2025-01-26 10:04:02 +03:00 · 2005-08-09 03:04:47 +00:00 · 2005-08-09 03:04:47 +00:00 · 9a1d2f2fec
commit 9a1d2f2fec
parent c419eef1c9
73 changed files with 9514 additions and 4688 deletions
--- a/source/heimdal/fix-export
+++ b/source/heimdal/fix-export
@ -0,0 +1,82 @@
 #! /bin/sh
 # $Id: fix-export,v 1.38 2005/07/05 14:00:51 lha Exp $
 echo "fixing distribution in $1..."
 test -d "$1" || { echo not a dir in \$1 ; exit 1 ; }
 cd $1
 if test "$DATEDVERSION"; then
 	ed -s configure.in << END
 /AC_INIT/s/AC_INIT(\([^,]*\), [^,]*, \(.*\))/AC_INIT(\1, $DATEDVERSION, \2)/
 w
 q
 END
 	error=WARN
 	exitcmd=:
 else
    	error=ERROR
 	exitcmd=exit
 fi
 ver=`sed -n 's/AC_INIT([^,]*,\([^,]*\),.*/\1/p' configure.in`
 M="*   This is version $ver.   *"
 echo "$M" | sed -e 's/./*/g'
 echo "$M"
 echo "$M" | sed -e 's/./*/g'
 ed -s configure.in << END
 /test -z/s,^,#,
 w
 q
 END
 autoreconf --force --install
 (cd doc && makeinfo heimdal.texi)
 find . -name Makefile.am | while read f; do
 	for i in `sed -n -e '/^man_MANS/{
 			:loop
 			p
 			/[^\\]$/b quit
 			n
 			b loop
 			}
 		:quit' $f | sed 's/man_MANS//;s/=//;s/[	\\][	\\]*/ /g'`; do 
 		x=`dirname $f`/$i
 		y=`dirname $f`/`echo $i | sed 's/[0-9]$/cat&/'`
 		echo `grog -Tascii $x` \> $y
 		`grog -Tascii $x` > $y
 		perl -p -e 'exit 1 if (/NetBSD|FreeBSD|OpenBSD|Linux|OSF|Solaris/); exit 0;' $y
 		if [ $? != 0 ] ; then
 		    echo "$error: catfile $y contains operating system"
 		    head -1 $y
 		    $exitcmd
 		fi
 	done
 done
 make_proto () {
 	(top=`pwd`
 	cd $1
 	b=`basename $1`
        if test X"$5" != X ; then
 	    e="-E $5";
 	else
 	    e=
 	fi
 	perl $top/cf/make-proto.pl $e -o $2 -p $3 `(perl -p -e 's/^(include|if|else|endif)\b/##$1/' Makefile.am; 
 		echo 'print-sources:; @if test "$(proto_opts)"; then echo $(proto_opts); else echo -q -P comment; fi; echo '$4 | sort -u ) | make -f - print-sources `)
 }
 make_proto lib/krb5 krb5-protos.h krb5-private.h '$(libkrb5_la_SOURCES)' KRB5_LIB_FUNCTION
 make_proto lib/kadm5 kadm5-protos.h kadm5-private.h '$(libkadm5srv_la_SOURCES) $(libkadm5clnt_la_SOURCES)'
 make_proto lib/hdb hdb-protos.h hdb-private.h '$(libhdb_la_SOURCES)'
 make_proto appl/login login_protos.h /dev/null '$(login_SOURCES)'
 make_proto kcm kcm_protos.h /dev/null '$(kcm_SOURCES)'
 make_proto kdc kdc-protos.h /dev/null '$(libkdc_la_SOURCES)'
 rm fix-export make-release make-release.el
 find . -name .cvsignore -print | xargs rm
 find . -name .__afs\* -print | xargs rm
 rm -fr autom4te*.cache
--- a/source/heimdal/kdc/kerberos5.c
+++ b/source/heimdal/kdc/kerberos5.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -189,22 +189,26 @@ log_timestamp(krb5_context context,
 	      KerberosTime authtime, KerberosTime *starttime, 
 	      KerberosTime endtime, KerberosTime *renew_till)
 {
-    char atime[100], stime[100], etime[100], rtime[100];
+    char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100];
-    krb5_format_time(context, authtime, atime, sizeof(atime), TRUE); 
+    krb5_format_time(context, authtime, 
 		     authtime_str, sizeof(authtime_str), TRUE); 
    if (starttime)
-	krb5_format_time(context, *starttime, stime, sizeof(stime), TRUE); 
+	krb5_format_time(context, *starttime, 
 			 starttime_str, sizeof(starttime_str), TRUE); 
    else
-	strlcpy(stime, "unset", sizeof(stime));
+	strlcpy(starttime_str, "unset", sizeof(starttime_str));
-    krb5_format_time(context, endtime, etime, sizeof(etime), TRUE); 
+    krb5_format_time(context, endtime, 
 		     endtime_str, sizeof(endtime_str), TRUE); 
    if (renew_till)
-	krb5_format_time(context, *renew_till, rtime, sizeof(rtime), TRUE); 
+	krb5_format_time(context, *renew_till, 
 			 renewtime_str, sizeof(renewtime_str), TRUE); 
    else
-	strlcpy(rtime, "unset", sizeof(rtime));
+	strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
    kdc_log(context, config, 5,
 	    "%s authtime: %s starttime: %s endtype: %s renew till: %s",
-	    type, atime, stime, etime, rtime);
+	    type, authtime_str, starttime_str, endtime_str, renewtime_str);
 }
 static krb5_error_code
@ -578,7 +582,8 @@ get_pa_etype_info2(krb5_context context,
 	ret = krb5_unparse_name(context, client->principal, &name);
 	if (ret)
 	    name = "<unparse_name failed>";
-	kdc_log(context, config, 0, "internal error in get_pa_etype_info2(%s): %d != %d", 
+	kdc_log(context, config, 0,
 		"internal error in get_pa_etype_info2(%s): %d != %d", 
 		name, n, pa.len);
 	if (ret == 0)
 	    free(name);
@ -623,24 +628,26 @@ _kdc_check_flags(krb5_context context,
 	if(!client->flags.client){
 	    kdc_log(context, config, 0,
-		    "Principal may not act as client -- %s", 
+		    "Principal may not act as client -- %s", client_name);
 		    client_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 	if (client->valid_start && *client->valid_start > kdc_time) {
-	    kdc_log(context, config, 0, "Client not yet valid -- %s", client_name);
+	    kdc_log(context, config, 0,
 		    "Client not yet valid -- %s", client_name);
 	    return KRB5KDC_ERR_CLIENT_NOTYET;
 	}
 	if (client->valid_end && *client->valid_end < kdc_time) {
-	    kdc_log(context, config, 0, "Client expired -- %s", client_name);
+	    kdc_log(context, config, 0,
 		    "Client expired -- %s", client_name);
 	    return KRB5KDC_ERR_NAME_EXP;
 	}
 	if (client->pw_end && *client->pw_end < kdc_time
 	    && !server->flags.change_pw) {
-	    kdc_log(context, config, 0, "Client's key has expired -- %s", client_name);
+	    kdc_log(context, config, 0,
 		    "Client's key has expired -- %s", client_name);
 	    return KRB5KDC_ERR_KEY_EXPIRED;
 	}
    }
@ -649,33 +656,38 @@ _kdc_check_flags(krb5_context context,
    if (server != NULL) {
 	if (server->flags.invalid) {
-	    kdc_log(context, config, 0, "Server has invalid flag set -- %s", server_name);
+	    kdc_log(context, config, 0,
 		    "Server has invalid flag set -- %s", server_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 	if(!server->flags.server){
-	    kdc_log(context, config, 0, "Principal may not act as server -- %s", 
+	    kdc_log(context, config, 0,
-		    server_name);
+		    "Principal may not act as server -- %s", server_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 	if(!is_as_req && server->flags.initial) {
-	    kdc_log(context, config, 0, "AS-REQ is required for server -- %s", server_name);
+	    kdc_log(context, config, 0,
 		    "AS-REQ is required for server -- %s", server_name);
 	    return KRB5KDC_ERR_POLICY;
 	}
 	if (server->valid_start && *server->valid_start > kdc_time) {
-	    kdc_log(context, config, 0, "Server not yet valid -- %s", server_name);
+	    kdc_log(context, config, 0,
 		    "Server not yet valid -- %s", server_name);
 	    return KRB5KDC_ERR_SERVICE_NOTYET;
 	}
 	if (server->valid_end && *server->valid_end < kdc_time) {
-	    kdc_log(context, config, 0, "Server expired -- %s", server_name);
+	    kdc_log(context, config, 0,
 		    "Server expired -- %s", server_name);
 	    return KRB5KDC_ERR_SERVICE_EXP;
 	}
 	if (server->pw_end && *server->pw_end < kdc_time) {
-	    kdc_log(context, config, 0, "Server's key has expired -- %s", server_name);
+	    kdc_log(context, config, 0,
 		    "Server's key has expired -- %s", server_name);
 	    return KRB5KDC_ERR_KEY_EXPIRED;
 	}
    }
@ -868,6 +880,7 @@ _kdc_as_rep(krb5_context context,
 	    size_t len;
 	    EncryptedData enc_data;
 	    Key *pa_key;
 	    char *str;
 	    found_pa = 1;
@ -919,14 +932,24 @@ _kdc_as_rep(krb5_context context,
 					      &ts_data);
 	    krb5_crypto_destroy(context, crypto);
 	    if(ret){
 		krb5_error_code ret2;
 		ret2 = krb5_enctype_to_string(context, 
 					     pa_key->key.keytype, &str);
 		if (ret2)
 		    str = NULL;
 		kdc_log(context, config, 5, 
 			"Failed to decrypt PA-DATA -- %s "
 			"(enctype %s) error %s",
 			client_name, str ? str : "unknown enctype", 
 			krb5_get_err_text(context, ret));
 		free(str);
 		if(hdb_next_enctype2key(context, client, 
 					enc_data.etype, &pa_key) == 0)
 		    goto try_next_key;
 		free_EncryptedData(&enc_data);
 		e_text = "Failed to decrypt PA-DATA";
-		kdc_log(context, config, 
+
-			5, "Failed to decrypt PA-DATA -- %s",
+		free_EncryptedData(&enc_data);
 			client_name);
 		ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 		continue;
 	    }
@ -953,9 +976,15 @@ _kdc_as_rep(krb5_context context,
 		goto out;
 	    }
 	    et.flags.pre_authent = 1;
 	    ret = krb5_enctype_to_string(context,pa_key->key.keytype, &str);
 	    if (ret)
 		str = NULL;
 	    kdc_log(context, config, 2,
-		    "ENC-TS Pre-authentication succeeded -- %s", 
+		    "ENC-TS Pre-authentication succeeded -- %s using %s", 
-		    client_name);
+		    client_name, str ? str : "unknown enctype");
 	    free(str);
 	    break;
 	}
 #ifdef PKINIT
@ -1877,7 +1906,7 @@ tgs_check_authenticator(krb5_context context,
    free(buf);
    krb5_crypto_destroy(context, crypto);
    if(ret){
-	kdc_log(context, config, 0, "Failed to verify checksum: %s", 
+	kdc_log(context, config, 0, "Failed to verify authenticator checksum: %s", 
 		krb5_get_err_text(context, ret));
    }
 out:
@ -2073,6 +2102,10 @@ tgs_rep2(krb5_context context,
    ret = tgs_check_authenticator(context, config, 
 				  ac, b, &e_text, &tgt->key);
    if(ret){
 	krb5_auth_con_free(context, ac);
 	goto out2;
    }
    if (b->enc_authorization_data) {
 	krb5_keyblock *subkey;
@ -2134,14 +2167,6 @@ tgs_rep2(krb5_context context,
 	}
    }
    krb5_auth_con_free(context, ac);
    if(ret){
 	kdc_log(context, config, 0, "Failed to verify authenticator: %s", 
 		krb5_get_err_text(context, ret));
 	goto out2;
    }
    {
 	PrincipalName *s;
 	Realm r;
--- a/source/heimdal/kdc/pkinit.c
+++ b/source/heimdal/kdc/pkinit.c
@ -33,7 +33,7 @@
 #include "kdc_locl.h"
-RCSID("$Id: pkinit.c,v 1.36 2005/07/01 15:37:24 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.37 2005/07/26 18:37:02 lha Exp $");
 #ifdef PKINIT
@ -927,8 +927,10 @@ pk_mk_pa_reply_enckey(krb5_context context,
    enc_alg->parameters->data = params.data;
    enc_alg->parameters->length = params.length;
-    if (client_params->type == PKINIT_COMPAT_WIN2K || client_params->type == PKINIT_COMPAT_19 || client_params->type == PKINIT_COMPAT_25) {
+    switch (client_params->type) {
-	ReplyKeyPack kp;
+    case PKINIT_COMPAT_WIN2K:
    case PKINIT_COMPAT_19: {
 	ReplyKeyPack_19 kp;
 	memset(&kp, 0, sizeof(kp));
 	ret = copy_EncryptionKey(reply_key, &kp.replyKey);
@ -938,9 +940,25 @@ pk_mk_pa_reply_enckey(krb5_context context,
 	}
 	kp.nonce = client_params->nonce;
 	ASN1_MALLOC_ENCODE(ReplyKeyPack_19, 
 			   buf.data, buf.length,
 			   &kp, &size,ret);
 	free_ReplyKeyPack_19(&kp);
    }
    case PKINIT_COMPAT_25: {
 	ReplyKeyPack kp;
 	memset(&kp, 0, sizeof(kp));
 	ret = copy_EncryptionKey(reply_key, &kp.replyKey);
 	if (ret) {
 	    krb5_clear_error_string(context);
 	    goto out;
 	}
 	/* XXX add whatever is the outcome of asChecksum discussion here */
 	ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
 	free_ReplyKeyPack(&kp);
-    } else {
+    }
    default:
 	krb5_abortx(context, "internal pkinit error");
    }
    if (ret) {
--- a/source/heimdal/lib/asn1/CMS.asn1
+++ b/source/heimdal/lib/asn1/CMS.asn1
@ -0,0 +1,151 @@
 -- From RFC 3369 --
 -- $Id: CMS.asn1,v 1.3 2005/07/23 10:37:13 lha Exp $ --
 CMS DEFINITIONS ::= BEGIN
 IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name,
 	Attribute, Certificate, Name, SubjectKeyIdentifier FROM rfc2459
 	heim_any, heim_any_set FROM heim;
 id-pkcs7 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
         us(840) rsadsi(113549) pkcs(1) pkcs7(7) }
 id-pkcs7-data OBJECT IDENTIFIER ::= 			{ id-pkcs7 1 }
 id-pkcs7-signedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 2 }
 id-pkcs7-envelopedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 3 }
 id-pkcs7-signedAndEnvelopedData OBJECT IDENTIFIER ::= 	{ id-pkcs7 4 }
 id-pkcs7-digestedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 5 }
 id-pkcs7-encryptedData OBJECT IDENTIFIER ::= 		{ id-pkcs7 6 }
 CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
 DigestAlgorithmIdentifier ::= AlgorithmIdentifier
 DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
 SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
 ContentType ::= OBJECT IDENTIFIER
 MessageDigest ::= OCTET STRING
 ContentInfo ::= SEQUENCE {
 	contentType ContentType,
 	content [0] EXPLICIT heim_any OPTIONAL --  DEFINED BY contentType 
 }
 EncapsulatedContentInfo ::= SEQUENCE {
 	eContentType ContentType,
 	eContent [0] EXPLICIT OCTET STRING OPTIONAL
 }
 CertificateSet ::= SET OF heim_any
 CertificateList ::= Certificate
 CertificateRevocationLists ::= SET OF CertificateList
 IssuerAndSerialNumber ::= SEQUENCE {
 	issuer Name,
 	serialNumber CertificateSerialNumber
 }
 -- RecipientIdentifier is same as SignerIdentifier, 
 -- lets glue them togheter and save some bytes and share code for them
 CMSIdentifier ::= CHOICE {
 	issuerAndSerialNumber IssuerAndSerialNumber,
 	subjectKeyIdentifier [0] SubjectKeyIdentifier
 }
 SignerIdentifier ::= CMSIdentifier
 RecipientIdentifier ::= CMSIdentifier
 --- CMSAttributes are the combined UnsignedAttributes and SignedAttributes
 --- to store space and share code
 CMSAttributes ::= SET OF Attribute		-- SIZE (1..MAX) 
 SignatureValue ::= OCTET STRING
 SignerInfo ::= SEQUENCE {
 	version CMSVersion,
 	sid SignerIdentifier,
 	digestAlgorithm DigestAlgorithmIdentifier,
 	signedAttrs [0] IMPLICIT -- CMSAttributes --
 		SET OF Attribute OPTIONAL,
 	signatureAlgorithm SignatureAlgorithmIdentifier,
 	signature SignatureValue,
 	unsignedAttrs [1] IMPLICIT -- CMSAttributes -- 
 		SET OF Attribute OPTIONAL
 }
 SignerInfos ::= SET OF SignerInfo
 SignedData ::= SEQUENCE {
 	version CMSVersion,
 	digestAlgorithms DigestAlgorithmIdentifiers,
 	encapContentInfo EncapsulatedContentInfo,
 	certificates [0] IMPLICIT -- CertificateSet --
 		SET OF heim_any OPTIONAL,
 	crls [1] IMPLICIT -- CertificateRevocationLists --
 		heim_any OPTIONAL,
 	signerInfos SignerInfos
 }
 OriginatorInfo ::= SEQUENCE {
 	certs [0] IMPLICIT -- CertificateSet --
 		SET OF heim_any OPTIONAL,
 	crls [1] IMPLICIT --CertificateRevocationLists --
 		heim_any OPTIONAL
 }
 KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
 ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
 EncryptedKey ::= OCTET STRING
 KeyTransRecipientInfo ::= SEQUENCE {
 	version CMSVersion,  -- always set to 0 or 2
 	rid RecipientIdentifier,
 	keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
 	encryptedKey EncryptedKey
 }
 RecipientInfo ::= KeyTransRecipientInfo
 RecipientInfos ::= SET OF RecipientInfo
 EncryptedContent ::= OCTET STRING
 EncryptedContentInfo ::= SEQUENCE {
 	contentType ContentType,
 	contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
 	encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL
 }
 UnprotectedAttributes ::= SET OF Attribute	-- SIZE (1..MAX)
 CMSEncryptedData ::= SEQUENCE {
 	version CMSVersion,
 	encryptedContentInfo EncryptedContentInfo,
        unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes --
 		heim_any OPTIONAL
 }
 EnvelopedData ::= SEQUENCE {
 	version CMSVersion,
 	originatorInfo [0] IMPLICIT -- OriginatorInfo -- heim_any OPTIONAL,
 	recipientInfos RecipientInfos,
 	encryptedContentInfo EncryptedContentInfo,
 	unprotectedAttrs [1] IMPLICIT -- UnprotectedAttributes --
 		heim_any OPTIONAL
 }
 -- Data ::= OCTET STRING
 CMSRC2CBCParameter ::= SEQUENCE {
 	rc2ParameterVersion	INTEGER,
 	iv			OCTET STRING -- exactly 8 octets
 }
 CMSCBCParameter ::= OCTET STRING
 END
--- a/source/heimdal/lib/asn1/asn1-common.h
+++ b/source/heimdal/lib/asn1/asn1-common.h
@ -1,4 +1,4 @@
-/* $Id: asn1-common.h,v 1.4 2003/07/15 13:57:31 lha Exp $ */
+/* $Id: asn1-common.h,v 1.5 2005/07/12 06:27:14 lha Exp $ */
 #include <stddef.h>
 #include <time.h>
@ -6,6 +6,12 @@
 #ifndef __asn1_common_definitions__
 #define __asn1_common_definitions__
 typedef struct heim_integer {
    size_t length;
    void *data;
    int negative;
 } heim_integer;
 typedef struct heim_octet_string {
    size_t length;
    void *data;
@ -13,10 +19,44 @@ typedef struct heim_octet_string {
 typedef char *heim_general_string;
 typedef char *heim_utf8_string;
 typedef char *heim_printable_string;
 typedef char *heim_ia5_string;
 typedef struct heim_bmp_string {
    size_t length;
    uint16_t *data;
 } heim_bmp_string;
 typedef struct heim_universal_string {
    size_t length;
    uint32_t *data;
 } heim_universal_string;
 typedef struct heim_oid {
    size_t length;
    unsigned *components;
 } heim_oid;
 typedef struct heim_bit_string {
    size_t length;
    void *data;
 } heim_bit_string;
 #define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \
  do {                                                         \
    (BL) = length_##T((S));                                    \
    (B) = malloc((BL));                                        \
    if((B) == NULL) {                                          \
      (R) = ENOMEM;                                            \
    } else {                                                   \
      (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \
                       (S), (L));                              \
      if((R) != 0) {                                           \
        free((B));                                             \
        (B) = NULL;                                            \
      }                                                        \
    }                                                          \
  } while (0)
 #endif
--- a/source/heimdal/lib/asn1/asn1_gen.c
+++ b/source/heimdal/lib/asn1/asn1_gen.c
@ -0,0 +1,187 @@
 /*
 * Copyright (c) 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions 
 * are met: 
 *
 * 1. Redistributions of source code must retain the above copyright 
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright 
 *    notice, this list of conditions and the following disclaimer in the 
 *    documentation and/or other materials provided with the distribution. 
 *
 * 3. Neither the name of the Institute nor the names of its contributors 
 *    may be used to endorse or promote products derived from this software 
 *    without specific prior written permission. 
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 * SUCH DAMAGE. 
 */
 #include "der_locl.h"
 #include <com_err.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <ctype.h>
 #include <getarg.h>
 #include <hex.h>
 #include <err.h>
 RCSID("$Id: asn1_gen.c,v 1.2 2005/07/12 06:27:14 lha Exp $");
 static int
 doit(const char *fn)
 {
    char buf[2048];
    char *fnout;
    const char *bname;
    unsigned long line = 0;
    FILE *f, *fout;
    size_t offset = 0;
    f = fopen(fn, "r");
    if (f == NULL)
 	err(1, "fopen");
    bname = strrchr(fn, '/');
    if (bname)
 	bname++;
    else
 	bname = fn;
    asprintf(&fnout, "%s.out", bname);
    if (fnout == NULL)
 	errx(1, "malloc");
    fout = fopen(fnout, "w");
    if (fout == NULL)
 	err(1, "fopen: output file");
    while (fgets(buf, sizeof(buf), f) != NULL) {
 	char *ptr, *class, *type, *tag, *length, *data, *foo;
 	int ret, l, c, ty, ta;
 	unsigned char p[6], *pdata;
 	size_t sz;
 	line++;
 	buf[strcspn(buf, "\r\n")] = '\0';
 	if (buf[0] == '#' || buf[0] == '\0')
 	    continue;
 	ptr = buf;
 	while (isspace((unsigned char)*ptr))
 	       ptr++;
 	class = strtok_r(ptr, " \t\n", &foo);
 	if (class == NULL) errx(1, "class missing one line %lu", line);
 	type = strtok_r(NULL, " \t\n", &foo);
 	if (type == NULL) errx(1, "type missing one line %lu", line);
 	tag = strtok_r(NULL, " \t\n", &foo);
 	if (tag == NULL) errx(1, "tag missing one line %lu", line);
 	length = strtok_r(NULL, " \t\n", &foo);
 	if (length == NULL) errx(1, "length missing one line %lu", line);
 	data = strtok_r(NULL, " \t\n", &foo);
 	c = der_get_class_num(class);
 	if (c == -1) errx(1, "no valid class on line %lu", line);
 	ty = der_get_type_num(type);
 	if (ty == -1) errx(1, "no valid type on line %lu", line);
 	ta = der_get_tag_num(tag);
 	if (ta == -1)
 	    ta = atoi(tag);
 	l = atoi(length);
 	printf("line: %3lu offset: %3lu class: %d type: %d "
 	       "tag: %3d length: %3d %s\n", 
 	       line, (unsigned long)offset, c, ty, ta, l, 
 	       data ? "<have data>" : "<no data>");
 	ret = der_put_length_and_tag(p + sizeof(p) - 1, sizeof(p),
 				     l,
 				     c,
 				     ty,
 				     ta,
 				     &sz);
 	if (ret)
 	    errx(1, "der_put_length_and_tag: %d", ret);
 	if (fwrite(p + sizeof(p) - sz , sz, 1, fout) != 1)
 	    err(1, "fwrite length/tag failed");
 	offset += sz;
 	if (data) {
 	    size_t datalen;
 	    datalen = strlen(data) / 2;
 	    pdata = emalloc(sz);
 	    if (hex_decode(data, pdata, datalen) != datalen)
 		errx(1, "failed to decode data");
 	    if (fwrite(pdata, datalen, 1, fout) != 1)
 		err(1, "fwrite data failed");
 	    offset += datalen;
 	    free(pdata);
 	}
    }
    printf("line: eof offset: %lu\n", (unsigned long)offset);
    fclose(fout);
    fclose(f);
    return 0;
 }
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
    { "version", 0, arg_flag, &version_flag },
    { "help", 0, arg_flag, &help_flag }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 static void
 usage(int code)
 {
    arg_printusage(args, num_args, NULL, "parse-file");
    exit(code);
 }
 int
 main(int argc, char **argv)
 {
    int optind = 0;
    setprogname (argv[0]);
    if(getarg(args, num_args, argc, argv, &optind))
 	usage(1);
    if(help_flag)
 	usage(0);
    if(version_flag) {
 	print_version(NULL);
 	exit(0);
    }
    argv += optind;
    argc -= optind;
    if (argc != 1)
 	usage (1);
    return doit (argv[0]);
 }
--- a/source/heimdal/lib/asn1/asn1_queue.h
+++ b/source/heimdal/lib/asn1/asn1_queue.h
@ -0,0 +1,167 @@
 /*	$NetBSD: queue.h,v 1.38 2004/04/18 14:12:05 lukem Exp $	*/
 /*	$Id: asn1_queue.h,v 1.2 2005/07/12 06:27:15 lha Exp $ */
 /*
 * Copyright (c) 1991, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)queue.h	8.5 (Berkeley) 8/20/94
 */
 #ifndef	_ASN1_QUEUE_H_
 #define	_ASN1_QUEUE_H_
 /*
 * Tail queue definitions.
 */
 #define	ASN1_TAILQ_HEAD(name, type)					\
 struct name {								\
 	struct type *tqh_first;	/* first element */			\
 	struct type **tqh_last;	/* addr of last next element */		\
 }
 #define	ASN1_TAILQ_HEAD_INITIALIZER(head)				\
 	{ NULL, &(head).tqh_first }
 #define	ASN1_TAILQ_ENTRY(type)						\
 struct {								\
 	struct type *tqe_next;	/* next element */			\
 	struct type **tqe_prev;	/* address of previous next element */	\
 }
 /*
 * Tail queue functions.
 */
 #if defined(_KERNEL) && defined(QUEUEDEBUG)
 #define	QUEUEDEBUG_ASN1_TAILQ_INSERT_HEAD(head, elm, field)		\
 	if ((head)->tqh_first &&					\
 	    (head)->tqh_first->field.tqe_prev != &(head)->tqh_first)	\
 		panic("ASN1_TAILQ_INSERT_HEAD %p %s:%d", (head), __FILE__, __LINE__);
 #define	QUEUEDEBUG_ASN1_TAILQ_INSERT_TAIL(head, elm, field)		\
 	if (*(head)->tqh_last != NULL)					\
 		panic("ASN1_TAILQ_INSERT_TAIL %p %s:%d", (head), __FILE__, __LINE__);
 #define	QUEUEDEBUG_ASN1_TAILQ_OP(elm, field)				\
 	if ((elm)->field.tqe_next &&					\
 	    (elm)->field.tqe_next->field.tqe_prev !=			\
 	    &(elm)->field.tqe_next)					\
 		panic("ASN1_TAILQ_* forw %p %s:%d", (elm), __FILE__, __LINE__);\
 	if (*(elm)->field.tqe_prev != (elm))				\
 		panic("ASN1_TAILQ_* back %p %s:%d", (elm), __FILE__, __LINE__);
 #define	QUEUEDEBUG_ASN1_TAILQ_PREREMOVE(head, elm, field)		\
 	if ((elm)->field.tqe_next == NULL &&				\
 	    (head)->tqh_last != &(elm)->field.tqe_next)			\
 		panic("ASN1_TAILQ_PREREMOVE head %p elm %p %s:%d",	\
 		      (head), (elm), __FILE__, __LINE__);
 #define	QUEUEDEBUG_ASN1_TAILQ_POSTREMOVE(elm, field)			\
 	(elm)->field.tqe_next = (void *)1L;				\
 	(elm)->field.tqe_prev = (void *)1L;
 #else
 #define	QUEUEDEBUG_ASN1_TAILQ_INSERT_HEAD(head, elm, field)
 #define	QUEUEDEBUG_ASN1_TAILQ_INSERT_TAIL(head, elm, field)
 #define	QUEUEDEBUG_ASN1_TAILQ_OP(elm, field)
 #define	QUEUEDEBUG_ASN1_TAILQ_PREREMOVE(head, elm, field)
 #define	QUEUEDEBUG_ASN1_TAILQ_POSTREMOVE(elm, field)
 #endif
 #define	ASN1_TAILQ_INIT(head) do {					\
 	(head)->tqh_first = NULL;					\
 	(head)->tqh_last = &(head)->tqh_first;				\
 } while (/*CONSTCOND*/0)
 #define	ASN1_TAILQ_INSERT_HEAD(head, elm, field) do {			\
 	QUEUEDEBUG_ASN1_TAILQ_INSERT_HEAD((head), (elm), field)		\
 	if (((elm)->field.tqe_next = (head)->tqh_first) != NULL)	\
 		(head)->tqh_first->field.tqe_prev =			\
 		    &(elm)->field.tqe_next;				\
 	else								\
 		(head)->tqh_last = &(elm)->field.tqe_next;		\
 	(head)->tqh_first = (elm);					\
 	(elm)->field.tqe_prev = &(head)->tqh_first;			\
 } while (/*CONSTCOND*/0)
 #define	ASN1_TAILQ_INSERT_TAIL(head, elm, field) do {			\
 	QUEUEDEBUG_ASN1_TAILQ_INSERT_TAIL((head), (elm), field)		\
 	(elm)->field.tqe_next = NULL;					\
 	(elm)->field.tqe_prev = (head)->tqh_last;			\
 	*(head)->tqh_last = (elm);					\
 	(head)->tqh_last = &(elm)->field.tqe_next;			\
 } while (/*CONSTCOND*/0)
 #define	ASN1_TAILQ_INSERT_AFTER(head, listelm, elm, field) do {		\
 	QUEUEDEBUG_ASN1_TAILQ_OP((listelm), field)			\
 	if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\
 		(elm)->field.tqe_next->field.tqe_prev = 		\
 		    &(elm)->field.tqe_next;				\
 	else								\
 		(head)->tqh_last = &(elm)->field.tqe_next;		\
 	(listelm)->field.tqe_next = (elm);				\
 	(elm)->field.tqe_prev = &(listelm)->field.tqe_next;		\
 } while (/*CONSTCOND*/0)
 #define	ASN1_TAILQ_INSERT_BEFORE(listelm, elm, field) do {		\
 	QUEUEDEBUG_ASN1_TAILQ_OP((listelm), field)			\
 	(elm)->field.tqe_prev = (listelm)->field.tqe_prev;		\
 	(elm)->field.tqe_next = (listelm);				\
 	*(listelm)->field.tqe_prev = (elm);				\
 	(listelm)->field.tqe_prev = &(elm)->field.tqe_next;		\
 } while (/*CONSTCOND*/0)
 #define	ASN1_TAILQ_REMOVE(head, elm, field) do {			\
 	QUEUEDEBUG_ASN1_TAILQ_PREREMOVE((head), (elm), field)		\
 	QUEUEDEBUG_ASN1_TAILQ_OP((elm), field)				\
 	if (((elm)->field.tqe_next) != NULL)				\
 		(elm)->field.tqe_next->field.tqe_prev = 		\
 		    (elm)->field.tqe_prev;				\
 	else								\
 		(head)->tqh_last = (elm)->field.tqe_prev;		\
 	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
 	QUEUEDEBUG_ASN1_TAILQ_POSTREMOVE((elm), field);			\
 } while (/*CONSTCOND*/0)
 #define	ASN1_TAILQ_FOREACH(var, head, field)				\
 	for ((var) = ((head)->tqh_first);				\
 		(var);							\
 		(var) = ((var)->field.tqe_next))
 #define	ASN1_TAILQ_FOREACH_REVERSE(var, head, headname, field)		\
 	for ((var) = (*(((struct headname *)((head)->tqh_last))->tqh_last)); \
 		(var);							\
 		(var) = (*(((struct headname *)((var)->field.tqe_prev))->tqh_last)))
 /*
 * Tail queue access methods.
 */
 #define	ASN1_TAILQ_EMPTY(head)		((head)->tqh_first == NULL)
 #define	ASN1_TAILQ_FIRST(head)		((head)->tqh_first)
 #define	ASN1_TAILQ_NEXT(elm, field)		((elm)->field.tqe_next)
 #define	ASN1_TAILQ_LAST(head, headname) \
 	(*(((struct headname *)((head)->tqh_last))->tqh_last))
 #define	ASN1_TAILQ_PREV(elm, headname, field) \
 	(*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
 #endif	/* !_ASN1_QUEUE_H_ */
--- a/source/heimdal/lib/asn1/canthandle.asn1
+++ b/source/heimdal/lib/asn1/canthandle.asn1
@ -0,0 +1,34 @@
 -- $Id: canthandle.asn1,v 1.4 2005/07/21 20:49:15 lha Exp $ --
 CANTHANDLE DEFINITIONS ::= BEGIN
 -- Code the tag [1] but not the [ CONTEXT CONS UT_Sequence ] for Kaka2
 -- Workaround: use inline the structure directly
 -- Code the tag [2] but it should be primitive since KAKA3 is
 -- Workaround: use the INTEGER type directly
 Kaka2  ::= SEQUENCE { 
        kaka2-1 [0] INTEGER
 }
 Kaka3  ::= INTEGER
 Foo ::= SEQUENCE {
        kaka1 [0] IMPLICIT INTEGER OPTIONAL,
        kaka2 [1] IMPLICIT Kaka2 OPTIONAL,
        kaka3 [2] IMPLICIT Kaka3 OPTIONAL
 }
 -- Don't code kaka if its 1
 -- Workaround is to use OPTIONAL and check for in the encoder stubs
 Bar ::= SEQUENCE {
        kaka [0] INTEGER DEFAULT 1
 }
 --  Can't handle primitives in SET OF
 --  Workaround is to define a type that is only an integer and use that
 Baz ::= SET OF INTEGER
 END
--- a/source/heimdal/lib/asn1/der.c
+++ b/source/heimdal/lib/asn1/der.c
@ -0,0 +1,142 @@
 /*
 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions 
 * are met: 
 *
 * 1. Redistributions of source code must retain the above copyright 
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright 
 *    notice, this list of conditions and the following disclaimer in the 
 *    documentation and/or other materials provided with the distribution. 
 *
 * 3. Neither the name of the Institute nor the names of its contributors 
 *    may be used to endorse or promote products derived from this software 
 *    without specific prior written permission. 
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 * SUCH DAMAGE. 
 */
 #include "der_locl.h"
 #include <com_err.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <getarg.h>
 #include <err.h>
 RCSID("$Id: der.c,v 1.2 2005/07/12 06:27:19 lha Exp $");
 static const char *class_names[] = {
    "UNIV",			/* 0 */
    "APPL",			/* 1 */
    "CONTEXT",			/* 2 */
    "PRIVATE"			/* 3 */
 };
 static const char *type_names[] = {
    "PRIM",			/* 0 */
    "CONS"			/* 1 */
 };
 static const char *tag_names[] = {
    "EndOfContent",		/* 0 */
    "Boolean",			/* 1 */
    "Integer",			/* 2 */
    "BitString",		/* 3 */
    "OctetString",		/* 4 */
    "Null",			/* 5 */
    "ObjectID",			/* 6 */
    NULL,			/* 7 */
    NULL,			/* 8 */
    NULL,			/* 9 */
    "Enumerated",		/* 10 */
    NULL,			/* 11 */
    NULL,			/* 12 */
    NULL,			/* 13 */
    NULL,			/* 14 */
    NULL,			/* 15 */
    "Sequence",			/* 16 */
    "Set",			/* 17 */
    NULL,			/* 18 */
    "PrintableString",		/* 19 */
    NULL,			/* 20 */
    NULL,			/* 21 */
    "IA5String",		/* 22 */
    "UTCTime",			/* 23 */
    "GeneralizedTime",		/* 24 */
    NULL,			/* 25 */
    "VisibleString",		/* 26 */
    "GeneralString",		/* 27 */
    NULL,			/* 28 */
    NULL,			/* 29 */
    "BMPString"			/* 30 */
 };
 static int
 get_type(const char *name, const char *list[], unsigned len)
 {
    unsigned i;
    for (i = 0; i < len; i++)
 	if (list[i] && strcasecmp(list[i], name) == 0)
 	    return i;
    return -1;
 }
 #define SIZEOF_ARRAY(a) (sizeof((a))/sizeof((a)[0]))
 const char *
 der_get_class_name(unsigned num)
 {
    if (num >= SIZEOF_ARRAY(class_names))
 	return NULL;
    return class_names[num];
 }
 int
 der_get_class_num(const char *name)
 {
    return get_type(name, class_names, SIZEOF_ARRAY(class_names));
 }
 const char *
 der_get_type_name(unsigned num)
 {
    if (num >= SIZEOF_ARRAY(type_names))
 	return NULL;
    return type_names[num];
 }
 int
 der_get_type_num(const char *name)
 {
    return get_type(name, type_names, SIZEOF_ARRAY(type_names));
 }
 const char *
 der_get_tag_name(unsigned num)
 {
    if (num >= SIZEOF_ARRAY(tag_names))
 	return NULL;
    return tag_names[num];
 }
 int
 der_get_tag_num(const char *name)
 {
    return get_type(name, tag_names, SIZEOF_ARRAY(tag_names));
 }
--- a/source/heimdal/lib/asn1/der.h
+++ b/source/heimdal/lib/asn1/der.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -31,13 +31,11 @@
 * SUCH DAMAGE. 
