Import Heimdal 7.5.0.vendor/heimdal/7.5.0vendor/heimdal

48 files changed, 4066 insertions, 972 deletions

diff --git a/lib/asn1/Makefile.am b/lib/asn1/Makefile.am
index 47158b88aa42..7c513d5bc120 100644
--- a/lib/asn1/Makefile.am
+++ b/lib/asn1/Makefile.am
@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
 
 YFLAGS = -d -t
 
+AM_CPPFLAGS += $(ROKEN_RENAME)
+
 lib_LTLIBRARIES = libasn1.la
 libasn1_la_LDFLAGS = -version-info 8:0:0
 
@@ -37,6 +39,7 @@ gen_files_pkinit = asn1_pkinit_asn1.x
 gen_files_pkcs12 = asn1_pkcs12_asn1.x
 gen_files_pkcs8 = asn1_pkcs8_asn1.x
 gen_files_pkcs9 = asn1_pkcs9_asn1.x
+gen_files_test_template = test_template_asn1-template.x
 gen_files_test = asn1_test_asn1.x
 gen_files_digest = asn1_digest_asn1.x
 gen_files_kx509 = asn1_kx509_asn1.x
@@ -53,7 +56,7 @@ asn1_print_SOURCES = asn1_print.c
 check_der_SOURCES = check-der.c check-common.c check-common.h
 
 check_template_SOURCES = check-template.c check-common.c check-common.h
-nodist_check_template_SOURCES = $(gen_files_test:.x=.c)
+nodist_check_template_SOURCES = $(gen_files_test_template)
 
 dist_check_gen_SOURCES = check-gen.c check-common.c check-common.h
 nodist_check_gen_SOURCES = $(gen_files_test:.x=.c)
@@ -94,8 +97,10 @@ dist_libasn1base_la_SOURCES =			\
 	der_copy.c				\
 	der_cmp.c				\
 	der_format.c				\
+	fuzzer.c				\
 	heim_asn1.h				\
 	extra.c					\
+	roken_rename.h				\
 	template.c				\
 	timegm.c
 
@@ -134,7 +139,9 @@ CLEANFILES = \
 	$(gen_files_pkcs12) \
 	$(gen_files_digest) \
 	$(gen_files_kx509) \
-	$(gen_files_test) $(nodist_check_gen_SOURCES) \
+	$(gen_files_test) \
+	$(gen_files_test_template) \
+	$(nodist_check_gen_SOURCES) \
 	asn1_err.c asn1_err.h \
 	rfc2459_asn1_files rfc2459_asn1*.h* \
 	cms_asn1_files cms_asn1*.h* \
@@ -145,9 +152,12 @@ CLEANFILES = \
 	pkcs12_asn1_files pkcs12_asn1*.h* \
 	digest_asn1_files digest_asn1*.h* \
 	kx509_asn1_files kx509_asn1*.h* \
-	test_asn1_files test_asn1*.h*
+	test_asn1_files test_asn1*.h* \
+	test_template_asn1* \
+	asn1_*.x
 
-dist_include_HEADERS = der.h heim_asn1.h der-protos.h der-private.h
+dist_include_HEADERS = der.h heim_asn1.h
+dist_include_HEADERS += $(srcdir)/der-protos.h $(srcdir)/der-private.h
 dist_include_HEADERS += asn1-common.h
 
 nodist_include_HEADERS = asn1_err.h
@@ -170,6 +180,7 @@ priv_headers += pkcs9_asn1-priv.h
 priv_headers += pkcs12_asn1-priv.h
 priv_headers += digest_asn1-priv.h
 priv_headers += kx509_asn1-priv.h
+priv_headers += test_template_asn1.h test_template_asn1-priv.h
 priv_headers += test_asn1.h test_asn1-priv.h
 
 
@@ -193,6 +204,7 @@ $(gen_files_kx509) kx509_asn1.hx kx509_asn1-priv.hx: kx509_asn1_files
 $(gen_files_rfc2459) rfc2459_asn1.hx rfc2459_asn1-priv.hx: rfc2459_asn1_files
 $(gen_files_cms) cms_asn1.hx cms_asn1-priv.hx: cms_asn1_files
 $(gen_files_test) test_asn1.hx test_asn1-priv.hx: test_asn1_files
+$(gen_files_test_template) test_template_asn1.hx test_template_asn1-priv.hx: test_template_asn1_files
 
 rfc2459_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc2459.asn1
 	$(ASN1_COMPILE) --one-code-file --preserve-binary=TBSCertificate --preserve-binary=TBSCRLCertList --preserve-binary=Name --sequence=GeneralNames --sequence=Extensions --sequence=CRLDistributionPoints $(srcdir)/rfc2459.asn1 rfc2459_asn1 || (rm -f rfc2459_asn1_files ; exit 1)
@@ -221,12 +233,16 @@ digest_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/digest.asn1
 kx509_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/kx509.asn1
 	$(ASN1_COMPILE) --one-code-file $(srcdir)/kx509.asn1 kx509_asn1 || (rm -f kx509_asn1_files ; exit 1)
 
+test_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/test.asn1
+	$(ASN1_COMPILE) --template --sequence=TESTSeqOf $(srcdir)/test.asn1 test_template_asn1 || (rm -f test_template_asn1_files ; exit 1)
+
 test_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/test.asn1
 	$(ASN1_COMPILE) --one-code-file --sequence=TESTSeqOf $(srcdir)/test.asn1 test_asn1 || (rm -f test_asn1_files ; exit 1)
 
 
 EXTRA_DIST =		\
 	NTMakefile	\
+	README.template \
 	asn1_compile-version.rc \
 	libasn1-exports.def \
 	cms.asn1	\
@@ -247,8 +263,19 @@ EXTRA_DIST =		\
 	test.gen	\
 	version-script.map
 
-$(srcdir)/der-protos.h:
+DER_PROTOS = $(srcdir)/der-protos.h $(srcdir)/der-private.h
+
+ALL_OBJECTS  = $(libasn1_la_OBJECTS)
+ALL_OBJECTS += $(libasn1base_la_OBJECTS)
+ALL_OBJECTS += $(asn1_print_OBJECTS)
+ALL_OBJECTS += $(asn1_compile_OBJECTS)
+ALL_OBJECTS += $(asn1_gen_OBJECTS)
+ALL_OBJECTS += $(check_template_OBJECTS)
+
+$(ALL_OBJECTS): $(DER_PROTOS) asn1_err.h
+
+$(srcdir)/der-protos.h: $(dist_libasn1base_la_SOURCES)
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o der-protos.h $(dist_libasn1base_la_SOURCES) || rm -f der-protos.h
 
-$(srcdir)/der-private.h:
+$(srcdir)/der-private.h: $(dist_libasn1base_la_SOURCES)
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p der-private.h $(dist_libasn1base_la_SOURCES) || rm -f der-private.h
diff --git a/lib/asn1/Makefile.in b/lib/asn1/Makefile.in
index ab377b3090f2..6ab1aa514233 100644
--- a/lib/asn1/Makefile.in
+++ b/lib/asn1/Makefile.in
@@ -1,9 +1,8 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
-# Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
+
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -24,6 +23,61 @@
 
 
 VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -42,10 +96,6 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-DIST_COMMON = $(dist_include_HEADERS) $(srcdir)/Makefile.am \
-	$(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
-	$(top_srcdir)/cf/Makefile.am.common ChangeLog asn1parse.c \
-	asn1parse.h lex.c
 @versionscript_TRUE@am__append_1 = $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
 noinst_PROGRAMS = asn1_gen$(EXEEXT)
 libexec_heimdal_PROGRAMS = asn1_compile$(EXEEXT) asn1_print$(EXEEXT)
@@ -67,8 +117,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/check-man.m4 \
 	$(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
 	$(top_srcdir)/cf/check-type-extra.m4 \
-	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
-	$(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+	$(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/crypto.m4 \
 	$(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
 	$(top_srcdir)/cf/dispatch.m4 $(top_srcdir)/cf/dlopen.m4 \
 	$(top_srcdir)/cf/find-func-no-libs.m4 \
@@ -81,6 +130,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/cf/krb-bigendian.m4 \
 	$(top_srcdir)/cf/krb-func-getlogin.m4 \
 	$(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+	$(top_srcdir)/cf/krb-prog-perl.m4 \
 	$(top_srcdir)/cf/krb-readline.m4 \
 	$(top_srcdir)/cf/krb-struct-spwd.m4 \
 	$(top_srcdir)/cf/krb-struct-winsize.m4 \
@@ -100,6 +150,8 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
 	$(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_include_HEADERS) \
+	$(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/include/config.h
 CONFIG_CLEAN_FILES =
@@ -125,6 +177,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
 am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
 am__installdirs = "$(DESTDIR)$(libdir)" \
 	"$(DESTDIR)$(libexec_heimdaldir)" "$(DESTDIR)$(includedir)" \
 	"$(DESTDIR)$(includedir)"
@@ -145,13 +203,17 @@ am__objects_10 = $(am__objects_1) $(am__objects_2) $(am__objects_3) \
 	$(am__objects_7) $(am__objects_8) $(am__objects_9)
 nodist_libasn1_la_OBJECTS = $(am__objects_10)
 libasn1_la_OBJECTS = $(nodist_libasn1_la_OBJECTS)
-libasn1_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libasn1_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 	$(libasn1_la_LDFLAGS) $(LDFLAGS) -o $@
 libasn1base_la_LIBADD =
 dist_libasn1base_la_OBJECTS = der.lo der_get.lo der_put.lo der_free.lo \
-	der_length.lo der_copy.lo der_cmp.lo der_format.lo extra.lo \
-	template.lo timegm.lo
+	der_length.lo der_copy.lo der_cmp.lo der_format.lo fuzzer.lo \
+	extra.lo template.lo timegm.lo
 nodist_libasn1base_la_OBJECTS = asn1_err.lo
 libasn1base_la_OBJECTS = $(dist_libasn1base_la_OBJECTS) \
 	$(nodist_libasn1base_la_OBJECTS)
@@ -189,34 +251,66 @@ check_gen_OBJECTS = $(dist_check_gen_OBJECTS) \
 check_gen_DEPENDENCIES = libasn1.la $(am__DEPENDENCIES_1)
 am_check_template_OBJECTS = check-template.$(OBJEXT) \
 	check-common.$(OBJEXT)
-nodist_check_template_OBJECTS = $(am__objects_11)
+am__objects_12 = test_template_asn1-template.$(OBJEXT)
+nodist_check_template_OBJECTS = $(am__objects_12)
 check_template_OBJECTS = $(am_check_template_OBJECTS) \
 	$(nodist_check_template_OBJECTS)
 check_template_DEPENDENCIES = $(am__DEPENDENCIES_2)
 check_timegm_SOURCES = check-timegm.c
 check_timegm_OBJECTS = check-timegm.$(OBJEXT)
 check_timegm_DEPENDENCIES = $(am__DEPENDENCIES_2)
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 am__mv = mv -f
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
-	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
-	$(LDFLAGS) -o $@
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
 @MAINTAINER_MODE_FALSE@am__skiplex = test -f $@ ||
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
+LEXCOMPILE = $(LEX) $(AM_LFLAGS) $(LFLAGS)
+LTLEXCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(LEX) $(AM_LFLAGS) $(LFLAGS)
+AM_V_LEX = $(am__v_LEX_@AM_V@)
+am__v_LEX_ = $(am__v_LEX_@AM_DEFAULT_V@)
+am__v_LEX_0 = @echo "  LEX     " $@;
+am__v_LEX_1 = 
 YLWRAP = $(top_srcdir)/ylwrap
 @MAINTAINER_MODE_FALSE@am__skipyacc = test -f $@ ||
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
-	--mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
+am__yacc_c2h = sed -e s/cc$$/hh/ -e s/cpp$$/hpp/ -e s/cxx$$/hxx/ \
+		   -e s/c++$$/h++/ -e s/c$$/h/
+YACCCOMPILE = $(YACC) $(AM_YFLAGS) $(YFLAGS)
+LTYACCCOMPILE = $(LIBTOOL) $(AM_V_lt) $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(YACC) $(AM_YFLAGS) $(YFLAGS)
+AM_V_YACC = $(am__v_YACC_@AM_V@)
+am__v_YACC_ = $(am__v_YACC_@AM_DEFAULT_V@)
+am__v_YACC_0 = @echo "  YACC    " $@;
+am__v_YACC_1 = 
 SOURCES = $(nodist_libasn1_la_SOURCES) $(dist_libasn1base_la_SOURCES) \
 	$(nodist_libasn1base_la_SOURCES) $(asn1_compile_SOURCES) \
 	$(asn1_gen_SOURCES) $(asn1_print_SOURCES) check-ber.c \
@@ -227,16 +321,220 @@ DIST_SOURCES = $(dist_libasn1base_la_SOURCES) $(asn1_compile_SOURCES) \
 	$(asn1_gen_SOURCES) $(asn1_print_SOURCES) check-ber.c \
 	$(check_der_SOURCES) $(dist_check_gen_SOURCES) \
 	$(check_template_SOURCES) check-timegm.c
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
 HEADERS = $(dist_include_HEADERS) $(nodist_include_HEADERS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-am__tty_colors = \
-red=; grn=; lgn=; blu=; std=
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red=''; \
+    grn=''; \
+    lgn=''; \
+    blu=''; \
+    mgn=''; \
+    brg=''; \
+    std=''; \
+  fi; \
+}
+am__recheck_rx = ^[ 	]*:recheck:[ 	]*
+am__global_test_result_rx = ^[ 	]*:global-test-result:[ 	]*
+am__copy_in_global_log_rx = ^[ 	]*:copy-in-global-log:[ 	]*
+# A command that, given a newline-separated list of test names on the
+# standard input, print the name of the tests that are to be re-run
+# upon "make recheck".
+am__list_recheck_tests = $(AWK) '{ \
+  recheck = 1; \
+  while ((rc = (getline line < ($$0 ".trs"))) != 0) \
+    { \
+      if (rc < 0) \
+        { \
+          if ((getline line2 < ($$0 ".log")) < 0) \
+	    recheck = 0; \
+          break; \
+        } \
+      else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \
+        { \
+          recheck = 0; \
+          break; \
+        } \
+      else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \
+        { \
+          break; \
+        } \
+    }; \
+  if (recheck) \
+    print $$0; \
+  close ($$0 ".trs"); \
+  close ($$0 ".log"); \
+}'
+# A command that, given a newline-separated list of test names on the
+# standard input, create the global log from their .trs and .log files.
+am__create_global_log = $(AWK) ' \
+function fatal(msg) \
+{ \
+  print "fatal: making $@: " msg | "cat >&2"; \
+  exit 1; \
+} \
+function rst_section(header) \
+{ \
+  print header; \
+  len = length(header); \
+  for (i = 1; i <= len; i = i + 1) \
+    printf "="; \
+  printf "\n\n"; \
+} \
+{ \
+  copy_in_global_log = 1; \
+  global_test_result = "RUN"; \
+  while ((rc = (getline line < ($$0 ".trs"))) != 0) \
+    { \
+      if (rc < 0) \
+         fatal("failed to read from " $$0 ".trs"); \
+      if (line ~ /$(am__global_test_result_rx)/) \
+        { \
+          sub("$(am__global_test_result_rx)", "", line); \
+          sub("[ 	]*$$", "", line); \
+          global_test_result = line; \
+        } \
+      else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \
+        copy_in_global_log = 0; \
+    }; \
+  if (copy_in_global_log) \
+    { \
+      rst_section(global_test_result ": " $$0); \
+      while ((rc = (getline line < ($$0 ".log"))) != 0) \
+      { \
+        if (rc < 0) \
+          fatal("failed to read from " $$0 ".log"); \
+        print line; \
+      }; \
+      printf "\n"; \
+    }; \
+  close ($$0 ".trs"); \
+  close ($$0 ".log"); \
+}'
+# Restructured Text title.
+am__rst_title = { sed 's/.*/   &   /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; }
+# Solaris 10 'make', and several other traditional 'make' implementations,
+# pass "-e" to $(SHELL), and POSIX 2008 even requires this.  Work around it
+# by disabling -e (using the XSI extension "set +e") if it's set.
+am__sh_e_setup = case $$- in *e*) set +e;; esac
+# Default flags passed to test drivers.
+am__common_driver_flags = \
+  --color-tests "$$am__color_tests" \
+  --enable-hard-errors "$$am__enable_hard_errors" \
+  --expect-failure "$$am__expect_failure"
+# To be inserted before the command running the test.  Creates the
+# directory for the log if needed.  Stores in $dir the directory
+# containing $f, in $tst the test, in $log the log.  Executes the
+# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and
+# passes TESTS_ENVIRONMENT.  Set up options for the wrapper that
+# will run the test scripts (or their associated LOG_COMPILER, if
+# thy have one).
+am__check_pre = \
+$(am__sh_e_setup);					\
+$(am__vpath_adj_setup) $(am__vpath_adj)			\
+$(am__tty_colors);					\
+srcdir=$(srcdir); export srcdir;			\
+case "$@" in						\
+  */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;;	\
+    *) am__odir=.;; 					\
+esac;							\
+test "x$$am__odir" = x"." || test -d "$$am__odir" 	\
+  || $(MKDIR_P) "$$am__odir" || exit $$?;		\
+if test -f "./$$f"; then dir=./;			\
+elif test -f "$$f"; then dir=;				\
+else dir="$(srcdir)/"; fi;				\
+tst=$$dir$$f; log='$@'; 				\
+if test -n '$(DISABLE_HARD_ERRORS)'; then		\
+  am__enable_hard_errors=no; 				\
+else							\
+  am__enable_hard_errors=yes; 				\
+fi; 							\
+case " $(XFAIL_TESTS) " in				\
+  *[\ \	]$$f[\ \	]* | *[\ \	]$$dir$$f[\ \	]*) \
+    am__expect_failure=yes;;				\
+  *)							\
+    am__expect_failure=no;;				\
+esac; 							\
+$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT)
+# A shell command to get the names of the tests scripts with any registered
+# extension removed (i.e., equivalently, the names of the test logs, with
+# the '.log' extension removed).  The result is saved in the shell variable
+# '$bases'.  This honors runtime overriding of TESTS and TEST_LOGS.  Sadly,
+# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)",
+# since that might cause problem with VPATH rewrites for suffix-less tests.
+# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'.
+am__set_TESTS_bases = \
+  bases='$(TEST_LOGS)'; \
+  bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
+  bases=`echo $$bases`
+RECHECK_LOGS = $(TEST_LOGS)
+AM_RECURSIVE_TARGETS = check recheck
+TEST_SUITE_LOG = test-suite.log
+TEST_EXTENSIONS = @EXEEXT@ .test
+LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
+LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS)
+am__set_b = \
+  case '$@' in \
+    */*) \
+      case '$*' in \
+        */*) b='$*';; \
+          *) b=`echo '$@' | sed 's/\.log$$//'`; \
+       esac;; \
+    *) \
+      b='$*';; \
+  esac
+am__test_logs1 = $(TESTS:=.log)
+am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log)
+TEST_LOGS = $(am__test_logs2:.test.log=.log)
+TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/test-driver
+TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
+	$(TEST_LOG_FLAGS)
+am__DIST_COMMON = $(srcdir)/Makefile.in \
+	$(top_srcdir)/Makefile.am.common \
+	$(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/depcomp \
+	$(top_srcdir)/test-driver $(top_srcdir)/ylwrap ChangeLog \
+	asn1parse.c asn1parse.h lex.c
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
+AS = @AS@
 ASN1_COMPILE = @ASN1_COMPILE@
 ASN1_COMPILE_DEP = @ASN1_COMPILE_DEP@
 AUTOCONF = @AUTOCONF@
@@ -255,12 +553,12 @@ COMPILE_ET = @COMPILE_ET@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
+DB1LIB = @DB1LIB@
+DB3LIB = @DB3LIB@
 DBHEADER = @DBHEADER@
-DBLIB = @DBLIB@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
 DIR_com_err = @DIR_com_err@
-DIR_hcrypto = @DIR_hcrypto@
 DIR_hdbdir = @DIR_hdbdir@
 DIR_roken = @DIR_roken@
 DLLTOOL = @DLLTOOL@
@@ -270,17 +568,17 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ENABLE_AFS_STRING_TO_KEY = @ENABLE_AFS_STRING_TO_KEY@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GCD_MIG = @GCD_MIG@
 GREP = @GREP@
 GROFF = @GROFF@
 INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_hcrypto = @INCLUDE_hcrypto@
-INCLUDE_hesiod = @INCLUDE_hesiod@
-INCLUDE_krb4 = @INCLUDE_krb4@
 INCLUDE_libedit = @INCLUDE_libedit@
 INCLUDE_libintl = @INCLUDE_libintl@
 INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_openssl_crypto = @INCLUDE_openssl_crypto@
 INCLUDE_readline = @INCLUDE_readline@
 INCLUDE_sqlite3 = @INCLUDE_sqlite3@
 INSTALL = @INSTALL@
@@ -299,12 +597,9 @@ LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
-LIB_NDBM = @LIB_NDBM@
-LIB_XauFileName = @LIB_XauFileName@
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_XauWriteAuth = @LIB_XauWriteAuth@
 LIB_bswap16 = @LIB_bswap16@
 LIB_bswap32 = @LIB_bswap32@
+LIB_bswap64 = @LIB_bswap64@
 LIB_com_err = @LIB_com_err@
 LIB_com_err_a = @LIB_com_err_a@
 LIB_com_err_so = @LIB_com_err_so@
@@ -313,6 +608,7 @@ LIB_db_create = @LIB_db_create@
 LIB_dbm_firstkey = @LIB_dbm_firstkey@
 LIB_dbopen = @LIB_dbopen@
 LIB_dispatch_async_f = @LIB_dispatch_async_f@
+LIB_dladdr = @LIB_dladdr@
 LIB_dlopen = @LIB_dlopen@
 LIB_dn_expand = @LIB_dn_expand@
 LIB_dns_search = @LIB_dns_search@
@@ -329,10 +625,8 @@ LIB_hcrypto = @LIB_hcrypto@
 LIB_hcrypto_a = @LIB_hcrypto_a@
 LIB_hcrypto_appl = @LIB_hcrypto_appl@
 LIB_hcrypto_so = @LIB_hcrypto_so@
-LIB_hesiod = @LIB_hesiod@
 LIB_hstrerror = @LIB_hstrerror@
 LIB_kdb = @LIB_kdb@
-LIB_krb4 = @LIB_krb4@
 LIB_libedit = @LIB_libedit@
 LIB_libintl = @LIB_libintl@
 LIB_loadquery = @LIB_loadquery@
@@ -340,6 +634,7 @@ LIB_logout = @LIB_logout@
 LIB_logwtmp = @LIB_logwtmp@
 LIB_openldap = @LIB_openldap@
 LIB_openpty = @LIB_openpty@
+LIB_openssl_crypto = @LIB_openssl_crypto@
 LIB_otp = @LIB_otp@
 LIB_pidfile = @LIB_pidfile@
 LIB_readline = @LIB_readline@
@@ -354,12 +649,15 @@ LIB_sqlite3 = @LIB_sqlite3@
 LIB_syslog = @LIB_syslog@
 LIB_tgetent = @LIB_tgetent@
 LIPO = @LIPO@
+LMDBLIB = @LMDBLIB@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
 MKDIR_P = @MKDIR_P@
+NDBMLIB = @NDBMLIB@
 NM = @NM@
 NMEDIT = @NMEDIT@
 NO_AFS = @NO_AFS@
@@ -376,6 +674,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
 PTHREAD_LDADD = @PTHREAD_LDADD@
@@ -390,13 +689,7 @@ STRIP = @STRIP@
 VERSION = @VERSION@
 VERSIONING = @VERSIONING@
 WFLAGS = @WFLAGS@
-WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
-WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
-XMKMF = @XMKMF@
-X_CFLAGS = @X_CFLAGS@
-X_EXTRA_LIBS = @X_EXTRA_LIBS@
-X_LIBS = @X_LIBS@
-X_PRE_LIBS = @X_PRE_LIBS@
+WFLAGS_LITE = @WFLAGS_LITE@
 YACC = @YACC@
 YFLAGS = -d -t
 abs_builddir = @abs_builddir@
@@ -420,6 +713,8 @@ build_vendor = @build_vendor@
 builddir = @builddir@
 datadir = @datadir@
 datarootdir = @datarootdir@
+db_type = @db_type@
+db_type_preference = @db_type_preference@
 docdir = @docdir@
 dpagaix_cflags = @dpagaix_cflags@
 dpagaix_ldadd = @dpagaix_ldadd@
@@ -455,29 +750,37 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
-SUFFIXES = .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
+SUFFIXES = .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 \
+	.cat5 .cat7 .cat8
 DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)/include -I$(top_srcdir)/include
-AM_CPPFLAGS = $(INCLUDES_roken)
+AM_CPPFLAGS = $(INCLUDES_roken) $(ROKEN_RENAME)
 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
 AM_CFLAGS = $(WFLAGS)
 CP = cp
 buildinclude = $(top_builddir)/include
+LIB_XauReadAuth = @LIB_XauReadAuth@
 LIB_el_init = @LIB_el_init@
 LIB_getattr = @LIB_getattr@
 LIB_getpwent_r = @LIB_getpwent_r@
 LIB_odm_initialize = @LIB_odm_initialize@
 LIB_setpcred = @LIB_setpcred@
-HESIODLIB = @HESIODLIB@
-HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
 libexec_heimdaldir = $(libexecdir)/heimdal
 NROFF_MAN = groff -mandoc -Tascii
-LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@NO_AFS_FALSE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@NO_AFS_TRUE@LIB_kafs = 
 @KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 
 @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
-LIB_heimbase = $(top_builddir)/base/libheimbase.la
+LIB_heimbase = $(top_builddir)/lib/base/libheimbase.la
 @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
+
+#silent-rules
+heim_verbose = $(heim_verbose_$(V))
+heim_verbose_ = $(heim_verbose_$(AM_DEFAULT_VERBOSITY))
+heim_verbose_0 = @echo "  GEN    "$@;
 lib_LTLIBRARIES = libasn1.la
 libasn1_la_LDFLAGS = -version-info 8:0:0 $(am__append_1)
 noinst_LTLIBRARIES = libasn1base.la
@@ -504,6 +807,7 @@ gen_files_pkinit = asn1_pkinit_asn1.x
 gen_files_pkcs12 = asn1_pkcs12_asn1.x
 gen_files_pkcs8 = asn1_pkcs8_asn1.x
 gen_files_pkcs9 = asn1_pkcs9_asn1.x
+gen_files_test_template = test_template_asn1-template.x
 gen_files_test = asn1_test_asn1.x
 gen_files_digest = asn1_digest_asn1.x
 gen_files_kx509 = asn1_kx509_asn1.x
@@ -511,7 +815,7 @@ asn1_gen_SOURCES = asn1_gen.c
 asn1_print_SOURCES = asn1_print.c
 check_der_SOURCES = check-der.c check-common.c check-common.h
 check_template_SOURCES = check-template.c check-common.c check-common.h
-nodist_check_template_SOURCES = $(gen_files_test:.x=.c)
+nodist_check_template_SOURCES = $(gen_files_test_template)
 dist_check_gen_SOURCES = check-gen.c check-common.c check-common.h
 nodist_check_gen_SOURCES = $(gen_files_test:.x=.c)
 build_HEADERZ = asn1-template.h
@@ -549,8 +853,10 @@ dist_libasn1base_la_SOURCES = \
 	der_copy.c				\
 	der_cmp.c				\
 	der_format.c				\
+	fuzzer.c				\
 	heim_asn1.h				\
 	extra.c					\
+	roken_rename.h				\
 	template.c				\
 	timegm.c
 
