From b39330c4873d4c3923a577e89690fc0e43b0c61a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 22 Aug 2007 06:46:34 +0000
Subject: [PATCH] r24614: Merge with current lorikeet-heimdal.  This brings us
 one step closer to an alpha release.

Andrew Bartlett
(This used to be commit 30e02747d511630659c59eafec8d28f58605943b)
---
 source4/heimdal/kdc/default_config.c          |   2 +-
 source4/heimdal/kdc/digest.c                  |  25 +-
 source4/heimdal/kdc/kaserver.c                |  17 +-
 source4/heimdal/kdc/kerberos4.c               |  53 +-
 source4/heimdal/kdc/kerberos5.c               | 140 ++-
 source4/heimdal/kdc/kx509.c                   |   6 +-
 source4/heimdal/kuser/kinit.c                 |  10 +-
 source4/heimdal/lib/asn1/asn1_err.et          |   5 +-
 source4/heimdal/lib/asn1/der_get.c            |  25 +-
 source4/heimdal/lib/asn1/gen.c                |   3 +-
 source4/heimdal/lib/asn1/gen_decode.c         |  72 +-
 source4/heimdal/lib/asn1/gen_encode.c         |  19 +-
 source4/heimdal/lib/asn1/gen_length.c         |  13 +-
 source4/heimdal/lib/asn1/k5.asn1              |   6 +-
 source4/heimdal/lib/asn1/lex.c                |  33 +-
 source4/heimdal/lib/asn1/parse.c              | 841 ++++++++++--------
 source4/heimdal/lib/asn1/parse.h              |   6 +-
 source4/heimdal/lib/asn1/rfc2459.asn1         |  23 +-
 source4/heimdal/lib/asn1/test.asn1            |   9 +-
 source4/heimdal/lib/asn1/timegm.c             |   6 +-
 .../lib/gssapi/mech/gss_acquire_cred.c        |   9 +-
 .../heimdal/lib/gssapi/mech/gss_add_cred.c    |  12 +-
 .../lib/gssapi/mech/gss_canonicalize_name.c   |   9 +-
 .../lib/gssapi/mech/gss_compare_name.c        |   9 +-
 .../lib/gssapi/mech/gss_duplicate_name.c      |   6 +-
 .../lib/gssapi/mech/gss_init_sec_context.c    |   8 +-
 .../heimdal/lib/gssapi/mech/gss_mech_switch.c |   5 +-
 source4/heimdal/lib/gssapi/mech/gss_names.c   |  27 +-
 .../heimdal/lib/gssapi/mech/gss_oid_to_str.c  |   5 +-
 source4/heimdal/lib/gssapi/mech/name.h        |   7 +-
 .../lib/gssapi/spnego/accept_sec_context.c    |  21 +-
 source4/heimdal/lib/gssapi/spnego/spnego.asn1 |  45 +-
 source4/heimdal/lib/hcrypto/hmac.c            |  12 +-
 source4/heimdal/lib/hx509/ca.c                |   4 +-
 source4/heimdal/lib/hx509/cert.c              |   4 +-
 source4/heimdal/lib/hx509/hx509-private.h     |  32 -
 source4/heimdal/lib/hx509/ks_p11.c            |  11 +-
 source4/heimdal/lib/hx509/peer.c              |   6 +-
 source4/heimdal/lib/hx509/print.c             |  48 +-
 source4/heimdal/lib/krb5/cache.c              |  39 +-
 source4/heimdal/lib/krb5/changepw.c           |   6 +-
 source4/heimdal/lib/krb5/get_cred.c           |  12 +-
 source4/heimdal/lib/krb5/init_creds.c         |   7 +-
 source4/heimdal/lib/krb5/init_creds_pw.c      |   4 +-
 source4/heimdal/lib/krb5/krb5-private.h       |   4 +-
 source4/heimdal/lib/krb5/krb5-protos.h        |   8 -
 source4/heimdal/lib/krb5/krb5-v4compat.h      |  50 +-
 source4/heimdal/lib/krb5/krb5.h               |  13 +-
 source4/heimdal/lib/krb5/krb5_locl.h          |  10 +-
 source4/heimdal/lib/krb5/krb_err.et           |  63 ++
 source4/heimdal/lib/krb5/krbhst.c             |   6 +-
 source4/heimdal/lib/krb5/pkinit.c             |  52 +-
 source4/heimdal/lib/krb5/plugin.c             |  16 +-
 source4/heimdal/lib/krb5/rd_priv.c            |  16 +-
 source4/heimdal/lib/krb5/v4_glue.c            |  64 +-
 source4/heimdal/lib/ntlm/ntlm.c               |   4 +-
 source4/heimdal_build/config.mk               |   8 +-
 source4/static_deps.mk                        |   1 +
 58 files changed, 1168 insertions(+), 809 deletions(-)
 create mode 100644 source4/heimdal/lib/krb5/krb_err.et

diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index e06366f214b..5f336e3275d 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -36,7 +36,7 @@
 #include <getarg.h>
 #include <parse_bytes.h>
 
-RCSID("$Id: default_config.c 21296 2007-06-25 14:49:11Z lha $");
+RCSID("$Id: default_config.c 21405 2007-07-04 10:35:45Z lha $");
 
 krb5_error_code
 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c
index 801449fe5e5..358ca5ad56d 100644
--- a/source4/heimdal/kdc/digest.c
+++ b/source4/heimdal/kdc/digest.c
@@ -34,7 +34,7 @@
 #include "kdc_locl.h"
 #include <hex.h>
 
-RCSID("$Id: digest.c 21241 2007-06-20 11:30:19Z lha $");
+RCSID("$Id: digest.c 21606 2007-07-17 07:03:25Z lha $");
 
 #define MS_CHAP_V2	0x20
 #define CHAP_MD5	0x10
@@ -975,7 +975,7 @@ _kdc_do_digest(krb5_context context,
 	}
 
 	kdc_log(context, config, 0, "Digest %s request successful %s",
-		ireq.u.digestRequest.type, from);
+		ireq.u.digestRequest.type, ireq.u.digestRequest.username);
 
 	break;
     }
@@ -1227,7 +1227,7 @@ _kdc_do_digest(krb5_context context,
 	    version = 1;
 
 	    if (flags & NTLM_NEG_NTLM2_SESSION) {
-		char sessionhash[MD5_DIGEST_LENGTH];
+		unsigned char sessionhash[MD5_DIGEST_LENGTH];
 		MD5_CTX md5ctx;
 		
 		if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
@@ -1331,10 +1331,24 @@ _kdc_do_digest(krb5_context context,
 		version, ireq.u.ntlmRequest.username);
 	break;
     }
-    default:
+    default: {
+	char *s;
+	krb5_set_error_string(context, "unknown operation to digest");
+	ret = EINVAL;
+
     failed:
+
+	s = krb5_get_error_message(context, ret);
+	if (s == NULL) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+	
+	kdc_log(context, config, 0, "Digest failed with: %s", s);
+
 	r.element = choice_DigestRepInner_error;
-	r.u.error.reason = strdup("unknown/failed operation");
+	r.u.error.reason = strdup("unknown error");
+	krb5_free_error_string(context, s);
 	if (r.u.error.reason == NULL) {
 	    krb5_set_error_string(context, "out of memory");
 	    ret = ENOMEM;
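Review bot: When krb5_get_error_message() returns NULL the new `failed:` path leaves via `goto out` without filling in `r`, so no DigestRepInner error reply is encoded for the request at all; before this change the error reply was always built. If the client should still be answered, keep going with a fallback string instead: `kdc_log(context, config, 0, "Digest failed with: %s", s ? s : "unknown");` and `if (s) krb5_free_error_string(context, s);`. Sending the fixed "unknown error" reason to the client while only logging the detailed message is a sensible choice (internal error text stays off the wire) and deserves a one-line comment saying so, since the old reason string was more specific. _kdc_do_digest begins and ends outside this hunk.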
@@ -1343,6 +1357,7 @@ _kdc_do_digest(krb5_context context,
 	r.u.error.code = EINVAL;
 	break;
     }
+    }
 
     ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
     if (ret) {
diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c
index deb32e10199..15624e8e763 100644
--- a/source4/heimdal/kdc/kaserver.c
+++ b/source4/heimdal/kdc/kaserver.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kaserver.c 17904 2006-08-23 11:45:16Z lha $");
+RCSID("$Id: kaserver.c 21661 2007-07-22 01:57:17Z lha $");
 
 #include <krb5-v4compat.h>
 #include <rx.h>
@@ -191,19 +191,28 @@ init_reply_header (struct rx_header *hdr,
     reply_hdr->serviceid = hdr->serviceid;
 }
 
+/*
+ * Create an error `reply� using for the packet `hdr' with the error
+ * `error� code.
+ */
 static void
 make_error_reply (struct rx_header *hdr,
-		  uint32_t ret,
+		  uint32_t error,
 		  krb5_data *reply)
 
 {
-    krb5_storage *sp;
     struct rx_header reply_hdr;
+    krb5_error_code ret;
+    krb5_storage *sp;
 
     init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
     sp = krb5_storage_emem();
+    if (sp == NULL)
+	return;
     ret = encode_rx_header (&reply_hdr, sp);
-    krb5_store_int32(sp, ret);
+    if (ret)
+	return;
+    krb5_store_int32(sp, error);
     krb5_storage_to_data (sp, reply);
     krb5_storage_free (sp);
 }
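Review bot: The new `if (ret) return;` after encode_rx_header() leaks `sp`, which krb5_storage_emem() just allocated; the early return needs the free, `if (ret) { krb5_storage_free(sp); return; }`. Both early returns also leave `*reply` untouched, so a caller that sends `reply` unconditionally would emit whatever it previously held — worth checking against the caller (outside this hunk) or stating in the new header comment. The return values of krb5_store_int32() and krb5_storage_to_data() remain unchecked. The header comment also carries mis-encoded quote characters around `reply` and `error`.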
diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c
index 3c76bb99b22..cbba64945b3 100644
--- a/source4/heimdal/kdc/kerberos4.c
+++ b/source4/heimdal/kdc/kerberos4.c
@@ -35,7 +35,7 @@
 
 #include <krb5-v4compat.h>
 
-RCSID("$Id: kerberos4.c 18349 2006-10-08 13:43:52Z lha $");
+RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $");
 
 #ifndef swap32
 static uint32_t
@@ -151,7 +151,8 @@ _kdc_do_version4(krb5_context context,
     if(!config->enable_v4) {
 	kdc_log(context, config, 0,
 		"Rejected version 4 request from %s", from);
-	make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
+	make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
+		       "Function not enabled");
 	return 0;
     }
 
@@ -160,7 +161,7 @@ _kdc_do_version4(krb5_context context,
     if(pvno != 4){
 	kdc_log(context, config, 0,
 		"Protocol version mismatch (krb4) (%d)", pvno);
-	make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
+	make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
 	goto out;
     }
     RCHECK(krb5_ret_int8(sp, &msg_type), out);
@@ -196,7 +197,7 @@ _kdc_do_version4(krb5_context context,
 	if(ret) {
 	    kdc_log(context, config, 0, "Client not found in database: %s: %s",
 		    client_name, krb5_get_err_text(context, ret));
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 			   "principal unknown");
 	    goto out1;
 	}
@@ -205,7 +206,7 @@ _kdc_do_version4(krb5_context context,
 	if(ret){
 	    kdc_log(context, config, 0, "Server not found in database: %s: %s",
 		    server_name, krb5_get_err_text(context, ret));
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 			   "principal unknown");
 	    goto out1;
 	}
@@ -216,7 +217,7 @@ _kdc_do_version4(krb5_context context,
 				TRUE);
 	if (ret) {
 	    /* good error code? */
-	    make_err_reply(context, reply, KERB_ERR_NAME_EXP,
+	    make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
 			   "operation not allowed");
 	    goto out1;
 	}
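Review bot: The `/* good error code? */` marker above the KRB4ET_KDC_NAME_EXP reply is kept here but removed from the identical tgs-req branch later in this file (the hunk at `@@ -516,8 +515,7 @@`), so the two branches now disagree about whether the choice of code is still in question. Either drop it here as well or keep it in both places; the question itself, whether NAME_EXP is the right code for a flags-check failure, is unresolved in either branch. _kdc_do_version4 continues outside this hunk.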
@@ -227,7 +228,7 @@ _kdc_do_version4(krb5_context context,
 	    kdc_log(context, config, 0,
 		    "Per principal Kerberos 4 flag not turned on for %s",
 		    client_name);
-	    make_err_reply(context, reply, KERB_ERR_NULL_KEY,
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 			   "allow kerberos4 flag required");
 	    goto out1;
 	}
@@ -244,7 +245,7 @@ _kdc_do_version4(krb5_context context,
 		    "Pre-authentication required for v4-request: "
 		    "%s for %s",
 		    client_name, server_name);
-	    make_err_reply(context, reply, KERB_ERR_NULL_KEY,
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
 			   "preauth required");
 	    goto out1;
 	}
@@ -252,7 +253,7 @@ _kdc_do_version4(krb5_context context,
 	ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
 	if(ret){
 	    kdc_log(context, config, 0, "no suitable DES key for client");
-	    make_err_reply(context, reply, KDC_NULL_KEY, 
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for client");
 	    goto out1;
 	}
@@ -265,7 +266,7 @@ _kdc_do_version4(krb5_context context,
 	if(ret){
 	    kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", 
 		    name, inst, realm);
-	    make_err_reply(context, reply, KDC_NULL_KEY, 
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "No version-4 salted key in database");
 	    goto out1;
 	}
@@ -274,8 +275,7 @@ _kdc_do_version4(krb5_context context,
 	ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
 	if(ret){
 	    kdc_log(context, config, 0, "no suitable DES key for server");
-	    /* XXX */
-	    make_err_reply(context, reply, KDC_NULL_KEY, 
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for server");
 	    goto out1;
 	}
@@ -400,7 +400,7 @@ _kdc_do_version4(krb5_context context,
 		    "tgs-req (krb4) with old kvno %d (current %d) for "
 		    "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256, 
 		    realm, config->v4_realm);
-	    make_err_reply(context, reply, KDC_AUTH_EXP,
+	    make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
 			   "old krbtgt kvno used");
 	    goto out2;
 	}
@@ -409,8 +409,7 @@ _kdc_do_version4(krb5_context context,
 	if(ret){
 	    kdc_log(context, config, 0, 
 		    "no suitable DES key for krbtgt (krb4)");
-	    /* XXX */
-	    make_err_reply(context, reply, KDC_NULL_KEY, 
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for krbtgt");
 	    goto out2;
 	}
@@ -456,7 +455,7 @@ _kdc_do_version4(krb5_context context,
 	if(strcmp(ad.prealm, realm)){
 	    kdc_log(context, config, 0, 
 		    "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, 
 			   "Can't hop realms");
 	    goto out2;
 	}
@@ -465,7 +464,7 @@ _kdc_do_version4(krb5_context context,
 	    kdc_log(context, config, 0, 
 		    "krb4 Cross-realm %s -> %s disabled",
 		    realm, config->v4_realm);
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
 			   "Can't hop realms");
 	    goto out2;
 	}
@@ -473,7 +472,7 @@ _kdc_do_version4(krb5_context context,
 	if(strcmp(sname, "changepw") == 0){
 	    kdc_log(context, config, 0, 
 		    "Bad request for changepw ticket (krb4)");
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, 
 			   "Can't authorize password change based on TGT");
 	    goto out2;
 	}
@@ -485,7 +484,7 @@ _kdc_do_version4(krb5_context context,
 	    s = kdc_log_msg(context, config, 0,
 			    "Client not found in database: (krb4) %s: %s",
 			    client_name, krb5_get_err_text(context, ret));
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 	    free(s);
 	    goto out2;
 	}
@@ -494,7 +493,7 @@ _kdc_do_version4(krb5_context context,
 	    s = kdc_log_msg(context, config, 0,
 			    "Local client not found in database: (krb4) "
 			    "%s", client_name);
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 	    free(s);
 	    goto out2;
 	}
@@ -506,7 +505,7 @@ _kdc_do_version4(krb5_context context,
 	    s = kdc_log_msg(context, config, 0,
 			    "Server not found in database (krb4): %s: %s",
 			    server_name, krb5_get_err_text(context, ret));
-	    make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+	    make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
 	    free(s);
 	    goto out2;
 	}
@@ -516,8 +515,7 @@ _kdc_do_version4(krb5_context context,
 				server, server_name,
 				FALSE);
 	if (ret) {
-	    /* good error code? */
-	    make_err_reply(context, reply, KERB_ERR_NAME_EXP,
+	    make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
 			   "operation not allowed");
 	    goto out2;
 	}
@@ -526,8 +524,7 @@ _kdc_do_version4(krb5_context context,
 	if(ret){
 	    kdc_log(context, config, 0, 
 		    "no suitable DES key for server (krb4)");
-	    /* XXX */
-	    make_err_reply(context, reply, KDC_NULL_KEY, 
+	    make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
 			   "no suitable DES key for server");
 	    goto out2;
 	}
@@ -787,7 +784,7 @@ _kdc_get_des_key(krb5_context context,
 	else if(is_server && server_key)
 	    *ret_key = server_key;
 	else
-	    return KERB_ERR_NULL_KEY;
+	    return KRB4ET_KDC_NULL_KEY;
     } else {
 	if(v4_key)
 	    *ret_key = v4_key;
@@ -798,11 +795,11 @@ _kdc_get_des_key(krb5_context context,
 	else if(is_server && server_key)
 	    *ret_key = server_key;
 	else
-	    return KERB_ERR_NULL_KEY;
+	    return KRB4ET_KDC_NULL_KEY;
     }
 
     if((*ret_key)->key.keyvalue.length == 0)
-	return KERB_ERR_NULL_KEY;
+	return KRB4ET_KDC_NULL_KEY;
     return 0;
 }
 
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index e34938447a2..40a9c9c972f 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c 21040 2007-06-10 06:20:59Z lha $");
+RCSID("$Id: kerberos5.c 21529 2007-07-13 12:37:14Z lha $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -84,6 +84,22 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
     return NULL;
 }
 
+/*
+ * Detect if `key' is the using the the precomputed `default_salt'.
+ */
+
+static krb5_boolean
+is_default_salt_p(const krb5_salt *default_salt, const Key *key)
+{
+    if (key->salt == NULL)
+	return TRUE;
+    if (default_salt->salttype != key->salt->type)
+	return FALSE;
+    if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt))
+	return FALSE;
+    return TRUE;
+}
+
 /*
  * return the first appropriate key of `princ' in `ret_key'.  Look for
  * all the etypes in (`etypes', `len'), stopping as soon as we find
@@ -97,6 +113,9 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
 {
     int i;
     krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+    krb5_salt def_salt;
+
+    krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
 
     for(i = 0; ret != 0 && i < len ; i++) {
 	Key *key = NULL;
@@ -112,10 +131,13 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
 	    *ret_key   = key;
 	    *ret_etype = etypes[i];
 	    ret = 0;
-	    if (key->salt == NULL)
+	    if (is_default_salt_p(&def_salt, key)) {
+		krb5_free_salt (context, def_salt);
 		return ret;
+	    }
 	}
     }
+    krb5_free_salt (context, def_salt);
     return ret;
 }
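Review bot: The return value of krb5_get_pw_salt() is discarded; if it fails (it presumably allocates the salt value, so ENOMEM is at least possible) `def_salt` is left uninitialized and is then handed to is_default_salt_p() and krb5_free_salt(). Check it through a separate variable, because `ret` carries the KRB5KDC_ERR_ETYPE_NOSUPP sentinel the loop condition depends on: `krb5_error_code ret2 = krb5_get_pw_salt(context, princ->entry.principal, &def_salt); if (ret2) return ret2;`. The signature of _kdc_find_etype lies above this hunk.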
 
@@ -325,6 +347,43 @@ _kdc_encode_reply(krb5_context context,
     return 0;
 }
 
+/*
+ * Return 1 if the client have only older enctypes, this is for
+ * determining if the server should send ETYPE_INFO2 or not.
+ */
+
+static int
+older_enctype(krb5_enctype enctype)
+{
+    switch (enctype) {
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+    case ETYPE_DES3_CBC_SHA1:
+    case ETYPE_ARCFOUR_HMAC_MD5:
+    case ETYPE_ARCFOUR_HMAC_MD5_56:
+	return 1;
+    default:
+	return 0;
+    }
+}
+
+static int
+only_older_enctype_p(const KDC_REQ *req)
+{
+    int i;
+
+    for(i = 0; i < req->req_body.etype.len; i++) {
+	if (!older_enctype(req->req_body.etype.val[i]))
+	    return 0;
+    }
+    return 1;
+}
+
+/*
+ *
+ */
+
 static krb5_error_code
 make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
 {
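Review bot: The header comment placed above older_enctype() (`Return 1 if the client have only older enctypes...`) describes only_older_enctype_p(), which now follows it, while older_enctype() itself has no description and the empty `/* */` block above make_etype_info_entry() says nothing. Suggest `/* Return 1 if `enctype' is one of the legacy enctypes for which ETYPE-INFO rather than ETYPE-INFO2 is used. */` on older_enctype(), moving the existing comment down to only_older_enctype_p(), and either filling or deleting the empty block.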
@@ -395,14 +454,18 @@ get_pa_etype_info(krb5_context context,
 	return ENOMEM;
     memset(pa.val, 0, pa.len * sizeof(*pa.val));
 
-    for(j = 0; j < etypes_len; j++) {
-	for (i = 0; i < n; i++)
-	    if (pa.val[i].etype == etypes[j])
+    for(i = 0; i < client->keys.len; i++) {
+	for (j = 0; j < n; j++)
+	    if (pa.val[j].etype == client->keys.val[i].key.keytype)
 		goto skip1;
-	for(i = 0; i < client->keys.len; i++) {
+	for(j = 0; j < etypes_len; j++) {
 	    if(client->keys.val[i].key.keytype == etypes[j]) {
  		if (krb5_enctype_valid(context, etypes[j]) != 0)
  		    continue;
+		if (!older_enctype(etypes[j]))
+ 		    continue;
+		if (n >= pa.len)
+		    krb5_abortx(context, "internal error: n >= p.len");
 		if((ret = make_etype_info_entry(context, 
 						&pa.val[n++], 
 						&client->keys.val[i])) != 0) {
@@ -420,6 +483,10 @@ get_pa_etype_info(krb5_context context,
 	}
 	if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
 	    continue;
+	if (!older_enctype(etypes[j]))
+	    continue;
+	if (n >= pa.len)
+	    krb5_abortx(context, "internal error: n >= p.len");
 	if((ret = make_etype_info_entry(context, 
 					&pa.val[n++], 
 					&client->keys.val[i])) != 0) {
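Review bot: `etypes[j]` on the new `if (!older_enctype(etypes[j])) continue;` line is evaluated after the inner `for(j = 0; j < etypes_len; j++)` scan has run to completion without a match (that scan and its `goto skip2` sit just above this hunk; the same loop shape is visible in get_pa_etype_info2 further down), so `j == etypes_len` here and the read is one past the end of the client's etype array. The key being added in this loop is by construction one the client did not request, so the test belongs on the key's own enctype: `if (!older_enctype(client->keys.val[i].key.keytype))`. The same line added in the first loop of get_pa_etype_info (previous hunk) is fine, since there `etypes[j]` is inside the `j` loop body.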
@@ -429,16 +496,8 @@ get_pa_etype_info(krb5_context context,
     skip2:;
     }
     
-    if(n != pa.len) {
-	char *name;
-	ret = krb5_unparse_name(context, client->principal, &name);
-	if (ret)
-	    name = rk_UNCONST("<unparse_name failed>");
-	kdc_log(context, config, 0, 
-		"internal error in get_pa_etype_info(%s): %d != %d", 
-		name, n, pa.len);
-	if (ret == 0)
-	    free(name);
+    if(n < pa.len) {
+	/* stripped out newer enctypes */
  	pa.len = n;
     }
 
@@ -528,33 +587,9 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
 }
 
 /*
- * Return 1 if the client have only older enctypes, this is for
- * determining if the server should send ETYPE_INFO2 or not.
- */
-
-static int
-only_older_enctype_p(const KDC_REQ *req)
-{
-    int i;
-
-    for(i = 0; i < req->req_body.etype.len; i++) {
-	switch (req->req_body.etype.val[i]) {
-	case ETYPE_DES_CBC_CRC:
-	case ETYPE_DES_CBC_MD4:
-	case ETYPE_DES_CBC_MD5:
-	case ETYPE_DES3_CBC_SHA1:
-	case ETYPE_ARCFOUR_HMAC_MD5:
-	case ETYPE_ARCFOUR_HMAC_MD5_56:
-	    break;
-	default:
-	    return 0;
-	}
-    }
-    return 1;
-}
-
-/*
- *
+ * Return an ETYPE-INFO2. Enctypes are storted the same way as in the
+ * database (client supported enctypes first, then the unsupported
+ * enctypes).
  */
 
 static krb5_error_code
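Review bot: Two typos in the new comments: `storted` should be `sorted` in the get_pa_etype_info2 header comment here, and `cliene` should be `client` in the `/* send enctypes that the cliene doesn't know about too */` comment added in the following hunk of the same function. The rest of this hunk only relocates only_older_enctype_p(), which is reintroduced earlier in the file.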
@@ -578,11 +613,11 @@ get_pa_etype_info2(krb5_context context,
 	return ENOMEM;
     memset(pa.val, 0, pa.len * sizeof(*pa.val));
 
-    for(j = 0; j < etypes_len; j++) {
-	for (i = 0; i < n; i++)
-	    if (pa.val[i].etype == etypes[j])
+    for(i = 0; i < client->keys.len; i++) {
+	for (j = 0; j < n; j++)
+	    if (pa.val[j].etype == client->keys.val[i].key.keytype)
 		goto skip1;
-	for(i = 0; i < client->keys.len; i++) {
+	for(j = 0; j < etypes_len; j++) {
 	    if(client->keys.val[i].key.keytype == etypes[j]) {
 		if (krb5_enctype_valid(context, etypes[j]) != 0)
 		    continue;
@@ -595,6 +630,7 @@ get_pa_etype_info2(krb5_context context,
 	}
     skip1:;
     }
+    /* send enctypes that the cliene doesn't know about too */
     for(i = 0; i < client->keys.len; i++) {
 	for(j = 0; j < etypes_len; j++) {
 	    if(client->keys.val[i].key.keytype == etypes[j])
@@ -959,7 +995,9 @@ _kdc_as_rep(krb5_context context,
 	if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
 	    if (b->cname->name_string.len != 1) {
 		kdc_log(context, config, 0,
-			"AS-REQ malformed canon request from %s", from);
+			"AS-REQ malformed canon request from %s, "
+			"enterprise name with %d name components", 
+			from, b->cname->name_string.len);
 		ret = KRB5_PARSE_MALFORMED;
 		goto out;
 	    }
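Review bot: The new log line prints `b->cname->name_string.len` with `%d`; the `len` member of the asn1-generated SEQUENCE OF structs is, as far as I recall, `unsigned int`, so `%u` is the matching conversion and also keeps -Wformat quiet. Keeping `from` in the message alongside the component count is right, since the count alone does not identify the peer.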
@@ -1395,6 +1433,12 @@ _kdc_as_rep(krb5_context context,
     copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
     _krb5_principal2principalname(&rep.ticket.sname, 
 				  server->entry.principal);
+    /* java 1.6 expects the name to be the same type, lets allow that
+     * uncomplicated name-types. */
+#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
+    if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
+	rep.ticket.sname.name_type = b->sname->name_type;
+#undef CNT
 
     et.flags.initial = 1;
     if(client->entry.flags.forwardable && server->entry.flags.forwardable)
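Review bot: The CNT() macro dereferences `b->sname`, which is OPTIONAL in KDC-REQ-BODY; this is safe only if b->sname has been validated as non-NULL earlier in _kdc_as_rep (outside this hunk), which is presumably the case but worth stating with `/* b->sname is checked non-NULL above */`. Echoing the client-supplied name_type into the ticket is restricted to the five plain name types listed, which is the right shape; the comment could say so explicitly, e.g. `/* Echo the requested sname name-type, but only for the plain name types; java 1.6 expects the ticket sname to carry the type it asked for. */`. The macro invocation line also exceeds the file's usual line width.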
diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c
index 8414ecb4b2a..b1b861efef8 100644
--- a/source4/heimdal/kdc/kx509.c
+++ b/source4/heimdal/kdc/kx509.c
@@ -36,7 +36,7 @@
 #include <rfc2459_asn1.h>
 #include <hx509.h>
 
-RCSID("$Id: kx509.c 19992 2007-01-20 09:06:18Z lha $");
+RCSID("$Id: kx509.c 21607 2007-07-17 07:04:52Z lha $");
 
 /*
  *
@@ -56,7 +56,7 @@ _kdc_try_kx509_request(void *ptr, size_t len, Kx509Request *req, size_t *size)
  *
  */
 
-static const char version_2_0[4] = {0 , 0, 2, 0};
+static const unsigned char version_2_0[4] = {0 , 0, 2, 0};
 
 static krb5_error_code
 verify_req_hash(krb5_context context, 
@@ -122,7 +122,7 @@ calculate_reply_hash(krb5_context context,
     if (rep->certificate)
 	HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length);
     if (rep->e_text)
-	HMAC_Update(&ctx, *rep->e_text, strlen(*rep->e_text));
+	HMAC_Update(&ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text));
 
     HMAC_Final(&ctx, rep->hash->data, 0);
     HMAC_CTX_cleanup(&ctx);
diff --git a/source4/heimdal/kuser/kinit.c b/source4/heimdal/kuser/kinit.c
index 29a9bdd5c72..23fa7a5bafb 100644
--- a/source4/heimdal/kuser/kinit.c
+++ b/source4/heimdal/kuser/kinit.c
@@ -32,18 +32,10 @@
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kinit.c 20517 2007-04-22 10:42:26Z lha $");
+RCSID("$Id: kinit.c 21483 2007-07-10 16:40:46Z lha $");
 
 #include "krb5-v4compat.h"
 
-struct krb5_pk_identity;
-struct krb5_pk_cert;
-struct ContentInfo;
-struct _krb5_krb_auth_data;
-struct krb5_dh_moduli;
-struct krb5_plugin;
-enum plugin_type;
-#include "krb5-private.h"
 #include "heimntlm.h"
 
 int forwardable_flag	= -1;
diff --git a/source4/heimdal/lib/asn1/asn1_err.et b/source4/heimdal/lib/asn1/asn1_err.et
index 67af1a44fc3..c624e218e7c 100644
--- a/source4/heimdal/lib/asn1/asn1_err.et
+++ b/source4/heimdal/lib/asn1/asn1_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: asn1_err.et 20010 2007-01-20 21:52:27Z lha $"
+id "$Id: asn1_err.et 21394 2007-07-02 10:14:43Z lha $"
 
 error_table asn1
 prefix ASN1
@@ -19,4 +19,7 @@ error_code BAD_FORMAT,		"ASN.1 badly-formatted encoding"
 error_code PARSE_ERROR,		"ASN.1 parse error"
 error_code EXTRA_DATA,		"ASN.1 extra data past end of end structure"
 error_code BAD_CHARACTER,	"ASN.1 invalid character in string"
+error_code MIN_CONSTRAINT,	"ASN.1 too few elements"
+error_code MAX_CONSTRAINT,	"ASN.1 too many elements"
+error_code EXACT_CONSTRAINT,	"ASN.1 wrong number of elements"
 end
diff --git a/source4/heimdal/lib/asn1/der_get.c b/source4/heimdal/lib/asn1/der_get.c
index 3022435b336..f232ce9a296 100644
--- a/source4/heimdal/lib/asn1/der_get.c
+++ b/source4/heimdal/lib/asn1/der_get.c
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_get.c 20570 2007-04-27 14:06:27Z lha $");
+RCSID("$Id: der_get.c 21369 2007-06-27 10:14:39Z lha $");
 
 #include <version.h>
 
@@ -336,32 +336,25 @@ generalizedtime2time (const char *s, time_t *t)
     *t = _der_timegm (&tm);
     return 0;
 }
-#undef timegm
 
 static int
 der_get_time (const unsigned char *p, size_t len, 
 	      time_t *data, size_t *size)
 {
-    heim_octet_string k;
     char *times;
-    size_t ret = 0;
-    size_t l;
     int e;
 
-    e = der_get_octet_string (p, len, &k, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    times = realloc(k.data, k.length + 1);
-    if (times == NULL){
-	free(k.data);
+    if (len > len + 1 || len == 0)
+	return ASN1_BAD_LENGTH;
+
+    times = malloc(len + 1);
+    if (times == NULL)
 	return ENOMEM;
-    }
-    times[k.length] = 0;
+    memcpy(times, p, len);
+    times[len] = '\0';
     e = generalizedtime2time(times, data);
     free (times);
-    if(size) *size = ret;
+    if(size) *size = len;
     return e;
 }
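Review bot: `len > len + 1` is true only when `len == SIZE_MAX`, which reads as a puzzle; `if (len == 0 || len == SIZE_MAX) return ASN1_BAD_LENGTH;` states the intent (guarding the `len + 1` passed to malloc) directly, with SIZE_MAX from <stdint.h>. The rest of the rewrite is an improvement: the bytes are copied straight from `p` and terminated instead of going through der_get_octet_string() and a realloc. The `#undef timegm` removed above this function is unrelated to it; worth confirming nothing later in the file relied on it.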
 
diff --git a/source4/heimdal/lib/asn1/gen.c b/source4/heimdal/lib/asn1/gen.c
index cc1a3056def..26890212ae6 100644
--- a/source4/heimdal/lib/asn1/gen.c
+++ b/source4/heimdal/lib/asn1/gen.c
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen.c 20670 2007-05-11 00:39:41Z lha $");
+RCSID("$Id: gen.c 21364 2007-06-27 08:51:06Z lha $");
 
 FILE *headerfile, *codefile, *logfile;
 
@@ -253,6 +253,7 @@ generate_header_of_codefile(const char *name)
 	     "#include <time.h>\n"
 	     "#include <string.h>\n"
 	     "#include <errno.h>\n"
+	     "#include <limits.h>\n"
 	     "#include <krb5-types.h>\n",
 	     orig_filename);
 
diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c
index 7ebef6cdceb..face9ba47a0 100644
--- a/source4/heimdal/lib/asn1/gen_decode.c
+++ b/source4/heimdal/lib/asn1/gen_decode.c
@@ -34,7 +34,7 @@
 #include "gen_locl.h"
 #include "lex.h"
 
-RCSID("$Id: gen_decode.c 19572 2006-12-29 17:30:32Z lha $");
+RCSID("$Id: gen_decode.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
 decode_primitive (const char *typename, const char *name, const char *forwstr)
@@ -202,6 +202,32 @@ find_tag (const Type *t,
     }
 }
 
+static void
+range_check(const char *name,
+	    const char *length,
+	    const char *forwstr, 
+	    struct range *r)
+{
+    if (r->min == r->max + 2 || r->min < r->max)
+	fprintf (codefile,
+		 "if ((%s)->%s > %d) {\n"
+		 "e = ASN1_MAX_CONSTRAINT; %s;\n"
+		 "}\n",
+		 name, length, r->max, forwstr);
+    if (r->min - 1 == r->max || r->min < r->max)
+	fprintf (codefile,
+		 "if ((%s)->%s < %d) {\n"
+		 "e = ASN1_MIN_CONSTRAINT; %s;\n"
+		 "}\n",
+		 name, length, r->min, forwstr);
+    if (r->max == r->min)
+	fprintf (codefile,
+		 "if ((%s)->%s != %d) {\n"
+		 "e = ASN1_EXACT_CONSTRAINT; %s;\n"
+		 "}\n",
+		 name, length, r->min, forwstr);
+}
+
 static int
 decode_type (const char *name, const Type *t, int optional, 
 	     const char *forwstr, const char *tmpstr)
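Review bot: The three conditions in range_check() encode open-ended bounds through sentinel relationships, `r->min == r->max + 2` and `r->min - 1 == r->max`, that nothing in this file explains; from the emitted checks the first yields only the upper-bound test and the second only the lower-bound test, so they presumably mirror how the parser (parse.c is in this commit's diffstat) represents `MIN`/`MAX` in a SIZE constraint. A comment above the function, e.g. `/* Emit length checks for a SIZE constraint. min == max+2 and min-1 == max are the parser's encodings of an open lower/upper bound; confirm against the range grammar in parse.c before relying on them. */`, would make that visible and also make it obvious that a `min > max` pair matching neither sentinel silently emits no check at all. The generated comparison tests an unsigned `length`/`len` against the int `%d`, which is fine as long as bounds are non-negative.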
@@ -236,12 +262,14 @@ decode_type (const char *name, const Type *t, int optional,
     }
     case TInteger:
 	if(t->members) {
-	    char *s;
-	    asprintf(&s, "(int*)%s", name);
-	    if (s == NULL)
-		errx (1, "out of memory");
-	    decode_primitive ("integer", s, forwstr);
-	    free(s);
+	    fprintf(codefile,
+		    "{\n"
+		    "int enumint;\n");
+	    decode_primitive ("integer", "&enumint", forwstr);
+	    fprintf(codefile,
+		    "*%s = enumint;\n"
+		    "}\n",
+		    name);
 	} else if (t->range == NULL) {
 	    decode_primitive ("heim_integer", name, forwstr);
 	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
@@ -262,6 +290,8 @@ decode_type (const char *name, const Type *t, int optional,
 	break;
     case TOctetString:
 	decode_primitive ("octet_string", name, forwstr);
+	if (t->range)
+	    range_check(name, "length", forwstr, t->range);
 	break;
     case TBitString: {
 	Member *m;
@@ -394,19 +424,31 @@ decode_type (const char *name, const Type *t, int optional,
 		 "{\n"
 		 "size_t %s_origlen = len;\n"
 		 "size_t %s_oldret = ret;\n"
+		 "size_t %s_olen = 0;\n"
 		 "void *%s_tmp;\n"
 		 "ret = 0;\n"
 		 "(%s)->len = 0;\n"
-		 "(%s)->val = NULL;\n"
+		 "(%s)->val = NULL;\n",
+		 tmpstr,
+		 tmpstr,
+		 tmpstr,
+		 tmpstr,
+		 name,
+		 name);
+
+	fprintf (codefile,
 		 "while(ret < %s_origlen) {\n"
-		 "%s_tmp = realloc((%s)->val, "
-		 "    sizeof(*((%s)->val)) * ((%s)->len + 1));\n"
-		 "if (%s_tmp == NULL) { %s; }\n"
+		 "size_t %s_nlen = %s_olen + sizeof(*((%s)->val));\n"
+		 "if (%s_olen > %s_nlen) { e = ASN1_OVERFLOW; %s; }\n"
+		 "%s_olen = %s_nlen;\n"
+		 "%s_tmp = realloc((%s)->val, %s_olen);\n"
+		 "if (%s_tmp == NULL) { e = ENOMEM; %s; }\n"
 		 "(%s)->val = %s_tmp;\n",
-		 tmpstr, tmpstr, tmpstr,
-		 name, name,
+		 tmpstr,
+		 tmpstr, tmpstr, name,
+		 tmpstr, tmpstr, forwstr,
 		 tmpstr, tmpstr,
-		 name, name, name,
+		 tmpstr, name, tmpstr,
 		 tmpstr, forwstr, 
 		 name, tmpstr);
 
@@ -425,6 +467,8 @@ decode_type (const char *name, const Type *t, int optional,
 		 "}\n",
 		 name,
 		 tmpstr, tmpstr);
+	if (t->range)
+	    range_check(name, "len", forwstr, t->range);
 	free (n);
 	free (sname);
 	break;
diff --git a/source4/heimdal/lib/asn1/gen_encode.c b/source4/heimdal/lib/asn1/gen_encode.c
index b5337b1c430..9544514212f 100644
--- a/source4/heimdal/lib/asn1/gen_encode.c
+++ b/source4/heimdal/lib/asn1/gen_encode.c
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_encode.c 19572 2006-12-29 17:30:32Z lha $");
+RCSID("$Id: gen_encode.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
 encode_primitive (const char *typename, const char *name)
@@ -121,12 +121,12 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 	break;
     case TInteger:
 	if(t->members) {
-	    char *s;
-	    asprintf(&s, "(const int*)%s", name);
-	    if(s == NULL)
-		errx(1, "out of memory");
-	    encode_primitive ("integer", s);
-	    free(s);
+	    fprintf(codefile,
+		    "{\n"
+		    "int enumint = (int)*%s;\n",
+		    name);
+	    encode_primitive ("integer", "&enumint");
+	    fprintf(codefile, "}\n;");
 	} else if (t->range == NULL) {
 	    encode_primitive ("heim_integer", name);
 	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
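Review bot: `fprintf(codefile, "}\n;");` emits a stray `;` after the closing brace of the enum block in the generated encoder; gen_length.c in the same commit emits `"}\n"` for the identical construct, so this should be `fprintf(codefile, "}\n");`. An empty statement is harmless to the compiler but leaves the generated source inconsistent between the generators. The `(int)*%s` cast here is also more explicit than gen_length.c's `int enumint = *%s;` — either is fine, but the three generators should agree.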
@@ -292,6 +292,11 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 		"size_t elen, totallen = 0;\n"
 		"int eret;\n");
 
+	fprintf(codefile,
+		"if ((%s)->len > UINT_MAX/sizeof(val[0]))\n"
+		"return ERANGE;\n",
+		name);
+
 	fprintf(codefile,
 		"val = malloc(sizeof(val[0]) * (%s)->len);\n"
 		"if (val == NULL && (%s)->len != 0) return ENOMEM;\n",
diff --git a/source4/heimdal/lib/asn1/gen_length.c b/source4/heimdal/lib/asn1/gen_length.c
index a1f7cc66444..4cb5d45089f 100644
--- a/source4/heimdal/lib/asn1/gen_length.c
+++ b/source4/heimdal/lib/asn1/gen_length.c
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_length.c 19539 2006-12-28 17:15:05Z lha $");
+RCSID("$Id: gen_length.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
 length_primitive (const char *typename,
@@ -72,12 +72,11 @@ length_type (const char *name, const Type *t,
 	break;
     case TInteger:
 	if(t->members) {
-	    char *s;
-	    asprintf(&s, "(const int*)%s", name);
-	    if(s == NULL)
-		errx (1, "out of memory");
-	    length_primitive ("integer", s, variable);
-	    free(s);
+	    fprintf(codefile,
+		    "{\n"
+		    "int enumint = *%s;\n", name);
+	    length_primitive ("integer", "&enumint", variable);
+	    fprintf(codefile, "}\n");
 	} else if (t->range == NULL) {
 	    length_primitive ("heim_integer", name, variable);
 	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
diff --git a/source4/heimdal/lib/asn1/k5.asn1 b/source4/heimdal/lib/asn1/k5.asn1
index 14e9793fdc0..e3fe2b11e9a 100644
--- a/source4/heimdal/lib/asn1/k5.asn1
+++ b/source4/heimdal/lib/asn1/k5.asn1
@@ -1,4 +1,4 @@
--- $Id: k5.asn1 21092 2007-06-15 19:47:46Z lha $
+-- $Id: k5.asn1 21400 2007-07-02 19:57:31Z lha $
 
 KERBEROS5 DEFINITIONS ::=
 BEGIN
@@ -332,7 +332,7 @@ ETYPE-INFO2-ENTRY ::= SEQUENCE {
 	s2kparams[2]		OCTET STRING OPTIONAL
 }
 
-ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
 
 METHOD-DATA ::= SEQUENCE OF PA-DATA
 
@@ -341,7 +341,7 @@ TypedData ::=   SEQUENCE {
 	data-value[1]		OCTET STRING OPTIONAL
 }
 
-TYPED-DATA ::= SEQUENCE OF TypedData
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
 
 KDC-REQ-BODY ::= SEQUENCE {
 	kdc-options[0]		KDCOptions,
diff --git a/source4/heimdal/lib/asn1/lex.c b/source4/heimdal/lib/asn1/lex.c
index fe488eb904e..d628e4696f5 100644
--- a/source4/heimdal/lib/asn1/lex.c
+++ b/source4/heimdal/lib/asn1/lex.c
@@ -1,6 +1,5 @@
-#include "config.h"
 
-#line 3 "lex.yy.c"
+#line 3 "lex.c"
 
 #define  YY_INT_ALIGNED short int
 
@@ -343,6 +342,9 @@ FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
 typedef int yy_state_type;
 
 extern int yylineno;
+
+int yylineno = 1;
+
 extern char *yytext;
 #define yytext_ptr yytext
 
@@ -824,7 +826,7 @@ char *yytext;
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */
+/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -849,7 +851,7 @@ static unsigned lineno = 1;
 static void unterminated(const char *, unsigned);
 
 /* This is for broken old lexes (solaris 10 and hpux) */
-#line 852 "lex.yy.c"
+#line 855 "lex.c"
 
 #define INITIAL 0
 
@@ -1004,7 +1006,7 @@ YY_DECL
     
 #line 68 "lex.l"
 
-#line 1007 "lex.yy.c"
+#line 1010 "lex.c"
 
 	if ( !(yy_init) )
 		{
@@ -1673,7 +1675,7 @@ YY_RULE_SETUP
 #line 274 "lex.l"
 ECHO;
 	YY_BREAK
-#line 1676 "lex.yy.c"
+#line 1679 "lex.c"
 case YY_STATE_EOF(INITIAL):
 	yyterminate();
 
@@ -2483,6 +2485,15 @@ static void yy_fatal_error (yyconst char* msg )
 
 /* Accessor  methods (get/set functions) to struct members. */
 
+/** Get the current line number.
+ * 
+ */
+int yyget_lineno  (void)
+{
+        
+    return yylineno;
+}
+
 /** Get the input stream.
  * 
  */
@@ -2516,6 +2527,16 @@ char *yyget_text  (void)
         return yytext;
 }
 
+/** Set the current line number.
+ * @param line_number
+ * 
+ */
+void yyset_lineno (int  line_number )
+{
+    
+    yylineno = line_number;
+}
+
 /** Set the input stream. This does not discard the current
  * input buffer.
  * @param in_str A readable stream.
diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c
index d9cd23b6623..6a3e524e93a 100644
--- a/source4/heimdal/lib/asn1/parse.c
+++ b/source4/heimdal/lib/asn1/parse.c
@@ -16,7 +16,9 @@
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
-   along with this program; if not, see <http://www.gnu.org/licenses/>.  */
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
 
 /* As a special exception, you may create a larger work that contains
    part or all of the Bison parser skeleton and distribute that work
@@ -259,7 +261,7 @@
 #include "gen_locl.h"
 #include "der.h"
 
-RCSID("$Id: parse.y 19539 2006-12-28 17:15:05Z lha $");
+RCSID("$Id: parse.y 21597 2007-07-16 18:48:58Z lha $");
 
 static Type *new_type (Typetype t);
 static struct constraint_spec *new_constraint_spec(enum ctype);
@@ -300,7 +302,7 @@ typedef union YYSTYPE
 {
     int constant;
     struct value *value;
-    struct range range;
+    struct range *range;
     char *name;
     Type *type;
     Member *member;
@@ -538,18 +540,18 @@ union yyalloc
 #endif
 
 /* YYFINAL -- State number of the termination state.  */
-#define YYFINAL  4
+#define YYFINAL  6
 /* YYLAST -- Last index in YYTABLE.  */
-#define YYLAST   169
+#define YYLAST   195
 
 /* YYNTOKENS -- Number of terminals.  */
 #define YYNTOKENS  98
 /* YYNNTS -- Number of nonterminals.  */
-#define YYNNTS  67
+#define YYNNTS  68
 /* YYNRULES -- Number of rules.  */
-#define YYNRULES  131
+#define YYNRULES  136
 /* YYNRULES -- Number of states.  */
-#define YYNSTATES  202
+#define YYNSTATES  214
 
 /* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
 #define YYUNDEFTOK  2
@@ -603,80 +605,83 @@ static const yytype_uint8 yytranslate[] =
    YYRHS.  */
 static const yytype_uint16 yyprhs[] =
 {
-       0,     0,     3,    12,    15,    18,    21,    22,    25,    26,
-      29,    30,    34,    35,    37,    38,    40,    43,    48,    50,
-      53,    55,    57,    61,    63,    67,    69,    71,    73,    75,
-      77,    79,    81,    83,    85,    87,    89,    91,    93,    95,
-      97,    99,   101,   103,   109,   111,   114,   119,   121,   125,
-     129,   134,   139,   141,   144,   150,   153,   156,   158,   163,
-     167,   171,   176,   180,   184,   189,   191,   193,   195,   197,
-     199,   202,   206,   208,   210,   212,   215,   219,   225,   230,
-     234,   239,   240,   242,   244,   246,   247,   249,   251,   256,
-     258,   260,   262,   264,   266,   268,   270,   272,   274,   278,
-     282,   285,   287,   290,   294,   296,   300,   305,   307,   308,
-     312,   313,   316,   321,   323,   325,   327,   329,   331,   333,
-     335,   337,   339,   341,   343,   345,   347,   349,   351,   353,
-     355,   357
+       0,     0,     3,    13,    16,    19,    22,    23,    26,    27,
+      30,    31,    35,    36,    38,    39,    41,    44,    49,    51,
+      54,    56,    58,    62,    64,    68,    70,    72,    74,    76,
+      78,    80,    82,    84,    86,    88,    90,    92,    94,    96,
+      98,   100,   102,   104,   110,   116,   122,   126,   128,   131,
+     136,   138,   142,   146,   151,   156,   158,   161,   167,   170,
+     174,   176,   177,   180,   185,   189,   194,   199,   203,   207,
+     212,   214,   216,   218,   220,   222,   225,   229,   231,   233,
+     235,   238,   242,   248,   253,   257,   262,   263,   265,   267,
+     269,   270,   272,   274,   279,   281,   283,   285,   287,   289,
+     291,   293,   295,   297,   301,   305,   308,   310,   313,   317,
+     319,   323,   328,   330,   331,   335,   336,   339,   344,   346,
+     348,   350,   352,   354,   356,   358,   360,   362,   364,   366,
+     368,   370,   372,   374,   376,   378,   380
 };
 
 /* YYRHS -- A `-1'-separated list of the rules' RHS.  */
 static const yytype_int16 yyrhs[] =
 {
-      99,     0,    -1,    86,    21,   100,   101,    84,     8,   102,
-      24,    -1,    27,    70,    -1,    38,    70,    -1,     7,    70,
-      -1,    -1,    29,    39,    -1,    -1,   103,   107,    -1,    -1,
-      40,   104,    90,    -1,    -1,   105,    -1,    -1,   106,    -1,
-     105,   106,    -1,   109,    32,    86,   150,    -1,   108,    -1,
-     108,   107,    -1,   110,    -1,   142,    -1,    86,    91,   109,
-      -1,    86,    -1,    86,    84,   111,    -1,   112,    -1,   129,
-      -1,   132,    -1,   120,    -1,   113,    -1,   143,    -1,   128,
-      -1,   118,    -1,   115,    -1,   123,    -1,   121,    -1,   122,
-      -1,   124,    -1,   125,    -1,   126,    -1,   127,    -1,   138,
-      -1,    11,    -1,    92,   154,    83,   154,    93,    -1,    43,
-      -1,    43,   114,    -1,    43,    94,   116,    95,    -1,   117,
-      -1,   116,    91,   117,    -1,   116,    91,    85,    -1,    86,
-      92,   162,    93,    -1,    25,    94,   119,    95,    -1,   116,
-      -1,     9,    67,    -1,     9,    67,    94,   148,    95,    -1,
-      51,    37,    -1,    52,    67,    -1,    49,    -1,    64,    94,
-     145,    95,    -1,    64,    94,    95,    -1,    64,    53,   111,
-      -1,    65,    94,   145,    95,    -1,    65,    94,    95,    -1,
-      65,    53,   111,    -1,    14,    94,   145,    95,    -1,   130,
-      -1,   131,    -1,    86,    -1,    34,    -1,    77,    -1,   111,
-     133,    -1,    92,   134,    93,    -1,   135,    -1,   136,    -1,
-     137,    -1,    19,   111,    -1,    23,    12,   154,    -1,    19,
-     111,    23,    12,   154,    -1,    18,    12,    94,    95,    -1,
-     139,   141,   111,    -1,    96,   140,    89,    97,    -1,    -1,
-      76,    -1,     6,    -1,    60,    -1,    -1,    27,    -1,    38,
-      -1,    86,   111,    84,   154,    -1,   144,    -1,    33,    -1,
-      78,    -1,    61,    -1,    81,    -1,    36,    -1,    10,    -1,
-      79,    -1,   147,    -1,   145,    91,   147,    -1,   145,    91,
-      85,    -1,    86,   111,    -1,   146,    -1,   146,    54,    -1,
-     146,    20,   154,    -1,   149,    -1,   148,    91,   149,    -1,
-      86,    92,    89,    93,    -1,   151,    -1,    -1,    94,   152,
-      95,    -1,    -1,   153,   152,    -1,    86,    92,    89,    93,
-      -1,    86,    -1,    89,    -1,   155,    -1,   156,    -1,   160,
-      -1,   159,    -1,   161,    -1,   164,    -1,   163,    -1,   157,
-      -1,   158,    -1,    86,    -1,    88,    -1,    71,    -1,    31,
-      -1,   162,    -1,    89,    -1,    49,    -1,   151,    -1
+      99,     0,    -1,    86,   151,    21,   100,   101,    84,     8,
+     102,    24,    -1,    27,    70,    -1,    38,    70,    -1,     7,
+      70,    -1,    -1,    29,    39,    -1,    -1,   103,   107,    -1,
+      -1,    40,   104,    90,    -1,    -1,   105,    -1,    -1,   106,
+      -1,   105,   106,    -1,   109,    32,    86,   151,    -1,   108,
+      -1,   108,   107,    -1,   110,    -1,   143,    -1,    86,    91,
+     109,    -1,    86,    -1,    86,    84,   111,    -1,   112,    -1,
+     130,    -1,   133,    -1,   120,    -1,   113,    -1,   144,    -1,
+     129,    -1,   118,    -1,   115,    -1,   123,    -1,   121,    -1,
+     122,    -1,   125,    -1,   126,    -1,   127,    -1,   128,    -1,
+     139,    -1,    11,    -1,    92,   155,    83,   155,    93,    -1,
+      92,   155,    83,    46,    93,    -1,    92,    47,    83,   155,
+      93,    -1,    92,   155,    93,    -1,    43,    -1,    43,   114,
+      -1,    43,    94,   116,    95,    -1,   117,    -1,   116,    91,
+     117,    -1,   116,    91,    85,    -1,    86,    92,   163,    93,
+      -1,    25,    94,   119,    95,    -1,   116,    -1,     9,    67,
+      -1,     9,    67,    94,   149,    95,    -1,    51,    37,    -1,
+      52,    67,   124,    -1,    49,    -1,    -1,    66,   114,    -1,
+      64,    94,   146,    95,    -1,    64,    94,    95,    -1,    64,
+     124,    53,   111,    -1,    65,    94,   146,    95,    -1,    65,
+      94,    95,    -1,    65,    53,   111,    -1,    14,    94,   146,
+      95,    -1,   131,    -1,   132,    -1,    86,    -1,    34,    -1,
+      77,    -1,   111,   134,    -1,    92,   135,    93,    -1,   136,
+      -1,   137,    -1,   138,    -1,    19,   111,    -1,    23,    12,
+     155,    -1,    19,   111,    23,    12,   155,    -1,    18,    12,
+      94,    95,    -1,   140,   142,   111,    -1,    96,   141,    89,
+      97,    -1,    -1,    76,    -1,     6,    -1,    60,    -1,    -1,
+      27,    -1,    38,    -1,    86,   111,    84,   155,    -1,   145,
+      -1,    33,    -1,    78,    -1,    61,    -1,    81,    -1,    36,
+      -1,    10,    -1,    79,    -1,   148,    -1,   146,    91,   148,
+      -1,   146,    91,    85,    -1,    86,   111,    -1,   147,    -1,
+     147,    54,    -1,   147,    20,   155,    -1,   150,    -1,   149,
+      91,   150,    -1,    86,    92,    89,    93,    -1,   152,    -1,
+      -1,    94,   153,    95,    -1,    -1,   154,   153,    -1,    86,
+      92,    89,    93,    -1,    86,    -1,    89,    -1,   156,    -1,
+     157,    -1,   161,    -1,   160,    -1,   162,    -1,   165,    -1,
+     164,    -1,   158,    -1,   159,    -1,    86,    -1,    88,    -1,
+      71,    -1,    31,    -1,   163,    -1,    89,    -1,    49,    -1,
+     152,    -1
 };
 
 /* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
 static const yytype_uint16 yyrline[] =
 {
-       0,   231,   231,   238,   239,   241,   243,   246,   248,   251,
-     252,   255,   256,   259,   260,   263,   264,   267,   278,   279,
-     282,   283,   286,   292,   300,   310,   311,   312,   315,   316,
-     317,   318,   319,   320,   321,   322,   323,   324,   325,   326,
-     327,   328,   331,   338,   348,   353,   360,   368,   374,   379,
-     383,   396,   404,   407,   414,   422,   428,   435,   442,   448,
-     456,   464,   470,   478,   486,   493,   494,   497,   508,   513,
-     520,   536,   542,   545,   546,   549,   555,   563,   573,   579,
-     592,   601,   604,   608,   612,   619,   622,   626,   633,   644,
-     647,   652,   657,   662,   667,   672,   677,   685,   691,   696,
-     707,   718,   724,   730,   738,   744,   751,   764,   765,   768,
-     775,   778,   789,   793,   804,   810,   811,   814,   815,   816,
-     817,   818,   821,   824,   827,   838,   846,   852,   860,   868,
-     871,   876
+       0,   233,   233,   240,   241,   243,   245,   248,   250,   253,
+     254,   257,   258,   261,   262,   265,   266,   269,   280,   281,
+     284,   285,   288,   294,   302,   312,   313,   314,   317,   318,
+     319,   320,   321,   322,   323,   324,   325,   326,   327,   328,
+     329,   330,   333,   340,   350,   358,   366,   377,   382,   388,
+     396,   402,   407,   411,   424,   432,   435,   442,   450,   456,
+     465,   473,   474,   479,   485,   493,   502,   508,   516,   524,
+     531,   532,   535,   546,   551,   558,   574,   580,   583,   584,
+     587,   593,   601,   611,   617,   630,   639,   642,   646,   650,
+     657,   660,   664,   671,   682,   685,   690,   695,   700,   705,
+     710,   715,   723,   729,   734,   745,   756,   762,   768,   776,
+     782,   789,   802,   803,   806,   813,   816,   827,   831,   842,
+     848,   849,   852,   853,   854,   855,   856,   859,   862,   865,
+     876,   884,   890,   898,   906,   909,   914
 };
 #endif
 
@@ -712,7 +717,7 @@ static const char *const yytname[] =
   "TypeAssignment", "Type", "BuiltinType", "BooleanType", "range",
   "IntegerType", "NamedNumberList", "NamedNumber", "EnumeratedType",
   "Enumerations", "BitStringType", "ObjectIdentifierType",
-  "OctetStringType", "NullType", "SequenceType", "SequenceOfType",
+  "OctetStringType", "NullType", "size", "SequenceType", "SequenceOfType",
   "SetType", "SetOfType", "ChoiceType", "ReferencedType", "DefinedType",
   "UsefulType", "ConstrainedType", "Constraint", "ConstraintSpec",
   "GeneralConstraint", "ContentsConstraint", "UserDefinedConstraint",
@@ -751,35 +756,35 @@ static const yytype_uint8 yyr1[] =
      102,   103,   103,   104,   104,   105,   105,   106,   107,   107,
      108,   108,   109,   109,   110,   111,   111,   111,   112,   112,
      112,   112,   112,   112,   112,   112,   112,   112,   112,   112,
-     112,   112,   113,   114,   115,   115,   115,   116,   116,   116,
-     117,   118,   119,   120,   120,   121,   122,   123,   124,   124,
-     125,   126,   126,   127,   128,   129,   129,   130,   131,   131,
-     132,   133,   134,   135,   135,   136,   136,   136,   137,   138,
-     139,   140,   140,   140,   140,   141,   141,   141,   142,   143,
-     144,   144,   144,   144,   144,   144,   144,   145,   145,   145,
-     146,   147,   147,   147,   148,   148,   149,   150,   150,   151,
-     152,   152,   153,   153,   153,   154,   154,   155,   155,   155,
-     155,   155,   156,   157,   158,   159,   160,   160,   161,   162,
-     163,   164
+     112,   112,   113,   114,   114,   114,   114,   115,   115,   115,
+     116,   116,   116,   117,   118,   119,   120,   120,   121,   122,
+     123,   124,   124,   125,   125,   126,   127,   127,   128,   129,
+     130,   130,   131,   132,   132,   133,   134,   135,   136,   136,
+     137,   137,   137,   138,   139,   140,   141,   141,   141,   141,
+     142,   142,   142,   143,   144,   145,   145,   145,   145,   145,
+     145,   145,   146,   146,   146,   147,   148,   148,   148,   149,
+     149,   150,   151,   151,   152,   153,   153,   154,   154,   154,
+     155,   155,   156,   156,   156,   156,   156,   157,   158,   159,
+     160,   161,   161,   162,   163,   164,   165
 };
 
 /* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
 static const yytype_uint8 yyr2[] =
 {
-       0,     2,     8,     2,     2,     2,     0,     2,     0,     2,
+       0,     2,     9,     2,     2,     2,     0,     2,     0,     2,
        0,     3,     0,     1,     0,     1,     2,     4,     1,     2,
        1,     1,     3,     1,     3,     1,     1,     1,     1,     1,
        1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
-       1,     1,     1,     5,     1,     2,     4,     1,     3,     3,
-       4,     4,     1,     2,     5,     2,     2,     1,     4,     3,
-       3,     4,     3,     3,     4,     1,     1,     1,     1,     1,
-       2,     3,     1,     1,     1,     2,     3,     5,     4,     3,
-       4,     0,     1,     1,     1,     0,     1,     1,     4,     1,
-       1,     1,     1,     1,     1,     1,     1,     1,     3,     3,
-       2,     1,     2,     3,     1,     3,     4,     1,     0,     3,
-       0,     2,     4,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     5,     5,     5,     3,     1,     2,     4,
+       1,     3,     3,     4,     4,     1,     2,     5,     2,     3,
+       1,     0,     2,     4,     3,     4,     4,     3,     3,     4,
+       1,     1,     1,     1,     1,     2,     3,     1,     1,     1,
+       2,     3,     5,     4,     3,     4,     0,     1,     1,     1,
+       0,     1,     1,     4,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     3,     3,     2,     1,     2,     3,     1,
+       3,     4,     1,     0,     3,     0,     2,     4,     1,     1,
        1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
-       1,     1
+       1,     1,     1,     1,     1,     1,     1
 };
 
 /* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
@@ -787,79 +792,81 @@ static const yytype_uint8 yyr2[] =
    means the default is an error.  */
 static const yytype_uint8 yydefact[] =
 {
-       0,     0,     0,     6,     1,     0,     0,     0,     8,     5,
-       3,     4,     0,     0,     7,     0,    10,    14,     0,     0,
-      23,     0,    13,    15,     0,     2,     0,     9,    18,    20,
-      21,     0,    11,    16,     0,     0,    95,    42,     0,     0,
-      90,    68,    94,    44,    57,     0,     0,    92,     0,     0,
-      69,    91,    96,    93,     0,    67,    81,     0,    25,    29,
-      33,    32,    28,    35,    36,    34,    37,    38,    39,    40,
-      31,    26,    65,    66,    27,    41,    85,    30,    89,    19,
-      22,   108,    53,     0,     0,     0,     0,    45,    55,    56,
-       0,     0,     0,     0,    24,    83,    84,    82,     0,     0,
-       0,    70,    86,    87,     0,   110,    17,   107,     0,     0,
-       0,   101,    97,     0,    52,    47,     0,   127,   130,   126,
-     124,   125,   129,   131,     0,   115,   116,   122,   123,   118,
-     117,   119,   128,   121,   120,     0,    60,    59,     0,    63,
-      62,     0,     0,    88,     0,     0,     0,     0,    72,    73,
-      74,    79,   113,   114,     0,   110,     0,     0,   104,   100,
-       0,    64,     0,   102,     0,     0,    51,     0,    46,    58,
-      61,    80,     0,    75,     0,    71,     0,   109,   111,     0,
-       0,    54,    99,    98,   103,     0,    49,    48,     0,     0,
-       0,    76,     0,     0,   105,    50,    43,    78,     0,   112,
-     106,    77
+       0,   113,     0,   115,     0,   112,     1,   118,   119,     0,
+     115,     6,     0,   114,   116,     0,     0,     0,     8,     0,
+       5,     3,     4,     0,     0,   117,     7,     0,    10,    14,
+       0,     0,    23,     0,    13,    15,     0,     2,     0,     9,
+      18,    20,    21,     0,    11,    16,     0,     0,   100,    42,
+       0,     0,    95,    73,    99,    47,    60,     0,     0,    97,
+      61,     0,    74,    96,   101,    98,     0,    72,    86,     0,
+      25,    29,    33,    32,    28,    35,    36,    34,    37,    38,
+      39,    40,    31,    26,    70,    71,    27,    41,    90,    30,
+      94,    19,    22,   113,    56,     0,     0,     0,     0,    48,
+      58,    61,     0,     0,     0,     0,     0,    24,    88,    89,
+      87,     0,     0,     0,    75,    91,    92,     0,    17,     0,
+       0,     0,   106,   102,     0,    55,    50,     0,   132,     0,
+     135,   131,   129,   130,   134,   136,     0,   120,   121,   127,
+     128,   123,   122,   124,   133,   126,   125,     0,    59,    62,
+      64,     0,     0,    68,    67,     0,     0,    93,     0,     0,
+       0,     0,    77,    78,    79,    84,     0,     0,   109,   105,
+       0,    69,     0,   107,     0,     0,    54,     0,     0,    46,
+      49,    63,    65,    66,    85,     0,    80,     0,    76,     0,
+       0,    57,   104,   103,   108,     0,    52,    51,     0,     0,
+       0,     0,     0,    81,     0,   110,    53,    45,    44,    43,
+      83,     0,   111,    82
 };
 
 /* YYDEFGOTO[NTERM-NUM].  */
 static const yytype_int16 yydefgoto[] =
 {
-      -1,     2,     8,    13,    18,    19,    21,    22,    23,    27,
-      28,    24,    29,    57,    58,    59,    87,    60,   114,   115,
-      61,   116,    62,    63,    64,    65,    66,    67,    68,    69,
-      70,    71,    72,    73,    74,   101,   147,   148,   149,   150,
-      75,    76,    98,   104,    30,    77,    78,   110,   111,   112,
-     157,   158,   106,   123,   154,   155,   124,   125,   126,   127,
-     128,   129,   130,   131,   132,   133,   134
+      -1,     2,    18,    24,    30,    31,    33,    34,    35,    39,
+      40,    36,    41,    69,    70,    71,    99,    72,   125,   126,
+      73,   127,    74,    75,    76,    77,   104,    78,    79,    80,
+      81,    82,    83,    84,    85,    86,   114,   161,   162,   163,
+     164,    87,    88,   111,   117,    42,    89,    90,   121,   122,
+     123,   167,   168,     4,   135,     9,    10,   136,   137,   138,
+     139,   140,   141,   142,   143,   144,   145,   146
 };
 
 /* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
    STATE-NUM.  */
-#define YYPACT_NINF -100
+#define YYPACT_NINF -113
 static const yytype_int16 yypact[] =
 {
-     -65,    19,    33,     5,  -100,   -29,   -17,    11,    53,  -100,
-    -100,  -100,    47,    13,  -100,    90,   -34,    18,    81,    20,
-      16,    21,    18,  -100,    76,  -100,    -7,  -100,    20,  -100,
-    -100,    18,  -100,  -100,    23,    43,  -100,  -100,    24,    25,
-    -100,  -100,  -100,    -4,  -100,    77,    46,  -100,   -48,   -45,
-    -100,  -100,  -100,  -100,    51,  -100,     4,   -64,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,   -16,  -100,  -100,  -100,
-    -100,    26,    27,    31,    36,    52,    36,  -100,  -100,  -100,
-      51,   -71,    51,   -70,    32,  -100,  -100,  -100,    37,    52,
-      12,  -100,  -100,  -100,    51,   -39,  -100,  -100,    39,    51,
-     -78,    -6,  -100,    35,    40,  -100,    38,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,    56,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,   -72,    32,  -100,   -57,    32,
-    -100,   -36,    45,  -100,   122,    51,   123,    50,  -100,  -100,
-    -100,    32,    44,  -100,    49,   -39,    57,   -22,  -100,    32,
-     -19,  -100,    52,  -100,    59,    10,  -100,    52,  -100,  -100,
-    -100,  -100,    58,   -14,    52,  -100,    61,  -100,  -100,    62,
-      39,  -100,  -100,  -100,  -100,    60,  -100,  -100,    63,    64,
-     133,  -100,    65,    67,  -100,  -100,  -100,  -100,    52,  -100,
-    -100,  -100
+     -74,   -67,    38,   -69,    23,  -113,  -113,   -44,  -113,   -41,
+     -69,     4,   -26,  -113,  -113,    -3,     1,    10,    52,   -10,
+    -113,  -113,  -113,    45,    13,  -113,  -113,    77,   -35,    15,
+      64,    19,    17,    20,    15,  -113,    85,  -113,    25,  -113,
+      19,  -113,  -113,    15,  -113,  -113,    27,    47,  -113,  -113,
+      26,    29,  -113,  -113,  -113,   -30,  -113,    89,    61,  -113,
+     -57,   -47,  -113,  -113,  -113,  -113,    82,  -113,    -4,   -68,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   -17,  -113,
+    -113,  -113,  -113,   -67,    35,    33,    46,    51,    46,  -113,
+    -113,    69,    44,   -73,    88,    82,   -72,    56,  -113,  -113,
+    -113,    49,    93,     7,  -113,  -113,  -113,    82,  -113,    58,
+      82,   -76,   -13,  -113,    57,    59,  -113,    60,  -113,    68,
+    -113,  -113,  -113,  -113,  -113,  -113,   -75,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,   -63,  -113,  -113,
+    -113,   -62,    82,    56,  -113,   -46,    65,  -113,   141,    82,
+     142,    63,  -113,  -113,  -113,    56,    66,   -38,  -113,    56,
+     -16,  -113,    93,  -113,    76,    -7,  -113,    93,    81,  -113,
+    -113,  -113,    56,  -113,  -113,    72,   -19,    93,  -113,    83,
+      58,  -113,  -113,  -113,  -113,    78,  -113,  -113,    80,    84,
+      87,    62,   162,  -113,    90,  -113,  -113,  -113,  -113,  -113,
+    -113,    93,  -113,  -113
 };
 
 /* YYPGOTO[NTERM-NUM].  */
 static const yytype_int16 yypgoto[] =
 {
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,   132,   127,
-    -100,   126,  -100,   -53,  -100,  -100,  -100,  -100,    75,    -3,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,     0,  -100,     3,
-    -100,   -15,  -100,    83,    14,  -100,   -99,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,     2,  -100,  -100
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   150,   136,
+    -113,   143,  -113,   -65,  -113,  -113,    86,  -113,    91,    16,
+    -113,  -113,  -113,  -113,  -113,  -113,    92,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   -60,  -113,
+      22,  -113,    -5,    97,     2,   184,  -113,  -112,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,    21,  -113,  -113
 };
 
 /* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
@@ -869,71 +876,78 @@ static const yytype_int16 yypgoto[] =
 #define YYTABLE_NINF -13
 static const yytype_int16 yytable[] =
 {
-     143,    94,    35,    36,    37,    90,    17,    38,    92,   190,
-      95,   102,     5,   160,   162,   109,   109,   161,    39,   165,
-      99,     1,   103,   168,   137,   140,    40,    41,   100,    42,
-     144,   145,     6,     4,   160,   146,    43,   136,   169,   139,
-       3,     9,    44,     7,    45,    46,    91,   152,   163,    93,
-     153,   151,   -12,    10,    47,   160,   159,    48,    49,   170,
-      35,    36,    37,   184,    96,    38,   182,   109,   188,   180,
-      50,    51,    52,   181,    53,   191,    39,    54,   100,    55,
-      97,    11,    12,   117,    40,    41,    14,    42,    85,    56,
-      86,   138,   173,   141,    43,   186,   113,    15,    16,   201,
-      44,   118,    45,    46,    20,    25,    26,    31,    34,    81,
-      82,    32,    47,    89,    88,    48,    49,   109,    83,    84,
-     105,   108,   113,   119,   100,   156,   142,   164,    50,    51,
-      52,   165,    53,   166,   172,   174,   176,    55,   120,   167,
-     121,   122,   171,   175,   177,   198,   105,    56,   122,   179,
-     192,   193,   189,   195,    33,    79,   196,    80,   199,   197,
-     200,   135,   187,   183,   107,   194,   185,     0,     0,   178
+     157,   107,   108,     5,   202,    29,   105,   172,   178,   102,
+     115,    15,     1,   120,   120,   170,   112,     7,   179,   171,
+       8,   116,   150,   154,   113,   158,   159,     3,   175,   170,
+     160,    16,   180,   181,    47,    48,    49,   103,     6,    50,
+     153,   173,    17,   151,    11,   170,   155,   106,    12,   183,
+      51,   -12,   165,   190,    13,   169,   109,   191,    52,    53,
+     194,    54,    97,    19,    98,   198,   200,    20,    55,   192,
+     120,    21,   110,   113,    56,   203,    57,    58,   196,   124,
+      22,    23,   128,    25,    26,    28,    59,   182,    37,    60,
+      61,    47,    48,    49,   186,     5,    50,    27,   129,   213,
+     130,    32,    62,    63,    64,    38,    65,    51,    43,    66,
+      44,    67,   128,    93,    94,    52,    53,    46,    54,   120,
+      95,    68,   131,    96,   128,    55,   100,   199,   101,   119,
+     130,    56,   124,    57,    58,   102,    97,   132,   156,   133,
+     134,   152,   130,    59,   166,     3,    60,    61,   113,   174,
+     175,   177,   131,   185,   187,   176,   188,   210,   189,    62,
+      63,    64,   184,    65,   131,   134,   201,   132,    67,   133,
+     134,   206,   204,   207,   211,     3,    91,   208,    68,   132,
+     209,   133,   134,   212,    45,   205,    92,     3,   149,   147,
+     118,   197,   193,   148,    14,   195
 };
 
-static const yytype_int16 yycheck[] =
+static const yytype_uint8 yycheck[] =
 {
-      99,    54,     9,    10,    11,    53,    40,    14,    53,    23,
-       6,    27,     7,    91,    20,    86,    86,    95,    25,    91,
-      84,    86,    38,    95,    95,    95,    33,    34,    92,    36,
-      18,    19,    27,     0,    91,    23,    43,    90,    95,    92,
-      21,    70,    49,    38,    51,    52,    94,    86,    54,    94,
-      89,   104,    86,    70,    61,    91,   109,    64,    65,    95,
-       9,    10,    11,   162,    60,    14,    85,    86,   167,    91,
-      77,    78,    79,    95,    81,   174,    25,    84,    92,    86,
-      76,    70,    29,    31,    33,    34,    39,    36,    92,    96,
-      94,    91,   145,    93,    43,    85,    86,    84,     8,   198,
-      49,    49,    51,    52,    86,    24,    86,    91,    32,    86,
-      67,    90,    61,    67,    37,    64,    65,    86,    94,    94,
-      94,    94,    86,    71,    92,    86,    89,    92,    77,    78,
-      79,    91,    81,    95,    12,    12,    92,    86,    86,    83,
-      88,    89,    97,    93,    95,    12,    94,    96,    89,    92,
-      89,    89,    94,    93,    22,    28,    93,    31,    93,    95,
-      93,    86,   165,   160,    81,   180,   164,    -1,    -1,   155
+     112,    66,     6,     1,    23,    40,    53,    20,    83,    66,
+      27,     7,    86,    86,    86,    91,    84,    86,    93,    95,
+      89,    38,    95,    95,    92,    18,    19,    94,    91,    91,
+      23,    27,    95,    95,     9,    10,    11,    94,     0,    14,
+     105,    54,    38,   103,    21,    91,   106,    94,    92,    95,
+      25,    86,   117,    91,    95,   120,    60,    95,    33,    34,
+     172,    36,    92,    89,    94,   177,   178,    70,    43,    85,
+      86,    70,    76,    92,    49,   187,    51,    52,    85,    86,
+      70,    29,    31,    93,    39,     8,    61,   152,    24,    64,
+      65,     9,    10,    11,   159,    93,    14,    84,    47,   211,
+      49,    86,    77,    78,    79,    86,    81,    25,    91,    84,
+      90,    86,    31,    86,    67,    33,    34,    32,    36,    86,
+      94,    96,    71,    94,    31,    43,    37,    46,    67,    94,
+      49,    49,    86,    51,    52,    66,    92,    86,    89,    88,
+      89,    53,    49,    61,    86,    94,    64,    65,    92,    92,
+      91,    83,    71,    12,    12,    95,    93,    95,    92,    77,
+      78,    79,    97,    81,    71,    89,    94,    86,    86,    88,
+      89,    93,    89,    93,    12,    94,    40,    93,    96,    86,
+      93,    88,    89,    93,    34,   190,    43,    94,   102,    98,
+      93,   175,   170,   101,    10,   174
 };
 
 /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
    symbol of state STATE-NUM.  */
 static const yytype_uint8 yystos[] =
 {
-       0,    86,    99,    21,     0,     7,    27,    38,   100,    70,
-      70,    70,    29,   101,    39,    84,     8,    40,   102,   103,
-      86,   104,   105,   106,   109,    24,    86,   107,   108,   110,
-     142,    91,    90,   106,    32,     9,    10,    11,    14,    25,
-      33,    34,    36,    43,    49,    51,    52,    61,    64,    65,
-      77,    78,    79,    81,    84,    86,    96,   111,   112,   113,
-     115,   118,   120,   121,   122,   123,   124,   125,   126,   127,
-     128,   129,   130,   131,   132,   138,   139,   143,   144,   107,
-     109,    86,    67,    94,    94,    92,    94,   114,    37,    67,
-      53,    94,    53,    94,   111,     6,    60,    76,   140,    84,
-      92,   133,    27,    38,   141,    94,   150,   151,    94,    86,
-     145,   146,   147,    86,   116,   117,   119,    31,    49,    71,
-      86,    88,    89,   151,   154,   155,   156,   157,   158,   159,
-     160,   161,   162,   163,   164,   116,   111,    95,   145,   111,
-      95,   145,    89,   154,    18,    19,    23,   134,   135,   136,
-     137,   111,    86,    89,   152,   153,    86,   148,   149,   111,
-      91,    95,    20,    54,    92,    91,    95,    83,    95,    95,
-      95,    97,    12,   111,    12,    93,    92,    95,   152,    92,
-      91,    95,    85,   147,   154,   162,    85,   117,   154,    94,
-      23,   154,    89,    89,   149,    93,    93,    95,    12,    93,
-      93,   154
+       0,    86,    99,    94,   151,   152,     0,    86,    89,   153,
+     154,    21,    92,    95,   153,     7,    27,    38,   100,    89,
+      70,    70,    70,    29,   101,    93,    39,    84,     8,    40,
+     102,   103,    86,   104,   105,   106,   109,    24,    86,   107,
+     108,   110,   143,    91,    90,   106,    32,     9,    10,    11,
+      14,    25,    33,    34,    36,    43,    49,    51,    52,    61,
+      64,    65,    77,    78,    79,    81,    84,    86,    96,   111,
+     112,   113,   115,   118,   120,   121,   122,   123,   125,   126,
+     127,   128,   129,   130,   131,   132,   133,   139,   140,   144,
+     145,   107,   109,    86,    67,    94,    94,    92,    94,   114,
+      37,    67,    66,    94,   124,    53,    94,   111,     6,    60,
+      76,   141,    84,    92,   134,    27,    38,   142,   151,    94,
+      86,   146,   147,   148,    86,   116,   117,   119,    31,    47,
+      49,    71,    86,    88,    89,   152,   155,   156,   157,   158,
+     159,   160,   161,   162,   163,   164,   165,   116,   124,   114,
+      95,   146,    53,   111,    95,   146,    89,   155,    18,    19,
+      23,   135,   136,   137,   138,   111,    86,   149,   150,   111,
+      91,    95,    20,    54,    92,    91,    95,    83,    83,    93,
+      95,    95,   111,    95,    97,    12,   111,    12,    93,    92,
+      91,    95,    85,   148,   155,   163,    85,   117,   155,    46,
+     155,    94,    23,   155,    89,   150,    93,    93,    93,    93,
+      95,    12,    93,   155
 };
 
 #define yyerrok		(yyerrstatus = 0)
@@ -1748,29 +1762,29 @@ yyreduce:
   switch (yyn)
     {
         case 2:
-#line 233 "parse.y"
+#line 235 "parse.y"
     {
 			checkundefined();
 		}
     break;
 
   case 4:
-#line 240 "parse.y"
+#line 242 "parse.y"
     { error_message("implicit tagging is not supported"); }
     break;
 
   case 5:
-#line 242 "parse.y"
+#line 244 "parse.y"
     { error_message("automatic tagging is not supported"); }
     break;
 
   case 7:
-#line 247 "parse.y"
+#line 249 "parse.y"
     { error_message("no extensibility options supported"); }
     break;
 
   case 17:
-#line 268 "parse.y"
+#line 270 "parse.y"
     { 
 		    struct string_list *sl;
 		    for(sl = (yyvsp[(1) - (4)].sl); sl != NULL; sl = sl->next) {
@@ -1782,7 +1796,7 @@ yyreduce:
     break;
 
   case 22:
-#line 287 "parse.y"
+#line 289 "parse.y"
     {
 		    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
 		    (yyval.sl)->string = (yyvsp[(1) - (3)].name);
@@ -1791,7 +1805,7 @@ yyreduce:
     break;
 
   case 23:
-#line 293 "parse.y"
+#line 295 "parse.y"
     {
 		    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
 		    (yyval.sl)->string = (yyvsp[(1) - (1)].name);
@@ -1800,7 +1814,7 @@ yyreduce:
     break;
 
   case 24:
-#line 301 "parse.y"
+#line 303 "parse.y"
     {
 		    Symbol *s = addsym ((yyvsp[(1) - (3)].name));
 		    s->stype = Stype;
@@ -1811,7 +1825,7 @@ yyreduce:
     break;
 
   case 42:
-#line 332 "parse.y"
+#line 334 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Boolean, 
 				     TE_EXPLICIT, new_type(TBoolean));
@@ -1819,36 +1833,70 @@ yyreduce:
     break;
 
   case 43:
-#line 339 "parse.y"
+#line 341 "parse.y"
     {
-			if((yyvsp[(2) - (5)].value)->type != integervalue || 
-			   (yyvsp[(4) - (5)].value)->type != integervalue)
-				error_message("Non-integer value used in range");
-			(yyval.range).min = (yyvsp[(2) - (5)].value)->u.integervalue;
-			(yyval.range).max = (yyvsp[(4) - (5)].value)->u.integervalue;
+		    if((yyvsp[(2) - (5)].value)->type != integervalue)
+			error_message("Non-integer used in first part of range");
+		    if((yyvsp[(2) - (5)].value)->type != integervalue)
+			error_message("Non-integer in second part of range");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue;
+		    (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue;
 		}
     break;
 
   case 44:
-#line 349 "parse.y"
+#line 351 "parse.y"
+    {		
+		    if((yyvsp[(2) - (5)].value)->type != integervalue)
+			error_message("Non-integer in first part of range");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue;
+		    (yyval.range)->max = (yyvsp[(2) - (5)].value)->u.integervalue - 1;
+		}
+    break;
+
+  case 45:
+#line 359 "parse.y"
+    {		
+		    if((yyvsp[(4) - (5)].value)->type != integervalue)
+			error_message("Non-integer in second part of range");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(4) - (5)].value)->u.integervalue + 2;
+		    (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue;
+		}
+    break;
+
+  case 46:
+#line 367 "parse.y"
+    {
+		    if((yyvsp[(2) - (3)].value)->type != integervalue)
+			error_message("Non-integer used in limit");
+		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+		    (yyval.range)->min = (yyvsp[(2) - (3)].value)->u.integervalue;
+		    (yyval.range)->max = (yyvsp[(2) - (3)].value)->u.integervalue;
+		}
+    break;
+
+  case 47:
+#line 378 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, 
 				     TE_EXPLICIT, new_type(TInteger));
 		}
     break;
 
-  case 45:
-#line 354 "parse.y"
+  case 48:
+#line 383 "parse.y"
     {
 			(yyval.type) = new_type(TInteger);
-			(yyval.type)->range = emalloc(sizeof(*(yyval.type)->range));
-			*((yyval.type)->range) = (yyvsp[(2) - (2)].range);
+			(yyval.type)->range = (yyvsp[(2) - (2)].range);
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, (yyval.type));
 		}
     break;
 
-  case 46:
-#line 361 "parse.y"
+  case 49:
+#line 389 "parse.y"
     {
 		  (yyval.type) = new_type(TInteger);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
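Review bot: The second type check in case 43 re-tests the first value: `if((yyvsp[(2) - (5)].value)->type != integervalue)` appears twice, so the upper bound that is then read as `(yyvsp[(4) - (5)].value)->u.integervalue` is never validated; the second check should be `if((yyvsp[(4) - (5)].value)->type != integervalue)`. Cases 44 and 45 encode the open-ended `X..MAX` and `MIN..X` forms as `max = min - 1` and `min = max + 2`, and an explicit `SIZE (3..2)` or `SIZE (4..2)` written by the user produces exactly those values through case 43, so a `if ((yyval.range)->min > (yyval.range)->max) error_message("Range lower bound exceeds upper bound");` in case 43 is needed to keep the sentinel encoding unambiguous, and a one-line comment on cases 44 and 45 naming that convention would help whoever maintains the consumer in gen_decode.c, which is not visible in this chunk. The two messages in case 43 are also worded differently from each other and from case 44 (`Non-integer used in first part of range` versus `Non-integer in first part of range`); one phrasing would make the diagnostics greppable.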
@@ -1856,8 +1904,8 @@ yyreduce:
 		}
     break;
 
-  case 47:
-#line 369 "parse.y"
+  case 50:
+#line 397 "parse.y"
     {
 			(yyval.members) = emalloc(sizeof(*(yyval.members)));
 			ASN1_TAILQ_INIT((yyval.members));
@@ -1865,21 +1913,21 @@ yyreduce:
 		}
     break;
 
-  case 48:
-#line 375 "parse.y"
+  case 51:
+#line 403 "parse.y"
     {
 			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
 			(yyval.members) = (yyvsp[(1) - (3)].members);
 		}
     break;
 
-  case 49:
-#line 380 "parse.y"
+  case 52:
+#line 408 "parse.y"
     { (yyval.members) = (yyvsp[(1) - (3)].members); }
     break;
 
-  case 50:
-#line 384 "parse.y"
+  case 53:
+#line 412 "parse.y"
     {
 			(yyval.member) = emalloc(sizeof(*(yyval.member)));
 			(yyval.member)->name = (yyvsp[(1) - (4)].name);
@@ -1892,8 +1940,8 @@ yyreduce:
 		}
     break;
 
-  case 51:
-#line 397 "parse.y"
+  case 54:
+#line 425 "parse.y"
     {
 		  (yyval.type) = new_type(TInteger);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -1901,8 +1949,8 @@ yyreduce:
 		}
     break;
 
-  case 53:
-#line 408 "parse.y"
+  case 56:
+#line 436 "parse.y"
     {
 		  (yyval.type) = new_type(TBitString);
 		  (yyval.type)->members = emalloc(sizeof(*(yyval.type)->members));
@@ -1911,8 +1959,8 @@ yyreduce:
 		}
     break;
 
-  case 54:
-#line 415 "parse.y"
+  case 57:
+#line 443 "parse.y"
     {
 		  (yyval.type) = new_type(TBitString);
 		  (yyval.type)->members = (yyvsp[(4) - (5)].members);
@@ -1920,68 +1968,81 @@ yyreduce:
 		}
     break;
 
-  case 55:
-#line 423 "parse.y"
+  case 58:
+#line 451 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_OID, 
 				     TE_EXPLICIT, new_type(TOID));
 		}
     break;
 
-  case 56:
-#line 429 "parse.y"
+  case 59:
+#line 457 "parse.y"
     {
-			(yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString, 
-				     TE_EXPLICIT, new_type(TOctetString));
+		    Type *t = new_type(TOctetString);
+		    t->range = (yyvsp[(3) - (3)].range);
+		    (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString, 
+				 TE_EXPLICIT, t);
 		}
     break;
 
-  case 57:
-#line 436 "parse.y"
+  case 60:
+#line 466 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Null, 
 				     TE_EXPLICIT, new_type(TNull));
 		}
     break;
 
-  case 58:
-#line 443 "parse.y"
-    {
-		  (yyval.type) = new_type(TSequence);
-		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
-		}
-    break;
-
-  case 59:
-#line 449 "parse.y"
-    {
-		  (yyval.type) = new_type(TSequence);
-		  (yyval.type)->members = NULL;
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
-		}
-    break;
-
-  case 60:
-#line 457 "parse.y"
-    {
-		  (yyval.type) = new_type(TSequenceOf);
-		  (yyval.type)->subtype = (yyvsp[(3) - (3)].type);
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
-		}
-    break;
-
   case 61:
-#line 465 "parse.y"
-    {
-		  (yyval.type) = new_type(TSet);
-		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
-		}
+#line 473 "parse.y"
+    { (yyval.range) = NULL; }
     break;
 
   case 62:
-#line 471 "parse.y"
+#line 475 "parse.y"
+    { (yyval.range) = (yyvsp[(2) - (2)].range); }
+    break;
+
+  case 63:
+#line 480 "parse.y"
+    {
+		  (yyval.type) = new_type(TSequence);
+		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 64:
+#line 486 "parse.y"
+    {
+		  (yyval.type) = new_type(TSequence);
+		  (yyval.type)->members = NULL;
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 65:
+#line 494 "parse.y"
+    {
+		  (yyval.type) = new_type(TSequenceOf);
+		  (yyval.type)->range = (yyvsp[(2) - (4)].range);
+		  (yyval.type)->subtype = (yyvsp[(4) - (4)].type);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 66:
+#line 503 "parse.y"
+    {
+		  (yyval.type) = new_type(TSet);
+		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
+		}
+    break;
+
+  case 67:
+#line 509 "parse.y"
     {
 		  (yyval.type) = new_type(TSet);
 		  (yyval.type)->members = NULL;
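Review bot: Case 59 stores the SIZE range pointer into `t->range` unconditionally, and rule 61 yields `NULL` for the no-constraint case, so every consumer of `Type::range` has to treat `NULL` as "unconstrained"; a comment on the assignment such as `/* NULL when no SIZE constraint was given */` would make that contract explicit, and the same applies to `(yyval.type)->range` in case 65. Case 68 for SET OF, in the next hunk, does not receive a range, so `SET SIZE (...) OF` is presumably not accepted by this grammar; if that is intentional it is worth a note in parse.y, since the SEQUENCE OF and SET OF rules are otherwise parallel.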
@@ -1989,8 +2050,8 @@ yyreduce:
 		}
     break;
 
-  case 63:
-#line 479 "parse.y"
+  case 68:
+#line 517 "parse.y"
     {
 		  (yyval.type) = new_type(TSetOf);
 		  (yyval.type)->subtype = (yyvsp[(3) - (3)].type);
@@ -1998,16 +2059,16 @@ yyreduce:
 		}
     break;
 
-  case 64:
-#line 487 "parse.y"
+  case 69:
+#line 525 "parse.y"
     {
 		  (yyval.type) = new_type(TChoice);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
 		}
     break;
 
-  case 67:
-#line 498 "parse.y"
+  case 72:
+#line 536 "parse.y"
     {
 		  Symbol *s = addsym((yyvsp[(1) - (1)].name));
 		  (yyval.type) = new_type(TType);
@@ -2018,24 +2079,24 @@ yyreduce:
 		}
     break;
 
-  case 68:
-#line 509 "parse.y"
+  case 73:
+#line 547 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralizedTime, 
 				     TE_EXPLICIT, new_type(TGeneralizedTime));
 		}
     break;
 
-  case 69:
-#line 514 "parse.y"
+  case 74:
+#line 552 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTCTime, 
 				     TE_EXPLICIT, new_type(TUTCTime));
 		}
     break;
 
-  case 70:
-#line 521 "parse.y"
+  case 75:
+#line 559 "parse.y"
     {
 		    /* if (Constraint.type == contentConstrant) {
 		       assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too
@@ -2050,15 +2111,15 @@ yyreduce:
 		}
     break;
 
-  case 71:
-#line 537 "parse.y"
+  case 76:
+#line 575 "parse.y"
     {
 		    (yyval.constraint_spec) = (yyvsp[(2) - (3)].constraint_spec);
 		}
     break;
 
-  case 75:
-#line 550 "parse.y"
+  case 80:
+#line 588 "parse.y"
     {
 		    (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
 		    (yyval.constraint_spec)->u.content.type = (yyvsp[(2) - (2)].type);
@@ -2066,8 +2127,8 @@ yyreduce:
 		}
     break;
 
-  case 76:
-#line 556 "parse.y"
+  case 81:
+#line 594 "parse.y"
     {
 		    if ((yyvsp[(3) - (3)].value)->type != objectidentifiervalue)
 			error_message("Non-OID used in ENCODED BY constraint");
@@ -2077,8 +2138,8 @@ yyreduce:
 		}
     break;
 
-  case 77:
-#line 564 "parse.y"
+  case 82:
+#line 602 "parse.y"
     {
 		    if ((yyvsp[(5) - (5)].value)->type != objectidentifiervalue)
 			error_message("Non-OID used in ENCODED BY constraint");
@@ -2088,15 +2149,15 @@ yyreduce:
 		}
     break;
 
-  case 78:
-#line 574 "parse.y"
+  case 83:
+#line 612 "parse.y"
     {
 		    (yyval.constraint_spec) = new_constraint_spec(CT_USER);
 		}
     break;
 
-  case 79:
-#line 580 "parse.y"
+  case 84:
+#line 618 "parse.y"
     {
 			(yyval.type) = new_type(TTag);
 			(yyval.type)->tag = (yyvsp[(1) - (3)].tag);
@@ -2109,8 +2170,8 @@ yyreduce:
 		}
     break;
 
-  case 80:
-#line 593 "parse.y"
+  case 85:
+#line 631 "parse.y"
     {
 			(yyval.tag).tagclass = (yyvsp[(2) - (4)].constant);
 			(yyval.tag).tagvalue = (yyvsp[(3) - (4)].constant);
@@ -2118,57 +2179,57 @@ yyreduce:
 		}
     break;
 
-  case 81:
-#line 601 "parse.y"
+  case 86:
+#line 639 "parse.y"
     {
 			(yyval.constant) = ASN1_C_CONTEXT;
 		}
     break;
 
-  case 82:
-#line 605 "parse.y"
+  case 87:
+#line 643 "parse.y"
     {
 			(yyval.constant) = ASN1_C_UNIV;
 		}
     break;
 
-  case 83:
-#line 609 "parse.y"
+  case 88:
+#line 647 "parse.y"
     {
 			(yyval.constant) = ASN1_C_APPL;
 		}
     break;
 
-  case 84:
-#line 613 "parse.y"
+  case 89:
+#line 651 "parse.y"
     {
 			(yyval.constant) = ASN1_C_PRIVATE;
 		}
     break;
 
-  case 85:
-#line 619 "parse.y"
+  case 90:
+#line 657 "parse.y"
     {
 			(yyval.constant) = TE_EXPLICIT;
 		}
     break;
 
-  case 86:
-#line 623 "parse.y"
+  case 91:
+#line 661 "parse.y"
     {
 			(yyval.constant) = TE_EXPLICIT;
 		}
     break;
 
-  case 87:
-#line 627 "parse.y"
+  case 92:
+#line 665 "parse.y"
     {
 			(yyval.constant) = TE_IMPLICIT;
 		}
     break;
 
-  case 88:
-#line 634 "parse.y"
+  case 93:
+#line 672 "parse.y"
     {
 			Symbol *s;
 			s = addsym ((yyvsp[(1) - (4)].name));
@@ -2179,64 +2240,64 @@ yyreduce:
 		}
     break;
 
-  case 90:
-#line 648 "parse.y"
+  case 95:
+#line 686 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString, 
 				     TE_EXPLICIT, new_type(TGeneralString));
 		}
     break;
 
-  case 91:
-#line 653 "parse.y"
+  case 96:
+#line 691 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String, 
 				     TE_EXPLICIT, new_type(TUTF8String));
 		}
     break;
 
-  case 92:
-#line 658 "parse.y"
+  case 97:
+#line 696 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString, 
 				     TE_EXPLICIT, new_type(TPrintableString));
 		}
     break;
 
-  case 93:
-#line 663 "parse.y"
+  case 98:
+#line 701 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_VisibleString, 
 				     TE_EXPLICIT, new_type(TVisibleString));
 		}
     break;
 
-  case 94:
-#line 668 "parse.y"
+  case 99:
+#line 706 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String, 
 				     TE_EXPLICIT, new_type(TIA5String));
 		}
     break;
 
-  case 95:
-#line 673 "parse.y"
+  case 100:
+#line 711 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString, 
 				     TE_EXPLICIT, new_type(TBMPString));
 		}
     break;
 
-  case 96:
-#line 678 "parse.y"
+  case 101:
+#line 716 "parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString, 
 				     TE_EXPLICIT, new_type(TUniversalString));
 		}
     break;
 
-  case 97:
-#line 686 "parse.y"
+  case 102:
+#line 724 "parse.y"
     {
 			(yyval.members) = emalloc(sizeof(*(yyval.members)));
 			ASN1_TAILQ_INIT((yyval.members));
@@ -2244,16 +2305,16 @@ yyreduce:
 		}
     break;
 
-  case 98:
-#line 692 "parse.y"
+  case 103:
+#line 730 "parse.y"
     {
 			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
 			(yyval.members) = (yyvsp[(1) - (3)].members);
 		}
     break;
 
-  case 99:
-#line 697 "parse.y"
+  case 104:
+#line 735 "parse.y"
     {
 		        struct member *m = ecalloc(1, sizeof(*m));
 			m->name = estrdup("...");
@@ -2264,8 +2325,8 @@ yyreduce:
 		}
     break;
 
-  case 100:
-#line 708 "parse.y"
+  case 105:
+#line 746 "parse.y"
     {
 		  (yyval.member) = emalloc(sizeof(*(yyval.member)));
 		  (yyval.member)->name = (yyvsp[(1) - (2)].name);
@@ -2276,8 +2337,8 @@ yyreduce:
 		}
     break;
 
-  case 101:
-#line 719 "parse.y"
+  case 106:
+#line 757 "parse.y"
     {
 			(yyval.member) = (yyvsp[(1) - (1)].member);
 			(yyval.member)->optional = 0;
@@ -2285,8 +2346,8 @@ yyreduce:
 		}
     break;
 
-  case 102:
-#line 725 "parse.y"
+  case 107:
+#line 763 "parse.y"
     {
 			(yyval.member) = (yyvsp[(1) - (2)].member);
 			(yyval.member)->optional = 1;
@@ -2294,8 +2355,8 @@ yyreduce:
 		}
     break;
 
-  case 103:
-#line 731 "parse.y"
+  case 108:
+#line 769 "parse.y"
     {
 			(yyval.member) = (yyvsp[(1) - (3)].member);
 			(yyval.member)->optional = 0;
@@ -2303,8 +2364,8 @@ yyreduce:
 		}
     break;
 
-  case 104:
-#line 739 "parse.y"
+  case 109:
+#line 777 "parse.y"
     {
 			(yyval.members) = emalloc(sizeof(*(yyval.members)));
 			ASN1_TAILQ_INIT((yyval.members));
@@ -2312,16 +2373,16 @@ yyreduce:
 		}
     break;
 
-  case 105:
-#line 745 "parse.y"
+  case 110:
+#line 783 "parse.y"
     {
 			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
 			(yyval.members) = (yyvsp[(1) - (3)].members);
 		}
     break;
 
-  case 106:
-#line 752 "parse.y"
+  case 111:
+#line 790 "parse.y"
     {
 		  (yyval.member) = emalloc(sizeof(*(yyval.member)));
 		  (yyval.member)->name = (yyvsp[(1) - (4)].name);
@@ -2334,27 +2395,27 @@ yyreduce:
 		}
     break;
 
-  case 108:
-#line 765 "parse.y"
+  case 113:
+#line 803 "parse.y"
     { (yyval.objid) = NULL; }
     break;
 
-  case 109:
-#line 769 "parse.y"
+  case 114:
+#line 807 "parse.y"
     {
 			(yyval.objid) = (yyvsp[(2) - (3)].objid);
 		}
     break;
 
-  case 110:
-#line 775 "parse.y"
+  case 115:
+#line 813 "parse.y"
     {
 			(yyval.objid) = NULL;
 		}
     break;
 
-  case 111:
-#line 779 "parse.y"
+  case 116:
+#line 817 "parse.y"
     {
 		        if ((yyvsp[(2) - (2)].objid)) {
 				(yyval.objid) = (yyvsp[(2) - (2)].objid);
@@ -2365,15 +2426,15 @@ yyreduce:
 		}
     break;
 
-  case 112:
-#line 790 "parse.y"
+  case 117:
+#line 828 "parse.y"
     {
 			(yyval.objid) = new_objid((yyvsp[(1) - (4)].name), (yyvsp[(3) - (4)].constant));
 		}
     break;
 
-  case 113:
-#line 794 "parse.y"
+  case 118:
+#line 832 "parse.y"
     {
 		    Symbol *s = addsym((yyvsp[(1) - (1)].name));
 		    if(s->stype != SValue ||
@@ -2386,15 +2447,15 @@ yyreduce:
 		}
     break;
 
-  case 114:
-#line 805 "parse.y"
+  case 119:
+#line 843 "parse.y"
     {
 		    (yyval.objid) = new_objid(NULL, (yyvsp[(1) - (1)].constant));
 		}
     break;
 
-  case 124:
-#line 828 "parse.y"
+  case 129:
+#line 866 "parse.y"
     {
 			Symbol *s = addsym((yyvsp[(1) - (1)].name));
 			if(s->stype != SValue)
@@ -2405,8 +2466,8 @@ yyreduce:
 		}
     break;
 
-  case 125:
-#line 839 "parse.y"
+  case 130:
+#line 877 "parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = stringvalue;
@@ -2414,8 +2475,8 @@ yyreduce:
 		}
     break;
 
-  case 126:
-#line 847 "parse.y"
+  case 131:
+#line 885 "parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = booleanvalue;
@@ -2423,8 +2484,8 @@ yyreduce:
 		}
     break;
 
-  case 127:
-#line 853 "parse.y"
+  case 132:
+#line 891 "parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = booleanvalue;
@@ -2432,8 +2493,8 @@ yyreduce:
 		}
     break;
 
-  case 128:
-#line 861 "parse.y"
+  case 133:
+#line 899 "parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = integervalue;
@@ -2441,14 +2502,14 @@ yyreduce:
 		}
     break;
 
-  case 130:
-#line 872 "parse.y"
+  case 135:
+#line 910 "parse.y"
     {
 		}
     break;
 
-  case 131:
-#line 877 "parse.y"
+  case 136:
+#line 915 "parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = objectidentifiervalue;
@@ -2458,7 +2519,7 @@ yyreduce:
 
 
 /* Line 1267 of yacc.c.  */
-#line 2464 "parse.c"
+#line 2523 "parse.c"
       default: break;
     }
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@ -2672,7 +2733,7 @@ yyreturn:
 }
 
 
-#line 884 "parse.y"
+#line 922 "parse.y"
 
 
 void
diff --git a/source4/heimdal/lib/asn1/parse.h b/source4/heimdal/lib/asn1/parse.h
index a0c26d50f15..5e73094f9e6 100644
--- a/source4/heimdal/lib/asn1/parse.h
+++ b/source4/heimdal/lib/asn1/parse.h
@@ -16,7 +16,9 @@
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
-   along with this program; if not, see <http://www.gnu.org/licenses/>.  */
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
 
 /* As a special exception, you may create a larger work that contains
    part or all of the Bison parser skeleton and distribute that work
@@ -224,7 +226,7 @@ typedef union YYSTYPE
 {
     int constant;
     struct value *value;
-    struct range range;
+    struct range *range;
     char *name;
     Type *type;
     Member *member;
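Review bot: `range` in YYSTYPE is now a heap pointer, allocated with ecalloc in the parse.c range rules, but nothing here says who owns it once it is stored into a Type; a comment next to the member such as `/* allocated by the range rules; ownership passes to the Type that stores it */` would document the transfer. As far as this diff shows no path frees it on error, which is consistent with the parser's other emalloc'd semantic values but worth stating so a later cleanup does not double-free.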
diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1
index 71f197eba77..0ec3b695ebe 100644
--- a/source4/heimdal/lib/asn1/rfc2459.asn1
+++ b/source4/heimdal/lib/asn1/rfc2459.asn1
@@ -169,7 +169,7 @@ Extension  ::=  SEQUENCE  {
      extnValue   OCTET STRING
 }
 
-Extensions  ::=  SEQUENCE OF Extension --  SIZE (1..MAX) 
+Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 
 TBSCertificate  ::=  SEQUENCE  {
      version         [0]  Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
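Review bot: `Extensions` now carries a real `SIZE (1..MAX)` constraint instead of a comment, so if the generated decoder enforces the recorded range (the generator changes are not in this chunk) a certificate with an empty extensions sequence will now fail to decode where it previously parsed; the same applies to `GeneralNames`, `fullName` and `CRLDistributionPoints` in the following three hunks. That is what the RFC specifies, but it is a decode-time behaviour change for previously accepted input, so a case in test.asn1 covering the empty sequence would pin down whether it is rejected or not.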
@@ -232,7 +232,7 @@ GeneralName ::= CHOICE {
 	registeredID			[8]     IMPLICIT OBJECT IDENTIFIER
 }
 
-GeneralNames ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralName
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 
 id-x509-ce-keyUsage OBJECT IDENTIFIER ::=  { id-x509-ce 15 }
 
@@ -320,7 +320,7 @@ DistributionPointReasonFlags ::= BIT STRING {
 }
 
 DistributionPointName ::= CHOICE {
-	fullName                [0]     IMPLICIT -- GeneralNames --  SEQUENCE -- SIZE (1..MAX) -- OF GeneralName,
+	fullName                [0]     IMPLICIT -- GeneralNames --  SEQUENCE SIZE (1..MAX) OF GeneralName,
 	nameRelativeToCRLIssuer [1]     RelativeDistinguishedName
 }
 
@@ -330,7 +330,7 @@ DistributionPoint ::= SEQUENCE {
 	cRLIssuer               [2]     IMPLICIT heim_any -- GeneralNames -- OPTIONAL
 }
 
-CRLDistributionPoints ::= SEQUENCE -- SIZE (1..MAX) -- OF DistributionPoint
+CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
 
 
 -- rfc3279
@@ -449,11 +449,20 @@ id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
 id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
 id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }
 
--- RFC 3820 Proxy Certificate Profile
-
 id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
 
-id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
+id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }
+
+AccessDescription  ::=  SEQUENCE {
+	accessMethod          OBJECT IDENTIFIER,
+	accessLocation        GeneralName
+}
+
+AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+-- RFC 3820 Proxy Certificate Profile
+
+id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
 
 id-pkix-ppl  OBJECT IDENTIFIER ::= { id-pkix 21 }
 
diff --git a/source4/heimdal/lib/asn1/test.asn1 b/source4/heimdal/lib/asn1/test.asn1
index 98b507a4da6..b2f58a20c2c 100644
--- a/source4/heimdal/lib/asn1/test.asn1
+++ b/source4/heimdal/lib/asn1/test.asn1
@@ -1,4 +1,4 @@
--- $Id: test.asn1 18013 2006-09-05 14:00:44Z lha $ --
+-- $Id: test.asn1 21455 2007-07-10 12:51:19Z lha $ --
 
 TEST DEFINITIONS ::=
 
@@ -85,4 +85,11 @@ TESTUSERCONSTRAINED ::= OCTET STRING (CONSTRAINED BY { -- meh -- })
 
 TESTSeqOf ::= SEQUENCE OF TESTInteger
 
+TESTSeqSizeOf1 ::= SEQUENCE SIZE (2) OF TESTInteger
+TESTSeqSizeOf2 ::= SEQUENCE SIZE (1..2) OF TESTInteger
+TESTSeqSizeOf3 ::= SEQUENCE SIZE (1..MAX) OF TESTInteger
+TESTSeqSizeOf4 ::= SEQUENCE SIZE (MIN..2) OF TESTInteger
+
+TESTOSSize1 ::= OCTET STRING SIZE (1..2)
+
 END
diff --git a/source4/heimdal/lib/asn1/timegm.c b/source4/heimdal/lib/asn1/timegm.c
index a6776458cf9..33b9684a5d8 100644
--- a/source4/heimdal/lib/asn1/timegm.c
+++ b/source4/heimdal/lib/asn1/timegm.c
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: timegm.c 18607 2006-10-19 16:19:32Z lha $");
+RCSID("$Id: timegm.c 21366 2007-06-27 10:06:22Z lha $");
 
 static int
 is_leap(unsigned y)
@@ -43,8 +43,8 @@ is_leap(unsigned y)
 }
 
 /* 
- * This is a simplifed version of _der_timegm that doesn't accept out
- * of bound values that timegm(3) normally accepts but those are not
+ * This is a simplifed version of timegm(3) that doesn't accept out of
+ * bound values that timegm(3) normally accepts but those are not
  * valid in asn1 encodings.
  */
 
diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
index d6e448a223a..cb1b62308c0 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_acquire_cred.c 20626 2007-05-08 13:56:49Z lha $");
+RCSID("$Id: gss_acquire_cred.c 21478 2007-07-10 16:32:01Z lha $");
 
 OM_uint32
 gss_acquire_cred(OM_uint32 *minor_status,
@@ -50,7 +50,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
 	int i;
 
 	*minor_status = 0;
-	if (actual_mechs)
+	if (output_cred_handle)
 	    *output_cred_handle = GSS_C_NO_CREDENTIAL;
 	if (actual_mechs)
 	    *actual_mechs = GSS_C_NO_OID_SET;
@@ -106,8 +106,9 @@ gss_acquire_cred(OM_uint32 *minor_status,
 			continue;
 
 		if (desired_name != GSS_C_NO_NAME) {
-			mn = _gss_find_mn(name, &mechs->elements[i]);
-			if (!mn)
+			major_status = _gss_find_mn(minor_status, name,
+						    &mechs->elements[i], &mn);
+			if (major_status != GSS_S_COMPLETE)
 				continue;
 		}
 
diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
index 4947c5c30ed..09b592b5da7 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_add_cred.c 20626 2007-05-08 13:56:49Z lha $");
+RCSID("$Id: gss_add_cred.c 21474 2007-07-10 16:30:23Z lha $");
 
 static struct _gss_mechanism_cred *
 _gss_copy_cred(struct _gss_mechanism_cred *mc)
@@ -136,11 +136,13 @@ gss_add_cred(OM_uint32 *minor_status,
 	 * Figure out a suitable mn, if any.
 	 */
 	if (desired_name) {
-		mn = _gss_find_mn((struct _gss_name *) desired_name,
-			desired_mech);
-		if (!mn) {
+		major_status = _gss_find_mn(minor_status,
+					    (struct _gss_name *) desired_name,
+					    desired_mech,
+					    &mn);
+		if (major_status != GSS_S_COMPLETE) {
 			free(new_cred);
-			return (GSS_S_BAD_NAME);
+			return major_status;
 		}
 	} else {
 		mn = 0;
diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
index 1437a9bc7b5..c950c03166b 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_canonicalize_name.c 19928 2007-01-16 10:37:54Z lha $");
+RCSID("$Id: gss_canonicalize_name.c 21476 2007-07-10 16:31:27Z lha $");
 
 OM_uint32
 gss_canonicalize_name(OM_uint32 *minor_status,
@@ -44,10 +44,9 @@ gss_canonicalize_name(OM_uint32 *minor_status,
 	*minor_status = 0;
 	*output_name = 0;
 
-	mn = _gss_find_mn(name, mech_type);
-	if (!mn) {
-		return (GSS_S_BAD_MECH);
-	}
+	major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
+	if (major_status)
+		return major_status;
 
 	m = mn->gmn_mech;
 	major_status = m->gm_canonicalize_name(minor_status,
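Review bot: The new test `if (major_status) return major_status;` relies on GSS_S_COMPLETE being zero, while the sibling call sites changed in this same commit (gss_acquire_cred, gss_add_cred, gss_init_sec_context) spell the same check as `if (major_status != GSS_S_COMPLETE)`. Using the explicit form here too keeps the four callers of the new `_gss_find_mn` signature uniform and makes the intent visible without knowing the value of the status code. gss_canonicalize_name's body continues past the hunk.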
diff --git a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c
index 147ad60c94e..617ff13d984 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_compare_name.c 17700 2006-06-28 09:00:26Z lha $");
+RCSID("$Id: gss_compare_name.c 21475 2007-07-10 16:31:03Z lha $");
 
 OM_uint32
 gss_compare_name(OM_uint32 *minor_status,
@@ -57,8 +57,11 @@ gss_compare_name(OM_uint32 *minor_status,
 		struct _gss_mechanism_name *mn2;
 
 		SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) {
-			mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid);
-			if (mn2) {
+			OM_uint32 major_status;
+
+			major_status = _gss_find_mn(minor_status, name2,
+						    mn1->gmn_mech_oid, &mn2);
+			if (major_status == GSS_S_COMPLETE) {
 				return (mn1->gmn_mech->gm_compare_name(
 						minor_status,
 						mn1->gmn_name,
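Review bot: A failed `_gss_find_mn` for one mechanism now writes a mechanism-specific value into `*minor_status` (via `gm_import_name`) even though the loop simply moves on to the next MN, so if no mechanism matches and the function later returns a success-style status outside this hunk, the caller may observe a stale non-zero minor status. If the fall-through return does not already reset it, add `*minor_status = 0;` before that return, or keep a local `OM_uint32 junk;` for the probing calls and only pass the real `minor_status` to `gm_compare_name`. gss_compare_name starts and ends outside the hunk, so the final return path could not be checked here.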
diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
index 4ff81fdf2df..f38c840b314 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_duplicate_name.c 21219 2007-06-20 08:27:11Z lha $");
+RCSID("$Id: gss_duplicate_name.c 21480 2007-07-10 16:32:32Z lha $");
 
 OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
     const gss_name_t src_name,
@@ -54,7 +54,9 @@ OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
 		new_name = (struct _gss_name *) *dest_name;
 		
 		SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
-			_gss_find_mn(new_name, mn->gmn_mech_oid);
+		    struct _gss_mechanism_name *mn2;
+		    _gss_find_mn(minor_status, new_name, 
+				 mn->gmn_mech_oid, &mn2);
 		}
 	} else {
 		new_name = malloc(sizeof(struct _gss_name));
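Review bot: The return value of `_gss_find_mn` is discarded at L2840, so a GSS_S_FAILURE from its internal malloc or an import error is silently ignored and `*minor_status` may be left set to the failing mechanism's minor code on an otherwise successful duplicate. If pre-populating the MNs of the copy is intentionally best-effort, say so with a comment such as `/* best effort: an MN that cannot be imported is simply absent from the copy */` and pass a scratch `OM_uint32 junk` instead of `minor_status`; otherwise propagate the status. The three added lines are also indented with two tabs plus four spaces while the surrounding block uses tabs only, and L2840 carries a trailing space.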
diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
index c1c058d146c..b9a1680dcb3 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_init_sec_context.c 19957 2007-01-17 13:48:11Z lha $");
+RCSID("$Id: gss_init_sec_context.c 21479 2007-07-10 16:32:19Z lha $");
 
 static gss_cred_id_t
 _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
@@ -109,11 +109,11 @@ gss_init_sec_context(OM_uint32 * minor_status,
 	/*
 	 * Find the MN for this mechanism.
 	 */
-	mn = _gss_find_mn(name, mech_type);
-	if (mn == NULL) {
+	major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
+	if (major_status != GSS_S_COMPLETE) {
 		if (allocated_ctx)
 			free(ctx);
-		return GSS_S_BAD_NAME;
+		return major_status;
 	}
 
 	/*
diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
index 604027490ef..f1a18afb13a 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
@@ -28,7 +28,7 @@
 
 #include "mech_locl.h"
 #include <heim_threads.h>
-RCSID("$Id: gss_mech_switch.c 20625 2007-05-08 13:55:03Z lha $");
+RCSID("$Id: gss_mech_switch.c 21700 2007-07-26 19:08:34Z lha $");
 
 #ifndef _PATH_GSS_MECH
 #define _PATH_GSS_MECH	"/etc/gss/mech"
@@ -223,9 +223,9 @@ _gss_load_mech(void)
 	add_builtin(__gss_spnego_initialize());
 	add_builtin(__gss_ntlm_initialize());
 
+#ifdef HAVE_DLOPEN
 	fp = fopen(_PATH_GSS_MECH, "r");
 	if (!fp) {
-/*		perror(_PATH_GSS_MECH); */
 		HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
 		return;
 	}
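Review bot: Wrapping the `fopen` in `#ifdef HAVE_DLOPEN` here and the `fclose` in `#endif` in the hunk at L2901 leaves the `FILE *fp` declaration (and any line-buffer locals, both declared above the hunk) unused when dlopen is unavailable, which produces unused-variable warnings under `-Wall` on such builds. Either move those declarations inside the `#ifdef` block or mark them `(void)fp;` in an `#else` branch. It would also help to note in a comment that, without dlopen, only the built-in mechanisms registered by the three `add_builtin` calls are available.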
@@ -316,6 +316,7 @@ _gss_load_mech(void)
 		continue;
 	}
 	fclose(fp);
+#endif
 	HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
 }
 
diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c
index 3ab609c1929..f78672d8374 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_names.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_names.c
@@ -27,15 +27,18 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_names.c 19928 2007-01-16 10:37:54Z lha $");
+RCSID("$Id: gss_names.c 21473 2007-07-10 16:29:53Z lha $");
 
-struct _gss_mechanism_name *
-_gss_find_mn(struct _gss_name *name, gss_OID mech)
+OM_uint32
+_gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, 
+	     struct _gss_mechanism_name **output_mn)
 {
-	OM_uint32 major_status, minor_status;
+	OM_uint32 major_status;
 	gssapi_mech_interface m;
 	struct _gss_mechanism_name *mn;
 
+	*output_mn = NULL;
+
 	SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
 		if (gss_oid_equal(mech, mn->gmn_mech_oid))
 			break;
@@ -47,34 +50,36 @@ _gss_find_mn(struct _gss_name *name, gss_OID mech)
 		 * MN but it is from a different mech), give up now.
 		 */
 		if (!name->gn_value.value)
-			return (0);
+			return GSS_S_BAD_NAME;
 
 		m = __gss_get_mechanism(mech);
 		if (!m)
-			return (0);
+			return (GSS_S_BAD_MECH);
 
 		mn = malloc(sizeof(struct _gss_mechanism_name));
 		if (!mn)
-			return (0);
+			return GSS_S_FAILURE;
 		
-		major_status = m->gm_import_name(&minor_status,
+		major_status = m->gm_import_name(minor_status,
 		    &name->gn_value,
 		    (name->gn_type.elements
 			? &name->gn_type : GSS_C_NO_OID),
 		    &mn->gmn_name);
 		if (major_status != GSS_S_COMPLETE) {
-			_gss_mg_error(m, major_status, minor_status);
+			_gss_mg_error(m, major_status, *minor_status);
 			free(mn);
-			return (0);
+			return major_status;
 		}
 
 		mn->gmn_mech = m;
 		mn->gmn_mech_oid = &m->gm_mech_oid;
 		SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
 	}
-	return (mn);
+	*output_mn = mn;
+	return 0;
 }
 
+
 /*
  * Make a name from an MN.
  */
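Review bot: The new early returns at L2937, L2942 and L2947 leave `*minor_status` untouched, so a caller that does not zero it beforehand (gss_acquire_cred and gss_canonicalize_name do, gss_duplicate_name and gss_compare_name are not visible) can read an indeterminate minor code together with GSS_S_BAD_NAME, GSS_S_BAD_MECH or GSS_S_FAILURE. Initialise it alongside the output pointer, `*minor_status = 0;` next to `*output_mn = NULL;`, and consider setting an errno-style minor on the malloc failure if that is this module's convention. Style within the hunk is also inconsistent: `return (GSS_S_BAD_MECH);` is parenthesised while the other returns are not, and the success path returns a literal `0` where `return GSS_S_COMPLETE;` would state the contract.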
diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c
index 3195370b777..e2cecaf6b44 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c
@@ -32,7 +32,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_oid_to_str.c 19963 2007-01-17 16:01:22Z lha $");
+RCSID("$Id: gss_oid_to_str.c 21409 2007-07-04 14:19:11Z lha $");
 
 OM_uint32
 gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
@@ -44,6 +44,9 @@ gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
 
     _mg_buffer_zero(oid_str);
 
+    if (oid == GSS_C_NULL_OID)
+	return GSS_S_FAILURE;
+
     ret = der_get_oid (oid->elements, oid->length, &o, &size);
     if (ret) {
 	*minor_status = ret;
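Review bot: The added `GSS_C_NULL_OID` guard returns GSS_S_FAILURE without assigning `*minor_status`, whereas the existing error path just below sets it from `ret`; unless the lines above the hunk already zero it, the caller gets GSS_S_FAILURE paired with an indeterminate minor code. Set it explicitly in the new branch, e.g. `*minor_status = 0;` before the `return GSS_S_FAILURE;`, or use whichever minor value this library uses for invalid arguments. gss_oid_to_str's body starts and ends outside the hunk.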
diff --git a/source4/heimdal/lib/gssapi/mech/name.h b/source4/heimdal/lib/gssapi/mech/name.h
index 2252150a06f..7c9ba33d85c 100644
--- a/source4/heimdal/lib/gssapi/mech/name.h
+++ b/source4/heimdal/lib/gssapi/mech/name.h
@@ -24,7 +24,7 @@
  * SUCH DAMAGE.
  *
  *	$FreeBSD: src/lib/libgssapi/name.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
- *	$Id: name.h 18246 2006-10-05 18:36:07Z lha $
+ *	$Id: name.h 21477 2007-07-10 16:31:44Z lha $
  */
 
 struct _gss_mechanism_name {
@@ -41,7 +41,8 @@ struct _gss_name {
 	struct _gss_mechanism_name_list gn_mn;	/* list of MNs */
 };
 
-struct _gss_mechanism_name *
-	_gss_find_mn(struct _gss_name *name, gss_OID mech);
+OM_uint32
+	_gss_find_mn(OM_uint32 *, struct _gss_name *, gss_OID, 
+	      struct _gss_mechanism_name **);
 struct _gss_name *
 	_gss_make_name(gssapi_mech_interface m, gss_name_t new_mn);
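Review bot: The new `_gss_find_mn` prototype drops the parameter names that the definition in gss_names.c keeps (`minor_status`, `name`, `mech`, `output_mn`), while the neighbouring `_gss_make_name` prototype keeps its names; since the fourth argument is an out-parameter, naming it in the header is the only place a reader of name.h learns that. Suggest `_gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, struct _gss_mechanism_name **output_mn);`. L3019 also has a trailing space after the comma.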
diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
index d20c913bf01..1afe26f1e39 100644
--- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "spnego/spnego_locl.h"
 
-RCSID("$Id: accept_sec_context.c 21243 2007-06-20 15:16:22Z lha $");
+RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
 
 static OM_uint32
 send_reject (OM_uint32 *minor_status,
@@ -555,23 +555,16 @@ acceptor_start
     int get_mic = 0;
     int first_ok = 0;
 
-    if (src_name)
-	*src_name = GSS_C_NO_NAME;
-
     mech_output_token.value = NULL;
     mech_output_token.length = 0;
     mech_buf.value = NULL;
 
-    if (*context_handle == GSS_C_NO_CONTEXT) {
-	ret = _gss_spnego_alloc_sec_context(minor_status,
-					    context_handle);
-	if (ret != GSS_S_COMPLETE)
-	    return ret;
-
-	if (input_token_buffer->length == 0) {
-	    return send_supported_mechs (minor_status, output_token);
-	}
-    }
+    if (input_token_buffer->length == 0)
+	return send_supported_mechs (minor_status, output_token);
+	
+    ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
+    if (ret != GSS_S_COMPLETE)
+	return ret;
 
     ctx = (gssspnego_ctx)*context_handle;
 
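Review bot: `_gss_spnego_alloc_sec_context` is now called unconditionally at L3060, whereas the old code only allocated when `*context_handle == GSS_C_NO_CONTEXT`; if acceptor_start can be entered with an existing handle, that handle is overwritten and its context leaked, so either keep the `GSS_C_NO_CONTEXT` guard or document above the call that this function is only reached for the first leg of the negotiation. The removed `if (src_name) *src_name = GSS_C_NO_NAME;` also means the output is no longer initialised on the two early returns at L3058 and L3062 unless the caller does it; if it does not, restore that initialisation before the `input_token_buffer->length == 0` test. acceptor_start begins and ends outside this hunk, so neither the caller nor the later error paths could be checked here.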
diff --git a/source4/heimdal/lib/gssapi/spnego/spnego.asn1 b/source4/heimdal/lib/gssapi/spnego/spnego.asn1
index aed67dc4ae7..058f10ba3ad 100644
--- a/source4/heimdal/lib/gssapi/spnego/spnego.asn1
+++ b/source4/heimdal/lib/gssapi/spnego/spnego.asn1
@@ -1,4 +1,4 @@
--- $Id: spnego.asn1 19420 2006-12-18 18:28:49Z lha $
+-- $Id: spnego.asn1 21403 2007-07-04 08:13:12Z lha $
 
 SPNEGO DEFINITIONS ::=
 BEGIN
@@ -8,34 +8,34 @@ MechType::= OBJECT IDENTIFIER
 MechTypeList ::= SEQUENCE OF MechType
 
 ContextFlags ::= BIT STRING {
-        delegFlag       (0),
-        mutualFlag      (1),
-        replayFlag      (2),
-        sequenceFlag    (3),
-        anonFlag        (4),
-        confFlag        (5),
-        integFlag       (6)
+    delegFlag       (0),
+    mutualFlag      (1),
+    replayFlag      (2),
+    sequenceFlag    (3),
+    anonFlag        (4),
+    confFlag        (5),
+    integFlag       (6)
 }
 
 NegHints ::= SEQUENCE {
-    hintName       [0]  GeneralString                          OPTIONAL,
-    hintAddress    [1]  OCTET STRING                           OPTIONAL
+    hintName       [0]  GeneralString	OPTIONAL,
+    hintAddress    [1]  OCTET STRING	OPTIONAL
 } 
 
 NegTokenInitWin ::= SEQUENCE {
-                            mechTypes       [0] MechTypeList,
-                            reqFlags        [1] ContextFlags   OPTIONAL,
-                            mechToken       [2] OCTET STRING   OPTIONAL,
-			    negHints        [3] NegHints       OPTIONAL
-			     }
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags   OPTIONAL,
+    mechToken       [2] OCTET STRING   OPTIONAL,
+    negHints        [3] NegHints       OPTIONAL
+}
 
 NegTokenInit ::= SEQUENCE {
-                            mechTypes       [0] MechTypeList,
-                            reqFlags        [1] ContextFlags   OPTIONAL,
-                            mechToken       [2] OCTET STRING   OPTIONAL,
-			    mechListMIC	    [3] OCTET STRING   OPTIONAL
-                         }
-
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags   OPTIONAL,
+    mechToken       [2] OCTET STRING   OPTIONAL,
+    mechListMIC	    [3] OCTET STRING   OPTIONAL,
+    ...
+}
 
 -- NB: negResult is not OPTIONAL in the new SPNEGO spec but
 -- Windows clients do not always send it
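Review bot: `NegTokenInit` (L3126) and, in the hunk at L3137, `NegTokenResp` gain an extension marker `...`, but the reformatted `NegTokenInitWin` at L3109–L3113 does not; if that variant is what gets tried against tokens from Windows peers, a token carrying a field beyond `negHints` would still fail to decode while the standard form now tolerates it. If the omission is deliberate, a one-line `-- no extension marker: ...` comment on NegTokenInitWin would stop the next reader from "fixing" it; otherwise add the marker there too.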
@@ -47,7 +47,8 @@ NegTokenResp ::= SEQUENCE {
                             request-mic         (3) }          OPTIONAL,
     supportedMech  [1] MechType                                OPTIONAL,
     responseToken  [2] OCTET STRING                            OPTIONAL,
-    mechListMIC    [3] OCTET STRING                            OPTIONAL
+    mechListMIC    [3] OCTET STRING                            OPTIONAL,
+    ...
 }
 
 NegotiationToken ::= CHOICE {
diff --git a/source4/heimdal/lib/hcrypto/hmac.c b/source4/heimdal/lib/hcrypto/hmac.c
index 848b987a90c..b8156e38d44 100644
--- a/source4/heimdal/lib/hcrypto/hmac.c
+++ b/source4/heimdal/lib/hcrypto/hmac.c
@@ -52,8 +52,10 @@ HMAC_Init_ex(HMAC_CTX *ctx,
 
     if (ctx->md != md) {
 	ctx->md = md;
-	if (ctx->buf)
+	if (ctx->buf) {
+	    memset(ctx->buf, 0, ctx->key_length);
 	    free (ctx->buf);
+	}
 	ctx->key_length = EVP_MD_size(ctx->md);
 	ctx->buf = malloc(ctx->key_length);
     }
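Review bot: The wipe length is wrong in the second hunk (L3163 and L3168): `opad` and `ipad` are allocated with `EVP_MD_block_size(ctx->md)` at L3172–L3173 but are cleared with `ctx->key_length`, which is the digest size (`EVP_MD_size`) and for every common digest shorter than the block size, so the tail of the key-derived pad bytes is handed back to the allocator unwiped. Worse, `ctx->md` and `ctx->key_length` may already have been switched to the new digest in this first hunk, so even `EVP_MD_block_size(ctx->md)` at that point need not match the old allocation; record the pad length the buffers were allocated with (a `pad_length` field in `HMAC_CTX`, or wipe the pads before `ctx->md` is reassigned) and use that. A plain `memset` immediately before `free` is also a dead store that an optimiser may drop, so if this tree has a non-elidable clear routine it should be used here; the `memset` on `ctx->buf` at L3151 is correct in length since `key_length` has not been updated yet at that point. HMAC_Init_ex starts and ends outside these hunks.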
@@ -67,10 +69,14 @@ HMAC_Init_ex(HMAC_CTX *ctx,
 	keylen = EVP_MD_size(ctx->md);
     }
 
-    if (ctx->opad)
+    if (ctx->opad) {
+	memset(ctx->opad, 0, ctx->key_length);
 	free(ctx->opad);
-    if (ctx->ipad)
+    }
+    if (ctx->ipad) {
+	memset(ctx->ipad, 0, ctx->key_length);
 	free(ctx->ipad);
+    }
 
     ctx->opad = malloc(EVP_MD_block_size(ctx->md));
     ctx->ipad = malloc(EVP_MD_block_size(ctx->md));
diff --git a/source4/heimdal/lib/hx509/ca.c b/source4/heimdal/lib/hx509/ca.c
index 0e48269aa47..bf8fe1be1a4 100644
--- a/source4/heimdal/lib/hx509/ca.c
+++ b/source4/heimdal/lib/hx509/ca.c
@@ -33,7 +33,7 @@
 
 #include "hx_locl.h"
 #include <pkinit_asn1.h>
-RCSID("$Id: ca.c 20904 2007-06-05 01:58:45Z lha $");
+RCSID("$Id: ca.c 21379 2007-06-28 07:38:17Z lha $");
 
 struct hx509_ca_tbs {
     hx509_name subject;
@@ -1002,7 +1002,7 @@ ca_sign(hx509_context context,
 	if (size != data.length)
 	    _hx509_abort("internal ASN.1 encoder error");
 	ret = add_extension(context, tbsc, 0,
-			    oid_id_pe_proxyCertInfo(),
+			    oid_id_pkix_pe_proxyCertInfo(),
 			    &data);
 	free(data.data);
 	if (ret)
diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c
index caf163f8e4b..b7f19d152a9 100644
--- a/source4/heimdal/lib/hx509/cert.c
+++ b/source4/heimdal/lib/hx509/cert.c
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: cert.c 21294 2007-06-25 14:37:15Z lha $");
+RCSID("$Id: cert.c 21380 2007-06-28 07:38:38Z lha $");
 #include "crypto-headers.h"
 #include <rtbl.h>
 
@@ -898,7 +898,7 @@ is_proxy_cert(hx509_context context,
     if (rinfo)
 	memset(rinfo, 0, sizeof(*rinfo));
 
-    e = find_extension(cert, oid_id_pe_proxyCertInfo(), &i);
+    e = find_extension(cert, oid_id_pkix_pe_proxyCertInfo(), &i);
     if (e == NULL) {
 	hx509_clear_error_string(context);
 	return HX509_EXTENSION_NOT_FOUND;
diff --git a/source4/heimdal/lib/hx509/hx509-private.h b/source4/heimdal/lib/hx509/hx509-private.h
index 451c3c89f2b..acbc3218c64 100644
--- a/source4/heimdal/lib/hx509/hx509-private.h
+++ b/source4/heimdal/lib/hx509/hx509-private.h
@@ -314,14 +314,6 @@ _hx509_pbe_decrypt (
 	const heim_octet_string */*econtent*/,
 	heim_octet_string */*content*/);
 
-int
-_hx509_pbe_encrypt (
-	hx509_context /*context*/,
-	hx509_lock /*lock*/,
-	const AlgorithmIdentifier */*ai*/,
-	const heim_octet_string */*content*/,
-	heim_octet_string */*econtent*/);
-
 void
 _hx509_pi_printf (
 	int (*/*func*/)(void *, const char *),
@@ -422,35 +414,11 @@ _hx509_request_add_email (
 void
 _hx509_request_free (hx509_request */*req*/);
 
-int
-_hx509_request_get_SubjectPublicKeyInfo (
-	hx509_context /*context*/,
-	hx509_request /*req*/,
-	SubjectPublicKeyInfo */*key*/);
-
-int
-_hx509_request_get_name (
-	hx509_context /*context*/,
-	hx509_request /*req*/,
-	hx509_name */*name*/);
-
 int
 _hx509_request_init (
 	hx509_context /*context*/,
 	hx509_request */*req*/);
 
-int
-_hx509_request_parse (
-	hx509_context /*context*/,
-	const char */*path*/,
-	hx509_request */*req*/);
-
-int
-_hx509_request_print (
-	hx509_context /*context*/,
-	hx509_request /*req*/,
-	FILE */*f*/);
-
 int
 _hx509_request_set_SubjectPublicKeyInfo (
 	hx509_context /*context*/,
diff --git a/source4/heimdal/lib/hx509/ks_p11.c b/source4/heimdal/lib/hx509/ks_p11.c
index b899005b333..e3066bbcfac 100644
--- a/source4/heimdal/lib/hx509/ks_p11.c
+++ b/source4/heimdal/lib/hx509/ks_p11.c
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: ks_p11.c 21085 2007-06-13 06:39:53Z lha $");
+RCSID("$Id: ks_p11.c 21387 2007-06-28 08:53:45Z lha $");
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
 #endif
@@ -1129,8 +1129,17 @@ p11_printinfo(hx509_context context,
 		MECHNAME(CKM_RSA_X_509, "rsa-x-509");
 		MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
 		MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
+		MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
+		MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
+		MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
 		MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
 		MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
+		MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
+		MECHNAME(CKM_SHA512, "sha512");
+		MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
+		MECHNAME(CKM_SHA384, "sha384");
+		MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
+		MECHNAME(CKM_SHA256, "sha256");
 		MECHNAME(CKM_SHA_1, "sha1");
 		MECHNAME(CKM_MD5, "md5");
 		MECHNAME(CKM_MD2, "md2");
diff --git a/source4/heimdal/lib/hx509/peer.c b/source4/heimdal/lib/hx509/peer.c
index eccedf10433..e90f8f34b06 100644
--- a/source4/heimdal/lib/hx509/peer.c
+++ b/source4/heimdal/lib/hx509/peer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska H�gskolan
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska H�gskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: peer.c 20938 2007-06-06 20:51:34Z lha $");
+RCSID("$Id: peer.c 21481 2007-07-10 16:33:23Z lha $");
 
 int
 hx509_peer_info_alloc(hx509_context context, hx509_peer_info *peer)
@@ -143,7 +143,7 @@ hx509_peer_info_parse(hx509_peer_info peer,
 
 int
 hx509_peer_info_unparse(hx509_peer_info peer,
-		     heim_octet_string *data)
+			heim_octet_string *data)
 {
     return 0;
 }
diff --git a/source4/heimdal/lib/hx509/print.c b/source4/heimdal/lib/hx509/print.c
index dc9d4cfa58c..e6f71ea2ceb 100644
--- a/source4/heimdal/lib/hx509/print.c
+++ b/source4/heimdal/lib/hx509/print.c
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: print.c 20908 2007-06-05 02:59:33Z lha $");
+RCSID("$Id: print.c 21381 2007-06-28 08:29:22Z lha $");
 
 
 struct hx509_validate_ctx_data {
@@ -591,11 +591,50 @@ check_proxyCertInfo(hx509_validate_ctx ctx,
 		    enum critical_flag cf, 
 		    const Extension *e)
 {
+    check_Null(ctx, status, cf, e);
     status->isproxy = 1;
+    return 0;
+}
+
+static int
+check_authorityInfoAccess(hx509_validate_ctx ctx, 
+			  struct cert_status *status,
+			  enum critical_flag cf, 
+			  const Extension *e)
+{
+    AuthorityInfoAccessSyntax aia;
+    size_t size;
+    int ret, i;
+
+    check_Null(ctx, status, cf, e);
+
+    ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data, 
+					   e->extnValue.length,
+					   &aia, &size);
+    if (ret) {
+	printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
+	return 0;
+    }
+
+    for (i = 0; i < aia.len; i++) {
+	char *str;
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		       "\ttype: ");
+	hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
+	hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
+	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+		       "\n\tdirname: %s\n", str);
+	free(str);
+    }
+    free_AuthorityInfoAccessSyntax(&aia);
 
     return 0;
 }
 
+/*
+ *
+ */
+
 struct {
     const char *name;
     const heim_oid *(*oid)(void);
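Review bot: The return value of `hx509_general_name_unparse` at L3380 is unchecked, so on failure `str` is indeterminate and is then both printed with `%s` and passed to `free`; change it to `ret = hx509_general_name_unparse(&aia.val[i].accessLocation, &str); if (ret) continue;` or print a fixed "(unparseable)" marker on failure. The loop index `i` is an `int` compared with `aia.len`, which the ASN.1 generator presumably emits as an unsigned length, and the decode error is reported with a bare `printf` while everything else in the function goes through `validate_print`. The label `"\n\tdirname: %s\n"` describes a GeneralName of any kind, so `"location:"` would be more accurate. In the table hunk at L3410, redefining `ext` and then `#undef`-ing it without restoring the original definition means any later entry still written as `ext(name, Null)` would stop compiling; the visible entries below use literal strings, so it works today, but a short comment explaining the two-macro scheme would help.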
@@ -628,8 +667,11 @@ struct {
     { ext(extKeyUsage, Null), D_C },
     { ext(freshestCRL, Null), M_N_C },
     { ext(inhibitAnyPolicy, Null), M_C },
-    { "proxyCertInfo", oid_id_pe_proxyCertInfo, 
-      check_proxyCertInfo, M_C },
+#undef ext
+#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname 
+    { ext(proxyCertInfo, proxyCertInfo), M_C },
+    { ext(authorityInfoAccess, authorityInfoAccess), M_C },
+#undef ext
     { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim, 
       check_Null, D_C },
     { "Netscape cert comment", oid_id_netscape_cert_comment, 
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 5be3935f2bb..59aae40d289 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: cache.c 20503 2007-04-21 22:03:56Z lha $");
+RCSID("$Id: cache.c 21498 2007-07-11 09:41:43Z lha $");
 
 /*
  * Add a new ccache type with operations `ops', overwriting any
@@ -338,6 +338,35 @@ _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
     return 0;
 }
 
+/*
+ * Return non-zero if envirnoment that will determine default krb5cc
+ * name has changed.
+ */
+
+static int
+environment_changed(krb5_context context)
+{
+    const char *e;
+
+    if(issuid())
+	return 0;
+
+    e = getenv("KRB5CCNAME");
+    if (e == NULL) {
+	if (context->default_cc_name_env) {
+	    free(context->default_cc_name_env);
+	    context->default_cc_name_env = NULL;
+	    return 1;
+	}
+    } else {
+	if (context->default_cc_name_env == NULL)
+	    return 1;
+	if (strcmp(e, context->default_cc_name_env) != 0)
+	    return 1;
+    }
+    return 0;
+}
+
 /*
  * Set the default cc name for `context' to `name'.
  */
@@ -353,8 +382,12 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
 
 	if(!issuid()) {
 	    e = getenv("KRB5CCNAME");
-	    if (e)
+	    if (e) {
 		p = strdup(e);
+		if (context->default_cc_name_env)
+		    free(context->default_cc_name_env);
+		context->default_cc_name_env = strdup(e);
+	    }
 	}
 	if (e == NULL) {
 	    e = krb5_config_get_string(context, NULL, "libdefaults",
@@ -389,7 +422,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
 const char* KRB5_LIB_FUNCTION
 krb5_cc_default_name(krb5_context context)
 {
-    if (context->default_cc_name == NULL)
+    if (context->default_cc_name == NULL || environment_changed(context))
 	krb5_cc_set_default_name(context, NULL);
 
     return context->default_cc_name;
diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c
index 3ceb6df89ca..703cf43eb6f 100644
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: changepw.c 17442 2006-05-05 09:31:15Z lha $");
+RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $");
 
 static void
 str2data (krb5_data *d,
@@ -46,10 +46,12 @@ str2data (krb5_data *d,
 	  ...)
 {
     va_list args;
+    char *str;
 
     va_start(args, fmt);
-    d->length = vasprintf ((char **)&d->data, fmt, args);
+    d->length = vasprintf (&str, fmt, args);
     va_end(args);
+    d->data = str;
 }
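Review bot: `vasprintf` returns -1 and leaves `str` indeterminate on failure, so `d->length = vasprintf(&str, fmt, args)` stores a negative value into a size field and `d->data = str` then publishes an invalid pointer; the new temporary removes the aliasing cast but keeps the unchecked result. Check it, e.g. `int n = vasprintf(&str, fmt, args);` followed by `if (n < 0) { d->data = NULL; d->length = 0; return; }` and only then `d->length = n; d->data = str;`, and have the callers (outside this hunk) test for a NULL `data`. str2data's signature begins in the previous hunk.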
 
 /*
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 8a0af23e408..7c3f128ae59 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_cred.c 21327 2007-06-26 10:54:15Z lha $");
+RCSID("$Id: get_cred.c 21669 2007-07-22 11:29:13Z lha $");
 
 /*
  * Take the `body' and encode it into `padata' using the credentials
@@ -1224,9 +1224,10 @@ krb5_get_renewed_creds(krb5_context context,
 {
     krb5_error_code ret;
     krb5_kdc_flags flags;
-    krb5_creds in, *template;
+    krb5_creds in, *template, *out = NULL;
 
     memset(&in, 0, sizeof(in));
+    memset(creds, 0, sizeof(*creds));
 
     ret = krb5_copy_principal(context, client, &in.client);
     if (ret)
@@ -1263,9 +1264,14 @@ krb5_get_renewed_creds(krb5_context context,
 	krb5_free_creds (context, template);
     }
 
-    ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &creds);
+    ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
     krb5_free_principal(context, in.client);
     krb5_free_principal(context, in.server);
+    if (ret)
+	return ret;
+
+    ret = krb5_copy_creds_contents(context, out, creds);
+    krb5_free_creds(context, out);
 
     return ret;
 }
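Review bot: `memset(creds, 0, sizeof(*creds))` at L3531 zeroes the caller's structure before anything has been validated, so a caller that passes an already-populated `krb5_creds` silently leaks its contents; either document that `creds` must be uninitialised on entry, or move the memset next to the `krb5_copy_creds_contents` call. If `krb5_copy_creds_contents` fails the output may be partially filled, so a `krb5_free_cred_contents(context, creds)` on that error path would keep the contract clean. Note also that this same commit removes the `krb5_get_renewed_creds` prototype from krb5-protos.h; confirm it is declared in another public header, otherwise external callers get an implicit declaration.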
diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c
index 5bdf23d97f0..bd250cef2bd 100644
--- a/source4/heimdal/lib/krb5/init_creds.c
+++ b/source4/heimdal/lib/krb5/init_creds.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds.c 20541 2007-04-23 12:19:14Z lha $");
+RCSID("$Id: init_creds.c 21712 2007-07-27 14:23:41Z lha $");
 
 void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
@@ -225,9 +225,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
 	krb5_get_init_creds_opt_set_renew_life(opt, t);
 
     krb5_appdefault_boolean(context, appname, realm, "no-addresses", 
-			    FALSE, &b);
-    if (b)
-	krb5_get_init_creds_opt_set_addressless (context, opt, TRUE);
+			    KRB5_ADDRESSLESS_DEFAULT, &b);
+    krb5_get_init_creds_opt_set_addressless (context, opt, b);
 
 #if 0
     krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 1676da3bd62..0043b5ef3c1 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska H�gskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska H�gskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds_pw.c 21061 2007-06-12 17:56:30Z lha $");
+RCSID("$Id: init_creds_pw.c 21428 2007-07-10 12:31:58Z lha $");
 
 typedef struct krb5_get_init_creds_ctx {
     KDCOptions flags;
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index a551c42ecd1..9a84dde61a7 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -383,7 +383,7 @@ _krb5_pk_verify_sign (
 krb5_error_code
 _krb5_plugin_find (
 	krb5_context /*context*/,
-	enum plugin_type /*type*/,
+	enum krb5_plugin_type /*type*/,
 	const char */*name*/,
 	struct krb5_plugin **/*list*/);
 
@@ -399,7 +399,7 @@ _krb5_plugin_get_symbol (struct krb5_plugin */*p*/);
 krb5_error_code
 _krb5_plugin_register (
 	krb5_context /*context*/,
-	enum plugin_type /*type*/,
+	enum krb5_plugin_type /*type*/,
 	const char */*name*/,
 	void */*symbol*/);
 
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 058496434e0..740b394be8a 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -2243,14 +2243,6 @@ krb5_get_pw_salt (
 	krb5_const_principal /*principal*/,
 	krb5_salt */*salt*/);
 
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_renewed_creds (
-	krb5_context /*context*/,
-	krb5_creds */*creds*/,
-	krb5_const_principal /*client*/,
-	krb5_ccache /*ccache*/,
-	const char */*in_tkt_service*/);
-
 krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_server_rcache (
 	krb5_context /*context*/,
diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h
index 2ea534cfe3a..dfd7e944607 100644
--- a/source4/heimdal/lib/krb5/krb5-v4compat.h
+++ b/source4/heimdal/lib/krb5/krb5-v4compat.h
@@ -31,11 +31,13 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5-v4compat.h 17442 2006-05-05 09:31:15Z lha $ */
+/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */
 
 #ifndef __KRB5_V4COMPAT_H__
 #define __KRB5_V4COMPAT_H__
 
+#include "krb_err.h"
+
 /* 
  * This file must only be included with v4 compat glue stuff in
  * heimdal sources.
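Review bot: The removed `KERB_ERR_*`, `KDC_*` and `RD_AP_*` macros (0–11, 20 and 31–43) are v4 wire error codes, so the `krb_err.h` now included here must reproduce exactly those numeric values; the generating `krb_err.et` is added by this commit but its contents fall outside this view, so that equivalence could not be checked. A comment next to the include, such as `/* KERB_ERR_*/KDC_*/RD_AP_* now come from the generated krb_err.h; values are protocol constants */`, would record where the definitions went and why their values must not drift.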
@@ -57,56 +59,10 @@
 #define		AUTH_MSG_KDC_RENEW			(10<<1)
 #define 	AUTH_MSG_DIE				(63<<1)
 
-/* values for kerb error codes */
-
-#define		KERB_ERR_OK				 0
-#define		KERB_ERR_NAME_EXP			 1
-#define		KERB_ERR_SERVICE_EXP			 2
-#define		KERB_ERR_AUTH_EXP			 3
-#define		KERB_ERR_PKT_VER			 4
-#define		KERB_ERR_NAME_MAST_KEY_VER		 5
-#define		KERB_ERR_SERV_MAST_KEY_VER		 6
-#define		KERB_ERR_BYTE_ORDER			 7
-#define		KERB_ERR_PRINCIPAL_UNKNOWN		 8
-#define		KERB_ERR_PRINCIPAL_NOT_UNIQUE		 9
-#define		KERB_ERR_NULL_KEY			10
-#define		KERB_ERR_TIMEOUT			11
-
-
-/* Error codes returned from the KDC */
-#define		KDC_OK		0	/* Request OK */
-#define		KDC_NAME_EXP	1	/* Principal expired */
-#define		KDC_SERVICE_EXP	2	/* Service expired */
-#define		KDC_AUTH_EXP	3	/* Auth expired */
-#define		KDC_PKT_VER	4	/* Protocol version unknown */
-#define		KDC_P_MKEY_VER	5	/* Wrong master key version */
-#define		KDC_S_MKEY_VER 	6	/* Wrong master key version */
-#define		KDC_BYTE_ORDER	7	/* Byte order unknown */
-#define		KDC_PR_UNKNOWN	8	/* Principal unknown */
-#define		KDC_PR_N_UNIQUE 9	/* Principal not unique */
-#define		KDC_NULL_KEY   10	/* Principal has null key */
-#define		KDC_GEN_ERR    20	/* Generic error from KDC */
-
 /* General definitions */
 #define		KSUCCESS	0
 #define		KFAILURE	255
 
-/* Values returned by rd_ap_req */
-#define		RD_AP_OK	0	/* Request authentic */
-#define		RD_AP_UNDEC    31	/* Can't decode authenticator */
-#define		RD_AP_EXP      32	/* Ticket expired */
-#define		RD_AP_NYV      33	/* Ticket not yet valid */
-#define		RD_AP_REPEAT   34	/* Repeated request */
-#define		RD_AP_NOT_US   35	/* The ticket isn't for us */
-#define		RD_AP_INCON    36	/* Request is inconsistent */
-#define		RD_AP_TIME     37	/* delta_t too big */
-#define		RD_AP_BADD     38	/* Incorrect net address */
-#define		RD_AP_VERSION  39	/* protocol version mismatch */
-#define		RD_AP_MSG_TYPE 40	/* invalid msg type */
-#define		RD_AP_MODIFIED 41	/* message stream modified */
-#define		RD_AP_ORDER    42	/* message out of order */
-#define		RD_AP_UNAUTHOR 43	/* unauthorized request */
-
 /* */
 
 #define		MAX_KTXT_LEN	1250
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 345fe70764f..4f9a63bf054 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5.h 21252 2007-06-21 04:18:28Z lha $ */
+/* $Id: krb5.h 21551 2007-07-15 09:03:39Z lha $ */
 
 #ifndef __KRB5_H__
 #define __KRB5_H__
@@ -436,11 +436,6 @@ typedef struct krb5_config_binding krb5_config_binding;
 
 typedef krb5_config_binding krb5_config_section;
 
-enum {
-    KRB5_PKINIT_WIN2K		= 1,	/* wire compatible with Windows 2k */
-    KRB5_PKINIT_PACKET_CABLE	= 2	/* use packet cable standard */
-};
-
 typedef struct krb5_ticket {
     EncTicketPart ticket;
     krb5_principal client;
@@ -766,6 +761,12 @@ typedef struct krb5_sendto_ctx *krb5_sendto_ctx;
 
 typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
 
+struct krb5_plugin;
+enum krb5_plugin_type {
+    PLUGIN_TYPE_DATA = 1,
+    PLUGIN_TYPE_FUNC
+};
+
 struct credentials; /* this is to keep the compiler happy */
 struct getargs;
 struct sockaddr;
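Review bot: `enum krb5_plugin_type` moves into the installed krb5.h, so its enumerators `PLUGIN_TYPE_DATA` and `PLUGIN_TYPE_FUNC` become public names without the krb5 prefix that the tag itself and the rest of this header use, and they can now collide with same-named macros in any application that includes krb5.h. If they cannot be renamed (existing plugins may already use them, which this diff cannot show), a one-line comment on each enumerator saying what kind of plugin symbol it describes would at least document the new public contract.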
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 87169fc4307..b41e6e1182e 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5_locl.h 20261 2007-02-18 00:32:22Z lha $ */
+/* $Id: krb5_locl.h 21552 2007-07-15 09:04:00Z lha $ */
 
 #ifndef __KRB5_LOCL_H__
 #define __KRB5_LOCL_H__
@@ -148,12 +148,6 @@ struct krb5_dh_moduli;
 /* v4 glue */
 struct _krb5_krb_auth_data;
 
-struct krb5_plugin;
-enum plugin_type {
-    PLUGIN_TYPE_DATA = 1,
-    PLUGIN_TYPE_FUNC
-};
-
 #include <der.h>
 
 #include <krb5.h>
@@ -236,7 +230,7 @@ typedef struct krb5_context_data {
     char error_buf[256];
     krb5_addresses *ignore_addresses;
     char *default_cc_name;
-    int pkinit_flags;
+    char *default_cc_name_env;
     void *mutex;			/* protects error_string/error_buf */
     int large_msg_size;
     int dns_canonicalize_hostname;
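Review bot: `default_cc_name_env` is a new pointer member of the context, but nothing in this hunk shows where it is assigned or released; presumably it is filled from the environment next to `default_cc_name` and must be freed in krb5_free_context, neither of which is visible here. A short comment on the field, e.g. `char *default_cc_name_env; /* cc name taken from the environment; owned by the context */`, would make the ownership explicit (wording to be confirmed against the code that sets it).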
diff --git a/source4/heimdal/lib/krb5/krb_err.et b/source4/heimdal/lib/krb5/krb_err.et
new file mode 100644
index 00000000000..f7dbb6ce7a6
--- /dev/null
+++ b/source4/heimdal/lib/krb5/krb_err.et
@@ -0,0 +1,63 @@
+#
+# Error messages for the krb4 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $"
+
+error_table krb
+
+prefix KRB4ET
+ec KSUCCESS,		"Kerberos 4 successful"
+ec KDC_NAME_EXP,	"Kerberos 4 principal expired"
+ec KDC_SERVICE_EXP,	"Kerberos 4 service expired"
+ec KDC_AUTH_EXP,	"Kerberos 4 auth expired"
+ec KDC_PKT_VER,		"Incorrect Kerberos 4 master key version"
+ec KDC_P_MKEY_VER,	"Incorrect Kerberos 4 master key version"
+ec KDC_S_MKEY_VER,	"Incorrect Kerberos 4 master key version"
+ec KDC_BYTE_ORDER,	"Kerberos 4 byte order unknown"
+ec KDC_PR_UNKNOWN,	"Kerberos 4 principal unknown"
+ec KDC_PR_N_UNIQUE,	"Kerberos 4 principal not unique"
+ec KDC_NULL_KEY,	"Kerberos 4 principal has null key"
+index 20
+ec KDC_GEN_ERR,		"Generic error from KDC (Kerberos 4)"
+ec GC_TKFIL,		"Can't read Kerberos 4 ticket file"
+ec GC_NOTKT,		"Can't find Kerberos 4 ticket or TGT"
+index 26
+ec MK_AP_TGTEXP,	"Kerberos 4 TGT Expired"
+index 31
+ec RD_AP_UNDEC,		"Kerberos 4: Can't decode authenticator"
+ec RD_AP_EXP,		"Kerberos 4 ticket expired"
+ec RD_AP_NYV,		"Kerberos 4 ticket not yet valid"
+ec RD_AP_REPEAT,	"Kerberos 4: Repeated request"
+ec RD_AP_NOT_US,	"The Kerberos 4 ticket isn't for us"
+ec RD_AP_INCON,		"Kerberos 4 request inconsistent"
+ec RD_AP_TIME,		"Kerberos 4: delta_t too big"
+ec RD_AP_BADD,		"Kerberos 4: incorrect net address"
+ec RD_AP_VERSION,	"Kerberos protocol not version 4"
+ec RD_AP_MSG_TYPE,	"Kerberos 4: invalid msg type"
+ec RD_AP_MODIFIED,	"Kerberos 4: message stream modified"
+ec RD_AP_ORDER,		"Kerberos 4: message out of order"
+ec RD_AP_UNAUTHOR,	"Kerberos 4: unauthorized request"
+index 51
+ec GT_PW_NULL,		"Kerberos 4: current PW is null"
+ec GT_PW_BADPW,		"Kerberos 4: Incorrect current password"
+ec GT_PW_PROT,		"Kerberos 4 protocol error"
+ec GT_PW_KDCERR,	"Error returned by KDC (Kerberos 4)"
+ec GT_PW_NULLTKT,	"Null Kerberos 4 ticket returned by KDC"
+ec SKDC_RETRY,		"Kerberos 4: Retry count exceeded"
+ec SKDC_CANT,		"Kerberos 4: Can't send request"
+index 61
+ec INTK_W_NOTALL,	"Kerberos 4: not all tickets returned"
+ec INTK_BADPW,		"Kerberos 4: incorrect password"
+ec INTK_PROT,		"Kerberos 4: Protocol Error"
+index 70
+ec INTK_ERR,		"Other error in Kerberos 4"
+ec AD_NOTGT,		"Don't have Kerberos 4 ticket-granting ticket"
+index 76
+ec NO_TKT_FIL,		"No Kerberos 4 ticket file found"
+ec TKT_FIL_ACC,		"Couldn't access Kerberos 4 ticket file"
+ec TKT_FIL_LCK,		"Couldn't lock Kerberos 4 ticket file"
+ec TKT_FIL_FMT,		"Bad Kerberos 4 ticket file format"
+ec TKT_FIL_INI,		"Kerberos 4: tf_init not called first"
+ec KNAME_FMT,		"Bad Kerberos 4 name format"
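Review bot: The message on the `ec KDC_PKT_VER,` line repeats the master-key-version text of the two entries that follow it, whereas the krb4 definition this table replaces documents code 4 as "Protocol version unknown" (the removed `KDC_PKT_VER 4` define earlier in this diff). A caller mapping a protocol-version failure to this code would therefore print a misleading master-key error; change it to `ec KDC_PKT_VER, "Kerberos 4 protocol version unknown"`.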
diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c
index 69b52dd808c..094fd4f9c64 100644
--- a/source4/heimdal/lib/krb5/krbhst.c
+++ b/source4/heimdal/lib/krb5/krbhst.c
@@ -35,7 +35,7 @@
 #include <resolve.h>
 #include "locate_plugin.h"
 
-RCSID("$Id: krbhst.c 21131 2007-06-18 20:48:09Z lha $");
+RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $");
 
 static int
 string_to_proto(const char *string)
@@ -919,8 +919,10 @@ gethostlist(krb5_context context, const char *realm,
 
     while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
 	nhost++;
-    if(nhost == 0)
+    if(nhost == 0) {
+	krb5_set_error_string(context, "No KDC found for realm %s", realm);
 	return KRB5_KDC_UNREACH;
+    }
     *hostlist = calloc(nhost + 1, sizeof(**hostlist));
     if(*hostlist == NULL) {
 	krb5_krbhst_free(context, handle);
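Review bot: The nhost == 0 path still returns KRB5_KDC_UNREACH without releasing `handle`, while the calloc-failure path immediately below calls `krb5_krbhst_free(context, handle)` before returning. Unless the caller owns handle (gethostlist starts outside the hunk, so this cannot be confirmed here), the new block leaks it for every realm with no reachable KDC; add `krb5_krbhst_free(context, handle);` before the return inside the new braces.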
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 105cab554d8..c8587770f4c 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: pkinit.c 21321 2007-06-26 05:21:56Z lha $");
+RCSID("$Id: pkinit.c 21684 2007-07-23 23:09:10Z lha $");
 
 struct krb5_dh_moduli {
     char *name;
@@ -645,8 +645,6 @@ _krb5_pk_mk_padata(krb5_context context,
 						req_body->realm,
 						"pkinit_win2k",
 						NULL);
-    if (context->pkinit_flags & KRB5_PKINIT_WIN2K)
-	win2k_compat = 1;
 
     if (win2k_compat) {
 	ctx->require_binding = 
@@ -1721,7 +1719,7 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
     free(moduli);
 }
 
-static const char *default_moduli =
+static const char *default_moduli_RFC2412_MODP_group2 =
     /* name */
     "RFC2412-MODP-group2 "
     /* bits */
@@ -1743,6 +1741,37 @@ static const char *default_moduli =
     "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
     "FFFFFFFF" "FFFFFFFF";
 
+static const char *default_moduli_rfc3526_MODP_group14 =
+    /* name */
+    "rfc3526-MODP-group14 "
+    /* bits */
+    "1760 "
+    /* p */
+    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
+    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
+    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
+    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
+    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
+    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
+    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
+    /* g */
+    "02 "
+    /* q */
+    "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
+    "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
+    "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
+    "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
+    "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
+    "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
+    "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
+    "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
+    "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
+    "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
+    "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
 
 krb5_error_code
 _krb5_parse_moduli(krb5_context context, const char *file,
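Review bot: The bits field of the new rfc3526-MODP-group14 entry reads `"1760 "` while the p that follows spans 64 32-bit words, i.e. a 2048-bit modulus, and the group2 entry above is labelled with its real size, so the mismatch looks accidental. If this field is what the moduli parser stores and later compares against the configured minimum DH size (parser and comparison are outside the hunk), a 2048-bit group advertised as 1760 bits would be refused by a 2048-bit minimum it actually satisfies. Either change the literal to `"2048 "` or add a comment above it stating why 1760 is the intended value for this group.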
@@ -1757,19 +1786,28 @@ _krb5_parse_moduli(krb5_context context, const char *file,
 
     *moduli = NULL;
 
-    m = calloc(1, sizeof(m[0]) * 2);
+    m = calloc(1, sizeof(m[0]) * 3);
     if (m == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
 	return ENOMEM;
     }
 
-    strlcpy(buf, default_moduli, sizeof(buf));
+    strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
     ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[0]);
     if (ret) {
 	_krb5_free_moduli(m);
 	return ret;
     }
-    n = 1;
+    n++;
+
+    strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
+    ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[1]);
+    if (ret) {
+	_krb5_free_moduli(m);
+	return ret;
+    }
+    n++;
+
 
     if (file == NULL)
 	file = MODULI_FILE;
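Review bot: Neither strlcpy result is checked, so if `buf` (declared outside the hunk) is smaller than the new group14 literal — roughly 1 KB, about twice the old default — the text is silently truncated and a cut-off parameter set is handed to _krb5_parse_moduli_line. Guard each copy, e.g. `if (strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf)) >= sizeof(buf)) { _krb5_free_moduli(m); return EINVAL; }`, or size buf from the literals. Note also that replacing `n = 1` with `n++` now relies on n being initialised to 0 above the hunk, which should be confirmed.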
diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c
index 68317a12c0d..43fa3f5b45a 100644
--- a/source4/heimdal/lib/krb5/plugin.c
+++ b/source4/heimdal/lib/krb5/plugin.c
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: plugin.c 21134 2007-06-18 21:02:23Z lha $");
+RCSID("$Id: plugin.c 21702 2007-07-26 19:13:53Z lha $");
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
 #endif
@@ -45,7 +45,7 @@ struct krb5_plugin {
 };
 
 struct plugin {
-    enum plugin_type type;
+    enum krb5_plugin_type type;
     void *name;
     void *symbol;
     struct plugin *next;
@@ -76,9 +76,11 @@ _krb5_plugin_get_next(struct krb5_plugin *p)
  *
  */
 
+#ifdef HAVE_DLOPEN
+
 static krb5_error_code
 loadlib(krb5_context context,
-	enum plugin_type type,
+	enum krb5_plugin_type type,
 	const char *name,
 	const char *lib,
 	struct krb5_plugin **e)
@@ -113,10 +115,11 @@ loadlib(krb5_context context,
 
     return 0;
 }
+#endif /* HAVE_DLOPEN */
 
 krb5_error_code
 _krb5_plugin_register(krb5_context context,
-		      enum plugin_type type,
+		      enum krb5_plugin_type type,
 		      const char *name, 
 		      void *symbol)
 {
@@ -146,7 +149,7 @@ _krb5_plugin_register(krb5_context context,
 
 krb5_error_code
 _krb5_plugin_find(krb5_context context,
-		  enum plugin_type type,
+		  enum krb5_plugin_type type,
 		  const char *name, 
 		  struct krb5_plugin **list)
 {
@@ -181,6 +184,8 @@ _krb5_plugin_find(krb5_context context,
     }
     HEIMDAL_MUTEX_unlock(&plugin_mutex);
 
+#ifdef HAVE_DLOPEN
+
     dirs = krb5_config_get_strings(context, NULL, "libdefaults", 
 				   "plugin_dir", NULL);
     if (dirs == NULL) {
@@ -213,6 +218,7 @@ _krb5_plugin_find(krb5_context context,
     }
     if (dirs != sysdirs)
 	krb5_config_free_strings(dirs);
+#endif /* HAVE_DLOPEN */
 
     if (*list == NULL) {
 	krb5_set_error_string(context, "Did not find a plugin for %s", name);
diff --git a/source4/heimdal/lib/krb5/rd_priv.c b/source4/heimdal/lib/krb5/rd_priv.c
index d3920dd9417..47b5df85b23 100644
--- a/source4/heimdal/lib/krb5/rd_priv.c
+++ b/source4/heimdal/lib/krb5/rd_priv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska H�gskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska H�gskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_priv.c 17056 2006-04-12 16:18:10Z lha $");
+RCSID("$Id: rd_priv.c 21770 2007-08-01 04:04:33Z lha $");
 
 krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_priv(krb5_context context,
@@ -55,13 +55,17 @@ krb5_rd_priv(krb5_context context,
 
     if ((auth_context->flags & 
 	 (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
-	outdata == NULL)
+	outdata == NULL) {
+	krb5_clear_error_string (context);
 	return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+    }
 
     memset(&priv, 0, sizeof(priv));
     ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
-    if (ret) 
+    if (ret) {
+	krb5_clear_error_string (context);
 	goto failure;
+    }
     if (priv.pvno != 5) {
 	krb5_clear_error_string (context);
 	ret = KRB5KRB_AP_ERR_BADVERSION;
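Review bot: On the decode_KRB_PRIV failure the new block only clears the error string, so the caller receives the bare ASN.1 error code with no hint of which message failed to decode; the decode_EncKrbPrivPart failure in the next hunk (L4100-4103) has the same shape. Replacing the clear with `krb5_set_error_string(context, "Failed to decode KRB-PRIV");` (and the EncKrbPrivPart equivalent below) still prevents stale text from leaking, which is what the clear is for, and gives a usable diagnostic. krb5_rd_priv starts and ends outside the hunk.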
@@ -94,8 +98,10 @@ krb5_rd_priv(krb5_context context,
 
     ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
     krb5_data_free (&plain);
-    if (ret) 
+    if (ret) {
+	krb5_clear_error_string (context);
 	goto failure;
+    }
   
     /* check sender address */
 
diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c
index d42fbec3a50..3f99df6391c 100644
--- a/source4/heimdal/lib/krb5/v4_glue.c
+++ b/source4/heimdal/lib/krb5/v4_glue.c
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: v4_glue.c 17442 2006-05-05 09:31:15Z lha $");
+RCSID("$Id: v4_glue.c 21572 2007-07-16 05:13:08Z lha $");
 
 #include "krb5-v4compat.h"
 
@@ -351,12 +351,12 @@ storage_to_etext(krb5_context context,
 
     size = krb5_storage_seek(sp, 0, SEEK_END);
     if (size < 0)
-	return EINVAL;
+	return KRB4ET_RD_AP_UNDEC;
     size = 8 - (size & 7);
 
     ret = krb5_storage_write(sp, eightzeros, size);
     if (ret != size)
-	return EINVAL;
+	return KRB4ET_RD_AP_UNDEC;
 
     ret = krb5_storage_to_data(sp, &data);
     if (ret)
@@ -435,7 +435,7 @@ _krb5_krb_create_ticket(krb5_context context,
 			     session->keyvalue.data, 
 			     session->keyvalue.length);
     if (ret != session->keyvalue.length) {
-	ret = EINVAL;
+	ret = KRB4ET_INTK_PROT;
 	goto error;
     }
 
@@ -487,7 +487,7 @@ _krb5_krb_create_ciph(krb5_context context,
 			     session->keyvalue.data, 
 			     session->keyvalue.length);
     if (ret != session->keyvalue.length) {
-	ret = EINVAL;
+	ret = KRB4ET_INTK_PROT;
 	goto error;
     }
 
@@ -497,7 +497,7 @@ _krb5_krb_create_ciph(krb5_context context,
     RCHECK(ret, krb5_store_int8(sp, ticket->length), error);
     ret = krb5_storage_write(sp, ticket->data, ticket->length);
     if (ret != ticket->length) {
-	ret = EINVAL;
+	ret = KRB4ET_INTK_PROT;
 	goto error;
     }
     RCHECK(ret, krb5_store_int32(sp, kdc_time), error);
@@ -550,7 +550,7 @@ _krb5_krb_create_auth_reply(krb5_context context,
     RCHECK(ret, krb5_store_int16(sp, cipher->length), error);
     ret = krb5_storage_write(sp, cipher->data, cipher->length);
     if (ret != cipher->length) {
-	ret = EINVAL;
+	ret = KRB4ET_INTK_PROT;
 	goto error;
     }
 
@@ -599,6 +599,9 @@ _krb5_krb_cr_err_reply(krb5_context context,
     RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error);
     RCHECK(ret, put_nir(sp, name, inst, realm), error);
     RCHECK(ret, krb5_store_int32(sp, time_ws), error);
+    /* If its a Kerberos 4 error-code, remove the et BASE */
+    if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255)
+	e -= ERROR_TABLE_BASE_krb;
     RCHECK(ret, krb5_store_int32(sp, e), error);
     RCHECK(ret, krb5_store_stringz(sp, e_string), error);
 
@@ -623,7 +626,7 @@ get_v4_stringz(krb5_storage *sp, char **str, size_t max_len)
     if (strlen(*str) > max_len) {
 	free(*str);
 	*str = NULL;
-	return EINVAL;
+	return KRB4ET_INTK_PROT;
     }
     return 0;
 }
@@ -662,7 +665,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
 	return ENOMEM;
     }
 
-    krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
+    krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
 
     RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error);
     RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
@@ -672,7 +675,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
 	
     size = krb5_storage_read(sp, des_key, sizeof(des_key));
     if (size != sizeof(des_key)) {
-	ret = EINVAL; /* XXX */
+	ret = KRB4ET_INTK_PROT;
 	goto error;
     }
 
@@ -770,26 +773,32 @@ _krb5_krb_rd_req(krb5_context context,
 	return ENOMEM;
     }
 
-    krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
+    krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
 
     ret = krb5_ret_int8(sp, &pvno);
-    if (ret)
+    if (ret) {
+	krb5_set_error_string(context, "Failed reading v4 pvno");
 	goto error;
+    }
 
     if (pvno != KRB_PROT_VERSION) {
-	ret = EINVAL; /* XXX */
+	ret = KRB4ET_RD_AP_VERSION;
+	krb5_set_error_string(context, "Failed v4 pvno not 4");
 	goto error;
     }
 
     ret = krb5_ret_int8(sp, &type);
-    if (ret)
+    if (ret) {
+	krb5_set_error_string(context, "Failed readin v4 type");
 	goto error;
+    }
 
     little_endian = type & 1;
     type &= ~1;
     
     if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) {
-	ret = EINVAL; /* RD_AP_MSG_TYPE */
+	ret = KRB4ET_RD_AP_MSG_TYPE;
+	krb5_set_error_string(context, "Not a valid v4 request type");
 	goto error;
     }
 
@@ -801,7 +810,8 @@ _krb5_krb_rd_req(krb5_context context,
 
     size = krb5_storage_read(sp, ticket.data, ticket.length);
     if (size != ticket.length) {
-	ret = EINVAL;
+	ret = KRB4ET_INTK_PROT;
+	krb5_set_error_string(context, "Failed reading v4 ticket");
 	goto error;
     }
 
@@ -815,7 +825,8 @@ _krb5_krb_rd_req(krb5_context context,
 
     size = krb5_storage_read(sp, eaut.data, eaut.length);
     if (size != eaut.length) {
-	ret = EINVAL;
+	ret = KRB4ET_INTK_PROT;
+	krb5_set_error_string(context, "Failed reading v4 authenticator");
 	goto error;
     }
 
@@ -828,8 +839,8 @@ _krb5_krb_rd_req(krb5_context context,
 
     sp = krb5_storage_from_data(&aut);
     if (sp == NULL) {
-	krb5_set_error_string(context, "alloc: out of memory");
 	ret = ENOMEM;
+	krb5_set_error_string(context, "alloc: out of memory");
 	goto error;
     }
 
@@ -849,19 +860,22 @@ _krb5_krb_rd_req(krb5_context context,
     if (strcmp(ad->pname, r_name) != 0 ||
 	strcmp(ad->pinst, r_instance) != 0 ||
 	strcmp(ad->prealm, r_realm) != 0) {
-	ret = EINVAL; /* RD_AP_INCON */
+	krb5_set_error_string(context, "v4 principal mismatch");
+	ret = KRB4ET_RD_AP_INCON;
 	goto error;
     }
     
-    if (from_addr && from_addr != ad->address) {
-	ret = EINVAL; /* RD_AP_BADD */
+    if (from_addr && ad->address && from_addr != ad->address) {
+	krb5_set_error_string(context, "v4 bad address in ticket");
+	ret = KRB4ET_RD_AP_BADD;
 	goto error;
     }
 
     gettimeofday(&tv, NULL);
     delta_t = abs((int)(tv.tv_sec - r_time_sec));
     if (delta_t > CLOCK_SKEW) {
-        ret = EINVAL; /* RD_AP_TIME */
+        ret = KRB4ET_RD_AP_TIME;
+	krb5_set_error_string(context, "v4 clock skew");
 	goto error;
     }
 
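Review bot: The rewritten address check now skips the comparison whenever `ad->address` is zero, so a ticket carrying no address is accepted from any peer even when `from_addr` was supplied; that looks like the intended krb4 semantics for an unset address, but it is a deliberate relaxation of the previous check and deserves a comment on the condition, e.g. `/* an address of 0 in the ticket means it is not bound to a client address */`. Separately, this hunk sets the error string before `ret` in two places and after it in the third; using one order throughout keeps the error paths uniform. _krb5_krb_rd_req starts and ends outside the hunk.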
@@ -870,12 +884,14 @@ _krb5_krb_rd_req(krb5_context context,
     tkt_age = tv.tv_sec - ad->time_sec;
     
     if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) {
-        ret = EINVAL; /* RD_AP_NYV */
+        ret = KRB4ET_RD_AP_NYV;
+	krb5_set_error_string(context, "v4 clock skew for expiration");
 	goto error;
     }
 
     if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) {
-	ret = EINVAL; /* RD_AP_EXP */
+	ret = KRB4ET_RD_AP_EXP;
+	krb5_set_error_string(context, "v4 ticket expired");
 	goto error;
     }
 
diff --git a/source4/heimdal/lib/ntlm/ntlm.c b/source4/heimdal/lib/ntlm/ntlm.c
index 1961c7fa22f..671bf329e86 100644
--- a/source4/heimdal/lib/ntlm/ntlm.c
+++ b/source4/heimdal/lib/ntlm/ntlm.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: ntlm.c 21317 2007-06-25 19:22:02Z lha $");
+RCSID("$Id: ntlm.c 21604 2007-07-17 06:48:55Z lha $");
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -1105,7 +1105,7 @@ heim_ntlm_verify_ntlm2(const void *key, size_t len,
     HMAC_CTX_init(&c);
     HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL);
     HMAC_Update(&c, serverchallange, 8);
-    HMAC_Update(&c, ((char *)answer->data) + 16, answer->length - 16);
+    HMAC_Update(&c, ((unsigned char *)answer->data) + 16, answer->length - 16);
     HMAC_Final(&c, serveranswer, &hmaclen);
     HMAC_CTX_cleanup(&c);
 
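Review bot: `answer->length - 16` is computed without a visible check that `answer->length >= 16`; if no such guard sits above the hunk (heim_ntlm_verify_ntlm2 starts outside it), a short answer makes the size_t subtraction wrap and HMAC_Update reads far past the buffer. The cast change itself is fine; please confirm the length guard exists or add `if (answer->length < 16) return EINVAL;` at the top of the function before any use of answer->data.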
diff --git a/source4/heimdal_build/config.mk b/source4/heimdal_build/config.mk
index 73187c31dcb..940d9cdb9ce 100644
--- a/source4/heimdal_build/config.mk
+++ b/source4/heimdal_build/config.mk
@@ -259,7 +259,8 @@ OBJ_FILES = \
 	../heimdal/lib/krb5/warn.o \
 	../heimdal/lib/krb5/krb5_err.o \
 	../heimdal/lib/krb5/heim_err.o \
-	../heimdal/lib/krb5/k524_err.o
+	../heimdal/lib/krb5/k524_err.o \
+	../heimdal/lib/krb5/krb_err.o
 # End SUBSYSTEM HEIMDAL_KRB5
 #######################
 
@@ -568,10 +569,15 @@ include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/CMS.asn1 cms_asn1 hei
 include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/ocsp.asn1 ocsp_asn1 heimdal/lib/hx509 --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData|
 include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/kx509.asn1 kx509_asn1 heimdal/lib/asn1|
 include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/pkcs10.asn1 pkcs10_asn1 heimdal/lib/hx509 --preserve-binary=CertificationRequestInfo|
+
+#
+# Ensure to update ../static_deps.mk when you add a new entry here!
+#
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/asn1/asn1_err.et heimdal/lib/asn1|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/hdb/hdb_err.et heimdal/lib/hdb|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/heim_err.et heimdal/lib/krb5|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/k524_err.et heimdal/lib/krb5|
+include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb_err.et heimdal/lib/krb5|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb5_err.et heimdal/lib/krb5|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/gssapi/krb5/gkrb5_err.et heimdal/lib/gssapi|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/hx509/hx509_err.et heimdal/lib/hx509|
diff --git a/source4/static_deps.mk b/source4/static_deps.mk
index 34bb1263c19..1c9173b32c6 100644
--- a/source4/static_deps.mk
+++ b/source4/static_deps.mk
@@ -35,6 +35,7 @@ heimdal_basics: \
        heimdal/lib/hdb/hdb_err.h \
        heimdal/lib/krb5/heim_err.h \
        heimdal/lib/krb5/k524_err.h \
+       heimdal/lib/krb5/krb_err.h \
        heimdal/lib/krb5/krb5_err.h \
        heimdal/lib/gssapi/gkrb5_err.h \
        heimdal/lib/hx509/hx509_err.h