From 7097787a21bc2238d7fc4dab7c418ad887afa056 Mon Sep 17 00:00:00 2001
From: Asanka Herath <asanka@secure-endpoints.com>
Date: Tue, 24 Nov 2009 21:56:41 -0800
Subject: [PATCH 1/9] Make com_err build on windows

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 lib/com_err/libcom_err-exports.def | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 lib/com_err/libcom_err-exports.def

diff --git a/lib/com_err/libcom_err-exports.def b/lib/com_err/libcom_err-exports.def
new file mode 100644
index 000000000..974ec2ae3
--- /dev/null
+++ b/lib/com_err/libcom_err-exports.def
@@ -0,0 +1,12 @@
+EXPORTS
+	com_right
+	free_error_table
+	initialize_error_table_r
+	add_to_error_table
+	com_err
+	com_err_va
+	error_message
+	error_table_name
+	init_error_table
+	reset_com_err_hook
+	set_com_err_hook

From caf8f875982e6b41a1ee20136050d43cbe8c5959 Mon Sep 17 00:00:00 2001
From: Asanka Herath <asanka@secure-endpoints.com>
Date: Tue, 24 Nov 2009 21:59:12 -0800
Subject: [PATCH 2/9] Make hdb build on windows

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 lib/hdb/hdb-sqlite.c       | 15 +++---
 lib/hdb/libhdb-exports.def | 95 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+), 8 deletions(-)
 create mode 100644 lib/hdb/libhdb-exports.def

diff --git a/lib/hdb/hdb-sqlite.c b/lib/hdb/hdb-sqlite.c
index be59ebc40..ee3e88186 100644
--- a/lib/hdb/hdb-sqlite.c
+++ b/lib/hdb/hdb-sqlite.c
@@ -389,6 +389,8 @@ hdb_sqlite_fetch(krb5_context context, HDB *db, krb5_const_principal principal,
     krb5_error_code ret;
     char *principal_string;
     hdb_sqlite_db *hsdb = (hdb_sqlite_db*)(db->hdb_db);
+    sqlite3_stmt *fetch = hsdb->fetch;
+    krb5_data value;
 
     ret = krb5_unparse_name(context, principal, &principal_string);
     if (ret) {
@@ -396,7 +398,6 @@ hdb_sqlite_fetch(krb5_context context, HDB *db, krb5_const_principal principal,
         return ret;
     }
 
-    sqlite3_stmt *fetch = hsdb->fetch;
     sqlite3_bind_text(fetch, 1, principal_string, -1, SQLITE_STATIC);
 
     sqlite_error = hdb_sqlite_step(context, hsdb->db, fetch);
@@ -421,7 +422,6 @@ hdb_sqlite_fetch(krb5_context context, HDB *db, krb5_const_principal principal,
         }
     }
 
-    krb5_data value;
     value.length = sqlite3_column_bytes(fetch, 0);
     value.data = (void *) sqlite3_column_blob(fetch, 0);
 
@@ -487,6 +487,8 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
     const HDB_Ext_Aliases *aliases;
 
     hdb_sqlite_db *hsdb = (hdb_sqlite_db *)(db->hdb_db);
+    krb5_data value;
+    sqlite3_stmt *get_ids = hsdb->get_ids;
 
     ret = hdb_sqlite_exec_stmt(context, hsdb->db,
                                "BEGIN IMMEDIATE TRANSACTION", EINVAL);
@@ -507,14 +509,11 @@ hdb_sqlite_store(krb5_context context, HDB *db, unsigned flags,
         goto rollback;
     }
 
-    krb5_data value;
     ret = hdb_entry2value(context, &entry->entry, &value);
     if(ret) {
         goto rollback;
     }
 
-    sqlite3_stmt *get_ids = hsdb->get_ids;
-
     sqlite3_bind_text(get_ids, 1, principal_string, -1, SQLITE_STATIC);
     ret = hdb_sqlite_step(context, hsdb->db, get_ids);
 
@@ -664,12 +663,13 @@ static krb5_error_code
 hdb_sqlite_destroy(krb5_context context, HDB *db)
 {
     int ret;
+    hdb_sqlite_db *hsdb;
 
     ret = hdb_clear_master_key(context, db);
 
     hdb_sqlite_close_database(context, db);
 
-    hdb_sqlite_db *hsdb = (hdb_sqlite_db*)(db->hdb_db);
+    hsdb = (hdb_sqlite_db*)(db->hdb_db);
 
     free(hsdb->db_file);
     free(db->hdb_db);
@@ -786,6 +786,7 @@ hdb_sqlite_remove(krb5_context context, HDB *db,
     krb5_error_code ret;
     char *principal_string;
     hdb_sqlite_db *hsdb = (hdb_sqlite_db*)(db->hdb_db);
+    sqlite3_stmt *remove = hsdb->remove;
     
     ret = krb5_unparse_name(context, principal, &principal_string);
     if (ret) {
@@ -793,8 +794,6 @@ hdb_sqlite_remove(krb5_context context, HDB *db,
         return ret;
     }
 
