Merge branch 'master' into lukeh/moonshot

Conflicts: lib/gssapi/krb5/external.c lib/libedit/src/vi.c
2011-05-12 13:04:55 +02:00
parent 7178ca10de be92276b8b
commit e128b0ca01
221 changed files with 2074 additions and 2100 deletions
--- a/admin/add.c
+++ b/admin/add.c
@@ -113,7 +113,7 @@ kt_add(struct add_options *opt, int argc, char **argv)
 		goto out;
 	    }
-	    if (hex_decode(opt->password_string, data, len) != len) {
+	    if ((size_t)hex_decode(opt->password_string, data, len) != len) {
 		free(data);
 		krb5_warn(context, ENOMEM, "hex decode failed");
 		goto out;
--- a/admin/get.c
+++ b/admin/get.c
@@ -90,7 +90,8 @@ kt_get(struct get_options *opt, int argc, char **argv)
    void *kadm_handle = NULL;
    krb5_enctype *etypes = NULL;
    size_t netypes = 0;
-    int i, j;
+    size_t i;
    int a, j;
    unsigned int failed = 0;
    if((keytab = ktutil_open_keytab()) == NULL)
@@ -120,7 +121,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
    }
-    for(i = 0; i < argc; i++){
+    for(a = 0; a < argc; a++){
 	krb5_principal princ_ent;
 	kadm5_principal_ent_rec princ;
 	int mask = 0;
@@ -129,9 +130,9 @@ kt_get(struct get_options *opt, int argc, char **argv)
 	int created = 0;
 	krb5_keytab_entry entry;
-	ret = krb5_parse_name(context, argv[i], &princ_ent);
+	ret = krb5_parse_name(context, argv[a], &princ_ent);
 	if (ret) {
-	    krb5_warn(context, ret, "can't parse principal %s", argv[i]);
+	    krb5_warn(context, ret, "can't parse principal %s", argv[a]);
 	    failed++;
 	    continue;
 	}
@@ -161,14 +162,14 @@ kt_get(struct get_options *opt, int argc, char **argv)
 	if(ret == 0)
 	    created = 1;
 	else if(ret != KADM5_DUP) {
-	    krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]);
+	    krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
 	    krb5_free_principal(context, princ_ent);
 	    failed++;
 	    continue;
 	}
 	ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
 	if (ret) {
-	    krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]);
+	    krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
 	    krb5_free_principal(context, princ_ent);
 	    failed++;
 	    continue;
@@ -177,7 +178,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
 	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
 			      KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
 	if (ret) {
-	    krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]);
+	    krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]);
 	    for (j = 0; j < n_keys; j++)
 		krb5_free_keyblock_contents(context, &keys[j]);
 	    krb5_free_principal(context, princ_ent);
@@ -185,7 +186,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
 	    continue;
 	}
 	if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
-	    krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[i]);
+	    krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]);
 	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
 	mask = KADM5_ATTRIBUTES;
 	if(created) {
@@ -194,7 +195,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
 	}
 	ret = kadm5_modify_principal(kadm_handle, &princ, mask);
 	if (ret) {
-	    krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]);
+	    krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]);
 	    for (j = 0; j < n_keys; j++)
 		krb5_free_keyblock_contents(context, &keys[j]);
 	    krb5_free_principal(context, princ_ent);
@@ -205,7 +206,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
 	    int do_add = TRUE;
 	    if (netypes) {
-		int k;
+		size_t k;
 		do_add = FALSE;
 		for (k = 0; k < netypes; ++k)
--- a/admin/ktutil.8
+++ b/admin/ktutil.8
@@ -53,72 +53,43 @@
 is a program for managing keytabs.
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl v , Fl -verbose
 .Fl v ,
 .Fl -verbose
 .Xc
 Verbose output.
 .El
 .Pp
 .Ar command
 can be one of the following:
 .Bl -tag -width srvconvert
-.It add Xo
+.It add Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
-.Op Fl p Ar principal
+Oo Fl V Ar kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
-.Op Fl -principal= Ns Ar principal
+Oo Fl -enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
-.Op Fl V Ar kvno
+Oo Fl -password= Ns Ar password Oc Oo Fl r Oc Oo Fl -random Oc \
-.Op Fl -kvno= Ns Ar kvno
+Oo Fl s Oc Oo Fl -no-salt Oc Oo Fl H Oc Op Fl -hex
 .Op Fl e Ar enctype
 .Op Fl -enctype= Ns Ar enctype
 .Op Fl w Ar password
 .Op Fl -password= Ns Ar password
 .Op Fl r
 .Op Fl -random
 .Op Fl s
 .Op Fl -no-salt
 .Op Fl H
 .Op Fl -hex
 .Xc
 Adds a key to the keytab. Options that are not specified will be
 prompted for. This requires that you know the password or the hex key of the
 principal to add; if what you really want is to add a new principal to
 the keytab, you should consider the
 .Ar get
 command, which talks to the kadmin server.
-.It change Xo
+.It change Oo Fl r Ar realm Oc Oo Fl -realm= Ns Ar realm Oc \
-.Op Fl r Ar realm
+Oo Fl -a Ar host Oc Oo Fl -admin-server= Ns Ar host Oc \
-.Op Fl -realm= Ns Ar realm
+Oo Fl -s Ar port Oc Op Fl -server-port= Ns Ar port
 .Op Fl -a Ar host
 .Op Fl -admin-server= Ns Ar host
 .Op Fl -s Ar port
 .Op Fl -server-port= Ns Ar port
 .Xc
 Update one or several keys to new versions.  By default, use the admin
 server for the realm of a keytab entry.  Otherwise it will use the
 values specified by the options.
 .Pp
 If no principals are given, all the ones in the keytab are updated.
-.It copy Xo
+.It copy Ar keytab-src Ar keytab-dest
 .Ar keytab-src
 .Ar keytab-dest
 .Xc
 Copies all the entries from
 .Ar keytab-src
 to
 .Ar keytab-dest .
-.It get Xo
+.It get Oo Fl p Ar admin principal Oc \
-.Op Fl p Ar admin principal
+Oo Fl -principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
-.Op Fl -principal= Ns Ar admin principal
+Oo Fl -enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
-.Op Fl e Ar enctype
+Oo Fl -realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
-.Op Fl -enctypes= Ns Ar enctype
+Oo Fl -admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
-.Op Fl r Ar realm
+Oo Fl -server-port= Ns Ar server port Oc Ar principal ...
 .Op Fl -realm= Ns Ar realm
 .Op Fl a Ar admin server
 .Op Fl -admin-server= Ns Ar admin server
 .Op Fl s Ar server port
 .Op Fl -server-port= Ns Ar server port
 .Ar principal ...
 .Xc
 For each
 .Ar principal ,
 generate a new key for it (creating it if it doesn't already exist),
@@ -128,35 +99,22 @@ If no
 .Ar realm
 is specified, the realm to operate on is taken from the first
 principal.
-.It list Xo
+.It list Oo Fl -keys Oc Op Fl -timestamp
 .Op Fl -keys
 .Op Fl -timestamp
 .Xc
 List the keys stored in the keytab.
-.It remove Xo
+.It remove Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
-.Op Fl p Ar principal
+Oo Fl V kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
-.Op Fl -principal= Ns Ar principal
+Oo Fl -enctype= Ns Ar enctype Oc
 .Op Fl V kvno
 .Op Fl -kvno= Ns Ar kvno
 .Op Fl e enctype
 .Op Fl -enctype= Ns Ar enctype
 .Xc
 Removes the specified key or keys. Not specifying a
 .Ar kvno
 removes keys with any version number. Not specifying an
 .Ar enctype
 removes keys of any type.
-.It rename Xo
+.It rename Ar from-principal Ar to-principal
 .Ar from-principal
 .Ar to-principal
 .Xc
 Renames all entries in the keytab that match the
 .Ar from-principal
 to
 .Ar to-principal .
-.It purge Xo
+.It purge Op Fl -age= Ns Ar age
 .Op Fl -age= Ns Ar age
 .Xc
 Removes all old versions of a key for which there is a newer version
 that is at least
 .Ar age
--- a/admin/ktutil.c
+++ b/admin/ktutil.c
@@ -118,8 +118,11 @@ help(void *opt, int argc, char **argv)
 		     argv[0]);
 	} else {
 	    if(c->func) {
-		char *fake[] = { NULL, "--help", NULL };
+		char shelp[] = "--help";
 		char *fake[3];
 		fake[0] = argv[0];
 		fake[1] = shelp;
 		fake[2] = NULL;
 		(*c->func)(2, fake);
 		fprintf(stderr, "\n");
 	    }
--- a/admin/list.c
+++ b/admin/list.c
@@ -113,7 +113,7 @@ do_list(struct list_options *opt, const char *keytab_str)
 	    rtbl_add_column_entry_by_id(table, 3, buf);
 	}
 	if(opt->keys_flag) {
-	    int i;
+	    size_t i;
 	    s = malloc(2 * entry.keyblock.keyvalue.length + 1);
 	    if (s == NULL) {
 		krb5_warnx(context, "malloc failed");
--- a/appl/telnet/telnet/sys_bsd.c
+++ b/appl/telnet/telnet/sys_bsd.c
@@ -608,11 +608,11 @@ TerminalSpeeds(long *input_speed, long *output_speed)
 int
 TerminalWindowSize(long *rows, long *cols)
 {
-    struct winsize ws;
+    int irows, icols;
-    if (get_window_size (STDIN_FILENO, &ws) == 0) {
+    if (get_window_size(STDIN_FILENO, &irows, &icols) == 0) {
-	*rows = ws.ws_row;
+	*rows = irows;
-	*cols = ws.ws_col;
+	*cols = icols;
 	return 1;
    } else
 	return 0;
--- a/appl/test/http_client.c
+++ b/appl/test/http_client.c
@@ -237,12 +237,16 @@ http_query(const char *host, const char *page,
 		    in_ptr -= 2;
 		    break;
 		} else if (state == RESPONSE) {
-		    req->response = strndup(in_buf, p - in_buf);
+		    req->response = emalloc(p - in_buf + 1);
 		    memcpy(req->response, in_buf, p - in_buf);
 		    req->response[p - in_buf] = '\0';
 		    state = HEADER;
 		} else {
 		    req->headers = realloc(req->headers,
 					   (req->num_headers + 1) * sizeof(req->headers[0]));
-		    req->headers[req->num_headers] = strndup(in_buf, p - in_buf);
+		    req->headers[req->num_headers] = emalloc(p - in_buf + 1);
 		    memcpy(req->headers[req->num_headers], in_buf, p - in_buf);
 		    req->headers[req->num_headers][p - in_buf] = '\0';
 		    if (req->headers[req->num_headers] == NULL)
 			errx(1, "strdup");
 		    req->num_headers++;
--- a/base/dict.c
+++ b/base/dict.c
@@ -77,7 +77,7 @@ struct heim_type_data dict_object = {
 static size_t
 isprime(size_t p)
 {
-    int q, i;
+    size_t q, i;
    for(i = 2 ; i < p; i++) {
 	q = p / i;
--- a/configure.ac
+++ b/configure.ac
@@ -172,6 +172,8 @@ if test "X$with_sqlite3" != Xyes ; then
 fi
 AM_CONDITIONAL(SQLITE3,  test "X$with_sqlite3" = Xyes)
 AC_DEFINE(HAVE_SQLITE3, 1, [Define if you want support for sqlite in Heimdal.])
 AC_ARG_ENABLE(sqlite-cache, 
 	AS_HELP_STRING([--disable-sqlite-cache],[if you want support for cache in sqlite]))
 if test "$enable_sqlite_cache" != no; then
--- a/doc/ack.texi
+++ b/doc/ack.texi
@@ -91,6 +91,7 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
@item Sho Hosoda, 細田 将
@item Stefan Metzmacher
@item Ted Percival
@item Tom Payerle
@item Victor Guerra
@item Zeqing Xia
@item Åke Sandgren 
--- a/doc/copyright.texi
+++ b/doc/copyright.texi
@@ -84,7 +84,7 @@ or implied warranty.
@heading The Regents of the University of California
-The parts of the libroken, most of libtelnet, libeditline, telnet, ftp,
+The parts of the libroken, most of libtelnet, telnet, ftp,
 and popper.
@verbatim
--- a/kadmin/ank.c
+++ b/kadmin/ank.c
@@ -39,21 +39,21 @@
 */
 static krb5_error_code
-get_default (kadm5_server_context *context,
+get_default (kadm5_server_context *contextp,
 	     krb5_principal princ,
 	     kadm5_principal_ent_t default_ent)
 {
    krb5_error_code ret;
    krb5_principal def_principal;
-    krb5_const_realm realm = krb5_principal_get_realm(context->context, princ);
+    krb5_const_realm realm = krb5_principal_get_realm(contextp->context, princ);
-    ret = krb5_make_principal (context->context, &def_principal,
+    ret = krb5_make_principal (contextp->context, &def_principal,
 			       realm, "default", NULL);
    if (ret)
 	return ret;
-    ret = kadm5_get_principal (context, def_principal, default_ent,
+    ret = kadm5_get_principal (contextp, def_principal, default_ent,
 			       KADM5_PRINCIPAL_NORMAL_MASK);
-    krb5_free_principal (context->context, def_principal);
+    krb5_free_principal (contextp->context, def_principal);
    return ret;
 }
--- a/kadmin/check.c
+++ b/kadmin/check.c
@@ -86,7 +86,7 @@ do_check_entry(krb5_principal principal, void *data)
 	ret = krb5_enctype_keysize(context,
 				   princ.key_data[i].key_data_type[0],
 				   &keysize);
-	if (ret == 0 && keysize != princ.key_data[i].key_data_length[0]) {
+	if (ret == 0 && keysize != (size_t)princ.key_data[i].key_data_length[0]) {
 	    krb5_warnx(context,
 		       "Principal %s enctype %d, wrong length: %lu\n",
 		       name, princ.key_data[i].key_data_type[0],
--- a/kadmin/get.c
+++ b/kadmin/get.c
@@ -110,9 +110,9 @@ add_column(struct get_entry_data *data, struct field_name *ff, const char *heade
 static int
 cmp_salt (const krb5_salt *salt, const krb5_key_data *k)
 {
-    if (salt->salttype != k->key_data_type[1])
+    if (salt->salttype != (size_t)k->key_data_type[1])
 	return 1;
-    if (salt->saltvalue.length != k->key_data_length[1])
+    if (salt->saltvalue.length != (size_t)k->key_data_length[1])
 	return 1;
    return memcmp (salt->saltvalue.data, k->key_data_contents[1],
 		   salt->saltvalue.length);
@@ -245,7 +245,7 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
 	krb5_tl_data *tl;
 	for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next)
-	    if (tl->tl_data_type == subfield)
+	    if ((unsigned)tl->tl_data_type == subfield)
 		break;
 	if (tl == NULL) {
 	    strlcpy(buf, "", buf_len);
@@ -261,7 +261,8 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
 	case KRB5_TL_PKINIT_ACL: {
 	    HDB_Ext_PKINIT_acl acl;
 	    size_t size;
-	    int i, ret;
+	    int ret;
 	    size_t i;
 	    ret = decode_HDB_Ext_PKINIT_acl(tl->tl_data_contents,
 					    tl->tl_data_length,
@@ -293,7 +294,8 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
 	case KRB5_TL_ALIASES: {
 	    HDB_Ext_Aliases alias;
 	    size_t size;
-	    int i, ret;
+	    int ret;
 	    size_t i;
 	    ret = decode_HDB_Ext_Aliases(tl->tl_data_contents,
 					 tl->tl_data_length,
@@ -309,7 +311,7 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
 		ret = krb5_unparse_name(context, &alias.aliases.val[i], &p);
 		if (ret)
 		    break;
-		if (i < 0)
+		if (i > 0)
 		    strlcat(buf, " ", buf_len);
 		strlcat(buf, p, buf_len);
 		free(p);
--- a/kadmin/kadm_conn.c
+++ b/kadmin/kadm_conn.c
@@ -43,12 +43,12 @@ struct kadm_port {
 } *kadm_ports;
 static void
-add_kadm_port(krb5_context context, const char *service, unsigned int port)
+add_kadm_port(krb5_context contextp, const char *service, unsigned int port)
 {
    struct kadm_port *p;
    p = malloc(sizeof(*p));
    if(p == NULL) {
-	krb5_warnx(context, "failed to allocate %lu bytes\n",
+	krb5_warnx(contextp, "failed to allocate %lu bytes\n",
 		   (unsigned long)sizeof(*p));
 	return;
    }
@@ -61,9 +61,9 @@ add_kadm_port(krb5_context context, const char *service, unsigned int port)
 }
 static void
-add_standard_ports (krb5_context context)
+add_standard_ports (krb5_context contextp)
 {
-    add_kadm_port(context, "kerberos-adm", 749);
+    add_kadm_port(contextp, "kerberos-adm", 749);
 }
 /*
@@ -73,15 +73,15 @@ add_standard_ports (krb5_context context)
 */
 void
-parse_ports(krb5_context context, const char *str)
+parse_ports(krb5_context contextp, const char *str)
 {
    char p[128];
    while(strsep_copy(&str, " \t", p, sizeof(p)) != -1) {
 	if(strcmp(p, "+") == 0)
-	    add_standard_ports(context);
+	    add_standard_ports(contextp);
 	else
-	    add_kadm_port(context, p, 0);
+	    add_kadm_port(contextp, p, 0);
    }
 }
@@ -120,10 +120,11 @@ terminate(int sig)
 }
 static int
-spawn_child(krb5_context context, int *socks,
+spawn_child(krb5_context contextp, int *socks,
 	    unsigned int num_socks, int this_sock)
 {
-    int e, i;
+    int e;
    size_t i;
    struct sockaddr_storage __ss;
    struct sockaddr *sa = (struct sockaddr *)&__ss;
    socklen_t sa_size = sizeof(__ss);
@@ -135,20 +136,20 @@ spawn_child(krb5_context context, int *socks,
    s = accept(socks[this_sock], sa, &sa_size);
    if(rk_IS_BAD_SOCKET(s)) {
-	krb5_warn(context, rk_SOCK_ERRNO, "accept");
+	krb5_warn(contextp, rk_SOCK_ERRNO, "accept");
 	return 1;
    }
-    e = krb5_sockaddr2address(context, sa, &addr);
+    e = krb5_sockaddr2address(contextp, sa, &addr);
    if(e)
-	krb5_warn(context, e, "krb5_sockaddr2address");
+	krb5_warn(contextp, e, "krb5_sockaddr2address");
    else {
 	e = krb5_print_address (&addr, buf, sizeof(buf),
 				&buf_len);
 	if(e)
-	    krb5_warn(context, e, "krb5_print_address");
+	    krb5_warn(contextp, e, "krb5_print_address");
 	else
-	    krb5_warnx(context, "connection from %s", buf);
+	    krb5_warnx(contextp, "connection from %s", buf);
-	krb5_free_address(context, &addr);
+	krb5_free_address(contextp, &addr);
    }
    pid = fork();
@@ -167,7 +168,7 @@ spawn_child(krb5_context context, int *socks,
 }
 static void
-wait_for_connection(krb5_context context,
+wait_for_connection(krb5_context contextp,
 		    krb5_socket_t *socks, unsigned int num_socks)
 {
    unsigned int i;
@@ -200,13 +201,13 @@ wait_for_connection(krb5_context context,
 	e = select(max_fd + 1, &read_set, NULL, NULL, NULL);
 	if(rk_IS_SOCKET_ERROR(e)) {
 	    if(rk_SOCK_ERRNO != EINTR)
-		krb5_warn(context, rk_SOCK_ERRNO, "select");
+		krb5_warn(contextp, rk_SOCK_ERRNO, "select");
 	} else if(e == 0)
-	    krb5_warnx(context, "select returned 0");
+	    krb5_warnx(contextp, "select returned 0");
 	else {
 	    for(i = 0; i < num_socks; i++) {
 		if(FD_ISSET(socks[i], &read_set))
-		    if(spawn_child(context, socks, num_socks, i) == 0)
+		    if(spawn_child(contextp, socks, num_socks, i) == 0)
 			return;
 	    }
 	}
@@ -221,7 +222,7 @@ wait_for_connection(krb5_context context,
 void
-start_server(krb5_context context, const char *port_str)
+start_server(krb5_context contextp, const char *port_str)
 {
    int e;
    struct kadm_port *p;
@@ -233,7 +234,7 @@ start_server(krb5_context context, const char *port_str)
    if (port_str == NULL)
 	port_str = "+";
-    parse_ports(context, port_str);
+    parse_ports(contextp, port_str);
    for(p = kadm_ports; p; p = p->next) {
 	struct addrinfo hints, *ai, *ap;
@@ -249,7 +250,7 @@ start_server(krb5_context context, const char *port_str)
 	}
 	if(e) {
-	    krb5_warn(context, krb5_eai_to_heim_errno(e, errno),
+	    krb5_warn(contextp, krb5_eai_to_heim_errno(e, errno),
 		      "%s", portstr);
 	    continue;
 	}
@@ -258,7 +259,7 @@ start_server(krb5_context context, const char *port_str)
 	    i++;
 	tmp = realloc(socks, (num_socks + i) * sizeof(*socks));
 	if(tmp == NULL) {
-	    krb5_warnx(context, "failed to reallocate %lu bytes",
+	    krb5_warnx(contextp, "failed to reallocate %lu bytes",
 		       (unsigned long)(num_socks + i) * sizeof(*socks));
 	    continue;
 	}
@@ -266,7 +267,7 @@ start_server(krb5_context context, const char *port_str)
 	for(ap = ai; ap; ap = ap->ai_next) {
 	    krb5_socket_t s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol);
 	    if(rk_IS_BAD_SOCKET(s)) {
-		krb5_warn(context, rk_SOCK_ERRNO, "socket");
+		krb5_warn(contextp, rk_SOCK_ERRNO, "socket");
 		continue;
 	    }
@@ -274,12 +275,12 @@ start_server(krb5_context context, const char *port_str)
 	    socket_set_ipv6only(s, 1);
 	    if (rk_IS_SOCKET_ERROR(bind (s, ap->ai_addr, ap->ai_addrlen))) {
-		krb5_warn(context, rk_SOCK_ERRNO, "bind");
+		krb5_warn(contextp, rk_SOCK_ERRNO, "bind");
 		rk_closesocket(s);
 		continue;
 	    }
 	    if (rk_IS_SOCKET_ERROR(listen (s, SOMAXCONN))) {
-		krb5_warn(context, rk_SOCK_ERRNO, "listen");
+		krb5_warn(contextp, rk_SOCK_ERRNO, "listen");
 		rk_closesocket(s);
 		continue;
 	    }
@@ -288,7 +289,7 @@ start_server(krb5_context context, const char *port_str)
 	freeaddrinfo (ai);
    }
    if(num_socks == 0)
-	krb5_errx(context, 1, "no sockets to listen to - exiting");
+	krb5_errx(contextp, 1, "no sockets to listen to - exiting");
-    wait_for_connection(context, socks, num_socks);
+    wait_for_connection(contextp, socks, num_socks);
 }
--- a/kadmin/kadmin.8
+++ b/kadmin/kadmin.8
@@ -40,34 +40,13 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Oo Fl p Ar string \*(Ba Xo
+.Op Fl p Ar string \*(Ba Fl -principal= Ns Ar string
-.Fl -principal= Ns Ar string
+.Op Fl K Ar string \*(Ba Fl -keytab= Ns Ar string
-.Xc
+.Op Fl c Ar file \*(Ba Fl -config-file= Ns Ar file
-.Oc
+.Op Fl k Ar file \*(Ba Fl -key-file= Ns Ar file
-.Oo Fl K Ar string \*(Ba Xo
+.Op Fl r Ar realm \*(Ba Fl -realm= Ns Ar realm
-.Fl -keytab= Ns Ar string
+.Op Fl a Ar host \*(Ba Fl -admin-server= Ns Ar host
-.Xc
+.Op Fl s Ar port number \*(Ba Fl -server-port= Ns Ar port number
 .Oc
 .Oo Fl c Ar file \*(Ba Xo
 .Fl -config-file= Ns Ar file
 .Xc
 .Oc
 .Oo Fl k Ar file \*(Ba Xo
 .Fl -key-file= Ns Ar file
 .Xc
 .Oc
 .Oo Fl r Ar realm \*(Ba Xo
 .Fl -realm= Ns Ar realm
 .Xc
 .Oc
 .Oo Fl a Ar host \*(Ba Xo
 .Fl -admin-server= Ns Ar host
 .Xc
 .Oc
 .Oo Fl s Ar port number \*(Ba Xo
 .Fl -server-port= Ns Ar port number
 .Xc
 .Oc
 .Op Fl l | Fl -local
 .Op Fl h | Fl -help
 .Op Fl v | Fl -version
@@ -84,45 +63,21 @@ option).
