Merge branch 'master' into lukeh/acquire-cred-ex

lib/NTMakefile

@@ -43,7 +43,7 @@ dir_dce = kdfs
 dir_hcrypto = hcrypto
 !endif
 
-SUBDIRS = vers editline com_err sl wind asn1 sqlite \
+SUBDIRS = vers libedit com_err sl wind asn1 sqlite \
 	$(dir_hcrypto) hx509 krb5 heimdal ntlm kafs gssapi hdb \
 	kadm5 $(dir_45) $(dir_otp) $(dir_dce) ..\packages\windows\assembly
 

lib/asn1/asn1_print.c

@@ -41,9 +41,8 @@
 #include <err.h>
 #include <der.h>
 
-RCSID("$Id$");
-
 static int indent_flag = 1;
+static int inner_flag = 0;
 
 static unsigned long indefinite_form_loop;
 static unsigned long indefinite_form_loop_max = 10000;
@@ -167,17 +166,39 @@ loop (unsigned char *buf, size_t len, int indent)
 	    }
 	    case UT_OctetString : {
 		heim_octet_string str;
-		int i;
-		unsigned char *uc;
+		size_t i;
 
 		ret = der_get_octet_string (buf, length, &str, NULL);
 		if (ret)
 		    errx (1, "der_get_octet_string: %s", error_message (ret));
 		printf ("(length %lu), ", (unsigned long)length);
-		uc = (unsigned char *)str.data;
-		for (i = 0; i < min(16,length); ++i)
-		    printf ("%02x", uc[i]);
-		printf ("\n");
+
+		if (inner_flag) {
+		    Der_class class;
+		    Der_type type;
+		    unsigned int tag;
+
+		    ret = der_get_tag(str.data, str.length,
+				      &class, &type, &tag, &sz);
+		    if (ret || sz > str.length ||
+			type != CONS || tag != UT_Sequence)
+			goto just_an_octet_string;
+		    
+		    printf("{\n");
+		    loop (str.data, str.length, indent + 2);
+		    for (i = 0; i < indent; ++i)
+			printf (" ");
+		    printf ("}\n");
+
+		} else {
+		    unsigned char *uc;
+
+		just_an_octet_string:
+		    uc = (unsigned char *)str.data;
+		    for (i = 0; i < min(16,length); ++i)
+			printf ("%02x", uc[i]);
+		    printf ("\n");
+		}
 		free (str.data);
 		break;
 	    }
@@ -295,6 +316,7 @@ static int version_flag;
 static int help_flag;
 struct getargs args[] = {
     { "indent", 0, arg_negative_flag, &indent_flag },
+    { "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" },
     { "version", 0, arg_flag, &version_flag },
     { "help", 0, arg_flag, &help_flag }
 };

lib/asn1/check-gen.c

@@ -1249,6 +1249,34 @@ check_seq_of_size(void)
     return 0;
 }
 
+static int
+check_TESTMechTypeList(void)
+{
+    TESTMechTypeList tl;
+    unsigned oid1[] =  { 1, 2, 840, 48018, 1, 2, 2};
+    TESTMechType t1 = { 7, oid1 };
+    unsigned oid2[] =  { 1, 2, 840, 113554, 1, 2, 2};
+    TESTMechType t2 = { 7, oid2 };
+    unsigned oid3[] =   { 1, 3, 6, 1, 4, 1, 311, 2, 2, 30};
+    TESTMechType t3 = { 10, oid3 };
+    unsigned oid4[] =   { 1, 3, 6, 1, 4, 1, 311, 2, 2, 10};
+    TESTMechType t4 = { 10, oid4 };
+    TESTMechType array[4] = { t1, t2, t3, t4 };
+    size_t size, len;
+    void *ptr;
+    int ret;
+
+    tl.len = 4;
+    tl.val = array;
+
+    ASN1_MALLOC_ENCODE(TESTMechTypeList, ptr, len, &tl, &size, ret);
+    if (ret)
+	errx(1, "TESTMechTypeList: %d", ret);
+    if (len != size)
+	abort();
+    return 0;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -1278,5 +1306,7 @@ main(int argc, char **argv)
     ret += check_seq();
     ret += check_seq_of_size();
 
+    ret += check_TESTMechTypeList();
+
     return ret;
 }

lib/asn1/der_format.c

@@ -108,7 +108,7 @@ int
 der_print_heim_oid (const heim_oid *oid, char delim, char **str)
 {
     struct rk_strpool *p = NULL;
-    int i;
+    size_t i;
 
     if (oid->length == 0)
 	return EINVAL;

lib/asn1/der_get.c

@@ -141,9 +141,9 @@ der_get_general_string (const unsigned char *p, size_t len,
 	 * an strings in the NEED_PREAUTH case that includes a
 	 * trailing NUL.
 	 */
-	while (p1 - p < len && *p1 == '\0')
+	while ((size_t)(p1 - p) < len && *p1 == '\0')
 	    p1++;
-       if (p1 - p != len)
+       if ((size_t)(p1 - p) != len)
 	    return ASN1_BAD_CHARACTER;
     }
     if (len > len + 1)

lib/asn1/der_length.c

@@ -86,7 +86,7 @@ static size_t
 len_oid (const heim_oid *oid)
 {
     size_t ret = 1;
-    int n;
+    size_t n;
 
     for (n = 2; n < oid->length; ++n) {
 	unsigned u = oid->components[n];

lib/asn1/der_put.c

@@ -433,7 +433,8 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
      if (s->data == NULL)
 	 return ENOMEM;
      s->length = len;
-     _der_gmtime(t, &tm);
+     if (_der_gmtime(t, &tm) == NULL)
+	 return ASN1_BAD_TIMEFORMAT;
      if (gtimep)
 	 snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ",
 		   tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,

lib/asn1/gen_decode.c

@@ -209,7 +209,8 @@ range_check(const char *name,
 
 static int
 decode_type (const char *name, const Type *t, int optional,
-	     const char *forwstr, const char *tmpstr, const char *dertype)
+	     const char *forwstr, const char *tmpstr, const char *dertype,
+	     size_t depth)
 {
     switch (t->type) {
     case TType: {
@@ -328,7 +329,8 @@ decode_type (const char *name, const Type *t, int optional,
 	    if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
 			  name, m->gen_name) < 0 || s == NULL)
 		errx(1, "malloc");
-	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
+		depth + 1);
 	    free (s);
 	}
 
@@ -369,7 +371,7 @@ decode_type (const char *name, const Type *t, int optional,
 			"%s = calloc(1, sizeof(*%s));\n"
 			"if (%s == NULL) { e = ENOMEM; %s; }\n",
 			s, s, s, forwstr);
-	    decode_type (s, m->type, 0, forwstr, m->gen_name, NULL);
+	    decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1);
 	    free (s);
 
 	    fprintf(codefile, "members |= (1 << %d);\n", memno);
@@ -442,7 +444,7 @@ decode_type (const char *name, const Type *t, int optional,
 	    errx(1, "malloc");
 	if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL)
 	    errx(1, "malloc");
-	decode_type (n, t->subtype, 0, forwstr, sname, NULL);
+	decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1);
 	fprintf (codefile,
 		 "(%s)->len++;\n"
 		 "len = %s_origlen - ret;\n"
@@ -480,7 +482,7 @@ decode_type (const char *name, const Type *t, int optional,
 		tmpstr, tmpstr, typestring);
 	if(support_ber)
 	    fprintf(codefile,
-		    "int is_indefinite;\n");
+		    "int is_indefinite%zu;\n", depth);
 
 	fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, "
 		"&%s_datalen, &l);\n",
@@ -516,20 +518,20 @@ decode_type (const char *name, const Type *t, int optional,
 		 tmpstr);
 	if(support_ber)
 	    fprintf (codefile,
-		     "if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
+		     "if((is_indefinite%zu = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
 		     "{ e = ASN1_BAD_FORMAT; %s; }\n"
-		     "if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
-		     tmpstr, forwstr, forwstr);
+		     "if (is_indefinite%zu) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
+		     depth, tmpstr, forwstr, depth, forwstr);
 	else
 	    fprintf(codefile,
 		    "if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n"
 		    "len = %s_datalen;\n", tmpstr, forwstr, tmpstr);
 	if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL)
 	    errx(1, "malloc");
-	decode_type (name, t->subtype, 0, forwstr, tname, ide);
+	decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1);
 	if(support_ber)
 	    fprintf(codefile,
-		    "if(is_indefinite){\n"
+		    "if(is_indefinite%zu){\n"
 		    "len += 2;\n"
 		    "e = der_match_tag_and_length(p, len, "
 		    "(Der_class)0, &%s, UT_EndOfContent, "
@@ -538,6 +540,7 @@ decode_type (const char *name, const Type *t, int optional,
 		    "p += l; len -= l; ret += l;\n"
 		    "if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n"
 		    "} else \n",
+		    depth,
 		    typestring,
 		    tmpstr,
 		    forwstr,
@@ -584,7 +587,8 @@ decode_type (const char *name, const Type *t, int optional,
 	    if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
 			  name, m->gen_name) < 0 || s == NULL)
 		errx(1, "malloc");
-	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
+		depth + 1);
 	    fprintf(codefile,
 		    "(%s)->element = %s;\n",
 		    name, m->label);
@@ -702,7 +706,7 @@ generate_type_decode (const Symbol *s)
 	fprintf (codefile, "\n");
 	fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
 
-	decode_type ("data", s->type, 0, "goto fail", "Top", NULL);
+	decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1);
 	if (preserve)
 	    fprintf (codefile,
 		     "data->_save.data = calloc(1, ret);\n"

lib/asn1/gen_encode.c

@@ -302,7 +302,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 		name, name);
 
 	fprintf(codefile,
-		"for(i = 0; i < (%s)->len; i++) {\n",
+		"for(i = 0; i < (int)(%s)->len; i++) {\n",
 		name);
 
 	fprintf(codefile,
@@ -326,7 +326,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 
 	fprintf(codefile,
 		"if (totallen > len) {\n"
-		"for (i = 0; i < (%s)->len; i++) {\n"
+		"for (i = 0; i < (int)(%s)->len; i++) {\n"
 		"free(val[i].data);\n"
 		"}\n"
 		"free(val);\n"
@@ -339,7 +339,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 		name);
 
 	fprintf (codefile,
-		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+		 "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
 		 "p -= val[i].length;\n"
 		 "ret += val[i].length;\n"
 		 "memcpy(p + 1, val[i].data, val[i].length);\n"
@@ -355,7 +355,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 	char *n = NULL;
 
 	fprintf (codefile,
-		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+		 "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
 		 "size_t %s_for_oldret = ret;\n"
 		 "ret = 0;\n",
 		 name, tmpstr);

lib/asn1/test.asn1

@@ -132,4 +132,7 @@ TESTBitString ::= BIT STRING {
 	      thirtyone(31)
 }
 
+TESTMechType::= OBJECT IDENTIFIER
+TESTMechTypeList ::= SEQUENCE OF TESTMechType
+
 END

lib/asn1/timegm.c

@@ -56,13 +56,13 @@ time_t
 _der_timegm (struct tm *tm)
 {
   time_t res = 0;
-  unsigned i;
+  int i;
 
   if (tm->tm_year < 0)
       return -1;
   if (tm->tm_mon < 0 || tm->tm_mon > 11)
       return -1;
-  if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
+  if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon])
       return -1;
   if (tm->tm_hour < 0 || tm->tm_hour > 23)
       return -1;
@@ -98,6 +98,14 @@ _der_gmtime(time_t t, struct tm *tm)
     tm->tm_min = (secday % 3600) / 60;
     tm->tm_hour = secday / 3600;
 
+    /* 
+     * Refuse to calculate time ~ 2000 years into the future, this is
+     * not possible for systems where time_t is a int32_t, however,
+     * when time_t is a int64_t, that can happen.
+     */
+    if (days > 356000)
+	return NULL;
+
     tm->tm_year = 70;
     while(1) {
 	unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365);

lib/gssapi/gen-oid.pl

@@ -110,7 +110,7 @@ while(<>) {
 	    printf "#define $name (&$store)\n\n";
 	} else {
 	    printf "/* $name - $oid */\n";
-	    printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, \"$data\" };\n\n";
+	    printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, rk_UNCONST(\"$data\") };\n\n";
 	}
     } elsif (/^desc\s+([\w]+)\s+(\w+)\s+(\"[^\"]*\")\s+(\"[^\"]*\")/) {
         my ($type, $oid, $short, $long) = ($1, $2, $3, $4);

lib/gssapi/gss_acquire_cred.3

@@ -513,7 +513,7 @@ In GSS-API an contiguous string name is stored in a
 .Dv gss_buffer_t .
 .Pp
 Exported names also have the property that they are specified by the
-mechanism itself and compatible between diffrent GSS-API
+mechanism itself and compatible between different GSS-API
 implementations.
 .El
 .Sh ACCESS CONTROL

lib/gssapi/gssapi.3

@@ -53,57 +53,52 @@ These functions constitute the gssapi library,
 .Em libgssapi .
 Declarations for these functions may be obtained from the include file
 .Pa gssapi.h .
-.sp 2
-.nf
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
-\fIName/Page\fP	\fIDescription\fP
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
-.sp 5p
-gss_accept_sec_context.3
-gss_acquire_cred.3
-gss_add_cred.3
-gss_add_oid_set_member.3
-gss_canonicalize_name.3
-gss_compare_name.3
-gss_context_time.3
-gss_create_empty_oid_set.3
-gss_delete_sec_context.3
-gss_display_name.3
-gss_display_status.3
-gss_duplicate_name.3
-gss_export_name.3
-gss_export_sec_context.3
-gss_get_mic.3
-gss_import_name.3
-gss_import_sec_context.3
-gss_indicate_mechs.3
-gss_init_sec_context.3
-gss_inquire_context.3
-gss_inquire_cred.3
-gss_inquire_cred_by_mech.3
-gss_inquire_mechs_for_name.3
-gss_inquire_names_for_mech.3
-gss_krb5_ccache_name.3
-gss_krb5_compat_des3_mic.3
-gss_krb5_copy_ccache.3
-gss_krb5_extract_authz_data_from_sec_context.3
-gss_krb5_import_ccache.3
-gss_process_context_token.3
-gss_release_buffer.3
-gss_release_cred.3
-gss_release_name.3
-gss_release_oid_set.3
-gss_seal.3
-gss_sign.3
-gss_test_oid_set_member.3
-gss_unseal.3
-gss_unwrap.3
-gss_verify.3
-gss_verify_mic.3
-gss_wrap.3
-gss_wrap_size_limit.3
-.ta
-.Fi
+.Bl -column -compact
+.It Sy Name/Page
+.It Xr gss_accept_sec_context 3
+.It Xr gss_acquire_cred 3
+.It Xr gss_add_cred 3
+.It Xr gss_add_oid_set_member 3
+.It Xr gss_canonicalize_name 3
+.It Xr gss_compare_name 3
+.It Xr gss_context_time 3
+.It Xr gss_create_empty_oid_set 3
+.It Xr gss_delete_sec_context 3
+.It Xr gss_display_name 3
+.It Xr gss_display_status 3
+.It Xr gss_duplicate_name 3
+.It Xr gss_export_name 3
+.It Xr gss_export_sec_context 3
+.It Xr gss_get_mic 3
+.It Xr gss_import_name 3
+.It Xr gss_import_sec_context 3
+.It Xr gss_indicate_mechs 3
+.It Xr gss_init_sec_context 3
+.It Xr gss_inquire_context 3
+.It Xr gss_inquire_cred 3
+.It Xr gss_inquire_cred_by_mech 3
+.It Xr gss_inquire_mechs_for_name 3
+.It Xr gss_inquire_names_for_mech 3
+.It Xr gss_krb5_ccache_name 3
+.It Xr gss_krb5_compat_des3_mic 3
+.It Xr gss_krb5_copy_ccache 3
+.It Xr gss_krb5_extract_authz_data_from_sec_context 3
+.It Xr gss_krb5_import_ccache 3
+.It Xr gss_process_context_token 3
+.It Xr gss_release_buffer 3
+.It Xr gss_release_cred 3
+.It Xr gss_release_name 3
+.It Xr gss_release_oid_set 3
+.It Xr gss_seal 3
+.It Xr gss_sign 3
+.It Xr gss_test_oid_set_member 3
+.It Xr gss_unseal 3
+.It Xr gss_unwrap 3
+.It Xr gss_verify 3
+.It Xr gss_verify_mic 3
+.It Xr gss_wrap 3
+.It Xr gss_wrap_size_limit 3
+.El
 .Sh COMPATIBILITY
 The
 .Nm Heimdal
@@ -147,7 +142,7 @@ the later will override.
 .Pp
 This config option modifies behaviour for both clients and servers.
 .Pp
-Microsoft implemented SPNEGO to Windows2000, however, they manage to
+Microsoft implemented SPNEGO to Windows2000, however, they managed to
 get it wrong, their implementation didn't fill in the MechListMIC in
 the reply token with the right content.
 There is a work around for this problem, but not all implementation

lib/gssapi/gsstool.c

@@ -132,7 +132,7 @@ supported_mechanisms(void *argptr, int argc, char **argv)
     return 0;
 }
 
