WIP

Set up nix tooling
zed: set tab width
2026-02-02 08:53:06 +09:00 · 2026-02-01 03:45:20 +09:00 · 2026-02-01 03:45:18 +09:00 · 2026-01-24 14:42:38 -06:00 · 2026-01-23 00:40:39 -06:00 · 2026-01-23 00:37:44 -06:00
1130 changed files with 27248 additions and 114194 deletions
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -0,0 +1,57 @@
 name: Test Coverage
 on:
    push:
      branches:
         - 'coverage-*'
 jobs:
    coverage:
        runs-on: ubuntu-22.04
        steps:
            - name: Clone repository
              uses: actions/checkout@v4
            - name: Install packages
              run: |
                sudo apt-get update -qq
                sudo apt-get install -y bison comerr-dev flex doxygen
                sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl
                sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl
                sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python3
                sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils
                sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind
                sudo apt-get install -y lcov
                # Temporary workaround for:
                # https://github.com/actions/virtual-environments/issues/3185
                sudo hostname localhost
            - name: Build with coverage
              env:
                CC: gcc
                CFLAGS: '--coverage -O0 -g'
                LDFLAGS: '--coverage'
              run: |
                /bin/sh ./autogen.sh
                mkdir build
                cd build
                ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap --prefix=$HOME/inst CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS"
                make -j4
            - name: Test
              run: |
                cd build
                sudo sysctl kernel.core_pattern=core.%p || true
                ulimit -c unlimited
                make check || true
            - name: Generate coverage report
              run: |
                cd build
                # Capture coverage data
                lcov --capture --directory . --output-file coverage.info --ignore-errors source
                # Remove coverage for system headers and generated files
                lcov --remove coverage.info '/usr/*' '*/build/*asn1*' '*/build/*_err.*' --output-file coverage.info --ignore-errors unused
                # List coverage summary
                lcov --list coverage.info
            - name: Upload to Coveralls
              uses: coverallsapp/github-action@v2
              with:
                file: build/coverage.info
                format: lcov
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -20,7 +20,7 @@ jobs:
                      compiler: clang
        steps:
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Install packages
              if: startsWith(matrix.os, 'ubuntu')
              run: |
--- a/.github/workflows/linux-mit-interop.yml
+++ b/.github/workflows/linux-mit-interop.yml
@@ -3,7 +3,7 @@ name: Linux Build
 on:
    push:
      branches:
-         - 'interop-mit*'
+         - 'interop*'
 jobs:
    unix:
@@ -19,9 +19,14 @@ jobs:
                      cflags: ''
        steps:
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Clone older Heimdal for interop testing
              uses: actions/checkout@v4
              with:
                ref: older-branch-for-interop-testing
                path: older-heimdal
            - name: Checkout MIT
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
              with:
                repository: krb5/krb5
                path: mit
@@ -41,6 +46,17 @@ jobs:
                # Temporary workaround for:
                # https://github.com/actions/virtual-environments/issues/3185
                sudo hostname localhost
            - name: Build older Heimdal
              env:
                CC: ${{ matrix.compiler }}
              run: |
                cd older-heimdal
                /bin/sh ./autogen.sh
                mkdir build
                cd build
                ../configure --prefix=$HOME/oh5l --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
                make -j4
                make install
            - name: Build MIT
              env:
                CC: ${{ matrix.compiler }}
@@ -59,7 +75,7 @@ jobs:
                /bin/sh ./autogen.sh
                mkdir build
                cd build
-                ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" --with-mitkrb5=$HOME/mitkrb5
+                ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" --with-mitkrb5=$HOME/mitkrb5 --with-older-heimdal=$HOME/oh5l
                make -j4
            - name: Test
              env:
@@ -67,8 +83,14 @@ jobs:
                MAKEVARS: ${{ matrix.makevars }}
              run: |
                cd build
                sudo sysctl kernel.core_pattern=core.%p || true
                ulimit -c unlimited
                cd lib
                make check
                cd ../tests/bin
                make check
                cd ../kdc
                make SCRIPT_TESTS='check-fast check-mit-kdc check-old-heimdal-client check-old-heimdal-kdc' check
            - name: Make Install
              env:
                CC: ${{ matrix.compiler }}
@@ -91,27 +113,13 @@ jobs:
              if: ${{ failure() }}
              run: |
                find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
            - name: Make Dist
              run: |
                cd build
                make dist
                make distclean
                if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then
                  echo "Files not removed by make distclean:"
                  git ls-files -o|grep -v ^build/
                fi
            - name: Upload Install Tarball
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Install Tarball
+                name: Install Tarball (interop)
                path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz'
            - name: Upload Dist Tarball
              uses: actions/upload-artifact@v2
              with:
                name: Dist Tarball
                path: 'build/heimdal-*.tar.gz'
            - name: Upload Logs Tarball
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Test Logs
+                name: Test Logs (interop)
                path: '~/logs-linux-${{ matrix.compiler }}.tgz'
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -19,12 +19,11 @@ on:
         - '**.py'
         - '**.asn1'
         - '**.opt'
         - '**.map'
         - '**/COPYING'
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/linux.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
    pull_request:
      paths:
@@ -45,28 +44,28 @@ on:
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/linux.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
 jobs:
    unix:
        # Run if no [only X] tag, or if [only linux] is present (check both push commits and PR titles)
        if: >-
            (!contains(github.event.head_commit.message, '[only ') &&
             !contains(github.event.pull_request.title, '[only ')) ||
            contains(github.event.head_commit.message, '[only linux]') ||
            contains(github.event.pull_request.title, '[only linux]')
        runs-on: ${{ matrix.os }}
        strategy:
            fail-fast: false
            matrix:
-                name: [linux-clang, linux-gcc]
+                name: [linux-gcc]
                include:
                    - name: linux-clang
                      os: ubuntu-22.04
                      compiler: clang
                      cflags: ''
                    - name: linux-gcc
                      os: ubuntu-22.04
                      compiler: gcc
                      cflags: '-Wnonnull'
        steps:
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Install packages
              if: startsWith(matrix.os, 'ubuntu')
              run: |
@@ -96,6 +95,7 @@ jobs:
                MAKEVARS: ${{ matrix.makevars }}
              run: |
                cd build
                sudo sysctl kernel.core_pattern=core.%p || true
                ulimit -c unlimited
                make check
            - name: Make Install
@@ -108,11 +108,14 @@ jobs:
                cd /tmp/h5l
                tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz .
            - name: Core dump stacks
              if: ${{ always() }}
              run: |
                find . -name '*core*' -print
                echo "thread apply all bt" > /tmp/x
-                find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done
+                find . -name core\* -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done
                if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi
            - name: Test logs
              if: ${{ always() }}
              run: |
                find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from -
                find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
@@ -130,17 +133,17 @@ jobs:
                  git ls-files -o|grep -v ^build/
                fi
            - name: Upload Install Tarball
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Install Tarball
+                name: Install Tarball (${{ matrix.name }})
                path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz'
            - name: Upload Dist Tarball
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Dist Tarball
+                name: Dist Tarball (${{ matrix.name }})
                path: 'build/heimdal-*.tar.gz'
            - name: Upload Logs Tarball
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Test Logs
+                name: Test Logs (${{ matrix.name }})
                path: '~/logs-linux-${{ matrix.compiler }}.tgz'
--- a/.github/workflows/osx.yml
+++ b/.github/workflows/osx.yml
@@ -24,8 +24,6 @@ on:
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/osx.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
    pull_request:
      paths:
@@ -46,11 +44,15 @@ on:
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/osx.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
 jobs:
    osx:
        # Run if no [only X] tag, or if [only osx] is present (check both push commits and PR titles)
        if: >-
            (!contains(github.event.head_commit.message, '[only ') &&
             !contains(github.event.pull_request.title, '[only ')) ||
            contains(github.event.head_commit.message, '[only osx]') ||
            contains(github.event.pull_request.title, '[only osx]')
        runs-on: ${{ matrix.os }}
        strategy:
            fail-fast: false
@@ -66,10 +68,12 @@ jobs:
                echo "bison, flex, ncurses, texinfo, and unzip are in the base OS."
                echo "berkeley-db, perl, python3, curl, and jq are installed in the"
                echo "base image already."
-                brew install autoconf automake libtool cpanm texinfo texi2html
+                brew install autoconf automake bison libtool cpanm texinfo texi2html bash openssl@3
                sudo cpanm install JSON
                # Use Homebrew bash for tests (much faster than /bin/bash on macOS)
                echo "$(brew --prefix)/bin" >> $GITHUB_PATH
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Build
              env:
                CC: ${{ matrix.compiler }}
@@ -79,7 +83,7 @@ jobs:
                /bin/sh ./autogen.sh
                mkdir build
                cd build
-                ../configure --srcdir=`dirname "$PWD"` --disable-heimdal-documentation --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3"
+                ../configure --srcdir=`dirname "$PWD"` --disable-heimdal-documentation --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst --with-openssl=/opt/homebrew/opt/openssl@3/ CFLAGS="-O0 -g -ggdb3 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
                ulimit -c unlimited
                PATH=/usr/local/opt/texinfo/bin:$PATH
                export PATH
@@ -89,12 +93,15 @@ jobs:
            #  with:
            #      limit-access-to-actor: true
            - name: Test
              shell: bash
              env:
                CC: ${{ matrix.compiler }}
                MAKEVARS: ${{ matrix.makevars }}
                CONFIGURE_OPTS:  ${{ matrix.configureopts }}
              run: |
                set -vx
                # Verify we're using Homebrew bash (faster than system bash)
                echo "Using bash: $(which bash) version $BASH_VERSION"
                sudo lsof -nP -i:49188 || true
                cd build
                make check
@@ -113,12 +120,12 @@ jobs:
              run: |
                find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat
            - name: Upload Install Tarball
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Install Tarball
+                name: Install Tarball (osx)
                path: '~/heimdal-install-osx.tgz'
            - name: Upload Artifacts
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Upload Test Logs
+                name: Test Logs (osx)
                path: '~/logs-osx.cpio'
--- a/.github/workflows/scanbuild.yml
+++ b/.github/workflows/scanbuild.yml
@@ -24,7 +24,7 @@ jobs:
                      compiler: clang
        steps:
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Install packages
              if: startsWith(matrix.os, 'ubuntu')
              run: |
@@ -61,7 +61,7 @@ jobs:
              run: |
                find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat
            - name: Upload Artifacts
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
                name: Scan-Build Reports
                path: '/tmp/scan-build*/'
--- a/.github/workflows/ubsan.yml
+++ b/.github/workflows/ubsan.yml
@@ -19,12 +19,11 @@ on:
         - '**.py'
         - '**.asn1'
         - '**.opt'
         - '**.map'
         - '**/COPYING'
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/ubsan.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
    pull_request:
      paths:
@@ -45,8 +44,6 @@ on:
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/ubsan.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
 jobs:
    unix:
@@ -68,7 +65,7 @@ jobs:
                      ldflags: ''
        steps:
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Install packages
              if: startsWith(matrix.os, 'ubuntu')
              run: |
@@ -127,7 +124,7 @@ jobs:
              run: |
                find build -name \*.trs | sed -e 's/trs$/log/' | xargs cat
            - name: Upload Logs Tarball
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Test Logs
+                name: Test Logs UBSAN (${{ matrix.name }})
                path: '~/logs-linux-${{ matrix.compiler }}.tgz'
--- a/.github/workflows/valgrind.yml
+++ b/.github/workflows/valgrind.yml
@@ -24,7 +24,7 @@ jobs:
                      compiler: clang
        steps:
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Install packages
              if: startsWith(matrix.os, 'ubuntu')
              run: |
@@ -43,7 +43,7 @@ jobs:
                /bin/sh ./autogen.sh
                mkdir build
                cd build
-                ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
+                ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-gdwarf-4 -g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations"
                make -j4
            - name: Test
              env:
@@ -51,6 +51,7 @@ jobs:
                MAKEVARS: ${{ matrix.makevars }}
              run: |
                cd build
                sudo sysctl kernel.core_pattern=core.%p || true
                ulimit -c unlimited
                make check-valgrind
            - name: Valgrind output
@@ -65,7 +66,7 @@ jobs:
              run: |
                find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat
            - name: Upload Artifacts
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Test Logs
+                name: Test Logs (valgrind)
                path: '~/logs-linux-valgrind.tgz'
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -18,13 +18,12 @@ on:
         - '**.asn1'
         - '**.opt'
         - '**.w32'
         - '**.def'
         - '**/NTMakefile*'
         - '**/COPYING'
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/windows.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
    pull_request:
      paths:
@@ -44,12 +43,21 @@ on:
         - '**/INSTALL'
         - '**/README*'
         - '.github/workflows/windows.yml'
         - '!appveyor.yml'
         - '!.travis.yml'
 jobs:
    windows:
        # Run if no [only X] tag, or if [only windows] is present (check both push commits and PR titles)
        if: >-
            (!contains(github.event.head_commit.message, '[only ') &&
             !contains(github.event.pull_request.title, '[only ')) ||
            contains(github.event.head_commit.message, '[only windows]') ||
            contains(github.event.pull_request.title, '[only windows]')
        runs-on: windows-latest
        strategy:
            fail-fast: false
            matrix:
                # clang-cl disabled due to LLVM 19 bug with MMX intrinsics in VS 2022 headers
                compiler: [msvc]
        env:
            APPVER: '10.0'
            CODESIGN_PKT: 0000000000000000
@@ -58,37 +66,67 @@ jobs:
            WIXDIR: 'c:\Program Files (x86)\Windows Installer XML v3.5'
        steps:
            - name: Clone repository
-              uses: actions/checkout@v1
+              uses: actions/checkout@v4
            - name: Find MSVC and run vcvarsall.bat
              uses: ilammy/msvc-dev-cmd@v1
              with:
                arch: amd64
-            - name: Build and Test
+
            - name: Setup OpenSSL
              shell: pwsh
              run: |
                # OpenSSL 3.x is pre-installed on windows-latest at C:\Program Files\OpenSSL
                $opensslDir = "C:\Program Files\OpenSSL"
                if (Test-Path $opensslDir) {
                    Write-Host "OpenSSL found at $opensslDir"
                    Get-ChildItem $opensslDir
                    # Show version
                    & "$opensslDir\bin\openssl.exe" version
                } else {
                    Write-Host "OpenSSL not found, installing via chocolatey..."
                    choco install openssl -y
                    $opensslDir = "C:\Program Files\OpenSSL"
                }
                # Set environment variables for the build
                echo "OPENSSL_DIR=$opensslDir" >> $env:GITHUB_ENV
                echo "INCLUDE_openssl_crypto=$opensslDir\include" >> $env:GITHUB_ENV
                echo "LIB_openssl_crypto=$opensslDir\lib\VC\x64\MD\libcrypto.lib" >> $env:GITHUB_ENV
            - name: Install MSYS2 packages
              shell: cmd
              run: |
-                set PATH=%PATH%;C:\msys64\usr\bin;C:\Program Files (x86)\HTML Help Workshop;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin
+                C:\msys64\usr\bin\pacman.exe --noconfirm -Sy
                C:\msys64\usr\bin\pacman.exe --noconfirm -S zstd autoconf automake flex bison perl perl-JSON texinfo
            - name: Build
              shell: cmd
              run: |
                set "PATH=%PATH%;C:\msys64\usr\bin"
                set "PATH=%PATH%;C:\Program Files (x86)\HTML Help Workshop"
                set "PATH=%PATH%;C:\Program Files\OpenSSL\bin"
                set CODESIGN_PKT=0000000000000000
                set dbg__type=Debug
                mkdir %INSTALL_DIR%
                pacman --noconfirm -S zstd
                pacman --noconfirm -S autoconf
                pacman --noconfirm -S automake
                pacman --noconfirm -S flex
                pacman --noconfirm -S bison
                pacman --noconfirm -S perl
                pacman --noconfirm -S perl-JSON
                pacman --noconfirm -S texinfo
                set PATH=%PATH%;%wix%bin
                title Heimdal Build %CPU% %dbg__type%
                set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop"
                set "PATH=%PATH%;C:/msys64/usr/bin"
                set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin"
                set "PATH=%PATH%;C:\Python310-x64"
                echo PATH=%PATH%
-                nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1
+                echo INCLUDE_openssl_crypto=%INCLUDE_openssl_crypto%
-                nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test
+                echo LIB_openssl_crypto=%LIB_openssl_crypto%
                echo Compiler: ${{ matrix.compiler }}
                if "${{ matrix.compiler }}"=="clang-cl" (
                    clang-cl --version
                    nmake /f NTMakefile CC=clang-cl GHA=1 NO_INSTALLERS=1 INCLUDE_openssl_crypto="%INCLUDE_openssl_crypto%" LIB_openssl_crypto="%LIB_openssl_crypto%" CFLAGS="-msse2"
                ) else (
                    nmake /f NTMakefile GHA=1 NO_INSTALLERS=1 INCLUDE_openssl_crypto="%INCLUDE_openssl_crypto%" LIB_openssl_crypto="%LIB_openssl_crypto%"
                )
            - name: Test
              shell: cmd
              run: |
                set "PATH=%PATH%;C:\msys64\usr\bin"
                set "PATH=%PATH%;C:\Program Files\OpenSSL\bin"
                nmake /f NTMakefile GHA=1 NO_INSTALLERS=1 test
            - name: Upload Artifacts
-              uses: actions/upload-artifact@v2
+              uses: actions/upload-artifact@v4
              with:
-                name: Objects
+                name: Objects-${{ matrix.compiler }}
                path: 'D:/a/heimdal/heimdal/out/'
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,92 +0,0 @@
 os:
    - linux
    - osx
 language: c
 env:
    global:
        secure: "YKG77M7zMvJ+IeV2ziw//HcHqMqFoAzIZlE99Yw/aOn5pvMYKq6Ep7EFVhbfDu9yN0T7M5csCGQeH7/ylDlsZSRMUw72844ezMDM8e10T/lW/T/OYN7j1ZVHh3WSJgS+1D9VG6/Y0OY1Si3lb7PcOdAIU0fPJV5xQONN2+hpJeI="
 before_install:
    - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get update -qq; fi
    - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils; fi
    - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq ldap-utils gdb apport; fi
    - if [ $TRAVIS_OS_NAME = linux ]; then sudo apt-get install -qq curl libmicrohttpd-dev; fi
    - if [ $TRAVIS_OS_NAME = linux -a -n "$COVERAGE" ]; then sudo apt-get install -qq jq; fi
    - if [ $TRAVIS_OS_NAME = osx ]; then HOMEBREW_NO_AUTO_UPDATE=1 brew install cpanm bison flex berkeley-db lmdb openldap openssl; fi
    - if [ $TRAVIS_OS_NAME = osx ]; then sudo cpanm install JSON; fi
    - if [ $TRAVIS_OS_NAME = osx -a -n "$COVERAGE" ]; then brew install jq; fi
    - mkdir ci-build
    - mkdir coverity-build
    - ./autogen.sh
 install:
    - cd ci-build
    - |
      if [ $TRAVIS_OS_NAME = osx ]; then
          LDFLAGS="-L/usr/local/opt/berkeley-db/lib -L/usr/local/opt/lmdb/lib" \
          CFLAGS="-I/usr/local/opt/lmdb/include" \
          ../configure \
                  --srcdir=`dirname "$PWD"` \
                  --prefix=/tmp/heimdal \
                  --enable-maintainer-mode $COVERAGE \
                  --enable-static=no \
                  --enable-pthread-support \
                  --disable-afs-support \
                  --disable-ndbm-db \
                  --with-openldap=/usr/local/opt/openldap \
                  --with-openssl=/usr/local/opt/openssl/ \
                  --with-hcrypto-default-backend=ossl \
                  --with-berkeley-db \
                  --with-berkeley-db-include=/usr/local/opt/berkeley-db/include
      else
          # This list of -Wno-error options should be reduced over time where possible
          if [ x"$TRAVIS_COMPILER" != x"clang" ]; then
              CFLAGS="-Wno-error=empty-body -Wno-error=shadow -Wno-error=unused-value -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE
          else
              CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" ../configure --enable-developer --srcdir=`dirname "$PWD"` --enable-maintainer-mode $COVERAGE
          fi
      fi
    - ulimit -c unlimited; make -j3
 script:
    - if [ x${COVERITY_SCAN_BRANCH} != x1 ]; then ulimit -c unlimited; make check${MAKE_CHECK_SUFFIX}; fi
 after_script:
    - if [ -n "$COVERAGE" ]; then ../tools/coveralls-tool -O $PWD -S ..; fi
    - find . -name \*.log -print0|xargs -0 grep '^==[1-9]'
 after_failure:
    - find . -name test-suite.log -print0 | xargs -0 cat
    - if [ $TRAVIS_OS_NAME = linux ]; then echo "thread apply all bt" > x; find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
    - if [ $TRAVIS_OS_NAME = osx ]; then find . -name core -print | while read core; do echo bt | lldb --core "$core" `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done; fi
 compiler:
    - clang
    - gcc
 matrix:
    include:
      - os: linux
        compiler: gcc
        env: COVERAGE=--enable-gcov
    exclude:
      - os: osx
        compiler: gcc
 notifications:
    email:
        on_success: change
        on_failure: always
 addons:
    coverity_scan:
        project:
            name: "heimdal/heimdal"
            description: "Build submitted via Travis CI"
        notification_email: heimdal-builders@secure-endpoints.com
        build_command_prepend: ../configure --enable-maintainer-mode
        build_command: make
        branch_pattern: coverity_scan
--- a/.zed/settings.json
+++ b/.zed/settings.json
@@ -0,0 +1,8 @@
 // Folder-specific settings
 //
 // For a full list of overridable settings, and general information on folder-specific settings,
 // see the documentation: https://zed.dev/docs/configuring-zed#settings-files
 {
  "tab_size": 8,
  "hard_tabs": false
 }
--- a/Makefile.am
+++ b/Makefile.am
@@ -52,6 +52,7 @@ EXTRA_DIST = \
 	cf/roken.m4 \
 	cf/valgrind-suppressions \
 	cf/maybe-valgrind.sh \
 	cf/maybe-helgrind.sh \
 	cf/symbol-version.py \
 	cf/w32-check-exported-symbols.pl \
 	cf/w32-def-from-dll.pl \
--- a/79
+++ b/79
@@ -1,8 +1,7 @@
-Partial news for a future Heimdal 8.0 release -- but NOTE WELL that this is NOT
+Release Notes - Heimdal - Version Heimdal 8.0 (future)
 a release at this time!