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl p Ar string , Fl -principal= Ns Ar string
 .Fl p Ar string ,
 .Fl -principal= Ns Ar string
 .Xc
 principal to authenticate as
-.It Xo
+.It Fl K Ar string , Fl -keytab= Ns Ar string
 .Fl K Ar string ,
 .Fl -keytab= Ns Ar string
 .Xc
 keytab for authentication principal
-.It Xo
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 .Fl c Ar file ,
 .Fl -config-file= Ns Ar file
 .Xc
 location of config file
-.It Xo
+.It Fl k Ar file , Fl -key-file= Ns Ar file
 .Fl k Ar file ,
 .Fl -key-file= Ns Ar file
 .Xc
 location of master key file
-.It Xo
+.It Fl r Ar realm , Fl -realm= Ns Ar realm
 .Fl r Ar realm ,
 .Fl -realm= Ns Ar realm
 .Xc
 realm to use
-.It Xo
+.It Fl a Ar host , Fl -admin-server= Ns Ar host
 .Fl a Ar host ,
 .Fl -admin-server= Ns Ar host
 .Xc
 server to contact
-.It Xo
+.It Fl s Ar port number , Fl -server-port= Ns Ar port number
 .Fl s Ar port number ,
 .Fl -server-port= Ns Ar port number
 .Xc
 port to use
-.It Xo
+.It Fl l , Fl -local
 .Fl l ,
 .Fl -local
 .Xc
 local admin mode
 .El
 .Pp
@@ -148,10 +103,7 @@ Commands include:
 .Nm add
 .Op Fl r | Fl -random-key
 .Op Fl -random-password
-.Oo Fl p Ar string \*(Ba Xo
+.Op Fl p Ar string \*(Ba Fl -password= Ns Ar string
 .Fl -password= Ns Ar string
 .Xc
 .Oc
 .Op Fl -key= Ns Ar string
 .Op Fl -max-ticket-life= Ns Ar lifetime
 .Op Fl -max-renewable-life= Ns Ar lifetime
--- a/kadmin/kadmin.c
+++ b/kadmin/kadmin.c
@@ -52,9 +52,9 @@ static getarg_strings policy_libraries = { 0, NULL };
 static struct getargs args[] = {
    {	"principal", 	'p',	arg_string,	&client_name,
-	"principal to authenticate as" },
+	"principal to authenticate as", NULL },
    {   "keytab",	'K',	arg_string,	&keytab,
-   	"keytab for authentication principal" },
+   	"keytab for authentication principal", NULL },
    {
 	"config-file",	'c',	arg_string,	&config_file,
 	"location of config file",	"file"
@@ -75,7 +75,8 @@ static struct getargs args[] = {
 	"server-port",	's',	arg_integer,   &server_port,
 	"port to use", "port number"
    },
-    {	"ad", 		0, arg_flag, &ad_flag, "active directory admin mode" },
+    {	"ad", 		0, arg_flag, &ad_flag, "active directory admin mode",
 	NULL },
 #ifdef HAVE_DLOPEN
    { "check-library", 0, arg_string, &check_library,
      "library to load password check function from", "library" },
@@ -84,9 +85,9 @@ static struct getargs args[] = {
    { "policy-libraries", 0, arg_strings, &policy_libraries,
      "password check function to load", "function" },
 #endif
-    {	"local", 'l', arg_flag, &local_flag, "local admin mode" },
+    {	"local", 'l', arg_flag, &local_flag, "local admin mode", NULL },
-    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"help",		'h',	arg_flag,   &help_flag, NULL, NULL },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/kadmin/kadmind.8
+++ b/kadmin/kadmind.8
@@ -76,8 +76,7 @@ The
 .Xr kpasswdd 8
 daemon is responsible for the Kerberos 5 password changing protocol
 (used by
-.Xr kpasswd 1 )
+.Xr kpasswd 1 ) .
 .
 .Pp
 This daemon should only be run on the master server, and not on any
 slaves.
@@ -118,34 +117,17 @@ glob-style pattern.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 .Fl c Ar file ,
 .Fl -config-file= Ns Ar file
 .Xc
 location of config file
-.It Xo
+.It Fl k Ar file , Fl -key-file= Ns Ar file
 .Fl k Ar file ,
 .Fl -key-file= Ns Ar file
 .Xc
 location of master key file
-.It Xo
+.It Fl -keytab= Ns Ar keytab
 .Fl -keytab= Ns Ar keytab
 .Xc
 what keytab to use
-.It Xo
+.It Fl r Ar realm , Fl -realm= Ns Ar realm
 .Fl r Ar realm ,
 .Fl -realm= Ns Ar realm
 .Xc
 realm to use
-.It Xo
+.It Fl d , Fl -debug
 .Fl d ,
 .Fl -debug
 .Xc
 enable debugging
-.It Xo
+.It Fl p Ar port , Fl -ports= Ns Ar port
 .Fl p Ar port ,
 .Fl -ports= Ns Ar port
 .Xc
 ports to listen to. By default, if run as a daemon, it listens to port
 749, but you can add any number of ports with this option. The port
 string is a whitespace separated list of port specifications, with the
--- a/kadmin/kadmind.c
+++ b/kadmin/kadmind.c
@@ -37,7 +37,8 @@ static char *check_library  = NULL;
 static char *check_function = NULL;
 static getarg_strings policy_libraries = { 0, NULL };
 static char *config_file;
-static char *keytab_str = "HDB:";
+static char sHDB[] = "HDB:";
 static char *keytab_str = sHDB;
 static int help_flag;
 static int version_flag;
 static int debug_flag;
@@ -65,12 +66,12 @@ static struct getargs args[] = {
      "password check function to load", "function" },
 #endif
    {	"debug",	'd',	arg_flag,   &debug_flag,
-	"enable debugging"
+	"enable debugging", NULL
    },
    {	"ports",	'p',	arg_string, &port_str,
 	"ports to listen to", "port" },
-    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"help",		'h',	arg_flag,   &help_flag, NULL, NULL },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/kadmin/load.c
+++ b/kadmin/load.c
@@ -153,7 +153,7 @@ parse_keys(hdb_entry *ent, char *str)
    krb5_error_code ret;
    int tmp;
    char *p;
-    int i;
+    size_t i;
    p = strsep(&str, ":");
    if (sscanf(p, "%d", &tmp) != 1)
--- a/kadmin/mod.c
+++ b/kadmin/mod.c
@@ -55,7 +55,7 @@ add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data)
 }
 static void
-add_constrained_delegation(krb5_context context,
+add_constrained_delegation(krb5_context contextp,
 			   kadm5_principal_ent_rec *princ,
 			   struct getarg_strings *strings)
 {
@@ -81,13 +81,13 @@ add_constrained_delegation(krb5_context context,
 	ext.data.u.allowed_to_delegate_to.len = strings->num_strings;
 	for (i = 0; i < strings->num_strings; i++) {
-	    ret = krb5_parse_name(context, strings->strings[i], &p);
+	    ret = krb5_parse_name(contextp, strings->strings[i], &p);
 	    if (ret)
 		abort();
 	    ret = copy_Principal(p, &ext.data.u.allowed_to_delegate_to.val[i]);
 	    if (ret)
 		abort();
-	    krb5_free_principal(context, p);
+	    krb5_free_principal(contextp, p);
 	}
    }
@@ -103,7 +103,7 @@ add_constrained_delegation(krb5_context context,
 }
 static void
-add_aliases(krb5_context context, kadm5_principal_ent_rec *princ,
+add_aliases(krb5_context contextp, kadm5_principal_ent_rec *princ,
 	    struct getarg_strings *strings)
 {
    krb5_error_code ret;
@@ -128,9 +128,9 @@ add_aliases(krb5_context context, kadm5_principal_ent_rec *princ,
 	ext.data.u.aliases.aliases.len = strings->num_strings;
 	for (i = 0; i < strings->num_strings; i++) {
-	    ret = krb5_parse_name(context, strings->strings[i], &p);
+	    ret = krb5_parse_name(contextp, strings->strings[i], &p);
 	    ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]);
-	    krb5_free_principal(context, p);
+	    krb5_free_principal(contextp, p);
 	}
    }
@@ -146,7 +146,7 @@ add_aliases(krb5_context context, kadm5_principal_ent_rec *princ,
 }
 static void
-add_pkinit_acl(krb5_context context, kadm5_principal_ent_rec *princ,
+add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ,
 	       struct getarg_strings *strings)
 {
    krb5_error_code ret;
--- a/kadmin/rpc.c
+++ b/kadmin/rpc.c
@@ -161,7 +161,7 @@ parse_name(const unsigned char *p, size_t len,
 static void
-gss_error(krb5_context context,
+gss_error(krb5_context contextp,
 	  gss_OID mech, OM_uint32 type, OM_uint32 error)
 {
    OM_uint32 new_stat;
@@ -176,7 +176,7 @@ gss_error(krb5_context context,
 				  mech,
 				  &msg_ctx,
 				  &status_string);
-	krb5_warnx(context, "%.*s",
+	krb5_warnx(contextp, "%.*s",
 		   (int)status_string.length,
 		   (char *)status_string.value);
 	gss_release_buffer (&new_stat, &status_string);
@@ -184,11 +184,11 @@ gss_error(krb5_context context,
 }
 static void
-gss_print_errors (krb5_context context, 
+gss_print_errors (krb5_context contextp, 
 		  OM_uint32 maj_stat, OM_uint32 min_stat)
 {
-    gss_error(context, GSS_C_NO_OID, GSS_C_GSS_CODE, maj_stat);
+    gss_error(contextp, GSS_C_NO_OID, GSS_C_GSS_CODE, maj_stat);
-    gss_error(context, GSS_C_NO_OID, GSS_C_MECH_CODE, min_stat);
+    gss_error(contextp, GSS_C_NO_OID, GSS_C_MECH_CODE, min_stat);
 }
 static int
@@ -204,10 +204,10 @@ read_data(krb5_storage *sp, krb5_storage *msg, size_t len)
 	    tlen = sizeof(buf);
 	slen = krb5_storage_read(sp, buf, tlen);
-	INSIST(slen == tlen);
+	INSIST((size_t)slen == tlen);
 	slen = krb5_storage_write(msg, buf, tlen);
-	INSIST(slen == tlen);
+	INSIST((size_t)slen == tlen);
 	len -= tlen;
    }
@@ -252,7 +252,7 @@ store_data_xdr(krb5_storage *sp, krb5_data data)
 	static const char zero[4] = { 0, 0, 0, 0 };
 	ret = krb5_storage_write(sp, zero, res);
-	if(ret != res)
+	if((size_t)ret != res)
 	    return (ret < 0)? errno : krb5_storage_get_eof_code(sp);
    }
    return 0;
@@ -273,7 +273,7 @@ ret_data_xdr(krb5_storage *sp, krb5_data *data)
 	res = 4 - (data->length % 4);
 	if (res != 4) {
 	    ret = krb5_storage_read(sp, buf, res);
-	    if(ret != res)
+	    if((size_t)ret != res)
 		return (ret < 0)? errno : krb5_storage_get_eof_code(sp);
 	}
    }
@@ -362,19 +362,19 @@ ret_string_xdr(krb5_storage *sp, char **str)
 }
 static int
-store_principal_xdr(krb5_context context,
+store_principal_xdr(krb5_context contextp,
 		    krb5_storage *sp,
 		    krb5_principal p)
 {
    char *str;
-    CHECK(krb5_unparse_name(context, p, &str));
+    CHECK(krb5_unparse_name(contextp, p, &str));
    CHECK(store_string_xdr(sp, str));
    free(str);
    return 0;
 }
 static int
-ret_principal_xdr(krb5_context context,
+ret_principal_xdr(krb5_context contextp,
 		  krb5_storage *sp,
 		  krb5_principal *p)
 {
@@ -382,27 +382,27 @@ ret_principal_xdr(krb5_context context,
    *p = NULL;
    CHECK(ret_string_xdr(sp, &str));
    if (str) {
-	CHECK(krb5_parse_name(context, str, p));
+	CHECK(krb5_parse_name(contextp, str, p));
 	free(str);
    }
    return 0;
 }
 static int
-store_principal_ent(krb5_context context,
+store_principal_ent(krb5_context contextp,
 		    krb5_storage *sp,
 		    kadm5_principal_ent_rec *ent)
 {
-    size_t i;
+    int i;
-    CHECK(store_principal_xdr(context, sp, ent->principal));
+    CHECK(store_principal_xdr(contextp, sp, ent->principal));
    CHECK(krb5_store_uint32(sp, ent->princ_expire_time));
    CHECK(krb5_store_uint32(sp, ent->pw_expiration));
    CHECK(krb5_store_uint32(sp, ent->last_pwd_change));
    CHECK(krb5_store_uint32(sp, ent->max_life));
    CHECK(krb5_store_int32(sp, ent->mod_name == NULL));
    if (ent->mod_name)
-	CHECK(store_principal_xdr(context, sp, ent->mod_name));
+	CHECK(store_principal_xdr(contextp, sp, ent->mod_name));
    CHECK(krb5_store_uint32(sp, ent->mod_date));
    CHECK(krb5_store_uint32(sp, ent->attributes));
    CHECK(krb5_store_uint32(sp, ent->kvno));
@@ -443,7 +443,7 @@ store_principal_ent(krb5_context context,
 }
 static int
-ret_principal_ent(krb5_context context,
+ret_principal_ent(krb5_context contextp,
 		  krb5_storage *sp,
 		  kadm5_principal_ent_rec *ent)
 {
@@ -452,7 +452,7 @@ ret_principal_ent(krb5_context context,
    memset(ent, 0, sizeof(*ent));
-    CHECK(ret_principal_xdr(context, sp, &ent->principal));
+    CHECK(ret_principal_xdr(contextp, sp, &ent->principal));
    CHECK(krb5_ret_uint32(sp, &flag));
    ent->princ_expire_time = flag;
    CHECK(krb5_ret_uint32(sp, &flag));
@@ -463,7 +463,7 @@ ret_principal_ent(krb5_context context,
    ent->max_life = flag;
    CHECK(krb5_ret_uint32(sp, &flag));
    if (flag == 0)
-	ret_principal_xdr(context, sp, &ent->mod_name);
+	ret_principal_xdr(contextp, sp, &ent->mod_name);
    CHECK(krb5_ret_uint32(sp, &flag));
    ent->mod_date = flag;
    CHECK(krb5_ret_uint32(sp, &flag));
@@ -508,13 +508,13 @@ ret_principal_ent(krb5_context context,
 	    count++;
 	}
-	INSIST(ent->n_tl_data == count);
+	INSIST((size_t)ent->n_tl_data == count);
    } else {
 	INSIST(ent->n_tl_data == 0);
    }
    CHECK(krb5_ret_uint32(sp, &num));
-    INSIST(num == ent->n_key_data);
+    INSIST(num == (uint32_t)ent->n_key_data);
    ent->key_data = calloc(num, sizeof(ent->key_data[0]));
    INSIST(ent->key_data != NULL);
@@ -538,7 +538,7 @@ ret_principal_ent(krb5_context context,
 */
 static void
-proc_create_principal(kadm5_server_context *context,
+proc_create_principal(kadm5_server_context *contextp,
 		      krb5_storage *in,
 		      krb5_storage *out)
 {
@@ -551,30 +551,30 @@ proc_create_principal(kadm5_server_context *context,
    CHECK(krb5_ret_uint32(in, &version));
    INSIST(version == VERSION2);
-    CHECK(ret_principal_ent(context->context, in, &ent));
+    CHECK(ret_principal_ent(contextp->context, in, &ent));
    CHECK(krb5_ret_uint32(in, &mask));
    CHECK(ret_string_xdr(in, &password));
    INSIST(ent.principal);
-    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD, ent.principal);
+    ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, ent.principal);
    if (ret)
 	goto fail;
-    ret = kadm5_create_principal(context, &ent, mask, password);
+    ret = kadm5_create_principal(contextp, &ent, mask, password);
 fail:
-    krb5_warn(context->context, ret, "create principal");
+    krb5_warn(contextp->context, ret, "create principal");
    CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
    CHECK(krb5_store_uint32(out, ret)); /* code */
    free(password);
-    kadm5_free_principal_ent(context, &ent);
+    kadm5_free_principal_ent(contextp, &ent);
 }
 static void
-proc_delete_principal(kadm5_server_context *context,
+proc_delete_principal(kadm5_server_context *contextp,
 		      krb5_storage *in,
 		      krb5_storage *out)
 {
@@ -584,24 +584,24 @@ proc_delete_principal(kadm5_server_context *context,
    CHECK(krb5_ret_uint32(in, &version));
    INSIST(version == VERSION2);
-    CHECK(ret_principal_xdr(context->context, in, &princ));
+    CHECK(ret_principal_xdr(contextp->context, in, &princ));
-    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ);
+    ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);
    if (ret)
 	goto fail;
-    ret = kadm5_delete_principal(context, princ);
+    ret = kadm5_delete_principal(contextp, princ);
 fail:
-    krb5_warn(context->context, ret, "delete principal");
+    krb5_warn(contextp->context, ret, "delete principal");
    CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
    CHECK(krb5_store_uint32(out, ret)); /* code */
-    krb5_free_principal(context->context, princ);
+    krb5_free_principal(contextp->context, princ);
 }
 static void
-proc_get_principal(kadm5_server_context *context,
+proc_get_principal(kadm5_server_context *contextp,
 		   krb5_storage *in,
 		   krb5_storage *out)
 {
@@ -614,29 +614,29 @@ proc_get_principal(kadm5_server_context *context,
    CHECK(krb5_ret_uint32(in, &version));
    INSIST(version == VERSION2);
-    CHECK(ret_principal_xdr(context->context, in, &princ));
+    CHECK(ret_principal_xdr(contextp->context, in, &princ));
    CHECK(krb5_ret_uint32(in, &mask));
-    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ);
+    ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
    if(ret)
 	goto fail;
-    ret = kadm5_get_principal(context, princ, &ent, mask);
+    ret = kadm5_get_principal(contextp, princ, &ent, mask);
 fail:
-    krb5_warn(context->context, ret, "get principal principal");
+    krb5_warn(contextp->context, ret, "get principal principal");
    CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
    CHECK(krb5_store_uint32(out, ret)); /* code */
    if (ret == 0) {
-	CHECK(store_principal_ent(context->context, out, &ent));
+	CHECK(store_principal_ent(contextp->context, out, &ent));
    }
-    krb5_free_principal(context->context, princ);
+    krb5_free_principal(contextp->context, princ);
-    kadm5_free_principal_ent(context, &ent);
+    kadm5_free_principal_ent(contextp, &ent);
 }
 static void
-proc_chrand_principal_v2(kadm5_server_context *context,
+proc_chrand_principal_v2(kadm5_server_context *contextp,
 			 krb5_storage *in, 
 			 krb5_storage *out)
 {
@@ -648,36 +648,36 @@ proc_chrand_principal_v2(kadm5_server_context *context,
    CHECK(krb5_ret_uint32(in, &version));
    INSIST(version == VERSION2);
-    CHECK(ret_principal_xdr(context->context, in, &princ));
+    CHECK(ret_principal_xdr(contextp->context, in, &princ));
-    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+    ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
    if(ret)
 	goto fail;
-    ret = kadm5_randkey_principal(context, princ,
+    ret = kadm5_randkey_principal(contextp, princ,
 				  &new_keys, &n_keys);
 fail:
-    krb5_warn(context->context, ret, "rand key principal");
+    krb5_warn(contextp->context, ret, "rand key principal");
    CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
    CHECK(krb5_store_uint32(out, ret));
    if (ret == 0) {
-	size_t i;
+	int i;
 	CHECK(krb5_store_int32(out, n_keys));
 	for(i = 0; i < n_keys; i++){
 	    CHECK(krb5_store_uint32(out, new_keys[i].keytype));
 	    CHECK(store_data_xdr(out, new_keys[i].keyvalue));
-	    krb5_free_keyblock_contents(context->context, &new_keys[i]);
+	    krb5_free_keyblock_contents(contextp->context, &new_keys[i]);
 	}
 	free(new_keys);
    }
-    krb5_free_principal(context->context, princ);
+    krb5_free_principal(contextp->context, princ);
 }
 static void
-proc_init(kadm5_server_context *context,
+proc_init(kadm5_server_context *contextp,
 	  krb5_storage *in,
 	  krb5_storage *out)
 {
@@ -687,7 +687,7 @@ proc_init(kadm5_server_context *context,
 }
 struct krb5_proc {
-    char *name;
+    const char *name;
    void (*func)(kadm5_server_context *, krb5_storage *, krb5_storage *);
 } procs[] = {
    { "NULL", NULL },
@@ -723,7 +723,7 @@ copyheader(krb5_storage *sp, krb5_data *data)
    off = krb5_storage_seek(sp, 0, SEEK_CUR);
    CHECK(krb5_data_alloc(data, off));
-    INSIST(off == data->length);
+    INSIST((size_t)off == data->length);
    krb5_storage_seek(sp, 0, SEEK_SET);
    sret = krb5_storage_read(sp, data->data, data->length);
    INSIST(sret == off);
@@ -741,7 +741,7 @@ struct gctx {
 };
 static int
-process_stream(krb5_context context, 
+process_stream(krb5_context contextp, 
 	       unsigned char *buf, size_t ilen,
 	       krb5_storage *sp)
 {
@@ -792,7 +792,7 @@ process_stream(krb5_context context,
 	    if (ilen < 4) {
 		memcpy(tmp, buf, ilen);
 		slen = krb5_storage_read(sp, tmp + ilen, sizeof(tmp) - ilen);
-		INSIST(slen == sizeof(tmp) - ilen);
+		INSIST((size_t)slen == sizeof(tmp) - ilen);
 		ilen = sizeof(tmp);
 		buf = tmp;
@@ -809,12 +809,12 @@ process_stream(krb5_context context,
 	    if (ilen) {
 		if (len < ilen) {
 		    slen = krb5_storage_write(msg, buf, len);
-		    INSIST(slen == len);
+		    INSIST((size_t)slen == len);
 		    ilen -= len;
 		    len = 0;
 		} else {
 		    slen = krb5_storage_write(msg, buf, ilen);
-		    INSIST(slen == ilen);
+		    INSIST((size_t)slen == ilen);
 		    len -= ilen;
 		}
 	    }
@@ -824,14 +824,14 @@ process_stream(krb5_context context,
 	    if (!last_fragment) {
 		ret = collect_framents(sp, msg);
 		if (ret == HEIM_ERR_EOF)
-		    krb5_errx(context, 0, "client disconnected");
+		    krb5_errx(contextp, 0, "client disconnected");
 		INSIST(ret == 0);
 	    }
 	} else {
 	    ret = collect_framents(sp, msg);
 	    if (ret == HEIM_ERR_EOF)
-		krb5_errx(context, 0, "client disconnected");
+		krb5_errx(contextp, 0, "client disconnected");
 	    INSIST(ret == 0);
 	}
 	krb5_storage_seek(msg, 0, SEEK_SET);
@@ -873,7 +873,7 @@ process_stream(krb5_context context,
 	    krb5_data data;
 	    int conf_state;
 	    uint32_t seq;
-	    krb5_storage *sp;
+	    krb5_storage *sp1;
 	    INSIST(gcred.service == rpg_privacy);
@@ -892,10 +892,10 @@ process_stream(krb5_context context,
 	    INSIST(maj_stat == GSS_S_COMPLETE);
 	    INSIST(conf_state != 0);
-	    sp = krb5_storage_from_mem(gout.value, gout.length);
+	    sp1 = krb5_storage_from_mem(gout.value, gout.length);
-	    INSIST(sp != NULL);
+	    INSIST(sp1 != NULL);
-	    CHECK(krb5_ret_uint32(sp, &seq));
+	    CHECK(krb5_ret_uint32(sp1, &seq));
 	    INSIST (seq == gcred.seq_num);
 	    /*
@@ -905,19 +905,19 @@ process_stream(krb5_context context,
 	    gctx.seq_num = seq;
 	    /* 
-	     * If context is setup, priv data have the seq_num stored
+	     * If contextp is setup, priv data have the seq_num stored
 	     * first in the block, so add it here before users data is
 	     * added.