@@ -586,7 +892,9 @@ CLEANFILES = \
 	$(gen_files_pkcs12) \
 	$(gen_files_digest) \
 	$(gen_files_kx509) \
-	$(gen_files_test) $(nodist_check_gen_SOURCES) \
+	$(gen_files_test) \
+	$(gen_files_test_template) \
+	$(nodist_check_gen_SOURCES) \
 	asn1_err.c asn1_err.h \
 	rfc2459_asn1_files rfc2459_asn1*.h* \
 	cms_asn1_files cms_asn1*.h* \
@@ -597,19 +905,23 @@ CLEANFILES = \
 	pkcs12_asn1_files pkcs12_asn1*.h* \
 	digest_asn1_files digest_asn1*.h* \
 	kx509_asn1_files kx509_asn1*.h* \
-	test_asn1_files test_asn1*.h*
+	test_asn1_files test_asn1*.h* \
+	test_template_asn1* \
+	asn1_*.x
 
-dist_include_HEADERS = der.h heim_asn1.h der-protos.h der-private.h \
-	asn1-common.h
+dist_include_HEADERS = der.h heim_asn1.h $(srcdir)/der-protos.h \
+	$(srcdir)/der-private.h asn1-common.h
 nodist_include_HEADERS = asn1_err.h krb5_asn1.h pkinit_asn1.h \
 	cms_asn1.h rfc2459_asn1.h pkcs8_asn1.h pkcs9_asn1.h \
 	pkcs12_asn1.h digest_asn1.h kx509_asn1.h
 priv_headers = krb5_asn1-priv.h pkinit_asn1-priv.h cms_asn1-priv.h \
 	rfc2459_asn1-priv.h pkcs8_asn1-priv.h pkcs9_asn1-priv.h \
 	pkcs12_asn1-priv.h digest_asn1-priv.h kx509_asn1-priv.h \
-	test_asn1.h test_asn1-priv.h
+	test_template_asn1.h test_template_asn1-priv.h test_asn1.h \
+	test_asn1-priv.h
 EXTRA_DIST = \
 	NTMakefile	\
+	README.template \
 	asn1_compile-version.rc \
 	libasn1-exports.def \
 	cms.asn1	\
@@ -630,11 +942,15 @@ EXTRA_DIST = \
 	test.gen	\
 	version-script.map
 
+DER_PROTOS = $(srcdir)/der-protos.h $(srcdir)/der-private.h
+ALL_OBJECTS = $(libasn1_la_OBJECTS) $(libasn1base_la_OBJECTS) \
+	$(asn1_print_OBJECTS) $(asn1_compile_OBJECTS) \
+	$(asn1_gen_OBJECTS) $(check_template_OBJECTS)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
 .SUFFIXES:
-.SUFFIXES: .et .h .x .z .hx .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .l .lo .o .obj .y
+.SUFFIXES: .et .h .pc.in .pc .x .z .hx .1 .3 .5 .7 .8 .cat1 .cat3 .cat5 .cat7 .cat8 .c .l .lo .log .o .obj .test .test$(EXEEXT) .trs .y
 $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
 	@for dep in $?; do \
 	  case '$(am__configure_deps)' in \
@@ -647,7 +963,6 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/asn1/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign lib/asn1/Makefile
-.PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -656,6 +971,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
 	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
 	esac;
+$(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__empty):
 
 $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
@@ -665,9 +981,9 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
 $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 $(am__aclocal_m4_deps):
+
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \
 	list2=; for p in $$list; do \
 	  if test -f $$p; then \
@@ -675,6 +991,8 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	  else :; fi; \
 	done; \
 	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \
 	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \
 	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \
 	}
@@ -690,25 +1008,31 @@ uninstall-libLTLIBRARIES:
 
 clean-libLTLIBRARIES:
 	-test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
-	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
+	@list='$(lib_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
 
 clean-noinstLTLIBRARIES:
 	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
-	@list='$(noinst_LTLIBRARIES)'; for p in $$list; do \
-	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
-	  test "$$dir" != "$$p" || dir=.; \
-	  echo "rm -f \"$${dir}/so_locations\""; \
-	  rm -f "$${dir}/so_locations"; \
-	done
-libasn1.la: $(libasn1_la_OBJECTS) $(libasn1_la_DEPENDENCIES) 
-	$(libasn1_la_LINK) -rpath $(libdir) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS)
-libasn1base.la: $(libasn1base_la_OBJECTS) $(libasn1base_la_DEPENDENCIES) 
-	$(LINK)  $(libasn1base_la_OBJECTS) $(libasn1base_la_LIBADD) $(LIBS)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libasn1.la: $(libasn1_la_OBJECTS) $(libasn1_la_DEPENDENCIES) $(EXTRA_libasn1_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libasn1_la_LINK) -rpath $(libdir) $(libasn1_la_OBJECTS) $(libasn1_la_LIBADD) $(LIBS)
+
+libasn1base.la: $(libasn1base_la_OBJECTS) $(libasn1base_la_DEPENDENCIES) $(EXTRA_libasn1base_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(libasn1base_la_OBJECTS) $(libasn1base_la_LIBADD) $(LIBS)
 
 clean-checkPROGRAMS:
 	@list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
@@ -720,14 +1044,19 @@ clean-checkPROGRAMS:
 	rm -f $$list
 install-libexec_heimdalPROGRAMS: $(libexec_heimdal_PROGRAMS)
 	@$(NORMAL_INSTALL)
-	test -z "$(libexec_heimdaldir)" || $(MKDIR_P) "$(DESTDIR)$(libexec_heimdaldir)"
 	@list='$(libexec_heimdal_PROGRAMS)'; test -n "$(libexec_heimdaldir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(libexec_heimdaldir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(libexec_heimdaldir)" || exit 1; \
+	fi; \
 	for p in $$list; do echo "$$p $$p"; done | \
 	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p || test -f $$p1; \
-	  then echo "$$p"; echo "$$p"; else :; fi; \
+	while read p p1; do if test -f $$p \
+	 || test -f $$p1 \
+	  ; then echo "$$p"; echo "$$p"; else :; fi; \
 	done | \
-	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \
+	sed -e 'p;s,.*/,,;n;h' \
+	    -e 's|.*|.|' \
 	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
 	sed 'N;N;N;s,\n, ,g' | \
 	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
@@ -748,7 +1077,8 @@ uninstall-libexec_heimdalPROGRAMS:
 	@list='$(libexec_heimdal_PROGRAMS)'; test -n "$(libexec_heimdaldir)" || list=; \
 	files=`for p in $$list; do echo "$$p"; done | \
 	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' `; \
+	      -e 's/$$/$(EXEEXT)/' \
+	`; \
 	test -n "$$list" || exit 0; \
 	echo " ( cd '$(DESTDIR)$(libexec_heimdaldir)' && rm -f" $$files ")"; \
 	cd "$(DESTDIR)$(libexec_heimdaldir)" && rm -f $$files
@@ -770,30 +1100,38 @@ clean-noinstPROGRAMS:
 	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
 	echo " rm -f" $$list; \
 	rm -f $$list
-asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES) 
+
+asn1_compile$(EXEEXT): $(asn1_compile_OBJECTS) $(asn1_compile_DEPENDENCIES) $(EXTRA_asn1_compile_DEPENDENCIES) 
 	@rm -f asn1_compile$(EXEEXT)
-	$(LINK) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS)
-asn1_gen$(EXEEXT): $(asn1_gen_OBJECTS) $(asn1_gen_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(asn1_compile_OBJECTS) $(asn1_compile_LDADD) $(LIBS)
+
+asn1_gen$(EXEEXT): $(asn1_gen_OBJECTS) $(asn1_gen_DEPENDENCIES) $(EXTRA_asn1_gen_DEPENDENCIES) 
 	@rm -f asn1_gen$(EXEEXT)
-	$(LINK) $(asn1_gen_OBJECTS) $(asn1_gen_LDADD) $(LIBS)
-asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(asn1_gen_OBJECTS) $(asn1_gen_LDADD) $(LIBS)
+
+asn1_print$(EXEEXT): $(asn1_print_OBJECTS) $(asn1_print_DEPENDENCIES) $(EXTRA_asn1_print_DEPENDENCIES) 
 	@rm -f asn1_print$(EXEEXT)
-	$(LINK) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS)
-check-ber$(EXEEXT): $(check_ber_OBJECTS) $(check_ber_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(asn1_print_OBJECTS) $(asn1_print_LDADD) $(LIBS)
+
+check-ber$(EXEEXT): $(check_ber_OBJECTS) $(check_ber_DEPENDENCIES) $(EXTRA_check_ber_DEPENDENCIES) 
 	@rm -f check-ber$(EXEEXT)
-	$(LINK) $(check_ber_OBJECTS) $(check_ber_LDADD) $(LIBS)
-check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(check_ber_OBJECTS) $(check_ber_LDADD) $(LIBS)
+
+check-der$(EXEEXT): $(check_der_OBJECTS) $(check_der_DEPENDENCIES) $(EXTRA_check_der_DEPENDENCIES) 
 	@rm -f check-der$(EXEEXT)
-	$(LINK) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
-check-gen$(EXEEXT): $(check_gen_OBJECTS) $(check_gen_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(check_der_OBJECTS) $(check_der_LDADD) $(LIBS)
+
+check-gen$(EXEEXT): $(check_gen_OBJECTS) $(check_gen_DEPENDENCIES) $(EXTRA_check_gen_DEPENDENCIES) 
 	@rm -f check-gen$(EXEEXT)
-	$(LINK) $(check_gen_OBJECTS) $(check_gen_LDADD) $(LIBS)
-check-template$(EXEEXT): $(check_template_OBJECTS) $(check_template_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(check_gen_OBJECTS) $(check_gen_LDADD) $(LIBS)
+
+check-template$(EXEEXT): $(check_template_OBJECTS) $(check_template_DEPENDENCIES) $(EXTRA_check_template_DEPENDENCIES) 
 	@rm -f check-template$(EXEEXT)
-	$(LINK) $(check_template_OBJECTS) $(check_template_LDADD) $(LIBS)
-check-timegm$(EXEEXT): $(check_timegm_OBJECTS) $(check_timegm_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK) $(check_template_OBJECTS) $(check_template_LDADD) $(LIBS)
+
+check-timegm$(EXEEXT): $(check_timegm_OBJECTS) $(check_timegm_DEPENDENCIES) $(EXTRA_check_timegm_DEPENDENCIES) 
 	@rm -f check-timegm$(EXEEXT)
-	$(LINK) $(check_timegm_OBJECTS) $(check_timegm_LDADD) $(LIBS)
+	$(AM_V_CCLD)$(LINK) $(check_timegm_OBJECTS) $(check_timegm_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -830,6 +1168,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/der_length.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/der_put.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/extra.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fuzzer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_copy.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_decode.Po@am__quote@
@@ -844,34 +1183,35 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/main.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/symbol.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/template.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_template_asn1-template.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timegm.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
 
 .l.c:
-	$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
+	$(AM_V_LEX)$(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
 
 .y.c:
-	$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
+	$(AM_V_YACC)$(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h `echo $@ | $(am__yacc_c2h)` y.output $*.output -- $(YACCCOMPILE)
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -880,8 +1220,11 @@ clean-libtool:
 	-rm -rf .libs _libs
 install-dist_includeHEADERS: $(dist_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -895,13 +1238,14 @@ uninstall-dist_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(dist_include_HEADERS)'; test -n "$(includedir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(includedir)" && rm -f $$files
+	dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
 install-nodist_includeHEADERS: $(nodist_include_HEADERS)
 	@$(NORMAL_INSTALL)
-	test -z "$(includedir)" || $(MKDIR_P) "$(DESTDIR)$(includedir)"
 	@list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \
+	fi; \
 	for p in $$list; do \
 	  if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
 	  echo "$$d$$p"; \
@@ -915,30 +1259,17 @@ uninstall-nodist_includeHEADERS:
 	@$(NORMAL_UNINSTALL)
 	@list='$(nodist_include_HEADERS)'; test -n "$(includedir)" || list=; \
 	files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
-	test -n "$$files" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(includedir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(includedir)" && rm -f $$files
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
-	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
-	mkid -fID $$unique
-tags: TAGS
-
-TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
+	dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir)
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	set x; \
 	here=`pwd`; \
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	$(am__define_uniq_tagged_files); \
 	shift; \
 	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
@@ -950,15 +1281,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	      $$unique; \
 	  fi; \
 	fi
-ctags: CTAGS
-CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
-		$(TAGS_FILES) $(LISP)
-	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
-	unique=`for i in $$list; do \
-	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-	  done | \
-	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
-	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
 	test -z "$(CTAGS_ARGS)$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
 	     $$unique
@@ -967,101 +1294,215 @@ GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
 	  && $(am__cd) $(top_srcdir) \
 	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
 
 distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
-check-TESTS: $(TESTS)
-	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
-	srcdir=$(srcdir); export srcdir; \
-	list=' $(TESTS) '; \
-	$(am__tty_colors); \
-	if test -n "$$list"; then \
-	  for tst in $$list; do \
-	    if test -f ./$$tst; then dir=./; \
-	    elif test -f $$tst; then dir=; \
-	    else dir="$(srcdir)/"; fi; \
-	    if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
-	      all=`expr $$all + 1`; \
-	      case " $(XFAIL_TESTS) " in \
-	      *[\ \	]$$tst[\ \	]*) \
-		xpass=`expr $$xpass + 1`; \
-		failed=`expr $$failed + 1`; \
-		col=$$red; res=XPASS; \
-	      ;; \
-	      *) \
-		col=$$grn; res=PASS; \
-	      ;; \
-	      esac; \
-	    elif test $$? -ne 77; then \
-	      all=`expr $$all + 1`; \
-	      case " $(XFAIL_TESTS) " in \
-	      *[\ \	]$$tst[\ \	]*) \
-		xfail=`expr $$xfail + 1`; \
-		col=$$lgn; res=XFAIL; \
-	      ;; \
-	      *) \
-		failed=`expr $$failed + 1`; \
-		col=$$red; res=FAIL; \
-	      ;; \
-	      esac; \
-	    else \
-	      skip=`expr $$skip + 1`; \
-	      col=$$blu; res=SKIP; \
-	    fi; \
-	    echo "$${col}$$res$${std}: $$tst"; \
-	  done; \
-	  if test "$$all" -eq 1; then \
-	    tests="test"; \
-	    All=""; \
-	  else \
-	    tests="tests"; \
-	    All="All "; \
+# Recover from deleted '.trs' file; this should ensure that
+# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create
+# both 'foo.log' and 'foo.trs'.  Break the recipe in two subshells
+# to avoid problems with "make -n".
+.log.trs:
+	rm -f $< $@
+	$(MAKE) $(AM_MAKEFLAGS) $<
+
+# Leading 'am--fnord' is there to ensure the list of targets does not
+# expand to empty, as could happen e.g. with make check TESTS=''.
+am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck)
+am--force-recheck:
+	@:
+
+$(TEST_SUITE_LOG): $(TEST_LOGS)
+	@$(am__set_TESTS_bases); \
+	am__f_ok () { test -f "$$1" && test -r "$$1"; }; \
+	redo_bases=`for i in $$bases; do \
+	              am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \
+	            done`; \
+	if test -n "$$redo_bases"; then \
+	  redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \
+	  redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \
+	  if $(am__make_dryrun); then :; else \
+	    rm -f $$redo_logs && rm -f $$redo_results || exit 1; \
 	  fi; \
-	  if test "$$failed" -eq 0; then \
-	    if test "$$xfail" -eq 0; then \
-	      banner="$$All$$all $$tests passed"; \
-	    else \
-	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
-	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
-	    fi; \
-	  else \
-	    if test "$$xpass" -eq 0; then \
-	      banner="$$failed of $$all $$tests failed"; \
+	fi; \
+	if test -n "$$am__remaking_logs"; then \
+	  echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \
+	       "recursion detected" >&2; \
+	elif test -n "$$redo_logs"; then \
+	  am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \
+	fi; \
+	if $(am__make_dryrun); then :; else \
+	  st=0;  \
+	  errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \
+	  for i in $$redo_bases; do \
+	    test -f $$i.trs && test -r $$i.trs \
+	      || { echo "$$errmsg $$i.trs" >&2; st=1; }; \
+	    test -f $$i.log && test -r $$i.log \
+	      || { echo "$$errmsg $$i.log" >&2; st=1; }; \
+	  done; \
+	  test $$st -eq 0 || exit 1; \
+	fi
+	@$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \
+	ws='[ 	]'; \
+	results=`for b in $$bases; do echo $$b.trs; done`; \
+	test -n "$$results" || results=/dev/null; \
+	all=`  grep "^$$ws*:test-result:"           $$results | wc -l`; \
+	pass=` grep "^$$ws*:test-result:$$ws*PASS"  $$results | wc -l`; \
+	fail=` grep "^$$ws*:test-result:$$ws*FAIL"  $$results | wc -l`; \
+	skip=` grep "^$$ws*:test-result:$$ws*SKIP"  $$results | wc -l`; \
+	xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \
+	xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \
+	error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \
+	if test `expr $$fail + $$xpass + $$error` -eq 0; then \
+	  success=true; \
+	else \
+	  success=false; \
+	fi; \
+	br='==================='; br=$$br$$br$$br$$br; \
+	result_count () \
+	{ \
+	    if test x"$$1" = x"--maybe-color"; then \
+	      maybe_colorize=yes; \
+	    elif test x"$$1" = x"--no-color"; then \
+	      maybe_colorize=no; \
 	    else \
-	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
-	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	      echo "$@: invalid 'result_count' usage" >&2; exit 4; \
 	    fi; \
-	  fi; \
-	  dashes="$$banner"; \
-	  skipped=""; \
-	  if test "$$skip" -ne 0; then \
-	    if test "$$skip" -eq 1; then \
-	      skipped="($$skip test was not run)"; \
+	    shift; \
+	    desc=$$1 count=$$2; \
+	    if test $$maybe_colorize = yes && test $$count -gt 0; then \
+	      color_start=$$3 color_end=$$std; \
 	    else \
-	      skipped="($$skip tests were not run)"; \
+	      color_start= color_end=; \
 	    fi; \
-	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
-	      dashes="$$skipped"; \
-	  fi; \
-	  report=""; \
-	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
-	    report="Please report to $(PACKAGE_BUGREPORT)"; \
-	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
-	      dashes="$$report"; \
-	  fi; \
-	  dashes=`echo "$$dashes" | sed s/./=/g`; \
-	  if test "$$failed" -eq 0; then \
-	    echo "$$grn$$dashes"; \
-	  else \
-	    echo "$$red$$dashes"; \
-	  fi; \
-	  echo "$$banner"; \
-	  test -z "$$skipped" || echo "$$skipped"; \
-	  test -z "$$report" || echo "$$report"; \
-	  echo "$$dashes$$std"; \
-	  test "$$failed" -eq 0; \
-	else :; fi
+	    echo "$${color_start}# $$desc $$count$${color_end}"; \
+	}; \
+	create_testsuite_report () \
+	{ \
+	  result_count $$1 "TOTAL:" $$all   "$$brg"; \
+	  result_count $$1 "PASS: " $$pass  "$$grn"; \
+	  result_count $$1 "SKIP: " $$skip  "$$blu"; \
+	  result_count $$1 "XFAIL:" $$xfail "$$lgn"; \
+	  result_count $$1 "FAIL: " $$fail  "$$red"; \
+	  result_count $$1 "XPASS:" $$xpass "$$red"; \
+	  result_count $$1 "ERROR:" $$error "$$mgn"; \
+	}; \
+	{								\
+	  echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" |	\
+	    $(am__rst_title);						\
+	  create_testsuite_report --no-color;				\
+	  echo;								\
+	  echo ".. contents:: :depth: 2";				\
+	  echo;								\
+	  for b in $$bases; do echo $$b; done				\
+	    | $(am__create_global_log);					\
+	} >$(TEST_SUITE_LOG).tmp || exit 1;				\
+	mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG);			\
+	if $$success; then						\
+	  col="$$grn";							\
+	 else								\
+	  col="$$red";							\
+	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
+	fi;								\
+	echo "$${col}$$br$${std}"; 					\
+	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
+	echo "$${col}$$br$${std}"; 					\
+	create_testsuite_report --maybe-color;				\
+	echo "$$col$$br$$std";						\
+	if $$success; then :; else					\
+	  echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}";		\
+	  if test -n "$(PACKAGE_BUGREPORT)"; then			\
+	    echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}";	\
+	  fi;								\
+	  echo "$$col$$br$$std";					\
+	fi;								\
+	$$success || exit 1
+
+check-TESTS:
+	@list='$(RECHECK_LOGS)';           test -z "$$list" || rm -f $$list
+	@list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list
+	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
+	@set +e; $(am__set_TESTS_bases); \
+	log_list=`for i in $$bases; do echo $$i.log; done`; \
+	trs_list=`for i in $$bases; do echo $$i.trs; done`; \
+	log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \
+	$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \
+	exit $$?;
+recheck: all $(check_PROGRAMS)
+	@test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
+	@set +e; $(am__set_TESTS_bases); \
+	bases=`for i in $$bases; do echo $$i; done \
+	         | $(am__list_recheck_tests)` || exit 1; \
+	log_list=`for i in $$bases; do echo $$i.log; done`; \
+	log_list=`echo $$log_list`; \
+	$(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \
+	        am__force_recheck=am--force-recheck \
+	        TEST_LOGS="$$log_list"; \
+	exit $$?
+check-der.log: check-der$(EXEEXT)
+	@p='check-der$(EXEEXT)'; \
+	b='check-der'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+check-gen.log: check-gen$(EXEEXT)
+	@p='check-gen$(EXEEXT)'; \
+	b='check-gen'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+check-timegm.log: check-timegm$(EXEEXT)
+	@p='check-timegm$(EXEEXT)'; \
+	b='check-timegm'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+check-ber.log: check-ber$(EXEEXT)
+	@p='check-ber$(EXEEXT)'; \
+	b='check-ber'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+check-template.log: check-template$(EXEEXT)
+	@p='check-template$(EXEEXT)'; \
+	b='check-template'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+.test.log:
+	@p='$<'; \
+	$(am__set_b); \
+	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+@am__EXEEXT_TRUE@.test$(EXEEXT).log:
+@am__EXEEXT_TRUE@	@p='$<'; \
+@am__EXEEXT_TRUE@	$(am__set_b); \
+@am__EXEEXT_TRUE@	$(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \
+@am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
+@am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
+@am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
 
