Merge more KfM krb4 things

Implement *_in_tkt_creds, mk_req_creds, and rd_req_int functions.

Implement KfM krb4 kadm password changing, mostly by pulling in the
client side of the kadm library into the krb4 library.

Do some more header file cleanup of des.h and krb.h.

Remove some ancient krb4 dead weight.

Some Mac-specific functionality still needs to be merged.

ticket: 1189
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15014 dc483132-0cff-0310-8789-dd5450dbe970

13 files changed, 325 insertions, 300 deletions

diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 8007aafbe..0cf22ca70 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,8 @@
+2002-11-26  Tom Yu  <tlyu@mit.edu>
+
+	* port-sockets.h: Add SOCKET_CONNECT, SOCKET_GETSOCKNAME, and
+	SOCKET_CLOSE to allow for porting of some KfM things.
+
 2002-11-14  Tom Yu  <tlyu@mit.edu>
 
 	* Makefile.in: Remove references to adm_err.h from here too.
diff --git a/src/include/kerberosIV/ChangeLog b/src/include/kerberosIV/ChangeLog
index 8c8fa69b7..bbee33b22 100644
--- a/src/include/kerberosIV/ChangeLog
+++ b/src/include/kerberosIV/ChangeLog
@@ -1,3 +1,31 @@
+2002-11-26  Tom Yu  <tlyu@mit.edu>
+
+	* Makefile.in (KRB4_HEADERS): Don't install kadm.h anymore.
+
+	* des.h: Put "#" characters in first column.  Do the
+	KRBINT_BEGIN_DECLS hack to make emacs happy.  Shuffle limits.h
+	inclusion to be outside C++ and Mac alignment magic.
+
+	* kadm.h: Remove some spurious prototypes.  Rename a bunch of
+	internal kadm_stream stuff to avoid stomping on namespace.  Add
+	prototypes for some client-side kadm stuff.
+
+	* krb.h: Do Mac CFM magic.  Do C++ mangling protection.  Do Mac
+	alignment magic.  Move inclusions outside of C++ mangling
+	protection and Mac magic.  Add KRB5_CALLCONV to a few functions
+	that KfM's krb.h exports.  Merge the *_in_tkt_*_creds,
+	mk_req_creds, and rd_req_int functions from KfM.  Add prototypes
+	for some KfM-specific things yet to be merged.
+
+	* prot.h: Don't include krb_conf.h anymore.  Twiddle the int
+	encoding/decoding macros a little.
+
+	* des_conf.h:
+	* highc.h:
+	* krb_conf.h:
+	* passwd_server.h:
+	* principal.h: Remove, since they're obsolete.
+
 2002-10-07  Sam Hartman  <hartmans@mit.edu>
 
 	* Makefile.in: Support install-headers
diff --git a/src/include/kerberosIV/Makefile.in b/src/include/kerberosIV/Makefile.in
index e48321ec6..d54101dcd 100644
--- a/src/include/kerberosIV/Makefile.in
+++ b/src/include/kerberosIV/Makefile.in
@@ -3,7 +3,7 @@ myfulldir=include/kerberosIV
 mydir=kerberosIV
 MY_SUBDIRS=.
 BUILDTOP=$(REL)..$(S)..
-KRB4_HEADERS=krb.h des.h kadm.h mit-copyright.h
+KRB4_HEADERS=krb.h des.h mit-copyright.h
 
 all-unix:: krb_err.h
 
diff --git a/src/include/kerberosIV/des.h b/src/include/kerberosIV/des.h
index 46a4f527d..d51120958 100644
--- a/src/include/kerberosIV/des.h
+++ b/src/include/kerberosIV/des.h
@@ -27,25 +27,37 @@
  */
 
 #if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
-	#include <TargetConditionals.h>
-    #if TARGET_RT_MAC_CFM
-        #error "Use KfM 4.0 SDK headers for CFM compilation."
-    #endif
+#	include <TargetConditionals.h>
+#	if TARGET_RT_MAC_CFM
+#		error "Use KfM 4.0 SDK headers for CFM compilation."
+#	endif
+#endif
+
+#ifdef __cplusplus
+#ifndef KRBINT_BEGIN_DECLS
+#define KRBINT_BEGIN_DECLS	extern "C" {
+#define KRBINT_END_DECLS	}
+#endif
+#else
+#define KRBINT_BEGIN_DECLS
+#define KRBINT_END_DECLS
 #endif
 
 #ifndef KRB5INT_DES_TYPES_DEFINED
 #define KRB5INT_DES_TYPES_DEFINED
 
+#include <limits.h>
+
+KRBINT_BEGIN_DECLS
+
 #if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma import on
-        #pragma enumsalwaysint on
-    #endif
-    #pragma options align=mac68k
+#	if defined(__MWERKS__)
+#		pragma import on
+#		pragma enumsalwaysint on
+#	endif
+#	pragma options align=mac68k
 #endif
 
