authorgtb <none@none>2006-04-07 14:00:07 -0700
committergtb <none@none>2006-04-07 14:00:07 -0700
commit10db1377dafab8ba3feedef26db9c5d8539a5cd1 (patch)
treedd10e8021cd240a1c6f61f33a7c7878625ff240c /usr/src/lib
parent48451833426400c4caea45c906663fcdc96fa797 (diff)
PSARC 2006/027 Open Kerberos APIs
6381288 we should expose the krb5 api
Diffstat (limited to 'usr/src/lib')
-rw-r--r--usr/src/lib/Makefile2
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/Makefile.com7
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c68
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/include/com_err.h21
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/include/profile.h49
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chpw.c522
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_set_keyblock.c66
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/krb5/krb/init_allocated_keyblock.c65
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/krb5/os/changepw.c432
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/spec/krb5_crypto.spec25
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec57
-rw-r--r--usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec25
-rwxr-xr-xusr/src/lib/libkrb5/Makefile71
-rwxr-xr-xusr/src/lib/libkrb5/Makefile.com71
-rw-r--r--usr/src/lib/libkrb5/amd64/Makefile35
-rw-r--r--usr/src/lib/libkrb5/common/mapfile273
-rwxr-xr-xusr/src/lib/libkrb5/i386/Makefile36
-rwxr-xr-xusr/src/lib/libkrb5/sparc/Makefile35
-rwxr-xr-xusr/src/lib/libkrb5/sparcv9/Makefile35
19 files changed, 1879 insertions, 16 deletions
diff --git a/usr/src/lib/Makefile b/usr/src/lib/Makefile
index 0865e0328f..a46006f5d5 100644
--- a/usr/src/lib/Makefile
+++ b/usr/src/lib/Makefile
@@ -137,6 +137,7 @@ SUBDIRS += \
nametoaddr \
ncad_addr \
gss_mechs/mech_krb5 .WAIT \
+ libkrb5 .WAIT \
krb5 .WAIT
$(CLOSED_BUILD)SUBDIRS += \
$(CLOSED)/lib/smartcard
@@ -369,6 +370,7 @@ HDRSUBDIRS= libaio \
fm \
udapl \
libmapid \
+ libkrb5 \
$($(MACH)_HDRSUBDIRS)
$(CLOSED_BUILD)HDRSUBDIRS += \
diff --git a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com
index 2045938977..963e451194 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/Makefile.com
+++ b/usr/src/lib/gss_mechs/mech_krb5/Makefile.com
@@ -28,7 +28,7 @@ CRYPTO = cksumtype_to_string.o \
keyed_checksum_types.o keyed_cksum.o \
make_random_key.o string_to_cksumtype.o \
string_to_enctype.o string_to_key.o valid_cksumtype.o \
- valid_enctype.o pkcs11slot.o state.o pbkdf2.o
+ valid_enctype.o pkcs11slot.o state.o pbkdf2.o old_api_glue.o
CRYPTO_UTS= cksumtypes.o decrypt.o encrypt.o encrypt_length.o \
etypes.o nfold.o verify_checksum.o default_state.o \
@@ -115,7 +115,8 @@ K5_KRB= addr_comp.o addr_order.o addr_srch.o \
recvauth.o send_tgs.o sendauth.o srv_rcache.o str_conv.o \
tgtname.o valid_times.o walk_rtree.o appdefault.o deltat.o \
enc_helper.o gic_keytab.o gic_opt.o gic_pwd.o preauth2.o \
- vfy_increds.o vic_opt.o krb5_libinit.o
+ vfy_increds.o vic_opt.o krb5_libinit.o chpw.o \
+ init_keyblock.o init_allocated_keyblock.o get_set_keyblock.o
K5_KRB_UTS= copy_athctr.o copy_auth.o copy_cksum.o copy_key.o \
copy_princ.o init_ctx.o kfree.o parse.o ser_actx.o \
@@ -131,7 +132,7 @@ K5_OS= an_to_ln.o def_realm.o ccdefname.o free_krbhs.o free_hstrl.o \
read_msg.o read_pwd.o realm_dom.o sendto_kdc.o sn2princ.o \
unlck_file.o ustime.o write_msg.o safechown.o \
prompter.o realm_iter.o foreachaddr.o \
- dnsglue.o dnssrv.o thread_safe.o
+ dnsglue.o dnssrv.o thread_safe.o changepw.o
K5_OS_UTS=init_os_ctx.o timeofday.o toffset.o c_ustime.o
diff --git a/usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c b/usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c
new file mode 100644
index 0000000000..aaa411544f
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/crypto/old_api_glue.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government. It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. FundsXpress makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "k5-int.h"
+
+/*
+ * Solaris Kerberos
+ * krb5_string_to_key/krb5_use_enctype are needed by Samba
+ */
+
+krb5_error_code KRB5_CALLCONV
+krb5_string_to_key(krb5_context context, const krb5_encrypt_block *eblock,
+ krb5_keyblock *keyblock, const krb5_data *data,
+ const krb5_data *salt)
+{
+ return(krb5_c_string_to_key(context, eblock->crypto_entry, data, salt,
+ keyblock));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_use_enctype(krb5_context context, krb5_encrypt_block *eblock,
+ krb5_enctype enctype)
+{
+ eblock->crypto_entry = enctype;
+
+ return(0);
+}
+
+size_t KRB5_CALLCONV
+krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)
+{
+ size_t ret;
+
+ if (krb5_c_checksum_length(context, ctype, &ret))
+ return(-1); /* XXX */
+
+ return(ret);
+}
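Review bot: `krb5_checksum_size` returns `size_t`, so the `return(-1); /* XXX */` taken when `krb5_c_checksum_length` fails reaches the caller as the largest `size_t` value rather than a negative number. A caller that tests the result with `< 0`, or sizes a buffer from it, cannot see the error and may attempt an enormous allocation or copy. If the signature has to stay as it is for compatibility, the convention should at least be documented above the function, for example `/* Returns (size_t)-1 for an unknown checksum type; check before using the value as a length. */`. `krb5_string_to_key` and `krb5_use_enctype` also dereference `eblock` without a NULL check.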
diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h b/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h
index 5042f46836..e32d283aba 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h
+++ b/usr/src/lib/gss_mechs/mech_krb5/include/com_err.h
@@ -1,4 +1,9 @@
/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
* Header file for common error description library.
*
* Copyright 1988, Student Information Processing Board of the
@@ -48,12 +53,16 @@ extern void KRB5_CALLCONV com_err_va
extern /*@observer@*//*@dependent@*/ const char * KRB5_CALLCONV error_message
(errcode_t)
/*@modifies internalState@*/;
-extern errcode_t KRB5_CALLCONV add_error_table
- (/*@dependent@*/ const struct error_table *)
- /*@modifies internalState@*/;
-extern errcode_t KRB5_CALLCONV remove_error_table
- (const struct error_table *)
- /*@modifies internalState@*/;
+
+/*
+ * Solaris Kerberos
+ * {add_,remove_}error_table have been removed here as they don't exist
+ * in the Solaris mech.
+ *
+ * initialize_krb5_error_table is not be needed anymore but Samba still
+ * calls it so we make it a no-op.
+ */
+#define initialize_krb5_error_table()
#if !defined(_WIN32)
/*
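Review bot: `#define initialize_krb5_error_table()` expands to nothing, so it only compiles where the call is a bare statement. Writing it as `#define initialize_krb5_error_table() ((void)0)` keeps the no-op but stays valid in expression context and avoids empty-statement warnings in callers. The comment above it should read "is not needed anymore".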
diff --git a/usr/src/lib/gss_mechs/mech_krb5/include/profile.h b/usr/src/lib/gss_mechs/mech_krb5/include/profile.h
index 1aabcc8b8b..1882a09a11 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/include/profile.h
+++ b/usr/src/lib/gss_mechs/mech_krb5/include/profile.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -12,9 +12,6 @@
#ifndef _KRB5_PROFILE_H
#define _KRB5_PROFILE_H
-/* SUNW14resync */
-#include "../profile/prof_err.h"
-
#if defined(_WIN32)
#include <win-mac.h>
#endif
@@ -133,3 +130,47 @@ long KRB5_CALLCONV profile_add_relation
#endif /* __cplusplus */
#endif /* _KRB5_PROFILE_H */
+
+/*
+ * ettmp22072.h:
+ * This file is automatically generated; please do not edit it.
+ */
+
+#include <com_err.h>
+
+#define PROF_VERSION (-1429577728L)
+#define PROF_MAGIC_NODE (-1429577727L)
+#define PROF_NO_SECTION (-1429577726L)
+#define PROF_NO_RELATION (-1429577725L)
+#define PROF_ADD_NOT_SECTION (-1429577724L)
+#define PROF_SECTION_WITH_VALUE (-1429577723L)
+#define PROF_BAD_LINK_LIST (-1429577722L)
+#define PROF_BAD_GROUP_LVL (-1429577721L)
+#define PROF_BAD_PARENT_PTR (-1429577720L)
+#define PROF_MAGIC_ITERATOR (-1429577719L)
+#define PROF_SET_SECTION_VALUE (-1429577718L)
+#define PROF_EINVAL (-1429577717L)
+#define PROF_READ_ONLY (-1429577716L)
+#define PROF_SECTION_NOTOP (-1429577715L)
+#define PROF_SECTION_SYNTAX (-1429577714L)
+#define PROF_RELATION_SYNTAX (-1429577713L)
+#define PROF_EXTRA_CBRACE (-1429577712L)
+#define PROF_MISSING_OBRACE (-1429577711L)
+#define PROF_MAGIC_PROFILE (-1429577710L)
+#define PROF_MAGIC_SECTION (-1429577709L)
+#define PROF_TOPSECTION_ITER_NOSUPP (-1429577708L)
+#define PROF_INVALID_SECTION (-1429577707L)
+#define PROF_END_OF_SECTIONS (-1429577706L)
+#define PROF_BAD_NAMESET (-1429577705L)
+#define PROF_NO_PROFILE (-1429577704L)
+#define PROF_MAGIC_FILE (-1429577703L)
+#define PROF_FAIL_OPEN (-1429577702L)
+#define PROF_EXISTS (-1429577701L)
+#define PROF_BAD_BOOLEAN (-1429577700L)
+#define PROF_BAD_INTEGER (-1429577699L)
+#define PROF_MAGIC_FILE_DATA (-1429577698L)
+
+#define ERROR_TABLE_BASE_prof (-1429577728L)
+
+/* for compatibility with older versions... */
+#define prof_err_base ERROR_TABLE_BASE_prof
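Review bot: The error-table block is appended after `#endif /* _KRB5_PROFILE_H */`, so it sits outside the include guard. Every repeated inclusion re-processes `#include <com_err.h>` and all the `PROF_*` definitions; identical redefinitions are legal, but any later divergence turns into a redefinition diagnostic that is hard to trace. I would move the block above the `#endif /* _KRB5_PROFILE_H */` line and replace the "automatically generated; please do not edit" header with a comment saying the values were copied from the generated `prof_err.h`.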
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chpw.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chpw.c
new file mode 100644
index 0000000000..f964132e87
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/chpw.c
@@ -0,0 +1,522 @@
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc.
+*/
+#include <string.h>
+
+#include "k5-int.h"
+/* #include "krb5_err.h" gtb */
+#include "auth_con.h"
+
+
+krb5_error_code
+krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet)
+{
+ krb5_error_code ret = 0;
+ krb5_data clearpw;
+ krb5_data cipherpw;
+ krb5_replay_data replay;
+ char *ptr;
+
+ cipherpw.data = NULL;
+
+ if ((ret = krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
+ goto cleanup;
+
+ clearpw.length = strlen(passwd);
+ clearpw.data = passwd;
+
+ if ((ret = krb5_mk_priv(context, auth_context,
+ &clearpw, &cipherpw, &replay)))
+ goto cleanup;
+
+ packet->length = 6 + ap_req->length + cipherpw.length;
+ packet->data = (char *) malloc(packet->length);
+ if (packet->data == NULL)
+ {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ ptr = packet->data;
+
+ /* length */
+
+ *ptr++ = (packet->length>>8) & 0xff;
+ *ptr++ = packet->length & 0xff;
+
+ /* version == 0x0001 big-endian */
+
+ *ptr++ = 0;
+ *ptr++ = 1;
+
+ /* ap_req length, big-endian */
+
+ *ptr++ = (ap_req->length>>8) & 0xff;
+ *ptr++ = ap_req->length & 0xff;
+
+ /* ap-req data */
+
+ memcpy(ptr, ap_req->data, ap_req->length);
+ ptr += ap_req->length;
+
+ /* krb-priv of password */
+
+ memcpy(ptr, cipherpw.data, cipherpw.length);
+
+cleanup:
+ if(cipherpw.data != NULL) /* allocated by krb5_mk_priv */
+ free(cipherpw.data);
+
+ return(ret);
+}
+
+krb5_error_code
+krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data)
+{
+ char *ptr;
+ int plen, vno;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_enc;
+ krb5_error_code ret;
+ krb5_data cipherresult;
+ krb5_data clearresult;
+ krb5_error *krberror;
+ krb5_replay_data replay;
+ krb5_keyblock *tmp;
+
+ if (packet->length < 4)
+ /* either this, or the server is printing bad messages,
+ or the caller passed in garbage */
+ return(KRB5KRB_AP_ERR_MODIFIED);
+
+ ptr = packet->data;
+
+ /* verify length */
+
+ plen = (*ptr++ & 0xff);
+ plen = (plen<<8) | (*ptr++ & 0xff);
+
+ if (plen != packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+
+ /* verify version number */
+
+ vno = (*ptr++ & 0xff);
+ vno = (vno<<8) | (*ptr++ & 0xff);
+
+ if (vno != 1)
+ return(KRB5KDC_ERR_BAD_PVNO);
+
+ /* read, check ap-rep length */
+
+ ap_rep.length = (*ptr++ & 0xff);
+ ap_rep.length = (ap_rep.length<<8) | (*ptr++ & 0xff);
+
+ if (ptr + ap_rep.length >= packet->data + packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+
+ if (ap_rep.length) {
+ /* verify ap_rep */
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmp);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+
+ /* extract and decrypt the result */
+
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
+ krb5_free_keyblock(context, tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ &replay);
+
+ if (ret)
+ return(ret);
+ } else {
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
+ return(ret);
+
+ clearresult = krberror->e_data;
+ }
+
+ if (clearresult.length < 2) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+
+ ptr = clearresult.data;
+
+ *result_code = (*ptr++ & 0xff);
+ *result_code = (*result_code<<8) | (*ptr++ & 0xff);
+
+ if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
+ (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+
+ /* all success replies should be authenticated/encrypted */
+
+ if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+
+ result_data->length = (clearresult.data + clearresult.length) - ptr;
+
+ if (result_data->length) {
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(result_data->data, ptr, result_data->length);
+ } else {
+ result_data->data = NULL;
+ }
+
+ ret = 0;
+
+cleanup:
+ if (ap_rep.length) {
+ krb5_xfree(clearresult.data);
+ } else {
+ krb5_free_error(context, krberror);
+ }
+
+ return(ret);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_chpw_result_code_string(krb5_context context, int result_code, char **code_string)
+{
+ switch (result_code) {
+ case KRB5_KPASSWD_MALFORMED:
+ *code_string = "Malformed request error";
+ break;
+ case KRB5_KPASSWD_HARDERROR:
+ *code_string = "Server error";
+ break;
+ case KRB5_KPASSWD_AUTHERROR:
+ *code_string = "Authentication error";
+ break;
+ case KRB5_KPASSWD_SOFTERROR:
+ *code_string = "Password change rejected";
+ break;
+ default:
+ *code_string = "Password change failed";
+ break;
+ }
+
+ return(0);
+}
+
+krb5_error_code
+krb5int_mk_setpw_req(
+ krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ krb5_principal targprinc,
+ char *passwd,
+ krb5_data *packet )
+{
+ krb5_error_code ret;
+ krb5_data cipherpw;
+ krb5_data *encoded_setpw;
+
+ char *ptr;
+
+ cipherpw.data = NULL;
+ cipherpw.length = 0;
+
+ if ((ret = krb5_auth_con_setflags(context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
+ return(ret);
+
+ ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw);
+ if (ret) {
+ return ret;
+ }
+
+ if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
+ krb5_free_data( context, encoded_setpw);
+ return(ret);
+ }
+ krb5_free_data( context, encoded_setpw);
+
+
+ packet->length = 6 + ap_req->length + cipherpw.length;
+ packet->data = (char *) malloc(packet->length);
+ if (packet->data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ ptr = packet->data;
+/*
+** build the packet -
+*/
+/* put in the length */
+ *ptr++ = (packet->length>>8) & 0xff;
+ *ptr++ = packet->length & 0xff;
+/* put in the version */
+ *ptr++ = (char)0xff;
+ *ptr++ = (char)0x80;
+/* the ap_req length is big endian */
+ *ptr++ = (ap_req->length>>8) & 0xff;
+ *ptr++ = ap_req->length & 0xff;
+/* put in the request data */
+ memcpy(ptr, ap_req->data, ap_req->length);
+ ptr += ap_req->length;
+/*
+** put in the "private" password data -
+*/
+ memcpy(ptr, cipherpw.data, cipherpw.length);
+ ret = 0;
+ cleanup:
+ if (cipherpw.data)
+ krb5_free_data_contents(context, &cipherpw);
+ if ((ret != 0) && packet->data) {
+ free( packet->data);
+ packet->data = NULL;
+ }
+ return ret;
+}
+
+krb5_error_code
+krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet,
+ int *result_code, krb5_data *result_data )
+{
+ char *ptr;
+ unsigned int message_length, version_number;
+ krb5_data ap_rep;
+ krb5_ap_rep_enc_part *ap_rep_enc;
+ krb5_error_code ret;
+ krb5_data cipherresult;
+ krb5_data clearresult;
+ krb5_keyblock *tmpkey;
+/*
+** validate the packet length -
+*/
+ if (packet->length < 4)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+
+ ptr = packet->data;
+
+/*
+** see if it is an error
+*/
+ if (krb5_is_krb_error(packet)) {
+ krb5_error *krberror;
+ if ((ret = krb5_rd_error(context, packet, &krberror)))
+ return(ret);
+ if (krberror->e_data.data == NULL) {
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+ krb5_free_error(context, krberror);
+ return (ret);
+ }
+ clearresult = krberror->e_data;
+ krberror->e_data.data = NULL; /*So we can free it later*/
+ krberror->e_data.length = 0;
+ krb5_free_error(context, krberror);
+
+ } else { /* Not an error*/
+
+/*
+** validate the message length -
+** length is big endian
+*/
+ message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure the message length and packet length agree -
+*/
+ if (message_length != packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** get the version number -
+*/
+ version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** make sure we support the version returned -
+*/
+/*
+** set password version is 0xff80, change password version is 1
+*/
+ if (version_number != 0xff80 && version_number != 1)
+ return(KRB5KDC_ERR_BAD_PVNO);
+/*
+** now fill in ap_rep with the reply -
+*/
+/*
+** get the reply length -
+*/
+ ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+/*
+** validate ap_rep length agrees with the packet length -
+*/
+ if (ptr + ap_rep.length >= packet->data + packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+/*
+** if data was returned, set the ap_rep ptr -
+*/
+ if( ap_rep.length ) {
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmpkey);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+/*
+** now decrypt the result -
+*/
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ NULL);
+ if (ret)
+ return(ret);
+ } /*We got an ap_rep*/
+ else
+ return (KRB5KRB_AP_ERR_MODIFIED);
+ } /*Response instead of error*/
+
+/*
+** validate the cleartext length
+*/
+ if (clearresult.length < 2) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** now decode the result -
+*/
+ ptr = clearresult.data;
+
+ *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+
+/*
+** result code 5 is access denied
+*/
+ if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5))
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+/*
+** all success replies should be authenticated/encrypted
+*/
+ if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) )
+ {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
+
+ if (result_data) {
+ result_data->length = (clearresult.data + clearresult.length) - ptr;
+
+ if (result_data->length)
+ {
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data)
+ memcpy(result_data->data, ptr, result_data->length);
+ }
+ else
+ result_data->data = NULL;
+ }
+ ret = 0;
+
+ cleanup:
+ krb5_free_data_contents(context, &clearresult);
+ return(ret);
+}
+
+krb5_error_code
+krb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string )
+{
+ switch (result_code)
+ {
+ case KRB5_KPASSWD_MALFORMED:
+ *code_string = "Malformed request error";
+ break;
+ case KRB5_KPASSWD_HARDERROR:
+ *code_string = "Server error";
+ break;
+ case KRB5_KPASSWD_AUTHERROR:
+ *code_string = "Authentication error";
+ break;
+ case KRB5_KPASSWD_SOFTERROR:
+ *code_string = "Password change rejected";
+ break;
+ case 5: /* access denied */
+ *code_string = "Access denied";
+ break;
+ case 6: /* bad version */
+ *code_string = "Wrong protocol version";
+ break;
+ case 7: /* initial flag is needed */
+ *code_string = "Initial password required";
+ break;
+ case 0:
+ *code_string = "Success";
+ default:
+ *code_string = "Password change failed";
+ break;
+ }
+
+ return(0);
+}
+
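Review bot: In `krb5int_rd_setpw_rep` the big-endian reads are written as `(((ptr[0] << 8)&0xff) | (ptr[1]&0xff))`, which masks after the shift and therefore always drops the high byte; this affects `message_length`, `version_number`, `ap_rep.length` and `*result_code`, so the 0xff80 version test can never match and a reply of 256 bytes or more fails the length comparison. The mask belongs before the shift, `((ptr[0] & 0xff) << 8) | (ptr[1] & 0xff)`, which is what `krb5int_rd_chpw_rep` effectively does. Both reply parsers reject only packets shorter than four bytes but then read six header bytes from data that arrives from the network, so the guard should be `if (packet->length < 6)`. In `krb5int_rd_setpw_rep` the KRB-ERROR branch never assigns `ap_rep.length`, which is later read in the `(ap_rep.length == 0)` success check, and a failed `malloc` for `result_data->data` still returns 0 with a non-zero length. `krb5int_setpw_result_code_string` lacks a `break;` after `*code_string = "Success";`, so result code 0 is reported as "Password change failed".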
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_set_keyblock.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_set_keyblock.c
new file mode 100644
index 0000000000..c61b1989e5
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/get_set_keyblock.c
@@ -0,0 +1,66 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include "k5-int.h"
+
+
+krb5_enctype
+krb5_get_key_enctype(krb5_keyblock *kb)
+{
+ return (kb->enctype);
+}
+
+unsigned int
+krb5_get_key_length(krb5_keyblock *kb)
+{
+ return (kb->length);
+}
+
+krb5_octet *
+krb5_get_key_data(krb5_keyblock *kb)
+{
+ return (kb->contents);
+}
+
+void
+krb5_set_key_enctype(krb5_keyblock *kb, krb5_enctype enctype)
+{
+ kb->enctype = enctype;
+}
+
+void
+krb5_set_key_length(krb5_keyblock *kb, unsigned int len)
+{
+ kb->length = len;
+}
+
+void
+krb5_set_key_data(krb5_keyblock *kb, krb5_octet *data)
+{
+ kb->contents = data;
+}
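Review bot: `krb5_set_key_data` and `krb5_set_key_length` overwrite `kb->contents` and `kb->length` independently, and nothing in the file says who owns the previous buffer or that the two fields must stay in step. Because these are being exposed as public accessors for key material, a caller can leak an unzeroed key or leave `length` larger than the allocation that later code copies or clears. I would add a block comment above the setters stating that the old `contents` is neither freed nor zeroed, who owns `data` after the call, and that `length` must match the size of `contents`. None of the six functions checks `kb` for NULL, which is worth stating in the same comment.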
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/init_allocated_keyblock.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/init_allocated_keyblock.c
new file mode 100644
index 0000000000..11d096ce6f
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/krb/init_allocated_keyblock.c
@@ -0,0 +1,65 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include "k5-int.h"
+
+krb5_error_code KRB5_CALLCONV
+krb5_init_allocated_keyblock(
+ krb5_context context,
+ krb5_enctype enctype,
+ unsigned int length,
+ krb5_keyblock *kb)
+{
+
+ if (!kb)
+ return (EINVAL);
+
+ (void) memset(kb, 0, sizeof (*kb));
+ kb->enctype = enctype;
+ kb->length = length;
+
+ if (length) {
+ kb->contents = malloc(length);
+ if (!kb->contents) {
+ return (ENOMEM);
+ }
+ (void) memset(kb->contents, 0, length);
+ } else {
+ kb->contents = NULL;
+ }
+
+ kb->dk_list = NULL;
+
+#ifdef _KERNEL
+ kb->kef_key = NULL;
+#else
+ kb->hKey = CK_INVALID_HANDLE;
+#endif
+
+ return (0);
+}
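Review bot: On the `malloc` failure path `kb->length` has already been set to `length` while `kb->contents` is NULL, so the function returns `ENOMEM` with an inconsistent keyblock. Any cleanup code that wipes or copies `kb->length` bytes before releasing the keyblock would then go through a NULL pointer. Adding `kb->length = 0;` before `return (ENOMEM);`, or assigning `kb->length` only after the allocation succeeds, keeps the structure safe to release. The `malloc` followed by `memset` could also be a single `calloc(1, length)`.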
diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/changepw.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/changepw.c
new file mode 100644
index 0000000000..760f47e1e9
--- /dev/null
+++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/changepw.c
@@ -0,0 +1,432 @@
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * lib/krb5/os/changepw.c
+ *
+ * Copyright 1990,1999,2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ * Added by Paul W. Nelson, Thursby Software Systems, Inc.
+ */
+
+#define NEED_SOCKETS
+#include "fake-addrinfo.h"
+#include "k5-int.h"
+#include "os-proto.h"
+
+#include <stdio.h>
+#include <errno.h>
+
+#ifndef GETSOCKNAME_ARG3_TYPE
+#define GETSOCKNAME_ARG3_TYPE int
+#endif
+
+/*
+ * Wrapper function for the two backends
+ */
+
+static krb5_error_code
+krb5_locate_kpasswd(krb5_context context, const krb5_data *realm,
+ struct addrlist *addrlist)
+{
+ krb5_error_code code;
+
+ code = krb5int_locate_server (context, realm, addrlist, 0,
+ "kpasswd_server", "_kpasswd", 0,
+ htons(DEFAULT_KPASSWD_PORT), 0, 0);
+ if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
+ code = krb5int_locate_server (context, realm, addrlist, 0,
+ "admin_server", "_kerberos-adm", 1,
+ DEFAULT_KPASSWD_PORT, 0, 0);
+ if (!code) {
+ /* Success with admin_server but now we need to change the
+ port number to use DEFAULT_KPASSWD_PORT. */
+ int i;
+ for ( i=0;i<addrlist->naddrs;i++ ) {
+ struct addrinfo *a = addrlist->addrs[i];
+ if (a->ai_family == AF_INET)
+ sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
+ }
+ }
+ }
+ return (code);
+}
+
+
+/*
+** The logic for setting and changing a password is mostly the same
+** krb5_change_set_password handles both cases
+** if set_password_for is NULL, then a password change is performed,
+** otherwise, the password is set for the principal indicated in set_password_for
+*/
+krb5_error_code KRB5_CALLCONV
+krb5_change_set_password(
+ krb5_context context, krb5_creds *creds, char *newpw, krb5_principal set_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+{
+ krb5_auth_context auth_context;
+ krb5_data ap_req, chpw_req, chpw_rep;
+ krb5_address local_kaddr, remote_kaddr;
+ char *code_string;
+ krb5_error_code code = 0;
+ int i;
+ GETSOCKNAME_ARG3_TYPE addrlen;
+ struct sockaddr_storage local_addr, remote_addr, tmp_addr;
+ int cc, local_result_code;
+ /* platforms seem to be consistant and use the same types */
+ GETSOCKNAME_ARG3_TYPE tmp_len;
+ SOCKET s1 = INVALID_SOCKET, s2 = INVALID_SOCKET;
+ int tried_one = 0;
+ struct addrlist al = ADDRLIST_INIT;
+
+
+ /* Initialize values so that cleanup call can safely check for NULL */
+ auth_context = NULL;
+ memset(&chpw_req, 0, sizeof(krb5_data));
+ memset(&chpw_rep, 0, sizeof(krb5_data));
+ memset(&ap_req, 0, sizeof(krb5_data));
+
+ /* initialize auth_context so that we know we have to free it */
+ if ((code = krb5_auth_con_init(context, &auth_context)))
+ goto cleanup;
+
+ if ((code = krb5_mk_req_extended(context, &auth_context,
+ AP_OPTS_USE_SUBKEY,
+ NULL, creds, &ap_req)))
+ goto cleanup;
+
+ if ((code = krb5_locate_kpasswd(context,
+ krb5_princ_realm(context, creds->server),
+ &al)))
+ goto cleanup;
+
+ /* this is really obscure. s1 is used for all communications. it
+ is left unconnected in case the server is multihomed and routes
+ are asymmetric. s2 is connected to resolve routes and get
+ addresses. this is the *only* way to get proper addresses for
+ multihomed hosts if routing is asymmetric.
+
+ A related problem in the server, but not the client, is that
+ many os's have no way to disconnect a connected udp socket, so
+ the s2 socket needs to be closed and recreated for each
+ request. The s1 socket must not be closed, or else queued
+ requests will be lost.
+
+ A "naive" client implementation (one socket, no connect,
+ hostname resolution to get the local ip addr) will work and
+ interoperate if the client is single-homed. */
+
+ if ((s1 = socket(AF_INET, SOCK_DGRAM, 0)) == INVALID_SOCKET) {
+ code = SOCKET_ERRNO;
+ goto cleanup;
+ }
+
+ if ((s2 = socket(AF_INET, SOCK_DGRAM, 0)) == INVALID_SOCKET) {
+ code = SOCKET_ERRNO;
+ goto cleanup;
+ }
+
+ /*
+ * This really should try fallback addresses in cases of timeouts.
+ * For now, where the MIT KDC implementation only supports one
+ * kpasswd server machine anyways, we'll only try the first IPv4
+ * address we can connect() to. This isn't right for multi-homed
+ * servers; oh well.
+ */
+ for (i=0; i<al.naddrs; i++) {
+ fd_set fdset;
+ struct timeval timeout;
+
+ /* XXX Now the locate_ functions can return IPv6 addresses. */
+ if (al.addrs[i]->ai_family != AF_INET)
+ continue;
+
+ tried_one = 1;
+ if (connect(s2, al.addrs[i]->ai_addr, al.addrs[i]->ai_addrlen) == SOCKET_ERROR) {
+ if (SOCKET_ERRNO == ECONNREFUSED || SOCKET_ERRNO == EHOSTUNREACH)
+ continue; /* try the next addr */
+
+ code = SOCKET_ERRNO;
+ goto cleanup;
+ }
+
+ addrlen = sizeof(local_addr);
+
+ if (getsockname(s2, ss2sa(&local_addr), &addrlen) < 0) {
+ if (SOCKET_ERRNO == ECONNREFUSED || SOCKET_ERRNO == EHOSTUNREACH)
+ continue; /* try the next addr */
+
+ code = SOCKET_ERRNO;
+ goto cleanup;
+ }
+
+ /* some brain-dead OS's don't return useful information from
+ * the getsockname call. Namely, windows and solaris. */
+
+ if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
+ local_kaddr.addrtype = ADDRTYPE_INET;
+ local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
+ local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
+ } else {
+ krb5_address **addrs;
+
+ krb5_os_localaddr(context, &addrs);
+
+ local_kaddr.magic = addrs[0]->magic;
+ local_kaddr.addrtype = addrs[0]->addrtype;
+ local_kaddr.length = addrs[0]->length;
+ local_kaddr.contents = malloc(addrs[0]->length);
+ memcpy(local_kaddr.contents, addrs[0]->contents, addrs[0]->length);
+
+ krb5_free_addresses(context, addrs);
+ }
+
+ addrlen = sizeof(remote_addr);
+ if (getpeername(s2, ss2sa(&remote_addr), &addrlen) < 0) {
+ if (SOCKET_ERRNO == ECONNREFUSED || SOCKET_ERRNO == EHOSTUNREACH)
+ continue; /* try the next addr */
+
+ code = SOCKET_ERRNO;
+ goto cleanup;
+ }
+
+ remote_kaddr.addrtype = ADDRTYPE_INET;
+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+ remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+
+ /* mk_priv requires that the local address be set.
+ getsockname is used for this. rd_priv requires that the
+ remote address be set. recvfrom is used for this. If
+ rd_priv is given a local address, and the message has the
+ recipient addr in it, this will be checked. However, there
+ is simply no way to know ahead of time what address the
+ message will be delivered *to*. Therefore, it is important
+ that either no recipient address is in the messages when
+ mk_priv is called, or that no local address is passed to
+ rd_priv. Both is a better idea, and I have done that. In
+ summary, when mk_priv is called, *only* a local address is
+ specified. when rd_priv is called, *only* a remote address
+ is specified. Are we having fun yet? */
+
+ if ((code = krb5_auth_con_setaddrs(context, auth_context,
+ &local_kaddr, NULL))) {
+ goto cleanup;
+ }
+
+ if( set_password_for )
+ code = krb5int_mk_setpw_req(context, auth_context, &ap_req, set_password_for, newpw, &chpw_req);
+ else
+ code = krb5int_mk_chpw_req(context, auth_context, &ap_req, newpw, &chpw_req);
+ if (code)
+ {
+ goto cleanup;
+ }
+
+ if ((cc = sendto(s1, chpw_req.data,
+ (GETSOCKNAME_ARG3_TYPE) chpw_req.length, 0,
+ al.addrs[i]->ai_addr, al.addrs[i]->ai_addrlen)) != chpw_req.length)
+ {
+ if ((cc < 0) && ((SOCKET_ERRNO == ECONNREFUSED) ||
+ (SOCKET_ERRNO == EHOSTUNREACH)))
+ continue; /* try the next addr */
+
+ code = (cc < 0) ? SOCKET_ERRNO : ECONNABORTED;
+ goto cleanup;
+ }
+
+ chpw_rep.length = 1500;
+ chpw_rep.data = (char *) malloc(chpw_rep.length);
+
+ /* XXX need a timeout/retry loop here */
+ FD_ZERO (&fdset);
+ FD_SET (s1, &fdset);
+ timeout.tv_sec = 120;
+ timeout.tv_usec = 0;
+ switch (select (s1 + 1, &fdset, 0, 0, &timeout)) {
+ case -1:
+ code = SOCKET_ERRNO;
+ goto cleanup;
+ case 0:
+ code = ETIMEDOUT;
+ goto cleanup;
+ default:
+ /* fall through */
+ ;
+ }
+
+ /* "recv" would be good enough here... except that Windows/NT
+ commits the atrocity of returning -1 to indicate failure,
+ but leaving errno set to 0.
+
+ "recvfrom(...,NULL,NULL)" would seem to be a good enough
+ alternative, and it works on NT, but it doesn't work on
+ SunOS 4.1.4 or Irix 5.3. Thus we must actually accept the
+ value and discard it. */
+ tmp_len = sizeof(tmp_addr);
+ if ((cc = recvfrom(s1, chpw_rep.data,
+ (GETSOCKNAME_ARG3_TYPE) chpw_rep.length,
+ 0, ss2sa(&tmp_addr), &tmp_len)) < 0)
+ {
+ code = SOCKET_ERRNO;
+ goto cleanup;
+ }
+
+ closesocket(s1);
+ s1 = INVALID_SOCKET;
+ closesocket(s2);
+ s2 = INVALID_SOCKET;
+
+ chpw_rep.length = cc;
+
+ if ((code = krb5_auth_con_setaddrs(context, auth_context,
+ NULL, &remote_kaddr)))
+ goto cleanup;
+
+ if( set_password_for )
+ code = krb5int_rd_setpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ else
+ code = krb5int_rd_chpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string);
+ if (code)
+ goto cleanup;
+
+ if (result_code)
+ *result_code = local_result_code;
+
+ if (result_code_string) {
+ if( set_password_for )
+ code = krb5int_setpw_result_code_string(context, local_result_code, (const char **)&code_string);
+ else
+ code = krb5_chpw_result_code_string(context, local_result_code, &code_string);
+ if(code)
+ goto cleanup;
+
+ result_code_string->length = strlen(code_string);
+ result_code_string->data = malloc(result_code_string->length);
+ if (result_code_string->data == NULL) {
+ code = ENOMEM;
+ goto cleanup;
+ }
+ strncpy(result_code_string->data, code_string, result_code_string->length);
+ }
+
+ code = 0;
+ goto cleanup;
+ }
+
+ if (tried_one)
+ /* Got some non-fatal errors, but didn't get any successes. */
+ code = SOCKET_ERRNO;
+ else
+ /* Had some addresses, but didn't try any because they weren't
+ AF_INET addresses and we don't support AF_INET6 addresses
+ here yet. */
+ code = EHOSTUNREACH;
+
+cleanup:
+ if (auth_context != NULL)
+ krb5_auth_con_free(context, auth_context);
+
+ krb5int_free_addrlist (&al);
+
+ if (s1 != INVALID_SOCKET)
+ closesocket(s1);
+
+ if (s2 != INVALID_SOCKET)
+ closesocket(s2);
+
+ krb5_free_data_contents(context, &chpw_req);
+ krb5_free_data_contents(context, &chpw_rep);
+ krb5_free_data_contents(context, &ap_req);
+
+ return(code);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
+{
+ return krb5_change_set_password(
+ context, creds, newpw, NULL, result_code, result_code_string, result_string );
+}
+
+/*
+ * krb5_set_password - Implements set password per RFC 3244
+ *
+ */
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password(
+ krb5_context context,
+ krb5_creds *creds,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ return krb5_change_set_password(
+ context, creds, newpw, change_password_for, result_code, result_code_string, result_string );
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache(
+ krb5_context context,
+ krb5_ccache ccache,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+ )
+{
+ krb5_creds creds;
+ krb5_creds *credsp;
+ krb5_error_code code;
+
+/*
+** get the proper creds for use with krb5_set_password -
+*/
+ memset( &creds, 0, sizeof(creds) );
+/*
+** first get the principal for the password service -
+*/
+ code = krb5_cc_get_principal( context, ccache, &creds.client );
+ if( !code )
+ {
+ code = krb5_build_principal( context, &creds.server,
+ krb5_princ_realm(context, change_password_for)->length,
+ krb5_princ_realm(context, change_password_for)->data,
+ "kadmin", "changepw", NULL );
+ if(!code)
+ {
+ code = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
+ if( ! code )
+ {
+ code = krb5_set_password(context, credsp, newpw, change_password_for,
+ result_code, result_code_string,
+ result_string);
+ krb5_free_creds(context, credsp);
+ }
+ }
+ krb5_free_cred_contents(context, &creds);
+ }
+ return code;
+}
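Review bot: The fallback branch taken when getsockname() reports a zero address ignores the return value of `krb5_os_localaddr()` and the result of `malloc(addrs[0]->length)`, so a failed lookup, an empty address list or a failed allocation is dereferenced by `addrs[0]->magic` or by the following `memcpy`. The buffer allocated there is not freed anywhere in `krb5_change_set_password` as far as the hunk shows, and `chpw_rep.data = malloc(chpw_rep.length)` further down is likewise used unchecked. Each result should be checked, leaving through `cleanup` with the error code or `ENOMEM`, as in the excerpt below (the `EHOSTUNREACH` choice for an empty list is only a suggestion). Separately, `krb5_set_password_using_ccache` passes `change_password_for` to `krb5_princ_realm()` without a NULL check, although `krb5_change_set_password` documents NULL as meaning a plain password change.

```c
} else {
    krb5_address **addrs = NULL;

    code = krb5_os_localaddr(context, &addrs);
    if (code)
        goto cleanup;
    if (addrs == NULL || addrs[0] == NULL) {
        if (addrs != NULL)
            krb5_free_addresses(context, addrs);
        code = EHOSTUNREACH;    /* no usable local address */
        goto cleanup;
    }

    /* ... unchanged: copy magic, addrtype and length from addrs[0] ... */
    local_kaddr.contents = malloc(addrs[0]->length);
    if (local_kaddr.contents == NULL) {
        krb5_free_addresses(context, addrs);
        code = ENOMEM;
        goto cleanup;
    }
    /* ... unchanged: memcpy from addrs[0]->contents, krb5_free_addresses ... */
}
```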
diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_crypto.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_crypto.spec
index dcf926c783..5817ed05a5 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_crypto.spec
+++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_crypto.spec
@@ -1,5 +1,5 @@
#
-# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -356,4 +356,27 @@ declaration krb5_error_code krb5int_pbkdf2_hmac_sha1 ( \
version SUNWprivate_1.1
end
+function krb5_string_to_key
+include <k5-int.h>
+declaration krb5_error_code krb5_string_to_key(krb5_context context,\
+ const krb5_encrypt_block *eblock,\
+ krb5_keyblock *keyblock, const krb5_data *data,\
+ const krb5_data *salt)
+version SUNWprivate_1.1
+end
+
+function krb5_use_enctype
+include <k5-int.h>
+declaration krb5_error_code krb5_use_enctype(krb5_context context,\
+ krb5_encrypt_block *eblock,\
+ krb5_enctype enctype)
+version SUNWprivate_1.1
+end
+
+function krb5_checksum_size
+include <k5-int.h>
+declaration size_t krb5_checksum_size(krb5_context context, \
+ krb5_cksumtype ctype)
+version SUNWprivate_1.1
+end
diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec
index fded6f805d..ecbf99d188 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec
+++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_krb.spec
@@ -1,5 +1,5 @@
#
-# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -365,3 +365,58 @@ declaration krb5_error_code krb5_decode_ticket \
(const krb5_data *code, krb5_ticket **rep)
version SUNWprivate_1.1
end
+
+function krb5_init_keyblock
+include <k5-int.h>
+declaration krb5_error_code krb5_init_keyblock \
+ (krb5_context, krb5_enctype enctype, \
+ size_t length, krb5_keyblock **out)
+version SUNWprivate_1.1
+end
+
+function krb5_init_allocated_keyblock
+include <k5-int.h>
+declaration krb5_error_code krb5_init_allocated_keyblock \
+ (krb5_context, krb5_enctype enctype, \
+ unsigned int length)
+version SUNWprivate_1.1
+end
+
+function krb5_get_key_enctype
+include <k5-int.h>
+declaration krb5_enctype krb5_get_key_enctype(krb5_keyblock *)
+version SUNWprivate_1.1
+end
+
+function krb5_get_key_length
+include <k5-int.h>
+declaration unsigned int krb5_get_key_length(krb5_keyblock *)
+version SUNWprivate_1.1
+end
+
+function krb5_get_key_data
+include <k5-int.h>
+declaration krb5_octet *krb5_get_key_data(krb5_keyblock *)
+version SUNWprivate_1.1
+end
+
+function krb5_set_key_enctype
+include <k5-int.h>
+declaration void krb5_set_key_enctype(krb5_keyblock *, krb5_enctype)
+version SUNWprivate_1.1
+end
+
+function krb5_set_key_data
+include <k5-int.h>
+declaration void krb5_set_key_data(krb5_keyblock *,\
+ krb5_octet *)
+version SUNWprivate_1.1
+end
+
+function krb5_set_key_length
+include <k5-int.h>
+declaration void krb5_set_key_length(krb5_keyblock *,\
+ unsigned int)
+version SUNWprivate_1.1
+end
+
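Review bot: The `krb5_init_allocated_keyblock` declaration stops at `unsigned int length)` and omits the final `krb5_keyblock *kb` parameter that the definition added in init_allocated_keyblock.c takes. If the spec tooling generates or checks interfaces from this prototype, it would describe a three-argument function. The last line of the declaration should read `unsigned int length, krb5_keyblock *kb)`.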
diff --git a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec
index 21c0a1ce58..727311f11c 100644
--- a/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec
+++ b/usr/src/lib/gss_mechs/mech_krb5/spec/krb5_mech3.spec
@@ -1,5 +1,5 @@
#
-# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -805,3 +805,26 @@ declaration int foreach_localaddr (void *, \
int (*pass2fn)(void *, struct sockaddr *))
version SUNWprivate_1.1
end
+
+function krb5_change_password
+include <k5-int.h>
+declaration krb5_error_code \
+ krb5_change_password (krb5_context context, \
+ krb5_creds *creds, char *newpw, \
+ int *result_code, \
+ krb5_data *result_code_string, \
+ krb5_data *result_string)
+version SUNWprivate_1.1
+end
+
+function krb5_set_password
+include <k5-int.h>
+declaration krb5_set_password (krb5_context context,\
+ krb5_creds *creds,\
+ char *newpw,\
+ krb5_principal change_password_for,\
+ int *result_code,\
+ krb5_data *result_code_string,\
+ krb5_data *result_string)
+version SUNWprivate_1.1
+end
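Review bot: The `krb5_set_password` entry has no return type: its `declaration` line starts directly with the function name, whereas the `krb5_change_password` entry above it begins with `krb5_error_code \`. It should read `declaration krb5_error_code krb5_set_password (krb5_context context,\`. The hunk also adds no entry for `krb5_set_password_using_ccache`, which changepw.c defines and the libkrb5 mapfile exports. If this spec file is what makes the symbol visible from mech_krb5 (not verifiable from here), it needs an entry too.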
diff --git a/usr/src/lib/libkrb5/Makefile b/usr/src/lib/libkrb5/Makefile
new file mode 100755
index 0000000000..5b94b3aaef
--- /dev/null
+++ b/usr/src/lib/libkrb5/Makefile
@@ -0,0 +1,71 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libkrb5/Makefile
+
+include $(SRC)/lib/Makefile.lib
+
+SUBDIRS= $(MACH) $(MACH64)
+
+INSTALLED_HDRS= com_err.h krb5.h
+COMERRH= $(SRC)/lib/gss_mechs/mech_krb5/include/com_err.h
+KRB5H= $(SRC)/uts/common/gssapi/mechs/krb5/include/krb5.h
+
+KRB5INCDIR= $(ROOT)/usr/include/kerberosv5
+
+
+COMERRHINST= $(KRB5INCDIR)/com_err.h
+KRB5HINST= $(KRB5INCDIR)/krb5.h
+
+KRB5HDRS= $(INSTALLED_HDRS:%=$(KRB5INCDIR)/%)
+
+
+all := TARGET= all
+clean := TARGET= clean
+clobber := TARGET= clobber
+install := TARGET= install
+lint := TARGET= lint
+
+LIBRARY= libkrb5.a
+
+.KEEP_STATE:
+
+all clean clobber install: $(SUBDIRS)
+
+$(SUBDIRS): FRC
+ @cd $@; pwd; $(MAKE) $(TARGET)
+
+
+install_h: $(KRB5INCDIR) $(KRB5HDRS)
+
+$(COMERRHINST): $(COMERRH)
+ install -s -m 644 -f $(KRB5INCDIR) $(COMERRH)
+$(KRB5HINST): $(KRB5H)
+ install -s -m 644 -f $(KRB5INCDIR) $(KRB5H)
+
+
+check FRC:
+
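Review bot: `lint := TARGET= lint` is set, but the recursion rule is `all clean clobber install: $(SUBDIRS)`, so nothing in this file descends into `$(SUBDIRS)` with that target. Unless `Makefile.lib` supplies a `lint` rule (not visible here), either add `lint` to that target list or drop the unused assignment. `install_h` also lists `$(KRB5INCDIR)` as a prerequisite without a rule in this file that creates the directory; a one-line comment saying where that rule lives would help.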
diff --git a/usr/src/lib/libkrb5/Makefile.com b/usr/src/lib/libkrb5/Makefile.com
new file mode 100755
index 0000000000..341576dfae
--- /dev/null
+++ b/usr/src/lib/libkrb5/Makefile.com
@@ -0,0 +1,71 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libkrb5/Makefile.com
+#
+
+# include library definitions
+include $(SRC)/lib/Makefile.lib
+
+LIBRARY= libkrb5.a
+LLIBRARY= libkrb5.so.1
+VERS= .1
+MAPFILE=../common/mapfile
+
+
+LIBS= $(DYNLIB)
+
+#override liblink
+INS.liblink= -$(RM) $@; $(SYMLINK) $(LIBLINKS)$(VERS) $@
+
+.KEEP_STATE:
+
+all: $(LIBS)
+
+
+$(LIBS): $(MAPFILE)
+ $(LD) $(DYNFLAGS) -o $@ -M$(MAPFILE)
+
+
+
+$(ROOTLIBDIR)/$(DYNLIB) := FILEMODE= 755
+$(ROOTLIBDIR64)/$(DYNLIB) := FILEMODE= 755
+
+$(ROOTLIBDIR)/%: %
+ $(INS.file)
+$(ROOTLIBDIR64)/%: %
+ $(INS.file)
+
+$(ROOTLIBDIR)/$(LIBLINKS): $(ROOTLIBDIR)/$(LIBLINKS)$(VERS)
+ $(INS.liblink)
+$(ROOTLIBDIR64)/$(LIBLINKS): $(ROOTLIBDIR64)/$(LIBLINKS)$(VERS)
+ $(INS.liblink64)
+
+clobber: clean
+ -$(RM) $(CLOBBERTARGFILES)
+
+clean:
+ -$(RM) $(LIBS)
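Review bot: The `#override liblink` line redefines only `INS.liblink`, yet the rule for `$(ROOTLIBDIR64)/$(LIBLINKS)` runs `$(INS.liblink64)`, which this file leaves at whatever `Makefile.lib` defines. If the override is needed for the 32-bit symlink it is presumably needed for the 64-bit one as well. Add a matching `INS.liblink64=` definition, or a comment explaining why only one is overridden. `LLIBRARY= libkrb5.so.1` is not referenced anywhere else in this file as far as the hunk shows.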
diff --git a/usr/src/lib/libkrb5/amd64/Makefile b/usr/src/lib/libkrb5/amd64/Makefile
new file mode 100644
index 0000000000..54b82e901c
--- /dev/null
+++ b/usr/src/lib/libkrb5/amd64/Makefile
@@ -0,0 +1,35 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libkrb5/amd64/Makefile
+
+MAPDIR= ../common
+
+include ../Makefile.com
+
+DYNFLAGS = -64 -G -h$(DYNLIB) -ztext -zdefs -zcombreloc -zloadfltr -R/usr/lib/64/gss
+
+install: all $(ROOTLIBS64) $(ROOTLINKS64)
diff --git a/usr/src/lib/libkrb5/common/mapfile b/usr/src/lib/libkrb5/common/mapfile
new file mode 100644
index 0000000000..932b9bdcb5
--- /dev/null
+++ b/usr/src/lib/libkrb5/common/mapfile
@@ -0,0 +1,273 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+# This is a mapfile that defines a filter for mech_krb5 so that
+# a new public library can be made to access certain functions in
+# the private library.
+#
+# New functions can be added as needed.
+#
+
+{
+ global:
+
+# com_err.h
+ com_err = FUNCTION FILTER mech_krb5.so.1;
+ com_err_va = FUNCTION FILTER mech_krb5.so.1;
+ error_message = FUNCTION FILTER mech_krb5.so.1;
+
+# krb5.h (non-private and non-deprecated)
+ krb5_c_encrypt = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_decrypt = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_encrypt_length = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_block_size = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_init_state = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_free_state = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_make_random_key = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_random_make_octets = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_string_to_key = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_string_to_key_with_params = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_enctype_compare = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_make_checksum = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_verify_checksum = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_checksum_length = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_keyed_checksum_types = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_valid_enctype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_valid_cksumtype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_is_coll_proof_cksum = FUNCTION FILTER mech_krb5.so.1;
+ krb5_c_is_keyed_cksum = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_gen_new = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_initialize = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_destroy = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_close = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_store_cred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_retrieve_cred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_get_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_get_principal = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_start_seq_get = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_next_cred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_end_seq_get = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_remove_cred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_set_flags = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_get_type = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_get_type = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_get_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_close = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_get_entry = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_start_seq_get = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_next_entry = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_end_seq_get = FUNCTION FILTER mech_krb5.so.1;
+ krb5_init_context = FUNCTION FILTER mech_krb5.so.1;
+ krb5_init_secure_context = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_context = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_default_tgs_enctypes = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_permitted_enctypes = FUNCTION FILTER mech_krb5.so.1;
+ krb5_is_thread_safe = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_tgt_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_credentials = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_credentials_validate = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_credentials_renew = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_req = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_req_extended = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_rep = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rd_rep = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_error = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rd_error = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rd_safe = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rd_priv = FUNCTION FILTER mech_krb5.so.1;
+ krb5_parse_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_unparse_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_unparse_name_ext = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_principal_realm = FUNCTION FILTER mech_krb5.so.1;
+ krb5_address_search = FUNCTION FILTER mech_krb5.so.1;
+ krb5_address_compare = FUNCTION FILTER mech_krb5.so.1;
+ krb5_address_order = FUNCTION FILTER mech_krb5.so.1;
+ krb5_realm_compare = FUNCTION FILTER mech_krb5.so.1;
+ krb5_principal_compare = FUNCTION FILTER mech_krb5.so.1;
+ krb5_init_keyblock = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_keyblock = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_keyblock_contents = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_data = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_principal = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_addresses = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_ticket = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_authdata = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_authenticator = FUNCTION FILTER mech_krb5.so.1;
+ krb5_copy_checksum = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_server_rcache = FUNCTION FILTER mech_krb5.so.1;
+ krb5_build_principal_ext = FUNCTION FILTER mech_krb5.so.1;
+ krb5_build_principal = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_resolve = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_default_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_default = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_keytab_entry_contents = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_remove_entry = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_add_entry = FUNCTION FILTER mech_krb5.so.1;
+ krb5_principal2salt = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_resolve = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_default_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_set_default_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_default = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cc_copy_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_principal = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_authenticator = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_addresses = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_authdata = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_ticket = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_error = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_cred_contents = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_checksum = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_checksum_contents = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_keyblock = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_keyblock_contents = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_ap_rep_enc_part = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_data = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_data_contents = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_unparsed_name = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_cksumtypes = FUNCTION FILTER mech_krb5.so.1;
+ krb5_us_timeofday = FUNCTION FILTER mech_krb5.so.1;
+ krb5_timeofday = FUNCTION FILTER mech_krb5.so.1;
+ krb5_os_localaddr = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_default_realm = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_default_realm = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_default_realm = FUNCTION FILTER mech_krb5.so.1;
+ krb5_sname_to_principal = FUNCTION FILTER mech_krb5.so.1;
+ krb5_change_password = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_password = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_password_using_ccache = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_profile = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rd_req = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_read_service_key = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_safe = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_priv = FUNCTION FILTER mech_krb5.so.1;
+ krb5_sendauth = FUNCTION FILTER mech_krb5.so.1;
+ krb5_recvauth = FUNCTION FILTER mech_krb5.so.1;
+ krb5_recvauth_version = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_ncred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_mk_1cred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rd_cred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_fwd_tgt_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_init = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_free = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_setflags = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getflags = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_set_checksum_func = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_get_checksum_func = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_setaddrs = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getaddrs = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_setports = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_setuseruserkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getsendsubkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getrecvsubkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_setsendsubkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_setrecvsubkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getlocalseqnumber = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getremoteseqnumber = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_setrcache = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getrcache = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getauthenticator = FUNCTION FILTER mech_krb5.so.1;
+ krb5_read_password = FUNCTION FILTER mech_krb5.so.1;
+ krb5_aname_to_localname = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_host_realm = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_host_realm = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kuserok = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_genaddrs = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_real_time = FUNCTION FILTER mech_krb5.so.1;
+ krb5_string_to_enctype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_string_to_salttype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_string_to_cksumtype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_string_to_timestamp = FUNCTION FILTER mech_krb5.so.1;
+ krb5_string_to_deltat = FUNCTION FILTER mech_krb5.so.1;
+ krb5_enctype_to_string = FUNCTION FILTER mech_krb5.so.1;
+ krb5_salttype_to_string = FUNCTION FILTER mech_krb5.so.1;
+ krb5_cksumtype_to_string = FUNCTION FILTER mech_krb5.so.1;
+ krb5_timestamp_to_string = FUNCTION FILTER mech_krb5.so.1;
+ krb5_timestamp_to_sfstring = FUNCTION FILTER mech_krb5.so.1;
+ krb5_deltat_to_string = FUNCTION FILTER mech_krb5.so.1;
+ krb5_xfree_wrap = FUNCTION FILTER mech_krb5.so.1;
+ krb5_xfree = FUNCTION FILTER mech_krb5.so.1;
+ krb5_prompter_posix = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_init = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_tkt_life = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_renew_life = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_forwardable = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_proxiable = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_etype_list = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_address_list = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_preauth_list = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_opt_set_salt = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_password = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_init_creds_keytab = FUNCTION FILTER mech_krb5.so.1;
+ krb5_verify_init_creds_opt_init = FUNCTION FILTER mech_krb5.so.1;
+ krb5_verify_init_creds_opt_set_ap_req_nofail = FUNCTION FILTER mech_krb5.so.1;
+ krb5_verify_init_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_validated_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_renewed_creds = FUNCTION FILTER mech_krb5.so.1;
+ krb5_decode_ticket = FUNCTION FILTER mech_krb5.so.1;
+ krb5_appdefault_string = FUNCTION FILTER mech_krb5.so.1;
+ krb5_appdefault_boolean = FUNCTION FILTER mech_krb5.so.1;
+ krb5_realm_iterator_create = FUNCTION FILTER mech_krb5.so.1;
+ krb5_realm_iterator = FUNCTION FILTER mech_krb5.so.1;
+ krb5_realm_iterator_free = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_realm_string = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_prompt_types = FUNCTION FILTER mech_krb5.so.1;
+ krb5_string_to_key = FUNCTION FILTER mech_krb5.so.1;
+ krb5_use_enctype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_init_allocated_keyblock = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_key_enctype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_key_length = FUNCTION FILTER mech_krb5.so.1;
+ krb5_get_key_data = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_key_enctype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_key_data = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_key_length = FUNCTION FILTER mech_krb5.so.1;
+
+# krb5.h - priv/deprecated
+ krb5_string_to_key = FUNCTION FILTER mech_krb5.so.1;
+ krb5_use_enctype = FUNCTION FILTER mech_krb5.so.1;
+ krb5_checksum_size = FUNCTION FILTER mech_krb5.so.1;
+ krb5_kt_free_entry = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getlocalsubkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_auth_con_getremotesubkey = FUNCTION FILTER mech_krb5.so.1;
+ krb5_set_default_tgs_ktypes = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_ktypes = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_ap_req = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_ap_rep = FUNCTION FILTER mech_krb5.so.1;
+ krb5_free_cred = FUNCTION FILTER mech_krb5.so.1;
+ krb5_decrypt_tkt_part = FUNCTION FILTER mech_krb5.so.1;
+ valid_cksumtype = FUNCTION FILTER mech_krb5.so.1;
+
+# k5-int.h (needed by Samba, openssl, etc)
+ decode_krb5_ap_req = FUNCTION FILTER mech_krb5.so.1;
+ encode_krb5_ap_req = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rc_get_lifespan = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rc_initialize = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rc_default = FUNCTION FILTER mech_krb5.so.1;
+ krb5_rc_destroy = FUNCTION FILTER mech_krb5.so.1;
+
+};
diff --git a/usr/src/lib/libkrb5/i386/Makefile b/usr/src/lib/libkrb5/i386/Makefile
new file mode 100755
index 0000000000..8673c75014
--- /dev/null
+++ b/usr/src/lib/libkrb5/i386/Makefile
@@ -0,0 +1,36 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libkrb5/i386/Makefile
+
+MAPDIR= ../common
+
+include ../Makefile.com
+
+DYNFLAGS = -G -h$(DYNLIB) -ztext -zdefs -zcombreloc -zloadfltr \
+ -R/usr/lib/gss -M$(NX_MAP)
+
+install: all $(ROOTLIBDIR) $(ROOTLIBS) $(ROOTLINKS)
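Review bot: `DYNFLAGS` is assigned with a plain `=` after `include ../Makefile.com`, so it replaces whatever link flags the included makefiles composed, and the only mapfile the visible line passes is `$(NX_MAP)`. Makefile.com is not shown here, so it is worth confirming that the mapfile under `$(MAPDIR)` carrying the `FILTER mech_krb5.so.1` definitions still reaches the link line. The same hand-written flag list is repeated in the sparc and sparcv9 Makefiles (without `-M$(NX_MAP)`, and with `-R/usr/lib/64/gss` on sparcv9), so the per-ISA copies can drift apart. Since `-zloadfltr` has the runtime linker process the filtee as soon as the filter is loaded, and `-R` supplies the path it is searched on, a wrong runpath would surface at load time in every consumer; I would add a comment above the assignment such as `# libkrb5 is a filter on mech_krb5.so.1: -R must name the directory holding the filtee, -zloadfltr loads it with the filter`. Moving the common flags into Makefile.com and keeping only the runpath and `-M$(NX_MAP)` per ISA would keep the three files consistent.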
diff --git a/usr/src/lib/libkrb5/sparc/Makefile b/usr/src/lib/libkrb5/sparc/Makefile
new file mode 100755
index 0000000000..9187a100f5
--- /dev/null
+++ b/usr/src/lib/libkrb5/sparc/Makefile
@@ -0,0 +1,35 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libkrb5/sparc/Makefile
+
+MAPDIR= ../common
+
+include ../Makefile.com
+
+DYNFLAGS = -G -h$(DYNLIB) -ztext -zdefs -zcombreloc -zloadfltr -R/usr/lib/gss
+
+install: all $(ROOTLIBDIR) $(ROOTLIBS) $(ROOTLINKS)
diff --git a/usr/src/lib/libkrb5/sparcv9/Makefile b/usr/src/lib/libkrb5/sparcv9/Makefile
new file mode 100755
index 0000000000..c8105dab90
--- /dev/null
+++ b/usr/src/lib/libkrb5/sparcv9/Makefile
@@ -0,0 +1,35 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libkrb5/sparcv9/Makefile
+
+MAPDIR= ../common
+
+include ../Makefile.com
+
+DYNFLAGS = -64 -G -h$(DYNLIB) -ztext -zdefs -zcombreloc -zloadfltr -R/usr/lib/64/gss
+
+install: all $(ROOTLIBS64) $(ROOTLINKS64)