Merge branch 'master' of github.com:heimdal/heimdal

Conflicts: lib/gssapi/gssapi/gssapi.h lib/gssapi/mech/gss_mech_switch.c
2011-02-28 10:21:31 +11:00
parent 4304e719a6 1ec5eff475
commit 65ebfb5712
29 changed files with 119 additions and 94 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -143,6 +143,7 @@ asn1_*.[cx]
 /kpasswd/kpasswdd
 /kuser/copy_cred_cache
 /kuser/generate-requests
+/kuser/kcc
 /kuser/kdecode_ticket
 /kuser/kdestroy
 /kuser/kdigest
@@ -172,6 +173,7 @@ asn1_*.[cx]
 /lib/editline/strlcat.c
 /lib/editline/testit
 /lib/gssapi/gss
+/lib/gssapi/gsstool
 /lib/gssapi/krb5/gsskrb5-private.h
 /lib/gssapi/ntlm/ntlm-private.h
 /lib/gssapi/spnego/spnego-private.h
@@ -183,6 +185,7 @@ asn1_*.[cx]
 /lib/hdb/hdb-private.h
 /lib/hdb/test_dbinfo
 /lib/hdb/test_hdbkeys
+/lib/hdb/test_mkey
 /lib/hx509/data/*.srl
 /lib/hx509/data/*.req
 /lib/hx509/data/sub-ca-combined.crt
@@ -215,6 +218,7 @@ asn1_*.[cx]
 /lib/krb5/test_gic
 /lib/krb5/test_kuserok
 /lib/krb5/test_renew
+/lib/krb5/test_rfc3961
 /lib/krb5/verify_krb5_conf
 /lib/ntlm/heimntlm-protos.h
 /lib/otp/ndbm_wrap.c
--- a/doc/ack.texi
+++ b/doc/ack.texi
@@ -58,8 +58,9 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
@item Frank van der Linden
@item Guido Günther
@item Harald Barth
-@item Jason McIntyre
+@item Jaideep Padhye
@item Jan Rekorajski
+@item Jason McIntyre
@item Johan Gadsjö
@item Johan Ihrén
@item John Center
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -41,6 +41,7 @@
 #ifndef __KDC_H__
 #define __KDC_H__

+#include <hdb.h>
 #include <krb5.h>

 enum krb5_kdc_trpolicy {
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -1000,9 +1000,8 @@ _kdc_as_rep(krb5_context context,
 	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	goto out;
    }
-
    ret = _kdc_db_fetch(context, config, server_princ,
-			HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+			HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
 			NULL, NULL, &server);
    if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);
--- a/kdc/version-script.map
+++ b/kdc/version-script.map
@@ -16,6 +16,10 @@ HEIMDAL_KDC_1.0 {
 		krb5_kdc_save_request;
 		krb5_kdc_update_time;
 		krb5_kdc_pk_initialize;
+
+		# needed for digest-service
+		_kdc_db_fetch;
+		_kdc_free_ent;
 	local:
 		*;
 };
--- a/kuser/Makefile.am
+++ b/kuser/Makefile.am
@@ -35,7 +35,8 @@ kimpersonate_LDADD = $(kinit_LDADD)

 kcc_LDADD = \
 	$(top_builddir)/lib/sl/libsl.la \
-	$(kinit_LDADD)
+	$(kinit_LDADD) \
+	$(LIB_readline)

 dist_kcc_SOURCES = kcc.c klist.c kswitch.c copy_cred_cache.c
 nodist_kcc_SOURCES = kcc-commands.c
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -172,6 +172,7 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-EPAK-AS-REP(146),
 	KRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
 	KRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
+	KRB5-PADATA-REQ-ENC-PA-REP(149),	--
 	KRB5-PADATA-SUPPORTED-ETYPES(165)	-- MS-KILE
 }