-#include <limits.h>
-
 #if UINT_MAX >= 0xFFFFFFFFUL
 #define DES_INT32 int
 #define DES_UINT32 unsigned int
@@ -60,10 +72,12 @@ typedef unsigned char des_cblock[8];	/* crypto-block size */
  *
  * This used to be
  *
- * typedef struct des_ks_struct { union { DES_INT32 pad; des_cblock _;} __; } des_key_schedule[16];
+ * typedef struct des_ks_struct {
+ *     union { DES_INT32 pad; des_cblock _;} __;
+ * } des_key_schedule[16];
  *
- * but it would cause trouble if DES_INT32 is ever more than 4 bytes.
- * The reason is that all the encryption functions cast it to
+ * but it would cause trouble if DES_INT32 were ever more than 4
+ * bytes.  The reason is that all the encryption functions cast it to
  * (DES_INT32 *), and treat it as if it were DES_INT32[32].  If
  * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
  * caller-allocated des_key_schedule will be overflowed by the key
@@ -74,13 +88,15 @@ typedef unsigned char des_cblock[8];	/* crypto-block size */
 typedef struct des_ks_struct {  DES_INT32 _[2]; } des_key_schedule[16];
 
 #if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma enumsalwaysint reset
-        #pragma import reset
-    #endif
-	#pragma options align=reset
+#	if defined(__MWERKS__)
+#		pragma enumsalwaysint reset
+#		pragma import reset
+#	endif
+#	pragma options align=reset
 #endif
 
+KRBINT_END_DECLS
+
 #endif /* KRB5INT_DES_TYPES_DEFINED */
 
 /* only do the whole thing once	 */
@@ -94,18 +110,6 @@ typedef struct des_ks_struct {  DES_INT32 _[2]; } des_key_schedule[16];
 #ifndef KRB5INT_CRYPTO_DES_INT
 #define DES_DEFS
 
-#if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma import on
-        #pragma enumsalwaysint on
-    #endif
-    #pragma options align=mac68k
-#endif
-
-#if defined(_WIN32) && !defined(_WINDOWS)
-#define _WINDOWS
-#endif
-
 #if defined(_WINDOWS)
 #ifndef KRB4
 #define KRB4 1
@@ -114,6 +118,20 @@ typedef struct des_ks_struct {  DES_INT32 _[2]; } des_key_schedule[16];
 #endif
 #include <stdio.h> /* need FILE for des_cblock_print_file */
 
+KRBINT_BEGIN_DECLS
+
+#if TARGET_OS_MAC
+#	if defined(__MWERKS__)
+#		pragma import on
+#		pragma enumsalwaysint on
+#	endif
+#	pragma options align=mac68k
+#endif
+
+#if defined(_WIN32) && !defined(_WINDOWS)
+#define _WINDOWS
+#endif
+
 /* Windows declarations */
 #ifndef KRB5_CALLCONV
 #define KRB5_CALLCONV
@@ -221,12 +239,14 @@ void des_set_sequence_number(des_cblock);
 #endif /* TARGET_OS_MAC */
 
 #if TARGET_OS_MAC
-    #if defined(__MWERKS__)
-        #pragma enumsalwaysint reset
-        #pragma import reset
-    #endif
-	#pragma options align=reset
+#	if defined(__MWERKS__)
+#		pragma enumsalwaysint reset
+#		pragma import reset
+#	endif
+#	pragma options align=reset
 #endif
 
+KRBINT_END_DECLS
+
 #endif /* KRB5INT_CRYPTO_DES_INT */
 #endif	/* DES_DEFS */
diff --git a/src/include/kerberosIV/des_conf.h b/src/include/kerberosIV/des_conf.h
deleted file mode 100644
index 673eb93fb..000000000
--- a/src/include/kerberosIV/des_conf.h
+++ /dev/null
@@ -1,2 +0,0 @@
-This file is obsolete and should not be used any more.
-Use "conf.h" instead.
diff --git a/src/include/kerberosIV/highc.h b/src/include/kerberosIV/highc.h
deleted file mode 100644
index c45a85502..000000000
--- a/src/include/kerberosIV/highc.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * include/kerberosIV/highc.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * Known breakage in the version of Metaware's High C compiler that
- * we've got available....
- */
-
-#define const
-/*#define volatile*/
-
-/*
- * Some builtin functions we can take advantage of for inlining....
- */
-
-#define abs			_abs
-/* the _max and _min builtins accept any number of arguments */
-#undef MAX
-#define MAX(x,y)		_max(x,y)
-#undef MIN
-#define MIN(x,y)		_min(x,y)
-/*
- * I'm not sure if 65535 is a limit for this builtin, but it's
- * reasonable for a string length.  Or is it?
- */
-/*#define strlen(s)		_find_char(s,65535,0)*/
-#define bzero(ptr,len)		_fill_char(ptr,len,'\0')
-#define bcmp(b1,b2,len)		_compare(b1,b2,len)
diff --git a/src/include/kerberosIV/kadm.h b/src/include/kerberosIV/kadm.h
index e3f47c059..e65af2926 100644
--- a/src/include/kerberosIV/kadm.h
+++ b/src/include/kerberosIV/kadm.h
@@ -1,8 +1,8 @@
 /*
  * include/kerberosIV/kadm.h
  *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
+ * Copyright 1988, 1994, 2002 by the Massachusetts Institute of
+ * Technology.  All Rights Reserved.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -23,7 +23,9 @@
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
  * 
- * Definitions for Kerberos administration server & client
+ * Definitions for Kerberos administration server & client.  These
+ * should be considered private; among other reasons, it leaks all
+ * over the namespace.
  */
 
