From ghudson at MIT.EDU  Thu Oct  1 10:50:04 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Thu, 1 Oct 2009 10:50:04 -0400
Subject: svn rev #22816: branches/enc-perf/src/ lib/crypto/
	lib/crypto/builtin/ lib/crypto/builtin/arcfour/ ...
Message-ID: <200910011450.n91Eo4dT013831@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22816
Commit By: ghudson
Log Message:
Merge trunk changes from r22791 to r22815 to enc-perf branch.

bigredbutton: whitespace



Changed Files:
U   branches/enc-perf/src/Makefile.in
U   branches/enc-perf/src/configure.in
U   branches/enc-perf/src/lib/crypto/Makefile.in
U   branches/enc-perf/src/lib/crypto/builtin/Makefile.in
U   branches/enc-perf/src/lib/crypto/builtin/arcfour/Makefile.in
U   branches/enc-perf/src/lib/crypto/builtin/deps
A   branches/enc-perf/src/lib/crypto/builtin/hash_provider/
A   branches/enc-perf/src/lib/crypto/builtin/yhash.h
U   branches/enc-perf/src/lib/crypto/crypto_tests/Makefile.in
U   branches/enc-perf/src/lib/crypto/krb/Makefile.in
U   branches/enc-perf/src/lib/crypto/krb/deps
D   branches/enc-perf/src/lib/crypto/krb/hash_provider/
U   branches/enc-perf/src/lib/crypto/krb/keyhash_provider/Makefile.in
U   branches/enc-perf/src/lib/crypto/krb/keyhash_provider/deps
U   branches/enc-perf/src/lib/crypto/krb/prf/Makefile.in
U   branches/enc-perf/src/lib/crypto/krb/prf/deps
U   branches/enc-perf/src/lib/crypto/krb/yarrow/Makefile.in
U   branches/enc-perf/src/lib/crypto/krb/yarrow/deps
U   branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.c
U   branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.h
D   branches/enc-perf/src/lib/crypto/krb/yarrow/yhash.h
A   branches/enc-perf/src/lib/crypto/openssl/aes/
A   branches/enc-perf/src/lib/crypto/openssl/arcfour/
A   branches/enc-perf/src/lib/crypto/openssl/des/
A   branches/enc-perf/src/lib/crypto/openssl/hash_provider/
U   branches/enc-perf/src/lib/crypto/openssl/hmac.c
U   branches/enc-perf/src/lib/crypto/openssl/sha1/shs.c
U   branches/enc-perf/src/lib/crypto/openssl/sha1/shs.h
A   branches/enc-perf/src/lib/crypto/openssl/yhash.h
Modified: branches/enc-perf/src/Makefile.in
===================================================================
--- branches/enc-perf/src/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -196,7 +196,7 @@
 	lib\Makefile lib\crypto\Makefile \
 	lib\crypto\krb\crc32\Makefile lib\crypto\builtin\des\Makefile \
 	lib\crypto\krb\dk\Makefile lib\crypto\builtin\enc_provider\Makefile \
-	lib\crypto\krb\hash_provider\Makefile \
+	lib\crypto\builtin\hash_provider\Makefile \
 	lib\crypto\krb\keyhash_provider\Makefile \
 	lib\crypto\krb\prf\Makefile lib\crypto\krb\rand2key\Makefile \
 	lib\crypto\krb\raw\Makefile lib\crypto\krb\old\Makefile \
@@ -271,7 +271,7 @@
 ##DOS##	$(WCONFIG) config < $@.in > $@
 ##DOS##lib\crypto\builtin\enc_provider\Makefile: lib\crypto\builtin\enc_provider\Makefile.in $(MKFDEP)
 ##DOS##	$(WCONFIG) config < $@.in > $@
-##DOS##lib\crypto\krb\hash_provider\Makefile: lib\crypto\krb\hash_provider\Makefile.in $(MKFDEP)
+##DOS##lib\crypto\builtin\hash_provider\Makefile: lib\crypto\builtin\hash_provider\Makefile.in $(MKFDEP)
 ##DOS##	$(WCONFIG) config < $@.in > $@
 ##DOS##lib\crypto\krb\keyhash_provider\Makefile: lib\crypto\krb\keyhash_provider\Makefile.in $(MKFDEP)
 ##DOS##	$(WCONFIG) config < $@.in > $@
@@ -396,7 +396,7 @@
 	config/* include/* include/kerberosIV/* \
 	include/krb5/* include/krb5/stock/* include/sys/* lib/* \
 	lib/crypto/* lib/crypto/krb/crc32/* lib/crypto/builtin/des/* lib/crypto/krb/dk/* \
-	lib/crypto/builtin/enc_provider/* lib/crypto/krb/hash_provider/* \
+	lib/crypto/builtin/enc_provider/* lib/crypto/builtin/hash_provider/* \
 	lib/crypto/krb/keyhash_provider/* \
 	lib/crypto/krb/prf/* lib/crypto/krb/rand2key/* \
 	lib/crypto/krb/old/* lib/crypto/krb/raw/* \

Modified: branches/enc-perf/src/configure.in
===================================================================
--- branches/enc-perf/src/configure.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/configure.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -1061,7 +1061,7 @@
 
 	lib/crypto lib/crypto/krb lib/crypto/krb/crc32 lib/crypto/builtin/des
 	lib/crypto/krb/dk lib/crypto/builtin/enc_provider
-	lib/crypto/krb/hash_provider lib/crypto/krb/keyhash_provider
+	lib/crypto/builtin/hash_provider lib/crypto/krb/keyhash_provider
 	lib/crypto/krb/prf lib/crypto/krb/rand2key
 	lib/crypto/builtin lib/crypto/builtin/md4 lib/crypto/builtin/md5
 	lib/crypto/krb/old lib/crypto/krb/raw lib/crypto/builtin/sha1

Modified: branches/enc-perf/src/lib/crypto/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -21,7 +21,7 @@
 RELDIR=crypto
 
 STOBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST	\
-	krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST  		\
+	builtin/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST  		\
 	krb/prf/OBJS.ST krb/rand2key/OBJS.ST 		 			\
 	krb/old/OBJS.ST krb/raw/OBJS.ST krb/yarrow/OBJS.ST 			\
 	builtin/md4/OBJS.ST builtin/md5/OBJS.ST builtin/sha1/OBJS.ST 		\
@@ -29,7 +29,7 @@
 	krb/OBJS.ST  builtin/OBJS.ST
 
 SUBDIROBJLISTS=krb/crc32/OBJS.ST krb/dk/OBJS.ST builtin/enc_provider/OBJS.ST 	\
-	krb/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST 			\
+	builtin/hash_provider/OBJS.ST krb/keyhash_provider/OBJS.ST 		\
 	krb/prf/OBJS.ST krb/rand2key/OBJS.ST 		 			\
 	krb/old/OBJS.ST krb/raw/OBJS.ST  krb/yarrow/OBJS.ST 			\
 	builtin/md4/OBJS.ST builtin/md5/OBJS.ST	builtin/sha1/OBJS.ST 		\

Modified: branches/enc-perf/src/lib/crypto/builtin/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/builtin/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -2,7 +2,7 @@
 myfulldir=lib/crypto/builtin
 mydir=lib/crypto/builtin
 BUILDTOP=$(REL)..$(S)..$(S)..
-SUBDIRS=des arcfour aes	 md4 md5  sha1 enc_provider
+SUBDIRS=des arcfour aes	 md4 md5  sha1 enc_provider hash_provider
 LOCALINCLUDES = -I$(srcdir)/../krb 			\
 		-I$(srcdir)/../krb/hash_provider 	\
 		-I$(srcdir)/../@CRYPTO_IMPL@/des 	\
@@ -11,7 +11,8 @@
 		-I$(srcdir)/../@CRYPTO_IMPL@/sha1 	\
 		-I$(srcdir)/../@CRYPTO_IMPL@/md4 	\
 		-I$(srcdir)/../@CRYPTO_IMPL@/md5	\
-		-I$(srcdir)/../@CRYPTO_IMPL@/enc_provider 	
+		-I$(srcdir)/../@CRYPTO_IMPL@/enc_provider	\
+		-I$(srcdir)/../@CRYPTO_IMPL@/hash_provider 	
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
 DEFS=
@@ -38,6 +39,7 @@
 STOBJLISTS= des/OBJS.ST md4/OBJS.ST 	\
 	md5/OBJS.ST sha1/OBJS.ST 	\
 	enc_provider/OBJS.ST 		\
+	hash_provider/OBJS.ST 		\
 	arcfour/OBJS.ST 		\
 	aes/OBJS.ST 			\
 	OBJS.ST
@@ -45,8 +47,9 @@
 SUBDIROBJLISTS= des/OBJS.ST md4/OBJS.ST 	\
 		md5/OBJS.ST sha1/OBJS.ST 	\
 		enc_provider/OBJS.ST 		\
+		hash_provider/OBJS.ST 		\
 		arcfour/OBJS.ST 		\
-		aes/OBJS.ST OBJS.ST
+		aes/OBJS.ST 
 
 ##DOS##LIBOBJS = $(OBJS)
 
@@ -70,6 +73,9 @@
 	cd ..\sha1
 	@echo Making in crypto\sha1
 	$(MAKE) -$(MFLAGS)
+	cd ..\hash_provider
+	@echo Making in crypto\hash_provider
+	$(MAKE) -$(MFLAGS)
 	cd ..\enc_provider
 	@echo Making in crypto\enc_provider
 	$(MAKE) -$(MFLAGS)
@@ -94,6 +100,9 @@
 	cd ..\sha1
 	@echo Making clean in crypto\sha1
 	$(MAKE) -$(MFLAGS) clean
+	cd ..\hash_provider
+	@echo Making clean in crypto\hash_provider
+	$(MAKE) -$(MFLAGS) clean
 	cd ..\enc_provider
 	@echo Making clean in crypto\enc_provider
 	$(MAKE) -$(MFLAGS) clean
@@ -118,6 +127,9 @@
 	cd ..\sha1
 	@echo Making check in crypto\sha1
 	$(MAKE) -$(MFLAGS) check
+	cd ..\hash_provider
+	@echo Making check in crypto\hash_provider
+	$(MAKE) -$(MFLAGS) check
 	cd ..\enc_provider
 	@echo Making check in crypto\enc_provider
 	$(MAKE) -$(MFLAGS) check

Modified: branches/enc-perf/src/lib/crypto/builtin/arcfour/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/arcfour/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/builtin/arcfour/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -2,7 +2,7 @@
 myfulldir=lib/crypto/builtin/arcfour
 mydir=lib/crypto/builtin/arcfour
 BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../md4 -I$(srcdir)/../../krb
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@/md4  -I$(srcdir)/../../krb
 DEFS=
 
 ##DOS##BUILDTOP = ..\..\..\..

Modified: branches/enc-perf/src/lib/crypto/builtin/deps
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/deps	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/builtin/deps	2009-10-01 14:50:04 UTC (rev 22816)
@@ -21,4 +21,4 @@
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
   $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../builtin/pbkdf2.c $(srcdir)/../krb/hash_provider/hash_provider.h
+  $(srcdir)/../builtin/pbkdf2.c $(srcdir)/../builtin/hash_provider/hash_provider.h

Copied: branches/enc-perf/src/lib/crypto/builtin/hash_provider (from rev 22815, trunk/src/lib/crypto/builtin/hash_provider)


Modified: branches/enc-perf/src/lib/crypto/crypto_tests/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/crypto_tests/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/crypto_tests/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -3,7 +3,7 @@
 mydir=lib/crypto/crypto_tests
 BUILDTOP=$(REL)..$(S)..$(S)..
 LOCALINCLUDES = -I$(srcdir)/../krb -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider 		\
-	-I$(srcdir)/../krb/hash_provider -I$(srcdir)/../krb/keyhash_provider 	\
+	-I$(srcdir)/../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../krb/keyhash_provider 	\
 	-I$(srcdir)/../krb/dk -I$(srcdir)/../@CRYPTO_IMPL@/ 			\
 	-I$(srcdir)/../krb/yarrow 	\
 	-I$(srcdir)/../krb/crc32 -I$(srcdir)/../krb/old -I$(srcdir)/../krb/raw 	\

Modified: branches/enc-perf/src/lib/crypto/krb/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -2,15 +2,15 @@
 myfulldir=lib/crypto/krb
 mydir=lib/crypto/krb
 BUILDTOP=$(REL)..$(S)..$(S)..
-SUBDIRS= crc32 dk hash_provider keyhash_provider \
+SUBDIRS= crc32 dk keyhash_provider \
 	prf rand2key old raw yarrow 
 LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/../@CRYPTO_IMPL@/enc_provider -I$(srcdir)/dk	\
-		-I$(srcdir)/hash_provider -I$(srcdir)/keyhash_provider 			\
+		-I$(srcdir)/../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/keyhash_provider	\
 		-I$(srcdir)/prf -I$(srcdir)/rand2key		 			\
 		-I$(srcdir)/old -I$(srcdir)/raw -I$(srcdir)/yarrow 			\
 		-I$(srcdir)/../@CRYPTO_IMPL@/ -I$(srcdir)/../@CRYPTO_IMPL@/des		\
 		-I$(srcdir)/../@CRYPTO_IMPL@/aes -I$(srcdir)/../@CRYPTO_IMPL@/arcfour 	\
-		-I$(srcdir)/../@CRYPTO_IMPL@/sha1
+		-I$(srcdir)/../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../@CRYPTO_IMPL@
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
 DEFS=
@@ -154,14 +154,14 @@
 	$(srcdir)/verify_checksum_iov.c
 
 STOBJLISTS=crc32/OBJS.ST  dk/OBJS.ST 			 	\
-	hash_provider/OBJS.ST keyhash_provider/OBJS.ST  	\
+	keyhash_provider/OBJS.ST 			 	\
 	prf/OBJS.ST rand2key/OBJS.ST 			 	\
 	old/OBJS.ST raw/OBJS.ST  yarrow/OBJS.ST  OBJS.ST
 
 SUBDIROBJLISTS=crc32/OBJS.ST  dk/OBJS.ST 		 	\
-	hash_provider/OBJS.ST keyhash_provider/OBJS.ST  	\
+	keyhash_provider/OBJS.ST 			 	\
 	prf/OBJS.ST rand2key/OBJS.ST 			 	\
-	old/OBJS.ST raw/OBJS.ST  yarrow/OBJS.ST OBJS.ST 
+	old/OBJS.ST raw/OBJS.ST  yarrow/OBJS.ST 
 
 ##DOS##LIBOBJS = $(OBJS)
 
@@ -179,9 +179,6 @@
 	cd ..\dk
 	@echo Making in crypto\dk
 	$(MAKE) -$(MFLAGS)
-	cd ..\hash_provider
-	@echo Making in crypto\hash_provider
-	$(MAKE) -$(MFLAGS)
 	cd ..\keyhash_provider
 	@echo Making in crypto\keyhash_provider
 	$(MAKE) -$(MFLAGS)
@@ -209,9 +206,6 @@
 	cd ..\dk
 	@echo Making clean in crypto\dk
 	$(MAKE) -$(MFLAGS) clean
-	cd ..\hash_provider
-	@echo Making clean in crypto\hash_provider
-	$(MAKE) -$(MFLAGS) clean
 	cd ..\keyhash_provider
 	@echo Making clean in crypto\keyhash_provider
 	$(MAKE) -$(MFLAGS) clean
@@ -239,9 +233,6 @@
 	cd ..\dk
 	@echo Making check in crypto\dk
 	$(MAKE) -$(MFLAGS) check
-	cd ..\hash_provider
-	@echo Making check in crypto\hash_provider
-	$(MAKE) -$(MFLAGS) check
 	cd ..\keyhash_provider
 	@echo Making check in crypto\keyhash_provider
 	$(MAKE) -$(MFLAGS) check

Modified: branches/enc-perf/src/lib/crypto/krb/deps
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/deps	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/deps	2009-10-01 14:50:04 UTC (rev 22816)
@@ -52,7 +52,7 @@
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
   $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/hash_provider/hash_provider.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
   $(srcdir)/keyhash_provider/keyhash_provider.h cksumtypes.c \
   cksumtypes.h
 coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): \
@@ -192,7 +192,7 @@
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
   $(srcdir)/../builtin/aes/aes_s2k.h $(srcdir)/../builtin/arcfour/arcfour.h \
   $(srcdir)/../builtin/des/des_int.h $(srcdir)/../builtin/enc_provider/enc_provider.h \
-  $(srcdir)/dk/dk.h $(srcdir)/hash_provider/hash_provider.h \
+  $(srcdir)/dk/dk.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
   $(srcdir)/old/old.h $(srcdir)/prf/prf_int.h $(srcdir)/raw/raw.h \
   etypes.c etypes.h
 keyblocks.so keyblocks.po $(OUTPRE)keyblocks.$(OBJEXT): \
@@ -329,7 +329,7 @@
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
   $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/sha1/shs.h \
   $(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ycipher.h \
-  $(srcdir)/yarrow/yhash.h $(srcdir)/yarrow/ytypes.h \
+  $(srcdir)/../builtin/yhash.h $(srcdir)/yarrow/ytypes.h \
   prng.c
 random_to_key.so random_to_key.po $(OUTPRE)random_to_key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \

Modified: branches/enc-perf/src/lib/crypto/krb/keyhash_provider/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyhash_provider/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/keyhash_provider/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -4,7 +4,7 @@
 BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
 LOCALINCLUDES = -I$(srcdir)/../../@CRYPTO_IMPL@/des -I$(srcdir)/../../@CRYPTO_IMPL@/md4 \
 		-I$(srcdir)/../../@CRYPTO_IMPL@/md5 -I$(srcdir)/../../@CRYPTO_IMPL@/arcfour \
-		-I$(srcdir)/../hash_provider
+		-I$(srcdir)/../../@CRYPTO_IMPL@/hash_provider -I$(srcdir)/../../@CRYPTO_IMPL@
 DEFS=
 
 ##DOS##BUILDTOP = ..\..\..\..

Modified: branches/enc-perf/src/lib/crypto/krb/keyhash_provider/deps
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyhash_provider/deps	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/keyhash_provider/deps	2009-10-01 14:50:04 UTC (rev 22816)
@@ -44,7 +44,7 @@
   $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
   $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
   $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \
-  $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../hash_provider/hash_provider.h \
+  $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../../builtin/hash_provider/hash_provider.h \
   hmac_md5.c keyhash_provider.h
 md5_hmac.so md5_hmac.po $(OUTPRE)md5_hmac.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -57,5 +57,5 @@
   $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
   $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
   $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \
-  $(srcdir)/../hash_provider/hash_provider.h keyhash_provider.h \
+  $(srcdir)/../../builtin/hash_provider/hash_provider.h keyhash_provider.h \
   md5_hmac.c

Modified: branches/enc-perf/src/lib/crypto/krb/prf/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/prf/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -4,6 +4,7 @@
 BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
 LOCALINCLUDES = -I$(srcdir) -I$(srcdir)/.. 		\
 		-I$(srcdir)/../dk			\
+		-I$(srcdir)/../../@CRYPTO_IMPL@ 	\
 		-I$(srcdir)/../../@CRYPTO_IMPL@/md5 	\
 		-I$(srcdir)/../../@CRYPTO_IMPL@/sha1 
 DEFS=

Modified: branches/enc-perf/src/lib/crypto/krb/prf/deps
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf/deps	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/prf/deps	2009-10-01 14:50:04 UTC (rev 22816)
@@ -30,5 +30,5 @@
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
   $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../hash_provider/hash_provider.h prf_int.h \
+  $(srcdir)/../../builtin/hash_provider/hash_provider.h prf_int.h \
   rc4_prf.c

Modified: branches/enc-perf/src/lib/crypto/krb/yarrow/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/yarrow/Makefile.in	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/yarrow/Makefile.in	2009-10-01 14:50:04 UTC (rev 22816)
@@ -2,7 +2,10 @@
 myfulldir=lib/crypto/krb/yarrow
 mydir=lib/crypto/krb/yarrow
 BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../@CRYPTO_IMPL@ -I$(srcdir)/../../@CRYPTO_IMPL@/sha1 -I$(srcdir)/../../@CRYPTO_IMPL@/enc_provider
+LOCALINCLUDES = -I$(srcdir)/.. \
+		-I$(srcdir)/../../@CRYPTO_IMPL@		\
+		-I$(srcdir)/../../@CRYPTO_IMPL@/sha1 	\
+		-I$(srcdir)/../../@CRYPTO_IMPL@/enc_provider
 DEFS=
 
 ##DOS##BUILDTOP = ..\..\..\..

Modified: branches/enc-perf/src/lib/crypto/krb/yarrow/deps
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/yarrow/deps	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/yarrow/deps	2009-10-01 14:50:04 UTC (rev 22816)
@@ -11,7 +11,7 @@
   $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
   $(srcdir)/../../builtin/sha1/shs.h yarrow.c yarrow.h \
-  ycipher.h yexcep.h yhash.h ylock.h ystate.h ytypes.h
+  ycipher.h yexcep.h $(srcdir)/../../builtin/yhash.h ylock.h ystate.h ytypes.h
 ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -23,4 +23,4 @@
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
   $(srcdir)/../../builtin/enc_provider/enc_provider.h \
   $(srcdir)/../../builtin/sha1/shs.h yarrow.h ycipher.c \
-  ycipher.h yhash.h ytypes.h
+  ycipher.h $(srcdir)/../../builtin/yhash.h ytypes.h

Modified: branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.c	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.c	2009-10-01 14:50:04 UTC (rev 22816)
@@ -34,7 +34,6 @@
 
 #define YARROW_IMPL
 #include "yarrow.h"
-#include "yhash.h"
 #include "ycipher.h"
 #include "ylock.h"
 #include "ystate.h"

Modified: branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.h	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/krb/yarrow/yarrow.h	2009-10-01 14:50:04 UTC (rev 22816)
@@ -10,7 +10,7 @@
 #define YARROW_NO_MATHLIB
 
 #include "ytypes.h"
-#include "yhash.h"
+#include <yhash.h>
 #include "ycipher.h"
 
 /* These error codes are returned by the functions below. */

Deleted: branches/enc-perf/src/lib/crypto/krb/yarrow/yhash.h

Copied: branches/enc-perf/src/lib/crypto/openssl/aes (from rev 22815, trunk/src/lib/crypto/openssl/aes)

Copied: branches/enc-perf/src/lib/crypto/openssl/arcfour (from rev 22815, trunk/src/lib/crypto/openssl/arcfour)

Copied: branches/enc-perf/src/lib/crypto/openssl/des (from rev 22815, trunk/src/lib/crypto/openssl/des)

Copied: branches/enc-perf/src/lib/crypto/openssl/hash_provider (from rev 22815, trunk/src/lib/crypto/openssl/hash_provider)

Modified: branches/enc-perf/src/lib/crypto/openssl/hmac.c
===================================================================
--- branches/enc-perf/src/lib/crypto/openssl/hmac.c	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/openssl/hmac.c	2009-10-01 14:50:04 UTC (rev 22816)
@@ -1,4 +1,4 @@
-/*
+/* lib/crypto/openssl/hmac.c
  */
 
 #include "k5-int.h"

Modified: branches/enc-perf/src/lib/crypto/openssl/sha1/shs.c
===================================================================
--- branches/enc-perf/src/lib/crypto/openssl/sha1/shs.c	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/openssl/sha1/shs.c	2009-10-01 14:50:04 UTC (rev 22816)
@@ -3,12 +3,19 @@
 #include <sys/types.h>
 #endif
 #include <string.h>
+#define h0init  0x67452301L
+#define h1init  0xEFCDAB89L
+#define h2init  0x98BADCFEL
+#define h3init  0x10325476L
+#define h4init  0xC3D2E1F0L
 
 /* Initialize the SHS values */
 void shsInit(SHS_INFO *shsInfo)
 {
     EVP_MD_CTX_init(&shsInfo->ossl_sha1_ctx );
     EVP_DigestInit_ex(&shsInfo->ossl_sha1_ctx , EVP_sha1(), NULL);
+    shsInfo->digestLen = 0;
+    memset(shsInfo->digestBuf, 0 , sizeof(shsInfo->digestBuf));
 }
 
 /* Update SHS for a block of data */
@@ -22,13 +29,8 @@
 
 void shsFinal(SHS_INFO *shsInfo)
 {
-    unsigned char *digest_buf = NULL;
+    EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen); 
+    EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx );
+}
 
-    digest_buf =  (unsigned char *)OPENSSL_malloc( sizeof(shsInfo->digest));
 
-    EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx , digest_buf , &shsInfo->digest_len); 
-
-    memcpy(shsInfo->digest, digest_buf, shsInfo->digest_len);
-    OPENSSL_free(digest_buf);
-    EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx );
-}

Modified: branches/enc-perf/src/lib/crypto/openssl/sha1/shs.h
===================================================================
--- branches/enc-perf/src/lib/crypto/openssl/sha1/shs.h	2009-09-30 22:33:41 UTC (rev 22815)
+++ branches/enc-perf/src/lib/crypto/openssl/sha1/shs.h	2009-10-01 14:50:04 UTC (rev 22816)
@@ -22,11 +22,9 @@
 /* The structure for storing SHS info */
 
 typedef struct {
-    EVP_MD_CTX ossl_sha1_ctx;
-    unsigned int   digest_len;
-    SHS_LONG digest[ 5 ];            /* Message digest */
-    SHS_LONG countLo, countHi;       /* 64-bit bit count */
-    SHS_LONG data[ 16 ];             /* SHS data buffer */
+    EVP_MD_CTX ossl_sha1_ctx;  
+    unsigned char   digestBuf[SHS_DIGESTSIZE]; /* output */
+    unsigned int    digestLen; /* output */
 } SHS_INFO;
 
 /* Message digest functions (shs.c) */

Copied: branches/enc-perf/src/lib/crypto/openssl/yhash.h (from rev 22815, trunk/src/lib/crypto/openssl/yhash.h)

Property changes on: branches/enc-perf/src/lib/crypto/builtin/hash_provider
___________________________________________________________________
Name: svn:mergeinfo
   + 

Copied: branches/enc-perf/src/lib/crypto/builtin/yhash.h (from rev 22815, trunk/src/lib/crypto/builtin/yhash.h)



From tsitkova at MIT.EDU  Thu Oct  1 14:39:42 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Thu, 1 Oct 2009 14:39:42 -0400
Subject: svn rev #22819: trunk/src/lib/crypto/ builtin/hash_provider/
	openssl/enc_provider/
Message-ID: <200910011839.n91Idgdn003934@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22819
Commit By: tsitkova
Log Message:
Cleanup



Changed Files:
U   trunk/src/lib/crypto/builtin/hash_provider/Makefile.in
U   trunk/src/lib/crypto/openssl/enc_provider/des.c
U   trunk/src/lib/crypto/openssl/enc_provider/des3.c
U   trunk/src/lib/crypto/openssl/enc_provider/rc4.c
Modified: trunk/src/lib/crypto/builtin/hash_provider/Makefile.in
===================================================================
--- trunk/src/lib/crypto/builtin/hash_provider/Makefile.in	2009-10-01 17:01:49 UTC (rev 22818)
+++ trunk/src/lib/crypto/builtin/hash_provider/Makefile.in	2009-10-01 18:39:42 UTC (rev 22819)
@@ -13,14 +13,24 @@
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
 
-STLIBOBJS= hash_crc32.o hash_md4.o hash_md5.o hash_sha1.o
+CIMPL = @CRYPTO_IMPL@/hash_provider
 
-OBJS=   $(OUTPRE)hash_crc32.$(OBJEXT) $(OUTPRE)hash_md4.$(OBJEXT) \
-	$(OUTPRE)hash_md5.$(OBJEXT) $(OUTPRE)hash_sha1.$(OBJEXT)
+STLIBOBJS= \
+	../../$(CIMPL)/hash_crc32.o 	\
+	../../$(CIMPL)/hash_md4.o 	\
+	../../$(CIMPL)/hash_md5.o 	\
+	../../$(CIMPL)/hash_sha1.o
 
-SRCS= $(srcdir)/hash_crc32.c $(srcdir)/hash_md4.c \
-	$(srcdir)/hash_md5.c $(srcdir)/hash_sha1.c
+OBJS=   $(OUTPRE)../../$(CIMPL)/hash_crc32.$(OBJEXT) 	\
+	$(OUTPRE)../../$(CIMPL)/hash_md4.$(OBJEXT) 	\
+	$(OUTPRE)../../$(CIMPL)/hash_md5.$(OBJEXT) 	\
+	$(OUTPRE)../../$(CIMPL)/hash_sha1.$(OBJEXT)
 
+SRCS=	$(srcdir)/../../$(CIMPL)/hash_crc32.c	\
+	$(srcdir)/../../$(CIMPL)/hash_md4.c 	\
+	$(srcdir)/../../$(CIMPL)/hash_md5.c 	\
+	$(srcdir)/../../$(CIMPL)/hash_sha1.c
+
 ##DOS##LIBOBJS = $(OBJS)
 
 all-unix:: all-libobjs

Modified: trunk/src/lib/crypto/openssl/enc_provider/des.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/des.c	2009-10-01 17:01:49 UTC (rev 22818)
+++ trunk/src/lib/crypto/openssl/enc_provider/des.c	2009-10-01 18:39:42 UTC (rev 22819)
@@ -35,7 +35,6 @@
 
     for (i = 0, input_length = 0; i < num_data; i++) {
         const krb5_crypto_iov *iov = &data[i];
-
         if (ENCRYPT_IOV(iov))
             input_length += iov->data.length;
     }
@@ -54,12 +53,11 @@
 k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
            const krb5_data *input, krb5_data *output)
 {
-    int ret = 0, tmp_len = 0;
-    unsigned int tmp_buf_len = 0;
+    int              ret = 0, tmp_len = 0;
+    unsigned int     tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-    EVP_CIPHER_CTX  ciph_ctx;
+    EVP_CIPHER_CTX   ciph_ctx;
 
     ret = validate(key, ivec, input, output);
     if (ret)
@@ -68,11 +66,6 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if ( ivec && ivec->data ) {
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     tmp_buf_len = output->length*2;
     tmp_buf=OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
@@ -82,13 +75,13 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv : NULL);
+                             (ivec) ? (unsigned char*)ivec->data  : NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
                                 (unsigned char *)input->data, input->length);
         if (!ret || output->length < (unsigned int)tmp_len) {
-            return KRB5_CRYPTO_INTERNAL;
+            ret =  KRB5_CRYPTO_INTERNAL;
         } else {
             output->length = tmp_len;
             ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len);
@@ -97,13 +90,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
 
     memset(tmp_buf, 0, tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -114,10 +107,9 @@
            const krb5_data *input, krb5_data *output)
 {
     /* key->enctype was checked by the caller */
-    int ret = 0, tmp_len = 0;
+    int              ret = 0, tmp_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
     EVP_CIPHER_CTX  ciph_ctx;
 
     ret = validate(key, ivec, input, output);
@@ -127,10 +119,6 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if ( ivec != NULL && ivec->data ){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
     tmp_buf=OPENSSL_malloc(output->length);
     if (!tmp_buf)
         return ENOMEM;
@@ -139,7 +127,7 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv : NULL);
+                             (ivec) ? (unsigned char*)ivec->data : NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
@@ -152,13 +140,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
 
     memset(tmp_buf,0,output->length);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if ( ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -169,21 +157,21 @@
             krb5_crypto_iov *data,
             size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
+    int             ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
+    int             oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
+    unsigned char  *iblock = NULL, *oblock = NULL;
+    unsigned char  *keybuf = NULL ;
+    struct iov_block_state input_pos, output_pos;
     EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
 
-    struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
-
     iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -195,19 +183,18 @@
     if (ret)
         return ret;
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec && ivec->data) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -229,11 +216,6 @@
     if(ret)
         ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -241,7 +223,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if ( ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -252,21 +234,22 @@
            krb5_crypto_iov *data,
            size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
-    EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-
+    int                    ret = 0;
+    int                    tmp_len = MIT_DES_BLOCK_LENGTH;
+    int                    oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char         *iblock = NULL, *oblock = NULL;
+    unsigned char         *keybuf = NULL;
     struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
+    EVP_CIPHER_CTX         ciph_ctx;
 
     iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -278,19 +261,18 @@
     if (ret)
         return ret;
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -315,11 +297,6 @@
     if(ret)
         ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -327,7 +304,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }

Modified: trunk/src/lib/crypto/openssl/enc_provider/des3.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/des3.c	2009-10-01 17:01:49 UTC (rev 22818)
+++ trunk/src/lib/crypto/openssl/enc_provider/des3.c	2009-10-01 18:39:42 UTC (rev 22819)
@@ -36,7 +36,6 @@
 
     for (i = 0, input_length = 0; i < num_data; i++) {
 	const krb5_crypto_iov *iov = &data[i];
-
 	if (ENCRYPT_IOV(iov))
 	    input_length += iov->data.length;
     }
@@ -55,12 +54,11 @@
 k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
-    int ret = 0, tmp_len = 0;
-    unsigned int  tmp_buf_len = 0;
+    int              ret = 0, tmp_len = 0;
+    unsigned int     tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-    EVP_CIPHER_CTX  ciph_ctx;
+    EVP_CIPHER_CTX   ciph_ctx;
 
     ret = validate(key, ivec, input, output);
     if (ret)
@@ -69,9 +67,6 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data) {
-        memcpy(iv,ivec->data,ivec->length);
-    }
     tmp_buf_len = output->length * 2;
     tmp_buf = OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
@@ -80,7 +75,7 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv : NULL);
+                             (ivec) ? (unsigned char*)ivec->data : NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
@@ -95,12 +90,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
+
     memset(tmp_buf, 0, tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
 
     return 0;
@@ -111,11 +107,11 @@
 k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
-    int ret = 0, tmp_len = 0;
-    EVP_CIPHER_CTX  ciph_ctx;
+    int              ret = 0, tmp_len = 0;
+    unsigned int     tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
+    EVP_CIPHER_CTX   ciph_ctx;
 
     ret = validate(key, ivec, input, output);
     if (ret)
@@ -124,24 +120,22 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data) {
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
-    tmp_buf=OPENSSL_malloc(output->length);
+    tmp_buf_len = output->length;
+    tmp_buf=OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
         return ENOMEM;
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv: NULL);
+                             (ivec) ? (unsigned char*)ivec->data: NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
                                 (unsigned char *)input->data, input->length);
-        if (ret) {
+        if (!ret || output->length < (unsigned int)tmp_len) {
+            ret = KRB5_CRYPTO_INTERNAL;
+        } else {
             output->length = tmp_len;
             ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
         }
@@ -149,13 +143,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
 
-    memset(tmp_buf,0,output->length);
+    memset(tmp_buf,0,tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 
@@ -167,14 +161,13 @@
 		    krb5_crypto_iov *data,
 		    size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
-    EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-
+    int                    ret = 0;
+    int                    tmp_len = MIT_DES_BLOCK_LENGTH;
+    int                    oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char         *iblock = NULL, *oblock = NULL;
+    unsigned char         *keybuf = NULL;
     struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
+    EVP_CIPHER_CTX         ciph_ctx;
 
     ret = validate_iov(key, ivec, data, num_data);
     if (ret)
@@ -184,8 +177,10 @@
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -193,19 +188,18 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -229,11 +223,6 @@
     if(ret)
         ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -241,7 +230,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -252,14 +241,13 @@
 		    krb5_crypto_iov *data,
 		    size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
-    EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-
+    int                    ret = 0;
+    int                    tmp_len = MIT_DES_BLOCK_LENGTH;
+    int                    oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
+    unsigned char         *iblock = NULL, *oblock = NULL;
+    unsigned char         *keybuf = NULL ;
     struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
+    EVP_CIPHER_CTX         ciph_ctx;
 
     ret = validate_iov(key, ivec, data, num_data);
     if (ret)
@@ -269,8 +257,10 @@
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -278,19 +268,18 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -315,11 +304,6 @@
         ret = EVP_DecryptFinal_ex(&ciph_ctx,
                                   oblock + input_pos.data_pos, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -327,7 +311,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }

Modified: trunk/src/lib/crypto/openssl/enc_provider/rc4.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/rc4.c	2009-10-01 17:01:49 UTC (rev 22818)
+++ trunk/src/lib/crypto/openssl/enc_provider/rc4.c	2009-10-01 18:39:42 UTC (rev 22819)
@@ -62,7 +62,7 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
 
     output->length += tmp_len;
@@ -90,8 +90,10 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL);
-    if (!ret) 
-        return -1;
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        return KRB5_CRYPTO_INTERNAL;
+    }
 
     for (i = 0; i < num_data; i++) {
         iov = &data[i];
@@ -112,7 +114,7 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (!ret) 
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
 
     iov->data.length += tmp_len;



From tsitkova at MIT.EDU  Thu Oct  1 17:18:05 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Thu, 1 Oct 2009 17:18:05 -0400
Subject: svn rev #22820: trunk/src/lib/crypto/openssl/enc_provider/ 
Message-ID: <200910012118.n91LI5gF017110@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22820
Commit By: tsitkova
Log Message:
Crypto modulrity proj: Basic AES crypto for openssl impl.



Changed Files:
A   trunk/src/lib/crypto/openssl/enc_provider/aes.c
Added: trunk/src/lib/crypto/openssl/enc_provider/aes.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/aes.c	2009-10-01 18:39:42 UTC (rev 22819)
+++ trunk/src/lib/crypto/openssl/enc_provider/aes.c	2009-10-01 21:18:05 UTC (rev 22820)
@@ -0,0 +1,505 @@
+/*
+ * lib/crypto/openssl/enc_provider/aes.c
+ *
+ * Copyright (C) 2003, 2007, 2008, 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#include "k5-int.h"
+#include "enc_provider.h"
+#include "aes.h"
+#include <aead.h>
+#include <hash_provider/hash_provider.h>
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include <openssl/modes.h>
+#include <rand2key.h>
+
+/* proto's */
+static krb5_error_code
+cts_enc(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output);
+static krb5_error_code
+cbc_enc(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output);
+static krb5_error_code
+cts_decr(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output);
+static krb5_error_code
+cbc_decr(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output);
+
+static const EVP_CIPHER *
+map_mode( unsigned int len)
+{
+    if (len==16)
+        return EVP_aes_128_cbc();
+    if (len==32)
+        return EVP_aes_256_cbc();
+    else
+        return NULL;
+}
+
+static inline void enc(char *out, const char *in, aes_ctx *ctx)
+{
+    if (aes_enc_blk((const unsigned char *)in, (unsigned char *)out, ctx)
+	!= aes_good)
+	abort();
+}
+static inline void dec(char *out, const char *in, aes_ctx *ctx)
+{
+    if (aes_dec_blk((const unsigned char *)in, (unsigned char *)out, ctx)
+	!= aes_good)
+	abort();
+}
+static void xorblock(char *out, const char *in)
+{
+    int z;
+    for (z = 0; z < BLOCK_SIZE; z++)
+	out[z] ^= in[z];
+}
+
+
+static krb5_error_code
+cbc_enc(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output)
+{
+    EVP_CIPHER_CTX  ciph_ctx;
+    unsigned char   *key_buf = NULL;
+    unsigned char  *tmp_buf = NULL;
+    int  ret = 0, tmp_len = 0;
+
+    key_buf = OPENSSL_malloc(key->length);
+    if (!key_buf)
+        return ENOMEM;
+    tmp_len = input->length;
+    tmp_buf = OPENSSL_malloc(input->length);
+    if (!tmp_buf){
+        OPENSSL_free(key_buf);
+        return ENOMEM;
+    }
+    memcpy(key_buf, key->contents, key->length);
+
+    EVP_CIPHER_CTX_init(&ciph_ctx);
+
+    if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH)){
+        ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->length),
+                                 NULL, key_buf, (unsigned char*)ivec->data);
+    } else {
+        ret = EVP_EncryptInit_ex(&ciph_ctx, map_mode(key->length),
+                                 NULL, key_buf, NULL);
+    }
+
+    if (ret == 1){
+        EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); 
+        ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+                           (unsigned char *)input->data, input->length);
+
+        output->length = tmp_len;
+        if(ret)
+            ret = EVP_EncryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len);
+    }
+
+    EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+    if (ret == 1){
+        memcpy(output->data, tmp_buf, output->length);
+        ret = 0;
+    } else {
+        ret = KRB5_CRYPTO_INTERNAL;
+    }
+
+    OPENSSL_free(key_buf);
+    OPENSSL_free(tmp_buf);
+
+    return ret;
+}
+
+static krb5_error_code
+cbc_decr(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output)
+{
+    int ret = 0;
+    int tmp_len = 0;
+    unsigned char   *key_buf = NULL;
+    unsigned char   *tmp_buf = NULL;
+    EVP_CIPHER_CTX  ciph_ctx;
+
+
+    key_buf = OPENSSL_malloc(key->length);
+    if (!key_buf)
+        return ENOMEM;
+    tmp_len = input->length;
+    tmp_buf = OPENSSL_malloc(input->length);
+    if (!tmp_buf){
+        OPENSSL_free(key_buf);
+        return ENOMEM;
+    }
+    memcpy(key_buf, key->contents, key->length);
+
+    EVP_CIPHER_CTX_init(&ciph_ctx);
+
+    if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH)) {
+        ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->length),
+                                 NULL, key_buf, (unsigned char*)ivec->data);
+    } else
+        ret = EVP_DecryptInit_ex(&ciph_ctx, map_mode(key->length),
+                                 NULL, key_buf, NULL);
+
+    if (ret == 1) {
+        EVP_CIPHER_CTX_set_padding(&ciph_ctx,0); 
+        ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
+                           (unsigned char *)input->data, input->length);
+        output->length = tmp_len;
+        if (ret == 1)
+            ret = EVP_DecryptFinal_ex(&ciph_ctx,tmp_buf+tmp_len,&tmp_len);
+    }
+
+    EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+    if (ret == 1) {
+        output->length += tmp_len;
+        memcpy(output->data, tmp_buf, output->length);
+        ret = 0;
+    } else {
+        ret = KRB5_CRYPTO_INTERNAL;
+    }
+
+    OPENSSL_free(key_buf);
+    OPENSSL_free(tmp_buf);
+
+    return ret;
+}
+
+static krb5_error_code
+cts_enc(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output)
+{
+    size_t          size = 0;
+    int             ret = 0, tmp_len = 0;
+    unsigned char   iv_cts[EVP_MAX_IV_LENGTH*4];
+    unsigned char  *tmp_buf = NULL;
+    AES_KEY         enck;
+
+    memset(iv_cts,0,sizeof(iv_cts));
+    if (ivec && ivec->data && (ivec->length <= sizeof(iv_cts)))  
+        memcpy(iv_cts, ivec->data,ivec->length);
+
+    tmp_buf = OPENSSL_malloc(input->length);
+    if (!tmp_buf)
+        return ENOMEM;
+    tmp_len = input->length;
+
+    AES_set_encrypt_key(key->contents, 8*key->length, &enck);
+
+    size = CRYPTO_cts128_encrypt((unsigned char *)input->data, tmp_buf,
+                        input->length, &enck,
+                        iv_cts, (cbc128_f)AES_cbc_encrypt);
+
+    if (size <= 0 || output->length < size) {
+        ret = KRB5_CRYPTO_INTERNAL;
+    } else {
+        output->length = size;
+        memcpy(output->data, tmp_buf, output->length);
+        ret = 0;
+    }
+
+    OPENSSL_free(tmp_buf);
+
+    return ret;
+}
+
+static krb5_error_code
+cts_decr(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output)
+{
+    size_t size = 0;
+    int    ret = 0, tmp_len = 0;
+    unsigned char   iv_cts[EVP_MAX_IV_LENGTH*4];
+    unsigned char  *tmp_buf = NULL;
+    AES_KEY         deck;
+
+    memset(iv_cts,0,EVP_MAX_IV_LENGTH*4);
+    if (ivec && ivec->data && (ivec->length <= EVP_MAX_IV_LENGTH))
+        memcpy(iv_cts, ivec->data,ivec->length);
+
+    tmp_buf = OPENSSL_malloc(input->length);
+    if (!tmp_buf)
+        return ENOMEM;
+    tmp_len = input->length;
+
+    AES_set_decrypt_key(key->contents, 8*key->length, &deck);
+
+    size = CRYPTO_cts128_decrypt((unsigned char *)input->data, tmp_buf,
+                        input->length, &deck,
+                        iv_cts, (cbc128_f)AES_cbc_encrypt);
+
+
+    if (size <= 0 || output->length < size) {
+        ret = KRB5_CRYPTO_INTERNAL;
+    } else {
+        output->length = size + 16;
+        memcpy(output->data, tmp_buf, output->length);
+        ret = 0;
+    }
+
+    OPENSSL_free(tmp_buf);
+
+    return ret;
+}
+
+krb5_error_code
+krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output)
+{
+    int  ret = 0;
+
+    if ( input->length < BLOCK_SIZE * 2) {
+
+        ret = cbc_enc(key, ivec, input, output);
+
+    } else {
+
+        ret = cts_enc(key, ivec, input, output);
+    }
+
+    return ret;
+}
+
+krb5_error_code
+krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+		    const krb5_data *input, krb5_data *output)
+{
+    int ret = 0;
+
+    if ( input->length < BLOCK_SIZE*2) {
+
+        ret = cbc_decr(key, ivec, input, output);
+
+    } else {
+
+        ret = cts_decr(key, ivec, input, output);
+
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+		        const krb5_data *ivec,
+		        krb5_crypto_iov *data,
+		        size_t num_data)
+{
+    aes_ctx ctx;
+    char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
+    int nblocks = 0, blockno;
+    size_t input_length, i;
+
+    if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+	abort();
+
+    if (ivec != NULL)
+	memcpy(tmp, ivec->data, BLOCK_SIZE);
+    else
+	memset(tmp, 0, BLOCK_SIZE);
+
+    for (i = 0, input_length = 0; i < num_data; i++) {
+	krb5_crypto_iov *iov = &data[i];
+
+	if (ENCRYPT_IOV(iov))
+	    input_length += iov->data.length;
+    }
+
+    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+    assert(nblocks > 1);
+
+    {
+	char blockN2[BLOCK_SIZE];   /* second last */
+	char blockN1[BLOCK_SIZE];   /* last block */
+	struct iov_block_state input_pos, output_pos;
+
+	IOV_BLOCK_STATE_INIT(&input_pos);
+	IOV_BLOCK_STATE_INIT(&output_pos);
+
+	for (blockno = 0; blockno < nblocks - 2; blockno++) {
+	    char blockN[BLOCK_SIZE];
+
+	    krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+	    xorblock(tmp, blockN);
+	    enc(tmp2, tmp, &ctx);
+	    krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+
+	    /* Set up for next block.  */
+	    memcpy(tmp, tmp2, BLOCK_SIZE);
+	}
+
+	/* Do final CTS step for last two blocks (the second of which
+	   may or may not be incomplete).  */
+
+	/* First, get the last two blocks */
+	memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+	krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+	krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+	/* Encrypt second last block */
+	xorblock(tmp, blockN2);
+	enc(tmp2, tmp, &ctx);
+	memcpy(blockN2, tmp2, BLOCK_SIZE); /* blockN2 now contains first block */
+	memcpy(tmp, tmp2, BLOCK_SIZE);
+
+	/* Encrypt last block */
+	xorblock(tmp, blockN1);
+	enc(tmp2, tmp, &ctx);
+	memcpy(blockN1, tmp2, BLOCK_SIZE);
+
+	/* Put the last two blocks back into the iovec (reverse order) */
+	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+
+	if (ivec != NULL)
+	    memcpy(ivec->data, blockN1, BLOCK_SIZE);
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+		        const krb5_data *ivec,
+		        krb5_crypto_iov *data,
+		        size_t num_data)
+{
+    aes_ctx ctx;
+    char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
+    int nblocks = 0, blockno;
+    unsigned int i;
+    size_t input_length;
+
+    if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+	abort();
+
+    if (ivec != NULL)
+	memcpy(tmp, ivec->data, BLOCK_SIZE);
+    else
+	memset(tmp, 0, BLOCK_SIZE);
+
+    for (i = 0, input_length = 0; i < num_data; i++) {
+	krb5_crypto_iov *iov = &data[i];
+
+	if (ENCRYPT_IOV(iov))
+	    input_length += iov->data.length;
+    }
+
+    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+
+    assert(nblocks > 1);
+
+    {
+	char blockN2[BLOCK_SIZE];   /* second last */
+	char blockN1[BLOCK_SIZE];   /* last block */
+	struct iov_block_state input_pos, output_pos;
+
+	IOV_BLOCK_STATE_INIT(&input_pos);
+	IOV_BLOCK_STATE_INIT(&output_pos);
+
+	for (blockno = 0; blockno < nblocks - 2; blockno++) {
+	    char blockN[BLOCK_SIZE];
+
+	    krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
+	    dec(tmp2, blockN, &ctx);
+	    xorblock(tmp2, tmp);
+	    krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
+	    memcpy(tmp, blockN, BLOCK_SIZE);
+	}
+
+	/* Do last two blocks, the second of which (next-to-last block
+	   of plaintext) may be incomplete.  */
+
+	/* First, get the last two encrypted blocks */
+	memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
+	krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
+	krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
+
+	/* Decrypt second last block */
+	dec(tmp2, blockN2, &ctx);
+	/* Set tmp2 to last (possibly partial) plaintext block, and
+	   save it.  */
+	xorblock(tmp2, blockN1);
+	memcpy(blockN2, tmp2, BLOCK_SIZE);
+
+	/* Maybe keep the trailing part, and copy in the last
+	   ciphertext block.  */
+	input_length %= BLOCK_SIZE;
+	memcpy(tmp2, blockN1, input_length ? input_length : BLOCK_SIZE);
+	dec(tmp3, tmp2, &ctx);
+	xorblock(tmp3, tmp);
+	/* Copy out ivec first before we clobber blockN1 with plaintext */
+	if (ivec != NULL)
+	    memcpy(ivec->data, blockN1, BLOCK_SIZE);
+	memcpy(blockN1, tmp3, BLOCK_SIZE);
+
+	/* Put the last two blocks back into the iovec */
+	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
+	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+krb5int_aes_init_state (const krb5_keyblock *key, krb5_keyusage usage,
+			krb5_data *state)
+{
+    state->length = 16;
+    state->data = (void *) malloc(16);
+    if (state->data == NULL)
+	return ENOMEM;
+    memset(state->data, 0, state->length);
+    return 0;
+}
+
+const struct krb5_enc_provider krb5int_enc_aes128 = {
+    16,
+    16, 16,
+    krb5int_aes_encrypt,
+    krb5int_aes_decrypt,
+    krb5int_aes_make_key,
+    krb5int_aes_init_state,
+    krb5int_default_free_state,
+    krb5int_aes_encrypt_iov,
+    krb5int_aes_decrypt_iov
+};
+
+const struct krb5_enc_provider krb5int_enc_aes256 = {
+    16,
+    32, 32,
+    krb5int_aes_encrypt,
+    krb5int_aes_decrypt,
+    krb5int_aes_make_key,
+    krb5int_aes_init_state,
+    krb5int_default_free_state,
+    krb5int_aes_encrypt_iov,
+    krb5int_aes_decrypt_iov
+};
+



From tsitkova at MIT.EDU  Thu Oct  1 17:46:57 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Thu, 1 Oct 2009 17:46:57 -0400
Subject: svn rev #22821: trunk/src/lib/crypto/openssl/des/ 
Message-ID: <200910012146.n91Lkvs5019690@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22821
Commit By: tsitkova
Log Message:
Crypto modularity proj: Populate openssl/des dir.
To avoid breaking the export list some functions (mostly mit_xxx) are left in place with the disabled functionality.




Changed Files:
A   trunk/src/lib/crypto/openssl/des/afsstring2key.c
A   trunk/src/lib/crypto/openssl/des/d3_aead.c
A   trunk/src/lib/crypto/openssl/des/d3_cbc.c
A   trunk/src/lib/crypto/openssl/des/d3_kysched.c
A   trunk/src/lib/crypto/openssl/des/des_int.h
A   trunk/src/lib/crypto/openssl/des/f_aead.c
A   trunk/src/lib/crypto/openssl/des/f_cbc.c
A   trunk/src/lib/crypto/openssl/des/f_cksum.c
A   trunk/src/lib/crypto/openssl/des/f_parity.c
A   trunk/src/lib/crypto/openssl/des/f_sched.c
A   trunk/src/lib/crypto/openssl/des/f_tables.c
A   trunk/src/lib/crypto/openssl/des/f_tables.h
A   trunk/src/lib/crypto/openssl/des/key_sched.c
A   trunk/src/lib/crypto/openssl/des/string2key.c
A   trunk/src/lib/crypto/openssl/des/weak_key.c
Added: trunk/src/lib/crypto/openssl/des/afsstring2key.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/afsstring2key.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/afsstring2key.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,27 @@
+/* lib/crypto/openss/des/afsstring2key.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "k5-int.h"
+#include "des_int.h"
+#include <ctype.h>
+
+krb5_error_code
+mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data,
+		       const krb5_data *salt)
+{
+    return KRB5_CRYPTO_INTERNAL; 
+}
+char *
+mit_afs_crypt(const char *pw, const char *salt,
+                char *iobuf)
+{
+    /* Unsupported operation */
+    return NULL;
+}
+
+

Added: trunk/src/lib/crypto/openssl/des/d3_aead.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/d3_aead.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/d3_aead.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,34 @@
+/* lib/crypto/openssl/des/d3_aead.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+#include "des_int.h"
+#include "aead.h"
+
+void
+krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
+			     unsigned long num_data,
+			     const mit_des_key_schedule ks1,
+			     const mit_des_key_schedule ks2,
+			     const mit_des_key_schedule ks3,
+			     mit_des_cblock ivec)
+{
+    /* Unsupported operation */
+    abort();
+}
+
+void
+krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
+			     unsigned long num_data,
+			     const mit_des_key_schedule ks1,
+			     const mit_des_key_schedule ks2,
+			     const mit_des_key_schedule ks3,
+			     mit_des_cblock ivec)
+{
+    /* Unsupported operation */
+    abort();
+}
+

Added: trunk/src/lib/crypto/openssl/des/d3_cbc.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/d3_cbc.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/d3_cbc.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,51 @@
+/* lib/crypto/openssl/des/d3_cbc.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+#include "des_int.h"
+
+/*
+ * Triple-DES CBC encryption mode.
+ */
+
+#undef mit_des3_cbc_encrypt
+int
+mit_des3_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+		     unsigned long length, const mit_des_key_schedule ks1,
+		     const mit_des_key_schedule ks2,
+		     const mit_des_key_schedule ks3,
+		     const mit_des_cblock ivec, int enc)
+{
+    /* Unsupported operation */
+    return KRB5_CRYPTO_INTERNAL;
+}
+
+void
+krb5int_des3_cbc_encrypt(const mit_des_cblock *input,
+			 mit_des_cblock *output,
+			 unsigned long length,
+			 const mit_des_key_schedule key,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec)
+{
+    /* Unsupported operation */
+    abort();
+}
+
+void
+krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
+			 mit_des_cblock *out,
+			 unsigned long length,
+			 const mit_des_key_schedule ks1,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec)
+{
+    /* Unsupported operation */
+    abort();
+}
+

Added: trunk/src/lib/crypto/openssl/des/d3_kysched.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/d3_kysched.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/d3_kysched.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,18 @@
+/* lib/crypto/openssl/des/d3_kysched.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+
+int
+mit_des3_key_sched(mit_des3_cblock k, mit_des3_key_schedule schedule)
+{
+    /* Unsupported operation */
+    return KRB5_CRYPTO_INTERNAL;
+}
+
+

Added: trunk/src/lib/crypto/openssl/des/des_int.h
===================================================================
--- trunk/src/lib/crypto/openssl/des/des_int.h	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/des_int.h	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,377 @@
+/*
+ * lib/crypto/des/des_int.h
+ *
+ * Copyright 1987, 1988, 1990, 2002 by the Massachusetts Institute of
+ * Technology.  All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * Private include file for the Data Encryption Standard library.
+ */
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ * 
+ * All rights reserved.
+ * 
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government.  It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  FundsXpress makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/* only do the whole thing once	 */
+#ifndef DES_INTERNAL_DEFS
+#define DES_INTERNAL_DEFS
+
+#include "k5-int.h"
+/*
+ * Begin "mit-des.h"
+ */
+#ifndef KRB5_MIT_DES__
+#define KRB5_MIT_DES__
+
+#if defined(__MACH__) && defined(__APPLE__)
+#include <TargetConditionals.h>
+#include <AvailabilityMacros.h>
+#if TARGET_RT_MAC_CFM
+#error "Use KfM 4.0 SDK headers for CFM compilation."
+#endif
+#if defined(DEPRECATED_IN_MAC_OS_X_VERSION_10_5) && !defined(KRB5_SUPRESS_DEPRECATED_WARNINGS)
+#define KRB5INT_DES_DEPRECATED DEPRECATED_IN_MAC_OS_X_VERSION_10_5
+#endif
+#endif /* defined(__MACH__) && defined(__APPLE__) */
+
+/* Macro to add deprecated attribute to DES types and functions */
+/* Currently only defined on Mac OS X 10.5 and later.           */
+#ifndef KRB5INT_DES_DEPRECATED
+#define KRB5INT_DES_DEPRECATED
+#endif
+
+#include <limits.h>
+
+#if UINT_MAX >= 0xFFFFFFFFUL
+#define DES_INT32 int
+#define DES_UINT32 unsigned int
+#else
+#define DES_INT32 long
+#define DES_UINT32 unsigned long
+#endif
+
+typedef unsigned char des_cblock[8] 	/* crypto-block size */
+KRB5INT_DES_DEPRECATED;
+
+/*
+ * Key schedule.
+ *
+ * This used to be
+ *
+ * typedef struct des_ks_struct {
+ *     union { DES_INT32 pad; des_cblock _;} __;
+ * } des_key_schedule[16];
+ *
+ * but it would cause trouble if DES_INT32 were ever more than 4
+ * bytes.  The reason is that all the encryption functions cast it to
+ * (DES_INT32 *), and treat it as if it were DES_INT32[32].  If
+ * 2*sizeof(DES_INT32) is ever more than sizeof(des_cblock), the
+ * caller-allocated des_key_schedule will be overflowed by the key
+ * scheduling functions.  We can't assume that every platform will
+ * have an exact 32-bit int, and nothing should be looking inside a
+ * des_key_schedule anyway.
+ */
+typedef struct des_ks_struct {  DES_INT32 _[2]; } des_key_schedule[16] 
+KRB5INT_DES_DEPRECATED;
+
+typedef des_cblock mit_des_cblock;
+typedef des_key_schedule mit_des_key_schedule;
+
+/* Triple-DES structures */
+typedef mit_des_cblock		mit_des3_cblock[3];
+typedef mit_des_key_schedule	mit_des3_key_schedule[3];
+
+#define MIT_DES_ENCRYPT	1
+#define MIT_DES_DECRYPT	0
+
+typedef struct mit_des_ran_key_seed {
+    krb5_encrypt_block eblock;
+    krb5_data sequence;
+} mit_des_random_state;
+
+/* the first byte of the key is already in the keyblock */
+
+#define MIT_DES_BLOCK_LENGTH 		(8*sizeof(krb5_octet))
+#define	MIT_DES_CBC_CRC_PAD_MINIMUM	CRC32_CKSUM_LENGTH
+/* This used to be 8*sizeof(krb5_octet) */
+#define MIT_DES_KEYSIZE		 	8
+
+#define MIT_DES_CBC_CKSUM_LENGTH	(4*sizeof(krb5_octet))
+
+/*
+ * Check if k5-int.h has been included before us.  If so, then check to see
+ * that our view of the DES key size is the same as k5-int.h's.
+ */
+#ifdef	KRB5_MIT_DES_KEYSIZE
+#if	MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
+error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
+#endif	/* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
+#endif	/* KRB5_MIT_DES_KEYSIZE */
+#endif /* KRB5_MIT_DES__ */
+/*
+ * End "mit-des.h"
+ */
+
+/* afsstring2key.c */
+extern krb5_error_code mit_afs_string_to_key
+	(krb5_keyblock *keyblock,
+		   const krb5_data *data,
+		   const krb5_data *salt);
+extern char *mit_afs_crypt
+    (const char *pw, const char *salt, char *iobuf);
+
+/* f_cksum.c */
+extern unsigned long mit_des_cbc_cksum
+    (const krb5_octet *, krb5_octet *, unsigned long ,
+     const mit_des_key_schedule, const krb5_octet *);
+
+/* f_ecb.c */
+extern int mit_des_ecb_encrypt
+    (const mit_des_cblock *, mit_des_cblock *, mit_des_key_schedule , int );
+
+/* f_cbc.c */
+extern int mit_des_cbc_encrypt (const mit_des_cblock *in,
+				mit_des_cblock *out,
+				unsigned long length,
+				const mit_des_key_schedule schedule,
+				const mit_des_cblock ivec, int enc);
+    
+#define mit_des_zeroblock krb5int_c_mit_des_zeroblock
+extern const mit_des_cblock mit_des_zeroblock;
+
+/* fin_rndkey.c */
+extern krb5_error_code mit_des_finish_random_key
+    ( const krb5_encrypt_block *,
+		krb5_pointer *);
+
+/* finish_key.c */
+extern krb5_error_code mit_des_finish_key
+    ( krb5_encrypt_block *);
+
+/* init_rkey.c */
+extern krb5_error_code mit_des_init_random_key
+    ( const krb5_encrypt_block *,
+		const krb5_keyblock *,
+		krb5_pointer *);
+
+/* key_parity.c */
+extern void mit_des_fixup_key_parity (mit_des_cblock );
+extern int mit_des_check_key_parity (mit_des_cblock );
+
+/* key_sched.c */
+extern int mit_des_key_sched
+    (mit_des_cblock , mit_des_key_schedule );
+
+/* process_ky.c */
+extern krb5_error_code mit_des_process_key
+    ( krb5_encrypt_block *,  const krb5_keyblock *);
+
+/* random_key.c */
+extern krb5_error_code mit_des_random_key
+    ( const krb5_encrypt_block *, krb5_pointer ,
+                krb5_keyblock **);
+
+/* string2key.c */
+extern krb5_error_code mit_des_string_to_key
+    ( const krb5_encrypt_block *, 
+	       krb5_keyblock *, const krb5_data *, const krb5_data *);
+extern krb5_error_code mit_des_string_to_key_int
+	(krb5_keyblock *, const krb5_data *, const krb5_data *);
+
+/* weak_key.c */
+extern int mit_des_is_weak_key (mit_des_cblock );
+
+/* cmb_keys.c */
+krb5_error_code mit_des_combine_subkeys
+    (const krb5_keyblock *, const krb5_keyblock *,
+	       krb5_keyblock **);
+
+/* f_pcbc.c */
+int mit_des_pcbc_encrypt ();
+
+/* f_sched.c */
+int mit_des_make_key_sched(mit_des_cblock, mit_des_key_schedule);
+
+
+/* misc.c */
+extern void swap_bits (char *);
+extern unsigned long long_swap_bits (unsigned long );
+extern unsigned long swap_six_bits_to_ansi (unsigned long );
+extern unsigned long swap_four_bits_to_ansi (unsigned long );
+extern unsigned long swap_bit_pos_1 (unsigned long );
+extern unsigned long swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_bit_pos_0_to_ansi (unsigned long );
+extern unsigned long rev_swap_bit_pos_0 (unsigned long );
+extern unsigned long swap_byte_bits (unsigned long );
+extern unsigned long swap_long_bytes_bit_number (unsigned long );
+#ifdef FILE
+/* XXX depends on FILE being a #define! */
+extern void test_set (FILE *, const char *, int, const char *, int);
+#endif
+
+/* d3_ecb.c */
+extern int mit_des3_ecb_encrypt
+	(const mit_des_cblock *in,
+		   mit_des_cblock *out,
+		   mit_des_key_schedule sched1,
+		   mit_des_key_schedule sched2,
+		   mit_des_key_schedule sched3,
+		   int enc);
+
+/* d3_cbc.c */
+extern int mit_des3_cbc_encrypt
+	(const mit_des_cblock *in,
+	 mit_des_cblock *out,
+	 unsigned long length,
+	 const mit_des_key_schedule ks1,
+	 const mit_des_key_schedule ks2,
+	 const mit_des_key_schedule ks3,
+	 const mit_des_cblock ivec,
+	 int enc);
+
+void
+krb5int_des3_cbc_encrypt(const mit_des_cblock *in,
+			 mit_des_cblock *out,
+			 unsigned long length,
+			 const mit_des_key_schedule ks1,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec);
+void
+krb5int_des3_cbc_decrypt(const mit_des_cblock *in,
+			 mit_des_cblock *out,
+			 unsigned long length,
+			 const mit_des_key_schedule ks1,
+			 const mit_des_key_schedule ks2,
+			 const mit_des_key_schedule ks3,
+			 const mit_des_cblock ivec);
+
+void
+krb5int_des3_cbc_encrypt_iov(krb5_crypto_iov *data,
+			     unsigned long num_data,
+			     const mit_des_key_schedule ks1,
+			     const mit_des_key_schedule ks2,
+			     const mit_des_key_schedule ks3,
+			     mit_des_cblock ivec);
+
+void
+krb5int_des3_cbc_decrypt_iov(krb5_crypto_iov *data,
+			     unsigned long num_data,
+			     const mit_des_key_schedule ks1,
+			     const mit_des_key_schedule ks2,
+			     const mit_des_key_schedule ks3,
+			     mit_des_cblock ivec);
+
+#define mit_des3_cbc_encrypt(in,out,length,ks1,ks2,ks3,ivec,enc) \
+    ((enc ? krb5int_des3_cbc_encrypt : krb5int_des3_cbc_decrypt) \
+     (in, out, length, ks1, ks2, ks3, ivec), 0)
+
+void
+krb5int_des_cbc_encrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec);
+void
+krb5int_des_cbc_decrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec);
+
+#define mit_des_cbc_encrypt(in,out,length,schedule,ivec,enc) \
+    ((enc ? krb5int_des_cbc_encrypt : krb5int_des_cbc_decrypt) \
+     (in, out, length, schedule, ivec), 0)
+
+void
+krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
+			    unsigned long num_data,
+			    const mit_des_key_schedule schedule,
+			    mit_des_cblock ivec);
+
+void
+krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
+			    unsigned long num_data,
+			    const mit_des_key_schedule schedule,
+			    mit_des_cblock ivec);
+
+/* d3_procky.c */
+extern krb5_error_code mit_des3_process_key
+	(krb5_encrypt_block * eblock,
+		   const krb5_keyblock * keyblock);
+
+/* d3_kysched.c */
+extern int mit_des3_key_sched
+	(mit_des3_cblock key,
+		   mit_des3_key_schedule schedule);
+
+/* d3_str2ky.c */
+extern krb5_error_code mit_des3_string_to_key
+	(const krb5_encrypt_block * eblock,
+		   krb5_keyblock * keyblock,
+		   const krb5_data * data,
+		   const krb5_data * salt);
+
+/* u_nfold.c */
+extern krb5_error_code mit_des_n_fold
+	(const krb5_octet * input,
+		   const size_t in_len,
+		   krb5_octet * output,
+		   const size_t out_len);
+
+/* u_rn_key.c */
+extern int mit_des_is_weak_keyblock
+	(krb5_keyblock *keyblock);
+
+extern void mit_des_fixup_keyblock_parity
+	(krb5_keyblock *keyblock);
+
+extern krb5_error_code mit_des_set_random_generator_seed
+	(const krb5_data * seed,
+		   krb5_pointer random_state);
+
+extern krb5_error_code mit_des_set_random_sequence_number
+	(const krb5_data * sequence,
+		   krb5_pointer random_state);
+#endif	/*DES_INTERNAL_DEFS*/

Added: trunk/src/lib/crypto/openssl/des/f_aead.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/f_aead.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/f_aead.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,33 @@
+/* lib/crypto/openssl/des/f_aead.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+#include "aead.h"
+
+
+void
+krb5int_des_cbc_encrypt_iov(krb5_crypto_iov *data,
+			    unsigned long num_data,
+			    const mit_des_key_schedule schedule,
+			    mit_des_cblock ivec)
+{
+    /* Unsupported operation */
+    abort(); 
+}
+
+void
+krb5int_des_cbc_decrypt_iov(krb5_crypto_iov *data,
+			    unsigned long num_data,
+         		    const mit_des_key_schedule schedule,
+                            mit_des_cblock iv)
+{
+    /* Unsupported operation */
+    abort(); 
+}
+
+

Added: trunk/src/lib/crypto/openssl/des/f_cbc.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/f_cbc.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/f_cbc.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,89 @@
+/*
+ * lib/crypto/openssldes/f_cbc.c
+ *
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ *
+ * DES implementation donated by Dennis Ferguson
+ */
+
+/*
+ * des_cbc_encrypt.c - an implementation of the DES cipher function in cbc mode
+ */
+#include "des_int.h"
+
+/*
+ * des_cbc_encrypt - {en,de}crypt a stream in CBC mode
+ */
+
+/*
+ * This routine performs DES cipher-block-chaining operation, either
+ * encrypting from cleartext to ciphertext, if encrypt != 0 or
+ * decrypting from ciphertext to cleartext, if encrypt == 0.
+ *
+ * The key schedule is passed as an arg, as well as the cleartext or
+ * ciphertext.  The cleartext and ciphertext should be in host order.
+ *
+ * NOTE-- the output is ALWAYS an multiple of 8 bytes long.  If not
+ * enough space was provided, your program will get trashed.
+ *
+ * For encryption, the cleartext string is null padded, at the end, to
+ * an integral multiple of eight bytes.
+ *
+ * For decryption, the ciphertext will be used in integral multiples
+ * of 8 bytes, but only the first "length" bytes returned into the
+ * cleartext.
+ */
+
+const mit_des_cblock mit_des_zeroblock /* = all zero */;
+
+#undef mit_des_cbc_encrypt
+int
+mit_des_cbc_encrypt(const mit_des_cblock *in, mit_des_cblock *out,
+		    unsigned long length, const mit_des_key_schedule schedule,
+		    const mit_des_cblock ivec, int enc)
+{
+    /* Unsupported operation */
+    return KRB5_CRYPTO_INTERNAL;
+}
+void
+krb5int_des_cbc_encrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec)
+{
+    /* Unsupported operation */
+    abort();
+}
+
+void
+krb5int_des_cbc_decrypt(const mit_des_cblock *in,
+			mit_des_cblock *out,
+			unsigned long length,
+			const mit_des_key_schedule schedule,
+			const mit_des_cblock ivec)
+{
+    /* Unsupported operation */
+    abort();
+}
+

Added: trunk/src/lib/crypto/openssl/des/f_cksum.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/f_cksum.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/f_cksum.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,18 @@
+/*
+ * lib/crypto/openssl/des/f_cksum.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ */
+
+#include "des_int.h"
+
+unsigned long
+mit_des_cbc_cksum(const krb5_octet *in, krb5_octet *out,
+		  unsigned long length, const mit_des_key_schedule schedule,
+		  const krb5_octet *ivec)
+{
+    /* Unsupported operation */
+    return KRB5_CRYPTO_INTERNAL; 
+}
+

Added: trunk/src/lib/crypto/openssl/des/f_parity.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/f_parity.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/f_parity.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,29 @@
+/*
+ * lib/crypto/openssl/des/f_parity.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ */
+
+#include "des_int.h"
+#include <openssl/des.h>
+
+void
+mit_des_fixup_key_parity(mit_des_cblock key)
+{
+   DES_set_odd_parity(key);
+}
+
+/*
+ * des_check_key_parity: returns true iff key has the correct des parity.
+ *                       See des_fix_key_parity for the definition of
+ *                       correct des parity.
+ */
+int
+mit_des_check_key_parity(mit_des_cblock key)
+{
+    if (!DES_check_key_parity(key))
+                return(0);
+    return (1);
+}
+

Added: trunk/src/lib/crypto/openssl/des/f_sched.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/f_sched.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/f_sched.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,15 @@
+/*
+ * lib/crypto/openssl/des/f_sched.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ */
+
+#include "des_int.h"
+
+int
+mit_des_make_key_sched(mit_des_cblock key, mit_des_key_schedule schedule)
+{
+    return KRB5_CRYPTO_INTERNAL; // CRYPTO_UNSOPPERTED_OP
+}
+

Added: trunk/src/lib/crypto/openssl/des/f_tables.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/f_tables.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/f_tables.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,17 @@
+/*
+ * lib/crypto/openssl/des/f_tables.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+#include "f_tables.h"
+
+const unsigned DES_INT32 des_IP_table[] = {};
+const unsigned DES_INT32 des_FP_table[] = {};
+const unsigned DES_INT32 des_SP_table[] = {};
+
+

Added: trunk/src/lib/crypto/openssl/des/f_tables.h
===================================================================
--- trunk/src/lib/crypto/openssl/des/f_tables.h	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/f_tables.h	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,9 @@
+/*
+ * lib/crypto/des/f_tables.h
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+

Added: trunk/src/lib/crypto/openssl/des/key_sched.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/key_sched.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/key_sched.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,18 @@
+/*
+ * lib/crypto/openssl/des/key_sched.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+
+int
+mit_des_key_sched(mit_des_cblock k, mit_des_key_schedule schedule)
+{
+    /* Unsupported operation */
+    return KRB5_CRYPTO_INTERNAL; 
+}
+

Added: trunk/src/lib/crypto/openssl/des/string2key.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/string2key.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/string2key.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,26 @@
+/*
+ * lib/crypto/openssl/des/string2key.c
+ *
+ * Copyright 2009 by the Massachusetts Institute
+ * of Technology.
+ * All Rights Reserved.
+ *
+ */
+
+#include "des_int.h"
+#include <openssl/des.h>
+
+
+krb5_error_code
+mit_des_string_to_key_int (krb5_keyblock *key,
+			   const krb5_data *pw, const krb5_data *salt)
+{
+    DES_cblock outkey;
+    DES_string_to_key(pw->data, &outkey);
+    if ( key->length <  sizeof(outkey))
+        return KRB5_CRYPTO_INTERNAL;
+    key->length = sizeof(outkey);
+    memcpy(key->contents, outkey, key->length); 
+    return 0;
+}
+

Added: trunk/src/lib/crypto/openssl/des/weak_key.c
===================================================================
--- trunk/src/lib/crypto/openssl/des/weak_key.c	2009-10-01 21:18:05 UTC (rev 22820)
+++ trunk/src/lib/crypto/openssl/des/weak_key.c	2009-10-01 21:46:57 UTC (rev 22821)
@@ -0,0 +1,87 @@
+/*
+ * lib/crypto/openssl/des/weak_key.c
+ *
+ * Copyright 1989,1990,2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * Under U.S. law, this software may not be exported outside the US
+ * without license from the U.S. Commerce department.
+ *
+ * These routines form the library interface to the DES facilities.
+ *
+ * Originally written 8/85 by Steve Miller, MIT Project Athena.
+ */
+
+#include "des_int.h"
+
+/*
+ * The following are the weak DES keys:
+ */
+static const mit_des_cblock weak[16] = {
+    /* weak keys */
+    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
+    {0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe,0xfe},
+    {0x1f,0x1f,0x1f,0x1f,0x0e,0x0e,0x0e,0x0e},
+    {0xe0,0xe0,0xe0,0xe0,0xf1,0xf1,0xf1,0xf1},
+
+    /* semi-weak */
+    {0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe},
+    {0xfe,0x01,0xfe,0x01,0xfe,0x01,0xfe,0x01},
+
+    {0x1f,0xe0,0x1f,0xe0,0x0e,0xf1,0x0e,0xf1},
+    {0xe0,0x1f,0xe0,0x1f,0xf1,0x0e,0xf1,0x0e},
+
+    {0x01,0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1},
+    {0xe0,0x01,0xe0,0x01,0xf1,0x01,0xf1,0x01},
+
+    {0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e,0xfe},
+    {0xfe,0x1f,0xfe,0x1f,0xfe,0x0e,0xfe,0x0e},
+
+    {0x01,0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e},
+    {0x1f,0x01,0x1f,0x01,0x0e,0x01,0x0e,0x01},
+
+    {0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1,0xfe},
+    {0xfe,0xe0,0xfe,0xe0,0xfe,0xf1,0xfe,0xf1}
+};
+
+/*
+ * mit_des_is_weak_key: returns true iff key is a [semi-]weak des key.
+ *
+ * Requires: key has correct odd parity.
+ */
+int
+mit_des_is_weak_key(mit_des_cblock key)
+{
+    unsigned int i;
+    const mit_des_cblock *weak_p = weak;
+
+    for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) {
+	if (!memcmp(weak_p++,key,sizeof(mit_des_cblock)))  
+	    return 1;
+    }
+    if ( DES_is_weak_key(key) == 1) /* Also OpenSSL's check */
+	    return 1;
+
+    return 0;
+}
+



From tsitkova at MIT.EDU  Thu Oct  1 18:54:28 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Thu, 1 Oct 2009 18:54:28 -0400
Subject: svn rev #22825: trunk/src/lib/crypto/openssl/arcfour/ 
Message-ID: <200910012254.n91MsSOS024841@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22825
Commit By: tsitkova
Log Message:
Crypto modularity proj: Populae openssl/arcfour dir



Changed Files:
A   trunk/src/lib/crypto/openssl/arcfour/arcfour-int.h
A   trunk/src/lib/crypto/openssl/arcfour/arcfour.c
A   trunk/src/lib/crypto/openssl/arcfour/arcfour.h
A   trunk/src/lib/crypto/openssl/arcfour/arcfour_aead.c
A   trunk/src/lib/crypto/openssl/arcfour/arcfour_s2k.c
Added: trunk/src/lib/crypto/openssl/arcfour/arcfour-int.h
===================================================================
--- trunk/src/lib/crypto/openssl/arcfour/arcfour-int.h	2009-10-01 22:31:39 UTC (rev 22824)
+++ trunk/src/lib/crypto/openssl/arcfour/arcfour-int.h	2009-10-01 22:54:27 UTC (rev 22825)
@@ -0,0 +1,35 @@
+/*
+
+ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95).
+This cipher is widely believed and has been tested to be equivalent
+with the RC4 cipher from RSA Data Security, Inc.  (RC4 is a trademark
+of RSA Data Security)
+
+*/
+#ifndef ARCFOUR_INT_H
+#define ARCFOUR_INT_H
+
+#include "arcfour.h"
+#include <openssl/evp.h>
+
+#define CONFOUNDERLENGTH 8
+
+typedef struct
+{
+    EVP_CIPHER_CTX  evp_ctx;
+    unsigned int x;
+    unsigned int y;
+    unsigned char state[256]; 
+   
+} ArcfourContext;
+
+typedef struct {
+    int initialized;
+    ArcfourContext ctx;
+} ArcFourCipherState;
+
+krb5_keyusage krb5int_arcfour_translate_usage(krb5_keyusage usage);
+
+extern const char *const krb5int_arcfour_l40;
+
+#endif /* ARCFOUR_INT_H */

Added: trunk/src/lib/crypto/openssl/arcfour/arcfour.c
===================================================================
--- trunk/src/lib/crypto/openssl/arcfour/arcfour.c	2009-10-01 22:31:39 UTC (rev 22824)
+++ trunk/src/lib/crypto/openssl/arcfour/arcfour.c	2009-10-01 22:54:27 UTC (rev 22825)
@@ -0,0 +1,326 @@
+/*
+
+ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95).
+This cipher is widely believed and has been tested to be equivalent
+with the RC4 cipher from RSA Data Security, Inc.  (RC4 is a trademark
+of RSA Data Security)
+
+*/
+#include "k5-int.h"
+#include "arcfour-int.h"
+#include "hash_provider/hash_provider.h"
+
+const char *const krb5int_arcfour_l40 = "fortybits";
+
+void
+krb5_arcfour_encrypt_length(const struct krb5_enc_provider *enc,
+			    const struct krb5_hash_provider *hash,
+			    size_t inputlen, size_t *length)
+{
+  size_t blocksize, hashsize;
+
+  blocksize = enc->block_size;
+  hashsize = hash->hashsize;
+
+  /* checksum + (confounder + inputlen, in even blocksize) */
+  *length = hashsize + krb5_roundup(8 + inputlen, blocksize);
+}
+
+ krb5_keyusage
+ krb5int_arcfour_translate_usage(krb5_keyusage usage)
+{
+  switch (usage) {
+  case 1:			/* AS-REQ PA-ENC-TIMESTAMP padata timestamp,  */
+    return 1;
+  case 2:			/* ticket from kdc */
+    return 2;
+  case 3:			/* as-rep encrypted part */
+    return 8;
+  case 4:			/* tgs-req authz data */
+    return 4;
+  case 5:			/* tgs-req authz data in subkey */
+    return 5;
+  case 6:			/* tgs-req authenticator cksum */
+    return 6;
+case 7:				/* tgs-req authenticator */
+  return 7;
+    case 8:
+    return 8;
+  case 9:			/* tgs-rep encrypted with subkey */
+    return 9;
+  case 10:			/* ap-rep authentication cksum */
+    return 10;			/* xxx  Microsoft never uses this*/
+  case 11:			/* app-req authenticator */
+    return 11;
+  case 12:			/* app-rep encrypted part */
+    return 12;
+  case 23: /* sign wrap token*/
+    return 13;
+  default:
+      return usage;
+}
+}
+
+/* RFC 4757 */ 
+krb5_error_code
+krb5_arcfour_encrypt(const struct krb5_enc_provider *enc,
+		     const struct krb5_hash_provider *hash,
+		     const krb5_keyblock *key, krb5_keyusage usage,
+		     const krb5_data *ivec, const krb5_data *input,
+		     krb5_data *output)
+{
+  krb5_keyblock k1, k2, k3;
+  krb5_data d1, d2, d3, salt, plaintext, checksum, ciphertext, confounder;
+  krb5_keyusage ms_usage;
+  size_t keylength, keybytes, blocksize, hashsize;
+  krb5_error_code ret;
+
+  blocksize = enc->block_size;
+  keybytes = enc->keybytes;
+  keylength = enc->keylength;
+  hashsize = hash->hashsize;
+
+  d1.length=keybytes;
+  d1.data=malloc(d1.length);
+  if (d1.data == NULL)
+    return (ENOMEM);
+  k1 = *key;
+  k1.length=d1.length;
+  k1.contents= (void *) d1.data;
+
+  d2.length=keybytes;
+  d2.data=malloc(d2.length);
+  if (d2.data == NULL) {
+    free(d1.data);
+    return (ENOMEM);
+  }
+  k2 = *key;
+  k2.length=d2.length;
+  k2.contents=(void *) d2.data;
+
+  d3.length=keybytes;
+  d3.data=malloc(d3.length);
+  if (d3.data == NULL) {
+    free(d1.data);
+    free(d2.data);
+    return (ENOMEM);
+  }
+  k3 = *key;
+  k3.length=d3.length;
+  k3.contents= (void *) d3.data;
+
+  salt.length=14;
+  salt.data=malloc(salt.length);
+  if (salt.data == NULL) {
+    free(d1.data);
+    free(d2.data);
+    free(d3.data);
+    return (ENOMEM);
+  }
+
+  /* is "input" already blocksize aligned?  if it is, then we need this
+     step, otherwise we do not */
+  plaintext.length=krb5_roundup(input->length+CONFOUNDERLENGTH,blocksize);
+  plaintext.data=malloc(plaintext.length);
+  if (plaintext.data == NULL) {
+    free(d1.data);
+    free(d2.data);
+    free(d3.data);
+    free(salt.data);
+    return(ENOMEM);
+  }
+
+  /* setup convienient pointers into the allocated data */
+  checksum.length=hashsize;
+  checksum.data=output->data;
+  ciphertext.length=krb5_roundup(input->length+CONFOUNDERLENGTH,blocksize);
+  ciphertext.data=output->data+hashsize;
+  confounder.length=CONFOUNDERLENGTH;
+  confounder.data=plaintext.data;
+  output->length = plaintext.length+hashsize;
+
+  /* begin the encryption, computer K1 */
+  ms_usage=krb5int_arcfour_translate_usage(usage);
+  if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+    strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+    store_32_le(ms_usage, salt.data+10);
+  } else {
+    salt.length=4;
+    store_32_le(ms_usage, salt.data);
+  }
+  krb5_hmac(hash, key, 1, &salt, &d1);
+
+  memcpy(k2.contents, k1.contents, k2.length);
+
+  if (key->enctype==ENCTYPE_ARCFOUR_HMAC_EXP)
+    memset(k1.contents+7, 0xab, 9);
+
+  ret=krb5_c_random_make_octets(/* XXX */ 0, &confounder);
+  memcpy(plaintext.data+confounder.length, input->data, input->length);
+  if (ret)
+    goto cleanup;
+
+  krb5_hmac(hash, &k2, 1, &plaintext, &checksum);
+
+  krb5_hmac(hash, &k1, 1, &checksum, &d3);
+
+  ret=(*(enc->encrypt))(&k3, ivec, &plaintext, &ciphertext);
+
+ cleanup:
+  memset(d1.data, 0, d1.length);
+  memset(d2.data, 0, d2.length);
+  memset(d3.data, 0, d3.length);
+  memset(salt.data, 0, salt.length);
+  memset(plaintext.data, 0, plaintext.length);
+
+  free(d1.data);
+  free(d2.data);
+  free(d3.data);
+  free(salt.data);
+  free(plaintext.data);
+  return (ret);
+}
+
+/* This is the arcfour-hmac decryption routine */
+krb5_error_code
+krb5_arcfour_decrypt(const struct krb5_enc_provider *enc,
+		     const struct krb5_hash_provider *hash,
+		     const krb5_keyblock *key, krb5_keyusage usage,
+		     const krb5_data *ivec, const krb5_data *input,
+		     krb5_data *output)
+{
+  krb5_keyblock k1,k2,k3;
+  krb5_data d1,d2,d3,salt,ciphertext,plaintext,checksum;
+  krb5_keyusage ms_usage;
+  size_t keybytes, keylength, hashsize, blocksize;
+  krb5_error_code ret;
+
+  blocksize = enc->block_size;
+  keybytes = enc->keybytes;
+  keylength = enc->keylength;
+  hashsize = hash->hashsize;
+
+  d1.length=keybytes;
+  d1.data=malloc(d1.length);
+  if (d1.data == NULL)
+    return (ENOMEM);
+  k1 = *key;
+  k1.length=d1.length;
+  k1.contents= (void *) d1.data;
+
+  d2.length=keybytes;
+  d2.data=malloc(d2.length);
+  if (d2.data == NULL) {
+    free(d1.data);
+    return (ENOMEM);
+  }
+  k2 = *key;
+  k2.length=d2.length;
+  k2.contents= (void *) d2.data;
+
+  d3.length=keybytes;
+  d3.data=malloc(d3.length);
+  if  (d3.data == NULL) {
+    free(d1.data);
+    free(d2.data);
+    return (ENOMEM);
+  }
+  k3 = *key;
+  k3.length=d3.length;
+  k3.contents= (void *) d3.data;
+
+  salt.length=14;
+  salt.data=malloc(salt.length);
+  if(salt.data==NULL) {
+    free(d1.data);
+    free(d2.data);
+    free(d3.data);
+    return (ENOMEM);
+  }
+
+  ciphertext.length=input->length-hashsize;
+  ciphertext.data=input->data+hashsize;
+  plaintext.length=ciphertext.length;
+  plaintext.data=malloc(plaintext.length);
+  if (plaintext.data == NULL) {
+    free(d1.data);
+    free(d2.data);
+    free(d3.data);
+    free(salt.data);
+    return (ENOMEM);
+  }
+
+  checksum.length=hashsize;
+  checksum.data=input->data;
+
+  ms_usage=krb5int_arcfour_translate_usage(usage);
+
+  /* We may have to try two ms_usage values; see below. */
+  do {
+      /* compute the salt */
+      if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+	  strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+	  store_32_le(ms_usage, salt.data + 10);
+      } else {
+	  salt.length = 4;
+	  store_32_le(ms_usage, salt.data);
+      }
+      ret = krb5_hmac(hash, key, 1, &salt, &d1);
+      if (ret)
+	  goto cleanup;
+
+      memcpy(k2.contents, k1.contents, k2.length);
+
+      if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+	  memset(k1.contents + 7, 0xab, 9);
+
+      ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+      if (ret)
+	  goto cleanup;
+
+      ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext);
+      if (ret)
+	  goto cleanup;
+
+      ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1);
+      if (ret)
+	  goto cleanup;
+
+      if (memcmp(checksum.data, d1.data, hashsize) != 0) {
+	  if (ms_usage == 9) {
+	      /*
+	       * RFC 4757 specifies usage 8 for TGS-REP encrypted
+	       * parts encrypted in a subkey, but the value used by MS
+	       * is actually 9.  We now use 9 to start with, but fall
+	       * back to 8 on failure in case we are communicating
+	       * with a KDC using the value from the RFC.
+	       */
+	      ms_usage = 8;
+	      continue;
+	  }
+	  ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	  goto cleanup;
+      }
+
+      break;
+  } while (1);
+
+  memcpy(output->data, plaintext.data+CONFOUNDERLENGTH,
+	 (plaintext.length-CONFOUNDERLENGTH));
+  output->length=plaintext.length-CONFOUNDERLENGTH;
+
+ cleanup:
+  memset(d1.data, 0, d1.length);
+  memset(d2.data, 0, d2.length);
+  memset(d3.data, 0, d2.length);
+  memset(salt.data, 0, salt.length);
+  memset(plaintext.data, 0, plaintext.length);
+
+  free(d1.data);
+  free(d2.data);
+  free(d3.data);
+  free(salt.data);
+  free(plaintext.data);
+  return (ret);
+}
+

Added: trunk/src/lib/crypto/openssl/arcfour/arcfour.h
===================================================================
--- trunk/src/lib/crypto/openssl/arcfour/arcfour.h	2009-10-01 22:31:39 UTC (rev 22824)
+++ trunk/src/lib/crypto/openssl/arcfour/arcfour.h	2009-10-01 22:54:27 UTC (rev 22825)
@@ -0,0 +1,43 @@
+#ifndef ARCFOUR_H
+#define ARCFOUR_H
+
+extern void
+krb5_arcfour_encrypt_length(const struct krb5_enc_provider *,
+			const struct krb5_hash_provider *,
+			size_t,
+			size_t *);
+
+extern 
+krb5_error_code krb5_arcfour_encrypt(const struct krb5_enc_provider *,
+			const struct krb5_hash_provider *,
+			const krb5_keyblock *,
+			krb5_keyusage,
+			const krb5_data *,
+     			const krb5_data *,
+			krb5_data *);
+
+extern 
+krb5_error_code krb5_arcfour_decrypt(const struct krb5_enc_provider *,
+			const struct krb5_hash_provider *,
+			const krb5_keyblock *,
+			krb5_keyusage,
+			const krb5_data *,
+			const krb5_data *,
+			krb5_data *);
+
+extern krb5_error_code krb5int_arcfour_string_to_key(
+     const struct krb5_enc_provider *,
+     const krb5_data *,
+     const krb5_data *,
+     const krb5_data *,
+     krb5_keyblock *);
+
+extern const struct krb5_enc_provider krb5int_enc_arcfour;
+extern const struct krb5_aead_provider krb5int_aead_arcfour;
+ krb5_error_code krb5int_arcfour_prf(
+					 const struct krb5_enc_provider *enc,
+					 const struct krb5_hash_provider *hash,
+					 const krb5_keyblock *key,
+					 const krb5_data *in, krb5_data *out);
+
+#endif /* ARCFOUR_H */

Added: trunk/src/lib/crypto/openssl/arcfour/arcfour_aead.c
===================================================================
--- trunk/src/lib/crypto/openssl/arcfour/arcfour_aead.c	2009-10-01 22:31:39 UTC (rev 22824)
+++ trunk/src/lib/crypto/openssl/arcfour/arcfour_aead.c	2009-10-01 22:54:27 UTC (rev 22825)
@@ -0,0 +1,325 @@
+/*
+ * lib/crypto/arcfour/arcfour_aead.c
+ *
+ * Copyright 2008 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+
+#include "k5-int.h"
+#include "arcfour.h"
+#include "arcfour-int.h"
+#include "aead.h"
+
+/* AEAD */
+
+static krb5_error_code
+krb5int_arcfour_crypto_length(const struct krb5_aead_provider *aead,
+			      const struct krb5_enc_provider *enc,
+			      const struct krb5_hash_provider *hash,
+			      krb5_cryptotype type,
+			      unsigned int *length)
+{
+    switch (type) {
+    case KRB5_CRYPTO_TYPE_HEADER:
+	*length = hash->hashsize + CONFOUNDERLENGTH;
+	break;
+    case KRB5_CRYPTO_TYPE_PADDING:
+	*length = 0;
+	break;
+    case KRB5_CRYPTO_TYPE_TRAILER:
+	*length = 0;
+	break;
+    case KRB5_CRYPTO_TYPE_CHECKSUM:
+	*length = hash->hashsize;
+	break;
+    default:
+	assert(0 && "invalid cryptotype passed to krb5int_arcfour_crypto_length");
+	break;
+    }
+
+    return 0;
+}
+
+static krb5_error_code
+alloc_derived_key(const struct krb5_enc_provider *enc,
+		  krb5_keyblock *dst,
+		  krb5_data *data,
+		  const krb5_keyblock *src)
+{
+    data->length = enc->keybytes;
+    data->data = malloc(data->length);
+    if (data->data == NULL)
+	return ENOMEM;
+
+    *dst = *src;
+    dst->length = data->length;
+    dst->contents = (void *)data->data;
+
+    return 0;
+}
+
+static krb5_error_code
+krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
+			    const struct krb5_enc_provider *enc,
+			    const struct krb5_hash_provider *hash,
+			    const krb5_keyblock *key,
+			    krb5_keyusage usage,
+			    const krb5_data *ivec,
+			    krb5_crypto_iov *data,
+			    size_t num_data)
+{
+    krb5_error_code ret;
+    krb5_crypto_iov *header, *trailer;
+    krb5_keyblock k1, k2, k3;
+    krb5_data d1, d2, d3;
+    krb5_data checksum, confounder, header_data;
+    krb5_keyusage ms_usage;
+    char salt_data[14];
+    krb5_data salt;
+    size_t i;
+
+    d1.length = d2.length = d3.length = 0;
+    d1.data = d2.data = d3.data = NULL;
+
+    /*
+     * Caller must have provided space for the header, padding
+     * and trailer; per RFC 4757 we will arrange it as:
+     *
+     *	    Checksum | E(Confounder | Plaintext) 
+     */
+
+    header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+    if (header == NULL ||
+	header->data.length < hash->hashsize + CONFOUNDERLENGTH)
+	return KRB5_BAD_MSIZE;
+
+    header_data = header->data;
+
+    /* Trailer may be absent */
+    trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+    if (trailer != NULL)
+	trailer->data.length = 0;
+
+    /* Ensure that there is no padding */
+    for (i = 0; i < num_data; i++) {
+	if (data[i].flags == KRB5_CRYPTO_TYPE_PADDING)
+	    data[i].data.length = 0;
+    }
+
+    ret = alloc_derived_key(enc, &k1, &d1, key);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = alloc_derived_key(enc, &k2, &d2, key);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = alloc_derived_key(enc, &k3, &d3, key);
+    if (ret != 0)
+	goto cleanup;
+
+    /* Begin the encryption, compute K1 */
+    salt.data = salt_data;
+    salt.length = sizeof(salt_data);
+
+    ms_usage = krb5int_arcfour_translate_usage(usage);
+
+    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+	strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+	store_32_le(ms_usage, salt.data + 10);
+    } else {
+	salt.length = 4;
+	store_32_le(ms_usage, salt.data);
+    }
+    ret = krb5_hmac(hash, key, 1, &salt, &d1);
+    if (ret != 0)
+	goto cleanup;
+
+    memcpy(k2.contents, k1.contents, k2.length);
+
+    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+	memset(k1.contents + 7, 0xAB, 9);
+
+    header->data.length = hash->hashsize + CONFOUNDERLENGTH;
+
+    confounder.data = header->data.data + hash->hashsize;
+    confounder.length = CONFOUNDERLENGTH;
+
+    ret = krb5_c_random_make_octets(0, &confounder);
+    if (ret != 0)
+	goto cleanup;
+
+    checksum.data = header->data.data;
+    checksum.length = hash->hashsize;
+
+    /* Adjust pointers so confounder is at start of header */
+    header->data.length -= hash->hashsize;
+    header->data.data   += hash->hashsize;
+
+    ret = krb5int_hmac_iov(hash, &k2, data, num_data, &checksum);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = enc->encrypt_iov(&k3, ivec, data, num_data);
+    if (ret != 0)
+	goto cleanup;
+
+cleanup:
+    header->data = header_data; /* restore header pointers */
+
+    if (d1.data != NULL) {
+	memset(d1.data, 0, d1.length);
+	free(d1.data);
+    }
+    if (d2.data != NULL) {
+	memset(d2.data, 0, d2.length);
+	free(d2.data);
+    }
+    if (d3.data != NULL) {
+	memset(d3.data, 0, d3.length);
+	free(d3.data);
+    }
+
+    return ret;
+}
+
+static krb5_error_code
+krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead,
+			    const struct krb5_enc_provider *enc,
+			    const struct krb5_hash_provider *hash,
+			    const krb5_keyblock *key,
+			    krb5_keyusage usage,
+			    const krb5_data *ivec,
+			    krb5_crypto_iov *data,
+			    size_t num_data)
+{
+    krb5_error_code ret;
+    krb5_crypto_iov *header, *trailer;
+    krb5_keyblock k1, k2, k3;
+    krb5_data d1, d2, d3;
+    krb5_data checksum, header_data;
+    krb5_keyusage ms_usage;
+    char salt_data[14];
+    krb5_data salt;
+
+    d1.length = d2.length = d3.length = 0;
+    d1.data = d2.data = d3.data = NULL;
+
+    header = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_HEADER);
+    if (header == NULL ||
+        header->data.length != hash->hashsize + CONFOUNDERLENGTH)
+	return KRB5_BAD_MSIZE;
+
+    header_data = header->data;
+
+    trailer = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_TRAILER);
+    if (trailer != NULL && trailer->data.length != 0)
+	return KRB5_BAD_MSIZE;
+    
+    ret = alloc_derived_key(enc, &k1, &d1, key);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = alloc_derived_key(enc, &k2, &d2, key);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = alloc_derived_key(enc, &k3, &d3, key);
+    if (ret != 0)
+	goto cleanup;
+
+    /* Begin the decryption, compute K1 */
+    salt.data = salt_data;
+    salt.length = sizeof(salt_data);
+
+    ms_usage = krb5int_arcfour_translate_usage(usage);
+
+    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+	strncpy(salt.data, krb5int_arcfour_l40, salt.length);
+	store_32_le(ms_usage, (unsigned char *)salt.data + 10);
+    } else {
+	salt.length = 4;
+	store_32_le(ms_usage, (unsigned char *)salt.data);
+    }
+    ret = krb5_hmac(hash, key, 1, &salt, &d1);
+    if (ret != 0)
+	goto cleanup;
+
+    memcpy(k2.contents, k1.contents, k2.length);
+
+    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+	memset(k1.contents + 7, 0xAB, 9);
+
+    checksum.data = header->data.data;
+    checksum.length = hash->hashsize;
+
+    /* Adjust pointers so confounder is at start of header */
+    header->data.length -= hash->hashsize;
+    header->data.data   += hash->hashsize;
+
+    ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = enc->decrypt_iov(&k3, ivec, data, num_data);
+    if (ret != 0)
+	goto cleanup;
+
+    ret = krb5int_hmac_iov(hash, &k2, data, num_data, &d1);
+    if (ret != 0)
+	goto cleanup;
+
+    if (memcmp(checksum.data, d1.data, hash->hashsize) != 0) {
+	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+	goto cleanup;
+    }
+
+cleanup:
+    header->data = header_data; /* restore header pointers */
+
+    if (d1.data != NULL) {
+	memset(d1.data, 0, d1.length);
+	free(d1.data);
+    }
+    if (d2.data != NULL) {
+	memset(d2.data, 0, d2.length);
+	free(d2.data);
+    }
+    if (d3.data != NULL) {
+	memset(d3.data, 0, d3.length);
+	free(d3.data);
+    }
+
+    return ret;
+}
+
+const struct krb5_aead_provider krb5int_aead_arcfour = {
+    krb5int_arcfour_crypto_length,
+    krb5int_arcfour_encrypt_iov,
+    krb5int_arcfour_decrypt_iov
+};
+

Added: trunk/src/lib/crypto/openssl/arcfour/arcfour_s2k.c
===================================================================
--- trunk/src/lib/crypto/openssl/arcfour/arcfour_s2k.c	2009-10-01 22:31:39 UTC (rev 22824)
+++ trunk/src/lib/crypto/openssl/arcfour/arcfour_s2k.c	2009-10-01 22:54:27 UTC (rev 22825)
@@ -0,0 +1,59 @@
+#include "k5-int.h"
+#include "k5-utf8.h"
+#include "rsa-md4.h"
+#include "arcfour-int.h"
+
+#if TARGET_OS_MAC && !defined(DEPEND)
+#include <CoreFoundation/CFString.h>
+#endif
+
+krb5_error_code
+krb5int_arcfour_string_to_key(const struct krb5_enc_provider *enc,
+			      const krb5_data *string, const krb5_data *salt,
+			      const krb5_data *params, krb5_keyblock *key)
+{
+  krb5_error_code err = 0;
+  krb5_MD4_CTX md4_context;
+  unsigned char *copystr;
+  size_t copystrlen;
+
+  if (params != NULL)
+      return KRB5_ERR_BAD_S2K_PARAMS;
+  
+  if (key->length != 16)
+    return (KRB5_BAD_MSIZE);
+
+  /* We ignore salt per the Microsoft spec*/
+
+  /* compute the space needed for the new string.
+     Since the password must be stored in unicode, we need to increase
+     that number by 2x.
+  */
+
+  err = krb5int_utf8cs_to_ucs2les(string->data, string->length, &copystr, &copystrlen);
+  if (err)
+    return err;
+
+  /* the actual MD4 hash of the data */
+  krb5_MD4Init(&md4_context);
+  krb5_MD4Update(&md4_context, copystr, copystrlen);
+  krb5_MD4Final(&md4_context);
+  memcpy(key->contents, md4_context.digest, 16);
+
+#if 0  
+  /* test the string_to_key function */
+  printf("Hash=");
+  {
+    int counter;
+    for(counter=0;counter<16;counter++)
+      printf("%02x", md4_context.digest[counter]);
+    printf("\n");
+  }
+#endif /* 0 */
+
+  /* Zero out the data behind us */
+  memset(copystr, 0, copystrlen);
+  memset(&md4_context, 0, sizeof(md4_context));
+  free(copystr);
+  return err;
+}



From ghudson at MIT.EDU  Fri Oct  2 11:33:56 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Fri, 2 Oct 2009 11:33:56 -0400
Subject: svn rev #22834: branches/enc-perf/src/lib/crypto/
	builtin/hash_provider/ openssl/arcfour/ ...
Message-ID: <200910021533.n92FXuLN004352@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22834
Commit By: ghudson
Log Message:
Merge trunk changes from r22791 to r22833 to enc-perf branch.