-Bug fixes
+ Bug fixes:
 - Errors found by the Coverity static analysis.
 - Errors found by the LLVM scan-build static analyzer.
@@ -11,17 +10,37 @@ Bug fixes
 - iprop bugs, race conditions, and performance
 - Many misc. bugs
-Features:
+ Defaults changes:
 - Default enctypes set to: aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192.
 - 1DES now disabled by default in the build configuration.
   Use `./configure --with-1des=yes` to re-enable 1DES.
   (Use `--with-3des=no` to disable 3DES.)
   (Use `--with-arcfour` to disable RC4.)
 Features:
 - OpenSSL 3 support (hcrypto has been removed).
 - OpenSSL 3 provider support, including propq (e.g., for enabling FIPS) and
   PKCS#11 providers such as the Latchset provider
   (https://github.com/latchset/pkcs11-provider).
 - PKINIT: RFC 8636 (algorithm agility) implemented.
 - PKINIT: ECDH w/ NIST and X curves implemented.
 - PKINIT: Support for ECDSA and EdDSA implemented.
 - PKINIT: RSA key transport is disabled by default
 - KDC: Add FAST support for TGS.
 - KDC: Greatly improved plugin facility for Samba.
 - KDC: Add httpkadmind service providing a subset of kadmin
        functionality over HTTP.
- - KDC: Add support for virtual service principal namespaces.
+ - KDC: Add support for virtual service principal namespaces, which rekey
        service principals on a clock.
 - KDC: Add support for synthetic client principals that exist if the
        pre-authentication mechanism (e.g., PKINIT) can authenticate
        them, thus not requiring an HDB entry.
- - KDC: Add experimental GSS-API pre-authentication support.
+        Together with virtual service principal namespaces this allows for
        realms with minimal, primarily read-only HDBs.
 - KDC: Add experimental GSS-API pre-authentication support for Kerberos KDC
        exchanges.
 - KDC: Revamp and enhance kx509 support (though bx509d mostly replaces kx509).
 - KDC: Better support for aliases and referrals.
 - KDC: Always return the salt in the PA-ETYPE-INFO[2].
@@ -29,14 +48,18 @@ Features:
 - KDC: allow anonymous AS requests with long-term keys.
 - KDC: Do not include PAC for anonymous AS requests.
 - KDC: Enable keepalive mode on incoming sockets.
- - KDC: Greatly improved logging.
+ - KDC: Greatly improved logging, with one structured log message per-request,
        with all details as key/value pairs.
 - KDC: Remove KRB5SignedPath, to be replaced with PAC.
 - PKIX: Add bx509d -- an online certification authority (CA) with an HTTP API.
- - kadmin: Add HTTP-based kadmin protocol.
+ - PKIX: Add support elliptic curve signatures (ECDSA and EdDSA).
 - PKIX: Add support for modern password-based encryption ciphers for PKCS#12.
 - kadmind: Add httpkadmind, an HTTP-based kadmin protocol.
 - kadmin: Add add_alias, del_alias.
 - kadmin: Add command aliases to man page.
 - kadmin: Add disallow-client attribute.
- - kadmin: add --hdb / -H argument.
+ - kadmin: Improve -e enctype option support.
 - kadmin: Add --hdb / -H argument.
 - kadmin: Allow enforcing password quality on admin password change.
 - kadmin: Improve ext_keytab usage.
 - kadmin: Selective pruning of historic key for principal.
@@ -53,12 +76,13 @@ Features:
 - krb5: Implement KRB5_TRACE environment variable.
 - krb5: Add experimental name canonicalization rules configuration.
 - krb5: Support start_realm ccconfig entry type.
- - kinit: Add --default-for option for ccache collection support.
+ - kinit: Add --default-for-principal option for ccache collection support.
 - kinit: Add --pk-anon-fast-armor option.
 - kinit: Don't leave dangling temporary ccaches.
 - klist: Better --json
 - iprop: Many performance and scaling enhancements.
 - iprop: Support hierarchical propagation.
 - iprop: Support fast full props by using async writes during transfer.
 - ASN.1: Document fuzzing process.
 - ASN.1: Complete template backend.
 - ASN.1: Add partial Information Object System support (template backend
@@ -71,31 +95,50 @@ Features:
 - ASN.1: Support circular types.
 - ASN.1: Topographically sort declarations.
 - ASN.1: Proper support for IMPLICIT tags.
 - GSS: Import gss-token(1) command.
 - GSS: Add advanced credential store / load functionality.
 - GSS: Add gss_acquire_cred_from() and credential store extensions.
 - GSS: Add name attributes support, with support for many basic attributes
        and PAC buffer accessors too.
 - GSS: Add SANON mechanism for anonymous-only key exchange using
        elliptic curve Diffie-Hellman (ECDH) with Curve25519.
 - GSS: Add gss_acquire_cred_from() and credential store extensions.
 - GSS: Support fragmented tokens reassembly (for SMB).
 - GSS: Support client keytab.
 - GSS: Add NegoEx support.
- - libhx509: Lots of improvements.
+ - GSS: Import gss-token(1) command.
 - GSS: Improve gsstoool(1) command.
 - hxtool: Add "acert" (assert cert contents) command
 - hxtool: add cert type: https-negotiate-server
 - hxtool: add generate-key command
 - hxtool: Add OID symbol resolution and printing of OIDs known to hxtool.
 - hxtool: Add print --raw-json option that shows certificates in JSON, with
           all extensions and attributes known to Heimdal fully decoded.
- - hxtool: Improved SAN support.
+ - hxtool: Greatly improved SAN support.
- - hxtool: Improved CSR support.
+ - hxtool: Greatly improved CSR support.
 - hxtool: Greatly improved manual page.
 - Improved plugin interfaces.
 - hcrypto: Add X25519.
 - hcrypto: Better RSA key generation.
 - hcrypto: import libtommath v1.2.0.
 - roken: Add secure_getenv() and issuid(), use them extensively.
 Features removed:
 - NTLM support.
 - "digest" server functionality in KDC (for NTLM).
 - OTP.
 - libhcrypto.
 Feature removal warnings:
 - 1DES and RC4 may be removed in Heimdal 8.2
 Upgrade considerations:
 - Due to a change in HDB schema operators should check that Heimdal 8.x can
   dump HDBs modified by Heimdal 7.x before upgrading from 7.x to 8.x.
 Downgrade considerations:
 - Due to a change in HDB schema operators should check that Heimdal 7.x can
   dump HDBs modified by Heimdal 8.x before downgrading from 8.x to 7.x.
 Release Notes - Heimdal - Version Heimdal 7.8
 Bug fixes
--- a/2
+++ b/2
@@ -33,7 +33,7 @@
 thirdparty=thirdparty
 !endif
-!ifdef APPVEYOR
+!ifdef GHA
 SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl \
 	tools tests packages etc
 !else
--- a/README.md
+++ b/README.md
@@ -1,8 +1,6 @@
 [![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux)
 [![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx)
 [![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows)
 [![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master)
 [![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master)
 Heimdal
 =======
@@ -35,5 +33,3 @@ Build Status
 [![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/linux.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Alinux)
 [![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/osx.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Aosx)
 [![GitHub Build Workflow](https://github.com/heimdal/heimdal/actions/workflows/windows.yml/badge.svg)](https://github.com/heimdal/heimdal/actions?query=workflow%3Awindows)
 [![Appveyor-CI build (Windows)](https://ci.appveyor.com/api/projects/status/6j0k0m7kd6jjj4tw/branch/master?svg=true)](https://ci.appveyor.com/project/heimdal/heimdal/branch/master)
 [![Coverage Status](https://coveralls.io/repos/github/heimdal/heimdal/badge.svg?branch=master)](https://coveralls.io/github/heimdal/heimdal?branch=master)
--- a/admin/Makefile.am
+++ b/admin/Makefile.am
@@ -2,12 +2,14 @@
 include $(top_srcdir)/Makefile.am.common
-AM_CPPFLAGS += $(INCLUDE_readline)
+AM_CPPFLAGS += $(INCLUDE_readline) -I$(srcdir)/../lib/krb5
 man_MANS = ktutil.1
 bin_PROGRAMS = ktutil
 ktutil_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/../lib/krb5
 dist_ktutil_SOURCES =				\
 	add.c					\
 	change.c				\
@@ -34,7 +36,6 @@ ktutil-commands.c ktutil-commands.h: ktutil-commands.in
 LDADD = \
 	$(top_builddir)/lib/kadm5/libkadm5clnt.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(top_builddir)/lib/sl/libsl.la \
 	$(LIB_heimbase) \
--- a/admin/add.c
+++ b/admin/add.c
@@ -96,7 +96,7 @@ kt_add(struct add_options *opt, int argc, char **argv)
 	    goto out;
    }
    if(opt->password_string == NULL && opt->random_flag == 0) {
-	if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ",
+        if(_krb5_UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ",
                                        UI_UTIL_FLAG_VERIFY)) {
 	    ret = 1;
 	    goto out;
--- a/admin/ktutil_locl.h
+++ b/admin/ktutil_locl.h
@@ -55,6 +55,7 @@
 #include "crypto-headers.h"
 #include <krb5.h>
 #include <krb5_locl.h>
 #include <kadm5/admin.h>
 #include <kadm5/kadm5_err.h>
--- a/appl/Makefile.am
+++ b/appl/Makefile.am
@@ -2,19 +2,11 @@
 include $(top_srcdir)/Makefile.am.common
 if OTP
 dir_otp = otp
 endif
 if DCE
 dir_dce = dceutils
 endif
 if !NO_AFS
 dir_afsutil = afsutil
 endif
 SUBDIRS = 					\
 	  $(dir_afsutil)			\
 	  dbutils				\
 	  $(dir_otp)				\
 	  gssmask				\
 	  test					\
 	  kf					\
--- a/appl/afsutil/ChangeLog
+++ b/appl/afsutil/ChangeLog
@@ -1,125 +0,0 @@
 2007-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
 	* pagsh.1,afslog.1: - options must be lexicographically ordered;
 	  again, options without arguments must be placed before options
 	  with arguments.  - manual page cross references are done using
 	  the macro `.Xr', not the macro `.Nm' (used for command names
 	  instead).
 	From Igor Sobrado.
 2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
 	* Makefile.am: Add man_MANS to EXTRA_DIST
 2006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>
 	* afslog.1: Document options to allow select principal or
 	credential cache when doing afslog.
 	* afslog.c: Add options to allow select principal or credential
 	cache when doing afslog.
 2005-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
 	* Makefile.am: man_MANS += pagsh.1
 	* pagsh.c: add --cache-type that allows the user to control the
 	resulting credential cache type, inherit the type from the
 	invoking process
 	* pagsh.1: manpage for pagsh
 2004-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
 	* afslog.c: use negative string help string for arg_negative_flag
 	Pointed out by Harald Barth
 2004-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
 	* pagsh.c: use setprogname, if we stripped off -c, try use the
 	fallback code
 2003-10-14  Johan Danielsson  <joda@pdc.kth.se>
 	* pagsh.c: mkstemp formats must end in exactly six X's
 2003-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
 	* afslog.c (do_afslog): is cell is unset, set it "<default cell>"
 	for error printing
 	* pagsh.c: unconditionally set KRBTKFILE
 2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
 	* afslog.c (log_func): drop the error number
 2003-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
 	* afslog.c: set kafs log function if verbose is turned on
 2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
 	* Makefile.am (LDADD): use LIB_kafs
 	* afslog.1: --no-v4, --no-v5
 	* Makefile.am: always build afsutils now
 	* afslog.c: make build without KRB4
 2002-11-26  Johan Danielsson  <joda@pdc.kth.se>
 	* afslog.c: remove plural form in help string
 	* Makefile.am: add afslog manpage
 	* afslog.1: manpage
 	* afslog.c: try more files when trying to expand a cell name
 	* afslog.c: create a list of cells to get tokens for, before
 	actually doing anything, and try to get tokens via krb4 if krb5
 	fails, and give it a chance to work with krb4-only; also some bug
 	fixes, partially from Tomas Olsson.
 2002-08-23  Assar Westerlund  <assar@kth.se>
 	* pagsh.c: make it handle --version/--help
 2001-05-17  Assar Westerlund  <assar@sics.se>
 	* afslog.c (main): call free_getarg_strings
 2000-12-31  Assar Westerlund  <assar@sics.se>
 	* afslog.c (main): handle krb5_init_context failure consistently
 2000-12-25  Assar Westerlund  <assar@sics.se>
 	* afslog.c: clarify usage strings
 1999-08-04  Assar Westerlund  <assar@sics.se>
 	* pagsh.c (main): use mkstemp to generate temporary file names.
  	From Miroslav Ruda <ruda@ics.muni.cz>
 1999-07-04  Assar Westerlund  <assar@sics.se>
 	* afslog.c (expand_cell_name): terminate on #.  From Miroslav Ruda
 	<ruda@ics.muni.cz>
 1999-06-27  Assar Westerlund  <assar@sics.se>
 	* Makefile.am (bin_PROGRAMS): only include pagsh if KRB4
 1999-06-26  Assar Westerlund  <assar@sics.se>
 	* Makefile.am: add pagsh
 	* pagsh.c: new file.  contributed by Miroslav Ruda <ruda@ics.muni.cz>
 Sat Mar 27 12:49:43 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
 	* afslog.c: cleanup option parsing
--- a/appl/afsutil/Makefile.am
+++ b/appl/afsutil/Makefile.am
@@ -1,19 +0,0 @@
 # $Id$
 include $(top_srcdir)/Makefile.am.common
 bin_PROGRAMS = afslog pagsh
 afslog_SOURCES = afslog.c
 pagsh_SOURCES  = pagsh.c
 man_MANS = afslog.1 pagsh.1
 LDADD = $(LIB_kafs) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_hcrypto) \
 	$(LIB_roken)
 EXTRA_DIST = NTMakefile $(man_MANS)
--- a/appl/afsutil/NTMakefile
+++ b/appl/afsutil/NTMakefile
@@ -1,35 +0,0 @@
 ########################################################################
 #
 # Copyright (c) 2009, Secure Endpoints Inc.
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 
 # - Redistributions of source code must retain the above copyright
 #   notice, this list of conditions and the following disclaimer.
 # 
 # - Redistributions in binary form must reproduce the above copyright
 #   notice, this list of conditions and the following disclaimer in
 #   the documentation and/or other materials provided with the
 #   distribution.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 # 
 RELDIR=appl\afsutil 
 !include ../../windows/NTMakefile.w32 
--- a/appl/afsutil/afslog.1
+++ b/appl/afsutil/afslog.1
@@ -1,147 +0,0 @@
 .\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\"
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\"
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
 .\" 3. Neither the name of the Institute nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd November 26, 2002
 .Dt AFSLOG 1
 .Os HEIMDAL
 .Sh NAME
 .Nm afslog
 .Nd obtain AFS tokens
 .Sh SYNOPSIS
 .Nm
 .Op Fl h | Fl Fl help
 .Op Fl Fl no-v5
 .Op Fl u | Fl Fl unlog
 .Op Fl v | Fl Fl verbose
 .Op Fl Fl version
 .Oo Fl c Ar cell \*(Ba Xo
 .Fl Fl cell= Ns Ar cell
 .Xc
 .Oc
 .Oo Fl k Ar realm \*(Ba Xo
 .Fl Fl realm= Ns Ar realm
 .Xc
 .Oc
 .Oo Fl P Ar principal \*(Ba Xo
 .Fl Fl principal= Ns Ar principal
 .Xc
 .Oc
 .Bk -words
 .Oo Fl p Ar path \*(Ba Xo
 .Fl Fl file= Ns Ar path
 .Xc
 .Oc
 .Ek
 .Op Ar cell | path ...
 .Sh DESCRIPTION
 .Nm
 obtains AFS tokens for a number of cells. What cells to get tokens for
 can either be specified as an explicit list, as file paths to get
 tokens for, or be left unspecified, in which case
 .Nm
 will use whatever magic
 .Xr krb_afslog 3
 decides upon.
 .Pp
 Supported options:
 .Bl -tag -width Ds
 .It Fl Fl no-v5
 This makes
 .Nm
 not try using Kerberos 5.
 .It Xo
 .Fl P Ar principal ,
 .Fl Fl principal Ar principal
 .Xc
 select what Kerberos 5 principal to use.
 .It Fl Fl cache Ar cache
 select what Kerberos 5 credential cache to use.
 .Fl Fl principal
 overrides this option.
 .It Xo
 .Fl u ,
 .Fl Fl unlog
 .Xc
 Destroy tokens instead of obtaining new. If this is specified, all
 other options are ignored (except for
 .Fl Fl help
 and
 .Fl Fl version ) .
 .It Xo
 .Fl v ,
 .Fl Fl verbose
 .Xc
 Adds more verbosity for what is actually going on.
 .It Xo
 .Fl c Ar cell,
 .Fl Fl cell= Ns Ar cell
 .Xc
 This specified one or more cell names to get tokens for.
 .It Xo
 .Fl k Ar realm ,
 .Fl Fl realm= Ns Ar realm
 .Xc
 This is the Kerberos realm the AFS servers live in, this should
 normally not be specified.
 .It Xo
 .Fl p Ar path ,
 .Fl Fl file= Ns Ar path
 .Xc
 This specified one or more file paths for which tokens should be
 obtained.
 .El
 .Pp
 Instead of using
 .Fl c
 and
 .Fl p ,
 you may also pass a list of cells and file paths after any other
 options. These arguments are considered files if they are either
 the strings
 .Do . Dc
 or
 .Dq ..
 or they contain a slash, or if there exists a file by that name.
