13 files changed, 325 insertions, 300 deletions
diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 8007aafbec..0cf22ca701 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,8 @@
+2002-11-26  Tom Yu  <tlyu@mit.edu>
+
+	* port-sockets.h: Add SOCKET_CONNECT, SOCKET_GETSOCKNAME, and
+	SOCKET_CLOSE to allow for porting of some KfM things.
+
 2002-11-14  Tom Yu  <tlyu@mit.edu>
 
 	* Makefile.in: Remove references to adm_err.h from here too.
diff --git a/src/include/kerberosIV/ChangeLog b/src/include/kerberosIV/ChangeLog
index 8c8fa69b72..bbee33b227 100644
--- a/src/include/kerberosIV/ChangeLog
+++ b/src/include/kerberosIV/ChangeLog
@@ -1,3 +1,31 @@
+2002-11-26  Tom Yu  <tlyu@mit.edu>
+
+	* Makefile.in (KRB4_HEADERS): Don't install kadm.h anymore.
+
+	* des.h: Put "#" characters in first column.  Do the
+	KRBINT_BEGIN_DECLS hack to make emacs happy.  Shuffle limits.h
+	inclusion to be outside C++ and Mac alignment magic.
+
+	* kadm.h: Remove some spurious prototypes.  Rename a bunch of
+	internal kadm_stream stuff to avoid stomping on namespace.  Add
+	prototypes for some client-side kadm stuff.
+
+	* krb.h: Do Mac CFM magic.  Do C++ mangling protection.  Do Mac
+	alignment magic.  Move inclusions outside of C++ mangling
+	protection and Mac magic.  Add KRB5_CALLCONV to a few functions
+	that KfM's krb.h exports.  Merge the *_in_tkt_*_creds,
+	mk_req_creds, and rd_req_int functions from KfM.  Add prototypes
+	for some KfM-specific things yet to be merged.
+
+	* prot.h: Don't include krb_conf.h anymore.  Twiddle the int
+	encoding/decoding macros a little.
+
+	* des_conf.h:
+	* highc.h:
+	* krb_conf.h:
+	* passwd_server.h:
+	* principal.h: Remove, since they're obsolete.
+
 2002-10-07  Sam Hartman  <hartmans@mit.edu>
 
 	* Makefile.in: Support install-headers
diff --git a/src/include/kerberosIV/Makefile.in b/src/include/kerberosIV/Makefile.in
index e48321ec60..d54101dcd0 100644
--- a/src/include/kerberosIV/Makefile.in
+++ b/src/include/kerberosIV/Makefile.in
@@ -3,7 +3,7 @@ myfulldir=include/kerberosIV
 mydir=kerberosIV
 MY_SUBDIRS=.
 BUILDTOP=$(REL)..$(S)..
-KRB4_HEADERS=krb.h des.h kadm.h mit-copyright.h
+KRB4_HEADERS=krb.h des.h mit-copyright.h
 
 all-unix:: krb_err.h
 
diff --git a/src/include/kerberosIV/des.h b/src/include/kerberosIV/des.h
index 46a4f527db..d51120958e 100644
--- a/src/include/kerberosIV/des.h
+++ b/src/include/kerberosIV/des.h
@@ -27,25 +27,37 @@
  */
 
 #if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
-	#include <TargetConditionals.h>
-    #if TARGET_RT_MAC_CFM
-        #error "Use KfM 4.0 SDK headers for CFM compilation."
-    #endif
+#	include <TargetConditionals.h>
+#	if TARGET_RT_MAC_CFM
+#		error "Use KfM 4.0 SDK headers for CFM compilation."
+#	endif
+#endif
+
+#ifdef __cplusplus
+#ifndef KRBINT_BEGIN_DECLS
+#define KRBINT_BEGIN_DECLS	extern "C" {
+#define KRBINT_END_DECLS	}
+#endif
+#else
+#define KRBINT_BEGIN_DECLS
+#define KRBINT_END_DECLS
 #endif
 
 #ifndef KRB5INT_DES_TYPES_DEFINED
 #define KRB5INT_DES_TYPES_DEFINED
 
+#include <limits.h>
+
+KRBINT_BEGIN_DECLS
+
 #if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma import on
-        #pragma enumsalwaysint on
-    #endif
-    #pragma options align=mac68k
+#	if defined(__MWERKS__)
+#		pragma import on
+#		pragma enumsalwaysint on
+#	endif
+#	pragma options align=mac68k
 #endif
 