 #ifndef KADM_DEFS
@@ -47,18 +49,21 @@
 
 /* The global structures for the client and server */
 typedef struct {
-  struct sockaddr_in admin_addr;
-  struct sockaddr_in my_addr;
-  int my_addr_len;
-  int admin_fd;			/* file descriptor for link to admin server */
-  char sname[ANAME_SZ];		/* the service name */
-  char sinst[INST_SZ];		/* the services instance */
-  char krbrlm[REALM_SZ];
+    struct sockaddr_in admin_addr;
+    struct sockaddr_in my_addr;
+    int my_addr_len;
+    int admin_fd;		/* file descriptor for link to admin server */
+    char sname[ANAME_SZ];	/* the service name */
+    char sinst[INST_SZ];	/* the services instance */
+    char krbrlm[REALM_SZ];
+    /* KfM additions... */
+    int  default_port;
+    CREDENTIALS creds; /* The client's credentials (from krb_get_pw_in_tkt_creds)*/
 } Kadm_Client;
 
 typedef struct {		/* status of the server, i.e the parameters */
-   int inter;			/* Space for command line flags */
-   char *sysfile;		/* filename of server */
+    int inter;			/* Space for command line flags */
+    char *sysfile;		/* filename of server */
 } admin_params;			/* Well... it's the admin's parameters */
 
 /* Largest password length to be supported */
@@ -92,9 +97,9 @@ typedef struct {
     u_char         fields[FLDSZ];     /* The active fields in this struct */
     char           name[ANAME_SZ];
     char           instance[INST_SZ];
-    unsigned long  key_low;
-    unsigned long  key_high;
-    unsigned long  exp_date;
+    KRB_UINT32     key_low;
+    KRB_UINT32     key_high;
+    KRB_UINT32     exp_date;
     unsigned short attributes;
     unsigned char  max_life;
 } Kadm_vals;                    /* The basic values structure in Kadm */
@@ -143,18 +148,47 @@ DELACL
 #define KADM_CYGNUS_EXT_BASE 64
 #define DEL_ENT              (KADM_CYGNUS_EXT_BASE+1)
 
-extern long kdb_get_master_key();	/* XXX should be in krb_db.h */
-extern long kdb_verify_master_key();	/* XXX ditto */
-
-extern long krb_mk_priv(), krb_rd_priv(); /* XXX should be in krb.h */
-extern void krb_set_tkt_string();	/* XXX ditto */
-
-extern unsigned long quad_cksum();	/* XXX should be in des.h */
-
 #ifdef POSIX
 typedef void sigtype;
 #else
 typedef int sigtype;
 #endif
 
+/* Avoid stomping on namespace... */
+
+#define vals_to_stream		kadm_vals_to_stream
+#define build_field_header	kadm_build_field_header
+#define vts_string		kadm_vts_string
+#define vts_short		kadm_vts_short
+#define vts_long		kadm_vts_long
+#define vts_char		kadm_vts_char
+
+#define stream_to_vals		kadm_stream_to_vals
+#define check_field_header	kadm_check_field_header
+#define stv_string		kadm_stv_string
+#define stv_short		kadm_stv_short
+#define stv_long		kadm_stv_long
+#define stv_char		kadm_stv_char
+
+int vals_to_stream(Kadm_vals *, u_char **);
+int build_field_header(u_char *, u_char **);
+int vts_string(char *, u_char **, int);
+int vts_short(KRB_UINT32, u_char **, int);
+int vts_long(KRB_UINT32, u_char **, int);
+int vts_char(KRB_UINT32, u_char **, int);
+
+int stream_to_vals(u_char *, Kadm_vals *, int);
+int check_field_header(u_char *, u_char *, int);
+int stv_string(u_char *, char *, int, int, int);
+int stv_short(u_char *, u_short *, int, int);
+int stv_long(u_char *, KRB_UINT32 *, int, int);
+int stv_char(u_char *, u_char *, int, int);
+
+int kadm_init_link(char *, char *, char *, Kadm_Client *, int);
+int kadm_cli_send(Kadm_Client *, u_char *, size_t, u_char **, size_t *);
+int kadm_cli_conn(Kadm_Client *);
+void kadm_cli_disconn(Kadm_Client *);
+int kadm_cli_out(Kadm_Client *, u_char *, int, u_char **, size_t *);
+int kadm_cli_keyd(Kadm_Client *, des_cblock, des_key_schedule);
+
 #endif /* KADM_DEFS */
diff --git a/src/include/kerberosIV/krb.h b/src/include/kerberosIV/krb.h
index 30376bcfd..fe28111c4 100644
--- a/src/include/kerberosIV/krb.h
+++ b/src/include/kerberosIV/krb.h
@@ -1,8 +1,8 @@
 /*
  * include/kerberosIV/krb.h
  *
- * Copyright 1987, 1988, 1994, 2001 by the Massachusetts Institute of
- * Technology.  All Rights Reserved.
+ * Copyright 1987, 1988, 1994, 2001, 2002 by the Massachusetts
+ * Institute of Technology.  All Rights Reserved.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -30,17 +30,51 @@
 #ifndef	KRB_DEFS
 #define KRB_DEFS
 