-    sqlite3_stmt *remove = hsdb->remove;
-
     sqlite3_bind_text(remove, 1, principal_string, -1, SQLITE_STATIC);
 
     ret = hdb_sqlite_step(context, hsdb->db, remove);
diff --git a/lib/hdb/libhdb-exports.def b/lib/hdb/libhdb-exports.def
new file mode 100644
index 000000000..008088457
--- /dev/null
+++ b/lib/hdb/libhdb-exports.def
@@ -0,0 +1,95 @@
+EXPORTS
+	encode_hdb_keyset
+	hdb_add_master_key
+	hdb_check_db_format
+	hdb_clear_extension
+	hdb_clear_master_key
+	hdb_create
+	hdb_db_dir
+	hdb_dbinfo_get_acl_file
+	hdb_dbinfo_get_binding
+	hdb_dbinfo_get_dbname
+	hdb_dbinfo_get_label
+	hdb_dbinfo_get_log_file
+	hdb_dbinfo_get_mkey_file
+	hdb_dbinfo_get_next
+	hdb_dbinfo_get_realm
+	hdb_default_db
+	hdb_enctype2key
+	hdb_entry2string
+	hdb_entry2value
+	hdb_entry_alias2value
+	hdb_entry_check_mandatory
+	hdb_entry_clear_password
+	hdb_entry_get_ConstrainedDelegACL
+	hdb_entry_get_aliases
+	hdb_entry_get_password
+	hdb_entry_get_pkinit_acl
+	hdb_entry_get_pkinit_cert
+	hdb_entry_get_pkinit_hash
+	hdb_entry_get_pw_change_time
+	hdb_entry_set_password
+	hdb_entry_set_pw_change_time
+	hdb_find_extension
+	hdb_foreach
+	hdb_free_dbinfo
+	hdb_free_entry
+	hdb_free_key
+	hdb_free_keys
+	hdb_free_master_key
+	hdb_generate_key_set
+	hdb_generate_key_set_password
+	hdb_get_dbinfo
+	hdb_init_db
+	hdb_key2principal
+	hdb_list_builtin
+	hdb_lock
+	hdb_next_enctype2key
+	hdb_principal2key
+	hdb_print_entry
+	hdb_process_master_key
+	hdb_read_master_key
+	hdb_replace_extension
+	hdb_seal_key
+	hdb_seal_key_mkey
+	hdb_seal_keys
+	hdb_seal_keys_mkey
+	hdb_set_master_key
+	hdb_set_master_keyfile
+	hdb_unlock
+	hdb_unseal_key
+	hdb_unseal_key_mkey
+	hdb_unseal_keys
+	hdb_unseal_keys_mkey
+	hdb_value2entry
+	hdb_value2entry_alias
+	hdb_write_master_key
+	length_hdb_keyset
+
+	hdb_kt_ops
+
+; some random bits needed for libkadm
+	copy_Event
+	copy_HDB_extensions
+	copy_Key
+	copy_Salt
+	decode_HDB_extension
+	encode_HDB_Ext_Aliases
+	free_Event
+	free_HDB_extension
+	free_HDB_extensions
+	free_Key
+	free_hdb_entry
+	asn1_HDBFlags_units
+	HDBFlags2int
+	int2HDBFlags
+	length_HDB_Ext_Aliases
+	decode_HDB_Ext_PKINIT_acl
+	free_HDB_Ext_PKINIT_acl
+	decode_HDB_Ext_Aliases
+	free_HDB_Ext_Aliases
+	length_HDB_extension
+	encode_HDB_extension
+	length_HDB_Ext_PKINIT_acl
+	encode_HDB_Ext_PKINIT_acl
+

From b191b1e12fb58013d0a3e40b2008582bbfbaedad Mon Sep 17 00:00:00 2001
From: Asanka Herath <asanka@secure-endpoints.com>
Date: Tue, 24 Nov 2009 22:19:37 -0800
Subject: [PATCH 3/9] Make kdc build on windows

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 configure.ac           |  3 ++
 include/config.h.w32   |  3 --
 kadmin/kadm_conn.c     |  2 +
 kdc/connect.c          | 94 +++++++++++++++++++++++-------------------
 kdc/hprop.c            | 14 ++++++-
 kdc/hpropd.c           | 39 +++++++++++-------
 kdc/kstash.c           | 10 ++++-
 kdc/libkdc-exports.def | 12 ++++++
 kdc/main.c             | 10 +++++
 lib/roken/mini_inetd.c |  2 +-
 10 files changed, 125 insertions(+), 64 deletions(-)
 create mode 100644 kdc/libkdc-exports.def

diff --git a/configure.ac b/configure.ac
index a599b3e91..5bca7c6c0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -195,6 +195,9 @@ AM_CONDITIONAL(KRB4, false)
 AM_CONDITIONAL(KRB5, true)
 AM_CONDITIONAL(do_roken_rename, true)
 
+AC_DEFINE(SUPPORT_INETD, 1, [Enable use of inetd style startup.])dnl
+
+
 AC_DEFINE(KRB5, 1, [Enable Kerberos 5 support in applications.])dnl
 AC_SUBST(LIB_kdb)dnl
 
diff --git a/include/config.h.w32 b/include/config.h.w32
index 8b480884f..5f12064b3 100644
--- a/include/config.h.w32
+++ b/include/config.h.w32
@@ -1362,9 +1362,6 @@ static const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define if the Unix rand method is not defined */
 #define NO_RAND_UNIX_METHOD 1
 
-/* Define if fd_sets aren't limited to FD_SETSIZE sockets */
-#define NO_LIMIT_FD_SETSIZE 1
-
 /* Define if PID files should not be used. */
 #define NO_PIDFILES 1
 
diff --git a/kadmin/kadm_conn.c b/kadmin/kadm_conn.c
index 393a6c1eb..9cc2293f5 100644
--- a/kadmin/kadm_conn.c
+++ b/kadmin/kadm_conn.c
@@ -175,8 +175,10 @@ wait_for_connection(krb5_context context,
     FD_ZERO(&orig_read_set);
 
     for(i = 0; i < num_socks; i++) {
+#ifdef FD_SETSIZE
 	if (socks[i] >= FD_SETSIZE)
 	    errx (1, "fd too large");
+#endif
 	FD_SET(socks[i], &orig_read_set);
 	max_fd = max(max_fd, socks[i]);
     }
diff --git a/kdc/connect.c b/kdc/connect.c
index c9b0ec538..318179b38 100644
--- a/kdc/connect.c
+++ b/kdc/connect.c
@@ -217,7 +217,7 @@ parse_ports(krb5_context context,
  */
 
 struct descr {
-    int s;
+    krb5_socket_t s;
     int type;
     int port;
     unsigned char *buf;
@@ -235,7 +235,7 @@ init_descr(struct descr *d)
 {
     memset(d, 0, sizeof(*d));
     d->sa = (struct sockaddr *)&d->__ss;
-    d->s = -1;
+    d->s = rk_INVALID_SOCKET;
 }
 