 .Sh EXAMPLES
 Assuming that there is no file called
 .Dq openafs.org
 in the current directory, and that
 .Pa /afs/openafs.org
 points to that cell, the follwing should be identical:
 .Bd -literal -offset indent
 $ afslog -c openafs.org
 $ afslog openafs.org
 $ afslog /afs/openafs.org/some/file
 .Ed
 .Sh SEE ALSO
 .Xr krb_afslog 3
--- a/appl/afsutil/afslog.c
+++ b/appl/afsutil/afslog.c
@@ -1,303 +0,0 @@
 /*
 * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 RCSID("$Id$");
 #endif
 #include <ctype.h>
 #ifdef KRB5
 #include <krb5.h>
 #endif
 #include <kafs.h>
 #include <roken.h>
 #include <getarg.h>
 #include <err.h>
 static int help_flag;
 static int version_flag;
 static getarg_strings cells;
 static char *realm;
 static getarg_strings files;
 static int unlog_flag;
 static int verbose;
 #ifdef KRB5
 static char *client_string;
 static char *cache_string;
 static int use_krb5 = 1;
 #endif
 struct getargs args[] = {
    { "cell",	'c', arg_strings, &cells, "cells to get tokens for", "cell" },
    { "file",	'p', arg_strings, &files, "files to get tokens for", "path" },
    { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens", NULL },
 #ifdef KRB5
    { "principal",'P',arg_string,&client_string,"principal to use","principal"},
    { "cache",   0,  arg_string, &cache_string, "ccache to use", "cache"},
    { "v5",	 0,  arg_negative_flag, &use_krb5, "don't use Kerberos 5",
      NULL },
 #endif
    { "verbose",'v', arg_flag, &verbose, NULL, NULL },
    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
 };
 static int num_args = sizeof(args) / sizeof(args[0]);
 #ifdef KRB5
 krb5_context context;
 krb5_ccache id;
 #endif
 static const char *
 expand_one_file(FILE *f, const char *cell)
 {
    static char buf[1024];
    char *p;
    while (fgets (buf, sizeof(buf), f) != NULL) {
 	if(buf[0] == '>') {
 	    for(p = buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
 		;
 	    *p = '\0';
 	    if(strncmp(buf + 1, cell, strlen(cell)) == 0)
 		return buf + 1;
 	}
 	buf[0] = '\0';
    }
    return NULL;
 }
 static const char *
 expand_cell_name(const char *cell)
 {
    FILE *f;
    const char *c;
    const char **fn, *fns[] = { _PATH_CELLSERVDB,
 				_PATH_ARLA_CELLSERVDB,
 				_PATH_OPENAFS_DEBIAN_CELLSERVDB,
 				_PATH_ARLA_DEBIAN_CELLSERVDB,
 				NULL };
    for(fn = fns; *fn; fn++) {
 	f = fopen(*fn, "r");
 	if(f == NULL)
 	    continue;
 	c = expand_one_file(f, cell);
 	fclose(f);
 	if(c)
 	    return c;
    }
    return NULL;
 }
 static void
 usage(int ecode)
 {
    arg_printusage(args, num_args, NULL, "[cell|path]...");
    exit(ecode);
 }
 struct cell_list {
    char *cell;
    struct cell_list *next;
 } *cell_list;
 static int
 afslog_cell(const char *cell, int expand)
 {
    struct cell_list *p, **q;
    const char *c = cell;
    if(expand){
 	c = expand_cell_name(cell);
 	if(c == NULL){
 	    warnx("No cell matching \"%s\" found.", cell);
 	    return -1;
 	}
 	if(verbose && strcmp(c, cell) != 0)
 	    warnx("Cell \"%s\" expanded to \"%s\"", cell, c);
    }
    /* add to list of cells to get tokens for, and also remove
       duplicates; the actual afslog takes place later */
    for(p = cell_list, q = &cell_list; p; q = &p->next, p = p->next)
 	if(strcmp(p->cell, c) == 0)
 	    return 0;
    p = malloc(sizeof(*p));
    if(p == NULL)
 	return -1;
    p->cell = strdup(c);
    if(p->cell == NULL) {
 	free(p);
 	return -1;
    }
    p->next = NULL;
    *q = p;
    return 0;
 }
 static int
 afslog_file(const char *path)
 {
    char cell[64];
    if(k_afs_cell_of_file(path, cell, sizeof(cell))){
 	warnx("No cell found for file \"%s\".", path);
 	return -1;
    }
    if(verbose)
 	warnx("File \"%s\" lives in cell \"%s\"", path, cell);
    return afslog_cell(cell, 0);
 }
 static int
 do_afslog(const char *cell)
 {
    int k5ret;
    k5ret = 0;
 #ifdef KRB5
    if(context != NULL && id != NULL && use_krb5) {
 	k5ret = krb5_afslog(context, id, cell, realm);
 	if(k5ret == 0)
 	    return 0;
    }
 #endif
    if (cell == NULL)
 	cell = "<default cell>";
 #ifdef KRB5
    if (k5ret)
 	krb5_warn(context, k5ret, "krb5_afslog(%s)", cell);
 #endif
    if (k5ret)
 	return 1;
    return 0;
 }
 static void
 log_func(void *ctx, const char *str)
 {
    fprintf(stderr, "%s\n", str);
 }
 int
 main(int argc, char **argv)
 {
    int optidx = 0;
    int i;
    int num;
    int ret = 0;
    int failed = 0;
    struct cell_list *p;
    setprogname(argv[0]);
    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
    if(help_flag)
 	usage(0);
    if(version_flag) {
 	print_version(NULL);
 	exit(0);
    }
    if(!k_hasafs())
 	errx(1, "AFS does not seem to be present on this machine");
    if(unlog_flag){
 	k_unlog();
 	exit(0);
    }
 #ifdef KRB5
    ret = krb5_init_context(&context);
    if (ret) {
 	context = NULL;
    } else {
 	if (client_string) {
 	    krb5_principal client;
 	    ret = krb5_parse_name(context, client_string, &client);
 	    if (ret == 0)
 		ret = krb5_cc_cache_match(context, client, &id);
 	    if (ret)
 		id = NULL;
 	}
 	if (id == NULL && cache_string) {
 	    if(krb5_cc_resolve(context, cache_string, &id) != 0) {
 		krb5_warnx(context, "failed to open kerberos 5 cache '%s'",
 			   cache_string);
 		id = NULL;
 	    }
 	}
 	if (id == NULL)
 	    if(krb5_cc_default(context, &id) != 0)
 		id = NULL;
    }
 #endif
    if (verbose)
 	kafs_set_verbose(log_func, NULL);
    num = 0;
    for(i = 0; i < files.num_strings; i++){
 	afslog_file(files.strings[i]);
 	num++;
    }
    free_getarg_strings (&files);
    for(i = 0; i < cells.num_strings; i++){
 	afslog_cell(cells.strings[i], 1);
 	num++;
    }
    free_getarg_strings (&cells);
    for(i = optidx; i < argc; i++){
 	num++;
 	if(strcmp(argv[i], ".") == 0 ||
 	   strcmp(argv[i], "..") == 0 ||
 	   strchr(argv[i], '/') ||
 	   access(argv[i], F_OK) == 0)
 	    afslog_file(argv[i]);
 	else
 	    afslog_cell(argv[i], 1);
    }
    if(num == 0) {
 	if(do_afslog(NULL))
 	    failed++;
    } else
 	for(p = cell_list; p; p = p->next) {
 	    if(verbose)
 		warnx("Getting tokens for cell \"%s\"", p->cell);
 	    if(do_afslog(p->cell))
 		failed++;
    }
    return failed;
 }
--- a/appl/afsutil/pagsh.1
+++ b/appl/afsutil/pagsh.1
@@ -1,94 +0,0 @@
 .\" Copyright (c) 2005 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\"
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\"
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
 .\" 3. Neither the name of the Institute nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd February 12, 2005
 .Dt PAGSH 1
 .Os
 .Sh NAME
 .Nm pagsh
 .Nd creates a new credential cache sandbox
 .Sh SYNOPSIS
 .Nm
 .Op Fl c Ar command-string
 .Op Fl h | Fl Fl help
 .Op Fl Fl version
 .Op Fl Fl cache-type= Ns Ar string
 .Ar command [args...]
 .Sh DESCRIPTION
 Supported options:
 .Bl -tag -width Ds
 .It Xo
 .Fl c Ar command-string
 Executes command(s) contained in
 .Ar command-string .
 .Xc
 .It Xo
 .Fl Fl cache-type= Ns Ar string
 .Xc
 .It Xo
 .Fl h ,
 .Fl Fl help
 .Xc
 .It Xo
 .Fl Fl version
 .Xc
 .El
 .Pp
 .Nm
 creates a new credential cache sandbox for the user to live in.
 If AFS is installed on the computer, the user is put in a newly
 created Process Authentication Group (PAG).
 .Pp
 For Kerberos 5, the credential cache type that is used is the same as
 the credential cache type that was used at the time of
 .Nm
 invocation.
 The credential cache type can be controlled by the option
 .Fl Fl cache-type .
 .Sh EXAMPLES
 Create a new sandbox where new credentials can be used, while the old
 credentials can be used by other processes.
 .Bd -literal -offset indent
 $ klist
 Credentials cache: FILE:/tmp/krb5cc_913
        Principal: lha@E.KTH.SE
  Issued           Expires          Principal
 Feb 12 10:08:31  Feb 12 20:06:36  krbtgt/E.KTH.SE@E.KTH.SE
 $ pagsh
 $ klist
 klist: No ticket file: /tmp/krb5cc_03014a
 .Ed
 .Sh SEE ALSO
 .Xr afslog 1 ,
 .Xr kinit 1
--- a/appl/afsutil/pagsh.c
+++ b/appl/afsutil/pagsh.c
@@ -1,213 +0,0 @@
 /*
 * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
 RCSID("$Id$");
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
 #include <time.h>
 #ifdef HAVE_FCNTL_H
 #include <fcntl.h>
 #endif
 #ifdef HAVE_PWD_H
 #include <pwd.h>
 #endif
 #ifdef KRB5
 #include <krb5.h>
 #endif
 #include <kafs.h>
 #include <err.h>
 #include <roken.h>
 #include <getarg.h>
 #ifndef TKT_ROOT
 #define TKT_ROOT "/tmp/tkt"
 #endif
 static int help_flag;
 static int version_flag;
 static int c_flag;
 #ifdef KRB5
 static char *typename_arg;
 #endif
 struct getargs getargs[] = {
    { NULL,	'c', arg_flag, &c_flag, NULL, NULL },
 #ifdef KRB5
    { "cache-type", 0,  arg_string, &typename_arg, NULL, NULL },
 #endif
    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
 };
 static int num_args = sizeof(getargs) / sizeof(getargs[0]);
 static void
 usage(int ecode)
 {
    arg_printusage(getargs, num_args, NULL, "command [args...]");
    exit(ecode);
 }
 /*
 * Run command with a new ticket file / credentials cache / token
 */
 int
 main(int argc, char **argv)
 {
    int f;
    char tf[1024];
    char shellbuf[MAX_PATH];
    char *p;
    char *path;
    char **args;
    unsigned int i;
    int optidx = 0;
    setprogname(argv[0]);
    if(getarg(getargs, num_args, argc, argv, &optidx))
 	usage(1);
    if(help_flag)
 	usage(0);
    if(version_flag) {
 	print_version(NULL);
 	exit(0);
    }
    argc -= optidx;
    argv += optidx;
 #ifdef KRB5
    {
 	krb5_error_code ret;
 	krb5_context context;
 	krb5_ccache id;
 	const char *name;
 	ret = krb5_init_context(&context);
 	if (ret) /* XXX should this really call exit ? */
 	    errx(1, "no kerberos 5 support");
 	ret = krb5_cc_new_unique(context, typename_arg, NULL, &id);
 	if (ret)
 	    krb5_err(context, 1, ret, "Failed generating credential cache");
 	name = krb5_cc_get_name(context, id);
 	if (name == NULL)
 	    krb5_errx(context, 1, "Generated credential cache have no name");
 	snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name);
 	ret = krb5_cc_close(context, id);
 	if (ret)
 	    krb5_err(context, 1, ret, "Failed closing credential cache");
 	krb5_free_context(context);
 	esetenv("KRB5CCNAME", tf, 1);
    }
 #endif
    snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
    f = mkstemp (tf);
    if (f < 0)
 	err(1, "mkstemp failed");
    close (f);
    unlink (tf);
    esetenv("KRBTKFILE", tf, 1);
    i = 0;
    args = (char **) malloc((argc + 10)*sizeof(char *));
    if (args == NULL)
 	errx (1, "Out of memory allocating %lu bytes",
 	      (unsigned long)((argc + 10)*sizeof(char *)));
    if(*argv == NULL) {
        if (roken_get_shell(shellbuf, sizeof(shellbuf)) != NULL)
            path = strdup(shellbuf);
        else
            path = strdup("/bin/sh");
    } else {
 	path = strdup(*argv++);
    }
    if (path == NULL)
 	errx (1, "Out of memory copying path");
    p=strrchr(path, '/');
    if(p)
 	args[i] = strdup(p+1);
    else
 	args[i] = strdup(path);
    if (args[i++] == NULL)
 	errx (1, "Out of memory copying arguments");
    while(*argv)
 	args[i++] = *argv++;
    args[i++] = NULL;
    if(k_hasafs())
 	k_setpag();
    unsetenv("PAGPID");
    execvp(path, args);
    if (errno == ENOENT || c_flag) {
 	char **sh_args = malloc ((i + 2) * sizeof(char *));
 	unsigned int j;
 	if (sh_args == NULL)
 	    errx (1, "Out of memory copying sh arguments");
 	for (j = 1; j < i; ++j)
 	    sh_args[j + 2] = args[j];
 	sh_args[0] = "sh";
 	sh_args[1] = "-c";
 	sh_args[2] = path;
 	execv ("/bin/sh", sh_args);
    }
    err (1, "execvp");
 }
--- a/appl/gssmask/common.c
+++ b/appl/gssmask/common.c
@@ -95,3 +95,13 @@ permutate_all(struct getarg_strings *strings, size_t *size)
    free(list);
    return all;
 }
 void
 tcp_nodelay(rk_socket_t sock)
 {
 #ifdef HAVE_NETINET_TCP_H
    int on = 1;
    (void)setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
 #endif
 }
--- a/appl/gssmask/common.h
+++ b/appl/gssmask/common.h
@@ -46,6 +46,10 @@
 #include <sys/wait.h>
 #endif
 #ifdef HAVE_NETINET_TCP_H
 #include <netinet/tcp.h>
 #endif
 #include <assert.h>
 #include <krb5.h>
 #include <gssapi/gssapi.h>
@@ -112,3 +116,5 @@ krb5_error_code store_string(krb5_storage *, const char *);
    } while(0)
 char *** permutate_all(struct getarg_strings *, size_t *);
 void tcp_nodelay(rk_socket_t);
--- a/appl/gssmask/gssmaestro.c
+++ b/appl/gssmask/gssmaestro.c
@@ -303,6 +303,7 @@ wait_log(struct client *c)
    sock2 = accept(sock, (struct sockaddr *)&sast, &salen);
    if (sock2 == rk_INVALID_SOCKET)
 	err(1, "failed to accept local socket for %s", c->moniker);
    tcp_nodelay(sock2);
    rk_closesocket(sock);
    return sock2;
@@ -413,7 +414,8 @@ test_mic(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2)
    krb5_data msg, mic;
    int32_t val;
-    msg.data = "foo";
+    /* used read-only by get_mic, verify_mic */
    msg.data = rk_UNCONST("foo");
    msg.length = 3;
    krb5_data_zero(&mic);
@@ -435,7 +437,8 @@ test_wrap(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2,
    krb5_data msg, wrapped, out;
    int32_t val;
-    msg.data = "foo";
+    /* used read_only by encrypt_token */
    msg.data = rk_UNCONST("foo");
    msg.length = 3;
    krb5_data_zero(&wrapped);
@@ -474,13 +477,16 @@ test_wrap_ext(struct client *c1, int32_t hc1, struct client *c2, int32_t hc2,
    krb5_data header, msg, trailer, wrapped, out;
    int32_t val;
-    header.data = "header";
+    /* used read-only by wrap_token_ext, unwrap_token_ext */
    header.data = rk_UNCONST("header");
    header.length = sizeof("header") - 1;
-    msg.data = "0123456789abcdef"; /* padded for most enctypes */
+    /* used read-only by wrap_token_ext */
    msg.data = rk_UNCONST("0123456789abcdef"); /* padded for most enctypes */
    msg.length = sizeof("0123456789abcdef") - 1;
-    trailer.data = "trailer";
+    /* used read-only by wrap_token_ext, unwrap_token_ext */
    trailer.data = rk_UNCONST("trailer");
    trailer.length = 7;
    krb5_data_zero(&wrapped);
@@ -633,6 +639,7 @@ connect_client(const char *slave)
 	sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
 	if (sock == rk_INVALID_SOCKET)
 	    continue;
 	tcp_nodelay(sock);
 	if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) {
 	    rk_closesocket(sock);
 	    sock = rk_INVALID_SOCKET;
--- a/appl/gssmask/gssmask.c
+++ b/appl/gssmask/gssmask.c
@@ -705,6 +705,7 @@ HandleOP(SetLoggingSocket)
    sock = socket(((struct sockaddr *)&c->sa)->sa_family, SOCK_STREAM, 0);
    if (sock == rk_INVALID_SOCKET)
 	return 0;
    tcp_nodelay(sock);
    ret = connect(sock, (struct sockaddr *)&c->sa, c->salen);
    if (ret < 0) {
@@ -1180,6 +1181,9 @@ static int version_flag;
 static int help_flag;
 static char *logfile_str;
 static char *moniker_str;
 static int detach_flag;
 static int daemon_child_fd = -1;
 static char *pidfile_str;
 static int port = 4711;
@@ -1192,6 +1196,12 @@ struct getargs args[] = {
      "number-of-service" },
    { "moniker", 0,  arg_string,	&moniker_str,	"nickname",
      "name" },
    { "detach", 0, arg_flag,		&detach_flag,	"detach from console",
      NULL },
    { "daemon-child", 0, arg_integer,	&daemon_child_fd, "private argument, do not use",
      NULL },
    { "pidfile", 0, arg_string,		&pidfile_str,	"write pid to file",
      "file" },
    { "version", 0,  arg_flag,		&version_flag,	"Print version",
      NULL },
    { "help",	 0,  arg_flag,		&help_flag,	NULL,
@@ -1213,6 +1223,11 @@ main(int argc, char **argv)
 {
    int optidx	= 0;
    krb5_error_code ret;
    struct addrinfo *ai, hints;
    char portstr[NI_MAXSERV];
    rk_socket_t *fds;
    int num_fds;
    int error;
    setprogname (argv[0]);
@@ -1238,6 +1253,9 @@ main(int argc, char **argv)
 	    errx (1, "Bad port `%s'", port_str);
    }
    if (detach_flag && daemon_child_fd == -1)
 	daemon_child_fd = roken_detach_prep(argc, argv, "--daemon-child");
    ret = krb5_init_context(&context);
    if (ret)
 	errx(1, "Error initializing kerberos: %d", ret);
@@ -1252,12 +1270,32 @@ main(int argc, char **argv)
 	    err(1, "error opening %s", lf);
    }
-    mini_inetd(htons(port), NULL);
+    memset(&hints, 0, sizeof(hints));
    hints.ai_flags    = AI_PASSIVE;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_family   = PF_UNSPEC;
    snprintf(portstr, sizeof(portstr), "%d", port);
    error = getaddrinfo(NULL, portstr, &hints, &ai);
    if (error)
 	errx(1, "getaddrinfo: %s", gai_strerror(error));
    mini_inetd_addrinfo_listen(ai, &fds, &num_fds);
    freeaddrinfo(ai);
    if (pidfile_str)
 	rk_pidfile(pidfile_str);
    roken_detach_finish(NULL, daemon_child_fd);
    mini_inetd_accept(fds, num_fds, NULL);
    fprintf(logfile, "connected\n");
    {
 	struct client *c;
 	tcp_nodelay(0);
 	c = create_client(0, port, moniker_str);
 	/* close(0); */
--- a/appl/kf/Makefile.am
+++ b/appl/kf/Makefile.am
@@ -13,7 +13,6 @@ kf_SOURCES = kf.c kf_locl.h
 kfd_SOURCES = kfd.c kf_locl.h
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
--- a/appl/kf/kf.c
+++ b/appl/kf/kf.c
@@ -184,7 +184,7 @@ proto (int sock, const char *hostname, const char *svc,
    if (ccache_name == NULL)
 	ccache_name = "";
-    data_send.data   = (void *)remote_name;
+    data_send.data   = rk_UNCONST(remote_name);
    data_send.length = strlen(remote_name) + 1;
    status = krb5_write_priv_message(context, auth_context, &sock, &data_send);
    if (status) {
@@ -192,7 +192,7 @@ proto (int sock, const char *hostname, const char *svc,
 	krb5_warn (context, status, "krb5_write_message");
 	return 1;
    }
-    data_send.data   = (void *)ccache_name;
+    data_send.data   = rk_UNCONST(ccache_name);
    data_send.length = strlen(ccache_name)+1;
    status = krb5_write_priv_message(context, auth_context, &sock, &data_send);
    if (status) {
--- a/appl/kf/kfd.c
+++ b/appl/kf/kfd.c
@@ -39,10 +39,10 @@ char krb5_tkfile[MAXPATHLEN];
 static int help_flag;
 static int version_flag;
-static char *port_str;
+static const char *port_str;
-char *service = KF_SERVICE;
+const char *service = KF_SERVICE;
 int do_inetd = 0;
-static char *regpag_str=NULL;
+static const char *regpag_str = NULL;
 static struct getargs args[] = {
    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
@@ -176,9 +176,12 @@ proto (int sock, const char *svc)
 	krb5_err(context, 1, status, "krb5_unparse_name");
    if(protocol_version == 0) {
-	data.data = "old clnt"; /* XXX old clients only had room for
+	/*
-                                   10 bytes of message, and also
+	 * XXX old clients only had room for 10 bytes of message, and
-                                   didn't show it to the user */
+	 * also didn't show it to the user
 	 */
 	/* used read-only by krb5_write_message */
 	data.data = rk_UNCONST("old clnt");
 	data.length = strlen(data.data) + 1;
 	krb5_write_message(context, &sock, &data);
 	sleep(2); /* XXX give client time to finish */
--- a/appl/otp/ChangeLog
+++ b/appl/otp/ChangeLog
@@ -1,58 +0,0 @@
 2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
 	* Makefile.am: Add man_MANS to EXTRA_DIST
 2005-05-29  Love Hörquist Åstrand  <lha@it.su.se>
 	* Makefile.am: add LIB_roken as a explit dependency
 2003-09-03  Love Hörquist Åstrand <lha@it.su.se>
 	* otpprint.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
 	* otp.c: s/des_read_pw_string/UI_UTIL_read_pw_string/
 2003-02-25  Love Hörquist Åstrand <lha@it.su.se>
 	* otp.c: remove \n from errx, from NetBSD
 2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
 	* otpprint.1: sort parameters and close a list
 	* otp.1: sort parameters and close a list
 1999-09-14  Assar Westerlund  <assar@sics.se>
 	* otp.c (verify_user_otp): check return value from
 	des_read_pw_string
 Thu Apr  1 16:51:07 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
 	* otpprint.c: use getarg
 	* otp.c: use getarg
 Thu Mar 18 12:08:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
 	* Makefile.am: include Makefile.am.common
 Thu Mar  4 19:45:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
 	* Makefile.am: DESTDIR
 Sat Feb 27 19:44:25 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
 	* Makefile.am: add
 Sun Nov 22 10:32:50 1998  Assar Westerlund  <assar@sics.se>
 	* otpprint.c: more braces
 	* Makefile.in (WFLAGS): set
 Sun Dec 21 09:31:30 1997  Assar Westerlund  <assar@sics.se>
 	* otp.c (renew): don't set the OTP if the reading of the string
 	fails.
--- a/appl/otp/Makefile.am
+++ b/appl/otp/Makefile.am
@@ -1,15 +0,0 @@
 # $Id$
 include $(top_srcdir)/Makefile.am.common
 bin_PROGRAMS = otp otpprint
 bin_SUIDS = otp
 otp_SOURCES = otp.c otp_locl.h
 otp_LDADD  = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la
 otpprint_SOURCES = otpprint.c otp_locl.h
 otpprint_LDADD  = $(LIB_hcrypto) $(LIB_roken) $(top_builddir)/lib/otp/libotp.la
 man_MANS = otp.1  otpprint.1
 EXTRA_DIST = NTMakefile $(man_MANS)
--- a/appl/otp/NTMakefile
+++ b/appl/otp/NTMakefile
@@ -1,35 +0,0 @@
 ########################################################################
 #
 # Copyright (c) 2009, Secure Endpoints Inc.
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 
 # - Redistributions of source code must retain the above copyright
 #   notice, this list of conditions and the following disclaimer.
 # 
 # - Redistributions in binary form must reproduce the above copyright
 #   notice, this list of conditions and the following disclaimer in
 #   the documentation and/or other materials provided with the
 #   distribution.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 # 
 RELDIR=appl\otp 
 !include ../../windows/NTMakefile.w32 
--- a/appl/otp/otp.1
+++ b/appl/otp/otp.1
@@ -1,90 +0,0 @@
 .\" Copyright (c) 1996, 2000 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\"
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\"
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
 .\" 3. Neither the name of the Institute nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd November 17, 1996
 .Dt OTP 1
 .Os KTH-KRB
 .Sh NAME
 .Nm otp
 .Nd manages one-time passwords
 .Sh SYNOPSIS
 .Nm otp
 .Op Fl dhlor
 .Op Fl f Ar algorithm
 .Op Fl u Ar user
 .Ar sequence-number
 .Ar seed
 .Sh DESCRIPTION
 The
 .Nm
 program initializes and updates your current series of one-time
 passwords (OTPs).
