krb5 commit: Move a bunch of stuff out of k5-int.h

Greg Hudson ghudson at MIT.EDU
Sun Mar 24 01:34:40 EDT 2013


https://github.com/krb5/krb5/commit/6c8fed1bb850b92d471b0741a452bb56354fc0e9
commit 6c8fed1bb850b92d471b0741a452bb56354fc0e9
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sun Mar 24 01:28:13 2013 -0400

    Move a bunch of stuff out of k5-int.h
    
    Move internal declarations from k5-int.h to more localized headers
    (like int-proto.h) where appropriate.  Rename many symbols whose
    prototypes were moved to use the k5_ prefix instead of krb5int_.
    Remove some unused declarations or move them to the single source file
    they were needed in.  Remove krb5_creds_compare since it isn't used
    any more.

 src/include/k5-int.h                   |  371 --------------------------------
 src/kdc/kdc_util.h                     |    3 -
 src/lib/crypto/builtin/des/des_int.h   |    9 -
 src/lib/crypto/nss/enc_provider/des.c  |    2 +-
 src/lib/crypto/nss/enc_provider/des3.c |    2 +-
 src/lib/krb5/ccache/cc-int.h           |   69 ++++++
 src/lib/krb5/ccache/cc_file.c          |    4 +-
 src/lib/krb5/ccache/cc_keyring.c       |    4 +-
 src/lib/krb5/ccache/cc_memory.c        |    7 +-
 src/lib/krb5/ccache/cc_mslsa.c         |    8 +-
 src/lib/krb5/ccache/cc_retr.c          |   95 +--------
 src/lib/krb5/ccache/ccapi/stdcc.c      |    9 +-
 src/lib/krb5/ccache/ccfns.c            |   12 +-
 src/lib/krb5/ccache/ser_cc.c           |    1 +
 src/lib/krb5/ccache/t_cc.c             |    1 +
 src/lib/krb5/keytab/kt-int.h           |    3 +
 src/lib/krb5/keytab/kt_file.c          |    9 +-
 src/lib/krb5/keytab/ktdefault.c        |    1 +
 src/lib/krb5/krb/copy_creds.c          |    7 +-
 src/lib/krb5/krb/enc_keyhelper.c       |    8 +-
 src/lib/krb5/krb/fast.c                |    1 +
 src/lib/krb5/krb/fwd_tgt.c             |    3 +-
 src/lib/krb5/krb/gen_save_subkey.c     |    8 +-
 src/lib/krb5/krb/get_creds.c           |    2 +-
 src/lib/krb5/krb/get_in_tkt.c          |   34 ++--
 src/lib/krb5/krb/gic_keytab.c          |   14 +-
 src/lib/krb5/krb/gic_opt.c             |   83 +++-----
 src/lib/krb5/krb/gic_opt_set_pa.c      |    4 +-
 src/lib/krb5/krb/gic_pwd.c             |   58 +++---
 src/lib/krb5/krb/in_tkt_sky.c          |   16 +-
 src/lib/krb5/krb/init_creds_ctx.h      |    7 +-
 src/lib/krb5/krb/init_ctx.c            |    8 +-
 src/lib/krb5/krb/int-proto.h           |  128 +++++++++++
 src/lib/krb5/krb/kfree.c               |    9 -
 src/lib/krb5/krb/mk_cred.c             |    7 +-
 src/lib/krb5/krb/mk_rep.c              |   13 +-
 src/lib/krb5/krb/mk_req_ext.c          |    6 +-
 src/lib/krb5/krb/preauth2.c            |    1 +
 src/lib/krb5/krb/preauth_sam2.c        |    7 +-
 src/lib/krb5/krb/s4u_creds.c           |    9 +-
 src/lib/krb5/krb/sendauth.c            |    3 +-
 src/lib/krb5/krb/ser_ctx.c             |    3 +-
 src/lib/krb5/krb/srv_dec_tkt.c         |   11 +-
 src/lib/krb5/krb/t_cc_config.c         |    5 +-
 src/lib/krb5/libkrb5.exports           |   15 +-
 src/lib/krb5/os/accessor.c             |    5 +-
 src/lib/krb5/os/def_realm.c            |    2 +
 src/lib/krb5/os/dnsglue.h              |   14 ++
 src/lib/krb5/os/hostaddr.c             |    5 +-
 src/lib/krb5/os/hst_realm.c            |   14 +-
 src/lib/krb5/os/init_os_ctx.c          |    6 +-
 src/lib/krb5/os/krbfileio.c            |    9 +-
 src/lib/krb5/os/localaddr.c            |    3 +-
 src/lib/krb5/os/locate_kdc.c           |   13 +-
 src/lib/krb5/os/os-proto.h             |   18 ++
 src/lib/krb5/os/prompter.c             |    3 +-
 src/lib/krb5/os/trace.c                |    3 +-
 src/lib/krb5/os/ustime.c               |    1 +
 src/lib/krb5/os/write_msg.c            |    6 +-
 src/lib/krb5_32.def                    |    1 -
 60 files changed, 455 insertions(+), 728 deletions(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index ed9f255..a8c1028 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -570,27 +570,8 @@ krb5_error_code krb5_unlock_file(krb5_context, int);
 krb5_error_code krb5_sendto_kdc(krb5_context, const krb5_data *,
                                 const krb5_data *, krb5_data *, int *, int);
 
-krb5_error_code krb5_create_secure_file(krb5_context, const char * pathname);
-krb5_error_code krb5_sync_disk_file(krb5_context, FILE *fp);
-
 krb5_error_code krb5int_init_context_kdc(krb5_context *);
 
-krb5_error_code krb5_os_init_context(krb5_context context, profile_t profile,
-                                     krb5_flags flags);
-
-void krb5_os_free_context(krb5_context);
-
-/* This function is needed by KfM's KerberosPreferences API
- * because it needs to be able to specify "secure" */
-krb5_error_code
-os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure);
-
-krb5_error_code
-krb5_os_hostaddr(krb5_context, const char *, krb5_address ***);
-
-krb5_error_code
-krb5int_get_domain_realm_mapping(krb5_context , const char *, char ***);
-
 struct derived_key {
     krb5_data constant;
     krb5_key dkey;
@@ -699,22 +680,8 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
                                                  const krb5_keyblock *from,
                                                  krb5_keyblock *to);
 
-#ifdef KRB5_OLD_CRYPTO
-/* old provider api */
-
-krb5_error_code krb5_crypto_os_localaddr(krb5_address ***);
-
 krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
 
-#endif /* KRB5_OLD_CRYPTO */
-
-/* this helper fct is in libkrb5, but it makes sense declared here. */
-
-krb5_error_code
-krb5_encrypt_keyhelper(krb5_context context, krb5_key key,
-                       krb5_keyusage keyusage, const krb5_data *plain,
-                       krb5_enc_data *cipher);
-
 /*
  * End "los-proto.h"
  */
@@ -727,12 +694,6 @@ typedef struct _krb5_os_context {
     char *                  default_ccname;
 } *krb5_os_context;
 
-/* Get the current time of day plus a specified offset. */
-krb5_error_code k5_time_with_offset(krb5_timestamp offset,
-                                    krb5_int32 offset_usec,
-                                    krb5_timestamp *time_out,
-                                    krb5_int32 *usec_out);
-
 /*
  * Flags for the os_flags field
  *
@@ -757,23 +718,6 @@ krb5_error_code k5_time_with_offset(krb5_timestamp offset,
 #define KRB5_LOCKMODE_UNLOCK    0x0008
 
 /*
- * Define our view of the size of a DES key.
- */
-#define KRB5_MIT_DES_KEYSIZE            8
-#define KRB5_MIT_DES3_KEYSIZE           24
-#define KRB5_MIT_DES3_KEY_BYTES         21
-
-/*
- * Check if des_int.h has been included before us.  If so, then check to see
- * that our view of the DES key size is the same as des_int.h's.
- */
-#ifdef  MIT_DES_KEYSIZE
-#if     MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
-error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
-#endif  /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
-#endif  /* MIT_DES_KEYSIZE */
-
-/*
  * Begin "preauth.h"
  *
  * (Originally written by Glen Machin at Sandia Labs.)
@@ -786,20 +730,6 @@ error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
 #ifndef KRB5_PREAUTH__
 #define KRB5_PREAUTH__
 
-#include <krb5/clpreauth_plugin.h>
-
-typedef struct k5_response_items_st k5_response_items;
-struct krb5_responder_context_st {
-    k5_response_items *items;
-};
-
-typedef krb5_error_code
-(*krb5_gic_get_as_key_fct)(krb5_context, krb5_principal, krb5_enctype,
-                           krb5_prompter_fct, void *prompter_data,
-                           krb5_data *salt, krb5_data *s2kparams,
-                           krb5_keyblock *as_key, void *gak_data,
-                           k5_response_items *ritems);
-
 typedef struct _krb5_pa_enc_ts {
     krb5_timestamp      patimestamp;
     krb5_int32          pausec;
@@ -897,168 +827,23 @@ typedef struct _krb5_iakerb_finished {
     krb5_checksum checksum;
 } krb5_iakerb_finished;
 
-typedef krb5_error_code
-(*krb5_preauth_obtain_proc)(krb5_context, krb5_pa_data *,
-                            krb5_etype_info, krb5_keyblock *,
-                            krb5_error_code (*)(krb5_context,
-                                                const krb5_enctype,
-                                                krb5_data *,
-                                                krb5_const_pointer,
-                                                krb5_keyblock **),
-                            krb5_const_pointer, krb5_creds *,
-                            krb5_kdc_req *, krb5_pa_data **);
-
-typedef krb5_error_code
-(*krb5_preauth_process_proc)(krb5_context, krb5_pa_data *, krb5_kdc_req *,
-                             krb5_kdc_rep *,
-                             krb5_error_code (*)(krb5_context,
-                                                 const krb5_enctype,
-                                                 krb5_data *,
-                                                 krb5_const_pointer,
-                                                 krb5_keyblock **),
-                             krb5_const_pointer,
-                             krb5_error_code (*)(krb5_context,
-                                                 const krb5_keyblock *,
-                                                 krb5_const_pointer,
-                                                 krb5_kdc_rep * ),
-                             krb5_keyblock **, krb5_creds *, krb5_int32 *,
-                             krb5_int32 *);
-
-typedef struct _krb5_preauth_ops {
-    krb5_magic magic;
-    int     type;
-    int flags;
-    krb5_preauth_obtain_proc    obtain;
-    krb5_preauth_process_proc   process;
-} krb5_preauth_ops;
-
 krb5_pa_data *
 krb5int_find_pa_data(krb5_context, krb5_pa_data *const *, krb5_preauthtype);
 /* Does not return a copy; original padata sequence responsible for freeing*/
 
 void krb5_free_etype_info(krb5_context, krb5_etype_info);
 
-/*
- * Preauthentication property flags
- */
-#define KRB5_PREAUTH_FLAGS_ENCRYPT      0x00000001
-#define KRB5_PREAUTH_FLAGS_HARDWARE     0x00000002
-
 #endif /* KRB5_PREAUTH__ */
 /*
  * End "preauth.h"
  */
 