-void static 
+static void
 print_mech_attr(const char *mechname, gss_const_OID mech, gss_OID_set set)
 {
     gss_buffer_desc name, desc;

lib/gssapi/krb5/accept_sec_context.c

@@ -55,11 +55,13 @@ validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
 }
 
 OM_uint32
-_gsskrb5_register_acceptor_identity (const char *identity)
+_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
 {
     krb5_context context;
     krb5_error_code ret;
 
+    *min_stat = 0;
+
     ret = _gsskrb5_init(&context);
     if(ret)
 	return GSS_S_FAILURE;
@@ -92,8 +94,10 @@ _gsskrb5_register_acceptor_identity (const char *identity)
 	}
     }
     HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
-    if(ret)
+    if(ret) {
+	*min_stat = ret;
 	return GSS_S_FAILURE;
+    }
     return GSS_S_COMPLETE;
 }
 

lib/gssapi/krb5/arcfour.c

@@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
 			   const gss_buffer_t token_buffer,
 			   gss_qop_t * qop_state,
 			   krb5_keyblock *key,
-			   char *type)
+			   const char *type)
 {
     krb5_error_code ret;
     uint32_t seq_number;
@@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
     p = token_buffer->value;
     omret = _gsskrb5_verify_header (&p,
 				       token_buffer->length,
-				       (u_char *)type,
+				       type,
 				       GSS_KRB5_MECHANISM);
     if (omret)
 	return omret;

lib/gssapi/krb5/cfx.c

@@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
     gss_iov_buffer_desc *header, *trailer, *padding;
     size_t gsshsize, k5hsize;
     size_t gsstsize, k5tsize;
-    size_t i, rrc = 0, ec = 0;
+    size_t rrc = 0, ec = 0;
+    int i;
     gss_cfx_wrap_token token;
     krb5_error_code ret;
     int32_t seq_number;
@@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
     token->Flags     = 0;
     token->Filler    = 0xFF;
 
+    if ((ctx->more_flags & LOCAL) == 0)
+	token->Flags |= CFXSentByAcceptor;
+
     if (ctx->more_flags & ACCEPTOR_SUBKEY)
 	token->Flags |= CFXAcceptorSubkey;
 
@@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
 	    q += iov[i].buffer.length;
 	}
     }
-    assert((q - p) == len);
+    assert((size_t)(q - p) == len);
 
     /* unrotate first part */
     q = p + rrc;

lib/gssapi/krb5/external.c

@@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = {
 	GSS_C_MA_SASL_MECH_NAME,
 	GSS_MO_MA,
 	"SASL mech name",
-	"GS2-KRB5",
+	rk_UNCONST("GS2-KRB5"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = {
 	GSS_C_MA_MECH_NAME,
 	GSS_MO_MA,
 	"Mechanism name",
-	"KRB5",
+	rk_UNCONST("KRB5"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = {
 	GSS_C_MA_MECH_DESCRIPTION,
 	GSS_MO_MA,
 	"Mechanism description",
-	"Heimdal Kerberos 5 mech",
+	rk_UNCONST("Heimdal Kerberos 5 mech"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -214,19 +214,19 @@ static gss_mo_desc krb5_mo[] = {
     },
     {
 	GSS_C_MA_AUTH_TARG,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
     },
     {
 	GSS_C_MA_AUTH_INIT_ANON,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
     },
     {
 	GSS_C_MA_DELEG_CRED,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
     },
     {
 	GSS_C_MA_INTEG_PROT,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
     },
     {
 	GSS_C_MA_CONF_PROT,
@@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = {
 static gssapi_mech_interface_desc krb5_mech = {
     GMI_VERSION,
     "kerberos 5",
-    {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
     0,
     _gsskrb5_acquire_cred,
     _gsskrb5_release_cred,
@@ -323,7 +323,13 @@ static gssapi_mech_interface_desc krb5_mech = {
     NULL,
     NULL,
     krb5_mo,
-    sizeof(krb5_mo) / sizeof(krb5_mo[0])
+    sizeof(krb5_mo) / sizeof(krb5_mo[0]),
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface

lib/gssapi/krb5/init_sec_context.c

@@ -422,11 +422,6 @@ init_auth
 	goto failure;
     }
 
-    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
-    if (ret)
-	goto failure;
-
-
     /*
      * This is hideous glue for (NFS) clients that wants to limit the
      * available enctypes to what it can support (encryption in
@@ -469,6 +464,10 @@ init_auth
 
     ctx->lifetime = ctx->kcred->times.endtime;
 
+    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+    if (ret)
+	goto failure;
+
     ret = _gsskrb5_lifetime_left(minor_status,
 				 context,
 				 ctx->lifetime,
@@ -676,7 +675,8 @@ init_auth_restart
 	output_token->length = outbuf.length;
     } else {
         ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
-				    (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
+				    (u_char *)(intptr_t)"\x01\x00",
+				    GSS_KRB5_MECHANISM);
 	krb5_data_free (&outbuf);
 	if (ret)
 	    goto failure;
@@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
 	return GSS_S_BAD_MECH;
 
     if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
-	OM_uint32 ret;
+	OM_uint32 ret1;
 
 	if (*context_handle != GSS_C_NO_CONTEXT) {
 	    *minor_status = 0;
 	    return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
 	}
 
-	ret = _gsskrb5_create_ctx(minor_status,
+	ret1 = _gsskrb5_create_ctx(minor_status,
 				  context_handle,
 				  context,
 				  input_chan_bindings,
 				  INITIATOR_START);
-	if (ret)
-	    return ret;
+	if (ret1)
+	    return ret1;
     }
 
     if (*context_handle == GSS_C_NO_CONTEXT) {

lib/gssapi/krb5/prf.c

@@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
     krb5_crypto crypto;
     krb5_data input, output;
     uint32_t num;
+    OM_uint32 junk;
     unsigned char *p;
     krb5_keyblock *key = NULL;
+    size_t dol;
 
     if (ctx == NULL) {
 	*minor_status = 0;
 	return GSS_S_NO_CONTEXT;
     }
 
-    if (desired_output_len <= 0) {
+    if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
 	*minor_status = 0;
 	return GSS_S_FAILURE;
     }
+    dol = desired_output_len;
 
     GSSAPI_KRB5_INIT (&context);
 
@@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	return GSS_S_FAILURE;
     }
 
-    prf_out->value = malloc(desired_output_len);
+    prf_out->value = malloc(dol);
     if (prf_out->value == NULL) {
 	_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
 	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
 	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
     }
-    prf_out->length = desired_output_len;
+    prf_out->length = dol;
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
 
     input.length = prf_in->length + 4;
     input.data = malloc(prf_in->length + 4);
     if (input.data == NULL) {
-	OM_uint32 junk;
 	_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
 	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
 	gss_release_buffer(&junk, prf_out);
@@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	return GSS_S_FAILURE;
     }
-    memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
+    memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
 
     num = 0;
     p = prf_out->value;
-    while(desired_output_len > 0) {
+    while(dol > 0) {
+	size_t tsize;
+
 	_gsskrb5_encode_om_uint32(num, input.data);
+
 	ret = krb5_crypto_prf(context, crypto, &input, &output);
 	if (ret) {
-	    OM_uint32 junk;
 	    *minor_status = ret;
 	    free(input.data);
 	    gss_release_buffer(&junk, prf_out);
@@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	    return GSS_S_FAILURE;
 	}
-	memcpy(p, output.data, min(desired_output_len, output.length));
+
+	tsize = min(dol, output.length);
+	memcpy(p, output.data, tsize);
 	p += output.length;
-	desired_output_len -= output.length;
+	dol -= tsize;
 	krb5_data_free(&output);
 	num++;
     }

lib/gssapi/krb5/process_context_token.c

@@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token (
 				       (gsskrb5_ctx)context_handle,
 				       context,
 				       token_buffer, &empty_buffer,
-				       GSS_C_QOP_DEFAULT, "\x01\x02");
+				       GSS_C_QOP_DEFAULT,
+				       "\x01\x02");
 
     if (ret == GSS_S_COMPLETE)
 	ret = _gsskrb5_delete_sec_context(minor_status,

lib/gssapi/krb5/sequence.c

@@ -141,7 +141,7 @@ OM_uint32
 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
 {
     OM_uint32 r;
-    int i;
+    size_t i;
 
     if (o == NULL)
 	return GSS_S_COMPLETE;

lib/gssapi/krb5/set_sec_context_option.c

@@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option
 	if (maj_stat != GSS_S_COMPLETE)
 	    return maj_stat;
 
-	_gsskrb5_register_acceptor_identity(str);
+	maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
 	free(str);
 
-	*minor_status = 0;
-	return GSS_S_COMPLETE;
+	return maj_stat;
 
     } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
 	char *str;

lib/gssapi/krb5/unwrap.c

@@ -54,7 +54,7 @@ unwrap_des
   DES_key_schedule schedule;
   DES_cblock deskey;
   DES_cblock zero;
-  int i;
+  size_t i;
   uint32_t seq_number;
   size_t padlength;
   OM_uint32 ret;

lib/gssapi/krb5/verify_mic.c

@@ -44,7 +44,7 @@ verify_mic_des
             const gss_buffer_t token_buffer,
             gss_qop_t * qop_state,
 	    krb5_keyblock *key,
-	    char *type
+	    const char *type
 	    )
 {
   u_char *p;
@@ -142,7 +142,7 @@ verify_mic_des3
             const gss_buffer_t token_buffer,
             gss_qop_t * qop_state,
 	    krb5_keyblock *key,
-	    char *type
+	    const char *type
 	    )
 {
   u_char *p;
@@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal
             const gss_buffer_t message_buffer,
             const gss_buffer_t token_buffer,
             gss_qop_t * qop_state,
-	    char * type
+	    const char * type
 	    )
 {
     krb5_keyblock *key;
@@ -348,7 +348,7 @@ _gsskrb5_verify_mic
 				       (gsskrb5_ctx)context_handle,
 				       context,
 				       message_buffer, token_buffer,
-				       qop_state, "\x01\x01");
+				       qop_state, (void *)(intptr_t)"\x01\x01");
 
     return ret;
 }

lib/gssapi/krb5/wrap.c

@@ -214,7 +214,7 @@ wrap_des
   EVP_CIPHER_CTX des_ctx;
   DES_cblock deskey;
   DES_cblock zero;
-  int i;
+  size_t i;
   int32_t seq_number;
   size_t len, total_len, padlength, datalen;
 

lib/gssapi/mech/gss_acquire_cred.c

@@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
 	struct _gss_cred *cred;
 	struct _gss_mechanism_cred *mc;
 	OM_uint32 min_time, cred_time;
-	int i;
+	size_t i;
 
 	*minor_status = 0;
 	if (output_cred_handle == NULL)

lib/gssapi/mech/gss_aeap.c

@@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status,
 		       int iov_count)
 {
     OM_uint32 junk;
-    size_t i;
+    int i;
 
     if (minor_status)
 	*minor_status = 0;

lib/gssapi/mech/gss_buffer_set.c

@@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_release_buffer_set(OM_uint32 * minor_status,
 		       gss_buffer_set_t *buffer_set)
 {
-    int i;
+    size_t i;
     OM_uint32 minor;
 
     *minor_status = 0;

lib/gssapi/mech/gss_cred.c

@@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status,
 	}
 
 	ret = krb5_storage_write(sp, buffer.value, buffer.length);
-	if (ret != buffer.length) {
+	if (ret < 0 || (size_t)ret != buffer.length) {
 	    gss_release_buffer(minor_status, &buffer);
 	    krb5_storage_free(sp);
 	    *minor_status = EINVAL;

lib/gssapi/mech/gss_get_name_attribute.c

@@ -47,8 +47,10 @@ gss_get_name_attribute(OM_uint32 *minor_status,
     struct _gss_mechanism_name *mn;
         
     *minor_status = 0;
-    *authenticated = 0;
-    *complete = 0;
+    if (authenticated != NULL)
+        *authenticated = 0;
+    if (complete != NULL)
+        *complete = 0;
     _mg_buffer_zero(value);
     _mg_buffer_zero(display_value);
 

lib/gssapi/mech/gss_import_name.c

@@ -41,6 +41,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
 	gssapi_mech_interface m;
 	struct _gss_name *name;
 	gss_name_t new_canonical_name;
+	int composite = 0;
 
 	*minor_status = 0;
 	*output_name = 0;
@@ -50,8 +51,17 @@ _gss_import_export_name(OM_uint32 *minor_status,
 	 */
 	if (len < 2)
 		return (GSS_S_BAD_NAME);
-	if (p[0] != 4 || p[1] != 1)
+	if (p[0] != 4)
 		return (GSS_S_BAD_NAME);
+	switch (p[1]) {
+	case 1:	/* non-composite name */
+		break;
+	case 2:	/* composite name */
+		composite = 1;
+		break;
+	default:
+		return (GSS_S_BAD_NAME);
+	}
 	p += 2;
 	len -= 2;
 
@@ -106,7 +116,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
 	p += 4;
 	len -= 4;
 
-	if (len != t)
+	if (!composite && len != t)
 		return (GSS_S_BAD_NAME);
 
 	m = __gss_get_mechanism(&mech_oid);

lib/gssapi/mech/gss_indicate_mechs.c

@@ -35,7 +35,7 @@ gss_indicate_mechs(OM_uint32 *minor_status,
 	struct _gss_mech_switch *m;
 	OM_uint32 major_status;
 	gss_OID_set set;
-	int i;
+	size_t i;
 
 	_gss_load_mech();
 

lib/gssapi/mech/gss_inquire_context.c

@@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status,
     gss_OID *mech_type,
     OM_uint32 *ctx_flags,
     int *locally_initiated,
-    int *open)
+    int *xopen)
 {
 	OM_uint32 major_status;
 	struct _gss_context *ctx = (struct _gss_context *) context_handle;
@@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status,
 
 	if (locally_initiated)
 	    *locally_initiated = 0;
-	if (open)
-	    *open = 0;
+	if (xopen)
+	    *xopen = 0;
 	if (lifetime_rec)
 	    *lifetime_rec = 0;
 
@@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status,
 	    mech_type,
 	    ctx_flags,
 	    locally_initiated,
-	    open);
+	    xopen);
 
 	if (major_status != GSS_S_COMPLETE) {
 		_gss_mg_error(m, major_status, *minor_status);

lib/gssapi/mech/gss_inquire_cred_by_oid.c

@@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
 
 	HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
 		gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET;
-		int i;
+		size_t i;
 
 		m = mc->gmc_mech;
 		if (m == NULL) {

lib/gssapi/mech/gss_inquire_name.c

@@ -44,9 +44,12 @@ gss_inquire_name(OM_uint32 *minor_status,
     struct _gss_mechanism_name *mn;
         
     *minor_status = 0;
-    *name_is_MN = 0;
-    *MN_mech = GSS_C_NO_OID;
-    *attrs = GSS_C_NO_BUFFER_SET;
+    if (name_is_MN != NULL)
+        *name_is_MN = 0;
+    if (MN_mech != NULL)
+        *MN_mech = GSS_C_NO_OID;
+    if (attrs != NULL)
+        *attrs = GSS_C_NO_BUFFER_SET;
 
     if (input_name == GSS_C_NO_NAME)
         return GSS_S_BAD_NAME;
@@ -63,7 +66,8 @@ gss_inquire_name(OM_uint32 *minor_status,
                                           MN_mech,
                                           attrs);
         if (major_status == GSS_S_COMPLETE) {
-            *name_is_MN = 1;
+            if (name_is_MN != NULL)
+                *name_is_MN = 1;
 #if 0
             if (*MN_mech == GSS_C_NO_OID)
                 *MN_mech = &m->gm_mech_oid;

lib/gssapi/mech/gss_krb5.c

@@ -188,7 +188,7 @@ out:
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_register_acceptor_identity(const char *identity)
 {
-        struct _gss_mech_switch	*m;
+	gssapi_mech_interface m;
 	gss_buffer_desc buffer;
 	OM_uint32 junk;
 