Changed Files:
U   branches/enc-perf/src/lib/crypto/builtin/hash_provider/Makefile.in
A   branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour-int.h
A   branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour.c
A   branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour.h
A   branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour_aead.c
A   branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour_s2k.c
A   branches/enc-perf/src/lib/crypto/openssl/des/afsstring2key.c
A   branches/enc-perf/src/lib/crypto/openssl/des/d3_aead.c
A   branches/enc-perf/src/lib/crypto/openssl/des/d3_cbc.c
A   branches/enc-perf/src/lib/crypto/openssl/des/d3_kysched.c
A   branches/enc-perf/src/lib/crypto/openssl/des/des_int.h
A   branches/enc-perf/src/lib/crypto/openssl/des/f_aead.c
A   branches/enc-perf/src/lib/crypto/openssl/des/f_cbc.c
A   branches/enc-perf/src/lib/crypto/openssl/des/f_cksum.c
A   branches/enc-perf/src/lib/crypto/openssl/des/f_parity.c
A   branches/enc-perf/src/lib/crypto/openssl/des/f_sched.c
A   branches/enc-perf/src/lib/crypto/openssl/des/f_tables.c
A   branches/enc-perf/src/lib/crypto/openssl/des/f_tables.h
A   branches/enc-perf/src/lib/crypto/openssl/des/key_sched.c
A   branches/enc-perf/src/lib/crypto/openssl/des/string2key.c
A   branches/enc-perf/src/lib/crypto/openssl/des/weak_key.c
A   branches/enc-perf/src/lib/crypto/openssl/enc_provider/aes.c
U   branches/enc-perf/src/lib/crypto/openssl/enc_provider/des.c
U   branches/enc-perf/src/lib/crypto/openssl/enc_provider/des3.c
U   branches/enc-perf/src/lib/crypto/openssl/enc_provider/rc4.c
Modified: branches/enc-perf/src/lib/crypto/builtin/hash_provider/Makefile.in
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/hash_provider/Makefile.in	2009-10-02 14:02:31 UTC (rev 22833)
+++ branches/enc-perf/src/lib/crypto/builtin/hash_provider/Makefile.in	2009-10-02 15:33:56 UTC (rev 22834)
@@ -13,14 +13,24 @@
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
 
-STLIBOBJS= hash_crc32.o hash_md4.o hash_md5.o hash_sha1.o
+CIMPL = @CRYPTO_IMPL@/hash_provider
 
-OBJS=   $(OUTPRE)hash_crc32.$(OBJEXT) $(OUTPRE)hash_md4.$(OBJEXT) \
-	$(OUTPRE)hash_md5.$(OBJEXT) $(OUTPRE)hash_sha1.$(OBJEXT)
+STLIBOBJS= \
+	../../$(CIMPL)/hash_crc32.o 	\
+	../../$(CIMPL)/hash_md4.o 	\
+	../../$(CIMPL)/hash_md5.o 	\
+	../../$(CIMPL)/hash_sha1.o
 
-SRCS= $(srcdir)/hash_crc32.c $(srcdir)/hash_md4.c \
-	$(srcdir)/hash_md5.c $(srcdir)/hash_sha1.c
+OBJS=   $(OUTPRE)../../$(CIMPL)/hash_crc32.$(OBJEXT) 	\
+	$(OUTPRE)../../$(CIMPL)/hash_md4.$(OBJEXT) 	\
+	$(OUTPRE)../../$(CIMPL)/hash_md5.$(OBJEXT) 	\
+	$(OUTPRE)../../$(CIMPL)/hash_sha1.$(OBJEXT)
 
+SRCS=	$(srcdir)/../../$(CIMPL)/hash_crc32.c	\
+	$(srcdir)/../../$(CIMPL)/hash_md4.c 	\
+	$(srcdir)/../../$(CIMPL)/hash_md5.c 	\
+	$(srcdir)/../../$(CIMPL)/hash_sha1.c
+
 ##DOS##LIBOBJS = $(OBJS)
 
 all-unix:: all-libobjs

Copied: branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour-int.h (from rev 22833, trunk/src/lib/crypto/openssl/arcfour/arcfour-int.h)

Copied: branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour.c (from rev 22833, trunk/src/lib/crypto/openssl/arcfour/arcfour.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour.h (from rev 22833, trunk/src/lib/crypto/openssl/arcfour/arcfour.h)

Copied: branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour_aead.c (from rev 22833, trunk/src/lib/crypto/openssl/arcfour/arcfour_aead.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/arcfour/arcfour_s2k.c (from rev 22833, trunk/src/lib/crypto/openssl/arcfour/arcfour_s2k.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/afsstring2key.c (from rev 22833, trunk/src/lib/crypto/openssl/des/afsstring2key.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/d3_aead.c (from rev 22833, trunk/src/lib/crypto/openssl/des/d3_aead.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/d3_cbc.c (from rev 22833, trunk/src/lib/crypto/openssl/des/d3_cbc.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/d3_kysched.c (from rev 22833, trunk/src/lib/crypto/openssl/des/d3_kysched.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/des_int.h (from rev 22833, trunk/src/lib/crypto/openssl/des/des_int.h)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/f_aead.c (from rev 22833, trunk/src/lib/crypto/openssl/des/f_aead.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/f_cbc.c (from rev 22833, trunk/src/lib/crypto/openssl/des/f_cbc.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/f_cksum.c (from rev 22833, trunk/src/lib/crypto/openssl/des/f_cksum.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/f_parity.c (from rev 22833, trunk/src/lib/crypto/openssl/des/f_parity.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/f_sched.c (from rev 22833, trunk/src/lib/crypto/openssl/des/f_sched.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/f_tables.c (from rev 22833, trunk/src/lib/crypto/openssl/des/f_tables.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/f_tables.h (from rev 22833, trunk/src/lib/crypto/openssl/des/f_tables.h)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/key_sched.c (from rev 22833, trunk/src/lib/crypto/openssl/des/key_sched.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/string2key.c (from rev 22833, trunk/src/lib/crypto/openssl/des/string2key.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/des/weak_key.c (from rev 22833, trunk/src/lib/crypto/openssl/des/weak_key.c)

Copied: branches/enc-perf/src/lib/crypto/openssl/enc_provider/aes.c (from rev 22833, trunk/src/lib/crypto/openssl/enc_provider/aes.c)

Modified: branches/enc-perf/src/lib/crypto/openssl/enc_provider/des.c
===================================================================
--- branches/enc-perf/src/lib/crypto/openssl/enc_provider/des.c	2009-10-02 14:02:31 UTC (rev 22833)
+++ branches/enc-perf/src/lib/crypto/openssl/enc_provider/des.c	2009-10-02 15:33:56 UTC (rev 22834)
@@ -35,7 +35,6 @@
 
     for (i = 0, input_length = 0; i < num_data; i++) {
         const krb5_crypto_iov *iov = &data[i];
-
         if (ENCRYPT_IOV(iov))
             input_length += iov->data.length;
     }
@@ -54,12 +53,11 @@
 k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
            const krb5_data *input, krb5_data *output)
 {
-    int ret = 0, tmp_len = 0;
-    unsigned int tmp_buf_len = 0;
+    int              ret = 0, tmp_len = 0;
+    unsigned int     tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-    EVP_CIPHER_CTX  ciph_ctx;
+    EVP_CIPHER_CTX   ciph_ctx;
 
     ret = validate(key, ivec, input, output);
     if (ret)
@@ -68,11 +66,6 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if ( ivec && ivec->data ) {
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     tmp_buf_len = output->length*2;
     tmp_buf=OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
@@ -82,13 +75,13 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv : NULL);
+                             (ivec) ? (unsigned char*)ivec->data  : NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
                                 (unsigned char *)input->data, input->length);
         if (!ret || output->length < (unsigned int)tmp_len) {
-            return KRB5_CRYPTO_INTERNAL;
+            ret =  KRB5_CRYPTO_INTERNAL;
         } else {
             output->length = tmp_len;
             ret = EVP_EncryptFinal_ex(&ciph_ctx, tmp_buf + tmp_len, &tmp_len);
@@ -97,13 +90,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
 
     memset(tmp_buf, 0, tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -114,10 +107,9 @@
            const krb5_data *input, krb5_data *output)
 {
     /* key->enctype was checked by the caller */
-    int ret = 0, tmp_len = 0;
+    int              ret = 0, tmp_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
     EVP_CIPHER_CTX  ciph_ctx;
 
     ret = validate(key, ivec, input, output);
@@ -127,10 +119,6 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if ( ivec != NULL && ivec->data ){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
     tmp_buf=OPENSSL_malloc(output->length);
     if (!tmp_buf)
         return ENOMEM;
@@ -139,7 +127,7 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv : NULL);
+                             (ivec) ? (unsigned char*)ivec->data : NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
@@ -152,13 +140,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
 
     memset(tmp_buf,0,output->length);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if ( ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -169,21 +157,21 @@
             krb5_crypto_iov *data,
             size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
+    int             ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
+    int             oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
+    unsigned char  *iblock = NULL, *oblock = NULL;
+    unsigned char  *keybuf = NULL ;
+    struct iov_block_state input_pos, output_pos;
     EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
 
-    struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
-
     iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -195,19 +183,18 @@
     if (ret)
         return ret;
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec && ivec->data) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -229,11 +216,6 @@
     if(ret)
         ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -241,7 +223,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if ( ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -252,21 +234,22 @@
            krb5_crypto_iov *data,
            size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
-    EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-
+    int                    ret = 0;
+    int                    tmp_len = MIT_DES_BLOCK_LENGTH;
+    int                    oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char         *iblock = NULL, *oblock = NULL;
+    unsigned char         *keybuf = NULL;
     struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
+    EVP_CIPHER_CTX         ciph_ctx;
 
     iblock = OPENSSL_malloc(MIT_DES_BLOCK_LENGTH);
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -278,19 +261,18 @@
     if (ret)
         return ret;
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -315,11 +297,6 @@
     if(ret)
         ret = EVP_DecryptFinal_ex(&ciph_ctx, oblock+16, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -327,7 +304,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/openssl/enc_provider/des3.c
===================================================================
--- branches/enc-perf/src/lib/crypto/openssl/enc_provider/des3.c	2009-10-02 14:02:31 UTC (rev 22833)
+++ branches/enc-perf/src/lib/crypto/openssl/enc_provider/des3.c	2009-10-02 15:33:56 UTC (rev 22834)
@@ -36,7 +36,6 @@
 
     for (i = 0, input_length = 0; i < num_data; i++) {
 	const krb5_crypto_iov *iov = &data[i];
-
 	if (ENCRYPT_IOV(iov))
 	    input_length += iov->data.length;
     }
@@ -55,12 +54,11 @@
 k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
-    int ret = 0, tmp_len = 0;
-    unsigned int  tmp_buf_len = 0;
+    int              ret = 0, tmp_len = 0;
+    unsigned int     tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-    EVP_CIPHER_CTX  ciph_ctx;
+    EVP_CIPHER_CTX   ciph_ctx;
 
     ret = validate(key, ivec, input, output);
     if (ret)
@@ -69,9 +67,6 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data) {
-        memcpy(iv,ivec->data,ivec->length);
-    }
     tmp_buf_len = output->length * 2;
     tmp_buf = OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
@@ -80,7 +75,7 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv : NULL);
+                             (ivec) ? (unsigned char*)ivec->data : NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_EncryptUpdate(&ciph_ctx, tmp_buf, &tmp_len,
@@ -95,12 +90,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
+
     memset(tmp_buf, 0, tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
 
     return 0;
@@ -111,11 +107,11 @@
 k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
-    int ret = 0, tmp_len = 0;
-    EVP_CIPHER_CTX  ciph_ctx;
+    int              ret = 0, tmp_len = 0;
+    unsigned int     tmp_buf_len = 0;
     unsigned char   *keybuf  = NULL;
     unsigned char   *tmp_buf = NULL;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
+    EVP_CIPHER_CTX   ciph_ctx;
 
     ret = validate(key, ivec, input, output);
     if (ret)
@@ -124,24 +120,22 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data) {
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
-    tmp_buf=OPENSSL_malloc(output->length);
+    tmp_buf_len = output->length;
+    tmp_buf=OPENSSL_malloc(tmp_buf_len);
     if (!tmp_buf)
         return ENOMEM;
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL, keybuf,
-                             (ivec && ivec->data) ? iv: NULL);
+                             (ivec) ? (unsigned char*)ivec->data: NULL);
     if (ret) {
         EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
         ret = EVP_DecryptUpdate(&ciph_ctx, tmp_buf,  &tmp_len,
                                 (unsigned char *)input->data, input->length);
-        if (ret) {
+        if (!ret || output->length < (unsigned int)tmp_len) {
+            ret = KRB5_CRYPTO_INTERNAL;
+        } else {
             output->length = tmp_len;
             ret = EVP_DecryptFinal_ex(&ciph_ctx, tmp_buf+tmp_len, &tmp_len);
         }
@@ -149,13 +143,13 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (ret)
+    if (ret == 1)
         memcpy(output->data,tmp_buf, output->length);
 
-    memset(tmp_buf,0,output->length);
+    memset(tmp_buf,0,tmp_buf_len);
     OPENSSL_free(tmp_buf);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 
@@ -167,14 +161,13 @@
 		    krb5_crypto_iov *data,
 		    size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
-    EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-
+    int                    ret = 0;
+    int                    tmp_len = MIT_DES_BLOCK_LENGTH;
+    int                    oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
+    unsigned char         *iblock = NULL, *oblock = NULL;
+    unsigned char         *keybuf = NULL;
     struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
+    EVP_CIPHER_CTX         ciph_ctx;
 
     ret = validate_iov(key, ivec, data, num_data);
     if (ret)
@@ -184,8 +177,10 @@
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -193,19 +188,18 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -229,11 +223,6 @@
     if(ret)
         ret = EVP_EncryptFinal_ex(&ciph_ctx, oblock+input_pos.data_pos, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -241,7 +230,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }
@@ -252,14 +241,13 @@
 		    krb5_crypto_iov *data,
 		    size_t num_data)
 {
-    int ret = 0, tmp_len = MIT_DES_BLOCK_LENGTH;
-    EVP_CIPHER_CTX  ciph_ctx;
-    unsigned char   *keybuf = NULL ;
-    unsigned char   iv[EVP_MAX_IV_LENGTH];
-
+    int                    ret = 0;
+    int                    tmp_len = MIT_DES_BLOCK_LENGTH;
+    int                    oblock_len = MIT_DES_BLOCK_LENGTH * num_data;
+    unsigned char         *iblock = NULL, *oblock = NULL;
+    unsigned char         *keybuf = NULL ;
     struct iov_block_state input_pos, output_pos;
-    int oblock_len = MIT_DES_BLOCK_LENGTH*num_data;
-    unsigned char  *iblock, *oblock;
+    EVP_CIPHER_CTX         ciph_ctx;
 
     ret = validate_iov(key, ivec, data, num_data);
     if (ret)
@@ -269,8 +257,10 @@
     if (!iblock)
         return ENOMEM;
     oblock = OPENSSL_malloc(oblock_len);
-    if (!oblock)
+    if (!oblock){
+        OPENSSL_free(iblock);
         return ENOMEM;
+    }
 
     IOV_BLOCK_STATE_INIT(&input_pos);
     IOV_BLOCK_STATE_INIT(&output_pos);
@@ -278,19 +268,18 @@
     keybuf=key->contents;
     keybuf[key->length] = '\0';
 
-    if (ivec && ivec->data){
-        memset(iv,0,sizeof(iv));
-        memcpy(iv,ivec->data,ivec->length);
-    }
-
     memset(oblock, 0, oblock_len);
 
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_DecryptInit_ex(&ciph_ctx, EVP_des_ede3_cbc(), NULL,
-                             keybuf, (ivec && ivec->data) ? iv : NULL);
-    if (!ret)
+                             keybuf, (ivec) ? (unsigned char*)ivec->data : NULL);
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        OPENSSL_free(iblock);
+        OPENSSL_free(oblock);
         return KRB5_CRYPTO_INTERNAL;
+    }
 
     EVP_CIPHER_CTX_set_padding(&ciph_ctx,0);
 
@@ -315,11 +304,6 @@
         ret = EVP_DecryptFinal_ex(&ciph_ctx,
                                   oblock + input_pos.data_pos, &tmp_len);
 
-    if (ret) {
-        if (ivec != NULL)
-            memcpy(iv, oblock, MIT_DES_BLOCK_LENGTH);
-    }
-
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
     memset(iblock,0,sizeof(iblock));
@@ -327,7 +311,7 @@
     OPENSSL_free(iblock);
     OPENSSL_free(oblock);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
     return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/openssl/enc_provider/rc4.c
===================================================================
--- branches/enc-perf/src/lib/crypto/openssl/enc_provider/rc4.c	2009-10-02 14:02:31 UTC (rev 22833)
+++ branches/enc-perf/src/lib/crypto/openssl/enc_provider/rc4.c	2009-10-02 15:33:56 UTC (rev 22834)
@@ -62,7 +62,7 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (!ret)
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
 
     output->length += tmp_len;
@@ -90,8 +90,10 @@
     EVP_CIPHER_CTX_init(&ciph_ctx);
 
     ret = EVP_EncryptInit_ex(&ciph_ctx, EVP_rc4(), NULL, keybuf, NULL);
-    if (!ret) 
-        return -1;
+    if (!ret){
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+        return KRB5_CRYPTO_INTERNAL;
+    }
 
     for (i = 0; i < num_data; i++) {
         iov = &data[i];
@@ -112,7 +114,7 @@
 
     EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-    if (!ret) 
+    if (ret != 1)
         return KRB5_CRYPTO_INTERNAL;
 
     iov->data.length += tmp_len;



From ghudson at MIT.EDU  Sat Oct  3 10:46:54 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Sat, 3 Oct 2009 10:46:54 -0400
Subject: svn rev #22838: trunk/src/include/ 
Message-ID: <200910031446.n93EksgO021459@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22838
Commit By: ghudson
Log Message:
Add convenience functions zapfree (test for null, zap, free) and
k5alloc (allocate memory, set a krb5_error_code result) to k5-int.h.



Changed Files:
U   trunk/src/include/k5-int.h
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h	2009-10-02 17:28:35 UTC (rev 22837)
+++ trunk/src/include/k5-int.h	2009-10-03 14:46:54 UTC (rev 22838)
@@ -776,6 +776,16 @@
 #endif /* WIN32 */
 #define zap(p,l) krb5int_zap_data(p,l)
 
+/* Convenience function: zap and free ptr if it is non-NULL. */
+static inline void
+zapfree(void *ptr, size_t len)
+{
+    if (ptr != NULL) {
+	zap(ptr, len);
+	free(ptr);
+    }
+}
+
 /* A definition of init_state for DES based encryption systems.
  * sets up an 8-byte IV of all zeros
  */
@@ -2823,6 +2833,17 @@
 	    && !memcmp(a1.contents, a2.contents, a1.length));
 }
 
+/* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
+static inline void *
+k5alloc(size_t size, krb5_error_code *code)
+{
+    void *ptr;
+
+    ptr = calloc(size, 1);
+    *code = (ptr == NULL) ? ENOMEM : 0;
+    return ptr;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5int_pac_sign(krb5_context context,
 		 krb5_pac pac,



From ghudson at MIT.EDU  Sat Oct  3 12:03:15 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Sat, 3 Oct 2009 12:03:15 -0400
Subject: svn rev #22839: trunk/src/lib/crypto/krb/ 
Message-ID: <200910031603.n93G3FnP027181@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22839
Commit By: ghudson
Log Message:
Update the crypto API glue to conform to most of the current coding
practices (except lack of tabs).  Use the helper functions k5alloc,
zapfree, and find_enctype to reduce code size.



Changed Files:
U   trunk/src/lib/crypto/krb/aead.c
U   trunk/src/lib/crypto/krb/block_size.c
U   trunk/src/lib/crypto/krb/cf2.c
U   trunk/src/lib/crypto/krb/checksum_length.c
U   trunk/src/lib/crypto/krb/cksumtype_to_string.c
U   trunk/src/lib/crypto/krb/cksumtypes.c
U   trunk/src/lib/crypto/krb/cksumtypes.h
U   trunk/src/lib/crypto/krb/coll_proof_cksum.c
U   trunk/src/lib/crypto/krb/combine_keys.c
U   trunk/src/lib/crypto/krb/crypto_length.c
U   trunk/src/lib/crypto/krb/decrypt.c
U   trunk/src/lib/crypto/krb/decrypt_iov.c
U   trunk/src/lib/crypto/krb/encrypt.c
U   trunk/src/lib/crypto/krb/encrypt_iov.c
U   trunk/src/lib/crypto/krb/encrypt_length.c
U   trunk/src/lib/crypto/krb/enctype_compare.c
U   trunk/src/lib/crypto/krb/enctype_to_string.c
U   trunk/src/lib/crypto/krb/etypes.c
U   trunk/src/lib/crypto/krb/etypes.h
U   trunk/src/lib/crypto/krb/keyblocks.c
U   trunk/src/lib/crypto/krb/keyed_checksum_types.c
U   trunk/src/lib/crypto/krb/keyed_cksum.c
U   trunk/src/lib/crypto/krb/keylengths.c
U   trunk/src/lib/crypto/krb/make_checksum.c
U   trunk/src/lib/crypto/krb/make_checksum_iov.c
U   trunk/src/lib/crypto/krb/make_random_key.c
U   trunk/src/lib/crypto/krb/mandatory_sumtype.c
U   trunk/src/lib/crypto/krb/old_api_glue.c
U   trunk/src/lib/crypto/krb/prf.c
U   trunk/src/lib/crypto/krb/prng.c
U   trunk/src/lib/crypto/krb/random_to_key.c
U   trunk/src/lib/crypto/krb/state.c
U   trunk/src/lib/crypto/krb/string_to_cksumtype.c
U   trunk/src/lib/crypto/krb/string_to_enctype.c
U   trunk/src/lib/crypto/krb/string_to_key.c
U   trunk/src/lib/crypto/krb/valid_cksumtype.c
U   trunk/src/lib/crypto/krb/valid_enctype.c
U   trunk/src/lib/crypto/krb/verify_checksum.c
U   trunk/src/lib/crypto/krb/verify_checksum_iov.c
Modified: trunk/src/lib/crypto/krb/aead.c
===================================================================
--- trunk/src/lib/crypto/krb/aead.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/aead.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -72,8 +72,8 @@
 	    num_sign_data++;
     }
 
-    /* XXX cleanup to avoid alloc */
-    sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data));
+    /* XXX cleanup to avoid alloc. */
+    sign_data = calloc(num_sign_data, sizeof(krb5_data));
     if (sign_data == NULL)
 	return ENOMEM;
 
@@ -84,7 +84,7 @@
 	    sign_data[j++] = iov->data;
     }
 
-    ret = hash_provider->hash(num_sign_data, sign_data, output);
+    ret = (*hash_provider->hash)(num_sign_data, sign_data, output);
 
     free(sign_data);
 
@@ -99,36 +99,26 @@
 			    size_t num_data,
 			    krb5_data *cksum_data)
 {
-    int e1, e2;
+    const struct krb5_keytypes *e1, *e2;
     krb5_error_code ret;
 
     if (cksum_type->keyhash != NULL) {
-	/* check if key is compatible */
+	/* Check if key is compatible. */
 
 	if (cksum_type->keyed_etype) {
-	    for (e1=0; e1<krb5_enctypes_length; e1++) 
-		if (krb5_enctypes_list[e1].etype ==
-		    cksum_type->keyed_etype)
-		    break;
-
-	    for (e2=0; e2<krb5_enctypes_length; e2++) 
-		if (krb5_enctypes_list[e2].etype == key->enctype)
-		    break;
-
-	    if ((e1 == krb5_enctypes_length) ||
-		(e2 == krb5_enctypes_length) ||
-		(krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)) {
+	    e1 = find_enctype(cksum_type->keyed_etype);
+	    e2 = find_enctype(key->enctype);
+	    if (e1 == NULL || e2 == NULL || e1->enc != e2->enc) {
 		ret = KRB5_BAD_ENCTYPE;
 		goto cleanup;
 	    }
 	}
 
-	if (cksum_type->keyhash->hash_iov == NULL) {
+	if (cksum_type->keyhash->hash_iov == NULL)
 	    return KRB5_BAD_ENCTYPE;
-	}
 
-	ret = (*(cksum_type->keyhash->hash_iov))(key, usage, 0,
-						 data, num_data, cksum_data);
+	ret = (*cksum_type->keyhash->hash_iov)(key, usage, 0, data, num_data,
+					       cksum_data);
     } else if (cksum_type->flags & KRB5_CKSUMFLAG_DERIVE) {
 	ret = krb5int_dk_make_checksum_iov(cksum_type->hash,
 					   key, usage, data, num_data,
@@ -364,22 +354,25 @@
     stream = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM);
     assert(stream != NULL);
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, &header_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
+				 &header_len);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &trailer_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+				 &trailer_len);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &padding_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+				 &padding_len);
     if (ret != 0)
 	return ret;
 
     if (stream->data.length < header_len + trailer_len)
 	return KRB5_BAD_MSIZE;
 
-    iov = (krb5_crypto_iov *)calloc(num_data + 2, sizeof(krb5_crypto_iov));
+    iov = calloc(num_data + 2, sizeof(krb5_crypto_iov));
     if (iov == NULL)
 	return ENOMEM;
 
@@ -400,14 +393,18 @@
 	    got_data++;
 
 	    data[j].data.data = stream->data.data + header_len;
-	    data[j].data.length = stream->data.length - header_len - trailer_len;
+	    data[j].data.length = stream->data.length - header_len
+		- trailer_len;
 	}
 	if (data[j].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY ||
 	    data[j].flags == KRB5_CRYPTO_TYPE_DATA)
 	    iov[i++] = data[j];
     }
 
-    /* XXX not self-describing with respect to length, this is the best we can do */
+    /*
+     * XXX not self-describing with respect to length, this is the best
+     * we can do.
+     */
     iov[i].flags = KRB5_CRYPTO_TYPE_PADDING;
     iov[i].data.data = NULL;
     iov[i].data.length = 0;
@@ -420,7 +417,7 @@
 
     assert(i <= num_data + 2);
 
-    ret = aead->decrypt_iov(aead, enc, hash, key, keyusage, ivec, iov, i);
+    ret = (*aead->decrypt_iov)(aead, enc, hash, key, keyusage, ivec, iov, i);
 
     free(iov);
 
@@ -437,7 +434,8 @@
     unsigned int padding;
     krb5_error_code ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &padding);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+				 &padding);
     if (ret != 0)
 	return ret;
 
@@ -463,21 +461,23 @@
     unsigned int padding_len = 0;
     unsigned int trailer_len = 0;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
-			      &header_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
+				 &header_len);
     if (ret != 0)
 	return ret;
 
-    ret = krb5int_c_padding_length(aead, enc, hash, input->length, &padding_len);
+    ret = krb5int_c_padding_length(aead, enc, hash, input->length,
+				   &padding_len);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
-			      &trailer_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+				 &trailer_len);
     if (ret != 0)
 	return ret;
 
-    if (output->length < header_len + input->length + padding_len + trailer_len)
+    if (output->length <
+	header_len + input->length + padding_len + trailer_len)
 	return KRB5_BAD_MSIZE;
 
     iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
@@ -497,9 +497,8 @@
     iov[3].data.data = iov[2].data.data + iov[2].data.length;
     iov[3].data.length = trailer_len;
 
-    ret = aead->encrypt_iov(aead, enc, hash, key,
-			    usage, ivec,
-			    iov, sizeof(iov)/sizeof(iov[0]));
+    ret = (*aead->encrypt_iov)(aead, enc, hash, key, usage, ivec,
+			       iov, sizeof(iov) / sizeof(iov[0]));
 
     if (ret != 0)
 	zap(iov[1].data.data, iov[1].data.length);
@@ -548,8 +547,7 @@
     output->length = iov[1].data.length;
 
 cleanup:
-    zap(iov[0].data.data,  iov[0].data.length);
-    free(iov[0].data.data);
+    zapfree(iov[0].data.data, iov[0].data.length);
 
     return ret;
 }
@@ -564,9 +562,11 @@
     unsigned int padding_len = 0;
     unsigned int trailer_len = 0;
 
-    aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, &header_len);
+    (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
+			   &header_len);
     krb5int_c_padding_length(aead, enc, hash, inputlen, &padding_len);
-    aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &trailer_len);
+    (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+			   &trailer_len);
 
     *length = header_len + inputlen + padding_len + trailer_len;
 }

Modified: trunk/src/lib/crypto/krb/block_size.c
===================================================================
--- trunk/src/lib/crypto/krb/block_size.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/block_size.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -31,17 +31,12 @@
 krb5_c_block_size(krb5_context context, krb5_enctype enctype,
 		  size_t *blocksize)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    *blocksize = ktp->enc->block_size;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    *blocksize = krb5_enctypes_list[i].enc->block_size;
-
-    return(0);
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/cf2.c
===================================================================
--- trunk/src/lib/crypto/krb/cf2.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/cf2.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -40,8 +40,8 @@
  * a count byte  to get enough bits of output. 
  */
 static krb5_error_code
-prf_plus( krb5_context context, krb5_keyblock *k,const char *pepper,
-	  size_t keybytes, char **out)
+prf_plus(krb5_context context, krb5_keyblock *k, const char *pepper,
+	 size_t keybytes, char **out)
 {
     krb5_error_code retval = 0;
     size_t prflen, iterations;
@@ -49,46 +49,44 @@
     krb5_data in_data;
     char *buffer = NULL;
     struct k5buf prf_inbuf;
+
     krb5int_buf_init_dynamic(&prf_inbuf);
-    krb5int_buf_add_len( &prf_inbuf, "\001", 1);
-    krb5int_buf_add( &prf_inbuf, pepper);
+    krb5int_buf_add_len(&prf_inbuf, "\001", 1);
+    krb5int_buf_add(&prf_inbuf, pepper);
     retval = krb5_c_prf_length( context, k->enctype, &prflen);
-    if (retval != 0)
+    if (retval)
 	goto cleanup;
-    iterations = keybytes/prflen;
-    if ((keybytes%prflen) != 0)
+    iterations = keybytes / prflen;
+    if (keybytes % prflen != 0)
 	iterations++;
     assert(iterations <= 254);
-    buffer = malloc(iterations*prflen);
-    if (buffer == NULL) {
-	retval = ENOMEM;
+    buffer = k5alloc(iterations * prflen, &retval);
+    if (retval)
 	goto cleanup;
-	}
-    if (krb5int_buf_len( &prf_inbuf) == -1) {
+    if (krb5int_buf_len(&prf_inbuf) == -1) {
 	retval = ENOMEM;
 	goto cleanup;
     }
-    in_data.length = (krb5_int32) krb5int_buf_len( &prf_inbuf);
-    in_data.data = krb5int_buf_data( &prf_inbuf);
+    in_data.length = (krb5_int32) krb5int_buf_len(&prf_inbuf);
+    in_data.data = krb5int_buf_data(&prf_inbuf);
     out_data.length = prflen;
     out_data.data = buffer;
 
     while (iterations > 0) {
-	retval = krb5_c_prf( context, k, &in_data, &out_data);
-    if (retval != 0)
-	goto cleanup;
-    out_data.data += prflen;
-    in_data.data[0]++;
-    iterations--;
+	retval = krb5_c_prf(context, k, &in_data, &out_data);
+	if (retval)
+	    goto cleanup;
+	out_data.data += prflen;
+	in_data.data[0]++;
+	iterations--;
     }
- cleanup:
-    if (retval == 0 )
-	*out = buffer;
-    else{
-	if (buffer != NULL)
-	    free(buffer);
-    }
-    krb5int_free_buf( &prf_inbuf);
+
+    *out = buffer;
+    buffer = NULL;
+
+cleanup:
+    free(buffer);
+    krb5int_free_buf(&prf_inbuf);
     return retval;
 }
 
@@ -107,48 +105,46 @@
     krb5_error_code retval = 0;
     krb5_keyblock *out_key = NULL;
 
-
-    if (k1 == NULL ||!krb5_c_valid_enctype(k1->enctype))
+    if (k1 == NULL || !krb5_c_valid_enctype(k1->enctype))
 	return KRB5_BAD_ENCTYPE;
     if (k2 == NULL || !krb5_c_valid_enctype(k2->enctype))
 	return KRB5_BAD_ENCTYPE;
     out_enctype_num = k1->enctype;
     assert(out != NULL);
-    assert ((out_enctype = find_enctype(out_enctype_num)) != NULL);
+    assert((out_enctype = find_enctype(out_enctype_num)) != NULL);
     if (out_enctype->prf == NULL) {
 	if (context)
-	    krb5int_set_error(&(context->err) , KRB5_CRYPTO_INTERNAL,
-				   "Enctype %d has no PRF", out_enctype_num);
+	    krb5int_set_error(&(context->err), KRB5_CRYPTO_INTERNAL,
+			      "Enctype %d has no PRF", out_enctype_num);
 	return KRB5_CRYPTO_INTERNAL;
-		}
+    }
     keybytes = out_enctype->enc->keybytes;
     keylength = out_enctype->enc->keylength;
 
-    retval = prf_plus( context, k1, pepper1, keybytes, &prf1);
-	if (retval != 0)
-	    goto cleanup;
-    retval = prf_plus( context, k2, pepper2, keybytes, &prf2);
-    if (retval != 0)
+    retval = prf_plus(context, k1, pepper1, keybytes, &prf1);
+    if (retval)
 	goto cleanup;
+    retval = prf_plus(context, k2, pepper2, keybytes, &prf2);
+    if (retval)
+	goto cleanup;
     for (i = 0; i < keybytes; i++)
 	prf1[i] ^= prf2[i];
-    zap(prf2, keybytes);
-    retval = krb5int_c_init_keyblock( context, out_enctype_num, keylength, &out_key);
-    if (retval != 0)
+    retval = krb5int_c_init_keyblock(context, out_enctype_num, keylength,
+				     &out_key);
+    if (retval)
 	goto cleanup;
     keydata.data = prf1;
     keydata.length = keybytes;
-    retval = out_enctype->enc->make_key( &keydata, out_key);
+    retval = (*out_enctype->enc->make_key)(&keydata, out_key);
+    if (retval)
+	goto cleanup;
 
- cleanup:
-    if (retval == 0)
-	*out = out_key;
-    else krb5int_c_free_keyblock( context, out_key);
-    if (prf1 != NULL) {
-	zap(prf1, keybytes);
-	free(prf1);
-    }
-    if (prf2 != NULL)
-	free(prf2);
+    *out = out_key;
+    out_key = NULL;
+
+cleanup:
+    krb5int_c_free_keyblock( context, out_key);
+    zapfree(prf1, keybytes);
+    zapfree(prf2, keybytes);
     return retval;
 }

Modified: trunk/src/lib/crypto/krb/checksum_length.c
===================================================================
--- trunk/src/lib/crypto/krb/checksum_length.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/checksum_length.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -39,7 +39,7 @@
     }
 
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
 
     if (krb5_cksumtypes_list[i].keyhash)
 	*length = krb5_cksumtypes_list[i].keyhash->hashsize;
@@ -48,6 +48,6 @@
     else
 	*length = krb5_cksumtypes_list[i].hash->hashsize;
 
-    return(0);
+    return 0;
 }
 	

Modified: trunk/src/lib/crypto/krb/cksumtype_to_string.c
===================================================================
--- trunk/src/lib/crypto/krb/cksumtype_to_string.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/cksumtype_to_string.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -32,14 +32,14 @@
 {
     unsigned int i;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype) {
 	    if (strlcpy(buffer, krb5_cksumtypes_list[i].out_string,
 			buflen) >= buflen)
-		return(ENOMEM);
-	    return(0);
+		return ENOMEM;
+	    return 0;
 	}
     }
 
-    return(EINVAL);
+    return EINVAL;
 }

Modified: trunk/src/lib/crypto/krb/cksumtypes.c
===================================================================
--- trunk/src/lib/crypto/krb/cksumtypes.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/cksumtypes.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -88,4 +88,4 @@
 };
 
 const unsigned int krb5_cksumtypes_length =
-sizeof(krb5_cksumtypes_list)/sizeof(struct krb5_cksumtypes);
+    sizeof(krb5_cksumtypes_list) / sizeof(struct krb5_cksumtypes);

Modified: trunk/src/lib/crypto/krb/cksumtypes.h
===================================================================
--- trunk/src/lib/crypto/krb/cksumtypes.h	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/cksumtypes.h	2009-10-03 16:03:15 UTC (rev 22839)
@@ -34,23 +34,29 @@
     char *name;
     char *aliases[2];
     char *out_string;
-    /* if the hash is keyed, this is the etype it is keyed with.
-       Actually, it can be keyed by any etype which has the same
-       enc_provider as the specified etype.  DERIVE checksums can
-       be keyed with any valid etype. */
+    /*
+     * If the hash is keyed, this is the etype it is keyed with.
+     * Actually, it can be keyed by any etype which has the same
+     * enc_provider as the specified etype.  DERIVE checksums can
+     * be keyed with any valid etype.
+     */
     krb5_enctype keyed_etype;
-    /* I can't statically initialize a union, so I'm just going to use
-       two pointers here.  The keyhash is used if non-NULL.  If NULL,
-       then HMAC/hash with derived keys is used if the relevant flag
-       is set.  Otherwise, a non-keyed hash is computed.  This is all
-       kind of messy, but so is the krb5 api. */
+    /*
+     * I can't statically initialize a union, so I'm just going to use
+     * two pointers here.  The keyhash is used if non-NULL.  If NULL,
+     * then HMAC/hash with derived keys is used if the relevant flag
+     * is set.  Otherwise, a non-keyed hash is computed.  This is all
+     * kind of messy, but so is the krb5 api.
+     */
     const struct krb5_keyhash_provider *keyhash;
     const struct krb5_hash_provider *hash;
-    /* This just gets uglier and uglier.  In the key derivation case,
-       we produce an hmac.  To make the hmac code work, we can't hack
-       the output size indicated by the hash provider, but we may want
-       a truncated hmac.  If we want truncation, this is the number of
-       bytes we truncate to; it should be 0 otherwise.  */
+    /*
+     * This just gets uglier and uglier.  In the key derivation case,
+     * we produce an hmac.  To make the hmac code work, we can't hack
+     * the output size indicated by the hash provider, but we may want
+     * a truncated hmac.  If we want truncation, this is the number of
+     * bytes we truncate to; it should be 0 otherwise.
+     */
     unsigned int trunc_size;
 };
 

Modified: trunk/src/lib/crypto/krb/coll_proof_cksum.c
===================================================================
--- trunk/src/lib/crypto/krb/coll_proof_cksum.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/coll_proof_cksum.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -32,19 +32,19 @@
 {
     unsigned int i;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == ctype)
 	    return((krb5_cksumtypes_list[i].flags &
-		    KRB5_CKSUMFLAG_NOT_COLL_PROOF)?0:1);
+		    KRB5_CKSUMFLAG_NOT_COLL_PROOF) ? FALSE : TRUE);
     }
 
     /* ick, but it's better than coredumping, which is what the
        old code would have done */
-    return(0);
+    return FALSE;
 }
 
 krb5_boolean KRB5_CALLCONV
 is_coll_proof_cksum(krb5_cksumtype ctype)
 {
-    return krb5_c_is_coll_proof_cksum (ctype);
+    return krb5_c_is_coll_proof_cksum(ctype);
 }

Modified: trunk/src/lib/crypto/krb/combine_keys.c
===================================================================
--- trunk/src/lib/crypto/krb/combine_keys.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/combine_keys.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -46,9 +46,9 @@
 #include "etypes.h"
 #include "dk.h"
 
-static krb5_error_code dr
-(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
-		unsigned char *outdata, const krb5_data *in_constant);
+static krb5_error_code dr(const struct krb5_enc_provider *enc,
+			  const krb5_keyblock *inkey, unsigned char *outdata,
+			  const krb5_data *in_constant);
 
 /*
  * We only support this combine_keys algorithm for des and 3des keys.
@@ -56,86 +56,66 @@
  * We don't implement that yet.
  */
 
-static krb5_boolean  enctype_ok (krb5_enctype e) 
+static krb5_boolean
+enctype_ok(krb5_enctype e)
 {
     switch (e) {
     case ENCTYPE_DES_CBC_CRC:
     case ENCTYPE_DES_CBC_MD4:
     case ENCTYPE_DES_CBC_MD5:
     case ENCTYPE_DES3_CBC_SHA1:
-	return 1;
+	return TRUE;
     default:
-	return 0;
+	return FALSE;
     }
 }
 
-krb5_error_code krb5int_c_combine_keys
-(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey)
+krb5_error_code
+krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
+		       krb5_keyblock *key2, krb5_keyblock *outkey)
 {
-    unsigned char *r1, *r2, *combined, *rnd, *output;
+    unsigned char *r1 = NULL, *r2 = NULL, *combined = NULL, *rnd = NULL;
+    unsigned char *output = NULL;
     size_t keybytes, keylength;
     const struct krb5_enc_provider *enc;
     krb5_data input, randbits;
     krb5_keyblock tkey;
     krb5_error_code ret;
-    int i, myalloc = 0;
-    if (!(enctype_ok(key1->enctype)&&enctype_ok(key2->enctype)))
-	return (KRB5_CRYPTO_INTERNAL);
-    
+    const struct krb5_keytypes *ktp;
+    krb5_boolean myalloc = FALSE;
 
+    if (!enctype_ok(key1->enctype) || !enctype_ok(key2->enctype))
+	return KRB5_CRYPTO_INTERNAL;
+
     if (key1->length != key2->length || key1->enctype != key2->enctype)
-	return (KRB5_CRYPTO_INTERNAL);
+	return KRB5_CRYPTO_INTERNAL;
 
-    /*
-     * Find our encryption algorithm
-     */
+    /* Find our encryption algorithm. */
+    ktp = find_enctype(key1->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key1->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return (KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-
     keybytes = enc->keybytes;
     keylength = enc->keylength;
 
-    /*
-     * Allocate and set up buffers
-     */
+    /* Allocate and set up buffers. */
+    r1 = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
+    r2 = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
+    rnd = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
+    combined = k5alloc(keybytes * 2, &ret);
+    if (ret)
+	goto cleanup;
+    output = k5alloc(keylength, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((r1 = (unsigned char *) malloc(keybytes)) == NULL)
-	return (ENOMEM);
-
-    if ((r2 = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(r1);
-	return (ENOMEM);
-    }
-
-    if ((rnd = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(r1);
-	free(r2);
-	return (ENOMEM);
-    }
-
-    if ((combined = (unsigned char *) malloc(keybytes * 2)) == NULL) {
-	free(r1);
-	free(r2);
-	free(rnd);
-	return (ENOMEM);
-    }
-
-    if ((output = (unsigned char *) malloc(keylength)) == NULL) {
-	free(r1);
-	free(r2);
-	free(rnd);
-	free(combined);
-	return (ENOMEM);
-    }
-
     /*
      * Get R1 and R2 (by running the input keys through the DR algorithm.
      * Note this is most of derive-key, but not all.
@@ -143,34 +123,16 @@
 
     input.length = key2->length;
     input.data = (char *) key2->contents;
-    if ((ret = dr(enc, key1, r1, &input)))
+    ret = dr(enc, key1, r1, &input);
+    if (ret)
 	goto cleanup;
 
-#if 0
-    {
-	int i;
-	printf("R1 =");
-	for (i = 0; i < keybytes; i++)
-	    printf(" %02x", (unsigned char) r1[i]);
-	printf("\n");
-    }
-#endif
-
     input.length = key1->length;
     input.data = (char *) key1->contents;
-    if ((ret = dr(enc, key2, r2, &input)))
+    ret = dr(enc, key2, r2, &input);
+    if (ret)
 	goto cleanup;
 
-#if 0
-    {
-	int i;
-	printf("R2 =");
-	for (i = 0; i < keybytes; i++)
-	    printf(" %02x", (unsigned char) r2[i]);
-	printf("\n");
-    }
-#endif
-
     /*
      * Concatenate the two keys together, and then run them through
      * n-fold to reduce them to a length appropriate for the random-to-key
@@ -183,16 +145,6 @@
 
     krb5_nfold((keybytes * 2) * 8, combined, keybytes * 8, rnd);
 
-#if 0
-    {
-	int i;
-	printf("rnd =");
-	for (i = 0; i < keybytes; i++)
-	    printf(" %02x", (unsigned char) rnd[i]);
-	printf("\n");
-    }
-#endif
-
     /*
      * Run the "random" bits through random-to-key to produce a encryption
      * key.
@@ -203,25 +155,16 @@
     tkey.length = keylength;
     tkey.contents = output;
 
-    if ((ret = (*(enc->make_key))(&randbits, &tkey)))
+    ret = (*enc->make_key)(&randbits, &tkey);
+    if (ret)
 	goto cleanup;
 
-#if 0
-    {
-	int i;
-	printf("tkey =");
-	for (i = 0; i < tkey.length; i++)
-	    printf(" %02x", (unsigned char) tkey.contents[i]);
-	printf("\n");
-    }
-#endif
-
     /*
      * Run through derive-key one more time to produce the final key.
      * Note that the input to derive-key is the ASCII string "combine".
      */
 
-    input.length = 7; /* Note; change this if string length changes */
+    input.length = 7;
     input.data = "combine";
 
     /*
@@ -234,17 +177,16 @@
      */
 
     if (outkey->length == 0 || outkey->contents == NULL) {
-	outkey->contents = (krb5_octet *) malloc(keylength);
-	if (!outkey->contents) {
-	    ret = ENOMEM;
+	outkey->contents = k5alloc(keylength, &ret);
+	if (ret)
 	    goto cleanup;
-	}
 	outkey->length = keylength;
 	outkey->enctype = key1->enctype;
-	myalloc = 1;
+	myalloc = TRUE;
     }
 
-    if ((ret = krb5_derive_key(enc, &tkey, outkey, &input))) {
+    ret = krb5_derive_key(enc, &tkey, outkey, &input);
+    if (ret) {
 	if (myalloc) {
 	    free(outkey->contents);
 	    outkey->contents = NULL;
@@ -252,59 +194,39 @@
 	goto cleanup;
     }
 
-#if 0
-    {
-	int i;
-	printf("output =");
-	for (i = 0; i < outkey->length; i++)
-	    printf(" %02x", (unsigned char) outkey->contents[i]);
-	printf("\n");
-    }
-#endif
-
-    ret = 0;
-
 cleanup:
-    memset(r1, 0, keybytes);
-    memset(r2, 0, keybytes);
-    memset(rnd, 0, keybytes);
-    memset(combined, 0, keybytes * 2);
-    memset(output, 0, keylength);
-
-    free(r1);
-    free(r2);
-    free(rnd);
-    free(combined);
-    free(output);
-
-    return (ret);
+    zapfree(r1, keybytes);
+    zapfree(r2, keybytes);
+    zapfree(rnd, keybytes);
+    zapfree(combined, keybytes * 2);
+    zapfree(output, keylength);
+    return ret;
 }
 
 /*
  * Our DR function; mostly taken from derive.c
  */
 
-static krb5_error_code dr
-(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, unsigned char *out, const krb5_data *in_constant)
+static krb5_error_code
+dr(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
+   unsigned char *out, const krb5_data *in_constant)
 {
-    size_t blocksize, keybytes, keylength, n;
-    unsigned char *inblockdata, *outblockdata;
+    size_t blocksize, keybytes, n;
+    unsigned char *inblockdata = NULL, *outblockdata = NULL;
     krb5_data inblock, outblock;
+    krb5_error_code ret;
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
-    keylength = enc->keylength;
 
-    /* allocate and set up buffers */
+    /* Allocate and set up buffers. */
+    inblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    outblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((inblockdata = (unsigned char *) malloc(blocksize)) == NULL)
-	return(ENOMEM);
-
-    if ((outblockdata = (unsigned char *) malloc(blocksize)) == NULL) {
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
     inblock.data = (char *) inblockdata;
     inblock.length = blocksize;
 
@@ -324,26 +246,23 @@
 
     n = 0;
     while (n < keybytes) {
-	(*(enc->encrypt))(inkey, 0, &inblock, &outblock);
+	ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+	if (ret)
+	    goto cleanup;
 
 	if ((keybytes - n) <= outblock.length) {
-	    memcpy(out+n, outblock.data, (keybytes - n));
+	    memcpy(out + n, outblock.data, (keybytes - n));
 	    break;
 	}
 
-	memcpy(out+n, outblock.data, outblock.length);
+	memcpy(out + n, outblock.data, outblock.length);
 	memcpy(inblock.data, outblock.data, outblock.length);
 	n += outblock.length;
     }
 
-    /* clean memory, free resources and exit */
-
-    memset(inblockdata, 0, blocksize);
-    memset(outblockdata, 0, blocksize);
-
-    free(outblockdata);
-    free(inblockdata);
-
-    return(0);
+cleanup:
+    zapfree(inblockdata, blocksize);
+    zapfree(outblockdata, blocksize);
+    return ret;
 }
 

Modified: trunk/src/lib/crypto/krb/crypto_length.c
===================================================================
--- trunk/src/lib/crypto/krb/crypto_length.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/crypto_length.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -29,25 +29,15 @@
 #include "aead.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_crypto_length(krb5_context context,
-		     krb5_enctype enctype,
-		     krb5_cryptotype type,
-		     unsigned int *size)
+krb5_c_crypto_length(krb5_context context, krb5_enctype enctype,
+		     krb5_cryptotype type, unsigned int *size)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
     krb5_error_code ret;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
     switch (type) {
     case KRB5_CRYPTO_TYPE_EMPTY:
@@ -63,7 +53,8 @@
     case KRB5_CRYPTO_TYPE_PADDING:
     case KRB5_CRYPTO_TYPE_TRAILER:
     case KRB5_CRYPTO_TYPE_CHECKSUM:
-	ret = ktp->aead->crypto_length(ktp->aead, ktp->enc, ktp->hash, type, size);
+	ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash,
+					  type, size);
 	break;
     default:
 	ret = EINVAL;
@@ -74,55 +65,37 @@
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_padding_length(krb5_context context,
-		      krb5_enctype enctype,
-		      size_t data_length,
-		      unsigned int *pad_length)
+krb5_c_padding_length(krb5_context context, krb5_enctype enctype,
+		      size_t data_length, unsigned int *pad_length)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
-    return krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash, data_length, pad_length);
+    return krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash,
+				    data_length, pad_length);
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_crypto_length_iov(krb5_context context,
-			 krb5_enctype enctype,
-			 krb5_crypto_iov *data,
-			 size_t num_data)
+krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype,
+			 krb5_crypto_iov *data, size_t num_data)
 {
     krb5_error_code ret = 0;
     size_t i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
     unsigned int data_length = 0, pad_length;
     krb5_crypto_iov *padding = NULL;
 
     /*
      * XXX need to rejig internal interface so we can accurately
-     * report variable header lengths
+     * report variable header lengths.
      */
 
-    for (i = 0; i < (size_t)krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
     for (i = 0; i < num_data; i++) {
 	krb5_crypto_iov *iov = &data[i];
@@ -140,7 +113,8 @@
 	case KRB5_CRYPTO_TYPE_HEADER:
 	case KRB5_CRYPTO_TYPE_TRAILER:
 	case KRB5_CRYPTO_TYPE_CHECKSUM:
-	    ret = ktp->aead->crypto_length(ktp->aead, ktp->enc, ktp->hash, iov->flags, &iov->data.length);
+	    ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash,
+					      iov->flags, &iov->data.length);
 	    break;
 	case KRB5_CRYPTO_TYPE_EMPTY:
 	case KRB5_CRYPTO_TYPE_SIGN_ONLY:
@@ -155,7 +129,8 @@
     if (ret != 0)
 	return ret;
 
-    ret = krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash, data_length, &pad_length);
+    ret = krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash,
+				   data_length, &pad_length);
     if (ret != 0)
 	return ret;
 

Modified: trunk/src/lib/crypto/krb/decrypt.c
===================================================================
--- trunk/src/lib/crypto/krb/decrypt.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/decrypt.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -33,35 +33,23 @@
 	       krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_enc_data *input, krb5_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length) {
-	krb5int_set_error(&context->err, KRB5_BAD_ENCTYPE,
-			  "Bad encryption type (type %d unknown)",
-			  key->enctype);
-	return(KRB5_BAD_ENCTYPE);
-    }
+    if (input->enctype != ENCTYPE_UNKNOWN && ktp->etype != input->enctype)
+	return KRB5_BAD_ENCTYPE;
 
-    if ((input->enctype != ENCTYPE_UNKNOWN) &&
-	(krb5_enctypes_list[i].etype != input->enctype))
-	return(KRB5_BAD_ENCTYPE);
+    if (ktp->decrypt == NULL) {
+	assert(ktp->aead != NULL);
 
-    if (krb5_enctypes_list[i].decrypt == NULL) {
-	assert(krb5_enctypes_list[i].aead != NULL);
-
-	return krb5int_c_decrypt_aead_compat(krb5_enctypes_list[i].aead,
-					     krb5_enctypes_list[i].enc,
-					     krb5_enctypes_list[i].hash,
+	return krb5int_c_decrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash,
 					     key, usage, ivec,
 					     &input->ciphertext, output);
     }
 
-    return((*(krb5_enctypes_list[i].decrypt))
-	   (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    key, usage, ivec, &input->ciphertext, output));
+    return (*ktp->decrypt)(ktp->enc, ktp->hash, key, usage, ivec,
+			   &input->ciphertext, output);
 }

Modified: trunk/src/lib/crypto/krb/decrypt_iov.c
===================================================================
--- trunk/src/lib/crypto/krb/decrypt_iov.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/decrypt_iov.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -36,26 +36,20 @@
 		   krb5_crypto_iov *data,
 		   size_t num_data)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
-    if (krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM) != NULL) {
+    if (krb5int_c_locate_iov(data, num_data,
+			     KRB5_CRYPTO_TYPE_STREAM) != NULL) {
 	return krb5int_c_iov_decrypt_stream(ktp->aead, ktp->enc, ktp->hash,
-					    key, usage, cipher_state, data, num_data);
+					    key, usage, cipher_state, data,
+					    num_data);
     }
 
-    return ktp->aead->decrypt_iov(ktp->aead, ktp->enc, ktp->hash,
-				  key, usage, cipher_state, data, num_data);
+    return (*ktp->aead->decrypt_iov)(ktp->aead, ktp->enc, ktp->hash, key,
+				     usage, cipher_state, data, num_data);
 }
 

Modified: trunk/src/lib/crypto/krb/encrypt.c
===================================================================
--- trunk/src/lib/crypto/krb/encrypt.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/encrypt.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -33,31 +33,24 @@
 	       krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_data *input, krb5_enc_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
     output->magic = KV5M_ENC_DATA;
     output->kvno = 0;
     output->enctype = key->enctype;
 
-    if (krb5_enctypes_list[i].encrypt == NULL) {
-	assert(krb5_enctypes_list[i].aead != NULL);
+    if (ktp->encrypt == NULL) {
+	assert(ktp->aead != NULL);
 
-	return krb5int_c_encrypt_aead_compat(krb5_enctypes_list[i].aead,
-					     krb5_enctypes_list[i].enc,
-					     krb5_enctypes_list[i].hash,
-					     key, usage, ivec,
-					     input, &output->ciphertext);
+	return krb5int_c_encrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash,
+					     key, usage, ivec, input,
+					     &output->ciphertext);
     }
 
-    return((*(krb5_enctypes_list[i].encrypt))
-	   (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    key, usage, ivec, input, &output->ciphertext));
+    return (*ktp->encrypt)(ktp->enc, ktp->hash, key, usage, ivec, input,
+			   &output->ciphertext);
 }

Modified: trunk/src/lib/crypto/krb/encrypt_iov.c
===================================================================
--- trunk/src/lib/crypto/krb/encrypt_iov.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/encrypt_iov.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -35,21 +35,13 @@
 		   krb5_crypto_iov *data,
 		   size_t num_data)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
-    return ktp->aead->encrypt_iov(ktp->aead, ktp->enc, ktp->hash,
-				  key, usage, cipher_state, data, num_data);
+    return (*ktp->aead->encrypt_iov)(ktp->aead, ktp->enc, ktp->hash,
+				     key, usage, cipher_state, data, num_data);
 }
 

Modified: trunk/src/lib/crypto/krb/encrypt_length.c
===================================================================
--- trunk/src/lib/crypto/krb/encrypt_length.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/encrypt_length.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -32,28 +32,20 @@
 krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
 		      size_t inputlen, size_t *length)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
+    if (ktp->encrypt_len == NULL) {
+	assert(ktp->aead != NULL);
 
-    if (krb5_enctypes_list[i].encrypt_len == NULL) {
-	assert(krb5_enctypes_list[i].aead != NULL);
-
-	krb5int_c_encrypt_length_aead_compat(krb5_enctypes_list[i].aead,
-					     krb5_enctypes_list[i].enc,
-					     krb5_enctypes_list[i].hash,
+	krb5int_c_encrypt_length_aead_compat(ktp->aead, ktp->enc, ktp->hash,
 					     inputlen, length);
     } else {
-	(*(krb5_enctypes_list[i].encrypt_len))
-	    (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    inputlen, length);
+	(*ktp->encrypt_len)(ktp->enc, ktp->hash, inputlen, length);
     }
 
-    return(0);
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/enctype_compare.c
===================================================================
--- trunk/src/lib/crypto/krb/enctype_compare.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/enctype_compare.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -31,25 +31,13 @@
 krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2,
 		       krb5_boolean *similar)
 {
-    int i, j;
+    const struct krb5_keytypes *ktp1, *ktp2;
 
-    for (i=0; i<krb5_enctypes_length; i++) 
-	if (krb5_enctypes_list[i].etype == e1)
-	    break;
+    ktp1 = find_enctype(e1);
+    ktp2 = find_enctype(e2);
+    if (ktp1 == NULL || ktp2 == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    for (j=0; j<krb5_enctypes_length; j++) 
-	if (krb5_enctypes_list[j].etype == e2)
-	    break;
-
-    if (j == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    *similar = 
-	((krb5_enctypes_list[i].enc == krb5_enctypes_list[j].enc) &&
-	 (krb5_enctypes_list[i].str2key == krb5_enctypes_list[j].str2key));
-
-    return(0);
+    *similar = (ktp1->enc == ktp2->enc && ktp1->str2key == ktp2->str2key);
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/enctype_to_string.c
===================================================================
--- trunk/src/lib/crypto/krb/enctype_to_string.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/enctype_to_string.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -30,16 +30,12 @@
 krb5_error_code KRB5_CALLCONV
 krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    if (strlcpy(buffer, krb5_enctypes_list[i].out_string,
-			buflen) >= buflen)
-		return(ENOMEM);
-	    return(0);
-	}
-    }
-
-    return(EINVAL);
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return EINVAL;
+    if (strlcpy(buffer, ktp->out_string, buflen) >= buflen)
+	return ENOMEM;
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/etypes.c
===================================================================
--- trunk/src/lib/crypto/krb/etypes.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/etypes.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -167,4 +167,4 @@
 };
 
 const int krb5_enctypes_length =
-sizeof(krb5_enctypes_list)/sizeof(struct krb5_keytypes);
+    sizeof(krb5_enctypes_list) / sizeof(struct krb5_keytypes);

Modified: trunk/src/lib/crypto/krb/etypes.h
===================================================================
--- trunk/src/lib/crypto/krb/etypes.h	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/etypes.h	2009-10-03 16:03:15 UTC (rev 22839)
@@ -26,21 +26,27 @@
 
 #include "k5-int.h"
 
-typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
-  const struct krb5_hash_provider *hash,
-  size_t inputlen, size_t *length);
+typedef void (*krb5_encrypt_length_func)(const struct krb5_enc_provider *enc,
+					 const struct krb5_hash_provider *hash,
+					 size_t inputlen, size_t *length);
 
-typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc,
-  const struct krb5_hash_provider *hash,
-  const krb5_keyblock *key, krb5_keyusage keyusage,
-  const krb5_data *ivec, 
-  const krb5_data *input, krb5_data *output);
+typedef krb5_error_code (*krb5_crypt_func)(const struct krb5_enc_provider *enc,
+					   const struct
+					   krb5_hash_provider *hash,
+					   const krb5_keyblock *key,
+					   krb5_keyusage keyusage,
+					   const krb5_data *ivec,
+					   const krb5_data *input,
+					   krb5_data *output);
 
-typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string,
-  const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key);
+typedef krb5_error_code (*krb5_str2key_func)(const struct
+					     krb5_enc_provider *enc,
+					     const krb5_data *string,
+					     const krb5_data *salt,
+					     const krb5_data *parm,
+					     krb5_keyblock *key);
 
-typedef krb5_error_code (*krb5_prf_func)(
-					 const struct krb5_enc_provider *enc,
+typedef krb5_error_code (*krb5_prf_func)(const struct krb5_enc_provider *enc,
 					 const struct krb5_hash_provider *hash,
 					 const krb5_keyblock *key,
 					 const krb5_data *in, krb5_data *out);
@@ -68,11 +74,12 @@
 extern const struct krb5_keytypes krb5_enctypes_list[];
 extern const int krb5_enctypes_length;
 
-static inline const struct krb5_keytypes*
-find_enctype (krb5_enctype enctype)
+static inline const struct krb5_keytypes *
+find_enctype(krb5_enctype enctype)
 {
     int i;
-    for (i=0; i<krb5_enctypes_length; i++) {
+
+    for (i = 0; i < krb5_enctypes_length; i++) {
 	if (krb5_enctypes_list[i].etype == enctype)
 	    break;
     }

Modified: trunk/src/lib/crypto/krb/keyblocks.c
===================================================================
--- trunk/src/lib/crypto/krb/keyblocks.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/keyblocks.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -33,29 +33,31 @@
 #include "k5-int.h"
 #include <assert.h>
 
-krb5_error_code   krb5int_c_init_keyblock
-	(krb5_context context, krb5_enctype enctype,
-	 size_t length, krb5_keyblock **out)
+krb5_error_code
+krb5int_c_init_keyblock(krb5_context context, krb5_enctype enctype,
+			size_t length, krb5_keyblock **out)
 {
     krb5_keyblock *kb;
-    kb = malloc (sizeof(krb5_keyblock));
-    assert (out);
+
+    assert(out);
     *out = NULL;
-    if (!kb) {
+
+    kb = malloc(sizeof(krb5_keyblock));
+    if (kb == NULL)
 	return ENOMEM;
-    }
     kb->magic = KV5M_KEYBLOCK;
     kb->enctype = enctype;
     kb->length = length;
-    if(length) {
-	kb->contents = malloc (length);
-	if(!kb->contents) {
-	    free (kb);
+    if (length) {
+	kb->contents = malloc(length);
+	if (!kb->contents) {
+	    free(kb);
 	    return ENOMEM;
 	}
     } else {
 	kb->contents = NULL;
     }
+
     *out = kb;
     return 0;
 }
@@ -72,8 +74,7 @@
 krb5int_c_free_keyblock_contents(krb5_context context, krb5_keyblock *key)
 {
     if (key && key->contents) {
-	krb5int_zap_data (key->contents, key->length);
-	free(key->contents);
-	key->contents = 0;
+	zapfree(key->contents, key->length);
+	key->contents = NULL;
     }
 }

Modified: trunk/src/lib/crypto/krb/keyed_checksum_types.c
===================================================================
--- trunk/src/lib/crypto/krb/keyed_checksum_types.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/keyed_checksum_types.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -28,62 +28,54 @@
 #include "etypes.h"
 #include "cksumtypes.h"
 
-static int etype_match(krb5_enctype e1, krb5_enctype e2)
+static krb5_boolean
+etype_match(krb5_enctype e1, krb5_enctype e2)
 {
-    int i1, i2;
+    const struct krb5_keytypes *ktp1, *ktp2;
 
-    for (i1=0; i1<krb5_enctypes_length; i1++) 
-	if (krb5_enctypes_list[i1].etype == e1)
-	    break;
-
-    for (i2=0; i2<krb5_enctypes_length; i2++) 
-	if (krb5_enctypes_list[i2].etype == e2)
-	    break;
-
-    return((i1 < krb5_enctypes_length) &&
-	   (i2 < krb5_enctypes_length) &&
-	   (krb5_enctypes_list[i1].enc == krb5_enctypes_list[i2].enc));
+    ktp1 = find_enctype(e1);
+    ktp2 = find_enctype(e2);
+    return (ktp1 != NULL && ktp2 != NULL && ktp1->enc == ktp2->enc);
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
 			    unsigned int *count, krb5_cksumtype **cksumtypes)
 {
-    unsigned int i, c;
+    unsigned int i, c, nctypes;
+    krb5_cksumtype *ctypes;
+    const struct krb5_cksumtypes *ct;
 
-    c = 0;
-    for (i=0; i<krb5_cksumtypes_length; i++) {
-	if ((krb5_cksumtypes_list[i].keyhash &&
-	     etype_match(krb5_cksumtypes_list[i].keyed_etype, enctype)) ||
-	    (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE)) {
-	    c++;
-	}
+    *count = 0;
+    *cksumtypes = NULL;
+
+    nctypes = 0;
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
+	ct = &krb5_cksumtypes_list[i];
+	if ((ct->keyhash && etype_match(ct->keyed_etype, enctype)) ||
+	    (ct->flags & KRB5_CKSUMFLAG_DERIVE))
+	    nctypes++;
     }
 
-    *count = c;
+    ctypes = malloc(nctypes * sizeof(krb5_cksumtype));
+    if (ctypes == NULL)
+	return ENOMEM;
 
-    if ((*cksumtypes = (krb5_cksumtype *) malloc(c*sizeof(krb5_cksumtype)))
-	== NULL)
-	return(ENOMEM);
-
     c = 0;
-    for (i=0; i<krb5_cksumtypes_length; i++) {
-	if ((krb5_cksumtypes_list[i].keyhash &&
-	     etype_match(krb5_cksumtypes_list[i].keyed_etype, enctype)) ||
-	    (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE)) {
-	    (*cksumtypes)[c] = krb5_cksumtypes_list[i].ctype;
-	    c++;
-	}
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
+	ct = &krb5_cksumtypes_list[i];
+	if ((ct->keyhash && etype_match(ct->keyed_etype, enctype)) ||
+	    (ct->flags & KRB5_CKSUMFLAG_DERIVE))
+	    ctypes[c++] = krb5_cksumtypes_list[i].ctype;
     }
 
-    return(0);
+    *count = nctypes;
+    *cksumtypes = ctypes;
+    return 0;
 }
 
 void KRB5_CALLCONV
 krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val)
 {
-    if (val)
-	free(val);
-    return;
+    free(val);
 }
-

Modified: trunk/src/lib/crypto/krb/keyed_cksum.c
===================================================================
--- trunk/src/lib/crypto/krb/keyed_cksum.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/keyed_cksum.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -31,25 +31,22 @@
 krb5_c_is_keyed_cksum(krb5_cksumtype ctype)
 {
     unsigned int i;
+    const struct krb5_cksumtypes *ctp;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
-	if (krb5_cksumtypes_list[i].ctype == ctype) {
-	    if (krb5_cksumtypes_list[i].keyhash ||
-		(krb5_cksumtypes_list[i].flags &
-		 KRB5_CKSUMFLAG_DERIVE))
-		return(1);
-	    else
-		return(0);
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
+	ctp = &krb5_cksumtypes_list[i];
+	if (ctp->ctype == ctype) {
+	    return (ctp->keyhash != NULL ||
+		    (ctp->flags & KRB5_CKSUMFLAG_DERIVE));
 	}
     }
 
-    /* ick, but it's better than coredumping, which is what the
-       old code would have done */
-    return 0;   /* error case */
+    /* Invalid ctype.  This is misleading, but better than dumping core. */
+    return FALSE;
 }
 
 krb5_boolean KRB5_CALLCONV
 is_keyed_cksum(krb5_cksumtype ctype)
 {
-    return krb5_c_is_keyed_cksum (ctype);
+    return krb5_c_is_keyed_cksum(ctype);
 }

Modified: trunk/src/lib/crypto/krb/keylengths.c
===================================================================
--- trunk/src/lib/crypto/krb/keylengths.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/keylengths.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -39,23 +39,19 @@
 krb5_c_keylengths(krb5_context context, krb5_enctype enctype,
 		  size_t *keybytes, size_t *keylength)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
     if (keybytes == NULL && keylength == NULL)
-	return(EINVAL);
+	return EINVAL;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
     if (keybytes)
-	*keybytes = krb5_enctypes_list[i].enc->keybytes;
+	*keybytes = ktp->enc->keybytes;
     if (keylength)
-	*keylength = krb5_enctypes_list[i].enc->keylength;
+	*keylength = ktp->enc->keylength;
 
-    return(0);
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/make_checksum.c
===================================================================
--- trunk/src/lib/crypto/krb/make_checksum.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/make_checksum.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -35,56 +35,47 @@
 		     const krb5_data *input, krb5_checksum *cksum)
 {
     unsigned int i;
-    int e1, e2;
+    const struct krb5_cksumtypes *ctp;
+    const struct krb5_keytypes *ktp1, *ktp2;
+    const struct krb5_keyhash_provider *keyhash;
     krb5_data data;
+    krb5_octet *trunc;
     krb5_error_code ret;
     size_t cksumlen;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    if (krb5_cksumtypes_list[i].keyhash)
-	cksumlen = krb5_cksumtypes_list[i].keyhash->hashsize;
+    if (ctp->keyhash != NULL)
+	cksumlen = ctp->keyhash->hashsize;
     else
-	cksumlen = krb5_cksumtypes_list[i].hash->hashsize;
+	cksumlen = ctp->hash->hashsize;
 
     cksum->length = cksumlen;
+    cksum->contents = malloc(cksum->length);
+    if (cksum->contents == NULL)
+	return ENOMEM;
 
-    if ((cksum->contents = (krb5_octet *) malloc(cksum->length)) == NULL)
-	return(ENOMEM);
-
     data.length = cksum->length;
     data.data = (char *) cksum->contents;
 
-    if (krb5_cksumtypes_list[i].keyhash) {
+    if (ctp->keyhash) {
 	/* check if key is compatible */
-	const struct krb5_keyhash_provider *keyhash;
-
-	keyhash = krb5_cksumtypes_list[i].keyhash;
-
-	if (krb5_cksumtypes_list[i].keyed_etype) {
-	    for (e1=0; e1<krb5_enctypes_length; e1++) 
-		if (krb5_enctypes_list[e1].etype ==
-		    krb5_cksumtypes_list[i].keyed_etype)
-		    break;
-
-	    for (e2=0; e2<krb5_enctypes_length; e2++) 
-		if (krb5_enctypes_list[e2].etype == key->enctype)
-		    break;
-
-	    if ((e1 == krb5_enctypes_length) ||
-		(e2 == krb5_enctypes_length) ||
-		(krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)) {
+	if (ctp->keyed_etype) {
+	    ktp1 = find_enctype(ctp->keyed_etype);
+	    ktp2 = find_enctype(key->enctype);
+	    if (ktp1 == NULL || ktp2 == NULL || ktp1->enc != ktp2->enc) {
 		ret = KRB5_BAD_ENCTYPE;
 		goto cleanup;
 	    }
 	}
 
+	keyhash = ctp->keyhash;
 	if (keyhash->hash == NULL) {
 	    krb5_crypto_iov iov[1];
 
@@ -97,22 +88,19 @@
 	} else {
 	    ret = (*keyhash->hash)(key, usage, 0, input, &data);
 	}
-    } else if (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE) {
-	ret = krb5_dk_make_checksum(krb5_cksumtypes_list[i].hash,
-				    key, usage, input, &data);
+    } else if (ctp->flags & KRB5_CKSUMFLAG_DERIVE) {
+	ret = krb5_dk_make_checksum(ctp->hash, key, usage, input, &data);
     } else {
-	/* no key is used */
-
-	ret = (*(krb5_cksumtypes_list[i].hash->hash))(1, input, &data);
+	/* No key is used. */
+	ret = (*ctp->hash->hash)(1, input, &data);
     }
 
     if (!ret) {
 	cksum->magic = KV5M_CHECKSUM;
 	cksum->checksum_type = cksumtype;
-	if (krb5_cksumtypes_list[i].trunc_size) {
-	    krb5_octet *trunc;
-	    cksum->length = krb5_cksumtypes_list[i].trunc_size;
-	    trunc = (krb5_octet *) realloc(cksum->contents, cksum->length);
+	if (ctp->trunc_size) {
+	    cksum->length = ctp->trunc_size;
+	    trunc = realloc(cksum->contents, cksum->length);
 	    if (trunc)
 		cksum->contents = trunc;
 	}
@@ -120,10 +108,9 @@
 
 cleanup:
     if (ret) {
-	memset(cksum->contents, 0, cksum->length);
-	free(cksum->contents);
+	zapfree(cksum->contents, cksum->length);
 	cksum->contents = NULL;
     }
 
-    return(ret);
+    return ret;
 }

Modified: trunk/src/lib/crypto/krb/make_checksum_iov.c
===================================================================
--- trunk/src/lib/crypto/krb/make_checksum_iov.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/make_checksum_iov.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -41,22 +41,23 @@
     krb5_error_code ret;
     krb5_data cksum_data;
     krb5_crypto_iov *checksum;
+    const struct krb5_cksumtypes *ctp;
 
     for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    if (krb5_cksumtypes_list[i].keyhash != NULL)
-	cksum_data.length = krb5_cksumtypes_list[i].keyhash->hashsize;
+    if (ctp->keyhash != NULL)
+	cksum_data.length = ctp->keyhash->hashsize;
     else
-	cksum_data.length = krb5_cksumtypes_list[i].hash->hashsize;
+	cksum_data.length = ctp->hash->hashsize;
 
-    if (krb5_cksumtypes_list[i].trunc_size != 0)
-	cksumlen = krb5_cksumtypes_list[i].trunc_size;
+    if (ctp->trunc_size != 0)
+	cksumlen = ctp->trunc_size;
     else
 	cksumlen = cksum_data.length;
 

Modified: trunk/src/lib/crypto/krb/make_random_key.c
===================================================================
--- trunk/src/lib/crypto/krb/make_random_key.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/make_random_key.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -31,53 +31,46 @@
 krb5_c_make_random_key(krb5_context context, krb5_enctype enctype,
 		       krb5_keyblock *random_key)
 {
-    int i;
     krb5_error_code ret;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
     size_t keybytes, keylength;
     krb5_data random_data;
-    unsigned char *bytes;
+    unsigned char *bytes = NULL;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-
     keybytes = enc->keybytes;
     keylength = enc->keylength;
 
-    if ((bytes = (unsigned char *) malloc(keybytes)) == NULL)
-	return(ENOMEM);
-    if ((random_key->contents = (krb5_octet *) malloc(keylength)) == NULL) {
-	free(bytes);
-	return(ENOMEM);
-    }
+    bytes = k5alloc(keybytes, &ret);
+    if (ret)
+	return ret;
+    random_key->contents = k5alloc(keylength, &ret);
+    if (ret)
+	goto cleanup;
 
     random_data.data = (char *) bytes;
     random_data.length = keybytes;
 
-    if ((ret = krb5_c_random_make_octets(context, &random_data)))
+    ret = krb5_c_random_make_octets(context, &random_data);
+    if (ret)
 	goto cleanup;
 
     random_key->magic = KV5M_KEYBLOCK;
     random_key->enctype = enctype;
     random_key->length = keylength;
 
-    ret = ((*(enc->make_key))(&random_data, random_key));
+    ret = (*enc->make_key)(&random_data, random_key);
 
 cleanup:
-    memset(bytes, 0, keybytes);
-    free(bytes);
-
     if (ret) {
-	memset(random_key->contents, 0, keylength);
-	free(random_key->contents);
+	zapfree(random_key->contents, keylength);
+	random_key->contents = NULL;
     }
-
-    return(ret);
+    zapfree(bytes, keybytes);
+    return ret;
 }

Modified: trunk/src/lib/crypto/krb/mandatory_sumtype.c
===================================================================
--- trunk/src/lib/crypto/krb/mandatory_sumtype.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/mandatory_sumtype.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -26,16 +26,14 @@
 #include "etypes.h"
 
 krb5_error_code
-krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype,
-			       krb5_cksumtype *cksumtype)
+krb5int_c_mandatory_cksumtype(krb5_context ctx, krb5_enctype etype,
+			      krb5_cksumtype *cksumtype)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++)
-	if (krb5_enctypes_list[i].etype == etype) {
-	    *cksumtype = krb5_enctypes_list[i].required_ctype;
-	    return 0;
-	}
-
-    return KRB5_BAD_ENCTYPE;
+    ktp = find_enctype(etype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    *cksumtype = ktp->required_ctype;
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/old_api_glue.c
===================================================================
--- trunk/src/lib/crypto/krb/old_api_glue.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/old_api_glue.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -37,28 +37,31 @@
     krb5_error_code ret;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
     }
 
-    /* size is the length of the input cleartext data */
+    /* size is the length of the input cleartext data. */
     inputd.length = size;
     inputd.data = inptr;
 
-    /* The size of the output buffer isn't part of the old api.  Not too
-       safe.  So, we assume here that it's big enough. */
-    if ((ret = krb5_c_encrypt_length(context, eblock->key->enctype, size,
-				     &outlen)))
-	return(ret);
+    /*
+     * The size of the output buffer isn't part of the old api.  Not too
+     * safe.  So, we assume here that it's big enough.
+     */
+    ret = krb5_c_encrypt_length(context, eblock->key->enctype, size, &outlen);
+    if (ret)
+	return ret;
 
     outputd.ciphertext.length = outlen;
     outputd.ciphertext.data = outptr;
 
-    return(krb5_c_encrypt(context, eblock->key, 0, ivec?&ivecd:0,
-			  &inputd, &outputd));
+    return krb5_c_encrypt(context, eblock->key, 0, ivec ? &ivecd : 0,
+			  &inputd, &outputd);
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -72,8 +75,9 @@
     krb5_error_code ret;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
@@ -90,8 +94,8 @@
     outputd.length = size;
     outputd.data = outptr;
 
-    return(krb5_c_decrypt(context, eblock->key, 0, ivec?&ivecd:0,
-			  &inputd, &outputd));
+    return krb5_c_decrypt(context, eblock->key, 0, ivec ? &ivecd : 0,
+			  &inputd, &outputd);
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -100,13 +104,13 @@
 {
     eblock->key = (krb5_keyblock *) key;
 
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_finish_key(krb5_context context, krb5_encrypt_block *eblock)
 {
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -114,8 +118,8 @@
 		   krb5_keyblock *keyblock, const krb5_data *data,
 		   const krb5_data *salt)
 {
-    return(krb5_c_string_to_key(context, eblock->crypto_entry, data, salt,
-				keyblock));
+    return krb5_c_string_to_key(context, eblock->crypto_entry, data, salt,
+				keyblock);
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -127,14 +131,14 @@
     data.length = keyblock->length;
     data.data = (char *) keyblock->contents;
 
-    return(krb5_c_random_seed(context, &data));
+    return krb5_c_random_seed(context, &data);
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock,
 		       krb5_pointer *ptr)
 {
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -144,23 +148,26 @@
     krb5_keyblock *key;
     krb5_error_code ret;
 
-    if ((key = (krb5_keyblock *) malloc(sizeof(krb5_keyblock))) == NULL)
-	return(ENOMEM);
+    *keyblock = NULL;
 
-    if ((ret = krb5_c_make_random_key(context, eblock->crypto_entry, key))) {
+    key = malloc(sizeof(krb5_keyblock));
+    if (key == NULL)
+	return ENOMEM;
+
+    ret = krb5_c_make_random_key(context, eblock->crypto_entry, key);
+    if (ret) {
 	free(key);
-	key = NULL;
+	return ret;
     }
 
     *keyblock = key;
-
     return(ret);
 }
 
 krb5_enctype KRB5_CALLCONV
 krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock)
 {
-    return(eblock->crypto_entry);
+    return eblock->crypto_entry;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -169,7 +176,7 @@
 {
     eblock->crypto_entry = enctype;
 
-    return(0);
+    return 0;
 }
 
 size_t KRB5_CALLCONV
@@ -177,10 +184,10 @@
 {
     size_t ret;
 
-    if (krb5_c_encrypt_length(/* XXX */ 0, crypto, length, &ret))
-	return(-1); /* XXX */
+    if (krb5_c_encrypt_length(NULL, crypto, length, &ret))
+	return (size_t) -1; /* XXX */
 
-    return(ret);
+    return ret;
 }
 
 size_t KRB5_CALLCONV
@@ -189,9 +196,9 @@
     size_t ret;
 
     if (krb5_c_checksum_length(context, ctype, &ret))
-	return(-1); /* XXX */
+	return (size_t) -1; /* XXX */
 
-    return(ret);
+    return ret;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -211,13 +218,14 @@
     key.length = seed_length;
     key.contents = seed;
 
-    if ((ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum)))
-	return(ret);
+    ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum);
+    if (ret)
+	return ret;
 
     if (outcksum->length < cksum.length) {
 	memset(cksum.contents, 0, cksum.length);
 	free(cksum.contents);
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
     }
 
     outcksum->magic = cksum.magic;
@@ -247,14 +255,14 @@
     key.length = seed_length;
     key.contents = seed;
 
-    if ((ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum,
-				      &valid)))
-	return(ret);
+    ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, &valid);
+    if (ret)
+	return ret;
 
     if (!valid)
-	return(KRB5KRB_AP_ERR_BAD_INTEGRITY);
+	return KRB5KRB_AP_ERR_BAD_INTEGRITY;
 
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -265,7 +273,7 @@
     random_data.length = size;
     random_data.data = ptr;
 
-    return(krb5_c_random_make_octets(/* XXX */ 0, &random_data));
+    return krb5_c_random_make_octets(NULL, &random_data);
 }
 
 krb5_error_code krb5_encrypt_data(krb5_context context, krb5_keyblock *key,
@@ -276,13 +284,14 @@
     size_t enclen, blocksize;
     krb5_data ivecd;
 
-    if ((ret = krb5_c_encrypt_length(context, key->enctype, data->length,
-				     &enclen)))
-	return(ret);
+    ret = krb5_c_encrypt_length(context, key->enctype, data->length, &enclen);
+    if (ret)
+	return ret;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
@@ -292,13 +301,15 @@
     enc_data->kvno = 0;
     enc_data->enctype = key->enctype;
     enc_data->ciphertext.length = enclen;
-    if ((enc_data->ciphertext.data = malloc(enclen)) == NULL)
-	return(ENOMEM);
+    enc_data->ciphertext.data = malloc(enclen);
+    if (enc_data->ciphertext.data == NULL)
+	return ENOMEM;
 
-    if ((ret = krb5_c_encrypt(context, key, 0, ivec?&ivecd:0, data, enc_data)))
+    ret = krb5_c_encrypt(context, key, 0, ivec ? &ivecd : 0, data, enc_data);
+    if (ret)
 	free(enc_data->ciphertext.data);
 
-    return(ret);
+    return ret;
 }
 
 krb5_error_code krb5_decrypt_data(krb5_context context, krb5_keyblock *key,
@@ -310,19 +321,22 @@
     size_t blocksize;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
     }
 
     data->length = enc_data->ciphertext.length;
-    if ((data->data = (char *) malloc(data->length)) == NULL)
-	return(ENOMEM);
+    data->data = malloc(data->length);
+    if (data->data == NULL)
+	return ENOMEM;
 
-    if ((ret = krb5_c_decrypt(context, key, 0, ivec?&ivecd:0, enc_data, data)))
+    ret = krb5_c_decrypt(context, key, 0, ivec ? &ivecd : 0, enc_data, data);
+    if (ret)
 	free(data->data);
 
-    return(0);
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/prf.c
===================================================================
--- trunk/src/lib/crypto/krb/prf.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/prf.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -37,51 +37,35 @@
 #include <assert.h>
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_prf_length(krb5_context context, krb5_enctype enctype,
-		  size_t *len)
+krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len)
 {
-    int i;
-    assert (len);
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    *len = krb5_enctypes_list[i].prf_length;
+    assert(len);
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    *len = ktp->prf_length;
     return 0;
-    
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_c_prf(krb5_context context, const krb5_keyblock *key,
 	   krb5_data *input, krb5_data *output)
 {
-    int i;
-    size_t len;
+    const struct krb5_keytypes *ktp;
+
     assert(input && output);
-    assert (output->data);
+    assert(output->data);
 
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    if (ktp->prf == NULL)
+	return KRB5_CRYPTO_INTERNAL;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
     output->magic = KV5M_DATA;
-    if (!krb5_enctypes_list[i].prf)
-	return (KRB5_CRYPTO_INTERNAL);
-    krb5_c_prf_length (context, key->enctype, &len);
-    if (len != output->length)
-	return (KRB5_CRYPTO_INTERNAL);
-    return((*(krb5_enctypes_list[i].prf))
-	   (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    key,  input, output));
+    if (ktp->prf_length != output->length)
+	return KRB5_CRYPTO_INTERNAL;
+    return (*ktp->prf)(ktp->enc, ktp->hash, key, input, output);
 }
-

Modified: trunk/src/lib/crypto/krb/prng.c
===================================================================
--- trunk/src/lib/crypto/krb/prng.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/prng.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -38,27 +38,28 @@
  */
 
 static size_t
-entropy_estimate (unsigned int randsource, size_t length)
+entropy_estimate(unsigned int randsource, size_t length)
 {
-  switch (randsource) {
-  case KRB5_C_RANDSOURCE_OLDAPI:
-    return (4*length);
-  case KRB5_C_RANDSOURCE_OSRAND:
-    return (8*length);
-  case KRB5_C_RANDSOURCE_TRUSTEDPARTY:
-    return (4*length);
-  case KRB5_C_RANDSOURCE_TIMING:return (2);
-  case KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL:
-    return (0);
-  default:
-    abort();
-  }
-return (0);
+    switch (randsource) {
+    case KRB5_C_RANDSOURCE_OLDAPI:
+	return 4 * length;
+    case KRB5_C_RANDSOURCE_OSRAND:
+	return 8 * length;
+    case KRB5_C_RANDSOURCE_TRUSTEDPARTY:
+	return 4 * length;
+    case KRB5_C_RANDSOURCE_TIMING:
+	return 2;
+    case KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL:
+	return 0;
+    default:
+	abort();
+    }
+    return 0;
 }
 
 int krb5int_prng_init(void)
 {
-    unsigned i;
+    unsigned i, source_id;
     int yerr;
 
     yerr = k5_mutex_finish_init(&yarrow_lock);
@@ -66,12 +67,11 @@
 	return yerr;
 
     yerr = krb5int_yarrow_init (&y_ctx, NULL);
-    if ((yerr != YARROW_OK) && (yerr != YARROW_NOT_SEEDED))
+    if (yerr != YARROW_OK && yerr != YARROW_NOT_SEEDED)
 	return KRB5_CRYPTO_INTERNAL;
 
     for (i=0; i < KRB5_C_RANDSOURCE_MAX; i++ ) {
-	unsigned source_id;
-	if (krb5int_yarrow_new_source (&y_ctx, &source_id) != YARROW_OK )
+	if (krb5int_yarrow_new_source(&y_ctx, &source_id) != YARROW_OK)
 	    return KRB5_CRYPTO_INTERNAL;
 	assert (source_id == i);
     }
@@ -80,46 +80,47 @@
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_add_entropy (krb5_context context, unsigned int randsource,
-			   const krb5_data *data)
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
+			  const krb5_data *data)
 {
-  int yerr;
+    int yerr;
 
-  /* Make sure the mutex got initialized.  */
-  yerr = krb5int_crypto_init();
-  if (yerr)
-      return yerr;
-  /* Now, finally, feed in the data.  */
-  yerr = krb5int_yarrow_input (&y_ctx, randsource,
-			       data->data, data->length,
-			       entropy_estimate (randsource, data->length));
-  if (yerr != YARROW_OK)
-      return (KRB5_CRYPTO_INTERNAL);
-  return (0);
+    /* Make sure the mutex got initialized.  */
+    yerr = krb5int_crypto_init();
+    if (yerr)
+	return yerr;
+    /* Now, finally, feed in the data.  */
+    yerr = krb5int_yarrow_input(&y_ctx, randsource,
+				data->data, data->length,
+				entropy_estimate(randsource, data->length));
+    if (yerr != YARROW_OK)
+	return KRB5_CRYPTO_INTERNAL;
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_seed (krb5_context context, krb5_data *data)
+krb5_c_random_seed(krb5_context context, krb5_data *data)
 {
-    return krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_OLDAPI, data);
+    return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_c_random_make_octets(krb5_context context, krb5_data *data)
 {
     int yerr;
-    yerr = krb5int_yarrow_output (&y_ctx, data->data, data->length);
+    yerr = krb5int_yarrow_output(&y_ctx, data->data, data->length);
     if (yerr == YARROW_NOT_SEEDED) {
-      yerr = krb5int_yarrow_reseed (&y_ctx, YARROW_SLOW_POOL);
-      if (yerr == YARROW_OK)
-	yerr = krb5int_yarrow_output (&y_ctx, data->data, data->length);
+	yerr = krb5int_yarrow_reseed(&y_ctx, YARROW_SLOW_POOL);
+	if (yerr == YARROW_OK)
+	    yerr = krb5int_yarrow_output(&y_ctx, data->data, data->length);
     }
-    if ( yerr != YARROW_OK)
-      return (KRB5_CRYPTO_INTERNAL);
-    return(0);
+    if (yerr != YARROW_OK)
+      return KRB5_CRYPTO_INTERNAL;
+    return 0;
 }
 
-void krb5int_prng_cleanup (void)
+void
+krb5int_prng_cleanup (void)
 {
     krb5int_yarrow_final (&y_ctx);
     k5_mutex_destroy(&yarrow_lock);
@@ -133,11 +134,11 @@
 #if defined(_WIN32)
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy (krb5_context context, int strong, int *success)
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
 {
-  if (success)
-    *success  = 0;
-  return 0;
+    if (success)
+	*success = 0;
+    return 0;
 }
 
 #else /*Windows*/
@@ -156,60 +157,58 @@
  */
 
 static int
-read_entropy_from_device (krb5_context context, const char *device)
+read_entropy_from_device(krb5_context context, const char *device)
 {
-  krb5_data data;
-  struct stat sb;
-  int fd;
-  unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
-  int left;
-  fd = open (device, O_RDONLY);
-  if (fd == -1)
-    return 0;
-  set_cloexec_fd(fd);
-  if (fstat (fd, &sb) == -1 || S_ISREG(sb.st_mode)) {
-      close(fd);
-      return 0;
-  }
+    krb5_data data;
+    struct stat sb;
+    int fd;
+    unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
+    int left;
 
-  for (bp = buf, left = sizeof (buf); left > 0;) {
-    ssize_t count;
-    count = read (fd, bp, (unsigned) left);
-    if (count <= 0) {
-      close(fd);
-      return 0;
+    fd = open (device, O_RDONLY);
+    if (fd == -1)
+	return 0;
+    set_cloexec_fd(fd);
+    if (fstat(fd, &sb) == -1 || S_ISREG(sb.st_mode)) {
+	close(fd);
+	return 0;
     }
-    left -= count;
-    bp += count;
-  }
-  close (fd);
-  data.length = sizeof (buf);
-  data.data = ( char * ) buf;
-  if ( krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_OSRAND, 
-				  &data) != 0) {
-    return 0;
-  }
-  return 1;
+
+    for (bp = buf, left = sizeof(buf); left > 0;) {
+	ssize_t count;
+	count = read(fd, bp, (unsigned) left);
+	if (count <= 0) {
+	    close(fd);
+	    return 0;
+	}
+	left -= count;
+	bp += count;
+    }
+    close(fd);
+    data.length = sizeof (buf);
+    data.data = (char *) buf;
+    return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
+				      &data) == 0);
 }
     
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy (krb5_context context,
-			  int strong, int *success)
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
 {
-  int unused;
-  int *oursuccess = success?success:&unused;
-  *oursuccess = 0;
-  /* If we are getting strong data then try that first.  We are
-     guaranteed to cause a reseed of some kind if strong is true and
-     we have both /dev/random and /dev/urandom.  We want the strong
-     data included in the reseed so we get it first.*/
-  if (strong) {
-    if (read_entropy_from_device (context, "/dev/random"))
-      *oursuccess = 1;
-  }
-  if (read_entropy_from_device (context, "/dev/urandom"))
-    *oursuccess = 1;
-  return 0;
+    int unused;
+    int *oursuccess = success ? success : &unused;
+
+    *oursuccess = 0;
+    /* If we are getting strong data then try that first.  We are
+       guaranteed to cause a reseed of some kind if strong is true and
+       we have both /dev/random and /dev/urandom.  We want the strong
+       data included in the reseed so we get it first.*/
+    if (strong) {
+	if (read_entropy_from_device(context, "/dev/random"))
+	    *oursuccess = 1;
+    }
+    if (read_entropy_from_device(context, "/dev/urandom"))
+	*oursuccess = 1;
+    return 0;
 }
 
 #endif /*Windows or pre-OSX Mac*/

Modified: trunk/src/lib/crypto/krb/random_to_key.c
===================================================================
--- trunk/src/lib/crypto/krb/random_to_key.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/random_to_key.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -40,34 +40,25 @@
 krb5_c_random_to_key(krb5_context context, krb5_enctype enctype,
 		     krb5_data *random_data, krb5_keyblock *random_key)
 {
-    int i;
     krb5_error_code ret;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
 
-    if (random_data == NULL || random_key == NULL)
-	return(EINVAL);
+    if (random_data == NULL || random_key == NULL ||
+	random_key->contents == NULL)
+	return EINVAL;
 
-    if (random_key->contents == NULL)
-	return(EINVAL);
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-
     if (random_key->length != enc->keylength)
-	return(KRB5_BAD_KEYSIZE);
+	return KRB5_BAD_KEYSIZE;
 
-    ret = ((*(enc->make_key))(random_data, random_key));
-
-    if (ret) {
+    ret = (*enc->make_key)(random_data, random_key);
+    if (ret)
 	memset(random_key->contents, 0, random_key->length);
-    }
 
-    return(ret);
+    return ret;
 }

Modified: trunk/src/lib/crypto/krb/state.c
===================================================================
--- trunk/src/lib/crypto/krb/state.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/state.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -39,34 +39,22 @@
 krb5_c_init_state (krb5_context context, const krb5_keyblock *key,
 		   krb5_keyusage keyusage, krb5_data *new_state)
 {
-      int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    return (*(krb5_enctypes_list[i].enc->init_state))
-      (key, keyusage, new_state);
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    return ktp->enc->init_state(key, keyusage, new_state);
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_free_state (krb5_context context, const krb5_keyblock *key,
-		   krb5_data *state)
+krb5_c_free_state(krb5_context context, const krb5_keyblock *key,
+		  krb5_data *state)
 {
-      int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    return     (*(krb5_enctypes_list[i].enc->free_state))
-      (state);
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    return ktp->enc->free_state(state);
 }

Modified: trunk/src/lib/crypto/krb/string_to_cksumtype.c
===================================================================
--- trunk/src/lib/crypto/krb/string_to_cksumtype.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/string_to_cksumtype.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -31,23 +31,26 @@
 krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep)
 {
     unsigned int i, j;
+    const char *alias;
+    const struct krb5_cksumtypes *ctp;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
-	if (strcasecmp(krb5_cksumtypes_list[i].name, string) == 0) {
-	    *cksumtypep = krb5_cksumtypes_list[i].ctype;
-	    return(0);
+	ctp = &krb5_cksumtypes_list[i];
+	if (strcasecmp(ctp->name, string) == 0) {
+	    *cksumtypep = ctp->ctype;
+	    return 0;
 	}
-#define MAX_ALIASES (sizeof(krb5_cksumtypes_list[i].aliases) / sizeof(krb5_cksumtypes_list[i].aliases[0]))
+#define MAX_ALIASES (sizeof(ctp->aliases) / sizeof(ctp->aliases[0]))
 	for (j = 0; j < MAX_ALIASES; j++) {
-	    const char *alias = krb5_cksumtypes_list[i].aliases[j];
+	    alias = ctp->aliases[j];
 	    if (alias == NULL)
 		break;
 	    if (strcasecmp(alias, string) == 0) {
-		*cksumtypep = krb5_cksumtypes_list[i].ctype;
+		*cksumtypep = ctp->ctype;
 		return 0;
 	    }
 	}
     }
 
-    return(EINVAL);
+    return EINVAL;
 }

Modified: trunk/src/lib/crypto/krb/string_to_enctype.c
===================================================================
--- trunk/src/lib/crypto/krb/string_to_enctype.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/string_to_enctype.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -30,24 +30,28 @@
 krb5_error_code KRB5_CALLCONV
 krb5_string_to_enctype(char *string, krb5_enctype *enctypep)
 {
-    unsigned int i, j;
+    int i;
+    unsigned int j;
+    const char *alias;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (strcasecmp(krb5_enctypes_list[i].name, string) == 0) {
-	    *enctypep = krb5_enctypes_list[i].etype;
+    for (i = 0; i < krb5_enctypes_length; i++) {
+	ktp = &krb5_enctypes_list[i];
+	if (strcasecmp(ktp->name, string) == 0) {
+	    *enctypep = ktp->etype;
 	    return 0;
 	}
-#define MAX_ALIASES (sizeof(krb5_enctypes_list[i].aliases) / sizeof(krb5_enctypes_list[i].aliases[0]))
+#define MAX_ALIASES (sizeof(ktp->aliases) / sizeof(ktp->aliases[0]))
 	for (j = 0; j < MAX_ALIASES; j++) {
-	    const char *alias = krb5_enctypes_list[i].aliases[j];
+	    alias = ktp->aliases[j];
 	    if (alias == NULL)
 		break;
 	    if (strcasecmp(alias, string) == 0) {
-		*enctypep = krb5_enctypes_list[i].etype;
+		*enctypep = ktp->etype;
 		return 0;
 	    }
 	}
     }
 
-    return(EINVAL);
+    return EINVAL;
 }

Modified: trunk/src/lib/crypto/krb/string_to_key.c
===================================================================
--- trunk/src/lib/crypto/krb/string_to_key.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/string_to_key.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -51,23 +51,20 @@
 				 const krb5_data *salt,
 				 const krb5_data *params, krb5_keyblock *key)
 {
-    int i;
     krb5_error_code ret;
-    const struct krb5_enc_provider *enc;
-    size_t keybytes, keylength;
+    const struct krb5_keytypes *ktp;
+    size_t keylength;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    keylength = ktp->enc->keylength;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-/* xxx AFS string2key function is indicated by a special length  in
- * the salt in much of the code.  However only the DES enctypes can
- * deal with this.  Using s2kparams would be a much better solution.*/
+    /*
+     * xxx AFS string2key function is indicated by a special length  in
+     * the salt in much of the code.  However only the DES enctypes can
+     * deal with this.  Using s2kparams would be a much better solution.
+     */
     if (salt && salt->length == SALT_TYPE_AFS_LENGTH) {
 	switch (enctype) {
 	case ENCTYPE_DES_CBC_CRC:
@@ -75,27 +72,24 @@
 	case ENCTYPE_DES_CBC_MD5:
 	    break;
 	default:
-	    return (KRB5_CRYPTO_INTERNAL);
+	    return KRB5_CRYPTO_INTERNAL;
 	}
     }
 
-    keybytes = enc->keybytes;
-    keylength = enc->keylength;
+    key->contents = malloc(keylength);
+    if (key->contents == NULL)
+	return ENOMEM;
 
-    if ((key->contents = (krb5_octet *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-
     key->magic = KV5M_KEYBLOCK;
     key->enctype = enctype;
     key->length = keylength;
 
-    ret = (*krb5_enctypes_list[i].str2key)(enc, string, salt, params, key);
+    ret = (*ktp->str2key)(ktp->enc, string, salt, params, key);
     if (ret) {
-	memset(key->contents, 0, keylength);
-	free(key->contents);
+	zapfree(key->contents, keylength);
 	key->length = 0;
 	key->contents = NULL;
     }
 
-    return(ret);
+    return ret;
 }

Modified: trunk/src/lib/crypto/krb/valid_cksumtype.c
===================================================================
--- trunk/src/lib/crypto/krb/valid_cksumtype.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/valid_cksumtype.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -32,16 +32,16 @@
 {
     unsigned int i;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == ctype)
-	    return(1);
+	    return TRUE;
     }
 
-    return(0);
+    return FALSE;
 }
 
 krb5_boolean KRB5_CALLCONV
 valid_cksumtype(krb5_cksumtype ctype)
 {
-    return krb5_c_valid_cksumtype (ctype);
+    return krb5_c_valid_cksumtype(ctype);
 }

Modified: trunk/src/lib/crypto/krb/valid_enctype.c
===================================================================
--- trunk/src/lib/crypto/krb/valid_enctype.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/valid_enctype.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -30,39 +30,20 @@
 krb5_boolean KRB5_CALLCONV
 krb5_c_valid_enctype(krb5_enctype etype)
 {
-    int i;
-
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == etype)
-	    return(1);
-    }
-
-    return(0);
+    return (find_enctype(etype) != NULL);
 }
 
 krb5_boolean KRB5_CALLCONV
 valid_enctype(krb5_enctype etype)
 {
-    return krb5_c_valid_enctype (etype);
+    return krb5_c_valid_enctype(etype);
 }
 
 krb5_boolean KRB5_CALLCONV
 krb5_c_weak_enctype(krb5_enctype etype)
 {
-    int i;
-    const struct krb5_keytypes *k;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-#if 0
-	if (krb5_enctypes_list[i].etype == etype &&
-	    krb5_enctypes_list[i].flags | ETYPE_WEAK)
-	    return(1);
-#endif
-	k = &krb5_enctypes_list[i];
-	if (k->etype == etype && (k->flags & ETYPE_WEAK)) {
-	    return(1);
-	}
-    }
-
-    return(0);
+    ktp = find_enctype(etype);
+    return ((ktp->flags & ETYPE_WEAK) != 0);
 }

Modified: trunk/src/lib/crypto/krb/verify_checksum.c
===================================================================
--- trunk/src/lib/crypto/krb/verify_checksum.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/verify_checksum.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -33,6 +33,8 @@
 		       const krb5_checksum *cksum, krb5_boolean *valid)
 {
     unsigned int i;
+    const struct krb5_cksumtypes *ctp;
+    const struct krb5_keyhash_provider *keyhash;
     size_t hashsize;
     krb5_error_code ret;
     krb5_data indata;
@@ -42,51 +44,47 @@
 	if (krb5_cksumtypes_list[i].ctype == cksum->checksum_type)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    /* if there's actually a verify function, call it */
-
     indata.length = cksum->length;
     indata.data = (char *) cksum->contents;
 
-    if (krb5_cksumtypes_list[i].keyhash) {
-	const struct krb5_keyhash_provider *keyhash;
+    /* If there's actually a verify function, call it. */
+    if (ctp->keyhash) {
+	keyhash = ctp->keyhash;
 
-	keyhash = krb5_cksumtypes_list[i].keyhash;
-
 	if (keyhash->verify == NULL && keyhash->verify_iov != NULL) {
 	    krb5_crypto_iov iov[1];
 
 	    iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
 	    iov[0].data = *data;
 
-	    return (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata, valid);
+	    return (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata,
+					  valid);
 	} else if (keyhash->verify != NULL) {
 	    return (*keyhash->verify)(key, usage, 0, data, &indata, valid);
 	}
     }
 
-    /* otherwise, make the checksum again, and compare */
+    /* Otherwise, make the checksum again, and compare. */
+    ret = krb5_c_checksum_length(context, cksum->checksum_type, &hashsize);
+    if (ret)
+	return ret;
 
-    if ((ret = krb5_c_checksum_length(context, cksum->checksum_type, &hashsize)))
-	return(ret);
-
     if (cksum->length != hashsize)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
     computed.length = hashsize;
 
-    if ((ret = krb5_c_make_checksum(context, cksum->checksum_type, key, usage,
-				   data, &computed))) {
-	free(computed.contents);
-	return(ret);
-    }
+    ret = krb5_c_make_checksum(context, cksum->checksum_type, key, usage,
+			       data, &computed);
+    if (ret)
+	return ret;
 
     *valid = (memcmp(computed.contents, cksum->contents, hashsize) == 0);
 
     free(computed.contents);
-
-    return(0);
+    return 0;
 }

Modified: trunk/src/lib/crypto/krb/verify_checksum_iov.c
===================================================================
--- trunk/src/lib/crypto/krb/verify_checksum_iov.c	2009-10-03 14:46:54 UTC (rev 22838)
+++ trunk/src/lib/crypto/krb/verify_checksum_iov.c	2009-10-03 16:03:15 UTC (rev 22839)
@@ -38,6 +38,7 @@
 			   krb5_boolean *valid)
 {
     unsigned int i;
+    const struct krb5_cksumtypes *ctp;
     size_t cksumlen;
     krb5_error_code ret;
     krb5_data computed;
@@ -47,52 +48,49 @@
 	if (krb5_cksumtypes_list[i].ctype == checksum_type)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    checksum = krb5int_c_locate_iov((krb5_crypto_iov *)data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
+    checksum = krb5int_c_locate_iov((krb5_crypto_iov *)data, num_data,
+				    KRB5_CRYPTO_TYPE_CHECKSUM);
     if (checksum == NULL)
 	return(KRB5_BAD_MSIZE);
 
-    /* if there's actually a verify function, call it */
+    /* If there's actually a verify function, call it. */
+    if (ctp->keyhash && ctp->keyhash->verify_iov) {
+	return (*ctp->keyhash->verify_iov)(key, usage, 0, data, num_data,
+					   &checksum->data, valid);
+    }
 
-    if (krb5_cksumtypes_list[i].keyhash &&
-	krb5_cksumtypes_list[i].keyhash->verify_iov)
-	return((*(krb5_cksumtypes_list[i].keyhash->verify_iov))(key, usage, 0,
-								data, num_data,
-								&checksum->data,
-								valid));
-
-    /* otherwise, make the checksum again, and compare */
-
-    if (krb5_cksumtypes_list[i].keyhash != NULL)
-	computed.length = krb5_cksumtypes_list[i].keyhash->hashsize;
+    /* Otherwise, make the checksum again, and compare. */
+    if (ctp->keyhash != NULL)
+	computed.length = ctp->keyhash->hashsize;
     else
-	computed.length = krb5_cksumtypes_list[i].hash->hashsize;
+	computed.length = ctp->hash->hashsize;
 
-    if (krb5_cksumtypes_list[i].trunc_size != 0)
-	cksumlen = krb5_cksumtypes_list[i].trunc_size;
+    if (ctp->trunc_size != 0)
+	cksumlen = ctp->trunc_size;
     else
 	cksumlen = computed.length;
 
     if (checksum->data.length != cksumlen)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
     computed.data = malloc(computed.length);
     if (computed.data == NULL)
-	return(ENOMEM);
+	return ENOMEM;
 
-    if ((ret = krb5int_c_make_checksum_iov(&krb5_cksumtypes_list[i], key, usage,
-					   data, num_data, &computed))) {
+    ret = krb5int_c_make_checksum_iov(&krb5_cksumtypes_list[i], key, usage,
+				      data, num_data, &computed);
+    if (ret) {
 	free(computed.data);
-	return(ret);
+	return ret;
     }
 
     *valid = (computed.length == cksumlen) &&
 	     (memcmp(computed.data, checksum->data.data, cksumlen) == 0);
 
     free(computed.data);
-
-    return(0);
+    return 0;
 }



From ghudson at MIT.EDU  Sat Oct  3 14:07:44 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Sat, 3 Oct 2009 14:07:44 -0400
Subject: svn rev #22840: trunk/src/lib/crypto/krb/dk/ 
Message-ID: <200910031807.n93I7iYc003917@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22840
Commit By: ghudson
Log Message:
Update the crypto derived key support code to conform to most of the
current coding practices (except lack of tabs).  Use the helper
functions k5alloc, zapfree, and find_enctype to reduce code size.