@@ -318,7 +319,8 @@ TicketFlags ::= BIT STRING {
 	hw-authent(11),
 	transited-policy-checked(12),
 	ok-as-delegate(13),
-	anonymous(14)
+	anonymous(14),
+	enc-pa-rep(15)
 }

 KDCOptions ::= BIT STRING {
--- a/lib/com_err/lex.h
+++ b/lib/com_err/lex.h
@@ -33,7 +33,7 @@

 /* $Id$ */

-void error_message (const char *, ...)
+void _lex_error_message (const char *, ...)
 __attribute__ ((format (printf, 1, 2)));

 int yylex(void);
--- a/lib/com_err/lex.l
+++ b/lib/com_err/lex.l
@@ -95,7 +95,7 @@ getstring(void)
 	    continue;
 	}
 	if(c == '\n'){
-	    error_message("unterminated string");
+	    _lex_error_message("unterminated string");
 	    lineno++;
 	    break;
 	}
@@ -115,7 +115,7 @@ getstring(void)
 }

 void
-error_message (const char *format, ...)
+_lex_error_message (const char *format, ...)
 {
     va_list args;

--- a/lib/com_err/parse.y
+++ b/lib/com_err/parse.y
@@ -170,5 +170,5 @@ name2number(const char *str)
 void
 yyerror (char *s)
 {
-     error_message ("%s\n", s);
+     _lex_error_message ("%s\n", s);
 }
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -208,7 +208,7 @@ nodist_libgssapi_la_SOURCES  = \
 	gkrb5_err.h \
 	$(BUILT_SOURCES)

-libgssapi_la_LDFLAGS = -version-info 2:0:0
+libgssapi_la_LDFLAGS = -version-info 3:0:0

 if versionscript
 libgssapi_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
--- a/lib/gssapi/gssapi/gssapi.h
+++ b/lib/gssapi/gssapi/gssapi.h
@@ -261,18 +261,16 @@ typedef OM_uint32 gss_qop_t;
 #define GSS_IOV_BUFFER_TYPE_STREAM 10
 #define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11

-#define GSS_IOV_BUFFER_FLAG_MASK 0xffff0000
-#define GSS_IOV_BUFFER_FLAG_ALLOCATE 0x00010000
-#define GSS_IOV_BUFFER_FLAG_ALLOCATED 0x00020000
+#define GSS_IOV_BUFFER_TYPE_FLAG_MASK		0xffff0000
+#define GSS_IOV_BUFFER_FLAG_ALLOCATE		0x00010000
+#define GSS_IOV_BUFFER_FLAG_ALLOCATED		0x00020000
+
+#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE	0x00010000 /* old name */
+#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED	0x00020000 /* old name */

 #define GSS_IOV_BUFFER_TYPE(_t) ((_t) & ~GSS_IOV_BUFFER_FLAG_MASK)
 #define GSS_IOV_BUFFER_FLAGS(_t) ((_t) & GSS_IOV_BUFFER_FLAG_MASK)

-/* compatibility macros; will be removed in the next release */
-#define GSS_IOV_BUFFER_TYPE_FLAG_MASK GSS_IOV_BUFFER_FLAG_MASK
-#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE GSS_IOV_BUFFER_FLAG_ALLOCATE
-#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED GSS_IOV_BUFFER_FLAG_ALLOCATED
-
 GSSAPI_CPP_START

 #include <gssapi/gssapi_oid.h>
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -99,6 +99,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
    case ETYPE_DES_CBC_MD4:
    case ETYPE_DES_CBC_MD5:
    case ETYPE_DES3_CBC_MD5:
+    case ETYPE_OLD_DES3_CBC_SHA1:
    case ETYPE_DES3_CBC_SHA1:
    case ETYPE_ARCFOUR_HMAC_MD5:
    case ETYPE_ARCFOUR_HMAC_MD5_56:
@@ -263,6 +264,10 @@ send_error_token(OM_uint32 *minor_status,
    krb5_principal ap_req_server = NULL;
    krb5_error_code ret;
    krb5_data outbuf;
+    /* this e_data value encodes KERB_AP_ERR_TYPE_SKEW_RECOVERY which
+       tells windows to try again with the corrected timestamp. See
+       [MS-KILE] 2.2.1 KERB-ERROR-DATA */
+    krb5_data e_data = { 7, rk_UNCONST("\x30\x05\xa1\x03\x02\x01\x02") };