@@ -197,14 +197,12 @@ gsskrb5_register_acceptor_identity(const char *identity)
 	buffer.value = rk_UNCONST(identity);
 	buffer.length = strlen(identity);
 
-	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
-		if (m->gm_mech.gm_set_sec_context_option == NULL)
-			continue;
-		m->gm_mech.gm_set_sec_context_option(&junk, NULL,
-		    GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
-	}
+	m = __gss_get_mechanism(GSS_KRB5_MECHANISM);
+	if (m == NULL || m->gm_set_sec_context_option == NULL)
+	    return GSS_S_FAILURE;
 
-	return (GSS_S_COMPLETE);
+	return m->gm_set_sec_context_option(&junk, NULL,
+	        GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
 }
 
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
@@ -441,7 +439,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
     gss_buffer_desc buffer;
     krb5_storage *sp;
     krb5_data data;
-    int i;
+    size_t i;
 
     sp = krb5_storage_emem();
     if (sp == NULL) {

lib/gssapi/mech/gss_mech_switch.c

@@ -152,7 +152,8 @@ _gss_string_to_oid(const char* s, gss_OID oid)
 #define SYM(name)							\
 do {									\
 	m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name);		\
-	if (!m->gm_mech.gm_ ## name) {					\
+	if (!m->gm_mech.gm_ ## name ||					\
+	    m->gm_mech.gm_ ##name == gss_ ## name) {			\
 		fprintf(stderr, "can't find symbol gss_" #name "\n");	\
 		goto bad;						\
 	}								\
@@ -160,7 +161,21 @@ do {									\
 
 #define OPTSYM(name)							\
 do {									\
-	m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name);			\
+	m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name);		\
+	if (m->gm_mech.gm_ ## name == gss_ ## name)			\
+		m->gm_mech.gm_ ## name = NULL;				\
+} while (0)
+
+#define OPTSPISYM(name)							\
+do {									\
+	m->gm_mech.gm_ ## name = dlsym(so, "gssspi_" #name);		\
+} while (0)
+
+#define COMPATSYM(name)							\
+do {									\
+	m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gss_" #name);	\
+	if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name)		\
+		m->gm_mech.gm_compat->gmc_ ## name = NULL;		\
 } while (0)
 
 /*
@@ -283,28 +298,23 @@ _gss_load_mech(void)
 #endif
 
 		so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP);
-		if (!so) {
+		if (so == NULL) {
 /*			fprintf(stderr, "dlopen: %s\n", dlerror()); */
-			free(mech_oid.elements);
-			continue;
+			goto bad;
 		}
 
-		m = malloc(sizeof(*m));
-		if (!m) {
-			free(mech_oid.elements);
-			break;
-		}
+		m = calloc(1, sizeof(*m));
+		if (m == NULL)
+			goto bad;
+
 		m->gm_so = so;
 		m->gm_mech.gm_mech_oid = mech_oid;
 		m->gm_mech.gm_flags = 0;
-		
+
 		major_status = gss_add_oid_set_member(&minor_status,
 		    &m->gm_mech.gm_mech_oid, &_gss_mech_oids);
-		if (major_status) {
-			free(m->gm_mech.gm_mech_oid.elements);
-			free(m);
-			continue;
-		}
+		if (GSS_ERROR(major_status))
+			goto bad;
 
 		SYM(acquire_cred);
 		SYM(release_cred);
@@ -338,7 +348,7 @@ _gss_load_mech(void)
 		OPTSYM(inquire_cred_by_oid);
 		OPTSYM(inquire_sec_context_by_oid);
 		OPTSYM(set_sec_context_option);
-		OPTSYM(set_cred_option);
+		OPTSPISYM(set_cred_option);
 		OPTSYM(pseudo_random);
 		OPTSYM(wrap_iov);
 		OPTSYM(unwrap_iov);
@@ -362,20 +372,29 @@ _gss_load_mech(void)
 
 		mi = dlsym(so, "gss_mo_init");
 		if (mi != NULL) {
-			major_status = mi(&minor_status,
-					  &mech_oid,
-					  &m->gm_mech.gm_mo,
-					  &m->gm_mech.gm_mo_num);
+			major_status = mi(&minor_status, &mech_oid,
+					  &m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num);
 			if (GSS_ERROR(major_status))
 				goto bad;
 		}
 
+		/* pick up the oid sets of names */
+
+		if (m->gm_mech.gm_inquire_names_for_mech)
+			(*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
+			&m->gm_mech.gm_mech_oid, &m->gm_name_types);
+
+		if (m->gm_name_types == NULL)
+			gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
+
 		HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
 		continue;
 
 	bad:
-		free(m->gm_mech.gm_mech_oid.elements);
-		free(m);
+		if (m != NULL) {
+			free(m->gm_mech.gm_mech_oid.elements);
+			free(m);
+		}
 		dlclose(so);
 		continue;
 	}

lib/gssapi/mech/gss_mo.c

@@ -434,28 +434,28 @@ gss_display_mech_attr(OM_uint32 * minor_status,
 	return GSS_S_BAD_MECH_ATTR;
 
     if (name) {
-	gss_buffer_desc n;
-	n.value = rk_UNCONST(ma->name);
-	n.length = strlen(ma->name);
-	major = _gss_copy_buffer(minor_status, &n, name);
+	gss_buffer_desc bd;
+	bd.value = rk_UNCONST(ma->name);
+	bd.length = strlen(ma->name);
+	major = _gss_copy_buffer(minor_status, &bd, name);
 	if (major != GSS_S_COMPLETE)
 	    return major;
     }
 
     if (short_desc) {
-	gss_buffer_desc n;
-	n.value = rk_UNCONST(ma->short_desc);
-	n.length = strlen(ma->short_desc);
-	major = _gss_copy_buffer(minor_status, &n, short_desc);
+	gss_buffer_desc bd;
+	bd.value = rk_UNCONST(ma->short_desc);
+	bd.length = strlen(ma->short_desc);
+	major = _gss_copy_buffer(minor_status, &bd, short_desc);
 	if (major != GSS_S_COMPLETE)
 	    return major;
     }
 
     if (long_desc) {
-	gss_buffer_desc n;
-	n.value = rk_UNCONST(ma->long_desc);
-	n.length = strlen(ma->long_desc);
-	major = _gss_copy_buffer(minor_status, &n, long_desc);
+	gss_buffer_desc bd;
+	bd.value = rk_UNCONST(ma->long_desc);
+	bd.length = strlen(ma->long_desc);
+	major = _gss_copy_buffer(minor_status, &bd, long_desc);
 	if (major != GSS_S_COMPLETE)
 	    return major;
     }

lib/gssapi/mech/gss_oid.c

@@ -2,106 +2,106 @@
 #include "mech_locl.h"
 
 /* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") };
 
 /* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") };
 
 /* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") };
 
 /* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") };
 
 /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") };
 
 /* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") };
 
 /* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") };
 
 /* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") };
 
 /* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") };
 
 /* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") };
 
 /* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") };
 
 /* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") };
 
 /* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") };
 
 /* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") };
 
 /* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") };
 
 /* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") };
 
 /* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") };
 
 /* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") };
 
 /* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") };
 
 /* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") };
 
 /* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") };
 
 /* GSS_C_NT_NTLM - 1.2.752.43.13.21 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") };
 
 /* GSS_C_NT_DN - 1.2.752.43.13.22 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") };
 
 /* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") };
 
 /* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") };
 
 /* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") };
 
 /* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") };
 
 /* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") };
 
 /* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") };
 
 /* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") };
 
 /* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") };
 
 /* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") };
 
 /* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") };
 
 /* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") };
 
 /* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */
 gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" };
@@ -110,118 +110,118 @@ gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85
 gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" };
 
 /* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
 
 /* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") };
 
 /* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") };
 
 /* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") };
 
 /* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") };
 
 /* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, "\x2a\x85\x70\x2b\x0d\x03\x81\x00" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") };
 
 /* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") };
 
 /* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
 
 /* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
 
 /* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") };
 
 /* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") };
 
 /* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") };
 
 /* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") };
 
 /* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") };
 
 /* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") };
 
 /* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") };
 
 /* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") };
 
 /* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") };
 
 /* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") };
 
 /* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") };
 
 /* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") };
 
 /* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") };
 
 /* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") };
 
 /* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") };
 
 /* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") };
 
 /* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") };
 
 /* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") };
 
 /* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") };
 
 /* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") };
 
 /* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") };
 
 /* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") };
 
 /* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") };
 
 /* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") };
 
 /* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") };
 
 /* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") };
 
 /* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") };
 
 /* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") };
 
 /* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") };
 
 struct _gss_oid_name_table _gss_ont_ma[] = {
   { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },

lib/gssapi/mech/gss_test_oid_set_member.c

@@ -34,7 +34,7 @@ gss_test_oid_set_member(OM_uint32 *minor_status,
     const gss_OID_set set,
     int *present)
 {
-	int i;
+	size_t i;
 
 	*present = 0;
 	for (i = 0; i < set->count; i++)

lib/gssapi/ntlm/accept_sec_context.c

@@ -155,15 +155,15 @@ _gss_ntlm_accept_sec_context
 						 &out);
 	heim_ntlm_free_type1(&type1);
 	if (major_status != GSS_S_COMPLETE) {
-	    OM_uint32 junk;
-	    _gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
+	    OM_uint32 gunk;
+	    _gss_ntlm_delete_sec_context(&gunk, context_handle, NULL);
 	    return major_status;
 	}
 
 	output_token->value = malloc(out.length);
 	if (output_token->value == NULL && out.length != 0) {
-	    OM_uint32 junk;
-	    _gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
+	    OM_uint32 gunk;
+	    _gss_ntlm_delete_sec_context(&gunk, context_handle, NULL);
 	    *minor_status = ENOMEM;
 	    return GSS_S_FAILURE;
 	}

lib/gssapi/ntlm/external.c

@@ -38,7 +38,7 @@ static gss_mo_desc ntlm_mo[] = {
 	GSS_C_MA_SASL_MECH_NAME,
 	GSS_MO_MA,
 	"SASL mech name",
-	"NTLM",
+	rk_UNCONST("NTLM"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -46,7 +46,7 @@ static gss_mo_desc ntlm_mo[] = {
 	GSS_C_MA_MECH_NAME,
 	GSS_MO_MA,
 	"Mechanism name",
-	"NTLMSPP",
+	rk_UNCONST("NTLMSPP"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -54,7 +54,7 @@ static gss_mo_desc ntlm_mo[] = {
 	GSS_C_MA_MECH_DESCRIPTION,
 	GSS_MO_MA,
 	"Mechanism description",
-	"Heimdal NTLMSSP Mechanism",
+	rk_UNCONST("Heimdal NTLMSSP Mechanism"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     }
@@ -113,7 +113,13 @@ static gssapi_mech_interface_desc ntlm_mech = {
     NULL,
     NULL,
     ntlm_mo,
-    sizeof(ntlm_mo) / sizeof(ntlm_mo[0])
+    sizeof(ntlm_mo) / sizeof(ntlm_mo[0]),
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface

lib/gssapi/spnego/accept_sec_context.c

@@ -316,7 +316,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
     gss_OID_desc oid;
     gss_OID oidp;
     gss_OID_set mechs;
-    int i;
+    size_t i;
     OM_uint32 ret, junk;
 
     ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
@@ -368,12 +368,13 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p,
 
 	host = getenv("GSSAPI_SPNEGO_NAME");
 	if (host == NULL || issuid()) {
+	    int rv;
 	    if (gethostname(hostname, sizeof(hostname)) != 0) {
 		*minor_status = errno;
 		return GSS_S_FAILURE;
 	    }
-	    i = asprintf(&str, "host@%s", hostname);
-	    if (i < 0 || str == NULL) {
+	    rv = asprintf(&str, "host@%s", hostname);
+	    if (rv < 0 || str == NULL) {
 		*minor_status = ENOMEM;
 		return GSS_S_FAILURE;
 	    }
@@ -491,7 +492,6 @@ acceptor_start
     NegotiationToken nt;
     size_t nt_len;
     NegTokenInit *ni;
-    int i;
     gss_buffer_desc data;
     gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
     gss_buffer_desc mech_output_token;
@@ -613,13 +613,14 @@ acceptor_start
      */
 
     if (!first_ok && ni->mechToken != NULL) {
+	size_t j;
 
 	preferred_mech_type = GSS_C_NO_OID;
 
 	/* Call glue layer to find first mech we support */
-	for (i = 1; i < ni->mechTypes.len; ++i) {
+	for (j = 1; j < ni->mechTypes.len; ++j) {
 	    ret = select_mech(minor_status,
-			      &ni->mechTypes.val[i],
+			      &ni->mechTypes.val[j],
 			      1,
 			      &preferred_mech_type);
 	    if (ret == 0)

lib/gssapi/spnego/compat.c

@@ -41,10 +41,10 @@
  * Kerberos mechanism.
  */
 gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
-	{9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
+    {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")};
 
 gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
-	{9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
 
 /*
  * Allocate a SPNEGO context handle
@@ -241,7 +241,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status,
     gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
     gss_OID first_mech = GSS_C_NO_OID;
     OM_uint32 ret;
-    int i;
+    size_t i;
 
     mechtypelist->len = 0;
     mechtypelist->val = NULL;

lib/gssapi/spnego/context_stubs.c

@@ -37,7 +37,7 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs)
 {
     OM_uint32 ret, junk;
     gss_OID_set m;
-    int i;
+    size_t i;
 
     ret = gss_indicate_mechs(minor_status, &m);
     if (ret != GSS_S_COMPLETE)
@@ -565,7 +565,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_names_for_mech (
 {
     gss_OID_set mechs, names, n;
     OM_uint32 ret, junk;
-    int i, j;
+    size_t i, j;
 
     *name_types = NULL;
 

lib/gssapi/spnego/cred_stubs.c

@@ -70,7 +70,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred
     OM_uint32 ret, tmp;
     gss_OID_set_desc actual_desired_mechs;
     gss_OID_set mechs;
-    int i, j;
+    size_t i, j;
 
     *output_cred_handle = GSS_C_NO_CREDENTIAL;
 

lib/gssapi/spnego/external.c

@@ -39,13 +39,12 @@
  *  negotiation token is identified by the Object Identifier
  *  iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
  */
-
 static gss_mo_desc spnego_mo[] = {
     {
 	GSS_C_MA_SASL_MECH_NAME,
 	GSS_MO_MA,
 	"SASL mech name",
-	"SPNEGO",
+	rk_UNCONST("SPNEGO"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -53,7 +52,7 @@ static gss_mo_desc spnego_mo[] = {
 	GSS_C_MA_MECH_NAME,
 	GSS_MO_MA,
 	"Mechanism name",
-	"SPNEGO",
+	rk_UNCONST("SPNEGO"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -61,7 +60,7 @@ static gss_mo_desc spnego_mo[] = {
 	GSS_C_MA_MECH_DESCRIPTION,
 	GSS_MO_MA,
 	"Mechanism description",
-	"Heimdal SPNEGO Mechanism",
+	rk_UNCONST("Heimdal SPNEGO Mechanism"),
 	_gss_mo_get_ctx_as_string,
 	NULL
     },
@@ -78,7 +77,7 @@ static gss_mo_desc spnego_mo[] = {
 static gssapi_mech_interface_desc spnego_mech = {
     GMI_VERSION,
     "spnego",
-    {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+    {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
     0,
     _gss_spnego_acquire_cred,
     _gss_spnego_release_cred,
@@ -128,7 +127,13 @@ static gssapi_mech_interface_desc spnego_mech = {
     NULL,
     NULL,
     spnego_mo,
-    sizeof(spnego_mo) / sizeof(spnego_mo[0])
+    sizeof(spnego_mo) / sizeof(spnego_mo[0]),
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface

lib/gssapi/test_context.c

@@ -553,8 +553,12 @@ main(int argc, char **argv)
     else
 	mechoid = string_to_oid(mech_string);
 