 distdir: $(DISTFILES)
 	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -1117,11 +1558,19 @@ install-am: all-am
 
 installcheck: installcheck-am
 install-strip:
-	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	  `test -z '$(STRIP)' || \
-	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
 mostlyclean-generic:
+	-test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS)
+	-test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs)
+	-test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG)
 
 clean-generic:
 	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
@@ -1169,10 +1618,9 @@ install-dvi: install-dvi-am
 
 install-dvi-am:
 
-install-exec-am: install-libLTLIBRARIES \
+install-exec-am: install-exec-local install-libLTLIBRARIES \
 	install-libexec_heimdalPROGRAMS
-	@$(NORMAL_INSTALL)
-	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
 install-html: install-html-am
 
 install-html-am:
@@ -1217,45 +1665,59 @@ uninstall-am: uninstall-dist_includeHEADERS uninstall-libLTLIBRARIES \
 	@$(NORMAL_INSTALL)
 	$(MAKE) $(AM_MAKEFLAGS) uninstall-hook
 .MAKE: all check check-am install install-am install-data-am \
-	install-exec-am install-strip uninstall-am
+	install-strip uninstall-am
 
-.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \
-	check-local clean clean-checkPROGRAMS clean-generic \
+.PHONY: CTAGS GTAGS TAGS all all-am all-local check check-TESTS \
+	check-am check-local clean clean-checkPROGRAMS clean-generic \
 	clean-libLTLIBRARIES clean-libexec_heimdalPROGRAMS \
 	clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \
-	ctags dist-hook distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-data-hook install-dist_includeHEADERS \
-	install-dvi install-dvi-am install-exec install-exec-am \
-	install-exec-hook install-html install-html-am install-info \
-	install-info-am install-libLTLIBRARIES \
-	install-libexec_heimdalPROGRAMS install-man \
-	install-nodist_includeHEADERS install-pdf install-pdf-am \
-	install-ps install-ps-am install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
+	cscopelist-am ctags ctags-am dist-hook distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am \
+	install-data-hook install-dist_includeHEADERS install-dvi \
+	install-dvi-am install-exec install-exec-am install-exec-local \
+	install-html install-html-am install-info install-info-am \
+	install-libLTLIBRARIES install-libexec_heimdalPROGRAMS \
+	install-man install-nodist_includeHEADERS install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-dist_includeHEADERS \
-	uninstall-hook uninstall-libLTLIBRARIES \
-	uninstall-libexec_heimdalPROGRAMS \
+	recheck tags tags-am uninstall uninstall-am \
+	uninstall-dist_includeHEADERS uninstall-hook \
+	uninstall-libLTLIBRARIES uninstall-libexec_heimdalPROGRAMS \
 	uninstall-nodist_includeHEADERS
 
+.PRECIOUS: Makefile
+
 
 install-suid-programs:
 	@foo='$(bin_SUIDS)'; \
 	for file in $$foo; do \
-	x=$(DESTDIR)$(bindir)/$$file; \
-	if chown 0:0 $$x && chmod u+s $$x; then :; else \
-	echo "*"; \
-	echo "* Failed to install $$x setuid root"; \
-	echo "*"; \
-	fi; done
+		x=$(DESTDIR)$(bindir)/$$file; \
+		if chown 0:0 $$x && chmod u+s $$x; then :; else \
+			echo "*"; \
+			echo "* Failed to install $$x setuid root"; \
+			echo "*"; \
+		fi; \
+	done
+
+install-exec-local: install-suid-programs
+
+codesign-all:
+	@if [ X"$$CODE_SIGN_IDENTITY" != X ] ; then \
+		foo='$(bin_PROGRAMS) $(sbin_PROGRAMS) $(libexec_PROGRAMS)' ; \
+		for file in $$foo ; do \
+			echo "CODESIGN $$file" ; \
+			codesign -f -s "$$CODE_SIGN_IDENTITY" $$file || exit 1 ; \
+		done ; \
+	fi
 
-install-exec-hook: install-suid-programs
+all-local: codesign-all
 
-install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS)
-	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
+install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) $(noinst_HEADERS)
+	@foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(noinst_HEADERS)'; \
 	for f in $$foo; do \
 		f=`basename $$f`; \
 		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -1263,7 +1725,7 @@ install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_incl
 		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
 		: ; else \
 			echo " $(CP) $$file $(buildinclude)/$$f"; \
-			$(CP) $$file $(buildinclude)/$$f; \
+			$(CP) $$file $(buildinclude)/$$f || true; \
 		fi ; \
 	done ; \
 	foo='$(nobase_include_HEADERS)'; \
@@ -1320,6 +1782,8 @@ check-local::
 	$(NROFF_MAN) $< > $@
 .5.cat5:
 	$(NROFF_MAN) $< > $@
+.7.cat7:
+	$(NROFF_MAN) $< > $@
 .8.cat8:
 	$(NROFF_MAN) $< > $@
 
@@ -1362,6 +1826,19 @@ dist-cat5-mans:
 		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
 	done
 
+dist-cat7-mans:
+	@foo='$(man7_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.7) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat7/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
 dist-cat8-mans:
 	@foo='$(man8_MANS)'; \
 	bar='$(man_MANS)'; \
@@ -1375,13 +1852,13 @@ dist-cat8-mans:
 		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
 	done
 
-dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat7-mans dist-cat8-mans
 
 install-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
 
 uninstall-cat-mans:
-	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man7_MANS) $(man8_MANS)
 
 install-data-hook: install-cat-mans
 uninstall-hook: uninstall-cat-mans
@@ -1431,6 +1908,7 @@ $(gen_files_kx509) kx509_asn1.hx kx509_asn1-priv.hx: kx509_asn1_files
 $(gen_files_rfc2459) rfc2459_asn1.hx rfc2459_asn1-priv.hx: rfc2459_asn1_files
 $(gen_files_cms) cms_asn1.hx cms_asn1-priv.hx: cms_asn1_files
 $(gen_files_test) test_asn1.hx test_asn1-priv.hx: test_asn1_files
+$(gen_files_test_template) test_template_asn1.hx test_template_asn1-priv.hx: test_template_asn1_files
 
 rfc2459_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc2459.asn1
 	$(ASN1_COMPILE) --one-code-file --preserve-binary=TBSCertificate --preserve-binary=TBSCRLCertList --preserve-binary=Name --sequence=GeneralNames --sequence=Extensions --sequence=CRLDistributionPoints $(srcdir)/rfc2459.asn1 rfc2459_asn1 || (rm -f rfc2459_asn1_files ; exit 1)
@@ -1459,13 +1937,18 @@ digest_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/digest.asn1
 kx509_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/kx509.asn1
 	$(ASN1_COMPILE) --one-code-file $(srcdir)/kx509.asn1 kx509_asn1 || (rm -f kx509_asn1_files ; exit 1)
 
+test_template_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/test.asn1
+	$(ASN1_COMPILE) --template --sequence=TESTSeqOf $(srcdir)/test.asn1 test_template_asn1 || (rm -f test_template_asn1_files ; exit 1)
+
 test_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/test.asn1
 	$(ASN1_COMPILE) --one-code-file --sequence=TESTSeqOf $(srcdir)/test.asn1 test_asn1 || (rm -f test_asn1_files ; exit 1)
 
-$(srcdir)/der-protos.h:
+$(ALL_OBJECTS): $(DER_PROTOS) asn1_err.h
+
+$(srcdir)/der-protos.h: $(dist_libasn1base_la_SOURCES)
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -o der-protos.h $(dist_libasn1base_la_SOURCES) || rm -f der-protos.h
 
-$(srcdir)/der-private.h:
+$(srcdir)/der-private.h: $(dist_libasn1base_la_SOURCES)
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p der-private.h $(dist_libasn1base_la_SOURCES) || rm -f der-private.h
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/lib/asn1/NTMakefile b/lib/asn1/NTMakefile
index 1ee62b198795..01dc9971b86f 100644
--- a/lib/asn1/NTMakefile
+++ b/lib/asn1/NTMakefile
@@ -31,7 +31,7 @@
 
 RELDIR=lib\asn1
 
-intcflags=-I$(SRCDIR) -I$(OBJ)
+intcflags=-I$(SRCDIR) -I$(OBJ) -DROKEN_RENAME
 
 !include ../../windows/NTMakefile.w32
 
@@ -318,11 +318,11 @@ test-binaries: $(TEST_BINARIES)
 
 test-run:
 	cd $(OBJ)
-	check-der.exe
-	check-gen.exe
-	check-timegm.exe
-	check-ber.exe
-	check-template.exe
+	-check-der.exe
+	-check-gen.exe
+	-check-timegm.exe
+	-check-ber.exe
+	-check-template.exe
 	cd $(SRC)
 
 test:: test-binaries test-run
diff --git a/lib/asn1/README.template b/lib/asn1/README.template
new file mode 100644
index 000000000000..874c8fb0b8f0
--- /dev/null
+++ b/lib/asn1/README.template
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+size .libs/libasn1.dylib
+size .libs/libasn1base.a | awk '{sum += $1} END {print sum}' | sed 's/^/TEXT baselib: /'
+size .libs/asn1_*.o | awk '{sum += $1} END {print sum}' | sed 's/^/generated code stubs: /'
+size *_asn1-template.o | awk '{sum += $1} END {print sum}' | sed 's/^/TEXT stubs: /'
+
+exit 0
+
+Notes about the template parser:
+
+- assumption: code is large, tables smaller
+
+- how to generate template based stubs:
+
+	make check asn1_compile_FLAGS=--template > log
+
+- pretty much the same as the generate code, except uses tables instead of code
+
+TODO:
+	- Make hdb work
+
+	- Fuzzing tests
+
+	- Performance testing
+
+	- ASN1_MALLOC_ENCODE() as a function, replaces encode_ and length_
+
+	- Fix SIZE constraits
+
+	- Compact types that only contain on entry to not having a header.
+
+
+SIZE - Futher down is later generations of the template parser
+
+	code:
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	462848	12288	0	323584	798720	c3000 (O2)
+
+	trivial types:
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	446464	12288	0	323584	782336	bf000 (O2)
+
+	OPTIONAL
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	425984	16384	0	323584	765952	bb000 (O2)
+
+	SEQ OF
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	368640	32768	0	327680	729088	b2000 (O2)
+	348160	32768	0	327680	708608	ad000 (Os)
+
+	BOOLEAN
+	==================
+	339968	32768	0	327680	700416	ab000 (Os)
+
+	TYPE_EXTERNAL:
+	==================
+	331776	32768	0	327680	692224	a9000 (Os)
+
+	SET OF
+	==================
+	327680	32768	0	327680	688128	a8000 (Os)
+
+	TYPE_EXTERNAL everywhere
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	167936	69632	0	327680	565248	8a000 (Os)
+
+	TAG uses ->ptr (header and trailer)
+	==================
+	229376	102400	0	421888	753664	b8000 (O0)
+
+	TAG uses ->ptr (header only)
+	==================
+	221184	77824	0	421888	720896	b0000 (O0)
+
+	BER support for octet string (not working)
+	==================
+	180224	73728	0	417792	671744	a4000 (O2)
+
+	CHOICE and BIT STRING missign
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	172032	73728	0	417792	663552	a2000 (Os)
+
+	No accessor functions to global variable
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	159744	73728	0	393216	626688	99000 (Os)
+
+	All types tables (except choice) (id still objects)
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	167936	77824	0	421888	667648	a3000
+	base lib: 22820
+
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	==================
+	167936	77824	0	421888	667648	a3000 (Os)
+	baselib: 22820
+	generated code stubs: 41472
+	TEXT stubs: 112560
+
+	All types, id still objects
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	155648	81920	0	430080	667648	a3000 (Os)
+	TEXT baselib: 23166
+	generated code stubs: 20796
+	TEXT stubs: 119891
+
+	All types, id still objects, dup compression
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	143360	65536	0	376832	585728	8f000 (Os)
+	TEXT baselib: 23166
+	generated code stubs: 20796
+	TEXT stubs: 107147
+
+	All types, dup compression, id vars
+	==================
+	__TEXT	__DATA	__OBJC	others	dec	hex
+	131072	65536	0	352256	548864	86000
+	TEXT baselib: 23166
+	generated code stubs: 7536
+	TEXT stubs: 107147
diff --git a/lib/asn1/asn1-common.h b/lib/asn1/asn1-common.h
index 4083ebc23dd6..8a935d3740c2 100644
--- a/lib/asn1/asn1-common.h
+++ b/lib/asn1/asn1-common.h
@@ -7,21 +7,26 @@
 #ifndef __asn1_common_definitions__
 #define __asn1_common_definitions__
 
+#ifndef __HEIM_BASE_DATA__
+#define __HEIM_BASE_DATA__ 1
+struct heim_base_data {
+	size_t length;
+	void *data;
+};
+#endif
+
 typedef struct heim_integer {
     size_t length;
     void *data;
     int negative;
 } heim_integer;
 
-typedef struct heim_octet_string {
-    size_t length;
-    void *data;
-} heim_octet_string;
+typedef struct heim_base_data heim_octet_string;
 
 typedef char *heim_general_string;
 typedef char *heim_utf8_string;
-typedef struct heim_octet_string heim_printable_string;
-typedef struct heim_octet_string heim_ia5_string;
+typedef struct heim_base_data heim_printable_string;
+typedef struct heim_base_data heim_ia5_string;
 
 typedef struct heim_bmp_string {
     size_t length;
@@ -45,8 +50,8 @@ typedef struct heim_bit_string {
     void *data;
 } heim_bit_string;
 
-typedef struct heim_octet_string heim_any;
-typedef struct heim_octet_string heim_any_set;
+typedef struct heim_base_data heim_any;
+typedef struct heim_base_data heim_any_set;
 
 #define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \
   do {                                                         \
diff --git a/lib/asn1/asn1-template.h b/lib/asn1/asn1-template.h
index 107706ce8340..3c0400a4c706 100644
--- a/lib/asn1/asn1-template.h
+++ b/lib/asn1/asn1-template.h
@@ -90,7 +90,7 @@
 
 struct asn1_template {
     uint32_t tt;
-    size_t offset;
+    uint32_t offset;
     const void *ptr;
 };
 
@@ -118,7 +118,9 @@ enum template_types {
     A1T_IMEMBER = 0,
     A1T_HEIM_INTEGER,
     A1T_INTEGER,
+    A1T_INTEGER64,
     A1T_UNSIGNED,
+    A1T_UNSIGNED64,
     A1T_GENERAL_STRING,
     A1T_OCTET_STRING,
     A1T_OCTET_STRING_BER,
@@ -134,8 +136,72 @@ enum template_types {
     A1T_BOOLEAN,
     A1T_OID,
     A1T_TELETEX_STRING,
-    A1T_NULL
+    A1T_NUM_ENTRY
 };
 
+extern struct asn1_type_func asn1_template_prim[A1T_NUM_ENTRY];
+
+#define ABORT_ON_ERROR() abort()
+
+#define DPOC(data,offset) ((const void *)(((const unsigned char *)data)  + offset))
+#define DPO(data,offset) ((void *)(((unsigned char *)data)  + offset))
+
+/*
+ * These functions are needed by the generated template stubs and are
+ * really internal functions. Since they are part of der-private.h
+ * that contains extra prototypes that really a private we included a
+ * copy here.
+ */
+
+int
+_asn1_copy_top (
+	const struct asn1_template * /*t*/,
+	const void * /*from*/,
+	void * /*to*/);
+
+void
+_asn1_free_top(const struct asn1_template *t,
+	       void *data);
+
+int
+_asn1_decode_top (
+	const struct asn1_template * /*t*/,
+	unsigned /*flags*/,
+	const unsigned char * /*p*/,
+	size_t /*len*/,
+	void * /*data*/,
+	size_t * /*size*/);
+
+int
+_asn1_encode (
+	const struct asn1_template * /*t*/,
+	unsigned char * /*p*/,
+	size_t /*len*/,
+	const void * /*data*/,
+	size_t * /*size*/);
+
+int
+_asn1_encode_fuzzer (
+	const struct asn1_template * /*t*/,
+	unsigned char * /*p*/,
+	size_t /*len*/,
+	const void * /*data*/,
+	size_t * /*size*/);
+
+void
+_asn1_free (
+	const struct asn1_template * /*t*/,
+	void * /*data*/);
+
+size_t
+_asn1_length (
+	const struct asn1_template * /*t*/,
+	const void * /*data*/);
+
+size_t
+_asn1_length_fuzzer (
+	const struct asn1_template * /*t*/,
+	const void * /*data*/);
+
 
 #endif
diff --git a/lib/asn1/asn1_gen.c b/lib/asn1/asn1_gen.c
index 01dc68051622..58532ee700a1 100644
--- a/lib/asn1/asn1_gen.c
+++ b/lib/asn1/asn1_gen.c
@@ -150,8 +150,8 @@ doit(const char *fn)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/asn1/asn1_print.c b/lib/asn1/asn1_print.c
index 84446e0d8b98..e90204f9cfe0 100644
--- a/lib/asn1/asn1_print.c
+++ b/lib/asn1/asn1_print.c
@@ -174,14 +174,14 @@ loop (unsigned char *buf, size_t len, int indent)
 		printf ("(length %lu), ", (unsigned long)length);
 
 		if (inner_flag) {
-		    Der_class class;
-		    Der_type type;
-		    unsigned int tag;
+		    Der_class class2;
+		    Der_type type2;
+		    unsigned int tag2;
 
 		    ret = der_get_tag(str.data, str.length,
-				      &class, &type, &tag, &sz);
+				      &class2, &type2, &tag2, &sz);
 		    if (ret || sz > str.length ||
-			type != CONS || tag != UT_Sequence)
+			type2 != CONS || tag2 != UT_Sequence)
 			goto just_an_octet_string;
 
 		    printf("{\n");
@@ -315,10 +315,11 @@ doit (const char *filename)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "indent", 0, arg_negative_flag, &indent_flag },
-    { "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "indent", 0, arg_negative_flag, &indent_flag, NULL, NULL },
+    { "inner", 0, arg_flag, &inner_flag,
+      "try to parse inner structures of OCTET STRING", NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/asn1/asn1parse.c b/lib/asn1/asn1parse.c
index 0e04fabf6296..f05441eace9b 100644
--- a/lib/asn1/asn1parse.c
+++ b/lib/asn1/asn1parse.c
@@ -255,14 +255,13 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include "symbol.h"
 #include "lex.h"
 #include "gen_locl.h"
 #include "der.h"
 
-RCSID("$Id$");
-
 static Type *new_type (Typetype t);
 static struct constraint_spec *new_constraint_spec(enum ctype);
 static Type *new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype);
@@ -276,6 +275,8 @@ struct string_list {
     struct string_list *next;
 };
 
+static int default_tag_env = TE_EXPLICIT;
+
 /* Declarations for Bison */
 #define YYMALLOC malloc
 #define YYFREE   free
@@ -302,9 +303,9 @@ struct string_list {
 