-#include <limits.h>
-
 #if UINT_MAX >= 0xFFFFFFFFUL
 #define DES_INT32 int
 #define DES_UINT32 unsigned int
@@ -60,10 +72,12 @@ typedef unsigned char des_cblock[8];	/* crypto-block size */
  *
  * This used to be
  *
- * typedef struct des_ks_struct { union { DES_INT32 pad; des_cblock _;} __; } des_key_schedule[16];
+ * typedef struct des_ks_struct {
+ *     union { DES_INT32 pad; des_cblock _;} __;
+ * } des_key_schedule[16];
  *
- * but it would cause trouble if DES_INT32 is ever more than 4 bytes.
- * The reason is that all the encryption functions cast it to
+ * but it would cause trouble if DES_INT32 were ever more than 4
+ * bytes.  The reason is that all the encryption functions cast it to
  * (DES_INT32 *), and treat it as if it were DES_INT32[32].  If
  * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
  * caller-allocated des_key_schedule will be overflowed by the key
@@ -74,13 +88,15 @@ typedef unsigned char des_cblock[8];	/* crypto-block size */
 typedef struct des_ks_struct {  DES_INT32 _[2]; } des_key_schedule[16];
 
 #if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma enumsalwaysint reset
-        #pragma import reset
-    #endif
-	#pragma options align=reset
+#	if defined(__MWERKS__)
+#		pragma enumsalwaysint reset
+#		pragma import reset
+#	endif
+#	pragma options align=reset
 #endif
 
+KRBINT_END_DECLS
+
 #endif /* KRB5INT_DES_TYPES_DEFINED */
 
 /* only do the whole thing once	 */
@@ -94,18 +110,6 @@ typedef struct des_ks_struct {  DES_INT32 _[2]; } des_key_schedule[16];
 #ifndef KRB5INT_CRYPTO_DES_INT
 #define DES_DEFS
 
-#if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma import on
-        #pragma enumsalwaysint on
-    #endif
-    #pragma options align=mac68k
-#endif
-
-#if defined(_WIN32) && !defined(_WINDOWS)
-#define _WINDOWS
-#endif
-
 #if defined(_WINDOWS)
 #ifndef KRB4
 #define KRB4 1
@@ -114,6 +118,20 @@ typedef struct des_ks_struct {  DES_INT32 _[2]; } des_key_schedule[16];
 #endif
 #include <stdio.h> /* need FILE for des_cblock_print_file */
 
+KRBINT_BEGIN_DECLS
+
+#if TARGET_OS_MAC
+#	if defined(__MWERKS__)
+#		pragma import on
+#		pragma enumsalwaysint on
+#	endif
+#	pragma options align=mac68k
+#endif
+
+#if defined(_WIN32) && !defined(_WINDOWS)
+#define _WINDOWS
+#endif
+
 /* Windows declarations */
 #ifndef KRB5_CALLCONV
 #define KRB5_CALLCONV
@@ -221,12 +239,14 @@ void des_set_sequence_number(des_cblock);
 #endif /* TARGET_OS_MAC */
 
 #if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma enumsalwaysint reset
-        #pragma import reset
-    #endif
-	#pragma options align=reset
+#	if defined(__MWERKS__)
+#		pragma enumsalwaysint reset
+#		pragma import reset
+#	endif
+#	pragma options align=reset
 #endif
 
+KRBINT_END_DECLS
+
 #endif /* KRB5INT_CRYPTO_DES_INT */
 #endif	/* DES_DEFS */
diff --git a/src/include/kerberosIV/des_conf.h b/src/include/kerberosIV/des_conf.h
deleted file mode 100644
index 673eb93fbb..0000000000
--- a/src/include/kerberosIV/des_conf.h
+++ /dev/null
@@ -1,2 +0,0 @@
-This file is obsolete and should not be used any more.
-Use "conf.h" instead.
diff --git a/src/include/kerberosIV/highc.h b/src/include/kerberosIV/highc.h
deleted file mode 100644
index c45a85502b..0000000000
--- a/src/include/kerberosIV/highc.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * include/kerberosIV/highc.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * Known breakage in the version of Metaware's High C compiler that
- * we've got available....
- */
-
-#define const
-/*#define volatile*/
-
-/*
- * Some builtin functions we can take advantage of for inlining....
- */
-
-#define abs			_abs
-/* the _max and _min builtins accept any number of arguments */
-#undef MAX
-#define MAX(x,y)		_max(x,y)
-#undef MIN
-#define MIN(x,y)		_min(x,y)
-/*
- * I'm not sure if 65535 is a limit for this builtin, but it's
- * reasonable for a string length.  Or is it?
- */
-/*#define strlen(s)		_find_char(s,65535,0)*/
-#define bzero(ptr,len)		_fill_char(ptr,len,'\0')
-#define bcmp(b1,b2,len)		_compare(b1,b2,len)
diff --git a/src/include/kerberosIV/kadm.h b/src/include/kerberosIV/kadm.h
index e3f47c0595..e65af29266 100644
--- a/src/include/kerberosIV/kadm.h
+++ b/src/include/kerberosIV/kadm.h
@@ -1,8 +1,8 @@
 /*
  * include/kerberosIV/kadm.h
  *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
+ * Copyright 1988, 1994, 2002 by the Massachusetts Institute of
+ * Technology.  All Rights Reserved.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -23,7 +23,9 @@
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
  * 
- * Definitions for Kerberos administration server & client
+ * Definitions for Kerberos administration server & client.  These
+ * should be considered private; among other reasons, it leaks all
+ * over the namespace.
  */
 
