From 774f50b28ba423379b455be6e5c7039392fe319e Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Fri, 27 Aug 2021 14:20:01 +1000 Subject: [PATCH] gss: move GSS pre-auth helpers to convenience lib GSS pre-auth helpers do not belong in libgssapi, so move them to a separate convenience library. --- .gitignore | 2 + configure.ac | 1 + kdc/Makefile.am | 2 + kdc/NTMakefile | 4 +- kdc/gss_preauth.c | 4 +- kuser/Makefile.am | 1 + kuser/NTMakefile | 3 +- kuser/kuser_locl.h | 4 +- lib/Makefile.am | 1 + lib/NTMakefile | 4 +- lib/gss_preauth/Makefile.am | 21 +++++ lib/gss_preauth/NTMakefile | 70 ++++++++++++++ lib/{gssapi/preauth => gss_preauth}/README.md | 0 .../gss_preauth.h} | 0 .../preauth => gss_preauth}/pa_client.c | 11 +-- .../preauth => gss_preauth}/pa_common.c | 91 ++++++++++--------- lib/gssapi/Makefile.am | 16 +--- lib/gssapi/NTMakefile | 21 ----- lib/gssapi/libgssapi-exports.def | 8 -- lib/gssapi/version-script.map | 8 -- windows/NTMakefile.w32 | 1 + 21 files changed, 165 insertions(+), 108 deletions(-) create mode 100644 lib/gss_preauth/Makefile.am create mode 100644 lib/gss_preauth/NTMakefile rename lib/{gssapi/preauth => gss_preauth}/README.md (100%) rename lib/{gssapi/gssapi/gssapi_preauth.h => gss_preauth/gss_preauth.h} (100%) rename lib/{gssapi/preauth => gss_preauth}/pa_client.c (97%) rename lib/{gssapi/preauth => gss_preauth}/pa_common.c (75%) diff --git a/.gitignore b/.gitignore index 66f290fb4..2a09f94ac 100644 --- a/.gitignore +++ b/.gitignore @@ -206,6 +206,8 @@ tags /lib/gssapi/test_names /lib/gssapi/test_ntlm /lib/gssapi/test_oid +/lib/gss_preauth/gss-preauth-protos.h +/lib/gss_preauth/gss-preauth-private.h /lib/hcrypto/crypto-test /lib/hcrypto/crypto-test2 /lib/hcrypto/destest diff --git a/configure.ac b/configure.ac index 7ba178d36..05c228ede 100644 --- a/configure.ac +++ b/configure.ac 
@@ -709,6 +709,7 @@ AC_CONFIG_FILES(Makefile \ lib/sqlite/Makefile \ lib/vers/Makefile \ lib/wind/Makefile \ + lib/gss_preauth/Makefile \ po/Makefile \ kuser/Makefile \ kpasswd/Makefile \ diff --git a/kdc/Makefile.am b/kdc/Makefile.am index f4597857f..8fd6348f6 100644 --- a/kdc/Makefile.am +++ b/kdc/Makefile.am @@ -151,6 +151,7 @@ libkdc_la_LDFLAGS = -version-info 2:0:0 if versionscript libkdc_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map endif + $(libkdc_la_OBJECTS): $(srcdir)/version-script.map $(srcdir)/kdc-protos.h: $(libkdc_la_SOURCES) @@ -187,6 +188,7 @@ libkdc_la_LIBADD = \ $(top_builddir)/lib/hdb/libhdb.la \ $(top_builddir)/lib/krb5/libkrb5.la \ $(top_builddir)/lib/gssapi/libgssapi.la \ + $(top_builddir)/lib/gss_preauth/libgss_preauth.la \ $(LIB_kdb) \ $(top_builddir)/lib/ntlm/libheimntlm.la \ $(LIB_hcrypto) \ diff --git a/kdc/NTMakefile b/kdc/NTMakefile index 2115ebb7f..58eb75771 100644 --- a/kdc/NTMakefile +++ b/kdc/NTMakefile @@ -33,7 +33,7 @@ RELDIR=kdc !include ../windows/NTMakefile.w32 -intcflags=-I$(OBJ) -I$(SRC)\lib\gssapi -I$(OBJDIR)\lib\gssapi +intcflags=-I$(OBJ) -I$(SRC)\lib\gssapi -I$(OBJDIR)\lib\gssapi -I$(OBJDIR)\lib\gss_preauth BINPROGRAMS=$(BINDIR)\string2key.exe @@ -61,7 +61,6 @@ clean:: BIN_LIBS=\ $(LIBHDB) \ - $(LIBGSSAPI) \ $(LIBHEIMDAL) \ $(LIBROKEN) \ $(LIBVERS) @@ -115,6 +114,7 @@ LIBKDC_OBJS=\ LIBKDC_LIBS=\ $(LIBHDB) \ + $(LIBGSS_PREAUTH) \ $(LIBGSSAPI) \ $(LIBHEIMBASE) \ $(LIBHEIMDAL) \ diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c index 85cce0b38..bc066b353 100644 --- a/kdc/gss_preauth.c +++ b/kdc/gss_preauth.c @@ -36,7 +36,9 @@ #include #include -#include "../lib/gssapi/preauth/pa-private.h" + +#include +#include #include "gss_preauth_authorizer_plugin.h" diff --git a/kuser/Makefile.am b/kuser/Makefile.am index a24a81ed8..91db2edca 100644 --- a/kuser/Makefile.am +++ b/kuser/Makefile.am 
@@ -30,6 +30,7 @@ kinit_LDADD = \ $(afs_lib) \ $(top_builddir)/lib/krb5/libkrb5.la \ $(top_builddir)/lib/gssapi/libgssapi.la \ + $(top_builddir)/lib/gss_preauth/libgss_preauth.la \ $(top_builddir)/lib/ntlm/libheimntlm.la \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ diff --git a/kuser/NTMakefile b/kuser/NTMakefile index 87c95f889..2538744db 100644 --- a/kuser/NTMakefile +++ b/kuser/NTMakefile @@ -31,7 +31,7 @@ RELDIR=kuser -intcflags=-I$(OBJ) -I$(SRC)\lib\gssapi -I$(OBJDIR)\lib\gssapi +intcflags=-I$(OBJ) -I$(SRC)\lib\gssapi -I$(OBJDIR)\lib\gssapi -I$(OBJDIR)\lib\gss_preauth !include ../windows/NTMakefile.w32 @@ -55,6 +55,7 @@ NOINSTPROGRAMS=\ BINLIBS=\ + $(LIBGSS_PREAUTH) \ $(LIBGSSAPI) \ $(LIBHEIMDAL) \ $(LIBHEIMNTLM) \ diff --git a/kuser/kuser_locl.h b/kuser/kuser_locl.h index c6fb5856f..8218a6f09 100644 --- a/kuser/kuser_locl.h +++ b/kuser/kuser_locl.h @@ -75,8 +75,8 @@ #include #include -#include -#include +#include +#include #if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 #include diff --git a/lib/Makefile.am b/lib/Makefile.am index 78a661bc3..dc7011619 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -41,6 +41,7 @@ SUBDIRS = \ ntlm \ $(dir_afs) \ gssapi \ + gss_preauth \ hdb \ kadm5 \ $(dir_otp) \ diff --git a/lib/NTMakefile b/lib/NTMakefile index fdb0261fe..39a0db554 100644 --- a/lib/NTMakefile +++ b/lib/NTMakefile @@ -51,8 +51,8 @@ assembly=..\packages\windows\assembly !endif SUBDIRS = roken vers com_err base sl wind asn1 sqlite \ - hcrypto hx509 krb5 heimdal ntlm kafs gssapi hdb \ - kadm5 $(dir_otp) $(dir_dce) $(plugin) $(assembly) + hcrypto hx509 krb5 heimdal ntlm kafs gssapi gss_preauth \ + hdb kadm5 $(dir_otp) $(dir_dce) $(plugin) $(assembly) !include ../windows/NTMakefile.w32 diff --git a/lib/gss_preauth/Makefile.am b/lib/gss_preauth/Makefile.am new file mode 100644 index 000000000..e1382c37d --- /dev/null +++ b/lib/gss_preauth/Makefile.am 
@@ -0,0 +1,21 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+AM_CPPFLAGS += \
+ -I$(srcdir)/../krb5 \
+ -I$(srcdir)/../gssapi \
+ -I$(srcdir)/../gssapi/mech \
+ -I$(top_srcdir)/include/gssapi \
+ -I$(top_builddir)/include/gssapi
+
+noinst_LTLIBRARIES = libgss_preauth.la
+include_HEADERS = $(srcdir)/gss-preauth-protos.h $(srcdir)/gss-preauth-private.h
+
+libgss_preauth_la_SOURCES = pa_client.c pa_common.c
+
+$(srcdir)/gss-preauth-protos.h: $(libgss_preauth_la_SOURCES)
+ cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -o gss-preauth-protos.h $(libgss_preauth_la_SOURCES) || rm -f gss-preauth-protos.h
+
+$(srcdir)/gss-preauth-private.h: $(libgss_preauth_la_SOURCES)
+ cd $(srcdir); perl ../../cf/make-proto.pl -q -P comment -p gss-preauth-private.h $(libgss_preauth_la_SOURCES) || rm -f gss-preauth-private.h
diff --git a/lib/gss_preauth/NTMakefile b/lib/gss_preauth/NTMakefile
new file mode 100644
index 000000000..60c963b2e
--- /dev/null
+++ b/lib/gss_preauth/NTMakefile
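Review bot: In lib/gss_preauth/Makefile.am, `include_HEADERS` lists `gss-preauth-private.h` although the library is `noinst_LTLIBRARIES`, so `make install` would publish prototypes for helpers that the later export-list hunks remove from libgssapi. If the headers only need to be visible to kdc/ and kuser/ inside the tree, `noinst_HEADERS = $(srcdir)/gss-preauth-protos.h $(srcdir)/gss-preauth-private.h` looks closer to the intent; confirm this against Makefile.am.common, which is not part of the patch. Both generator recipes use `cd $(srcdir);` where the rule removed from lib/gssapi/Makefile.am used `cd $(srcdir) &&`, so a failed `cd` would let perl and the `rm -f` fallback run in the wrong directory. Nothing visible makes the objects depend on the generated headers (lib/gssapi has `$(libgssapi_la_OBJECTS): $(BUILTHEADERS)`), which may matter under parallel make.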
@@ -0,0 +1,70 @@
+########################################################################
+#
+# Copyright (c) 2021, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+# + +RELDIR=lib\gss_preauth + +intcflags=-I$(SRCDIR) \ + -I$(SRCDIR)\..\krb5 \ + -I$(SRCDIR)\..\gssapi \ + -I$(SRCDIR)\..\gssapi\mech \ + -I$(OBJ) \ + -I$(OBJDIR)\lib\gssapi \ + -I$(OBJDIR)\lib\gssapi\gssapi \ + -I$(INCDIR) \ + -I$(INCDIR)\gssapi \ + +!include ../../windows/NTMakefile.w32 + +INCFILES= \ + $(OBJ)\gss-preauth-protos.h \ + $(OBJ)\gss-preauth-private.h + +libgss_preauth_SOURCES = \ + pa_client.c \ + pa_common.c + +libgss_preauth_OBJS = \ + $(OBJ)\pa_client.obj \ + $(OBJ)\pa_common.obj + +$(LIBGSS_PREAUTH): $(libgss_preauth_OBJS) + $(LIBCON) + +$(OBJ)\gss-preauth-protos.h: $(libgss_preauth_SOURCES) + $(PERL) ..\..\cf\make-proto.pl -E KRB5_LIB -q -P remove -o $(OBJ)\gss-preauth-protos.h $(libgss_preauth_SOURCES) || $(RM) -f $(OBJ)\gss-preauth-protos.h + +$(OBJ)\gss-preauth-private.h: $(libgss_preauth_SOURCES) + $(PERL) ..\..\cf\make-proto.pl -q -P remove -p $(OBJ)\gss-preauth-private.h $(libgss_preauth_SOURCES) || $(RM) -f $(OBJ)\gss-preauth-private.h + +all:: $(INCFILES) $(LIBGSS_PREAUTH) + +clean:: + -$(RM) $(INCFILES) $(LIBGSS_PREAUTH) diff --git a/lib/gssapi/preauth/README.md b/lib/gss_preauth/README.md similarity index 100% rename from lib/gssapi/preauth/README.md rename to lib/gss_preauth/README.md diff --git a/lib/gssapi/gssapi/gssapi_preauth.h b/lib/gss_preauth/gss_preauth.h similarity index 100% rename from lib/gssapi/gssapi/gssapi_preauth.h rename to lib/gss_preauth/gss_preauth.h diff --git a/lib/gssapi/preauth/pa_client.c b/lib/gss_preauth/pa_client.c similarity index 97% rename from lib/gssapi/preauth/pa_client.c rename to lib/gss_preauth/pa_client.c index a81a1a0c8..83a392f7d 100644 --- a/lib/gssapi/preauth/pa_client.c +++ b/lib/gss_preauth/pa_client.c @@ -30,12 +30,11 @@ * SUCH DAMAGE. */ -#include "krb5_locl.h" -#include "mech_locl.h" +#include +#include -#include - -#include +#include "gss-preauth-protos.h" +#include "gss-preauth-private.h" static krb5_error_code pa_gss_acquire_initiator_cred(krb5_context context, 
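Review bot: In lib/gss_preauth/NTMakefile the `intcflags` list ends with `-I$(INCDIR)\gssapi \`, so the macro is terminated only by the blank line that follows. Removing that blank line later would fold the `!include ../../windows/NTMakefile.w32` directive into the include path; ending the list with `-I$(INCDIR)\gssapi` and no continuation avoids that. The object files also have no declared dependency on `$(INCFILES)`, and the build appears to rely on `all::` listing the headers before the library. A one-line comment such as `# generated headers must precede $(LIBGSS_PREAUTH) in all::` would record that.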
@@ -239,7 +238,7 @@ pa_gss_release_cred(krb5_context context, gss_release_cred(&minor, &cred); } -GSSAPI_LIB_FUNCTION krb5_error_code GSSAPI_LIB_CALL +krb5_error_code krb5_gss_set_init_creds(krb5_context context, krb5_init_creds_context ctx, gss_const_cred_id_t gss_cred, diff --git a/lib/gssapi/preauth/pa_common.c b/lib/gss_preauth/pa_common.c similarity index 75% rename from lib/gssapi/preauth/pa_common.c rename to lib/gss_preauth/pa_common.c index 05bcdb7f7..e58ca3131 100644 --- a/lib/gssapi/preauth/pa_common.c +++ b/lib/gss_preauth/pa_common.c @@ -30,13 +30,12 @@ * SUCH DAMAGE. */ -#include "krb5_locl.h" -#include "mech_locl.h" - -#include +#include +#include #include -#include +#include "gss-preauth-protos.h" +#include "gss-preauth-private.h" krb5_error_code _krb5_gss_map_error(OM_uint32 major, OM_uint32 minor) @@ -58,18 +57,18 @@ _krb5_gss_map_error(OM_uint32 major, OM_uint32 minor) ret = KRB5_PRINC_NOMATCH; break; case GSS_S_NO_CRED: - ret = KRB5_CC_NOTFOUND; - break; + ret = KRB5_CC_NOTFOUND; + break; case GSS_S_BAD_MIC: case GSS_S_DEFECTIVE_CREDENTIAL: ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; break; case GSS_S_FAILURE: - if (minor == (OM_uint32)KRB5KRB_AP_ERR_BAD_INTEGRITY || - minor == (OM_uint32)HNTLM_ERR_AUTH) { - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - break; - } + if (minor == (OM_uint32)KRB5KRB_AP_ERR_BAD_INTEGRITY || + minor == (OM_uint32)HNTLM_ERR_AUTH) { + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + break; + } default: ret = KRB5KDC_ERR_PREAUTH_FAILED; break; @@ -99,7 +98,10 @@ _krb5_gss_pa_derive_key(krb5_context context, if (ret) return ret; - _gss_mg_encode_le_uint32(nonce, &saltdata[8]); + saltdata[ 8] = (nonce >> 0 ) & 0xFF; + saltdata[ 9] = (nonce >> 8 ) & 0xFF; + saltdata[10] = (nonce >> 16) & 0xFF; + saltdata[11] = (nonce >> 24) & 0xFF; salt.value = saltdata; salt.length = sizeof(saltdata); 
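Review bot: `krb5_gss_set_init_creds` in lib/gss_preauth/pa_client.c keeps a public-looking `krb5_` name but loses `GSSAPI_LIB_FUNCTION`/`GSSAPI_LIB_CALL`, and the same patch removes it from libgssapi-exports.def and version-script.map, so anything that resolved it from libgssapi will stop linking. The commit message does not say that the symbol is leaving the library ABI. A comment above the definition would record the new status, for example `/* Not exported: linked statically into kinit and libkdc through libgss_preauth. */`. The function body continues outside the hunk.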
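Review bot: In `_krb5_gss_pa_derive_key` (lib/gss_preauth/pa_common.c) the nonce is now written into `saltdata[8]` through `saltdata[11]` by four hand-written shifts, with the offset and the little-endian order left implicit. The salt feeds a key derivation that client and KDC presumably have to reproduce byte for byte, so the layout deserves a comment on the first store, e.g. `/* nonce, 32-bit little-endian, at salt offset 8 */`. The declarations of `nonce` and `saltdata` are outside the hunk. If `nonce` is a signed type, casting once before shifting (`uint32_t n = (uint32_t)nonce;`) avoids implementation-defined right shifts of negative values.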
@@ -115,7 +117,10 @@ _krb5_gss_pa_derive_key(krb5_context context, ret = krb5_copy_keyblock(context, &kdkey, keyblock); - _gss_secure_release_buffer(&minor, &dkey); + if (dkey.value) { + memset_s(dkey.value, dkey.length, 0, dkey.length); + gss_release_buffer(&minor, &dkey); + } return ret; } 
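Review bot: The wipe of `dkey` at the end of `_krb5_gss_pa_derive_key` open-codes what `_gss_secure_release_buffer` did, and nothing on these lines says why the buffer is cleared before `gss_release_buffer`. `dkey` appears to hold key material, since it is released right after `krb5_copy_keyblock(context, &kdkey, keyblock)`; a comment such as `/* dkey is key material: clear it before handing the buffer back */` would keep a later cleanup from collapsing this to a plain release. `memset_s` is used without a visible include or configure check in this patch, so its availability on every supported platform (presumably through roken) should be confirmed. Only the final exit path is visible here; any earlier return taken after `dkey` is filled would need the same treatment.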
@@ -148,42 +153,42 @@ _krb5_gss_pa_unparse_name(krb5_context context, name_buf.value = name; major = gss_import_name(&minor, &name_buf, - GSS_KRB5_NT_PRINCIPAL_NAME, namep); + GSS_KRB5_NT_PRINCIPAL_NAME, namep); if (major == GSS_S_BAD_NAMETYPE) { - gss_OID name_type = GSS_C_NO_OID; - int flags = 0; + gss_OID name_type = GSS_C_NO_OID; + int flags = 0; - if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { - name_type = GSS_C_NT_USER_NAME; - } else if (principal->name.name_type == KRB5_NT_PRINCIPAL) { - flags = KRB5_PRINCIPAL_UNPARSE_SHORT; - name_type = GSS_C_NT_USER_NAME; - } else if ((principal->name.name_type == KRB5_NT_SRV_HST || - principal->name.name_type == KRB5_NT_SRV_INST) && - principal->name.name_string.len == 2) { - flags = KRB5_PRINCIPAL_UNPARSE_NO_REALM; - name_type = GSS_C_NT_HOSTBASED_SERVICE; - } + if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) { + name_type = GSS_C_NT_USER_NAME; + } else if (principal->name.name_type == KRB5_NT_PRINCIPAL) { + flags = KRB5_PRINCIPAL_UNPARSE_SHORT; + name_type = GSS_C_NT_USER_NAME; + } else if ((principal->name.name_type == KRB5_NT_SRV_HST || + principal->name.name_type == KRB5_NT_SRV_INST) && + principal->name.name_string.len == 2) { + flags = KRB5_PRINCIPAL_UNPARSE_NO_REALM; + name_type = GSS_C_NT_HOSTBASED_SERVICE; + } - if (flags) { - krb5_xfree(name); + if (flags) { + krb5_xfree(name); - ret = krb5_unparse_name_flags(context, principal, flags, &name); - if (ret) - return ret; + ret = krb5_unparse_name_flags(context, principal, flags, &name); + if (ret) + return ret; - if (gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE)) { - char *inst = strchr(name, '/'); - if (inst) - *inst = '@'; - } + if (gss_oid_equal(name_type, GSS_C_NT_HOSTBASED_SERVICE)) { + char *inst = strchr(name, '/'); + if (inst) + *inst = '@'; + } - name_buf.length = strlen(name); - name_buf.value = name; - } + name_buf.length = strlen(name); + name_buf.value = name; + } - if (name_type) - major = 
gss_import_name(&minor, &name_buf, name_type, namep); + if (name_type) + major = gss_import_name(&minor, &name_buf, name_type, namep); } if (name != principal->name.name_string.val[0]) diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am index 33de29bd8..cb4960840 100644 --- a/lib/gssapi/Makefile.am +++ b/lib/gssapi/Makefile.am @@ -13,7 +13,6 @@ AM_CPPFLAGS += \ -I$(srcdir)/krb5 \ -I$(srcdir)/spnego \ -I$(srcdir)/sanon \ - -I$(srcdir)/preauth \ $(INCLUDE_libintl) lib_LTLIBRARIES = libgssapi.la test_negoex_mech.la @@ -251,17 +250,12 @@ sanonsrc = \ sanon/release_name.c \ sanon/sanon-private.h -preauthsrc = \ - preauth/pa_client.c \ - preauth/pa_common.c - dist_libgssapi_la_SOURCES = \ $(krb5src) \ $(mechsrc) \ $(ntlmsrc) \ $(spnegosrc) \ - $(sanonsrc) \ - $(preauthsrc) + $(sanonsrc) nodist_libgssapi_la_SOURCES = \ gkrb5_err.c \ @@ -295,7 +289,6 @@ noinst_HEADERS = \ $(srcdir)/ntlm/ntlm-private.h \ $(srcdir)/spnego/spnego-private.h \ $(srcdir)/sanon/sanon-private.h \ - $(srcdir)/preauth/pa-private.h \ $(srcdir)/krb5/gsskrb5-private.h nobase_include_HEADERS = \ @@ -303,7 +296,6 @@ nobase_include_HEADERS = \ gssapi/gssapi_krb5.h \ gssapi/gssapi_ntlm.h \ gssapi/gssapi_oid.h \ - gssapi/gssapi_preauth.h \ gssapi/gssapi_spnego.h gssapidir = $(includedir)/gssapi @@ -327,8 +319,7 @@ BUILTHEADERS = \ $(srcdir)/krb5/gsskrb5-private.h \ $(srcdir)/spnego/spnego-private.h \ $(srcdir)/sanon/sanon-private.h \ - $(srcdir)/ntlm/ntlm-private.h \ - $(srcdir)/preauth/pa-private.h + $(srcdir)/ntlm/ntlm-private.h $(libgssapi_la_OBJECTS): $(BUILTHEADERS) $(test_context_OBJECTS): $(BUILTHEADERS) 
@@ -365,9 +356,6 @@ $(srcdir)/spnego/spnego-private.h: $(srcdir)/sanon/sanon-private.h: cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p sanon/sanon-private.h $(sanonsrc) || rm -f sanon/sanon-private.h -$(srcdir)/preauth/pa-private.h: - cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p preauth/pa-private.h $(preauthsrc) || rm -f preauth/pa-private.h - TESTS = test_oid test_names test_cfx # test_sequence diff --git a/lib/gssapi/NTMakefile b/lib/gssapi/NTMakefile index 7580b39e6..fe103f272 100644 --- a/lib/gssapi/NTMakefile +++ b/lib/gssapi/NTMakefile @@ -261,10 +261,6 @@ sanonsrc = \ sanon/release_cred.c \ sanon/release_name.c -preauthsrc = \ - preauth/pa_client.c \ - preauth/pa_common.c - $(OBJ)\ntlm\ntlm-private.h: $(ntlmsrc) $(PERL) ../../cf/make-proto.pl -q -P remove -p $@ $(ntlmsrc) @@ -277,9 +273,6 @@ $(OBJ)\spnego\spnego-private.h: $(spnegosrc) $(OBJ)\sanon\sanon-private.h: $(sanonsrc) $(PERL) ../../cf/make-proto.pl -q -P remove -p $@ $(sanonsrc) -$(OBJ)\preauth\pa-private.h: $(preauthsrc) - $(PERL) ../../cf/make-proto.pl -q -P remove -p $@ $(preauthsrc) - gssapi_files = $(OBJ)\gssapi\asn1_gssapi_asn1.x spnego_files = $(OBJ)\spnego\asn1_spnego_asn1.x @@ -320,12 +313,10 @@ INCFILES= \ $(INCDIR)\gssapi\gssapi_oid.h \ $(INCDIR)\gssapi\gssapi_ntlm.h \ $(INCDIR)\gssapi\gssapi_spnego.h \ - $(INCDIR)\gssapi\gssapi_preauth.h \ $(INCDIR)\gssapi\gkrb5_err.h \ $(OBJ)\ntlm\ntlm-private.h \ $(OBJ)\spnego\spnego-private.h \ $(OBJ)\sanon\sanon-private.h \ - $(OBJ)\preauth\pa-private.h \ $(OBJ)\krb5\gsskrb5-private.h \ $(OBJ)\gkrb5_err.h \ $(OBJ)\negoex_err.h \ @@ -542,8 +533,6 @@ libgssapi_OBJs = \ $(OBJ)\sanon/process_context_token.obj \ $(OBJ)\sanon/release_cred.obj \ $(OBJ)\sanon/release_name.obj \ - $(OBJ)\preauth/pa_client.obj \ - $(OBJ)\preauth/pa_common.obj \ $(OBJ)\gkrb5_err.obj \ $(OBJ)\negoex_err.obj \ $(spnego_files:.x=.obj) \ 
@@ -581,12 +570,6 @@ GCOPTS=-I$(SRCDIR) -I$(OBJ) -Igssapi -DBUILD_GSSAPI_LIB {sanon}.c{$(OBJ)\sanon}.obj:: $(C2OBJ_NP) -Fo$(OBJ)\sanon\ -Fd$(OBJ)\sanon\ -I$(OBJ)\sanon -I$(OBJ) -I$(OBJ)\krb5 -I$(OBJ)\gssapi -Ikrb5 -Imech -Igssapi $(GCOPTS) -DASN1_LIB -{$(OBJ)\preauth}.c{$(OBJ)\preauth}.obj:: - $(C2OBJ_NP) -Fo$(OBJ)\preauth\ -Fd$(OBJ)\preauth\ -I$(OBJ)\preauth -I$(OBJ) -I$(OBJ)\krb5 -I$(OBJ)\gssapi -Ikrb5 -Imech -Igssapi $(GCOPTS) - -{preauth}.c{$(OBJ)\preauth}.obj:: - $(C2OBJ_NP) -Fo$(OBJ)\preauth\ -Fd$(OBJ)\preauth\ -I$(OBJ)\preauth -I$(OBJ) -I$(OBJ)\krb5 -I$(OBJ)\gssapi -Ikrb5 -Imech -Igssapi $(GCOPTS) -DASN1_LIB - {$(OBJ)\gssapi}.c{$(OBJ)\gssapi}.obj:: $(C2OBJ_NP) -Fo$(OBJ)\gssapi\ -Fd$(OBJ)\gssapi\ -I$(OBJ)\gssapi $(GCOPTS) @@ -677,9 +660,6 @@ mkdirs-gss: !if !exist($(OBJ)\gssapi) $(MKDIR) $(OBJ)\gssapi !endif -!if !exist($(OBJ)\preauth) - $(MKDIR) $(OBJ)\preauth -!endif clean:: -$(RM) $(OBJ)\ntlm\*.* @@ -688,7 +668,6 @@ clean:: -$(RM) $(OBJ)\mech\*.* -$(RM) $(OBJ)\sanon\*.* -$(RM) $(OBJ)\gssapi\*.* - -$(RM) $(OBJ)\preauth\*.* all-tools:: $(BINDIR)\gsstool.exe diff --git a/lib/gssapi/libgssapi-exports.def b/lib/gssapi/libgssapi-exports.def index 3a14e30d3..ec5b46423 100644 --- a/lib/gssapi/libgssapi-exports.def +++ b/lib/gssapi/libgssapi-exports.def @@ -123,14 +123,6 @@ EXPORTS gsskrb5_set_send_to_kdc gsskrb5_set_time_offset krb5_gss_register_acceptor_identity - krb5_gss_set_init_creds - - _krb5_gss_data_to_buffer - _krb5_gss_buffer_to_data - _krb5_gss_map_error - _krb5_gss_pa_parse_name - _krb5_gss_pa_unparse_name - _krb5_gss_pa_derive_key ; _gsskrb5cfx_ are really internal symbols, but export ; then now to make testing easier. diff --git a/lib/gssapi/version-script.map b/lib/gssapi/version-script.map index 2ea9e47c5..b1bd35f0d 100644 --- a/lib/gssapi/version-script.map +++ b/lib/gssapi/version-script.map 
@@ -117,7 +117,6 @@ HEIMDAL_GSS_2.0 { gsskrb5_set_send_to_kdc; gsskrb5_set_time_offset; krb5_gss_register_acceptor_identity; - krb5_gss_set_init_creds; gss_display_mech_attr; gss_inquire_attrs_for_mech; gss_indicate_mechs_by_attrs; @@ -135,13 +134,6 @@ HEIMDAL_GSS_2.0 { _gsskrb5cfx_wrap_length_cfx; _gssapi_wrap_size_cfx; - _krb5_gss_data_to_buffer; - _krb5_gss_buffer_to_data; - _krb5_gss_map_error; - _krb5_gss_pa_parse_name; - _krb5_gss_pa_unparse_name; - _krb5_gss_pa_derive_key; - __gss_krb5_copy_ccache_x_oid_desc; __gss_krb5_get_tkt_flags_x_oid_desc; __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc; diff --git a/windows/NTMakefile.w32 b/windows/NTMakefile.w32 index 1847a805f..47df51042 100644 --- a/windows/NTMakefile.w32 +++ b/windows/NTMakefile.w32 @@ -577,6 +577,7 @@ LIBASN1 =$(LIBDIR)\libasn1.lib LIBCOMERR =$(LIBDIR)\libcom_err.lib LIBEDITLINE =$(LIBDIR)\libeditline.lib LIBGSSAPI =$(LIBDIR)\libgssapi.lib +LIBGSS_PREAUTH=$(LIBDIR)\libgss_preauth.lib LIBHCRYPTO =$(LIBDIR)\libhcrypto.lib LIBHDB =$(LIBDIR)\libhdb.lib LIBHEIMBASE =$(LIBDIR)\libheimbase.lib