 /*
@@ -270,8 +270,8 @@ init_socket(krb5_context context,
     ret = krb5_addr2sockaddr (context, a, sa, &sa_size, port);
     if (ret) {
 	krb5_warn(context, ret, "krb5_addr2sockaddr");
-	close(d->s);
-	d->s = -1;
+	rk_closesocket(d->s);
+	d->s = rk_INVALID_SOCKET;
 	return;
     }
 
@@ -279,9 +279,9 @@ init_socket(krb5_context context,
 	return;
 
     d->s = socket(family, type, 0);
-    if(d->s < 0){
+    if(rk_IS_BAD_SOCKET(d->s)){
 	krb5_warn(context, errno, "socket(%d, %d, 0)", family, type);
-	d->s = -1;
+	d->s = rk_INVALID_SOCKET;
 	return;
     }
 #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_REUSEADDR)
@@ -293,24 +293,24 @@ init_socket(krb5_context context,
     d->type = type;
     d->port = port;
 
-    if(bind(d->s, sa, sa_size) < 0){
+    if(rk_IS_SOCKET_ERROR(bind(d->s, sa, sa_size))){
 	char a_str[256];
 	size_t len;
 
 	krb5_print_address (a, a_str, sizeof(a_str), &len);
 	krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port));
-	close(d->s);
-	d->s = -1;
+	rk_closesocket(d->s);
+	d->s = rk_INVALID_SOCKET;
 	return;
     }
-    if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){
+    if(type == SOCK_STREAM && rk_IS_SOCKET_ERROR(listen(d->s, SOMAXCONN))){
 	char a_str[256];
 	size_t len;
 
 	krb5_print_address (a, a_str, sizeof(a_str), &len);
 	krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port));
-	close(d->s);
-	d->s = -1;
+	rk_closesocket(d->s);
+	d->s = rk_INVALID_SOCKET;
 	return;
     }
 }
@@ -348,7 +348,7 @@ init_sockets(krb5_context context,
 	for (j = 0; j < addresses.len; ++j) {
 	    init_socket(context, config, &d[num], &addresses.val[j],
 			ports[i].family, ports[i].type, ports[i].port);
-	    if(d[num].s != -1){
+	    if(d[num].s != rk_INVALID_SOCKET){
 		char a_str[80];
 		size_t len;
 
@@ -423,15 +423,16 @@ send_reply(krb5_context context,
 	l[1] = (reply->length >> 16) & 0xff;
 	l[2] = (reply->length >> 8) & 0xff;
 	l[3] = reply->length & 0xff;
-	if(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len) < 0) {
+	if(rk_IS_SOCKET_ERROR(sendto(d->s, l, sizeof(l), 0, d->sa, d->sock_len))) {
 	    kdc_log (context, config,
-		     0, "sendto(%s): %s", d->addr_string, strerror(errno));
+		     0, "sendto(%s): %s", d->addr_string,
+		     strerror(rk_SOCK_ERRNO));
 	    return;
 	}
     }
-    if(sendto(d->s, reply->data, reply->length, 0, d->sa, d->sock_len) < 0) {
-	kdc_log (context, config,
-		 0, "sendto(%s): %s", d->addr_string, strerror(errno));
+    if(rk_IS_SOCKET_ERROR(sendto(d->s, reply->data, reply->length, 0, d->sa, d->sock_len))) {
+	kdc_log (context, config, 0, "sendto(%s): %s", d->addr_string,
+		 strerror(rk_SOCK_ERRNO));
 	return;
     }
 }
@@ -489,9 +490,9 @@ handle_udp(krb5_context context,
 
     d->sock_len = sizeof(d->__ss);
     n = recvfrom(d->s, buf, max_request_udp, 0, d->sa, &d->sock_len);
-    if(n < 0) {
-	krb5_warn(context, errno, "recvfrom");
-    } else {
+    if(rk_IS_SOCKET_ERROR(n))
+	krb5_warn(context, rk_SOCK_ERRNO, "recvfrom");
+    else {
 	addr_to_string (context, d->sa, d->sock_len,
 			d->addr_string, sizeof(d->addr_string));
 	if (n == max_request_udp) {
@@ -523,9 +524,9 @@ clear_descr(struct descr *d)
     if(d->buf)
 	memset(d->buf, 0, d->size);
     d->len = 0;
-    if(d->s != -1)
-	close(d->s);
-    d->s = -1;
+    if(d->s != rk_INVALID_SOCKET)
+	rk_closesocket(d->s);
+    d->s = rk_INVALID_SOCKET;
 }
 
 
@@ -559,23 +560,25 @@ add_new_tcp (krb5_context context,
 	     krb5_kdc_configuration *config,
 	     struct descr *d, int parent, int child)
 {
-    int s;
+    krb5_socket_t s;
 
     if (child == -1)
 	return;
 
     d[child].sock_len = sizeof(d[child].__ss);
     s = accept(d[parent].s, d[child].sa, &d[child].sock_len);
-    if(s < 0) {
-	krb5_warn(context, errno, "accept");
+    if(rk_IS_BAD_SOCKET(s)) {
+	krb5_warn(context, rk_SOCK_ERRNO, "accept");
 	return;
     }
-	
+
+#ifdef FD_SETSIZE
     if (s >= FD_SETSIZE) {
 	krb5_warnx(context, "socket FD too large");
-	close (s);
+	rk_closesocket (s);
 	return;
     }
+#endif
 