-    if (gsskrb5_acceptor_identity)
-	gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
+    if (gsskrb5_acceptor_identity) {
+	maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity);
+	if (maj_stat)
+	    errx(1, "gsskrb5_acceptor_identity: %s",
+		 gssapi_err(maj_stat, 0, GSS_C_NO_OID));
+    }
 
     if (client_password) {
 	credential_type = GSS_C_CRED_PASSWORD; 

lib/hdb/common.c

@@ -171,7 +171,7 @@ hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key)
     krb5_error_code code;
     hdb_entry oldentry;
     krb5_data value;
-    int i;
+    size_t i;
 
     code = db->hdb__get(context, db, *key, &value);
     if (code == HDB_ERR_NOENTRY)
@@ -211,7 +211,7 @@ hdb_add_aliases(krb5_context context, HDB *db,
     const HDB_Ext_Aliases *aliases;
     krb5_error_code code;
     krb5_data key, value;
-    int i;
+    size_t i;
 
     code = hdb_entry_get_aliases(&entry->entry, &aliases);
     if (code || aliases == NULL)
@@ -240,7 +240,8 @@ static krb5_error_code
 hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry)
 {
     const HDB_Ext_Aliases *aliases;
-    int code, i;
+    int code;
+    size_t i;
 
     /* check if new aliases already is used */
 

lib/hdb/ext.c

@@ -37,7 +37,7 @@
 krb5_error_code
 hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
 {
-    int i;
+    size_t i;
 
     if (ent->extensions == NULL)
 	return 0;
@@ -63,13 +63,13 @@ hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
 HDB_extension *
 hdb_find_extension(const hdb_entry *entry, int type)
 {
-    int i;
+    size_t i;
 
     if (entry->extensions == NULL)
 	return NULL;
 
     for (i = 0; i < entry->extensions->len; i++)
-	if (entry->extensions->val[i].data.element == type)
+	if (entry->extensions->val[i].data.element == (unsigned)type)
 	    return &entry->extensions->val[i];
     return NULL;
 }
@@ -112,7 +112,7 @@ hdb_replace_extension(krb5_context context,
 	Der_type replace_type, list_type;
 	unsigned int replace_tag, list_tag;
 	size_t size;
-	int i;
+	size_t i;
 
 	ret = der_get_tag(ext->data.u.asn1_ellipsis.data,
 			  ext->data.u.asn1_ellipsis.length,
@@ -180,13 +180,13 @@ hdb_clear_extension(krb5_context context,
 		    hdb_entry *entry,
 		    int type)
 {
-    int i;
+    size_t i;
 
     if (entry->extensions == NULL)
 	return 0;
 
     for (i = 0; i < entry->extensions->len; i++) {
-	if (entry->extensions->val[i].data.element == type) {
+	if (entry->extensions->val[i].data.element == (unsigned)type) {
 	    free_HDB_extension(&entry->extensions->val[i]);
 	    memmove(&entry->extensions->val[i],
 		    &entry->extensions->val[i + 1],
@@ -286,7 +286,7 @@ hdb_entry_get_password(krb5_context context, HDB *db,
 
     ext = hdb_find_extension(entry, choice_HDB_extension_data_password);
     if (ext) {
-	heim_utf8_string str;
+	heim_utf8_string xstr;
 	heim_octet_string pw;
 
 	if (db->hdb_master_key_set && ext->data.u.password.mkvno) {
@@ -314,13 +314,13 @@ hdb_entry_get_password(krb5_context context, HDB *db,
 	    return ret;
 	}
 
-	str = pw.data;
-	if (str[pw.length - 1] != '\0') {
+	xstr = pw.data;
+	if (xstr[pw.length - 1] != '\0') {
 	    krb5_set_error_message(context, EINVAL, "malformed password");
 	    return EINVAL;
 	}
 
-	*p = strdup(str);
+	*p = strdup(xstr);
 
 	der_free_octet_string(&pw);
 	if (*p == NULL) {

lib/hdb/hdb-mitdb.c

@@ -144,7 +144,7 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num)
     case KRB5_KDB_SALTTYPE_NOREALM:
     {
 	size_t len;
-	int i;
+	size_t i;
 	char *p;
 	
 	len = 0;

lib/hdb/hdb-sqlite.c

@@ -416,6 +416,13 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi
         }
     }
 
+    value.length = sqlite3_column_bytes(fetch, 0);
+    value.data = (void *) sqlite3_column_blob(fetch, 0);
+
+    ret = hdb_value2entry(context, &value, &entry->entry);
+    if(ret)
+        goto out;
+
     if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) {
         ret = hdb_unseal_keys(context, db, &entry->entry);
         if(ret) {
@@ -423,13 +430,6 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi
            goto out;
         }
     }
-
-    value.length = sqlite3_column_bytes(fetch, 0);
-    value.data = (void *) sqlite3_column_blob(fetch, 0);
-
-    ret = hdb_value2entry(context, &value, &entry->entry);
-    if(ret)
-        goto out;
     
     ret = 0;
 

lib/hdb/hdb.c

@@ -78,7 +78,9 @@ static struct hdb_method methods[] = {
     { HDB_INTERFACE_VERSION, "ldap:",	hdb_ldap_create},
     { HDB_INTERFACE_VERSION, "ldapi:",	hdb_ldapi_create},
 #endif
+#ifdef HAVE_SQLITE3
     { HDB_INTERFACE_VERSION, "sqlite:", hdb_sqlite_create},
+#endif
     {0, NULL,	NULL}
 };
 
@@ -166,7 +168,7 @@ hdb_unlock(int fd)
 void
 hdb_free_entry(krb5_context context, hdb_entry_ex *ent)
 {
-    int i;
+    size_t i;
 
     if (ent->free_entry)
 	(*ent->free_entry)(context, ent);
@@ -215,7 +217,7 @@ hdb_check_db_format(krb5_context context, HDB *db)
     if (ret)
 	return ret;
 
-    tag.data = HDB_DB_FORMAT_ENTRY;
+    tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY;
     tag.length = strlen(tag.data);
     ret = (*db->hdb__get)(context, db, tag, &version);
     ret2 = db->hdb_unlock(context, db);
@@ -248,7 +250,7 @@ hdb_init_db(krb5_context context, HDB *db)
     if (ret)
 	return ret;
 
-    tag.data = HDB_DB_FORMAT_ENTRY;
+    tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY;
     tag.length = strlen(tag.data);
     snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT);
     version.data = ver;

lib/hdb/keys.c

@@ -256,8 +256,8 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
     char **ktypes, **kp;
     krb5_error_code ret;
     Key *k, *key_set;
-    int i, j;
-    char *default_keytypes[] = {
+    size_t i, j;
+    static const char *default_keytypes[] = {
 	"aes256-cts-hmac-sha1-96:pw-salt",
 	"des3-cbc-sha1:pw-salt",
 	"arcfour-hmac-md5:pw-salt",
@@ -267,7 +267,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
     ktypes = krb5_config_get_strings(context, NULL, "kadmin",
 				     "default_keys", NULL);
     if (ktypes == NULL)
-	ktypes = default_keytypes;
+	ktypes = (char **)(intptr_t)default_keytypes;
 
     *ret_key_set = key_set = NULL;
     *nkeyset = 0;
@@ -337,7 +337,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
     *ret_key_set = key_set;
 
  out:
-    if (ktypes != default_keytypes)
+    if (ktypes != (char **)(intptr_t)default_keytypes)
 	krb5_config_free_strings(ktypes);
 
     if (ret) {
@@ -364,7 +364,7 @@ hdb_generate_key_set_password(krb5_context context,
 			      Key **keys, size_t *num_keys)
 {
     krb5_error_code ret;
-    int i;
+    size_t i;
 
     ret = hdb_generate_key_set(context, principal,
 				keys, num_keys, 0);

lib/hdb/keytab.c

@@ -184,7 +184,7 @@ hdb_get_entry(krb5_context context,
     const char *mkey   = d->mkey;
     char *fdbname = NULL, *fmkey = NULL;
     HDB *db;
-    int i;
+    size_t i;
 
     memset(&ent, 0, sizeof(ent));
 
@@ -222,7 +222,7 @@ hdb_get_entry(krb5_context context,
     }else if(ret)
 	goto out;
 
-    if(kvno && ent.entry.kvno != kvno) {
+    if(kvno && (krb5_kvno)ent.entry.kvno != kvno) {
 	hdb_free_entry(context, &ent);
  	ret = KRB5_KT_NOTFOUND;
 	goto out;
@@ -382,7 +382,7 @@ hdb_next_entry(krb5_context context,
      * next entry
      */
     
-    if (c->key_idx == c->hdb_entry.entry.keys.len) {
+    if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) {
 	hdb_free_entry(context, &c->hdb_entry);
 	c->next = TRUE;
 	c->key_idx = 0;

lib/hdb/mkey.c

@@ -372,7 +372,7 @@ _hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey)
 	if(mkvno == NULL) {
 	    if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
 		ret = mkey;
-	} else if(mkey->keytab.vno == *mkvno)
+	} else if((uint32_t)mkey->keytab.vno == *mkvno)
 	    return mkey;
 	mkey = mkey->next;
     }
@@ -459,7 +459,7 @@ hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
 krb5_error_code
 hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
 {
-    int i;
+    size_t i;
 
     for(i = 0; i < ent->keys.len; i++){
 	krb5_error_code ret;
@@ -526,7 +526,7 @@ hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
 krb5_error_code
 hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
 {
-    int i;
+    size_t i;
     for(i = 0; i < ent->keys.len; i++){
 	krb5_error_code ret;
 

lib/hdb/print.c

@@ -78,7 +78,8 @@ append_string(krb5_context context, krb5_storage *sp, const char *fmt, ...)
 static krb5_error_code
 append_hex(krb5_context context, krb5_storage *sp, krb5_data *data)
 {
-    int i, printable = 1;
+    int printable = 1;
+    size_t i;
     char *p;
 
     p = data->data;
@@ -126,7 +127,7 @@ static krb5_error_code
 entry2string_int (krb5_context context, krb5_storage *sp, hdb_entry *ent)
 {
     char *p;
-    int i;
+    size_t i;
     krb5_error_code ret;
 
     /* --- principal */

lib/hx509/ca.c

@@ -266,7 +266,7 @@ hx509_ca_tbs_set_template(hx509_context context,
     }
     if (flags & HX509_CA_TEMPLATE_EKU) {
 	ExtKeyUsage eku;
-	int i;
+	size_t i;
 	ret = _hx509_cert_get_eku(context, cert, &eku);
 	if (ret)
 	    return ret;
@@ -689,7 +689,7 @@ add_utf8_san(hx509_context context,
 	     const heim_oid *oid,
 	     const char *string)
 {
-    const PKIXXmppAddr ustring = (const PKIXXmppAddr)string;
+    const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string;
     heim_octet_string os;
     size_t size;
     int ret;

lib/hx509/cms.c

@@ -362,7 +362,8 @@ hx509_cms_unenvelope(hx509_context context,
     heim_octet_string *params, params_data;
     heim_octet_string ivec;
     size_t size;
-    int ret, i, matched = 0, findflags = 0;
+    int ret, matched = 0, findflags = 0;
+    size_t i;
 
 
     memset(&key, 0, sizeof(key));
@@ -718,7 +719,8 @@ out:
 static int
 any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
 {
-    int ret, i;
+    int ret;
+    size_t i;
 
     if (sd->certificates == NULL)
 	return 0;
@@ -744,7 +746,7 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
 static const Attribute *
 find_attribute(const CMSAttributes *attr, const heim_oid *oid)
 {
-    int i;
+    size_t i;
     for (i = 0; i < attr->len; i++)
 	if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0)
 	    return &attr->val[i];
@@ -790,7 +792,8 @@ hx509_cms_verify_signed(hx509_context context,
     hx509_certs certs = NULL;
     SignedData sd;
     size_t size;
-    int ret, i, found_valid_sig;
+    int ret, found_valid_sig;
+    size_t i;
 
     *signer_certs = NULL;
     content->data = NULL;

lib/hx509/collector.c

@@ -253,7 +253,8 @@ _hx509_collector_collect_certs(hx509_context context,
 			       hx509_certs *ret_certs)
 {
     hx509_certs certs;
-    int ret, i;
+    int ret;
+    size_t i;
 
     *ret_certs = NULL;
 
@@ -286,7 +287,7 @@ _hx509_collector_collect_private_keys(hx509_context context,
 				      struct hx509_collector *c,
 				      hx509_private_key **keys)
 {
-    int i, nkeys;
+    size_t i, nkeys;
 
     *keys = NULL;
 
@@ -315,7 +316,7 @@ _hx509_collector_collect_private_keys(hx509_context context,
 void
 _hx509_collector_free(struct hx509_collector *c)
 {
-    int i;
+    size_t i;
 
     if (c->unenvelop_certs)
 	hx509_certs_free(&c->unenvelop_certs);

lib/hx509/crypto.c

@@ -589,7 +589,7 @@ rsa_verify_signature(hx509_context context,
 	}
 	
 	/* Check for extra data inside the sigature */
-	if (size != retsize) {
+	if (size != (size_t)retsize) {
 	    ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
 	    hx509_set_error_string(context, 0, ret, "size from decryption mismatch");
 	    goto out;
@@ -620,7 +620,7 @@ rsa_verify_signature(hx509_context context,
 				      data,
 				      &di.digest);
     } else {
-	if (retsize != data->length ||
+	if ((size_t)retsize != data->length ||
 	    ct_memcmp(to, data->data, retsize) != 0)
 	{
 	    ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
@@ -739,7 +739,7 @@ rsa_create_signature(hx509_context context,
 			       "RSA private encrypt failed: %d", ret);
 	return ret;
     }
-    if (ret > sig->length)
+    if ((size_t)ret > sig->length)
 	_hx509_abort("RSA signature prelen longer the output len");
 
     sig->length = ret;
@@ -1256,7 +1256,8 @@ static const struct signature_alg heim_rsa_pkcs1_x509 = {
     0,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg pkcs1_rsa_sha1_alg = {
@@ -1269,7 +1270,8 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = {
     0,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg rsa_with_sha512_alg = {
@@ -1282,7 +1284,8 @@ static const struct signature_alg rsa_with_sha512_alg = {
     0,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg rsa_with_sha384_alg = {
@@ -1295,7 +1298,8 @@ static const struct signature_alg rsa_with_sha384_alg = {
     0,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg rsa_with_sha256_alg = {
@@ -1308,7 +1312,8 @@ static const struct signature_alg rsa_with_sha256_alg = {
     0,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg rsa_with_sha1_alg = {
@@ -1321,7 +1326,8 @@ static const struct signature_alg rsa_with_sha1_alg = {
     0,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg rsa_with_sha1_alg_secsig = {
@@ -1334,7 +1340,8 @@ static const struct signature_alg rsa_with_sha1_alg_secsig = {
     0,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg rsa_with_md5_alg = {
@@ -1347,7 +1354,8 @@ static const struct signature_alg rsa_with_md5_alg = {
     1230739889,
     NULL,
     rsa_verify_signature,
-    rsa_create_signature
+    rsa_create_signature,
+    0
 };
 
 static const struct signature_alg dsa_sha1_alg = {
@@ -1361,6 +1369,7 @@ static const struct signature_alg dsa_sha1_alg = {
     NULL,
     dsa_verify_signature,
     /* create_signature */ NULL,
+    0
 };
 
 static const struct signature_alg sha512_alg = {
@@ -1373,7 +1382,8 @@ static const struct signature_alg sha512_alg = {
     0,
     EVP_sha512,
     evp_md_verify_signature,
-    evp_md_create_signature
+    evp_md_create_signature,
+    0
 };
 
 static const struct signature_alg sha384_alg = {
@@ -1386,7 +1396,8 @@ static const struct signature_alg sha384_alg = {
     0,
     EVP_sha384,
     evp_md_verify_signature,
-    evp_md_create_signature
+    evp_md_create_signature,
+    0
 };
 
 static const struct signature_alg sha256_alg = {
@@ -1399,7 +1410,8 @@ static const struct signature_alg sha256_alg = {
     0,
     EVP_sha256,
     evp_md_verify_signature,
-    evp_md_create_signature
+    evp_md_create_signature,
+    0
 };
 
 static const struct signature_alg sha1_alg = {
@@ -1412,7 +1424,8 @@ static const struct signature_alg sha1_alg = {
     0,
     EVP_sha1,
     evp_md_verify_signature,
-    evp_md_create_signature
+    evp_md_create_signature,
+    0
 };
 
 static const struct signature_alg md5_alg = {
@@ -1425,7 +1438,8 @@ static const struct signature_alg md5_alg = {
     0,
     EVP_md5,
     evp_md_verify_signature,
-    NULL
+    NULL,
+    0
 };
 