Changed Files:
U   trunk/src/lib/crypto/krb/dk/checksum.c
U   trunk/src/lib/crypto/krb/dk/derive.c
U   trunk/src/lib/crypto/krb/dk/dk.h
U   trunk/src/lib/crypto/krb/dk/dk_aead.c
U   trunk/src/lib/crypto/krb/dk/dk_decrypt.c
U   trunk/src/lib/crypto/krb/dk/dk_encrypt.c
U   trunk/src/lib/crypto/krb/dk/stringtokey.c
Modified: trunk/src/lib/crypto/krb/dk/checksum.c
===================================================================
--- trunk/src/lib/crypto/krb/dk/checksum.c	2009-10-03 16:03:15 UTC (rev 22839)
+++ trunk/src/lib/crypto/krb/dk/checksum.c	2009-10-03 18:07:44 UTC (rev 22840)
@@ -36,41 +36,35 @@
 		      const krb5_keyblock *key, krb5_keyusage usage,
 		      const krb5_data *input, krb5_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
-    size_t blocksize, keybytes, keylength;
+    size_t keylength;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data datain;
     unsigned char *kcdata;
     krb5_keyblock kc;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
+    /*
+     * key->length will be tested in enc->encrypt.
+     * output->length will be tested in krb5_hmac.
+     */
 
-    enc = krb5_enctypes_list[i].enc;
-
-    /* allocate and set to-be-derived keys */
-
-    blocksize = enc->block_size;
-    keybytes = enc->keybytes;
+    /* Allocate and set to-be-derived keys. */
     keylength = enc->keylength;
+    kcdata = malloc(keylength);
+    if (kcdata == NULL)
+	return ENOMEM;
 
-    /* key->length will be tested in enc->encrypt
-       output->length will be tested in krb5_hmac */
-
-    if ((kcdata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-
     kc.contents = kcdata;
     kc.length = keylength;
 
-    /* derive the key */
+    /* Derive the key. */
  
     datain.data = (char *) constantdata;
     datain.length = K5CLENGTH;
@@ -79,24 +73,21 @@
 
     datain.data[4] = (char) 0x99;
 
-    if ((ret = krb5_derive_key(enc, key, &kc, &datain)) != 0)
+    ret = krb5_derive_key(enc, key, &kc, &datain);
+    if (ret)
 	goto cleanup;
 
     /* hash the data */
 
     datain = *input;
 
-    if ((ret = krb5_hmac(hash, &kc, 1, &datain, output)) != 0)
+    ret = krb5_hmac(hash, &kc, 1, &datain, output);
+    if (ret)
 	memset(output->data, 0, output->length);
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kcdata, 0, keylength);
-
-    free(kcdata);
-
-    return(ret);
+    zapfree(kcdata, keylength);
+    return ret;
 }
 
 krb5_error_code
@@ -105,41 +96,36 @@
 			  const krb5_crypto_iov *data, size_t num_data,
 			  krb5_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
-    size_t blocksize, keybytes, keylength;
+    size_t keylength;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data datain;
     unsigned char *kcdata;
     krb5_keyblock kc;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
+    /*
+     * key->length will be tested in enc->encrypt.
+     * output->length will be tested in krb5_hmac.
+     */
 
-    enc = krb5_enctypes_list[i].enc;
+    /* Allocate and set to-be-derived keys. */
 
-    /* allocate and set to-be-derived keys */
-
-    blocksize = enc->block_size;
-    keybytes = enc->keybytes;
     keylength = enc->keylength;
+    kcdata = malloc(keylength);
+    if (kcdata == NULL)
+	return ENOMEM;
 
-    /* key->length will be tested in enc->encrypt
-       output->length will be tested in krb5_hmac */
-
-    if ((kcdata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-
     kc.contents = kcdata;
     kc.length = keylength;
 
-    /* derive the key */
+    /* Derive the key. */
  
     datain.data = (char *) constantdata;
     datain.length = K5CLENGTH;
@@ -148,21 +134,19 @@
 
     datain.data[4] = (char) 0x99;
 
-    if ((ret = krb5_derive_key(enc, key, &kc, &datain)) != 0)
+    ret = krb5_derive_key(enc, key, &kc, &datain);
+    if (ret)
 	goto cleanup;
 
-    /* hash the data */
+    /* Hash the data. */
 
-    if ((ret = krb5int_hmac_iov(hash, &kc, data, num_data, output)) != 0)
+    ret = krb5int_hmac_iov(hash, &kc, data, num_data, output);
+    if (ret)
 	memset(output->data, 0, output->length);
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kcdata, 0, keylength);
+    zapfree(kcdata, keylength);
 
-    free(kcdata);
-
     return(ret);
 }
 

Modified: trunk/src/lib/crypto/krb/dk/derive.c
===================================================================
--- trunk/src/lib/crypto/krb/dk/derive.c	2009-10-03 16:03:15 UTC (rev 22839)
+++ trunk/src/lib/crypto/krb/dk/derive.c	2009-10-03 18:07:44 UTC (rev 22840)
@@ -32,41 +32,35 @@
 		const krb5_keyblock *inkey, krb5_keyblock *outkey,
 		const krb5_data *in_constant)
 {
-    size_t blocksize, keybytes, keylength, n;
-    unsigned char *inblockdata, *outblockdata, *rawkey;
+    size_t blocksize, keybytes, n;
+    unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
     krb5_data inblock, outblock;
+    krb5_error_code ret;
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
-    keylength = enc->keylength;
 
-    if ((inkey->length != keylength) ||
-	(outkey->length != keylength))
-	return(KRB5_CRYPTO_INTERNAL);
+    if (inkey->length != enc->keylength || outkey->length != enc->keylength)
+	return KRB5_CRYPTO_INTERNAL;
 
-    /* allocate and set up buffers */
+    /* Allocate and set up buffers. */
+    inblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    outblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    rawkey = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((inblockdata = (unsigned char *) malloc(blocksize)) == NULL)
-	return(ENOMEM);
-
-    if ((outblockdata = (unsigned char *) malloc(blocksize)) == NULL) {
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
-    if ((rawkey = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(outblockdata);
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
     inblock.data = (char *) inblockdata;
     inblock.length = blocksize;
 
     outblock.data = (char *) outblockdata;
     outblock.length = blocksize;
 
-    /* initialize the input block */
+    /* Initialize the input block. */
 
     if (in_constant->length == inblock.length) {
 	memcpy(inblock.data, in_constant->data, inblock.length);
@@ -75,14 +69,16 @@
 		   inblock.length*8, (unsigned char *) inblock.data);
     }
 
-    /* loop encrypting the blocks until enough key bytes are generated */
+    /* Loop encrypting the blocks until enough key bytes are generated */
 
     n = 0;
     while (n < keybytes) {
-	(*(enc->encrypt))(inkey, 0, &inblock, &outblock);
+	ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+	if (ret)
+	    goto cleanup;
 
 	if ((keybytes - n) <= outblock.length) {
-	    memcpy(rawkey+n, outblock.data, (keybytes - n));
+	    memcpy(rawkey + n, outblock.data, (keybytes - n));
 	    break;
 	}
 
@@ -96,19 +92,15 @@
     inblock.data = (char *) rawkey;
     inblock.length = keybytes;
 
-    (*(enc->make_key))(&inblock, outkey);
+    ret = (*enc->make_key)(&inblock, outkey);
+    if (ret)
+	goto cleanup;
 
-    /* clean memory, free resources and exit */
-
-    memset(inblockdata, 0, blocksize);
-    memset(outblockdata, 0, blocksize);
-    memset(rawkey, 0, keybytes);
-
-    free(rawkey);
-    free(outblockdata);
-    free(inblockdata);
-
-    return(0);
+cleanup:
+    zapfree(inblockdata, blocksize);
+    zapfree(outblockdata, blocksize);
+    zapfree(rawkey, keybytes);
+    return ret;
 }
 
 
@@ -117,42 +109,36 @@
 		   const krb5_keyblock *inkey, krb5_data *outrnd,
 		   const krb5_data *in_constant)
 {
-    size_t blocksize, keybytes, keylength, n;
-    unsigned char *inblockdata, *outblockdata, *rawkey;
+    size_t blocksize, keybytes, n;
+    unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
     krb5_data inblock, outblock;
+    krb5_error_code ret;
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
-    keylength = enc->keylength;
 
-    if ((inkey->length != keylength) ||
-	(outrnd->length != keybytes))
-	return(KRB5_CRYPTO_INTERNAL);
+    if (inkey->length != enc->keylength || outrnd->length != keybytes)
+	return KRB5_CRYPTO_INTERNAL;
 
-    /* allocate and set up buffers */
+    /* Allocate and set up buffers. */
 
-    if ((inblockdata = (unsigned char *) malloc(blocksize)) == NULL)
-	return(ENOMEM);
+    inblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    outblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    rawkey = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((outblockdata = (unsigned char *) malloc(blocksize)) == NULL) {
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
-    if ((rawkey = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(outblockdata);
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
     inblock.data = (char *) inblockdata;
     inblock.length = blocksize;
 
     outblock.data = (char *) outblockdata;
     outblock.length = blocksize;
 
-    /* initialize the input block */
-
+    /* Initialize the input block. */
     if (in_constant->length == inblock.length) {
 	memcpy(inblock.data, in_constant->data, inblock.length);
     } else {
@@ -160,14 +146,15 @@
 		   inblock.length*8, (unsigned char *) inblock.data);
     }
 
-    /* loop encrypting the blocks until enough key bytes are generated */
-
+    /* Loop encrypting the blocks until enough key bytes are generated. */
     n = 0;
     while (n < keybytes) {
-	(*(enc->encrypt))(inkey, 0, &inblock, &outblock);
+	ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+	if (ret)
+	    goto cleanup;
 
 	if ((keybytes - n) <= outblock.length) {
-	    memcpy(rawkey+n, outblock.data, (keybytes - n));
+	    memcpy(rawkey + n, outblock.data, (keybytes - n));
 	    break;
 	}
 
@@ -176,42 +163,12 @@
 	n += outblock.length;
     }
 
-    /* postprocess the key */
+    /* Postprocess the key. */
+    memcpy(outrnd->data, rawkey, keybytes);
 
-    memcpy (outrnd->data, rawkey, keybytes);
-
-    /* clean memory, free resources and exit */
-
-    memset(inblockdata, 0, blocksize);
-    memset(outblockdata, 0, blocksize);
-    memset(rawkey, 0, keybytes);
-
-    free(rawkey);
-    free(outblockdata);
-    free(inblockdata);
-
-    return(0);
+cleanup:
+    zapfree(inblockdata, blocksize);
+    zapfree(outblockdata, blocksize);
+    zapfree(rawkey, keybytes);
+    return ret;
 }
-
-#if 0
-#include "etypes.h"
-void
-krb5_random2key (krb5_enctype enctype, krb5_data *inblock,
-		 krb5_keyblock *outkey)
-{
-    int i;
-    const struct krb5_enc_provider *enc;
-
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	abort ();
-
-    enc = krb5_enctypes_list[i].enc;
-
-    enc->make_key (inblock, outkey);
-}
-#endif

Modified: trunk/src/lib/crypto/krb/dk/dk.h
===================================================================
--- trunk/src/lib/crypto/krb/dk/dk.h	2009-10-03 16:03:15 UTC (rev 22839)
+++ trunk/src/lib/crypto/krb/dk/dk.h	2009-10-03 18:07:44 UTC (rev 22840)
@@ -26,64 +26,64 @@
 
 #include "k5-int.h"
 
-void krb5_dk_encrypt_length
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		size_t input, size_t *length);
+void krb5_dk_encrypt_length(const struct krb5_enc_provider *enc,
+			    const struct krb5_hash_provider *hash,
+			    size_t input, size_t *length);
 
-krb5_error_code krb5_dk_encrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec,
-		const krb5_data *input, krb5_data *output);
+krb5_error_code krb5_dk_encrypt(const struct krb5_enc_provider *enc,
+				const struct krb5_hash_provider *hash,
+				const krb5_keyblock *key, krb5_keyusage usage,
+				const krb5_data *ivec,
+				const krb5_data *input, krb5_data *output);
 
-void krb5int_aes_encrypt_length
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		size_t input, size_t *length);
+void krb5int_aes_encrypt_length(const struct krb5_enc_provider *enc,
+				const struct krb5_hash_provider *hash,
+				size_t input, size_t *length);
 
-krb5_error_code krb5int_aes_dk_encrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec,
-		const krb5_data *input, krb5_data *output);
+krb5_error_code krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
+				       const struct krb5_hash_provider *hash,
+				       const krb5_keyblock *key,
+				       krb5_keyusage usage,
+				       const krb5_data *ivec,
+				       const krb5_data *input,
+				       krb5_data *output);
 
-krb5_error_code krb5_dk_decrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);
+krb5_error_code krb5_dk_decrypt(const struct krb5_enc_provider *enc,
+				const struct krb5_hash_provider *hash,
+				const krb5_keyblock *key, krb5_keyusage usage,
+				const krb5_data *ivec, const krb5_data *input,
+				krb5_data *arg_output);
 
-krb5_error_code krb5int_aes_dk_decrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);
+krb5_error_code krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
+				       const struct krb5_hash_provider *hash,
+				       const krb5_keyblock *key,
+				       krb5_keyusage usage,
+				       const krb5_data *ivec,
+				       const krb5_data *input,
+				       krb5_data *arg_output);
 
-krb5_error_code krb5int_dk_string_to_key
-(const struct krb5_enc_provider *enc, 
-		const krb5_data *string, const krb5_data *salt,
-		const krb5_data *params, krb5_keyblock *key);
+krb5_error_code krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
+					 const krb5_data *string,
+					 const krb5_data *salt,
+					 const krb5_data *params,
+					 krb5_keyblock *key);
 
-krb5_error_code krb5_derive_key
-(const struct krb5_enc_provider *enc,
-		const krb5_keyblock *inkey,
-		krb5_keyblock *outkey, const krb5_data *in_constant);
+krb5_error_code krb5_derive_key(const struct krb5_enc_provider *enc,
+				const krb5_keyblock *inkey,
+				krb5_keyblock *outkey,
+				const krb5_data *in_constant);
 
-krb5_error_code krb5_dk_make_checksum
-(const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *input, krb5_data *output);
+krb5_error_code krb5_dk_make_checksum(const struct krb5_hash_provider *hash,
+				      const krb5_keyblock *key,
+				      krb5_keyusage usage,
+				      const krb5_data *input,
+				      krb5_data *output);
 
 krb5_error_code
 krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
-		          const krb5_keyblock *key, krb5_keyusage usage,
-			  const krb5_crypto_iov *data, size_t num_data,
-			  krb5_data *output);
+			     const krb5_keyblock *key, krb5_keyusage usage,
+			     const krb5_crypto_iov *data, size_t num_data,
+			     krb5_data *output);
 
 krb5_error_code
 krb5_derive_random(const struct krb5_enc_provider *enc,
@@ -94,26 +94,3 @@
 
 extern const struct krb5_aead_provider krb5int_aead_dk;
 extern const struct krb5_aead_provider krb5int_aead_aes;
-
-/* CCM */
-
-void
-krb5int_ccm_encrypt_length(const struct krb5_enc_provider *enc,
-			   const struct krb5_hash_provider *hash,
-			   size_t inputlen, size_t *length);
-
-extern const struct krb5_aead_provider krb5int_aead_ccm;
-
-krb5_error_code krb5int_ccm_encrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);
-
-krb5_error_code krb5int_ccm_decrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);

Modified: trunk/src/lib/crypto/krb/dk/dk_aead.c
===================================================================
--- trunk/src/lib/crypto/krb/dk/dk_aead.c	2009-10-03 16:03:15 UTC (rev 22839)
+++ trunk/src/lib/crypto/krb/dk/dk_aead.c	2009-10-03 18:07:44 UTC (rev 22840)
@@ -8,7 +8,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- * 
+ *
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -84,11 +84,13 @@
 
     /* E(Confounder | Plaintext | Pad) | Checksum */
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+			      &blocksize);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &hmacsize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+			      &hmacsize);
     if (ret != 0)
 	return ret;
 
@@ -110,7 +112,7 @@
 	return KRB5_BAD_MSIZE;
 
     if (blocksize != 0) {
-	/* Check that the input data is correctly padded */
+	/* Check that the input data is correctly padded. */
 	if (plainlen % blocksize)
 	    padsize = blocksize - (plainlen % blocksize);
     }
@@ -125,24 +127,18 @@
     }
 
     ke.length = enc->keylength;
-    ke.contents = malloc(ke.length);
-    if (ke.contents == NULL) {
-	ret = ENOMEM;
+    ke.contents = k5alloc(ke.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
     ki.length = enc->keylength;
-    ki.contents = malloc(ki.length);
-    if (ki.contents == NULL) {
-	ret = ENOMEM;
+    ki.contents = k5alloc(ki.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
-    cksum = (unsigned char *)malloc(hash->hashsize);
-    if (cksum == NULL) {
-	ret = ENOMEM;
+    cksum = k5alloc(hash->hashsize, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *)constantdata;
     d1.length = K5CLENGTH;
@@ -161,7 +157,7 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* generate confounder */
+    /* Generate confounder. */
 
     header->data.length = enc->block_size;
 
@@ -169,7 +165,7 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* hash the plaintext */
+    /* Hash the plaintext. */
     d2.length = hash->hashsize;
     d2.data = (char *)cksum;
 
@@ -177,32 +173,23 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* encrypt the plaintext (header | data | padding) */
+    /* Encrypt the plaintext (header | data | padding) */
     assert(enc->encrypt_iov != NULL);
 
-    ret = enc->encrypt_iov(&ke, ivec, data, num_data); /* will update ivec */
+    ret = (*enc->encrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
     if (ret != 0)
 	goto cleanup;
 
-    /* possibly truncate the hash */
+    /* Possibly truncate the hash */
     assert(hmacsize <= d2.length);
 
     memcpy(trailer->data.data, cksum, hmacsize);
     trailer->data.length = hmacsize;
 
 cleanup:
-    if (ke.contents != NULL) {
-	memset(ke.contents, 0, ke.length);
-	free(ke.contents);
-    }
-    if (ki.contents != NULL) {
-	memset(ki.contents, 0, ki.length);
-	free(ki.contents);
-    }
-    if (cksum != NULL) {
-	free(cksum);
-    }
-
+    zapfree(ke.contents, ke.length);
+    zapfree(ki.contents, ki.length);
+    free(cksum);
     return ret;
 }
 
@@ -222,12 +209,13 @@
     krb5_crypto_iov *header, *trailer;
     krb5_keyblock ke, ki;
     size_t i;
-    unsigned int blocksize = 0; /* careful, this is enc block size not confounder len */
+    unsigned int blocksize = 0; /* enc block size, not confounder len */
     unsigned int cipherlen = 0;
     unsigned int hmacsize = 0;
     unsigned char *cksum = NULL;
 
-    if (krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM) != NULL) {
+    if (krb5int_c_locate_iov(data, num_data,
+			     KRB5_CRYPTO_TYPE_STREAM) != NULL) {
 	return krb5int_c_iov_decrypt_stream(aead, enc, hash, key,
 					    usage, ivec, data, num_data);
     }
@@ -237,11 +225,13 @@
 
     /* E(Confounder | Plaintext | Pad) | Checksum */
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+			      &blocksize);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &hmacsize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+			      &hmacsize);
     if (ret != 0)
 	return ret;
 
@@ -273,24 +263,18 @@
 	return KRB5_BAD_MSIZE;
 
     ke.length = enc->keylength;
-    ke.contents = malloc(ke.length);
-    if (ke.contents == NULL) {
-	ret = ENOMEM;
+    ke.contents = k5alloc(ke.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
     ki.length = enc->keylength;
-    ki.contents = malloc(ki.length);
-    if (ki.contents == NULL) {
-	ret = ENOMEM;
+    ki.contents = k5alloc(ki.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
-    cksum = (unsigned char *)malloc(hash->hashsize);
-    if (cksum == NULL) {
-	ret = ENOMEM;
+    cksum = k5alloc(hash->hashsize, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *)constantdata;
     d1.length = K5CLENGTH;
@@ -309,14 +293,14 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* decrypt the plaintext (header | data | padding) */
+    /* Decrypt the plaintext (header | data | padding). */
     assert(enc->decrypt_iov != NULL);
 
-    ret = enc->decrypt_iov(&ke, ivec, data, num_data); /* will update ivec */
+    ret = (*enc->decrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
     if (ret != 0)
 	goto cleanup;
 
-    /* verify the hash */
+    /* Verify the hash. */
     d1.length = hash->hashsize; /* non-truncated length */
     d1.data = (char *)cksum;
 
@@ -324,24 +308,16 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* compare only the possibly truncated length */
+    /* Compare only the possibly truncated length. */
     if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
 	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	goto cleanup;
     }
 
 cleanup:
-    if (ke.contents != NULL) {
-	memset(ke.contents, 0, ke.length);
-	free(ke.contents);
-    }
-    if (ki.contents != NULL) {
-	memset(ki.contents, 0, ki.length);
-	free(ki.contents);
-    }
-    if (cksum != NULL) {
-	free(cksum);
-    }
+    zapfree(ke.contents, ke.length);
+    zapfree(ki.contents, ki.length);
+    free(cksum);
 
     return ret;
 }
@@ -383,4 +359,3 @@
     krb5int_dk_encrypt_iov,
     krb5int_dk_decrypt_iov
 };
-

Modified: trunk/src/lib/crypto/krb/dk/dk_decrypt.c
===================================================================
--- trunk/src/lib/crypto/krb/dk/dk_decrypt.c	2009-10-03 16:03:15 UTC (rev 22839)
+++ trunk/src/lib/crypto/krb/dk/dk_decrypt.c	2009-10-03 18:07:44 UTC (rev 22840)
@@ -71,17 +71,15 @@
 				 int ivec_mode)
 {
     krb5_error_code ret;
-    size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
-    unsigned char *plaindata, *kedata, *kidata, *cksum, *cn;
+    size_t hashsize, blocksize, keylength, enclen, plainlen;
+    unsigned char *plaindata = NULL, *kedata = NULL, *kidata = NULL;
+    unsigned char *cksum = NULL, *cn;
     krb5_keyblock ke, ki;
     krb5_data d1, d2;
     unsigned char constantdata[K5CLENGTH];
 
-    /* allocate and set up ciphertext and to-be-derived keys */
-
     hashsize = hash->hashsize;
     blocksize = enc->block_size;
-    keybytes = enc->keybytes;
     keylength = enc->keylength;
 
     if (hmacsize == 0)
@@ -91,30 +89,26 @@
 
     enclen = input->length - hmacsize;
 
-    if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-    if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((plaindata = (unsigned char *) malloc(enclen)) == NULL) {
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((cksum = (unsigned char *) malloc(hashsize)) == NULL) {
-	free(plaindata);
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
+    /* Allocate and set up ciphertext and to-be-derived keys. */
+    kedata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    kidata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    plaindata = k5alloc(enclen, &ret);
+    if (ret != 0)
+	goto cleanup;
+    cksum = k5alloc(hashsize, &ret);
+    if (ret != 0)
+	goto cleanup;
 
     ke.contents = kedata;
     ke.length = keylength;
     ki.contents = kidata;
     ki.length = keylength;
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
@@ -123,12 +117,14 @@
 
     d1.data[4] = (char) 0xAA;
 
-    if ((ret = krb5_derive_key(enc, key, &ke, &d1)) != 0)
+    ret = krb5_derive_key(enc, key, &ke, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     d1.data[4] = 0x55;
 
-    if ((ret = krb5_derive_key(enc, key, &ki, &d1)) != 0)
+    ret = krb5_derive_key(enc, key, &ki, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     /* decrypt the ciphertext */
@@ -139,7 +135,8 @@
     d2.length = enclen;
     d2.data = (char *) plaindata;
 
-    if ((ret = ((*(enc->decrypt))(&ke, ivec, &d1, &d2))) != 0)
+    ret = (*enc->decrypt)(&ke, ivec, &d1, &d2);
+    if (ret != 0)
 	goto cleanup;
 
     if (ivec != NULL && ivec->length == blocksize) {
@@ -147,18 +144,19 @@
 	    cn = (unsigned char *) d1.data + d1.length - blocksize;
 	else if (ivec_mode == 1) {
 	    int nblocks = (d1.length + blocksize - 1) / blocksize;
-	    cn = d1.data + blocksize * (nblocks - 2);
+	    cn = (unsigned char *) d1.data + blocksize * (nblocks - 2);
 	} else
 	    abort();
     } else
 	cn = NULL;
 
-    /* verify the hash */
+    /* Verify the hash. */
 
     d1.length = hashsize;
     d1.data = (char *) cksum;
 
-    if ((ret = krb5_hmac(hash, &ki, 1, &d2, &d1)) != 0)
+    ret = krb5_hmac(hash, &ki, 1, &d2, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     if (memcmp(cksum, input->data+enclen, hmacsize) != 0) {
@@ -166,14 +164,16 @@
 	goto cleanup;
     }
 
-    /* because this encoding isn't self-describing wrt length, the
-       best we can do here is to compute the length minus the
-       confounder. */
+    /*
+     * Because this encoding isn't self-describing wrt length, the
+     * best we can do here is to compute the length minus the
+     * confounder.
+     */
 
     plainlen = enclen - blocksize;
 
     if (output->length < plainlen)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
     output->length = plainlen;
 
@@ -182,19 +182,10 @@
     if (cn != NULL)
 	memcpy(ivec->data, cn, blocksize);
 
-    ret = 0;
-
 cleanup:
-    memset(kedata, 0, keylength);
-    memset(kidata, 0, keylength);
-    memset(plaindata, 0, enclen);
-    memset(cksum, 0, hashsize);
-
-    free(cksum);
-    free(plaindata);
-    free(kidata);
-    free(kedata);
-
-    return(ret);
+    zapfree(kedata, keylength);
+    zapfree(kidata, keylength);
+    zapfree(plaindata, enclen);
+    zapfree(cksum, hashsize);
+    return ret;
 }
-

Modified: trunk/src/lib/crypto/krb/dk/dk_encrypt.c
===================================================================
--- trunk/src/lib/crypto/krb/dk/dk_encrypt.c	2009-10-03 16:03:15 UTC (rev 22839)
+++ trunk/src/lib/crypto/krb/dk/dk_encrypt.c	2009-10-03 18:07:44 UTC (rev 22840)
@@ -29,12 +29,14 @@
 
 #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
 
-/* the spec says that the confounder size and padding are specific to
-   the encryption algorithm.  This code (dk_encrypt_length and
-   dk_encrypt) assume the confounder is always the blocksize, and the
-   padding is always zero bytes up to the blocksize.  If these
-   assumptions ever fails, the keytype table should be extended to
-   include these bits of info. */
+/*
+ * The spec says that the confounder size and padding are specific to
+ * the encryption algorithm.  This code (dk_encrypt_length and
+ * dk_encrypt) assume the confounder is always the blocksize, and the
+ * padding is always zero bytes up to the blocksize.  If these
+ * assumptions ever fails, the keytype table should be extended to
+ * include these bits of info.
+ */
 
 void
 krb5_dk_encrypt_length(const struct krb5_enc_provider *enc,
@@ -45,7 +47,7 @@
 
     blocksize = enc->block_size;
     hashsize = hash->hashsize;
-    *length = krb5_roundup(blocksize+inputlen, blocksize) + hashsize;
+    *length = krb5_roundup(blocksize + inputlen, blocksize) + hashsize;
 }
 
 krb5_error_code
@@ -55,46 +57,43 @@
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *output)
 {
-    size_t blocksize, keybytes, keylength, plainlen, enclen;
+    size_t blocksize, keylength, plainlen, enclen;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1, d2;
-    unsigned char *plaintext, *kedata, *kidata;
+    unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
     char *cn;
     krb5_keyblock ke, ki;
 
-    /* allocate and set up plaintext and to-be-derived keys */
-
     blocksize = enc->block_size;
-    keybytes = enc->keybytes;
     keylength = enc->keylength;
-    plainlen = krb5_roundup(blocksize+input->length, blocksize);
+    plainlen = krb5_roundup(blocksize + input->length, blocksize);
 
     krb5_dk_encrypt_length(enc, hash, input->length, &enclen);
 
-    /* key->length, ivec will be tested in enc->encrypt */
+    /* key->length, ivec will be tested in enc->encrypt. */
 
     if (output->length < enclen)
 	return(KRB5_BAD_MSIZE);
 
-    if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-    if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) {
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
+    /* Allocate and set up plaintext and to-be-derived keys. */
 
+    kedata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    kidata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    plaintext = k5alloc(plainlen, &ret);
+    if (ret != 0)
+	goto cleanup;
+
     ke.contents = kedata;
     ke.length = keylength;
     ki.contents = kidata;
     ki.length = keylength;
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
@@ -103,28 +102,31 @@
 
     d1.data[4] = (char) 0xAA;
 
-    if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
+    ret = krb5_derive_key(enc, key, &ke, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     d1.data[4] = 0x55;
 
-    if ((ret = krb5_derive_key(enc, key, &ki, &d1)))
+    ret = krb5_derive_key(enc, key, &ki, &d1);
+    if (ret != 0)
 	goto cleanup;
 
-    /* put together the plaintext */
+    /* Put together the plaintext. */
 
     d1.length = blocksize;
     d1.data = (char *) plaintext;
 
-    if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
+    ret = krb5_c_random_make_octets(/* XXX */ 0, &d1);
+    if (ret != 0)
 	goto cleanup;
 
-    memcpy(plaintext+blocksize, input->data, input->length);
+    memcpy(plaintext + blocksize, input->data, input->length);
 
-    memset(plaintext+blocksize+input->length, 0,
-	   plainlen - (blocksize+input->length));
+    memset(plaintext + blocksize + input->length, 0,
+	   plainlen - (blocksize + input->length));
 
-    /* encrypt the plaintext */
+    /* Encrypt the plaintext. */
 
     d1.length = plainlen;
     d1.data = (char *) plaintext;
@@ -132,7 +134,8 @@
     d2.length = plainlen;
     d2.data = output->data;
 
-    if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
+    ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+    if (ret != 0)
 	goto cleanup;
 
     if (ivec != NULL && ivec->length == blocksize)
@@ -140,34 +143,28 @@
     else
 	cn = NULL;
 
-    /* hash the plaintext */
+    /* Hash the plaintext. */
 
     d2.length = enclen - plainlen;
     d2.data = output->data+plainlen;
 
     output->length = enclen;
 
-    if ((ret = krb5_hmac(hash, &ki, 1, &d1, &d2))) {
+    ret = krb5_hmac(hash, &ki, 1, &d1, &d2);
+    if (ret != 0) {
 	memset(d2.data, 0, d2.length);
 	goto cleanup;
     }
 
-    /* update ivec */
+    /* Update ivec. */
     if (cn != NULL)
 	memcpy(ivec->data, cn, blocksize);
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kedata, 0, keylength);
-    memset(kidata, 0, keylength);
-    memset(plaintext, 0, plainlen);
-
-    free(plaintext);
-    free(kidata);
-    free(kedata);
-
-    return(ret);
+    zapfree(kedata, keylength);
+    zapfree(kidata, keylength);
+    zapfree(plaintext, plainlen);
+    return ret;
 }
 
 /* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher
@@ -222,7 +219,7 @@
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1, d2;
-    unsigned char *plaintext, *kedata, *kidata;
+    unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
     char *cn;
     krb5_keyblock ke, ki;
 
@@ -238,26 +235,24 @@
     /* key->length, ivec will be tested in enc->encrypt */
 
     if (output->length < enclen)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
-    if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-    if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) {
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
+    kedata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    kidata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    plaintext = k5alloc(plainlen, &ret);
+    if (ret != 0)
+	goto cleanup;
 
     ke.contents = kedata;
     ke.length = keylength;
     ki.contents = kidata;
     ki.length = keylength;
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
@@ -266,12 +261,14 @@
 
     d1.data[4] = (char) 0xAA;
 
-    if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
+    ret = krb5_derive_key(enc, key, &ke, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     d1.data[4] = 0x55;
 
-    if ((ret = krb5_derive_key(enc, key, &ki, &d1)))
+    ret = krb5_derive_key(enc, key, &ki, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     /* put together the plaintext */
@@ -279,16 +276,17 @@
     d1.length = blocksize;
     d1.data = (char *) plaintext;
 
-    if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
+    ret = krb5_c_random_make_octets(NULL, &d1);
+    if (ret != 0)
 	goto cleanup;
 
-    memcpy(plaintext+blocksize, input->data, input->length);
+    memcpy(plaintext + blocksize, input->data, input->length);
 
     /* Ciphertext stealing; there should be no more.  */
     if (plainlen != blocksize + input->length)
 	abort();
 
-    /* encrypt the plaintext */
+    /* Encrypt the plaintext. */
 
     d1.length = plainlen;
     d1.data = (char *) plaintext;
@@ -296,7 +294,8 @@
     d2.length = plainlen;
     d2.data = output->data;
 
-    if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
+    ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+    if (ret != 0)
 	goto cleanup;
 
     if (ivec != NULL && ivec->length == blocksize) {
@@ -305,54 +304,29 @@
     } else
 	cn = NULL;
 
-    /* hash the plaintext */
+    /* Hash the plaintext. */
 
     d2.length = enclen - plainlen;
     d2.data = output->data+plainlen;
     if (d2.length != 96 / 8)
 	abort();
 
-    if ((ret = trunc_hmac(hash, &ki, 1, &d1, &d2))) {
+    ret = trunc_hmac(hash, &ki, 1, &d1, &d2);
+    if (ret != 0) {
 	memset(d2.data, 0, d2.length);
 	goto cleanup;
     }
 
     output->length = enclen;
 
-    /* update ivec */
-    if (cn != NULL) {
+    /* Update ivec. */
+    if (cn != NULL)
 	memcpy(ivec->data, cn, blocksize);
-#if 0
-	{
-	    int i;
-	    printf("\n%s: output:", __func__);
-	    for (i = 0; i < output->length; i++) {
-		if (i % 16 == 0)
-		    printf("\n%s: ", __func__);
-		printf(" %02x", i[(unsigned char *)output->data]);
-	    }
-	    printf("\n%s: outputIV:", __func__);
-	    for (i = 0; i < ivec->length; i++) {
-		if (i % 16 == 0)
-		    printf("\n%s: ", __func__);
-		printf(" %02x", i[(unsigned char *)ivec->data]);
-	    }
-	    printf("\n");  fflush(stdout);
-	}
-#endif
-    }
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kedata, 0, keylength);
-    memset(kidata, 0, keylength);
-    memset(plaintext, 0, plainlen);
-
-    free(plaintext);
-    free(kidata);
-    free(kedata);
-
-    return(ret);
+    zapfree(kedata, keylength);
+    zapfree(kidata, keylength);
+    zapfree(plaintext, plainlen);
+    return ret;
 }
 

Modified: trunk/src/lib/crypto/krb/dk/stringtokey.c
===================================================================
--- trunk/src/lib/crypto/krb/dk/stringtokey.c	2009-10-03 16:03:15 UTC (rev 22839)
+++ trunk/src/lib/crypto/krb/dk/stringtokey.c	2009-10-03 18:07:44 UTC (rev 22840)
@@ -36,34 +36,32 @@
 {
     krb5_error_code ret;
     size_t keybytes, keylength, concatlen;
-    unsigned char *concat, *foldstring, *foldkeydata;
+    unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
     krb5_data indata;
     krb5_keyblock foldkey;
 
-    /* key->length is checked by krb5_derive_key */
+    /* key->length is checked by krb5_derive_key. */
 
     keybytes = enc->keybytes;
     keylength = enc->keylength;
 
-    concatlen = string->length+(salt?salt->length:0);
+    concatlen = string->length + (salt ? salt->length : 0);
 
-    if ((concat = (unsigned char *) malloc(concatlen)) == NULL)
-	return(ENOMEM);
-    if ((foldstring = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(concat);
-	return(ENOMEM);
-    }
-    if ((foldkeydata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(foldstring);
-	free(concat);
-	return(ENOMEM);
-    }
+    concat = k5alloc(concatlen, &ret);
+    if (ret != 0)
+	goto cleanup;
+    foldstring = k5alloc(keybytes, &ret);
+    if (ret != 0)
+	goto cleanup;
+    foldkeydata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
 
     /* construct input string ( = string + salt), fold it, make_key it */
 
     memcpy(concat, string->data, string->length);
     if (salt)
-	memcpy(concat+string->length, salt->data, salt->length);
+	memcpy(concat + string->length, salt->data, salt->length);
 
     krb5_nfold(concatlen*8, concat, keybytes*8, foldstring);
 
@@ -72,25 +70,22 @@
     foldkey.length = keylength;
     foldkey.contents = foldkeydata;
 
-    (*(enc->make_key))(&indata, &foldkey);
+    ret = (*enc->make_key)(&indata, &foldkey);
+    if (ret != 0)
+	goto cleanup;
 
     /* now derive the key from this one */
 
     indata.length = kerberos_len;
     indata.data = (char *) kerberos;
 
-    if ((ret = krb5_derive_key(enc, &foldkey, key, &indata)))
+    ret = krb5_derive_key(enc, &foldkey, key, &indata);
+    if (ret != 0)
 	memset(key->contents, 0, key->length);
 
-    /* ret is set correctly by the prior call */
-
-    memset(concat, 0, concatlen);
-    memset(foldstring, 0, keybytes);
-    memset(foldkeydata, 0, keylength);
-
-    free(foldkeydata);
-    free(foldstring);
-    free(concat);
-
-    return(ret);
+cleanup:
+    zapfree(concat, concatlen);
+    zapfree(foldstring, keybytes);
+    zapfree(foldkeydata, keylength);
+    return ret;
 }



From ghudson at MIT.EDU  Sat Oct  3 17:00:42 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Sat, 3 Oct 2009 17:00:42 -0400
Subject: svn rev #22841: branches/enc-perf/src/ include/krb5/ lib/crypto/krb/
Message-ID: <200910032100.n93L0gua016837@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22841
Commit By: ghudson
Log Message:
Define constructors, destructors, and accessors for krb5_key (file was
missing from r22793).  Const-poison signature of krb5_k_create_key.



Changed Files:
U   branches/enc-perf/src/include/krb5/krb5.hin
A   branches/enc-perf/src/lib/crypto/krb/key.c
Modified: branches/enc-perf/src/include/krb5/krb5.hin
===================================================================
--- branches/enc-perf/src/include/krb5/krb5.hin	2009-10-03 18:07:44 UTC (rev 22840)
+++ branches/enc-perf/src/include/krb5/krb5.hin	2009-10-03 21:00:42 UTC (rev 22841)
@@ -719,7 +719,7 @@
  */
 
 krb5_error_code KRB5_CALLCONV
-krb5_k_create_key(krb5_context context, krb5_keyblock *key_data,
+krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data,
 		  krb5_key *out);
 
 void KRB5_CALLCONV krb5_k_free_key(krb5_context context, krb5_key key);

Added: branches/enc-perf/src/lib/crypto/krb/key.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/key.c	2009-10-03 18:07:44 UTC (rev 22840)
+++ branches/enc-perf/src/lib/crypto/krb/key.c	2009-10-03 21:00:42 UTC (rev 22841)
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * Functions for manipulating krb5_key structures
+ */
+
+#include "k5-int.h"
+
+/*
+ * The krb5_key data type wraps an exposed keyblock in an opaque data
+ * structure, to allow for internal optimizations such as caching of
+ * derived keys.
+ */
+
+/* Create a krb5_key from the enctype and key data in a keyblock. */
+krb5_error_code KRB5_CALLCONV
+krb5_k_create_key(krb5_context context, const krb5_keyblock *key_data,
+		  krb5_key *out)
+{
+    krb5_key key = NULL;
+    krb5_error_code code;
+
+    *out = NULL;
+
+    key = malloc(sizeof(*key));
+    if (key == NULL)
+	return ENOMEM;
+    code = krb5int_c_copy_keyblock_contents(context, key_data, &key->keyblock);
+    if (code)
+	goto cleanup;
+
+    *out = key;
+    return 0;
+
+cleanup:
+    free(key);
+    return code;
+}
+
+/* Free the memory used by a krb5_key. */
+void KRB5_CALLCONV
+krb5_k_free_key(krb5_context context, krb5_key key)
+{
+    if (key == NULL)
+	return;
+    krb5int_c_free_keyblock_contents(context, &key->keyblock);
+}
+
+/* Retrieve a copy of the keyblock from a krb5_key. */
+krb5_error_code KRB5_CALLCONV
+krb5_k_key_keyblock(krb5_context context, krb5_key key,
+		    krb5_keyblock **key_data)
+{
+    return krb5int_c_copy_keyblock(context, &key->keyblock, key_data);
+}
+
+/* Retrieve the enctype of a krb5_key. */
+krb5_enctype KRB5_CALLCONV
+krb5_k_key_enctype(krb5_context context, krb5_key key)
+{
+    return key->keyblock.enctype;
+}



From ghudson at MIT.EDU  Sat Oct  3 17:02:45 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Sat, 3 Oct 2009 17:02:45 -0400
Subject: svn rev #22842: branches/enc-perf/src/ include/ lib/crypto/krb/
	lib/crypto/krb/dk/
Message-ID: <200910032102.n93L2ji5017217@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22842
Commit By: ghudson
Log Message:
Merge trunk changes from r22833 to r22841 to enc-perf branch.



Changed Files:
U   branches/enc-perf/src/include/k5-int.h
U   branches/enc-perf/src/lib/crypto/krb/aead.c
U   branches/enc-perf/src/lib/crypto/krb/block_size.c
U   branches/enc-perf/src/lib/crypto/krb/cf2.c
U   branches/enc-perf/src/lib/crypto/krb/checksum_length.c
U   branches/enc-perf/src/lib/crypto/krb/cksumtype_to_string.c
U   branches/enc-perf/src/lib/crypto/krb/cksumtypes.c
U   branches/enc-perf/src/lib/crypto/krb/cksumtypes.h
U   branches/enc-perf/src/lib/crypto/krb/coll_proof_cksum.c
U   branches/enc-perf/src/lib/crypto/krb/combine_keys.c
U   branches/enc-perf/src/lib/crypto/krb/crypto_length.c
U   branches/enc-perf/src/lib/crypto/krb/decrypt.c
U   branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c
U   branches/enc-perf/src/lib/crypto/krb/dk/checksum.c
U   branches/enc-perf/src/lib/crypto/krb/dk/derive.c
U   branches/enc-perf/src/lib/crypto/krb/dk/dk.h
U   branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c
U   branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c
U   branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c
U   branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c
U   branches/enc-perf/src/lib/crypto/krb/encrypt.c
U   branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c
U   branches/enc-perf/src/lib/crypto/krb/encrypt_length.c
U   branches/enc-perf/src/lib/crypto/krb/enctype_compare.c
U   branches/enc-perf/src/lib/crypto/krb/enctype_to_string.c
U   branches/enc-perf/src/lib/crypto/krb/etypes.c
U   branches/enc-perf/src/lib/crypto/krb/etypes.h
U   branches/enc-perf/src/lib/crypto/krb/keyblocks.c
U   branches/enc-perf/src/lib/crypto/krb/keyed_checksum_types.c
U   branches/enc-perf/src/lib/crypto/krb/keyed_cksum.c
U   branches/enc-perf/src/lib/crypto/krb/keylengths.c
U   branches/enc-perf/src/lib/crypto/krb/make_checksum.c
U   branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c
U   branches/enc-perf/src/lib/crypto/krb/make_random_key.c
U   branches/enc-perf/src/lib/crypto/krb/mandatory_sumtype.c
U   branches/enc-perf/src/lib/crypto/krb/old_api_glue.c
U   branches/enc-perf/src/lib/crypto/krb/prf.c
U   branches/enc-perf/src/lib/crypto/krb/prng.c
U   branches/enc-perf/src/lib/crypto/krb/random_to_key.c
U   branches/enc-perf/src/lib/crypto/krb/state.c
U   branches/enc-perf/src/lib/crypto/krb/string_to_cksumtype.c
U   branches/enc-perf/src/lib/crypto/krb/string_to_enctype.c
U   branches/enc-perf/src/lib/crypto/krb/string_to_key.c
U   branches/enc-perf/src/lib/crypto/krb/valid_cksumtype.c
U   branches/enc-perf/src/lib/crypto/krb/valid_enctype.c
U   branches/enc-perf/src/lib/crypto/krb/verify_checksum.c
U   branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c
Modified: branches/enc-perf/src/include/k5-int.h
===================================================================
--- branches/enc-perf/src/include/k5-int.h	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/include/k5-int.h	2009-10-03 21:02:44 UTC (rev 22842)
@@ -781,6 +781,16 @@
 #endif /* WIN32 */
 #define zap(p,l) krb5int_zap_data(p,l)
 
+/* Convenience function: zap and free ptr if it is non-NULL. */
+static inline void
+zapfree(void *ptr, size_t len)
+{
+    if (ptr != NULL) {
+	zap(ptr, len);
+	free(ptr);
+    }
+}
+
 /* A definition of init_state for DES based encryption systems.
  * sets up an 8-byte IV of all zeros
  */
@@ -2833,6 +2843,17 @@
 	    && !memcmp(a1.contents, a2.contents, a1.length));
 }
 
+/* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
+static inline void *
+k5alloc(size_t size, krb5_error_code *code)
+{
+    void *ptr;
+
+    ptr = calloc(size, 1);
+    *code = (ptr == NULL) ? ENOMEM : 0;
+    return ptr;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5int_pac_sign(krb5_context context,
 		 krb5_pac pac,

Modified: branches/enc-perf/src/lib/crypto/krb/aead.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/aead.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/aead.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -72,8 +72,8 @@
 	    num_sign_data++;
     }
 
-    /* XXX cleanup to avoid alloc */
-    sign_data = (krb5_data *)calloc(num_sign_data, sizeof(krb5_data));
+    /* XXX cleanup to avoid alloc. */
+    sign_data = calloc(num_sign_data, sizeof(krb5_data));
     if (sign_data == NULL)
 	return ENOMEM;
 
@@ -84,7 +84,7 @@
 	    sign_data[j++] = iov->data;
     }
 
-    ret = hash_provider->hash(num_sign_data, sign_data, output);
+    ret = (*hash_provider->hash)(num_sign_data, sign_data, output);
 
     free(sign_data);
 
@@ -99,36 +99,26 @@
 			    size_t num_data,
 			    krb5_data *cksum_data)
 {
-    int e1, e2;
+    const struct krb5_keytypes *e1, *e2;
     krb5_error_code ret;
 
     if (cksum_type->keyhash != NULL) {
-	/* check if key is compatible */
+	/* Check if key is compatible. */
 
 	if (cksum_type->keyed_etype) {
-	    for (e1=0; e1<krb5_enctypes_length; e1++) 
-		if (krb5_enctypes_list[e1].etype ==
-		    cksum_type->keyed_etype)
-		    break;
-
-	    for (e2=0; e2<krb5_enctypes_length; e2++) 
-		if (krb5_enctypes_list[e2].etype == key->enctype)
-		    break;
-
-	    if ((e1 == krb5_enctypes_length) ||
-		(e2 == krb5_enctypes_length) ||
-		(krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)) {
+	    e1 = find_enctype(cksum_type->keyed_etype);
+	    e2 = find_enctype(key->enctype);
+	    if (e1 == NULL || e2 == NULL || e1->enc != e2->enc) {
 		ret = KRB5_BAD_ENCTYPE;
 		goto cleanup;
 	    }
 	}
 
-	if (cksum_type->keyhash->hash_iov == NULL) {
+	if (cksum_type->keyhash->hash_iov == NULL)
 	    return KRB5_BAD_ENCTYPE;
-	}
 
-	ret = (*(cksum_type->keyhash->hash_iov))(key, usage, 0,
-						 data, num_data, cksum_data);
+	ret = (*cksum_type->keyhash->hash_iov)(key, usage, 0, data, num_data,
+					       cksum_data);
     } else if (cksum_type->flags & KRB5_CKSUMFLAG_DERIVE) {
 	ret = krb5int_dk_make_checksum_iov(cksum_type->hash,
 					   key, usage, data, num_data,
@@ -364,22 +354,25 @@
     stream = krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM);
     assert(stream != NULL);
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, &header_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
+				 &header_len);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &trailer_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+				 &trailer_len);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &padding_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+				 &padding_len);
     if (ret != 0)
 	return ret;
 
     if (stream->data.length < header_len + trailer_len)
 	return KRB5_BAD_MSIZE;
 
-    iov = (krb5_crypto_iov *)calloc(num_data + 2, sizeof(krb5_crypto_iov));
+    iov = calloc(num_data + 2, sizeof(krb5_crypto_iov));
     if (iov == NULL)
 	return ENOMEM;
 
@@ -400,14 +393,18 @@
 	    got_data++;
 
 	    data[j].data.data = stream->data.data + header_len;
-	    data[j].data.length = stream->data.length - header_len - trailer_len;
+	    data[j].data.length = stream->data.length - header_len
+		- trailer_len;
 	}
 	if (data[j].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY ||
 	    data[j].flags == KRB5_CRYPTO_TYPE_DATA)
 	    iov[i++] = data[j];
     }
 
-    /* XXX not self-describing with respect to length, this is the best we can do */
+    /*
+     * XXX not self-describing with respect to length, this is the best
+     * we can do.
+     */
     iov[i].flags = KRB5_CRYPTO_TYPE_PADDING;
     iov[i].data.data = NULL;
     iov[i].data.length = 0;
@@ -420,7 +417,7 @@
 
     assert(i <= num_data + 2);
 
-    ret = aead->decrypt_iov(aead, enc, hash, key, keyusage, ivec, iov, i);
+    ret = (*aead->decrypt_iov)(aead, enc, hash, key, keyusage, ivec, iov, i);
 
     free(iov);
 
@@ -437,7 +434,8 @@
     unsigned int padding;
     krb5_error_code ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &padding);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+				 &padding);
     if (ret != 0)
 	return ret;
 
@@ -463,21 +461,23 @@
     unsigned int padding_len = 0;
     unsigned int trailer_len = 0;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
-			      &header_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
+				 &header_len);
     if (ret != 0)
 	return ret;
 
-    ret = krb5int_c_padding_length(aead, enc, hash, input->length, &padding_len);
+    ret = krb5int_c_padding_length(aead, enc, hash, input->length,
+				   &padding_len);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
-			      &trailer_len);
+    ret = (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+				 &trailer_len);
     if (ret != 0)
 	return ret;
 
-    if (output->length < header_len + input->length + padding_len + trailer_len)
+    if (output->length <
+	header_len + input->length + padding_len + trailer_len)
 	return KRB5_BAD_MSIZE;
 
     iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
@@ -497,9 +497,8 @@
     iov[3].data.data = iov[2].data.data + iov[2].data.length;
     iov[3].data.length = trailer_len;
 
-    ret = aead->encrypt_iov(aead, enc, hash, key,
-			    usage, ivec,
-			    iov, sizeof(iov)/sizeof(iov[0]));
+    ret = (*aead->encrypt_iov)(aead, enc, hash, key, usage, ivec,
+			       iov, sizeof(iov) / sizeof(iov[0]));
 
     if (ret != 0)
 	zap(iov[1].data.data, iov[1].data.length);
@@ -548,8 +547,7 @@
     output->length = iov[1].data.length;
 
 cleanup:
-    zap(iov[0].data.data,  iov[0].data.length);
-    free(iov[0].data.data);
+    zapfree(iov[0].data.data, iov[0].data.length);
 
     return ret;
 }
@@ -564,9 +562,11 @@
     unsigned int padding_len = 0;
     unsigned int trailer_len = 0;
 
-    aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER, &header_len);
+    (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_HEADER,
+			   &header_len);
     krb5int_c_padding_length(aead, enc, hash, inputlen, &padding_len);
-    aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &trailer_len);
+    (*aead->crypto_length)(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+			   &trailer_len);
 
     *length = header_len + inputlen + padding_len + trailer_len;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/block_size.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/block_size.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/block_size.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -31,17 +31,12 @@
 krb5_c_block_size(krb5_context context, krb5_enctype enctype,
 		  size_t *blocksize)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    *blocksize = ktp->enc->block_size;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    *blocksize = krb5_enctypes_list[i].enc->block_size;
-
-    return(0);
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/cf2.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/cf2.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/cf2.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -40,8 +40,8 @@
  * a count byte  to get enough bits of output. 
  */
 static krb5_error_code
-prf_plus( krb5_context context, krb5_keyblock *k,const char *pepper,
-	  size_t keybytes, char **out)
+prf_plus(krb5_context context, krb5_keyblock *k, const char *pepper,
+	 size_t keybytes, char **out)
 {
     krb5_error_code retval = 0;
     size_t prflen, iterations;
@@ -49,46 +49,44 @@
     krb5_data in_data;
     char *buffer = NULL;
     struct k5buf prf_inbuf;
+
     krb5int_buf_init_dynamic(&prf_inbuf);
-    krb5int_buf_add_len( &prf_inbuf, "\001", 1);
-    krb5int_buf_add( &prf_inbuf, pepper);
+    krb5int_buf_add_len(&prf_inbuf, "\001", 1);
+    krb5int_buf_add(&prf_inbuf, pepper);
     retval = krb5_c_prf_length( context, k->enctype, &prflen);
-    if (retval != 0)
+    if (retval)
 	goto cleanup;
-    iterations = keybytes/prflen;
-    if ((keybytes%prflen) != 0)
+    iterations = keybytes / prflen;
+    if (keybytes % prflen != 0)
 	iterations++;
     assert(iterations <= 254);
-    buffer = malloc(iterations*prflen);
-    if (buffer == NULL) {
-	retval = ENOMEM;
+    buffer = k5alloc(iterations * prflen, &retval);
+    if (retval)
 	goto cleanup;
-	}
-    if (krb5int_buf_len( &prf_inbuf) == -1) {
+    if (krb5int_buf_len(&prf_inbuf) == -1) {
 	retval = ENOMEM;
 	goto cleanup;
     }
-    in_data.length = (krb5_int32) krb5int_buf_len( &prf_inbuf);
-    in_data.data = krb5int_buf_data( &prf_inbuf);
+    in_data.length = (krb5_int32) krb5int_buf_len(&prf_inbuf);
+    in_data.data = krb5int_buf_data(&prf_inbuf);
     out_data.length = prflen;
     out_data.data = buffer;
 
     while (iterations > 0) {
-	retval = krb5_c_prf( context, k, &in_data, &out_data);
-    if (retval != 0)
-	goto cleanup;
-    out_data.data += prflen;
-    in_data.data[0]++;
-    iterations--;
+	retval = krb5_c_prf(context, k, &in_data, &out_data);
+	if (retval)
+	    goto cleanup;
+	out_data.data += prflen;
+	in_data.data[0]++;
+	iterations--;
     }
- cleanup:
-    if (retval == 0 )
-	*out = buffer;
-    else{
-	if (buffer != NULL)
-	    free(buffer);
-    }
-    krb5int_free_buf( &prf_inbuf);
+
+    *out = buffer;
+    buffer = NULL;
+
+cleanup:
+    free(buffer);
+    krb5int_free_buf(&prf_inbuf);
     return retval;
 }
 
@@ -107,48 +105,46 @@
     krb5_error_code retval = 0;
     krb5_keyblock *out_key = NULL;
 
-
-    if (k1 == NULL ||!krb5_c_valid_enctype(k1->enctype))
+    if (k1 == NULL || !krb5_c_valid_enctype(k1->enctype))
 	return KRB5_BAD_ENCTYPE;
     if (k2 == NULL || !krb5_c_valid_enctype(k2->enctype))
 	return KRB5_BAD_ENCTYPE;
     out_enctype_num = k1->enctype;
     assert(out != NULL);
-    assert ((out_enctype = find_enctype(out_enctype_num)) != NULL);
+    assert((out_enctype = find_enctype(out_enctype_num)) != NULL);
     if (out_enctype->prf == NULL) {
 	if (context)
-	    krb5int_set_error(&(context->err) , KRB5_CRYPTO_INTERNAL,
-				   "Enctype %d has no PRF", out_enctype_num);
+	    krb5int_set_error(&(context->err), KRB5_CRYPTO_INTERNAL,
+			      "Enctype %d has no PRF", out_enctype_num);
 	return KRB5_CRYPTO_INTERNAL;
-		}
+    }
     keybytes = out_enctype->enc->keybytes;
     keylength = out_enctype->enc->keylength;
 
-    retval = prf_plus( context, k1, pepper1, keybytes, &prf1);
-	if (retval != 0)
-	    goto cleanup;
-    retval = prf_plus( context, k2, pepper2, keybytes, &prf2);
-    if (retval != 0)
+    retval = prf_plus(context, k1, pepper1, keybytes, &prf1);
+    if (retval)
 	goto cleanup;
+    retval = prf_plus(context, k2, pepper2, keybytes, &prf2);
+    if (retval)
+	goto cleanup;
     for (i = 0; i < keybytes; i++)
 	prf1[i] ^= prf2[i];
-    zap(prf2, keybytes);
-    retval = krb5int_c_init_keyblock( context, out_enctype_num, keylength, &out_key);
-    if (retval != 0)
+    retval = krb5int_c_init_keyblock(context, out_enctype_num, keylength,
+				     &out_key);
+    if (retval)
 	goto cleanup;
     keydata.data = prf1;
     keydata.length = keybytes;
-    retval = out_enctype->enc->make_key( &keydata, out_key);
+    retval = (*out_enctype->enc->make_key)(&keydata, out_key);
+    if (retval)
+	goto cleanup;
 
- cleanup:
-    if (retval == 0)
-	*out = out_key;
-    else krb5int_c_free_keyblock( context, out_key);
-    if (prf1 != NULL) {
-	zap(prf1, keybytes);
-	free(prf1);
-    }
-    if (prf2 != NULL)
-	free(prf2);
+    *out = out_key;
+    out_key = NULL;
+
+cleanup:
+    krb5int_c_free_keyblock( context, out_key);
+    zapfree(prf1, keybytes);
+    zapfree(prf2, keybytes);
     return retval;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/checksum_length.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/checksum_length.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/checksum_length.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -39,7 +39,7 @@
     }
 
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
 
     if (krb5_cksumtypes_list[i].keyhash)
 	*length = krb5_cksumtypes_list[i].keyhash->hashsize;
@@ -48,6 +48,6 @@
     else
 	*length = krb5_cksumtypes_list[i].hash->hashsize;
 
-    return(0);
+    return 0;
 }
 	

Modified: branches/enc-perf/src/lib/crypto/krb/cksumtype_to_string.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/cksumtype_to_string.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/cksumtype_to_string.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -32,14 +32,14 @@
 {
     unsigned int i;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype) {
 	    if (strlcpy(buffer, krb5_cksumtypes_list[i].out_string,
 			buflen) >= buflen)
-		return(ENOMEM);
-	    return(0);
+		return ENOMEM;
+	    return 0;
 	}
     }
 
-    return(EINVAL);
+    return EINVAL;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/cksumtypes.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/cksumtypes.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/cksumtypes.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -88,4 +88,4 @@
 };
 
 const unsigned int krb5_cksumtypes_length =
-sizeof(krb5_cksumtypes_list)/sizeof(struct krb5_cksumtypes);
+    sizeof(krb5_cksumtypes_list) / sizeof(struct krb5_cksumtypes);

Modified: branches/enc-perf/src/lib/crypto/krb/cksumtypes.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/cksumtypes.h	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/cksumtypes.h	2009-10-03 21:02:44 UTC (rev 22842)
@@ -34,23 +34,29 @@
     char *name;
     char *aliases[2];
     char *out_string;
-    /* if the hash is keyed, this is the etype it is keyed with.
-       Actually, it can be keyed by any etype which has the same
-       enc_provider as the specified etype.  DERIVE checksums can
-       be keyed with any valid etype. */
+    /*
+     * If the hash is keyed, this is the etype it is keyed with.
+     * Actually, it can be keyed by any etype which has the same
+     * enc_provider as the specified etype.  DERIVE checksums can
+     * be keyed with any valid etype.
+     */
     krb5_enctype keyed_etype;
-    /* I can't statically initialize a union, so I'm just going to use
-       two pointers here.  The keyhash is used if non-NULL.  If NULL,
-       then HMAC/hash with derived keys is used if the relevant flag
-       is set.  Otherwise, a non-keyed hash is computed.  This is all
-       kind of messy, but so is the krb5 api. */
+    /*
+     * I can't statically initialize a union, so I'm just going to use
+     * two pointers here.  The keyhash is used if non-NULL.  If NULL,
+     * then HMAC/hash with derived keys is used if the relevant flag
+     * is set.  Otherwise, a non-keyed hash is computed.  This is all
+     * kind of messy, but so is the krb5 api.
+     */
     const struct krb5_keyhash_provider *keyhash;
     const struct krb5_hash_provider *hash;
-    /* This just gets uglier and uglier.  In the key derivation case,
-       we produce an hmac.  To make the hmac code work, we can't hack
-       the output size indicated by the hash provider, but we may want
-       a truncated hmac.  If we want truncation, this is the number of
-       bytes we truncate to; it should be 0 otherwise.  */
+    /*
+     * This just gets uglier and uglier.  In the key derivation case,
+     * we produce an hmac.  To make the hmac code work, we can't hack
+     * the output size indicated by the hash provider, but we may want
+     * a truncated hmac.  If we want truncation, this is the number of
+     * bytes we truncate to; it should be 0 otherwise.
+     */
     unsigned int trunc_size;
 };
 

Modified: branches/enc-perf/src/lib/crypto/krb/coll_proof_cksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/coll_proof_cksum.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/coll_proof_cksum.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -32,19 +32,19 @@
 {
     unsigned int i;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == ctype)
 	    return((krb5_cksumtypes_list[i].flags &
-		    KRB5_CKSUMFLAG_NOT_COLL_PROOF)?0:1);
+		    KRB5_CKSUMFLAG_NOT_COLL_PROOF) ? FALSE : TRUE);
     }
 
     /* ick, but it's better than coredumping, which is what the
        old code would have done */
-    return(0);
+    return FALSE;
 }
 
 krb5_boolean KRB5_CALLCONV
 is_coll_proof_cksum(krb5_cksumtype ctype)
 {
-    return krb5_c_is_coll_proof_cksum (ctype);
+    return krb5_c_is_coll_proof_cksum(ctype);
 }

Modified: branches/enc-perf/src/lib/crypto/krb/combine_keys.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/combine_keys.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/combine_keys.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -46,9 +46,9 @@
 #include "etypes.h"
 #include "dk.h"
 
-static krb5_error_code dr
-(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
-		unsigned char *outdata, const krb5_data *in_constant);
+static krb5_error_code dr(const struct krb5_enc_provider *enc,
+			  const krb5_keyblock *inkey, unsigned char *outdata,
+			  const krb5_data *in_constant);
 
 /*
  * We only support this combine_keys algorithm for des and 3des keys.
@@ -56,86 +56,66 @@
  * We don't implement that yet.
  */
 
-static krb5_boolean  enctype_ok (krb5_enctype e) 
+static krb5_boolean
+enctype_ok(krb5_enctype e)
 {
     switch (e) {
     case ENCTYPE_DES_CBC_CRC:
     case ENCTYPE_DES_CBC_MD4:
     case ENCTYPE_DES_CBC_MD5:
     case ENCTYPE_DES3_CBC_SHA1:
-	return 1;
+	return TRUE;
     default:
-	return 0;
+	return FALSE;
     }
 }
 
-krb5_error_code krb5int_c_combine_keys
-(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, krb5_keyblock *outkey)
+krb5_error_code
+krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
+		       krb5_keyblock *key2, krb5_keyblock *outkey)
 {
-    unsigned char *r1, *r2, *combined, *rnd, *output;
+    unsigned char *r1 = NULL, *r2 = NULL, *combined = NULL, *rnd = NULL;
+    unsigned char *output = NULL;
     size_t keybytes, keylength;
     const struct krb5_enc_provider *enc;
     krb5_data input, randbits;
     krb5_keyblock tkey;
     krb5_error_code ret;
-    int i, myalloc = 0;
-    if (!(enctype_ok(key1->enctype)&&enctype_ok(key2->enctype)))
-	return (KRB5_CRYPTO_INTERNAL);
-    
+    const struct krb5_keytypes *ktp;
+    krb5_boolean myalloc = FALSE;
 
+    if (!enctype_ok(key1->enctype) || !enctype_ok(key2->enctype))
+	return KRB5_CRYPTO_INTERNAL;
+
     if (key1->length != key2->length || key1->enctype != key2->enctype)
-	return (KRB5_CRYPTO_INTERNAL);
+	return KRB5_CRYPTO_INTERNAL;
 
-    /*
-     * Find our encryption algorithm
-     */
+    /* Find our encryption algorithm. */
+    ktp = find_enctype(key1->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key1->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return (KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-
     keybytes = enc->keybytes;
     keylength = enc->keylength;
 
-    /*
-     * Allocate and set up buffers
-     */
+    /* Allocate and set up buffers. */
+    r1 = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
+    r2 = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
+    rnd = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
+    combined = k5alloc(keybytes * 2, &ret);
+    if (ret)
+	goto cleanup;
+    output = k5alloc(keylength, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((r1 = (unsigned char *) malloc(keybytes)) == NULL)
-	return (ENOMEM);
-
-    if ((r2 = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(r1);
-	return (ENOMEM);
-    }
-
-    if ((rnd = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(r1);
-	free(r2);
-	return (ENOMEM);
-    }
-
-    if ((combined = (unsigned char *) malloc(keybytes * 2)) == NULL) {
-	free(r1);
-	free(r2);
-	free(rnd);
-	return (ENOMEM);
-    }
-
-    if ((output = (unsigned char *) malloc(keylength)) == NULL) {
-	free(r1);
-	free(r2);
-	free(rnd);
-	free(combined);
-	return (ENOMEM);
-    }
-
     /*
      * Get R1 and R2 (by running the input keys through the DR algorithm.
      * Note this is most of derive-key, but not all.
@@ -143,34 +123,16 @@
 
     input.length = key2->length;
     input.data = (char *) key2->contents;
-    if ((ret = dr(enc, key1, r1, &input)))
+    ret = dr(enc, key1, r1, &input);
+    if (ret)
 	goto cleanup;
 
-#if 0
-    {
-	int i;
-	printf("R1 =");
-	for (i = 0; i < keybytes; i++)
-	    printf(" %02x", (unsigned char) r1[i]);
-	printf("\n");
-    }
-#endif
-
     input.length = key1->length;
     input.data = (char *) key1->contents;
-    if ((ret = dr(enc, key2, r2, &input)))
+    ret = dr(enc, key2, r2, &input);
+    if (ret)
 	goto cleanup;
 
-#if 0
-    {
-	int i;
-	printf("R2 =");
-	for (i = 0; i < keybytes; i++)
-	    printf(" %02x", (unsigned char) r2[i]);
-	printf("\n");
-    }
-#endif
-
     /*
      * Concatenate the two keys together, and then run them through
      * n-fold to reduce them to a length appropriate for the random-to-key
@@ -183,16 +145,6 @@
 
     krb5_nfold((keybytes * 2) * 8, combined, keybytes * 8, rnd);
 
-#if 0
-    {
-	int i;
-	printf("rnd =");
-	for (i = 0; i < keybytes; i++)
-	    printf(" %02x", (unsigned char) rnd[i]);
-	printf("\n");
-    }
-#endif
-
     /*
      * Run the "random" bits through random-to-key to produce a encryption
      * key.
@@ -203,25 +155,16 @@
     tkey.length = keylength;
     tkey.contents = output;
 
-    if ((ret = (*(enc->make_key))(&randbits, &tkey)))
+    ret = (*enc->make_key)(&randbits, &tkey);
+    if (ret)
 	goto cleanup;
 
-#if 0
-    {
-	int i;
-	printf("tkey =");
-	for (i = 0; i < tkey.length; i++)
-	    printf(" %02x", (unsigned char) tkey.contents[i]);
-	printf("\n");
-    }
-#endif
-
     /*
      * Run through derive-key one more time to produce the final key.
      * Note that the input to derive-key is the ASCII string "combine".
      */
 
-    input.length = 7; /* Note; change this if string length changes */
+    input.length = 7;
     input.data = "combine";
 
     /*
@@ -234,17 +177,16 @@
      */
 
     if (outkey->length == 0 || outkey->contents == NULL) {
-	outkey->contents = (krb5_octet *) malloc(keylength);
-	if (!outkey->contents) {
-	    ret = ENOMEM;
+	outkey->contents = k5alloc(keylength, &ret);
+	if (ret)
 	    goto cleanup;
-	}
 	outkey->length = keylength;
 	outkey->enctype = key1->enctype;
-	myalloc = 1;
+	myalloc = TRUE;
     }
 
-    if ((ret = krb5_derive_key(enc, &tkey, outkey, &input))) {
+    ret = krb5_derive_key(enc, &tkey, outkey, &input);
+    if (ret) {
 	if (myalloc) {
 	    free(outkey->contents);
 	    outkey->contents = NULL;
@@ -252,59 +194,39 @@
 	goto cleanup;
     }
 
-#if 0
-    {
-	int i;
-	printf("output =");
-	for (i = 0; i < outkey->length; i++)
-	    printf(" %02x", (unsigned char) outkey->contents[i]);
-	printf("\n");
-    }
-#endif
-
-    ret = 0;
-
 cleanup:
-    memset(r1, 0, keybytes);
-    memset(r2, 0, keybytes);
-    memset(rnd, 0, keybytes);
-    memset(combined, 0, keybytes * 2);
-    memset(output, 0, keylength);
-
-    free(r1);
-    free(r2);
-    free(rnd);
-    free(combined);
-    free(output);
-
-    return (ret);
+    zapfree(r1, keybytes);
+    zapfree(r2, keybytes);
+    zapfree(rnd, keybytes);
+    zapfree(combined, keybytes * 2);
+    zapfree(output, keylength);
+    return ret;
 }
 
 /*
  * Our DR function; mostly taken from derive.c
  */
 
-static krb5_error_code dr
-(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey, unsigned char *out, const krb5_data *in_constant)
+static krb5_error_code
+dr(const struct krb5_enc_provider *enc, const krb5_keyblock *inkey,
+   unsigned char *out, const krb5_data *in_constant)
 {
-    size_t blocksize, keybytes, keylength, n;
-    unsigned char *inblockdata, *outblockdata;
+    size_t blocksize, keybytes, n;
+    unsigned char *inblockdata = NULL, *outblockdata = NULL;
     krb5_data inblock, outblock;
+    krb5_error_code ret;
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
-    keylength = enc->keylength;
 
-    /* allocate and set up buffers */
+    /* Allocate and set up buffers. */
+    inblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    outblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((inblockdata = (unsigned char *) malloc(blocksize)) == NULL)
-	return(ENOMEM);
-
-    if ((outblockdata = (unsigned char *) malloc(blocksize)) == NULL) {
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
     inblock.data = (char *) inblockdata;
     inblock.length = blocksize;
 
@@ -324,26 +246,23 @@
 
     n = 0;
     while (n < keybytes) {
-	(*(enc->encrypt))(inkey, 0, &inblock, &outblock);
+	ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+	if (ret)
+	    goto cleanup;
 
 	if ((keybytes - n) <= outblock.length) {
-	    memcpy(out+n, outblock.data, (keybytes - n));
+	    memcpy(out + n, outblock.data, (keybytes - n));
 	    break;
 	}
 
-	memcpy(out+n, outblock.data, outblock.length);
+	memcpy(out + n, outblock.data, outblock.length);
 	memcpy(inblock.data, outblock.data, outblock.length);
 	n += outblock.length;
     }
 
-    /* clean memory, free resources and exit */
-
-    memset(inblockdata, 0, blocksize);
-    memset(outblockdata, 0, blocksize);
-
-    free(outblockdata);
-    free(inblockdata);
-
-    return(0);
+cleanup:
+    zapfree(inblockdata, blocksize);
+    zapfree(outblockdata, blocksize);
+    return ret;
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/crypto_length.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/crypto_length.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/crypto_length.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -29,25 +29,15 @@
 #include "aead.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_crypto_length(krb5_context context,
-		     krb5_enctype enctype,
-		     krb5_cryptotype type,
-		     unsigned int *size)
+krb5_c_crypto_length(krb5_context context, krb5_enctype enctype,
+		     krb5_cryptotype type, unsigned int *size)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
     krb5_error_code ret;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
     switch (type) {
     case KRB5_CRYPTO_TYPE_EMPTY:
@@ -63,7 +53,8 @@
     case KRB5_CRYPTO_TYPE_PADDING:
     case KRB5_CRYPTO_TYPE_TRAILER:
     case KRB5_CRYPTO_TYPE_CHECKSUM:
-	ret = ktp->aead->crypto_length(ktp->aead, ktp->enc, ktp->hash, type, size);
+	ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash,
+					  type, size);
 	break;
     default:
 	ret = EINVAL;
@@ -74,55 +65,37 @@
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_padding_length(krb5_context context,
-		      krb5_enctype enctype,
-		      size_t data_length,
-		      unsigned int *pad_length)
+krb5_c_padding_length(krb5_context context, krb5_enctype enctype,
+		      size_t data_length, unsigned int *pad_length)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
-    return krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash, data_length, pad_length);
+    return krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash,
+				    data_length, pad_length);
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_crypto_length_iov(krb5_context context,
-			 krb5_enctype enctype,
-			 krb5_crypto_iov *data,
-			 size_t num_data)
+krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype,
+			 krb5_crypto_iov *data, size_t num_data)
 {
     krb5_error_code ret = 0;
     size_t i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
     unsigned int data_length = 0, pad_length;
     krb5_crypto_iov *padding = NULL;
 
     /*
      * XXX need to rejig internal interface so we can accurately
-     * report variable header lengths
+     * report variable header lengths.
      */
 
-    for (i = 0; i < (size_t)krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
     for (i = 0; i < num_data; i++) {
 	krb5_crypto_iov *iov = &data[i];
@@ -140,7 +113,8 @@
 	case KRB5_CRYPTO_TYPE_HEADER:
 	case KRB5_CRYPTO_TYPE_TRAILER:
 	case KRB5_CRYPTO_TYPE_CHECKSUM:
-	    ret = ktp->aead->crypto_length(ktp->aead, ktp->enc, ktp->hash, iov->flags, &iov->data.length);
+	    ret = (*ktp->aead->crypto_length)(ktp->aead, ktp->enc, ktp->hash,
+					      iov->flags, &iov->data.length);
 	    break;
 	case KRB5_CRYPTO_TYPE_EMPTY:
 	case KRB5_CRYPTO_TYPE_SIGN_ONLY:
@@ -155,7 +129,8 @@
     if (ret != 0)
 	return ret;
 
-    ret = krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash, data_length, &pad_length);
+    ret = krb5int_c_padding_length(ktp->aead, ktp->enc, ktp->hash,
+				   data_length, &pad_length);
     if (ret != 0)
 	return ret;
 

Modified: branches/enc-perf/src/lib/crypto/krb/decrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/decrypt.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/decrypt.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -33,35 +33,23 @@
 	       krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_enc_data *input, krb5_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length) {
-	krb5int_set_error(&context->err, KRB5_BAD_ENCTYPE,
-			  "Bad encryption type (type %d unknown)",
-			  key->enctype);
-	return(KRB5_BAD_ENCTYPE);
-    }
+    if (input->enctype != ENCTYPE_UNKNOWN && ktp->etype != input->enctype)
+	return KRB5_BAD_ENCTYPE;
 
-    if ((input->enctype != ENCTYPE_UNKNOWN) &&
-	(krb5_enctypes_list[i].etype != input->enctype))
-	return(KRB5_BAD_ENCTYPE);
+    if (ktp->decrypt == NULL) {
+	assert(ktp->aead != NULL);
 
-    if (krb5_enctypes_list[i].decrypt == NULL) {
-	assert(krb5_enctypes_list[i].aead != NULL);
-
-	return krb5int_c_decrypt_aead_compat(krb5_enctypes_list[i].aead,
-					     krb5_enctypes_list[i].enc,
-					     krb5_enctypes_list[i].hash,
+	return krb5int_c_decrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash,
 					     key, usage, ivec,
 					     &input->ciphertext, output);
     }
 
-    return((*(krb5_enctypes_list[i].decrypt))
-	   (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    key, usage, ivec, &input->ciphertext, output));
+    return (*ktp->decrypt)(ktp->enc, ktp->hash, key, usage, ivec,
+			   &input->ciphertext, output);
 }

Modified: branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -36,26 +36,20 @@
 		   krb5_crypto_iov *data,
 		   size_t num_data)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
-    if (krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM) != NULL) {
+    if (krb5int_c_locate_iov(data, num_data,
+			     KRB5_CRYPTO_TYPE_STREAM) != NULL) {
 	return krb5int_c_iov_decrypt_stream(ktp->aead, ktp->enc, ktp->hash,
-					    key, usage, cipher_state, data, num_data);
+					    key, usage, cipher_state, data,
+					    num_data);
     }
 
-    return ktp->aead->decrypt_iov(ktp->aead, ktp->enc, ktp->hash,
-				  key, usage, cipher_state, data, num_data);
+    return (*ktp->aead->decrypt_iov)(ktp->aead, ktp->enc, ktp->hash, key,
+				     usage, cipher_state, data, num_data);
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/dk/checksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/checksum.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/dk/checksum.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -36,41 +36,35 @@
 		      const krb5_keyblock *key, krb5_keyusage usage,
 		      const krb5_data *input, krb5_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
-    size_t blocksize, keybytes, keylength;
+    size_t keylength;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data datain;
     unsigned char *kcdata;
     krb5_keyblock kc;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
+    /*
+     * key->length will be tested in enc->encrypt.
+     * output->length will be tested in krb5_hmac.
+     */
 
-    enc = krb5_enctypes_list[i].enc;
-
-    /* allocate and set to-be-derived keys */
-
-    blocksize = enc->block_size;
-    keybytes = enc->keybytes;
+    /* Allocate and set to-be-derived keys. */
     keylength = enc->keylength;
+    kcdata = malloc(keylength);
+    if (kcdata == NULL)
+	return ENOMEM;
 
-    /* key->length will be tested in enc->encrypt
-       output->length will be tested in krb5_hmac */
-
-    if ((kcdata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-
     kc.contents = kcdata;
     kc.length = keylength;
 
-    /* derive the key */
+    /* Derive the key. */
  
     datain.data = (char *) constantdata;
     datain.length = K5CLENGTH;
@@ -79,24 +73,21 @@
 
     datain.data[4] = (char) 0x99;
 
-    if ((ret = krb5_derive_key(enc, key, &kc, &datain)) != 0)
+    ret = krb5_derive_key(enc, key, &kc, &datain);
+    if (ret)
 	goto cleanup;
 
     /* hash the data */
 
     datain = *input;
 
-    if ((ret = krb5_hmac(hash, &kc, 1, &datain, output)) != 0)
+    ret = krb5_hmac(hash, &kc, 1, &datain, output);
+    if (ret)
 	memset(output->data, 0, output->length);
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kcdata, 0, keylength);
-
-    free(kcdata);
-
-    return(ret);
+    zapfree(kcdata, keylength);
+    return ret;
 }
 
 krb5_error_code
@@ -105,41 +96,36 @@
 			  const krb5_crypto_iov *data, size_t num_data,
 			  krb5_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
-    size_t blocksize, keybytes, keylength;
+    size_t keylength;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data datain;
     unsigned char *kcdata;
     krb5_keyblock kc;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
+    /*
+     * key->length will be tested in enc->encrypt.
+     * output->length will be tested in krb5_hmac.
+     */
 
-    enc = krb5_enctypes_list[i].enc;
+    /* Allocate and set to-be-derived keys. */
 
-    /* allocate and set to-be-derived keys */
-
-    blocksize = enc->block_size;
-    keybytes = enc->keybytes;
     keylength = enc->keylength;
+    kcdata = malloc(keylength);
+    if (kcdata == NULL)
+	return ENOMEM;
 
-    /* key->length will be tested in enc->encrypt
-       output->length will be tested in krb5_hmac */
-
-    if ((kcdata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-
     kc.contents = kcdata;
     kc.length = keylength;
 
-    /* derive the key */
+    /* Derive the key. */
  
     datain.data = (char *) constantdata;
     datain.length = K5CLENGTH;
@@ -148,21 +134,19 @@
 
     datain.data[4] = (char) 0x99;
 
-    if ((ret = krb5_derive_key(enc, key, &kc, &datain)) != 0)
+    ret = krb5_derive_key(enc, key, &kc, &datain);
+    if (ret)
 	goto cleanup;
 
-    /* hash the data */
+    /* Hash the data. */
 
-    if ((ret = krb5int_hmac_iov(hash, &kc, data, num_data, output)) != 0)
+    ret = krb5int_hmac_iov(hash, &kc, data, num_data, output);
+    if (ret)
 	memset(output->data, 0, output->length);
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kcdata, 0, keylength);
+    zapfree(kcdata, keylength);
 
-    free(kcdata);
-
     return(ret);
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/dk/derive.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/derive.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/dk/derive.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -32,41 +32,35 @@
 		const krb5_keyblock *inkey, krb5_keyblock *outkey,
 		const krb5_data *in_constant)
 {
-    size_t blocksize, keybytes, keylength, n;
-    unsigned char *inblockdata, *outblockdata, *rawkey;
+    size_t blocksize, keybytes, n;
+    unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
     krb5_data inblock, outblock;
+    krb5_error_code ret;
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
-    keylength = enc->keylength;
 
-    if ((inkey->length != keylength) ||
-	(outkey->length != keylength))
-	return(KRB5_CRYPTO_INTERNAL);
+    if (inkey->length != enc->keylength || outkey->length != enc->keylength)
+	return KRB5_CRYPTO_INTERNAL;
 
-    /* allocate and set up buffers */
+    /* Allocate and set up buffers. */
+    inblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    outblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    rawkey = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((inblockdata = (unsigned char *) malloc(blocksize)) == NULL)
-	return(ENOMEM);
-
-    if ((outblockdata = (unsigned char *) malloc(blocksize)) == NULL) {
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
-    if ((rawkey = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(outblockdata);
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
     inblock.data = (char *) inblockdata;
     inblock.length = blocksize;
 
     outblock.data = (char *) outblockdata;
     outblock.length = blocksize;
 
-    /* initialize the input block */
+    /* Initialize the input block. */
 
     if (in_constant->length == inblock.length) {
 	memcpy(inblock.data, in_constant->data, inblock.length);
@@ -75,14 +69,16 @@
 		   inblock.length*8, (unsigned char *) inblock.data);
     }
 
-    /* loop encrypting the blocks until enough key bytes are generated */
+    /* Loop encrypting the blocks until enough key bytes are generated */
 
     n = 0;
     while (n < keybytes) {
-	(*(enc->encrypt))(inkey, 0, &inblock, &outblock);
+	ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+	if (ret)
+	    goto cleanup;
 
 	if ((keybytes - n) <= outblock.length) {
-	    memcpy(rawkey+n, outblock.data, (keybytes - n));
+	    memcpy(rawkey + n, outblock.data, (keybytes - n));
 	    break;
 	}
 
@@ -96,19 +92,15 @@
     inblock.data = (char *) rawkey;
     inblock.length = keybytes;
 
-    (*(enc->make_key))(&inblock, outkey);
+    ret = (*enc->make_key)(&inblock, outkey);
+    if (ret)
+	goto cleanup;
 
-    /* clean memory, free resources and exit */
-
-    memset(inblockdata, 0, blocksize);
-    memset(outblockdata, 0, blocksize);
-    memset(rawkey, 0, keybytes);
-
-    free(rawkey);
-    free(outblockdata);
-    free(inblockdata);
-
-    return(0);
+cleanup:
+    zapfree(inblockdata, blocksize);
+    zapfree(outblockdata, blocksize);
+    zapfree(rawkey, keybytes);
+    return ret;
 }
 
 
@@ -117,42 +109,36 @@
 		   const krb5_keyblock *inkey, krb5_data *outrnd,
 		   const krb5_data *in_constant)
 {
-    size_t blocksize, keybytes, keylength, n;
-    unsigned char *inblockdata, *outblockdata, *rawkey;
+    size_t blocksize, keybytes, n;
+    unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
     krb5_data inblock, outblock;
+    krb5_error_code ret;
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
-    keylength = enc->keylength;
 
-    if ((inkey->length != keylength) ||
-	(outrnd->length != keybytes))
-	return(KRB5_CRYPTO_INTERNAL);
+    if (inkey->length != enc->keylength || outrnd->length != keybytes)
+	return KRB5_CRYPTO_INTERNAL;
 
-    /* allocate and set up buffers */
+    /* Allocate and set up buffers. */
 
-    if ((inblockdata = (unsigned char *) malloc(blocksize)) == NULL)
-	return(ENOMEM);
+    inblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    outblockdata = k5alloc(blocksize, &ret);
+    if (ret)
+	goto cleanup;
+    rawkey = k5alloc(keybytes, &ret);
+    if (ret)
+	goto cleanup;
 
-    if ((outblockdata = (unsigned char *) malloc(blocksize)) == NULL) {
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
-    if ((rawkey = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(outblockdata);
-	free(inblockdata);
-	return(ENOMEM);
-    }
-
     inblock.data = (char *) inblockdata;
     inblock.length = blocksize;
 
     outblock.data = (char *) outblockdata;
     outblock.length = blocksize;
 
-    /* initialize the input block */
-
+    /* Initialize the input block. */
     if (in_constant->length == inblock.length) {
 	memcpy(inblock.data, in_constant->data, inblock.length);
     } else {
@@ -160,14 +146,15 @@
 		   inblock.length*8, (unsigned char *) inblock.data);
     }
 
-    /* loop encrypting the blocks until enough key bytes are generated */
-
+    /* Loop encrypting the blocks until enough key bytes are generated. */
     n = 0;
     while (n < keybytes) {
-	(*(enc->encrypt))(inkey, 0, &inblock, &outblock);
+	ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+	if (ret)
+	    goto cleanup;
 
 	if ((keybytes - n) <= outblock.length) {
-	    memcpy(rawkey+n, outblock.data, (keybytes - n));
+	    memcpy(rawkey + n, outblock.data, (keybytes - n));
 	    break;
 	}
 
@@ -176,42 +163,12 @@
 	n += outblock.length;
     }
 
-    /* postprocess the key */
+    /* Postprocess the key. */
+    memcpy(outrnd->data, rawkey, keybytes);
 
-    memcpy (outrnd->data, rawkey, keybytes);
-
-    /* clean memory, free resources and exit */
-
-    memset(inblockdata, 0, blocksize);
-    memset(outblockdata, 0, blocksize);
-    memset(rawkey, 0, keybytes);
-
-    free(rawkey);
-    free(outblockdata);
-    free(inblockdata);
-
-    return(0);
+cleanup:
+    zapfree(inblockdata, blocksize);
+    zapfree(outblockdata, blocksize);
+    zapfree(rawkey, keybytes);
+    return ret;
 }
-
-#if 0
-#include "etypes.h"
-void
-krb5_random2key (krb5_enctype enctype, krb5_data *inblock,
-		 krb5_keyblock *outkey)
-{
-    int i;
-    const struct krb5_enc_provider *enc;
-
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	abort ();
-
-    enc = krb5_enctypes_list[i].enc;
-
-    enc->make_key (inblock, outkey);
-}
-#endif

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk.h	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk.h	2009-10-03 21:02:44 UTC (rev 22842)
@@ -26,64 +26,64 @@
 
 #include "k5-int.h"
 
-void krb5_dk_encrypt_length
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		size_t input, size_t *length);
+void krb5_dk_encrypt_length(const struct krb5_enc_provider *enc,
+			    const struct krb5_hash_provider *hash,
+			    size_t input, size_t *length);
 
-krb5_error_code krb5_dk_encrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec,
-		const krb5_data *input, krb5_data *output);
+krb5_error_code krb5_dk_encrypt(const struct krb5_enc_provider *enc,
+				const struct krb5_hash_provider *hash,
+				const krb5_keyblock *key, krb5_keyusage usage,
+				const krb5_data *ivec,
+				const krb5_data *input, krb5_data *output);
 
-void krb5int_aes_encrypt_length
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		size_t input, size_t *length);
+void krb5int_aes_encrypt_length(const struct krb5_enc_provider *enc,
+				const struct krb5_hash_provider *hash,
+				size_t input, size_t *length);
 
-krb5_error_code krb5int_aes_dk_encrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec,
-		const krb5_data *input, krb5_data *output);
+krb5_error_code krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
+				       const struct krb5_hash_provider *hash,
+				       const krb5_keyblock *key,
+				       krb5_keyusage usage,
+				       const krb5_data *ivec,
+				       const krb5_data *input,
+				       krb5_data *output);
 
-krb5_error_code krb5_dk_decrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);
+krb5_error_code krb5_dk_decrypt(const struct krb5_enc_provider *enc,
+				const struct krb5_hash_provider *hash,
+				const krb5_keyblock *key, krb5_keyusage usage,
+				const krb5_data *ivec, const krb5_data *input,
+				krb5_data *arg_output);
 
-krb5_error_code krb5int_aes_dk_decrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);
+krb5_error_code krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
+				       const struct krb5_hash_provider *hash,
+				       const krb5_keyblock *key,
+				       krb5_keyusage usage,
+				       const krb5_data *ivec,
+				       const krb5_data *input,
+				       krb5_data *arg_output);
 
-krb5_error_code krb5int_dk_string_to_key
-(const struct krb5_enc_provider *enc, 
-		const krb5_data *string, const krb5_data *salt,
-		const krb5_data *params, krb5_keyblock *key);
+krb5_error_code krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
+					 const krb5_data *string,
+					 const krb5_data *salt,
+					 const krb5_data *params,
+					 krb5_keyblock *key);
 
-krb5_error_code krb5_derive_key
-(const struct krb5_enc_provider *enc,
-		const krb5_keyblock *inkey,
-		krb5_keyblock *outkey, const krb5_data *in_constant);
+krb5_error_code krb5_derive_key(const struct krb5_enc_provider *enc,
+				const krb5_keyblock *inkey,
+				krb5_keyblock *outkey,
+				const krb5_data *in_constant);
 
-krb5_error_code krb5_dk_make_checksum
-(const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *input, krb5_data *output);
+krb5_error_code krb5_dk_make_checksum(const struct krb5_hash_provider *hash,
+				      const krb5_keyblock *key,
+				      krb5_keyusage usage,
+				      const krb5_data *input,
+				      krb5_data *output);
 
 krb5_error_code
 krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
-		          const krb5_keyblock *key, krb5_keyusage usage,
-			  const krb5_crypto_iov *data, size_t num_data,
-			  krb5_data *output);
+			     const krb5_keyblock *key, krb5_keyusage usage,
+			     const krb5_crypto_iov *data, size_t num_data,
+			     krb5_data *output);
 
 krb5_error_code
 krb5_derive_random(const struct krb5_enc_provider *enc,
@@ -94,26 +94,3 @@
 
 extern const struct krb5_aead_provider krb5int_aead_dk;
 extern const struct krb5_aead_provider krb5int_aead_aes;
-
-/* CCM */
-
-void
-krb5int_ccm_encrypt_length(const struct krb5_enc_provider *enc,
-			   const struct krb5_hash_provider *hash,
-			   size_t inputlen, size_t *length);
-
-extern const struct krb5_aead_provider krb5int_aead_ccm;
-
-krb5_error_code krb5int_ccm_encrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);
-
-krb5_error_code krb5int_ccm_decrypt
-(const struct krb5_enc_provider *enc,
-		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
-		const krb5_data *ivec, const krb5_data *input,
-		krb5_data *arg_output);

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -8,7 +8,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- * 
+ *
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -84,11 +84,13 @@
 
     /* E(Confounder | Plaintext | Pad) | Checksum */
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+			      &blocksize);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &hmacsize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+			      &hmacsize);
     if (ret != 0)
 	return ret;
 
@@ -110,7 +112,7 @@
 	return KRB5_BAD_MSIZE;
 
     if (blocksize != 0) {
-	/* Check that the input data is correctly padded */
+	/* Check that the input data is correctly padded. */
 	if (plainlen % blocksize)
 	    padsize = blocksize - (plainlen % blocksize);
     }
@@ -125,24 +127,18 @@
     }
 
     ke.length = enc->keylength;
-    ke.contents = malloc(ke.length);
-    if (ke.contents == NULL) {
-	ret = ENOMEM;
+    ke.contents = k5alloc(ke.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
     ki.length = enc->keylength;
-    ki.contents = malloc(ki.length);
-    if (ki.contents == NULL) {
-	ret = ENOMEM;
+    ki.contents = k5alloc(ki.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
-    cksum = (unsigned char *)malloc(hash->hashsize);
-    if (cksum == NULL) {
-	ret = ENOMEM;
+    cksum = k5alloc(hash->hashsize, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *)constantdata;
     d1.length = K5CLENGTH;
@@ -161,7 +157,7 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* generate confounder */
+    /* Generate confounder. */
 
     header->data.length = enc->block_size;
 
@@ -169,7 +165,7 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* hash the plaintext */
+    /* Hash the plaintext. */
     d2.length = hash->hashsize;
     d2.data = (char *)cksum;
 
@@ -177,32 +173,23 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* encrypt the plaintext (header | data | padding) */
+    /* Encrypt the plaintext (header | data | padding) */
     assert(enc->encrypt_iov != NULL);
 
-    ret = enc->encrypt_iov(&ke, ivec, data, num_data); /* will update ivec */
+    ret = (*enc->encrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
     if (ret != 0)
 	goto cleanup;
 
-    /* possibly truncate the hash */
+    /* Possibly truncate the hash */
     assert(hmacsize <= d2.length);
 
     memcpy(trailer->data.data, cksum, hmacsize);
     trailer->data.length = hmacsize;
 
 cleanup:
-    if (ke.contents != NULL) {
-	memset(ke.contents, 0, ke.length);
-	free(ke.contents);
-    }
-    if (ki.contents != NULL) {
-	memset(ki.contents, 0, ki.length);
-	free(ki.contents);
-    }
-    if (cksum != NULL) {
-	free(cksum);
-    }
-
+    zapfree(ke.contents, ke.length);
+    zapfree(ki.contents, ki.length);
+    free(cksum);
     return ret;
 }
 
@@ -222,12 +209,13 @@
     krb5_crypto_iov *header, *trailer;
     krb5_keyblock ke, ki;
     size_t i;
-    unsigned int blocksize = 0; /* careful, this is enc block size not confounder len */
+    unsigned int blocksize = 0; /* enc block size, not confounder len */
     unsigned int cipherlen = 0;
     unsigned int hmacsize = 0;
     unsigned char *cksum = NULL;
 
-    if (krb5int_c_locate_iov(data, num_data, KRB5_CRYPTO_TYPE_STREAM) != NULL) {
+    if (krb5int_c_locate_iov(data, num_data,
+			     KRB5_CRYPTO_TYPE_STREAM) != NULL) {
 	return krb5int_c_iov_decrypt_stream(aead, enc, hash, key,
 					    usage, ivec, data, num_data);
     }
@@ -237,11 +225,13 @@
 
     /* E(Confounder | Plaintext | Pad) | Checksum */
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING, &blocksize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
+			      &blocksize);
     if (ret != 0)
 	return ret;
 
-    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER, &hmacsize);
+    ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_TRAILER,
+			      &hmacsize);
     if (ret != 0)
 	return ret;
 
@@ -273,24 +263,18 @@
 	return KRB5_BAD_MSIZE;
 
     ke.length = enc->keylength;
-    ke.contents = malloc(ke.length);
-    if (ke.contents == NULL) {
-	ret = ENOMEM;
+    ke.contents = k5alloc(ke.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
     ki.length = enc->keylength;
-    ki.contents = malloc(ki.length);
-    if (ki.contents == NULL) {
-	ret = ENOMEM;
+    ki.contents = k5alloc(ki.length, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
-    cksum = (unsigned char *)malloc(hash->hashsize);
-    if (cksum == NULL) {
-	ret = ENOMEM;
+    cksum = k5alloc(hash->hashsize, &ret);
+    if (ret != 0)
 	goto cleanup;
-    }
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *)constantdata;
     d1.length = K5CLENGTH;
@@ -309,14 +293,14 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* decrypt the plaintext (header | data | padding) */
+    /* Decrypt the plaintext (header | data | padding). */
     assert(enc->decrypt_iov != NULL);
 
-    ret = enc->decrypt_iov(&ke, ivec, data, num_data); /* will update ivec */
+    ret = (*enc->decrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
     if (ret != 0)
 	goto cleanup;
 
-    /* verify the hash */
+    /* Verify the hash. */
     d1.length = hash->hashsize; /* non-truncated length */
     d1.data = (char *)cksum;
 
@@ -324,24 +308,16 @@
     if (ret != 0)
 	goto cleanup;
 
-    /* compare only the possibly truncated length */
+    /* Compare only the possibly truncated length. */
     if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
 	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	goto cleanup;
     }
 
 cleanup:
-    if (ke.contents != NULL) {
-	memset(ke.contents, 0, ke.length);
-	free(ke.contents);
-    }
-    if (ki.contents != NULL) {
-	memset(ki.contents, 0, ki.length);
-	free(ki.contents);
-    }
-    if (cksum != NULL) {
-	free(cksum);
-    }
+    zapfree(ke.contents, ke.length);
+    zapfree(ki.contents, ki.length);
+    free(cksum);
 
     return ret;
 }
@@ -383,4 +359,3 @@
     krb5int_dk_encrypt_iov,
     krb5int_dk_decrypt_iov
 };
-

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -71,17 +71,15 @@
 				 int ivec_mode)
 {
     krb5_error_code ret;
-    size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
-    unsigned char *plaindata, *kedata, *kidata, *cksum, *cn;
+    size_t hashsize, blocksize, keylength, enclen, plainlen;
+    unsigned char *plaindata = NULL, *kedata = NULL, *kidata = NULL;
+    unsigned char *cksum = NULL, *cn;
     krb5_keyblock ke, ki;
     krb5_data d1, d2;
     unsigned char constantdata[K5CLENGTH];
 
-    /* allocate and set up ciphertext and to-be-derived keys */
-
     hashsize = hash->hashsize;
     blocksize = enc->block_size;
-    keybytes = enc->keybytes;
     keylength = enc->keylength;
 
     if (hmacsize == 0)
@@ -91,30 +89,26 @@
 
     enclen = input->length - hmacsize;
 
-    if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-    if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((plaindata = (unsigned char *) malloc(enclen)) == NULL) {
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((cksum = (unsigned char *) malloc(hashsize)) == NULL) {
-	free(plaindata);
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
+    /* Allocate and set up ciphertext and to-be-derived keys. */
+    kedata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    kidata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    plaindata = k5alloc(enclen, &ret);
+    if (ret != 0)
+	goto cleanup;
+    cksum = k5alloc(hashsize, &ret);
+    if (ret != 0)
+	goto cleanup;
 
     ke.contents = kedata;
     ke.length = keylength;
     ki.contents = kidata;
     ki.length = keylength;
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
@@ -123,12 +117,14 @@
 
     d1.data[4] = (char) 0xAA;
 
-    if ((ret = krb5_derive_key(enc, key, &ke, &d1)) != 0)
+    ret = krb5_derive_key(enc, key, &ke, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     d1.data[4] = 0x55;
 
-    if ((ret = krb5_derive_key(enc, key, &ki, &d1)) != 0)
+    ret = krb5_derive_key(enc, key, &ki, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     /* decrypt the ciphertext */
@@ -139,7 +135,8 @@
     d2.length = enclen;
     d2.data = (char *) plaindata;
 
-    if ((ret = ((*(enc->decrypt))(&ke, ivec, &d1, &d2))) != 0)
+    ret = (*enc->decrypt)(&ke, ivec, &d1, &d2);
+    if (ret != 0)
 	goto cleanup;
 
     if (ivec != NULL && ivec->length == blocksize) {
@@ -147,18 +144,19 @@
 	    cn = (unsigned char *) d1.data + d1.length - blocksize;
 	else if (ivec_mode == 1) {
 	    int nblocks = (d1.length + blocksize - 1) / blocksize;
-	    cn = d1.data + blocksize * (nblocks - 2);
+	    cn = (unsigned char *) d1.data + blocksize * (nblocks - 2);
 	} else
 	    abort();
     } else
 	cn = NULL;
 
-    /* verify the hash */
+    /* Verify the hash. */
 
     d1.length = hashsize;
     d1.data = (char *) cksum;
 
-    if ((ret = krb5_hmac(hash, &ki, 1, &d2, &d1)) != 0)
+    ret = krb5_hmac(hash, &ki, 1, &d2, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     if (memcmp(cksum, input->data+enclen, hmacsize) != 0) {
@@ -166,14 +164,16 @@
 	goto cleanup;
     }
 
-    /* because this encoding isn't self-describing wrt length, the
-       best we can do here is to compute the length minus the
-       confounder. */
+    /*
+     * Because this encoding isn't self-describing wrt length, the
+     * best we can do here is to compute the length minus the
+     * confounder.
+     */
 
     plainlen = enclen - blocksize;
 
     if (output->length < plainlen)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
     output->length = plainlen;
 
@@ -182,19 +182,10 @@
     if (cn != NULL)
 	memcpy(ivec->data, cn, blocksize);
 
-    ret = 0;
-
 cleanup:
-    memset(kedata, 0, keylength);
-    memset(kidata, 0, keylength);
-    memset(plaindata, 0, enclen);
-    memset(cksum, 0, hashsize);
-
-    free(cksum);
-    free(plaindata);
-    free(kidata);
-    free(kedata);
-
-    return(ret);
+    zapfree(kedata, keylength);
+    zapfree(kidata, keylength);
+    zapfree(plaindata, enclen);
+    zapfree(cksum, hashsize);
+    return ret;
 }
-

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -29,12 +29,14 @@
 
 #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */
 
-/* the spec says that the confounder size and padding are specific to
-   the encryption algorithm.  This code (dk_encrypt_length and
-   dk_encrypt) assume the confounder is always the blocksize, and the
-   padding is always zero bytes up to the blocksize.  If these
-   assumptions ever fails, the keytype table should be extended to
-   include these bits of info. */
+/*
+ * The spec says that the confounder size and padding are specific to
+ * the encryption algorithm.  This code (dk_encrypt_length and
+ * dk_encrypt) assume the confounder is always the blocksize, and the
+ * padding is always zero bytes up to the blocksize.  If these
+ * assumptions ever fails, the keytype table should be extended to
+ * include these bits of info.
+ */
 
 void
 krb5_dk_encrypt_length(const struct krb5_enc_provider *enc,
@@ -45,7 +47,7 @@
 
     blocksize = enc->block_size;
     hashsize = hash->hashsize;
-    *length = krb5_roundup(blocksize+inputlen, blocksize) + hashsize;
+    *length = krb5_roundup(blocksize + inputlen, blocksize) + hashsize;
 }
 
 krb5_error_code
@@ -55,46 +57,43 @@
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *output)
 {
-    size_t blocksize, keybytes, keylength, plainlen, enclen;
+    size_t blocksize, keylength, plainlen, enclen;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1, d2;
-    unsigned char *plaintext, *kedata, *kidata;
+    unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
     char *cn;
     krb5_keyblock ke, ki;
 
-    /* allocate and set up plaintext and to-be-derived keys */
-
     blocksize = enc->block_size;
-    keybytes = enc->keybytes;
     keylength = enc->keylength;
-    plainlen = krb5_roundup(blocksize+input->length, blocksize);
+    plainlen = krb5_roundup(blocksize + input->length, blocksize);
 
     krb5_dk_encrypt_length(enc, hash, input->length, &enclen);
 
-    /* key->length, ivec will be tested in enc->encrypt */
+    /* key->length, ivec will be tested in enc->encrypt. */
 
     if (output->length < enclen)
 	return(KRB5_BAD_MSIZE);
 
-    if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-    if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) {
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
+    /* Allocate and set up plaintext and to-be-derived keys. */
 
+    kedata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    kidata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    plaintext = k5alloc(plainlen, &ret);
+    if (ret != 0)
+	goto cleanup;
+
     ke.contents = kedata;
     ke.length = keylength;
     ki.contents = kidata;
     ki.length = keylength;
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
@@ -103,28 +102,31 @@
 
     d1.data[4] = (char) 0xAA;
 
-    if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
+    ret = krb5_derive_key(enc, key, &ke, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     d1.data[4] = 0x55;
 
-    if ((ret = krb5_derive_key(enc, key, &ki, &d1)))
+    ret = krb5_derive_key(enc, key, &ki, &d1);
+    if (ret != 0)
 	goto cleanup;
 
-    /* put together the plaintext */
+    /* Put together the plaintext. */
 
     d1.length = blocksize;
     d1.data = (char *) plaintext;
 
-    if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
+    ret = krb5_c_random_make_octets(/* XXX */ 0, &d1);
+    if (ret != 0)
 	goto cleanup;
 
-    memcpy(plaintext+blocksize, input->data, input->length);
+    memcpy(plaintext + blocksize, input->data, input->length);
 
-    memset(plaintext+blocksize+input->length, 0,
-	   plainlen - (blocksize+input->length));
+    memset(plaintext + blocksize + input->length, 0,
+	   plainlen - (blocksize + input->length));
 
-    /* encrypt the plaintext */
+    /* Encrypt the plaintext. */
 
     d1.length = plainlen;
     d1.data = (char *) plaintext;
@@ -132,7 +134,8 @@
     d2.length = plainlen;
     d2.data = output->data;
 
-    if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
+    ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+    if (ret != 0)
 	goto cleanup;
 
     if (ivec != NULL && ivec->length == blocksize)
@@ -140,34 +143,28 @@
     else
 	cn = NULL;
 
-    /* hash the plaintext */
+    /* Hash the plaintext. */
 
     d2.length = enclen - plainlen;
     d2.data = output->data+plainlen;
 
     output->length = enclen;
 
-    if ((ret = krb5_hmac(hash, &ki, 1, &d1, &d2))) {
+    ret = krb5_hmac(hash, &ki, 1, &d1, &d2);
+    if (ret != 0) {
 	memset(d2.data, 0, d2.length);
 	goto cleanup;
     }
 
-    /* update ivec */
+    /* Update ivec. */
     if (cn != NULL)
 	memcpy(ivec->data, cn, blocksize);
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kedata, 0, keylength);
-    memset(kidata, 0, keylength);
-    memset(plaintext, 0, plainlen);
-
-    free(plaintext);
-    free(kidata);
-    free(kedata);
-
-    return(ret);
+    zapfree(kedata, keylength);
+    zapfree(kidata, keylength);
+    zapfree(plaintext, plainlen);
+    return ret;
 }
 
 /* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher
@@ -222,7 +219,7 @@
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1, d2;
-    unsigned char *plaintext, *kedata, *kidata;
+    unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
     char *cn;
     krb5_keyblock ke, ki;
 
@@ -238,26 +235,24 @@
     /* key->length, ivec will be tested in enc->encrypt */
 
     if (output->length < enclen)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
-    if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-    if ((kidata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(kedata);
-	return(ENOMEM);
-    }
-    if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) {
-	free(kidata);
-	free(kedata);
-	return(ENOMEM);
-    }
+    kedata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    kidata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
+    plaintext = k5alloc(plainlen, &ret);
+    if (ret != 0)
+	goto cleanup;
 
     ke.contents = kedata;
     ke.length = keylength;
     ki.contents = kidata;
     ki.length = keylength;
 
-    /* derive the keys */
+    /* Derive the keys. */
 
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
@@ -266,12 +261,14 @@
 
     d1.data[4] = (char) 0xAA;
 
-    if ((ret = krb5_derive_key(enc, key, &ke, &d1)))
+    ret = krb5_derive_key(enc, key, &ke, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     d1.data[4] = 0x55;
 
-    if ((ret = krb5_derive_key(enc, key, &ki, &d1)))
+    ret = krb5_derive_key(enc, key, &ki, &d1);
+    if (ret != 0)
 	goto cleanup;
 
     /* put together the plaintext */
@@ -279,16 +276,17 @@
     d1.length = blocksize;
     d1.data = (char *) plaintext;
 
-    if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
+    ret = krb5_c_random_make_octets(NULL, &d1);
+    if (ret != 0)
 	goto cleanup;
 
-    memcpy(plaintext+blocksize, input->data, input->length);
+    memcpy(plaintext + blocksize, input->data, input->length);
 
     /* Ciphertext stealing; there should be no more.  */
     if (plainlen != blocksize + input->length)
 	abort();
 
-    /* encrypt the plaintext */
+    /* Encrypt the plaintext. */
 
     d1.length = plainlen;
     d1.data = (char *) plaintext;
@@ -296,7 +294,8 @@
     d2.length = plainlen;
     d2.data = output->data;
 
-    if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
+    ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+    if (ret != 0)
 	goto cleanup;
 
     if (ivec != NULL && ivec->length == blocksize) {
@@ -305,54 +304,29 @@
     } else
 	cn = NULL;
 
-    /* hash the plaintext */
+    /* Hash the plaintext. */
 
     d2.length = enclen - plainlen;
     d2.data = output->data+plainlen;
     if (d2.length != 96 / 8)
 	abort();
 
-    if ((ret = trunc_hmac(hash, &ki, 1, &d1, &d2))) {
+    ret = trunc_hmac(hash, &ki, 1, &d1, &d2);
+    if (ret != 0) {
 	memset(d2.data, 0, d2.length);
 	goto cleanup;
     }
 
     output->length = enclen;
 
-    /* update ivec */
-    if (cn != NULL) {
+    /* Update ivec. */
+    if (cn != NULL)
 	memcpy(ivec->data, cn, blocksize);
-#if 0
-	{
-	    int i;
-	    printf("\n%s: output:", __func__);
-	    for (i = 0; i < output->length; i++) {
-		if (i % 16 == 0)
-		    printf("\n%s: ", __func__);
-		printf(" %02x", i[(unsigned char *)output->data]);
-	    }
-	    printf("\n%s: outputIV:", __func__);
-	    for (i = 0; i < ivec->length; i++) {
-		if (i % 16 == 0)
-		    printf("\n%s: ", __func__);
-		printf(" %02x", i[(unsigned char *)ivec->data]);
-	    }
-	    printf("\n");  fflush(stdout);
-	}
-#endif
-    }
 
-    /* ret is set correctly by the prior call */
-
 cleanup:
-    memset(kedata, 0, keylength);
-    memset(kidata, 0, keylength);
-    memset(plaintext, 0, plainlen);
-
-    free(plaintext);
-    free(kidata);
-    free(kedata);
-
-    return(ret);
+    zapfree(kedata, keylength);
+    zapfree(kidata, keylength);
+    zapfree(plaintext, plainlen);
+    return ret;
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -36,34 +36,32 @@
 {
     krb5_error_code ret;
     size_t keybytes, keylength, concatlen;
-    unsigned char *concat, *foldstring, *foldkeydata;
+    unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
     krb5_data indata;
     krb5_keyblock foldkey;
 
-    /* key->length is checked by krb5_derive_key */
+    /* key->length is checked by krb5_derive_key. */
 
     keybytes = enc->keybytes;
     keylength = enc->keylength;
 
-    concatlen = string->length+(salt?salt->length:0);
+    concatlen = string->length + (salt ? salt->length : 0);
 
-    if ((concat = (unsigned char *) malloc(concatlen)) == NULL)
-	return(ENOMEM);
-    if ((foldstring = (unsigned char *) malloc(keybytes)) == NULL) {
-	free(concat);
-	return(ENOMEM);
-    }
-    if ((foldkeydata = (unsigned char *) malloc(keylength)) == NULL) {
-	free(foldstring);
-	free(concat);
-	return(ENOMEM);
-    }
+    concat = k5alloc(concatlen, &ret);
+    if (ret != 0)
+	goto cleanup;
+    foldstring = k5alloc(keybytes, &ret);
+    if (ret != 0)
+	goto cleanup;
+    foldkeydata = k5alloc(keylength, &ret);
+    if (ret != 0)
+	goto cleanup;
 
     /* construct input string ( = string + salt), fold it, make_key it */
 
     memcpy(concat, string->data, string->length);
     if (salt)
-	memcpy(concat+string->length, salt->data, salt->length);
+	memcpy(concat + string->length, salt->data, salt->length);
 
     krb5_nfold(concatlen*8, concat, keybytes*8, foldstring);
 
@@ -72,25 +70,22 @@
     foldkey.length = keylength;
     foldkey.contents = foldkeydata;
 
-    (*(enc->make_key))(&indata, &foldkey);
+    ret = (*enc->make_key)(&indata, &foldkey);
+    if (ret != 0)
+	goto cleanup;
 
     /* now derive the key from this one */
 
     indata.length = kerberos_len;
     indata.data = (char *) kerberos;
 
-    if ((ret = krb5_derive_key(enc, &foldkey, key, &indata)))
+    ret = krb5_derive_key(enc, &foldkey, key, &indata);
+    if (ret != 0)
 	memset(key->contents, 0, key->length);
 
-    /* ret is set correctly by the prior call */
-
-    memset(concat, 0, concatlen);
-    memset(foldstring, 0, keybytes);
-    memset(foldkeydata, 0, keylength);
-
-    free(foldkeydata);
-    free(foldstring);
-    free(concat);
-
-    return(ret);
+cleanup:
+    zapfree(concat, concatlen);
+    zapfree(foldstring, keybytes);
+    zapfree(foldkeydata, keylength);
+    return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/encrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/encrypt.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/encrypt.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -33,31 +33,24 @@
 	       krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_data *input, krb5_enc_data *output)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
     output->magic = KV5M_ENC_DATA;
     output->kvno = 0;
     output->enctype = key->enctype;
 
-    if (krb5_enctypes_list[i].encrypt == NULL) {
-	assert(krb5_enctypes_list[i].aead != NULL);
+    if (ktp->encrypt == NULL) {
+	assert(ktp->aead != NULL);
 
-	return krb5int_c_encrypt_aead_compat(krb5_enctypes_list[i].aead,
-					     krb5_enctypes_list[i].enc,
-					     krb5_enctypes_list[i].hash,
-					     key, usage, ivec,
-					     input, &output->ciphertext);
+	return krb5int_c_encrypt_aead_compat(ktp->aead, ktp->enc, ktp->hash,
+					     key, usage, ivec, input,
+					     &output->ciphertext);
     }
 
-    return((*(krb5_enctypes_list[i].encrypt))
-	   (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    key, usage, ivec, input, &output->ciphertext));
+    return (*ktp->encrypt)(ktp->enc, ktp->hash, key, usage, ivec, input,
+			   &output->ciphertext);
 }

Modified: branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -35,21 +35,13 @@
 		   krb5_crypto_iov *data,
 		   size_t num_data)
 {
-    int i;
-    const struct krb5_keytypes *ktp = NULL;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype) {
-	    ktp = &krb5_enctypes_list[i];
-	    break;
-	}
-    }
-
-    if (ktp == NULL || ktp->aead == NULL) {
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
-    }
 
-    return ktp->aead->encrypt_iov(ktp->aead, ktp->enc, ktp->hash,
-				  key, usage, cipher_state, data, num_data);
+    return (*ktp->aead->encrypt_iov)(ktp->aead, ktp->enc, ktp->hash,
+				     key, usage, cipher_state, data, num_data);
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/encrypt_length.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/encrypt_length.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/encrypt_length.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -32,28 +32,20 @@
 krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype,
 		      size_t inputlen, size_t *length)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
+    if (ktp->encrypt_len == NULL) {
+	assert(ktp->aead != NULL);
 
-    if (krb5_enctypes_list[i].encrypt_len == NULL) {
-	assert(krb5_enctypes_list[i].aead != NULL);
-
-	krb5int_c_encrypt_length_aead_compat(krb5_enctypes_list[i].aead,
-					     krb5_enctypes_list[i].enc,
-					     krb5_enctypes_list[i].hash,
+	krb5int_c_encrypt_length_aead_compat(ktp->aead, ktp->enc, ktp->hash,
 					     inputlen, length);
     } else {
-	(*(krb5_enctypes_list[i].encrypt_len))
-	    (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    inputlen, length);
+	(*ktp->encrypt_len)(ktp->enc, ktp->hash, inputlen, length);
     }
 
-    return(0);
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/enctype_compare.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/enctype_compare.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/enctype_compare.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -31,25 +31,13 @@
 krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2,
 		       krb5_boolean *similar)
 {
-    int i, j;
+    const struct krb5_keytypes *ktp1, *ktp2;
 
-    for (i=0; i<krb5_enctypes_length; i++) 
-	if (krb5_enctypes_list[i].etype == e1)
-	    break;
+    ktp1 = find_enctype(e1);
+    ktp2 = find_enctype(e2);
+    if (ktp1 == NULL || ktp2 == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    for (j=0; j<krb5_enctypes_length; j++) 
-	if (krb5_enctypes_list[j].etype == e2)
-	    break;
-
-    if (j == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    *similar = 
-	((krb5_enctypes_list[i].enc == krb5_enctypes_list[j].enc) &&
-	 (krb5_enctypes_list[i].str2key == krb5_enctypes_list[j].str2key));
-
-    return(0);
+    *similar = (ktp1->enc == ktp2->enc && ktp1->str2key == ktp2->str2key);
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/enctype_to_string.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/enctype_to_string.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/enctype_to_string.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -30,16 +30,12 @@
 krb5_error_code KRB5_CALLCONV
 krb5_enctype_to_string(krb5_enctype enctype, char *buffer, size_t buflen)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype) {
-	    if (strlcpy(buffer, krb5_enctypes_list[i].out_string,
-			buflen) >= buflen)
-		return(ENOMEM);
-	    return(0);
-	}
-    }
-
-    return(EINVAL);
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return EINVAL;
+    if (strlcpy(buffer, ktp->out_string, buflen) >= buflen)
+	return ENOMEM;
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/etypes.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/etypes.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/etypes.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -167,4 +167,4 @@
 };
 
 const int krb5_enctypes_length =
-sizeof(krb5_enctypes_list)/sizeof(struct krb5_keytypes);
+    sizeof(krb5_enctypes_list) / sizeof(struct krb5_keytypes);

Modified: branches/enc-perf/src/lib/crypto/krb/etypes.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/etypes.h	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/etypes.h	2009-10-03 21:02:44 UTC (rev 22842)
@@ -26,21 +26,27 @@
 
 #include "k5-int.h"
 
-typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
-  const struct krb5_hash_provider *hash,
-  size_t inputlen, size_t *length);
+typedef void (*krb5_encrypt_length_func)(const struct krb5_enc_provider *enc,
+					 const struct krb5_hash_provider *hash,
+					 size_t inputlen, size_t *length);
 
-typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc,
-  const struct krb5_hash_provider *hash,
-  const krb5_keyblock *key, krb5_keyusage keyusage,
-  const krb5_data *ivec, 
-  const krb5_data *input, krb5_data *output);
+typedef krb5_error_code (*krb5_crypt_func)(const struct krb5_enc_provider *enc,
+					   const struct
+					   krb5_hash_provider *hash,
+					   const krb5_keyblock *key,
+					   krb5_keyusage keyusage,
+					   const krb5_data *ivec,
+					   const krb5_data *input,
+					   krb5_data *output);
 
-typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string,
-  const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key);
+typedef krb5_error_code (*krb5_str2key_func)(const struct
+					     krb5_enc_provider *enc,
+					     const krb5_data *string,
+					     const krb5_data *salt,
+					     const krb5_data *parm,
+					     krb5_keyblock *key);
 
-typedef krb5_error_code (*krb5_prf_func)(
-					 const struct krb5_enc_provider *enc,
+typedef krb5_error_code (*krb5_prf_func)(const struct krb5_enc_provider *enc,
 					 const struct krb5_hash_provider *hash,
 					 const krb5_keyblock *key,
 					 const krb5_data *in, krb5_data *out);
@@ -68,11 +74,12 @@
 extern const struct krb5_keytypes krb5_enctypes_list[];
 extern const int krb5_enctypes_length;
 
-static inline const struct krb5_keytypes*
-find_enctype (krb5_enctype enctype)
+static inline const struct krb5_keytypes *
+find_enctype(krb5_enctype enctype)
 {
     int i;
-    for (i=0; i<krb5_enctypes_length; i++) {
+
+    for (i = 0; i < krb5_enctypes_length; i++) {
 	if (krb5_enctypes_list[i].etype == enctype)
 	    break;
     }

Modified: branches/enc-perf/src/lib/crypto/krb/keyblocks.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyblocks.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/keyblocks.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -33,29 +33,31 @@
 #include "k5-int.h"
 #include <assert.h>
 
-krb5_error_code   krb5int_c_init_keyblock
-	(krb5_context context, krb5_enctype enctype,
-	 size_t length, krb5_keyblock **out)
+krb5_error_code
+krb5int_c_init_keyblock(krb5_context context, krb5_enctype enctype,
+			size_t length, krb5_keyblock **out)
 {
     krb5_keyblock *kb;
-    kb = malloc (sizeof(krb5_keyblock));
-    assert (out);
+
+    assert(out);
     *out = NULL;
-    if (!kb) {
+
+    kb = malloc(sizeof(krb5_keyblock));
+    if (kb == NULL)
 	return ENOMEM;
-    }
     kb->magic = KV5M_KEYBLOCK;
     kb->enctype = enctype;
     kb->length = length;
-    if(length) {
-	kb->contents = malloc (length);
-	if(!kb->contents) {
-	    free (kb);
+    if (length) {
+	kb->contents = malloc(length);
+	if (!kb->contents) {
+	    free(kb);
 	    return ENOMEM;
 	}
     } else {
 	kb->contents = NULL;
     }
+
     *out = kb;
     return 0;
 }
@@ -71,9 +73,8 @@
 krb5int_c_free_keyblock_contents(krb5_context context, krb5_keyblock *key)
 {
     if (key && key->contents) {
-	krb5int_zap_data (key->contents, key->length);
-	free(key->contents);
-	key->contents = 0;
+	zapfree(key->contents, key->length);
+	key->contents = NULL;
     }
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/keyed_checksum_types.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyed_checksum_types.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/keyed_checksum_types.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -28,62 +28,54 @@
 #include "etypes.h"
 #include "cksumtypes.h"
 
-static int etype_match(krb5_enctype e1, krb5_enctype e2)
+static krb5_boolean
+etype_match(krb5_enctype e1, krb5_enctype e2)
 {
-    int i1, i2;
+    const struct krb5_keytypes *ktp1, *ktp2;
 
-    for (i1=0; i1<krb5_enctypes_length; i1++) 
-	if (krb5_enctypes_list[i1].etype == e1)
-	    break;
-
-    for (i2=0; i2<krb5_enctypes_length; i2++) 
-	if (krb5_enctypes_list[i2].etype == e2)
-	    break;
-
-    return((i1 < krb5_enctypes_length) &&
-	   (i2 < krb5_enctypes_length) &&
-	   (krb5_enctypes_list[i1].enc == krb5_enctypes_list[i2].enc));
+    ktp1 = find_enctype(e1);
+    ktp2 = find_enctype(e2);
+    return (ktp1 != NULL && ktp2 != NULL && ktp1->enc == ktp2->enc);
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
 			    unsigned int *count, krb5_cksumtype **cksumtypes)
 {
-    unsigned int i, c;
+    unsigned int i, c, nctypes;
+    krb5_cksumtype *ctypes;
+    const struct krb5_cksumtypes *ct;
 
-    c = 0;
-    for (i=0; i<krb5_cksumtypes_length; i++) {
-	if ((krb5_cksumtypes_list[i].keyhash &&
-	     etype_match(krb5_cksumtypes_list[i].keyed_etype, enctype)) ||
-	    (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE)) {
-	    c++;
-	}
+    *count = 0;
+    *cksumtypes = NULL;
+
+    nctypes = 0;
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
+	ct = &krb5_cksumtypes_list[i];
+	if ((ct->keyhash && etype_match(ct->keyed_etype, enctype)) ||
+	    (ct->flags & KRB5_CKSUMFLAG_DERIVE))
+	    nctypes++;
     }
 
-    *count = c;
+    ctypes = malloc(nctypes * sizeof(krb5_cksumtype));
+    if (ctypes == NULL)
+	return ENOMEM;
 
-    if ((*cksumtypes = (krb5_cksumtype *) malloc(c*sizeof(krb5_cksumtype)))
-	== NULL)
-	return(ENOMEM);
-
     c = 0;
-    for (i=0; i<krb5_cksumtypes_length; i++) {
-	if ((krb5_cksumtypes_list[i].keyhash &&
-	     etype_match(krb5_cksumtypes_list[i].keyed_etype, enctype)) ||
-	    (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE)) {
-	    (*cksumtypes)[c] = krb5_cksumtypes_list[i].ctype;
-	    c++;
-	}
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
+	ct = &krb5_cksumtypes_list[i];
+	if ((ct->keyhash && etype_match(ct->keyed_etype, enctype)) ||
+	    (ct->flags & KRB5_CKSUMFLAG_DERIVE))
+	    ctypes[c++] = krb5_cksumtypes_list[i].ctype;
     }
 
-    return(0);
+    *count = nctypes;
+    *cksumtypes = ctypes;
+    return 0;
 }
 
 void KRB5_CALLCONV
 krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val)
 {
-    if (val)
-	free(val);
-    return;
+    free(val);
 }
-

Modified: branches/enc-perf/src/lib/crypto/krb/keyed_cksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyed_cksum.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/keyed_cksum.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -31,25 +31,22 @@
 krb5_c_is_keyed_cksum(krb5_cksumtype ctype)
 {
     unsigned int i;
+    const struct krb5_cksumtypes *ctp;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
-	if (krb5_cksumtypes_list[i].ctype == ctype) {
-	    if (krb5_cksumtypes_list[i].keyhash ||
-		(krb5_cksumtypes_list[i].flags &
-		 KRB5_CKSUMFLAG_DERIVE))
-		return(1);
-	    else
-		return(0);
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
+	ctp = &krb5_cksumtypes_list[i];
+	if (ctp->ctype == ctype) {
+	    return (ctp->keyhash != NULL ||
+		    (ctp->flags & KRB5_CKSUMFLAG_DERIVE));
 	}
     }
 
-    /* ick, but it's better than coredumping, which is what the
-       old code would have done */
-    return 0;   /* error case */
+    /* Invalid ctype.  This is misleading, but better than dumping core. */
+    return FALSE;
 }
 
 krb5_boolean KRB5_CALLCONV
 is_keyed_cksum(krb5_cksumtype ctype)
 {
-    return krb5_c_is_keyed_cksum (ctype);
+    return krb5_c_is_keyed_cksum(ctype);
 }

Modified: branches/enc-perf/src/lib/crypto/krb/keylengths.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keylengths.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/keylengths.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -39,23 +39,19 @@
 krb5_c_keylengths(krb5_context context, krb5_enctype enctype,
 		  size_t *keybytes, size_t *keylength)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
     if (keybytes == NULL && keylength == NULL)
-	return(EINVAL);
+	return EINVAL;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
     if (keybytes)
-	*keybytes = krb5_enctypes_list[i].enc->keybytes;
+	*keybytes = ktp->enc->keybytes;
     if (keylength)
-	*keylength = krb5_enctypes_list[i].enc->keylength;
+	*keylength = ktp->enc->keylength;
 
-    return(0);
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/make_checksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/make_checksum.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/make_checksum.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -35,56 +35,47 @@
 		     const krb5_data *input, krb5_checksum *cksum)
 {
     unsigned int i;
-    int e1, e2;
+    const struct krb5_cksumtypes *ctp;
+    const struct krb5_keytypes *ktp1, *ktp2;
+    const struct krb5_keyhash_provider *keyhash;
     krb5_data data;
+    krb5_octet *trunc;
     krb5_error_code ret;
     size_t cksumlen;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    if (krb5_cksumtypes_list[i].keyhash)
-	cksumlen = krb5_cksumtypes_list[i].keyhash->hashsize;
+    if (ctp->keyhash != NULL)
+	cksumlen = ctp->keyhash->hashsize;
     else
-	cksumlen = krb5_cksumtypes_list[i].hash->hashsize;
+	cksumlen = ctp->hash->hashsize;
 
     cksum->length = cksumlen;
+    cksum->contents = malloc(cksum->length);
+    if (cksum->contents == NULL)
+	return ENOMEM;
 
-    if ((cksum->contents = (krb5_octet *) malloc(cksum->length)) == NULL)
-	return(ENOMEM);
-
     data.length = cksum->length;
     data.data = (char *) cksum->contents;
 
-    if (krb5_cksumtypes_list[i].keyhash) {
+    if (ctp->keyhash) {
 	/* check if key is compatible */
-	const struct krb5_keyhash_provider *keyhash;
-
-	keyhash = krb5_cksumtypes_list[i].keyhash;
-
-	if (krb5_cksumtypes_list[i].keyed_etype) {
-	    for (e1=0; e1<krb5_enctypes_length; e1++) 
-		if (krb5_enctypes_list[e1].etype ==
-		    krb5_cksumtypes_list[i].keyed_etype)
-		    break;
-
-	    for (e2=0; e2<krb5_enctypes_length; e2++) 
-		if (krb5_enctypes_list[e2].etype == key->enctype)
-		    break;
-
-	    if ((e1 == krb5_enctypes_length) ||
-		(e2 == krb5_enctypes_length) ||
-		(krb5_enctypes_list[e1].enc != krb5_enctypes_list[e2].enc)) {
+	if (ctp->keyed_etype) {
+	    ktp1 = find_enctype(ctp->keyed_etype);
+	    ktp2 = find_enctype(key->enctype);
+	    if (ktp1 == NULL || ktp2 == NULL || ktp1->enc != ktp2->enc) {
 		ret = KRB5_BAD_ENCTYPE;
 		goto cleanup;
 	    }
 	}
 
+	keyhash = ctp->keyhash;
 	if (keyhash->hash == NULL) {
 	    krb5_crypto_iov iov[1];
 
@@ -97,22 +88,19 @@
 	} else {
 	    ret = (*keyhash->hash)(key, usage, 0, input, &data);
 	}
-    } else if (krb5_cksumtypes_list[i].flags & KRB5_CKSUMFLAG_DERIVE) {
-	ret = krb5_dk_make_checksum(krb5_cksumtypes_list[i].hash,
-				    key, usage, input, &data);
+    } else if (ctp->flags & KRB5_CKSUMFLAG_DERIVE) {
+	ret = krb5_dk_make_checksum(ctp->hash, key, usage, input, &data);
     } else {
-	/* no key is used */
-
-	ret = (*(krb5_cksumtypes_list[i].hash->hash))(1, input, &data);
+	/* No key is used. */
+	ret = (*ctp->hash->hash)(1, input, &data);
     }
 
     if (!ret) {
 	cksum->magic = KV5M_CHECKSUM;
 	cksum->checksum_type = cksumtype;
-	if (krb5_cksumtypes_list[i].trunc_size) {
-	    krb5_octet *trunc;
-	    cksum->length = krb5_cksumtypes_list[i].trunc_size;
-	    trunc = (krb5_octet *) realloc(cksum->contents, cksum->length);
+	if (ctp->trunc_size) {
+	    cksum->length = ctp->trunc_size;
+	    trunc = realloc(cksum->contents, cksum->length);
 	    if (trunc)
 		cksum->contents = trunc;
 	}
@@ -120,10 +108,9 @@
 
 cleanup:
     if (ret) {
-	memset(cksum->contents, 0, cksum->length);
-	free(cksum->contents);
+	zapfree(cksum->contents, cksum->length);
 	cksum->contents = NULL;
     }
 
-    return(ret);
+    return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -41,22 +41,23 @@
     krb5_error_code ret;
     krb5_data cksum_data;
     krb5_crypto_iov *checksum;
+    const struct krb5_cksumtypes *ctp;
 
     for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == cksumtype)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    if (krb5_cksumtypes_list[i].keyhash != NULL)
-	cksum_data.length = krb5_cksumtypes_list[i].keyhash->hashsize;
+    if (ctp->keyhash != NULL)
+	cksum_data.length = ctp->keyhash->hashsize;
     else
-	cksum_data.length = krb5_cksumtypes_list[i].hash->hashsize;
+	cksum_data.length = ctp->hash->hashsize;
 
-    if (krb5_cksumtypes_list[i].trunc_size != 0)
-	cksumlen = krb5_cksumtypes_list[i].trunc_size;
+    if (ctp->trunc_size != 0)
+	cksumlen = ctp->trunc_size;
     else
 	cksumlen = cksum_data.length;
 

Modified: branches/enc-perf/src/lib/crypto/krb/make_random_key.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/make_random_key.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/make_random_key.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -31,53 +31,46 @@
 krb5_c_make_random_key(krb5_context context, krb5_enctype enctype,
 		       krb5_keyblock *random_key)
 {
-    int i;
     krb5_error_code ret;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
     size_t keybytes, keylength;
     krb5_data random_data;
-    unsigned char *bytes;
+    unsigned char *bytes = NULL;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-
     keybytes = enc->keybytes;
     keylength = enc->keylength;
 
-    if ((bytes = (unsigned char *) malloc(keybytes)) == NULL)
-	return(ENOMEM);
-    if ((random_key->contents = (krb5_octet *) malloc(keylength)) == NULL) {
-	free(bytes);
-	return(ENOMEM);
-    }
+    bytes = k5alloc(keybytes, &ret);
+    if (ret)
+	return ret;
+    random_key->contents = k5alloc(keylength, &ret);
+    if (ret)
+	goto cleanup;
 
     random_data.data = (char *) bytes;
     random_data.length = keybytes;
 
-    if ((ret = krb5_c_random_make_octets(context, &random_data)))
+    ret = krb5_c_random_make_octets(context, &random_data);
+    if (ret)
 	goto cleanup;
 
     random_key->magic = KV5M_KEYBLOCK;
     random_key->enctype = enctype;
     random_key->length = keylength;
 
-    ret = ((*(enc->make_key))(&random_data, random_key));
+    ret = (*enc->make_key)(&random_data, random_key);
 
 cleanup:
-    memset(bytes, 0, keybytes);
-    free(bytes);
-
     if (ret) {
-	memset(random_key->contents, 0, keylength);
-	free(random_key->contents);
+	zapfree(random_key->contents, keylength);
+	random_key->contents = NULL;
     }
-
-    return(ret);
+    zapfree(bytes, keybytes);
+    return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/mandatory_sumtype.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/mandatory_sumtype.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/mandatory_sumtype.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -26,16 +26,14 @@
 #include "etypes.h"
 
 krb5_error_code
-krb5int_c_mandatory_cksumtype (krb5_context ctx, krb5_enctype etype,
-			       krb5_cksumtype *cksumtype)
+krb5int_c_mandatory_cksumtype(krb5_context ctx, krb5_enctype etype,
+			      krb5_cksumtype *cksumtype)
 {
-    int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++)
-	if (krb5_enctypes_list[i].etype == etype) {
-	    *cksumtype = krb5_enctypes_list[i].required_ctype;
-	    return 0;
-	}
-
-    return KRB5_BAD_ENCTYPE;
+    ktp = find_enctype(etype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    *cksumtype = ktp->required_ctype;
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/old_api_glue.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/old_api_glue.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/old_api_glue.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -37,28 +37,31 @@
     krb5_error_code ret;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
     }
 
-    /* size is the length of the input cleartext data */
+    /* size is the length of the input cleartext data. */
     inputd.length = size;
     inputd.data = inptr;
 
-    /* The size of the output buffer isn't part of the old api.  Not too
-       safe.  So, we assume here that it's big enough. */
-    if ((ret = krb5_c_encrypt_length(context, eblock->key->enctype, size,
-				     &outlen)))
-	return(ret);
+    /*
+     * The size of the output buffer isn't part of the old api.  Not too
+     * safe.  So, we assume here that it's big enough.
+     */
+    ret = krb5_c_encrypt_length(context, eblock->key->enctype, size, &outlen);
+    if (ret)
+	return ret;
 
     outputd.ciphertext.length = outlen;
     outputd.ciphertext.data = outptr;
 
-    return(krb5_c_encrypt(context, eblock->key, 0, ivec?&ivecd:0,
-			  &inputd, &outputd));
+    return krb5_c_encrypt(context, eblock->key, 0, ivec ? &ivecd : 0,
+			  &inputd, &outputd);
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -72,8 +75,9 @@
     krb5_error_code ret;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, eblock->key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
@@ -90,8 +94,8 @@
     outputd.length = size;
     outputd.data = outptr;
 
-    return(krb5_c_decrypt(context, eblock->key, 0, ivec?&ivecd:0,
-			  &inputd, &outputd));
+    return krb5_c_decrypt(context, eblock->key, 0, ivec ? &ivecd : 0,
+			  &inputd, &outputd);
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -100,13 +104,13 @@
 {
     eblock->key = (krb5_keyblock *) key;
 
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_finish_key(krb5_context context, krb5_encrypt_block *eblock)
 {
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -114,8 +118,8 @@
 		   krb5_keyblock *keyblock, const krb5_data *data,
 		   const krb5_data *salt)
 {
-    return(krb5_c_string_to_key(context, eblock->crypto_entry, data, salt,
-				keyblock));
+    return krb5_c_string_to_key(context, eblock->crypto_entry, data, salt,
+				keyblock);
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -127,14 +131,14 @@
     data.length = keyblock->length;
     data.data = (char *) keyblock->contents;
 
-    return(krb5_c_random_seed(context, &data));
+    return krb5_c_random_seed(context, &data);
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_finish_random_key(krb5_context context, const krb5_encrypt_block *eblock,
 		       krb5_pointer *ptr)
 {
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -144,23 +148,26 @@
     krb5_keyblock *key;
     krb5_error_code ret;
 
-    if ((key = (krb5_keyblock *) malloc(sizeof(krb5_keyblock))) == NULL)
-	return(ENOMEM);
+    *keyblock = NULL;
 
-    if ((ret = krb5_c_make_random_key(context, eblock->crypto_entry, key))) {
+    key = malloc(sizeof(krb5_keyblock));
+    if (key == NULL)
+	return ENOMEM;
+
+    ret = krb5_c_make_random_key(context, eblock->crypto_entry, key);
+    if (ret) {
 	free(key);
-	key = NULL;
+	return ret;
     }
 
     *keyblock = key;
-
     return(ret);
 }
 
 krb5_enctype KRB5_CALLCONV
 krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block *eblock)
 {
-    return(eblock->crypto_entry);
+    return eblock->crypto_entry;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -169,7 +176,7 @@
 {
     eblock->crypto_entry = enctype;
 
-    return(0);
+    return 0;
 }
 
 size_t KRB5_CALLCONV
@@ -177,10 +184,10 @@
 {
     size_t ret;
 
-    if (krb5_c_encrypt_length(/* XXX */ 0, crypto, length, &ret))
-	return(-1); /* XXX */
+    if (krb5_c_encrypt_length(NULL, crypto, length, &ret))
+	return (size_t) -1; /* XXX */
 
-    return(ret);
+    return ret;
 }
 
 size_t KRB5_CALLCONV
@@ -189,9 +196,9 @@
     size_t ret;
 
     if (krb5_c_checksum_length(context, ctype, &ret))
-	return(-1); /* XXX */
+	return (size_t) -1; /* XXX */
 
-    return(ret);
+    return ret;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -211,13 +218,14 @@
     key.length = seed_length;
     key.contents = seed;
 
-    if ((ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum)))
-	return(ret);
+    ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum);
+    if (ret)
+	return ret;
 
     if (outcksum->length < cksum.length) {
 	memset(cksum.contents, 0, cksum.length);
 	free(cksum.contents);
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
     }
 
     outcksum->magic = cksum.magic;
@@ -247,14 +255,14 @@
     key.length = seed_length;
     key.contents = seed;
 
-    if ((ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum,
-				      &valid)))
-	return(ret);
+    ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, &valid);
+    if (ret)
+	return ret;
 
     if (!valid)
-	return(KRB5KRB_AP_ERR_BAD_INTEGRITY);
+	return KRB5KRB_AP_ERR_BAD_INTEGRITY;
 
-    return(0);
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -265,7 +273,7 @@
     random_data.length = size;
     random_data.data = ptr;
 
-    return(krb5_c_random_make_octets(/* XXX */ 0, &random_data));
+    return krb5_c_random_make_octets(NULL, &random_data);
 }
 
 krb5_error_code krb5_encrypt_data(krb5_context context, krb5_keyblock *key,
@@ -276,13 +284,14 @@
     size_t enclen, blocksize;
     krb5_data ivecd;
 
-    if ((ret = krb5_c_encrypt_length(context, key->enctype, data->length,
-				     &enclen)))
-	return(ret);
+    ret = krb5_c_encrypt_length(context, key->enctype, data->length, &enclen);
+    if (ret)
+	return ret;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
@@ -292,13 +301,15 @@
     enc_data->kvno = 0;
     enc_data->enctype = key->enctype;
     enc_data->ciphertext.length = enclen;
-    if ((enc_data->ciphertext.data = malloc(enclen)) == NULL)
-	return(ENOMEM);
+    enc_data->ciphertext.data = malloc(enclen);
+    if (enc_data->ciphertext.data == NULL)
+	return ENOMEM;
 
-    if ((ret = krb5_c_encrypt(context, key, 0, ivec?&ivecd:0, data, enc_data)))
+    ret = krb5_c_encrypt(context, key, 0, ivec ? &ivecd : 0, data, enc_data);
+    if (ret)
 	free(enc_data->ciphertext.data);
 
-    return(ret);
+    return ret;
 }
 
 krb5_error_code krb5_decrypt_data(krb5_context context, krb5_keyblock *key,
@@ -310,19 +321,22 @@
     size_t blocksize;
 
     if (ivec) {
-	if ((ret = krb5_c_block_size(context, key->enctype, &blocksize)))
-	    return(ret);
+	ret = krb5_c_block_size(context, key->enctype, &blocksize);
+	if (ret)
+	    return ret;
 
 	ivecd.length = blocksize;
 	ivecd.data = ivec;
     }
 
     data->length = enc_data->ciphertext.length;
-    if ((data->data = (char *) malloc(data->length)) == NULL)
-	return(ENOMEM);
+    data->data = malloc(data->length);
+    if (data->data == NULL)
+	return ENOMEM;
 
-    if ((ret = krb5_c_decrypt(context, key, 0, ivec?&ivecd:0, enc_data, data)))
+    ret = krb5_c_decrypt(context, key, 0, ivec ? &ivecd : 0, enc_data, data);
+    if (ret)
 	free(data->data);
 
-    return(0);
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/prf.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/prf.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -37,51 +37,35 @@
 #include <assert.h>
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_prf_length(krb5_context context, krb5_enctype enctype,
-		  size_t *len)
+krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t *len)
 {
-    int i;
-    assert (len);
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    *len = krb5_enctypes_list[i].prf_length;
+    assert(len);
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    *len = ktp->prf_length;
     return 0;
-    
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_c_prf(krb5_context context, const krb5_keyblock *key,
 	   krb5_data *input, krb5_data *output)
 {
-    int i;
-    size_t len;
+    const struct krb5_keytypes *ktp;
+
     assert(input && output);
-    assert (output->data);
+    assert(output->data);
 
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    if (ktp->prf == NULL)
+	return KRB5_CRYPTO_INTERNAL;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
     output->magic = KV5M_DATA;
-    if (!krb5_enctypes_list[i].prf)
-	return (KRB5_CRYPTO_INTERNAL);
-    krb5_c_prf_length (context, key->enctype, &len);
-    if (len != output->length)
-	return (KRB5_CRYPTO_INTERNAL);
-    return((*(krb5_enctypes_list[i].prf))
-	   (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash,
-	    key,  input, output));
+    if (ktp->prf_length != output->length)
+	return KRB5_CRYPTO_INTERNAL;
+    return (*ktp->prf)(ktp->enc, ktp->hash, key, input, output);
 }
-

Modified: branches/enc-perf/src/lib/crypto/krb/prng.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prng.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/prng.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -38,27 +38,28 @@
  */
 
 static size_t
-entropy_estimate (unsigned int randsource, size_t length)
+entropy_estimate(unsigned int randsource, size_t length)
 {
-  switch (randsource) {
-  case KRB5_C_RANDSOURCE_OLDAPI:
-    return (4*length);
-  case KRB5_C_RANDSOURCE_OSRAND:
-    return (8*length);
-  case KRB5_C_RANDSOURCE_TRUSTEDPARTY:
-    return (4*length);
-  case KRB5_C_RANDSOURCE_TIMING:return (2);
-  case KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL:
-    return (0);
-  default:
-    abort();
-  }
-return (0);
+    switch (randsource) {
+    case KRB5_C_RANDSOURCE_OLDAPI:
+	return 4 * length;
+    case KRB5_C_RANDSOURCE_OSRAND:
+	return 8 * length;
+    case KRB5_C_RANDSOURCE_TRUSTEDPARTY:
+	return 4 * length;
+    case KRB5_C_RANDSOURCE_TIMING:
+	return 2;
+    case KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL:
+	return 0;
+    default:
+	abort();
+    }
+    return 0;
 }
 
 int krb5int_prng_init(void)
 {
-    unsigned i;
+    unsigned i, source_id;
     int yerr;
 
     yerr = k5_mutex_finish_init(&yarrow_lock);
@@ -66,12 +67,11 @@
 	return yerr;
 
     yerr = krb5int_yarrow_init (&y_ctx, NULL);
-    if ((yerr != YARROW_OK) && (yerr != YARROW_NOT_SEEDED))
+    if (yerr != YARROW_OK && yerr != YARROW_NOT_SEEDED)
 	return KRB5_CRYPTO_INTERNAL;
 
     for (i=0; i < KRB5_C_RANDSOURCE_MAX; i++ ) {
-	unsigned source_id;
-	if (krb5int_yarrow_new_source (&y_ctx, &source_id) != YARROW_OK )
+	if (krb5int_yarrow_new_source(&y_ctx, &source_id) != YARROW_OK)
 	    return KRB5_CRYPTO_INTERNAL;
 	assert (source_id == i);
     }
@@ -80,46 +80,47 @@
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_add_entropy (krb5_context context, unsigned int randsource,
-			   const krb5_data *data)
+krb5_c_random_add_entropy(krb5_context context, unsigned int randsource,
+			  const krb5_data *data)
 {
-  int yerr;
+    int yerr;
 
-  /* Make sure the mutex got initialized.  */
-  yerr = krb5int_crypto_init();
-  if (yerr)
-      return yerr;
-  /* Now, finally, feed in the data.  */
-  yerr = krb5int_yarrow_input (&y_ctx, randsource,
-			       data->data, data->length,
-			       entropy_estimate (randsource, data->length));
-  if (yerr != YARROW_OK)
-      return (KRB5_CRYPTO_INTERNAL);
-  return (0);
+    /* Make sure the mutex got initialized.  */
+    yerr = krb5int_crypto_init();
+    if (yerr)
+	return yerr;
+    /* Now, finally, feed in the data.  */
+    yerr = krb5int_yarrow_input(&y_ctx, randsource,
+				data->data, data->length,
+				entropy_estimate(randsource, data->length));
+    if (yerr != YARROW_OK)
+	return KRB5_CRYPTO_INTERNAL;
+    return 0;
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_seed (krb5_context context, krb5_data *data)
+krb5_c_random_seed(krb5_context context, krb5_data *data)
 {
-    return krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_OLDAPI, data);
+    return krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OLDAPI, data);
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_c_random_make_octets(krb5_context context, krb5_data *data)
 {
     int yerr;
-    yerr = krb5int_yarrow_output (&y_ctx, data->data, data->length);
+    yerr = krb5int_yarrow_output(&y_ctx, data->data, data->length);
     if (yerr == YARROW_NOT_SEEDED) {
-      yerr = krb5int_yarrow_reseed (&y_ctx, YARROW_SLOW_POOL);
-      if (yerr == YARROW_OK)
-	yerr = krb5int_yarrow_output (&y_ctx, data->data, data->length);
+	yerr = krb5int_yarrow_reseed(&y_ctx, YARROW_SLOW_POOL);
+	if (yerr == YARROW_OK)
+	    yerr = krb5int_yarrow_output(&y_ctx, data->data, data->length);
     }
-    if ( yerr != YARROW_OK)
-      return (KRB5_CRYPTO_INTERNAL);
-    return(0);
+    if (yerr != YARROW_OK)
+      return KRB5_CRYPTO_INTERNAL;
+    return 0;
 }
 
-void krb5int_prng_cleanup (void)
+void
+krb5int_prng_cleanup (void)
 {
     krb5int_yarrow_final (&y_ctx);
     k5_mutex_destroy(&yarrow_lock);
@@ -133,11 +134,11 @@
 #if defined(_WIN32)
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy (krb5_context context, int strong, int *success)
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
 {
-  if (success)
-    *success  = 0;
-  return 0;
+    if (success)
+	*success = 0;
+    return 0;
 }
 
 #else /*Windows*/
@@ -156,60 +157,58 @@
  */
 
 static int
-read_entropy_from_device (krb5_context context, const char *device)
+read_entropy_from_device(krb5_context context, const char *device)
 {
-  krb5_data data;
-  struct stat sb;
-  int fd;
-  unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
-  int left;
-  fd = open (device, O_RDONLY);
-  if (fd == -1)
-    return 0;
-  set_cloexec_fd(fd);
-  if (fstat (fd, &sb) == -1 || S_ISREG(sb.st_mode)) {
-      close(fd);
-      return 0;
-  }
+    krb5_data data;
+    struct stat sb;
+    int fd;
+    unsigned char buf[YARROW_SLOW_THRESH/8], *bp;
+    int left;
 
-  for (bp = buf, left = sizeof (buf); left > 0;) {
-    ssize_t count;
-    count = read (fd, bp, (unsigned) left);
-    if (count <= 0) {
-      close(fd);
-      return 0;
+    fd = open (device, O_RDONLY);
+    if (fd == -1)
+	return 0;
+    set_cloexec_fd(fd);
+    if (fstat(fd, &sb) == -1 || S_ISREG(sb.st_mode)) {
+	close(fd);
+	return 0;
     }
-    left -= count;
-    bp += count;
-  }
-  close (fd);
-  data.length = sizeof (buf);
-  data.data = ( char * ) buf;
-  if ( krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_OSRAND, 
-				  &data) != 0) {
-    return 0;
-  }
-  return 1;
+
+    for (bp = buf, left = sizeof(buf); left > 0;) {
+	ssize_t count;
+	count = read(fd, bp, (unsigned) left);
+	if (count <= 0) {
+	    close(fd);
+	    return 0;
+	}
+	left -= count;
+	bp += count;
+    }
+    close(fd);
+    data.length = sizeof (buf);
+    data.data = (char *) buf;
+    return (krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_OSRAND,
+				      &data) == 0);
 }
     
 krb5_error_code KRB5_CALLCONV
-krb5_c_random_os_entropy (krb5_context context,
-			  int strong, int *success)
+krb5_c_random_os_entropy(krb5_context context, int strong, int *success)
 {
-  int unused;
-  int *oursuccess = success?success:&unused;
-  *oursuccess = 0;
-  /* If we are getting strong data then try that first.  We are
-     guaranteed to cause a reseed of some kind if strong is true and
-     we have both /dev/random and /dev/urandom.  We want the strong
-     data included in the reseed so we get it first.*/
-  if (strong) {
-    if (read_entropy_from_device (context, "/dev/random"))
-      *oursuccess = 1;
-  }
-  if (read_entropy_from_device (context, "/dev/urandom"))
-    *oursuccess = 1;
-  return 0;
+    int unused;
+    int *oursuccess = success ? success : &unused;
+
+    *oursuccess = 0;
+    /* If we are getting strong data then try that first.  We are
+       guaranteed to cause a reseed of some kind if strong is true and
+       we have both /dev/random and /dev/urandom.  We want the strong
+       data included in the reseed so we get it first.*/
+    if (strong) {
+	if (read_entropy_from_device(context, "/dev/random"))
+	    *oursuccess = 1;
+    }
+    if (read_entropy_from_device(context, "/dev/urandom"))
+	*oursuccess = 1;
+    return 0;
 }
 
 #endif /*Windows or pre-OSX Mac*/

Modified: branches/enc-perf/src/lib/crypto/krb/random_to_key.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/random_to_key.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/random_to_key.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -40,34 +40,25 @@
 krb5_c_random_to_key(krb5_context context, krb5_enctype enctype,
 		     krb5_data *random_data, krb5_keyblock *random_key)
 {
-    int i;
     krb5_error_code ret;
+    const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
 
-    if (random_data == NULL || random_key == NULL)
-	return(EINVAL);
+    if (random_data == NULL || random_key == NULL ||
+	random_key->contents == NULL)
+	return EINVAL;
 
-    if (random_key->contents == NULL)
-	return(EINVAL);
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    enc = ktp->enc;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-
     if (random_key->length != enc->keylength)
-	return(KRB5_BAD_KEYSIZE);
+	return KRB5_BAD_KEYSIZE;
 
-    ret = ((*(enc->make_key))(random_data, random_key));
-
-    if (ret) {
+    ret = (*enc->make_key)(random_data, random_key);
+    if (ret)
 	memset(random_key->contents, 0, random_key->length);
-    }
 
-    return(ret);
+    return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/state.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/state.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/state.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -39,34 +39,22 @@
 krb5_c_init_state (krb5_context context, const krb5_keyblock *key,
 		   krb5_keyusage keyusage, krb5_data *new_state)
 {
-      int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    return (*(krb5_enctypes_list[i].enc->init_state))
-      (key, keyusage, new_state);
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    return ktp->enc->init_state(key, keyusage, new_state);
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_free_state (krb5_context context, const krb5_keyblock *key,
-		   krb5_data *state)
+krb5_c_free_state(krb5_context context, const krb5_keyblock *key,
+		  krb5_data *state)
 {
-      int i;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == key->enctype)
-	    break;
-    }
-
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    return     (*(krb5_enctypes_list[i].enc->free_state))
-      (state);
+    ktp = find_enctype(key->enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    return ktp->enc->free_state(state);
 }

Modified: branches/enc-perf/src/lib/crypto/krb/string_to_cksumtype.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/string_to_cksumtype.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/string_to_cksumtype.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -31,23 +31,26 @@
 krb5_string_to_cksumtype(char *string, krb5_cksumtype *cksumtypep)
 {
     unsigned int i, j;
+    const char *alias;
+    const struct krb5_cksumtypes *ctp;
 
     for (i=0; i<krb5_cksumtypes_length; i++) {
-	if (strcasecmp(krb5_cksumtypes_list[i].name, string) == 0) {
-	    *cksumtypep = krb5_cksumtypes_list[i].ctype;
-	    return(0);
+	ctp = &krb5_cksumtypes_list[i];
+	if (strcasecmp(ctp->name, string) == 0) {
+	    *cksumtypep = ctp->ctype;
+	    return 0;
 	}
-#define MAX_ALIASES (sizeof(krb5_cksumtypes_list[i].aliases) / sizeof(krb5_cksumtypes_list[i].aliases[0]))
+#define MAX_ALIASES (sizeof(ctp->aliases) / sizeof(ctp->aliases[0]))
 	for (j = 0; j < MAX_ALIASES; j++) {
-	    const char *alias = krb5_cksumtypes_list[i].aliases[j];
+	    alias = ctp->aliases[j];
 	    if (alias == NULL)
 		break;
 	    if (strcasecmp(alias, string) == 0) {
-		*cksumtypep = krb5_cksumtypes_list[i].ctype;
+		*cksumtypep = ctp->ctype;
 		return 0;
 	    }
 	}
     }
 
-    return(EINVAL);
+    return EINVAL;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/string_to_enctype.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/string_to_enctype.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/string_to_enctype.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -30,24 +30,28 @@
 krb5_error_code KRB5_CALLCONV
 krb5_string_to_enctype(char *string, krb5_enctype *enctypep)
 {
-    unsigned int i, j;
+    int i;
+    unsigned int j;
+    const char *alias;
+    const struct krb5_keytypes *ktp;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (strcasecmp(krb5_enctypes_list[i].name, string) == 0) {
-	    *enctypep = krb5_enctypes_list[i].etype;
+    for (i = 0; i < krb5_enctypes_length; i++) {
+	ktp = &krb5_enctypes_list[i];
+	if (strcasecmp(ktp->name, string) == 0) {
+	    *enctypep = ktp->etype;
 	    return 0;
 	}
-#define MAX_ALIASES (sizeof(krb5_enctypes_list[i].aliases) / sizeof(krb5_enctypes_list[i].aliases[0]))
+#define MAX_ALIASES (sizeof(ktp->aliases) / sizeof(ktp->aliases[0]))
 	for (j = 0; j < MAX_ALIASES; j++) {
-	    const char *alias = krb5_enctypes_list[i].aliases[j];
+	    alias = ktp->aliases[j];
 	    if (alias == NULL)
 		break;
 	    if (strcasecmp(alias, string) == 0) {
-		*enctypep = krb5_enctypes_list[i].etype;
+		*enctypep = ktp->etype;
 		return 0;
 	    }
 	}
     }
 
-    return(EINVAL);
+    return EINVAL;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/string_to_key.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/string_to_key.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/string_to_key.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -51,23 +51,20 @@
 				 const krb5_data *salt,
 				 const krb5_data *params, krb5_keyblock *key)
 {
-    int i;
     krb5_error_code ret;
-    const struct krb5_enc_provider *enc;
-    size_t keybytes, keylength;
+    const struct krb5_keytypes *ktp;
+    size_t keylength;
 
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == enctype)
-	    break;
-    }
+    ktp = find_enctype(enctype);
+    if (ktp == NULL)
+	return KRB5_BAD_ENCTYPE;
+    keylength = ktp->enc->keylength;
 
-    if (i == krb5_enctypes_length)
-	return(KRB5_BAD_ENCTYPE);
-
-    enc = krb5_enctypes_list[i].enc;
-/* xxx AFS string2key function is indicated by a special length  in
- * the salt in much of the code.  However only the DES enctypes can
- * deal with this.  Using s2kparams would be a much better solution.*/
+    /*
+     * xxx AFS string2key function is indicated by a special length  in
+     * the salt in much of the code.  However only the DES enctypes can
+     * deal with this.  Using s2kparams would be a much better solution.
+     */
     if (salt && salt->length == SALT_TYPE_AFS_LENGTH) {
 	switch (enctype) {
 	case ENCTYPE_DES_CBC_CRC:
@@ -75,27 +72,24 @@
 	case ENCTYPE_DES_CBC_MD5:
 	    break;
 	default:
-	    return (KRB5_CRYPTO_INTERNAL);
+	    return KRB5_CRYPTO_INTERNAL;
 	}
     }
 
-    keybytes = enc->keybytes;
-    keylength = enc->keylength;
+    key->contents = malloc(keylength);
+    if (key->contents == NULL)
+	return ENOMEM;
 
-    if ((key->contents = (krb5_octet *) malloc(keylength)) == NULL)
-	return(ENOMEM);
-
     key->magic = KV5M_KEYBLOCK;
     key->enctype = enctype;
     key->length = keylength;
 
-    ret = (*krb5_enctypes_list[i].str2key)(enc, string, salt, params, key);
+    ret = (*ktp->str2key)(ktp->enc, string, salt, params, key);
     if (ret) {
-	memset(key->contents, 0, keylength);
-	free(key->contents);
+	zapfree(key->contents, keylength);
 	key->length = 0;
 	key->contents = NULL;
     }
 
-    return(ret);
+    return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/valid_cksumtype.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/valid_cksumtype.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/valid_cksumtype.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -32,16 +32,16 @@
 {
     unsigned int i;
 
-    for (i=0; i<krb5_cksumtypes_length; i++) {
+    for (i = 0; i < krb5_cksumtypes_length; i++) {
 	if (krb5_cksumtypes_list[i].ctype == ctype)
-	    return(1);
+	    return TRUE;
     }
 
-    return(0);
+    return FALSE;
 }
 
 krb5_boolean KRB5_CALLCONV
 valid_cksumtype(krb5_cksumtype ctype)
 {
-    return krb5_c_valid_cksumtype (ctype);
+    return krb5_c_valid_cksumtype(ctype);
 }

Modified: branches/enc-perf/src/lib/crypto/krb/valid_enctype.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/valid_enctype.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/valid_enctype.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -30,39 +30,20 @@
 krb5_boolean KRB5_CALLCONV
 krb5_c_valid_enctype(krb5_enctype etype)
 {
-    int i;
-
-    for (i=0; i<krb5_enctypes_length; i++) {
-	if (krb5_enctypes_list[i].etype == etype)
-	    return(1);
-    }
-
-    return(0);
+    return (find_enctype(etype) != NULL);
 }
 
 krb5_boolean KRB5_CALLCONV
 valid_enctype(krb5_enctype etype)
 {
-    return krb5_c_valid_enctype (etype);
+    return krb5_c_valid_enctype(etype);
 }
 
 krb5_boolean KRB5_CALLCONV
 krb5_c_weak_enctype(krb5_enctype etype)
 {
-    int i;
-    const struct krb5_keytypes *k;
+    const struct krb5_keytypes *ktp;
 
-    for (i = 0; i < krb5_enctypes_length; i++) {
-#if 0
-	if (krb5_enctypes_list[i].etype == etype &&
-	    krb5_enctypes_list[i].flags | ETYPE_WEAK)
-	    return(1);
-#endif
-	k = &krb5_enctypes_list[i];
-	if (k->etype == etype && (k->flags & ETYPE_WEAK)) {
-	    return(1);
-	}
-    }
-
-    return(0);
+    ktp = find_enctype(etype);
+    return ((ktp->flags & ETYPE_WEAK) != 0);
 }

Modified: branches/enc-perf/src/lib/crypto/krb/verify_checksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/verify_checksum.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/verify_checksum.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -33,6 +33,8 @@
 		       const krb5_checksum *cksum, krb5_boolean *valid)
 {
     unsigned int i;
+    const struct krb5_cksumtypes *ctp;
+    const struct krb5_keyhash_provider *keyhash;
     size_t hashsize;
     krb5_error_code ret;
     krb5_data indata;
@@ -42,51 +44,47 @@
 	if (krb5_cksumtypes_list[i].ctype == cksum->checksum_type)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    /* if there's actually a verify function, call it */
-
     indata.length = cksum->length;
     indata.data = (char *) cksum->contents;
 
-    if (krb5_cksumtypes_list[i].keyhash) {
-	const struct krb5_keyhash_provider *keyhash;
+    /* If there's actually a verify function, call it. */
+    if (ctp->keyhash) {
+	keyhash = ctp->keyhash;
 
-	keyhash = krb5_cksumtypes_list[i].keyhash;
-
 	if (keyhash->verify == NULL && keyhash->verify_iov != NULL) {
 	    krb5_crypto_iov iov[1];
 
 	    iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
 	    iov[0].data = *data;
 
-	    return (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata, valid);
+	    return (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata,
+					  valid);
 	} else if (keyhash->verify != NULL) {
 	    return (*keyhash->verify)(key, usage, 0, data, &indata, valid);
 	}
     }
 
-    /* otherwise, make the checksum again, and compare */
+    /* Otherwise, make the checksum again, and compare. */
+    ret = krb5_c_checksum_length(context, cksum->checksum_type, &hashsize);
+    if (ret)
+	return ret;
 
-    if ((ret = krb5_c_checksum_length(context, cksum->checksum_type, &hashsize)))
-	return(ret);
-
     if (cksum->length != hashsize)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
     computed.length = hashsize;
 
-    if ((ret = krb5_c_make_checksum(context, cksum->checksum_type, key, usage,
-				   data, &computed))) {
-	free(computed.contents);
-	return(ret);
-    }
+    ret = krb5_c_make_checksum(context, cksum->checksum_type, key, usage,
+			       data, &computed);
+    if (ret)
+	return ret;
 
     *valid = (memcmp(computed.contents, cksum->contents, hashsize) == 0);
 
     free(computed.contents);
-
-    return(0);
+    return 0;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c	2009-10-03 21:00:42 UTC (rev 22841)
+++ branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c	2009-10-03 21:02:44 UTC (rev 22842)
@@ -38,6 +38,7 @@
 			   krb5_boolean *valid)
 {
     unsigned int i;
+    const struct krb5_cksumtypes *ctp;
     size_t cksumlen;
     krb5_error_code ret;
     krb5_data computed;
@@ -47,52 +48,49 @@
 	if (krb5_cksumtypes_list[i].ctype == checksum_type)
 	    break;
     }
-
     if (i == krb5_cksumtypes_length)
-	return(KRB5_BAD_ENCTYPE);
+	return KRB5_BAD_ENCTYPE;
+    ctp = &krb5_cksumtypes_list[i];
 
-    checksum = krb5int_c_locate_iov((krb5_crypto_iov *)data, num_data, KRB5_CRYPTO_TYPE_CHECKSUM);
+    checksum = krb5int_c_locate_iov((krb5_crypto_iov *)data, num_data,
+				    KRB5_CRYPTO_TYPE_CHECKSUM);
     if (checksum == NULL)
 	return(KRB5_BAD_MSIZE);
 
-    /* if there's actually a verify function, call it */
+    /* If there's actually a verify function, call it. */
+    if (ctp->keyhash && ctp->keyhash->verify_iov) {
+	return (*ctp->keyhash->verify_iov)(key, usage, 0, data, num_data,
+					   &checksum->data, valid);
+    }
 
-    if (krb5_cksumtypes_list[i].keyhash &&
-	krb5_cksumtypes_list[i].keyhash->verify_iov)
-	return((*(krb5_cksumtypes_list[i].keyhash->verify_iov))(key, usage, 0,
-								data, num_data,
-								&checksum->data,
-								valid));
-
-    /* otherwise, make the checksum again, and compare */
-
-    if (krb5_cksumtypes_list[i].keyhash != NULL)
-	computed.length = krb5_cksumtypes_list[i].keyhash->hashsize;
+    /* Otherwise, make the checksum again, and compare. */
+    if (ctp->keyhash != NULL)
+	computed.length = ctp->keyhash->hashsize;
     else
-	computed.length = krb5_cksumtypes_list[i].hash->hashsize;
+	computed.length = ctp->hash->hashsize;
 
-    if (krb5_cksumtypes_list[i].trunc_size != 0)
-	cksumlen = krb5_cksumtypes_list[i].trunc_size;
+    if (ctp->trunc_size != 0)
+	cksumlen = ctp->trunc_size;
     else
 	cksumlen = computed.length;
 
     if (checksum->data.length != cksumlen)
-	return(KRB5_BAD_MSIZE);
+	return KRB5_BAD_MSIZE;
 
     computed.data = malloc(computed.length);
     if (computed.data == NULL)
-	return(ENOMEM);
+	return ENOMEM;
 
-    if ((ret = krb5int_c_make_checksum_iov(&krb5_cksumtypes_list[i], key, usage,
-					   data, num_data, &computed))) {
+    ret = krb5int_c_make_checksum_iov(&krb5_cksumtypes_list[i], key, usage,
+				      data, num_data, &computed);
+    if (ret) {
 	free(computed.data);
-	return(ret);
+	return ret;
     }
 
     *valid = (computed.length == cksumlen) &&
 	     (memcmp(computed.data, checksum->data.data, cksumlen) == 0);
 
     free(computed.data);
-
-    return(0);
+    return 0;
 }



From tsitkova at MIT.EDU  Sun Oct  4 14:37:10 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Sun, 4 Oct 2009 14:37:10 -0400
Subject: svn rev #22843: trunk/src/lib/crypto/openssl/enc_provider/ 
Message-ID: <200910041837.n94IbADL001154@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22843
Commit By: tsitkova
Log Message:
Impl. krb5int_aes_enc/decrypt_iov. Passes t_encrypt test.



Changed Files:
U   trunk/src/lib/crypto/openssl/enc_provider/aes.c
Modified: trunk/src/lib/crypto/openssl/enc_provider/aes.c
===================================================================
--- trunk/src/lib/crypto/openssl/enc_provider/aes.c	2009-10-03 21:02:44 UTC (rev 22842)
+++ trunk/src/lib/crypto/openssl/enc_provider/aes.c	2009-10-04 18:37:09 UTC (rev 22843)
@@ -47,6 +47,12 @@
 static krb5_error_code
 cbc_decr(const krb5_keyblock *key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output);
+static krb5_error_code
+cts_enc_iov(const krb5_keyblock *key, const krb5_data *ivec,
+                    krb5_crypto_iov *data, size_t num_data);
+static krb5_error_code
+cts_decr_iov(const krb5_keyblock *key, const krb5_data *ivec,
+                    krb5_crypto_iov *data, size_t num_data);
 
 static const EVP_CIPHER *
 map_mode( unsigned int len)
@@ -212,8 +218,8 @@
     AES_set_encrypt_key(key->contents, 8*key->length, &enck);
 
     size = CRYPTO_cts128_encrypt((unsigned char *)input->data, tmp_buf,
-                        input->length, &enck,
-                        iv_cts, (cbc128_f)AES_cbc_encrypt);
+                                 input->length, &enck,
+                                 iv_cts, (cbc128_f)AES_cbc_encrypt);
 
     if (size <= 0 || output->length < size) {
         ret = KRB5_CRYPTO_INTERNAL;
@@ -250,8 +256,8 @@
     AES_set_decrypt_key(key->contents, 8*key->length, &deck);
 
     size = CRYPTO_cts128_decrypt((unsigned char *)input->data, tmp_buf,
-                        input->length, &deck,
-                        iv_cts, (cbc128_f)AES_cbc_encrypt);
+                                 input->length, &deck,
+                                 iv_cts, (cbc128_f)AES_cbc_encrypt);
 
 
     if (size <= 0 || output->length < size) {
@@ -267,6 +273,134 @@
     return ret;
 }
 
+static krb5_error_code
+cts_enc_iov(const krb5_keyblock *key,
+		        const krb5_data *ivec,
+		        krb5_crypto_iov *data,
+		        size_t num_data)
+{
+    int                    ret = 0;
+    int                    oblock_len = BLOCK_SIZE*num_data;
+    size_t                 size = 0;
+    AES_KEY                enck;
+    unsigned char         *oblock = NULL;
+    unsigned char          iblock_buf[BLOCK_SIZE*2];
+    unsigned char          iblockN1[BLOCK_SIZE];
+    unsigned char          iblockN2[BLOCK_SIZE];
+    unsigned char          iv_cts[EVP_MAX_IV_LENGTH*4];
+    struct iov_block_state input_pos, output_pos;
+
+    oblock = OPENSSL_malloc(oblock_len);
+    if (!oblock){
+        return ENOMEM;
+    }
+    memset(oblock, 0, oblock_len);
+
+    IOV_BLOCK_STATE_INIT(&input_pos);
+    IOV_BLOCK_STATE_INIT(&output_pos);
+
+    memset(iv_cts,0,sizeof(iv_cts));
+    if (ivec && ivec->data && (ivec->length <= sizeof(iv_cts)))
+        memcpy(iv_cts, ivec->data,ivec->length);
+
+    AES_set_encrypt_key(key->contents, 8*key->length, &enck);
+
+    for (;;) {
+
+        if (!krb5int_c_iov_get_block(iblockN1, BLOCK_SIZE,
+                                     data, num_data, &input_pos))
+            break;
+        if (!krb5int_c_iov_get_block(iblockN2, BLOCK_SIZE,
+                                     data, num_data, &input_pos))
+            break;
+
+        if (input_pos.iov_pos == num_data)
+            break;
+
+        memcpy(iblock_buf,iblockN1,input_pos.data_pos);
+        memcpy(iblock_buf+input_pos.data_pos,iblockN2,input_pos.data_pos);
+
+        size = CRYPTO_cts128_encrypt((unsigned char *)iblock_buf, oblock,
+                        2*BLOCK_SIZE, &enck,
+                        iv_cts, (cbc128_f)AES_cbc_encrypt);
+        if (size <= 0) {
+            ret = KRB5_CRYPTO_INTERNAL;
+            break;
+        }
+        krb5int_c_iov_put_block(data, num_data,
+                                oblock, 2*BLOCK_SIZE, &output_pos);
+    }
+
+    memset(oblock,0,sizeof(oblock));
+    OPENSSL_free(oblock);
+
+    return ret;
+}
+
+static krb5_error_code
+cts_decr_iov(const krb5_keyblock *key,
+		        const krb5_data *ivec,
+		        krb5_crypto_iov *data,
+		        size_t num_data)
+{
+    int                    ret = 0;
+    int                    oblock_len = BLOCK_SIZE*num_data;
+    size_t                 size = 0;
+    AES_KEY                deck;
+    unsigned char         *oblock = NULL;
+    unsigned char          iblock_buf[BLOCK_SIZE*2];
+    unsigned char          iblockN1[BLOCK_SIZE];
+    unsigned char          iblockN2[BLOCK_SIZE];
+    unsigned char          iv_cts[EVP_MAX_IV_LENGTH*4];
+    struct iov_block_state input_pos, output_pos;
+
+    oblock = OPENSSL_malloc(oblock_len);
+    if (!oblock){
+        return ENOMEM;
+    }
+    memset(oblock, 0, oblock_len);
+
+    IOV_BLOCK_STATE_INIT(&input_pos);
+    IOV_BLOCK_STATE_INIT(&output_pos);
+
+    memset(iv_cts,0,sizeof(iv_cts));
+    if (ivec && ivec->data && (ivec->length <= sizeof(iv_cts)))
+        memcpy(iv_cts, ivec->data,ivec->length);
+
+    AES_set_decrypt_key(key->contents, 8*key->length, &deck);
+
+    for (;;) {
+
+        if (!krb5int_c_iov_get_block(iblockN1, BLOCK_SIZE,
+                                     data, num_data, &input_pos))
+            break;
+        if (!krb5int_c_iov_get_block(iblockN2, BLOCK_SIZE,
+                                     data, num_data, &input_pos))
+            break;
+
+        if (input_pos.iov_pos == num_data)
+            break;
+        memset(iblock_buf, 0, 32);
+        memcpy(iblock_buf,iblockN1,input_pos.data_pos);
+        memcpy(iblock_buf+input_pos.data_pos,iblockN2,input_pos.data_pos);
+
+        size = CRYPTO_cts128_decrypt((unsigned char *)iblock_buf, oblock,
+                                     2*BLOCK_SIZE, &deck,
+                                     iv_cts, (cbc128_f)AES_cbc_encrypt);
+        if (size <= 0) {
+            ret = KRB5_CRYPTO_INTERNAL;
+            break;
+        }
+        krb5int_c_iov_put_block(data, num_data,
+                                oblock, 2*BLOCK_SIZE, &output_pos);
+    }
+
+    memset(oblock,0,sizeof(oblock));
+    OPENSSL_free(oblock);
+
+    return ret;
+}
+
 krb5_error_code
 krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output)
@@ -310,78 +444,10 @@
 		        krb5_crypto_iov *data,
 		        size_t num_data)
 {
-    aes_ctx ctx;
-    char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
-    int nblocks = 0, blockno;
-    size_t input_length, i;
+    int ret = 0;
 
-    if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
-	abort();
-
-    if (ivec != NULL)
-	memcpy(tmp, ivec->data, BLOCK_SIZE);
-    else
-	memset(tmp, 0, BLOCK_SIZE);
-
-    for (i = 0, input_length = 0; i < num_data; i++) {
-	krb5_crypto_iov *iov = &data[i];
-
-	if (ENCRYPT_IOV(iov))
-	    input_length += iov->data.length;
-    }
-
-    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
-    assert(nblocks > 1);
-
-    {
-	char blockN2[BLOCK_SIZE];   /* second last */
-	char blockN1[BLOCK_SIZE];   /* last block */
-	struct iov_block_state input_pos, output_pos;
-
-	IOV_BLOCK_STATE_INIT(&input_pos);
-	IOV_BLOCK_STATE_INIT(&output_pos);
-
-	for (blockno = 0; blockno < nblocks - 2; blockno++) {
-	    char blockN[BLOCK_SIZE];
-
-	    krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
-	    xorblock(tmp, blockN);
-	    enc(tmp2, tmp, &ctx);
-	    krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
-
-	    /* Set up for next block.  */
-	    memcpy(tmp, tmp2, BLOCK_SIZE);
-	}
-
-	/* Do final CTS step for last two blocks (the second of which
-	   may or may not be incomplete).  */
-
-	/* First, get the last two blocks */
-	memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
-	krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
-	krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
-
-	/* Encrypt second last block */
-	xorblock(tmp, blockN2);
-	enc(tmp2, tmp, &ctx);
-	memcpy(blockN2, tmp2, BLOCK_SIZE); /* blockN2 now contains first block */
-	memcpy(tmp, tmp2, BLOCK_SIZE);
-
-	/* Encrypt last block */
-	xorblock(tmp, blockN1);
-	enc(tmp2, tmp, &ctx);
-	memcpy(blockN1, tmp2, BLOCK_SIZE);
-
-	/* Put the last two blocks back into the iovec (reverse order) */
-	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
-	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
-
-	if (ivec != NULL)
-	    memcpy(ivec->data, blockN1, BLOCK_SIZE);
-    }
-
-    return 0;
+    ret = cts_enc_iov(key, ivec, data, num_data);
+    return ret;
 }
 
 static krb5_error_code
@@ -390,81 +456,10 @@
 		        krb5_crypto_iov *data,
 		        size_t num_data)
 {
-    aes_ctx ctx;
-    char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
-    int nblocks = 0, blockno;
-    unsigned int i;
-    size_t input_length;
+    int ret = 0;
 
-    if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
-	abort();
-
-    if (ivec != NULL)
-	memcpy(tmp, ivec->data, BLOCK_SIZE);
-    else
-	memset(tmp, 0, BLOCK_SIZE);
-
-    for (i = 0, input_length = 0; i < num_data; i++) {
-	krb5_crypto_iov *iov = &data[i];
-
-	if (ENCRYPT_IOV(iov))
-	    input_length += iov->data.length;
-    }
-
-    nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
-    assert(nblocks > 1);
-
-    {
-	char blockN2[BLOCK_SIZE];   /* second last */
-	char blockN1[BLOCK_SIZE];   /* last block */
-	struct iov_block_state input_pos, output_pos;
-
-	IOV_BLOCK_STATE_INIT(&input_pos);
-	IOV_BLOCK_STATE_INIT(&output_pos);
-
-	for (blockno = 0; blockno < nblocks - 2; blockno++) {
-	    char blockN[BLOCK_SIZE];
-
-	    krb5int_c_iov_get_block((unsigned char *)blockN, BLOCK_SIZE, data, num_data, &input_pos);
-	    dec(tmp2, blockN, &ctx);
-	    xorblock(tmp2, tmp);
-	    krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, BLOCK_SIZE, &output_pos);
-	    memcpy(tmp, blockN, BLOCK_SIZE);
-	}
-
-	/* Do last two blocks, the second of which (next-to-last block
-	   of plaintext) may be incomplete.  */
-
-	/* First, get the last two encrypted blocks */
-	memset(blockN1, 0, sizeof(blockN1)); /* pad last block with zeros */
-	krb5int_c_iov_get_block((unsigned char *)blockN2, BLOCK_SIZE, data, num_data, &input_pos);
-	krb5int_c_iov_get_block((unsigned char *)blockN1, BLOCK_SIZE, data, num_data, &input_pos);
-
-	/* Decrypt second last block */
-	dec(tmp2, blockN2, &ctx);
-	/* Set tmp2 to last (possibly partial) plaintext block, and
-	   save it.  */
-	xorblock(tmp2, blockN1);
-	memcpy(blockN2, tmp2, BLOCK_SIZE);
-
-	/* Maybe keep the trailing part, and copy in the last
-	   ciphertext block.  */
-	input_length %= BLOCK_SIZE;
-	memcpy(tmp2, blockN1, input_length ? input_length : BLOCK_SIZE);
-	dec(tmp3, tmp2, &ctx);
-	xorblock(tmp3, tmp);
-	/* Copy out ivec first before we clobber blockN1 with plaintext */
-	if (ivec != NULL)
-	    memcpy(ivec->data, blockN1, BLOCK_SIZE);
-	memcpy(blockN1, tmp3, BLOCK_SIZE);
-
-	/* Put the last two blocks back into the iovec */
-	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN1, BLOCK_SIZE, &output_pos);
-	krb5int_c_iov_put_block(data, num_data, (unsigned char *)blockN2, BLOCK_SIZE, &output_pos);
-    }
-
-    return 0;
+    ret = cts_decr_iov(key, ivec, data, num_data);
+    return ret;
 }
 
 static krb5_error_code



From ghudson at MIT.EDU  Mon Oct  5 14:30:00 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Mon, 5 Oct 2009 14:30:00 -0400
Subject: svn rev #22845: branches/enc-perf/src/ include/ lib/crypto/builtin/
	lib/crypto/builtin/aes/ ...
Message-ID: <200910051830.n95IU005012768@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22845
Commit By: ghudson
Log Message:
Respecify most crypto internals in terms of krb5_key.
Implement krb5_k_encrypt/decrypt/etc. with krb5_c versions as wrapers.
OpenSSL back end not yet updated since it is undergoing work on trunk.



Changed Files:
U   branches/enc-perf/src/include/k5-int.h
U   branches/enc-perf/src/lib/crypto/builtin/aes/aes_s2k.c
U   branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.c
U   branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.h
U   branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour_aead.c
U   branches/enc-perf/src/lib/crypto/builtin/enc_provider/aes.c
U   branches/enc-perf/src/lib/crypto/builtin/enc_provider/des.c
U   branches/enc-perf/src/lib/crypto/builtin/enc_provider/des3.c
U   branches/enc-perf/src/lib/crypto/builtin/enc_provider/rc4.c
U   branches/enc-perf/src/lib/crypto/builtin/hmac.c
U   branches/enc-perf/src/lib/crypto/builtin/pbkdf2.c
U   branches/enc-perf/src/lib/crypto/krb/aead.c
U   branches/enc-perf/src/lib/crypto/krb/aead.h
U   branches/enc-perf/src/lib/crypto/krb/combine_keys.c
U   branches/enc-perf/src/lib/crypto/krb/decrypt.c
U   branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c
U   branches/enc-perf/src/lib/crypto/krb/dk/checksum.c
U   branches/enc-perf/src/lib/crypto/krb/dk/derive.c
U   branches/enc-perf/src/lib/crypto/krb/dk/dk.h
U   branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c
U   branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c
U   branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c
U   branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c
U   branches/enc-perf/src/lib/crypto/krb/encrypt.c
U   branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c
U   branches/enc-perf/src/lib/crypto/krb/etypes.h
U   branches/enc-perf/src/lib/crypto/krb/keyhash_provider/descbc.c
U   branches/enc-perf/src/lib/crypto/krb/keyhash_provider/hmac_md5.c
U   branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md4des.c
U   branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md5des.c
U   branches/enc-perf/src/lib/crypto/krb/keyhash_provider/md5_hmac.c
U   branches/enc-perf/src/lib/crypto/krb/make_checksum.c
U   branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c
U   branches/enc-perf/src/lib/crypto/krb/old/old.h
U   branches/enc-perf/src/lib/crypto/krb/old/old_decrypt.c
U   branches/enc-perf/src/lib/crypto/krb/old/old_encrypt.c
U   branches/enc-perf/src/lib/crypto/krb/prf/des_prf.c
U   branches/enc-perf/src/lib/crypto/krb/prf/dk_prf.c
U   branches/enc-perf/src/lib/crypto/krb/prf/prf_int.h
U   branches/enc-perf/src/lib/crypto/krb/prf/rc4_prf.c
U   branches/enc-perf/src/lib/crypto/krb/prf.c
U   branches/enc-perf/src/lib/crypto/krb/raw/raw.h
U   branches/enc-perf/src/lib/crypto/krb/raw/raw_aead.c
U   branches/enc-perf/src/lib/crypto/krb/raw/raw_decrypt.c
U   branches/enc-perf/src/lib/crypto/krb/raw/raw_encrypt.c
U   branches/enc-perf/src/lib/crypto/krb/verify_checksum.c
U   branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c
U   branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.c
U   branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.h
U   branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp
Modified: branches/enc-perf/src/include/k5-int.h
===================================================================
--- branches/enc-perf/src/include/k5-int.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/include/k5-int.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -648,12 +648,12 @@
     size_t block_size, keybytes, keylength;
 
     /* cipher-state == 0 fresh state thrown away at end */
-    krb5_error_code (*encrypt) (const krb5_keyblock *key,
+    krb5_error_code (*encrypt) (krb5_key key,
 				const krb5_data *cipher_state,
 				const krb5_data *input,
 				krb5_data *output);
 
-    krb5_error_code (*decrypt) (const krb5_keyblock *key,
+    krb5_error_code (*decrypt) (krb5_key key,
 				const krb5_data *ivec,
 				const krb5_data *input,
 				krb5_data *output);
@@ -666,13 +666,13 @@
   krb5_error_code (*free_state) (krb5_data *state);
 
     /* In-place encryption/decryption of multiple buffers */
-    krb5_error_code (*encrypt_iov) (const krb5_keyblock *key,
+    krb5_error_code (*encrypt_iov) (krb5_key key,
 				    const krb5_data *cipher_state,
 				    krb5_crypto_iov *data,
 				    size_t num_data);
 
 
-    krb5_error_code (*decrypt_iov) (const krb5_keyblock *key,
+    krb5_error_code (*decrypt_iov) (krb5_key key,
 				    const krb5_data *cipher_state,
 				    krb5_crypto_iov *data,
 				    size_t num_data);
@@ -691,27 +691,27 @@
 struct krb5_keyhash_provider {
     size_t hashsize;
 
-    krb5_error_code (*hash) (const krb5_keyblock *key,
+    krb5_error_code (*hash) (krb5_key key,
 			     krb5_keyusage keyusage,
 			     const krb5_data *ivec,
 			     const krb5_data *input,
 			     krb5_data *output);
 
-    krb5_error_code (*verify) (const krb5_keyblock *key,
+    krb5_error_code (*verify) (krb5_key key,
 			       krb5_keyusage keyusage,
 			       const krb5_data *ivec,
 			       const krb5_data *input,
 			       const krb5_data *hash,
 			       krb5_boolean *valid);
 
-    krb5_error_code (*hash_iov) (const krb5_keyblock *key,
+    krb5_error_code (*hash_iov) (krb5_key key,
 				 krb5_keyusage keyusage,
 				 const krb5_data *ivec,
 				 const krb5_crypto_iov *data,
 				 size_t num_data,
 				 krb5_data *output);
 
-    krb5_error_code (*verify_iov) (const krb5_keyblock *key,
+    krb5_error_code (*verify_iov) (krb5_key key,
 				  krb5_keyusage keyusage,
 				  const krb5_data *ivec,
 				  const krb5_crypto_iov *data,
@@ -729,7 +729,7 @@
     krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead,
 				    const struct krb5_enc_provider *enc,
 				    const struct krb5_hash_provider *hash,
-				    const krb5_keyblock *key,
+				    krb5_key key,
 				    krb5_keyusage keyusage,
 				    const krb5_data *ivec,
 				    krb5_crypto_iov *data,
@@ -737,7 +737,7 @@
     krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead,
 				    const struct krb5_enc_provider *enc,
 				    const struct krb5_hash_provider *hash,
-				    const krb5_keyblock *key,
+				    krb5_key key,
 				    krb5_keyusage keyusage,
 				    const krb5_data *ivec,
 				    krb5_crypto_iov *data,
@@ -754,11 +754,22 @@
 
 krb5_error_code krb5_hmac
 (const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, unsigned int icount,
+		krb5_key key, unsigned int icount,
 		const krb5_data *input, krb5_data *output);
 
 krb5_error_code krb5int_hmac_iov
 (const struct krb5_hash_provider *hash,
+		krb5_key key,
+		const krb5_crypto_iov *data, size_t num_data,
+		krb5_data *output);
+
+krb5_error_code krb5int_hmac_keyblock
+(const struct krb5_hash_provider *hash,
+		const krb5_keyblock *key, unsigned int icount,
+		const krb5_data *input, krb5_data *output);
+
+krb5_error_code krb5int_hmac_iov_keyblock
+(const struct krb5_hash_provider *hash,
 		const krb5_keyblock *key,
 		const krb5_crypto_iov *data, size_t num_data,
 		krb5_data *output);
@@ -2465,10 +2476,10 @@
 		krb5_data *enc_data);
 
 krb5_error_code
-krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output);
 krb5_error_code
-krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output);
 
 struct _krb5_kt {	/* should move into k5-int.h */

Modified: branches/enc-perf/src/lib/crypto/builtin/aes/aes_s2k.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/aes/aes_s2k.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/aes/aes_s2k.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -44,6 +44,7 @@
     unsigned long iter_count;
     krb5_data out;
     static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+    krb5_key tempkey = NULL;
     krb5_error_code err;
 
     if (params) {
@@ -66,25 +67,25 @@
     if (iter_count >= MAX_ITERATION_COUNT)
 	return KRB5_ERR_BAD_S2K_PARAMS;
 
-    /*
-     * Dense key space, no parity bits or anything, so take a shortcut
-     * and use the key contents buffer for the generated bytes.
-     */
+    /* Use the output keyblock contents for temporary space. */
     out.data = (char *) key->contents;
     out.length = key->length;
     if (out.length != 16 && out.length != 32)
 	return KRB5_CRYPTO_INTERNAL;
 
     err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
-    if (err) {
-	memset(out.data, 0, out.length);
-	return err;
-    }
+    if (err)
+	goto cleanup;
 
-    err = krb5_derive_key (enc, key, key, &usage);
-    if (err) {
-	memset(out.data, 0, out.length);
-	return err;
-    }
-    return 0;
+    err = krb5_k_create_key (NULL, key, &tempkey);
+    if (err)
+	goto cleanup;
+
+    err = krb5_derive_keyblock (enc, tempkey, key, &usage);
+
+cleanup:
+    if (err)
+	memset (out.data, 0, out.length);
+    krb5_k_free_key (NULL, tempkey);
+    return err;
 }

Modified: branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -64,11 +64,12 @@
 krb5_error_code
 krb5_arcfour_encrypt(const struct krb5_enc_provider *enc,
 		     const struct krb5_hash_provider *hash,
-		     const krb5_keyblock *key, krb5_keyusage usage,
+		     krb5_key key, krb5_keyusage usage,
 		     const krb5_data *ivec, const krb5_data *input,
 		     krb5_data *output)
 {
   krb5_keyblock k1, k2, k3;
+  krb5_key k3key = NULL;
   krb5_data d1, d2, d3, salt, plaintext, checksum, ciphertext, confounder;
   krb5_keyusage ms_usage;
   size_t keylength, keybytes, blocksize, hashsize;
@@ -83,7 +84,7 @@
   d1.data=malloc(d1.length);
   if (d1.data == NULL)
     return (ENOMEM);
-  k1 = *key;
+  k1 = key->keyblock;
   k1.length=d1.length;
   k1.contents= (void *) d1.data;
 
@@ -93,7 +94,7 @@
     free(d1.data);
     return (ENOMEM);
   }
-  k2 = *key;
+  k2 = key->keyblock;
   k2.length=d2.length;
   k2.contents=(void *) d2.data;
 
@@ -104,7 +105,7 @@
     free(d2.data);
     return (ENOMEM);
   }
-  k3 = *key;
+  k3 = key->keyblock;
   k3.length=d3.length;
   k3.contents= (void *) d3.data;
 
@@ -140,7 +141,7 @@
 
   /* begin the encryption, computer K1 */
   ms_usage=krb5int_arcfour_translate_usage(usage);
-  if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+  if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
     strncpy(salt.data, krb5int_arcfour_l40, salt.length);
     store_32_le(ms_usage, salt.data+10);
   } else {
@@ -151,7 +152,7 @@
 
   memcpy(k2.contents, k1.contents, k2.length);
 
-  if (key->enctype==ENCTYPE_ARCFOUR_HMAC_EXP)
+  if (key->keyblock.enctype==ENCTYPE_ARCFOUR_HMAC_EXP)
     memset(k1.contents+7, 0xab, 9);
 
   ret=krb5_c_random_make_octets(/* XXX */ 0, &confounder);
@@ -159,12 +160,20 @@
   if (ret)
     goto cleanup;
 
-  krb5_hmac(hash, &k2, 1, &plaintext, &checksum);
+  ret = krb5int_hmac_keyblock(hash, &k2, 1, &plaintext, &checksum);
+  if (ret)
+    goto cleanup;
 
-  krb5_hmac(hash, &k1, 1, &checksum, &d3);
+  ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
+  if (ret)
+    goto cleanup;
 
-  ret=(*(enc->encrypt))(&k3, ivec, &plaintext, &ciphertext);
+  ret = krb5_k_create_key(NULL, &k3, &k3key);
+  if (ret)
+    goto cleanup;
 
+  ret=(*(enc->encrypt))(k3key, ivec, &plaintext, &ciphertext);
+
  cleanup:
   memset(d1.data, 0, d1.length);
   memset(d2.data, 0, d2.length);
@@ -184,11 +193,12 @@
 krb5_error_code
 krb5_arcfour_decrypt(const struct krb5_enc_provider *enc,
 		     const struct krb5_hash_provider *hash,
-		     const krb5_keyblock *key, krb5_keyusage usage,
+		     krb5_key key, krb5_keyusage usage,
 		     const krb5_data *ivec, const krb5_data *input,
 		     krb5_data *output)
 {
   krb5_keyblock k1,k2,k3;
+  krb5_key k3key;
   krb5_data d1,d2,d3,salt,ciphertext,plaintext,checksum;
   krb5_keyusage ms_usage;
   size_t keybytes, keylength, hashsize, blocksize;
@@ -203,7 +213,7 @@
   d1.data=malloc(d1.length);
   if (d1.data == NULL)
     return (ENOMEM);
-  k1 = *key;
+  k1 = key->keyblock;
   k1.length=d1.length;
   k1.contents= (void *) d1.data;
 
@@ -213,7 +223,7 @@
     free(d1.data);
     return (ENOMEM);
   }
-  k2 = *key;
+  k2 = key->keyblock;
   k2.length=d2.length;
   k2.contents= (void *) d2.data;
 
@@ -224,7 +234,7 @@
     free(d2.data);
     return (ENOMEM);
   }
-  k3 = *key;
+  k3 = key->keyblock;
   k3.length=d3.length;
   k3.contents= (void *) d3.data;
 
@@ -257,7 +267,7 @@
   /* We may have to try two ms_usage values; see below. */
   do {
       /* compute the salt */
-      if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+      if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
 	  strncpy(salt.data, krb5int_arcfour_l40, salt.length);
 	  store_32_le(ms_usage, salt.data + 10);
       } else {
@@ -270,18 +280,22 @@
 
       memcpy(k2.contents, k1.contents, k2.length);
 
-      if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+      if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
 	  memset(k1.contents + 7, 0xab, 9);
 
-      ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+      ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
       if (ret)
 	  goto cleanup;
 
-      ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext);
+      ret = krb5_k_create_key(NULL, &k3, &k3key);
       if (ret)
+	goto cleanup;
+      ret = (*(enc->decrypt))(k3key, ivec, &ciphertext, &plaintext);
+      krb5_k_free_key(NULL, k3key);
+      if (ret)
 	  goto cleanup;
 
-      ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1);
+      ret = krb5int_hmac_keyblock(hash, &k2, 1, &plaintext, &d1);
       if (ret)
 	  goto cleanup;
 

Modified: branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.h
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -10,7 +10,7 @@
 extern 
 krb5_error_code krb5_arcfour_encrypt(const struct krb5_enc_provider *,
 			const struct krb5_hash_provider *,
-			const krb5_keyblock *,
+			krb5_key,
 			krb5_keyusage,
 			const krb5_data *,
      			const krb5_data *,
@@ -19,7 +19,7 @@
 extern 
 krb5_error_code krb5_arcfour_decrypt(const struct krb5_enc_provider *,
 			const struct krb5_hash_provider *,
-			const krb5_keyblock *,
+			krb5_key,
 			krb5_keyusage,
 			const krb5_data *,
 			const krb5_data *,

Modified: branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour_aead.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour_aead.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/arcfour/arcfour_aead.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -82,7 +82,7 @@
 krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
 			    const struct krb5_enc_provider *enc,
 			    const struct krb5_hash_provider *hash,
-			    const krb5_keyblock *key,
+			    krb5_key key,
 			    krb5_keyusage usage,
 			    const krb5_data *ivec,
 			    krb5_crypto_iov *data,
@@ -91,6 +91,7 @@
     krb5_error_code ret;
     krb5_crypto_iov *header, *trailer;
     krb5_keyblock k1, k2, k3;
+    krb5_key k3key = NULL;
     krb5_data d1, d2, d3;
     krb5_data checksum, confounder, header_data;
     krb5_keyusage ms_usage;
@@ -126,15 +127,15 @@
 	    data[i].data.length = 0;
     }
 
-    ret = alloc_derived_key(enc, &k1, &d1, key);
+    ret = alloc_derived_key(enc, &k1, &d1, &key->keyblock);
     if (ret != 0)
 	goto cleanup;
 
-    ret = alloc_derived_key(enc, &k2, &d2, key);
+    ret = alloc_derived_key(enc, &k2, &d2, &key->keyblock);
     if (ret != 0)
 	goto cleanup;
 
-    ret = alloc_derived_key(enc, &k3, &d3, key);
+    ret = alloc_derived_key(enc, &k3, &d3, &key->keyblock);
     if (ret != 0)
 	goto cleanup;
 
@@ -144,7 +145,7 @@
 
     ms_usage = krb5int_arcfour_translate_usage(usage);
 
-    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+    if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
 	strncpy(salt.data, krb5int_arcfour_l40, salt.length);
 	store_32_le(ms_usage, salt.data + 10);
     } else {
@@ -157,7 +158,7 @@
 
     memcpy(k2.contents, k1.contents, k2.length);
 
-    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+    if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
 	memset(k1.contents + 7, 0xAB, 9);
 
     header->data.length = hash->hashsize + CONFOUNDERLENGTH;
@@ -176,18 +177,22 @@
     header->data.length -= hash->hashsize;
     header->data.data   += hash->hashsize;
 
-    ret = krb5int_hmac_iov(hash, &k2, data, num_data, &checksum);
+    ret = krb5int_hmac_iov_keyblock(hash, &k2, data, num_data, &checksum);
     if (ret != 0)
 	goto cleanup;
 
-    ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+    ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
     if (ret != 0)
 	goto cleanup;
 
-    ret = enc->encrypt_iov(&k3, ivec, data, num_data);
+    ret = krb5_k_create_key(NULL, &k3, &k3key);
     if (ret != 0)
 	goto cleanup;
 
+    ret = enc->encrypt_iov(k3key, ivec, data, num_data);
+    if (ret != 0)
+	goto cleanup;
+
 cleanup:
     header->data = header_data; /* restore header pointers */
 
@@ -204,6 +209,7 @@
 	free(d3.data);
     }
 
+    krb5_k_free_key(NULL, k3key);
     return ret;
 }
 
@@ -211,7 +217,7 @@
 krb5int_arcfour_decrypt_iov(const struct krb5_aead_provider *aead,
 			    const struct krb5_enc_provider *enc,
 			    const struct krb5_hash_provider *hash,
-			    const krb5_keyblock *key,
+			    krb5_key key,
 			    krb5_keyusage usage,
 			    const krb5_data *ivec,
 			    krb5_crypto_iov *data,
@@ -220,6 +226,7 @@
     krb5_error_code ret;
     krb5_crypto_iov *header, *trailer;
     krb5_keyblock k1, k2, k3;
+    krb5_key k3key = NULL;
     krb5_data d1, d2, d3;
     krb5_data checksum, header_data;
     krb5_keyusage ms_usage;
@@ -240,15 +247,15 @@
     if (trailer != NULL && trailer->data.length != 0)
 	return KRB5_BAD_MSIZE;
     
-    ret = alloc_derived_key(enc, &k1, &d1, key);
+    ret = alloc_derived_key(enc, &k1, &d1, &key->keyblock);
     if (ret != 0)
 	goto cleanup;
 
-    ret = alloc_derived_key(enc, &k2, &d2, key);
+    ret = alloc_derived_key(enc, &k2, &d2, &key->keyblock);
     if (ret != 0)
 	goto cleanup;
 
-    ret = alloc_derived_key(enc, &k3, &d3, key);
+    ret = alloc_derived_key(enc, &k3, &d3, &key->keyblock);
     if (ret != 0)
 	goto cleanup;
 
@@ -258,7 +265,7 @@
 
     ms_usage = krb5int_arcfour_translate_usage(usage);
 
-    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
+    if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
 	strncpy(salt.data, krb5int_arcfour_l40, salt.length);
 	store_32_le(ms_usage, (unsigned char *)salt.data + 10);
     } else {
@@ -271,7 +278,7 @@
 
     memcpy(k2.contents, k1.contents, k2.length);
 
-    if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
+    if (key->keyblock.enctype == ENCTYPE_ARCFOUR_HMAC_EXP)
 	memset(k1.contents + 7, 0xAB, 9);
 
     checksum.data = header->data.data;
@@ -281,18 +288,22 @@
     header->data.length -= hash->hashsize;
     header->data.data   += hash->hashsize;
 
-    ret = krb5_hmac(hash, &k1, 1, &checksum, &d3);
+    ret = krb5int_hmac_keyblock(hash, &k1, 1, &checksum, &d3);
     if (ret != 0)
 	goto cleanup;
 
-    ret = enc->decrypt_iov(&k3, ivec, data, num_data);
+    ret = krb5_k_create_key(NULL, &k3, &k3key);
     if (ret != 0)
 	goto cleanup;
 
-    ret = krb5int_hmac_iov(hash, &k2, data, num_data, &d1);
+    ret = enc->decrypt_iov(k3key, ivec, data, num_data);
     if (ret != 0)
 	goto cleanup;
 
+    ret = krb5int_hmac_iov_keyblock(hash, &k2, data, num_data, &d1);
+    if (ret != 0)
+	goto cleanup;
+
     if (memcmp(checksum.data, d1.data, hash->hashsize) != 0) {
 	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 	goto cleanup;
@@ -314,6 +325,7 @@
 	free(d3.data);
     }
 
+    krb5_k_free_key(NULL, k3key);
     return ret;
 }
 

Modified: branches/enc-perf/src/lib/crypto/builtin/enc_provider/aes.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/enc_provider/aes.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/enc_provider/aes.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -86,7 +86,7 @@
 }
 
 krb5_error_code
-krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output)
 {
     aes_ctx ctx;
@@ -95,7 +95,8 @@
 
 /*    CHECK_SIZES; */
 
-    if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_enc_key(key->keyblock.contents, key->keyblock.length,
+		    &ctx) != aes_good)
 	abort();
 
     if (ivec)
@@ -140,7 +141,7 @@
 }
 
 krb5_error_code
-krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
 		    const krb5_data *input, krb5_data *output)
 {
     aes_ctx ctx;
@@ -149,7 +150,8 @@
 
     CHECK_SIZES;
 
-    if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_dec_key(key->keyblock.contents, key->keyblock.length,
+		    &ctx) != aes_good)
 	abort();
 
     if (ivec)
@@ -200,7 +202,7 @@
 }
 
 static krb5_error_code
-krb5int_aes_encrypt_iov(const krb5_keyblock *key,
+krb5int_aes_encrypt_iov(krb5_key key,
 		        const krb5_data *ivec,
 		        krb5_crypto_iov *data,
 		        size_t num_data)
@@ -210,7 +212,8 @@
     int nblocks = 0, blockno;
     size_t input_length, i;
 
-    if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_enc_key(key->keyblock.contents, key->keyblock.length, &ctx)
+	!= aes_good)
 	abort();
 
     if (ivec != NULL)
@@ -280,7 +283,7 @@
 }
 
 static krb5_error_code
-krb5int_aes_decrypt_iov(const krb5_keyblock *key,
+krb5int_aes_decrypt_iov(krb5_key key,
 		        const krb5_data *ivec,
 		        krb5_crypto_iov *data,
 		        size_t num_data)
@@ -293,7 +296,8 @@
 
     CHECK_SIZES;
 
-    if (aes_dec_key(key->contents, key->length, &ctx) != aes_good)
+    if (aes_dec_key(key->keyblock.contents, key->keyblock.length,
+		    &ctx) != aes_good)
 	abort();
 
     if (ivec != NULL)

Modified: branches/enc-perf/src/lib/crypto/builtin/enc_provider/des.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/enc_provider/des.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/enc_provider/des.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -32,14 +32,14 @@
 
 
 static krb5_error_code
-k5_des_docrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_docrypt(krb5_key key, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output, int enc)
 {
     mit_des_key_schedule schedule;
 
-    /* key->enctype was checked by the caller */
+    /* key->keyblock.enctype was checked by the caller */
 
-    if (key->length != 8)
+    if (key->keyblock.length != 8)
 	return(KRB5_BAD_KEYSIZE);
     if ((input->length%8) != 0)
 	return(KRB5_BAD_MSIZE);
@@ -48,7 +48,7 @@
     if (input->length != output->length)
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des_key_sched(key->contents, schedule)) {
+    switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
     case -2:
@@ -71,30 +71,30 @@
 }
 
 static krb5_error_code
-k5_des_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_encrypt(krb5_key key, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output)
 {
     return(k5_des_docrypt(key, ivec, input, output, 1));
 }
 
 static krb5_error_code
-k5_des_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_decrypt(krb5_key key, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output)
 {
     return(k5_des_docrypt(key, ivec, input, output, 0));
 }
 
 static krb5_error_code
-k5_des_docrypt_iov(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des_docrypt_iov(krb5_key key, const krb5_data *ivec,
 		   krb5_crypto_iov *data, size_t num_data, int enc)
 {
     mit_des_key_schedule schedule;
     size_t input_length = 0;
     unsigned int i;
 
-    /* key->enctype was checked by the caller */
+    /* key->keyblock.enctype was checked by the caller */
 
-    if (key->length != 8)
+    if (key->keyblock.length != 8)
 	return(KRB5_BAD_KEYSIZE);
 
     for (i = 0; i < num_data; i++) {
@@ -109,7 +109,7 @@
     if (ivec && (ivec->length != 8))
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des_key_sched(key->contents, schedule)) {
+    switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
     case -2:
@@ -128,7 +128,7 @@
 }
 
 static krb5_error_code
-k5_des_encrypt_iov(const krb5_keyblock *key,
+k5_des_encrypt_iov(krb5_key key,
 		    const krb5_data *ivec,
 		    krb5_crypto_iov *data,
 		    size_t num_data)
@@ -137,7 +137,7 @@
 }
 
 static krb5_error_code
-k5_des_decrypt_iov(const krb5_keyblock *key,
+k5_des_decrypt_iov(krb5_key key,
 		   const krb5_data *ivec,
 		   krb5_crypto_iov *data,
 		   size_t num_data)

Modified: branches/enc-perf/src/lib/crypto/builtin/enc_provider/des3.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/enc_provider/des3.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/enc_provider/des3.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -30,13 +30,13 @@
 #include <rand2key.h>
 
 static krb5_error_code
-validate_and_schedule(const krb5_keyblock *key, const krb5_data *ivec,
+validate_and_schedule(krb5_key key, const krb5_data *ivec,
 		      const krb5_data *input, const krb5_data *output,
 		      mit_des3_key_schedule *schedule)
 {
-    /* key->enctype was checked by the caller */
+    /* key->keyblock.enctype was checked by the caller */
 
-    if (key->length != 24)
+    if (key->keyblock.length != 24)
 	return(KRB5_BAD_KEYSIZE);
     if ((input->length%8) != 0)
 	return(KRB5_BAD_MSIZE);
@@ -45,7 +45,7 @@
     if (input->length != output->length)
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->keyblock.contents,
 			       *schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
@@ -56,7 +56,7 @@
 }
 
 static krb5_error_code
-validate_and_schedule_iov(const krb5_keyblock *key, const krb5_data *ivec,
+validate_and_schedule_iov(krb5_key key, const krb5_data *ivec,
 			  const krb5_crypto_iov *data, size_t num_data,
 			  mit_des3_key_schedule *schedule)
 {
@@ -69,14 +69,14 @@
 	    input_length += iov->data.length;
     }
 
-    if (key->length != 24)
+    if (key->keyblock.length != 24)
 	return(KRB5_BAD_KEYSIZE);
     if ((input_length%8) != 0)
 	return(KRB5_BAD_MSIZE);
     if (ivec && (ivec->length != 8))
 	return(KRB5_BAD_MSIZE);
 
-    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->contents,
+    switch (mit_des3_key_sched(*(mit_des3_cblock *)key->keyblock.contents,
 			       *schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
@@ -87,7 +87,7 @@
 }
 
 static krb5_error_code
-k5_des3_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des3_encrypt(krb5_key key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
     mit_des3_key_schedule schedule;
@@ -109,7 +109,7 @@
 }
 
 static krb5_error_code
-k5_des3_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
+k5_des3_decrypt(krb5_key key, const krb5_data *ivec,
 		const krb5_data *input, krb5_data *output)
 {
     mit_des3_key_schedule schedule;
@@ -131,7 +131,7 @@
 }
 
 static krb5_error_code
-k5_des3_encrypt_iov(const krb5_keyblock *key,
+k5_des3_encrypt_iov(krb5_key key,
 		    const krb5_data *ivec,
 		    krb5_crypto_iov *data,
 		    size_t num_data)
@@ -154,7 +154,7 @@
 }
 
 static krb5_error_code
-k5_des3_decrypt_iov(const krb5_keyblock *key,
+k5_des3_decrypt_iov(krb5_key key,
 		    const krb5_data *ivec,
 		    krb5_crypto_iov *data,
 		    size_t num_data)

Modified: branches/enc-perf/src/lib/crypto/builtin/enc_provider/rc4.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/enc_provider/rc4.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/enc_provider/rc4.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -29,7 +29,7 @@
 
 /* Interface layer to kerb5 crypto layer */
 static krb5_error_code
-k5_arcfour_docrypt(const krb5_keyblock *, const krb5_data *,
+k5_arcfour_docrypt(krb5_key, const krb5_data *,
 		   const krb5_data *, krb5_data *);
 
 static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
@@ -113,14 +113,14 @@
 
 /* The workhorse of the arcfour system, this impliments the cipher */
 static krb5_error_code
-k5_arcfour_docrypt(const krb5_keyblock *key, const krb5_data *state,
+k5_arcfour_docrypt(krb5_key key, const krb5_data *state,
 	       const krb5_data *input, krb5_data *output)
 {
   ArcfourContext *arcfour_ctx;
   ArcFourCipherState *cipher_state;
   int ret;
 
-  if (key->length != 16)
+  if (key->keyblock.length != 16)
     return(KRB5_BAD_KEYSIZE);
   if (state && (state->length != sizeof (ArcFourCipherState)))
     return(KRB5_BAD_MSIZE);
@@ -131,7 +131,8 @@
     cipher_state = (ArcFourCipherState *) state->data;
     arcfour_ctx=&cipher_state->ctx;
     if (cipher_state->initialized == 0) {
-      if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+      if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+			       key->keyblock.length))) {
 	return ret;
       }
       cipher_state->initialized = 1;
@@ -142,7 +143,8 @@
     arcfour_ctx=malloc(sizeof (ArcfourContext));
     if (arcfour_ctx == NULL)
       return ENOMEM;
-    if ((ret=k5_arcfour_init(arcfour_ctx, key->contents, key->length))) {
+    if ((ret=k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+			     key->keyblock.length))) {
       free(arcfour_ctx);
       return (ret);
     }
@@ -157,7 +159,7 @@
 
 /* In-place encryption */
 static krb5_error_code
-k5_arcfour_docrypt_iov(const krb5_keyblock *key,
+k5_arcfour_docrypt_iov(krb5_key key,
 		       const krb5_data *state,
 		       krb5_crypto_iov *data,
 		       size_t num_data)
@@ -167,7 +169,7 @@
     krb5_error_code ret;
     size_t i;
 
-    if (key->length != 16)
+    if (key->keyblock.length != 16)
 	return KRB5_BAD_KEYSIZE;
     if (state != NULL && (state->length != sizeof(ArcFourCipherState)))
 	return KRB5_BAD_MSIZE;
@@ -176,7 +178,8 @@
 	cipher_state = (ArcFourCipherState *)state->data;
 	arcfour_ctx = &cipher_state->ctx;
 	if (cipher_state->initialized == 0) {
-	    ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+	    ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+				  key->keyblock.length);
 	    if (ret != 0)
 		return ret;
 
@@ -187,7 +190,8 @@
 	if (arcfour_ctx == NULL)
 	    return ENOMEM;
 
-	ret = k5_arcfour_init(arcfour_ctx, key->contents, key->length);
+	ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents,
+			      key->keyblock.length);
 	if (ret != 0) {
 	    free(arcfour_ctx);
 	    return ret;

Modified: branches/enc-perf/src/lib/crypto/builtin/hmac.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/hmac.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/hmac.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -28,6 +28,17 @@
 #include "aead.h"
 
 /*
+ * Because our built-in HMAC implementation doesn't need to invoke any
+ * encryption or keyed hash functions, it is simplest to define it in
+ * terms of keyblocks, and then supply a simple wrapper for the
+ * "normal" krb5_key-using interfaces.  The keyblock interfaces are
+ * useful for the biult-in arcfour code which constructs a lot of
+ * intermediate HMAC keys.  For other back ends, it should not be
+ * necessary to supply the _keyblock versions of the hmac functions if
+ * the back end code doesn't make use of them.
+ */
+
+/*
  * the HMAC transform looks like:
  *
  * H(K XOR opad, H(K XOR ipad, text))
@@ -40,8 +51,9 @@
  */
 
 krb5_error_code
-krb5_hmac(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
-          unsigned int icount, const krb5_data *input, krb5_data *output)
+krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
+		      const krb5_keyblock *key, unsigned int icount,
+		      const krb5_data *input, krb5_data *output)
 {
     size_t hashsize, blocksize;
     unsigned char *xorkey, *ihash;
@@ -127,8 +139,10 @@
 }
 
 krb5_error_code
-krb5int_hmac_iov(const struct krb5_hash_provider *hash, const krb5_keyblock *key,
-                 const krb5_crypto_iov *data, size_t num_data, krb5_data *output)
+krb5int_hmac_iov_keyblock(const struct krb5_hash_provider *hash,
+			  const krb5_keyblock *key,
+			  const krb5_crypto_iov *data, size_t num_data,
+			  krb5_data *output)
 {
     krb5_data *sign_data;
     size_t num_sign_data;
@@ -156,10 +170,25 @@
     }
 
     /* caller must store checksum in iov as it may be TYPE_TRAILER or TYPE_CHECKSUM */
-    ret = krb5_hmac(hash, key, num_sign_data, sign_data, output);
+    ret = krb5int_hmac_keyblock(hash, key, num_sign_data, sign_data, output);
 
     free(sign_data);
 
     return ret;
 }
 
+krb5_error_code
+krb5_hmac(const struct krb5_hash_provider *hash, krb5_key key,
+	  unsigned int icount, const krb5_data *input, krb5_data *output)
+{
+    return krb5int_hmac_keyblock(hash, &key->keyblock, icount, input, output);
+}
+
+krb5_error_code
+krb5int_hmac_iov(const struct krb5_hash_provider *hash, krb5_key key,
+		 const krb5_crypto_iov *data, size_t num_data,
+		 krb5_data *output)
+{
+    return krb5int_hmac_iov_keyblock(hash, &key->keyblock, data, num_data,
+				     output);
+}

Modified: branches/enc-perf/src/lib/crypto/builtin/pbkdf2.c
===================================================================
--- branches/enc-perf/src/lib/crypto/builtin/pbkdf2.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/builtin/pbkdf2.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -25,19 +25,36 @@
  * 
  *
  * Implementation of PBKDF2 from RFC 2898.
- * Not currently used; likely to be used when we get around to AES support.
  */
 
 #include <ctype.h>
 #include "k5-int.h"
 #include "hash_provider.h"
 
+/*
+ * RFC 2898 specifies PBKDF2 in terms of an underlying pseudo-random
+ * function with two arguments (password and salt||blockindex).  Right
+ * now we only use PBKDF2 with the hmac-sha1 PRF, also specified in
+ * RFC 2898, which invokes HMAC with the password as the key and the
+ * second argument as the text.  (HMAC accepts any key size up to the
+ * block size; the password is pre-hashed with unkeyed SHA1 if it is
+ * longer than the block size.)
+ *
+ * For efficiency, it is better to generate the key from the password
+ * once at the beginning, so we specify prf_func in terms of a
+ * krb5_key first argument.  That might not be convenient for a PRF
+ * which uses the password in some other way, so this might need to be
+ * adjusted in the future.
+ */
+
+typedef krb5_error_code (*prf_func)(krb5_key pass, krb5_data *salt,
+				    krb5_data *out);
+
 /* Not exported, for now.  */
 static krb5_error_code
-krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
-				       krb5_data *),
-		size_t hlen, const krb5_data *pass, const krb5_data *salt,
-		unsigned long count, const krb5_data *output);
+krb5int_pbkdf2 (prf_func prf, size_t hlen, krb5_key pass,
+		const krb5_data *salt, unsigned long count,
+		const krb5_data *output);
 
 static int debug_hmac = 0;
 
@@ -61,35 +78,21 @@
     }
     printf("\n");
 }
-static void printk(const char *descr, krb5_keyblock *k) {
-    krb5_data d;
-    d.data = (char *) k->contents;
-    d.length = k->length;
-    printd(descr, &d);
-}
 
 static krb5_error_code
-F(char *output, char *u_tmp1, char *u_tmp2,
-  krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, krb5_data *),
-  size_t hlen,
-  const krb5_data *pass, const krb5_data *salt,
-  unsigned long count, int i)
+F(char *output, char *u_tmp1, char *u_tmp2, prf_func prf, size_t hlen,
+  krb5_key pass, const krb5_data *salt, unsigned long count, int i)
 {
     unsigned char ibytes[4];
     size_t tlen;
     unsigned int j, k;
-    krb5_keyblock pdata;
     krb5_data sdata;
     krb5_data out;
     krb5_error_code err;
 
-    pdata.contents = pass->data;
-    pdata.length = pass->length;
-
 #if 0
     printf("F(i=%d, count=%lu, pass=%d:%s)\n", i, count,
 	   pass->length, pass->data);
-    printk("F password", &pdata);
 #endif
 
     /* Compute U_1.  */
@@ -112,7 +115,7 @@
 #if 0
     printf("F: computing hmac #1 (U_1) with %s\n", pdata.contents);
 #endif
-    err = (*prf)(&pdata, &sdata, &out);
+    err = (*prf)(pass, &sdata, &out);
     if (err)
 	return err;
 #if 0
@@ -127,7 +130,7 @@
 	printf("F: computing hmac #%d (U_%d)\n", j, j);
 #endif
 	memcpy(u_tmp2, u_tmp1, hlen);
-	err = (*prf)(&pdata, &sdata, &out);
+	err = (*prf)(pass, &sdata, &out);
 	if (err)
 	    return err;
 #if 0
@@ -147,11 +150,9 @@
 }
 
 static krb5_error_code
-krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *,
-				       krb5_data *),
-		size_t hlen,
-		const krb5_data *pass, const krb5_data *salt,
-		unsigned long count, const krb5_data *output)
+krb5int_pbkdf2 (prf_func prf, size_t hlen, krb5_key pass,
+		const krb5_data *salt, unsigned long count,
+		const krb5_data *output)
 {
     int l, r, i;
     char *utmp1, *utmp2;
@@ -209,57 +210,55 @@
     return 0;
 }
 
-static krb5_error_code hmac1(const struct krb5_hash_provider *h,
-			     krb5_keyblock *key, krb5_data *in, krb5_data *out)
+/*
+ * Implements the hmac-sha1 PRF.  pass has been pre-hashed (if
+ * necessary) and converted to a key already; salt has had the block
+ * index appended to the original salt.
+ */
+static krb5_error_code
+hmac_sha1(krb5_key pass, krb5_data *salt, krb5_data *out)
 {
-    char tmp[40];
-    size_t blocksize, hashsize;
+    const struct krb5_hash_provider *h = &krb5int_hash_sha1;
     krb5_error_code err;
-    krb5_keyblock k;
 
-    k = *key;
-    key = &k;
     if (debug_hmac)
-	printk(" test key", key);
-    blocksize = h->blocksize;
-    hashsize = h->hashsize;
-    if (hashsize > sizeof(tmp))
-	abort();
-    if (key->length > blocksize) {
-	krb5_data d, d2;
-	d.data = (char *) key->contents;
-	d.length = key->length;
-	d2.data = tmp;
-	d2.length = hashsize;
-	err = h->hash (1, &d, &d2);
-	if (err)
-	    return err;
-	key->length = d2.length;
-	key->contents = (krb5_octet *) d2.data;
-	if (debug_hmac)
-	    printk(" pre-hashed key", key);
-    }
-    if (debug_hmac)
-	printd(" hmac input", in);
-    err = krb5_hmac(h, key, 1, in, out);
+	printd(" hmac input", salt);
+    err = krb5_hmac(h, pass, 1, salt, out);
     if (err == 0 && debug_hmac)
 	printd(" hmac output", out);
     return err;
 }
 
-static krb5_error_code
-foo(krb5_keyblock *pass, krb5_data *salt, krb5_data *out)
+krb5_error_code
+krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
+			  const krb5_data *pass, const krb5_data *salt)
 {
+    const struct krb5_hash_provider *h = &krb5int_hash_sha1;
+    krb5_keyblock keyblock;
+    krb5_key key;
+    char tmp[40];
+    krb5_data d;
     krb5_error_code err;
 
-    memset(out->data, 0, out->length);
-    err = hmac1 (&krb5int_hash_sha1, pass, salt, out);
+    assert(h->hashsize <= sizeof(tmp));
+    if (pass->length > h->blocksize) {
+	d.data = tmp;
+	d.length = h->hashsize;
+	err = h->hash (1, pass, &d);
+	if (err)
+	    return err;
+	keyblock.length = d.length;
+	keyblock.contents = (krb5_octet *) d.data;
+    } else {
+	keyblock.length = pass->length;
+	keyblock.contents = (krb5_octet *) pass->data;
+    }
+
+    err = krb5_k_create_key(NULL, &keyblock, &key);
+    if (err)
+	return err;
+
+    err = krb5int_pbkdf2(hmac_sha1, 20, key, salt, count, out);
+    krb5_k_free_key(NULL, key);
     return err;
 }
-
-krb5_error_code
-krb5int_pbkdf2_hmac_sha1 (const krb5_data *out, unsigned long count,
-			  const krb5_data *pass, const krb5_data *salt)
-{
-    return krb5int_pbkdf2 (foo, 20, pass, salt, count, out);
-}

Modified: branches/enc-perf/src/lib/crypto/krb/aead.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/aead.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/aead.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -93,7 +93,7 @@
 
 krb5_error_code 
 krb5int_c_make_checksum_iov(const struct krb5_cksumtypes *cksum_type,
-			    const krb5_keyblock *key,
+			    krb5_key key,
 			    krb5_keyusage usage,
 			    const krb5_crypto_iov *data,
 			    size_t num_data,
@@ -107,7 +107,7 @@
 
 	if (cksum_type->keyed_etype) {
 	    e1 = find_enctype(cksum_type->keyed_etype);
-	    e2 = find_enctype(key->enctype);
+	    e2 = find_enctype(key->keyblock.enctype);
 	    if (e1 == NULL || e2 == NULL || e1->enc != e2->enc) {
 		ret = KRB5_BAD_ENCTYPE;
 		goto cleanup;
@@ -338,7 +338,7 @@
 krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
 			     const struct krb5_enc_provider *enc,
 			     const struct krb5_hash_provider *hash,
-			     const krb5_keyblock *key,
+			     krb5_key key,
 			     krb5_keyusage keyusage,
 			     const krb5_data *ivec,
 			     krb5_crypto_iov *data,
@@ -451,7 +451,7 @@
 krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead,
 			      const struct krb5_enc_provider *enc,
 			      const struct krb5_hash_provider *hash,
-			      const krb5_keyblock *key, krb5_keyusage usage,
+			      krb5_key key, krb5_keyusage usage,
 			      const krb5_data *ivec, const krb5_data *input,
 			      krb5_data *output)
 {
@@ -513,7 +513,7 @@
 krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
 			      const struct krb5_enc_provider *enc,
 			      const struct krb5_hash_provider *hash,
-			      const krb5_keyblock *key, krb5_keyusage usage,
+			      krb5_key key, krb5_keyusage usage,
 			      const krb5_data *ivec, const krb5_data *input,
 			      krb5_data *output)
 {

Modified: branches/enc-perf/src/lib/crypto/krb/aead.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/aead.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/aead.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -36,7 +36,7 @@
 
 krb5_error_code
 krb5int_c_make_checksum_iov(const struct krb5_cksumtypes *cksum,
-			    const krb5_keyblock *key,
+			    krb5_key key,
 			    krb5_keyusage usage,
 			    const krb5_crypto_iov *data,
 			    size_t num_data,
@@ -87,7 +87,7 @@
 krb5int_c_iov_decrypt_stream(const struct krb5_aead_provider *aead,
 			     const struct krb5_enc_provider *enc,
 			     const struct krb5_hash_provider *hash,
-			     const krb5_keyblock *key,
+			     krb5_key key,
 			     krb5_keyusage keyusage,
 			     const krb5_data *ivec,
 			     krb5_crypto_iov *data,
@@ -97,7 +97,7 @@
 krb5int_c_decrypt_aead_compat(const struct krb5_aead_provider *aead,
 			      const struct krb5_enc_provider *enc,
 			      const struct krb5_hash_provider *hash,
-			      const krb5_keyblock *key, krb5_keyusage usage,
+			      krb5_key key, krb5_keyusage usage,
 			      const krb5_data *ivec, const krb5_data *input,
 			      krb5_data *output);
 
@@ -105,7 +105,7 @@
 krb5int_c_encrypt_aead_compat(const struct krb5_aead_provider *aead,
 			      const struct krb5_enc_provider *enc,
 			      const struct krb5_hash_provider *hash,
-			      const krb5_keyblock *key, krb5_keyusage usage,
+			      krb5_key key, krb5_keyusage usage,
 			      const krb5_data *ivec, const krb5_data *input,
 			      krb5_data *output);
 

Modified: branches/enc-perf/src/lib/crypto/krb/combine_keys.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/combine_keys.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/combine_keys.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -79,7 +79,8 @@
     size_t keybytes, keylength;
     const struct krb5_enc_provider *enc;
     krb5_data input, randbits;
-    krb5_keyblock tkey;
+    krb5_keyblock tkeyblock;
+    krb5_key tkey = NULL;
     krb5_error_code ret;
     const struct krb5_keytypes *ktp;
     krb5_boolean myalloc = FALSE;
@@ -152,13 +153,17 @@
 
     randbits.length = keybytes;
     randbits.data = (char *) rnd;
-    tkey.length = keylength;
-    tkey.contents = output;
+    tkeyblock.length = keylength;
+    tkeyblock.contents = output;
 
-    ret = (*enc->make_key)(&randbits, &tkey);
+    ret = (*enc->make_key)(&randbits, &tkeyblock);
     if (ret)
 	goto cleanup;
 
+    ret = krb5_k_create_key(NULL, &tkeyblock, &tkey);
+    if (ret)
+	goto cleanup;
+
     /*
      * Run through derive-key one more time to produce the final key.
      * Note that the input to derive-key is the ASCII string "combine".
@@ -185,7 +190,7 @@
 	myalloc = TRUE;
     }
 
-    ret = krb5_derive_key(enc, &tkey, outkey, &input);
+    ret = krb5_derive_keyblock(enc, tkey, outkey, &input);
     if (ret) {
 	if (myalloc) {
 	    free(outkey->contents);
@@ -200,6 +205,7 @@
     zapfree(rnd, keybytes);
     zapfree(combined, keybytes * 2);
     zapfree(output, keylength);
+    krb5_k_free_key(NULL, tkey);
     return ret;
 }
 
@@ -215,6 +221,7 @@
     unsigned char *inblockdata = NULL, *outblockdata = NULL;
     krb5_data inblock, outblock;
     krb5_error_code ret;
+    krb5_key key = NULL;
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
@@ -226,6 +233,9 @@
     outblockdata = k5alloc(blocksize, &ret);
     if (ret)
 	goto cleanup;
+    ret = krb5_k_create_key(NULL, inkey, &key);
+    if (ret)
+	goto cleanup;
 
     inblock.data = (char *) inblockdata;
     inblock.length = blocksize;
@@ -246,7 +256,7 @@
 
     n = 0;
     while (n < keybytes) {
-	ret = (*enc->encrypt)(inkey, 0, &inblock, &outblock);
+	ret = (*enc->encrypt)(key, 0, &inblock, &outblock);
 	if (ret)
 	    goto cleanup;
 