 */
-/* $Id: der.h,v 1.28 2005/05/29 14:23:00 lha Exp $ */
+/* $Id: der.h,v 1.29 2005/07/12 06:27:19 lha Exp $ */
 #ifndef __DER_H__
 #define __DER_H__
 #include <time.h>
 typedef enum {
    ASN1_C_UNIV = 0,
    ASN1_C_APPL = 1,
@ -47,9 +45,12 @@ typedef enum {
 typedef enum {PRIM = 0, CONS = 1} Der_type;
 #define MAKE_TAG(CLASS, TYPE, TAG)  (((CLASS) << 6) | ((TYPE) << 5) | (TAG))
 /* Universal tags */
 enum {
    UT_EndOfContent	= 0,
    UT_Boolean		= 1,
    UT_Integer		= 2,	
    UT_BitString	= 3,
@ -65,116 +66,178 @@ enum {
    UT_UTCTime		= 23,
    UT_GeneralizedTime	= 24,
    UT_VisibleString	= 26,
-     UT_GeneralString	= 27
+    UT_GeneralString	= 27,
    /* unsupported types */
    UT_ObjectDescriptor = 7,
    UT_External		= 8,
    UT_Real		= 9,
    UT_EmbeddedPDV	= 11,
    UT_RelativeOID	= 13,
    UT_NumericString	= 18,
    UT_TeletexString	= 20,
    UT_VideotexString	= 21,
    UT_GraphicString	= 25,
    UT_UniversalString	= 25,
    UT_BMPString	= 30,
 };
 #define ASN1_INDEFINITE 0xdce0deed
-#ifndef HAVE_TIMEGM
+typedef struct asn1_der_time_t {
-time_t timegm (struct tm *);
+    time_t dt_sec;
-#endif
+    unsigned long dt_nsec;
 } asn1_der_time_t;
-int time2generalizedtime (time_t t, heim_octet_string *s);
+typedef struct asn1_ber_time_t {
    time_t bt_sec;
    unsigned bt_nsec;
    int bt_zone;
 } asn1_ber_time_t;
-int der_get_int (const unsigned char *p, size_t len, int *ret, size_t *size);
+int der_get_unsigned (const unsigned char *p, size_t len,
-int der_get_length (const unsigned char *p, size_t len,
+		      unsigned *ret, size_t *size);
-		    size_t *val, size_t *size);
+int der_get_integer (const unsigned char *p, size_t len,
 		     int *ret, size_t *size);
 int der_get_heim_integer (const unsigned char *p, size_t len,
 			  heim_integer *ret, size_t *size);
 int der_get_boolean(const unsigned char *p, size_t len,
 		    int *data, size_t *size);
 int der_get_length (const unsigned char *p, size_t len,
 		    size_t *val, size_t *size);
 int der_get_general_string (const unsigned char *p, size_t len, 
 			    heim_general_string *str, size_t *size);
 int der_get_utf8string (const unsigned char *p, size_t len, 
 			    heim_utf8_string *str, size_t *size);
 int der_get_universal_string (const unsigned char *p, size_t len, 
 			     heim_universal_string *str, size_t *size);
 int der_get_bmp_string (const unsigned char *p, size_t len, 
 			heim_bmp_string *str, size_t *size);
 int der_get_printable_string (const unsigned char *p, size_t len, 
 			    heim_printable_string *str, size_t *size);
 int der_get_ia5_string (const unsigned char *p, size_t len,
 			heim_ia5_string *str, size_t *size);
 int der_get_octet_string (const unsigned char *p, size_t len, 
 			  heim_octet_string *data, size_t *size);
 int der_get_generalized_time (const unsigned char *p, size_t len, 
 			      time_t *data, size_t *size);
 int der_get_generalized_time_der (const unsigned char *p, size_t len, 
 				  asn1_der_time_t *data, size_t *size);
 int der_get_generalized_time_ber (const unsigned char *p, size_t len, 
 				  asn1_ber_time_t *data, size_t *size);
 int der_get_utctime (const unsigned char *p, size_t len, 
 		     time_t *data, size_t *size);
 int der_get_oid (const unsigned char *p, size_t len,
 		 heim_oid *data, size_t *size);
 int der_get_bit_string (const unsigned char *p, size_t len,
 			heim_bit_string *data, size_t *size);
 int der_get_tag (const unsigned char *p, size_t len, 
 		 Der_class *class, Der_type *type,
-		 int *tag, size_t *size);
+		 unsigned int *tag, size_t *size);
 int der_match_tag (const unsigned char *p, size_t len, 
 		   Der_class class, Der_type type,
-		   int tag, size_t *size);
+		   unsigned int tag, size_t *size);
 int der_match_tag_and_length (const unsigned char *p, size_t len,
-			      Der_class class, Der_type type, int tag,
+			      Der_class class, Der_type type, unsigned int tag,
 			      size_t *length_ret, size_t *size);
-int decode_boolean (const unsigned char*, size_t, int*, size_t*);
+int der_put_unsigned (unsigned char *p, size_t len, const unsigned *val, size_t*);
-int decode_integer (const unsigned char*, size_t, int*, size_t*);
+int der_put_integer (unsigned char *p, size_t len, const int *val, size_t*);
-int decode_unsigned (const unsigned char*, size_t, unsigned*, size_t*);
+int der_put_heim_integer (unsigned char *p, size_t len, 
-int decode_enumerated (const unsigned char*, size_t, unsigned*, size_t*);
+			  const heim_integer *val, size_t*);
-int decode_general_string (const unsigned char*, size_t,
+int der_put_boolean (unsigned char *p, size_t len, const int *val, size_t*);
 			   heim_general_string*, size_t*);
 int decode_oid (const unsigned char *p, size_t len, 
 		heim_oid *k, size_t *size);
 int decode_octet_string (const unsigned char*, size_t, 
 			 heim_octet_string*, size_t*);
 int decode_generalized_time (const unsigned char*, size_t, time_t*, size_t*);
 int decode_nulltype (const unsigned char*, size_t, size_t*);
 int decode_utf8string (const unsigned char*, size_t, 
 		       heim_utf8_string*, size_t*);
 int der_put_int (unsigned char *p, size_t len, int val, size_t*);
 int der_put_length (unsigned char *p, size_t len, size_t val, size_t*);
 int der_put_boolean (unsigned char *p, size_t len, const int *data, size_t*);
 int der_put_general_string (unsigned char *p, size_t len,
 			    const heim_general_string *str, size_t*);
 int der_put_utf8string (unsigned char *p, size_t len,
 			const heim_utf8_string *str, size_t*);
 int der_put_universal_string (unsigned char *p, size_t len,
 			      const heim_universal_string *str, size_t*);
 int der_put_bmp_string (unsigned char *p, size_t len,
 			    const heim_bmp_string *str, size_t*);
 int der_put_printable_string (unsigned char *p, size_t len,
 			    const heim_printable_string *str, size_t*);
 int der_put_ia5_string (unsigned char *p, size_t len,
 			const heim_ia5_string *str, size_t*);
 int der_put_octet_string (unsigned char *p, size_t len,
 			  const heim_octet_string *data, size_t*);
 int der_put_generalized_time (unsigned char *p, size_t len, 
 			      const time_t *data, size_t *size);
 int der_put_utctime (unsigned char *p, size_t len, 
 		     const time_t *data, size_t *size);
 int der_put_oid (unsigned char *p, size_t len,
 		 const heim_oid *data, size_t *size);
 int der_put_bit_string (unsigned char *p, size_t len,
 			const heim_bit_string *data, size_t *size);
 int der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
-		 int tag, size_t*);
+		 unsigned int tag, size_t*);
 int der_put_length_and_tag (unsigned char*, size_t, size_t, 
-			    Der_class, Der_type, int, size_t*);
+			    Der_class, Der_type, unsigned int, size_t*);
 int encode_boolean (unsigned char *p, size_t len,
 		    const int *data, size_t*);
 int encode_integer (unsigned char *p, size_t len,
 		    const int *data, size_t*);
 int encode_unsigned (unsigned char *p, size_t len,
 		     const unsigned *data, size_t*);
 int encode_enumerated (unsigned char *p, size_t len,
 		       const unsigned *data, size_t*);
 int encode_general_string (unsigned char *p, size_t len, 
 			   const heim_general_string *data, size_t*);
 int encode_octet_string (unsigned char *p, size_t len,
 			 const heim_octet_string *k, size_t*);
 int encode_oid (unsigned char *p, size_t len,
 		const heim_oid *k, size_t*);
 int encode_generalized_time (unsigned char *p, size_t len,
 			     const time_t *t, size_t*);
 int encode_nulltype (unsigned char*, size_t, size_t*);
 int encode_utf8string (unsigned char*, size_t, 
 		       const heim_utf8_string*, size_t*);
 void free_integer (int *num);
 void free_heim_integer (heim_integer *num);
 void free_octet_string (heim_octet_string *k);
 void free_general_string (heim_general_string *str);
 void free_octet_string (heim_octet_string *k);
 void free_oid (heim_oid *k);
 void free_bit_string (heim_bit_string *k);
 void free_generalized_time (time_t *t);
 void free_utctime (time_t *t);
 void free_utf8string (heim_utf8_string*);
 void free_printable_string (heim_printable_string*);
 void free_ia5_string (heim_ia5_string*);
 void free_universal_string (heim_universal_string*);
 void free_bmp_string (heim_bmp_string*);
 size_t length_len (size_t len);
 size_t length_boolean (const int *data);
 size_t length_integer (const int *data);
 size_t length_heim_integer (const heim_integer *data);
 size_t length_unsigned (const unsigned *data);
 size_t length_enumerated (const unsigned *data);
 size_t length_general_string (const heim_general_string *data);
 size_t length_octet_string (const heim_octet_string *k);
 size_t length_oid (const heim_oid *k);
 size_t length_bit_string (const heim_bit_string *k);
 size_t length_generalized_time (const time_t *t);
-size_t length_nulltype (void);
+size_t length_utctime (const time_t *t);
 size_t length_utf8string (const heim_utf8_string*);
 size_t length_printable_string (const heim_printable_string*);
 size_t length_ia5_string (const heim_ia5_string*);
 size_t length_bmp_string (const heim_bmp_string*);
 size_t length_universal_string (const heim_universal_string*);
 size_t length_boolean (const int*);
 int copy_heim_integer (const heim_integer *, heim_integer *);
 int copy_general_string (const heim_general_string *, heim_general_string *);
 int copy_octet_string (const heim_octet_string *, heim_octet_string *);
 int copy_oid (const heim_oid *from, heim_oid *to);
-int copy_nulltype (void *, void *);
+int copy_bit_string (const heim_bit_string *from, heim_bit_string *to);
 int copy_utf8string (const heim_utf8_string*, heim_utf8_string*);
 int copy_printable_string (const heim_printable_string*,heim_printable_string*);
 int copy_ia5_string (const heim_ia5_string*,heim_ia5_string*);
 int copy_universal_string(const heim_universal_string*,heim_universal_string*);
 int copy_bmp_string (const heim_bmp_string*,heim_bmp_string*);
 int heim_oid_cmp(const heim_oid *, const heim_oid *);
 int heim_octet_string_cmp(const heim_octet_string *,const heim_octet_string *);
 int heim_bit_string_cmp(const heim_bit_string *, const heim_bit_string *);
 int heim_integer_cmp(const heim_integer *, const heim_integer *);
 int heim_bmp_string_cmp(const heim_bmp_string *, const heim_bmp_string *);
 int heim_universal_string_cmp(const heim_universal_string *, 
 			      const heim_universal_string *);
-int fix_dce(size_t reallen, size_t *len);
+int der_parse_oid(const char *, heim_oid *);
 int _heim_fix_dce(size_t reallen, size_t *len);
 int _heim_der_set_sort(const void *, const void *);
 int _heim_time2generalizedtime (time_t, heim_octet_string *, int);
 const char *	der_get_class_name(unsigned);
 int		der_get_class_num(const char *);
 const char *	der_get_type_name(unsigned);
 int		der_get_type_num(const char *);
 const char *	der_get_tag_name(unsigned);
 int		der_get_tag_num(const char *);
 #endif /* __DER_H__ */
--- a/source/heimdal/lib/asn1/der_cmp.c
+++ b/source/heimdal/lib/asn1/der_cmp.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,8 +33,6 @@
 #include "der_locl.h"
 RCSID("$Id: der_cmp.c,v 1.2 2004/04/26 20:54:02 lha Exp $");
 int
 heim_oid_cmp(const heim_oid *p, const heim_oid *q)
 {
@ -52,3 +50,50 @@ heim_octet_string_cmp(const heim_octet_string *p, const heim_octet_string *q)
 	return p->length - q->length;
    return memcmp(p->data, q->data, p->length);
 }
 int
 heim_bit_string_cmp(const heim_bit_string *p, const heim_bit_string *q)
 {
    int i, r1, r2;
    if (p->length != q->length)
 	return p->length - q->length;
    i = memcmp(p->data, q->data, p->length / 8);
    if (i)
 	return i;
    if ((p->length % 8) == 0)
 	return 0;
    i = (p->length / 8);
    r1 = ((unsigned char *)p->data)[i];
    r2 = ((unsigned char *)q->data)[i];
    i = 8 - (p->length % 8);
    r1 = r1 >> i;
    r2 = r2 >> i;
    return r1 - r2;
 }
 int
 heim_integer_cmp(const heim_integer *p, const heim_integer *q)
 {
    if (p->length != q->length)
 	return p->length - q->length;
    if (p->negative != q->negative)
 	return p->negative - q->negative;
    return memcmp(p->data, q->data, p->length);
 }
 int
 heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q)
 {
    if (p->length != q->length)
 	return p->length - q->length;
    return memcmp(p->data, q->data, q->length * sizeof(q->data[0]));
 }
 int
 heim_universal_string_cmp(const heim_universal_string *p, 
 			  const heim_universal_string *q)
 {
    if (p->length != q->length)
 	return p->length - q->length;
    return memcmp(p->data, q->data, q->length * sizeof(q->data[0]));
 }
--- a/source/heimdal/lib/asn1/der_copy.c
+++ b/source/heimdal/lib/asn1/der_copy.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "der_locl.h"
-RCSID("$Id: der_copy.c,v 1.12 2003/11/07 07:39:43 lha Exp $");
+RCSID("$Id: der_copy.c,v 1.13 2005/07/12 06:27:20 lha Exp $");
 int
 copy_general_string (const heim_general_string *from, heim_general_string *to)
@ -44,6 +44,49 @@ copy_general_string (const heim_general_string *from, heim_general_string *to)
    return 0;
 }
 int
 copy_utf8string (const heim_utf8_string *from, heim_utf8_string *to)
 {
    return copy_general_string(from, to);
 }
 int
 copy_printable_string (const heim_printable_string *from, 
 		       heim_printable_string *to)
 {
    return copy_general_string(from, to);
 }
 int
 copy_ia5_string (const heim_printable_string *from, 
 		       heim_printable_string *to)
 {
    return copy_general_string(from, to);
 }
 int
 copy_bmp_string (const heim_bmp_string *from, heim_bmp_string *to)
 {
    to->length = from->length;
    to->data   = malloc(to->length * sizeof(to->data[0]));
    if(to->length != 0 && to->data == NULL)
 	return ENOMEM;
    memcpy(to->data, from->data, to->length * sizeof(to->data[0]));
    return 0;
 }
 int
 copy_universal_string (const heim_universal_string *from,
 		       heim_universal_string *to)
 {
    to->length = from->length;
    to->data   = malloc(to->length * sizeof(to->data[0]));
    if(to->length != 0 && to->data == NULL)
 	return ENOMEM;
    memcpy(to->data, from->data, to->length * sizeof(to->data[0]));
    return 0;
 }
 int
 copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
 {
@ -55,6 +98,17 @@ copy_octet_string (const heim_octet_string *from, heim_octet_string *to)
    return 0;
 }
 int
 copy_heim_integer (const heim_integer *from, heim_integer *to)
 {
    to->length = from->length;
    to->data   = malloc(to->length);
    if(to->length != 0 && to->data == NULL)
 	return ENOMEM;
    memcpy(to->data, from->data, to->length);
    return 0;
 }
 int
 copy_oid (const heim_oid *from, heim_oid *to)
 {
@ -66,3 +120,17 @@ copy_oid (const heim_oid *from, heim_oid *to)
 	   to->length * sizeof(*to->components));
    return 0;
 }
 int
 copy_bit_string (const heim_bit_string *from, heim_bit_string *to)
 {
    size_t len;
    len = (from->length + 7) / 8;
    to->length = from->length;
    to->data   = malloc(len);
    if(len != 0 && to->data == NULL)
 	return ENOMEM;
    memcpy(to->data, from->data, len);
    return 0;
 }
--- a/source/heimdal/lib/asn1/der_free.c
+++ b/source/heimdal/lib/asn1/der_free.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "der_locl.h"
-RCSID("$Id: der_free.c,v 1.10 2003/08/20 16:18:49 joda Exp $");
+RCSID("$Id: der_free.c,v 1.11 2005/07/12 06:27:21 lha Exp $");
 void
 free_general_string (heim_general_string *str)
@ -42,11 +42,56 @@ free_general_string (heim_general_string *str)
    *str = NULL;
 }
 void
 free_utf8string (heim_utf8_string *str)
 {
    free(*str);
    *str = NULL;
 }
 void
 free_printable_string (heim_printable_string *str)
 {
    free(*str);
    *str = NULL;
 }
 void
 free_ia5_string (heim_ia5_string *str)
 {
    free_general_string(str);
 }
 void
 free_bmp_string (heim_bmp_string *k)
 {
    free(k->data);
    k->data = NULL;
    k->length = 0;
 }
 void
 free_universal_string (heim_universal_string *k)
 {
    free(k->data);
    k->data = NULL;
    k->length = 0;
 }
 void
 free_octet_string (heim_octet_string *k)
 {
    free(k->data);
    k->data = NULL;
    k->length = 0;
 }
 void
 free_heim_integer (heim_integer *k)
 {
    free(k->data);
    k->data = NULL;
    k->length = 0;
 }
 void
@ -54,4 +99,13 @@ free_oid (heim_oid *k)
 {
    free(k->components);
    k->components = NULL;
    k->length = 0;
 }
 void
 free_bit_string (heim_bit_string *k)
 {
    free(k->data);
    k->data = NULL;
    k->length = 0;
 }
--- a/source/heimdal/lib/asn1/der_get.c
+++ b/source/heimdal/lib/asn1/der_get.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "der_locl.h"
-RCSID("$Id: der_get.c,v 1.39 2005/05/29 14:23:00 lha Exp $");
+RCSID("$Id: der_get.c,v 1.44 2005/07/19 18:04:00 lha Exp $");
 #include <version.h>
@ -45,13 +45,18 @@ RCSID("$Id: der_get.c,v 1.39 2005/05/29 14:23:00 lha Exp $");
 * Either 0 or an error code is returned.
 */
-static int
+int
 der_get_unsigned (const unsigned char *p, size_t len,
 		  unsigned *ret, size_t *size)
 {
    unsigned val = 0;
    size_t oldlen = len;
    if (len == sizeof(unsigned) + 1 && p[0] == 0)
 	;
    else if (len > sizeof(unsigned))
 	return ASN1_OVERRUN;
    while (len--)
 	val = val * 256 + *p++;
    *ret = val;
@ -60,12 +65,15 @@ der_get_unsigned (const unsigned char *p, size_t len,
 }
 int
-der_get_int (const unsigned char *p, size_t len,
+der_get_integer (const unsigned char *p, size_t len,
 		 int *ret, size_t *size)
 {
    int val = 0;
    size_t oldlen = len;
    if (len > sizeof(int))
 	return ASN1_OVERRUN;
    if (len > 0) {
 	val = (signed char)*p++;
 	while (--len)
@ -76,19 +84,6 @@ der_get_int (const unsigned char *p, size_t len,
    return 0;
 }
 int
 der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size)
 {
    if(len < 1)
 	return ASN1_OVERRUN;
    if(*p != 0)
 	*data = 1;
    else
 	*data = 0;
    *size = 1;
    return 0;
 }
 int
 der_get_length (const unsigned char *p, size_t len,
 		size_t *val, size_t *size)
@ -123,12 +118,28 @@ der_get_length (const unsigned char *p, size_t len,
    return 0;
 }
 int
 der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size)
 {
    if(len < 1)
 	return ASN1_OVERRUN;
    if(*p != 0)
 	*data = 1;
    else
 	*data = 0;
    *size = 1;
    return 0;
 }
 int
 der_get_general_string (const unsigned char *p, size_t len, 
 			heim_general_string *str, size_t *size)
 {
    char *s;
    if (len > len + 1)
 	return ASN1_BAD_LENGTH;
    s = malloc (len + 1);
    if (s == NULL)
 	return ENOMEM;
@ -139,6 +150,70 @@ der_get_general_string (const unsigned char *p, size_t len,
    return 0;
 }
 int
 der_get_utf8string (const unsigned char *p, size_t len, 
 		    heim_utf8_string *str, size_t *size)
 {
    return der_get_general_string(p, len, str, size);
 }
 int
 der_get_printable_string (const unsigned char *p, size_t len, 
 			  heim_printable_string *str, size_t *size)
 {
    return der_get_general_string(p, len, str, size);
 }
 int
 der_get_ia5_string (const unsigned char *p, size_t len, 
 		    heim_ia5_string *str, size_t *size)
 {
    return der_get_general_string(p, len, str, size);
 }
 int
 der_get_bmp_string (const unsigned char *p, size_t len, 
 		    heim_bmp_string *data, size_t *size)
 {
    size_t i;
    if (len & 1)
 	return ASN1_BAD_FORMAT;
    data->length = len / 2;
    data->data = malloc(data->length * sizeof(data->data[0]));
    if (data->data == NULL && data->length != 0)
 	return ENOMEM;
    for (i = 0; i < data->length; i++) {
 	data->data[i] = (p[0] << 8) | p[1];
 	p += 2;
    }
    if (size) *size = len;
    return 0;
 }
 int
 der_get_universal_string (const unsigned char *p, size_t len, 
 			  heim_universal_string *data, size_t *size)
 {
    size_t i;
    if (len & 3)
 	return ASN1_BAD_FORMAT;
    data->length = len / 4;
    data->data = malloc(data->length * sizeof(data->data[0]));
    if (data->data == NULL && data->length != 0)
 	return ENOMEM;
    for (i = 0; i < data->length; i++) {
 	data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
 	p += 4;
    }
    if (size) *size = len;
    return 0;
 }
 int
 der_get_octet_string (const unsigned char *p, size_t len, 
 		      heim_octet_string *data, size_t *size)
@ -152,6 +227,108 @@ der_get_octet_string (const unsigned char *p, size_t len,
    return 0;
 }
 int
 der_get_heim_integer (const unsigned char *p, size_t len, 
 		      heim_integer *data, size_t *size)
 {
    data->length = 0;
    data->negative = 0;
    data->data = NULL;
    if (len == 0) {
 	if (size)
 	    *size = 0;
 	return 0;
    }
    if (p[0] & 0x80) {
 	data->negative = 1;
 	return ASN1_OVERRUN;
    } else {
 	data->negative = 0;
 	data->length = len;
 	if (p[0] == 0 && data->length != 1) {
 	    p++;
 	    data->length--;
 	}
 	data->data = malloc(data->length);
 	if (data->data == NULL) {
 	    data->length = 0;
 	    return ENOMEM;
 	}
 	memcpy(data->data, p, data->length);
    }
    if (size)
 	*size = len;
    return 0;
 }
 static int
 generalizedtime2time (const char *s, time_t *t)
 {
    struct tm tm;
    memset(&tm, 0, sizeof(tm));
    if (sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
 		&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
 		&tm.tm_min, &tm.tm_sec) != 6) {
 	if (sscanf (s, "%02d%02d%02d%02d%02d%02dZ",
 		    &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
 		    &tm.tm_min, &tm.tm_sec) != 6)
 	    return ASN1_BAD_TIMEFORMAT;
 	if (tm.tm_year < 50)
 	    tm.tm_year += 2000;
 	else
 	    tm.tm_year += 1900;
    }
    tm.tm_year -= 1900;
    tm.tm_mon -= 1;
    *t = timegm (&tm);
    return 0;
 }
 static int
 der_get_time (const unsigned char *p, size_t len, 
 	      time_t *data, size_t *size)
 {
    heim_octet_string k;
    char *times;
    size_t ret = 0;
    size_t l;
    int e;
    e = der_get_octet_string (p, len, &k, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    times = realloc(k.data, k.length + 1);
    if (times == NULL){
 	free(k.data);
 	return ENOMEM;
    }
    times[k.length] = 0;
    e = generalizedtime2time(times, data);
    free (times);
    if(size) *size = ret;
    return e;
 }
 int
 der_get_generalized_time (const unsigned char *p, size_t len, 
 			  time_t *data, size_t *size)
 {
    return der_get_time(p, len, data, size);
 }
 int
 der_get_utctime (const unsigned char *p, size_t len, 
 			  time_t *data, size_t *size)
 {
    return der_get_time(p, len, data, size);
 }
 int
 der_get_oid (const unsigned char *p, size_t len,
 	     heim_oid *data, size_t *size)
@ -162,6 +339,9 @@ der_get_oid (const unsigned char *p, size_t len,
    if (len < 1)
 	return ASN1_OVERRUN;
    if (len > len + 1)
 	return ASN1_BAD_LENGTH;
    data->components = malloc((len + 1) * sizeof(*data->components));
    if (data->components == NULL)
 	return ENOMEM;
@ -170,15 +350,21 @@ der_get_oid (const unsigned char *p, size_t len,
    --len;
    ++p;
    for (n = 2; len > 0; ++n) {
-	unsigned u = 0;
+	unsigned u = 0, u1;
 	do {
 	    --len;
-	    u = u * 128 + (*p++ % 128);
+	    u1 = u * 128 + (*p++ % 128);
 	    /* check that we don't overflow the element */
 	    if (u1 < u) {
 		free_oid(data);
 		return ASN1_OVERRUN;
 	    }
 	    u = u1;
 	} while (len > 0 && p[-1] & 0x80);
 	data->components[n] = u;
    }
-    if (len > 0 && p[-1] & 0x80) {
+    if (n > 2 && p[-1] & 0x80) {
 	free_oid (data);
 	return ASN1_OVERRUN;
    }
@ -191,26 +377,44 @@ der_get_oid (const unsigned char *p, size_t len,
 int
 der_get_tag (const unsigned char *p, size_t len,
 	     Der_class *class, Der_type *type,
-	     int *tag, size_t *size)
+	     unsigned int *tag, size_t *size)
 {
    size_t ret = 0;
    if (len < 1)
 	return ASN1_OVERRUN;
    *class = (Der_class)(((*p) >> 6) & 0x03);
    *type = (Der_type)(((*p) >> 5) & 0x01);
-    *tag = (*p) & 0x1F;
+    *tag = (*p) & 0x1f;
-    if(size) *size = 1;
+    p++; len--; ret++;
    if(*tag == 0x1f) {
 	unsigned int continuation;
 	unsigned int tag1;
 	*tag = 0;
 	do {
 	    if(len < 1)
 		return ASN1_OVERRUN;
 	    continuation = *p & 128;
 	    tag1 = *tag * 128 + (*p % 128);
 	    /* check that we don't overflow the tag */
 	    if (tag1 < *tag)
 		return ASN1_OVERFLOW;
 	    *tag = tag1;
 	    p++; len--; ret++;
 	} while(continuation);
    }
    if(size) *size = ret;
    return 0;
 }
 int
 der_match_tag (const unsigned char *p, size_t len,
 	       Der_class class, Der_type type,
-	       int tag, size_t *size)
+	       unsigned int tag, size_t *size)
 {
    size_t l;
    Der_class thisclass;
    Der_type thistype;
-    int thistag;
+    unsigned int thistag;
    int e;
    e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l);
@ -227,7 +431,7 @@ der_match_tag (const unsigned char *p, size_t len,
 int
 der_match_tag_and_length (const unsigned char *p, size_t len,
-			  Der_class class, Der_type type, int tag,
+			  Der_class class, Der_type type, unsigned int tag,
 			  size_t *length_ret, size_t *size)
 {
    size_t l, ret = 0;
@ -238,7 +442,6 @@ der_match_tag_and_length (const unsigned char *p, size_t len,
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, length_ret, &l);
    if (e) return e;
    p += l;
@ -248,281 +451,21 @@ der_match_tag_and_length (const unsigned char *p, size_t len,
    return 0;
 }
-int
+/* 
-decode_boolean (const unsigned char *p, size_t len,
+ * Old versions of DCE was based on a very early beta of the MIT code,
-		int *num, size_t *size)
+ * which used MAVROS for ASN.1 encoding. MAVROS had the interesting
-{
+ * feature that it encoded data in the forward direction, which has
-    size_t ret = 0;
+ * it's problems, since you have no idea how long the data will be
-    size_t l, reallen;
+ * until after you're done. MAVROS solved this by reserving one byte
-    int e;
+ * for length, and later, if the actual length was longer, it reverted
-
+ * to indefinite, BER style, lengths. The version of MAVROS used by
-    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_Boolean, &l);
+ * the DCE people could apparently generate correct X.509 DER encodings, and
-    if (e) return e;
+ * did this by making space for the length after encoding, but
-    p += l;
+ * unfortunately this feature wasn't used with Kerberos. 
-    len -= l;
+ */
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (reallen > len)
 	return ASN1_OVERRUN;
    e = der_get_boolean (p, reallen, num, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if(size) *size = ret;
    return 0;
 }
 int
-decode_integer (const unsigned char *p, size_t len,
+_heim_fix_dce(size_t reallen, size_t *len)
 		int *num, size_t *size)
 {
    size_t ret = 0;
    size_t l, reallen;
    int e;
    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_Integer, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (reallen > len)
 	return ASN1_OVERRUN;
    e = der_get_int (p, reallen, num, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if(size) *size = ret;
    return 0;
 }
 int
 decode_unsigned (const unsigned char *p, size_t len,
 		 unsigned *num, size_t *size)
 {
    size_t ret = 0;
    size_t l, reallen;
    int e;
    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_Integer, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (reallen > len)
 	return ASN1_OVERRUN;
    e = der_get_unsigned (p, reallen, num, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if(size) *size = ret;
    return 0;
 }
 int
 decode_enumerated (const unsigned char *p, size_t len,
 		   unsigned *num, size_t *size)
 {
    size_t ret = 0;
    size_t l, reallen;
    int e;
    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (reallen > len)
 	return ASN1_OVERRUN;
    e = der_get_int (p, reallen, num, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if(size) *size = ret;
    return 0;
 }
 int
 decode_general_string (const unsigned char *p, size_t len, 
 		       heim_general_string *str, size_t *size)
 {
    size_t ret = 0;
    size_t l, reallen;
    int e;
    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_GeneralString, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (len < reallen)
 	return ASN1_OVERRUN;
    e = der_get_general_string (p, reallen, str, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if(size) *size = ret;
    return 0;
 }
 int
 decode_octet_string (const unsigned char *p, size_t len, 
 		     heim_octet_string *k, size_t *size)
 {
    size_t ret = 0;
    size_t l, reallen;
    int e;
    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (len < reallen)
 	return ASN1_OVERRUN;
    e = der_get_octet_string (p, reallen, k, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if(size) *size = ret;
    return 0;
 }
 int
 decode_oid (const unsigned char *p, size_t len, 
 	    heim_oid *k, size_t *size)
 {
    size_t ret = 0;
    size_t l, reallen;
    int e;
    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_OID, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (len < reallen)
 	return ASN1_OVERRUN;
    e = der_get_oid (p, reallen, k, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if(size) *size = ret;
    return 0;
 }
 static void
 generalizedtime2time (const char *s, time_t *t)
 {
    struct tm tm;
    memset(&tm, 0, sizeof(tm));
    sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
 	    &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
 	    &tm.tm_min, &tm.tm_sec);
    tm.tm_year -= 1900;
    tm.tm_mon -= 1;
    *t = timegm (&tm);
 }
 int
 decode_generalized_time (const unsigned char *p, size_t len,
 			 time_t *t, size_t *size)
 {
    heim_octet_string k;
    char *times;
    size_t ret = 0;
    size_t l, reallen;
    int e;
    e = der_match_tag (p, len, ASN1_C_UNIV, PRIM, UT_GeneralizedTime, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    e = der_get_length (p, len, &reallen, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    if (len < reallen)
 	return ASN1_OVERRUN;
    e = der_get_octet_string (p, reallen, &k, &l);
    if (e) return e;
    p += l;
    len -= l;
    ret += l;
    times = realloc(k.data, k.length + 1);
    if (times == NULL){
 	free(k.data);
 	return ENOMEM;
    }
    times[k.length] = 0;
    generalizedtime2time (times, t);
    free (times);
    if(size) *size = ret;
    return 0;
 }
 int
 fix_dce(size_t reallen, size_t *len)
 {
    if(reallen == ASN1_INDEFINITE)
 	return 1;
@ -531,3 +474,27 @@ fix_dce(size_t reallen, size_t *len)
    *len = reallen;
    return 0;
 }
 int
 der_get_bit_string (const unsigned char *p, size_t len, 
 		    heim_bit_string *data, size_t *size)
 {
    if (len < 1)
 	return ASN1_OVERRUN;
    if (p[0] > 7)
 	return ASN1_BAD_FORMAT;
    if (len - 1 == 0 && p[0] != 0)
 	return ASN1_BAD_FORMAT;
    /* check if any of the three upper bits are set
     * any of them will cause a interger overrun */
    if ((len - 1) >> (sizeof(len) * 8 - 3))
 	return ASN1_OVERRUN;
    data->length = (len - 1) * 8;
    data->data = malloc(len - 1);
    if (data->data == NULL && (len - 1) != 0)
 	return ENOMEM;
    memcpy (data->data, p + 1, len - 1);
    data->length -= p[0];
    if(size) *size = len;
    return 0;
 }
--- a/source/heimdal/lib/asn1/der_length.c
+++ b/source/heimdal/lib/asn1/der_length.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,17 +33,23 @@
 #include "der_locl.h"
-RCSID("$Id: der_length.c,v 1.16 2004/02/07 14:27:59 lha Exp $");
+RCSID("$Id: der_length.c,v 1.17 2005/07/12 06:27:22 lha Exp $");
 size_t
 _heim_len_unsigned (unsigned val)
 {
    size_t ret = 0;
    int last_val_gt_128;
    do {
 	++ret;
 	last_val_gt_128 = (val >= 128);
 	val /= 256;
    } while (val);
    if(last_val_gt_128)
 	ret++;
    return ret;
 }
@ -83,12 +89,10 @@ len_oid (const heim_oid *oid)
    for (n = 2; n < oid->length; ++n) {
 	unsigned u = oid->components[n];
 	do {
 	    ++ret;
 	    u /= 128;
-	while (u > 0) {
+	} while(u > 0);
 	    ++ret;
 	    u /= 128;
 	}
    }
    return ret;
 }
@ -98,68 +102,91 @@ length_len (size_t len)
 {
    if (len < 128)
 	return 1;
-    else
+    else {
-	return _heim_len_unsigned (len) + 1;
+	int ret = 0;
 	do {
 	    ++ret;
 	    len /= 256;
 	} while (len);
 	return ret + 1;
    }
 size_t
 length_boolean (const int *data)
 {
  return 1 + length_len(1) + 1;
 }
 size_t
 length_integer (const int *data)
 {
-    size_t len = _heim_len_int (*data);
+    return _heim_len_int (*data);
    return 1 + length_len(len) + len;
 }
 size_t
 length_unsigned (const unsigned *data)
 {
-    unsigned val = *data;
+    return _heim_len_unsigned(*data);
    size_t len = 0;
    while (val > 255) {
 	++len;
 	val /= 256;
    }
    len++;
    if (val >= 128)
 	len++;
    return 1 + length_len(len) + len;
 }
 size_t
 length_enumerated (const unsigned *data)
 {
-    size_t len = _heim_len_int (*data);
+  return _heim_len_int (*data);
    return 1 + length_len(len) + len;
 }
 size_t
 length_general_string (const heim_general_string *data)
 {
-    char *str = *data;
+    return strlen(*data);
-    size_t len = strlen(str);
+}
-    return 1 + length_len(len) + len;
+
 size_t
 length_utf8string (const heim_utf8_string *data)
 {
    return strlen(*data);
 }
 size_t
 length_printable_string (const heim_printable_string *data)
 {
    return strlen(*data);
 }
 size_t
 length_ia5_string (const heim_ia5_string *data)
 {
    return strlen(*data);
 }
 size_t
 length_bmp_string (const heim_bmp_string *data)
 {
    return data->length * 2;
 }
 size_t
 length_universal_string (const heim_universal_string *data)
 {
    return data->length * 4;
 }
 size_t
 length_octet_string (const heim_octet_string *k)
 {
-    return 1 + length_len(k->length) + k->length;
+    return k->length;
 }
 size_t
 length_heim_integer (const heim_integer *k)
 {
    if (k->length == 0)
 	return 1;
    if (k->negative)
 	return k->length + ((((unsigned char *)k->data)[0] & 0x80) ? 0 : 1);
    else
 	return k->length + ((((unsigned char *)k->data)[0] & 0x80) ? 1 : 0);
 }
 size_t
 length_oid (const heim_oid *k)
 {
-    size_t len = len_oid (k);
+    return len_oid (k);
    return 1 + length_len(len) + len;
 }
 size_t
@ -168,8 +195,32 @@ length_generalized_time (const time_t *t)
    heim_octet_string k;
    size_t ret;
-    time2generalizedtime (*t, &k);
+    _heim_time2generalizedtime (*t, &k, 1);
-    ret = 1 + length_len(k.length) + k.length;
+    ret = k.length;
    free(k.data);
    return ret;
 }
 size_t
 length_utctime (const time_t *t)
 {
    heim_octet_string k;
    size_t ret;
    _heim_time2generalizedtime (*t, &k, 0);
    ret = k.length;
    free(k.data);
    return ret;
 }
 size_t
 length_boolean (const int *k)
 {
    return 1;
 }
 size_t
 length_bit_string (const heim_bit_string *k)
 {
    return (k->length + 7) / 8 + 1;
 }
--- a/source/heimdal/lib/asn1/der_locl.h
+++ b/source/heimdal/lib/asn1/der_locl.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2002, 2004 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -31,7 +31,7 @@
 * SUCH DAMAGE. 