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+#	include <TargetConditionals.h>
+#	if TARGET_RT_MAC_CFM
+#		error "Use KfM 4.0 SDK headers for CFM compilation."
+#	endif
+#endif
+
+/* Define u_char, u_short, u_int, and u_long. */
+/* XXX these typdef names are not standardized! */
+#include <sys/types.h>
+
 /* Need some defs from des.h	 */
 #include <kerberosIV/des.h>
 
-#define KRB4_32		DES_INT32
-#define KRB_INT32	DES_INT32
-#define KRB_UINT32	DES_UINT32
+#include <kerberosIV/krb_err.h>		/* XXX FIXME! */
+
+#include <profile.h>
 
 #ifdef _WINDOWS
 #include <time.h>
 #endif /* _WINDOWS */
 
+#ifdef __cplusplus
+#ifndef KRBINT_BEGIN_DECLS
+#define KRBINT_BEGIN_DECLS	extern "C" {
+#define KRBINT_END_DECLS	}
+#endif
+#else
+#define KRBINT_BEGIN_DECLS
+#define KRBINT_END_DECLS
+#endif
+KRBINT_BEGIN_DECLS
+
+#if TARGET_OS_MAC
+#	if defined(__MWERKS__)
+#		pragma import on
+#		pragma enumsalwaysint on
+#	endif
+#	pragma options align=mac68k
+#endif
+
+#define KRB4_32		DES_INT32
+#define KRB_INT32	DES_INT32
+#define KRB_UINT32	DES_UINT32
+
 /* Text describing error codes */
 #define		MAX_KRB_ERRORS	256
 extern const char *const krb_err_txt[MAX_KRB_ERRORS];
@@ -74,6 +108,9 @@ extern const char *const krb_err_txt[MAX_KRB_ERRORS];
 #define		REALM_SZ	40
 #define		SNAME_SZ	40
 #define		INST_SZ		40
+/*
+ * NB: This overcounts due to NULs.
+ */
 /* include space for '.' and '@' */
 #define		MAX_K_NAME_SZ	(ANAME_SZ + INST_SZ + REALM_SZ + 2)
 #define		KKEY_SZ		100
@@ -117,7 +154,7 @@ typedef struct ktext KTEXT_ST;
 #endif /* PC */
 
 /* Parameters for rd_ap_req */
-/* Maximum alloable clock skew in seconds */
+/* Maximum allowable clock skew in seconds */
 #define 	CLOCK_SKEW	5*60
 /* Filename for readservkey */
 #define		KEYFILE		((char*)krb__get_srvtabname("/etc/srvtab"))
@@ -182,7 +219,10 @@ typedef struct msg_dat MSG_DAT;
 #define TKT_ROOT        "/tmp/tkt"
 #endif /* PC */
 
-#include "kerberosIV/krb_err.h"		/* XXX FIXME! */
+/*
+ * Error codes are now defined as offsets from com_err (krb_err.et)
+ * values.
+ */
 #define KRB_ET(x)	((KRBET_ ## x) - ERROR_TABLE_BASE_krb)
 
 /* Error codes returned from the KDC */
@@ -267,7 +307,7 @@ typedef struct msg_dat MSG_DAT;
 #define	KNAME_FMT	KRB_ET(KNAME_FMT)	/* 81 - Bad krb name fmt */
 
 /* Error code returned by krb_mk_safe */
-#define		SAFE_PRIV_ERROR	-1	/* syscall error */
+#define	SAFE_PRIV_ERROR	(-1)			/* syscall error */
 
 /* Kerberos ticket flag field bit definitions */
 #define K_FLAG_ORDER    0       /* bit 0 --> lsb */
@@ -279,6 +319,7 @@ typedef struct msg_dat MSG_DAT;
 #define K_FLAG_6                /* reserved */
 #define K_FLAG_7                /* reserved, bit 7 --> msb */
 