 	     */
 	    CHECK(krb5_store_uint32(dreply, gctx.seq_num));
 	    if (chdr.proc >= sizeof(procs)/sizeof(procs[0])) {
-		krb5_warnx(context, "proc number out of array");
+		krb5_warnx(contextp, "proc number out of array");
 	    } else if (procs[chdr.proc].func == NULL) {
-		krb5_warnx(context, "proc '%s' never implemented", 
+		krb5_warnx(contextp, "proc '%s' never implemented", 
 			  procs[chdr.proc].name);
 	    } else {
-		krb5_warnx(context, "proc %s", procs[chdr.proc].name);
+		krb5_warnx(contextp, "proc %s", procs[chdr.proc].name);
 		INSIST(server_handle != NULL);
 		(*procs[chdr.proc].func)(server_handle, sp, dreply);
 	    }
@@ -957,29 +957,29 @@ process_stream(krb5_context context,
 					      NULL,
 					      NULL);
 	    if (GSS_ERROR(maj_stat)) {
-		gss_print_errors(context, maj_stat, min_stat);
+		gss_print_errors(contextp, maj_stat, min_stat);
-		krb5_errx(context, 1, "gss error, exit");
+		krb5_errx(contextp, 1, "gss error, exit");
 	    }
 	    if ((maj_stat & GSS_S_CONTINUE_NEEDED) == 0) {
 		kadm5_config_params realm_params;
-		gss_buffer_desc buf;
+		gss_buffer_desc bufp;
 		char *client;
 		gctx.done = 1;
 		memset(&realm_params, 0, sizeof(realm_params));
-		maj_stat = gss_export_name(&min_stat, src_name, &buf);
+		maj_stat = gss_export_name(&min_stat, src_name, &bufp);
 		INSIST(maj_stat == GSS_S_COMPLETE);
-		CHECK(parse_name(buf.value, buf.length, 
+		CHECK(parse_name(bufp.value, bufp.length, 
 				 GSS_KRB5_MECHANISM, &client));
-		gss_release_buffer(&min_stat, &buf);
+		gss_release_buffer(&min_stat, &bufp);
-		krb5_warnx(context, "%s connected", client);
+		krb5_warnx(contextp, "%s connected", client);
-		ret = kadm5_s_init_with_password_ctx(context,
+		ret = kadm5_s_init_with_password_ctx(contextp,
 						     client,
 						     NULL,
 						     KADM5_ADMIN_SERVICE,
@@ -1002,9 +1002,9 @@ process_stream(krb5_context context,
 	    break;
 	}
 	case RPG_DESTROY:
-	    krb5_errx(context, 1, "client destroyed gss context");
+	    krb5_errx(contextp, 1, "client destroyed gss contextp");
 	default:
-	    krb5_errx(context, 1, "client sent unknown gsscode %d", 
+	    krb5_errx(contextp, 1, "client sent unknown gsscode %d", 
 		      (int)gcred.proc);
 	}
@@ -1026,7 +1026,7 @@ process_stream(krb5_context context,
 	    CHECK(krb5_store_uint32(reply, 0)); /* SUCCESS */
 	    CHECK(krb5_storage_to_data(dreply, &data));
-	    INSIST(krb5_storage_write(reply, data.data, data.length) == data.length);
+	    INSIST((size_t)krb5_storage_write(reply, data.data, data.length) == data.length);
 	    krb5_data_free(&data);
 	} else {
@@ -1054,7 +1054,7 @@ process_stream(krb5_context context,
 		ssize_t sret;
 		gctx.inprogress = 0;
 		sret = krb5_storage_write(reply, data.data, data.length);
-		INSIST(sret == data.length);
+		INSIST((size_t)sret == data.length);
 		krb5_data_free(&data);
 	    } else {
 		int conf_state;
@@ -1082,7 +1082,7 @@ process_stream(krb5_context context,
 	    CHECK(krb5_storage_to_data(reply, &data));
 	    CHECK(krb5_store_uint32(sp, data.length | LAST_FRAGMENT));
 	    sret = krb5_storage_write(sp, data.data, data.length);
-	    INSIST(sret == data.length);
+	    INSIST((size_t)sret == data.length);
 	    krb5_data_free(&data);
 	}
@@ -1091,16 +1091,16 @@ process_stream(krb5_context context,
 int
-handle_mit(krb5_context context, void *buf, size_t len, krb5_socket_t sock)
+handle_mit(krb5_context contextp, void *buf, size_t len, krb5_socket_t sock)
 {
    krb5_storage *sp;
-    dcontext = context;
+    dcontext = contextp;
    sp = krb5_storage_from_fd(sock);
    INSIST(sp != NULL);
-    process_stream(context, buf, len, sp);
+    process_stream(contextp, buf, len, sp);
    return 0;
 }
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -35,14 +35,14 @@
 #include <krb5-private.h>
 static kadm5_ret_t
-kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
+kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
 		 krb5_data *in, krb5_data *out)
 {
    kadm5_ret_t ret;
    int32_t cmd, mask, tmp;
-    kadm5_server_context *context = kadm_handle;
+    kadm5_server_context *contextp = kadm_handlep;
    char client[128], name[128], name2[128];
-    char *op = "";
+    const char *op = "";
    krb5_principal princ, princ2;
    kadm5_principal_ent_rec ent;
    char *password, *expression;
@@ -52,12 +52,12 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
    int n_princs;
    krb5_storage *sp;
-    krb5_unparse_name_fixed(context->context, context->caller,
+    krb5_unparse_name_fixed(contextp->context, contextp->caller,
 			    client, sizeof(client));
    sp = krb5_storage_from_data(in);
    if (sp == NULL)
-	krb5_errx(context->context, 1, "out of memory");
+	krb5_errx(contextp->context, 1, "out of memory");
    krb5_ret_int32(sp, &cmd);
    switch(cmd){
@@ -68,26 +68,26 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    goto fail;
 	ret = krb5_ret_int32(sp, &mask);
 	if(ret){
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
 	mask |= KADM5_PRINCIPAL;
-	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
-	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ);
+	ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
 	if(ret){
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
-	ret = kadm5_get_principal(kadm_handle, princ, &ent, mask);
+	ret = kadm5_get_principal(kadm_handlep, princ, &ent, mask);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
 	if(ret == 0){
 	    kadm5_store_principal_ent(sp, &ent);
-	    kadm5_free_principal_ent(kadm_handle, &ent);
+	    kadm5_free_principal_ent(kadm_handlep, &ent);
 	}
-	krb5_free_principal(context->context, princ);
+	krb5_free_principal(contextp->context, princ);
 	break;
    }
    case kadm_delete:{
@@ -95,15 +95,15 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	ret = krb5_ret_principal(sp, &princ);
 	if(ret)
 	    goto fail;
-	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
-	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ);
+	ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);
 	if(ret){
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
-	ret = kadm5_delete_principal(kadm_handle, princ);
+	ret = kadm5_delete_principal(kadm_handlep, princ);
-	krb5_free_principal(context->context, princ);
+	krb5_free_principal(contextp->context, princ);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
@@ -116,28 +116,28 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    goto fail;
 	ret = krb5_ret_int32(sp, &mask);
 	if(ret){
-	    kadm5_free_principal_ent(context->context, &ent);
+	    kadm5_free_principal_ent(contextp->context, &ent);
 	    goto fail;
 	}
 	ret = krb5_ret_string(sp, &password);
 	if(ret){
-	    kadm5_free_principal_ent(context->context, &ent);
+	    kadm5_free_principal_ent(contextp->context, &ent);
 	    goto fail;
 	}
-	krb5_unparse_name_fixed(context->context, ent.principal,
+	krb5_unparse_name_fixed(contextp->context, ent.principal,
 				name, sizeof(name));
-	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD,
+	ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD,
 					  ent.principal);
 	if(ret){
-	    kadm5_free_principal_ent(context->context, &ent);
+	    kadm5_free_principal_ent(contextp->context, &ent);
 	    memset(password, 0, strlen(password));
 	    free(password);
 	    goto fail;
 	}
-	ret = kadm5_create_principal(kadm_handle, &ent,
+	ret = kadm5_create_principal(kadm_handlep, &ent,
 				     mask, password);
-	kadm5_free_principal_ent(kadm_handle, &ent);
+	kadm5_free_principal_ent(kadm_handlep, &ent);
 	memset(password, 0, strlen(password));
 	free(password);
 	krb5_storage_free(sp);
@@ -152,20 +152,20 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    goto fail;
 	ret = krb5_ret_int32(sp, &mask);
 	if(ret){
-	    kadm5_free_principal_ent(context, &ent);
+	    kadm5_free_principal_ent(contextp, &ent);
 	    goto fail;
 	}
-	krb5_unparse_name_fixed(context->context, ent.principal,
+	krb5_unparse_name_fixed(contextp->context, ent.principal,
 				name, sizeof(name));
-	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY,
+	ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_MODIFY,
 					  ent.principal);
 	if(ret){
-	    kadm5_free_principal_ent(context, &ent);
+	    kadm5_free_principal_ent(contextp, &ent);
 	    goto fail;
 	}
-	ret = kadm5_modify_principal(kadm_handle, &ent, mask);
+	ret = kadm5_modify_principal(kadm_handlep, &ent, mask);
-	kadm5_free_principal_ent(kadm_handle, &ent);
+	kadm5_free_principal_ent(kadm_handlep, &ent);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
@@ -178,27 +178,27 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    goto fail;
 	ret = krb5_ret_principal(sp, &princ2);
 	if(ret){
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
-	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
-	krb5_unparse_name_fixed(context->context, princ2, name2, sizeof(name2));
+	krb5_unparse_name_fixed(contextp->context, princ2, name2, sizeof(name2));
-	krb5_warnx(context->context, "%s: %s %s -> %s",
+	krb5_warnx(contextp->context, "%s: %s %s -> %s",
 		   client, op, name, name2);
-	ret = _kadm5_acl_check_permission(context,
+	ret = _kadm5_acl_check_permission(contextp,
 					  KADM5_PRIV_ADD,
 					  princ2)
-	    || _kadm5_acl_check_permission(context,
+	    || _kadm5_acl_check_permission(contextp,
 					   KADM5_PRIV_DELETE,
 					   princ);
 	if(ret){
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
-	    krb5_free_principal(context->context, princ2);
+	    krb5_free_principal(contextp->context, princ2);
 	    goto fail;
 	}
-	ret = kadm5_rename_principal(kadm_handle, princ, princ2);
+	ret = kadm5_rename_principal(kadm_handlep, princ, princ2);
-	krb5_free_principal(context->context, princ);
+	krb5_free_principal(contextp->context, princ);
-	krb5_free_principal(context->context, princ2);
+	krb5_free_principal(contextp->context, princ2);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
@@ -211,11 +211,11 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    goto fail;
 	ret = krb5_ret_string(sp, &password);
 	if(ret){
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
-	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
-	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
 	/*
 	 * The change is allowed if at least one of:
@@ -227,7 +227,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	 */
 	if (initial
-	    && krb5_principal_compare (context->context, context->caller,
+	    && krb5_principal_compare (contextp->context, contextp->caller,
 				       princ))
 	{
 	    krb5_data pwd_data;
@@ -236,23 +236,23 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    pwd_data.data = password;
 	    pwd_data.length = strlen(password);
-	    pwd_reason = kadm5_check_password_quality (context->context,
+	    pwd_reason = kadm5_check_password_quality (contextp->context,
 						       princ, &pwd_data);
 	    if (pwd_reason != NULL)
 		ret = KADM5_PASS_Q_DICT;
 	    else
 		ret = 0;
 	} else
-	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+	    ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
 	if(ret) {
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    memset(password, 0, strlen(password));
 	    free(password);
 	    goto fail;
 	}
-	ret = kadm5_chpass_principal(kadm_handle, princ, password);
+	ret = kadm5_chpass_principal(kadm_handlep, princ, password);
-	krb5_free_principal(context->context, princ);
+	krb5_free_principal(contextp->context, princ);
 	memset(password, 0, strlen(password));
 	free(password);
 	krb5_storage_free(sp);
@@ -271,21 +271,21 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    goto fail;
 	ret = krb5_ret_int32(sp, &n_key_data);
 	if (ret) {
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
 	/* n_key_data will be squeezed into an int16_t below. */
 	if (n_key_data < 0 || n_key_data >= 1 << 16 ||
-	    n_key_data > UINT_MAX/sizeof(*key_data)) {
+	    (size_t)n_key_data > UINT_MAX/sizeof(*key_data)) {
 	    ret = ERANGE;
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
 	key_data = malloc (n_key_data * sizeof(*key_data));
 	if (key_data == NULL && n_key_data != 0) {
 	    ret = ENOMEM;
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
@@ -294,38 +294,38 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    if (ret) {
 		int16_t dummy = i;
-		kadm5_free_key_data (context, &dummy, key_data);
+		kadm5_free_key_data (contextp, &dummy, key_data);
 		free (key_data);
-		krb5_free_principal(context->context, princ);
+		krb5_free_principal(contextp->context, princ);
 		goto fail;
 	    }
 	}
-	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
-	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
 	/*
 	 * The change is only allowed if the user is on the CPW ACL,
 	 * this it to force password quality check on the user.
 	 */
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+	ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
 	if(ret) {
 	    int16_t dummy = n_key_data;
-	    kadm5_free_key_data (context, &dummy, key_data);
+	    kadm5_free_key_data (contextp, &dummy, key_data);
 	    free (key_data);
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
-	ret = kadm5_chpass_principal_with_key(kadm_handle, princ,
+	ret = kadm5_chpass_principal_with_key(kadm_handlep, princ,
 					      n_key_data, key_data);
 	{
 	    int16_t dummy = n_key_data;
-	    kadm5_free_key_data (context, &dummy, key_data);
+	    kadm5_free_key_data (contextp, &dummy, key_data);
 	}
 	free (key_data);
-	krb5_free_principal(context->context, princ);
+	krb5_free_principal(contextp->context, princ);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
@@ -336,8 +336,8 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	ret = krb5_ret_principal(sp, &princ);
 	if(ret)
 	    goto fail;
-	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
+	krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
-	krb5_warnx(context->context, "%s: %s %s", client, op, name);
+	krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
 	/*
 	 * The change is allowed if at least one of:
 	 * a) it's for the principal him/herself and this was an initial ticket
@@ -345,19 +345,19 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	 */
 	if (initial
-	    && krb5_principal_compare (context->context, context->caller,
+	    && krb5_principal_compare (contextp->context, contextp->caller,
 				       princ))
 	    ret = 0;
 	else
-	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
+	    ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
 	if(ret) {
-	    krb5_free_principal(context->context, princ);
+	    krb5_free_principal(contextp->context, princ);
 	    goto fail;
 	}
-	ret = kadm5_randkey_principal(kadm_handle, princ,
+	ret = kadm5_randkey_principal(kadm_handlep, princ,
 				      &new_keys, &n_keys);
-	krb5_free_principal(context->context, princ);
+	krb5_free_principal(contextp->context, princ);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
@@ -366,7 +366,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    krb5_store_int32(sp, n_keys);
 	    for(i = 0; i < n_keys; i++){
 		krb5_store_keyblock(sp, new_keys[i]);
-		krb5_free_keyblock_contents(context->context, &new_keys[i]);
+		krb5_free_keyblock_contents(contextp->context, &new_keys[i]);
 	    }
 	    free(new_keys);
 	}
@@ -374,7 +374,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
    }
    case kadm_get_privs:{
 	uint32_t privs;
-	ret = kadm5_get_privs(kadm_handle, &privs);
+	ret = kadm5_get_privs(kadm_handlep, &privs);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, ret);
@@ -393,14 +393,14 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 		goto fail;
 	}else
 	    expression = NULL;
-	krb5_warnx(context->context, "%s: %s %s", client, op,
+	krb5_warnx(contextp->context, "%s: %s %s", client, op,
 		   expression ? expression : "*");
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL);
+	ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_LIST, NULL);
 	if(ret){
 	    free(expression);
 	    goto fail;
 	}
-	ret = kadm5_get_principals(kadm_handle, expression, &princs, &n_princs);
+	ret = kadm5_get_principals(kadm_handlep, expression, &princs, &n_princs);
 	free(expression);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
@@ -410,12 +410,12 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 	    krb5_store_int32(sp, n_princs);
 	    for(i = 0; i < n_princs; i++)
 		krb5_store_string(sp, princs[i]);
-	    kadm5_free_name_list(kadm_handle, princs, &n_princs);
+	    kadm5_free_name_list(kadm_handlep, princs, &n_princs);
 	}
 	break;
    }
    default:
-	krb5_warnx(context->context, "%s: UNKNOWN OP %d", client, cmd);
+	krb5_warnx(contextp->context, "%s: UNKNOWN OP %d", client, cmd);
 	krb5_storage_free(sp);
 	sp = krb5_storage_emem();
 	krb5_store_int32(sp, KADM5_FAILURE);
@@ -425,7 +425,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
    krb5_storage_free(sp);
    return 0;
 fail:
-    krb5_warn(context->context, ret, "%s", op);
+    krb5_warn(contextp->context, ret, "%s", op);
    krb5_storage_seek(sp, 0, SEEK_SET);
    krb5_store_int32(sp, ret);
    krb5_storage_to_data(sp, out);
@@ -434,10 +434,10 @@ fail:
 }
 static void
-v5_loop (krb5_context context,
+v5_loop (krb5_context contextp,
 	 krb5_auth_context ac,
 	 krb5_boolean initial,
-	 void *kadm_handle,
+	 void *kadm_handlep,
 	 krb5_socket_t fd)
 {
    krb5_error_code ret;
@@ -447,17 +447,17 @@ v5_loop (krb5_context context,
 	doing_useful_work = 0;
 	if(term_flag)
 	    exit(0);
-	ret = krb5_read_priv_message(context, ac, &fd, &in);
+	ret = krb5_read_priv_message(contextp, ac, &fd, &in);
 	if(ret == HEIM_ERR_EOF)
 	    exit(0);
 	if(ret)
-	    krb5_err(context, 1, ret, "krb5_read_priv_message");
+	    krb5_err(contextp, 1, ret, "krb5_read_priv_message");
 	doing_useful_work = 1;
-	kadmind_dispatch(kadm_handle, initial, &in, &out);
+	kadmind_dispatch(kadm_handlep, initial, &in, &out);
 	krb5_data_free(&in);
-	ret = krb5_write_priv_message(context, ac, &fd, &out);
+	ret = krb5_write_priv_message(contextp, ac, &fd, &out);
 	if(ret)
-	    krb5_err(context, 1, ret, "krb5_write_priv_message");
+	    krb5_err(contextp, 1, ret, "krb5_write_priv_message");
    }
 }
@@ -467,12 +467,13 @@ match_appl_version(const void *data, const char *appl_version)
    unsigned minor;
    if(sscanf(appl_version, "KADM0.%u", &minor) != 1)
 	return 0;
-    *(unsigned*)data = minor;
+    /*XXX*/
    *(unsigned*)(intptr_t)data = minor;
    return 1;
 }
 static void
-handle_v5(krb5_context context,
+handle_v5(krb5_context contextp,
 	  krb5_keytab keytab,
 	  krb5_socket_t fd)
 {
@@ -480,29 +481,29 @@ handle_v5(krb5_context context,
    krb5_ticket *ticket;
    char *server_name;
    char *client;
-    void *kadm_handle;
+    void *kadm_handlep;
    krb5_boolean initial;
    krb5_auth_context ac = NULL;
    unsigned kadm_version;
    kadm5_config_params realm_params;
-    ret = krb5_recvauth_match_version(context, &ac, &fd,
+    ret = krb5_recvauth_match_version(contextp, &ac, &fd,
 				      match_appl_version, &kadm_version,
 				      NULL, KRB5_RECVAUTH_IGNORE_VERSION,
 				      keytab, &ticket);
    if(ret == KRB5_KT_NOTFOUND)
-	krb5_errx(context, 1, "krb5_recvauth: key not found");
+	krb5_errx(contextp, 1, "krb5_recvauth: key not found");
    if(ret)
-	krb5_err(context, 1, ret, "krb5_recvauth");
+	krb5_err(contextp, 1, ret, "krb5_recvauth");
-    ret = krb5_unparse_name (context, ticket->server, &server_name);
+    ret = krb5_unparse_name (contextp, ticket->server, &server_name);
    if (ret)
-	krb5_err (context, 1, ret, "krb5_unparse_name");
+	krb5_err (contextp, 1, ret, "krb5_unparse_name");
    if (strncmp (server_name, KADM5_ADMIN_SERVICE,
 		 strlen(KADM5_ADMIN_SERVICE)) != 0)
-	krb5_errx (context, 1, "ticket for strange principal (%s)",
+	krb5_errx (contextp, 1, "ticket for strange principal (%s)",
 		   server_name);
    free (server_name);
@@ -511,31 +512,31 @@ handle_v5(krb5_context context,
    if(kadm_version == 1) {
 	krb5_data params;
-	ret = krb5_read_priv_message(context, ac, &fd, &params);
+	ret = krb5_read_priv_message(contextp, ac, &fd, &params);
 	if(ret)
-	    krb5_err(context, 1, ret, "krb5_read_priv_message");
+	    krb5_err(contextp, 1, ret, "krb5_read_priv_message");
-	_kadm5_unmarshal_params(context, &params, &realm_params);
+	_kadm5_unmarshal_params(contextp, &params, &realm_params);
    }
    initial = ticket->ticket.flags.initial;
-    ret = krb5_unparse_name(context, ticket->client, &client);
+    ret = krb5_unparse_name(contextp, ticket->client, &client);
    if (ret)
-	krb5_err (context, 1, ret, "krb5_unparse_name");
+	krb5_err (contextp, 1, ret, "krb5_unparse_name");
-    krb5_free_ticket (context, ticket);
+    krb5_free_ticket (contextp, ticket);
-    ret = kadm5_s_init_with_password_ctx(context,
+    ret = kadm5_s_init_with_password_ctx(contextp,
 					 client,
 					 NULL,
 					 KADM5_ADMIN_SERVICE,
 					 &realm_params,
 					 0, 0,
-					 &kadm_handle);
+					 &kadm_handlep);
    if(ret)
-	krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
+	krb5_err (contextp, 1, ret, "kadm5_init_with_password_ctx");
-    v5_loop (context, ac, initial, kadm_handle, fd);
+    v5_loop (contextp, ac, initial, kadm_handlep, fd);
 }
 krb5_error_code
-kadmind_loop(krb5_context context,
+kadmind_loop(krb5_context contextp,
 	     krb5_keytab keytab,
 	     krb5_socket_t sock)
 {
@@ -543,30 +544,30 @@ kadmind_loop(krb5_context context,
    ssize_t n;
    unsigned long len;
-    n = krb5_net_read(context, &sock, buf, 4);
+    n = krb5_net_read(contextp, &sock, buf, 4);
    if(n == 0)
 	exit(0);
    if(n < 0)
-	krb5_err(context, 1, errno, "read");
+	krb5_err(contextp, 1, errno, "read");
    _krb5_get_int(buf, &len, 4);
    if (len == sizeof(KRB5_SENDAUTH_VERSION)) {
-	n = krb5_net_read(context, &sock, buf + 4, len);
+	n = krb5_net_read(contextp, &sock, buf + 4, len);
 	if (n < 0)
-	    krb5_err (context, 1, errno, "reading sendauth version");
+	    krb5_err (contextp, 1, errno, "reading sendauth version");
 	if (n == 0)
-	    krb5_errx (context, 1, "EOF reading sendauth version");
+	    krb5_errx (contextp, 1, "EOF reading sendauth version");
 	if(memcmp(buf + 4, KRB5_SENDAUTH_VERSION, len) == 0) {
-	    handle_v5(context, keytab, sock);
+	    handle_v5(contextp, keytab, sock);
 	    return 0;
 	}
 	len += 4;
    } else
 	len = 4;
-    handle_mit(context, buf, len, sock);
+    handle_mit(contextp, buf, len, sock);
    return 0;
 }
--- a/kadmin/util.c
+++ b/kadmin/util.c
@@ -65,7 +65,7 @@ struct units kdb_attrs[] = {
    { "disallow-tgt-based",	KRB5_KDB_DISALLOW_TGT_BASED },
    { "disallow-forwardable",	KRB5_KDB_DISALLOW_FORWARDABLE },
    { "disallow-postdated",	KRB5_KDB_DISALLOW_POSTDATED },
-    { NULL }
+    { NULL, 0 }
 };
 /*
@@ -188,7 +188,7 @@ str2time_t (const char *str, time_t *t)
    if (str[0] == '+') {
 	str++;
 	*t = parse_time(str, "month");
-	if (t < 0)
+	if (*t < 0)
 	    return -1;
 	*t += time(NULL);
 	return 0;
@@ -430,7 +430,7 @@ edit_entry(kadm5_principal_ent_t ent, int *mask,
 */
 int
-set_entry(krb5_context context,
+set_entry(krb5_context contextp,
 	  kadm5_principal_ent_t ent,
 	  int *mask,
 	  const char *max_ticket_life,
@@ -442,14 +442,14 @@ set_entry(krb5_context context,
    if (max_ticket_life != NULL) {
 	if (parse_deltat (max_ticket_life, &ent->max_life,
 			  mask, KADM5_MAX_LIFE)) {
-	    krb5_warnx (context, "unable to parse `%s'", max_ticket_life);
+	    krb5_warnx (contextp, "unable to parse `%s'", max_ticket_life);
 	    return 1;
 	}
    }
    if (max_renewable_life != NULL) {
 	if (parse_deltat (max_renewable_life, &ent->max_renewable_life,
 			  mask, KADM5_MAX_RLIFE)) {
-	    krb5_warnx (context, "unable to parse `%s'", max_renewable_life);
+	    krb5_warnx (contextp, "unable to parse `%s'", max_renewable_life);
 	    return 1;
 	}
    }
@@ -457,21 +457,21 @@ set_entry(krb5_context context,
    if (expiration) {
 	if (parse_timet (expiration, &ent->princ_expire_time,
 			mask, KADM5_PRINC_EXPIRE_TIME)) {
-	    krb5_warnx (context, "unable to parse `%s'", expiration);
+	    krb5_warnx (contextp, "unable to parse `%s'", expiration);
 	    return 1;
 	}
    }
    if (pw_expiration) {
 	if (parse_timet (pw_expiration, &ent->pw_expiration,
 			 mask, KADM5_PW_EXPIRATION)) {
-	    krb5_warnx (context, "unable to parse `%s'", pw_expiration);
+	    krb5_warnx (contextp, "unable to parse `%s'", pw_expiration);
 	    return 1;
 	}
    }
    if (attributes != NULL) {
 	if (parse_attributes (attributes, &ent->attributes,
 			      mask, KADM5_ATTRIBUTES)) {
-	    krb5_warnx (context, "unable to parse `%s'", attributes);
+	    krb5_warnx (contextp, "unable to parse `%s'", attributes);
 	    return 1;
 	}
    }
--- a/kcm/kcm.8
+++ b/kcm/kcm.8
@@ -127,91 +127,42 @@ the ticket itself.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl -cache-name= Ns Ar cachename
 .Fl -cache-name= Ns Ar cachename
 .Xc
 system cache name
-.It Xo
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 .Fl c Ar file ,
 .Fl -config-file= Ns Ar file
 .Xc
 location of config file
-.It Xo
+.It Fl g Ar group , Fl -group= Ns Ar group
 .Fl g Ar group ,
 .Fl -group= Ns Ar group
 .Xc
 system cache group
-.It Xo
+.It Fl -max-request= Ns Ar size
 .Fl -max-request= Ns Ar size
 .Xc
 max size for a kcm-request
-.It Xo
+.It Fl -disallow-getting-krbtgt
 .Fl -disallow-getting-krbtgt
 .Xc
 disallow extracting any krbtgt from the
 .Nm kcm
 daemon.