 #ifndef KADM_DEFS
@@ -47,18 +49,21 @@
 
 /* The global structures for the client and server */
 typedef struct {
-  struct sockaddr_in admin_addr;
-  struct sockaddr_in my_addr;
-  int my_addr_len;
-  int admin_fd;			/* file descriptor for link to admin server */
-  char sname[ANAME_SZ];		/* the service name */
-  char sinst[INST_SZ];		/* the services instance */
-  char krbrlm[REALM_SZ];
+    struct sockaddr_in admin_addr;
+    struct sockaddr_in my_addr;
+    int my_addr_len;
+    int admin_fd;		/* file descriptor for link to admin server */
+    char sname[ANAME_SZ];	/* the service name */
+    char sinst[INST_SZ];	/* the services instance */
+    char krbrlm[REALM_SZ];
+    /* KfM additions... */
+    int  default_port;
+    CREDENTIALS creds; /* The client's credentials (from krb_get_pw_in_tkt_creds)*/
 } Kadm_Client;
 
 typedef struct {		/* status of the server, i.e the parameters */
-   int inter;			/* Space for command line flags */
-   char *sysfile;		/* filename of server */
+    int inter;			/* Space for command line flags */
+    char *sysfile;		/* filename of server */
 } admin_params;			/* Well... it's the admin's parameters */
 
 /* Largest password length to be supported */
@@ -92,9 +97,9 @@ typedef struct {
     u_char         fields[FLDSZ];     /* The active fields in this struct */
     char           name[ANAME_SZ];
     char           instance[INST_SZ];
-    unsigned long  key_low;
-    unsigned long  key_high;
-    unsigned long  exp_date;
+    KRB_UINT32     key_low;
+    KRB_UINT32     key_high;
+    KRB_UINT32     exp_date;
     unsigned short attributes;
     unsigned char  max_life;
 } Kadm_vals;                    /* The basic values structure in Kadm */
@@ -143,18 +148,47 @@ DELACL
 #define KADM_CYGNUS_EXT_BASE 64
 #define DEL_ENT              (KADM_CYGNUS_EXT_BASE+1)
 
-extern long kdb_get_master_key();	/* XXX should be in krb_db.h */
-extern long kdb_verify_master_key();	/* XXX ditto */
-
-extern long krb_mk_priv(), krb_rd_priv(); /* XXX should be in krb.h */
-extern void krb_set_tkt_string();	/* XXX ditto */
-
-extern unsigned long quad_cksum();	/* XXX should be in des.h */
-
 #ifdef POSIX
 typedef void sigtype;
 #else
 typedef int sigtype;
 #endif
 
+/* Avoid stomping on namespace... */
+
+#define vals_to_stream		kadm_vals_to_stream
+#define build_field_header	kadm_build_field_header
+#define vts_string		kadm_vts_string
+#define vts_short		kadm_vts_short
+#define vts_long		kadm_vts_long
+#define vts_char		kadm_vts_char
+
+#define stream_to_vals		kadm_stream_to_vals
+#define check_field_header	kadm_check_field_header
+#define stv_string		kadm_stv_string
+#define stv_short		kadm_stv_short
+#define stv_long		kadm_stv_long
+#define stv_char		kadm_stv_char
+
+int vals_to_stream(Kadm_vals *, u_char **);
+int build_field_header(u_char *, u_char **);
+int vts_string(char *, u_char **, int);
+int vts_short(KRB_UINT32, u_char **, int);
+int vts_long(KRB_UINT32, u_char **, int);
+int vts_char(KRB_UINT32, u_char **, int);
+
+int stream_to_vals(u_char *, Kadm_vals *, int);
+int check_field_header(u_char *, u_char *, int);
+int stv_string(u_char *, char *, int, int, int);
+int stv_short(u_char *, u_short *, int, int);
+int stv_long(u_char *, KRB_UINT32 *, int, int);
+int stv_char(u_char *, u_char *, int, int);
+
+int kadm_init_link(char *, char *, char *, Kadm_Client *, int);
+int kadm_cli_send(Kadm_Client *, u_char *, size_t, u_char **, size_t *);
+int kadm_cli_conn(Kadm_Client *);
+void kadm_cli_disconn(Kadm_Client *);
+int kadm_cli_out(Kadm_Client *, u_char *, int, u_char **, size_t *);
+int kadm_cli_keyd(Kadm_Client *, des_cblock, des_key_schedule);
+
 #endif /* KADM_DEFS */
diff --git a/src/include/kerberosIV/krb.h b/src/include/kerberosIV/krb.h
index 30376bcfdc..fe28111c49 100644
--- a/src/include/kerberosIV/krb.h
+++ b/src/include/kerberosIV/krb.h
@@ -1,8 +1,8 @@
 /*
  * include/kerberosIV/krb.h
  *
- * Copyright 1987, 1988, 1994, 2001 by the Massachusetts Institute of
- * Technology.  All Rights Reserved.
+ * Copyright 1987, 1988, 1994, 2001, 2002 by the Massachusetts
+ * Institute of Technology.  All Rights Reserved.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -30,17 +30,51 @@
 #ifndef	KRB_DEFS
 #define KRB_DEFS
 