+/* Are these needed anymore? */
 #ifdef	OLDNAMES
 #define krb_mk_req	mk_ap_req
 #define krb_rd_req	rd_ap_req
@@ -330,9 +371,6 @@ typedef struct msg_dat MSG_DAT;
 #endif /*_WINDOWS*/
 
 
-/* Define u_char, u_short, u_int, and u_long. */
-#include <sys/types.h>
-
 /* ask to disable IP address checking in the library */
 extern int krb_ignore_ip_address;
 
@@ -376,10 +414,6 @@ extern struct _krb5_context * krb5__krb4_context;
 
 struct sockaddr_in;
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 /* dest_tkt.c */
 int KRB5_CALLCONV dest_tkt
 	(void);
@@ -387,7 +421,8 @@ int KRB5_CALLCONV dest_tkt
 const char * KRB5_CALLCONV krb_get_err_text
 	(int errnum);
 /* g_ad_tkt.c */
-int get_ad_tkt
+/* Previously not KRB5_CALLCONV */
+int KRB5_CALLCONV get_ad_tkt
 	(char *service, char *sinst, char *realm, int lifetime);
 /* g_admhst.c */
 int KRB5_CALLCONV krb_get_admhst
@@ -397,15 +432,21 @@ int KRB5_CALLCONV krb_get_cred
 	(char *service, char *instance, char *realm,
 		   CREDENTIALS *c);
 /* g_in_tkt.c */
-int krb_get_in_tkt
+/* Previously not KRB5_CALLCONV */
+int KRB5_CALLCONV krb_get_in_tkt
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinst, int life,
 		   key_proc_type, decrypt_tkt_type, char *arg);
-int krb_get_in_tkt_preauth
+/* Previously not KRB5_CALLCONV */
+int KRB5_CALLCONV krb_get_in_tkt_preauth
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinst, int life,
 		   key_proc_type, decrypt_tkt_type, char *arg,
 		   char *preauth_p, int preauth_len);
+/* From KfM */
+int KRB5_CALLCONV krb_get_in_tkt_creds(char *, char *, char *, char *, char *,
+    int, key_proc_type, decrypt_tkt_type, char *, CREDENTIALS *);
+
 /* g_krbhst.c */
 int KRB5_CALLCONV krb_get_krbhst
 	(char *host, char *realm, int idx);
@@ -427,11 +468,21 @@ int KRB5_CALLCONV krb_get_pw_in_tkt_preauth
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinstance,
 		   int life, char *password);
+int KRB5_CALLCONV
+krb_get_pw_in_tkt_creds(char *, char *, char *,
+	char *, char *, int, char *, CREDENTIALS *);
+
 /* g_svc_in_tkt.c */
 int KRB5_CALLCONV krb_get_svc_in_tkt
 	(char *k_user, char *instance, char *realm,
 		   char *service, char *sinstance,
 		   int life, char *srvtab);
+#if TARGET_OS_MAC && defined(__FILES__)
+int KRB5_CALLCONV
+FSp_krb_get_svc_in_tkt(char *, char *, char *, char *, char *,
+    int, const FSSpec *);
+#endif
+
 /* g_tf_fname.c */
 int KRB5_CALLCONV krb_get_tf_fullname
 	(char *ticket_file, char *name, char *inst, char *realm);
@@ -453,6 +504,10 @@ int KRB5_CALLCONV krb_in_tkt
 int KRB5_CALLCONV kname_parse
 	(char *name, char *inst, char *realm,
 		   char *fullname);
+/* From KfM XXX to be merged*/
+int KRB5_CALLCONV kname_unparse
+	(char *, const char *, const char *, const char *);
+
 int KRB5_CALLCONV k_isname
         (char *);
 int KRB5_CALLCONV k_isinst
@@ -503,6 +558,12 @@ int KRB5_CALLCONV krb_mk_req
 	(KTEXT authent,
 		   char *service, char *instance, char *realm,
 		   KRB4_32 checksum);
+/* Merged from KfM */
+int KRB5_CALLCONV krb_mk_req_creds(KTEXT, CREDENTIALS *, KRB_INT32);
+
+/* Added CALLCONV (KfM exports w/o INTERFACE, but KfW doesn't export?) */
+int KRB5_CALLCONV krb_set_lifetime(int newval);
+
 /* mk_safe.c */
 long KRB5_CALLCONV krb_mk_safe
 	(u_char *in, u_char *out, unsigned KRB4_32 length,
@@ -510,12 +571,15 @@ long KRB5_CALLCONV krb_mk_safe
 		   struct sockaddr_in *sender,
 		   struct sockaddr_in *receiver);
 /* netread.c */
+/* XXX private */
 int krb_net_read
 	(int fd, char *buf, int len);
 /* netwrite.c */
+/* XXX private */
 int krb_net_write
 	(int fd, char *buf, int len);
 /* pkt_clen.c */
+/* XXX private */
 int pkt_clen
 	(KTEXT);
 /* put_svc_key.c */
@@ -523,6 +587,11 @@ int KRB5_CALLCONV put_svc_key
 	(char *sfile,
 		   char *name, char *inst, char *realm,
 		   int newvno, char *key);
+#if TARGET_OS_MAC && defined(__FILES__)
+int KRB5_CALLCONV FSp_put_svc_key(const FSSpec *, char *, char *, char *,
+    int, char *);
+#endif
+
 /* rd_err.c */
 int KRB5_CALLCONV krb_rd_err
 	(u_char *in, u_long in_length,
@@ -539,6 +608,10 @@ int KRB5_CALLCONV krb_rd_req
 	(KTEXT, char *service, char *inst,
 		   unsigned KRB4_32 from_addr, AUTH_DAT *,
 		   char *srvtab);
+/* Merged from KfM */
+int KRB5_CALLCONV
+krb_rd_req_int(KTEXT, char *, char *, KRB_UINT32, AUTH_DAT *, C_Block);
+
 /* rd_safe.c */
 long KRB5_CALLCONV krb_rd_safe
 	(u_char *in, unsigned KRB4_32 in_length,
@@ -553,6 +626,11 @@ int KRB5_CALLCONV read_service_key
 int KRB5_CALLCONV get_service_key
 	(char *service, char *instance, char *realm,
 		   int *kvno, char *file, char *key);
+#if TARGET_OS_MAC && defined(__FILES__)
+int KRB5_CALLCONV FSp_read_service_key(char *, char *, char *,
+    int, const FSSpec*, char *);
+#endif
+
 /* realmofhost.c */
 char * KRB5_CALLCONV krb_realmofhost
 	(char *host);
@@ -579,13 +657,15 @@ int KRB5_CALLCONV krb_save_credentials
 		   C_Block session, int lifetime, int kvno,
 		   KTEXT ticket, long issue_date);
 /* send_to_kdc.c */
+/* XXX PRIVATE? KfM doesn't export. */
 int send_to_kdc
 	(KTEXT pkt, KTEXT rpkt, char *realm);
 