    /* build server from request if the acceptor had not selected one */
    if (server == NULL) {
@@ -285,7 +290,7 @@ send_error_token(OM_uint32 *minor_status,
 	server = ap_req_server;
    }

-    ret = krb5_mk_error(context, kret, NULL, NULL, NULL,
+    ret = krb5_mk_error(context, kret, NULL, &e_data, NULL,
 			server, NULL, NULL, &outbuf);
    if (ap_req_server)
 	krb5_free_principal(context, ap_req_server);
--- a/lib/gssapi/krb5/import_sec_context.c
+++ b/lib/gssapi/krb5/import_sec_context.c
@@ -202,6 +202,8 @@ _gsskrb5_import_sec_context (

    krb5_storage_free (sp);

+    _gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0);
+
    *context_handle = (gss_ctx_id_t)ctx;

    return GSS_S_COMPLETE;
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -310,7 +310,7 @@ int
 _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
 {
    if (cert->private_key)
-	_hx509_private_key_free(&cert->private_key);
+	hx509_private_key_free(&cert->private_key);
    cert->private_key = _hx509_private_key_ref(private_key);
    return 0;
 }
@@ -341,7 +341,7 @@ hx509_cert_free(hx509_cert cert)
 	(cert->release)(cert, cert->ctx);

    if (cert->private_key)
-	_hx509_private_key_free(&cert->private_key);
+	hx509_private_key_free(&cert->private_key);

    free_Certificate(cert->data);
    free(cert->data);
@@ -1607,7 +1607,7 @@ _hx509_cert_private_decrypt(hx509_context context,
 	return HX509_PRIVATE_KEY_MISSING;
    }

-    return _hx509_private_key_private_decrypt(context,
+    return hx509_private_key_private_decrypt(context,
 					      ciphertext,
 					      encryption_oid,
 					      p->private_key,
@@ -1615,7 +1615,7 @@ _hx509_cert_private_decrypt(hx509_context context,
 }

 int
-_hx509_cert_public_encrypt(hx509_context context,
+hx509_cert_public_encrypt(hx509_context context,
 			   const heim_octet_string *cleartext,
 			   const hx509_cert p,
 			   heim_oid *encryption_oid,
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -665,7 +665,7 @@ hx509_cms_envelope_1(hx509_context context,
 	goto out;
    }

-    ret = _hx509_cert_public_encrypt(context,
+    ret = hx509_cert_public_encrypt(context,
 				     &key, cert,
 				     &ri->keyEncryptionAlgorithm.algorithm,
 				     &ri->encryptedKey);
--- a/lib/hx509/collector.c
+++ b/lib/hx509/collector.c
@@ -105,7 +105,7 @@ free_private_key(struct private_key *key)
 {
    free_AlgorithmIdentifier(&key->alg);
    if (key->private_key)
-	_hx509_private_key_free(&key->private_key);
+	hx509_private_key_free(&key->private_key);
    der_free_octet_string(&key->localKeyId);
    free(key);
 }
@@ -143,7 +143,7 @@ _hx509_collector_private_key_add(hx509_context context,
    if (private_key) {
 	key->private_key = private_key;
    } else {
-	ret = _hx509_parse_private_key(context, alg,
+	ret = hx509_parse_private_key(context, alg,
 				       key_data->data, key_data->length,
 				       HX509_KEY_FORMAT_DER,
 				       &key->private_key);
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -1506,8 +1506,8 @@ static struct hx509_private_key_ops *private_algs[] = {
    NULL
 };