-/*
- * Extending the krb5_get_init_creds_opt structure.  The original
- * krb5_get_init_creds_opt structure is defined publicly.  The
- * new extended version is private.  The original interface
- * assumed a pre-allocated structure which was passed to
- * krb5_get_init_creds_init().  The new interface assumes that
- * the caller will call krb5_get_init_creds_alloc() and
- * krb5_get_init_creds_free().
- *
- * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
- * opts structure using krb5_get_init_creds_alloc().  To do so will
- * introduce memory leaks.  Unfortunately, there is no way to enforce
- * this behavior.
- *
- * Two private flags are added for backward compatibility.
- * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
- * with the new krb5_get_init_creds_opt_alloc() function.
- * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
- * structure is a shadow copy of an original krb5_get_init_creds_opt
- * structure.
- * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
- * krb5int_gic_opt_to_opte(), the resulting extended structure should be
- * freed (using krb5_get_init_creds_free).  Otherwise, the original
- * structure was already extended and there is no need to free it.
- */
-
-#define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
-#define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
-
-#define krb5_gic_opt_is_extended(s)                                     \
-    ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
-#define krb5_gic_opt_is_shadowed(s)                                     \
-    ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
-
-
-typedef struct _krb5_gic_opt_private {
-    int num_preauth_data;
-    krb5_gic_opt_pa_data *preauth_data;
-    char * fast_ccache_name;
-    krb5_ccache in_ccache;
-    krb5_ccache out_ccache;
-    krb5_flags fast_flags;
-    krb5_expire_callback_func expire_cb;
-    void *expire_data;
-    krb5_responder_fn responder;
-    void *responder_data;
-} krb5_gic_opt_private;
-
-/*
- * On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
- * of krb5_get_init_creds_opt.
- */
-#if TARGET_OS_MAC
-#    pragma pack(push,2)
-#endif
-
-typedef struct _krb5_gic_opt_ext {
-    krb5_flags flags;
-    krb5_deltat tkt_life;
-    krb5_deltat renew_life;
-    int forwardable;
-    int proxiable;
-    krb5_enctype *etype_list;
-    int etype_list_length;
-    krb5_address **address_list;
-    krb5_preauthtype *preauth_list;
-    int preauth_list_length;
-    krb5_data *salt;
-    /*
-     * Do not change anything above this point in this structure.
-     * It is identical to the public krb5_get_init_creds_opt structure.
-     * New members must be added below.
-     */
-    krb5_gic_opt_private *opt_private;
-} krb5_gic_opt_ext;
-
-#if TARGET_OS_MAC
-#    pragma pack(pop)
-#endif
-
-krb5_error_code
-krb5int_gic_opt_to_opte(krb5_context context, krb5_get_init_creds_opt *opt,
-                        krb5_gic_opt_ext **opte, unsigned int force,
-                        const char *where);
-
 krb5_error_code
 krb5int_copy_data_contents(krb5_context, const krb5_data *, krb5_data *);
 
 krb5_error_code
 krb5int_copy_data_contents_add0(krb5_context, const krb5_data *, krb5_data *);
 
-krb5_error_code
-krb5int_copy_creds_contents(krb5_context, const krb5_creds *, krb5_creds *);
-
-krb5_error_code KRB5_CALLCONV
-krb5int_get_init_creds(krb5_context context, krb5_creds *creds,
-                       krb5_principal client, krb5_prompter_fct prompter,
-                       void *prompter_data, krb5_deltat start_time,
-                       const char *in_tkt_service,
-                       krb5_get_init_creds_opt *options,
-                       krb5_gic_get_as_key_fct gak, void *gak_data,
-                       int *master, krb5_kdc_rep **as_reply);
-
-krb5_error_code
-krb5int_populate_gic_opt (krb5_context, krb5_get_init_creds_opt **,
-                          krb5_flags options, krb5_address *const *addrs,
-                          krb5_enctype *ktypes,
-                          krb5_preauthtype *pre_auth_types, krb5_creds *creds);
-
-
 void KRB5_CALLCONV
 krb5_free_sam_challenge_2(krb5_context, krb5_sam_challenge_2 *);
 
@@ -1100,9 +885,6 @@ krb5_free_pa_s4u_x509_user(krb5_context, krb5_pa_s4u_x509_user *);
 void KRB5_CALLCONV
 krb5_free_pa_pac_req(krb5_context, krb5_pa_pac_req * );
 
-void KRB5_CALLCONV
-krb5_free_etype_list(krb5_context, krb5_etype_list * );
-
 void KRB5_CALLCONV krb5_free_fast_armor(krb5_context, krb5_fast_armor *);
 void KRB5_CALLCONV krb5_free_fast_armored_req(krb5_context,
                                               krb5_fast_armored_req *);
@@ -1961,57 +1743,11 @@ krb5_ser_unpack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
 krb5_error_code KRB5_CALLCONV
 krb5int_cc_default(krb5_context, krb5_ccache *);
 
-krb5_error_code KRB5_CALLCONV
-krb5_cc_retrieve_cred_default(krb5_context, krb5_ccache, krb5_flags,
-                              krb5_creds *, krb5_creds *);
-
-krb5_error_code
-krb5int_build_conf_principals(krb5_context context, krb5_ccache id,
-                              krb5_const_principal principal,
-                              const char *name, krb5_creds *cred);
-
-krb5_boolean KRB5_CALLCONV
-krb5_creds_compare(krb5_context in_context, krb5_creds *in_creds,
-                   krb5_creds *in_compare_creds);
-
-void
-krb5int_set_prompt_types(krb5_context, krb5_prompt_type *);
-
-krb5_error_code
-krb5int_generate_and_save_subkey(krb5_context, krb5_auth_context,
-                                 krb5_keyblock * /* Old keyblock, not new!  */,
-                                 krb5_enctype);
-
-struct srv_dns_entry {
-    struct srv_dns_entry *next;
-    int priority;
-    int weight;
-    unsigned short port;
-    char *host;
-};
-
-#define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
-
-#ifdef KRB5_DNS_LOOKUP
-krb5_error_code
-krb5int_make_srv_query_realm(const krb5_data *realm,
-                             const char *service,
-                             const char *protocol,
-                             struct srv_dns_entry **answers);
-void krb5int_free_srv_dns_data(struct srv_dns_entry *);
-#endif
-
 /* value to use when requesting a keytab entry and KVNO doesn't matter */
 #define IGNORE_VNO 0
 /* value to use when requesting a keytab entry and enctype doesn't matter */
 #define IGNORE_ENCTYPE 0
 
-/*
- * Convenience function for structure magic number
- */
-#define KRB5_VERIFY_MAGIC(structure,magic_number)                       \
-    if ((structure)->magic != (magic_number)) return (magic_number);
-
 /* to keep lint happy */
 #define krb5_xfree(val) free((char *)(val))
 
@@ -2146,82 +1882,6 @@ typedef struct _krb5int_access {
 krb5_error_code KRB5_CALLCONV
 krb5int_accessor(krb5int_access*, krb5_int32);
 
-/* Ick -- some krb524 and krb4 support placed in the krb5 library,
-   because AFS (and potentially other applications?) use the krb4
-   object as an opaque token, which (in some implementations) is not
-   in fact a krb4 ticket, so we don't want to drag in the krb4 support
-   just to enable this.  */
-
-#define KRB524_SERVICE "krb524"
-#define KRB524_PORT 4444
-
-/* temporary -- this should be under lib/krb5/ccache somewhere */
-
-struct _krb5_ccache {
-    krb5_magic magic;
-    const struct _krb5_cc_ops *ops;
-    krb5_pointer data;
-};
-
-/*
- * Per-type ccache cursor.
- */
-struct krb5_cc_ptcursor_s {
-    const struct _krb5_cc_ops *ops;
-    krb5_pointer data;
-};
-typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
-
-struct _krb5_cc_ops {
-    krb5_magic magic;
-    char *prefix;
-    const char * (KRB5_CALLCONV *get_name)(krb5_context, krb5_ccache);
-    krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, krb5_ccache *,
-                                             const char *);
-    krb5_error_code (KRB5_CALLCONV *gen_new)(krb5_context, krb5_ccache *);
-    krb5_error_code (KRB5_CALLCONV *init)(krb5_context, krb5_ccache,
-                                          krb5_principal);
-    krb5_error_code (KRB5_CALLCONV *destroy)(krb5_context, krb5_ccache);
-    krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_ccache);
-    krb5_error_code (KRB5_CALLCONV *store)(krb5_context, krb5_ccache,
-                                           krb5_creds *);
-    krb5_error_code (KRB5_CALLCONV *retrieve)(krb5_context, krb5_ccache,
-                                              krb5_flags, krb5_creds *,
-                                              krb5_creds *);
-    krb5_error_code (KRB5_CALLCONV *get_princ)(krb5_context, krb5_ccache,
-                                               krb5_principal *);
-    krb5_error_code (KRB5_CALLCONV *get_first)(krb5_context, krb5_ccache,
-                                               krb5_cc_cursor *);
-    krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_ccache,
-                                              krb5_cc_cursor *, krb5_creds *);
-    krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_ccache,
-                                             krb5_cc_cursor *);
-    krb5_error_code (KRB5_CALLCONV *remove_cred)(krb5_context, krb5_ccache,
-                                                 krb5_flags, krb5_creds *);
-    krb5_error_code (KRB5_CALLCONV *set_flags)(krb5_context, krb5_ccache,
-                                               krb5_flags);
-    krb5_error_code (KRB5_CALLCONV *get_flags)(krb5_context, krb5_ccache,
-                                               krb5_flags *);
-    krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
-                                                  krb5_cc_ptcursor *);
-    krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
-                                                   krb5_cc_ptcursor,
-                                                   krb5_ccache *);
-    krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
-                                                   krb5_cc_ptcursor *);
-    krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
-                                          krb5_ccache);
-    krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
-                                                krb5_ccache, krb5_timestamp *);
-    krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
-                                                krb5_timestamp *);
-    krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
-    krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
-    krb5_error_code (KRB5_CALLCONV *switch_to)(krb5_context, krb5_ccache);
-};
-
-extern const krb5_cc_ops *krb5_cc_dfl_ops;
-
 typedef struct _krb5_donot_replay {
     krb5_magic magic;
     krb5_ui_4 hash;
@@ -2310,10 +1970,6 @@ typedef struct _krb5_kt_ops {
     const krb5_ser_entry *serializer;
 } krb5_kt_ops;
 
-extern const krb5_kt_ops krb5_kt_dfl_ops;
-
-extern krb5_error_code krb5int_translate_gai_error(int);
-
 /* Not sure it's ready for exposure just yet.  */
 extern krb5_error_code
 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
@@ -2323,10 +1979,6 @@ krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
  */
 #define        KRB5_REFERRAL_MAXHOPS    10
 
-/* Common hostname-parsing code. */
-krb5_error_code
-krb5int_clean_hostname(krb5_context, const char *, char *, size_t);
-
 struct _krb5_kt {       /* should move into k5-int.h */
     krb5_magic magic;
     const struct _krb5_kt_ops *ops;
@@ -2378,9 +2030,6 @@ krb5_error_code KRB5_CALLCONV krb5_kt_register(krb5_context,
 krb5_error_code k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
                                     krb5_principal *princ_out);
 
-krb5_error_code k5_kt_client_default_name(krb5_context context,
-                                          char **name_out);
-
 krb5_error_code krb5_principal2salt_norealm(krb5_context, krb5_const_principal,
                                             krb5_data *);
 
@@ -2437,10 +2086,6 @@ krb5_error_code krb5_walk_realm_tree(krb5_context, const krb5_data *,
                                      int);
 
 krb5_error_code
-k5_client_realm_path(krb5_context context, const krb5_data *client,
-                     const krb5_data *server, krb5_data **rpath_out);
-
-krb5_error_code
 krb5_auth_con_set_safe_cksumtype(krb5_context, krb5_auth_context,
                                  krb5_cksumtype);
 
@@ -2470,15 +2115,8 @@ krb5_auth_con_set_authdata_context(krb5_context context,
                                    krb5_auth_context auth_context,
                                    krb5_authdata_context ad_context);
 
-krb5_error_code KRB5_CALLCONV
-krb5int_server_decrypt_ticket_keyblock(krb5_context context,
-                                       const krb5_keyblock *key,
-                                       krb5_ticket  *ticket);
-
 krb5_error_code krb5_read_message(krb5_context, krb5_pointer, krb5_data *);
 krb5_error_code krb5_write_message(krb5_context, krb5_pointer, krb5_data *);
-krb5_error_code krb5int_write_messages(krb5_context, krb5_pointer, krb5_data *,
-                                       int);
 int krb5_net_read(krb5_context, int , char *, int);
 int krb5_net_write(krb5_context, int , const char *, int);
 
@@ -2617,10 +2255,6 @@ krb5_error_code krb5int_parse_enctype_list(krb5_context context,
                                            krb5_enctype *default_list,
                                            krb5_enctype **result);
 
-/* Utility functions for zero-terminated enctype lists. */
-size_t k5_count_etypes(const krb5_enctype *list);
-krb5_error_code k5_copy_etypes(const krb5_enctype *old_list,
-                               krb5_enctype **new_list);
 krb5_boolean k5_etypes_contains(const krb5_enctype *list, krb5_enctype etype);
 
 #ifdef DEBUG_ERROR_LOCATIONS
@@ -2635,9 +2269,4 @@ krb5_set_error_message_fl(krb5_context ctx, krb5_error_code code,
 #endif
     ;
 
-#ifndef DISABLE_TRACING
-/* Do not use these functions directly; see k5-trace.h. */
-void krb5int_init_trace(krb5_context context);
-#endif
-
 #endif /* _KRB5_INT_H */
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index e9d1ae3..8fff99c 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -371,9 +371,6 @@ kdc_handle_protected_negotiation( krb5_context context,
                                   krb5_data *req_pkt, krb5_kdc_req *request,
                                   const krb5_keyblock *reply_key,
                                   krb5_pa_data ***out_enc_padata);
-krb5_error_code
-krb5int_get_domain_realm_mapping(krb5_context context,
-                                 const char *host, char ***realmsp);
 