@@ -263,6 +273,7 @@
 cleanup:
     zapfree(inblockdata, blocksize);
     zapfree(outblockdata, blocksize);
+    krb5_k_free_key(NULL, key);
     return ret;
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/decrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/decrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/decrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -29,13 +29,13 @@
 #include "aead.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_decrypt(krb5_context context, const krb5_keyblock *key,
+krb5_k_decrypt(krb5_context context, krb5_key key,
 	       krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_enc_data *input, krb5_data *output)
 {
     const struct krb5_keytypes *ktp;
 
-    ktp = find_enctype(key->enctype);
+    ktp = find_enctype(key->keyblock.enctype);
     if (ktp == NULL)
 	return KRB5_BAD_ENCTYPE;
 
@@ -53,3 +53,19 @@
     return (*ktp->decrypt)(ktp->enc, ktp->hash, key, usage, ivec,
 			   &input->ciphertext, output);
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_decrypt(krb5_context context, const krb5_keyblock *keyblock,
+	       krb5_keyusage usage, const krb5_data *ivec,
+	       const krb5_enc_data *input, krb5_data *output)
+{
+    krb5_key key;
+    krb5_error_code ret;
+
+    ret = krb5_k_create_key(context, keyblock, &key);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_decrypt(context, key, usage, ivec, input, output);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/decrypt_iov.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -29,8 +29,8 @@
 #include "aead.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_decrypt_iov(krb5_context context,
-		   const krb5_keyblock *key,
+krb5_k_decrypt_iov(krb5_context context,
+		   krb5_key key,
 		   krb5_keyusage usage,
 		   const krb5_data *cipher_state,
 		   krb5_crypto_iov *data,
@@ -38,7 +38,7 @@
 {
     const struct krb5_keytypes *ktp;
 
-    ktp = find_enctype(key->enctype);
+    ktp = find_enctype(key->keyblock.enctype);
     if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
 
@@ -53,3 +53,22 @@
 				     usage, cipher_state, data, num_data);
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_c_decrypt_iov(krb5_context context,
+		   const krb5_keyblock *keyblock,
+		   krb5_keyusage usage,
+		   const krb5_data *cipher_state,
+		   krb5_crypto_iov *data,
+		   size_t num_data)
+{
+    krb5_key key;
+    krb5_error_code ret;
+
+    ret = krb5_k_create_key(context, keyblock, &key);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_decrypt_iov(context, key, usage, cipher_state, data,
+			     num_data);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/dk/checksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/checksum.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/dk/checksum.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -33,19 +33,17 @@
 
 krb5_error_code
 krb5_dk_make_checksum(const struct krb5_hash_provider *hash,
-		      const krb5_keyblock *key, krb5_keyusage usage,
+		      krb5_key key, krb5_keyusage usage,
 		      const krb5_data *input, krb5_data *output)
 {
     const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
-    size_t keylength;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data datain;
-    unsigned char *kcdata;
-    krb5_keyblock kc;
+    krb5_key kc;
 
-    ktp = find_enctype(key->enctype);
+    ktp = find_enctype(key->keyblock.enctype);
     if (ktp == NULL)
 	return KRB5_BAD_ENCTYPE;
     enc = ktp->enc;
@@ -55,15 +53,6 @@
      * output->length will be tested in krb5_hmac.
      */
 
-    /* Allocate and set to-be-derived keys. */
-    keylength = enc->keylength;
-    kcdata = malloc(keylength);
-    if (kcdata == NULL)
-	return ENOMEM;
-
-    kc.contents = kcdata;
-    kc.length = keylength;
-
     /* Derive the key. */
  
     datain.data = (char *) constantdata;
@@ -75,37 +64,34 @@
 
     ret = krb5_derive_key(enc, key, &kc, &datain);
     if (ret)
-	goto cleanup;
+	return ret;
 
     /* hash the data */
 
     datain = *input;
 
-    ret = krb5_hmac(hash, &kc, 1, &datain, output);
+    ret = krb5_hmac(hash, kc, 1, &datain, output);
     if (ret)
 	memset(output->data, 0, output->length);
 
-cleanup:
-    zapfree(kcdata, keylength);
+    krb5_k_free_key(NULL, kc);
     return ret;
 }
 
 krb5_error_code
 krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
-		          const krb5_keyblock *key, krb5_keyusage usage,
+		          krb5_key key, krb5_keyusage usage,
 			  const krb5_crypto_iov *data, size_t num_data,
 			  krb5_data *output)
 {
     const struct krb5_keytypes *ktp;
     const struct krb5_enc_provider *enc;
-    size_t keylength;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data datain;
-    unsigned char *kcdata;
-    krb5_keyblock kc;
+    krb5_key kc;
 
-    ktp = find_enctype(key->enctype);
+    ktp = find_enctype(key->keyblock.enctype);
     if (ktp == NULL)
 	return KRB5_BAD_ENCTYPE;
     enc = ktp->enc;
@@ -115,16 +101,6 @@
      * output->length will be tested in krb5_hmac.
      */
 
-    /* Allocate and set to-be-derived keys. */
-
-    keylength = enc->keylength;
-    kcdata = malloc(keylength);
-    if (kcdata == NULL)
-	return ENOMEM;
-
-    kc.contents = kcdata;
-    kc.length = keylength;
-
     /* Derive the key. */
  
     datain.data = (char *) constantdata;
@@ -136,17 +112,14 @@
 
     ret = krb5_derive_key(enc, key, &kc, &datain);
     if (ret)
-	goto cleanup;
+	return ret;
 
     /* Hash the data. */
 
-    ret = krb5int_hmac_iov(hash, &kc, data, num_data, output);
+    ret = krb5int_hmac_iov(hash, kc, data, num_data, output);
     if (ret)
 	memset(output->data, 0, output->length);
 
-cleanup:
-    zapfree(kcdata, keylength);
-
-    return(ret);
+    krb5_k_free_key(NULL, kc);
+    return ret;
 }
-

Modified: branches/enc-perf/src/lib/crypto/krb/dk/derive.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/derive.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/dk/derive.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -28,9 +28,9 @@
 #include "dk.h"
 
 krb5_error_code
-krb5_derive_key(const struct krb5_enc_provider *enc,
-		const krb5_keyblock *inkey, krb5_keyblock *outkey,
-		const krb5_data *in_constant)
+krb5_derive_keyblock(const struct krb5_enc_provider *enc,
+		     krb5_key inkey, krb5_keyblock *outkey,
+		     const krb5_data *in_constant)
 {
     size_t blocksize, keybytes, n;
     unsigned char *inblockdata = NULL, *outblockdata = NULL, *rawkey = NULL;
@@ -40,7 +40,8 @@
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
 
-    if (inkey->length != enc->keylength || outkey->length != enc->keylength)
+    if (inkey->keyblock.length != enc->keylength ||
+	outkey->length != enc->keylength)
 	return KRB5_CRYPTO_INTERNAL;
 
     /* Allocate and set up buffers. */
@@ -103,10 +104,37 @@
     return ret;
 }
 
+krb5_error_code
+krb5_derive_key(const struct krb5_enc_provider *enc,
+		krb5_key inkey, krb5_key *outkey,
+		const krb5_data *in_constant)
+{
+    krb5_keyblock keyblock;
+    krb5_error_code ret;
 
+    *outkey = NULL;
+
+    /* Set up a temporary keyblock. */
+    keyblock.length = enc->keylength;
+    keyblock.contents = malloc(keyblock.length);
+    if (keyblock.contents == NULL)
+	return ENOMEM;
+
+    ret = krb5_derive_keyblock(enc, inkey, &keyblock, in_constant);
+    if (ret)
+	goto cleanup;
+
+    /* Convert the keyblock to a key. */
+    ret = krb5_k_create_key(NULL, &keyblock, outkey);
+
+cleanup:
+    zapfree(keyblock.contents, keyblock.length);
+    return ret;
+}
+
 krb5_error_code
 krb5_derive_random(const struct krb5_enc_provider *enc,
-		   const krb5_keyblock *inkey, krb5_data *outrnd,
+		   krb5_key inkey, krb5_data *outrnd,
 		   const krb5_data *in_constant)
 {
     size_t blocksize, keybytes, n;
@@ -117,7 +145,7 @@
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
 
-    if (inkey->length != enc->keylength || outrnd->length != keybytes)
+    if (inkey->keyblock.length != enc->keylength || outrnd->length != keybytes)
 	return KRB5_CRYPTO_INTERNAL;
 
     /* Allocate and set up buffers. */

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -32,7 +32,7 @@
 
 krb5_error_code krb5_dk_encrypt(const struct krb5_enc_provider *enc,
 				const struct krb5_hash_provider *hash,
-				const krb5_keyblock *key, krb5_keyusage usage,
+				krb5_key key, krb5_keyusage usage,
 				const krb5_data *ivec,
 				const krb5_data *input, krb5_data *output);
 
@@ -42,7 +42,7 @@
 
 krb5_error_code krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
 				       const struct krb5_hash_provider *hash,
-				       const krb5_keyblock *key,
+				       krb5_key key,
 				       krb5_keyusage usage,
 				       const krb5_data *ivec,
 				       const krb5_data *input,
@@ -50,13 +50,13 @@
 
 krb5_error_code krb5_dk_decrypt(const struct krb5_enc_provider *enc,
 				const struct krb5_hash_provider *hash,
-				const krb5_keyblock *key, krb5_keyusage usage,
+				krb5_key key, krb5_keyusage usage,
 				const krb5_data *ivec, const krb5_data *input,
 				krb5_data *arg_output);
 
 krb5_error_code krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
 				       const struct krb5_hash_provider *hash,
-				       const krb5_keyblock *key,
+				       krb5_key key,
 				       krb5_keyusage usage,
 				       const krb5_data *ivec,
 				       const krb5_data *input,
@@ -68,26 +68,31 @@
 					 const krb5_data *params,
 					 krb5_keyblock *key);
 
+krb5_error_code krb5_derive_keyblock(const struct krb5_enc_provider *enc,
+				     krb5_key inkey,
+				     krb5_keyblock *outkey,
+				     const krb5_data *in_constant);
+
 krb5_error_code krb5_derive_key(const struct krb5_enc_provider *enc,
-				const krb5_keyblock *inkey,
-				krb5_keyblock *outkey,
+				krb5_key inkey,
+				krb5_key *outkey,
 				const krb5_data *in_constant);
 
 krb5_error_code krb5_dk_make_checksum(const struct krb5_hash_provider *hash,
-				      const krb5_keyblock *key,
+				      krb5_key key,
 				      krb5_keyusage usage,
 				      const krb5_data *input,
 				      krb5_data *output);
 
 krb5_error_code
 krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
-			     const krb5_keyblock *key, krb5_keyusage usage,
+			     krb5_key key, krb5_keyusage usage,
 			     const krb5_crypto_iov *data, size_t num_data,
 			     krb5_data *output);
 
 krb5_error_code
 krb5_derive_random(const struct krb5_enc_provider *enc,
-		   const krb5_keyblock *inkey, krb5_data *outrnd,
+		   krb5_key inkey, krb5_data *outrnd,
 		   const krb5_data *in_constant);
 
 /* AEAD */

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk_aead.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -61,7 +61,7 @@
 krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead,
 		       const struct krb5_enc_provider *enc,
 		       const struct krb5_hash_provider *hash,
-		       const krb5_keyblock *key,
+		       krb5_key key,
 		       krb5_keyusage usage,
 		       const krb5_data *ivec,
 		       krb5_crypto_iov *data,
@@ -71,7 +71,7 @@
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1, d2;
     krb5_crypto_iov *header, *trailer, *padding;
-    krb5_keyblock ke, ki;
+    krb5_key ke = NULL, ki = NULL;
     size_t i;
     unsigned int blocksize = 0;
     unsigned int plainlen = 0;
@@ -79,9 +79,6 @@
     unsigned int padsize = 0;
     unsigned char *cksum = NULL;
 
-    ke.contents = ki.contents = NULL;
-    ke.length = ki.length = 0;
-
     /* E(Confounder | Plaintext | Pad) | Checksum */
 
     ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
@@ -126,14 +123,6 @@
 	padding->data.length = padsize;
     }
 
-    ke.length = enc->keylength;
-    ke.contents = k5alloc(ke.length, &ret);
-    if (ret != 0)
-	goto cleanup;
-    ki.length = enc->keylength;
-    ki.contents = k5alloc(ki.length, &ret);
-    if (ret != 0)
-	goto cleanup;
     cksum = k5alloc(hash->hashsize, &ret);
     if (ret != 0)
 	goto cleanup;
@@ -169,14 +158,14 @@
     d2.length = hash->hashsize;
     d2.data = (char *)cksum;
 
-    ret = krb5int_hmac_iov(hash, &ki, data, num_data, &d2);
+    ret = krb5int_hmac_iov(hash, ki, data, num_data, &d2);
     if (ret != 0)
 	goto cleanup;
 
     /* Encrypt the plaintext (header | data | padding) */
     assert(enc->encrypt_iov != NULL);
 
-    ret = (*enc->encrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
+    ret = (*enc->encrypt_iov)(ke, ivec, data, num_data); /* updates ivec */
     if (ret != 0)
 	goto cleanup;
 
@@ -187,8 +176,8 @@
     trailer->data.length = hmacsize;
 
 cleanup:
-    zapfree(ke.contents, ke.length);
-    zapfree(ki.contents, ki.length);
+    krb5_k_free_key(NULL, ke);
+    krb5_k_free_key(NULL, ki);
     free(cksum);
     return ret;
 }
@@ -197,7 +186,7 @@
 krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead,
 		       const struct krb5_enc_provider *enc,
 		       const struct krb5_hash_provider *hash,
-		       const krb5_keyblock *key,
+		       krb5_key key,
 		       krb5_keyusage usage,
 		       const krb5_data *ivec,
 		       krb5_crypto_iov *data,
@@ -207,7 +196,7 @@
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1;
     krb5_crypto_iov *header, *trailer;
-    krb5_keyblock ke, ki;
+    krb5_key ke = NULL, ki = NULL;
     size_t i;
     unsigned int blocksize = 0; /* enc block size, not confounder len */
     unsigned int cipherlen = 0;
@@ -220,9 +209,6 @@
 					    usage, ivec, data, num_data);
     }
 
-    ke.contents = ki.contents = NULL;
-    ke.length = ki.length = 0;
-
     /* E(Confounder | Plaintext | Pad) | Checksum */
 
     ret = aead->crypto_length(aead, enc, hash, KRB5_CRYPTO_TYPE_PADDING,
@@ -262,14 +248,6 @@
     if (trailer == NULL || trailer->data.length != hmacsize)
 	return KRB5_BAD_MSIZE;
 
-    ke.length = enc->keylength;
-    ke.contents = k5alloc(ke.length, &ret);
-    if (ret != 0)
-	goto cleanup;
-    ki.length = enc->keylength;
-    ki.contents = k5alloc(ki.length, &ret);
-    if (ret != 0)
-	goto cleanup;
     cksum = k5alloc(hash->hashsize, &ret);
     if (ret != 0)
 	goto cleanup;
@@ -296,7 +274,7 @@
     /* Decrypt the plaintext (header | data | padding). */
     assert(enc->decrypt_iov != NULL);
 
-    ret = (*enc->decrypt_iov)(&ke, ivec, data, num_data); /* updates ivec */
+    ret = (*enc->decrypt_iov)(ke, ivec, data, num_data); /* updates ivec */
     if (ret != 0)
 	goto cleanup;
 
@@ -304,7 +282,7 @@
     d1.length = hash->hashsize; /* non-truncated length */
     d1.data = (char *)cksum;
 
-    ret = krb5int_hmac_iov(hash, &ki, data, num_data, &d1);
+    ret = krb5int_hmac_iov(hash, ki, data, num_data, &d1);
     if (ret != 0)
 	goto cleanup;
 
@@ -315,10 +293,9 @@
     }
 
 cleanup:
-    zapfree(ke.contents, ke.length);
-    zapfree(ki.contents, ki.length);
+    krb5_k_free_key(NULL, ke);
+    krb5_k_free_key(NULL, ki);
     free(cksum);
-
     return ret;
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk_decrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -32,7 +32,7 @@
 static krb5_error_code
 krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
 				 const struct krb5_hash_provider *hash,
-				 const krb5_keyblock *key,
+				 krb5_key key,
 				 krb5_keyusage usage,
 				 const krb5_data *ivec,
 				 const krb5_data *input,
@@ -43,7 +43,7 @@
 krb5_error_code
 krb5_dk_decrypt(const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
+		krb5_key key, krb5_keyusage usage,
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *output)
 {
@@ -54,7 +54,7 @@
 krb5_error_code
 krb5int_aes_dk_decrypt(const struct krb5_enc_provider *enc,
 		       const struct krb5_hash_provider *hash,
-		       const krb5_keyblock *key, krb5_keyusage usage,
+		       krb5_key key, krb5_keyusage usage,
 		       const krb5_data *ivec, const krb5_data *input,
 		       krb5_data *output)
 {
@@ -65,22 +65,20 @@
 static krb5_error_code
 krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
 				 const struct krb5_hash_provider *hash,
-				 const krb5_keyblock *key, krb5_keyusage usage,
+				 krb5_key key, krb5_keyusage usage,
 				 const krb5_data *ivec, const krb5_data *input,
 				 krb5_data *output, size_t hmacsize,
 				 int ivec_mode)
 {
     krb5_error_code ret;
-    size_t hashsize, blocksize, keylength, enclen, plainlen;
-    unsigned char *plaindata = NULL, *kedata = NULL, *kidata = NULL;
-    unsigned char *cksum = NULL, *cn;
-    krb5_keyblock ke, ki;
+    size_t hashsize, blocksize, enclen, plainlen;
+    unsigned char *plaindata = NULL, *cksum = NULL, *cn;
+    krb5_key ke = NULL, ki = NULL;
     krb5_data d1, d2;
     unsigned char constantdata[K5CLENGTH];
 
     hashsize = hash->hashsize;
     blocksize = enc->block_size;
-    keylength = enc->keylength;
 
     if (hmacsize == 0)
 	hmacsize = hashsize;
@@ -90,12 +88,6 @@
     enclen = input->length - hmacsize;
 
     /* Allocate and set up ciphertext and to-be-derived keys. */
-    kedata = k5alloc(keylength, &ret);
-    if (ret != 0)
-	goto cleanup;
-    kidata = k5alloc(keylength, &ret);
-    if (ret != 0)
-	goto cleanup;
     plaindata = k5alloc(enclen, &ret);
     if (ret != 0)
 	goto cleanup;
@@ -103,11 +95,6 @@
     if (ret != 0)
 	goto cleanup;
 
-    ke.contents = kedata;
-    ke.length = keylength;
-    ki.contents = kidata;
-    ki.length = keylength;
-
     /* Derive the keys. */
 
     d1.data = (char *) constantdata;
@@ -135,7 +122,7 @@
     d2.length = enclen;
     d2.data = (char *) plaindata;
 
-    ret = (*enc->decrypt)(&ke, ivec, &d1, &d2);
+    ret = (*enc->decrypt)(ke, ivec, &d1, &d2);
     if (ret != 0)
 	goto cleanup;
 
@@ -155,7 +142,7 @@
     d1.length = hashsize;
     d1.data = (char *) cksum;
 
-    ret = krb5_hmac(hash, &ki, 1, &d2, &d1);
+    ret = krb5_hmac(hash, ki, 1, &d2, &d1);
     if (ret != 0)
 	goto cleanup;
 
@@ -183,8 +170,8 @@
 	memcpy(ivec->data, cn, blocksize);
 
 cleanup:
-    zapfree(kedata, keylength);
-    zapfree(kidata, keylength);
+    krb5_k_free_key(NULL, ke);
+    krb5_k_free_key(NULL, ki);
     zapfree(plaindata, enclen);
     zapfree(cksum, hashsize);
     return ret;

Modified: branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/dk/dk_encrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -53,20 +53,19 @@
 krb5_error_code
 krb5_dk_encrypt(const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
+		krb5_key key, krb5_keyusage usage,
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *output)
 {
-    size_t blocksize, keylength, plainlen, enclen;
+    size_t blocksize, plainlen, enclen;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1, d2;
-    unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
+    unsigned char *plaintext = NULL;
     char *cn;
-    krb5_keyblock ke, ki;
+    krb5_key ke = NULL, ki = NULL;
 
     blocksize = enc->block_size;
-    keylength = enc->keylength;
     plainlen = krb5_roundup(blocksize + input->length, blocksize);
 
     krb5_dk_encrypt_length(enc, hash, input->length, &enclen);
@@ -78,21 +77,10 @@
 
     /* Allocate and set up plaintext and to-be-derived keys. */
 
-    kedata = k5alloc(keylength, &ret);
-    if (ret != 0)
-	goto cleanup;
-    kidata = k5alloc(keylength, &ret);
-    if (ret != 0)
-	goto cleanup;
-    plaintext = k5alloc(plainlen, &ret);
-    if (ret != 0)
-	goto cleanup;
+    plaintext = malloc(plainlen);
+    if (plaintext == NULL)
+	return ENOMEM;
 
-    ke.contents = kedata;
-    ke.length = keylength;
-    ki.contents = kidata;
-    ki.length = keylength;
-
     /* Derive the keys. */
 
     d1.data = (char *) constantdata;
@@ -134,7 +122,7 @@
     d2.length = plainlen;
     d2.data = output->data;
 
-    ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+    ret = (*enc->encrypt)(ke, ivec, &d1, &d2);
     if (ret != 0)
 	goto cleanup;
 
@@ -150,7 +138,7 @@
 
     output->length = enclen;
 
-    ret = krb5_hmac(hash, &ki, 1, &d1, &d2);
+    ret = krb5_hmac(hash, ki, 1, &d1, &d2);
     if (ret != 0) {
 	memset(d2.data, 0, d2.length);
 	goto cleanup;
@@ -161,8 +149,8 @@
 	memcpy(ivec->data, cn, blocksize);
 
 cleanup:
-    zapfree(kedata, keylength);
-    zapfree(kidata, keylength);
+    krb5_k_free_key(NULL, ke);
+    krb5_k_free_key(NULL, ki);
     zapfree(plaintext, plainlen);
     return ret;
 }
@@ -186,7 +174,7 @@
 
 static krb5_error_code
 trunc_hmac (const struct krb5_hash_provider *hash,
-	    const krb5_keyblock *ki, unsigned int num,
+	    krb5_key ki, unsigned int num,
 	    const krb5_data *input, const krb5_data *output)
 {
     size_t hashsize;
@@ -211,23 +199,22 @@
 krb5_error_code
 krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
 		       const struct krb5_hash_provider *hash,
-		       const krb5_keyblock *key, krb5_keyusage usage,
+		       krb5_key key, krb5_keyusage usage,
 		       const krb5_data *ivec, const krb5_data *input,
 		       krb5_data *output)
 {
-    size_t blocksize, keybytes, keylength, plainlen, enclen;
+    size_t blocksize, keybytes, plainlen, enclen;
     krb5_error_code ret;
     unsigned char constantdata[K5CLENGTH];
     krb5_data d1, d2;
-    unsigned char *plaintext = NULL, *kedata = NULL, *kidata = NULL;
+    unsigned char *plaintext = NULL;
     char *cn;
-    krb5_keyblock ke, ki;
+    krb5_key ke = NULL, ki = NULL;
 
     /* allocate and set up plaintext and to-be-derived keys */
 
     blocksize = enc->block_size;
     keybytes = enc->keybytes;
-    keylength = enc->keylength;
     plainlen = blocksize+input->length;
 
     krb5int_aes_encrypt_length(enc, hash, input->length, &enclen);
@@ -237,21 +224,10 @@
     if (output->length < enclen)
 	return KRB5_BAD_MSIZE;
 
-    kedata = k5alloc(keylength, &ret);
-    if (ret != 0)
-	goto cleanup;
-    kidata = k5alloc(keylength, &ret);
-    if (ret != 0)
-	goto cleanup;
-    plaintext = k5alloc(plainlen, &ret);
-    if (ret != 0)
-	goto cleanup;
+    plaintext = malloc(plainlen);
+    if (plaintext == NULL)
+	return ENOMEM;
 
-    ke.contents = kedata;
-    ke.length = keylength;
-    ki.contents = kidata;
-    ki.length = keylength;
-
     /* Derive the keys. */
 
     d1.data = (char *) constantdata;
@@ -294,7 +270,7 @@
     d2.length = plainlen;
     d2.data = output->data;
 
-    ret = (*enc->encrypt)(&ke, ivec, &d1, &d2);
+    ret = (*enc->encrypt)(ke, ivec, &d1, &d2);
     if (ret != 0)
 	goto cleanup;
 
@@ -311,7 +287,7 @@
     if (d2.length != 96 / 8)
 	abort();
 
-    ret = trunc_hmac(hash, &ki, 1, &d1, &d2);
+    ret = trunc_hmac(hash, ki, 1, &d1, &d2);
     if (ret != 0) {
 	memset(d2.data, 0, d2.length);
 	goto cleanup;
@@ -324,8 +300,8 @@
 	memcpy(ivec->data, cn, blocksize);
 
 cleanup:
-    zapfree(kedata, keylength);
-    zapfree(kidata, keylength);
+    krb5_k_free_key(NULL, ke);
+    krb5_k_free_key(NULL, ki);
     zapfree(plaintext, plainlen);
     return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/dk/stringtokey.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -32,15 +32,16 @@
 krb5_error_code
 krb5int_dk_string_to_key(const struct krb5_enc_provider *enc,
 			 const krb5_data *string, const krb5_data *salt,
-			 const krb5_data *parms, krb5_keyblock *key)
+			 const krb5_data *parms, krb5_keyblock *keyblock)
 {
     krb5_error_code ret;
     size_t keybytes, keylength, concatlen;
     unsigned char *concat = NULL, *foldstring = NULL, *foldkeydata = NULL;
     krb5_data indata;
-    krb5_keyblock foldkey;
+    krb5_keyblock foldkeyblock;
+    krb5_key foldkey = NULL;
 
-    /* key->length is checked by krb5_derive_key. */
+    /* keyblock->length is checked by krb5_derive_key. */
 
     keybytes = enc->keybytes;
     keylength = enc->keylength;
@@ -67,25 +68,30 @@
 
     indata.length = keybytes;
     indata.data = (char *) foldstring;
-    foldkey.length = keylength;
-    foldkey.contents = foldkeydata;
+    foldkeyblock.length = keylength;
+    foldkeyblock.contents = foldkeydata;
 
-    ret = (*enc->make_key)(&indata, &foldkey);
+    ret = (*enc->make_key)(&indata, &foldkeyblock);
     if (ret != 0)
 	goto cleanup;
 
+    ret = krb5_k_create_key(NULL, &foldkeyblock, &foldkey);
+    if (ret != 0)
+	goto cleanup;
+
     /* now derive the key from this one */
 
     indata.length = kerberos_len;
     indata.data = (char *) kerberos;
 
-    ret = krb5_derive_key(enc, &foldkey, key, &indata);
+    ret = krb5_derive_keyblock(enc, foldkey, keyblock, &indata);
     if (ret != 0)
-	memset(key->contents, 0, key->length);
+	memset(keyblock->contents, 0, keyblock->length);
 
 cleanup:
     zapfree(concat, concatlen);
     zapfree(foldstring, keybytes);
     zapfree(foldkeydata, keylength);
+    krb5_k_free_key(NULL, foldkey);
     return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/encrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/encrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/encrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -29,19 +29,19 @@
 #include "aead.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_encrypt(krb5_context context, const krb5_keyblock *key,
+krb5_k_encrypt(krb5_context context, krb5_key key,
 	       krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_data *input, krb5_enc_data *output)
 {
     const struct krb5_keytypes *ktp;
 
-    ktp = find_enctype(key->enctype);
+    ktp = find_enctype(key->keyblock.enctype);
     if (ktp == NULL)
 	return KRB5_BAD_ENCTYPE;
 
     output->magic = KV5M_ENC_DATA;
     output->kvno = 0;
-    output->enctype = key->enctype;
+    output->enctype = key->keyblock.enctype;
 
     if (ktp->encrypt == NULL) {
 	assert(ktp->aead != NULL);
@@ -54,3 +54,19 @@
     return (*ktp->encrypt)(ktp->enc, ktp->hash, key, usage, ivec, input,
 			   &output->ciphertext);
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_encrypt(krb5_context context, const krb5_keyblock *keyblock,
+	       krb5_keyusage usage, const krb5_data *ivec,
+	       const krb5_data *input, krb5_enc_data *output)
+{
+    krb5_key key;
+    krb5_error_code ret;
+
+    ret = krb5_k_create_key(context, keyblock, &key);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_encrypt(context, key, usage, ivec, input, output);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/encrypt_iov.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -28,8 +28,8 @@
 #include "etypes.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_encrypt_iov(krb5_context context,
-		   const krb5_keyblock *key,
+krb5_k_encrypt_iov(krb5_context context,
+		   krb5_key key,
 		   krb5_keyusage usage,
 		   const krb5_data *cipher_state,
 		   krb5_crypto_iov *data,
@@ -37,7 +37,7 @@
 {
     const struct krb5_keytypes *ktp;
 
-    ktp = find_enctype(key->enctype);
+    ktp = find_enctype(key->keyblock.enctype);
     if (ktp == NULL || ktp->aead == NULL)
 	return KRB5_BAD_ENCTYPE;
 
@@ -45,3 +45,22 @@
 				     key, usage, cipher_state, data, num_data);
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_c_encrypt_iov(krb5_context context,
+		   const krb5_keyblock *keyblock,
+		   krb5_keyusage usage,
+		   const krb5_data *cipher_state,
+		   krb5_crypto_iov *data,
+		   size_t num_data)
+{
+    krb5_key key;
+    krb5_error_code ret;
+
+    ret = krb5_k_create_key(context, keyblock, &key);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_encrypt_iov(context, key, usage, cipher_state, data,
+			     num_data);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/etypes.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/etypes.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/etypes.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -33,7 +33,7 @@
 typedef krb5_error_code (*krb5_crypt_func)(const struct krb5_enc_provider *enc,
 					   const struct
 					   krb5_hash_provider *hash,
-					   const krb5_keyblock *key,
+					   krb5_key key,
 					   krb5_keyusage keyusage,
 					   const krb5_data *ivec,
 					   const krb5_data *input,
@@ -48,7 +48,7 @@
 
 typedef krb5_error_code (*krb5_prf_func)(const struct krb5_enc_provider *enc,
 					 const struct krb5_hash_provider *hash,
-					 const krb5_keyblock *key,
+					 krb5_key key,
 					 const krb5_data *in, krb5_data *out);
 
 struct krb5_keytypes {

Modified: branches/enc-perf/src/lib/crypto/krb/keyhash_provider/descbc.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyhash_provider/descbc.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/keyhash_provider/descbc.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -29,12 +29,12 @@
 #include "keyhash_provider.h"
 
 static krb5_error_code
-k5_descbc_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_descbc_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output)
 {
     mit_des_key_schedule schedule;
 
-    if (key->length != 8)
+    if (key->keyblock.length != 8)
 	return(KRB5_BAD_KEYSIZE);
     if ((input->length%8) != 0)
 	return(KRB5_BAD_MSIZE);
@@ -43,7 +43,7 @@
     if (output->length != 8)
 	return(KRB5_CRYPTO_INTERNAL);
 
-    switch (mit_des_key_sched(key->contents, schedule)) {
+    switch (mit_des_key_sched(key->keyblock.contents, schedule)) {
     case -1:
 	return(KRB5DES_BAD_KEYPAR);
     case -2:

Modified: branches/enc-perf/src/lib/crypto/krb/keyhash_provider/hmac_md5.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyhash_provider/hmac_md5.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/keyhash_provider/hmac_md5.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -36,24 +36,23 @@
 #include "../aead.h"
 
 static  krb5_error_code
-k5_hmac_md5_hash (const krb5_keyblock *key, krb5_keyusage usage,
+k5_hmac_md5_hash (krb5_key key, krb5_keyusage usage,
 		  const krb5_data *iv,
 		  const krb5_data *input, krb5_data *output)
 {
   krb5_keyusage ms_usage;
   krb5_error_code ret;
-  krb5_keyblock ks;
+  krb5_keyblock keyblock;
+  krb5_key ks = NULL;
   krb5_data ds, ks_constant, md5tmp;
   krb5_MD5_CTX ctx;
   char t[4];
   
 
-  ds.length = key->length;
-  ks.length = key->length;
+  ds.length = key->keyblock.length;
   ds.data = malloc(ds.length);
   if (ds.data == NULL)
     return ENOMEM;
-  ks.contents = (void *) ds.data;
 
   ks_constant.data = "signaturekey";
   ks_constant.length = strlen(ks_constant.data)+1; /* Including null*/
@@ -63,6 +62,12 @@
   if (ret)
     goto cleanup;
 
+  keyblock.length = key->keyblock.length;
+  keyblock.contents = (void *) ds.data;
+  ret = krb5_k_create_key(NULL, &keyblock, &ks);
+  if (ret)
+      goto cleanup;
+
   krb5_MD5Init (&ctx);
   ms_usage = krb5int_arcfour_translate_usage (usage);
   store_32_le(ms_usage, t);
@@ -72,36 +77,36 @@
   krb5_MD5Final(&ctx);
   md5tmp.data = (void *) ctx.digest;
   md5tmp.length = 16;
-  ret = krb5_hmac ( &krb5int_hash_md5, &ks, 1, &md5tmp,
+
+  ret = krb5_hmac ( &krb5int_hash_md5, ks, 1, &md5tmp,
 		    output);
 
     cleanup:
   memset(&ctx, 0, sizeof(ctx));
-  memset (ks.contents, 0, ks.length);
-  free (ks.contents);
+  zapfree(ds.data, ds.length);
+  krb5_k_free_key(NULL, ks);
   return ret;
 }
 
 static  krb5_error_code
-k5_hmac_md5_hash_iov (const krb5_keyblock *key, krb5_keyusage usage,
+k5_hmac_md5_hash_iov (krb5_key key, krb5_keyusage usage,
 		      const krb5_data *iv,
 		      const krb5_crypto_iov *data, size_t num_data,
 		      krb5_data *output)
 {
   krb5_keyusage ms_usage;
   krb5_error_code ret;
-  krb5_keyblock ks;
+  krb5_keyblock keyblock;
+  krb5_key ks = NULL;
   krb5_data ds, ks_constant, md5tmp;
   krb5_MD5_CTX ctx;
   char t[4];
   size_t i;
 
-  ds.length = key->length;
-  ks.length = key->length;
+  ds.length = key->keyblock.length;
   ds.data = malloc(ds.length);
   if (ds.data == NULL)
     return ENOMEM;
-  ks.contents = (void *) ds.data;
 
   ks_constant.data = "signaturekey";
   ks_constant.length = strlen(ks_constant.data)+1; /* Including null*/
@@ -111,6 +116,12 @@
   if (ret)
     goto cleanup;
 
+  keyblock.length = key->keyblock.length;
+  keyblock.contents = (void *) ds.data;
+  ret = krb5_k_create_key(NULL, &keyblock, &ks);
+  if (ret)
+      goto cleanup;
+
   krb5_MD5Init (&ctx);
   ms_usage = krb5int_arcfour_translate_usage (usage);
   store_32_le(ms_usage, t);
@@ -125,13 +136,13 @@
   krb5_MD5Final(&ctx);
   md5tmp.data = (void *) ctx.digest;
   md5tmp.length = 16;
-  ret = krb5_hmac ( &krb5int_hash_md5, &ks, 1, &md5tmp,
+  ret = krb5_hmac ( &krb5int_hash_md5, ks, 1, &md5tmp,
 		    output);
 
     cleanup:
   memset(&ctx, 0, sizeof(ctx));
-  memset (ks.contents, 0, ks.length);
-  free (ks.contents);
+  zapfree(keyblock.contents, keyblock.length);
+  krb5_k_free_key(NULL, ks);
   return ret;
 }
 

Modified: branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md4des.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md4des.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md4des.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -39,7 +39,7 @@
 extern struct krb5_enc_provider krb5int_enc_des;
 
 static krb5_error_code
-k5_md4des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_md4des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output)
 {
     krb5_error_code ret;
@@ -77,7 +77,7 @@
 }
 
 static krb5_error_code
-k5_md4des_verify(const krb5_keyblock *key, krb5_keyusage usage,
+k5_md4des_verify(krb5_key key, krb5_keyusage usage,
 		 const krb5_data *ivec,
 		 const krb5_data *input, const krb5_data *hash,
 		 krb5_boolean *valid)
@@ -89,7 +89,7 @@
     struct krb5_enc_provider *enc = &krb5int_enc_des;
     krb5_data output, iv;
 
-    if (key->length != 8)
+    if (key->keyblock.length != 8)
 	return(KRB5_BAD_KEYSIZE);
     if (hash->length != (CONFLENGTH+RSA_MD4_CKSUM_LENGTH)) {
 #ifdef KRB5_MD4DES_BETA5_COMPAT
@@ -104,11 +104,11 @@
     }
 
     if (compathash) {
-        iv.data = malloc(key->length);
+        iv.data = malloc(key->keyblock.length);
         if (!iv.data) return ENOMEM;
-        iv.length = key->length;
-        if (key->contents)
-            memcpy(iv.data, key->contents, key->length);
+        iv.length = key->keyblock.length;
+        if (key->keyblock.contents)
+            memcpy(iv.data, key->keyblock.contents, key->keyblock.length);
     }
 
     /* decrypt it */

Modified: branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md5des.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md5des.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/keyhash_provider/k5_md5des.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -39,7 +39,7 @@
 extern struct krb5_enc_provider krb5int_enc_des;
 
 static krb5_error_code
-k5_md5des_hash(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_md5des_hash(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
 	       const krb5_data *input, krb5_data *output)
 {
     krb5_error_code ret;
@@ -78,7 +78,7 @@
 }
 
 static krb5_error_code
-k5_md5des_verify(const krb5_keyblock *key, krb5_keyusage usage, const krb5_data *ivec,
+k5_md5des_verify(krb5_key key, krb5_keyusage usage, const krb5_data *ivec,
 		 const krb5_data *input, const krb5_data *hash,
 		 krb5_boolean *valid)
 {
@@ -89,7 +89,7 @@
     struct krb5_enc_provider *enc = &krb5int_enc_des;
     krb5_data output, iv;
 
-    if (key->length != 8)
+    if (key->keyblock.length != 8)
 	return(KRB5_BAD_KEYSIZE);
 
     if (hash->length != (CONFLENGTH+RSA_MD5_CKSUM_LENGTH)) {
@@ -104,11 +104,11 @@
     }
 
     if (compathash) {
-        iv.data = malloc(key->length);
+        iv.data = malloc(key->keyblock.length);
         if (!iv.data) return ENOMEM;
-        iv.length = key->length;
-        if (key->contents)
-            memcpy(iv.data, key->contents, key->length);
+        iv.length = key->keyblock.length;
+        if (key->keyblock.contents)
+            memcpy(iv.data, key->keyblock.contents, key->keyblock.length);
     }
 
     /* decrypt it */

Modified: branches/enc-perf/src/lib/crypto/krb/keyhash_provider/md5_hmac.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/keyhash_provider/md5_hmac.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/keyhash_provider/md5_hmac.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -33,7 +33,7 @@
 #include "hash_provider.h"
 
 static  krb5_error_code
-k5_md5_hmac_hash (const krb5_keyblock *key, krb5_keyusage usage,
+k5_md5_hmac_hash (krb5_key key, krb5_keyusage usage,
 		  const krb5_data *iv,
 		  const krb5_data *input, krb5_data *output)
 {

Modified: branches/enc-perf/src/lib/crypto/krb/make_checksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/make_checksum.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/make_checksum.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -30,8 +30,8 @@
 #include "dk.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
-		     const krb5_keyblock *key, krb5_keyusage usage,
+krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
+		     krb5_key key, krb5_keyusage usage,
 		     const krb5_data *input, krb5_checksum *cksum)
 {
     unsigned int i;
@@ -68,7 +68,7 @@
 	/* check if key is compatible */
 	if (ctp->keyed_etype) {
 	    ktp1 = find_enctype(ctp->keyed_etype);
-	    ktp2 = find_enctype(key->enctype);
+	    ktp2 = find_enctype(key->keyblock.enctype);
 	    if (ktp1 == NULL || ktp2 == NULL || ktp1->enc != ktp2->enc) {
 		ret = KRB5_BAD_ENCTYPE;
 		goto cleanup;
@@ -114,3 +114,21 @@
 
     return ret;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
+		     const krb5_keyblock *keyblock, krb5_keyusage usage,
+		     const krb5_data *input, krb5_checksum *cksum)
+{
+    krb5_key key = NULL;
+    krb5_error_code ret;
+
+    if (keyblock != NULL) {
+	ret = krb5_k_create_key(context, keyblock, &key);
+	if (ret != 0)
+	    return ret;
+    }
+    ret = krb5_k_make_checksum(context, cksumtype, key, usage, input, cksum);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/make_checksum_iov.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -29,9 +29,9 @@
 #include "aead.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_make_checksum_iov(krb5_context context,
+krb5_k_make_checksum_iov(krb5_context context,
 			 krb5_cksumtype cksumtype,
-			 const krb5_keyblock *key,
+			 krb5_key key,
 			 krb5_keyusage usage,
 			 krb5_crypto_iov *data,
 			 size_t num_data)
@@ -81,3 +81,23 @@
 
     return(ret);
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_make_checksum_iov(krb5_context context,
+			 krb5_cksumtype cksumtype,
+			 const krb5_keyblock *keyblock,
+			 krb5_keyusage usage,
+			 krb5_crypto_iov *data,
+			 size_t num_data)
+{
+    krb5_key key;
+    krb5_error_code ret;
+
+    ret = krb5_k_create_key(context, keyblock, &key);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_make_checksum_iov(context, cksumtype, key, usage,
+				   data, num_data);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/old/old.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/old/old.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/old/old.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -34,14 +34,14 @@
 krb5_error_code krb5_old_encrypt
 (const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
+		krb5_key key, krb5_keyusage usage,
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *output);
 
 krb5_error_code krb5_old_decrypt
 (const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
+		krb5_key key, krb5_keyusage usage,
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *arg_output);
 

Modified: branches/enc-perf/src/lib/crypto/krb/old/old_decrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/old/old_decrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/old/old_decrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -30,7 +30,7 @@
 krb5_error_code
 krb5_old_decrypt(const struct krb5_enc_provider *enc,
 		 const struct krb5_hash_provider *hash,
-		 const krb5_keyblock *key,
+		 krb5_key key,
 		 krb5_keyusage usage,
 		 const krb5_data *ivec,
 		 const krb5_data *input,
@@ -87,9 +87,9 @@
 	cn = NULL;
 
     /* XXX this is gross, but I don't have much choice */
-    if ((key->enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
-	crcivec.length = key->length;
-	crcivec.data = (char *) key->contents;
+    if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
+	crcivec.length = key->keyblock.length;
+	crcivec.data = (char *) key->keyblock.contents;
 	ivec = &crcivec;
     }
 

Modified: branches/enc-perf/src/lib/crypto/krb/old/old_encrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/old/old_encrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/old/old_encrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -44,7 +44,7 @@
 krb5_error_code
 krb5_old_encrypt(const struct krb5_enc_provider *enc,
 		 const struct krb5_hash_provider *hash,
-		 const krb5_keyblock *key,
+		 krb5_key key,
 		 krb5_keyusage usage,
 		 const krb5_data *ivec,
 		 const krb5_data *input,
@@ -87,9 +87,9 @@
     /* encrypt it */
 
     /* XXX this is gross, but I don't have much choice */
-    if ((key->enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
-	crcivec.length = key->length;
-	crcivec.data = (char *) key->contents;
+    if ((key->keyblock.enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
+	crcivec.length = key->keyblock.length;
+	crcivec.data = (char *) key->keyblock.contents;
 	ivec = &crcivec;
 	real_ivec = 0;
     } else

Modified: branches/enc-perf/src/lib/crypto/krb/prf/des_prf.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf/des_prf.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/prf/des_prf.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -35,8 +35,7 @@
 krb5_error_code
 krb5int_des_prf (const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key,
-		const krb5_data *in, krb5_data *out)
+		krb5_key key, const krb5_data *in, krb5_data *out)
 {
   krb5_data tmp;
   krb5_error_code ret = 0;

Modified: branches/enc-perf/src/lib/crypto/krb/prf/dk_prf.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf/dk_prf.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/prf/dk_prf.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -35,12 +35,11 @@
 krb5_error_code
 krb5int_dk_prf (const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key,
-		const krb5_data *in, krb5_data *out)
+		krb5_key key, const krb5_data *in, krb5_data *out)
 {
   krb5_data tmp;
   krb5_data prfconst;
-  krb5_keyblock *kp = NULL;
+  krb5_key kp = NULL;
   krb5_error_code ret = 0;
   
   prfconst.data = (char *) "prf";
@@ -51,14 +50,10 @@
     return ENOMEM;
   hash->hash(1, in, &tmp);
   tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/
-  ret = krb5int_c_init_keyblock(0, key->enctype,
-			   key->length, &kp);
-    if (ret == 0)
-      ret = krb5_derive_key(enc, key, kp, &prfconst);
+  ret = krb5_derive_key(enc, key, &kp, &prfconst);
   if (ret == 0)
-    ret = enc->encrypt(kp, NULL, &tmp, out);
-      if (kp)
-	krb5int_c_free_keyblock(0, kp);
+      ret = enc->encrypt(kp, NULL, &tmp, out);
+  krb5_k_free_key(NULL, kp);
   free (tmp.data);
   return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/prf/prf_int.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf/prf_int.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/prf/prf_int.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -32,19 +32,17 @@
 krb5_error_code 
 krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
                     const struct krb5_hash_provider *hash,
-                    const krb5_keyblock *key,
-                    const krb5_data *in, krb5_data *out);
+                    krb5_key key, const krb5_data *in, krb5_data *out);
 
 krb5_error_code
 krb5int_des_prf (const struct krb5_enc_provider *enc,
                 const struct krb5_hash_provider *hash,
-                const krb5_keyblock *key,
-                 const krb5_data *in, krb5_data *out);
+                krb5_key key, const krb5_data *in, krb5_data *out);
 
 krb5_error_code
 krb5int_dk_prf(const struct krb5_enc_provider *enc,
                const struct krb5_hash_provider *hash,
-               const krb5_keyblock *key, const krb5_data *in, krb5_data *out);
+               krb5_key key, const krb5_data *in, krb5_data *out);
 
 #endif  /*PRF_INTERNAL_DEFS*/
 

Modified: branches/enc-perf/src/lib/crypto/krb/prf/rc4_prf.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf/rc4_prf.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/prf/rc4_prf.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -32,8 +32,7 @@
 krb5_error_code 
 krb5int_arcfour_prf(const struct krb5_enc_provider *enc,
                     const struct krb5_hash_provider *hash,
-                    const krb5_keyblock *key,
-                    const krb5_data *in, krb5_data *out)
+                    krb5_key key, const krb5_data *in, krb5_data *out)
 {
     assert(out->length == 20);
     return krb5_hmac(&krb5int_hash_sha1, key, 1, in, out);

Modified: branches/enc-perf/src/lib/crypto/krb/prf.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/prf.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/prf.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -50,15 +50,17 @@
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_prf(krb5_context context, const krb5_keyblock *key,
+krb5_c_prf(krb5_context context, const krb5_keyblock *keyblock,
 	   krb5_data *input, krb5_data *output)
 {
     const struct krb5_keytypes *ktp;
+    krb5_key key;
+    krb5_error_code ret;
 
     assert(input && output);
     assert(output->data);
 
-    ktp = find_enctype(key->enctype);
+    ktp = find_enctype(keyblock->enctype);
     if (ktp == NULL)
 	return KRB5_BAD_ENCTYPE;
     if (ktp->prf == NULL)
@@ -67,5 +69,10 @@
     output->magic = KV5M_DATA;
     if (ktp->prf_length != output->length)
 	return KRB5_CRYPTO_INTERNAL;
-    return (*ktp->prf)(ktp->enc, ktp->hash, key, input, output);
+    ret = krb5_k_create_key(context, keyblock, &key);
+    if (ret != 0)
+	return ret;
+    ret = (*ktp->prf)(ktp->enc, ktp->hash, key, input, output);
+    krb5_k_free_key(context, key);
+    return ret;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/raw/raw.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/raw/raw.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/raw/raw.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -34,14 +34,14 @@
 krb5_error_code krb5_raw_encrypt
 (const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
+		krb5_key key, krb5_keyusage usage,
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *output);
 
 krb5_error_code krb5_raw_decrypt
 (const struct krb5_enc_provider *enc,
 		const struct krb5_hash_provider *hash,
-		const krb5_keyblock *key, krb5_keyusage usage,
+		krb5_key key, krb5_keyusage usage,
 		const krb5_data *ivec, const krb5_data *input,
 		krb5_data *arg_output);
 

Modified: branches/enc-perf/src/lib/crypto/krb/raw/raw_aead.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/raw/raw_aead.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/raw/raw_aead.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -54,7 +54,7 @@
 krb5int_raw_encrypt_iov(const struct krb5_aead_provider *aead,
 			const struct krb5_enc_provider *enc,
 			const struct krb5_hash_provider *hash,
-			const krb5_keyblock *key,
+			krb5_key key,
 			krb5_keyusage usage,
 			const krb5_data *ivec,
 			krb5_crypto_iov *data,
@@ -104,7 +104,7 @@
 krb5int_raw_decrypt_iov(const struct krb5_aead_provider *aead,
 			const struct krb5_enc_provider *enc,
 			const struct krb5_hash_provider *hash,
-			const krb5_keyblock *key,
+			krb5_key key,
 			krb5_keyusage usage,
 			const krb5_data *ivec,
 			krb5_crypto_iov *data,

Modified: branches/enc-perf/src/lib/crypto/krb/raw/raw_decrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/raw/raw_decrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/raw/raw_decrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -30,7 +30,7 @@
 krb5_error_code
 krb5_raw_decrypt(const struct krb5_enc_provider *enc,
 		 const struct krb5_hash_provider *hash,
-		 const krb5_keyblock *key, krb5_keyusage usage,
+		 krb5_key key, krb5_keyusage usage,
 		 const krb5_data *ivec, const krb5_data *input,
 		 krb5_data *output)
 {

Modified: branches/enc-perf/src/lib/crypto/krb/raw/raw_encrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/raw/raw_encrypt.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/raw/raw_encrypt.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -42,7 +42,7 @@
 krb5_error_code
 krb5_raw_encrypt(const struct krb5_enc_provider *enc,
 		 const struct krb5_hash_provider *hash,
-		 const krb5_keyblock *key, krb5_keyusage usage,
+		 krb5_key key, krb5_keyusage usage,
 		 const krb5_data *ivec, const krb5_data *input,
 		 krb5_data *output)
 {

Modified: branches/enc-perf/src/lib/crypto/krb/verify_checksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/verify_checksum.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/verify_checksum.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -28,7 +28,7 @@
 #include "cksumtypes.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
+krb5_k_verify_checksum(krb5_context context, krb5_key key,
 		       krb5_keyusage usage, const krb5_data *data,
 		       const krb5_checksum *cksum, krb5_boolean *valid)
 {
@@ -78,7 +78,7 @@
 
     computed.length = hashsize;
 
-    ret = krb5_c_make_checksum(context, cksum->checksum_type, key, usage,
+    ret = krb5_k_make_checksum(context, cksum->checksum_type, key, usage,
 			       data, &computed);
     if (ret)
 	return ret;
@@ -88,3 +88,21 @@
     free(computed.contents);
     return 0;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *keyblock,
+		       krb5_keyusage usage, const krb5_data *data,
+		       const krb5_checksum *cksum, krb5_boolean *valid)
+{
+    krb5_key key = NULL;
+    krb5_error_code ret;
+
+    if (keyblock != NULL) {
+	ret = krb5_k_create_key(context, keyblock, &key);
+	if (ret != 0)
+	    return ret;
+    }
+    ret = krb5_k_verify_checksum(context, key, usage, data, cksum, valid);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/verify_checksum_iov.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -29,9 +29,9 @@
 #include "aead.h"
 
 krb5_error_code KRB5_CALLCONV
-krb5_c_verify_checksum_iov(krb5_context context, 
+krb5_k_verify_checksum_iov(krb5_context context,
 			   krb5_cksumtype checksum_type,
-			   const krb5_keyblock *key,
+			   krb5_key key,
 			   krb5_keyusage usage,
 			   const krb5_crypto_iov *data,
 			   size_t num_data,
@@ -94,3 +94,24 @@
     free(computed.data);
     return 0;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_c_verify_checksum_iov(krb5_context context,
+			   krb5_cksumtype checksum_type,
+			   const krb5_keyblock *keyblock,
+			   krb5_keyusage usage,
+			   const krb5_crypto_iov *data,
+			   size_t num_data,
+			   krb5_boolean *valid)
+{
+    krb5_key key;
+    krb5_error_code ret;
+
+    ret = krb5_k_create_key(context, keyblock, &key);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_verify_checksum_iov(context, checksum_type, key, usage, data,
+				     num_data, valid);
+    krb5_k_free_key(context, key);
+    return ret;
+}

Modified: branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.c
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.c	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.c	2009-10-05 18:30:00 UTC (rev 22845)
@@ -42,27 +42,28 @@
   const struct krb5_enc_provider *enc = &yarrow_enc_provider;
   krb5_error_code ret;
   krb5_data randombits;
+  krb5_keyblock keyblock;
+
   keybytes = enc->keybytes;
   keylength = enc->keylength;
   assert (keybytes == CIPHER_KEY_SIZE);
-  if (ctx->key.contents) {
-    memset (ctx->key.contents, 0, ctx->key.length);
-    free (ctx->key.contents);
-  }
-  ctx->key.contents = (void *) malloc  (keylength);
-  ctx->key.length = keylength;
-  if (ctx->key.contents == NULL)
+  krb5_k_free_key(NULL, ctx->key);
+  ctx->key = NULL;
+  keyblock.contents = malloc(keylength);
+  keyblock.length = keylength;
+  if (keyblock.contents == NULL)
     return (YARROW_NOMEM);
   randombits.data = (char *) key;
   randombits.length = keybytes;
-  ret = enc->make_key (&randombits, &ctx->key);
-  if (ret) {
-    memset (ctx->key.contents, 0, ctx->key.length);
-    free(ctx->key.contents);
-    ctx->key.contents = NULL;
-    return (YARROW_FAIL);
-  }
-  return (YARROW_OK);
+  ret = enc->make_key(&randombits, &keyblock);
+  if (ret != 0)
+      goto cleanup;
+  ret = krb5_k_create_key(NULL, &keyblock, &ctx->key);
+cleanup:
+  free(keyblock.contents);
+  if (ret)
+    return YARROW_FAIL;
+  return YARROW_OK;
 }
 
 int krb5int_yarrow_cipher_encrypt_block
@@ -76,7 +77,7 @@
   ind.length = CIPHER_BLOCK_SIZE;
   outd.data = (char *) out;
   outd.length = CIPHER_BLOCK_SIZE;
-  ret = enc->encrypt (&ctx->key, 0, &ind, &outd);
+  ret = enc->encrypt(ctx->key, 0, &ind, &outd);
   if (ret)
     return YARROW_FAIL;
   return YARROW_OK;
@@ -87,10 +88,6 @@
 (CIPHER_CTX *ctx)
 
 {
- if (ctx->key.contents) {
-    memset (ctx->key.contents, 0, ctx->key.length);
-    free (ctx->key.contents);
-  }
-  ctx->key.contents = 0;
-  ctx->key.length = 0;
+  krb5_k_free_key(NULL, ctx->key);
+  ctx->key = NULL;
 }

Modified: branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.h
===================================================================
--- branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.h	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/crypto/krb/yarrow/ycipher.h	2009-10-05 18:30:00 UTC (rev 22845)
@@ -7,7 +7,7 @@
 
 typedef struct 
 {
-    krb5_keyblock key;
+    krb5_key key;
 } CIPHER_CTX;
 
 /* We need to choose a cipher. To do this, choose an enc_provider.

Modified: branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp
===================================================================
--- branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp	2009-10-05 18:08:47 UTC (rev 22844)
+++ branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp	2009-10-05 18:30:00 UTC (rev 22845)
@@ -96,6 +96,7 @@
     }
     expect_tcl_prompt
 
+    while {![file exists /tmp/go]} {}
     send_tcl_cmd_await_echo {kadm5_init admin admin $KADM5_ADMIN_SERVICE null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle}
     expect_kadm_ok
     expect "^% "



From ghudson at MIT.EDU  Tue Oct  6 11:33:12 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Tue, 6 Oct 2009 11:33:12 -0400
Subject: svn rev #22854: branches/enc-perf/src/lib/crypto/ 
Message-ID: <200910061533.n96FXCsB019781@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22854
Commit By: ghudson
Log Message:
Export krb5_k_encrypt/etc. from libk5crypto (change was missing
from r22845).



Changed Files:
U   branches/enc-perf/src/lib/crypto/libk5crypto.exports
Modified: branches/enc-perf/src/lib/crypto/libk5crypto.exports
===================================================================
--- branches/enc-perf/src/lib/crypto/libk5crypto.exports	2009-10-06 15:24:52 UTC (rev 22853)
+++ branches/enc-perf/src/lib/crypto/libk5crypto.exports	2009-10-06 15:33:11 UTC (rev 22854)
@@ -73,9 +73,17 @@
 krb5_hmac
 krb5_init_random_key
 krb5_k_create_key
+krb5_k_decrypt
+krb5_k_decrypt_iov
+krb5_k_encrypt
+krb5_k_encrypt_iov
 krb5_k_free_key
 krb5_k_key_enctype
 krb5_k_key_keyblock
+krb5_k_make_checksum
+krb5_k_make_checksum_iov
+krb5_k_verify_checksum
+krb5_k_verify_checksum_iov
 krb5_nfold
 krb5_old_decrypt
 krb5_old_encrypt



From ghudson at MIT.EDU  Tue Oct  6 11:40:28 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Tue, 6 Oct 2009 11:40:28 -0400
Subject: svn rev #22855: branches/enc-perf/src/lib/crypto/crypto_tests/ 
Message-ID: <200910061540.n96FeSfV020332@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22855
Commit By: ghudson
Log Message:
Extend t_encrypt to test krb5_k_encrypt and related functions as well
as the krb5_c variants.



Changed Files:
U   branches/enc-perf/src/lib/crypto/crypto_tests/t_encrypt.c
Modified: branches/enc-perf/src/lib/crypto/crypto_tests/t_encrypt.c
===================================================================
--- branches/enc-perf/src/lib/crypto/crypto_tests/t_encrypt.c	2009-10-06 15:33:11 UTC (rev 22854)
+++ branches/enc-perf/src/lib/crypto/crypto_tests/t_encrypt.c	2009-10-06 15:40:28 UTC (rev 22855)
@@ -78,13 +78,14 @@
 main ()
 {
   krb5_context context = 0;
-  krb5_data  in, in2, out, out2, check, check2, state;
+  krb5_data  in, in2, out, out2, check, check2, state, signdata;
   krb5_crypto_iov iov[5];
-  int i;
+  int i, j, pos;
+  unsigned int dummy;
   size_t len;
   krb5_enc_data enc_out, enc_out2;
-  krb5_error_code retval;
-  krb5_keyblock *key;
+  krb5_keyblock *keyblock;
+  krb5_key key;
 
   memset(iov, 0, sizeof(iov));
 
@@ -95,6 +96,8 @@
 
   test ("Seeding random number generator",
 	krb5_c_random_seed (context, &in));
+
+  /* Set up output buffers. */
   out.data = malloc(2048);
   out2.data = malloc(2048);
   check.data = malloc(2048);
@@ -106,38 +109,66 @@
   out2.length = 2048;
   check.length = 2048;
   check2.length = 2048;
+
   for (i = 0; interesting_enctypes[i]; i++) {
     krb5_enctype enctype = interesting_enctypes [i];
+
     printf ("Testing enctype %d\n", enctype);
     test ("Initializing a keyblock",
-	  krb5_init_keyblock (context, enctype, 0, &key));
-    test ("Generating random key",
-	  krb5_c_make_random_key (context, enctype, key));
+	  krb5_init_keyblock (context, enctype, 0, &keyblock));
+    test ("Generating random keyblock",
+	  krb5_c_make_random_key (context, enctype, keyblock));
+    test ("Creating opaque key from keyblock",
+	  krb5_k_create_key (context, keyblock, &key));
+
     enc_out.ciphertext = out;
     enc_out2.ciphertext = out2;
     /* We use an intermediate `len' because size_t may be different size 
        than `int' */
-    krb5_c_encrypt_length (context, key->enctype, in.length, &len);
+    krb5_c_encrypt_length (context, keyblock->enctype, in.length, &len);
     enc_out.ciphertext.length = len;
-    test ("Encrypting",
-	  krb5_c_encrypt (context, key, 7, 0, &in, &enc_out));
+
+    /* Encrypt, decrypt, and see if we got the plaintext back again. */
+    test ("Encrypting (c)",
+	  krb5_c_encrypt (context, keyblock, 7, 0, &in, &enc_out));
     test ("Decrypting",
-	  krb5_c_decrypt (context, key, 7, 0, &enc_out, &check));
+	  krb5_c_decrypt (context, keyblock, 7, 0, &enc_out, &check));
     test ("Comparing", compare_results (&in, &check));
-    if ( krb5_c_crypto_length(context, key->enctype, KRB5_CRYPTO_TYPE_HEADER, &len) == 0 ){
-	/* We support iov/aead*/
-	int j, pos;
-	krb5_data signdata;
-	signdata.data = (char *) "This should be signed";
-	signdata.length = strlen(signdata.data);
+
+    /* Try again with the opaque-key-using variants. */
+    memset(out.data, 0, out.length);
+    test ("Encrypting (k)",
+	  krb5_k_encrypt (context, key, 7, 0, &in, &enc_out));
+    test ("Decrypting",
+	  krb5_k_decrypt (context, key, 7, 0, &enc_out, &check));
+    test ("Comparing", compare_results (&in, &check));
+
+    /* Check if this enctype supports IOV encryption. */
+    if ( krb5_c_crypto_length(context, keyblock->enctype,
+			      KRB5_CRYPTO_TYPE_HEADER, &dummy) == 0 ){
+	/* Set up iovecs for stream decryption. */
+	memcpy(out2.data, enc_out.ciphertext.data, enc_out.ciphertext.length);
 	iov[0].flags= KRB5_CRYPTO_TYPE_STREAM;
+	iov[0].data.data = out2.data;
+	iov[0].data.length = enc_out.ciphertext.length;
 	iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
-	iov[0].data = enc_out.ciphertext;
-	iov[1].data = out;
-	test("IOV stream decrypting",
-	     krb5_c_decrypt_iov( context, key, 7, 0, iov, 2));
+
+	/* Decrypt the encrypted data from above and check it. */
+	test("IOV stream decrypting (c)",
+	     krb5_c_decrypt_iov( context, keyblock, 7, 0, iov, 2));
 	test("Comparing results",
 	     compare_results(&in, &iov[1].data));
+
+	/* Try again with the opaque-key-using variant. */
+	memcpy(out2.data, enc_out.ciphertext.data, enc_out.ciphertext.length);
+	test("IOV stream decrypting (k)",
+	     krb5_k_decrypt_iov( context, key, 7, 0, iov, 2));
+	test("Comparing results",
+	     compare_results(&in, &iov[1].data));
+
+	/* Set up iovecs for AEAD encryption. */
+	signdata.data = (char *) "This should be signed";
+	signdata.length = strlen(signdata.data);
 	iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
 	iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
 	iov[1].data = in; /*We'll need to copy memory before encrypt*/
@@ -145,8 +176,10 @@
 	iov[2].data = signdata;
 	iov[3].flags = KRB5_CRYPTO_TYPE_PADDING;
 	iov[4].flags = KRB5_CRYPTO_TYPE_TRAILER;
+
+	/* "Allocate" data for the iovec buffers from the "out" buffer. */
 	test("Setting up iov lengths",
-	     krb5_c_crypto_length_iov(context, key->enctype, iov, 5));
+	     krb5_c_crypto_length_iov(context, keyblock->enctype, iov, 5));
 	for (j=0,pos=0; j <= 4; j++ ){
 	    if (iov[j].flags == KRB5_CRYPTO_TYPE_SIGN_ONLY)
 		continue;
@@ -155,53 +188,67 @@
 	}
 	assert (iov[1].data.length == in.length);
 	memcpy(iov[1].data.data, in.data, in.length);
-	test("iov encrypting",
-	     krb5_c_encrypt_iov(context, key, 7, 0, iov, 5));
+
+	/* Encrypt and decrypt in place, and check the result. */
+	test("iov encrypting (c)",
+	     krb5_c_encrypt_iov(context, keyblock, 7, 0, iov, 5));
 	assert(iov[1].data.length == in.length);
 	test("iov decrypting",
-	     krb5_c_decrypt_iov(context, key, 7, 0, iov, 5));
+	     krb5_c_decrypt_iov(context, keyblock, 7, 0, iov, 5));
 	test("Comparing results",
 	     compare_results(&in, &iov[1].data));
 		       
+	/* Try again with opaque-key-using variants. */
+	test("iov encrypting (k)",
+	     krb5_k_encrypt_iov(context, key, 7, 0, iov, 5));
+	assert(iov[1].data.length == in.length);
+	test("iov decrypting",
+	     krb5_k_decrypt_iov(context, key, 7, 0, iov, 5));
+	test("Comparing results",
+	     compare_results(&in, &iov[1].data));
     }
+
     enc_out.ciphertext.length = out.length;
     check.length = 2048;
+
     test ("init_state",
-	  krb5_c_init_state (context, key, 7, &state));
+	  krb5_c_init_state (context, keyblock, 7, &state));
     test ("Encrypting with state",
-	  krb5_c_encrypt (context, key, 7, &state, &in, &enc_out));
+	  krb5_c_encrypt (context, keyblock, 7, &state, &in, &enc_out));
     test ("Encrypting again with state",
-	  krb5_c_encrypt (context, key, 7, &state, &in2, &enc_out2));
+	  krb5_c_encrypt (context, keyblock, 7, &state, &in2, &enc_out2));
     test ("free_state",
-	  krb5_c_free_state (context, key, &state));
+	  krb5_c_free_state (context, keyblock, &state));
     test ("init_state",
-	  krb5_c_init_state (context, key, 7, &state));
+	  krb5_c_init_state (context, keyblock, 7, &state));
     test ("Decrypting with state",
-	  krb5_c_decrypt (context, key, 7, &state, &enc_out, &check));
+	  krb5_c_decrypt (context, keyblock, 7, &state, &enc_out, &check));
     test ("Decrypting again with state",
-	  krb5_c_decrypt (context, key, 7, &state, &enc_out2, &check2));
+	  krb5_c_decrypt (context, keyblock, 7, &state, &enc_out2, &check2));
     test ("free_state",
-	  krb5_c_free_state (context, key, &state));
+	  krb5_c_free_state (context, keyblock, &state));
     test ("Comparing",
 	  compare_results (&in, &check));
     test ("Comparing",
 	  compare_results (&in2, &check2));
-    krb5_free_keyblock (context, key);
+
+    krb5_free_keyblock (context, keyblock);
+    krb5_k_free_key (context, key);
   }
 
   /* Test the RC4 decrypt fallback from key usage 9 to 8. */
   test ("Initializing an RC4 keyblock",
-	krb5_init_keyblock (context, ENCTYPE_ARCFOUR_HMAC, 0, &key));
+	krb5_init_keyblock (context, ENCTYPE_ARCFOUR_HMAC, 0, &keyblock));
   test ("Generating random RC4 key",
-	krb5_c_make_random_key (context, ENCTYPE_ARCFOUR_HMAC, key));
+	krb5_c_make_random_key (context, ENCTYPE_ARCFOUR_HMAC, keyblock));
   enc_out.ciphertext = out;
-  krb5_c_encrypt_length (context, key->enctype, in.length, &len);
+  krb5_c_encrypt_length (context, keyblock->enctype, in.length, &len);
   enc_out.ciphertext.length = len;
   check.length = 2048;
   test ("Encrypting with RC4 key usage 8",
-	krb5_c_encrypt (context, key, 8, 0, &in, &enc_out));
+	krb5_c_encrypt (context, keyblock, 8, 0, &in, &enc_out));
   test ("Decrypting with RC4 key usage 9",
-	krb5_c_decrypt (context, key, 9, 0, &enc_out, &check));
+	krb5_c_decrypt (context, keyblock, 9, 0, &enc_out, &check));
   test ("Comparing", compare_results (&in, &check));
 
   free(out.data);



From tsitkova at MIT.EDU  Tue Oct  6 11:47:04 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Tue, 6 Oct 2009 11:47:04 -0400
Subject: svn rev #22856: trunk/src/lib/crypto/builtin/aes/ 
Message-ID: <200910061547.n96Fl4Kf020969@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22856
Commit By: tsitkova
Log Message:
Fix object file path.



Changed Files:
U   trunk/src/lib/crypto/builtin/aes/Makefile.in
Modified: trunk/src/lib/crypto/builtin/aes/Makefile.in
===================================================================
--- trunk/src/lib/crypto/builtin/aes/Makefile.in	2009-10-06 15:40:28 UTC (rev 22855)
+++ trunk/src/lib/crypto/builtin/aes/Makefile.in	2009-10-06 15:47:04 UTC (rev 22856)
@@ -2,7 +2,7 @@
 myfulldir=lib/crypto/builtin/aes
 mydir=lib/crypto/builtin/aes
 BUILDTOP=$(REL)..$(S)..$(S)..$(S)..
-LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk
+LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)/../../krb/dk  -I$(srcdir)/../../../../include
 DEFS=
 
 ##DOS##BUILDTOP = ..\..\..\..
@@ -46,10 +46,10 @@
 depend:: $(SRCS)
 
 aes-gen: aes-gen.o $(GEN_OBJS)
-	$(CC_LINK) -o aes-gen aes-gen.o $(GEN_OBJS)
+	$(CC_LINK) -I../../../../include $(LOCALINCLUDES) -o ../../$(CIMPL)/aes-gen ../../$(CIMPL)/aes-gen.o $(GEN_OBJS)
 
-run-aes-gen: aes-gen
-	./aes-gen > kresults.out
+run-aes-gen: ../../$(CIMPL)/aes-gen
+	../../$(CIMPL)/aes-gen > kresults.out
 
 check:: run-aes-gen
 
@@ -57,7 +57,7 @@
 clean-unix:: clean-libobjs
 
 clean::
-	-$(RM) aes-gen aes-gen.o kresults.out
+	-$(RM) ../../$(CIMPL)/aes-gen ../../$(CIMPL)/aes-gen.o ../../$(CIMPL)/kresults.out
 
 @libobj_frag@
 



From raeburn at MIT.EDU  Tue Oct  6 11:54:51 2009
From: raeburn at MIT.EDU (raeburn@MIT.EDU)
Date: Tue, 6 Oct 2009 11:54:51 -0400
Subject: svn rev #22857: trunk/src/lib/krb5/error_tables/ 
Message-ID: <200910061554.n96Fsp0U021583@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22857
Commit By: raeburn
Log Message:
Slightly more comprehensible message for KRB5_RC_IO.


Changed Files:
U   trunk/src/lib/krb5/error_tables/krb5_err.et
Modified: trunk/src/lib/krb5/error_tables/krb5_err.et
===================================================================
--- trunk/src/lib/krb5/error_tables/krb5_err.et	2009-10-06 15:47:04 UTC (rev 22856)
+++ trunk/src/lib/krb5/error_tables/krb5_err.et	2009-10-06 15:54:50 UTC (rev 22857)
@@ -220,7 +220,7 @@
 error_code KRB5_RC_TYPE_NOTFOUND,	"Replay cache type is unknown"
 error_code KRB5_RC_UNKNOWN,		"Generic unknown RC error"
 error_code KRB5_RC_REPLAY,		"Message is a replay"
-error_code KRB5_RC_IO,			"Replay I/O operation failed XXX"
+error_code KRB5_RC_IO,			"Replay cache I/O operation failed"
 error_code KRB5_RC_NOIO,		"Replay cache type does not support non-volatile storage"
 error_code KRB5_RC_PARSE,		"Replay cache name parse/format error"
 



From ghudson at MIT.EDU  Tue Oct  6 12:11:31 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Tue, 6 Oct 2009 12:11:31 -0400
Subject: svn rev #22858: branches/enc-perf/src/lib/crypto/crypto_tests/ 
Message-ID: <200910061611.n96GBVdE023016@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22858
Commit By: ghudson
Log Message:
Adjust test programs to match new internal interfaces using krb5_key.



Changed Files:
U   branches/enc-perf/src/lib/crypto/crypto_tests/aes-test.c
U   branches/enc-perf/src/lib/crypto/crypto_tests/t_cksum.c
U   branches/enc-perf/src/lib/crypto/crypto_tests/t_hmac.c
Modified: branches/enc-perf/src/lib/crypto/crypto_tests/aes-test.c
===================================================================
--- branches/enc-perf/src/lib/crypto/crypto_tests/aes-test.c	2009-10-06 15:54:50 UTC (rev 22857)
+++ branches/enc-perf/src/lib/crypto/crypto_tests/aes-test.c	2009-10-06 16:11:31 UTC (rev 22858)
@@ -50,7 +50,11 @@
 }
 static void enc()
 {
-    krb5int_aes_encrypt(&enc_key, &ivec, &in, &out);
+    krb5_key key;
+
+    krb5_k_create_key(NULL, &enc_key, &key);
+    krb5int_aes_encrypt(key, &ivec, &in, &out);
+    krb5_k_free_key(NULL, key);
 }
 
 static void hexdump(const char *label, const char *cp, int len)

Modified: branches/enc-perf/src/lib/crypto/crypto_tests/t_cksum.c
===================================================================
--- branches/enc-perf/src/lib/crypto/crypto_tests/t_cksum.c	2009-10-06 15:54:50 UTC (rev 22857)
+++ branches/enc-perf/src/lib/crypto/crypto_tests/t_cksum.c	2009-10-06 16:11:31 UTC (rev 22858)
@@ -75,6 +75,7 @@
   krb5_boolean		valid;
   size_t		length;
   krb5_keyblock		keyblock;
+  krb5_key		key;
   krb5_error_code	kret=0;
   krb5_data		plaintext, newstyle_checksum;
 
@@ -89,6 +90,8 @@
   keyblock.length = sizeof(testkey);
   keyblock.contents = testkey;
 
+  krb5_k_create_key(NULL, &keyblock, &key);
+
   length = khp.hashsize;
 
   newstyle_checksum.length = length;
@@ -102,13 +105,13 @@
     plaintext.length = strlen(argv[msgindex]);
     plaintext.data = argv[msgindex];
 
-    if ((kret = (*(khp.hash))(&keyblock, 0, 0, &plaintext, &newstyle_checksum))) {
+    if ((kret = (*(khp.hash))(key, 0, 0, &plaintext, &newstyle_checksum))) {
       printf("krb5_calculate_checksum choked with %d\n", kret);
       break;
     }
     print_checksum("correct", MD, argv[msgindex], &newstyle_checksum);
 
-    if ((kret = (*(khp.verify))(&keyblock, 0, 0, &plaintext, &newstyle_checksum,
+    if ((kret = (*(khp.verify))(key, 0, 0, &plaintext, &newstyle_checksum,
 				&valid))) {
       printf("verify on new checksum choked with %d\n", kret);
       break;
@@ -120,7 +123,7 @@
     printf("Verify succeeded for \"%s\"\n", argv[msgindex]);
 
     newstyle_checksum.data[0]++;
-    if ((kret = (*(khp.verify))(&keyblock, 0, 0, &plaintext, &newstyle_checksum,
+    if ((kret = (*(khp.verify))(key, 0, 0, &plaintext, &newstyle_checksum,
 				&valid))) {
       printf("verify on new checksum choked with %d\n", kret);
       break;

Modified: branches/enc-perf/src/lib/crypto/crypto_tests/t_hmac.c
===================================================================
--- branches/enc-perf/src/lib/crypto/crypto_tests/t_hmac.c	2009-10-06 15:54:50 UTC (rev 22857)
+++ branches/enc-perf/src/lib/crypto/crypto_tests/t_hmac.c	2009-10-06 16:11:31 UTC (rev 22858)
@@ -98,6 +98,7 @@
     char tmp[40];
     size_t blocksize, hashsize;
     krb5_error_code err;
+    krb5_key k;
 
     printk(" test key", key);
     blocksize = h->blocksize;
@@ -120,7 +121,9 @@
 	printk(" pre-hashed key", key);
     }
     printd(" hmac input", in);
-    err = krb5_hmac(h, key, 1, in, out);
+    krb5_k_create_key(NULL, key, &k);
+    err = krb5_hmac(h, k, 1, in, out);
+    krb5_k_free_key(NULL, k);
     if (err == 0)
 	printd(" hmac output", out);
     return err;



From tsitkova at MIT.EDU  Tue Oct  6 12:20:19 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Tue, 6 Oct 2009 12:20:19 -0400
Subject: svn rev #22859: trunk/src/lib/crypto/openssl/aes/ 
Message-ID: <200910061620.n96GKJQl023935@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22859
Commit By: tsitkova
Log Message:
Crypto modularity proj: Populate openssl/aes dir.



Changed Files:
A   trunk/src/lib/crypto/openssl/aes/aes-gen.c
A   trunk/src/lib/crypto/openssl/aes/aes.h
A   trunk/src/lib/crypto/openssl/aes/aes_s2k.c
A   trunk/src/lib/crypto/openssl/aes/aes_s2k.h
A   trunk/src/lib/crypto/openssl/aes/aescpp.h
A   trunk/src/lib/crypto/openssl/aes/aescrypt.c
A   trunk/src/lib/crypto/openssl/aes/aeskey.c
A   trunk/src/lib/crypto/openssl/aes/aesopt.h
A   trunk/src/lib/crypto/openssl/aes/aestab.c
A   trunk/src/lib/crypto/openssl/aes/uitypes.h
Added: trunk/src/lib/crypto/openssl/aes/aes-gen.c
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aes-gen.c	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aes-gen.c	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,326 @@
+/*
+ * To be compiled against the AES code from:
+ * http://fp.gladman.plus.com/cryptography_technology/rijndael/index.htm
+ */
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include "aes.h"
+
+#define B 16U
+unsigned char key[16];
+unsigned char test_case_len[] = { B+1, 2*B-1, 2*B, 2*B+1, 3*B-1, 3*B, 4*B, };
+#define NTESTS (sizeof(test_case_len))
+struct {
+    unsigned char ivec[16];
+    unsigned char input[4*16];
+    unsigned char output[4*16];
+} test_case[NTESTS];
+aes_ctx ctx, dctx;
+
+static void init ()
+{
+    int i, j, r;
+
+    srand(42);
+    for (i = 0; i < 16; i++)
+	key[i] = 0xff & rand();
+    memset(test_case, 0, sizeof(test_case));
+    for (i = 0; i < NTESTS; i++)
+	for (j = 0; j < test_case_len[i]; j++) {
+	    test_case[i].input[j] = 0xff & rand();
+	}
+
+    r = aes_enc_key (key, sizeof(key), &ctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    r = aes_dec_key (key, sizeof(key), &dctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+}
+
+static void hexdump(const unsigned char *ptr, size_t len)
+{
+    int i;
+    for (i = 0; i < len; i++)
+	printf ("%s%02X", (i % 16 == 0) ? "\n    " : " ", ptr[i]);
+}
+
+static void fips_test ()
+{
+    static const unsigned char fipskey[16] = {
+	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
+    };
+    static const unsigned char input[16] = {
+	0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+	0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+    };
+    static const unsigned char expected[16] = {
+	0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30,
+	0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a,
+    };
+    unsigned char output[16];
+    unsigned char tmp[16];
+    aes_ctx fipsctx;
+    int r;
+
+    printf ("FIPS test:\nkey:");
+    hexdump (fipskey, 16);
+    printf ("\ninput:");
+    hexdump (input, 16);
+    r = aes_enc_key (fipskey, sizeof(fipskey), &fipsctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    r = aes_enc_blk (input, output, &fipsctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    printf ("\noutput:");
+    hexdump (output, 16);
+    printf ("\n");
+    if (memcmp(expected, output, 16))
+	fprintf(stderr, "wrong results!!!\n"), exit (1);
+    r = aes_dec_key (fipskey, sizeof(fipskey), &fipsctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    r = aes_dec_blk (output, tmp, &fipsctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    if (memcmp(input, tmp, 16))
+	fprintf(stderr, "decryption failed!!\n"), exit(1);
+    printf ("ok.\n\n");
+}
+
+static void
+xor (unsigned char *out, const unsigned char *a, const unsigned char *b)
+{
+    int i;
+    for (i = 0; i < B; i++)
+	out[i] = a[i] ^ b[i];
+}
+
+static void
+ecb_enc (unsigned char *out, unsigned char *in, unsigned int len)
+{
+    int i, r;
+    for (i = 0; i < len; i += 16) {
+	r = aes_enc_blk (in + i, out + i, &ctx);
+	if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    }
+    if (i != len) abort ();
+}
+
+static void
+ecb_dec (unsigned char *out, unsigned char *in, unsigned int len)
+{
+    int i, r;
+    for (i = 0; i < len; i += 16) {
+	r = aes_dec_blk (in + i, out + i, &dctx);
+	if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    }
+    if (i != len) abort ();
+}
+
+#define D(X) (printf("%s %d: %s=",__FUNCTION__,__LINE__, #X),hexdump(X,B),printf("\n"))
+
+#undef D
+#define D(X)
+
+static void
+cbc_enc (unsigned char *out, unsigned char *in, unsigned char *iv,
+	 unsigned int len)
+{
+    int i, r;
+    unsigned char tmp[B];
+    D(iv);
+    memcpy (tmp, iv, B);
+    for (i = 0; i < len; i += B) {
+	D(in+i);
+	xor (tmp, tmp, in + i);
+	D(tmp);
+	r = aes_enc_blk (tmp, out + i, &ctx);
+	if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+	memcpy (tmp, out + i, B);
+	D(out+i);
+    }
+    if (i != len) abort ();
+}
+
+static void
+cbc_dec (unsigned char *out, unsigned char *in, unsigned char *iv,
+	 unsigned int len)
+{
+    int i, r;
+    unsigned char tmp[B];
+    memcpy (tmp, iv, B);
+    for (i = 0; i < len; i += B) {
+	r = aes_dec_blk (in + i, tmp, &dctx);
+	if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+	xor (tmp, tmp, iv);
+	iv = in + i;
+	memcpy (out + i, tmp, B);
+    }
+    if (i != len) abort ();
+}
+
+static void
+cts_enc (unsigned char *out, unsigned char *in, unsigned char *iv,
+	 unsigned int len)
+{
+    int r;
+    unsigned int len2;
+    unsigned char pn1[B], pn[B], cn[B], cn1[B];
+
+    if (len < B + 1) abort ();
+    len2 = (len - B - 1) & ~(B-1);
+    cbc_enc (out, in, iv, len2);
+    out += len2;
+    in += len2;
+    len -= len2;
+    if (len2)
+	iv = out - B;
+    if (len <= B || len > 2 * B)
+	abort ();
+    printf ("(did CBC mode for %d)\n", len2);
+
+    D(in);
+    xor (pn1, in, iv);
+    D(pn1);
+    r = aes_enc_blk (pn1, cn, &ctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    D(cn);
+    memset (pn, 0, sizeof(pn));
+    memcpy (pn, in+B, len-B);
+    D(pn);
+    xor (pn, pn, cn);
+    D(pn);
+    r = aes_enc_blk (pn, cn1, &ctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    D(cn1);
+    memcpy(out, cn1, B);
+    memcpy(out+B, cn, len-B);
+}
+
+static void
+cts_dec (unsigned char *out, unsigned char *in, unsigned char *iv,
+	 unsigned int len)
+{
+    int r;
+    unsigned int len2;
+    unsigned char pn1[B], pn[B], cn[B], cn1[B];
+
+    if (len < B + 1) abort ();
+    len2 = (len - B - 1) & ~(B-1);
+    cbc_dec (out, in, iv, len2);
+    out += len2;
+    in += len2;
+    len -= len2;
+    if (len2)
+	iv = in - B;
+    if (len <= B || len > 2 * B)
+	abort ();
+
+    memcpy (cn1, in, B);
+    r = aes_dec_blk (cn1, pn, &dctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    memset (cn, 0, sizeof(cn));
+    memcpy (cn, in+B, len-B);
+    xor (pn, pn, cn);
+    memcpy (cn+len-B, pn+len-B, 2*B-len);
+    r = aes_dec_blk (cn, pn1, &dctx);
+    if (!r) fprintf(stderr, "error, line %d\n", __LINE__), exit(1);
+    xor (pn1, pn1, iv);
+    memcpy(out, pn1, B);
+    memcpy(out+B, pn, len-B);
+}
+
+static void ecb_test ()
+{
+    int testno;
+    unsigned char tmp[4*B];
+
+    printf ("ECB tests:\n");
+    printf ("key:");
+    hexdump (key, sizeof(key));
+    for (testno = 0; testno < NTESTS; testno++) {
+	unsigned len = (test_case_len[testno] + 15) & ~15;
+	printf ("\ntest %d - %d bytes\n", testno, len);
+	printf ("input:");
+	hexdump (test_case[testno].input, len);
+	printf ("\n");
+	ecb_enc (test_case[testno].output, test_case[testno].input, len);
+	printf ("output:");
+	hexdump (test_case[testno].output, len);
+	printf ("\n");
+	ecb_dec (tmp, test_case[testno].output, len);
+	if (memcmp (tmp, test_case[testno].input, len)) {
+	    printf ("ecb decrypt failed!!");
+	    hexdump (tmp, len);
+	    printf ("\n");
+	    exit (1);
+	}
+    }
+    printf ("\n");
+}
+
+unsigned char ivec[16] = { 0 };
+
+static void cbc_test ()
+{
+    int testno;
+    unsigned char tmp[4*B];
+
+    printf ("CBC tests:\n");
+    printf ("initial vector:");
+    hexdump (ivec, sizeof(ivec));
+    for (testno = 0; testno < NTESTS; testno++) {
+	unsigned len = (test_case_len[testno] + 15) & ~15;
+	printf ("\ntest %d - %d bytes\n", testno, len);
+	printf ("input:");
+	hexdump (test_case[testno].input, len);
+	printf ("\n");
+	cbc_enc (test_case[testno].output, test_case[testno].input, ivec, len);
+	printf ("output:");
+	hexdump (test_case[testno].output, len);
+	printf ("\n");
+	cbc_dec (tmp, test_case[testno].output, ivec, len);
+	if (memcmp (tmp, test_case[testno].input, len)) {
+	    printf("cbc decrypt failed!!");
+	    hexdump (tmp, len);
+	    printf ("\n");
+	    exit(1);
+	}
+    }
+    printf ("\n");
+}
+
+static void cts_test ()
+{
+    int testno;
+    unsigned char tmp[4*B];
+
+    printf ("CTS tests:\n");
+    printf ("initial vector:");
+    hexdump (ivec, sizeof(ivec));
+    for (testno = 0; testno < NTESTS; testno++) {
+	unsigned int len = test_case_len[testno];
+	printf ("\ntest %d - %d bytes\n", testno, len);
+	printf ("input:");
+	hexdump (test_case[testno].input, len);
+	printf ("\n");
+	cts_enc (test_case[testno].output, test_case[testno].input, ivec, len);
+	printf ("output:");
+	hexdump (test_case[testno].output, len);
+	printf ("\n");
+	cts_dec (tmp, test_case[testno].output, ivec, len);
+	if (memcmp (tmp, test_case[testno].input, len))
+	    fprintf (stderr, "cts decrypt failed!!\n"), exit(1);
+    }
+    printf ("\n");
+}
+
+int main ()
+{
+    init ();
+    fips_test ();
+
+    ecb_test();
+    cbc_test();
+    cts_test();
+
+    return 0;
+}

Added: trunk/src/lib/crypto/openssl/aes/aes.h
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aes.h	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aes.h	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,97 @@
+/*
+ -------------------------------------------------------------------------
+ Copyright (c) 2001, Dr Brian Gladman <brg at gladman.uk.net>, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explcit or implied warranties
+ in respect of any properties, including, but not limited to, correctness 
+ and fitness for purpose.
+ -------------------------------------------------------------------------
+ Issue Date: 21/01/2002
+
+ This file contains the definitions required to use AES (Rijndael) in C.
+*/
+
+#ifndef _AES_H
+#define _AES_H
+
+#include "uitypes.h"
+
+/*  BLOCK_SIZE is in BYTES: 16, 24, 32 or undefined for aes.c and 16, 20, 
+    24, 28, 32 or undefined for aespp.c.  When left undefined a slower 
+    version that provides variable block length is compiled.    
+*/
+
+#define BLOCK_SIZE  16
+
+/* key schedule length (in 32-bit words)    */
+
+#if !defined(BLOCK_SIZE)
+#define KS_LENGTH   128
+#else
+#define KS_LENGTH   4 * BLOCK_SIZE
+#endif
+
+#if defined(__cplusplus)
+extern "C"
+{
+#endif
+
+typedef uint16_t    aes_fret;   /* type for function return value       */
+#define aes_bad     0           /* bad function return value            */
+#define aes_good    1           /* good function return value           */
+#ifndef AES_DLL                 /* implement normal or DLL functions    */
+#define aes_rval    aes_fret
+#else
+#define aes_rval    aes_fret __declspec(dllexport) _stdcall
+#endif
+
+typedef struct                      /* the AES context for encryption   */
+{   uint32_t    k_sch[KS_LENGTH];   /* the encryption key schedule      */
+    uint32_t    n_rnd;              /* the number of cipher rounds      */
+    uint32_t    n_blk;              /* the number of bytes in the state */
+} aes_ctx;
+
+/* for Kerberos 5 tree -- hide names!  */
+#define aes_blk_len	krb5int_aes_blk_len
+#define aes_enc_key	krb5int_aes_enc_key
+#define aes_enc_blk	krb5int_aes_enc_blk
+#define aes_dec_key	krb5int_aes_dec_key
+#define aes_dec_blk	krb5int_aes_dec_blk
+#define fl_tab		krb5int_fl_tab
+#define ft_tab		krb5int_ft_tab
+#define il_tab		krb5int_il_tab
+#define im_tab		krb5int_im_tab
+#define it_tab		krb5int_it_tab
+#define rcon_tab	krb5int_rcon_tab
+
+aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]);
+
+aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]);
+aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1]);
+
+aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]);
+aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1]);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif

Added: trunk/src/lib/crypto/openssl/aes/aes_s2k.c
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aes_s2k.c	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aes_s2k.c	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,90 @@
+/*
+ * lib/crypto/openssl/aes/aes_s2k.c
+ *
+ * Copyright 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * krb5int_aes_string_to_key
+ */
+
+#include "k5-int.h"
+#include "dk.h"
+#include "aes_s2k.h"
+
+#define DEFAULT_ITERATION_COUNT		4096 /* was 0xb000L in earlier drafts */
+#define MAX_ITERATION_COUNT		0x1000000L
+
+krb5_error_code
+krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
+			  const krb5_data *string,
+			  const krb5_data *salt,
+			  const krb5_data *params,
+			  krb5_keyblock *key)
+{
+    unsigned long iter_count;
+    krb5_data out;
+    static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+    krb5_error_code err;
+
+    if (params) {
+	unsigned char *p = (unsigned char *) params->data;
+	if (params->length != 4)
+	    return KRB5_ERR_BAD_S2K_PARAMS;
+	/* The first two need casts in case 'int' is 16 bits.  */
+	iter_count = load_32_be(p);
+	if (iter_count == 0) {
+	    iter_count = (1UL << 16) << 16;
+	    if (((iter_count >> 16) >> 16) != 1)
+		return KRB5_ERR_BAD_S2K_PARAMS;
+	}
+    } else
+	iter_count = DEFAULT_ITERATION_COUNT;
+
+    /* This is not a protocol specification constraint; this is an
+       implementation limit, which should eventually be controlled by
+       a config file.  */
+    if (iter_count >= MAX_ITERATION_COUNT)
+	return KRB5_ERR_BAD_S2K_PARAMS;
+
+    /*
+     * Dense key space, no parity bits or anything, so take a shortcut
+     * and use the key contents buffer for the generated bytes.
+     */
+    out.data = (char *) key->contents;
+    out.length = key->length;
+    if (out.length != 16 && out.length != 32)
+	return KRB5_CRYPTO_INTERNAL;
+
+    err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
+    if (err) {
+	memset(out.data, 0, out.length);
+	return err;
+    }
+
+    err = krb5_derive_key (enc, key, key, &usage);
+    if (err) {
+	memset(out.data, 0, out.length);
+	return err;
+    }
+    return 0;
+}

Added: trunk/src/lib/crypto/openssl/aes/aes_s2k.h
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aes_s2k.h	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aes_s2k.h	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,9 @@
+/*
+ * lib/crypto/openssl/aes/aes_s2k.h
+ */
+
+
+extern krb5_error_code
+krb5int_aes_string_to_key (const struct krb5_enc_provider *,
+			   const krb5_data *, const krb5_data *,
+			   const krb5_data *, krb5_keyblock *key);

Added: trunk/src/lib/crypto/openssl/aes/aescpp.h
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aescpp.h	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aescpp.h	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,55 @@
+
+/*
+ -------------------------------------------------------------------------
+ Copyright (c) 2001, Dr Brian Gladman <brg at gladman.uk.net>, Worcester, UK.
+ All rights reserved.
+
+ TERMS
+
+ Redistribution and use in source and binary forms, with or without 
+ modification, are permitted subject to the following conditions:
+
+  1. Redistributions of source code must retain the above copyright 
+     notice, this list of conditions and the following disclaimer. 
+
+  2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the 
+     documentation and/or other materials provided with the distribution. 
+
+  3. The copyright holder's name must not be used to endorse or promote 
+     any products derived from this software without his specific prior 
+     written permission. 
+
+ This software is provided 'as is' with no express or implied warranties 
+ of correctness or fitness for purpose.
+ -------------------------------------------------------------------------
+ Issue Date: 21/01/2002
+
+ This file contains the definitions required to use AES (Rijndael) in C++.
+*/
+
+#ifndef _AESCPP_H
+#define _AESCPP_H
+
+#include "aes.h"
+
+class AESclass
+{   aes_ctx cx[1];
+public:
+#if defined(BLOCK_SIZE)
+    AESclass()                          { cx->n_blk = BLOCK_SIZE; cx->n_rnd = 0; }
+#else
+    AESclass(unsigned int blen = 16)    { cx->n_blk = blen; cx->n_rnd = 0; }
+#endif
+    aes_rval blk_len(unsigned int blen) { return aes_blk_len(blen, cx); }
+    aes_rval enc_key(const unsigned char in_key[], unsigned int klen)
+            { return aes_enc_key(in_key, klen, cx); }
+    aes_rval dec_key(const unsigned char in_key[], unsigned int klen)
+            { return aes_dec_key(in_key, klen, cx); }
+    aes_rval enc_blk(const unsigned char in_blk[], unsigned char out_blk[])
+            { return aes_enc_blk(in_blk, out_blk, cx); }
+    aes_rval dec_blk(const unsigned char in_blk[], unsigned char out_blk[])
+            { return aes_dec_blk(in_blk, out_blk, cx); }
+};
+
+#endif

Added: trunk/src/lib/crypto/openssl/aes/aescrypt.c
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aescrypt.c	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aescrypt.c	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,14 @@
+/* lib/crypto/openssl/aes/aescrypt.c 
+ */ 
+
+#include "aesopt.h"
+
+aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1])
+{
+    return aes_bad;
+}
+aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1])
+{
+    return aes_bad;
+}
+

Added: trunk/src/lib/crypto/openssl/aes/aeskey.c
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aeskey.c	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aeskey.c	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,15 @@
+/*
+ * lib/crypto/openssl/aes/aeskey.c
+ */
+
+#include "aesopt.h"
+
+aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1])
+{
+    return aes_bad;
+}
+aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1])
+{
+    return aes_bad;
+}
+