-.It Xo
+.It Fl -detach
 .Fl -detach
 .Xc
 detach from console
-.It Xo
+.It Fl h , Fl -help
-.Fl h ,
+.It Fl k Ar principal , Fl -system-principal= Ns Ar principal
 .Fl -help
 .Xc
 .It Xo
 .Fl k Ar principal ,
 .Fl -system-principal= Ns Ar principal
 .Xc
 system principal name
-.It Xo
+.It Fl l Ar time , Fl -lifetime= Ns Ar time
 .Fl l Ar time ,
 .Fl -lifetime= Ns Ar time
 .Xc
 lifetime of system tickets
-.It Xo
+.It Fl m Ar mode , Fl -mode= Ns Ar mode
 .Fl m Ar mode ,
 .Fl -mode= Ns Ar mode
 .Xc
 octal mode of system cache
-.It Xo
+.It Fl n , Fl -no-name-constraints
 .Fl n ,
 .Fl -no-name-constraints
 .Xc
 disable credentials cache name constraints
-.It Xo
+.It Fl r Ar time , Fl -renewable-life= Ns Ar time
 .Fl r Ar time ,
 .Fl -renewable-life= Ns Ar time
 .Xc
 renewable lifetime of system tickets
-.It Xo
+.It Fl s Ar path , Fl -socket-path= Ns Ar path
 .Fl s Ar path ,
 .Fl -socket-path= Ns Ar path
 .Xc
 path to kcm domain socket
-.It Xo
+.It Fl -door-path= Ns Ar path
 .Fl -door-path= Ns Ar path
 .Xc
 path to kcm door socket
-.It Xo
+.It Fl S Ar principal , Fl -server= Ns Ar principal
 .Fl S Ar principal ,
 .Fl -server= Ns Ar principal
 .Xc
 server to get system ticket for
-.It Xo
+.It Fl t Ar keytab , Fl -keytab= Ns Ar keytab
 .Fl t Ar keytab ,
 .Fl -keytab= Ns Ar keytab
 .Xc
 system keytab name
-.It Xo
+.It Fl u Ar user , Fl -user= Ns Ar user
 .Fl u Ar user ,
 .Fl -user= Ns Ar user
 .Xc
 system cache owner
-.It Xo
+.It Fl v , Fl -version
 .Fl v ,
 .Fl -version
 .Xc
 .El
 .\".Sh ENVIRONMENT
 .\".Sh FILES
--- a/kdc/Makefile.am
+++ b/kdc/Makefile.am
@@ -115,7 +115,8 @@ kdc_CFLAGS = $(CAPNG_CFLAGS)
 digest_service_LDADD = \
 	libkdc.la \
-	../lib/ipc/libheim-ipcs.la \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
 	$(top_builddir)/lib/ipc/libheim-ipcs.la \
 	$(LDADD) $(LIB_pidfile)
 kdc_replay_LDADD = libkdc.la $(LDADD) $(LIB_pidfile)
--- a/kdc/config.c
+++ b/kdc/config.c
@@ -50,10 +50,6 @@ static int require_preauth = -1; /* 1 == require preauth for all principals */
 static char *max_request_str;	/* `max_request' as a string */
 static int disable_des = -1;
 static int enable_v4 = -1;
 static int enable_kaserver = -1;
 static int enable_524 = -1;
 static int enable_v4_cross_realm = -1;
 static int builtin_hdb_flag;
 static int help_flag;
@@ -61,8 +57,6 @@ static int version_flag;
 static struct getarg_strings addresses_str;	/* addresses to listen on */
 static char *v4_realm;
 char *runas_string;
 char *chroot_string;
@@ -74,31 +68,14 @@ static struct getargs args[] = {
    },
    {
 	"require-preauth",	'p',	arg_negative_flag, &require_preauth,
-	"don't require pa-data in as-reqs"
+	"don't require pa-data in as-reqs", NULL
    },
    {
 	"max-request",	0,	arg_string, &max_request_str,
 	"max size for a kdc-request", "size"
    },
-    { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
+    { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support",
-    {	"524",		0, 	arg_negative_flag, &enable_524,
+   	 NULL },
 	"don't respond to 524 requests"
    },
    {
 	"kaserver", 'K', arg_flag,   &enable_kaserver,
 	"enable kaserver support"
    },
    {	"kerberos4",	0, 	arg_flag, &enable_v4,
 	"respond to kerberos 4 requests"
    },
    {
 	"v4-realm",	'r',	arg_string, &v4_realm,
 	"realm to serve v4-requests for"
    },
    {	"kerberos4-cross-realm",	0, 	arg_flag,
 	&enable_v4_cross_realm,
 	"respond to kerberos 4 requests from foreign realms"
    },
    {	"ports",	'P', 	arg_string, rk_UNCONST(&port_str),
 	"ports to listen to", "portspec"
    },
@@ -106,29 +83,29 @@ static struct getargs args[] = {
 #if DETACH_IS_DEFAULT
    {
 	"detach",       'D',      arg_negative_flag, &detach_from_console,
-	"don't detach from console"
+	"don't detach from console", NULL
    },
 #else
    {
 	"detach",       0 ,      arg_flag, &detach_from_console,
-	"detach from console"
+	"detach from console", NULL
    },
 #endif
 #endif
    {	"addresses",	0,	arg_strings, &addresses_str,
 	"addresses to listen on", "list of addresses" },
    {	"disable-des",	0,	arg_flag, &disable_des,
-	"disable DES" },
+	"disable DES", NULL },
    {	"builtin-hdb",	0,	arg_flag,   &builtin_hdb_flag,
-	"list builtin hdb backends"},
+	"list builtin hdb backends", NULL},
    {   "runas-user",	0,	arg_string, &runas_string,
-	"run as this user when connected to network"
+	"run as this user when connected to network", NULL
    },
    {   "chroot",	0,	arg_string, &chroot_string,
-	"chroot directory to run in"
+	"chroot directory to run in", NULL
    },
-    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"help",		'h',	arg_flag,   &help_flag, NULL, NULL },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
@@ -261,15 +238,6 @@ configure(krb5_context context, int argc, char **argv)
 	}
    }
    if(enable_v4 != -1)
 	config->enable_v4 = enable_v4;
    if(enable_v4_cross_realm != -1)
 	config->enable_v4_cross_realm = enable_v4_cross_realm;
    if(enable_524 != -1)
 	config->enable_524 = enable_524;
    if(enable_http == -1)
 	enable_http = krb5_config_get_bool(context, NULL, "kdc",
 					   "enable-http", NULL);
@@ -285,9 +253,6 @@ configure(krb5_context context, int argc, char **argv)
 	krb5_errx(context, 1, "enforce-transited-policy deprecated, "
 		  "use [kdc]transited-policy instead");
    if (enable_kaserver != -1)
 	config->enable_kaserver = enable_kaserver;
 #ifdef SUPPORT_DETACH
    if(detach_from_console == -1)
 	detach_from_console = krb5_config_get_bool_default(context, NULL,
@@ -304,12 +269,6 @@ configure(krb5_context context, int argc, char **argv)
    if (port_str == NULL)
 	port_str = "+";
    if (v4_realm)
 	config->v4_realm = v4_realm;
    if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4))
 	krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured");
    if(disable_des == -1)
 	disable_des = krb5_config_get_bool_default(context, NULL,
 						   FALSE,
@@ -322,13 +281,6 @@ configure(krb5_context context, int argc, char **argv)
 	krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
 	krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
 	krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
 	kdc_log(context, config,
 		0, "DES was disabled, turned off Kerberos V4, 524 "
 		"and kaserver");
 	config->enable_v4 = 0;
 	config->enable_524 = 0;
 	config->enable_kaserver = 0;
    }
    krb5_kdc_windc_init(context);
--- a/kdc/connect.c
+++ b/kdc/connect.c
@@ -60,7 +60,7 @@ struct port_desc{
 /* the current ones */
 static struct port_desc *ports;
-static int num_ports;
+static size_t num_ports;
 /*
 * add `family, port, protocol' to the list with duplicate suppresion.
@@ -71,7 +71,7 @@ add_port(krb5_context context,
 	 int family, int port, const char *protocol)
 {
    int type;
-    int i;
+    size_t i;
    if(strcmp(protocol, "udp") == 0)
 	type = SOCK_DGRAM;
@@ -148,16 +148,6 @@ add_standard_ports (krb5_context context,
    add_port_service(context, family, "kerberos-sec", 88, "tcp");
    if(enable_http)
 	add_port_service(context, family, "http", 80, "tcp");
    if(config->enable_524) {
 	add_port_service(context, family, "krb524", 4444, "udp");
 	add_port_service(context, family, "krb524", 4444, "tcp");
    }
    if(config->enable_v4) {
 	add_port_service(context, family, "kerberos-iv", 750, "udp");
 	add_port_service(context, family, "kerberos-iv", 750, "tcp");
    }
    if (config->enable_kaserver)
 	add_port_service(context, family, "afs3-kaserver", 7004, "udp");
    if(config->enable_kx509) {
 	add_port_service(context, family, "kca_service", 9878, "udp");
 	add_port_service(context, family, "kca_service", 9878, "tcp");
@@ -324,7 +314,7 @@ init_sockets(krb5_context context,
 	     struct descr **desc)
 {
    krb5_error_code ret;
-    int i, j;
+    size_t i, j;
    struct descr *d;
    int num = 0;
    krb5_addresses addresses;
@@ -478,7 +468,7 @@ handle_udp(krb5_context context,
 	   struct descr *d)
 {
    unsigned char *buf;
-    int n;
+    ssize_t n;
    buf = malloc(max_request_udp);
    if(buf == NULL){
@@ -493,7 +483,7 @@ handle_udp(krb5_context context,
    else {
 	addr_to_string (context, d->sa, d->sock_len,
 			d->addr_string, sizeof(d->addr_string));
-	if (n == max_request_udp) {
+	if ((size_t)n == max_request_udp) {
 	    krb5_data data;
 	    krb5_warn(context, errno,
 		      "recvfrom: truncated packet from %s, asking for TCP",
@@ -754,7 +744,7 @@ handle_http_tcp (krb5_context context,
 	    return -1;
 	}
    }
-    if (len > d->len)
+    if ((size_t)len > d->len)
        len = d->len;
    memcpy(d->buf, data, len);
    d->len = len;
@@ -864,7 +854,7 @@ loop(krb5_context context,
 	fd_set fds;
 	int min_free = -1;
 	int max_fd = 0;
-	int i;
+	size_t i;
 	FD_ZERO(&fds);
 	for(i = 0; i < ndescr; i++) {
@@ -886,7 +876,7 @@ loop(krb5_context context,
 #endif
 #endif
 		FD_SET(d[i].s, &fds);
-	    } else if(min_free < 0 || i < min_free)
+	    } else if(min_free < 0 || i < (size_t)min_free)
 		min_free = i;
 	}
 	if(min_free == -1){
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -55,10 +55,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
    c->allow_null_ticket_addresses = TRUE;
    c->allow_anonymous = FALSE;
    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
    c->enable_v4 = FALSE;
    c->enable_kaserver = FALSE;
    c->enable_524 = FALSE;
    c->enable_v4_cross_realm = FALSE;
    c->enable_pkinit = FALSE;
    c->pkinit_princ_in_cert = TRUE;
    c->pkinit_require_binding = TRUE;
@@ -70,19 +66,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 	krb5_config_get_bool_default(context, NULL,
 				     c->require_preauth,
 				     "kdc", "require-preauth", NULL);
    c->enable_v4 =
 	krb5_config_get_bool_default(context, NULL,
 				     c->enable_v4,
 				     "kdc", "enable-kerberos4", NULL);
    c->enable_v4_cross_realm =
 	krb5_config_get_bool_default(context, NULL,
 				     c->enable_v4_cross_realm,
 				     "kdc",
 				     "enable-kerberos4-cross-realm", NULL);
    c->enable_524 =
 	krb5_config_get_bool_default(context, NULL,
 				     c->enable_v4,
 				     "kdc", "enable-524", NULL);
 #ifdef DIGEST
    c->enable_digest =
 	krb5_config_get_bool_default(context, NULL,
@@ -180,28 +163,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 	}
    }
    {
 	const char *p;
 	p = krb5_config_get_string (context, NULL,
 				    "kdc",
 				    "v4-realm",
 				    NULL);
 	if(p != NULL) {
 	    c->v4_realm = strdup(p);
 	    if (c->v4_realm == NULL)
 		krb5_errx(context, 1, "out of memory");
 	} else {
 	    c->v4_realm = NULL;
 	}
    }
    c->enable_kaserver =
 	krb5_config_get_bool_default(context,
 				     NULL,
 				     c->enable_kaserver,
 				     "kdc", "enable-kaserver", NULL);
    c->encode_as_rep_as_tgs_rep =
 	krb5_config_get_bool_default(context, NULL,
 				     c->encode_as_rep_as_tgs_rep,
--- a/kdc/digest-service.c
+++ b/kdc/digest-service.c
@@ -63,7 +63,7 @@ ntlm_service(void *ctx, const heim_idata *req,
    NTLMReply ntp;
    size_t size;
    int ret;
-    char *domain;
+    const char *domain;
    kdc_log(context, config, 1, "digest-request: uid=%d",
 	    (int)heim_ipc_cred_get_uid(cred));
@@ -184,13 +184,13 @@ ntlm_service(void *ctx, const heim_idata *req,
 	free(answer.data);
 	{
-	    EVP_MD_CTX *ctx;
+	    EVP_MD_CTX *ctxp;
-	    ctx = EVP_MD_CTX_create();
+	    ctxp = EVP_MD_CTX_create();
-	    EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
+	    EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
-	    EVP_DigestUpdate(ctx, key->key.keyvalue.data, key->key.keyvalue.length);
+	    EVP_DigestUpdate(ctxp, key->key.keyvalue.data, key->key.keyvalue.length);
-	    EVP_DigestFinal_ex(ctx, sessionkey, NULL);
+	    EVP_DigestFinal_ex(ctxp, sessionkey, NULL);
-	    EVP_MD_CTX_destroy(ctx);
+	    EVP_MD_CTX_destroy(ctxp);
 	}
    }
@@ -218,8 +218,8 @@ static int help_flag;
 static int version_flag;
 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"help",		'h',	arg_flag,   &help_flag, NULL, NULL },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
@@ -272,6 +272,10 @@ main(int argc, char **argv)
 	heim_sipc_timeout(60);
    }
 #endif
    {
 	heim_sipc un;
 	heim_sipc_service_unix("org.h5l.ntlm-service", ntlm_service, NULL, &un);
    }
    heim_ipc_main();
    return 0;
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -257,7 +257,7 @@ _kdc_do_digest(krb5_context context,
    /* check the server principal in the ticket matches digest/R@R */
    {
 	krb5_principal principal = NULL;
-	const char *p, *r;
+	const char *p, *rr;
 	ret = krb5_ticket_get_server(context, ticket, &principal);
 	if (ret)
@@ -280,12 +280,12 @@ _kdc_do_digest(krb5_context context,
 	    krb5_free_principal(context, principal);
 	    goto out;
 	}
-	r = krb5_principal_get_realm(context, principal);
+	rr = krb5_principal_get_realm(context, principal);
-	if (r == NULL) {
+	if (rr == NULL) {
 	    krb5_free_principal(context, principal);
 	    goto out;
 	}
-	if (strcmp(p, r) != 0) {
+	if (strcmp(p, rr) != 0) {
 	    krb5_free_principal(context, principal);
 	    goto out;
 	}
@@ -616,7 +616,7 @@ _kdc_do_digest(krb5_context context,
 	    EVP_MD_CTX *ctx;
 	    unsigned char md[MD5_DIGEST_LENGTH];
 	    char *mdx;
-	    char id;
+	    char idx;
 	    if ((config->digests_allowed & CHAP_MD5) == 0) {
 		kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
@@ -630,7 +630,7 @@ _kdc_do_digest(krb5_context context,
 		goto out;
 	    }
-	    if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
+	    if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) {
 		ret = EINVAL;
 		krb5_set_error_message(context, ret, "failed to decode identifier");
 		goto out;
@@ -645,7 +645,7 @@ _kdc_do_digest(krb5_context context,
 	    ctx = EVP_MD_CTX_create();
 	    EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
-	    EVP_DigestUpdate(ctx, &id, 1);
+	    EVP_DigestUpdate(ctx, &idx, 1);
 	    EVP_DigestUpdate(ctx, password, strlen(password));
 	    EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
 	    EVP_DigestFinal_ex(ctx, md, NULL);
@@ -804,7 +804,7 @@ _kdc_do_digest(krb5_context context,
 	    const char *username;
 	    struct ntlm_buf answer;
 	    Key *key = NULL;
-	    EVP_MD_CTX *ctx;
+	    EVP_MD_CTX *ctp;
 	    if ((config->digests_allowed & MS_CHAP_V2) == 0) {
 		kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
@@ -831,10 +831,10 @@ _kdc_do_digest(krb5_context context,
 	    else
 		username++;
-	    ctx = EVP_MD_CTX_create();
+	    ctp = EVP_MD_CTX_create();
 	    /* ChallangeHash */
-	    EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+	    EVP_DigestInit_ex(ctp, EVP_sha1(), NULL);
 	    {
 		ssize_t ssize;
 		krb5_data clientNonce;
@@ -845,7 +845,7 @@ _kdc_do_digest(krb5_context context,
 		    ret = ENOMEM;
 		    krb5_set_error_message(context, ret,
 					   "malloc: out of memory");
-		    EVP_MD_CTX_destroy(ctx);
+		    EVP_MD_CTX_destroy(ctp);
 		    goto out;
 		}
@@ -855,18 +855,18 @@ _kdc_do_digest(krb5_context context,
 		    ret = ENOMEM;
 		    krb5_set_error_message(context, ret,
 					   "Failed to decode clientNonce");
-		    EVP_MD_CTX_destroy(ctx);
+		    EVP_MD_CTX_destroy(ctp);
 		    goto out;
 		}
-		EVP_DigestUpdate(ctx, clientNonce.data, ssize);
+		EVP_DigestUpdate(ctp, clientNonce.data, ssize);
 		free(clientNonce.data);
 	    }
-	    EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
+	    EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length);
-	    EVP_DigestUpdate(ctx, username, strlen(username));
+	    EVP_DigestUpdate(ctp, username, strlen(username));
-	    EVP_DigestFinal_ex(ctx, challange, NULL);
+	    EVP_DigestFinal_ex(ctp, challange, NULL);
-	    EVP_MD_CTX_destroy(ctx);
+	    EVP_MD_CTX_destroy(ctp);
 	    /* NtPasswordHash */
 	    ret = krb5_parse_name(context, username, &clientprincipal);
@@ -923,39 +923,39 @@ _kdc_do_digest(krb5_context context,
 	    if (r.u.response.success) {
 		unsigned char hashhash[MD4_DIGEST_LENGTH];
-		EVP_MD_CTX *ctx;
+		EVP_MD_CTX *ctxp;
-		ctx = EVP_MD_CTX_create();
+		ctxp = EVP_MD_CTX_create();
 		/* hashhash */
 		{
-		    EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
+		    EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
-		    EVP_DigestUpdate(ctx,
+		    EVP_DigestUpdate(ctxp,
 				     key->key.keyvalue.data,
 				     key->key.keyvalue.length);
-		    EVP_DigestFinal_ex(ctx, hashhash, NULL);
+		    EVP_DigestFinal_ex(ctxp, hashhash, NULL);
 		}
 		/* GenerateAuthenticatorResponse */
-		EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+		EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
-		EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash));
+		EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash));
-		EVP_DigestUpdate(ctx, answer.data, answer.length);
+		EVP_DigestUpdate(ctxp, answer.data, answer.length);
-		EVP_DigestUpdate(ctx, ms_chap_v2_magic1,
+		EVP_DigestUpdate(ctxp, ms_chap_v2_magic1,
 				 sizeof(ms_chap_v2_magic1));
-		EVP_DigestFinal_ex(ctx, md, NULL);
+		EVP_DigestFinal_ex(ctxp, md, NULL);
-		EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+		EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
-		EVP_DigestUpdate(ctx, md, sizeof(md));
+		EVP_DigestUpdate(ctxp, md, sizeof(md));
-		EVP_DigestUpdate(ctx, challange, 8);
+		EVP_DigestUpdate(ctxp, challange, 8);
-		EVP_DigestUpdate(ctx, ms_chap_v2_magic2,
+		EVP_DigestUpdate(ctxp, ms_chap_v2_magic2,
 				 sizeof(ms_chap_v2_magic2));
-		EVP_DigestFinal_ex(ctx, md, NULL);
+		EVP_DigestFinal_ex(ctxp, md, NULL);
 		r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
 		if (r.u.response.rsp == NULL) {
 		    free(answer.data);
 		    krb5_clear_error_message(context);
-		    EVP_MD_CTX_destroy(ctx);
+		    EVP_MD_CTX_destroy(ctxp);
 		    ret = ENOMEM;
 		    goto out;
 		}
@@ -964,22 +964,22 @@ _kdc_do_digest(krb5_context context,
 		if (r.u.response.rsp == NULL) {
 		    free(answer.data);
 		    krb5_clear_error_message(context);
-		    EVP_MD_CTX_destroy(ctx);
+		    EVP_MD_CTX_destroy(ctxp);
 		    ret = ENOMEM;
 		    goto out;
 		}
 		/* get_master, rfc 3079 3.4 */
-		EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+		EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
-		EVP_DigestUpdate(ctx, hashhash, 16);
+		EVP_DigestUpdate(ctxp, hashhash, 16);
-		EVP_DigestUpdate(ctx, answer.data, answer.length);
+		EVP_DigestUpdate(ctxp, answer.data, answer.length);
-		EVP_DigestUpdate(ctx, ms_rfc3079_magic1,
+		EVP_DigestUpdate(ctxp, ms_rfc3079_magic1,
 				 sizeof(ms_rfc3079_magic1));
-		EVP_DigestFinal_ex(ctx, md, NULL);
+		EVP_DigestFinal_ex(ctxp, md, NULL);
 		free(answer.data);
-		EVP_MD_CTX_destroy(ctx);
+		EVP_MD_CTX_destroy(ctxp);
 		r.u.response.session_key =
 		    calloc(1, sizeof(*r.u.response.session_key));
--- a/kdc/hprop.8
+++ b/kdc/hprop.8
@@ -89,19 +89,11 @@ specified on the command by opening a TCP connection to port 754
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl m Ar file , Fl -master-key= Ns Pa file
 .Fl m Ar file ,
 .Fl -master-key= Ns Pa file
 .Xc
 Where to find the master key to encrypt or decrypt keys with.