 /* tkt_string.c */
-char * tkt_string
+/* Used to return pointer to non-const char */
+const char * KRB5_CALLCONV tkt_string
 	(void);
-void krb_set_tkt_string
+void KRB5_CALLCONV krb_set_tkt_string
 	(char *);
 
 /* tf_util.c */
@@ -608,7 +688,9 @@ unsigned KRB4_32 KRB5_CALLCONV unix_time_gmt_unixsec
  */
 extern int krb_set_key
 	(char *key, int cvt);
-extern int decomp_ticket
+
+/* This is exported by KfM.  It was previously not KRB5_CALLCONV. */
+extern int KRB5_CALLCONV decomp_ticket
 	(KTEXT tkt, unsigned char *flags, char *pname,
 		   char *pinstance, char *prealm, unsigned KRB4_32 *paddress,
 		   C_Block session, int *life, unsigned KRB4_32 *time_sec,
@@ -646,23 +728,38 @@ extern int krb_set_key_krb5(krb5_context ctx, krb5_keyblock *key);
 #endif
 
 #if TARGET_OS_MAC
-/* The following functions are not part of the standard Kerberos v4 API. 
- * They were created for Mac implementation, and used by admin tools 
- * such as CNS-Config. */
+/*
+ * KfM krb.hin had the following, probably inherited from CNS:
+ *
+ *   The following functions are not part of the standard Kerberos v4
+ *   API.  They were created for Mac implementation, and used by admin
+ *   tools such as CNS-Config.
+ */
 extern int KRB5_CALLCONV
 krb_get_num_cred(void);
 
-extern int INTERFACE
+extern int KRB5_CALLCONV
 krb_get_nth_cred(char *, char *, char *, int);
 
-extern int INTERFACE
+extern int KRB5_CALLCONV
 krb_delete_cred(char *, char *,char *);
 
-extern int INTERFACE
+extern int KRB5_CALLCONV
 dest_all_tkts(void);
 
 #endif /* TARGET_OS_MAC */
 
+/*
+ * krb_change_password -- merged from KfM
+ */
+/* change_password.c */
+int KRB5_CALLCONV krb_change_password(char *, char *, char *, char *, char *);
+
+/*
+ * RealmConfig-glue.c from KfM XXX to be merged
+ */
+extern int KRB5_CALLCONV krb_get_profile(profile_t *profile);
+
 #ifdef _WINDOWS
 HINSTANCE get_lib_instance(void);
 unsigned int krb_get_notification_message(void);
@@ -672,8 +769,14 @@ unsigned KRB4_32 win_time_gmt_unixsec(unsigned KRB4_32 *);
 long win_time_get_epoch(void);
 #endif
 