-static hx509_private_key_ops *
-find_private_alg(const heim_oid *oid)
+hx509_private_key_ops *
+hx509_find_private_alg(const heim_oid *oid)
 {
    int i;
    for (i = 0; private_algs[i]; i++) {
@@ -1715,7 +1715,7 @@ _hx509_public_encrypt(hx509_context context,
 }

 int
-_hx509_private_key_private_decrypt(hx509_context context,
+hx509_private_key_private_decrypt(hx509_context context,
 				   const heim_octet_string *ciphertext,
 				   const heim_oid *encryption_oid,
 				   hx509_private_key p,
@@ -1758,7 +1758,7 @@ _hx509_private_key_private_decrypt(hx509_context context,


 int
-_hx509_parse_private_key(hx509_context context,
+hx509_parse_private_key(hx509_context context,
 			 const AlgorithmIdentifier *keyai,
 			 const void *data,
 			 size_t len,
@@ -1770,13 +1770,13 @@ _hx509_parse_private_key(hx509_context context,

    *private_key = NULL;

-    ops = find_private_alg(&keyai->algorithm);
+    ops = hx509_find_private_alg(&keyai->algorithm);
    if (ops == NULL) {
 	hx509_clear_error_string(context);
 	return HX509_SIG_ALG_NO_SUPPORTED;
    }

-    ret = _hx509_private_key_init(private_key, ops, NULL);
+    ret = hx509_private_key_init(private_key, ops, NULL);
    if (ret) {
 	hx509_set_error_string(context, 0, ret, "out of memory");
 	return ret;
@@ -1784,7 +1784,7 @@ _hx509_parse_private_key(hx509_context context,

    ret = (*ops->import)(context, keyai, data, len, format, *private_key);
    if (ret)
-	_hx509_private_key_free(private_key);
+	hx509_private_key_free(private_key);

    return ret;
 }
@@ -1794,7 +1794,7 @@ _hx509_parse_private_key(hx509_context context,
 */

 int
-_hx509_private_key2SPKI(hx509_context context,
+hx509_private_key2SPKI(hx509_context context,
 			hx509_private_key private_key,
 			SubjectPublicKeyInfo *spki)
 {
@@ -1865,13 +1865,13 @@ _hx509_generate_private_key(hx509_context context,

    *private_key = NULL;

-    ops = find_private_alg(ctx->key_oid);
+    ops = hx509_find_private_alg(ctx->key_oid);
    if (ops == NULL) {
 	hx509_clear_error_string(context);
 	return HX509_SIG_ALG_NO_SUPPORTED;
    }

-    ret = _hx509_private_key_init(private_key, ops, NULL);
+    ret = hx509_private_key_init(private_key, ops, NULL);
    if (ret) {
 	hx509_set_error_string(context, 0, ret, "out of memory");
 	return ret;
@@ -1879,7 +1879,7 @@ _hx509_generate_private_key(hx509_context context,

    ret = (*ops->generate_private_key)(context, ctx, *private_key);
    if (ret)
-	_hx509_private_key_free(private_key);
+	hx509_private_key_free(private_key);

    return ret;
 }
@@ -1976,7 +1976,7 @@ const AlgorithmIdentifier * _hx509_crypto_default_secret_alg =
 */

 int
-_hx509_private_key_init(hx509_private_key *key,
+hx509_private_key_init(hx509_private_key *key,
 			hx509_private_key_ops *ops,
 			void *keydata)
 {
@@ -2007,7 +2007,7 @@ _hx509_private_pem_name(hx509_private_key key)
 }

 int
-_hx509_private_key_free(hx509_private_key *key)
+hx509_private_key_free(hx509_private_key *key)
 {
    if (key == NULL || *key == NULL)
 	return 0;
@@ -2033,7 +2033,7 @@ _hx509_private_key_free(hx509_private_key *key)
 }