-.It Xo
+.It Fl d Ar file , Fl -database= Ns Pa file
 .Fl d Ar file ,
 .Fl -database= Ns Pa file
 .Xc
 The database to be propagated.
-.It Xo
+.It Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver
 .Fl -source= Ns Ar heimdal|mit-dump
 .Xc
 Specifies the type of the source database. Alternatives include:
 .Pp
 .Bl -tag -width mit-dump -compact -offset indent
@@ -110,42 +102,27 @@ a Heimdal database
 .It mit-dump
 a MIT Kerberos 5 dump file
 .El
-.It Xo
+.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
 .Fl k Ar keytab ,
 .Fl -keytab= Ns Ar keytab
 .Xc
 The keytab to use for fetching the key to be used for authenticating
 to the propagation daemon(s). The key
 .Pa hprop/hostname
 is used from this keytab.  The default is to fetch the key from the
 KDC database.
-.It Xo
+.It Fl R Ar string , Fl -v5-realm= Ns Ar string
 .Fl R Ar string ,
 .Fl -v5-realm= Ns Ar string
 .Xc
 Local realm override.
-.It Xo
+.It Fl D , Fl -decrypt
 .Fl D ,
 .Fl -decrypt
 .Xc
 The encryption keys in the database can either be in clear, or
 encrypted with a master key. This option transmits the database with
 unencrypted keys.
-.It Xo
+.It Fl E , Fl -encrypt
 .Fl E ,
 .Fl -encrypt
 .Xc
 This option transmits the database with encrypted keys.
-.It Xo
+.It Fl n , Fl -stdout
 .Fl n ,
 .Fl -stdout
 .Xc
 Dump the database on stdout, in a format that can be fed to hpropd.
 .El
 .Sh EXAMPLES
 The following will propagate a database to another machine (which
 should run
-.Xr hpropd 8 ):
+.Xr hpropd 8 ) :
 .Bd -literal -offset indent
 $ hprop slave-1 slave-2
 .Ed
--- a/kdc/hprop.c
+++ b/kdc/hprop.c
@@ -133,13 +133,13 @@ struct getargs args[] = {
    { "keytab",   'k',	arg_string, rk_UNCONST(&ktname),
      "keytab to use for authentication", "keytab" },
-    { "v5-realm", 'R',  arg_string, &local_realm, "v5 realm to use" },
+    { "v5-realm", 'R',  arg_string, &local_realm, "v5 realm to use", NULL },
-    { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys" },
+    { "decrypt",  'D',  arg_flag,   &decrypt_flag,   "decrypt keys", NULL },
-    { "encrypt",  'E',  arg_flag,   &encrypt_flag,   "encrypt keys" },
+    { "encrypt",  'E',  arg_flag,   &encrypt_flag,   "encrypt keys", NULL },
-    { "stdout",	  'n',  arg_flag,   &to_stdout, "dump to stdout" },
+    { "stdout",	  'n',  arg_flag,   &to_stdout, "dump to stdout", NULL },
-    { "verbose",  'v',	arg_flag, &verbose_flag },
+    { "verbose",  'v',	arg_flag, &verbose_flag, NULL, NULL },
-    { "version",   0,	arg_flag, &version_flag },
+    { "version",   0,	arg_flag, &version_flag, NULL, NULL },
-    { "help",     'h',	arg_flag, &help_flag }
+    { "help",     'h',	arg_flag, &help_flag, NULL, NULL }
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
@@ -213,7 +213,7 @@ struct {
 static int
 parse_source_type(const char *s)
 {
-    int i;
+    size_t i;
    for(i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
 	if(strstr(types[i].name, s) == types[i].name)
 	    return types[i].type;
--- a/kdc/hpropd.8
+++ b/kdc/hpropd.8
@@ -73,34 +73,17 @@ are accepted.
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Xo
+.It Fl d Ar file , Fl -database= Ns Ar file
 .Fl d Ar file ,
 .Fl -database= Ns Ar file
 .Xc
 database
-.It Xo
+.It Fl n , Fl -stdin
 .Fl n ,
 .Fl -stdin
 .Xc
 read from stdin
-.It Xo
+.It Fl -print
 .Fl -print
 .Xc
 print dump to stdout
-.It Xo
+.It Fl i , Fl -no-inetd
 .Fl i ,
 .Fl -no-inetd
 .Xc
 not started from inetd
-.It Xo
+.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
 .Fl k Ar keytab ,
 .Fl -keytab= Ns Ar keytab
 .Xc
 keytab to use for authentication
-.It Xo
+.It Fl 4 , Fl -v4dump
 .Fl 4 ,
 .Fl -v4dump
 .Xc
 create v4 type DB
 .El
 .Sh SEE ALSO
--- a/kdc/hpropd.c
+++ b/kdc/hpropd.c
@@ -44,19 +44,20 @@ static char *ktname = NULL;
 struct getargs args[] = {
    { "database", 'd', arg_string, rk_UNCONST(&database), "database", "file" },
-    { "stdin",    'n', arg_flag, &from_stdin, "read from stdin" },
+    { "stdin",    'n', arg_flag, &from_stdin, "read from stdin", NULL },
-    { "print",	    0, arg_flag, &print_dump, "print dump to stdout" },
+    { "print",	    0, arg_flag, &print_dump, "print dump to stdout", NULL },
 #ifdef SUPPORT_INETD
    { "inetd",	   'i',	arg_negative_flag,	&inetd_flag,
-      "Not started from inetd" },
+      "Not started from inetd", NULL },
 #endif
    { "keytab",   'k',	arg_string, &ktname,	"keytab to use for authentication", "keytab" },
-    { "realm",   'r',	arg_string, &local_realm, "realm to use" },
+    { "realm",   'r',	arg_string, &local_realm, "realm to use", NULL },
    { "version",    0, arg_flag, &version_flag, NULL, NULL },
    { "help",    'h',  arg_flag, &help_flag, NULL, NULL}
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
 static char unparseable_name[] = "unparseable name";
 static void
 usage(int ret)
@@ -194,7 +195,7 @@ main(int argc, char **argv)
 	    char *s;
 	    ret = krb5_unparse_name(context, c2, &s);
 	    if (ret)
-		s = "unparseable name";
+		s = unparseable_name;
 	    krb5_errx(context, 1, "Unauthorized connection from %s", s);
 	}
 	krb5_free_principal(context, c1);
@@ -260,7 +261,7 @@ main(int argc, char **argv)
 		char *s;
 		ret = krb5_unparse_name(context, entry.entry.principal, &s);
 		if (ret)
-		    s = strdup("unparseable name");
+		    s = strdup(unparseable_name);
 		krb5_warnx(context, "Entry exists: %s", s);
 		free(s);
 	    } else if(ret)
--- a/kdc/kdc.8
+++ b/kdc/kdc.8
@@ -72,17 +72,11 @@ or from a default compiled-in value.
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Xo
+.It Fl c Ar file , Fl -config-file= Ns Ar file
 .Fl c Ar file ,
 .Fl -config-file= Ns Ar file
 .Xc
 Specifies the location of the config file, the default is
 .Pa /var/heimdal/kdc.conf .
 This is the only value that can't be specified in the config file.
-.It Xo
+.It Fl p , Fl -no-require-preauth
 .Fl p ,
 .Fl -no-require-preauth
 .Xc
 Turn off the requirement for pre-autentication in the initial AS-REQ
 for all principals.
 The use of pre-authentication makes it more difficult to do offline
@@ -95,34 +89,20 @@ pre-athentication.
 The default is to require pre-authentication.
 Adding the require-preauth per principal is a more flexible way of
 handling this.
-.It Xo
+.It Fl -max-request= Ns Ar size
 .Fl -max-request= Ns Ar size
 .Xc
 Gives an upper limit on the size of the requests that the kdc is
 willing to handle.
-.It Xo
+.It Fl H , Fl -enable-http
 .Fl H ,
 .Fl -enable-http
 .Xc
 Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
-.It Xo
+.It Fl -no-524
 .Fl -no-524
 .Xc
 don't respond to 524 requests
-.It Xo
+.It Fl -kerberos4
 .Fl -kerberos4
 .Xc
 respond to Kerberos 4 requests
-.It Xo
+.It Fl -kerberos4-cross-realm
 .Fl -kerberos4-cross-realm
 .Xc
 respond to Kerberos 4 requests from foreign realms.
 This is a known security hole and should not be enabled unless you
 understand the consequences and are willing to live with them.
-.It Xo
+.It Fl r Ar string , Fl -v4-realm= Ns Ar string
 .Fl r Ar string ,
 .Fl -v4-realm= Ns Ar string
 .Xc
 What realm this server should act as when dealing with version 4
 requests.
 The database can contain any number of realms, but since the version 4
@@ -130,17 +110,11 @@ protocol doesn't contain a realm for the server, it must be explicitly
 specified.
 The default is whatever is returned by
 .Fn krb_get_lrealm .
-This option is only availabe if the KDC has been compiled with version
+This option is only available if the KDC has been compiled with version
 4 support.
-.It Xo
+.It Fl K , Fl -kaserver
 .Fl K ,
 .Fl -kaserver
 .Xc
 Enable kaserver emulation (in case it's compiled in).
-.It Xo
+.It Fl P Ar portspec , Fl -ports= Ns Ar portspec
 .Fl P Ar portspec ,
 .Fl -ports= Ns Ar portspec
 .Xc
 Specifies the set of ports the KDC should listen on.
 It is given as a
 white-space separated list of services or port numbers.
@@ -198,11 +172,8 @@ Permit anonymous tickets with no addresses.
 .It Li max-kdc-datagram-reply-length = Va number
 Maximum packet size the UDP rely that the KDC will transmit, instead
 the KDC sends back a reply telling the client to use TCP instead.
-.It Li transited-policy = Xo
+.It Li transited-policy = Li always-check \*(Ba \
-.Li always-check \*(Ba
+Li allow-per-principal | Li always-honour-request
 .Li allow-per-principal |
 .Li always-honour-request
 .Xc
 This controls how KDC requests with the
 .Li disable-transited-check
 flag are handled. It can be one of:
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -64,15 +64,6 @@ typedef struct krb5_kdc_configuration {
    krb5_boolean allow_anonymous;
    enum krb5_kdc_trpolicy trpolicy;
    char *v4_realm;
    krb5_boolean enable_v4;
    krb5_boolean enable_v4_cross_realm;
    krb5_boolean enable_v4_per_principal;
    krb5_boolean enable_kaserver;
    krb5_boolean enable_524;
    krb5_boolean enable_pkinit;
    krb5_boolean pkinit_princ_in_cert;
    const char *pkinit_kdc_identity;
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -74,9 +74,9 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
    if (req->padata == NULL)
 	return NULL;
-    while(*start < req->padata->len){
+    while((size_t)*start < req->padata->len){
 	(*start)++;
-	if(req->padata->val[*start - 1].padata_type == type)
+	if(req->padata->val[*start - 1].padata_type == (unsigned)type)
 	    return &req->padata->val[*start - 1];
    }
    return NULL;
@@ -127,7 +127,7 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
 		krb5_enctype *etypes, unsigned len,
 		Key **ret_key)
 {
-    int i;
+    size_t i;
    krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
    krb5_salt def_salt;
@@ -211,7 +211,7 @@ log_patypes(krb5_context context,
 {
    struct rk_strpool *p = NULL;
    char *str;
-    int i;
+    size_t i;
    for (i = 0; i < padata->len; i++) {
 	switch(padata->val[i].padata_type) {
@@ -614,7 +614,7 @@ log_as_req(krb5_context context,
    krb5_error_code ret;
    struct rk_strpool *p;
    char *str;
-    int i;
+    size_t i;
    p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
@@ -809,7 +809,7 @@ _kdc_check_addresses(krb5_context context,
    krb5_address addr;
    krb5_boolean result;
    krb5_boolean only_netbios = TRUE;
-    int i;
+    size_t i;
    if(config->check_ticket_addresses == 0)
 	return TRUE;
@@ -1035,7 +1035,7 @@ _kdc_as_rep(krb5_context context,
    {
 	const krb5_enctype *p;
 	krb5_enctype clientbest = ETYPE_NULL;
-	int i, j;
+	size_t i, j;
 	p = krb5_kerberos_enctypes(context);
@@ -1663,7 +1663,7 @@ _kdc_as_rep(krb5_context context,
 	PA_ClientCanonicalized canon;
 	krb5_data data;
 	PA_DATA pa;
-	krb5_crypto crypto;
+	krb5_crypto cryptox;
 	size_t len;
 	memset(&canon, 0, sizeof(canon));
@@ -1679,18 +1679,18 @@ _kdc_as_rep(krb5_context context,
 	    krb5_abortx(context, "internal asn.1 error");
 	/* sign using "returned session key" */
-	ret = krb5_crypto_init(context, &et.key, 0, &crypto);
+	ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
 	if (ret) {
 	    free(data.data);
 	    goto out;
 	}
-	ret = krb5_create_checksum(context, crypto,
+	ret = krb5_create_checksum(context, cryptox,
 				   KRB5_KU_CANONICALIZED_NAMES, 0,
 				   data.data, data.length,
 				   &canon.canon_checksum);
 	free(data.data);
-	krb5_crypto_destroy(context, crypto);
+	krb5_crypto_destroy(context, cryptox);
 	if (ret)
 	    goto out;
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -508,7 +508,7 @@ check_constrained_delegation(krb5_context context,
 {
    const HDB_Ext_Constrained_delegation_acl *acl;
    krb5_error_code ret;
-    int i;
+    size_t i;
    /* if client delegates to itself, that ok */
    if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
@@ -606,7 +606,7 @@ fix_transited_encoding(krb5_context context,
    krb5_error_code ret = 0;
    char **realms, **tmp;
    unsigned int num_realms;
-    int i;
+    size_t i;
    switch (tr->tr_type) {
    case DOMAIN_X500_COMPRESS:
@@ -1131,6 +1131,7 @@ tgs_parse_request(krb5_context context,
 		  krb5_keyblock **replykey,
 		  int *rk_is_subkey)
 {
    static char failed[] = "<unparse_name failed>";
    krb5_ap_req ap_req;
    krb5_error_code ret;
    krb5_principal princ;
@@ -1174,7 +1175,7 @@ tgs_parse_request(krb5_context context,
 	char *p;
 	ret = krb5_unparse_name(context, princ, &p);
 	if (ret != 0)
-	    p = "<unparse_name failed>";
+	    p = failed;
 	krb5_free_principal(context, princ);
 	kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
 	if (ret == 0)
@@ -1186,7 +1187,7 @@ tgs_parse_request(krb5_context context,
 	char *p;
 	ret = krb5_unparse_name(context, princ, &p);
 	if (ret != 0)
-	    p = "<unparse_name failed>";
+	    p = failed;
 	krb5_free_principal(context, princ);
 	kdc_log(context, config, 0,
 		"Ticket-granting ticket not found in database: %s", msg);
@@ -1198,13 +1199,13 @@ tgs_parse_request(krb5_context context,
    }
    if(ap_req.ticket.enc_part.kvno &&
-       *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
+       (size_t)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
 	char *p;
 	ret = krb5_unparse_name (context, princ, &p);
 	krb5_free_principal(context, princ);
 	if (ret != 0)
-	    p = "<unparse_name failed>";
+	    p = failed;
 	kdc_log(context, config, 0,
 		"Ticket kvno = %d, DB kvno = %d (%s)",
 		*ap_req.ticket.enc_part.kvno,
@@ -1646,7 +1647,7 @@ server_lookup:
 	krb5_enctype etype;
 	if(b->kdc_options.enc_tkt_in_skey) {
-	    int i;
+	    size_t i;
 	    ekey = &adtkt.key;
 	    for(i = 0; i < b->etype.len; i++)
 		if (b->etype.val[i] == adtkt.key.keytype)
--- a/kdc/kstash.8
+++ b/kdc/kstash.8
@@ -62,28 +62,16 @@ used by the KDC.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl e Ar string , Fl -enctype= Ns Ar string
 .Fl e Ar string ,
 .Fl -enctype= Ns Ar string
 .Xc
 the encryption type to use, defaults to DES3-CBC-SHA1.
-.It Xo
+.It Fl k Ar file , Fl -key-file= Ns Ar file
 .Fl k Ar file ,
 .Fl -key-file= Ns Ar file
 .Xc
 the name of the master key file.
-.It Xo
+.It Fl -convert-file
 .Fl -convert-file
 .Xc
 don't ask for a new master key, just read an old master key file, and
 write it back in the new keyfile format.
-.It Xo
+.It Fl -random-key
 .Fl -random-key
 .Xc
 generate a random master key.
-.It Xo
+.It Fl -master-key-fd= Ns Ar fd
 .Fl -master-key-fd= Ns Ar fd
 .Xc
 filedescriptor to read passphrase from, if not specified the
 passphrase will be read from the terminal.
 .El
--- a/kdc/kstash.c
+++ b/kdc/kstash.c
@@ -46,15 +46,17 @@ static int random_key_flag;
 static const char *enctype_str = "des3-cbc-sha1";
 static struct getargs args[] = {
-    { "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type" },
+    { "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type",
 	NULL },
    { "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
    { "convert-file", 0, arg_flag, &convert_flag,
-      "just convert keyfile to new format" },
+      "just convert keyfile to new format", NULL },
    { "master-key-fd", 0, arg_integer, &master_key_fd,
      "filedescriptor to read passphrase from", "fd" },
-    { "random-key", 0, arg_flag, &random_key_flag, "generate a random master key" },
+    { "random-key", 0, arg_flag, &random_key_flag,
-    { "help", 'h', arg_flag, &help_flag },
+	"generate a random master key", NULL },
-    { "version", 0, arg_flag, &version_flag }
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
--- a/kdc/log.c
+++ b/kdc/log.c
@@ -50,10 +50,12 @@ kdc_openlog(krb5_context context,
 	    krb5_addlog_dest(context, config->logf, *p);
 	krb5_config_free_strings(s);
    }else {
-	char *s;
+	char *ss;
-	asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);
+	if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
-	krb5_addlog_dest(context, config->logf, s);
+	    KDC_LOG_FILE) < 0)
-	free(s);
+	    err(1, NULL);
 	krb5_addlog_dest(context, config->logf, ss);
 	free(ss);
    }
    krb5_set_warn_dest(context, config->logf);
 }
--- a/kdc/mit_dump.c
+++ b/kdc/mit_dump.c
@@ -77,7 +77,7 @@ unless no extra data
 static int
 hex_to_octet_string(const char *ptr, krb5_data *data)
 {
-    int i;
+    size_t i;
    unsigned int v;
    for(i = 0; i < data->length; i++) {
 	if(sscanf(ptr + 2 * i, "%02x", &v) != 1)
@@ -165,7 +165,7 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num)
    case KRB5_KDB_SALTTYPE_NOREALM:
    {
 	size_t len;
-	int i;
+	size_t i;
 	char *p;
 	len = 0;
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -237,7 +237,7 @@ generate_dh_keyblock(krb5_context context,
 	}
 	dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
-	if (dh_gen_keylen == -1) {
+	if (dh_gen_keylen == (size_t)-1) {
 	    ret = KRB5KRB_ERR_GENERIC;
 	    krb5_set_error_message(context, ret,
 				   "Can't compute Diffie-Hellman key");
@@ -1247,7 +1247,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
    krb5_enctype enctype;
    int pa_type;
    hx509_cert kdc_cert = NULL;
-    int i;
+    size_t i;
    if (!config->enable_pkinit) {
 	krb5_clear_error_message(context);
@@ -1575,7 +1575,8 @@ match_rfc_san(krb5_context context,
 	      krb5_const_principal match)
 {
    hx509_octet_string_list list;
-    int ret, i, found = 0;
+    int ret, found = 0;
    size_t i;
    memset(&list, 0 , sizeof(list));
@@ -1709,7 +1710,7 @@ _kdc_pk_check_client(krb5_context context,
    const HDB_Ext_PKINIT_cert *pc;
    krb5_error_code ret;
    hx509_name name;
-    int i;
+    size_t i;
    if (cp->cert == NULL) {
@@ -1737,12 +1738,12 @@ _kdc_pk_check_client(krb5_context context,
    ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
    if (ret == 0 && pc) {
 	hx509_cert cert;
-	unsigned int i;
+	size_t j;
-	for (i = 0; i < pc->len; i++) {
+	for (j = 0; j < pc->len; j++) {
 	    ret = hx509_cert_init_data(context->hx509ctx,
-				       pc->val[i].cert.data,
+				       pc->val[j].cert.data,
-				       pc->val[i].cert.length,
+				       pc->val[j].cert.length,
 				       &cert);
 	    if (ret)
 		continue;
--- a/kdc/string2key.8
+++ b/kdc/string2key.8
@@ -65,46 +65,21 @@ performs the string-to-key function.