-#ifdef __cplusplus
-}
+#if TARGET_OS_MAC
+#	if defined(__MWERKS__)
+#		pragma enumsalwaysint reset
+#		pragma import reset
+#	endif
+#	pragma options align=reset
 #endif
 
+KRBINT_END_DECLS
+
 #endif	/* KRB_DEFS */
diff --git a/src/include/kerberosIV/krb_conf.h b/src/include/kerberosIV/krb_conf.h
deleted file mode 100644
index 3edeaf941..000000000
--- a/src/include/kerberosIV/krb_conf.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * include/kerberosIV/krb_conf.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * This file contains configuration information for the Kerberos library
- * which is machine specific; currently, this file contains
- * configuration information for the vax, the "ibm032" (RT), and the
- * "PC8086" (IBM PC). 
- *
- * Note:  cross-compiled targets must appear BEFORE their corresponding
- * cross-compiler host.  Otherwise, both will be defined when running
- * the native compiler on the programs that construct cross-compiled
- * sources. 
- */
-
-#ifndef KRB_CONF_DEFS
-#define KRB_CONF_DEFS
-
-/* Byte ordering */
-extern int krbONE;
-#define		HOST_BYTE_ORDER	(* (char *) &krbONE)
-#define		MSB_FIRST		0	/* 68000, IBM RT/PC */
-#define		LSB_FIRST		1	/* Vax, PC8086 */
-
-#endif /* KRB_CONF_DEFS */
diff --git a/src/include/kerberosIV/passwd_server.h b/src/include/kerberosIV/passwd_server.h
deleted file mode 100644
index e0a32c54c..000000000
--- a/src/include/kerberosIV/passwd_server.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * include/kerberosIV/passwd_server.h
- *
- * Copyright 1987, 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * Include file for password server
- */
-
-#ifndef PASSWD_SERVER_DEFS
-#define PASSWD_SERVER_DEFS
-
-#define PW_SRV_VERSION	2	/* version number */
-#define	RETRY_LIMIT	1
-#define	TIME_OUT	30
-#define USER_TIMEOUT	90
-#define MAX_KPW_LEN	40	/* hey, seems like a good number */
-
-#define INSTALL_NEW_PW	(1<<0)	/*
-				 * ver, cmd, name, password, old_pass,
-				 * crypt_pass, uid
-				 */
-
-#define INSTALL_REPLY	(1<<1)	/* ver, cmd, name, password */
-
-#endif /* PASSWD_SERVER_DEFS */
diff --git a/src/include/kerberosIV/principal.h b/src/include/kerberosIV/principal.h
deleted file mode 100644
index 2960870be..000000000
--- a/src/include/kerberosIV/principal.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * include/kerberosIV/principal.h
- *
- * Copyright 1988, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- *   require a specific license from the United States Government.
- *   It is the responsibility of any person or organization contemplating
- *   export to obtain such a license before exporting.
- * 
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission.  Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose.  It is provided "as is" without express
- * or implied warranty.
- * 
- * Definitions for principal names.
- */
-
-#ifndef PRINCIPAL_DEFS
-#define PRINCIPAL_DEFS
-
-#define NAME_LEN	39
-#define INSTANCE_LEN	39
-
-#endif /* PRINCIPAL_DEFS */
diff --git a/src/include/kerberosIV/prot.h b/src/include/kerberosIV/prot.h
index aec6546cf..3c1b530e0 100644
--- a/src/include/kerberosIV/prot.h
+++ b/src/include/kerberosIV/prot.h
@@ -27,8 +27,6 @@
  * encoding and decoding.
  */
 
-#include <kerberosIV/krb_conf.h>
-
 #ifndef PROT_DEFS
 #define PROT_DEFS
 
@@ -100,20 +98,22 @@
  * that is a moving pointer of type (unsigned char *) into the buffer,
  * and assume that the caller has already bounds-checked.
  */
-#define KRB4_PUT32BE(p, val)				\
-do {							\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 24) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 16) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
+#define KRB4_PUT32BE(p, val)			\
+do {						\
+    (p)[0] = ((KRB_UINT32)(val) >> 24) & 0xff;	\
+    (p)[1] = ((KRB_UINT32)(val) >> 16) & 0xff;	\
+    (p)[2] = ((KRB_UINT32)(val) >> 8)  & 0xff;	\
+    (p)[3] =  (KRB_UINT32)(val)        & 0xff;	\
+    (p) += 4;					\
 } while (0)
 