 /*
@@ -1748,7 +1762,7 @@ hx509_private_key_private_decrypt(hx509_context context,
 			       "Failed to decrypt using private key: %d", ret);
 	return HX509_CRYPTO_RSA_PRIVATE_DECRYPT;
     }
-    if (cleartext->length < ret)
+    if (cleartext->length < (size_t)ret)
 	_hx509_abort("internal rsa decryption failure: ret > tosize");
 
     cleartext->length = ret;
@@ -2339,7 +2353,7 @@ static const struct hx509cipher ciphers[] = {
 static const struct hx509cipher *
 find_cipher_by_oid(const heim_oid *oid)
 {
-    int i;
+    size_t i;
 
     for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
 	if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0)
@@ -2351,7 +2365,7 @@ find_cipher_by_oid(const heim_oid *oid)
 static const struct hx509cipher *
 find_cipher_by_name(const char *name)
 {
-    int i;
+    size_t i;
 
     for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
 	if (strcasecmp(name, ciphers[i].name) == 0)
@@ -2461,7 +2475,7 @@ hx509_crypto_set_padding(hx509_crypto crypto, int padding_type)
 int
 hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
 {
-    if (EVP_CIPHER_key_length(crypto->c) > length)
+    if (EVP_CIPHER_key_length(crypto->c) > (int)length)
 	return HX509_CRYPTO_INTERNAL_ERROR;
 
     if (crypto->key.data) {
@@ -2558,7 +2572,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
 	(crypto->flags & ALLOW_WEAK) == 0)
 	return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
 
-    assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length);
+    assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length);
 
     EVP_CIPHER_CTX_init(&evp);
 
@@ -2598,7 +2612,7 @@ hx509_crypto_encrypt(hx509_crypto crypto,
 	
     memcpy((*ciphertext)->data, data, length);
     if (padsize) {
-	int i;
+	size_t i;
 	unsigned char *p = (*ciphertext)->data;
 	p += length;
 	for (i = 0; i < padsize; i++)
@@ -2647,7 +2661,7 @@ hx509_crypto_decrypt(hx509_crypto crypto,
 	(crypto->flags & ALLOW_WEAK) == 0)
 	return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
 
-    if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length)
+    if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length)
 	return HX509_CRYPTO_INTERNAL_ERROR;
 
     if (crypto->key.data == NULL)
@@ -2683,7 +2697,7 @@ hx509_crypto_decrypt(hx509_crypto crypto,
 	unsigned char *p;
 	int j, bsize = EVP_CIPHER_block_size(crypto->c);
 
-	if (clear->length < bsize) {
+	if ((int)clear->length < bsize) {
 	    ret = HX509_CMS_PADDING_ERROR;
 	    goto out;
 	}
@@ -2854,7 +2868,8 @@ _hx509_pbe_decrypt(hx509_context context,
     const EVP_CIPHER *c;
     const EVP_MD *md;
     PBE_string2key_func s2k;
-    int i, ret = 0;
+    int ret = 0;
+    size_t i;
 
     memset(&key, 0, sizeof(key));
     memset(&iv, 0, sizeof(iv));

lib/hx509/hxtool.c

@@ -45,9 +45,9 @@ static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
-    { "statistic-file", 0, arg_string, &stat_file_string },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "statistic-file", 0, arg_string, &stat_file_string, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
@@ -80,15 +80,15 @@ lock_strings(hx509_lock lock, getarg_strings *pass)
  */
 
 static void
-certs_strings(hx509_context context, const char *type, hx509_certs certs,
+certs_strings(hx509_context contextp, const char *type, hx509_certs certs,
 	      hx509_lock lock, const getarg_strings *s)
 {
     int i, ret;
 
     for (i = 0; i < s->num_strings; i++) {
-	ret = hx509_certs_append(context, certs, lock, s->strings[i]);
+	ret = hx509_certs_append(contextp, certs, lock, s->strings[i]);
 	if (ret)
-	    hx509_err(context, 1, ret,
+	    hx509_err(contextp, 1, ret,
 		      "hx509_certs_append: %s %s", type, s->strings[i]);
     }
 }
@@ -114,16 +114,16 @@ parse_oid(const char *str, const heim_oid *def, heim_oid *oid)
  */
 
 static void
-peer_strings(hx509_context context,
+peer_strings(hx509_context contextp,
 	     hx509_peer_info *peer,
 	     const getarg_strings *s)
 {
     AlgorithmIdentifier *val;
     int ret, i;
 
-    ret = hx509_peer_info_alloc(context, peer);
+    ret = hx509_peer_info_alloc(contextp, peer);
     if (ret)
-	hx509_err(context, 1, ret, "hx509_peer_info_alloc");
+	hx509_err(contextp, 1, ret, "hx509_peer_info_alloc");
 
     val = calloc(s->num_strings, sizeof(*val));
     if (val == NULL)
@@ -132,9 +132,9 @@ peer_strings(hx509_context context,
     for (i = 0; i < s->num_strings; i++)
 	parse_oid(s->strings[i], NULL, &val[i].algorithm);
 	
-    ret = hx509_peer_info_set_cms_algs(context, *peer, val, s->num_strings);
+    ret = hx509_peer_info_set_cms_algs(contextp, *peer, val, s->num_strings);
     if (ret)
-	hx509_err(context, 1, ret, "hx509_peer_info_set_cms_algs");
+	hx509_err(contextp, 1, ret, "hx509_peer_info_set_cms_algs");
 
     for (i = 0; i < s->num_strings; i++)
 	free_AlgorithmIdentifier(&val[i]);
@@ -151,7 +151,7 @@ struct pem_data {
 };
 
 static int
-pem_reader(hx509_context context, const char *type,
+pem_reader(hx509_context contextp, const char *type,
 	   const hx509_pem_header *headers,
 	   const void *data , size_t length, void *ctx)
 {
@@ -211,22 +211,22 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
     certs_strings(context, "store", store, lock, &opt->certificate_strings);
 
     if (opt->pem_flag) {
-	struct pem_data p;
+	struct pem_data pd;
 	FILE *f;
 
-	p.os = &co;
-	p.detached_data = 0;
+	pd.os = &co;
+	pd.detached_data = 0;
 	
 	f = fopen(argv[0], "r");
 	if (f == NULL)
 	    err(1, "Failed to open file %s", argv[0]);
 
-	ret = hx509_pem_read(context, f, pem_reader, &p);
+	ret = hx509_pem_read(context, f, pem_reader, &pd);
 	fclose(f);
 	if (ret)
 	    errx(1, "PEM reader failed: %d", ret);
 
-	if (p.detached_data && opt->signed_content_string == NULL) {
+	if (pd.detached_data && opt->signed_content_string == NULL) {
 	    char *r = strrchr(argv[0], '.');
 	    if (r && strcasecmp(r, ".pem") == 0) {
 		char *s = strdup(argv[0]);
@@ -331,7 +331,7 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv)
 }
 
 static int
-print_signer(hx509_context context, void *ctx, hx509_cert cert)
+print_signer(hx509_context contextp, void *ctx, hx509_cert cert)
 {
     hx509_pem_header **header = ctx;
     char *signer_name = NULL;
@@ -801,10 +801,10 @@ certificate_copy(struct certificate_copy_options *opt, int argc, char **argv)
 	hx509_err(context, 1, ret, "hx509_certs_init");
 
     while(argc-- > 1) {
-	int ret;
-	ret = hx509_certs_append(context, certs, inlock, argv[0]);
-	if (ret)
-	    hx509_err(context, 1, ret, "hx509_certs_append");
+	int retx;
+	retx = hx509_certs_append(context, certs, inlock, argv[0]);
+	if (retx)
+	    hx509_err(context, 1, retx, "hx509_certs_append");
 	argv++;
     }
 
@@ -1534,7 +1534,7 @@ hxtool_hex(struct hex_options *opt, int argc, char **argv)
 	    len = hex_decode(p, buf2, strlen(p));
 	    if (len < 0)
 		errx(1, "hex_decode failed");
-	    if (fwrite(buf2, 1, len, stdout) != len)
+	    if (fwrite(buf2, 1, len, stdout) != (size_t)len)
 		errx(1, "fwrite failed");
 	}
     } else {
@@ -1558,38 +1558,38 @@ struct cert_type_opt {
 
 
 static int
-https_server(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
-    return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_serverAuth);
+    return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
 }
 
 static int
-https_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
-    return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_clientAuth);
+    return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth);
 }
 
 static int
-peap_server(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+peap_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
-    return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_serverAuth);
+    return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth);
 }
 
 static int
-pkinit_kdc(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+pkinit_kdc(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
     opt->pkinit++;
-    return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkkdcekuoid);
+    return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkkdcekuoid);
 }
 
 static int
-pkinit_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
     int ret;
 
     opt->pkinit++;
 
-    ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkekuoid);
+    ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid);
     if (ret)
 	return ret;
 
@@ -1601,9 +1601,9 @@ pkinit_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt
 }
 
 static int
-email_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt)
+email_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt)
 {
-    return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_emailProtection);
+    return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_emailProtection);
 }
 
 struct {
@@ -1663,12 +1663,13 @@ print_eval_types(FILE *out)
 }
 
 static int
-eval_types(hx509_context context,
+eval_types(hx509_context contextp,
 	   hx509_ca_tbs tbs,
 	   const struct certificate_sign_options *opt)
 {
     struct cert_type_opt ctopt;
-    unsigned i, j;
+    int i;
+    size_t j;
     int ret;
 
     memset(&ctopt, 0, sizeof(ctopt));
@@ -1678,9 +1679,9 @@ eval_types(hx509_context context,
 	
 	for (j = 0; j < sizeof(certtypes)/sizeof(certtypes[0]); j++) {
 	    if (strcasecmp(type, certtypes[j].type) == 0) {
-		ret = (*certtypes[j].eval)(context, tbs, &ctopt);
+		ret = (*certtypes[j].eval)(contextp, tbs, &ctopt);
 		if (ret)
-		    hx509_err(context, 1, ret,
+		    hx509_err(contextp, 1, ret,
 			      "Failed to evaluate cert type %s", type);
 		break;
 	    }
@@ -1697,47 +1698,47 @@ eval_types(hx509_context context,
 	if (!ctopt.pkinit)
 	    errx(1, "pk-init principal given but no pk-init oid");
 
-	ret = hx509_ca_tbs_add_san_pkinit(context, tbs,
+	ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs,
 					  opt->pk_init_principal_string);
 	if (ret)
-	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_pkinit");
+	    hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit");
     }
 
     if (opt->ms_upn_string) {
 	if (!ctopt.pkinit)
 	    errx(1, "MS upn given but no pk-init oid");
 
-	ret = hx509_ca_tbs_add_san_ms_upn(context, tbs, opt->ms_upn_string);
+	ret = hx509_ca_tbs_add_san_ms_upn(contextp, tbs, opt->ms_upn_string);
 	if (ret)
-	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_ms_upn");
+	    hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_ms_upn");
     }
 
 
     for (i = 0; i < opt->hostname_strings.num_strings; i++) {
 	const char *hostname = opt->hostname_strings.strings[i];
 
-	ret = hx509_ca_tbs_add_san_hostname(context, tbs, hostname);
+	ret = hx509_ca_tbs_add_san_hostname(contextp, tbs, hostname);
 	if (ret)
-	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname");
+	    hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
     }
 
     for (i = 0; i < opt->email_strings.num_strings; i++) {
 	const char *email = opt->email_strings.strings[i];
 
-	ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email);
+	ret = hx509_ca_tbs_add_san_rfc822name(contextp, tbs, email);
 	if (ret)
-	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname");
+	    hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname");
 	
-	ret = hx509_ca_tbs_add_eku(context, tbs,
+	ret = hx509_ca_tbs_add_eku(contextp, tbs,
 				   &asn1_oid_id_pkix_kp_emailProtection);
 	if (ret)
-	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku");
+	    hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_eku");
     }
 
     if (opt->jid_string) {
-	ret = hx509_ca_tbs_add_san_jid(context, tbs, opt->jid_string);
+	ret = hx509_ca_tbs_add_san_jid(contextp, tbs, opt->jid_string);
 	if (ret)
-	    hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_jid");
+	    hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_jid");
     }
 
     return 0;

lib/hx509/ks_dir.c

@@ -202,16 +202,12 @@ dir_iter_end(hx509_context context,
 
 
 static struct hx509_keyset_ops keyset_dir = {
-    "DIR",
-    0,
-    dir_init,
-    NULL,
-    dir_free,
-    NULL,
-    NULL,
-    dir_iter_start,
-    dir_iter,
-    dir_iter_end
+    .name = "DIR",
+    .init = dir_init,
+    .free = dir_free,
+    .iter_start = dir_iter_start,
+    .iter = dir_iter,
+    .iter_end = dir_iter_end,
 };
 
 void

lib/hx509/ks_file.c

@@ -177,7 +177,8 @@ parse_pem_private_key(hx509_context context, const char *fn,
 	const EVP_CIPHER *cipher;
 	const struct _hx509_password *pw;
 	hx509_lock lock;
-	int i, decrypted = 0;
+	int decrypted = 0;
+	size_t i;
 
 	lock = _hx509_collector_get_lock(c);
 	if (lock == NULL) {
@@ -329,7 +330,8 @@ pem_func(hx509_context context, const char *type,
 	 const void *data, size_t len, void *ctx)
 {
     struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx;
-    int ret = 0, j;
+    int ret = 0;
+    size_t j;
 
     for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) {
 	const char *q = formats[j].name;
@@ -436,7 +438,7 @@ file_init_common(hx509_context context,
 	else if (ret == HX509_PARSING_KEY_FAILED) {
 	    size_t length;
 	    void *ptr;
-	    int i;
+	    size_t i;
 
 	    ret = rk_undumpdata(p, &ptr, &length);
 	    if (ret) {

lib/hx509/ks_p11.c

@@ -152,7 +152,7 @@ p11_rsa_private_encrypt(int flen,
     }
 
     ret = P11FUNC(p11rsa->p, Sign,
-		  (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+		  (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
     p11_put_session(p11rsa->p, p11rsa->slot, session);
     if (ret != CKR_OK)
 	return -1;
@@ -190,7 +190,7 @@ p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
     }
 
     ret = P11FUNC(p11rsa->p, Decrypt,
-		  (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+		  (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
     p11_put_session(p11rsa->p, p11rsa->slot, session);
     if (ret != CKR_OK)
 	return -1;
@@ -878,7 +878,8 @@ p11_init(hx509_context context,
 
     {
 	CK_SLOT_ID_PTR slot_ids;
-	int i, num_tokens = 0;
+	int num_tokens = 0;
+	size_t i;
 
 	slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
 	if (slot_ids == NULL) {
@@ -933,7 +934,7 @@ p11_init(hx509_context context,
 static void
 p11_release_module(struct p11_module *p)
 {
-    int i;
+    size_t i;
 
     if (p->ref == 0)
 	_hx509_abort("pkcs11 ref to low");
@@ -957,7 +958,7 @@ p11_release_module(struct p11_module *p)
 	    free(p->slot[i].mechs.list);
 
 	    if (p->slot[i].mechs.infos) {
-		int j;
+		size_t j;
 
 		for (j = 0 ; j < p->slot[i].mechs.num ; j++)
 		    free(p->slot[i].mechs.infos[j]);
@@ -981,7 +982,7 @@ static int
 p11_free(hx509_certs certs, void *data)
 {
     struct p11_module *p = data;
-    int i;
+    size_t i;
 
     for (i = 0; i < p->num_slots; i++) {
 	if (p->slot[i].certs)
@@ -1002,7 +1003,8 @@ p11_iter_start(hx509_context context,
 {
     struct p11_module *p = data;
     struct p11_cursor *c;
-    int ret, i;
+    int ret;
+    size_t i;
 
     c = malloc(sizeof(*c));
     if (c == NULL) {
@@ -1103,7 +1105,7 @@ p11_printinfo(hx509_context context,
 	      void *ctx)
 {
     struct p11_module *p = data;
-    int i, j;
+    size_t i, j;
 