 .Pp
 Use this to set a new series of one-time passwords.  Only perform this
 on the console or over an encrypted link as you will have to supply
 your pass-phrase.  The other two parameters are
 .Ar sequence-number
 and
 .Ar seed .
 .Pp
 Options are:
 .Bl -tag -width Ds
 .It Fl d
 To delete a one-time password.
 .It Fl f
 Choose a different
 .Ar algorithm
 from the default md5.  Pick any of: md4, md5, and sha.
 .It Fl h
 For getting a help message.
 .It Fl l
 List the current table of one-time passwords.
 .It Fl o
 To open (unlock) the otp-entry for a user.
 .It Fl r
 To renew a one-time password series.  This operation can be performed
 over an potentially eavesdropped link because you do not supply the
 pass-phrase.  First you need to supply the current one-time password
 and then the new one corresponding to the supplied
 .Ar sequence-number
 and
 .Ar seed .
 .It Fl u
 To choose a different
 .Ar user
 to set one-time passwords for.  This only works when running
 .Nm
 as root.
 .El
 .Sh SEE ALSO
 .Xr otpprint 1
--- a/appl/otp/otp.c
+++ b/appl/otp/otp.c
@@ -1,371 +0,0 @@
 /*
 * Copyright (c) 1995-1997, 1999 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #include "otp_locl.h"
 #include <getarg.h>
 RCSID("$Id$");
 static int listp;
 static int deletep;
 static int openp;
 static int renewp;
 static char* alg_string;
 static char *user;
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
    { "list", 'l', arg_flag, &listp, "list OTP status", NULL },
    { "delete", 'd', arg_flag, &deletep, "delete OTP", NULL },
    { "open", 'o', arg_flag, &openp, "open a locked OTP", NULL },
    { "renew", 'r', arg_flag, &renewp, "securely renew OTP", NULL },
    { "hash", 'f', arg_string, &alg_string,
      "hash algorithm (md4, md5, or sha)", "algorithm"},
    { "user", 'u', arg_string, &user,
      "user other than current user (root only)", "user" },
    { "version", 0, arg_flag, &version_flag, NULL, NULL },
    { "help", 'h', arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 static void
 usage(int code)
 {
    arg_printusage(args, num_args, NULL, "[num seed]");
    exit(code);
 }
 /*
 * Renew the OTP for a user.
 * The pass-phrase is not required (RFC 1938/8.0)
 */
 static int
 renew (int argc, char **argv, OtpAlgorithm *alg, char *inuser)
 {
    OtpContext newctx, *ctx;
    char prompt[128];
    char pw[64];
    void *dbm;
    int ret;
    newctx.alg = alg;
    newctx.user = inuser;
    newctx.n = atoi (argv[0]);
    strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
    strlwr(newctx.seed);
    snprintf (prompt, sizeof(prompt),
 	      "[ otp-%s %u %s ]",
 	      newctx.alg->name,
 	      newctx.n,
 	      newctx.seed);
    if (UI_UTIL_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 &&
 	otp_parse (newctx.key, pw, alg) == 0) {
 	ctx = &newctx;
 	ret = 0;
    } else
 	return 1;
    dbm = otp_db_open ();
    if (dbm == NULL) {
 	warnx ("otp_db_open failed");
 	return 1;
    }
    otp_put (dbm, ctx);
    otp_db_close (dbm);
    return ret;
 }
 /*
 * Return 0 if the user could enter the next OTP.
 * I would rather have returned !=0 but it's shell-like here around.
 */
 static int
 verify_user_otp(char *username)
 {
    OtpContext ctx;
    char passwd[OTP_MAX_PASSPHRASE + 1];
    char ss[256];
    char *prompt = NULL;
    if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) {
 	warnx("no otp challenge found for %s", username);
 	return 1;
    }
    if (asprintf(&prompt, "%s's %s Password: ", username, ss) == -1 ||
        prompt == NULL)
        err(1, "out of memory");
    if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)) {
        free(prompt);
 	return 1;
    }
    free(prompt);
    return otp_verify_user (&ctx, passwd);
 }
 /*
 * Set the OTP for a user
 */
 static int
 set (int argc, char **argv, OtpAlgorithm *alg, char *inuser)
 {
    void *db;
    OtpContext ctx;
    char pw[OTP_MAX_PASSPHRASE + 1];
    int ret;
    int i;
    ctx.alg = alg;
    ctx.user = strdup (inuser);
    if (ctx.user == NULL)
 	err (1, "out of memory");
    ctx.n = atoi (argv[0]);
    strlcpy (ctx.seed, argv[1], sizeof(ctx.seed));
    strlwr(ctx.seed);
    do {
 	if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ",
 	    UI_UTIL_FLAG_VERIFY))
 	    return 1;
 	if (strlen (pw) < OTP_MIN_PASSPHRASE)
 	    printf ("Too short pass-phrase.  Use at least %d characters\n",
 		    OTP_MIN_PASSPHRASE);
    } while(strlen(pw) < OTP_MIN_PASSPHRASE);
    ctx.alg->init (ctx.key, pw, ctx.seed);
    for (i = 0; i < ctx.n; ++i)
 	ctx.alg->next (ctx.key);
    db = otp_db_open ();
    if(db == NULL) {
 	free (ctx.user);
 	err (1, "otp_db_open failed");
    }
    ret = otp_put (db, &ctx);
    otp_db_close (db);
    free (ctx.user);
    return ret;
 }
 /*
 * Delete otp of user from the database
 */
 static int
 delete_otp (int argc, char **argv, char *inuser)
 {
    void *db;
    OtpContext ctx;
    int ret;
    db = otp_db_open ();
    if(db == NULL)
 	errx (1, "otp_db_open failed");
    ctx.user = inuser;
    ret = otp_delete(db, &ctx);
    otp_db_close (db);
    return ret;
 }
 /*
 * Tell whether the user has an otp
 */
 static int
 has_an_otp(char *inuser)
 {
    void *db;
    OtpContext ctx;
    int ret;
    db = otp_db_open ();
    if(db == NULL) {
 	warnx ("otp_db_open failed");
 	return 0; /* if no db no otp! */
    }
    ctx.user = inuser;
    ret = otp_simple_get(db, &ctx);
    otp_db_close (db);
    return !ret;
 }
 /*
 * Get and print out the otp entry for some user
 */
 static void
 print_otp_entry_for_name (void *db, char *inuser)
 {
    OtpContext ctx;
    ctx.user = inuser;
    if (!otp_simple_get(db, &ctx)) {
 	fprintf(stdout,
 		"%s\totp-%s %d %s",
 		ctx.user, ctx.alg->name, ctx.n, ctx.seed);
 	if (ctx.lock_time)
 	    fprintf(stdout,
 		    "\tlocked since %s",
 		    ctime(&ctx.lock_time));
 	else
 	    fprintf(stdout, "\n");
    }
 }
 static int
 open_otp (int argc, char **argv, char *inuser)
 {
    void *db;
    OtpContext ctx;
    int ret;
    db = otp_db_open ();
    if (db == NULL)
 	errx (1, "otp_db_open failed");
    ctx.user = inuser;
    ret = otp_simple_get (db, &ctx);
    if (ret == 0)
 	ret = otp_put (db, &ctx);
    otp_db_close (db);
    return ret;
 }
 /*
 * Print otp entries for one or all users
 */
 static int
 list_otps (int argc, char **argv, char *inuser)
 {
    void *db;
    struct passwd *pw;
    db = otp_db_open ();
    if(db == NULL)
 	errx (1, "otp_db_open failed");
    if (inuser)
 	print_otp_entry_for_name(db, inuser);
    else
 	/* scans all users... so as to get a deterministic order */
 	while ((pw = getpwent()))
 	    print_otp_entry_for_name(db, pw->pw_name);
    otp_db_close (db);
    return 0;
 }
 int
 main (int argc, char **argv)
 {
    int defaultp = 0;
    int uid = getuid();
    OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
    int optidx = 0;
    char userbuf[128];
    setprogname (argv[0]);
    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
    if(help_flag)
 	usage(0);
    if(version_flag) {
 	print_version(NULL);
 	exit(0);
    }
    if(deletep && uid != 0)
 	errx (1, "Only root can delete OTPs");
    if(alg_string) {
 	alg = otp_find_alg (alg_string);
 	if (alg == NULL)
 	    errx (1, "Unknown algorithm: %s", alg_string);
    }
    if (user && uid != 0)
 	errx (1, "Only root can use `-u'");
    argc -= optidx;
    argv += optidx;
    if (!(listp || deletep || renewp || openp))
 	defaultp = 1;
    if ( listp + deletep + renewp + defaultp + openp != 1)
 	usage(1); /* one of -d or -l or -r or none */
    if(deletep || openp || listp) {
 	if(argc != 0)
 	    errx(1, "delete, open, and list requires no arguments");
    } else {
 	if(argc != 2)
 	    errx(1, "setup, and renew requires `num', and `seed'");
    }
    if (listp)
 	return list_otps (argc, argv, user);
    if (user == NULL) {
        user = roken_get_username(userbuf, sizeof(userbuf));
        if (user == NULL)
 	    err (1, "You don't exist");
    }
    /*
     * users other that root must provide the next OTP to update the sequence.
     * it avoids someone to use a pending session to change an OTP sequence.
     * see RFC 1938/8.0.
     */
    if (uid != 0 && (defaultp || renewp)) {
 	if (!has_an_otp(user)) {
 	    errx (1, "Only root can set an initial OTP");
 	} else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */
 	    if (verify_user_otp(user) != 0) {
 		errx (1, "User authentication failed");
 	    }
 	}
    }
    if (deletep)
 	return delete_otp (argc, argv, user);
    else if (renewp)
 	return renew (argc, argv, alg, user);
    else if (openp)
 	return open_otp (argc, argv, user);
    else
 	return set (argc, argv, alg, user);
 }
--- a/appl/otp/otp_locl.h
+++ b/appl/otp/otp_locl.h
@@ -1,56 +0,0 @@
 /*
 * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 /* $Id$ */
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
 #ifdef HAVE_PWD_H
 #include <pwd.h>
 #endif
 #include <roken.h>
 #include <err.h>
 #include "crypto-headers.h" /* for des_read_pw_string */
 #include <otp.h>
--- a/appl/otp/otpprint.1
+++ b/appl/otp/otpprint.1
@@ -1,82 +0,0 @@
 .\" Copyright (c) 1996, 2000 - 2001 Kungliga Tekniska Högskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden).
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\"
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\"
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
 .\" 3. Neither the name of the Institute nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
 .Dd November 17, 1996
 .Dt OTP 1
 .Os KTH-KRB
 .Sh NAME
 .Nm otpprint
 .Nd print lists of one-time passwords
 .Sh SYNOPSIS
 .Nm otp
 .Op Fl n Ar count
 .Op Fl e
 .Op Fl h
 .Op Fl f Ar algorithm
 .Ar sequence-number
 .Ar seed
 .Sh DESCRIPTION
 The
 .Nm
 program prints lists of OTPs.
 .Pp
 Use this to print out a series of one-time passwords.  You will have
 to supply the
 .Ar sequence number
 and the
 .Ar seed
 as arguments and then the program will prompt you for your pass-phrase.
 .Pp
 There are several different print formats.  The default is to print
 each password with six short english words.
 .Pp
 Options are:
 .Bl -tag -width Ds
 .It Fl e
 Print the passwords in ``extended'' format.  In this format a prefix
 that says ``hex:'' or ``word:'' is included.
 .It Fl f
 To choose a different
 .Ar algorithm
 from the default md5.  Pick any of: md4, md5, and sha.
 .It Fl h
 Print the passwords in hex.
 .It Fl n
 Print
 .Ar count
 one-time passwords, starting at
 .Ar sequence-number
 and going backwards. The default is 10.
 .El
 .Sh SEE ALSO
 .Xr otp 1
--- a/appl/otp/otpprint.c
+++ b/appl/otp/otpprint.c
@@ -1,136 +0,0 @@
 /*
 * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #include "otp_locl.h"
 #include <getarg.h>
 RCSID("$Id$");
 static int extendedp;
 static int count = 10;
 static int hexp;
 static char* alg_string;
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
    { "extended", 'e', arg_flag, &extendedp, "print keys in extended format",
      NULL },
    { "count", 'n', arg_integer, &count, "number of keys to print", NULL },
    { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal", NULL },
    { "hash", 'f', arg_string, &alg_string,
      "hash algorithm (md4, md5, or sha)", "algorithm"},
    { "version", 0, arg_flag, &version_flag, NULL, NULL },
    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 static void
 usage(int code)
 {
    arg_printusage(args, num_args, NULL, "num seed");
    exit(code);
 }
 static int
 print (int argc,
       char **argv,
       int incount,
       OtpAlgorithm *alg,
       void (*print_fn)(OtpKey, char *, size_t))
 {
  char pw[64];
  OtpKey key;
  int n;
  int i;
  char *seed;
  if (argc != 2)
      usage (1);
  n = atoi(argv[0]);
  seed = argv[1];
  if (UI_UTIL_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0))
    return 1;
  alg->init (key, pw, seed);
  for (i = 0; i < n; ++i) {
    char s[64];
    alg->next (key);
    if (i >= n - incount) {
      (*print_fn)(key, s, sizeof(s));
      printf ("%d: %s\n", i + 1, s);
    }
  }
  return 0;
 }
 int
 main (int argc, char **argv)
 {
    int optidx = 0;
    void (*fn)(OtpKey, char *, size_t);
    OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
    setprogname (argv[0]);
    if(getarg(args, num_args, argc, argv, &optidx))
 	usage(1);
    if(help_flag)
 	usage(0);
    if(version_flag) {
 	print_version(NULL);
 	exit(0);
    }
    if(alg_string) {
 	alg = otp_find_alg (alg_string);
 	if (alg == NULL)
 	    errx(1, "Unknown algorithm: %s", alg_string);
    }
    argc -= optidx;
    argv += optidx;
    if (hexp) {
 	if (extendedp)
 	    fn = otp_print_hex_extended;
 	else
 	    fn = otp_print_hex;
    } else {
 	if (extendedp)
 	    fn = otp_print_stddict_extended;
 	else
 	    fn = otp_print_stddict;
    }
    return print (argc, argv, count, alg, fn);
 }
--- a/appl/test/Makefile.am
+++ b/appl/test/Makefile.am
@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
 WFLAGS += $(WFLAGS_LITE)
 AUTOMAKE_OPTIONS = subdir-objects
 noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
 	uu_server uu_client nt_gss_server nt_gss_client http_client \
 	kinit_auditdns
@@ -52,14 +54,11 @@ kinit_auditdns_LDADD = \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(top_builddir)/lib/gssapi/libgssapi.la \
 	$(top_builddir)/lib/gss_preauth/libgss_preauth.la \
 	$(top_builddir)/lib/ntlm/libheimntlm.la \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_libintl) \
 	$(LIB_roken)
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken)
--- a/appl/test/common.c
+++ b/appl/test/common.c
@@ -36,10 +36,10 @@
 static int help_flag;
 static int version_flag;
 static char *port_str;
-char *keytab_str;
+const char *keytab_str;
 krb5_keytab keytab;
-char *service = SERVICE;
+const char *service = SERVICE;
-char *mech = "krb5";
+const char *mech = "krb5";
 int fork_flag;
 char *password = NULL;
--- a/appl/test/gssapi_client.c
+++ b/appl/test/gssapi_client.c
@@ -50,7 +50,7 @@ do_trans (int sock, gss_ctx_id_t context_hdl)
    /* get_mic */
    input_token->length = 3;
-    input_token->value  = strdup("hej");
+    input_token->value  = rk_UNCONST("hej");
    maj_stat = gss_get_mic(&min_stat,
 			   context_hdl,
@@ -84,7 +84,7 @@ do_trans (int sock, gss_ctx_id_t context_hdl)
    /* wrap */
    input_token->length = 7;
-    input_token->value  = "hemligt";
+    input_token->value  = rk_UNCONST("hemligt");
    maj_stat = gss_wrap (&min_stat,
 			 context_hdl,
--- a/appl/test/gssapi_server.c
+++ b/appl/test/gssapi_server.c
@@ -149,7 +149,8 @@ process_it(int sock,
    gss_release_buffer (&min_stat, input_token);
    gss_release_buffer (&min_stat, output_token);
-    input_token->value = "hejhej";
+    /* used read-only by gss_wrap */
    input_token->value = rk_UNCONST("hejhej");
    input_token->length = 6;
    maj_stat = gss_wrap (&min_stat,
@@ -190,7 +191,8 @@ proto (int sock, const char *service)
    u_char init_buf[4];
    u_char acct_buf[4];
    gss_OID mech_oid;
-    char *mech, *p;
+    const char *mech;
    char *p;
    memset(&remote, 0, sizeof(remote));
    local = remote;
--- a/appl/test/http_client.c
+++ b/appl/test/http_client.c
@@ -85,13 +85,13 @@ fdprintf(int s, const char *fmt, ...)
    size_t len;
    ssize_t ret;
    va_list ap;
-    char *str, *buf;
+    char *str = NULL, *buf;
    va_start(ap, fmt);
-    vasprintf(&str, fmt, ap);
+    ret = vasprintf(&str, fmt, ap);
    va_end(ap);
-    if (str == NULL)
+    if (ret == -1 || str == NULL)
 	errx(1, "vasprintf");
    buf = str;
@@ -113,8 +113,8 @@ static int version_flag;
 static int verbose_flag;
 static int mutual_flag = 1;
 static int delegate_flag;
-static char *port_str = "http";
+static const char *port_str = "http";
-static char *gss_service = "HTTP";
+static const char *gss_service = "HTTP";
 static struct getargs http_args[] = {
    { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", NULL },
@@ -372,8 +372,11 @@ main(int argc, char **argv)
 		    printf("Negotiate found\n");
 		if (server == GSS_C_NO_NAME) {
-		    char *name;
+		    char *name = NULL;
-		    asprintf(&name, "%s@%s", gss_service, host);
+
 		    if (asprintf(&name, "%s@%s", gss_service, host) == -1 ||
                        name == NULL)
                        err(1, "asprintf");
 		    input_token.length = strlen(name);
 		    input_token.value = name;
@@ -483,8 +486,11 @@ main(int argc, char **argv)
 				     output_token.length,
 				     &neg_token);
-		    asprintf(&headers[num_headers++], "Authorization: Negotiate %s",
+		    if (asprintf(&headers[num_headers],
-			     neg_token);
+                                 "Authorization: Negotiate %s", neg_token) == -1 ||
                        headers[num_headers] == NULL)
                        err(1, "asprintf");
                    num_headers++;
 		    free(neg_token);
 		    gss_release_buffer(&min_stat, &output_token);
--- a/appl/test/nt_gss_client.c
+++ b/appl/test/nt_gss_client.c
@@ -140,7 +140,8 @@ proto (int sock, const char *hostname, const char *service)
    /* wrap */
    input_token->length = 7;
-    input_token->value  = "hemligt";
+    /* used read-only by gss_wrap */
    input_token->value  = rk_UNCONST("hemligt");
    maj_stat = gss_wrap (&min_stat,
--- a/appl/test/nt_gss_server.c
+++ b/appl/test/nt_gss_server.c
@@ -50,8 +50,8 @@ RCSID("$Id$");
 static int help_flag;
 static int version_flag;
 static char *port_str;
-char *service = SERVICE;
+const char *service = SERVICE;
-static char *auth_file;
+static const char *auth_file;
 static struct getargs args[] = {
    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
--- a/appl/test/tcp_client.c
+++ b/appl/test/tcp_client.c
@@ -80,7 +80,8 @@ proto (int sock, const char *hostname, const char *service)
    if (status)
 	krb5_err (context, 1, status, "krb5_sendauth");
-    data.data   = "hej";
+    /* used read-only by krb5_mk_safe */
    data.data   = rk_UNCONST("hej");
    data.length = 3;
    krb5_data_zero (&packet);
@@ -101,7 +102,7 @@ proto (int sock, const char *hostname, const char *service)
    if (krb5_net_write (context, &sock, packet.data, len) != len)
 	err (1, "krb5_net_write");
-    data.data   = "hemligt";
+    data.data   = rk_UNCONST("hemligt");
    data.length = 7;
    krb5_data_free (&packet);
--- a/appl/test/test_locl.h
+++ b/appl/test/test_locl.h
@@ -78,9 +78,9 @@
 #define PORT "test"
-extern char *service;
+extern const char *service;
-extern char *mech;
+extern const char *mech;
-extern char *keytab_str;
+extern const char *keytab_str;
 extern krb5_keytab keytab;
 extern int fork_flag;
 int server_setup(krb5_context*, int, char**);
--- a/appl/test/uu_client.c
+++ b/appl/test/uu_client.c
@@ -148,7 +148,8 @@ proto (int sock, const char *hostname, const char *service)
 	}
    }
-    data.data   = "hej";
+    /* used read-only by krb5_mk_safe */
    data.data   = rk_UNCONST("hej");
    data.length = 3;
    krb5_data_zero (&packet);
@@ -165,7 +166,8 @@ proto (int sock, const char *hostname, const char *service)
    if(status)
 	krb5_err(context, 1, status, "krb5_write_message");
-    data.data   = "hemligt";
+    /* used read-only by krb5_mk_priv */
    data.data   = rk_UNCONST("hemligt");
    data.length = 7;
    krb5_data_free (&packet);