 */
-/* $Id: der_locl.h,v 1.5 2004/02/07 14:16:53 lha Exp $ */
+/* $Id: der_locl.h,v 1.6 2005/07/12 06:27:22 lha Exp $ */
 #ifndef __DER_LOCL_H__
 #define __DER_LOCL_H__
@ -53,6 +53,10 @@
 #include <asn1_err.h>
 #include <der.h>
 #ifndef HAVE_TIMEGM
 time_t timegm (struct tm *);
 #endif
 size_t _heim_len_unsigned (unsigned);
 size_t _heim_len_int (int);
--- a/source/heimdal/lib/asn1/der_put.c
+++ b/source/heimdal/lib/asn1/der_put.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "der_locl.h"
-RCSID("$Id: der_put.c,v 1.32 2005/05/29 14:23:01 lha Exp $");
+RCSID("$Id: der_put.c,v 1.33 2005/07/12 06:27:23 lha Exp $");
 /*
 * All encoding functions take a pointer `p' to first position in
@ -43,10 +43,11 @@ RCSID("$Id: der_put.c,v 1.32 2005/05/29 14:23:01 lha Exp $");
 * The return value is 0 or an error.
 */
-static int
+int
-der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
+der_put_unsigned (unsigned char *p, size_t len, const unsigned *v, size_t *size)
 {
    unsigned char *base = p;
    unsigned val = *v;
    if (val) {
 	while (len > 0 && val) {
@ -57,6 +58,11 @@ der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
 	if (val != 0)
 	    return ASN1_OVERFLOW;
 	else {
 	    if(p[1] >= 128) {
 		if(len < 1)
 		    return ASN1_OVERFLOW;
 		*p-- = 0;
 	    }
 	    *size = base - p;
 	    return 0;
 	}
@ -70,9 +76,10 @@ der_put_unsigned (unsigned char *p, size_t len, unsigned val, size_t *size)
 }
 int
-der_put_int (unsigned char *p, size_t len, int val, size_t *size)
+der_put_integer (unsigned char *p, size_t len, const int *v, size_t *size)
 {
    unsigned char *base = p;
    int val = *v;
    if(val >= 0) {
 	do {
@ -114,22 +121,26 @@ der_put_length (unsigned char *p, size_t len, size_t val, size_t *size)
 {
    if (len < 1)
 	return ASN1_OVERFLOW;
    if (val < 128) {
 	*p = val;
 	*size = 1;
 	return 0;
    } else {
-	size_t l;
+	size_t l = 0;
 	int e;
-	e = der_put_unsigned (p, len - 1, val, &l);
+	while(val > 0) {
-	if (e)
+	    if(len < 2)
-	    return e;
+		return ASN1_OVERFLOW;
-	p -= l;
+	    *p-- = val % 256;
-	*p = 0x80 | l;
+	    val /= 256;
-	*size = l + 1;
+	    len--;
-	return 0;
+	    l++;
 	}
 	*p = 0x80 | l;
 	if(size)
 	    *size = l + 1;
    }
    return 0;
 }
 int
@ -160,6 +171,65 @@ der_put_general_string (unsigned char *p, size_t len,
    return 0;
 }
 int
 der_put_utf8string (unsigned char *p, size_t len, 
 		    const heim_utf8_string *str, size_t *size)
 {
    return der_put_general_string(p, len, str, size);
 }
 int
 der_put_printable_string (unsigned char *p, size_t len, 
 			  const heim_printable_string *str, size_t *size)
 {
    return der_put_general_string(p, len, str, size);
 }
 int
 der_put_ia5_string (unsigned char *p, size_t len, 
 		    const heim_ia5_string *str, size_t *size)
 {
    return der_put_general_string(p, len, str, size);
 }
 int
 der_put_bmp_string (unsigned char *p, size_t len, 
 		    const heim_bmp_string *data, size_t *size)
 {
    size_t i;
    if (len / 2 < data->length)
 	return ASN1_OVERFLOW;
    p -= data->length * 2;
    len -= data->length * 2;
    for (i = 0; i < data->length; i++) {
 	p[1] = (data->data[i] >> 8) & 0xff;
 	p[2] = data->data[i] & 0xff;
 	p += 2;
    }
    if (size) *size = data->length * 2;
    return 0;
 }
 int
 der_put_universal_string (unsigned char *p, size_t len, 
 			  const heim_universal_string *data, size_t *size)
 {
    size_t i;
    if (len / 4 < data->length)
 	return ASN1_OVERFLOW;
    p -= data->length * 4;
    len -= data->length * 4;
    for (i = 0; i < data->length; i++) {
 	p[1] = (data->data[i] >> 24) & 0xff;
 	p[2] = (data->data[i] >> 16) & 0xff;
 	p[3] = (data->data[i] >> 8) & 0xff;
 	p[4] = data->data[i] & 0xff;
 	p += 4;
    }
    if (size) *size = data->length * 4;
    return 0;
 }
 int
 der_put_octet_string (unsigned char *p, size_t len, 
 		      const heim_octet_string *data, size_t *size)
@ -173,6 +243,98 @@ der_put_octet_string (unsigned char *p, size_t len,
    return 0;
 }
 int
 der_put_heim_integer (unsigned char *p, size_t len, 
 		     const heim_integer *data, size_t *size)
 {
    unsigned char *buf = data->data;
    int hibitset = 0;
    if (data->length == 0) {
 	if (len < 1)
 	    return ASN1_OVERFLOW;
 	*p-- = 0;
 	if (size)
 	    *size = 1;
 	return 0;
    }
    if (len < data->length)
 	return ASN1_OVERFLOW;
    len -= data->length;
    if (data->negative) {
 	int i, carry;
 	for (i = data->length - 1, carry = 1; i >= 0; i--) {
 	    *p = buf[i] ^ 0xff;
 	    if (carry)
 		carry = !++*p;
 	    p--;
 	}
 	if (p[1] < 128) {
 	    if (len < 1)
 		return ASN1_OVERFLOW;
 	    *p-- = 0xff;
 	    len--;
 	    hibitset = 1;
 	}
    } else {
 	p -= data->length;
 	memcpy(p + 1, buf, data->length);
 	if (p[1] >= 128) {
 	    if (len < 1)
 		return ASN1_OVERFLOW;
 	    p[0] = 0;
 	    len--;
 	    hibitset = 1;
 	}
    }
    if (size)
 	*size = data->length + hibitset;
    return 0;
 }
 int
 der_put_generalized_time (unsigned char *p, size_t len, 
 			  const time_t *data, size_t *size)
 {
    heim_octet_string k;
    size_t l;
    int e;
    e = _heim_time2generalizedtime (*data, &k, 1);
    if (e)
 	return e;
    e = der_put_octet_string(p, len, &k, &l);
    free(k.data);
    if(e)
 	return e;
    if(size)
 	*size = l;
    return 0;
 }
 int
 der_put_utctime (unsigned char *p, size_t len, 
 		 const time_t *data, size_t *size)
 {
    heim_octet_string k;
    size_t l;
    int e;
    e = _heim_time2generalizedtime (*data, &k, 0);
    if (e)
 	return e;
    e = der_put_octet_string(p, len, &k, &l);
    free(k.data);
    if(e)
 	return e;
    if(size)
 	*size = l;
    return 0;
 }
 int
 der_put_oid (unsigned char *p, size_t len,
 	     const heim_oid *data, size_t *size)
@ -205,18 +367,39 @@ der_put_oid (unsigned char *p, size_t len,
 int
 der_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
-	     int tag, size_t *size)
+	     unsigned int tag, size_t *size)
 {
    if (tag <= 30) {
 	if (len < 1)
 	    return ASN1_OVERFLOW;
-    *p = (class << 6) | (type << 5) | tag; /* XXX */
+	*p = MAKE_TAG(class, type, tag);
 	*size = 1;
    } else {
 	size_t ret = 0;
 	unsigned int continuation = 0;
 	do {
 	    if (len < 1)
 		return ASN1_OVERFLOW;
 	    *p-- = tag % 128 | continuation;
 	    len--;
 	    ret++;
 	    tag /= 128;
 	    continuation = 0x80;
 	} while(tag > 0);
 	if (len < 1)
 	    return ASN1_OVERFLOW;
 	*p-- = MAKE_TAG(class, type, 0x1f);
 	ret++;
 	*size = ret;
    }
    return 0;
 }
 int
 der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val,
-			Der_class class, Der_type type, int tag, size_t *size)
+			Der_class class, Der_type type, 
 			unsigned int tag, size_t *size)
 {
    size_t ret = 0;
    size_t l;
@ -239,229 +422,55 @@ der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val,
 }
 int
-encode_boolean (unsigned char *p, size_t len, const int *data,
+_heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
 		size_t *size)
 {
    size_t ret = 0;
    size_t l;
    int e;
    e = der_put_boolean (p, len, data, &l);
    if(e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Boolean, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int
 encode_integer (unsigned char *p, size_t len, const int *data, size_t *size)
 {
    int num = *data;
    size_t ret = 0;
    size_t l;
    int e;
    e = der_put_int (p, len, num, &l);
    if(e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Integer, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int
 encode_unsigned (unsigned char *p, size_t len, const unsigned *data,
 		 size_t *size)
 {
    unsigned num = *data;
    size_t ret = 0;
    size_t l;
    int e;
    e = der_put_unsigned (p, len, num, &l);
    if(e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    /* if first octet has msb set, we need to pad with a zero byte */
    if(p[1] >= 128) {
 	if(len == 0)
 	    return ASN1_OVERFLOW;
 	*p-- = 0;
 	len--;
 	ret++;
 	l++;
    }
    e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Integer, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int
 encode_enumerated (unsigned char *p, size_t len, const unsigned *data,
 		   size_t *size)
 {
    unsigned num = *data;
    size_t ret = 0;
    size_t l;
    int e;
    e = der_put_int (p, len, num, &l);
    if(e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int
 encode_general_string (unsigned char *p, size_t len, 
 		       const heim_general_string *data, size_t *size)
 {
    size_t ret = 0;
    size_t l;
    int e;
    e = der_put_general_string (p, len, data, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_GeneralString, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int
 encode_octet_string (unsigned char *p, size_t len, 
 		     const heim_octet_string *k, size_t *size)
 {
    size_t ret = 0;
    size_t l;
    int e;
    e = der_put_octet_string (p, len, k, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int
 encode_oid(unsigned char *p, size_t len,
 	   const heim_oid *k, size_t *size)
 {
    size_t ret = 0;
    size_t l;
    int e;
    e = der_put_oid (p, len, k, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int
 time2generalizedtime (time_t t, heim_octet_string *s)
 {
     struct tm *tm;
-     size_t len;
+     const size_t len = gtimep ? 15 : 13;
     len = 15;
     s->data = malloc(len + 1);
     if (s->data == NULL)
 	 return ENOMEM;
     s->length = len;
     tm = gmtime (&t);
     if (gtimep)
 	 snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ", 
 		   tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, 
 		   tm->tm_hour, tm->tm_min, tm->tm_sec);
     else
 	 snprintf (s->data, len + 1, "%02d%02d%02d%02d%02d%02dZ", 
 		   tm->tm_year % 100, tm->tm_mon + 1, tm->tm_mday, 
 		   tm->tm_hour, tm->tm_min, tm->tm_sec);
     return 0;
 }
 int
-encode_generalized_time (unsigned char *p, size_t len,
+der_put_bit_string (unsigned char *p, size_t len, 
-			 const time_t *t, size_t *size)
+		    const heim_bit_string *data, size_t *size)
 {
-    size_t ret = 0;
+    size_t data_size = (data->length + 7) / 8;
-    size_t l;
+    if (len < data_size + 1)
-    heim_octet_string k;
+	return ASN1_OVERFLOW;
-    int e;
+    p -= data_size + 1;
-
+    len -= data_size + 1;
-    e = time2generalizedtime (*t, &k);
+    memcpy (p+2, data->data, data_size);
-    if (e)
+    if (data->length && (data->length % 8) != 0)
-	return e;
+	p[1] = 8 - (data->length % 8);
-    e = der_put_octet_string (p, len, &k, &l);
+    else
-    free (k.data);
+	p[1] = 0;
-    if (e)
+    *size = data_size + 1;
 	return e;
    p -= l;
    len -= l;
    ret += l;
    e = der_put_length_and_tag (p, len, k.length, ASN1_C_UNIV, PRIM, 
 				UT_GeneralizedTime, &l);
    if (e)
 	return e;
    p -= l;
    len -= l;
    ret += l;
    *size = ret;
    return 0;
 }
 int 
 _heim_der_set_sort(const void *a1, const void *a2)
 {
    const struct heim_octet_string *s1 = a1, *s2 = a2;
    int ret;
    ret = memcmp(s1->data, s2->data, 
 		 s1->length < s2->length ? s1->length : s2->length);
    if(ret)
 	return ret;
    return s1->length - s2->length;
 }
--- a/source/heimdal/lib/asn1/extra.c
+++ b/source/heimdal/lib/asn1/extra.c
@ -0,0 +1,159 @@
 /*
 * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions 
 * are met: 
 *
 * 1. Redistributions of source code must retain the above copyright 
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright 
 *    notice, this list of conditions and the following disclaimer in the 
 *    documentation and/or other materials provided with the distribution. 
 *
 * 3. Neither the name of the Institute nor the names of its contributors 
 *    may be used to endorse or promote products derived from this software 
 *    without specific prior written permission. 
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 * SUCH DAMAGE. 
 */
 #include "der_locl.h"
 #include "heim_asn1.h"
 RCSID("$Id: extra.c,v 1.5 2005/07/19 18:05:16 lha Exp $");
 int
 encode_heim_any(unsigned char *p, size_t len, 
 		const heim_any *data, size_t *size)
 {
    if (data->length > len)
 	return ASN1_OVERFLOW;
    p -= data->length;
    len -= data->length;
    memcpy (p+1, data->data, data->length);
    *size = data->length;
    return 0;
 }
 int
 decode_heim_any(const unsigned char *p, size_t len, 
 		heim_any *data, size_t *size)
 {
    size_t len_len, length, l;
    Der_class thisclass;
    Der_type thistype;
    unsigned int thistag;
    int e;
    if (data == NULL && len == 0) { /* XXX tag less OPTIONAL */
 	*size = 0;
 	return 0;
    }
    e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l);
    if (e) return e;
    if (l > len)
 	return ASN1_OVERFLOW;
    e = der_get_length(p + l, len - l, &length, &len_len);
    if (e) return e;
    if (length + len_len + l > len)
 	return ASN1_OVERFLOW;
    if (data) { /* XXX hack to workaround tag less OPTIONAL data */
 	memset(data, 0, sizeof(*data));
 	data->data = malloc(length + len_len + l);
 	if (data->data == NULL)
 	    return ENOMEM;
 	data->length = length + len_len + l;
 	memcpy(data->data, p, length + len_len + l);
    }
    if (size) *size = length + len_len + l;
    return 0;
 }
 void
 free_heim_any(heim_any *data)
 {
    free(data->data);
    data->data = NULL;
 }
 size_t
 length_heim_any(const heim_any *data)
 {
    return data->length;
 }
 int
 copy_heim_any(const heim_any *from, heim_any *to)
 {
    to->data = malloc(from->length);
    if (to->data == NULL && from->length != 0)
 	return ENOMEM;
    memcpy(to->data, from->data, from->length);
    to->length = from->length;
    return 0;
 }
 int
 encode_heim_any_set(unsigned char *p, size_t len, 
 		    const heim_any_set *data, size_t *size)
 {
    return encode_heim_any(p, len, data, size);
 }
 int
 decode_heim_any_set(const unsigned char *p, size_t len, 
 		heim_any_set *data, size_t *size)
 {
    memset(data, 0, sizeof(*data));
    data->data = malloc(len);
    if (data->data == NULL && len != 0)
 	return ENOMEM;
    data->length = len;
    memcpy(data->data, p, len);
    if (size) *size = len;
    return 0;
 }
 void
 free_heim_any_set(heim_any_set *data)
 {
    free_heim_any(data);
 }
 size_t
 length_heim_any_set(const heim_any *data)
 {
    return length_heim_any(data);
 }
 int
 copy_heim_any_set(const heim_any_set *from, heim_any_set *to)
 {
    return copy_heim_any(from, to);
 }
 int
 heim_any_cmp(const heim_any_set *p, const heim_any_set *q)
 {
    if (p->length != q->length)
 	return p->length - q->length;
    return memcmp(p->data, q->data, p->length);
 }
--- a/source/heimdal/lib/asn1/gen.c
+++ b/source/heimdal/lib/asn1/gen.c
--- a/source/heimdal/lib/asn1/gen_copy.c
+++ b/source/heimdal/lib/asn1/gen_copy.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,28 +33,35 @@
 #include "gen_locl.h"
-RCSID("$Id: gen_copy.c,v 1.15 2005/06/16 20:03:38 lha Exp $");
+RCSID("$Id: gen_copy.c,v 1.16 2005/07/12 06:27:26 lha Exp $");
 static int used_fail;
 static void
 copy_primitive (const char *typename, const char *from, const char *to)
 {
-    fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
+    fprintf (codefile, "if(copy_%s(%s, %s)) goto fail;\n", 
 	     typename, from, to);
    used_fail++;
 }
 static void
-copy_type (const char *from, const char *to, const Type *t)
+copy_type (const char *from, const char *to, const Type *t, int preserve)
 {
    switch (t->type) {
    case TType:
 #if 0
-      copy_type (from, to, t->symbol->type);
+	copy_type (from, to, t->symbol->type, preserve);
 #endif
-      fprintf (codefile, "if(copy_%s(%s, %s)) return ENOMEM;\n", 
+	fprintf (codefile, "if(copy_%s(%s, %s)) goto fail;\n", 
 		 t->symbol->gen_name, from, to);
 	used_fail++;
 	break;
    case TInteger:
-  case TUInteger:
+	if (t->range == NULL && t->members == NULL) {
 	    copy_primitive ("heim_integer", from, to);
 	    break;
 	}
    case TBoolean:
    case TEnumerated :
 	fprintf(codefile, "*(%s) = *(%s);\n", to, from);
@ -62,45 +69,91 @@ copy_type (const char *from, const char *to, const Type *t)
    case TOctetString:
 	copy_primitive ("octet_string", from, to);
 	break;
-  case TOID:
+    case TBitString:
-      copy_primitive ("oid", from, to);
+	if (ASN1_TAILQ_EMPTY(t->members))
-      break;
+	    copy_primitive ("bit_string", from, to);
-  case TBitString: {
+	else
 	    fprintf(codefile, "*(%s) = *(%s);\n", to, from);
 	break;
-  }
+    case TSet:
-  case TSequence: {
+    case TSequence:
-      Member *m;
+    case TChoice: {
-      int tag = -1;
+	Member *m, *have_ellipsis = NULL;
 	if(t->members == NULL)
 	    break;
-      for (m = t->members; m && tag != m->val; m = m->next) {
+	if ((t->type == TSequence || t->type == TChoice) && preserve) {
-	  char *fn;
+	    fprintf(codefile,
-	  char *tn;
+		    "{ int ret;\n"
-
+		    "ret = copy_octet_string(&(%s)->_save, &(%s)->_save);\n"
-	  asprintf (&fn, "%s(%s)->%s",
+		    "if (ret) goto fail;\n"
-		    m->optional ? "" : "&", from, m->gen_name);
+		    "}\n",
-	  asprintf (&tn, "%s(%s)->%s",
+		    from, to);
-		    m->optional ? "" : "&", to, m->gen_name);
+	    used_fail++;
 	  if(m->optional){
 	      fprintf(codefile, "if(%s) {\n", fn);
 	      fprintf(codefile, "%s = malloc(sizeof(*%s));\n", tn, tn);
 	      fprintf(codefile, "if(%s == NULL) return ENOMEM;\n", tn);
 	}
-	  copy_type (fn, tn, m->type);
+
 	if(t->type == TChoice) {
 	    fprintf(codefile, "(%s)->element = (%s)->element;\n", to, from);
 	    fprintf(codefile, "switch((%s)->element) {\n", from);
 	}
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *fs;
 	    char *ts;
 	    if (m->ellipsis) {
 		have_ellipsis = m;
 		continue;
 	    }
 	    if(t->type == TChoice)
 		fprintf(codefile, "case %s:\n", m->label);
 	    asprintf (&fs, "%s(%s)->%s%s",
 		      m->optional ? "" : "&", from, 
 		      t->type == TChoice ? "u." : "", m->gen_name);
 	    if (fs == NULL)
 		errx(1, "malloc");
 	    asprintf (&ts, "%s(%s)->%s%s",
 		      m->optional ? "" : "&", to, 
 		      t->type == TChoice ? "u." : "", m->gen_name);
 	    if (ts == NULL)
 		errx(1, "malloc");
 	    if(m->optional){
 		fprintf(codefile, "if(%s) {\n", fs);
 		fprintf(codefile, "%s = malloc(sizeof(*%s));\n", ts, ts);
 		fprintf(codefile, "if(%s == NULL) goto fail;\n", ts);
 		used_fail++;
 	    }
 	    copy_type (fs, ts, m->type, FALSE);
 	    if(m->optional){
 		fprintf(codefile, "}else\n");
-	      fprintf(codefile, "%s = NULL;\n", tn);
+		fprintf(codefile, "%s = NULL;\n", ts);
 	    }
-	  if (tag == -1)
+	    free (fs);
-	      tag = m->val;
+	    free (ts);
-	  free (fn);
+	    if(t->type == TChoice)
-	  free (tn);
+		fprintf(codefile, "break;\n");
 	}
 	if(t->type == TChoice) {
 	    if (have_ellipsis) {
 		fprintf(codefile, "case %s: {\n"
 			"int ret;\n"
 			"ret = copy_octet_string(&(%s)->u.%s, &(%s)->u.%s);\n"
 			"if (ret) goto fail;\n"
 			"break;\n"
 			"}\n",
 			have_ellipsis->label,
 			from, have_ellipsis->gen_name, 
 			to, have_ellipsis->gen_name);
 		used_fail++;
 	    }
 	    fprintf(codefile, "}\n");	
 	}
 	break;
    }
    case TSetOf:
    case TSequenceOf: {
 	char *f;
 	char *T;
@ -108,13 +161,18 @@ copy_type (const char *from, const char *to, const Type *t)
 	fprintf (codefile, "if(((%s)->val = "
 		 "malloc((%s)->len * sizeof(*(%s)->val))) == NULL && (%s)->len != 0)\n", 
 		 to, from, to, from);
-      fprintf (codefile, "return ENOMEM;\n");
+	fprintf (codefile, "goto fail;\n");
 	used_fail++;
 	fprintf(codefile,
 		"for((%s)->len = 0; (%s)->len < (%s)->len; (%s)->len++){\n",
 		to, to, from, to);
 	asprintf(&f, "&(%s)->val[(%s)->len]", from, to);
 	if (f == NULL)
 	    errx(1, "malloc");
 	asprintf(&T, "&(%s)->val[(%s)->len]", to, to);
-      copy_type(f, T, t->subtype);
+	if (T == NULL)
 	    errx(1, "malloc");
 	copy_type(f, T, t->subtype, FALSE);
 	fprintf(codefile, "}\n");
 	free(f);
 	free(T);
@ -126,13 +184,31 @@ copy_type (const char *from, const char *to, const Type *t)
    case TGeneralString:
 	copy_primitive ("general_string", from, to);
 	break;
    case TUTCTime:
 	fprintf(codefile, "*(%s) = *(%s);\n", to, from);
 	break;
    case TUTF8String:
 	copy_primitive ("utf8string", from, to);
 	break;
-  case TNull:
+    case TPrintableString:
 	copy_primitive ("printable_string", from, to);
 	break;
-  case TApplication:
+    case TIA5String:
-      copy_type (from, to, t->subtype);
+	copy_primitive ("ia5_string", from, to);
 	break;
    case TBMPString:
 	copy_primitive ("bmp_string", from, to);
 	break;
    case TUniversalString:
 	copy_primitive ("universal_string", from, to);
 	break;
    case TTag:
 	copy_type (from, to, t->subtype, preserve);
 	break;
    case TOID:
 	copy_primitive ("oid", from, to);
 	break;
    case TNull:
 	break;
    default :
 	abort ();
@ -142,16 +218,29 @@ copy_type (const char *from, const char *to, const Type *t)
 void
 generate_type_copy (const Symbol *s)
 {
  int preserve = preserve_type(s->name) ? TRUE : FALSE;
  used_fail = 0;
  fprintf (headerfile,
 	   "int    copy_%s  (const %s *, %s *);\n",
 	   s->gen_name, s->gen_name, s->gen_name);
  fprintf (codefile, "int\n"
 	   "copy_%s(const %s *from, %s *to)\n"
-	   "{\n",
+	   "{\n"
 	   "memset(to, 0, sizeof(*to));\n",
 	   s->gen_name, s->gen_name, s->gen_name);
  copy_type ("from", "to", s->type, preserve);
  fprintf (codefile, "return 0;\n");
-  copy_type ("from", "to", s->type);
+  if (used_fail)
-  fprintf (codefile, "return 0;\n}\n\n");
+      fprintf (codefile, "fail:\n"
 	       "free_%s(to);\n"
 	       "return ENOMEM;\n",
 	       s->gen_name);
  fprintf(codefile,
 	  "}\n\n");
 }
--- a/source/heimdal/lib/asn1/gen_decode.c
+++ b/source/heimdal/lib/asn1/gen_decode.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -32,288 +32,554 @@
 */
 #include "gen_locl.h"
 #include "lex.h"
-RCSID("$Id: gen_decode.c,v 1.21 2005/05/29 14:23:01 lha Exp $");
+RCSID("$Id: gen_decode.c,v 1.27 2005/07/19 18:09:30 lha Exp $");
 static void
-decode_primitive (const char *typename, const char *name)
+decode_primitive (const char *typename, const char *name, const char *forwstr)
 {
 #if 0
    fprintf (codefile,
 	     "e = decode_%s(p, len, %s, &l);\n"
-	     "FORW;\n",
+	     "%s;\n",
 	     typename,
-	     name);
+	     name,
 	     forwstr);
 #else
    fprintf (codefile,
 	     "e = der_get_%s(p, len, %s, &l);\n"
 	     "if(e) %s;\np += l; len -= l; ret += l;\n",
 	     typename,
 	     name,
 	     forwstr);
 #endif
 }
 static int
 is_primitive_type(int type)
 {
    switch(type) {
    case TInteger:
    case TBoolean:
    case TOctetString:
    case TBitString:
    case TEnumerated:
    case TGeneralizedTime:
    case TGeneralString:
    case TOID:
    case TUTCTime:
    case TUTF8String:
    case TPrintableString:
    case TIA5String:
    case TBMPString:
    case TUniversalString:
    case TNull:
 	return 1;
    default:
 	return 0;
    }
 }
 static void
-decode_type (const char *name, const Type *t)
+find_tag (const Type *t,
 	  Der_class *cl, Der_type *ty, unsigned *tag)
 {
    switch (t->type) {
-    case TType:
+    case TBitString:
-#if 0
+	*cl  = ASN1_C_UNIV;
-	decode_type (name, t->symbol->type);
+	*ty  = PRIM;
-#endif
+	*tag = UT_BitString;
 	fprintf (codefile,
 		 "e = decode_%s(p, len, %s, &l);\n"
 		 "FORW;\n",
 		 t->symbol->gen_name, name);
 	break;
    case TInteger:
 	if(t->members == NULL)
 	    decode_primitive ("integer", name);
 	else {
 	    char *s;
 	    asprintf(&s, "(int*)%s", name);
 	    if(s == NULL)
 		errx (1, "out of memory");
 	    decode_primitive ("integer", s);
 	    free(s);
 	}
 	break;
    case TUInteger:
 	decode_primitive ("unsigned", name);
 	break;
    case TEnumerated:
 	decode_primitive ("enumerated", name);
 	break;
    case TOctetString:
 	decode_primitive ("octet_string", name);
 	break;
    case TOID :
 	decode_primitive ("oid", name);
 	break;
    case TBitString: {
 	Member *m;
 	int tag = -1;
 	int pos;
 	fprintf (codefile,
 		 "e = der_match_tag_and_length (p, len, ASN1_C_UNIV, PRIM, UT_BitString,"
 		 "&reallen, &l);\n"
 		 "FORW;\n"
 		 "if(len < reallen)\n"
 		 "return ASN1_OVERRUN;\n"
 		 "p++;\n"
 		 "len--;\n"
 		 "reallen--;\n"
 		 "ret++;\n");
 	pos = 0;
 	for (m = t->members; m && tag != m->val; m = m->next) {
 	    while (m->val / 8 > pos / 8) {
 		fprintf (codefile,
 			 "p++; len--; reallen--; ret++;\n");
 		pos += 8;
 	    }
 	    fprintf (codefile,
 		     "%s->%s = (*p >> %d) & 1;\n",
 		     name, m->gen_name, 7 - m->val % 8);
 	    if (tag == -1)
 		tag = m->val;
 	}
 	fprintf (codefile,
 		 "p += reallen; len -= reallen; ret += reallen;\n");
 	break;
    }
    case TSequence: {
 	Member *m;
 	int tag = -1;
 	int fd_counter = unique_get_next();
 	int fd_counter_inner = unique_get_next();
 	if (t->members == NULL)
 	    break;
 	fprintf (codefile,
 		 "e = der_match_tag_and_length (p, len, ASN1_C_UNIV, CONS, UT_Sequence,"
 		 "&reallen, &l);\n"
 		 "FORW;\n"
 		 "{\n"
 		 "int dce_fix%d;\n"
 		 "if((dce_fix%d = fix_dce(reallen, &len)) < 0)\n"
 		 "return ASN1_BAD_FORMAT;\n",
 		 fd_counter, fd_counter);
 	for (m = t->members; m && tag != m->val; m = m->next) {
 	    char *s;
 	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
 	    if (0 && m->type->type == TType){
 		if(m->optional)
 		    fprintf (codefile,
 			     "%s = malloc(sizeof(*%s));\n"
 			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
 		fprintf (codefile, 
 			 "e = decode_seq_%s(p, len, %d, %d, %s, &l);\n",
 			 m->type->symbol->gen_name,
 			 m->val, 
 			 m->optional,
 			 s);
 		if(m->optional)
 		    fprintf (codefile, 
 			     "if (e == ASN1_MISSING_FIELD) {\n"
 			     "free(%s);\n"
 			     "%s = NULL;\n"
 			     "e = l = 0;\n"
 			     "}\n",
 			     s, s);
 		fprintf (codefile, "FORW;\n");
 	    }else{
 		fprintf (codefile, "{\n"
 			 "size_t newlen, oldlen;\n\n"
 			 "e = der_match_tag (p, len, ASN1_C_CONTEXT, CONS, %d, &l);\n",
 			 m->val);
 		fprintf (codefile,
 			 "if (e)\n");
 		if(m->optional)
 		    /* XXX should look at e */
 		    fprintf (codefile,
 			     "%s = NULL;\n", s);
 		else
 		    fprintf (codefile,
 			     "return e;\n");
 		fprintf (codefile, 
 			 "else {\n");
 		fprintf (codefile,
 			 "p += l;\n"
 			 "len -= l;\n"
 			 "ret += l;\n"
 			 "e = der_get_length (p, len, &newlen, &l);\n"
 			 "FORW;\n"
 			 "{\n"
 			 "int dce_fix%d;\n"
 			 "oldlen = len;\n"
 			 "if((dce_fix%d = fix_dce(newlen, &len)) < 0)"
 			 "return ASN1_BAD_FORMAT;\n",
 			 fd_counter_inner,
 			 fd_counter_inner);
 		if (m->optional)
 		    fprintf (codefile,
 			     "%s = malloc(sizeof(*%s));\n"
 			     "if(%s == NULL) return ENOMEM;\n", s, s, s);
 		decode_type (s, m->type);
 		fprintf (codefile,
 			 "if(dce_fix%d){\n"
 			 "e = der_match_tag_and_length (p, len, "
 			 "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
 			 "FORW;\n"
 			 "}else \n"
 			 "len = oldlen - newlen;\n"
 			 "}\n"
 			 "}\n",
 			 fd_counter_inner);
 		fprintf (codefile,
 			 "}\n");
 	    }
 	    if (tag == -1)
 		tag = m->val;
 	    free (s);
 	}
 	fprintf(codefile,
 		"if(dce_fix%d){\n"
 		"e = der_match_tag_and_length (p, len, "
 		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
 		"FORW;\n"
 		"}\n"
 		"}\n",
 		fd_counter);
 	break;
    }
    case TSequenceOf: {
 	char *n;
 	int oldret_counter = unique_get_next();
 	fprintf (codefile,
 		 "e = der_match_tag_and_length (p, len, ASN1_C_UNIV, CONS, UT_Sequence,"
 		 "&reallen, &l);\n"
 		 "FORW;\n"
 		 "if(len < reallen)\n"
 		 "return ASN1_OVERRUN;\n"
 		 "len = reallen;\n");
 	fprintf (codefile,
 		 "{\n"
 		 "size_t origlen = len;\n"
 		 "int oldret%d = ret;\n"
 		 "ret = 0;\n"
 		 "(%s)->len = 0;\n"
 		 "(%s)->val = NULL;\n"
 		 "while(ret < origlen) {\n"
 		 "(%s)->len++;\n"
 		 "(%s)->val = realloc((%s)->val, sizeof(*((%s)->val)) * (%s)->len);\n",
 		 oldret_counter, name, name, name, name, name, name, name);
 	asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
 	decode_type (n, t->subtype);
 	fprintf (codefile, 
 		 "len = origlen - ret;\n"
 		 "}\n"
 		 "ret += oldret%d;\n"
 		 "}\n",
 		 oldret_counter);
 	free (n);
 	break;
    }
    case TGeneralizedTime:
 	decode_primitive ("generalized_time", name);
 	break;
    case TGeneralString:
 	decode_primitive ("general_string", name);
 	break;
    case TUTF8String:
 	decode_primitive ("utf8string", name);
 	break;
    case TNull:
 	fprintf (codefile,
 		 "e = decode_nulltype(p, len, &l);\n"
 		 "FORW;\n");
 	break;
    case TApplication:
 	fprintf (codefile,
 		 "e = der_match_tag_and_length (p, len, ASN1_C_APPL, CONS, %d, "
 		 "&reallen, &l);\n"
 		 "FORW;\n"
 		 "{\n"
 		 "int dce_fix;\n"
 		 "if((dce_fix = fix_dce(reallen, &len)) < 0)\n"
 		 "return ASN1_BAD_FORMAT;\n", 
 		 t->application);
 	decode_type (name, t->subtype);
 	fprintf(codefile,
 		"if(dce_fix){\n"
 		"e = der_match_tag_and_length (p, len, "
 		"(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
 		"FORW;\n"
 		"}\n"
 		"}\n");
 	break;
    case TBoolean:
-	decode_primitive ("boolean", name);
+	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_Boolean;
 	break;
    case TChoice: 
 	errx(1, "Cannot have recursive CHOICE");
    case TEnumerated:
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_Enumerated;
 	break;
    case TGeneralString: 
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_GeneralString;
 	break;
    case TGeneralizedTime: 
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_GeneralizedTime;
 	break;
    case TIA5String:
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_IA5String;
 	break;
    case TInteger: 
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_Integer;
 	break;
    case TNull:
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_Null;
 	break;
    case TOID: 
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_OID;
 	break;
    case TOctetString: 
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_OctetString;
 	break;
    case TPrintableString:
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_PrintableString;
 	break;
    case TSequence: 
    case TSequenceOf:
 	*cl  = ASN1_C_UNIV;
 	*ty  = CONS;
 	*tag = UT_Sequence;
 	break;
    case TSet: 
    case TSetOf:
 	*cl  = ASN1_C_UNIV;
 	*ty  = CONS;
 	*tag = UT_Set;
 	break;
    case TTag: 
 	*cl  = t->tag.tagclass;
 	*ty  = is_primitive_type(t->subtype->type) ? PRIM : CONS;
 	*tag = t->tag.tagvalue;
 	break;
    case TType: 
 	if ((t->symbol->stype == Stype && t->symbol->type == NULL)
 	    || t->symbol->stype == SUndefined) {
 	    error_message("%s is imported or still undefined, "
 			  " can't generate tag checking data in CHOICE "
 			  "without this information",
 			  t->symbol->name);
 	    exit(1);
 	}
 	find_tag(t->symbol->type, cl, ty, tag);
 	return;
    case TUTCTime: 
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_UTCTime;
 	break;
    case TUTF8String:
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_UTF8String;
 	break;
    case TBMPString:
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_BMPString;
 	break;
    case TUniversalString:
 	*cl  = ASN1_C_UNIV;
 	*ty  = PRIM;
 	*tag = UT_UniversalString;
 	break;
    default:
 	abort();
    }
 }
 static int
 decode_type (const char *name, const Type *t, int optional, 