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+#	include <TargetConditionals.h>
+#	if TARGET_RT_MAC_CFM
+#		error "Use KfM 4.0 SDK headers for CFM compilation."
+#	endif
+#endif
+
+/* Define u_char, u_short, u_int, and u_long. */
+/* XXX these typdef names are not standardized! */
+#include <sys/types.h>
+
 /* Need some defs from des.h	 */
 #include <kerberosIV/des.h>
 
-#define KRB4_32		DES_INT32
-#define KRB_INT32	DES_INT32
-#define KRB_UINT32	DES_UINT32
+#include <kerberosIV/krb_err.h>		/* XXX FIXME! */
+
+#include <profile.h>
 
 #ifdef _WINDOWS
 #include <time.h>
 #endif /* _WINDOWS */
 
+#ifdef __cplusplus
+#ifndef KRBINT_BEGIN_DECLS
+#define KRBINT_BEGIN_DECLS	extern "C" {
+#define KRBINT_END_DECLS	}
+#endif
+#else
+#define KRBINT_BEGIN_DECLS
+#define KRBINT_END_DECLS
+#endif
+KRBINT_BEGIN_DECLS
+
+#if TARGET_OS_MAC
+#	if defined(__MWERKS__)
+#		pragma import on
+#		pragma enumsalwaysint on
+#	endif
+#	pragma options align=mac68k
+#endif
+
+#define KRB4_32		DES_INT32
+#define KRB_INT32	DES_INT32
+#define KRB_UINT32	DES_UINT32
+
 /* Text describing error codes */
 #define		MAX_KRB_ERRORS	256
 extern const char *const krb_err_txt[MAX_KRB_ERRORS];
@@ -74,6 +108,9 @@ extern const char *const krb_err_txt[MAX_KRB_ERRORS];
 #define		REALM_SZ	40
 #define		SNAME_SZ	40
 #define		INST_SZ		40
+/*
+ * NB: This overcounts due to NULs.
+ */
 /* include space for '.' and '@' */
 #define		MAX_K_NAME_SZ	(ANAME_SZ + INST_SZ + REALM_SZ + 2)
 #define		KKEY_SZ		100
@@ -117,7 +154,7 @@ typedef struct ktext KTEXT_ST;
 #endif /* PC */
 
 /* Parameters for rd_ap_req */
-/* Maximum alloable clock skew in seconds */
+/* Maximum allowable clock skew in seconds */
 #define 	CLOCK_SKEW	5*60
 /* Filename for readservkey */
 #define		KEYFILE		((char*)krb__get_srvtabname("/etc/srvtab"))
@@ -182,7 +219,10 @@ typedef struct msg_dat MSG_DAT;
 #define TKT_ROOT        "/tmp/tkt"
 #endif /* PC */
 
-#include "kerberosIV/krb_err.h"		/* XXX FIXME! */
+/*
+ * Error codes are now defined as offsets from com_err (krb_err.et)
+ * values.
+ */
 #define KRB_ET(x)	((KRBET_ ## x) - ERROR_TABLE_BASE_krb)
 
 /* Error codes returned from the KDC */
@@ -267,7 +307,7 @@ typedef struct msg_dat MSG_DAT;
 #define	KNAME_FMT	KRB_ET(KNAME_FMT)	/* 81 - Bad krb name fmt */
 
 /* Error code returned by krb_mk_safe */
-#define		SAFE_PRIV_ERROR	-1	/* syscall error */
+#define	SAFE_PRIV_ERROR	(-1)			/* syscall error */
 