Added: trunk/src/lib/crypto/openssl/aes/aesopt.h
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aesopt.h	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aesopt.h	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,851 @@
+/*
+ -------------------------------------------------------------------------
+ Copyright (c) 2001, Dr Brian Gladman <brg at gladman.uk.net>, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explcit or implied warranties
+ in respect of any properties, including, but not limited to, correctness 
+ and fitness for purpose.
+ -------------------------------------------------------------------------
+ Issue Date: 07/02/2002
+
+ This file contains the compilation options for AES (Rijndael) and code 
+ that is common across encryption, key scheduling and table generation.
+
+
+    OPERATION
+ 
+    These source code files implement the AES algorithm Rijndael designed by
+    Joan Daemen and Vincent Rijmen. The version in aes.c is designed for 
+    block and key sizes of 128, 192 and 256 bits (16, 24 and 32 bytes) while 
+    that in aespp.c provides for block and keys sizes of 128, 160, 192, 224 
+    and 256 bits (16, 20, 24, 28 and 32 bytes).  This file is a common header 
+    file for these two implementations and for aesref.c, which is a reference 
+    implementation.
+    
+    This version is designed for flexibility and speed using operations on
+    32-bit words rather than operations on bytes.  It provides aes_both fixed 
+    and  dynamic block and key lengths and can also run with either big or 
+    little endian internal byte order (see aes.h).  It inputs block and key 
+    lengths in bytes with the legal values being  16, 24 and 32 for aes.c and 
+    16, 20, 24, 28 and 32 for aespp.c
+ 
+    THE CIPHER INTERFACE
+
+    uint8_t         (an unsigned  8-bit type)
+    uint32_t        (an unsigned 32-bit type)
+    aes_fret        (a signed 16 bit type for function return values)
+    aes_good        (value != 0, a good return)
+    aes_bad         (value == 0, an error return)
+    struct aes_ctx  (structure for the cipher encryption context)
+    struct aes_ctx  (structure for the cipher decryption context)
+    aes_rval        the function return type (aes_fret if not DLL)
+
+    C subroutine calls:
+
+      aes_rval aes_blk_len(unsigned int blen, aes_ctx cx[1]);
+      aes_rval aes_enc_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]);
+      aes_rval aes_enc_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1]);
+
+      aes_rval aes_dec_len(unsigned int blen, aes_ctx cx[1]);
+      aes_rval aes_dec_key(const unsigned char in_key[], unsigned int klen, aes_ctx cx[1]);
+      aes_rval aes_dec_blk(const unsigned char in_blk[], unsigned char out_blk[], const aes_ctx cx[1]);
+
+    IMPORTANT NOTE: If you are using this C interface and your compiler does 
+    not set the memory used for objects to zero before use, you will need to 
+    ensure that cx.s_flg is set to zero before using these subroutine calls.
+
+    C++ aes class subroutines:
+
+      class AESclass    for encryption
+      class AESclass    for decryption
+
+      aes_rval len(unsigned int blen = 16);
+      aes_rval key(const unsigned char in_key[], unsigned int klen);
+      aes_rval blk(const unsigned char in_blk[], unsigned char out_blk[]);
+
+      aes_rval len(unsigned int blen = 16);
+      aes_rval key(const unsigned char in_key[], unsigned int klen);
+      aes_rval blk(const unsigned char in_blk[], unsigned char out_blk[]);
+
+    The block length inputs to set_block and set_key are in numbers of
+    BYTES, not bits.  The calls to subroutines must be made in the above 
+    order but multiple calls can be made without repeating earlier calls
+    if their parameters have not changed. If the cipher block length is
+    variable but set_blk has not been called before cipher operations a
+    value of 16 is assumed (that is, the AES block size). In contrast to 
+    earlier versions the block and key length parameters are now checked
+    for correctness and the encryption and decryption routines check to 
+    ensure that an appropriate key has been set before they are called.
+
+    COMPILATION 
+
+    The files used to provide AES (Rijndael) are
+
+    a. aes.h for the definitions needed for use in C.
+    b. aescpp.h for the definitions needed for use in C++. 
+    c. aesopt.h for setting compilation options (also includes common
+       code).
+    d. aescrypt.c for encryption and decrytpion, or
+    e. aescrypt.asm for encryption and decryption using assembler code.
+    f. aeskey.c for key scheduling.
+    g. aestab.c for table loading or generation.
+    h. uitypes.h for defining fixed length unsigned integers.
+
+    The assembler code uses the NASM assembler. The above files provice
+    block and key lengths of 16, 24 and 32 bytes (128, 192 and 256 bits).
+    If aescrypp.c and aeskeypp.c are used instead of aescrypt.c and
+    aeskey.c respectively, the block and key lengths can then be 16, 20,
+    24, 28 or 32 bytes. However this code has not been optimised to the 
+    same extent and is hence slower (esepcially for the AES block size
+    of 16 bytes).
+
+    To compile AES (Rijndael) for use in C code use aes.h and exclude
+    the AES_DLL define in aes.h
+
+    To compile AES (Rijndael) for use in in C++ code use aescpp.h and
+    exclude the AES_DLL define in aes.h
+
+    To compile AES (Rijndael) in C as a Dynamic Link Library DLL) use
+    aes.h, include the AES_DLL define and compile the DLL.  If using 
+    the test files to test the DLL, exclude aes.c from the test build
+    project and compile it with the same defines as used for the DLL 
+    (ensure that the DLL path is correct)
+
+    CONFIGURATION OPTIONS (here and in aes.h)
+
+    a. define BLOCK_SIZE in aes.h to set the cipher block size (16, 24 
+       or 32 for the standard code, or 16, 20, 24, 28 or 32 for the 
+       extended code) or leave this undefined for dynamically variable 
+       block size (this will result in much slower code).
+    b. set AES_DLL in aes.h if AES (Rijndael) is to be compiled as a DLL
+    c. You may need to set PLATFORM_BYTE_ORDER to define the byte order. 
+    d. If you want the code to run in a specific internal byte order, then
+       INTERNAL_BYTE_ORDER must be set accordingly.
+    e. set other configuration options decribed below.
+*/ 
+
+#ifndef _AESOPT_H
+#define _AESOPT_H
+
+/*  START OF CONFIGURATION OPTIONS
+
+    USE OF DEFINES
+  
+    Later in this section there are a number of defines that control
+    the operation of the code.  In each section, the purpose of each
+    define is explained so that the relevant form can be included or
+    excluded by setting either 1's or 0's respectively on the branches
+    of the related #if clauses.
+*/
+
+#include "autoconf.h"
+
+/*  1. PLATFORM SPECIFIC INCLUDES */
+
+#if /* defined(__GNUC__) || */ defined(__GNU_LIBRARY__)
+#  include <endian.h>
+#  include <byteswap.h>
+#elif defined(__CRYPTLIB__)
+#  if defined( INC_ALL )
+#    include "crypt.h"
+#  elif defined( INC_CHILD )
+#    include "../crypt.h"
+#  else
+#    include "crypt.h"
+#  endif
+#  if defined(DATA_LITTLEENDIAN)
+#    define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#  else
+#    define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN
+#  endif
+#elif defined(_MSC_VER)
+#  include <stdlib.h>
+#elif defined(__m68k__) && defined(__palmos__)
+#  include <FloatMgr.h> /* defines BIG_ENDIAN */
+#elif defined(_MIPSEB)
+#  define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN
+#elif defined(_MIPSEL)
+#  define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#elif defined(_WIN32)
+#  define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#elif !defined(_WIN32)
+#  include <stdlib.h>
+#  if defined(HAVE_ENDIAN_H)
+#    include <endian.h>
+#  elif defined(HAVE_MACHINE_ENDIAN_H)
+#    include <machine/endian.h>
+#  else
+#    include <sys/param.h>
+#  endif
+#endif
+
+/*  2. BYTE ORDER IN 32-BIT WORDS
+
+    To obtain the highest speed on processors with 32-bit words, this code 
+    needs to determine the order in which bytes are packed into such words.
+    The following block of code is an attempt to capture the most obvious 
+    ways in which various environemnts specify heir endian definitions. It 
+    may well fail, in which case the definitions will need to be set by 
+    editing at the points marked **** EDIT HERE IF NECESSARY **** below.
+*/
+#define AES_LITTLE_ENDIAN   1234 /* byte 0 is least significant (i386) */
+#define AES_BIG_ENDIAN      4321 /* byte 0 is most significant (mc68k) */
+
+#if !defined(PLATFORM_BYTE_ORDER)
+#if defined(LITTLE_ENDIAN) || defined(BIG_ENDIAN)
+#  if defined(LITTLE_ENDIAN) && defined(BIG_ENDIAN)
+#    if defined(BYTE_ORDER)
+#      if   (BYTE_ORDER == LITTLE_ENDIAN)
+#        define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#      elif (BYTE_ORDER == BIG_ENDIAN)
+#        define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN
+#      endif
+#    endif
+#  elif defined(LITTLE_ENDIAN) && !defined(BIG_ENDIAN) 
+#    define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#  elif !defined(LITTLE_ENDIAN) && defined(BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN
+#  endif
+#elif defined(_LITTLE_ENDIAN) || defined(_BIG_ENDIAN)
+#  if defined(_LITTLE_ENDIAN) && defined(_BIG_ENDIAN)
+#    if defined(_BYTE_ORDER)
+#      if   (_BYTE_ORDER == _LITTLE_ENDIAN)
+#        define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#      elif (_BYTE_ORDER == _BIG_ENDIAN)
+#        define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN
+#      endif
+#    endif
+#  elif defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN) 
+#    define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#  elif !defined(_LITTLE_ENDIAN) && defined(_BIG_ENDIAN)
+#    define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN
+#  endif
+#elif 0     /* **** EDIT HERE IF NECESSARY **** */
+#define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#elif 0     /* **** EDIT HERE IF NECESSARY **** */
+#define PLATFORM_BYTE_ORDER AES_BIG_ENDIAN
+#elif 1
+#define PLATFORM_BYTE_ORDER AES_LITTLE_ENDIAN
+#define UNKNOWN_BYTE_ORDER	/* we're guessing */
+#endif
+#endif
+
+/*  3. ASSEMBLER SUPPORT
+    
+    If the assembler code is used for encryption and decryption this file only 
+    provides key scheduling so the following defines are used
+*/
+#ifdef  AES_ASM
+#define ENCRYPTION_KEY_SCHEDULE
+#define DECRYPTION_KEY_SCHEDULE
+#endif
+
+/*  4. FUNCTIONS REQUIRED
+
+    This implementation provides five main subroutines which provide for
+    setting block length, setting encryption and decryption keys and for
+    encryption and decryption. When the assembler code is not being used
+    the following definition blocks allow the selection of the routines
+    that are to be included in the compilation.
+*/
+#if 1
+#ifndef AES_ASM
+#define SET_BLOCK_LENGTH
+#endif
+#endif
+
+#if 1
+#ifndef AES_ASM
+#define ENCRYPTION_KEY_SCHEDULE
+#endif
+#endif
+
+#if 1
+#ifndef AES_ASM
+#define DECRYPTION_KEY_SCHEDULE
+#endif
+#endif
+
+#if 1
+#ifndef AES_ASM
+#define ENCRYPTION
+#endif
+#endif
+
+#if 1
+#ifndef AES_ASM
+#define DECRYPTION
+#endif
+#endif
+
+/*  5. BYTE ORDER WITHIN 32 BIT WORDS
+
+    The fundamental data processing units in Rijndael are 8-bit bytes. The 
+    input, output and key input are all enumerated arrays of bytes in which 
+    bytes are numbered starting at zero and increasing to one less than the 
+    number of bytes in the array in question. This enumeration is only used 
+    for naming bytes and does not imply any adjacency or order relationship 
+    from one byte to another. When these inputs and outputs are considered 
+    as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to 
+    byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte. 
+    In this implementation bits are numbered from 0 to 7 starting at the 
+    numerically least significant end of each byte (bit n represents 2^n).
+
+    However, Rijndael can be implemented more efficiently using 32-bit 
+    words by packing bytes into words so that bytes 4*n to 4*n+3 are placed
+    into word[n]. While in principle these bytes can be assembled into words 
+    in any positions, this implementation only supports the two formats in 
+    which bytes in adjacent positions within words also have adjacent byte
+    numbers. This order is called big-endian if the lowest numbered bytes 
+    in words have the highest numeric significance and little-endian if the 
+    opposite applies. 
+    
+    This code can work in either order irrespective of the order used by the 
+    machine on which it runs. Normally the internal byte order will be set
+    to the order of the processor on which the code is to be run but this
+    define can be used to reverse this in special situations
+*/
+#if 1
+#define INTERNAL_BYTE_ORDER PLATFORM_BYTE_ORDER
+#elif defined(AES_LITTLE_ENDIAN)
+#define INTERNAL_BYTE_ORDER AES_LITTLE_ENDIAN
+#elif defined(AES_BIG_ENDIAN)
+#define INTERNAL_BYTE_ORDER AES_BIG_ENDIAN
+#endif
+
+/*  6. FAST INPUT/OUTPUT OPERATIONS.  
+
+    On some machines it is possible to improve speed by transferring the 
+    bytes in the input and output arrays to and from the internal 32-bit 
+    variables by addressing these arrays as if they are arrays of 32-bit 
+    words.  On some machines this will always be possible but there may 
+    be a large performance penalty if the byte arrays are not aligned on 
+    the normal word boundaries. On other machines this technique will 
+    lead to memory access errors when such 32-bit word accesses are not
+    properly aligned. The option SAFE_IO avoids such problems but will 
+    often be slower on those machines that support misaligned access 
+    (especially so if care is taken to align the input  and output byte 
+    arrays on 32-bit word boundaries). If SAFE_IO is not defined it is 
+    assumed that access to byte arrays as if they are arrays of 32-bit 
+    words will not cause problems when such accesses are misaligned.
+*/
+#if 1
+#define SAFE_IO
+#endif
+
+/*
+ * If PLATFORM_BYTE_ORDER does not match the actual machine byte
+ * order, the fast word-access code will cause incorrect results.
+ * Therefore, SAFE_IO is required when the byte order is unknown.
+ */
+#if !defined(SAFE_IO) && defined(UNKNOWN_BYTE_ORDER)
+#  error "SAFE_IO must be defined if machine byte order is unknown."
+#endif
+
+/*  7. LOOP UNROLLING
+
+    The code for encryption and decrytpion cycles through a number of rounds
+    that can be implemented either in a loop or by expanding the code into a 
+    long sequence of instructions, the latter producing a larger program but
+    one that will often be much faster. The latter is called loop unrolling.
+    There are also potential speed advantages in expanding two iterations in
+    a loop with half the number of iterations, which is called partial loop
+    unrolling.  The following options allow partial or full loop unrolling 
+    to be set independently for encryption and decryption
+*/
+#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)
+#define ENC_UNROLL  FULL
+#elif 0
+#define ENC_UNROLL  PARTIAL
+#else
+#define ENC_UNROLL  NONE
+#endif
+
+#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)
+#define DEC_UNROLL  FULL
+#elif 0
+#define DEC_UNROLL  PARTIAL
+#else
+#define DEC_UNROLL  NONE
+#endif
+
+/*  8. FIXED OR DYNAMIC TABLES
+
+    When this section is included the tables used by the code are compiled 
+    statically into the binary file.  Otherwise they are computed once when 
+    the code is first used.
+*/
+#if 1
+#define FIXED_TABLES
+#endif
+
+/*  9. FAST FINITE FIELD OPERATIONS
+
+    If this section is included, tables are used to provide faster finite 
+    field arithmetic (this has no effect if FIXED_TABLES is defined).
+*/
+#if 1
+#define FF_TABLES
+#endif
+
+/*  10. INTERNAL STATE VARIABLE FORMAT
+
+    The internal state of Rijndael is stored in a number of local 32-bit 
+    word varaibles which can be defined either as an array or as individual 
+    names variables. Include this section if you want to store these local
+    varaibles in arrays. Otherwise individual local variables will be used.
+*/
+#if 1
+#define ARRAYS
+#endif
+
+/* In this implementation the columns of the state array are each held in
+   32-bit words. The state array can be held in various ways: in an array
+   of words, in a number of individual word variables or in a number of 
+   processor registers. The following define maps a variable name x and
+   a column number c to the way the state array variable is to be held.
+   The first define below maps the state into an array x[c] whereas the 
+   second form maps the state into a number of individual variables x0,
+   x1, etc.  Another form could map individual state colums to machine
+   register names.
+*/
+
+#if defined(ARRAYS)
+#define s(x,c) x[c]
+#else
+#define s(x,c) x##c
+#endif
+
+/*  11. VARIABLE BLOCK SIZE SPEED
+
+    This section is only relevant if you wish to use the variable block
+    length feature of the code.  Include this section if you place more
+    emphasis on speed rather than code size.
+*/
+#if 1
+#define FAST_VARIABLE
+#endif
+
+/*  12. INTERNAL TABLE CONFIGURATION
+
+    This cipher proceeds by repeating in a number of cycles known as 'rounds'
+    which are implemented by a round function which can optionally be speeded
+    up using tables.  The basic tables are each 256 32-bit words, with either 
+    one or four tables being required for each round function depending on
+    how much speed is required. The encryption and decryption round functions
+    are different and the last encryption and decrytpion round functions are
+    different again making four different round functions in all.
+
+    This means that:
+      1. Normal encryption and decryption rounds can each use either 0, 1 
+         or 4 tables and table spaces of 0, 1024 or 4096 bytes each.
+      2. The last encryption and decryption rounds can also use either 0, 1 
+         or 4 tables and table spaces of 0, 1024 or 4096 bytes each.
+
+    Include or exclude the appropriate definitions below to set the number
+    of tables used by this implementation.
+*/
+
+#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)   /* set tables for the normal encryption round */
+#define ENC_ROUND   FOUR_TABLES
+#elif 0
+#define ENC_ROUND   ONE_TABLE
+#else
+#define ENC_ROUND   NO_TABLES
+#endif
+
+#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)       /* set tables for the last encryption round */
+#define LAST_ENC_ROUND  FOUR_TABLES
+#elif 0
+#define LAST_ENC_ROUND  ONE_TABLE
+#else
+#define LAST_ENC_ROUND  NO_TABLES
+#endif
+
+#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)   /* set tables for the normal decryption round */
+#define DEC_ROUND   FOUR_TABLES
+#elif 0
+#define DEC_ROUND   ONE_TABLE
+#else
+#define DEC_ROUND   NO_TABLES
+#endif
+
+#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)       /* set tables for the last decryption round */
+#define LAST_DEC_ROUND  FOUR_TABLES
+#elif 0
+#define LAST_DEC_ROUND  ONE_TABLE
+#else
+#define LAST_DEC_ROUND  NO_TABLES
+#endif
+
+/*  The decryption key schedule can be speeded up with tables in the same
+    way that the round functions can.  Include or exclude the following 
+    defines to set this requirement.
+*/
+#if !defined(CONFIG_SMALL) || defined(CONFIG_SMALL_NO_CRYPTO)
+#define KEY_SCHED   FOUR_TABLES
+#elif 0
+#define KEY_SCHED   ONE_TABLE
+#else
+#define KEY_SCHED   NO_TABLES
+#endif
+
+/* END OF CONFIGURATION OPTIONS */
+
+#define NO_TABLES   0   /* DO NOT CHANGE */
+#define ONE_TABLE   1   /* DO NOT CHANGE */
+#define FOUR_TABLES 4   /* DO NOT CHANGE */
+#define NONE        0   /* DO NOT CHANGE */
+#define PARTIAL     1   /* DO NOT CHANGE */
+#define FULL        2   /* DO NOT CHANGE */
+
+#if defined(BLOCK_SIZE) && ((BLOCK_SIZE & 3) || BLOCK_SIZE < 16 || BLOCK_SIZE > 32)
+#error An illegal block size has been specified.
+#endif  
+
+#if !defined(BLOCK_SIZE)
+#define RC_LENGTH    29
+#else
+#define RC_LENGTH   5 * BLOCK_SIZE / 4 - (BLOCK_SIZE == 16 ? 10 : 11)
+#endif
+
+/* Disable at least some poor combinations of options */
+
+#if ENC_ROUND == NO_TABLES && LAST_ENC_ROUND != NO_TABLES
+#undef  LAST_ENC_ROUND
+#define LAST_ENC_ROUND  NO_TABLES
+#elif ENC_ROUND == ONE_TABLE && LAST_ENC_ROUND == FOUR_TABLES
+#undef  LAST_ENC_ROUND
+#define LAST_ENC_ROUND  ONE_TABLE 
+#endif
+
+#if ENC_ROUND == NO_TABLES && ENC_UNROLL != NONE
+#undef  ENC_UNROLL
+#define ENC_UNROLL  NONE
+#endif
+
+#if DEC_ROUND == NO_TABLES && LAST_DEC_ROUND != NO_TABLES
+#undef  LAST_DEC_ROUND
+#define LAST_DEC_ROUND  NO_TABLES
+#elif DEC_ROUND == ONE_TABLE && LAST_DEC_ROUND == FOUR_TABLES
+#undef  LAST_DEC_ROUND
+#define LAST_DEC_ROUND  ONE_TABLE 
+#endif
+
+#if DEC_ROUND == NO_TABLES && DEC_UNROLL != NONE
+#undef  DEC_UNROLL
+#define DEC_UNROLL  NONE
+#endif
+
+#include "aes.h"
+
+ /*
+   upr(x,n):  rotates bytes within words by n positions, moving bytes to
+              higher index positions with wrap around into low positions
+   ups(x,n):  moves bytes by n positions to higher index positions in 
+              words but without wrap around
+   bval(x,n): extracts a byte from a word
+ */
+
+#if (INTERNAL_BYTE_ORDER == AES_LITTLE_ENDIAN)
+#if defined(_MSC_VER)
+#define upr(x,n)        _lrotl((x), 8 * (n))
+#else
+#define upr(x,n)        (((x) << (8 * (n))) | ((x) >> (32 - 8 * (n))))
+#endif
+#define ups(x,n)        ((x) << (8 * (n)))
+#define bval(x,n)       ((uint8_t)((x) >> (8 * (n))))
+#define bytes2word(b0, b1, b2, b3)  \
+        (((uint32_t)(b3) << 24) | ((uint32_t)(b2) << 16) | ((uint32_t)(b1) << 8) | (b0))
+#endif
+
+#if (INTERNAL_BYTE_ORDER == AES_BIG_ENDIAN)
+#define upr(x,n)        (((x) >> (8 * (n))) | ((x) << (32 - 8 * (n))))
+#define ups(x,n)        ((x) >> (8 * (n))))
+#define bval(x,n)       ((uint8_t)((x) >> (24 - 8 * (n))))
+#define bytes2word(b0, b1, b2, b3)  \
+        (((uint32_t)(b0) << 24) | ((uint32_t)(b1) << 16) | ((uint32_t)(b2) << 8) | (b3))
+#endif
+
+#if defined(SAFE_IO)
+
+#define word_in(x)      bytes2word((x)[0], (x)[1], (x)[2], (x)[3])
+#define word_out(x,v)   { (x)[0] = bval(v,0); (x)[1] = bval(v,1);   \
+                          (x)[2] = bval(v,2); (x)[3] = bval(v,3);   }
+
+#elif (INTERNAL_BYTE_ORDER == PLATFORM_BYTE_ORDER)
+
+#define word_in(x)      *(uint32_t*)(x)
+#define word_out(x,v)   *(uint32_t*)(x) = (v)
+
+#else
+
+#if !defined(bswap_32)
+#if !defined(_MSC_VER)
+#define _lrotl(x,n)     (((x) <<  n) | ((x) >> (32 - n)))
+#endif
+#define bswap_32(x)     ((_lrotl((x),8) & 0x00ff00ff) | (_lrotl((x),24) & 0xff00ff00)) 
+#endif
+
+#define word_in(x)      bswap_32(*(uint32_t*)(x))
+#define word_out(x,v)   *(uint32_t*)(x) = bswap_32(v)
+
+#endif
+
+/* the finite field modular polynomial and elements */
+
+#define WPOLY   0x011b
+#define BPOLY     0x1b
+
+/* multiply four bytes in GF(2^8) by 'x' {02} in parallel */
+
+#define m1  0x80808080
+#define m2  0x7f7f7f7f
+#define FFmulX(x)  ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * BPOLY))
+
+/* The following defines provide alternative definitions of FFmulX that might
+   give improved performance if a fast 32-bit multiply is not available. Note
+   that a temporary variable u needs to be defined where FFmulX is used.
+
+#define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6)) 
+#define m4  (0x01010101 * BPOLY)
+#define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4) 
+*/
+
+/* Work out which tables are needed for the different options   */
+
+#ifdef  AES_ASM
+#ifdef  ENC_ROUND
+#undef  ENC_ROUND
+#endif
+#define ENC_ROUND   FOUR_TABLES
+#ifdef  LAST_ENC_ROUND
+#undef  LAST_ENC_ROUND
+#endif
+#define LAST_ENC_ROUND  FOUR_TABLES
+#ifdef  DEC_ROUND
+#undef  DEC_ROUND
+#endif
+#define DEC_ROUND   FOUR_TABLES
+#ifdef  LAST_DEC_ROUND
+#undef  LAST_DEC_ROUND
+#endif
+#define LAST_DEC_ROUND  FOUR_TABLES
+#ifdef  KEY_SCHED
+#undef  KEY_SCHED
+#define KEY_SCHED   FOUR_TABLES
+#endif
+#endif
+
+#if defined(ENCRYPTION) || defined(AES_ASM)
+#if ENC_ROUND == ONE_TABLE
+#define FT1_SET
+#elif ENC_ROUND == FOUR_TABLES
+#define FT4_SET
+#else
+#define SBX_SET
+#endif
+#if LAST_ENC_ROUND == ONE_TABLE
+#define FL1_SET
+#elif LAST_ENC_ROUND == FOUR_TABLES
+#define FL4_SET
+#elif !defined(SBX_SET)
+#define SBX_SET
+#endif
+#endif
+
+#if defined(DECRYPTION) || defined(AES_ASM)
+#if DEC_ROUND == ONE_TABLE
+#define IT1_SET
+#elif DEC_ROUND == FOUR_TABLES
+#define IT4_SET
+#else
+#define ISB_SET
+#endif
+#if LAST_DEC_ROUND == ONE_TABLE
+#define IL1_SET
+#elif LAST_DEC_ROUND == FOUR_TABLES
+#define IL4_SET
+#elif !defined(ISB_SET)
+#define ISB_SET
+#endif
+#endif
+
+#if defined(ENCRYPTION_KEY_SCHEDULE) || defined(DECRYPTION_KEY_SCHEDULE)
+#if KEY_SCHED == ONE_TABLE
+#define LS1_SET
+#define IM1_SET
+#elif KEY_SCHED == FOUR_TABLES
+#define LS4_SET
+#define IM4_SET
+#elif !defined(SBX_SET)
+#define SBX_SET
+#endif
+#endif
+
+#ifdef  FIXED_TABLES
+#define prefx   extern const
+#else
+#define prefx   extern
+extern uint8_t  tab_init;
+void gen_tabs(void);
+#endif
+
+prefx uint32_t  rcon_tab[0];
+
+#ifdef  SBX_SET
+prefx uint8_t s_box[256];
+#endif
+
+#ifdef  ISB_SET
+prefx uint8_t inv_s_box[256];
+#endif
+
+#ifdef  FT1_SET
+prefx uint32_t ft_tab[256];
+#endif
+
+#ifdef  FT4_SET
+prefx uint32_t ft_tab[4][256];
+#endif
+
+#ifdef  FL1_SET
+prefx uint32_t fl_tab[256];
+#endif
+
+#ifdef  FL4_SET
+prefx uint32_t fl_tab[4][256];
+#endif
+
+#ifdef  IT1_SET
+prefx uint32_t it_tab[256];
+#endif
+
+#ifdef  IT4_SET
+prefx uint32_t it_tab[4][256];
+#endif
+
+#ifdef  IL1_SET
+prefx uint32_t il_tab[256];
+#endif
+
+#ifdef  IL4_SET
+prefx uint32_t il_tab[4][256];
+#endif
+
+#ifdef  LS1_SET
+#ifdef  FL1_SET
+#undef  LS1_SET
+#else
+prefx uint32_t ls_tab[256];
+#endif
+#endif
+
+#ifdef  LS4_SET
+#ifdef  FL4_SET
+#undef  LS4_SET
+#else
+prefx uint32_t ls_tab[4][256];
+#endif
+#endif
+
+#ifdef  IM1_SET
+prefx uint32_t im_tab[256];
+#endif
+
+#ifdef  IM4_SET
+prefx uint32_t im_tab[4][256];
+#endif
+
+/* Set the number of columns in nc.  Note that it is important  */
+/* that nc is a constant which is known at compile time if the  */
+/* highest speed version of the code is needed                  */
+
+#if defined(BLOCK_SIZE)
+#define nc  (BLOCK_SIZE >> 2)
+#else
+#define nc  (cx->n_blk >> 2)
+#endif
+
+/* generic definitions of Rijndael macros that use of tables    */
+
+#define no_table(x,box,vf,rf,c) bytes2word( \
+    box[bval(vf(x,0,c),rf(0,c))], \
+    box[bval(vf(x,1,c),rf(1,c))], \
+    box[bval(vf(x,2,c),rf(2,c))], \
+    box[bval(vf(x,3,c),rf(3,c))])
+
+#define one_table(x,op,tab,vf,rf,c) \
+ (     tab[bval(vf(x,0,c),rf(0,c))] \
+  ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
+  ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
+  ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
+
+#define four_tables(x,tab,vf,rf,c) \
+ (  tab[0][bval(vf(x,0,c),rf(0,c))] \
+  ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
+  ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
+  ^ tab[3][bval(vf(x,3,c),rf(3,c))])
+
+#define vf1(x,r,c)  (x)
+#define rf1(r,c)    (r)
+#define rf2(r,c)    ((r-c)&3)
+
+/* perform forward and inverse column mix operation on four bytes in long word x in */
+/* parallel. NOTE: x must be a simple variable, NOT an expression in these macros.  */
+
+#define dec_fmvars
+#if defined(FM4_SET)    /* not currently used */
+#define fwd_mcol(x)     four_tables(x,fm_tab,vf1,rf1,0)
+#elif defined(FM1_SET)  /* not currently used */
+#define fwd_mcol(x)     one_table(x,upr,fm_tab,vf1,rf1,0)
+#else
+#undef  dec_fmvars
+#define dec_fmvars      uint32_t f1, f2;
+#define fwd_mcol(x)     (f1 = (x), f2 = FFmulX(f1), f2 ^ upr(f1 ^ f2, 3) ^ upr(f1, 2) ^ upr(f1, 1))
+#endif
+
+#define dec_imvars
+#if defined(IM4_SET)
+#define inv_mcol(x)     four_tables(x,im_tab,vf1,rf1,0)
+#elif defined(IM1_SET)
+#define inv_mcol(x)     one_table(x,upr,im_tab,vf1,rf1,0)
+#else
+#undef  dec_imvars
+#define dec_imvars      uint32_t    f2, f4, f8, f9;
+#define inv_mcol(x) \
+    (f9 = (x), f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
+    f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
+#endif
+
+#if defined(FL4_SET)
+#define ls_box(x,c)     four_tables(x,fl_tab,vf1,rf2,c)
+#elif   defined(LS4_SET)
+#define ls_box(x,c)     four_tables(x,ls_tab,vf1,rf2,c)
+#elif defined(FL1_SET)
+#define ls_box(x,c)     one_table(x,upr,fl_tab,vf1,rf2,c)
+#elif defined(LS1_SET)
+#define ls_box(x,c)     one_table(x,upr,ls_tab,vf1,rf2,c)
+#else
+#define ls_box(x,c)     no_table(x,s_box,vf1,rf2,c)
+#endif
+
+#endif

Added: trunk/src/lib/crypto/openssl/aes/aestab.c
===================================================================
--- trunk/src/lib/crypto/openssl/aes/aestab.c	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/aestab.c	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,6 @@
+/* lib/crypto/openssl/aes/aestab.c 
+ */ 
+
+#include "aesopt.h"
+const uint32_t rcon_tab[0]={};
+

Added: trunk/src/lib/crypto/openssl/aes/uitypes.h
===================================================================
--- trunk/src/lib/crypto/openssl/aes/uitypes.h	2009-10-06 16:11:31 UTC (rev 22858)
+++ trunk/src/lib/crypto/openssl/aes/uitypes.h	2009-10-06 16:20:19 UTC (rev 22859)
@@ -0,0 +1,83 @@
+/*
+ -------------------------------------------------------------------------
+ Copyright (c) 2001, Dr Brian Gladman <brg at gladman.uk.net>, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary 
+ form is allowed (with or without changes) provided that:
+
+   1. distributions of this source code include the above copyright 
+      notice, this list of conditions and the following disclaimer;
+
+   2. distributions in binary form include the above copyright
+      notice, this list of conditions and the following disclaimer
+      in the documentation and/or other associated materials;
+
+   3. the copyright holder's name is not used to endorse products 
+      built using this software without specific written permission. 
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explcit or implied warranties
+ in respect of any properties, including, but not limited to, correctness 
+ and fitness for purpose.
+ -------------------------------------------------------------------------
+ Issue Date: 01/02/2002
+
+ This file contains code to obtain or set the definitions for fixed length 
+ unsigned integer types.
+*/
+
+#ifndef _UITYPES_H
+#define _UITYPES_H
+
+#include "autoconf.h"
+
+#if defined(__GNU_LIBRARY__)
+#define HAS_INTTYPES_H
+#elif !defined(_MSC_VER)
+#include <limits.h>
+#if ULONG_MAX > 0xFFFFFFFFUL
+  #define MODEL_64
+#else
+  #define MODEL_32
+#endif
+#endif
+
+#if defined HAS_INTTYPES_H || defined HAVE_INTTYPES_H
+#include <inttypes.h>
+#define s_u32     u
+#define s_u64   ull
+#elif defined MODEL_32
+typedef unsigned char            uint8_t;
+typedef unsigned short int      uint16_t;
+typedef unsigned int            uint32_t;
+typedef unsigned long long int  uint64_t;
+#define s_u32     u
+#define s_u64   ull
+#elif defined MODEL_64
+typedef unsigned char            uint8_t;
+typedef unsigned short int      uint16_t;
+typedef unsigned int            uint32_t;
+typedef unsigned long int       uint64_t;
+#define s_u32     u
+#define s_u64    ul
+#elif defined(_MSC_VER)
+typedef unsigned  __int8         uint8_t;
+typedef unsigned __int16        uint16_t;
+typedef unsigned __int32        uint32_t;
+typedef unsigned __int64        uint64_t;
+#define s_u32    ui32
+#define s_u64    ui64
+#else
+#error You need to define fixed length types in uitypes.h
+#endif
+
+#define sfx_lo(x,y) x##y
+#define sfx_hi(x,y) sfx_lo(x,y)
+#define x_32(p)     sfx_hi(0x##p,s_u32)
+#define x_64(p)     sfx_hi(0x##p,s_u64)
+
+#endif



From ghudson at MIT.EDU  Tue Oct  6 12:36:34 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Tue, 6 Oct 2009 12:36:34 -0400
Subject: svn rev #22860: trunk/src/lib/krb5/krb/ 
Message-ID: <200910061636.n96GaYLA025234@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22860
Commit By: ghudson
Log Message:
In krb5_encrypt_helper, return ENOMEM instead of 0 if we can't
allocate the ciphertext buffer.



Changed Files:
U   trunk/src/lib/krb5/krb/enc_helper.c
Modified: trunk/src/lib/krb5/krb/enc_helper.c
===================================================================
--- trunk/src/lib/krb5/krb/enc_helper.c	2009-10-06 16:20:19 UTC (rev 22859)
+++ trunk/src/lib/krb5/krb/enc_helper.c	2009-10-06 16:36:34 UTC (rev 22860)
@@ -38,7 +38,7 @@
 
     cipher->ciphertext.length = enclen;
     if ((cipher->ciphertext.data = (char *) malloc(enclen)) == NULL)
-	return(ret);
+	return(ENOMEM);
     ret = krb5_c_encrypt(context, key, usage, 0, plain, cipher);
     if (ret) {
 	free(cipher->ciphertext.data);



From ghudson at MIT.EDU  Wed Oct  7 12:39:54 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Wed, 7 Oct 2009 12:39:54 -0400
Subject: svn rev #22864: trunk/doc/ 
Message-ID: <200910071639.n97Gds1A008717@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22864
Commit By: ghudson
Log Message:
Remove an outdated parenthetical comment about master_kdc; we actually
do check if the response came from the master KDC now.



Changed Files:
U   trunk/doc/admin.texinfo
Modified: trunk/doc/admin.texinfo
===================================================================
--- trunk/doc/admin.texinfo	2009-10-07 12:37:43 UTC (rev 22863)
+++ trunk/doc/admin.texinfo	2009-10-07 16:39:54 UTC (rev 22864)
@@ -691,9 +691,7 @@
 case: If an attempt to get credentials fails because of an invalid
 password, the client software will attempt to contact the master KDC,
 in case the user's password has just been changed, and the updated
-database has not been propagated to the slave servers yet.  (We don't
-currently check whether the KDC from which the initial response came
-is on the master KDC list.  That may be fixed in the future.)
+database has not been propagated to the slave servers yet.
 
 @itemx database_module
 



From ghudson at MIT.EDU  Wed Oct  7 14:13:29 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Wed, 7 Oct 2009 14:13:29 -0400
Subject: svn rev #22865: trunk/src/lib/crypto/krb/ 
Message-ID: <200910071813.n97IDTWm016548@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22865
Commit By: ghudson
Log Message:
Fix krb5_c_weak_enctype in the case of invalid enctypes; r22839
simplified it a bit too much.



Changed Files:
U   trunk/src/lib/crypto/krb/valid_enctype.c
Modified: trunk/src/lib/crypto/krb/valid_enctype.c
===================================================================
--- trunk/src/lib/crypto/krb/valid_enctype.c	2009-10-07 16:39:54 UTC (rev 22864)
+++ trunk/src/lib/crypto/krb/valid_enctype.c	2009-10-07 18:13:29 UTC (rev 22865)
@@ -45,5 +45,5 @@
     const struct krb5_keytypes *ktp;
 
     ktp = find_enctype(etype);
-    return ((ktp->flags & ETYPE_WEAK) != 0);
+    return (ktp != NULL && (ktp->flags & ETYPE_WEAK) != 0);
 }



From ghudson at MIT.EDU  Wed Oct  7 14:14:50 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Wed, 7 Oct 2009 14:14:50 -0400
Subject: svn rev #22866: trunk/src/lib/crypto/krb/ 
Message-ID: <200910071814.n97IEoXo016666@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22866
Commit By: ghudson
Log Message:
In krb5_c_make_checksum, avoid the structure copy of *input since we
don't care about input->magic.  Squashes a bunch of unimportant
Coverity defects.



Changed Files:
U   trunk/src/lib/crypto/krb/make_checksum.c
Modified: trunk/src/lib/crypto/krb/make_checksum.c
===================================================================
--- trunk/src/lib/crypto/krb/make_checksum.c	2009-10-07 18:13:29 UTC (rev 22865)
+++ trunk/src/lib/crypto/krb/make_checksum.c	2009-10-07 18:14:49 UTC (rev 22866)
@@ -80,7 +80,8 @@
 	    krb5_crypto_iov iov[1];
 
 	    iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
-	    iov[0].data = *input;
+	    iov[0].data.data = input->data;
+	    iov[0].data.length = input->length;
 
 	    assert(keyhash->hash_iov != NULL);
 



From ghudson at MIT.EDU  Thu Oct  8 08:58:56 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Thu, 8 Oct 2009 08:58:56 -0400
Subject: svn rev #22867: trunk/src/lib/crypto/krb/ 
Message-ID: <200910081258.n98CwuxP005365@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22867
Commit By: ghudson
Log Message:
In krb5_calculate_checksum (a compatibility routine), initialize
key.enctype to ENCTYPE_NULL.  This will predictably fail to match a
keyed hash's enctype, which may not be the best behavior, but is
better than unpredictably failing to match it.



Changed Files:
U   trunk/src/lib/crypto/krb/old_api_glue.c
Modified: trunk/src/lib/crypto/krb/old_api_glue.c
===================================================================
--- trunk/src/lib/crypto/krb/old_api_glue.c	2009-10-07 18:14:49 UTC (rev 22866)
+++ trunk/src/lib/crypto/krb/old_api_glue.c	2009-10-08 12:58:56 UTC (rev 22867)
@@ -215,6 +215,7 @@
     input.data = in;
     input.length = in_length;
 
+    key.enctype = ENCTYPE_NULL;
     key.length = seed_length;
     key.contents = seed;
 



From ghudson at MIT.EDU  Thu Oct  8 08:59:34 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Thu, 8 Oct 2009 08:59:34 -0400
Subject: svn rev #22868: trunk/src/lib/crypto/krb/ 
Message-ID: <200910081259.n98CxYwP005444@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22868
Commit By: ghudson
Log Message:
In krb5_c_verify_checksum, avoid the structure copy of *data since we
don't care about data->magic.  Squashes a bunch of unimportant
Coverity defects.  (May not be the correct long-term solution.)



Changed Files:
U   trunk/src/lib/crypto/krb/verify_checksum.c
Modified: trunk/src/lib/crypto/krb/verify_checksum.c
===================================================================
--- trunk/src/lib/crypto/krb/verify_checksum.c	2009-10-08 12:58:56 UTC (rev 22867)
+++ trunk/src/lib/crypto/krb/verify_checksum.c	2009-10-08 12:59:33 UTC (rev 22868)
@@ -59,7 +59,8 @@
 	    krb5_crypto_iov iov[1];
 
 	    iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
-	    iov[0].data = *data;
+	    iov[0].data.data = data->data;
+	    iov[0].data.length = data->length;
 
 	    return (*keyhash->verify_iov)(key, usage, 0, iov, 1, &indata,
 					  valid);



From ghudson at MIT.EDU  Thu Oct  8 09:44:54 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Thu, 8 Oct 2009 09:44:54 -0400
Subject: svn rev #22869: branches/enc-perf/src/lib/rpc/unit-test/lib/ 
Message-ID: <200910081344.n98Disv5009103@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22869
Commit By: ghudson
Log Message:
Revert an unintended debugging change from r22845.



Changed Files:
U   branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp
Modified: branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp
===================================================================
--- branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp	2009-10-08 12:59:33 UTC (rev 22868)
+++ branches/enc-perf/src/lib/rpc/unit-test/lib/helpers.exp	2009-10-08 13:44:54 UTC (rev 22869)
@@ -96,7 +96,6 @@
     }
     expect_tcl_prompt
 
-    while {![file exists /tmp/go]} {}
     send_tcl_cmd_await_echo {kadm5_init admin admin $KADM5_ADMIN_SERVICE null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle}
     expect_kadm_ok
     expect "^% "



From ghudson at MIT.EDU  Thu Oct  8 10:39:25 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Thu, 8 Oct 2009 10:39:25 -0400
Subject: svn rev #22870: branches/enc-perf/src/ include/ lib/krb5/krb/
Message-ID: <200910081439.n98EdPsg013149@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22870
Commit By: ghudson
Log Message:
Change the krb5_keyblocks in the libkrb5 auth context to krb5_keys,
and use krb5_k functions to encrypt and decrypt with them.



Changed Files:
U   branches/enc-perf/src/include/k5-int.h
U   branches/enc-perf/src/lib/krb5/krb/auth_con.c
U   branches/enc-perf/src/lib/krb5/krb/auth_con.h
U   branches/enc-perf/src/lib/krb5/krb/enc_helper.c
U   branches/enc-perf/src/lib/krb5/krb/mk_cred.c
U   branches/enc-perf/src/lib/krb5/krb/mk_priv.c
U   branches/enc-perf/src/lib/krb5/krb/mk_rep.c
U   branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c
U   branches/enc-perf/src/lib/krb5/krb/mk_safe.c
U   branches/enc-perf/src/lib/krb5/krb/rd_cred.c
U   branches/enc-perf/src/lib/krb5/krb/rd_priv.c
U   branches/enc-perf/src/lib/krb5/krb/rd_rep.c
U   branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c
U   branches/enc-perf/src/lib/krb5/krb/rd_safe.c
U   branches/enc-perf/src/lib/krb5/krb/ser_actx.c
Modified: branches/enc-perf/src/include/k5-int.h
===================================================================
--- branches/enc-perf/src/include/k5-int.h	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/include/k5-int.h	2009-10-08 14:39:24 UTC (rev 22870)
@@ -871,6 +871,11 @@
 		krb5_keyusage keyusage, const krb5_data *plain,
 		krb5_enc_data *cipher);
 
+krb5_error_code krb5_encrypt_keyhelper
+(krb5_context context, krb5_key key,
+		krb5_keyusage keyusage, const krb5_data *plain,
+		krb5_enc_data *cipher);
+
 /*
  * End "los-proto.h"
  */

Modified: branches/enc-perf/src/lib/krb5/krb/auth_con.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/auth_con.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/auth_con.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -56,12 +56,12 @@
 	krb5_free_address(context, auth_context->remote_port);
     if (auth_context->authentp) 
 	krb5_free_authenticator(context, auth_context->authentp);
-    if (auth_context->keyblock) 
-	krb5_free_keyblock(context, auth_context->keyblock);
+    if (auth_context->key)
+	krb5_k_free_key(context, auth_context->key);
     if (auth_context->send_subkey) 
-	krb5_free_keyblock(context, auth_context->send_subkey);
+	krb5_k_free_key(context, auth_context->send_subkey);
     if (auth_context->recv_subkey) 
-	krb5_free_keyblock(context, auth_context->recv_subkey);
+	krb5_k_free_key(context, auth_context->recv_subkey);
     if (auth_context->rcache)
 	krb5_rc_close(context, auth_context->rcache);
     if (auth_context->permitted_etypes)
@@ -158,16 +158,16 @@
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock)
 {
-    if (auth_context->keyblock)
-	krb5_free_keyblock(context, auth_context->keyblock);
-    return(krb5_copy_keyblock(context, keyblock, &(auth_context->keyblock)));
+    if (auth_context->key)
+	krb5_k_free_key(context, auth_context->key);
+    return(krb5_k_create_key(context, keyblock, &(auth_context->key)));
 }
 
 krb5_error_code KRB5_CALLCONV
 krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
 {
-    if (auth_context->keyblock)
-    	return krb5_copy_keyblock(context, auth_context->keyblock, keyblock);
+    if (auth_context->key)
+    	return krb5_k_key_keyblock(context, auth_context->key, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -188,10 +188,10 @@
 krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
 {
     if (ac->send_subkey != NULL)
-	krb5_free_keyblock(ctx, ac->send_subkey);
+	krb5_k_free_key(ctx, ac->send_subkey);
     ac->send_subkey = NULL;
     if (keyblock !=NULL)
-	return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey);
+	return krb5_k_create_key(ctx, keyblock, &ac->send_subkey);
     else
 	return 0;
 }
@@ -200,10 +200,10 @@
 krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
 {
     if (ac->recv_subkey != NULL)
-	krb5_free_keyblock(ctx, ac->recv_subkey);
+	krb5_k_free_key(ctx, ac->recv_subkey);
     ac->recv_subkey = NULL;
     if (keyblock != NULL)
-	return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey);
+	return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey);
     else
 	return 0;
 }
@@ -212,7 +212,7 @@
 krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
     if (ac->send_subkey != NULL)
-	return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock);
+	return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -221,7 +221,7 @@
 krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
 {
     if (ac->recv_subkey != NULL)
-	return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock);
+	return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock);
     *keyblock = NULL;
     return 0;
 }
@@ -266,12 +266,13 @@
 krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)
 {
     krb5_error_code ret;
+    krb5_enctype enctype;
 
-    if (auth_context->keyblock) {
+    if (auth_context->key) {
 	size_t blocksize;
 
-	if ((ret = krb5_c_block_size(context, auth_context->keyblock->enctype,
-				    &blocksize)))
+	enctype = krb5_k_key_enctype(context, auth_context->key);
+	if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
 	    return(ret);
 	if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
 	    return 0;

Modified: branches/enc-perf/src/lib/krb5/krb/auth_con.h
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/auth_con.h	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/auth_con.h	2009-10-08 14:39:24 UTC (rev 22870)
@@ -8,9 +8,9 @@
     krb5_address      *	remote_port;
     krb5_address      *	local_addr;
     krb5_address      *	local_port;
-    krb5_keyblock     * keyblock;
-    krb5_keyblock     * send_subkey;
-    krb5_keyblock     * recv_subkey;
+    krb5_key            key;
+    krb5_key            send_subkey;
+    krb5_key            recv_subkey;
 
     krb5_int32		auth_context_flags;
     krb5_ui_4		remote_seq_number;

Modified: branches/enc-perf/src/lib/krb5/krb/enc_helper.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/enc_helper.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/enc_helper.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -48,3 +48,28 @@
     return(ret);
 }
 	
+krb5_error_code
+krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
+		       const krb5_data *plain, krb5_enc_data *cipher)
+{
+    krb5_enctype enctype;
+    krb5_error_code ret;
+    size_t enclen;
+
+    enctype = krb5_k_key_enctype(context, key);
+    ret = krb5_c_encrypt_length(context, enctype, plain->length, &enclen);
+    if (ret != 0)
+	return ret;
+
+    cipher->ciphertext.length = enclen;
+    cipher->ciphertext.data = malloc(enclen);
+    if (cipher->ciphertext.data == NULL)
+	return ENOMEM;
+    ret = krb5_k_encrypt(context, key, usage, 0, plain, cipher);
+    if (ret) {
+	free(cipher->ciphertext.data);
+	cipher->ciphertext.data = NULL;
+    }
+
+    return ret;
+}

Modified: branches/enc-perf/src/lib/krb5/krb/mk_cred.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_cred.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_cred.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -22,7 +22,7 @@
  */
 static krb5_error_code 
 encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
-		    krb5_keyblock *pkeyblock, krb5_enc_data *pencdata)
+		    krb5_key pkey, krb5_enc_data *pencdata)
 {
     krb5_error_code 	  retval;
     krb5_data 		* scratch;
@@ -35,7 +35,7 @@
      * If the keyblock is NULL, just copy the data from the encoded
      * data to the ciphertext area.
      */
-    if (pkeyblock == NULL) {
+    if (pkey == NULL) {
 	    pencdata->ciphertext.data = scratch->data;
 	    pencdata->ciphertext.length = scratch->length;
 	    free(scratch);
@@ -43,9 +43,9 @@
     }
 
     /* call the encryption routine */
-    retval = krb5_encrypt_helper(context, pkeyblock,
-				 KRB5_KEYUSAGE_KRB_CRED_ENCPART,
-				 scratch, pencdata);
+    retval = krb5_encrypt_keyhelper(context, pkey,
+				    KRB5_KEYUSAGE_KRB_CRED_ENCPART,
+				    scratch, pencdata);
 
     if (retval) {
     	memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
@@ -65,7 +65,7 @@
 static krb5_error_code
 krb5_mk_ncred_basic(krb5_context context,
 		    krb5_creds **ppcreds, krb5_int32 nppcreds,
-		    krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+		    krb5_key key, krb5_replay_data *replaydata,
 		    krb5_address *local_addr, krb5_address *remote_addr,
 		    krb5_cred *pcred)
 {
@@ -134,8 +134,7 @@
     pcred->tickets[i] = NULL;
 
     /* encrypt the credential encrypted part */
-    retval = encrypt_credencpart(context, &credenc, keyblock,
-				 &pcred->enc_part);
+    retval = encrypt_credencpart(context, &credenc, key, &pcred->enc_part);
 
 cleanup:
     krb5_free_cred_enc_part(context, &credenc);
@@ -158,7 +157,7 @@
     krb5_address remote_fulladdr;
     krb5_address local_fulladdr;
     krb5_error_code 	retval;
-    krb5_keyblock	 * keyblock;
+    krb5_key		key;
     krb5_replay_data    replaydata;
     krb5_cred 		 * pcred;
     krb5_int32		ncred;
@@ -188,8 +187,8 @@
     }
 
     /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL) 
-	keyblock = auth_context->keyblock;
+    if ((key = auth_context->send_subkey) == NULL)
+	key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -246,7 +245,7 @@
     }
 
     /* Setup creds structure */
-    if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, keyblock,
+    if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key,
 				      &replaydata, plocal_fulladdr, 
 				      premote_fulladdr, pcred))) {
 	goto error;

Modified: branches/enc-perf/src/lib/krb5/krb/mk_priv.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_priv.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_priv.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -33,10 +33,11 @@
 
 static krb5_error_code
 krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
-		   const krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+		   krb5_key key, krb5_replay_data *replaydata,
 		   krb5_address *local_addr, krb5_address *remote_addr,
 		   krb5_pointer i_vector, krb5_data *outbuf)
 {
+    krb5_enctype	enctype = krb5_k_key_enctype(context, key);
     krb5_error_code 	retval;
     krb5_priv 		privmsg;
     krb5_priv_enc_part 	privmsg_enc_part;
@@ -44,7 +45,7 @@
     size_t		blocksize, enclen;
 
     privmsg.enc_part.kvno = 0;	/* XXX allow user-set? */
-    privmsg.enc_part.enctype = keyblock->enctype; 
+    privmsg.enc_part.enctype = enctype;
 
     privmsg_enc_part.user_data = *userdata;
     privmsg_enc_part.s_address = local_addr;
@@ -60,7 +61,7 @@
 	return retval;
 
     /* put together an eblock for this encryption */
-    if ((retval = krb5_c_encrypt_length(context, keyblock->enctype,
+    if ((retval = krb5_c_encrypt_length(context, enctype,
 					scratch1->length, &enclen)))
 	goto clean_scratch;
 
@@ -73,15 +74,14 @@
 
     /* call the encryption routine */
     if (i_vector) {
-	if ((retval = krb5_c_block_size(context, keyblock->enctype,
-					&blocksize)))
+	if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
 	    goto clean_encpart;
 
 	ivdata.length = blocksize;
 	ivdata.data = i_vector;
     }
 
-    if ((retval = krb5_c_encrypt(context, keyblock,
+    if ((retval = krb5_k_encrypt(context, key,
 				 KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
 				 i_vector?&ivdata:0,
 				 scratch1, &privmsg.enc_part)))
@@ -115,15 +115,15 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
     /* Clear replaydata block */
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
     /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    if ((key = auth_context->send_subkey) == NULL)
+	key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -192,7 +192,7 @@
 	}
     }
 
-    if ((retval = krb5_mk_priv_basic(context, userdata, keyblock, &replaydata, 
+    if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata,
 				     plocal_fulladdr, premote_fulladdr,
 				     auth_context->i_vector, outbuf))) {
 	CLEANUP_DONE();

Modified: branches/enc-perf/src/lib/krb5/krb/mk_rep.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_rep.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_rep.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -80,7 +80,8 @@
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
 	(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
 	(auth_context->local_seq_number == 0)) {
-	if ((retval = krb5_generate_seq_number(context, auth_context->keyblock,
+	if ((retval = krb5_generate_seq_number(context,
+					       &auth_context->key->keyblock,
 					       &auth_context->local_seq_number)))
             return(retval);
     }
@@ -98,11 +99,11 @@
 	assert(auth_context->negotiated_etype != ENCTYPE_NULL);
 
 	retval = krb5int_generate_and_save_subkey (context, auth_context,
-						   auth_context->keyblock,
+						   &auth_context->key->keyblock,
 						   auth_context->negotiated_etype);
 	if (retval)
 	    return retval;
-	repl.subkey = auth_context->send_subkey;
+	repl.subkey = &auth_context->send_subkey->keyblock;
     } else
 	repl.subkey = auth_context->authentp->subkey;
 
@@ -115,9 +116,9 @@
     if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
 	return retval;
 
-    if ((retval = krb5_encrypt_helper(context, auth_context->keyblock,
-				      KRB5_KEYUSAGE_AP_REP_ENCPART,
-				      scratch, &reply.enc_part)))
+    if ((retval = krb5_encrypt_keyhelper(context, auth_context->key,
+					 KRB5_KEYUSAGE_AP_REP_ENCPART,
+					 scratch, &reply.enc_part)))
 	goto cleanup_scratch;
 
     if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {

Modified: branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_req_ext.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -73,7 +73,7 @@
 static krb5_error_code 
 krb5_generate_authenticator (krb5_context,
 				       krb5_authenticator *, krb5_principal,
-				       krb5_checksum *, krb5_keyblock *,
+				       krb5_checksum *, krb5_key,
 				       krb5_ui_4, krb5_authdata **,
 				       krb5_enctype *desired_etypes,
 				       krb5_enctype tkt_enctype);
@@ -93,6 +93,7 @@
     } rnd_data;
     krb5_data d;
     krb5_error_code retval;
+    krb5_keyblock *kb = NULL;
 
     if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
 	d.length = sizeof(rnd_data);
@@ -100,22 +101,23 @@
 	krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
     }
 
-    if (auth_context->send_subkey)
-	krb5_free_keyblock(context, auth_context->send_subkey);
-    if ((retval = krb5_generate_subkey_extended(context, keyblock, enctype,
-						&auth_context->send_subkey)))
+    retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
+    if (retval)
 	return retval;
+    retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
+    if (retval)
+	goto cleanup;
+    retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
+    if (retval)
+	goto cleanup;
 
-    if (auth_context->recv_subkey)
-	krb5_free_keyblock(context, auth_context->recv_subkey);
-    retval = krb5_copy_keyblock(context, auth_context->send_subkey,
-				&auth_context->recv_subkey);
+cleanup:
     if (retval) {
-	krb5_free_keyblock(context, auth_context->send_subkey);
-	auth_context->send_subkey = NULL;
-	return retval;
+	(void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
+	(void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
     }
-    return 0;
+    krb5_free_keyblock(context, kb);
+    return retval;
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -159,14 +161,14 @@
 	*auth_context = new_auth_context;
     }
 
-    if ((*auth_context)->keyblock != NULL) {
-	krb5_free_keyblock(context, (*auth_context)->keyblock);
-	(*auth_context)->keyblock = NULL;
+    if ((*auth_context)->key != NULL) {
+	krb5_k_free_key(context, (*auth_context)->key);
+	(*auth_context)->key = NULL;
     }
 
     /* set auth context keyblock */
-    if ((retval = krb5_copy_keyblock(context, &in_creds->keyblock, 
-				     &((*auth_context)->keyblock))))
+    if ((retval = krb5_k_create_key(context, &in_creds->keyblock,
+				    &((*auth_context)->key))))
 	goto cleanup;
 
     /* generate seq number if needed */
@@ -205,16 +207,18 @@
 	    checksum.length = in_data->length;
 	    checksum.contents = (krb5_octet *) in_data->data;
 	} else {
+	    krb5_enctype enctype = krb5_k_key_enctype(context,
+						      (*auth_context)->key);
 	    krb5_cksumtype cksumtype;
-	    retval = krb5int_c_mandatory_cksumtype(context, (*auth_context)->keyblock->enctype,
+	    retval = krb5int_c_mandatory_cksumtype(context, enctype,
 						   &cksumtype);
 	    if (retval)
 		goto cleanup_cksum;
 	    if ((*auth_context)->req_cksumtype)
 		cksumtype = (*auth_context)->req_cksumtype;
-	    if ((retval = krb5_c_make_checksum(context, 
+	    if ((retval = krb5_k_make_checksum(context,
 					       cksumtype,
-					       (*auth_context)->keyblock,
+					       (*auth_context)->key,
 					       KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
 					       in_data, &checksum)))
 		goto cleanup_cksum;
@@ -297,7 +301,7 @@
 static krb5_error_code
 krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
 			    krb5_principal client, krb5_checksum *cksum,
-			    krb5_keyblock *key, krb5_ui_4 seq_number,
+			    krb5_key key, krb5_ui_4 seq_number,
 			    krb5_authdata **authorization,
 			    krb5_enctype *desired_etypes,
 			    krb5_enctype tkt_enctype)
@@ -307,7 +311,7 @@
     authent->client = client;
     authent->checksum = cksum;
     if (key) {
-	retval = krb5_copy_keyblock(context, key, &authent->subkey);
+	retval = krb5_k_key_keyblock(context, key, &authent->subkey);
 	if (retval)
 	    return retval;
     } else

Modified: branches/enc-perf/src/lib/krb5/krb/mk_safe.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/mk_safe.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/mk_safe.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -48,7 +48,7 @@
 */
 static krb5_error_code
 krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
-		   const krb5_keyblock *keyblock, krb5_replay_data *replaydata,
+		   krb5_key key, krb5_replay_data *replaydata,
 		   krb5_address *local_addr, krb5_address *remote_addr,
 		   krb5_cksumtype sumtype, krb5_data *outbuf)
 {
@@ -88,7 +88,7 @@
     if ((retval = encode_krb5_safe(&safemsg, &scratch1)))
 	return retval;
 
-    if ((retval = krb5_c_make_checksum(context, sumtype, keyblock,
+    if ((retval = krb5_k_make_checksum(context, sumtype, key,
 				       KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
 				       scratch1, &safe_checksum)))
 	goto cleanup_checksum;
@@ -115,15 +115,15 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
     /* Clear replaydata block */
     memset(&replaydata, 0, sizeof(krb5_replay_data));
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->send_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->send_subkey) == NULL)
+	key = auth_context->key;
 
     /* Get replay info */
     if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
@@ -195,10 +195,11 @@
     }
 
     {
+	krb5_enctype enctype = krb5_k_key_enctype(context, key);
 	unsigned int nsumtypes;
 	unsigned int i;
 	krb5_cksumtype *sumtypes;
-	retval = krb5_c_keyed_checksum_types (context, keyblock->enctype,
+	retval = krb5_c_keyed_checksum_types (context, enctype,
 					      &nsumtypes, &sumtypes);
 	if (retval) {
 	    CLEANUP_DONE ();
@@ -218,7 +219,7 @@
 	sumtype = sumtypes[i];
 	krb5_free_cksumtypes (context, sumtypes);
     }
-    if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata, 
+    if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
 				     plocal_fulladdr, premote_fulladdr,
 				     sumtype, outbuf))) {
 	CLEANUP_DONE();

Modified: branches/enc-perf/src/lib/krb5/krb/rd_cred.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_cred.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_cred.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -13,7 +13,7 @@
  */
 static krb5_error_code 
 decrypt_credencdata(krb5_context context, krb5_cred *pcred,
-		    krb5_keyblock *pkeyblock, krb5_cred_enc_part *pcredenc)
+		    krb5_key pkey, krb5_cred_enc_part *pcredenc)
 {
     krb5_cred_enc_part  * ppart = NULL;
     krb5_error_code 	  retval;
@@ -23,8 +23,8 @@
     if (!(scratch.data = (char *)malloc(scratch.length))) 
 	return ENOMEM;
 
-    if (pkeyblock != NULL) {
-	if ((retval = krb5_c_decrypt(context, pkeyblock,
+    if (pkey != NULL) {
+	if ((retval = krb5_k_decrypt(context, pkey,
 				     KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
 				     &pcred->enc_part, &scratch)))
 	    goto cleanup;
@@ -53,7 +53,7 @@
 
 static krb5_error_code 
 krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
-		   krb5_keyblock *pkeyblock, krb5_replay_data *replaydata,
+		   krb5_key pkey, krb5_replay_data *replaydata,
 		   krb5_creds ***pppcreds)
 {
     krb5_error_code       retval;
@@ -68,7 +68,7 @@
 
     memset(&encpart, 0, sizeof(encpart));
 
-    if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
+    if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart)))
 	goto cleanup_cred;
 
 
@@ -167,12 +167,12 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code       retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data      replaydata;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+	key = auth_context->key;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
       (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -186,14 +186,14 @@
 
 
     /*
-     * If decrypting with the first keyblock we try fails, perhaps the
+     * If decrypting with the first key we try fails, perhaps the
      * credentials are stored in the session key so try decrypting with
      * that.
      */
-    if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
+    if ((retval = krb5_rd_cred_basic(context, pcreddata, key,
 				     &replaydata, pppcreds))) {
 	if ((retval = krb5_rd_cred_basic(context, pcreddata,
-					 auth_context->keyblock,
+					 auth_context->key,
 					 &replaydata, pppcreds))) {
 	    return retval;
 	}

Modified: branches/enc-perf/src/lib/krb5/krb/rd_priv.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_priv.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_priv.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -54,8 +54,7 @@
 
 static krb5_error_code
 krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
-		   const krb5_keyblock *keyblock,
-		   const krb5_address *local_addr,
+		   const krb5_key key, const krb5_address *local_addr,
 		   const krb5_address *remote_addr, krb5_pointer i_vector,
 		   krb5_replay_data *replaydata, krb5_data *outbuf)
 {
@@ -65,6 +64,7 @@
     krb5_priv_enc_part  * privmsg_enc_part;
     size_t		  blocksize;
     krb5_data		  ivdata;
+    krb5_enctype	  enctype;
 
     if (!krb5_is_krb_priv(inbuf))
 	return KRB5KRB_AP_ERR_MSG_TYPE;
@@ -74,8 +74,8 @@
 	return retval;
     
     if (i_vector) {
-	if ((retval = krb5_c_block_size(context, keyblock->enctype,
-					&blocksize)))
+	enctype = krb5_k_key_enctype(context, key);
+	if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
 	    goto cleanup_privmsg;
 
 	ivdata.length = blocksize;
@@ -88,7 +88,7 @@
 	goto cleanup_privmsg;
     }
 
-    if ((retval = krb5_c_decrypt(context, keyblock,
+    if ((retval = krb5_k_decrypt(context, key,
 				 KRB5_KEYUSAGE_KRB_PRIV_ENCPART, 
 				 i_vector?&ivdata:0,
 				 &privmsg->enc_part, &scratch)))
@@ -156,12 +156,12 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock       * keyblock;
+    krb5_key              key;
     krb5_replay_data	  replaydata;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+	key = auth_context->key;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
       (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
@@ -213,7 +213,7 @@
     }
 
     memset(&replaydata, 0, sizeof(replaydata));
-    if ((retval = krb5_rd_priv_basic(context, inbuf, keyblock,
+    if ((retval = krb5_rd_priv_basic(context, inbuf, key,
 				     plocal_fulladdr,
 				     premote_fulladdr,
 				     auth_context->i_vector,

Modified: branches/enc-perf/src/lib/krb5/krb/rd_rep.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_rep.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_rep.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -95,7 +95,7 @@
 	goto clean_scratch;
     }
 
-    retval = krb5_c_decrypt(context, auth_context->keyblock,
+    retval = krb5_k_decrypt(context, auth_context->key,
 			    KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
 			    &reply->enc_part, &scratch);
     if (retval)
@@ -115,23 +115,14 @@
 
     /* Set auth subkey. */
     if (enc->subkey) {
-	if (auth_context->recv_subkey) {
-	    krb5_free_keyblock(context, auth_context->recv_subkey);
-	    auth_context->recv_subkey = NULL;
-	}
-	retval = krb5_copy_keyblock(context, enc->subkey,
-				    &auth_context->recv_subkey);
+	retval = krb5_auth_con_setrecvsubkey(context, auth_context,
+					     enc->subkey);
 	if (retval)
 	    goto clean_scratch;
-	if (auth_context->send_subkey) {
-	    krb5_free_keyblock(context, auth_context->send_subkey);
-	    auth_context->send_subkey = NULL;
-	}
-	retval = krb5_copy_keyblock(context, enc->subkey,
-				    &auth_context->send_subkey);
+	retval = krb5_auth_con_setsendsubkey(context, auth_context,
+					     enc->subkey);
 	if (retval) {
-	    krb5_free_keyblock(context, auth_context->send_subkey);
-	    auth_context->send_subkey = NULL;
+	    (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
 	    goto clean_scratch;
 	}
 	/* Not used for anything yet. */
@@ -178,7 +169,7 @@
 	return(ENOMEM);
     }
 
-    if ((retval = krb5_c_decrypt(context, auth_context->keyblock,
+    if ((retval = krb5_k_decrypt(context, auth_context->key,
 				 KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
 				 &reply->enc_part, &scratch)))
 	goto clean_scratch;

Modified: branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_req_dec.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -227,12 +227,13 @@
        do we need special processing here ?	*/
 
     /* decrypt the ticket */
-    if ((*auth_context)->keyblock) { /* User to User authentication */
-    	if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
+    if ((*auth_context)->key) { /* User to User authentication */
+    	if ((retval = krb5_decrypt_tkt_part(context,
+					    &(*auth_context)->key->keyblock,
 					    req->ticket)))
 	    goto cleanup;
-	krb5_free_keyblock(context, (*auth_context)->keyblock);
-	(*auth_context)->keyblock = NULL;
+	krb5_k_free_key(context, (*auth_context)->key);
+	(*auth_context)->key = NULL;
     } else {
     	if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, server, keytab)))
 	    goto cleanup;
@@ -459,14 +460,14 @@
 
     (*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
     if ((*auth_context)->authentp->subkey) {
-	if ((retval = krb5_copy_keyblock(context,
-					 (*auth_context)->authentp->subkey,
-					 &((*auth_context)->recv_subkey))))
+	if ((retval = krb5_k_create_key(context,
+					(*auth_context)->authentp->subkey,
+					&((*auth_context)->recv_subkey))))
 	    goto cleanup;
-	retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
-				    &((*auth_context)->send_subkey));
+	retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey,
+				   &((*auth_context)->send_subkey));
 	if (retval) {
-	    krb5_free_keyblock(context, (*auth_context)->recv_subkey);
+	    krb5_k_free_key(context, (*auth_context)->recv_subkey);
 	    (*auth_context)->recv_subkey = NULL;
 	    goto cleanup;
 	}
@@ -475,8 +476,8 @@
 	(*auth_context)->send_subkey = 0;
     }
 
-    if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
-				     &((*auth_context)->keyblock))))
+    if ((retval = krb5_k_create_key(context, req->ticket->enc_part2->session,
+				    &((*auth_context)->key))))
 	goto cleanup;
 
     debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data);
@@ -499,7 +500,8 @@
     	*ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
 	if (rfc4537_etypes_len != 0)
 	    *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
-	if ((*auth_context)->negotiated_etype != (*auth_context)->keyblock->enctype)
+	if ((*auth_context)->negotiated_etype !=
+	    krb5_k_key_enctype(context, (*auth_context)->key))
 	    *ap_req_options |= AP_OPTS_USE_SUBKEY;
     }
 

Modified: branches/enc-perf/src/lib/krb5/krb/rd_safe.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/rd_safe.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/rd_safe.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -46,7 +46,7 @@
  */
 static krb5_error_code
 krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
-		   const krb5_keyblock *keyblock,
+		   krb5_key key,
 		   const krb5_address *recv_addr,
 		   const krb5_address *sender_addr,
 		   krb5_replay_data *replaydata, krb5_data *outbuf)
@@ -124,7 +124,7 @@
     if (retval)
 	goto cleanup;
 
-    retval = krb5_c_verify_checksum(context, keyblock,
+    retval = krb5_k_verify_checksum(context, key,
 				    KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
 				    scratch, his_cksum, &valid);
 
@@ -136,7 +136,7 @@
 	 * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
 	 * case someone actually implements it correctly.
 	 */
-	retval = krb5_c_verify_checksum(context, keyblock,
+	retval = krb5_k_verify_checksum(context, key,
 					KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
 					&safe_body, his_cksum, &valid);
 	if (!valid) {
@@ -164,7 +164,7 @@
 	     krb5_replay_data *outdata)
 {
     krb5_error_code 	  retval;
-    krb5_keyblock	* keyblock;
+    krb5_key		  key;
     krb5_replay_data	  replaydata;
 
     if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
@@ -180,9 +180,9 @@
     if (!auth_context->remote_addr)
 	return KRB5_REMOTE_ADDR_REQUIRED;
 
-    /* Get keyblock */
-    if ((keyblock = auth_context->recv_subkey) == NULL)
-	keyblock = auth_context->keyblock;
+    /* Get key */
+    if ((key = auth_context->recv_subkey) == NULL)
+	key = auth_context->key;
 
 {
     krb5_address * premote_fulladdr;
@@ -220,7 +220,7 @@
     }
 
     memset(&replaydata, 0, sizeof(replaydata));
-    if ((retval = krb5_rd_safe_basic(context, inbuf, keyblock,
+    if ((retval = krb5_rd_safe_basic(context, inbuf, key,
 				     plocal_fulladdr, premote_fulladdr,
 				     &replaydata, outbuf))) {
 	CLEANUP_DONE();

Modified: branches/enc-perf/src/lib/krb5/krb/ser_actx.c
===================================================================
--- branches/enc-perf/src/lib/krb5/krb/ser_actx.c	2009-10-08 13:44:54 UTC (rev 22869)
+++ branches/enc-perf/src/lib/krb5/krb/ser_actx.c	2009-10-08 14:39:24 UTC (rev 22870)
@@ -75,6 +75,7 @@
     krb5_error_code	kret;
     krb5_auth_context	auth_context;
     size_t		required;
+    krb5_enctype	enctype;
 
     /*
      * krb5_auth_context requires at minimum:
@@ -92,9 +93,9 @@
 	kret = 0;
 
 	/* Calculate size required by i_vector - ptooey */
-	if (auth_context->i_vector && auth_context->keyblock) {
-	    kret = krb5_c_block_size(kcontext, auth_context->keyblock->enctype,
-				     &required);
+	if (auth_context->i_vector && auth_context->key) {
+	    enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+	    kret = krb5_c_block_size(kcontext, enctype, &required);
 	} else {
 	    required = 0;
 	}
@@ -141,11 +142,11 @@
 		required += sizeof(krb5_int32);
 	}
 
-	/* Calculate size required by keyblock, if appropriate */
-	if (!kret && auth_context->keyblock) {
+	/* Calculate size required by key, if appropriate */
+	if (!kret && auth_context->key) {
 	    kret = krb5_size_opaque(kcontext,
-				    KV5M_KEYBLOCK,
-				    (krb5_pointer) auth_context->keyblock,
+				    KV5M_KEYBLOCK, (krb5_pointer)
+				    &auth_context->key->keyblock,
 				    &required);
 	    if (!kret)
 		required += sizeof(krb5_int32);
@@ -154,8 +155,8 @@
 	/* Calculate size required by send_subkey, if appropriate */
 	if (!kret && auth_context->send_subkey) {
 	    kret = krb5_size_opaque(kcontext,
-				    KV5M_KEYBLOCK,
-				    (krb5_pointer) auth_context->send_subkey,
+				    KV5M_KEYBLOCK, (krb5_pointer)
+				    &auth_context->send_subkey->keyblock,
 				    &required);
 	    if (!kret)
 		required += sizeof(krb5_int32);
@@ -164,8 +165,8 @@
 	/* Calculate size required by recv_subkey, if appropriate */
 	if (!kret && auth_context->recv_subkey) {
 	    kret = krb5_size_opaque(kcontext,
-				    KV5M_KEYBLOCK,
-				    (krb5_pointer) auth_context->recv_subkey,
+				    KV5M_KEYBLOCK, (krb5_pointer)
+				    &auth_context->recv_subkey->keyblock,
 				    &required);
 	    if (!kret)
 		required += sizeof(krb5_int32);
@@ -197,6 +198,7 @@
     size_t		remain;
     size_t              obuf;
     krb5_int32		obuf32;
+    krb5_enctype	enctype;
 
     required = 0;
     bp = *buffer;
@@ -224,9 +226,8 @@
 
 	    /* Now figure out the number of bytes for i_vector and write it */
 	    if (auth_context->i_vector) {
-		kret = krb5_c_block_size(kcontext,
-					 auth_context->keyblock->enctype,
-					 &obuf);
+		enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+		kret = krb5_c_block_size(kcontext, enctype, &obuf);
 	    } else {
 		obuf = 0;
 	    }
@@ -289,12 +290,12 @@
 	    }
 
 	    /* Now handle keyblock, if appropriate */
-	    if (!kret && auth_context->keyblock) {
+	    if (!kret && auth_context->key) {
 		(void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain);
 		kret = krb5_externalize_opaque(kcontext,
 					       KV5M_KEYBLOCK,
 					       (krb5_pointer)
-					       auth_context->keyblock,
+					       &auth_context->key->keyblock,
 					       &bp,
 					       &remain);
 	    }
@@ -304,8 +305,8 @@
 		(void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
 		kret = krb5_externalize_opaque(kcontext,
 					       KV5M_KEYBLOCK,
-					       (krb5_pointer)
-					       auth_context->send_subkey,
+					       (krb5_pointer) &auth_context->
+					       send_subkey->keyblock,
 					       &bp,
 					       &remain);
 	    }
@@ -315,8 +316,8 @@
 		(void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
 		kret = krb5_externalize_opaque(kcontext,
 					       KV5M_KEYBLOCK,
-					       (krb5_pointer)
-					       auth_context->recv_subkey,
+					       (krb5_pointer) &auth_context->
+					       recv_subkey->keyblock,
 					       &bp,
 					       &remain);
 	    }
@@ -345,6 +346,22 @@
     return(kret);
 }
 
+/* Internalize a keyblock and convert it to a key. */
+static krb5_error_code
+intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp)
+{
+    krb5_keyblock *keyblock;
+    krb5_error_code ret;
+
+    ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK,
+				  (krb5_pointer *) &keyblock, bp, sp);
+    if (ret != 0)
+	return ret;
+    ret = krb5_k_create_key(ctx, keyblock, key);
+    krb5_free_keyblock(ctx, keyblock);
+    return ret;
+}
+
 /*
  * krb5_auth_context_internalize()	- Internalize the krb5_auth_context.
  */
@@ -464,37 +481,29 @@
 
 	    /* This is the keyblock */
 	    if (!kret && (tag == TOKEN_KEYBLOCK)) {
-		if (!(kret = krb5_internalize_opaque(kcontext,
-						     KV5M_KEYBLOCK,
-						     (krb5_pointer *)
-						     &auth_context->keyblock,
-						     &bp,
-						     &remain)))
+		if (!(kret = intern_key(kcontext,
+					&auth_context->key,
+					&bp,
+					&remain)))
 		    kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
 	    }
 
 	    /* This is the send_subkey */
 	    if (!kret && (tag == TOKEN_LSKBLOCK)) {
-		if (!(kret = krb5_internalize_opaque(kcontext,
-						     KV5M_KEYBLOCK,
-						     (krb5_pointer *)
-						     &auth_context->
-						     send_subkey,
-						     &bp,
-						     &remain)))
+		if (!(kret = intern_key(kcontext,
+					&auth_context->send_subkey,
+					&bp,
+					&remain)))
 		    kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
 	    }
 
 	    /* This is the recv_subkey */
 	    if (!kret) {
 		if (tag == TOKEN_RSKBLOCK) {
-		    kret = krb5_internalize_opaque(kcontext,
-						   KV5M_KEYBLOCK,
-						   (krb5_pointer *)
-						   &auth_context->
-						   recv_subkey,
-						   &bp,
-						   &remain);
+		    kret = intern_key(kcontext,
+				      &auth_context->recv_subkey,
+				      &bp,
+				      &remain);
 		}
 		else {
 		    /*



From tsitkova at MIT.EDU  Thu Oct  8 12:11:01 2009
From: tsitkova at MIT.EDU (tsitkova@MIT.EDU)
Date: Thu, 8 Oct 2009 12:11:01 -0400
Subject: svn rev #22871: trunk/src/plugins/preauth/pkinit/ 
Message-ID: <200910081611.n98GB1Vb020039@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22871
Commit By: tsitkova
Log Message:
In anticipation of a new version of OpenSSL 1.0.0, support renamed API: EVP_PKEY_decrypt -> EVP_PKEY_decrypt_old



Changed Files:
U   trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
Modified: trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2009-10-08 14:39:24 UTC (rev 22870)
+++ trunk/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c	2009-10-08 16:11:01 UTC (rev 22871)
@@ -3624,7 +3624,11 @@
     if (buf == NULL)
 	goto cleanup;
 
-    retval = EVP_PKEY_decrypt(buf, data, (int)data_len, pkey);
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+    retval = EVP_PKEY_decrypt_old(buf, data, (int)data_len, pkey);
+#else
+     retval = EVP_PKEY_decrypt(buf, data, (int)data_len, pkey);
+#endif
     if (retval <= 0) {
 	pkiDebug("unable to decrypt received data (len=%d)\n", data_len);
 	goto cleanup;



From ghudson at MIT.EDU  Fri Oct  9 10:21:05 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Fri, 9 Oct 2009 10:21:05 -0400
Subject: svn rev #22872: trunk/src/lib/krb5/asn.1/ 
Message-ID: <200910091421.n99EL5VM026372@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22872
Commit By: ghudson
Log Message:
ticket: 6571
tags: pullup
target_version: 1.7.1

In asn1_decode_enc_kdc_rep_part, don't leak the enc_padata field on
invalid representations.



Changed Files:
U   trunk/src/lib/krb5/asn.1/asn1_k_decode.c
Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.c	2009-10-08 16:11:01 UTC (rev 22871)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c	2009-10-09 14:21:04 UTC (rev 22872)
@@ -668,6 +668,7 @@
     krb5_free_last_req(NULL, val->last_req);
     krb5_free_principal(NULL, val->server);
     krb5_free_addresses(NULL, val->caddrs);
+    krb5_free_pa_data(NULL, val->enc_padata);
     val->session = NULL;
     val->last_req = NULL;
     val->server = NULL;



From ghudson at MIT.EDU  Fri Oct  9 13:18:50 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Fri, 9 Oct 2009 13:18:50 -0400
Subject: svn rev #22873: trunk/src/lib/crypto/builtin/aes/ 
Message-ID: <200910091718.n99HIoCB008955@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22873
Commit By: ghudson
Log Message:
Get aes-gen to build again (for the default back end, at least).



Changed Files:
U   trunk/src/lib/crypto/builtin/aes/Makefile.in
Modified: trunk/src/lib/crypto/builtin/aes/Makefile.in
===================================================================
--- trunk/src/lib/crypto/builtin/aes/Makefile.in	2009-10-09 14:21:04 UTC (rev 22872)
+++ trunk/src/lib/crypto/builtin/aes/Makefile.in	2009-10-09 17:18:50 UTC (rev 22873)
@@ -45,7 +45,7 @@
 
 depend:: $(SRCS)
 
-aes-gen: aes-gen.o $(GEN_OBJS)
+../../$(CIMPL)/aes-gen: ../../$(CIMPL)/aes-gen.o $(GEN_OBJS)
 	$(CC_LINK) -I../../../../include $(LOCALINCLUDES) -o ../../$(CIMPL)/aes-gen ../../$(CIMPL)/aes-gen.o $(GEN_OBJS)
 
 run-aes-gen: ../../$(CIMPL)/aes-gen



From ghudson at MIT.EDU  Fri Oct  9 14:29:36 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Fri, 9 Oct 2009 14:29:36 -0400
Subject: svn rev #22875: trunk/src/ clients/klist/ include/ include/krb5/ kdc/
	lib/crypto/krb/ ...
Message-ID: <200910091829.n99ITaAH014720@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22875
Commit By: ghudson
Log Message:
ticket: 6572
subject: Implement GSS naming extensions and authdata verification

Merge Luke's users/lhoward/authdata branch to trunk.  Implements GSS naming
extensions and verification of authorization data.



Changed Files:
U   trunk/src/clients/klist/klist.c
U   trunk/src/configure.in
U   trunk/src/include/k5-int.h
U   trunk/src/include/kdb_ext.h
U   trunk/src/include/krb5/authdata_plugin.h
U   trunk/src/include/krb5/krb5.hin
U   trunk/src/kdc/do_tgs_req.c
U   trunk/src/kdc/kdc_authdata.c
U   trunk/src/kdc/kdc_util.c
U   trunk/src/kdc/kdc_util.h
A   trunk/src/lib/crypto/krb/enc_provider/
A   trunk/src/lib/crypto/krb/hash_provider/
U   trunk/src/lib/crypto/openssl/sha1/shs.c
U   trunk/src/lib/crypto/openssl/sha1/shs.h
U   trunk/src/lib/gssapi/generic/gssapi_ext.h
U   trunk/src/lib/gssapi/krb5/Makefile.in
U   trunk/src/lib/gssapi/krb5/accept_sec_context.c
U   trunk/src/lib/gssapi/krb5/acquire_cred.c
U   trunk/src/lib/gssapi/krb5/add_cred.c
U   trunk/src/lib/gssapi/krb5/compare_name.c
U   trunk/src/lib/gssapi/krb5/delete_sec_context.c
U   trunk/src/lib/gssapi/krb5/disp_name.c
U   trunk/src/lib/gssapi/krb5/duplicate_name.c
U   trunk/src/lib/gssapi/krb5/export_name.c
U   trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
U   trunk/src/lib/gssapi/krb5/gssapi_krb5.c
U   trunk/src/lib/gssapi/krb5/import_name.c
U   trunk/src/lib/gssapi/krb5/init_sec_context.c
U   trunk/src/lib/gssapi/krb5/inq_context.c
U   trunk/src/lib/gssapi/krb5/inq_cred.c
A   trunk/src/lib/gssapi/krb5/naming_exts.c
U   trunk/src/lib/gssapi/krb5/rel_cred.c
U   trunk/src/lib/gssapi/krb5/rel_name.c
U   trunk/src/lib/gssapi/krb5/s4u_gss_glue.c
U   trunk/src/lib/gssapi/krb5/ser_sctx.c
U   trunk/src/lib/gssapi/krb5/val_cred.c
U   trunk/src/lib/gssapi/libgssapi_krb5.exports
U   trunk/src/lib/gssapi/mechglue/Makefile.in
A   trunk/src/lib/gssapi/mechglue/g_del_name_attr.c
U   trunk/src/lib/gssapi/mechglue/g_dsp_name.c
A   trunk/src/lib/gssapi/mechglue/g_dsp_name_ext.c
A   trunk/src/lib/gssapi/mechglue/g_export_name_comp.c
A   trunk/src/lib/gssapi/mechglue/g_get_name_attr.c
U   trunk/src/lib/gssapi/mechglue/g_glue.c
U   trunk/src/lib/gssapi/mechglue/g_imp_name.c
U   trunk/src/lib/gssapi/mechglue/g_initialize.c
U   trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c
U   trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c
A   trunk/src/lib/gssapi/mechglue/g_inq_name.c
A   trunk/src/lib/gssapi/mechglue/g_map_name_to_any.c
A   trunk/src/lib/gssapi/mechglue/g_rel_name_mapping.c
U   trunk/src/lib/gssapi/mechglue/g_set_context_option.c
U   trunk/src/lib/gssapi/mechglue/g_set_cred_option.c
A   trunk/src/lib/gssapi/mechglue/g_set_name_attr.c
U   trunk/src/lib/gssapi/mechglue/mglueP.h
U   trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U   trunk/src/lib/gssapi/spnego/spnego_mech.c
U   trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U   trunk/src/lib/krb5/asn.1/asn1_k_decode.h
U   trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U   trunk/src/lib/krb5/asn.1/krb5_decode.c
U   trunk/src/lib/krb5/ccache/cc_file.c
U   trunk/src/lib/krb5/ccache/ccfns.c
U   trunk/src/lib/krb5/error_tables/kv5m_err.et
U   trunk/src/lib/krb5/krb/Makefile.in
U   trunk/src/lib/krb5/krb/auth_con.c
U   trunk/src/lib/krb5/krb/auth_con.h
A   trunk/src/lib/krb5/krb/authdata.c
A   trunk/src/lib/krb5/krb/authdata.h
U   trunk/src/lib/krb5/krb/copy_auth.c
U   trunk/src/lib/krb5/krb/gc_frm_kdc.c
U   trunk/src/lib/krb5/krb/int-proto.h
U   trunk/src/lib/krb5/krb/kfree.c
U   trunk/src/lib/krb5/krb/mk_req_ext.c
U   trunk/src/lib/krb5/krb/pac.c
U   trunk/src/lib/krb5/krb/rd_req.c
U   trunk/src/lib/krb5/krb/rd_req_dec.c
U   trunk/src/lib/krb5/krb/s4u_creds.c
U   trunk/src/lib/krb5/krb/ser_actx.c
U   trunk/src/lib/krb5/krb/t_authdata.c
U   trunk/src/lib/krb5/libkrb5.exports
A   trunk/src/plugins/authdata/greet_client/
A   trunk/src/plugins/authdata/greet_server/
U   trunk/src/tests/asn.1/krb5_decode_leak.c
U   trunk/src/tests/asn.1/krb5_decode_test.c
U   trunk/src/tests/asn.1/krb5_encode_test.c
U   trunk/src/tests/asn.1/ktest.c
U   trunk/src/tests/asn.1/ktest.h
U   trunk/src/tests/asn.1/ktest_equal.c
U   trunk/src/tests/asn.1/ktest_equal.h
U   trunk/src/tests/asn.1/reference_encode.out
U   trunk/src/tests/asn.1/trval_reference.out
U   trunk/src/tests/gssapi/Makefile.in
A   trunk/src/tests/gssapi/t_namingexts.c
U   trunk/src/tests/gssapi/t_s4u.c
Modified: trunk/src/clients/klist/klist.c
===================================================================
--- trunk/src/clients/klist/klist.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/clients/klist/klist.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -57,6 +57,7 @@
 
 int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
 int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
+int show_adtype = 0;
 char *defname;
 char *progname;
 krb5_int32 now;
@@ -81,7 +82,7 @@
 {
 #define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
 
-    fprintf(stderr, "Usage: %s [-e] [-V] [[-c] [-f] [-s] [-a [-n]]] %s",
+    fprintf(stderr, "Usage: %s [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] %s",
 	     progname, "[-k [-t] [-K]] [name]\n"); 
     fprintf(stderr, "\t-c specifies credentials cache\n");
     fprintf(stderr, "\t-k specifies keytab\n");
@@ -89,6 +90,7 @@
     fprintf(stderr, "\t-e shows the encryption type\n");
     fprintf(stderr, "\t-V shows the Kerberos version and exits\n");
     fprintf(stderr, "\toptions for credential caches:\n");
+    fprintf(stderr, "\t\t-d shows the submitted authorization data types\n");
     fprintf(stderr, "\t\t-f shows credentials flags\n");
     fprintf(stderr, "\t\t-s sets exit status based on valid tgt existence\n");
     fprintf(stderr, "\t\t-a displays the address list\n");
@@ -113,8 +115,11 @@
     name = NULL;
     mode = DEFAULT;
     /* V=version so v can be used for verbose later if desired.  */
-    while ((c = getopt(argc, argv, "fetKsnack45V")) != -1) {
+    while ((c = getopt(argc, argv, "dfetKsnack45V")) != -1) {
 	switch (c) {
+	case 'd':
+	    show_adtype = 1;
+	    break;
 	case 'f':
 	    show_flags = 1;
 	    break;
@@ -570,6 +575,24 @@
 	    krb5_free_ticket(kcontext, tkt);
     }
 
+    if (show_adtype) {
+	int i;
+
+	if (cred->authdata != NULL) {
+	    if (!extra_field)
+		fputs("\t",stdout);
+	    else
+		fputs(", ",stdout);
+	    printf("AD types: ");
+	    for (i = 0; cred->authdata[i] != NULL; i++) {
+		if (i)
+		    printf(", ");
+		printf("%d", cred->authdata[i]->ad_type);
+	    }
+	    extra_field++;
+	}
+    }
+
     /* if any additional info was printed, extra_field is non-zero */
     if (extra_field)
 	putchar('\n');

Modified: trunk/src/configure.in
===================================================================
--- trunk/src/configure.in	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/configure.in	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1098,6 +1098,8 @@
 	plugins/preauth/cksum_body plugins/preauth/encrypted_challenge
 	plugins/preauth/wpse
 	plugins/authdata/greet
+	plugins/authdata/greet_client
+	plugins/authdata/greet_server
 
 	clients clients/klist clients/kinit clients/kvno
 	clients/kdestroy clients/kpasswd clients/ksu

Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/k5-int.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1035,6 +1035,11 @@
     krb5_int32 nonce;
 } krb5_fast_response;
 
+typedef struct _krb5_ad_kdcissued {
+    krb5_checksum ad_checksum;
+    krb5_principal i_principal;
+    krb5_authdata **elements;
+} krb5_ad_kdcissued;
 
 typedef krb5_error_code (*krb5_preauth_obtain_proc)
     (krb5_context,
@@ -1345,11 +1350,111 @@
 (krb5_context, krb5_fast_finished *);
 void KRB5_CALLCONV krb5_free_fast_response
 (krb5_context, krb5_fast_response *);
+void KRB5_CALLCONV krb5_free_ad_kdcissued
+(krb5_context, krb5_ad_kdcissued *);
 
 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
 #include "com_err.h"
 #include "k5-plugin.h"
 
+#include <krb5/authdata_plugin.h>
+
+struct _krb5_authdata_context {
+    krb5_magic magic;
+    int n_modules;
+    struct _krb5_authdata_context_module {
+	krb5_authdatatype ad_type;
+	void *plugin_context;
+        authdata_client_plugin_fini_proc client_fini;
+	krb5_flags flags;
+	krb5plugin_authdata_client_ftable_v0 *ftable;
+	authdata_client_request_init_proc client_req_init;
+	authdata_client_request_fini_proc client_req_fini;
+	const char *name;
+	void *request_context;
+	void **request_context_pp;
+    } *modules;
+    struct plugin_dir_handle plugins;
+};
+
+typedef struct _krb5_authdata_context *krb5_authdata_context;
+
+void KRB5_CALLCONV krb5int_free_data_list
+(krb5_context context, krb5_data *data);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_init
+(krb5_context kcontext, krb5_authdata_context *pcontext);
+
+void KRB5_CALLCONV
+krb5_authdata_context_free
+(krb5_context kcontext, krb5_authdata_context context);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_authdata
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_authdata ***pauthdata);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_get_attribute_types
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_data **attrs);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_get_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_set_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_delete_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_import_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ const krb5_data *attributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_data **pattributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean restrict_authenticated,
+ const char *module,
+ void **ptr);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_copy
+(krb5_context kcontext,
+ krb5_authdata_context src,
+ krb5_authdata_context *dst);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_free_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const char *module,
+ void *ptr);
+
+
 struct _kdb5_dal_handle;	/* private, in kdb5.h */
 typedef struct _kdb5_dal_handle kdb5_dal_handle;
 struct _kdb_log_context;
@@ -1669,6 +1774,9 @@
 krb5_error_code encode_krb5_fast_response
 (const krb5_fast_response *, krb5_data **);
 
+krb5_error_code encode_krb5_ad_kdcissued
+(const krb5_ad_kdcissued *, krb5_data **);
+
 /*************************************************************************
  * End of prototypes for krb5_encode.c
  *************************************************************************/
@@ -1844,6 +1952,9 @@
 krb5_error_code decode_krb5_fast_response
 (const krb5_data *, krb5_fast_response **);
 
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *, krb5_ad_kdcissued **);
+
 struct _krb5_key_data;		/* kdb.h */
 
 struct ldap_seqof_key_data {
@@ -2686,6 +2797,7 @@
 		krb5_keytab,
 		krb5_flags *,
 		krb5_ticket **);
+
 krb5_error_code KRB5_CALLCONV krb5_cc_register
 	(krb5_context,
 		const krb5_cc_ops *,
@@ -2730,6 +2842,18 @@
 	    krb5_auth_context,
 	    krb5_enctype *);
 
+krb5_error_code
+krb5_auth_con_get_authdata_context
+	(krb5_context context,
+	    krb5_auth_context auth_context,
+	    krb5_authdata_context *ad_context);
+
+krb5_error_code
+krb5_auth_con_set_authdata_context
+	(krb5_context context,
+	    krb5_auth_context auth_context,
+	    krb5_authdata_context ad_context);
+
 krb5_error_code KRB5_CALLCONV
 krb5int_server_decrypt_ticket_keyblock
   	(krb5_context context,

Modified: trunk/src/include/kdb_ext.h
===================================================================
--- trunk/src/include/kdb_ext.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/kdb_ext.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -97,6 +97,7 @@
     krb5_keyblock *server_key;		/* Key used to generate server signature */
     krb5_timestamp authtime;		/* Authtime of TGT */
     krb5_authdata **auth_data;		/* Authorization data from TGT */
+    krb5_keyblock *session_key;		/* Reply session key */
 } kdb_sign_auth_data_req;
 
 typedef struct _kdb_sign_auth_data_rep {

Modified: trunk/src/include/krb5/authdata_plugin.h
===================================================================
--- trunk/src/include/krb5/authdata_plugin.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/krb5/authdata_plugin.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -7,7 +7,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- * 
+ *
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -21,7 +21,7 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- * 
+ *
  * AuthorizationData plugin definitions for Kerberos 5.
  */
 
@@ -68,7 +68,7 @@
  * functions.
  */
 /* extern krb5plugin_authdata_ftable_v0 authdata_server_0; */
-typedef struct krb5plugin_authdata_ftable_v0 {
+typedef struct krb5plugin_authdata_server_ftable_v0 {
     /* Not-usually-visible name. */
     char *name;
 
@@ -107,9 +107,11 @@
 				     krb5_data *req_pkt,
 				     krb5_kdc_req *request,
 				     krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v0;
+} krb5plugin_server_authdata_ftable_v0;
 
-typedef struct krb5plugin_authdata_ftable_v1 {
+typedef krb5plugin_server_authdata_ftable_v0 krb5plugin_authdata_ftable_v0;
+
+typedef struct krb5plugin_authdata_server_ftable_v1 {
     /* Not-usually-visible name. */
     char *name;
 
@@ -155,6 +157,173 @@
 				     krb5_const_principal for_user_princ,
 				     krb5_enc_tkt_part *enc_tkt_request,
 				     krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v1;
+} krb5plugin_authdata_server_ftable_v1;
 
+typedef krb5plugin_authdata_server_ftable_v1 krb5plugin_authdata_ftable_v1;
+
+typedef krb5_error_code
+(*authdata_client_plugin_init_proc)(krb5_context context,
+				    void **plugin_context);
+
+#define AD_USAGE_AS_REQ		0x01
+#define AD_USAGE_TGS_REQ	0x02
+#define AD_USAGE_AP_REQ		0x04
+#define AD_USAGE_KDC_ISSUED	0x08
+#define AD_USAGE_MASK		0x0F
+#define AD_INFORMATIONAL	0x10
+
+struct _krb5_authdata_context;
+
+typedef void
+(*authdata_client_plugin_flags_proc)(krb5_context kcontext,
+				     void *plugin_context,
+				     krb5_authdatatype ad_type,
+				     krb5_flags *flags);
+
+typedef void
+(*authdata_client_plugin_fini_proc)(krb5_context kcontext,
+				    void *plugin_context);
+
+typedef krb5_error_code
+(*authdata_client_request_init_proc)(krb5_context kcontext,
+				     struct _krb5_authdata_context *context,
+				     void *plugin_context,
+				     void **request_context);
+
+typedef void
+(*authdata_client_request_fini_proc)(krb5_context kcontext,
+				     struct _krb5_authdata_context *context,
+				     void *plugin_context,
+				     void *request_context);
+
+typedef krb5_error_code
+(*authdata_client_import_authdata_proc)(krb5_context kcontext,
+					struct _krb5_authdata_context *context,
+					void *plugin_context,
+					void *request_context,
+					krb5_authdata **authdata,
+					krb5_boolean kdc_issued_flag,
+					krb5_const_principal issuer);
+
+typedef krb5_error_code
+(*authdata_client_export_authdata_proc)(krb5_context kcontext,
+					struct _krb5_authdata_context *context,
+					void *plugin_context,
+					void *request_context,
+					krb5_flags usage,
+					krb5_authdata ***authdata);
+
+typedef krb5_error_code
+(*authdata_client_get_attribute_types_proc)(krb5_context kcontext,
+					    struct _krb5_authdata_context *context,
+					    void *plugin_context,
+					    void *request_context,
+					    krb5_data **attrs);
+
+typedef krb5_error_code
+(*authdata_client_get_attribute_proc)(krb5_context kcontext,
+				      struct _krb5_authdata_context *context,
+				      void *plugin_context,
+				      void *request_context,
+				      const krb5_data *attribute,
+				      krb5_boolean *authenticated,
+				      krb5_boolean *complete,
+				      krb5_data *value,
+				      krb5_data *display_value,
+				      int *more);
+
+typedef krb5_error_code
+(*authdata_client_set_attribute_proc)(krb5_context kcontext,
+				      struct _krb5_authdata_context *context,
+				      void *plugin_context,
+				      void *request_context,
+				      krb5_boolean complete,
+				      const krb5_data *attribute,
+				      const krb5_data *value);
+
+typedef krb5_error_code
+(*authdata_client_delete_attribute_proc)(krb5_context kcontext,
+					 struct _krb5_authdata_context *context,
+					 void *plugin_context,
+					 void *request_context,
+					 const krb5_data *attribute);
+
+typedef krb5_error_code
+(*authdata_client_export_internal_proc)(krb5_context kcontext,
+					struct _krb5_authdata_context *context,
+					void *plugin_context,
+					void *request_context,
+					krb5_boolean restrict_authenticated,
+					void **ptr);
+
+typedef void
+(*authdata_client_free_internal_proc)(krb5_context kcontext,
+				      struct _krb5_authdata_context *context,
+				      void *plugin_context,
+				      void *request_context,
+				      void *ptr);
+
+typedef krb5_error_code
+(*authdata_client_verify_proc)(krb5_context kcontext,
+			       struct _krb5_authdata_context *context,
+			       void *plugin_context,
+			       void *request_context,
+			       const krb5_auth_context *auth_context,
+			       const krb5_keyblock *key,
+			       const krb5_ap_req *req);
+
+typedef krb5_error_code
+(*authdata_client_size_proc)(krb5_context kcontext,
+			     struct _krb5_authdata_context *context,
+			     void *plugin_context,
+			     void *request_context,
+			     size_t *sizep);
+
+typedef krb5_error_code
+(*authdata_client_externalize_proc)(krb5_context kcontext,
+				    struct _krb5_authdata_context *context,
+				    void *plugin_context,
+				    void *request_context,
+				    krb5_octet **buffer,
+				    size_t *lenremain);
+
+typedef krb5_error_code
+(*authdata_client_internalize_proc)(krb5_context kcontext,
+				    struct _krb5_authdata_context *context,
+				    void *plugin_context,
+				    void *request_context,
+				    krb5_octet **buffer,
+				    size_t *lenremain);
+
+typedef krb5_error_code
+(*authdata_client_copy_proc)(krb5_context kcontext,
+			     struct _krb5_authdata_context *context,
+			     void *plugin_context,
+			     void *request_context,
+			     void *dst_plugin_context,
+			     void *dst_request_context);
+
+typedef struct krb5plugin_authdata_client_ftable_v0 {
+    char *name;
+    krb5_authdatatype *ad_type_list;
+    authdata_client_plugin_init_proc init;
+    authdata_client_plugin_fini_proc fini;
+    authdata_client_plugin_flags_proc flags;
+    authdata_client_request_init_proc request_init;
+    authdata_client_request_fini_proc request_fini;
+    authdata_client_get_attribute_types_proc get_attribute_types;
+    authdata_client_get_attribute_proc get_attribute;
+    authdata_client_set_attribute_proc set_attribute;
+    authdata_client_delete_attribute_proc delete_attribute;
+    authdata_client_export_authdata_proc export_authdata;
+    authdata_client_import_authdata_proc import_authdata;
+    authdata_client_export_internal_proc export_internal;
+    authdata_client_free_internal_proc free_internal;
+    authdata_client_verify_proc verify;
+    authdata_client_size_proc size;
+    authdata_client_externalize_proc externalize;
+    authdata_client_internalize_proc internalize;
+    authdata_client_copy_proc copy; /* optional */
+} krb5plugin_authdata_client_ftable_v0;
+
 #endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */

Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/include/krb5/krb5.hin	2009-10-09 18:29:34 UTC (rev 22875)
@@ -2575,6 +2575,22 @@
     krb5_authdata ***container);
 
 /*
+ * AD-KDCIssued
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_make_authdata_kdc_issued(krb5_context context,
+    const krb5_keyblock *key,
+    krb5_const_principal issuer,
+    krb5_authdata *const *authdata,
+    krb5_authdata ***ad_kdcissued);
+krb5_error_code KRB5_CALLCONV
+krb5_verify_authdata_kdc_issued(krb5_context context,
+    const krb5_keyblock *key,
+    const krb5_authdata *ad_kdcissued,
+    krb5_principal *issuer,
+    krb5_authdata ***authdata);
+
+/*
  * Windows PAC
  */
 struct krb5_pac_data;

Modified: trunk/src/kdc/do_tgs_req.c
===================================================================
--- trunk/src/kdc/do_tgs_req.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/do_tgs_req.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -699,6 +699,10 @@
     else
         enc_tkt_reply.client = header_enc_tkt->client;
 
+    enc_tkt_reply.session = &session_key;
+    enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
+    enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
+
     errcode = handle_authdata(kdc_context,
                               c_flags,
                               (c_nprincs != 0) ? &client : NULL,
@@ -728,10 +732,6 @@
         }
     }
 
-    enc_tkt_reply.session = &session_key;
-    enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
-    enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
-
     /*
      * Only add the realm of the presented tgt to the transited list if 
      * it is different than the local realm (cross-realm) and it is different

Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/kdc_authdata.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -158,11 +158,10 @@
     }
 
     /* Count the valid modules. */ 
-    module_count = sizeof(static_authdata_systems)
-	/ sizeof(static_authdata_systems[0]);
+    module_count = 0;
 
     if (authdata_plugins_ftables_v1 != NULL) {
-	struct krb5plugin_authdata_ftable_v1 *ftable;
+	struct krb5plugin_authdata_server_ftable_v1 *ftable;
 
 	for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) {
 	    ftable = authdata_plugins_ftables_v1[i];
@@ -172,7 +171,7 @@
     }
  
     if (authdata_plugins_ftables_v0 != NULL) {
-	struct krb5plugin_authdata_ftable_v0 *ftable;
+	struct krb5plugin_authdata_server_ftable_v0 *ftable;
 
 	for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) {
 	    ftable = authdata_plugins_ftables_v0[i];
@@ -181,6 +180,9 @@
 	}
     }
 
+    module_count += sizeof(static_authdata_systems)
+	/ sizeof(static_authdata_systems[0]);
+
     /* Build the complete list of supported authdata options, and
      * leave room for a terminator entry. */
     authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems));
@@ -189,25 +191,11 @@
 	goto cleanup;
     }
 
-    /* Add the locally-supplied mechanisms to the dynamic list first. */
-    for (i = 0, k = 0;
-	 i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]);
-	 i++) {
-	authdata_systems[k] = static_authdata_systems[i];
-	/* Try to initialize the authdata system.  If it fails, we'll remove it
-	 * from the list of systems we'll be using. */
-	server_init_proc = static_authdata_systems[i].init;
-	if ((server_init_proc != NULL) &&
-	    ((*server_init_proc)(context, &authdata_systems[k].plugin_context) != 0)) {
-	    memset(&authdata_systems[k], 0, sizeof(authdata_systems[k]));
-	    continue;
-	}
-	k++;
-    }
+    k = 0;
 
     /* Add dynamically loaded V1 plugins */
     if (authdata_plugins_ftables_v1 != NULL) {
-	struct krb5plugin_authdata_ftable_v1 *ftable;
+	struct krb5plugin_authdata_server_ftable_v1 *ftable;
 
 	for (i = 0; authdata_plugins_ftables_v1[i] != NULL; i++) {
 	    krb5_error_code initerr;
@@ -245,7 +233,7 @@
 
     /* Add dynamically loaded V0 plugins */
     if (authdata_plugins_ftables_v0 != NULL) {
-	struct krb5plugin_authdata_ftable_v0 *ftable;
+	struct krb5plugin_authdata_server_ftable_v0 *ftable;
 
 	for (i = 0; authdata_plugins_ftables_v0[i] != NULL; i++) {
 	    krb5_error_code initerr;
@@ -281,6 +269,22 @@
 	}
     }
 
+    /* Add the locally-supplied mechanisms to the dynamic list first. */
+    for (i = 0;
+	 i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]);
+	 i++) {
+	authdata_systems[k] = static_authdata_systems[i];
+	/* Try to initialize the authdata system.  If it fails, we'll remove it
+	 * from the list of systems we'll be using. */
+	server_init_proc = static_authdata_systems[i].init;
+	if ((server_init_proc != NULL) &&
+	    ((*server_init_proc)(context, &authdata_systems[k].plugin_context) != 0)) {
+	    memset(&authdata_systems[k], 0, sizeof(authdata_systems[k]));
+	    continue;
+	}
+	k++;
+    }
+
     n_authdata_systems = k;
     /* Add the end-of-list marker. */
     authdata_systems[k].name = "[end]";
@@ -526,6 +530,7 @@
 			    server_key, /* U2U or server key */
 			    enc_tkt_reply->times.authtime,
 			    tgs_req ? enc_tkt_request->authorization_data : NULL,
+			    enc_tkt_reply->session,
 			    &db_authdata,
 			    &ad_entry,
 			    &ad_nprincs);

Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/kdc_util.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1739,6 +1739,7 @@
 		  krb5_keyblock *server_key,
 		  krb5_timestamp authtime,
 		  krb5_authdata **tgs_authdata,
+		  krb5_keyblock *session_key,
 		  krb5_authdata ***ret_authdata,
 		  krb5_db_entry *ad_entry,
 		  int *ad_nprincs)
@@ -1765,6 +1766,7 @@
     req.server_key		= server_key;
     req.authtime		= authtime;
     req.auth_data		= tgs_authdata;
+    req.session_key		= session_key;
 
     rep.entry			= ad_entry;
     rep.nprincs			= 0;

Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/kdc/kdc_util.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -238,6 +238,7 @@
 		krb5_keyblock *server_key,
 		krb5_timestamp authtime,
 		krb5_authdata **tgs_authdata,
+		krb5_keyblock *session_key,
 		krb5_authdata ***ret_authdata,
 		krb5_db_entry *ad_entry,
 		int *ad_nprincs);

Copied: trunk/src/lib/crypto/krb/enc_provider (from rev 22872, users/lhoward/authdata/src/lib/crypto/krb/enc_provider)

Copied: trunk/src/lib/crypto/krb/hash_provider (from rev 22872, users/lhoward/authdata/src/lib/crypto/krb/hash_provider)

Modified: trunk/src/lib/crypto/openssl/sha1/shs.c
===================================================================
--- trunk/src/lib/crypto/openssl/sha1/shs.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/crypto/openssl/sha1/shs.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -29,7 +29,7 @@
 
 void shsFinal(SHS_INFO *shsInfo)
 {
-    EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen); 
+    EVP_DigestFinal_ex(&shsInfo->ossl_sha1_ctx ,(unsigned char *)shsInfo->digestBuf , &shsInfo->digestLen);
     EVP_MD_CTX_cleanup(&shsInfo->ossl_sha1_ctx );
 }
 

Modified: trunk/src/lib/crypto/openssl/sha1/shs.h
===================================================================
--- trunk/src/lib/crypto/openssl/sha1/shs.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/crypto/openssl/sha1/shs.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -22,7 +22,7 @@
 /* The structure for storing SHS info */
 
 typedef struct {
-    EVP_MD_CTX ossl_sha1_ctx;  
+    EVP_MD_CTX ossl_sha1_ctx;
     unsigned char   digestBuf[SHS_DIGESTSIZE]; /* output */
     unsigned int    digestLen; /* output */
 } SHS_INFO;

Modified: trunk/src/lib/gssapi/generic/gssapi_ext.h
===================================================================
--- trunk/src/lib/gssapi/generic/gssapi_ext.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/generic/gssapi_ext.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -254,7 +254,6 @@
     gss_iov_buffer_desc *, /* iov */
     int);		/* iov_count */
 
-
 /*
  * Protocol transition
  */
@@ -285,6 +284,80 @@
     OM_uint32 *,	    /* initiator_time_rec */
     OM_uint32 *);	    /* acceptor_time_rec */
 
+/*
+ * Naming extensions
+ */
+OM_uint32 KRB5_CALLCONV gss_display_name_ext
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_OID,		/* display_as_name_type */
+    gss_buffer_t	/* display_name */
+);
+
+OM_uint32 KRB5_CALLCONV gss_inquire_name
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    int *,		/* name_is_MN */
+    gss_OID *,		/* MN_mech */
+    gss_buffer_set_t *	/* attrs */
+);
+
+OM_uint32 KRB5_CALLCONV gss_get_name_attribute
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_buffer_t,	/* attr */
+    int *,		/* authenticated */
+    int *,		/* complete */
+    gss_buffer_t,	/* value */
+    gss_buffer_t,	/* display_value */
+    int *		/* more */
+);
+
+OM_uint32 KRB5_CALLCONV gss_set_name_attribute
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    int,		/* complete */
+    gss_buffer_t,	/* attr */
+    gss_buffer_t	/* value */
+);
+
+OM_uint32 KRB5_CALLCONV gss_delete_name_attribute
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_buffer_t	/* attr */
+);
+
+OM_uint32 KRB5_CALLCONV gss_export_name_composite
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_buffer_t	/* exp_composite_name */
+);
+
+typedef struct gss_any *gss_any_t;
+
+OM_uint32 KRB5_CALLCONV gss_map_name_to_any
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    int,		/* authenticated */
+    gss_buffer_t,	/* type_id */
+    gss_any_t *		/* output */
+);
+
+OM_uint32 KRB5_CALLCONV gss_release_any_name_mapping
+(
+    OM_uint32 *,	/* minor_status */
+    gss_name_t,		/* name */
+    gss_buffer_t,	/* type_id */
+    gss_any_t *		/* input */
+);
+
 #ifdef __cplusplus
 }
 #endif

Modified: trunk/src/lib/gssapi/krb5/Makefile.in
===================================================================
--- trunk/src/lib/gssapi/krb5/Makefile.in	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/Makefile.in	2009-10-09 18:29:34 UTC (rev 22875)
@@ -69,6 +69,7 @@
 	$(srcdir)/k5unsealiov.c \
 	$(srcdir)/krb5_gss_glue.c \
 	$(srcdir)/lucid_context.c \
+	$(srcdir)/naming_exts.c \
 	$(srcdir)/process_context_token.c \
 	$(srcdir)/rel_cred.c \
 	$(srcdir)/rel_oid.c \
@@ -120,6 +121,7 @@
 	$(OUTPRE)k5unsealiov.$(OBJEXT) \
 	$(OUTPRE)krb5_gss_glue.$(OBJEXT) \
 	$(OUTPRE)lucid_context.$(OBJEXT) \
+	$(OUTPRE)naming_exts.$(OBJEXT) \
 	$(OUTPRE)process_context_token.$(OBJEXT) \
 	$(OUTPRE)rel_cred.$(OBJEXT) \
 	$(OUTPRE)rel_oid.$(OBJEXT) \
@@ -174,6 +176,7 @@
 	k5unsealiov.o \
 	krb5_gss_glue.o \
 	lucid_context.o \
+	naming_exts.o \
 	process_context_token.o \
 	rel_cred.o \
 	rel_oid.o \

Modified: trunk/src/lib/gssapi/krb5/accept_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/accept_sec_context.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/accept_sec_context.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -243,7 +243,7 @@
 
         /* copy the client principle into it... */
         if ((retval =
-             krb5_copy_principal(context, creds[0]->client, &(cred->princ)))) {
+             kg_init_name(context, creds[0]->client, NULL, 0, &cred->name))) {
             k5_mutex_destroy(&cred->lock);
             retval = ENOMEM; /* out of memory? */
             xfree(cred); /* clean up memory on failure */
@@ -252,7 +252,7 @@
         }
 
         cred->usage = GSS_C_INITIATE; /* we can't accept with this */
-        /* cred->princ already set */
+        /* cred->name already set */
         cred->prerfc_mech = 1; /* this cred will work with all three mechs */
         cred->rfc_mech = 1;
         cred->keytab = NULL; /* no keytab associated with this... */
@@ -307,7 +307,7 @@
    krb5_error_code code;
    krb5_gss_ctx_id_rec *ctx = 0;
    krb5_timestamp now;
-   krb5_principal name = NULL;
+   krb5_gss_name_t name = NULL;
    krb5_ui_4 nonce = 0;
    krb5_data ap_rep;
    OM_uint32 major_status = GSS_S_FAILURE;
@@ -350,16 +350,11 @@
    ctx->established = 1;
 
    if (src_name) {
-       if ((code = krb5_copy_principal(ctx->k5_context, ctx->there, &name))) {
+       if ((code = kg_duplicate_name(ctx->k5_context, ctx->there,
+                                     KG_INIT_NAME_INTERN, &name))) {
            major_status = GSS_S_FAILURE;
            goto fail;
        }
-       /* intern the src_name */
-       if (! kg_save_name((gss_name_t) name)) {
-           code = G_VALIDATE_FAILED;
-           major_status = GSS_S_FAILURE;
-           goto fail;
-       }
       *src_name = (gss_name_t) name;
    }
 
@@ -420,7 +415,7 @@
     krb5_address addr, *paddr;
     krb5_authenticator *authdat = 0;
     krb5_checksum reqcksum;
-    krb5_principal name = NULL;
+    krb5_gss_name_t name = NULL;
     krb5_ui_4 gss_flags = 0;
     int decode_req_message = 0;
     krb5_gss_ctx_id_rec *ctx = NULL;
@@ -442,6 +437,7 @@
     int no_encap = 0;
     krb5_flags ap_req_options = 0;
     krb5_enctype negotiated_etype;
+    krb5_authdata_context ad_context = NULL;
 
     code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
     if (code) {
@@ -587,8 +583,11 @@
         goto fail;
     }
 
-    if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
-                            cred->keytab, &ap_req_options, &ticket))) {
+    if ((code = krb5_rd_req(context, &auth_context, &ap_req,
+                            cred->name ? cred->name->princ : NULL,
+                            cred->keytab,
+                            &ap_req_options,
+                            &ticket))) {
         major_status = GSS_S_FAILURE;
         goto fail;
     }
@@ -865,15 +864,23 @@
         major_status = GSS_S_FAILURE;
         goto fail;
     }
-    if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
+    if ((code = kg_init_name(context, ticket->server, NULL, 0, &ctx->here))) {
         major_status = GSS_S_FAILURE;
         goto fail;
     }
-
-    if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) {
+    if ((code = krb5_auth_con_get_authdata_context(context, auth_context,
+                                                   &ad_context))) {
         major_status = GSS_S_FAILURE;
         goto fail;
     }
+    if ((code = kg_init_name(context, authdat->client,
+                             ad_context, KG_INIT_NAME_NO_COPY, &ctx->there))) {
+        major_status = GSS_S_FAILURE;
+        goto fail;
+    }
+    /* Now owned by ctx->there */
+    authdat->client = NULL;
+    krb5_auth_con_set_authdata_context(context, auth_context, NULL);
 
     if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
                                             &ctx->subkey))) {
@@ -1092,16 +1099,11 @@
     /* set the return arguments */
 
     if (src_name) {
-        if ((code = krb5_copy_principal(context, ctx->there, &name))) {
+        if ((code = kg_duplicate_name(context, ctx->there,
+                                      KG_INIT_NAME_INTERN, &name))) {
             major_status = GSS_S_FAILURE;
             goto fail;
         }
-        /* intern the src_name */
-        if (! kg_save_name((gss_name_t) name)) {
-            code = G_VALIDATE_FAILED;
-            major_status = GSS_S_FAILURE;
-            goto fail;
-        }
     }
 
     if (mech_type)
@@ -1163,15 +1165,14 @@
     if (deleg_cred) { /* free memory associated with the deleg credential */
         if (deleg_cred->ccache)
             (void)krb5_cc_close(context, deleg_cred->ccache);
-        if (deleg_cred->princ)
-            krb5_free_principal(context, deleg_cred->princ);
+        if (deleg_cred->name)
+            kg_release_name(context, 0, &deleg_cred->name);
         xfree(deleg_cred);
     }
     if (token.value)
         xfree(token.value);
     if (name) {
-        (void) kg_delete_name((gss_name_t) name);
-        krb5_free_principal(context, name);
+        (void) kg_release_name(context, 0, &name);
     }
 
     *minor_status = code;
@@ -1212,7 +1213,7 @@
         krb_error_data.error = code;
         (void) krb5_us_timeofday(context, &krb_error_data.stime,
                                  &krb_error_data.susec);
-        krb_error_data.server = cred->princ;
+        krb_error_data.server = cred->name ? cred->name->princ : NULL;
 
         code = krb5_mk_error(context, &krb_error_data, &scratch);
         if (code)

Modified: trunk/src/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/acquire_cred.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/acquire_cred.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -131,18 +131,18 @@
 }
 
 /* get credentials corresponding to a key in the krb5 keytab.
-   If the default name is requested, return the name in output_princ.
-   If output_princ is non-NULL, the caller will use or free it, regardless
+   If the default name is requested, return the name in output_name.
+   If output_name is non-NULL, the caller will use or free it, regardless
    of the return value.
    If successful, set the keytab-specific fields in cred
 */
 
 static OM_uint32
-acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
+acquire_accept_cred(context, minor_status, desired_name, output_name, cred)
     krb5_context context;
     OM_uint32 *minor_status;
-    gss_name_t desired_name;
-    krb5_principal *output_princ;
+    krb5_gss_name_t desired_name;
+    krb5_gss_name_t *output_name;
     krb5_gss_cred_id_rec *cred;
 {
     krb5_error_code code;
@@ -150,7 +150,7 @@
     krb5_keytab kt;
     krb5_keytab_entry entry;
 
-    *output_princ = NULL;
+    *output_name = NULL;
     cred->keytab = NULL;
 
     /* open the default keytab */
@@ -178,8 +178,8 @@
         return(GSS_S_CRED_UNAVAIL);
     }
 
-    if (desired_name != GSS_C_NO_NAME) {
-        princ = (krb5_principal) desired_name;
+    if (desired_name != NULL) {
+        princ = desired_name->princ;
         if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
             (void) krb5_kt_close(context, kt);
             if (code == KRB5_KT_NOTFOUND) {
@@ -212,18 +212,18 @@
 #endif /* LEAN_CLIENT */
 
 /* get credentials corresponding to the default credential cache.
-   If the default name is requested, return the name in output_princ.
-   If output_princ is non-NULL, the caller will use or free it, regardless
+   If the default name is requested, return the name in output_name.
+   If output_name is non-NULL, the caller will use or free it, regardless
    of the return value.
    If successful, set the ccache-specific fields in cred.
 */
 
 static OM_uint32
-acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
+acquire_init_cred(context, minor_status, desired_name, output_name, cred)
     krb5_context context;
     OM_uint32 *minor_status;
-    gss_name_t desired_name;
-    krb5_principal *output_princ;
+    krb5_gss_name_t desired_name;
+    krb5_gss_name_t *output_name;
     krb5_gss_cred_id_rec *cred;
 {
     krb5_error_code code;
@@ -255,11 +255,10 @@
         kim_ccache kimccache = NULL;
         kim_identity identity = NULL;
         kim_credential_state state;
-        krb5_principal desired_princ = (krb5_principal) desired_name;
 
         err = kim_identity_create_from_krb5_principal (&identity,
                                                        context,
-                                                       desired_princ);
+                                                       desired_name->princ);
 
         if (!err) {
             err = kim_ccache_create_from_client_identity (&kimccache, identity);
@@ -307,7 +306,7 @@
 
         if ( pLeash_AcquireInitialTicketsIfNeeded ) {
             char ccname[256]="";
-            pLeash_AcquireInitialTicketsIfNeeded(context, (krb5_principal) desired_name, ccname, sizeof(ccname));
+            pLeash_AcquireInitialTicketsIfNeeded(context, desired_name->princ, ccname, sizeof(ccname));
             if (!ccname[0]) {
                 *minor_status = KRB5_CC_NOTFOUND;
                 return(GSS_S_CRED_UNAVAIL);
@@ -354,17 +353,24 @@
         return(GSS_S_FAILURE);
     }
 