 void
-_hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
+hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
 {
    if (key->private_key.rsa)
 	RSA_free(key->private_key.rsa);
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -48,6 +48,7 @@ typedef struct hx509_crypto_data *hx509_crypto;
 typedef struct hx509_lock_data *hx509_lock;
 typedef struct hx509_name_data *hx509_name;
 typedef struct hx509_private_key *hx509_private_key;
+typedef struct hx509_private_key_ops hx509_private_key_ops;
 typedef struct hx509_validate_ctx_data *hx509_validate_ctx;
 typedef struct hx509_verify_ctx_data *hx509_verify_ctx;
 typedef struct hx509_revoke_ctx_data *hx509_revoke_ctx;
--- a/lib/hx509/hx_locl.h
+++ b/lib/hx509/hx_locl.h
@@ -82,7 +82,6 @@ typedef struct hx509_path hx509_path;

 typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);

-typedef struct hx509_private_key_ops hx509_private_key_ops;

 #include "sel.h"

--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -1294,7 +1294,7 @@ request_create(struct request_create_options *opt, int argc, char **argv)
 	    opt->key_bits_integer,
 	    &signer);

-    _hx509_request_init(context, &req);
+    hx509_request_init(context, &req);

    if (opt->subject_string) {
 	hx509_name name = NULL;
@@ -1302,7 +1302,7 @@ request_create(struct request_create_options *opt, int argc, char **argv)
 	ret = hx509_parse_name(context, opt->subject_string, &name);
 	if (ret)
 	    errx(1, "hx509_parse_name: %d\n", ret);
-	_hx509_request_set_name(context, req, name);
+	hx509_request_set_name(context, req, name);

 	if (opt->verbose_flag) {
 	    char *s;
@@ -1327,16 +1327,16 @@ request_create(struct request_create_options *opt, int argc, char **argv)
    }


-    ret = _hx509_private_key2SPKI(context, signer, &key);
+    ret = hx509_private_key2SPKI(context, signer, &key);
    if (ret)
-	errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+	errx(1, "hx509_private_key2SPKI: %d\n", ret);

-    ret = _hx509_request_set_SubjectPublicKeyInfo(context,
+    ret = hx509_request_set_SubjectPublicKeyInfo(context,
 						  req,
 						  &key);
    free_SubjectPublicKeyInfo(&key);
    if (ret)
-	hx509_err(context, 1, ret, "_hx509_request_set_SubjectPublicKeyInfo");
+	hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");

    ret = _hx509_request_to_pkcs10(context,
 				   req,
@@ -1345,8 +1345,8 @@ request_create(struct request_create_options *opt, int argc, char **argv)
    if (ret)
 	hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");

-    _hx509_private_key_free(&signer);
-    _hx509_request_free(&req);
+    hx509_private_key_free(&signer);
+    hx509_request_free(&req);

    if (ret == 0)
 	rk_dumpdata(outfile, request.data, request.length);
@@ -1370,7 +1370,7 @@ request_print(struct request_print_options *opt, int argc, char **argv)
 	    hx509_err(context, 1, ret, "parse_request: %s", argv[i]);

 	ret = _hx509_request_print(context, req, stdout);
-	_hx509_request_free(&req);
+	hx509_request_free(&req);
 	if (ret)
 	    hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
    }
@@ -1814,9 +1814,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	if (ret)
 	    err(1, "read_private_key");

-	ret = _hx509_private_key2SPKI(context, private_key, &spki);
+	ret = hx509_private_key2SPKI(context, private_key, &spki);
 	if (ret)
-	    errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+	    errx(1, "hx509_private_key2SPKI: %d\n", ret);

 	if (opt->self_signed_flag)
 	    cert_key = private_key;
@@ -1828,13 +1828,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	ret = _hx509_request_parse(context, opt->req_string, &req);
 	if (ret)
 	    hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
-	ret = _hx509_request_get_name(context, req, &subject);
+	ret = hx509_request_get_name(context, req, &subject);
 	if (ret)
 	    hx509_err(context, 1, ret, "get name");
-	ret = _hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
+	ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
 	if (ret)
 	    hx509_err(context, 1, ret, "get spki");
-	_hx509_request_free(&req);
+	hx509_request_free(&req);
    }

    if (opt->generate_key_string) {
@@ -1859,9 +1859,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	if (ret)
 	    hx509_err(context, 1, ret, "generate private key");
 	