 This is useful when you want to handle the raw key instead of the password.
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl 5 , Fl -version5
 .Fl 5 ,
 .Fl -version5
 .Xc
 Output Kerberos v5 string-to-key
-.It Xo
+.It Fl 4 , Fl -version4
 .Fl 4 ,
 .Fl -version4
 .Xc
 Output Kerberos v4 string-to-key
-.It Xo
+.It Fl a , Fl -afs
 .Fl a ,
 .Fl -afs
 .Xc
 Output AFS string-to-key
-.It Xo
+.It Fl c Ar cell , Fl -cell= Ns Ar cell
 .Fl c Ar cell ,
 .Fl -cell= Ns Ar cell
 .Xc
 AFS cell to use
-.It Xo
+.It Fl w Ar password , Fl -password= Ns Ar password
 .Fl w Ar password ,
 .Fl -password= Ns Ar password
 .Xc
 Password to use
-.It Xo
+.It Fl p Ar principal , Fl -principal= Ns Ar principal
 .Fl p Ar principal ,
 .Fl -principal= Ns Ar principal
 .Xc
 Kerberos v5 principal to use
-.It Xo
+.It Fl k Ar string , Fl -keytype= Ns Ar string
 .Fl k Ar string ,
 .Fl -keytype= Ns Ar string
 .Xc
 Keytype
-.It Xo
+.It Fl -version
 .Fl -version
 .Xc
 print version
-.It Xo
+.It Fl -help
 .Fl -help
 .Xc
 .El
--- a/kdc/string2key.c
+++ b/kdc/string2key.c
@@ -45,15 +45,17 @@ int version;
 int help;
 struct getargs args[] = {
-    { "version5", '5', arg_flag,   &version5, "Output Kerberos v5 string-to-key" },
+    { "version5", '5', arg_flag,   &version5, "Output Kerberos v5 string-to-key",
-    { "version4", '4', arg_flag,   &version4, "Output Kerberos v4 string-to-key" },
+	NULL },
-    { "afs",      'a', arg_flag,   &afs, "Output AFS string-to-key" },
+    { "version4", '4', arg_flag,   &version4, "Output Kerberos v4 string-to-key",
 	NULL },
    { "afs",      'a', arg_flag,   &afs, "Output AFS string-to-key", NULL },
    { "cell",     'c', arg_string, &cell, "AFS cell to use", "cell" },
    { "password", 'w', arg_string, &password, "Password to use", "password" },
    { "principal",'p', arg_string, &principal, "Kerberos v5 principal to use", "principal" },
-    { "keytype",  'k', arg_string, rk_UNCONST(&keytype_str), "Keytype" },
+    { "keytype",  'k', arg_string, rk_UNCONST(&keytype_str), "Keytype", NULL },
-    { "version",    0, arg_flag,   &version, "print version" },
+    { "version",    0, arg_flag,   &version, "print version", NULL },
-    { "help",       0, arg_flag,   &help, NULL }
+    { "help",       0, arg_flag,   &help, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
@@ -73,7 +75,7 @@ tokey(krb5_context context,
      const char *label)
 {
    krb5_error_code ret;
-    int i;
+    size_t i;
    krb5_keyblock key;
    char *e;
--- a/kpasswd/kpasswd.c
+++ b/kpasswd/kpasswd.c
@@ -40,10 +40,11 @@ static char *admin_principal_str;
 static char *cred_cache_str;
 static struct getargs args[] = {
-    { "admin-principal",	0,   arg_string, &admin_principal_str },
+    { "admin-principal",	0,   arg_string, &admin_principal_str, NULL,
-    { "cache",			'c', arg_string, &cred_cache_str },
+   	 NULL },
-    { "version", 		0,   arg_flag, &version_flag },
+    { "cache",			'c', arg_string, &cred_cache_str, NULL, NULL },
-    { "help",			0,   arg_flag, &help_flag }
+    { "version", 		0,   arg_flag, &version_flag, NULL, NULL },
    { "help",			0,   arg_flag, &help_flag, NULL, NULL }
 };
 static void
--- a/kpasswd/kpasswdd.8
+++ b/kpasswd/kpasswdd.8
@@ -64,20 +64,14 @@ the database directly and should thus only run on the master KDC.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl -addresses= Ns Ar address
 .Fl -addresses= Ns Ar address
 .Xc
 For each till the argument is given, add the address to what kpasswdd
 should listen too.
-.It Xo
+.It Fl -check-library= Ns Ar library
 .Fl -check-library= Ns Ar library
 .Xc
 If your system has support for dynamic loading of shared libraries,
 you can use an external function to check password quality. This
 option specifies which library to load.
-.It Xo
+.It Fl -check-function= Ns Ar function
 .Fl -check-function= Ns Ar function
 .Xc
 This is the function to call in the loaded library. The function
 should look like this:
 .Pp
@@ -92,20 +86,11 @@ is the one who tries to change passwords, and
 is the new password. Note that the password (in
 .Fa password->data )
 is not zero terminated.
-.It Xo
+.It Fl k Ar kspec , Fl -keytab= Ns Ar kspec
 .Fl k Ar kspec ,
 .Fl -keytab= Ns Ar kspec
 .Xc
 Keytab to get authentication key from.
-.It Xo
+.It Fl r Ar realm , Fl -realm= Ns Ar realm
 .Fl r Ar realm ,
 .Fl -realm= Ns Ar realm
 .Xc
 Default realm.
-.It Xo
+.It Fl p Ar string , Fl -port= Ns Ar string
 .Fl p Ar string ,
 .Fl -port= Ns Ar string
 .Xc
 Port to listen on (default service kpasswd - 464).
 .El
 .Sh DIAGNOSTICS
--- a/kpasswd/kpasswdd.c
+++ b/kpasswd/kpasswdd.c
@@ -680,11 +680,11 @@ doit (krb5_keytab keytab, int port)
 	krb5_errx (context, 1, "No sockets!");
    while(exit_flag == 0) {
-	int ret;
+	krb5_ssize_t retx;
 	fd_set fdset = real_fdset;
-	ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
+	retx = select (maxfd + 1, &fdset, NULL, NULL, NULL);
-	if (ret < 0) {
+	if (retx < 0) {
 	    if (errno == EINTR)
 		continue;
 	    else
@@ -695,9 +695,9 @@ doit (krb5_keytab keytab, int port)
 		u_char buf[BUFSIZ];
 		socklen_t addrlen = sizeof(__ss);
-		ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
+		retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
 				sa, &addrlen);
-		if (ret < 0) {
+		if (retx < 0) {
 		    if(errno == EINTR)
 			break;
 		    else
@@ -707,7 +707,7 @@ doit (krb5_keytab keytab, int port)
 		process (realms, keytab, sockets[i],
 			 &addrs.val[i],
 			 sa, addrlen,
-			 buf, ret);
+			 buf, retx);
 	    }
    }
@@ -730,7 +730,8 @@ sigterm(int sig)
 static const char *check_library  = NULL;
 static const char *check_function = NULL;
 static getarg_strings policy_libraries = { 0, NULL };
-static char *keytab_str = "HDB:";
+static char sHDB[] = "HDB:";
 static char *keytab_str = sHDB;
 static char *realm_str;
 static int version_flag;
 static int help_flag;
@@ -750,11 +751,11 @@ struct getargs args[] = {
      "addresses to listen on", "list of addresses" },
    { "keytab", 'k', arg_string, &keytab_str,
      "keytab to get authentication key from", "kspec" },
-    { "config-file", 'c', arg_string, &config_file },
+    { "config-file", 'c', arg_string, &config_file, NULL, NULL },
    { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
-    { "port",  'p', arg_string, &port_str, "port" },
+    { "port",  'p', arg_string, &port_str, "port", NULL },
-    { "version", 0, arg_flag, &version_flag },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
-    { "help", 0, arg_flag, &help_flag }
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
@@ -836,10 +837,10 @@ main (int argc, char **argv)
    explicit_addresses.len = 0;
    if (addresses_str.num_strings) {
-	int i;
+	int j;
-	for (i = 0; i < addresses_str.num_strings; ++i)
+	for (j = 0; j < addresses_str.num_strings; ++j)
-	    add_one_address (addresses_str.strings[i], i == 0);
+	    add_one_address (addresses_str.strings[j], j == 0);
 	free_getarg_strings (&addresses_str);
    } else {
 	char **foo = krb5_config_get_strings (context, NULL,
--- a/kuser/copy_cred_cache.1
+++ b/kuser/copy_cred_cache.1
@@ -88,7 +88,7 @@ $ copy_cred_cache --valid-for=1d --flags=initial FILE:/some/cache
 .Sh DIAGNOSTICS
 The
 .Nm
-utility exits 0 on success, and \*[Gt]0 if an error occurs, or of no
+utility exits 0 on success, and \*[Gt]0 if an error occurs, or if no
 credentials where actually copied.
 .\".Sh SEE ALSO
 .\".Sh STANDARDS
--- a/kuser/copy_cred_cache.c
+++ b/kuser/copy_cred_cache.c
@@ -60,7 +60,7 @@ parse_ticket_flags(krb5_context context,
    memset(&ff, 0, sizeof(ff));
    ff.proxy = 1;
-    if (parse_flags("proxy", asn1_TicketFlags_units(), 0) == TicketFlags2int(ff))
+    if ((size_t)parse_flags("proxy", asn1_TicketFlags_units(), 0) == TicketFlags2int(ff))
 	ret_flags->i = flags;
    else
 	ret_flags->i = bitswap32(flags);
--- a/kuser/kcc.c
+++ b/kuser/kcc.c
@@ -40,8 +40,8 @@ static int version_flag;
 static int help_flag;
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
-    { "help",		0,   arg_flag, &help_flag }
+    { "help",		0,   arg_flag, &help_flag, NULL, NULL }
 };
 static void
--- a/kuser/kdestroy.1
+++ b/kuser/kdestroy.1
@@ -36,7 +36,7 @@
 .Os HEIMDAL
 .Sh NAME
 .Nm kdestroy
-.Nd remove one credental or destroy the current ticket file
+.Nd remove one credential or destroy the current ticket file
 .Sh SYNOPSIS
 .Nm
 .Bk -words
@@ -51,7 +51,7 @@
 .Ek
 .Sh DESCRIPTION
 .Nm
-remove one or the current set of tickets.
+removes one credential or the current set of tickets.
 .Pp
 Supported options:
 .Bl -tag -width Ds
--- a/kuser/kdestroy.c
+++ b/kuser/kdestroy.c
@@ -47,7 +47,7 @@ struct getargs args[] = {
    { "credential",	0,   arg_string, rk_UNCONST(&credential),
      "remove one credential", "principal" },
    { "cache",		'c', arg_string, rk_UNCONST(&cache), "cache to destroy", "cache" },
-    { "all",		'A', arg_flag, &all_flag, "destroy all caches" },
+    { "all",		'A', arg_flag, &all_flag, "destroy all caches", NULL },
 #ifndef NO_AFS
    { "unlog",		0,   arg_negative_flag, &unlog_flag,
      "do not destroy tokens", NULL },
--- a/kuser/kdigest.c
+++ b/kuser/kdigest.c
@@ -436,6 +436,7 @@ ntlm_server_init(struct ntlm_server_init_options *opt,
    krb5_data challenge, opaque;
    struct ntlm_buf data;
    char *s;
    static char zero2[] = "\x00\x00";
    memset(&type2, 0, sizeof(type2));
@@ -471,7 +472,7 @@ ntlm_server_init(struct ntlm_server_init_options *opt,
 	krb5_err(context, 1, ret, "krb5_ntlm_init_get_flags");
    krb5_ntlm_init_get_targetname(context, ntlm, &type2.targetname);
-    type2.targetinfo.data = "\x00\x00";
+    type2.targetinfo.data = zero2;
    type2.targetinfo.length = 2;
    ret = heim_ntlm_encode_type2(&type2, &data);
--- a/kuser/kgetcred.1
+++ b/kuser/kgetcred.1
@@ -61,30 +61,16 @@ ticket or of a special type.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl -canonicalize
 .Fl -canonicalize
 .Xc
 requests that the KDC canonicalize the principal.
-.It Xo
+.It Fl c Ar cache , Fl -cache= Ns Ar cache
 .Fl c Ar cache ,
 .Fl -cache= Ns Ar cache
 .Xc
 the credential cache to use.
-.It Xo
+.It Fl e Ar enctype , Fl -enctype= Ns Ar enctype
 .Fl e Ar enctype ,
 .Fl -enctype= Ns Ar enctype
 .Xc
 encryption type to use.
-.It Xo
+.It Fl -no-transit-check
-.Fl -no-transit-check
+requests that the KDC doesn't do transit checking.
-.Xc
+.It Fl -version
-requests that the KDC doesn't do trasnit checking.
+.It Fl -help
 .It Xo
 .Fl -version
 .Xc
 .It Xo
 .Fl -help
 .Xc
 .El
 .Sh SEE ALSO
 .Xr kinit 1 ,
--- a/kuser/kgetcred.c
+++ b/kuser/kgetcred.c
@@ -53,17 +53,17 @@ struct getargs args[] = {
    { "delegation-credential-cache",0,arg_string, &delegation_cred_str,
      NP_("where to find the ticket use for delegation", ""), "cache"},
    { "canonicalize",	0, arg_flag, &canonicalize_flag,
-      NP_("canonicalize the principal", "") },
+      NP_("canonicalize the principal", ""), NULL },
    { "forwardable",	0, arg_flag, &forwardable_flag,
-      NP_("forwardable ticket requested", "")},
+      NP_("forwardable ticket requested", ""), NULL},
-    { "transit-check",	0,   arg_negative_flag, &transit_flag },
+    { "transit-check",	0,   arg_negative_flag, &transit_flag, NULL, NULL },
    { "enctype",	'e', arg_string, &etype_str,
      NP_("encryption type to use", ""), "enctype"},
    { "impersonate",	0,   arg_string, &impersonate_str,
      NP_("client to impersonate", ""), "principal"},
-    { "name-type",		0,   arg_string, &nametype_str },
+    { "name-type",		0,   arg_string, &nametype_str, NULL, NULL },
-    { "version", 	0,   arg_flag, &version_flag },
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
-    { "help",		0,   arg_flag, &help_flag }
+    { "help",		0,   arg_flag, &help_flag, NULL, NULL }
 };
 static void
--- a/kuser/kimpersonate.8
+++ b/kuser/kimpersonate.8
@@ -40,28 +40,14 @@
 impersonate a user when there exist a srvtab, keyfile or KeyFile
 .Sh SYNOPSIS
 .Nm
-.Oo Fl s Ar string \*(Ba Xo
+.Op Fl s Ar string \*(Ba Fl -server= Ns Ar string
-.Fl -server= Ns Ar string Oc
+.Op Fl c Ar string \*(Ba Fl -client= Ns Ar string
-.Xc
+.Op Fl k Ar string \*(Ba Fl -keytab= Ns Ar string
 .Oo Fl c Ar string \*(Ba Xo
 .Fl -client= Ns Ar string Oc
 .Xc
 .Oo Fl k Ar string \*(Ba Xo
 .Fl -keytab= Ns Ar string Oc
 .Xc
 .Op Fl 5 | Fl -krb5
-.Oo Fl e Ar integer \*(Ba Xo
+.Op Fl e Ar integer \*(Ba Fl -expire-time= Ns Ar integer
-.Fl -expire-time= Ns Ar integer Oc
+.Op Fl a Ar string \*(Ba Fl -client-address= Ns Ar string
-.Xc
+.Op Fl t Ar string \*(Ba Fl -enc-type= Ns Ar string
-.Oo Fl a Ar string \*(Ba Xo
+.Op Fl f Ar string \*(Ba Fl -ticket-flags= Ns Ar string
 .Fl -client-address= Ns Ar string Oc
 .Xc
 .Oo Fl t Ar string \*(Ba Xo
 .Fl -enc-type= Ns Ar string Oc
 .Xc
 .Oo Fl f Ar string \*(Ba Xo
 .Fl -ticket-flags= Ns Ar string Oc
 .Xc
 .Op Fl -verbose
 .Op Fl -version
 .Op Fl -help
@@ -73,57 +59,27 @@ The service key can be read from a Kerberos 5 keytab, AFS KeyFile or
 (if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl s Ar string Ns , Fl -server= Ns Ar string
 .Fl s Ar string Ns ,
 .Fl -server= Ns Ar string
 .Xc
 name of server principal
-.It Xo
+.It Fl c Ar string Ns , Fl -client= Ns Ar string
 .Fl c Ar string Ns ,
 .Fl -client= Ns Ar string
 .Xc
 name of client principal
-.It Xo
+.It Fl k Ar string Ns , Fl -keytab= Ns Ar string
 .Fl k Ar string Ns ,
 .Fl -keytab= Ns Ar string
 .Xc
 name of keytab file
-.It Xo
+.It Fl 5 Ns , Fl -krb5
 .Fl 5 Ns ,
 .Fl -krb5
 .Xc
 create a Kerberos 5 ticket
-.It Xo
+.It Fl e Ar integer Ns , Fl -expire-time= Ns Ar integer
 .Fl e Ar integer Ns ,
 .Fl -expire-time= Ns Ar integer
 .Xc
 lifetime of ticket in seconds
-.It Xo
+.It Fl a Ar string Ns , Fl -client-address= Ns Ar string
 .Fl a Ar string Ns ,
 .Fl -client-address= Ns Ar string
 .Xc
 address of client
-.It Xo
+.It Fl t Ar string Ns , Fl -enc-type= Ns Ar string
 .Fl t Ar string Ns ,
 .Fl -enc-type= Ns Ar string
 .Xc
 encryption type
-.It Xo
+.It Fl f Ar string Ns , Fl -ticket-flags= Ns Ar string
 .Fl f Ar string Ns ,
 .Fl -ticket-flags= Ns Ar string
 .Xc
 ticket flags for krb5 ticket
-.It Xo
+.It Fl -verbose
 .Fl -verbose
 .Xc
 Verbose output
-.It Xo
+.It Fl -version
 .Fl -version
 .Xc
 Print version
-.It Xo
+.It Fl -help
 .Fl -help
 .Xc
 .El
 .Sh FILES
 Uses
@@ -131,9 +87,9 @@ Uses
 .Pa /etc/srvtab
 and
 .Pa /usr/afs/etc/KeyFile
-when avalible and the the
+when available and the
 .Fl k
-is used with appropriate prefix.
+option is used with an appropriate prefix.
 .Sh EXAMPLES
 .Nm
 can be used in
--- a/kuser/kimpersonate.c
+++ b/kuser/kimpersonate.c
@@ -44,7 +44,7 @@ static char *ccache_str = NULL;
 static char *ticket_flags_str = NULL;
 static TicketFlags ticket_flags;
 static char *keytab_file = NULL;
-static char *enc_type = "des-cbc-md5";
+static const char *enc_type = "des-cbc-md5";
 static int   expiration_time = 3600;
 static struct getarg_strings client_addresses;
 static int   version_flag = 0;
@@ -268,21 +268,21 @@ struct getargs args[] = {
    { "ccache", 0, arg_string, &ccache_str,
      "name of kerberos 5 credential cache", "cache-name"},
    { "server", 's', arg_string, &server_principal_str,
-      "name of server principal" },
+      "name of server principal", NULL },
    { "client", 'c', arg_string, &client_principal_str,
-      "name of client principal" },
+      "name of client principal", NULL },
    { "keytab", 'k', arg_string, &keytab_file,
-      "name of keytab file" },
+      "name of keytab file", NULL },
    { "krb5", '5', arg_flag,	 &use_krb5,
-      "create a kerberos 5 ticket"},
+      "create a kerberos 5 ticket", NULL },
    { "expire-time", 'e', arg_integer, &expiration_time,
-      "lifetime of ticket in seconds" },
+      "lifetime of ticket in seconds", NULL },
    { "client-addresses", 'a', arg_strings, &client_addresses,
-      "addresses of client" },
+      "addresses of client", NULL },
    { "enc-type", 't', arg_string, 	&enc_type,
-      "encryption type" },
+      "encryption type", NULL },
    { "ticket-flags", 'f', arg_string,   &ticket_flags_str,
-      "ticket flags for krb5 ticket" },
+      "ticket flags for krb5 ticket", NULL },
    { "version", 0,  arg_flag,		&version_flag,	"Print version",
      NULL },
    { "help",	 0,  arg_flag,		&help_flag,	NULL,
@@ -302,7 +302,7 @@ usage (int ret)
 int
 main (int argc, char **argv)
 {
-    int optind = 0;
+    int optidx = 0;
    krb5_error_code ret;
    krb5_context context;
    krb5_keytab kt;
@@ -313,23 +313,23 @@ main (int argc, char **argv)
    if (ret)
 	errx(1, "krb5_init_context failed: %u", ret);
-    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+    if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
-		&optind))
+	usage(1);
 	usage (1);
    if (help_flag)
-	usage (0);
+	usage(0);
    if (version_flag) {
 	print_version(NULL);
 	return 0;
    }
-    setup_env (context, &kt);
+    setup_env(context, &kt);
    if (use_krb5)
-	create_krb5_tickets (context, kt);
+	create_krb5_tickets(context, kt);
    krb5_kt_close(context, kt);
    krb5_kt_close (context, kt);
    return 0;
 }
--- a/kuser/kinit.1
+++ b/kuser/kinit.1
@@ -96,41 +96,23 @@ can later be used to obtain tickets for other services.
 .Pp
 Supported options:
 .Bl -tag -width Ds
-.It Xo
+.It Fl c Ar cachename Fl -cache= Ns Ar cachename
 .Fl c Ar cachename
 .Fl -cache= Ns Ar cachename
 .Xc
 The credentials cache to put the acquired ticket in, if other than
 default.
-.It Xo
+.It Fl f Fl -no-forwardable
 .Fl f
 .Fl -no-forwardable
 .Xc
 Get ticket that can be forwarded to another host, or if the negative
 flags use, don't get a forwardable flag.