 /* Information handle for kdcpreauth callbacks.  All pointers are aliases. */
 struct krb5_kdcpreauth_rock_st {
diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h
index 2338a9c..0801cb5 100644
--- a/src/lib/crypto/builtin/des/des_int.h
+++ b/src/lib/crypto/builtin/des/des_int.h
@@ -137,15 +137,6 @@ typedef struct mit_des_ran_key_seed {
 
 #define MIT_DES_CBC_CKSUM_LENGTH        (4*sizeof(krb5_octet))
 
-/*
- * Check if k5-int.h has been included before us.  If so, then check to see
- * that our view of the DES key size is the same as k5-int.h's.
- */
-#ifdef  KRB5_MIT_DES_KEYSIZE
-#if     MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
-error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
-#endif  /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
-#endif  /* KRB5_MIT_DES_KEYSIZE */
 #endif /* KRB5_MIT_DES__ */
 /*
  * End "mit-des.h"
diff --git a/src/lib/crypto/nss/enc_provider/des.c b/src/lib/crypto/nss/enc_provider/des.c
index 3b96617..bb1f1c0 100644
--- a/src/lib/crypto/nss/enc_provider/des.c
+++ b/src/lib/crypto/nss/enc_provider/des.c
@@ -79,7 +79,7 @@ k5_des_cbc_mac(krb5_key key, const krb5_crypto_iov *data, size_t num_data,
 
 const struct krb5_enc_provider krb5int_enc_des = {
     8,
-    7, KRB5_MIT_DES_KEYSIZE,
+    7, 8,
     k5_des_encrypt_iov,
     k5_des_decrypt_iov,
     k5_des_cbc_mac,
diff --git a/src/lib/crypto/nss/enc_provider/des3.c b/src/lib/crypto/nss/enc_provider/des3.c
index de3f3c9..6217709 100644
--- a/src/lib/crypto/nss/enc_provider/des3.c
+++ b/src/lib/crypto/nss/enc_provider/des3.c
@@ -64,7 +64,7 @@ k5_des3_decrypt_iov(krb5_key key, const krb5_data *ivec,
 
 const struct krb5_enc_provider krb5int_enc_des3 = {
     8,
-    21, KRB5_MIT_DES3_KEYSIZE,
+    21, 24,
     k5_des3_encrypt_iov,
     k5_des3_decrypt_iov,
     NULL,
diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
index 9c24f20..c29fbec 100644
--- a/src/lib/krb5/ccache/cc-int.h
+++ b/src/lib/krb5/ccache/cc-int.h
@@ -32,6 +32,16 @@
 
 #include "k5-int.h"
 
+struct _krb5_ccache {
+    krb5_magic magic;
+    const struct _krb5_cc_ops *ops;
+    krb5_pointer data;
+};
+
+krb5_error_code
+k5_cc_retrieve_cred_default(krb5_context, krb5_ccache, krb5_flags,
+                            krb5_creds *, krb5_creds *);
+
 krb5_boolean
 krb5int_cc_creds_match_request(krb5_context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds);
 
@@ -123,4 +133,63 @@ krb5_error_code
 ccselect_k5identity_initvt(krb5_context context, int maj_ver, int min_ver,
                            krb5_plugin_vtable vtable);
 
+/*
+ * Per-type ccache cursor.
+ */
+struct krb5_cc_ptcursor_s {
+    const struct _krb5_cc_ops *ops;
+    krb5_pointer data;
+};
+typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
+
+struct _krb5_cc_ops {
+    krb5_magic magic;
+    char *prefix;
+    const char * (KRB5_CALLCONV *get_name)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, krb5_ccache *,
+                                             const char *);
+    krb5_error_code (KRB5_CALLCONV *gen_new)(krb5_context, krb5_ccache *);
+    krb5_error_code (KRB5_CALLCONV *init)(krb5_context, krb5_ccache,
+                                          krb5_principal);
+    krb5_error_code (KRB5_CALLCONV *destroy)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV *store)(krb5_context, krb5_ccache,
+                                           krb5_creds *);
+    krb5_error_code (KRB5_CALLCONV *retrieve)(krb5_context, krb5_ccache,
+                                              krb5_flags, krb5_creds *,
+                                              krb5_creds *);
+    krb5_error_code (KRB5_CALLCONV *get_princ)(krb5_context, krb5_ccache,
+                                               krb5_principal *);
+    krb5_error_code (KRB5_CALLCONV *get_first)(krb5_context, krb5_ccache,
+                                               krb5_cc_cursor *);
+    krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_ccache,
+                                              krb5_cc_cursor *, krb5_creds *);
+    krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_ccache,
+                                             krb5_cc_cursor *);
+    krb5_error_code (KRB5_CALLCONV *remove_cred)(krb5_context, krb5_ccache,
+                                                 krb5_flags, krb5_creds *);
+    krb5_error_code (KRB5_CALLCONV *set_flags)(krb5_context, krb5_ccache,
+                                               krb5_flags);
+    krb5_error_code (KRB5_CALLCONV *get_flags)(krb5_context, krb5_ccache,
+                                               krb5_flags *);
+    krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
+                                                  krb5_cc_ptcursor *);
+    krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
+                                                   krb5_cc_ptcursor,
+                                                   krb5_ccache *);
+    krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
+                                                   krb5_cc_ptcursor *);
+    krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
+                                          krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
+                                                krb5_ccache, krb5_timestamp *);
+    krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
+                                                krb5_timestamp *);
+    krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV *switch_to)(krb5_context, krb5_ccache);
+};
+
+extern const krb5_cc_ops *krb5_cc_dfl_ops;
+
 #endif /* __KRB5_CCACHE_H__ */
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index 3613379..3879db5 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -2178,8 +2178,8 @@ done:
 static krb5_error_code KRB5_CALLCONV
 krb5_fcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
 {
-    return krb5_cc_retrieve_cred_default (context, id, whichfields,
-                                          mcreds, creds);
+    return k5_cc_retrieve_cred_default(context, id, whichfields, mcreds,
+                                       creds);
 }
 
 
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index fd1bcec..7f1a641 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -968,8 +968,8 @@ krb5_krcc_retrieve(krb5_context context, krb5_ccache id,
 {
     DEBUG_PRINT(("krb5_krcc_retrieve: entered\n"));
 
-    return krb5_cc_retrieve_cred_default(context, id, whichfields,
-                                         mcreds, creds);
+    return k5_cc_retrieve_cred_default(context, id, whichfields, mcreds,
+                                       creds);
 }
 
 /*
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index aa3d89d..b774251 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -25,6 +25,7 @@
  */
 
 #include "cc-int.h"
+#include "../krb/int-proto.h"
 #include <errno.h>
 
 static krb5_error_code KRB5_CALLCONV krb5_mcc_close
@@ -383,7 +384,7 @@ krb5_mcc_next_cred(krb5_context context, krb5_ccache id,
         return KRB5_CC_END;
     memset(creds, 0, sizeof(krb5_creds));
     if (mcursor->creds) {
-        retval = krb5int_copy_creds_contents(context, mcursor->creds, creds);
+        retval = k5_copy_creds_contents(context, mcursor->creds, creds);
         if (retval)
             return retval;
     }
@@ -607,8 +608,8 @@ krb5_error_code KRB5_CALLCONV
 krb5_mcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
                   krb5_creds *mcreds, krb5_creds *creds)
 {
-    return krb5_cc_retrieve_cred_default (context, id, whichfields,
-                                          mcreds, creds);
+    return k5_cc_retrieve_cred_default(context, id, whichfields, mcreds,
+                                       creds);
 }
 
 /*
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index bfaae65..416a7a5 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -2488,7 +2488,8 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
     memset(&fetchcreds, 0, sizeof(krb5_creds));
 
     /* first try to find out if we have an existing ticket which meets the requirements */
-    kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds);
+    kret = k5_cc_retrieve_cred_default(context, id, whichfields, mcreds,
+                                       creds);
     /* This sometimes returns a zero-length ticket; work around it. */
     if ( !kret && creds->ticket.length > 0 )
         return KRB5_OK;
@@ -2506,7 +2507,8 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
     }
 
     /* try again to find out if we have an existing ticket which meets the requirements */
-    kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds);
+    kret = k5_cc_retrieve_cred_default(context, id, whichfields, mcreds,
+                                       creds);
     /* This sometimes returns a zero-length ticket; work around it. */
     if ( !kret && creds->ticket.length > 0 )
         goto cleanup;
@@ -2570,7 +2572,7 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
 
 
     /* check to see if this ticket matches the request using logic from
-     * krb5_cc_retrieve_cred_default()
+     * k5_cc_retrieve_cred_default()
      */
     if ( krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds) ) {
         *creds = fetchcreds;
diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index 23d0361..960c9c9 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -266,8 +266,10 @@ krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id,
         return nomatch_err;
 }
 
-krb5_error_code KRB5_CALLCONV
-krb5_cc_retrieve_cred_default (krb5_context context, krb5_ccache id, krb5_flags flags, krb5_creds *mcreds, krb5_creds *creds)
+krb5_error_code
+k5_cc_retrieve_cred_default(krb5_context context, krb5_ccache id,
+                            krb5_flags flags, krb5_creds *mcreds,
+                            krb5_creds *creds)
 {
     krb5_enctype *ktypes;
     int nktypes;
@@ -288,92 +290,3 @@ krb5_cc_retrieve_cred_default (krb5_context context, krb5_ccache id, krb5_flags
                                           0, 0);
     }
 }
-
-/* The following function duplicates some of the functionality above and */
-/* should probably be merged with it at some point.  It is used by the   */
-/* CCAPI krb5_cc_remove to figure out if the opaque credentials object   */
-/* returned by the CCAPI is the same creds as the caller passed in.      */
-/* Unlike the code above it requires that all structures be identical.   */
-
-krb5_boolean KRB5_CALLCONV
-krb5_creds_compare (krb5_context in_context,
-                    krb5_creds *in_creds,
-                    krb5_creds *in_compare_creds)
-{
-    /* Set to 0 when we hit the first mismatch and then fall through */
-    int equal = 1;
-
-    if (equal) {
-        equal = krb5_principal_compare (in_context, in_creds->client,
-                                        in_compare_creds->client);
-    }
-
-    if (equal) {
-        equal = krb5_principal_compare (in_context, in_creds->server,
-                                        in_compare_creds->server);
-    }
-
-    if (equal) {
-        equal = (in_creds->keyblock.enctype == in_compare_creds->keyblock.enctype &&
-                 in_creds->keyblock.length  == in_compare_creds->keyblock.length &&
-                 (!in_creds->keyblock.length ||
-                  !memcmp (in_creds->keyblock.contents, in_compare_creds->keyblock.contents,
-                           in_creds->keyblock.length)));
-    }
-
-    if (equal) {
-        equal = (in_creds->times.authtime   == in_compare_creds->times.authtime &&
-                 in_creds->times.starttime  == in_compare_creds->times.starttime &&
-                 in_creds->times.endtime    == in_compare_creds->times.endtime &&
-                 in_creds->times.renew_till == in_compare_creds->times.renew_till);
-    }
-
-    if (equal) {
-        equal = (in_creds->is_skey == in_compare_creds->is_skey);
-    }
-
-    if (equal) {
-        equal = (in_creds->ticket_flags == in_compare_creds->ticket_flags);
-    }
-
-    if (equal) {
-        krb5_address **addresses = in_creds->addresses;
-        krb5_address **compare_addresses = in_compare_creds->addresses;
-        unsigned int i;
-
-        if (addresses && compare_addresses) {
-            for (i = 0; (equal && addresses[i] && compare_addresses[i]); i++) {
-                equal = krb5_address_compare (in_context, addresses[i],
-                                              compare_addresses[i]);
-            }
-            if (equal) { equal = (!addresses[i] && !compare_addresses[i]); }
-        } else {
-            if (equal) { equal = (!addresses && !compare_addresses); }
-        }
-    }
-
-    if (equal) {
-        equal = data_eq(in_creds->ticket, in_compare_creds->ticket);
-    }
-
-    if (equal) {
-        equal = data_eq(in_creds->second_ticket, in_compare_creds->second_ticket);
-    }
-
-    if (equal) {
-        krb5_authdata **authdata = in_creds->authdata;
-        krb5_authdata **compare_authdata = in_compare_creds->authdata;
-        unsigned int i;
-
-        if (authdata && compare_authdata) {
-            for (i = 0; (equal && authdata[i] && compare_authdata[i]); i++) {
-                equal = authdata_eq(*authdata[i], *compare_authdata[i]);
-            }
-            if (equal) { equal = (!authdata[i] && !compare_authdata[i]); }
-        } else {
-            if (equal) { equal = (!authdata && !compare_authdata); }
-        }
-    }
-
-    return equal;
-}
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
index 555a961..0256a0a 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc.c
@@ -32,6 +32,7 @@
 #if defined(_WIN32) || defined(USE_CCAPI)
 