 	     const char *forwstr)
 {
    switch (t->type) {
    case TType: {
 	if (optional)
 	    fprintf(codefile, 
 		    "%s = calloc(1, sizeof(*%s));\n"
 		    "if (%s == NULL) %s;\n",
 		    name, name, name, forwstr);
 	fprintf (codefile,
 		 "e = decode_%s(p, len, %s, &l);\n",
 		 t->symbol->gen_name, name);
 	if (optional) {
 	    fprintf (codefile,
 		     "if(e) {\n"
 		     "free(%s);\n"
 		     "%s = NULL;\n"
 		     "} else {\n"
 		     "p += l; len -= l; ret += l;\n"
 		     "}\n",
 		     name, name);
 	} else {
 	    fprintf (codefile,
 		     "if(e) %s;\n",
 		     forwstr);
 	    fprintf (codefile,
 		     "p += l; len -= l; ret += l;\n");
 	}
 	break;
    }
    case TInteger:
 	if(t->members) {
 	    char *s;
 	    asprintf(&s, "(int*)%s", name);
 	    if (s == NULL)
 		errx (1, "out of memory");
 	    decode_primitive ("integer", s, forwstr);
 	    free(s);
 	} else if (t->range == NULL) {
 	    decode_primitive ("heim_integer", name, forwstr);
 	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
 	    decode_primitive ("integer", name, forwstr);
 	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
 	    decode_primitive ("unsigned", name, forwstr);
 	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
 	    decode_primitive ("unsigned", name, forwstr);
 	} else
 	    errx(1, "%s: unsupported range %d -> %d", 
 		 name, t->range->min, t->range->max);
 	break;
    case TBoolean:
      decode_primitive ("boolean", name, forwstr);
      break;
    case TEnumerated:
 	decode_primitive ("enumerated", name, forwstr);
 	break;
    case TOctetString:
 	decode_primitive ("octet_string", name, forwstr);
 	break;
    case TBitString: {
 	Member *m;
 	int pos = 0;
 	if (ASN1_TAILQ_EMPTY(t->members)) {
 	    decode_primitive ("bit_string", name, forwstr);
 	    break;
 	}
 	fprintf(codefile,
 		"if (len < 1) return ASN1_OVERRUN;\n"
 		"p++; len--; ret++;\n");
 	fprintf(codefile,
 		"do {\n"
 		"if (len < 1) break;\n");
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    while (m->val / 8 > pos / 8) {
 		fprintf (codefile,
 			 "p++; len--; ret++;\n"
 			 "if (len < 1) break;\n");
 		pos += 8;
 	    }
 	    fprintf (codefile,
 		     "(%s)->%s = (*p >> %d) & 1;\n",
 		     name, m->gen_name, 7 - m->val % 8);
 	}
 	fprintf(codefile,
 		"} while(0);\n");
 	fprintf (codefile,
 		 "p += len; ret += len;\n");
 	break;
    }
    case TSequence: {
 	Member *m;
 	if (t->members == NULL)
 	    break;
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *s;
 	    if (m->ellipsis)
 		continue;
 	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
 		      name, m->gen_name);
 	    if (s == NULL)
 		errx(1, "malloc");
 	    decode_type (s, m->type, m->optional, forwstr);
 	    free (s);
 	}
 	break;
    }
    case TSet: {
 	Member *m;
 	unsigned int memno;
 	if(t->members == NULL)
 	    break;
 	fprintf(codefile, "{\n");
 	fprintf(codefile, "unsigned int members = 0;\n");
 	fprintf(codefile, "while(len > 0) {\n");
 	fprintf(codefile, 
 		"Der_class class;\n"
 		"Der_type type;\n"
 		"int tag;\n"
 		"e = der_get_tag (p, len, &class, &type, &tag, NULL);\n"
 		"if(e) %s;\n", forwstr);
 	fprintf(codefile, "switch (MAKE_TAG(class, type, tag)) {\n");
 	memno = 0;
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *s;
 	    assert(m->type->type == TTag);
 	    fprintf(codefile, "case MAKE_TAG(%s, %s, %s):\n",
 		    classname(m->type->tag.tagclass),
 		    is_primitive_type(m->type->subtype->type) ? "PRIM" : "CONS",
 		    valuename(m->type->tag.tagclass, m->type->tag.tagvalue));
 	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
 	    if (s == NULL)
 		errx(1, "malloc");
 	    if(m->optional)
 		fprintf(codefile, 
 			"%s = calloc(1, sizeof(*%s));\n"
 			"if (%s == NULL) { e = ENOMEM; %s; }\n",
 			s, s, s, forwstr);
 	    decode_type (s, m->type, 0, forwstr);
 	    free (s);
 	    fprintf(codefile, "members |= (1 << %d);\n", memno);
 	    memno++;
 	    fprintf(codefile, "break;\n");
 	}
 	fprintf(codefile, 
 		"default:\n"
 		"return ASN1_MISPLACED_FIELD;\n"
 		"break;\n");
 	fprintf(codefile, "}\n");
 	fprintf(codefile, "}\n");
 	memno = 0;
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *s;
 	    asprintf (&s, "%s->%s", name, m->gen_name);
 	    if (s == NULL)
 		errx(1, "malloc");
 	    fprintf(codefile, "if((members & (1 << %d)) == 0)\n", memno);
 	    if(m->optional)
 		fprintf(codefile, "%s = NULL;\n", s);
 	    else if(m->defval)
 		gen_assign_defval(s, m->defval);
 	    else
 		fprintf(codefile, "return ASN1_MISSING_FIELD;\n");
 	    free(s);
 	    memno++;
 	}
 	fprintf(codefile, "}\n");
 	break;
    }
    case TSetOf:
    case TSequenceOf: {
 	char *n;
 	fprintf (codefile,
 		 "{\n"
 		 "size_t origlen = len;\n"
 		 "size_t oldret = ret;\n"
 		 "void *tmp;\n"
 		 "ret = 0;\n"
 		 "(%s)->len = 0;\n"
 		 "(%s)->val = NULL;\n"
 		 "while(ret < origlen) {\n"
 		 "tmp = realloc((%s)->val, "
 		 "    sizeof(*((%s)->val)) * ((%s)->len + 1));\n"
 		 "if (tmp == NULL) { %s; }\n"
 		 "(%s)->len++;\n"
 		 "(%s)->val = tmp;\n",
 		 name, name, name, name, name, forwstr, name, name);
 	asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
 	if (n == NULL)
 	    errx(1, "malloc");
 	decode_type (n, t->subtype, 0, forwstr);
 	fprintf (codefile, 
 		 "len = origlen - ret;\n"
 		 "}\n"
 		 "ret += oldret;\n"
 		 "}\n");
 	free (n);
 	break;
    }
    case TGeneralizedTime:
 	decode_primitive ("generalized_time", name, forwstr);
 	break;
    case TGeneralString:
 	decode_primitive ("general_string", name, forwstr);
 	break;
    case TTag:{
 	fprintf(codefile, 
 		"{\n"
 		"size_t tagdatalen, oldlen;\n");
 	if(dce_fix)
 	    fprintf(codefile, 
 		    "int dce_fix;\n");
 	fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, %s, %s, "
 		"&tagdatalen, &l);\n",
 		classname(t->tag.tagclass),
 		is_primitive_type(t->subtype->type) ? "PRIM" : "CONS",
 		valuename(t->tag.tagclass, t->tag.tagvalue));
 	if(optional) {
 	    fprintf(codefile, 
 		    "if(e) {\n"
 		    "%s = NULL;\n"
 		    "} else {\n"
 		     "%s = calloc(1, sizeof(*%s));\n"
 		     "if (%s == NULL) { e = ENOMEM; %s; }\n",
 		     name, name, name, name, forwstr);
 	} else {
 	    fprintf(codefile, "if(e) %s;\n", forwstr);
 	}
 	fprintf (codefile,
 		 "p += l; len -= l; ret += l;\n"
 		 "oldlen = len;\n");
 	if(dce_fix)
 	    fprintf (codefile,
 		     "if((dce_fix = _heim_fix_dce(tagdatalen, &len)) < 0)\n"
 		     "{ e = ASN1_BAD_FORMAT; %s; }\n",
 		     forwstr);
 	else
 	    fprintf(codefile, 
 		    "if (tagdatalen > len) { e = ASN1_OVERRUN; %s; }\n"
 		    "len = tagdatalen;\n", forwstr);
 	decode_type (name, t->subtype, 0, forwstr);
 	if(dce_fix)
 	    fprintf(codefile,
 		    "if(dce_fix){\n"
 		    "e = der_match_tag_and_length (p, len, "
 		    "(Der_class)0,(Der_type)0, UT_EndOfContent, "
 		    "&tagdatalen, &l);\n"
 		    "if(e) %s;\np += l; len -= l; ret += l;\n"
 		    "} else \n", forwstr);
 	fprintf(codefile, 
 		"len = oldlen - tagdatalen;\n");
 	if(optional)
 	    fprintf(codefile, 
 		    "}\n");
 	fprintf(codefile, 
 		"}\n");
 	break;
    }
    case TChoice: {
 	Member *m, *have_ellipsis = NULL;
 	const char *els = "";
 	if (t->members == NULL)
 	    break;
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    const Type *tt = m->type;
 	    char *s;
 	    Der_class cl;
 	    Der_type  ty;
 	    unsigned  tag;
 	    if (m->ellipsis) {
 		have_ellipsis = m;
 		continue;
 	    }
 	    find_tag(tt, &cl, &ty, &tag);
 	    fprintf(codefile,
 		    "%sif (der_match_tag(p, len, %s, %s, %s, NULL) == 0) {\n",
 		    els,
 		    classname(cl),
 		    ty ? "CONS" : "PRIM",
 		    valuename(cl, tag));
 	    asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
 		      name, m->gen_name);
 	    if (s == NULL)
 		errx(1, "malloc");
 	    decode_type (s, m->type, m->optional, forwstr);
 	    fprintf(codefile,
 		    "(%s)->element = %s;\n",
 		    name, m->label);
 	    free(s);
 	    fprintf(codefile,
 		    "}\n");
 	    els = "else ";
 	}
 	if (have_ellipsis) {
 	    fprintf(codefile,
 		    "else {\n"
 		    "(%s)->u.%s.data = calloc(1, len);\n"
 		    "if ((%s)->u.%s.data == NULL) {\n"
 		    "e = ENOMEM; %s;\n"
 		    "}\n"
 		    "(%s)->u.%s.length = len;\n"
 		    "memcpy((%s)->u.%s.data, p, len);\n"
 		    "(%s)->element = %s;\n"
 		    "p += len;\n"
 		    "ret += len;\n"
 		    "len -= len;\n"
 		    "}\n",
 		    name, have_ellipsis->gen_name,
 		    name, have_ellipsis->gen_name,
 		    forwstr, 
 		    name, have_ellipsis->gen_name,
 		    name, have_ellipsis->gen_name,
 		    name, have_ellipsis->label);
 	} else {
 	    fprintf(codefile,
 		    "else {\n"
 		    "e = ASN1_PARSE_ERROR;\n"
 		    "%s;\n"
 		    "}\n",
 		    forwstr);
 	}
 	break;
    }
    case TUTCTime:
 	decode_primitive ("utctime", name, forwstr);
 	break;
    case TUTF8String:
 	decode_primitive ("utf8string", name, forwstr);
 	break;
    case TPrintableString:
 	decode_primitive ("printable_string", name, forwstr);
 	break;
    case TIA5String:
 	decode_primitive ("ia5_string", name, forwstr);
 	break;
    case TBMPString:
 	decode_primitive ("bmp_string", name, forwstr);
 	break;
    case TUniversalString:
 	decode_primitive ("universal_string", name, forwstr);
 	break;
    case TNull:
 	fprintf (codefile, "/* NULL */\n");
 	break;
    case TOID:
 	decode_primitive ("oid", name, forwstr);
 	break;
    default :
 	abort ();
    }
    return 0;
 }
 void
 generate_type_decode (const Symbol *s)
 {
-  unique_reset();
+  int preserve = preserve_type(s->name) ? TRUE : FALSE;
  fprintf (headerfile,
 	   "int    "
 	   "decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
 	   s->gen_name, s->gen_name);
  fprintf (codefile, "#define FORW "
 	   "if(e) goto fail; "
 	   "p += l; "
 	   "len -= l; "
 	   "ret += l\n\n");
  fprintf (codefile, "int\n"
 	   "decode_%s(const unsigned char *p,"
 	   " size_t len, %s *data, size_t *size)\n"
@ -322,28 +588,45 @@ generate_type_decode (const Symbol *s)
  switch (s->type->type) {
  case TInteger:
  case TUInteger:
  case TBoolean:
  case TOctetString:
  case TOID:
  case TGeneralizedTime:
  case TGeneralString:
  case TUTF8String:
  case TPrintableString:
  case TIA5String:
  case TBMPString:
  case TUniversalString:
  case TUTCTime:
  case TNull:
  case TEnumerated:
  case TBitString:
  case TSequence:
  case TSequenceOf:
-  case TApplication:
+  case TSet:
  case TSetOf:
  case TTag:
  case TType:
  case TChoice:
    fprintf (codefile,
 	     "size_t ret = 0, reallen;\n"
 	     "size_t l;\n"
-	     "int e;\n\n");
+	     "int e;\n");
    if (preserve)
 	fprintf (codefile, "const unsigned char *begin = p;\n");
    fprintf (codefile, "\n");
    fprintf (codefile, "memset(data, 0, sizeof(*data));\n");
    fprintf (codefile, "reallen = 0;\n"); /* hack to avoid `unused variable' */
-    decode_type ("data", s->type);
+    decode_type ("data", s->type, 0, "goto fail");
    if (preserve)
 	fprintf (codefile,
 		 "data->_save.data = calloc(1, ret);\n"
 		 "if (data->_save.data == NULL) { e = ENOMEM; goto fail; }\n"
 		 "data->_save.length = ret;\n"
 		 "memcpy(data->_save.data, begin, ret);\n");
    fprintf (codefile, 
 	     "if(size) *size = ret;\n"
 	     "return 0;\n");
@ -358,62 +641,3 @@ generate_type_decode (const Symbol *s)
  }
  fprintf (codefile, "}\n\n");
 }
 void
 generate_seq_type_decode (const Symbol *s)
 {
    fprintf (headerfile,
 	     "int decode_seq_%s(const unsigned char *, size_t, int, int, "
 	     "%s *, size_t *);\n",
 	     s->gen_name, s->gen_name);
    fprintf (codefile, "int\n"
 	     "decode_seq_%s(const unsigned char *p, size_t len, int tag, "
 	     "int optional, %s *data, size_t *size)\n"
 	     "{\n",
 	     s->gen_name, s->gen_name);
    fprintf (codefile,
 	     "size_t newlen, oldlen;\n"
 	     "size_t l, ret = 0;\n"
 	     "int e;\n"
 	     "int dce_fix;\n");
    fprintf (codefile,
 	     "e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, tag, &l);\n"
 	     "if (e)\n"
 	     "return e;\n");
    fprintf (codefile, 
 	     "p += l;\n"
 	     "len -= l;\n"
 	     "ret += l;\n"
 	     "e = der_get_length(p, len, &newlen, &l);\n"
 	     "if (e)\n"
 	     "return e;\n"
 	     "p += l;\n"
 	     "len -= l;\n"
 	     "ret += l;\n"
 	     "oldlen = len;\n"
 	     "if ((dce_fix = fix_dce(newlen, &len)) < 0)\n"
 	     "return ASN1_BAD_FORMAT;\n"
 	     "e = decode_%s(p, len, data, &l);\n"
 	     "if (e)\n"
 	     "return e;\n"
 	     "p += l;\n"
 	     "len -= l;\n"
 	     "ret += l;\n"
 	     "if (dce_fix) {\n"
 	     "size_t reallen;\n\n"
 	     "e = der_match_tag_and_length(p, len, "
 	     "(Der_class)0, (Der_type)0, 0, &reallen, &l);\n"
 	     "if (e)\n"
 	     "return e;\n"
 	     "ret += l;\n"
 	     "}\n",
 	     s->gen_name);
    fprintf (codefile, 
 	     "if(size) *size = ret;\n"
 	     "return 0;\n");
    fprintf (codefile, "}\n\n");
 }
--- a/source/heimdal/lib/asn1/gen_encode.c
+++ b/source/heimdal/lib/asn1/gen_encode.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,21 +33,82 @@
 #include "gen_locl.h"
-RCSID("$Id: gen_encode.c,v 1.15 2005/05/29 14:23:01 lha Exp $");
+RCSID("$Id: gen_encode.c,v 1.18 2005/07/13 10:40:23 lha Exp $");
 static void
 encode_primitive (const char *typename, const char *name)
 {
    fprintf (codefile,
-	     "e = encode_%s(p, len, %s, &l);\n"
+	     "e = der_put_%s(p, len, %s, &l);\n"
-	     "BACK;\n",
+	     "if (e) return e;\np -= l; len -= l; ret += l;\n\n",
 	     typename,
 	     name);
 }
-static void
+const char *
 classname(Der_class class)
 {
    const char *cn[] = { "ASN1_C_UNIV", "ASN1_C_APPL",
 			 "ASN1_C_CONTEXT", "ASN1_C_PRIV" };
    if(class < ASN1_C_UNIV || class > ASN1_C_PRIVATE)
 	return "???";
    return cn[class];
 }
 const char *
 valuename(Der_class class, int value)
 {
    static char s[32];
    struct { 
 	int value;
 	char *s;
    } *p, values[] = {
 #define X(Y) { Y, #Y }
 	X(UT_BMPString),
 	X(UT_BitString),
 	X(UT_Boolean),
 	X(UT_EmbeddedPDV),
 	X(UT_Enumerated),
 	X(UT_External),
 	X(UT_GeneralString),
 	X(UT_GeneralizedTime),
 	X(UT_GraphicString),
 	X(UT_IA5String),
 	X(UT_Integer),
 	X(UT_Null),
 	X(UT_NumericString),
 	X(UT_OID),
 	X(UT_ObjectDescriptor),
 	X(UT_OctetString),
 	X(UT_PrintableString),
 	X(UT_Real),
 	X(UT_RelativeOID),
 	X(UT_Sequence),
 	X(UT_Set),
 	X(UT_TeletexString),
 	X(UT_UTCTime),
 	X(UT_UTF8String),
 	X(UT_UniversalString),
 	X(UT_VideotexString),
 	X(UT_VisibleString),
 #undef X
 	{ -1, NULL }
    };
    if(class == ASN1_C_UNIV) {
 	for(p = values; p->value != -1; p++)
 	    if(p->value == value)
 		return p->s;
    }
    snprintf(s, sizeof(s), "%d", value);
    return s;
 }
 static int
 encode_type (const char *name, const Type *t)
 {
    int constructed = 1;
    switch (t->type) {
    case TType:
 #if 0
@ -55,45 +116,60 @@ encode_type (const char *name, const Type *t)
 #endif
 	fprintf (codefile,
 		 "e = encode_%s(p, len, %s, &l);\n"
-		 "BACK;\n",
+		 "if (e) return e;\np -= l; len -= l; ret += l;\n\n",
 		 t->symbol->gen_name, name);
 	break;
    case TInteger:
-	if(t->members == NULL)
+	if(t->members) {
 	    encode_primitive ("integer", name);
 	else {
 	    char *s;
 	    asprintf(&s, "(const int*)%s", name);
 	    if(s == NULL)
 		errx(1, "out of memory");
 	    encode_primitive ("integer", s);
 	    free(s);
-	}
+	} else if (t->range == NULL) {
-	break;
+	    encode_primitive ("heim_integer", name);
-    case TUInteger:
+	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
 	    encode_primitive ("integer", name);
 	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
 	    encode_primitive ("unsigned", name);
 	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
 	    encode_primitive ("unsigned", name);
 	} else
 	    errx(1, "%s: unsupported range %d -> %d", 
 		 name, t->range->min, t->range->max);
 	constructed = 0;
 	break;
    case TBoolean:
 	encode_primitive ("boolean", name);
 	constructed = 0;
 	break;
    case TOctetString:
 	encode_primitive ("octet_string", name);
-	break;
+	constructed = 0;
    case TOID :
 	encode_primitive ("oid", name);
 	break;
    case TBitString: {
 	Member *m;
 	int pos;
 	int rest;
 	int tag = -1;
-	if (t->members == NULL)
+	if (ASN1_TAILQ_EMPTY(t->members)) {
 	    encode_primitive("bit_string", name);
 	    constructed = 0;
 	    break;
 	}
 	fprintf (codefile, "{\n"
 		 "unsigned char c = 0;\n");
 	if (!rfc1510_bitstring)
 	    fprintf (codefile,
 		     "int bit_set = 0;\n");
 #if 0
 	pos = t->members->prev->val;
 	/* fix for buggy MIT (and OSF?) code */
 	if (pos > 31)
 	    abort ();
 #endif
 	/*
 	 * It seems that if we do not always set pos to 31 here, the MIT
 	 * code will do the wrong thing.
@ -101,139 +177,293 @@ encode_type (const char *name, const Type *t)
 	 * I hate ASN.1 (and DER), but I hate it even more when everybody
 	 * has to screw it up differently.
 	 */
 	pos = ASN1_TAILQ_LAST(t->members, memhead)->val;
 	if (rfc1510_bitstring) {
 	    if (pos < 31)
 		pos = 31;
 	    rest = 7 - (pos % 8);
 	} else
 	    rest = 0;
-	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 	    while (m->val / 8 < pos / 8) {
 		if (!rfc1510_bitstring)
 		    fprintf (codefile,
 			     "if (c != 0 || bit_set) {\n");
 		fprintf (codefile,
 			 "if (len < 1) return ASN1_OVERFLOW;\n"
 			 "*p-- = c; len--; ret++;\n"
 			 "c = 0;\n");
 		if (!rfc1510_bitstring)
 		    fprintf (codefile,
 			     "bit_set = 1;\n"
 			     "}\n");
 		pos -= 8;
 	    }
 	    fprintf (codefile,
-		     "if(%s->%s) c |= 1<<%d;\n", name, m->gen_name,
+		     "if((%s)->%s) {\n"
-		     7 - m->val % 8);
+		     "c |= 1<<%d;\n", 
-
+		     name, m->gen_name, 7 - m->val % 8);
-	    if (tag == -1)
+	    if (!rfc1510_bitstring)
-		tag = m->val;
+		rest = 7 - m->val % 8;
 	    fprintf (codefile,
 		     "}\n");
 	}
 	if (!rfc1510_bitstring)
 	    fprintf (codefile,
-		 "*p-- = c;\n"
+		     "if (c != 0 || bit_set) {\n");
 	fprintf (codefile, 
 		 "if (len < 1) return ASN1_OVERFLOW;\n"
 		 "*p-- = c; len--; ret++;\n");
 	if (!rfc1510_bitstring)
 	    fprintf (codefile,
 		     "}\n");
 	fprintf (codefile, 
 		 "if (len < 1) return ASN1_OVERFLOW;\n"
 		 "*p-- = %d;\n"
-		 "len -= 2;\n"
+		 "len -= 1;\n"
-		 "ret += 2;\n"
+		 "ret += 1;\n"
-		 "}\n\n"
+		 "}\n\n",
 		 "e = der_put_length_and_tag (p, len, ret, ASN1_C_UNIV, PRIM,"
 		 "UT_BitString, &l);\n"
 		 "BACK;\n",
 		 rest);
 	constructed = 0;
 	break;
    }
    case TEnumerated : {
 	encode_primitive ("enumerated", name);
 	constructed = 0;
 	break;
    }
    case TSet:
    case TSequence: {
 	Member *m;
 	int tag = -1;
 	int oldret_counter = unique_get_next();
 	if (t->members == NULL)
 	    break;
-	for (m = t->members->prev; m && tag != m->val; m = m->prev) {
+	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 	    char *s;
 	    if (m->ellipsis)
 		continue;
 	    asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name);
 	    if (s == NULL)
 		errx(1, "malloc");
 	    fprintf(codefile, "/* %s */\n", m->name);
 	    if (m->optional)
 		fprintf (codefile,
-			 "if(%s)\n",
+			 "if(%s) ",
 			 s);
-#if 1
+	    else if(m->defval)
-	    fprintf (codefile, "{\n"
+		gen_compare_defval(s + 1, m->defval);
-		     "int oldret%d = ret;\n"
+	    fprintf (codefile, "{\n");
-		     "ret = 0;\n",
+	    fprintf (codefile, "size_t oldret = ret;\n");
-		     oldret_counter);
+	    fprintf (codefile, "ret = 0;\n");
 #endif
 	    encode_type (s, m->type);
-	    fprintf (codefile,
+	    fprintf (codefile, "ret += oldret;\n");
-		     "e = der_put_length_and_tag (p, len, ret, ASN1_C_CONTEXT, CONS, "
+	    fprintf (codefile, "}\n");
 		     "%d, &l);\n"
 		     "BACK;\n",
 		     m->val);
 #if 1
 	    fprintf (codefile,
 		     "ret += oldret%d;\n"
 		     "}\n",
 		     oldret_counter);
 #endif
 	    if (tag == -1)
 		tag = m->val;
 	    free (s);
 	}
 	break;
    }
    case TSetOf: {
 	fprintf(codefile,
-		 "e = der_put_length_and_tag (p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);\n"
+		"{\n"
-		 "BACK;\n");
+		"struct heim_octet_string *val;\n"
 		"size_t elen, totallen = 0;\n"
 		"int eret;\n");
 	fprintf(codefile,
 		"val = malloc(sizeof(val[0]) * (%s)->len);\n"
 		"if (val == NULL && (%s)->len != 0) return ENOMEM;\n",
 		name, name);
 	fprintf(codefile,
 		"for(i = 0; i < (%s)->len; i++) {\n",
 		name);
 	fprintf(codefile,
 		"ASN1_MALLOC_ENCODE(%s, val[i].data, "
 		"val[i].length, &(%s)->val[i], &elen, eret);\n",
 		t->subtype->symbol->gen_name,
 		name);
 	fprintf(codefile,
 		"if(eret) {\n"
 		"i--;\n"
 		"while (i >= 0) {\n"
 		"free(val[i].data);\n"
 		"i--;\n"
 		"}\n"
 		"free(val);\n"
 		"return eret;\n"
 		"}\n"
 		"totallen += elen;\n"
 		"}\n");
 	fprintf(codefile,
 		"if (totallen > len) {\n"
 		"for (i = 0; i < (%s)->len; i++) {\n"
 		"free(val[i].data);\n"
 		"}\n"
 		"free(val);\n"
 		"return ASN1_OVERFLOW;\n"
 		"}\n",
 		name);
 	fprintf(codefile,
 		"qsort(val, (%s)->len, sizeof(val[0]), _heim_der_set_sort);\n",
 		name);
 	fprintf (codefile,
 		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
 		 "p -= val[i].length;\n"
 		 "ret += val[i].length;\n"
 		 "memcpy(p + 1, val[i].data, val[i].length);\n"
 		 "free(val[i].data);\n"
 		 "}\n"
 		 "free(val);\n"
 		 "}\n",
 		 name);
 	break;
    }
    case TSequenceOf: {
 	int oldret_counter = unique_get_next();
 	char *n;
 	fprintf (codefile,
 		 "for(i = (%s)->len - 1; i >= 0; --i) {\n"
-#if 1
+		 "size_t oldret = ret;\n"
 		 "int oldret%d = ret;\n"
 		 "ret = 0;\n",
-#else
+		 name);
 		 ,
 #endif
 		 name, oldret_counter);
 	asprintf (&n, "&(%s)->val[i]", name);
 	if (n == NULL)
 	    errx(1, "malloc");
 	encode_type (n, t->subtype);
 	fprintf (codefile,
-#if 1
+		 "ret += oldret;\n"
-		 "ret += oldret%d;\n"
+		 "}\n");
 #endif
 		 "}\n"
 		 "e = der_put_length_and_tag (p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);\n"
 		 "BACK;\n"
 #if 1
 		 , oldret_counter
 #endif
 	    );
 	free (n);
 	break;
    }
    case TGeneralizedTime:
 	encode_primitive ("generalized_time", name);
 	constructed = 0;
 	break;
    case TGeneralString:
 	encode_primitive ("general_string", name);
 	constructed = 0;
 	break;
    case TTag: {
 	int c = encode_type (name, t->subtype);
 	fprintf (codefile,
 		 "e = der_put_length_and_tag (p, len, ret, %s, %s, %s, &l);\n"
 		 "if (e) return e;\np -= l; len -= l; ret += l;\n\n",
 		 classname(t->tag.tagclass),
 		 c ? "CONS" : "PRIM", 
 		 valuename(t->tag.tagclass, t->tag.tagvalue));
 	break;
    }
    case TChoice:{
 	Member *m, *have_ellipsis = NULL;
 	char *s;
 	if (t->members == NULL)
 	    break;
 	fprintf(codefile, "\n");
 	asprintf (&s, "(%s)", name);
 	if (s == NULL)
 	    errx(1, "malloc");
 	fprintf(codefile, "switch(%s->element) {\n", s);
 	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 	    char *s2;
 	    if (m->ellipsis) {
 		have_ellipsis = m;
 		continue;
 	    }
 	    fprintf (codefile, "case %s: {", m->label); 
 	    asprintf(&s2, "%s(%s)->u.%s", m->optional ? "" : "&", 
 		     s, m->gen_name);
 	    if (s2 == NULL)
 		errx(1, "malloc");
 	    if (m->optional)
 		fprintf (codefile, "if(%s) {\n", s2);
 	    fprintf (codefile, "size_t oldret;\n");
 	    fprintf (codefile, "oldret = ret;\n");
 	    fprintf (codefile, "ret = 0;\n");
 	    constructed = encode_type (s2, m->type);
 	    fprintf (codefile, "ret += oldret;\n");
 	    if(m->optional)
 		fprintf (codefile, "}\n");
 	    fprintf(codefile, "break;\n");
 	    fprintf(codefile, "}\n");
 	    free (s2);
 	}
 	free (s);
 	if (have_ellipsis) {
 	    fprintf(codefile,
 		    "case %s: {\n"
 		    "if (len < (%s)->u.%s.length)\n"
 		    "return ASN1_OVERFLOW;\n"
 		    "p -= (%s)->u.%s.length;\n"
 		    "ret += (%s)->u.%s.length;\n"
 		    "memcpy(p + 1, (%s)->u.%s.data, (%s)->u.%s.length);\n"
 		    "break;\n"
 		    "}\n",
 		    have_ellipsis->label,
 		    name, have_ellipsis->gen_name,
 		    name, have_ellipsis->gen_name,
 		    name, have_ellipsis->gen_name,
 		    name, have_ellipsis->gen_name,
 		    name, have_ellipsis->gen_name);
 	}
 	fprintf(codefile, "};\n");
 	break;
    }
    case TOID:
 	encode_primitive ("oid", name);
 	constructed = 0;
 	break;
    case TUTCTime:
 	encode_primitive ("utctime", name);
 	constructed = 0;
 	break;
    case TUTF8String:
 	encode_primitive ("utf8string", name);
 	constructed = 0;
 	break;
    case TPrintableString:
 	encode_primitive ("printable_string", name);
 	constructed = 0;
 	break;
    case TIA5String:
 	encode_primitive ("ia5_string", name);
 	constructed = 0;
 	break;
    case TBMPString:
 	encode_primitive ("bmp_string", name);
 	constructed = 0;
 	break;
    case TUniversalString:
 	encode_primitive ("universal_string", name);
 	constructed = 0;
 	break;
    case TNull:
-	fprintf (codefile,
+	fprintf (codefile, "/* NULL */\n");
-		 "e = encode_nulltype(p, len, &l);\n"
+	constructed = 0;
 		 "BACK;\n");
 	break;
    case TApplication:
 	encode_type (name, t->subtype);
 	fprintf (codefile,
 		 "e = der_put_length_and_tag (p, len, ret, ASN1_C_APPL, CONS, %d, &l);\n"
 		 "BACK;\n",
 		 t->application);
 	break;
    case TBoolean:
 	encode_primitive ("boolean", name);
 	break;
    default:
 	abort ();
    }
    return constructed;
 }
 void
@ -244,9 +474,6 @@ generate_type_encode (const Symbol *s)
 	   "encode_%s(unsigned char *, size_t, const %s *, size_t *);\n",
 	   s->gen_name, s->gen_name);
  fprintf (codefile, "#define BACK if (e) return e; p -= l; len -= l; ret += l\n\n");
  fprintf (codefile, "int\n"
 	   "encode_%s(unsigned char *p, size_t len,"
 	   " const %s *data, size_t *size)\n"
@ -255,20 +482,27 @@ generate_type_encode (const Symbol *s)
  switch (s->type->type) {
  case TInteger:
  case TUInteger:
  case TBoolean:
  case TOctetString:
  case TGeneralizedTime:
  case TGeneralString:
  case TUTCTime:
  case TUTF8String:
  case TPrintableString:
  case TIA5String:
  case TBMPString:
  case TUniversalString:
  case TNull:
  case TBitString:
  case TEnumerated:
  case TOID:
  case TSequence:
  case TSequenceOf:
-  case TApplication:
+  case TSet:
  case TSetOf:
  case TTag:
  case TType:
  case TChoice:
    fprintf (codefile,
 	     "size_t ret = 0;\n"
 	     "size_t l;\n"
--- a/source/heimdal/lib/asn1/gen_free.c
+++ b/source/heimdal/lib/asn1/gen_free.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "gen_locl.h"
-RCSID("$Id: gen_free.c,v 1.12 2003/10/03 00:28:08 lha Exp $");
+RCSID("$Id: gen_free.c,v 1.14 2005/07/25 21:28:29 lha Exp $");
 static void
 free_primitive (const char *typename, const char *name)
@ -42,61 +42,96 @@ free_primitive (const char *typename, const char *name)
 }
 static void
-free_type (const char *name, const Type *t)
+free_type (const char *name, const Type *t, int preserve)
 {
    switch (t->type) {
    case TType:
 #if 0
-      free_type (name, t->symbol->type);
+	free_type (name, t->symbol->type, preserve);
 #endif
 	fprintf (codefile, "free_%s(%s);\n", t->symbol->gen_name, name);
 	break;
    case TInteger:
-  case TUInteger:
+	if (t->range == NULL && t->members == NULL) {
 	    free_primitive ("heim_integer", name);
 	    break;
 	}
    case TBoolean:
    case TEnumerated :
    case TNull:
    case TGeneralizedTime:
    case TUTCTime:
 	break;
    case TBitString:
 	if (ASN1_TAILQ_EMPTY(t->members))
 	    free_primitive("bit_string", name);
 	break;
    case TOctetString:
 	free_primitive ("octet_string", name);
 	break;
-  case TOID :
+    case TChoice:
-      free_primitive ("oid", name);
+    case TSet:
      break;
  case TBitString: {
      break;
  }
    case TSequence: {
-      Member *m;
+	Member *m, *have_ellipsis = NULL;
      int tag = -1;
 	if (t->members == NULL)
 	    break;
-      for (m = t->members; m && tag != m->val; m = m->next) {
+	if ((t->type == TSequence || t->type == TChoice) && preserve)
 	    fprintf(codefile, "free_octet_string(&data->_save);\n");
 	if(t->type == TChoice)
 	    fprintf(codefile, "switch((%s)->element) {\n", name);
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *s;
-	  asprintf (&s, "%s(%s)->%s",
+	    if (m->ellipsis){
-		    m->optional ? "" : "&", name, m->gen_name);
+		have_ellipsis = m;
 		continue;
 	    }
 	    if(t->type == TChoice)
 		fprintf(codefile, "case %s:\n", m->label);
 	    asprintf (&s, "%s(%s)->%s%s",
 		      m->optional ? "" : "&", name, 
 		      t->type == TChoice ? "u." : "", m->gen_name);
 	    if (s == NULL)
 		errx(1, "malloc");
 	    if(m->optional)
 		fprintf(codefile, "if(%s) {\n", s);
-	  free_type (s, m->type);
+	    free_type (s, m->type, FALSE);
 	    if(m->optional)
 		fprintf(codefile, 
 			"free(%s);\n"
 			"%s = NULL;\n"
 			"}\n",s, s);
 	  if (tag == -1)
 	      tag = m->val;
 	    free (s);
 	    if(t->type == TChoice)
 		fprintf(codefile, "break;\n");
 	}
 	if(t->type == TChoice) {
 	    if (have_ellipsis)
 		fprintf(codefile,
 			"case %s:\n"
 			"free_octet_string(&(%s)->u.%s);\n"
 			"break;",
 			have_ellipsis->label,
 			name, have_ellipsis->gen_name);
 	    fprintf(codefile, "}\n");
 	}
 	break;
    }
    case TSetOf:
    case TSequenceOf: {
 	char *n;
 	fprintf (codefile, "while((%s)->len){\n", name);
 	asprintf (&n, "&(%s)->val[(%s)->len-1]", name, name);
-      free_type(n, t->subtype);
+	if (n == NULL)
 	    errx(1, "malloc");
 	free_type(n, t->subtype, FALSE);
 	fprintf(codefile, 
 		"(%s)->len--;\n"
 		"}\n",
@ -107,18 +142,29 @@ free_type (const char *name, const Type *t)
 	free(n);
 	break;
    }
  case TGeneralizedTime:
      break;
    case TGeneralString:
 	free_primitive ("general_string", name);
 	break;
    case TUTF8String:
 	free_primitive ("utf8string", name);
 	break;
-  case TNull:
+    case TPrintableString:
 	free_primitive ("printable_string", name);
 	break;
-  case TApplication:
+    case TIA5String:
-      free_type (name, t->subtype);
+	free_primitive ("ia5_string", name);
 	break;
    case TBMPString:
 	free_primitive ("bmp_string", name);
 	break;
    case TUniversalString:
 	free_primitive ("universal_string", name);
 	break;
    case TTag:
 	free_type (name, t->subtype, preserve);
 	break;
    case TOID :
 	free_primitive ("oid", name);
 	break;
    default :
 	abort ();
@ -128,6 +174,8 @@ free_type (const char *name, const Type *t)
 void
 generate_type_free (const Symbol *s)
 {
  int preserve = preserve_type(s->name) ? TRUE : FALSE;
  fprintf (headerfile,
 	   "void   free_%s  (%s *);\n",
 	   s->gen_name, s->gen_name);
@ -137,7 +185,7 @@ generate_type_free (const Symbol *s)
 	   "{\n",
 	   s->gen_name, s->gen_name);
-  free_type ("data", s->type);
+  free_type ("data", s->type, preserve);
  fprintf (codefile, "}\n\n");
 }
--- a/source/heimdal/lib/asn1/gen_glue.c
+++ b/source/heimdal/lib/asn1/gen_glue.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997, 1999, 2000, 2003 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,59 +33,51 @@
 #include "gen_locl.h"
-RCSID("$Id: gen_glue.c,v 1.8 2005/04/25 18:07:07 lha Exp $");
+RCSID("$Id: gen_glue.c,v 1.9 2005/07/12 06:27:29 lha Exp $");
 static void
-generate_2int (const Symbol *s)
+generate_2int (const Type *t, const char *gen_name)
 {
    Type *t = s->type;
    Member *m;