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -1,85 +0,0 @@
 #
 # This file tells appveyor.com how to build Heimdal on Windows.
 # Appveyor is a continuous integration (CI) service for github and other
 # users, and is free for public repositories.
 #
 version: '1.0.{build}'
 image:
  - Visual Studio 2019
 install:
  # HACK -- pacman installation in Appveyor seems broken
  # Taken from https://github.com/johnkerl/miller/blob/master/appveyor.yml
  # (which is gone)
  #- ps: dir 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft SDKs\Windows' -Recurse
  - set "PATH=C:\msys64\usr\bin;%PATH%"
  - set "PATH=C:\%MSYS2_DIR%\%MSYSTEM%\bin;C:\%MSYS2_DIR%\usr\bin;%PATH%"
  - bash -lc "mkdir -p /var/lib/pacman/sync/"
  - bash -lc "pacman-key --init"
  - bash -lc "pacman-key --populate msys2"
  - bash -lc "curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-1~20211228-1-any.pkg.tar.zst"
  - bash -lc "curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-1~20211228-1-any.pkg.tar.zst.sig"
  - bash -lc "pacman --noconfirm -U --config <(echo) msys2-keyring-1~20211228-1-any.pkg.tar.zst"
  - bash -lc "mkdir -p /var/lib/pacman/sync/"
  - bash -lc "pacman-key --init"
  - bash -lc "pacman-key --populate msys2"
  - bash -lc "pacman -S --noconfirm --refresh pacman"
  - bash -lc "pacman -S --needed --noconfirm pacman-mirrors"
  - bash -lc "pacman -S --needed --noconfirm mingw-w64-x86_64-toolchain autoconf automake libtool make patch mingw-w64-x86_64-libtool"
  - bash -lc "pacman -S --needed --noconfirm bison flex"
  - bash -lc "pacman -S --needed --noconfirm perl perl-JSON"
 build_script:
  # build using Windows 10 SDK
  - set "WINSDKVER=10.0.22000.0"
  - call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat" amd64 %WINSDKVER%
  - set "WIXDIR=c:\Program Files (x86)\Windows Installer XML v3.5"
  # We're not doing any codesigning in the Appveyor build yet.
  - SET "CODESIGN_PKT=0000000000000000"
  - set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop"
  - set "PATH=%PATH%;C:/msys64/usr/bin"
  - set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin"
  # double check this, should it be x86 or x64?
  - set "PATH=%PATH%;%WindowsSdkVerBinPath%\x86"
  - set "PATH=C:\Python310-x64;%PATH%"
  - set dbg__type=Debug
  - title Heimdal Build %CPU% %dbg__type%
  - echo PATH=%PATH%
  # target Windows 10 API
  - set APPVER=10.0
  # Newer texinfo has no .exe's, so we have to invoke it as
  # "perl ...\makeinfo ...".  See doc/NTMakefile.
  - nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1
  - 7z a heimdal.zip C:\projects\heimdal
 test_script:
  # Packages are not validated in the Appveyor build, FYI.
  - nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test
 artifacts:
  - path: heimdal-out.zip
    name: heimdal-out
  - path: heimdal.zip
    name: heimdal
 on_failure:
  - 7z a heimdal-out.zip C:\projects\heimdal
  - appveyor PushArtifact heimdal-out.zip
 # To get RDP access to an appveyor worker for debugging a build, just
 # uncomment these next two lines and the last two lines too.
 #init:
 #  - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
 # Uncomment this to allow the RDP session to continue after the build
 # finishes.
 #
 # There's a delete-me file on the desktop that one should delete when
 # one is done with the worker.  RDP sessions are capped at 60 minutes as
 # of this writing.
 #
 #on_finish:
 #  - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
--- a/cf/Makefile.am.common
+++ b/cf/Makefile.am.common
@@ -4,7 +4,7 @@ SUFFIXES = .et .h .pc.in .pc
 DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken)
+AM_CPPFLAGS = $(INCLUDES_roken) $(INCLUDE_openssl_crypto)
 if do_roken_rename
 ROKEN_RENAME = -DROKEN_RENAME
@@ -269,6 +269,11 @@ check-valgrind:
 	tsrcdir=`cd $(top_srcdir) && pwd` ; \
 	env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-valgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
 check-helgrind:
 	tobjdir=`cd $(top_builddir) && pwd` ; \
 	tsrcdir=`cd $(top_srcdir) && pwd` ; \
 	env TESTS_ENVIRONMENT="$${tsrcdir}/cf/maybe-helgrind.sh -s $${tsrcdir} -o $${tobjdir}" make check
 #
 # Target to please samba build farm, builds distfiles in-tree.
 # Will break when automake changes...
--- a/cf/crypto.m4
+++ b/cf/crypto.m4
@@ -6,11 +6,13 @@ dnl - own-built libhcrypto
 m4_define([test_headers], [
 		#undef KRB5 /* makes md4.h et al unhappy */
 		#ifdef HAVE_HCRYPTO_W_OPENSSL
 		#ifdef HAVE_SYS_TYPES_H
 		#include <sys/types.h>
 		#endif
 		#include <openssl/evp.h>
 		#include <openssl/provider.h>
 		#include <openssl/encoder.h>
 		#include <openssl/core_names.h>
 		#include <openssl/bn.h>
 		#include <openssl/md4.h>
 		#include <openssl/md5.h>
@@ -27,18 +29,6 @@ m4_define([test_headers], [
 		#include <openssl/rand.h>
 		#include <openssl/hmac.h>
 		#include <openssl/pkcs12.h>
 		#else
 		#include <hcrypto/evp.h>
 		#include <hcrypto/md4.h>
 		#include <hcrypto/md5.h>
 		#include <hcrypto/sha.h>
 		#include <hcrypto/des.h>
 		#include <hcrypto/rc4.h>
 		#include <hcrypto/aes.h>
 		#include <hcrypto/engine.h>
 		#include <hcrypto/hmac.h>
 		#include <hcrypto/pkcs12.h>
 		#endif
 		])
 m4_define([test_body], [
 		void *schedule = 0;
@@ -54,9 +44,7 @@ m4_define([test_body], [
 		EVP_CIPHER_iv_length(((EVP_CIPHER*)0));
 		UI_UTIL_read_pw_string(0,0,0,0);
 		RAND_status();
 		#ifdef HAVE_HCRYPTO_W_OPENSSL
 		EC_KEY_new();
 		#endif
 		OpenSSL_add_all_algorithms();
 		AES_encrypt(0,0,0);
@@ -65,25 +53,19 @@ m4_define([test_body], [
 AC_DEFUN([KRB_CRYPTO],[
 AC_ARG_WITH([hcrypto-default-backend],
-            AS_HELP_STRING([--with-hcrypto-default-backend=cc|pkcs11_hcrypto|ossl|w32crypto|hcrypto],
+            AS_HELP_STRING([--with-hcrypto-default-backend=ossl],
                           [specify the default hcrypto backend]),
            [
-            CFLAGS="${CFLAGS} -DHCRYPTO_DEF_PROVIDER=${withval}"
+                if test "$with_val" != ossl -a "$withval" != ""; then
-            case "$withval" in
+                    AC_MSG_ERROR([hcrypto has been removed 0])
-            cc) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [cc], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
+                fi
-            pkcs11_hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [pkcs11_hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
+            ]
-            ossl) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [ossl], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
+            )
            w32crypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [w32crypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
            hcrypto) AC_DEFINE(HCRYPTO_DEF_PROVIDER, [hcrypto], [Define to one of cc, pkcs11, ossl, w32crypto, or hcrypto to set a default hcrypto provider]);;
            *) echo "Invalid hcrypto provider name ($withval)"; exit 5;;
            esac
            ],
            [])
 AC_ARG_WITH([hcrypto-fallback],
            AS_HELP_STRING([--without-hcrypto-fallback],
                           [disable fallback on hcrypto for unavailable algorithms]),
-            [AC_DEFINE([HCRYPTO_FALLBACK],0,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])],
+            [AC_MSG_ERROR([hcrypto has been removed 2])]
-            [AC_DEFINE([HCRYPTO_FALLBACK],1,[Set to 1 to allow fallback to hcrypto for unavailable algorithms])])
+            )
 AC_WITH_ALL([openssl])
 AC_MSG_CHECKING([for crypto library])
@@ -105,10 +87,40 @@ if test "$with_openssl" != "no"; then
 	fi
 	if test "$with_openssl_lib" != ""; then
 		LIB_openssl_crypto="-L${with_openssl_lib}"
-        elif test "${with_openssl}" != "/usr" -a -d "${with_openssl}/lib"; then
+		openssl_libdir="${with_openssl_lib}"
-                LIB_openssl_crypto="-L${with_openssl}/lib"
+	elif test "${with_openssl}" != "/usr"; then
 		dnl Detect lib vs lib64: prefer lib64 on 64-bit Linux if it exists
 		dnl and contains libcrypto, otherwise fall back to lib
 		openssl_libdir=""
 		if test -f "${with_openssl}/lib64/libcrypto.so" -o \
 		        -f "${with_openssl}/lib64/libcrypto.dylib"; then
 			openssl_libdir="${with_openssl}/lib64"
 		elif test -f "${with_openssl}/lib/libcrypto.so" -o \
 		          -f "${with_openssl}/lib/libcrypto.dylib"; then
 			openssl_libdir="${with_openssl}/lib"
 		elif test -d "${with_openssl}/lib64"; then
 			openssl_libdir="${with_openssl}/lib64"
 		elif test -d "${with_openssl}/lib"; then
 			openssl_libdir="${with_openssl}/lib"
 		fi
-	CFLAGS="-DHAVE_HCRYPTO_W_OPENSSL ${INCLUDE_openssl_crypto} ${CFLAGS}"
+		if test -n "$openssl_libdir"; then
 			LIB_openssl_crypto="-L${openssl_libdir}"
 		fi
 	fi
 	dnl Add rpath for non-system OpenSSL installations
 	if test -n "$openssl_libdir" -a "$openssl_libdir" != "/usr/lib" -a "$openssl_libdir" != "/usr/lib64"; then
 		case "$host_os" in
 		darwin*)
 			dnl macOS uses -rpath with @loader_path or absolute path
 			LIB_openssl_crypto="${LIB_openssl_crypto} -Wl,-rpath,${openssl_libdir}"
 			;;
 		*)
 			dnl Linux and other ELF systems
 			LIB_openssl_crypto="${LIB_openssl_crypto} -Wl,-rpath,${openssl_libdir}"
 			;;
 		esac
 	fi
 	CFLAGS="${INCLUDE_openssl_crypto} ${CFLAGS}"
        LDFLAGS="${LIB_openssl_crypto} ${LDFLAGS}"
        AC_CHECK_LIB([crypto], [OPENSSL_init],
                     [LIB_openssl_crypto="${LIB_openssl_crypto} -lcrypto"; openssl=yes], [openssl=no], [])
@@ -150,13 +162,6 @@ if test "$with_openssl" != "no"; then
        LDFLAGS="${saved_LDFLAGS}"
 fi
 LIB_hcrypto='$(top_builddir)/lib/hcrypto/libhcrypto.la'
 LIB_hcrypto_a='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.a'
 LIB_hcrypto_so='$(top_builddir)/lib/hcrypto/.libs/libhcrypto.so'
 LIB_hcrypto_appl="-lhcrypto"
 AC_MSG_RESULT([included libhcrypto])
 AC_ARG_WITH(pkcs11-module,
                       AS_HELP_STRING([--with-pkcs11-module=path],
                                      [use PKCS11 module in path]),
@@ -168,15 +173,77 @@ if test "$pkcs11_module" != ""; then
  openssl=no
 fi
 dnl Check for OpenSSL PKCS#11 provider (pkcs11-provider project)
 dnl It installs into the OpenSSL modules directory
 openssl_pkcs11_provider=""
 if test "$openssl" = "yes"; then
-  AC_DEFINE([HAVE_HCRYPTO_W_OPENSSL], 1, [define to use openssl's libcrypto as the default backend for libhcrypto])
+    if test -n "$openssl_libdir"; then
        pkcs11_provider_path="${openssl_libdir}/ossl-modules/pkcs11.so"
    else
        pkcs11_provider_path="/usr/lib/ossl-modules/pkcs11.so"
    fi
    AC_MSG_CHECKING([for OpenSSL PKCS11 provider])
    if test -f "$pkcs11_provider_path"; then
        openssl_pkcs11_provider="$pkcs11_provider_path"
        AC_MSG_RESULT([$openssl_pkcs11_provider])
    else
        AC_MSG_RESULT([not found at $pkcs11_provider_path])
    fi
 fi
 AC_SUBST(OPENSSL_PKCS11_PROVIDER, [$openssl_pkcs11_provider])
 AM_CONDITIONAL([HAVE_OPENSSL_PKCS11_PROVIDER], [test "x$openssl_pkcs11_provider" != "x"])
 if test "$openssl" != "yes"; then
    AC_MSG_ERROR([OpenSSL is required])
 fi
 AM_CONDITIONAL(HAVE_HCRYPTO_W_OPENSSL, test "$openssl" = yes)dnl
 AC_SUBST(INCLUDE_openssl_crypto)
 AC_SUBST(LIB_openssl_crypto)
-AC_SUBST(LIB_hcrypto)
+
-AC_SUBST(LIB_hcrypto_a)
+dnl
-AC_SUBST(LIB_hcrypto_so)
+dnl Legacy/weak encryption type options
-AC_SUBST(LIB_hcrypto_appl)
+dnl
 dnl Single DES (weak crypto) - disabled by default for security
 AC_ARG_WITH([1des],
    AS_HELP_STRING([--with-1des], [enable single DES encryption (weak, for legacy compatibility)]),
    [with_1des=$withval],
    [with_1des=no])
 AC_MSG_CHECKING([whether to enable single DES encryption])
 if test "$with_1des" = "yes"; then
    AC_DEFINE([HEIM_WEAK_CRYPTO], 1, [Define to enable single DES encryption support])
    AC_MSG_RESULT([yes])
 else
    AC_MSG_RESULT([no])
 fi
 AM_CONDITIONAL([HEIM_WEAK_CRYPTO], [test "$with_1des" = "yes"])
 dnl Triple DES - enabled by default for legacy compatibility
 AC_ARG_WITH([3des],
    AS_HELP_STRING([--with-3des], [enable triple DES encryption (default: yes)]),
    [with_3des=$withval],
    [with_3des=yes])
 AC_MSG_CHECKING([whether to enable triple DES encryption])
 if test "$with_3des" = "yes"; then
    AC_DEFINE([HEIM_DES3], 1, [Define to enable triple DES encryption support])
    AC_MSG_RESULT([yes])
 else
    AC_MSG_RESULT([no])
 fi
 AM_CONDITIONAL([HEIM_DES3], [test "$with_3des" = "yes"])
 dnl ARCFOUR/RC4 - enabled by default (still used by some Windows systems)
 AC_ARG_WITH([arcfour],
    AS_HELP_STRING([--with-arcfour], [enable ARCFOUR/RC4 encryption (default: yes)]),
    [with_arcfour=$withval],
    [with_arcfour=yes])
 AC_MSG_CHECKING([whether to enable ARCFOUR encryption])
 if test "$with_arcfour" = "yes"; then
    AC_DEFINE([HEIM_ARCFOUR], 1, [Define to enable ARCFOUR/RC4 encryption support])
    AC_MSG_RESULT([yes])
 else
    AC_MSG_RESULT([no])
 fi
 AM_CONDITIONAL([HEIM_ARCFOUR], [test "$with_arcfour" = "yes"])
 ])
--- a/cf/largefile.m4
+++ b/cf/largefile.m4
@@ -7,10 +7,16 @@ AC_DEFUN([rk_SYS_LARGEFILE],[
 AC_REQUIRE([AC_SYS_LARGEFILE])dnl
 dnl need to set this on the command line, since it might otherwise break
 dnl with generated code, such as lex
-if test "$enable_largefile" != no -a "$ac_cv_sys_large_files" != no; then
+if test "$enable_largefile" != no; then
 	if test -n "$ac_cv_sys_large_files" && test "$ac_cv_sys_large_files" != no; then
 		CPPFLAGS="$CPPFLAGS -D_LARGE_FILES=$ac_cv_sys_large_files"
-fi
+	fi
-if test "$enable_largefile" != no -a "$ac_cv_sys_file_offset_bits" != no && test -n "$ac_cv_sys_file_offset_bits"; then
+	if test -n "$ac_cv_sys_file_offset_bits" && test "$ac_cv_sys_file_offset_bits" != no; then
 		CPPFLAGS="$CPPFLAGS -D_FILE_OFFSET_BITS=$ac_cv_sys_file_offset_bits"
 	fi
 	if test -n "$ac_cv_sys_largefile_opts"; then
 		AS_CASE([$ac_cv_sys_largefile_opts],[-D_FILE_OFFSET_BITS=*|-D_LARGE_FILES=*],
 			[CPPFLAGS="$CPPFLAGS $ac_cv_sys_largefile_opts"])
 	fi
 fi
 ])
--- a/cf/maybe-helgrind.sh
+++ b/cf/maybe-helgrind.sh
@@ -0,0 +1,73 @@
 #!/bin/sh
 #
 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
 # (Royal Institute of Technology, Stockholm, Sweden).
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 #
 # 1. Redistributions of source code must retain the above copyright
 #    notice, this list of conditions and the following disclaimer.
 #
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
 #
 # 3. Neither the name of the Institute nor the names of its contributors
 #    may be used to endorse or promote products derived from this software
 #    without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 # ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 while true
 do
  case $1 in
  -s) tsrcdir="$2"; shift 2;;
  -o) tobjdir="$2"; shift 2;;
  -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
  *) break;;
  esac
 done
 if [ X"${tobjdir}" = "X" -o X"${tsrcdir}" = X ] ; then
    echo "tobjdir or tsrcdir not defined"
    exit 1
 fi
 if [ ! -f "${tobjdir}/libtool" ]; then
    echo "libtool missing from \"${tobjdir}\""
    exit 1
 fi
 doit=1
 libtool="${tobjdir}/libtool --mode=execute"
 helgrind="valgrind --tool=helgrind --quiet -q --num-callers=30"
 # Add suppressions file if it exists
 if [ -f "${tsrcdir}/cf/helgrind-suppressions" ]; then
    helgrind="$helgrind --suppressions=${tsrcdir}/cf/helgrind-suppressions"
 fi
 if head -10 "$1" | grep 'Generated by ltmain.sh' > /dev/null ; then
    uselibtool=1
 elif head -10 "$1" | grep 'bin/sh' > /dev/null ; then
    libtool=
    helgrind=
 fi
 exec $libtool $helgrind "$@"
--- a/cf/maybe-valgrind.sh
+++ b/cf/maybe-valgrind.sh
@@ -56,7 +56,7 @@ doit=1
 libtool="${tobjdir}/libtool --mode=execute"
-valgrind="valgrind --leak-check=full --quiet -q --num-callers=30 --suppressions=${tsrcdir}/cf/valgrind-suppressions"
+valgrind="valgrind --leak-check=full --show-leak-kinds=definite --quiet -q --num-callers=30 --suppressions=${tsrcdir}/cf/valgrind-suppressions"
 if head -10 "$1" | grep 'Generated by ltmain.sh' > /dev/null ; then
    uselibtool=1
--- a/cf/otp.m4
+++ b/cf/otp.m4
@@ -3,25 +3,8 @@ dnl
 dnl check requirements for OTP library
 dnl
 AC_DEFUN([rk_OTP],[
 AC_REQUIRE([rk_DB])dnl
 AC_ARG_ENABLE(otp,
 	AS_HELP_STRING([--disable-otp],[if you don't want OTP support]))
-if test "$enable_otp" = yes -a "$db_type" = unknown; then
+	AC_MSG_ERROR([OTP has been removed],
-	AC_MSG_ERROR([OTP requires a NDBM/DB compatible library])
+	AC_MSG_ERROR([OTP has been removed])
 fi
 if test "$enable_otp" != no; then
 	if test "$db_type" != unknown; then
 		enable_otp=yes
 	else
 		enable_otp=no
 	fi
 fi
 if test "$enable_otp" = yes; then
 	AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.])