 /* Kerberos ticket flag field bit definitions */
 #define K_FLAG_ORDER    0       /* bit 0 --> lsb */
@@ -279,6 +319,7 @@ typedef struct msg_dat MSG_DAT;
 #define K_FLAG_6                /* reserved */
 #define K_FLAG_7                /* reserved, bit 7 --> msb */
 
+/* Are these needed anymore? */
 #ifdef	OLDNAMES
 #define krb_mk_req	mk_ap_req
 #define krb_rd_req	rd_ap_req
@@ -330,9 +371,6 @@ typedef struct msg_dat MSG_DAT;
 #endif /*_WINDOWS*/
 
 
-/* Define u_char, u_short, u_int, and u_long. */
-#include <sys/types.h>
-
 /* ask to disable IP address checking in the library */
 extern int krb_ignore_ip_address;
 
@@ -376,10 +414,6 @@ extern struct _krb5_context * krb5__krb4_context;
 
 struct sockaddr_in;
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /* dest_tkt.c */
 int KRB5_CALLCONV dest_tkt
 	(void);
@@ -387,7 +421,8 @@ int KRB5_CALLCONV dest_tkt
 const char * KRB5_CALLCONV krb_get_err_text
 	(int errnum);
 /* g_ad_tkt.c */
-int get_ad_tkt
+/* Previously not KRB5_CALLCONV */
+int KRB5_CALLCONV get_ad_tkt
 	(char *service, char *sinst, char *realm, int lifetime);
 /* g_admhst.c */
 int KRB5_CALLCONV krb_get_admhst
@@ -397,15 +432,21 @@ int KRB5_CALLCONV krb_get_cred
 	(char *service, char *instance, char *realm,
 		   CREDENTIALS *c);
 /* g_in_tkt.c */
-int krb_get_in_tkt
+/* Previously not KRB5_CALLCONV */
+int KRB5_CALLCONV krb_get_in_tkt
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinst, int life,
 		   key_proc_type, decrypt_tkt_type, char *arg);
-int krb_get_in_tkt_preauth
+/* Previously not KRB5_CALLCONV */
+int KRB5_CALLCONV krb_get_in_tkt_preauth
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinst, int life,
 		   key_proc_type, decrypt_tkt_type, char *arg,
 		   char *preauth_p, int preauth_len);
+/* From KfM */
+int KRB5_CALLCONV krb_get_in_tkt_creds(char *, char *, char *, char *, char *,
+    int, key_proc_type, decrypt_tkt_type, char *, CREDENTIALS *);
+
 /* g_krbhst.c */
 int KRB5_CALLCONV krb_get_krbhst
 	(char *host, char *realm, int idx);
@@ -427,11 +468,21 @@ int KRB5_CALLCONV krb_get_pw_in_tkt_preauth
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinstance,
 		   int life, char *password);
+int KRB5_CALLCONV
+krb_get_pw_in_tkt_creds(char *, char *, char *,
+	char *, char *, int, char *, CREDENTIALS *);
+
 /* g_svc_in_tkt.c */
 int KRB5_CALLCONV krb_get_svc_in_tkt
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinstance,
 		   int life, char *srvtab);
+#if TARGET_OS_MAC && defined(__FILES__)
+int KRB5_CALLCONV
+FSp_krb_get_svc_in_tkt(char *, char *, char *, char *, char *,
+    int, const FSSpec *);
+#endif
+
 /* g_tf_fname.c */
 int KRB5_CALLCONV krb_get_tf_fullname
 	(char *ticket_file, char *name, char *inst, char *realm);
@@ -453,6 +504,10 @@ int KRB5_CALLCONV krb_in_tkt
 int KRB5_CALLCONV kname_parse
 	(char *name, char *inst, char *realm,
 		   char *fullname);
+/* From KfM XXX to be merged*/
+int KRB5_CALLCONV kname_unparse
+	(char *, const char *, const char *, const char *);
+
 int KRB5_CALLCONV k_isname
         (char *);
 int KRB5_CALLCONV k_isinst
@@ -503,6 +558,12 @@ int KRB5_CALLCONV krb_mk_req
 	(KTEXT authent,
 		   char *service, char *instance, char *realm,
 		   KRB4_32 checksum);
+/* Merged from KfM */
+int KRB5_CALLCONV krb_mk_req_creds(KTEXT, CREDENTIALS *, KRB_INT32);
+
+/* Added CALLCONV (KfM exports w/o INTERFACE, but KfW doesn't export?) */
+int KRB5_CALLCONV krb_set_lifetime(int newval);
+
 /* mk_safe.c */
 long KRB5_CALLCONV krb_mk_safe
 	(u_char *in, u_char *out, unsigned KRB4_32 length,
@@ -510,12 +571,15 @@ long KRB5_CALLCONV krb_mk_safe
 		   struct sockaddr_in *sender,
 		   struct sockaddr_in *receiver);
 /* netread.c */
+/* XXX private */
 int krb_net_read
 	(int fd, char *buf, int len);
 /* netwrite.c */
+/* XXX private */
 int krb_net_write
 	(int fd, char *buf, int len);
 /* pkt_clen.c */
+/* XXX private */
 int pkt_clen
 	(KTEXT);
 /* put_svc_key.c */
@@ -523,6 +587,11 @@ int KRB5_CALLCONV put_svc_key
 	(char *sfile,
 		   char *name, char *inst, char *realm,
 		   int newvno, char *key);
+#if TARGET_OS_MAC && defined(__FILES__)
+int KRB5_CALLCONV FSp_put_svc_key(const FSSpec *, char *, char *, char *,
+    int, char *);
+#endif
+
 /* rd_err.c */
 int KRB5_CALLCONV krb_rd_err
 	(u_char *in, u_long in_length,
@@ -539,6 +608,10 @@ int KRB5_CALLCONV krb_rd_req
 	(KTEXT, char *service, char *inst,
 		   unsigned KRB4_32 from_addr, AUTH_DAT *,
 		   char *srvtab);
+/* Merged from KfM */
+int KRB5_CALLCONV
+krb_rd_req_int(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *, C_Block);
+
 /* rd_safe.c */
 long KRB5_CALLCONV krb_rd_safe
 	(u_char *in, unsigned KRB4_32 in_length,
@@ -553,6 +626,11 @@ int KRB5_CALLCONV read_service_key
 int KRB5_CALLCONV get_service_key
 	(char *service, char *instance, char *realm,
 		   int *kvno, char *file, char *key);
+#if TARGET_OS_MAC && defined(__FILES__)
+int KRB5_CALLCONV FSp_read_service_key(char *, char *, char *,
+    int, const FSSpec*, char *);
+#endif
+
 /* realmofhost.c */
 char * KRB5_CALLCONV krb_realmofhost
 	(char *host);
@@ -579,13 +657,15 @@ int KRB5_CALLCONV krb_save_credentials
 		   C_Block session, int lifetime, int kvno,
 		   KTEXT ticket, long issue_date);
 /* send_to_kdc.c */
+/* XXX PRIVATE? KfM doesn't export. */
 int send_to_kdc
 	(KTEXT pkt, KTEXT rpkt, char *realm);
 