     d[child].s = s;
     d[child].timeout = time(NULL) + TCP_TIMEOUT;
@@ -718,14 +721,14 @@ handle_http_tcp (krb5_context context,
 	kdc_log(context, config, 0, "HTTP request from %s is non KDC request", d->addr_string);
 	kdc_log(context, config, 5, "HTTP request: %s", t);
 	free(data);
-	if (write(d->s, proto, strlen(proto)) < 0) {
+	if (rk_IS_SOCKET_ERROR(send(d->s, proto, strlen(proto), 0))) {
 	    kdc_log(context, config, 0, "HTTP write failed: %s: %s",
-		    d->addr_string, strerror(errno));
+		    d->addr_string, strerror(rk_SOCK_ERRNO));
 	    return -1;
 	}
-	if (write(d->s, msg, strlen(msg)) < 0) {
+	if (rk_IS_SOCKET_ERROR(send(d->s, msg, strlen(msg), 0))) {
 	    kdc_log(context, config, 0, "HTTP write failed: %s: %s",
-		    d->addr_string, strerror(errno));
+		    d->addr_string, strerror(rk_SOCK_ERRNO));
 	    return -1;
 	}
 	return -1;
@@ -738,16 +741,16 @@ handle_http_tcp (krb5_context context,
 	    "Pragma: no-cache\r\n"
 	    "Content-type: application/octet-stream\r\n"
 	    "Content-transfer-encoding: binary\r\n\r\n";
-	if (write(d->s, proto, strlen(proto)) < 0) {
+	if (rk_IS_SOCKET_ERROR(send(d->s, proto, strlen(proto), 0))) {
 	    free(data);
 	    kdc_log(context, config, 0, "HTTP write failed: %s: %s",
-		    d->addr_string, strerror(errno));
+		    d->addr_string, strerror(rk_SOCK_ERRNO));
 	    return -1;
 	}
-	if (write(d->s, msg, strlen(msg)) < 0) {
+	if (rk_IS_SOCKET_ERROR(send(d->s, msg, strlen(msg), 0))) {
 	    free(data);
 	    kdc_log(context, config, 0, "HTTP write failed: %s: %s",
-		    d->addr_string, strerror(errno));
+		    d->addr_string, strerror(rk_SOCK_ERRNO));
 	    return -1;
 	}
     }
@@ -778,8 +781,8 @@ handle_tcp(krb5_context context,
     }
 
     n = recvfrom(d[idx].s, buf, sizeof(buf), 0, NULL, NULL);
-    if(n < 0){
-	krb5_warn(context, errno, "recvfrom failed from %s to %s/%d",
+    if(rk_IS_SOCKET_ERROR(n)){
+	krb5_warn(context, rk_SOCK_ERRNO, "recvfrom failed from %s to %s/%d",
 		  d[idx].addr_string, descr_type(d + idx),
 		  ntohs(d[idx].port));
 	return;
@@ -865,7 +868,7 @@ loop(krb5_context context,
 
 	FD_ZERO(&fds);
 	for(i = 0; i < ndescr; i++) {
-	    if(d[i].s >= 0){
+	    if(!rk_IS_BAD_SOCKET(d[i].s)){
 		if(d[i].type == SOCK_STREAM &&
 		   d[i].timeout && d[i].timeout < time(NULL)) {
 		    kdc_log(context, config, 1,
@@ -876,8 +879,10 @@ loop(krb5_context context,
 		}
 		if(max_fd < d[i].s)
 		    max_fd = d[i].s;
+#ifdef FD_SETSIZE
 		if (max_fd >= FD_SETSIZE)
 		    krb5_errx(context, 1, "fd too large");
+#endif
 		FD_SET(d[i].s, &fds);
 	    } else if(min_free < 0 || i < min_free)
 		min_free = i;
@@ -905,11 +910,11 @@ loop(krb5_context context,
 	    break;
 	case -1:
 	    if (errno != EINTR)
-		krb5_warn(context, errno, "select");
+		krb5_warn(context, rk_SOCK_ERRNO, "select");
 	    break;
 	default:
 	    for(i = 0; i < ndescr; i++)
-		if(d[i].s >= 0 && FD_ISSET(d[i].s, &fds)) {
+		if(!rk_IS_BAD_SOCKET(d[i].s) && FD_ISSET(d[i].s, &fds)) {
 		    if(d[i].type == SOCK_DGRAM)
 			handle_udp(context, config, &d[i]);
 		    else if(d[i].type == SOCK_STREAM)
@@ -917,8 +922,11 @@ loop(krb5_context context,
 		}
 	}
     }
-    if(exit_flag == SIGXCPU)
+    if (0);
+#ifdef SIGXCPU
+    else if(exit_flag == SIGXCPU)
 	kdc_log(context, config, 0, "CPU time limit exceeded");
+#endif
     else if(exit_flag == SIGINT || exit_flag == SIGTERM)
 	kdc_log(context, config, 0, "Terminated");
     else
diff --git a/kdc/hprop.c b/kdc/hprop.c
index 432c7e28b..eb400e610 100644
--- a/kdc/hprop.c
+++ b/kdc/hprop.c
@@ -131,6 +131,7 @@ v5_prop(krb5_context context, HDB *db, hdb_entry_ex *entry, void *appdata)
     return ret;
 }
 
+#ifdef KRB4
 int
 v4_prop(void *arg, struct v4_principal *p)
 {
@@ -255,6 +256,7 @@ v4_prop(void *arg, struct v4_principal *p)
     hdb_free_entry(pd->context, &ent);
     return ret;
 }
+#endif
 
 #include "kadb.h"
 
@@ -277,6 +279,8 @@ read_block(krb5_context context, int fd, int32_t pos, void *buf, size_t len)
 	krb5_errx(context, 1, "read(%lu) = %u", (unsigned long)len, ret);
 }
 