    int tag = -1;
    fprintf (headerfile,
 	     "unsigned %s2int(%s);\n",
-	     s->gen_name, s->gen_name);
+	     gen_name, gen_name);
    fprintf (codefile,
 	     "unsigned %s2int(%s f)\n"
 	     "{\n"
 	     "unsigned r = 0;\n",
-	     s->gen_name, s->gen_name);
+	     gen_name, gen_name);
-    for (m = t->members; m && m->val != tag; m = m->next) {
+    ASN1_TAILQ_FOREACH(m, t->members, members) {
 	fprintf (codefile, "if(f.%s) r |= (1U << %d);\n",
 		 m->gen_name, m->val);
 	if (tag == -1)
 	    tag = m->val;
    }
    fprintf (codefile, "return r;\n"
 	     "}\n\n");
 }
 static void
-generate_int2 (const Symbol *s)
+generate_int2 (const Type *t, const char *gen_name)
 {
    Type *t = s->type;
    Member *m;
    int tag = -1;
    fprintf (headerfile,
 	     "%s int2%s(unsigned);\n",
-	     s->gen_name, s->gen_name);
+	     gen_name, gen_name);
    fprintf (codefile,
 	     "%s int2%s(unsigned n)\n"
 	     "{\n"
 	     "\t%s flags;\n\n",
-	     s->gen_name, s->gen_name, s->gen_name);
+	     gen_name, gen_name, gen_name);
-    for (m = t->members; m && m->val != tag; m = m->next) {
+    if(t->members) {
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    fprintf (codefile, "\tflags.%s = (n >> %d) & 1;\n",
 		     m->gen_name, m->val);
-	
+	}
 	if (tag == -1)
 	    tag = m->val;
    }
    fprintf (codefile, "\treturn flags;\n"
 	     "}\n\n");
@ -96,27 +88,23 @@ generate_int2 (const Symbol *s)
 */
 static void
-generate_units (const Symbol *s)
+generate_units (const Type *t, const char *gen_name)
 {
    Type *t = s->type;
    Member *m;
    int tag = -1;
    fprintf (headerfile,
 	     "const struct units * asn1_%s_units(void);",
-	     s->gen_name);
+	     gen_name);
    fprintf (codefile,
 	     "static struct units %s_units[] = {\n",
-	     s->gen_name);
+	     gen_name);
-    if(t->members)
+    if(t->members) {
-	for (m = t->members->prev; m && m->val != tag; m = m->prev) {
+	ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 	    fprintf (codefile,
 		     "\t{\"%s\",\t1U << %d},\n", m->gen_name, m->val);
-	    
+	}
 	    if (tag == -1)
 		tag = m->val;
    }
    fprintf (codefile,
@ -127,19 +115,24 @@ generate_units (const Symbol *s)
 	     "const struct units * asn1_%s_units(void){\n"
 	     "return %s_units;\n"
 	     "}\n\n",
-	     s->gen_name, s->gen_name);
+	     gen_name, gen_name);
 }
 void
-generate_glue (const Symbol *s)
+generate_glue (const Type *t, const char *gen_name)
 {
-    switch(s->type->type) {
+    switch(t->type) {
    case TTag:
 	generate_glue(t->subtype, gen_name);
 	break;
    case TBitString :
-	generate_2int (s);
+	if (!ASN1_TAILQ_EMPTY(t->members)) {
-	generate_int2 (s);
+	    generate_2int (t, gen_name);
-	generate_units (s);
+	    generate_int2 (t, gen_name);
 	    generate_units (t, gen_name);
 	}
 	break;
    default :
 	break;
--- a/source/heimdal/lib/asn1/gen_length.c
+++ b/source/heimdal/lib/asn1/gen_length.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "gen_locl.h"
-RCSID("$Id: gen_length.c,v 1.14 2004/01/19 17:54:33 lha Exp $");
+RCSID("$Id: gen_length.c,v 1.18 2005/07/19 18:01:59 lha Exp $");
 static void
 length_primitive (const char *typename,
@ -43,7 +43,22 @@ length_primitive (const char *typename,
    fprintf (codefile, "%s += length_%s(%s);\n", variable, typename, name);
 }
-static void
+static size_t
 length_tag(unsigned int tag)
 {
    size_t len = 0;
    if(tag <= 30)
 	return 1;
    while(tag) {
 	tag /= 128;
 	len++;
    }
    return len + 1;
 }
 static int
 length_type (const char *name, const Type *t, const char *variable)
 {
    switch (t->type) {
@ -55,19 +70,28 @@ length_type (const char *name, const Type *t, const char *variable)
 		 variable, t->symbol->gen_name, name);
 	break;
    case TInteger:
-        if(t->members == NULL)
+	if(t->members) {
            length_primitive ("integer", name, variable);
        else {
 	    char *s;
 	    asprintf(&s, "(const int*)%s", name);
 	    if(s == NULL)
 		errx (1, "out of memory");
 	    length_primitive ("integer", s, variable);
 	    free(s);
-        }
+	} else if (t->range == NULL) {
-	break;
+	    length_primitive ("heim_integer", name, variable);
-    case TUInteger:
+	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
 	    length_primitive ("integer", name, variable);
 	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
 	    length_primitive ("unsigned", name, variable);
 	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
 	    length_primitive ("unsigned", name, variable);
 	} else
 	    errx(1, "%s: unsupported range %d -> %d", 
 		 name, t->range->min, t->range->max);
 	break;
    case TBoolean:
 	fprintf (codefile, "%s += 1;\n", variable);
 	break;
    case TEnumerated :
 	length_primitive ("enumerated", name, variable);
@ -75,71 +99,112 @@ length_type (const char *name, const Type *t, const char *variable)
    case TOctetString:
 	length_primitive ("octet_string", name, variable);
 	break;
    case TOID :
 	length_primitive ("oid", name, variable);
 	break;
    case TBitString: {
-	/*
+	if (ASN1_TAILQ_EMPTY(t->members))
-	 * XXX - Hope this is correct
+	    length_primitive("bit_string", name, variable);
-	 * look at TBitString case in `encode_type'
+	else {
-	 */
+	    if (!rfc1510_bitstring) {
-	fprintf (codefile, "%s += 7;\n", variable);
+		Member *m;
 		int pos = ASN1_TAILQ_LAST(t->members, memhead)->val;
 		fprintf(codefile,
 			"do {\n");
 		ASN1_TAILQ_FOREACH_REVERSE(m, t->members, memhead, members) {
 		    while (m->val / 8 < pos / 8) {
 			pos -= 8;
 		    }
 		    fprintf (codefile,
 			     "if((%s)->%s) { %s += %d; break; }\n",
 			     name, m->gen_name, variable, (pos + 8) / 8);
 		}
 		fprintf(codefile,
 			"} while(0);\n");
 		fprintf (codefile, "%s += 1;\n", variable);
 	    } else {
 		fprintf (codefile, "%s += 5;\n", variable);
 	    }
 	}
 	break;
    }
-    case TSequence: {
+    case TSet:
-	Member *m;
+    case TSequence:
-	int tag = -1;
+    case TChoice: {
-	int oldret_counter = unique_get_next();
+	Member *m, *have_ellipsis = NULL;
 	if (t->members == NULL)
 	    break;
-	for (m = t->members; m && tag != m->val; m = m->next) {
+	if(t->type == TChoice)
 	    fprintf (codefile, "switch((%s)->element) {\n", name);
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *s;
-	    asprintf (&s, "%s(%s)->%s",
+	    if (m->ellipsis) {
-		      m->optional ? "" : "&", name, m->gen_name);
+		have_ellipsis = m;
 		continue;
 	    }
 	    if(t->type == TChoice)
 		fprintf(codefile, "case %s:\n", m->label);
 	    asprintf (&s, "%s(%s)->%s%s",
 		      m->optional ? "" : "&", name, 
 		      t->type == TChoice ? "u." : "", m->gen_name);
 	    if (s == NULL)
 		errx(1, "malloc");
 	    if (m->optional)
 		fprintf (codefile, "if(%s)", s);
 	    else if(m->defval)
 		gen_compare_defval(s + 1, m->defval);
 	    fprintf (codefile, "{\n"
-		     "int oldret%d = %s;\n"
+		     "size_t oldret = %s;\n"
-		     "%s = 0;\n", oldret_counter, variable, variable);
+		     "%s = 0;\n", variable, variable);
 	    length_type (s, m->type, "ret");
-	    fprintf (codefile, "%s += 1 + length_len(%s) + oldret%d;\n",
+	    fprintf (codefile, "ret += oldret;\n");
 		     variable, variable, oldret_counter);
 	    fprintf (codefile, "}\n");
 	    if (tag == -1)
 		tag = m->val;
 	    free (s);
 	    if(t->type == TChoice)
 		fprintf(codefile, "break;\n");
 	}
 	if(t->type == TChoice) {
 	    if (have_ellipsis)
 		fprintf(codefile,
-		 "%s += 1 + length_len(%s);\n", variable, variable);
+			"case %s:\n"
 			"ret += (%s)->u.%s.length;\n"
 			"break;\n",
 			have_ellipsis->label,
 			name,
 			have_ellipsis->gen_name);
 	    fprintf (codefile, "}\n"); /* switch */
 	}
 	break;
    }
    case TSetOf:
    case TSequenceOf: {
 	char *n;
 	int oldret_counter = unique_get_next();
 	int oldret_counter_inner = unique_get_next();
 	fprintf (codefile,
 		 "{\n"
-		 "int oldret%d = %s;\n"
+		 "int oldret = %s;\n"
 		 "int i;\n"
 		 "%s = 0;\n",
-		 oldret_counter, variable, variable);
+		 variable, variable);
 	fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
-	fprintf (codefile, "int oldret%d = %s;\n"
+	fprintf (codefile, "int oldret = %s;\n"
-		 "%s = 0;\n", oldret_counter_inner, variable, variable);
+		 "%s = 0;\n", variable, variable);
 	asprintf (&n, "&(%s)->val[i]", name);
 	if (n == NULL)
 	    errx(1, "malloc");
 	length_type(n, t->subtype, variable);
-	fprintf (codefile, "%s += oldret%d;\n",
+	fprintf (codefile, "%s += oldret;\n",
-		 variable, oldret_counter_inner);
+		 variable);
 	fprintf (codefile, "}\n");
 	fprintf (codefile,
-		 "%s += 1 + length_len(%s) + oldret%d;\n"
+		 "%s += oldret;\n"
-		 "}\n", variable, variable, oldret_counter);
+		 "}\n", variable);
 	free(n);
 	break;
    }
@ -149,28 +214,44 @@ length_type (const char *name, const Type *t, const char *variable)
    case TGeneralString:
 	length_primitive ("general_string", name, variable);
 	break;
    case TUTCTime:
 	length_primitive ("utctime", name, variable);
 	break;
    case TUTF8String:
 	length_primitive ("utf8string", name, variable);
 	break;
    case TPrintableString:
 	length_primitive ("printable_string", name, variable);
 	break;
    case TIA5String:
 	length_primitive ("ia5_string", name, variable);
 	break;
    case TBMPString:
 	length_primitive ("bmp_string", name, variable);
 	break;
    case TUniversalString:
 	length_primitive ("universal_string", name, variable);
 	break;
    case TNull:
-	fprintf (codefile, "%s += length_nulltype();\n", variable);
+	fprintf (codefile, "/* NULL */\n");
 	break;
-    case TApplication:
+    case TTag:
 	length_type (name, t->subtype, variable);
-	fprintf (codefile, "ret += 1 + length_len (ret);\n");
+	fprintf (codefile, "ret += %lu + length_len (ret);\n", 
 		 (unsigned long)length_tag(t->tag.tagvalue));
 	break;
-    case TBoolean:
+    case TOID:
-	length_primitive ("boolean", name, variable);
+	length_primitive ("oid", name, variable);
 	break;
    default :
 	abort ();
    }
    return 0;
 }
 void
 generate_type_length (const Symbol *s)
 {
  unique_reset();
  fprintf (headerfile,
 	   "size_t length_%s(const %s *);\n",
 	   s->gen_name, s->gen_name);
--- a/source/heimdal/lib/asn1/gen_locl.h
+++ b/source/heimdal/lib/asn1/gen_locl.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -31,7 +31,7 @@
 * SUCH DAMAGE. 
 */
-/* $Id: gen_locl.h,v 1.10 2005/06/16 19:58:58 lha Exp $ */
+/* $Id: gen_locl.h,v 1.12 2005/07/12 06:27:30 lha Exp $ */
 #ifndef __GEN_LOCL_H__
 #define __GEN_LOCL_H__
@ -51,6 +51,8 @@
 #include <roken.h>
 #include "hash.h"
 #include "symbol.h"
 #include "asn1-common.h"
 #include "der.h"
 void generate_type (const Symbol *);
 void generate_constant (const Symbol *);
@ -61,10 +63,14 @@ void generate_type_free (const Symbol *s);
 void generate_type_length (const Symbol *s);
 void generate_type_copy (const Symbol *s);
 void generate_type_maybe (const Symbol *s);
-void generate_glue (const Symbol *s);
+void generate_glue (const Type *, const char*);
 const char *classname(Der_class);
 const char *valuename(Der_class class, int);
 void gen_compare_defval(const char *var, struct value *val);
 void gen_assign_defval(const char *var, struct value *val);
 void unique_reset(void);
 int unique_get_next(void);
 void init_generate (const char *filename, const char *basename);
 const char *get_filename (void);
@ -72,6 +78,12 @@ void close_generate(void);
 void add_import(const char *module);
 int yyparse(void);
 int preserve_type(const char *);
 extern FILE *headerfile, *codefile, *logfile;
 extern int dce_fix;
 extern int rfc1510_bitstring;
 extern int error_flag;
 #endif /* __GEN_LOCL_H__ */
--- a/source/heimdal/lib/asn1/hash.c
+++ b/source/heimdal/lib/asn1/hash.c
@ -37,7 +37,7 @@
 #include "gen_locl.h"
-RCSID("$Id: hash.c,v 1.9 2005/01/08 22:55:26 lha Exp $");
+RCSID("$Id: hash.c,v 1.10 2005/07/12 06:27:30 lha Exp $");
 static Hashentry *_search(Hashtab * htab,	/* The hash table */
 			  void *ptr);	/* And key */
--- a/source/heimdal/lib/asn1/heim_asn1.h
+++ b/source/heimdal/lib/asn1/heim_asn1.h
@ -0,0 +1,55 @@
 /*
 * Copyright (c) 2003-2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions 
 * are met: 
 *
 * 1. Redistributions of source code must retain the above copyright 
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright 
 *    notice, this list of conditions and the following disclaimer in the 
 *    documentation and/or other materials provided with the distribution. 
 *
 * 3. Neither the name of the Institute nor the names of its contributors 
 *    may be used to endorse or promote products derived from this software 
 *    without specific prior written permission. 
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 * SUCH DAMAGE. 
 */
 #ifndef __HEIM_ANY_H__
 #define __HEIM_ANY_H__ 1
 typedef struct heim_octet_string heim_any;
 typedef struct heim_octet_string heim_any_set;
 int	encode_heim_any(unsigned char *, size_t, const heim_any *, size_t *);
 int	decode_heim_any(const unsigned char *, size_t, heim_any *, size_t *);
 void	free_heim_any(heim_any *);
 size_t	length_heim_any(const heim_any *);
 int	copy_heim_any(const heim_any *, heim_any *);
 int	encode_heim_any_set(unsigned char *, size_t,
 			    const heim_any_set *, size_t *);
 int	decode_heim_any_set(const unsigned char *, size_t,
 			    heim_any_set *,size_t *);
 void	free_heim_any_set(heim_any_set *);
 size_t	length_heim_any_set(const heim_any_set *);
 int	copy_heim_any_set(const heim_any_set *, heim_any_set *);
 int	heim_any_cmp(const heim_any_set *, const heim_any_set *);
 #endif /* __HEIM_ANY_H__ */
--- a/source/heimdal/lib/asn1/k5.asn1
+++ b/source/heimdal/lib/asn1/k5.asn1
@ -1,4 +1,4 @@
-- $Id: k5.asn1,v 1.43 2005/06/17 04:58:59 lha Exp $
+-- $Id: k5.asn1,v 1.45 2005/07/13 05:29:49 lha Exp $
 KERBEROS5 DEFINITIONS ::=
 BEGIN
@ -11,7 +11,11 @@ NAME-TYPE ::= INTEGER {
 	KRB5_NT_SRV_XHST(4),	-- Service with host as remaining components
 	KRB5_NT_UID(5),		-- Unique ID
 	KRB5_NT_X500_PRINCIPAL(6), -- PKINIT
-	KRB5_NT_ENTERPRISE(10)	-- May be mapped to principal name
+	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
 	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
 	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
 	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
 	KRB5_NT_MS_PRINCIPAL_AND_ID(-129) -- NT style name and SID
 }
 -- message types
@ -49,6 +53,7 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
 	KRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
 	KRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
 	KRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
 	KRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
 	KRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
 	KRB5-PADATA-ETYPE-INFO2(19),
@ -58,7 +63,6 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-SAM-ETYPE-INFO(23),
 	KRB5-PADATA-SERVER-REFERRAL(25),
 	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
 	KRB5-PADATA-TD-KRB-REALM(103),		-- Realm
 	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
 	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
 	KRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
@ -137,9 +141,13 @@ ENCTYPE ::= INTEGER {
 	ETYPE_DES3_CBC_NONE_CMS(-0x100a)
 }
 -- this is sugar to make something ASN1 does not have: unsigned
-UNSIGNED ::= INTEGER (0..4294967295)
+krb5uint32 ::= INTEGER (0..4294967295)
 krb5int32 ::= INTEGER (-2147483648..2147483647)
 KerberosString  ::= GeneralString
@ -156,14 +164,14 @@ Principal ::= SEQUENCE {
 }
 HostAddress ::= SEQUENCE  {
-	addr-type[0]		INTEGER,
+	addr-type[0]		krb5int32,
 	address[1]		OCTET STRING
 }
 -- This is from RFC1510.
 --
 -- HostAddresses ::= SEQUENCE OF SEQUENCE {
-- 	addr-type[0]		INTEGER,
+-- 	addr-type[0]		krb5int32,
 --	address[1]		OCTET STRING
 -- }
@ -174,7 +182,7 @@ HostAddresses ::= SEQUENCE OF HostAddress
 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
 AuthorizationData ::= SEQUENCE OF SEQUENCE {
-	ad-type[0]		INTEGER,
+	ad-type[0]		krb5int32,
 	ad-data[1]		OCTET STRING
 }
@ -243,23 +251,23 @@ LastReq ::= SEQUENCE OF SEQUENCE {
 EncryptedData ::= SEQUENCE {
 	etype[0] 		ENCTYPE, -- EncryptionType
-	kvno[1]			INTEGER OPTIONAL,
+	kvno[1]			krb5int32 OPTIONAL,
 	cipher[2]		OCTET STRING -- ciphertext
 }
 EncryptionKey ::= SEQUENCE {
-	keytype[0]		INTEGER,
+	keytype[0]		krb5int32,
 	keyvalue[1]		OCTET STRING
 }
 -- encoded Transited field
 TransitedEncoding ::= SEQUENCE {
-	tr-type[0]		INTEGER, -- must be registered
+	tr-type[0]		krb5int32, -- must be registered
 	contents[1]		OCTET STRING
 }
 Ticket ::= [APPLICATION 1] SEQUENCE {
-	tkt-vno[0]		INTEGER,
+	tkt-vno[0]		krb5int32,
 	realm[1]		Realm,
 	sname[2]		PrincipalName,
 	enc-part[3]		EncryptedData
@ -285,14 +293,14 @@ Checksum ::= SEQUENCE {
 }
 Authenticator ::= [APPLICATION 2] SEQUENCE    {
-	authenticator-vno[0]	INTEGER,
+	authenticator-vno[0]	krb5int32,
 	crealm[1]		Realm,
 	cname[2]		PrincipalName,
 	cksum[3]		Checksum OPTIONAL,
-	cusec[4]		INTEGER,
+	cusec[4]		krb5int32,
 	ctime[5]		KerberosTime,
 	subkey[6]		EncryptionKey OPTIONAL,
-	seq-number[7]		UNSIGNED OPTIONAL,
+	seq-number[7]		krb5uint32 OPTIONAL,
 	authorization-data[8]	AuthorizationData OPTIONAL
 	}
@ -305,7 +313,7 @@ PA-DATA ::= SEQUENCE {
 ETYPE-INFO-ENTRY ::= SEQUENCE {
 	etype[0]		ENCTYPE,
 	salt[1]			OCTET STRING OPTIONAL,
-	salttype[2]		INTEGER OPTIONAL
+	salttype[2]		krb5int32 OPTIONAL
 }
 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
@ -320,6 +328,13 @@ ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
 METHOD-DATA ::= SEQUENCE OF PA-DATA
 TypedData ::=   SEQUENCE {
 	data-type[0]		krb5int32,
 	data-value[1]		OCTET STRING OPTIONAL
 }
 TYPED-DATA ::= SEQUENCE OF TypedData
 KDC-REQ-BODY ::= SEQUENCE {
 	kdc-options[0]		KDCOptions,
 	cname[1]		PrincipalName OPTIONAL, -- Used only in AS-REQ
@ -329,7 +344,7 @@ KDC-REQ-BODY ::= SEQUENCE {
 	from[4]			KerberosTime OPTIONAL,
 	till[5]			KerberosTime OPTIONAL,
 	rtime[6]		KerberosTime OPTIONAL,
-	nonce[7]		INTEGER,
+	nonce[7]		krb5int32,
 	etype[8]		SEQUENCE OF ENCTYPE, -- EncryptionType,
 					-- in preference order
 	addresses[9]		HostAddresses OPTIONAL,
@ -339,7 +354,7 @@ KDC-REQ-BODY ::= SEQUENCE {
 }
 KDC-REQ ::= SEQUENCE {
-	pvno[1]			INTEGER,
+	pvno[1]			krb5int32,
 	msg-type[2]		MESSAGE-TYPE,
 	padata[3]		METHOD-DATA OPTIONAL,
 	req-body[4]		KDC-REQ-BODY
@ -353,7 +368,7 @@ TGS-REQ ::= [APPLICATION 12] KDC-REQ
 PA-ENC-TS-ENC ::= SEQUENCE {
 	patimestamp[0]		KerberosTime, -- client's time
-	pausec[1]		INTEGER OPTIONAL
+	pausec[1]		krb5int32 OPTIONAL
 }
 -- draft-brezak-win2k-krb-authz-01
@ -362,8 +377,11 @@ PA-PAC-REQUEST ::= SEQUENCE {
 					-- should be included or not
 }
 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
 PROV-SRV-LOCATION ::= GeneralString
 KDC-REP ::= SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	padata[2]		METHOD-DATA OPTIONAL,
 	crealm[3]		Realm,
@ -378,7 +396,7 @@ TGS-REP ::= [APPLICATION 13] KDC-REP
 EncKDCRepPart ::= SEQUENCE {
 	key[0]			EncryptionKey,
 	last-req[1]		LastReq,
-	nonce[2]		INTEGER,
+	nonce[2]		krb5int32,
 	key-expiration[3]	KerberosTime OPTIONAL,
 	flags[4]		TicketFlags,
 	authtime[5]		KerberosTime,
@ -394,7 +412,7 @@ EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
 AP-REQ ::= [APPLICATION 14] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	ap-options[2]		APOptions,
 	ticket[3]		Ticket,
@ -402,50 +420,50 @@ AP-REQ ::= [APPLICATION 14] SEQUENCE {
 }
 AP-REP ::= [APPLICATION 15] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	enc-part[2]		EncryptedData
 }
 EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
 	ctime[0]		KerberosTime,
-	cusec[1]		INTEGER,
+	cusec[1]		krb5int32,
 	subkey[2]		EncryptionKey OPTIONAL,
-	seq-number[3]		UNSIGNED OPTIONAL
+	seq-number[3]		krb5uint32 OPTIONAL
 }
 KRB-SAFE-BODY ::= SEQUENCE {
 	user-data[0]		OCTET STRING,
 	timestamp[1]		KerberosTime OPTIONAL,
-	usec[2]			INTEGER OPTIONAL,
+	usec[2]			krb5int32 OPTIONAL,
-	seq-number[3]		UNSIGNED OPTIONAL,
+	seq-number[3]		krb5uint32 OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL,
 	r-address[5]		HostAddress OPTIONAL
 }
 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	safe-body[2]		KRB-SAFE-BODY,
 	cksum[3]		Checksum
 }
 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	enc-part[3]		EncryptedData
 }
 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
 	user-data[0]		OCTET STRING,
 	timestamp[1]		KerberosTime OPTIONAL,
-	usec[2]			INTEGER OPTIONAL,
+	usec[2]			krb5int32 OPTIONAL,
-	seq-number[3]		UNSIGNED OPTIONAL,
+	seq-number[3]		krb5uint32 OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL, -- sender's addr
 	r-address[5]		HostAddress OPTIONAL  -- recip's addr
 }
 KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE, -- KRB_CRED
 	tickets[2]		SEQUENCE OF Ticket,
 	enc-part[3]		EncryptedData
@ -467,21 +485,21 @@ KrbCredInfo ::= SEQUENCE {
 EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
 	ticket-info[0]		SEQUENCE OF KrbCredInfo,
-	nonce[1]		INTEGER OPTIONAL,
+	nonce[1]		krb5int32 OPTIONAL,
 	timestamp[2]		KerberosTime OPTIONAL,
-	usec[3]			INTEGER OPTIONAL,
+	usec[3]			krb5int32 OPTIONAL,
 	s-address[4]		HostAddress OPTIONAL,
 	r-address[5]		HostAddress OPTIONAL
 }
 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
-	pvno[0]			INTEGER,
+	pvno[0]			krb5int32,
 	msg-type[1]		MESSAGE-TYPE,
 	ctime[2]		KerberosTime OPTIONAL,
-	cusec[3]		INTEGER OPTIONAL,
+	cusec[3]		krb5int32 OPTIONAL,
 	stime[4]		KerberosTime,
-	susec[5]		INTEGER,
+	susec[5]		krb5int32,
-	error-code[6]		INTEGER,
+	error-code[6]		krb5int32,
 	crealm[7]		Realm OPTIONAL,
 	cname[8]		PrincipalName OPTIONAL,
 	realm[9]		Realm, -- Correct realm
@ -496,15 +514,15 @@ ChangePasswdDataMS ::= SEQUENCE {
 	targrealm[2]		Realm OPTIONAL
 }
-EtypeList ::= SEQUENCE OF INTEGER
+EtypeList ::= SEQUENCE OF krb5int32
 	-- the client's proposed enctype list in
 	-- decreasing preference order, favorite choice first
-krb5-pvno INTEGER ::= 5 -- current Kerberos protocol version number
+krb5-pvno krb5int32 ::= 5 -- current Kerberos protocol version number
 -- transited encodings
-DOMAIN-X500-COMPRESS	INTEGER ::= 1
+DOMAIN-X500-COMPRESS	krb5int32 ::= 1
 -- authorization data primitives
@ -544,7 +562,7 @@ SAMFlags ::= BIT STRING {
 }
 PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
-	sam-type[0]		INTEGER,
+	sam-type[0]		krb5int32,
 	sam-flags[1]		SAMFlags,
 	sam-type-name[2]	GeneralString OPTIONAL,
 	sam-track-id[3]		GeneralString OPTIONAL,
@ -552,8 +570,8 @@ PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
 	sam-challenge[5]	GeneralString OPTIONAL,
 	sam-response-prompt[6]	GeneralString OPTIONAL,
 	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
-	sam-nonce[8]		INTEGER,
+	sam-nonce[8]		krb5int32,
-	sam-etype[9]		INTEGER,
+	sam-etype[9]		krb5int32,
 	...
 }
@ -564,27 +582,31 @@ PA-SAM-CHALLENGE-2 ::= SEQUENCE {
 }
 PA-SAM-RESPONSE-2 ::= SEQUENCE {
-	sam-type[0]		INTEGER,
+	sam-type[0]		krb5int32,
 	sam-flags[1]		SAMFlags,
 	sam-track-id[2]		GeneralString OPTIONAL,
 	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
-	sam-nonce[4]		INTEGER,
+	sam-nonce[4]		krb5int32,
 	...
 }
 PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
-	sam-nonce[0]		INTEGER,
+	sam-nonce[0]		krb5int32,
 	sam-sad[1]		GeneralString OPTIONAL,
 	...
 }
 -- This is really part of CMS, but its here because KCRYPTO provides
 -- the crypto framework for CMS glue in heimdal.
 RC2CBCParameter ::= SEQUENCE {
-	rc2ParameterVersion	[0] INTEGER,
+	rc2ParameterVersion	krb5int32,
-	iv			[1] OCTET STRING -- exactly 8 octets
+	iv			OCTET STRING -- exactly 8 octets
 }
 CBCParameter ::= OCTET STRING
 END
 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
--- a/source/heimdal/lib/asn1/lex.c
+++ b/source/heimdal/lib/asn1/lex.c
--- a/source/heimdal/lib/asn1/lex.h
+++ b/source/heimdal/lib/asn1/lex.h
@ -31,11 +31,12 @@
 * SUCH DAMAGE. 
 */
-/* $Id: lex.h,v 1.5 2000/07/01 20:21:34 assar Exp $ */
+/* $Id: lex.h,v 1.6 2005/07/12 06:27:33 lha Exp $ */
 #include <roken.h>
 void error_message (const char *, ...)
 __attribute__ ((format (printf, 1, 2)));
 extern int error_flag;
 int yylex(void);
--- a/source/heimdal/lib/asn1/lex.l
+++ b/source/heimdal/lib/asn1/lex.l
@ -1,6 +1,6 @@
 %{
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -32,7 +32,7 @@
 * SUCH DAMAGE. 
 */
-/* $Id: lex.l,v 1.25 2005/06/16 19:58:35 lha Exp $ */
+/* $Id: lex.l,v 1.26 2005/07/12 06:27:33 lha Exp $ */
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@ -52,62 +52,118 @@
 static unsigned lineno = 1;
 #define YY_NO_UNPUT
 #undef ECHO
 static void handle_comment(int type);
-
+static char *handle_string(void);
 %}
 %%
-INTEGER			{ return INTEGER; }
+ABSENT			{ return kw_ABSENT; }
-BOOLEAN			{ return BOOLEAN; }
+ABSTRACT-SYNTAX		{ return kw_ABSTRACT_SYNTAX; }
-IMPORTS			{ return IMPORTS; }
+ALL			{ return kw_ALL; }
-FROM			{ return FROM; }
+APPLICATION		{ return kw_APPLICATION; }
-SEQUENCE		{ return SEQUENCE; }
+AUTOMATIC		{ return kw_AUTOMATIC; }
-CHOICE			{ return CHOICE; }
+BEGIN			{ return kw_BEGIN; }
-OF			{ return OF; }
+BIT			{ return kw_BIT; }
-OCTET			{ return OCTET; }
+BMPString		{ return kw_BMPString; }
-STRING			{ return STRING; }
+BOOLEAN			{ return kw_BOOLEAN; }
-GeneralizedTime		{ return GeneralizedTime; }
+BY			{ return kw_BY; }
-GeneralString		{ return GeneralString; }
+CHARACTER		{ return kw_CHARACTER; }
-UTF8String		{ return UTF8String; }
+CHOICE			{ return kw_CHOICE; }
-NULL			{ return NULLTYPE; }
+CLASS			{ return kw_CLASS; }
-BIT			{ return BIT; }
+COMPONENT		{ return kw_COMPONENT; }
-APPLICATION		{ return APPLICATION; }
+COMPONENTS		{ return kw_COMPONENTS; }
-OPTIONAL		{ return OPTIONAL; }
+CONSTRAINED		{ return kw_CONSTRAINED; }
-BEGIN			{ return TBEGIN; }
+CONTAINING		{ return kw_CONTAINING; }
-END			{ return END; }
+DEFAULT			{ return kw_DEFAULT; }
-DEFAULT			{ return DEFAULT; }
+DEFINITIONS		{ return kw_DEFINITIONS; }
-DEFINITIONS		{ return DEFINITIONS; }
+EMBEDDED		{ return kw_EMBEDDED; }
-ENUMERATED		{ return ENUMERATED; }
+ENCODED			{ return kw_ENCODED; }
-EXTERNAL		{ return EXTERNAL; }
+END			{ return kw_END; }
-OBJECT			{ return OBJECT; }
+ENUMERATED		{ return kw_ENUMERATED; }
-IDENTIFIER		{ return IDENTIFIER; }
+EXCEPT			{ return kw_EXCEPT; }
-[-,;{}()|\"]		{ return *yytext; }
+EXPLICIT		{ return kw_EXPLICIT; }
 EXPORTS			{ return kw_EXPORTS; }
 EXTENSIBILITY		{ return kw_EXTENSIBILITY; }
 EXTERNAL		{ return kw_EXTERNAL; }
 FALSE			{ return kw_FALSE; }
 FROM			{ return kw_FROM; }
 GeneralString		{ return kw_GeneralString; }
 GeneralizedTime		{ return kw_GeneralizedTime; }
 GraphicString		{ return kw_GraphicString; }
 IA5String		{ return kw_IA5String; }
 IDENTIFIER		{ return kw_IDENTIFIER; }
 IMPLICIT		{ return kw_IMPLICIT; }
 IMPLIED			{ return kw_IMPLIED; }
 IMPORTS			{ return kw_IMPORTS; }
 INCLUDES		{ return kw_INCLUDES; }
 INSTANCE		{ return kw_INSTANCE; }
 INTEGER			{ return kw_INTEGER; }
 INTERSECTION		{ return kw_INTERSECTION; }
 ISO646String		{ return kw_ISO646String; }
 MAX			{ return kw_MAX; }
 MIN			{ return kw_MIN; }
 MINUS-INFINITY		{ return kw_MINUS_INFINITY; }
 NULL			{ return kw_NULL; }
 NumericString		{ return kw_NumericString; }
 OBJECT			{ return kw_OBJECT; }
 OCTET			{ return kw_OCTET; }
 OF			{ return kw_OF; }
 OPTIONAL		{ return kw_OPTIONAL; }
 ObjectDescriptor	{ return kw_ObjectDescriptor; }
 PATTERN			{ return kw_PATTERN; }
 PDV			{ return kw_PDV; }
 PLUS-INFINITY		{ return kw_PLUS_INFINITY; }
 PRESENT			{ return kw_PRESENT; }
 PRIVATE			{ return kw_PRIVATE; }
 PrintableString		{ return kw_PrintableString; }
 REAL			{ return kw_REAL; }
 RELATIVE_OID		{ return kw_RELATIVE_OID; }
 SEQUENCE		{ return kw_SEQUENCE; }
 SET			{ return kw_SET; }
 SIZE			{ return kw_SIZE; }
 STRING			{ return kw_STRING; }
 SYNTAX			{ return kw_SYNTAX; }
 T61String		{ return kw_T61String; }
 TAGS			{ return kw_TAGS; }
 TRUE			{ return kw_TRUE; }
 TYPE-IDENTIFIER		{ return kw_TYPE_IDENTIFIER; }
 TeletexString		{ return kw_TeletexString; }
 UNION			{ return kw_UNION; }
 UNIQUE			{ return kw_UNIQUE; }
 UNIVERSAL		{ return kw_UNIVERSAL; }
 UTCTime			{ return kw_UTCTime; }
 UTF8String		{ return kw_UTF8String; }
 UniversalString		{ return kw_UniversalString; }
 VideotexString		{ return kw_VideotexString; }
 VisibleString		{ return kw_VisibleString; }
 WITH			{ return kw_WITH; }
 [-,;{}()|]		{ return *yytext; }
 "["			{ return *yytext; }
 "]"			{ return *yytext; }
 ::=			{ return EEQUAL; }
 --			{ handle_comment(0); }
 \/\*			{ handle_comment(1); }
-0x[0-9A-Fa-f]+|[0-9]+	{ char *e, *y = yytext;
+"\""			{ yylval.name = handle_string(); return STRING; }
 -?0x[0-9A-Fa-f]+|-?[0-9]+ { char *e, *y = yytext;
 			  yylval.constant = strtol((const char *)yytext,
 						   &e, 0);
 			  if(e == y) 
 			    error_message("malformed constant (%s)", yytext); 
 			  else
-			    return CONSTANT;
+			    return NUMBER;
 			}
 [A-Za-z][-A-Za-z0-9_]*	{
-			  yylval.name =  strdup ((const char *)yytext);
+			  yylval.name =  estrdup ((const char *)yytext);
-			  return IDENT;
+			  return IDENTIFIER;
 			}
 [ \t]			;
 \n			{ ++lineno; }
-\.\.\.			{ return DOTDOTDOT; }
+\.\.\.			{ return ELLIPSIS; }
-\.\.			{ return DOTDOT; }
+\.\.			{ return RANGE; }
 .			{ error_message("Ignoring char(%c)\n", *yytext); }
 %%
@ -128,6 +184,7 @@ error_message (const char *format, ...)
     fprintf (stderr, "%s:%d: ", get_filename(), lineno);
     vfprintf (stderr, format, args);
     va_end (args);
     error_flag++;
 }
 static void
@ -165,6 +222,12 @@ handle_comment(int type)
 		seen_slash = 1;
 		continue;
 	    }
 	    if(seen_star && c == '/') {
 		if(--level == 0)
 		    return;
 		seen_star = 0;
 		continue;
 	    }
 	    if(c == '*') {
 		if(seen_slash) {
 		    level++;
@ -184,3 +247,50 @@ handle_comment(int type)
    if(c == EOF)
 	error_message("unterminated comment, possibly started on line %d\n", start_lineno);
 }
 static char *
 handle_string(void)
 {
    int start_lineno = lineno;
    int c;
    char buf[1024];
    char *p = buf;
    int f = 0;
    int skip_ws = 0;
    while((c = input()) != EOF) {
 	if(isspace(c) && skip_ws) {
 	    if(c == '\n')
 		lineno++;
 	    continue;
 	}
 	skip_ws = 0;
 	if(c == '"') {
 	    if(f) {
 		*p++ = '"';
 		f = 0;
 	    } else
 		f = 1;
 	    continue;
 	}
 	if(f == 1) {
 	    unput(c);
 	    break;
 	}
 	if(c == '\n') {
 	    lineno++;
 	    while(p > buf && isspace((unsigned char)p[-1]))
 		p--;
 	    skip_ws = 1;
 	    continue;
 	}
 	*p++ = c;
    }
    if(c == EOF)
 	error_message("unterminated string, possibly started on line %d\n", start_lineno);
    *p++ = '\0';
    fprintf(stderr, "string -- %s\n", buf);
    return estrdup(buf);
 }
--- a/source/heimdal/lib/asn1/libasn1.h
+++ b/source/heimdal/lib/asn1/libasn1.h
@ -0,0 +1,51 @@
 /*
 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions 
 * are met: 
 *
 * 1. Redistributions of source code must retain the above copyright 
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright 
 *    notice, this list of conditions and the following disclaimer in the 
 *    documentation and/or other materials provided with the distribution. 