 /* tkt_string.c */
-char * tkt_string
+/* Used to return pointer to non-const char */
+const char * KRB5_CALLCONV tkt_string
 	(void);
-void krb_set_tkt_string
+void KRB5_CALLCONV krb_set_tkt_string
 	(char *);
 
 /* tf_util.c */
@@ -608,7 +688,9 @@ unsigned KRB4_32 KRB5_CALLCONV unix_time_gmt_unixsec
  */
 extern int krb_set_key
 	(char *key, int cvt);
-extern int decomp_ticket
+
+/* This is exported by KfM.  It was previously not KRB5_CALLCONV. */
+extern int KRB5_CALLCONV decomp_ticket
 	(KTEXT tkt, unsigned char *flags, char *pname,
 		   char *pinstance, char *prealm, unsigned KRB4_32 *paddress,
 		   C_Block session, int *life, unsigned KRB4_32 *time_sec,
@@ -646,23 +728,38 @@ extern int krb_set_key_krb5(krb5_context ctx, krb5_keyblock *key);
 #endif
 
 #if TARGET_OS_MAC
-/* The following functions are not part of the standard Kerberos v4 API. 
- * They were created for Mac implementation, and used by admin tools 
- * such as CNS-Config. */
+/*
+ * KfM krb.hin had the following, probably inherited from CNS:
+ *
+ *   The following functions are not part of the standard Kerberos v4
+ *   API.  They were created for Mac implementation, and used by admin
+ *   tools such as CNS-Config.
+ */
 extern int KRB5_CALLCONV
 krb_get_num_cred(void);
 
-extern int INTERFACE
+extern int KRB5_CALLCONV
 krb_get_nth_cred(char *, char *, char *, int);
 
-extern int INTERFACE
+extern int KRB5_CALLCONV
 krb_delete_cred(char *, char *,char *);
 
-extern int INTERFACE
+extern int KRB5_CALLCONV
 dest_all_tkts(void);
 