     _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
 		     p->num_slots, p->num_slots > 1 ? "s" : "");

lib/hx509/ks_p12.c

@@ -56,7 +56,7 @@ parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *,
 static const PKCS12_Attribute *
 find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
 {
-    int i;
+    size_t i;
     if (attrs == NULL)
 	return NULL;
     for (i = 0; i < attrs->len; i++)
@@ -168,7 +168,7 @@ certBag_parser(hx509_context context,
 	const heim_oid *oids[] = {
 	    &asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName
 	};
-	int i;
+	size_t i;
 
 	for  (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) {
 	    const heim_oid *oid = oids[i];
@@ -190,7 +190,8 @@ parse_safe_content(hx509_context context,
 		   const unsigned char *p, size_t len)
 {
     PKCS12_SafeContents sc;
-    int ret, i;
+    int ret;
+    size_t i;
 
     memset(&sc, 0, sizeof(sc));
 
@@ -310,7 +311,7 @@ parse_pkcs12_type(hx509_context context,
 		  const void *data, size_t length,
 		  const PKCS12_Attributes *attrs)
 {
-    int i;
+    size_t i;
 
     for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
 	if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0)
@@ -327,7 +328,8 @@ p12_init(hx509_context context,
     void *buf;
     PKCS12_PFX pfx;
     PKCS12_AuthenticatedSafe as;
-    int ret, i;
+    int ret;
+    size_t i;
     struct hx509_collector *c;
 
     *data = NULL;

lib/hx509/lock.c

@@ -121,7 +121,7 @@ _hx509_lock_unlock_certs(hx509_lock lock)
 void
 hx509_lock_reset_passwords(hx509_lock lock)
 {
-    int i;
+    size_t i;
     for (i = 0; i < lock->password.len; i++)
 	free(lock->password.val[i]);
     free(lock->password.val);

lib/hx509/name.c

@@ -66,17 +66,17 @@ static const struct {
     const heim_oid *o;
     wind_profile_flags flags;
 } no[] = {
-    { "C", &asn1_oid_id_at_countryName },
-    { "CN", &asn1_oid_id_at_commonName },
-    { "DC", &asn1_oid_id_domainComponent },
-    { "L", &asn1_oid_id_at_localityName },
-    { "O", &asn1_oid_id_at_organizationName },
-    { "OU", &asn1_oid_id_at_organizationalUnitName },
-    { "S", &asn1_oid_id_at_stateOrProvinceName },
-    { "STREET", &asn1_oid_id_at_streetAddress },
-    { "UID", &asn1_oid_id_Userid },
-    { "emailAddress", &asn1_oid_id_pkcs9_emailAddress },
-    { "serialNumber", &asn1_oid_id_at_serialNumber }
+    { "C", &asn1_oid_id_at_countryName, 0 },
+    { "CN", &asn1_oid_id_at_commonName, 0 },
+    { "DC", &asn1_oid_id_domainComponent, 0 },
+    { "L", &asn1_oid_id_at_localityName, 0 },
+    { "O", &asn1_oid_id_at_organizationName, 0 },
+    { "OU", &asn1_oid_id_at_organizationalUnitName, 0 },
+    { "S", &asn1_oid_id_at_stateOrProvinceName, 0 },
+    { "STREET", &asn1_oid_id_at_streetAddress, 0 },
+    { "UID", &asn1_oid_id_Userid, 0 },
+    { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 },
+    { "serialNumber", &asn1_oid_id_at_serialNumber, 0 }
 };
 
 static char *
@@ -159,7 +159,8 @@ oidtostring(const heim_oid *type)
 static int
 stringtooid(const char *name, size_t len, heim_oid *oid)
 {
-    int i, ret;
+    int ret;
+    size_t i;
     char *s;
 
     memset(oid, 0, sizeof(*oid));
@@ -200,14 +201,16 @@ int
 _hx509_Name_to_string(const Name *n, char **str)
 {
     size_t total_len = 0;
-    int i, j, ret;
+    size_t i, j, m;
+    int ret;
 
     *str = strdup("");
     if (*str == NULL)
 	return ENOMEM;
 
-    for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
+    for (m = n->u.rdnSequence.len; m > 0; m--) {
 	size_t len;
+	i = m - 1;
 
 	for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
 	    DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
@@ -438,7 +441,8 @@ _hx509_name_ds_cmp(const DirectoryString *ds1,
 int
 _hx509_name_cmp(const Name *n1, const Name *n2, int *c)
 {
-    int ret, i, j;
+    int ret;
+    size_t i, j;
 
     *c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
     if (*c)
@@ -610,7 +614,7 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name)
 	    goto out;
 	}
 	
-	if ((q - p) > len) {
+	if ((size_t)(q - p) > len) {
 	    ret = HX509_PARSING_NAME_FAILED;
 	    hx509_set_error_string(context, 0, ret, " = after , in %s", p);
 	    goto out;
@@ -727,7 +731,7 @@ hx509_name_expand(hx509_context context,
 		  hx509_env env)
 {
     Name *n = &name->der_name;
-    int i, j;
+    size_t i, j;
 
     if (env == NULL)
 	return 0;

lib/hx509/print.c

@@ -163,7 +163,7 @@ void
 hx509_bitstring_print(const heim_bit_string *b,
 		      hx509_vprint_func func, void *ctx)
 {
-    int i;
+    size_t i;
     print_func(func, ctx, "\tlength: %d\n\t", b->length);
     for (i = 0; i < (b->length + 7) / 8; i++)
 	print_func(func, ctx, "%02x%s%s",
@@ -481,7 +481,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
 {
     CRLDistributionPoints dp;
     size_t size;
-    int ret, i;
+    int ret;
+    size_t i;
 
     check_Null(ctx, status, cf, e);
 
@@ -499,7 +500,7 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,
 	if (dp.val[i].distributionPoint) {
 	    DistributionPointName dpname;
 	    heim_any *data = dp.val[i].distributionPoint;
-	    int j;
+	    size_t j;
 	
 	    ret = decode_DistributionPointName(data->data, data->length,
 					       &dpname, NULL);
@@ -565,7 +566,8 @@ check_altName(hx509_validate_ctx ctx,
 {
     GeneralNames gn;
     size_t size;
-    int ret, i;
+    int ret;
+    size_t i;
 
     check_Null(ctx, status, cf, e);
 
@@ -717,7 +719,8 @@ check_authorityInfoAccess(hx509_validate_ctx ctx,
 {
     AuthorityInfoAccessSyntax aia;
     size_t size;
-    int ret, i;
+    int ret;
+    size_t i;
 
     check_Null(ctx, status, cf, e);
 
@@ -773,7 +776,7 @@ struct {
     { ext(certificateIssuer, Null), M_C },
     { ext(nameConstraints, Null), M_C },
     { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
-    { ext(certificatePolicies, Null) },
+    { ext(certificatePolicies, Null), 0 },
     { ext(policyMappings, Null), M_N_C },
     { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
     { ext(policyConstraints, Null), D_C },
@@ -789,7 +792,7 @@ struct {
       check_Null, D_C },
     { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
       check_Null, D_C },
-    { NULL }
+    { NULL, NULL, NULL, 0 }
 };
 
 /**
@@ -936,7 +939,7 @@ hx509_validate_cert(hx509_context context,
     free(str);
 
     if (t->extensions) {
-	int i, j;
+	size_t i, j;
 
 	if (t->extensions->len == 0) {
 	    validate_print(ctx,

lib/hx509/revoke.c

@@ -349,7 +349,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp)
     }
 
     if (basic.certs) {
-	int i;
+	size_t i;
 
 	ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0,
 			       NULL, &certs);
@@ -760,8 +760,7 @@ hx509_revoke_verify(hx509_context context,
 	    if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) {
 		if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now)
 		    continue;
-	    } else
-		/* Should force a refetch, but can we ? */;
+	    } /* else should force a refetch, but can we ? */
 
 	    return 0;
 	}
@@ -1055,8 +1054,13 @@ static char *
 printable_time(time_t t)
 {
     static char s[128];
-    strlcpy(s, ctime(&t)+ 4, sizeof(s));
-    s[20] = 0;
+    char *p;
+    if ((p = ctime(&t)) == NULL)
+       strlcpy(s, "?", sizeof(s));
+    else {
+       strlcpy(s, p + 4, sizeof(s));
+       s[20] = 0;
+    }
     return s;
 }
 
@@ -1076,7 +1080,8 @@ int
 hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
 {
     struct revoke_ocsp ocsp;
-    int ret, i;
+    int ret;
+    size_t i;
 
     if (out == NULL)
 	out = stdout;
@@ -1141,7 +1146,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
 	    status = "element unknown";
 	}
 
-	fprintf(out, "\t%d. status: %s\n", i, status);
+	fprintf(out, "\t%zu. status: %s\n", i, status);
 
 	fprintf(out, "\tthisUpdate: %s\n",
 		printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
@@ -1188,7 +1193,8 @@ hx509_ocsp_verify(hx509_context context,
 {
     const Certificate *c = _hx509_get_cert(cert);
     OCSPBasicOCSPResponse basic;
-    int ret, i;
+    int ret;
+    size_t i;
 
     if (now == 0)
 	now = time(NULL);

lib/hx509/sel.c

@@ -223,7 +223,7 @@ _hx509_expr_parse(const char *buf)
 }
 
 void
-_hx509_sel_yyerror (char *s)
+_hx509_sel_yyerror (const char *s)
 {
      if (_hx509_expr_input.error)
          free(_hx509_expr_input.error);

lib/hx509/sel.h

@@ -78,5 +78,5 @@ extern struct hx_expr_input _hx509_expr_input;
 
 int  _hx509_sel_yyparse(void);
 int  _hx509_sel_yylex(void);
-void _hx509_sel_yyerror(char *);
+void _hx509_sel_yyerror(const char *);
 

lib/hx509/softp11.c

@@ -140,9 +140,9 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
     va_start(ap, fmt);
     len = vsnprintf(str, size, fmt, ap);
     va_end(ap);
-    if (len < 0 || len > size)
+    if (len < 0 || (size_t)len > size)
 	return;
-    while(len < size)
+    while ((size_t)len < size)
 	str[len++] = fillchar;
 }
 
@@ -152,9 +152,9 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...)
 
 #define VERIFY_SESSION_HANDLE(s, state)			\
 {							\
-    CK_RV ret;						\
-    ret = verify_session_handle(s, state);		\
-    if (ret != CKR_OK) {				\
+    CK_RV xret;						\
+    xret = verify_session_handle(s, state);		\
+    if (xret != CKR_OK) {				\
 	/* return CKR_OK */;				\
     }							\
 }
@@ -163,7 +163,7 @@ static CK_RV
 verify_session_handle(CK_SESSION_HANDLE hSession,
 		      struct session_state **state)
 {
-    int i;
+    size_t i;
 
     for (i = 0; i < MAX_NUM_SESSION; i++){
 	if (soft_token.state[i].session_handle == hSession)
@@ -421,6 +421,7 @@ struct foo {
 static int
 add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
 {
+    static char empty[] = "";
     struct foo *foo = (struct foo *)ctx;
     struct st_object *o = NULL;
     CK_OBJECT_CLASS type;
@@ -520,8 +521,8 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
 
     add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
     add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
-    add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
-    add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
+    add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */
+    add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */
     add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
     add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
     mech_type = CKM_RSA_X_509;
@@ -557,8 +558,8 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert)
 
 	add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type));
 	add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id));
-	add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */
-	add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */
+	add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */
+	add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */
 	add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false));
 	add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false));
 	mech_type = CKM_RSA_X_509;
@@ -859,7 +860,7 @@ C_Initialize(CK_VOID_PTR a)
 {
     CK_C_INITIALIZE_ARGS_PTR args = a;
     CK_RV ret;
-    int i;
+    size_t i;
 
     st_logf("Initialize\n");
 
@@ -916,7 +917,7 @@ C_Initialize(CK_VOID_PTR a)
 CK_RV
 C_Finalize(CK_VOID_PTR args)
 {
-    int i;
+    size_t i;
 
     INIT_CONTEXT();
 
@@ -1112,7 +1113,7 @@ C_OpenSession(CK_SLOT_ID slotID,
 	      CK_NOTIFY Notify,
 	      CK_SESSION_HANDLE_PTR phSession)
 {
-    int i;
+    size_t i;
     INIT_CONTEXT();
     st_logf("OpenSession: slot: %d\n", (int)slotID);
 
@@ -1155,7 +1156,7 @@ C_CloseSession(CK_SESSION_HANDLE hSession)
 CK_RV
 C_CloseAllSessions(CK_SLOT_ID slotID)
 {
-    int i;
+    size_t i;
     INIT_CONTEXT();
 
     st_logf("CloseAllSessions\n");
@@ -1429,7 +1430,7 @@ commonInit(CK_ATTRIBUTE *attr_match, int attr_match_len,
 
 
 static CK_RV
-dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism)
+dup_mechanism(CK_MECHANISM_PTR *dp, const CK_MECHANISM_PTR pMechanism)
 {
     CK_MECHANISM_PTR p;
 
@@ -1437,9 +1438,9 @@ dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism)
     if (p == NULL)
 	return CKR_DEVICE_MEMORY;
 
-    if (*dup)
-	free(*dup);
-    *dup = p;
+    if (*dp)
+	free(*dp);
+    *dp = p;
     memcpy(p, pMechanism, sizeof(*p));
 
     return CKR_OK;

lib/hx509/test_nist.in

@@ -96,7 +96,7 @@ while read id verify cert arg1 arg2 arg3 arg4 arg5 ; do
     args="$args crl:FILE:$nistdir/crls/TrustAnchorRootCRL.crl"
     args="$args cert:FILE:$nistdir/certs/$cert"
 
-    if ${hxtool} verify $args > /dev/null; then
+    if ${hxtool} verify --time=2008-05-20 $args > /dev/null; then
 	if test "$verify" = "f"; then
 	    echo "verify passed on fail: $id $cert"
 	    exit 1

lib/hx509/test_nist2.in

@@ -102,7 +102,7 @@ while read result cert other ; do
 	args="$args crl:FILE:$a"
     done
 
-    cmd="${hxtool} verify $args"
+    cmd="${hxtool} verify --time=2008-05-20 $args"
     eval ${cmd} > /dev/null
     res=$?
 

lib/ipc/client.c

@@ -393,7 +393,7 @@ unix_socket_ipc(void *ctx,
 
     if (net_write(s->fd, &len, sizeof(len)) != sizeof(len))
 	return -1;
-    if (net_write(s->fd, req->data, req->length) != req->length)
+    if (net_write(s->fd, req->data, req->length) != (ssize_t)req->length)
 	return -1;
 
     if (net_read(s->fd, &len, sizeof(len)) != sizeof(len))
@@ -407,7 +407,7 @@ unix_socket_ipc(void *ctx,
 	rep->data = malloc(rep->length);
 	if (rep->data == NULL)
 	    return -1;
-	if (net_read(s->fd, rep->data, rep->length) != rep->length)
+	if (net_read(s->fd, rep->data, rep->length) != (ssize_t)rep->length)
 	    return -1;
     } else
 	rep->data = NULL;
@@ -489,9 +489,9 @@ struct hipc_ops ipcs[] = {
     { "MACH", mach_init, mach_release, mach_ipc, mach_async },
 #endif
 #ifdef HAVE_DOOR
-    { "DOOR", door_init, common_release, door_ipc }
+    { "DOOR", door_init, common_release, door_ipc, NULL }
 #endif
-    { "UNIX", unix_socket_init, common_release, unix_socket_ipc }
+    { "UNIX", unix_socket_init, common_release, unix_socket_ipc, NULL }
 };
 
 struct heim_ipc {
@@ -546,29 +546,29 @@ heim_ipc_free_context(heim_ipc ctx)
 }
 
 int
-heim_ipc_call(heim_ipc ctx, const heim_idata *send, heim_idata *recv,
+heim_ipc_call(heim_ipc ctx, const heim_idata *snd, heim_idata *rcv,
 	      heim_icred *cred)
 {
     if (cred)
 	*cred = NULL;
-    return (ctx->ops->ipc)(ctx->ctx, send, recv, cred);
+    return (ctx->ops->ipc)(ctx->ctx, snd, rcv, cred);
 }
 
 int
-heim_ipc_async(heim_ipc ctx, const heim_idata *send, void *userctx,
+heim_ipc_async(heim_ipc ctx, const heim_idata *snd, void *userctx,
 	       void (*func)(void *, int, heim_idata *, heim_icred))
 {
     if (ctx->ops->async == NULL) {
-	heim_idata recv;
+	heim_idata rcv;
 	heim_icred cred = NULL;
 	int ret;
 