-	ret = _hx509_private_key2SPKI(context, cert_key, &spki);
+	ret = hx509_private_key2SPKI(context, cert_key, &spki);
 	if (ret)
-	    errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+	    errx(1, "hx509_private_key2SPKI: %d\n", ret);

 	if (opt->self_signed_flag)
 	    private_key = cert_key;
@@ -2015,8 +2015,8 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
    free_SubjectPublicKeyInfo(&spki);

    if (private_key != cert_key)
-	_hx509_private_key_free(&private_key);
-    _hx509_private_key_free(&cert_key);
+	hx509_private_key_free(&private_key);
+    hx509_private_key_free(&cert_key);

    hx509_ca_tbs_free(&tbs);

--- a/lib/hx509/keyset.c
+++ b/lib/hx509/keyset.c
@@ -781,6 +781,6 @@ _hx509_certs_keys_free(hx509_context context,
 {
    int i;
    for (i = 0; keys[i]; i++)
-	_hx509_private_key_free(&keys[i]);
+	hx509_private_key_free(&keys[i]);
    free(keys);
 }
--- a/lib/hx509/ks_keychain.c
+++ b/lib/hx509/ks_keychain.c
@@ -259,7 +259,7 @@ set_private_key(hx509_context context,
    RSA *rsa;
    int ret;

-    ret = _hx509_private_key_init(&key, NULL, NULL);
+    ret = hx509_private_key_init(&key, NULL, NULL);
    if (ret)
 	return ret;

@@ -302,7 +302,7 @@ set_private_key(hx509_context context,
    if (ret != 1)
 	_hx509_abort("RSA_set_app_data");

-    _hx509_private_key_assign_rsa(key, rsa);
+    hx509_private_key_assign_rsa(key, rsa);
    _hx509_cert_assign_key(cert, key);

    return 0;
--- a/lib/hx509/ks_mem.c
+++ b/lib/hx509/ks_mem.c
@@ -78,7 +78,7 @@ mem_free(hx509_certs certs, void *data)
 	hx509_cert_free(mem->certs.val[i]);
    free(mem->certs.val);
    for (i = 0; mem->keys && mem->keys[i]; i++)
-	_hx509_private_key_free(&mem->keys[i]);
+	hx509_private_key_free(&mem->keys[i]);
    free(mem->keys);
    free(mem->name);
    free(mem);
@@ -167,7 +167,7 @@ mem_getkeys(hx509_context context,
 	(*keys)[i] = _hx509_private_key_ref(mem->keys[i]);
 	if ((*keys)[i] == NULL) {
 	    while (--i >= 0)
-		_hx509_private_key_free(&(*keys)[i]);
+		hx509_private_key_free(&(*keys)[i]);
 	    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
 	    return ENOMEM;
 	}
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -613,7 +613,7 @@ collect_private_key(hx509_context context,
    localKeyId.data = query[0].pValue;
    localKeyId.length = query[0].ulValueLen;

-    ret = _hx509_private_key_init(&key, NULL, NULL);
+    ret = hx509_private_key_init(&key, NULL, NULL);
    if (ret)
 	return ret;

@@ -648,7 +648,7 @@ collect_private_key(hx509_context context,
    if (ret != 1)
 	_hx509_abort("RSA_set_app_data");