+#ifdef KRB4
+
 static int
 ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent)
 {
@@ -405,7 +409,7 @@ ka_dump(struct prop_data *pd, const char *file)
     }
     return 0;
 }
-
+#endif	/* KRB4 */
 
 
 struct getargs args[] = {
@@ -414,13 +418,19 @@ struct getargs args[] = {
     { "source",   0,	arg_string, &source_type, "type of database to read",
       "heimdal"
       "|mit-dump"
+#ifdef KRB4
       "|krb4-dump"
       "|kaserver"
+#endif
     },
 
+#ifdef KRB4
     { "v4-realm", 'r',  arg_string, &v4_realm, "v4 realm to use" },
+#endif
     { "cell",	  'c',  arg_string, &afs_cell, "name of AFS cell" },
+#ifdef KRB4
     { "kaspecials", 'S', arg_flag,   &kaspecials_flag, "dump KASPECIAL keys"},
+#endif
     { "keytab",   'k',	arg_string, &ktname, "keytab to use for authentication", "keytab" },
     { "v5-realm", 'R',  arg_string, &local_realm, "v5 realm to use" },
     { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys" },
@@ -526,6 +536,7 @@ iterate (krb5_context context,
     int ret;
 
     switch(type) {
+#ifdef KRB4
     case HPROP_KRB4_DUMP:
 	ret = v4_prop_dump(pd, database_name);
 	if(ret)
@@ -536,6 +547,7 @@ iterate (krb5_context context,
 	if(ret)
 	    krb5_warn(context, ret, "ka_dump");
 	break;
+#endif
     case HPROP_MIT_DUMP:
 	ret = mit_prop_dump(pd, database_name);
 	if (ret)
diff --git a/kdc/hpropd.c b/kdc/hpropd.c
index c34a2c85c..625fec5b9 100644
--- a/kdc/hpropd.c
+++ b/kdc/hpropd.c
@@ -48,8 +48,10 @@ struct getargs args[] = {
     { "database", 'd', arg_string, &database, "database", "file" },
     { "stdin",    'n', arg_flag, &from_stdin, "read from stdin" },
     { "print",	    0, arg_flag, &print_dump, "print dump to stdout" },
+#ifdef SUPPORT_INETD
     { "inetd",	   'i',	arg_negative_flag,	&inetd_flag,
       "Not started from inetd" },
+#endif
     { "keytab",   'k',	arg_string, &ktname,	"keytab to use for authentication", "keytab" },
     { "realm",   'r',	arg_string, &local_realm, "realm to use" },
     { "version",    0, arg_flag, &version_flag, NULL, NULL },
@@ -74,7 +76,7 @@ main(int argc, char **argv)
     krb5_principal c1, c2;
     krb5_authenticator authent;
     krb5_keytab keytab;
-    int fd;
+    krb5_socket_t sock = rk_INVALID_SOCKET;
     HDB *db = NULL;
     int optidx = 0;
     char *tmp_db;
@@ -114,9 +116,9 @@ main(int argc, char **argv)
     if (database == NULL)
 	database = hdb_default_db(context);
 
-    if(from_stdin)
-	fd = STDIN_FILENO;
-    else {
+    if(from_stdin) {
+	sock = STDIN_FILENO;
+    } else {
 	struct sockaddr_storage ss;
 	struct sockaddr *sa = (struct sockaddr *)&ss;
 	socklen_t sin_len = sizeof(ss);
@@ -124,19 +126,24 @@ main(int argc, char **argv)
 	krb5_ticket *ticket;
 	char *server;
 
-	fd = STDIN_FILENO;
+	sock = STDIN_FILENO;
+#ifdef SUPPORT_INETD
 	if (inetd_flag == -1) {
-	    if (getpeername (fd, sa, &sin_len) < 0)
+	    if (getpeername (sock, sa, &sin_len) < 0) {
 		inetd_flag = 0;
-	    else
+	    } else {
 		inetd_flag = 1;
+	    }
 	}
+#else
+	inetd_flag = 0;
+#endif
 	if (!inetd_flag) {
 	    mini_inetd (krb5_getportbyname (context, "hprop", "tcp",
-					    HPROP_PORT), NULL);
+					    HPROP_PORT), &sock);
 	}
 	sin_len = sizeof(ss);
-	if(getpeername(fd, sa, &sin_len) < 0)
+	if(getpeername(sock, sa, &sin_len) < 0)
 	    krb5_err(context, 1, errno, "getpeername");
 
 	if (inet_ntop(sa->sa_family,
@@ -162,7 +169,7 @@ main(int argc, char **argv)
 		krb5_err (context, 1, ret, "krb5_kt_default");
 	}
 
-	ret = krb5_recvauth(context, &ac, &fd, HPROP_VERSION, NULL,
+	ret = krb5_recvauth(context, &ac, &sock, HPROP_VERSION, NULL,
 			    0, keytab, &ticket);
 	if(ret)
 	    krb5_err(context, 1, ret, "krb5_recvauth");
@@ -179,7 +186,7 @@ main(int argc, char **argv)
 	ret = krb5_auth_con_getauthenticator(context, ac, &authent);
 	if(ret)
 	    krb5_err(context, 1, ret, "krb5_auth_con_getauthenticator");
-	
+
 	ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL);
 	if(ret)
 	    krb5_err(context, 1, ret, "krb5_make_principal");
@@ -217,11 +224,11 @@ main(int argc, char **argv)
 	hdb_entry_ex entry;
 