 #endif /* TARGET_OS_MAC */
 
+/*
+ * krb_change_password -- merged from KfM
+ */
+/* change_password.c */
+int KRB5_CALLCONV krb_change_password(char *, char *, char *, char *, char *);
+
+/*
+ * RealmConfig-glue.c from KfM XXX to be merged
+ */
+extern int KRB5_CALLCONV krb_get_profile(profile_t *profile);
+
 #ifdef _WINDOWS
 HINSTANCE get_lib_instance(void);
 unsigned int krb_get_notification_message(void);
@@ -672,8 +769,14 @@ unsigned KRB4_32 win_time_gmt_unixsec(unsigned KRB4_32 *);
 long win_time_get_epoch(void);
 #endif
 
-#ifdef __cplusplus
-}
+#if TARGET_OS_MAC
+#	if defined(__MWERKS__)
+#		pragma enumsalwaysint reset
+#		pragma import reset
+#	endif
+#	pragma options align=reset
 #endif
 
+KRBINT_END_DECLS
+
 #endif	/* KRB_DEFS */
diff --git a/src/include/kerberosIV/krb_conf.h b/src/include/kerberosIV/krb_conf.h
deleted file mode 100644
index 3edeaf9413..0000000000
--- a/src/include/kerberosIV/krb_conf.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * include/kerberosIV/krb_conf.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * This file contains configuration information for the Kerberos library
- * which is machine specific; currently, this file contains
- * configuration information for the vax, the "ibm032" (RT), and the
- * "PC8086" (IBM PC). 
- *
- * Note:  cross-compiled targets must appear BEFORE their corresponding
- * cross-compiler host.  Otherwise, both will be defined when running
- * the native compiler on the programs that construct cross-compiled
- * sources. 
- */
-
-#ifndef KRB_CONF_DEFS
-#define KRB_CONF_DEFS
-
-/* Byte ordering */
-extern int krbONE;
-#define		HOST_BYTE_ORDER	(* (char *) &krbONE)
-#define		MSB_FIRST		0	/* 68000, IBM RT/PC */
-#define		LSB_FIRST		1	/* Vax, PC8086 */
-
-#endif /* KRB_CONF_DEFS */
diff --git a/src/include/kerberosIV/passwd_server.h b/src/include/kerberosIV/passwd_server.h
deleted file mode 100644
index e0a32c54ca..0000000000
--- a/src/include/kerberosIV/passwd_server.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * include/kerberosIV/passwd_server.h
- *
- * Copyright 1987, 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * Include file for password server
- */
-
-#ifndef PASSWD_SERVER_DEFS
-#define PASSWD_SERVER_DEFS
-
-#define PW_SRV_VERSION	2	/* version number */
-#define	RETRY_LIMIT	1
-#define	TIME_OUT	30
-#define USER_TIMEOUT	90
-#define MAX_KPW_LEN	40	/* hey, seems like a good number */
-
-#define INSTALL_NEW_PW	(1<<0)	/*
-				 * ver, cmd, name, password, old_pass,
-				 * crypt_pass, uid
-				 */
-
-#define INSTALL_REPLY	(1<<1)	/* ver, cmd, name, password */
-
-#endif /* PASSWD_SERVER_DEFS */
diff --git a/src/include/kerberosIV/principal.h b/src/include/kerberosIV/principal.h
deleted file mode 100644
index 2960870be4..0000000000
--- a/src/include/kerberosIV/principal.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * include/kerberosIV/principal.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * Definitions for principal names.
- */
-
-#ifndef PRINCIPAL_DEFS
-#define PRINCIPAL_DEFS
-
-#define NAME_LEN	39
-#define INSTANCE_LEN	39
-
-#endif /* PRINCIPAL_DEFS */
diff --git a/src/include/kerberosIV/prot.h b/src/include/kerberosIV/prot.h
index aec6546cfc..3c1b530e0f 100644
--- a/src/include/kerberosIV/prot.h
+++ b/src/include/kerberosIV/prot.h
@@ -27,8 +27,6 @@
  * encoding and decoding.
  */
 
-#include <kerberosIV/krb_conf.h>
-
 #ifndef PROT_DEFS
 #define PROT_DEFS
 
@@ -100,20 +98,22 @@
  * that is a moving pointer of type (unsigned char *) into the buffer,
  * and assume that the caller has already bounds-checked.
  */
-#define KRB4_PUT32BE(p, val)				\
-do {							\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 24) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 16) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
+#define KRB4_PUT32BE(p, val)			\
+do {						\
+    (p)[0] = ((KRB_UINT32)(val) >> 24) & 0xff;	\
+    (p)[1] = ((KRB_UINT32)(val) >> 16) & 0xff;	\
+    (p)[2] = ((KRB_UINT32)(val) >> 8)  & 0xff;	\
+    (p)[3] =  (KRB_UINT32)(val)        & 0xff;	\
+    (p) += 4;					\
 } while (0)
 