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
-#line 71 "asn1parse.y"
+#line 72 "asn1parse.y"
 {
-    int constant;
+    int64_t constant;
     struct value *value;
     struct range *range;
     char *name;
@@ -318,7 +319,7 @@ typedef union YYSTYPE
     struct constraint_spec *constraint_spec;
 }
 /* Line 193 of yacc.c.  */
-#line 322 "asn1parse.c"
+#line 323 "asn1parse.c"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
@@ -331,7 +332,7 @@ typedef union YYSTYPE
 
 
 /* Line 216 of yacc.c.  */
-#line 335 "asn1parse.c"
+#line 336 "asn1parse.c"
 
 #ifdef short
 # undef short
@@ -674,21 +675,21 @@ static const yytype_int16 yyrhs[] =
 /* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
 static const yytype_uint16 yyrline[] =
 {
-       0,   239,   239,   246,   247,   249,   251,   254,   256,   259,
-     260,   263,   264,   267,   268,   271,   272,   275,   287,   293,
-     294,   297,   298,   301,   302,   305,   311,   319,   329,   330,
-     331,   334,   335,   336,   337,   338,   339,   340,   341,   342,
-     343,   344,   345,   346,   347,   350,   357,   367,   375,   383,
-     394,   399,   405,   413,   419,   424,   428,   441,   449,   452,
-     459,   467,   473,   482,   490,   491,   496,   502,   510,   519,
-     525,   533,   541,   548,   549,   552,   563,   568,   575,   591,
-     597,   600,   601,   604,   610,   618,   628,   634,   647,   656,
-     659,   663,   667,   674,   677,   681,   688,   699,   702,   707,
-     712,   717,   722,   727,   732,   737,   745,   751,   756,   767,
-     778,   784,   790,   798,   804,   811,   824,   825,   828,   835,
-     838,   849,   853,   864,   870,   871,   874,   875,   876,   877,
-     878,   881,   884,   887,   898,   906,   912,   920,   928,   931,
-     936
+       0,   240,   240,   247,   249,   251,   253,   256,   258,   261,
+     262,   265,   266,   269,   270,   273,   274,   277,   289,   295,
+     296,   299,   300,   303,   304,   307,   313,   321,   331,   332,
+     333,   336,   337,   338,   339,   340,   341,   342,   343,   344,
+     345,   346,   347,   348,   349,   352,   359,   369,   377,   385,
+     396,   401,   407,   415,   421,   426,   430,   443,   451,   454,
+     461,   469,   475,   489,   497,   498,   503,   509,   517,   532,
+     538,   546,   554,   561,   562,   565,   576,   581,   588,   604,
+     610,   613,   614,   617,   623,   631,   641,   647,   665,   674,
+     677,   681,   685,   692,   695,   699,   706,   717,   720,   725,
+     730,   735,   740,   745,   750,   755,   763,   769,   774,   785,
+     796,   802,   808,   816,   822,   829,   842,   843,   846,   853,
+     856,   867,   871,   882,   888,   889,   892,   893,   894,   895,
+     896,   899,   902,   905,   916,   924,   930,   938,   946,   949,
+     954
 };
 #endif
 
@@ -1774,29 +1775,34 @@ yyreduce:
   switch (yyn)
     {
         case 2:
-#line 241 "asn1parse.y"
+#line 242 "asn1parse.y"
     {
 			checkundefined();
 		}
     break;
 
-  case 4:
+  case 3:
 #line 248 "asn1parse.y"
-    { lex_error_message("implicit tagging is not supported"); }
+    { default_tag_env = TE_EXPLICIT; }
     break;
 
-  case 5:
+  case 4:
 #line 250 "asn1parse.y"
+    { default_tag_env = TE_IMPLICIT; }
+    break;
+
+  case 5:
+#line 252 "asn1parse.y"
     { lex_error_message("automatic tagging is not supported"); }
     break;
 
   case 7:
-#line 255 "asn1parse.y"
+#line 257 "asn1parse.y"
     { lex_error_message("no extensibility options supported"); }
     break;
 
   case 17:
-#line 276 "asn1parse.y"
+#line 278 "asn1parse.y"
     {
 		    struct string_list *sl;
 		    for(sl = (yyvsp[(1) - (4)].sl); sl != NULL; sl = sl->next) {
@@ -1809,7 +1815,7 @@ yyreduce:
     break;
 
   case 18:
-#line 288 "asn1parse.y"
+#line 290 "asn1parse.y"
     {
 		    struct string_list *sl;
 		    for(sl = (yyvsp[(2) - (3)].sl); sl != NULL; sl = sl->next)
@@ -1818,7 +1824,7 @@ yyreduce:
     break;
 
   case 25:
-#line 306 "asn1parse.y"
+#line 308 "asn1parse.y"
     {
 		    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
 		    (yyval.sl)->string = (yyvsp[(1) - (3)].name);
@@ -1827,7 +1833,7 @@ yyreduce:
     break;
 
   case 26:
-#line 312 "asn1parse.y"
+#line 314 "asn1parse.y"
     {
 		    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
 		    (yyval.sl)->string = (yyvsp[(1) - (1)].name);
@@ -1836,7 +1842,7 @@ yyreduce:
     break;
 
   case 27:
-#line 320 "asn1parse.y"
+#line 322 "asn1parse.y"
     {
 		    Symbol *s = addsym ((yyvsp[(1) - (3)].name));
 		    s->stype = Stype;
@@ -1847,7 +1853,7 @@ yyreduce:
     break;
 
   case 45:
-#line 351 "asn1parse.y"
+#line 353 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Boolean,
 				     TE_EXPLICIT, new_type(TBoolean));
@@ -1855,7 +1861,7 @@ yyreduce:
     break;
 
   case 46:
-#line 358 "asn1parse.y"
+#line 360 "asn1parse.y"
     {
 		    if((yyvsp[(2) - (5)].value)->type != integervalue)
 			lex_error_message("Non-integer used in first part of range");
@@ -1868,29 +1874,29 @@ yyreduce:
     break;
 
   case 47:
-#line 368 "asn1parse.y"
+#line 370 "asn1parse.y"
     {
 		    if((yyvsp[(2) - (5)].value)->type != integervalue)
 			lex_error_message("Non-integer in first part of range");
 		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
 		    (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue;
-		    (yyval.range)->max = (yyvsp[(2) - (5)].value)->u.integervalue - 1;
+		    (yyval.range)->max = INT_MAX;
 		}
     break;
 
   case 48:
-#line 376 "asn1parse.y"
+#line 378 "asn1parse.y"
     {
 		    if((yyvsp[(4) - (5)].value)->type != integervalue)
 			lex_error_message("Non-integer in second part of range");
 		    (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
-		    (yyval.range)->min = (yyvsp[(4) - (5)].value)->u.integervalue + 2;
+		    (yyval.range)->min = INT_MIN;
 		    (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue;
 		}
     break;
 
   case 49:
-#line 384 "asn1parse.y"
+#line 386 "asn1parse.y"
     {
 		    if((yyvsp[(2) - (3)].value)->type != integervalue)
 			lex_error_message("Non-integer used in limit");
@@ -1901,7 +1907,7 @@ yyreduce:
     break;
 
   case 50:
-#line 395 "asn1parse.y"
+#line 397 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer,
 				     TE_EXPLICIT, new_type(TInteger));
@@ -1909,7 +1915,7 @@ yyreduce:
     break;
 
   case 51:
-#line 400 "asn1parse.y"
+#line 402 "asn1parse.y"
     {
 			(yyval.type) = new_type(TInteger);
 			(yyval.type)->range = (yyvsp[(2) - (2)].range);
@@ -1918,7 +1924,7 @@ yyreduce:
     break;
 
   case 52:
-#line 406 "asn1parse.y"
+#line 408 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TInteger);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -1927,7 +1933,7 @@ yyreduce:
     break;
 
   case 53:
-#line 414 "asn1parse.y"
+#line 416 "asn1parse.y"
     {
 			(yyval.members) = emalloc(sizeof(*(yyval.members)));
 			ASN1_TAILQ_INIT((yyval.members));
@@ -1936,7 +1942,7 @@ yyreduce:
     break;
 
   case 54:
-#line 420 "asn1parse.y"
+#line 422 "asn1parse.y"
     {
 			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
 			(yyval.members) = (yyvsp[(1) - (3)].members);
@@ -1944,12 +1950,12 @@ yyreduce:
     break;
 
   case 55:
-#line 425 "asn1parse.y"
+#line 427 "asn1parse.y"
     { (yyval.members) = (yyvsp[(1) - (3)].members); }
     break;
 
   case 56:
-#line 429 "asn1parse.y"
+#line 431 "asn1parse.y"
     {
 			(yyval.member) = emalloc(sizeof(*(yyval.member)));
 			(yyval.member)->name = (yyvsp[(1) - (4)].name);
@@ -1963,7 +1969,7 @@ yyreduce:
     break;
 
   case 57:
-#line 442 "asn1parse.y"
+#line 444 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TInteger);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -1972,7 +1978,7 @@ yyreduce:
     break;
 
   case 59:
-#line 453 "asn1parse.y"
+#line 455 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TBitString);
 		  (yyval.type)->members = emalloc(sizeof(*(yyval.type)->members));
@@ -1982,7 +1988,7 @@ yyreduce:
     break;
 
   case 60:
-#line 460 "asn1parse.y"
+#line 462 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TBitString);
 		  (yyval.type)->members = (yyvsp[(4) - (5)].members);
@@ -1991,7 +1997,7 @@ yyreduce:
     break;
 
   case 61:
-#line 468 "asn1parse.y"
+#line 470 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_OID,
 				     TE_EXPLICIT, new_type(TOID));
@@ -1999,17 +2005,22 @@ yyreduce:
     break;
 
   case 62:
-#line 474 "asn1parse.y"
+#line 476 "asn1parse.y"
     {
 		    Type *t = new_type(TOctetString);
 		    t->range = (yyvsp[(3) - (3)].range);
+		    if (t->range) {
+			if (t->range->min < 0)
+			    lex_error_message("can't use a negative SIZE range "
+					      "length for OCTET STRING");
+		    }
 		    (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString,
 				 TE_EXPLICIT, t);
 		}
     break;
 
   case 63:
-#line 483 "asn1parse.y"
+#line 490 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_Null,
 				     TE_EXPLICIT, new_type(TNull));
@@ -2017,72 +2028,78 @@ yyreduce:
     break;
 
   case 64:
-#line 490 "asn1parse.y"
+#line 497 "asn1parse.y"
     { (yyval.range) = NULL; }
     break;
 
   case 65:
-#line 492 "asn1parse.y"
+#line 499 "asn1parse.y"
     { (yyval.range) = (yyvsp[(2) - (2)].range); }
     break;
 
   case 66:
-#line 497 "asn1parse.y"
+#line 504 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TSequence);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, default_tag_env, (yyval.type));
 		}
     break;
 
   case 67:
-#line 503 "asn1parse.y"
+#line 510 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TSequence);
 		  (yyval.type)->members = NULL;
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, default_tag_env, (yyval.type));
 		}
     break;
 
   case 68:
-#line 511 "asn1parse.y"
+#line 518 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TSequenceOf);
 		  (yyval.type)->range = (yyvsp[(2) - (4)].range);
+		  if ((yyval.type)->range) {
+		      if ((yyval.type)->range->min < 0)
+			  lex_error_message("can't use a negative SIZE range "
+					    "length for SEQUENCE OF");
+		    }
+
 		  (yyval.type)->subtype = (yyvsp[(4) - (4)].type);
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, default_tag_env, (yyval.type));
 		}
     break;
 
   case 69:
-#line 520 "asn1parse.y"
+#line 533 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TSet);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, default_tag_env, (yyval.type));
 		}
     break;
 
   case 70:
-#line 526 "asn1parse.y"
+#line 539 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TSet);
 		  (yyval.type)->members = NULL;
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, default_tag_env, (yyval.type));
 		}
     break;
 
   case 71:
-#line 534 "asn1parse.y"
+#line 547 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TSetOf);
 		  (yyval.type)->subtype = (yyvsp[(3) - (3)].type);
-		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, (yyval.type));
+		  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Set, default_tag_env, (yyval.type));
 		}
     break;
 
   case 72:
-#line 542 "asn1parse.y"
+#line 555 "asn1parse.y"
     {
 		  (yyval.type) = new_type(TChoice);
 		  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -2090,7 +2107,7 @@ yyreduce:
     break;
 
   case 75:
-#line 553 "asn1parse.y"
+#line 566 "asn1parse.y"
     {
 		  Symbol *s = addsym((yyvsp[(1) - (1)].name));
 		  (yyval.type) = new_type(TType);
@@ -2102,7 +2119,7 @@ yyreduce:
     break;
 
   case 76:
-#line 564 "asn1parse.y"
+#line 577 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralizedTime,
 				     TE_EXPLICIT, new_type(TGeneralizedTime));
@@ -2110,7 +2127,7 @@ yyreduce:
     break;
 
   case 77:
-#line 569 "asn1parse.y"
+#line 582 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTCTime,
 				     TE_EXPLICIT, new_type(TUTCTime));
@@ -2118,7 +2135,7 @@ yyreduce:
     break;
 
   case 78:
-#line 576 "asn1parse.y"
+#line 589 "asn1parse.y"
     {
 		    /* if (Constraint.type == contentConstrant) {
 		       assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too
@@ -2134,14 +2151,14 @@ yyreduce:
     break;
 
   case 79:
-#line 592 "asn1parse.y"
+#line 605 "asn1parse.y"
     {
 		    (yyval.constraint_spec) = (yyvsp[(2) - (3)].constraint_spec);
 		}
     break;
 
   case 83:
-#line 605 "asn1parse.y"
+#line 618 "asn1parse.y"
     {
 		    (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
 		    (yyval.constraint_spec)->u.content.type = (yyvsp[(2) - (2)].type);
@@ -2150,7 +2167,7 @@ yyreduce:
     break;
 
   case 84:
-#line 611 "asn1parse.y"
+#line 624 "asn1parse.y"
     {
 		    if ((yyvsp[(3) - (3)].value)->type != objectidentifiervalue)
 			lex_error_message("Non-OID used in ENCODED BY constraint");
@@ -2161,7 +2178,7 @@ yyreduce:
     break;
 
   case 85:
-#line 619 "asn1parse.y"
+#line 632 "asn1parse.y"
     {
 		    if ((yyvsp[(5) - (5)].value)->type != objectidentifiervalue)
 			lex_error_message("Non-OID used in ENCODED BY constraint");
@@ -2172,86 +2189,91 @@ yyreduce:
     break;
 
   case 86:
-#line 629 "asn1parse.y"
+#line 642 "asn1parse.y"
     {
 		    (yyval.constraint_spec) = new_constraint_spec(CT_USER);
 		}
     break;
 
   case 87:
-#line 635 "asn1parse.y"
+#line 648 "asn1parse.y"
     {
 			(yyval.type) = new_type(TTag);
 			(yyval.type)->tag = (yyvsp[(1) - (3)].tag);
 			(yyval.type)->tag.tagenv = (yyvsp[(2) - (3)].constant);
-			if((yyvsp[(3) - (3)].type)->type == TTag && (yyvsp[(2) - (3)].constant) == TE_IMPLICIT) {
+			if (template_flag) {
+			    (yyval.type)->subtype = (yyvsp[(3) - (3)].type);
+			} else {
+			    if((yyvsp[(3) - (3)].type)->type == TTag && (yyvsp[(2) - (3)].constant) == TE_IMPLICIT) {
 				(yyval.type)->subtype = (yyvsp[(3) - (3)].type)->subtype;
 				free((yyvsp[(3) - (3)].type));
-			} else
+			    } else {
 				(yyval.type)->subtype = (yyvsp[(3) - (3)].type);
+			    }
+			}
 		}
     break;
 
   case 88:
-#line 648 "asn1parse.y"
+#line 666 "asn1parse.y"
     {
 			(yyval.tag).tagclass = (yyvsp[(2) - (4)].constant);
 			(yyval.tag).tagvalue = (yyvsp[(3) - (4)].constant);
-			(yyval.tag).tagenv = TE_EXPLICIT;
+			(yyval.tag).tagenv = default_tag_env;
 		}
     break;
 
   case 89:
-#line 656 "asn1parse.y"
+#line 674 "asn1parse.y"
     {
 			(yyval.constant) = ASN1_C_CONTEXT;
 		}
     break;
 
   case 90:
-#line 660 "asn1parse.y"
+#line 678 "asn1parse.y"
     {
 			(yyval.constant) = ASN1_C_UNIV;
 		}
     break;
 
   case 91:
-#line 664 "asn1parse.y"
+#line 682 "asn1parse.y"
     {
 			(yyval.constant) = ASN1_C_APPL;
 		}
     break;
 
   case 92:
-#line 668 "asn1parse.y"
+#line 686 "asn1parse.y"
     {
 			(yyval.constant) = ASN1_C_PRIVATE;
 		}
     break;
 
   case 93:
-#line 674 "asn1parse.y"
+#line 692 "asn1parse.y"
     {
-			(yyval.constant) = TE_EXPLICIT;
+			(yyval.constant) = default_tag_env;
 		}
     break;
 
   case 94:
-#line 678 "asn1parse.y"
+#line 696 "asn1parse.y"
     {
-			(yyval.constant) = TE_EXPLICIT;
+			(yyval.constant) = default_tag_env;
 		}
     break;
 
   case 95:
-#line 682 "asn1parse.y"
+#line 700 "asn1parse.y"
     {
 			(yyval.constant) = TE_IMPLICIT;
 		}
     break;
 
   case 96:
-#line 689 "asn1parse.y"
+#line 707 "asn1parse.y"
     {
 			Symbol *s;
 			s = addsym ((yyvsp[(1) - (4)].name));
@@ -2263,7 +2285,7 @@ yyreduce:
     break;
 
   case 98:
-#line 703 "asn1parse.y"
+#line 721 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString,
 				     TE_EXPLICIT, new_type(TGeneralString));
@@ -2271,7 +2293,7 @@ yyreduce:
     break;
 
   case 99:
-#line 708 "asn1parse.y"
+#line 726 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_TeletexString,
 				     TE_EXPLICIT, new_type(TTeletexString));
@@ -2279,7 +2301,7 @@ yyreduce:
     break;
 
   case 100:
-#line 713 "asn1parse.y"
+#line 731 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String,
 				     TE_EXPLICIT, new_type(TUTF8String));
@@ -2287,7 +2309,7 @@ yyreduce:
     break;
 
   case 101:
-#line 718 "asn1parse.y"
+#line 736 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString,
 				     TE_EXPLICIT, new_type(TPrintableString));
@@ -2295,7 +2317,7 @@ yyreduce:
     break;
 
   case 102:
-#line 723 "asn1parse.y"
+#line 741 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_VisibleString,
 				     TE_EXPLICIT, new_type(TVisibleString));
@@ -2303,7 +2325,7 @@ yyreduce:
     break;
 
   case 103:
-#line 728 "asn1parse.y"
+#line 746 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String,
 				     TE_EXPLICIT, new_type(TIA5String));
@@ -2311,7 +2333,7 @@ yyreduce:
     break;
 
   case 104:
-#line 733 "asn1parse.y"
+#line 751 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString,
 				     TE_EXPLICIT, new_type(TBMPString));
@@ -2319,7 +2341,7 @@ yyreduce:
     break;
 
   case 105:
-#line 738 "asn1parse.y"
+#line 756 "asn1parse.y"
     {
 			(yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString,
 				     TE_EXPLICIT, new_type(TUniversalString));
@@ -2327,7 +2349,7 @@ yyreduce:
     break;
 
   case 106:
-#line 746 "asn1parse.y"
+#line 764 "asn1parse.y"
     {
 			(yyval.members) = emalloc(sizeof(*(yyval.members)));
 			ASN1_TAILQ_INIT((yyval.members));
@@ -2336,7 +2358,7 @@ yyreduce:
     break;
 
   case 107:
-#line 752 "asn1parse.y"
+#line 770 "asn1parse.y"
     {
 			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
 			(yyval.members) = (yyvsp[(1) - (3)].members);
@@ -2344,7 +2366,7 @@ yyreduce:
     break;
 
   case 108:
-#line 757 "asn1parse.y"
+#line 775 "asn1parse.y"
     {
 		        struct member *m = ecalloc(1, sizeof(*m));
 			m->name = estrdup("...");
@@ -2356,7 +2378,7 @@ yyreduce:
     break;
 
   case 109:
-#line 768 "asn1parse.y"
+#line 786 "asn1parse.y"
     {
 		  (yyval.member) = emalloc(sizeof(*(yyval.member)));
 		  (yyval.member)->name = (yyvsp[(1) - (2)].name);
@@ -2368,7 +2390,7 @@ yyreduce:
     break;
 
   case 110:
-#line 779 "asn1parse.y"
+#line 797 "asn1parse.y"
     {
 			(yyval.member) = (yyvsp[(1) - (1)].member);
 			(yyval.member)->optional = 0;
@@ -2377,7 +2399,7 @@ yyreduce:
     break;
 
   case 111:
-#line 785 "asn1parse.y"
+#line 803 "asn1parse.y"
     {
 			(yyval.member) = (yyvsp[(1) - (2)].member);
 			(yyval.member)->optional = 1;
@@ -2386,7 +2408,7 @@ yyreduce:
     break;
 
   case 112:
-#line 791 "asn1parse.y"
+#line 809 "asn1parse.y"
     {
 			(yyval.member) = (yyvsp[(1) - (3)].member);
 			(yyval.member)->optional = 0;
@@ -2395,7 +2417,7 @@ yyreduce:
     break;
 
   case 113:
-#line 799 "asn1parse.y"
+#line 817 "asn1parse.y"
     {
 			(yyval.members) = emalloc(sizeof(*(yyval.members)));
 			ASN1_TAILQ_INIT((yyval.members));
@@ -2404,7 +2426,7 @@ yyreduce:
     break;
 
   case 114:
-#line 805 "asn1parse.y"
+#line 823 "asn1parse.y"
     {
 			ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
 			(yyval.members) = (yyvsp[(1) - (3)].members);
@@ -2412,7 +2434,7 @@ yyreduce:
     break;
 
   case 115:
-#line 812 "asn1parse.y"
+#line 830 "asn1parse.y"
     {
 		  (yyval.member) = emalloc(sizeof(*(yyval.member)));
 		  (yyval.member)->name = (yyvsp[(1) - (4)].name);
@@ -2426,26 +2448,26 @@ yyreduce:
     break;
 
   case 117:
-#line 825 "asn1parse.y"
+#line 843 "asn1parse.y"
     { (yyval.objid) = NULL; }
     break;
 
   case 118:
-#line 829 "asn1parse.y"
+#line 847 "asn1parse.y"
     {
 			(yyval.objid) = (yyvsp[(2) - (3)].objid);
 		}
     break;
 
   case 119:
-#line 835 "asn1parse.y"
+#line 853 "asn1parse.y"
     {
 			(yyval.objid) = NULL;
 		}
     break;
 
   case 120:
-#line 839 "asn1parse.y"
+#line 857 "asn1parse.y"
     {
 		        if ((yyvsp[(2) - (2)].objid)) {
 				(yyval.objid) = (yyvsp[(2) - (2)].objid);
@@ -2457,14 +2479,14 @@ yyreduce:
     break;
 
   case 121:
-#line 850 "asn1parse.y"
+#line 868 "asn1parse.y"
     {
 			(yyval.objid) = new_objid((yyvsp[(1) - (4)].name), (yyvsp[(3) - (4)].constant));
 		}
     break;
 
   case 122:
-#line 854 "asn1parse.y"
+#line 872 "asn1parse.y"
     {
 		    Symbol *s = addsym((yyvsp[(1) - (1)].name));
 		    if(s->stype != SValue ||
@@ -2478,14 +2500,14 @@ yyreduce:
     break;
 
   case 123:
-#line 865 "asn1parse.y"
+#line 883 "asn1parse.y"
     {
 		    (yyval.objid) = new_objid(NULL, (yyvsp[(1) - (1)].constant));
 		}
     break;
 
   case 133:
-#line 888 "asn1parse.y"
+#line 906 "asn1parse.y"
     {
 			Symbol *s = addsym((yyvsp[(1) - (1)].name));
 			if(s->stype != SValue)
@@ -2497,7 +2519,7 @@ yyreduce:
     break;
 
   case 134:
-#line 899 "asn1parse.y"
+#line 917 "asn1parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = stringvalue;
@@ -2506,7 +2528,7 @@ yyreduce:
     break;
 
   case 135:
-#line 907 "asn1parse.y"
+#line 925 "asn1parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = booleanvalue;
@@ -2515,7 +2537,7 @@ yyreduce:
     break;
 
   case 136:
-#line 913 "asn1parse.y"
+#line 931 "asn1parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = booleanvalue;
@@ -2524,7 +2546,7 @@ yyreduce:
     break;
 
   case 137:
-#line 921 "asn1parse.y"
+#line 939 "asn1parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = integervalue;
@@ -2533,13 +2555,13 @@ yyreduce:
     break;
 
   case 139:
-#line 932 "asn1parse.y"
+#line 950 "asn1parse.y"
     {
 		}
     break;
 
   case 140:
-#line 937 "asn1parse.y"
+#line 955 "asn1parse.y"
     {
 			(yyval.value) = emalloc(sizeof(*(yyval.value)));
 			(yyval.value)->type = objectidentifiervalue;
@@ -2549,7 +2571,7 @@ yyreduce:
 