 	if(from_stdin) {
-	    ret = krb5_read_message(context, &fd, &data);
+	    ret = krb5_read_message(context, &sock, &data);
 	    if(ret != 0 && ret != HEIM_ERR_EOF)
 		krb5_err(context, 1, ret, "krb5_read_message");
 	} else {
-	    ret = krb5_read_priv_message(context, ac, &fd, &data);
+	    ret = krb5_read_priv_message(context, ac, &sock, &data);
 	    if(ret)
 		krb5_err(context, 1, ret, "krb5_read_priv_message");
 	}
@@ -230,7 +237,7 @@ main(int argc, char **argv)
 	    if(!from_stdin) {
 		data.data = NULL;
 		data.length = 0;
-		krb5_write_priv_message(context, ac, &fd, &data);
+		krb5_write_priv_message(context, ac, &sock, &data);
 	    }
 	    if(!print_dump) {
 		ret = db->hdb_rename(context, db, database);
@@ -267,5 +274,9 @@ main(int argc, char **argv)
     }
     if (!print_dump)
 	krb5_log(context, fac, 0, "Received %d principals", nprincs);
+
+    if (inetd_flag == 0)
+	rk_closesocket(sock);
+
     exit(0);
 }
diff --git a/kdc/kstash.c b/kdc/kstash.c
index ad504b29c..784525d5e 100644
--- a/kdc/kstash.c
+++ b/kdc/kstash.c
@@ -144,13 +144,19 @@ main(int argc, char **argv)
 	if(ret)
 	    unlink(new);
 	else {
+#ifndef NO_POSIX_LINKS
 	    unlink(old);
 	    if(link(keyfile, old) < 0 && errno != ENOENT) {
 		ret = errno;
 		unlink(new);
-	    } else if(rename(new, keyfile) < 0) {
-		ret = errno;
+	    } else {
+#endif
+		if(rename(new, keyfile) < 0) {
+		    ret = errno;
+		}
+#ifndef NO_POSIX_LINKS
 	    }
+#endif
 	}
     out:
 	free(old);
diff --git a/kdc/libkdc-exports.def b/kdc/libkdc-exports.def
new file mode 100644
index 000000000..b3ace1c1a
--- /dev/null
+++ b/kdc/libkdc-exports.def
@@ -0,0 +1,12 @@
+EXPORTS
+	kdc_log
+	kdc_log_msg
+	kdc_log_msg_va
+	kdc_openlog
+	krb5_kdc_windc_init
+	krb5_kdc_get_config
+	krb5_kdc_set_dbinfo
+	krb5_kdc_process_krb5_request
+	krb5_kdc_process_request
+	krb5_kdc_save_request
+	krb5_kdc_update_time
diff --git a/kdc/main.c b/kdc/main.c
index b40bd11ef..d5a117064 100644
--- a/kdc/main.c
+++ b/kdc/main.c
@@ -64,6 +64,7 @@ sigterm(int sig)
 static void
 switch_environment(void)
 {
+#ifdef HAVE_GETEUID
     if ((runas_string || chroot_string) && geteuid() != 0)
 	errx(1, "no running as root, can't switch user/chroot");
 
@@ -86,6 +87,7 @@ switch_environment(void)
 	if (setuid(pw->pw_uid) < 0)
 	    err(1, "setuid(%s)", runas_string);
     }
+#endif
 }
 
 
@@ -120,17 +122,25 @@ main(int argc, char **argv)
 
 	sigaction(SIGINT, &sa, NULL);
 	sigaction(SIGTERM, &sa, NULL);
+#ifdef SIGXCPU
 	sigaction(SIGXCPU, &sa, NULL);
+#endif
 
 	sa.sa_handler = SIG_IGN;
+#ifdef SIGPIPE
 	sigaction(SIGPIPE, &sa, NULL);
+#endif
     }
 #else
     signal(SIGINT, sigterm);
     signal(SIGTERM, sigterm);
+#ifdef SIGXCPU
     signal(SIGXCPU, sigterm);
+#endif
+#ifdef SIGPIPE
     signal(SIGPIPE, SIG_IGN);
 #endif
+#endif
 #ifdef SUPPORT_DETACH
     if (detach_from_console)
 	daemon(0, 0);
diff --git a/lib/roken/mini_inetd.c b/lib/roken/mini_inetd.c
index a9398f4fd..4d8ccb6e5 100644
--- a/lib/roken/mini_inetd.c
+++ b/lib/roken/mini_inetd.c
@@ -124,7 +124,7 @@ mini_inetd_addrinfo (struct addrinfo *ai, rk_socket_t *ret_socket)
 	    fds[i] = rk_INVALID_SOCKET;
 	    continue;
 	}
-#ifndef NO_LIMIT_FD_SETSIZE
+#ifdef FD_SETSIZE
 	if (fds[i] >= FD_SETSIZE)
 	    errx (1, "fd too large");
 #endif

From a059a70746874a84f767b2babaa89f2c6200a5d5 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha@h5l.org>
Date: Wed, 25 Nov 2009 05:03:16 -0800
Subject: [PATCH 4/9] Only accept self-signed certs within chains for strong
 hash types

---
 lib/hx509/cert.c   |  5 ++++-
 lib/hx509/crypto.c | 36 +++++++++++++++++++++++++++++-------
 2 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 452bd0ecd..4783edd68 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1023,9 +1023,12 @@ certificate_is_self_signed(hx509_context context,
     ret = _hx509_name_cmp(&cert->tbsCertificate.subject,
 			  &cert->tbsCertificate.issuer, &diff);
     *self_signed = (diff == 0);
-    if (ret)
+    if (ret) {
 	hx509_set_error_string(context, 0, ret,
 			       "Failed to check if self signed");
+    } else
+	ret = _hx509_self_signed_valid(context, &cert->signatureAlgorithm);
+
     return ret;
 }
 
diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c
index 050a0902b..bee64c145 100644
--- a/lib/hx509/crypto.c
+++ b/lib/hx509/crypto.c
@@ -87,8 +87,9 @@ struct signature_alg {
     const heim_oid *key_oid;
     const AlgorithmIdentifier *digest_alg;
     int flags;
-#define PROVIDE_CONF 1
-#define REQUIRE_SIGNER 2
+#define PROVIDE_CONF	0x1
+#define REQUIRE_SIGNER	0x2
+#define SELF_SIGNED_OK	0x4
 