-	ret = (ctx->ops->ipc)(ctx->ctx, send, &recv, &cred);
-	(*func)(userctx, ret, &recv, cred);
+	ret = (ctx->ops->ipc)(ctx->ctx, snd, &rcv, &cred);
+	(*func)(userctx, ret, &rcv, cred);
 	heim_ipc_free_cred(cred);
-	free(recv.data);
+	free(rcv.data);
 	return ret;
     } else {
-	return (ctx->ops->async)(ctx->ctx, send, userctx, func);
+	return (ctx->ops->async)(ctx->ctx, snd, userctx, func);
     }
 }

lib/ipc/server.c

@@ -557,7 +557,7 @@ update_client_creds(struct client *c)
 #endif
 #if defined(SOCKCREDSIZE) && defined(SCM_CREDS)
     /* NetBSD */
-    if (c->unixrights.uid == -1) {
+    if (c->unixrights.uid == (uid_t)-1) {
 	struct msghdr msg;
 	socklen_t crmsgsize;
 	void *crmsg;
@@ -959,7 +959,7 @@ handle_write(struct client *c)
     if (len <= 0) {
 	c->flags |= WAITING_CLOSE;
 	c->flags &= ~(WAITING_WRITE);
-    } else if (c->olen != len) {
+    } else if (c->olen != (size_t)len) {
 	memmove(&c->outmsg[0], &c->outmsg[len], c->olen - len);
 	c->olen -= len;
     } else {

lib/kadm5/acl.c

@@ -44,7 +44,7 @@ static struct units acl_units[] = {
     { "modify",		KADM5_PRIV_MODIFY },
     { "add",		KADM5_PRIV_ADD },
     { "get", 		KADM5_PRIV_GET },
-    { NULL }
+    { NULL,		0 }
 };
 
 kadm5_ret_t

lib/kadm5/get_s.c

@@ -142,7 +142,7 @@ kadm5_s_get_principal(void *server_handle,
     if(mask & KADM5_KVNO)
 	out->kvno = ent.entry.kvno;
     if(mask & KADM5_MKVNO) {
-	int n;
+	size_t n;
 	out->mkvno = 0; /* XXX */
 	for(n = 0; n < ent.entry.keys.len; n++)
 	    if(ent.entry.keys.val[n].mkvno) {
@@ -169,7 +169,7 @@ kadm5_s_get_principal(void *server_handle,
 	    out->max_renewable_life = INT_MAX;
     }
     if(mask & KADM5_KEY_DATA){
-	int i;
+	size_t i;
 	Key *key;
 	krb5_key_data *kd;
 	krb5_salt salt;

lib/kadm5/iprop-log.8

@@ -83,28 +83,17 @@ maintain the iprop log file
 .Sh DESCRIPTION
 Supported options:
 .Bl -tag -width Ds
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl h ,
-.Fl -help
-.Xc
+.It Fl -version
+.It Fl h , Fl -help
 .El
 .Pp
 command can be one of the following:
 .Bl -tag -width truncate
 .It truncate
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
+.It Fl r Ar string , Fl -realm= Ns Ar string
 realm
 .El
 .Pp
@@ -113,10 +102,7 @@ last entry of the old log.  If the log is truncted by emptying the
 file, the log will start over at the first version (0).
 .It dump
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
 .It Xo
 .Fl r Ar string ,
@@ -125,26 +111,18 @@ configuration file
 realm
 .El
 .Pp
-Print out all entires in the log to standard output.
+Print out all entries in the log to standard output.
 .It replay
 .Bl -tag -width Ds
-.It Xo
-.Fl -start-version= Ns Ar version-number
-.Xc
+.It Fl -start-version= Ns Ar version-number
 start replay with this version
 .It Xo
 .Fl -end-version= Ns Ar version-number
 .Xc
 end replay with this version
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
+.It Fl r Ar string , Fl -realm= Ns Ar string
 realm
 .El
 .Pp
@@ -152,15 +130,9 @@ Replay the changes from specified entries (or all if none is
 specified) in the transaction log to the database.
 .It last-version
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar file ,
-.Fl -config-file= Ns Ar file
-.Xc
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 configuration file
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
+.It Fl r Ar string , Fl -realm= Ns Ar string
 realm
 .El
 .Pp

lib/kadm5/iprop-log.c

@@ -124,7 +124,7 @@ print_entry(kadm5_server_context *server_context,
 
     strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(&timestamp));
 
-    if(op < kadm_get || op > kadm_nop) {
+    if((int)op < (int)kadm_get || (int)op > (int)kadm_nop) {
 	printf("unknown op: %d\n", op);
 	krb5_storage_seek(sp, end, SEEK_SET);
 	return;
@@ -350,8 +350,8 @@ apply_entry(kadm5_server_context *server_context,
     struct replay_options *opt = ctx;
     krb5_error_code ret;
 
-    if((opt->start_version_integer != -1 && ver < opt->start_version_integer) ||
-       (opt->end_version_integer != -1 && ver > opt->end_version_integer)) {
+    if((opt->start_version_integer != -1 && ver < (uint32_t)opt->start_version_integer) ||
+       (opt->end_version_integer != -1 && ver > (uint32_t)opt->end_version_integer)) {
 	/* XXX skip this entry */
 	krb5_storage_seek(sp, len, SEEK_CUR);
 	return;
@@ -426,8 +426,11 @@ help(void *opt, int argc, char **argv)
 		     argv[0]);
 	} else {
 	    if(c->func) {
-		char *fake[] = { NULL, "--help", NULL };
+		static char shelp[] = "--help";
+		char *fake[3];
 		fake[0] = argv[0];
+		fake[1] = shelp;
+		fake[2] = NULL;
 		(*c->func)(2, fake);
 		fprintf(stderr, "\n");
 	    }

lib/kadm5/iprop.8

@@ -38,51 +38,49 @@
 .Nm iprop ,
 .Nm ipropd-master ,
 .Nm ipropd-slave
-.Nd
-propagate changes to a Heimdal Kerberos master KDC to slave KDCs
+.Nd propagate changes to a Heimdal Kerberos master KDC to slave KDCs
 .Sh SYNOPSIS
 .Nm ipropd-master
 .Oo Fl c Ar string \*(Ba Xo
-.Fl -config-file= Ns Ar string
+.Fl Fl config-file= Ns Ar string
 .Xc
 .Oc
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 .Oc
 .Oo Fl k Ar kspec \*(Ba Xo
-.Fl -keytab= Ns Ar kspec
+.Fl Fl keytab= Ns Ar kspec
 .Xc
 .Oc
 .Oo Fl d Ar file \*(Ba Xo
-.Fl -database= Ns Ar file
+.Fl Fl database= Ns Ar file
 .Xc
 .Oc
-.Op Fl -slave-stats-file= Ns Ar file
-.Op Fl -time-missing= Ns Ar time
-.Op Fl -time-gone= Ns Ar time
-.Op Fl -detach
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl slave-stats-file= Ns Ar file
+.Op Fl Fl time-missing= Ns Ar time
+.Op Fl Fl time-gone= Ns Ar time
+.Op Fl Fl detach
+.Op Fl Fl version
+.Op Fl Fl help
 .Nm ipropd-slave
 .Oo Fl c Ar string \*(Ba Xo
-.Fl -config-file= Ns Ar string
+.Fl Fl config-file= Ns Ar string
 .Xc
 .Oc
 .Oo Fl r Ar string \*(Ba Xo
-.Fl -realm= Ns Ar string
+.Fl Fl realm= Ns Ar string
 .Xc
 .Oc
 .Oo Fl k Ar kspec \*(Ba Xo
-.Fl -keytab= Ns Ar kspec
+.Fl Fl keytab= Ns Ar kspec
 .Xc
 .Oc
-.Op Fl -time-lost= Ns Ar time
-.Op Fl -detach
-.Op Fl -version
-.Op Fl -help
+.Op Fl Fl time-lost= Ns Ar time
+.Op Fl Fl detach
+.Op Fl Fl version
+.Op Fl Fl help
 .Ar master
-.Pp
 .Sh DESCRIPTION
 .Nm ipropd-master
 is used to propagate changes to a Heimdal Kerberos database from the
@@ -96,9 +94,9 @@ file in the KDC's database directory, e.g.\&
 .Pa /var/heimdal/slaves .
 This has principals one per-line of the form
 .Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM
-where 
-.Ar slave 
-is the hostname of the slave server in the given 
+where
+.Ar slave
+is the hostname of the slave server in the given
 .Ar REALM ,
 e.g.\&
 .Dl iprop/kerberos-1.example.com@EXAMPLE.COM
@@ -110,20 +108,23 @@ In contrast to
 .Xr hprop 8 ,
 which sends the whole database to the slaves regularly,
 .Nm
-normally sends only the changes as they happen on the master.  The
-master keeps track of all the changes by assigning a version number to
-every change to the database.  The slaves know which was the latest
-version they saw, and in this way it can be determined if they are in
-sync or not.  A log of all the changes is kept on the master.  When a
-slave is at an older version than the oldest one in the log, the whole
-database has to be sent.
+normally sends only the changes as they happen on the master.
+The master keeps track of all the changes by assigning a version
+number to every change to the database.
+The slaves know which was the latest version they saw, and in this
+way it can be determined if they are in sync or not.
+A log of all the changes is kept on the master.
+When a slave is at an older version than the oldest one in the log,
+the whole database has to be sent.
 .Pp
 The changes are propagated over a secure channel (on port 2121 by
-default).  This should normally be defined as
+default).
+This should normally be defined as
 .Dq iprop/tcp
 in
 .Pa /etc/services
-or another source of the services database.  The master and slaves
+or another source of the services database.
+The master and slaves
 must each have access to a keytab with keys for the
 .Nm iprop
 service principal on the local host.
@@ -136,78 +137,37 @@ file (e.g.\&
 Supported options for
 .Nm ipropd-master :
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar string ,
-.Fl -config-file= Ns Ar string
-.Xc
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
-.It Xo
-.Fl k Ar kspec ,
-.Fl -keytab= Ns Ar kspec
-.Xc
+.It Fl c Ar string , Fl Fl config-file= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
 keytab to get authentication from
-.It Xo
-.Fl d Ar file ,
-.Fl -database= Ns Ar file
-.Xc
+.It Fl d Ar file , Fl Fl database= Ns Ar file
 Database (default per KDC)
-.It Xo
-.Fl -slave-stats-file= Ns Ar file
-.Xc
+.It Fl Fl slave-stats-file= Ns Ar file
 file for slave status information
-.It Xo
-.Fl -time-missing= Ns Ar time
-.Xc
+.It Fl Fl time-missing= Ns Ar time
 time before slave is polled for presence (default 2 min)
-.It Xo
-.Fl -time-gone= Ns Ar time
-.Xc
+.It Fl Fl time-gone= Ns Ar time
 time of inactivity after which a slave is considered gone (default 5 min)
-.It Xo
-.Fl -detach
-.Xc
+.It Fl Fl detach
 detach from console
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl -help
-.Xc
+.It Fl Fl version
+.It Fl Fl help
 .El
 .Pp
 Supported options for
 .Nm ipropd-slave :
 .Bl -tag -width Ds
-.It Xo
-.Fl c Ar string ,
-.Fl -config-file= Ns Ar string
-.Xc
-.It Xo
-.Fl r Ar string ,
-.Fl -realm= Ns Ar string
-.Xc
-.It Xo
-.Fl k Ar kspec ,
-.Fl -keytab= Ns Ar kspec
-.Xc
+.It Fl c Ar string , Fl Fl config-file= Ns Ar string
+.It Fl r Ar string , Fl Fl realm= Ns Ar string
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
 keytab to get authentication from
-.It Xo
-.Fl -time-lost= Ns Ar time
-.Xc
+.It Fl Fl time-lost= Ns Ar time
 time before server is considered lost (default 5 min)
-.It Xo
-.Fl -detach
-.Xc
+.It Fl Fl detach
 detach from console
-.It Xo
-.Fl -version
-.Xc
-.It Xo
-.Fl -help
-.Xc
+.It Fl Fl version
+.It Fl Fl help
 .El
 Time arguments for the relevant options above may be specified in forms
 like 5 min, 300 s, or simply a number of seconds.

lib/kadm5/ipropd_master.c

@@ -141,9 +141,11 @@ check_acl (krb5_context context, const char *name)
     FILE *fp;
     char buf[256];
     int ret = 1;
-    char *slavefile;
+    char *slavefile = NULL;
 
-    asprintf(&slavefile, "%s/slaves", hdb_db_dir(context));
+    if (asprintf(&slavefile, "%s/slaves", hdb_db_dir(context)) == -1
+	|| slavefile == NULL)
+	errx(1, "out of memory");
 
     fn = krb5_config_get_string_default(context,
 					NULL,
@@ -573,7 +575,7 @@ process_msg (krb5_context context, slave *s, int log_fd,
 	}
 	/* new started slave that have old log */
 	if (s->version == 0 && tmp != 0) {
-	    if (current_version < tmp) {
+	    if (current_version < (uint32_t)tmp) {
 		krb5_warnx (context, "Slave %s (version %lu) have later version "
 			    "the master (version %lu) OUT OF SYNC", 
 			    s->name, (unsigned long)tmp,
@@ -581,7 +583,7 @@ process_msg (krb5_context context, slave *s, int log_fd,
 	    }
 	    s->version = tmp;
 	}
-	if (tmp < s->version) {
+	if ((uint32_t)tmp < s->version) {
 	    krb5_warnx (context, "Slave claims to not have "
 			"version we already sent to it");
 	} else {
@@ -718,10 +720,11 @@ write_stats(krb5_context context, slave *slaves, uint32_t current_version)
 }
 
 
+static char sHDB[] = "HDB:";
 static char *realm;
 static int version_flag;
 static int help_flag;
-static char *keytab_str = "HDB:";
+static char *keytab_str = sHDB;
 static char *database;
 static char *config_file;
 static char *port_str;
@@ -730,8 +733,8 @@ static int detach_from_console = 0;
 #endif
 
 static struct getargs args[] = {
-    { "config-file", 'c', arg_string, &config_file },
-    { "realm", 'r', arg_string, &realm },
+    { "config-file", 'c', arg_string, &config_file, NULL, NULL },
+    { "realm", 'r', arg_string, &realm, NULL, NULL },
     { "keytab", 'k', arg_string, &keytab_str,
       "keytab to get authentication from", "kspec" },
     { "database", 'd', arg_string, &database, "database", "file"},
@@ -745,12 +748,12 @@ static struct getargs args[] = {
       "port ipropd will listen to", "port"},
 #ifdef SUPPORT_DETACH
     { "detach", 0, arg_flag, &detach_from_console,
-      "detach from console" },
+      "detach from console", NULL },
 #endif
     { "hostname", 0, arg_string, rk_UNCONST(&master_hostname),
       "hostname of master (if not same as hostname)", "hostname" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
 

lib/kadm5/ipropd_slave.c

@@ -38,7 +38,8 @@ RCSID("$Id$");
 static const char *config_name = "ipropd-slave";
 
 static krb5_log_facility *log_facility;
-static char *server_time_lost = "5 min";
+static char five_min[] = "5 min";
+static char *server_time_lost = five_min;
 static int time_before_lost;
 const char *slave_str = NULL;
 
@@ -198,9 +199,9 @@ receive_loop (krb5_context context,
 	krb5_ret_int32 (sp, &tmp);
 	op = tmp;
 	krb5_ret_int32 (sp, &len);
-	if (vers <= server_context->log_context.version)
+	if ((uint32_t)vers <= server_context->log_context.version)
 	    krb5_storage_seek(sp, len + 8, SEEK_CUR);
-    } while(vers <= server_context->log_context.version);
+    } while((uint32_t)vers <= server_context->log_context.version);
 