 #include "k5-int.h"
+#include "../cc-int.h"
 #include "stdcc.h"
 #include "stdcc_util.h"
 #include "string.h"
@@ -620,8 +621,8 @@ krb5_stdccv3_retrieve (krb5_context context,
                        krb5_creds *mcreds,
                        krb5_creds *creds)
 {
-    return krb5_cc_retrieve_cred_default (context, id, whichfields,
-                                          mcreds, creds);
+    return k5_cc_retrieve_cred_default(context, id, whichfields, mcreds,
+                                       creds);
 }
 
 /*
@@ -1487,8 +1488,8 @@ krb5_stdcc_retrieve(context, id, whichfields, mcreds, creds)
     krb5_creds *mcreds;
     krb5_creds *creds;
 {
-    return krb5_cc_retrieve_cred_default (context, id, whichfields,
-                                          mcreds, creds);
+    return k5_cc_retrieve_cred_default(context, id, whichfields, mcreds,
+                                       creds);
 }
 
 #endif
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index a621560..419150a 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -25,6 +25,8 @@
  */
 
 #include "k5-int.h"
+#include "cc-int.h"
+#include "../krb/int-proto.h"
 
 const char * KRB5_CALLCONV
 krb5_cc_get_name(krb5_context context, krb5_ccache cache)
@@ -213,9 +215,9 @@ static const char conf_realm[] = "X-CACHECONF:";
 static const char conf_name[] = "krb5_ccache_conf_data";
 
 krb5_error_code
-krb5int_build_conf_principals(krb5_context context, krb5_ccache id,
-                              krb5_const_principal principal,
-                              const char *name, krb5_creds *cred)
+k5_build_conf_principals(krb5_context context, krb5_ccache id,
+                         krb5_const_principal principal,
+                         const char *name, krb5_creds *cred)
 {
     krb5_principal client;
     krb5_error_code ret;
@@ -277,7 +279,7 @@ krb5_cc_set_config(krb5_context context, krb5_ccache id,
 
     TRACE_CC_SET_CONFIG(context, id, principal, key, data);
 
-    ret = krb5int_build_conf_principals(context, id, principal, key, &cred);
+    ret = k5_build_conf_principals(context, id, principal, key, &cred);
     if (ret)
         goto out;
 
@@ -311,7 +313,7 @@ krb5_cc_get_config(krb5_context context, krb5_ccache id,
     memset(&cred, 0, sizeof(cred));
     memset(data, 0, sizeof(*data));
 
-    ret = krb5int_build_conf_principals(context, id, principal, key, &mcred);
+    ret = k5_build_conf_principals(context, id, principal, key, &mcred);
     if (ret)
         goto out;
 
diff --git a/src/lib/krb5/ccache/ser_cc.c b/src/lib/krb5/ccache/ser_cc.c
index 3821b0e..fdfc5e4 100644
--- a/src/lib/krb5/ccache/ser_cc.c
+++ b/src/lib/krb5/ccache/ser_cc.c
@@ -25,6 +25,7 @@
  */
 
 #include "k5-int.h"
+#include "cc-int.h"
 
 /*
  * Routines to deal with externalizing krb5_ccache.
diff --git a/src/lib/krb5/ccache/t_cc.c b/src/lib/krb5/ccache/t_cc.c
index e14ae7f..1c11272 100644
--- a/src/lib/krb5/ccache/t_cc.c
+++ b/src/lib/krb5/ccache/t_cc.c
@@ -25,6 +25,7 @@
  */
 
 #include "k5-int.h"
+#include "cc-int.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include "autoconf.h"
diff --git a/src/lib/krb5/keytab/kt-int.h b/src/lib/krb5/keytab/kt-int.h
index ebefe80..b55118e 100644
--- a/src/lib/krb5/keytab/kt-int.h
+++ b/src/lib/krb5/keytab/kt-int.h
@@ -41,4 +41,7 @@ void krb5int_kt_finalize(void);
 int krb5int_mkt_initialize(void);
 
 void krb5int_mkt_finalize(void);
+
+extern const krb5_kt_ops krb5_kt_dfl_ops;
+
 #endif /* __KRB5_KEYTAB_INT_H__ */
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index d2aa88b..d34e748 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -54,6 +54,7 @@
 #ifndef LEAN_CLIENT
 
 #include "k5-int.h"
+#include "../os/os-proto.h"
 #include <stdio.h>
 
 /*
@@ -1045,7 +1046,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
     if (!KTFILEP(id)) {
         if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
             /* try making it first time around */
-            krb5_create_secure_file(context, KTFILENAME(id));
+            k5_create_secure_file(context, KTFILENAME(id));
             errno = 0;
             KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
             if (!KTFILEP(id))
@@ -1185,7 +1186,7 @@ krb5_ktfileint_delete_entry(krb5_context context, krb5_keytab id, krb5_int32 del
             }
         }
 
-        return krb5_sync_disk_file(context, KTFILEP(id));
+        return k5_sync_disk_file(context, KTFILEP(id));
     }
 
     return 0;
@@ -1530,7 +1531,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
     if (fflush(KTFILEP(id)))
         goto abend;
 
-    retval = krb5_sync_disk_file(context, KTFILEP(id));
+    retval = k5_sync_disk_file(context, KTFILEP(id));
 
     if (retval) {
         return retval;
@@ -1546,7 +1547,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
     }
     if (fflush(KTFILEP(id)))
         goto abend;
-    retval = krb5_sync_disk_file(context, KTFILEP(id));
+    retval = k5_sync_disk_file(context, KTFILEP(id));
 
     return retval;
 }
diff --git a/src/lib/krb5/keytab/ktdefault.c b/src/lib/krb5/keytab/ktdefault.c
index 2b1c298..482d52a 100644
--- a/src/lib/krb5/keytab/ktdefault.c
+++ b/src/lib/krb5/keytab/ktdefault.c
@@ -30,6 +30,7 @@
  */
 
 #include "k5-int.h"
+#include "../os/os-proto.h"
 #include <stdio.h>
 
 #ifndef LEAN_CLIENT
diff --git a/src/lib/krb5/krb/copy_creds.c b/src/lib/krb5/krb/copy_creds.c
index 42372a1..1de56dc 100644
--- a/src/lib/krb5/krb/copy_creds.c
+++ b/src/lib/krb5/krb/copy_creds.c
@@ -25,6 +25,7 @@
  */
 
 #include "k5-int.h"
+#include "int-proto.h"
 
 /*
  * Copy credentials, allocating fresh storage where needed.
@@ -39,7 +40,7 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out
     if (!(tempcred = (krb5_creds *)malloc(sizeof(*tempcred))))
         return ENOMEM;
 
-    retval = krb5int_copy_creds_contents(context, incred, tempcred);
+    retval = k5_copy_creds_contents(context, incred, tempcred);
     if (retval)
         free(tempcred);
     else
@@ -54,8 +55,8 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out
  * output structure is garbage and its contents should be ignored.
  */
 krb5_error_code
-krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
-                            krb5_creds *tempcred)
+k5_copy_creds_contents(krb5_context context, const krb5_creds *incred,
+                       krb5_creds *tempcred)
 {
     krb5_error_code retval;
     krb5_data *scratch;
diff --git a/src/lib/krb5/krb/enc_keyhelper.c b/src/lib/krb5/krb/enc_keyhelper.c
index 40ac4af..6878b25 100644
--- a/src/lib/krb5/krb/enc_keyhelper.c
+++ b/src/lib/krb5/krb/enc_keyhelper.c
@@ -24,16 +24,14 @@
  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * krb5_encrypt_keyhelper()
- *
  */
 
 #include "k5-int.h"
+#include "int-proto.h"
 
 krb5_error_code
-krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
-                       const krb5_data *plain, krb5_enc_data *cipher)
+k5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
+                     const krb5_data *plain, krb5_enc_data *cipher)
 {
     krb5_enctype enctype;
     krb5_error_code ret;
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 5e37b45..4555b71 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -25,6 +25,7 @@
  */
 
 #include <k5-int.h>
+#include "int-proto.h"
 
 /*
  * It is possible to support sending a request that includes both a FAST and
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 2e55066..250af3a 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -29,6 +29,7 @@
 #include <memory.h>
 #endif
 #include "int-proto.h"
+#include "os-proto.h"
 
 /* helper function: convert flags to necessary KDC options */
 #define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
@@ -137,7 +138,7 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context,
             free_rhost = 1;
         }
 
-        retval = krb5_os_hostaddr(context, rhost, &addrs);
+        retval = k5_os_hostaddr(context, rhost, &addrs);
         if (retval)
             goto errout;
     }
diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c
index 801eed4..61f36aa 100644
--- a/src/lib/krb5/krb/gen_save_subkey.c
+++ b/src/lib/krb5/krb/gen_save_subkey.c
@@ -25,13 +25,13 @@
  */
 
 #include "k5-int.h"
+#include "int-proto.h"
 #include "auth_con.h"
 
 krb5_error_code
-krb5int_generate_and_save_subkey(krb5_context context,
-                                 krb5_auth_context auth_context,
-                                 krb5_keyblock *keyblock,
-                                 krb5_enctype enctype)
+k5_generate_and_save_subkey(krb5_context context,
+                            krb5_auth_context auth_context,
+                            krb5_keyblock *keyblock, krb5_enctype enctype)
 {
     /* Provide some more fodder for random number code.
        This isn't strong cryptographically; the point here is not
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 9e28f48..fc74c16 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -1103,7 +1103,7 @@ krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx,
 {
     if (ctx->state != STATE_COMPLETE)
         return KRB5_NO_TKT_SUPPLIED;
-    return krb5int_copy_creds_contents(context, ctx->reply_creds, creds);
+    return k5_copy_creds_contents(context, ctx->reply_creds, creds);
 }
 
 krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index dfec991..e5fd554 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -491,7 +491,7 @@ krb5_init_creds_free(krb5_context context,
     if (ctx == NULL)
         return;
 
-    if (ctx->opte != NULL && krb5_gic_opt_is_shadowed(ctx->opte)) {
+    if (ctx->opte != NULL && gic_opt_is_shadowed(ctx->opte)) {
         krb5_get_init_creds_opt_free(context,
                                      (krb5_get_init_creds_opt *)ctx->opte);
     }
@@ -584,7 +584,7 @@ krb5_init_creds_get_creds(krb5_context context,
     if (!ctx->complete)
         return KRB5_NO_TKT_SUPPLIED;
 
-    return krb5int_copy_creds_contents(context, &ctx->cred, creds);
+    return k5_copy_creds_contents(context, &ctx->cred, creds);
 }
 
 krb5_error_code KRB5_CALLCONV
@@ -808,8 +808,8 @@ krb5_init_creds_init(krb5_context context,
         options = &local_opts;
     }
 
-    code = krb5int_gic_opt_to_opte(context, options,
-                                   &ctx->opte, 1, "krb5_init_creds_init");
+    code = k5_gic_opt_to_opte(context, options, &ctx->opte, 1,
+                              "krb5_init_creds_init");
     if (code != 0)
         goto cleanup;
 
@@ -1706,18 +1706,12 @@ cleanup:
 }
 
 krb5_error_code KRB5_CALLCONV
-krb5int_get_init_creds(krb5_context context,
-                       krb5_creds *creds,
-                       krb5_principal client,
-                       krb5_prompter_fct prompter,
-                       void *prompter_data,
-                       krb5_deltat start_time,
-                       const char *in_tkt_service,
-                       krb5_get_init_creds_opt *options,
-                       krb5_gic_get_as_key_fct gak_fct,
-                       void *gak_data,
-                       int  *use_master,
-                       krb5_kdc_rep **as_reply)
+k5_get_init_creds(krb5_context context, krb5_creds *creds,
+                  krb5_principal client, krb5_prompter_fct prompter,
+                  void *prompter_data, krb5_deltat start_time,
+                  const char *in_tkt_service, krb5_get_init_creds_opt *options,
+                  get_as_key_fn gak_fct, void *gak_data, int *use_master,
+                  krb5_kdc_rep **as_reply)
 {
     krb5_error_code code;
     krb5_init_creds_context ctx = NULL;
@@ -1761,10 +1755,10 @@ cleanup:
 }
 
 krb5_error_code
-krb5int_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
-                         krb5_flags options, krb5_address *const *addrs,
-                         krb5_enctype *ktypes,
-                         krb5_preauthtype *pre_auth_types, krb5_creds *creds)
+k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
+                    krb5_flags options, krb5_address *const *addrs,
+                    krb5_enctype *ktypes, krb5_preauthtype *pre_auth_types,
+                    krb5_creds *creds)
 {
     int i;
     krb5_int32 starttime;
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 9eef375..4c2942e 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -338,9 +338,8 @@ krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
     krb5_principal client_princ, server_princ;
     int use_master = 0;
 