 *
 * 3. Neither the name of the Institute nor the names of its contributors 
 *    may be used to endorse or promote products derived from this software 
 *    without specific prior written permission. 
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 * SUCH DAMAGE. 
 */
 /* $Id: libasn1.h,v 1.11 2005/07/12 06:27:34 lha Exp $ */
 #ifndef __LIBASN1_H__
 #define __LIBASN1_H__
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include "krb5_asn1.h"
 #include "der.h"
 #include "asn1_err.h"
 #include <parse_units.h>
 #endif /* __LIBASN1_H__ */
--- a/source/heimdal/lib/asn1/main.c
+++ b/source/heimdal/lib/asn1/main.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,14 +33,32 @@
 #include "gen_locl.h"
 #include <getarg.h>
 #include "lex.h"
-RCSID("$Id: main.c,v 1.13 2005/06/16 20:05:31 lha Exp $");
+RCSID("$Id: main.c,v 1.14 2005/07/12 06:27:34 lha Exp $");
 extern FILE *yyin;
 static getarg_strings preserve;
 int
 preserve_type(const char *p)
 {
    int i;
    for (i = 0; i < preserve.num_strings; i++)
 	if (strcmp(preserve.strings[i], p) == 0)
 	    return 1;
    return 0;
 }
 int dce_fix;
 int rfc1510_bitstring;
 int version_flag;
 int help_flag;
 struct getargs args[] = {
    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
    { "decode-dce-ber", 0, arg_flag, &dce_fix },
    { "preserve-binary", 0, arg_strings, &preserve },
    { "version", 0, arg_flag, &version_flag },
    { "help", 0, arg_flag, &help_flag }
 };
@ -53,12 +71,14 @@ usage(int code)
    exit(code);
 }
 int error_flag;
 int
 main(int argc, char **argv)
 {
    int ret;
-    const char *file;
+    char *file;
-    const char *name = NULL;
+    char *name = NULL;
    int optidx = 0;
    setprogname(argv[0]);
@ -79,12 +99,21 @@ main(int argc, char **argv)
 	yyin = fopen (file, "r");
 	if (yyin == NULL)
 	    err (1, "open %s", file);
 	if (argc == optidx + 1) {
 	    char *p;
 	    name = estrdup(file);
 	    p = strrchr(name, '.');
 	    if (p)
 		*p = '\0';
 	} else
 	    name = argv[optidx + 1];
    }
    init_generate (file, name);
    initsym ();
    ret = yyparse ();
    if(ret != 0 || error_flag != 0)
 	exit(1);
    close_generate ();
-    return ret;
+    return 0;
 }
--- a/source/heimdal/lib/asn1/parse.c
+++ b/source/heimdal/lib/asn1/parse.c
--- a/source/heimdal/lib/asn1/parse.h
+++ b/source/heimdal/lib/asn1/parse.h
@ -1,7 +1,7 @@
-/* A Bison parser, made by GNU Bison 1.875d.  */
+/* A Bison parser, made by GNU Bison 1.875c.  */
 /* Skeleton parser for Yacc-like parsing with Bison,
-   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@ -29,81 +29,203 @@
   /* Put the tokens into the symbol table, so that GDB and other debuggers
      know about them.  */
   enum yytokentype {
-     INTEGER = 258,
+     kw_ABSENT = 258,
-     SEQUENCE = 259,
+     kw_ABSTRACT_SYNTAX = 259,
-     CHOICE = 260,
+     kw_ALL = 260,
-     OF = 261,
+     kw_APPLICATION = 261,
-     OCTET = 262,
+     kw_AUTOMATIC = 262,
-     STRING = 263,
+     kw_BEGIN = 263,
-     GeneralizedTime = 264,
+     kw_BIT = 264,
-     GeneralString = 265,
+     kw_BMPString = 265,
-     BIT = 266,
+     kw_BOOLEAN = 266,
-     APPLICATION = 267,
+     kw_BY = 267,
-     OPTIONAL = 268,
+     kw_CHARACTER = 268,
-     EEQUAL = 269,
+     kw_CHOICE = 269,
-     TBEGIN = 270,
+     kw_CLASS = 270,
-     END = 271,
+     kw_COMPONENT = 271,
-     DEFINITIONS = 272,
+     kw_COMPONENTS = 272,
-     ENUMERATED = 273,
+     kw_CONSTRAINED = 273,
-     UTF8String = 274,
+     kw_CONTAINING = 274,
-     NULLTYPE = 275,
+     kw_DEFAULT = 275,
-     EXTERNAL = 276,
+     kw_DEFINITIONS = 276,
-     DEFAULT = 277,
+     kw_EMBEDDED = 277,
-     DOTDOT = 278,
+     kw_ENCODED = 278,
-     DOTDOTDOT = 279,
+     kw_END = 279,
-     BOOLEAN = 280,
+     kw_ENUMERATED = 280,
-     IMPORTS = 281,
+     kw_EXCEPT = 281,
-     FROM = 282,
+     kw_EXPLICIT = 282,
-     OBJECT = 283,
+     kw_EXPORTS = 283,
-     IDENTIFIER = 284,
+     kw_EXTENSIBILITY = 284,
-     IDENT = 285,
+     kw_EXTERNAL = 285,
-     CONSTANT = 286
+     kw_FALSE = 286,
     kw_FROM = 287,
     kw_GeneralString = 288,
     kw_GeneralizedTime = 289,
     kw_GraphicString = 290,
     kw_IA5String = 291,
     kw_IDENTIFIER = 292,
     kw_IMPLICIT = 293,
     kw_IMPLIED = 294,
     kw_IMPORTS = 295,
     kw_INCLUDES = 296,
     kw_INSTANCE = 297,
     kw_INTEGER = 298,
     kw_INTERSECTION = 299,
     kw_ISO646String = 300,
     kw_MAX = 301,
     kw_MIN = 302,
     kw_MINUS_INFINITY = 303,
     kw_NULL = 304,
     kw_NumericString = 305,
     kw_OBJECT = 306,
     kw_OCTET = 307,
     kw_OF = 308,
     kw_OPTIONAL = 309,
     kw_ObjectDescriptor = 310,
     kw_PATTERN = 311,
     kw_PDV = 312,
     kw_PLUS_INFINITY = 313,
     kw_PRESENT = 314,
     kw_PRIVATE = 315,
     kw_PrintableString = 316,
     kw_REAL = 317,
     kw_RELATIVE_OID = 318,
     kw_SEQUENCE = 319,
     kw_SET = 320,
     kw_SIZE = 321,
     kw_STRING = 322,
     kw_SYNTAX = 323,
     kw_T61String = 324,
     kw_TAGS = 325,
     kw_TRUE = 326,
     kw_TYPE_IDENTIFIER = 327,
     kw_TeletexString = 328,
     kw_UNION = 329,
     kw_UNIQUE = 330,
     kw_UNIVERSAL = 331,
     kw_UTCTime = 332,
     kw_UTF8String = 333,
     kw_UniversalString = 334,
     kw_VideotexString = 335,
     kw_VisibleString = 336,
     kw_WITH = 337,
     RANGE = 338,
     EEQUAL = 339,
     ELLIPSIS = 340,
     IDENTIFIER = 341,
     referencename = 342,
     STRING = 343,
     NUMBER = 344
   };
 #endif
-#define INTEGER 258
+#define kw_ABSENT 258
-#define SEQUENCE 259
+#define kw_ABSTRACT_SYNTAX 259
-#define CHOICE 260
+#define kw_ALL 260
-#define OF 261
+#define kw_APPLICATION 261
-#define OCTET 262
+#define kw_AUTOMATIC 262
-#define STRING 263
+#define kw_BEGIN 263
-#define GeneralizedTime 264
+#define kw_BIT 264
-#define GeneralString 265
+#define kw_BMPString 265
-#define BIT 266
+#define kw_BOOLEAN 266
-#define APPLICATION 267
+#define kw_BY 267
-#define OPTIONAL 268
+#define kw_CHARACTER 268
-#define EEQUAL 269
+#define kw_CHOICE 269
-#define TBEGIN 270
+#define kw_CLASS 270
-#define END 271
+#define kw_COMPONENT 271
-#define DEFINITIONS 272
+#define kw_COMPONENTS 272
-#define ENUMERATED 273
+#define kw_CONSTRAINED 273
-#define UTF8String 274
+#define kw_CONTAINING 274
-#define NULLTYPE 275
+#define kw_DEFAULT 275
-#define EXTERNAL 276
+#define kw_DEFINITIONS 276
-#define DEFAULT 277
+#define kw_EMBEDDED 277
-#define DOTDOT 278
+#define kw_ENCODED 278
-#define DOTDOTDOT 279
+#define kw_END 279
-#define BOOLEAN 280
+#define kw_ENUMERATED 280
-#define IMPORTS 281
+#define kw_EXCEPT 281
-#define FROM 282
+#define kw_EXPLICIT 282
-#define OBJECT 283
+#define kw_EXPORTS 283
-#define IDENTIFIER 284
+#define kw_EXTENSIBILITY 284
-#define IDENT 285
+#define kw_EXTERNAL 285
-#define CONSTANT 286
+#define kw_FALSE 286
 #define kw_FROM 287
 #define kw_GeneralString 288
 #define kw_GeneralizedTime 289
 #define kw_GraphicString 290
 #define kw_IA5String 291
 #define kw_IDENTIFIER 292
 #define kw_IMPLICIT 293
 #define kw_IMPLIED 294
 #define kw_IMPORTS 295
 #define kw_INCLUDES 296
 #define kw_INSTANCE 297
 #define kw_INTEGER 298
 #define kw_INTERSECTION 299
 #define kw_ISO646String 300
 #define kw_MAX 301
 #define kw_MIN 302
 #define kw_MINUS_INFINITY 303
 #define kw_NULL 304
 #define kw_NumericString 305
 #define kw_OBJECT 306
 #define kw_OCTET 307
 #define kw_OF 308
 #define kw_OPTIONAL 309
 #define kw_ObjectDescriptor 310
 #define kw_PATTERN 311
 #define kw_PDV 312
 #define kw_PLUS_INFINITY 313
 #define kw_PRESENT 314
 #define kw_PRIVATE 315
 #define kw_PrintableString 316
 #define kw_REAL 317
 #define kw_RELATIVE_OID 318
 #define kw_SEQUENCE 319
 #define kw_SET 320
 #define kw_SIZE 321
 #define kw_STRING 322
 #define kw_SYNTAX 323
 #define kw_T61String 324
 #define kw_TAGS 325
 #define kw_TRUE 326
 #define kw_TYPE_IDENTIFIER 327
 #define kw_TeletexString 328
 #define kw_UNION 329
 #define kw_UNIQUE 330
 #define kw_UNIVERSAL 331
 #define kw_UTCTime 332
 #define kw_UTF8String 333
 #define kw_UniversalString 334
 #define kw_VideotexString 335
 #define kw_VisibleString 336
 #define kw_WITH 337
 #define RANGE 338
 #define EEQUAL 339
 #define ELLIPSIS 340
 #define IDENTIFIER 341
 #define referencename 342
 #define STRING 343
 #define NUMBER 344
 #if ! defined (YYSTYPE) && ! defined (YYSTYPE_IS_DECLARED)
-#line 56 "parse.y"
+#line 64 "parse.y"
 typedef union YYSTYPE {
    int constant;
    struct value *value;
    struct range range;
    char *name;
    Type *type;
    Member *member;
    struct objid *objid;
    char *defval;
    struct string_list *sl;
    struct tagtype tag;
    struct memhead *members;
 } YYSTYPE;
-/* Line 1285 of yacc.c.  */
+/* Line 1275 of yacc.c.  */
-#line 107 "parse.h"
+#line 229 "parse.h"
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
 # define YYSTYPE_IS_TRIVIAL 1
--- a/source/heimdal/lib/asn1/parse.y
+++ b/source/heimdal/lib/asn1/parse.y
--- a/source/heimdal/lib/asn1/pkcs12.asn1
+++ b/source/heimdal/lib/asn1/pkcs12.asn1
@ -0,0 +1,81 @@
 -- $Id: pkcs12.asn1,v 1.3 2005/07/23 11:07:39 lha Exp $ --
 PKCS12 DEFINITIONS ::=
 BEGIN
 IMPORTS ContentInfo FROM cms
 	DigestInfo FROM rfc2459
 	heim_any, heim_any_set FROM heim;
 -- The PFX PDU
 id-pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
 	rsadsi(113549) pkcs(1) pkcs-12(12) }
 id-pkcs-12PbeIds                   OBJECT IDENTIFIER ::= { id-pkcs-12 1}
 id-pbeWithSHAAnd128BitRC4          OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 1}
 id-pbeWithSHAAnd40BitRC4           OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 2}
 id-pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 3}
 id-pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 4}
 id-pbeWithSHAAnd128BitRC2-CBC      OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 5}
 id-pbewithSHAAnd40BitRC2-CBC       OBJECT IDENTIFIER ::= { id-pkcs-12PbeIds 6}
 id-pkcs12-bagtypes		OBJECT IDENTIFIER ::= { id-pkcs-12 10 1}
 id-pkcs12-keyBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 1 }
 id-pkcs12-pkcs8ShroudedKeyBag	OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 2 }
 id-pkcs12-certBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 3 }
 id-pkcs12-crlBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 4 }
 id-pkcs12-secretBag		OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 5 }
 id-pkcs12-safeContentsBag	OBJECT IDENTIFIER ::= { id-pkcs12-bagtypes 6 }
 PKCS12-MacData ::= SEQUENCE {
    	mac 		DigestInfo,
 	macSalt	        OCTET STRING,
 	iterations	INTEGER OPTIONAL
 }
 PKCS12-PFX ::= SEQUENCE {
    	version		INTEGER,
    	authSafe	ContentInfo,
    	macData    	PKCS12-MacData OPTIONAL
 }
 PKCS12-AuthenticatedSafe ::= SEQUENCE OF ContentInfo
 	-- Data if unencrypted
 	-- EncryptedData if password-encrypted
 	-- EnvelopedData if public key-encrypted
 PKCS12-Attribute ::= SEQUENCE {
 	attrId	   	OBJECT IDENTIFIER,
 	attrValues 	-- SET OF -- heim_any_set 
 }
 PKCS12-Attributes ::= SET OF PKCS12-Attribute
 PKCS12-SafeBag ::= SEQUENCE {
  	bagId	      	OBJECT IDENTIFIER,
  	bagValue      	[0] heim_any,
  	bagAttributes 	PKCS12-Attributes OPTIONAL
 }
 PKCS12-SafeContents ::= SEQUENCE OF PKCS12-SafeBag
 PKCS12-CertBag ::= SEQUENCE {
 	certType	OBJECT IDENTIFIER,
  	certValue      	[0] heim_any
 }
 PKCS12-PBEParams ::= SEQUENCE {
 	salt		OCTET STRING,
 	iterations	INTEGER (0..4294967295) OPTIONAL
 }
 PKCS12-OctetString ::= OCTET STRING
 -- KeyBag ::= PrivateKeyInfo
 -- PKCS8ShroudedKeyBag ::= EncryptedPrivateKeyInfo
 END
--- a/source/heimdal/lib/asn1/pkcs8.asn1
+++ b/source/heimdal/lib/asn1/pkcs8.asn1
@ -0,0 +1,30 @@
 -- $Id: pkcs8.asn1,v 1.2 2005/07/12 06:27:36 lha Exp $ --
 PKCS8 DEFINITIONS ::=
 BEGIN
 IMPORTS	Attribute, AlgorithmIdentifier FROM rfc2459
 	heim_any, heim_any_set FROM heim;
 PKCS8PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
 PKCS8PrivateKey ::= OCTET STRING
 PKCS8Attributes ::= SET OF Attribute
 PKCS8PrivateKeyInfo ::= SEQUENCE {
  version INTEGER,
  privateKeyAlgorithm PKCS8PrivateKeyAlgorithmIdentifier,
  privateKey PKCS8PrivateKey,
  attributes [0] IMPLICIT PKCS8Attributes OPTIONAL
 }
 PKCS8EncryptedData ::= OCTET STRING
 PKCS8EncryptedPrivateKeyInfo ::= SEQUENCE {
    encryptionAlgorithm AlgorithmIdentifier,
    encryptedData PKCS8EncryptedData 
 }
 END
--- a/source/heimdal/lib/asn1/pkcs9.asn1
+++ b/source/heimdal/lib/asn1/pkcs9.asn1
@ -0,0 +1,27 @@
 -- $Id: pkcs9.asn1,v 1.3 2005/07/23 10:38:28 lha Exp $ --
 PKCS9 DEFINITIONS ::=
 BEGIN
 -- The PFX PDU
 id-pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
 	rsadsi(113549) pkcs(1) pkcs-9(9) }
 id-pkcs9-contentType		OBJECT IDENTIFIER ::= {id-pkcs-9 3 }
 id-pkcs9-messageDigest		OBJECT IDENTIFIER ::= {id-pkcs-9 4 }
 id-pkcs9-signingTime		OBJECT IDENTIFIER ::= {id-pkcs-9 5 }
 id-pkcs9-countersignature	OBJECT IDENTIFIER ::= {id-pkcs-9 6 }
 id-pkcs-9-at-friendlyName	OBJECT IDENTIFIER ::= {id-pkcs-9 20}
 id-pkcs-9-at-localKeyId		OBJECT IDENTIFIER ::= {id-pkcs-9 21}
 id-pkcs-9-at-certTypes		OBJECT IDENTIFIER ::= {id-pkcs-9 22}
 id-pkcs-9-at-certTypes-x509	OBJECT IDENTIFIER ::= {id-pkcs-9-at-certTypes 1}
 PKCS9-BMPString ::= BMPString
 PKCS9-friendlyName ::= SET OF PKCS9-BMPString
 END
--- a/source/heimdal/lib/asn1/symbol.c
+++ b/source/heimdal/lib/asn1/symbol.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@ -32,8 +32,9 @@
 */
 #include "gen_locl.h"
 #include "lex.h"
-RCSID("$Id: symbol.c,v 1.9 2001/09/25 13:39:27 assar Exp $");
+RCSID("$Id: symbol.c,v 1.10 2005/07/12 06:27:39 lha Exp $");
 static Hashtab *htab;
@ -79,12 +80,31 @@ addsym (char *name)
    key.name = name;
    s = (Symbol *) hashtabsearch(htab, (void *) &key);
    if (s == NULL) {
-    s = (Symbol *)malloc (sizeof (*s));
+	s = (Symbol *) emalloc(sizeof(*s));
 	s->name = name;
-    s->gen_name = strdup(name);
+	s->gen_name = estrdup(name);
 	output_name(s->gen_name);
 	s->stype = SUndefined;
 	hashtabadd(htab, s);
    }
    return s;
 }
 static int
 checkfunc(void *ptr, void *arg)
 {
    Symbol *s = ptr;
    if (s->stype == SUndefined) {
 	error_message("%s is still undefined\n", s->name);
 	*(int *) arg = 1;
    }
    return 0;
 }
 int
 checkundefined(void)
 {
    int f = 0;
    hashtabforeach(htab, checkfunc, &f);
    return f;
 }
--- a/source/heimdal/lib/asn1/symbol.h
+++ b/source/heimdal/lib/asn1/symbol.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -31,63 +31,108 @@
 * SUCH DAMAGE. 
 */
-/* $Id: symbol.h,v 1.11 2003/10/03 00:28:29 lha Exp $ */
+/* $Id: symbol.h,v 1.12 2005/07/12 06:27:40 lha Exp $ */
 #ifndef _SYMBOL_H
 #define _SYMBOL_H
 #include "asn1_queue.h"
 enum typetype { 
    TApplication,
    TBitString,
    TBoolean,
    TChoice, 
    TEnumerated,
    TGeneralString, 
    TGeneralizedTime, 
    TIA5String,
    TInteger, 
    TNull,
    TOID, 
    TOctetString, 
    TPrintableString,
    TSequence, 
    TSequenceOf,
    TSet, 
    TSetOf,
    TTag, 
    TType, 
-    TUInteger,
+    TUTCTime, 
-    TUTF8String
+    TUTF8String,
    TBMPString,
    TUniversalString
 };
 typedef enum typetype Typetype;
 struct type;
 struct value {
    enum { booleanvalue, 
 	   nullvalue, 
 	   integervalue, 
 	   stringvalue, 
 	   objectidentifiervalue
    } type;
    union {
 	int booleanvalue;
 	int integervalue;
 	char *stringvalue;
 	struct objid *objectidentifiervalue;
    } u;
 };
 struct member {
    char *name;
    char *gen_name;
    char *label;
    int val;
    int optional;
    int ellipsis;
    struct type *type;
-  struct member *next, *prev;
+    ASN1_TAILQ_ENTRY(member) members;
-  char *defval;
+    struct value *defval;
 };
 typedef struct member Member;
 ASN1_TAILQ_HEAD(memhead, member);
 struct symbol;
 struct tagtype {
    int tagclass;
    int tagvalue;
    enum { TE_IMPLICIT, TE_EXPLICIT } tagenv;
 };
 struct range {
    int min;
    int max;
 };
 struct type {
    Typetype type;
-  int application;
+    struct memhead *members;
  Member *members;
  struct type *subtype;
    struct symbol *symbol;
    struct type *subtype;
    struct tagtype tag;
    struct range *range;
 };
 typedef struct type Type;
 struct objid {
    const char *label;
    int value;
    struct objid *next;
 };
 struct symbol {
    char *name;
    char *gen_name;
-  enum { SUndefined, SConstant, Stype } stype;
+    enum { SUndefined, SValue, Stype } stype;
-  int constant;
+    struct value *value;
    Type *type;
 };
@ -96,4 +141,5 @@ typedef struct symbol Symbol;
 void initsym (void);
 Symbol *addsym (char *);
 void output_name (char *);
 int checkundefined(void);
 #endif
--- a/source/heimdal/lib/asn1/test.asn1
+++ b/source/heimdal/lib/asn1/test.asn1
@ -0,0 +1,48 @@
 -- $Id: test.asn1,v 1.5 2005/07/21 20:48:27 lha Exp $ --
 TEST DEFINITIONS ::=
 BEGIN
 TESTLargeTag ::= SEQUENCE {
 	foo[127] INTEGER (-2147483648..2147483647)
 }
 TESTSeq ::= SEQUENCE {
 	tag0[0] INTEGER (-2147483648..2147483647),
 	tag1[1] TESTLargeTag,
 	tagless INTEGER (-2147483648..2147483647),
 	tag3[2] INTEGER (-2147483648..2147483647)
 }
 TESTChoice1 ::= CHOICE {
 	i1[1]	INTEGER (-2147483648..2147483647),
 	i2[2]	INTEGER (-2147483648..2147483647),
 	...	
 }
 TESTChoice2 ::= CHOICE {
 	i1[1]	INTEGER (-2147483648..2147483647),
 	...	
 }
 TESTInteger ::= INTEGER (-2147483648..2147483647)
 TESTInteger2 ::= [4] IMPLICIT TESTInteger
 TESTInteger3 ::= [5] IMPLICIT TESTInteger2
 TESTImplicit ::= SEQUENCE {
 	ti1[0] IMPLICIT INTEGER (-2147483648..2147483647),
 	ti2[1] IMPLICIT SEQUENCE { 
 		foo[127] INTEGER (-2147483648..2147483647)
 	},
 	ti3[2] IMPLICIT [5] IMPLICIT [4] IMPLICIT INTEGER (-2147483648..2147483647)
 }
 TESTImplicit2 ::= SEQUENCE {
 	ti1[0] IMPLICIT TESTInteger,
 	ti2[1] IMPLICIT TESTLargeTag,
 	ti3[2] IMPLICIT TESTInteger3
 }
 END
--- a/source/heimdal/lib/asn1/test.gen
+++ b/source/heimdal/lib/asn1/test.gen
@ -0,0 +1,14 @@
 # $Id: test.gen,v 1.2 2005/07/12 06:27:41 lha Exp $
 # Sample for TESTSeq in test.asn1
 #
 UNIV CONS Sequence 23
  CONTEXT CONS 0 3
    UNIV PRIM Integer 1 01
   CONTEXT CONS 1 8
     UNIV CONS Sequence 6
       CONTEXT CONS 127 3
         UNIV PRIM Integer 1 01
   UNIV PRIM Integer 1 01
   CONTEXT CONS 2 3
     UNIV PRIM Integer 1 01
--- a/source/heimdal/lib/com_err/lex.c
+++ b/source/heimdal/lib/com_err/lex.c
--- a/source/heimdal/lib/com_err/parse.c
+++ b/source/heimdal/lib/com_err/parse.c
@ -1,7 +1,7 @@
-/* A Bison parser, made by GNU Bison 1.875d.  */
+/* A Bison parser, made by GNU Bison 1.875c.  */
 /* Skeleton parser for Yacc-like parsing with Bison,
-   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@ -209,7 +209,7 @@ typedef union YYSTYPE {
 /* A type that is properly aligned for any stack member.  */
 union yyalloc
 {
-  short int yyss;
+  short yyss;
  YYSTYPE yyvs;
  };
@ -219,7 +219,7 @@ union yyalloc
 /* The size of an array large to enough to hold all stacks, each with
   N elements.  */
 # define YYSTACK_BYTES(N) \
-     ((N) * (sizeof (short int) + sizeof (YYSTYPE))			\
+     ((N) * (sizeof (short) + sizeof (YYSTYPE))				\
      + YYSTACK_GAP_MAXIMUM)
 /* Copy COUNT objects from FROM to TO.  The source and destination do
@ -261,7 +261,7 @@ union yyalloc
 #if defined (__STDC__) || defined (__cplusplus)
   typedef signed char yysigned_char;
 #else
-   typedef short int yysigned_char;
+   typedef short yysigned_char;
 #endif
 /* YYFINAL -- State number of the termination state. */
@ -358,7 +358,7 @@ static const char *const yytname[] =
 # ifdef YYPRINT
 /* YYTOKNUM[YYLEX-NUM] -- Internal token number corresponding to
   token YYLEX-NUM.  */
-static const unsigned short int yytoknum[] =
+static const unsigned short yytoknum[] =
 {
       0,   256,   257,   258,   259,   260,   261,   262,   263,   264,
     265,    44
@ -550,12 +550,12 @@ do {								\
 #if defined (__STDC__) || defined (__cplusplus)
 static void
-yy_stack_print (short int *bottom, short int *top)
+yy_stack_print (short *bottom, short *top)
 #else
 static void
 yy_stack_print (bottom, top)
-    short int *bottom;
+    short *bottom;
-    short int *top;
+    short *top;
 #endif
 {
  YYFPRINTF (stderr, "Stack now");
@ -822,9 +822,9 @@ yyparse ()
     to reallocate them elsewhere.  */
  /* The state stack.  */
-  short int yyssa[YYINITDEPTH];
+  short	yyssa[YYINITDEPTH];
-  short int *yyss = yyssa;
+  short *yyss = yyssa;
-  register short int *yyssp;
+  register short *yyssp;
  /* The semantic value stack.  */
  YYSTYPE yyvsa[YYINITDEPTH];
@ -861,7 +861,6 @@ yyparse ()
  yyssp = yyss;
  yyvsp = yyvs;
  goto yysetstate;
 /*------------------------------------------------------------.
@ -887,7 +886,7 @@ yyparse ()
 	   these so that the &'s don't force the real ones into
 	   memory.  */
 	YYSTYPE *yyvs1 = yyvs;
-	short int *yyss1 = yyss;
+	short *yyss1 = yyss;
 	/* Each stack pointer address is followed by the size of the
@ -915,7 +914,7 @@ yyparse ()
 	yystacksize = YYMAXDEPTH;
      {
-	short int *yyss1 = yyss;
+	short *yyss1 = yyss;
 	union yyalloc *yyptr =
 	  (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
 	if (! yyptr)
@ -1134,8 +1133,8 @@ yyreduce:
    }
-/* Line 1010 of yacc.c.  */
+/* Line 1000 of yacc.c.  */
-#line 1139 "$base.c"
+#line 1138 "$base.c"
  yyvsp -= yylen;
  yyssp -= yylen;
--- a/source/heimdal/lib/com_err/parse.h
+++ b/source/heimdal/lib/com_err/parse.h
@ -1,7 +1,7 @@
-/* A Bison parser, made by GNU Bison 1.875d.  */
+/* A Bison parser, made by GNU Bison 1.875c.  */
 /* Skeleton parser for Yacc-like parsing with Bison,
-   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@ -57,7 +57,7 @@ typedef union YYSTYPE {
  char *string;
  int number;
 } YYSTYPE;
-/* Line 1285 of yacc.c.  */
+/* Line 1275 of yacc.c.  */
 #line 62 "parse.h"
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
--- a/source/heimdal/lib/des/des.c
+++ b/source/heimdal/lib/des/des.c
@ -45,7 +45,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: des.c,v 1.14 2005/06/18 22:47:17 lha Exp $");
+RCSID("$Id: des.c,v 1.15 2005/07/20 10:49:22 lha Exp $");
 #endif
 #include <stdio.h>
@ -267,9 +267,11 @@ DES_ecb_encrypt(DES_cblock *input, DES_cblock *output,
 */
 void
-DES_cbc_encrypt(unsigned char *input, unsigned char *output, long length,
+DES_cbc_encrypt(const void *in, void *out, long length,
 		DES_key_schedule *ks, DES_cblock *iv, int forward_encrypt)
 {
    const unsigned char *input = in;
    unsigned char *output = out;
    uint32_t u[2];
    uint32_t uiv[2];
@ -328,9 +330,11 @@ DES_cbc_encrypt(unsigned char *input, unsigned char *output, long length,
 */
 void
-DES_pcbc_encrypt(unsigned char *input, unsigned char *output, long length,
+DES_pcbc_encrypt(const void *in, void *out, long length,
 		 DES_key_schedule *ks, DES_cblock *iv, int forward_encrypt)
 {
    const unsigned char *input = in;
    unsigned char *output = out;
    uint32_t u[2];
    uint32_t uiv[2];
@ -430,11 +434,13 @@ DES_ecb3_encrypt(DES_cblock *input,
 */
 void
-DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
+DES_ede3_cbc_encrypt(const void *in, void *out,
 		     long length, DES_key_schedule *ks1, 
 		     DES_key_schedule *ks2, DES_key_schedule *ks3,
 		     DES_cblock *iv, int forward_encrypt)
 {
    const unsigned char *input = in;
    unsigned char *output = out;
    uint32_t u[2];
    uint32_t uiv[2];
@ -494,10 +500,12 @@ DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
 */
 void
-DES_cfb64_encrypt(unsigned char *input, unsigned char *output, 
+DES_cfb64_encrypt(const void *in, void *out, 
 		  long length, DES_key_schedule *ks, DES_cblock *iv,
 		  int *num, int forward_encrypt)
 {
    const unsigned char *input = in;
    unsigned char *output = out;
    unsigned char tmp[DES_CBLOCK_LEN];
    uint32_t uiv[2];
@ -555,9 +563,10 @@ DES_cfb64_encrypt(unsigned char *input, unsigned char *output,
 */
 uint32_t
-DES_cbc_cksum(const unsigned char *input, DES_cblock *output,
+DES_cbc_cksum(const void *in, DES_cblock *output,
 	      long length, DES_key_schedule *ks, DES_cblock *iv)
 {
    const unsigned char *input = in;
    uint32_t uiv[2];
    uint32_t u[2] = { 0, 0 };
--- a/source/heimdal/lib/des/des.h
+++ b/source/heimdal/lib/des/des.h
@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 */
-/* $Id: des.h,v 1.23 2005/04/30 14:09:50 lha Exp $ */
+/* $Id: des.h,v 1.24 2005/07/20 10:49:23 lha Exp $ */
 #ifndef _DESperate_H
 #define _DESperate_H 1
@ -59,10 +59,10 @@ int	DES_read_password(DES_cblock *, char *, int);
 int	UI_UTIL_read_pw_string(char *, int, const char *, int); /* XXX */
-void	DES_rand_data(unsigned char *, int);
+void	DES_rand_data(void *, int);
 void	DES_set_random_generator_seed(DES_cblock *);
 void	DES_generate_random_block(DES_cblock *);
-void	DES_set_sequence_number(unsigned char *);
+void	DES_set_sequence_number(void *);
 void 	DES_init_random_number_generator(DES_cblock *);
 void	DES_random_key(DES_cblock *);
@ -71,18 +71,18 @@ void	DES_encrypt(uint32_t [2], DES_key_schedule *, int);
 void	DES_ecb_encrypt(DES_cblock *, DES_cblock *, DES_key_schedule *, int);
 void	DES_ecb3_encrypt(DES_cblock *,DES_cblock *, DES_key_schedule *,
 			 DES_key_schedule *, DES_key_schedule *, int);
-void	DES_pcbc_encrypt(unsigned char *, unsigned char *, long,
+void	DES_pcbc_encrypt(const void *, void *, long,
 			 DES_key_schedule *, DES_cblock *, int);
-void	DES_cbc_encrypt(unsigned char *, unsigned char *, long,
+void	DES_cbc_encrypt(const void *, void *, long,
 			DES_key_schedule *, DES_cblock *, int);
-void	DES_ede3_cbc_encrypt(const unsigned char *, unsigned char *, long, 
+void	DES_ede3_cbc_encrypt(const void *, void *, long, 
 			     DES_key_schedule *, DES_key_schedule *, 
 			     DES_key_schedule *, DES_cblock *, int);
-void DES_cfb64_encrypt(unsigned char *, unsigned char *, long,
+void DES_cfb64_encrypt(const void *, void *, long,
 		       DES_key_schedule *, DES_cblock *, int *, int);
-uint32_t DES_cbc_cksum(const unsigned char *, DES_cblock *,
+uint32_t DES_cbc_cksum(const void *, DES_cblock *,
 		      long, DES_key_schedule *, DES_cblock *);
--- a/source/heimdal/lib/des/rnd_keys.c
+++ b/source/heimdal/lib/des/rnd_keys.c
@ -34,7 +34,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
-RCSID("$Id: rnd_keys.c,v 1.68 2005/06/29 22:28:10 lha Exp $");
+RCSID("$Id: rnd_keys.c,v 1.69 2005/07/20 10:49:24 lha Exp $");
 #endif
 #ifdef KRB5
@ -240,8 +240,9 @@ static RETSIGTYPE
 * It's not neccessary to be root to run it.