     /*
      * Read up rest of the entires into the memory...
@@ -460,8 +461,8 @@ static int detach_from_console = 0;
 #endif
 
 static struct getargs args[] = {
-    { "config-file", 'c', arg_string, &config_file },
-    { "realm", 'r', arg_string, &realm },
+    { "config-file", 'c', arg_string, &config_file, NULL, NULL },
+    { "realm", 'r', arg_string, &realm, NULL, NULL },
     { "keytab", 'k', arg_string, &keytab_str,
       "keytab to get authentication from", "kspec" },
     { "time-lost", 0, arg_string, &server_time_lost,
@@ -470,12 +471,12 @@ static struct getargs args[] = {
       "port ipropd-slave will connect to", "port"},
 #ifdef SUPPORT_DETACH
     { "detach", 0, arg_flag, &detach_from_console,
-      "detach from console" },
+      "detach from console", NULL },
 #endif
     { "hostname", 0, arg_string, rk_UNCONST(&slave_str),
       "hostname of slave (if not same as hostname)", "hostname" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
@@ -528,8 +529,8 @@ main(int argc, char **argv)
     setup_signal();
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	if (asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)) == -1
+	    || config_file == NULL)
 	    errx(1, "out of memory");
     }
 

lib/kadm5/keys.c

@@ -70,7 +70,7 @@ _kadm5_init_keys (Key *keys, int len)
 int
 _kadm5_exists_keys(Key *keys1, int len1, Key *keys2, int len2)
 {
-    unsigned int i, j;
+    int i, j;
 
     for (i = 0; i < len1; ++i) {
 	for (j = 0; j < len2; j++) {

lib/kadm5/log.c

@@ -193,12 +193,12 @@ kadm5_log_flush (kadm5_log_context *log_context,
 {
     krb5_data data;
     size_t len;
-    int ret;
+    ssize_t ret;
 
     krb5_storage_to_data(sp, &data);
     len = data.length;
     ret = write (log_context->log_fd, data.data, len);
-    if (ret != len) {
+    if (ret < 0 || (size_t)ret != len) {
 	krb5_data_free(&data);
 	return errno;
     }
@@ -696,7 +696,7 @@ kadm5_log_replay_modify (kadm5_server_context *context,
     }
     if (mask & KADM5_KEY_DATA) {
 	size_t num;
-	int i;
+	size_t i;
 
 	for (i = 0; i < ent.entry.keys.len; ++i)
 	    free_Key(&ent.entry.keys.val[i]);
@@ -880,7 +880,7 @@ kadm5_log_previous (krb5_context context,
     ret = krb5_ret_int32 (sp, &tmp);
     if (ret)
 	goto end_of_storage;
-    if (tmp != *ver) {
+    if ((uint32_t)tmp != *ver) {
 	krb5_storage_seek(sp, oldoff, SEEK_SET);
 	krb5_set_error_message(context, KADM5_BAD_DB,
 			       "kadm5_log_previous: log entry "
@@ -901,7 +901,7 @@ kadm5_log_previous (krb5_context context,
     ret = krb5_ret_int32 (sp, &tmp);
     if (ret)
 	goto end_of_storage;
-    if (tmp != *len) {
+    if ((uint32_t)tmp != *len) {
 	krb5_storage_seek(sp, oldoff, SEEK_SET);
 	krb5_set_error_message(context, KADM5_BAD_DB,
 			       "kadm5_log_previous: log entry "

lib/kadm5/password_quality.c

@@ -95,8 +95,8 @@ char_class_passwd_quality (krb5_context context,
 	"1234567890",
 	"!@#$%^&*()/?<>,.{[]}\\|'~`\" "
     };
-    int i, counter = 0, req_classes;
-    size_t len;
+    int counter = 0, req_classes;
+    size_t i, len;
     char *pw;
 
     req_classes = krb5_config_get_int_default(context, NULL, 3,
@@ -234,7 +234,7 @@ struct kadm5_pw_policy_check_func builtin_funcs[] = {
     { "minimum-length", min_length_passwd_quality },
     { "character-class", char_class_passwd_quality },
     { "external-check", external_passwd_quality },
-    { NULL }
+    { NULL, NULL }
 };
 struct kadm5_pw_policy_verifier builtin_verifier = {
     "builtin",
@@ -386,10 +386,10 @@ kadm5_add_passwd_quality_verifier(krb5_context context,
 				      "password_quality",
 				      "policy_libraries",
 				      NULL);
-	if(tmp == NULL)
+	if(tmp == NULL || *tmp == NULL)
 	    return 0;
 
-	while(tmp) {
+	while (*tmp) {
 	    ret = add_verifier(context, *tmp);
 	    if (ret)
 		return ret;
@@ -432,7 +432,7 @@ find_func(krb5_context context, const char *name)
 	if (module && strcmp(module, verifiers[i]->name) != 0)
 	    continue;
 	for (f = verifiers[i]->funcs; f->name ; f++)
-	    if (strcmp(name, f->name) == 0) {
+	    if (strcmp(func, f->name) == 0) {
 		if (module)
 		    free(module);
 		return f;

lib/kadm5/rename_s.c

@@ -62,7 +62,7 @@ kadm5_s_rename_principal(void *server_handle,
 	goto out2;
     {
 	/* fix salt */
-	int i;
+	size_t i;
 	Salt salt;
 	krb5_salt salt2;
 	memset(&salt, 0, sizeof(salt));

lib/kadm5/set_keys.c

@@ -201,8 +201,8 @@ _kadm5_set_keys_randomly (kadm5_server_context *context,
 {
    krb5_keyblock *kblock = NULL;
    kadm5_ret_t ret = 0;
-   int i, des_keyblock;
-   size_t num_keys;
+   int des_keyblock;
+   size_t i, num_keys;
    Key *keys;
 
    ret = hdb_generate_key_set(context->context, ent->principal,

lib/kafs/kafs.h

@@ -89,8 +89,8 @@
 
 struct ViceIoctl {
   caddr_t in, out;
-  short in_size;
-  short out_size;
+  unsigned short in_size;
+  unsigned short out_size;
 };
 
 struct ClearToken {

lib/krb5/Makefile.am

@@ -42,7 +42,8 @@ TESTS =						\
 	test_princ				\
 	test_pkinit_dh2key			\
 	test_pknistkdf				\
-	test_time
+	test_time				\
+	test_x500
 
 check_DATA = test_config_strings.out
 
@@ -236,7 +237,7 @@ if versionscript
 libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 endif
 
-$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h
+$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS) $(librfc3961_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h
 
 librfc3961_la_SOURCES =				\
 	crc.c					\
@@ -329,7 +330,7 @@ dist_include_HEADERS = \
 	krb5-private.h \
 	krb5_ccapi.h
 
-nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h 
+nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h
 
 # XXX use nobase_include_HEADERS = krb5/locate_plugin.h
 krb5dir = $(includedir)/krb5
@@ -347,7 +348,7 @@ CLEANFILES = \
 	heim_err.c heim_err.h \
 	k524_err.c k524_err.h
 
-$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h crypto.h
+$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h
 
 test_config_strings.out: test_config_strings.cfg
 	$(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out

lib/krb5/acache.c

@@ -78,7 +78,7 @@ static const struct {
 static krb5_error_code
 translate_cc_error(krb5_context context, cc_int32 error)
 {
-    int i;
+    size_t i;
     krb5_clear_error_message(context);
     for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
 	if (cc_errors[i].error == error)
@@ -337,7 +337,7 @@ make_ccred_from_cred(krb5_context context,
 		     cc_credentials_v5_t *cred)
 {
     krb5_error_code ret;
-    int i;
+    size_t i;
 
     memset(cred, 0, sizeof(*cred));
 
@@ -1114,7 +1114,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = {
     acc_move,
     acc_get_default_name,
     acc_set_default,
-    acc_lastchange
+    acc_lastchange,
+    NULL,
+    NULL,
 };
 
 #endif

lib/krb5/addr_families.c

@@ -354,7 +354,7 @@ ipv6_print_addr (const krb5_address *addr, char *str, size_t len)
     if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
 	{
 	    /* XXX this is pretty ugly, but better than abort() */
-	    int i;
+	    size_t i;
 	    unsigned char *p = addr->address.data;
 	    buf[0] = '\0';
 	    for(i = 0; i < addr->address.length; i++) {
@@ -727,34 +727,78 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
 }
 
 static struct addr_operations at[] = {
-    {AF_INET,	KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
-     ipv4_sockaddr2addr,
-     ipv4_sockaddr2port,
-     ipv4_addr2sockaddr,
-     ipv4_h_addr2sockaddr,
-     ipv4_h_addr2addr,
-     ipv4_uninteresting, ipv4_is_loopback, ipv4_anyaddr, ipv4_print_addr,
-     ipv4_parse_addr, NULL, NULL, NULL, ipv4_mask_boundary },
+    {
+	AF_INET,	KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
+	ipv4_sockaddr2addr,
+	ipv4_sockaddr2port,
+	ipv4_addr2sockaddr,
+	ipv4_h_addr2sockaddr,
+	ipv4_h_addr2addr,
+	ipv4_uninteresting,
+	ipv4_is_loopback,
+	ipv4_anyaddr,
+	ipv4_print_addr,
+	ipv4_parse_addr,
+	NULL,
+	NULL,
+	NULL,
+     ipv4_mask_boundary
+    },
 #ifdef HAVE_IPV6
-    {AF_INET6,	KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
-     ipv6_sockaddr2addr,
-     ipv6_sockaddr2port,
-     ipv6_addr2sockaddr,
-     ipv6_h_addr2sockaddr,
-     ipv6_h_addr2addr,
-     ipv6_uninteresting, ipv6_is_loopback, ipv6_anyaddr, ipv6_print_addr,
-     ipv6_parse_addr, NULL, NULL, NULL, ipv6_mask_boundary } ,
+    {
+	AF_INET6,	KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
+	ipv6_sockaddr2addr,
+	ipv6_sockaddr2port,
+	ipv6_addr2sockaddr,
+	ipv6_h_addr2sockaddr,
+	ipv6_h_addr2addr,
+	ipv6_uninteresting,
+	ipv6_is_loopback,
+	ipv6_anyaddr,
+	ipv6_print_addr,
+	ipv6_parse_addr,
+	NULL,
+	NULL,
+	NULL,
+	ipv6_mask_boundary
+    } ,
 #endif
 #ifndef HEIMDAL_SMALLER
     /* fake address type */
-    {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
-     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-     arange_print_addr, arange_parse_addr,
-     arange_order_addr, arange_free, arange_copy },
+    {
+	KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	arange_print_addr,
+	arange_parse_addr,
+	arange_order_addr,
+	arange_free,
+	arange_copy,
+	NULL
+    },
 #endif
-    {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
-     NULL, NULL, NULL, NULL, NULL, NULL,
-     NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL }
+    {
+	KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	addrport_print_addr,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+    }
 };
 
 static int num_addrs = sizeof(at) / sizeof(at[0]);
@@ -777,7 +821,7 @@ find_af(int af)
 }
 
 static struct addr_operations *
-find_atype(int atype)
+find_atype(krb5_address_type atype)
 {
     struct addr_operations *a;
 
@@ -1067,17 +1111,17 @@ krb5_print_address (const krb5_address *addr,
     if (a == NULL || a->print_addr == NULL) {
 	char *s;
 	int l;
-	int i;
+	size_t i;
 
 	s = str;
 	l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
-	if (l < 0 || l >= len)
+	if (l < 0 || (size_t)l >= len)
 	    return EINVAL;
 	s += l;
 	len -= l;
 	for(i = 0; i < addr->address.length; i++) {
 	    l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
-	    if (l < 0 || l >= len)
+	    if (l < 0 || (size_t)l >= len)
 		return EINVAL;
 	    len -= l;
 	    s += l;
@@ -1263,7 +1307,7 @@ krb5_address_search(krb5_context context,
 		    const krb5_address *addr,
 		    const krb5_addresses *addrlist)
 {
-    int i;
+    size_t i;
 
     for (i = 0; i < addrlist->len; ++i)
 	if (krb5_address_compare (context, addr, &addrlist->val[i]))
@@ -1311,7 +1355,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_addresses(krb5_context context,
 		    krb5_addresses *addresses)
 {
-    int i;
+    size_t i;
     for(i = 0; i < addresses->len; i++)
 	krb5_free_address(context, &addresses->val[i]);
     free(addresses->val);
@@ -1362,7 +1406,7 @@ krb5_copy_addresses(krb5_context context,
 		    const krb5_addresses *inaddr,
 		    krb5_addresses *outaddr)
 {
-    int i;
+    size_t i;
     ALLOC_SEQ(outaddr, inaddr->len);
     if(inaddr->len > 0 && outaddr->val == NULL)
 	return ENOMEM;
@@ -1391,7 +1435,7 @@ krb5_append_addresses(krb5_context context,
 {
     krb5_address *tmp;
     krb5_error_code ret;
-    int i;
+    size_t i;
     if(source->len > 0) {
 	tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
 	if(tmp == NULL) {

lib/krb5/auth_context.c

@@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context,
     return 0;
 }
 
+/* coverity[+alloc : arg-*2] */
 static krb5_error_code
 copy_key(krb5_context context,
 	 krb5_keyblock *in,
@@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context,
     return copy_key(context, auth_context->local_subkey, keyblock);
 }
 
+/* coverity[+alloc : arg-*2] */ 
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getremotesubkey(krb5_context context,
 			      krb5_auth_context auth_context,

lib/krb5/changepw.c

@@ -276,7 +276,7 @@ process_reply (krb5_context context,
 {
     krb5_error_code ret;
     u_char reply[1024 * 3];
-    ssize_t len;
+    size_t len;
     uint16_t pkt_len, pkt_ver;
     krb5_data ap_rep_data;
     int save_errno;
@@ -328,7 +328,7 @@ process_reply (krb5_context context,
 
     if (len < 6) {
 	str2data (result_string, "server %s sent to too short message "
-		  "(%ld bytes)", host, (long)len);
+		  "(%zu bytes)", host, len);
 	*result_code = KRB5_KPASSWD_MALFORMED;
 	return 0;
     }
@@ -496,7 +496,7 @@ static struct kpwd_proc {
 	chgpw_send_request,
 	process_reply
     },
-    { NULL }
+    { NULL, 0, NULL, NULL }
 };
 
 /*

lib/krb5/config_file.c

@@ -63,7 +63,7 @@ config_fgets(char *str, size_t len, struct fileptr *ptr)
 	p = ptr->s + strcspn(ptr->s, "\n");
 	if(*p == '\n')
 	    p++;
-	l = min(len, p - ptr->s);
+	l = min(len, (size_t)(p - ptr->s));
 	if(len > 0) {
 	    memcpy(str, ptr->s, l);
 	    str[l] = '\0';
@@ -91,7 +91,7 @@ _krb5_config_get_entry(krb5_config_section **parent, const char *name, int type)
 
     for(q = parent; *q != NULL; q = &(*q)->next)
 	if(type == krb5_config_list &&
-	   type == (*q)->type &&
+	   (unsigned)type == (*q)->type &&
 	   strcmp(name, (*q)->name) == 0)
 	    return *q;
     *q = calloc(1, sizeof(**q));
@@ -635,7 +635,7 @@ vget_next(krb5_context context,
     const char *p = va_arg(args, const char *);
     while(b != NULL) {
 	if(strcmp(b->name, name) == 0) {
-	    if(b->type == type && p == NULL) {
+	    if(b->type == (unsigned)type && p == NULL) {
 		*pointer = b;
 		return b->u.generic;
 	    } else if(b->type == krb5_config_list && p != NULL) {
@@ -675,7 +675,7 @@ _krb5_config_vget_next (krb5_context context,
     /* we were called again, so just look for more entries with the
        same name and type */
     for (b = (*pointer)->next; b != NULL; b = b->next) {
-	if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) {
+	if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) {
 	    *pointer = b;
 	    return b->u.generic;
 	}
@@ -865,7 +865,7 @@ krb5_config_get_string_default (krb5_context context,
 }
 
 static char *
-next_component_string(char * begin, char * delims, char **state)
+next_component_string(char * begin, const char * delims, char **state)
 {
     char * end;
 

lib/krb5/crypto-des.c

@@ -77,7 +77,9 @@ static struct _krb5_key_type keytype_des_old = {
     krb5_DES_random_key,
     krb5_DES_schedule_old,
     _krb5_des_salt,
-    krb5_DES_random_to_key
+    krb5_DES_random_to_key,
+    NULL,
+    NULL
 };
 
 static struct _krb5_key_type keytype_des = {

lib/krb5/crypto-evp.c

@@ -98,7 +98,7 @@ _krb5_evp_encrypt_cts(krb5_context context,
 {
     size_t i, blocksize;
     struct _krb5_evp_schedule *ctx = key->schedule->data;
-    char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+    unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
     EVP_CIPHER_CTX *c;
     unsigned char *p;
 
@@ -142,7 +142,7 @@ _krb5_evp_encrypt_cts(krb5_context context,
 	if (ivec)
 	    memcpy(ivec, p, blocksize);
     } else {
-	char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
+	unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
 
 	p = data;
 	if (len > blocksize * 2) {