-    _hx509_private_key_assign_rsa(key, rsa);
+    hx509_private_key_assign_rsa(key, rsa);

    ret = _hx509_collector_private_key_add(context,
 					   collector,
@@ -658,7 +658,7 @@ collect_private_key(hx509_context context,
 					   &localKeyId);

    if (ret) {
-	_hx509_private_key_free(&key);
+	hx509_private_key_free(&key);
 	return ret;
    }
    return 0;
--- a/lib/hx509/req.c
+++ b/lib/hx509/req.c
@@ -46,7 +46,7 @@ struct hx509_request_data {
 */

 int
-_hx509_request_init(hx509_context context, hx509_request *req)
+hx509_request_init(hx509_context context, hx509_request *req)
 {
    *req = calloc(1, sizeof(**req));
    if (*req == NULL)
@@ -56,7 +56,7 @@ _hx509_request_init(hx509_context context, hx509_request *req)
 }

 void
-_hx509_request_free(hx509_request *req)
+hx509_request_free(hx509_request *req)
 {
    if ((*req)->name)
 	hx509_name_free(&(*req)->name);
@@ -69,7 +69,7 @@ _hx509_request_free(hx509_request *req)
 }

 int
-_hx509_request_set_name(hx509_context context,
+hx509_request_set_name(hx509_context context,
 			hx509_request req,
 			hx509_name name)
 {
@@ -84,7 +84,7 @@ _hx509_request_set_name(hx509_context context,
 }

 int
-_hx509_request_get_name(hx509_context context,
+hx509_request_get_name(hx509_context context,
 			hx509_request req,
 			hx509_name *name)
 {
@@ -96,7 +96,7 @@ _hx509_request_get_name(hx509_context context,
 }

 int
-_hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
+hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
 					hx509_request req,
 					const SubjectPublicKeyInfo *key)
 {
@@ -105,7 +105,7 @@ _hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
 }

 int
-_hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
+hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
 					hx509_request req,
 					SubjectPublicKeyInfo *key)
 {
@@ -271,7 +271,7 @@ _hx509_request_parse(hx509_context context,
 	return ret;
    }

-    ret = _hx509_request_init(context, req);
+    ret = hx509_request_init(context, req);
    if (ret) {
 	free_CertificationRequest(&r);
 	return ret;
@@ -279,25 +279,25 @@ _hx509_request_parse(hx509_context context,

    rinfo = &r.certificationRequestInfo;

-    ret = _hx509_request_set_SubjectPublicKeyInfo(context, *req,
+    ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
 						  &rinfo->subjectPKInfo);
    if (ret) {
 	free_CertificationRequest(&r);
-	_hx509_request_free(req);
+	hx509_request_free(req);
 	return ret;
    }

    ret = _hx509_name_from_Name(&rinfo->subject, &subject);
    if (ret) {
 	free_CertificationRequest(&r);
-	_hx509_request_free(req);
+	hx509_request_free(req);
 	return ret;
    }
-    ret = _hx509_request_set_name(context, *req, subject);
+    ret = hx509_request_set_name(context, *req, subject);
    hx509_name_free(&subject);
    free_CertificationRequest(&r);
    if (ret) {
-	_hx509_request_free(req);
+	hx509_request_free(req);
 	return ret;
    }