-#define KRB4_PUT32LE(p, val)				\
-do {							\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 16) & 0xff;	\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 24) & 0xff;	\
+#define KRB4_PUT32LE(p, val)			\
+do {						\
+    (p)[0] =  (KRB_UINT32)(val)        & 0xff;	\
+    (p)[1] = ((KRB_UINT32)(val) >> 8)  & 0xff;	\
+    (p)[2] = ((KRB_UINT32)(val) >> 16) & 0xff;	\
+    (p)[3] = ((KRB_UINT32)(val) >> 24) & 0xff;	\
+    (p) += 4;					\
 } while (0)
 
 #define KRB4_PUT32(p, val, le)			\
@@ -124,16 +124,18 @@ do {						\
 	KRB4_PUT32BE((p), (val));		\
 } while (0)
 
-#define KRB4_PUT16BE(p, val)				\
-do {							\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
+#define KRB4_PUT16BE(p, val)			\
+do {						\
+    (p)[0] = ((KRB_UINT32)(val) >> 8) & 0xff;	\
+    (p)[1] =  (KRB_UINT32)(val)       & 0xff;	\
+    (p) += 2;					\
 } while (0)
 
-#define KRB4_PUT16LE(p, val)				\
-do {							\
-    *(p)++ = (unsigned KRB4_32)(val) & 0xff;		\
-    *(p)++ = ((unsigned KRB4_32)(val) >> 8) & 0xff;	\
+#define KRB4_PUT16LE(p, val)			\
+do {						\
+    (p)[0] =  (KRB_UINT32)(val)       & 0xff;	\
+    (p)[1] = ((KRB_UINT32)(val) >> 8) & 0xff;	\
+    (p) += 2;					\
 } while (0)
 
 #define KRB4_PUT16(p, val, le)			\
@@ -154,18 +156,20 @@ do {						\
  */
 #define KRB4_GET32BE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++ << 24;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 16;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 8;	\
-    (val) |= (unsigned KRB4_32)*(p)++;		\
+    (val)  = (KRB_UINT32)(p)[0] << 24;		\
+    (val) |= (KRB_UINT32)(p)[1] << 16;		\
+    (val) |= (KRB_UINT32)(p)[2] << 8;		\
+    (val) |= (KRB_UINT32)(p)[3];		\
+    (p) += 4;					\
 } while (0)
 
 #define KRB4_GET32LE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++;		\
-    (val) |= (unsigned KRB4_32)*(p)++ << 8;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 16;	\
-    (val) |= (unsigned KRB4_32)*(p)++ << 24;	\
+    (val)  = (KRB_UINT32)(p)[0];		\
+    (val) |= (KRB_UINT32)(p)[1] << 8;		\
+    (val) |= (KRB_UINT32)(p)[2] << 16;		\
+    (val) |= (KRB_UINT32)(p)[3] << 24;		\
+    (p) += 4;					\
 } while(0)
 
 #define KRB4_GET32(val, p, le)			\
@@ -178,14 +182,16 @@ do {						\
 
 #define KRB4_GET16BE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++ << 8;	\
-    (val) |= (unsigned KRB4_32)*(p)++;		\
+    (val)  = (KRB_UINT32)(p)[0] << 8;		\
+    (val) |= (KRB_UINT32)(p)[1];		\
+    (p) += 2;					\
 } while (0)
 
 #define KRB4_GET16LE(val, p)			\
 do {						\
-    (val) = (unsigned KRB4_32)*(p)++;		\
-    (val) |= (unsigned KRB4_32)*(p)++ << 8;	\
+    (val)  = (KRB_UINT32)(p)[0];		\
+    (val) |= (KRB_UINT32)(p)[1] << 8;		\
+    (p) += 2;					\
 } while (0)
 
 #define KRB4_GET16(val, p, le)			\
diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h
index 1b9be3ee1..e23ac1a3f 100644
--- a/src/include/port-sockets.h
+++ b/src/include/port-sockets.h
@@ -26,6 +26,9 @@ typedef WSABUF sg_buf;
 #define SOCKET_NFDS(f)          (0)     /* select()'s first arg is ignored */
 #define SOCKET_READ(fd, b, l)   (recv(fd, b, l, 0))
 #define SOCKET_WRITE(fd, b, l)  (send(fd, b, l, 0))
+#define SOCKET_CONNECT		connect	/* XXX */
+#define SOCKET_GETSOCKNAME	getsockname /* XXX */
+#define SOCKET_CLOSE		close /* XXX */
 #define SOCKET_EINTR            WSAEINTR
 
 /* Return -1 for error or number of bytes written.
@@ -119,6 +122,9 @@ typedef struct iovec sg_buf;
 #define SOCKET_NFDS(f)		((f)+1)	/* select() arg for a single fd */
 #define SOCKET_READ		read
 #define SOCKET_WRITE		write
+#define SOCKET_CONNECT		connect
+#define SOCKET_GETSOCKNAME	getsockname
+#define SOCKET_CLOSE		close
 #define SOCKET_EINTR		EINTR
 #define SOCKET_WRITEV_TEMP int
 /* Use TMP to avoid compiler warnings and keep things consistent with