-    retval = krb5int_populate_gic_opt(context, &opts,
-                                      options, addrs, ktypes,
-                                      pre_auth_types, creds);
+    retval = k5_populate_gic_opt(context, &opts, options, addrs, ktypes,
+                                 pre_auth_types, creds);
     if (retval)
         return retval;
 
@@ -356,11 +355,10 @@ krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
         goto cleanup;
     server_princ = creds->server;
     client_princ = creds->client;
-    retval = krb5int_get_init_creds(context, creds, creds->client,
-                                    krb5_prompter_posix,  NULL,
-                                    0, server, opts,
-                                    get_as_key_keytab, (void *)keytab,
-                                    &use_master, ret_as_reply);
+    retval = k5_get_init_creds(context, creds, creds->client,
+                               krb5_prompter_posix,  NULL, 0, server, opts,
+                               get_as_key_keytab, (void *)keytab, &use_master,
+                               ret_as_reply);
     krb5_free_unparsed_name( context, server);
     if (retval) {
         goto cleanup;
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index dddabf7..40a51d7 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -1,6 +1,7 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 #include "k5-int.h"
 #include "int-proto.h"
+#include <krb5/clpreauth_plugin.h>
 
 static void
 init_common(krb5_get_init_creds_opt *opt)
@@ -100,32 +101,6 @@ krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
         opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
 }
 
-/*
- * Extending the krb5_get_init_creds_opt structure.  The original
- * krb5_get_init_creds_opt structure is defined publicly.  The
- * new extended version is private.  The original interface
- * assumed a pre-allocated structure which was passed to
- * krb5_get_init_creds_init().  The new interface assumes that
- * the caller will call krb5_get_init_creds_alloc() and
- * krb5_get_init_creds_free().
- *
- * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
- * opts structure using krb5_get_init_creds_alloc().  To do so will
- * introduce memory leaks.  Unfortunately, there is no way to enforce
- * this behavior.
- *
- * Two private flags are added for backward compatibility.
- * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
- * with the new krb5_get_init_creds_opt_alloc() function.
- * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
- * structure is a shadow copy of an original krb5_get_init_creds_opt
- * structure.
- * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
- * krb5int_gic_opt_to_opte(), the resulting extended structure should be
- * freed (using krb5_get_init_creds_free).  Otherwise, the original
- * structure was already extended and there is no need to free it.
- */
-
 /* Forward prototype */
 static void
 free_gic_opt_ext_preauth_data(krb5_context context,
@@ -134,7 +109,7 @@ free_gic_opt_ext_preauth_data(krb5_context context,
 static krb5_error_code
 gic_opte_private_alloc(krb5_context context, krb5_gic_opt_ext *opte)
 {
-    if (NULL == opte || !krb5_gic_opt_is_extended(opte))
+    if (NULL == opte || !gic_opt_is_extended(opte))
         return EINVAL;
 
     opte->opt_private = calloc(1, sizeof(*opte->opt_private));
@@ -150,7 +125,7 @@ gic_opte_private_alloc(krb5_context context, krb5_gic_opt_ext *opte)
 static krb5_error_code
 gic_opte_private_free(krb5_context context, krb5_gic_opt_ext *opte)
 {
-    if (NULL == opte || !krb5_gic_opt_is_extended(opte))
+    if (NULL == opte || !gic_opt_is_extended(opte))
         return EINVAL;
 
     /* Free up any private stuff */
@@ -172,7 +147,7 @@ gic_opte_alloc(krb5_context context)
     opte = calloc(1, sizeof(*opte));
     if (NULL == opte)
         return NULL;
-    opte->flags = KRB5_GET_INIT_CREDS_OPT_EXTENDED;
+    opte->flags = GIC_OPT_EXTENDED;
 
     code = gic_opte_private_alloc(context, opte);
     if (code) {
@@ -214,7 +189,7 @@ krb5_get_init_creds_opt_free(krb5_context context,
         return;
 
     /* Don't touch it if we didn't allocate it */
-    if (!krb5_gic_opt_is_extended(opt))
+    if (!gic_opt_is_extended(opt))
         return;
 
     opte = (krb5_gic_opt_ext *)opt;
@@ -257,8 +232,7 @@ gic_opte_copy(krb5_context context,
      * here will be freed by the library because the
      * application is unaware of its existence.
      */
-    oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
-                   KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+    oe->flags |= (GIC_OPT_EXTENDED | GIC_OPT_SHADOWED);
 
     *opte = oe;
     return 0;
@@ -275,13 +249,11 @@ gic_opte_copy(krb5_context context,
  * cases where the original *should* be an extended structure.
  */
 krb5_error_code
-krb5int_gic_opt_to_opte(krb5_context context,
-                        krb5_get_init_creds_opt *opt,
-                        krb5_gic_opt_ext **opte,
-                        unsigned int force,
-                        const char *where)
+k5_gic_opt_to_opte(krb5_context context, krb5_get_init_creds_opt *opt,
+                   krb5_gic_opt_ext **opte, unsigned int force,
+                   const char *where)
 {
-    if (!krb5_gic_opt_is_extended(opt)) {
+    if (!gic_opt_is_extended(opt)) {
         if (force) {
             return gic_opte_copy(context, opt, opte);
         } else {
@@ -302,7 +274,7 @@ free_gic_opt_ext_preauth_data(krb5_context context,
 {
     int i;
 
-    if (NULL == opte || !krb5_gic_opt_is_extended(opte))
+    if (NULL == opte || !gic_opt_is_extended(opte))
         return;
     if (NULL == opte->opt_private || NULL == opte->opt_private->preauth_data)
         return;
@@ -338,8 +310,8 @@ krb5_get_init_creds_opt_get_pa(krb5_context context,
     int i;
     size_t allocsize;
 
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_get_pa");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_get_pa");
     if (retval)
         return retval;
 
@@ -415,8 +387,8 @@ krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
     krb5_error_code retval = 0;
     krb5_gic_opt_ext *opte;
 
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_set_fast_ccache_name");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_set_fast_ccache_name");
     if (retval)
         return retval;
     if (opte->opt_private->fast_ccache_name) {
@@ -459,8 +431,8 @@ krb5_get_init_creds_opt_set_in_ccache(krb5_context context,
     krb5_error_code retval = 0;
     krb5_gic_opt_ext *opte;
 
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_set_in_ccache");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_set_in_ccache");
     if (retval)
         return retval;
     opte->opt_private->in_ccache = ccache;
@@ -475,8 +447,8 @@ krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
     krb5_error_code retval = 0;
     krb5_gic_opt_ext *opte;
 
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_set_out_ccache");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_set_out_ccache");
     if (retval)
         return retval;
     opte->opt_private->out_ccache = ccache;
@@ -491,8 +463,8 @@ krb5_get_init_creds_opt_set_fast_flags(krb5_context context,
     krb5_error_code retval = 0;
     krb5_gic_opt_ext *opte;
 
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_set_fast_flags");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_set_fast_flags");
     if (retval)
         return retval;
     opte->opt_private->fast_flags = flags;
@@ -510,8 +482,8 @@ krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
     if (out_flags == NULL)
         return EINVAL;
     *out_flags = 0;
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_get_fast_flags");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_get_fast_flags");
     if (retval)
         return retval;
     *out_flags = opte->opt_private->fast_flags;
@@ -527,9 +499,8 @@ krb5_get_init_creds_opt_set_expire_callback(krb5_context context,
     krb5_error_code retval = 0;
     krb5_gic_opt_ext *opte;
 
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_set_"
-                                     "expire_callback");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_set_expire_callback");
     if (retval)
         return retval;
     opte->opt_private->expire_cb = cb;
@@ -545,8 +516,8 @@ krb5_get_init_creds_opt_set_responder(krb5_context context,
     krb5_error_code ret;
     krb5_gic_opt_ext *opte;
 
-    ret = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                  "krb5_get_init_creds_opt_set_responder");
+    ret = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                             "krb5_get_init_creds_opt_set_responder");
     if (ret)
         return ret;
     opte->opt_private->responder = responder;
diff --git a/src/lib/krb5/krb/gic_opt_set_pa.c b/src/lib/krb5/krb/gic_opt_set_pa.c
index 1e79c42..d447805 100644
--- a/src/lib/krb5/krb/gic_opt_set_pa.c
+++ b/src/lib/krb5/krb/gic_opt_set_pa.c
@@ -79,8 +79,8 @@ krb5_get_init_creds_opt_set_pa(krb5_context context,
     krb5_error_code retval;
     krb5_gic_opt_ext *opte;
 
-    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
-                                     "krb5_get_init_creds_opt_set_pa");
+    retval = k5_gic_opt_to_opte(context, opt, &opte, 0,
+                                "krb5_get_init_creds_opt_set_pa");
     if (retval)
         return retval;
 
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 32b376f..22db2b5 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -3,6 +3,7 @@
 #include "com_err.h"
 #include "init_creds_ctx.h"
 #include "int-proto.h"
+#include "os-proto.h"
 
 krb5_error_code
 krb5_get_as_key_password(krb5_context context,
@@ -81,9 +82,9 @@ krb5_get_as_key_password(krb5_context context,
         prompt_type = KRB5_PROMPT_TYPE_PASSWORD;
 
         /* PROMPTER_INVOCATION */
-        krb5int_set_prompt_types(context, &prompt_type);
+        k5_set_prompt_types(context, &prompt_type);
         ret = (*prompter)(context, prompter_data, NULL, NULL, 1, &prompt);
-        krb5int_set_prompt_types(context, 0);
+        k5_set_prompt_types(context, 0);
         if (ret)
             return(ret);
     }
@@ -183,7 +184,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
 
     get_expiry_times(as_reply->enc_part2, &pw_exp, &acct_exp, &is_last_req);
 
-    ret = krb5int_gic_opt_to_opte(context, options, &opte, 0, "");
+    ret = k5_gic_opt_to_opte(context, options, &opte, 0, "");
     if (ret == 0 && opte->opt_private->expire_cb != NULL) {
         krb5_expire_callback_func cb = opte->opt_private->expire_cb;
         void *cb_data = opte->opt_private->expire_data;
@@ -286,10 +287,9 @@ krb5_get_init_creds_password(krb5_context context,
 
     /* first try: get the requested tkt from any kdc */
 
-    ret = krb5int_get_init_creds(context, creds, client, prompter, data,
-                                 start_time, in_tkt_service, options,
-                                 krb5_get_as_key_password, (void *) &pw0,
-                                 &use_master, &as_reply);
+    ret = k5_get_init_creds(context, creds, client, prompter, data, start_time,
+                            in_tkt_service, options, krb5_get_as_key_password,
+                            (void *) &pw0, &use_master, &as_reply);
 
     /* check for success */
 
@@ -316,10 +316,10 @@ krb5_get_init_creds_password(krb5_context context,
             krb5_free_kdc_rep( context, as_reply);
             as_reply = NULL;
         }
-        ret = krb5int_get_init_creds(context, creds, client, prompter, data,
-                                     start_time, in_tkt_service, options,
-                                     krb5_get_as_key_password, (void *) &pw0,
-                                     &use_master, &as_reply);
+        ret = k5_get_init_creds(context, creds, client, prompter, data,
+                                start_time, in_tkt_service, options,
+                                krb5_get_as_key_password, (void *) &pw0,
+                                &use_master, &as_reply);
 
         if (ret == 0)
             goto cleanup;
@@ -363,11 +363,11 @@ krb5_get_init_creds_password(krb5_context context,
     krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0);
     krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0);
 
-    if ((ret = krb5int_get_init_creds(context, &chpw_creds, client,
-                                      prompter, data,
-                                      start_time, "kadmin/changepw", chpw_opts,
-                                      krb5_get_as_key_password, (void *) &pw0,
-                                      &use_master, NULL)))
+    ret = k5_get_init_creds(context, &chpw_creds, client, prompter, data,
+                            start_time, "kadmin/changepw", chpw_opts,
+                            krb5_get_as_key_password, (void *) &pw0,
+                            &use_master, NULL);
+    if (ret)
         goto cleanup;
 
     prompt[0].prompt = _("Enter new password");
@@ -389,10 +389,10 @@ krb5_get_init_creds_password(krb5_context context,
         pw1.length = sizeof(pw1array);
 