 #define SIG_DIGEST	0x100
 #define SIG_PUBLIC_SIG	0x200
@@ -1200,7 +1201,7 @@ static const struct signature_alg ecdsa_with_sha256_alg = {
     &_hx509_signature_ecdsa_with_sha256_data,
     &asn1_oid_id_ecPublicKey,
     &_hx509_signature_sha256_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     ecdsa_verify_signature,
@@ -1214,7 +1215,7 @@ static const struct signature_alg ecdsa_with_sha1_alg = {
     &_hx509_signature_ecdsa_with_sha1_data,
     &asn1_oid_id_ecPublicKey,
     &_hx509_signature_sha1_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     ecdsa_verify_signature,
@@ -1243,7 +1244,7 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = {
     &_hx509_signature_rsa_with_sha1_data,
     &asn1_oid_id_pkcs1_rsaEncryption,
     NULL,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     rsa_verify_signature,
@@ -1256,7 +1257,7 @@ static const struct signature_alg rsa_with_sha256_alg = {
     &_hx509_signature_rsa_with_sha256_data,
     &asn1_oid_id_pkcs1_rsaEncryption,
     &_hx509_signature_sha256_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     rsa_verify_signature,
@@ -1269,7 +1270,7 @@ static const struct signature_alg rsa_with_sha1_alg = {
     &_hx509_signature_rsa_with_sha1_data,
     &asn1_oid_id_pkcs1_rsaEncryption,
     &_hx509_signature_sha1_data,
-    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG,
+    PROVIDE_CONF|REQUIRE_SIGNER|RA_RSA_USES_DIGEST_INFO|SIG_PUBLIC_SIG|SELF_SIGNED_OK,
     0,
     NULL,
     rsa_verify_signature,
@@ -1481,6 +1482,27 @@ _hx509_signature_best_before(hx509_context context,
     return 0;
 }
 
+int
+_hx509_self_signed_valid(hx509_context context,
+			 const AlgorithmIdentifier *alg)
+{
+    const struct signature_alg *md;
+
+    md = find_sig_alg(&alg->algorithm);
+    if (md == NULL) {
+	hx509_clear_error_string(context);
+	return HX509_SIG_ALG_NO_SUPPORTED;
+    }
+    if ((md->flags & SELF_SIGNED_OK) == 0) {
+	hx509_set_error_string(context, 0, HX509_CRYPTO_ALGORITHM_BEST_BEFORE,
+			       "Algorithm %s not trusted for self signatures",
+			       md->name);
+	return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
+    }
+    return 0;
+}
+
+
 int
 _hx509_verify_signature(hx509_context context,
 			const hx509_cert cert,

From 17bfa5d3e51dbf4b3383bc61e7648e6a61a0c401 Mon Sep 17 00:00:00 2001
From: Gabor Gombas <gombasg@sztaki.hu>
Date: Wed, 25 Nov 2009 05:05:03 -0800
Subject: [PATCH 5/9] "unix" is a built-in preprocessor symbol, so it cannot be
 used as a variable name

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 kcm/main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kcm/main.c b/kcm/main.c
index 443c71bdc..2b3af2220 100644
--- a/kcm/main.c
+++ b/kcm/main.c
@@ -110,8 +110,8 @@ main(int argc, char **argv)
 	heim_sipc mach;
 	heim_sipc_launchd_mach_init(service_name, kcm_service, NULL, &mach);
     } else {
-	heim_sipc unix;
-	heim_sipc_service_unix(service_name, kcm_service, NULL, &unix);
+	heim_sipc un;
+	heim_sipc_service_unix(service_name, kcm_service, NULL, &un);
     }
 
     heim_ipc_main();

From 55db6909fe9a6e5c82f4eb73ca4aa15cac588ece Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha@h5l.org>
Date: Wed, 25 Nov 2009 05:08:44 -0800
Subject: [PATCH 6/9] _kdc_pk_initialize needs to be exported for kdc-replay

prompted by patch from Gabor Gombas <gombasg@sztaki.hu>
---
 kdc/config.c           | 10 +++++-----
 kdc/kdc-replay.c       | 10 +++++-----
 kdc/pkinit.c           | 12 ++++++------
 kdc/version-script.map |  1 +
 4 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/kdc/config.c b/kdc/config.c
index eeff5c3f8..58ff16d0e 100644
--- a/kdc/config.c
+++ b/kdc/config.c
@@ -356,11 +356,11 @@ configure(krb5_context context, int argc, char **argv)
 	if (config->pkinit_kdc_anchors == NULL)
 	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
 
-	_kdc_pk_initialize(context, config,
-			   config->pkinit_kdc_identity,
-			   config->pkinit_kdc_anchors,
-			   config->pkinit_kdc_cert_pool,
-			   config->pkinit_kdc_revoke);
+	krb5_kdc_pk_initialize(context, config,
+			       config->pkinit_kdc_identity,
+			       config->pkinit_kdc_anchors,
+			       config->pkinit_kdc_cert_pool,
+			       config->pkinit_kdc_revoke);
 
     }
     
diff --git a/kdc/kdc-replay.c b/kdc/kdc-replay.c
index a9bc38b8c..ccfd9784d 100644
--- a/kdc/kdc-replay.c
+++ b/kdc/kdc-replay.c
@@ -95,11 +95,11 @@ main(int argc, char **argv)
 	if (config->pkinit_kdc_anchors == NULL)
 	    krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
 
-	_kdc_pk_initialize(context, config,
-			   config->pkinit_kdc_identity,
-			   config->pkinit_kdc_anchors,
-			   config->pkinit_kdc_cert_pool,
-			   config->pkinit_kdc_revoke);
+	krb5_kdc_pk_initialize(context, config,
+			       config->pkinit_kdc_identity,
+			       config->pkinit_kdc_anchors,
+			       config->pkinit_kdc_cert_pool,
+			       config->pkinit_kdc_revoke);
 