 	LIB_otp='$(top_builddir)/lib/otp/libotp.la'
 	AC_SUBST(LIB_otp)
 fi
 AC_MSG_CHECKING([whether to enable OTP library])
 AC_MSG_RESULT($enable_otp)
 AM_CONDITIONAL(OTP, test "$enable_otp" = yes)dnl
 ])
--- a/cf/resolv.m4
+++ b/cf/resolv.m4
@@ -73,13 +73,13 @@ AC_FIND_FUNC(res_ndestroy, resolv,
 ],
 [0])
-AC_FIND_FUNC_NO_LIBS(dns_search,,
+AC_FIND_FUNC(dns_search, resolv,
 [
 #ifdef HAVE_DNS_H
 #include <dns.h>
 #endif
 ],
-[0,0,0,0,0,0,0,0])
+[0])
 AC_FIND_FUNC(dn_expand, resolv,
--- a/cf/roken-frag.m4
+++ b/cf/roken-frag.m4
@@ -28,7 +28,7 @@ dnl C characteristics
 AC_REQUIRE([AC_C___ATTRIBUTE__])
 AC_REQUIRE([AC_C_INLINE])
 AC_REQUIRE([AC_C_CONST])
-rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow)
+rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs -Wshadow -Wdiscarded-qualifiers -Wcast-qual -Wimplicit-fallthrough -Wenum-compare -Wunused-but-set-variable -Wunused-const-variable -Wunused-result -Wold-style-definition -Wwrite-strings)
 dnl -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes
 dnl -Wcast-qual -Wswitch -Wformat=2 -Wwrite-strings
@@ -334,15 +334,16 @@ AC_BROKEN([					\
 	err					\
 	errx					\
 	fchown					\
 	flock					\
 	fnmatch					\
 	freehostent				\
 	getcwd					\
 	getdelim				\
 	getdtablesize				\
 	getegid					\
 	geteuid					\
 	getgid					\
 	gethostname				\
 	getline					\
 	getifaddrs				\
 	getipnodebyaddr				\
 	getipnodebyname				\
@@ -400,6 +401,10 @@ AC_BROKEN([					\
 rk_LIBOBJ(closefrom)
 dnl Check for flock() - we always provide rk_flock() but need to know if
 dnl the system has flock() for our fallback chain
 AC_CHECK_FUNCS([flock])
 AM_CONDITIONAL(have_fnmatch_h,
 	test "$ac_cv_header_fnmatch_h" = yes -a "$ac_cv_func_fnmatch" = yes)
--- a/cf/wflags.m4
+++ b/cf/wflags.m4
@@ -18,7 +18,26 @@ if test -z "$WFLAGS" -a "$GCC" = "yes"; then
  #   -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast
  #   -Wmissing-declarations -Wnested-externs
  #   -Wstrict-overflow=5
-  WFLAGS="ifelse($#, 0,-Wall, $1) $dwflags"
+
  # Check if this is Clang (which also sets GCC=yes for compatibility)
  if $CC --version 2>&1 | grep -qi clang; then
    rk_CLANG=yes
  else
    rk_CLANG=no
  fi
  wflags="ifelse($#, 0,-Wall, $1)"
  # Replace GCC-specific warning flags with Clang equivalents
  if test "$rk_CLANG" = yes; then
    # -Wimplicit-fallthrough removed: flex-generated code triggers it and can't be fixed
    wflags=`echo "$wflags" | sed -e 's/-Wdiscarded-qualifiers/-Wignored-qualifiers/g' \
                                  -e 's/ -Wunused-but-set-variable//g' \
                                  -e 's/ -Wunused-const-variable//g' \
                                  -e 's/ -Wimplicit-fallthrough//g'`
  fi
  WFLAGS="$wflags $dwflags"
  #
  # WFLAGS_LITE can be appended to WFLAGS to turn off a host of warnings
--- a/configure.ac
+++ b/configure.ac
@@ -130,7 +130,7 @@ AC_SUBST([SLC_DEP])
 dnl ---
-AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want support for weak crypto])
+dnl HEIM_WEAK_CRYPTO is now controlled by --with-1des in cf/crypto.m4
 rk_TEST_PACKAGE(openldap,
 [#include <lber.h>
@@ -230,44 +230,37 @@ AM_CONDITIONAL([HAVE_MICROHTTPD], [test "$with_microhttpd" != "no"])
 AC_SUBST([MICROHTTPD_CFLAGS])
 AC_SUBST([MICROHTTPD_LIBS])
 dnl libcjwt
 AC_ARG_WITH([cjwt],
  AC_HELP_STRING([--with-cjwt], [(Experimental) use cjwt to validate JWT tokens @<:@default=check@:>@]),
  [],
  [with_cjwt=check])
 if test "$with_cjwt" != "no"; then
  PKG_CHECK_MODULES([CJWT], [libcjwt >= 1.0.0],
 		    [with_cjwt=yes],[with_cjwt=no])
 fi
 if test "$with_cjwt" = "yes"; then
  AC_DEFINE_UNQUOTED([HAVE_CJWT], 1, [whether libcjwt is available for KDC REST API])
 fi
 AM_CONDITIONAL([HAVE_CJWT], [test "$with_cjwt" != "no"])
 AC_SUBST([CJWT_CFLAGS])
 AC_SUBST([CJWT_LIBS])
 dnl libcjson
 AC_ARG_WITH([cjson],
  AC_HELP_STRING([--with-cjson], [(Experimental) use cJSON to extract private claims from JWT tokens @<:@default=check@:>@]),
  [],
  [with_cjson=check])
 if test "$with_cjson" != "no"; then
  PKG_CHECK_MODULES([CJSON], [libcjson >= 1.0.0],
 		    [with_cjson=yes],[with_cjson=no])
 fi
 if test "$with_cjson" = "yes"; then
  AC_DEFINE_UNQUOTED([HAVE_CJSON], 1, [whether libcjson is available for KDC REST API])
 fi
 AM_CONDITIONAL([HAVE_CJSON], [test "$with_cjson" != "no"])
 AC_SUBST([CJSON_CFLAGS])
 AC_SUBST([CJSON_LIBS])
 dnl mitkrb5
 AC_ARG_WITH([mitkrb5],
-  AC_HELP_STRING([--with-mitkrb5], [Path to MIT Kerberos for interop testing @<:@default=check@:>@]),
+  AC_HELP_STRING([--with-mitkrb5=PATH], [Path to MIT Kerberos for interop testing]),
  [],
-  [with_mikrb5=check])
+  [with_mitkrb5=no])
-AM_CONDITIONAL([MITKRB5], [test "$with_mitkrb5" != "no"])
+MITKRB5=
 if test "$with_mitkrb5" != "no" && test "$with_mitkrb5" != "yes"; then
  if test -d "$with_mitkrb5"; then
    MITKRB5="$with_mitkrb5"
  else
    AC_MSG_WARN([MIT Kerberos directory $with_mitkrb5 does not exist])
  fi
 fi
 AC_SUBST(MITKRB5)
 AM_CONDITIONAL([MITKRB5], [test -n "$MITKRB5"])
 dnl older-heimdal (for interop testing)
 AC_ARG_WITH([older-heimdal],
  AC_HELP_STRING([--with-older-heimdal=PATH], [Path to older version of Heimdal for interop testing]),
  [],
  [with_older_heimdal=no])
 OLD_HEIMDAL=
 if test "$with_older_heimdal" != "no" && test "$with_older_heimdal" != "yes"; then
  if test -d "$with_older_heimdal"; then
    OLD_HEIMDAL="$with_older_heimdal"
  else
    AC_MSG_WARN([Older Heimdal directory $with_older_heimdal does not exist])
  fi
 fi
 AC_SUBST(OLD_HEIMDAL)
 AM_CONDITIONAL([OLD_HEIMDAL], [test -n "$OLD_HEIMDAL"])
 dnl Check for sqlite
 rk_TEST_PACKAGE(sqlite3,
@@ -342,8 +335,14 @@ AC_SUBST(dpagaix_ldadd)
 AC_SUBST(dpagaix_ldflags)
 AC_ARG_ENABLE([afs-support],
-	AS_HELP_STRING([--disable-afs-support],[if you don't want support for AFS]))
+	AS_HELP_STRING([--enable-afs-support],[enable support for AFS]),
-if test "$enable_afs_support" = no; then
+                       [enable_afs_support=yes],
                       [enable_afs_support=no])
 if test "$enable_afs_support" = yes; then
 	NO_AFS="0"
        AC_MSG_ERROR([AFS no longer supported])
 else
        # XXX This is pointless now, should be removed
 	AC_DEFINE(NO_AFS, 1, [Define if you don't wan't support for AFS.])
 	NO_AFS="1"
 fi
@@ -359,8 +358,6 @@ LIBADD_roken="$LIB_roken"
 AC_SUBST(LIBADD_roken)dnl
 LIB_roken="\$(top_builddir)/lib/vers/libvers.la $LIB_roken"
 rk_OTP
 rk_LIBDISPATCH
 AC_CHECK_OSFC2
@@ -550,16 +547,13 @@ dnl Deal with switch fallthrough warnings
 AH_TOP([
 #if defined(DISPATCH_FALLTHROUGH)
 # define HEIM_FALLTHROUGH DISPATCH_FALLTHROUGH
-#else
+#elif defined(__clang__)
-# if defined(__GNUC__)
+  /* Clang sets __GNUC__ to 4 for compat, but supports fallthrough attr */
 #  if __GNUC__ >= 7
 # define HEIM_FALLTHROUGH __attribute__((fallthrough))
-#  else
+#elif defined(__GNUC__) && __GNUC__ >= 7
 # define HEIM_FALLTHROUGH __attribute__((fallthrough))
 #else
 # define HEIM_FALLTHROUGH do {} while (0) /* fallthrough */
 #  endif
 # else
 #  define HEIM_FALLTHROUGH do {} while (0) /* fallthrough */
 # endif
 #endif
 ])
@@ -734,23 +728,18 @@ AC_CONFIG_FILES(Makefile 		\
 	etc/Makefile			\
 	include/Makefile		\
 	include/gssapi/Makefile		\
 	include/hcrypto/Makefile	\
 	include/kadm5/Makefile		\
 	lib/Makefile			\
 	lib/base/Makefile		\
 	lib/asn1/Makefile		\
 	lib/com_err/Makefile		\
 	lib/hcrypto/Makefile		\
 	lib/hx509/Makefile		\
 	lib/gssapi/Makefile		\
 	lib/ntlm/Makefile		\
 	lib/hdb/Makefile		\
 	lib/ipc/Makefile		\
 	lib/kadm5/Makefile		\
 	lib/kafs/Makefile		\
 	lib/kdfs/Makefile		\
 	lib/krb5/Makefile		\
 	lib/otp/Makefile		\
 	lib/roken/Makefile		\
 	lib/sl/Makefile			\
 	lib/sqlite/Makefile		\
@@ -765,10 +754,8 @@ AC_CONFIG_FILES(Makefile 		\
 	kcm/Makefile			\
 	kdc/Makefile			\
 	appl/Makefile			\
 	appl/afsutil/Makefile		\
 	appl/dbutils/Makefile		\
 	appl/gssmask/Makefile		\
 	appl/otp/Makefile		\
 	appl/test/Makefile		\
 	appl/kf/Makefile		\
 	appl/dceutils/Makefile		\
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -18,11 +18,6 @@ dxy_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
 	-e 's,[@]objdir[@],.,g' \
 	-e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g'
 hcrypto.dxy: hcrypto.din Makefile
 	$(dxy_subst) < $(srcdir)/hcrypto.din > hcrypto.dxy.tmp
 	chmod +x hcrypto.dxy.tmp
 	mv hcrypto.dxy.tmp hcrypto.dxy
 hdb.dxy: hdb.din Makefile
 	$(dxy_subst) < $(srcdir)/hdb.din > hdb.dxy.tmp
 	chmod +x hdb.dxy.tmp
@@ -48,11 +43,6 @@ krb5.dxy: krb5.din Makefile
 	chmod +x krb5.dxy.tmp
 	mv krb5.dxy.tmp krb5.dxy
 ntlm.dxy: ntlm.din Makefile
 	$(dxy_subst) < $(srcdir)/ntlm.din > ntlm.dxy.tmp
 	chmod +x ntlm.dxy.tmp
 	mv ntlm.dxy.tmp ntlm.dxy
 wind.dxy: wind.din Makefile
 	$(dxy_subst) < $(srcdir)/wind.din > wind.dxy.tmp
 	chmod +x wind.dxy.tmp
@@ -67,11 +57,9 @@ vars.texi: vars.tin Makefile
 	chmod +x vars.texi.tmp
 	mv vars.texi.tmp vars.texi
-PROJECTS = base hdb hx509 gssapi krb5 ntlm wind 
+PROJECTS = base hdb hx509 gssapi krb5 wind 
-PROJECTS += hcrypto
+doxyout doxygen: base.dxy hdb.dxy hx509.dxy gssapi.dxy krb5.dxy wind.dxy
 doxyout doxygen: base.dxy hdb.dxy hx509.dxy hcrypto.dxy gssapi.dxy krb5.dxy ntlm.dxy wind.dxy
 	@test -d $(srcdir)/doxyout && \
 	find $(srcdir)/doxyout -type d ! -perm -200 -exec chmod u+w {} ';' ; \
 	rm -rf $(srcdir)/doxyout ; \
@@ -137,13 +125,11 @@ EXTRA_DIST = \
 	footer.html \
 	gssapi.din \
 	hdb.din \
 	hcrypto.din \
 	header.html \
 	heimdal.css \
 	base.din \
 	hx509.din \
 	krb5.din \
 	ntlm.din \
 	init-creds \
 	latin1.tex \
 	layman.asc \
@@ -155,12 +141,10 @@ EXTRA_DIST = \
 	vars.tin
 CLEANFILES = \
 	hcrypto.dxy* \
 	base.dxy* \
 	hx509.dxy* \
 	hdb.dxy* \
 	gssapi.dxy* \
 	krb5.dxy* \
 	ntlm.dxy* \
 	wind.dxy* \
 	vars.texi*
--- a/doc/NTMakefile
+++ b/doc/NTMakefile
@@ -61,9 +61,7 @@ hx509_TEXINFOS = \
 MAKEINFOFLAGS = --css-include=$(SRCDIR)/heimdal.css
-!ifdef APPVEYOR
+# MAKEINFO = $(PERL) C:\msys64\usr\bin\makeinfo
 MAKEINFO = $(PERL) C:\msys64\usr\bin\makeinfo
 !endif
 ######################################################################
 # Build heimdal.chm
--- a/doc/ack.texi
+++ b/doc/ack.texi
@@ -2,17 +2,6 @@
@comment  node-name,  next,  previous,  up
@appendix Acknowledgments
 Eric Young wrote ``libdes''. Heimdal used to use libdes, without it
 kth-krb would never have existed. Since there are no longer any Eric
 Young code left in the library, we renamed it to libhcrypto.
 All functions in libhcrypto have been re-implemented or used available
 public domain code. The core AES function where written by Vincent
 Rijmen, Antoon Bosselaers and Paulo Barreto.  The core DES SBOX
 transformation was written by Richard Outerbridge. @code{imath} that
 is used for public key crypto support is written by Michael
 J. Fromberger.
 The University of California at Berkeley initially wrote @code{telnet},
 and @code{telnetd}.  The authentication and encryption code of
@code{telnet} and @code{telnetd} was added by David Borman (then of Cray
--- a/doc/copyright.texi
+++ b/doc/copyright.texi
@@ -16,6 +16,7 @@
@copyrightstart
@verbatim
 SPDX-License-Identifier: BSD-3-Clause
 Copyright (c) 1997-2011 Kungliga Tekniska Högskolan 
 (Royal Institute of Technology, Stockholm, Sweden).
@@ -58,6 +59,7 @@ SUCH DAMAGE.
 The parts of the libtelnet that handle Kerberos.
@verbatim
 SPDX-License-Identifier: HPND-export-US
 Copyright (C) 1990 by the Massachusetts Institute of Technology
@@ -86,6 +88,7 @@ The parts of the libroken, most of libtelnet, telnet, ftp,
 and popper.
@verbatim
 SPDX-License-Identifier: BSD-3-Clause
 Copyright (c) 1988, 1990, 1993
     The Regents of the University of California.  All rights reserved.
@@ -125,6 +128,7 @@ SUCH DAMAGE.
 libedit
@verbatim
 SPDX-License-Identifier: BSD-3-Clause
 Copyright (c) 1992, 1993
 The Regents of the University of California.  All rights reserved.
@@ -159,16 +163,6 @@ SUCH DAMAGE.
@end verbatim
@copynext
@heading TomsFastMath / LibTomMath
 Tom's fast math (bignum support) and LibTomMath
@verbatim
 LibTomMath is hereby released into the Public Domain.  
@end verbatim 
@copynext
@heading Doug Rabson
@@ -176,6 +170,7 @@ LibTomMath is hereby released into the Public Domain.
 GSS-API mechglue layer.
@verbatim
 SPDX-License-Identifier: BSD-2-Clause
 Copyright (c) 2005 Doug Rabson
 All rights reserved.
@@ -213,6 +208,7 @@ SUCH DAMAGE.
@end table
@verbatim
 SPDX-License-Identifier: BSD-3-Clause
 Copyright (c) 2003-2011, PADL Software Pty Ltd.
 Copyright (c) 2004, Andrew Bartlett.
@@ -250,70 +246,6 @@ SUCH DAMAGE.
@end verbatim
@copynext
@heading Marko Kreen
 Fortuna in libhcrypto
@verbatim
 Copyright (c) 2005 Marko Kreen
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
 THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED.	IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGE.
@end verbatim
@copynext
@heading NTT (Nippon Telegraph and Telephone Corporation)
 Camellia in libhcrypto
@verbatim
 Copyright (c) 2006,2007
 NTT (Nippon Telegraph and Telephone Corporation) . All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
  notice, this list of conditions and the following disclaimer as
  the first lines of this file unmodified.
 2. Redistributions in binary form must reproduce the above copyright
  notice, this list of conditions and the following disclaimer in the
  documentation and/or other materials provided with the distribution.
 THIS SOFTWARE IS PROVIDED BY NTT ``AS IS'' AND ANY EXPRESS OR
 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copynext
@heading The NetBSD Foundation, Inc.
@@ -321,6 +253,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 vis.c in libroken
@verbatim
 SPDX-License-Identifier: BSD-2-Clause
 Copyright (c) 1999, 2005 The NetBSD Foundation, Inc.
 All rights reserved.
@@ -349,37 +282,6 @@ POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copynext
@heading Vincent Rijmen, Antoon Bosselaers, Paulo Barreto
 AES in libhcrypto
@verbatim
 rijndael-alg-fst.c
@version 3.0 (December 2000)
 Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
 This code is hereby placed in the public domain.
 THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
 OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copynext
@heading Apple, Inc
@@ -387,6 +289,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 kdc/announce.c
@verbatim
 SPDX-License-Identifier: HPND-export2-US
 Copyright (c) 2008 Apple Inc.  All Rights Reserved.
@@ -410,30 +313,6 @@ THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@end verbatim
@copynext
@heading Richard Outerbridge
 DES core in libhcrypto
@verbatim
 D3DES (V5.09) - 
 A portable, public domain, version of the Data Encryption Standard.
 Written with Symantec's THINK (Lightspeed) C by Richard Outerbridge.
 Thanks to: Dan Hoey for his excellent Initial and Inverse permutation
 code;  Jim Gillogly & Phil Karn for the DES key schedule code; Dennis
 Ferguson, Eric Young and Dana How for comparing notes; and Ray Lau,
 for humouring me on. 
 Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge.
 (GEnie : OUTER; CIS : [71755,204]) Graven Imagery, 1992.
@end verbatim
@copynext
@@ -443,6 +322,7 @@ Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge.
 Windows support
@verbatim
 SPDX-License-Identifier: BSD-2-Clause
 Copyright (c) 2009-2015, Secure Endpoints Inc.
 All rights reserved.
@@ -476,44 +356,4 @@ OF THE POSSIBILITY OF SUCH DAMAGE.
@copynext
@heading Novell, Inc
 lib/hcrypto/test_dh.c
@verbatim
 Copyright (c) 2007, Novell, Inc.
 Author: Matthias Koenig <mkoenig@suse.de>
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 * Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.
 * Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.
 * Neither the name of the Novell nor the names of its contributors may be used
  to endorse or promote products derived from this software without specific
  prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
@end verbatim
@copyrightend
--- a/doc/hcrypto.din
+++ b/doc/hcrypto.din
@@ -1,16 +0,0 @@
 # Doxyfile 1.5.3
 PROJECT_NAME           = "Heimdal crypto library"
 PROJECT_NUMBER         = @PACKAGE_VERSION@
 OUTPUT_DIRECTORY       = @srcdir@/doxyout/hcrypto
 INPUT                  = @srcdir@/../lib/hcrypto
 EXAMPLE_PATH	       = @srcdir@/../lib/hcrypto
 WARN_IF_UNDOCUMENTED   = YES
 PERL_PATH              = /usr/bin/perl
 HTML_HEADER = "@srcdir@/header.html"
 HTML_FOOTER = "@srcdir@/footer.html"
@INCLUDE = "@srcdir@/doxytmpl.dxy"
--- a/doc/layman.asc
+++ b/doc/layman.asc
@@ -23,7 +23,8 @@ subset of OSI's Abstract Syntax Notation One (ASN.1), Basic
 Encoding Rules (BER), and Distinguished Encoding Rules
 (DER). The particular purpose of this note is to provide
 background material sufficient for understanding and
-implementing the PKCS family of standards.
+implementing the PKCS family of standards.  NOTE WELL: This
 document is full of errors and not to be used.