 
 /* Line 1267 of yacc.c.  */
-#line 2553 "asn1parse.c"
+#line 2575 "asn1parse.c"
       default: break;
     }
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@ -2763,7 +2785,7 @@ yyreturn:
 }
 
 
-#line 944 "asn1parse.y"
+#line 962 "asn1parse.y"
 
 
 void
@@ -2810,11 +2832,14 @@ add_oid_to_tail(struct objid *head, struct objid *tail)
     o->next = tail;
 }
 
+static unsigned long idcounter;
+
 static Type *
 new_type (Typetype tt)
 {
     Type *t = ecalloc(1, sizeof(*t));
     t->type = tt;
+    t->id = idcounter++;
     return t;
 }
 
diff --git a/lib/asn1/asn1parse.h b/lib/asn1/asn1parse.h
index 69b7d6dc1a4a..3b59959ffbd2 100644
--- a/lib/asn1/asn1parse.h
+++ b/lib/asn1/asn1parse.h
@@ -222,9 +222,9 @@
 
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 typedef union YYSTYPE
-#line 71 "asn1parse.y"
+#line 72 "asn1parse.y"
 {
-    int constant;
+    int64_t constant;
     struct value *value;
     struct range *range;
     char *name;
diff --git a/lib/asn1/asn1parse.y b/lib/asn1/asn1parse.y
index e3bea6ce0ac9..88299f08b565 100644
--- a/lib/asn1/asn1parse.y
+++ b/lib/asn1/asn1parse.y
@@ -41,14 +41,13 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include "symbol.h"
 #include "lex.h"
 #include "gen_locl.h"
 #include "der.h"
 
-RCSID("$Id$");
-
 static Type *new_type (Typetype t);
 static struct constraint_spec *new_constraint_spec(enum ctype);
 static Type *new_tag(int tagclass, int tagvalue, int tagenv, Type *oldtype);
@@ -62,6 +61,8 @@ struct string_list {
     struct string_list *next;
 };
 
+static int default_tag_env = TE_EXPLICIT;
+
 /* Declarations for Bison */
 #define YYMALLOC malloc
 #define YYFREE   free
@@ -69,7 +70,7 @@ struct string_list {
 %}
 
 %union {
-    int constant;
+    int64_t constant;
     struct value *value;
     struct range *range;
     char *name;
@@ -243,9 +244,10 @@ ModuleDefinition: IDENTIFIER objid_opt kw_DEFINITIONS TagDefault ExtensionDefaul
 		}
 		;
 
-TagDefault	: kw_EXPLICIT kw_TAGS
+TagDefault	: kw_EXPLICIT kw_TAGS 
+			{ default_tag_env = TE_EXPLICIT; }
 		| kw_IMPLICIT kw_TAGS
-		      { lex_error_message("implicit tagging is not supported"); }
+			{ default_tag_env = TE_IMPLICIT; }
 		| kw_AUTOMATIC kw_TAGS
 		      { lex_error_message("automatic tagging is not supported"); }
 		| /* empty */
@@ -370,14 +372,14 @@ range		: '(' Value RANGE Value ')'
 			lex_error_message("Non-integer in first part of range");
 		    $$ = ecalloc(1, sizeof(*$$));
 		    $$->min = $2->u.integervalue;
-		    $$->max = $2->u.integervalue - 1;
+		    $$->max = INT_MAX;
 		}
 		| '(' kw_MIN RANGE Value ')'
 		{
 		    if($4->type != integervalue)
 			lex_error_message("Non-integer in second part of range");
 		    $$ = ecalloc(1, sizeof(*$$));
-		    $$->min = $4->u.integervalue + 2;
+		    $$->min = INT_MIN;
 		    $$->max = $4->u.integervalue;
 		}
 		| '(' Value ')'
@@ -474,6 +476,11 @@ OctetStringType	: kw_OCTET kw_STRING size
 		{
 		    Type *t = new_type(TOctetString);
 		    t->range = $3;
+		    if (t->range) {
+			if (t->range->min < 0)
+			    lex_error_message("can't use a negative SIZE range "
+					      "length for OCTET STRING");
+		    }
 		    $$ = new_tag(ASN1_C_UNIV, UT_OctetString,
 				 TE_EXPLICIT, t);
 		}
@@ -497,13 +504,13 @@ SequenceType	: kw_SEQUENCE '{' /* ComponentTypeLists */ ComponentTypeList '}'
 		{
 		  $$ = new_type(TSequence);
 		  $$->members = $3;
-		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$);
+		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, default_tag_env, $$);
 		}
 		| kw_SEQUENCE '{' '}'
 		{
 		  $$ = new_type(TSequence);
 		  $$->members = NULL;
-		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$);
+		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, default_tag_env, $$);
 		}
 		;
 
@@ -511,8 +518,14 @@ SequenceOfType	: kw_SEQUENCE size kw_OF Type
 		{
 		  $$ = new_type(TSequenceOf);
 		  $$->range = $2;
+		  if ($$->range) {
+		      if ($$->range->min < 0)
+			  lex_error_message("can't use a negative SIZE range "
+					    "length for SEQUENCE OF");
+		    }
+
 		  $$->subtype = $4;
-		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, $$);
+		  $$ = new_tag(ASN1_C_UNIV, UT_Sequence, default_tag_env, $$);
 		}
 		;
 
@@ -520,13 +533,13 @@ SetType		: kw_SET '{' /* ComponentTypeLists */ ComponentTypeList '}'
 		{
 		  $$ = new_type(TSet);
 		  $$->members = $3;
-		  $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$);
+		  $$ = new_tag(ASN1_C_UNIV, UT_Set, default_tag_env, $$);
 		}
 		| kw_SET '{' '}'
 		{
 		  $$ = new_type(TSet);
 		  $$->members = NULL;
-		  $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$);
+		  $$ = new_tag(ASN1_C_UNIV, UT_Set, default_tag_env, $$);
 		}
 		;
 
@@ -534,7 +547,7 @@ SetOfType	: kw_SET kw_OF Type
 		{
 		  $$ = new_type(TSetOf);
 		  $$->subtype = $3;
-		  $$ = new_tag(ASN1_C_UNIV, UT_Set, TE_EXPLICIT, $$);
+		  $$ = new_tag(ASN1_C_UNIV, UT_Set, default_tag_env, $$);
 		}
 		;
 
@@ -636,11 +649,16 @@ TaggedType	: Tag tagenv Type
 			$$ = new_type(TTag);
 			$$->tag = $1;
 			$$->tag.tagenv = $2;
-			if($3->type == TTag && $2 == TE_IMPLICIT) {
+			if (template_flag) {
+			    $$->subtype = $3;
+			} else {
+			    if($3->type == TTag && $2 == TE_IMPLICIT) {
 				$$->subtype = $3->subtype;
 				free($3);
-			} else
+			    } else {
 				$$->subtype = $3;
+			    }
+			}
 		}
 		;
 
@@ -648,7 +666,7 @@ Tag		: '[' Class NUMBER ']'
 		{
 			$$.tagclass = $2;
 			$$.tagvalue = $3;
-			$$.tagenv = TE_EXPLICIT;
+			$$.tagenv = default_tag_env;
 		}
 		;
 
@@ -672,11 +690,11 @@ Class		: /* */
 
 tagenv		: /* */
 		{
-			$$ = TE_EXPLICIT;
+			$$ = default_tag_env;
 		}
 		| kw_EXPLICIT
 		{
-			$$ = TE_EXPLICIT;
+			$$ = default_tag_env;
 		}
 		| kw_IMPLICIT
 		{
@@ -987,11 +1005,14 @@ add_oid_to_tail(struct objid *head, struct objid *tail)
     o->next = tail;
 }
 
+static unsigned long idcounter;
+
 static Type *
 new_type (Typetype tt)
 {
     Type *t = ecalloc(1, sizeof(*t));
     t->type = tt;
+    t->id = idcounter++;
     return t;
 }
 
diff --git a/lib/asn1/check-common.c b/lib/asn1/check-common.c
index ac96b91b18ea..7eadc0109f52 100644
--- a/lib/asn1/check-common.c
+++ b/lib/asn1/check-common.c
@@ -33,9 +33,7 @@
  * SUCH DAMAGE.
  */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 #ifdef HAVE_SYS_MMAN_H
 #include <sys/mman.h>
 #endif
@@ -47,8 +45,6 @@
 #include "asn1-common.h"
 #include "check-common.h"
 
-RCSID("$Id$");
-
 struct map_page {
     void *start;
     size_t size;
diff --git a/lib/asn1/check-common.h b/lib/asn1/check-common.h
index 9ecbdbc35ded..c10fec28ca13 100644
--- a/lib/asn1/check-common.h
+++ b/lib/asn1/check-common.h
@@ -33,9 +33,26 @@
  * SUCH DAMAGE.
  */
 
+#define IF_OPT_COMPARE(ac,bc,e) \
+	if (((ac)->e == NULL && (bc)->e != NULL) || (((ac)->e != NULL && (bc)->e == NULL))) return 1; if ((ac)->e)
+#define COMPARE_OPT_STRING(ac,bc,e) \
+	do { if (strcmp(*(ac)->e, *(bc)->e) != 0) return 1; } while(0)
+#define COMPARE_OPT_OCTET_STRING(ac,bc,e) \
+	do { if ((ac)->e->length != (bc)->e->length || memcmp((ac)->e->data, (bc)->e->data, (ac)->e->length) != 0) return 1; } while(0)
+#define COMPARE_STRING(ac,bc,e) \
+	do { if (strcmp((ac)->e, (bc)->e) != 0) return 1; } while(0)
+#define COMPARE_INTEGER(ac,bc,e) \
+	do { if ((ac)->e != (bc)->e) return 1; } while(0)
+#define COMPARE_OPT_INTEGER(ac,bc,e) \
+	do { if (*(ac)->e != *(bc)->e) return 1; } while(0)
+#define COMPARE_MEM(ac,bc,e,len) \
+	do { if (memcmp((ac)->e, (bc)->e,len) != 0) return 1; } while(0)
+#define COMPARE_OCTET_STRING(ac,bc,e) \
+	do { if ((ac)->e.length != (bc)->e.length || memcmp((ac)->e.data, (bc)->e.data, (ac)->e.length) != 0) return 1; } while(0)
+
 struct test_case {
     void *val;
-    int byte_len;
+    ssize_t byte_len;
     const char *bytes;
     char *name;
 };
diff --git a/lib/asn1/check-der.c b/lib/asn1/check-der.c
index fa80a425410f..007197eb1fdc 100644
--- a/lib/asn1/check-der.c
+++ b/lib/asn1/check-der.c
@@ -58,16 +58,16 @@ static int
 test_integer (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 1, "\x80"},
-	{NULL, 2, "\xff\x7f"},
-	{NULL, 1, "\xff"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 2, "\x00\xff"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00", 		NULL },
+	{NULL, 1, "\x7f", 		NULL },
+	{NULL, 2, "\x00\x80", 		NULL },
+	{NULL, 2, "\x01\x00", 		NULL },
+	{NULL, 1, "\x80", 		NULL },
+	{NULL, 2, "\xff\x7f", 		NULL },
+	{NULL, 1, "\xff", 		NULL },
+	{NULL, 2, "\xff\x01", 		NULL },
+	{NULL, 2, "\x00\xff", 		NULL },
+	{NULL, 4, "\x7f\xff\xff\xff", 	NULL }
     };
 
     int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
@@ -184,14 +184,14 @@ static int
 test_unsigned (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 2, "\x02\x00"},
-	{NULL, 3, "\x00\x80\x00"},
-	{NULL, 5, "\x00\x80\x00\x00\x00"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00", 			NULL },
+	{NULL, 1, "\x7f", 			NULL },
+	{NULL, 2, "\x00\x80", 			NULL },
+	{NULL, 2, "\x01\x00", 			NULL },
+	{NULL, 2, "\x02\x00", 			NULL },
+	{NULL, 3, "\x00\x80\x00", 		NULL },
+	{NULL, 5, "\x00\x80\x00\x00\x00",	NULL },
+	{NULL, 4, "\x7f\xff\xff\xff", 		NULL }
     };
 
     unsigned int values[] = {0, 127, 128, 256, 512, 32768,
@@ -222,13 +222,7 @@ test_unsigned (void)
 static int
 cmp_octet_string (void *a, void *b)
 {
-    heim_octet_string *oa = (heim_octet_string *)a;
-    heim_octet_string *ob = (heim_octet_string *)b;
-
-    if (oa->length != ob->length)
-	return ob->length - oa->length;
-
-    return (memcmp (oa->data, ob->data, oa->length));
+    return der_heim_octet_string_cmp(a, b);
 }
 
 static int
@@ -237,7 +231,7 @@ test_octet_string (void)
     heim_octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
 
     struct test_case tests[] = {
-	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef"}
+	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef", NULL }
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -278,8 +272,8 @@ test_bmp_string (void)
     heim_bmp_string s2 = { 2, bmp_d2 };
 
     struct test_case tests[] = {
-	{NULL, 2, "\x00\x20"},
-	{NULL, 4, "\x00\x20\x00\x20"}
+	{NULL, 2, "\x00\x20", 		NULL },
+	{NULL, 4, "\x00\x20\x00\x20", 	NULL }
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -326,8 +320,8 @@ test_universal_string (void)
     heim_universal_string s2 = { 2, universal_d2 };
 
     struct test_case tests[] = {
-	{NULL, 4, "\x00\x00\x00\x20"},
-	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20"}
+	{NULL, 4, "\x00\x00\x00\x20", 			NULL },
+	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20", 	NULL }
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -370,7 +364,7 @@ test_general_string (void)
     char *s1 = "Test User 1";
 
     struct test_case tests[] = {
-	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
+	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31", NULL }
     };
     int ret, ntests = sizeof(tests) / sizeof(*tests);
 
@@ -397,15 +391,15 @@ cmp_generalized_time (void *a, void *b)
     time_t *ta = (time_t *)a;
     time_t *tb = (time_t *)b;
 
-    return *tb - *ta;
+    return (int)(*tb - *ta);
 }
 
 static int
 test_generalized_time (void)
 {
     struct test_case tests[] = {
-	{NULL, 15, "19700101000000Z"},
-	{NULL, 15, "19851106210627Z"}
+	{NULL, 15, "19700101000000Z", 		NULL },
+	{NULL, 15, "19851106210627Z", 		NULL }
     };
     time_t values[] = {0, 500159187};
     int i, ret;
@@ -446,10 +440,10 @@ static int
 test_oid (void)
 {
     struct test_case tests[] = {
-	{NULL, 2, "\x29\x01"},
-	{NULL, 1, "\x29"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 1, "\xff"}
+	{NULL, 2, "\x29\x01", 		NULL },
+	{NULL, 1, "\x29", 		NULL },
+	{NULL, 2, "\xff\x01", 		NULL },
+	{NULL, 1, "\xff", 		NULL }
     };
     heim_oid values[] = {
 	{ 3, oid_comp1 },
@@ -490,7 +484,7 @@ static int
 test_bit_string (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\x00", 		NULL }
     };
     heim_bit_string values[] = {
 	{ 0, "" }
@@ -528,13 +522,13 @@ static int
 test_heim_integer (void)
 {
     struct test_case tests[] = {
-	{NULL, 2, "\xfe\x01"},
-	{NULL, 2, "\xef\x01"},
-	{NULL, 3, "\xff\x00\xff"},
-	{NULL, 3, "\xff\x01\x00"},
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x01"},
-	{NULL, 2, "\x00\x80"}
+	{NULL, 2, "\xfe\x01", 		NULL },
+	{NULL, 2, "\xef\x01", 		NULL },
+	{NULL, 3, "\xff\x00\xff", 	NULL },
+	{NULL, 3, "\xff\x01\x00", 	NULL },
+	{NULL, 1, "\x00", 		NULL },
+	{NULL, 1, "\x01", 		NULL },
+	{NULL, 2, "\x00\x80", 		NULL }
     };
 
     heim_integer values[] = {
@@ -592,8 +586,8 @@ static int
 test_boolean (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\xff"},
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\xff", 		NULL },
+	{NULL, 1, "\x00", 		NULL }
     };
 
     int values[] = { 1, 0 };
@@ -1075,6 +1069,104 @@ corner_tag(void)
     return 0;
 }
 
+struct randomcheck {
+    asn1_type_decode decoder;
+    asn1_type_release release;
+    size_t typesize;
+    size_t inputsize;
+} randomcheck[] = {
+#define el(name, type, maxlen) {			\
+	(asn1_type_decode)der_get_##name,		\
+	(asn1_type_release)der_free_##name,		\
+	sizeof(type), 					\
+	maxlen						\
+    }
+    el(integer, int, 6),
+    el(heim_integer, heim_integer, 12),
+    el(integer, int, 6),
+    el(unsigned, unsigned, 6),
+    el(general_string, heim_general_string, 12),
+    el(octet_string, heim_octet_string, 12),
+    { (asn1_type_decode)der_get_octet_string_ber,
+      (asn1_type_release)der_free_octet_string,
+      sizeof(heim_octet_string), 20 },
+    el(generalized_time, time_t, 20),
+    el(utctime, time_t, 20),
+    el(bit_string, heim_bit_string, 10),
+    el(oid, heim_oid, 10),
+    { NULL, NULL, 0, 0 }
+#undef el
+};
+
+static void
+asn1rand(uint8_t *randbytes, size_t len)
+{
+    while (len) {
+	*randbytes++ = rk_random();
+	len--;
+    }
+}
+
+static int
+check_random(void)
+{
+    struct randomcheck *r = randomcheck;
+    uint8_t *input;
+    void *type;
+    size_t size, insize;
+    int ret;
+
+    while (r->decoder) {
+	type = emalloc(r->typesize);
+	memset(type, 0, r->typesize);
+
+	input = emalloc(r->inputsize);
+
+	/* try all zero first */
+	memset(input, 0, r->inputsize);
+
+	ret = r->decoder(input, r->inputsize, type, &size);
+	if (ret)
+	    r->release(type);
+	
+	/* try all one first */
+	memset(input, 0xff, r->inputsize);
+	ret = r->decoder(input, r->inputsize, type, &size);
+	if (ret)
+	    r->release(type);
+
+	/* try 0x41 too */
+	memset(input, 0x41, r->inputsize);
+	ret = r->decoder(input, r->inputsize, type, &size);
+	if (ret)
+	    r->release(type);
+
+	/* random */
+	asn1rand(input, r->inputsize);
+	ret = r->decoder(input, r->inputsize, type, &size);
+	if (ret)
+	    r->release(type);
+
+	/* let make buffer smaller */
+	insize = r->inputsize;
+	do {
+	    insize--;
+	    asn1rand(input, insize);
+
+	    ret = r->decoder(input, insize, type, &size);
+	    if (ret == 0)
+		r->release(type);
+	} while(insize > 0);
+
+	free(type);
+
+	r++;
+    }
+    return 0;
+}
+
+
+
 int
 main(int argc, char **argv)
 {
@@ -1110,6 +1202,7 @@ main(int argc, char **argv)
     ret += test_misc_cmp();
     ret += corner_generalized_time();
     ret += corner_tag();
+    ret += check_random();
 
     return ret;
 }
diff --git a/lib/asn1/check-gen.c b/lib/asn1/check-gen.c
index e686f166cfa0..bf2da8e7519a 100644
--- a/lib/asn1/check-gen.c
+++ b/lib/asn1/check-gen.c
@@ -33,9 +33,7 @@
  * SUCH DAMAGE.
  */
 
-#ifdef HAVE_CONFIG_H
 #include <config.h>
-#endif
 #include <stdio.h>
 #include <string.h>
 #include <err.h>
@@ -48,32 +46,15 @@
 #include <heim_asn1.h>
 #include <rfc2459_asn1.h>
 #include <test_asn1.h>
+#include <cms_asn1.h>
 
 #include "check-common.h"
 
-RCSID("$Id$");
-
 static char *lha_principal[] = { "lha" };
 static char *lharoot_princ[] = { "lha", "root" };
 static char *datan_princ[] = { "host", "nutcracker.e.kth.se" };
 static char *nada_tgt_principal[] = { "krbtgt", "NADA.KTH.SE" };
 
