authorPaul Park <pjpark@mit.edu>1995-08-31 17:33:55 +0000
committerPaul Park <pjpark@mit.edu>1995-08-31 17:33:55 +0000
commita631ed069736a1dce90636b63a46dca6763d59b1 (patch)
tree34e438b382afbe8e27df9757b90a1cbd76d6538a /src/lib/gssapi/generic
parentb94bd9276cc146246550181b7f0ebb2be8b992b2 (diff)
Update to GSSAPI-V2
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6638 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/generic')
-rw-r--r--src/lib/gssapi/generic/.Sanitize1
-rw-r--r--src/lib/gssapi/generic/ChangeLog14
-rw-r--r--src/lib/gssapi/generic/Makefile.in4
-rw-r--r--src/lib/gssapi/generic/disp_major_status.c7
-rw-r--r--src/lib/gssapi/generic/gssapi.h620
-rw-r--r--src/lib/gssapi/generic/gssapiP_generic.h43
-rw-r--r--src/lib/gssapi/generic/gssapi_generic.c8
-rw-r--r--src/lib/gssapi/generic/oid_ops.c351
-rw-r--r--src/lib/gssapi/generic/rel_oid_set.c4
-rw-r--r--src/lib/gssapi/generic/util_token.c6
10 files changed, 842 insertions, 216 deletions
diff --git a/src/lib/gssapi/generic/.Sanitize b/src/lib/gssapi/generic/.Sanitize
index dc4d5312f..c76c457d2 100644
--- a/src/lib/gssapi/generic/.Sanitize
+++ b/src/lib/gssapi/generic/.Sanitize
@@ -36,6 +36,7 @@ gssapiP_generic.h
gssapi_err_generic.et
gssapi_generic.c
gssapi_generic.h
+oid_ops.c
rel_buffer.c
rel_oid_set.c
util_buffer.c
diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog
index 3d8a7ea5c..89f798626 100644
--- a/src/lib/gssapi/generic/ChangeLog
+++ b/src/lib/gssapi/generic/ChangeLog
@@ -1,4 +1,18 @@
+Thu Aug 31 11:43:59 EDT 1995 Paul Park (pjpark@mit.edu)
+ * gssapi.h - Update to V2 API. Also use autoconf.h if USE_AUTOCONF_H
+ is defined, otherwise resort to brute force. Remove const_
+ gss_OID, as it's not defined in the API.
+ * gssapiP_generic.h - Add new V2 dispatch prototypes. Update
+ arguments to be compatible with V2 API.
+ * disp_major_status.c - Describe new failure codes. Update argument.
+ * gssapi_generic.c - Replace const_gss_OID.
+ * rel_oid_set.c - Free individual OID data also.
+ * util_token.c - Replace const_gss_OID.
+ * oid_ops.c - New V2 OID set manipulation routines.
+ * Makefile.in, .Sanitize - Add oid_ops.c.
+
+
Tue Aug 29 13:30:29 EDT 1995 Paul Park (pjpark@mit.edu)
* gssapi.h - Add prototypes for gss_{im,ex}port_sec_context.
diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in
index 626512d9b..2db4458d9 100644
--- a/src/lib/gssapi/generic/Makefile.in
+++ b/src/lib/gssapi/generic/Makefile.in
@@ -1,4 +1,4 @@
-CFLAGS = $(CCOPTS) $(DEFS) -I. -I$(srcdir)
+CFLAGS = $(CCOPTS) $(DEFS) -I. -I$(srcdir) -DUSE_AUTOCONF_H
##DOSBUILDTOP = ..\..\..
##DOSLIBNAME=..\gssapi.$(LIBEXT)
@@ -29,6 +29,7 @@ CCSRCS = \
$(srcdir)/disp_major_status.c \
$(srcdir)/disp_com_err_status.c \
$(srcdir)/gssapi_generic.c \
+ $(srcdir)/oid_ops.c \
$(srcdir)/rel_buffer.c \
$(srcdir)/rel_oid_set.c \
$(srcdir)/util_buffer.c \
@@ -42,6 +43,7 @@ CCOBJS = \
disp_major_status.$(OBJEXT) \
disp_com_err_status.$(OBJEXT) \
gssapi_generic.$(OBJEXT) \
+ oid_ops.$(OBJEXT) \
rel_buffer.$(OBJEXT) \
rel_oid_set.$(OBJEXT) \
util_buffer.$(OBJEXT) \
diff --git a/src/lib/gssapi/generic/disp_major_status.c b/src/lib/gssapi/generic/disp_major_status.c
index c6f82789d..ad0b17f20 100644
--- a/src/lib/gssapi/generic/disp_major_status.c
+++ b/src/lib/gssapi/generic/disp_major_status.c
@@ -62,7 +62,10 @@ static const char * const routine_error_string[] = {
"A credential was invalid",
"The referenced credentials have expired",
"The context has expired",
- "Miscellaneous failure",
+ "Miscellaneous failure",
+ "The quality-of-protection requested could not be provided",
+ "The operation is forbidden by the local security policy",
+ "The operation or option is not available",
};
static const char * const routine_error = "routine error";
@@ -206,7 +209,7 @@ OM_uint32 g_display_major_status(minor_status, status_value,
message_context, status_string)
OM_uint32 *minor_status;
OM_uint32 status_value;
- int *message_context;
+ OM_uint32 *message_context;
gss_buffer_t status_string;
{
OM_uint32 ret, tmp;
diff --git a/src/lib/gssapi/generic/gssapi.h b/src/lib/gssapi/generic/gssapi.h
index 7d4174444..7f79ca1bb 100644
--- a/src/lib/gssapi/generic/gssapi.h
+++ b/src/lib/gssapi/generic/gssapi.h
@@ -23,21 +23,40 @@
#ifndef _GSSAPI_H_
#define _GSSAPI_H_
-/* for general config: */
-#ifndef NO_STDLIB_H
-#include <stdlib.h>
-#endif
-#include <stdio.h>
-
/*
- * First, define the platform-dependent types.
+ * Determine platform-dependent configuration.
+ */
+#ifdef USE_AUTOCONF_H
+/*
+ * Use autoconf generated header.
+ */
+#include "autoconf.h"
+#define GSS_SIZEOF_INT SIZEOF_INT
+#define GSS_SIZEOF_LONG SIZEOF_LONG
+#define GSS_SIZEOF_SHORT SIZEOF_SHORT
+#else /* USE_AUTOCONF_H */
+/*
+ * Do it brute force.
*/
-
#ifdef _MSDOS
#define GSS_SIZEOF_INT 2
#define GSS_SIZEOF_SHORT 2
#define GSS_SIZEOF_LONG 4
+/* #define HAVE_STDDEF_H 1 */
+/* #define HAVE_XOM_H 1 */
+#else /* _MSDOS */
+#define GSS_SIZEOF_INT 4
+#define GSS_SIZEOF_LONG 4
+#define GSS_SIZEOF_SHORT 2
+/* #define HAVE_STDDEF_H 1 */
+/* #define HAVE_XOM_H 1 */
+#endif /* _MSDOS */
+#endif /* USE_AUTOCONF_H */
+/*
+ * Define INTERFACE, INTERFACE_C and FAR.
+ */
+#ifdef _MSDOS
#ifndef INTERFACE
#define INTERFACE __far __export __pascal
#define INTERFACE_C __far __export __cdecl
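Review bot: Both brute-force branches leave `HAVE_STDDEF_H` commented out, so when `USE_AUTOCONF_H` is not defined nothing includes `<stddef.h>`, and this hunk also removes the `<stdlib.h>` and `<stdio.h>` includes that used to supply `size_t` and `NULL`. Later hunks in this file use `size_t` (the `count` member of `gss_OID_set_desc`) and the header still expands `NULL` in `GSS_C_EMPTY_BUFFER`. The in-tree build is covered by the `-DUSE_AUTOCONF_H` added in Makefile.in, but an application that includes gssapi.h on its own would presumably take this branch. I would enable `#define HAVE_STDDEF_H 1` in the non-`_MSDOS` branch, or include `<stddef.h>` unconditionally if every supported compiler provides it.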
@@ -47,53 +66,80 @@
#define FAR _far
#endif /* FAR */
#else /* _MSDOS */
-/*
- * XXX we need to fix this to be modified by autoconf...
- */
-#define GSS_SIZEOF_INT 4
-#define GSS_SIZEOF_LONG 4
-#define GSS_SIZEOF_SHORT 2
#ifndef FAR
#define FAR
#define INTERFACE
#endif /* FAR */
#endif
-#if (GSS_SIZEOF_INT == 4)
-typedef unsigned int OM_uint32;
-#elif (GSS_SIZEOF_LONG == 4)
-typedef unsigned long OM_uint32;
-#elif (GSS_SIZEOF_SHORT == 4)
-typedef unsigned short OM_uint32;
+/*
+ * Make sure we have a definition for PROTOTYPE.
+ */
+#if !defined(PROTOTYPE)
+#if defined(__STDC__) || defined(_WINDOWS)
+#define PROTOTYPE(x) x
+#else
+#define PROTOTYPE(x) ()
#endif
+#endif
+
+/*
+ * First, include stddef.h to get size_t defined.
+ */
+#if HAVE_STDDEF_H
+#include <stddef.h>
+#endif /* HAVE_STDDEF_H */
+
+/*
+ * If the platform supports the xom.h header file, it should be included here.
+ */
+#if HAVE_XOM_H
+#include <xom.h>
+#endif /* HAVE_XOM_H */
+/*
+ * First, define the three platform-dependent pointer types.
+ */
typedef void FAR * gss_name_t;
typedef void FAR * gss_cred_id_t;
typedef void FAR * gss_ctx_id_t;
-#if !defined(PROTOTYPE)
-#if defined(__STDC__) || defined(_WINDOWS)
-#define PROTOTYPE(x) x
-#else
-#define PROTOTYPE(x) ()
+/*
+ * The following type must be defined as the smallest natural unsigned integer
+ * supported by the platform that has at least 32 bits of precision.
+ */
+#if (GSS_SIZEOF_SHORT == 4)
+typedef unsigned short gss_uint32;
+#elif (GSS_SIZEOF_INT == 4)
+typedef unsigned int gss_uint32;
+#elif (GSS_SIZEOF_LONG == 4)
+typedef unsigned long gss_uint32;
#endif
+
+#ifdef OM_STRING
+/*
+ * We have included the xom.h header file. Verify that OM_uint32 is defined
+ * correctly.
+ */
+#if sizeof(gss_uint32) != sizeof(OM_uint32)
+#error Incompatible definition of OM_uint32 from xom.h
#endif
+typedef OM_object_identifier gss_OID_desc, *gss_OID;
+#else /* OM_STRING */
/*
- * Note that a platform supporting the xom.h X/Open header file
- * may make use of that header for the definitions of OM_uint32
- * and the structure to which gss_OID_desc equates.
+ * We can't use X/Open definitions, so roll our own.
*/
+typedef gss_uint32 OM_uint32;
typedef struct gss_OID_desc_struct {
OM_uint32 length;
void FAR *elements;
} gss_OID_desc, FAR *gss_OID;
-
-typedef const gss_OID_desc FAR * const const_gss_OID;
+#endif /* OM_STRING */
typedef struct gss_OID_set_desc_struct {
- int count;
+ size_t count;
gss_OID elements;
} gss_OID_set_desc, FAR *gss_OID_set;
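Review bot: `#if sizeof(gss_uint32) != sizeof(OM_uint32)` cannot work, because the preprocessor does not evaluate `sizeof`; in a `#if` it is an ordinary identifier, so the line is a syntax error as soon as `OM_STRING` is defined and the xom.h path is taken. The width check needs to happen in the compiler proper, for example `typedef char gss_om_uint32_check[(sizeof(gss_uint32) == sizeof(OM_uint32)) ? 1 : -1];`. The `GSS_SIZEOF_*` chain above it also has no final `#else`, so a platform where none of the three sizes is 4 leaves `gss_uint32` undefined and fails later with an unrelated-looking error; an `#error` there would make it explicit. The comment asks for a type with at least 32 bits while the tests are `== 4`, so one of the two should be adjusted, since `OM_uint32` carries every status and length value in this API.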
@@ -110,10 +156,15 @@ typedef struct gss_channel_bindings_struct {
gss_buffer_desc application_data;
} FAR *gss_channel_bindings_t;
+/*
+ * For now, define a QOP-type as an OM_uint32 (pending resolution of ongoing
+ * discussions).
+ */
+typedef OM_uint32 gss_qop_t;
+typedef int gss_cred_usage_t;
/*
- * Six independent flags each of which indicates that a context
- * supports a specific service option.
+ * Flag bits for context-level services.
*/
#define GSS_C_DELEG_FLAG 1
#define GSS_C_MUTUAL_FLAG 2
@@ -121,7 +172,7 @@ typedef struct gss_channel_bindings_struct {
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG 16
#define GSS_C_INTEG_FLAG 32
-
+#define GSS_C_ANON_FLAG 64
/*
* Credential usage options
@@ -163,22 +214,31 @@ typedef struct gss_channel_bindings_struct {
#define GSS_C_AF_NULLADDR 255
+/*
+ * Various Null values.
+ */
#define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
-#define GSS_C_NULL_OID ((gss_OID) 0)
-#define GSS_C_NULL_OID_SET ((gss_OID_set) 0)
-#define GSS_C_NO_NAME ((gss_name_t) 0)
+#define GSS_C_NO_OID ((gss_OID) 0)
+#define GSS_C_NO_OID_SET ((gss_OID_set) 0)
#define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
#define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
#define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
#define GSS_C_EMPTY_BUFFER {0, NULL}
/*
- * Define the default Quality of Protection for per-message
- * services. Note that an implementation that offers multiple
- * levels of QOP may either reserve a value (for example zero,
- * as assumed here) to mean "default protection", or alternatively
- * may simply equate GSS_C_QOP_DEFAULT to a specific explicit QOP
- * value.
+ * Some alternate names for a couple of the above values. These are defined
+ * for V1 compatibility.
+ */
+#define GSS_C_NULL_OID GSS_C_NO_OID
+#define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
+
+/*
+ * Define the default Quality of Protection for per-message services. Note
+ * that an implementation that offers multiple levels of QOP may either reserve
+ * a value (for example zero, as assumed here) to mean "default protection", or
+ * alternatively may simply equate GSS_C_QOP_DEFAULT to a specific explicit
+ * QOP value. However a value of 0 should always be interpreted by a GSSAPI
+ * implementation as a request for the default protection level.
*/
#define GSS_C_QOP_DEFAULT 0
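Review bot: `GSS_C_NO_NAME` is removed here and nothing in the rest of the gssapi.h diff adds it back, while `GSS_C_NULL_OID` and `GSS_C_NULL_OID_SET` get V1 compatibility aliases in the same hunk. Any existing caller that passes `GSS_C_NO_NAME` (for instance as `desired_name` to `gss_acquire_cred`) stops compiling; no such caller is visible in this directory, so this is inferred from the API rather than seen. Unless the removal is deliberate, keep `#define GSS_C_NO_NAME ((gss_name_t) 0)` in the "Various Null values" block.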
@@ -186,7 +246,7 @@ typedef struct gss_channel_bindings_struct {
* Expiration time of 2^32-1 seconds means infinite lifetime for a
* credential or security context
*/
-#define GSS_C_INDEFINITE 0xffffffff
+#define GSS_C_INDEFINITE 0xfffffffful
/* Major status codes */
@@ -199,12 +259,14 @@ typedef struct gss_channel_bindings_struct {
#define GSS_C_CALLING_ERROR_OFFSET 24
#define GSS_C_ROUTINE_ERROR_OFFSET 16
#define GSS_C_SUPPLEMENTARY_OFFSET 0
-#define GSS_C_CALLING_ERROR_MASK 0377
-#define GSS_C_ROUTINE_ERROR_MASK 0377
-#define GSS_C_SUPPLEMENTARY_MASK 0177777
+#define GSS_C_CALLING_ERROR_MASK 0377ul
+#define GSS_C_ROUTINE_ERROR_MASK 0377ul
+#define GSS_C_SUPPLEMENTARY_MASK 0177777ul
/*
- * The macros that test status codes for error conditions
+ * The macros that test status codes for error conditions. Note that the
+ * GSS_ERROR() macro has changed slightly from the V1 GSSAPI so that it now
+ * evaluates its argument only once.
*/
#define GSS_CALLING_ERROR(x) \
((x) & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
@@ -213,16 +275,8 @@ typedef struct gss_channel_bindings_struct {
#define GSS_SUPPLEMENTARY_INFO(x) \
((x) & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
#define GSS_ERROR(x) \
- ((GSS_CALLING_ERROR(x) != 0) || (GSS_ROUTINE_ERROR(x) != 0))
-
-/* XXXX these are not part of the GSSAPI C bindings! (but should be) */
-
-#define GSS_CALLING_ERROR_FIELD(x) \
- (((x) >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK)
-#define GSS_ROUTINE_ERROR_FIELD(x) \
- (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK)
-#define GSS_SUPPLEMENTARY_INFO_FIELD(x) \
- (((x) >> GSS_C_SUPPLEMENTARY_OFFSET) & GSS_C_SUPPLEMENTARY_MASK)
+ ((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
+ (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
/*
* Now the actual status code definitions
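Review bot: `GSS_ERROR(x)` no longer yields 0 or 1; it now returns the masked bits 16-31 of the status as an `unsigned long`. A caller that stores the result in an `int` where `GSS_SIZEOF_INT` is 2 (the `_MSDOS` branch of this header) would most likely truncate every error to zero and treat a failed call as success; no callers are visible in this diff, so whether any do this is unknown. The single-evaluation property can be kept while restoring a boolean result by closing the expression with `!= 0`, i.e. `(((x) & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))) != 0)`. The comment added above the macros should then say that the result is 0 or 1.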
@@ -232,38 +286,39 @@ typedef struct gss_channel_bindings_struct {
* Calling errors:
*/
#define GSS_S_CALL_INACCESSIBLE_READ \
- (1 << GSS_C_CALLING_ERROR_OFFSET)
+ (1ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_INACCESSIBLE_WRITE \
- (2 << GSS_C_CALLING_ERROR_OFFSET)
+ (2ul << GSS_C_CALLING_ERROR_OFFSET)
#define GSS_S_CALL_BAD_STRUCTURE \
- (3 << GSS_C_CALLING_ERROR_OFFSET)
+ (3ul << GSS_C_CALLING_ERROR_OFFSET)
/*
* Routine errors:
*/
-#define GSS_S_BAD_MECH (1 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_NAME (2 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_NAMETYPE (3 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_BINDINGS (4 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_STATUS (5 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_BAD_SIG (6 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_NO_CRED (7 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_NO_CONTEXT (8 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DEFECTIVE_TOKEN (9 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_DEFECTIVE_CREDENTIAL (10 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_CREDENTIALS_EXPIRED (11 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_CONTEXT_EXPIRED (12 << GSS_C_ROUTINE_ERROR_OFFSET)
-#define GSS_S_FAILURE (13 << GSS_C_ROUTINE_ERROR_OFFSET)
-/* XXXX This is a necessary evil until the spec is fixed */
-#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
+#define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
+#define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
/*
* Supplementary info bits:
*/
-#define GSS_S_CONTINUE_NEEDED (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
-#define GSS_S_DUPLICATE_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
-#define GSS_S_OLD_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
-#define GSS_S_UNSEQ_TOKEN (1 << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
+#define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
+#define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
+#define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
+#define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
/*
@@ -271,185 +326,346 @@ typedef struct gss_channel_bindings_struct {
*/
OM_uint32 INTERFACE gss_acquire_cred
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_name_t, /* desired_name */
- OM_uint32, /* time_req */
- gss_OID_set, /* desired_mechs */
- int, /* cred_usage */
- gss_cred_id_t FAR *,/* output_cred_handle */
- gss_OID_set FAR *, /* actual_mechs */
- OM_uint32 FAR * /* time_rec */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t FAR *, /* output_cred_handle */
+ gss_OID_set FAR *, /* actual_mechs */
+ OM_uint32 FAR * /* time_rec */
));
OM_uint32 INTERFACE gss_release_cred
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_cred_id_t FAR * /* cred_handle */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_cred_id_t FAR * /* cred_handle */
));
OM_uint32 INTERFACE gss_init_sec_context
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_cred_id_t, /* claimant_cred_handle */
- gss_ctx_id_t FAR *, /* context_handle */
- gss_name_t, /* target_name */
- const_gss_OID, /* mech_type */
- int, /* req_flags */
- OM_uint32, /* time_req */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_buffer_t, /* input_token */
- gss_OID FAR *, /* actual_mech_type */
- gss_buffer_t, /* output_token */
- int FAR *, /* ret_flags */
- OM_uint32 FAR * /* time_rec */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_cred_id_t, /* claimant_cred_handle */
+ gss_ctx_id_t FAR *, /* context_handle */
+ gss_name_t, /* target_name */
+ gss_OID, /* mech_type (used to be const) */
+ OM_uint32, /* req_flags */
+ OM_uint32, /* time_req */
+ gss_channel_bindings_t, /* input_chan_bindings */
+ gss_buffer_t, /* input_token */
+ gss_OID FAR *, /* actual_mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 FAR *, /* ret_flags */
+ OM_uint32 FAR * /* time_rec */
));
OM_uint32 INTERFACE gss_accept_sec_context
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t FAR *, /* context_handle */
- gss_cred_id_t, /* verifier_cred_handle */
- gss_buffer_t, /* input_token_buffer */
- gss_channel_bindings_t,
- /* input_chan_bindings */
- gss_name_t FAR *, /* src_name */
- gss_OID FAR *, /* mech_type */
- gss_buffer_t, /* output_token */
- int FAR *, /* ret_flags */
- OM_uint32 FAR *, /* time_rec */
- gss_cred_id_t FAR * /* delegated_cred_handle */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t FAR *, /* context_handle */
+ gss_cred_id_t, /* acceptor_cred_handle */
+ gss_buffer_t, /* input_token_buffer */
+ gss_channel_bindings_t, /* input_chan_bindings */
+ gss_name_t FAR *, /* src_name */
+ gss_OID FAR *, /* mech_type */
+ gss_buffer_t, /* output_token */
+ OM_uint32 FAR *, /* ret_flags */
+ OM_uint32 FAR *, /* time_rec */
+ gss_cred_id_t FAR * /* delegated_cred_handle */
));
OM_uint32 INTERFACE gss_process_context_token
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t /* token_buffer */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t /* token_buffer */
));
OM_uint32 INTERFACE gss_delete_sec_context
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t FAR *, /* context_handle */
- gss_buffer_t /* output_token */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t FAR *, /* context_handle */
+ gss_buffer_t /* output_token */
));
OM_uint32 INTERFACE gss_context_time
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- OM_uint32 FAR * /* time_rec */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ OM_uint32 FAR * /* time_rec */
));
-OM_uint32 INTERFACE gss_sign
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* qop_req */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t /* message_token */
- ));
+/* New for V2 */
+OM_uint32 INTERFACE gss_get_mic
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+ ));
-OM_uint32 INTERFACE gss_verify
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* message_buffer */
- gss_buffer_t, /* token_buffer */
- int FAR * /* qop_state */
- ));
+/* New for V2 */
+OM_uint32 INTERFACE gss_verify_mic
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* message_token */
+ gss_qop_t * /* qop_state */
+ ));
-OM_uint32 INTERFACE gss_seal
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- int, /* conf_req_flag */
- int, /* qop_req */
- gss_buffer_t, /* input_message_buffer */
- int FAR *, /* conf_state */
- gss_buffer_t /* output_message_buffer */
- ));
+/* New for V2 */
+OM_uint32 INTERFACE gss_wrap
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int FAR *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+ ));
-OM_uint32 INTERFACE gss_unseal
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_buffer_t, /* input_message_buffer */
- gss_buffer_t, /* output_message_buffer */
- int FAR *, /* conf_state */
- int FAR * /* qop_state */
- ));
+/* New for V2 */
+OM_uint32 INTERFACE gss_unwrap
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int FAR *, /* conf_state */
+ gss_qop_t FAR * /* qop_state */
+ ));
OM_uint32 INTERFACE gss_display_status
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- OM_uint32, /* status_value */
- int, /* status_type */
- const_gss_OID, /* mech_type */
- int FAR *, /* message_context */
- gss_buffer_t /* status_string */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ OM_uint32, /* status_value */
+ int, /* status_type */
+ gss_OID, /* mech_type (used to be const) */
+ OM_uint32 FAR *, /* message_context */
+ gss_buffer_t /* status_string */
));
OM_uint32 INTERFACE gss_indicate_mechs
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_OID_set FAR * /* mech_set */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID_set FAR * /* mech_set */
));
OM_uint32 INTERFACE gss_compare_name
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_name_t, /* name1 */
- gss_name_t, /* name2 */
- int FAR * /* name_equal */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_name_t, /* name1 */
+ gss_name_t, /* name2 */
+ int FAR * /* name_equal */
));
OM_uint32 INTERFACE gss_display_name
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_name_t, /* input_name */
- gss_buffer_t, /* output_name_buffer */
- gss_OID FAR * /* output_name_type */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_buffer_t, /* output_name_buffer */
+ gss_OID FAR * /* output_name_type */
));
OM_uint32 INTERFACE gss_import_name
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_buffer_t, /* input_name_buffer */
- const_gss_OID, /* input_name_type */
- gss_name_t FAR * /* output_name */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_buffer_t, /* input_name_buffer */
+ gss_OID, /* input_name_type(used to be const) */
+ gss_name_t FAR * /* output_name */
));
OM_uint32 INTERFACE gss_release_name
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_name_t FAR * /* input_name */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_name_t FAR * /* input_name */
));
OM_uint32 INTERFACE gss_release_buffer
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_buffer_t /* buffer */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_buffer_t /* buffer */
));
OM_uint32 INTERFACE gss_release_oid_set
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_OID_set FAR * /* set */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID_set FAR * /* set */
));
OM_uint32 INTERFACE gss_inquire_cred
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_cred_id_t, /* cred_handle */
- gss_name_t FAR *, /* name */
- OM_uint32 FAR *, /* lifetime */
- int FAR *, /* cred_usage */
- gss_OID_set FAR * /* mechanisms */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_name_t FAR *, /* name */
+ OM_uint32 FAR *, /* lifetime */
+ gss_cred_usage_t FAR *, /* cred_usage */
+ gss_OID_set FAR * /* mechanisms */
));
+/* Last argument new for V2 */
OM_uint32 INTERFACE gss_inquire_context
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t, /* context_handle */
- gss_name_t FAR *, /* initiator_name */
- gss_name_t FAR *, /* acceptor_name */
- OM_uint32 FAR *, /* lifetime_rec */
- gss_OID FAR *, /* mech_type */
- int FAR *, /* ret_flags */
- int FAR * /* locally_initiated */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_name_t FAR *, /* src_name */
+ gss_name_t FAR *, /* targ_name */
+ OM_uint32 FAR *, /* lifetime_rec */
+ gss_OID FAR *, /* mech_type */
+ OM_uint32 FAR *, /* ctx_flags */
+ int FAR *, /* locally_initiated */
+ int FAR * /* open */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_wrap_size_limit
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ gss_qop_t, /* qop_req */
+ OM_uint32, /* req_output_size */
+ OM_uint32 * /* max_input_size */
));
+/* New for V2 */
+OM_uint32 INTERFACE gss_import_name_object
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ void FAR *, /* input_name */
+ gss_OID, /* input_name_type */
+ gss_name_t FAR * /* output_name */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_export_name_object
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_name_t, /* input_name */
+ gss_OID, /* desired_name_type */
+ void FAR * FAR * /* output_name */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_add_cred
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_cred_id_t, /* input_cred_handle */
+ gss_name_t, /* desired_name */
+ gss_OID, /* desired_mech */
+ gss_cred_usage_t, /* cred_usage */
+ OM_uint32, /* initiator_time_req */
+ OM_uint32, /* acceptor_time_req */
+ gss_cred_id_t FAR *, /* output_cred_handle */
+ gss_OID_set FAR *, /* actual_mechs */
+ OM_uint32 FAR *, /* initiator_time_rec */
+ OM_uint32 FAR * /* acceptor_time_rec */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_inquire_cred_by_mech
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_cred_id_t, /* cred_handle */
+ gss_OID, /* mech_type */
+ gss_name_t FAR *, /* name */
+ OM_uint32 FAR *, /* initiator_lifetime */
+ OM_uint32 FAR *, /* acceptor_lifetime */
+ gss_cred_usage_t FAR * /* cred_usage */
+ ));
+
+/* New for V2 */
OM_uint32 INTERFACE gss_export_sec_context
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_ctx_id_t FAR *, /* context_handle */
- gss_buffer_t /* interprocess_token */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t FAR *, /* context_handle */
+ gss_buffer_t /* interprocess_token */
));
+/* New for V2 */
OM_uint32 INTERFACE gss_import_sec_context
-PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
- gss_buffer_t, /* interprocess_token */
- gss_ctx_id_t FAR * /* context_handle */
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_buffer_t, /* interprocess_token */
+ gss_ctx_id_t FAR * /* context_handle */
));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_release_oid
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID FAR * /* oid */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_create_empty_oid_set
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID_set FAR * /* oid_set */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_add_oid_set_member
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID, /* member_oid */
+ gss_OID_set FAR * /* oid_set */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_test_oid_set_member
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID, /* member */
+ gss_OID_set, /* set */
+ int FAR * /* present */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_str_to_oid
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_buffer_t, /* oid_str */
+ gss_OID FAR * /* oid */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_oid_to_str
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID, /* oid */
+ gss_buffer_t /* oid_str */
+ ));
+
+/* New for V2 */
+OM_uint32 INTERFACE gss_inquire_names_for_mech
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_OID, /* mechanism */
+ gss_OID_set FAR * /* name_types */
+ ));
+
+/*
+ * The following routines are obsolete variants of gss_get_mic, gss_wrap,
+ * gss_verify_mic and gss_unwrap. They should be provided by GSSAPI V2
+ * implementations for backwards compatibility with V1 applications. Distinct
+ * entrypoints (as opposed to #defines) should be provided, to allow GSSAPI
+ * V1 applications to link against GSSAPI V2 implementations.
+ */
+OM_uint32 INTERFACE gss_sign
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* qop_req */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t /* message_token */
+ ));
+
+OM_uint32 INTERFACE gss_verify
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* message_buffer */
+ gss_buffer_t, /* token_buffer */
+ int FAR * /* qop_state */
+ ));
+
+OM_uint32 INTERFACE gss_seal
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ int, /* conf_req_flag */
+ int, /* qop_req */
+ gss_buffer_t, /* input_message_buffer */
+ int FAR *, /* conf_state */
+ gss_buffer_t /* output_message_buffer */
+ ));
+
+OM_uint32 INTERFACE gss_unseal
+PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
+ gss_ctx_id_t, /* context_handle */
+ gss_buffer_t, /* input_message_buffer */
+ gss_buffer_t, /* output_message_buffer */
+ int FAR *, /* conf_state */
+ int FAR * /* qop_state */
+ ));
+
+/* XXXX these are not part of the GSSAPI C bindings! (but should be) */
+
+#define GSS_CALLING_ERROR_FIELD(x) \
+ (((x) >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK)
+#define GSS_ROUTINE_ERROR_FIELD(x) \
+ (((x) >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK)
+#define GSS_SUPPLEMENTARY_INFO_FIELD(x) \
+ (((x) >> GSS_C_SUPPLEMENTARY_OFFSET) & GSS_C_SUPPLEMENTARY_MASK)
+
+/* XXXX This is a necessary evil until the spec is fixed */
+#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
+
#endif /* _GSSAPI_H_ */
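Review bot: Two of the new prototypes omit `FAR` on a pointer parameter: `gss_verify_mic` declares `gss_qop_t *` for qop_state and `gss_wrap_size_limit` declares `OM_uint32 *` for max_input_size, while every other pointer parameter in this header, including `gss_qop_t FAR *` in `gss_unwrap`, carries it. On the `_MSDOS` build, where `FAR` expands to `_far`, these two would be near pointers in an otherwise far-pointer interface. I would write them as `gss_qop_t FAR *, /* qop_state */` and `OM_uint32 FAR * /* max_input_size */`. Separately, the "(used to be const)" remarks on `mech_type` and `input_name_type` are worth expanding into one comment stating that the routines do not modify the OID, since the type no longer says so.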
diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h
index 21ac01c89..ab7eddf97 100644
--- a/src/lib/gssapi/generic/gssapiP_generic.h
+++ b/src/lib/gssapi/generic/gssapiP_generic.h
@@ -93,17 +93,17 @@ int g_make_string_buffer PROTOTYPE((const char *str, gss_buffer_t buffer));
int g_copy_OID_set PROTOTYPE((const gss_OID_set_desc * const in, gss_OID_set *out));
-int g_token_size PROTOTYPE((const_gss_OID mech, unsigned int body_size));
+int g_token_size PROTOTYPE((gss_OID mech, unsigned int body_size));
-void g_make_token_header PROTOTYPE((const_gss_OID mech, int body_size,
+void g_make_token_header PROTOTYPE((gss_OID mech, int body_size,
unsigned char **buf, int tok_type));
-int g_verify_token_header PROTOTYPE((const_gss_OID mech, int *body_size,
+int g_verify_token_header PROTOTYPE((gss_OID mech, int *body_size,
unsigned char **buf, int tok_type, int toksize));
OM_uint32 g_display_major_status PROTOTYPE((OM_uint32 *minor_status,
OM_uint32 status_value,
- int *message_context,
+ OM_uint32 *message_context,
gss_buffer_t status_string));
OM_uint32 g_display_com_err_status PROTOTYPE((OM_uint32 *minor_status,
@@ -126,4 +126,39 @@ PROTOTYPE( (OM_uint32*, /* minor_status */
gss_OID_set* /* set */
));
+OM_uint32 generic_gss_release_oid
+PROTOTYPE( (OM_uint32 *, /* minor_status */
+ gss_OID * /* oid */
+ ));
+
+OM_uint32 generic_gss_create_empty_oid_set
+PROTOTYPE( (OM_uint32 *, /* minor_status */
+ gss_OID_set * /* oid_set */
+ ));
+
+OM_uint32 generic_gss_add_oid_set_member
+PROTOTYPE( (OM_uint32 *, /* minor_status */
+ gss_OID, /* member_oid */
+ gss_OID_set * /* oid_set */
+ ));
+
+OM_uint32 generic_gss_test_oid_set_member
+PROTOTYPE( (OM_uint32 *, /* minor_status */
+ gss_OID, /* member */
+ gss_OID_set, /* set */
+ int * /* present */
+ ));
+
+OM_uint32 generic_gss_oid_to_str
+PROTOTYPE( (OM_uint32 *, /* minor_status */
+ gss_OID, /* oid */
+ gss_buffer_t /* oid_str */
+ ));
+
+OM_uint32 generic_gss_str_to_oid
+PROTOTYPE( (OM_uint32 *, /* minor_status */
+ gss_buffer_t, /* oid_str */
+ gss_OID * /* oid */
+ ));
+
#endif /* _GSSAPIP_GENERIC_H_ */
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
index 8f88a8c21..f94e424cf 100644
--- a/src/lib/gssapi/generic/gssapi_generic.c
+++ b/src/lib/gssapi/generic/gssapi_generic.c
@@ -49,7 +49,7 @@ static const gss_OID_desc oids[] = {
{10, "\052\206\110\206\367\022\001\002\001\004"},
};
-const_gss_OID gss_nt_user_name = oids+0;
-const_gss_OID gss_nt_machine_uid_name = oids+1;
-const_gss_OID gss_nt_string_uid_name = oids+2;
-const_gss_OID gss_nt_service_name = oids+3;
+const gss_OID_desc * const gss_nt_user_name = oids+0;
+const gss_OID_desc * const gss_nt_machine_uid_name = oids+1;
+const gss_OID_desc * const gss_nt_string_uid_name = oids+2;
+const gss_OID_desc * const gss_nt_service_name = oids+3;
diff --git a/src/lib/gssapi/generic/oid_ops.c b/src/lib/gssapi/generic/oid_ops.c
new file mode 100644
index 000000000..d7af94d53
--- /dev/null
+++ b/src/lib/gssapi/generic/oid_ops.c
@@ -0,0 +1,351 @@
+/*
+ * lib/gssapi/generic/oid_ops.c
+ *
+ * Copyright 1995 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+/*
+ * oid_ops.c - GSS-API V2 interfaces to manipulate OIDs
+ */
+
+#include "gssapiP_generic.h"
+#include "gssapi_generic.h"
+
+OM_uint32
+generic_gss_release_oid(minor_status, oid)
+ OM_uint32 *minor_status;
+ gss_OID *oid;
+{
+ *minor_status = 0;
+
+ if (*oid == GSS_C_NO_OID)
+ return(GSS_S_COMPLETE);
+
+ /*
+ * The V2 API says the following!
+ *
+ * gss_release_oid[()] will recognize any of the GSSAPI's own OID values,
+ * and will silently ignore attempts to free these OIDs; for other OIDs
+ * it will call the C free() routine for both the OID data and the
+ * descriptor. This allows applications to freely mix their own heap-
+ * allocated OID values with OIDs returned by GSS-API.
+ */
+ if ((*oid != gss_nt_user_name) &&
+ (*oid != gss_nt_machine_uid_name) &&
+ (*oid != gss_nt_string_uid_name) &&
+ (*oid != gss_nt_service_name)) {
+ xfree((*oid)->elements);
+ xfree(*oid);
+ }
+ *oid = GSS_C_NO_OID;
+ return(GSS_S_COMPLETE);
+}
+
+OM_uint32
+generic_gss_create_empty_oid_set(minor_status, oid_set)
+ OM_uint32 *minor_status;
+ gss_OID_set *oid_set;
+{
+ if ((*oid_set = (gss_OID_set) xmalloc(sizeof(gss_OID_set_desc)))) {
+ memset(*oid_set, 0, sizeof(gss_OID_set_desc));
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
+ else {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+}
+
+OM_uint32
+generic_gss_add_oid_set_member(minor_status, member_oid, oid_set)
+ OM_uint32 *minor_status;
+ gss_OID member_oid;
+ gss_OID_set *oid_set;
+{
+ gss_OID elist;
+ gss_OID lastel;
+
+ elist = (*oid_set)->elements;
+ /* Get an enlarged copy of the array */
+ if (((*oid_set)->elements = (gss_OID) xmalloc(((*oid_set)->count+1) *
+ sizeof(gss_OID_desc)))) {
+ /* Copy in the old junk */
+ if (elist)
+ memcpy((*oid_set)->elements,
+ elist,
+ ((*oid_set)->count * sizeof(gss_OID_desc)));
+
+ /* Duplicate the input element */
+ lastel = &(*oid_set)->elements[(*oid_set)->count];
+ if ((lastel->elements =
+ (void *) xmalloc((size_t) member_oid->length))) {
+ /* Success - copy elements */
+ memcpy(lastel->elements, member_oid->elements,
+ (size_t) member_oid->length);
+ /* Set length */
+ lastel->length = member_oid->length;
+
+ /* Update count */
+ (*oid_set)->count++;
+ if (elist)
+ xfree(elist);
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
+ else
+ xfree((*oid_set)->elements);
+ }
+ /* Failure - restore old contents of list */
+ (*oid_set)->elements = elist;
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+}
+
+OM_uint32
+generic_gss_test_oid_set_member(minor_status, member, set, present)
+ OM_uint32 *minor_status;
+ gss_OID member;
+ gss_OID_set set;
+ int *present;
+{
+ size_t i;
+ int result;
+
+ result = 0;
+ for (i=0; i<set->count; i++) {
+ if ((set->elements[i].length == member->length) &&
+ !memcmp(set->elements[i].elements,
+ member->elements,
+ member->length)) {
+ result = 1;
+ break;
+ }
+ }
+ *present = result;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+}
+
+/*
+ * OID<->string routines. These are uuuuugly.
+ */
+OM_uint32
+generic_gss_oid_to_str(minor_status, oid, oid_str)
+ OM_uint32 *minor_status;
+ gss_OID oid;
+ gss_buffer_t oid_str;
+{
+ char numstr[128];
+ unsigned long number;
+ int numshift;
+ size_t string_length;
+ size_t i;
+ unsigned char *cp;
+ char *bp;
+
+ /* Decoded according to krb5/gssapi_krb5.c */
+
+ /* First determine the size of the string */
+ string_length = 0;
+ number = 0;
+ numshift = 0;
+ cp = (unsigned char *) oid->elements;
+ number = (unsigned long) cp[0];
+ sprintf(numstr, "%d ", number/40);
+ string_length += strlen(numstr);
+ sprintf(numstr, "%d ", number%40);
+ string_length += strlen(numstr);
+ for (i=1; i<oid->length; i++) {
+ if ((numshift+7) < (sizeof(unsigned long)*8)) {
+ number = (number << 7) | (cp[i] & 0x7f);
+ numshift += 7;
+ }
+ else {
+ *minor_status = EINVAL;
+ return(GSS_S_FAILURE);
+ }
+ if ((cp[i] & 0x80) == 0) {
+ sprintf(numstr, "%d ", number);
+ string_length += strlen(numstr);
+ number = 0;
+ numshift = 0;
+ }
+ }
+ /*
+ * If we get here, we've calculated the length of "n n n ... n ". Add 4
+ * here for "{ " and "}\0".
+ */
+ string_length += 4;
+ if ((bp = (char *) xmalloc(string_length))) {
+ strcpy(bp, "{ ");
+ number = (unsigned long) cp[0];
+ sprintf(numstr, "%d ", number/40);
+ strcat(bp, numstr);
+ sprintf(numstr, "%d ", number%40);
+ strcat(bp, numstr);
+ number = 0;
+ cp = (unsigned char *) oid->elements;
+ for (i=1; i<oid->length; i++) {
+ number = (number << 7) | (cp[i] & 0x7f);
+ if ((cp[i] & 0x80) == 0) {
+ sprintf(numstr, "%d ", number);
+ strcat(bp, numstr);
+ number = 0;
+ }
+ }
+ strcat(bp, "}");
+ oid_str->length = strlen(bp)+1;
+ oid_str->value = (void *) bp;
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+}
+
+OM_uint32
+generic_gss_str_to_oid(minor_status, oid_str, oid)
+ OM_uint32 *minor_status;
+ gss_buffer_t oid_str;
+ gss_OID *oid;
+{
+ size_t i;
+ char *cp, *bp, *startp;
+ int brace;
+ long numbuf;
+ long onumbuf;
+ OM_uint32 nbytes;
+ int index;
+ unsigned char *op;
+
+ brace = 0;
+ bp = (char *) oid_str->value;
+ cp = bp;
+ /* Skip over leading space */
+ while ((bp < &cp[oid_str->length]) && isspace(*bp))
+ bp++;
+ if (*bp == '{') {
+ brace = 1;
+ bp++;
+ }
+ while ((bp < &cp[oid_str->length]) && isspace(*bp))
+ bp++;
+ startp = bp;
+ nbytes = 0;
+
+ /*
+ * The first two numbers are chewed up by the first octet.
+ */
+ if (sscanf(bp, "%ld", &numbuf) != 1) {
+ *minor_status = EINVAL;
+ return(GSS_S_FAILURE);
+ }
+ while ((bp < &cp[oid_str->length]) && isdigit(*bp))
+ bp++;
+ while ((bp < &cp[oid_str->length]) && isspace(*bp))
+ bp++;
+ if (sscanf(bp, "%ld", &numbuf) != 1) {
+ *minor_status = EINVAL;
+ return(GSS_S_FAILURE);
+ }
+ while ((bp < &cp[oid_str->length]) && isdigit(*bp))
+ bp++;
+ while ((bp < &cp[oid_str->length]) && isspace(*bp))
+ bp++;
+ nbytes++;
+ while (isdigit(*bp)) {
+ if (sscanf(bp, "%ld", &numbuf) != 1) {
+ *minor_status = EINVAL;
+ return(GSS_S_FAILURE);
+ }
+ while (numbuf) {
+ nbytes++;
+ numbuf >>= 7;
+ }
+ while ((bp < &cp[oid_str->length]) && isdigit(*bp))
+ bp++;
+ while ((bp < &cp[oid_str->length]) && isspace(*bp))
+ bp++;
+ }
+ if (brace && (*bp != '}')) {
+ *minor_status = EINVAL;
+ return(GSS_S_FAILURE);
+ }
+
+ /*
+ * Phew! We've come this far, so the syntax is good.
+ */
+ if ((*oid = (gss_OID) malloc(sizeof(gss_OID_desc)))) {
+ if ((*oid)->elements = (void *) malloc(nbytes)) {
+ (*oid)->length = nbytes;
+ op = (unsigned char *) (*oid)->elements;
+ bp = startp;
+ sscanf(bp, "%ld", &numbuf);
+ while (isdigit(*bp))
+ bp++;
+ while (isspace(*bp))
+ bp++;
+ onumbuf = 40*numbuf;
+ sscanf(bp, "%ld", &numbuf);
+ onumbuf += numbuf;
+ *op = (unsigned char) onumbuf;
+ op++;
+ while (isdigit(*bp))
+ bp++;
+ while (isspace(*bp))
+ bp++;
+ while (isdigit(*bp)) {
+ sscanf(bp, "%ld", &numbuf);
+ nbytes = 0;
+ /* Have to fill in the bytes msb-first */
+ onumbuf = numbuf;
+ while (numbuf) {
+ nbytes++;
+ numbuf >>= 7;
+ }
+ numbuf = onumbuf;
+ op += nbytes;
+ index = -1;
+ while (numbuf) {
+ op[index] = numbuf & 0x7f;
+ if (index != -1)
+ op[index] |= 0x80;
+ index--;
+ numbuf >>= 7;
+ }
+ while (isdigit(*bp))
+ bp++;
+ while (isspace(*bp))
+ bp++;
+ }
+ *minor_status = 0;
+ return(GSS_S_COMPLETE);
+ }
+ else {
+ xfree(*oid);
+ *oid = GSS_C_NO_OID;
+ }
+ }
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+}
+
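Review bot: generic_gss_str_to_oid parses `oid_str->value` with sscanf() and, in the second pass after the allocation, with isdigit()/isspace() loops that have no length bound, yet a gss_buffer_t is a counted buffer and nothing here requires it to be NUL-terminated, so input without a terminator is read past `oid_str->length`. The `*bp == '{'` test and the `while (isdigit(*bp))` loop in the first pass also dereference bp after it may already have reached the end of the buffer. Copying the input into a NUL-terminated scratch string before parsing, as sketched below, bounds every read. Separately, an arc value of 0 contributes no bytes in either `while (numbuf)` loop and is silently dropped instead of being encoded as one 0x00 octet, and the first two arcs are not range-checked before `(unsigned char) onumbuf` truncates them. In generic_gss_oid_to_str, `sprintf(numstr, "%d ", number)` passes an unsigned long to `%d` (it should be `%lu`), and `cp[0]` is read even when `oid->length` is 0.

```c
    char *str;		/* NUL-terminated copy of the counted input */

    if (oid_str == GSS_C_NO_BUFFER || oid_str->value == NULL) {
	*minor_status = EINVAL;
	return(GSS_S_FAILURE);
    }
    if ((str = (char *) xmalloc(oid_str->length + 1)) == NULL) {
	*minor_status = ENOMEM;
	return(GSS_S_FAILURE);
    }
    memcpy(str, oid_str->value, oid_str->length);
    str[oid_str->length] = '\0';

    brace = 0;
    bp = str;
    cp = bp;
    /* ... both parsing passes as before, with xfree(str) added before each return ... */
```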
diff --git a/src/lib/gssapi/generic/rel_oid_set.c b/src/lib/gssapi/generic/rel_oid_set.c
index 2edfe9a39..96f6f8d15 100644
--- a/src/lib/gssapi/generic/rel_oid_set.c
+++ b/src/lib/gssapi/generic/rel_oid_set.c
@@ -26,11 +26,15 @@ OM_uint32 generic_gss_release_oid_set(minor_status, set)
OM_uint32 *minor_status;
gss_OID_set *set;
{
+ size_t index;
+
*minor_status = 0;
if (*set == GSS_C_NULL_OID_SET)
return(GSS_S_COMPLETE);
+ for (index=0; index<(*set)->count; index++)
+ xfree((*set)->elements[index].elements);
xfree((*set)->elements);
xfree(*set);
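Review bot: The added loop calls xfree() on every member's `elements` pointer, which is only safe if every producer of a gss_OID_set deep-copies the OID bytes the way generic_gss_add_oid_set_member does in oid_ops.c. Sets built by older code paths should be checked for shallow copies that point at static OID data, since those pointers would now be handed to free(); g_copy_OID_set is one to check, as its body is not part of this diff. A comment above the loop such as `/* members own their elements; see generic_gss_add_oid_set_member() */` would record the ownership rule. The function body continues past the end of the hunk.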
diff --git a/src/lib/gssapi/generic/util_token.c b/src/lib/gssapi/generic/util_token.c
index eadfad82a..d8e5e91ae 100644
--- a/src/lib/gssapi/generic/util_token.c
+++ b/src/lib/gssapi/generic/util_token.c
@@ -118,7 +118,7 @@ static int der_read_length(buf, bufsize)
/* returns the length of a token, given the mech oid and the body size */
int g_token_size(mech, body_size)
- const_gss_OID mech;
+ gss_OID mech;
unsigned int body_size;
{
/* set body_size to sequence contents size */
@@ -130,7 +130,7 @@ int g_token_size(mech, body_size)
be the right size. buf is advanced past the token header */
void g_make_token_header(mech, body_size, buf, tok_type)
- const_gss_OID mech;
+ gss_OID mech;
int body_size;
unsigned char **buf;
int tok_type;
@@ -149,7 +149,7 @@ void g_make_token_header(mech, body_size, buf, tok_type)
to the number of remaining bytes */
int g_verify_token_header(mech, body_size, buf, tok_type, toksize)
- const_gss_OID mech;
+ gss_OID mech;
int *body_size;
unsigned char **buf;
int tok_type;