     }
 
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 0215bb5ad..099d3ebe7 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1945,12 +1945,12 @@ load_mappings(krb5_context context, const char *fn)
  */
 
 krb5_error_code
-_kdc_pk_initialize(krb5_context context,
-		   krb5_kdc_configuration *config,
-		   const char *user_id,
-		   const char *anchors,
-		   char **pool,
-		   char **revoke_list)
+krb5_kdc_pk_initialize(krb5_context context,
+		       krb5_kdc_configuration *config,
+		       const char *user_id,
+		       const char *anchors,
+		       char **pool,
+		       char **revoke_list)
 {
     const char *file;
     char *fn = NULL;
diff --git a/kdc/version-script.map b/kdc/version-script.map
index 47e90a9d4..237acc390 100644
--- a/kdc/version-script.map
+++ b/kdc/version-script.map
@@ -13,6 +13,7 @@ HEIMDAL_KDC_1.0 {
 		krb5_kdc_process_request;
 		krb5_kdc_save_request;
 		krb5_kdc_update_time;
+		krb5_kdc_pk_initialize;
 	local:
 		*;
 };

From 75a53f54fc948089f7dd9189139cdd2f1c7f416d Mon Sep 17 00:00:00 2001
From: Gabor Gombas <gombasg@sztaki.hu>
Date: Wed, 25 Nov 2009 05:10:29 -0800
Subject: [PATCH 7/9] the MIT DB code is between "#if HAVE_DB1... #endif"

use the same check in the descriptor table

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 lib/hdb/hdb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/hdb/hdb.c b/lib/hdb/hdb.c
index 913e71ad8..97de91893 100644
--- a/lib/hdb/hdb.c
+++ b/lib/hdb/hdb.c
@@ -66,6 +66,8 @@ const int hdb_interface_version = HDB_INTERFACE_VERSION;
 static struct hdb_method methods[] = {
 #if HAVE_DB1 || HAVE_DB3
     { HDB_INTERFACE_VERSION, "db:",	hdb_db_create},
+#endif
+#if HAVE_DB1
     { HDB_INTERFACE_VERSION, "mit-db:",	hdb_mdb_create},
 #endif
 #if HAVE_NDBM

From 4c37844073699882b3c3a234ce81f31c22a7e02f Mon Sep 17 00:00:00 2001
From: Gabor Gombas <gombasg@sztaki.hu>
Date: Wed, 25 Nov 2009 05:14:46 -0800
Subject: [PATCH 8/9] define KRB5_LIB_CALL in generated headers

glob.h did not define ROKEN_LIB_CALL and that caused havoc when it was
included before other roken headers, because those only check for the
existence of ROKEN_LIB_FUNCTION

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 lib/roken/fnmatch.hin | 2 +-
 lib/roken/glob.hin    | 4 +++-
 lib/roken/ifaddrs.hin | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/roken/fnmatch.hin b/lib/roken/fnmatch.hin
index 1a66d4274..fd96656de 100644
--- a/lib/roken/fnmatch.hin
+++ b/lib/roken/fnmatch.hin
@@ -36,7 +36,7 @@
 
 #ifndef ROKEN_LIB_FUNCTION
 #ifdef _WIN32
-#define ROKEN_LIB_FUNCTION __declspec(dllimport)
+#define ROKEN_LIB_FUNCTION
 #define ROKEN_LIB_CALL __stdcall
 #else
 #define ROKEN_LIB_FUNCTION
diff --git a/lib/roken/glob.hin b/lib/roken/glob.hin
index ffb608104..a4f16ce5e 100644
--- a/lib/roken/glob.hin
+++ b/lib/roken/glob.hin
@@ -37,9 +37,11 @@
 
 #ifndef ROKEN_LIB_FUNCTION
 #ifdef _WIN32
-#define ROKEN_LIB_FUNCTION _stdcall
+#define ROKEN_LIB_FUNCTION
+#define ROKEN_LIB_CALL _stdcall
 #else
 #define ROKEN_LIB_FUNCTION
+#define ROKEN_LIB_CALL
 #endif
 #endif
 
diff --git a/lib/roken/ifaddrs.hin b/lib/roken/ifaddrs.hin
index 60d985a34..ef00b63ba 100644
--- a/lib/roken/ifaddrs.hin
+++ b/lib/roken/ifaddrs.hin
@@ -38,9 +38,11 @@
 
 #ifndef ROKEN_LIB_FUNCTION
 #ifdef _WIN32
-#define ROKEN_LIB_FUNCTION _stdcall
+#define ROKEN_LIB_FUNCTION
+#define ROKEN_LIB_CALL _stdcall
 #else
 #define ROKEN_LIB_FUNCTION
+#define ROKEN_LIB_CALL
 #endif
 #endif
 

From b6fe5a95d365f8d96da232bf46a4d4fe81d772b1 Mon Sep 17 00:00:00 2001
From: Gabor Gombas <gombasg@sztaki.hu>
Date: Wed, 25 Nov 2009 05:18:49 -0800
Subject: [PATCH 9/9] kdc and kinit wanted to use some symbols that were not
 exported by  libkrb5/libkdc

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 lib/krb5/version-script.map | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map
index 898f99287..fff13a41e 100644
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -94,6 +94,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_cc_get_config;
 		krb5_cc_get_friendly_name;
 		krb5_cc_get_full_name;
+		krb5_cc_get_kdc_offset;
 		krb5_cc_get_lifetime;
 		krb5_cc_get_name;
 		krb5_cc_get_ops;
@@ -113,8 +114,10 @@ HEIMDAL_KRB5_2.0 {
 		krb5_cc_set_config;
 		krb5_cc_set_default_name;
 		krb5_cc_set_flags;
+		krb5_cc_set_kdc_offset;
 		krb5_cc_start_seq_get;
 		krb5_cc_store_cred;
+		krb5_cc_support_switch
 		krb5_cc_switch;
  		krb5_cc_set_friendly_name;
 		krb5_change_password;