-
-#define IF_OPT_COMPARE(ac,bc,e) \
-	if (((ac)->e == NULL && (bc)->e != NULL) || (((ac)->e != NULL && (bc)->e == NULL))) return 1; if ((ab)->e)
-#define COMPARE_OPT_STRING(ac,bc,e) \
-	do { if (strcmp(*(ac)->e, *(bc)->e) != 0) return 1; } while(0)
-#define COMPARE_OPT_OCTECT_STRING(ac,bc,e) \
-	do { if ((ac)->e->length != (bc)->e->length || memcmp((ac)->e->data, (bc)->e->data, (ac)->e->length) != 0) return 1; } while(0)
-#define COMPARE_STRING(ac,bc,e) \
-	do { if (strcmp((ac)->e, (bc)->e) != 0) return 1; } while(0)
-#define COMPARE_INTEGER(ac,bc,e) \
-	do { if ((ac)->e != (bc)->e) return 1; } while(0)
-#define COMPARE_OPT_INTEGER(ac,bc,e) \
-	do { if (*(ac)->e != *(bc)->e) return 1; } while(0)
-#define COMPARE_MEM(ac,bc,e,len) \
-	do { if (memcmp((ac)->e, (bc)->e,len) != 0) return 1; } while(0)
-
 static int
 cmp_principal (void *a, void *b)
 {
@@ -98,18 +79,21 @@ test_principal (void)
     struct test_case tests[] = {
 	{ NULL, 29,
 	  "\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
-	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45"
+	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 35,
 	  "\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b"
 	  "\x03\x6c\x68\x61\x1b\x04\x72\x6f\x6f\x74\xa1\x07\x1b\x05\x53\x55"
-	  "\x2e\x53\x45"
+	  "\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 54,
 	  "\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b"
 	  "\x04\x68\x6f\x73\x74\x1b\x13\x6e\x75\x74\x63\x72\x61\x63\x6b\x65"
 	  "\x72\x2e\x65\x2e\x6b\x74\x68\x2e\x73\x65\xa1\x0a\x1b\x08\x45\x2e"
-	  "\x4b\x54\x48\x2e\x53\x45"
+	  "\x4b\x54\x48\x2e\x53\x45",
+	  NULL
 	}
     };
 
@@ -171,7 +155,8 @@ test_authenticator (void)
 	  "\x45\x2e\x4b\x54\x48\x2e\x53\x45\xa2\x10\x30\x0e\xa0"
 	  "\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61"
 	  "\xa4\x03\x02\x01\x0a\xa5\x11\x18\x0f\x31\x39\x37\x30"
-	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a"
+	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a",
+	  NULL
 	},
 	{ NULL, 67,
 	  "\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05"
@@ -179,7 +164,8 @@ test_authenticator (void)
 	  "\x01\xa1\x0d\x30\x0b\x1b\x03\x6c\x68\x61\x1b\x04\x72"
 	  "\x6f\x6f\x74\xa4\x04\x02\x02\x01\x24\xa5\x11\x18\x0f"
 	  "\x31\x39\x37\x30\x30\x31\x30\x31\x30\x30\x31\x36\x33"
-	  "\x39\x5a"
+	  "\x39\x5a",
+	  NULL
 	}
     };
 
@@ -251,7 +237,7 @@ cmp_KRB_ERROR (void *a, void *b)
 	COMPARE_OPT_STRING(aa,ab,e_text);
     }
     IF_OPT_COMPARE(aa,ab,e_data) {
-	/* COMPARE_OPT_OCTECT_STRING(aa,ab,e_data); */
+	/* COMPARE_OPT_OCTET_STRING(aa,ab,e_data); */
     }
 
     return 0;
@@ -532,7 +518,7 @@ test_time (void)
 	  "time 1" },
 	{ NULL,  17,
 	  "\x18\x0f\x32\x30\x30\x39\x30\x35\x32\x34\x30\x32\x30\x32\x34\x30"
-	  "\x5a"
+	  "\x5a",
 	  "time 2" }
     };
 
@@ -668,6 +654,91 @@ test_cert(void)
     return 0;
 }
 
+struct {
+    const char *sd;
+    size_t len;
+} signeddata[] = {
+    {
+	"\x30\x80\x02\x01\x03\x31\x0b\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a"
+	"\x05\x00\x30\x80\x06\x07\x2b\x06\x01\x05\x02\x03\x03\xa0\x80\x24"
+	"\x80\x04\x50\x30\x4e\xa0\x2b\x30\x29\xa0\x03\x02\x01\x12\xa1\x22"
+	"\x04\x20\x78\xf4\x86\x31\xc6\xc2\xc9\xcb\xef\x0c\xd7\x3a\x2a\xcd"
+	"\x8c\x13\x34\x83\xb1\x5c\xa8\xbe\xbf\x2f\xea\xd2\xbb\xd8\x8c\x18"
+	"\x47\x01\xa1\x1f\x30\x1d\xa0\x03\x02\x01\x0c\xa1\x16\x04\x14\xa6"
+	"\x2c\x52\xb2\x80\x98\x30\x40\xbc\x5f\xb0\x77\x2d\x8a\xd7\xa1\xda"
+	"\x3c\xc5\x62\x00\x00\x00\x00\x00\x00\xa0\x82\x02\x09\x30\x82\x02"
+	"\x05\x30\x82\x01\x6e\xa0\x03\x02\x01\x02\x02\x04\x49\x75\x57\xbf"
+	"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05\x30\x3b\x31"
+	"\x1f\x30\x1d\x06\x03\x55\x04\x03\x0c\x16\x63\x6f\x6d\x2e\x61\x70"
+	"\x70\x6c\x65\x2e\x6b\x65\x72\x62\x65\x72\x6f\x73\x2e\x6b\x64\x63"
+	"\x31\x18\x30\x16\x06\x03\x55\x04\x0a\x0c\x0f\x53\x79\x73\x74\x65"
+	"\x6d\x20\x49\x64\x65\x6e\x74\x69\x74\x79\x30\x1e\x17\x0d\x30\x39"
+	"\x31\x32\x30\x34\x30\x30\x32\x30\x32\x34\x5a\x17\x0d\x32\x39\x31"
+	"\x31\x32\x39\x30\x30\x32\x30\x32\x34\x5a\x30\x3b\x31\x1f\x30\x1d"
+	"\x06\x03\x55\x04\x03\x0c\x16\x63\x6f\x6d\x2e\x61\x70\x70\x6c\x65"
+	"\x2e\x6b\x65\x72\x62\x65\x72\x6f\x73\x2e\x6b\x64\x63\x31\x18\x30"
+	"\x16\x06\x03\x55\x04\x0a\x0c\x0f\x53\x79\x73\x74\x65\x6d\x20\x49"
+	"\x64\x65\x6e\x74\x69\x74\x79\x30\x81\x9f\x30\x0d\x06\x09\x2a\x86"
+	"\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x81\x8d\x00\x30\x81\x89"
+	"\x02\x81\x81\x00\xb2\xc5\x4b\x34\xe3\x93\x99\xbb\xaa\xd1\x70\x62"
+	"\x6c\x9c\xcc\xa6\xbc\x47\xc3\x23\xff\x15\xb9\x11\x27\x0a\xf8\x55"
+	"\x4c\xb2\x43\x34\x75\xad\x55\xbb\xb9\x8a\xd0\x25\x64\xa4\x8c\x82"
+	"\x74\x5d\x89\x52\xe2\x76\x75\x08\x67\xb5\x9c\x9c\x69\x86\x0c\x6d"
+	"\x79\xf7\xa0\xbe\x42\x8f\x90\x46\x0c\x18\xf4\x7a\x56\x17\xa4\x65"
+	"\x00\x3a\x5e\x3e\xbf\xbc\xf5\xe2\x2c\x26\x03\x52\xdd\xd4\x85\x3f"
+	"\x03\xd7\x0c\x45\x7f\xff\xdd\x1e\x70\x6c\x9f\xb0\x8c\xd0\x33\xad"
+	"\x92\x54\x17\x9d\x88\x89\x1a\xee\xef\xf7\x96\x3e\x68\xc3\xd1\x60"
+	"\x47\x86\x80\x5d\x02\x03\x01\x00\x01\xa3\x18\x30\x16\x30\x14\x06"
+	"\x03\x55\x1d\x25\x04\x0d\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x63"
+	"\x64\x04\x04\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
+	"\x05\x00\x03\x81\x81\x00\x9b\xbb\xaa\x63\x66\xd8\x70\x84\x3e\xf6"
+	"\xa1\x3b\xf3\xe6\xd7\x3d\xfc\x4f\xc9\x45\xaa\x31\x43\x8d\xb5\x72"
+	"\xe4\x34\x95\x7b\x6e\x5f\xe5\xc8\x5e\xaf\x12\x08\x6d\xd7\x25\x76"
+	"\x40\xd5\xdc\x83\x7f\x2f\x74\xd1\x63\xc0\x7c\x26\x4d\x53\x10\xe7"
+	"\xfa\xcc\xf2\x60\x41\x63\xdf\x56\xd6\xd9\xc0\xb4\xd0\x73\x99\x54"
+	"\x40\xad\x90\x79\x2d\xd2\x5e\xcb\x13\x22\x2b\xd0\x76\xef\x8a\x48"
+	"\xfd\xb2\x6e\xca\x04\x4e\x91\x3f\xb4\x63\xad\x22\x3a\xf7\x20\x9c"
+	"\x4c\x0e\x47\x78\xe5\x2a\x85\x0e\x90\x7a\xce\x46\xe6\x15\x02\xb0"
+	"\x83\xe7\xac\xfa\x92\xf8\x31\x81\xe8\x30\x81\xe5\x02\x01\x01\x30"
+	"\x43\x30\x3b\x31\x1f\x30\x1d\x06\x03\x55\x04\x03\x0c\x16\x63\x6f"
+	"\x6d\x2e\x61\x70\x70\x6c\x65\x2e\x6b\x65\x72\x62\x65\x72\x6f\x73"
+	"\x2e\x6b\x64\x63\x31\x18\x30\x16\x06\x03\x55\x04\x0a\x0c\x0f\x53"
+	"\x79\x73\x74\x65\x6d\x20\x49\x64\x65\x6e\x74\x69\x74\x79\x02\x04"
+	"\x49\x75\x57\xbf\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x30"
+	"\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x04\x81"
+	"\x80\x50\x2c\x69\xe1\xd2\xc4\xd1\xcc\xdc\xe0\xe9\x8a\x6b\x6a\x97"
+	"\x1b\xb4\xe0\xa8\x20\xbe\x09\x6d\xe1\x55\x5f\x07\x70\x94\x2e\x14"
+	"\xed\x4e\xb1\x69\x75\x40\xbb\x99\x87\xed\x23\x50\x27\x5f\xaa\xc4"
+	"\x84\x60\x06\xfe\x45\xfd\x7e\x1b\x18\xe0\x0b\x77\x35\x2a\xb2\xf2"
+	"\xe0\x88\x31\xad\x82\x31\x4a\xbc\x6d\x71\x62\xe6\x4d\x33\xb4\x09"
+	"\x6e\x3f\x14\x12\xf2\x89\x29\x31\x84\x60\x2b\xa8\x2d\xe6\xca\x2f"
+	"\x03\x3d\xd4\x69\x89\xb3\x98\xfd\xac\x63\x14\xaf\x6a\x52\x2a\xac"
+	"\xe3\x8e\xfa\x21\x41\x8f\xcc\x04\x2d\x52\xee\x49\x54\x0d\x58\x51"
+	"\x77\x00\x00",
+	883
+    }
+};
+
+static int
+test_SignedData(void)
+{
+    SignedData sd;
+    size_t size, i;
+    int ret;
+
+    for (i = 0; i < sizeof(signeddata) / sizeof(signeddata[0]); i++) {
+
+	ret = decode_SignedData((unsigned char *)signeddata[i].sd,
+				signeddata[i].len, &sd, &size);
+	if (ret)
+	    return ret;
+
+	free_SignedData(&sd);
+    }
+
+    return 0;
+}
+
 
 static int
 cmp_TESTLargeTag (void *a, void *b)
@@ -765,6 +836,132 @@ check_tag_length(void)
 }
 
 static int
+check_tag_length64(void)
+{
+    struct test_data td[] = {
+	{ 1, 3, 3, "\x02\x01\x00"},
+	{ 1, 7, 7, "\x02\x05\x01\xff\xff\xff\xff"},
+	{ 1, 7, 7, "\x02\x05\x02\x00\x00\x00\x00"},
+	{ 1, 9, 9, "\x02\x07\x7f\xff\xff\xff\xff\xff\xff"},
+	{ 1, 10, 10, "\x02\x08\x00\x80\x00\x00\x00\x00\x00\x00"},
+	{ 1, 10, 10, "\x02\x08\x7f\xff\xff\xff\xff\xff\xff\xff"},
+	{ 1, 11, 11, "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff"},
+	{ 0, 3, 0, "\x02\x02\x00"},
+	{ 0, 3, 0, "\x02\x7f\x7f"},
+	{ 0, 4, 0, "\x02\x03\x00\x80"},
+	{ 0, 4, 0, "\x02\x7f\x01\x00"},
+	{ 0, 5, 0, "\x02\xff\x7f\x02\x00"}
+    };
+    size_t sz;
+    TESTuint64 values[] = {0, 8589934591LL, 8589934592LL,
+			   36028797018963967LL, 36028797018963968LL,
+			   9223372036854775807LL, 18446744073709551615ULL,
+			   0, 127, 128, 256, 512 };
+    TESTuint64 u;
+    int i, ret, failed = 0;
+    void *buf;
+
+    if (sizeof(TESTuint64) != sizeof(uint64_t)) {
+	ret += 1;
+	printf("sizeof(TESTuint64) %d != sizeof(uint64_t) %d\n",
+	       (int)sizeof(TESTuint64), (int)sizeof(uint64_t));
+    }
+
+    for (i = 0; i < sizeof(td)/sizeof(td[0]); i++) {
+	struct map_page *page;
+
+	buf = map_alloc(OVERRUN, td[i].data, td[i].len, &page);
+
+	ret = decode_TESTuint64(buf, td[i].len, &u, &sz);
+	if (ret) {
+	    if (td[i].ok) {
+		printf("failed with tag len test %d\n", i);
+		printf("ret = %d\n", ret);
+		failed = 1;
+	    }
+	} else {
+	    if (td[i].ok == 0) {
+		printf("failed with success for tag len test %d\n", i);
+		failed = 1;
+	    }
+	    if (td[i].expected_len != sz) {
+		printf("wrong expected size for tag test %d\n", i);
+		printf("sz = %lu\n", (unsigned long)sz);
+		failed = 1;
+	    }
+	    if (values[i] != u) {
+		printf("wrong value for tag test %d\n", i);
+		printf("Expected value: %llu\nActual value: %llu\n",
+		       (unsigned long long)values[i], (unsigned long long)u);
+		failed = 1;
+	    }
+	}
+	map_free(page, "test", "decode");
+    }
+    return failed;
+}
+
+static int
+check_tag_length64s(void)
+{
+    struct test_data td[] = {
+	{ 1, 3, 3, "\x02\x01\x00"},
+	{ 1, 7, 7, "\x02\x05\xfe\x00\x00\x00\x01"},
+	{ 1, 7, 7, "\x02\x05\xfe\x00\x00\x00\x00"},
+	{ 1, 9, 9, "\x02\x07\x80\x00\x00\x00\x00\x00\x01"},
+	{ 1, 9, 9, "\x02\x07\x80\x00\x00\x00\x00\x00\x00"},
+	{ 1, 10, 10, "\x02\x08\x80\x00\x00\x00\x00\x00\x00\x01"},
+	{ 1, 9, 9, "\x02\x07\x80\x00\x00\x00\x00\x00\x01"},
+	{ 0, 3, 0, "\x02\x02\x00"},
+	{ 0, 3, 0, "\x02\x7f\x7f"},
+	{ 0, 4, 0, "\x02\x03\x00\x80"},
+	{ 0, 4, 0, "\x02\x7f\x01\x00"},
+	{ 0, 5, 0, "\x02\xff\x7f\x02\x00"}
+    };
+    size_t sz;
+    TESTint64 values[] = {0, -8589934591LL, -8589934592LL,
+			   -36028797018963967LL, -36028797018963968LL,
+			   -9223372036854775807LL, -36028797018963967LL,
+			   0, 127, 128, 256, 512 };
+    TESTint64 u;
+    int i, ret, failed = 0;
+    void *buf;
+
+    for (i = 0; i < sizeof(td)/sizeof(td[0]); i++) {
+	struct map_page *page;
+
+	buf = map_alloc(OVERRUN, td[i].data, td[i].len, &page);
+
+	ret = decode_TESTint64(buf, td[i].len, &u, &sz);
+	if (ret) {
+	    if (td[i].ok) {
+		printf("failed with tag len test %d\n", i);
+		printf("ret = %d\n", ret);
+		failed = 1;
+	    }
+	} else {
+	    if (td[i].ok == 0) {
+		printf("failed with success for tag len test %d\n", i);
+		failed = 1;
+	    }
+	    if (td[i].expected_len != sz) {
+		printf("wrong expected size for tag test %d\n", i);
+		printf("sz = %lu\n", (unsigned long)sz);
+		failed = 1;
+	    }
+	    if (values[i] != u) {
+		printf("wrong value for tag test %d\n", i);
+		printf("Expected value: %lld\nActual value: %lld\n",
+		       (long long)values[i], (long long)u);
+		failed = 1;
+	    }
+	}
+	map_free(page, "test", "decode");
+    }
+    return failed;
+}
+
+static int
 cmp_TESTChoice (void *a, void *b)
 {
     return 0;
@@ -818,6 +1015,7 @@ test_choice (void)
     return ret;
 }
 
+#ifdef IMPLICIT_TAGGING_WORKS
 static int
 cmp_TESTImplicit (void *a, void *b)
 {
@@ -829,27 +1027,30 @@ cmp_TESTImplicit (void *a, void *b)
     COMPARE_INTEGER(aa,ab,ti3);
     return 0;
 }
+#endif
 
 /*
 UNIV CONS Sequence 14
   CONTEXT PRIM 0 1 00
   CONTEXT CONS 1 6
-   CONTEXT CONS 127 3
-     UNIV PRIM Integer 1 02
+    CONTEXT CONS 127 3
+      UNIV PRIM Integer 1 02
   CONTEXT PRIM 2 1 03
 */
 
 static int
 test_implicit (void)
 {
+    int ret = 0;
+#ifdef IMPLICIT_TAGGING_WORKS
     struct test_case tests[] = {
-	{ NULL,  16,
-	  "\x30\x0e\x80\x01\x00\xa1\x06\xbf"
-	  "\x7f\x03\x02\x01\x02\x82\x01\x03",
+	{ NULL,  18,
+	  "\x30\x10\x80\x01\x00\xa1\x06\xbf"
+	  "\x7f\x03\x02\x01\x02\xa2\x03\x84\x01\x03",
 	  "implicit 1" }
     };
 
-    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    int ntests = sizeof(tests) / sizeof(*tests);
     TESTImplicit c0;
 
     memset(&c0, 0, sizeof(c0));
@@ -866,7 +1067,6 @@ test_implicit (void)
 			 cmp_TESTImplicit,
 			 (generic_copy)copy_TESTImplicit);
 
-#ifdef IMPLICIT_TAGGING_WORKS
     ret += generic_test (tests, ntests, sizeof(TESTImplicit2),
 			 (generic_encode)encode_TESTImplicit2,
 			 (generic_length)length_TESTImplicit2,
@@ -892,7 +1092,7 @@ cmp_TESTAlloc (void *a, void *b)
     COMPARE_INTEGER(aa,ab,three);
 
     IF_OPT_COMPARE(aa,ab,tagless2) {
-	COMPARE_OPT_OCTECT_STRING(aa, ab, tagless2);
+	COMPARE_OPT_OCTET_STRING(aa, ab, tagless2);
     }
 
     return 0;
@@ -1059,7 +1259,7 @@ check_fail_largetag(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 7, "\x30\x05\xa1\x03\x02\x02\x01",
 	 "one too short" },
-	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01"
+	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01",
 	 "two too short" },
 	{NULL, 7, "\x30\x03\xa1\x03\x02\x02\x01",
 	 "three too short" },
@@ -1094,7 +1294,7 @@ check_fail_sequence(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 24,
 	 "\x30\x16\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
-	 "\x02\x01\x01\xa2\x03\x02\x01\x01"
+	 "\x02\x01\x01\xa2\x03\x02\x01\x01",
 	 "missing one byte from the end, internal length ok"},
 	{NULL, 25,
 	 "\x30\x18\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
@@ -1129,6 +1329,30 @@ check_fail_choice(void)
 }
 
 static int
+check_fail_Ticket(void)
+{
+    char buf[100];
+    size_t i;
+    int ret;
+    struct test_case test;
+    Ticket ticket;
+
+    for (i = 0; i < sizeof(buf); i++) {
+	memset(buf, 0, sizeof(buf));
+	memset(&ticket, 0, sizeof(ticket));
+	test.val = &ticket;
+	test.byte_len = i;
+	test.bytes = buf;
+	test.name = "zero life";
+	ret = generic_decode_fail(&test, 1, sizeof(Ticket),
+				  (generic_decode)decode_Ticket);
+	if (ret)
+	    return ret;
+    }
+    return 0;
+}
+
+static int
 check_seq(void)
 {
     TESTSeqOf seq;
@@ -1276,6 +1500,276 @@ check_TESTMechTypeList(void)
     return 0;
 }
 