-    if (desired_name != (gss_name_t) NULL) {
-        if (! krb5_principal_compare(context, princ, (krb5_principal) desired_name)) {
+    if (desired_name != (krb5_gss_name_t)NULL) {
+        if (! krb5_principal_compare(context, princ, desired_name->princ)) {
             (void)krb5_free_principal(context, princ);
             (void)krb5_cc_close(context, ccache);
             *minor_status = KG_CCACHE_NOMATCH;
             return(GSS_S_CRED_UNAVAIL);
         }
         (void)krb5_free_principal(context, princ);
-        princ = (krb5_principal) desired_name;
+        princ = desired_name->princ;
     } else {
-        *output_princ = princ;
+        if ((code = kg_init_name(context, princ, NULL,
+                                 KG_INIT_NAME_NO_COPY | KG_INIT_NAME_INTERN,
+                                 output_name))) {
+            (void)krb5_free_principal(context, princ);
+            (void)krb5_cc_close(context, ccache);
+            *minor_status = code;
+            return(GSS_S_FAILURE);
+        }
     }
 
     /* iterate over the ccache, find the tgt */
@@ -489,7 +495,7 @@
     /* validate the name */
 
     /*SUPPRESS 29*/
-    if ((desired_name != (gss_name_t) NULL) &&
+    if ((desired_name != GSS_C_NO_NAME) &&
         (! kg_validate_name(desired_name))) {
         *minor_status = (OM_uint32) G_VALIDATE_FAILED;
         krb5_free_context(context);
@@ -531,7 +537,7 @@
     memset(cred, 0, sizeof(krb5_gss_cred_id_rec));
 
     cred->usage = cred_usage;
-    cred->princ = NULL;
+    cred->name = NULL;
     cred->prerfc_mech = (req_old != 0);
     cred->rfc_mech = (req_new != 0);
 
@@ -561,15 +567,15 @@
     }
 
     /* if requested, acquire credentials for accepting */
-    /* this will fill in cred->princ if the desired_name is not specified */
+    /* this will fill in cred->name if the desired_name is not specified */
 #ifndef LEAN_CLIENT
     if ((cred_usage == GSS_C_ACCEPT) ||
         (cred_usage == GSS_C_BOTH))
         if ((ret = acquire_accept_cred(context, minor_status, desired_name,
-                                       &(cred->princ), cred))
+                                       &(cred->name), cred))
             != GSS_S_COMPLETE) {
-            if (cred->princ)
-                krb5_free_principal(context, cred->princ);
+            if (cred->name)
+                kg_release_name(context, 0, &cred->name);
             k5_mutex_destroy(&cred->lock);
             xfree(cred);
             /* minor_status set by acquire_accept_cred() */
@@ -580,22 +586,22 @@
 #endif /* LEAN_CLIENT */
 
     /* if requested, acquire credentials for initiation */
-    /* this will fill in cred->princ if it wasn't set above, and
+    /* this will fill in cred->name if it wasn't set above, and
        the desired_name is not specified */
 
     if ((cred_usage == GSS_C_INITIATE) ||
         (cred_usage == GSS_C_BOTH))
         if ((ret =
              acquire_init_cred(context, minor_status,
-                               cred->princ?(gss_name_t)cred->princ:desired_name,
-                               &(cred->princ), cred))
+                               cred->name?cred->name:(krb5_gss_name_t)desired_name,
+                               &cred->name, cred))
             != GSS_S_COMPLETE) {
 #ifndef LEAN_CLIENT
             if (cred->keytab)
                 krb5_kt_close(context, cred->keytab);
 #endif /* LEAN_CLIENT */
-            if (cred->princ)
-                krb5_free_principal(context, cred->princ);
+            if (cred->name)
+                kg_release_name(context, 0, &cred->name);
             k5_mutex_destroy(&cred->lock);
             xfree(cred);
             /* minor_status set by acquire_init_cred() */
@@ -606,9 +612,10 @@
 
     /* if the princ wasn't filled in already, fill it in now */
 
-    if (!cred->princ && (desired_name != GSS_C_NO_NAME))
-        if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
-                                        &(cred->princ)))) {
+    if (!cred->name && (desired_name != GSS_C_NO_NAME))
+        if ((code = kg_duplicate_name(context,
+                                      (krb5_gss_name_t)desired_name,
+                                      0, &cred->name))) {
             if (cred->ccache)
                 (void)krb5_cc_close(context, cred->ccache);
 #ifndef LEAN_CLIENT
@@ -640,8 +647,8 @@
             if (cred->keytab)
                 (void)krb5_kt_close(context, cred->keytab);
 #endif /* LEAN_CLIENT */
-            if (cred->princ)
-                krb5_free_principal(context, cred->princ);
+            if (cred->name)
+                kg_release_name(context, 0, &cred->name);
             k5_mutex_destroy(&cred->lock);
             xfree(cred);
             *minor_status = code;
@@ -673,8 +680,8 @@
             if (cred->keytab)
                 (void)krb5_kt_close(context, cred->keytab);
 #endif /* LEAN_CLIENT */
-            if (cred->princ)
-                krb5_free_principal(context, cred->princ);
+            if (cred->name)
+                kg_release_name(context, 0, &cred->name);
             k5_mutex_destroy(&cred->lock);
             xfree(cred);
             /* *minor_status set above */
@@ -694,8 +701,8 @@
         if (cred->keytab)
             (void)krb5_kt_close(context, cred->keytab);
 #endif /* LEAN_CLIENT */
-        if (cred->princ)
-            krb5_free_principal(context, cred->princ);
+        if (cred->name)
+            kg_release_name(context, 0, &cred->name);
         k5_mutex_destroy(&cred->lock);
         xfree(cred);
         *minor_status = (OM_uint32) G_VALIDATE_FAILED;

Modified: trunk/src/lib/gssapi/krb5/add_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/add_cred.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/add_cred.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -170,8 +170,7 @@
     /* make sure the desired_name is the same as the existing one */
 
     if (desired_name &&
-        !krb5_principal_compare(context, (krb5_principal) desired_name,
-                                cred->princ)) {
+        !kg_compare_name(context, (krb5_gss_name_t)desired_name, cred->name)) {
         *minor_status = 0;
         krb5_free_context(context);
         return(GSS_S_BAD_NAME);
@@ -200,8 +199,8 @@
         new_cred->rfc_mech = cred->rfc_mech;
         new_cred->tgt_expire = cred->tgt_expire;
 
-        if (cred->princ)
-            code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
+        if (cred->name)
+            code = kg_duplicate_name(context, cred->name, 0, &new_cred->name);
         if (code) {
             xfree(new_cred);
 
@@ -214,8 +213,8 @@
         if (cred->keytab) {
             kttype = krb5_kt_get_type(context, cred->keytab);
             if ((strlen(kttype)+2) > sizeof(ktboth)) {
-                if (new_cred->princ)
-                    krb5_free_principal(context, new_cred->princ);
+                if (new_cred->name)
+                    kg_release_name(context, 0, &new_cred->name);
                 xfree(new_cred);
 
                 *minor_status = ENOMEM;
@@ -231,8 +230,8 @@
                                     ktboth+strlen(ktboth),
                                     sizeof(ktboth)-strlen(ktboth));
             if (code) {
-                if(new_cred->princ)
-                    krb5_free_principal(context, new_cred->princ);
+                if(new_cred->name)
+                    kg_release_name(context, 0, &new_cred->name);
                 xfree(new_cred);
 
                 *minor_status = code;
@@ -243,8 +242,8 @@
 
             code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
             if (code) {
-                if (new_cred->princ)
-                    krb5_free_principal(context, new_cred->princ);
+                if (new_cred->name)
+                    kg_release_name(context, 0, &new_cred->name);
                 xfree(new_cred);
 
                 *minor_status = code;
@@ -261,15 +260,17 @@
 
         if (cred->rcache) {
             /* Open the replay cache for this principal. */
+            assert(cred->name->princ != NULL);
+
             if ((code = krb5_get_server_rcache(context,
-                                               krb5_princ_component(context, cred->princ, 0),
+                                               krb5_princ_component(context, cred->name->princ, 0),
                                                &new_cred->rcache))) {
 #ifndef LEAN_CLIENT
                 if (new_cred->keytab)
                     krb5_kt_close(context, new_cred->keytab);
 #endif /* LEAN_CLIENT */
-                if (new_cred->princ)
-                    krb5_free_principal(context, new_cred->princ);
+                if (new_cred->name)
+                    kg_release_name(context, 0, &new_cred->name);
                 xfree(new_cred);
 
                 *minor_status = code;
@@ -292,8 +293,8 @@
                 if (new_cred->keytab)
                     krb5_kt_close(context, new_cred->keytab);
 #endif /* LEAN_CLIENT */
-                if (new_cred->princ)
-                    krb5_free_principal(context, new_cred->princ);
+                if (new_cred->name)
+                    kg_release_name(context, 0, &new_cred->name);
                 xfree(new_cred);
 
                 krb5_free_context(context);
@@ -314,8 +315,8 @@
                 if (new_cred->keytab)
                     krb5_kt_close(context, new_cred->keytab);
 #endif /* LEAN_CLIENT */
-                if (new_cred->princ)
-                    krb5_free_principal(context, new_cred->princ);
+                if (new_cred->name)
+                    kg_release_name(context, 0, &new_cred->name);
                 xfree(new_cred);
 
                 *minor_status = code;
@@ -338,8 +339,8 @@
             if (new_cred->keytab)
                 krb5_kt_close(context, new_cred->keytab);
 #endif /* LEAN_CLIENT */
-            if (new_cred->princ)
-                krb5_free_principal(context, new_cred->princ);
+            if (new_cred->name)
+                kg_release_name(context, 0, &new_cred->name);
             xfree(new_cred);
             krb5_free_context(context);
 

Modified: trunk/src/lib/gssapi/krb5/compare_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/compare_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/compare_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -54,8 +54,9 @@
     }
 
     *minor_status = 0;
-    *name_equal = krb5_principal_compare(context, (krb5_principal) name1,
-                                         (krb5_principal) name2);
+    *name_equal = kg_compare_name(context,
+                                  (krb5_gss_name_t)name1,
+                                  (krb5_gss_name_t)name2);
     krb5_free_context(context);
     return(GSS_S_COMPLETE);
 }

Modified: trunk/src/lib/gssapi/krb5/delete_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/delete_sec_context.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/delete_sec_context.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -88,9 +88,9 @@
         krb5_free_keyblock(context, ctx->seq);
 
     if (ctx->here)
-        krb5_free_principal(context, ctx->here);
+        kg_release_name(context, 0, &ctx->here);
     if (ctx->there)
-        krb5_free_principal(context, ctx->there);
+        kg_release_name(context, 0, &ctx->there);
     if (ctx->subkey)
         krb5_free_keyblock(context, ctx->subkey);
     if (ctx->acceptor_subkey)

Modified: trunk/src/lib/gssapi/krb5/disp_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/disp_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/disp_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -51,7 +51,8 @@
     }
 
     if ((code = krb5_unparse_name(context,
-                                  (krb5_principal) input_name, &str))) {
+                                  ((krb5_gss_name_t) input_name)->princ,
+                                  &str))) {
         *minor_status = code;
         save_error_info(*minor_status, context);
         krb5_free_context(context);

Modified: trunk/src/lib/gssapi/krb5/duplicate_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/duplicate_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/duplicate_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -34,7 +34,7 @@
 {
     krb5_context context;
     krb5_error_code code;
-    krb5_principal princ, outprinc;
+    krb5_gss_name_t princ, outprinc;
 
     if (minor_status)
         *minor_status = 0;
@@ -53,23 +53,16 @@
         return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
     }
 
-    princ = (krb5_principal)input_name;
-    if ((code = krb5_copy_principal(context, princ, &outprinc))) {
+    princ = (krb5_gss_name_t)input_name;
+    if ((code = kg_duplicate_name(context, princ, KG_INIT_NAME_INTERN, &outprinc))) {
         *minor_status = code;
         save_error_info(*minor_status, context);
         krb5_free_context(context);
         return(GSS_S_FAILURE);
     }
-
-    if (! kg_save_name((gss_name_t) outprinc)) {
-        krb5_free_principal(context, outprinc);
-        krb5_free_context(context);
-        *minor_status = (OM_uint32) G_VALIDATE_FAILED;
-        return(GSS_S_FAILURE);
-    }
-
     krb5_free_context(context);
     *dest_name = (gss_name_t) outprinc;
+    assert(kg_validate_name(*dest_name));
     return(GSS_S_COMPLETE);
 
 }

Modified: trunk/src/lib/gssapi/krb5/export_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/export_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/export_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -58,7 +58,7 @@
         return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
     }
 
-    if ((code = krb5_unparse_name(context, (krb5_principal) input_name,
+    if ((code = krb5_unparse_name(context, ((krb5_gss_name_t) input_name)->princ,
                                   &str))) {
         if (minor_status)
             *minor_status = code;

Modified: trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapiP_krb5.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/gssapiP_krb5.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -153,7 +153,11 @@
 
 /** internal types **/
 
-typedef krb5_principal krb5_gss_name_t;
+typedef struct _krb5_gss_name_rec {
+    krb5_principal princ; /* immutable */
+    k5_mutex_t lock; /* protects ad_context only for now */
+    krb5_authdata_context ad_context;
+} krb5_gss_name_rec, *krb5_gss_name_t;
 
 typedef struct _krb5_gss_cred_id_rec {
     /* protect against simultaneous accesses */
@@ -161,7 +165,7 @@
 
     /* name/type of credential */
     gss_cred_usage_t usage;
-    krb5_principal princ;        /* this is not interned as a gss_name_t */
+    krb5_gss_name_t name;
     unsigned int prerfc_mech : 1;
     unsigned int rfc_mech : 1;
     unsigned int proxy_cred : 1;
@@ -184,8 +188,8 @@
     unsigned int seed_init : 1;  /* XXX tested but never actually set */
     OM_uint32 gss_flags;
     unsigned char seed[16];
-    krb5_principal here;
-    krb5_principal there;
+    krb5_gss_name_t here;
+    krb5_gss_name_t there;
     krb5_keyblock *subkey; /*One of two potential keys to use with RFC
                             * 4121 packets; this key must always be set.*/
     int signalg;
@@ -825,6 +829,86 @@
 
 int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
 
+/* naming_exts.c */
+#define KG_INIT_NAME_INTERN  0x1
+#define KG_INIT_NAME_NO_COPY 0x2
+
+krb5_error_code
+kg_init_name(krb5_context context,
+             krb5_principal principal,
+             krb5_authdata_context ad_context,
+             krb5_flags flags,
+             krb5_gss_name_t *name);
+
+krb5_error_code
+kg_release_name(krb5_context context,
+                krb5_flags flags,
+                krb5_gss_name_t *name);
+
+krb5_error_code
+kg_duplicate_name(krb5_context context,
+                  const krb5_gss_name_t src,
+                  krb5_flags flags,
+                  krb5_gss_name_t *dst);
+
+krb5_boolean
+kg_compare_name(krb5_context context,
+                krb5_gss_name_t name1,
+                krb5_gss_name_t name2);
+
+OM_uint32
+krb5_gss_display_name_ext(OM_uint32 *minor_status,
+                          gss_name_t name,
+                          gss_OID display_as_name_type,
+                          gss_buffer_t display_name);
+
+OM_uint32
+krb5_gss_inquire_name(OM_uint32 *minor_status,
+                      gss_name_t name,
+                      int *name_is_MN,
+                      gss_OID *MN_mech,
+                      gss_buffer_set_t *attrs);
+
+OM_uint32
+krb5_gss_get_name_attribute(OM_uint32 *minor_status,
+                            gss_name_t name,
+                            gss_buffer_t attr,
+                            int *authenticated,
+                            int *complete,
+                            gss_buffer_t value,
+                            gss_buffer_t display_value,
+                            int *more);
+
+OM_uint32
+krb5_gss_set_name_attribute(OM_uint32 *minor_status,
+                            gss_name_t name,
+                            int complete,
+                            gss_buffer_t attr,
+                            gss_buffer_t value);
+
+OM_uint32
+krb5_gss_delete_name_attribute(OM_uint32 *minor_status,
+                               gss_name_t name,
+                               gss_buffer_t attr);
+
+OM_uint32
+krb5_gss_export_name_composite(OM_uint32 *minor_status,
+                               gss_name_t name,
+                               gss_buffer_t exp_composite_name);
+
+OM_uint32
+krb5_gss_map_name_to_any(OM_uint32 *minor_status,
+                         gss_name_t name,
+                         int authenticated,
+                         gss_buffer_t type_id,
+                         gss_any_t *output);
+
+OM_uint32
+krb5_gss_release_any_name_mapping(OM_uint32 *minor_status,
+                                  gss_name_t name,
+                                  gss_buffer_t type_id,
+                                  gss_any_t *input);
+
 /* s4u_gss_glue.c */
 OM_uint32
 kg_compose_deleg_cred(OM_uint32 *minor_status,
@@ -837,7 +921,6 @@
                       OM_uint32 *time_rec,
                       krb5_context context);
 
-
 /*
  * These take unglued krb5-mech-specific contexts.
  */

Modified: trunk/src/lib/gssapi/krb5/gssapi_krb5.c
===================================================================
--- trunk/src/lib/gssapi/krb5/gssapi_krb5.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/gssapi_krb5.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -681,6 +681,14 @@
     NULL,               /* complete_auth_token */
     krb5_gss_acquire_cred_impersonate_name,
     NULL,               /* krb5_gss_add_cred_impersonate_name */
+    NULL,               /* display_name_ext */
+    krb5_gss_inquire_name,
+    krb5_gss_get_name_attribute,
+    krb5_gss_set_name_attribute,
+    krb5_gss_delete_name_attribute,
+    krb5_gss_export_name_composite,
+    krb5_gss_map_name_to_any,
+    krb5_gss_release_any_name_mapping,
 };
 
 

Modified: trunk/src/lib/gssapi/krb5/import_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/import_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/import_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -45,6 +45,39 @@
  * GSS_S_FAILURE        if memory allocation fails
  */
 
+/*
+ * Import serialized authdata context
+ */
+static krb5_error_code
+import_name_composite(krb5_context context,
+                      unsigned char *enc_data, size_t enc_length,
+                      krb5_authdata_context *pad_context)
+{
+    krb5_authdata_context ad_context;
+    krb5_error_code code;
+    krb5_data data;
+
+    code = krb5_authdata_context_init(context, &ad_context);
+    if (code != 0)
+        return code;
+
+    data.data = (char *)enc_data;
+    data.length = enc_length;
+
+    code = krb5_authdata_import_attributes(context,
+                                           ad_context,
+                                           AD_USAGE_MASK,
+                                           &data);
+    if (code != 0) {
+        krb5_authdata_context_free(context, ad_context);
+        return code;
+    }
+
+    *pad_context = ad_context;
+
+    return 0;
+}
+
 OM_uint32
 krb5_gss_import_name(minor_status, input_name_buffer,
                      input_name_type, output_name)
@@ -54,13 +87,16 @@
     gss_name_t *output_name;
 {
     krb5_context context;
-    krb5_principal princ;
+    krb5_principal princ = NULL;
     krb5_error_code code;
-    char *stringrep, *tmp, *tmp2, *cp;
-    OM_uint32    length;
+    unsigned char *cp, *end;
+    char *tmp, *stringrep, *tmp2;
+    ssize_t    length;
 #ifndef NO_PASSWORD
     struct passwd *pw;
 #endif
+    int has_ad = 0;
+    krb5_authdata_context ad_context = NULL;
 
     code = krb5_gss_init_context(&context);
     if (code) {
@@ -81,7 +117,7 @@
         char *service, *host;
 
         if ((tmp =
-             (char *) xmalloc(input_name_buffer->length + 1)) == NULL) {
+             xmalloc(input_name_buffer->length + 1)) == NULL) {
             *minor_status = ENOMEM;
             krb5_free_context(context);
             return(GSS_S_FAILURE);
@@ -155,28 +191,49 @@
             goto do_getpwuid;
 #endif
         } else if (g_OID_equal(input_name_type, gss_nt_exported_name)) {
-            cp = tmp;
+#define BOUNDS_CHECK(cp, end, n) do { if ((end) - (cp) < (n)) goto fail_name; } while (0)
+            cp = (unsigned char *)tmp;
+            end = cp + input_name_buffer->length;
+
+            BOUNDS_CHECK(cp, end, 2);
             if (*cp++ != 0x04)
                 goto fail_name;
-            if (*cp++ != 0x01)
+            switch (*cp++) {
+            case 0x01:
+                break;
+            case 0x02:
+                has_ad++;
+                break;
+            default:
                 goto fail_name;
+            }
+
+            BOUNDS_CHECK(cp, end, 2);
             if (*cp++ != 0x00)
                 goto fail_name;
             length = *cp++;
-            if (length != gss_mech_krb5->length+2)
+            if (length != (ssize_t)gss_mech_krb5->length+2)
                 goto fail_name;
+
+            BOUNDS_CHECK(cp, end, 2);
             if (*cp++ != 0x06)
                 goto fail_name;
             length = *cp++;
-            if (length != gss_mech_krb5->length)
+            if (length != (ssize_t)gss_mech_krb5->length)
                 goto fail_name;
+
+            BOUNDS_CHECK(cp, end, length);
             if (memcmp(cp, gss_mech_krb5->elements, length) != 0)
                 goto fail_name;
             cp += length;
+
+            BOUNDS_CHECK(cp, end, 4);
             length = *cp++;
             length = (length << 8) | *cp++;
             length = (length << 8) | *cp++;
             length = (length << 8) | *cp++;
+
+            BOUNDS_CHECK(cp, end, length);
             tmp2 = malloc(length+1);
             if (tmp2 == NULL) {
                 xfree(tmp);
@@ -184,10 +241,27 @@
                 krb5_free_context(context);
                 return GSS_S_FAILURE;
             }
-            strncpy(tmp2, cp, length);
+            strncpy(tmp2, (char *)cp, length);
             tmp2[length] = 0;
+            stringrep = tmp2;
+            cp += length;
 
-            stringrep = tmp2;
+            if (has_ad) {
+                BOUNDS_CHECK(cp, end, 4);
+                length = *cp++;
+                length = (length << 8) | *cp++;
+                length = (length << 8) | *cp++;
+                length = (length << 8) | *cp++;
+
+                BOUNDS_CHECK(cp, end, length);
+                code = import_name_composite(context,
+                                             cp, length,
+                                             &ad_context);
+                if (code != 0)
+                    goto fail_name;
+                cp += length;
+            }
+            assert(cp == end);
         } else {
             xfree(tmp);
             krb5_free_context(context);
@@ -218,16 +292,21 @@
     if (code) {
         *minor_status = (OM_uint32) code;
         save_error_info(*minor_status, context);
+        krb5_authdata_context_free(context, ad_context);
         krb5_free_context(context);
         return(GSS_S_BAD_NAME);
     }
 
     /* save the name in the validation database */
-
-    if (! kg_save_name((gss_name_t) princ)) {
+    code = kg_init_name(context, princ, ad_context,
+                        KG_INIT_NAME_INTERN | KG_INIT_NAME_NO_COPY,
+                        (krb5_gss_name_t *)output_name);
+    if (code != 0) {
+        *minor_status = (OM_uint32) code;
+        save_error_info(*minor_status, context);
         krb5_free_principal(context, princ);
+        krb5_authdata_context_free(context, ad_context);
         krb5_free_context(context);
-        *minor_status = (OM_uint32) G_VALIDATE_FAILED;
         return(GSS_S_FAILURE);
     }
 
@@ -235,6 +314,5 @@
 
     /* return it */
 
-    *output_name = (gss_name_t) princ;
     return(GSS_S_COMPLETE);
 }

Modified: trunk/src/lib/gssapi/krb5/init_sec_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/init_sec_context.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/init_sec_context.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -122,7 +122,7 @@
                                        endtime, out_creds)
     krb5_context context;
     krb5_gss_cred_id_t cred;
-    krb5_principal server;
+    krb5_gss_name_t server;
     krb5_timestamp now;
     krb5_timestamp endtime;
     krb5_creds **out_creds;
@@ -137,6 +137,8 @@
     memset(&evidence_creds, 0, sizeof(krb5_creds));
     in_creds.client = in_creds.server = NULL;
 
+    assert(cred->name != NULL);
+
     if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
         goto cleanup;
 
@@ -146,7 +148,7 @@
      * we can just use the S4U2Self or evidence ticket directly).
      */
     if (cred->proxy_cred &&
-        !krb5_principal_compare(context, cc_princ, server)) {
+        !krb5_principal_compare(context, cc_princ, server->princ)) {
         krb5_creds mcreds;
 
         flags |= KRB5_GC_CANONICALIZE |
@@ -158,10 +160,11 @@
         mcreds.magic = KV5M_CREDS;
         mcreds.times.endtime = cred->tgt_expire;
         mcreds.server = cc_princ;
-        mcreds.client = cred->princ;
+        mcreds.client = cred->name->princ;
 
         code = krb5_cc_retrieve_cred(context, cred->ccache,
-                                     KRB5_TC_MATCH_TIMES, &mcreds,
+                                     KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
+                                     &mcreds,
                                      &evidence_creds);
         if (code)
             goto cleanup;
@@ -171,19 +174,34 @@
         in_creds.client = cc_princ;
         in_creds.second_ticket = evidence_creds.ticket;
     } else {
-        in_creds.client = cred->princ;
+        in_creds.client = cred->name->princ;
     }
 
-    in_creds.server = server;
+    in_creds.server = server->princ;
     in_creds.times.endtime = endtime;
+    in_creds.authdata = NULL;
+    in_creds.keyblock.enctype = 0;
 
+    /*
+     * cred->name is immutable, so there is no need to acquire
+     * cred->name->lock.
+     */
+    if (cred->name->ad_context != NULL) {
+        code = krb5_authdata_export_authdata(context,
+                                             cred->name->ad_context,
+                                             AD_USAGE_TGS_REQ,
+                                             &in_creds.authdata);
+        if (code != 0)
+            goto cleanup;
+    }
+
     code = krb5_get_credentials(context, flags, cred->ccache,
                                 &in_creds, out_creds);
     if (code)
         goto cleanup;
 
     if (flags & KRB5_GC_CONSTRAINED_DELEGATION) {
-        if (!krb5_principal_compare(context, cred->princ,
+        if (!krb5_principal_compare(context, cred->name->princ,
                                     (*out_creds)->client)) {
             /* server did not support constrained delegation */
             code = KRB5_KDCREP_MODIFIED;
@@ -203,8 +221,8 @@
     }
 
 cleanup:
-    if (cc_princ)
-        krb5_free_principal(context, cc_princ);
+    krb5_free_authdata(context, in_creds.authdata);
+    krb5_free_principal(context, cc_princ);
     krb5_free_cred_contents(context, &evidence_creds);
 
     return code;
@@ -242,8 +260,10 @@
         krb5_auth_con_setflags(context, auth_context,
                                con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
 
+        assert(data->cred->name != NULL);
+
         code = krb5_fwd_tgt_creds(context, auth_context, 0,
-                                  data->cred->princ, data->ctx->there,
+                                  data->cred->name->princ, data->ctx->there->princ,
                                   data->cred->ccache, 1,
                                   &credmsg);
 
@@ -318,11 +338,13 @@
 }
 
 static krb5_error_code
-make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
+make_ap_req_v1(context, ctx, cred, k_cred, ad_context,
+               chan_bindings, mech_type, token)
     krb5_context context;
     krb5_gss_ctx_id_rec *ctx;
     krb5_gss_cred_id_t cred;
     krb5_creds *k_cred;
+    krb5_authdata_context ad_context;
     gss_channel_bindings_t chan_bindings;
     gss_OID mech_type;
     gss_buffer_t token;
@@ -375,8 +397,10 @@
     if (ctx->gss_flags & GSS_C_MUTUAL_FLAG)
         mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_ETYPE_NEGOTIATION;
 
+    krb5_auth_con_set_authdata_context(context, ctx->auth_context, ad_context);
     code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags,
                                 checksum_data, k_cred, &ap_req);
+    krb5_auth_con_set_authdata_context(context, ctx->auth_context, NULL);
     krb5_free_data_contents(context, &cksum_struct.checksum_data);
     if (code)
         goto cleanup;
@@ -526,11 +550,10 @@
         ctx->krb_times.endtime = now + time_req;
     }
 
-    if ((code = krb5_copy_principal(context, cred->princ, &ctx->here)))
+    if ((code = kg_duplicate_name(context, cred->name, 0, &ctx->here)))
         goto fail;
 
-    if ((code = krb5_copy_principal(context, (krb5_principal) target_name,
-                                    &ctx->there)))
+    if ((code = kg_duplicate_name(context, (krb5_gss_name_t)target_name, 0, &ctx->there)))
         goto fail;
 
     code = get_credentials(context, cred, ctx->there, now,
@@ -566,7 +589,8 @@
         /* gsskrb5 v1 */
         krb5_int32 seq_temp;
         if ((code = make_ap_req_v1(context, ctx,
-                                   cred, k_cred, input_chan_bindings,
+                                   cred, k_cred, ctx->here->ad_context,
+                                   input_chan_bindings,
                                    mech_type, &token))) {
             if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
                 (code == KG_EMPTY_CCACHE))
@@ -640,9 +664,9 @@
         if (ctx_free->auth_context)
             krb5_auth_con_free(context, ctx_free->auth_context);
         if (ctx_free->here)
-            krb5_free_principal(context, ctx_free->here);
+            kg_release_name(context, 0, &ctx_free->here);
         if (ctx_free->there)
-            krb5_free_principal(context, ctx_free->there);
+            kg_release_name(context, 0, &ctx_free->there);
         if (ctx_free->subkey)
             krb5_free_keyblock(context, ctx_free->subkey);
         xfree(ctx_free);
@@ -709,8 +733,7 @@
         goto fail;
     }
 
-    if (! krb5_principal_compare(context, ctx->there,
-                                 (krb5_principal) target_name)) {
+    if (! kg_compare_name(context, ctx->there, (krb5_gss_name_t)target_name)) {
         (void)krb5_gss_delete_sec_context(minor_status,
                                           context_handle, NULL);
         code = 0;

Modified: trunk/src/lib/gssapi/krb5/inq_context.c
===================================================================
--- trunk/src/lib/gssapi/krb5/inq_context.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/inq_context.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -94,7 +94,7 @@
     krb5_context context;
     krb5_error_code code;
     krb5_gss_ctx_id_rec *ctx;
-    krb5_principal initiator, acceptor;
+    krb5_gss_name_t initiator, acceptor;
     krb5_timestamp now;
     krb5_deltat lifetime;
 
@@ -130,38 +130,28 @@
         lifetime = 0;
 
     if (initiator_name) {
-        if ((code = krb5_copy_principal(context,
-                                        ctx->initiate?ctx->here:ctx->there,
-                                        &initiator))) {
+        if ((code = kg_duplicate_name(context,
+                                      ctx->initiate?ctx->here:ctx->there,
+                                      KG_INIT_NAME_INTERN,
+                                      &initiator))) {
             *minor_status = code;
             save_error_info(*minor_status, context);
             return(GSS_S_FAILURE);
         }
-        if (! kg_save_name((gss_name_t) initiator)) {
-            krb5_free_principal(context, initiator);
-            *minor_status = (OM_uint32) G_VALIDATE_FAILED;
-            return(GSS_S_FAILURE);
-        }
     }
 
     if (acceptor_name) {
-        if ((code = krb5_copy_principal(context,
-                                        ctx->initiate?ctx->there:ctx->here,
-                                        &acceptor))) {
-            if (initiator) krb5_free_principal(context, initiator);
+        if ((code = kg_duplicate_name(context,
+                                      ctx->initiate?ctx->there:ctx->here,
+                                      KG_INIT_NAME_INTERN,
+                                      &acceptor))) {
+            if (initiator)
+                kg_release_name(context, KG_INIT_NAME_INTERN,
+                                &initiator);
             *minor_status = code;
             save_error_info(*minor_status, context);
             return(GSS_S_FAILURE);
         }
-        if (! kg_save_name((gss_name_t) acceptor)) {
-            krb5_free_principal(context, acceptor);
-            if (initiator) {
-                kg_delete_name((gss_name_t) initiator);
-                krb5_free_principal(context, initiator);
-            }
-            *minor_status = (OM_uint32) G_VALIDATE_FAILED;
-            return(GSS_S_FAILURE);
-        }
     }
 
     if (initiator_name)

Modified: trunk/src/lib/gssapi/krb5/inq_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/inq_cred.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/inq_cred.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -88,7 +88,7 @@
     krb5_error_code code;
     krb5_timestamp now;
     krb5_deltat lifetime;
-    krb5_principal ret_name;
+    krb5_gss_name_t ret_name;
     gss_OID_set mechs;
     OM_uint32 ret;
 
@@ -145,8 +145,9 @@
         lifetime = GSS_C_INDEFINITE;
 
     if (name) {
-        if (cred->princ &&
-            (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+        if (cred->name &&
+            (code = kg_duplicate_name(context, cred->name,
+                                      KG_INIT_NAME_INTERN, &ret_name))) {
             k5_mutex_unlock(&cred->lock);
             *minor_status = code;
             save_error_info(*minor_status, context);
@@ -168,24 +169,13 @@
                                                             &mechs)))) {
             k5_mutex_unlock(&cred->lock);
             if (ret_name)
-                krb5_free_principal(context, ret_name);
+                kg_release_name(context, KG_INIT_NAME_INTERN, &ret_name);
             /* *minor_status set above */
             goto fail;
         }
     }
 
     if (name) {
-        if (ret_name != NULL && ! kg_save_name((gss_name_t) ret_name)) {
-            k5_mutex_unlock(&cred->lock);
-            if (cred_handle == GSS_C_NO_CREDENTIAL)
-                krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
-            (void) generic_gss_release_oid_set(minor_status, &mechs);
-            krb5_free_principal(context, ret_name);
-            *minor_status = (OM_uint32) G_VALIDATE_FAILED;
-            krb5_free_context(context);
-            return(GSS_S_FAILURE);
-        }
         if (ret_name != NULL)
             *name = (gss_name_t) ret_name;
         else

Copied: trunk/src/lib/gssapi/krb5/naming_exts.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/krb5/naming_exts.c)

Modified: trunk/src/lib/gssapi/krb5/rel_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/rel_cred.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/rel_cred.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -71,8 +71,8 @@
         code3 = krb5_rc_close(context, cred->rcache);
     else
         code3 = 0;
-    if (cred->princ)
-        krb5_free_principal(context, cred->princ);
+    if (cred->name)
+        kg_release_name(context, 0, &cred->name);
 
     if (cred->req_enctypes)
         free(cred->req_enctypes);

Modified: trunk/src/lib/gssapi/krb5/rel_name.c
===================================================================
--- trunk/src/lib/gssapi/krb5/rel_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/rel_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -43,9 +43,8 @@
         return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
     }
 
-    (void)kg_delete_name(*input_name);
-
-    krb5_free_principal(context, (krb5_principal) *input_name);
+    kg_release_name(context, KG_INIT_NAME_INTERN,
+                    (krb5_gss_name_t *)input_name);
     krb5_free_context(context);
 
     *input_name = (gss_name_t) NULL;

Modified: trunk/src/lib/gssapi/krb5/s4u_gss_glue.c
===================================================================
--- trunk/src/lib/gssapi/krb5/s4u_gss_glue.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/s4u_gss_glue.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -109,7 +109,7 @@
 static OM_uint32
 kg_impersonate_name(OM_uint32 *minor_status,
                     const krb5_gss_cred_id_t impersonator_cred,
-                    const krb5_principal user,
+                    const krb5_gss_name_t user,
                     OM_uint32 time_req,
                     const gss_OID_set desired_mechs,
                     krb5_gss_cred_id_t *output_cred,
@@ -124,18 +124,39 @@
     memset(&in_creds, 0, sizeof(in_creds));
     memset(&out_creds, 0, sizeof(out_creds));
 
-    in_creds.client = user;
-    in_creds.server = impersonator_cred->princ;
+    in_creds.client = user->princ;
+    in_creds.server = impersonator_cred->name->princ;
 
     if (impersonator_cred->req_enctypes != NULL)
         in_creds.keyblock.enctype = impersonator_cred->req_enctypes[0];
 
+    code = k5_mutex_lock(&user->lock);
+    if (code != 0) {
+        *minor_status = code;
+        return GSS_S_FAILURE;
+    }
+
+    if (user->ad_context != NULL) {
+        code = krb5_authdata_export_authdata(context,
+                                             user->ad_context,
+                                             AD_USAGE_TGS_REQ,
+                                             &in_creds.authdata);
+        if (code != 0) {
+            k5_mutex_unlock(&user->lock);
+            *minor_status = code;
+            return GSS_S_FAILURE;
+        }
+    }
+
+    k5_mutex_unlock(&user->lock);
+
     code = krb5_get_credentials_for_user(context,
                                          KRB5_GC_CANONICALIZE | KRB5_GC_NO_STORE,
                                          impersonator_cred->ccache,
                                          &in_creds,
                                          NULL, &out_creds);
     if (code != 0) {
+        krb5_free_authdata(context, in_creds.authdata);
         *minor_status = code;
         return GSS_S_FAILURE;
     }
@@ -150,6 +171,7 @@
                                          time_rec,
                                          context);
 
+    krb5_free_authdata(context, in_creds.authdata);
     krb5_free_creds(context, out_creds);
 
     return major_status;
@@ -207,7 +229,7 @@
 
     major_status = kg_impersonate_name(minor_status,
                                        (krb5_gss_cred_id_t)impersonator_cred_handle,
-                                       (krb5_principal)desired_name,
+                                       (krb5_gss_name_t)desired_name,
                                        time_req,
                                        desired_mechs,
                                        &cred,
@@ -242,12 +264,14 @@
     k5_mutex_assert_locked(&impersonator_cred->lock);
 
     if (!kg_is_initiator_cred(impersonator_cred) ||
-        impersonator_cred->princ == NULL ||
+        impersonator_cred->name == NULL ||
         impersonator_cred->proxy_cred) {
         code = G_BAD_USAGE;
         goto cleanup;
     }
 
+    assert(impersonator_cred->name->princ != NULL);
+
     assert(subject_creds != NULL);
     assert(subject_creds->client != NULL);
 
@@ -277,7 +301,7 @@
 
     cred->tgt_expire = impersonator_cred->tgt_expire;
 
-    code = krb5_copy_principal(context, subject_creds->client, &cred->princ);
+    code = kg_init_name(context, subject_creds->client, NULL, 0, &cred->name);
     if (code != 0)
         goto cleanup;
 
@@ -286,8 +310,8 @@
         goto cleanup;
 
     code = krb5_cc_initialize(context, cred->ccache,
-                              cred->proxy_cred ? impersonator_cred->princ :
-                                    (krb5_principal)subject_creds->client);
+                              cred->proxy_cred ? impersonator_cred->name->princ :
+                                    subject_creds->client);
     if (code != 0)
         goto cleanup;
 
@@ -334,10 +358,8 @@
 
     if (GSS_ERROR(major_status) && cred != NULL) {
         k5_mutex_destroy(&cred->lock);
-        if (cred->ccache != NULL)
-            krb5_cc_destroy(context, cred->ccache);
-        if (cred->princ != NULL)
-            krb5_free_principal(context, cred->princ);
+        krb5_cc_destroy(context, cred->ccache);
+        kg_release_name(context, 0, &cred->name);
         xfree(cred);
     }
 

Modified: trunk/src/lib/gssapi/krb5/ser_sctx.c
===================================================================
--- trunk/src/lib/gssapi/krb5/ser_sctx.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/ser_sctx.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -292,13 +292,13 @@
         if (!kret && ctx->here)
             kret = krb5_size_opaque(kcontext,
                                     KV5M_PRINCIPAL,
-                                    (krb5_pointer) ctx->here,
+                                    (krb5_pointer) ctx->here->princ,
                                     &required);
 
         if (!kret && ctx->there)
             kret = krb5_size_opaque(kcontext,
                                     KV5M_PRINCIPAL,
-                                    (krb5_pointer) ctx->there,
+                                    (krb5_pointer) ctx->there->princ,
                                     &required);
 
         if (!kret && ctx->subkey)
@@ -352,7 +352,18 @@
                                         &required);
             }
         }
-        if (!kret)
+        if (!kret) {
+            krb5_gss_name_t initiator_name;
+
+            initiator_name = ctx->initiate ? ctx->here : ctx->there;
+
+            if (initiator_name) {
+                kret = krb5_size_opaque(kcontext,
+                                        KV5M_AUTHDATA_CONTEXT,
+                                        initiator_name->ad_context,
+                                        &required);
+            }
+        }
             *sizep += required;
     }
     return(kret);
@@ -437,13 +448,13 @@
             if (!kret && ctx->here)
                 kret = krb5_externalize_opaque(kcontext,
                                                KV5M_PRINCIPAL,
-                                               (krb5_pointer) ctx->here,
+                                               (krb5_pointer) ctx->here->princ,
                                                &bp, &remain);
 
             if (!kret && ctx->there)
                 kret = krb5_externalize_opaque(kcontext,
                                                KV5M_PRINCIPAL,
-                                               (krb5_pointer) ctx->there,
+                                               (krb5_pointer) ctx->there->princ,
                                                &bp, &remain);
 
             if (!kret && ctx->subkey)
@@ -517,6 +528,20 @@
                                                        &remain);
                 }
             }
+            /* authdata context */
+            if (!kret) {
+                krb5_gss_name_t initiator_name;
+
+                initiator_name = ctx->initiate ? ctx->here : ctx->there;
+
+                if (initiator_name) {
+                    kret = krb5_externalize_opaque(kcontext,
+                                                   KV5M_AUTHDATA_CONTEXT,
+                                                   initiator_name->ad_context,
+                                                   &bp,
+                                                   &remain);
+                }
+            }
             /* trailer */
             if (!kret)
                 kret = krb5_ser_pack_int32(KG_CONTEXT, &bp, &remain);
@@ -545,6 +570,7 @@
     krb5_octet          *bp;
     size_t              remain;
     krb5int_access kaccess;
+    krb5_principal        princ;
 
     kret = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
     if (kret)
@@ -553,6 +579,7 @@
     bp = *buffer;
     remain = *lenremain;
     kret = EINVAL;
+    princ = NULL;
     /* Read our magic number */
     if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
         ibuf = 0;
@@ -618,23 +645,32 @@
                     kret = 0;
             }
             /* Now get substructure data */
-            if ((kret = krb5_internalize_opaque(kcontext,
-                                                KV5M_PRINCIPAL,
-                                                (krb5_pointer *) &ctx->here,
-                                                &bp, &remain))) {
-                if (kret == EINVAL)
+            kret = krb5_internalize_opaque(kcontext,
+                                           KV5M_PRINCIPAL,
+                                            (krb5_pointer *) &princ,
+                                            &bp, &remain);
+            if (kret == 0) {
+                kret = kg_init_name(kcontext, princ, NULL,
+                                    KG_INIT_NAME_NO_COPY, &ctx->here);
+                if (kret)
+                    krb5_free_principal(kcontext, princ);
+            } else if (kret == EINVAL)
+                kret = 0;
+            if (!kret) {
+                kret = krb5_internalize_opaque(kcontext,
+                                               KV5M_PRINCIPAL,
+                                               (krb5_pointer *) &princ,
+                                               &bp, &remain);
+                if (kret == 0) {
+                    kret = kg_init_name(kcontext, princ, NULL,
+                                        KG_INIT_NAME_NO_COPY, &ctx->there);
+                    if (kret)
+                        krb5_free_principal(kcontext, princ);
+                } else if (kret == EINVAL)
                     kret = 0;
             }
             if (!kret &&
                 (kret = krb5_internalize_opaque(kcontext,
-                                                KV5M_PRINCIPAL,
-                                                (krb5_pointer *) &ctx->there,
-                                                &bp, &remain))) {
-                if (kret == EINVAL)
-                    kret = 0;
-            }
-            if (!kret &&
-                (kret = krb5_internalize_opaque(kcontext,
                                                 KV5M_KEYBLOCK,
                                                 (krb5_pointer *) &ctx->subkey,
                                                 &bp, &remain))) {
@@ -718,6 +754,21 @@
                     }
                 }
             }
+            /* authdata context */
+            if (!kret) {
+                krb5_gss_name_t initiator_name;
+
+                initiator_name = ctx->initiate ? ctx->here : ctx->there;
+                if (initiator_name == NULL) {
+                    kret = EINVAL;
+                } else {
+                    kret = krb5_internalize_opaque(kcontext,
+                                                   KV5M_AUTHDATA_CONTEXT,
+                                                   (krb5_pointer *)&initiator_name->ad_context,
+                                                   &bp,
+                                                   &remain);
+                }
+            }
             /* Get trailer */
             if (!kret)
                 kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
@@ -736,9 +787,9 @@
                 if (ctx->subkey)
                     krb5_free_keyblock(kcontext, ctx->subkey);
                 if (ctx->there)
-                    krb5_free_principal(kcontext, ctx->there);
+                    kg_release_name(kcontext, 0, &ctx->there);
                 if (ctx->here)
-                    krb5_free_principal(kcontext, ctx->here);
+                    kg_release_name(kcontext, 0, &ctx->here);
                 xfree(ctx);
             }
         }

Modified: trunk/src/lib/gssapi/krb5/val_cred.c
===================================================================
--- trunk/src/lib/gssapi/krb5/val_cred.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/krb5/val_cred.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -59,7 +59,7 @@
             return(GSS_S_DEFECTIVE_CREDENTIAL);
         }
         if (!cred->proxy_cred &&
-            !krb5_principal_compare(context, princ, cred->princ)) {
+            !krb5_principal_compare(context, princ, cred->name->princ)) {
             k5_mutex_unlock(&cred->lock);
             *minor_status = KG_CCACHE_NOMATCH;
             return(GSS_S_DEFECTIVE_CREDENTIAL);

Modified: trunk/src/lib/gssapi/libgssapi_krb5.exports
===================================================================
--- trunk/src/lib/gssapi/libgssapi_krb5.exports	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/libgssapi_krb5.exports	2009-10-09 18:29:34 UTC (rev 22875)
@@ -20,13 +20,17 @@
 gss_context_time
 gss_create_empty_buffer_set
 gss_create_empty_oid_set
+gss_delete_name_attribute
 gss_delete_sec_context
 gss_display_name
+gss_display_name_ext
 gss_display_status
 gss_duplicate_name
 gss_export_name
+gss_export_name_composite
 gss_export_sec_context
 gss_get_mic
+gss_get_name_attribute
 gss_import_name
 gss_import_sec_context
 gss_indicate_mechs
@@ -49,6 +53,7 @@
 gss_krb5int_unseal_token_v3
 gsskrb5_extract_authtime_from_sec_context
 gsskrb5_extract_authz_data_from_sec_context
+gss_map_name_to_any
 gss_mech_krb5
 gss_mech_krb5_old
 gss_mech_set_krb5
@@ -64,6 +69,7 @@
 gss_nt_user_name
 gss_oid_to_str
 gss_process_context_token
+gss_release_any_name_mapping
 gss_release_buffer_set
 gss_release_buffer
 gss_release_cred
@@ -72,6 +78,7 @@
 gss_release_oid
 gss_release_oid_set
 gss_seal
+gss_set_name_attribute
 gss_set_sec_context_option
 gss_sign
 gss_str_to_oid
@@ -92,3 +99,4 @@
 krb5_gss_dbg_client_expcreds
 krb5_gss_register_acceptor_identity
 krb5_gss_use_kdc_context
+gss_inquire_name

Modified: trunk/src/lib/gssapi/mechglue/Makefile.in
===================================================================
--- trunk/src/lib/gssapi/mechglue/Makefile.in	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/Makefile.in	2009-10-09 18:29:34 UTC (rev 22875)
@@ -21,11 +21,15 @@
 	$(srcdir)/g_complete_auth_token.c \
 	$(srcdir)/g_context_time.c \
 	$(srcdir)/g_delete_sec_context.c \
+	$(srcdir)/g_del_name_attr.c \
 	$(srcdir)/g_dsp_name.c \
+	$(srcdir)/g_dsp_name_ext.c \
 	$(srcdir)/g_dsp_status.c \
 	$(srcdir)/g_dup_name.c \
 	$(srcdir)/g_exp_sec_context.c \
 	$(srcdir)/g_export_name.c \
+	$(srcdir)/g_export_name_comp.c \
+	$(srcdir)/g_get_name_attr.c \
 	$(srcdir)/g_glue.c \
 	$(srcdir)/g_imp_name.c \
 	$(srcdir)/g_imp_sec_context.c \
@@ -35,7 +39,9 @@
 	$(srcdir)/g_inq_context_oid.c \
 	$(srcdir)/g_inq_cred.c \
 	$(srcdir)/g_inq_cred_oid.c \
+	$(srcdir)/g_inq_name.c \
 	$(srcdir)/g_inq_names.c \
+	$(srcdir)/g_map_name_to_any.c \
 	$(srcdir)/g_mech_invoke.c \
 	$(srcdir)/g_mechname.c \
 	$(srcdir)/g_oid_ops.c \
@@ -43,10 +49,12 @@
 	$(srcdir)/g_rel_buffer.c \
 	$(srcdir)/g_rel_cred.c \
 	$(srcdir)/g_rel_name.c \
+	$(srcdir)/g_rel_name_mapping.c \
 	$(srcdir)/g_rel_oid_set.c \
 	$(srcdir)/g_seal.c \
 	$(srcdir)/g_set_context_option.c \
 	$(srcdir)/g_set_cred_option.c \
+	$(srcdir)/g_set_name_attr.c \
 	$(srcdir)/g_sign.c \
 	$(srcdir)/g_store_cred.c \
 	$(srcdir)/g_unseal.c \
@@ -66,11 +74,15 @@
 	$(OUTPRE)g_complete_auth_token.$(OBJEXT) \
 	$(OUTPRE)g_context_time.$(OBJEXT) \
 	$(OUTPRE)g_delete_sec_context.$(OBJEXT) \
+	$(OUTPRE)g_del_name_attr.$(OBJEXT) \
 	$(OUTPRE)g_dsp_name.$(OBJEXT) \
+	$(OUTPRE)g_dsp_name_ext.$(OBJEXT) \
 	$(OUTPRE)g_dsp_status.$(OBJEXT) \
 	$(OUTPRE)g_dup_name.$(OBJEXT) \
 	$(OUTPRE)g_exp_sec_context.$(OBJEXT) \
 	$(OUTPRE)g_export_name.$(OBJEXT) \
+	$(OUTPRE)g_export_name_comp.$(OBJEXT) \
+	$(OUTPRE)g_get_name_attr.$(OBJEXT) \
 	$(OUTPRE)g_glue.$(OBJEXT) \
 	$(OUTPRE)g_imp_name.$(OBJEXT) \
 	$(OUTPRE)g_imp_sec_context.$(OBJEXT) \
@@ -80,7 +92,9 @@
 	$(OUTPRE)g_inq_context_oid.$(OBJEXT) \
 	$(OUTPRE)g_inq_cred.$(OBJEXT) \
 	$(OUTPRE)g_inq_cred_oid.$(OBJEXT) \
+	$(OUTPRE)g_inq_name.$(OBJEXT) \
 	$(OUTPRE)g_inq_names.$(OBJEXT) \
+	$(OUTPRE)g_map_name_to_any.$(OBJEXT) \
 	$(OUTPRE)g_mech_invoke.$(OBJEXT) \
 	$(OUTPRE)g_mechname.$(OBJEXT) \
 	$(OUTPRE)g_oid_ops.$(OBJEXT) \
@@ -88,10 +102,12 @@
 	$(OUTPRE)g_rel_buffer.$(OBJEXT) \
 	$(OUTPRE)g_rel_cred.$(OBJEXT) \
 	$(OUTPRE)g_rel_name.$(OBJEXT) \
+	$(OUTPRE)g_rel_name_mapping.$(OBJEXT) \
 	$(OUTPRE)g_rel_oid_set.$(OBJEXT) \
 	$(OUTPRE)g_seal.$(OBJEXT) \
 	$(OUTPRE)g_set_context_option.$(OBJEXT) \
 	$(OUTPRE)g_set_cred_option.$(OBJEXT) \
+	$(OUTPRE)g_set_name_attr.$(OBJEXT) \
 	$(OUTPRE)g_sign.$(OBJEXT) \
 	$(OUTPRE)g_store_cred.$(OBJEXT) \
 	$(OUTPRE)g_unseal.$(OBJEXT) \
@@ -111,11 +127,15 @@
 	g_complete_auth_token.o \
 	g_context_time.o \
 	g_delete_sec_context.o \
+	g_del_name_attr.o \
 	g_dsp_name.o \
+	g_dsp_name_ext.o \
 	g_dsp_status.o \
 	g_dup_name.o \
 	g_exp_sec_context.o \
 	g_export_name.o \
+	g_export_name_comp.o \
+	g_get_name_attr.o \
 	g_glue.o \
 	g_imp_name.o \
 	g_imp_sec_context.o \
@@ -125,7 +145,9 @@
 	g_inq_context_oid.o \
 	g_inq_cred.o \
 	g_inq_cred_oid.o \
+	g_inq_name.o \
 	g_inq_names.o \
+	g_map_name_to_any.o \
 	g_mech_invoke.o \
 	g_mechname.o \
 	g_oid_ops.o \
@@ -133,10 +155,12 @@
 	g_rel_buffer.o \
 	g_rel_cred.o \
 	g_rel_name.o \
+	g_rel_name_mapping.o \
 	g_rel_oid_set.o \
 	g_seal.o \
 	g_set_context_option.o \
 	g_set_cred_option.o \
+	g_set_name_attr.o \
 	g_sign.o \
 	g_store_cred.o \
 	g_unseal.o \

Copied: trunk/src/lib/gssapi/mechglue/g_del_name_attr.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_del_name_attr.c)

Modified: trunk/src/lib/gssapi/mechglue/g_dsp_name.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_dsp_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_dsp_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1,8 +1,7 @@
 /* #pragma ident	"@(#)g_dsp_name.c	1.13	04/02/23 SMI" */
-
 /*
  * Copyright 1996 by Sun Microsystems, Inc.
- * 
+ *
  * Permission to use, copy, modify, distribute, and sell this software
  * and its documentation for any purpose is hereby granted without fee,
  * provided that the above copyright notice appears in all copies and
@@ -12,7 +11,7 @@
  * without specific, written prior permission. Sun Microsystems makes no
  * representations about the suitability of this software for any
  * purpose.  It is provided "as is" without express or implied warranty.
- * 
+ *
  * SUN MICROSYSTEMS DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
  * EVENT SHALL SUN MICROSYSTEMS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -102,7 +101,7 @@
 					    output_name_buffer,
 					    output_name_type));
     }
-    
+
     /*
      * copy the value of the external_name component of the union
      * name into the output_name_buffer and point the output_name_type

Copied: trunk/src/lib/gssapi/mechglue/g_dsp_name_ext.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_dsp_name_ext.c)

Copied: trunk/src/lib/gssapi/mechglue/g_export_name_comp.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_export_name_comp.c)

Copied: trunk/src/lib/gssapi/mechglue/g_get_name_attr.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_get_name_attr.c)

Modified: trunk/src/lib/gssapi/mechglue/g_glue.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_glue.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_glue.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -288,8 +288,47 @@
  *  Internal routines to get and release an internal mechanism name
  */
 
-#include "mglueP.h"
+#if 0
+static OM_uint32
+import_internal_name_composite(OM_uint32 *minor_status,
+			       gss_mechanism mech,
+			       gss_union_name_t union_name,
+			       gss_name_t *internal_name)
+{
+    OM_uint32		status, tmp;
+    gss_mechanism	name_mech;
+    gss_buffer_desc	composite_name;
 
+    if (mech->gss_import_name == NULL)
+	return (GSS_S_UNAVAILABLE);
+
+    name_mech = gssint_get_mechanism(union_name->mech_type);
+    if (name_mech == NULL)
+	return (GSS_S_BAD_MECH);
+
+    if (name_mech->gss_export_name_composite == NULL)
+	return (GSS_S_UNAVAILABLE);
+
+    composite_name.length = 0;
+    composite_name.value = NULL;
+
+    status = (*name_mech->gss_export_name_composite)(minor_status,
+						     union_name->mech_name,
+						     &composite_name);
+    if (GSS_ERROR(status))
+	return (status);
+
+    status = (*mech->gss_import_name)(minor_status,
+				      &composite_name,
+				      gss_nt_exported_name,
+				      internal_name);
+
+    gss_release_buffer(&tmp, &composite_name);
+
+    return (status);
+}
+#endif
+
 OM_uint32 gssint_import_internal_name (minor_status, mech_type, union_name, 
 				internal_name)
 OM_uint32	*minor_status;
@@ -301,22 +340,32 @@
     gss_mechanism	mech;
 
     mech = gssint_get_mechanism (mech_type);
-    if (mech) {
-	if (mech->gss_import_name) {
-	    status = mech->gss_import_name (
-					    minor_status,
-					    union_name->external_name,
-					    union_name->name_type,
-					    internal_name);
-	    if (status != GSS_S_COMPLETE)
-		map_error(minor_status, mech);
-	} else
-	    status = GSS_S_UNAVAILABLE;
+    if (mech == NULL)
+	return (GSS_S_BAD_MECH);
 
-	return (status);
+#if 0
+    /* Try composite name, it will preserve any extended attributes */
+    if (union_name->mech_type && union_name->mech_name) {
+	status = import_internal_name_composite(minor_status,
+						mech,
+						union_name,
+						internal_name);
+	if (status == GSS_S_COMPLETE)
+	    return (GSS_S_COMPLETE);
     }
+#endif
 
-    return (GSS_S_BAD_MECH);
+    if (mech->gss_import_name == NULL)
+	return (GSS_S_UNAVAILABLE);
+
+    status = mech->gss_import_name(minor_status,
+				   union_name->external_name,
+				   union_name->name_type,
+				   internal_name);
+    if (status != GSS_S_COMPLETE)
+	map_error(minor_status, mech);
+
+    return (status);
 }
 
 OM_uint32 gssint_export_internal_name(minor_status, mech_type,

Modified: trunk/src/lib/gssapi/mechglue/g_imp_name.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_imp_name.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_imp_name.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -176,7 +176,6 @@
 /*
  * GSS export name constants
  */
-static const char *expNameTokId = "\x04\x01";
 static const unsigned int expNameTokIdLen = 2;
 static const unsigned int mechOidLenLen = 2;
 static const unsigned int nameTypeLenLen = 2;
@@ -201,8 +200,10 @@
 	return (GSS_S_DEFECTIVE_TOKEN);
 
     buf = (unsigned char *)expName.value;
-    if (memcmp(expNameTokId, buf, expNameTokIdLen) != 0)
+    if (buf[0] != 0x04)
 	return (GSS_S_DEFECTIVE_TOKEN);
+    if (buf[1] != 0x01 && buf[1] != 0x02)
+	return (GSS_S_DEFECTIVE_TOKEN);
 
     buf += expNameTokIdLen;
 

Modified: trunk/src/lib/gssapi/mechglue/g_initialize.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_initialize.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_initialize.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -761,9 +761,18 @@
 	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_unwrap_iov);
 	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_wrap_iov_length);
 	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_complete_auth_token);
-	/* New for 1.8 */
+	/* Services4User (introduced in 1.8) */
 	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_acquire_cred_impersonate_name);
 	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_add_cred_impersonate_name);
+	/* Naming extensions (introduced in 1.8) */
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_display_name_ext);
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_inquire_name);
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_get_name_attribute);
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_set_name_attribute);
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_delete_name_attribute);
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_export_name_composite);
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_map_name_to_any);
+	GSS_ADD_DYNAMIC_METHOD(dl, mech, gss_release_any_name_mapping);
 
 	assert(mech_type != GSS_C_NO_OID);
 

Modified: trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -62,11 +62,11 @@
 	    if (status != GSS_S_COMPLETE)
 		map_error(minor_status, mech);
 	} else
-	    status = GSS_S_BAD_MECH;
+	    status = GSS_S_UNAVAILABLE;
 
 	return status;
     }
 
-    return GSS_S_NO_CONTEXT;
+    return GSS_S_BAD_MECH;
 }
 

Modified: trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -93,15 +93,19 @@
 	return status;
     }
 
-    status = GSS_S_BAD_MECH;
+    status = GSS_S_UNAVAILABLE;
 
     for (i = 0; i < union_cred->count; i++) {
 	mech = gssint_get_mechanism(&union_cred->mechs_array[i]);
-	if (mech == NULL)
-	    continue;
+	if (mech == NULL) {
+	    status = GSS_S_BAD_MECH;
+	    break;
+	}
 
-	if (mech->gss_inquire_cred_by_oid == NULL)
+	if (mech->gss_inquire_cred_by_oid == NULL) {
+	    status = GSS_S_UNAVAILABLE;
 	    continue;
+	}
 
 	status = (mech->gss_inquire_cred_by_oid)(minor_status,
 						 union_cred->cred_array[i],

Copied: trunk/src/lib/gssapi/mechglue/g_inq_name.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_inq_name.c)

Copied: trunk/src/lib/gssapi/mechglue/g_map_name_to_any.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_map_name_to_any.c)

Copied: trunk/src/lib/gssapi/mechglue/g_rel_name_mapping.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_rel_name_mapping.c)

Modified: trunk/src/lib/gssapi/mechglue/g_set_context_option.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_set_context_option.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_set_context_option.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -65,9 +65,10 @@
 	mech = gssint_get_mechanism (ctx->mech_type);
     }
 
-    if (mech == NULL || mech->gss_set_sec_context_option == NULL) {
+    if (mech == NULL)
 	return GSS_S_BAD_MECH;
-    }
+    if (mech->gss_set_sec_context_option == NULL)
+	return GSS_S_UNAVAILABLE;
 
     status = mech->gss_set_sec_context_option(minor_status,
 					      ctx ? &ctx->internal_ctx_id :

Modified: trunk/src/lib/gssapi/mechglue/g_set_cred_option.c
===================================================================
--- trunk/src/lib/gssapi/mechglue/g_set_cred_option.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/g_set_cred_option.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -56,15 +56,19 @@
 
     union_cred = (gss_union_cred_t) cred_handle;
 
-    status = GSS_S_BAD_MECH;
+    status = GSS_S_UNAVAILABLE;
 
     for (i = 0; i < union_cred->count; i++) {
 	mech = gssint_get_mechanism(&union_cred->mechs_array[i]);
-	if (mech == NULL)
-	    continue;
+	if (mech == NULL) {
+	    status = GSS_S_BAD_MECH;
+	    break;
+	}
 
-	if (mech->gssspi_set_cred_option == NULL)
+	if (mech->gssspi_set_cred_option == NULL) {
+	    status = GSS_S_UNAVAILABLE;
 	    continue;
+	}
 
 	status = (mech->gssspi_set_cred_option)(minor_status,
 						union_cred->cred_array[i],

Copied: trunk/src/lib/gssapi/mechglue/g_set_name_attr.c (from rev 22872, users/lhoward/authdata/src/lib/gssapi/mechglue/g_set_name_attr.c)

Modified: trunk/src/lib/gssapi/mechglue/mglueP.h
===================================================================
--- trunk/src/lib/gssapi/mechglue/mglueP.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/mechglue/mglueP.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -504,6 +504,75 @@
 	    OM_uint32 *			/* acceptor_time_rec */
 	/* */);
 
+	OM_uint32	(*gss_display_name_ext)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    gss_OID,			/* display_as_name_type */
+	    gss_buffer_t		/* display_name */
+	/* */);
+
+	OM_uint32	(*gss_inquire_name)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    int *,			/* name_is_MN */
+	    gss_OID *,			/* MN_mech */
+	    gss_buffer_set_t *		/* attrs */
+	/* */);
+
+	OM_uint32	(*gss_get_name_attribute)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    gss_buffer_t,		/* attr */
+	    int *,			/* authenticated */
+	    int *,			/* complete */
+	    gss_buffer_t,		/* value */
+	    gss_buffer_t,		/* display_value */
+	    int *			/* more */
+	/* */);
+
+	OM_uint32	(*gss_set_name_attribute)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    int,			/* complete */
+	    gss_buffer_t,		/* attr */
+	    gss_buffer_t		/* value */
+	/* */);
+
+	OM_uint32	(*gss_delete_name_attribute)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    gss_buffer_t		/* attr */
+	/* */);
+
+	OM_uint32	(*gss_export_name_composite)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    gss_buffer_t		/* exp_composite_name */
+	/* */);
+
+	OM_uint32	(*gss_map_name_to_any)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    int,			/* authenticated */
+	    gss_buffer_t,		/* type_id */
+	    gss_any_t *			/* output */
+	/* */);
+
+	OM_uint32	(*gss_release_any_name_mapping)
+	(
+	    OM_uint32 *,		/* minor_status */
+	    gss_name_t,			/* name */
+	    gss_buffer_t,		/* type_id */
+	    gss_any_t *			/* input */
+	/* */);
+
 } *gss_mechanism;
 
 /* This structure MUST NOT be used by any code outside libgss */

Modified: trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
===================================================================
--- trunk/src/lib/gssapi/spnego/gssapiP_spnego.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/spnego/gssapiP_spnego.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -442,6 +442,83 @@
     gss_OID_set *,	    /* actual_mechs */
     OM_uint32 *);	    /* time_rec */
 
+OM_uint32
+spnego_gss_display_name_ext
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	gss_OID display_as_name_type,
+	gss_buffer_t display_name
+);
+
+OM_uint32
+spnego_gss_inquire_name
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	int *name_is_MN,
+	gss_OID *MN_mech,
+	gss_buffer_set_t *attrs
+);
+
+OM_uint32
+spnego_gss_get_name_attribute
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	gss_buffer_t attr,
+	int *authenticated,
+	int *complete,
+	gss_buffer_t value,
+	gss_buffer_t display_value,
+	int *more
+);
+
+OM_uint32
+spnego_gss_set_name_attribute
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	int complete,
+	gss_buffer_t attr,
+	gss_buffer_t value
+);
+
+OM_uint32
+spnego_gss_delete_name_attribute
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	gss_buffer_t attr
+);
+
+OM_uint32
+spnego_gss_export_name_composite
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	gss_buffer_t exp_composite_name
+);
+
+OM_uint32
+spnego_gss_map_name_to_any
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	int authenticated,
+	gss_buffer_t type_id,
+	gss_any_t *output
+);
+
+OM_uint32
+spnego_gss_release_any_name_mapping
+(
+	OM_uint32 *minor_status,
+	gss_name_t name,
+	gss_buffer_t type_id,
+	gss_any_t *input
+);
+
 #ifdef	__cplusplus
 }
 #endif

Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- trunk/src/lib/gssapi/spnego/spnego_mech.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/gssapi/spnego/spnego_mech.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -260,6 +260,14 @@
 	spnego_gss_complete_auth_token,
 	spnego_gss_acquire_cred_impersonate_name,
 	NULL,				/* gss_add_cred_impersonate_name */
+	spnego_gss_display_name_ext,
+	spnego_gss_inquire_name,
+	spnego_gss_get_name_attribute,
+	spnego_gss_set_name_attribute,
+	spnego_gss_delete_name_attribute,
+	spnego_gss_export_name_composite,
+	spnego_gss_map_name_to_any,
+	spnego_gss_release_any_name_mapping,
 };
 
 #ifdef _GSS_STATIC_LINK
@@ -2354,6 +2362,129 @@
 	return (status);
 }
 
+OM_uint32
+spnego_gss_display_name_ext(OM_uint32 *minor_status,
+			    gss_name_t name,
+			    gss_OID display_as_name_type,
+			    gss_buffer_t display_name)
+{
+	OM_uint32 ret;
+	ret = gss_display_name_ext(minor_status,
+				   name,
+				   display_as_name_type,
+				   display_name);
+	return (ret);
+}
+
+
+OM_uint32
+spnego_gss_inquire_name(OM_uint32 *minor_status,
+			gss_name_t name,
+			int *name_is_MN,
+			gss_OID *MN_mech,
+			gss_buffer_set_t *attrs)
+{
+	OM_uint32 ret;
+	ret = gss_inquire_name(minor_status,
+			       name,
+			       name_is_MN,
+			       MN_mech,
+			       attrs);
+	return (ret);
+}
+
+OM_uint32
+spnego_gss_get_name_attribute(OM_uint32 *minor_status,
+			      gss_name_t name,
+			      gss_buffer_t attr,
+			      int *authenticated,
+			      int *complete,
+			      gss_buffer_t value,
+			      gss_buffer_t display_value,
+			      int *more)
+{
+	OM_uint32 ret;
+	ret = gss_get_name_attribute(minor_status,
+				     name,
+				     attr,
+				     authenticated,
+				     complete,
+				     value,
+				     display_value,
+				     more);
+	return (ret);
+}
+
+OM_uint32
+spnego_gss_set_name_attribute(OM_uint32 *minor_status,
+			      gss_name_t name,
+			      int complete,
+			      gss_buffer_t attr,
+			      gss_buffer_t value)
+{
+	OM_uint32 ret;
+	ret = gss_set_name_attribute(minor_status,
+				     name,
+				     complete,
+				     attr,
+				     value);
+	return (ret);
+}
+
+OM_uint32
+spnego_gss_delete_name_attribute(OM_uint32 *minor_status,
+				 gss_name_t name,
+				 gss_buffer_t attr)
+{
+	OM_uint32 ret;
+	ret = gss_delete_name_attribute(minor_status,
+					name,
+					attr);
+	return (ret);
+}
+
+OM_uint32
+spnego_gss_export_name_composite(OM_uint32 *minor_status,
+				 gss_name_t name,
+				 gss_buffer_t exp_composite_name)
+{
+	OM_uint32 ret;
+	ret = gss_export_name_composite(minor_status,
+					name,
+					exp_composite_name);
+	return (ret);
+}
+
+OM_uint32
+spnego_gss_map_name_to_any(OM_uint32 *minor_status,
+			   gss_name_t name,
+			   int authenticated,
+			   gss_buffer_t type_id,
+			   gss_any_t *output)
+{
+	OM_uint32 ret;
+	ret = gss_map_name_to_any(minor_status,
+				  name,
+				  authenticated,
+				  type_id,
+				  output);
+	return (ret);
+}
+
+OM_uint32
+spnego_gss_release_any_name_mapping(OM_uint32 *minor_status,
+				    gss_name_t name,
+				    gss_buffer_t type_id,
+				    gss_any_t *input)
+{
+	OM_uint32 ret;
+	ret = gss_release_any_name_mapping(minor_status,
+					   name,
+					   type_id,
+					   input);
+	return (ret);
+}
+
 /*
  * We will release everything but the ctx_handle so that it
  * can be passed back to init/accept context. This routine should

Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1720,7 +1720,31 @@
     decode_ptr( krb5_fast_finished *, asn1_decode_fast_finished);
 }
 
-  
+asn1_error_code asn1_decode_ad_kdcissued
+(asn1buf *buf, krb5_ad_kdcissued *val)
+{
+    setup();
+    val->ad_checksum.contents = NULL;
+    val->i_principal = NULL;
+    val->elements = NULL;
+    {begin_structure();
+    get_field(val->ad_checksum, 0, asn1_decode_checksum);
+    if (tagnum == 1) {
+        alloc_principal(val->i_principal);
+        opt_field(val->i_principal, 1, asn1_decode_realm, 0);
+        opt_field(val->i_principal, 2, asn1_decode_principal_name, 0);
+    }
+    get_field(val->elements, 3, asn1_decode_authorization_data);
+    end_structure();
+    }
+    return 0;
+error_out:
+    krb5_free_checksum_contents(NULL, &val->ad_checksum);
+    krb5_free_principal(NULL, val->i_principal);
+    krb5_free_authdata(NULL, val->elements);
+    return retval;
+}
+
 #ifndef DISABLE_PKINIT
 /* PKINIT */
 

Modified: trunk/src/lib/krb5/asn.1/asn1_k_decode.h
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_decode.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/asn1_k_decode.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -282,4 +282,10 @@
 asn1_error_code asn1_decode_fast_finished_ptr
 (asn1buf *buf, krb5_fast_finished **val);
 
+asn1_error_code asn1_decode_ad_kdcissued
+(asn1buf *buf, krb5_ad_kdcissued *val);
+
+asn1_error_code asn1_decode_ad_kdcissued_ptr
+(asn1buf *buf, krb5_ad_kdcissued **val);
+
 #endif

Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_encode.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1290,9 +1290,26 @@
 DEFFIELDTYPE(pa_fx_fast_reply, krb5_enc_data,
              FIELDOF_ENCODEAS(krb5_enc_data, fast_rep, 0));
 
+static const struct field_info ad_kdcissued_fields[] = {
+    FIELDOF_NORM(krb5_ad_kdcissued, checksum, ad_checksum, 0),
+    FIELDOF_OPT(krb5_ad_kdcissued, realm_of_principal, i_principal, 1, 1),
+    FIELDOF_OPT(krb5_ad_kdcissued, principal, i_principal, 2, 1),
+    FIELDOF_NORM(krb5_ad_kdcissued, auth_data_ptr, elements, 3),
+};
 
+static unsigned int ad_kdcissued_optional(const void *p)
+{
+    unsigned int optional = 0;
+    const krb5_ad_kdcissued *val = p;
+    if (val->i_principal)
+        optional |= (1u << 1);
+    return optional;
+}
 
+DEFSEQTYPE(ad_kdc_issued, krb5_ad_kdcissued, ad_kdcissued_fields, ad_kdcissued_optional);
 
+
+
 /* Exported complete encoders -- these produce a krb5_data with
    the encoding in the correct byte order.  */
 
@@ -1366,11 +1383,11 @@
 MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply);
 MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response);
 
+MAKE_FULL_ENCODER(encode_krb5_ad_kdcissued, ad_kdc_issued);
 
 
 
 
-
 /*
  * PKINIT
  */

Modified: trunk/src/lib/krb5/asn.1/krb5_decode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/krb5_decode.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/asn.1/krb5_decode.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1180,6 +1180,17 @@
     cleanup(free);
 }
 
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *code, krb5_ad_kdcissued **repptr)
+{
+    setup_buf_only(krb5_ad_kdcissued *);
+    alloc_field(rep);
+
+    retval = asn1_decode_ad_kdcissued(&buf, rep);
+    if (retval) clean_return(retval);
+
+    cleanup(free);
+}
   
 #ifndef DISABLE_PKINIT
 krb5_error_code

Modified: trunk/src/lib/krb5/ccache/cc_file.c
===================================================================
--- trunk/src/lib/krb5/ccache/cc_file.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/ccache/cc_file.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -859,14 +859,14 @@
 {
     krb5_error_code kret;
     krb5_int32 int32;
-    krb5_ui_2 ui2;
+    krb5_int16 ui2; /* negative authorization data types are allowed */
     
     k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
 
     a->magic = KV5M_AUTHDATA;
     a->contents = NULL;
 
-    kret = krb5_fcc_read_ui_2(context, id, &ui2);
+    kret = krb5_fcc_read_ui_2(context, id, (krb5_ui_2 *)&ui2);
     CHECK(kret);
     a->ad_type = (krb5_authdatatype)ui2;
     kret = krb5_fcc_read_int32(context, id, &int32);

Modified: trunk/src/lib/krb5/ccache/ccfns.c
===================================================================
--- trunk/src/lib/krb5/ccache/ccfns.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/ccache/ccfns.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -70,7 +70,7 @@
     krb5_principal s1, s2;
 
     /* remove any dups */
-    krb5_cc_remove_cred(context, cache, 0, creds);
+    krb5_cc_remove_cred(context, cache, KRB5_TC_MATCH_AUTHDATA, creds);
 
     ret = cache->ops->store(context, cache, creds);
     if (ret) return ret;
@@ -87,7 +87,7 @@
     if (!krb5_principal_compare(context, s1, s2)) {
         creds->server = s2;
         /* remove any dups */
-        krb5_cc_remove_cred(context, cache, 0, creds);
+        krb5_cc_remove_cred(context, cache, KRB5_TC_MATCH_AUTHDATA, creds);
         ret = cache->ops->store(context, cache, creds);
         creds->server = s1;
     }

Modified: trunk/src/lib/krb5/error_tables/kv5m_err.et
===================================================================
--- trunk/src/lib/krb5/error_tables/kv5m_err.et	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/error_tables/kv5m_err.et	2009-10-09 18:29:34 UTC (rev 22875)
@@ -89,4 +89,5 @@
 error_code KV5M_FAST_ARMORED_REQ, "Bad magic number for fast armored request"
 error_code KV5M_FAST_REQ, "Bad magic number for FAST request"
 error_code KV5M_FAST_RESPONSE, "Bad magic number for FAST response"
+error_code KV5M_AUTHDATA_CONTEXT,  "Bad magic number for krb5_authdata_context"
 end

Modified: trunk/src/lib/krb5/krb/Makefile.in
===================================================================
--- trunk/src/lib/krb5/krb/Makefile.in	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/Makefile.in	2009-10-09 18:29:34 UTC (rev 22875)
@@ -18,6 +18,7 @@
 	addr_srch.o	\
 	appdefault.o	\
 	auth_con.o	\
+	authdata.o	\
 	bld_pr_ext.o	\
 	bld_princ.o	\
 	chk_trans.o	\
@@ -107,6 +108,7 @@
 	$(OUTPRE)addr_srch.$(OBJEXT)	\
 	$(OUTPRE)appdefault.$(OBJEXT)	\
 	$(OUTPRE)auth_con.$(OBJEXT)	\
+	$(OUTPRE)authdata.$(OBJEXT)	\
 	$(OUTPRE)bld_pr_ext.$(OBJEXT)	\
 	$(OUTPRE)bld_princ.$(OBJEXT)	\
 	$(OUTPRE)chk_trans.$(OBJEXT)	\
@@ -196,6 +198,7 @@
 	$(srcdir)/addr_srch.c	\
 	$(srcdir)/appdefault.c	\
 	$(srcdir)/auth_con.c	\
+	$(srcdir)/authdata.c	\
 	$(srcdir)/bld_pr_ext.c	\
 	$(srcdir)/bld_princ.c	\
 	$(srcdir)/brand.c	\
@@ -312,11 +315,11 @@
 T_KERB_OBJS= t_kerb.o conv_princ.o unparse.o set_realm.o str_conv.o
 
 T_SER_OBJS= t_ser.o ser_actx.o ser_adata.o ser_addr.o ser_auth.o ser_cksum.o \
-	ser_ctx.o ser_key.o ser_princ.o serialize.o 
+	ser_ctx.o ser_key.o ser_princ.o serialize.o authdata.o pac.o copy_data.o
 
 T_DELTAT_OBJS= t_deltat.o deltat.o
 
-T_PAC_OBJS= t_pac.o pac.o
+T_PAC_OBJS= t_pac.o pac.o copy_data.o
 
 T_PRINC_OBJS= t_princ.o parse.o unparse.o
 
@@ -327,8 +330,8 @@
 t_ad_fx_armor: t_ad_fx_armor.o
 	$(CC_LINK) -o $@ t_ad_fx_armor.o $(KRB5_BASE_LIBS)
 
-t_authdata: t_authdata.o copy_auth.o
-	$(CC_LINK) -o $@ t_authdata.o copy_auth.o $(KRB5_BASE_LIBS)
+t_authdata: t_authdata.o $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $@ t_authdata.o $(KRB5_BASE_LIBS)
 
 t_kerb: $(T_KERB_OBJS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_kerb $(T_KERB_OBJS) $(KRB5_BASE_LIBS)

Modified: trunk/src/lib/krb5/krb/auth_con.c
===================================================================
--- trunk/src/lib/krb5/krb/auth_con.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/auth_con.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -66,6 +66,8 @@
 	krb5_rc_close(context, auth_context->rcache);
     if (auth_context->permitted_etypes)
 	free(auth_context->permitted_etypes);
+    if (auth_context->ad_context)
+	krb5_authdata_context_free(context, auth_context->ad_context);
     free(auth_context);
     return 0;
 }
@@ -568,3 +570,21 @@
     return 0;
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_get_authdata_context(krb5_context context,
+				   krb5_auth_context auth_context,
+				   krb5_authdata_context *ad_context)
+{
+    *ad_context = auth_context->ad_context;
+    return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_set_authdata_context(krb5_context context,
+				   krb5_auth_context auth_context,
+				   krb5_authdata_context ad_context)
+{
+    auth_context->ad_context = ad_context;
+    return 0;
+}
+

Modified: trunk/src/lib/krb5/krb/auth_con.h
===================================================================
--- trunk/src/lib/krb5/krb/auth_con.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/auth_con.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -24,6 +24,7 @@
     krb5_mk_req_checksum_func checksum_func;
     void *checksum_func_data;
     krb5_enctype	negotiated_etype;
+    krb5_authdata_context   ad_context;
 };
 
 

Copied: trunk/src/lib/krb5/krb/authdata.c (from rev 22872, users/lhoward/authdata/src/lib/krb5/krb/authdata.c)

Copied: trunk/src/lib/krb5/krb/authdata.h (from rev 22872, users/lhoward/authdata/src/lib/krb5/krb/authdata.h)

Modified: trunk/src/lib/krb5/krb/copy_auth.c
===================================================================
--- trunk/src/lib/krb5/krb/copy_auth.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/copy_auth.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -276,3 +276,126 @@
   else krb5_free_authdata(context, fctx.out);
   return retval;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_make_authdata_kdc_issued(krb5_context context,
+    const krb5_keyblock *key,
+    krb5_const_principal issuer,
+    krb5_authdata *const *authdata,
+    krb5_authdata ***ad_kdcissued)
+{
+    krb5_error_code code;
+    krb5_ad_kdcissued ad_kdci;
+    krb5_data *data;
+    krb5_cksumtype cksumtype;
+    krb5_authdata ad_datum;
+    krb5_authdata *ad_data[2];
+
+    *ad_kdcissued = NULL;
+
+    ad_kdci.ad_checksum.contents = NULL;
+    ad_kdci.i_principal = (krb5_principal)issuer;
+    ad_kdci.elements = (krb5_authdata **)authdata;
+
+    code = krb5int_c_mandatory_cksumtype(context, key->enctype,
+                                         &cksumtype);
+    if (code != 0)
+        return code;
+
+    code = encode_krb5_authdata(ad_kdci.elements, &data);
+    if (code != 0)
+        return code;
+
+    code = krb5_c_make_checksum(context, cksumtype,
+                                key, KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM,
+                                data, &ad_kdci.ad_checksum);
+    if (code != 0) {
+        krb5_free_data(context, data);
+        return code;
+    }
+
+    krb5_free_data(context, data);
+
+    code = encode_krb5_ad_kdcissued(&ad_kdci, &data);
+    if (code != 0)
+        return code;
+
+    ad_datum.ad_type = KRB5_AUTHDATA_KDC_ISSUED;
+    ad_datum.length = data->length;
+    ad_datum.contents = (unsigned char *)data->data;
+
+    ad_data[0] = &ad_datum;
+    ad_data[1] = NULL;
+
+    code = krb5_copy_authdata(context, ad_data, ad_kdcissued);
+
+    krb5_free_data(context, data);
+    krb5_free_checksum_contents(context, &ad_kdci.ad_checksum);
+
+    return code;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_verify_authdata_kdc_issued(krb5_context context,
+    const krb5_keyblock *key,
+    const krb5_authdata *ad_kdcissued,
+    krb5_principal *issuer,
+    krb5_authdata ***authdata)
+{
+    krb5_error_code code;
+    krb5_ad_kdcissued *ad_kdci;
+    krb5_data data, *data2;
+    krb5_boolean valid = FALSE;
+
+    if ((ad_kdcissued->ad_type & AD_TYPE_FIELD_TYPE_MASK) !=
+	KRB5_AUTHDATA_KDC_ISSUED)
+	return EINVAL;
+
+    if (issuer != NULL)
+        *issuer = NULL;
+    if (authdata != NULL)
+        *authdata = NULL;
+
+    data.length = ad_kdcissued->length;
+    data.data = (char *)ad_kdcissued->contents;
+
+    code = decode_krb5_ad_kdcissued(&data, &ad_kdci);
+    if (code != 0)
+        return code;
+
+    code = encode_krb5_authdata(ad_kdci->elements, &data2);
+    if (code != 0) {
+        krb5_free_ad_kdcissued(context, ad_kdci);
+        return code;
+    }
+
+    code = krb5_c_verify_checksum(context, key,
+                                  KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM,
+                                  data2, &ad_kdci->ad_checksum, &valid);
+    if (code != 0) {
+        krb5_free_ad_kdcissued(context, ad_kdci);
+        krb5_free_data(context, data2);
+    }
+
+    krb5_free_data(context, data2);
+
+    if (valid == FALSE) {
+        krb5_free_ad_kdcissued(context, ad_kdci);
+        return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    }
+
+    if (issuer != NULL) {
+        *issuer = ad_kdci->i_principal;
+        ad_kdci->i_principal = NULL;
+    }
+
+    if (authdata != NULL) {
+        *authdata = ad_kdci->elements;
+        ad_kdci->elements = NULL;
+    }
+
+    krb5_free_ad_kdcissued(context, ad_kdci);
+
+    return 0;
+}
+

Modified: trunk/src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- trunk/src/lib/krb5/krb/gc_frm_kdc.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/gc_frm_kdc.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -934,6 +934,7 @@
     krb5_boolean old_use_conf_ktypes;
     char **hrealms;
     unsigned int referral_count, i;
+    krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL;
 
     /* 
      * Set up client and server pointers.  Make a fresh and modifyable
@@ -948,8 +949,18 @@
 	krb5_free_principal(context, server);
 	return retval;
     }
+    if (in_cred->authdata != NULL) {
+	if ((retval = krb5_copy_authdata(context, in_cred->authdata,
+					 &out_supplied_authdata)) != 0) {
+	    krb5_free_principal(context, out_supplied_server);
+	    krb5_free_principal(context, server);
+	    return retval;
+	}
+    }
+
     supplied_server = in_cred->server;
     in_cred->server=server;
+    supplied_authdata = in_cred->authdata;
 
     DUMP_PRINC("gc_from_kdc initial client", client);
     DUMP_PRINC("gc_from_kdc initial server", server);
@@ -1139,6 +1150,15 @@
 	    if (tgtptr == &cc_tgt)
 		krb5_free_cred_contents(context, tgtptr);
 	    tgtptr=*out_cred;
+	    /* Save requested auth data with TGT in case it ends up stored */
+	    if (supplied_authdata != NULL) {
+		/* Ensure we note TGT contains authorization data */
+		retval = krb5_copy_authdata(context,
+					    supplied_authdata,
+					    &(*out_cred)->authdata);
+		if (retval)
+		    goto cleanup;
+	    }
 	    /* Save pointer to tgt in referral_tgts. */
 	    referral_tgts[referral_count]=*out_cred;
 	    *out_cred = NULL;
@@ -1149,6 +1169,8 @@
 						&server->realm);
 	    if (retval)
 		goto cleanup;
+	    /* Don't ask for KDC to add auth data multiple times */
+	    in_cred->authdata = NULL;
 	    /*
 	     * Future work: rewrite server principal per any
 	     * supplied padata.
@@ -1252,7 +1274,6 @@
 	retval = KRB5_PROG_ETYPE_NOSUPP;
 	goto cleanup;
     }
-
     context->use_conf_ktypes = old_use_conf_ktypes;
     retval = krb5_get_cred_via_tkt(context, tgtptr,
 				   FLAGS2OPTS(tgtptr->ticket_flags) |
@@ -1272,10 +1293,13 @@
 	       server);
     krb5_free_principal(context, server);
     in_cred->server = supplied_server;
+    in_cred->authdata = supplied_authdata;
     if (*out_cred && !retval) {
         /* Success: free server, swap supplied server back in. */
         krb5_free_principal (context, (*out_cred)->server);
-	(*out_cred)->server= out_supplied_server;
+	(*out_cred)->server = out_supplied_server;
+	assert((*out_cred)->authdata == NULL);
+	(*out_cred)->authdata = out_supplied_authdata;
     }
     else {
         /* 
@@ -1283,7 +1307,8 @@
 	 * since it's either null or a referral TGT that we free below,
 	 * and we may need it to return.
 	 */
-        krb5_free_principal (context, out_supplied_server);
+        krb5_free_principal(context, out_supplied_server);
+	krb5_free_authdata(context, out_supplied_authdata);
     }
     DUMP_PRINC("gc_from_kdc: final server after reversion", in_cred->server);
     /*

Modified: trunk/src/lib/krb5/krb/int-proto.h
===================================================================
--- trunk/src/lib/krb5/krb/int-proto.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/int-proto.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -47,6 +47,7 @@
 krb5_error_code krb5_ser_checksum_init (krb5_context);
 krb5_error_code krb5_ser_keyblock_init (krb5_context);
 krb5_error_code krb5_ser_principal_init (krb5_context);
+krb5_error_code krb5_ser_authdata_context_init (krb5_context);
 
 krb5_error_code
 krb5_preauth_supply_preauth_data(krb5_context context,

Modified: trunk/src/lib/krb5/krb/kfree.c
===================================================================
--- trunk/src/lib/krb5/krb/kfree.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/kfree.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -534,7 +534,8 @@
 void KRB5_CALLCONV
 krb5_free_unparsed_name(krb5_context context, char *val)
 {
-    free(val);
+    if (val != NULL)
+	free(val);
 }
 
 void KRB5_CALLCONV
@@ -881,3 +882,30 @@
       krb5_free_checksum_contents(context, &val->req_checksum);
     free(val);
 }
+
+void KRB5_CALLCONV
+krb5int_free_data_list(krb5_context context, krb5_data *data)
+{
+    int i;
+
+    if (data == NULL)
+        return;
+
+    for (i = 0; data[i].data != NULL; i++)
+        free(data[i].data);
+
+    free(data);
+}
+
+void KRB5_CALLCONV
+krb5_free_ad_kdcissued(krb5_context context, krb5_ad_kdcissued *val)
+{
+    if (val == NULL)
+        return;
+
+    krb5_free_checksum_contents(context, &val->ad_checksum);
+    krb5_free_principal(context, val->i_principal);
+    krb5_free_authdata(context, val->elements);
+    free(val);
+}
+

Modified: trunk/src/lib/krb5/krb/mk_req_ext.c
===================================================================
--- trunk/src/lib/krb5/krb/mk_req_ext.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/mk_req_ext.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -75,6 +75,7 @@
 				       krb5_authenticator *, krb5_principal,
 				       krb5_checksum *, krb5_keyblock *,
 				       krb5_ui_4, krb5_authdata **,
+				       krb5_authdata_context ad_context,
 				       krb5_enctype *desired_etypes,
 				       krb5_enctype tkt_enctype);
 
@@ -244,6 +245,7 @@
 					      (*auth_context)->send_subkey,
 					      (*auth_context)->local_seq_number,
 					      in_creds->authdata,
+					      (*auth_context)->ad_context,
 					      desired_etypes,
 					      in_creds->keyblock.enctype)))
 	goto cleanup_cksum;
@@ -253,12 +255,6 @@
 					    &scratch)))
 	goto cleanup_cksum;
     
-    /* Null out these fields, to prevent pointer sharing problems;
-     * they were supplied by the caller
-     */
-    (*auth_context)->authentp->client = NULL;
-    (*auth_context)->authentp->checksum = NULL;
-
     /* call the encryption routine */
     if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock,
 				      KRB5_KEYUSAGE_AP_REQ_AUTH,
@@ -272,6 +268,13 @@
     free(toutbuf);
 
 cleanup_cksum:
+    /* Null out these fields, to prevent pointer sharing problems;
+     * they were supplied by the caller
+     */
+    if ((*auth_context)->authentp != NULL) {
+	(*auth_context)->authentp->client = NULL;
+	(*auth_context)->authentp->checksum = NULL;
+    }
     if (checksump && checksump->checksum_type != 0x8003)
       free(checksump->contents);
 
@@ -299,11 +302,13 @@
 			    krb5_principal client, krb5_checksum *cksum,
 			    krb5_keyblock *key, krb5_ui_4 seq_number,
 			    krb5_authdata **authorization,
+			    krb5_authdata_context ad_context,
 			    krb5_enctype *desired_etypes,
 			    krb5_enctype tkt_enctype)
 {
     krb5_error_code retval;
-    
+    krb5_authdata **ext_authdata = NULL;
+
     authent->client = client;
     authent->checksum = cksum;
     if (key) {
@@ -315,12 +320,27 @@
     authent->seq_number = seq_number;
     authent->authorization_data = NULL;
 
-    if (authorization != NULL) {
-	retval = krb5_copy_authdata(context, authorization,
-				    &authent->authorization_data);
+    if (ad_context != NULL) {
+	retval = krb5_authdata_export_authdata(context,
+					       ad_context,
+					       AD_USAGE_AP_REQ,
+					       &ext_authdata);
 	if (retval)
 	    return retval;
     }
+
+    if (authorization != NULL || ext_authdata != NULL) {
+	retval = krb5_merge_authdata(context,
+				     authorization,
+				     ext_authdata,
+				     &authent->authorization_data);
+	if (retval) {
+	    krb5_free_authdata(context, ext_authdata);
+	    return retval;
+	}
+	krb5_free_authdata(context, ext_authdata);
+    }
+
     /* Only send EtypeList if we prefer another enctype to tkt_enctype */ 
     if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
 	retval = make_etype_list(context, desired_etypes, tkt_enctype,

Modified: trunk/src/lib/krb5/krb/pac.c
===================================================================
--- trunk/src/lib/krb5/krb/pac.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/pac.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -8,7 +8,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- * 
+ *
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -27,6 +27,7 @@
 
 #include "k5-int.h"
 #include "k5-utf8.h"
+#include "authdata.h"
 
 /* draft-brezak-win2k-krb-authz-00 */
 
@@ -46,9 +47,12 @@
 
 /* ulType */
 #define PAC_LOGON_INFO		1
+#define PAC_CREDENTIALS_INFO	2
 #define PAC_SERVER_CHECKSUM	6
 #define PAC_PRIVSVR_CHECKSUM	7
 #define PAC_CLIENT_INFO		10
+#define PAC_DELEGATION_INFO	11
+#define PAC_UPN_DNS_INFO	12
 
 typedef struct _PACTYPE {
     krb5_ui_4 cBuffers;
@@ -66,6 +70,7 @@
 struct krb5_pac_data {
     PACTYPE *pac;	/* PAC header + info buffer array */
     krb5_data data;	/* PAC data (including uninitialised header) */
+    krb5_boolean verified;
 };
 
 static krb5_error_code
@@ -93,7 +98,7 @@
 
     /* Check there isn't already a buffer of this type */
     if (k5_pac_locate_buffer(context, pac, type, NULL) == 0) {
-	return EINVAL;
+	return EEXIST;
     }
 
     header = (PACTYPE *)realloc(pac->pac,
@@ -148,6 +153,8 @@
 	out_data->length = data->length;
     }
 
+    pac->verified = FALSE;
+
     return 0;
 }
 
@@ -228,7 +235,7 @@
     ret = k5_pac_locate_buffer(context, pac, type, &d);
     if (ret != 0)
 	return ret;
- 
+
     data->data = malloc(d.length);
     if (data->data == NULL)
 	return ENOMEM;
@@ -277,7 +284,7 @@
 
     pac->pac = (PACTYPE *)malloc(sizeof(PACTYPE));
     if (pac->pac == NULL) {
-	free( pac);
+	free(pac);
 	return ENOMEM;
     }
 
@@ -291,11 +298,54 @@
 	return ENOMEM;
     }
 
+    pac->verified = FALSE;
+
     *ppac = pac;
 
     return 0;
 }
 
+static krb5_error_code
+k5_pac_copy(krb5_context context,
+	    krb5_pac src,
+	    krb5_pac *dst)
+{
+    size_t header_len;
+    krb5_ui_4 cbuffers;
+    krb5_error_code code;
+    krb5_pac pac;
+
+    cbuffers = src->pac->cBuffers;
+    if (cbuffers != 0)
+	cbuffers--;
+
+    header_len = sizeof(PACTYPE) + cbuffers * sizeof(PAC_INFO_BUFFER);
+
+    pac = (krb5_pac)malloc(sizeof(*pac));
+    if (pac == NULL)
+	return ENOMEM;
+
+    pac->pac = (PACTYPE *)malloc(header_len);
+    if (pac->pac == NULL) {
+	free(pac);
+	return ENOMEM;
+    }
+
+    memcpy(pac->pac, src->pac, header_len);
+
+    code = krb5int_copy_data_contents(context, &src->data, &pac->data);
+    if (code != 0) {
+	free(pac->pac);
+	free(pac);
+	return ENOMEM;
+    }
+
+    pac->verified = src->verified;
+    *dst = pac;
+
+    return 0;
+}
+
 /*
  * Parse the supplied data into the PAC allocated by this function
  */
@@ -379,7 +429,8 @@
 }
 
 static krb5_error_code
-k5_time_to_seconds_since_1970(krb5_int64 ntTime, krb5_timestamp *elapsedSeconds)
+k5_time_to_seconds_since_1970(krb5_int64 ntTime,
+			      krb5_timestamp *elapsedSeconds)
 {
     krb5_ui_8 abstime;
 
@@ -393,10 +444,11 @@
     *elapsedSeconds = abstime;
 
     return 0;
-}    
+}
 
 static krb5_error_code
-k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, krb5_ui_8 *ntTime)
+k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds,
+			      krb5_ui_8 *ntTime)
 {
     *ntTime = elapsedSeconds;
 
@@ -404,7 +456,7 @@
 	*ntTime += NT_TIME_EPOCH;
 
     *ntTime *= 10000000;
-   
+
     return 0;
 }
 
@@ -441,10 +493,11 @@
 	return ret;
 
     if (client_info.length < PAC_CLIENT_INFO_LENGTH + pac_princname_length ||
-        pac_princname_length % 2)
+	pac_princname_length % 2)
 	return ERANGE;
 
-    ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2, &pac_princname, NULL);
+    ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
+				    &pac_princname, NULL);
     if (ret != 0)
 	return ret;
 
@@ -457,7 +510,10 @@
     free(pac_princname);
 
     if (pac_authtime != authtime ||
-	krb5_principal_compare(context, pac_principal, principal) == FALSE)
+	!krb5_principal_compare_flags(context,
+				      pac_principal,
+				      principal,
+				      KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
 	ret = KRB5KRB_AP_WRONG_PRINC;
 
     krb5_free_principal(context, pac_principal);
@@ -513,7 +569,8 @@
     krb5_boolean valid;
     krb5_octet *p;
 
-    ret = k5_pac_locate_buffer(context, pac, PAC_SERVER_CHECKSUM, &checksum_data);
+    ret = k5_pac_locate_buffer(context, pac,
+			       PAC_SERVER_CHECKSUM, &checksum_data);
     if (ret != 0)
 	return ret;
 
@@ -533,19 +590,22 @@
     memcpy(pac_data.data, pac->data.data, pac->data.length);
 
     /* Zero out both checksum buffers */
-    ret = k5_pac_zero_signature(context, pac, PAC_SERVER_CHECKSUM, &pac_data);
+    ret = k5_pac_zero_signature(context, pac,
+				PAC_SERVER_CHECKSUM, &pac_data);
     if (ret != 0) {
 	free(pac_data.data);
 	return ret;
     }
 
-    ret = k5_pac_zero_signature(context, pac, PAC_PRIVSVR_CHECKSUM, &pac_data);
+    ret = k5_pac_zero_signature(context, pac,
+				PAC_PRIVSVR_CHECKSUM, &pac_data);
     if (ret != 0) {
 	free(pac_data.data);
 	return ret;
     }
 
-    ret = krb5_c_verify_checksum(context, server, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+    ret = krb5_c_verify_checksum(context, server,
+				 KRB5_KEYUSAGE_APP_DATA_CKSUM,
 				 &pac_data, &checksum, &valid);
 
     free(pac_data.data);
@@ -571,14 +631,16 @@
     krb5_boolean valid;
     krb5_octet *p;
 
-    ret = k5_pac_locate_buffer(context, pac, PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
+    ret = k5_pac_locate_buffer(context, pac,
+			       PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
     if (ret != 0)
 	return ret;
 
     if (privsvr_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
 	return KRB5_BAD_MSIZE;
 
-    ret = k5_pac_locate_buffer(context, pac, PAC_SERVER_CHECKSUM, &server_checksum);
+    ret = k5_pac_locate_buffer(context, pac,
+			       PAC_SERVER_CHECKSUM, &server_checksum);
     if (ret != 0)
 	return ret;
 
@@ -593,7 +655,8 @@
     server_checksum.data += PAC_SIGNATURE_DATA_LENGTH;
     server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
 
-    ret = krb5_c_verify_checksum(context, privsvr, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+    ret = krb5_c_verify_checksum(context, privsvr,
+				 KRB5_KEYUSAGE_APP_DATA_CKSUM,
 				 &server_checksum, &checksum, &valid);
     if (ret != 0)
 	return ret;
@@ -633,6 +696,8 @@
 	    return ret;
     }
 
+    pac->verified = TRUE;
+
     return 0;
 }
 
@@ -650,12 +715,14 @@
     krb5_ui_8 nt_authtime;
 
     /* If we already have a CLIENT_INFO buffer, then just validate it */
-    if (k5_pac_locate_buffer(context, pac, PAC_CLIENT_INFO, &client_info) == 0) {
+    if (k5_pac_locate_buffer(context, pac,
+			     PAC_CLIENT_INFO, &client_info) == 0) {
 	return k5_pac_validate_client(context, pac, authtime, principal);
     }
 
     ret = krb5_unparse_name_flags(context, principal,
-				  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &princ_name_utf8);
+				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+				  &princ_name_utf8);
     if (ret != 0)
 	goto cleanup;
 
@@ -668,7 +735,8 @@
     client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len;
     client_info.data = NULL;
 
-    ret = k5_pac_add_buffer(context, pac, PAC_CLIENT_INFO, &client_info, TRUE, &client_info);
+    ret = k5_pac_add_buffer(context, pac, PAC_CLIENT_INFO,
+			    &client_info, TRUE, &client_info);
     if (ret != 0)
 	goto cleanup;
 
@@ -685,12 +753,11 @@
 
     /* copy in principal name */
     memcpy(p, princ_name_ucs2, princ_name_ucs2_len);
- 
+
 cleanup:
-    if (princ_name_utf8 != NULL)
-	free(princ_name_utf8);
     if (princ_name_ucs2 != NULL)
 	free(princ_name_ucs2);
+    krb5_free_unparsed_name(context, princ_name_utf8);
 
     return ret;
 }
@@ -716,7 +783,10 @@
 
     ret = k5_pac_locate_buffer(context, pac, type, &cksumdata);
     if (ret == 0) {
-	/* If we're resigning PAC, make sure we can fit checksum into existing buffer */
+	/*
+	 * If we're resigning PAC, make sure we can fit checksum
+	 * into existing buffer
+	 */
 	if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len)
 	    return ERANGE;
 
@@ -726,7 +796,9 @@
 	cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len;
 	cksumdata.data = NULL;
 
-	ret = k5_pac_add_buffer(context, pac, type, &cksumdata, TRUE, &cksumdata);
+	ret = k5_pac_add_buffer(context, pac,
+				type, &cksumdata,
+				TRUE, &cksumdata);
 	if (ret != 0)
 	    return ret;
     }
@@ -745,7 +817,8 @@
     unsigned char *p;
     size_t header_len;
 
-    header_len = PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
+    header_len = PACTYPE_LENGTH +
+	(pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
     assert(pac->data.length >= header_len);
 
     p = (unsigned char *)pac->data.data;
@@ -818,7 +891,8 @@
 	return ret;
 
     /* Generate the server checksum over the entire PAC */
-    ret = k5_pac_locate_buffer(context, pac, PAC_SERVER_CHECKSUM, &server_cksum);
+    ret = k5_pac_locate_buffer(context, pac,
+			       PAC_SERVER_CHECKSUM, &server_cksum);
     if (ret != 0)
 	return ret;
 
@@ -838,7 +912,8 @@
 	return ret;
 
     /* Generate the privsvr checksum over the server checksum buffer */
-    ret = k5_pac_locate_buffer(context, pac, PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
+    ret = k5_pac_locate_buffer(context, pac,
+			       PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
     if (ret != 0)
 	return ret;
 