-.It Xo
+.It Fl t Ar keytabname , Fl -keytab= Ns Ar keytabname
 .Fl t Ar keytabname ,
 .Fl -keytab= Ns Ar keytabname
 .Xc
 Don't ask for a password, but instead get the key from the specified
 keytab.
-.It Xo
+.It Fl l Ar time , Fl -lifetime= Ns Ar time
 .Fl l Ar time ,
 .Fl -lifetime= Ns Ar time
 .Xc
 Specifies the lifetime of the ticket.
 The argument can either be in seconds, or a more human readable string
 like
 .Sq 1h .
-.It Xo
+.It Fl p , Fl -proxiable
 .Fl p ,
 .Fl -proxiable
 .Xc
 Request tickets with the proxiable flag set.
-.It Xo
+.It Fl R , Fl -renew
 .Fl R ,
 .Fl -renew
 .Xc
 Try to renew ticket.
 The ticket must have the
 .Sq renewable
@@ -139,46 +121,26 @@ flag set, and must not be expired.
 The same as
 .Fl -renewable-life ,
 with an infinite time.
-.It Xo
+.It Fl r Ar time , Fl -renewable-life= Ns Ar time
 .Fl r Ar time ,
 .Fl -renewable-life= Ns Ar time
 .Xc
 The max renewable ticket life.
-.It Xo
+.It Fl S Ar principal , Fl -server= Ns Ar principal
 .Fl S Ar principal ,
 .Fl -server= Ns Ar principal
 .Xc
 Get a ticket for a service other than krbtgt/LOCAL.REALM.
-.It Xo
+.It Fl s Ar time , Fl -start-time= Ns Ar time
 .Fl s Ar time ,
 .Fl -start-time= Ns Ar time
 .Xc
 Obtain a ticket that starts to be valid
 .Ar time
 (which can really be a generic time specification, like
 .Sq 1h )
 seconds into the future.
-.It Xo
+.It Fl k , Fl -use-keytab
 .Fl k ,
 .Fl -use-keytab
 .Xc
 The same as
 .Fl -keytab ,
 but with the default keytab name (normally
 .Ar FILE:/etc/krb5.keytab ) .
-.It Xo
+.It Fl v , Fl -validate
 .Fl v ,
 .Fl -validate
 .Xc
 Try to validate an invalid ticket.
-.It Xo
+.It Fl e , Fl -enctypes= Ns Ar enctypes
 .Fl e ,
 .Fl -enctypes= Ns Ar enctypes
 .Xc
 Request tickets with this particular enctype.
-.It Xo
+.It Fl -password-file= Ns Ar filename
 .Fl -password-file= Ns Ar filename
 .Xc
 read the password from the first line of
 .Ar filename .
 If the
@@ -186,15 +148,10 @@ If the
 is
 .Ar STDIN ,
 the password will be read from the standard input.
-.It Xo
+.It Fl -fcache-version= Ns Ar version-number
 .Fl -fcache-version= Ns Ar version-number
 .Xc
 Create a credentials cache of version
 .Ar version-number .
-.It Xo
+.It Fl a , Fl -extra-addresses= Ns Ar enctypes
 .Fl a ,
 .Fl -extra-addresses= Ns Ar enctypes
 .Xc
 Adds a set of addresses that will, in addition to the systems local
 addresses, be put in the ticket.
 This can be useful if all addresses a client can use can't be
@@ -204,20 +161,13 @@ Also settable via
 .Li libdefaults/extra_addresses
 in
 .Xr krb5.conf 5 .
-.It Xo
+.It Fl A , Fl -no-addresses
 .Fl A ,
 .Fl -no-addresses
 .Xc
 Request a ticket with no addresses.
-.It Xo
+.It Fl -anonymous
 .Fl -anonymous
 .Xc
 Request an anonymous ticket (which means that the ticket will be
 issued to an anonymous principal, typically
 .Dq anonymous@REALM ) .
-.It Xo
+.It Fl -enterprise
 .Fl -enterprise
 .Xc
 Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise
 names are email like principals that are stored in the name part of
 the principal, and since there are two @ characters the parser needs
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -96,31 +96,31 @@ static struct getargs args[] = {
     * 9:
     */
    { "afslog", 	0  , arg_flag, &do_afslog,
-      NP_("obtain afs tokens", "")  },
+      NP_("obtain afs tokens", ""), NULL },
    { "cache", 		'c', arg_string, &cred_cache,
      NP_("credentials cache", ""), "cachename" },
    { "forwardable",	0, arg_negative_flag, &forwardable_flag,
-      NP_("get tickets not forwardable", "")},
+      NP_("get tickets not forwardable", ""), NULL },
    { NULL,		'f', arg_flag, &forwardable_flag,
-      NP_("get forwardable tickets", "")},
+      NP_("get forwardable tickets", ""), NULL },
    { "keytab",         't', arg_string, &keytab_str,
      NP_("keytab to use", ""), "keytabname" },
    { "lifetime",	'l', arg_string, &lifetime,
-      NP_("lifetime of tickets", ""), "time"},
+      NP_("lifetime of tickets", ""), "time" },
    { "proxiable",	'p', arg_flag, &proxiable_flag,
-      NP_("get proxiable tickets", "") },
+      NP_("get proxiable tickets", ""), NULL },
    { "renew",          'R', arg_flag, &renew_flag,
-      NP_("renew TGT", "") },
+      NP_("renew TGT", ""), NULL },
    { "renewable",	0,   arg_flag, &renewable_flag,
-      NP_("get renewable tickets", "") },
+      NP_("get renewable tickets", ""), NULL },
    { "renewable-life",	'r', arg_string, &renew_life,
      NP_("renewable lifetime of tickets", ""), "time" },
@@ -132,40 +132,40 @@ static struct getargs args[] = {
      NP_("when ticket gets valid", ""), "time" },
    { "use-keytab",     'k', arg_flag, &use_keytab,
-      NP_("get key from keytab", "") },
+      NP_("get key from keytab", ""), NULL },
    { "validate",	'v', arg_flag, &validate_flag,
-      NP_("validate TGT", "") },
+      NP_("validate TGT", ""), NULL },
    { "enctypes",	'e', arg_strings, &etype_str,
      NP_("encryption types to use", ""), "enctypes" },
    { "fcache-version", 0,   arg_integer, &fcache_version,
-      NP_("file cache version to create", "") },
+      NP_("file cache version to create", ""), NULL },
    { "addresses",	'A',   arg_negative_flag,	&addrs_flag,
-      NP_("request a ticket with no addresses", "") },
+      NP_("request a ticket with no addresses", ""), NULL },
    { "extra-addresses",'a', arg_strings,	&extra_addresses,
      NP_("include these extra addresses", ""), "addresses" },
    { "anonymous",	0,   arg_flag,	&anonymous_flag,
-      NP_("request an anonymous ticket", "") },
+      NP_("request an anonymous ticket", ""), NULL },
    { "request-pac",	0,   arg_flag,	&pac_flag,
-      NP_("request a Windows PAC", "") },
+      NP_("request a Windows PAC", ""), NULL },
    { "password-file",	0,   arg_string, &password_file,
-      NP_("read the password from a file", "") },
+      NP_("read the password from a file", ""), NULL },
    { "canonicalize",0,   arg_flag, &canonicalize_flag,
-      NP_("canonicalize client principal", "") },
+      NP_("canonicalize client principal", ""), NULL },
    { "enterprise",0,   arg_flag, &enterprise_flag,
-      NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") },
+      NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
 #ifdef PKINIT
    { "pk-enterprise",	0,	arg_flag,	&pk_enterprise_flag,
-      NP_("use enterprise name from certificate", "") },
+      NP_("use enterprise name from certificate", ""), NULL },
    { "pk-user",	'C',	arg_string,	&pk_user_id,
      NP_("principal's public/private/certificate identifier", ""), "id" },
@@ -174,7 +174,7 @@ static struct getargs args[] = {
      NP_("directory with CA certificates", ""), "directory" },
    { "pk-use-enckey",	0,  arg_flag, &pk_use_enckey,
-      NP_("Use RSA encrypted reply (instead of DH)", "") },
+      NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
 #endif
 #ifndef NO_NTLM
    { "ntlm-domain",	0,  arg_string, &ntlm_domain,
@@ -182,19 +182,19 @@ static struct getargs args[] = {
 #endif
    { "change-default",  0,  arg_negative_flag, &switch_cache_flags,
-      NP_("switch the default cache to the new credentials cache", "") },
+      NP_("switch the default cache to the new credentials cache", ""), NULL },
    { "ok-as-delegate",	0,  arg_flag, &ok_as_delegate_flag,
-      NP_("honor ok-as-delegate on tickets", "") },
+      NP_("honor ok-as-delegate on tickets", ""), NULL },
    { "use-referrals",	0,  arg_flag, &use_referrals_flag,
-      NP_("only use referrals, no dns canalisation", "") },
+      NP_("only use referrals, no dns canalisation", ""), NULL },
    { "windows",	0,  arg_flag, &windows_flag,
-      NP_("get windows behavior", "") },
+      NP_("get windows behavior", ""), NULL },
-    { "version", 	0,   arg_flag, &version_flag },
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
-    { "help",		0,   arg_flag, &help_flag }
+    { "help",		0,   arg_flag, &help_flag, NULL, NULL }
 };
 static void
@@ -357,7 +357,7 @@ get_new_tickets(krb5_context context,
    char passwd[256];
    krb5_deltat start_time = 0;
    krb5_deltat renew = 0;
-    char *renewstr = NULL;
+    const char *renewstr = NULL;
    krb5_enctype *enctype = NULL;
    krb5_ccache tempccache;
 #ifndef NO_NTLM
--- a/kuser/klist.1
+++ b/kuser/klist.1
@@ -60,27 +60,14 @@ known as the ticket file).
 .Pp
 Options supported:
 .Bl -tag -width Ds
-.It Xo
+.It Fl c Ar cache , Fl -cache= Ns Ar cache
 .Fl c Ar cache ,
 .Fl -cache= Ns Ar cache
 .Xc
 credential cache to list
-.It Xo
+.It Fl s , Fl t , Fl -test
 .Fl s ,
 .Fl t ,
 .Fl -test
 .Xc
 Test for there being an active and valid TGT for the local realm of
 the user in the credential cache.
-.It Xo
+.It Fl T , Fl -tokens
 .Fl T ,
 .Fl -tokens
 .Xc
 display AFS tokens
-.It Xo
+.It Fl 5 , Fl -v5
 .Fl 5 ,
 .Fl -v5
 .Xc
 display v5 cred cache (this is the default)
 .It Fl f
 Include ticket flags in short form, each character stands for a
@@ -113,10 +100,7 @@ hardware authenticated
 This information is also output with the
 .Fl -verbose
 option, but in a more verbose way.
-.It Xo
+.It Fl v , Fl -verbose
 .Fl v ,
 .Fl -verbose
 .Xc
 Verbose output. Include all possible information:
 .Bl -tag -width XXXX -offset indent
 .It Server
@@ -141,10 +125,7 @@ the flags set on the ticket
 .It Addresses
 the set of addresses from which this ticket is valid
 .El
-.It Xo
+.It Fl l , Fl -list-caches
 .Fl l ,
 .Fl -list-caches
 .Xc
 List the credential caches for the current users, not all cache types
 supports listing multiple caches.
 .Pp
--- a/kuser/klist.c
+++ b/kuser/klist.c
@@ -39,21 +39,29 @@
 #include "kcc-commands.h"
 static char*
-printable_time(time_t t)
+printable_time_internal(time_t t, int x)
 {
    static char s[128];
-    strlcpy(s, ctime(&t)+ 4, sizeof(s));
+    char *p;
-    s[15] = 0;
+
    if ((p = ctime(&t)) == NULL)
 	strlcpy(s, "?", sizeof(s));
    else
 	strlcpy(s, p + 4, sizeof(s));
    s[x] = 0;
    return s;
 }
 static char*
 printable_time(time_t t)
 {
    return printable_time_internal(t, 20);
 }
 static char*
 printable_time_long(time_t t)
 {
-    static char s[128];
+    return printable_time_internal(t, 20);
    strlcpy(s, ctime(&t)+ 4, sizeof(s));
    s[20] = 0;
    return s;
 }
 #define COL_ISSUED		NP_("  Issued","")
@@ -124,7 +132,7 @@ print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
 static void
 print_cred_verbose(krb5_context context, krb5_creds *cred)
 {
-    int j;
+    size_t j;
    char *str;
    krb5_error_code ret;
    krb5_timestamp sec;
--- a/kuser/kswitch.c
+++ b/kuser/kswitch.c
@@ -35,11 +35,11 @@
 #include "kcc-commands.h"
 #ifdef HAVE_READLINE
-char *readline(char *prompt);
+char *readline(const char *prompt);
 #else
 static char *
-readline(char *prompt)
+readline(const char *prompt)
 {
    char buf[BUFSIZ];
    printf ("%s", prompt);
--- a/lib/NTMakefile
+++ b/lib/NTMakefile
@@ -43,7 +43,7 @@ dir_dce = kdfs
 dir_hcrypto = hcrypto
 !endif
-SUBDIRS = vers editline com_err sl wind asn1 sqlite \
+SUBDIRS = vers libedit com_err sl wind asn1 sqlite \
 	$(dir_hcrypto) hx509 krb5 heimdal ntlm kafs gssapi hdb \
 	kadm5 $(dir_45) $(dir_otp) $(dir_dce) ..\packages\windows\assembly
--- a/lib/asn1/asn1_print.c
+++ b/lib/asn1/asn1_print.c
@@ -41,9 +41,8 @@
 #include <err.h>
 #include <der.h>
 RCSID("$Id$");
 static int indent_flag = 1;
 static int inner_flag = 0;
 static unsigned long indefinite_form_loop;
 static unsigned long indefinite_form_loop_max = 10000;
@@ -167,17 +166,39 @@ loop (unsigned char *buf, size_t len, int indent)
 	    }
 	    case UT_OctetString : {
 		heim_octet_string str;
-		int i;
+		size_t i;
 		unsigned char *uc;
 		ret = der_get_octet_string (buf, length, &str, NULL);
 		if (ret)
 		    errx (1, "der_get_octet_string: %s", error_message (ret));
 		printf ("(length %lu), ", (unsigned long)length);
 		if (inner_flag) {
 		    Der_class class;
 		    Der_type type;
 		    unsigned int tag;
 		    ret = der_get_tag(str.data, str.length,
 				      &class, &type, &tag, &sz);
 		    if (ret || sz > str.length ||
 			type != CONS || tag != UT_Sequence)
 			goto just_an_octet_string;
 		    printf("{\n");
 		    loop (str.data, str.length, indent + 2);
 		    for (i = 0; i < indent; ++i)
 			printf (" ");
 		    printf ("}\n");
 		} else {
 		    unsigned char *uc;
 		just_an_octet_string:
 		    uc = (unsigned char *)str.data;
 		    for (i = 0; i < min(16,length); ++i)
 			printf ("%02x", uc[i]);
 		    printf ("\n");
 		}
 		free (str.data);
 		break;
 	    }
@@ -295,6 +316,7 @@ static int version_flag;
 static int help_flag;
 struct getargs args[] = {
    { "indent", 0, arg_negative_flag, &indent_flag },
    { "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" },
    { "version", 0, arg_flag, &version_flag },
    { "help", 0, arg_flag, &help_flag }
 };
--- a/lib/asn1/check-gen.c
+++ b/lib/asn1/check-gen.c
@@ -1249,6 +1249,34 @@ check_seq_of_size(void)
    return 0;
 }
 static int
 check_TESTMechTypeList(void)
 {
    TESTMechTypeList tl;
    unsigned oid1[] =  { 1, 2, 840, 48018, 1, 2, 2};
    TESTMechType t1 = { 7, oid1 };
    unsigned oid2[] =  { 1, 2, 840, 113554, 1, 2, 2};
    TESTMechType t2 = { 7, oid2 };
    unsigned oid3[] =   { 1, 3, 6, 1, 4, 1, 311, 2, 2, 30};
    TESTMechType t3 = { 10, oid3 };
    unsigned oid4[] =   { 1, 3, 6, 1, 4, 1, 311, 2, 2, 10};
    TESTMechType t4 = { 10, oid4 };
    TESTMechType array[4] = { t1, t2, t3, t4 };
    size_t size, len;
    void *ptr;
    int ret;
    tl.len = 4;
    tl.val = array;
    ASN1_MALLOC_ENCODE(TESTMechTypeList, ptr, len, &tl, &size, ret);
    if (ret)
 	errx(1, "TESTMechTypeList: %d", ret);
    if (len != size)
 	abort();
    return 0;
 }
 int
 main(int argc, char **argv)
 {
@@ -1278,5 +1306,7 @@ main(int argc, char **argv)
    ret += check_seq();
    ret += check_seq_of_size();
    ret += check_TESTMechTypeList();
    return ret;
 }
--- a/lib/asn1/der_format.c
+++ b/lib/asn1/der_format.c
@@ -108,7 +108,7 @@ int
 der_print_heim_oid (const heim_oid *oid, char delim, char **str)
 {
    struct rk_strpool *p = NULL;
-    int i;
+    size_t i;
    if (oid->length == 0)
 	return EINVAL;
--- a/lib/asn1/der_get.c
+++ b/lib/asn1/der_get.c
@@ -141,9 +141,9 @@ der_get_general_string (const unsigned char *p, size_t len,
 	 * an strings in the NEED_PREAUTH case that includes a
 	 * trailing NUL.
 	 */
-	while (p1 - p < len && *p1 == '\0')
+	while ((size_t)(p1 - p) < len && *p1 == '\0')
 	    p1++;
-       if (p1 - p != len)
+       if ((size_t)(p1 - p) != len)
 	    return ASN1_BAD_CHARACTER;
    }
    if (len > len + 1)
--- a/lib/asn1/der_length.c
+++ b/lib/asn1/der_length.c
@@ -86,7 +86,7 @@ static size_t
 len_oid (const heim_oid *oid)
 {
    size_t ret = 1;
-    int n;
+    size_t n;
    for (n = 2; n < oid->length; ++n) {
 	unsigned u = oid->components[n];
--- a/lib/asn1/der_put.c
+++ b/lib/asn1/der_put.c
@@ -433,7 +433,8 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
     if (s->data == NULL)
 	 return ENOMEM;
     s->length = len;
-     _der_gmtime(t, &tm);
+     if (_der_gmtime(t, &tm) == NULL)
 	 return ASN1_BAD_TIMEFORMAT;
     if (gtimep)
 	 snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ",
 		   tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
--- a/lib/asn1/gen_decode.c
+++ b/lib/asn1/gen_decode.c
@@ -209,7 +209,8 @@ range_check(const char *name,
 static int
 decode_type (const char *name, const Type *t, int optional,
-	     const char *forwstr, const char *tmpstr, const char *dertype)
+	     const char *forwstr, const char *tmpstr, const char *dertype,
 	     size_t depth)
 {
    switch (t->type) {
    case TType: {
@@ -328,7 +329,8 @@ decode_type (const char *name, const Type *t, int optional,
 	    if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
 			  name, m->gen_name) < 0 || s == NULL)
 		errx(1, "malloc");
-	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
 		depth + 1);
 	    free (s);
 	}
@@ -369,7 +371,7 @@ decode_type (const char *name, const Type *t, int optional,
 			"%s = calloc(1, sizeof(*%s));\n"
 			"if (%s == NULL) { e = ENOMEM; %s; }\n",
 			s, s, s, forwstr);
-	    decode_type (s, m->type, 0, forwstr, m->gen_name, NULL);
+	    decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1);
 	    free (s);
 	    fprintf(codefile, "members |= (1 << %d);\n", memno);
@@ -442,7 +444,7 @@ decode_type (const char *name, const Type *t, int optional,
 	    errx(1, "malloc");
 	if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL)
 	    errx(1, "malloc");
-	decode_type (n, t->subtype, 0, forwstr, sname, NULL);
+	decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1);
 	fprintf (codefile,
 		 "(%s)->len++;\n"
 		 "len = %s_origlen - ret;\n"
@@ -480,7 +482,7 @@ decode_type (const char *name, const Type *t, int optional,
 		tmpstr, tmpstr, typestring);
 	if(support_ber)
 	    fprintf(codefile,
-		    "int is_indefinite;\n");
+		    "int is_indefinite%zu;\n", depth);
 	fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, "
 		"&%s_datalen, &l);\n",
@@ -516,20 +518,20 @@ decode_type (const char *name, const Type *t, int optional,
 		 tmpstr);
 	if(support_ber)
 	    fprintf (codefile,
-		     "if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
+		     "if((is_indefinite%zu = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
 		     "{ e = ASN1_BAD_FORMAT; %s; }\n"
-		     "if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
+		     "if (is_indefinite%zu) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
-		     tmpstr, forwstr, forwstr);
+		     depth, tmpstr, forwstr, depth, forwstr);
 	else
 	    fprintf(codefile,
 		    "if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n"
 		    "len = %s_datalen;\n", tmpstr, forwstr, tmpstr);
 	if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL)
 	    errx(1, "malloc");
-	decode_type (name, t->subtype, 0, forwstr, tname, ide);
+	decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1);
 	if(support_ber)
 	    fprintf(codefile,
-		    "if(is_indefinite){\n"
+		    "if(is_indefinite%zu){\n"
 		    "len += 2;\n"
 		    "e = der_match_tag_and_length(p, len, "
 		    "(Der_class)0, &%s, UT_EndOfContent, "
@@ -538,6 +540,7 @@ decode_type (const char *name, const Type *t, int optional,
 		    "p += l; len -= l; ret += l;\n"
 		    "if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n"
 		    "} else \n",
 		    depth,
 		    typestring,
 		    tmpstr,
 		    forwstr,
@@ -584,7 +587,8 @@ decode_type (const char *name, const Type *t, int optional,
 	    if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
 			  name, m->gen_name) < 0 || s == NULL)
 		errx(1, "malloc");
-	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
 		depth + 1);
 	    fprintf(codefile,
 		    "(%s)->element = %s;\n",
 		    name, m->label);
@@ -702,7 +706,7 @@ generate_type_decode (const Symbol *s)
 	fprintf (codefile, "\n");
 	fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
-	decode_type ("data", s->type, 0, "goto fail", "Top", NULL);
+	decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1);
 	if (preserve)
 	    fprintf (codefile,
 		     "data->_save.data = calloc(1, ret);\n"
--- a/lib/asn1/gen_encode.c
+++ b/lib/asn1/gen_encode.c
@@ -302,7 +302,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 		name, name);
 	fprintf(codefile,
-		"for(i = 0; i < (%s)->len; i++) {\n",
+		"for(i = 0; i < (int)(%s)->len; i++) {\n",
 		name);
 	fprintf(codefile,
@@ -326,7 +326,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 	fprintf(codefile,
 		"if (totallen > len) {\n"
-		"for (i = 0; i < (%s)->len; i++) {\n"
+		"for (i = 0; i < (int)(%s)->len; i++) {\n"
 		"free(val[i].data);\n"
 		"}\n"
 		"free(val);\n"
@@ -339,7 +339,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 		name);
 	fprintf (codefile,
-		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+		 "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
 		 "p -= val[i].length;\n"
 		 "ret += val[i].length;\n"
 		 "memcpy(p + 1, val[i].data, val[i].length);\n"
@@ -355,7 +355,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 	char *n = NULL;
 	fprintf (codefile,
-		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+		 "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
 		 "size_t %s_for_oldret = ret;\n"
 		 "ret = 0;\n",
 		 name, tmpstr);
--- a/lib/asn1/test.asn1
+++ b/lib/asn1/test.asn1
@@ -132,4 +132,7 @@ TESTBitString ::= BIT STRING {
 	      thirtyone(31)
 }
 TESTMechType::= OBJECT IDENTIFIER
 TESTMechTypeList ::= SEQUENCE OF TESTMechType
 END
--- a/lib/asn1/timegm.c
+++ b/lib/asn1/timegm.c
@@ -56,13 +56,13 @@ time_t
 _der_timegm (struct tm *tm)
 {
  time_t res = 0;
-  unsigned i;
+  int i;
  if (tm->tm_year < 0)
      return -1;
  if (tm->tm_mon < 0 || tm->tm_mon > 11)
      return -1;
-  if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
+  if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon])
      return -1;
  if (tm->tm_hour < 0 || tm->tm_hour > 23)
      return -1;
@@ -98,6 +98,14 @@ _der_gmtime(time_t t, struct tm *tm)
    tm->tm_min = (secday % 3600) / 60;
    tm->tm_hour = secday / 3600;
    /* 
     * Refuse to calculate time ~ 2000 years into the future, this is
     * not possible for systems where time_t is a int32_t, however,
     * when time_t is a int64_t, that can happen.