 */
 void
-DES_rand_data(unsigned char *data, int size)
+DES_rand_data(void *outdata, int size)
 {
    unsigned char *data = outdata;
    struct itimerval tv, otv;
    RETSIGTYPE (*osa)(int);
    int i, j;
@ -388,7 +389,7 @@ memcpy((char *)sequence_index, (ll), sizeof(sequence_index));
 * Set the sequnce number to this value (a long long).
 */
 void
-DES_set_sequence_number(unsigned char *ll)
+DES_set_sequence_number(void *ll)
 {
    set_sequence_number(ll);
 }
--- a/source/heimdal/lib/gssapi/accept_sec_context.c
+++ b/source/heimdal/lib/gssapi/accept_sec_context.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -1051,28 +1051,27 @@ spnego_accept_sec_context
 }
 OM_uint32
-gss_accept_sec_context(
+gss_accept_sec_context
-	OM_uint32 * minor_status,
+           (OM_uint32 * minor_status,
            gss_ctx_id_t * context_handle,
            const gss_cred_id_t acceptor_cred_handle,
-	const gss_buffer_t input_token,
+            const gss_buffer_t input_token_buffer,
            const gss_channel_bindings_t input_chan_bindings,
            gss_name_t * src_name,
-	gss_OID * actual_mech_type,
+            gss_OID * mech_type,
            gss_buffer_t output_token,
            OM_uint32 * ret_flags,
            OM_uint32 * time_rec,
-	gss_cred_id_t * delegated_cred_handle)
+            gss_cred_id_t * delegated_cred_handle
           )
 {
    ssize_t mech_len;
    const u_char *p;
 	GSSAPI_KRB5_INIT ();
    *minor_status = 0;
 	if (src_name)			*src_name		= GSS_C_NO_NAME;
-	if (actual_mech_type)		*actual_mech_type	= GSS_C_NO_OID;
+    if (mech_type)		*mech_type	= GSS_C_NO_OID;
 	output_token->length = 0;
 	output_token->value  = NULL;
@ -1081,8 +1080,8 @@ gss_accept_sec_context(
 	if (time_rec)			*time_rec		= 0;
 	if (delegated_cred_handle)	*delegated_cred_handle	= NULL;
-	mech_len = gssapi_krb5_get_mech(input_token->value,
+	mech_len = gssapi_krb5_get_mech(input_token_buffer->value,
-					input_token->length,
+					input_token_buffer->length,
 					&p);
 	/* This could be 'dce style' kerberos, where the OID is missing :-( */
@ -1091,10 +1090,10 @@ gss_accept_sec_context(
 		return gsskrb5_accept_sec_context(minor_status,
 						  context_handle,
 						  acceptor_cred_handle,
-						  input_token,
+						  input_token_buffer,
 						  input_chan_bindings,
 						  src_name,
-						  actual_mech_type,
+						  mech_type,
 						  output_token,
 						  ret_flags,
 						  time_rec,
@ -1104,10 +1103,10 @@ gss_accept_sec_context(
 		return spnego_accept_sec_context(minor_status,
 						 context_handle,
 						 acceptor_cred_handle,
-						 input_token,
+						 input_token_buffer,
 						 input_chan_bindings,
 						 src_name,
-						 actual_mech_type,
+						 mech_type,
 						 output_token,
 						 ret_flags,
 						 time_rec,
--- a/source/heimdal/lib/gssapi/init_sec_context.c
+++ b/source/heimdal/lib/gssapi/init_sec_context.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.57 2005/05/30 20:58:29 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.58 2005/07/13 07:00:15 lha Exp $");
 /*
 * copy the addresses from `input_chan_bindings' (if any) to
@ -41,8 +41,7 @@ RCSID("$Id: init_sec_context.c,v 1.57 2005/05/30 20:58:29 lha Exp $");
 */
 static OM_uint32
-gsskrb5_set_addresses(
+set_addresses (krb5_auth_context ac,
 	krb5_auth_context ac,
 	       const gss_channel_bindings_t input_chan_bindings)	       
 {
    /* Port numbers are expected to be in application_data.value, 
@ -136,7 +135,7 @@ _gsskrb5_create_ctx(
 		return GSS_S_FAILURE;
 	}
-	kret = gsskrb5_set_addresses((*context_handle)->auth_context,
+	kret = set_addresses((*context_handle)->auth_context,
 			     input_chan_bindings);
 	if (kret) {
 		*minor_status = kret;
@ -278,8 +277,7 @@ gsskrb5_initiator_ready(
 */
 static void
-gsskrb5_do_delegation(
+do_delegation (krb5_auth_context ac,
 	krb5_auth_context ac,
 	       krb5_ccache ccache,
 	       krb5_creds *cred,
 	       const gss_name_t target_name,
@ -342,8 +340,8 @@ gsskrb5_do_delegation(
 */
 static OM_uint32
-gsskrb5_initiator_start(
+gsskrb5_initiator_start
-	OM_uint32 * minor_status,
+(OM_uint32 * minor_status,
 const gss_cred_id_t initiator_cred_handle,
 gss_ctx_id_t * context_handle,
 const gss_name_t target_name,
@ -354,7 +352,8 @@ gsskrb5_initiator_start(
 const gss_buffer_t input_token,
 gss_buffer_t output_token,
 OM_uint32 * ret_flags,
-	OM_uint32 * time_rec)
+ OM_uint32 * time_rec
    )
 {
    OM_uint32 ret = GSS_S_FAILURE;
    krb5_error_code kret;
@ -425,7 +424,7 @@ gsskrb5_initiator_start(
 		ap_options = 0;
 		if (req_flags & GSS_C_DELEG_FLAG) {
-			gsskrb5_do_delegation((*context_handle)->auth_context,
+			do_delegation((*context_handle)->auth_context,
 					      ccache, cred, target_name, &fwd_data, &flags);
 		}
@ -681,8 +680,8 @@ gsskrb5_initiator_wait_for_mutual(
 }
 static OM_uint32
-gsskrb5_init_sec_context(
+gsskrb5_init_sec_context
-	OM_uint32 * minor_status,
+           (OM_uint32 * minor_status,
            const gss_cred_id_t initiator_cred_handle,
            gss_ctx_id_t * context_handle,
            const gss_name_t target_name,
@ -694,7 +693,8 @@ gsskrb5_init_sec_context(
            gss_OID * actual_mech_type,
            gss_buffer_t output_token,
            OM_uint32 * ret_flags,
-	OM_uint32 * time_rec)
+            OM_uint32 * time_rec
 	   )
 {
 	OM_uint32 ret;
@ -1076,9 +1076,7 @@ spnego_initial
    ni.mechListMIC = NULL;
 #if 0
    {
 	int ret;
 	NegotiationToken nt;
 	nt.element = choice_NegotiationToken_negTokenInit;
@ -1086,47 +1084,10 @@ spnego_initial
 	ASN1_MALLOC_ENCODE(NegotiationToken, buf, buf_size,
 			   &nt, &buf_len, ret);
-	if (buf_size != buf_len)
+	if (ret == 0 && buf_size != buf_len)
 	    abort();
    }
 #else
    ni_len = length_NegTokenInit(&ni);
    buf_size = 1 + length_len(ni_len) + ni_len;
    buf = malloc(buf_size);
    if (buf == NULL) {
 	free_NegTokenInit(&ni);
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
    }
    ret = encode_NegTokenInit(buf + buf_size - 1,
 			      ni_len,
 			      &ni, &buf_len);
    if (ret == 0 && ni_len != buf_len)
 	abort();
    if (ret == 0) {
 	size_t tmp;
 	ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
 				     buf_size - buf_len,
 				     buf_len,
 				     ASN1_C_CONTEXT,
 				     CONS,
 				     0,
 				     &tmp);
 	if (ret == 0 && tmp + buf_len != buf_size)
 	    abort();
    }
    if (ret) {
 	*minor_status = ret;
 	free(buf);
 	free_NegTokenInit(&ni);
 	return GSS_S_FAILURE;
    }
 #endif
    data.data   = buf;
    data.length = buf_size;
@ -1197,8 +1158,8 @@ spnego_init_sec_context
 * gss_init_sec_context
 */
-OM_uint32 gss_init_sec_context(
+OM_uint32 gss_init_sec_context
-	OM_uint32 * minor_status,
+           (OM_uint32 * minor_status,
            const gss_cred_id_t initiator_cred_handle,
            gss_ctx_id_t * context_handle,
            const gss_name_t target_name,
@ -1210,24 +1171,28 @@ OM_uint32 gss_init_sec_context(
            gss_OID * actual_mech_type,
            gss_buffer_t output_token,
            OM_uint32 * ret_flags,
-	OM_uint32 * time_rec)
+            OM_uint32 * time_rec
           )
 {
    GSSAPI_KRB5_INIT ();
 	*minor_status = 0;
 	if (actual_mech_type)	*actual_mech_type	= GSS_C_NO_OID;
    output_token->length = 0;
    output_token->value  = NULL;
-	if (ret_flags)		*ret_flags		= 0;
+    if (ret_flags)
-	if (time_rec)		*time_rec		= 0;
+	*ret_flags = 0;
    if (time_rec)
 	*time_rec = 0;
-	if (target_name == GSS_C_NO_NAME) return GSS_S_BAD_NAME;
+    if (target_name == GSS_C_NO_NAME) {
 	if (actual_mech_type)
 	    *actual_mech_type = GSS_C_NO_OID;
 	*minor_status = 0;
 	return GSS_S_BAD_NAME;
    }
    if (mech_type == GSS_C_NO_OID || 
-	    gss_oid_equal(mech_type, GSS_KRB5_MECHANISM)) {
+	gss_oid_equal(mech_type,  GSS_KRB5_MECHANISM))
 	return gsskrb5_init_sec_context(minor_status,
 					initiator_cred_handle,
 					context_handle,
@ -1241,7 +1206,7 @@ OM_uint32 gss_init_sec_context(
 					output_token,
 					ret_flags,
 					time_rec);
-	} else if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM)) {
+    else if (gss_oid_equal(mech_type, GSS_SPNEGO_MECHANISM))
 	return spnego_init_sec_context (minor_status,
 					initiator_cred_handle,
 					context_handle,
@ -1255,7 +1220,6 @@ OM_uint32 gss_init_sec_context(
 					output_token,
 					ret_flags,
 					time_rec);
-	}
+    else
 	return GSS_S_BAD_MECH;
 }
--- a/source/heimdal/lib/hdb/hdb-private.h
+++ b/source/heimdal/lib/hdb/hdb-private.h
@ -5,10 +5,14 @@
 #include <stdarg.h>
 krb5_error_code
-_hdb_fetch(krb5_context context, HDB *db, unsigned flags, 	   
+_hdb_fetch (
-	   krb5_principal principal,
+	krb5_context /*context*/,
-	   enum hdb_ent_type ent_type,
+	HDB */*db*/,
-	   hdb_entry *entry);
+	unsigned /*flags*/,
 	krb5_principal /*principal*/,
 	enum hdb_ent_type /*ent_type*/,
 	hdb_entry */*entry*/);
 krb5_error_code
 _hdb_remove (
 	krb5_context /*context*/,
--- a/source/heimdal/lib/krb5/crypto.c
+++ b/source/heimdal/lib/krb5/crypto.c
@ -32,7 +32,7 @@
 */
 #include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.123 2005/06/29 22:20:33 lha Exp $");
+RCSID("$Id: crypto.c,v 1.128 2005/07/20 07:22:43 lha Exp $");
 #undef CRYPTO_DEBUG
 #ifdef CRYPTO_DEBUG
@ -2124,7 +2124,8 @@ verify_checksum(krb5_context context,
 	return KRB5_PROG_SUMTYPE_NOSUPP;
    }
    if(ct->checksumsize != cksum->checksum.length) {
-	krb5_clear_error_string (context);
+	krb5_set_error_string (context, "checksum length was %d, but should be %d for checksum type %s",
 			       cksum->checksum.length, ct->checksumsize, ct->name);
 	return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
    }
    keyed_checksum = (ct->flags & F_KEYED) != 0;
@ -2145,8 +2146,11 @@ verify_checksum(krb5_context context,
    (*ct->checksum)(context, dkey, data, len, usage, &c);
-    if(c.checksum.length != cksum->checksum.length || 
+    if(c.checksum.length != cksum->checksum.length) {
-       memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
+ 	krb5_set_error_string (context, "(INTERNAL ERROR) our checksum length was %d, but should be %d for checksum type %s",
 			       c.checksum.length, ct->checksumsize, ct->name);
 	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
    } else if (memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
 	krb5_clear_error_string (context);
 	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
    } else {
@ -3246,7 +3250,7 @@ static krb5_error_code
 encrypt_internal_derived(krb5_context context,
 			 krb5_crypto crypto,
 			 unsigned usage,
-			 void *data,
+			 const void *data,
 			 size_t len,
 			 krb5_data *result,
 			 void *ivec)
@ -3315,7 +3319,7 @@ encrypt_internal_derived(krb5_context context,
 static krb5_error_code
 encrypt_internal(krb5_context context,
 		 krb5_crypto crypto,
-		 void *data,
+		 const void *data,
 		 size_t len,
 		 krb5_data *result,
 		 void *ivec)
@ -3395,7 +3399,7 @@ static krb5_error_code
 encrypt_internal_special(krb5_context context,
 			 krb5_crypto crypto,
 			 int usage,
-			 void *data,
+			 const void *data,
 			 size_t len,
 			 krb5_data *result,
 			 void *ivec)
@ -3624,7 +3628,7 @@ krb5_error_code KRB5_LIB_FUNCTION
 krb5_encrypt_ivec(krb5_context context,
 		  krb5_crypto crypto,
 		  unsigned usage,
-		  void *data,
+		  const void *data,
 		  size_t len,
 		  krb5_data *result,
 		  void *ivec)
@ -3643,7 +3647,7 @@ krb5_error_code KRB5_LIB_FUNCTION
 krb5_encrypt(krb5_context context,
 	     krb5_crypto crypto,
 	     unsigned usage,
-	     void *data,
+	     const void *data,
 	     size_t len,
 	     krb5_data *result)
 {
@ -4228,14 +4232,9 @@ wrapped_length (krb5_context context,
 {
    struct encryption_type *et = crypto->et;
    size_t padsize = et->padsize;
-    size_t checksumsize;
+    size_t checksumsize = CHECKSUMSIZE(et->checksum);
    size_t res;
    if (et->keyed_checksum)
 	checksumsize = et->keyed_checksum->checksumsize;
    else
 	checksumsize = et->checksum->checksumsize;
    res =  et->confoundersize + checksumsize + data_len;
    res =  (res + padsize - 1) / padsize * padsize;
    return res;
@ -4306,6 +4305,65 @@ krb5_random_to_key(krb5_context context,
    return 0;
 }
 krb5_error_code
 _krb5_pk_octetstring2key(krb5_context context,
 			 krb5_enctype type,
 			 const void *dhdata,
 			 size_t dhsize,
 			 const heim_octet_string *c_n,
 			 const heim_octet_string *k_n,
 			 krb5_keyblock *key)
 {
    struct encryption_type *et = _find_enctype(type);
    krb5_error_code ret;
    size_t keylen, offset;
    void *keydata;
    unsigned char counter;
    unsigned char shaoutput[20];
    if(et == NULL) {
 	krb5_set_error_string(context, "encryption type %d not supported",
 			      type);
 	return KRB5_PROG_ETYPE_NOSUPP;
    }
    keylen = (et->keytype->bits + 7) / 8;
    keydata = malloc(keylen);
    if (keydata == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
    }
    counter = 0;
    offset = 0;
    do {
 	SHA_CTX m;
 	SHA1_Init(&m);
 	SHA1_Update(&m, &counter, 1);
 	SHA1_Update(&m, dhdata, dhsize);
 	if (c_n)
 	    SHA1_Update(&m, c_n->data, c_n->length);
 	if (k_n)
 	    SHA1_Update(&m, k_n->data, k_n->length);
 	SHA1_Final(shaoutput, &m);
 	memcpy((unsigned char *)keydata + offset,
 	       shaoutput,
 	       min(keylen - offset, sizeof(shaoutput)));
 	offset += sizeof(shaoutput);
 	counter++;
    } while(offset < keylen);
    memset(shaoutput, 0, sizeof(shaoutput));
    ret = krb5_random_to_key(context, type, keydata, keylen, key);
    memset(keydata, 0, sizeof(keylen));
    free(keydata);
    return ret;
 }
 #ifdef CRYPTO_DEBUG
 static krb5_error_code
--- a/source/heimdal/lib/krb5/get_cred.c
+++ b/source/heimdal/lib/krb5/get_cred.c
@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$Id: get_cred.c,v 1.107 2005/06/16 22:57:14 lha Exp $");
+RCSID("$Id: get_cred.c,v 1.108 2005/07/13 07:38:02 lha Exp $");
 /*
 * Take the `body' and encode it into `padata' using the credentials
@ -837,10 +837,6 @@ krb5_get_credentials_with_flags(krb5_context context,
    if (in_creds->session.keytype)
 	options |= KRB5_TC_MATCH_KEYTYPE;
    ret = krb5_cc_retrieve_cred(context,
 				ccache,
 				options,
 				in_creds, res_creds);
    /* 
     * If we got a credential, check if credential is expired before
     * returning it.
--- a/source/heimdal/lib/krb5/keytab.c
+++ b/source/heimdal/lib/krb5/keytab.c
@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: keytab.c,v 1.60 2005/05/19 14:04:45 lha Exp $");
+RCSID("$Id: keytab.c,v 1.62 2005/07/06 01:14:42 lha Exp $");
 /*
 * Register a new keytab in `ops'
@ -240,8 +240,8 @@ krb5_kt_get_name(krb5_context context,
 }
 /*
- * Finish using the keytab in `id'.  All resources will be released.
+ * Finish using the keytab in `id'.  All resources will be released,
- * Return 0 or an error.
+ * even on errors.  Return 0 or an error.
 */
 krb5_error_code KRB5_LIB_FUNCTION
@ -251,7 +251,7 @@ krb5_kt_close(krb5_context context,
    krb5_error_code ret;
    ret = (*id->close)(context, id);
-    if(ret == 0)
+    memset(id, 0, sizeof(*id));
    free(id);
    return ret;
 }
@ -302,8 +302,10 @@ krb5_kt_get_entry(krb5_context context,
 	return (*id->get)(context, id, principal, kvno, enctype, entry);
    ret = krb5_kt_start_seq_get (context, id, &cursor);
-    if (ret)
+    if (ret) {
 	krb5_clear_error_string(context);
 	return KRB5_KT_NOTFOUND; /* XXX i.e. file not found */
    }
    entry->vno = 0;
    while (krb5_kt_next_entry(context, id, &tmp, &cursor) == 0) {
--- a/source/heimdal/lib/krb5/keytab_file.c
+++ b/source/heimdal/lib/krb5/keytab_file.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: keytab_file.c,v 1.18 2005/05/31 21:50:43 lha Exp $");
+RCSID("$Id: keytab_file.c,v 1.20 2005/07/13 06:08:07 lha Exp $");
 #define KRB5_KT_VNO_1 1
 #define KRB5_KT_VNO_2 2
@ -332,6 +332,12 @@ fkt_start_seq_get_int(krb5_context context,
 	return ret;
    }
    c->sp = krb5_storage_from_fd(c->fd);
    if (c->sp == NULL) {
 	_krb5_xunlock(context, c->fd);
 	close(c->fd);
 	krb5_set_error_string (context, "malloc: out of memory");
 	return ENOMEM;
    }
    krb5_storage_set_eof_code(c->sp, KRB5_KT_END);
    ret = krb5_ret_int8(c->sp, &pvno);
    if(ret) {
--- a/source/heimdal/lib/krb5/krb5-private.h
+++ b/source/heimdal/lib/krb5/krb5-private.h
@ -329,6 +329,14 @@ _krb5_put_int (
 	unsigned long /*value*/,
 	size_t /*size*/);
 krb5_error_code KRB5_LIB_FUNCTION
 _krb5_rd_rep_type (
 	krb5_context /*context*/,
 	krb5_auth_context /*auth_context*/,
 	const krb5_data */*inbuf*/,
 	krb5_ap_rep_enc_part **/*repl*/,
 	krb5_boolean /*dce_style_response*/);
 int
 _krb5_send_and_recv_tcp (
 	int /*fd*/,
@ -348,11 +356,4 @@ _krb5_xunlock (
 	krb5_context /*context*/,
 	int /*fd*/);
 krb5_error_code KRB5_LIB_FUNCTION
 _krb5_rd_rep_type(krb5_context context,
 		 krb5_auth_context auth_context,
 		 const krb5_data *inbuf,
 		 krb5_ap_rep_enc_part **repl,
 		  krb5_boolean dce_style_response);
 #endif /* __krb5_private_h__ */
--- a/source/heimdal/lib/krb5/krb5-protos.h
+++ b/source/heimdal/lib/krb5/krb5-protos.h
@ -1305,7 +1305,7 @@ krb5_encrypt (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
 	unsigned /*usage*/,
-	void */*data*/,
+	const void */*data*/,
 	size_t /*len*/,
 	krb5_data */*result*/);
@ -1324,7 +1324,7 @@ krb5_encrypt_ivec (
 	krb5_context /*context*/,
 	krb5_crypto /*crypto*/,
 	unsigned /*usage*/,
-	void */*data*/,
+	const void */*data*/,
 	size_t /*len*/,
 	krb5_data */*result*/,
 	void */*ivec*/);
@ -2424,7 +2424,7 @@ krb5_principal_get_comp_string (
 const char* KRB5_LIB_FUNCTION
 krb5_principal_get_realm (
 	krb5_context /*context*/,
-	krb5_const_principal /*principal*/);
+	krb5_principal /*principal*/);
 int KRB5_LIB_FUNCTION
 krb5_principal_get_type (
--- a/source/heimdal/lib/krb5/krb5.h
+++ b/source/heimdal/lib/krb5/krb5.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@ -31,7 +31,7 @@
 * SUCH DAMAGE. 
 */
-/* $Id: krb5.h,v 1.236 2005/06/11 00:05:24 lha Exp $ */
+/* $Id: krb5.h,v 1.237 2005/07/09 14:47:21 lha Exp $ */
 #ifndef __KRB5_H__
 #define __KRB5_H__
@ -567,8 +567,8 @@ typedef struct krb5_auth_context_data {
    krb5_rcache rcache;
-    krb5_keytype keytype;	/* ¿requested key type ? */
+    krb5_keytype keytype;	/* ¿requested key type ? */
-    krb5_cksumtype cksumtype;	/* ¡requested checksum type! */
+    krb5_cksumtype cksumtype;	/* ¡requested checksum type! */
 }krb5_auth_context_data, *krb5_auth_context;
@ -617,28 +617,28 @@ typedef struct _krb5_prompt {
    krb5_prompt_type type;
 } krb5_prompt;
-typedef int (*krb5_prompter_fct)(krb5_context context,
+typedef int (*krb5_prompter_fct)(krb5_context /*context*/,
-				 void *data,
+				 void * /*data*/,
-				 const char *name,
+				 const char * /*name*/,
-				 const char *banner,
+				 const char * /*banner*/,
-				 int num_prompts,
+				 int /*num_prompts*/,
-				 krb5_prompt prompts[]);
+				 krb5_prompt /*prompts*/[]);
-typedef krb5_error_code (*krb5_key_proc)(krb5_context context,
+typedef krb5_error_code (*krb5_key_proc)(krb5_context /*context*/,
-					 krb5_enctype type,
+					 krb5_enctype /*type*/,
-					 krb5_salt salt,
+					 krb5_salt /*salt*/,
-					 krb5_const_pointer keyseed,
+					 krb5_const_pointer /*keyseed*/,
-					 krb5_keyblock **key);
+					 krb5_keyblock ** /*key*/);
-typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context,
+typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context /*context*/,
-					     krb5_keyblock *key,
+					     krb5_keyblock * /*key*/,
-					     krb5_key_usage usage,
+					     krb5_key_usage /*usage*/,
-					     krb5_const_pointer decrypt_arg,
+					     krb5_const_pointer /*decrypt_arg*/,
-					     krb5_kdc_rep *dec_rep);
+					     krb5_kdc_rep * /*dec_rep*/);
-typedef krb5_error_code (*krb5_s2k_proc)(krb5_context context,
+typedef krb5_error_code (*krb5_s2k_proc)(krb5_context /*context*/,
-					 krb5_enctype type,
+					 krb5_enctype /*type*/,
-					 krb5_const_pointer keyseed,
+					 krb5_const_pointer /*keyseed*/,
-					 krb5_salt salt,
+					 krb5_salt /*salt*/,
-					 krb5_data *s2kparms,
+					 krb5_data * /*s2kparms*/,
-					 krb5_keyblock **key);
+					 krb5_keyblock ** /*key*/);
 struct _krb5_get_init_creds_opt_private;
--- a/source/heimdal/lib/krb5/pkinit.c
+++ b/source/heimdal/lib/krb5/pkinit.c
@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$Id: pkinit.c,v 1.55 2005/05/19 18:49:05 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.58 2005/07/23 10:42:01 lha Exp $");
 #ifdef PKINIT
@ -407,34 +407,25 @@ _krb5_pk_create_sign(krb5_context context,
 	goto out;
    }
-    sd.certificates->data = NULL;
+    i = sk_X509_num(id->cert);
-    sd.certificates->length = 0;
+    sd.certificates->val = malloc(sizeof(sd.certificates->val[0]) * i);
    if (sd.certificates->val == NULL) {
 	krb5_clear_error_string(context);
 	ret = ENOMEM;
 	goto out;
    }
    sd.certificates->len = i;
    for (i = 0; i < sk_X509_num(id->cert); i++) {
 	void *data;
 	OPENSSL_ASN1_MALLOC_ENCODE(X509, 
-				   buf.data,
+				   sd.certificates->val[i].data,
-				   buf.length,
+				   sd.certificates->val[i].length,
 				   sk_X509_value(id->cert, i),
 				   ret);
 	if (ret) {
 	    krb5_clear_error_string(context);
 	    goto out;
 	}
 	data = realloc(sd.certificates->data, 
 		       sd.certificates->length + buf.length);
 	if (data == NULL) {
 	    free(buf.data);
 	    krb5_clear_error_string(context);
 	    ret = ENOMEM;
 	    goto out;
 	}
 	memcpy(((char *)data) + sd.certificates->length,
 	       buf.data, buf.length);
 	sd.certificates->length += buf.length;
 	sd.certificates->data = data;
 	free(buf.data);
    }
    ASN1_MALLOC_ENCODE(SignedData, sd_data->data, sd_data->length, 
@ -563,7 +554,7 @@ build_auth_pack(krb5_context context,
    if (ret == 0 && dh) {
 	DomainParameters dp;
 	heim_integer dh_pub_key;
-	krb5_data buf;
+	krb5_data dhbuf;
 	size_t size;
 	ALLOC(a->clientPublicValue, 1);
@ -615,25 +606,25 @@ build_auth_pack(krb5_context context,
 	if (ret)
 	    return ret;
-	buf.length = length_heim_integer(&dh_pub_key);
+	dhbuf.length = length_heim_integer(&dh_pub_key);
-	buf.data = malloc(buf.length);
+	dhbuf.data = malloc(dhbuf.length);
-	if (buf.data == NULL) {
+	if (dhbuf.data == NULL) {
 	    free_heim_integer(&dh_pub_key);
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    return ret;
 	}
-	ret = der_put_heim_integer((char *)buf.data + buf.length - 1,
+	ret = der_put_heim_integer((char *)dhbuf.data + dhbuf.length - 1,
-				   buf.length, &dh_pub_key, &size);
+				   dhbuf.length, &dh_pub_key, &size);
 	free_heim_integer(&dh_pub_key);
 	if (ret) {
-	    free(buf.data);
+	    free(dhbuf.data);
 	    return ret;
 	}
-	if (size != buf.length)
+	if (size != dhbuf.length)
 	    krb5_abortx(context, "asn1 internal error");
-	a->clientPublicValue->subjectPublicKey.length = buf.length * 8;
+	a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8;
-	a->clientPublicValue->subjectPublicKey.data = buf.data;
+	a->clientPublicValue->subjectPublicKey.data = dhbuf.data;
    }
    return ret;
@ -894,7 +885,7 @@ _krb5_pk_mk_padata(krb5_context context,
    if (provisioning_server) {
 	/* PacketCable requires the PROV-SRV-LOCATION authenticator */
-	const PROV_SRV_LOCATION prov_server = (char *)provisioning_server;
+	const PROV_SRV_LOCATION prov_server = rk_UNCONST(provisioning_server);
 	ASN1_MALLOC_ENCODE(PROV_SRV_LOCATION, buf.data, buf.length,
 			   &prov_server, &size, ret);
@ -1104,7 +1095,7 @@ pk_verify_chain_standard(krb5_context context,
 }
 static int
-cert_to_X509(krb5_context context, CertificateSetReal *set,
+cert_to_X509(krb5_context context, CertificateSet *set,
 	     STACK_OF(X509_CRL) **certs)
 {
    krb5_error_code ret;
@ -1112,6 +1103,9 @@ cert_to_X509(krb5_context context, CertificateSetReal *set,
    *certs = sk_X509_new_null();
    if (set == NULL)
 	return 0;
    ret = 0;
    for (i = 0; i < set->len; i++) {
 	unsigned char *p;
@ -1134,45 +1128,6 @@ cert_to_X509(krb5_context context, CertificateSetReal *set,
    return ret;
 }
 static krb5_error_code
 any_to_CertificateSet(krb5_context context, heim_any *cert, 
 		      CertificateSetReal *set)
 {
    size_t size, len, length;
    heim_any *val;
    int ret;
    char *p;
    set->len = 0;
    set->val = NULL;
    len = 0;
    p = cert->data;
    length = cert->length;
    while (len < cert->length) {
 	val = realloc(set->val, (set->len + 1) * sizeof(set->val[0]));
 	if (val == NULL) {
 	    ret = ENOMEM;
 	    goto out;
 	}
 	set->val = val;
 	ret = decode_heim_any(p, length, &set->val[set->len], &size);
 	if (ret)
 	    goto out;
 	set->len++;
 	p += size;
 	len += size;
 	length -= size;
    }
    return 0;
 out:
    krb5_clear_error_string(context);
    free_CertificateSetReal(set);
    set->val = NULL;
    return ret;
 }
 krb5_error_code KRB5_LIB_FUNCTION
 _krb5_pk_verify_sign(krb5_context context,
 		     const char *data,
@ -1187,7 +1142,6 @@ _krb5_pk_verify_sign(krb5_context context,
    const EVP_MD *evp_type;
    EVP_PKEY *public_key;
    krb5_error_code ret;
    CertificateSetReal set;
    EVP_MD_CTX md;
    X509 *cert;
    SignedData sd;
@ -1227,15 +1181,14 @@ _krb5_pk_verify_sign(krb5_context context,
    signer_info = &sd.signerInfos.val[0];
-    ret = any_to_CertificateSet(context, sd.certificates, &set);
+    {
-    if (ret) {
+	CertificateSet set;
-	krb5_set_error_string(context,
+	set.val = sd.certificates->val;
-			      "PKINIT: failed to decode CertificateSet");
+	set.len = sd.certificates->len;
 	goto out;
    }
 	ret = cert_to_X509(context, &set, &certificates);
-    free_CertificateSetReal(&set);
+	free_CertificateSet(&set);
    }
    if (ret) {
 	krb5_set_error_string(context,
 			      "PKINIT: failed to decode Certificates");
@ -1530,7 +1483,6 @@ pk_rd_pa_reply_enckey(krb5_context context,
    /* win2k uses ContentInfo */
    if (win2k_compat) {
 	ContentInfo ci;
 	size_t size;
 	ret = decode_ContentInfo(p, length, &ci, &size);
 	if (ret) {
@ -1604,6 +1556,8 @@ pk_rd_pa_reply_dh(krb5_context context,
                  ContentInfo *rep,
 		  krb5_pk_init_ctx ctx,
 		  krb5_enctype etype,
 		  const DHNonce *c_n,
 		  const DHNonce *k_n,
                  unsigned nonce,
                  PA_DATA *pa,
                  krb5_keyblock **key)
@ -1666,6 +1620,30 @@ pk_rd_pa_reply_dh(krb5_context context,
 	goto out;
    }
    if (kdc_dh_info.dhKeyExpiration) {
 	if (k_n == NULL) {
 	    krb5_set_error_string(context, "pkinit; got key expiration "
 				  "without server nonce");
 	    ret = KRB5KRB_ERR_GENERIC;
 	    goto out;
 	}
 	if (c_n == NULL) {
 	    krb5_set_error_string(context, "pkinit; got DH reuse but no "
 				  "client nonce");
 	    ret = KRB5KRB_ERR_GENERIC;
 	    goto out;
 	}
    } else {
 	if (k_n) {
 	    krb5_set_error_string(context, "pkinit; got server nonce "
 				  "without key expiration");
 	    ret = KRB5KRB_ERR_GENERIC;
 	    goto out;
 	}
 	c_n = NULL;
    }
    p = kdc_dh_info.subjectPublicKey.data;
    size = (kdc_dh_info.subjectPublicKey.length + 7) / 8;
    dh_pub_key = d2i_ASN1_INTEGER(NULL, &p, size);
@ -1684,14 +1662,21 @@ pk_rd_pa_reply_dh(krb5_context context,
 	goto out;
    }
-    dh_gen_key = malloc(DH_size(ctx->dh));
+    dh_gen_keylen = DH_size(ctx->dh);
    size = BN_num_bytes(ctx->dh->p);
    if (size < dh_gen_keylen)
 	size = dh_gen_keylen;
    dh_gen_key = malloc(size);
    if (dh_gen_key == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	ret = ENOMEM;
 	goto out;
    }
    memset(dh_gen_key, 0, size - dh_gen_keylen);
-    dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->dh);
+    dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
 				   kdc_dh_pubkey, ctx->dh);
    if (dh_gen_keylen == -1) {
 	krb5_set_error_string(context, 
 			      "PKINIT: Can't compute Diffie-Hellman key (%s)",
@ -1707,7 +1692,11 @@ pk_rd_pa_reply_dh(krb5_context context,
 	goto out;
    }
-    ret = krb5_random_to_key(context, etype, dh_gen_key, dh_gen_keylen, *key);
+    ret = _krb5_pk_octetstring2key(context,
 				   etype,
 				   dh_gen_key, dh_gen_keylen,
 				   c_n, k_n,
 				   *key);
    if (ret) {
 	krb5_set_error_string(context,
 			      "PKINIT: can't create key from DH key");
@ -1761,6 +1750,25 @@ _krb5_pk_rd_pa_reply(krb5_context context,
 	    return ret;
 	switch (rep.element) {
 	case choice_PA_PK_AS_REP_dhInfo:
 	    ret = decode_ContentInfo(rep.u.dhInfo.dhSignedData.data,
 				     rep.u.dhInfo.dhSignedData.length,
 				     &ci,
 				     &size);
 	    if (ret) {
 		krb5_set_error_string(context,
 				      "PKINIT: -25 decoding failed DH "
 				      "ContentInfo: %d", ret);
 		free_PA_PK_AS_REP(&rep);
 		break;
 	    }
 	    ret = pk_rd_pa_reply_dh(context, &ci, ctx,
 				    etype, NULL, NULL, nonce, pa, key);
 	    free_ContentInfo(&ci);
 	    free_PA_PK_AS_REP(&rep);
 	    break;
 	case choice_PA_PK_AS_REP_encKeyPack:
 	    ret = decode_ContentInfo(rep.u.encKeyPack.data,
 				     rep.u.encKeyPack.length,
@ -1799,7 +1807,8 @@ _krb5_pk_rd_pa_reply(krb5_context context,
 	    switch(rep19.element) {
 	    case choice_PA_PK_AS_REP_19_dhSignedData:
 		ret = pk_rd_pa_reply_dh(context, &rep19.u.dhSignedData, ctx,
-					etype, nonce, pa, key);
+					etype, NULL, NULL, 
 					nonce, pa, key);
 		break;
 	    case choice_PA_PK_AS_REP_19_encKeyPack:
 		ret = pk_rd_pa_reply_enckey(context, 0,
@ -2314,8 +2323,8 @@ _krb5_pk_load_openssl_id(krb5_context context,
    FILE *f;
    krb5_error_code (*load_pair)(krb5_context, 
 				 char *, 
-				 krb5_prompter_fct prompter,
+				 krb5_prompter_fct,
-				 void * prompter_data,
+				 void *,
 				 const char *,
 				 struct krb5_pk_identity *) = NULL;
@ -2553,24 +2562,29 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
 	dh = DH_new();
 	if (dh == NULL) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    _krb5_get_init_creds_opt_free_pkinit(opt);
 	    return ENOMEM;
 	}
 	opt->private->pk_init_ctx->dh = dh;
 	if (!BN_hex2bn(&dh->p, P)) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    _krb5_get_init_creds_opt_free_pkinit(opt);
 	    return ENOMEM;
 	}
 	if (!BN_hex2bn(&dh->g, G)) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    _krb5_get_init_creds_opt_free_pkinit(opt);
 	    return ENOMEM;
 	}
 	if (!BN_hex2bn(&dh->q, Q)) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    _krb5_get_init_creds_opt_free_pkinit(opt);
 	    return ENOMEM;
 	}
 	/* XXX generate a new key for each request ? */
 	if (DH_generate_key(dh) != 1) {
 	    krb5_set_error_string(context, "malloc: out of memory");
 	    _krb5_get_init_creds_opt_free_pkinit(opt);
 	    return ENOMEM;
 	}
--- a/source/heimdal/lib/krb5/principal.c
+++ b/source/heimdal/lib/krb5/principal.c
@ -76,7 +76,7 @@ krb5_principal_get_type(krb5_context context,
 const char* KRB5_LIB_FUNCTION
 krb5_principal_get_realm(krb5_context context,
-			 krb5_const_principal principal)
+			 krb5_principal principal)
 {
    return princ_realm(principal);
 }			 
@ -235,19 +235,19 @@ static const char replace_chars[] = " ntb\\/@";
 #define add_char(BASE, INDEX, LEN, C) do { if((INDEX) < (LEN)) (BASE)[(INDEX)++] = (C); }while(0);
 static size_t
-quote_string(const char *s, char *out, size_t string_index, size_t len)
+quote_string(const char *s, char *out, size_t idx, size_t len)
 {
    const char *p, *q;
-    for(p = s; *p && string_index < len; p++){
+    for(p = s; *p && idx < len; p++){
 	if((q = strchr(quotable_chars, *p))){
-	    add_char(out, string_index, len, '\\');
+	    add_char(out, idx, len, '\\');
-	    add_char(out, string_index, len, replace_chars[q - quotable_chars]);
+	    add_char(out, idx, len, replace_chars[q - quotable_chars]);
 	}else
-	    add_char(out, string_index, len, *p);
+	    add_char(out, idx, len, *p);
    }
-    if(string_index < len)
+    if(idx < len)
-	out[string_index] = '\0';
+	out[idx] = '\0';
-    return string_index;
+    return idx;
 }
--- a/source/heimdal/lib/krb5/rd_cred.c
+++ b/source/heimdal/lib/krb5/rd_cred.c
@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$Id: rd_cred.c,v 1.23 2005/06/17 04:31:48 lha Exp $");
+RCSID("$Id: rd_cred.c,v 1.24 2005/07/13 08:22:50 lha Exp $");
 static krb5_error_code
 compare_addrs(krb5_context context,
@ -68,6 +68,8 @@ krb5_rd_cred(krb5_context context,
    krb5_crypto crypto;
    int i;
    memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
    if ((auth_context->flags & 
 	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
 	outdata == NULL)
@ -262,9 +264,14 @@ krb5_rd_cred(krb5_context context,
    }
    (*ret_creds)[i] = NULL;
    free_KRB_CRED (&cred);
    free_EncKrbCredPart(&enc_krb_cred_part);
    return 0;
  out:
    free_EncKrbCredPart(&enc_krb_cred_part);
    free_KRB_CRED (&cred);
    if(*ret_creds) {
 	for(i = 0; (*ret_creds)[i]; i++)
--- a/source/heimdal/lib/krb5/test_crypto_wrapping.c
+++ b/source/heimdal/lib/krb5/test_crypto_wrapping.c
@ -0,0 +1,163 @@
 /*
 * Copyright (c) 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions 
 * are met: 
 *
 * 1. Redistributions of source code must retain the above copyright 
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright 
 *    notice, this list of conditions and the following disclaimer in the 
 *    documentation and/or other materials provided with the distribution. 