@@ -865,8 +940,603 @@
     data->length = pac->data.length;
 
     memcpy(data->data, pac->data.data, pac->data.length);
-    memset(pac->data.data, 0, PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
+    memset(pac->data.data, 0,
+	   PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
 
     return 0;
 }
 
+/*
+ * PAC auth data attribute backend
+ */
+struct mspac_context {
+    krb5_pac pac;
+};
+
+static krb5_error_code
+mspac_init(krb5_context kcontext, void **plugin_context)
+{
+    *plugin_context = NULL;
+    return 0;
+}
+
+static void
+mspac_flags(krb5_context kcontext,
+	    void *plugin_context,
+	    krb5_authdatatype ad_type,
+	    krb5_flags *flags)
+{
+    *flags = AD_USAGE_KDC_ISSUED;
+}
+
+static void
+mspac_fini(krb5_context kcontext, void *plugin_context)
+{
+    return;
+}
+
+static krb5_error_code
+mspac_request_init(krb5_context kcontext,
+		   krb5_authdata_context context,
+		   void *plugin_context,
+		   void **request_context)
+{
+    struct mspac_context *pacctx;
+
+    pacctx = (struct mspac_context *)malloc(sizeof(*pacctx));
+    if (pacctx == NULL)
+	return ENOMEM;
+
+    pacctx->pac = NULL;
+
+    *request_context = pacctx;
+
+    return 0;
+}
+
+static krb5_error_code
+mspac_import_authdata(krb5_context kcontext,
+		      krb5_authdata_context context,
+		      void *plugin_context,
+		      void *request_context,
+		      krb5_authdata **authdata,
+		      krb5_boolean kdc_issued,
+		      krb5_const_principal kdc_issuer)
+{
+    krb5_error_code code;
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+    if (kdc_issued)
+	return EINVAL;
+
+    if (pacctx->pac != NULL) {
+	krb5_pac_free(kcontext, pacctx->pac);
+	pacctx->pac = NULL;
+    }
+
+    assert(authdata[0] != NULL);
+    assert((authdata[0]->ad_type & AD_TYPE_FIELD_TYPE_MASK) ==
+	KRB5_AUTHDATA_WIN2K_PAC);
+
+    code = krb5_pac_parse(kcontext, authdata[0]->contents,
+			  authdata[0]->length, &pacctx->pac);
+
+    return code;
+}
+
+static krb5_error_code
+mspac_export_authdata(krb5_context kcontext,
+		      krb5_authdata_context context,
+		      void *plugin_context,
+		      void *request_context,
+		      krb5_flags usage,
+		      krb5_authdata ***out_authdata)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+    krb5_error_code code;
+    krb5_authdata **authdata;
+    krb5_data data;
+
+    if (pacctx->pac == NULL)
+	return 0;
+
+    authdata = calloc(2, sizeof(krb5_authdata *));
+    if (authdata == NULL)
+	return ENOMEM;
+
+    authdata[0] = calloc(1, sizeof(krb5_authdata));
+    if (authdata[0] == NULL) {
+	free(authdata);
+	return ENOMEM;
+    }
+    authdata[1] = NULL;
+
+    code = krb5int_copy_data_contents(kcontext, &pacctx->pac->data, &data);
+    if (code != 0) {
+	krb5_free_authdata(kcontext, authdata);
+	return code;
+    }
+
+    authdata[0]->magic = KV5M_AUTHDATA;
+    authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC;
+    authdata[0]->length = data.length;
+    authdata[0]->contents = (krb5_octet *)data.data;
+
+    authdata[1] = NULL;
+
+    *out_authdata = authdata;
+
+    return 0;
+}
+
+static krb5_error_code
+mspac_verify(krb5_context kcontext,
+	     krb5_authdata_context context,
+	     void *plugin_context,
+	     void *request_context,
+	     const krb5_auth_context *auth_context,
+	     const krb5_keyblock *key,
+	     const krb5_ap_req *req)
+{
+    krb5_error_code code;
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+    if (pacctx->pac == NULL)
+	return EINVAL;
+
+    code = krb5_pac_verify(kcontext,
+			   pacctx->pac,
+			   req->ticket->enc_part2->times.authtime,
+			   req->ticket->enc_part2->client,
+			   key,
+			   NULL);
+
+#if 0
+    /*
+     * Now, we could return 0 and just set pac->verified to FALSE.
+     * Thoughts?
+     */
+    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+	assert(pacctx->pac->verified == FALSE);
+	code = 0;
+    }
+#endif
+
+    return code;
+}
+
+static void
+mspac_request_fini(krb5_context kcontext,
+		   krb5_authdata_context context,
+		   void *plugin_context,
+		   void *request_context)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+    if (pacctx != NULL) {
+	if (pacctx->pac != NULL)
+	    krb5_pac_free(kcontext, pacctx->pac);
+
+	free(pacctx);
+    }
+}
+
+#define STRLENOF(x) (sizeof((x)) - 1)
+
+static struct {
+    krb5_ui_4 type;
+    krb5_data attribute;
+} mspac_attribute_types[] = {
+    { (krb5_ui_4)-1,		{ KV5M_DATA, STRLENOF("mspac:"), "mspac:" } },
+    { PAC_LOGON_INFO,		{ KV5M_DATA, STRLENOF("mspac:logon-info"), "mspac:logon-info" } },
+    { PAC_CREDENTIALS_INFO,	{ KV5M_DATA, STRLENOF("mspac:credentials-info"), "mspac:credentials-info" } },
+    { PAC_SERVER_CHECKSUM,	{ KV5M_DATA, STRLENOF("mspac:server-checksum"), "mspac:server-checksum" } },
+    { PAC_PRIVSVR_CHECKSUM,	{ KV5M_DATA, STRLENOF("mspac:privsvr-checksum"), "mspac:privsvr-checksum" } },
+    { PAC_CLIENT_INFO,		{ KV5M_DATA, STRLENOF("mspac:client-info"), "mspac:client-info" } },
+    { PAC_DELEGATION_INFO,	{ KV5M_DATA, STRLENOF("mspac:delegation-info"), "mspac:delegation-info" } },
+    { PAC_UPN_DNS_INFO,		{ KV5M_DATA, STRLENOF("mspac:upn-dns-info"), "mspac:upn-dns-info" } },
+};
+
+#define MSPAC_ATTRIBUTE_COUNT	(sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0]))
+
+static krb5_error_code
+mspac_type2attr(krb5_ui_4 type, krb5_data *attr)
+{
+    unsigned int i;
+
+    for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
+	if (mspac_attribute_types[i].type == type) {
+	    *attr = mspac_attribute_types[i].attribute;
+	    return 0;
+	}
+    }
+
+    return ENOENT;
+}
+
+static krb5_error_code
+mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type)
+{
+    unsigned int i;
+
+    for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
+	if (attr->length == mspac_attribute_types[i].attribute.length &&
+	    strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) {
+	    *type = mspac_attribute_types[i].type;
+	    return 0;
+	}
+    }
+
+    if (attr->length > STRLENOF("mspac:") &&
+	strncasecmp(attr->data, "mspac:", STRLENOF("mspac:")) == 0)
+    {
+	char *p = &attr->data[STRLENOF("mspac:")];
+	char *endptr;
+
+	*type = strtoul(p, &endptr, 10);
+	if (*type != 0 && *endptr == '\0')
+	    return 0;
+    }
+
+    return ENOENT;
+}
+
+static krb5_error_code
+mspac_get_attribute_types(krb5_context kcontext,
+			  krb5_authdata_context context,
+			  void *plugin_context,
+			  void *request_context,
+			  krb5_data **out_attrs)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+    unsigned int i, j;
+    krb5_data *attrs;
+    krb5_error_code code;
+
+    if (pacctx->pac == NULL)
+	return ENOENT;
+
+    attrs = calloc(1 + pacctx->pac->pac->cBuffers + 1, sizeof(krb5_data));
+    if (attrs == NULL)
+	return ENOMEM;
+
+    j = 0;
+
+    /* The entire PAC */
+    code = krb5int_copy_data_contents(kcontext,
+				      &mspac_attribute_types[0].attribute,
+				      &attrs[j++]);
+    if (code != 0) {
+	free(attrs);
+	return code;
+    }
+
+    /* PAC buffers */
+    for (i = 0; i < pacctx->pac->pac->cBuffers; i++) {
+	krb5_data attr;
+
+	code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr);
+	if (code == 0) {
+	    code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]);
+	    if (code != 0) {
+		krb5int_free_data_list(kcontext, attrs);
+		return code;
+	    }
+	} else {
+	    int length;
+
+	    length = asprintf(&attrs[j].data, "mspac:%d",
+			      pacctx->pac->pac->Buffers[i].ulType);
+	    if (length < 0) {
+		krb5int_free_data_list(kcontext, attrs);
+		return ENOMEM;
+	    }
+	    attrs[j++].length = length;
+	}
+    }
+    attrs[j].data = NULL;
+    attrs[j].length = 0;
+
+    *out_attrs = attrs;
+
+    return 0;
+}
+
+static krb5_error_code
+mspac_get_attribute(krb5_context kcontext,
+		    krb5_authdata_context context,
+		    void *plugin_context,
+		    void *request_context,
+		    const krb5_data *attribute,
+		    krb5_boolean *authenticated,
+		    krb5_boolean *complete,
+		    krb5_data *value,
+		    krb5_data *display_value,
+		    int *more)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+    krb5_error_code code;
+    krb5_ui_4 type;
+
+    value->data = NULL;
+    value->length = 0;
+
+    if (display_value != NULL) {
+	display_value->data = NULL;
+	display_value->length = 0;
+    }
+
+    if (*more != -1 || pacctx->pac == NULL)
+	return ENOENT;
+
+    code = mspac_attr2type(attribute, &type);
+    if (code != 0)
+	return code;
+
+    /* -1 is a magic type that refers to the entire PAC */
+    if (type == (krb5_ui_4)-1) {
+	if (value != NULL)
+	    code = krb5int_copy_data_contents(kcontext,
+					      &pacctx->pac->data,
+					      value);
+	else
+	    code = 0;
+    } else {
+	if (value != NULL)
+	    code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value);
+	else
+	    code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL);
+    }
+    if (code == 0) {
+	*authenticated = pacctx->pac->verified;
+	*complete = TRUE;
+    }
+
+    *more = 0;
+
+    return code;
+}
+
+static krb5_error_code
+mspac_set_attribute(krb5_context kcontext,
+		    krb5_authdata_context context,
+		    void *plugin_context,
+		    void *request_context,
+		    krb5_boolean complete,
+		    const krb5_data *attribute,
+		    const krb5_data *value)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+    krb5_error_code code;
+    krb5_ui_4 type;
+
+    if (pacctx->pac == NULL)
+	return ENOENT;
+
+    code = mspac_attr2type(attribute, &type);
+    if (code != 0)
+	return code;
+
+    /* -1 is a magic type that refers to the entire PAC */
+    if (type == (krb5_ui_4)-1) {
+	krb5_pac newpac;
+
+	code = krb5_pac_parse(kcontext, value->data, value->length, &newpac);
+	if (code != 0)
+	    return code;
+
+	krb5_pac_free(kcontext, pacctx->pac);
+	pacctx->pac = newpac;
+    } else {
+	code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value);
+    }
+
+    return code;
+}
+
+static krb5_error_code
+mspac_export_internal(krb5_context kcontext,
+		      krb5_authdata_context context,
+		      void *plugin_context,
+		      void *request_context,
+		      krb5_boolean restrict_authenticated,
+		      void **ptr)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+    krb5_error_code code;
+    krb5_pac pac;
+
+    *ptr = NULL;
+
+    if (pacctx->pac == NULL)
+	return 0;
+
+    if (restrict_authenticated && (pacctx->pac->verified) == FALSE)
+	return 0;
+
+    code = krb5_pac_parse(kcontext, pacctx->pac->data.data,
+			  pacctx->pac->data.length, &pac);
+    if (code == 0) {
+	pac->verified = pacctx->pac->verified;
+	*ptr = pac;
+    }
+
+    return code;
+}
+
+static void
+mspac_free_internal(krb5_context kcontext,
+		    krb5_authdata_context context,
+		    void *plugin_context,
+		    void *request_context,
+		    void *ptr)
+{
+    if (ptr != NULL)
+	krb5_pac_free(kcontext, (krb5_pac)ptr);
+
+    return;
+}
+
+static krb5_error_code
+mspac_size(krb5_context kcontext,
+	   krb5_authdata_context context,
+	   void *plugin_context,
+	   void *request_context,
+	   size_t *sizep)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+    *sizep += sizeof(krb5_int32);
+
+    if (pacctx->pac != NULL)
+	*sizep += pacctx->pac->data.length;
+
+    *sizep += sizeof(krb5_int32);
+
+    return 0;
+}
+
+static krb5_error_code
+mspac_externalize(krb5_context kcontext,
+		  krb5_authdata_context context,
+		  void *plugin_context,
+		  void *request_context,
+		  krb5_octet **buffer,
+		  size_t *lenremain)
+{
+    krb5_error_code code = 0;
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+    size_t required = 0;
+    krb5_octet *bp;
+    size_t remain;
+
+    bp = *buffer;
+    remain = *lenremain;
+
+    if (pacctx->pac != NULL) {
+	mspac_size(kcontext, context, plugin_context,
+		   request_context, &required);
+
+	if (required <= remain) {
+	    krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length,
+				&bp, &remain);
+	    krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data,
+				(size_t)pacctx->pac->data.length,
+				&bp, &remain);
+	    krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified,
+				&bp, &remain);
+	} else {
+	    code = ENOMEM;
+	}
+    } else {
+	krb5_ser_pack_int32(0, &bp, &remain); /* length */
+	krb5_ser_pack_int32(0, &bp, &remain); /* verified */
+    }
+
+    *buffer = bp;
+    *lenremain = remain;
+
+    return code;
+}
+
+static krb5_error_code
+mspac_internalize(krb5_context kcontext,
+		  krb5_authdata_context context,
+		  void *plugin_context,
+		  void *request_context,
+		  krb5_octet **buffer,
+		  size_t *lenremain)
+{
+    struct mspac_context *pacctx = (struct mspac_context *)request_context;
+    krb5_error_code code;
+    krb5_int32 ibuf;
+    krb5_octet *bp;
+    size_t remain;
+    krb5_pac pac = NULL;
+
+    bp = *buffer;
+    remain = *lenremain;
+
+    /* length */
+    code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+    if (code != 0)
+	return code;
+
+    if (ibuf != 0) {
+	code = krb5_pac_parse(kcontext, bp, ibuf, &pac);
+	if (code != 0)
+	    return code;
+
+	bp += ibuf;
+	remain -= ibuf;
+    }
+
+    /* verified */
+    code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+    if (code != 0) {
+	krb5_pac_free(kcontext, pac);
+	return code;
+    }
+
+    if (pac != NULL) {
+	pac->verified = (ibuf != 0);
+    }
+
+    if (pacctx->pac != NULL) {
+	krb5_pac_free(kcontext, pacctx->pac);
+    }
+
+    pacctx->pac = pac;
+
+    *buffer = bp;
+    *lenremain = remain;
+
+    return 0;
+}
+
+static krb5_error_code
+mspac_copy(krb5_context kcontext,
+	   krb5_authdata_context context,
+	   void *plugin_context,
+	   void *request_context,
+	   void *dst_plugin_context,
+	   void *dst_request_context)
+{
+    struct mspac_context *srcctx = (struct mspac_context *)request_context;
+    struct mspac_context *dstctx = (struct mspac_context *)dst_request_context;
+    krb5_error_code code = 0;
+
+    assert(dstctx != NULL);
+    assert(dstctx->pac == NULL);
+
+    if (srcctx->pac != NULL)
+	code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac);
+
+    return code;
+}
+
+static krb5_authdatatype mspac_ad_types[] = { KRB5_AUTHDATA_WIN2K_PAC, 0 };
+
+krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = {
+    "mspac",
+    mspac_ad_types,
+    mspac_init,
+    mspac_fini,
+    mspac_flags,
+    mspac_request_init,
+    mspac_request_fini,
+    mspac_get_attribute_types,
+    mspac_get_attribute,
+    mspac_set_attribute,
+    NULL, /* delete_attribute_proc */
+    mspac_export_authdata,
+    mspac_import_authdata,
+    mspac_export_internal,
+    mspac_free_internal,
+    mspac_verify,
+    mspac_size,
+    mspac_externalize,
+    mspac_internalize,
+    mspac_copy
+};
+

Modified: trunk/src/lib/krb5/krb/rd_req.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_req.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/rd_req.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -8,7 +8,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- * 
+ *
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -22,8 +22,8 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- * 
  *
+ *
  * krb5_rd_req()
  */
 
@@ -32,16 +32,16 @@
 
 /*
  *  Parses a KRB_AP_REQ message, returning its contents.
- * 
+ *
  *  server specifies the expected server's name for the ticket.
- * 
+ *
  *  keyproc specifies a procedure to generate a decryption key for the
  *  ticket.  If keyproc is non-NULL, keyprocarg is passed to it, and the result
  *  used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
  *  if it is non-NULL, it specifies a parameter name from which to retrieve the
  *  decryption key.  If fetchfrom is NULL, then the default key store is
  *  consulted.
- * 
+ *
  *  returns system errors, encryption errors, replay errors
  */
 
@@ -58,14 +58,14 @@
 
     if (!krb5_is_ap_req(inbuf))
 	return KRB5KRB_AP_ERR_MSG_TYPE;
-#ifndef LEAN_CLIENT 
+#ifndef LEAN_CLIENT
     if ((retval = decode_krb5_ap_req(inbuf, &request))) {
     	switch (retval) {
 	case KRB5_BADMSGTYPE:
-	    return KRB5KRB_AP_ERR_BADVERSION; 
+	    return KRB5KRB_AP_ERR_BADVERSION;
 	default:
 	    return(retval);
-	} 
+	}
     }
 #endif /* LEAN_CLIENT */
 
@@ -78,7 +78,7 @@
     }
 
 
-#ifndef LEAN_CLIENT 
+#ifndef LEAN_CLIENT
     /* Get a keytab if necessary. */
     if (keytab == NULL) {
 	if ((retval = krb5_kt_default(context, &new_keytab)))
@@ -87,10 +87,10 @@
     }
 #endif /* LEAN_CLIENT */
 
-    retval = krb5_rd_req_decoded(context, auth_context, request, server, 
+    retval = krb5_rd_req_decoded(context, auth_context, request, server,
 				 keytab, ap_req_options, ticket);
 
-#ifndef LEAN_CLIENT 
+#ifndef LEAN_CLIENT
     if (new_keytab != NULL)
         (void) krb5_kt_close(context, new_keytab);
 #endif /* LEAN_CLIENT */

Modified: trunk/src/lib/krb5/krb/rd_req_dec.c
===================================================================
--- trunk/src/lib/krb5/krb/rd_req_dec.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/rd_req_dec.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -31,6 +31,8 @@
 
 #include "k5-int.h"
 #include "auth_con.h"
+#include "authdata.h"
+#include "int-proto.h"
 
 /*
  * essentially the same as krb_rd_req, but uses a decoded AP_REQ as
@@ -92,7 +94,8 @@
 
 static krb5_error_code
 krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
-			     krb5_const_principal server, krb5_keytab keytab)
+			     krb5_const_principal server, krb5_keytab keytab,
+			     krb5_keyblock *key)
 {
     krb5_error_code 	  retval;
     krb5_keytab_entry 	  ktent;
@@ -107,10 +110,12 @@
 				   req->ticket->enc_part.enctype, &ktent);
 	if (retval == 0) {
 	    retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
+	    if (retval == 0 && key != NULL)
+		retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
 
 	    (void) krb5_free_keytab_entry_contents(context, &ktent);
 	}
-    } else { 
+    } else {
 	krb5_error_code code;
 	krb5_kt_cursor cursor;
 
@@ -142,6 +147,8 @@
 		 * server as it appeared in the ticket.
 		 */
 		retval = krb5_copy_principal(context, ktent.principal, &tmp);
+		if (retval == 0 && key != NULL)
+		    retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
 		if (retval == 0) {
 		    krb5_free_principal(context, req->ticket->server);
 		    req->ticket->server = tmp;
@@ -204,11 +211,15 @@
 {
     krb5_error_code 	  retval = 0;
     krb5_principal_data	princ_data;
-    krb5_enctype         *desired_etypes = NULL;
+    krb5_enctype	 *desired_etypes = NULL;
     int			  desired_etypes_len = 0;
     int			  rfc4537_etypes_len = 0;
-    krb5_enctype         *permitted_etypes = NULL;
+    krb5_enctype	 *permitted_etypes = NULL;
     int			  permitted_etypes_len = 0;
+    krb5_keyblock	 decrypt_key;
+
+    decrypt_key.enctype = ENCTYPE_NULL;
+    decrypt_key.contents = NULL;
  
     req->ticket->enc_part2 = NULL;
     if (server && krb5_is_referral_realm(&server->realm)) {
@@ -231,14 +242,20 @@
     	if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
 					    req->ticket)))
 	    goto cleanup;
-	krb5_free_keyblock(context, (*auth_context)->keyblock);
+	if (check_valid_flag) {
+	    decrypt_key = *((*auth_context)->keyblock);
+	    free((*auth_context)->keyblock);
+	} else
+	    krb5_free_keyblock(context, (*auth_context)->keyblock);
 	(*auth_context)->keyblock = NULL;
     } else {
-    	if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, server, keytab)))
+    	if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
+						   server, keytab,
+			    check_valid_flag ? &decrypt_key : NULL)))
 	    goto cleanup;
     }
 
-    /* XXX this is an evil hack.  check_valid_flag is set iff the call
+   /* XXX this is an evil hack.  check_valid_flag is set iff the call
        is not from inside the kdc.  we can use this to determine which
        key usage to use */
 #ifndef LEAN_CLIENT
@@ -284,7 +301,7 @@
 
       	/* If the transited list is empty, then we have at most one hop */
       	if (trans->tr_contents.data && trans->tr_contents.data[0])
-            retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+	    retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
     }
 
 #elif defined(_NO_CROSS_REALM)
@@ -325,7 +342,7 @@
 	/*
       	 * If the transited list is not empty, then check that all realms 
       	 * transited are within the hierarchy between the client's realm  
-      	 * and the local realm.                                        
+      	 * and the local realm.
   	 */
 	if (trans->tr_contents.data && trans->tr_contents.data[0]) {
 	    retval = krb5_check_transited_list(context, &(trans->tr_contents), 
@@ -344,7 +361,7 @@
 
     if ((*auth_context)->rcache) {
 	krb5_donot_replay  rep;
-        krb5_tkt_authent   tktauthent;
+	krb5_tkt_authent   tktauthent;
 
 	tktauthent.ticket = req->ticket;	
 	tktauthent.authenticator = (*auth_context)->authentp;
@@ -376,6 +393,17 @@
 	retval = KRB5KRB_AP_ERR_TKT_INVALID;
 	goto cleanup;
       }
+
+      if ((retval = krb5_authdata_context_init(context,
+					       &(*auth_context)->ad_context)))
+	goto cleanup;
+      if ((retval = krb5int_authdata_verify(context,
+					    (*auth_context)->ad_context,
+					    AD_USAGE_MASK,
+					    auth_context,
+					    &decrypt_key,
+					    req)))
+        goto cleanup;
     }
 
     /* read RFC 4537 etype list from sender */
@@ -520,18 +548,21 @@
 	    krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
 	req->ticket->enc_part2 = NULL;
     }
+    if (check_valid_flag)
+	krb5_free_keyblock_contents(context, &decrypt_key);
+
     return retval;
 }
 
 krb5_error_code
 krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
-		    const krb5_ap_req *req, krb5_const_principal server,
-		    krb5_keytab keytab, krb5_flags *ap_req_options,
-		    krb5_ticket **ticket)
+                    const krb5_ap_req *req, krb5_const_principal server,
+                    krb5_keytab keytab, krb5_flags *ap_req_options,
+                    krb5_ticket **ticket)
 {
   krb5_error_code retval;
   retval = krb5_rd_req_decoded_opt(context, auth_context,
-				   req, server, keytab, 
+				   req, server, keytab,
 				   ap_req_options, ticket,
 				   1); /* check_valid_flag */
   return retval;
@@ -539,14 +570,14 @@
 
 krb5_error_code
 krb5_rd_req_decoded_anyflag(krb5_context context,
-			    krb5_auth_context *auth_context,
-			    const krb5_ap_req *req,
-			    krb5_const_principal server, krb5_keytab keytab,
-			    krb5_flags *ap_req_options, krb5_ticket **ticket)
+                            krb5_auth_context *auth_context,
+                            const krb5_ap_req *req,
+                            krb5_const_principal server, krb5_keytab keytab,
+                            krb5_flags *ap_req_options, krb5_ticket **ticket)
 {
   krb5_error_code retval;
   retval = krb5_rd_req_decoded_opt(context, auth_context,
-				   req, server, keytab, 
+				   req, server, keytab,
 				   ap_req_options, ticket,
 				   0); /* don't check_valid_flag */
   return retval;

Modified: trunk/src/lib/krb5/krb/s4u_creds.c
===================================================================
--- trunk/src/lib/krb5/krb/s4u_creds.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/s4u_creds.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -115,7 +115,7 @@
         client = &client_data;
     }
 
-    code = krb5_get_init_creds(context, &creds, in_creds->client,
+    code = krb5_get_init_creds(context, &creds, client,
                                NULL, NULL, 0, NULL, opte,
                                krb5_get_as_key_noop, &userid,
                                &use_master, NULL);

Modified: trunk/src/lib/krb5/krb/ser_actx.c
===================================================================
--- trunk/src/lib/krb5/krb/ser_actx.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/ser_actx.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -560,5 +560,7 @@
 	kret = krb5_ser_keyblock_init(kcontext);
     if (!kret)
 	kret = krb5_ser_principal_init(kcontext);
+    if (!kret)
+	kret = krb5_ser_authdata_context_init(kcontext);
     return(kret);
 }

Modified: trunk/src/lib/krb5/krb/t_authdata.c
===================================================================
--- trunk/src/lib/krb5/krb/t_authdata.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/krb/t_authdata.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -65,6 +65,13 @@
 
 krb5_authdata *adseq2[] = {&ad3, NULL};
 
+krb5_keyblock key = {
+    KV5M_KEYBLOCK,
+    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+    16,
+    (unsigned char *)"1234567890ABCDEF"
+};
+
 static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) {
   assert(adc1->ad_type == adc2->ad_type);
   assert(adc1->length == adc2->length);
@@ -77,7 +84,7 @@
     krb5_authdata **results;
     krb5_authdata *container[2];
     krb5_authdata **container_out;
-  
+    krb5_authdata **kdci;
 
     assert(krb5_init_context(&context) == 0);
     assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0);
@@ -96,6 +103,13 @@
     compare_authdata( results[1], &ad4);
     compare_authdata( results[2], &ad3);
     assert( results[3] == NULL);
+    krb5_free_authdata(context, container_out);
+    assert(krb5_make_authdata_kdc_issued(context, &key, NULL, results, &kdci) == 0);
+    assert(krb5_verify_authdata_kdc_issued(context, &key, kdci[0], NULL, &container_out) == 0);
+    compare_authdata(container_out[0], results[0]);
+    compare_authdata(container_out[1], results[1]);
+    compare_authdata(container_out[2], results[2]);
+    krb5_free_authdata(context, kdci);
     krb5_free_authdata(context, results);
     krb5_free_authdata(context, container_out);
     krb5_free_context(context);

Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/lib/krb5/libkrb5.exports	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1,4 +1,5 @@
 _krb5_conf_boolean
+decode_krb5_ad_kdcissued
 decode_krb5_alt_method
 decode_krb5_ap_rep
 decode_krb5_ap_rep_enc_part
@@ -40,6 +41,7 @@
 decode_krb5_tgs_req
 decode_krb5_ticket
 decode_krb5_typed_data
+encode_krb5_ad_kdcissued
 encode_krb5_alt_method
 encode_krb5_ap_rep
 encode_krb5_ap_rep_enc_part
@@ -108,6 +110,7 @@
 krb5_auth_con_free
 krb5_auth_con_genaddrs
 krb5_auth_con_get_checksum_func
+krb5_auth_con_get_authdata_context
 krb5_auth_con_getaddrs
 krb5_auth_con_getauthenticator
 krb5_auth_con_getflags
@@ -123,6 +126,7 @@
 krb5_auth_con_getsendsubkey
 krb5_auth_con_init
 krb5_auth_con_initivector
+krb5_auth_con_set_authdata_context
 krb5_auth_con_set_checksum_func
 krb5_auth_con_set_req_cksumtype
 krb5_auth_con_set_safe_cksumtype
@@ -136,6 +140,18 @@
 krb5_auth_con_setsendsubkey
 krb5_auth_con_setuseruserkey
 krb5_auth_to_rep
+krb5_authdata_context_copy
+krb5_authdata_context_free
+krb5_authdata_context_init
+krb5_authdata_delete_attribute
+krb5_authdata_get_attribute_types
+krb5_authdata_get_attribute
+krb5_authdata_set_attribute
+krb5_authdata_export_attributes
+krb5_authdata_export_authdata
+krb5_authdata_export_internal
+krb5_authdata_free_internal
+krb5_authdata_import_attributes
 krb5_build_principal
 krb5_build_principal_alloc_va
 krb5_build_principal_ext
@@ -203,6 +219,7 @@
 krb5_externalize_opaque
 krb5_fcc_ops
 krb5_find_serializer
+krb5_free_ad_kdcissued
 krb5_free_address
 krb5_free_addresses
 krb5_free_alt_method
@@ -364,6 +381,7 @@
 krb5_libdefault_boolean
 krb5_locate_kdc
 krb5_lock_file
+krb5_make_authdata_kdc_issued
 krb5_make_full_ipaddr
 krb5_make_fulladdr
 krb5_max_dgram_size
@@ -519,6 +537,7 @@
 krb5_us_timeofday
 krb5_use_natural_time
 krb5_validate_times
+krb5_verify_authdata_kdc_issued
 krb5_verify_init_creds
 krb5_verify_init_creds_opt_init
 krb5_verify_init_creds_opt_set_ap_req_nofail
@@ -534,6 +553,7 @@
 krb5int_find_pa_data
 krb5int_foreach_localaddr
 krb5int_free_addrlist
+krb5int_free_data_list
 krb5int_get_domain_realm_mapping
 krb5int_init_context_kdc
 krb5int_initialize_library

Copied: trunk/src/plugins/authdata/greet_client (from rev 22872, users/lhoward/authdata/src/plugins/authdata/greet_client)


Modified: trunk/src/tests/asn.1/krb5_decode_leak.c
===================================================================
--- trunk/src/tests/asn.1/krb5_decode_leak.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/krb5_decode_leak.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -662,7 +662,6 @@
     /* encode_krb5_pa_s4u_x509_user */
     {
         krb5_pa_s4u_x509_user s4u, *tmp;
-
         setup(s4u, "pa_s4u_x509_user",
               ktest_make_sample_pa_s4u_x509_user);
         leak_test(s4u, encode_krb5_pa_s4u_x509_user,
@@ -670,6 +669,17 @@
                   krb5_free_pa_s4u_x509_user);
         ktest_empty_pa_s4u_x509_user(&s4u);
     }
+    /****************************************************************/
+    /* encode_krb5_ad_kdcissued */
+    {
+        krb5_ad_kdcissued kdci, *tmp;
+        setup(kdci, "ad_kdcissued",
+              ktest_make_sample_ad_kdcissued);
+        leak_test(kdci, encode_krb5_ad_kdcissued,
+                  decode_krb5_ad_kdcissued,
+                  krb5_free_ad_kdcissued);
+        ktest_empty_ad_kdcissued(&kdci);
+    }
     krb5_free_context(test_context);
     return 0;
 }

Modified: trunk/src/tests/asn.1/krb5_decode_test.c
===================================================================
--- trunk/src/tests/asn.1/krb5_decode_test.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/krb5_decode_test.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -891,12 +891,22 @@
 	ktest_empty_sam_response(&ref);
     }
 
+    /****************************************************************/
+    /* decode_pa_s4u_x509_user */
     {
 	setup(krb5_pa_s4u_x509_user,"krb5_pa_s4u_x509_user",ktest_make_sample_pa_s4u_x509_user);
 	decode_run("pa_s4u_x509_user","","30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_pa_s4u_x509_user,ktest_equal_pa_s4u_x509_user,krb5_free_pa_s4u_x509_user);
 	ktest_empty_pa_s4u_x509_user(&ref);
     }
 
+    /****************************************************************/
+    /* decode_ad_kdcissued */
+    {
+	setup(krb5_ad_kdcissued,"krb5_ad_kdcissued",ktest_make_sample_ad_kdcissued);
+	decode_run("ad_kdcissued","","30 65 A0 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_ad_kdcissued,ktest_equal_ad_kdcissued,krb5_free_ad_kdcissued);
+	ktest_empty_ad_kdcissued(&ref);
+    }
+
 #ifdef ENABLE_LDAP
     /* ldap sequence_of_keys */
     {

Modified: trunk/src/tests/asn.1/krb5_encode_test.c
===================================================================
--- trunk/src/tests/asn.1/krb5_encode_test.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/krb5_encode_test.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -706,7 +706,17 @@
 		   encode_krb5_pa_s4u_x509_user);
 	ktest_empty_pa_s4u_x509_user(&s4u);
     }
-
+    /****************************************************************/
+    /* encode_krb5_ad_kdcissued */
+    {
+	krb5_ad_kdcissued kdci;
+	setup(kdci,krb5_ad_kdcissued,"ad_kdcissued",
+	      ktest_make_sample_ad_kdcissued);
+	encode_run(kdci,krb5_ad_kdcissued,
+		   "ad_kdcissued","",
+		   encode_krb5_ad_kdcissued);
+	ktest_empty_ad_kdcissued(&kdci);
+    }
 #ifdef ENABLE_LDAP
     {
 	ldap_seqof_key_data skd;

Modified: trunk/src/tests/asn.1/ktest.c
===================================================================
--- trunk/src/tests/asn.1/ktest.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -842,6 +842,19 @@
     return 0;
 }
 
+krb5_error_code ktest_make_sample_ad_kdcissued(p)
+    krb5_ad_kdcissued *p;
+{
+    krb5_error_code retval;
+    retval = ktest_make_sample_checksum(&p->ad_checksum);
+    if (retval) return retval;
+    retval = ktest_make_sample_principal(&p->i_principal);
+    if (retval) return retval;
+    retval = ktest_make_sample_authorization_data(&p->elements);
+    if (retval) return retval;
+    return retval;
+}
+
 #ifdef ENABLE_LDAP
 static krb5_error_code ktest_make_sample_key_data(krb5_key_data *p, int i)
 {
@@ -1445,6 +1458,14 @@
     if (p->cksum.contents) free(p->cksum.contents);
 }
 
+void ktest_empty_ad_kdcissued(p)
+    krb5_ad_kdcissued *p;
+{
+    if (p->ad_checksum.contents) free(p->ad_checksum.contents);
+    ktest_destroy_principal(&p->i_principal);
+    ktest_destroy_authorization_data(&p->elements);
+}
+
 #ifdef ENABLE_LDAP
 void ktest_empty_ldap_seqof_key_data(ctx, p)
     krb5_context ctx;

Modified: trunk/src/tests/asn.1/ktest.h
===================================================================
--- trunk/src/tests/asn.1/ktest.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -106,6 +106,7 @@
 krb5_error_code ktest_make_sample_predicted_sam_response(krb5_predicted_sam_response *p);
 krb5_error_code ktest_make_sample_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
 krb5_error_code ktest_make_sample_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
+krb5_error_code ktest_make_sample_ad_kdcissued(krb5_ad_kdcissued *p);
 
 #ifdef ENABLE_LDAP
 krb5_error_code ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data * p);
@@ -215,6 +216,7 @@
 void ktest_empty_sam_response_2(krb5_sam_response_2 *p);
 void ktest_empty_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
 void ktest_empty_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
+void ktest_empty_ad_kdcissued(krb5_ad_kdcissued *p);
 
 #ifdef ENABLE_LDAP
 void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p);

Modified: trunk/src/tests/asn.1/ktest_equal.c
===================================================================
--- trunk/src/tests/asn.1/ktest_equal.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest_equal.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -556,6 +556,20 @@
     p=p&&struct_equal(cksum,ktest_equal_checksum);
     return p;
 }
+
+int ktest_equal_ad_kdcissued(ref, var)
+    krb5_ad_kdcissued *ref;
+    krb5_ad_kdcissued *var;
+{
+    int p = TRUE;
+    if (ref == var) return TRUE;
+    else if (ref == NULL || var == NULL) return FALSE;
+    p=p&&struct_equal(ad_checksum,ktest_equal_checksum);
+    p=p&&ptr_equal(i_principal,ktest_equal_principal_data);
+    p=p&&ptr_equal(elements,ktest_equal_authorization_data);
+    return p;
+}
+
 #ifdef ENABLE_LDAP
 static int equal_key_data(ref, var)
     krb5_key_data *ref;

Modified: trunk/src/tests/asn.1/ktest_equal.h
===================================================================
--- trunk/src/tests/asn.1/ktest_equal.h	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/ktest_equal.h	2009-10-09 18:29:34 UTC (rev 22875)
@@ -95,6 +95,10 @@
     (krb5_pa_s4u_x509_user *ref,
 		    krb5_pa_s4u_x509_user *var);
 
+int ktest_equal_ad_kdcissued
+    (krb5_ad_kdcissued *ref,
+		    krb5_ad_kdcissued *var);
+
 int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
 				      ldap_seqof_key_data *var);
 #endif

Modified: trunk/src/tests/asn.1/reference_encode.out
===================================================================
--- trunk/src/tests/asn.1/reference_encode.out	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/reference_encode.out	2009-10-09 18:29:34 UTC (rev 22875)
@@ -57,3 +57,4 @@
 encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 1D 30 1B A0 03 02 01 01 A1 04 02 02 0D 36 A2 0E 04 0C 6E 6F 6E 63 65 20 6F 72 20 73 61 64 A4 05 02 03 54 32 10
 encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32
 encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
+encode_krb5_ad_kdcissued: 30 65 A0 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72

Modified: trunk/src/tests/asn.1/trval_reference.out
===================================================================
--- trunk/src/tests/asn.1/trval_reference.out	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/asn.1/trval_reference.out	2009-10-09 18:29:34 UTC (rev 22875)
@@ -1263,3 +1263,23 @@
 .  .  [0] [Integer] 1
 .  .  [1] [Octet String] "1234"
 
+encode_krb5_ad_kdcissued:
+
+[Sequence/Sequence Of] 
+.  [0] [Sequence/Sequence Of] 
+.  .  [0] [Integer] 1
+.  .  [1] [Octet String] "1234"
+.  [1] [General string] "ATHENA.MIT.EDU"
+.  [2] [Sequence/Sequence Of] 
+.  .  [0] [Integer] 1
+.  .  [1] [Sequence/Sequence Of] 
+.  .  .  [General string] "hftsai"
+.  .  .  [General string] "extra"
+.  [3] [Sequence/Sequence Of] 
+.  .  [Sequence/Sequence Of] 
+.  .  .  [0] [Integer] 1
+.  .  .  [1] [Octet String] "foobar"
+.  .  [Sequence/Sequence Of] 
+.  .  .  [0] [Integer] 1
+.  .  .  [1] [Octet String] "foobar"
+

Modified: trunk/src/tests/gssapi/Makefile.in
===================================================================
--- trunk/src/tests/gssapi/Makefile.in	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/gssapi/Makefile.in	2009-10-09 18:29:34 UTC (rev 22875)
@@ -6,18 +6,19 @@
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
 
-SRCS= $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c
+SRCS= $(srcdir)/t_imp_name.c $(srcdir)/t_s4u.c $(srcdir)/t_namingexts.c
 
-OBJS= t_imp_name.o t_s4u.o
+OBJS= t_imp_name.o t_s4u.o t_namingexts.o
 
-all:: t_imp_name t_s4u
+all:: t_imp_name t_s4u t_namingexts
 
 t_imp_name: t_imp_name.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_imp_name t_imp_name.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
-
+t_namingexts: t_namingexts.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o t_namingexts t_namingexts.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 t_s4u: t_s4u.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
 	$(CC_LINK) -o t_s4u t_s4u.o $(GSS_LIBS) $(KRB5_BASE_LIBS)
 
 clean::
-	$(RM) t_imp_name t_s4u
+	$(RM) t_imp_name t_s4u t_namingexts
 

Copied: trunk/src/tests/gssapi/t_namingexts.c (from rev 22872, users/lhoward/authdata/src/tests/gssapi/t_namingexts.c)

Modified: trunk/src/tests/gssapi/t_s4u.c
===================================================================
--- trunk/src/tests/gssapi/t_s4u.c	2009-10-09 17:23:31 UTC (rev 22874)
+++ trunk/src/tests/gssapi/t_s4u.c	2009-10-09 18:29:34 UTC (rev 22875)
@@ -59,7 +59,7 @@
 
 static gss_OID_desc spnego_mech = { 6, "\053\006\001\005\005\002" };
 
-int use_spnego = 0;
+static int use_spnego = 0;
 
 static void displayStatus_1(m, code, type)
      char *m;
@@ -140,7 +140,135 @@
     return GSS_S_COMPLETE;
 }
 
+static void
+dumpAttribute(OM_uint32 *minor,
+              gss_name_t name,
+              gss_buffer_t attribute,
+              int noisy)
+{
+    OM_uint32 major, tmp_minor;
+    gss_buffer_desc value;
+    gss_buffer_desc display_value;
+    int authenticated = 0;
+    int complete = 0;
+    int more = -1;
+    unsigned int i;
+
+    while (more != 0) {
+        value.value = NULL;
+        display_value.value = NULL;
+
+        major = gss_get_name_attribute(minor,
+                                       name,
+                                       attribute,
+                                       &authenticated,
+                                       &complete,
+                                       &value,
+                                       &display_value,
+                                       &more);
+        if (GSS_ERROR(major)) {
+            displayStatus("gss_get_name_attribute", major, *minor);
+            break;
+        }
+
+        printf("Attribute %.*s %s %s\n\n%.*s\n",
+               (int)attribute->length, (char *)attribute->value,
+               authenticated ? "Authenticated" : "",
+                complete ? "Complete" : "",
+               (int)display_value.length, (char *)display_value.value);
+
+        if (noisy) {
+            for (i = 0; i < value.length; i++) {
+                if ((i % 32) == 0)
+                    printf("\n");
+                printf("%02x", ((char *)value.value)[i] & 0xFF);
+            }
+            printf("\n\n");
+        }
+
+        gss_release_buffer(&tmp_minor, &value);
+        gss_release_buffer(&tmp_minor, &display_value);
+    }
+}
+
 static OM_uint32
+enumerateAttributes(OM_uint32 *minor,
+                    gss_name_t name,
+                    int noisy)
+{
+    OM_uint32 major, tmp_minor;
+    int name_is_MN;
+    gss_OID mech = GSS_C_NO_OID;
+    gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET;
+    unsigned int i;
+
+    major = gss_inquire_name(minor,
+                             name,
+                             &name_is_MN,
+                             &mech,
+                             &attrs);
+    if (GSS_ERROR(major)) {
+        displayStatus("gss_inquire_name", major, *minor);
+        return major;
+    }
+
+    if (attrs != GSS_C_NO_BUFFER_SET) {
+        for (i = 0; i < attrs->count; i++)
+            dumpAttribute(minor, name, &attrs->elements[i], noisy);
+    }
+
+    gss_release_oid(&tmp_minor, &mech);
+    gss_release_buffer_set(&tmp_minor, &attrs);
+
+    return major;
+}
+
+static OM_uint32
+testGreetAuthzData(OM_uint32 *minor,
+                   gss_name_t *name)
+{
+    OM_uint32 major, tmp_minor;
+    gss_buffer_desc attr;
+    gss_buffer_desc value;
+    gss_name_t canon;
+
+    major = gss_canonicalize_name(minor,
+                                  *name,
+                                  (gss_OID)gss_mech_krb5,
+                                  &canon);
+    if (GSS_ERROR(major)) {
+        displayStatus("gss_canonicalize_name", major, *minor);
+        return major;
+    }
+
+    attr.value = "greet:greeting";
+    attr.length = strlen((char *)attr.value);
+
+    value.value = "Hello, acceptor world!";
+    value.length = strlen((char *)value.value);
+
+    major = gss_set_name_attribute(minor,
+                                   canon,
+                                   1,
+                                   &attr,
+                                   &value);
+    if (major == GSS_S_UNAVAILABLE)
+        major = GSS_S_COMPLETE;
+    else if (GSS_ERROR(major))
+        displayStatus("gss_set_name_attribute", major, *minor);
+    else {
+        gss_release_name(&tmp_minor, name);
+        *name = canon;
+        canon = GSS_C_NO_NAME;
+    }
+
+    if (canon != GSS_C_NO_NAME)
+        gss_release_name(&tmp_minor, &canon);
+
+    return GSS_S_COMPLETE;
+}
+
+static OM_uint32
 initAcceptSecContext(OM_uint32 *minor,
                      gss_cred_id_t claimant_cred_handle,
                      gss_cred_id_t verifier_cred_handle,
@@ -217,6 +345,7 @@
     else {
         displayCanonName(minor, source_name, "Source name");
         displayOID(minor, mech, "Source mech");
+        enumerateAttributes(minor, source_name, 1);
     }
 
     (void) gss_release_name(&tmp_minor, &source_name);
@@ -367,6 +496,10 @@
     printf("Protocol transition tests follow\n");
     printf("-----------------------------------\n\n");
 
+    major = testGreetAuthzData(&minor, &user);
+    if (GSS_ERROR(major))
+        goto out;
+
     /* get S4U2Self cred */
     major = gss_acquire_cred_impersonate_name(&minor,
                                               impersonator_cred_handle,

Property changes on: trunk/src/plugins/authdata/greet_client
___________________________________________________________________
Name: svn:ignore
   + Makefile


Copied: trunk/src/plugins/authdata/greet_server (from rev 22872, users/lhoward/authdata/src/plugins/authdata/greet_server)


Property changes on: trunk/src/plugins/authdata/greet_server
___________________________________________________________________
Name: svn:ignore
   + Makefile




From epeisach at MIT.EDU  Fri Oct  9 21:49:39 2009
From: epeisach at MIT.EDU (epeisach@MIT.EDU)
Date: Fri, 9 Oct 2009 21:49:39 -0400
Subject: svn rev #22876: trunk/src/tests/mkeystash_compat/ 
Message-ID: <200910100149.n9A1ndv9024520@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22876
Commit By: epeisach
Log Message:
Remove krb5.conf, bigendian.o, and bigendian on make clean.




Changed Files:
U   trunk/src/tests/mkeystash_compat/Makefile.in
Modified: trunk/src/tests/mkeystash_compat/Makefile.in
===================================================================
--- trunk/src/tests/mkeystash_compat/Makefile.in	2009-10-09 18:29:34 UTC (rev 22875)
+++ trunk/src/tests/mkeystash_compat/Makefile.in	2009-10-10 01:49:38 UTC (rev 22876)
@@ -48,5 +48,5 @@
 	$(RM) $(TEST_DB)* stash_file
 
 clean::
-	$(RM) kdc.conf
+	$(RM) kdc.conf krb5.conf bigendian.$(OBJEXT) bigendian
 



From tlyu at MIT.EDU  Fri Oct  9 23:57:46 2009
From: tlyu at MIT.EDU (tlyu@MIT.EDU)
Date: Fri, 9 Oct 2009 23:57:46 -0400
Subject: svn rev #22877: trunk/src/ appl/bsd/ appl/telnet/telnetd/
	clients/ksu/ clients/kvno/ ...
Message-ID: <200910100357.n9A3vksZ001169@drugstore.mit.edu>

http://src.mit.edu/fisheye/changelog/krb5/?cs=22877
Commit By: tlyu
Log Message:
Move destest to builtin/des, because it depends on overriding some
internals.

Make depend.


Changed Files:
U   trunk/src/appl/bsd/deps
U   trunk/src/appl/telnet/telnetd/deps
U   trunk/src/clients/ksu/deps
U   trunk/src/clients/kvno/deps
U   trunk/src/kadmin/cli/deps
U   trunk/src/kadmin/dbutil/deps
U   trunk/src/kadmin/ktutil/deps
U   trunk/src/kadmin/server/deps
U   trunk/src/kdc/deps
U   trunk/src/lib/apputils/deps
U   trunk/src/lib/crypto/builtin/aes/deps
U   trunk/src/lib/crypto/builtin/arcfour/deps
U   trunk/src/lib/crypto/builtin/deps
U   trunk/src/lib/crypto/builtin/des/Makefile.in
U   trunk/src/lib/crypto/builtin/des/deps
A   trunk/src/lib/crypto/builtin/des/destest.c
A   trunk/src/lib/crypto/builtin/des/keytest.data
U   trunk/src/lib/crypto/builtin/enc_provider/deps
U   trunk/src/lib/crypto/builtin/hash_provider/deps
U   trunk/src/lib/crypto/builtin/md4/deps
U   trunk/src/lib/crypto/builtin/md5/deps
U   trunk/src/lib/crypto/builtin/sha1/deps
U   trunk/src/lib/crypto/crypto_tests/Makefile.in
D   trunk/src/lib/crypto/crypto_tests/destest.c
D   trunk/src/lib/crypto/crypto_tests/keytest.data
U   trunk/src/lib/crypto/krb/crc32/deps
U   trunk/src/lib/crypto/krb/deps
U   trunk/src/lib/crypto/krb/dk/deps
U   trunk/src/lib/crypto/krb/keyhash_provider/deps
U   trunk/src/lib/crypto/krb/old/deps
U   trunk/src/lib/crypto/krb/prf/deps
U   trunk/src/lib/crypto/krb/rand2key/deps
U   trunk/src/lib/crypto/krb/raw/deps
U   trunk/src/lib/crypto/krb/yarrow/deps
U   trunk/src/lib/gssapi/krb5/deps
U   trunk/src/lib/gssapi/mechglue/deps
U   trunk/src/lib/gssapi/spnego/deps
U   trunk/src/lib/kadm5/clnt/deps
U   trunk/src/lib/kadm5/deps
U   trunk/src/lib/kadm5/srv/deps
U   trunk/src/lib/kadm5/unit-test/deps
U   trunk/src/lib/kdb/deps
U   trunk/src/lib/krb5/asn.1/deps
U   trunk/src/lib/krb5/ccache/deps
U   trunk/src/lib/krb5/deps
U   trunk/src/lib/krb5/keytab/deps
U   trunk/src/lib/krb5/krb/deps
U   trunk/src/lib/krb5/os/deps
U   trunk/src/lib/krb5/rcache/deps
U   trunk/src/lib/krb5/unicode/deps
U   trunk/src/plugins/kdb/db2/deps
U   trunk/src/plugins/kdb/ldap/deps
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/deps
U   trunk/src/plugins/preauth/encrypted_challenge/deps
U   trunk/src/slave/deps
U   trunk/src/tests/asn.1/deps
U   trunk/src/tests/create/deps
U   trunk/src/tests/gssapi/deps
U   trunk/src/tests/hammer/deps
U   trunk/src/tests/misc/deps
U   trunk/src/tests/verify/deps
U   trunk/src/util/ss/deps
Modified: trunk/src/appl/bsd/deps
===================================================================
--- trunk/src/appl/bsd/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/appl/bsd/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -9,9 +9,9 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  defines.h krcp.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h defines.h krcp.c
 $(OUTPRE)krlogin.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
@@ -30,9 +30,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h defines.h kcmd.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  defines.h kcmd.c
 $(OUTPRE)forward.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/fake-addrinfo.h \
@@ -40,9 +41,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h defines.h forward.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  defines.h forward.c
 $(OUTPRE)login.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -50,9 +52,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h login.c loginpaths.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  login.c loginpaths.h
 $(OUTPRE)krshd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -61,10 +64,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h defines.h krshd.c \
-  loginpaths.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  defines.h krshd.c loginpaths.h
 $(OUTPRE)krlogind.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/libpty.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -73,6 +76,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h defines.h krlogind.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  defines.h krlogind.c

Modified: trunk/src/appl/telnet/telnetd/deps
===================================================================
--- trunk/src/appl/telnet/telnetd/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/appl/telnet/telnetd/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -34,11 +34,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../arpa/telnet.h \
-  $(srcdir)/../libtelnet/auth-proto.h $(srcdir)/../libtelnet/auth.h \
-  defs.h ext.h pathnames.h sys_term.c telnetd.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../arpa/telnet.h $(srcdir)/../libtelnet/auth-proto.h \
+  $(srcdir)/../libtelnet/auth.h defs.h ext.h pathnames.h \
+  sys_term.c telnetd.h
 $(OUTPRE)utility.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \

Modified: trunk/src/clients/ksu/deps
===================================================================
--- trunk/src/clients/ksu/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/clients/ksu/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,9 +8,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h krb_auth_su.c ksu.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  krb_auth_su.c ksu.h
 $(OUTPRE)ccache.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
@@ -19,9 +20,9 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  ccache.c ksu.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h ccache.c ksu.h
 $(OUTPRE)authorization.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -29,9 +30,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h authorization.c ksu.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  authorization.c ksu.h
 $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
@@ -40,9 +42,9 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/k5-util.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  ksu.h main.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h ksu.h main.c
 $(OUTPRE)heuristic.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -50,9 +52,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h heuristic.c ksu.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  heuristic.c ksu.h
 $(OUTPRE)xmalloc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -60,8 +63,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/k5-util.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h ksu.h xmalloc.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  ksu.h xmalloc.c
 $(OUTPRE)setenv.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   setenv.c

Modified: trunk/src/clients/kvno/deps
===================================================================
--- trunk/src/clients/kvno/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/clients/kvno/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,6 +8,6 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  kvno.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h kvno.c

Modified: trunk/src/kadmin/cli/deps
===================================================================
--- trunk/src/kadmin/cli/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/kadmin/cli/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -36,9 +36,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h kadmin.h keytab.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  kadmin.h keytab.c
 $(OUTPRE)keytab_local.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
@@ -54,7 +55,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h kadmin.h keytab.c \
-  keytab_local.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  kadmin.h keytab.c keytab_local.c

Modified: trunk/src/kadmin/dbutil/deps
===================================================================
--- trunk/src/kadmin/dbutil/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/kadmin/dbutil/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -18,9 +18,9 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  kdb5_util.c kdb5_util.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h kdb5_util.c kdb5_util.h
 $(OUTPRE)kdb5_create.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
@@ -39,9 +39,9 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  kdb5_create.c kdb5_util.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h kdb5_create.c kdb5_util.h
 $(OUTPRE)kadm5_create.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
@@ -59,10 +59,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h kadm5_create.c kdb5_util.h \
-  string_table.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  kadm5_create.c kdb5_util.h string_table.h
 $(OUTPRE)string_table.$(OBJEXT): string_table.c
 $(OUTPRE)kdb5_destroy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
@@ -80,9 +80,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h kdb5_destroy.c kdb5_util.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  kdb5_destroy.c kdb5_util.h
 $(OUTPRE)kdb5_stash.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
@@ -99,9 +100,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h kdb5_stash.c kdb5_util.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  kdb5_stash.c kdb5_util.h
 $(OUTPRE)import_err.$(OBJEXT): $(COM_ERR_DEPS) import_err.c
 $(OUTPRE)strtok.$(OBJEXT): nstrtok.h strtok.c
 $(OUTPRE)dump.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
@@ -121,9 +123,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h dump.c kdb5_util.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  dump.c kdb5_util.h
 $(OUTPRE)ovload.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
@@ -141,10 +144,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_log.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h import_err.h kdb5_util.h \
-  nstrtok.h ovload.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  import_err.h kdb5_util.h nstrtok.h ovload.c
 $(OUTPRE)kdb5_mkey.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
@@ -163,6 +166,6 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  kdb5_mkey.c kdb5_util.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h kdb5_mkey.c kdb5_util.h

Modified: trunk/src/kadmin/ktutil/deps
===================================================================
--- trunk/src/kadmin/ktutil/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/kadmin/ktutil/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(SS_DEPS) ktutil.c \
-  ktutil.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(SS_DEPS) ktutil.c ktutil.h
 $(OUTPRE)ktutil_ct.$(OBJEXT): $(COM_ERR_DEPS) $(SS_DEPS) \
   ktutil_ct.c
 $(OUTPRE)ktutil_funcs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
@@ -21,6 +21,6 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  ktutil.h ktutil_funcs.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h ktutil.h ktutil_funcs.c

Modified: trunk/src/kadmin/server/deps
===================================================================
--- trunk/src/kadmin/server/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/kadmin/server/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -51,11 +51,11 @@
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_kt.h \
   $(SRCTOP)/include/kdb_log.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(SRCTOP)/lib/gssapi/generic/gssapiP_generic.h $(SRCTOP)/lib/gssapi/generic/gssapi_ext.h \
-  $(SRCTOP)/lib/gssapi/generic/gssapi_generic.h $(SRCTOP)/lib/gssapi/krb5/gssapiP_krb5.h \
-  misc.h ovsec_kadmd.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(SRCTOP)/lib/gssapi/generic/gssapiP_generic.h \
+  $(SRCTOP)/lib/gssapi/generic/gssapi_ext.h $(SRCTOP)/lib/gssapi/generic/gssapi_generic.h \
+  $(SRCTOP)/lib/gssapi/krb5/gssapiP_krb5.h misc.h ovsec_kadmd.c
 $(OUTPRE)schpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
@@ -71,9 +71,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h misc.h schpw.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  misc.h schpw.c
 $(OUTPRE)misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
   $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \
@@ -90,9 +91,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h misc.c misc.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  misc.c misc.h
 $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
   $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
@@ -128,6 +130,7 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h misc.h network.c
+  $(SRCTOP)/include/kdb.h $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  misc.h network.c

Modified: trunk/src/kdc/deps
===================================================================
--- trunk/src/kdc/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/kdc/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -10,10 +10,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_ext.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h dispatch.c extern.h \
-  kdc_util.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  dispatch.c extern.h kdc_util.h
 $(OUTPRE)do_as_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \
@@ -23,9 +23,10 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  do_as_req.c extern.h kdc_util.h policy.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h do_as_req.c extern.h \
+  kdc_util.h policy.h
 $(OUTPRE)do_tgs_req.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
@@ -34,10 +35,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_ext.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h do_tgs_req.c extern.h \
-  kdc_util.h policy.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  do_tgs_req.c extern.h kdc_util.h policy.h
 $(OUTPRE)fast_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -46,9 +47,10 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  extern.h fast_util.c kdc_util.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h extern.h fast_util.c \
+  kdc_util.h
 $(OUTPRE)kdc_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \
@@ -58,9 +60,10 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  extern.h kdc_util.c kdc_util.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h extern.h kdc_util.c \
+  kdc_util.h
 $(OUTPRE)kdc_preauth.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
@@ -69,10 +72,10 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/kdb.h $(SRCTOP)/include/kdb_ext.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h extern.h kdc_preauth.c \
-  kdc_util.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  extern.h kdc_preauth.c kdc_util.h
 $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm.h \
@@ -82,10 +85,10 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/kdb_kt.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h extern.h kdc5_err.h \
-  kdc_util.h main.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  extern.h kdc5_err.h kdc_util.h main.c
 $(OUTPRE)network.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \
@@ -96,9 +99,10 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  extern.h kdc5_err.h kdc_util.h network.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h extern.h kdc5_err.h \
+  kdc_util.h network.c
 $(OUTPRE)policy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -107,9 +111,10 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  extern.h kdc_util.h policy.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h extern.h kdc_util.h \
+  policy.c
 $(OUTPRE)extern.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -117,9 +122,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h extern.c extern.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  extern.c extern.h
 $(OUTPRE)replay.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -128,9 +134,10 @@
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/kdb.h \
   $(SRCTOP)/include/kdb_ext.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  extern.h kdc_util.h replay.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h extern.h kdc_util.h \
+  replay.c
 $(OUTPRE)kdc_authdata.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/adm_proto.h \

Modified: trunk/src/lib/apputils/deps
===================================================================
--- trunk/src/lib/apputils/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/apputils/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,7 +8,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  daemon.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h daemon.c
 dummy.so dummy.po $(OUTPRE)dummy.$(OBJEXT): dummy.c

Modified: trunk/src/lib/crypto/builtin/aes/deps
===================================================================
--- trunk/src/lib/crypto/builtin/aes/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/aes/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -18,7 +18,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/aes/aes_s2k.c $(srcdir)/../../builtin/aes/aes_s2k.h \
-  $(srcdir)/../../krb/dk/dk.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/aes/aes_s2k.c \
+  $(srcdir)/../../builtin/aes/aes_s2k.h $(srcdir)/../../krb/dk/dk.h

Modified: trunk/src/lib/crypto/builtin/arcfour/deps
===================================================================
--- trunk/src/lib/crypto/builtin/arcfour/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/arcfour/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,11 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.c \
-  $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../krb/hash_provider/hash_provider.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
+  $(srcdir)/../../builtin/arcfour/arcfour.c $(srcdir)/../../builtin/arcfour/arcfour.h \
+  $(srcdir)/../hash_provider/hash_provider.h
 arcfour_aead.so arcfour_aead.po $(OUTPRE)arcfour_aead.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -19,11 +20,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
-  $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/arcfour/arcfour_aead.c \
-  $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \
+  $(srcdir)/../../builtin/arcfour/arcfour_aead.c $(srcdir)/../../krb/aead.h \
+  $(srcdir)/../../krb/cksumtypes.h
 arcfour_s2k.so arcfour_s2k.po $(OUTPRE)arcfour_s2k.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -32,7 +34,8 @@
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
   $(SRCTOP)/include/k5-utf8.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \
-  $(srcdir)/../../builtin/arcfour/arcfour_s2k.c $(srcdir)/../md4/rsa-md4.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
+  $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/arcfour/arcfour_s2k.c \
+  $(srcdir)/../../builtin/md4/rsa-md4.h

Modified: trunk/src/lib/crypto/builtin/deps
===================================================================
--- trunk/src/lib/crypto/builtin/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../builtin/hmac.c $(srcdir)/../krb/aead.h \
-  $(srcdir)/../krb/cksumtypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/hmac.c \
+  $(srcdir)/../krb/aead.h $(srcdir)/../krb/cksumtypes.h
 pbkdf2.so pbkdf2.po $(OUTPRE)pbkdf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -19,6 +19,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../builtin/pbkdf2.c $(srcdir)/../builtin/hash_provider/hash_provider.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/../builtin/pbkdf2.c

Modified: trunk/src/lib/crypto/builtin/des/Makefile.in
===================================================================
--- trunk/src/lib/crypto/builtin/des/Makefile.in	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/des/Makefile.in	2009-10-10 03:57:45 UTC (rev 22877)
@@ -9,6 +9,7 @@
 ##DOS##PREFIXDIR=des
 ##DOS##OBJFILE=..\$(OUTPRE)des.lst
 
+RUN_SETUP = @KRB5_RUN_ENV@
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
 
@@ -57,17 +58,30 @@
 	$(srcdir)/../../$(CIMPL)/weak_key.c	\
 	$(srcdir)/../../$(CIMPL)/string2key.c
 
+EXTRADEPSRCS = $(SRCDIR)destest.c
+
 ##DOS##LIBOBJS = $(OBJS)
 
+TOBJS = $(OUTPRE)key_sched.$(OBJEXT) $(OUTPRE)f_sched.$(OBJEXT) \
+	$(OUTPRE)f_cbc.$(OBJEXT) $(OUTPRE)f_tables.$(OBJEXT) \
+	$(OUTPRE)f_cksum.$(OBJEXT)
+
+destest$(EXEEXT): destest.$(OBJEXT) $(TOBJS) $(SUPPORT_DEPLIB)
+	$(CC_LINK) -o $@ destest.$(OBJEXT) $(TOBJS) $(SUPPORT_LIB)
+
 all-unix:: all-libobjs
 
+check-unix:: destest
+	$(RUN_SETUP) $(VALGRIND) ./destest < $(srcdir)/keytest.data
+
 includes:: depend
 
 depend:: $(SRCS)
 
 check-windows::
 
-clean:: 
+clean::
+	$(RM) destest.$(OBJEXT) destest$(EXEEXT)
 
 clean-unix:: clean-libobjs
 

Modified: trunk/src/lib/crypto/builtin/des/deps
===================================================================
--- trunk/src/lib/crypto/builtin/des/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/des/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/afsstring2key.c \
-  $(srcdir)/../../builtin/des/des_int.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/afsstring2key.c $(srcdir)/../../builtin/des/des_int.h
 d3_cbc.so d3_cbc.po $(OUTPRE)d3_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -19,10 +19,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/d3_cbc.c $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/des/f_tables.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/d3_cbc.c \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_tables.h
 d3_aead.so d3_aead.po $(OUTPRE)d3_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -30,11 +30,11 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/d3_aead.c $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/des/f_tables.h $(srcdir)/../../krb/aead.h \
-  $(srcdir)/../../krb/cksumtypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/d3_aead.c \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_tables.h \
+  $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h
 d3_kysched.so d3_kysched.po $(OUTPRE)d3_kysched.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -42,10 +42,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/d3_kysched.c \
-  $(srcdir)/../../builtin/des/des_int.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/d3_kysched.c $(srcdir)/../../builtin/des/des_int.h
 f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -53,11 +53,11 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_aead.c \
-  $(srcdir)/../../builtin/des/f_tables.h $(srcdir)/../../krb/aead.h \
-  $(srcdir)/../../krb/cksumtypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+  $(srcdir)/../../builtin/des/f_aead.c $(srcdir)/../../builtin/des/f_tables.h \
+  $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h
 f_cbc.so f_cbc.po $(OUTPRE)f_cbc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -65,10 +65,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_cbc.c \
-  $(srcdir)/../../builtin/des/f_tables.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+  $(srcdir)/../../builtin/des/f_cbc.c $(srcdir)/../../builtin/des/f_tables.h
 f_cksum.so f_cksum.po $(OUTPRE)f_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -76,10 +76,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_cksum.c \
-  $(srcdir)/../../builtin/des/f_tables.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+  $(srcdir)/../../builtin/des/f_cksum.c $(srcdir)/../../builtin/des/f_tables.h
 f_parity.so f_parity.po $(OUTPRE)f_parity.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -87,10 +87,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/des/f_parity.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_parity.c
 f_sched.so f_sched.po $(OUTPRE)f_sched.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -98,9 +98,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_sched.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+  $(srcdir)/../../builtin/des/f_sched.c
 f_tables.so f_tables.po $(OUTPRE)f_tables.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -108,10 +109,11 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/des/f_tables.c $(srcdir)/../../builtin/des/f_tables.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/f_tables.c \
+  $(srcdir)/../../builtin/des/f_tables.h
 key_sched.so key_sched.po $(OUTPRE)key_sched.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -119,10 +121,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/des/key_sched.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/key_sched.c
 weak_key.so weak_key.po $(OUTPRE)weak_key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -130,10 +132,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/des/weak_key.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/weak_key.c
 string2key.so string2key.po $(OUTPRE)string2key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -141,7 +143,17 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/des/string2key.c
+destest.so destest.po $(OUTPRE)destest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+  $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+  $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+  $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+  $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
   $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/des/string2key.c
+  $(SRCTOP)/include/socket-utils.h des_int.h destest.c

Copied: trunk/src/lib/crypto/builtin/des/destest.c (from rev 22875, trunk/src/lib/crypto/crypto_tests/destest.c)
===================================================================
--- trunk/src/lib/crypto/crypto_tests/destest.c	2009-10-09 18:29:34 UTC (rev 22875)
+++ trunk/src/lib/crypto/builtin/des/destest.c	2009-10-10 03:57:45 UTC (rev 22877)
@@ -0,0 +1,248 @@
+/*
+ * lib/crypto/des/destest.c
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ *
+ * Test a DES implementation against known inputs & outputs
+ */
+
+
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ * 
+ * All rights reserved.
+ * 
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government.  It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ * 
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  FundsXpress makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ * 
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "des_int.h"
+#include "com_err.h"
+
+#include <stdio.h>
+
+void convert (char *, unsigned char []);
+
+void des_cblock_print_file (mit_des_cblock, FILE *);
+
+krb5_octet zeroblock[8] = {0,0,0,0,0,0,0,0};
+
+int
+main(argc, argv)
+    int argc;
+    char *argv[];
+{
+    char block1[17], block2[17], block3[17];
+#if 0
+    mit_des_cblock key, input, output, output2;
+#else
+    /* Force tests of unaligned accesses.  */
+    union { unsigned char c[8*4+3]; long l; } u;
+    unsigned char *ioblocks = u.c;
+    unsigned char *input = ioblocks+1;
+    unsigned char *output = ioblocks+10;
+    unsigned char *output2 = ioblocks+19;
+    unsigned char *key = ioblocks+27;
+#endif
+    mit_des_key_schedule sched;
+    int num = 0;
+    int retval;
+
+    int error = 0;
+
+    while (scanf("%16s %16s %16s", block1, block2, block3) == 3) {
+	convert(block1, key);
+	convert(block2, input);
+	convert(block3, output);
+
+	retval = mit_des_key_sched(key, sched);
+	if (retval) {
+	    fprintf(stderr, "des test: can't process key: %d\n", retval);
+	    fprintf(stderr, "des test: %s %s %s\n", block1, block2, block3);
+            exit(1);
+        }
+	mit_des_cbc_encrypt((const mit_des_cblock *) input, output2, 8,
+			    sched, zeroblock, 1);
+
+	if (memcmp((char *)output2, (char *)output, 8)) {
+	    fprintf(stderr, 
+		    "DES ENCRYPT ERROR, key %s, text %s, real cipher %s, computed cyphertext %02X%02X%02X%02X%02X%02X%02X%02X\n",
+		    block1, block2, block3,
+		    output2[0],output2[1],output2[2],output2[3],
+		    output2[4],output2[5],output2[6],output2[7]);
+	    error++;
+	}
+
+	/*
+	 * Now try decrypting....
+	 */
+	mit_des_cbc_encrypt((const mit_des_cblock *) output, output2, 8,
+			    sched, zeroblock, 0);
+
+	if (memcmp((char *)output2, (char *)input, 8)) {
+	    fprintf(stderr, 
+		    "DES DECRYPT ERROR, key %s, text %s, real cipher %s, computed cleartext %02X%02X%02X%02X%02X%02X%02X%02X\n",
+		    block1, block2, block3,
+		    output2[0],output2[1],output2[2],output2[3],
+		    output2[4],output2[5],output2[6],output2[7]);
+	    error++;
+	}
+
+	num++;
+    }
+
+    if (error) 
+	printf("destest: failed to pass the test\n");
+    else
+	printf("destest: %d tests passed successfully\n", num);
+
+    exit( (error > 256 && error % 256) ? 1 : error);
+}
+
+int value[128] = {
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+0, 1, 2, 3, 4, 5, 6, 7,
+8, 9, -1, -1, -1, -1, -1, -1,
+-1, 10, 11, 12, 13, 14, 15, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+-1, -1, -1, -1, -1, -1, -1, -1,
+};
+
+void
+convert(text, cblock)
+    char *text;
+    unsigned char cblock[];
+{
+    register int i;
+    for (i = 0; i < 8; i++) {
+	if (text[i*2] < 0 || text[i*2] >= 128)
+	    abort ();
+	if (value[(int) text[i*2]] == -1 || value[(int) text[i*2+1]] == -1) {
+	    printf("Bad value byte %d in %s\n", i, text);
+	    exit(1);
+	}
+	cblock[i] = 16*value[(int) text[i*2]] + value[(int) text[i*2+1]];
+    }
+    return;
+}
+
+/*
+ * Fake out the DES library, for the purposes of testing.
+ */
+
+#include "des_int.h"
+
+int
+mit_des_is_weak_key(key)
+    mit_des_cblock key;
+{
+    return 0;				/* fake it out for testing */
+}
+
+void
+des_cblock_print_file(x, fp)
+    mit_des_cblock x;
+    FILE *fp;
+{
+    unsigned char *y = (unsigned char *) x;
+    register int i = 0;
+    fprintf(fp," 0x { ");
+
+    while (i++ < 8) {
+        fprintf(fp,"%x",*y++);
+        if (i < 8)
+            fprintf(fp,", ");
+    }
+    fprintf(fp," }");
+}
+
+
+#define smask(step) ((1<<step)-1)
+#define pstep(x,step) (((x)&smask(step))^(((x)>>step)&smask(step)))
+#define parity_char(x) pstep(pstep(pstep((x),4),2),1)
+
+/*
+ * des_check_key_parity: returns true iff key has the correct des parity.
+ *                       See des_fix_key_parity for the definition of
+ *                       correct des parity.
+ */
+int
+mit_des_check_key_parity(key)
+     register mit_des_cblock key;
+{
+    int i;
+    
+    for (i=0; i<sizeof(mit_des_cblock); i++) {
+	if ((key[i] & 1) == parity_char(0xfe&key[i])) {
+	    printf("warning: bad parity key:");
+	    des_cblock_print_file(key, stdout); 
+	    putchar('\n');
+	      
+	    return 1;
+	}
+    }
+
+    return(1);
+}
+
+void
+mit_des_fixup_key_parity(key)
+     register mit_des_cblock key;
+{
+    int i;
+    for (i=0; i<sizeof(mit_des_cblock); i++) 
+      {
+	key[i] &= 0xfe;
+	key[i] |= 1^parity_char(key[i]);
+      }
+  
+    return;
+}

Copied: trunk/src/lib/crypto/builtin/des/keytest.data (from rev 22875, trunk/src/lib/crypto/crypto_tests/keytest.data)
===================================================================
--- trunk/src/lib/crypto/crypto_tests/keytest.data	2009-10-09 18:29:34 UTC (rev 22875)
+++ trunk/src/lib/crypto/builtin/des/keytest.data	2009-10-10 03:57:45 UTC (rev 22877)
@@ -0,0 +1,171 @@
+0101010101010101 95F8A5E5DD31D900 8000000000000000
+0101010101010101 DD7F121CA5015619 4000000000000000
+0101010101010101 2E8653104F3834EA 2000000000000000
+0101010101010101 4BD388FF6CD81D4F 1000000000000000
+0101010101010101 20B9E767B2FB1456 0800000000000000
+0101010101010101 55579380D77138EF 0400000000000000
+0101010101010101 6CC5DEFAAF04512F 0200000000000000
+0101010101010101 0D9F279BA5D87260 0100000000000000
+0101010101010101 D9031B0271BD5A0A 0080000000000000
+0101010101010101 424250B37C3DD951 0040000000000000
+0101010101010101 B8061B7ECD9A21E5 0020000000000000
+0101010101010101 F15D0F286B65BD28 0010000000000000
+0101010101010101 ADD0CC8D6E5DEBA1 0008000000000000
+0101010101010101 E6D5F82752AD63D1 0004000000000000
+0101010101010101 ECBFE3BD3F591A5E 0002000000000000
+0101010101010101 F356834379D165CD 0001000000000000
+0101010101010101 2B9F982F20037FA9 0000800000000000
+0101010101010101 889DE068A16F0BE6 0000400000000000
+0101010101010101 E19E275D846A1298 0000200000000000
+0101010101010101 329A8ED523D71AEC 0000100000000000
+0101010101010101 E7FCE22557D23C97 0000080000000000
+0101010101010101 12A9F5817FF2D65D 0000040000000000
+0101010101010101 A484C3AD38DC9C19 0000020000000000
+0101010101010101 FBE00A8A1EF8AD72 0000010000000000
+0101010101010101 750D079407521363 0000008000000000
+0101010101010101 64FEED9C724C2FAF 0000004000000000
+0101010101010101 F02B263B328E2B60 0000002000000000
+0101010101010101 9D64555A9A10B852 0000001000000000
+0101010101010101 D106FF0BED5255D7 0000000800000000
+0101010101010101 E1652C6B138C64A5 0000000400000000
+0101010101010101 E428581186EC8F46 0000000200000000
+0101010101010101 AEB5F5EDE22D1A36 0000000100000000
+0101010101010101 E943D7568AEC0C5C 0000000080000000
+0101010101010101 DF98C8276F54B04B 0000000040000000
+0101010101010101 B160E4680F6C696F 0000000020000000
+0101010101010101 FA0752B07D9C4AB8 0000000010000000
+0101010101010101 CA3A2B036DBC8502 0000000008000000
+0101010101010101 5E0905517BB59BCF 0000000004000000
+0101010101010101 814EEB3B91D90726 0000000002000000
+0101010101010101 4D49DB1532919C9F 0000000001000000
+0101010101010101 25EB5FC3F8CF0621 0000000000800000
+0101010101010101 AB6A20C0620D1C6F 0000000000400000
+0101010101010101 79E90DBC98F92CCA 0000000000200000
+0101010101010101 866ECEDD8072BB0E 0000000000100000
+0101010101010101 8B54536F2F3E64A8 0000000000080000
+0101010101010101 EA51D3975595B86B 0000000000040000
+0101010101010101 CAFFC6AC4542DE31 0000000000020000
+0101010101010101 8DD45A2DDF90796C 0000000000010000
+0101010101010101 1029D55E880EC2D0 0000000000008000
+0101010101010101 5D86CB23639DBEA9 0000000000004000
+0101010101010101 1D1CA853AE7C0C5F 0000000000002000
+0101010101010101 CE332329248F3228 0000000000001000
+0101010101010101 8405D1ABE24FB942 0000000000000800
+0101010101010101 E643D78090CA4207 0000000000000400
+0101010101010101 48221B9937748A23 0000000000000200
+0101010101010101 DD7C0BBD61FAFD54 0000000000000100
+0101010101010101 2FBC291A570DB5C4 0000000000000080
+0101010101010101 E07C30D7E4E26E12 0000000000000040
+0101010101010101 0953E2258E8E90A1 0000000000000020
+0101010101010101 5B711BC4CEEBF2EE 0000000000000010
+0101010101010101 CC083F1E6D9E85F6 0000000000000008
+0101010101010101 D2FD8867D50D2DFE 0000000000000004
+0101010101010101 06E7EA22CE92708F 0000000000000002
+0101010101010101 166B40B44ABA4BD6 0000000000000001
+8001010101010101 0000000000000000 95A8D72813DAA94D
+4001010101010101 0000000000000000 0EEC1487DD8C26D5
+2001010101010101 0000000000000000 7AD16FFB79C45926
+1001010101010101 0000000000000000 D3746294CA6A6CF3
+0801010101010101 0000000000000000 809F5F873C1FD761
+0401010101010101 0000000000000000 C02FAFFEC989D1FC
+0201010101010101 0000000000000000 4615AA1D33E72F10
+0180010101010101 0000000000000000 2055123350C00858
+0140010101010101 0000000000000000 DF3B99D6577397C8
+0120010101010101 0000000000000000 31FE17369B5288C9
+0110010101010101 0000000000000000 DFDD3CC64DAE1642
+0108010101010101 0000000000000000 178C83CE2B399D94
+0104010101010101 0000000000000000 50F636324A9B7F80
+0102010101010101 0000000000000000 A8468EE3BC18F06D
+0101800101010101 0000000000000000 A2DC9E92FD3CDE92
+0101400101010101 0000000000000000 CAC09F797D031287
+0101200101010101 0000000000000000 90BA680B22AEB525
+0101100101010101 0000000000000000 CE7A24F350E280B6
+0101080101010101 0000000000000000 882BFF0AA01A0B87
+0101040101010101 0000000000000000 25610288924511C2
+0101020101010101 0000000000000000 C71516C29C75D170
+0101018001010101 0000000000000000 5199C29A52C9F059
+0101014001010101 0000000000000000 C22F0A294A71F29F
+0101012001010101 0000000000000000 EE371483714C02EA
+0101011001010101 0000000000000000 A81FBD448F9E522F
+0101010801010101 0000000000000000 4F644C92E192DFED
+0101010401010101 0000000000000000 1AFA9A66A6DF92AE
+0101010201010101 0000000000000000 B3C1CC715CB879D8
+0101010180010101 0000000000000000 19D032E64AB0BD8B
+0101010140010101 0000000000000000 3CFAA7A7DC8720DC
+0101010120010101 0000000000000000 B7265F7F447AC6F3
+0101010110010101 0000000000000000 9DB73B3C0D163F54
+0101010108010101 0000000000000000 8181B65BABF4A975
+0101010104010101 0000000000000000 93C9B64042EAA240
+0101010102010101 0000000000000000 5570530829705592
+0101010101800101 0000000000000000 8638809E878787A0
+0101010101400101 0000000000000000 41B9A79AF79AC208
+0101010101200101 0000000000000000 7A9BE42F2009A892
+0101010101100101 0000000000000000 29038D56BA6D2745
+0101010101080101 0000000000000000 5495C6ABF1E5DF51
+0101010101040101 0000000000000000 AE13DBD561488933
+0101010101020101 0000000000000000 024D1FFA8904E389
+0101010101018001 0000000000000000 D1399712F99BF02E
+0101010101014001 0000000000000000 14C1D7C1CFFEC79E
+0101010101012001 0000000000000000 1DE5279DAE3BED6F
+0101010101011001 0000000000000000 E941A33F85501303
+0101010101010801 0000000000000000 DA99DBBC9A03F379
+0101010101010401 0000000000000000 B7FC92F91D8E92E9
+0101010101010201 0000000000000000 AE8E5CAA3CA04E85
+0101010101010180 0000000000000000 9CC62DF43B6EED74
+0101010101010140 0000000000000000 D863DBB5C59A91A0
+0101010101010120 0000000000000000 A1AB2190545B91D7
+0101010101010110 0000000000000000 0875041E64C570F7
+0101010101010108 0000000000000000 5A594528BEBEF1CC
+0101010101010104 0000000000000000 FCDB3291DE21F0C0
+0101010101010102 0000000000000000 869EFD7F9F265A09
+1046913489980131 0000000000000000 88D55E54F54C97B4
+1007103489988020 0000000000000000 0C0CC00C83EA48FD
+10071034C8980120 0000000000000000 83BC8EF3A6570183
+1046103489988020 0000000000000000 DF725DCAD94EA2E9
+1086911519190101 0000000000000000 E652B53B550BE8B0
+1086911519580101 0000000000000000 AF527120C485CBB0
+5107B01519580101 0000000000000000 0F04CE393DB926D5
+1007B01519190101 0000000000000000 C9F00FFC74079067
+3107915498080101 0000000000000000 7CFD82A593252B4E
+3107919498080101 0000000000000000 CB49A2F9E91363E3
+10079115B9080140 0000000000000000 00B588BE70D23F56
+3107911598080140 0000000000000000 406A9A6AB43399AE
+1007D01589980101 0000000000000000 6CB773611DCA9ADA
+9107911589980101 0000000000000000 67FD21C17DBB5D70
+9107D01589190101 0000000000000000 9592CB4110430787
+1007D01598980120 0000000000000000 A6B7FF68A318DDD3
+1007940498190101 0000000000000000 4D102196C914CA16
+0107910491190401 0000000000000000 2DFA9F4573594965
+0107910491190101 0000000000000000 B46604816C0E0774
+0107940491190401 0000000000000000 6E7E6221A4F34E87
+19079210981A0101 0000000000000000 AA85E74643233199
+1007911998190801 0000000000000000 2E5A19DB4D1962D6
+10079119981A0801 0000000000000000 23A866A809D30894
+1007921098190101 0000000000000000 D812D961F017D320
+100791159819010B 0000000000000000 055605816E58608F
+1004801598190101 0000000000000000 ABD88E8B1B7716F1
+1004801598190102 0000000000000000 537AC95BE69DA1E1
+1004801598190108 0000000000000000 AED0F6AE3C25CDD8
+1002911598100104 0000000000000000 B3E35A5EE53E7B8D
+1002911598190104 0000000000000000 61C79C71921A2EF8
+1002911598100201 0000000000000000 E2F5728F0995013C
+1002911698100101 0000000000000000 1AEAC39A61F0A464
+7CA110454A1A6E57 01A1D6D039776742 690F5B0D9A26939B
+0131D9619DC1376E 5CD54CA83DEF57DA 7A389D10354BD271
+07A1133E4A0B2686 0248D43806F67172 868EBB51CAB4599A
+3849674C2602319E 51454B582DDF440A 7178876E01F19B2A
+04B915BA43FEB5B6 42FD443059577FA2 AF37FB421F8C4095
+0113B970FD34F2CE 059B5E0851CF143A 86A560F10EC6D85B
+0170F175468FB5E6 0756D8E0774761D2 0CD3DA020021DC09
+43297FAD38E373FE 762514B829BF486A EA676B2CB7DB2B7A
+07A7137045DA2A16 3BDD119049372802 DFD64A815CAF1A0F
+04689104C2FD3B2F 26955F6835AF609A 5C513C9C4886C088
+37D06BB516CB7546 164D5E404F275232 0A2AEEAE3FF4AB77
+1F08260D1AC2465E 6B056E18759F5CCA EF1BF03E5DFA575A
+584023641ABA6176 004BD6EF09176062 88BF0DB6D70DEE56
+025816164629B007 480D39006EE762F2 A1F9915541020B56
+49793EBC79B3258F 437540C8698F3CFA 6FBF1CAFCFFD0556
+4FB05E1515AB73A7 072D43A077075292 2F22E49BAB7CA1AC
+49E95D6D4CA229BF 02FE55778117F12A 5A6B612CC26CCE4A
+018310DC409B26D6 1D9D5C5018F728C2 5F4C038ED12B2E41
+1C587F1C13924FEF 305532286D6F295A 63FAC0D034D9F793

Modified: trunk/src/lib/crypto/builtin/enc_provider/deps
===================================================================
--- trunk/src/lib/crypto/builtin/enc_provider/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/enc_provider/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/enc_provider/des.c \
-  $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+  $(srcdir)/../../builtin/enc_provider/des.c $(srcdir)/../../builtin/enc_provider/enc_provider.h \
   $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
   $(srcdir)/../../krb/rand2key/rand2key.h
 des3.so des3.po $(OUTPRE)des3.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
@@ -21,11 +21,11 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/enc_provider/des3.c \
-  $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
-  $(srcdir)/../../krb/rand2key/rand2key.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+  $(srcdir)/../../builtin/enc_provider/des3.c $(srcdir)/../../krb/aead.h \
+  $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h
 aes.so aes.po $(OUTPRE)aes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -33,10 +33,11 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/aes/aes.h $(srcdir)/../../builtin/aes/uitypes.h \
-  $(srcdir)/../../builtin/enc_provider/aes.c $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/aes/aes.h \
+  $(srcdir)/../../builtin/aes/uitypes.h $(srcdir)/../../builtin/enc_provider/aes.c \
+  $(srcdir)/../../builtin/enc_provider/enc_provider.h \
   $(srcdir)/../../krb/aead.h $(srcdir)/../../krb/cksumtypes.h \
   $(srcdir)/../../krb/rand2key/rand2key.h
 rc4.so rc4.po $(OUTPRE)rc4.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
@@ -46,9 +47,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \
-  $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
+  $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/enc_provider/enc_provider.h \
   $(srcdir)/../../builtin/enc_provider/rc4.c $(srcdir)/../../krb/aead.h \
   $(srcdir)/../../krb/cksumtypes.h $(srcdir)/../../krb/rand2key/rand2key.h

Modified: trunk/src/lib/crypto/builtin/hash_provider/deps
===================================================================
--- trunk/src/lib/crypto/builtin/hash_provider/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/hash_provider/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../krb/crc32/crc-32.h \
-  hash_crc32.c hash_provider.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/hash_provider/hash_crc32.c \
+  $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/../../krb/crc32/crc-32.h
 hash_md4.so hash_md4.po $(OUTPRE)hash_md4.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -19,10 +21,11 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md4/rsa-md4.h \
-  hash_md4.c hash_provider.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/hash_provider/hash_md4.c $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/../../builtin/md4/rsa-md4.h
 hash_md5.so hash_md5.po $(OUTPRE)hash_md5.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -30,10 +33,11 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md5/rsa-md5.h \
-  hash_md5.c hash_provider.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/hash_provider/hash_md5.c $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/../../builtin/md5/rsa-md5.h
 hash_sha1.so hash_sha1.po $(OUTPRE)hash_sha1.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -41,7 +45,8 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/sha1/shs.h \
-  hash_provider.h hash_sha1.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/../../builtin/hash_provider/hash_sha1.c $(srcdir)/../../builtin/sha1/shs.h

Modified: trunk/src/lib/crypto/builtin/md4/deps
===================================================================
--- trunk/src/lib/crypto/builtin/md4/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/md4/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,6 +8,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/md4/md4.c $(srcdir)/../../builtin/md4/rsa-md4.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md4/md4.c \
+  $(srcdir)/../../builtin/md4/rsa-md4.h

Modified: trunk/src/lib/crypto/builtin/md5/deps
===================================================================
--- trunk/src/lib/crypto/builtin/md5/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/md5/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,6 +8,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/md5/md5.c $(srcdir)/../../builtin/md5/rsa-md5.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/md5/md5.c \
+  $(srcdir)/../../builtin/md5/rsa-md5.h

Modified: trunk/src/lib/crypto/builtin/sha1/deps
===================================================================
--- trunk/src/lib/crypto/builtin/sha1/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/builtin/sha1/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,6 +8,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/sha1/shs.c $(srcdir)/../../builtin/sha1/shs.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/sha1/shs.c \
+  $(srcdir)/../../builtin/sha1/shs.h

Modified: trunk/src/lib/crypto/crypto_tests/Makefile.in
===================================================================
--- trunk/src/lib/crypto/crypto_tests/Makefile.in	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/crypto_tests/Makefile.in	2009-10-10 03:57:45 UTC (rev 22877)
@@ -45,7 +45,7 @@
 
 check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_cf2 \
 		t_cksum4 t_cksum5 \
-		aes-test verify destest t_afss2k \
+		aes-test verify t_afss2k \
 		t_mddriver4 t_mddriver \
 		t_shs t_shs3 t_crc
 	$(RUN_SETUP) $(VALGRIND) ./t_nfold
@@ -67,7 +67,6 @@
 	$(RUN_SETUP) $(VALGRIND) ./verify -z
 	$(RUN_SETUP) $(VALGRIND) ./verify -m
 	$(RUN_SETUP) $(VALGRIND) ./verify
-	$(RUN_SETUP) $(VALGRIND) ./destest < $(srcdir)/keytest.data
 	$(RUN_SETUP) $(VALGRIND) ./t_afss2k
 	$(RUN_SETUP) $(VALGRIND) $(C)t_mddriver4 -x
 	$(RUN_SETUP) $(VALGRIND) $(C)t_mddriver -x
@@ -132,9 +131,6 @@
 verify$(EXEEXT): t_verify.$(OBJEXT) $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
 	$(CC_LINK) -o $@ t_verify.$(OBJEXT) -lcom_err $(SUPPORT_LIB) -lk5crypto
 
-destest$(EXEEXT): destest.$(OBJEXT)  $(SUPPORT_DEPLIB)
-	$(CC_LINK) -o $@ destest.$(OBJEXT) $(TOBJS) $(SUPPORT_LIB) -lk5crypto
-
 t_afss2k: t_afss2k.$(OBJEXT) $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB) $(CRYPTO_DEPLIB)
 	$(CC_LINK) -o $@ t_afss2k.$(OBJEXT) -lcom_err $(SUPPORT_LIB) -lk5crypto
 
@@ -162,7 +158,6 @@
 	$(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
 		t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o \
 		aes-test.o aes-test vt.txt vk.txt kresults.out 	\
-		destest.o destest 	\
 		t_afss2k.o t_afss2k t_cksum.o t_cksum 	\
 		t_crc.o t_crc t_cts.o t_cts 	\
 		t_mddriver4.o t_mddriver4 t_mddriver.o t_mddriver	\

Deleted: trunk/src/lib/crypto/crypto_tests/destest.c

Deleted: trunk/src/lib/crypto/crypto_tests/keytest.data

Modified: trunk/src/lib/crypto/krb/crc32/deps
===================================================================
--- trunk/src/lib/crypto/krb/crc32/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/crc32/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,6 +8,6 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  crc-32.h crc32.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h crc-32.h crc32.c

Modified: trunk/src/lib/crypto/krb/deps
===================================================================
--- trunk/src/lib/crypto/krb/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,9 +8,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/dk/dk.h aead.c aead.h cksumtypes.h etypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/dk/dk.h \
+  aead.c aead.h cksumtypes.h etypes.h
 block_size.so block_size.po $(OUTPRE)block_size.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -18,9 +19,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h block_size.c etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  block_size.c etypes.h
 checksum_length.so checksum_length.po $(OUTPRE)checksum_length.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -28,10 +30,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h checksum_length.c \
-  cksumtypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  checksum_length.c cksumtypes.h
 cksumtype_to_string.so cksumtype_to_string.po $(OUTPRE)cksumtype_to_string.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -39,10 +41,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h cksumtype_to_string.c \
-  cksumtypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  cksumtype_to_string.c cksumtypes.h
 cksumtypes.so cksumtypes.po $(OUTPRE)cksumtypes.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -50,9 +52,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../builtin/hash_provider/hash_provider.h \
   $(srcdir)/keyhash_provider/keyhash_provider.h cksumtypes.c \
   cksumtypes.h
 coll_proof_cksum.so coll_proof_cksum.po $(OUTPRE)coll_proof_cksum.$(OBJEXT): \
@@ -62,9 +65,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h cksumtypes.h coll_proof_cksum.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  cksumtypes.h coll_proof_cksum.c
 combine_keys.so combine_keys.po $(OUTPRE)combine_keys.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -72,10 +76,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/dk/dk.h \
-  combine_keys.c etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/dk/dk.h combine_keys.c etypes.h
 crypto_length.so crypto_length.po $(OUTPRE)crypto_length.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -83,10 +87,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h aead.h cksumtypes.h \
-  crypto_length.c etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  aead.h cksumtypes.h crypto_length.c etypes.h
 crypto_libinit.so crypto_libinit.po $(OUTPRE)crypto_libinit.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -94,9 +98,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h crypto_libinit.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  crypto_libinit.c
 default_state.so default_state.po $(OUTPRE)default_state.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -104,9 +109,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h default_state.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  default_state.c
 decrypt.so decrypt.po $(OUTPRE)decrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -114,9 +120,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  aead.h cksumtypes.h decrypt.c etypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h aead.h cksumtypes.h \
+  decrypt.c etypes.h
 decrypt_iov.so decrypt_iov.po $(OUTPRE)decrypt_iov.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -124,10 +131,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h aead.h cksumtypes.h \
-  decrypt_iov.c etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  aead.h cksumtypes.h decrypt_iov.c etypes.h
 encrypt.so encrypt.po $(OUTPRE)encrypt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -135,9 +142,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  aead.h cksumtypes.h encrypt.c etypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h aead.h cksumtypes.h \
+  encrypt.c etypes.h
 encrypt_iov.so encrypt_iov.po $(OUTPRE)encrypt_iov.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -145,9 +153,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h encrypt_iov.c etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  encrypt_iov.c etypes.h
 encrypt_length.so encrypt_length.po $(OUTPRE)encrypt_length.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -155,10 +164,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h aead.h cksumtypes.h \
-  encrypt_length.c etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  aead.h cksumtypes.h encrypt_length.c etypes.h
 enctype_compare.so enctype_compare.po $(OUTPRE)enctype_compare.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -166,10 +175,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h enctype_compare.c \
-  etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  enctype_compare.c etypes.h
 enctype_to_string.so enctype_to_string.po $(OUTPRE)enctype_to_string.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -177,10 +186,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h enctype_to_string.c \
-  etypes.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  enctype_to_string.c etypes.h
 etypes.so etypes.po $(OUTPRE)etypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -188,13 +197,13 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../builtin/aes/aes_s2k.h $(srcdir)/../builtin/arcfour/arcfour.h \
-  $(srcdir)/../builtin/des/des_int.h $(srcdir)/../builtin/enc_provider/enc_provider.h \
-  $(srcdir)/dk/dk.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
-  $(srcdir)/old/old.h $(srcdir)/prf/prf_int.h $(srcdir)/raw/raw.h \
-  etypes.c etypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/aes/aes_s2k.h \
+  $(srcdir)/../builtin/arcfour/arcfour.h $(srcdir)/../builtin/des/des_int.h \
+  $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/dk/dk.h $(srcdir)/old/old.h $(srcdir)/prf/prf_int.h \
+  $(srcdir)/raw/raw.h etypes.c etypes.h
 keyblocks.so keyblocks.po $(OUTPRE)keyblocks.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -202,9 +211,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h keyblocks.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  keyblocks.c
 keyed_cksum.so keyed_cksum.po $(OUTPRE)keyed_cksum.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -212,9 +222,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h cksumtypes.h keyed_cksum.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  cksumtypes.h keyed_cksum.c
 keyed_checksum_types.so keyed_checksum_types.po $(OUTPRE)keyed_checksum_types.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -222,10 +233,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h cksumtypes.h etypes.h \
-  keyed_checksum_types.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  cksumtypes.h etypes.h keyed_checksum_types.c
 keylengths.so keylengths.po $(OUTPRE)keylengths.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -233,9 +244,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h etypes.h keylengths.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  etypes.h keylengths.c
 make_checksum.so make_checksum.po $(OUTPRE)make_checksum.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -243,10 +255,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/dk/dk.h \
-  cksumtypes.h etypes.h make_checksum.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/dk/dk.h cksumtypes.h etypes.h make_checksum.c
 make_checksum_iov.so make_checksum_iov.po $(OUTPRE)make_checksum_iov.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -254,10 +266,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h aead.h cksumtypes.h \
-  make_checksum_iov.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  aead.h cksumtypes.h make_checksum_iov.c
 make_random_key.so make_random_key.po $(OUTPRE)make_random_key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -265,9 +277,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h etypes.h make_random_key.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  etypes.h make_random_key.c
 mandatory_sumtype.so mandatory_sumtype.po $(OUTPRE)mandatory_sumtype.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -275,9 +288,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h etypes.h mandatory_sumtype.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  etypes.h mandatory_sumtype.c
 nfold.so nfold.po $(OUTPRE)nfold.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -285,9 +299,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  nfold.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h nfold.c
 old_api_glue.so old_api_glue.po $(OUTPRE)old_api_glue.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -295,9 +309,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h old_api_glue.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  old_api_glue.c
 prf.so prf.po $(OUTPRE)prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -305,9 +320,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  etypes.h prf.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h etypes.h prf.c
 cf2.so cf2.po $(OUTPRE)cf2.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -315,9 +330,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  cf2.c etypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h cf2.c etypes.h
 prng.so prng.po $(OUTPRE)prng.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -325,12 +340,12 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../builtin/enc_provider/enc_provider.h $(srcdir)/../builtin/sha1/shs.h \
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../builtin/enc_provider/enc_provider.h \
+  $(srcdir)/../builtin/sha1/shs.h $(srcdir)/../builtin/yhash.h \
   $(srcdir)/yarrow/yarrow.h $(srcdir)/yarrow/ycipher.h \
-  $(srcdir)/../builtin/yhash.h $(srcdir)/yarrow/ytypes.h \
-  prng.c
+  $(srcdir)/yarrow/ytypes.h prng.c
 random_to_key.so random_to_key.po $(OUTPRE)random_to_key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -338,9 +353,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h etypes.h random_to_key.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  etypes.h random_to_key.c
 state.so state.po $(OUTPRE)state.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -348,9 +364,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  etypes.h state.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h etypes.h state.c
 string_to_cksumtype.so string_to_cksumtype.po $(OUTPRE)string_to_cksumtype.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -358,9 +374,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h cksumtypes.h string_to_cksumtype.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  cksumtypes.h string_to_cksumtype.c
 string_to_enctype.so string_to_enctype.po $(OUTPRE)string_to_enctype.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -368,9 +385,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h etypes.h string_to_enctype.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  etypes.h string_to_enctype.c
 string_to_key.so string_to_key.po $(OUTPRE)string_to_key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -378,9 +396,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h etypes.h string_to_key.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  etypes.h string_to_key.c
 valid_cksumtype.so valid_cksumtype.po $(OUTPRE)valid_cksumtype.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -388,9 +407,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h cksumtypes.h valid_cksumtype.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  cksumtypes.h valid_cksumtype.c
 valid_enctype.so valid_enctype.po $(OUTPRE)valid_enctype.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -398,9 +418,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h etypes.h valid_enctype.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  etypes.h valid_enctype.c
 verify_checksum.so verify_checksum.po $(OUTPRE)verify_checksum.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -408,9 +429,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h cksumtypes.h verify_checksum.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  cksumtypes.h verify_checksum.c
 verify_checksum_iov.so verify_checksum_iov.po $(OUTPRE)verify_checksum_iov.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -418,7 +440,7 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h aead.h cksumtypes.h \
-  verify_checksum_iov.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  aead.h cksumtypes.h verify_checksum_iov.c

Modified: trunk/src/lib/crypto/krb/dk/deps
===================================================================
--- trunk/src/lib/crypto/krb/dk/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/dk/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,11 +8,11 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \
-  $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h checksum.c \
-  dk.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../etypes.h \
+  checksum.c dk.h
 dk_aead.so dk_aead.po $(OUTPRE)dk_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -20,10 +20,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h dk.h \
-  dk_aead.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \
+  $(srcdir)/../cksumtypes.h dk.h dk_aead.c
 dk_decrypt.so dk_decrypt.po $(OUTPRE)dk_decrypt.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -31,9 +31,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h dk.h dk_decrypt.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  dk.h dk_decrypt.c
 dk_encrypt.so dk_encrypt.po $(OUTPRE)dk_encrypt.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -41,9 +42,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h dk.h dk_encrypt.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  dk.h dk_encrypt.c
 derive.so derive.po $(OUTPRE)derive.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -51,9 +53,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  derive.c dk.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h derive.c dk.h
 stringtokey.so stringtokey.po $(OUTPRE)stringtokey.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -61,6 +63,7 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h dk.h stringtokey.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  dk.h stringtokey.c

Modified: trunk/src/lib/crypto/krb/keyhash_provider/deps
===================================================================
--- trunk/src/lib/crypto/krb/keyhash_provider/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/keyhash_provider/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,9 +8,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/des/des_int.h descbc.c keyhash_provider.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
+  descbc.c keyhash_provider.h
 k5_md4des.so k5_md4des.po $(OUTPRE)k5_md4des.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -18,10 +19,11 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/md4/rsa-md4.h k5_md4des.c keyhash_provider.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/md4/rsa-md4.h \
+  k5_md4des.c keyhash_provider.h
 k5_md5des.so k5_md5des.po $(OUTPRE)k5_md5des.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -29,10 +31,11 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  $(srcdir)/../../builtin/md5/rsa-md5.h k5_md5des.c keyhash_provider.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h $(srcdir)/../../builtin/md5/rsa-md5.h \
+  k5_md5des.c keyhash_provider.h
 hmac_md5.so hmac_md5.po $(OUTPRE)hmac_md5.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -40,12 +43,13 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
-  $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \
-  $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h $(srcdir)/../../builtin/hash_provider/hash_provider.h \
-  hmac_md5.c keyhash_provider.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \
+  $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/../../builtin/md5/rsa-md5.h $(srcdir)/../aead.h \
+  $(srcdir)/../cksumtypes.h hmac_md5.c keyhash_provider.h
 md5_hmac.so md5_hmac.po $(OUTPRE)md5_hmac.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -53,9 +57,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/arcfour/arcfour-int.h \
-  $(srcdir)/../../builtin/arcfour/arcfour.h $(srcdir)/../../builtin/md5/rsa-md5.h \
-  $(srcdir)/../../builtin/hash_provider/hash_provider.h keyhash_provider.h \
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/arcfour/arcfour-int.h $(srcdir)/../../builtin/arcfour/arcfour.h \
+  $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+  $(srcdir)/../../builtin/md5/rsa-md5.h keyhash_provider.h \
   md5_hmac.c

Modified: trunk/src/lib/crypto/krb/old/deps
===================================================================
--- trunk/src/lib/crypto/krb/old/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/old/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,11 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/des/des_int.h \
-  des_stringtokey.c old.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../../builtin/des/des_int.h des_stringtokey.c \
+  old.h
 old_decrypt.so old_decrypt.po $(OUTPRE)old_decrypt.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -19,9 +20,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h old.h old_decrypt.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  old.h old_decrypt.c
 old_encrypt.so old_encrypt.po $(OUTPRE)old_encrypt.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -29,6 +31,7 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h old.h old_encrypt.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  old.h old_encrypt.c

Modified: trunk/src/lib/crypto/krb/prf/deps
===================================================================
--- trunk/src/lib/crypto/krb/prf/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/prf/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,9 +8,9 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  des_prf.c prf_int.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h des_prf.c prf_int.h
 dk_prf.so dk_prf.po $(OUTPRE)dk_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -18,9 +18,10 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../dk/dk.h dk_prf.c prf_int.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../dk/dk.h \
+  dk_prf.c prf_int.h
 rc4_prf.so rc4_prf.po $(OUTPRE)rc4_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -28,7 +29,7 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/hash_provider/hash_provider.h prf_int.h \
-  rc4_prf.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/hash_provider/hash_provider.h \
+  prf_int.h rc4_prf.c

Modified: trunk/src/lib/crypto/krb/rand2key/deps
===================================================================
--- trunk/src/lib/crypto/krb/rand2key/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/rand2key/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,9 +8,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h aes_rand2key.c rand2key.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  aes_rand2key.c rand2key.h
 des_rand2key.so des_rand2key.po $(OUTPRE)des_rand2key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -18,9 +19,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h des_rand2key.c rand2key.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  des_rand2key.c rand2key.h
 des3_rand2key.so des3_rand2key.po $(OUTPRE)des3_rand2key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -28,9 +30,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h des3_rand2key.c rand2key.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  des3_rand2key.c rand2key.h
 rc4_rand2key.so rc4_rand2key.po $(OUTPRE)rc4_rand2key.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -38,6 +41,7 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h rand2key.h rc4_rand2key.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  rand2key.h rc4_rand2key.c

Modified: trunk/src/lib/crypto/krb/raw/deps
===================================================================
--- trunk/src/lib/crypto/krb/raw/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/raw/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,9 +8,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h raw.h raw_decrypt.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  raw.h raw_decrypt.c
 raw_encrypt.so raw_encrypt.po $(OUTPRE)raw_encrypt.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -18,9 +19,10 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h raw.h raw_encrypt.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  raw.h raw_encrypt.c
 raw_aead.so raw_aead.po $(OUTPRE)raw_aead.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
@@ -28,7 +30,8 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../aead.h \
-  $(srcdir)/../cksumtypes.h raw.h raw_aead.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../aead.h $(srcdir)/../cksumtypes.h raw.h \
+  raw_aead.c

Modified: trunk/src/lib/crypto/krb/yarrow/deps
===================================================================
--- trunk/src/lib/crypto/krb/yarrow/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/crypto/krb/yarrow/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -8,10 +8,11 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/sha1/shs.h yarrow.c yarrow.h \
-  ycipher.h yexcep.h $(srcdir)/../../builtin/yhash.h ylock.h ystate.h ytypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/sha1/shs.h \
+  $(srcdir)/../../builtin/yhash.h yarrow.c yarrow.h ycipher.h \
+  yexcep.h ylock.h ystate.h ytypes.h
 ycipher.so ycipher.po $(OUTPRE)ycipher.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
@@ -19,8 +20,8 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../../builtin/enc_provider/enc_provider.h \
-  $(srcdir)/../../builtin/sha1/shs.h yarrow.h ycipher.c \
-  ycipher.h $(srcdir)/../../builtin/yhash.h ytypes.h
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../../builtin/enc_provider/enc_provider.h \
+  $(srcdir)/../../builtin/sha1/shs.h $(srcdir)/../../builtin/yhash.h \
+  yarrow.h ycipher.c ycipher.h ytypes.h

Modified: trunk/src/lib/gssapi/krb5/deps
===================================================================
--- trunk/src/lib/gssapi/krb5/deps	2009-10-10 01:49:38 UTC (rev 22876)
+++ trunk/src/lib/gssapi/krb5/deps	2009-10-10 03:57:45 UTC (rev 22877)
@@ -9,12 +9,13 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h accept_sec_context.c \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  accept_sec_context.c gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h
 acquire_cred.so acquire_cred.po $(OUTPRE)acquire_cred.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -23,12 +24,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h acquire_cred.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  acquire_cred.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 add_cred.so add_cred.po $(OUTPRE)add_cred.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -37,12 +38,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h add_cred.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  add_cred.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 canon_name.so canon_name.po $(OUTPRE)canon_name.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -51,12 +52,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h canon_name.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  canon_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 compare_name.so compare_name.po $(OUTPRE)compare_name.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -65,12 +66,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h compare_name.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  compare_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 context_time.so context_time.po $(OUTPRE)context_time.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -79,12 +80,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h context_time.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  context_time.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 copy_ccache.so copy_ccache.po $(OUTPRE)copy_ccache.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -93,12 +94,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h copy_ccache.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  copy_ccache.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 delete_sec_context.so delete_sec_context.po $(OUTPRE)delete_sec_context.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -107,12 +108,13 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h delete_sec_context.c \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  delete_sec_context.c gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h
 disp_name.so disp_name.po $(OUTPRE)disp_name.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -121,12 +123,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h disp_name.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  disp_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 disp_status.so disp_status.po $(OUTPRE)disp_status.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -135,12 +137,13 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h disp_status.c error_map.h \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  disp_status.c error_map.h gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h
 duplicate_name.so duplicate_name.po $(OUTPRE)duplicate_name.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -149,12 +152,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h duplicate_name.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  duplicate_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 export_name.so export_name.po $(OUTPRE)export_name.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -163,12 +166,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h export_name.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  export_name.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 export_sec_context.so export_sec_context.po $(OUTPRE)export_sec_context.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -177,12 +180,13 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h export_sec_context.c \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  export_sec_context.c gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h
 get_tkt_flags.so get_tkt_flags.po $(OUTPRE)get_tkt_flags.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -191,12 +195,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h get_tkt_flags.c gssapiP_krb5.h \
-  gssapi_err_krb5.h gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  get_tkt_flags.c gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h
 gssapi_krb5.so gssapi_krb5.po $(OUTPRE)gssapi_krb5.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -205,13 +209,13 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  $(srcdir)/../mechglue/mechglue.h $(srcdir)/../mechglue/mglueP.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.c gssapi_krb5.h
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h $(srcdir)/../mechglue/mechglue.h \
+  $(srcdir)/../mechglue/mglueP.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.c gssapi_krb5.h
 import_name.so import_name.po $(OUTPRE)import_name.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -220,12 +224,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h import_name.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h import_name.c
 import_sec_context.so import_sec_context.po $(OUTPRE)import_sec_context.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -234,12 +238,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h import_sec_context.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h import_sec_context.c
 indicate_mechs.so indicate_mechs.po $(OUTPRE)indicate_mechs.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -248,13 +252,13 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  $(srcdir)/../mechglue/mechglue.h $(srcdir)/../mechglue/mglueP.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h indicate_mechs.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h $(srcdir)/../mechglue/mechglue.h \
+  $(srcdir)/../mechglue/mglueP.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h indicate_mechs.c
 init_sec_context.so init_sec_context.po $(OUTPRE)init_sec_context.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -263,12 +267,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h init_sec_context.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h init_sec_context.c
 inq_context.so inq_context.po $(OUTPRE)inq_context.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -277,12 +281,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h inq_context.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h inq_context.c
 inq_cred.so inq_cred.po $(OUTPRE)inq_cred.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -291,12 +295,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h inq_cred.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h inq_cred.c
 inq_names.so inq_names.po $(OUTPRE)inq_names.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -305,12 +309,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h inq_names.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h inq_names.c
 k5seal.so k5seal.po $(OUTPRE)k5seal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
@@ -319,11 +323,12 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
-  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5seal.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
+  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
+  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h k5seal.c
 k5sealiov.so k5sealiov.po $(OUTPRE)k5sealiov.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -332,12 +337,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h k5sealiov.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5sealiov.c
 k5sealv3.so k5sealv3.po $(OUTPRE)k5sealv3.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -346,12 +351,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h k5sealv3.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5sealv3.c
 k5sealv3iov.so k5sealv3iov.po $(OUTPRE)k5sealv3iov.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -360,12 +365,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h k5sealv3iov.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5sealv3iov.c
 k5unseal.so k5unseal.po $(OUTPRE)k5unseal.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -374,12 +379,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h k5unseal.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5unseal.c
 k5unsealiov.so k5unsealiov.po $(OUTPRE)k5unsealiov.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -388,12 +393,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h k5unsealiov.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h k5unsealiov.c
 krb5_gss_glue.so krb5_gss_glue.po $(OUTPRE)krb5_gss_glue.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -402,12 +407,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h krb5_gss_glue.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h krb5_gss_glue.c
 lucid_context.so lucid_context.po $(OUTPRE)lucid_context.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -416,12 +421,26 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h lucid_context.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h lucid_context.c
+naming_exts.so naming_exts.po $(OUTPRE)naming_exts.$(OBJEXT): \
+  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
+  $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h $(SRCTOP)/include/k5-err.h \
+  $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
+  $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
+  $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h naming_exts.c
 process_context_token.so process_context_token.po $(OUTPRE)process_context_token.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -430,12 +449,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h process_context_token.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h process_context_token.c
 rel_cred.so rel_cred.po $(OUTPRE)rel_cred.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -444,12 +463,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h rel_cred.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h rel_cred.c
 rel_oid.so rel_oid.po $(OUTPRE)rel_oid.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
@@ -458,11 +477,12 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
-  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h rel_oid.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
+  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
+  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h rel_oid.c
 rel_name.so rel_name.po $(OUTPRE)rel_name.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -471,12 +491,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h rel_name.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h rel_name.c
 s4u_gss_glue.so s4u_gss_glue.po $(OUTPRE)s4u_gss_glue.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -485,12 +505,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h s4u_gss_glue.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h s4u_gss_glue.c
 seal.so seal.po $(OUTPRE)seal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
@@ -499,11 +519,12 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
-  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h seal.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
+  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
+  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h seal.c
 set_allowable_enctypes.so set_allowable_enctypes.po \
   $(OUTPRE)set_allowable_enctypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \
@@ -513,11 +534,12 @@
   $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
   $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
   $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
-  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
-  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h set_allowable_enctypes.c
+  $(SRCTOP)/include/krb5/authdata_plugin.h $(SRCTOP)/include/krb5/locate_plugin.h \
+  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
+  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
+  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
+  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
+  gssapi_krb5.h set_allowable_enctypes.c
 ser_sctx.so ser_sctx.po $(OUTPRE)ser_sctx.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -526,12 +548,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(SRCTOP)/include/k5-plugin.h $(SRCTOP)/include/k5-thread.h \
-  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-  $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-  $(SRCTOP)/include/socket-utils.h $(srcdir)/../generic/gssapiP_generic.h \
-  $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \
-  ../generic/gssapi_err_generic.h gssapiP_krb5.h gssapi_err_krb5.h \
-  gssapi_krb5.h ser_sctx.c
+  $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/authdata_plugin.h \
+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+  $(srcdir)/../generic/gssapiP_generic.h $(srcdir)/../generic/gssapi_ext.h \
+  $(srcdir)/../generic/gssapi_generic.h ../generic/gssapi_err_generic.h \
+  gssapiP_krb5.h gssapi_err_krb5.h gssapi_krb5.h ser_sctx.c
 set_ccache.so set_ccache.po $(OUTPRE)set_ccache.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \
   $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/krb5/krb5.h \
@@ -540,12 +562,12 @@
   $(SRCTOP)/include/k5-gmt_mktime.h $(SRCTOP)/include/k5-int-pkinit.h \
   $(SRCTOP)/include/k5-int.h $(SRCTOP)/include/k5-platform.h \
   $(