         /* PROMPTER_INVOCATION */
-        krb5int_set_prompt_types(context, prompt_types);
+        k5_set_prompt_types(context, prompt_types);
         ret = (*prompter)(context, data, 0, banner,
                           sizeof(prompt)/sizeof(prompt[0]), prompt);
-        krb5int_set_prompt_types(context, 0);
+        k5_set_prompt_types(context, 0);
         if (ret)
             goto cleanup;
 
@@ -460,10 +460,10 @@ krb5_get_init_creds_password(krb5_context context,
        is final.  */
 
     TRACE_GIC_PWD_CHANGED(context);
-    ret = krb5int_get_init_creds(context, creds, client, prompter, data,
-                                 start_time, in_tkt_service, options,
-                                 krb5_get_as_key_password, (void *) &pw0,
-                                 &use_master, &as_reply);
+    ret = k5_get_init_creds(context, creds, client, prompter, data,
+                            start_time, in_tkt_service, options,
+                            krb5_get_as_key_password, (void *) &pw0,
+                            &use_master, &as_reply);
     if (ret)
         goto cleanup;
 
@@ -528,9 +528,8 @@ krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
         pw0.data[0] = '\0';
         pw0.length = sizeof(pw0array);
     }
-    retval = krb5int_populate_gic_opt(context, &opts,
-                                      options, addrs, ktypes,
-                                      pre_auth_types, creds);
+    retval = k5_populate_gic_opt(context, &opts, options, addrs, ktypes,
+                                 pre_auth_types, creds);
     if (retval)
         return (retval);
     retval = krb5_unparse_name( context, creds->server, &server);
@@ -540,11 +539,10 @@ krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
     }
     server_princ = creds->server;
     client_princ = creds->client;
-    retval = krb5int_get_init_creds(context, creds, creds->client,
-                                    krb5_prompter_posix, NULL,
-                                    0, server, opts,
-                                    krb5_get_as_key_password, &pw0,
-                                    &use_master, ret_as_reply);
+    retval = k5_get_init_creds(context, creds, creds->client,
+                               krb5_prompter_posix, NULL, 0, server, opts,
+                               krb5_get_as_key_password, &pw0, &use_master,
+                               ret_as_reply);
     krb5_free_unparsed_name( context, server);
     krb5_get_init_creds_opt_free(context, opts);
     if (retval) {
diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c
index d1b69c6..b11e694 100644
--- a/src/lib/krb5/krb/in_tkt_sky.c
+++ b/src/lib/krb5/krb/in_tkt_sky.c
@@ -25,9 +25,9 @@
  */
 
 #include "k5-int.h"
+#include "int-proto.h"
 
-/* A krb5_gic_get_as_key_fct shim for copying a caller-provided keyblock into
- * the AS keyblock. */
+/* Copy the caller-provided keyblock into the AS keyblock. */
 static krb5_error_code
 get_as_key_skey(krb5_context context, krb5_principal client,
                 krb5_enctype etype, krb5_prompter_fct prompter,
@@ -86,8 +86,8 @@ krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
     }
 #endif /* LEAN_CLIENT */
 
-    retval = krb5int_populate_gic_opt(context, &opts, options, addrs, ktypes,
-                                      pre_auth_types, creds);
+    retval = k5_populate_gic_opt(context, &opts, options, addrs, ktypes,
+                                 pre_auth_types, creds);
     if (retval)
         return retval;
     retval = krb5_unparse_name(context, creds->server, &server);
@@ -97,10 +97,10 @@ krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
     }
     server_princ = creds->server;
     client_princ = creds->client;
-    retval = krb5int_get_init_creds(context, creds, creds->client,
-                                    krb5_prompter_posix, NULL, 0, server, opts,
-                                    get_as_key_skey, (void *) key, &use_master,
-                                    ret_as_reply);
+    retval = k5_get_init_creds(context, creds, creds->client,
+                               krb5_prompter_posix, NULL, 0, server, opts,
+                               get_as_key_skey, (void *)key, &use_master,
+                               ret_as_reply);
     krb5_free_unparsed_name(context, server);
     krb5_get_init_creds_opt_free(context, opts);
     if (retval)
diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
index 1bc90a5..d886c7a 100644
--- a/src/lib/krb5/krb/init_creds_ctx.h
+++ b/src/lib/krb5/krb/init_creds_ctx.h
@@ -4,13 +4,18 @@
 #define KRB5_INIT_CREDS_CONTEXT 1
 
 #include "k5-json.h"
+#include "int-proto.h"
+
+struct krb5_responder_context_st {
+    k5_response_items *items;
+};
 
 struct _krb5_init_creds_context {
     krb5_gic_opt_ext *opte;
     char *in_tkt_service;
     krb5_prompter_fct prompter;
     void *prompter_data;
-    krb5_gic_get_as_key_fct gak_fct;
+    get_as_key_fn gak_fct;
     void *gak_data;
     krb5_timestamp request_time;
     krb5_deltat start_time;
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 33330e7..58eb01a 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -51,6 +51,7 @@
 
 #include "k5-int.h"
 #include "int-proto.h"
+#include "os-proto.h"
 #include <ctype.h>
 #include "brand.c"
 #include "../krb5_libinit.h"
@@ -189,13 +190,14 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
 
     ctx->profile_secure = (flags & KRB5_INIT_CONTEXT_SECURE) != 0;
 
-    if ((retval = krb5_os_init_context(ctx, profile, flags)) != 0)
+    retval = k5_os_init_context(ctx, profile, flags);
+    if (retval)
         goto cleanup;
 
     ctx->trace_callback = NULL;
 #ifndef DISABLE_TRACING
     if (!ctx->profile_secure)
-        krb5int_init_trace(ctx);
+        k5_init_trace(ctx);
 #endif
 
     retval = get_boolean(ctx, KRB5_CONF_ALLOW_WEAK_CRYPTO, 0, &tmp);
@@ -287,7 +289,7 @@ krb5_free_context(krb5_context ctx)
 {
     if (ctx == NULL)
         return;
-    krb5_os_free_context(ctx);
+    k5_os_free_context(ctx);
 
     free(ctx->in_tkt_etypes);
     ctx->in_tkt_etypes = NULL;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 6d7939e..04535f6 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -29,6 +29,92 @@
 
 struct krb5int_fast_request_state;
 
+typedef struct k5_response_items_st k5_response_items;
+
+typedef krb5_error_code
+(*get_as_key_fn)(krb5_context, krb5_principal, krb5_enctype, krb5_prompter_fct,
+                 void *prompter_data, krb5_data *salt, krb5_data *s2kparams,
+                 krb5_keyblock *as_key, void *gak_data,
+                 k5_response_items *ritems);
+
+/*
+ * Extending the krb5_get_init_creds_opt structure.  The original
+ * krb5_get_init_creds_opt structure is defined publicly.  The new extended
+ * version is private.  The original interface assumed a pre-allocated
+ * structure which was passed to krb5_get_init_creds_init().  The new interface
+ * assumes that the caller will call krb5_get_init_creds_alloc() and
+ * krb5_get_init_creds_free().
+ *
+ * Callers MUST NOT call krb5_get_init_creds_init() after allocating an opts
+ * structure using krb5_get_init_creds_alloc().  To do so will introduce memory
+ * leaks.  Unfortunately, there is no way to enforce this behavior.
+ *
+ * Two private flags are added for backward compatibility.  GIC_OPT_EXTENDED
+ * says that the structure was allocated with the new
+ * krb5_get_init_creds_opt_alloc() function.  GIC_OPT_SHADOWED is set to
+ * indicate that the extended structure is a shadow copy of an original
+ * krb5_get_init_creds_opt structure.  If GIC_OPT_SHADOWED is set after a call
+ * to k5_gic_opt_to_opte(), the resulting extended structure should be freed
+ * (using krb5_get_init_creds_free).  Otherwise, the original structure was
+ * already extended and there is no need to free it.
+ */
+
+#define GIC_OPT_EXTENDED 0x80000000
+#define GIC_OPT_SHADOWED 0x40000000
+
+#define gic_opt_is_extended(s) ((s) != NULL && ((s)->flags & GIC_OPT_EXTENDED))
+#define gic_opt_is_shadowed(s) ((s) != NULL && ((s)->flags & GIC_OPT_SHADOWED))
+
+typedef struct gic_opt_private_st {
+    int num_preauth_data;
+    krb5_gic_opt_pa_data *preauth_data;
+    char * fast_ccache_name;
+    krb5_ccache in_ccache;
+    krb5_ccache out_ccache;
+    krb5_flags fast_flags;
+    krb5_expire_callback_func expire_cb;
+    void *expire_data;
+    krb5_responder_fn responder;
+    void *responder_data;
+} gic_opt_private;
+
+/*
+ * On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
+ * of krb5_get_init_creds_opt.
+ */
+#if TARGET_OS_MAC
+#    pragma pack(push,2)
+#endif
+
+typedef struct _krb5_gic_opt_ext {
+    krb5_flags flags;
+    krb5_deltat tkt_life;
+    krb5_deltat renew_life;
+    int forwardable;
+    int proxiable;
+    krb5_enctype *etype_list;
+    int etype_list_length;
+    krb5_address **address_list;
+    krb5_preauthtype *preauth_list;
+    int preauth_list_length;
+    krb5_data *salt;
+    /*
+     * Do not change anything above this point in this structure.
+     * It is identical to the public krb5_get_init_creds_opt structure.
+     * New members must be added below.
+     */
+    gic_opt_private *opt_private;
+} krb5_gic_opt_ext;
+
+#if TARGET_OS_MAC
+#    pragma pack(pop)
+#endif
+
+krb5_error_code
+k5_gic_opt_to_opte(krb5_context context, krb5_get_init_creds_opt *opt,
+                   krb5_gic_opt_ext **opte, unsigned int force,
+                   const char *where);
+
 krb5_error_code
 krb5int_tgtname(krb5_context context, const krb5_data *, const krb5_data *,
                 krb5_principal *);
@@ -236,4 +322,46 @@ k5_save_ctx_error(krb5_context ctx, krb5_error_code code, struct errinfo *out);
 krb5_error_code
 k5_restore_ctx_error(krb5_context ctx, struct errinfo *in);
 
+krb5_error_code
+k5_encrypt_keyhelper(krb5_context context, krb5_key key,
+                     krb5_keyusage keyusage, const krb5_data *plain,
+                     krb5_enc_data *cipher);
+
+krb5_error_code KRB5_CALLCONV
+k5_get_init_creds(krb5_context context, krb5_creds *creds,
+                  krb5_principal client, krb5_prompter_fct prompter,
+                  void *prompter_data, krb5_deltat start_time,
+                  const char *in_tkt_service, krb5_get_init_creds_opt *options,
+                  get_as_key_fn gak, void *gak_data, int *master,
+                  krb5_kdc_rep **as_reply);
+
+krb5_error_code
+k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **opt,
+                    krb5_flags options, krb5_address *const *addrs,
+                    krb5_enctype *ktypes, krb5_preauthtype *pre_auth_types,
+                    krb5_creds *creds);
+
+krb5_error_code
+k5_copy_creds_contents(krb5_context, const krb5_creds *, krb5_creds *);
+
+krb5_error_code
+k5_build_conf_principals(krb5_context context, krb5_ccache id,
+                         krb5_const_principal principal, const char *name,
+                         krb5_creds *cred);
+
+krb5_error_code
+k5_generate_and_save_subkey(krb5_context context,
+                            krb5_auth_context auth_context,
+                            krb5_keyblock *keyblock, krb5_enctype enctype);
+
+krb5_error_code
+k5_client_realm_path(krb5_context context, const krb5_data *client,
+                     const krb5_data *server, krb5_data **rpath_out);
+
+size_t
+k5_count_etypes(const krb5_enctype *list);
+
+krb5_error_code
+k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list);
+
 #endif /* KRB5_INT_FUNC_PROTO__ */
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 9629ae6..466861f 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -641,15 +641,6 @@ krb5_free_pa_pac_req(krb5_context context,
 }
 
 void KRB5_CALLCONV
-krb5_free_etype_list(krb5_context context,
-                     krb5_etype_list *etypes)
-{
-    if (etypes != NULL) {
-        free(etypes->etypes);
-        free(etypes);
-    }
-}
-void KRB5_CALLCONV
 krb5_free_fast_req(krb5_context context, krb5_fast_req *val)
 {
     if (val == NULL)
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 566d138..a31d85c 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -9,6 +9,7 @@
  *
  */
 #include "k5-int.h"
+#include "int-proto.h"
 #include "cleanup.h"
 #include "auth_con.h"
 