--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -16,20 +16,12 @@ HEIMDAL_X509_1.2 {
 		_hx509_generate_private_key_is_ca;
 		_hx509_map_file_os;
 		_hx509_name_from_Name;
-		_hx509_private_key2SPKI;
-		_hx509_private_key_free;
 		_hx509_private_key_ref;
 		_hx509_request_add_dns_name;
 		_hx509_request_add_email;
-		_hx509_request_free;
-		_hx509_request_get_SubjectPublicKeyInfo;
-		_hx509_request_get_name;
-		_hx509_request_init;
 		_hx509_request_parse;
 		_hx509_request_print;
-		_hx509_request_set_SubjectPublicKeyInfo;
 		_hx509_request_set_email;
-		_hx509_request_set_name;
 		_hx509_request_to_pkcs10;
 		_hx509_request_to_pkcs10;
 		_hx509_unmap_file_os;
@@ -82,6 +74,7 @@ HEIMDAL_X509_1.2 {
 		hx509_cert_init;
 		hx509_cert_init_data;
 		hx509_cert_keyusage_print;
+		hx509_cert_public_encrypt;
 		hx509_cert_ref;
 		hx509_cert_set_friendly_name;
 		hx509_certs_add;
@@ -146,6 +139,7 @@ HEIMDAL_X509_1.2 {
 		hx509_err;
 		hx509_free_error_string;
 		hx509_free_octet_string_list;
+		hx509_find_private_alg;
 		hx509_general_name_unparse;
 		hx509_get_error_string;
 		hx509_get_one_cert;
@@ -174,6 +168,7 @@ HEIMDAL_X509_1.2 {
 		hx509_oid_print;
 		hx509_oid_sprint;
 		hx509_parse_name;
+		hx509_parse_private_key;
 		hx509_peer_info_add_cms_alg;
 		hx509_peer_info_alloc;
 		hx509_peer_info_free;
@@ -186,6 +181,11 @@ HEIMDAL_X509_1.2 {
 		hx509_pem_write;
 		hx509_print_stdout;
 		hx509_print_cert;
+		hx509_private_key_assign_rsa;
+		hx509_private_key_free;
+		hx509_private_key_private_decrypt;
+		hx509_private_key_init;
+		hx509_private_key2SPKI;
 		hx509_prompt_hidden;
 		hx509_query_alloc;
 		hx509_query_free;
@@ -197,6 +197,12 @@ HEIMDAL_X509_1.2 {
 		hx509_query_match_option;
 		hx509_query_statistic_file;
 		hx509_query_unparse_stats;
+		hx509_request_get_name;
+		hx509_request_get_SubjectPublicKeyInfo;
+		hx509_request_free;
+		hx509_request_init;
+		hx509_request_set_name;
+		hx509_request_set_SubjectPublicKeyInfo;
 		hx509_revoke_add_crl;
 		hx509_revoke_add_ocsp;
 		hx509_revoke_free;
--- a/lib/krb5/Makefile.am
+++ b/lib/krb5/Makefile.am
@@ -63,28 +63,28 @@ use_sqlite = $(LIB_sqlite3)
 endif

 libkrb5_la_LIBADD = \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/ipc/libheim-ipcc.la \
+	$(top_builddir)/lib/wind/libwind.la \
+	$(top_builddir)/base/libheimbase.la \
 	$(LIB_pkinit) \
 	$(use_sqlite) \
 	$(LIB_com_err) \
 	$(LIB_hcrypto) \
-	$(top_builddir)/lib/asn1/libasn1.la \
-	../ipc/libheim-ipcc.la \
-	../wind/libwind.la \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
-	../../base/libheimbase.la \
 	$(PTHREAD_LIBADD) \
 	$(LIB_door_create) \
 	$(LIB_dlopen)

 librfc3961_la_LIBADD = \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/ipc/libheim-ipcc.la \
+	$(top_builddir)/lib/wind/libwind.la \
 	$(LIB_pkinit) \
 	$(use_sqlite) \
 	$(LIB_com_err) \
 	$(LIB_hcrypto) \
-	$(top_builddir)/lib/asn1/libasn1.la \
-	../ipc/libheim-ipcc.la \
-	../wind/libwind.la \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
 	$(PTHREAD_LIBADD) \
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -241,6 +241,8 @@ typedef enum krb5_key_usage {
    /* Encryption of the SAM-NONCE-OR-SAD field */
    KRB5_KU_PA_PKINIT_KX = 44,
    /* Encryption type of the kdc session contribution in pk-init */
+    KRB5_KU_AS_REQ = 56,
+    /* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */
    KRB5_KU_DIGEST_ENCRYPT = -18,
    /* Encryption key usage used in the digest encryption field */
    KRB5_KU_DIGEST_OPAQUE = -19,