context, int fd) { return krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ustime.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ustime.c index dc7e4cf8d1..e38005d7bc 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ustime.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/ustime.c @@ -34,11 +34,8 @@ #include <k5-int.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_us_timeofday(context, seconds, microseconds) - krb5_context context; - krb5_int32 FAR *seconds; - krb5_int32 FAR *microseconds; +krb5_error_code KRB5_CALLCONV +krb5_us_timeofday(krb5_context context, krb5_int32 *seconds, krb5_int32 *microseconds) { krb5_os_context os_ctx = context->os_context; krb5_int32 sec, usec; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/write_msg.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/write_msg.c index f6c781cf1c..c767b63c0f 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/write_msg.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/write_msg.c @@ -30,10 +30,7 @@ #include <errno.h> krb5_error_code -krb5_write_message(context, fdp, outbuf) - krb5_context context; - krb5_pointer fdp; - krb5_data *outbuf; +krb5_write_message(krb5_context context, krb5_pointer fdp, krb5_data *outbuf) { krb5_int32 len; int fd = *( (int *) fdp); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc-int.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc-int.h new file mode 100644 index 0000000000..00db4e386f --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc-int.h 
@@ -0,0 +1,79 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/keytab/rc-int.h + * + * Copyright 2004 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * This file contains constant and function declarations used in the + * file-based replay cache routines. 
+ */ + +#ifndef __KRB5_RCACHE_INT_H__ +#define __KRB5_RCACHE_INT_H__ + +int krb5int_rc_finish_init(void); + +void krb5int_rc_terminate(void); + +struct krb5_rc_st { + krb5_magic magic; + const struct _krb5_rc_ops *ops; + krb5_pointer data; + k5_mutex_t lock; +}; + +struct _krb5_rc_ops { + krb5_magic magic; + char *type; + krb5_error_code (KRB5_CALLCONV *init) + (krb5_context, krb5_rcache,krb5_deltat); /* create */ + krb5_error_code (KRB5_CALLCONV *recover) + (krb5_context, krb5_rcache); /* open */ + krb5_error_code (KRB5_CALLCONV *recover_or_init) + (krb5_context, krb5_rcache,krb5_deltat); + krb5_error_code (KRB5_CALLCONV *destroy) + (krb5_context, krb5_rcache); + krb5_error_code (KRB5_CALLCONV *close) + (krb5_context, krb5_rcache); + krb5_error_code (KRB5_CALLCONV *store) + (krb5_context, krb5_rcache,krb5_donot_replay *); + krb5_error_code (KRB5_CALLCONV *expunge) + (krb5_context, krb5_rcache); + krb5_error_code (KRB5_CALLCONV *get_span) + (krb5_context, krb5_rcache,krb5_deltat *); + char *(KRB5_CALLCONV *get_name) + (krb5_context, krb5_rcache); + krb5_error_code (KRB5_CALLCONV *resolve) + (krb5_context, krb5_rcache, char *); +}; + +typedef struct _krb5_rc_ops krb5_rc_ops; + +krb5_error_code krb5_rc_register_type (krb5_context, const krb5_rc_ops *); + +extern krb5_rc_ops *krb5_rc_dfl_ops; +extern const krb5_rc_ops krb5_rc_none_ops; + +#endif /* __KRB5_RCACHE_INT_H__ */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_base.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_base.c index c5b4c95fa4..243bf5cee2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_base.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_base.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
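Review bot: The new header `rc-int.h` declares `k5_mutex_t lock;` inside `struct krb5_rc_st` and uses `krb5_magic`, `krb5_rcache` and `KRB5_CALLCONV` without including anything, so it only compiles when every includer has pulled in `k5-int.h` and `k5-thread.h` first. The `os-proto.h` change earlier in this commit adds `#include "k5-thread.h"` right before its first `k5_mutex_t`; doing the same here would keep the two headers consistent. The banner comment also names the file as `lib/krb5/keytab/rc-int.h` although it lives under `rcache`; I would correct it to `lib/krb5/rcache/rc-int.h`.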
@@ -17,71 +17,112 @@ * Base "glue" functions for the replay cache. */ -#ifdef SEMAPHORE -#include <semaphore.h> -#endif #include "rc_base.h" #include "rc_common.h" #include "rc_mem.h" #include "rc_file.h" +#include <k5-thread.h> #define FREE_RC(x) ((void) free((char *) (x))) struct krb5_rc_typelist { - krb5_rc_ops *ops; + const krb5_rc_ops *ops; struct krb5_rc_typelist *next; }; static struct krb5_rc_typelist rc_mem_type = { &krb5_rc_mem_ops, 0 }; static struct krb5_rc_typelist krb5_rc_typelist_dfl = { &krb5_rc_file_ops, &rc_mem_type }; static struct krb5_rc_typelist *typehead = &krb5_rc_typelist_dfl; +static k5_mutex_t rc_typelist_lock = K5_MUTEX_PARTIAL_INITIALIZER; -#ifdef SEMAPHORE -semaphore ex_typelist = 1; -#endif +int krb5int_rc_finish_init(void) +{ + return k5_mutex_finish_init(&rc_typelist_lock); +} +void krb5int_rc_terminate(void) +{ + struct krb5_rc_typelist *t, *t_next; + k5_mutex_destroy(&rc_typelist_lock); + for (t = typehead; t != &krb5_rc_typelist_dfl; t = t_next) { + t_next = t->next; + free(t); + } +} /*ARGSUSED*/ -krb5_error_code krb5_rc_register_type(context, ops) - krb5_context context; - krb5_rc_ops *ops; +krb5_error_code krb5_rc_register_type(krb5_context context, + const krb5_rc_ops *ops) { struct krb5_rc_typelist *t; -#ifdef SEMAPHORE - down(&ex_typelist); -#endif + krb5_error_code err; + + err = k5_mutex_lock(&rc_typelist_lock); + if (err) + return err; + for (t = typehead;t && strcmp(t->ops->type,ops->type);t = t->next) ; -#ifdef SEMAPHORE - up(&ex_typelist); -#endif - if (t) + if (t) { + k5_mutex_unlock(&rc_typelist_lock); return KRB5_RC_TYPE_EXISTS; - if (!(t = (struct krb5_rc_typelist *) malloc(sizeof(struct krb5_rc_typelist)))) - return KRB5_RC_MALLOC; -#ifdef SEMAPHORE - down(&ex_typelist); -#endif + } + + t = (struct krb5_rc_typelist *) malloc(sizeof(struct krb5_rc_typelist)); + if (t == NULL) { + k5_mutex_unlock(&rc_typelist_lock); + return KRB5_RC_MALLOC; + } t->next = typehead; t->ops = ops; typehead = t; -#ifdef SEMAPHORE - 
up(&ex_typelist); -#endif + + k5_mutex_unlock(&rc_typelist_lock); return 0; } /*ARGSUSED*/ -char * krb5_rc_get_type(context, id) - krb5_context context; - krb5_rcache id; +krb5_error_code krb5_rc_resolve_type(krb5_context context, krb5_rcache *id, + char *type) +{ + struct krb5_rc_typelist *t; + krb5_error_code err; + err = k5_mutex_lock(&rc_typelist_lock); + if (err) + return err; + for (t = typehead;t && strcmp(t->ops->type,type);t = t->next) + ; + if (!t) { + k5_mutex_unlock(&rc_typelist_lock); + return KRB5_RC_TYPE_NOTFOUND; + } + /* allocate *id? nah */ + (*id)->ops = t->ops; + k5_mutex_unlock(&rc_typelist_lock); + return k5_mutex_init(&(*id)->lock); +} + +/*ARGSUSED*/ +char * krb5_rc_get_type(krb5_context context, krb5_rcache id) { return id->ops->type; } +char * krb5_rc_default_type(krb5_context context) +{ + char *s; + if ((s = getenv("KRB5RCACHETYPE"))) + return s; + else + /* + * Solaris Kerberos/SUNW14resync + * MIT's is "dfl" but we now have FILE and MEMORY instead. + */ + return "FILE"; +} + /*ARGSUSED*/ -char * krb5_rc_default_name(context) - krb5_context context; +char * krb5_rc_default_name(krb5_context context) { char *s; if ((s = getenv("KRB5RCNAME"))) 
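Review bot: `krb5int_rc_terminate` frees every dynamically registered node but leaves `typehead` pointing at the first freed one, so any later walk of the list by `krb5_rc_register_type` or `krb5_rc_resolve_type` would read freed memory. Adding `typehead = &krb5_rc_typelist_dfl;` after the loop restores the static default list. The function also destroys `rc_typelist_lock` before walking the list, which is safe only if no other thread can still be registering or resolving types at teardown; a short comment stating that assumption above the function would help the next reader.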
@@ -91,49 +132,7 @@ char * krb5_rc_default_name(context) } krb5_error_code -krb5_rc_resolve(krb5_context context, krb5_rcache id, char *name) -{ - struct krb5_rc_typelist *tlist; - char *cp, *pfx, *resid; - int pfxlen; - - cp = strchr(name, ':'); - if (!cp) - if (krb5_rc_dfl_ops) { - id->ops = krb5_rc_dfl_ops; - return ((*krb5_rc_dfl_ops->resolve)(context, id, name)); - } else - return (KRB5_RC_BADNAME); - - pfxlen = cp - name; - resid = name + pfxlen + 1; - - pfx = malloc(pfxlen + 1); - if (!pfx) - return (ENOMEM); - - memcpy(pfx, name, pfxlen); - pfx[pfxlen] = '\0'; - - for (tlist = typehead; tlist; tlist = tlist->next) - if (strcmp(tlist->ops->type, pfx) == 0) { - free(pfx); - id->ops = tlist->ops; - return ((*tlist->ops->resolve)(context, id, resid)); - } - if (krb5_rc_dfl_ops && !strcmp(pfx, krb5_rc_dfl_ops->type)) { - free(pfx); - id->ops = krb5_rc_dfl_ops; - return ((*krb5_rc_dfl_ops->resolve)(context, id, resid)); - } - free(pfx); - return (KRB5_RC_TYPE_NOTFOUND); -} - -krb5_error_code -krb5_rc_default(context, id) - krb5_context context; - krb5_rcache *id; +krb5_rc_default(krb5_context context, krb5_rcache *id) { krb5_error_code retval; 
@@ -142,28 +141,29 @@ krb5_rc_default(context, id) retval = krb5_rc_resolve(context, *id, krb5_rc_default_name(context)); - if (retval) + if (retval) { + k5_mutex_destroy(&(*id)->lock); FREE_RC(*id); + return retval; + } (*id)->magic = KV5M_RCACHE; return retval; } - -krb5_error_code krb5_rc_resolve_full(context, id, string_name) - krb5_context context; - krb5_rcache *id; - char *string_name; +krb5_error_code krb5_rc_resolve_full(krb5_context context, krb5_rcache *id, char *string_name) { char *type; char *residual; krb5_error_code retval; + unsigned int diff; if (!(residual = strchr(string_name,':'))) return KRB5_RC_PARSE; - - if (!(type = malloc(residual - string_name + 1))) + + diff = residual - string_name; + if (!(type = malloc(diff + 1))) return KRB5_RC_MALLOC; - (void) strncpy(type,string_name,residual - string_name); + (void) strncpy(type, string_name, diff); type[residual - string_name] = '\0'; if (!(*id = (krb5_rcache) malloc(sizeof(**id)))) { @@ -171,10 +171,19 @@ krb5_error_code krb5_rc_resolve_full(context, id, string_name) return KRB5_RC_MALLOC; } + if ((retval = krb5_rc_resolve_type(context, id,type))) { + FREE_RC(type); + k5_mutex_destroy(&(*id)->lock); + FREE_RC(*id); + return retval; + } FREE_RC(type); retval = krb5_rc_resolve(context, *id, residual + 1); - if (retval) + if (retval) { + k5_mutex_destroy(&(*id)->lock); FREE_RC(*id); + return retval; + } (*id)->magic = KV5M_RCACHE; return retval; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_conv.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_conv.c index 8411b94016..111cec388e 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_conv.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_conv.c 
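Review bot: In `krb5_rc_resolve_full`, the new failure branch after `krb5_rc_resolve_type` calls `k5_mutex_destroy(&(*id)->lock)` on a lock that was never initialised. `*id` comes straight from `malloc`, and `krb5_rc_resolve_type` (added in the earlier rc_base.c hunk) reaches `k5_mutex_init` only as its final statement, so each error return from it leaves `lock` holding uninitialised memory or a failed initialisation. I would drop the destroy call from that branch and keep only `FREE_RC(type); FREE_RC(*id); return retval;`. The destroy after a failed `krb5_rc_resolve` is fine in this function, since the lock has been initialised by then; whether the same holds in `krb5_rc_default` depends on code above that hunk.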
@@ -22,10 +22,7 @@ Local stuff: */ krb5_error_code -krb5_auth_to_rep(context, auth, rep) - krb5_context context; - krb5_tkt_authent *auth; - krb5_donot_replay *rep; +krb5_auth_to_rep(krb5_context context, krb5_tkt_authent *auth, krb5_donot_replay *rep) { krb5_error_code retval; rep->cusec = auth->authenticator->cusec; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.c index 547889c5ed..be81658f9f 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -96,15 +96,23 @@ krb5_rc_file_get_span(context, id, lifespan) krb5_rcache id; krb5_deltat *lifespan; { - *lifespan = ((struct file_data *) (id->data))->lifespan; - return 0; + krb5_error_code err; + struct file_data *t; + + err = k5_mutex_lock(&id->lock); + if (err) + return err; + t = (struct file_data *) id->data; + *lifespan = t->lifespan; + k5_mutex_unlock(&id->lock); + return 0; } krb5_error_code KRB5_CALLCONV -krb5_rc_file_init(context, id, lifespan) +krb5_rc_file_init_locked(context, id, lifespan) krb5_context context; -krb5_rcache id; -krb5_deltat lifespan; + krb5_rcache id; + krb5_deltat lifespan; { struct file_data *t = (struct file_data *)id->data; krb5_error_code retval; @@ -120,6 +128,19 @@ krb5_deltat lifespan; return 0; } +krb5_error_code KRB5_CALLCONV +krb5_rc_file_init(krb5_context context, krb5_rcache id, krb5_deltat lifespan) +{ + krb5_error_code retval; + + retval = k5_mutex_lock(&id->lock); + if (retval) + return retval; + retval = krb5_rc_file_init_locked(context, id, lifespan); + k5_mutex_unlock(&id->lock); + return retval; +} + krb5_error_code krb5_rc_file_close_no_free(context, id) krb5_context context; krb5_rcache id; 
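Review bot: krb5_rc_file_init_locked keeps external linkage, because the unchanged `krb5_error_code KRB5_CALLCONV` line above it still applies, while the other lock-held helpers added to rc_file.c (krb5_rc_file_recover_locked, krb5_rc_file_expunge_locked) are `static`. A function that is only correct when `id->lock` is already held should not be callable from other files; unless something outside rc_file.c needs it (no such caller is visible in this diff), declare it `static krb5_error_code krb5_rc_file_init_locked(...)`. The same applies to krb5_rc_mem_init_locked in rc_mem.c. The function body continues outside this hunk.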
@@ -151,7 +172,13 @@ krb5_rc_file_close(context, id) krb5_context context; krb5_rcache id; { + krb5_error_code retval; + retval = k5_mutex_lock(&id->lock); + if (retval) + return retval; krb5_rc_file_close_no_free(context, id); + k5_mutex_unlock(&id->lock); + k5_mutex_destroy(&id->lock); free(id); return 0; } @@ -159,7 +186,7 @@ krb5_rc_file_close(context, id) krb5_error_code KRB5_CALLCONV krb5_rc_file_destroy(context, id) krb5_context context; -krb5_rcache id; + krb5_rcache id; { if (krb5_rc_io_destroy(context, &((struct file_data *) (id->data))->d)) return KRB5_RC_IO; @@ -300,10 +327,13 @@ errout: return retval; } -krb5_error_code KRB5_CALLCONV -krb5_rc_file_recover(context, id) +static krb5_error_code +krb5_rc_file_expunge_locked(krb5_context context, krb5_rcache id); + +static krb5_error_code +krb5_rc_file_recover_locked(context, id) krb5_context context; -krb5_rcache id; + krb5_rcache id; { struct file_data *t = (struct file_data *)id->data; krb5_donot_replay *rep = 0; @@ -374,11 +404,41 @@ io_fail: if (retval) krb5_rc_io_close(context, &t->d); else if (expired_entries > EXCESSREPS) - retval = krb5_rc_file_expunge(context, id); + retval = krb5_rc_file_expunge_locked(context, id); t->recovering = 0; return retval; } + +krb5_error_code KRB5_CALLCONV +krb5_rc_file_recover(krb5_context context, krb5_rcache id) +{ + krb5_error_code ret; + ret = k5_mutex_lock(&id->lock); + if (ret) + return ret; + ret = krb5_rc_file_recover_locked(context, id); + k5_mutex_unlock(&id->lock); + return ret; +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_file_recover_or_init(krb5_context context, krb5_rcache id, + krb5_deltat lifespan) +{ + krb5_error_code retval; + + retval = k5_mutex_lock(&id->lock); + if (retval) + return retval; + retval = krb5_rc_file_recover_locked(context, id); + if (retval) + retval = krb5_rc_file_init_locked(context, id, lifespan); + k5_mutex_unlock(&id->lock); + return retval; +} + + static krb5_error_code krb5_rc_io_store (context, t, rep) krb5_context context; 
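Review bot: krb5_rc_file_recover_or_init overwrites `retval` from krb5_rc_file_recover_locked with the result of krb5_rc_file_init_locked, so every recover failure, not only a missing cache, leads to initialisation and the original error never reaches the caller. Both helpers' bodies are outside this hunk, so whether init can replace an existing but unreadable cache needs confirming. At minimum the fallback deserves a comment such as `/* any recover error falls back to init; the recover error code is discarded */`, and recording the discarded code would help diagnose a damaged replay cache.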
@@ -409,45 +469,63 @@ krb5_rc_io_store (context, t, rep) return ret; } +static krb5_error_code krb5_rc_file_expunge_locked(krb5_context, krb5_rcache); + krb5_error_code KRB5_CALLCONV krb5_rc_file_store(context, id, rep) krb5_context context; -krb5_rcache id; -krb5_donot_replay *rep; + krb5_rcache id; + krb5_donot_replay *rep; { krb5_error_code ret; - struct file_data *t = (struct file_data *)id->data; + struct file_data *t; + + ret = k5_mutex_lock(&id->lock); + if (ret) + return ret; + + t = (struct file_data *)id->data; switch(rc_store(context, id,rep)) { case CMP_MALLOC: + k5_mutex_unlock(&id->lock); return KRB5_RC_MALLOC; case CMP_REPLAY: + k5_mutex_unlock(&id->lock); return KRB5KRB_AP_ERR_REPEAT; - case CMP_EXPIRED: + case CMP_EXPIRED: + k5_mutex_unlock(&id->lock); return KRB5KRB_AP_ERR_SKEW; case CMP_HOHUM: break; default: /* wtf? */ ; } ret = krb5_rc_io_store (context, t, rep); - if (ret) + if (ret) { + k5_mutex_unlock(&id->lock); return ret; + } /* Shall we automatically expunge? */ if (t->nummisses > t->numhits + EXCESSREPS) { - return krb5_rc_file_expunge(context, id); + ret = krb5_rc_file_expunge_locked(context, id); + k5_mutex_unlock(&id->lock); + return ret; } else { - if (krb5_rc_io_sync(context, &t->d)) + if (krb5_rc_io_sync(context, &t->d)) { + k5_mutex_unlock(&id->lock); return KRB5_RC_IO; + } } + k5_mutex_unlock(&id->lock); return 0; } -krb5_error_code KRB5_CALLCONV -krb5_rc_file_expunge(context, id) +static krb5_error_code +krb5_rc_file_expunge_locked(context, id) krb5_context context; -krb5_rcache id; + krb5_rcache id; { struct file_data *t = (struct file_data *)id->data; struct authlist *q; @@ -464,7 +542,7 @@ krb5_rcache id; free(name); if (retval) return retval; - retval = krb5_rc_file_recover(context, id); + retval = krb5_rc_file_recover_locked(context, id); if (retval) return retval; t = (struct file_data *)id->data; /* point to recovered cache */ 
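Review bot: krb5_rc_file_store now repeats `k5_mutex_unlock(&id->lock)` at seven separate exit points, which makes it easy for a later edit to add a return that leaves the replay-cache lock held; a single `out:` label that unlocks and returns `ret` removes that risk without changing results. The added prototype `static krb5_error_code krb5_rc_file_expunge_locked(krb5_context, krb5_rcache);` also duplicates the one introduced earlier in this file above krb5_rc_file_recover_locked and can be dropped. The sketch below keeps the existing `default:` fall-through as it is.

```c
    /* … unchanged: k5_mutex_lock(&id->lock) check and t = id->data … */
    switch(rc_store(context, id,rep)) {
    case CMP_MALLOC:
	ret = KRB5_RC_MALLOC;
	goto out;
    case CMP_REPLAY:
	ret = KRB5KRB_AP_ERR_REPEAT;
	goto out;
    case CMP_EXPIRED:
	ret = KRB5KRB_AP_ERR_SKEW;
	goto out;
    case CMP_HOHUM:
	break;
    default: /* wtf? */ ;
    }
    ret = krb5_rc_io_store (context, t, rep);
    if (ret)
	goto out;
    /* Shall we automatically expunge? */
    if (t->nummisses > t->numhits + EXCESSREPS)
	ret = krb5_rc_file_expunge_locked(context, id);
    else if (krb5_rc_io_sync(context, &t->d))
	ret = KRB5_RC_IO;
out:
    /* single exit: the lock is released exactly once on every path */
    k5_mutex_unlock(&id->lock);
    return ret;
```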
@@ -473,6 +551,13 @@ krb5_rcache id; tmp = (krb5_rcache) malloc(sizeof(*tmp)); if (!tmp) return ENOMEM; + + retval = k5_mutex_init(&tmp->lock); + if (retval) { + free (tmp); + return retval; + } + tmp->ops = &krb5_rc_file_ops; if ((retval = krb5_rc_file_resolve(context, tmp, 0)) != 0) goto out; @@ -500,3 +585,15 @@ out: return (retval); } + +krb5_error_code KRB5_CALLCONV +krb5_rc_file_expunge(krb5_context context, krb5_rcache id) +{ + krb5_error_code ret; + ret = k5_mutex_lock(&id->lock); + if (ret) + return ret; + ret = krb5_rc_file_expunge_locked(context, id); + k5_mutex_unlock(&id->lock); + return ret; +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.h index 3400c5812b..0a670f4cac 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_file.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ /* @@ -24,6 +24,7 @@ extern "C" { #include "rc_common.h" #include "rc_io.h" +#include "rc-int.h" #ifndef EXCESSREPS #define EXCESSREPS 30 
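Review bot: The added `k5_mutex_init(&tmp->lock)` has no matching `k5_mutex_destroy` in the visible lines: the only cleanup shown is `free (tmp)` when the init itself fails, and the `out:` path that the following `goto out` reaches is outside this hunk. If `out:` frees `tmp` without destroying the lock, the mutex is leaked on every expunge. Confirm that the path calls `k5_mutex_destroy(&tmp->lock)` before `tmp` is freed, or add it there.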
@@ -56,42 +57,46 @@ struct file_data { extern krb5_rc_ops krb5_rc_file_ops; krb5_error_code KRB5_CALLCONV krb5_rc_file_init - PROTOTYPE((krb5_context, + (krb5_context, krb5_rcache, - krb5_deltat)); + krb5_deltat); krb5_error_code KRB5_CALLCONV krb5_rc_file_recover - PROTOTYPE((krb5_context, - krb5_rcache)); + (krb5_context, + krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_file_recover_or_init + (krb5_context, + krb5_rcache, + krb5_deltat); krb5_error_code KRB5_CALLCONV krb5_rc_file_destroy - PROTOTYPE((krb5_context, - krb5_rcache)); + (krb5_context, + krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_file_close - PROTOTYPE((krb5_context, - krb5_rcache)); + (krb5_context, + krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_file_store - PROTOTYPE((krb5_context, + (krb5_context, krb5_rcache, - krb5_donot_replay *)); + krb5_donot_replay *); krb5_error_code KRB5_CALLCONV krb5_rc_file_expunge - PROTOTYPE((krb5_context, - krb5_rcache)); + (krb5_context, + krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_file_get_span - PROTOTYPE((krb5_context, + (krb5_context, krb5_rcache, - krb5_deltat *)); + krb5_deltat *); char * KRB5_CALLCONV krb5_rc_file_get_name - PROTOTYPE((krb5_context, - krb5_rcache)); + (krb5_context, + krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_file_resolve - PROTOTYPE((krb5_context, + (krb5_context, krb5_rcache, - char *)); + char *); krb5_error_code krb5_rc_file_close_no_free - PROTOTYPE((krb5_context, - krb5_rcache)); + (krb5_context, + krb5_rcache); void krb5_rc_free_entry - PROTOTYPE((krb5_context, - krb5_donot_replay **)); + (krb5_context, + krb5_donot_replay **); #ifdef __cplusplus } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.c index 800280f427..94d401f7a6 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -17,7 +17,7 @@ * I/O functions for the replay cache default implementation. */ -#if defined(_MSDOS) || defined(_WIN32) +#if defined(_WIN32) # define PATH_SEPARATOR "\\" #else # define PATH_SEPARATOR "/" 
@@ -40,54 +40,45 @@ #endif #ifdef HAVE_NETINET_IN_H -#if !defined(_WINSOCKAPI_) && !defined(HAVE_MACSOCK_H) +#if !defined(_WINSOCKAPI_) #include <netinet/in.h> #endif #else - #error find some way to use net-byte-order file version numbers. -#endif - -#ifndef HAVE_ERRNO -extern int errno; /* this should be in errno.h, but isn't on some systems */ +#error find some way to use net-byte-order file version numbers. #endif #define free(x) ((void) free((char *) (x))) #define UNIQUE getpid() /* hopefully unique number */ -static int dirlen = 0; -static char *dir; - -/* The do ... while(0) is required to insure that GETDIR looks like a - single statement in all situations (just {}'s may cause troubles in - certain situations, such as nested if/else clauses. */ - -static int false = 0; -#define GETDIR do { if (!dirlen) getdir(); } while(false) +#define GETDIR (dir = getdir(), dirlen = strlen(dir) + sizeof(PATH_SEPARATOR) - 1) -static void +static char * getdir(void) { -#if defined(_MSDOS) || defined(_WIN32) + char *dir; + +#if defined(_WIN32) if (!(dir = getenv("TEMP"))) if (!(dir = getenv("TMP"))) - dir = "C:\\"; + dir = "C:"; #else if (geteuid() == 0) dir = "/var/krb5/rcache/root"; else dir = "/var/krb5/rcache"; #endif - dirlen = strlen(dir) + sizeof(PATH_SEPARATOR); + return dir; } -krb5_error_code krb5_rc_io_creat (context, d, fn) - krb5_context context; - krb5_rc_iostuff *d; - char **fn; +krb5_error_code +krb5_rc_io_creat(krb5_context context, krb5_rc_iostuff *d, char **fn) { char *c; krb5_int16 rc_vno = htons(KRB5_RC_VNO); - krb5_error_code retval; + krb5_error_code retval = 0; + int do_not_unlink = 0; + char *dir; + size_t dirlen; GETDIR; if (fn && *fn) 
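Review bot: The rewritten `GETDIR` macro assigns to `dir` and `dirlen`, which must exist as locals in every function that uses it, and `dirlen` now counts the directory plus the separator without the terminating NUL, whereas the old value included it. Neither fact is stated near the macro, yet the allocations that use it (`malloc(30 + dirlen)`, `malloc(strlen(fn) + dirlen + 1)`) depend on it. A comment above the define would do: `/* sets caller locals: dir, and dirlen = strlen(dir) + strlen(PATH_SEPARATOR), NUL not counted */`. krb5_rc_io_creat, which starts in this hunk, continues outside it.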
@@ -101,9 +92,9 @@ krb5_error_code krb5_rc_io_creat (context, d, fn) return KRB5_RC_IO_MALLOC; (void) strcpy(d->fn, dir); (void) strcat(d->fn, PATH_SEPARATOR); - (void) strcat(d->fn,*fn); + (void) strcat(d->fn, *fn); } - d->fd = THREEPARAMOPEN(d->fn,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_BINARY, 0600); + d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, 0600); } else { @@ -112,12 +103,14 @@ krb5_error_code krb5_rc_io_creat (context, d, fn) if (!(d->fn = malloc(30 + dirlen))) return KRB5_RC_IO_MALLOC; if (fn) - if (!(*fn = malloc(35))) - { free(d->fn); return KRB5_RC_IO_MALLOC; } - (void) sprintf(d->fn,"%s%skrb5_RC%d",dir,PATH_SEPARATOR,UNIQUE); + if (!(*fn = malloc(35))) { + free(d->fn); + return KRB5_RC_IO_MALLOC; + } + (void) sprintf(d->fn, "%s%skrb5_RC%d", dir, PATH_SEPARATOR, (int) UNIQUE); c = d->fn + strlen(d->fn); - (void) strcpy(c,"aaa"); - while ((d->fd = THREEPARAMOPEN(d->fn,O_WRONLY|O_CREAT|O_TRUNC|O_EXCL|O_BINARY,0600)) == -1) + (void) strcpy(c, "aaa"); + while ((d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, 0600)) == -1) { if ((c[2]++) == 'z') { @@ -131,10 +124,10 @@ krb5_error_code krb5_rc_io_creat (context, d, fn) } } if (fn) - (void) strcpy(*fn,d->fn + dirlen); + (void) strcpy(*fn, d->fn + dirlen); } if (d->fd == -1) - { + { switch(errno) { case EFBIG: 
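Review bot: The buffer sizes `30 + dirlen` and `35` are bare literals, and the `sprintf` of `"%s%skrb5_RC%d"` followed by `strcpy(c, "aaa")` fits only because of the printed width of the process id, which the code does not state. Name the sizes and bound the write, for example `(void) snprintf(d->fn, 30 + dirlen, "%s%skrb5_RC%d", dir, PATH_SEPARATOR, (int) UNIQUE);`, so a later change to the name format cannot overrun `d->fn`. krb5_rc_io_creat starts and ends outside this hunk.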
@@ -143,45 +136,56 @@ krb5_error_code krb5_rc_io_creat (context, d, fn) #endif case ENOSPC: retval = KRB5_RC_IO_SPACE; - goto fail; + goto cleanup; case EIO: - retval = KRB5_RC_IO_IO; goto fail; + retval = KRB5_RC_IO_IO; + goto cleanup; case EPERM: case EACCES: case EROFS: case EEXIST: - retval = KRB5_RC_IO_PERM; goto no_unlink; + retval = KRB5_RC_IO_PERM; + do_not_unlink = 1; + goto cleanup; default: - retval = KRB5_RC_IO_UNKNOWN; goto fail; + retval = KRB5_RC_IO_UNKNOWN; + goto cleanup; } + } + + retval = krb5_rc_io_write(context, d, (krb5_pointer)&rc_vno, + sizeof(rc_vno)); + if (retval) + goto cleanup; + + retval = krb5_rc_io_sync(context, d); + + cleanup: + if (retval) { + if (d->fn) { + if (!do_not_unlink) + (void) unlink(d->fn); + free(d->fn); + d->fn = NULL; + } + (void) close(d->fd); } - if (((retval = krb5_rc_io_write(context, d, (krb5_pointer)&rc_vno, sizeof(rc_vno))) != 0) || - (retval = krb5_rc_io_sync(context, d) != 0)) - { - fail: - (void) unlink(d->fn); - no_unlink: - syslog(LOG_ERR, "Could not create replay cache %s\n", d->fn); /* SUNW */ - free(d->fn); - d->fn = NULL; - (void) close(d->fd); - return retval; - } - return 0; + return retval; } -krb5_error_code krb5_rc_io_open (context, d, fn) - krb5_context context; - krb5_rc_iostuff *d; - char *fn; +static krb5_error_code +krb5_rc_io_open_internal(krb5_context context, krb5_rc_iostuff *d, char *fn, +char* full_pathname) { krb5_int16 rc_vno; krb5_error_code retval = 0; int do_not_unlink = 1; struct stat lstatb, fstatb; int use_errno = 0; + char *dir; + size_t dirlen; GETDIR; if (fn[0] == '/') { 
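Review bot: The new `cleanup:` block in krb5_rc_io_creat calls `close(d->fd)` unconditionally and leaves the old descriptor number in `d->fd`, while krb5_rc_io_close in this same commit treats `-1` as "not open". On the open-failure path this is `close(-1)`, and after a write or sync failure a later krb5_rc_io_close on the same `d` would close the number a second time, when it may already belong to another file. Use `if (d->fd != -1) { (void) close(d->fd); d->fd = -1; }`. The hunk also removes the `syslog(LOG_ERR, "Could not create replay cache %s\n", d->fn)` call marked SUNW; if operators rely on that message, keep it in `cleanup:` before `free(d->fn)`.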
@@ -191,9 +195,9 @@ krb5_error_code krb5_rc_io_open (context, d, fn) } else { if (!(d->fn = malloc(strlen(fn) + dirlen + 1))) return KRB5_RC_IO_MALLOC; - (void) strcpy(d->fn,dir); - (void) strcat(d->fn,PATH_SEPARATOR); - (void) strcat(d->fn,fn); + (void) strcpy(d->fn, dir); + (void) strcat(d->fn, PATH_SEPARATOR); + (void) strcat(d->fn, fn); } /* Solaris: BEGIN made changes to be safer and better code structure */ @@ -248,6 +252,7 @@ krb5_error_code krb5_rc_io_open (context, d, fn) goto cleanup; } + do_not_unlink = 0; retval = krb5_rc_io_read(context, d, (krb5_pointer) &rc_vno, sizeof(rc_vno)); if (retval) 
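Review bot: The added `do_not_unlink = 0;` is undocumented, and it changes what can happen to an existing replay cache: the flag starts at 1 in krb5_rc_io_open_internal, and presumably the `cleanup:` code (outside this hunk) unlinks `d->fn` once it is 0, so a failed or mismatched version read would remove the file. Removing a replay cache discards the authenticators it recorded, so the intent should be written down, e.g. `/* file passed the checks above; from here a bad header means the cache is unusable and may be removed */`. Confirm against the cleanup block that this is the intended behaviour.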
@@ -298,122 +303,162 @@ cleanup: } krb5_error_code +krb5_rc_io_open(krb5_context context, krb5_rc_iostuff *d, char *fn) +{ + return krb5_rc_io_open_internal(context, d, fn, NULL); +} + +krb5_error_code krb5_rc_io_move(krb5_context context, krb5_rc_iostuff *new1, krb5_rc_iostuff *old) { - char *fn = NULL; - -#if defined(_MSDOS) || defined(_WIN32) +#if defined(_WIN32) + char *new_fn = NULL; + char *old_fn = NULL; + off_t offset = 0; + krb5_error_code retval = 0; /* - * Work around provided by Tom Sanfilippo to work around poor - * Windows emulation of POSIX functions. Rename and dup has + * Initial work around provided by Tom Sanfilippo to work around + * poor Windows emulation of POSIX functions. Rename and dup has * different semantics! + * + * Additional fixes and explanation provided by dalmeida@mit.edu: + * + * First, we save the offset of "old". Then, we close and remove + * the "new" file so we can do the rename. We also close "old" to + * make sure the rename succeeds (though that might not be + * necessary on some systems). + * + * Next, we do the rename. If all goes well, we seek the "new" + * file to the position "old" was at. + * + * --- WARNING!!! --- + * + * Since "old" is now gone, we mourn its disappearance, but we + * cannot emulate that Unix behavior... THIS BEHAVIOR IS + * DIFFERENT FROM UNIX. However, it is ok because this function + * gets called such that "old" gets closed right afterwards. */ - char *fn = NULL; - GETDIR; - close(new->fd); - unlink(new->fn); + offset = lseek(old->fd, 0, SEEK_CUR); + + new_fn = new1->fn; + new1->fn = NULL; + close(new1->fd); + new1->fd = -1; + + unlink(new_fn); + + old_fn = old->fn; + old->fn = NULL; close(old->fd); - if (rename(old->fn,new->fn) == -1) /* MUST be atomic! 
*/ - return KRB5_RC_IO_UNKNOWN; - if (!(fn = malloc(strlen(new->fn) - dirlen + 1))) - return KRB5_RC_IO_MALLOC; - strcpy(fn, new->fn + dirlen); - krb5_rc_io_close(context, new); - krb5_rc_io_open(context, new, fn); - free(fn); + old->fd = -1; + + if (rename(old_fn, new_fn) == -1) { /* MUST be atomic! */ + retval = KRB5_RC_IO_UNKNOWN; + goto cleanup; + } + + retval = krb5_rc_io_open_internal(context, new1, 0, new_fn); + if (retval) + goto cleanup; + + if (lseek(new1->fd, offset, SEEK_SET) == -1) { + retval = KRB5_RC_IO_UNKNOWN; + goto cleanup; + } + + cleanup: + free(new_fn); + free(old_fn); + return retval; #else + char *fn = NULL; if (rename(old->fn, new1->fn) == -1) /* MUST be atomic! */ return KRB5_RC_IO_UNKNOWN; fn = new1->fn; new1->fn = NULL; /* avoid clobbering */ (void) krb5_rc_io_close(context, new1); new1->fn = fn; -#ifdef macintosh - new1->fd = fcntl(old->fd, F_DUPFD); -#else new1->fd = dup(old->fd); -#endif -#endif return 0; +#endif } -/*ARGSUSED*/ -krb5_error_code krb5_rc_io_write (context, d, buf, num) - krb5_context context; - krb5_rc_iostuff *d; - krb5_pointer buf; - int num; +krb5_error_code +krb5_rc_io_write(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf, + unsigned int num) { - if (write(d->fd,(char *) buf,num) == -1) - switch(errno) - { - case EBADF: return KRB5_RC_IO_UNKNOWN; - case EFBIG: return KRB5_RC_IO_SPACE; + if (write(d->fd, (char *) buf, num) == -1) + switch(errno) + { + case EBADF: return KRB5_RC_IO_UNKNOWN; + case EFBIG: return KRB5_RC_IO_SPACE; #ifdef EDQUOT - case EDQUOT: return KRB5_RC_IO_SPACE; + case EDQUOT: return KRB5_RC_IO_SPACE; #endif - case ENOSPC: return KRB5_RC_IO_SPACE; - case EIO: return KRB5_RC_IO_IO; - default: return KRB5_RC_IO_UNKNOWN; - } - return 0; + case ENOSPC: return KRB5_RC_IO_SPACE; + case EIO: return KRB5_RC_IO_IO; + default: return KRB5_RC_IO_UNKNOWN; + } + return 0; } -/*ARGSUSED*/ -krb5_error_code krb5_rc_io_sync (context, d) - krb5_context context; - krb5_rc_iostuff *d; +krb5_error_code 
+krb5_rc_io_sync(krb5_context context, krb5_rc_iostuff *d) { -#if !defined(MSDOS_FILESYSTEM) && !defined(macintosh) +#if defined(_WIN32) +#ifndef fsync +#define fsync _commit +#endif +#endif if (fsync(d->fd) == -1) { - switch(errno) - { - case EBADF: return KRB5_RC_IO_UNKNOWN; - case EIO: return KRB5_RC_IO_IO; - default: return KRB5_RC_IO_UNKNOWN; - } + switch(errno) + { + case EBADF: return KRB5_RC_IO_UNKNOWN; + case EIO: return KRB5_RC_IO_IO; + default: return KRB5_RC_IO_UNKNOWN; + } } -#endif return 0; } /*ARGSUSED*/ -krb5_error_code krb5_rc_io_read (context, d, buf, num) - krb5_context context; - krb5_rc_iostuff *d; - krb5_pointer buf; - int num; +krb5_error_code +krb5_rc_io_read(krb5_context context, krb5_rc_iostuff *d, krb5_pointer buf, + unsigned int num) { - int count; - if ((count = read(d->fd,(char *) buf,num)) == -1) - switch(errno) - { - case EBADF: return KRB5_RC_IO_UNKNOWN; - case EIO: return KRB5_RC_IO_IO; - default: return KRB5_RC_IO_UNKNOWN; - } - if (count == 0) - return KRB5_RC_IO_EOF; - return 0; + int count; + if ((count = read(d->fd, (char *) buf, num)) == -1) + switch(errno) + { + case EBADF: return KRB5_RC_IO_UNKNOWN; + case EIO: return KRB5_RC_IO_IO; + default: return KRB5_RC_IO_UNKNOWN; + } + if (count == 0) + return KRB5_RC_IO_EOF; + return 0; } /*ARGSUSED*/ -krb5_error_code krb5_rc_io_close (context, d) - krb5_context context; - krb5_rc_iostuff *d; +krb5_error_code +krb5_rc_io_close(krb5_context context, krb5_rc_iostuff *d) { - free(d->fn); - d->fn = NULL; - if (close(d->fd) == -1) /* can't happen */ - return KRB5_RC_IO_UNKNOWN; - return 0; + if (d->fn != NULL) { + free(d->fn); + d->fn = NULL; + } + if (d->fd != -1) { + if (close(d->fd) == -1) /* can't happen */ + return KRB5_RC_IO_UNKNOWN; + d->fd = -1; + } + return 0; } /*ARGSUSED*/ -krb5_error_code krb5_rc_io_destroy (context, d) - krb5_context context; - krb5_rc_iostuff *d; +krb5_error_code +krb5_rc_io_destroy(krb5_context context, krb5_rc_iostuff *d) { if (unlink(d->fn) == -1) 
switch(errno) @@ -429,32 +474,28 @@ krb5_error_code krb5_rc_io_destroy (context, d) } /*ARGSUSED*/ -krb5_error_code krb5_rc_io_mark (context, d) - krb5_context context; - krb5_rc_iostuff *d; +krb5_error_code +krb5_rc_io_mark(krb5_context context, krb5_rc_iostuff *d) { - d->mark = lseek(d->fd,0,SEEK_CUR); /* can't fail */ - return 0; + d->mark = lseek(d->fd, (off_t) 0, SEEK_CUR); /* can't fail */ + return 0; } /*ARGSUSED*/ -krb5_error_code krb5_rc_io_unmark (context, d) - krb5_context context; - krb5_rc_iostuff *d; +krb5_error_code +krb5_rc_io_unmark(krb5_context context, krb5_rc_iostuff *d) { - (void) lseek(d->fd,d->mark,SEEK_SET); /* if it fails, tough luck */ - return 0; + (void) lseek(d->fd, d->mark, SEEK_SET); /* if it fails, tough luck */ + return 0; } /*ARGSUSED*/ long -krb5_rc_io_size (context, d) - krb5_context context; - krb5_rc_iostuff *d; +krb5_rc_io_size(krb5_context context, krb5_rc_iostuff *d) { struct stat statb; - if (fstat (d->fd, &statb) == 0) + if (fstat(d->fd, &statb) == 0) return statb.st_size; else return 0; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.h index 45e4b4962d..df9254d75c 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_io.h @@ -20,7 +20,7 @@ typedef struct krb5_rc_iostuff #ifdef MSDOS_FILESYSTEM long mark; #else - int mark; /* on newer systems, should be pos_t */ + off_t mark; /* on newer systems, should be pos_t */ #endif char *fn; } 
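Review bot: In the non-Windows branch of krb5_rc_io_move the result of `dup(old->fd)` is stored and the function returns 0 without checking it, so a failed `dup` leaves `new1->fd == -1` behind a success code; add `if (new1->fd == -1) return KRB5_RC_IO_UNKNOWN;`. In the same hunk krb5_rc_io_write tests `write()` only for -1, so a short write of a replay record is reported as success; comparing the return value with `num` would catch it. The `_WIN32` branch passes `0` as `fn` to krb5_rc_io_open_internal, whose visible body reads `fn[0]`; whether `full_pathname` is tested first cannot be seen here.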
@@ -29,43 +29,43 @@ krb5_rc_iostuff; /* first argument is always iostuff for result file */ krb5_error_code krb5_rc_io_creat - PROTOTYPE((krb5_context, + (krb5_context, krb5_rc_iostuff *, - char **)); + char **); krb5_error_code krb5_rc_io_open - PROTOTYPE((krb5_context, + (krb5_context, krb5_rc_iostuff *, - char *)); + char *); krb5_error_code krb5_rc_io_move - PROTOTYPE((krb5_context, + (krb5_context, krb5_rc_iostuff *, - krb5_rc_iostuff *)); + krb5_rc_iostuff *); krb5_error_code krb5_rc_io_write - PROTOTYPE((krb5_context, + (krb5_context, krb5_rc_iostuff *, krb5_pointer, - int)); + unsigned int); krb5_error_code krb5_rc_io_read - PROTOTYPE((krb5_context, + (krb5_context, krb5_rc_iostuff *, krb5_pointer, - int)); + unsigned int); krb5_error_code krb5_rc_io_close - PROTOTYPE((krb5_context, - krb5_rc_iostuff *)); + (krb5_context, + krb5_rc_iostuff *); krb5_error_code krb5_rc_io_destroy - PROTOTYPE((krb5_context, - krb5_rc_iostuff *)); + (krb5_context, + krb5_rc_iostuff *); krb5_error_code krb5_rc_io_mark - PROTOTYPE((krb5_context, - krb5_rc_iostuff *)); + (krb5_context, + krb5_rc_iostuff *); krb5_error_code krb5_rc_io_unmark - PROTOTYPE((krb5_context, - krb5_rc_iostuff *)); + (krb5_context, + krb5_rc_iostuff *); krb5_error_code krb5_rc_io_sync - PROTOTYPE((krb5_context, - krb5_rc_iostuff *)); + (krb5_context, + krb5_rc_iostuff *); long krb5_rc_io_size - PROTOTYPE((krb5_context, - krb5_rc_iostuff *)); + (krb5_context, + krb5_rc_iostuff *); #endif diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.c index 4acfaae464..6390c37e77 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -98,12 +98,20 @@ krb5_rc_mem_get_span( krb5_rcache id, krb5_deltat *lifespan) { - *lifespan = ((struct mem_data *)(id->data))->lifespan; - return (0); + krb5_error_code err; + struct mem_data *t; + + err = k5_mutex_lock(&id->lock); + if (err) + return err; + t = (struct mem_data *) id->data; + *lifespan = t->lifespan; + k5_mutex_unlock(&id->lock); + return 0; } krb5_error_code KRB5_CALLCONV -krb5_rc_mem_init(krb5_context context, krb5_rcache id, krb5_deltat lifespan) +krb5_rc_mem_init_locked(krb5_context context, krb5_rcache id, krb5_deltat lifespan) { struct mem_data *t = (struct mem_data *)id->data; krb5_error_code retval; @@ -114,6 +122,20 @@ krb5_rc_mem_init(krb5_context context, krb5_rcache id, krb5_deltat lifespan) } krb5_error_code KRB5_CALLCONV +krb5_rc_mem_init(krb5_context context, krb5_rcache id, krb5_deltat lifespan) +{ + krb5_error_code retval; + + retval = k5_mutex_lock(&id->lock); + if (retval) + return retval; + retval = krb5_rc_mem_init_locked(context, id, lifespan); + k5_mutex_unlock(&id->lock); + return retval; +} + + +krb5_error_code KRB5_CALLCONV krb5_rc_mem_close_no_free(krb5_context context, krb5_rcache id) { struct mem_data *t = (struct mem_data *)id->data; @@ -139,9 +161,15 @@ krb5_rc_mem_close_no_free(krb5_context context, krb5_rcache id) krb5_error_code KRB5_CALLCONV krb5_rc_mem_close(krb5_context context, krb5_rcache id) { - krb5_rc_mem_close_no_free(context, id); - free(id); - return (0); + krb5_error_code retval; + retval = k5_mutex_lock(&id->lock); + if (retval) + return retval; + krb5_rc_mem_close_no_free(context, id); + k5_mutex_unlock(&id->lock); + k5_mutex_destroy(&id->lock); + free(id); + return 0; } krb5_error_code KRB5_CALLCONV 
@@ -195,10 +223,27 @@ cleanup: krb5_error_code KRB5_CALLCONV krb5_rc_mem_recover(krb5_context context, krb5_rcache id) { + /* SUNW14resync - No need for locking here, just returning RC_NOIO */ return (KRB5_RC_NOIO); } krb5_error_code KRB5_CALLCONV +krb5_rc_mem_recover_or_init(krb5_context context, krb5_rcache id, + krb5_deltat lifespan) +{ + krb5_error_code retval; + + retval = k5_mutex_lock(&id->lock); + if (retval) + return retval; + retval = krb5_rc_mem_recover(context, id); + if (retval) + retval = krb5_rc_mem_init_locked(context, id, lifespan); + k5_mutex_unlock(&id->lock); + return retval; +} + +krb5_error_code KRB5_CALLCONV krb5_rc_mem_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep) { krb5_error_code ret; diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.h b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.h index 9cfe2bf4ce..ea9de12f39 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.h +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rc_mem.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -8,6 +8,8 @@ #pragma ident "%Z%%M% %I% %E% SMI" +#include "rc-int.h" + #ifdef __cplusplus extern "C" { #endif 
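Review bot: krb5_rc_mem_recover_or_init always reaches krb5_rc_mem_init_locked, because krb5_rc_mem_recover, shown just above it, unconditionally returns `KRB5_RC_NOIO`. If krb5_rc_mem_init_locked resets the in-memory table (its body is outside this hunk, so this needs confirming), calling recover_or_init on a MEMORY cache that is already in use would drop the authenticators recorded so far. Either call krb5_rc_mem_init_locked directly with a comment saying recovery is not possible for this type, or make the init path leave an already initialised cache untouched.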
@@ -33,27 +35,29 @@ struct mem_data { extern krb5_rc_ops krb5_rc_mem_ops; krb5_error_code KRB5_CALLCONV krb5_rc_mem_init - PROTOTYPE((krb5_context, krb5_rcache, krb5_deltat)); + (krb5_context, krb5_rcache, krb5_deltat); krb5_error_code KRB5_CALLCONV krb5_rc_mem_recover - PROTOTYPE((krb5_context, krb5_rcache)); + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_mem_recover_or_init + (krb5_context, krb5_rcache, krb5_deltat); krb5_error_code KRB5_CALLCONV krb5_rc_mem_destroy - PROTOTYPE((krb5_context, krb5_rcache)); + (krb5_context, krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_mem_close - PROTOTYPE((krb5_context, krb5_rcache)); + (krb5_context, krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_mem_store - PROTOTYPE((krb5_context, krb5_rcache, krb5_donot_replay *)); + (krb5_context, krb5_rcache, krb5_donot_replay *); krb5_error_code KRB5_CALLCONV krb5_rc_mem_expunge - PROTOTYPE((krb5_context, krb5_rcache)); + (krb5_context, krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_mem_get_span - PROTOTYPE((krb5_context, krb5_rcache, krb5_deltat *)); + (krb5_context, krb5_rcache, krb5_deltat *); char *KRB5_CALLCONV krb5_rc_mem_get_name - PROTOTYPE((krb5_context, krb5_rcache)); + (krb5_context, krb5_rcache); krb5_error_code KRB5_CALLCONV krb5_rc_mem_resolve - PROTOTYPE((krb5_context, krb5_rcache, char *)); + (krb5_context, krb5_rcache, char *); krb5_error_code krb5_rc_mem_close_no_free - PROTOTYPE((krb5_context, krb5_rcache)); + (krb5_context, krb5_rcache); void krb5_rc_free_entry - PROTOTYPE((krb5_context, krb5_donot_replay **)); + (krb5_context, krb5_donot_replay **); #ifdef __cplusplus } diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rcdef.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rcdef.c index 95a1553cd4..8dc9fd0418 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rcdef.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rcdef.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -36,11 +36,16 @@ #include "rc_mem.h" +/* + * Solaris Kerberos + * MIT 1.4 just has "dfl" while we now have "FILE" and "MEMORY". + */ krb5_rc_ops krb5_rc_file_ops = { 0, "FILE", krb5_rc_file_init, krb5_rc_file_recover, + krb5_rc_file_recover_or_init, krb5_rc_file_destroy, krb5_rc_file_close, krb5_rc_file_store, @@ -55,6 +60,7 @@ krb5_rc_ops krb5_rc_mem_ops = { "MEMORY", krb5_rc_mem_init, krb5_rc_mem_recover, + krb5_rc_mem_recover_or_init, krb5_rc_mem_destroy, krb5_rc_mem_close, krb5_rc_mem_store, diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rcfns.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rcfns.c new file mode 100644 index 0000000000..8162666755 --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/rcfns.c 
@@ -0,0 +1,97 @@ +#pragma ident "%Z%%M% %I% %E% SMI" + +/* + * lib/krb5/rcache/rcfns.c + * + * Copyright 2001 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +/* + * Dispatch methods for replay cache code. 
+ */ + +#include "k5-int.h" +#include "rc-int.h" + +krb5_error_code KRB5_CALLCONV +krb5_rc_initialize (krb5_context context, krb5_rcache id, krb5_deltat span) +{ + return krb5_x(id->ops->init,(context, id, span)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_recover_or_initialize (krb5_context context, krb5_rcache id, + krb5_deltat span) +{ + return krb5_x(id->ops->recover_or_init,(context, id, span)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_recover (krb5_context context, krb5_rcache id) +{ + return krb5_x((id)->ops->recover,(context, id)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_destroy (krb5_context context, krb5_rcache id) +{ + return krb5_x((id)->ops->destroy,(context, id)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_close (krb5_context context, krb5_rcache id) +{ + return krb5_x((id)->ops->close,(context, id)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_store (krb5_context context, krb5_rcache id, + krb5_donot_replay *dontreplay) +{ + return krb5_x((id)->ops->store,(context, id, dontreplay)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_expunge (krb5_context context, krb5_rcache id) +{ + return krb5_x((id)->ops->expunge,(context, id)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_get_lifespan (krb5_context context, krb5_rcache id, + krb5_deltat *spanp) +{ + return krb5_x((id)->ops->get_span,(context, id, spanp)); +} + +char *KRB5_CALLCONV +krb5_rc_get_name (krb5_context context, krb5_rcache id) +{ + return krb5_xc((id)->ops->get_name,(context, id)); +} + +krb5_error_code KRB5_CALLCONV +krb5_rc_resolve (krb5_context context, krb5_rcache id, char *name) +{ + return krb5_x((id)->ops->resolve,(context, id, name)); +} diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/ser_rc.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/ser_rc.c index e21d9224ad..06bb7a7831 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/ser_rc.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/rcache/ser_rc.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -36,6 +36,7 @@ * ser_rcdfl.c - Serialize replay cache context. */ #include <k5-int.h> +#include "rc-int.h" /* * Routines to deal with externalizing krb5_rcache. @@ -44,11 +45,11 @@ * krb5_rcache_internalize(); */ static krb5_error_code krb5_rcache_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_rcache_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_rcache_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* * Serialization entry for this type. @@ -65,10 +66,7 @@ static const krb5_ser_entry krb5_rcache_ser_entry = { * this krb5_rcache variant. */ static krb5_error_code -krb5_rcache_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_rcache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_rcache rcache; @@ -102,11 +100,7 @@ krb5_rcache_size(kcontext, arg, sizep) * krb5_rcache_externalize() - Externalize the krb5_rcache. */ static krb5_error_code -krb5_rcache_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_rcache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_rcache rcache; 
@@ -166,11 +160,7 @@ krb5_rcache_externalize(kcontext, arg, buffer, lenremain) * krb5_rcache_internalize() - Internalize the krb5_rcache. */ static krb5_error_code -krb5_rcache_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_rcache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_rcache rcache; @@ -219,9 +209,8 @@ krb5_rcache_internalize(kcontext, argp, buffer, lenremain) /* * Register the rcache serializer. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_ser_rcache_init(kcontext) - krb5_context kcontext; +krb5_error_code KRB5_CALLCONV +krb5_ser_rcache_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_rcache_ser_entry)); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c index d2969a82ca..fe9f995d64 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -195,6 +195,13 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) cred->ccache = NULL; + /* SUNW14resync - do we need this? */ +#if 0 + /* load the GSS ccache name into the kg_context */ + if (GSS_ERROR(kg_sync_ccache_name(context, minor_status))) + return(GSS_S_FAILURE); +#endif + /* open the default credential cache */ code = krb5int_cc_default(context, &ccache); 
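Review bot: The `#if 0` block in acquire_init_cred leaves an open question (`SUNW14resync - do we need this?`) in the credential-acquisition path instead of answering it. With `kg_sync_ccache_name()` compiled out, the `krb5int_cc_default()` call just below presumably opens whatever the krb5 context already treats as the default cache, which may not be the cache the GSS caller selected. That should be confirmed, and the block either enabled or deleted with a comment recording why it is not needed. The function starts and ends outside this hunk.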
@@ -204,9 +211,15 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) } /* turn off OPENCLOSE mode while extensive frobbing is going on */ - + /* + * SUNW14resync + * Added calls to krb5_cc_set_flags(... KRB5_TC_OPENCLOSE) + * on the error returns cuz the 1.4 krb5_cc_close does not always close + * the file like it used to and caused STC test gss.27 to fail. + */ flags = 0; /* turns off OPENCLOSE mode */ if ((code = krb5_cc_set_flags(context, ccache, flags)) != 0) { + (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_NO_CRED); } @@ -214,6 +227,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) /* get out the principal name and see if it matches */ if ((code = krb5_cc_get_principal(context, ccache, &princ)) != 0) { + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_FAILURE); @@ -222,6 +236,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) if (desired_name != (gss_name_t) NULL) { if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) { (void)krb5_free_principal(context, princ); + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = KG_CCACHE_NOMATCH; return(GSS_S_NO_CRED); @@ -235,6 +250,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) /* iterate over the ccache, find the tgt */ if ((code = krb5_cc_start_seq_get(context, ccache, &cur)) != 0) { + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_FAILURE); 
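Review bot: The restore-and-close pair `(void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache);` is pasted into each error return in these hunks and in the -254 and -278 hunks that follow. The next error path added to acquire_init_cred can therefore forget it and leave the credential cache file open, which is the failure the block comment describes. A single shared exit path (a `goto` label or a small static helper) would keep the rule in one place. The block comment also says the `krb5_cc_set_flags` calls were added "on the error returns", while the first return here gets only `krb5_cc_close`; a line such as `/* set_flags itself failed, so there is no mode to restore */` would explain the difference. The function body continues outside the hunk.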
@@ -254,6 +270,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) krb5_princ_realm(context, princ)->data, 0); if (code) { + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_FAILURE); @@ -278,18 +295,21 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred) if (code && code != KRB5_CC_END) { /* this means some error occurred reading the ccache */ (void)krb5_cc_end_seq_get(context, ccache, &cur); + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_FAILURE); } else if (! got_endtime) { /* this means the ccache was entirely empty */ (void)krb5_cc_end_seq_get(context, ccache, &cur); + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = KG_EMPTY_CCACHE; return(GSS_S_FAILURE); } else { /* this means that we found an endtime to use. */ if ((code = krb5_cc_end_seq_get(context, ccache, &cur)) != 0) { + (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); (void)krb5_cc_close(context, ccache); *minor_status = code; return(GSS_S_FAILURE); @@ -352,7 +372,7 @@ krb5_gss_acquire_cred_no_lock(ctx, minor_status, desired_name, time_req, size_t i; krb5_gss_cred_id_t cred; gss_OID_set ret_mechs = GSS_C_NULL_OID_SET; - const gss_OID_set_desc FAR * valid_mechs; + const gss_OID_set_desc * valid_mechs; int req_old, req_new; OM_uint32 ret; krb5_error_code code; diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c index 8744c43571..0ad9d0f8e2 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/acquire_cred_with_pw.c 
@@ -223,7 +223,7 @@ OM_uint32 *time_rec; size_t i; krb5_gss_cred_id_t cred; gss_OID_set ret_mechs = GSS_C_NULL_OID_SET; - const gss_OID_set_desc FAR * valid_mechs; + const gss_OID_set_desc * valid_mechs; int req_old, req_new; OM_uint32 ret; krb5_error_code code; diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c index 99aca12b7f..ba025b7937 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/add_cred.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -57,7 +57,7 @@ #include <gssapiP_krb5.h> #include <gssapiP_generic.h> -#include <krb5.h> +#include <k5-int.h> #ifdef HAVE_STRING_H #include <string.h> #else @@ -192,7 +192,8 @@ krb5_gss_add_cred(ct, minor_status, input_cred_handle, /* make a copy */ krb5_gss_cred_id_t new_cred; char *kttype, ktboth[1024]; - char *cctype, *ccname, ccboth[1024]; + const char *cctype, *ccname; + char ccboth[1024]; if ((new_cred = (krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec))) diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c b/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c index c0eeb242d4..5d0e1e386d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/k5mech.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -82,8 +82,6 @@ static struct gss_config krb5_mechanism = { #include <k5-int.h> -extern char * -error_message(krb5_error_code errCode); OM_uint32 krb5_gss_get_context(context) @@ -125,7 +123,7 @@ error: "Kerberos mechanism library" " initialization error: %s."), - error_message(errCode)); + error_message((long)errCode)); } return (GSS_S_FAILURE); } 
diff --git a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c index 77bffb3d6b..f196eff5f1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c +++ b/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c @@ -28,6 +28,7 @@ */ #include <gssapiP_krb5.h> +#include <k5-int.h> OM_uint32 krb5_gss_release_cred(ctx, minor_status, cred_handle) diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_err.h b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_err.h index cabc959c75..eda960dd4b 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_err.h +++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_err.h @@ -32,6 +32,10 @@ #define PROF_MAGIC_FILE (-1429577703L) #define PROF_FAIL_OPEN (-1429577702L) #define PROF_EXISTS (-1429577701L) +#define PROF_BAD_BOOLEAN (-1429577700L) +#define PROF_BAD_INTEGER (-1429577699L) +#define PROF_MAGIC_FILE_DATA (-1429577698L) + #define ERROR_TABLE_BASE_prof (-1429577728L) /* for compatibility with older versions... */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_file.c b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_file.c index 871c7914ac..4e55c269a1 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_file.c +++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_file.c @@ -4,6 +4,7 @@ */ #include <autoconf.h> +#include "prof_int.h" #include <stdio.h> #ifdef HAVE_STDLIB_H 
@@ -13,35 +14,93 @@ #include <unistd.h> #endif #include <string.h> +#include <stddef.h> -#include "prof_int.h" - -#ifndef NO_SYS_TYPES_H #include <sys/types.h> -#endif -#ifndef NO_SYS_STAT_H #include <sys/stat.h> -#endif #include <errno.h> +#ifdef HAVE_PWD_H +#include <pwd.h> +#endif -#if defined(_MSDOS) || defined(_WIN32) +#if defined(_WIN32) #include <io.h> #define HAVE_STAT #define stat _stat #endif -#ifndef PROFILE_USES_PATHS -#include <FSp_fopen.h> +#include "k5-platform.h" + +struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ + prf_data_t trees; + /* Lock for above list. */ + k5_mutex_t mutex; +}; +#define g_shared_trees (krb5int_profile_shared_data.trees) +#define g_shared_trees_mutex (krb5int_profile_shared_data.mutex) + +static struct global_shared_profile_data krb5int_profile_shared_data = { + 0, + K5_MUTEX_PARTIAL_INITIALIZER +}; + +MAKE_INIT_FUNCTION(profile_library_initializer); +MAKE_FINI_FUNCTION(profile_library_finalizer); + +int profile_library_initializer(void) +{ +#if !USE_BUNDLE_ERROR_STRINGS + add_error_table(&et_prof_error_table); +#endif + return k5_mutex_finish_init(&g_shared_trees_mutex); +} +void profile_library_finalizer(void) +{ + if (! 
INITIALIZER_RAN(profile_library_initializer) || PROGRAM_EXITING()) + return; + k5_mutex_destroy(&g_shared_trees_mutex); +#if !USE_BUNDLE_ERROR_STRINGS + remove_error_table(&et_prof_error_table); +#endif +} + +static void profile_free_file_data(prf_data_t); + +#if 0 + +#define scan_shared_trees_locked() \ + { \ + prf_data_t d; \ + k5_mutex_assert_locked(&g_shared_trees_mutex); \ + for (d = g_shared_trees; d; d = d->next) { \ + assert(d->magic == PROF_MAGIC_FILE_DATA); \ + assert((d->flags & PROFILE_FILE_SHARED) != 0); \ + assert(d->filespec[0] != 0); \ + assert(d->fslen <= 1000); /* XXX */ \ + assert(d->filespec[d->fslen] == 0); \ + assert(d->fslen = strlen(d->filespec)); \ + } \ + } + +#define scan_shared_trees_unlocked() \ + { \ + int r; \ + r = k5_mutex_lock(&g_shared_trees_mutex); \ + assert (r == 0); \ + scan_shared_trees_locked(); \ + k5_mutex_unlock(&g_shared_trees_mutex); \ + } + +#else -static OSErr GetMacOSTempFilespec ( - const FSSpec* inFilespec, - FSSpec* outFilespec); +#define scan_shared_trees_locked() { ; } +#define scan_shared_trees_unlocked() { ; } #endif -static int rw_access(filespec) - profile_filespec_t filespec; +static int rw_access(const_profile_filespec_t filespec) { #ifdef HAVE_ACCESS if (access(filespec, W_OK) == 0) @@ -56,11 +115,31 @@ static int rw_access(filespec) */ FILE *f; -#ifdef PROFILE_USES_PATHS f = fopen(filespec, "r+"); -#else - f = FSp_fopen(&filespec, "r+"); + if (f) { + fclose(f); + return 1; + } + return 0; #endif +} + +static int r_access(const_profile_filespec_t filespec) +{ +#ifdef HAVE_ACCESS + if (access(filespec, R_OK) == 0) + return 1; + else + return 0; +#else + /* + * We're on a substandard OS that doesn't support access. So + * we kludge a test using stdio routines, and hope fopen + * checks the r/w permissions. + */ + FILE *f; + + f = fopen(filespec, "r"); if (f) { fclose(f); return 1; 
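Review bot: In the disabled `scan_shared_trees_locked()` macro, `assert(d->fslen = strlen(d->filespec));` assigns instead of comparing. If the `#if 0` is ever flipped for debugging, the check overwrites `fslen` and can only fail on an empty filespec, which the earlier `assert(d->filespec[0] != 0)` already excludes, so it verifies nothing. It should read `assert(d->fslen == strlen(d->filespec));`.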
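Review bot: `r_access()` answers with `access(filespec, R_OK)`, which tests the real uid and gid rather than the effective ones a later `fopen()` would use, so in a process whose effective uid differs the two can disagree. Since the function appears to exist to decide whether a caller may reuse an already-parsed profile, a comment stating which identity is meant would help, e.g. `/* access() checks the real uid/gid, not the effective ones */`. The fallback comment was copied from `rw_access()` and still says "r/w permissions" although this path opens with `"r"`. The body of r_access continues past the end of this hunk.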
@@ -69,42 +148,136 @@ static int rw_access(filespec) #endif } -errcode_t profile_open_file(filespec, ret_prof) - const_profile_filespec_t filespec; - prf_file_t *ret_prof; +prf_data_t +profile_make_prf_data(const char *filename) +{ + prf_data_t d; + size_t len, flen, slen; + char *fcopy; + + flen = strlen(filename); + slen = offsetof(struct _prf_data_t, filespec); + len = slen + flen + 1; + if (len < sizeof(struct _prf_data_t)) + len = sizeof(struct _prf_data_t); + d = malloc(len); + if (d == NULL) + return NULL; + memset(d, 0, len); + fcopy = (char *) d + slen; + assert(fcopy == d->filespec); + strcpy(fcopy, filename); + d->refcount = 1; + d->comment = NULL; + d->magic = PROF_MAGIC_FILE_DATA; + d->root = NULL; + d->next = NULL; + d->fslen = flen; + return d; +} + +errcode_t profile_open_file(const_profile_filespec_t filespec, + prf_file_t *ret_prof) { prf_file_t prf; errcode_t retval; char *home_env = 0; - int len; + unsigned int len; + prf_data_t data; + char *expanded_filename; + + retval = CALL_INIT_FUNCTION(profile_library_initializer); + if (retval) + return retval; + + scan_shared_trees_unlocked(); prf = (prf_file_t) malloc(sizeof(struct _prf_file_t)); if (!prf) return ENOMEM; memset(prf, 0, sizeof(struct _prf_file_t)); - -#ifndef macintosh + prf->magic = PROF_MAGIC_FILE; + len = strlen(filespec)+1; if (filespec[0] == '~' && filespec[1] == '/') { home_env = getenv("HOME"); +#ifdef HAVE_PWD_H + if (home_env == NULL) { + uid_t uid; + struct passwd *pw; +#ifdef HAVE_GETPWUID_R + struct passwd pwx; + char pwbuf[BUFSIZ]; +#endif + + uid = getuid(); +#ifndef HAVE_GETPWUID_R + pw = getpwuid(uid); +#elif defined(GETPWUID_R_4_ARGS) + /* earlier POSIX drafts */ + pw = getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf)); +#else + /* POSIX */ + if (getpwuid_r(uid, &pwx, pwbuf, sizeof(pwbuf), &pw) != 0) + /* Probably already null, but let's make sure. 
*/ + pw = NULL; +#endif /* getpwuid variants */ + if (pw != NULL && pw->pw_dir[0] != 0) + home_env = pw->pw_dir; + } +#endif if (home_env) len += strlen(home_env); } - prf->filespec = (char *) malloc(len); - if (!prf->filespec) { - free(prf); - return ENOMEM; - } + expanded_filename = malloc(len); + if (expanded_filename == 0) + return errno; if (home_env) { - strcpy(prf->filespec, home_env); - strcat(prf->filespec, filespec+1); + strcpy(expanded_filename, home_env); + strcat(expanded_filename, filespec+1); } else - strcpy(prf->filespec, filespec); - prf->magic = PROF_MAGIC_FILE; -#else - prf->filespec = filespec; - prf->magic = PROF_MAGIC_FILE; -#endif + memcpy(expanded_filename, filespec, len); + + retval = k5_mutex_lock(&g_shared_trees_mutex); + if (retval) { + free(expanded_filename); + free(prf); + scan_shared_trees_unlocked(); + return retval; + } + scan_shared_trees_locked(); + for (data = g_shared_trees; data; data = data->next) { + if (!strcmp(data->filespec, expanded_filename) + /* Check that current uid has read access. */ + && r_access(data->filespec)) + break; + } + if (data) { + retval = profile_update_file_data(data); + data->refcount++; + (void) k5_mutex_unlock(&g_shared_trees_mutex); + free(expanded_filename); + prf->data = data; + *ret_prof = prf; + scan_shared_trees_unlocked(); + return retval; + } + (void) k5_mutex_unlock(&g_shared_trees_mutex); + data = profile_make_prf_data(expanded_filename); + if (data == NULL) { + free(prf); + free(expanded_filename); + return ENOMEM; + } + free(expanded_filename); + prf->data = data; + + retval = k5_mutex_init(&data->lock); + if (retval) { + free(data); + free(prf); + return retval; + } retval = profile_update_file(prf); if (retval) { 
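Review bot: When `malloc(len)` for `expanded_filename` fails, profile_open_file returns `errno` without freeing `prf`, which was allocated a few lines earlier. `errno` is also not guaranteed to be non-zero after a failed `malloc`, so the caller can receive 0 with `*ret_prof` never set. The check should become `if (expanded_filename == 0) { free(prf); return ENOMEM; }`, matching the `ENOMEM` returned for the `prf` allocation. Separately, with `HAVE_GETPWUID_R` the `pwbuf` array is declared inside the `if (home_env == NULL)` block, yet `home_env = pw->pw_dir` is read by `strlen()` and `strcpy()` after that block has closed; declaring `pwx` and `pwbuf` at function scope keeps the storage alive. The function continues into the next hunk.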
@@ -112,31 +285,65 @@ errcode_t profile_open_file(filespec, ret_prof) return retval; } + retval = k5_mutex_lock(&g_shared_trees_mutex); + if (retval) { + profile_close_file(prf); + scan_shared_trees_unlocked(); + return retval; + } + scan_shared_trees_locked(); + data->flags |= PROFILE_FILE_SHARED; + data->next = g_shared_trees; + g_shared_trees = data; + scan_shared_trees_locked(); + (void) k5_mutex_unlock(&g_shared_trees_mutex); + *ret_prof = prf; return 0; } -errcode_t profile_update_file(prf) - prf_file_t prf; +errcode_t profile_update_file_data(prf_data_t data) { errcode_t retval; #ifdef HAVE_STAT struct stat st; +#ifdef STAT_ONCE_PER_SECOND + time_t now; +#endif #endif FILE *f; + retval = k5_mutex_lock(&data->lock); + if (retval) + return retval; + #ifdef HAVE_STAT - if (stat(prf->filespec, &st)) - return errno; - if (st.st_mtime == prf->timestamp) - return 0; - if (prf->root) { - profile_free_node(prf->root); - prf->root = 0; +#ifdef STAT_ONCE_PER_SECOND + now = time(0); + if (now == data->last_stat) { + k5_mutex_unlock(&data->lock); + return 0; } - if (prf->comment) { - free(prf->comment); - prf->comment = 0; +#endif + if (stat(data->filespec, &st)) { + retval = errno; + k5_mutex_unlock(&data->lock); + return retval; + } +#ifdef STAT_ONCE_PER_SECOND + data->last_stat = now; +#endif + if (st.st_mtime == data->timestamp) { + k5_mutex_unlock(&data->lock); + return 0; + } + if (data->root) { + profile_free_node(data->root); + data->root = 0; + } + if (data->comment) { + free(data->comment); + data->comment = 0; } #else /* 
@@ -144,91 +351,71 @@ errcode_t profile_update_file(prf) * memory image is correct. That is, we won't reread the * profile file if it changes. */ - if (prf->root) - return 0; + if (data->root) { + k5_mutex_unlock(&data->lock); + return 0; + } #endif errno = 0; -#ifdef PROFILE_USES_PATHS - f = fopen(prf->filespec, "r"); -#else - f = FSp_fopen (&prf->filespec, "r"); -#endif + f = fopen(data->filespec, "r"); if (f == NULL) { retval = errno; + k5_mutex_unlock(&data->lock); if (retval == 0) retval = ENOENT; return retval; } - prf->upd_serial++; - prf->flags = 0; - if (rw_access(prf->filespec)) - prf->flags |= PROFILE_FILE_RW; - retval = profile_parse_file(f, &prf->root); + data->upd_serial++; + data->flags &= PROFILE_FILE_SHARED; + if (rw_access(data->filespec)) + data->flags |= PROFILE_FILE_RW; + retval = profile_parse_file(f, &data->root); fclose(f); - if (retval) - return retval; + if (retval) { + k5_mutex_unlock(&data->lock); + return retval; + } #ifdef HAVE_STAT - prf->timestamp = st.st_mtime; + data->timestamp = st.st_mtime; #endif + k5_mutex_unlock(&data->lock); return 0; } -#ifndef PROFILE_USES_PATHS -OSErr GetMacOSTempFilespec ( - const FSSpec* inFileSpec, - FSSpec* outFileSpec) +static int +make_hard_link(const char *oldpath, const char *newpath) { - OSErr err; - - err = FindFolder (inFileSpec -> vRefNum, kTemporaryFolderType, - kCreateFolder, &(outFileSpec -> vRefNum), &(outFileSpec -> parID)); - if (err != noErr) - return err; - - BlockMoveData (&(inFileSpec -> name), &(outFileSpec -> name), StrLength (inFileSpec -> name) + 1); - return noErr; -} +#ifdef _WIN32 + return -1; +#else + return link(oldpath, newpath); #endif +} - -errcode_t profile_flush_file(prf) - prf_file_t prf; +static errcode_t write_data_to_file(prf_data_t data, const char *outfile, + int can_create) { FILE *f; profile_filespec_t new_file; profile_filespec_t old_file; errcode_t retval = 0; - - if (!prf || prf->magic != PROF_MAGIC_FILE) - return PROF_MAGIC_FILE; - - if ((prf->flags & 
PROFILE_FILE_DIRTY) == 0) - return 0; retval = ENOMEM; -#ifdef PROFILE_USES_PATHS new_file = old_file = 0; - new_file = (char *) malloc(strlen(prf->filespec) + 5); + new_file = (char *) malloc(strlen(outfile) + 5); if (!new_file) goto errout; - old_file = (char *) malloc(strlen(prf->filespec) + 5); + old_file = (char *) malloc(strlen(outfile) + 5); if (!old_file) goto errout; - sprintf(new_file, "%s.$$$", prf->filespec); - sprintf(old_file, "%s.bak", prf->filespec); + sprintf(new_file, "%s.$$$", outfile); + sprintf(old_file, "%s.bak", outfile); errno = 0; f = fopen(new_file, "w"); -#else - /* On MacOS, we do this by writing to a new file and then atomically - swapping the files with a file system call */ - GetMacOSTempFilespec (&prf->filespec, &new_file); - f = FSp_fopen (&new_file, "w"); -#endif - if (!f) { retval = errno; if (retval == 0) 
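Review bot: `write_data_to_file()` builds its scratch name as `outfile` plus the fixed suffix `.$$$` and opens it with `fopen(new_file, "w")`, which follows an existing symlink and truncates whatever it points to. The destination is now supplied by the caller of `profile_flush_file_data_to_file()`, so if that directory can be writable by another user the predictable name is a risk. Creating the file with `open(new_file, O_WRONLY|O_CREAT|O_EXCL, mode)` and wrapping it with `fdopen()` would refuse a pre-existing entry. The `malloc(strlen(outfile) + 5)` sizing does fit the four-character suffix plus the terminator, and a short comment next to the `sprintf` calls saying so would save the next reader the arithmetic. The function continues in the following hunk.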
@@ -236,70 +423,175 @@ errcode_t profile_flush_file(prf) goto errout; } - profile_write_tree_file(prf->root, f); + profile_write_tree_file(data->root, f); if (fclose(f) != 0) { retval = errno; goto errout; } -#ifdef PROFILE_USES_PATHS unlink(old_file); - if (rename(prf->filespec, old_file)) { + if (make_hard_link(outfile, old_file) == 0) { + /* Okay, got the hard link. Yay. Now we've got our + backup version, so just put the new version in + place. */ + if (rename(new_file, outfile)) { + /* Weird, the rename didn't work. But the old version + should still be in place, so no special cleanup is + needed. */ retval = errno; goto errout; - } - if (rename(new_file, prf->filespec)) { + } + } else if (errno == ENOENT && can_create) { + if (rename(new_file, outfile)) { retval = errno; - rename(old_file, prf->filespec); /* back out... */ goto errout; - } -#else - { - OSErr err = FSpExchangeFiles (&prf->filespec, &new_file); - if (err != noErr) { - retval = ENFILE; - goto errout; - } - FSpDelete (&new_file); - } + } + } else { + /* Couldn't make the hard link, so there's going to be a + small window where data->filespec does not refer to + either version. */ +#ifndef _WIN32 + sync(); #endif + if (rename(outfile, old_file)) { + retval = errno; + goto errout; + } + if (rename(new_file, outfile)) { + retval = errno; + rename(old_file, outfile); /* back out... 
*/ + goto errout; + } + } - - prf->flags = 0; - if (rw_access(prf->filespec)) - prf->flags |= PROFILE_FILE_RW; + data->flags = 0; + if (rw_access(outfile)) + data->flags |= PROFILE_FILE_RW; retval = 0; - + errout: -#ifdef PROFILE_USES_PATHS if (new_file) free(new_file); if (old_file) free(old_file); -#endif return retval; } +errcode_t profile_flush_file_data_to_buffer (prf_data_t data, char **bufp) +{ + errcode_t retval; + retval = k5_mutex_lock(&data->lock); + if (retval) + return retval; + retval = profile_write_tree_to_buffer(data->root, bufp); + k5_mutex_unlock(&data->lock); + return retval; +} -void profile_free_file(prf) - prf_file_t prf; +errcode_t profile_flush_file_data(prf_data_t data) { -#ifdef PROFILE_USES_PATHS - if (prf->filespec) - free(prf->filespec); -#endif - if (prf->root) - profile_free_node(prf->root); - if (prf->comment) - free(prf->comment); - prf->magic = 0; - free(prf); + errcode_t retval = 0; + + if (!data || data->magic != PROF_MAGIC_FILE_DATA) + return PROF_MAGIC_FILE_DATA; + + retval = k5_mutex_lock(&data->lock); + if (retval) + return retval; + + if ((data->flags & PROFILE_FILE_DIRTY) == 0) { + k5_mutex_unlock(&data->lock); + return 0; + } + + retval = write_data_to_file(data, data->filespec, 0); + k5_mutex_unlock(&data->lock); + return retval; +} + +errcode_t profile_flush_file_data_to_file(prf_data_t data, const char *outfile) +{ + errcode_t retval = 0; + + if (!data || data->magic != PROF_MAGIC_FILE_DATA) + return PROF_MAGIC_FILE_DATA; + + retval = k5_mutex_lock(&data->lock); + if (retval) + return retval; + retval = write_data_to_file(data, outfile, 1); + k5_mutex_unlock(&data->lock); + return retval; +} + + +void profile_dereference_data(prf_data_t data) +{ + int err; + scan_shared_trees_unlocked(); + err = k5_mutex_lock(&g_shared_trees_mutex); + if (err) return; + profile_dereference_data_locked(data); + (void) k5_mutex_unlock(&g_shared_trees_mutex); + scan_shared_trees_unlocked(); +} +void 
profile_dereference_data_locked(prf_data_t data) +{ + data->refcount--; + if (data->refcount == 0) + profile_free_file_data(data); +} + +int profile_lock_global() +{ + return k5_mutex_lock(&g_shared_trees_mutex); +} +int profile_unlock_global() +{ + return k5_mutex_unlock(&g_shared_trees_mutex); } -errcode_t profile_close_file(prf) - prf_file_t prf; +void profile_free_file(prf_file_t prf) +{ + profile_dereference_data(prf->data); + free(prf); +} + +/* Call with mutex locked! */ +static void profile_free_file_data(prf_data_t data) +{ + scan_shared_trees_locked(); + if (data->flags & PROFILE_FILE_SHARED) { + /* Remove from linked list. */ + if (g_shared_trees == data) + g_shared_trees = data->next; + else { + prf_data_t prev, next; + prev = g_shared_trees; + next = prev->next; + while (next) { + if (next == data) { + prev->next = next->next; + break; + } + prev = next; + next = next->next; + } + } + } + if (data->root) + profile_free_node(data->root); + if (data->comment) + free(data->comment); + data->magic = 0; + k5_mutex_destroy(&data->lock); + free(data); + scan_shared_trees_locked(); +} + +errcode_t profile_close_file(prf_file_t prf) { errcode_t retval; @@ -309,4 +601,3 @@ errcode_t profile_close_file(prf) profile_free_file(prf); return 0; } - diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_get.c b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_get.c index f22b211a19..fdf4470087 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_get.c +++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_get.c @@ -5,14 +5,14 @@ * */ +#include "prof_int.h" #include <stdio.h> #include <string.h> #ifdef HAVE_STDLIB_H #include <stdlib.h> #endif #include <errno.h> - -#include "prof_int.h" +#include <limits.h> /* * These functions --- init_list(), end_list(), and add_to_list() are 
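Review bot: `write_data_to_file()` finishes with `data->flags = 0;`, which clears `PROFILE_FILE_SHARED` along with the dirty bit, whereas `profile_update_file_data()` in this same commit was changed to `data->flags &= PROFILE_FILE_SHARED` precisely to keep it. `profile_free_file_data()` unlinks the entry from `g_shared_trees` only when that flag is set, so a shared profile that has been flushed would be freed while still on the global list, and the next list walk in `profile_open_file()` would touch freed memory. Clearing only the bits this function owns, `data->flags &= ~(PROFILE_FILE_DIRTY | PROFILE_FILE_RW);`, avoids that. When the function is reached through `profile_flush_file_data_to_file()`, the `rw_access(outfile)` result is also recorded for a file other than `data->filespec`.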
@@ -36,8 +36,7 @@ struct profile_string_list { /* * Initialize the string list abstraction. */ -static errcode_t init_list(list) - struct profile_string_list *list; +static errcode_t init_list(struct profile_string_list *list) { list->num = 0; list->max = 10; @@ -52,9 +51,7 @@ static errcode_t init_list(list) * Free any memory left over in the string abstraction, returning the * built up list in *ret_list if it is non-null. */ -static void end_list(list, ret_list) - struct profile_string_list *list; - char ***ret_list; +static void end_list(struct profile_string_list *list, char ***ret_list) { char **cp; @@ -76,16 +73,14 @@ static void end_list(list, ret_list) /* * Add a string to the list. */ -static errcode_t add_to_list(list, str) - struct profile_string_list *list; - const char *str; +static errcode_t add_to_list(struct profile_string_list *list, const char *str) { char *newstr, **newlist; int newmax; if (list->num+1 >= list->max) { newmax = list->max + 10; - newlist = (char **)realloc(list->list, newmax * sizeof(char *)); + newlist = (char **) realloc(list->list, newmax * sizeof(char *)); if (newlist == 0) return ENOMEM; list->max = newmax; @@ -104,9 +99,7 @@ static errcode_t add_to_list(list, str) /* * Return TRUE if the string is already a member of the list. */ -static int is_list_member(list, str) - struct profile_string_list *list; - const char *str; +static int is_list_member(struct profile_string_list *list, const char *str) { char **cpp; @@ -124,8 +117,7 @@ static int is_list_member(list, str) * This function frees a null-terminated list as returned by * profile_get_values. */ -KRB5_DLLIMP void KRB5_CALLCONV profile_free_list(list) - char **list; +void KRB5_CALLCONV profile_free_list(char **list) { char **cp; 
@@ -137,11 +129,9 @@ KRB5_DLLIMP void KRB5_CALLCONV profile_free_list(list) free(list); } -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_get_values(profile, names, ret_values) - profile_t profile; - const char **names; - char ***ret_values; +errcode_t KRB5_CALLCONV +profile_get_values(profile_t profile, const char *const *names, + char ***ret_values) { errcode_t retval; void *state; @@ -180,10 +170,8 @@ cleanup: * This function only gets the first value from the file; it is a * helper function for profile_get_string, profile_get_integer, etc. */ -errcode_t profile_get_value(profile, names, ret_value) - profile_t profile; - const char **names; - const char **ret_value; +errcode_t profile_get_value(profile_t profile, const char **names, + const char **ret_value) { errcode_t retval; void *state; @@ -207,13 +195,10 @@ cleanup: return retval; } -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_get_string(profile, name, subname, subsubname, - def_val, ret_string) - profile_t profile; - const char *name, *subname, *subsubname; - const char *def_val; - char **ret_string; +errcode_t KRB5_CALLCONV +profile_get_string(profile_t profile, const char *name, const char *subname, + const char *subsubname, const char *def_val, + char **ret_string) { const char *value; errcode_t retval; @@ -233,7 +218,7 @@ profile_get_string(profile, name, subname, subsubname, value = def_val; if (value) { - *ret_string = (char *) malloc(strlen(value)+1); + *ret_string = (char *) malloc(strlen(value)+1); if (*ret_string == 0) return ENOMEM; strcpy(*ret_string, value); 
@@ -242,22 +227,19 @@ profile_get_string(profile, name, subname, subsubname, return 0; } -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_get_integer(profile, name, subname, subsubname, - def_val, ret_int) - profile_t profile; - const char *name, *subname, *subsubname; - int def_val; - int *ret_int; +errcode_t KRB5_CALLCONV +profile_get_integer(profile_t profile, const char *name, const char *subname, + const char *subsubname, int def_val, int *ret_int) { const char *value; errcode_t retval; const char *names[4]; + char *end_value; + long ret_long; - if (profile == 0) { - *ret_int = def_val; + *ret_int = def_val; + if (profile == 0) return 0; - } names[0] = name; names[1] = subname; 
@@ -269,20 +251,97 @@ profile_get_integer(profile, name, subname, subsubname, return 0; } else if (retval) return retval; + + if (value[0] == 0) + /* Empty string is no good. */ + return PROF_BAD_INTEGER; + errno = 0; + ret_long = strtol (value, &end_value, 10); + + /* Overflow or underflow. */ + if ((ret_long == LONG_MIN || ret_long == LONG_MAX) && errno != 0) + return PROF_BAD_INTEGER; + /* Value outside "int" range. */ + if ((long) (int) ret_long != ret_long) + return PROF_BAD_INTEGER; + /* Garbage in string. */ + if (end_value != value + strlen (value)) + return PROF_BAD_INTEGER; + - *ret_int = atoi(value); + *ret_int = ret_long; return 0; } +static const char *const conf_yes[] = { + "y", "yes", "true", "t", "1", "on", + 0, +}; + +static const char *const conf_no[] = { + "n", "no", "false", "nil", "0", "off", + 0, +}; + +static errcode_t +profile_parse_boolean(const char *s, int *ret_boolean) +{ + const char *const *p; + + if (ret_boolean == NULL) + return PROF_EINVAL; + + for(p=conf_yes; *p; p++) { + if (!strcasecmp(*p,s)) { + *ret_boolean = 1; + return 0; + } + } + + for(p=conf_no; *p; p++) { + if (!strcasecmp(*p,s)) { + *ret_boolean = 0; + return 0; + } + } + + return PROF_BAD_BOOLEAN; +} + +errcode_t KRB5_CALLCONV +profile_get_boolean(profile_t profile, const char *name, const char *subname, + const char *subsubname, int def_val, int *ret_boolean) +{ + const char *value; + errcode_t retval; + const char *names[4]; + + if (profile == 0) { + *ret_boolean = def_val; + return 0; + } + + names[0] = name; + names[1] = subname; + names[2] = subsubname; + names[3] = 0; + retval = profile_get_value(profile, names, &value); + if (retval == PROF_NO_SECTION || retval == PROF_NO_RELATION) { + *ret_boolean = def_val; + return 0; + } else if (retval) + return retval; + + return profile_parse_boolean (value, ret_boolean); +} + /* * This function will return the list of the names of subections in the * under the specified section name. 
*/ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_get_subsection_names(profile, names, ret_names) - profile_t profile; - const char **names; - char ***ret_names; +errcode_t KRB5_CALLCONV +profile_get_subsection_names(profile_t profile, const char **names, + char ***ret_names) { errcode_t retval; void *state; @@ -316,11 +375,9 @@ cleanup: * This function will return the list of the names of relations in the * under the specified section name. */ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_get_relation_names(profile, names, ret_names) - profile_t profile; - const char **names; - char ***ret_names; +errcode_t KRB5_CALLCONV +profile_get_relation_names(profile_t profile, const char **names, + char ***ret_names) { errcode_t retval; void *state; @@ -350,27 +407,21 @@ cleanup: return retval; } -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_iterator_create(profile, names, flags, ret_iter) - profile_t profile; - const char **names; - int flags; - void **ret_iter; +errcode_t KRB5_CALLCONV +profile_iterator_create(profile_t profile, const char *const *names, int flags, + void **ret_iter) { return profile_node_iterator_create(profile, names, flags, ret_iter); } -KRB5_DLLIMP void KRB5_CALLCONV -profile_iterator_free(iter_p) - void **iter_p; +void KRB5_CALLCONV +profile_iterator_free(void **iter_p) { profile_node_iterator_free(iter_p); } -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_iterator(iter_p, ret_name, ret_value) - void **iter_p; - char **ret_name, **ret_value; +errcode_t KRB5_CALLCONV +profile_iterator(void **iter_p, char **ret_name, char **ret_value) { char *name, *value; errcode_t retval; @@ -381,7 +432,7 @@ profile_iterator(iter_p, ret_name, ret_value) if (ret_name) { if (name) { - *ret_name = (char *) malloc(strlen(name)+1); + *ret_name = (char *) malloc(strlen(name)+1); if (!*ret_name) return ENOMEM; strcpy(*ret_name, name); 
@@ -390,7 +441,7 @@ profile_iterator(iter_p, ret_name, ret_value) } if (ret_value) { if (value) { - *ret_value = (char *) malloc(strlen(value)+1); + *ret_value = (char *) malloc(strlen(value)+1); if (!*ret_value) { if (ret_name) { free(*ret_name); @@ -405,9 +456,8 @@ profile_iterator(iter_p, ret_name, ret_value) return 0; } -KRB5_DLLIMP void KRB5_CALLCONV -profile_release_string(str) - char *str; +void KRB5_CALLCONV +profile_release_string(char *str) { free(str); } diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_init.c b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_init.c index dd47030ee0..2ee24b3aa9 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_init.c +++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -10,6 +10,8 @@ * object. */ +#include "prof_int.h" + #include <stdio.h> #include <string.h> #ifdef HAVE_STDLIB_H @@ -17,23 +19,19 @@ #endif #include <errno.h> -#include "prof_int.h" - /* Find a 4-byte integer type */ #if (SIZEOF_SHORT == 4) typedef short prof_int32; #elif (SIZEOF_INT == 4) typedef int prof_int32; #elif (SIZEOF_LONG == 4) -typedef int prof_int32; +typedef long prof_int32; #else /* SIZEOF_LONG == 4 */ error(do not have a 4-byte integer type) #endif /* SIZEOF_LONG == 4 */ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_init(files, ret_profile) - const_profile_filespec_t *files; - profile_t *ret_profile; +errcode_t KRB5_CALLCONV +profile_init(const_profile_filespec_t *files, profile_t *ret_profile) { const_profile_filespec_t *fs; profile_t profile; @@ -51,7 +49,7 @@ profile_init(files, ret_profile) for (fs = files; !PROFILE_LAST_FILESPEC(*fs); fs++) { retval = profile_open_file(*fs, &new_file); /* if this file is missing, skip to the next */ - if (retval == ENOENT) { + if (retval == ENOENT || retval == EACCES) { continue; } if (retval) { 
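Review bot: In profile_init's file loop, the added `retval == EACCES` case skips a file the process cannot read exactly as if it were missing, while the comment above it still says only "if this file is missing". For a security configuration this means a permission problem on an earlier file in the list silently produces a profile built from the later ones. I would change the comment to `/* if this file is missing or unreadable, skip to the next */` and consider recording that a file was skipped for EACCES, so an operator can tell the two cases apart. The loop body continues outside the hunk.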
@@ -78,19 +76,14 @@ profile_init(files, ret_profile) return 0; } -#ifndef macintosh -/* - * On MacOS, profile_init_path is the same as profile_init - */ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_init_path(filepath, ret_profile) - const_profile_filespec_list_t filepath; - profile_t *ret_profile; +errcode_t KRB5_CALLCONV +profile_init_path(const_profile_filespec_list_t filepath, + profile_t *ret_profile) { int n_entries, i; - int ent_len; + unsigned int ent_len; const char *s, *t; - char **filenames; + profile_filespec_t *filenames; errcode_t retval; /* count the distinct filename components */ @@ -100,13 +93,13 @@ profile_init_path(filepath, ret_profile) } /* the array is NULL terminated */ - filenames = (char**) malloc((n_entries+1) * sizeof(char*)); + filenames = (profile_filespec_t*) malloc((n_entries+1) * sizeof(char*)); if (filenames == 0) return ENOMEM; /* measure, copy, and skip each one */ for(s = filepath, i=0; ((t = strchr(s, ':')) != NULL) || - ((t=s+strlen(s)) != NULL); s=t+1, i++) { + ((t=s+strlen(s)) != NULL); s=t+1, i++) { ent_len = t-s; filenames[i] = (char*) malloc(ent_len + 1); if (filenames[i] == 0) { @@ -125,7 +118,8 @@ profile_init_path(filepath, ret_profile) /* cap the array */ filenames[i] = 0; - retval = profile_init((const_profile_filespec_t *)filenames, ret_profile); + retval = profile_init((const_profile_filespec_t *) filenames, + ret_profile); /* count back down and free the entries */ while(--i >= 0) free(filenames[i]); 
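Review bot: In profile_init_path, `filenames` is now declared `profile_filespec_t *` but the array is still sized with `sizeof(char*)` and its elements are still allocated through a `(char*)` cast. That is only correct while profile_filespec_t is a plain `char *`, which this hunk does not show. Sizing from the object keeps the two in step: `filenames = malloc((n_entries+1) * sizeof(*filenames));`.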
@@ -133,19 +127,39 @@ profile_init_path(filepath, ret_profile) return retval; } -#else -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_init_path(filelist, ret_profile) - profile_filespec_list_t filelist; - profile_t *ret_profile; + +errcode_t KRB5_CALLCONV +profile_is_writable(profile_t profile, int *writable) { - return profile_init (filelist, ret_profile); + if (!profile || profile->magic != PROF_MAGIC_PROFILE) + return PROF_MAGIC_PROFILE; + + if (!writable) + return EINVAL; + + if (profile->first_file) + *writable = (profile->first_file->data->flags & PROFILE_FILE_RW); + + return 0; +} + +errcode_t KRB5_CALLCONV +profile_is_modified(profile_t profile, int *modified) +{ + if (!profile || profile->magic != PROF_MAGIC_PROFILE) + return PROF_MAGIC_PROFILE; + + if (!modified) + return EINVAL; + + if (profile->first_file) + *modified = (profile->first_file->data->flags & PROFILE_FILE_DIRTY); + + return 0; } -#endif -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_flush(profile) - profile_t profile; +errcode_t KRB5_CALLCONV +profile_flush(profile_t profile) { if (!profile || profile->magic != PROF_MAGIC_PROFILE) return PROF_MAGIC_PROFILE; @@ -156,9 +170,33 @@ profile_flush(profile) return 0; } -KRB5_DLLIMP void KRB5_CALLCONV -profile_abandon(profile) - profile_t profile; +errcode_t KRB5_CALLCONV +profile_flush_to_file(profile_t profile, const_profile_filespec_t outfile) +{ + if (!profile || profile->magic != PROF_MAGIC_PROFILE) + return PROF_MAGIC_PROFILE; + + if (profile->first_file) + return profile_flush_file_to_file(profile->first_file, + outfile); + + return 0; +} + +errcode_t KRB5_CALLCONV +profile_flush_to_buffer(profile_t profile, char **buf) +{ + return profile_flush_file_data_to_buffer(profile->first_file->data, buf); +} + +void KRB5_CALLCONV +profile_free_buffer(profile_t profile, char *buf) +{ + free(buf); +} + +void KRB5_CALLCONV +profile_abandon(profile_t profile) { prf_file_t p, next; 
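Review bot: profile_is_writable returns 0 without storing anything in `*writable` when `profile->first_file` is NULL, so a caller that trusts the success return reads an uninitialised int. profile_is_modified has the same gap with `*modified`. Assigning the output first, `*writable = 0;` (and `*modified = 0;`) ahead of the `if (profile->first_file)` test, gives a defined answer. Both functions also follow `first_file->data` without checking it, which is presumably guaranteed by whoever builds the file list but is not visible here.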
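Review bot: profile_flush_to_buffer dereferences `profile->first_file->data` with none of the checks its neighbour profile_flush_to_file performs, so a NULL profile, a wrong magic or a profile with no files faults instead of returning an error. I would add the same guard, `if (!profile || profile->magic != PROF_MAGIC_PROFILE) return PROF_MAGIC_PROFILE;`, and test `profile->first_file` before the call. What `*buf` holds on the no-file path should be stated in a comment. profile_free_buffer ignores its `profile` argument, so a one-line comment saying it exists only to pair with profile_flush_to_buffer would help.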
@@ -173,9 +211,8 @@ profile_abandon(profile) free(profile); } -KRB5_DLLIMP void KRB5_CALLCONV -profile_release(profile) - profile_t profile; +void KRB5_CALLCONV +profile_release(profile_t profile) { prf_file_t p, next; @@ -194,10 +231,8 @@ profile_release(profile) * Here begins the profile serialization functions. */ /*ARGSUSED*/ -errcode_t profile_ser_size(unused, profile, sizep) - const char *unused; - profile_t profile; - size_t *sizep; +errcode_t profile_ser_size(const char *unused, profile_t profile, + size_t *sizep) { size_t required; prf_file_t pfp; @@ -205,21 +240,13 @@ errcode_t profile_ser_size(unused, profile, sizep) required = 3*sizeof(prof_int32); for (pfp = profile->first_file; pfp; pfp = pfp->next) { required += sizeof(prof_int32); -#ifdef PROFILE_USES_PATHS - if (pfp->filespec) - required += strlen(pfp->filespec); -#else - required += sizeof (profile_filespec_t); -#endif + required += strlen(pfp->data->filespec); } *sizep += required; return 0; } -static void pack_int32(oval, bufpp, remainp) - prof_int32 oval; - unsigned char **bufpp; - size_t *remainp; +static void pack_int32(prof_int32 oval, unsigned char **bufpp, size_t *remainp) { (*bufpp)[0] = (unsigned char) ((oval >> 24) & 0xff); (*bufpp)[1] = (unsigned char) ((oval >> 16) & 0xff); @@ -229,11 +256,8 @@ static void pack_int32(oval, bufpp, remainp) *remainp -= sizeof(prof_int32); } -errcode_t profile_ser_externalize(unused, profile, bufpp, remainp) - const char *unused; - profile_t profile; - unsigned char **bufpp; - size_t *remainp; +errcode_t profile_ser_externalize(const char *unused, profile_t profile, + unsigned char **bufpp, size_t *remainp) { errcode_t retval; size_t required; 
@@ -256,22 +280,13 @@ errcode_t profile_ser_externalize(unused, profile, bufpp, remainp) pack_int32((prof_int32)PROF_MAGIC_PROFILE, &bp, &remain); pack_int32(fcount, &bp, &remain); for (pfp = profile->first_file; pfp; pfp = pfp->next) { -#ifdef PROFILE_USES_PATHS - slen = (pfp->filespec) ? - (prof_int32) strlen(pfp->filespec) : 0; + slen = (prof_int32) strlen(pfp->data->filespec); pack_int32(slen, &bp, &remain); if (slen) { - memcpy(bp, pfp->filespec, (size_t) slen); + memcpy(bp, pfp->data->filespec, (size_t) slen); bp += slen; remain -= (size_t) slen; } -#else - slen = sizeof (FSSpec); - pack_int32(slen, &bp, &remain); - memcpy (bp, &(pfp->filespec), (size_t) slen); - bp += slen; - remain -= (size_t) slen; -#endif } pack_int32((prof_int32)PROF_MAGIC_PROFILE, &bp, &remain); retval = 0; @@ -282,10 +297,8 @@ errcode_t profile_ser_externalize(unused, profile, bufpp, remainp) return(retval); } -static int unpack_int32(intp, bufpp, remainp) - prof_int32 *intp; - unsigned char **bufpp; - size_t *remainp; +static int unpack_int32(prof_int32 *intp, unsigned char **bufpp, + size_t *remainp) { if (*remainp >= sizeof(prof_int32)) { *intp = (((prof_int32) (*bufpp)[0] << 24) | @@ -301,11 +314,8 @@ static int unpack_int32(intp, bufpp, remainp) } /*ARGSUSED*/ -errcode_t profile_ser_internalize(unused, profilep, bufpp, remainp) - const char *unused; - profile_t *profilep; - unsigned char **bufpp; - size_t *remainp; +errcode_t profile_ser_internalize(const char *unused, profile_t *profilep, + unsigned char **bufpp, size_t *remainp) { errcode_t retval; unsigned char *bp; 
@@ -337,15 +347,11 @@ errcode_t profile_ser_internalize(unused, profilep, bufpp, remainp) memset(flist, 0, sizeof(char *) * (fcount+1)); for (i=0; i<fcount; i++) { if (!unpack_int32(&tmp, &bp, &remain)) { -#ifdef PROFILE_USES_PATHS flist[i] = (char *) malloc((size_t) (tmp+1)); if (!flist[i]) goto cleanup; memcpy(flist[i], bp, (size_t) tmp); flist[i][tmp] = '\0'; -#else - memcpy (&flist[i], bp, (size_t) tmp); -#endif bp += tmp; remain -= (size_t) tmp; } @@ -357,27 +363,25 @@ errcode_t profile_ser_internalize(unused, profilep, bufpp, remainp) goto cleanup; } - if ((retval = profile_init((const_profile_filespec_t *)flist, profilep))) + if ((retval = profile_init((const_profile_filespec_t *) flist, + profilep))) goto cleanup; *bufpp = bp; *remainp = remain; - + cleanup: if (flist) { -#ifdef PROFILE_USES_PATHS for (i=0; i<fcount; i++) { if (flist[i]) free(flist[i]); } -#endif free(flist); } return(retval); } - errcode_t profile_get_options_boolean(profile, section, options) profile_t profile; diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_int.h b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_int.h index f836be518b..26721834d5 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_int.h +++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
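Review bot: In profile_ser_internalize's per-file loop, the length `tmp` is read straight from the serialized buffer and passed to `malloc((size_t) (tmp+1))` and `memcpy(flist[i], bp, (size_t) tmp)`, with no comparison against `remain` and no rejection of a negative value in the lines shown. With the `#ifdef PROFILE_USES_PATHS` removed this is now the only path, so a truncated or corrupt blob makes the copy read past the end of the input. A guard before the allocation such as `if (tmp < 0 || (size_t) tmp > remain) goto cleanup;` closes that, provided `retval` holds an error at that point. The function starts before this hunk, so an earlier bound on `fcount` may exist, but none on `tmp` is visible.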
@@ -12,22 +12,21 @@ #ifndef __PROF_INT_H #include <time.h> +#include <stdio.h> + +#if defined(__MACH__) && defined(__APPLE__) +#include <TargetConditionals.h> +#define PROFILE_SUPPORTS_FOREIGN_NEWLINES +#endif + +#include <k5-thread.h> #include <com_err.h> -#include "prof_err.h" #include <profile.h> +#include "prof_err.h" /* SUNW14resync */ +#include "osconf.h" /* SUNW14resync */ -#if defined(__STDC__) || defined(_MSDOS) || defined(_WIN32) -#define PROTOTYPE(x) x -#else -#define PROTOTYPE(x) () -#endif -#if defined(_MSDOS) -/* From k5-config.h */ -#define SIZEOF_INT 2 -#define SIZEOF_SHORT 2 -#define SIZEOF_LONG 4 -#endif +#define STAT_ONCE_PER_SECOND #if defined(_WIN32) #define SIZEOF_INT 4 
@@ -35,25 +34,43 @@ #define SIZEOF_LONG 4 #endif -#if defined(macintosh) -#define NO_SYS_TYPES_H -#define NO_SYS_STAT_H -#endif - typedef long prf_magic_t; /* * This is the structure which stores the profile information for a * particular configuration file. + * + * Locking strategy: + * - filespec is fixed after creation + * - refcount and next should only be tweaked with the global lock held + * - other fields can be tweaked after grabbing the in-struct lock */ -struct _prf_file_t { +struct _prf_data_t { prf_magic_t magic; + k5_mutex_t lock; char *comment; - profile_filespec_t filespec; struct profile_node *root; - time_t timestamp; - int flags; - int upd_serial; +#ifdef STAT_ONCE_PER_SECOND + time_t last_stat; +#endif + time_t timestamp; /* time tree was last updated from file */ + int flags; /* r/w, dirty */ + int upd_serial; /* incremented when data changes */ + int refcount; /* prf_file_t references */ + struct _prf_data_t *next; + /* Was: "profile_filespec_t filespec". Now: flexible char + array ... except, we need to work in C89, so an array + length must be specified. */ + size_t fslen; + const char filespec[sizeof(DEFAULT_SECURE_PROFILE_PATH)]; +}; + +typedef struct _prf_data_t *prf_data_t; +prf_data_t profile_make_prf_data(const char *); + +struct _prf_file_t { + prf_magic_t magic; + struct _prf_data_t *data; struct _prf_file_t *next; }; @@ -64,6 +81,7 @@ typedef struct _prf_file_t *prf_file_t; */ #define PROFILE_FILE_RW 0x0001 #define PROFILE_FILE_DIRTY 0x0002 +#define PROFILE_FILE_SHARED 0x0004 /* * This structure defines the high-level, user visible profile_t 
@@ -100,121 +118,143 @@ typedef struct _profile_times { * Check if a filespec is last in a list (NULL on UNIX, invalid FSSpec on MacOS */ -#ifdef PROFILE_USES_PATHS #define PROFILE_LAST_FILESPEC(x) (((x) == NULL) || ((x)[0] == '\0')) -#else -#define PROFILE_LAST_FILESPEC(x) (((x).vRefNum == 0) && ((x).parID == 0) && ((x).name[0] == '\0')) -#endif /* profile_parse.c */ errcode_t profile_parse_file - PROTOTYPE((FILE *f, struct profile_node **root)); + (FILE *f, struct profile_node **root); errcode_t profile_write_tree_file - PROTOTYPE((struct profile_node *root, FILE *dstfile)); + (struct profile_node *root, FILE *dstfile); + +errcode_t profile_write_tree_to_buffer + (struct profile_node *root, char **buf); /* prof_tree.c */ void profile_free_node - PROTOTYPE((struct profile_node *relation)); + (struct profile_node *relation); errcode_t profile_create_node - PROTOTYPE((const char *name, const char *value, - struct profile_node **ret_node)); + (const char *name, const char *value, + struct profile_node **ret_node); errcode_t profile_verify_node - PROTOTYPE((struct profile_node *node)); + (struct profile_node *node); errcode_t profile_add_node - PROTOTYPE ((struct profile_node *section, + (struct profile_node *section, const char *name, const char *value, - struct profile_node **ret_node)); + struct profile_node **ret_node); errcode_t profile_make_node_final - PROTOTYPE((struct profile_node *node)); + (struct profile_node *node); int profile_is_node_final - PROTOTYPE((struct profile_node *node)); + (struct profile_node *node); const char *profile_get_node_name - PROTOTYPE((struct profile_node *node)); + (struct profile_node *node); const char *profile_get_node_value - PROTOTYPE((struct profile_node *node)); + (struct profile_node *node); errcode_t profile_find_node - PROTOTYPE ((struct profile_node *section, + (struct profile_node *section, const char *name, const char *value, int section_flag, void **state, - struct profile_node **node)); + struct profile_node 
**node); errcode_t profile_find_node_relation - PROTOTYPE ((struct profile_node *section, + (struct profile_node *section, const char *name, void **state, - char **ret_name, char **value)); + char **ret_name, char **value); errcode_t profile_find_node_subsection - PROTOTYPE ((struct profile_node *section, + (struct profile_node *section, const char *name, void **state, - char **ret_name, struct profile_node **subsection)); - + char **ret_name, struct profile_node **subsection); + errcode_t profile_get_node_parent - PROTOTYPE ((struct profile_node *section, - struct profile_node **parent)); - + (struct profile_node *section, + struct profile_node **parent); + errcode_t profile_delete_node_relation - PROTOTYPE ((struct profile_node *section, const char *name)); + (struct profile_node *section, const char *name); errcode_t profile_find_node_name - PROTOTYPE ((struct profile_node *section, void **state, - char **ret_name)); + (struct profile_node *section, void **state, + char **ret_name); errcode_t profile_node_iterator_create - PROTOTYPE((profile_t profile, const char **names, - int flags, void **ret_iter)); + (profile_t profile, const char *const *names, + int flags, void **ret_iter); void profile_node_iterator_free - PROTOTYPE((void **iter_p)); + (void **iter_p); errcode_t profile_node_iterator - PROTOTYPE((void **iter_p, struct profile_node **ret_node, - char **ret_name, char **ret_value)); + (void **iter_p, struct profile_node **ret_node, + char **ret_name, char **ret_value); errcode_t profile_remove_node - PROTOTYPE((struct profile_node *node)); + (struct profile_node *node); errcode_t profile_set_relation_value - PROTOTYPE((struct profile_node *node, const char *new_value)); + (struct profile_node *node, const char *new_value); errcode_t profile_rename_node - PROTOTYPE((struct profile_node *node, const char *new_name)); + (struct profile_node *node, const char *new_name); /* prof_file.c */ errcode_t profile_open_file - PROTOTYPE ((const_profile_filespec_t file, 
prf_file_t *ret_prof)); + (const_profile_filespec_t file, prf_file_t *ret_prof); -errcode_t profile_update_file - PROTOTYPE ((prf_file_t profile)); +#define profile_update_file(P) profile_update_file_data((P)->data) +errcode_t profile_update_file_data + (prf_data_t profile); -errcode_t profile_flush_file - PROTOTYPE ((prf_file_t profile)); +#define profile_flush_file(P) (((P) && (P)->magic == PROF_MAGIC_FILE) ? profile_flush_file_data((P)->data) : PROF_MAGIC_FILE) +errcode_t profile_flush_file_data + (prf_data_t data); + +#define profile_flush_file_to_file(P,F) (((P) && (P)->magic == PROF_MAGIC_FILE) ? profile_flush_file_data_to_file((P)->data, (F)) : PROF_MAGIC_FILE) +errcode_t profile_flush_file_data_to_file + (prf_data_t data, const char *outfile); + +errcode_t profile_flush_file_data_to_buffer + (prf_data_t data, char **bufp); void profile_free_file - PROTOTYPE ((prf_file_t profile)); + (prf_file_t profile); errcode_t profile_close_file - PROTOTYPE ((prf_file_t profile)); + (prf_file_t profile); + +void profile_dereference_data (prf_data_t); +void profile_dereference_data_locked (prf_data_t); + +int profile_lock_global (void); +int profile_unlock_global (void); /* prof_init.c -- included from profile.h */ +errcode_t profile_ser_size + (const char *, profile_t, size_t *); + +errcode_t profile_ser_externalize + (const char *, profile_t, unsigned char **, size_t *); + +errcode_t profile_ser_internalize + (const char *, profile_t *, unsigned char **, size_t *); /* prof_get.c */ errcode_t profile_get_value - PROTOTYPE ((profile_t profile, const char **names, - const char **ret_value)); + (profile_t profile, const char **names, + const char **ret_value); /* Others included from profile.h */ /* prof_set.c -- included from profile.h */ diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_parse.c b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_parse.c index 9185d57c2f..33dd13b2c0 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_parse.c 
+++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_parse.c @@ -1,10 +1,12 @@ /* - * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" +#include "prof_int.h" + #include <stdio.h> #include <string.h> #ifdef HAVE_STDLIB_H @@ -13,8 +15,6 @@ #include <errno.h> #include <ctype.h> -#include "prof_int.h" - #define SECTION_SEP_CHAR '/' #define STATE_INIT_COMMENT 1 @@ -28,26 +28,18 @@ struct parse_state { struct profile_node *current_section; }; -static char *skip_over_blanks(cp) - char *cp; +static char *skip_over_blanks(char *cp) { - while (*cp && isspace(*cp)) + while (*cp && isspace((int) (*cp))) cp++; return cp; } -static void strip_line(line) - char *line; +static void strip_line(char *line) { - char *p; - - while (*line) { - p = line + strlen(line) - 1; - if ((*p == '\n') || (*p == '\r')) - *p = 0; - else - break; - } + char *p = line + strlen(line); + while (p > line && (p[-1] == '\n' || p[-1] == '\r')) + *p-- = 0; } static void parse_quoted_string(char *str) @@ -80,8 +72,7 @@ static void parse_quoted_string(char *str) } -static errcode_t parse_init_state(state) - struct parse_state *state; +static errcode_t parse_init_state(struct parse_state *state) { state->state = STATE_INIT_COMMENT; state->group_level = 0; @@ -89,9 +80,7 @@ static errcode_t parse_init_state(state) return profile_create_node("(root)", 0, &state->root_section); } -static errcode_t parse_std_line(line, state) - char *line; - struct parse_state *state; +static errcode_t parse_std_line(char *line, struct parse_state *state) { char *cp, ch, *tag, *value; char *p; @@ -138,9 +127,8 @@ static errcode_t parse_std_line(line, state) profile_make_node_final(state->current_section); cp++; } - /* - * A space after ']' should not be fatal + * A space after ']' should not be fatal */ cp = skip_over_blanks(cp); if (*cp) 
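Review bot: The rewritten strip_line does not remove the line ending. `*p-- = 0` stores the zero at `p`, which is already the terminator, and only then steps back, so one character of the trailing CR/LF run always survives ("abc\n" is left unchanged). Pre-decrement restores what the old loop did: `*--p = 0;`. Later trimming in parse_std_line may hide this for relation values, but section headers and brace lines would still see the stray character.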
@@ -166,13 +154,22 @@ static errcode_t parse_std_line(line, state) cp = strchr(cp, '='); if (!cp) return PROF_RELATION_SYNTAX; + if (cp == tag) + return PROF_RELATION_SYNTAX; *cp = '\0'; - p = strchr(tag, ' '); - if (p) { - *p = '\0'; - p = skip_over_blanks(p+1); - if (p != cp) - return PROF_RELATION_SYNTAX; + p = tag; + /* Look for whitespace on left-hand side. */ + while (p < cp && !isspace((int)*p)) + p++; + if (p < cp) { + /* Found some sort of whitespace. */ + *p++ = 0; + /* If we have more non-whitespace, it's an error. */ + while (p < cp) { + if (!isspace((int)*p)) + return PROF_RELATION_SYNTAX; + p++; + } } cp = skip_over_blanks(cp+1); value = cp; @@ -182,17 +179,16 @@ static errcode_t parse_std_line(line, state) } else if (value[0] == 0) { do_subsection++; state->state = STATE_GET_OBRACE; - } else if (value[0] == '{' && value[1] == 0) + } else if (value[0] == '{' && *(skip_over_blanks(value+1)) == 0) do_subsection++; else { /* * Skip over trailing whitespace characters */ cp = value + strlen(value) - 1; - while ((cp > value) && isspace(*cp)) + while ((cp > value) && isspace((int) (*cp))) *cp-- = 0; } - if (do_subsection) { p = strchr(tag, '*'); if (p) @@ -215,9 +211,7 @@ static errcode_t parse_std_line(line, state) return 0; } -static errcode_t parse_line(line, state) - char *line; - struct parse_state *state; +static errcode_t parse_line(char *line, struct parse_state *state) { char *cp; @@ -239,9 +233,7 @@ static errcode_t parse_line(line, state) return 0; } -errcode_t profile_parse_file(f, root) - FILE *f; - struct profile_node **root; +errcode_t profile_parse_file(FILE *f, struct profile_node **root) { #define BUF_SIZE 2048 char *bptr; @@ -260,6 +252,7 @@ errcode_t profile_parse_file(f, root) while (!feof(f)) { if (fgets(bptr, BUF_SIZE, f) == NULL) break; +#ifndef PROFILE_SUPPORTS_FOREIGN_NEWLINES retval = parse_line(bptr, &state); if (retval) { /* check if an unconfigured file */ 
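Review bot: `isspace((int)*p)` in the new left-hand-side scan of parse_std_line does not make the call safe. Where plain char is signed, a byte above 0x7f still becomes a negative int, which the ctype functions leave undefined. The cast has to go through unsigned char, `isspace((unsigned char)*p)`. The same `(int)` cast is added in skip_over_blanks, in the trailing-whitespace trim and in need_double_quotes elsewhere in this file's diff. parse_std_line starts and ends outside this hunk.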
@@ -268,6 +261,55 @@ errcode_t profile_parse_file(f, root) free (bptr); return retval; } +#else + { + char *p, *end; + + if (strlen(bptr) >= BUF_SIZE - 1) { + /* The string may have foreign newlines and + gotten chopped off on a non-newline + boundary. Seek backwards to the last known + newline. */ + long offset; + char *c = bptr + strlen (bptr); + for (offset = 0; offset > -BUF_SIZE; offset--) { + if (*c == '\r' || *c == '\n') { + *c = '\0'; + fseek (f, offset, SEEK_CUR); + break; + } + c--; + } + } + + /* First change all newlines to \n */ + for (p = bptr; *p != '\0'; p++) { + if (*p == '\r') + *p = '\n'; + } + /* Then parse all lines */ + p = bptr; + end = bptr + strlen (bptr); + while (p < end) { + char* newline; + char* newp; + + newline = strchr (p, '\n'); + if (newline != NULL) + *newline = '\0'; + + /* parse_line modifies contents of p */ + newp = p + strlen (p) + 1; + retval = parse_line (p, &state); + if (retval) { + free (bptr); + return retval; + } + + p = newp; + } + } +#endif } *root = state.root_section; @@ -278,12 +320,11 @@ errcode_t profile_parse_file(f, root) /* * Return TRUE if the string begins or ends with whitespace */ -static int need_double_quotes(str) - char *str; +static int need_double_quotes(char *str) { if (!str || !*str) return 0; - if (isspace(*str) ||isspace(*(str + strlen(str) - 1))) + if (isspace((int) (*str)) ||isspace((int) (*(str + strlen(str) - 1)))) return 1; if (strchr(str, '\n') || strchr(str, '\t') || strchr(str, '\b')) return 1; 
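Review bot: In the PROFILE_SUPPORTS_FOREIGN_NEWLINES branch of profile_parse_file, the backward scan can stop making forward progress, as far as I can trace it. If the only line ending in a full buffer is a `\r` at index 0, the code terminates the string there and seeks back by the whole read, so the next fgets returns the same bytes. The result of `fseek` is also ignored, which matters on a stream that cannot seek. I would rewind only when the ending found lies past the start of the buffer (`c > bptr`), parse the chunk as read otherwise, and treat a failed fseek as an error. This branch is compiled only where the Apple test in prof_int.h defines the macro.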
@@ -294,57 +335,57 @@ static int need_double_quotes(str) * Output a string with double quotes, doing appropriate backquoting * of characters as necessary. */ -static void output_quoted_string(str, f) - char *str; - FILE *f; +static void output_quoted_string(char *str, void (*cb)(const char *,void *), + void *data) { char ch; - - fputc('"', f); + char buf[2]; + + cb("\"", data); if (!str) { - fputc('"', f); + cb("\"", data); return; } + buf[1] = 0; while ((ch = *str++)) { switch (ch) { case '\\': - fputs("\\\\", f); + cb("\\\\", data); break; case '\n': - fputs("\\n", f); + cb("\\n", data); break; case '\t': - fputs("\\t", f); + cb("\\t", data); break; case '\b': - fputs("\\b", f); + cb("\\b", data); break; default: - fputc(ch, f); + /* This would be a lot faster if we scanned + forward for the next "interesting" + character. */ + buf[0] = ch; + cb(buf, data); break; } } - fputc('"', f); + cb("\"", data); } -#if defined(_MSDOS) || defined(_WIN32) +#if defined(_WIN32) #define EOL "\r\n" #endif -#ifdef macintosh -#define EOL "\r" -#endif - #ifndef EOL #define EOL "\n" #endif -static void dump_profile_to_file(root, level, dstfile) - struct profile_node *root; - int level; - FILE *dstfile; +/* Errors should be returned, not ignored! */ +static void dump_profile(struct profile_node *root, int level, + void (*cb)(const char *, void *), void *data) { int i; struct profile_node *p; @@ -359,14 +400,18 @@ static void dump_profile_to_file(root, level, dstfile) if (retval) break; for (i=0; i < level; i++) - fprintf(dstfile, "\t"); + cb("\t", data); if (need_double_quotes(value)) { - fputs(name, dstfile); - fputs(" = ", dstfile); - output_quoted_string(value, dstfile); - fputs(EOL, dstfile); - } else - fprintf(dstfile, "%s = %s%s", name, value, EOL); + cb(name, data); + cb(" = ", data); + output_quoted_string(value, cb, data); + cb(EOL, data); + } else { + cb(name, data); + cb(" = ", data); + cb(value, data); + cb(EOL, data); + } } while (iter != 0); iter = 0; 
@@ -376,29 +421,88 @@ static void dump_profile_to_file(root, level, dstfile) if (retval) break; if (level == 0) { /* [xxx] */ - for (i=0; i < level; i++) - fprintf(dstfile, "\t"); - fprintf(dstfile, "[%s]%s%s", name, - profile_is_node_final(p) ? "*" : "", EOL); - dump_profile_to_file(p, level+1, dstfile); - fprintf(dstfile, EOL); + cb("[", data); + cb(name, data); + cb("]", data); + cb(profile_is_node_final(p) ? "*" : "", data); + cb(EOL, data); + dump_profile(p, level+1, cb, data); + cb(EOL, data); } else { /* xxx = { ... } */ for (i=0; i < level; i++) - fprintf(dstfile, "\t"); - fprintf(dstfile, "%s = {%s", name, EOL); - dump_profile_to_file(p, level+1, dstfile); + cb("\t", data); + cb(name, data); + cb(" = {", data); + cb(EOL, data); + dump_profile(p, level+1, cb, data); for (i=0; i < level; i++) - fprintf(dstfile, "\t"); - fprintf(dstfile, "}%s%s", - profile_is_node_final(p) ? "*" : "", EOL); + cb("\t", data); + cb("}", data); + cb(profile_is_node_final(p) ? "*" : "", data); + cb(EOL, data); } } while (iter != 0); } -errcode_t profile_write_tree_file(root, dstfile) - struct profile_node *root; - FILE *dstfile; +static void dump_profile_to_file_cb(const char *str, void *data) +{ + fputs(str, data); +} + +errcode_t profile_write_tree_file(struct profile_node *root, FILE *dstfile) +{ + dump_profile(root, 0, dump_profile_to_file_cb, dstfile); + return 0; +} + +struct prof_buf { + char *base; + size_t cur, max; + int err; +}; + +static void add_data_to_buffer(struct prof_buf *b, const void *d, size_t len) { - dump_profile_to_file(root, 0, dstfile); + if (b->err) + return; + if (b->max - b->cur < len) { + size_t newsize; + char *newptr; + + newsize = b->max + (b->max >> 1) + len + 1024; + newptr = realloc(b->base, newsize); + if (newptr == NULL) { + b->err = 1; + return; + } + b->base = newptr; + b->max = newsize; + } + memcpy(b->base + b->cur, d, len); + b->cur += len; /* ignore overflow */ +} + +static void dump_profile_to_buffer_cb(const char *str, void *data) +{ 
+ add_data_to_buffer((struct prof_buf *)data, str, strlen(str)); +} + +errcode_t profile_write_tree_to_buffer(struct profile_node *root, + char **buf) +{ + struct prof_buf prof_buf = { 0, 0, 0, 0 }; + + dump_profile(root, 0, dump_profile_to_buffer_cb, &prof_buf); + if (prof_buf.err) { + *buf = NULL; + return ENOMEM; + } + add_data_to_buffer(&prof_buf, "", 1); /* append nul */ + if (prof_buf.max - prof_buf.cur > (prof_buf.max >> 3)) { + char *newptr = realloc(prof_buf.base, prof_buf.cur); + if (newptr) + prof_buf.base = newptr; + } + *buf = prof_buf.base; return 0; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_set.c b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_set.c index f8f709864d..bcca00a4c4 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_set.c +++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_set.c @@ -12,6 +12,8 @@ * */ +#include "prof_int.h" + #include <stdio.h> #include <string.h> #ifdef HAVE_STDLIB_H @@ -19,13 +21,10 @@ #endif #include <errno.h> -#include "prof_int.h" - -static errcode_t rw_setup(profile) - profile_t profile; +static errcode_t rw_setup(profile_t profile) { prf_file_t file; - errcode_t retval; + errcode_t retval = 0; if (!profile) return PROF_NO_PROFILE; 
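Review bot: profile_write_tree_to_buffer tests `prof_buf.err` only before appending the terminator, so if the realloc inside `add_data_to_buffer(&prof_buf, "", 1)` fails the caller receives a buffer with no NUL at the end. The early error return also drops `prof_buf.base` without freeing it. Re-test the flag after the append and release the buffer on both failures: `if (prof_buf.err) { free(prof_buf.base); *buf = NULL; return ENOMEM; }`. add_data_to_buffer's size arithmetic is unchecked as well, as its own `/* ignore overflow */` comment concedes.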
@@ -34,15 +33,44 @@ static errcode_t rw_setup(profile) return PROF_MAGIC_PROFILE; file = profile->first_file; - if (!(file->flags & PROFILE_FILE_RW)) - return PROF_READ_ONLY; + + retval = profile_lock_global(); + if (retval) + return retval; /* Don't update the file if we've already made modifications */ - if (file->flags & PROFILE_FILE_DIRTY) - return 0; - + if (file->data->flags & PROFILE_FILE_DIRTY) { + profile_unlock_global(); + return 0; + } + + if ((file->data->flags & PROFILE_FILE_SHARED) != 0) { + prf_data_t new_data; + new_data = profile_make_prf_data(file->data->filespec); + if (new_data == NULL) { + retval = ENOMEM; + } else { + retval = k5_mutex_init(&new_data->lock); + if (retval == 0) { + new_data->root = NULL; + new_data->flags = file->data->flags & ~PROFILE_FILE_SHARED; + new_data->timestamp = 0; + new_data->upd_serial = file->data->upd_serial; + } + } + + if (retval != 0) { + profile_unlock_global(); + free(new_data); + return retval; + } + profile_dereference_data_locked(file->data); + file->data = new_data; + } + + profile_unlock_global(); retval = profile_update_file(file); - + return retval; } @@ -52,12 +80,9 @@ static errcode_t rw_setup(profile) * * ADL - 2/23/99, rewritten TYT 2/25/99 */ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_update_relation(profile, names, old_value, new_value) - profile_t profile; - const char **names; - const char *old_value; - const char *new_value; +errcode_t KRB5_CALLCONV +profile_update_relation(profile_t profile, const char **names, + const char *old_value, const char *new_value) { errcode_t retval; struct profile_node *section, *node; 
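Review bot: The new copy-on-write block for `PROFILE_FILE_SHARED` data in `rw_setup` has no comment explaining why the replacement `prf_data_t` starts with `root = NULL` and `timestamp = 0`. From the hunk it looks as if this forces the following `profile_update_file(file)` to reload the file into the private copy, and that should be stated, e.g. `/* Shared data must not be modified in place: switch to a private, empty copy and let profile_update_file() reload it. */`. The `PROFILE_FILE_RW` test that returned `PROF_READ_ONLY` is also removed here with nothing in the hunk replacing it. If write permission is now enforced elsewhere (not visible in this hunk), a one-line comment naming that place would let a reader confirm read-only profiles are still rejected. The opening lines of `rw_setup` are in the preceding hunk.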
@@ -74,30 +99,33 @@ profile_update_relation(profile, names, old_value, new_value) if (!old_value || !*old_value) return PROF_EINVAL; - section = profile->first_file->root; + retval = k5_mutex_lock(&profile->first_file->data->lock); + if (retval) + return retval; + section = profile->first_file->data->root; for (cpp = names; cpp[1]; cpp++) { state = 0; retval = profile_find_node(section, *cpp, 0, 1, &state, §ion); - if (retval) - return retval; + if (retval) { + k5_mutex_unlock(&profile->first_file->data->lock); + return retval; + } } state = 0; retval = profile_find_node(section, *cpp, old_value, 0, &state, &node); - if (retval) - return retval; - - if (new_value) + if (retval == 0) { + if (new_value) retval = profile_set_relation_value(node, new_value); - else + else retval = profile_remove_node(node); - if (retval) - return retval; - - profile->first_file->flags |= PROFILE_FILE_DIRTY; + } + if (retval == 0) + profile->first_file->data->flags |= PROFILE_FILE_DIRTY; + k5_mutex_unlock(&profile->first_file->data->lock); - return 0; + return retval; } /* @@ -105,16 +133,14 @@ profile_update_relation(profile, names, old_value, new_value) * * TYT - 2/25/99 */ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_clear_relation(profile, names) - profile_t profile; - const char **names; +errcode_t KRB5_CALLCONV +profile_clear_relation(profile_t profile, const char **names) { errcode_t retval; struct profile_node *section, *node; void *state; const char **cpp; - + retval = rw_setup(profile); if (retval) return retval; @@ -122,7 +148,7 @@ profile_clear_relation(profile, names) if (names == 0 || names[0] == 0 || names[1] == 0) return PROF_BAD_NAMESET; - section = profile->first_file->root; + section = profile->first_file->data->root; for (cpp = names; cpp[1]; cpp++) { state = 0; retval = profile_find_node(section, *cpp, 0, 1, 
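Review bot: `profile_clear_relation` reads `profile->first_file->data->root` here and sets `data->flags |= PROFILE_FILE_DIRTY` in the following hunk, but neither access is made under `data->lock`. `profile_update_relation`, `profile_rename_section` and `profile_add_relation` in this same commit all call `k5_mutex_lock(&profile->first_file->data->lock)` before touching the tree, so this function can walk or change the tree while another thread is modifying it. I would take the lock before the `section = ...` assignment with `retval = k5_mutex_lock(&profile->first_file->data->lock); if (retval) return retval;` and call `k5_mutex_unlock(&profile->first_file->data->lock);` on every return path. Most of the function body lies outside this hunk, so the exact exit points need checking there.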
@@ -141,7 +167,7 @@ profile_clear_relation(profile, names) return retval; } while (state); - profile->first_file->flags |= PROFILE_FILE_DIRTY; + profile->first_file->data->flags |= PROFILE_FILE_DIRTY; return 0; } @@ -152,11 +178,9 @@ profile_clear_relation(profile, names) * * ADL - 2/23/99, rewritten TYT 2/25/99 */ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_rename_section(profile, names, new_name) - profile_t profile; - const char **names; - const char *new_name; +errcode_t KRB5_CALLCONV +profile_rename_section(profile_t profile, const char **names, + const char *new_name) { errcode_t retval; struct profile_node *section, *node; @@ -170,30 +194,32 @@ profile_rename_section(profile, names, new_name) if (names == 0 || names[0] == 0 || names[1] == 0) return PROF_BAD_NAMESET; - section = profile->first_file->root; + retval = k5_mutex_lock(&profile->first_file->data->lock); + if (retval) + return retval; + section = profile->first_file->data->root; for (cpp = names; cpp[1]; cpp++) { state = 0; retval = profile_find_node(section, *cpp, 0, 1, &state, §ion); - if (retval) - return retval; + if (retval) { + k5_mutex_unlock(&profile->first_file->data->lock); + return retval; + } } state = 0; retval = profile_find_node(section, *cpp, 0, 1, &state, &node); - if (retval) - return retval; - - if (new_name) + if (retval == 0) { + if (new_name) retval = profile_rename_node(node, new_name); - else + else retval = profile_remove_node(node); - if (retval) - return retval; - - profile->first_file->flags |= PROFILE_FILE_DIRTY; - - return 0; + } + if (retval == 0) + profile->first_file->data->flags |= PROFILE_FILE_DIRTY; + k5_mutex_unlock(&profile->first_file->data->lock); + return retval; } /* 
@@ -205,11 +231,9 @@ profile_rename_section(profile, names, new_name) * * ADL - 2/23/99, rewritten TYT 2/25/99 */ -KRB5_DLLIMP errcode_t KRB5_CALLCONV -profile_add_relation(profile, names, new_value) - profile_t profile; - const char **names; - const char *new_value; +errcode_t KRB5_CALLCONV +profile_add_relation(profile_t profile, const char **names, + const char *new_value) { errcode_t retval; struct profile_node *section; @@ -223,31 +247,41 @@ profile_add_relation(profile, names, new_value) if (names == 0 || names[0] == 0 || names[1] == 0) return PROF_BAD_NAMESET; - section = profile->first_file->root; + retval = k5_mutex_lock(&profile->first_file->data->lock); + if (retval) + return retval; + section = profile->first_file->data->root; for (cpp = names; cpp[1]; cpp++) { state = 0; retval = profile_find_node(section, *cpp, 0, 1, &state, §ion); if (retval == PROF_NO_SECTION) retval = profile_add_node(section, *cpp, 0, §ion); - if (retval) - return retval; + if (retval) { + k5_mutex_unlock(&profile->first_file->data->lock); + return retval; + } } if (new_value == 0) { retval = profile_find_node(section, *cpp, 0, 1, &state, 0); - if (retval == 0) - return PROF_EXISTS; - else if (retval != PROF_NO_SECTION) - return retval; + if (retval == 0) { + k5_mutex_unlock(&profile->first_file->data->lock); + return PROF_EXISTS; + } else if (retval != PROF_NO_SECTION) { + k5_mutex_unlock(&profile->first_file->data->lock); + return retval; + } } retval = profile_add_node(section, *cpp, new_value, 0); - if (retval) - return retval; + if (retval) { + k5_mutex_unlock(&profile->first_file->data->lock); + return retval; + } - profile->first_file->flags |= PROFILE_FILE_DIRTY; - + profile->first_file->data->flags |= PROFILE_FILE_DIRTY; + k5_mutex_unlock(&profile->first_file->data->lock); return 0; } diff --git a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_tree.c b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_tree.c index 18bc1913b8..398a979d89 100644 
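Review bot: `profile_add_relation` repeats `k5_mutex_unlock(&profile->first_file->data->lock);` followed by a `return` on five separate exits, whereas `profile_update_relation` and `profile_rename_section` in this commit fall through to one unlock and `return retval;`. An error path added later can easily miss the unlock and leave the data mutex held. I would set `retval` and `goto cleanup;` on each failure, ending the function with `cleanup: k5_mutex_unlock(&profile->first_file->data->lock); return retval;`. Separately, the `new_value == 0` lookup passes `&state` without first resetting it to 0. That is an unchanged context line, but the header comment on `profile_find_node` says the state pointer must be null on the first call and it may still hold a value left by the loop. The start of the function is in the preceding hunk.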
--- a/usr/src/lib/gss_mechs/mech_krb5/profile/prof_tree.c +++ b/usr/src/lib/gss_mechs/mech_krb5/profile/prof_tree.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -8,21 +8,24 @@ /* * prof_tree.c --- these routines maintain the parse tree of the * config file. - * + * * All of the details of how the tree is stored is abstracted away in * this file; all of the other profile routines build, access, and * modify the tree via the accessor functions found in this file. * * Each node may represent either a relation or a section header. - * + * * A section header must have its value field set to 0, and may a one * or more child nodes, pointed to by first_child. - * + * * A relation has as its value a pointer to allocated memory * containing a string. Its first_child pointer must be null. * */ + +#include "prof_int.h" + #include <stdio.h> #include <string.h> #ifdef HAVE_STDLIB_H @@ -31,14 +34,13 @@ #include <errno.h> #include <ctype.h> -#include "prof_int.h" - struct profile_node { errcode_t magic; char *name; char *value; int group_level; int final:1; /* Indicate don't search next file */ + int deleted:1; struct profile_node *first_child; struct profile_node *parent; struct profile_node *next, *prev; @@ -51,8 +53,7 @@ struct profile_node { /* * Free a node, and any children */ -void profile_free_node(node) - struct profile_node *node; +void profile_free_node(struct profile_node *node) { struct profile_node *child, *next; 
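Review bot: The new `int deleted:1;` member of `struct profile_node` is a signed one-bit bit-field, so `node->deleted = 1` stores an implementation-defined value, typically -1. The visible uses only test it for non-zero (`if (p->deleted)`), so it works today, but a later `== 1` comparison would silently fail. I would declare it `unsigned int deleted:1;`, and the existing `int final:1;` next to it has the same problem.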
@@ -73,12 +74,24 @@ void profile_free_node(node) free(node); } +#ifndef HAVE_STRDUP +#undef strdup +#define strdup MYstrdup +static char *MYstrdup (const char *s) +{ + size_t sz = strlen(s) + 1; + char *p = malloc(sz); + if (p != 0) + memcpy(p, s, sz); + return p; +} +#endif + /* * Create a node */ -errcode_t profile_create_node(name, value, ret_node) - const char *name, *value; - struct profile_node **ret_node; +errcode_t profile_create_node(const char *name, const char *value, + struct profile_node **ret_node) { struct profile_node *new; @@ -86,19 +99,17 @@ errcode_t profile_create_node(name, value, ret_node) if (!new) return ENOMEM; memset(new, 0, sizeof(struct profile_node)); - new->name = (char *) malloc(strlen(name)+1); + new->name = (char *) strdup(name); if (new->name == 0) { - profile_free_node(new); - return ENOMEM; + profile_free_node(new); + return ENOMEM; } - strcpy(new->name, name); if (value) { - new->value = (char *) malloc(strlen(value)+1); + new->value = (char *) strdup(value); if (new->value == 0) { - profile_free_node(new); - return ENOMEM; + profile_free_node(new); + return ENOMEM; } - strcpy(new->value, value); } new->magic = PROF_MAGIC_NODE; @@ -111,8 +122,7 @@ errcode_t profile_create_node(name, value, ret_node) * the profile are true. If not, we have a programming bug somewhere, * probably in this file. */ -errcode_t profile_verify_node(node) - struct profile_node *node; +errcode_t profile_verify_node(struct profile_node *node) { struct profile_node *p, *last; errcode_t retval; 
@@ -142,14 +152,11 @@ errcode_t profile_verify_node(node) /* * Add a node to a particular section */ -errcode_t profile_add_node(section, name, value, ret_node) - struct profile_node *section; - const char *name, *value; - struct profile_node **ret_node; +errcode_t profile_add_node(struct profile_node *section, const char *name, + const char *value, struct profile_node **ret_node) { errcode_t retval; struct profile_node *p, *last, *new; - int cmp = -1; CHECK_MAGIC(section); @@ -158,10 +165,11 @@ errcode_t profile_add_node(section, name, value, ret_node) /* * Find the place to insert the new node. We look for the - * place *after* the last match of the node name, since + * place *after* the last match of the node name, since * order matters. */ for (p=section->first_child, last = 0; p; last = p, p = p->next) { + int cmp; cmp = strcmp(p->name, name); if (cmp > 0) break; @@ -170,6 +178,7 @@ errcode_t profile_add_node(section, name, value, ret_node) if (retval) return retval; new->group_level = section->group_level+1; + new->deleted = 0; new->parent = section; new->prev = last; new->next = p; @@ -187,8 +196,7 @@ errcode_t profile_add_node(section, name, value, ret_node) /* * Set the final flag on a particular node. */ -errcode_t profile_make_node_final(node) - struct profile_node *node; +errcode_t profile_make_node_final(struct profile_node *node) { CHECK_MAGIC(node); @@ -199,8 +207,7 @@ errcode_t profile_make_node_final(node) /* * Check the final flag on a node */ -int profile_is_node_final(node) - struct profile_node *node; +int profile_is_node_final(struct profile_node *node) { return (node->final != 0); } @@ -210,8 +217,7 @@ int profile_is_node_final(node) * only; if the name needs to be returned from an exported function, * strdup it first!) */ -const char *profile_get_node_name(node) - struct profile_node *node; +const char *profile_get_node_name(struct profile_node *node) { return node->name; } 
@@ -221,8 +227,7 @@ const char *profile_get_node_name(node) * only; if the name needs to be returned from an exported function, * strdup it first!) */ -const char *profile_get_node_value(node) - struct profile_node *node; +const char *profile_get_node_value(struct profile_node *node) { return node->value; } @@ -234,20 +239,16 @@ const char *profile_get_node_value(node) * section which matches the name; don't return relations. If value * is non-NULL, then only return relations which match the requested * value. (The value argument is ignored if section_flag is non-zero.) - * + * * The first time this routine is called, the state pointer must be * null. When this profile_find_node_relation() returns, if the state * pointer is non-NULL, then this routine should be called again. * (This won't happen if section_flag is non-zero, obviously.) * */ -errcode_t profile_find_node(section, name, value, section_flag, state, node) - struct profile_node *section; - const char *name; - const char *value; - int section_flag; - void **state; - struct profile_node **node; +errcode_t profile_find_node(struct profile_node *section, const char *name, + const char *value, int section_flag, void **state, + struct profile_node **node) { struct profile_node *p; @@ -270,6 +271,8 @@ errcode_t profile_find_node(section, name, value, section_flag, state, node) if (value && (strcmp(p->value, value))) continue; } + if (p->deleted) + continue; /* A match! */ if (node) *node = p; 
@@ -317,11 +320,9 @@ errcode_t profile_find_node(section, name, value, section_flag, state, node) * returned to a calling application (profile_find_node_relation is not an * exported interface), it should be strdup()'ed. */ -errcode_t profile_find_node_relation(section, name, state, ret_name, value) - struct profile_node *section; - const char *name; - void **state; - char **ret_name, **value; +errcode_t profile_find_node_relation(struct profile_node *section, + const char *name, void **state, + char **ret_name, char **value) { struct profile_node *p; errcode_t retval; @@ -349,15 +350,12 @@ errcode_t profile_find_node_relation(section, name, state, ret_name, value) * * This is (plus accessor functions for the name and value given a * profile node) makes this function mostly syntactic sugar for - * profile_find_node. + * profile_find_node. */ -errcode_t profile_find_node_subsection(section, name, state, ret_name, - subsection) - struct profile_node *section; - const char *name; - void **state; - char **ret_name; - struct profile_node **subsection; +errcode_t profile_find_node_subsection(struct profile_node *section, + const char *name, void **state, + char **ret_name, + struct profile_node **subsection) { struct profile_node *p; errcode_t retval; @@ -381,8 +379,8 @@ errcode_t profile_find_node_subsection(section, name, state, ret_name, /* * This function returns the parent of a particular node. */ -errcode_t profile_get_node_parent(section, parent) - struct profile_node *section, **parent; +errcode_t profile_get_node_parent(struct profile_node *section, + struct profile_node **parent) { *parent = section->parent; return 0; 
@@ -390,13 +388,13 @@ errcode_t profile_get_node_parent(section, parent) /* * This is a general-purpose iterator for returning all nodes that - * match the specified name array. + * match the specified name array. */ struct profile_iterator { prf_magic_t magic; profile_t profile; int flags; - const char **names; + const char *const *names; const char *name; prf_file_t file; int file_serial; @@ -405,11 +403,9 @@ struct profile_iterator { int num; }; -errcode_t profile_node_iterator_create(profile, names, flags, ret_iter) - profile_t profile; - const char **names; - int flags; - void **ret_iter; +errcode_t profile_node_iterator_create(profile_t profile, + const char *const *names, int flags, + void **ret_iter) { struct profile_iterator *iter; int done_idx = 0; @@ -442,8 +438,7 @@ errcode_t profile_node_iterator_create(profile, names, flags, ret_iter) return 0; } -void profile_node_iterator_free(iter_p) - void **iter_p; +void profile_node_iterator_free(void **iter_p) { struct profile_iterator *iter; 
@@ -463,32 +458,46 @@ void profile_node_iterator_free(iter_p) * (profile_node_iterator is not an exported interface), it should be * strdup()'ed. */ -errcode_t profile_node_iterator(iter_p, ret_node, ret_name, ret_value) - void **iter_p; - struct profile_node **ret_node; - char **ret_name, **ret_value; +errcode_t profile_node_iterator(void **iter_p, struct profile_node **ret_node, + char **ret_name, char **ret_value) { struct profile_iterator *iter = *iter_p; struct profile_node *section, *p; - const char **cpp; + const char *const *cpp; errcode_t retval; int skip_num = 0; if (!iter || iter->magic != PROF_MAGIC_ITERATOR) return PROF_MAGIC_ITERATOR; + if (iter->file && iter->file->magic != PROF_MAGIC_FILE) + return PROF_MAGIC_FILE; + if (iter->file && iter->file->data->magic != PROF_MAGIC_FILE_DATA) + return PROF_MAGIC_FILE_DATA; /* * If the file has changed, then the node pointer is invalid, * so we'll have search the file again looking for it. */ - if (iter->node && (iter->file->upd_serial != iter->file_serial)) { + if (iter->file) { + retval = k5_mutex_lock(&iter->file->data->lock); + if (retval) + return retval; + } + if (iter->node && (iter->file->data->upd_serial != iter->file_serial)) { iter->flags &= ~PROFILE_ITER_FINAL_SEEN; skip_num = iter->num; iter->node = 0; } + if (iter->node && iter->node->magic != PROF_MAGIC_NODE) { + if (iter->file) + k5_mutex_unlock(&iter->file->data->lock); + return PROF_MAGIC_NODE; + } get_new_file: if (iter->node == 0) { if (iter->file == 0 || (iter->flags & PROFILE_ITER_FINAL_SEEN)) { + if (iter->file) + k5_mutex_unlock(&iter->file->data->lock); profile_node_iterator_free(iter_p); if (ret_node) *ret_node = 0; 
@@ -498,20 +507,42 @@ get_new_file: *ret_value =0; return 0; } + k5_mutex_unlock(&iter->file->data->lock); if ((retval = profile_update_file(iter->file))) { + if (retval == ENOENT || retval == EACCES) { + /* XXX memory leak? */ + iter->file = iter->file->next; + if (iter->file) { + retval = k5_mutex_lock(&iter->file->data->lock); + if (retval) { + profile_node_iterator_free(iter_p); + return retval; + } + } + skip_num = 0; + retval = 0; + goto get_new_file; + } else { profile_node_iterator_free(iter_p); return retval; + } + } + retval = k5_mutex_lock(&iter->file->data->lock); + if (retval) { + profile_node_iterator_free(iter_p); + return retval; } - iter->file_serial = iter->file->upd_serial; + iter->file_serial = iter->file->data->upd_serial; /* * Find the section to list if we are a LIST_SECTION, * or find the containing section if not. */ - section = iter->file->root; + section = iter->file->data->root; for (cpp = iter->names; cpp[iter->done_idx]; cpp++) { - for (p=section->first_child; p; p = p->next) + for (p=section->first_child; p; p = p->next) { if (!strcmp(p->name, *cpp) && !p->value) break; + } if (!p) { section = 0; break; @@ -521,7 +552,15 @@ get_new_file: iter->flags |= PROFILE_ITER_FINAL_SEEN; } if (!section) { + k5_mutex_unlock(&iter->file->data->lock); iter->file = iter->file->next; + if (iter->file) { + retval = k5_mutex_lock(&iter->file->data->lock); + if (retval) { + profile_node_iterator_free(iter_p); + return retval; + } + } skip_num = 0; goto get_new_file; } @@ -549,11 +588,20 @@ get_new_file: } iter->num++; if (!p) { + k5_mutex_unlock(&iter->file->data->lock); iter->file = iter->file->next; + if (iter->file) { + retval = k5_mutex_lock(&iter->file->data->lock); + if (retval) { + profile_node_iterator_free(iter_p); + return retval; + } + } iter->node = 0; skip_num = 0; goto get_new_file; } + k5_mutex_unlock(&iter->file->data->lock); if ((iter->node = p->next) == NULL) iter->file = iter->file->next; if (ret_node) 
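Review bot: The section walk in `profile_node_iterator` (`if (!strcmp(p->name, *cpp) && !p->value) break;`) does not test the new `deleted` bit, so a section that `profile_remove_node` has marked deleted can still be chosen as the section to iterate. This commit turns removal into `node->deleted = 1` and leaves the node linked in the tree, so every traversal has to skip such nodes the way `profile_find_node` now does. I would write the test as `if (!strcmp(p->name, *cpp) && !p->value && !p->deleted)`. The loop that selects the next node to return lies between these hunks and is not visible here; it presumably needs the same `if (p->deleted) continue;`, otherwise removed relations would keep being returned to callers.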
@@ -565,28 +613,19 @@ get_new_file: return 0; } -/* +/* * Remove a particular node. - * + * * TYT, 2/25/99 */ -errcode_t profile_remove_node(node) - struct profile_node *node; +errcode_t profile_remove_node(struct profile_node *node) { CHECK_MAGIC(node); if (node->parent == 0) return PROF_EINVAL; /* Can't remove the root! */ - if (node->prev) - node->prev->next = node->next; - else - node->parent->first_child = node->next; - - if (node->next) - node->next->prev = node->prev; - - profile_free_node(node); + node->deleted = 1; return 0; } @@ -596,9 +635,8 @@ errcode_t profile_remove_node(node) * * TYT, 2/25/99 */ -errcode_t profile_set_relation_value(node, new_value) - struct profile_node *node; - const char *new_value; +errcode_t profile_set_relation_value(struct profile_node *node, + const char *new_value) { char *cp; @@ -623,9 +661,7 @@ errcode_t profile_set_relation_value(node, new_value) * * TYT 2/25/99 */ -errcode_t profile_rename_node(node, new_name) - struct profile_node *node; - const char *new_name; +errcode_t profile_rename_node(struct profile_node *node, const char *new_name) { char *new_string; struct profile_node *p, *last; diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_cache.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_cache.spec index beaa569430..ea01999263 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_cache.spec +++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_cache.spec @@ -1,5 +1,5 @@ # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" 
@@ -7,338 +7,17 @@ # lib/gss_mechs/mech_krb5/spec/krb5_cache.spec # -function krb5_fcc_close -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_close \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_fcc_close_file -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_close_file \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_fcc_destroy -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_destroy \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_fcc_end_seq_get -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_end_seq_get \ - (krb5_context context, krb5_ccache id, \ - krb5_cc_cursor *cursor) -version SUNWprivate_1.1 -end - -function krb5_fcc_generate_new -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_generate_new \ - (krb5_context context, krb5_ccache *id) -version SUNWprivate_1.1 -end - -function krb5_fcc_get_name -include <krb5.h>, <fcc-proto.h> -declaration char * krb5_fcc_get_name \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end -function krb5_fcc_get_principal -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_get_principal \ - (krb5_context context, krb5_ccache id, \ - krb5_principal *princ) -version SUNWprivate_1.1 -end - -function krb5_fcc_initialize -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_initialize \ - (krb5_context context, krb5_ccache id, \ - krb5_principal princ) -version SUNWprivate_1.1 -end - -function krb5_fcc_interpret -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_interpret \ - (krb5_context context, int errnum) -version SUNWprivate_1.1 -end - -function krb5_fcc_next_cred -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_next_cred \ - (krb5_context, krb5_ccache id, \ - krb5_cc_cursor *cursor, \ - krb5_creds 
*creds) -version SUNWprivate_1.1 -end - -function krb5_fcc_open_file -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_open_file \ - (krb5_context context, krb5_ccache id, \ - int mode) -version SUNWprivate_1.1 -end data krb5_fcc_ops declaration krb5_cc_ops krb5_fcc_ops version SUNWprivate_1.1 end -function krb5_fcc_read -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read \ - (krb5_context context, krb5_ccache id, \ - krb5_pointer buf, int len) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_addr -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_addr \ - (krb5_context context, krb5_ccache id, \ - krb5_address *addr) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_addrs -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_addrs \ - (krb5_context context, krb5_ccache id, \ - krb5_address ***addrs) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_authdata -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_authdata \ - (krb5_context context, krb5_ccache id, \ - krb5_authdata ***a) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_authdatum -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_authdatum \ - (krb5_context context, krb5_ccache id, \ - krb5_authdata *a) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_data -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_data \ - (krb5_context context, krb5_ccache id, \ - krb5_data *data) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_int32 -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_int32 \ - (krb5_context context, krb5_ccache id, \ - krb5_int32 *i) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_keyblock -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_keyblock \ - (krb5_context context, krb5_ccache id, \ - krb5_keyblock *keyblock) -version 
SUNWprivate_1.1 -end - -function krb5_fcc_read_octet -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_octet \ - (krb5_context context, krb5_ccache id, \ - krb5_octet *i) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_principal -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_principal \ - (krb5_context context, krb5_ccache id, \ - krb5_principal *princ) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_times -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_times \ - (krb5_context context, krb5_ccache id, \ - krb5_ticket_times *t) -version SUNWprivate_1.1 -end - -function krb5_fcc_read_ui_2 -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_read_ui_2 \ - (krb5_context context, krb5_ccache id, \ - krb5_ui_2 *i) -version SUNWprivate_1.1 -end - -function krb5_fcc_resolve -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_resolve \ - (krb5_context context, krb5_ccache *id, \ - const char *residual) -version SUNWprivate_1.1 -end - -function krb5_fcc_retrieve -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_retrieve \ - (krb5_context context, krb5_ccache id, \ - krb5_flags whichfields, krb5_creds *mcreds, \ - krb5_creds *creds) -version SUNWprivate_1.1 -end - -function krb5_fcc_set_flags -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_set_flags \ - (krb5_context context, krb5_ccache id, \ - krb5_flags flags) -version SUNWprivate_1.1 -end - -function krb5_fcc_skip_header -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_skip_header \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_fcc_skip_principal -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_skip_principal \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_fcc_start_seq_get -include <krb5.h>, <fcc-proto.h> -declaration 
krb5_error_code krb5_fcc_start_seq_get \ - (krb5_context context, krb5_ccache id, \ - krb5_cc_cursor *cursor) -version SUNWprivate_1.1 -end - -function krb5_fcc_store -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store \ - (krb5_context context, krb5_ccache id, \ - krb5_creds *creds) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_addr -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_addr \ - (krb5_context context, krb5_ccache id, \ - krb5_address *addr) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_addrs -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_addrs \ - (krb5_context context, krb5_ccache id, \ - krb5_address **addrs) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_authdata -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_authdata \ - (krb5_context context, krb5_ccache id, \ - krb5_authdata **a) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_authdatum -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_authdatum \ - (krb5_context context, krb5_ccache id, \ - krb5_authdata *a) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_data -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_data \ - (krb5_context context, krb5_ccache id, \ - krb5_data *data) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_int32 -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_int32 \ - (krb5_context context, krb5_ccache id, \ - krb5_int32 i) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_keyblock -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_keyblock \ - (krb5_context context, krb5_ccache id, \ - krb5_keyblock *keyblock) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_octet -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_octet \ - (krb5_context context, krb5_ccache 
id, \ - krb5_int32 i) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_principal -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_principal \ - (krb5_context context, krb5_ccache id, \ - krb5_principal princ) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_times -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_times \ - (krb5_context context, krb5_ccache id, \ - krb5_ticket_times *t) -version SUNWprivate_1.1 -end - -function krb5_fcc_store_ui_2 -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_store_ui_2 \ - (krb5_context context, krb5_ccache id, \ - krb5_int32 i) -version SUNWprivate_1.1 -end - -function krb5_fcc_write -include <krb5.h>, <fcc-proto.h> -declaration krb5_error_code krb5_fcc_write \ - (krb5_context context, krb5_ccache id, \ - krb5_pointer buf, int len) +function krb5_rc_close +include <krb5.h> +declaration krb5_error_code krb5_rc_close \ + (krb5_context context, krb5_rcache id) version SUNWprivate_1.1 end 
@@ -625,339 +304,7 @@ declaration krb5_error_code krb5_rc_resolve_full \ version SUNWprivate_1.1 end -function krb5_scc_close -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_close \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_scc_close_file -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_close_file \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_scc_destroy -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_destroy \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_scc_end_seq_get -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_end_seq_get \ - (krb5_context, krb5_ccache id, \ - krb5_cc_cursor *cursor) -version SUNWprivate_1.1 -end - -function krb5_scc_generate_new -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_generate_new \ - (krb5_context context, krb5_ccache *id) -version SUNWprivate_1.1 -end - -function krb5_scc_get_name -include <krb5.h>, <scc-proto.h> -declaration char *krb5_scc_get_name \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_scc_get_principal -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_get_principal \ - (krb5_context context, krb5_ccache id, \ - krb5_principal *princ) -version SUNWprivate_1.1 -end - -function krb5_scc_initialize -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_initialize \ - (krb5_context context, krb5_ccache id, \ - krb5_principal princ) -version SUNWprivate_1.1 -end - -function krb5_scc_interpret -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_interpret \ - (krb5_context context, int errnum) -version SUNWprivate_1.1 -end - -function krb5_scc_next_cred -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_next_cred \ - (krb5_context context, krb5_ccache id, \ - 
krb5_cc_cursor *cursor, krb5_creds *creds) -version SUNWprivate_1.1 -end - -function krb5_scc_open_file -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_open_file \ - (krb5_context context, krb5_ccache id, \ - int mode) -version SUNWprivate_1.1 -end - -data krb5_scc_ops -declaration krb5_cc_ops krb5_scc_ops -version SUNWprivate_1.1 -end - -function krb5_scc_read -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read \ - (krb5_context context, krb5_ccache id, \ - krb5_pointer buf, int len) -version SUNWprivate_1.1 -end - -function krb5_scc_read_addr -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_addr \ - (krb5_context context, krb5_ccache id, \ - krb5_address *addr) -version SUNWprivate_1.1 -end - -function krb5_scc_read_addrs -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_addrs \ - (krb5_context context, krb5_ccache id, \ - krb5_address ***addrs) -version SUNWprivate_1.1 -end - -function krb5_scc_read_authdata -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_authdata \ - (krb5_context context, krb5_ccache id, \ - krb5_authdata ***a) -version SUNWprivate_1.1 -end - -function krb5_scc_read_authdatum -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_authdatum \ - (krb5_context context, krb5_ccache id, \ - krb5_authdata *a) -version SUNWprivate_1.1 -end - -function krb5_scc_read_data -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_data \ - (krb5_context context, krb5_ccache id, \ - krb5_data *data) -version SUNWprivate_1.1 -end - -function krb5_scc_read_int32 -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_int32 \ - (krb5_context context, krb5_ccache id, \ - krb5_int32 *i) -version SUNWprivate_1.1 -end - -function krb5_scc_read_keyblock -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_keyblock \ - (krb5_context context, krb5_ccache id, 
\ - krb5_keyblock *keyblock) -version SUNWprivate_1.1 -end - -function krb5_scc_read_octet -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_octet \ - (krb5_context context, krb5_ccache id, \ - krb5_octet *i) -version SUNWprivate_1.1 -end - -function krb5_scc_read_principal -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_principal \ - (krb5_context context, krb5_ccache id, \ - krb5_principal *princ) -version SUNWprivate_1.1 -end - -function krb5_scc_read_times -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_times \ - (krb5_context context, krb5_ccache id, \ - krb5_ticket_times *t) -version SUNWprivate_1.1 -end - -function krb5_scc_read_ui_2 -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_read_ui_2 \ - (krb5_context context, krb5_ccache id, \ - krb5_ui_2 *i) -version SUNWprivate_1.1 -end - -function krb5_scc_resolve -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_resolve \ - (krb5_context context, krb5_ccache *id, \ - const char *residual) -version SUNWprivate_1.1 -end - -function krb5_scc_retrieve -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_retrieve \ - (krb5_context context, krb5_ccache id, \ - krb5_flags whichfields, krb5_creds *mcreds, \ - krb5_creds *creds) -version SUNWprivate_1.1 -end - -function krb5_scc_set_flags -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_set_flags \ - (krb5_context context, krb5_ccache id, \ - krb5_flags flags) -version SUNWprivate_1.1 -end - -function krb5_scc_skip_header -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_skip_header \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_scc_skip_principal -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_skip_principal \ - (krb5_context context, krb5_ccache id) -version SUNWprivate_1.1 -end - -function krb5_scc_start_seq_get -include 
<krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_start_seq_get \ - (krb5_context context, krb5_ccache id, \ - krb5_cc_cursor *cursor) -version SUNWprivate_1.1 -end - -function krb5_scc_store -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store \ - (krb5_context context, krb5_ccache id, \ - krb5_creds *creds) -version SUNWprivate_1.1 -end - -function krb5_scc_store_addr -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_addr \ - (krb5_context context, krb5_ccache id, \ - krb5_address *addr) -version SUNWprivate_1.1 -end - -function krb5_scc_store_addrs -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_addrs \ - (krb5_context context, krb5_ccache id, \ - krb5_address **addrs) -version SUNWprivate_1.1 -end - -function krb5_scc_store_authdata -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_authdata \ - (krb5_context, krb5_ccache, \ - krb5_authdata **) -version SUNWprivate_1.1 -end - -function krb5_scc_store_authdatum -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_authdatum \ - (krb5_context context, krb5_ccache id, \ - krb5_authdata *a) -version SUNWprivate_1.1 -end -function krb5_scc_store_data -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_data \ - (krb5_context context, krb5_ccache id, \ - krb5_data *data) -version SUNWprivate_1.1 -end - -function krb5_scc_store_int32 -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_int32 \ - (krb5_context context, krb5_ccache id, \ - krb5_int32 i) -version SUNWprivate_1.1 -end - -function krb5_scc_store_keyblock -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_keyblock \ - (krb5_context context, krb5_ccache id, \ - krb5_keyblock *keyblock) -version SUNWprivate_1.1 -end - -function krb5_scc_store_octet -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_octet \ - (krb5_context 
context, krb5_ccache id, \ - krb5_int32 i) -version SUNWprivate_1.1 -end - -function krb5_scc_store_principal -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_principal \ - (krb5_context context, krb5_ccache id, \ - krb5_principal princ) -version SUNWprivate_1.1 -end - -function krb5_scc_store_times -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_times \ - (krb5_context context, krb5_ccache id, \ - krb5_ticket_times *t) -version SUNWprivate_1.1 -end - -function krb5_scc_store_ui_2 -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_store_ui_2 \ - (krb5_context context, krb5_ccache id, \ - krb5_int32 i) -version SUNWprivate_1.1 -end - -function krb5_scc_write -include <krb5.h>, <scc-proto.h> -declaration krb5_error_code krb5_scc_write \ - (krb5_context context, krb5_ccache id, \ - krb5_pointer buf, int len) -version SUNWprivate_1.1 -end function krb5_cc_copy_creds include <krb5.h> @@ -1007,9 +354,9 @@ declaration krb5_error_code krb5_cc_resolve \ version SUNWprivate_1.1 end -function krb5_cc_retrieve_cred_default +function krb5_cc_retrieve_cred include <krb5.h> -declaration krb5_error_code krb5_cc_retrieve_cred_default \ +declaration krb5_error_code krb5_cc_retrieve_cred \ (krb5_context context, krb5_ccache id, \ krb5_flags flags, krb5_creds *mcreds, \ krb5_creds *creds) @@ -1023,11 +370,6 @@ declaration krb5_error_code krb5_cc_set_default_name ( \ version SUNWprivate_1.1 end -data krb5_cc_stdio_ops -declaration krb5_cc_ops krb5_cc_stdio_ops -version SUNWprivate_1.1 -end - function krb5_change_cache include <fcc-proto.h> declaration krb5_error_code krb5_change_cache (void) 
@@ -1040,3 +382,86 @@ declaration unsigned int krb5_get_notification_message (void) version SUNWprivate_1.1 end +function krb5_cc_initialize +include <krb5.h> +declaration krb5_error_code krb5_cc_initialize \ + (krb5_context context, krb5_ccache cache, \ + krb5_principal principal) +version SUNWprivate_1.1 +end + +function krb5_cc_get_principal +include <krb5.h> +declaration krb5_error_code krb5_cc_get_principal \ + (krb5_context context, krb5_ccache cache, \ + krb5_principal *principal) +version SUNWprivate_1.1 +end + +function krb5_cc_close +include <krb5.h> +declaration krb5_error_code krb5_cc_close \ + (krb5_context context, krb5_ccache cache) +version SUNWprivate_1.1 +end + +function krb5_cc_destroy +include <krb5.h> +declaration krb5_error_code krb5_cc_destroy \ + (krb5_context context, krb5_ccache cache) +version SUNWprivate_1.1 +end + +function krb5_cc_end_seq_get +include <krb5.h> +declaration krb5_error_code krb5_cc_end_seq_get \ + (krb5_context context, krb5_ccache cache, \ + krb5_cc_cursor *cursor) +version SUNWprivate_1.1 +end + +function krb5_cc_get_name +include <krb5.h> +declaration krb5_error_code krb5_cc_get_name \ + (krb5_context context, krb5_ccache cache) +version SUNWprivate_1.1 +end + +function krb5_cc_get_type +include <krb5.h> +declaration krb5_error_code krb5_cc_get_type \ + (krb5_context context, krb5_ccache cache) +version SUNWprivate_1.1 +end + +function krb5_cc_next_cred +include <krb5.h> +declaration krb5_error_code krb5_cc_next_cred \ + (krb5_context context, krb5_ccache cache, \ + krb5_cc_cursor *cursor, krb5_creds *creds) +version SUNWprivate_1.1 +end + +function krb5_cc_set_flags +include <krb5.h> +declaration krb5_error_code krb5_cc_destroy \ + (krb5_context context, krb5_ccache cache, \ + krb5_flags flags) +version SUNWprivate_1.1 +end + +function krb5_cc_start_seq_get +include <krb5.h> +declaration krb5_error_code krb5_cc_start_seq_get \ + (krb5_context context, krb5_ccache cache, \ + krb5_cc_cursor *cursor) +version 
SUNWprivate_1.1 +end + +function krb5_cc_store_cred +include <krb5.h> +declaration krb5_error_code krb5_cc_store_cred \ + (krb5_context context, krb5_ccache cache, \ + krb5_creds *creds) +version SUNWprivate_1.1 +end diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_keytab.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_keytab.spec index a493b8f567..64c50c9235 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_keytab.spec +++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_keytab.spec @@ -1,5 +1,5 @@ # -# Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved. +# Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" 
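Review bot: In the hunk that adds the krb5_cc_* entries, the `function krb5_cc_set_flags` block declares `krb5_cc_destroy` with a three-argument signature, which looks like a copy-paste slip; the line should read `declaration krb5_error_code krb5_cc_set_flags \`. As written, the spec file also carries two conflicting declarations of `krb5_cc_destroy`. `krb5_cc_get_name` and `krb5_cc_get_type` are declared as returning `krb5_error_code`, while the removed `krb5_scc_get_name` entry returned `char *`, so both return types should be checked against the prototypes in krb5.h.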
@@ -56,6 +56,54 @@ declaration krb5_error_code krb5_kt_register \ version SUNWprivate_1.1 end +function krb5_kt_close +include <krb5.h> +declaration krb5_error_code krb5_kt_close \ + (krb5_context context, krb5_keytab keytab) +version SUNWprivate_1.1 +end + +function krb5_kt_next_entry +include <krb5.h> +declaration krb5_error_code krb5_kt_next_entry \ + (krb5_context context, krb5_keytab keytab, \ + krb5_keytab_entry *entry, krb5_kt_cursor *cursor) +version SUNWprivate_1.1 +end + +function krb5_kt_get_name +include <krb5.h> +declaration krb5_error_code krb5_kt_get_name \ + (krb5_context context, krb5_keytab keytab, char *name, \ + unsigned int namelen) +version SUNWprivate_1.1 +end + + +function krb5_kt_start_seq_get +include <krb5.h> +declaration krb5_error_code krb5_kt_start_seq_get(krb5_context context, \ + krb5_keytab keytab, krb5_kt_cursor *cursor) +version SUNWprivate_1.1 +end + +function krb5_kt_end_seq_get +include <krb5.h> +declaration krb5_error_code \ + krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, \ + krb5_kt_cursor *cursor) +version SUNWprivate_1.1 +end + +function krb5_kt_get_entry +include <krb5.h> +declaration krb5_error_code krb5_kt_get_entry \ + (krb5_context context, krb5_keytab keytab, \ + krb5_const_principal principal, krb5_kvno vno, \ + krb5_enctype enctype, krb5_keytab_entry *entry) +version SUNWprivate_1.1 +end + function krb5_kt_remove_entry include <krb5.h> declaration krb5_error_code krb5_kt_remove_entry \ diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec index d72e45681e..fded6f805d 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec +++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec @@ -1,5 +1,5 @@ # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" 
@@ -359,21 +359,6 @@ declaration void krb5_verify_init_creds_opt_set_ap_req_nofail ( \ version SUNWprivate_1.1 end -function recvauth_common -include <krb5.h>, <k5-int.h> -declaration krb5_error_code recvauth_common ( \ - krb5_context context, \ - krb5_auth_context * auth_context, \ - krb5_pointer fd, \ - char *appl_version, \ - krb5_principal server, \ - krb5_int32 flags, \ - krb5_keytab keytab, \ - krb5_ticket ** ticket, \ - krb5_data *version) -version SUNWprivate_1.1 -end - function krb5_decode_ticket include <krb5.h> declaration krb5_error_code krb5_decode_ticket \ diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec index fcf0ceccbb..21c0a1ce58 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec +++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec @@ -230,11 +230,6 @@ declaration krb5_error_code krb5_principal2salt \ version SUNWprivate_1.1 end -# spec2trace RFE -function krb5_principal2salt_internal -version SUNWprivate_1.1 -end - function krb5_principal2salt_norealm include <krb5.h> declaration krb5_error_code krb5_principal2salt_norealm \ diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_profile.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_profile.spec index ee40f13cc5..4318c44844 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_profile.spec +++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_profile.spec @@ -1,5 +1,5 @@ # -# Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved. +# Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "%Z%%M% %I% %E% SMI" 
@@ -154,12 +154,6 @@ declaration errcode_t profile_ser_size (const char *unused, \ version SUNWprivate_1.1 end -function profile_update_file -include <stdio.h>, <prof_int.h> -declaration errcode_t profile_update_file (prf_file_t prf) -version SUNWprivate_1.1 -end - function profile_verify_node include <stdio.h>, <prof_int.h> declaration errcode_t profile_verify_node (struct profile_node *node) diff --git a/usr/src/lib/gss_mechs/mech_krb5/support/fake-addrinfo.c b/usr/src/lib/gss_mechs/mech_krb5/support/fake-addrinfo.c new file mode 100644 index 0000000000..d768762dfc --- /dev/null +++ b/usr/src/lib/gss_mechs/mech_krb5/support/fake-addrinfo.c 
@@ -0,0 +1,73 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * Copyright (C) 2004 by the Massachusetts Institute of Technology,
+ * Cambridge, MA, USA. All Rights Reserved.
+ *
+ * This software is being provided to you, the LICENSEE, by the
+ * Massachusetts Institute of Technology (M.I.T.) under the following
+ * license. By obtaining, using and/or copying this software, you agree
+ * that you have read, understood, and will comply with these terms and
+ * conditions:
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
+ * this software and its documentation for any purpose and without fee or
+ * royalty is hereby granted, provided that you agree to comply with the
+ * following copyright notice and statements, including the disclaimer, and
+ * that the same appear on ALL copies of the software and documentation,
+ * including modifications that you make for internal use or for
+ * distribution:
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
+ * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
+ * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
+ * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
+ * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
+ *
+ * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
+ * be used in advertising or publicity pertaining to distribution of the
+ * software. Title to copyright in this software and any associated
+ * documentation shall at all times remain with M.I.T., and USER agrees to
+ * preserve same.
+ *
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ */
+
+#include <fake-addrinfo.h>
+#include <k5-thread.h>
+
+/* Allocate the storage here. */
+struct fac krb5int_fac = { K5_MUTEX_PARTIAL_INITIALIZER, 0 };
+
+int krb5int_init_fac (void)
+{
+ return k5_mutex_finish_init(&krb5int_fac.lock);
+}
+
+void krb5int_fini_fac (void)
+{
+ k5_mutex_destroy(&krb5int_fac.lock);
+}
+
+extern int krb5int_call_thread_support_init(void);
+int krb5int_lock_fac (void)
+{
+ int err;
+ err = krb5int_call_thread_support_init();
+ if (err)
+ return err;
+ return k5_mutex_lock(&krb5int_fac.lock);
+}
+
+int krb5int_unlock_fac (void)
+{
+ return k5_mutex_unlock(&krb5int_fac.lock);
+}
diff --git a/usr/src/lib/gss_mechs/mech_krb5/support/threads.c b/usr/src/lib/gss_mechs/mech_krb5/support/threads.c
new file mode 100644
index 0000000000..029590f8b7
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/support/threads.c
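Review bot: In fake-addrinfo.c, `krb5int_call_thread_support_init` is declared with a local `extern` just above `krb5int_lock_fac` instead of through a shared header, so the compiler cannot check that declaration against the definition in threads.c if either side changes. threads.c does the same for `krb5int_init_fac` and `krb5int_fini_fac`. Moving the three prototypes into a header that both files already include (presumably k5-thread.h or fake-addrinfo.h, whichever is meant to own them) would keep the two files in step.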
@@ -0,0 +1,392 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * util/support/threads.c
+ *
+ * Copyright 2004 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Preliminary thread support.
+ */ + +#include <assert.h> +#include <stdlib.h> +#include <errno.h> +#include <k5-thread.h> +#include <k5-platform.h> + +MAKE_INIT_FUNCTION(krb5int_thread_support_init); +MAKE_FINI_FUNCTION(krb5int_thread_support_fini); + +#ifndef ENABLE_THREADS /* no thread support */ + +static void (*destructors[K5_KEY_MAX])(void *); +struct tsd_block { void *values[K5_KEY_MAX]; }; +static struct tsd_block tsd_no_threads; +static unsigned char destructors_set[K5_KEY_MAX]; + +#elif defined(_WIN32) + +static DWORD tls_idx; +static CRITICAL_SECTION key_lock; +struct tsd_block { + void *values[K5_KEY_MAX]; +}; +static void (*destructors[K5_KEY_MAX])(void *); +static unsigned char destructors_set[K5_KEY_MAX]; + +void krb5int_thread_detach_hook (void) +{ + /* XXX Memory leak here! + Need to destroy all TLS objects we know about for this thread. */ + struct tsd_block *t; + int i, err; + + err = CALL_INIT_FUNCTION(krb5int_thread_support_init); + if (err) + return; + + t = TlsGetValue(tls_idx); + if (t == NULL) + return; + for (i = 0; i < K5_KEY_MAX; i++) { + if (destructors_set[i] && destructors[i] && t->values[i]) { + void *v = t->values[i]; + t->values[i] = 0; + (*destructors[i])(v); + } + } +} + +#else /* POSIX threads */ + +/* Must support register/delete/register sequence, e.g., if krb5 is + loaded so this support code stays in the process, and gssapi is + loaded, unloaded, and loaded again. */ + +static k5_mutex_t key_lock = K5_MUTEX_PARTIAL_INITIALIZER; +static void (*destructors[K5_KEY_MAX])(void *); +static unsigned char destructors_set[K5_KEY_MAX]; + +/* This is not safe yet! + + Thread termination concurrent with key deletion can cause two + threads to interfere. It's a bit tricky, since one of the threads + will want to remove this structure from the list being walked by + the other. + + Other cases, like looking up data while the library owning the key + is in the process of being unloaded, we don't worry about. 
*/ + +struct tsd_block { + struct tsd_block *next; + void *values[K5_KEY_MAX]; +}; + +#ifdef HAVE_PRAGMA_WEAK_REF +# pragma weak pthread_getspecific +# pragma weak pthread_setspecific +# pragma weak pthread_key_create +# pragma weak pthread_key_delete +static struct tsd_block tsd_if_single; +# define GET_NO_PTHREAD_TSD() (&tsd_if_single) +#else +# define GET_NO_PTHREAD_TSD() (abort(),(struct tsd_block *)0) +#endif + +static pthread_key_t key; +static void thread_termination(void *); + +static void thread_termination (void *tptr) +{ + int i, pass, none_found; + struct tsd_block *t = tptr; + + /* Make multiple passes in case, for example, a libkrb5 cleanup + function wants to print out an error message, which causes + com_err to allocate a thread-specific buffer, after we just + freed up the old one. + + Shouldn't actually happen, if we're careful, but check just in + case. */ + + pass = 0; + none_found = 0; + while (pass < 4 && !none_found) { + none_found = 1; + for (i = 0; i < K5_KEY_MAX; i++) { + if (destructors_set[i] && destructors[i] && t->values[i]) { + void *v = t->values[i]; + t->values[i] = 0; + (*destructors[i])(v); + none_found = 0; + } + } + } + /* remove thread from global linked list */ +} + +#endif /* no threads vs Win32 vs POSIX */ + +void *k5_getspecific (k5_key_t keynum) +{ + struct tsd_block *t; + int err; + + err = CALL_INIT_FUNCTION(krb5int_thread_support_init); + if (err) + return NULL; + + assert(keynum >= 0 && keynum < K5_KEY_MAX); + assert(destructors_set[keynum] == 1); + +#ifndef ENABLE_THREADS + + t = &tsd_no_threads; + +#elif defined(_WIN32) + + t = TlsGetValue(tls_idx); + +#else /* POSIX */ + + if (K5_PTHREADS_LOADED) + t = pthread_getspecific(key); + else + t = GET_NO_PTHREAD_TSD(); + +#endif + + if (t == NULL) + return NULL; + return t->values[keynum]; +} + +int k5_setspecific (k5_key_t keynum, void *value) +{ + struct tsd_block *t; + int err; + + err = CALL_INIT_FUNCTION(krb5int_thread_support_init); + if (err) + return err; + + 
assert(keynum >= 0 && keynum < K5_KEY_MAX); + assert(destructors_set[keynum] == 1); + +#ifndef ENABLE_THREADS + + t = &tsd_no_threads; + +#elif defined(_WIN32) + + t = TlsGetValue(tls_idx); + if (t == NULL) { + int i; + t = malloc(sizeof(*t)); + if (t == NULL) + return errno; + for (i = 0; i < K5_KEY_MAX; i++) + t->values[i] = 0; + /* add to global linked list */ + /* t->next = 0; */ + err = TlsSetValue(tls_idx, t); + if (err) { + free(t); + return err; + } + } + +#else /* POSIX */ + + if (K5_PTHREADS_LOADED) { + t = pthread_getspecific(key); + if (t == NULL) { + int i; + t = malloc(sizeof(*t)); + if (t == NULL) + return errno; + for (i = 0; i < K5_KEY_MAX; i++) + t->values[i] = 0; + /* add to global linked list */ + t->next = 0; + err = pthread_setspecific(key, t); + if (err) { + free(t); + return err; + } + } + } else { + t = GET_NO_PTHREAD_TSD(); + } + +#endif + + t->values[keynum] = value; + return 0; +} + +int k5_key_register (k5_key_t keynum, void (*destructor)(void *)) +{ + int err; + + err = CALL_INIT_FUNCTION(krb5int_thread_support_init); + if (err) + return err; + + assert(keynum >= 0 && keynum < K5_KEY_MAX); + +#ifndef ENABLE_THREADS + + assert(destructors_set[keynum] == 0); + destructors[keynum] = destructor; + destructors_set[keynum] = 1; + err = 0; + +#elif defined(_WIN32) + + /* XXX: This can raise EXCEPTION_POSSIBLE_DEADLOCK. 
*/ + EnterCriticalSection(&key_lock); + assert(destructors_set[keynum] == 0); + destructors_set[keynum] = 1; + destructors[keynum] = destructor; + LeaveCriticalSection(&key_lock); + err = 0; + +#else /* POSIX */ + + err = k5_mutex_lock(&key_lock); + if (err == 0) { + assert(destructors_set[keynum] == 0); + destructors_set[keynum] = 1; + destructors[keynum] = destructor; + err = k5_mutex_unlock(&key_lock); + } + +#endif + return 0; +} + +int k5_key_delete (k5_key_t keynum) +{ + assert(keynum >= 0 && keynum < K5_KEY_MAX); + +#ifndef ENABLE_THREADS + + assert(destructors_set[keynum] == 1); + if (destructors[keynum] && tsd_no_threads.values[keynum]) + (*destructors[keynum])(tsd_no_threads.values[keynum]); + destructors[keynum] = 0; + tsd_no_threads.values[keynum] = 0; + destructors_set[keynum] = 0; + +#elif defined(_WIN32) + + /* XXX: This can raise EXCEPTION_POSSIBLE_DEADLOCK. */ + EnterCriticalSection(&key_lock); + /* XXX Memory leak here! + Need to destroy the associated data for all threads. + But watch for race conditions in case threads are going away too. */ + LeaveCriticalSection(&key_lock); + +#else /* POSIX */ + + /* Not written yet. */ + abort(); + +#endif + + return 0; +} + +int krb5int_call_thread_support_init (void) +{ + return CALL_INIT_FUNCTION(krb5int_thread_support_init); +} + +extern int krb5int_init_fac(void); +extern void krb5int_fini_fac(void); + +int krb5int_thread_support_init (void) +{ + int err; + +#ifndef ENABLE_THREADS + + /* Nothing to do for TLS initialization. */ + +#elif defined(_WIN32) + + tls_idx = TlsAlloc(); + /* XXX This can raise an exception if memory is low! */ + InitializeCriticalSection(&key_lock); + +#else /* POSIX */ + + err = k5_mutex_finish_init(&key_lock); + if (err) + return err; + if (K5_PTHREADS_LOADED) { + err = pthread_key_create(&key, thread_termination); + if (err) + return err; + } + +#endif + + err = krb5int_init_fac(); + if (err) + return err; + + return 0; +} + +void krb5int_thread_support_fini (void) +{ + if (! 
INITIALIZER_RAN (krb5int_thread_support_init)) + return; + +#ifndef ENABLE_THREADS + + /* Do nothing. */ + +#elif defined(_WIN32) + + /* ... free stuff ... */ + TlsFree(tls_idx); + DeleteCriticalSection(&key_lock); + +#else /* POSIX */ + + if (! INITIALIZER_RAN(krb5int_thread_support_init)) + return; + if (K5_PTHREADS_LOADED) + pthread_key_delete(key); + /* ... delete stuff ... */ + k5_mutex_destroy(&key_lock); + +#endif + + krb5int_fini_fac(); +} + diff --git a/usr/src/lib/krb5/kadm5/clnt/changepw.c b/usr/src/lib/krb5/kadm5/clnt/changepw.c index b5b4099d8b..48d4d130aa 100644 --- a/usr/src/lib/krb5/kadm5/clnt/changepw.c +++ b/usr/src/lib/krb5/kadm5/clnt/changepw.c @@ -1,6 +1,6 @@ /* - * Copyright (c) 1998-2001 by Sun Microsystems, Inc. - * All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -80,9 +80,10 @@ _kadm5_get_kpasswd_protocol(void *handle) * non-SEAM servers which support the Marc Horowitz defined * protocol (1998) for password changing. * + * SUNW14resync - added _local as it conflicts with one in krb5.h */ static krb5_error_code -krb5_change_password(context, params, creds, newpw, srvr_rsp_code, +krb5_change_password_local(context, params, creds, newpw, srvr_rsp_code, srvr_msg) krb5_context context; kadm5_config_params *params; @@ -426,7 +427,7 @@ kadm5_chpass_principal_v2(void *server_handle, } /* Now we have all we need to make the change request. */ - result = krb5_change_password(handle->context, &handle->params, + result = krb5_change_password_local(handle->context, &handle->params, &ncreds, newpw, srvr_rsp_code, srvr_msg); diff --git a/usr/src/lib/krb5/kadm5/srv/server_acl.h b/usr/src/lib/krb5/kadm5/srv/server_acl.h index fef30e5277..756c3d7b4a 100644 --- a/usr/src/lib/krb5/kadm5/srv/server_acl.h +++ b/usr/src/lib/krb5/kadm5/srv/server_acl.h 
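Review bot: In threads.c, `k5_key_register` ends with `return 0;`, so the `err` set by `k5_mutex_lock`/`k5_mutex_unlock` in the POSIX branch is discarded and the caller is told the key is registered even when `destructors_set[keynum]` was never written; the last statement should be `return err;`. In `thread_termination` the counter `pass` is never incremented, so the `pass < 4` bound has no effect and a destructor that repopulates its slot keeps the loop running; add `pass++;` at the end of the `while` body. In the `_WIN32` branch of `k5_setspecific`, `TlsSetValue` returns nonzero on success, so `if (err)` frees the new block on the success path and the test should be inverted. Finally, `keynum` is range-checked only by `assert`, which compiles away under NDEBUG, so `k5_setspecific` and `k5_key_register` would be safer with an explicit `if (keynum < 0 || keynum >= K5_KEY_MAX) return EINVAL;` before indexing `destructors[]` and `values[]`.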
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -119,23 +119,23 @@ typedef struct _restriction { } restriction_t; krb5_error_code acl_init - KRB5_PROTOTYPE((krb5_context, + (krb5_context, int, - char *)); + char *); void acl_finish - KRB5_PROTOTYPE((krb5_context, - int)); + (krb5_context, + int); krb5_boolean acl_check - KRB5_PROTOTYPE((krb5_context, + (krb5_context, gss_name_t, krb5_int32, krb5_principal, - restriction_t **)); + restriction_t **); krb5_error_code acl_impose_restrictions - KRB5_PROTOTYPE((krb5_context, + (krb5_context, kadm5_principal_ent_rec *, long *, - restriction_t *)); + restriction_t *); #ifdef __cplusplus } #endif diff --git a/usr/src/lib/krb5/kadm5/str_conv.c b/usr/src/lib/krb5/kadm5/str_conv.c index 0a5f7474fe..9e81c46194 100644 --- a/usr/src/lib/krb5/kadm5/str_conv.c +++ b/usr/src/lib/krb5/kadm5/str_conv.c @@ -420,8 +420,8 @@ krb5_keysalt_iterate(ksaltlist, nksalt, ignoresalt, iterator, arg) krb5_key_salt_tuple *ksaltlist; krb5_int32 nksalt; krb5_boolean ignoresalt; - krb5_error_code (*iterator) KRB5_NPROTOTYPE((krb5_key_salt_tuple *, - krb5_pointer)); + krb5_error_code (*iterator) (krb5_key_salt_tuple *, + krb5_pointer); krb5_pointer arg; { int i; diff --git a/usr/src/lib/krb5/kdb/kdb_db2.c b/usr/src/lib/krb5/kdb/kdb_db2.c index 351d600a7c..3697d7bbc8 100644 --- a/usr/src/lib/krb5/kdb/kdb_db2.c +++ b/usr/src/lib/krb5/kdb/kdb_db2.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -78,13 +78,13 @@ #include "kdb_db2.h" static char *gen_dbsuffix - PROTOTYPE((char *, char * )); + (char *, char * ); static krb5_error_code krb5_db2_db_start_update - PROTOTYPE((krb5_context)); + (krb5_context); static krb5_error_code krb5_db2_db_end_update - PROTOTYPE((krb5_context)); + (krb5_context); static krb5_error_code krb5_db2_db_set_hashfirst - PROTOTYPE((krb5_context, int)); + (krb5_context, int); static char default_db_name[] = DEFAULT_KDB_FILE; @@ -1219,7 +1219,7 @@ cleanup: krb5_error_code krb5_db2_db_iterate (context, func, func_arg) krb5_context context; - krb5_error_code (*func) PROTOTYPE((krb5_pointer, krb5_db_entry *)); + krb5_error_code (*func) (krb5_pointer, krb5_db_entry *); krb5_pointer func_arg; { krb5_db2_context *db_ctx; diff --git a/usr/src/lib/krb5/kdb/kdb_db2.h b/usr/src/lib/krb5/kdb/kdb_db2.h index ec577edca5..bc0c690dae 100644 --- a/usr/src/lib/krb5/kdb/kdb_db2.h +++ b/usr/src/lib/krb5/kdb/kdb_db2.h 
@@ -70,56 +70,56 @@ typedef struct _krb5_db2_context { #define KDB2_LOCK_EXT ".ok" krb5_error_code krb5_db2_db_set_name - KRB5_PROTOTYPE((krb5_context, - char * )); + (krb5_context, + char * ); krb5_error_code krb5_db2_db_init - KRB5_PROTOTYPE((krb5_context)); + (krb5_context); krb5_error_code krb5_db2_db_fini - KRB5_PROTOTYPE((krb5_context)); + (krb5_context); krb5_error_code krb5_db2_db_get_age - KRB5_PROTOTYPE((krb5_context, + (krb5_context, char *, - time_t * )); + time_t * ); krb5_error_code krb5_db2_db_create - KRB5_PROTOTYPE((krb5_context, + (krb5_context, char *, - krb5_int32)); + krb5_int32); krb5_error_code krb5_db2_db_destroy - KRB5_PROTOTYPE((krb5_context, - char * )); + (krb5_context, + char * ); krb5_error_code krb5_db2_db_rename - KRB5_PROTOTYPE((krb5_context, + (krb5_context, char *, - char * )); + char * ); krb5_error_code krb5_db2_db_get_principal - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_const_principal, krb5_db_entry *, int *, - krb5_boolean * )); + krb5_boolean * ); void krb5_db2_db_free_principal - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_db_entry *, - int )); + int ); krb5_error_code krb5_db2_db_put_principal - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_db_entry *, - int * )); + int * ); krb5_error_code krb5_db2_db_iterate - KRB5_PROTOTYPE((krb5_context, - krb5_error_code (*) KRB5_PROTOTYPE((krb5_pointer, - krb5_db_entry *)), - krb5_pointer )); + (krb5_context, + krb5_error_code (*) (krb5_pointer, + krb5_db_entry *), + krb5_pointer ); krb5_error_code krb5_db2_db_set_nonblocking - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_boolean, - krb5_boolean * )); + krb5_boolean * ); krb5_boolean krb5_db2_db_set_lockmode - KRB5_PROTOTYPE((krb5_context, - krb5_boolean )); + (krb5_context, + krb5_boolean ); krb5_error_code krb5_db2_db_open_database - KRB5_PROTOTYPE((krb5_context)); + (krb5_context); krb5_error_code krb5_db2_db_close_database - KRB5_PROTOTYPE((krb5_context)); + (krb5_context); #endif /* KRB5_KDB_DB2_H 
*/ diff --git a/usr/src/lib/pam_modules/krb5/krb5_authenticate.c b/usr/src/lib/pam_modules/krb5/krb5_authenticate.c index 862b2b4ac0..4601023b2f 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_authenticate.c +++ b/usr/src/lib/pam_modules/krb5/krb5_authenticate.c @@ -20,7 +20,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -763,7 +763,6 @@ krb5_cleanup(pam_handle_t *pamh, void *data, int pam_status) */ if ((pam_status == PAM_SUCCESS) && (kmd->auth_status == PAM_SUCCESS) && kmd->ccache) - /* LINTED */ krb5_cc_close(kmd->kcontext, kmd->ccache); if (kmd->password) { diff --git a/usr/src/lib/pam_modules/krb5/krb5_setcred.c b/usr/src/lib/pam_modules/krb5/krb5_setcred.c index b3fef6cfce..9715b94a03 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_setcred.c +++ b/usr/src/lib/pam_modules/krb5/krb5_setcred.c @@ -20,7 +20,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -41,6 +41,7 @@ #include <unistd.h> #include <sys/stat.h> #include <fcntl.h> +#include <errno.h> #include <com_err.h> #include "utils.h" diff --git a/usr/src/lib/pam_modules/krb5/utils.c b/usr/src/lib/pam_modules/krb5/utils.c index 324079abc0..18c3a8f155 100644 --- a/usr/src/lib/pam_modules/krb5/utils.c +++ b/usr/src/lib/pam_modules/krb5/utils.c @@ -20,7 +20,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,6 +34,7 @@ #include <unistd.h> #include <ctype.h> #include <syslog.h> +#include <errno.h> #include "utils.h" 
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/arcfour/k5_arcfour.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/arcfour/k5_arcfour.c index 5c6e0ac0bf..13908f8b71 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/arcfour/k5_arcfour.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/arcfour/k5_arcfour.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -28,8 +28,8 @@ krb5_arcfour_encrypt_length(enc, hash, inputlen, length) { size_t blocksize, hashsize; - (*(enc->block_size))(&blocksize); - (*(hash->hash_size))(&hashsize); + blocksize = enc->block_size; + hashsize = hash->hashsize; /* checksum + (confounder + inputlen, in even blocksize) */ *length = hashsize + krb5_roundup(8 + inputlen, blocksize); @@ -85,12 +85,12 @@ krb5_arcfour_encrypt(context, enc, hash, key, usage, ivec, input, output) krb5_keyblock *kptr; krb5_data d1, d2, d3, salt, plaintext, checksum, ciphertext, confounder; krb5_keyusage ms_usage; - size_t keylength, keybytes, blocksize, hashsize; + size_t keybytes, blocksize, hashsize; krb5_error_code ret = 0; - (*(enc->block_size))(&blocksize); - (*(enc->keysize))(&keybytes, &keylength); - (*(hash->hash_size))(&hashsize); + blocksize = enc->block_size; + keybytes = enc->keybytes; + hashsize = hash->hashsize; bzero(&d2, sizeof(krb5_data)); bzero(&k2, sizeof(krb5_keyblock)); 
@@ -281,12 +281,11 @@ krb5_arcfour_decrypt(context, enc, hash, key, usage, ivec, input, output) krb5_keyblock k1,k2,k3, *kptr; krb5_data d1,d2,d3,salt,ciphertext,plaintext,checksum; krb5_keyusage ms_usage; - size_t keybytes, keylength, hashsize, blocksize; + size_t keybytes, hashsize; krb5_error_code ret; - (*(enc->block_size))(&blocksize); - (*(enc->keysize))(&keybytes, &keylength); - (*(hash->hash_size))(&hashsize); + keybytes = enc->keybytes; + hashsize = hash->hashsize; bzero(&d2, sizeof(krb5_data)); bzero(&k2, sizeof(krb5_keyblock)); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/block_size.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/block_size.c index 255503eb1f..a3ccf6faa9 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/block_size.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/block_size.c @@ -29,11 +29,9 @@ #include <etypes.h> /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_block_size(context, enctype, blocksize) - krb5_context context; - krb5_enctype enctype; - size_t *blocksize; +krb5_error_code KRB5_CALLCONV +krb5_c_block_size(krb5_context context, krb5_enctype enctype, + size_t *blocksize) { int i; @@ -45,7 +43,7 @@ krb5_c_block_size(context, enctype, blocksize) if (i == krb5_enctypes_length) return(KRB5_BAD_ENCTYPE); - (*(krb5_enctypes_list[i].enc->block_size))(blocksize); + *blocksize = krb5_enctypes_list[i].enc->block_size; return(0); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/checksum_length.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/checksum_length.c index d36da1aec1..2b1cc0ff96 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/checksum_length.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/checksum_length.c 
@@ -29,11 +29,9 @@ #include <cksumtypes.h> /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_checksum_length(context, cksumtype, length) - krb5_context context; - krb5_cksumtype cksumtype; - size_t *length; +krb5_error_code KRB5_CALLCONV +krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, + size_t *length) { int i; @@ -46,11 +44,11 @@ krb5_c_checksum_length(context, cksumtype, length) return(KRB5_BAD_ENCTYPE); if (krb5_cksumtypes_list[i].keyhash) - (*(krb5_cksumtypes_list[i].keyhash->hash_size))(length); - else if (krb5_cksumtypes_list[i].trunc_size) - *length = krb5_cksumtypes_list[i].trunc_size; + *length = krb5_cksumtypes_list[i].keyhash->hashsize; + else if (krb5_cksumtypes_list[i].trunc_size) + *length = krb5_cksumtypes_list[i].trunc_size; else - (*(krb5_cksumtypes_list[i].hash->hash_size))(length); + *length = krb5_cksumtypes_list[i].hash->hashsize; return(0); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/combine_keys.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/combine_keys.c index 100e8591af..0de017fe9f 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/combine_keys.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/combine_keys.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -108,7 +108,8 @@ krb5_error_code krb5int_c_combine_keys enc = krb5_enctypes_list[i].enc; - (*(enc->keysize))(&keybytes, &keylength); + keybytes = enc->keybytes; + keylength = enc->keylength; /* * Allocate and set up buffers @@ -302,8 +303,9 @@ static krb5_error_code dr unsigned char *inblockdata, *outblockdata; krb5_data inblock, outblock; - (*(enc->block_size))(&blocksize); - (*(enc->keysize))(&keybytes, &keylength); + blocksize = enc->block_size; + keybytes = enc->keybytes; + keylength = enc->keylength; /* allocate and set up buffers */ 
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/decrypt.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/decrypt.c index 99ccb6f64a..1e0bf724b4 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/decrypt.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/decrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,14 +34,10 @@ #include <etypes.h> /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_decrypt(context, key, usage, ivec, input, output) - krb5_context context; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *ivec; - krb5_const krb5_enc_data *input; - krb5_data *output; +krb5_error_code KRB5_CALLCONV +krb5_c_decrypt(krb5_context context, const krb5_keyblock *key, + krb5_keyusage usage, const krb5_data *ivec, + const krb5_enc_data *input, krb5_data *output) { int i; krb5_error_code ret = 0; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/d3_cbc.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/d3_cbc.c index dbf363dba1..374e913718 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/d3_cbc.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/d3_cbc.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -35,8 +35,8 @@ int mit_des3_cbc_encrypt(context, in, out, length, key, ivec, encrypt) krb5_context context; - const mit_des_cblock FAR *in; - mit_des_cblock FAR *out; + const mit_des_cblock *in; + mit_des_cblock *out; long length; krb5_keyblock *key; mit_des_cblock ivec; 
@@ -116,8 +116,8 @@ final_cleanup: /* ARGSUSED */ int mit_des3_cbc_encrypt(krb5_context context, - const mit_des_cblock FAR *in, - mit_des_cblock FAR *out, + const mit_des_cblock *in, + mit_des_cblock *out, long length, krb5_keyblock *key, mit_des_cblock ivec, int encrypt) { diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cbc.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cbc.c index 2550836f10..40774cbb1d 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cbc.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cbc.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -23,12 +23,18 @@ * des_cbc_encrypt - {en,de}crypt a stream in CBC mode */ +/* SUNW14resync - sparcv9 cc complained about lack of object init */ +/* = all zero */ +const mit_des_cblock mit_des_zeroblock = {0, 0, 0, 0, 0, 0, 0, 0}; + +#undef mit_des_cbc_encrypt + #ifndef _KERNEL int mit_des_cbc_encrypt(context, in, out, length, key, ivec, encrypt) krb5_context context; - const mit_des_cblock FAR *in; - mit_des_cblock FAR *out; + const mit_des_cblock *in; + mit_des_cblock *out; long length; krb5_keyblock *key; mit_des_cblock ivec; @@ -126,8 +132,8 @@ final_cleanup: /* ARGSUSED */ int mit_des_cbc_encrypt(krb5_context context, - const mit_des_cblock FAR *in, - mit_des_cblock FAR *out, + const mit_des_cblock *in, + mit_des_cblock *out, long length, krb5_keyblock *key, mit_des_cblock ivec, int encrypt) { diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cksum.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cksum.c index 4cc96a60f9..7ede8065ff 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cksum.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/des/f_cksum.c 
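Review bot: The new `mit_des_zeroblock` in f_cbc.c has external linkage and is a single `mit_des_cblock`, whereas the static copies this commit removes from des.c, des3.c and k5_kmd5des.c were arrays of eight blocks and the one in descbc.c was `char[8]`. The matching `extern` declaration is not visible in this part of the diff, so it is worth confirming that every user still passes a pointer of the type its callee expects. I would state the intent above the definition, e.g. `/* one shared all-zero DES block; replaces the per-file static copies */`. The `#undef mit_des_cbc_encrypt` added in the same hunk has no explanation and should get a one-line reason as well.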
@@ -1,5 +1,5 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -28,7 +28,7 @@ unsigned long mit_des_cbc_cksum(krb5_context context, krb5_octet *in, krb5_octet *out, long length, krb5_keyblock *key, - krb5_octet FAR *ivec) + krb5_octet *ivec) { krb5_error_code ret = 0; /* EXPORT DELETE START */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/derive.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/derive.c index e0209d3edf..22986e60ac 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/derive.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/derive.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -268,8 +268,10 @@ krb5_derive_key(context, enc, inkey, outkey, in_constant) KRB5_LOG0(KRB5_INFO, "krb5_derive_key() start"); - (*(enc->block_size))(&blocksize); - (*(enc->keysize))(&keybytes, &keylength); + blocksize = enc->block_size; + keybytes = enc->keybytes; + keylength = enc->keylength; + if ((inkey->length != keylength) || (outkey->length != keylength)) diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_decrypt.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_decrypt.c index 358ef04aac..2cc6f307f6 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_decrypt.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_decrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -90,7 +90,7 @@ krb5_dk_decrypt_maybe_trunc_hmac( size_t hmacsize) { krb5_error_code ret; - size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen; + size_t hashsize, blocksize, enclen, plainlen; unsigned char *plaindata = NULL, *cksum = NULL, *cn; krb5_data d1, d2; krb5_keyblock *derived_encr_key = NULL; @@ -111,9 +111,8 @@ krb5_dk_decrypt_maybe_trunc_hmac( if (ret) return (ret); - (*(hash->hash_size))(&hashsize); - (*(enc->block_size))(&blocksize); - (*(enc->keysize))(&keybytes, &keylength); + hashsize = hash->hashsize; + blocksize = enc->block_size; if (hmacsize == 0) hmacsize = hashsize; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_encrypt.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_encrypt.c index 5f3f23ce5b..6f80bf6610 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_encrypt.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/dk/dk_encrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -44,32 +44,30 @@ include these bits of info. */ void -krb5_dk_encrypt_length(enc, hash, inputlen, length) - krb5_const struct krb5_enc_provider *enc; - krb5_const struct krb5_hash_provider *hash; - size_t inputlen; - size_t *length; +krb5_dk_encrypt_length(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + size_t inputlen, size_t *length) { size_t blocksize, hashsize; - (*(enc->block_size))(&blocksize); - (*(hash->hash_size))(&hashsize); + blocksize = enc->block_size; + hashsize = hash->hashsize; *length = krb5_roundup(blocksize+inputlen, blocksize) + hashsize; } krb5_error_code -krb5_dk_encrypt(context, enc, hash, key, usage, ivec, input, output) - krb5_context context; - krb5_const struct krb5_enc_provider *enc; - krb5_const struct krb5_hash_provider *hash; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *ivec; - krb5_const krb5_data *input; - krb5_data *output; +krb5_dk_encrypt( + krb5_context context, + krb5_const struct krb5_enc_provider *enc, + krb5_const struct krb5_hash_provider *hash, + krb5_const krb5_keyblock *key, + krb5_keyusage usage, + krb5_const krb5_data *ivec, + krb5_const krb5_data *input, + krb5_data *output) { - size_t blocksize, keybytes, keylength, plainlen, enclen; + size_t blocksize, plainlen, enclen; krb5_error_code ret; krb5_data d1, d2; unsigned char *plaintext = NULL, *cn; @@ -91,8 +89,7 @@ krb5_dk_encrypt(context, enc, hash, key, usage, ivec, input, output) if (ret) return (ret); - (*(enc->block_size))(&blocksize); - (*(enc->keysize))(&keybytes, &keylength); + blocksize = enc->block_size; plainlen = krb5_roundup(blocksize+input->length, blocksize); krb5_dk_encrypt_length(enc, hash, input->length, &enclen); @@ -179,7 +176,7 @@ krb5int_aes_encrypt_length(enc, hash, inputlen, length) { size_t blocksize, hashsize; - (*(enc->block_size))(&blocksize); + blocksize = enc->block_size; hashsize = 96 / 8; /* No roundup, since CTS requires no padding once we've hit the 
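Review bot: `krb5_dk_encrypt` is converted to a prototype-style definition but keeps the `krb5_const` macro on five parameters (`enc`, `hash`, `key`, `ivec`, `input`). `krb5_dk_encrypt_length` directly above it, and `krb5_c_decrypt` and `krb5_c_encrypt` elsewhere in this commit, switch to plain `const`. For consistency I would write `const struct krb5_enc_provider *enc,` and likewise for the other four, so the file does not depend on the compatibility macro in one function and not the next. The function body continues outside the hunk.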
@@ -199,7 +196,7 @@ trunc_hmac (krb5_context context, char buff[256]; /* sufficiently large enough to hold current hmacs */ krb5_data tmphash; - (hash->hash_size)(&hashsize); + hashsize = hash->hashsize; if (hashsize < output->length) return (KRB5_CRYPTO_INTERNAL); @@ -233,7 +230,7 @@ krb5int_aes_dk_encrypt(krb5_context context, const krb5_data *input, krb5_data *output) { - size_t blocksize, keybytes, keylength, plainlen, enclen; + size_t blocksize, plainlen, enclen; krb5_error_code ret; krb5_data d1, d2; unsigned char *plaintext, *cn; @@ -253,8 +250,7 @@ krb5int_aes_dk_encrypt(krb5_context context, if (ret) return (ret); - (*(enc->block_size))(&blocksize); - (*(enc->keysize))(&keybytes, &keylength); + blocksize = enc->block_size; plainlen = blocksize+input->length; krb5int_aes_encrypt_length(enc, hash, input->length, &enclen); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/aes_provider.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/aes_provider.c index 39bbab6db5..9e59789531 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/aes_provider.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/aes_provider.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -10,24 +10,6 @@ #define BLOCK_SIZE 16 -static void -aes_block_size(size_t *blocksize) -{ - *blocksize = 16; -} - -static void -aes128_keysize(size_t *keybytes, size_t *keylength) -{ - *keybytes = *keylength = 16; -} - -static void -aes256_keysize(size_t *keybytes, size_t *keylength) -{ - *keybytes = *keylength = 32; -} - #define XOR_BLOCK(src, dst) \ (dst)[0] ^= (src)[0]; \ (dst)[1] ^= (src)[1]; \ 
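Review bot: In `trunc_hmac`, `hashsize` is now read straight from `hash->hashsize` while the scratch buffer stays `char buff[256]`, and the only bound visible in the hunk is `hashsize < output->length`. If `buff` receives the full untruncated HMAC, a provider with a digest larger than 256 bytes would write past it. That use of `buff` is inferred from its comment, because the rest of the function is outside the hunk. An explicit guard next to the existing check would enforce the assumption rather than only comment on it: `if (hashsize > sizeof (buff)) return (KRB5_CRYPTO_INTERNAL);`.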
@@ -553,8 +535,8 @@ krb5int_aes_init_state (krb5_context context, const krb5_keyblock *key, } const struct krb5_enc_provider krb5int_enc_aes128 = { - aes_block_size, - aes128_keysize, + BLOCK_SIZE, + 16, 16, krb5int_aes_encrypt, krb5int_aes_decrypt, k5_aes_make_key, @@ -563,8 +545,8 @@ const struct krb5_enc_provider krb5int_enc_aes128 = { }; const struct krb5_enc_provider krb5int_enc_aes256 = { - aes_block_size, - aes256_keysize, + BLOCK_SIZE, + 32, 32, krb5int_aes_encrypt, krb5int_aes_decrypt, k5_aes_make_key, diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/arcfour_provider.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/arcfour_provider.c index 001dcd98dc..4778d44d28 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/arcfour_provider.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/arcfour_provider.c 
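Review bot: The provider tables now begin with bare positional integers, and nothing in the initializer says which value is `keybytes` and which is `keylength`. This applies to `BLOCK_SIZE, 16, 16,` and `BLOCK_SIZE, 32, 32,` here, `1, 16, 16,` in arcfour_provider.c, `8, 7, 8,` in des.c and `8, 21, 24,` in des3.c. With the accessor functions gone, a swapped pair such as `8, 7` would compile silently, and these values feed the key-length comparison in derive.c and the buffer set-up in combine_keys.c. I would label each field, e.g. `BLOCK_SIZE, /* block_size */` followed by `16, 16, /* keybytes, keylength */`. The struct definition is not visible in this part, so the field order is inferred from the reads `enc->block_size`, `enc->keybytes` and `enc->keylength`.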
@@ -13,36 +13,10 @@ #include <k5-int.h> #include <arcfour.h> -/* The blocksize for the enctype */ -static void k5_arcfour_blocksize(size_t *); - -/* keysize for the enctype (number of bytes, and length of key (parity/etc) */ -static void k5_arcfour_keysize(size_t *, size_t *); - /* from a random bitstrem, construct a key */ static krb5_error_code k5_arcfour_make_key(krb5_context, const krb5_data *, krb5_keyblock *); -/* This seems to work... although I am not sure what the implications are - in other places in the kerberos library */ -static void -k5_arcfour_blocksize(size_t *blocksize) -{ - KRB5_LOG0(KRB5_INFO, "k5_arcfour_blocksize called"); - *blocksize = 1; -} - -/* Keysize is arbitrary in arcfour, but the constraints of the system, and - to attempt to work with the MSFT system forces us to 16byte/128bit. - Since there is no parity in the key, the byte and length are the same. -*/ -static void -k5_arcfour_keysize(size_t *keybytes, size_t *keylength) -{ - KRB5_LOG0(KRB5_INFO, "k5_arcfour_keysize called"); - *keybytes = 16; - *keylength = 16; -} #ifndef _KERNEL static krb5_error_code setup_arcfour_crypto(CK_SESSION_HANDLE session, @@ -376,8 +350,8 @@ k5_arcfour_init_state (krb5_context context, we just call "docrypt" directly */ const struct krb5_enc_provider krb5int_enc_arcfour = { - k5_arcfour_blocksize, - k5_arcfour_keysize, + 1, + 16, 16, k5_arcfour_encrypt, k5_arcfour_decrypt, k5_arcfour_make_key, diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des.c index 2c9b771e99..815e669ddb 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
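Review bot: The initializer `1, 16, 16,` for `krb5int_enc_arcfour` loses the rationale that lived in the comments deleted with `k5_arcfour_blocksize` and `k5_arcfour_keysize`. Those comments said the 16-byte key size is a choice made for interoperability rather than a property of the cipher, and that with no parity the byte count and key length are the same. I would carry that over onto the initializer, e.g. `16, 16, /* keybytes, keylength: fixed at 128 bits for MSFT interop; no parity */`, so a later reader does not take the values for arbitrary.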
@@ -35,29 +35,6 @@ #include <des_int.h> #include <enc_provider.h> -static const mit_des_cblock mit_des_zeroblock[8] = { - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00} }; - -static void -k5_des_block_size(size_t *blocksize) -{ - *blocksize = 8; -} - -static void -k5_des_keysize(size_t *keybytes, size_t *keylength) -{ - *keybytes = 7; - *keylength = 8; -} - static krb5_error_code k5_des_docrypt(krb5_context context, krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec, krb5_const krb5_data *input, @@ -141,8 +118,8 @@ k5_des_make_key(krb5_context context, krb5_const krb5_data *randombits, } const struct krb5_enc_provider krb5_enc_des = { - k5_des_block_size, - k5_des_keysize, + 8, + 7, 8, k5_des_encrypt, k5_des_decrypt, k5_des_make_key, diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des3.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des3.c index 6995fa8792..20f73b2cd4 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des3.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/enc_provider/des3.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -34,31 +34,6 @@ #include <k5-int.h> #include <des_int.h> -static const mit_des_cblock mit_des_zeroblock[8] = { - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00} }; - -static void -k5_des3_block_size(size_t *blocksize) -{ - KRB5_LOG0(KRB5_INFO, "k5_des3_block_size() start\n"); - *blocksize = 8; -} - -static void -k5_des3_keysize(size_t *keybytes, size_t *keylength) -{ - KRB5_LOG0(KRB5_INFO, "k5_des3_keysize() start\n"); - *keybytes = 21; - *keylength = 24; -} - static krb5_error_code k5_des3_docrypt(krb5_context context, krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec, @@ -152,8 +127,8 @@ k5_des3_make_key(krb5_context context, krb5_const krb5_data *randombits, } const struct krb5_enc_provider krb5_enc_des3 = { - k5_des3_block_size, - k5_des3_keysize, + 8, + 21, 24, k5_des3_encrypt, k5_des3_decrypt, k5_des3_make_key, diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt.c index 36dc5c5961..d8dd5f3f1f 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" 
@@ -172,14 +172,10 @@ init_key_uef(CK_SESSION_HANDLE hSession, krb5_keyblock *key) #endif /* _KERNEL */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_encrypt(context, key, usage, ivec, input, output) - krb5_context context; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *ivec; - krb5_const krb5_data *input; - krb5_enc_data *output; +krb5_error_code KRB5_CALLCONV +krb5_c_encrypt(krb5_context context, const krb5_keyblock *key, + krb5_keyusage usage, const krb5_data *ivec, + const krb5_data *input, krb5_enc_data *output) { krb5_error_code ret; int i; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt_length.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt_length.c index 4fee9eced3..78df89bd18 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt_length.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/encrypt_length.c @@ -29,12 +29,9 @@ #include <etypes.h> /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_encrypt_length(context, enctype, inputlen, length) - krb5_context context; - krb5_enctype enctype; - size_t inputlen; - size_t *length; +krb5_error_code KRB5_CALLCONV +krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, + size_t inputlen, size_t *length) { int i; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_crc32.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_crc32.c index 37db9bcfd8..abde11aed2 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_crc32.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_crc32.c @@ -30,18 +30,6 @@ #include <crc-32.h> #include <hash_provider.h> -static void -k5_crc32_hash_size(size_t *output) -{ - *output = CRC32_CKSUM_LENGTH; -} - -static void -k5_crc32_block_size(size_t *output) -{ - *output = 1; -} - /* ARGSUSED */ static krb5_error_code k5_crc32_hash(krb5_context context, 
@@ -69,7 +57,7 @@ k5_crc32_hash(krb5_context context, } const struct krb5_hash_provider krb5_hash_crc32 = { - k5_crc32_hash_size, - k5_crc32_block_size, + CRC32_CKSUM_LENGTH, + 1, k5_crc32_hash }; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_kmd5.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_kmd5.c index 4836e81895..d67b8b90c8 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_kmd5.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_kmd5.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -43,19 +43,6 @@ #include <hash_provider.h> #include <sys/crypto/api.h> - -static void -k5_md5_hash_size(size_t *output) -{ - *output = MD5_CKSUM_LENGTH; -} - -static void -k5_md5_block_size(size_t *output) -{ - *output = 64; -} - static krb5_error_code k5_md5_hash(krb5_context context, unsigned int icount, krb5_const krb5_data *input, @@ -71,7 +58,7 @@ k5_md5_hash(krb5_context context, } const struct krb5_hash_provider krb5int_hash_md5 = { - k5_md5_hash_size, - k5_md5_block_size, + MD5_CKSUM_LENGTH, + 64, k5_md5_hash }; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_ksha1.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_ksha1.c index 5051d32177..b7046f88f6 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_ksha1.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hash_provider/hash_ksha1.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -43,20 +43,6 @@ #include <hash_provider.h> #include <sys/crypto/api.h> -static void -k5_sha1_hash_size(size_t *output) -{ - KRB5_LOG0(KRB5_INFO, "k5_sha1_hash_size() start"); - *output = SHS_DIGESTSIZE; -} - -static void -k5_sha1_block_size(size_t *output) -{ - KRB5_LOG0(KRB5_INFO, "k5_sha1_block_size() start"); - *output = SHS_DATASIZE; -} - static krb5_error_code k5_sha1_hash(krb5_context context, unsigned int icount, krb5_const krb5_data *input, @@ -81,7 +67,7 @@ k5_sha1_hash(krb5_context context, } const struct krb5_hash_provider krb5_hash_sha1 = { - k5_sha1_hash_size, - k5_sha1_block_size, + SHS_DIGESTSIZE, + SHS_DATASIZE, k5_sha1_hash }; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hmac.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hmac.c index 22909c1b55..2ba05ab7ff 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/hmac.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/hmac.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -134,8 +134,8 @@ krb5_hmac(krb5_context context, return(EINVAL); } - (*(hash->hash_size))(&hashsize); - (*(hash->block_size))(&blocksize); + hashsize = hash->hashsize; + blocksize = hash->blocksize; if (key->length > blocksize) return(KRB5_CRYPTO_INTERNAL); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/descbc.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/descbc.c index d71a259cf0..d136871bbb 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/descbc.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/descbc.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -39,14 +39,6 @@ #include <sys/crypto/api.h> #endif -static const char mit_des_zeroblock[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; - -static void -k5_descbc_hash_size(size_t *output) -{ - *output = MIT_DES_BLOCK_LENGTH; -} - /*ARGSUSED*/ static krb5_error_code k5_descbc_hash(krb5_context context, @@ -77,7 +69,7 @@ k5_descbc_hash(krb5_context context, } const struct krb5_keyhash_provider krb5_keyhash_descbc = { - k5_descbc_hash_size, + MIT_DES_BLOCK_LENGTH, k5_descbc_hash, NULL }; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k5_kmd5des.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k5_kmd5des.c index d247e8e169..c2b814f600 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k5_kmd5des.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k5_kmd5des.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -50,22 +50,6 @@ /* Force acceptance of krb5-beta5 md5des checksum for now. */ #define KRB5_MD5DES_BETA5_COMPAT -static const mit_des_cblock mit_des_zeroblock[8] = { - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, - {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00} }; - -static void -k5_md5des_hash_size(size_t *output) -{ - *output = CONFLENGTH+MD5_CKSUM_LENGTH; -} - /* des-cbc(xorkey, conf | rsa-md5(conf | data)) */ /* this could be done in terms of the md5 and des providers, but @@ -279,7 +263,7 @@ cleanup: } const struct krb5_keyhash_provider krb5_keyhash_md5des = { - k5_md5des_hash_size, + CONFLENGTH+MD5_CKSUM_LENGTH, k5_md5des_hash, k5_md5des_verify }; 
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c index ae34fbf51c..d776c3b18a 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/keyhash_provider/k_hmac_md5.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -43,12 +43,6 @@ #include <arcfour.h> #include <hash_provider.h> -static void -k5_hmac_md5_hash_size (size_t *output) -{ - *output = MD5_CKSUM_LENGTH; -} - /*ARGSUSED*/ static krb5_error_code k5_hmac_md5_hash (krb5_context context, @@ -146,7 +140,7 @@ cleanup: const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5 = { - k5_hmac_md5_hash_size, + MD5_CKSUM_LENGTH, k5_hmac_md5_hash, NULL /*checksum again*/ }; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c index 7676ce5594..d000988f18 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/make_checksum.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -37,14 +37,11 @@ #include <dk.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_make_checksum(context, cksumtype, key, usage, input, cksum) - krb5_context context; - krb5_cksumtype cksumtype; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *input; - krb5_checksum *cksum; + +krb5_error_code KRB5_CALLCONV +krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *input, krb5_checksum *cksum) { int i, e1, e2; krb5_data data; 
@@ -62,9 +59,9 @@ krb5_c_make_checksum(context, cksumtype, key, usage, input, cksum) return(KRB5_BAD_ENCTYPE); if (krb5_cksumtypes_list[i].keyhash) - (*(krb5_cksumtypes_list[i].keyhash->hash_size))(&cksumlen); + cksumlen = krb5_cksumtypes_list[i].keyhash->hashsize; else - (*(krb5_cksumtypes_list[i].hash->hash_size))(&cksumlen); + cksumlen = krb5_cksumtypes_list[i].hash->hashsize; #ifdef _KERNEL context->kef_cksum_mt = krb5_cksumtypes_list[i].kef_cksum_mt; @@ -174,7 +171,7 @@ cleanup: (void) memset(cksum->contents, 0, cksum->length); FREE(cksum->contents, cksum->length); cksum->length = 0; - cksum->contents = 0; + cksum->contents = NULL; } KRB5_LOG(KRB5_INFO, "krb5_c_make_checksum() end ret = %d\n", ret); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_decrypt.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_decrypt.c index e0a6b56c70..14083326d2 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_decrypt.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_decrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -34,23 +34,16 @@ #include <k5-int.h> #include <old.h> -#ifndef HAVE_MEMMOVE -#ifdef HAVE_BCOPY -#define memmove(dst,src,size) bcopy(src,dst,size) -#endif -#endif - /*ARGSUSED*/ krb5_error_code -krb5_old_decrypt(context, enc, hash, key, usage, ivec, input, arg_output) - krb5_context context; - krb5_const struct krb5_enc_provider *enc; - krb5_const struct krb5_hash_provider *hash; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *ivec; - krb5_const krb5_data *input; - krb5_data *arg_output; +krb5_old_decrypt(krb5_context context, + krb5_const struct krb5_enc_provider *enc, + krb5_const struct krb5_hash_provider *hash, + krb5_const krb5_keyblock *key, + krb5_keyusage usage, + krb5_const krb5_data *ivec, + krb5_const krb5_data *input, + krb5_data *arg_output) { krb5_error_code ret; size_t blocksize, hashsize, plainsize; @@ -59,8 +52,9 @@ krb5_old_decrypt(context, enc, hash, key, usage, ivec, input, arg_output) int alloced; unsigned char orig_cksum[128], new_cksum[128]; - (*(enc->block_size))(&blocksize); - (*(hash->hash_size))(&hashsize); + + blocksize = enc->block_size; + hashsize = hash->hashsize; plainsize = input->length - blocksize - hashsize; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_encrypt.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_encrypt.c index 3a9ea2cce8..b7d6ee9621 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_encrypt.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/old/old_encrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
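Review bot: In old_decrypt.c, `plainsize = input->length - blocksize - hashsize;` follows the two new assignments with no visible check that `input->length` is at least `blocksize + hashsize`. All three operands are unsigned, so a short ciphertext would wrap `plainsize` to a very large value. Now that both sizes are plain fields, a guard placed before the subtraction costs nothing: `if (input->length < blocksize + hashsize) return(KRB5_BAD_MSIZE);`. The body of `krb5_old_decrypt` continues past the hunk, so a later length comparison may already reject the wrapped value; that should be confirmed rather than relied on. The fixed `orig_cksum[128]` and `new_cksum[128]` buffers would benefit from a matching `hashsize <= sizeof(orig_cksum)` check for the same reason.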
@@ -35,39 +35,37 @@ #include <old.h> void -krb5_old_encrypt_length(enc, hash, inputlen, length) - krb5_const struct krb5_enc_provider *enc; - krb5_const struct krb5_hash_provider *hash; - size_t inputlen; - size_t *length; +krb5_old_encrypt_length(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + size_t inputlen, + size_t *length) { size_t blocksize, hashsize; - (*(enc->block_size))(&blocksize); - (*(hash->hash_size))(&hashsize); + blocksize = enc->block_size; + hashsize = hash->hashsize; *length = krb5_roundup(blocksize+hashsize+inputlen, blocksize); } /*ARGSUSED*/ krb5_error_code -krb5_old_encrypt(context, enc, hash, key, usage, ivec, input, output) - krb5_context context; - krb5_const struct krb5_enc_provider *enc; - krb5_const struct krb5_hash_provider *hash; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *ivec; - krb5_const krb5_data *input; - krb5_data *output; +krb5_old_encrypt(krb5_context context, + krb5_const struct krb5_enc_provider *enc, + krb5_const struct krb5_hash_provider *hash, + krb5_const krb5_keyblock *key, + krb5_keyusage usage, + krb5_const krb5_data *ivec, + krb5_const krb5_data *input, + krb5_data *output) { krb5_error_code ret; size_t blocksize, hashsize, enclen; krb5_data datain, crcivec; int real_ivec; - (*(enc->block_size))(&blocksize); - (*(hash->hash_size))(&hashsize); + blocksize = enc->block_size; + hashsize = hash->hashsize; krb5_old_encrypt_length(enc, hash, input->length, &enclen); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/prng.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/prng.c index 63c96ce5a5..4624107d2c 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/prng.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/prng.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -25,10 +25,6 @@ * permission. FundsXpress makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #include <k5-int.h> @@ -46,7 +42,7 @@ */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_c_random_seed(krb5_context context, krb5_data *data) { /* @@ -85,7 +81,7 @@ krb5_c_random_seed(krb5_context context, krb5_data *data) */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_c_random_make_octets(krb5_context context, krb5_data *data) { /* diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/raw/raw_encrypt.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/raw/raw_encrypt.c index 505fbc92a7..3fa8f2ae44 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/raw/raw_encrypt.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/raw/raw_encrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -36,30 +36,27 @@ /*ARGSUSED*/ void -krb5_raw_encrypt_length(enc, hash, inputlen, length) - krb5_const struct krb5_enc_provider *enc; - krb5_const struct krb5_hash_provider *hash; - size_t inputlen; - size_t *length; +krb5_raw_encrypt_length(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + size_t inputlen, size_t *length) { size_t blocksize; - (*(enc->block_size))(&blocksize); + blocksize = enc->block_size; *length = krb5_roundup(inputlen, blocksize); } /*ARGSUSED*/ krb5_error_code -krb5_raw_encrypt(context, enc, hash, key, usage, ivec, input, output) - krb5_context context; - krb5_const struct krb5_enc_provider *enc; - krb5_const struct krb5_hash_provider *hash; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *ivec; - krb5_const krb5_data *input; - krb5_data *output; +krb5_raw_encrypt(krb5_context context, + krb5_const struct krb5_enc_provider *enc, + krb5_const struct krb5_hash_provider *hash, + krb5_const krb5_keyblock *key, + krb5_keyusage usage, + krb5_const krb5_data *ivec, + krb5_const krb5_data *input, + krb5_data *output) { return((*(enc->encrypt))(context, key, ivec, input, output)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/crypto/verify_checksum.c b/usr/src/uts/common/gssapi/mechs/krb5/crypto/verify_checksum.c index 459db44b97..8f1f67e5bc 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/crypto/verify_checksum.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/crypto/verify_checksum.c @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -34,14 +34,10 @@ #include <k5-int.h> #include <cksumtypes.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_c_verify_checksum(context, key, usage, data, cksum, valid) - krb5_context context; - krb5_const krb5_keyblock *key; - krb5_keyusage usage; - krb5_const krb5_data *data; - krb5_const krb5_checksum *cksum; - krb5_boolean *valid; +krb5_error_code KRB5_CALLCONV +krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key, + krb5_keyusage usage, const krb5_data *data, + const krb5_checksum *cksum, krb5_boolean *valid) { int i; size_t hashsize; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/auth_con.h b/usr/src/uts/common/gssapi/mechs/krb5/include/auth_con.h index b85c446ec4..45c2b2e801 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/auth_con.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/auth_con.h @@ -14,8 +14,8 @@ struct _krb5_auth_context { krb5_keyblock * recv_subkey; krb5_int32 auth_context_flags; - krb5_int32 remote_seq_number; - krb5_int32 local_seq_number; + krb5_ui_4 remote_seq_number; + krb5_ui_4 local_seq_number; krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/ krb5_cksumtype req_cksumtype; /* mk_safe, ... */ krb5_cksumtype safe_cksumtype; /* mk_safe, ... */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/crc-32.h b/usr/src/uts/common/gssapi/mechs/krb5/include/crc-32.h index 02da43c467..db13933a79 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/crc-32.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/crc-32.h @@ -32,7 +32,12 @@ #define CRC32_CKSUM_LENGTH 4 void -mit_crc32 PROTOTYPE((krb5_const krb5_pointer in, krb5_const size_t in_length, - unsigned long *c)); +mit_crc32 (const krb5_pointer in, const size_t in_length, unsigned long *c); + +#ifdef CRC32_SHIFT4 +void mit_crc32_shift4(const krb5_pointer /* in */, + const size_t /* in_length */, + unsigned long * /* cksum */); +#endif #endif /* KRB5_CRC32__ */ 
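Review bot: In auth_con.h, `remote_seq_number` and `local_seq_number` change from `krb5_int32` to `krb5_ui_4`, which alters the result of any comparison or assignment that still goes through a signed 32-bit variable once a value reaches 2^31. The hunk does not show the users of these fields, so whether every reader and writer was converted cannot be judged from here. A comment on the fields would record the intent, for example `/* unsigned 32-bit; validate incoming values with krb5int_auth_con_chkseqnum() */`, naming the checker that this commit declares in k5-int.h. Building with sign-conversion warnings enabled would help find any remaining `krb5_int32` temporaries.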
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/des_int.h b/usr/src/uts/common/gssapi/mechs/krb5/include/des_int.h index f627483176..1817269cf0 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/des_int.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/des_int.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -71,35 +71,37 @@ #ifndef KRB5_MIT_DES__ #define KRB5_MIT_DES__ -#if !defined(PROTOTYPE) -#if defined(__STDC__) || defined(_MSDOS) -#define PROTOTYPE(x) x -#else -#define PROTOTYPE(x) () -#endif +#if 0 /* SUNW14resync */ +#define KRB5INT_CRYPTO_DES_INT /* skip krb4-specific DES stuff */ +#include "kerberosIV/des.h" /* for des_key_schedule, etc. */ +#undef KRB5INT_CRYPTO_DES_INT /* don't screw other inclusions of des.h */ #endif -typedef krb5_octet mit_des_cblock[8]; /* crypto-block size */ - -#ifndef DES_INT32 -#ifdef SIZEOF_INT -#if SIZEOF_INT >= 4 -#define DES_INT32 int -#else -#define DES_INT32 long -#endif -#else /* !defined(SIZEOF_INT) */ -#include <limits.h> -#if (UINT_MAX >= 0xffffffff) +/* + * SUNW14resync + * Solaris Kerberos does not do krb4 so we don't have its des.h file + * but we need a few symbols from it so we include them here. + */ +/* begin: from mit kerberosIV/des.h */ +#if UINT_MAX >= 0xFFFFFFFFUL #define DES_INT32 int +#define DES_UINT32 unsigned int #else #define DES_INT32 long +#define DES_UINT32 unsigned long #endif -#endif /* !defined(SIZEOF_INT) */ -#endif /* !defined(DES_INT32) */ +/* end: from mit kerberosIV/des.h */ + +typedef unsigned char des_cblock[8]; /* crypto-block size */ +typedef struct des_ks_struct { DES_INT32 _[2]; } des_key_schedule[16]; + + +typedef des_cblock mit_des_cblock; +typedef des_key_schedule mit_des_key_schedule; /* Triple-DES structures */ typedef mit_des_cblock mit_des3_cblock[3]; +typedef mit_des_key_schedule mit_des3_key_schedule[3]; #define MIT_DES_ENCRYPT 1 #define MIT_DES_DECRYPT 0 
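Review bot: The new `#if UINT_MAX >= 0xFFFFFFFFUL` test is added in the same hunk that removes `#include <limits.h>`. If nothing earlier in the translation unit defines `UINT_MAX`, the preprocessor evaluates it as 0 and silently selects `long` for `DES_INT32` and `unsigned long` for `DES_UINT32`. Where `long` is 64 bits, that changes the size of `struct des_ks_struct` and therefore of `des_key_schedule`, with no diagnostic. The first 70 lines of des_int.h are outside the hunk, so an earlier include may already cover this. If not, a guard in front of the test makes the dependency explicit: `#ifndef UINT_MAX`, `#error "UINT_MAX undefined: include <limits.h> before des_int.h"`, `#endif`.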
@@ -132,111 +134,117 @@ error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE) #ifndef _KERNEL /* afsstring2key.c */ extern krb5_error_code mit_afs_string_to_key - PROTOTYPE((krb5_context context, - krb5_keyblock FAR *keyblock, - const krb5_data FAR *data, - const krb5_data FAR *salt)); +(krb5_context context, + krb5_keyblock *keyblock, + const krb5_data *data, + const krb5_data *salt); #endif /* f_cksum.c */ extern unsigned long mit_des_cbc_cksum - PROTOTYPE(( +( krb5_context context, - krb5_octet FAR *, krb5_octet FAR *, long , - krb5_keyblock *, krb5_octet FAR *)); + krb5_octet *, krb5_octet *, long , + krb5_keyblock *, krb5_octet *); /* f_cbc.c */ extern int mit_des_cbc_encrypt - PROTOTYPE((krb5_context context, - const mit_des_cblock FAR *in, - mit_des_cblock FAR *out, long length, +(krb5_context context, + const mit_des_cblock *in, + mit_des_cblock *out, long length, krb5_keyblock *key, mit_des_cblock ivec, - int encrypt)); + int encrypt); + +#define mit_des_zeroblock krb5int_c_mit_des_zeroblock +extern const mit_des_cblock mit_des_zeroblock; /* fin_rndkey.c */ extern krb5_error_code mit_des_finish_random_key - PROTOTYPE(( const krb5_encrypt_block FAR *, - krb5_pointer FAR *)); +(const krb5_encrypt_block *, + krb5_pointer *); /* finish_key.c */ extern krb5_error_code mit_des_finish_key - PROTOTYPE(( krb5_encrypt_block FAR *)); +( krb5_encrypt_block *); /* key_parity.c */ -extern void mit_des_fixup_key_parity PROTOTYPE((mit_des_cblock )); -extern int mit_des_check_key_parity PROTOTYPE((mit_des_cblock )); +extern void mit_des_fixup_key_parity (mit_des_cblock); +extern int mit_des_check_key_parity (mit_des_cblock ); /* process_ky.c */ extern krb5_error_code mit_des_process_key - PROTOTYPE(( krb5_encrypt_block FAR *, const krb5_keyblock FAR *)); +( krb5_encrypt_block *, const krb5_keyblock *); /* string2key.c */ extern krb5_error_code mit_des_string_to_key - PROTOTYPE((const krb5_encrypt_block FAR *, - krb5_keyblock FAR *, - const krb5_data FAR *, - const 
krb5_data FAR *)); +(const krb5_encrypt_block *, + krb5_keyblock *, + const krb5_data *, + const krb5_data *); /* weak_key.c */ -extern int mit_des_is_weak_key PROTOTYPE((mit_des_cblock )); +extern int mit_des_is_weak_key (mit_des_cblock); /* cmb_keys.c */ krb5_error_code mit_des_combine_subkeys - PROTOTYPE((const krb5_keyblock FAR *, const krb5_keyblock FAR *, - krb5_keyblock FAR * FAR *)); +(const krb5_keyblock *, const krb5_keyblock *, + krb5_keyblock * *); /* f_pcbc.c */ int mit_des_pcbc_encrypt (); +/* f_sched.c */ +int mit_des_make_key_sched(mit_des_cblock, mit_des_key_schedule); + /* misc.c */ -extern void swap_bits PROTOTYPE((char FAR *)); -extern unsigned long long_swap_bits PROTOTYPE((unsigned long )); -extern unsigned long swap_six_bits_to_ansi PROTOTYPE((unsigned long )); -extern unsigned long swap_four_bits_to_ansi PROTOTYPE((unsigned long )); -extern unsigned long swap_bit_pos_1 PROTOTYPE((unsigned long )); -extern unsigned long swap_bit_pos_0 PROTOTYPE((unsigned long )); -extern unsigned long swap_bit_pos_0_to_ansi PROTOTYPE((unsigned long )); -extern unsigned long rev_swap_bit_pos_0 PROTOTYPE((unsigned long )); -extern unsigned long swap_byte_bits PROTOTYPE((unsigned long )); -extern unsigned long swap_long_bytes_bit_number PROTOTYPE((unsigned long )); +extern void swap_bits (char *) ; +extern unsigned long long_swap_bits (unsigned long ) ; +extern unsigned long swap_six_bits_to_ansi (unsigned long ) ; +extern unsigned long swap_four_bits_to_ansi (unsigned long ) ; +extern unsigned long swap_bit_pos_1 (unsigned long ) ; +extern unsigned long swap_bit_pos_0 (unsigned long ); +extern unsigned long swap_bit_pos_0_to_ansi (unsigned long ); +extern unsigned long rev_swap_bit_pos_0 (unsigned long ); +extern unsigned long swap_byte_bits (unsigned long ); +extern unsigned long swap_long_bytes_bit_number (unsigned long ); #ifdef FILE /* XXX depends on FILE being a #define! 
*/ -extern void test_set PROTOTYPE((FILE *, const char *, int, const char *, int)); +extern void test_set (FILE *, const char *, int, const char *, int); #endif /* d3_cbc.c */ extern int mit_des3_cbc_encrypt - PROTOTYPE((krb5_context context, - const mit_des_cblock FAR *in, - mit_des_cblock FAR *out, +(krb5_context context, + const mit_des_cblock *in, + mit_des_cblock *out, long length, krb5_keyblock *key, mit_des_cblock ivec, - int encrypt)); + int encrypt); /* d3_procky.c */ extern krb5_error_code mit_des3_process_key - PROTOTYPE((krb5_encrypt_block * eblock, - const krb5_keyblock * keyblock)); +(krb5_encrypt_block * eblock, + const krb5_keyblock * keyblock); /* d3_str2ky.c */ extern krb5_error_code mit_des3_string_to_key - PROTOTYPE((const krb5_encrypt_block FAR *, - krb5_keyblock FAR *, - const krb5_data FAR *, - const krb5_data FAR *)); +(const krb5_encrypt_block *, + krb5_keyblock *, + const krb5_data *, + const krb5_data *); /* u_nfold.c */ extern krb5_error_code mit_des_n_fold - PROTOTYPE((const krb5_octet * input, +(const krb5_octet * input, const size_t in_len, krb5_octet * output, - const size_t out_len)); + const size_t out_len); extern krb5_error_code mit_des_set_random_sequence_number - PROTOTYPE((const krb5_data * sequence, - krb5_pointer random_state)); +(const krb5_data * sequence, + krb5_pointer random_state); #endif /*DES_INTERNAL_DEFS*/ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_generic.h b/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_generic.h index 6a545a4814..8e3983867a 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_generic.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_generic.h @@ -1,4 +1,9 @@ /* + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +/* * Copyright 1993 by OpenVision Technologies, Inc. * * Permission to use, copy, modify, distribute, and sell this software 
@@ -26,22 +31,37 @@ #pragma ident "%Z%%M% %I% %E% SMI" /* - * $Id: gssapi_generic.h,v 1.11 1999/03/12 00:01:04 tytso Exp $ + * $Id: gssapi_generic.h,v 1.16 2003/03/06 20:26:35 lxs Exp $ */ -#include "krb5.h" -#if defined(__MWERKS__) || defined(applec) || defined(THINK_C) -#include <gssapi.h> -#else #include <gssapi/gssapi.h> + +#if defined(__cplusplus) && !defined(GSSAPIGENERIC_BEGIN_DECLS) +#define GSSAPIGENERIC_BEGIN_DECLS extern "C" { +#define GSSAPIGENERIC_END_DECLS } +#else +#define GSSAPIGENERIC_BEGIN_DECLS +#define GSSAPIGENERIC_END_DECLS #endif -/* these are defined in gssapi/gen_oid.c */ +GSSAPIGENERIC_BEGIN_DECLS + +/* SUNW14resync */ +#ifndef GSS_DLLIMP +#define GSS_DLLIMP +#endif + +/* Deprecated MIT krb5 oid names provided for compatibility. + * The correct oids (GSS_C_NT_USER_NAME, etc) from rfc 2744 + * are defined in gssapi.h. */ + GSS_DLLIMP extern gss_OID gss_nt_user_name; GSS_DLLIMP extern gss_OID gss_nt_machine_uid_name; GSS_DLLIMP extern gss_OID gss_nt_string_uid_name; +extern gss_OID gss_nt_service_name_v2; GSS_DLLIMP extern gss_OID gss_nt_service_name; -GSS_DLLIMP extern gss_OID gss_nt_exported_name; -GSS_DLLIMP extern gss_OID gss_nt_service_name_v2; +extern gss_OID gss_nt_exported_name; + +GSSAPIGENERIC_END_DECLS #endif /* _GSSAPI_GENERIC_H_ */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_krb5.h b/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_krb5.h index 360e2009cb..494e314549 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_krb5.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_krb5.h @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -71,19 +71,19 @@ extern const gss_OID_desc krb5_gss_oid_array[]; #define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name #define gss_krb5_nt_string_uid_name gss_nt_string_uid_name -GSS_DLLIMP OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags - PROTOTYPE((OM_uint32 *minor_status, +OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags + (OM_uint32 *minor_status, gss_ctx_id_t context_handle, - krb5_flags *ticket_flags)); + krb5_flags *ticket_flags); -GSS_DLLIMP OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache - PROTOTYPE((void *ctx, OM_uint32 *minor_status, +OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache + (void *ctx, OM_uint32 *minor_status, gss_cred_id_t cred_handle, - krb5_ccache out_ccache)); + krb5_ccache out_ccache); -GSS_DLLIMP OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name - PROTOTYPE((OM_uint32 *minor_status, const char *name, - const char **out_name)); +OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name + (OM_uint32 *minor_status, const char *name, + const char **out_name); #ifdef __cplusplus } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h index a8639f7e56..b9e3372f7d 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h @@ -158,9 +158,6 @@ extern unsigned int krb5_log; #endif /* KRB5_LOG_LVL */ -/* Compatibility switch for SAM preauth */ -#define AS_REP_105_SAM_COMPAT - #ifdef POSIX_TYPES #define timetype time_t #else 
@@ -177,43 +174,17 @@ extern unsigned int krb5_log; * Machine-type definitions: PC Clone 386 running Microsoft Windows */ -#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh) +#if defined(_MSDOS) || defined(_WIN32) #include "win-mac.h" -#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__) -#pragma import on -#endif -#endif -#if defined(_MSDOS) || defined(_WIN32) /* Kerberos Windows initialization file */ #define KERBEROS_INI "kerberos.ini" #define INI_FILES "Files" #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */ #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */ -#define HAVE_LABS #define ANSI_STDIO #endif - -#ifndef macintosh -#if defined(__MWERKS__) || defined(applec) || defined(THINK_C) -#define macintosh -#define SIZEOF_INT 4 -#define SIZEOF_SHORT 2 -#define HAVE_SRAND -#define NO_PASSWORD -#define HAVE_LABS -/*#define ENOMEM -1*/ -#define ANSI_STDIO -#ifndef _SIZET -typedef unsigned int size_t; -#define _SIZET -#endif -#include <unix.h> -#include <ctype.h> -#endif -#endif - #ifndef _KERNEL #ifndef KRB5_AUTOCONF__ #define KRB5_AUTOCONF__ @@ -230,15 +201,8 @@ typedef unsigned int size_t; #endif /* HAVE_SYS_TYPES_H */ #endif /* KRB5_SYSTYPES__ */ -#ifdef SYSV -/* Change srandom and random to use rand and srand */ -/* Taken from the Sandia changes. XXX We should really just include */ -/* srandom and random into Kerberos release, since rand() is a really */ -/* bad random number generator.... [tytso:19920616.2231EDT] */ -#define random() rand() -#define srandom(a) srand(a) -#endif /* SYSV */ - +/* #include "k5-platform.h" SUNW XXX */ +/* not used in krb5.h (yet) */ typedef uint64_t krb5_ui_8; typedef int64_t krb5_int64; 
@@ -258,20 +222,11 @@ typedef int64_t krb5_int64; #ifndef KRB5_CALLCONV #define KRB5_CALLCONV #define KRB5_CALLCONV_C -#define KRB5_DLLIMP -#define GSS_DLLIMP -#define KRB5_EXPORTVAR -#define FAR -#define NEAR #endif #ifndef O_BINARY #define O_BINARY 0 #endif -#ifndef HAVE_LABS -#define labs(x) abs(x) -#endif - #endif /* KRB5_CONFIG__ */ /* @@ -281,10 +236,15 @@ typedef int64_t krb5_int64; /* * After loading the configuration definitions, load the Kerberos definitions. */ +#ifndef _KERNEL +#include <errno.h> +#include "profile.h" +#endif + #include <krb5.h> #ifndef _KERNEL -#ifdef NEED_SOCKETS +#if 1 /* def NEED_SOCKETS */ #include <port-sockets.h> #include <socket-utils.h> #else @@ -294,6 +254,10 @@ struct sockaddr; #endif #endif +/* Get mutex support; currently used only for the replay cache. */ +#include "k5-thread.h" + + /* krb5/krb5.h includes many other .h files in the krb5 subdirectory. The ones that it doesn't include, we include below. */ @@ -558,13 +522,7 @@ typedef struct _krb5_enc_sam_response_enc_2 { #ifndef _KERNEL #include <stdlib.h> - -#ifdef HAVE_STRING_H #include <string.h> -#else -#include <strings.h> -#endif - #endif /* !_KERNEL */ #ifndef HAVE_STRDUP @@ -659,7 +617,7 @@ int krb5_net_write krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *, const krb5_data *, - krb5_data *, int, int); + krb5_data *, int *, int); krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char ***); 
@@ -695,8 +653,18 @@ krb5_error_code krb5_os_init_context void krb5_os_free_context (krb5_context); +/* This function is needed by KfM's KerberosPreferences API + * because it needs to be able to specify "secure" */ +#ifndef _KERNEL +krb5_error_code os_get_default_config_files + (profile_filespec_t **pfiles, krb5_boolean secure); +#endif + krb5_error_code krb5_find_config_files(void); +krb5_error_code krb5_os_hostaddr + (krb5_context, const char *, krb5_address ***); + #ifndef _KERNEL /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're * going to use this structure. */ @@ -712,22 +680,6 @@ extern int krb5int_grow_addrlist (struct addrlist *, int); extern int krb5int_add_host_to_list (struct addrlist *, const char *, int, int, int, int); -krb5_error_code krb5_locate_srv_conf - (krb5_context, const krb5_data *, const char *, - struct sockaddr **, int*, int); - -#ifdef KRB5_DNS_LOOKUP -/* no context? */ -krb5_error_code krb5_locate_srv_dns - (const krb5_data *, const char *, - const char *, struct sockaddr **, int *, - char *, unsigned short *, boolean_t); - -int _krb5_conf_boolean(char *); -int _krb5_use_dns_kdc(krb5_context); -int _krb5_use_dns_realm(krb5_context); - -#endif /* KRB5_DNS_LOOKUP */ #endif /* _KERNEL */ #endif /* KRB5_LIBOS_PROTO__ */ @@ -735,13 +687,12 @@ int _krb5_use_dns_realm(krb5_context); /* new encryption provider api */ struct krb5_enc_provider { - void (*block_size) (size_t *output); /* keybytes is the input size to make_key; keylength is the output size */ - void (*keysize) (size_t *keybytes, size_t *keylength); + size_t block_size, keybytes, keylength; - /* ivec == 0 is an all-zeros ivec */ + /* cipher-state == 0 fresh state thrown away at end */ krb5_error_code (*encrypt) ( krb5_context context, krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec, 
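Review bot: In the `struct krb5_enc_provider` hunk, the replacement comment `/* cipher-state == 0 fresh state thrown away at end */` does not match the declaration below it, which still takes `krb5_const krb5_data *ivec` in the visible context lines. A reader can no longer tell what a null `ivec` means for `encrypt`, and that is the kind of ambiguity that leads to IV misuse. Either keep the old wording, `/* ivec == 0 is an all-zeros ivec */`, or rename the parameter with the comment if the semantics really changed. The struct body continues past the hunk, so the `decrypt` member may need the same treatment.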
@@ -763,9 +714,7 @@ struct krb5_enc_provider { }; struct krb5_hash_provider { - void (*hash_size) (size_t *output); - - void (*block_size) (size_t *output); + size_t hashsize, blocksize; /* this takes multiple inputs to avoid lots of copying. */ krb5_error_code (*hash) (krb5_context context, @@ -774,7 +723,7 @@ struct krb5_hash_provider { }; struct krb5_keyhash_provider { - void (*hash_size) (size_t *output); + size_t hashsize; krb5_error_code (*hash) ( krb5_context context, @@ -925,9 +874,37 @@ krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context, const krb5_data *, const krb5_data *); +/* Make this a function eventually? */ +#ifdef WIN32 +# define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len) +#else +# define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len) +# if defined(__GNUC__) && defined(__GLIBC__) +/* GNU libc generates multiple bogus initialization warnings if we + pass memset a volatile pointer. The compiler should do well enough + with memset even without GNU libc's attempt at optimization. */ +# undef memset +# endif +#endif /* WIN32 */ +#define zap(p,l) krb5int_zap_data(p,l) + + +/* + * These declarations are here, so both krb5 and k5crypto + * can get to them. + * krb5 needs to get to them so it can make them available to libgssapi. + */ +extern const struct krb5_enc_provider krb5int_enc_arcfour; +extern const struct krb5_hash_provider krb5int_hash_md5; + + +/* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */ + krb5_error_code krb5_crypto_us_timeofday (krb5_int32 *, krb5_int32 *); +/* #endif KRB5_OLD_CRYPTO */ + /* this helper fct is in libkrb5, but it makes sense declared here. */ krb5_error_code krb5_encrypt_helper @@ -957,7 +934,6 @@ typedef struct _krb5_os_context { krb5_int32 usec_offset; krb5_int32 os_flags; char * default_ccname; - krb5_principal default_ccprincipal; } *krb5_os_context; /* 
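Review bot: On the non-WIN32 branch, `krb5int_zap_data` expands to a plain `memset`, which an optimizing compiler may drop as a dead store when the buffer is freed or goes out of scope right afterwards. Key material passed to `zap()` is then not guaranteed to be cleared. The macro also leaves its arguments unparenthesised; `# define krb5int_zap_data(ptr, len) memset((void *)(ptr), 0, (len))` fixes that part. For the clearing itself, the existing "Make this a function eventually?" comment points the right way: an out-of-line function that writes through a `volatile unsigned char *` cannot be elided. The `#undef memset` in a widely included header also changes `memset` for every file that includes k5-int.h, which deserves a comment saying so.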
@@ -1120,9 +1096,14 @@ krb5_get_init_creds krb5_get_init_creds_opt *options, krb5_gic_get_as_key_fct gak, void *gak_data, - int master, + int *master, krb5_kdc_rep **as_reply); +void krb5int_populate_gic_opt ( + krb5_context, krb5_get_init_creds_opt *, + krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes, + krb5_preauthtype *pre_auth_types, krb5_creds *creds); + krb5_error_code krb5_do_preauth (krb5_context, krb5_kdc_req *, krb5_pa_data **, krb5_pa_data ***, @@ -1169,6 +1150,10 @@ void KRB5_CALLCONV krb5_free_pa_enc_ts (krb5_context, krb5_pa_enc_ts *); /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ +#ifndef _KERNEL +#include "com_err.h" +#endif /* _KERNEL */ + /* * Solaris Kerberos: moved from sendto_kdc.c so other code can reference */ @@ -1203,7 +1188,16 @@ struct _krb5_context { int in_tkt_ktype_count; krb5_enctype *tgs_ktypes; int tgs_ktype_count; - void *os_context; + /* This used to be a void*, but since we always allocate them + together (though in different source files), and the types + are declared in the same header, might as well just combine + them. + + The array[1] is so the existing code treating the field as + a pointer will still work. For cleanliness, it should + eventually get changed to a single element instead of an + array. */ + struct _krb5_os_context os_context[1]; char *default_realm; int ser_ctx_count; krb5_boolean profile_secure; 
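Review bot: In `struct _krb5_context`, `os_context` changes from `void *` to the embedded `struct _krb5_os_context os_context[1]`, and some stale pointer-style code will still compile against it. A leftover `free(ctx->os_context)` would pass an interior address to the allocator, and a leftover `if (!ctx->os_context)` would always be false. The routines that set up and tear down this member, such as `krb5_os_init_context` and `krb5_os_free_context`, are outside the hunk, so they should be checked for both patterns. Extending the new comment with one line would warn later editors, for example `/* embedded storage: never malloc, free or NULL-test this member */`.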
@@ -1371,6 +1365,42 @@ derive_3des_keys(krb5_context, struct krb5_enc_provider *, #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001 +/* internal message representations */ + +typedef struct _krb5_safe { + krb5_magic magic; + krb5_data user_data; /* user data */ + krb5_timestamp timestamp; /* client time, optional */ + krb5_int32 usec; /* microsecond portion of time, + optional */ + krb5_ui_4 seq_number; /* sequence #, optional */ + krb5_address *s_address; /* sender address */ + krb5_address *r_address; /* recipient address, optional */ + krb5_checksum *checksum; /* data integrity checksum */ +} krb5_safe; + +typedef struct _krb5_priv { + krb5_magic magic; + krb5_enc_data enc_part; /* encrypted part */ +} krb5_priv; + +typedef struct _krb5_priv_enc_part { + krb5_magic magic; + krb5_data user_data; /* user data */ + krb5_timestamp timestamp; /* client time, optional */ + krb5_int32 usec; /* microsecond portion of time, opt. */ + krb5_ui_4 seq_number; /* sequence #, optional */ + krb5_address *s_address; /* sender address */ + krb5_address *r_address; /* recipient address, optional */ +} krb5_priv_enc_part; + +void KRB5_CALLCONV krb5_free_safe + (krb5_context, krb5_safe * ); +void KRB5_CALLCONV krb5_free_priv + (krb5_context, krb5_priv * ); +void KRB5_CALLCONV krb5_free_priv_enc_part + (krb5_context, krb5_priv_enc_part * ); + /* * Begin "asn1.h" */ @@ -1746,6 +1776,9 @@ krb5_error_code krb5_encode_kdc_rep krb5_error_code krb5_validate_times (krb5_context, krb5_ticket_times *); +krb5_boolean krb5int_auth_con_chkseqnum + (krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq); + /* * [De]Serialization Handle and operations. */ 
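Review bot: `krb5int_auth_con_chkseqnum` in the -1746 hunk is declared without a comment saying which `krb5_boolean` value means the sequence number was accepted. A caller that reads the result the wrong way round would accept out-of-order or replayed messages, so the contract belongs next to the prototype. Something like `/* Returns nonzero iff in_seq is acceptable as the next sequence number for ac. */` would do, with the wording checked against the implementation, which is not part of this hunk.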
@@ -1767,17 +1800,21 @@ typedef struct __krb5_serializer * krb5_ser_handle; typedef struct __krb5_serializer krb5_ser_entry; krb5_ser_handle krb5_find_serializer - (krb5_context, krb5_magic); - + (krb5_context, + krb5_magic); krb5_error_code krb5_register_serializer - (krb5_context, const krb5_ser_entry *); + (krb5_context, + const krb5_ser_entry *); /* Determine the external size of a particular opaque structure */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_size_opaque - (krb5_context, krb5_magic, krb5_pointer, size_t *); +krb5_error_code KRB5_CALLCONV krb5_size_opaque + (krb5_context, + krb5_magic, + krb5_pointer, + size_t *); /* Serialize the structure into a buffer */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_externalize_opaque +krb5_error_code KRB5_CALLCONV krb5_externalize_opaque (krb5_context, krb5_magic, krb5_pointer, 
@@ -1785,60 +1822,71 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_externalize_opaque size_t *); /* Deserialize the structure from a buffer */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_internalize_opaque - (krb5_context, krb5_magic, krb5_pointer *, - krb5_octet * *, size_t *); +krb5_error_code KRB5_CALLCONV krb5_internalize_opaque + (krb5_context, + krb5_magic, + krb5_pointer *, + krb5_octet **, + size_t *); /* Serialize data into a buffer */ krb5_error_code krb5_externalize_data - (krb5_context, krb5_pointer, krb5_octet **, size_t *); + (krb5_context, + krb5_pointer, + krb5_octet **, + size_t *); /* * Initialization routines. */ /* Initialize serialization for krb5_[os_]context */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_context_init +krb5_error_code KRB5_CALLCONV krb5_ser_context_init (krb5_context); /* Initialize serialization for krb5_auth_context */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init +krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init (krb5_context); /* Initialize serialization for krb5_keytab */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init +krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init (krb5_context); /* Initialize serialization for krb5_ccache */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init +krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init (krb5_context); /* Initialize serialization for krb5_rcache */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init +krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init (krb5_context); /* [De]serialize 4-byte integer */ krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32 - (krb5_int32, krb5_octet * *, size_t *); - + (krb5_int32, + krb5_octet **, + size_t *); +krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32 + (krb5_int32 *, + krb5_octet **, + size_t *); +/* [De]serialize 8-byte integer */ krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64 (krb5_int64, krb5_octet * *, size_t *); - -krb5_error_code 
KRB5_CALLCONV krb5_ser_unpack_int32 - (krb5_int32 *, krb5_octet **, size_t *); - krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64 (krb5_int64 *, krb5_octet **, size_t *); - /* [De]serialize byte string */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes +krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes (krb5_octet *, - size_t, krb5_octet * *, size_t *); - -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes + size_t, + krb5_octet **, + size_t *); +krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes (krb5_octet *, - size_t, krb5_octet * *, size_t *); + size_t, + krb5_octet **, + size_t *); -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5int_cc_default + +krb5_error_code KRB5_CALLCONV krb5int_cc_default (krb5_context, krb5_ccache *); krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default 
@@ -1851,10 +1899,29 @@ krb5_error_code krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context, krb5_keyblock * /* Old keyblock, not new! */); - - -extern const struct krb5_hash_provider krb5int_hash_md5; -extern const struct krb5_enc_provider krb5int_enc_arcfour; +/* set and change password helpers */ + +krb5_error_code krb5int_mk_chpw_req + (krb5_context context, krb5_auth_context auth_context, + krb5_data *ap_req, char *passwd, krb5_data *packet); +krb5_error_code krb5int_rd_chpw_rep + (krb5_context context, krb5_auth_context auth_context, + krb5_data *packet, int *result_code, + krb5_data *result_data); +krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string + (krb5_context context, int result_code, + char **result_codestr); +krb5_error_code krb5int_mk_setpw_req + (krb5_context context, krb5_auth_context auth_context, + krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet); +krb5_error_code krb5int_rd_setpw_rep + (krb5_context context, krb5_auth_context auth_context, + krb5_data *packet, int *result_code, + krb5_data *result_data); + +krb5_error_code krb5int_setpw_result_code_string + (krb5_context context, int result_code, + const char **result_codestr); struct srv_dns_entry { struct srv_dns_entry *next; 
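Review bot: The two result-string helpers added here disagree on constness: `krb5_chpw_result_code_string` takes `char **result_codestr` while `krb5int_setpw_result_code_string` takes `const char **result_codestr`, so a caller cannot tell from the header whether the returned string is static or must be freed. I would add a one-line comment on each stating ownership, and make the two signatures agree if the public one can still change. `krb5int_mk_chpw_req` and `krb5int_mk_setpw_req` also take the cleartext password as `char *passwd`; if they only read it, `const char *passwd` would say so, and a comment should state that the caller remains responsible for zeroing the buffer.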
@@ -1877,12 +1944,264 @@ void krb5int_free_srv_dns_data(struct srv_dns_entry *); #define KRB5_VERIFY_MAGIC(structure,magic_number) \ if ((structure)->magic != (magic_number)) return (magic_number); + +/* SUNW14resync XXX - see k5-util.h */ +#if 0 int krb5_seteuid (int); +#endif char * krb5_getenv(const char *); - int krb5_setenv (const char *, const char *, int); - void krb5_unsetenv (const char *); + +/* SUNW14resync - (from here to EOF) not sure if we need this but will add it + for future resync sake */ + +/* To keep happy libraries which are (for now) accessing internal stuff */ + +/* Make sure to increment by one when changing the struct */ +#define KRB5INT_ACCESS_STRUCT_VERSION 9 + +#ifndef ANAME_SZ +struct ktext; /* from krb.h, for krb524 support */ +#endif +typedef struct _krb5int_access { + /* crypto stuff */ + const struct krb5_hash_provider *md5_hash_provider; + const struct krb5_enc_provider *arcfour_enc_provider; + krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + unsigned int icount, const krb5_data *input, + krb5_data *output); + /* service location and communication */ +#ifndef _KERNEL + krb5_error_code (*locate_server) (krb5_context, const krb5_data *, + struct addrlist *, int, + const char *, const char *, + int, int, int, int); + krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg, + const struct addrlist *, krb5_data *reply, + struct sockaddr *, socklen_t *, int *); + krb5_error_code (*add_host_to_list)(struct addrlist *lp, + const char *hostname, + int port, int secport, + int socktype, int family); + void (*free_addrlist) (struct addrlist *); +#endif /* _KERNEL */ + + + krb5_error_code (*make_srv_query_realm)(const krb5_data *realm, + const char *service, + const char *protocol, + struct srv_dns_entry **answers); + void (*free_srv_dns_data)(struct srv_dns_entry *); + int (*use_dns_kdc)(krb5_context); + + /* krb4 compatibility stuff -- may be null if not enabled */ + krb5_int32 
(*krb_life_to_time)(krb5_int32, int); + int (*krb_time_to_life)(krb5_int32, krb5_int32); + int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *); + krb5_error_code (*krb5int_c_mandatory_cksumtype) + (krb5_context, krb5_enctype, krb5_cksumtype *); + krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64) + (krb5_int64, krb5_octet **, size_t *); + krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64) + (krb5_int64 *, krb5_octet **, size_t *); +} krb5int_access; + +#define KRB5INT_ACCESS_VERSION \ + (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \ + (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF) + +krb5_error_code KRB5_CALLCONV krb5int_accessor + (krb5int_access*, krb5_int32); + +/* Ick -- some krb524 and krb4 support placed in the krb5 library, + because AFS (and potentially other applications?) use the krb4 + object as an opaque token, which (in some implementations) is not + in fact a krb4 ticket, so we don't want to drag in the krb4 support + just to enable this. */ + +#define KRB524_SERVICE "krb524" +#define KRB524_PORT 4444 + +/* v4lifetime.c */ +extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int); +extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32); + +/* conv_creds.c */ +int krb5int_encode_v4tkt + (struct ktext *v4tkt, char *buf, unsigned int *encoded_len); + +/* send524.c */ +int krb5int_524_sendto_kdc + (krb5_context context, const krb5_data * message, + const krb5_data * realm, krb5_data * reply, + struct sockaddr *, socklen_t *); + +/* temporary -- this should be under lib/krb5/ccache somewhere */ + +struct _krb5_ccache { + krb5_magic magic; + const struct _krb5_cc_ops *ops; + krb5_pointer data; +}; + +struct _krb5_cc_ops { + krb5_magic magic; + char *prefix; + const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache); + krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *, + const char *); + krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *); + krb5_error_code 
(KRB5_CALLCONV *init) (krb5_context, krb5_ccache, + krb5_principal); + krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache); + krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache); + krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache, + krb5_creds *); + krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache, + krb5_flags, krb5_creds *, + krb5_creds *); + krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache, + krb5_principal *); + krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache, + krb5_cc_cursor *); + krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache, + krb5_cc_cursor *, krb5_creds *); + krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache, + krb5_cc_cursor *); + krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache, + krb5_flags, krb5_creds *); + krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache, + krb5_flags); +}; + +extern const krb5_cc_ops *krb5_cc_dfl_ops; + +typedef struct _krb5_donot_replay { + krb5_magic magic; + krb5_ui_4 hash; + char *server; /* null-terminated */ + char *client; /* null-terminated */ + krb5_int32 cusec; + krb5_timestamp ctime; +} krb5_donot_replay; + +krb5_error_code krb5_rc_default + (krb5_context, + krb5_rcache *); +krb5_error_code krb5_rc_resolve_type + (krb5_context, + krb5_rcache *,char *); +krb5_error_code krb5_rc_resolve_full + (krb5_context, + krb5_rcache *,char *); +char * krb5_rc_get_type + (krb5_context, + krb5_rcache); +char * krb5_rc_default_type + (krb5_context); +char * krb5_rc_default_name + (krb5_context); +krb5_error_code krb5_auth_to_rep + (krb5_context, + krb5_tkt_authent *, + krb5_donot_replay *); + +krb5_error_code KRB5_CALLCONV krb5_rc_initialize + (krb5_context, krb5_rcache,krb5_deltat); +krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize + (krb5_context, krb5_rcache,krb5_deltat); +krb5_error_code KRB5_CALLCONV krb5_rc_recover + 
(krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_destroy + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_close + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_store + (krb5_context, krb5_rcache,krb5_donot_replay *); +krb5_error_code KRB5_CALLCONV krb5_rc_expunge + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan + (krb5_context, krb5_rcache,krb5_deltat *); +char *KRB5_CALLCONV krb5_rc_get_name + (krb5_context, krb5_rcache); +krb5_error_code KRB5_CALLCONV krb5_rc_resolve + (krb5_context, krb5_rcache, char *); + +typedef struct _krb5_kt_ops { + krb5_magic magic; + char *prefix; + /* routines always present */ + krb5_error_code (KRB5_CALLCONV *resolve) + (krb5_context, + const char *, + krb5_keytab *); + krb5_error_code (KRB5_CALLCONV *get_name) + (krb5_context, + krb5_keytab, + char *, + unsigned int); + krb5_error_code (KRB5_CALLCONV *close) + (krb5_context, + krb5_keytab); + krb5_error_code (KRB5_CALLCONV *get) + (krb5_context, + krb5_keytab, + krb5_const_principal, + krb5_kvno, + krb5_enctype, + krb5_keytab_entry *); + krb5_error_code (KRB5_CALLCONV *start_seq_get) + (krb5_context, + krb5_keytab, + krb5_kt_cursor *); + krb5_error_code (KRB5_CALLCONV *get_next) + (krb5_context, + krb5_keytab, + krb5_keytab_entry *, + krb5_kt_cursor *); + krb5_error_code (KRB5_CALLCONV *end_get) + (krb5_context, + krb5_keytab, + krb5_kt_cursor *); + /* routines to be included on extended version (write routines) */ + krb5_error_code (KRB5_CALLCONV *add) + (krb5_context, + krb5_keytab, + krb5_keytab_entry *); + krb5_error_code (KRB5_CALLCONV *remove) + (krb5_context, + krb5_keytab, + krb5_keytab_entry *); + + /* Handle for serializer */ + const krb5_ser_entry *serializer; +} krb5_kt_ops; + +extern const krb5_kt_ops krb5_kt_dfl_ops; + +extern krb5_error_code krb5int_translate_gai_error (int); + +/* Not sure it's ready for exposure just yet. 
*/ +extern krb5_error_code +krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *); + +extern int krb5int_crypto_init (void); +extern int krb5int_prng_init(void); + +/* + * SUNW14resync + * Hack (?) to neuter C99 "inline" which causes warnings w/our build. + */ +#define inline + +/* Solaris kerberos */ +krb5_boolean KRB5_CALLCONV is_in_keytype + (krb5_const krb5_enctype *keytype, + int numkeytypes, krb5_enctype enctype); + + #endif /* _KRB5_INT_H */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform.h b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform.h index 4e2e8da2b9..9236fbf969 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -8,7 +8,7 @@ /* * k5-platform.h * - * Copyright 2003 by the Massachusetts Institute of Technology. + * Copyright 2003, 2004 Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
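Review bot: `#define inline` near the end of k5-int.h (the -1877 hunk) redefines a keyword for everything that follows the include, not only this library's own sources. Any `static inline` helper in a header included later silently becomes a plain `static` function, and defining a keyword as a macro before a standard header is included is undefined behaviour. I would keep the workaround local: use a project macro at the definitions that trigger the warning, e.g. `#define K5_INLINE` (constructed name), or at least extend the comment to name the compiler and the warning being avoided so the hack can be removed later.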
@@ -34,16 +34,285 @@ * Some platform-dependent definitions to sync up the C support level. * Some to a C99-ish level, some related utility code. * - * Currently: make "static" work; 64-bit types and load/store - * code; SIZE_MAX. + * Currently: + * + make "static inline" work + * + 64-bit types and load/store code + * + SIZE_MAX + * + shared library init/fini hooks */ #ifndef K5_PLATFORM_H #define K5_PLATFORM_H -/* 64-bit support: krb5_ui_8 and krb5_int64. +#ifndef _KERNEL #include "autoconf.h" +/* Initialization and finalization function support for libraries. + + At top level, before the functions are defined or even declared: + MAKE_INIT_FUNCTION(init_fn); + MAKE_FINI_FUNCTION(fini_fn); + int init_fn(void) { ... } + void fini_fn(void) { if (INITIALIZER_RAN(init_fn)) ... } + + In code, in the same file: + err = CALL_INIT_FUNCTION(init_fn); + + To trigger or verify the initializer invocation from another file, + an additional function must be created. + + The init_fn and fini_fn names should be chosen such that any + exported names staring with those names, and optionally followed by + additional characters, fits in with any namespace constraints on + the library in question. + + + Implementation outline: + + Windows: MAKE_FINI_FUNCTION creates a symbol with a magic name that + is sought at library build time, and code is added to invoke the + function when the library is unloaded. MAKE_INIT_FUNCTION does + likewise, but the function is invoked when the library is loaded, + and an extra variable is declared to hold an error code and a "yes + the initializer ran" flag. CALL_INIT_FUNCTION blows up if the flag + isn't set, otherwise returns the error code. + + UNIX: MAKE_INIT_FUNCTION creates and initializes a variable with a + name derived from the function name, containing a k5_once_t + (pthread_once_t or int), an error code, and a pointer to the + function. The function itself is declared static, but the + associated variable has external linkage. 
CALL_INIT_FUNCTION + ensures thath the function is called exactly once (pthread_once or + just check the flag) and returns the stored error code (or the + pthread_once error). + + UNIX, with compiler support: MAKE_FINI_FUNCTION declares the + function as a destructor, and the run time linker support or + whatever will cause it to be invoked when the library is unloaded, + the program ends, etc. + + UNIX, with linker support: MAKE_FINI_FUNCTION creates a symbol with + a magic name that is sought at library build time, and linker + options are used to mark it as a finalization function for the + library. The symbol must be exported. + + UNIX, no library finalization support: The finalization function + never runs, and we leak memory. Tough. + + + + For maximum flexibility in defining the macros, the function name + parameter should be a simple name, not even a macro defined as + another name. The function should have a unique name, and should + conform to whatever namespace is used by the library in question. + + If the macro expansion needs the function to have been declared, it + must include a declaration. If it is not necessary for the symbol + name to be exported from the object file, the macro should declare + it as "static". Hence the signature must exactly match "void + foo(void)". (ANSI C allows a static declaration followed by a + non-static one; the result is internal linkage.) The macro + expansion has to come before the function, because gcc apparently + won't act on "__attribute__((constructor))" if it comes after the + function definition. + + This is going to be compiler- and environment-specific, and may + require some support at library build time, and/or "asm" + statements. + + It's okay for this code to require that the library be built + with the same compiler and compiler options throughout, but + we shouldn't require that the library and application use the + same compiler. 
+ + For static libraries, we don't really care about cleanup too much, + since it's all memory handling and mutex allocation which will all + be cleaned up when the program exits. Thus, it's okay if gcc-built + static libraries don't play nicely with cc-built executables when + it comes to static constructors, just as long as it doesn't cause + linking to fail. + + For dynamic libraries on UNIX, we'll use pthread_once-type support + to do delayed initialization, so if finalization can't be made to + work, we'll only have memory leaks in a load/use/unload cycle. If + anyone (like, say, the OS vendor) complains about this, they can + tell us how to get a shared library finalization function invoked + automatically. */ + +/* Helper macros. */ + +# define JOIN__2_2(A,B) A ## _ ## _ ## B +# define JOIN__2(A,B) JOIN__2_2(A,B) + +/* XXX Should test USE_LINKER_INIT_OPTION early, and if it's set, + always provide a function by the expected name, even if we're + delaying initialization. */ + +#if defined(DELAY_INITIALIZER) + +/* Run the initialization code during program execution, at the latest + possible moment. This means multiple threads may be active. 
*/ +# include "k5-thread.h" +typedef struct { k5_once_t once; int error, did_run; void (*fn)(void); } k5_init_t; +# ifdef USE_LINKER_INIT_OPTION +# define MAYBE_DUMMY_INIT(NAME) \ + void JOIN__2(NAME, auxinit) () { } +# else +# define MAYBE_DUMMY_INIT(NAME) +# endif +# define MAKE_INIT_FUNCTION(NAME) \ + static int NAME(void); \ + MAYBE_DUMMY_INIT(NAME) \ + /* forward declaration for use in initializer */ \ + static void JOIN__2(NAME, aux) (void); \ + static k5_init_t JOIN__2(NAME, once) = \ + { K5_ONCE_INIT, 0, 0, JOIN__2(NAME, aux) }; \ + static void JOIN__2(NAME, aux) (void) \ + { \ + JOIN__2(NAME, once).did_run = 1; \ + JOIN__2(NAME, once).error = NAME(); \ + } \ + /* so ';' following macro use won't get error */ \ + static int NAME(void) +# define CALL_INIT_FUNCTION(NAME) \ + k5_call_init_function(& JOIN__2(NAME, once)) +# ifdef __GNUC__ +/* Do it in macro form so we get the file/line of the invocation if + the assertion fails. */ +# define k5_call_init_function(I) \ + (__extension__ ({ \ + k5_init_t *k5int_i = (I); \ + int k5int_err = k5_once(&k5int_i->once, k5int_i->fn); \ + (k5int_err \ + ? k5int_err \ + : (assert(k5int_i->did_run != 0), k5int_i->error)); \ + })) +# else /* __GNUC__ */ +static int k5_call_init_function(k5_init_t *i) +{ + int err; + err = k5_once(&i->once, i->fn); + if (err) + return err; + assert (i->did_run != 0); + return i->error; +} +# endif /* __GNUC__ */ +/* This should be called in finalization only, so we shouldn't have + multiple active threads mucking around in our library at this + point. So ignore the once_t object and just look at the flag. + + XXX Could we have problems with memory coherence between + processors if we don't invoke mutex/once routines? */ +# define INITIALIZER_RAN(NAME) \ + (JOIN__2(NAME, once).did_run && JOIN__2(NAME, once).error == 0) + +# define PROGRAM_EXITING() (0) + +#elif defined(__GNUC__) && !defined(_WIN32) && defined(CONSTRUCTOR_ATTR_WORKS) + +/* Run initializer at load time, via GCC/C++ hook magic. 
*/ + +# ifdef USE_LINKER_INIT_OPTION +# define MAYBE_DUMMY_INIT(NAME) \ + void JOIN__2(NAME, auxinit) () { } +# else +# define MAYBE_DUMMY_INIT(NAME) +# endif + +typedef struct { int error; unsigned char did_run; } k5_init_t; +# define MAKE_INIT_FUNCTION(NAME) \ + MAYBE_DUMMY_INIT(NAME) \ + static k5_init_t JOIN__2(NAME, ran) \ + = { 0, 2 }; \ + static void JOIN__2(NAME, aux)(void) \ + __attribute__((constructor)); \ + static int NAME(void); \ + static void JOIN__2(NAME, aux)(void) \ + { \ + JOIN__2(NAME, ran).error = NAME(); \ + JOIN__2(NAME, ran).did_run = 3; \ + } \ + static int NAME(void) +# define CALL_INIT_FUNCTION(NAME) \ + (JOIN__2(NAME, ran).did_run == 3 \ + ? JOIN__2(NAME, ran).error \ + : (abort(),0)) +# define INITIALIZER_RAN(NAME) (JOIN__2(NAME,ran).did_run == 3 && JOIN__2(NAME, ran).error == 0) + +#elif defined(USE_LINKER_INIT_OPTION) || defined(_WIN32) + +/* Run initializer at load time, via linker magic, or in the + case of WIN32, win_glue.c hard-coded knowledge. */ +typedef struct { int error; unsigned char did_run; } k5_init_t; +# define MAKE_INIT_FUNCTION(NAME) \ + static k5_init_t JOIN__2(NAME, ran) \ + = { 0, 2 }; \ + static int NAME(void); \ + void JOIN__2(NAME, auxinit)() \ + { \ + JOIN__2(NAME, ran).error = NAME(); \ + JOIN__2(NAME, ran).did_run = 3; \ + } \ + static int NAME(void) +# define CALL_INIT_FUNCTION(NAME) \ + (JOIN__2(NAME, ran).did_run == 3 \ + ? JOIN__2(NAME, ran).error \ + : (abort(),0)) +# define INITIALIZER_RAN(NAME) \ + (JOIN__2(NAME, ran).error == 0) + +# define PROGRAM_EXITING() (0) + +#else + +# error "Don't know how to do load-time initializers for this configuration." + +# define PROGRAM_EXITING() (0) + +#endif + + + +#if defined(USE_LINKER_FINI_OPTION) || defined(_WIN32) +/* If we're told the linker option will be used, it doesn't really + matter what compiler we're using. Do it the same way + regardless. 
*/ + +# define MAKE_FINI_FUNCTION(NAME) \ + void NAME(void) + +#elif defined(__GNUC__) && defined(DESTRUCTOR_ATTR_WORKS) +/* If we're using gcc, if the C++ support works, the compiler should + build executables and shared libraries that support the use of + static constructors and destructors. The C compiler supports a + function attribute that makes use of the same facility as C++. + + XXX How do we know if the C++ support actually works? */ +# define MAKE_FINI_FUNCTION(NAME) \ + static void NAME(void) __attribute__((destructor)) + +#elif !defined(SHARED) + +/* In this case, we just don't care about finalization. + + The code will still define the function, but we won't do anything + with it. Annoying: This may generate unused-function warnings. */ + +# define MAKE_FINI_FUNCTION(NAME) \ + static void NAME(void) + +#else /* DELAY_INITIALIZER */ + +# error "Don't know how to do unload-time finalization for this configuration." + +#endif /* DELAY_INITIALIZER */ + +#endif /* !_KERNEL */ + + +/* 64-bit support: krb5_ui_8 and krb5_int64. + This should move to krb5.h eventually, but without the namespace pollution from the autoconf macros. */ #if defined(HAVE_STDINT_H) || defined(HAVE_INTTYPES_H) @@ -63,10 +332,14 @@ # define UINT64_TYPE unsigned long long #endif +#ifndef _KERNEL +#include <limits.h> +#endif /* !_KERNEL */ #ifndef SIZE_MAX # define SIZE_MAX ((size_t)((size_t)0 - 1)) #endif + /* Read and write integer values as (unaligned) octet strings in specific byte orders. @@ -74,19 +347,19 @@ unaligned word stores and gcc/asm instructions for byte swaps, etc.) */ -static void +static void store_16_be (unsigned int val, unsigned char *p) { p[0] = (val >> 8) & 0xff; p[1] = (val ) & 0xff; } -static void +static void store_16_le (unsigned int val, unsigned char *p) { p[1] = (val >> 8) & 0xff; p[0] = (val ) & 0xff; } -static void +static void store_32_be (unsigned int val, unsigned char *p) { p[0] = (val >> 24) & 0xff; 
@@ -94,7 +367,7 @@ store_32_be (unsigned int val, unsigned char *p) p[2] = (val >> 8) & 0xff; p[3] = (val ) & 0xff; } -static void +static void store_32_le (unsigned int val, unsigned char *p) { p[3] = (val >> 24) & 0xff; @@ -102,7 +375,7 @@ store_32_le (unsigned int val, unsigned char *p) p[1] = (val >> 8) & 0xff; p[0] = (val ) & 0xff; } -static void +static void store_64_be (UINT64_TYPE val, unsigned char *p) { p[0] = (unsigned char)((val >> 56) & 0xff); @@ -114,7 +387,7 @@ store_64_be (UINT64_TYPE val, unsigned char *p) p[6] = (unsigned char)((val >> 8) & 0xff); p[7] = (unsigned char)((val ) & 0xff); } -static void +static void store_64_le (UINT64_TYPE val, unsigned char *p) { p[7] = (unsigned char)((val >> 56) & 0xff); @@ -126,32 +399,32 @@ store_64_le (UINT64_TYPE val, unsigned char *p) p[1] = (unsigned char)((val >> 8) & 0xff); p[0] = (unsigned char)((val ) & 0xff); } -static unsigned short +static unsigned short load_16_be (unsigned char *p) { return (p[1] | (p[0] << 8)); } -static unsigned short +static unsigned short load_16_le (unsigned char *p) { return (p[0] | (p[1] << 8)); } -static unsigned int +static unsigned int load_32_be (unsigned char *p) { return (p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24)); } -static unsigned int +static unsigned int load_32_le (unsigned char *p) { return (p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24)); } -static UINT64_TYPE +static UINT64_TYPE load_64_be (unsigned char *p) { return ((UINT64_TYPE)load_32_be(p) << 32) | load_32_be(p+4); } -static UINT64_TYPE +static UINT64_TYPE load_64_le (unsigned char *p) { return ((UINT64_TYPE)load_32_le(p+4) << 32) | load_32_le(p); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/k5-thread.h b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-thread.h new file mode 100644 index 0000000000..683934ae71 --- /dev/null +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/k5-thread.h 
@@ -0,0 +1,761 @@
+/*
+ * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * include/k5-thread.h
+ *
+ * Copyright 2004 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Preliminary thread support.
+ */
+
+#ifndef K5_THREAD_H
+#define K5_THREAD_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#ifndef _KERNEL /* SUNW14resync, mimic k5-int.h ? */
+#include "autoconf.h"
+#endif
+
+/* Interface (tentative):
+
+ Mutex support:
+
+ // Between these two, we should be able to do pure compile-time
+ // and pure run-time initialization.
+ // POSIX: partial initializer is PTHREAD_MUTEX_INITIALIZER,
+ // finish does nothing
+ // Windows: partial initializer is an invalid handle,
+ // finish does the real initialization work
+ // debug: partial initializer sets one magic value,
+ // finish verifies and sets a new magic value for
+ // lock/unlock to check
+ k5_mutex_t foo_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+ int k5_mutex_finish_init(k5_mutex_t *);
+ // for dynamic allocation
+ int k5_mutex_init(k5_mutex_t *);
+ // Must work for both kinds of alloc, even if it means adding flags.
+ int k5_mutex_destroy(k5_mutex_t *);
+
+ // As before.
+ int k5_mutex_lock(k5_mutex_t *);
+ int k5_mutex_unlock(k5_mutex_t *);
+
+ In each library, one new function to finish the static mutex init,
+ and any other library-wide initialization that might be desired.
+ On POSIX, this function would be called via the second support
+ function (see below). On Windows, it would be called at library
+ load time. These functions, or functions they calls, should be the
+ only places that k5_mutex_finish_init gets called.
+
+ A second function or macro called at various possible "first" entry
+ points which either calls pthread_once on the first function
+ (POSIX), or checks some flag set by the first function (Windows,
+ debug support), and possibly returns an error. (In the
+ non-threaded case, a simple flag can be used to avoid multiple
+ invocations, and the mutexes don't need run-time initialization
+ anyways.)
+
+ A third function for library termination calls mutex_destroy on
+ each mutex for the library. This function would be called
+ automatically at library unload time. If it turns out to be needed
+ at exit time for libraries that don't get unloaded, perhaps we
+ should also use atexit(). Any static mutexes should be cleaned up
+ with k5_mutex_destroy here.
+
+ How does that second support function invoke the first support
+ function only once? Through something modelled on pthread_once
+ that I haven't written up yet.
Probably:
+
+ k5_once_t foo_once = K5_ONCE_INIT;
+ k5_once(k5_once_t *, void (*)(void));
+
+ For POSIX: Map onto pthread_once facility.
+ For non-threaded case: A simple flag.
+ For Windows: Not needed; library init code takes care of it.
+
+ XXX: A general k5_once mechanism isn't possible for Windows,
+ without faking it through named mutexes or mutexes initialized at
+ startup. I was only using it in one place outside these headers,
+ so I'm dropping the general scheme. Eventually the existing uses
+ in k5-thread.h and k5-platform.h will be converted to pthread_once
+ or static variables.
+
+
+ Thread-specific data:
+
+ // TSD keys are limited in number in gssapi/krb5/com_err; enumerate
+ // them all. This allows support code init to allocate the
+ // necessary storage for pointers all at once, and avoids any
+ // possible error in key creation.
+ enum { ... } k5_key_t;
+ // Register destructor function. Called in library init code.
+ int k5_key_register(k5_key_t, void (*destructor)(void *));
+ // Returns NULL or data.
+ void *k5_getspecific(k5_key_t);
+ // Returns error if key out of bounds, or the pointer table can't
+ // be allocated. A call to k5_key_register must have happened first.
+ // This may trigger the calling of pthread_setspecific on POSIX.
+ int k5_setspecific(k5_key_t, void *);
+ // Called in library termination code.
+ // Trashes data in all threads, calling the registered destructor
+ // (but calling it from the current thread).
+ int k5_key_delete(k5_key_t);
+
+ For the non-threaded version, the support code will have a static
+ array indexed by k5_key_t values, and get/setspecific simply access
+ the array elements.
+
+ The TSD destructor table is global state, protected by a mutex if
+ threads are enabled.
+
+ Debug support: Not much. Might check if k5_key_register has been
+ called and abort if not.
+
+
+ Any actual external symbols will use the krb5int_ prefix.
The k5_
+ names will be simple macros or inline functions to rename the
+ external symbols, or slightly more complex ones to expand the
+ implementation inline (e.g., map to POSIX versions and/or debug
+ code using __FILE__ and the like).
+
+
+ More to be added, perhaps. */
+
+#undef DEBUG_THREADS /* SUNW14resync XXX */
+#undef DEBUG_THREADS_LOC /* SUNW14resync XXX */
+#undef DEBUG_THREADS_SLOW /* debugging stuff that'll slow things down? */
+#undef DEBUG_THREADS_STATS
+
+#ifndef _KERNEL
+#include <assert.h>
+#include <stdarg.h>
+#define ASSERT assert
+#endif
+
+/* For tracking locations, of (e.g.) last lock or unlock of mutex. */
+#ifdef DEBUG_THREADS_LOC
+typedef struct {
+ const char *filename;
+ short lineno;
+} k5_debug_loc;
+#define K5_DEBUG_LOC_INIT { __FILE__, __LINE__ }
+#if __GNUC__ >= 2
+#define K5_DEBUG_LOC (__extension__ (k5_debug_loc)K5_DEBUG_LOC_INIT)
+#else
+static inline k5_debug_loc k5_debug_make_loc(const char *file, short line)
+{
+ k5_debug_loc l;
+ l.filename = file;
+ l.lineno = line;
+ return l;
+}
+#define K5_DEBUG_LOC (k5_debug_make_loc(__FILE__,__LINE__))
+#endif
+#else /* ! DEBUG_THREADS_LOC */
+typedef char k5_debug_loc;
+#define K5_DEBUG_LOC_INIT 0
+#define K5_DEBUG_LOC 0
+#endif
+
+#define k5_debug_update_loc(L) ((L) = K5_DEBUG_LOC)
+
+
+
+/* Statistics gathering:
+
+ Currently incomplete, don't try enabling it.
+
+ Eventually: Report number of times locked, total and standard
+ deviation of the time the lock was held, total and std dev time
+ spent waiting for the lock. "Report" will probably mean "write a
+ line to a file if a magic environment variable is set."
*/
+
+#ifdef DEBUG_THREADS_STATS
+
+#if HAVE_TIME_H && (!defined(HAVE_SYS_TIME_H) || defined(TIME_WITH_SYS_TIME))
+# include <time.h>
+#endif
+#if HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <inttypes.h>
+typedef uint64_t k5_debug_timediff_t;
+typedef struct timeval k5_debug_time_t;
+static inline k5_debug_timediff_t
+timediff(k5_debug_time_t t2, k5_debug_time_t t1)
+{
+ return (t2.tv_sec - t1.tv_sec) * 1000000 + (t2.tv_usec - t1.tv_usec);
+}
+struct k5_timediff_stats {
+ k5_debug_timediff_t valmin, valmax, valsum, valsqsum;
+};
+typedef struct {
+ int count;
+ k5_debug_time_t time_acquired, time_created;
+ struct k5_timediff_stats lockwait, lockheld;
+} k5_debug_mutex_stats;
+#define k5_mutex_init_stats(S) \
+ (memset((S), 0, sizeof(struct k5_debug_mutex_stats)), 0)
+#define k5_mutex_finish_init_stats(S) (0)
+#define K5_MUTEX_STATS_INIT { 0, {0}, {0}, {0}, {0} }
+
+#else
+
+typedef char k5_debug_mutex_stats;
+#define k5_mutex_init_stats(S) (*(S) = 's', 0)
+#define k5_mutex_finish_init_stats(S) (0)
+#define K5_MUTEX_STATS_INIT 's'
+
+#endif
+
+
+
+/* Define the OS mutex bit. */
+
+/* First, if we're not actually doing multiple threads, do we
+ want the debug support or not?
*/
+
+#ifdef DEBUG_THREADS
+
+enum k5_mutex_init_states {
+ K5_MUTEX_DEBUG_PARTLY_INITIALIZED = 0x12,
+ K5_MUTEX_DEBUG_INITIALIZED,
+ K5_MUTEX_DEBUG_DESTROYED
+};
+enum k5_mutex_flag_states {
+ K5_MUTEX_DEBUG_UNLOCKED = 0x23,
+ K5_MUTEX_DEBUG_LOCKED
+};
+
+typedef struct {
+ enum k5_mutex_init_states initialized;
+ enum k5_mutex_flag_states locked;
+} k5_os_nothread_mutex;
+
+# define K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER \
+ { K5_MUTEX_DEBUG_PARTLY_INITIALIZED, K5_MUTEX_DEBUG_UNLOCKED }
+
+# define k5_os_nothread_mutex_finish_init(M) \
+ (ASSERT((M)->initialized != K5_MUTEX_DEBUG_INITIALIZED), \
+ ASSERT((M)->initialized == K5_MUTEX_DEBUG_PARTLY_INITIALIZED), \
+ ASSERT((M)->locked == K5_MUTEX_DEBUG_UNLOCKED), \
+ (M)->initialized = K5_MUTEX_DEBUG_INITIALIZED, 0)
+# define k5_os_nothread_mutex_init(M) \
+ ((M)->initialized = K5_MUTEX_DEBUG_INITIALIZED, \
+ (M)->locked = K5_MUTEX_DEBUG_UNLOCKED, 0)
+# define k5_os_nothread_mutex_destroy(M) \
+ (ASSERT((M)->initialized == K5_MUTEX_DEBUG_INITIALIZED), \
+ (M)->initialized = K5_MUTEX_DEBUG_DESTROYED, 0)
+
+# define k5_os_nothread_mutex_lock(M) \
+ (k5_os_nothread_mutex_assert_unlocked(M), \
+ (M)->locked = K5_MUTEX_DEBUG_LOCKED, 0)
+# define k5_os_nothread_mutex_unlock(M) \
+ (k5_os_nothread_mutex_assert_locked(M), \
+ (M)->locked = K5_MUTEX_DEBUG_UNLOCKED, 0)
+
+# define k5_os_nothread_mutex_assert_locked(M) \
+ (ASSERT((M)->initialized == K5_MUTEX_DEBUG_INITIALIZED), \
+ ASSERT((M)->locked != K5_MUTEX_DEBUG_UNLOCKED), \
+ ASSERT((M)->locked == K5_MUTEX_DEBUG_LOCKED))
+# define k5_os_nothread_mutex_assert_unlocked(M) \
+ (ASSERT((M)->initialized == K5_MUTEX_DEBUG_INITIALIZED), \
+ ASSERT((M)->locked != K5_MUTEX_DEBUG_LOCKED), \
+ ASSERT((M)->locked == K5_MUTEX_DEBUG_UNLOCKED))
+
+#else /* threads disabled and not debugging */
+
+typedef char k5_os_nothread_mutex;
+# define K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER 0
+/* Empty inline functions avoid the "statement with no effect"
+ warnings, and do better
type-checking than functions that don't use
+ their arguments. */
+/* SUNW 1.4resync, remove "inline" to avoid warning */
+/* ARGSUSED */
+/* LINTED */
+static int k5_os_nothread_mutex_finish_init(k5_os_nothread_mutex *m) {
+ return 0;
+}
+/* ARGSUSED */
+/* LINTED */
+static int k5_os_nothread_mutex_init(k5_os_nothread_mutex *m) {
+ return 0;
+}
+/* ARGSUSED */
+/* LINTED */
+static int k5_os_nothread_mutex_destroy(k5_os_nothread_mutex *m) {
+ return 0;
+}
+/* ARGSUSED */
+/* LINTED */
+static int k5_os_nothread_mutex_lock(k5_os_nothread_mutex *m) {
+ return 0;
+}
+/* ARGSUSED */
+/* LINTED */
+static int k5_os_nothread_mutex_unlock(k5_os_nothread_mutex *m) {
+ return 0;
+}
+# define k5_os_nothread_mutex_assert_locked(M) ((void)0)
+# define k5_os_nothread_mutex_assert_unlocked(M) ((void)0)
+
+#endif
+
+/* Values:
+ 2 - function has not been run
+ 3 - function has been run
+ 4 - function is being run -- deadlock detected */
+typedef unsigned char k5_os_nothread_once_t;
+# define K5_OS_NOTHREAD_ONCE_INIT 2
+# define k5_os_nothread_once(O,F) \
+ (*(O) == 3 ? 0 \
+ : *(O) == 2 ? (*(O) = 4, (F)(), *(O) = 3, 0) \
+ : (ASSERT(*(O) != 4), ASSERT(*(O) == 2 || *(O) == 3), 0))
+
+
+
+#ifndef ENABLE_THREADS
+
+typedef k5_os_nothread_mutex k5_os_mutex;
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
+ K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER
+# define k5_os_mutex_finish_init k5_os_nothread_mutex_finish_init
+# define k5_os_mutex_init k5_os_nothread_mutex_init
+# define k5_os_mutex_destroy k5_os_nothread_mutex_destroy
+# define k5_os_mutex_lock k5_os_nothread_mutex_lock
+# define k5_os_mutex_unlock k5_os_nothread_mutex_unlock
+# define k5_os_mutex_assert_locked k5_os_nothread_mutex_assert_locked
+# define k5_os_mutex_assert_unlocked k5_os_nothread_mutex_assert_unlocked
+
+# define k5_once_t k5_os_nothread_once_t
+# define K5_ONCE_INIT K5_OS_NOTHREAD_ONCE_INIT
+# define k5_once k5_os_nothread_once
+
+#elif HAVE_PTHREAD
+
+# include <pthread.h>
+
+/* Weak reference support, etc.
+
+ Linux: Stub mutex routines exist, but pthread_once does not.
+
+ Solaris: In libc there's a pthread_once that doesn't seem
+ to do anything. Bleah. But pthread_mutexattr_setrobust_np
+ is defined only in libpthread.
+
+ IRIX 6.5 stub pthread support in libc is really annoying. The
+ pthread_mutex_lock function returns ENOSYS for a program not linked
+ against -lpthread. No link-time failure, no weak symbols, etc.
+ The C library doesn't provide pthread_once; we can use weak
+ reference support for that.
+
+ If weak references are not available, then for now, we assume that
+ the pthread support routines will always be available -- either the
+ real thing, or functional stubs that merely prohibit creating
+ threads.
+
+ If we find a platform with non-functional stubs and no weak
+ references, we may have to resort to some hack like dlsym on the
+ symbol tables of the current process. */
+#ifdef HAVE_PRAGMA_WEAK_REF
+# pragma weak pthread_once
+# pragma weak pthread_mutex_lock
+# pragma weak pthread_mutex_unlock
+# pragma weak pthread_mutex_destroy
+# pragma weak pthread_mutex_init
+# pragma weak pthread_self
+# pragma weak pthread_equal
+# ifdef HAVE_PTHREAD_MUTEXATTR_SETROBUST_NP_IN_THREAD_LIB
+# pragma weak pthread_mutexattr_setrobust_np
+# endif
+# if !defined HAVE_PTHREAD_ONCE
+# define K5_PTHREADS_LOADED (&pthread_once != 0)
+# elif !defined HAVE_PTHREAD_MUTEXATTR_SETROBUST_NP \
+ && defined HAVE_PTHREAD_MUTEXATTR_SETROBUST_NP_IN_THREAD_LIB
+# define K5_PTHREADS_LOADED (&pthread_mutexattr_setrobust_np != 0)
+# else
+# define K5_PTHREADS_LOADED (1)
+# endif
+#else
+/* no pragma weak support */
+# define K5_PTHREADS_LOADED (1)
+#endif
+
+#if defined(__mips) && defined(__sgi) && (defined(_SYSTYPE_SVR4) || defined(__SYSTYPE_SVR4__))
+/* IRIX 6.5 stub pthread support in libc is really annoying. The
+ pthread_mutex_lock function returns ENOSYS for a program not linked
+ against -lpthread. No link-time failure, no weak reference tests,
+ etc.
+
+ The C library doesn't provide pthread_once; we can use weak
+ reference support for that. */
+# ifndef HAVE_PRAGMA_WEAK_REF
+# if defined(__GNUC__) && __GNUC__ < 3
+# error "Please update to a newer gcc with weak symbol support, or switch to native cc, reconfigure and recompile."
+# else
+# error "Weak reference support is required"
+# endif
+# endif
+# define USE_PTHREAD_LOCK_ONLY_IF_LOADED
+#endif
+
+#if !defined(HAVE_PTHREAD_MUTEX_LOCK) && !defined(USE_PTHREAD_LOCK_ONLY_IF_LOADED)
+# define USE_PTHREAD_LOCK_ONLY_IF_LOADED
+#endif
+
+#ifdef HAVE_PRAGMA_WEAK_REF
+/* Can't rely on useful stubs -- see above regarding Solaris. */
+typedef struct {
+ pthread_once_t o;
+ k5_os_nothread_once_t n;
+} k5_once_t;
+# define K5_ONCE_INIT { PTHREAD_ONCE_INIT, K5_OS_NOTHREAD_ONCE_INIT }
+# define k5_once(O,F) (K5_PTHREADS_LOADED \
+ ? pthread_once(&(O)->o,F) \
+ : k5_os_nothread_once(&(O)->n,F))
+#else
+typedef pthread_once_t k5_once_t;
+# define K5_ONCE_INIT PTHREAD_ONCE_INIT
+# define k5_once pthread_once
+#endif
+
+typedef struct {
+ pthread_mutex_t p;
+#ifdef DEBUG_THREADS
+ pthread_t owner;
+#endif
+#ifdef USE_PTHREAD_LOCK_ONLY_IF_LOADED
+ k5_os_nothread_mutex n;
+#endif
+} k5_os_mutex;
+
+#ifdef DEBUG_THREADS
+# ifdef __GNUC__
+# define k5_pthread_mutex_lock(M) \
+ ({ \
+ k5_os_mutex *_m2 = (M); \
+ int _r2 = pthread_mutex_lock(&_m2->p); \
+ if (_r2 == 0) _m2->owner = pthread_self(); \
+ _r2; \
+ })
+# else
+static inline int
+k5_pthread_mutex_lock(k5_os_mutex *m)
+{
+ int r = pthread_mutex_lock(&m->p);
+ if (r)
+ return r;
+ m->owner = pthread_self();
+ return 0;
+}
+# endif
+# define k5_pthread_assert_locked(M) \
+ (K5_PTHREADS_LOADED \
+ ?
ASSERT(pthread_equal((M)->owner, pthread_self())) \
+ : (void)0)
+# define k5_pthread_mutex_unlock(M) \
+ (k5_pthread_assert_locked(M), \
+ (M)->owner = (pthread_t) 0, \
+ pthread_mutex_unlock(&(M)->p))
+#else
+# define k5_pthread_mutex_lock(M) pthread_mutex_lock(&(M)->p)
+/* LINTED */
+static void k5_pthread_assert_locked(k5_os_mutex *m) { }
+# define k5_pthread_mutex_unlock(M) pthread_mutex_unlock(&(M)->p)
+#endif
+
+/* Define as functions to:
+ (1) eliminate "statement with no effect" warnings for "0"
+ (2) encourage type-checking in calling code */
+
+/* LINTED */
+static void k5_pthread_assert_unlocked(pthread_mutex_t *m) { }
+
+#if defined(DEBUG_THREADS_SLOW) && HAVE_SCHED_H && (HAVE_SCHED_YIELD || HAVE_PRAGMA_WEAK_REF)
+# include <sched.h>
+# if !HAVE_SCHED_YIELD
+# pragma weak sched_yield
+# define MAYBE_SCHED_YIELD() ((void)((&sched_yield != NULL) ? sched_yield() : 0))
+# else
+# define MAYBE_SCHED_YIELD() ((void)sched_yield())
+# endif
+#else
+# define MAYBE_SCHED_YIELD() ((void)0)
+#endif
+
+/* It may not be obvious why this function is desirable.
+
+ I want to call pthread_mutex_lock, then sched_yield, then look at
+ the return code from pthread_mutex_lock. That can't be implemented
+ in a macro without a temporary variable, or GNU C extensions.
+
+ There used to be an inline function which did it, with both
+ functions called from the inline function. But that messes with
+ the debug information on a lot of configurations, and you can't
+ tell where the inline function was called from. (Typically, gdb
+ gives you the name of the function from which the inline function
+ was called, and a line number within the inline function itself.)
+
+ With this auxiliary function, pthread_mutex_lock can be called at
+ the invoking site via a macro; once it returns, the inline function
+ is called (with messed-up line-number info for gdb hopefully
+ localized to just that call).
*/
+#ifdef __GNUC__
+#define return_after_yield(R) \
+ __extension__ ({ \
+ int _r = (R); \
+ MAYBE_SCHED_YIELD(); \
+ _r; \
+ })
+#else
+static int return_after_yield(int r)
+{
+ MAYBE_SCHED_YIELD();
+ return r;
+}
+#endif
+
+#ifdef USE_PTHREAD_LOCK_ONLY_IF_LOADED
+
+# if defined(PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP) && defined(DEBUG_THREADS)
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
+ { PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP, (pthread_t) 0, \
+ K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER }
+# elif defined(DEBUG_THREADS)
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
+ { PTHREAD_MUTEX_INITIALIZER, (pthread_t) 0, \
+ K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER }
+# else
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
+ { PTHREAD_MUTEX_INITIALIZER, K5_OS_NOTHREAD_MUTEX_PARTIAL_INITIALIZER }
+# endif
+
+# define k5_os_mutex_finish_init(M) \
+ k5_os_nothread_mutex_finish_init(&(M)->n)
+# define k5_os_mutex_init(M) \
+ (k5_os_nothread_mutex_init(&(M)->n), \
+ (K5_PTHREADS_LOADED \
+ ? pthread_mutex_init(&(M)->p, 0) \
+ : 0))
+# define k5_os_mutex_destroy(M) \
+ (k5_os_nothread_mutex_destroy(&(M)->n), \
+ (K5_PTHREADS_LOADED \
+ ? pthread_mutex_destroy(&(M)->p) \
+ : 0))
+
+# define k5_os_mutex_lock(M) \
+ return_after_yield(K5_PTHREADS_LOADED \
+ ? k5_pthread_mutex_lock(M) \
+ : k5_os_nothread_mutex_lock(&(M)->n))
+# define k5_os_mutex_unlock(M) \
+ (MAYBE_SCHED_YIELD(), \
+ (K5_PTHREADS_LOADED \
+ ? k5_pthread_mutex_unlock(M) \
+ : k5_os_nothread_mutex_unlock(&(M)->n)))
+
+# define k5_os_mutex_assert_unlocked(M) \
+ (K5_PTHREADS_LOADED \
+ ? k5_pthread_assert_unlocked(&(M)->p) \
+ : k5_os_nothread_mutex_assert_unlocked(&(M)->n))
+# define k5_os_mutex_assert_locked(M) \
+ (K5_PTHREADS_LOADED \
+ ?
k5_pthread_assert_locked(M) \
+ : k5_os_nothread_mutex_assert_locked(&(M)->n))
+
+#else
+
+# ifdef DEBUG_THREADS
+# ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
+ { PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP, (pthread_t) 0 }
+# else
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
+ { PTHREAD_MUTEX_INITIALIZER, (pthread_t) 0 }
+# endif
+# else
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER \
+ { PTHREAD_MUTEX_INITIALIZER }
+# endif
+
+/* LINTED */
+static int k5_os_mutex_finish_init(k5_os_mutex *m) { return 0; }
+# define k5_os_mutex_init(M) pthread_mutex_init(&(M)->p, 0)
+# define k5_os_mutex_destroy(M) pthread_mutex_destroy(&(M)->p)
+# define k5_os_mutex_lock(M) return_after_yield(k5_pthread_mutex_lock(M))
+# define k5_os_mutex_unlock(M) (MAYBE_SCHED_YIELD(),k5_pthread_mutex_unlock(M))
+
+# define k5_os_mutex_assert_unlocked(M) k5_pthread_assert_unlocked(&(M)->p)
+# define k5_os_mutex_assert_locked(M) k5_pthread_assert_locked(M)
+
+#endif /* is pthreads always available? */
+
+#elif defined _WIN32
+
+typedef struct {
+ HANDLE h;
+ int is_locked;
+} k5_os_mutex;
+
+# define K5_OS_MUTEX_PARTIAL_INITIALIZER { INVALID_HANDLE_VALUE, 0 }
+
+# define k5_os_mutex_finish_init(M) \
+ (ASSERT((M)->h == INVALID_HANDLE_VALUE), \
+ ((M)->h = CreateMutex(NULL, FALSE, NULL)) ? 0 : GetLastError())
+# define k5_os_mutex_init(M) \
+ ((M)->is_locked = 0, \
+ ((M)->h = CreateMutex(NULL, FALSE, NULL)) ? 0 : GetLastError())
+# define k5_os_mutex_destroy(M) \
+ (CloseHandle((M)->h) ? ((M)->h = 0, 0) : GetLastError())
+
+static inline int k5_os_mutex_lock(k5_os_mutex *m)
+{
+ DWORD res;
+ res = WaitForSingleObject(m->h, INFINITE);
+ if (res == WAIT_FAILED)
+ return GetLastError();
+ /* Eventually these should be turned into some reasonable error
+ code. */
+ ASSERT(res != WAIT_TIMEOUT);
+ ASSERT(res != WAIT_ABANDONED);
+ ASSERT(res == WAIT_OBJECT_0);
+ /* Avoid locking twice.
*/
+ ASSERT(m->is_locked == 0);
+ m->is_locked = 1;
+ return 0;
+}
+
+# define k5_os_mutex_unlock(M) \
+ (ASSERT((M)->is_locked == 1), \
+ (M)->is_locked = 0, \
+ ReleaseMutex((M)->h) ? 0 : GetLastError())
+
+# define k5_os_mutex_assert_unlocked(M) ((void)0)
+# define k5_os_mutex_assert_locked(M) ((void)0)
+
+#else
+
+# error "Thread support enabled, but thread system unknown"
+
+#endif
+
+
+
+
+typedef struct {
+ k5_debug_loc loc_last, loc_created;
+ k5_os_mutex os;
+ k5_debug_mutex_stats stats;
+} k5_mutex_t;
+#define K5_MUTEX_PARTIAL_INITIALIZER \
+ { K5_DEBUG_LOC_INIT, K5_DEBUG_LOC_INIT, \
+ K5_OS_MUTEX_PARTIAL_INITIALIZER, K5_MUTEX_STATS_INIT }
+/* LINTED */
+static int k5_mutex_init_1(k5_mutex_t *m, k5_debug_loc l)
+{
+ int err = k5_os_mutex_init(&m->os);
+ if (err) return err;
+ m->loc_created = m->loc_last = l;
+ err = k5_mutex_init_stats(&m->stats);
+ ASSERT(err == 0);
+ return 0;
+}
+#define k5_mutex_init(M) k5_mutex_init_1((M), K5_DEBUG_LOC)
+/* LINTED */
+static int k5_mutex_finish_init_1(k5_mutex_t *m, k5_debug_loc l)
+{
+ int err = k5_os_mutex_finish_init(&m->os);
+ if (err) return err;
+ m->loc_created = m->loc_last = l;
+ err = k5_mutex_finish_init_stats(&m->stats);
+ ASSERT(err == 0);
+ return 0;
+}
+#define k5_mutex_finish_init(M) k5_mutex_finish_init_1((M), K5_DEBUG_LOC)
+#define k5_mutex_destroy(M) \
+ (k5_os_mutex_assert_unlocked(&(M)->os), \
+ k5_mutex_lock(M), (M)->loc_last = K5_DEBUG_LOC, k5_mutex_unlock(M), \
+ k5_os_mutex_destroy(&(M)->os))
+#ifdef __GNUC__
+#define k5_mutex_lock(M) \
+ __extension__ ({ \
+ int _err = 0; \
+ k5_mutex_t *_m = (M); \
+ _err = k5_os_mutex_lock(&_m->os); \
+ if (_err == 0) _m->loc_last = K5_DEBUG_LOC; \
+ _err; \
+ })
+#else
+/* LINTED */
+static int k5_mutex_lock_1(k5_mutex_t *m, k5_debug_loc l)
+{
+ int err = 0;
+ err = k5_os_mutex_lock(&m->os);
+ if (err)
+ return err;
+ m->loc_last = l;
+ return err;
+}
+#define k5_mutex_lock(M) k5_mutex_lock_1(M, K5_DEBUG_LOC)
+#endif
+#define k5_mutex_unlock(M) \
+
(k5_mutex_assert_locked(M), \ + (M)->loc_last = K5_DEBUG_LOC, \ + k5_os_mutex_unlock(&(M)->os)) + +#define k5_mutex_assert_locked(M) k5_os_mutex_assert_locked(&(M)->os) +#define k5_mutex_assert_unlocked(M) k5_os_mutex_assert_unlocked(&(M)->os) + +#define k5_assert_locked k5_mutex_assert_locked +#define k5_assert_unlocked k5_mutex_assert_unlocked + + +/* Thread-specific data; implemented in a support file, because we'll + need to keep track of some global data for cleanup purposes. + + Note that the callback function type is such that the C library + routine free() is a valid callback. */ +typedef enum { + K5_KEY_COM_ERR, + K5_KEY_GSS_KRB5_SET_CCACHE_OLD_NAME, + K5_KEY_GSS_KRB5_CCACHE_NAME, + K5_KEY_MAX +} k5_key_t; +/* rename shorthand symbols for export */ +#define k5_key_register krb5int_key_register +#define k5_getspecific krb5int_getspecific +#define k5_setspecific krb5int_setspecific +#define k5_key_delete krb5int_key_delete +extern int k5_key_register(k5_key_t, void (*)(void *)); +extern void *k5_getspecific(k5_key_t); +extern int k5_setspecific(k5_key_t, void *); +extern int k5_key_delete(k5_key_t); + +#endif /* multiple inclusion? */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h b/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h index 4531456fa7..fdb2e7654a 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/krb5.h @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
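Review bot: In `k5_os_nothread_once`, the last arm of the conditional returns 0 after its two `ASSERT`s, so once assertions are compiled out a re-entrant call made while the init function is still running (`*(O) == 4`, the state the comment calls "deadlock detected") reports success although initialization has not finished. Returning a non-zero error from that arm, for example `: (ASSERT(*(O) != 4), EDEADLK)` if errno-style values are acceptable to the callers of `k5_once`, would keep the failure visible in production builds. The same reliance on `ASSERT` appears in the `_WIN32` `k5_os_mutex_lock`, where `WAIT_ABANDONED` falls through to `return 0`, and `k5_mutex_destroy` discards the result of `k5_mutex_lock(M)` before it unlocks and destroys the mutex. A short comment on each of these stating what a caller may assume when assertions are disabled would help whoever maintains the locking later.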
@@ -111,10 +111,28 @@ #include <thread.h> #include <synch.h> #include <security/cryptoki.h> +#include <limits.h> /* for *_MAX */ #endif /* _KERNEL */ +/* By default, do not expose deprecated interfaces. */ +/* SUNW14resync - we need to enable this for rlogind and such */ +#ifndef KRB5_DEPRECATED +#define KRB5_DEPRECATED 1 +#endif +/* Do not expose private interfaces. Build system will override. */ +/* SUNW14resync - for the Solaris build we set it to 1 here */ +#ifndef KRB5_PRIVATE +#define KRB5_PRIVATE 1 +#endif + +#if defined(__MACH__) && defined(__APPLE__) +# include <TargetConditionals.h> +# if TARGET_RT_MAC_CFM +# error "Use KfM 4.0 SDK headers for CFM compilation." +# endif +#endif -#if (defined(_MSDOS) || defined(_WIN32)) || defined(macintosh) +#if (defined(_MSDOS) || defined(_WIN32)) #include <win-mac.h> #endif @@ -122,14 +140,14 @@ #ifndef KRB5_CALLCONV #define KRB5_CALLCONV #define KRB5_CALLCONV_C -#define KRB5_DLLIMP -#define GSS_DLLIMP -#define KRB5_EXPORTVAR -#define NEAR -#define FAR #endif /* !KRB5_CALLCONV */ #endif /* !KRB5_CONFIG__ */ +#ifndef KRB5_CALLCONV_WRONG +#define KRB5_CALLCONV_WRONG +#endif + +/* SUNW14resync XXX */ #include <sys/types.h> #include <sys/socket.h> 
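Review bot: The two added comments `/* By default, do not expose deprecated interfaces. */` and `/* Do not expose private interfaces. Build system will override. */` say the opposite of what the hunk does, because both `KRB5_DEPRECATED` and `KRB5_PRIVATE` default to 1 here. The SUNW14resync lines below them explain the intent, but a reader who stops at the first line will assume the private API is hidden from every consumer of this header. I would reword them to describe the Solaris default, e.g. `/* Solaris: deprecated interfaces are exposed unless KRB5_DEPRECATED is predefined (needed by rlogind and such). */` and `/* Solaris: private interfaces are exposed unless KRB5_PRIVATE is predefined. */`, and name the consumers that need the private set.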
@@ -137,31 +155,33 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif + /* * Solaris Kerberos: * KRB5_OLD_CRYPTO is not needed or supported anymore. */ /* #define KRB5_OLD_CRYPTO */ -/* - * begin "error_def.h" - */ -#ifdef _KERNEL -#include <sys/errno.h> -#else -#include <errno.h> -#include <profile.h> -#endif /* _KERNEL */ - -/* - * end "error_def.h" - */ +#ifndef KRB5INT_BEGIN_DECLS +#if defined(__cplusplus) +#define KRB5INT_BEGIN_DECLS extern "C" { +#define KRB5INT_END_DECLS } +#else +#define KRB5INT_BEGIN_DECLS +#define KRB5INT_END_DECLS +#endif +#endif /* KRB5INT_BEGIN_DECLS */ -#ifdef __cplusplus -extern "C" { +#if TARGET_OS_MAC +# pragma options align=mac68k #endif +/* from profile.h */ +struct _profile_t; +/* typedef struct _profile_t *profile_t; */ + + /* * begin wordsize.h */ @@ -171,35 +191,33 @@ extern "C" { */ typedef unsigned char krb5_octet; -typedef unsigned char krb5_ui_1; -#if (SIZEOF_INT == 2) +#if INT_MAX == 0x7fff typedef int krb5_int16; typedef unsigned int krb5_ui_2; -#define VALID_INT_BITS 0x7fff -#define VALID_UINT_BITS 0xffff -#elif (SIZEOF_SHORT == 2) +#elif SHRT_MAX == 0x7fff typedef short krb5_int16; typedef unsigned short krb5_ui_2; #else - ?==error: undefined 16 bit type +#error undefined 16 bit type #endif -#if (SIZEOF_INT == 4) +#if INT_MAX == 0x7fffffffL typedef int krb5_int32; typedef unsigned int krb5_ui_4; -#define VALID_INT_BITS 0x7fffffff -#define VALID_UINT_BITS 0xffffffff -#elif (SIZEOF_LONG == 4) +#elif LONG_MAX == 0x7fffffffL typedef long krb5_int32; typedef unsigned long krb5_ui_4; -#elif (SIZEOF_SHORT == 4) +#elif SHRT_MAX == 0x7fffffffL typedef short krb5_int32; typedef unsigned short krb5_ui_4; #else - ?== error: undefined 32 bit type +#error: undefined 32 bit type #endif +#define VALID_INT_BITS INT_MAX +#define VALID_UINT_BITS UINT_MAX + #define KRB5_INT32_MAX 2147483647 /* this strange form is necessary since - is a unary operator, not a sign indicator */ 
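Review bot: The width tests in the wordsize block now depend on `INT_MAX`, `SHRT_MAX` and `LONG_MAX` being defined before this point; an undefined macro evaluates to 0 in `#if`, so a build that arrives here without them stops at `#error` instead of selecting a type. The only `<limits.h>` include this commit adds to krb5.h appears to sit in the non-kernel branch, so it is worth confirming where `_KERNEL` builds obtain these limits and recording it in a comment such as `/* INT_MAX etc. come from <limits.h> in userland and from <header> in the kernel */`, with the placeholder replaced by the real header. Separately, `#error: undefined 32 bit type` carries a stray colon that the 16-bit case, `#error undefined 16 bit type`, does not.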
@@ -253,51 +271,17 @@ typedef struct _krb5_data { char *data; } krb5_data; -#define SALT_TYPE_NO_LENGTH (4294967295U) - -/* Define krb5_const as necessary */ - -/* - * Hardcoded scrudge to deal with Ultrix; see note on NPROTOTYPE below - */ +/* + * Hack length for crypto library to use the afs_string_to_key It is + * equivalent to -1 without possible sign extension + * We also overload for an unset salt type length - which is also -1, but + * hey, why not.... +*/ +#define SALT_TYPE_AFS_LENGTH UINT_MAX +#define SALT_TYPE_NO_LENGTH UINT_MAX -#if defined(KRB5_NO_CONST) || (defined(__ultrix) && !defined(__GNUC__)) -#define krb5_const -#else -#define krb5_const const -#endif - -#if defined(__STDC__) || defined(__cplusplus) || defined(HAS_VOID_TYPE) -typedef void * krb5_pointer; -typedef void krb5_const * krb5_const_pointer; -#else -typedef char * krb5_pointer; -typedef char krb5_const * krb5_const_pointer; -#endif - -#if (defined(__STDC__) || defined(__cplusplus) || defined(_MSDOS) || defined(_WIN32) || defined(KRB5_PROVIDE_PROTOTYPES)) && !defined(KRB5_NO_PROTOTYPES) -#define KRB5_PROTOTYPE(x) x -#if defined(__STDC__) || defined(__cplusplus) || defined(HAVE_STDARG_H) || defined(_MSDOS) || defined(_WIN32) -#define KRB5_STDARG_P(x) x -#else -#define KRB5_STDARG_P(x) () -#endif /* defined(__STDC__) || defined(__cplusplus) || defined(HAVE_STDARG_H) */ -#else -#define KRB5_PROTOTYPE(x) () -#define KRB5_STDARG_P(x) () -#endif /* STDC or PROTOTYPES */ - -/* - * This gross compiler dependency is in here because the stock Ultrix - * compiler defines __STDC__ but doesn't deal with nested prototypes - * properly. The reason this isn't tested for is so that this header - * is actually useful when installed. 
- */ -#if defined(KRB5_NO_NESTED_PROTOTYPES) || (defined(__ultrix) && !defined(__GNUC__)) -#define KRB5_NPROTOTYPE(x) () -#else -#define KRB5_NPROTOTYPE(x) KRB5_PROTOTYPE(x) -#endif +typedef void * krb5_pointer; +typedef void const * krb5_const_pointer; typedef struct krb5_principal_data { krb5_magic magic; @@ -327,7 +311,7 @@ typedef krb5_principal_data * krb5_principal; #define KRB5_NT_UID 5 /* constant version thereof: */ -typedef krb5_const krb5_principal_data *krb5_const_principal; +typedef const krb5_principal_data *krb5_const_principal; #define krb5_princ_realm(context, princ) (&(princ)->realm) #define krb5_princ_set_realm(context, princ,value) ((princ)->realm = *(value)) @@ -336,8 +320,10 @@ typedef krb5_const krb5_principal_data *krb5_const_principal; #define krb5_princ_size(context, princ) (princ)->length #define krb5_princ_type(context, princ) (princ)->type #define krb5_princ_name(context, princ) (princ)->data -#define krb5_princ_component(context, princ, i) \ - (i < krb5_princ_size(context, princ) ? ((princ)->data + i) : NULL) +#define krb5_princ_component(context, princ,i) \ + (((i) < krb5_princ_size(context, princ)) \ + ? (princ)->data + (i) \ + : NULL) /* * end "base-defs.h" @@ -382,6 +368,7 @@ typedef struct _krb5_auth_context * krb5_auth_context; struct _krb5_cryptosystem_entry; +/* SUNW EF (I assume) crypto mods ... */ struct _krb5_keyblock; /* @@ -451,7 +438,6 @@ typedef struct _krb5_enc_data { #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012 #define ENCTYPE_ARCFOUR_HMAC 0x0017 #define ENCTYPE_ARCFOUR_HMAC_EXP 0x0018 - #define ENCTYPE_UNKNOWN 0x01ff #define CKSUMTYPE_CRC32 0x0001 
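Review bot: The rewritten `krb5_princ_component` still checks only the upper bound, so a negative `i` satisfies `(i) < krb5_princ_size(context, princ)` and the macro yields a pointer in front of `(princ)->data`; whether that can happen depends on the types of `i` and of `length`, which are declared outside this hunk. If signed indices can reach the macro, the condition should read `((i) >= 0 && (i) < krb5_princ_size(context, princ))`. The macro also evaluates `i` more than once, which deserves a one-line comment such as `/* i is evaluated more than once; pass an expression without side effects */`.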
@@ -468,6 +454,26 @@ typedef struct _krb5_enc_data { #define CKSUMTYPE_HMAC_SHA1_96_AES256 0x0010 #define CKSUMTYPE_HMAC_MD5_ARCFOUR -138 /*Microsoft md5 hmac cksumtype*/ +/* The following are entropy source designations. Whenever + * krb5_C_random_add_entropy is called, one of these source ids is passed + * in. This allows the library to better estimate bits of + * entropy in the sample and to keep track of what sources of entropy have + * contributed enough entropy. Sources marked internal MUST NOT be + * used by applications outside the Kerberos library +*/ + +enum { + KRB5_C_RANDSOURCE_OLDAPI = 0, /*calls to krb5_C_RANDOM_SEED (INTERNAL)*/ + KRB5_C_RANDSOURCE_OSRAND = 1, /* /dev/random or equivalent (internal)*/ + KRB5_C_RANDSOURCE_TRUSTEDPARTY = 2, /* From KDC or other trusted party*/ + /*This source should be used carefully; data in this category + * should be from a third party trusted to give random bits + * For example keys issued by the KDC in the application server. + */ + KRB5_C_RANDSOURCE_TIMING = 3, /* Timing of operations*/ + KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL = 4, /*Protocol data possibly from attacker*/ + KRB5_C_RANDSOURCE_MAX = 5 /*Do not use; maximum source ID*/ +}; #ifndef krb5_roundup /* round x up to nearest multiple of y */ 
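Review bot: The comment above the new enum refers to `krb5_C_random_add_entropy` and `krb5_C_RANDOM_SEED`, while the functions this header declares are `krb5_c_random_add_entropy` and `krb5_c_random_seed`, so a search for the documented names finds nothing. It also states that sources marked internal must not be used by applications, yet only `KRB5_C_RANDSOURCE_OLDAPI` and `KRB5_C_RANDSOURCE_OSRAND` carry the marker, in two different spellings; tagging every entry as `(internal)` or `(application)` would remove the guesswork. For `KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL`, described as data possibly from an attacker, the comment should say how much entropy such input is credited with, since that is not visible from this hunk and it decides whether passing the id is safe.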
@@ -486,27 +492,27 @@ typedef struct _krb5_enc_data { krb5_error_code KRB5_CALLCONV krb5_c_encrypt - KRB5_PROTOTYPE((krb5_context context, - krb5_const krb5_keyblock *key, - krb5_keyusage usage, krb5_const krb5_data *ivec, - krb5_const krb5_data *input, krb5_enc_data *output)); + (krb5_context context, + const krb5_keyblock *key, + krb5_keyusage usage, const krb5_data *ivec, + const krb5_data *input, krb5_enc_data *output); krb5_error_code KRB5_CALLCONV krb5_c_decrypt - KRB5_PROTOTYPE((krb5_context context, - krb5_const krb5_keyblock *key, - krb5_keyusage usage, krb5_const krb5_data *ivec, - krb5_const krb5_enc_data *input, krb5_data *output)); + (krb5_context context, + const krb5_keyblock *key, + krb5_keyusage usage, const krb5_data *ivec, + const krb5_enc_data *input, krb5_data *output); krb5_error_code KRB5_CALLCONV krb5_c_encrypt_length - KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype, - size_t inputlen, size_t *length)); + (krb5_context context, krb5_enctype enctype, + size_t inputlen, size_t *length); krb5_error_code KRB5_CALLCONV krb5_c_block_size - KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype, - size_t *blocksize)); + (krb5_context context, krb5_enctype enctype, + size_t *blocksize); krb5_error_code KRB5_CALLCONV krb5_c_init_state(krb5_context, 
@@ -519,22 +525,45 @@ krb5_error_code KRB5_CALLCONV krb5_error_code KRB5_CALLCONV krb5_c_make_random_key - KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype, - krb5_keyblock *random_key)); + (krb5_context context, krb5_enctype enctype, + krb5_keyblock *random_key); + +/* Register a new entropy sample with the PRNG. may cause +* the PRNG to be reseeded, although this is not guaranteed. See previous randsource definitions +* for information on how each source should be used. +*/ +krb5_error_code KRB5_CALLCONV + krb5_c_random_add_entropy +(krb5_context context, unsigned int randsource_id, const krb5_data *data); krb5_error_code KRB5_CALLCONV krb5_c_random_make_octets - KRB5_PROTOTYPE((krb5_context context, krb5_data *data)); + (krb5_context context, krb5_data *data); + +/* +* Collect entropy from the OS if possible. strong requests that as strong +* of a source of entropy as available be used. Setting strong may +* increase the probability of blocking and should not be used for normal +* applications. Good uses include seeding the PRNG for kadmind +* and realm setup. +* If successful is non-null, then successful is set to 1 if the OS provided +* entropy else zero. +*/ +#if 0 /* SUNW14resync - not used in Solaris */ +krb5_error_code KRB5_CALLCONV +krb5_c_random_os_entropy +(krb5_context context, int strong, int *success); +#endif -krb5_error_code KRB5_CALLCONV +/*deprecated*/ krb5_error_code KRB5_CALLCONV krb5_c_random_seed - KRB5_PROTOTYPE((krb5_context context, krb5_data *data)); + (krb5_context context, krb5_data *data); krb5_error_code KRB5_CALLCONV krb5_c_string_to_key - KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype, - krb5_const krb5_data *string, krb5_const krb5_data *salt, - krb5_keyblock *key)); + (krb5_context context, krb5_enctype enctype, + const krb5_data *string, const krb5_data *salt, + krb5_keyblock *key); krb5_error_code KRB5_CALLCONV krb5_c_string_to_key_with_params(krb5_context context, 
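Review bot: The comment added for `krb5_c_random_os_entropy` describes an out parameter called `successful`, but the prototype names it `success`; the comment should use the prototype's name. The `/*deprecated*/` marker in front of `krb5_c_random_seed` names no replacement. Presumably that is the function declared just above, so `/* deprecated: use krb5_c_random_add_entropy */` would tell callers where to go. The comment on `krb5_c_random_add_entropy` also leaves open whether a NULL or zero-length `data` is accepted and which error is returned for an unknown `randsource_id`. Each deserves a sentence, since callers feeding attacker-influenced protocol data depend on that contract.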
@@ -546,32 +575,32 @@ krb5_c_string_to_key_with_params(krb5_context context, krb5_error_code KRB5_CALLCONV krb5_c_enctype_compare - KRB5_PROTOTYPE((krb5_context context, krb5_enctype e1, krb5_enctype e2, - krb5_boolean *similar)); + (krb5_context context, krb5_enctype e1, krb5_enctype e2, + krb5_boolean *similar); krb5_error_code KRB5_CALLCONV krb5_c_make_checksum - KRB5_PROTOTYPE((krb5_context context, krb5_cksumtype cksumtype, - krb5_const krb5_keyblock *key, krb5_keyusage usage, - krb5_const krb5_data *input, krb5_checksum *cksum)); + (krb5_context context, krb5_cksumtype cksumtype, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *input, krb5_checksum *cksum); krb5_error_code KRB5_CALLCONV krb5_c_verify_checksum - KRB5_PROTOTYPE((krb5_context context, - krb5_const krb5_keyblock *key, krb5_keyusage usage, - krb5_const krb5_data *data, - krb5_const krb5_checksum *cksum, - krb5_boolean *valid)); + (krb5_context context, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *data, + const krb5_checksum *cksum, + krb5_boolean *valid); krb5_error_code KRB5_CALLCONV krb5_c_checksum_length - KRB5_PROTOTYPE((krb5_context context, krb5_cksumtype cksumtype, - size_t *length)); + (krb5_context context, krb5_cksumtype cksumtype, + size_t *length); krb5_error_code KRB5_CALLCONV krb5_c_keyed_checksum_types - KRB5_PROTOTYPE((krb5_context context, krb5_enctype enctype, - unsigned int *count, krb5_cksumtype **cksumtypes)); + (krb5_context context, krb5_enctype enctype, + unsigned int *count, krb5_cksumtype **cksumtypes); #define KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS 1 #define KRB5_KEYUSAGE_KDC_REP_TICKET 2 
@@ -607,30 +636,31 @@ krb5_error_code KRB5_CALLCONV #define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26 #define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27 - krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype - (krb5_enctype ktype); - -#define valid_enctype(k) krb5_c_valid_enctype(k) - + (krb5_enctype ktype); krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype - (krb5_cksumtype ctype); - -#define valid_cksumtype(c) krb5_c_valid_cksumtype(c) - + (krb5_cksumtype ctype); krb5_boolean KRB5_CALLCONV krb5_c_is_coll_proof_cksum - (krb5_const krb5_cksumtype ctype); - -#define is_coll_proof_cksum(c) krb5_c_is_coll_proof_cksum(c) - + (krb5_cksumtype ctype); krb5_boolean KRB5_CALLCONV krb5_c_is_keyed_cksum - (krb5_const krb5_cksumtype ctype); - -#define is_keyed_cksum(c) krb5_c_is_keyed_cksum(c) + (krb5_cksumtype ctype); + + +#if KRB5_PRIVATE +/* Use the above four instead. */ +krb5_boolean KRB5_CALLCONV valid_enctype + (krb5_enctype ktype); +krb5_boolean KRB5_CALLCONV valid_cksumtype + (krb5_cksumtype ctype); +krb5_boolean KRB5_CALLCONV is_coll_proof_cksum + (krb5_cksumtype ctype); +krb5_boolean KRB5_CALLCONV is_keyed_cksum + (krb5_cksumtype ctype); +#endif -krb5_boolean KRB5_CALLCONV is_in_keytype - (krb5_const krb5_enctype *keytype, - int numkeytypes, krb5_enctype enctype); +/* #ifdef KRB5_OLD_CRYPTO + * this mit block removed for Solaris Kerberos +#endif KRB5_OLD_CRYPTO */ /* * end "encryption.h" @@ -870,6 +900,11 @@ krb5_boolean KRB5_CALLCONV is_in_keytype #define KRB5_KPASSWD_HARDERROR 2 #define KRB5_KPASSWD_AUTHERROR 3 #define KRB5_KPASSWD_SOFTERROR 4 +/* These are Microsoft's extensions in RFC 3244, and it looks like + they'll become standardized, possibly with other additions. */ +#define KRB5_KPASSWD_ACCESSDENIED 5 /* unused */ +#define KRB5_KPASSWD_BAD_VERSION 6 +#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 /* unused */ /* * end "proto.h" 
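Review bot: In the `@@ -607,30 +636,31 @@` hunk, the short names `valid_enctype`, `valid_cksumtype`, `is_coll_proof_cksum` and `is_keyed_cksum` change from always-defined macros to prototypes visible only under `#if KRB5_PRIVATE`. A consumer built without `KRB5_PRIVATE` that still calls them gets no prototype, which older C compilers accept as an implicit `int`-returning declaration instead of reporting an error. The comment `/* Use the above four instead. */` could state this, for example `/* Deprecated aliases, declared only for KRB5_PRIVATE builds; new code calls the krb5_c_* forms above. */`. The comment that replaces the removed `KRB5_OLD_CRYPTO` block embeds `#ifdef`/`#endif` text inside a C comment and reads like live preprocessor lines; a plain sentence would be clearer.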
@@ -1067,33 +1102,6 @@ typedef struct _krb5_response { krb5_timestamp request_time; /* When we made the request */ } krb5_response; -typedef struct _krb5_safe { - krb5_magic magic; - krb5_data user_data; /* user data */ - krb5_timestamp timestamp; /* client time, optional */ - krb5_int32 usec; /* microsecond portion of time, - optional */ - krb5_ui_4 seq_number; /* sequence #, optional */ - krb5_address *s_address; /* sender address */ - krb5_address *r_address; /* recipient address, optional */ - krb5_checksum *checksum; /* data integrity checksum */ -} krb5_safe; - -typedef struct _krb5_priv { - krb5_magic magic; - krb5_enc_data enc_part; /* encrypted part */ -} krb5_priv; - -typedef struct _krb5_priv_enc_part { - krb5_magic magic; - krb5_data user_data; /* user data */ - krb5_timestamp timestamp; /* client time, optional */ - krb5_int32 usec; /* microsecond portion of time, opt. */ - krb5_ui_4 seq_number; /* sequence #, optional */ - krb5_address *s_address; /* sender address */ - krb5_address *r_address; /* recipient address, optional */ -} krb5_priv_enc_part; - typedef struct _krb5_cred_info { krb5_magic magic; krb5_keyblock *session; /* session key used to encrypt */ 
@@ -1183,41 +1191,10 @@ typedef krb5_error_code typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ -typedef struct _krb5_ccache { - krb5_magic magic; - struct _krb5_cc_ops *ops; - krb5_pointer data; -} *krb5_ccache; - -typedef struct _krb5_cc_ops { - krb5_magic magic; - char *prefix; - char * (KRB5_CALLCONV *get_name) KRB5_NPROTOTYPE((krb5_context, krb5_ccache)); - krb5_error_code (KRB5_CALLCONV *resolve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache *, - const char *)); - krb5_error_code (KRB5_CALLCONV *gen_new) KRB5_NPROTOTYPE((krb5_context, krb5_ccache *)); - krb5_error_code (KRB5_CALLCONV *init) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_principal)); - krb5_error_code (KRB5_CALLCONV *destroy) KRB5_NPROTOTYPE((krb5_context, krb5_ccache)); - krb5_error_code (KRB5_CALLCONV *close) KRB5_NPROTOTYPE((krb5_context, krb5_ccache)); - krb5_error_code (KRB5_CALLCONV *store) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_creds *)); - krb5_error_code (KRB5_CALLCONV *retrieve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_flags, krb5_creds *, - krb5_creds *)); - krb5_error_code (KRB5_CALLCONV *get_princ) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_principal *)); - krb5_error_code (KRB5_CALLCONV *get_first) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_cc_cursor *)); - krb5_error_code (KRB5_CALLCONV *get_next) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_cc_cursor *, krb5_creds *)); - krb5_error_code (KRB5_CALLCONV *end_get) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_cc_cursor *)); - krb5_error_code (KRB5_CALLCONV *remove_cred) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_flags, krb5_creds *)); - krb5_error_code (KRB5_CALLCONV *set_flags) KRB5_NPROTOTYPE((krb5_context, krb5_ccache, - krb5_flags)); -} krb5_cc_ops; +struct _krb5_ccache; +typedef struct _krb5_ccache *krb5_ccache; +struct _krb5_cc_ops; +typedef struct _krb5_cc_ops krb5_cc_ops; /* for retrieve_cred */ #define KRB5_TC_MATCH_TIMES 0x00000001 
@@ -1233,23 +1210,60 @@ typedef struct _krb5_cc_ops { /* for set_flags and other functions */ #define KRB5_TC_OPENCLOSE 0x00000001 +#define KRB5_TC_NOTICKET 0x00000002 + + + +krb5_error_code KRB5_CALLCONV +krb5_cc_gen_new (krb5_context context, krb5_ccache *cache); + +krb5_error_code KRB5_CALLCONV +krb5_cc_initialize(krb5_context context, krb5_ccache cache, + krb5_principal principal); + +krb5_error_code KRB5_CALLCONV +krb5_cc_destroy (krb5_context context, krb5_ccache cache); + +krb5_error_code KRB5_CALLCONV +krb5_cc_close (krb5_context context, krb5_ccache cache); + +krb5_error_code KRB5_CALLCONV +krb5_cc_store_cred (krb5_context context, krb5_ccache cache, + krb5_creds *creds); + +krb5_error_code KRB5_CALLCONV +krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache, + krb5_flags flags, krb5_creds *mcreds, + krb5_creds *creds); + +krb5_error_code KRB5_CALLCONV +krb5_cc_get_principal (krb5_context context, krb5_ccache cache, + krb5_principal *principal); +krb5_error_code KRB5_CALLCONV +krb5_cc_start_seq_get (krb5_context context, krb5_ccache cache, + krb5_cc_cursor *cursor); + +krb5_error_code KRB5_CALLCONV +krb5_cc_next_cred (krb5_context context, krb5_ccache cache, + krb5_cc_cursor *cursor, krb5_creds *creds); + +krb5_error_code KRB5_CALLCONV +krb5_cc_end_seq_get (krb5_context context, krb5_ccache cache, + krb5_cc_cursor *cursor); + +krb5_error_code KRB5_CALLCONV +krb5_cc_remove_cred (krb5_context context, krb5_ccache cache, krb5_flags flags, + krb5_creds *creds); -#define krb5_cc_initialize(context, cache, principal) krb5_x((cache)->ops->init,(context, cache, principal)) -#define krb5_cc_gen_new(context, cache) krb5_x((*cache)->ops->gen_new,(context, cache)) -#define krb5_cc_destroy(context, cache) krb5_x((cache)->ops->destroy,(context, cache)) -#define krb5_cc_close(context, cache) krb5_x((cache)->ops->close,(context, cache)) -#define krb5_cc_store_cred(context, cache, creds) krb5_x((cache)->ops->store,(context, cache, creds)) -#define 
krb5_cc_retrieve_cred(context, cache, flags, mcreds, creds) krb5_x((cache)->ops->retrieve,(context, cache, flags, mcreds, creds)) -#define krb5_cc_get_principal(context, cache, principal) krb5_x((cache)->ops->get_princ,(context, cache, principal)) -#define krb5_cc_start_seq_get(context, cache, cursor) krb5_x((cache)->ops->get_first,(context, cache, cursor)) -#define krb5_cc_next_cred(context, cache, cursor, creds) krb5_x((cache)->ops->get_next,(context, cache, cursor, creds)) -#define krb5_cc_end_seq_get(context, cache, cursor) krb5_x((cache)->ops->end_get,(context, cache, cursor)) -#define krb5_cc_remove_cred(context, cache, flags, creds) krb5_x((cache)->ops->remove_cred,(context, cache,flags, creds)) -#define krb5_cc_set_flags(context, cache, flags) krb5_x((cache)->ops->set_flags,(context, cache, flags)) -#define krb5_cc_get_name(context, cache) krb5_xc((cache)->ops->get_name,(context, cache)) -#define krb5_cc_get_type(context, cache) ((cache)->ops->prefix) - -extern krb5_cc_ops *krb5_cc_dfl_ops; +krb5_error_code KRB5_CALLCONV +krb5_cc_set_flags (krb5_context context, krb5_ccache cache, krb5_flags flags); + +const char * KRB5_CALLCONV +krb5_cc_get_type (krb5_context context, krb5_ccache cache); + +/* SUNW14resync - add_cred.c needs this func */ +const char * KRB5_CALLCONV +krb5_cc_get_name (krb5_context context, krb5_ccache cache); /* * end "ccache.h" 
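Review bot: `krb5_cc_get_type` and `krb5_cc_get_name` are now real functions returning `const char *`, but nothing on the prototypes says who owns the returned string or how long it stays valid. The macro being replaced returned `(cache)->ops->prefix` directly, so the type string was presumably never the caller's to free. Once confirmed against the implementation, a comment such as `/* returned string is owned by the cache; do not free, not valid after krb5_cc_close or krb5_cc_destroy */` would prevent double frees and stale reads. The new `KRB5_TC_NOTICKET` flag is also added without a comment saying which calls honour it.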
@@ -1259,74 +1273,8 @@ extern krb5_cc_ops *krb5_cc_dfl_ops; * begin "rcache.h" */ -typedef struct krb5_rc_st { - krb5_magic magic; - struct _krb5_rc_ops *ops; - krb5_pointer data; -} *krb5_rcache; - -typedef struct _krb5_donot_replay { - krb5_magic magic; - char *server; /* null-terminated */ - char *client; /* null-terminated */ - krb5_int32 cusec; - krb5_timestamp ctime; -} krb5_donot_replay; - -typedef struct _krb5_rc_ops { - krb5_magic magic; - char *type; - krb5_error_code (KRB5_CALLCONV *init) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache,krb5_deltat)); /* create */ - krb5_error_code (KRB5_CALLCONV *recover) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache)); /* open */ - krb5_error_code (KRB5_CALLCONV *destroy) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache)); - krb5_error_code (KRB5_CALLCONV *close) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache)); - krb5_error_code (KRB5_CALLCONV *store) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache,krb5_donot_replay *)); - krb5_error_code (KRB5_CALLCONV *expunge) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache)); - krb5_error_code (KRB5_CALLCONV *get_span) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache,krb5_deltat *)); - char *(KRB5_CALLCONV *get_name) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache)); - krb5_error_code (KRB5_CALLCONV *resolve) - KRB5_NPROTOTYPE((krb5_context, krb5_rcache, char *)); -} krb5_rc_ops; - -krb5_error_code krb5_rc_resolve - KRB5_PROTOTYPE((krb5_context, krb5_rcache id, char *name)); -krb5_error_code krb5_rc_default - KRB5_PROTOTYPE((krb5_context, - krb5_rcache *)); -krb5_error_code krb5_rc_register_type - KRB5_PROTOTYPE((krb5_context, - krb5_rc_ops *)); -krb5_error_code krb5_rc_resolve_full - KRB5_PROTOTYPE((krb5_context, - krb5_rcache *,char *)); -char * krb5_rc_get_type - KRB5_PROTOTYPE((krb5_context, - krb5_rcache)); -char * krb5_rc_default_name - KRB5_PROTOTYPE((krb5_context)); -krb5_error_code krb5_auth_to_rep - KRB5_PROTOTYPE((krb5_context, - krb5_tkt_authent *, - krb5_donot_replay *)); - -#define 
krb5_rc_initialize(context, id, span) krb5_x((id)->ops->init,(context, id, span)) -#define krb5_rc_recover(context, id) krb5_x((id)->ops->recover,(context, id)) -#define krb5_rc_destroy(context, id) krb5_x((id)->ops->destroy,(context, id)) -#define krb5_rc_close(context, id) krb5_x((id)->ops->close,(context, id)) -#define krb5_rc_store(context, id, dontreplay) krb5_x((id)->ops->store,(context, id, dontreplay)) -#define krb5_rc_expunge(context, id) krb5_x((id)->ops->expunge,(context, id)) -#define krb5_rc_get_lifespan(context, id, spanp) krb5_x((id)->ops->get_span,(context, id, spanp)) -#define krb5_rc_get_name(context, id) krb5_xc((id)->ops->get_name,(context, id)) - -extern krb5_rc_ops *krb5_rc_dfl_ops; +struct krb5_rc_st; +typedef struct krb5_rc_st *krb5_rcache; /* * end "rcache.h" 
@@ -1350,76 +1298,38 @@ typedef struct krb5_keytab_entry_st { krb5_keyblock key; /* the secret key */ } krb5_keytab_entry; - -typedef struct _krb5_kt { +#if KRB5_PRIVATE +struct _krb5_kt_ops; +typedef struct _krb5_kt { /* should move into k5-int.h */ krb5_magic magic; - struct _krb5_kt_ops *ops; + const struct _krb5_kt_ops *ops; krb5_pointer data; -} *krb5_keytab; - - -typedef struct _krb5_kt_ops { - krb5_magic magic; - char *prefix; - /* routines always present */ - krb5_error_code (KRB5_CALLCONV *resolve) - (krb5_context, - krb5_const char *, - krb5_keytab *); - krb5_error_code (KRB5_CALLCONV *get_name) - (krb5_context, - krb5_keytab, - char *, - int); - krb5_error_code (KRB5_CALLCONV *close) - KRB5_NPROTOTYPE((krb5_context, - krb5_keytab)); - krb5_error_code (KRB5_CALLCONV *get) - KRB5_NPROTOTYPE((krb5_context, - krb5_keytab, - krb5_const_principal, - krb5_kvno, - krb5_enctype, - krb5_keytab_entry *)); - krb5_error_code (KRB5_CALLCONV *start_seq_get) - KRB5_NPROTOTYPE((krb5_context, - krb5_keytab, - krb5_kt_cursor *)); - krb5_error_code (KRB5_CALLCONV *get_next) - KRB5_NPROTOTYPE((krb5_context, - krb5_keytab, - krb5_keytab_entry *, - krb5_kt_cursor *)); - krb5_error_code (KRB5_CALLCONV *end_get) - KRB5_NPROTOTYPE((krb5_context, - krb5_keytab, - krb5_kt_cursor *)); - /* routines to be included on extended version (write routines) */ - krb5_error_code (KRB5_CALLCONV *add) - KRB5_NPROTOTYPE((krb5_context, - krb5_keytab, - krb5_keytab_entry *)); - krb5_error_code (KRB5_CALLCONV *remove) - KRB5_NPROTOTYPE((krb5_context, - krb5_keytab, - krb5_keytab_entry *)); - - /* Handle for serializer */ - void * serializer; -} krb5_kt_ops; - -#define krb5_kt_get_type(context, keytab) ((keytab)->ops->prefix) -#define krb5_kt_get_name(context, keytab, name, namelen) krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen)) -#define krb5_kt_close(context, keytab) krb5_x((keytab)->ops->close,(context, keytab)) -#define krb5_kt_get_entry(context, keytab, principal, vno, enctype, 
entry) krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype, entry)) -#define krb5_kt_start_seq_get(context, keytab, cursor) krb5_x((keytab)->ops->start_seq_get,(context, keytab, cursor)) -#define krb5_kt_next_entry(context, keytab, entry, cursor) krb5_x((keytab)->ops->get_next,(context, keytab, entry, cursor)) -#define krb5_kt_end_seq_get(context, keytab, cursor) krb5_x((keytab)->ops->end_get,(context, keytab, cursor)) -/* remove and add are functions, so that they can return NOWRITE - if not a writable keytab */ - +} *krb5_keytab; +#else +struct _krb5_kt; +typedef struct _krb5_kt *krb5_keytab; +#endif -extern krb5_kt_ops krb5_kt_dfl_ops; +char * KRB5_CALLCONV +krb5_kt_get_type (krb5_context, krb5_keytab keytab); +krb5_error_code KRB5_CALLCONV +krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name, + unsigned int namelen); +krb5_error_code KRB5_CALLCONV +krb5_kt_close(krb5_context context, krb5_keytab keytab); +krb5_error_code KRB5_CALLCONV +krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, + krb5_const_principal principal, krb5_kvno vno, + krb5_enctype enctype, krb5_keytab_entry *entry); +krb5_error_code KRB5_CALLCONV +krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, + krb5_kt_cursor *cursor); +krb5_error_code KRB5_CALLCONV +krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, + krb5_keytab_entry *entry, krb5_kt_cursor *cursor); +krb5_error_code KRB5_CALLCONV +krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, + krb5_kt_cursor *cursor); /* * end "keytab.h" 
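Review bot: `krb5_kt_get_type` is declared to return a writable `char *`, although the matching `krb5_cc_get_type` added in this commit returns `const char *` and the `ops` member of `struct _krb5_kt` has just been made `const`. If the function still returns the ops table's `prefix` string, as the removed macro did, callers can write through the pointer into data the struct now declares read-only. Declaring it as `const char * KRB5_CALLCONV krb5_kt_get_type (krb5_context, krb5_keytab keytab);` would match. `krb5_kt_get_name` takes `char *name` with `unsigned int namelen` but does not say whether the result is always NUL-terminated or what is returned when the name does not fit; that belongs in a comment on the prototype.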
@@ -1429,547 +1339,678 @@ extern krb5_kt_ops krb5_kt_dfl_ops; * begin "func-proto.h" */ -krb5_error_code KRB5_CALLCONV krb5_init_context - KRB5_PROTOTYPE((krb5_context *)); -krb5_error_code KRB5_CALLCONV krb5_init_secure_context - KRB5_PROTOTYPE((krb5_context *)); -void KRB5_CALLCONV krb5_free_context - KRB5_PROTOTYPE((krb5_context)); - +/* Solaris Kerberos */ krb5_error_code krb5_init_ef_handle(krb5_context); krb5_error_code krb5_free_ef_handle(krb5_context); krb5_boolean krb5_privacy_allowed(void); +/* + * Solaris Kerberos: + * krb5_copy_keyblock_data is a new routine to hide the details + * of a keyblock copy operation. + */ +krb5_error_code KRB5_CALLCONV krb5_copy_keyblock_data + (krb5_context, + const krb5_keyblock *, + krb5_keyblock *); + + + +krb5_error_code KRB5_CALLCONV krb5_init_context + (krb5_context *); +krb5_error_code KRB5_CALLCONV krb5_init_secure_context + (krb5_context *); +void KRB5_CALLCONV krb5_free_context + (krb5_context); + +#if KRB5_PRIVATE krb5_error_code krb5_set_default_in_tkt_ktypes - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_enctype *)); + (krb5_context, + const krb5_enctype *); krb5_error_code krb5_get_default_in_tkt_ktypes - KRB5_PROTOTYPE((krb5_context, - krb5_enctype **)); + (krb5_context, + krb5_enctype **); krb5_error_code krb5_set_default_tgs_ktypes - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_enctype *)); + (krb5_context, + const krb5_enctype *); +#endif + krb5_error_code KRB5_CALLCONV krb5_set_default_tgs_enctypes (krb5_context, - krb5_const krb5_enctype *); + const krb5_enctype *); +#if KRB5_PRIVATE krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes - KRB5_PROTOTYPE((krb5_context, - krb5_const_principal, - krb5_enctype **)); + (krb5_context, + krb5_const_principal, + krb5_enctype **); +#endif + +krb5_error_code KRB5_CALLCONV krb5_get_permitted_enctypes + (krb5_context, krb5_enctype **); -krb5_error_code krb5_get_permitted_enctypes - KRB5_PROTOTYPE((krb5_context, krb5_enctype **)); +#if KRB5_PRIVATE void 
KRB5_CALLCONV krb5_free_ktypes - KRB5_PROTOTYPE ((krb5_context, krb5_enctype *)); + (krb5_context, krb5_enctype *); krb5_boolean krb5_is_permitted_enctype - KRB5_PROTOTYPE((krb5_context, krb5_enctype)); + (krb5_context, krb5_enctype); +#endif + +krb5_boolean KRB5_CALLCONV krb5_is_thread_safe(void); /* libkrb.spec */ +#if KRB5_PRIVATE krb5_error_code krb5_kdc_rep_decrypt_proc - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_keyblock *, - krb5_const_pointer, - krb5_kdc_rep * )); -krb5_error_code krb5_decrypt_tkt_part - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_keyblock *, - krb5_ticket * )); + (krb5_context, + const krb5_keyblock *, + krb5_const_pointer, + krb5_kdc_rep * ); +krb5_error_code KRB5_CALLCONV krb5_decrypt_tkt_part + (krb5_context, + const krb5_keyblock *, + krb5_ticket * ); krb5_error_code krb5_get_cred_from_kdc - KRB5_PROTOTYPE((krb5_context, - krb5_ccache, /* not const, as reading may save + (krb5_context, + krb5_ccache, /* not const, as reading may save state */ - krb5_creds *, - krb5_creds **, - krb5_creds *** )); + krb5_creds *, + krb5_creds **, + krb5_creds *** ); krb5_error_code krb5_get_cred_from_kdc_validate - KRB5_PROTOTYPE((krb5_context, - krb5_ccache, /* not const, as reading may save + (krb5_context, + krb5_ccache, /* not const, as reading may save state */ - krb5_creds *, - krb5_creds **, - krb5_creds *** )); + krb5_creds *, + krb5_creds **, + krb5_creds *** ); krb5_error_code krb5_get_cred_from_kdc_renew - KRB5_PROTOTYPE((krb5_context, - krb5_ccache, /* not const, as reading may save + (krb5_context, + krb5_ccache, /* not const, as reading may save state */ - krb5_creds *, - krb5_creds **, - krb5_creds *** )); + krb5_creds *, + krb5_creds **, + krb5_creds *** ); +#endif + void KRB5_CALLCONV krb5_free_tgt_creds - KRB5_PROTOTYPE((krb5_context, - krb5_creds ** )); /* XXX too hard to do with const */ + (krb5_context, + krb5_creds **); /* XXX too hard to do with const */ #define KRB5_GC_USER_USER 1 /* want user-user ticket */ #define 
KRB5_GC_CACHED 2 /* want cached ticket only */ krb5_error_code KRB5_CALLCONV krb5_get_credentials - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_flags, - krb5_ccache, - krb5_creds *, - krb5_creds * *)); + (krb5_context, + krb5_flags, + krb5_ccache, + krb5_creds *, + krb5_creds **); krb5_error_code KRB5_CALLCONV krb5_get_credentials_validate - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_flags, - krb5_ccache, - krb5_creds *, - krb5_creds * *)); + (krb5_context, + krb5_flags, + krb5_ccache, + krb5_creds *, + krb5_creds **); krb5_error_code KRB5_CALLCONV krb5_get_credentials_renew - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_flags, - krb5_ccache, - krb5_creds *, - krb5_creds * *)); + (krb5_context, + krb5_flags, + krb5_ccache, + krb5_creds *, + krb5_creds **); +#if KRB5_PRIVATE krb5_error_code krb5_get_cred_via_tkt - KRB5_PROTOTYPE((krb5_context, - krb5_creds *, - krb5_const krb5_flags, - krb5_address * krb5_const *, - krb5_creds *, - krb5_creds **)); + (krb5_context, + krb5_creds *, + krb5_flags, + krb5_address * const *, + krb5_creds *, + krb5_creds **); +#endif krb5_error_code KRB5_CALLCONV krb5_mk_req - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context *, - krb5_const krb5_flags, + krb5_flags, char *, char *, krb5_data *, krb5_ccache, - krb5_data * )); + krb5_data * ); krb5_error_code KRB5_CALLCONV krb5_mk_req_extended - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context *, - krb5_const krb5_flags, - krb5_data *, - krb5_creds *, - krb5_data * )); + (krb5_context, + krb5_auth_context *, + krb5_flags, + krb5_data *, + krb5_creds *, + krb5_data * ); krb5_error_code KRB5_CALLCONV krb5_mk_rep - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_data *)); + krb5_data *); krb5_error_code KRB5_CALLCONV krb5_rd_rep - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_const krb5_data *, - krb5_ap_rep_enc_part * *)); + (krb5_context, + krb5_auth_context, + const krb5_data *, + krb5_ap_rep_enc_part **); krb5_error_code 
KRB5_CALLCONV krb5_mk_error - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_error *, - krb5_data * )); + (krb5_context, + const krb5_error *, + krb5_data * ); krb5_error_code KRB5_CALLCONV krb5_rd_error - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_data *, - krb5_error * * )); + (krb5_context, + const krb5_data *, + krb5_error ** ); krb5_error_code KRB5_CALLCONV krb5_rd_safe - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_const krb5_data *, + const krb5_data *, krb5_data *, - krb5_replay_data *)); + krb5_replay_data *); krb5_error_code KRB5_CALLCONV krb5_rd_priv - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_const krb5_data *, + const krb5_data *, krb5_data *, - krb5_replay_data *)); + krb5_replay_data *); krb5_error_code KRB5_CALLCONV krb5_parse_name - KRB5_PROTOTYPE((krb5_context, - krb5_const char *, - krb5_principal * )); + (krb5_context, + const char *, + krb5_principal * ); krb5_error_code KRB5_CALLCONV krb5_unparse_name - KRB5_PROTOTYPE((krb5_context, - krb5_const_principal, - char * * )); + (krb5_context, + krb5_const_principal, + char ** ); krb5_error_code KRB5_CALLCONV krb5_unparse_name_ext - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_const_principal, - char * *, - int *)); + char **, + unsigned int *); krb5_error_code KRB5_CALLCONV krb5_set_principal_realm - KRB5_PROTOTYPE((krb5_context, krb5_principal, const char *)); - -krb5_boolean krb5_address_search - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_address *, - krb5_address * krb5_const *)); -krb5_boolean krb5_address_compare - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_address *, - krb5_const krb5_address *)); -int krb5_address_order - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_address *, - krb5_const krb5_address *)); -krb5_boolean krb5_realm_compare - KRB5_PROTOTYPE((krb5_context, - krb5_const_principal, - krb5_const_principal)); - krb5_boolean KRB5_CALLCONV krb5_principal_compare - KRB5_PROTOTYPE((krb5_context, - 
krb5_const_principal, - krb5_const_principal)); + (krb5_context, krb5_principal, const char *); + +krb5_boolean KRB5_CALLCONV_WRONG krb5_address_search + (krb5_context, + const krb5_address *, + krb5_address * const *); +krb5_boolean KRB5_CALLCONV krb5_address_compare + (krb5_context, + const krb5_address *, + const krb5_address *); +int KRB5_CALLCONV krb5_address_order + (krb5_context, + const krb5_address *, + const krb5_address *); +krb5_boolean KRB5_CALLCONV krb5_realm_compare + (krb5_context, + krb5_const_principal, + krb5_const_principal); +krb5_boolean KRB5_CALLCONV krb5_principal_compare + (krb5_context, + krb5_const_principal, + krb5_const_principal); +krb5_error_code KRB5_CALLCONV krb5_init_keyblock + (krb5_context, krb5_enctype enctype, + size_t length, krb5_keyblock **out); + /* Initialize a new keyblock and allocate storage + * for the contents of the key, which will be freed along + * with the keyblock when krb5_free_keyblock is called. + * It is legal to pass in a length of 0, in which + * case contents are left unallocated. + */ krb5_error_code KRB5_CALLCONV krb5_copy_keyblock - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_keyblock *, - krb5_keyblock * *)); + (krb5_context, + const krb5_keyblock *, + krb5_keyblock **); krb5_error_code KRB5_CALLCONV krb5_copy_keyblock_contents - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_keyblock *, - krb5_keyblock *)); -/* - * Solaris Kerberos: - * krb5_copy_keyblock_data is a new routine to hide the details - * of a keyblock copy operation. 
- */ -krb5_error_code KRB5_CALLCONV krb5_copy_keyblock_data - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_keyblock *, - krb5_keyblock *)); + (krb5_context, + const krb5_keyblock *, + krb5_keyblock *); krb5_error_code KRB5_CALLCONV krb5_copy_creds - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_creds *, - krb5_creds * *)); + (krb5_context, + const krb5_creds *, + krb5_creds **); krb5_error_code KRB5_CALLCONV krb5_copy_data - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_data *, - krb5_data * *)); + (krb5_context, + const krb5_data *, + krb5_data **); krb5_error_code KRB5_CALLCONV krb5_copy_principal - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_const_principal, - krb5_principal *)); + krb5_principal *); +#if KRB5_PRIVATE krb5_error_code KRB5_CALLCONV krb5_copy_addr - KRB5_PROTOTYPE((krb5_context, + (krb5_context, const krb5_address *, - krb5_address * *)); + krb5_address **); +#endif krb5_error_code KRB5_CALLCONV krb5_copy_addresses - KRB5_PROTOTYPE((krb5_context, - krb5_address * krb5_const *, - krb5_address * * *)); + (krb5_context, + krb5_address * const *, + krb5_address ***); krb5_error_code KRB5_CALLCONV krb5_copy_ticket - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_ticket *, - krb5_ticket * *)); + (krb5_context, + const krb5_ticket *, + krb5_ticket **); krb5_error_code KRB5_CALLCONV krb5_copy_authdata - KRB5_PROTOTYPE((krb5_context, - krb5_authdata * krb5_const *, - krb5_authdata * * *)); + (krb5_context, + krb5_authdata * const *, + krb5_authdata ***); krb5_error_code KRB5_CALLCONV krb5_copy_authenticator - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_authenticator *, - krb5_authenticator * *)); + (krb5_context, + const krb5_authenticator *, + krb5_authenticator **); krb5_error_code KRB5_CALLCONV krb5_copy_checksum - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_checksum *, - krb5_checksum * *)); + (krb5_context, + const krb5_checksum *, + krb5_checksum **); +#if KRB5_PRIVATE void krb5_init_ets - KRB5_PROTOTYPE((krb5_context)); + 
(krb5_context); void krb5_free_ets - KRB5_PROTOTYPE((krb5_context)); + (krb5_context); krb5_error_code krb5_generate_subkey - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_keyblock *, krb5_keyblock **)); + (krb5_context, + const krb5_keyblock *, krb5_keyblock **); krb5_error_code krb5_generate_seq_number - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_keyblock *, krb5_int32 *)); + (krb5_context, + const krb5_keyblock *, krb5_ui_4 *); +#endif krb5_error_code KRB5_CALLCONV krb5_get_server_rcache - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_data *, krb5_rcache *)); + (krb5_context, + const krb5_data *, krb5_rcache *); krb5_error_code KRB5_CALLCONV_C krb5_build_principal_ext - KRB5_STDARG_P((krb5_context, krb5_principal *, int, krb5_const char *, ...)); -krb5_error_code krb5_build_principal - KRB5_STDARG_P((krb5_context, krb5_principal *, int, krb5_const char *, ...)); + (krb5_context, krb5_principal *, unsigned int, const char *, ...); +krb5_error_code KRB5_CALLCONV_C krb5_build_principal + (krb5_context, krb5_principal *, unsigned int, const char *, ...); #ifdef va_start /* XXX depending on varargs include file defining va_start... 
*/ -krb5_error_code krb5_build_principal_va - KRB5_PROTOTYPE((krb5_context, - krb5_principal *, int, krb5_const char *, va_list)); +krb5_error_code KRB5_CALLCONV krb5_build_principal_va + (krb5_context, + krb5_principal, unsigned int, const char *, va_list); #endif krb5_error_code KRB5_CALLCONV krb5_425_conv_principal - KRB5_PROTOTYPE((krb5_context, - krb5_const char *name, - krb5_const char *instance, krb5_const char *realm, - krb5_principal *princ)); + (krb5_context, + const char *name, + const char *instance, const char *realm, + krb5_principal *princ); krb5_error_code KRB5_CALLCONV krb5_524_conv_principal - KRB5_PROTOTYPE((krb5_context context, krb5_const krb5_principal princ, - char *name, char *inst, char *realm)); + (krb5_context context, krb5_const_principal princ, + char *name, char *inst, char *realm); + +struct credentials; +int KRB5_CALLCONV krb5_524_convert_creds + (krb5_context context, krb5_creds *v5creds, + struct credentials *v4creds); +#if KRB5_DEPRECATED +#define krb524_convert_creds_kdc krb5_524_convert_creds +#define krb524_init_ets(x) (0) +#endif /* libkt.spec */ +#if KRB5_PRIVATE krb5_error_code KRB5_CALLCONV krb5_kt_register - KRB5_PROTOTYPE((krb5_context, - krb5_kt_ops * )); + (krb5_context, + const struct _krb5_kt_ops * ); +#endif + krb5_error_code KRB5_CALLCONV krb5_kt_resolve - KRB5_PROTOTYPE((krb5_context, - krb5_const char *, - krb5_keytab * )); + (krb5_context, + const char *, + krb5_keytab * ); krb5_error_code KRB5_CALLCONV krb5_kt_default_name - KRB5_PROTOTYPE((krb5_context, + (krb5_context, char *, - int )); + int ); krb5_error_code KRB5_CALLCONV krb5_kt_default - KRB5_PROTOTYPE((krb5_context, - krb5_keytab * )); + (krb5_context, + krb5_keytab * ); +krb5_error_code KRB5_CALLCONV krb5_free_keytab_entry_contents + (krb5_context, + krb5_keytab_entry * ); +#if KRB5_PRIVATE +/* use krb5_free_keytab_entry_contents instead */ krb5_error_code KRB5_CALLCONV krb5_kt_free_entry - KRB5_PROTOTYPE((krb5_context, - krb5_keytab_entry * )); + 
(krb5_context, + krb5_keytab_entry * ); +#endif /* remove and add are functions, so that they can return NOWRITE if not a writable keytab */ krb5_error_code KRB5_CALLCONV krb5_kt_remove_entry - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_keytab_entry * )); + krb5_keytab_entry * ); krb5_error_code KRB5_CALLCONV krb5_kt_add_entry - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_keytab, - krb5_keytab_entry * )); -krb5_error_code krb5_principal2salt - KRB5_PROTOTYPE((krb5_context, - krb5_const_principal, krb5_data *)); + krb5_keytab_entry * ); +krb5_error_code KRB5_CALLCONV_WRONG krb5_principal2salt + (krb5_context, + krb5_const_principal, krb5_data *); +#if KRB5_PRIVATE krb5_error_code krb5_principal2salt_norealm - KRB5_PROTOTYPE((krb5_context, - krb5_const_principal, krb5_data *)); - + (krb5_context, + krb5_const_principal, krb5_data *); +#endif /* librc.spec--see rcache.h */ /* libcc.spec */ krb5_error_code KRB5_CALLCONV krb5_cc_resolve - KRB5_PROTOTYPE((krb5_context, - const char *, - krb5_ccache * )); - const char * KRB5_CALLCONV krb5_cc_default_name - KRB5_PROTOTYPE((krb5_context)); + (krb5_context, + const char *, + krb5_ccache * ); +const char * KRB5_CALLCONV krb5_cc_default_name + (krb5_context); krb5_error_code KRB5_CALLCONV krb5_cc_set_default_name - KRB5_PROTOTYPE((krb5_context, const char *)); + (krb5_context, const char *); krb5_error_code KRB5_CALLCONV krb5_cc_default - KRB5_PROTOTYPE((krb5_context, - krb5_ccache *)); - unsigned int KRB5_CALLCONV krb5_get_notification_message - KRB5_PROTOTYPE((void)); + (krb5_context, + krb5_ccache *); +#if KRB5_PRIVATE +unsigned int KRB5_CALLCONV krb5_get_notification_message + (void); +#endif krb5_error_code KRB5_CALLCONV krb5_cc_copy_creds - KRB5_PROTOTYPE((krb5_context context, + (krb5_context context, krb5_ccache incc, - krb5_ccache outcc)); + krb5_ccache outcc); -krb5_error_code krb5_cc_generate_new - KRB5_PROTOTYPE((krb5_context, - krb5_cc_ops *, - krb5_ccache * )); /* chk_trans.c */ 
+#if KRB5_PRIVATE krb5_error_code krb5_check_transited_list - KRB5_PROTOTYPE((krb5_context, - krb5_data *trans, const krb5_data *realm1, - const krb5_data *realm2)); + (krb5_context, const krb5_data *trans, + const krb5_data *realm1, const krb5_data *realm2); +#endif /* free_rtree.c */ +#if KRB5_PRIVATE void krb5_free_realm_tree - KRB5_PROTOTYPE((krb5_context, - krb5_principal *)); + (krb5_context, + krb5_principal *); +#endif /* krb5_free.c */ void KRB5_CALLCONV krb5_free_principal - KRB5_PROTOTYPE((krb5_context, krb5_principal )); + (krb5_context, krb5_principal ); void KRB5_CALLCONV krb5_free_authenticator - KRB5_PROTOTYPE((krb5_context, krb5_authenticator * )); + (krb5_context, krb5_authenticator * ); +#if KRB5_PRIVATE void KRB5_CALLCONV krb5_free_authenticator_contents - KRB5_PROTOTYPE((krb5_context, krb5_authenticator * )); + (krb5_context, krb5_authenticator * ); +#endif void KRB5_CALLCONV krb5_free_addresses - KRB5_PROTOTYPE((krb5_context, krb5_address * * )); + (krb5_context, krb5_address ** ); +#if KRB5_PRIVATE void KRB5_CALLCONV krb5_free_address - KRB5_PROTOTYPE((krb5_context, krb5_address * )); + (krb5_context, krb5_address * ); +#endif void KRB5_CALLCONV krb5_free_authdata - KRB5_PROTOTYPE((krb5_context, krb5_authdata * * )); + (krb5_context, krb5_authdata ** ); +#if KRB5_PRIVATE void KRB5_CALLCONV krb5_free_enc_tkt_part - KRB5_PROTOTYPE((krb5_context, krb5_enc_tkt_part * )); + (krb5_context, krb5_enc_tkt_part * ); +#endif void KRB5_CALLCONV krb5_free_ticket - KRB5_PROTOTYPE((krb5_context, krb5_ticket * )); + (krb5_context, krb5_ticket * ); +#if KRB5_PRIVATE void KRB5_CALLCONV krb5_free_tickets - KRB5_PROTOTYPE((krb5_context, krb5_ticket * * )); + (krb5_context, krb5_ticket ** ); void KRB5_CALLCONV krb5_free_kdc_req - KRB5_PROTOTYPE((krb5_context, krb5_kdc_req * )); + (krb5_context, krb5_kdc_req * ); void KRB5_CALLCONV krb5_free_kdc_rep - KRB5_PROTOTYPE((krb5_context, krb5_kdc_rep * )); + (krb5_context, krb5_kdc_rep * ); void KRB5_CALLCONV 
krb5_free_last_req - KRB5_PROTOTYPE((krb5_context, krb5_last_req_entry * * )); + (krb5_context, krb5_last_req_entry ** ); void KRB5_CALLCONV krb5_free_enc_kdc_rep_part - KRB5_PROTOTYPE((krb5_context, krb5_enc_kdc_rep_part * )); + (krb5_context, krb5_enc_kdc_rep_part * ); +#endif void KRB5_CALLCONV krb5_free_error - KRB5_PROTOTYPE((krb5_context, krb5_error * )); + (krb5_context, krb5_error * ); +#if KRB5_PRIVATE void KRB5_CALLCONV krb5_free_ap_req - KRB5_PROTOTYPE((krb5_context, krb5_ap_req * )); + (krb5_context, krb5_ap_req * ); void KRB5_CALLCONV krb5_free_ap_rep - KRB5_PROTOTYPE((krb5_context, krb5_ap_rep * )); -void KRB5_CALLCONV krb5_free_safe - KRB5_PROTOTYPE((krb5_context, krb5_safe * )); -void KRB5_CALLCONV krb5_free_priv - KRB5_PROTOTYPE((krb5_context, krb5_priv * )); -void KRB5_CALLCONV krb5_free_priv_enc_part - KRB5_PROTOTYPE((krb5_context, krb5_priv_enc_part * )); + (krb5_context, krb5_ap_rep * ); void KRB5_CALLCONV krb5_free_cred - KRB5_PROTOTYPE((krb5_context, krb5_cred *)); + (krb5_context, krb5_cred *); +#endif void KRB5_CALLCONV krb5_free_creds - KRB5_PROTOTYPE((krb5_context, krb5_creds *)); + (krb5_context, krb5_creds *); void KRB5_CALLCONV krb5_free_cred_contents - KRB5_PROTOTYPE((krb5_context, krb5_creds *)); + (krb5_context, krb5_creds *); +#if KRB5_PRIVATE void KRB5_CALLCONV krb5_free_cred_enc_part - KRB5_PROTOTYPE((krb5_context, krb5_cred_enc_part *)); + (krb5_context, krb5_cred_enc_part *); +#endif void KRB5_CALLCONV krb5_free_checksum - KRB5_PROTOTYPE((krb5_context, krb5_checksum *)); + (krb5_context, krb5_checksum *); void KRB5_CALLCONV krb5_free_checksum_contents - KRB5_PROTOTYPE((krb5_context, krb5_checksum *)); + (krb5_context, krb5_checksum *); void KRB5_CALLCONV krb5_free_keyblock - KRB5_PROTOTYPE((krb5_context, krb5_keyblock *)); + (krb5_context, krb5_keyblock *); void KRB5_CALLCONV krb5_free_keyblock_contents - KRB5_PROTOTYPE((krb5_context, krb5_keyblock *)); + (krb5_context, krb5_keyblock *); +#if KRB5_PRIVATE void KRB5_CALLCONV 
krb5_free_pa_data - KRB5_PROTOTYPE((krb5_context, krb5_pa_data * *)); + (krb5_context, krb5_pa_data **); +#endif void KRB5_CALLCONV krb5_free_ap_rep_enc_part - KRB5_PROTOTYPE((krb5_context, krb5_ap_rep_enc_part *)); + (krb5_context, krb5_ap_rep_enc_part *); +#if KRB5_PRIVATE void KRB5_CALLCONV krb5_free_tkt_authent - KRB5_PROTOTYPE((krb5_context, krb5_tkt_authent *)); + (krb5_context, krb5_tkt_authent *); void KRB5_CALLCONV krb5_free_pwd_data - KRB5_PROTOTYPE((krb5_context, krb5_pwd_data *)); + (krb5_context, krb5_pwd_data *); void KRB5_CALLCONV krb5_free_pwd_sequences - KRB5_PROTOTYPE((krb5_context, passwd_phrase_element * *)); + (krb5_context, passwd_phrase_element **); +#endif void KRB5_CALLCONV krb5_free_data - KRB5_PROTOTYPE((krb5_context, krb5_data *)); + (krb5_context, krb5_data *); void KRB5_CALLCONV krb5_free_data_contents - KRB5_PROTOTYPE((krb5_context, krb5_data *)); + (krb5_context, krb5_data *); void KRB5_CALLCONV krb5_free_unparsed_name - KRB5_PROTOTYPE((krb5_context, char *)); + (krb5_context, char *); void KRB5_CALLCONV krb5_free_cksumtypes - KRB5_PROTOTYPE((krb5_context, krb5_cksumtype *)); + (krb5_context, krb5_cksumtype *); /* From krb5/os but needed but by the outside world */ krb5_error_code KRB5_CALLCONV krb5_us_timeofday - KRB5_PROTOTYPE((krb5_context, - krb5_int32 *, - krb5_int32 * )); + (krb5_context, + krb5_int32 *, + krb5_int32 * ); krb5_error_code KRB5_CALLCONV krb5_timeofday - KRB5_PROTOTYPE((krb5_context, - krb5_int32 * )); + (krb5_context, + krb5_int32 * ); /* get all the addresses of this host */ krb5_error_code KRB5_CALLCONV krb5_os_localaddr - KRB5_PROTOTYPE((krb5_context, - krb5_address * * *)); - -int KRB5_CALLCONV foreach_localaddr - KRB5_PROTOTYPE((void *, - int (*pass1fn)(void *, struct sockaddr *), - int (*betweenfn)(void *), - int (*pass2fn)(void *, struct sockaddr *))); + (krb5_context, + krb5_address ***); krb5_error_code KRB5_CALLCONV krb5_get_default_realm - KRB5_PROTOTYPE((krb5_context, - char * * )); + (krb5_context, + 
char ** ); krb5_error_code KRB5_CALLCONV krb5_set_default_realm - KRB5_PROTOTYPE((krb5_context, - krb5_const char * )); + (krb5_context, + const char * ); void KRB5_CALLCONV krb5_free_default_realm - KRB5_PROTOTYPE((krb5_context, - char * )); + (krb5_context, + char * ); krb5_error_code KRB5_CALLCONV krb5_sname_to_principal - KRB5_PROTOTYPE((krb5_context, - krb5_const char *, - krb5_const char *, + (krb5_context, + const char *, + const char *, krb5_int32, - krb5_principal *)); + krb5_principal *); +krb5_error_code KRB5_CALLCONV +krb5_change_password + (krb5_context context, krb5_creds *creds, char *newpw, + int *result_code, krb5_data *result_code_string, + krb5_data *result_string); +krb5_error_code KRB5_CALLCONV +krb5_set_password + (krb5_context context, krb5_creds *creds, char *newpw, krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string); +krb5_error_code KRB5_CALLCONV +krb5_set_password_using_ccache + (krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string); +#if KRB5_PRIVATE krb5_error_code krb5_set_config_files - KRB5_PROTOTYPE ((krb5_context, krb5_const char * *)); - -krb5_error_code krb5_secure_config_files - KRB5_PROTOTYPE ((krb5_context)); + (krb5_context, const char **); krb5_error_code KRB5_CALLCONV krb5_get_default_config_files - KRB5_PROTOTYPE((char ***filenames)); + (char ***filenames); void KRB5_CALLCONV krb5_free_config_files - KRB5_PROTOTYPE((char **filenames)); - -#ifndef _KERNEL -krb5_error_code KRB5_CALLCONV krb5_get_profile - KRB5_PROTOTYPE((krb5_context, profile_t *)); + (char **filenames); #endif +krb5_error_code KRB5_CALLCONV +krb5_get_profile + (krb5_context, struct _profile_t * /* profile_t */ *); + +#if KRB5_PRIVATE krb5_error_code krb5_send_tgs - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_flags, - krb5_const krb5_ticket_times *, - krb5_const krb5_enctype *, - 
krb5_const_principal, - krb5_address * krb5_const *, - krb5_authdata * krb5_const *, - krb5_pa_data * krb5_const *, - krb5_const krb5_data *, - krb5_creds *, - krb5_response * )); + (krb5_context, + krb5_flags, + const krb5_ticket_times *, + const krb5_enctype *, + krb5_const_principal, + krb5_address * const *, + krb5_authdata * const *, + krb5_pa_data * const *, + const krb5_data *, + krb5_creds *, + krb5_response * ); +#endif + +#if KRB5_DEPRECATED +krb5_error_code KRB5_CALLCONV krb5_get_in_tkt + (krb5_context, + krb5_flags, + krb5_address * const *, + krb5_enctype *, + krb5_preauthtype *, + krb5_error_code ( * )(krb5_context, + krb5_enctype, + krb5_data *, + krb5_const_pointer, + krb5_keyblock **), + krb5_const_pointer, + krb5_error_code ( * )(krb5_context, + const krb5_keyblock *, + krb5_const_pointer, + krb5_kdc_rep * ), + krb5_const_pointer, + krb5_creds *, + krb5_ccache, + krb5_kdc_rep ** ); + +krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_password + (krb5_context, + krb5_flags, + krb5_address * const *, + krb5_enctype *, + krb5_preauthtype *, + const char *, + krb5_ccache, + krb5_creds *, + krb5_kdc_rep ** ); + +krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_skey + (krb5_context, + krb5_flags, + krb5_address * const *, + krb5_enctype *, + krb5_preauthtype *, + const krb5_keyblock *, + krb5_ccache, + krb5_creds *, + krb5_kdc_rep ** ); + +krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_keytab + (krb5_context, + krb5_flags, + krb5_address * const *, + krb5_enctype *, + krb5_preauthtype *, + krb5_keytab, + krb5_ccache, + krb5_creds *, + krb5_kdc_rep ** ); +#endif /* KRB5_DEPRECATED */ +#if KRB5_PRIVATE krb5_error_code krb5_decode_kdc_rep - KRB5_PROTOTYPE((krb5_context, - krb5_data *, - krb5_const krb5_keyblock *, - krb5_kdc_rep ** )); + (krb5_context, + krb5_data *, + const krb5_keyblock *, + krb5_kdc_rep ** ); +#endif krb5_error_code KRB5_CALLCONV krb5_rd_req - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context *, - krb5_const 
krb5_data *, + const krb5_data *, krb5_const_principal, krb5_keytab, krb5_flags *, - krb5_ticket * *)); + krb5_ticket **); +#if KRB5_PRIVATE krb5_error_code krb5_rd_req_decoded - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context *, - krb5_const krb5_ap_req *, - krb5_const_principal, - krb5_keytab, - krb5_flags *, - krb5_ticket **)); + (krb5_context, + krb5_auth_context *, + const krb5_ap_req *, + krb5_const_principal, + krb5_keytab, + krb5_flags *, + krb5_ticket **); krb5_error_code krb5_rd_req_decoded_anyflag - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context *, - krb5_const krb5_ap_req *, - krb5_const_principal, - krb5_keytab, - krb5_flags *, - krb5_ticket **)); + (krb5_context, + krb5_auth_context *, + const krb5_ap_req *, + krb5_const_principal, + krb5_keytab, + krb5_flags *, + krb5_ticket **); +#endif krb5_error_code KRB5_CALLCONV krb5_kt_read_service_key - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_pointer, krb5_principal, krb5_kvno, krb5_enctype, - krb5_keyblock * *)); + krb5_keyblock **); krb5_error_code KRB5_CALLCONV krb5_mk_safe - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_const krb5_data *, + const krb5_data *, krb5_data *, - krb5_replay_data *)); + krb5_replay_data *); krb5_error_code KRB5_CALLCONV krb5_mk_priv - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_const krb5_data *, + const krb5_data *, krb5_data *, - krb5_replay_data *)); + krb5_replay_data *); +#if KRB5_PRIVATE krb5_error_code KRB5_CALLCONV krb5_cc_register - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_cc_ops *, - krb5_boolean )); + krb5_boolean ); +#endif -krb5_error_code KRB5_CALLCONV krb5_sendauth - KRB5_PROTOTYPE((krb5_context, +krb5_error_code KRB5_CALLCONV krb5_sendauth + (krb5_context, krb5_auth_context *, krb5_pointer, char *, 
@@ -1979,120 +2020,122 @@ krb5_error_code KRB5_CALLCONV krb5_sendauth krb5_data *, krb5_creds *, krb5_ccache, - krb5_error * *, - krb5_ap_rep_enc_part * *, - krb5_creds * *)); - + krb5_error **, + krb5_ap_rep_enc_part **, + krb5_creds **); + krb5_error_code KRB5_CALLCONV krb5_recvauth - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context *, krb5_pointer, char *, krb5_principal, - krb5_int32, + krb5_int32, krb5_keytab, - krb5_ticket * *)); + krb5_ticket **); krb5_error_code KRB5_CALLCONV krb5_recvauth_version - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context *, krb5_pointer, krb5_principal, - krb5_int32, + krb5_int32, krb5_keytab, - krb5_ticket * *, - krb5_data *)); + krb5_ticket **, + krb5_data *); +#if KRB5_PRIVATE krb5_error_code krb5_walk_realm_tree - KRB5_PROTOTYPE((krb5_context, - krb5_const krb5_data *, - krb5_const krb5_data *, + (krb5_context, + const krb5_data *, + const krb5_data *, krb5_principal **, - int)); + int); +#endif krb5_error_code KRB5_CALLCONV krb5_mk_ncred - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_creds * *, - krb5_data * *, - krb5_replay_data *)); + krb5_creds **, + krb5_data **, + krb5_replay_data *); krb5_error_code KRB5_CALLCONV krb5_mk_1cred - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, krb5_creds *, - krb5_data * *, - krb5_replay_data *)); + krb5_data **, + krb5_replay_data *); krb5_error_code KRB5_CALLCONV krb5_rd_cred - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, krb5_data *, - krb5_creds * * *, - krb5_replay_data *)); + krb5_creds ***, + krb5_replay_data *); krb5_error_code KRB5_CALLCONV krb5_fwd_tgt_creds - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, char *, - krb5_principal, - krb5_principal, + krb5_principal, + krb5_principal, krb5_ccache, int forwardable, - krb5_data *)); + krb5_data *); krb5_error_code KRB5_CALLCONV krb5_auth_con_init - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context *)); + 
(krb5_context, + krb5_auth_context *); krb5_error_code KRB5_CALLCONV krb5_auth_con_free - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context)); + (krb5_context, + krb5_auth_context); krb5_error_code KRB5_CALLCONV krb5_auth_con_setflags - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_int32)); + krb5_int32); krb5_error_code KRB5_CALLCONV krb5_auth_con_getflags - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_int32 *)); + krb5_int32 *); krb5_error_code KRB5_CALLCONV krb5_auth_con_set_checksum_func (krb5_context, krb5_auth_context, - krb5_mk_req_checksum_func, void *); + krb5_mk_req_checksum_func, void *); krb5_error_code KRB5_CALLCONV krb5_auth_con_get_checksum_func( krb5_context, krb5_auth_context, - krb5_mk_req_checksum_func *, void **); - -krb5_error_code krb5_auth_con_setaddrs - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_address *, - krb5_address *)); - -krb5_error_code krb5_auth_con_getaddrs - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_address **, - krb5_address **)); - -krb5_error_code krb5_auth_con_setports - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_address *, - krb5_address *)); + krb5_mk_req_checksum_func *, void **); + +krb5_error_code KRB5_CALLCONV_WRONG krb5_auth_con_setaddrs + (krb5_context, + krb5_auth_context, + krb5_address *, + krb5_address *); + +krb5_error_code KRB5_CALLCONV krb5_auth_con_getaddrs + (krb5_context, + krb5_auth_context, + krb5_address **, + krb5_address **); + +krb5_error_code KRB5_CALLCONV krb5_auth_con_setports + (krb5_context, + krb5_auth_context, + krb5_address *, + krb5_address *); krb5_error_code KRB5_CALLCONV krb5_auth_con_setuseruserkey - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_keyblock *)); + krb5_keyblock *); krb5_error_code KRB5_CALLCONV krb5_auth_con_getkey - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_keyblock **)); + krb5_keyblock **); krb5_error_code 
KRB5_CALLCONV krb5_auth_con_getsendsubkey( krb5_context, krb5_auth_context, krb5_keyblock **); 
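Review bot: `krb5_auth_con_setaddrs` is now declared with `KRB5_CALLCONV_WRONG`, while `krb5_auth_con_getaddrs` and `krb5_auth_con_setports` directly below it get `KRB5_CALLCONV`, and nothing at the declaration says what the marker means or that the asymmetry is deliberate. The same marker appears on `krb5_auth_con_getrcache` in the following hunk and on `krb5_principal2salt` earlier in this file. The macro's definition is outside these hunks, so this is inferred, but a prototype whose convention differs from the implementation's is an ABI mismatch on any platform where these macros expand to something, and a reader cannot rule that out from here. I would add a short comment at each use, for example `/* KRB5_CALLCONV_WRONG is intentional here; see its definition for why */`.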
@@ -2106,69 +2149,84 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_setsendsubkey( krb5_error_code KRB5_CALLCONV krb5_auth_con_setrecvsubkey( krb5_context, krb5_auth_context, krb5_keyblock *); +#if KRB5_DEPRECATED krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_keyblock * *)); + krb5_keyblock **); +krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey + (krb5_context, + krb5_auth_context, + krb5_keyblock **); +#endif + +#if KRB5_PRIVATE krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_cksumtype)); + krb5_cksumtype); krb5_error_code krb5_auth_con_set_safe_cksumtype - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_cksumtype)); - -krb5_error_code krb5_auth_con_getcksumtype - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_cksumtype *)); + (krb5_context, + krb5_auth_context, + krb5_cksumtype); +#endif krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalseqnumber - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_int32 *)); + krb5_int32 *); krb5_error_code KRB5_CALLCONV krb5_auth_con_getremoteseqnumber - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_int32 *)); + krb5_int32 *); -krb5_error_code krb5_auth_con_initivector - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context)); +#if KRB5_DEPRECATED +krb5_error_code KRB5_CALLCONV krb5_auth_con_initivector + (krb5_context, + krb5_auth_context); +#endif +#if KRB5_PRIVATE krb5_error_code krb5_auth_con_setivector - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_pointer)); + (krb5_context, + krb5_auth_context, + krb5_pointer); krb5_error_code krb5_auth_con_getivector - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_pointer *)); + (krb5_context, + krb5_auth_context, + krb5_pointer *); +#endif krb5_error_code KRB5_CALLCONV krb5_auth_con_setrcache - 
KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - krb5_rcache)); - -krb5_error_code krb5_auth_con_getrcache - KRB5_PROTOTYPE((krb5_context, - krb5_auth_context, - krb5_rcache *)); + krb5_rcache); -krb5_error_code KRB5_CALLCONV krb5_auth_con_getauthenticator - KRB5_PROTOTYPE((krb5_context, +krb5_error_code KRB5_CALLCONV_WRONG krb5_auth_con_getrcache + (krb5_context, krb5_auth_context, - krb5_authenticator * *)); + krb5_rcache *); -krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey - KRB5_PROTOTYPE((krb5_context, +#if KRB5_PRIVATE +krb5_error_code krb5_auth_con_setpermetypes + (krb5_context, + krb5_auth_context, + const krb5_enctype *); + +krb5_error_code krb5_auth_con_getpermetypes + (krb5_context, + krb5_auth_context, + krb5_enctype **); +#endif + +krb5_error_code KRB5_CALLCONV krb5_auth_con_getauthenticator + (krb5_context, krb5_auth_context, - krb5_keyblock * *)); + krb5_authenticator **); #define KRB5_REALM_BRANCH_CHAR '.' 
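Review bot: The new `#if KRB5_DEPRECATED` block around `krb5_auth_con_getlocalsubkey` and `krb5_auth_con_getremotesubkey` does not name a replacement, so callers that fetch session subkeys get no pointer to the supported accessors. Elsewhere in this file the commit does leave such a hint (`/* use krb5_free_keytab_entry_contents instead */`). The same style fits here, e.g. `/* use krb5_auth_con_getsendsubkey / krb5_auth_con_getrecvsubkey instead */`, assuming those are the intended successors. The added `krb5_auth_con_getpermetypes` would also benefit from one line saying who frees the `krb5_enctype *` array it returns through its last argument.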
@@ -2180,83 +2238,103 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey * begin stuff from libos.h */ + +#if KRB5_PRIVATE +krb5_error_code krb5_read_message (krb5_context, krb5_pointer, krb5_data *); +krb5_error_code krb5_write_message (krb5_context, krb5_pointer, krb5_data *); +int krb5_net_read (krb5_context, int , char *, int); +int krb5_net_write (krb5_context, int , const char *, int); +#endif + krb5_error_code KRB5_CALLCONV krb5_read_password - KRB5_PROTOTYPE((krb5_context, + (krb5_context, const char *, const char *, char *, - unsigned int * )); -krb5_error_code krb5_aname_to_localname - KRB5_PROTOTYPE((krb5_context, + unsigned int * ); +krb5_error_code KRB5_CALLCONV krb5_aname_to_localname + (krb5_context, krb5_const_principal, - const int, - char * )); + int, + char * ); krb5_error_code KRB5_CALLCONV krb5_get_host_realm - KRB5_PROTOTYPE((krb5_context, + (krb5_context, const char *, - char * * * )); + char *** ); krb5_error_code KRB5_CALLCONV krb5_free_host_realm - KRB5_PROTOTYPE((krb5_context, - char * const * )); + (krb5_context, + char * const * ); +#if KRB5_PRIVATE krb5_error_code KRB5_CALLCONV krb5_get_realm_domain - KRB5_PROTOTYPE((krb5_context, + (krb5_context, const char *, - char ** )); - krb5_boolean KRB5_CALLCONV krb5_kuserok - KRB5_PROTOTYPE((krb5_context, - krb5_principal, const char *)); + char ** ); +#endif +krb5_boolean KRB5_CALLCONV krb5_kuserok + (krb5_context, + krb5_principal, const char *); krb5_error_code KRB5_CALLCONV krb5_auth_con_genaddrs - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_auth_context, - int, int)); + int, int); +#if KRB5_PRIVATE krb5_error_code krb5_gen_portaddr - KRB5_PROTOTYPE((krb5_context, + (krb5_context, const krb5_address *, krb5_const_pointer, - krb5_address **)); + krb5_address **); +krb5_error_code krb5_gen_replay_name + (krb5_context, + const krb5_address *, + const char *, + char **); krb5_error_code krb5_make_fulladdr - KRB5_PROTOTYPE((krb5_context, + (krb5_context, krb5_address *, 
krb5_address *, - krb5_address *)); + krb5_address *); +#endif -krb5_error_code krb5_os_hostaddr - KRB5_PROTOTYPE((krb5_context, const char *, krb5_address ***)); +krb5_error_code KRB5_CALLCONV krb5_set_real_time + (krb5_context, krb5_int32, krb5_int32); -krb5_error_code krb5_set_real_time - KRB5_PROTOTYPE((krb5_context, krb5_int32, krb5_int32)); +#if KRB5_PRIVATE krb5_error_code krb5_set_debugging_time - KRB5_PROTOTYPE((krb5_context, krb5_int32, krb5_int32)); + (krb5_context, krb5_int32, krb5_int32); krb5_error_code krb5_use_natural_time - KRB5_PROTOTYPE((krb5_context)); -krb5_error_code krb5_get_time_offsets - KRB5_PROTOTYPE((krb5_context, krb5_int32 *, krb5_int32 *)); + (krb5_context); +#endif +krb5_error_code KRB5_CALLCONV krb5_get_time_offsets + (krb5_context, krb5_int32 *, krb5_int32 *); +#if KRB5_PRIVATE krb5_error_code krb5_set_time_offsets - KRB5_PROTOTYPE((krb5_context, krb5_int32, krb5_int32)); + (krb5_context, krb5_int32, krb5_int32); +#endif /* str_conv.c */ krb5_error_code KRB5_CALLCONV krb5_string_to_enctype - KRB5_PROTOTYPE((char *, krb5_enctype *)); + (char *, krb5_enctype *); krb5_error_code KRB5_CALLCONV krb5_string_to_salttype - KRB5_PROTOTYPE((char *, krb5_int32 *)); + (char *, krb5_int32 *); krb5_error_code KRB5_CALLCONV krb5_string_to_cksumtype - KRB5_PROTOTYPE((char *, krb5_cksumtype *)); + (char *, krb5_cksumtype *); krb5_error_code KRB5_CALLCONV krb5_string_to_timestamp - KRB5_PROTOTYPE((char *, krb5_timestamp *)); + (char *, krb5_timestamp *); krb5_error_code KRB5_CALLCONV krb5_string_to_deltat - KRB5_PROTOTYPE((char *, krb5_deltat *)); + (char *, krb5_deltat *); krb5_error_code KRB5_CALLCONV krb5_enctype_to_string - KRB5_PROTOTYPE((krb5_enctype, char *, size_t)); + (krb5_enctype, char *, size_t); krb5_error_code KRB5_CALLCONV krb5_salttype_to_string - KRB5_PROTOTYPE((krb5_int32, char *, size_t)); + (krb5_int32, char *, size_t); krb5_error_code KRB5_CALLCONV krb5_cksumtype_to_string - KRB5_PROTOTYPE((krb5_cksumtype, char *, size_t)); + 
(krb5_cksumtype, char *, size_t); krb5_error_code KRB5_CALLCONV krb5_timestamp_to_string - KRB5_PROTOTYPE((krb5_timestamp, char *, size_t)); + (krb5_timestamp, char *, size_t); krb5_error_code KRB5_CALLCONV krb5_timestamp_to_sfstring - KRB5_PROTOTYPE((krb5_timestamp, char *, size_t, char *)); + (krb5_timestamp, char *, size_t, char *); krb5_error_code KRB5_CALLCONV krb5_deltat_to_string - KRB5_PROTOTYPE((krb5_deltat, char *, size_t)); + (krb5_deltat, char *, size_t); + /* * end stuff from libos.h @@ -2304,12 +2382,12 @@ typedef krb5_error_code (KRB5_CALLCONV *krb5_prompter_fct)(krb5_context context, krb5_error_code KRB5_CALLCONV krb5_prompter_posix -KRB5_PROTOTYPE((krb5_context context, + (krb5_context context, void *data, const char *name, const char *banner, int num_prompts, - krb5_prompt prompts[])); + krb5_prompt prompts[]); typedef struct _krb5_get_init_creds_opt { krb5_flags flags; 
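Review bot: The buffer lengths in the added `krb5_net_read` / `krb5_net_write` prototypes and in the changed `krb5_aname_to_localname` are plain `int`, while the `*_to_string` converters at the end of the same hunk take `size_t`. A negative length is therefore representable at these call boundaries. Changing the type would alter the interface, so I would document the contract instead, e.g. `/* last int: size of the buffer in bytes, must be >= 0 */` on the two network helpers and `/* int: size in bytes of the char * output buffer */` on `krb5_aname_to_localname`. The implementations are not part of this hunk, so whether they reject negative values needs to be confirmed there.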
@@ -2336,53 +2414,55 @@ typedef struct _krb5_get_init_creds_opt { void KRB5_CALLCONV krb5_get_init_creds_opt_init -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt)); +(krb5_get_init_creds_opt *opt); void KRB5_CALLCONV krb5_get_init_creds_opt_set_tkt_life -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, - krb5_deltat tkt_life)); +(krb5_get_init_creds_opt *opt, + krb5_deltat tkt_life); void KRB5_CALLCONV krb5_get_init_creds_opt_set_renew_life -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, - krb5_deltat renew_life)); +(krb5_get_init_creds_opt *opt, + krb5_deltat renew_life); void KRB5_CALLCONV krb5_get_init_creds_opt_set_forwardable -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, - int forwardable)); +(krb5_get_init_creds_opt *opt, + int forwardable); void KRB5_CALLCONV krb5_get_init_creds_opt_set_proxiable -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, - int proxiable)); +(krb5_get_init_creds_opt *opt, + int proxiable); void KRB5_CALLCONV krb5_get_init_creds_opt_set_etype_list -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, +(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, - int etype_list_length)); + int etype_list_length); void KRB5_CALLCONV krb5_get_init_creds_opt_set_address_list -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, - krb5_address **addresses)); +(krb5_get_init_creds_opt *opt, + krb5_address **addresses); void KRB5_CALLCONV krb5_get_init_creds_opt_set_preauth_list -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, +(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, - int preauth_list_length)); + int preauth_list_length); void KRB5_CALLCONV krb5_get_init_creds_opt_set_salt -KRB5_PROTOTYPE((krb5_get_init_creds_opt *opt, - krb5_data *salt)); +(krb5_get_init_creds_opt *opt, + krb5_data *salt); + + krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_creds *creds, krb5_principal client, char *password, 
@@ -2390,96 +2470,114 @@ KRB5_PROTOTYPE((krb5_context context, void *data, krb5_deltat start_time, char *in_tkt_service, - krb5_get_init_creds_opt *options)); + krb5_get_init_creds_opt *k5_gic_options); krb5_error_code KRB5_CALLCONV krb5_get_init_creds_keytab -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_keytab arg_keytab, krb5_deltat start_time, char *in_tkt_service, - krb5_get_init_creds_opt *options)); + krb5_get_init_creds_opt *k5_gic_options); typedef struct _krb5_verify_init_creds_opt { krb5_flags flags; int ap_req_nofail; } krb5_verify_init_creds_opt; -#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001 +#define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001 void KRB5_CALLCONV krb5_verify_init_creds_opt_init -KRB5_PROTOTYPE((krb5_verify_init_creds_opt *options)); +(krb5_verify_init_creds_opt *k5_vic_options); void KRB5_CALLCONV krb5_verify_init_creds_opt_set_ap_req_nofail -KRB5_PROTOTYPE((krb5_verify_init_creds_opt *options, - int ap_req_nofail)); +(krb5_verify_init_creds_opt *k5_vic_options, + int ap_req_nofail); krb5_error_code KRB5_CALLCONV krb5_verify_init_creds -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab, krb5_ccache *ccache, - krb5_verify_init_creds_opt *options)); + krb5_verify_init_creds_opt *k5_vic_options); krb5_error_code KRB5_CALLCONV krb5_get_validated_creds -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, - char *in_tkt_service)); + char *in_tkt_service); krb5_error_code KRB5_CALLCONV krb5_get_renewed_creds -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, - char *in_tkt_service)); + char *in_tkt_service); krb5_error_code KRB5_CALLCONV krb5_decode_ticket -KRB5_PROTOTYPE((const krb5_data *code, - krb5_ticket **rep)); +(const krb5_data 
*code, + krb5_ticket **rep); void KRB5_CALLCONV krb5_appdefault_string -KRB5_PROTOTYPE((krb5_context context, - const char *appname, - const krb5_data *realm, - const char *option, +(krb5_context context, + const char *appname, + const krb5_data *realm, + const char *option, const char *default_value, - char ** ret_value)); + char ** ret_value); void KRB5_CALLCONV krb5_appdefault_boolean -KRB5_PROTOTYPE((krb5_context context, - const char *appname, - const krb5_data *realm, - const char *option, +(krb5_context context, + const char *appname, + const krb5_data *realm, + const char *option, int default_value, - int *ret_value)); + int *ret_value); +#if KRB5_PRIVATE /* * The realm iterator functions */ krb5_error_code KRB5_CALLCONV krb5_realm_iterator_create - KRB5_PROTOTYPE((krb5_context context, void **iter_p)); + (krb5_context context, void **iter_p); krb5_error_code KRB5_CALLCONV krb5_realm_iterator - KRB5_PROTOTYPE((krb5_context context, void **iter_p, char **ret_realm)); + (krb5_context context, void **iter_p, char **ret_realm); void KRB5_CALLCONV krb5_realm_iterator_free - KRB5_PROTOTYPE((krb5_context context, void **iter_p)); + (krb5_context context, void **iter_p); void KRB5_CALLCONV krb5_free_realm_string - KRB5_PROTOTYPE((krb5_context context, char *str)); + (krb5_context context, char *str); +#endif + +/* + * The realm iterator functions + */ + +krb5_error_code KRB5_CALLCONV krb5_realm_iterator_create + (krb5_context context, void **iter_p); + +krb5_error_code KRB5_CALLCONV krb5_realm_iterator + (krb5_context context, void **iter_p, char **ret_realm); + +void KRB5_CALLCONV krb5_realm_iterator_free + (krb5_context context, void **iter_p); + +void KRB5_CALLCONV krb5_free_realm_string + (krb5_context context, char *str); /* * Prompter enhancements 
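Review bot: The four realm-iterator prototypes (`krb5_realm_iterator_create`, `krb5_realm_iterator`, `krb5_realm_iterator_free`, `krb5_free_realm_string`) end up declared twice: once inside the added `#if KRB5_PRIVATE` … `#endif` and again unconditionally in the block added right after it. The guard therefore has no effect on visibility, and code built without `KRB5_PRIVATE` still sees all four. If they are meant to stay public in this tree, drop the guarded copy. If they are meant to be private, drop the unconditional block. If both must stay, a comment such as `/* kept public here on purpose; upstream guards these with KRB5_PRIVATE */` would make the intent reviewable.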
@@ -2495,6 +2593,14 @@ typedef krb5_int32 krb5_prompt_type; krb5_prompt_type* KRB5_CALLCONV krb5_get_prompt_types (krb5_context context); +#if TARGET_OS_MAC +# pragma options align=reset +#endif /* KRB5INT_END_DECLS */ + +/* Don't use this! We're going to phase it out. It's just here to keep + applications from breaking right away. */ +#define krb5_const const + #endif /* KRB5_GENERAL__ */ @@ -2762,6 +2868,9 @@ krb5_prompt_type* KRB5_CALLCONV krb5_get_prompt_types #else #define PKCS_ERR (-1765328134L) #endif /* _KERNEL */ + +#define KRB5_DELTAT_BADFORMAT (-1765328133L) + #define ERROR_TABLE_BASE_krb5 (-1765328384L) /* for compatibility with older versions... */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/old.h b/usr/src/uts/common/gssapi/mechs/krb5/include/old.h index 043fa9acf4..33b3e4d590 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/old.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/old.h @@ -1,5 +1,5 @@ /* - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" 
@@ -33,32 +33,32 @@ #include <k5-int.h> void krb5_old_encrypt_length -KRB5_PROTOTYPE((krb5_const struct krb5_enc_provider *enc, +(const struct krb5_enc_provider *enc, krb5_const struct krb5_hash_provider *hash, - size_t input, size_t *length)); + size_t input, size_t *length); krb5_error_code krb5_old_encrypt -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_const struct krb5_enc_provider *enc, krb5_const struct krb5_hash_provider *hash, krb5_const krb5_keyblock *key, krb5_keyusage usage, krb5_const krb5_data *ivec, krb5_const krb5_data *input, - krb5_data *output)); + krb5_data *output); krb5_error_code krb5_old_decrypt -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_const struct krb5_enc_provider *enc, krb5_const struct krb5_hash_provider *hash, krb5_const krb5_keyblock *key, krb5_keyusage usage, krb5_const krb5_data *ivec, krb5_const krb5_data *input, - krb5_data *arg_output)); + krb5_data *arg_output); #ifndef _KERNEL krb5_error_code krb5_des_string_to_key -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string, krb5_const krb5_data *salt, krb5_const krb5_data *params, - krb5_keyblock *key)); + krb5_keyblock *key); #endif /* _KERNEL */ diff --git a/usr/src/uts/common/gssapi/mechs/krb5/include/raw.h b/usr/src/uts/common/gssapi/mechs/krb5/include/raw.h index f7f4cc4edb..9ddf242d53 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/include/raw.h +++ b/usr/src/uts/common/gssapi/mechs/krb5/include/raw.h 
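Review bot: Style: in `krb5_old_encrypt_length` the first parameter is now spelled `const struct krb5_enc_provider *enc`, while the next parameter and the three prototypes below it still use `krb5_const`. The same commit marks `krb5_const` in krb5.h as "Don't use this! We're going to phase it out", so the header would read more consistently with plain `const` throughout, e.g. `const struct krb5_hash_provider *hash,`. The raw.h prototypes in the following file keep `krb5_const` everywhere and could be converted in the same pass.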
@@ -28,22 +28,22 @@ #include "k5-int.h" void krb5_raw_encrypt_length -KRB5_PROTOTYPE((krb5_const struct krb5_enc_provider *enc, +(krb5_const struct krb5_enc_provider *enc, krb5_const struct krb5_hash_provider *hash, - size_t input, size_t *length)); + size_t input, size_t *length); krb5_error_code krb5_raw_encrypt -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_const struct krb5_enc_provider *enc, krb5_const struct krb5_hash_provider *hash, krb5_const krb5_keyblock *key, krb5_keyusage usage, krb5_const krb5_data *ivec, krb5_const krb5_data *input, - krb5_data *output)); + krb5_data *output); krb5_error_code krb5_raw_decrypt -KRB5_PROTOTYPE((krb5_context context, +(krb5_context context, krb5_const struct krb5_enc_provider *enc, krb5_const struct krb5_hash_provider *hash, krb5_const krb5_keyblock *key, krb5_keyusage usage, krb5_const krb5_data *ivec, krb5_const krb5_data *input, - krb5_data *arg_output)); + krb5_data *arg_output); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_athctr.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_athctr.c index 8faad51ec5..200436ea71 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_athctr.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_athctr.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -36,11 +36,8 @@ #include <k5-int.h> -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_authenticator(context, authfrom, authto) - krb5_context context; - const krb5_authenticator FAR *authfrom; - krb5_authenticator FAR *FAR *authto; +krb5_error_code KRB5_CALLCONV +krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom, krb5_authenticator **authto) { krb5_error_code retval; krb5_authenticator *tempto; 
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_auth.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_auth.c index 5ab03ce061..68ae89f5b5 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_auth.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_auth.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -37,10 +37,7 @@ /*ARGSUSED*/ static krb5_error_code -krb5_copy_authdatum(context, inad, outad) - krb5_context context; -const krb5_authdata *inad; -krb5_authdata **outad; +krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authdata **outad) { krb5_authdata *tmpad; @@ -64,15 +61,12 @@ krb5_authdata **outad; /* * Copy an authdata array, with fresh allocation. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_authdata(context, inauthdat, outauthdat) - krb5_context context; - krb5_authdata FAR * const FAR * inauthdat; - krb5_authdata FAR * FAR * FAR *outauthdat; +krb5_error_code KRB5_CALLCONV +krb5_copy_authdata(krb5_context context, krb5_authdata *const *inauthdat, krb5_authdata ***outauthdat) { krb5_error_code retval; krb5_authdata ** tempauthdat; - register int nelems = 0; + register unsigned int nelems = 0; if (!inauthdat) { *outauthdat = 0; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_cksum.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_cksum.c index 1985f71353..1a06d1cd40 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_cksum.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_cksum.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -36,11 +36,8 @@ #include <k5-int.h> /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_checksum(context, ckfrom, ckto) - krb5_context context; - const krb5_checksum FAR *ckfrom; - krb5_checksum FAR * FAR *ckto; +krb5_error_code KRB5_CALLCONV +krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, krb5_checksum **ckto) { krb5_checksum *tempto; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_key.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_key.c index 2509354b93..82a00def34 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_key.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_key.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -44,7 +44,7 @@ */ krb5_error_code krb5_copy_keyblock_data(krb5_context context, - const krb5_keyblock *from, krb5_keyblock *to) + const krb5_keyblock *from, krb5_keyblock *to) { krb5_error_code ret = 0; @@ -87,7 +87,7 @@ krb5_copy_keyblock_data(krb5_context context, * Copy a keyblock, including alloc'ed storage. */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_copy_keyblock(context, from, to) krb5_context context; const krb5_keyblock *from; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c index 0b281c2fe2..8792a03e38 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/copy_princ.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -38,11 +38,8 @@ * Copy a principal structure, with fresh allocation. */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_copy_principal(context, inprinc, outprinc) - krb5_context context; - krb5_const_principal inprinc; - krb5_principal FAR *outprinc; +krb5_error_code KRB5_CALLCONV +krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal *outprinc) { register krb5_principal tempprinc; register int i, nelems; @@ -67,7 +64,7 @@ krb5_copy_principal(context, inprinc, outprinc) } for (i = 0; i < nelems; i++) { - int len = krb5_princ_component(context, inprinc, i)->length; + unsigned int len = krb5_princ_component(context, inprinc, i)->length; krb5_princ_component(context, tempprinc, i)->length = len; /* 
@@ -87,29 +84,32 @@ krb5_copy_principal(context, inprinc, outprinc) if (len) (void) memcpy(krb5_princ_component(context, tempprinc, i)->data, krb5_princ_component(context, inprinc, i)->data, len); + else + krb5_princ_component(context, tempprinc, i)->data = 0; } tempprinc->realm.length = inprinc->realm.length; /* - * Allocate one extra byte for the realm name string terminator. The + * Allocate one extra byte for the realm name string terminator. The * realm and principle component strings alway leave a null byte after * 'length' bytes that needs to be malloc/freed. */ - tempprinc->realm.data = MALLOC(tempprinc->realm.length + 1); - - if (!tempprinc->realm.data && tempprinc->realm.length) { + if (tempprinc->realm.length) { + tempprinc->realm.data = MALLOC(tempprinc->realm.length + 1); + if (!tempprinc->realm.data) { for (i = 0; i < nelems; i++) - FREE(krb5_princ_component(context, tempprinc, i)->data, + FREE(krb5_princ_component(context, tempprinc, i)->data, krb5_princ_component(context, inprinc, i)->length + 1); - FREE (tempprinc->data, nelems * sizeof(krb5_data)); - FREE (tempprinc,sizeof(krb5_principal_data)); + FREE(tempprinc->data, nelems * sizeof(krb5_data)); + FREE(tempprinc, sizeof(krb5_principal_data)); return ENOMEM; - } - if (tempprinc->realm.length) - (void) memcpy(tempprinc->realm.data, inprinc->realm.data, + } + memcpy(tempprinc->realm.data, inprinc->realm.data, inprinc->realm.length); - + } else + tempprinc->realm.data = 0; + *outprinc = tempprinc; return 0; } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c index d64d75399a..6b189e78be 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/init_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
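Review bot: The new realm branch allocates `realm.length + 1` bytes but the visible code copies only `realm.length` bytes, so the terminator byte promised by the comment above it is never written unless MALLOC zero-fills, which is not visible here. Add `tempprinc->realm.data[tempprinc->realm.length] = 0;` after the memcpy. The new `else` arms also set `data = 0` for a zero-length realm or component, which contradicts that comment's statement that a null byte always follows 'length' bytes, so the comment should be updated. The ENOMEM path still calls FREE with `length + 1` on every component's data, including pointers that are now 0, so the loop should skip null pointers if FREE does not accept them. The start of krb5_copy_principal is outside this hunk.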
@@ -8,7 +8,7 @@ /* * lib/krb5/krb/init_ctx.c * - * Copyright 1994,1999,2000 by the Massachusetts Institute of Technology. + * Copyright 1994,1999,2000, 2002, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -72,6 +72,23 @@ pid_t __krb5_current_pid; /* fork safety: contains the current process ID */ #endif +#ifndef _KERNEL +#include <krb5_libinit.h> +#endif + +/* The des-mdX entries are last for now, because it's easy to + configure KDCs to issue TGTs with des-mdX keys and then not accept + them. This'll be fixed, but for better compatibility, let's prefer + des-crc for now. */ +#define DEFAULT_ETYPE_LIST \ + "aes256-cts-hmac-sha1-96 " \ + "aes128-cts-hmac-sha1-96 " \ + "des3-hmac-sha1 " \ + "arcfour-hmac-md5 " \ + "des-cbc-md5 " \ + "des-cbc-crc" + + /* The only functions that are needed from this file when in kernel are * krb5_init_context and krb5_free_context. * In krb5_init_context we need only os_init_context since we don'it need the @@ -84,16 +101,16 @@ extern krb5_error_code krb5_vercheck(); extern void krb5_win_ccdll_load(krb5_context context); #endif -static krb5_error_code init_common (); +static krb5_error_code init_common (krb5_context *, krb5_boolean); -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_init_context(context) krb5_context *context; { return init_common (context, FALSE); } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_init_secure_context(context) krb5_context *context; { @@ -323,9 +340,7 @@ krb5_free_ef_handle(krb5_context ctx) #endif /* !_KERNEL */ static krb5_error_code -init_common (context, secure) - krb5_context *context; - krb5_boolean secure; +init_common (krb5_context *context, krb5_boolean secure) { krb5_context ctx = 0; krb5_error_code retval; 
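Review bot: The comment above `DEFAULT_ETYPE_LIST` disagrees with the list it documents. It says the des-mdX entries are last and des-crc is preferred, but the list ends with `"des-cbc-md5 "` followed by `"des-cbc-crc"`, so des-cbc-crc is the final and least preferred entry. Either swap the last two strings or reword the comment to match the order actually shipped. Since get_profile_etype_list later uses this list as the fallback when the profile has no enctype setting, the comment should also say that the single-DES and arcfour entries are kept only for compatibility with older KDCs.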
@@ -338,7 +353,7 @@ init_common (context, secure) int tmp; #endif -#if (defined(_MSDOS) || defined(_WIN32)) +#if (defined(_WIN32)) /* * Load the krbcc32.dll if necessary. We do this here so that * we know to use API: later on during initialization. @@ -353,6 +368,12 @@ init_common (context, secure) retval = krb5_vercheck(); if (retval) return retval; +#else /* assume UNIX for now */ +#ifndef _KERNEL + retval = krb5int_initialize_library (); + if (retval) + return retval; +#endif /* !_KERNEL */ #endif *context = 0; @@ -442,12 +463,8 @@ init_common (context, secure) profile_get_integer(ctx->profile, "libdefaults", "kdc_default_options", 0, KDC_OPT_RENEWABLE_OK, &tmp); - ctx->kdc_default_options = KDC_OPT_RENEWABLE_OK; -#ifdef macintosh + ctx->kdc_default_options = tmp; #define DEFAULT_KDC_TIMESYNC 1 -#else -#define DEFAULT_KDC_TIMESYNC 0 -#endif profile_get_integer(ctx->profile, "libdefaults", "kdc_timesync", 0, DEFAULT_KDC_TIMESYNC, &tmp); @@ -488,9 +505,8 @@ cleanup: return retval; } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_free_context(ctx) - krb5_context ctx; +void KRB5_CALLCONV +krb5_free_context(krb5_context ctx) { KRB5_LOG0(KRB5_INFO,"krb5_free_context() start"); @@ -537,16 +553,14 @@ krb5_free_context(ctx) * Set the desired default ktypes, making sure they are valid. */ krb5_error_code -krb5_set_default_in_tkt_ktypes(context, ktypes) - krb5_context context; - const krb5_enctype *ktypes; +krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *ktypes) { krb5_enctype * new_ktypes; int i; if (ktypes) { for (i = 0; ktypes[i]; i++) { - if (!valid_enctype(ktypes[i])) + if (!krb5_c_valid_enctype(ktypes[i])) return KRB5_PROG_ETYPE_NOSUPP; } 
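Review bot: `ctx->kdc_default_options = tmp;` now takes its value from `profile_get_integer`, but the call's return value is discarded and `tmp` is declared without an initializer. If the lookup fails without storing to `tmp` (its behaviour on error is not visible here), the KDC option word comes from an indeterminate int. Either set `tmp = KDC_OPT_RENEWABLE_OK;` before the call or capture the result with `retval = profile_get_integer(...); if (retval) goto cleanup;`. The same hunk makes `DEFAULT_KDC_TIMESYNC` 1 on every platform, which changes the default clock-skew handling and deserves a line in the commit description. init_common starts and ends outside this hunk.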
@@ -569,12 +583,8 @@ krb5_set_default_in_tkt_ktypes(context, ktypes) } static krb5_error_code -get_profile_etype_list(context, ktypes, profstr, ctx_count, ctx_list) - krb5_context context; - krb5_enctype **ktypes; - char *profstr; - int ctx_count; - krb5_enctype *ctx_list; +get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, + int ctx_count, krb5_enctype *ctx_list) { krb5_enctype *old_ktypes = NULL; @@ -596,35 +606,29 @@ get_profile_etype_list(context, ktypes, profstr, ctx_count, ctx_list) session key types. */ - char *retval; + char *retval = NULL; char *sp, *ep; int j, checked_enctypes, count; krb5_error_code code; code = profile_get_string(context->profile, "libdefaults", profstr, - NULL, - "aes256-cts-hmac-sha1-96 " - "aes128-cts-hmac-sha1-96 " - "des3-hmac-sha1 " - "arcfour-hmac-md5 " - "des-cbc-md5 " - "des-cbc-crc", - &retval); + NULL, DEFAULT_ETYPE_LIST, &retval); if (code) return code; + if (!retval) /* SUNW14resync - just in case */ + return PROF_EINVAL; /* XXX */ + count = 0; sp = retval; - while (sp) { - for (ep = sp; *ep && (*ep != ',') && !isspace(*ep); ep++) + while (*sp) { + for (ep = sp; *ep && (*ep != ',') && !isspace((int) (*ep)); ep++) ; if (*ep) { *ep++ = '\0'; - while (isspace(*ep)) - ep++; - } else - ep = (char *) NULL; - + while (isspace((int) (*ep)) || *ep == ',') + *ep++ = '\0'; + } count++; sp = ep; } @@ -681,9 +685,7 @@ get_profile_etype_list(context, ktypes, profstr, ctx_count, ctx_list) } krb5_error_code -krb5_get_default_in_tkt_ktypes(context, ktypes) - krb5_context context; - krb5_enctype **ktypes; +krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes) { return(get_profile_etype_list(context, ktypes, "default_tkt_enctypes", context->in_tkt_ktype_count, 
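Review bot: The added casts in `isspace((int) (*ep))` do not make the call safe, because a plain `char` with the high bit set is still negative after conversion to int and that is outside the domain of `isspace`. The string scanned here comes from the profile file, so non-ASCII bytes are possible. Use `isspace((unsigned char) *ep)` in both the `for` condition and the inner `while`. The rest of get_profile_etype_list, which walks the tokens counted here, is outside this hunk.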
@@ -691,9 +693,7 @@ krb5_get_default_in_tkt_ktypes(context, ktypes) } krb5_error_code -krb5_set_default_tgs_enctypes(context, ktypes) - krb5_context context; - const krb5_enctype *ktypes; +krb5_set_default_tgs_enctypes (krb5_context context, const krb5_enctype *ktypes) { krb5_enctype * new_ktypes; int i; @@ -734,9 +734,7 @@ krb5_error_code krb5_set_default_tgs_ktypes /*ARGSUSED*/ void KRB5_CALLCONV -krb5_free_ktypes (context, val) - krb5_context context; - krb5_enctype FAR *val; +krb5_free_ktypes (krb5_context context, krb5_enctype *val) { free (val); } @@ -744,10 +742,7 @@ krb5_free_ktypes (context, val) /*ARGSUSED*/ krb5_error_code KRB5_CALLCONV -krb5_get_tgs_ktypes(context, princ, ktypes) - krb5_context context; - krb5_const_principal princ; - krb5_enctype **ktypes; +krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes) { if (context->use_conf_ktypes) /* This one is set *only* by reading the config file; it's not @@ -762,9 +757,7 @@ krb5_get_tgs_ktypes(context, princ, ktypes) } krb5_error_code -krb5_get_permitted_enctypes(context, ktypes) - krb5_context context; - krb5_enctype **ktypes; +krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes) { return(get_profile_etype_list(context, ktypes, "permitted_enctypes", context->tgs_ktype_count, @@ -772,9 +765,7 @@ krb5_get_permitted_enctypes(context, ktypes) } krb5_boolean -krb5_is_permitted_enctype(context, etype) - krb5_context context; - krb5_enctype etype; +krb5_is_permitted_enctype(krb5_context context, krb5_enctype etype) { krb5_enctype *list, *ptr; krb5_boolean ret; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/kfree.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/kfree.c index 50e22de17c..c1b04a59b2 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/kfree.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/kfree.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -34,9 +34,7 @@ static void cleanup_dk_list(krb5_context, krb5_keyblock *); /* ARGSUSED */ void KRB5_CALLCONV -krb5_free_address(context, val) - krb5_context context; - krb5_address FAR *val; +krb5_free_address(krb5_context context, krb5_address *val) { if (val->contents) krb5_xfree_wrap(val->contents, val->length); @@ -45,9 +43,7 @@ krb5_free_address(context, val) #ifndef _KERNEL void KRB5_CALLCONV -krb5_free_addresses(context, val) - krb5_context context; - krb5_address FAR * FAR *val; +krb5_free_addresses(krb5_context context, krb5_address **val) { register krb5_address **temp; @@ -61,9 +57,7 @@ krb5_free_addresses(context, val) void KRB5_CALLCONV -krb5_free_ap_rep(context, val) - krb5_context context; - register krb5_ap_rep FAR *val; +krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val) { if (val->enc_part.ciphertext.data) { krb5_xfree(val->enc_part.ciphertext.data); @@ -73,9 +67,7 @@ krb5_free_ap_rep(context, val) } void KRB5_CALLCONV -krb5_free_ap_req(context, val) - krb5_context context; - register krb5_ap_req FAR *val; +krb5_free_ap_req(krb5_context context, register krb5_ap_req *val) { if (val->ticket) { krb5_free_ticket(context, val->ticket); @@ -89,9 +81,7 @@ krb5_free_ap_req(context, val) } void KRB5_CALLCONV -krb5_free_ap_rep_enc_part(context, val) - krb5_context context; - krb5_ap_rep_enc_part FAR *val; +krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val) { if (val->subkey) krb5_free_keyblock(context, val->subkey); 
@@ -100,9 +90,7 @@ krb5_free_ap_rep_enc_part(context, val) #endif /* !_KERNEL */ void KRB5_CALLCONV -krb5_free_authenticator_contents(context, val) - krb5_context context; - krb5_authenticator FAR *val; +krb5_free_authenticator_contents(krb5_context context, krb5_authenticator *val) { if (val->checksum) { krb5_free_checksum(context, val->checksum); @@ -124,9 +112,7 @@ krb5_free_authenticator_contents(context, val) /* ARGSUSED */ void KRB5_CALLCONV -krb5_free_authdata(context, val) - krb5_context context; - krb5_authdata FAR * FAR *val; +krb5_free_authdata(krb5_context context, krb5_authdata **val) { register krb5_authdata **temp; @@ -142,18 +128,14 @@ krb5_free_authdata(context, val) } void KRB5_CALLCONV -krb5_free_authenticator(context, val) - krb5_context context; - krb5_authenticator FAR *val; +krb5_free_authenticator(krb5_context context, krb5_authenticator *val) { krb5_free_authenticator_contents(context, val); krb5_xfree_wrap(val, sizeof(krb5_authenticator)); } void KRB5_CALLCONV -krb5_free_checksum(context, val) - krb5_context context; - register krb5_checksum *val; +krb5_free_checksum(krb5_context context, register krb5_checksum *val) { krb5_free_checksum_contents(context, val); krb5_xfree_wrap(val, sizeof(krb5_checksum)); @@ -161,9 +143,7 @@ krb5_free_checksum(context, val) /* ARGSUSED */ void KRB5_CALLCONV -krb5_free_checksum_contents(context, val) - krb5_context context; - register krb5_checksum *val; +krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val) { if (val->contents) { krb5_xfree_wrap(val->contents, val->length); @@ -174,9 +154,7 @@ krb5_free_checksum_contents(context, val) #ifndef _KERNEL void KRB5_CALLCONV -krb5_free_cred(context, val) - krb5_context context; - register krb5_cred FAR *val; +krb5_free_cred(krb5_context context, register krb5_cred *val) { if (val->tickets) { krb5_free_tickets(context, val->tickets); 
@@ -195,9 +173,7 @@ krb5_free_cred(context, val) */ void KRB5_CALLCONV -krb5_free_cred_contents(context, val) - krb5_context context; - krb5_creds FAR *val; +krb5_free_cred_contents(krb5_context context, krb5_creds *val) { if (val->client) { krb5_free_principal(context, val->client); @@ -228,10 +204,8 @@ krb5_free_cred_contents(context, val) } } -void KRB5_CALLCONV -krb5_free_cred_enc_part(context, val) - krb5_context context; - register krb5_cred_enc_part FAR *val; +void KRB5_CALLCONV +krb5_free_cred_enc_part(krb5_context context, register krb5_cred_enc_part *val) { register krb5_cred_info **temp; @@ -263,9 +237,7 @@ krb5_free_cred_enc_part(context, val) void KRB5_CALLCONV -krb5_free_creds(context, val) - krb5_context context; - krb5_creds FAR *val; +krb5_free_creds(krb5_context context, krb5_creds *val) { krb5_free_cred_contents(context, val); krb5_xfree(val); @@ -273,9 +245,7 @@ krb5_free_creds(context, val) /* ARGSUSED */ void KRB5_CALLCONV -krb5_free_data(context, val) - krb5_context context; - krb5_data FAR * val; +krb5_free_data(krb5_context context, krb5_data *val) { if (val->data) { krb5_xfree(val->data); @@ -287,9 +257,7 @@ krb5_free_data(context, val) /* ARGSUSED */ void KRB5_CALLCONV -krb5_free_data_contents(context, val) - krb5_context context; - krb5_data FAR * val; +krb5_free_data_contents(krb5_context context, krb5_data *val) { if (val->data) { krb5_xfree_wrap(val->data, val->length); @@ -299,15 +267,14 @@ krb5_free_data_contents(context, val) } #ifndef _KERNEL -void krb5_free_etype_info(context, info) - krb5_context context; - krb5_etype_info info; +void krb5_free_etype_info(krb5_context context, krb5_etype_info info) { int i; for(i=0; info[i] != NULL; i++) { if (info[i]->salt) free(info[i]->salt); + krb5_free_data_contents(context, &info[i]->s2kparams); free(info[i]); } free(info); 
@@ -315,9 +282,7 @@ void krb5_free_etype_info(context, info) void KRB5_CALLCONV -krb5_free_enc_kdc_rep_part(context, val) - krb5_context context; - register krb5_enc_kdc_rep_part *val; +krb5_free_enc_kdc_rep_part(krb5_context context, register krb5_enc_kdc_rep_part *val) { if (val->session) krb5_free_keyblock(context, val->session); @@ -331,9 +296,7 @@ krb5_free_enc_kdc_rep_part(context, val) } void KRB5_CALLCONV -krb5_free_enc_tkt_part(context, val) - krb5_context context; - krb5_enc_tkt_part FAR *val; +krb5_free_enc_tkt_part(krb5_context context, krb5_enc_tkt_part *val) { if (val->session) { krb5_free_keyblock(context, val->session); @@ -356,9 +319,7 @@ krb5_free_enc_tkt_part(context, val) #endif /* !_KERNEL */ void KRB5_CALLCONV -krb5_free_error(context, val) - krb5_context context; - register krb5_error FAR *val; +krb5_free_error(krb5_context context, register krb5_error *val) { if (val->client) krb5_free_principal(context, val->client); @@ -373,9 +334,7 @@ krb5_free_error(context, val) #ifndef _KERNEL void KRB5_CALLCONV -krb5_free_kdc_rep(context, val) - krb5_context context; - krb5_kdc_rep FAR *val; +krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *val) { if (val->padata) { krb5_free_pa_data(context, val->padata); @@ -402,9 +361,7 @@ krb5_free_kdc_rep(context, val) void KRB5_CALLCONV -krb5_free_kdc_req(context, val) - krb5_context context; - krb5_kdc_req FAR *val; +krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val) { if (val->padata) { krb5_free_pa_data(context, val->padata); @@ -473,9 +430,7 @@ cleanup_dk_list(krb5_context context, krb5_keyblock *key) /* ARGSUSED */ void KRB5_CALLCONV -krb5_free_keyblock_contents(context, key) - krb5_context context; - register krb5_keyblock FAR *key; +krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key) { if (key->contents) { (void) memset(key->contents, 0, key->length); 
@@ -509,9 +464,7 @@ krb5_free_keyblock_contents(context, key) } void KRB5_CALLCONV -krb5_free_keyblock(context, val) - krb5_context context; - register krb5_keyblock FAR *val; +krb5_free_keyblock(krb5_context context, register krb5_keyblock *val) { if (!val) return; @@ -523,9 +476,7 @@ krb5_free_keyblock(context, val) #ifndef _KERNEL void KRB5_CALLCONV -krb5_free_last_req(context, val) - krb5_context context; - krb5_last_req_entry FAR * FAR *val; +krb5_free_last_req(krb5_context context, krb5_last_req_entry **val) { register krb5_last_req_entry **temp; @@ -535,9 +486,7 @@ krb5_free_last_req(context, val) } void KRB5_CALLCONV -krb5_free_pa_data(context, val) - krb5_context context; - krb5_pa_data FAR * FAR *val; +krb5_free_pa_data(krb5_context context, krb5_pa_data **val) { register krb5_pa_data **temp; @@ -552,9 +501,7 @@ krb5_free_pa_data(context, val) /* ARGSUSED */ void KRB5_CALLCONV -krb5_free_principal(context, val) - krb5_context context; - krb5_principal val; +krb5_free_principal(krb5_context context, krb5_principal val) { register krb5_int32 i; @@ -576,9 +523,7 @@ krb5_free_principal(context, val) #ifndef _KERNEL void KRB5_CALLCONV -krb5_free_priv(context, val) - krb5_context context; - register krb5_priv FAR *val; +krb5_free_priv(krb5_context context, register krb5_priv *val) { if (val->enc_part.ciphertext.data) { krb5_xfree(val->enc_part.ciphertext.data); @@ -588,9 +533,7 @@ krb5_free_priv(context, val) } void KRB5_CALLCONV -krb5_free_priv_enc_part(context, val) - krb5_context context; - register krb5_priv_enc_part FAR *val; +krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val) { if (val->user_data.data) { krb5_xfree(val->user_data.data); @@ -608,9 +551,7 @@ krb5_free_priv_enc_part(context, val) } void KRB5_CALLCONV -krb5_free_pwd_data(context, val) - krb5_context context; - krb5_pwd_data FAR *val; +krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val) { if (val->element) krb5_free_pwd_sequences(context, val->element); 
@@ -619,25 +560,27 @@ krb5_free_pwd_data(context, val) void KRB5_CALLCONV -krb5_free_pwd_sequences(context, val) - krb5_context context; - passwd_phrase_element FAR * FAR *val; +krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val) { - if ((*val)->passwd) { - krb5_xfree((*val)->passwd); - (*val)->passwd = 0; - } - if ((*val)->phrase) { - krb5_xfree((*val)->phrase); - (*val)->phrase = 0; + register passwd_phrase_element **temp; + + for (temp = val; *temp; temp++) { + if ((*temp)->passwd) { + krb5_free_data(context, (*temp)->passwd); + (*temp)->passwd = 0; + } + if ((*temp)->phrase) { + krb5_free_data(context, (*temp)->phrase); + (*temp)->phrase = 0; + } + krb5_xfree(*temp); } + krb5_xfree(val); } void KRB5_CALLCONV -krb5_free_safe(context, val) - krb5_context context; - register krb5_safe FAR *val; +krb5_free_safe(krb5_context context, register krb5_safe *val) { if (val->user_data.data) { krb5_xfree(val->user_data.data); @@ -660,9 +603,7 @@ krb5_free_safe(context, val) void KRB5_CALLCONV -krb5_free_ticket(context, val) - krb5_context context; - krb5_ticket FAR *val; +krb5_free_ticket(krb5_context context, krb5_ticket *val) { if (val->server) krb5_free_principal(context, val->server); @@ -676,9 +617,7 @@ krb5_free_ticket(context, val) } void KRB5_CALLCONV -krb5_free_tickets(context, val) - krb5_context context; - krb5_ticket FAR * FAR *val; +krb5_free_tickets(krb5_context context, krb5_ticket **val) { register krb5_ticket **temp; @@ -689,9 +628,7 @@ krb5_free_tickets(context, val) void KRB5_CALLCONV -krb5_free_tgt_creds(context, tgts) - krb5_context context; - krb5_creds FAR * FAR *tgts; +krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts) { register krb5_creds **tgtpp; for (tgtpp = tgts; *tgtpp; tgtpp++) 
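Review bot: In the rewritten krb5_free_pwd_sequences the password and phrase buffers are passed to krb5_free_data, which, as far as the context lines earlier in this file show, releases `val->data` without clearing it, whereas krb5_free_keyblock_contents zeroes key material before freeing. Clear the buffers first, e.g. `if ((*temp)->passwd->data) (void) memset((*temp)->passwd->data, 0, (*temp)->passwd->length);`, and do the same for `phrase`. The new krb5_free_enc_sam_response_enc_2_contents in a later hunk releases `sam_sad` the same way and would need the same treatment if that field carries authentication data. The function now also frees each element and the array itself, which the old body did not, so any caller that released them separately would double-free. That ownership change should be stated in a comment above the function.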
@@ -700,9 +637,7 @@ krb5_free_tgt_creds(context, tgts) } void KRB5_CALLCONV -krb5_free_tkt_authent(context, val) - krb5_context context; - krb5_tkt_authent FAR *val; +krb5_free_tkt_authent(krb5_context context, krb5_tkt_authent *val) { if (val->ticket) { krb5_free_ticket(context, val->ticket); @@ -716,9 +651,7 @@ krb5_free_tkt_authent(context, val) } void KRB5_CALLCONV -krb5_free_unparsed_name(context, val) - krb5_context context; - char FAR * val; +krb5_free_unparsed_name(krb5_context context, char *val) { if (val) { krb5_xfree(val); @@ -726,7 +659,7 @@ krb5_free_unparsed_name(context, val) } void KRB5_CALLCONV -krb5_free_sam_challenge(krb5_context ctx, krb5_sam_challenge FAR *sc) +krb5_free_sam_challenge(krb5_context ctx, krb5_sam_challenge *sc) { if (!sc) return; @@ -744,7 +677,7 @@ krb5_free_sam_challenge_2(krb5_context ctx, krb5_sam_challenge_2 *sc2) } void KRB5_CALLCONV -krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge FAR *sc) +krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge *sc) { if (!sc) return; @@ -818,7 +751,7 @@ krb5_free_sam_challenge_2_body_contents(krb5_context ctx, } void KRB5_CALLCONV -krb5_free_sam_response(krb5_context ctx, krb5_sam_response FAR *sr) +krb5_free_sam_response(krb5_context ctx, krb5_sam_response *sr) { if (!sr) return; @@ -827,7 +760,16 @@ krb5_free_sam_response(krb5_context ctx, krb5_sam_response FAR *sr) } void KRB5_CALLCONV -krb5_free_sam_response_contents(krb5_context ctx, krb5_sam_response FAR *sr) +krb5_free_sam_response_2(krb5_context ctx, krb5_sam_response_2 *sr2) +{ + if (!sr2) + return; + krb5_free_sam_response_2_contents(ctx, sr2); + krb5_xfree(sr2); +} + +void KRB5_CALLCONV +krb5_free_sam_response_contents(krb5_context ctx, krb5_sam_response *sr) { if (!sr) return; 
@@ -840,8 +782,19 @@ krb5_free_sam_response_contents(krb5_context ctx, krb5_sam_response FAR *sr) } void KRB5_CALLCONV +krb5_free_sam_response_2_contents(krb5_context ctx, krb5_sam_response_2 *sr2) +{ + if (!sr2) + return; + if (sr2->sam_track_id.data) + krb5_free_data_contents(ctx, &sr2->sam_track_id); + if (sr2->sam_enc_nonce_or_sad.ciphertext.data) + krb5_free_data_contents(ctx, &sr2->sam_enc_nonce_or_sad.ciphertext); +} + +void KRB5_CALLCONV krb5_free_predicted_sam_response(krb5_context ctx, - krb5_predicted_sam_response FAR *psr) + krb5_predicted_sam_response *psr) { if (!psr) return; @@ -851,7 +804,7 @@ krb5_free_predicted_sam_response(krb5_context ctx, void KRB5_CALLCONV krb5_free_predicted_sam_response_contents(krb5_context ctx, - krb5_predicted_sam_response FAR *psr) + krb5_predicted_sam_response *psr) { if (!psr) return; @@ -867,7 +820,7 @@ krb5_free_predicted_sam_response_contents(krb5_context ctx, void KRB5_CALLCONV krb5_free_enc_sam_response_enc(krb5_context ctx, - krb5_enc_sam_response_enc FAR *esre) + krb5_enc_sam_response_enc *esre) { if (!esre) return; @@ -875,9 +828,19 @@ krb5_free_enc_sam_response_enc(krb5_context ctx, krb5_xfree(esre); } +void KRB5_CALLCONV +krb5_free_enc_sam_response_enc_2(krb5_context ctx, + krb5_enc_sam_response_enc_2 *esre2) +{ + if (!esre2) + return; + krb5_free_enc_sam_response_enc_2_contents(ctx, esre2); + krb5_xfree(esre2); +} + void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents(krb5_context ctx, - krb5_enc_sam_response_enc FAR *esre) + krb5_enc_sam_response_enc *esre) { if (!esre) return; 
@@ -886,7 +849,17 @@ krb5_free_enc_sam_response_enc_contents(krb5_context ctx, } void KRB5_CALLCONV -krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts FAR *pa_enc_ts) +krb5_free_enc_sam_response_enc_2_contents(krb5_context ctx, + krb5_enc_sam_response_enc_2 *esre2) +{ + if (!esre2) + return; + if (esre2->sam_sad.data) + krb5_free_data_contents(ctx, &esre2->sam_sad); +} + +void KRB5_CALLCONV +krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts *pa_enc_ts) { if (!pa_enc_ts) return; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c index 62f54f2b0d..79e72cd5f2 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/parse.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -38,6 +38,12 @@ #include "k5-int.h" +#ifndef _KERNEL +#include <assert.h> +#include <stdarg.h> +#define ASSERT assert +#endif + /* * converts a single-string representation of the name to the * multi-part principal format used in the protocols. @@ -70,11 +76,8 @@ * that arbitrarily large multi-component names are a Good Thing..... */ /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_parse_name(context, name, nprincipal) - krb5_context context; - const char FAR *name; - krb5_principal FAR *nprincipal; +krb5_error_code KRB5_CALLCONV +krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal) { const char *cp; char *q; 
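Review bot: krb5_free_enc_sam_response_enc_2_contents releases `esre2->sam_sad` without clearing the buffer first. Going by the field name, this looks like the decrypted single-use authentication data, so the bytes would stay in freed memory unless krb5_free_data_contents scrubs them, which is not visible in this hunk. If it does not, add `(void) memset(esre2->sam_sad.data, 0, esre2->sam_sad.length);` before the krb5_free_data_contents call.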
@@ -82,14 +85,14 @@ krb5_parse_name(context, name, nprincipal) int components = 0; const char *parsed_realm = NULL; int fcompsize[FCOMPNUM]; - int realmsize = 0; - static char *default_realm = NULL; - static int default_realm_size = 0; - char *tmpdata; - krb5_principal principal; + unsigned int realmsize = 0; #ifndef _KERNEL + char *default_realm = NULL; + int default_realm_size = 0; krb5_error_code retval; #endif + char *tmpdata; + krb5_principal principal; /* * Pass 1. Find out how many components there are to the name, @@ -194,13 +197,13 @@ krb5_parse_name(context, name, nprincipal) cp++; size++; } else if (c == COMPONENT_SEP) { - krb5_princ_component(context, - principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; i++; } else if (c == REALM_SEP) { - krb5_princ_component(context, - principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; parsed_realm = cp+1; } else @@ -209,17 +212,18 @@ krb5_parse_name(context, name, nprincipal) if (parsed_realm) krb5_princ_realm(context, principal)->length = size; else - krb5_princ_component(context, - principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, + i)->length = size; if (i + 1 != components) { -#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) -/* - dprintf("Programming error in krb5_parse_name!"); -*/ - return (KRB5_PARSE_MALFORMED); +#ifndef _KERNEL + fprintf(stderr, + "Programming error in krb5_parse_name!"); + ASSERT(i + 1 == components); + abort(); #else - /* Need to come up with windows error handling mechanism */ -#endif + ASSERT(i + 1 == components); +#endif /* !_KERNEL */ } } else { /* 
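Review bot: In the `if (i + 1 != components)` branch the `_KERNEL` side now holds only `ASSERT(i + 1 == components);` in place of the old `return (KRB5_PARSE_MALFORMED);`. If ASSERT expands to nothing on non-DEBUG kernels (the usual convention, not shown here), a component-count mismatch falls through and parsing continues on an inconsistent principal; the new `krb5_princ_size(context, principal) > i` guards cover the length writes in this pass but not the code that follows. Keep the error return after the assertion, `ASSERT(i + 1 == components); return (KRB5_PARSE_MALFORMED);`. On the userland side, `abort()` inside a library routine turns the same condition into a process kill, where a returned error would let the caller decide. krb5_parse_name begins and ends outside this hunk.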
@@ -240,14 +244,18 @@ krb5_parse_name(context, name, nprincipal) sizeof (krb5_data) * components); krb5_xfree_wrap((char *)principal, sizeof (krb5_principal_data)); +#ifndef _KERNEL + if (default_realm) + krb5_xfree_wrap(default_realm, strlen(default_realm)); +#endif return (ENOMEM); } krb5_princ_set_realm_length(context, principal, realmsize); krb5_princ_set_realm_data(context, principal, tmpdata); for (i = 0; i < components; i++) { - char *tmpdata = MALLOC(krb5_princ_component(context, + char *tmpdata2 = MALLOC(krb5_princ_component(context, principal, i)->length + 1); - if (!tmpdata) { + if (!tmpdata2) { /* * Release the principle and realm strings remembering * that we allocated one additional byte beyond the @@ -265,9 +273,14 @@ krb5_parse_name(context, name, nprincipal) principal)->length + 1); krb5_xfree_wrap(principal->data, principal->length); krb5_xfree_wrap(principal, sizeof(krb5_principal_data)); +#ifndef _KERNEL + if (default_realm) + krb5_xfree_wrap(default_realm, + strlen(default_realm)); +#endif return (ENOMEM); } - krb5_princ_component(context, principal, i)->data = tmpdata; + krb5_princ_component(context, principal, i)->data = tmpdata2; krb5_princ_component(context, principal, i)->magic = KV5M_DATA; } @@ -309,11 +322,9 @@ krb5_parse_name(context, name, nprincipal) *q++ = (char) c; } *q++ = '\0'; + if (!parsed_realm) -#ifdef _KERNEL - (void) strncpy(krb5_princ_realm(context, principal)->data, - default_realm, default_realm_size); -#else +#ifndef _KERNEL (void) strcpy(krb5_princ_realm(context, principal)->data, default_realm); #endif @@ -325,5 +336,9 @@ krb5_parse_name(context, name, nprincipal) principal->magic = KV5M_PRINCIPAL; principal->realm.magic = KV5M_DATA; *nprincipal = principal; +#ifndef _KERNEL + if (default_realm) + krb5_xfree_wrap(default_realm, strlen(default_realm)); +#endif return(0); } 
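Review bot: With the `#ifdef _KERNEL` strncpy arm removed in the `-309,11` hunk, `if (!parsed_realm)` has no body in a `_KERNEL` build, so it now governs whatever statement follows `#endif`, which lies outside the hunk. That makes the following statement conditional on a missing realm in the kernel build only, which is unlikely to be intended. Move the test inside the conditional block: `#ifndef _KERNEL`, `if (!parsed_realm) (void) strcpy(krb5_princ_realm(context, principal)->data, default_realm);`, `#endif`.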
diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_actx.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_actx.c index 181900376e..d66959f042 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_actx.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_actx.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -35,6 +35,7 @@ * ser_actx.c - Serialize krb5_auth_context structure. */ #include <k5-int.h> +#include <int-proto.h> #include <auth_con.h> #define TOKEN_RADDR 950916 @@ -61,12 +62,6 @@ static krb5_error_code krb5_auth_context_internalize /* * Other metadata serialization initializers. */ -krb5_error_code krb5_ser_authdata_init (krb5_context); -krb5_error_code krb5_ser_address_init (krb5_context); -krb5_error_code krb5_ser_authenticator_init (krb5_context); -krb5_error_code krb5_ser_checksum_init (krb5_context); -krb5_error_code krb5_ser_keyblock_init (krb5_context); -krb5_error_code krb5_ser_principal_init (krb5_context); /* Local data */ static const krb5_ser_entry krb5_auth_context_ser_entry = { @@ -81,10 +76,7 @@ static const krb5_ser_entry krb5_auth_context_ser_entry = { * the krb5_auth_context. */ static krb5_error_code -krb5_auth_context_size( - krb5_context kcontext, - krb5_pointer arg, - size_t *sizep) +krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_auth_context auth_context; @@ -203,11 +195,7 @@ krb5_auth_context_size( * krb5_auth_context_externalize() - Externalize the krb5_auth_context. */ static krb5_error_code -krb5_auth_context_externalize( - krb5_context kcontext, - krb5_pointer arg, - krb5_octet **buffer, - size_t *lenremain) +krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_auth_context auth_context; 
@@ -215,6 +203,8 @@ krb5_auth_context_externalize( krb5_octet *bp; size_t remain; size_t obuf; + krb5_int32 obuf32; + required = 0; bp = *buffer; @@ -249,14 +239,18 @@ krb5_auth_context_externalize( } else { obuf = 0; } - + + /* Convert to signed 32 bit integer */ + obuf32 = obuf; + if (kret == 0 && obuf != obuf32) + kret = EINVAL; if (!kret) - (void) krb5_ser_pack_int32(obuf, &bp, &remain); + (void) krb5_ser_pack_int32(obuf32, &bp, &remain); /* Now copy i_vector */ if (!kret && auth_context->i_vector) (void) krb5_ser_pack_bytes(auth_context->i_vector, - (size_t) obuf, + obuf, &bp, &remain); /* Now handle remote_addr, if appropriate */ @@ -364,11 +358,7 @@ krb5_auth_context_externalize( * krb5_auth_context_internalize() - Internalize the krb5_auth_context. */ static krb5_error_code -krb5_auth_context_internalize( - krb5_context kcontext, - krb5_pointer *argp, - krb5_octet **buffer, - size_t *lenremain) +krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_auth_context auth_context; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_adata.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_adata.c index 1a97f97cac..307d473f34 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_adata.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_adata.c @@ -27,6 +27,7 @@ * ser_adata.c - Serialize a krb5_authdata structure. */ #include <k5-int.h> +#include <int-proto.h> /* * Routines to deal with externalizing the krb5_authdata: 
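Review bot: The new range check `obuf != obuf32` misses values that turn negative in `krb5_int32` when `size_t` is 32 bits wide: `obuf32` converts back to the same `size_t` value, the comparison passes, and a negative length is packed into the stream. Testing the sign as well closes that case: `if (kret == 0 && (obuf32 < 0 || (size_t)obuf32 != obuf)) kret = EINVAL;`. The body of krb5_auth_context_externalize extends beyond this hunk.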
@@ -35,11 +36,11 @@ * krb5_authdata_internalize(); */ static krb5_error_code krb5_authdata_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_authdata_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_authdata_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_authdata_ser_entry = { @@ -55,10 +56,7 @@ static const krb5_ser_entry krb5_authdata_ser_entry = { */ /*ARGSUSED*/ static krb5_error_code -krb5_authdata_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_authdata_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_authdata *authdata; @@ -88,11 +86,7 @@ krb5_authdata_size(kcontext, arg, sizep) * krb5_authdata_externalize() - Externalize the krb5_authdata. */ static krb5_error_code -krb5_authdata_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_authdata_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_authdata *authdata; @@ -140,11 +134,7 @@ krb5_authdata_externalize(kcontext, arg, buffer, lenremain) */ /*ARGSUSED*/ static krb5_error_code -krb5_authdata_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_authdata_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_authdata *authdata; 
@@ -206,8 +196,7 @@ krb5_authdata_internalize(kcontext, argp, buffer, lenremain) * Register the authdata serializer. */ krb5_error_code -krb5_ser_authdata_init(kcontext) - krb5_context kcontext; +krb5_ser_authdata_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_authdata_ser_entry)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_addr.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_addr.c index 82f13862f9..dba92cf002 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_addr.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_addr.c @@ -27,6 +27,7 @@ * ser_addr.c - Serialize a krb5_address structure. */ #include <k5-int.h> +#include <int-proto.h> /* * Routines to deal with externalizing the krb5_address: @@ -35,11 +36,11 @@ * krb5_address_internalize(); */ static krb5_error_code krb5_address_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_address_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_address_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_address_ser_entry = { @@ -55,10 +56,7 @@ static const krb5_ser_entry krb5_address_ser_entry = { */ /*ARGSUSED*/ static krb5_error_code -krb5_address_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_address_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_address *address; 
@@ -88,11 +86,7 @@ krb5_address_size(kcontext, arg, sizep) * krb5_address_externalize() - Externalize the krb5_address. */ static krb5_error_code -krb5_address_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_address_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_address *address; @@ -142,11 +136,7 @@ krb5_address_externalize(kcontext, arg, buffer, lenremain) /*ARGSUSED*/ static krb5_error_code -krb5_address_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_address_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_address *address; @@ -211,8 +201,7 @@ krb5_address_internalize(kcontext, argp, buffer, lenremain) * Register the address serializer. */ krb5_error_code -krb5_ser_address_init(kcontext) - krb5_context kcontext; +krb5_ser_address_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_address_ser_entry)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_auth.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_auth.c index 10fdb2f6b8..7b7d7cd954 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_auth.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_auth.c @@ -26,7 +26,8 @@ /* * ser_auth.c - Serialize krb5_authenticator structure. */ -#include "k5-int.h" +#include <k5-int.h> +#include <int-proto.h> /* * Routines to deal with externalizing the krb5_authenticator: 
@@ -35,11 +36,11 @@ * krb5_authenticator_internalize(); */ static krb5_error_code krb5_authenticator_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_authenticator_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_authenticator_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_authenticator_ser_entry = { @@ -54,10 +55,7 @@ static const krb5_ser_entry krb5_authenticator_ser_entry = { * the krb5_authenticator. */ static krb5_error_code -krb5_authenticator_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_authenticator_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_authenticator *authenticator; @@ -122,11 +120,7 @@ krb5_authenticator_size(kcontext, arg, sizep) * krb5_authenticator_externalize() - Externalize the krb5_authenticator. */ static krb5_error_code -krb5_authenticator_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_authenticator_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_authenticator *authenticator; 
@@ -229,11 +223,7 @@ krb5_authenticator_externalize(kcontext, arg, buffer, lenremain) * krb5_authenticator_internalize() - Internalize the krb5_authenticator. */ static krb5_error_code -krb5_authenticator_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_authenticator_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_authenticator *authenticator; @@ -354,8 +344,7 @@ krb5_authenticator_internalize(kcontext, argp, buffer, lenremain) * Register the authenticator serializer. */ krb5_error_code -krb5_ser_authenticator_init(kcontext) - krb5_context kcontext; +krb5_ser_authenticator_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_authenticator_ser_entry)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_cksum.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_cksum.c index 4dda59663a..72e9c42f7b 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_cksum.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_cksum.c @@ -27,6 +27,7 @@ * ser_cksum.c - Serialize a krb5_checksum structure. */ #include <k5-int.h> +#include <int-proto.h> /* * Routines to deal with externalizing the krb5_checksum: @@ -35,11 +36,11 @@ * krb5_checksum_internalize(); */ static krb5_error_code krb5_checksum_esize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_checksum_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_checksum_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_checksum_ser_entry = { 
@@ -55,10 +56,7 @@ static const krb5_ser_entry krb5_checksum_ser_entry = { */ /*ARGSUSED*/ static krb5_error_code -krb5_checksum_esize(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_checksum_esize(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_checksum *checksum; @@ -88,11 +86,7 @@ krb5_checksum_esize(kcontext, arg, sizep) * krb5_checksum_externalize() - Externalize the krb5_checksum. */ static krb5_error_code -krb5_checksum_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_checksum_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_checksum *checksum; @@ -141,11 +135,7 @@ krb5_checksum_externalize(kcontext, arg, buffer, lenremain) */ /*ARGSUSED*/ static krb5_error_code -krb5_checksum_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_checksum_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_checksum *checksum; @@ -211,8 +201,7 @@ krb5_checksum_internalize(kcontext, argp, buffer, lenremain) * Register the checksum serializer. */ krb5_error_code -krb5_ser_checksum_init(kcontext) - krb5_context kcontext; +krb5_ser_checksum_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_checksum_ser_entry)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_ctx.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_ctx.c index e2d3a8d57b..9b76bc6395 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_ctx.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_ctx.c 
@@ -52,24 +52,24 @@ * krb5_ser_context_init(); */ static krb5_error_code krb5_context_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_context_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_context_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); static krb5_error_code krb5_oscontext_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_oscontext_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_oscontext_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); #ifndef _KERNEL krb5_error_code profile_ser_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); krb5_error_code profile_ser_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); krb5_error_code profile_ser_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); #endif /* Local data */ static const krb5_ser_entry krb5_context_ser_entry = { @@ -98,10 +98,7 @@ static const krb5_ser_entry krb5_profile_ser_entry = { * krb5_context. */ static krb5_error_code -krb5_context_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; size_t required; 
@@ -170,11 +167,7 @@ krb5_context_size(kcontext, arg, sizep) * krb5_context_externalize() - Externalize the krb5_context. */ static krb5_error_code -krb5_context_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_context context; @@ -345,11 +338,7 @@ krb5_context_externalize(kcontext, arg, buffer, lenremain) * krb5_context_internalize() - Internalize the krb5_context. */ static krb5_error_code -krb5_context_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_context context; @@ -477,12 +466,22 @@ krb5_context_internalize(kcontext, argp, buffer, lenremain) goto cleanup; context->scc_default_format = (int) ibuf; - /* Attempt to read in the os_context */ - kret = krb5_internalize_opaque(kcontext, KV5M_OS_CONTEXT, - (krb5_pointer *) &context->os_context, - &bp, &remain); - if (kret && (kret != EINVAL) && (kret != ENOENT)) - goto cleanup; + /* Attempt to read in the os_context. It's an array now, but + we still treat it in most places as a separate object with + a pointer. */ + { + krb5_os_context osp = 0; + kret = krb5_internalize_opaque(kcontext, KV5M_OS_CONTEXT, + (krb5_pointer *) &osp, + &bp, &remain); + if (kret && (kret != EINVAL) && (kret != ENOENT)) + goto cleanup; + /* Put the newly allocated data into the krb5_context + structure where we're really keeping it these days. */ + if (osp) + *context->os_context = *osp; + free(osp); + } /* Attempt to read in the db_context */ kret = krb5_internalize_opaque(kcontext, KV5M_DB_CONTEXT, 
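Review bot: The new os_context block releases `osp` with a bare `free(osp)`, while other files in this commit release memory through `krb5_xfree` and `krb5_xfree_wrap`. This file sits under usr/src/uts/common, so if the path is built for `_KERNEL`, or if krb5_oscontext_internalize allocates through a wrapper, the allocator and deallocator may not match; neither is visible from the hunk. `*context->os_context = *osp` is also a shallow copy, so any pointer members change owner at that line, and a short comment such as `/* struct copy: pointer members now belong to context->os_context */` would keep a later cleanup change from double-freeing them. krb5_context_internalize continues outside the hunk.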
@@ -528,10 +527,7 @@ cleanup: */ /*ARGSUSED*/ static krb5_error_code -krb5_oscontext_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_oscontext_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { /* * We need five 32-bit integers: @@ -546,11 +542,7 @@ krb5_oscontext_size(kcontext, arg, sizep) * krb5_oscontext_externalize() - Externalize the krb5_os_context. */ static krb5_error_code -krb5_oscontext_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_oscontext_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_os_context os_ctx; @@ -589,11 +581,7 @@ krb5_oscontext_externalize(kcontext, arg, buffer, lenremain) */ /*ARGSUSED*/ static krb5_error_code -krb5_oscontext_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_oscontext_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_os_context os_ctx; @@ -647,9 +635,8 @@ krb5_oscontext_internalize(kcontext, argp, buffer, lenremain) /* * Register the context serializers. */ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_ser_context_init(kcontext) - krb5_context kcontext; +krb5_error_code KRB5_CALLCONV +krb5_ser_context_init(krb5_context kcontext) { krb5_error_code kret; kret = krb5_register_serializer(kcontext, &krb5_context_ser_entry); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_key.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_key.c index 74bc50babb..d5afb4e1cf 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_key.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_key.c 
@@ -27,6 +27,7 @@ * ser_key.c - Serialize a krb5_keyblock structure. */ #include <k5-int.h> +#include <int-proto.h> /* * Routines to deal with externalizing the krb5_keyblock: @@ -35,11 +36,11 @@ * krb5_keyblock_internalize(); */ static krb5_error_code krb5_keyblock_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_keyblock_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_keyblock_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_keyblock_ser_entry = { @@ -55,10 +56,7 @@ static const krb5_ser_entry krb5_keyblock_ser_entry = { */ /*ARGSUSED*/ static krb5_error_code -krb5_keyblock_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_keyblock_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_keyblock *keyblock; @@ -89,11 +87,7 @@ krb5_keyblock_size(kcontext, arg, sizep) * krb5_keyblock_externalize() - Externalize the krb5_keyblock. */ static krb5_error_code -krb5_keyblock_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_keyblock_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_keyblock *keyblock; 
@@ -143,11 +137,7 @@ krb5_keyblock_externalize(kcontext, arg, buffer, lenremain) /*ARGSUSED*/ static krb5_error_code -krb5_keyblock_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_keyblock_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_keyblock *keyblock; @@ -208,8 +198,7 @@ krb5_keyblock_internalize(kcontext, argp, buffer, lenremain) * Register the keyblock serializer. */ krb5_error_code -krb5_ser_keyblock_init(kcontext) - krb5_context kcontext; +krb5_ser_keyblock_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_keyblock_ser_entry)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_princ.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_princ.c index 0966fd98a4..9f3ff325f5 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_princ.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/ser_princ.c @@ -1,5 +1,5 @@ /* - * Copyright 2002 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -33,6 +33,7 @@ * ser_princ.c - Serialize a krb5_principal structure. */ #include <k5-int.h> +#include <int-proto.h> /* * Routines to deal with externalizing the krb5_principal: 
@@ -41,11 +42,11 @@ * krb5_principal_internalize(); */ static krb5_error_code krb5_principal_size - KRB5_PROTOTYPE((krb5_context, krb5_pointer, size_t *)); + (krb5_context, krb5_pointer, size_t *); static krb5_error_code krb5_principal_externalize - KRB5_PROTOTYPE((krb5_context, krb5_pointer, krb5_octet **, size_t *)); + (krb5_context, krb5_pointer, krb5_octet **, size_t *); static krb5_error_code krb5_principal_internalize - KRB5_PROTOTYPE((krb5_context,krb5_pointer *, krb5_octet **, size_t *)); + (krb5_context,krb5_pointer *, krb5_octet **, size_t *); /* Local data */ static const krb5_ser_entry krb5_principal_ser_entry = { @@ -60,10 +61,7 @@ static const krb5_ser_entry krb5_principal_ser_entry = { * the krb5_principal. */ static krb5_error_code -krb5_principal_size(kcontext, arg, sizep) - krb5_context kcontext; - krb5_pointer arg; - size_t *sizep; +krb5_principal_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_principal principal; @@ -90,11 +88,7 @@ krb5_principal_size(kcontext, arg, sizep) * krb5_principal_externalize() - Externalize the krb5_principal. */ static krb5_error_code -krb5_principal_externalize(kcontext, arg, buffer, lenremain) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **buffer; - size_t *lenremain; +krb5_principal_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_principal principal; @@ -134,11 +128,7 @@ krb5_principal_externalize(kcontext, arg, buffer, lenremain) * krb5_principal_internalize() - Internalize the krb5_principal. */ static krb5_error_code -krb5_principal_internalize(kcontext, argp, buffer, lenremain) - krb5_context kcontext; - krb5_pointer *argp; - krb5_octet **buffer; - size_t *lenremain; +krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; krb5_principal principal; 
@@ -193,8 +183,7 @@ krb5_principal_internalize(kcontext, argp, buffer, lenremain) * Register the context serializer. */ krb5_error_code -krb5_ser_principal_init(kcontext) - krb5_context kcontext; +krb5_ser_principal_init(krb5_context kcontext) { return(krb5_register_serializer(kcontext, &krb5_principal_ser_entry)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/serialize.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/serialize.c index c05ebacf44..d605d88397 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/serialize.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/serialize.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -41,9 +41,7 @@ * krb5_find_serializer() - See if a particular type is registered. */ krb5_ser_handle -krb5_find_serializer(kcontext, odtype) - krb5_context kcontext; - krb5_magic odtype; +krb5_find_serializer(krb5_context kcontext, krb5_magic odtype) { krb5_ser_handle res; krb5_ser_handle sctx; @@ -64,9 +62,7 @@ krb5_find_serializer(kcontext, odtype) * krb5_register_serializer() - Register a particular serializer. */ krb5_error_code -krb5_register_serializer(kcontext, entry) - krb5_context kcontext; - const krb5_ser_entry *entry; +krb5_register_serializer(krb5_context kcontext, const krb5_ser_entry *entry) { krb5_error_code kret; krb5_ser_handle stable; @@ -105,11 +101,7 @@ krb5_register_serializer(kcontext, entry) * piece of opaque data. */ krb5_error_code KRB5_CALLCONV -krb5_size_opaque( - krb5_context kcontext, - krb5_magic odtype, - krb5_pointer arg, - size_t *sizep) +krb5_size_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, size_t *sizep) { krb5_error_code kret; krb5_ser_handle shandle; 
@@ -125,12 +117,7 @@ krb5_size_opaque( * krb5_externalize_opaque() - Externalize a piece of opaque data. */ krb5_error_code KRB5_CALLCONV -krb5_externalize_opaque( - krb5_context kcontext, - krb5_magic odtype, - krb5_pointer arg, - krb5_octet * *bufpp, - size_t *sizep) +krb5_externalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep) { krb5_error_code kret; krb5_ser_handle shandle; @@ -147,11 +134,7 @@ krb5_externalize_opaque( * Externalize a piece of arbitrary data. */ krb5_error_code -krb5_externalize_data(kcontext, arg, bufpp, sizep) - krb5_context kcontext; - krb5_pointer arg; - krb5_octet **bufpp; - size_t *sizep; +krb5_externalize_data(krb5_context kcontext, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep) { krb5_error_code kret; krb5_magic *mp; @@ -186,12 +169,7 @@ krb5_externalize_data(kcontext, arg, bufpp, sizep) * structure. */ krb5_error_code KRB5_CALLCONV -krb5_internalize_opaque( - krb5_context kcontext, - krb5_magic odtype, - krb5_pointer *argp, - krb5_octet * *bufpp, - size_t *sizep) +krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *argp, krb5_octet **bufpp, size_t *sizep) { krb5_error_code kret; krb5_ser_handle shandle; @@ -209,10 +187,7 @@ krb5_internalize_opaque( * Update buffer pointer and remaining space. */ krb5_error_code KRB5_CALLCONV -krb5_ser_pack_int32( - krb5_int32 iarg, - krb5_octet * *bufp, - size_t *remainp) +krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp) { if (*remainp >= sizeof(krb5_int32)) { (*bufp)[0] = (krb5_octet) ((iarg >> 24) & 0xff); 
@@ -248,11 +223,7 @@ krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp) * krb5_ser_pack_bytes() - Pack a string of bytes. */ krb5_error_code KRB5_CALLCONV -krb5_ser_pack_bytes( - krb5_octet *ostring, - size_t osize, - krb5_octet * *bufp, - size_t *remainp) +krb5_ser_pack_bytes(krb5_octet *ostring, size_t osize, krb5_octet **bufp, size_t *remainp) { if (*remainp >= osize) { (void) memcpy(*bufp, ostring, osize); @@ -268,10 +239,7 @@ krb5_ser_pack_bytes( * krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there. */ krb5_error_code KRB5_CALLCONV -krb5_ser_unpack_int32( - krb5_int32 *intp, - krb5_octet * *bufp, - size_t *remainp) +krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp) { if (*remainp >= sizeof(krb5_int32)) { *intp = (((krb5_int32) ((unsigned char) (*bufp)[0]) << 24) | @@ -306,11 +274,7 @@ krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp) * krb5_ser_unpack_bytes() - Unpack a byte string if it's there. */ krb5_error_code KRB5_CALLCONV -krb5_ser_unpack_bytes( - krb5_octet *istring, - size_t isize, - krb5_octet * *bufp, - size_t *remainp) +krb5_ser_unpack_bytes(krb5_octet *istring, size_t isize, krb5_octet **bufp, size_t *remainp) { if (*remainp >= isize) { (void) memcpy(istring, *bufp, isize); diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c index ef6d425982..2fd0a91b7f 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/unparse.c @@ -29,7 +29,7 @@ * * krb5_unparse_name() routine * - * Rewritten by Theodore Ts'o to propoerly unparse principal names + * Rewritten by Theodore Ts'o to properly unparse principal names * which have the component or realm separator as part of one of their * components. */ 
@@ -63,18 +63,17 @@ #define COMPONENT_SEP '/' /*ARGSUSED*/ -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_unparse_name_ext(context, principal, name, size) - krb5_context context; - krb5_const_principal principal; - register char FAR * FAR *name; - int FAR *size; +krb5_error_code KRB5_CALLCONV +krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, register char **name, unsigned int *size) { register char *cp, *q; register int i,j; int length; krb5_int32 nelem; - register int totalsize = 0; + register unsigned int totalsize = 0; + + if (!principal || !name) + return KRB5_PARSE_MALFORMED; cp = krb5_princ_realm(context, principal)->data; length = krb5_princ_realm(context, principal)->length; @@ -100,7 +99,7 @@ krb5_unparse_name_ext(context, principal, name, size) } if (nelem == 0 ) totalsize++; - + /* * Allocate space for the ascii string; if space has been * provided, use it, realloc'ing it if necessary. @@ -202,13 +201,11 @@ krb5_unparse_name_ext(context, principal, name, size) return 0; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_unparse_name(context, principal, name) - krb5_context context; - krb5_const_principal principal; - register char **name; +krb5_error_code KRB5_CALLCONV +krb5_unparse_name(krb5_context context, krb5_const_principal principal, register char **name) { - *name = NULL; + if (name) /* name == NULL will return error from _ext */ + *name = NULL; return(krb5_unparse_name_ext(context, principal, name, NULL)); } diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/c_ustime.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/c_ustime.c index 39c2c2d711..dffde1f40d 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/c_ustime.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/c_ustime.c 
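Review bot: In `krb5_unparse_name_ext` the accumulator `totalsize` and the `*size` parameter become `unsigned int`, but `length` and the indices `i`, `j` stay `int`, so the size arithmetic further down mixes signed and unsigned values. Declaring `unsigned int length;` alongside would make the intent explicit, provided the `length` field read through `krb5_princ_realm(...)` is itself unsigned after the resync, which is worth confirming. The new `if (!principal || !name)` guard deliberately leaves `size` unchecked, since `krb5_unparse_name` passes NULL for it; a short comment such as `/* size may be NULL: caller wants a fresh allocation */` would record that, if that is the contract. The function body continues outside the hunk.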
@@ -1,9 +1,10 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" + /* * lib/crypto/os/c_ustime.c * @@ -14,7 +15,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright 
@@ -28,239 +29,22 @@ * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. - * + * * * krb5_mstimeofday for BSD 4.3 */ - -#define NEED_SOCKETS -#include <k5-int.h> - -#ifdef macintosh - -/* We're a Macintosh -- do Mac time things. */ - -/* - * This code is derived from kerberos/src/lib/des/mac_time.c from - * the Cygnus Support release of Kerberos V4: - * - * mac_time.c - * (Originally time_stuff.c) - * Copyright 1989 by the Massachusetts Institute of Technology. - * Macintosh ooperating system interface for Kerberos. - */ - -#include <ConditionalMacros.h> -#include <script.h> /* Defines MachineLocation, used by getTimeZoneOffset */ -#include <ToolUtils.h> /* Defines BitTst(), called by getTimeZoneOffset() */ -#include <OSUtils.h> /* Defines GetDateTime */ -#include <DriverServices.h> /* Nanosecond timing */ -#include <CodeFragments.h> /* Check for presence of UpTime */ -#include <Math64.h> /* 64-bit integer math */ - -/* Mac Cincludes */ -#include <string.h> -#include <stddef.h> - -static krb5_int32 last_sec = 0, last_usec = 0; - -/* Check for availability of microseconds or better timer */ -Boolean HaveAccurateTime (); - -/* Convert nanoseconds to date and time */ -void AbsoluteToSecsNanosecs ( - AbsoluteTime eventTime, /* Value to convert */ - UInt32 *eventSeconds, /* Result goes here */ - UInt32 *residualNanoseconds /* Fractional second */ - ); - -/* - * The Unix epoch is 1/1/70, the Mac epoch is 1/1/04. - * - * 70 - 4 = 66 year differential - * - * Thus the offset is: - * - * (66 yrs) * (365 days/yr) * (24 hours/day) * (60 mins/hour) * (60 secs/min) - * plus - * (17 leap days) * (24 hours/day) * (60 mins/hour) * (60 secs/min) - * - * Don't forget the offset from GMT. 
- */ - -/* returns the offset in hours between the mac local time and the GMT */ -/* unsigned krb5_int32 */ -krb5_int32 -getTimeZoneOffset() -{ - MachineLocation macLocation; - long gmtDelta; - - macLocation.u.gmtDelta=0L; - ReadLocation(&macLocation); - gmtDelta=macLocation.u.gmtDelta & 0x00FFFFFF; - if (BitTst((void *)&gmtDelta,23L)) - gmtDelta |= 0xFF000000; - gmtDelta /= 3600L; - return(gmtDelta); -} - -/* Returns the GMT in seconds (and fake microseconds) using the Unix epoch */ - -/* - * Note that unix timers are guaranteed that consecutive calls to timing functions will - * always return monotonically increasing values for time; even if called within one microsecond, - * they must increase from one call to another. We must preserve this property in this code, - * even though Mac UpTime does not make such guarantees... (actually it does, but it measures in - * units that can be finer than 1 microsecond, so conversion can cause repeat microsecond values - */ - -krb5_error_code -krb5_crypto_us_timeofday(seconds, microseconds) - krb5_int32 *seconds, *microseconds; -{ - krb5_int32 sec, usec; - time_t the_time; - - GetDateTime (&the_time); - sec = the_time - - ((66 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) + - (getTimeZoneOffset() * 60 * 60)); - -#if TARGET_CPU_PPC /* Only PPC has accurate time */ - if (HaveAccurateTime ()) { /* Does hardware support accurate time? */ - - AbsoluteTime absoluteTime; - UInt32 nanoseconds; - - absoluteTime = UpTime (); - AbsoluteToSecsNanosecs (absoluteTime, &sec, &nanoseconds); - - usec = nanoseconds / 1000; - } else -#endif /* TARGET_CPU_PPC */ - { - GetDateTime (&sec); - usec = 0; - } - - /* Fix secs to UNIX epoch */ - - sec -= ((66 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) + - (getTimeZoneOffset() * 60 * 60)); - /* Make sure that we are _not_ repeating */ - - if (sec < last_sec) { /* Seconds should be at least equal to last seconds */ - sec = last_sec; - } - - if (sec == last_sec) { /* Same seconds as last time? 
*/ - if (usec <= last_usec) { /* Yep, microseconds must be bigger than last time*/ - usec = last_usec + 1; - } - - if (usec >= 1000000) { /* handle 1e6 wraparound */ - sec++; - usec = 0; - } - } - - last_sec = sec; /* Remember for next time */ - last_usec = usec; - - *seconds = sec; - *microseconds = usec; /* Return the values */ - - return 0; -} - -/* Check if we have microsecond or better timer */ - -Boolean HaveAccurateTime () -{ - static Boolean alreadyChecked = false; - static haveAccurateTime = false; - - if (!alreadyChecked) { - alreadyChecked = true; - haveAccurateTime = false; -#if TARGET_CPU_PPC - if ((Ptr) UpTime != (Ptr) kUnresolvedCFragSymbolAddress) { - UInt32 minAbsoluteTimeDelta; - UInt32 theAbsoluteTimeToNanosecondNumerator; - UInt32 theAbsoluteTimeToNanosecondDenominator; - UInt32 theProcessorToAbsoluteTimeNumerator; - UInt32 theProcessorToAbsoluteTimeDenominator; - - GetTimeBaseInfo ( - &minAbsoluteTimeDelta, - &theAbsoluteTimeToNanosecondNumerator, - &theAbsoluteTimeToNanosecondDenominator, - &theProcessorToAbsoluteTimeNumerator, - &theProcessorToAbsoluteTimeDenominator); - - /* minAbsoluteTimeDelta is the period in which Uptime is updated, in absolute time */ - /* We convert it to nanoseconds and compare it with .5 microsecond */ - - if (minAbsoluteTimeDelta * theAbsoluteTimeToNanosecondNumerator < - 500 * theAbsoluteTimeToNanosecondDenominator) { - haveAccurateTime = true; - } - } -#endif /* TARGET_CPU_PPC */ - } - - return haveAccurateTime; -} +#define NEED_SOCKETS +#include "k5-int.h" +#include "k5-thread.h" -/* Convert nanoseconds to date and time */ -void AbsoluteToSecsNanosecs ( - AbsoluteTime eventTime, /* Value to convert */ - UInt32 *eventSeconds, /* Result goes here */ - UInt32 *residualNanoseconds /* Fractional second */ - ) -{ - UInt64 eventNanoseconds; - UInt64 eventSeconds64; - static const UInt64 kTenE9 = U64SetU (1000000000); - static UInt64 gNanosecondsAtStart = U64SetU (0); +k5_mutex_t krb5int_us_time_mutex = 
K5_MUTEX_PARTIAL_INITIALIZER; - /* - * If this is the first call, compute the offset between - * GetDateTime and UpTime. - */ - if (U64Compare (gNanosecondsAtStart, U64SetU (0)) == 0) { - UInt32 secondsAtStart; - AbsoluteTime absoluteTimeAtStart; - UInt64 upTimeAtStart; - UInt64 nanosecondsAtStart; +struct time_now { krb5_int32 sec, usec; }; - GetDateTime (&secondsAtStart); - upTimeAtStart = UnsignedWideToUInt64 (AbsoluteToNanoseconds (UpTime())); - nanosecondsAtStart = U64SetU (secondsAtStart); - nanosecondsAtStart = U64Multiply (nanosecondsAtStart, kTenE9); - gNanosecondsAtStart = U64Subtract (nanosecondsAtStart, upTimeAtStart); - } - /* - * Convert the event time (UpTime value) to nanoseconds and add - * the local time epoch. - */ - eventNanoseconds = UnsignedWideToUInt64 (AbsoluteToNanoseconds (eventTime)); - eventNanoseconds = U64Add (gNanosecondsAtStart, eventNanoseconds); - /* - * eventSeconds = eventNanoseconds /= 10e9; - * residualNanoseconds = eventNanoseconds % 10e9; - * Finally, compute the local time (seconds) and fraction. - */ - eventSeconds64 = U64Div (eventNanoseconds, kTenE9); - eventNanoseconds = U64Subtract (eventNanoseconds, U64Multiply (eventSeconds64, kTenE9)); - *eventSeconds = (UInt64ToUnsignedWide (eventSeconds64)).lo; - *residualNanoseconds = (UInt64ToUnsignedWide (eventNanoseconds)).lo; -} -#elif defined(_WIN32) +#if defined(_WIN32) /* Microsoft Windows NT and 95 (32bit) */ /* This one works for WOW (Windows on Windows, ntvdm on Win-NT) */ 
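Review bot: `krb5int_us_time_mutex` is defined with `K5_MUTEX_PARTIAL_INITIALIZER`, and nothing in the visible hunks completes the initialisation, so the lock taken later in `krb5_crypto_us_timeofday` relies on a finish-init call made elsewhere. A comment on the definition naming where that happens, for example `/* completed with k5_mutex_finish_init() in the library init routine */` (to be confirmed against the init code), would make the dependency visible. This matters most for the `_KERNEL` build, where it is not obvious from this file which init path runs.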
@@ -269,199 +53,82 @@ void AbsoluteToSecsNanosecs ( #include <sys/timeb.h> #include <string.h> -krb5_error_code -krb5_crypto_us_timeofday(seconds, microseconds) -register krb5_int32 *seconds, *microseconds; +static krb5_error_code +get_time_now(struct time_now *n) { struct _timeb timeptr; - krb5_int32 sec, usec; - static krb5_int32 last_sec = 0; - static krb5_int32 last_usec = 0; - - _ftime(&timeptr); /* Get the current time */ - sec = timeptr.time; - usec = timeptr.millitm * 1000; - - if ((sec == last_sec) && (usec <= last_usec)) { /* Same as last time??? */ - usec = ++last_usec; - if (usec >= 1000000) { - ++sec; - usec = 0; - } - } - last_sec = sec; /* Remember for next time */ - last_usec = usec; - - *seconds = sec; /* Return the values */ - *microseconds = usec; - + _ftime(&timeptr); + n->sec = timeptr.time; + n->usec = timeptr.millitm * 1000; return 0; } -#elif defined (_MSDOS) - - -/* - * Originally written by John Gilmore, Cygnus Support, May '94. - * Public Domain. - */ - -#include <time.h> -#include <sys/timeb.h> -#include <dos.h> -#include <string.h> +#else -/* - * Time handling. Translate Unix time calls into Kerberos internal - * procedure calls. - * - * Due to the fact that DOS time can be unreliable we have reverted - * to using the AT hardware clock and converting it to Unix time. - */ -static time_t win_gettime (); -static long win_time_get_epoch(); /* Adjust for MSC 7.00 bug */ +/* Everybody else is UNIX, right? POSIX 1996 doesn't give us + gettimeofday, but what real OS doesn't? */ -krb5_error_code -krb5_crypto_us_timeofday(seconds, microseconds) -register krb5_int32 *seconds, *microseconds; +static krb5_error_code +get_time_now(struct time_now *n) { - krb5_int32 sec, usec; - static krb5_int32 last_sec = 0; - static krb5_int32 last_usec = 0; - - sec = win_gettime (); /* Get the current time */ - usec = 0; /* Can't do microseconds */ - - if (sec == last_sec) { /* Same as last time??? 
*/ - usec = ++last_usec; /* Yep, so do microseconds */ - if (usec >= 1000000) { - ++sec; - usec = 0; - } - } - last_sec = sec; /* Remember for next time */ - last_usec = usec; + struct timeval tv; +#ifdef _KERNEL + timestruc_t now; - *seconds = sec; /* Return the values */ - *microseconds = usec; + gethrestime(&now); + tv.tv_sec = now.tv_sec; + tv.tv_usec = now.tv_nsec / (NANOSEC / MICROSEC); +#else + if (gettimeofday(&tv, (struct timezone *)0) == -1) + return errno; +#endif + n->sec = tv.tv_sec; + n->usec = tv.tv_usec; return 0; } - - -static time_t -win_gettime () { - struct tm tm; - union _REGS inregs; /* For calling BIOS */ - union _REGS outregs; - struct _timeb now; - time_t time; - long convert; /* MSC 7.00 bug work around */ - - _ftime(&now); /* Daylight savings time */ - - /* Get time from AT hardware clock INT 0x1A, AH=2 */ - (void) memset(&inregs, 0, sizeof(inregs)); - inregs.h.ah = 2; - _int86(0x1a, &inregs, &outregs); - - /* 0x13 = decimal 13, hence the decoding below */ - tm.tm_sec = 10 * ((outregs.h.dh & 0xF0) >> 4) + (outregs.h.dh & 0x0F); - tm.tm_min = 10 * ((outregs.h.cl & 0xF0) >> 4) + (outregs.h.cl & 0x0F); - tm.tm_hour = 10 * ((outregs.h.ch & 0xF0) >> 4) + (outregs.h.ch & 0x0F); - - /* Get date from AT hardware clock INT 0x1A, AH=4 */ - (void) memset(&inregs, 0, sizeof(inregs)); - inregs.h.ah = 4; - _int86(0x1a, &inregs, &outregs); - - tm.tm_mday = 10 * ((outregs.h.dl & 0xF0) >> 4) + (outregs.h.dl & 0x0F); - tm.tm_mon = 10 * ((outregs.h.dh & 0xF0) >> 4) + (outregs.h.dh & 0x0F) - 1; - tm.tm_year = 10 * ((outregs.h.cl & 0xF0) >> 4) + (outregs.h.cl & 0x0F); - tm.tm_year += 100 * ((10 * (outregs.h.ch & 0xF0) >> 4) - + (outregs.h.ch & 0x0F) - 19); - - tm.tm_wday = 0; - tm.tm_yday = 0; - tm.tm_isdst = now.dstflag; - - time = mktime(&tm); - - convert = win_time_get_epoch(); - return time + convert; - -} - - -/* - * This routine figures out the current time epoch and returns the - * conversion factor. 
It exists because - * Microloss screwed the pooch on the time() and _ftime() calls in - * its release 7.0 libraries. They changed the epoch to Dec 31, 1899! - * Idiots... We try to cope. - */ - -static struct tm jan_1_70 = {0, 0, 0, 1, 0, 70}; -static long epoch = 0; -static int epoch_set = 0; - -long -win_time_get_epoch() -{ - - if (!epoch_set) { - epoch = 0 - mktime (&jan_1_70); /* Seconds til 1970 localtime */ - epoch += _timezone; /* Seconds til 1970 GMT */ - epoch_set = 1; - } - return epoch; -} - - -#else - - -/* We're a Unix machine -- do Unix time things. */ - -#ifdef _KERNEL -#include <sys/time.h> -#else -#include <time.h> -#include <errno.h> #endif -static struct timeval last_tv = {0, 0}; +static struct time_now last_time; krb5_error_code -krb5_crypto_us_timeofday(seconds, microseconds) - register krb5_int32 *seconds, *microseconds; +krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds) { - struct timeval tv; - timestruc_t now; - -#ifndef _KERNEL - if (gettimeofday(&tv, (struct timezone *)NULL) == -1) { - /* failed, return errno */ - return ((krb5_error_code) errno); + struct time_now now; + krb5_error_code err; + + err = get_time_now(&now); + if (err) + return err; + + err = k5_mutex_lock(&krb5int_us_time_mutex); + if (err) + return err; + /* Just guessing: If the number of seconds hasn't changed, yet the + microseconds are moving backwards, we probably just got a third + instance of returning the same clock value from the system, so + the saved value was artificially incremented. + + On Windows, where we get millisecond accuracy currently, that's + quite likely. On UNIX, it appears that we always get new + microsecond values, so this case should never trigger. */ + if ((now.sec == last_time.sec) && (now.usec <= last_time.usec)) { + /* Same as last time??? 
*/ + now.usec = ++last_time.usec; + if (now.usec >= 1000000) { + ++now.sec; + now.usec = 0; } -#else - gethrestime(&now); - tv.tv_sec = now.tv_sec; - tv.tv_usec = now.tv_nsec / (NANOSEC / MICROSEC); -#endif - if ((tv.tv_sec == last_tv.tv_sec) && (tv.tv_usec == last_tv.tv_usec)) { - if (++last_tv.tv_usec >= 1000000) { - last_tv.tv_usec = 0; - last_tv.tv_sec++; - } - tv = last_tv; - } else - last_tv = tv; + /* For now, we're not worrying about the case of enough + returns of the same value that we roll over now.sec, and + the next call still gets the previous now.sec value. */ + } + last_time.sec = now.sec; /* Remember for next time */ + last_time.usec = now.usec; + (void) k5_mutex_unlock(&krb5int_us_time_mutex); - *seconds = tv.tv_sec; - *microseconds = tv.tv_usec; - return (0); + *seconds = now.sec; + *microseconds = now.usec; + return 0; } - -#endif diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c index 46f78576ab..1007b3b27e 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/init_os_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -35,12 +35,20 @@ #define NEED_WINDOWS #include <k5-int.h> +#ifndef _KERNEL +#include "os-proto.h" +#endif + +/* SUNW14resync: Solaris kerb does not need this feature in this file */ +#ifdef USE_LOGIN_LIBRARY +#undef USE_LOGIN_LIBRARY +#endif -#ifdef macintosh -#include <PreferencesLib.h> -#endif /* macintosh */ +#ifdef USE_LOGIN_LIBRARY +#include "KerberosLoginPrivate.h" +#endif -#if defined(_MSDOS) || defined(_WIN32) +#if defined(_WIN32) static krb5_error_code get_from_windows_dir( 
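Review bot: The uniqueness check in `krb5_crypto_us_timeofday` only covers `now.sec == last_time.sec`; when the system clock steps back by a second or more, `last_time` is simply overwritten and values already handed out can be returned again. If callers rely on this routine for non-repeating timestamps (presumably authenticator times checked against a replay cache), that case deserves either a clamp such as `if (now.sec < last_time.sec) now = last_time;` ahead of the existing test, or a sentence next to the rollover remark saying that backward steps are deliberately ignored. Clamping trades accuracy for uniqueness, so which of the two is right is a design decision. Separately, the early `return err;` after a failed `k5_mutex_lock` leaves `*seconds` and `*microseconds` unset, which a header comment on the function should state.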
@@ -171,14 +179,12 @@ get_from_registry( return retval; } -#endif /* _MSDOS || _WIN32 */ +#endif /* _WIN32 */ #ifndef _KERNEL static void -free_filespecs(files) - profile_filespec_t *files; +free_filespecs(profile_filespec_t *files) { -#ifndef macintosh char **cp; if (files == 0) 
@@ -186,107 +192,16 @@ free_filespecs(files) for (cp = files; *cp; cp++) free(*cp); -#endif free(files); } -static krb5_error_code -os_get_default_config_files(pfiles, secure) - profile_filespec_t ** pfiles; - krb5_boolean secure; +/* This function is needed by KfM's KerberosPreferences API + * because it needs to be able to specify "secure" */ +krb5_error_code +os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) { profile_filespec_t* files; -#ifdef macintosh - FSSpec* preferencesFiles = nil; - UInt32 numPreferencesFiles; - FSSpec* preferencesFilesToInit = nil; - UInt32 numPreferencesFilesToInit; - UInt32 i; - Boolean foundPreferences = false; - Boolean writtenPreferences = false; - SInt16 refNum = -1; - SInt32 length = 0; - - OSErr err = KPGetListOfPreferencesFiles ( - secure ? kpSystemPreferences : kpUserPreferences | kpSystemPreferences, - &preferencesFiles, - &numPreferencesFiles); - - if (err == noErr) { - /* After we get the list of files, check whether any of them contain any useful information */ - for (i = 0; i < numPreferencesFiles; i++) { - if (KPPreferencesFileIsReadable (&preferencesFiles [i]) == noErr) { - /* It's readable, check if it has anything in the data fork */ - err = FSpOpenDF (&preferencesFiles [i], fsRdPerm, &refNum); - if (err == noErr) { - err = GetEOF (refNum, &length); - } - - if (refNum != -1) { - FSClose (refNum); - } - - if (length != 0) { - foundPreferences = true; - break; - } - } - } - - if (!foundPreferences) { - /* We found no profile data in any of those files; try to initialize one */ - /* If we are running "secure" do not try to initialize preferences */ - if (!secure) { - err = KPGetListOfPreferencesFiles (kpUserPreferences, &preferencesFilesToInit, &numPreferencesFilesToInit); - if (err == noErr) { - for (i = 0; i < numPreferencesFilesToInit; i++) { - if (KPPreferencesFileIsWritable (&preferencesFilesToInit [i]) == noErr) { - err = noErr; - /* If not readable, create it */ - if 
(KPPreferencesFileIsReadable (&preferencesFilesToInit [i]) != noErr) { - err = KPCreatePreferencesFile (&preferencesFilesToInit [i]); - } - /* Initialize it */ - if (err == noErr) { - err = KPInitializeWithDefaultKerberosLibraryPreferences (&preferencesFilesToInit [i]); - } - break; - } - } - } - } - } - } - - if (err == noErr) { - files = malloc ((numPreferencesFiles + 1) * sizeof (FSSpec)); - if (files == NULL) - err = memFullErr; - } - - if (err == noErr) { - for (i = 0; i < numPreferencesFiles; i++) { - files [i] = preferencesFiles [i]; - } - - files [numPreferencesFiles].vRefNum = 0; - files [numPreferencesFiles].parID = 0; - files [numPreferencesFiles].name[0] = '\0'; - } - - if (preferencesFiles != nil) - KPFreeListOfPreferencesFiles (preferencesFiles); - - if (preferencesFilesToInit != nil) - KPFreeListOfPreferencesFiles (preferencesFilesToInit); - - if (err == memFullErr) - return ENOMEM; - else if (err != noErr) - return ENOENT; - -#else /* !macintosh */ -#if defined(_MSDOS) || defined(_WIN32) +#if defined(_WIN32) krb5_error_code retval = 0; char *name = 0; @@ -331,14 +246,24 @@ os_get_default_config_files(pfiles, secure) files = malloc(2 * sizeof(char *)); files[0] = name; files[1] = 0; -#else /* !_MSDOS && !_WIN32 */ +#else /* !_WIN32 */ char* filepath = 0; int n_entries, i; - int ent_len; + unsigned int ent_len; const char *s, *t; - if (!secure) filepath = getenv("KRB5_CONFIG"); - if (!filepath) filepath = DEFAULT_PROFILE_PATH; +#ifdef USE_LOGIN_LIBRARY + /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably + trying to authenticate to a fileserver for the user's homedir. */ + if (secure || !__KLAllowHomeDirectoryAccess ()) { +#else + if (secure) { +#endif + filepath = DEFAULT_SECURE_PROFILE_PATH; + } else { + filepath = getenv("KRB5_CONFIG"); + if (!filepath) filepath = DEFAULT_PROFILE_PATH; + } /* count the distinct filename components */ for(s = filepath, n_entries = 1; *s; s++) { 
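Review bot: In `os_get_default_config_files` the `secure` branch is the only thing keeping `KRB5_CONFIG` from steering the profile path, and nothing in the hunk says so. A comment above `if (secure) {` such as `/* secure callers must not take the profile path from the environment */` would keep a later edit from moving the `getenv()` call back out of the `else`. The `USE_LOGIN_LIBRARY` alternative is dead in this file because the macro is undefined near the top, so the `#ifdef` wrapped around the opening brace could be dropped to leave a single, readable condition. The function starts and ends outside this hunk.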
@@ -372,9 +297,8 @@ os_get_default_config_files(pfiles, secure) } /* cap the array */ files[i] = 0; -#endif /* !_MSDOS && !_WIN32 */ -#endif /* !macintosh */ - *pfiles = files; +#endif /* !_WIN32 */ + *pfiles = (profile_filespec_t *)files; return 0; } @@ -383,8 +307,7 @@ os_get_default_config_files(pfiles, secure) do not include user paths (from environment variables, etc.) */ static krb5_error_code -os_init_paths(ctx) - krb5_context ctx; +os_init_paths(krb5_context ctx) { krb5_error_code retval = 0; profile_filespec_t *files = 0; @@ -399,6 +322,7 @@ os_init_paths(ctx) if (!retval) { retval = profile_init((const_profile_filespec_t *) files, &ctx->profile); + #ifdef KRB5_DNS_LOOKUP /* if none of the filenames can be opened use an empty profile */ if (retval == ENOENT) { @@ -430,31 +354,22 @@ os_init_paths(ctx) #endif /* !_KERNEL */ krb5_error_code -krb5_os_init_context(ctx) - krb5_context ctx; +krb5_os_init_context(krb5_context ctx) { krb5_os_context os_ctx; krb5_error_code retval = 0; - if (ctx->os_context) - return 0; - - os_ctx = MALLOC(sizeof(struct _krb5_os_context)); - if (!os_ctx) - return ENOMEM; - (void) memset(os_ctx, 0, sizeof(struct _krb5_os_context)); + os_ctx = ctx->os_context; os_ctx->magic = KV5M_OS_CONTEXT; - ctx->os_context = (void *) os_ctx; - os_ctx->time_offset = 0; os_ctx->usec_offset = 0; os_ctx->os_flags = 0; os_ctx->default_ccname = 0; - os_ctx->default_ccprincipal = 0; #ifndef _KERNEL krb5_cc_set_default_name(ctx, NULL); + retval = os_init_paths(ctx); #endif /* 
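Review bot: `krb5_os_init_context` now does `os_ctx = ctx->os_context;` and writes `os_ctx->magic` straight away, with the previous `MALLOC` and the `if (ctx->os_context) return 0;` guard removed, so it depends on `ctx->os_context` already referring to valid storage. Presumably the resynced `k5-int.h` embeds the structure in the context; if so, a comment such as `/* os_context is storage embedded in krb5_context, never NULL */` above the assignment would record that, and if not, this is a NULL dereference that is particularly costly in the `_KERNEL` build. The same applies to the `krb5_os_free_context` hunk further down, which drops its `if (!os_ctx) return;` check. Dropping the early return also means a second call resets `default_ccname` to 0 and, outside the kernel, runs `os_init_paths` again, which is worth confirming as intended.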
@@ -467,18 +382,18 @@ krb5_os_init_context(ctx) #ifndef _KERNEL -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_profile (ctx, profile) - krb5_context ctx; - profile_t* profile; +krb5_error_code KRB5_CALLCONV +krb5_get_profile (krb5_context ctx, profile_t *profile) { krb5_error_code retval = 0; profile_filespec_t *files = 0; retval = os_get_default_config_files(&files, ctx->profile_secure); - if (!retval) - retval = profile_init((const_profile_filespec_t *) files, profile); + if (!retval) { + retval = profile_init((const_profile_filespec_t *) files, + profile); + } if (files) free_filespecs(files); @@ -498,13 +413,10 @@ krb5_get_profile (ctx, profile) #endif -#ifndef macintosh #ifndef _KERNEL krb5_error_code -krb5_set_config_files(ctx, filenames) - krb5_context ctx; - const char **filenames; +krb5_set_config_files(krb5_context ctx, const char **filenames) { krb5_error_code retval; profile_t profile; @@ -520,30 +432,26 @@ krb5_set_config_files(ctx, filenames) return 0; } -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_get_default_config_files(pfilenames) - char ***pfilenames; +krb5_error_code KRB5_CALLCONV +krb5_get_default_config_files(char ***pfilenames) { if (!pfilenames) return EINVAL; return os_get_default_config_files(pfilenames, FALSE); } -KRB5_DLLIMP void KRB5_CALLCONV -krb5_free_config_files(filenames) - char **filenames; +void KRB5_CALLCONV +krb5_free_config_files(char **filenames) { free_filespecs(filenames); } #endif /* _KERNEL */ -#endif /* macintosh */ #ifndef _KERNEL krb5_error_code -krb5_secure_config_files(ctx) - krb5_context ctx; +krb5_secure_config_files(krb5_context ctx) { /* Obsolete interface; always return an error. 
@@ -567,30 +475,19 @@ krb5_secure_config_files(ctx) #endif /* _KERNEL */ void -krb5_os_free_context(ctx) - krb5_context ctx; +krb5_os_free_context(krb5_context ctx) { krb5_os_context os_ctx; os_ctx = ctx->os_context; - if (!os_ctx) - return; - if (os_ctx->default_ccname) { FREE(os_ctx->default_ccname, strlen(os_ctx->default_ccname) + 1); os_ctx->default_ccname = 0; } - if (os_ctx->default_ccprincipal) { - krb5_free_principal (ctx, os_ctx->default_ccprincipal); - os_ctx->default_ccprincipal = 0; - } - os_ctx->magic = 0; - FREE(os_ctx, sizeof(struct _krb5_os_context)); - ctx->os_context = 0; #ifndef _KERNEL if (ctx->profile) { diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/timeofday.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/timeofday.c index d4200bf49b..3608dc4d4c 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/timeofday.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5/os/timeofday.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -50,10 +50,8 @@ extern int errno; #endif -KRB5_DLLIMP krb5_error_code KRB5_CALLCONV -krb5_timeofday(context, timeret) - krb5_context context; - register krb5_int32 FAR *timeret; +krb5_error_code KRB5_CALLCONV +krb5_timeofday(krb5_context context, register krb5_int32 *timeret) { krb5_os_context os_ctx = context->os_context; krb5_int32 tval; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/krb5mech.c b/usr/src/uts/common/gssapi/mechs/krb5/krb5mech.c index a6152f3f53..c0d828c3d9 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/krb5mech.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/krb5mech.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * * A module for Kerberos V5 security mechanism. 
@@ -23,10 +23,10 @@ char _depends_on[] = "misc/kgssapi crypto/md5"; OM_uint32 krb5_gss_get_context(void ** context); extern krb5_error_code krb5_ser_context_init - KRB5_PROTOTYPE((krb5_context)); + (krb5_context); extern krb5_error_code krb5_ser_auth_context_init - KRB5_PROTOTYPE((krb5_context)); + (krb5_context); static struct gss_config krb5_mechanism = {{9, "\052\206\110\206\367\022\001\002\002"}, diff --git a/usr/src/uts/common/gssapi/mechs/krb5/mech/import_sec_context.c b/usr/src/uts/common/gssapi/mechs/krb5/mech/import_sec_context.c index 118c4d6f53..0bc87cc72a 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/mech/import_sec_context.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/mech/import_sec_context.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2005 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -39,7 +39,6 @@ #include <k5-int.h> #include <gssapi/gssapi.h> -#include <sys/debug.h> /* * Fix up the OID of the mechanism so that uses the static version of * the OID if possible. diff --git a/usr/src/uts/common/gssapi/mechs/krb5/mech/util_token.c b/usr/src/uts/common/gssapi/mechs/krb5/mech/util_token.c index 6a2b4d5b76..1d51fa9855 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/mech/util_token.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/mech/util_token.c @@ -24,6 +24,14 @@ #include <gssapiP_generic.h> /* + * SUNW14resync + * This is defed in autoconf but we don't grok it for kernel (why?). + */ +#ifndef SIZEOF_INT +#define SIZEOF_INT 4 +#endif + +/* * $Id: util_token.c,v 1.20.2.1 2003/12/16 02:56:16 tlyu Exp $ */ diff --git a/usr/src/uts/intel/kmech_krb5/Makefile b/usr/src/uts/intel/kmech_krb5/Makefile index 60270e4087..47a5df3ca0 100644 --- a/usr/src/uts/intel/kmech_krb5/Makefile +++ b/usr/src/uts/intel/kmech_krb5/Makefile 
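Review bot: The fallback `#define SIZEOF_INT 4` added to util_token.c is an unchecked assumption, and its comment ends on an open question (`(why?)`) instead of stating the reason. A compile-time check next to the define, for example `typedef char sizeof_int_check[(sizeof (int) == SIZEOF_INT) ? 1 : -1];`, would make a mismatch fail the build rather than silently change whatever length handling in this file keys off `SIZEOF_INT`. The comment could then read `/* autoconf normally defines this; the kernel build does not run autoconf */`, if that is indeed the reason.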
@@ -20,7 +20,7 @@ # CDDL HEADER END # # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # #ident "%Z%%M% %I% %E% SMI" @@ -83,4 +83,6 @@ include $(UTSBASE)/intel/Makefile.targ INC_PATH += \ -I$(UTSBASE)/common/gssapi \ -I$(UTSBASE)/common/gssapi/include \ - -I$(UTSBASE)/common/gssapi/mechs/krb5/include + -I$(UTSBASE)/common/gssapi/mechs/krb5/include \ + -I$(SRC)/lib/gss_mechs/mech_krb5/include \ + -I$(SRC)/lib/gss_mechs/mech_krb5/krb5/krb diff --git a/usr/src/uts/sparc/kmech_krb5/Makefile b/usr/src/uts/sparc/kmech_krb5/Makefile index 5fb14f0712..95ea38603a 100644 --- a/usr/src/uts/sparc/kmech_krb5/Makefile +++ b/usr/src/uts/sparc/kmech_krb5/Makefile @@ -20,7 +20,7 @@ # CDDL HEADER END # # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # #ident "%Z%%M% %I% %E% SMI" @@ -88,4 +88,6 @@ include $(UTSBASE)/sparc/Makefile.targ INC_PATH += \ -I$(UTSBASE)/common/gssapi \ -I$(UTSBASE)/common/gssapi/include \ - -I$(UTSBASE)/common/gssapi/mechs/krb5/include + -I$(UTSBASE)/common/gssapi/mechs/krb5/include \ + -I$(SRC)/lib/gss_mechs/mech_krb5/include \ + -I$(SRC)/lib/gss_mechs/mech_krb5/krb5/krb diff --git a/usr/src/uts/sun4u/kmech_krb5/Makefile b/usr/src/uts/sun4u/kmech_krb5/Makefile index 57b45c7140..12be55bdff 100644 --- a/usr/src/uts/sun4u/kmech_krb5/Makefile +++ b/usr/src/uts/sun4u/kmech_krb5/Makefile @@ -20,7 +20,7 @@ # CDDL HEADER END # # -# Copyright 2004 Sun Microsystems, Inc. All rights reserved. +# Copyright 2005 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # #ident "%Z%%M% %I% %E% SMI" 
@@ -94,4 +94,6 @@ include $(UTSBASE)/sun4u/Makefile.targ INC_PATH += \ -I$(UTSBASE)/common/gssapi \ -I$(UTSBASE)/common/gssapi/include \ - -I$(UTSBASE)/common/gssapi/mechs/krb5/include + -I$(UTSBASE)/common/gssapi/mechs/krb5/include \ + -I$(SRC)/lib/gss_mechs/mech_krb5/include \ + -I$(SRC)/lib/gss_mechs/mech_krb5/krb5/krb |