@@ -44,9 +45,9 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
     }
 
     /* call the encryption routine */
-    retval = krb5_encrypt_keyhelper(context, pkey,
-                                    KRB5_KEYUSAGE_KRB_CRED_ENCPART,
-                                    scratch, pencdata);
+    retval = k5_encrypt_keyhelper(context, pkey,
+                                  KRB5_KEYUSAGE_KRB_CRED_ENCPART, scratch,
+                                  pencdata);
 
     if (retval) {
         memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index 0681a22..dd7a7d9 100644
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -52,6 +52,7 @@
  */
 
 #include "k5-int.h"
+#include "int-proto.h"
 #include "auth_con.h"
 
 /*
@@ -95,9 +96,9 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
     else if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
         assert(auth_context->negotiated_etype != ENCTYPE_NULL);
 
-        retval = krb5int_generate_and_save_subkey (context, auth_context,
-                                                   &auth_context->key->keyblock,
-                                                   auth_context->negotiated_etype);
+        retval = k5_generate_and_save_subkey(context, auth_context,
+                                             &auth_context->key->keyblock,
+                                             auth_context->negotiated_etype);
         if (retval)
             return retval;
         repl.subkey = &auth_context->send_subkey->keyblock;
@@ -116,9 +117,9 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
     if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
         return retval;
 
-    if ((retval = krb5_encrypt_keyhelper(context, auth_context->key,
-                                         KRB5_KEYUSAGE_AP_REP_ENCPART,
-                                         scratch, &reply.enc_part)))
+    if ((retval = k5_encrypt_keyhelper(context, auth_context->key,
+                                       KRB5_KEYUSAGE_AP_REP_ENCPART, scratch,
+                                       &reply.enc_part)))
         goto cleanup_scratch;
 
     if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 1938cbe..dce0927 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -174,9 +174,9 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
 
     /* generate subkey if needed */
     if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
-        retval = krb5int_generate_and_save_subkey (context, *auth_context,
-                                                   &in_creds->keyblock,
-                                                   in_creds->keyblock.enctype);
+        retval = k5_generate_and_save_subkey(context, *auth_context,
+                                             &in_creds->keyblock,
+                                             in_creds->keyblock.enctype);
         if (retval)
             goto cleanup;
     }
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 7252048..747611e 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -35,6 +35,7 @@
 #include "osconf.h"
 #include <krb5/clpreauth_plugin.h>
 #include "int-proto.h"
+#include "os-proto.h"
 #include "fast.h"
 #include "init_creds_ctx.h"
 
diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c
index e6e2c68..6888e94 100644
--- a/src/lib/krb5/krb/preauth_sam2.c
+++ b/src/lib/krb5/krb/preauth_sam2.c
@@ -28,6 +28,7 @@
 #include <k5-int.h>
 #include <krb5/clpreauth_plugin.h>
 #include "int-proto.h"
+#include "os-proto.h"
 #include "init_creds_ctx.h"
 
 /* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */
@@ -182,17 +183,17 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata,
     kprompt.reply = &response_data;
 
     prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
-    krb5int_set_prompt_types(context, &prompt_type);
+    k5_set_prompt_types(context, &prompt_type);
 
     if ((retval = ((*prompter)(context, prompter_data, name,
                                banner, 1, &kprompt)))) {
         krb5_free_sam_challenge_2(context, sc2);
         krb5_free_sam_challenge_2_body(context, sc2b);
-        krb5int_set_prompt_types(context, 0);
+        k5_set_prompt_types(context, NULL);
         return(retval);
     }
 
-    krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL);
+    k5_set_prompt_types(context, NULL);
 
     /* Generate salt used by string_to_key() */
     if (ctx->default_salt) {
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index b3c536c..8d5f130 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -115,10 +115,9 @@ s4u_identify_user(krb5_context context,
         client = &client_data;
     }
 
-    code = krb5int_get_init_creds(context, &creds, client,
-                                  NULL, NULL, 0, NULL, opts,
-                                  krb5_get_as_key_noop, &userid,
-                                  &use_master, NULL);
+    code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
+                             opts, krb5_get_as_key_noop, &userid, &use_master,
+                             NULL);
     if (code == 0 || code == KRB5_PREAUTH_FAILED) {
         *canon_user = userid.user;
         userid.user = NULL;
@@ -517,7 +516,7 @@ krb5_get_self_cred_from_kdc(krb5_context context,
 
     tgtptr = tgt;
 
-    code = krb5int_copy_creds_contents(context, in_creds, &s4u_creds);
+    code = k5_copy_creds_contents(context, in_creds, &s4u_creds);
     if (code != 0)
         goto cleanup;
 
diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c
index dc0c6e8..b1dde3c 100644
--- a/src/lib/krb5/krb/sendauth.c
+++ b/src/lib/krb5/krb/sendauth.c
@@ -25,6 +25,7 @@
  */
 
 #include "k5-int.h"
+#include "os-proto.h"
 #include "com_err.h"
 #include "auth_con.h"
 #include <errno.h>
@@ -63,7 +64,7 @@ krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
     outbuf[0].data = (char *) sendauth_version;
     outbuf[1].length = strlen(appl_version) + 1;
     outbuf[1].data = appl_version;
-    if ((retval = krb5int_write_messages(context, fd, outbuf, 2)))
+    if ((retval = k5_write_messages(context, fd, outbuf, 2)))
         return(retval);
     /*
      * Now, read back a byte: 0 means no error, 1 means bad sendauth
diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c
index 0452ebf..b52a04d 100644
--- a/src/lib/krb5/krb/ser_ctx.c
+++ b/src/lib/krb5/krb/ser_ctx.c
@@ -189,7 +189,8 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
     context = (krb5_context) arg;
     if (!context)
         return (EINVAL);
-    KRB5_VERIFY_MAGIC(context, KV5M_CONTEXT);
+    if (context->magic != KV5M_CONTEXT)
+        return (KV5M_CONTEXT);
 
     if ((kret = krb5_context_size(kcontext, arg, &required)))
         return (kret);
diff --git a/src/lib/krb5/krb/srv_dec_tkt.c b/src/lib/krb5/krb/srv_dec_tkt.c
index 094758c..708a25f 100644
--- a/src/lib/krb5/krb/srv_dec_tkt.c
+++ b/src/lib/krb5/krb/srv_dec_tkt.c
@@ -40,10 +40,9 @@
 #include <k5-int.h>
 
 #ifndef LEAN_CLIENT
-krb5_error_code KRB5_CALLCONV
-krb5int_server_decrypt_ticket_keyblock(krb5_context context,
-                                       const krb5_keyblock *key,
-                                       krb5_ticket *ticket)
+static krb5_error_code
+decrypt_ticket_keyblock(krb5_context context, const krb5_keyblock *key,
+                        krb5_ticket *ticket)
 {
     krb5_error_code retval;
     krb5_data *realm;
@@ -85,7 +84,7 @@ krb5_server_decrypt_ticket_keytab(krb5_context context,
                                    ticket->enc_part.kvno,
                                    ticket->enc_part.enctype, &ktent);
         if (retval == 0) {
-            retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
+            retval = decrypt_ticket_keyblock(context, &ktent.key, ticket);
 
             (void) krb5_free_keytab_entry_contents(context, &ktent);
         }
@@ -103,7 +102,7 @@ krb5_server_decrypt_ticket_keytab(krb5_context context,
             if (ktent.key.enctype != ticket->enc_part.enctype)
                 continue;
 
-            retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
+            retval = decrypt_ticket_keyblock(context, &ktent.key, ticket);
             if (retval == 0) {
                 krb5_principal tmp;
 
diff --git a/src/lib/krb5/krb/t_cc_config.c b/src/lib/krb5/krb/t_cc_config.c
index 04e7283..156a5b5 100644
--- a/src/lib/krb5/krb/t_cc_config.c
+++ b/src/lib/krb5/krb/t_cc_config.c
@@ -36,6 +36,7 @@
  */
 
 #include <k5-int.h>
+#include "int-proto.h"
 #include <getopt.h>
 
 static void
@@ -70,8 +71,8 @@ unset_config(krb5_context context, krb5_ccache ccache,
     memset(&mcreds, 0, sizeof(mcreds));
     memset(&creds, 0, sizeof(creds));
     bail_on_err(context, "Error while deriving configuration principal names",
-                krb5int_build_conf_principals(context, ccache, server, key,
-                                              &mcreds));
+                k5_build_conf_principals(context, ccache, server, key,
+                                         &mcreds));
     bail_on_err(context, "Error resolving first in-memory ccache",
                 krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1));
     bail_on_err(context, "Error initializing first in-memory ccache",
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index de41959..b0547d5 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -105,9 +105,8 @@ initialize_krb5_error_table
 initialize_k5e1_error_table
 initialize_kv5m_error_table
 initialize_prof_error_table
+k5_build_conf_principals
 k5_ccselect_free_context
-k5_copy_etypes
-k5_count_etypes
 k5_etypes_contains
 k5_expand_path_tokens
 k5_expand_path_tokens_extra
@@ -116,8 +115,11 @@ k5_free_otp_tokeninfo
 k5_free_pa_otp_challenge
 k5_free_pa_otp_req
 k5_free_serverlist
+k5_init_trace
 k5_kt_get_principal
 k5_locate_kdc
+k5_os_free_context
+k5_os_init_context
 k5_plugin_free_modules
 k5_plugin_load
 k5_plugin_load_all
@@ -215,7 +217,6 @@ krb5_cc_register
 krb5_cc_remove_cred
 krb5_cc_resolve
 krb5_cc_retrieve_cred
-krb5_cc_retrieve_cred_default
 krb5_cc_select
 krb5_cc_set_config
 krb5_cc_set_default_name
@@ -248,7 +249,6 @@ krb5_copy_keyblock
 krb5_copy_keyblock_contents
 krb5_copy_principal
 krb5_copy_ticket
-krb5_create_secure_file
 krb5_crypto_us_timeofday
 krb5_decode_authdata_container
 krb5_decode_ticket
@@ -444,9 +444,6 @@ krb5_mk_req_extended
 krb5_mk_safe
 krb5_net_read
 krb5_net_write
-krb5_os_free_context
-krb5_os_hostaddr
-krb5_os_init_context
 krb5_os_localaddr
 krb5_overridekeyname
 krb5_pac_add_buffer
@@ -569,7 +566,6 @@ krb5_sname_to_principal
 krb5_string_to_deltat
 krb5_string_to_salttype
 krb5_string_to_timestamp
-krb5_sync_disk_file
 krb5int_tgtname
 krb5_tkt_creds_free
 krb5_tkt_creds_get
@@ -597,10 +593,8 @@ krb5_vset_error_message
 krb5_walk_realm_tree
 krb5_write_message
 krb5int_accessor
-krb5int_build_conf_principals
 krb5int_cc_default
 krb5int_cleanup_library
-krb5int_clean_hostname
 krb5int_cm_call_select
 krb5int_copy_data_contents
 krb5int_copy_data_contents_add0
@@ -609,7 +603,6 @@ krb5int_foreach_localaddr
 krb5int_free_data_list
 krb5int_get_authdata_containee_types
 krb5int_init_context_kdc
-krb5int_init_trace
 krb5int_initialize_library
 krb5int_parse_enctype_list
 krb5int_sendtokdc_debug_handler
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index 2e31e83..df63b14 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -26,6 +26,7 @@
 
 #include "k5-int.h"
 #include "os-proto.h"
+#include "../krb/int-proto.h"
 
 /* If this trick gets used elsewhere, move it to k5-platform.h.  */
 #ifndef DESIGNATED_INITIALIZERS
@@ -52,7 +53,7 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
 #endif
             S (auth_con_get_subkey_enctype, krb5_auth_con_get_subkey_enctype),
 
-            S (clean_hostname, krb5int_clean_hostname),
+            S (clean_hostname, k5_clean_hostname),
 
 #ifndef LEAN_CLIENT
 #define SC(FIELD, VAL)  S(FIELD, VAL)
@@ -101,7 +102,7 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
             SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters),
             SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body),
             SC (free_kdc_req, krb5_free_kdc_req),
-            SC (set_prompt_types, krb5int_set_prompt_types),
+            SC (set_prompt_types, k5_set_prompt_types),
 #undef SC
 