 1. Introduction
--- a/doc/ntlm.din
+++ b/doc/ntlm.din
@@ -1,16 +0,0 @@
 # Doxyfile 1.5.3
 PROJECT_NAME           = Heimdal ntlm library
 PROJECT_NUMBER         = @PACKAGE_VERSION@
 OUTPUT_DIRECTORY       = @srcdir@/doxyout/ntlm
 INPUT                  = @srcdir@/../lib/ntlm
 EXAMPLE_PATH	       = @srcdir@/../lib/ntlm
 WARN_IF_UNDOCUMENTED   = YES
 PERL_PATH              = /usr/bin/perl
 HTML_HEADER = "@srcdir@/header.html"
 HTML_FOOTER = "@srcdir@/footer.html"
@INCLUDE = "@srcdir@/doxytmpl.dxy"
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,27 @@
 {
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1742800061,
        "narHash": "sha256-oDJGK1UMArK52vcW9S5S2apeec4rbfNELgc50LqiPNs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "1750f3c1c89488e2ffdd47cab9d05454dddfb734",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,48 @@
 {
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  outputs = { self, nixpkgs }: let
    inherit (nixpkgs) lib;
    systems = [
      "x86_64-linux"
      "aarch64-linux"
    ];
    forAllSystems = f: lib.genAttrs systems (system: let
      pkgs = import nixpkgs {
        inherit system;
        overlays = [
          self.overlays.${system}.default
        ];
      };
    in f system pkgs);
  in {
    devShells = forAllSystems (system: pkgs: {
      default = pkgs.callPackage ./nix/shell.nix { };
    });
    packages = forAllSystems (system: pkgs: with pkgs; {
      default = self.packages.${system}.heimdal;
      heimdal = pkgs.callPackage ./nix/heimdal {
        src = lib.cleanSource ./.;
        inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
        autoreconfHook = pkgs.buildPackages.autoreconfHook269;
      };
      nixosTest = pkgs.testers.runNixOSTest (import ./nix/nixosTest.nix { inherit nixpkgs; });
    });
    overlays = forAllSystems (system: pkgs: {
      default = final: prev: {
        heimdal = self.packages.${system}.heimdal;
      };
    });
    nixosModules = {
      default = self.nixosModules.heimdal;
      heimdal = ./nix/module;
    };
  };
 }
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -2,7 +2,7 @@
 include $(top_srcdir)/Makefile.am.common
-SUBDIRS = kadm5 hcrypto gssapi
+SUBDIRS = kadm5 gssapi
 noinst_PROGRAMS = bits
 CHECK_LOCAL = no-check-local
@@ -69,8 +69,6 @@ CLEANFILES =			\
 	heimbase.h		\
 	heimbase-svc.h		\
 	heimbase-protos.h	\
 	heimntlm-protos.h	\
 	heimntlm.h		\
 	hex.h			\
 	hx509-private.h		\
 	hx509-protos.h		\
@@ -98,10 +96,8 @@ CLEANFILES =			\
 	kx509_err.h		\
 	locate_plugin.h		\
 	login-protos.h		\
 	ntlm_err.h		\
 	ocsp_asn1.h		\
 	ocsp_template_asn1.h	\
 	otp.h			\
 	parse_bytes.h		\
 	parse_time.h		\
 	parse_units.h		\
@@ -126,6 +122,7 @@ CLEANFILES =			\
 	send_to_kdc_plugin.h	\
 	sl.h			\
 	sqlite3.h		\
 	sqlite3_namespace.h	\
 	sqlite3ext.h		\
 	test-mem.h		\
 	vers.h			\
@@ -137,9 +134,7 @@ CLEANFILES =			\
 	kdc-audit.h		\
 	csr_authorizer_plugin.h	\
 	gss_preauth_authorizer_plugin.h	\
 	token_validator_plugin.h	\
 	xdbm.h			\
 	x25519_ref10.h		\
 	x690sample_asn1.h	\
 	x690sample_template_asn1.h
--- a/include/NTMakefile
+++ b/include/NTMakefile
@@ -31,7 +31,7 @@
 RELDIR=include
-SUBDIRS=kadm5 hcrypto gssapi
+SUBDIRS=kadm5 gssapi
 !include ../windows/NTMakefile.w32
 !include ../windows/NTMakefile.version
@@ -62,12 +62,13 @@ while(<>) {
    if ("$(KRB5)") { print "#define KRB5 1\n"; }
    if ("$(KRB4)") { print "#define KRB4 1\n"; }
    if ("$(WEAK_CRYPTO)") { print "#define HEIM_WEAK_CRYPTO 1\n"; }
-    if ("$(HCRYPTO_FALLBACK)") { print "#define HCRYPTO_FALLBACK 1\n"; } else { print "#define HCRYPTO_FALLBACK 0\n"; }
+    # Always enable 3DES and ARCFOUR for Windows builds (needed for interop)
    print "#define HEIM_DES3 1\n";
    print "#define HEIM_ARCFOUR 1\n";
    if ("$(PKINIT)") { print "#define PKINIT 1\n"; }
    if ("$(NO_AFS)") { print "#define NO_AFS 1\n"; }
    if ("$(OPENLDAP)") { print "#define OPENLDAP 1\n"; }
    if ("$(OPENLDAP_MODULE)") { print "#define OPENLDAP_MODULE 1\n"; }
    if ("$(OTP)") { print "#define OTP 1 \n"; }
    if ("$(AUTHENTICATION)") { print "#define AUTHENTICATION 1\n"; }
    if ("$(DIAGNOSTICS)") { print "#define DIAGNOSTICS 1\n"; }
    if ("$(ENCRYPTION)") { print "#define ENCRYPTION 1\n"; }
--- a/include/bits.c
+++ b/include/bits.c
@@ -139,6 +139,7 @@ int main(int argc, char **argv)
    int flag;
    char *p = NULL;
    const char *hb;
    char *freeme = NULL;
    if (argc > 1 && strcmp(argv[1], "--version") == 0) {
 	printf("some version");
@@ -149,13 +150,12 @@ int main(int argc, char **argv)
 	hb = "__BITS_H__";
 	f = stdout;
    } else {
-	p = malloc(strlen(argv[1]) + 5);
+	p = freeme = malloc(strlen(argv[1]) + 5);
 	sprintf(p, "__%s__", argv[1]);
 	hb = p;
-	for(; *p; p++){
+	for(; *p; p++)
 	    if(!isalnum((unsigned char)*p))
 		*p = '_';
 	}
 	f = fopen(argv[1], "w");
    }
    fprintf(f, "#ifndef %s\n", hb);
@@ -325,5 +325,6 @@ int main(int argc, char **argv)
    if (f != stdout)
 	fclose(f);
    free(freeme);
    return 0;
 }
--- a/include/config.h.w32
+++ b/include/config.h.w32
@@ -693,9 +693,6 @@ static const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
 /* Define to 1 if you have the `openpty' function. */
 /* #define HAVE_OPENPTY 1 */
 /* define to 1 to use openssl's libcrypto as a (default) backend for libhcrypto */
 /* #undef HAVE_HCRYPTO_W_OPENSSL */
 /* Define to enable basic OSF C2 support. */
 /* #undef HAVE_OSFC2 */
--- a/include/crypto-headers.h
+++ b/include/crypto-headers.h
@@ -9,17 +9,22 @@
 #include <krb5-types.h>
 #endif
-#include <hcrypto/evp.h>
+#include <openssl/evp.h>
-#include <hcrypto/des.h>
+#include <openssl/des.h>
-#include <hcrypto/md4.h>
+#include <openssl/md4.h>
-#include <hcrypto/md5.h>
+#include <openssl/md5.h>
-#include <hcrypto/sha.h>
+#include <openssl/sha.h>
-#include <hcrypto/rc4.h>
+#include <openssl/rc4.h>
-#include <hcrypto/rc2.h>
+#include <openssl/rc2.h>
-#include <hcrypto/ui.h>
+#include <openssl/ui.h>
-#include <hcrypto/rand.h>
+#include <openssl/rand.h>
-#include <hcrypto/engine.h>
+#include <openssl/engine.h>
-#include <hcrypto/pkcs12.h>
+#include <openssl/pkcs12.h>
-#include <hcrypto/hmac.h>
+#include <openssl/hmac.h>
 #include <openssl/provider.h>
 #include <openssl/encoder.h>
 #include <openssl/core_names.h>
 #include <openssl/param_build.h>
 #include <openssl/x509.h>
 #endif /* __crypto_header__ */
--- a/include/gssapi/Makefile.am
+++ b/include/gssapi/Makefile.am
@@ -2,6 +2,6 @@
 include $(top_srcdir)/Makefile.am.common
-CLEANFILES = gssapi.h gssapi_krb5.h gssapi_spnego.h gssapi_ntlm.h gssapi_oid.h
+CLEANFILES = gssapi.h gssapi_krb5.h gssapi_spnego.h gssapi_oid.h
 EXTRA_DIST = NTMakefile
--- a/include/hcrypto/Makefile.am
+++ b/include/hcrypto/Makefile.am
@@ -1,30 +0,0 @@
 # $Id$
 include $(top_srcdir)/Makefile.am.common
 CLEANFILES =		\
 	aes.h		\
 	bn.h		\
 	des.h		\
 	dh.h		\
 	dsa.h		\
 	ec.h		\
 	ecdsa.h		\
 	ecdh.h		\
 	engine.h	\
 	evp.h		\
 	evp-hcrypto.h	\
 	evp-cc.h	\
 	hmac.h		\
 	md4.h		\
 	md5.h		\
 	pkcs12.h	\
 	rand.h		\
 	rc2.h		\
 	rc4.h		\
 	rsa.h		\
 	sha.h		\
 	ui.h		\
 	undef.h
 EXTRA_DIST = NTMakefile
--- a/include/hcrypto/NTMakefile
+++ b/include/hcrypto/NTMakefile
@@ -1,34 +0,0 @@
 ########################################################################
 #
 # Copyright (c) 2009, Secure Endpoints Inc.
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 
 # - Redistributions of source code must retain the above copyright
 #   notice, this list of conditions and the following disclaimer.
 # 
 # - Redistributions in binary form must reproduce the above copyright
 #   notice, this list of conditions and the following disclaimer in
 #   the documentation and/or other materials provided with the
 #   distribution.
 # 
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 # 
 RELDIR=include\hcrypto
 !include ../../windows/NTMakefile.w32
--- a/include/heim_threads.h
+++ b/include/heim_threads.h
@@ -103,6 +103,7 @@ typedef unsigned long HEIM_PRIV_thread_key;
 #define HEIMDAL_THREAD_ID thr_t
 #define HEIMDAL_THREAD_create(t,f,a) thr_create((t), 0, (f), (a))
 #define HEIMDAL_THREAD_join(t,r) thr_join((t), 0, (r))
 #elif defined(ENABLE_PTHREAD_SUPPORT) && (!defined(__NetBSD__) || __NetBSD_Version__ >= 299001200)
@@ -142,9 +143,12 @@ typedef unsigned long HEIM_PRIV_thread_key;
 #define HEIMDAL_THREAD_ID pthread_t
 #define HEIMDAL_THREAD_create(t,f,a) pthread_create((t), 0, (f), (a))
 #define HEIMDAL_THREAD_join(t,r) pthread_join((t), (r))
 #elif defined(_WIN32)
 #define _Atomic
 typedef struct heim_mutex {
    HANDLE	h;
 } heim_mutex_t;
@@ -288,9 +292,44 @@ heim_rwlock_destroy(heim_rwlock_t *l)
 #define HEIMDAL_getspecific(k) (heim_w32_getspecific(k))
 #define HEIMDAL_key_delete(k) (heim_w32_delete_key(k))
-#define HEIMDAL_THREAD_ID DWORD
+typedef struct heim_thread {
-#define HEIMDAL_THREAD_create(t,f,a) \
+    HANDLE handle;
-    ((CreateThread(0, 0, (f), (a), 0, (t)) == INVALID_HANDLE_VALUE) ? EINVAL : 0)
+    DWORD id;
 } heim_thread_t;
 static inline int
 heim_thread_create(heim_thread_t *t, LPTHREAD_START_ROUTINE f, void *a)
 {
    t->handle = CreateThread(NULL, 0, f, a, 0, &t->id);
    if (t->handle == NULL || t->handle == INVALID_HANDLE_VALUE)
        return EINVAL;
    return 0;
 }
 static inline int
 heim_thread_join(heim_thread_t t, void **retval)
 {
    DWORD ret;
    DWORD exitcode;
    ret = WaitForSingleObject(t.handle, INFINITE);
    if (ret != WAIT_OBJECT_0) {
        CloseHandle(t.handle);
        return EINVAL;
    }
    if (retval) {
        if (GetExitCodeThread(t.handle, &exitcode))
            *retval = (void *)(uintptr_t)exitcode;
        else
            *retval = NULL;
    }
    CloseHandle(t.handle);
    return 0;
 }
 #define HEIMDAL_THREAD_ID heim_thread_t
 #define HEIMDAL_THREAD_create(t,f,a) heim_thread_create((t), (f), (a))
 #define HEIMDAL_THREAD_join(t,r) heim_thread_join((t), (r))
 #elif defined(HEIMDAL_DEBUG_THREADS)
@@ -318,6 +357,7 @@ heim_rwlock_destroy(heim_rwlock_t *l)
 #define HEIMDAL_THREAD_ID int
 #define HEIMDAL_THREAD_create(t,f,a) abort()
 #define HEIMDAL_THREAD_join(t,r) abort()
 #else /* no thread support, no debug case */
@@ -340,6 +380,7 @@ heim_rwlock_destroy(heim_rwlock_t *l)
 #define HEIMDAL_THREAD_ID int
 #define HEIMDAL_THREAD_create(t,f,a) abort()
 #define HEIMDAL_THREAD_join(t,r) abort()
 #define HEIMDAL_internal_thread_key 1
--- a/kadmin/FUZZING.md
+++ b/kadmin/FUZZING.md
@@ -0,0 +1,71 @@
 # Fuzzing kadmin
 Kadmind includes built-in fuzzing support via the `--fuzz-stdin` flag, which
 processes a single RPC message from stdin without requiring network setup or
 authentication.
 ## Running
 ### Standalone mode
 ```bash
 # Process a single corpus file
 ./kadmind --fuzz-stdin < fuzz/get_existing_test.bin
 # With a specific realm
 ./kadmind -r TEST.H5L.SE --fuzz-stdin < fuzz/create_new.bin
 ```
 ### With AFL++
 ```bash
 # Build with AFL instrumentation
 CC=afl-clang-fast CXX=afl-clang-fast++ \
  ../configure --enable-maintainer-mode --enable-developer
 make
 # Run fuzzer
 afl-fuzz -i kadmin/fuzz -o findings -- ./kadmind --fuzz-stdin
 ```
 ### With libFuzzer
 To use libFuzzer, create a harness that calls the internal fuzzing entry point:
 ```c
 #include <stdint.h>
 extern int kadmind_fuzz_input(const uint8_t *data, size_t size);
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    kadmind_fuzz_input(data, size);
    return 0;
 }
 ```
 ## Seed Corpus
 The `fuzz/` directory contains seed inputs covering:
 - All kadm_ops commands (GET, DELETE, CREATE, RENAME, CHPASS, MODIFY, RANDKEY, etc.)
 - Edge cases (invalid commands, truncated data, malformed principals)
 - Overflow tests (large/negative array counts)
 See `fuzz/README` for detailed corpus file descriptions.
 ## Regenerating Corpus
 ```bash
 cd fuzz
 python3 gen_corpus.py
 ```
 ## Message Format
 Each corpus file contains a length-prefixed message:
 ```
 [4-byte big-endian length][message payload]
 ```
 The payload starts with a 4-byte command number (see `kadm_ops` enum in
 `lib/kadm5/kadm5-private.h`).
--- a/kadmin/Makefile.am
+++ b/kadmin/Makefile.am
@@ -63,7 +63,6 @@ check_PROGRAMS = $(TESTS)
 LDADD_common = \
 	$(top_builddir)/lib/hdb/libhdb.la \
 	$(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(LIB_roken) \
 	$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
--- a/kadmin/ank.c
+++ b/kadmin/ank.c
@@ -150,7 +150,7 @@ add_one_principal(const char *name,
 	    krb5_set_error_message(context, ret, "out of memory");
 	    goto out;
 	}
-	ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), prompt,
+	ret = _krb5_UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt,
                                           UI_UTIL_FLAG_VERIFY |
                                           UI_UTIL_FLAG_VERIFY_SILENT);
 	free (prompt);
@@ -275,7 +275,7 @@ add_new_key(struct add_options *opt, int argc, char **argv)
        enctypes = krb5_config_get_string(context, NULL, "libdefaults",
                                          "supported_enctypes", NULL);
    if (enctypes == NULL || enctypes[0] == '\0')
-        enctypes = "aes128-cts-hmac-sha1-96";
+        enctypes = "aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192";
    ret = krb5_string_to_keysalts2(context, enctypes, &nkstuple, &kstuple);
    if (ret) {
        fprintf(stderr, "enctype(s) unknown\n");
@@ -505,7 +505,7 @@ add_new_namespace(struct add_namespace_options *opt, int argc, char **argv)
        enctypes = krb5_config_get_string(context, NULL, "libdefaults",
                                          "supported_enctypes", NULL);
    if (enctypes == NULL || enctypes[0] == '\0')
-        enctypes = "aes128-cts-hmac-sha1-96";
+        enctypes = "aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192";
    ret = krb5_string_to_keysalts2(context, enctypes, &nkstuple, &kstuple);
    if (ret) {
        fprintf(stderr, "enctype(s) unknown\n");
--- a/kadmin/cpw.c
+++ b/kadmin/cpw.c
@@ -39,24 +39,39 @@ struct cpw_entry_data {
    int random_key;
    int random_password;
    char *password;
    const char *enctypes;
    krb5_key_data *key_data;
    void *kadm_handle;
 };
 static int
-set_random_key(void *dup_kadm_handle, krb5_principal principal, int keepold)
+set_random_key(void *dup_kadm_handle,
               krb5_principal principal,
               const char *enctypes,
               int keepold)
 {
    krb5_error_code ret;
    krb5_key_salt_tuple *key_salt_tuples = NULL;
    size_t nkey_salt_tuples = 0;
    int i;
    krb5_keyblock *keys;
    int num_keys;
-    ret = kadm5_randkey_principal_3(dup_kadm_handle, principal, keepold, 0,
+    if (enctypes) {
-                                    NULL, &keys, &num_keys);
+        ret = krb5_string_to_keysalts2(context, enctypes, &nkey_salt_tuples,
                                       &key_salt_tuples);
        if (ret)
            return ret;
    }
    ret = kadm5_randkey_principal_3(dup_kadm_handle, principal, keepold,
                                    nkey_salt_tuples, key_salt_tuples, &keys,
                                    &num_keys);
    if(ret)
 	return ret;
    for(i = 0; i < num_keys; i++)
 	krb5_free_keyblock_contents(context, &keys[i]);
    free(key_salt_tuples);
    free(keys);
    return 0;
 }
@@ -64,9 +79,12 @@ set_random_key(void *dup_kadm_handle, krb5_principal principal, int keepold)
 static int
 set_random_password(void *dup_kadm_handle,
                    krb5_principal principal,
                    const char *enctypes,
                    int keepold)
 {
    krb5_error_code ret;
    krb5_key_salt_tuple *key_salt_tuples = NULL;
    size_t nkey_salt_tuples = 0;
    char pw[128];
    char *princ_name;
@@ -74,11 +92,19 @@ set_random_password(void *dup_kadm_handle,
    if (ret)
 	return ret;
    if (enctypes) {
        ret = krb5_string_to_keysalts2(context, enctypes, &nkey_salt_tuples,
                                       &key_salt_tuples);
        if (ret)
            return ret;
    }
    random_password(pw, sizeof(pw));
-    ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold, 0,
+    ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold,
-                                   NULL, pw);
+                                   nkey_salt_tuples, key_salt_tuples, pw);
    if (ret == 0)
 	printf ("%s's password set to \"%s\"\n", princ_name, pw);
    free(key_salt_tuples);
    free(princ_name);
    memset_s(pw, sizeof(pw), 0, sizeof(pw));
    return ret;
@@ -87,10 +113,13 @@ set_random_password(void *dup_kadm_handle,
 static int
 set_password(void *dup_kadm_handle,
             krb5_principal principal,
             const char *enctypes,
             char *password,
             int keepold)
 {
    krb5_error_code ret = 0;
    krb5_key_salt_tuple *key_salt_tuples = NULL;
    size_t nkey_salt_tuples = 0;
    char pwbuf[128];
    int aret;
@@ -105,7 +134,7 @@ set_password(void *dup_kadm_handle,
 	free (princ_name);
 	if (aret == -1)
 	    return ENOMEM;
-	ret = UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt,
+	ret = _krb5_UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt,
                                           UI_UTIL_FLAG_VERIFY |
                                           UI_UTIL_FLAG_VERIFY_SILENT);
 	free (prompt);
@@ -114,10 +143,20 @@ set_password(void *dup_kadm_handle,
 	}
 	password = pwbuf;
    }
    if (enctypes) {
        ret = krb5_string_to_keysalts2(context, enctypes, &nkey_salt_tuples,
                                       &key_salt_tuples);
        if (ret)
            return ret;
    }
    if(ret == 0)
-        ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold, 0,
+        ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold,
-                                       NULL, password);
+                                       nkey_salt_tuples, key_salt_tuples,
                                       password);
    memset_s(pwbuf, sizeof(pwbuf), 0, sizeof(pwbuf));
    free(key_salt_tuples);
    return ret;
 }
@@ -140,13 +179,13 @@ do_cpw_entry(krb5_principal principal, void *data)
    struct cpw_entry_data *e = data;
    if (e->random_key)
-	return set_random_key(e->kadm_handle, principal, e->keepold);
+	return set_random_key(e->kadm_handle, principal, e->enctypes, e->keepold);
    else if (e->random_password)
-	return set_random_password(e->kadm_handle, principal, e->keepold);
+	return set_random_password(e->kadm_handle, principal, e->enctypes, e->keepold);
    else if (e->key_data)
 	return set_key_data(e->kadm_handle, principal, e->key_data, e->keepold);
    else
-	return set_password(e->kadm_handle, principal, e->password, e->keepold);
+	return set_password(e->kadm_handle, principal, e->enctypes, e->password, e->keepold);
 }
 int
@@ -164,6 +203,7 @@ cpw_entry(struct passwd_options *opt, int argc, char **argv)
    ret = kadm5_dup_context(kadm_handle, &data.kadm_handle);
    if (ret)
        krb5_err(context, 1, ret, "Could not duplicate kadmin connection");
    data.enctypes = opt->enctypes_string;
    data.random_key = opt->random_key_flag;
    data.random_password = opt->random_password_flag;
    data.password = opt->password_string;
--- a/kadmin/ext.c
+++ b/kadmin/ext.c
@@ -68,6 +68,12 @@ do_ext_keytab(krb5_principal principal, void *data)
    if (ret)
 	goto out;
    /* Debug: record which principal was fetched and some context */
    krb5_warnx(context, "do_ext_keytab: fetched principal %s mask=0x%x n_key_data=%d",
               unparsed ? unparsed : "<unparsed>",
               mask,
               (int)princ.n_key_data);
    if (!e->random_key_flag) {
        if (princ.n_key_data == 0) {
            krb5_warnx(context, "principal has no keys, or user lacks "
@@ -111,6 +117,13 @@ do_ext_keytab(krb5_principal principal, void *data)
 	    keys[i].keyblock.keyvalue.data = kd->key_data_contents[0];
 	    keys[i].timestamp = time(NULL);
            n_k++;
            /* Debug: log each key extracted (kvno/enctype) for the principal */
            krb5_warnx(context, "do_ext_keytab: principal=%s key_index=%zu kvno=%d enctype=%d",
                       unparsed ? unparsed : "<unparsed>",
                       i,
                       keys[i].vno,
                       keys[i].keyblock.keytype);
 	}
    } else if (e->random_key_flag) {
        ret = kadm5_randkey_principal_3(e->kadm_handle, principal, e->keep,
@@ -144,7 +157,7 @@ do_ext_keytab(krb5_principal principal, void *data)
    kadm5_free_principal_ent(e->kadm_handle, &princ);
    if (k) {
        for (i = 0; i < n_k; i++)
-            memset(k[i].keyvalue.data, 0, k[i].keyvalue.length);
+            krb5_free_keyblock_contents(context, &k[i]);
 	free(k);
    }
    free(unparsed);
@@ -199,7 +212,7 @@ ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
        enctypes = krb5_config_get_string(context, NULL, "libdefaults",
                                          "supported_enctypes", NULL);
    if (enctypes == NULL || enctypes[0] == '\0')
-        enctypes = "aes128-cts-hmac-sha1-96";
+        enctypes = "aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192";
    ret = krb5_string_to_keysalts2(context, enctypes, &data.nkstuple,
                                   &data.kstuple);
    if (ret) {
@@ -208,6 +221,10 @@ ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
        return ret;
    }
    /* Debug: record ext_keytab invocation details */
    krb5_warnx(context, "ext_keytab: invoking foreach_principal for %zu principals, enctypes=%s",
               (size_t)argc, enctypes ? enctypes : "<none>");
    for(i = 0; i < argc; i++) {
 	ret = foreach_principal(argv[i], do_ext_keytab, "ext", &data);
 	if (ret)
--- a/kadmin/fuzz/README
+++ b/kadmin/fuzz/README
@@ -0,0 +1,81 @@
 Kadmind Fuzzing Corpus
 ======================
 This directory contains seed inputs for fuzzing kadmind RPC handling.