+#ifdef IMPLICIT_TAGGING_WORKS
+static int
+cmp_TESTSeqOf4(void *a, void *b)
+{
+    TESTSeqOf4 *aa = a;
+    TESTSeqOf4 *ab = b;
+    int i;
+
+    IF_OPT_COMPARE(aa, ab, b1) {
+	COMPARE_INTEGER(aa->b1, ab->b1, len);
+	for (i = 0; i < aa->b1->len; ++i) {
+	    COMPARE_INTEGER(aa->b1->val+i, ab->b1->val+i, u1);
+	    COMPARE_INTEGER(aa->b1->val+i, ab->b1->val+i, u2);
+	    COMPARE_OCTET_STRING(aa->b1->val+i, ab->b1->val+i, s1);
+	    COMPARE_OCTET_STRING(aa->b1->val+i, ab->b1->val+i, s2);
+	}
+    }
+    IF_OPT_COMPARE(aa, ab, b2) {
+	COMPARE_INTEGER(aa->b2, ab->b2, len);
+	for (i = 0; i < aa->b2->len; ++i) {
+	    COMPARE_INTEGER(aa->b2->val+i, ab->b2->val+i, u1);
+	    COMPARE_INTEGER(aa->b2->val+i, ab->b2->val+i, u2);
+	    COMPARE_INTEGER(aa->b2->val+i, ab->b2->val+i, u3);
+	    COMPARE_OCTET_STRING(aa->b2->val+i, ab->b2->val+i, s1);
+	    COMPARE_OCTET_STRING(aa->b2->val+i, ab->b2->val+i, s2);
+	    COMPARE_OCTET_STRING(aa->b2->val+i, ab->b2->val+i, s3);
+	}
+    }
+    IF_OPT_COMPARE(aa, ab, b3) {
+	COMPARE_INTEGER(aa->b3, ab->b3, len);
+	for (i = 0; i < aa->b3->len; ++i) {
+	    COMPARE_INTEGER(aa->b3->val+i, ab->b3->val+i, u1);
+	    COMPARE_INTEGER(aa->b3->val+i, ab->b3->val+i, u2);
+	    COMPARE_INTEGER(aa->b3->val+i, ab->b3->val+i, u3);
+	    COMPARE_INTEGER(aa->b3->val+i, ab->b3->val+i, u4);
+	    COMPARE_OCTET_STRING(aa->b3->val+i, ab->b3->val+i, s1);
+	    COMPARE_OCTET_STRING(aa->b3->val+i, ab->b3->val+i, s2);
+	    COMPARE_OCTET_STRING(aa->b3->val+i, ab->b3->val+i, s3);
+	    COMPARE_OCTET_STRING(aa->b3->val+i, ab->b3->val+i, s4);
+	}
+    }
+    return 0;
+}
+#endif  /* IMPLICIT_TAGGING_WORKS */
+
+static int
+test_seq4 (void)
+{
+    int ret = 0;
+#ifdef IMPLICIT_TAGGING_WORKS
+    struct test_case tests[] = {
+	{ NULL,  2,
+	  "\x30\x00",
+	  "seq4 0" },
+	{ NULL,  4,
+	  "\x30\x02" "\xa1\x00",
+	  "seq4 1" },
+	{ NULL,  8,
+	  "\x30\x06" "\xa0\x02\x30\x00" "\xa1\x00",
+	  "seq4 2" },
+	{ NULL,  2 + (2 + 0x18) + (2 + 0x27) + (2 + 0x31),
+	  "\x30\x76"					/* 2 SEQ */
+	   "\xa0\x18\x30\x16"				/* 4 [0] SEQ */
+	    "\x30\x14"					/* 2 SEQ */
+	     "\x04\x00"					/* 2 OCTET-STRING */
+             "\x04\x02\x01\x02"				/* 4 OCTET-STRING */
+	     "\x02\x01\x01"				/* 3 INT */
+	     "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff"
+							/* 11 INT */
+	   "\xa1\x27"					/* 2 [1] IMPL SEQ */
+	    "\x30\x25"					/* 2 SEQ */
+	     "\x02\x01\x01"				/* 3 INT */
+	     "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff"
+							/* 11 INT */
+	     "\x02\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00"
+							/* 11 INT */
+	     "\x04\x00"					/* 2 OCTET-STRING */
+             "\x04\x02\x01\x02"				/* 4 OCTET-STRING */
+             "\x04\x04\x00\x01\x02\x03"			/* 6 OCTET-STRING */
+	   "\xa2\x31"					/* 2 [2] IMPL SEQ */
+	    "\x30\x2f"					/* 2 SEQ */
+	     "\x04\x00"					/* 2 OCTET-STRING */
+	     "\x02\x01\x01"				/* 3 INT */
+             "\x04\x02\x01\x02"				/* 4 OCTET-STRING */
+	     "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff"
+							/* 11 INT */
+             "\x04\x04\x00\x01\x02\x03"			/* 6 OCTET-STRING */
+	     "\x02\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00"
+							/* 11 INT */
+	     "\x04\x01\x00"				/* 3 OCTET-STRING */
+	     "\x02\x05\x01\x00\x00\x00\x00",		/* 7 INT */
+	  "seq4 3" },
+    };
+
+    int ntests = sizeof(tests) / sizeof(*tests);
+    TESTSeqOf4 c[4];
+    struct TESTSeqOf4_b1 b1[4];
+    struct TESTSeqOf4_b2 b2[4];
+    struct TESTSeqOf4_b3 b3[4];
+    struct TESTSeqOf4_b1_val b1val[4];
+    struct TESTSeqOf4_b2_val b2val[4];
+    struct TESTSeqOf4_b3_val b3val[4];
+
+    c[0].b1 = NULL;
+    c[0].b2 = NULL;
+    c[0].b3 = NULL;
+    tests[0].val = &c[0];
+
+    b2[1].len = 0;
+    b2[1].val = NULL;
+    c[1].b1 = NULL;
+    c[1].b2 = &b2[1];
+    c[1].b3 = NULL;
+    tests[1].val = &c[1];
+
+    b1[2].len = 0;
+    b1[2].val = NULL;
+    b2[2].len = 0;
+    b2[2].val = NULL;
+    c[2].b1 = &b1[2];
+    c[2].b2 = &b2[2];
+    c[2].b3 = NULL;
+    tests[2].val = &c[2];
+
+    b1val[3].s1.data = "";
+    b1val[3].s1.length = 0;
+    b1val[3].u1 = 1LL;
+    b1val[3].s2.data = "\x01\x02";
+    b1val[3].s2.length = 2;
+    b1val[3].u2 = -1LL;
+
+    b2val[3].s1.data = "";
+    b2val[3].s1.length = 0;
+    b2val[3].u1 = 1LL;
+    b2val[3].s2.data = "\x01\x02";
+    b2val[3].s2.length = 2;
+    b2val[3].u2 = -1LL;
+    b2val[3].s3.data = "\x00\x01\x02\x03";
+    b2val[3].s3.length = 4;
+    b2val[3].u3 = 1LL<<63;
+
+    b3val[3].s1.data = "";
+    b3val[3].s1.length = 0;
+    b3val[3].u1 = 1LL;
+    b3val[3].s2.data = "\x01\x02";
+    b3val[3].s2.length = 2;
+    b3val[3].u2 = -1LL;
+    b3val[3].s3.data = "\x00\x01\x02\x03";
+    b3val[3].s3.length = 4;
+    b3val[3].u3 = 1LL<<63;
+    b3val[3].s4.data = "\x00";
+    b3val[3].s4.length = 1;
+    b3val[3].u4 = 1LL<<32;
+
+    b1[3].len = 1;
+    b1[3].val = &b1val[3];
+    b2[3].len = 1;
+    b2[3].val = &b2val[3];
+    b3[3].len = 1;
+    b3[3].val = &b3val[3];
+    c[3].b1 = &b1[3];
+    c[3].b2 = &b2[3];
+    c[3].b3 = &b3[3];
+    tests[3].val = &c[3];
+
+    ret += generic_test (tests, ntests, sizeof(TESTSeqOf4),
+			 (generic_encode)encode_TESTSeqOf4,
+			 (generic_length)length_TESTSeqOf4,
+			 (generic_decode)decode_TESTSeqOf4,
+			 (generic_free)free_TESTSeqOf4,
+			 cmp_TESTSeqOf4,
+			 (generic_copy)copy_TESTSeqOf4);
+#endif  /* IMPLICIT_TAGGING_WORKS */
+    return ret;
+}
+
+static int
+cmp_test_seqof5 (void *a, void *b)
+{
+    TESTSeqOf5 *aval = a;
+    TESTSeqOf5 *bval = b;
+
+    IF_OPT_COMPARE(aval, bval, outer) {
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u0);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s0);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u1);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s1);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u2);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s2);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u3);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s3);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u4);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s4);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u5);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s5);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u6);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s6);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u7);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s7);
+    }
+    return 0;
+}
+
+static int
+test_seqof5(void)
+{
+    struct test_case tests[] = {
+	{ NULL,  2, "\x30\x00", "seq5 0" },
+	{ NULL,  126,
+          "\x30\x7c"                                            /* SEQ */
+            "\x30\x7a"                                          /* SEQ */
+              "\x30\x78"                                        /* SEQ */
+                "\x02\x01\x01"                                  /* INT 1 */
+                "\x04\x06\x01\x01\x01\x01\x01\x01"              /* "\0x1"x6 */
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfe"  /* INT ~1 */
+                "\x04\x06\x02\x02\x02\x02\x02\x02"              /* "\x02"x6 */
+                "\x02\x01\x02"                                  /* INT 2 */
+                "\x04\x06\x03\x03\x03\x03\x03\x03"              /* "\x03"x6 */
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfd"  /* INT ~2 */
+                "\x04\x06\x04\x04\x04\x04\x04\x04"              /* ... */
+                "\x02\x01\x03"
+                "\x04\x06\x05\x05\x05\x05\x05\x05"
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfc"
+                "\x04\x06\x06\x06\x06\x06\x06\x06"
+                "\x02\x01\x04"
+                "\x04\x06\x07\x07\x07\x07\x07\x07"
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfb"
+                "\x04\x06\x08\x08\x08\x08\x08\x08",
+          "seq5 1" },
+    };
+
+    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    TESTSeqOf5 c[2];
+    struct TESTSeqOf5_outer outer;
+    struct TESTSeqOf5_outer_inner inner;
+    TESTuint64 u[8];
+    heim_octet_string s[8];
+    int i;
+
+    c[0].outer = NULL;
+    tests[0].val = &c[0];
+
+    for (i = 0; i < 8; ++i) {
+        u[i] = (i&1) == 0 ? i/2+1 : ~(i/2+1);
+        s[i].data = memset(malloc(s[i].length = 6), i+1, 6);
+    }
+
+    inner.u0 = u[0]; inner.u1 = u[1]; inner.u2 = u[2]; inner.u3 = u[3];
+    inner.u4 = u[4]; inner.u5 = u[5]; inner.u6 = u[6]; inner.u7 = u[7];
+    inner.s0 = s[0]; inner.s1 = s[1]; inner.s2 = s[2]; inner.s3 = s[3];
+    inner.s4 = s[4]; inner.s5 = s[5]; inner.s6 = s[6]; inner.s7 = s[7];
+
+    outer.inner = inner;
+    c[1].outer = &outer;
+    tests[1].val = &c[1];
+
+    ret += generic_test (tests, ntests, sizeof(TESTSeqOf5),
+			 (generic_encode)encode_TESTSeqOf5,
+			 (generic_length)length_TESTSeqOf5,
+			 (generic_decode)decode_TESTSeqOf5,
+			 (generic_free)free_TESTSeqOf5,
+			 cmp_test_seqof5,
+			 NULL);
+
+    for (i = 0; i < 8; ++i)
+        free(s[i].data);
+
+    return ret;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -1291,21 +1785,28 @@ main(int argc, char **argv)
     ret += test_cert();
 
     ret += check_tag_length();
+    ret += check_tag_length64();
+    ret += check_tag_length64s();
     ret += test_large_tag();
     ret += test_choice();
 
     ret += test_implicit();
+
     ret += test_taglessalloc();
     ret += test_optional();
 
     ret += check_fail_largetag();
     ret += check_fail_sequence();
     ret += check_fail_choice();
+    ret += check_fail_Ticket();
 
     ret += check_seq();
     ret += check_seq_of_size();
+    ret += test_SignedData();
 
     ret += check_TESTMechTypeList();
+    ret += test_seq4();
+    ret += test_seqof5();
 
     return ret;
 }
diff --git a/lib/asn1/check-template.c b/lib/asn1/check-template.c
index 44d50168a963..72e42274b3f7 100644
--- a/lib/asn1/check-template.c
+++ b/lib/asn1/check-template.c
@@ -46,6 +46,7 @@
 #include <test_asn1.h>
 
 #include "check-common.h"
+#include "der_locl.h"
 
 static int
 cmp_dummy (void *a, void *b)
@@ -54,6 +55,44 @@ cmp_dummy (void *a, void *b)
 }
 
 static int
+test_uint64(void)
+{
+    struct test_case tests[] = {
+        { NULL, 3, "\x02\x01\x00", "uint64 0" },
+        { NULL, 7, "\x02\x05\x01\xff\xff\xff\xff", "uint64 1" },
+        { NULL, 7, "\x02\x05\x02\x00\x00\x00\x00", "uint64 2" },
+        { NULL, 9, "\x02\x07\x7f\xff\xff\xff\xff\xff\xff", "uint64 3" },
+        { NULL, 10, "\x02\x08\x00\x80\x00\x00\x00\x00\x00\x00", "uint64 4" },
+        { NULL, 10, "\x02\x08\x7f\xff\xff\xff\xff\xff\xff\xff", "uint64 5" },
+        { NULL, 11, "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", "uint64 6" }
+    };
+
+    size_t i;
+    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    TESTuint64 values[] = { 0, 8589934591LL, 8589934592LL,
+                           36028797018963967LL, 36028797018963968LL,
+                           9223372036854775807LL, 18446744073709551615ULL };
+
+    for (i = 0; i < ntests; i++)
+       tests[i].val = &values[i];
+
+    if (sizeof(TESTuint64) != sizeof(uint64_t)) {
+       ret += 1;
+       printf("sizeof(TESTuint64) %d != sizeof(uint64_t) %d\n",
+              (int)sizeof(TESTuint64), (int)sizeof(uint64_t));
+    }
+
+    ret += generic_test (tests, ntests, sizeof(TESTuint64),
+                        (generic_encode)encode_TESTuint64,
+                        (generic_length)length_TESTuint64,
+                        (generic_decode)decode_TESTuint64,
+                        (generic_free)free_TESTuint64,
+                        cmp_dummy,
+                        NULL);
+    return ret;
+}
+
+static int
 test_seqofseq(void)
 {
     struct test_case tests[] = {
@@ -241,15 +280,240 @@ test_seqof3(void)
 }
 
 
+static int
+test_seqof4(void)
+{
+    struct test_case tests[] = {
+	{ NULL,  2,
+	  "\x30\x00",
+	  "seq4 0" },
+	{ NULL,  4,
+	  "\x30\x02" "\xa1\x00",
+	  "seq4 1" },
+	{ NULL,  8,
+	  "\x30\x06" "\xa0\x02\x30\x00" "\xa1\x00",
+	  "seq4 2" },
+	{ NULL,  2 + (2 + 0x18) + (2 + 0x27) + (2 + 0x31),
+	  "\x30\x76"					/* 2 SEQ */
+	   "\xa0\x18\x30\x16"				/* 4 [0] SEQ */
+	    "\x30\x14"					/* 2 SEQ */
+	     "\x04\x00"					/* 2 OCTET-STRING */
+             "\x04\x02\x01\x02"				/* 4 OCTET-STRING */
+	     "\x02\x01\x01"				/* 3 INT */
+	     "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff"
+							/* 11 INT */
+	   "\xa1\x27"					/* 2 [1] IMPL SEQ */
+	    "\x30\x25"					/* 2 SEQ */
+	     "\x02\x01\x01"				/* 3 INT */
+	     "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff"
+							/* 11 INT */
+	     "\x02\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00"
+							/* 11 INT */
+	     "\x04\x00"					/* 2 OCTET-STRING */
+             "\x04\x02\x01\x02"				/* 4 OCTET-STRING */
+             "\x04\x04\x00\x01\x02\x03"			/* 6 OCTET-STRING */
+	   "\xa2\x31"					/* 2 [2] IMPL SEQ */
+	    "\x30\x2f"					/* 2 SEQ */
+	     "\x04\x00"					/* 2 OCTET-STRING */
+	     "\x02\x01\x01"				/* 3 INT */
+             "\x04\x02\x01\x02"				/* 4 OCTET-STRING */
+	     "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff"
+							/* 11 INT */
+             "\x04\x04\x00\x01\x02\x03"			/* 6 OCTET-STRING */
+	     "\x02\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00"
+							/* 11 INT */
+	     "\x04\x01\x00"				/* 3 OCTET-STRING */
+	     "\x02\x05\x01\x00\x00\x00\x00",		/* 7 INT */
+	  "seq4 3" },
+    };
+
+    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    TESTSeqOf4 c[4];
+    struct TESTSeqOf4_b1 b1[4];
+    struct TESTSeqOf4_b2 b2[4];
+    struct TESTSeqOf4_b3 b3[4];
+    struct TESTSeqOf4_b1_val b1val[4];
+    struct TESTSeqOf4_b2_val b2val[4];
+    struct TESTSeqOf4_b3_val b3val[4];
+
+    c[0].b1 = NULL;
+    c[0].b2 = NULL;
+    c[0].b3 = NULL;
+    tests[0].val = &c[0];
+
+    b2[1].len = 0;
+    b2[1].val = NULL;
+    c[1].b1 = NULL;
+    c[1].b2 = &b2[1];
+    c[1].b3 = NULL;
+    tests[1].val = &c[1];
+
+    b1[2].len = 0;
+    b1[2].val = NULL;
+    b2[2].len = 0;
+    b2[2].val = NULL;
+    c[2].b1 = &b1[2];
+    c[2].b2 = &b2[2];
+    c[2].b3 = NULL;
+    tests[2].val = &c[2];
+
+    b1val[3].s1.data = "";
+    b1val[3].s1.length = 0;
+    b1val[3].u1 = 1LL;
+    b1val[3].s2.data = "\x01\x02";
+    b1val[3].s2.length = 2;
+    b1val[3].u2 = -1LL;
+
+    b2val[3].s1.data = "";
+    b2val[3].s1.length = 0;
+    b2val[3].u1 = 1LL;
+    b2val[3].s2.data = "\x01\x02";
+    b2val[3].s2.length = 2;
+    b2val[3].u2 = -1LL;
+    b2val[3].s3.data = "\x00\x01\x02\x03";
+    b2val[3].s3.length = 4;
+    b2val[3].u3 = 1LL<<63;
+
+    b3val[3].s1.data = "";
+    b3val[3].s1.length = 0;
+    b3val[3].u1 = 1LL;
+    b3val[3].s2.data = "\x01\x02";
+    b3val[3].s2.length = 2;
+    b3val[3].u2 = -1LL;
+    b3val[3].s3.data = "\x00\x01\x02\x03";
+    b3val[3].s3.length = 4;
+    b3val[3].u3 = 1LL<<63;
+    b3val[3].s4.data = "\x00";
+    b3val[3].s4.length = 1;
+    b3val[3].u4 = 1LL<<32;
+
+    b1[3].len = 1;
+    b1[3].val = &b1val[3];
+    b2[3].len = 1;
+    b2[3].val = &b2val[3];
+    b3[3].len = 1;
+    b3[3].val = &b3val[3];
+    c[3].b1 = &b1[3];
+    c[3].b2 = &b2[3];
+    c[3].b3 = &b3[3];
+    tests[3].val = &c[3];
+
+    ret += generic_test (tests, ntests, sizeof(TESTSeqOf4),
+			 (generic_encode)encode_TESTSeqOf4,
+			 (generic_length)length_TESTSeqOf4,
+			 (generic_decode)decode_TESTSeqOf4,
+			 (generic_free)free_TESTSeqOf4,
+			 cmp_dummy,
+			 NULL);
+    return ret;
+}
+
+static int
+cmp_test_seqof5 (void *a, void *b)
+{
+    TESTSeqOf5 *aval = a;
+    TESTSeqOf5 *bval = b;
+
+    IF_OPT_COMPARE(aval, bval, outer) {
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u0);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s0);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u1);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s1);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u2);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s2);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u3);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s3);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u4);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s4);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u5);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s5);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u6);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s6);
+            COMPARE_INTEGER(&aval->outer->inner, &bval->outer->inner, u7);
+            COMPARE_OCTET_STRING(&aval->outer->inner, &bval->outer->inner, s7);
+    }
+    return 0;
+}
+
+static int
+test_seqof5(void)
+{
+    struct test_case tests[] = {
+	{ NULL,  2, "\x30\x00", "seq5 0" },
+	{ NULL,  126,
+          "\x30\x7c"                                            /* SEQ */
+            "\x30\x7a"                                          /* SEQ */
+              "\x30\x78"                                        /* SEQ */
+                "\x02\x01\x01"                                  /* INT 1 */
+                "\x04\x06\x01\x01\x01\x01\x01\x01"              /* "\0x1"x6 */
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfe"  /* INT ~1 */
+                "\x04\x06\x02\x02\x02\x02\x02\x02"              /* "\x02"x6 */
+                "\x02\x01\x02"                                  /* INT 2 */
+                "\x04\x06\x03\x03\x03\x03\x03\x03"              /* "\x03"x6 */
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfd"  /* INT ~2 */
+                "\x04\x06\x04\x04\x04\x04\x04\x04"              /* ... */
+                "\x02\x01\x03"
+                "\x04\x06\x05\x05\x05\x05\x05\x05"
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfc"
+                "\x04\x06\x06\x06\x06\x06\x06\x06"
+                "\x02\x01\x04"
+                "\x04\x06\x07\x07\x07\x07\x07\x07"
+                "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xfb"
+                "\x04\x06\x08\x08\x08\x08\x08\x08",
+          "seq5 1" },
+    };
+
+    int ret = 0, ntests = sizeof(tests) / sizeof(*tests);
+    TESTSeqOf5 c[2];
+    struct TESTSeqOf5_outer outer;
+    struct TESTSeqOf5_outer_inner inner;
+    TESTuint64 u[8];
+    heim_octet_string s[8];
+    int i;
+
+    c[0].outer = NULL;
+    tests[0].val = &c[0];
+
+    for (i = 0; i < 8; ++i) {
+        u[i] = (i&1) == 0 ? i/2+1 : ~(i/2+1);
+        s[i].data = memset(malloc(s[i].length = 6), i+1, 6);
+    }
+
+    inner.u0 = u[0]; inner.u1 = u[1]; inner.u2 = u[2]; inner.u3 = u[3];
+    inner.u4 = u[4]; inner.u5 = u[5]; inner.u6 = u[6]; inner.u7 = u[7];
+    inner.s0 = s[0]; inner.s1 = s[1]; inner.s2 = s[2]; inner.s3 = s[3];
+    inner.s4 = s[4]; inner.s5 = s[5]; inner.s6 = s[6]; inner.s7 = s[7];
+
+    outer.inner = inner;
+    c[1].outer = &outer;
+    tests[1].val = &c[1];
+
+    ret += generic_test (tests, ntests, sizeof(TESTSeqOf5),
+			 (generic_encode)encode_TESTSeqOf5,
+			 (generic_length)length_TESTSeqOf5,
+			 (generic_decode)decode_TESTSeqOf5,
+			 (generic_free)free_TESTSeqOf5,
+			 cmp_test_seqof5,
+			 NULL);
+
+    for (i = 0; i < 8; ++i)
+        free(s[i].data);
+
+    return ret;
+}
+
 int
 main(int argc, char **argv)
 {
     int ret = 0;
 
+    ret += test_uint64();
     ret += test_seqofseq();
     ret += test_seqofseq2();
     ret += test_seqof2();
     ret += test_seqof3();
+    ret += test_seqof4();
+    ret += test_seqof5();
 
     return ret;
 }
diff --git a/lib/asn1/der-private.h b/lib/asn1/der-private.h
index 555f71bd004d..14866dccea57 100644
--- a/lib/asn1/der-private.h
+++ b/lib/asn1/der-private.h
@@ -5,6 +5,20 @@
 #include <stdarg.h>
 
 int
+_asn1_bmember_isset_bit (
+	const void */*data*/,
+	unsigned int /*bit*/,
+	size_t /*size*/);
+
+void
+_asn1_bmember_put_bit (
+	unsigned char */*p*/,
+	const void */*data*/,
+	unsigned int /*bit*/,
+	size_t /*size*/,
+	unsigned int */*bitset*/);
+
+int
 _asn1_copy (
 	const struct asn1_template */*t*/,
 	const void */*from*/,
@@ -42,16 +56,37 @@ _asn1_encode (
 	const void */*data*/,
 	size_t */*size*/);
 