-#define KRB4_PUT32LE(p, val)				\
-do {							\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 16) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 24) & 0xff;	\
+#define KRB4_PUT32LE(p, val)			\
+do {						\
+    (p)[0] =  (KRB_UINT32)(val)        & 0xff;	\
+    (p)[1] = ((KRB_UINT32)(val) >> 8)  & 0xff;	\
+    (p)[2] = ((KRB_UINT32)(val) >> 16) & 0xff;	\
+    (p)[3] = ((KRB_UINT32)(val) >> 24) & 0xff;	\
+    (p) += 4;					\
 } while (0)
 
 #define KRB4_PUT32(p, val, le)			\
@@ -124,16 +124,18 @@ do {						\
 	KRB4_PUT32BE((p), (val));		\
 } while (0)
 
-#define KRB4_PUT16BE(p, val)				\
-do {							\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
+#define KRB4_PUT16BE(p, val)			\
+do {						\
+    (p)[0] = ((KRB_UINT32)(val) >> 8) & 0xff;	\
+    (p)[1] =  (KRB_UINT32)(val)       & 0xff;	\
+    (p) += 2;					\
 } while (0)
 
-#define KRB4_PUT16LE(p, val)				\
-do {							\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
+#define KRB4_PUT16LE(p, val)			\
+do {						\
+    (p)[0] =  (KRB_UINT32)(val)       & 0xff;	\
+    (p)[1] = ((KRB_UINT32)(val) >> 8) & 0xff;	\
+    (p) += 2;					\
 } while (0)
 
 #define KRB4_PUT16(p, val, le)			\
@@ -154,18 +156,20 @@ do {						\
  */
 #define KRB4_GET32BE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++ << 24;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 16;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 8;	\
-    (val) |= (unsigned KRB4_32)*(p)++;		\
+    (val)  = (KRB_UINT32)(p)[0] << 24;		\
+    (val) |= (KRB_UINT32)(p)[1] << 16;		\
+    (val) |= (KRB_UINT32)(p)[2] << 8;		\
+    (val) |= (KRB_UINT32)(p)[3];		\
+    (p) += 4;					\
 } while (0)
 
 #define KRB4_GET32LE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++;		\
-    (val) |= (unsigned KRB4_32)*(p)++ << 8;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 16;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 24;	\
+    (val)  = (KRB_UINT32)(p)[0];		\
+    (val) |= (KRB_UINT32)(p)[1] << 8;		\
+    (val) |= (KRB_UINT32)(p)[2] << 16;		\
+    (val) |= (KRB_UINT32)(p)[3] << 24;		\
+    (p) += 4;					\
 } while(0)
 
 #define KRB4_GET32(val, p, le)			\
@@ -178,14 +182,16 @@ do {						\
 
 #define KRB4_GET16BE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++ << 8;	\
-    (val) |= (unsigned KRB4_32)*(p)++;		\
+    (val)  = (KRB_UINT32)(p)[0] << 8;		\
+    (val) |= (KRB_UINT32)(p)[1];		\
+    (p) += 2;					\
 } while (0)
 
 #define KRB4_GET16LE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++;		\
-    (val) |= (unsigned KRB4_32)*(p)++ << 8;	\
+    (val)  = (KRB_UINT32)(p)[0];		\
+    (val) |= (KRB_UINT32)(p)[1] << 8;		\
+    (p) += 2;					\
 } while (0)
 
 #define KRB4_GET16(val, p, le)			\
diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h
index 1b9be3ee12..e23ac1a3fd 100644
--- a/src/include/port-sockets.h
+++ b/src/include/port-sockets.h
@@ -26,6 +26,9 @@ typedef WSABUF sg_buf;
 #define SOCKET_NFDS(f)          (0)     /* select()'s first arg is ignored */
 #define SOCKET_READ(fd, b, l)   (recv(fd, b, l, 0))
 #define SOCKET_WRITE(fd, b, l)  (send(fd, b, l, 0))
+#define SOCKET_CONNECT		connect	/* XXX */
+#define SOCKET_GETSOCKNAME	getsockname /* XXX */
+#define SOCKET_CLOSE		close /* XXX */
 #define SOCKET_EINTR            WSAEINTR
 
 /* Return -1 for error or number of bytes written.
@@ -119,6 +122,9 @@ typedef struct iovec sg_buf;
 #define SOCKET_NFDS(f)		((f)+1)	/* select() arg for a single fd */
 #define SOCKET_READ		read
 #define SOCKET_WRITE		write
+#define SOCKET_CONNECT		connect
+#define SOCKET_GETSOCKNAME	getsockname
+#define SOCKET_CLOSE		close
 #define SOCKET_EINTR		EINTR
 #define SOCKET_WRITEV_TEMP int
 /* Use TMP to avoid compiler warnings and keep things consistent with