 Usage
 -----
 Run kadmind in fuzzing mode:
    ./kadmind --fuzz-stdin < corpus_file.bin > output.bin
 Or with a specific realm:
    ./kadmind -r MY.REALM --fuzz-stdin < corpus_file.bin
 Message Format
 --------------
 Each corpus file contains a length-prefixed message:
    [4-byte big-endian length][message payload]
 The message payload starts with a 4-byte command number (kadm_ops enum):
    kadm_get           = 0   - Get principal
    kadm_delete        = 1   - Delete principal
    kadm_create        = 2   - Create principal
    kadm_rename        = 3   - Rename principal
    kadm_chpass        = 4   - Change password
    kadm_modify        = 5   - Modify principal
    kadm_randkey       = 6   - Randomize keys
    kadm_get_privs     = 7   - Get admin privileges
    kadm_get_princs    = 8   - List principals
    kadm_chpass_with_key = 9 - Change password with explicit keys
    kadm_nop           = 10  - No operation (ping/interrupt)
    kadm_prune         = 11  - Prune old keys
 Corpus Files
 ------------
 Normal operations:
  nop_reply.bin              - NOP with reply requested
  nop_noreply.bin            - NOP without reply (interrupt)
  get_principal.bin          - GET with basic mask
  get_principal_all.bin      - GET with all fields
  delete_principal.bin       - DELETE principal
  create_principal.bin       - CREATE with minimal fields
  create_principal_attrs.bin - CREATE with attributes
  modify_principal.bin       - MODIFY principal
  rename_principal.bin       - RENAME principal
  chpass_principal.bin       - CHPASS
  chpass_principal_keepold.bin - CHPASS keeping old keys
  randkey_principal.bin      - RANDKEY simple
  randkey_principal_full.bin - RANDKEY with ks_tuples
  get_privs.bin              - GET_PRIVS
  get_princs_all.bin         - LIST all principals
  get_princs_expr.bin        - LIST with expression
  get_princs_iter.bin        - LIST with online iteration
  prune_principal.bin        - PRUNE to specific kvno
  prune_principal_all.bin    - PRUNE (no kvno)
  chpass_with_key.bin        - CHPASS_WITH_KEY
  create_with_tldata.bin     - CREATE with TL_DATA
  create_empty_password.bin  - CREATE with empty password
 Edge cases and malformed inputs:
  invalid_cmd.bin            - Invalid command number
  truncated_get.bin          - GET with missing data
  malformed_principal.bin    - Bad principal encoding
  long_principal.bin         - Very long principal name
  many_components.bin        - Principal with many components
  large_nkeydata.bin         - Large n_key_data (overflow test)
  negative_nkeydata.bin      - Negative n_key_data
  empty_message.bin          - Zero-length message
 Regenerating
 ------------
 Run gen_corpus.py to regenerate all corpus files:
    python3 gen_corpus.py
--- a/kadmin/fuzz/chpass_existing.bin
+++ b/kadmin/fuzz/chpass_existing.bin
--- a/kadmin/fuzz/chpass_existing_keepold.bin
+++ b/kadmin/fuzz/chpass_existing_keepold.bin
--- a/kadmin/fuzz/chpass_key_existing.bin
+++ b/kadmin/fuzz/chpass_key_existing.bin
--- a/kadmin/fuzz/chpass_multikey.bin
+++ b/kadmin/fuzz/chpass_multikey.bin
--- a/kadmin/fuzz/create_empty_password.bin
+++ b/kadmin/fuzz/create_empty_password.bin
--- a/kadmin/fuzz/create_new.bin
+++ b/kadmin/fuzz/create_new.bin
--- a/kadmin/fuzz/create_service.bin
+++ b/kadmin/fuzz/create_service.bin
--- a/kadmin/fuzz/create_with_attrs.bin
+++ b/kadmin/fuzz/create_with_attrs.bin
--- a/kadmin/fuzz/create_with_tldata.bin
+++ b/kadmin/fuzz/create_with_tldata.bin
--- a/kadmin/fuzz/delete_existing.bin
+++ b/kadmin/fuzz/delete_existing.bin
--- a/kadmin/fuzz/delete_nonexisting.bin
+++ b/kadmin/fuzz/delete_nonexisting.bin
--- a/kadmin/fuzz/empty_message.bin
+++ b/kadmin/fuzz/empty_message.bin
--- a/kadmin/fuzz/gen_corpus.py
+++ b/kadmin/fuzz/gen_corpus.py
@@ -0,0 +1,472 @@
 #!/usr/bin/env python3
 """
 Generate fuzz corpus for kadmind RPC testing.
 Message format:
  4-byte big-endian length prefix
  N bytes of message data
 The message data starts with a 4-byte command number (kadm_ops enum).
 The fuzzer pre-populates the HDB with these principals (in FUZZ.REALM):
  - test
  - admin/admin
  - user1
  - user2
  - host/localhost
  - HTTP/www.example.com
  - krbtgt/FUZZ.REALM
 """
 import struct
 import os
 # kadm_ops enum values
 KADM_GET = 0
 KADM_DELETE = 1
 KADM_CREATE = 2
 KADM_RENAME = 3
 KADM_CHPASS = 4
 KADM_MODIFY = 5
 KADM_RANDKEY = 6
 KADM_GET_PRIVS = 7
 KADM_GET_PRINCS = 8
 KADM_CHPASS_WITH_KEY = 9
 KADM_NOP = 10
 KADM_PRUNE = 11
 # Pre-populated principals (must match kadmind.c fuzz_stdin)
 EXISTING_PRINCIPALS = [
    "test",
    "admin/admin",
    "user1",
    "user2",
    "host/localhost",
    "HTTP/www.example.com",
    "krbtgt/FUZZ.REALM",
 ]
 # KADM5 mask bits (from admin.h)
 KADM5_PRINCIPAL = 0x000001
 KADM5_PRINC_EXPIRE_TIME = 0x000002
 KADM5_PW_EXPIRATION = 0x000004
 KADM5_LAST_PWD_CHANGE = 0x000008
 KADM5_ATTRIBUTES = 0x000010
 KADM5_MAX_LIFE = 0x000020
 KADM5_MOD_TIME = 0x000040
 KADM5_MOD_NAME = 0x000080
 KADM5_KVNO = 0x000100
 KADM5_MKVNO = 0x000200
 KADM5_AUX_ATTRIBUTES = 0x000400
 KADM5_POLICY = 0x000800
 KADM5_POLICY_CLR = 0x001000
 KADM5_MAX_RLIFE = 0x002000
 KADM5_LAST_SUCCESS = 0x004000
 KADM5_LAST_FAILED = 0x008000
 KADM5_FAIL_AUTH_COUNT = 0x010000
 KADM5_KEY_DATA = 0x020000
 KADM5_TL_DATA = 0x040000
 def pack_int32(val):
    """Pack a 32-bit big-endian integer."""
    return struct.pack('>i', val)
 def pack_uint32(val):
    """Pack a 32-bit big-endian unsigned integer."""
    return struct.pack('>I', val)
 def pack_string(s):
    """Pack a string (4-byte length + data + null terminator)."""
    # Heimdal krb5_store_string includes null terminator in length
    data = s.encode('utf-8') + b'\x00'
    return pack_uint32(len(data)) + data
 def pack_data(d):
    """Pack binary data (4-byte length + data)."""
    return pack_uint32(len(d)) + d
 def pack_principal(name, realm="FUZZ.REALM"):
    """
    Pack a Kerberos principal.
    Format: name_type (4), num_components (4), realm (string),
            components (string each)
    """
    parts = name.split('/')
    # KRB5_NT_PRINCIPAL = 1
    result = pack_int32(1)  # name_type
    result += pack_int32(len(parts))  # num_components
    result += pack_string(realm)  # realm
    for part in parts:
        result += pack_string(part)
    return result
 def pack_principal_ent(principal_name, mask, realm="FUZZ.REALM"):
    """
    Pack a kadm5_principal_ent structure.
    Only includes fields indicated by mask.
    """
    result = pack_int32(mask)  # mask comes first
    if mask & KADM5_PRINCIPAL:
        result += pack_principal(principal_name, realm)
    if mask & KADM5_PRINC_EXPIRE_TIME:
        result += pack_int32(0)  # princ_expire_time
    if mask & KADM5_PW_EXPIRATION:
        result += pack_int32(0)  # pw_expiration
    if mask & KADM5_LAST_PWD_CHANGE:
        result += pack_int32(0)  # last_pwd_change
    if mask & KADM5_MAX_LIFE:
        result += pack_int32(86400)  # max_life = 1 day
    if mask & KADM5_MOD_NAME:
        result += pack_int32(0)  # mod_name is NULL
    if mask & KADM5_MOD_TIME:
        result += pack_int32(0)  # mod_date
    if mask & KADM5_ATTRIBUTES:
        result += pack_int32(0)  # attributes
    if mask & KADM5_KVNO:
        result += pack_int32(1)  # kvno
    if mask & KADM5_MKVNO:
        result += pack_int32(1)  # mkvno
    if mask & KADM5_POLICY:
        result += pack_int32(0)  # policy is NULL
    if mask & KADM5_AUX_ATTRIBUTES:
        result += pack_int32(0)  # aux_attributes
    if mask & KADM5_MAX_RLIFE:
        result += pack_int32(604800)  # max_renewable_life = 1 week
    if mask & KADM5_LAST_SUCCESS:
        result += pack_int32(0)
    if mask & KADM5_LAST_FAILED:
        result += pack_int32(0)
    if mask & KADM5_FAIL_AUTH_COUNT:
        result += pack_int32(0)
    if mask & KADM5_KEY_DATA:
        result += pack_int32(0)  # n_key_data = 0
    if mask & KADM5_TL_DATA:
        result += pack_int32(0)  # n_tl_data = 0
    return result
 def wrap_message(data):
    """Wrap message data with 4-byte length prefix."""
    return pack_uint32(len(data)) + data
 def write_corpus(filename, data):
    """Write a corpus file."""
    path = os.path.join(os.path.dirname(__file__), filename)
    with open(path, 'wb') as f:
        f.write(wrap_message(data))
    print(f"Created {filename} ({len(data)} bytes payload)")
 # Generate corpus files
 # ========== Basic operations ==========
 # 1. NOP with reply wanted
 write_corpus("nop_reply.bin",
    pack_int32(KADM_NOP) + pack_int32(1))
 # 2. NOP without reply (interrupt request)
 write_corpus("nop_noreply.bin",
    pack_int32(KADM_NOP) + pack_int32(0))
 # 3. GET_PRIVS
 write_corpus("get_privs.bin",
    pack_int32(KADM_GET_PRIVS))
 # ========== Operations on EXISTING principals ==========
 # These should exercise deeper code paths since the principals exist
 # 4. GET existing principal "test"
 write_corpus("get_existing_test.bin",
    pack_int32(KADM_GET) +
    pack_principal("test") +
    pack_int32(KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES))
 # 5. GET existing principal with all fields
 write_corpus("get_existing_all.bin",
    pack_int32(KADM_GET) +
    pack_principal("test") +
    pack_int32(0x7FFFF))  # All mask bits
 # 6. GET existing admin/admin
 write_corpus("get_existing_admin.bin",
    pack_int32(KADM_GET) +
    pack_principal("admin/admin") +
    pack_int32(KADM5_PRINCIPAL | KADM5_KVNO))
 # 7. GET existing host principal
 write_corpus("get_existing_host.bin",
    pack_int32(KADM_GET) +
    pack_principal("host/localhost") +
    pack_int32(KADM5_PRINCIPAL | KADM5_KEY_DATA))
 # 8. GET existing HTTP service
 write_corpus("get_existing_http.bin",
    pack_int32(KADM_GET) +
    pack_principal("HTTP/www.example.com") +
    pack_int32(KADM5_PRINCIPAL))
 # 9. GET krbtgt (special principal)
 write_corpus("get_existing_krbtgt.bin",
    pack_int32(KADM_GET) +
    pack_principal("krbtgt/FUZZ.REALM") +
    pack_int32(KADM5_PRINCIPAL | KADM5_KVNO | KADM5_MAX_LIFE))
 # 10. CHPASS on existing principal
 write_corpus("chpass_existing.bin",
    pack_int32(KADM_CHPASS) +
    pack_principal("user1") +
    pack_string("newpassword123") +
    pack_int32(0))  # keepold = false
 # 11. CHPASS on existing with keepold
 write_corpus("chpass_existing_keepold.bin",
    pack_int32(KADM_CHPASS) +
    pack_principal("user2") +
    pack_string("anotherpassword") +
    pack_int32(1))  # keepold = true
 # 12. RANDKEY on existing principal
 write_corpus("randkey_existing.bin",
    pack_int32(KADM_RANDKEY) +
    pack_principal("test"))
 # 13. RANDKEY on existing with ks_tuples
 write_corpus("randkey_existing_full.bin",
    pack_int32(KADM_RANDKEY) +
    pack_principal("user1") +
    pack_int32(1) +  # keepold
    pack_int32(2) +  # n_ks_tuple
    pack_int32(17) + pack_int32(0) +  # aes128-cts-hmac-sha1-96
    pack_int32(18) + pack_int32(0))   # aes256-cts-hmac-sha1-96
 # 14. MODIFY existing principal
 mask = KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE
 write_corpus("modify_existing.bin",
    pack_int32(KADM_MODIFY) +
    pack_principal_ent("test", mask) +
    pack_int32(mask))
 # 15. MODIFY existing - change max_renewable_life
 mask = KADM5_PRINCIPAL | KADM5_MAX_RLIFE
 write_corpus("modify_existing_rlife.bin",
    pack_int32(KADM_MODIFY) +
    pack_principal_ent("user1", mask) +
    pack_int32(mask))
 # 16. PRUNE existing principal
 write_corpus("prune_existing.bin",
    pack_int32(KADM_PRUNE) +
    pack_principal("test") +
    pack_int32(1))  # keep kvno >= 1
 # 17. RENAME existing to new
 write_corpus("rename_existing.bin",
    pack_int32(KADM_RENAME) +
    pack_principal("user2") +
    pack_principal("user2_renamed"))
 # 18. CHPASS_WITH_KEY on existing
 key_data = (
    pack_int32(2) +  # key_data_ver
    pack_int32(2) +  # key_data_kvno
    pack_int32(17) +  # aes128
    pack_data(b'\x00' * 16) +
    pack_int32(0) +  # no salt type
    pack_data(b'')
 )
 write_corpus("chpass_key_existing.bin",
    pack_int32(KADM_CHPASS_WITH_KEY) +
    pack_principal("test") +
    pack_int32(1) +  # n_key_data
    pack_int32(0) +  # keepold
    key_data)
 # ========== Operations on NON-EXISTING principals ==========
 # 19. GET non-existing principal
 write_corpus("get_nonexisting.bin",
    pack_int32(KADM_GET) +
    pack_principal("does/not/exist") +
    pack_int32(KADM5_PRINCIPAL))
 # 20. DELETE non-existing principal
 write_corpus("delete_nonexisting.bin",
    pack_int32(KADM_DELETE) +
    pack_principal("nonexistent"))
 # 21. CREATE new principal
 mask = KADM5_PRINCIPAL | KADM5_MAX_LIFE | KADM5_MAX_RLIFE
 write_corpus("create_new.bin",
    pack_int32(KADM_CREATE) +
    pack_principal_ent("newprinc", mask) +
    pack_int32(mask) +
    pack_string("password123"))
 # 22. CREATE with various attributes
 mask = KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_PRINC_EXPIRE_TIME
 write_corpus("create_with_attrs.bin",
    pack_int32(KADM_CREATE) +
    pack_principal_ent("newprinc2", mask) +
    pack_int32(mask) +
    pack_string("password456"))
 # ========== GET_PRINCS listing ==========
 # 23. GET_PRINCS - list all
 write_corpus("get_princs_all.bin",
    pack_int32(KADM_GET_PRINCS) +
    pack_int32(0))  # no expression
 # 24. GET_PRINCS with wildcard
 write_corpus("get_princs_wildcard.bin",
    pack_int32(KADM_GET_PRINCS) +
    pack_int32(1) +
    pack_string("*"))
 # 25. GET_PRINCS with pattern
 write_corpus("get_princs_user.bin",
    pack_int32(KADM_GET_PRINCS) +
    pack_int32(1) +
    pack_string("user*"))
 # 26. GET_PRINCS with host pattern
 write_corpus("get_princs_host.bin",
    pack_int32(KADM_GET_PRINCS) +
    pack_int32(1) +
    pack_string("host/*"))
 # 27. GET_PRINCS online iteration mode
 write_corpus("get_princs_iter.bin",
    pack_int32(KADM_GET_PRINCS) +
    pack_int32(0x55555555) +
    pack_string("*"))
 # ========== Edge cases and malformed inputs ==========
 # 28. Invalid command
 write_corpus("invalid_cmd.bin",
    pack_int32(99))
 # 29. Truncated message
 write_corpus("truncated_get.bin",
    pack_int32(KADM_GET))
 # 30. Malformed principal (bad component count)
 write_corpus("malformed_principal.bin",
    pack_int32(KADM_GET) +
    pack_int32(1) +  # name_type
    pack_int32(-1) +  # invalid num_components
    pack_string("FUZZ.REALM"))
 # 31. Very long principal name
 write_corpus("long_principal.bin",
    pack_int32(KADM_GET) +
    pack_principal("A" * 1000))
 # 32. Principal with many components
 write_corpus("many_components.bin",
    pack_int32(KADM_GET) +
    pack_principal("/".join(["c"] * 50)))
 # 33. Empty password create
 mask = KADM5_PRINCIPAL
 write_corpus("create_empty_password.bin",
    pack_int32(KADM_CREATE) +
    pack_principal_ent("emptypass", mask) +
    pack_int32(mask) +
    pack_string(""))
 # 34. Create with TL_DATA
 mask = KADM5_PRINCIPAL | KADM5_TL_DATA
 tl_data = (
    pack_int32(1) +  # tl_data_type
    pack_data(b'test tl data content')
 )
 princ_with_tl = (
    pack_int32(mask) +
    pack_principal("withtldata") +
    pack_int32(1) +  # n_tl_data
    tl_data
 )
 write_corpus("create_with_tldata.bin",
    pack_int32(KADM_CREATE) +
    princ_with_tl +
    pack_int32(mask) +
    pack_string("password"))
 # 35. Large n_key_data (integer overflow)
 write_corpus("large_nkeydata.bin",
    pack_int32(KADM_CHPASS_WITH_KEY) +
    pack_principal("test") +
    pack_int32(0x7FFFFFFF) +
    pack_int32(0))
 # 36. Negative n_key_data
 write_corpus("negative_nkeydata.bin",
    pack_int32(KADM_CHPASS_WITH_KEY) +
    pack_principal("test") +
    pack_int32(-1) +
    pack_int32(0))
 # 37. Zero-length message
 with open(os.path.join(os.path.dirname(__file__), "empty_message.bin"), 'wb') as f:
    f.write(pack_uint32(0))
 print("Created empty_message.bin (0 bytes payload)")
 # 38. Multiple key_data entries
 multi_key = b''
 for i in range(3):
    multi_key += (
        pack_int32(2) +  # ver
        pack_int32(i + 1) +  # kvno
        pack_int32(17) +  # aes128
        pack_data(b'\x00' * 16) +
        pack_int32(0) +
        pack_data(b'')
    )
 write_corpus("chpass_multikey.bin",
    pack_int32(KADM_CHPASS_WITH_KEY) +
    pack_principal("test") +
    pack_int32(3) +  # n_key_data
    pack_int32(1) +  # keepold
    multi_key)
 # 39. MODIFY with policy (even though we don't have policies)
 mask = KADM5_PRINCIPAL | KADM5_POLICY
 write_corpus("modify_with_policy.bin",
    pack_int32(KADM_MODIFY) +
    pack_int32(mask) +
    pack_principal("test") +
    pack_int32(1) +  # policy is present
    pack_string("default") +
    pack_int32(mask))
 # 40. DELETE existing principal (exercising actual delete path)
 write_corpus("delete_existing.bin",
    pack_int32(KADM_DELETE) +
    pack_principal("user1"))
 # 41. Cross-realm principal reference
 write_corpus("get_crossrealm.bin",
    pack_int32(KADM_GET) +
    pack_principal("user", "OTHER.REALM") +
    pack_int32(KADM5_PRINCIPAL))
 # 42. Service principal with instance
 write_corpus("create_service.bin",
    pack_int32(KADM_CREATE) +
    pack_principal_ent("ldap/server.example.com", KADM5_PRINCIPAL | KADM5_MAX_LIFE) +
    pack_int32(KADM5_PRINCIPAL | KADM5_MAX_LIFE) +
    pack_string("servicepass"))
 print("\nCorpus generation complete!")
--- a/kadmin/fuzz/get_crossrealm.bin
+++ b/kadmin/fuzz/get_crossrealm.bin
--- a/Show More
+++ b/Show More