 #if DESIGNATED_INITIALIZERS
diff --git a/src/lib/krb5/os/def_realm.c b/src/lib/krb5/os/def_realm.c
index f47e170..0ebe9db 100644
--- a/src/lib/krb5/os/def_realm.c
+++ b/src/lib/krb5/os/def_realm.c
@@ -51,6 +51,8 @@
 #define MAXHOSTNAMELEN 64
 #endif
 
+#define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
+
 #endif /* KRB5_DNS_LOOKUP */
 
 /*
diff --git a/src/lib/krb5/os/dnsglue.h b/src/lib/krb5/os/dnsglue.h
index e66de6a..2f9192f 100644
--- a/src/lib/krb5/os/dnsglue.h
+++ b/src/lib/krb5/os/dnsglue.h
@@ -155,5 +155,19 @@ int krb5int_dns_expand(struct krb5int_dns_state *,
                        const unsigned char *, char *, int);
 void krb5int_dns_fini(struct krb5int_dns_state *);
 
+struct srv_dns_entry {
+    struct srv_dns_entry *next;
+    int priority;
+    int weight;
+    unsigned short port;
+    char *host;
+};
+
+krb5_error_code krb5int_make_srv_query_realm(const krb5_data *realm,
+                                             const char *service,
+                                             const char *protocol,
+                                             struct srv_dns_entry **answers);
+void krb5int_free_srv_dns_data(struct srv_dns_entry *);
+
 #endif /* KRB5_DNS_LOOKUP */
 #endif /* !defined(KRB5_DNSGLUE_H) */
diff --git a/src/lib/krb5/os/hostaddr.c b/src/lib/krb5/os/hostaddr.c
index a38fad5..22f6ad6 100644
--- a/src/lib/krb5/os/hostaddr.c
+++ b/src/lib/krb5/os/hostaddr.c
@@ -25,12 +25,13 @@
  */
 
 #include "k5-int.h"
+#include "os-proto.h"
 
 #include "fake-addrinfo.h"
 
 krb5_error_code
-krb5_os_hostaddr(krb5_context context, const char *name,
-                 krb5_address ***ret_addrs)
+k5_os_hostaddr(krb5_context context, const char *name,
+               krb5_address ***ret_addrs)
 {
     krb5_error_code     retval;
     krb5_address        **addrs;
diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index 599823e..7160873 100644
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -31,7 +31,7 @@
 /*
  * krb5_get_host_realm()
  * krb5_get_fallback_host_realm()
- * krb5int_clean_hostname()
+ * k5_clean_hostname()
  * krb5_free_host_realm()
  */
 
@@ -98,7 +98,7 @@ domain_heuristic(krb5_context context, const char *domain,
 #endif /* MAXDNAME */
 #endif /* KRB5_DNS_LOOKUP */
 
-krb5_error_code krb5int_translate_gai_error (int);
+static krb5_error_code krb5int_translate_gai_error(int);
 
 static krb5_error_code
 get_fq_hostname(char *buf, size_t bufsize, const char *name)
@@ -144,7 +144,7 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)
 
     TRACE_GET_HOST_REALM(context, host);
 
-    retval = krb5int_clean_hostname(context, host, local_host, sizeof local_host);
+    retval = k5_clean_hostname(context, host, local_host, sizeof local_host);
     if (retval)
         return retval;
 
@@ -216,7 +216,7 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)
 # endif
 #endif
 
-krb5_error_code
+static krb5_error_code
 krb5int_translate_gai_error (int num)
 {
     switch (num) {
@@ -279,7 +279,7 @@ krb5_get_fallback_host_realm(krb5_context context,
 
     TRACE_GET_FALLBACK_HOST_REALM(context, host);
 
-    retval = krb5int_clean_hostname(context, host, local_host, sizeof local_host);
+    retval = k5_clean_hostname(context, host, local_host, sizeof local_host);
     if (retval)
         return retval;
 
@@ -367,8 +367,8 @@ krb5_get_fallback_host_realm(krb5_context context,
  * to do basic sanity checks on supplied hostname.
  */
 krb5_error_code
-krb5int_clean_hostname(krb5_context context,
-                       const char *host, char *local_host, size_t lhsize)
+k5_clean_hostname(krb5_context context, const char *host, char *local_host,
+                  size_t lhsize)
 {
     char *cp;
     krb5_error_code retval;
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index 56b8d92..2afe2e1 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -234,7 +234,7 @@ free_filespecs(profile_filespec_t *files)
 
 /* This function is needed by KfM's KerberosPreferences API
  * because it needs to be able to specify "secure" */
-krb5_error_code
+static krb5_error_code
 os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
 {
     profile_filespec_t* files;
@@ -421,7 +421,7 @@ os_init_paths(krb5_context ctx, krb5_boolean kdc)
 }
 
 krb5_error_code
-krb5_os_init_context(krb5_context ctx, profile_t profile, krb5_flags flags)
+k5_os_init_context(krb5_context ctx, profile_t profile, krb5_flags flags)
 {
     krb5_os_context os_ctx;
     krb5_error_code    retval = 0;
@@ -499,7 +499,7 @@ krb5_free_config_files(char **filenames)
 }
 
 void
-krb5_os_free_context(krb5_context ctx)
+k5_os_free_context(krb5_context ctx)
 {
     krb5_os_context os_ctx;
 
diff --git a/src/lib/krb5/os/krbfileio.c b/src/lib/krb5/os/krbfileio.c
index 6dce8ca..41cd40f 100644
--- a/src/lib/krb5/os/krbfileio.c
+++ b/src/lib/krb5/os/krbfileio.c
@@ -26,10 +26,6 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- *
- *
- * krb5_create_secure_file
- * krb5_sync_disk_file
  */
 
 #ifdef MODULE_VERSION_ID
@@ -38,6 +34,7 @@ static char *VersionID = "@(#)krbfileio.c       2 - 08/22/91";
 
 
 #include "k5-int.h"
+#include "os-proto.h"
 #ifdef HAVE_SYS_FILE_H
 #include <sys/file.h>
 #endif
@@ -52,7 +49,7 @@ static char *VersionID = "@(#)krbfileio.c       2 - 08/22/91";
 #endif
 
 krb5_error_code
-krb5_create_secure_file(krb5_context context, const char *pathname)
+k5_create_secure_file(krb5_context context, const char *pathname)
 {
     int fd;
 
@@ -89,7 +86,7 @@ krb5_create_secure_file(krb5_context context, const char *pathname)
 }
 
 krb5_error_code
-krb5_sync_disk_file(krb5_context context, FILE *fp)
+k5_sync_disk_file(krb5_context context, FILE *fp)
 {
     fflush(fp);
 #if !defined(MSDOS_FILESYSTEM)
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index faa214a..f894d05 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -34,6 +34,7 @@
  */
 
 #include "k5-int.h"
+#include "os-proto.h"
 
 #if !defined(_WIN32)
 
@@ -1291,7 +1292,7 @@ krb5_os_localaddr_profile (krb5_context context, struct localaddr_data *datap)
             fprintf (stderr, "    processing '%s'\n", current);
 #endif
             newaddrs = 0;
-            err = krb5_os_hostaddr (context, current, &newaddrs);
+            err = k5_os_hostaddr (context, current, &newaddrs);
             if (err)
                 continue;
             for (i = 0; newaddrs[i]; i++) {
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index 5bf7776..283f36c 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -38,14 +38,7 @@
 #include <resolv.h>
 #include <netdb.h>
 #endif /* WSHELPER */
-#ifndef T_SRV
-#define T_SRV 33
-#endif /* T_SRV */
-
-/* for old Unixes and friends ... */
-#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 64
-#endif
+#include "dnsglue.h"
 
 #if KRB5_DNS_LOOKUP_KDC
 #define DEFAULT_LOOKUP_KDC 1
@@ -488,8 +481,8 @@ prof_locate_server(krb5_context context, const krb5_data *realm,
         break;
     case locate_service_krb524:
         profname = KRB5_CONF_KRB524_SERVER;
-        serv = getservbyname(KRB524_SERVICE, "udp");
-        dflport1 = serv ? serv->s_port : htons (KRB524_PORT);
+        serv = getservbyname("krb524", "udp");
+        dflport1 = serv ? serv->s_port : htons(4444);
         break;
     case locate_service_kpasswd:
         profname = KRB5_CONF_KPASSWD_SERVER;
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index e50a0d4..83c9d65 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -110,6 +110,24 @@ krb5_error_code k5_expand_path_tokens_extra(krb5_context context,
                                             const char *path_in,
                                             char **path_out, ...);
 
+krb5_error_code k5_create_secure_file(krb5_context, const char * pathname);
+krb5_error_code k5_sync_disk_file(krb5_context, FILE *fp);
+krb5_error_code k5_os_init_context(krb5_context context, profile_t profile,
+                                   krb5_flags flags);
+void k5_os_free_context(krb5_context);
+krb5_error_code k5_os_hostaddr(krb5_context, const char *, krb5_address ***);
+krb5_error_code k5_time_with_offset(krb5_timestamp offset,
+                                    krb5_int32 offset_usec,
+                                    krb5_timestamp *time_out,
+                                    krb5_int32 *usec_out);
+void k5_set_prompt_types(krb5_context, krb5_prompt_type *);
+krb5_error_code k5_clean_hostname(krb5_context, const char *, char *, size_t);
+krb5_error_code k5_kt_client_default_name(krb5_context context,
+                                          char **name_out);
+krb5_error_code k5_write_messages(krb5_context, krb5_pointer, krb5_data *,
+                                  int);
+void k5_init_trace(krb5_context context);
+
 #include "k5-thread.h"
 extern k5_mutex_t krb5int_us_time_mutex;
 
diff --git a/src/lib/krb5/os/prompter.c b/src/lib/krb5/os/prompter.c
index aa7399c..26cdebc 100644
--- a/src/lib/krb5/os/prompter.c
+++ b/src/lib/krb5/os/prompter.c
@@ -1,5 +1,6 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 #include "k5-int.h"
+#include "os-proto.h"
 #if !defined(_WIN32) || (defined(_WIN32) && defined(__CYGWIN32__))
 #include <stdio.h>
 #include <errno.h>
@@ -317,7 +318,7 @@ krb5_prompter_posix(krb5_context context,
 #endif /* Windows or Mac */
 
 void
-krb5int_set_prompt_types(krb5_context context, krb5_prompt_type *types)
+k5_set_prompt_types(krb5_context context, krb5_prompt_type *types)
 {
     context->prompt_types = types;
 }
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 21fe105..97e1c06 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -38,6 +38,7 @@
  */
 
 #include "k5-int.h"
+#include "os-proto.h"
 #include "cm.h"
 
 #ifndef DISABLE_TRACING
@@ -328,7 +329,7 @@ subfmt(krb5_context context, struct k5buf *buf, const char *fmt, ...)
 }
 
 void
-krb5int_init_trace(krb5_context context)
+k5_init_trace(krb5_context context)
 {
     const char *filename;
 
diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c
index 90fa4a6..0563576 100644
--- a/src/lib/krb5/os/ustime.c
+++ b/src/lib/krb5/os/ustime.c
@@ -34,6 +34,7 @@
  */
 
 #include "k5-int.h"
+#include "os-proto.h"
 
 krb5_error_code
 k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec,
diff --git a/src/lib/krb5/os/write_msg.c b/src/lib/krb5/os/write_msg.c
index b745f3f..a9d6050 100644
--- a/src/lib/krb5/os/write_msg.c
+++ b/src/lib/krb5/os/write_msg.c
@@ -36,8 +36,8 @@
  * efficiently.
  */
 krb5_error_code
-krb5int_write_messages(krb5_context context, krb5_pointer fdp,
-                       krb5_data *outbuf, int nbufs)
+k5_write_messages(krb5_context context, krb5_pointer fdp, krb5_data *outbuf,
+                  int nbufs)
 {
     int fd = *( (int *) fdp);
 
@@ -72,5 +72,5 @@ krb5int_write_messages(krb5_context context, krb5_pointer fdp,
 krb5_error_code
 krb5_write_message(krb5_context context, krb5_pointer fdp, krb5_data *outbuf)
 {
-    return krb5int_write_messages(context, fdp, outbuf, 1);
+    return k5_write_messages(context, fdp, outbuf, 1);
 }
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index d093d1f..57604ad 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -443,7 +443,6 @@ EXPORTS
 	krb5_responder_otp_challenge_free		@415
 	krb5_cc_move					@416
 	krb5_get_init_creds_opt_set_in_ccache		@417
-	krb5int_build_conf_principals			@418 ; PRIVATE
 
 ; new in 1.12
 	krb5_free_enctypes				@419


More information about the cvs-krb5 mailing list