     */
    if (days > 356000)
 	return NULL;
    tm->tm_year = 70;
    while(1) {
 	unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365);
--- a/lib/gssapi/gen-oid.pl
+++ b/lib/gssapi/gen-oid.pl
@@ -110,7 +110,7 @@ while(<>) {
 	    printf "#define $name (&$store)\n\n";
 	} else {
 	    printf "/* $name - $oid */\n";
-	    printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, \"$data\" };\n\n";
+	    printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, rk_UNCONST(\"$data\") };\n\n";
 	}
    } elsif (/^desc\s+([\w]+)\s+(\w+)\s+(\"[^\"]*\")\s+(\"[^\"]*\")/) {
        my ($type, $oid, $short, $long) = ($1, $2, $3, $4);
--- a/lib/gssapi/gss_acquire_cred.3
+++ b/lib/gssapi/gss_acquire_cred.3
@@ -513,7 +513,7 @@ In GSS-API an contiguous string name is stored in a
 .Dv gss_buffer_t .
 .Pp
 Exported names also have the property that they are specified by the
-mechanism itself and compatible between diffrent GSS-API
+mechanism itself and compatible between different GSS-API
 implementations.
 .El
 .Sh ACCESS CONTROL
--- a/lib/gssapi/gssapi.3
+++ b/lib/gssapi/gssapi.3
@@ -53,57 +53,52 @@ These functions constitute the gssapi library,
 .Em libgssapi .
 Declarations for these functions may be obtained from the include file
 .Pa gssapi.h .
-.sp 2
+.Bl -column -compact
-.nf
+.It Sy Name/Page
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
+.It Xr gss_accept_sec_context 3
-\fIName/Page\fP	\fIDescription\fP
+.It Xr gss_acquire_cred 3
-.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
+.It Xr gss_add_cred 3
-.sp 5p
+.It Xr gss_add_oid_set_member 3
-gss_accept_sec_context.3
+.It Xr gss_canonicalize_name 3
-gss_acquire_cred.3
+.It Xr gss_compare_name 3
-gss_add_cred.3
+.It Xr gss_context_time 3
-gss_add_oid_set_member.3
+.It Xr gss_create_empty_oid_set 3
-gss_canonicalize_name.3
+.It Xr gss_delete_sec_context 3
-gss_compare_name.3
+.It Xr gss_display_name 3
-gss_context_time.3
+.It Xr gss_display_status 3
-gss_create_empty_oid_set.3
+.It Xr gss_duplicate_name 3
-gss_delete_sec_context.3
+.It Xr gss_export_name 3
-gss_display_name.3
+.It Xr gss_export_sec_context 3
-gss_display_status.3
+.It Xr gss_get_mic 3
-gss_duplicate_name.3
+.It Xr gss_import_name 3
-gss_export_name.3
+.It Xr gss_import_sec_context 3
-gss_export_sec_context.3
+.It Xr gss_indicate_mechs 3
-gss_get_mic.3
+.It Xr gss_init_sec_context 3
-gss_import_name.3
+.It Xr gss_inquire_context 3
-gss_import_sec_context.3
+.It Xr gss_inquire_cred 3
-gss_indicate_mechs.3
+.It Xr gss_inquire_cred_by_mech 3
-gss_init_sec_context.3
+.It Xr gss_inquire_mechs_for_name 3
-gss_inquire_context.3
+.It Xr gss_inquire_names_for_mech 3
-gss_inquire_cred.3
+.It Xr gss_krb5_ccache_name 3
-gss_inquire_cred_by_mech.3
+.It Xr gss_krb5_compat_des3_mic 3
-gss_inquire_mechs_for_name.3
+.It Xr gss_krb5_copy_ccache 3
-gss_inquire_names_for_mech.3
+.It Xr gss_krb5_extract_authz_data_from_sec_context 3
-gss_krb5_ccache_name.3
+.It Xr gss_krb5_import_ccache 3
-gss_krb5_compat_des3_mic.3
+.It Xr gss_process_context_token 3
-gss_krb5_copy_ccache.3
+.It Xr gss_release_buffer 3
-gss_krb5_extract_authz_data_from_sec_context.3
+.It Xr gss_release_cred 3
-gss_krb5_import_ccache.3
+.It Xr gss_release_name 3
-gss_process_context_token.3
+.It Xr gss_release_oid_set 3
-gss_release_buffer.3
+.It Xr gss_seal 3
-gss_release_cred.3
+.It Xr gss_sign 3
-gss_release_name.3
+.It Xr gss_test_oid_set_member 3
-gss_release_oid_set.3
+.It Xr gss_unseal 3
-gss_seal.3
+.It Xr gss_unwrap 3
-gss_sign.3
+.It Xr gss_verify 3
-gss_test_oid_set_member.3
+.It Xr gss_verify_mic 3
-gss_unseal.3
+.It Xr gss_wrap 3
-gss_unwrap.3
+.It Xr gss_wrap_size_limit 3
-gss_verify.3
+.El
 gss_verify_mic.3
 gss_wrap.3
 gss_wrap_size_limit.3
 .ta
 .Fi
 .Sh COMPATIBILITY
 The
 .Nm Heimdal
@@ -147,7 +142,7 @@ the later will override.
 .Pp
 This config option modifies behaviour for both clients and servers.
 .Pp
-Microsoft implemented SPNEGO to Windows2000, however, they manage to
+Microsoft implemented SPNEGO to Windows2000, however, they managed to
 get it wrong, their implementation didn't fill in the MechListMIC in
 the reply token with the right content.
 There is a work around for this problem, but not all implementation
--- a/lib/gssapi/gsstool.c
+++ b/lib/gssapi/gsstool.c
@@ -132,7 +132,7 @@ supported_mechanisms(void *argptr, int argc, char **argv)
    return 0;
 }
-void static 
+static void
 print_mech_attr(const char *mechname, gss_const_OID mech, gss_OID_set set)
 {
    gss_buffer_desc name, desc;
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -55,11 +55,13 @@ validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
 }
 OM_uint32
-_gsskrb5_register_acceptor_identity (const char *identity)
+_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
 {
    krb5_context context;
    krb5_error_code ret;
    *min_stat = 0;
    ret = _gsskrb5_init(&context);
    if(ret)
 	return GSS_S_FAILURE;
@@ -92,8 +94,10 @@ _gsskrb5_register_acceptor_identity (const char *identity)
 	}
    }
    HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
-    if(ret)
+    if(ret) {
 	*min_stat = ret;
 	return GSS_S_FAILURE;
    }
    return GSS_S_COMPLETE;
 }
--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
@@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
 			   const gss_buffer_t token_buffer,
 			   gss_qop_t * qop_state,
 			   krb5_keyblock *key,
-			   char *type)
+			   const char *type)
 {
    krb5_error_code ret;
    uint32_t seq_number;
@@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
    p = token_buffer->value;
    omret = _gsskrb5_verify_header (&p,
 				       token_buffer->length,
-				       (u_char *)type,
+				       type,
 				       GSS_KRB5_MECHANISM);
    if (omret)
 	return omret;
--- a/lib/gssapi/krb5/cfx.c
+++ b/lib/gssapi/krb5/cfx.c
@@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
    gss_iov_buffer_desc *header, *trailer, *padding;
    size_t gsshsize, k5hsize;
    size_t gsstsize, k5tsize;
-    size_t i, rrc = 0, ec = 0;
+    size_t rrc = 0, ec = 0;
    int i;
    gss_cfx_wrap_token token;
    krb5_error_code ret;
    int32_t seq_number;
@@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
    token->Flags     = 0;
    token->Filler    = 0xFF;
    if ((ctx->more_flags & LOCAL) == 0)
 	token->Flags |= CFXSentByAcceptor;
    if (ctx->more_flags & ACCEPTOR_SUBKEY)
 	token->Flags |= CFXAcceptorSubkey;
@@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
 	    q += iov[i].buffer.length;
 	}
    }
-    assert((q - p) == len);
+    assert((size_t)(q - p) == len);
    /* unrotate first part */
    q = p + rrc;
--- a/lib/gssapi/krb5/external.c
+++ b/lib/gssapi/krb5/external.c
@@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = {
 	GSS_C_MA_SASL_MECH_NAME,
 	GSS_MO_MA,
 	"SASL mech name",
-	"GS2-KRB5",
+	rk_UNCONST("GS2-KRB5"),
 	_gss_mo_get_ctx_as_string,
 	NULL
    },
@@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = {
 	GSS_C_MA_MECH_NAME,
 	GSS_MO_MA,
 	"Mechanism name",
-	"KRB5",
+	rk_UNCONST("KRB5"),
 	_gss_mo_get_ctx_as_string,
 	NULL
    },
@@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = {
 	GSS_C_MA_MECH_DESCRIPTION,
 	GSS_MO_MA,
 	"Mechanism description",
-	"Heimdal Kerberos 5 mech",
+	rk_UNCONST("Heimdal Kerberos 5 mech"),
 	_gss_mo_get_ctx_as_string,
 	NULL
    },
@@ -214,19 +214,19 @@ static gss_mo_desc krb5_mo[] = {
    },
    {
 	GSS_C_MA_AUTH_TARG,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
    },
    {
 	GSS_C_MA_AUTH_INIT_ANON,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
    },
    {
 	GSS_C_MA_DELEG_CRED,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
    },
    {
 	GSS_C_MA_INTEG_PROT,
-	GSS_MO_MA
+	.flags = GSS_MO_MA
    },
    {
 	GSS_C_MA_CONF_PROT,
@@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = {
 static gssapi_mech_interface_desc krb5_mech = {
    GMI_VERSION,
    "kerberos 5",
-    {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+    {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
    0,
    _gsskrb5_acquire_cred,
    _gsskrb5_release_cred,
@@ -324,9 +324,17 @@ static gssapi_mech_interface_desc krb5_mech = {
    NULL,
    krb5_mo,
    sizeof(krb5_mo) / sizeof(krb5_mo[0]),
    NULL,
    _gsskrb5_authorize_localname,
    _gsskrb5_pname_to_uid
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
    NULL,
 };
 gssapi_mech_interface
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -422,11 +422,6 @@ init_auth
 	goto failure;
    }
    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
    if (ret)
 	goto failure;
    /*
     * This is hideous glue for (NFS) clients that wants to limit the
     * available enctypes to what it can support (encryption in
@@ -469,6 +464,10 @@ init_auth
    ctx->lifetime = ctx->kcred->times.endtime;
    ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
    if (ret)
 	goto failure;
    ret = _gsskrb5_lifetime_left(minor_status,
 				 context,
 				 ctx->lifetime,
@@ -676,7 +675,8 @@ init_auth_restart
 	output_token->length = outbuf.length;
    } else {
        ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
-				    (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
+				    (u_char *)(intptr_t)"\x01\x00",
 				    GSS_KRB5_MECHANISM);
 	krb5_data_free (&outbuf);
 	if (ret)
 	    goto failure;
@@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
 	return GSS_S_BAD_MECH;
    if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
-	OM_uint32 ret;
+	OM_uint32 ret1;
 	if (*context_handle != GSS_C_NO_CONTEXT) {
 	    *minor_status = 0;
 	    return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
 	}
-	ret = _gsskrb5_create_ctx(minor_status,
+	ret1 = _gsskrb5_create_ctx(minor_status,
 				  context_handle,
 				  context,
 				  input_chan_bindings,
 				  INITIATOR_START);
-	if (ret)
+	if (ret1)
-	    return ret;
+	    return ret1;
    }
    if (*context_handle == GSS_C_NO_CONTEXT) {
--- a/lib/gssapi/krb5/prf.c
+++ b/lib/gssapi/krb5/prf.c
@@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
    krb5_crypto crypto;
    krb5_data input, output;
    uint32_t num;
    OM_uint32 junk;
    unsigned char *p;
    krb5_keyblock *key = NULL;
    size_t dol;
    if (ctx == NULL) {
 	*minor_status = 0;
 	return GSS_S_NO_CONTEXT;
    }
-    if (desired_output_len <= 0) {
+    if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
 	*minor_status = 0;
 	return GSS_S_FAILURE;
    }
    dol = desired_output_len;
    GSSAPI_KRB5_INIT (&context);
@@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	return GSS_S_FAILURE;
    }
-    prf_out->value = malloc(desired_output_len);
+    prf_out->value = malloc(dol);
    if (prf_out->value == NULL) {
 	_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
 	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
 	krb5_crypto_destroy(context, crypto);
 	return GSS_S_FAILURE;
    }
-    prf_out->length = desired_output_len;
+    prf_out->length = dol;
    HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
    input.length = prf_in->length + 4;
    input.data = malloc(prf_in->length + 4);
    if (input.data == NULL) {
 	OM_uint32 junk;
 	_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
 	*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
 	gss_release_buffer(&junk, prf_out);
@@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	return GSS_S_FAILURE;
    }
-    memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
+    memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
    num = 0;
    p = prf_out->value;
-    while(desired_output_len > 0) {
+    while(dol > 0) {
 	size_t tsize;
 	_gsskrb5_encode_om_uint32(num, input.data);
 	ret = krb5_crypto_prf(context, crypto, &input, &output);
 	if (ret) {
 	    OM_uint32 junk;
 	    *minor_status = ret;
 	    free(input.data);
 	    gss_release_buffer(&junk, prf_out);
@@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
 	    HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	    return GSS_S_FAILURE;
 	}
-	memcpy(p, output.data, min(desired_output_len, output.length));
+
 	tsize = min(dol, output.length);
 	memcpy(p, output.data, tsize);
 	p += output.length;
-	desired_output_len -= output.length;
+	dol -= tsize;
 	krb5_data_free(&output);
 	num++;
    }
--- a/lib/gssapi/krb5/process_context_token.c
+++ b/lib/gssapi/krb5/process_context_token.c
@@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token (
 				       (gsskrb5_ctx)context_handle,
 				       context,
 				       token_buffer, &empty_buffer,
-				       GSS_C_QOP_DEFAULT, "\x01\x02");
+				       GSS_C_QOP_DEFAULT,
 				       "\x01\x02");
    if (ret == GSS_S_COMPLETE)
 	ret = _gsskrb5_delete_sec_context(minor_status,
--- a/lib/gssapi/krb5/sequence.c
+++ b/lib/gssapi/krb5/sequence.c
@@ -141,7 +141,7 @@ OM_uint32
 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
 {
    OM_uint32 r;
-    int i;
+    size_t i;
    if (o == NULL)
 	return GSS_S_COMPLETE;
--- a/lib/gssapi/krb5/set_sec_context_option.c
+++ b/lib/gssapi/krb5/set_sec_context_option.c
@@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option
 	if (maj_stat != GSS_S_COMPLETE)
 	    return maj_stat;
-	_gsskrb5_register_acceptor_identity(str);
+	maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
 	free(str);
-	*minor_status = 0;
+	return maj_stat;
 	return GSS_S_COMPLETE;
    } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
 	char *str;
--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
@@ -54,7 +54,7 @@ unwrap_des
  DES_key_schedule schedule;
  DES_cblock deskey;
  DES_cblock zero;
-  int i;
+  size_t i;
  uint32_t seq_number;
  size_t padlength;
  OM_uint32 ret;
--- a/lib/gssapi/krb5/verify_mic.c
+++ b/lib/gssapi/krb5/verify_mic.c
@@ -44,7 +44,7 @@ verify_mic_des
            const gss_buffer_t token_buffer,
            gss_qop_t * qop_state,
 	    krb5_keyblock *key,
-	    char *type
+	    const char *type
 	    )
 {
  u_char *p;
@@ -142,7 +142,7 @@ verify_mic_des3
            const gss_buffer_t token_buffer,
            gss_qop_t * qop_state,
 	    krb5_keyblock *key,
-	    char *type
+	    const char *type
 	    )
 {
  u_char *p;
@@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal
            const gss_buffer_t message_buffer,
            const gss_buffer_t token_buffer,
            gss_qop_t * qop_state,
-	    char * type
+	    const char * type
 	    )
 {
    krb5_keyblock *key;
@@ -348,7 +348,7 @@ _gsskrb5_verify_mic
 				       (gsskrb5_ctx)context_handle,
 				       context,
 				       message_buffer, token_buffer,
-				       qop_state, "\x01\x01");
+				       qop_state, (void *)(intptr_t)"\x01\x01");
    return ret;
 }
--- a/lib/gssapi/krb5/wrap.c
+++ b/lib/gssapi/krb5/wrap.c
@@ -214,7 +214,7 @@ wrap_des
  EVP_CIPHER_CTX des_ctx;
  DES_cblock deskey;
  DES_cblock zero;
-  int i;
+  size_t i;
  int32_t seq_number;
  size_t len, total_len, padlength, datalen;
--- a/lib/gssapi/mech/gss_acquire_cred.c
+++ b/lib/gssapi/mech/gss_acquire_cred.c
@@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
 	struct _gss_cred *cred;
 	struct _gss_mechanism_cred *mc;
 	OM_uint32 min_time, cred_time;
-	int i;
+	size_t i;
 	*minor_status = 0;
 	if (output_cred_handle == NULL)
--- a/lib/gssapi/mech/gss_aeap.c
+++ b/lib/gssapi/mech/gss_aeap.c
@@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status,
 		       int iov_count)
 {
    OM_uint32 junk;
-    size_t i;
+    int i;
    if (minor_status)
 	*minor_status = 0;
--- a/lib/gssapi/mech/gss_buffer_set.c
+++ b/lib/gssapi/mech/gss_buffer_set.c
@@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gss_release_buffer_set(OM_uint32 * minor_status,
 		       gss_buffer_set_t *buffer_set)
 {
-    int i;
+    size_t i;
    OM_uint32 minor;
    *minor_status = 0;
--- a/lib/gssapi/mech/gss_cred.c
+++ b/lib/gssapi/mech/gss_cred.c
@@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status,
 	}
 	ret = krb5_storage_write(sp, buffer.value, buffer.length);
-	if (ret != buffer.length) {
+	if (ret < 0 || (size_t)ret != buffer.length) {
 	    gss_release_buffer(minor_status, &buffer);
 	    krb5_storage_free(sp);
 	    *minor_status = EINVAL;
--- a/lib/gssapi/mech/gss_indicate_mechs.c
+++ b/lib/gssapi/mech/gss_indicate_mechs.c
@@ -35,7 +35,7 @@ gss_indicate_mechs(OM_uint32 *minor_status,
 	struct _gss_mech_switch *m;
 	OM_uint32 major_status;
 	gss_OID_set set;
-	int i;
+	size_t i;
 	_gss_load_mech();
--- a/lib/gssapi/mech/gss_inquire_context.c
+++ b/lib/gssapi/mech/gss_inquire_context.c
@@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status,
    gss_OID *mech_type,
    OM_uint32 *ctx_flags,
    int *locally_initiated,
-    int *open)
+    int *xopen)
 {
 	OM_uint32 major_status;
 	struct _gss_context *ctx = (struct _gss_context *) context_handle;
@@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status,
 	if (locally_initiated)
 	    *locally_initiated = 0;
-	if (open)
+	if (xopen)
-	    *open = 0;
+	    *xopen = 0;
 	if (lifetime_rec)
 	    *lifetime_rec = 0;
@@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status,
 	    mech_type,
 	    ctx_flags,
 	    locally_initiated,
-	    open);
+	    xopen);
 	if (major_status != GSS_S_COMPLETE) {
 		_gss_mg_error(m, major_status, *minor_status);
--- a/lib/gssapi/mech/gss_inquire_cred_by_oid.c
+++ b/lib/gssapi/mech/gss_inquire_cred_by_oid.c
@@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
 	HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
 		gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET;
-		int i;
+		size_t i;
 		m = mc->gmc_mech;
 		if (m == NULL) {
--- a/lib/gssapi/mech/gss_krb5.c
+++ b/lib/gssapi/mech/gss_krb5.c
@@ -188,7 +188,7 @@ out:
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
 gsskrb5_register_acceptor_identity(const char *identity)
 {
-        struct _gss_mech_switch	*m;
+	gssapi_mech_interface m;
 	gss_buffer_desc buffer;
 	OM_uint32 junk;
@@ -197,14 +197,12 @@ gsskrb5_register_acceptor_identity(const char *identity)
 	buffer.value = rk_UNCONST(identity);
 	buffer.length = strlen(identity);
-	HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
+	m = __gss_get_mechanism(GSS_KRB5_MECHANISM);
-		if (m->gm_mech.gm_set_sec_context_option == NULL)
+	if (m == NULL || m->gm_set_sec_context_option == NULL)
-			continue;
+	    return GSS_S_FAILURE;
 		m->gm_mech.gm_set_sec_context_option(&junk, NULL,
 		    GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
 	}
-	return (GSS_S_COMPLETE);
+	return m->gm_set_sec_context_option(&junk, NULL,
 	        GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
 }
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
@@ -441,7 +439,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
    gss_buffer_desc buffer;
    krb5_storage *sp;
    krb5_data data;
-    int i;
+    size_t i;
    sp = krb5_storage_emem();
    if (sp == NULL) {
--- a/lib/gssapi/mech/gss_mo.c
+++ b/lib/gssapi/mech/gss_mo.c
@@ -605,28 +605,28 @@ gss_display_mech_attr(OM_uint32 * minor_status,
 	return GSS_S_BAD_MECH_ATTR;
    if (name) {
-	gss_buffer_desc n;
+	gss_buffer_desc bd;
-	n.value = rk_UNCONST(ma->name);
+	bd.value = rk_UNCONST(ma->name);
-	n.length = strlen(ma->name);
+	bd.length = strlen(ma->name);
-	major = _gss_copy_buffer(minor_status, &n, name);
+	major = _gss_copy_buffer(minor_status, &bd, name);
 	if (major != GSS_S_COMPLETE)
 	    return major;
    }
    if (short_desc) {
-	gss_buffer_desc n;
+	gss_buffer_desc bd;
-	n.value = rk_UNCONST(ma->short_desc);
+	bd.value = rk_UNCONST(ma->short_desc);
-	n.length = strlen(ma->short_desc);
+	bd.length = strlen(ma->short_desc);
-	major = _gss_copy_buffer(minor_status, &n, short_desc);
+	major = _gss_copy_buffer(minor_status, &bd, short_desc);
 	if (major != GSS_S_COMPLETE)
 	    return major;
    }
    if (long_desc) {
-	gss_buffer_desc n;
+	gss_buffer_desc bd;
-	n.value = rk_UNCONST(ma->long_desc);
+	bd.value = rk_UNCONST(ma->long_desc);
-	n.length = strlen(ma->long_desc);
+	bd.length = strlen(ma->long_desc);
-	major = _gss_copy_buffer(minor_status, &n, long_desc);
+	major = _gss_copy_buffer(minor_status, &bd, long_desc);
 	if (major != GSS_S_COMPLETE)
 	    return major;
    }
--- a/Show More
+++ b/Show More