 *
 * 3. Neither the name of KTH nor the names of its contributors may be
 *    used to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 #include "krb5_locl.h"
 #include <err.h>
 #include <getarg.h>
 RCSID("$Id: test_crypto_wrapping.c,v 1.2 2005/07/09 01:31:43 lha Exp $");
 static void
 test_wrapping(krb5_context context,
 	      size_t min_size,
 	      size_t max_size,
 	      size_t step,
 	      krb5_enctype etype)
 {
    krb5_error_code ret;
    krb5_keyblock key;
    krb5_crypto crypto;
    krb5_data data;
    char *etype_name;
    void *buf;
    size_t size;
    ret = krb5_generate_random_keyblock(context, etype, &key);
    if (ret)
 	krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
    ret = krb5_enctype_to_string(context, etype, &etype_name);
    if (ret)
 	krb5_err(context, 1, ret, "krb5_enctype_to_string");
    buf = malloc(max_size);
    if (buf == NULL)
 	krb5_errx(context, 1, "out of memory");
    memset(buf, 0, max_size);
    ret = krb5_crypto_init(context, &key, 0, &crypto);
    if (ret)
 	krb5_err(context, 1, ret, "krb5_crypto_init");
    for (size = min_size; size < max_size; size += step) {
 	size_t wrapped_size;
 	ret = krb5_encrypt(context, crypto, 0, buf, size, &data);
 	if (ret)
 	    krb5_err(context, 1, ret, "encrypt size %d using %s",
 		     size, etype_name);
 	wrapped_size = krb5_get_wrapped_length(context, crypto, size);
 	if (wrapped_size != data.length)
 	    krb5_errx(context, 1, "calculated wrapped length %lu != "
 		      "real wrapped length %lu for data length %lu using "
 		      "enctype %s",
 		      (unsigned long)wrapped_size,
 		      (unsigned long)data.length,
 		      (unsigned long)size,
 		      etype_name);
 	krb5_data_free(&data);
    }
    free(buf);
    krb5_crypto_destroy(context, crypto);
    krb5_free_keyblock_contents(context, &key);
 }
 static int version_flag = 0;
 static int help_flag	= 0;
 static struct getargs args[] = {
    {"version",	0,	arg_flag,	&version_flag,
     "print version", NULL },
    {"help",	0,	arg_flag,	&help_flag,
     NULL, NULL }
 };
 static void
 usage (int ret)
 {
    arg_printusage (args,
 		    sizeof(args)/sizeof(*args),
 		    NULL,
 		    "");
    exit (ret);
 }
 int
 main(int argc, char **argv)
 {
    krb5_context context;
    krb5_error_code ret;
    int i, optidx = 0;
    krb5_enctype enctypes[] = { 
 	ETYPE_DES_CBC_CRC,
 	ETYPE_DES_CBC_MD4,
 	ETYPE_DES_CBC_MD5,
 	ETYPE_DES3_CBC_SHA1,
 	ETYPE_ARCFOUR_HMAC_MD5,
 	ETYPE_AES128_CTS_HMAC_SHA1_96,
 	ETYPE_AES256_CTS_HMAC_SHA1_96
    };
    setprogname(argv[0]);
    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
    if (help_flag)
 	usage (0);
    if(version_flag){
 	print_version(NULL);
 	exit(0);
    }
    argc -= optidx;
    argv += optidx;
    ret = krb5_init_context(&context);
    if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
    for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
 	test_wrapping(context, 0, 1024, 1, enctypes[i]);
 	test_wrapping(context, 1024, 1024 * 100, 1024, enctypes[i]);
    }
    krb5_free_context(context);
    return 0;
 }
--- a/source/heimdal/lib/krb5/test_pkinit_dh2key.c
+++ b/source/heimdal/lib/krb5/test_pkinit_dh2key.c
@ -0,0 +1,110 @@
 /*
 * Copyright (c) 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions 
 * are met: 
 *
 * 1. Redistributions of source code must retain the above copyright 
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright 
 *    notice, this list of conditions and the following disclaimer in the 
 *    documentation and/or other materials provided with the distribution. 
 *
 * 3. Neither the name of KTH nor the names of its contributors may be
 *    used to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 #include "krb5_locl.h"
 #include <err.h>
 #include <getarg.h>
 RCSID("$Id: test_pkinit_dh2key.c,v 1.1 2005/07/20 16:27:58 lha Exp $");
 static void
 test_dh2key(krb5_context context, 
 	    const heim_octet_string *K,
 	    const heim_octet_string *c_n,
 	    const heim_octet_string *k_n,
 	    krb5_enctype etype)
 {
    return;
 }
 static int version_flag = 0;
 static int help_flag	= 0;
 static struct getargs args[] = {
    {"version",	0,	arg_flag,	&version_flag,
     "print version", NULL },
    {"help",	0,	arg_flag,	&help_flag,
     NULL, NULL }
 };
 static void
 usage (int ret)
 {
    arg_printusage (args,
 		    sizeof(args)/sizeof(*args),
 		    NULL,
 		    "");
    exit (ret);
 }
 int
 main(int argc, char **argv)
 {
    krb5_context context;
    krb5_error_code ret;
    int i, optidx = 0;
    krb5_enctype enctypes[] = { 
 	ETYPE_AES128_CTS_HMAC_SHA1_96,
 	ETYPE_AES256_CTS_HMAC_SHA1_96
    };
    setprogname(argv[0]);
    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
 	usage(1);
    if (help_flag)
 	usage (0);
    if(version_flag){
 	print_version(NULL);
 	exit(0);
    }
    argc -= optidx;
    argv += optidx;
    ret = krb5_init_context(&context);
    if (ret)
 	errx (1, "krb5_init_context failed: %d", ret);
    for (i = 0; i < sizeof(enctypes)/sizeof(enctypes[0]); i++) {
 	test_dh2key(context, NULL, NULL, NULL, enctypes[i]);
    }
    krb5_free_context(context);
    return 0;
 }
--- a/source/heimdal/lib/roken/base64.c
+++ b/source/heimdal/lib/roken/base64.c
@ -33,7 +33,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: base64.c,v 1.6 2005/04/12 11:28:34 lha Exp $");
+RCSID("$Id: base64.c,v 1.7 2005/06/23 10:47:57 lha Exp $");
 #endif
 #include <stdlib.h>
 #include <string.h>
--- a/source/heimdal/lib/roken/ecalloc.c
+++ b/source/heimdal/lib/roken/ecalloc.c
@ -0,0 +1,56 @@
 /*
 * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 RCSID("$Id: ecalloc.c,v 1.2 2005/04/12 11:28:36 lha Exp $");
 #endif
 #include <stdlib.h>
 #include <err.h>
 #include <roken.h>
 /*
 * Like calloc but never fails.
 */
 void * ROKEN_LIB_FUNCTION
 ecalloc (size_t number, size_t size)
 {
    void *tmp = calloc (number, size);
    if (tmp == NULL && number * size != 0)
 	errx (1, "calloc %lu failed", (unsigned long)number * size);
    return tmp;
 }
--- a/source/heimdal/lib/roken/estrdup.c
+++ b/source/heimdal/lib/roken/estrdup.c
@ -0,0 +1,56 @@
 /*
 * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 RCSID("$Id: estrdup.c,v 1.4 2005/04/12 11:28:39 lha Exp $");
 #endif
 #include <stdlib.h>
 #include <err.h>
 #include <roken.h>
 /*
 * Like strdup but never fails.
 */
 char * ROKEN_LIB_FUNCTION
 estrdup (const char *str)
 {
    char *tmp = strdup (str);
    if (tmp == NULL)
 	errx (1, "strdup failed");
    return tmp;
 }
--- a/source/heimdal/lib/roken/gai_strerror.c
+++ b/source/heimdal/lib/roken/gai_strerror.c
@ -33,14 +33,14 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: gai_strerror.c,v 1.5 2005/04/12 11:28:42 lha Exp $");
+RCSID("$Id: gai_strerror.c,v 1.7 2005/08/05 09:31:35 lha Exp $");
 #endif
 #include "roken.h"
 static struct gai_error {
    int code;
-    char *str;
+    const char *str;
 } errors[] = {
 {EAI_NOERROR,		"no error"},
 #ifdef EAI_ADDRFAMILY
@ -65,7 +65,7 @@ static struct gai_error {
 *
 */
-char * ROKEN_LIB_FUNCTION
+const char * ROKEN_LIB_FUNCTION
 gai_strerror(int ecode)
 {
    struct gai_error *g;
--- a/source/heimdal/lib/roken/roken.h
+++ b/source/heimdal/lib/roken/roken.h
@ -32,7 +32,7 @@
 * SUCH DAMAGE.
 */
-/* $Id: roken.h.in,v 1.175 2005/07/07 19:16:17 lha Exp $ */
+/* $Id: roken.h.in,v 1.177 2005/08/05 09:06:29 lha Exp $ */
 #include <stdio.h>
 #include <stdlib.h>
@ -143,15 +143,15 @@ ROKEN_CPP_START
 #endif
 #ifndef HAVE_PUTENV
-int ROKEN_LIB_FUNCTION putenv(const char *string);
+int ROKEN_LIB_FUNCTION putenv(const char *);
 #endif
 #if !defined(HAVE_SETENV) || defined(NEED_SETENV_PROTO)
-int ROKEN_LIB_FUNCTION setenv(const char *var, const char *val, int rewrite);
+int ROKEN_LIB_FUNCTION setenv(const char *, const char *, int);
 #endif
 #if !defined(HAVE_UNSETENV) || defined(NEED_UNSETENV_PROTO)
-void ROKEN_LIB_FUNCTION unsetenv(const char *name);
+void ROKEN_LIB_FUNCTION unsetenv(const char *);
 #endif
 #if !defined(HAVE_GETUSERSHELL) || defined(NEED_GETUSERSHELL_PROTO)
@ -160,46 +160,46 @@ void ROKEN_LIB_FUNCTION endusershell(void);
 #endif
 #if !defined(HAVE_SNPRINTF) || defined(NEED_SNPRINTF_PROTO)
-int ROKEN_LIB_FUNCTION snprintf (char *str, size_t sz, const char *format, ...)
+int ROKEN_LIB_FUNCTION snprintf (char *, size_t, const char *, ...)
     __attribute__ ((format (printf, 3, 4)));
 #endif
 #if !defined(HAVE_VSNPRINTF) || defined(NEED_VSNPRINTF_PROTO)
 int ROKEN_LIB_FUNCTION 
-     vsnprintf (char *str, size_t sz, const char *format, va_list ap)
+     vsnprintf (char *, size_t, const char *, va_list)
     __attribute__((format (printf, 3, 0)));
 #endif
 #if !defined(HAVE_ASPRINTF) || defined(NEED_ASPRINTF_PROTO)
 int ROKEN_LIB_FUNCTION
-     asprintf (char **ret, const char *format, ...)
+     asprintf (char **, const char *, ...)
     __attribute__ ((format (printf, 2, 3)));
 #endif
 #if !defined(HAVE_VASPRINTF) || defined(NEED_VASPRINTF_PROTO)
 int ROKEN_LIB_FUNCTION
-    vasprintf (char **ret, const char *format, va_list ap)
+    vasprintf (char **, const char *, va_list)
     __attribute__((format (printf, 2, 0)));
 #endif
 #if !defined(HAVE_ASNPRINTF) || defined(NEED_ASNPRINTF_PROTO)
 int ROKEN_LIB_FUNCTION
-    asnprintf (char **ret, size_t max_sz, const char *format, ...)
+    asnprintf (char **, size_t, const char *, ...)
     __attribute__ ((format (printf, 3, 4)));
 #endif
 #if !defined(HAVE_VASNPRINTF) || defined(NEED_VASNPRINTF_PROTO)
 int ROKEN_LIB_FUNCTION
-    vasnprintf (char **ret, size_t max_sz, const char *format, va_list ap)
+    vasnprintf (char **, size_t, const char *, va_list)
     __attribute__((format (printf, 3, 0)));
 #endif
 #ifndef HAVE_STRDUP
-char * ROKEN_LIB_FUNCTION strdup(const char *old);
+char * ROKEN_LIB_FUNCTION strdup(const char *);
 #endif
 #if !defined(HAVE_STRNDUP) || defined(NEED_STRNDUP_PROTO)
-char * ROKEN_LIB_FUNCTION strndup(const char *old, size_t sz);
+char * ROKEN_LIB_FUNCTION strndup(const char *, size_t);
 #endif
 #ifndef HAVE_STRLWR
@ -219,7 +219,7 @@ ssize_t ROKEN_LIB_FUNCTION strsep_copy(const char**, const char*, char*, size_t)
 #endif
 #ifndef HAVE_STRCASECMP
-int ROKEN_LIB_FUNCTION strcasecmp(const char *s1, const char *s2);
+int ROKEN_LIB_FUNCTION strcasecmp(const char *, const char *);
 #endif
 #ifdef NEED_FCLOSE_PROTO
@ -227,7 +227,7 @@ int ROKEN_LIB_FUNCTION fclose(FILE *);
 #endif
 #ifdef NEED_STRTOK_R_PROTO
-char * ROKEN_LIB_FUNCTION strtok_r(char *s1, const char *s2, char **lasts);
+char * ROKEN_LIB_FUNCTION strtok_r(char *, const char *, char **);
 #endif
 #ifndef HAVE_STRUPR
@ -235,11 +235,11 @@ char * ROKEN_LIB_FUNCTION strupr(char *);
 #endif
 #ifndef HAVE_STRLCPY
-size_t ROKEN_LIB_FUNCTION strlcpy (char *dst, const char *src, size_t dst_sz);
+size_t ROKEN_LIB_FUNCTION strlcpy (char *, const char *, size_t);
 #endif
 #ifndef HAVE_STRLCAT
-size_t ROKEN_LIB_FUNCTION strlcat (char *dst, const char *src, size_t dst_sz);
+size_t ROKEN_LIB_FUNCTION strlcat (char *, const char *, size_t);
 #endif
 #ifndef HAVE_GETDTABLESIZE
@ -247,13 +247,13 @@ int ROKEN_LIB_FUNCTION getdtablesize(void);
 #endif
 #if !defined(HAVE_STRERROR) && !defined(strerror)
-char * ROKEN_LIB_FUNCTION strerror(int eno);
+char * ROKEN_LIB_FUNCTION strerror(int);
 #endif
 #if !defined(HAVE_HSTRERROR) || defined(NEED_HSTRERROR_PROTO)
 /* This causes a fatal error under Psoriasis */
 #if !(defined(SunOS) && (SunOS >= 50))
-const char * ROKEN_LIB_FUNCTION hstrerror(int herr);
+const char * ROKEN_LIB_FUNCTION hstrerror(int);
 #endif
 #endif
@ -262,7 +262,7 @@ extern int h_errno;
 #endif
 #if !defined(HAVE_INET_ATON) || defined(NEED_INET_ATON_PROTO)
-int ROKEN_LIB_FUNCTION inet_aton(const char *cp, struct in_addr *adr);
+int ROKEN_LIB_FUNCTION inet_aton(const char *, struct in_addr *);
 #endif
 #ifndef HAVE_INET_NTOP
@ -272,31 +272,31 @@ inet_ntop(int af, const void *src, char *dst, size_t size);
 #ifndef HAVE_INET_PTON
 int ROKEN_LIB_FUNCTION
-inet_pton(int af, const char *src, void *dst);
+inet_pton(int, const char *, void *);
 #endif
 #if !defined(HAVE_GETCWD)
-char* ROKEN_LIB_FUNCTION getcwd(char *path, size_t size);
+char* ROKEN_LIB_FUNCTION getcwd(char *, size_t);
 #endif
 #ifdef HAVE_PWD_H
 #include <pwd.h>
-struct passwd * ROKEN_LIB_FUNCTION k_getpwnam (const char *user);
+struct passwd * ROKEN_LIB_FUNCTION k_getpwnam (const char *);
-struct passwd * ROKEN_LIB_FUNCTION k_getpwuid (uid_t uid);
+struct passwd * ROKEN_LIB_FUNCTION k_getpwuid (uid_t);
 #endif
 const char * ROKEN_LIB_FUNCTION get_default_username (void);
 #ifndef HAVE_SETEUID
-int ROKEN_LIB_FUNCTION seteuid(uid_t euid);
+int ROKEN_LIB_FUNCTION seteuid(uid_t);
 #endif
 #ifndef HAVE_SETEGID
-int ROKEN_LIB_FUNCTION setegid(gid_t egid);
+int ROKEN_LIB_FUNCTION setegid(gid_t);
 #endif
 #ifndef HAVE_LSTAT
-int ROKEN_LIB_FUNCTION lstat(const char *path, struct stat *buf);
+int ROKEN_LIB_FUNCTION lstat(const char *, struct stat *);
 #endif
 #if !defined(HAVE_MKSTEMP) || defined(NEED_MKSTEMP_PROTO)
@ -304,35 +304,35 @@ int ROKEN_LIB_FUNCTION mkstemp(char *);
 #endif
 #ifndef HAVE_CGETENT
-int ROKEN_LIB_FUNCTION cgetent(char **buf, char **db_array, const char *name);
+int ROKEN_LIB_FUNCTION cgetent(char **, char **, const char *);
-int ROKEN_LIB_FUNCTION cgetstr(char *buf, const char *cap, char **str);
+int ROKEN_LIB_FUNCTION cgetstr(char *, const char *, char **);
 #endif
 #ifndef HAVE_INITGROUPS
-int ROKEN_LIB_FUNCTION initgroups(const char *name, gid_t basegid);
+int ROKEN_LIB_FUNCTION initgroups(const char *, gid_t);
 #endif
 #ifndef HAVE_FCHOWN
-int ROKEN_LIB_FUNCTION fchown(int fd, uid_t owner, gid_t group);
+int ROKEN_LIB_FUNCTION fchown(int, uid_t, gid_t);
 #endif
 #if !defined(HAVE_DAEMON) || defined(NEED_DAEMON_PROTO)
-int ROKEN_LIB_FUNCTION daemon(int nochdir, int noclose);
+int ROKEN_LIB_FUNCTION daemon(int, int);
 #endif
 #ifndef HAVE_INNETGR
-int ROKEN_LIB_FUNCTION innetgr(const char *netgroup, const char *machine, 
+int ROKEN_LIB_FUNCTION innetgr(const char *, const char *, 
-	    const char *user, const char *domain);
+	    const char *, const char *);
 #endif
 #ifndef HAVE_CHOWN
-int ROKEN_LIB_FUNCTION chown(const char *path, uid_t owner, gid_t group);
+int ROKEN_LIB_FUNCTION chown(const char *, uid_t, gid_t);
 #endif
 #ifndef HAVE_RCMD
 int ROKEN_LIB_FUNCTION
-    rcmd(char **ahost, unsigned short inport, const char *locuser,
+    rcmd(char **, unsigned short, const char *,
-	 const char *remuser, const char *cmd, int *fd2p);
+	 const char *, const char *, int *);
 #endif
 #if !defined(HAVE_INNETGR) || defined(NEED_INNETGR_PROTO)
@ -341,27 +341,27 @@ int ROKEN_LIB_FUNCTION innetgr(const char*, const char*,
 #endif
 #ifndef HAVE_IRUSEROK
-int ROKEN_LIB_FUNCTION iruserok(unsigned raddr, int superuser, 
+int ROKEN_LIB_FUNCTION iruserok(unsigned, int, 
-    const char *ruser, const char *luser);
+    const char *, const char *);
 #endif
 #if !defined(HAVE_GETHOSTNAME) || defined(NEED_GETHOSTNAME_PROTO)
-int ROKEN_LIB_FUNCTION gethostname(char *name, int namelen);
+int ROKEN_LIB_FUNCTION gethostname(char *, int);
 #endif
 #ifndef HAVE_WRITEV
 ssize_t ROKEN_LIB_FUNCTION
-writev(int d, const struct iovec *iov, int iovcnt);
+writev(int, const struct iovec *, int);
 #endif
 #ifndef HAVE_READV
 ssize_t ROKEN_LIB_FUNCTION
-readv(int d, const struct iovec *iov, int iovcnt);
+readv(int, const struct iovec *, int);
 #endif
 #ifndef HAVE_MKSTEMP
 int ROKEN_LIB_FUNCTION
-mkstemp(char *template);
+mkstemp(char *);
 #endif
 #ifndef HAVE_PIDFILE
@ -393,22 +393,22 @@ unsigned short ROKEN_LIB_FUNCTION bswap16(unsigned short);
 int flock(int fd, int operation);
 #endif /* HAVE_FLOCK */
-time_t ROKEN_LIB_FUNCTION tm2time (struct tm tm, int local);
+time_t ROKEN_LIB_FUNCTION tm2time (struct tm, int);
-int ROKEN_LIB_FUNCTION unix_verify_user(char *user, char *password);
+int ROKEN_LIB_FUNCTION unix_verify_user(char *, char *);
-int ROKEN_LIB_FUNCTION roken_concat (char *s, size_t len, ...);
+int ROKEN_LIB_FUNCTION roken_concat (char *, size_t, ...);
-size_t ROKEN_LIB_FUNCTION roken_mconcat (char **s, size_t max_len, ...);
+size_t ROKEN_LIB_FUNCTION roken_mconcat (char **, size_t, ...);
-int ROKEN_LIB_FUNCTION roken_vconcat (char *s, size_t len, va_list args);
+int ROKEN_LIB_FUNCTION roken_vconcat (char *, size_t, va_list);
 size_t ROKEN_LIB_FUNCTION
-    roken_vmconcat (char **s, size_t max_len, va_list args);
+    roken_vmconcat (char **, size_t, va_list);
-ssize_t ROKEN_LIB_FUNCTION net_write (int fd, const void *buf, size_t nbytes);
+ssize_t ROKEN_LIB_FUNCTION net_write (int, const void *, size_t);
-ssize_t ROKEN_LIB_FUNCTION net_read (int fd, void *buf, size_t nbytes);
+ssize_t ROKEN_LIB_FUNCTION net_read (int, void *, size_t);
 int ROKEN_LIB_FUNCTION issuid(void);
@ -422,7 +422,7 @@ struct winsize {
 int ROKEN_LIB_FUNCTION get_window_size(int fd, struct winsize *);
 #ifndef HAVE_VSYSLOG
-void ROKEN_LIB_FUNCTION vsyslog(int pri, const char *fmt, va_list ap);
+void ROKEN_LIB_FUNCTION vsyslog(int, const char *, va_list);
 #endif
 #if !HAVE_DECL_OPTARG
@ -441,22 +441,22 @@ extern char **environ;
 #ifndef HAVE_GETIPNODEBYNAME
 struct hostent * ROKEN_LIB_FUNCTION
-getipnodebyname (const char *name, int af, int flags, int *error_num);
+getipnodebyname (const char *, int, int, int *);
 #endif
 #ifndef HAVE_GETIPNODEBYADDR
 struct hostent * ROKEN_LIB_FUNCTION
-getipnodebyaddr (const void *src, size_t len, int af, int *error_num);
+getipnodebyaddr (const void *, size_t, int, int *);
 #endif
 #ifndef HAVE_FREEHOSTENT
 void ROKEN_LIB_FUNCTION
-freehostent (struct hostent *h);
+freehostent (struct hostent *);
 #endif
 #ifndef HAVE_COPYHOSTENT
 struct hostent * ROKEN_LIB_FUNCTION
-copyhostent (const struct hostent *h);
+copyhostent (const struct hostent *);
 #endif
 #ifndef HAVE_SOCKLEN_T
@ -523,35 +523,35 @@ struct addrinfo {
 #ifndef HAVE_GETADDRINFO
 int ROKEN_LIB_FUNCTION
-getaddrinfo(const char *nodename,
+getaddrinfo(const char *,
-	    const char *servname,
+	    const char *,
-	    const struct addrinfo *hints,
+	    const struct addrinfo *,
-	    struct addrinfo **res);
+	    struct addrinfo **);
 #endif
 #ifndef HAVE_GETNAMEINFO
 int ROKEN_LIB_FUNCTION
-getnameinfo(const struct sockaddr *sa, socklen_t salen,
+getnameinfo(const struct sockaddr *, socklen_t,
-		char *host, size_t hostlen,
+		char *, size_t,
-		char *serv, size_t servlen,
+		char *, size_t,
-		int flags);
+		int);
 #endif
 #ifndef HAVE_FREEADDRINFO
 void ROKEN_LIB_FUNCTION
-freeaddrinfo(struct addrinfo *ai);
+freeaddrinfo(struct addrinfo *);
 #endif
 #ifndef HAVE_GAI_STRERROR
-char * ROKEN_LIB_FUNCTION
+const char * ROKEN_LIB_FUNCTION
-gai_strerror(int ecode);
+gai_strerror(int);
 #endif
 int ROKEN_LIB_FUNCTION
-getnameinfo_verified(const struct sockaddr *sa, socklen_t salen,
+getnameinfo_verified(const struct sockaddr *, socklen_t,
-		     char *host, size_t hostlen,
+		     char *, size_t,
-		     char *serv, size_t servlen,
+		     char *, size_t,
-		     int flags);
+		     int);
 int ROKEN_LIB_FUNCTION
 roken_getaddrinfo_hostspec(const char *, int, struct addrinfo **); 
@ -560,20 +560,19 @@ roken_getaddrinfo_hostspec2(const char *, int, int, struct addrinfo **);
 #ifndef HAVE_STRFTIME
 size_t ROKEN_LIB_FUNCTION
-strftime (char *buf, size_t maxsize, const char *format,
+strftime (char *, size_t, const char *, const struct tm *);
 	  const struct tm *tm);
 #endif
 #ifndef HAVE_STRPTIME
 char * ROKEN_LIB_FUNCTION
-strptime (const char *buf, const char *format, struct tm *timeptr);
+strptime (const char *, const char *, struct tm *);
 #endif
 #ifndef HAVE_EMALLOC
 void * ROKEN_LIB_FUNCTION emalloc (size_t);
 #endif
 #ifndef HAVE_ECALLOC
-void * ROKEN_LIB_FUNCTION ecalloc(size_t num, size_t sz);
+void * ROKEN_LIB_FUNCTION ecalloc(size_t, size_t);
 #endif
 #ifndef HAVE_EREALLOC
 void * ROKEN_LIB_FUNCTION erealloc (void *, size_t);
@ -626,7 +625,7 @@ roken_gethostbyaddr(const void*, size_t, int);
 #endif
 #ifndef HAVE_SETPROGNAME
-void ROKEN_LIB_FUNCTION setprogname(const char *argv0);
+void ROKEN_LIB_FUNCTION setprogname(const char *);
 #endif
 #ifndef HAVE_GETPROGNAME
@ -638,46 +637,46 @@ extern const char *__progname;
 #endif
 void ROKEN_LIB_FUNCTION mini_inetd_addrinfo (struct addrinfo*);
-void ROKEN_LIB_FUNCTION mini_inetd (int port);
+void ROKEN_LIB_FUNCTION mini_inetd (int);
 #ifndef HAVE_LOCALTIME_R
 struct tm * ROKEN_LIB_FUNCTION
-localtime_r(const time_t *timer, struct tm *result);
+localtime_r(const time_t *, struct tm *);
 #endif
 #if !defined(HAVE_STRSVIS) || defined(NEED_STRSVIS_PROTO)
 int ROKEN_LIB_FUNCTION
-strsvis(char *dst, const char *src, int flag, const char *extra);
+strsvis(char *, const char *, int, const char *);
 #endif
 #if !defined(HAVE_STRUNVIS) || defined(NEED_STRUNVIS_PROTO)
 int ROKEN_LIB_FUNCTION
-strunvis(char *dst, const char *src);
+strunvis(char *, const char *);
 #endif
 #if !defined(HAVE_STRVIS) || defined(NEED_STRVIS_PROTO)
 int ROKEN_LIB_FUNCTION
-strvis(char *dst, const char *src, int flag);
+strvis(char *, const char *, int);
 #endif
 #if !defined(HAVE_STRVISX) || defined(NEED_STRVISX_PROTO)
 int ROKEN_LIB_FUNCTION
-strvisx(char *dst, const char *src, size_t len, int flag);
+strvisx(char *, const char *, size_t, int);
 #endif
 #if !defined(HAVE_SVIS) || defined(NEED_SVIS_PROTO)
 char * ROKEN_LIB_FUNCTION
-svis(char *dst, int c, int flag, int nextc, const char *extra);
+svis(char *, int, int, int, const char *);
 #endif
 #if !defined(HAVE_UNVIS) || defined(NEED_UNVIS_PROTO)
 int ROKEN_LIB_FUNCTION
-unvis(char *cp, int c, int *astate, int flag);
+unvis(char *, int, int *, int);
 #endif
 #if !defined(HAVE_VIS) || defined(NEED_VIS_PROTO)
 char * ROKEN_LIB_FUNCTION
-vis(char *dst, int c, int flag, int nextc);
+vis(char *, int, int, int);
 #endif
 #if !defined(HAVE_CLOSEFROM)
--- a/source/heimdal_build/asn1_deps.pl
+++ b/source/heimdal_build/asn1_deps.pl
@ -7,18 +7,22 @@ use File::Basename;
 my $file = shift;
 my $prefix = shift;
 my $options = shift;
 my $x_file, @x_files;
 my $c_file, @c_files;
 if (not defined ($prefix)) { $prefix = "asn1"; }
 $dirname = dirname($file);
 $basename = basename($file);
 if (not defined $options) {
    $options = "";
 }
 my $header = "$dirname/$prefix.h";
 print "$header: $file bin/asn1_compile\n";
 print "\t\@echo \"Compiling ASN1 file $file\"\n";
-print "\t\@cd $dirname && ../../../bin/asn1_compile $basename $prefix\n\n";
+print "\t\@cd $dirname && ../../../bin/asn1_compile $options $basename $prefix\n\n";
 open(IN,$file) or die("Can't open $file: $!");
 foreach(<IN>) {
--- a/source/heimdal_build/config.mk
+++ b/source/heimdal_build/config.mk
@ -53,6 +53,7 @@ ADD_OBJ_FILES = \
 	heimdal/lib/gssapi/asn1_ContextFlags.o \
 	heimdal/lib/gssapi/asn1_MechType.o \
 	heimdal/lib/gssapi/asn1_MechTypeList.o \
 	heimdal/lib/gssapi/asn1_NegotiationToken.o \
 	heimdal/lib/gssapi/asn1_NegTokenInit.o \
 	heimdal/lib/gssapi/asn1_NegTokenTarg.o \
 	heimdal/lib/gssapi/8003.o \
@ -236,8 +237,9 @@ ADD_OBJ_FILES = \
 	heimdal/lib/asn1/asn1_Ticket.o \
 	heimdal/lib/asn1/asn1_TicketFlags.o \
 	heimdal/lib/asn1/asn1_TransitedEncoding.o \
-	heimdal/lib/asn1/asn1_UNSIGNED.o \
+	heimdal/lib/asn1/asn1_err.o \
-	heimdal/lib/asn1/asn1_err.o
+	heimdal/lib/asn1/asn1_krb5int32.o \
 	heimdal/lib/asn1/asn1_krb5uint32.o
 NOPROTO = YES
 # End SUBSYSTEM HEIMDAL_KRB5
 #######################
@ -357,6 +359,8 @@ ADD_OBJ_FILES = \
 	heimdal/lib/roken/strupr.o \
 	heimdal/lib/roken/getprogname.o \
 	heimdal/lib/roken/get_window_size.o \
 	heimdal/lib/roken/estrdup.o \
 	heimdal/lib/roken/ecalloc.o \
 	heimdal/lib/asn1/symbol.o \
 	heimdal_build/replace.o
 NOPROTO = YES
@ -403,7 +407,7 @@ heimdal/lib/roken/err.h: heimdal/lib/roken/err.hin
 include ./heimdal_build/asn1_deps.pl heimdal/lib/hdb/hdb.asn1 hdb_asn1|
 include ./heimdal_build/asn1_deps.pl heimdal/lib/gssapi/spnego.asn1 spnego_asn1|
-include ./heimdal_build/asn1_deps.pl heimdal/lib/asn1/k5.asn1 krb5_asn1|
+include ./heimdal_build/asn1_deps.pl heimdal/lib/asn1/k5.asn1 krb5_asn1 --encode-rfc1510-bit-string|
 include ./heimdal_build/et_deps.pl heimdal/lib/asn1/asn1_err.et|
 include ./heimdal_build/et_deps.pl heimdal/lib/hdb/hdb_err.et|
@ -423,11 +427,7 @@ heimdal_basics: \
 	heimdal/lib/krb5/k524_err.h \
 	heimdal/lib/krb5/krb5_err.h
-heimdal_clean:
+heimdal_clean:	hdb_asn1_clean spnego_asn1_clean krb5_asn1_clean
 	@echo Removing generated ASN1 files
 	@-find heimdal/lib/asn1 -name 'asn1_*.[cx]' -exec rm -f '{}' \;
 	@-find heimdal/lib/gssapi -name 'asn1_*.[c]' -exec rm -f '{}' \;
 	@-find heimdal/lib/hdb -name 'asn1_*.[c]' -exec rm -f '{}' \;
 	@-rm -f heimdal/lib/roken/vis.h heimdal/lib/roken/err.h
 	@-rm -f heimdal/lib/hdb/hdb_asn1.h
 	@-rm -f heimdal/lib/gssapi/spnego_asn1.h
--- a/source/heimdal_build/krb5-types.h
+++ b/source/heimdal_build/krb5-types.h
@ -3,6 +3,9 @@
 #ifndef __krb5_types_h__
 #define __krb5_types_h__
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
 #if HAVE_INTTYPES_H
 #include <inttypes.h>