+int
+_asn1_encode_fuzzer (
+	const struct asn1_template */*t*/,
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const void */*data*/,
+	size_t */*size*/);
+
 void
 _asn1_free (
 	const struct asn1_template */*t*/,
 	void */*data*/);
 
+void
+_asn1_free_top (
+	const struct asn1_template */*t*/,
+	void */*data*/);
+
 size_t
 _asn1_length (
 	const struct asn1_template */*t*/,
 	const void */*data*/);
 
+size_t
+_asn1_length_fuzzer (
+	const struct asn1_template */*t*/,
+	const void */*data*/);
+
+size_t
+_asn1_sizeofType (const struct asn1_template */*t*/);
+
 struct tm *
 _der_gmtime (
 	time_t /*t*/,
@@ -71,8 +106,14 @@ size_t
 _heim_len_int (int /*val*/);
 
 size_t
+_heim_len_int64 (int64_t /*val*/);
+
+size_t
 _heim_len_unsigned (unsigned /*val*/);
 
+size_t
+_heim_len_unsigned64 (uint64_t /*val*/);
+
 int
 _heim_time2generalizedtime (
 	time_t /*t*/,
diff --git a/lib/asn1/der-protos.h b/lib/asn1/der-protos.h
index 3b3d81d175fb..9f709411778d 100644
--- a/lib/asn1/der-protos.h
+++ b/lib/asn1/der-protos.h
@@ -1,6 +1,7 @@
 /* This is a generated file */
 #ifndef __der_protos_h__
 #define __der_protos_h__
+#ifndef DOXY
 
 #include <stdarg.h>
 
@@ -9,6 +10,18 @@ extern "C" {
 #endif
 
 int
+asn1_fuzzer_done (void);
+
+int
+asn1_fuzzer_method (const char */*mode*/);
+
+void
+asn1_fuzzer_next (void);
+
+void
+asn1_fuzzer_reset (void);
+
+int
 copy_heim_any (
 	const heim_any */*from*/,
 	heim_any */*to*/);
@@ -68,6 +81,11 @@ der_copy_integer (
 	int */*to*/);
 
 int
+der_copy_integer64 (
+	const int64_t */*from*/,
+	int64_t */*to*/);
+
+int
 der_copy_octet_string (
 	const heim_octet_string */*from*/,
 	heim_octet_string */*to*/);
@@ -93,6 +111,11 @@ der_copy_unsigned (
 	unsigned */*to*/);
 
 int
+der_copy_unsigned64 (
+	const uint64_t */*from*/,
+	uint64_t */*to*/);
+
+int
 der_copy_utctime (
 	const time_t */*from*/,
 	time_t */*to*/);
@@ -129,6 +152,9 @@ void
 der_free_integer (int */*i*/);
 
 void
+der_free_integer64 (int64_t */*i*/);
+
+void
 der_free_octet_string (heim_octet_string */*k*/);
 
 void
@@ -144,6 +170,9 @@ void
 der_free_unsigned (unsigned */*u*/);
 
 void
+der_free_unsigned64 (uint64_t */*u*/);
+
+void
 der_free_utctime (time_t */*t*/);
 
 void
@@ -215,6 +244,13 @@ der_get_integer (
 	size_t */*size*/);
 
 int
+der_get_integer64 (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	int64_t */*ret*/,
+	size_t */*size*/);
+
+int
 der_get_length (
 	const unsigned char */*p*/,
 	size_t /*len*/,
@@ -253,7 +289,7 @@ int
 der_get_tag (
 	const unsigned char */*p*/,
 	size_t /*len*/,
-	Der_class */*class*/,
+	Der_class */*cls*/,
 	Der_type */*type*/,
 	unsigned int */*tag*/,
 	size_t */*size*/);
@@ -285,6 +321,13 @@ der_get_unsigned (
 	size_t */*size*/);
 
 int
+der_get_unsigned64 (
+	const unsigned char */*p*/,
+	size_t /*len*/,
+	uint64_t */*ret*/,
+	size_t */*size*/);
+
+int
 der_get_utctime (
 	const unsigned char */*p*/,
 	size_t /*len*/,
@@ -368,6 +411,9 @@ size_t
 der_length_integer (const int */*data*/);
 
 size_t
+der_length_integer64 (const int64_t */*data*/);
+
+size_t
 der_length_len (size_t /*len*/);
 
 size_t
@@ -389,6 +435,9 @@ size_t
 der_length_unsigned (const unsigned */*data*/);
 
 size_t
+der_length_unsigned64 (const uint64_t */*data*/);
+
+size_t
 der_length_utctime (const time_t */*t*/);
 
 size_t
@@ -401,7 +450,7 @@ int
 der_match_tag (
 	const unsigned char */*p*/,
 	size_t /*len*/,
-	Der_class /*class*/,
+	Der_class /*cls*/,
 	Der_type /*type*/,
 	unsigned int /*tag*/,
 	size_t */*size*/);
@@ -410,7 +459,7 @@ int
 der_match_tag2 (
 	const unsigned char */*p*/,
 	size_t /*len*/,
-	Der_class /*class*/,
+	Der_class /*cls*/,
 	Der_type */*type*/,
 	unsigned int /*tag*/,
 	size_t */*size*/);
@@ -419,7 +468,7 @@ int
 der_match_tag_and_length (
 	const unsigned char */*p*/,
 	size_t /*len*/,
-	Der_class /*class*/,
+	Der_class /*cls*/,
 	Der_type */*type*/,
 	unsigned int /*tag*/,
 	size_t */*length_ret*/,
@@ -509,6 +558,13 @@ der_put_integer (
 	size_t */*size*/);
 
 int
+der_put_integer64 (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const int64_t */*v*/,
+	size_t */*size*/);
+
+int
 der_put_length (
 	unsigned char */*p*/,
 	size_t /*len*/,
@@ -570,6 +626,13 @@ der_put_unsigned (
 	size_t */*size*/);
 
 int
+der_put_unsigned64 (
+	unsigned char */*p*/,
+	size_t /*len*/,
+	const uint64_t */*v*/,
+	size_t */*size*/);
+
+int
 der_put_utctime (
 	unsigned char */*p*/,
 	size_t /*len*/,
@@ -625,4 +688,5 @@ length_heim_any_set (const heim_any */*data*/);
 }
 #endif
 
+#endif /* DOXY */
 #endif /* __der_protos_h__ */
diff --git a/lib/asn1/der.h b/lib/asn1/der.h
index f20cdb83ca51..f7323486454d 100644
--- a/lib/asn1/der.h
+++ b/lib/asn1/der.h
@@ -36,6 +36,8 @@
 #ifndef __DER_H__
 #define __DER_H__
 
+#include <stdint.h>
+
 typedef enum {
     ASN1_C_UNIV = 0,
     ASN1_C_APPL = 1,
diff --git a/lib/asn1/der_cmp.c b/lib/asn1/der_cmp.c
index 468ccb2d040c..f4612c469f60 100644
--- a/lib/asn1/der_cmp.c
+++ b/lib/asn1/der_cmp.c
@@ -37,7 +37,7 @@ int
 der_heim_oid_cmp(const heim_oid *p, const heim_oid *q)
 {
     if (p->length != q->length)
-	return p->length - q->length;
+	return (int)(p->length - q->length);
     return memcmp(p->components,
 		  q->components,
 		  p->length * sizeof(*p->components));
@@ -48,7 +48,7 @@ der_heim_octet_string_cmp(const heim_octet_string *p,
 			  const heim_octet_string *q)
 {
     if (p->length != q->length)
-	return p->length - q->length;
+	return (int)(p->length - q->length);
     return memcmp(p->data, q->data, p->length);
 }
 
@@ -70,12 +70,13 @@ int
 der_heim_bit_string_cmp(const heim_bit_string *p,
 			const heim_bit_string *q)
 {
-    int i, r1, r2;
+    int r1, r2;
+    size_t i;
     if (p->length != q->length)
-	return p->length - q->length;
+	return (int)(p->length - q->length);
     i = memcmp(p->data, q->data, p->length / 8);
     if (i)
-	return i;
+	return (int)i;
     if ((p->length % 8) == 0)
 	return 0;
     i = (p->length / 8);
@@ -94,7 +95,7 @@ der_heim_integer_cmp(const heim_integer *p,
     if (p->negative != q->negative)
 	return q->negative - p->negative;
     if (p->length != q->length)
-	return p->length - q->length;
+	return (int)(p->length - q->length);
     return memcmp(p->data, q->data, p->length);
 }
 
@@ -102,7 +103,7 @@ int
 der_heim_bmp_string_cmp(const heim_bmp_string *p, const heim_bmp_string *q)
 {
     if (p->length != q->length)
-	return p->length - q->length;
+	return (int)(p->length - q->length);
     return memcmp(p->data, q->data, q->length * sizeof(q->data[0]));
 }
 
@@ -111,6 +112,6 @@ der_heim_universal_string_cmp(const heim_universal_string *p,
 			      const heim_universal_string *q)
 {
     if (p->length != q->length)
-	return p->length - q->length;
+	return (int)(p->length - q->length);
     return memcmp(p->data, q->data, q->length * sizeof(q->data[0]));
 }
diff --git a/lib/asn1/der_copy.c b/lib/asn1/der_copy.c
index 3a0a8c5ffa6a..87f1a0d5ac81 100644
--- a/lib/asn1/der_copy.c
+++ b/lib/asn1/der_copy.c
@@ -55,6 +55,13 @@ der_copy_integer (const int *from, int *to)
 }
 
 int
+der_copy_integer64 (const int64_t *from, int64_t *to)
+{
+    *to = *from;
+    return 0;
+}
+
+int
 der_copy_unsigned (const unsigned *from, unsigned *to)
 {
     *to = *from;
@@ -62,6 +69,13 @@ der_copy_unsigned (const unsigned *from, unsigned *to)
 }
 
 int
+der_copy_unsigned64 (const uint64_t *from, uint64_t *to)
+{
+    *to = *from;
+    return 0;
+}
+
+int
 der_copy_generalized_time (const time_t *from, time_t *to)
 {
     *to = *from;
diff --git a/lib/asn1/der_format.c b/lib/asn1/der_format.c
index 4f06c1b01fd9..0aaabed87ed8 100644
--- a/lib/asn1/der_format.c
+++ b/lib/asn1/der_format.c
@@ -163,7 +163,7 @@ der_parse_heim_oid (const char *str, const char *sep, heim_oid *data)
 	    free(s);
 	    return EINVAL;
 	}
-	data->components[data->length++] = l;
+	data->components[data->length++] = (unsigned int)l;
     }
     free(s);
     return 0;
diff --git a/lib/asn1/der_free.c b/lib/asn1/der_free.c
index 4bae5fc2338f..1584cfcb299e 100644
--- a/lib/asn1/der_free.c
+++ b/lib/asn1/der_free.c
@@ -51,12 +51,24 @@ der_free_integer (int *i)
 }
 
 void
+der_free_integer64 (int64_t *i)
+{
+    *i = 0;
+}
+
+void
 der_free_unsigned (unsigned *u)
 {
     *u = 0;
 }
 
 void
+der_free_unsigned64 (uint64_t *u)
+{
+    *u = 0;
+}
+
+void
 der_free_generalized_time(time_t *t)
 {
     *t = 0;
diff --git a/lib/asn1/der_get.c b/lib/asn1/der_get.c
index 3112da86f93b..f0495f33e498 100644
--- a/lib/asn1/der_get.c
+++ b/lib/asn1/der_get.c
@@ -48,9 +48,28 @@ der_get_unsigned (const unsigned char *p, size_t len,
     unsigned val = 0;
     size_t oldlen = len;
 
-    if (len == sizeof(unsigned) + 1 && p[0] == 0)
+    if (len == sizeof(val) + 1 && p[0] == 0)
 	;
-    else if (len > sizeof(unsigned))
+    else if (len > sizeof(val))
+	return ASN1_OVERRUN;
+
+    while (len--)
+	val = val * 256 + *p++;
+    *ret = val;
+    if(size) *size = oldlen;
+    return 0;
+}
+
+int
+der_get_unsigned64 (const unsigned char *p, size_t len,
+                   uint64_t *ret, size_t *size)
+{
+    uint64_t val = 0;
+    size_t oldlen = len;
+
+    if (len == sizeof(val) + 1 && p[0] == 0)
+       ;
+    else if (len > sizeof(val))
 	return ASN1_OVERRUN;
 
     while (len--)
@@ -67,7 +86,7 @@ der_get_integer (const unsigned char *p, size_t len,
     int val = 0;
     size_t oldlen = len;
 
-    if (len > sizeof(int))
+    if (len > sizeof(val))
 	return ASN1_OVERRUN;
 
     if (len > 0) {
@@ -81,6 +100,27 @@ der_get_integer (const unsigned char *p, size_t len,
 }
 
 int
+der_get_integer64 (const unsigned char *p, size_t len,
+		   int64_t *ret, size_t *size)
+{
+    int64_t val = 0;
+    size_t oldlen = len;
+
+    if (len > sizeof(val))
+        return ASN1_OVERRUN;
+
+    if (len > 0) {
+       val = (signed char)*p++;
+       while (--len)
+           val = val * 256 + *p++;
+    }
+    *ret = val;
+    if(size) *size = oldlen;
+    return 0;
+}
+
+
+int
 der_get_length (const unsigned char *p, size_t len,
 		size_t *val, size_t *size)
 {
@@ -143,18 +183,22 @@ der_get_general_string (const unsigned char *p, size_t len,
 	 */
 	while ((size_t)(p1 - p) < len && *p1 == '\0')
 	    p1++;
-       if ((size_t)(p1 - p) != len)
+	if ((size_t)(p1 - p) != len) {
+	    *str = NULL;
 	    return ASN1_BAD_CHARACTER;
+	}
     }
-    if (len > len + 1)
+    if (len == SIZE_MAX) {
+	*str = NULL;
 	return ASN1_BAD_LENGTH;
+    }
 
-    s = malloc (len + 1);
+    *str = s = malloc (len + 1);
     if (s == NULL)
 	return ENOMEM;
     memcpy (s, p, len);
     s[len] = '\0';
-    *str = s;
+
     if(size) *size = len;
     return 0;
 }
@@ -166,14 +210,23 @@ der_get_utf8string (const unsigned char *p, size_t len,
     return der_get_general_string(p, len, str, size);
 }
 
+#define gen_data_zero(_data) \
+	do { (_data)->length = 0; (_data)->data = NULL; } while(0)
+
 int
 der_get_printable_string(const unsigned char *p, size_t len,
 			 heim_printable_string *str, size_t *size)
 {
+    if (len == SIZE_MAX) {
+	gen_data_zero(str);
+	return ASN1_BAD_LENGTH;
+    }
     str->length = len;
     str->data = malloc(len + 1);
-    if (str->data == NULL)
+    if (str->data == NULL) {
+	gen_data_zero(str);
 	return ENOMEM;
+    }
     memcpy(str->data, p, len);
     ((char *)str->data)[len] = '\0';
     if(size) *size = len;
@@ -193,14 +246,20 @@ der_get_bmp_string (const unsigned char *p, size_t len,
 {
     size_t i;
 
-    if (len & 1)
+    if (len & 1) {
+	gen_data_zero(data);
 	return ASN1_BAD_FORMAT;
+    }
     data->length = len / 2;
-    if (data->length > UINT_MAX/sizeof(data->data[0]))
+    if (data->length > UINT_MAX/sizeof(data->data[0])) {
+	gen_data_zero(data);
 	return ERANGE;
+    }
     data->data = malloc(data->length * sizeof(data->data[0]));
-    if (data->data == NULL && data->length != 0)
+    if (data->data == NULL && data->length != 0) {
+	gen_data_zero(data);
 	return ENOMEM;
+    }
 
     for (i = 0; i < data->length; i++) {
 	data->data[i] = (p[0] << 8) | p[1];
@@ -208,8 +267,7 @@ der_get_bmp_string (const unsigned char *p, size_t len,
 	/* check for NUL in the middle of the string */
 	if (data->data[i] == 0 && i != (data->length - 1)) {
 	    free(data->data);
-	    data->data = NULL;
-	    data->length = 0;
+	    gen_data_zero(data);
 	    return ASN1_BAD_CHARACTER;
 	}
     }
@@ -224,14 +282,20 @@ der_get_universal_string (const unsigned char *p, size_t len,
 {
     size_t i;
 
-    if (len & 3)
+    if (len & 3) {
+	gen_data_zero(data);
 	return ASN1_BAD_FORMAT;
+    }
     data->length = len / 4;
-    if (data->length > UINT_MAX/sizeof(data->data[0]))
+    if (data->length > UINT_MAX/sizeof(data->data[0])) {
+	gen_data_zero(data);
 	return ERANGE;
+    }
     data->data = malloc(data->length * sizeof(data->data[0]));
-    if (data->data == NULL && data->length != 0)
+    if (data->data == NULL && data->length != 0) {
+	gen_data_zero(data);
 	return ENOMEM;
+    }
 
     for (i = 0; i < data->length; i++) {
 	data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
@@ -239,8 +303,7 @@ der_get_universal_string (const unsigned char *p, size_t len,
 	/* check for NUL in the middle of the string */
 	if (data->data[i] == 0 && i != (data->length - 1)) {
 	    free(data->data);
-	    data->data = NULL;
-	    data->length = 0;
+	    gen_data_zero(data);
 	    return ASN1_BAD_CHARACTER;
 	}
     }
@@ -274,7 +337,7 @@ der_get_octet_string_ber (const unsigned char *p, size_t len,
 {
     int e;
     Der_type type;
-    Der_class class;
+    Der_class cls;
     unsigned int tag, depth = 0;
     size_t l, datalen, oldlen = len;
 
@@ -282,9 +345,9 @@ der_get_octet_string_ber (const unsigned char *p, size_t len,
     data->data = NULL;
 
     while (len) {
-	e = der_get_tag (p, len, &class, &type, &tag, &l);
+	e = der_get_tag (p, len, &cls, &type, &tag, &l);
 	if (e) goto out;
-	if (class != ASN1_C_UNIV) {
+	if (cls != ASN1_C_UNIV) {
 	    e = ASN1_BAD_ID;
 	    goto out;
 	}
@@ -430,7 +493,7 @@ der_get_time (const unsigned char *p, size_t len,
     char *times;
     int e;
 
-    if (len > len + 1 || len == 0)
+    if (len == SIZE_MAX || len == 0)
 	return ASN1_BAD_LENGTH;
 
     times = malloc(len + 1);
@@ -468,7 +531,7 @@ der_get_oid (const unsigned char *p, size_t len,
     if (len < 1)
 	return ASN1_OVERRUN;
 
-    if (len > len + 1)
+    if (len == SIZE_MAX)
 	return ASN1_BAD_LENGTH;
 
     if (len + 1 > UINT_MAX/sizeof(data->components[0]))
@@ -508,13 +571,13 @@ der_get_oid (const unsigned char *p, size_t len,
 
 int
 der_get_tag (const unsigned char *p, size_t len,
-	     Der_class *class, Der_type *type,
+	     Der_class *cls, Der_type *type,
 	     unsigned int *tag, size_t *size)
 {
     size_t ret = 0;
     if (len < 1)
 	return ASN1_OVERRUN;
-    *class = (Der_class)(((*p) >> 6) & 0x03);
+    *cls = (Der_class)(((*p) >> 6) & 0x03);
     *type = (Der_type)(((*p) >> 5) & 0x01);
     *tag = (*p) & 0x1f;
     p++; len--; ret++;
@@ -540,13 +603,13 @@ der_get_tag (const unsigned char *p, size_t len,
 
 int
 der_match_tag (const unsigned char *p, size_t len,
-	       Der_class class, Der_type type,
+	       Der_class cls, Der_type type,
 	       unsigned int tag, size_t *size)
 {
     Der_type thistype;
     int e;
 
-    e = der_match_tag2(p, len, class, &thistype, tag, size);
+    e = der_match_tag2(p, len, cls, &thistype, tag, size);
     if (e) return e;
     if (thistype != type) return ASN1_BAD_ID;
     return 0;
@@ -554,7 +617,7 @@ der_match_tag (const unsigned char *p, size_t len,
 
 int
 der_match_tag2 (const unsigned char *p, size_t len,
-		Der_class class, Der_type *type,
+		Der_class cls, Der_type *type,
 		unsigned int tag, size_t *size)
 {
     size_t l;
@@ -564,7 +627,7 @@ der_match_tag2 (const unsigned char *p, size_t len,
 
     e = der_get_tag (p, len, &thisclass, type, &thistag, &l);
     if (e) return e;
-    if (class != thisclass)
+    if (cls != thisclass)
 	return ASN1_BAD_ID;
     if(tag > thistag)
 	return ASN1_MISPLACED_FIELD;
@@ -576,13 +639,13 @@ der_match_tag2 (const unsigned char *p, size_t len,
 
 int
 der_match_tag_and_length (const unsigned char *p, size_t len,
-			  Der_class class, Der_type *type, unsigned int tag,
+			  Der_class cls, Der_type *type, unsigned int tag,
 			  size_t *length_ret, size_t *size)
 {
     size_t l, ret = 0;
     int e;
 
-    e = der_match_tag2 (p, len, class, type, tag, &l);
+    e = der_match_tag2 (p, len, cls, type, tag, &l);
     if (e) return e;
     p += l;
     len -= l;
@@ -633,14 +696,19 @@ der_get_bit_string (const unsigned char *p, size_t len,
      * any of them will cause a interger overrun */
     if ((len - 1) >> (sizeof(len) * 8 - 3))
 	return ASN1_OVERRUN;
-    data->length = (len - 1) * 8;
-    data->data = malloc(len - 1);
-    if (data->data == NULL && (len - 1) != 0)
-	return ENOMEM;
-    /* copy data is there is data to copy */
-    if (len - 1 != 0) {
-      memcpy (data->data, p + 1, len - 1);
-      data->length -= p[0];
+    /*
+     * If there is data to copy, do that now.
+     */
+    if (len - 1 > 0) {
+	data->length = (len - 1) * 8;
+	data->data = malloc(len - 1);
+	if (data->data == NULL)
+	    return ENOMEM;
+	memcpy (data->data, p + 1, len - 1);
+	data->length -= p[0];
+    } else {
+	data->data = NULL;
+	data->length = 0;
     }
     if(size) *size = len;
     return 0;
diff --git a/lib/asn1/der_length.c b/lib/asn1/der_length.c
index db82025861ea..684ba9bc6f32 100644
--- a/lib/asn1/der_length.c
+++ b/lib/asn1/der_length.c
@@ -56,6 +56,24 @@ _heim_len_unsigned (unsigned val)
 }
 
 size_t
+_heim_len_unsigned64 (uint64_t val)
+{
+    size_t ret = 0;
+    int last_val_gt_128;
+
+    do {
+	++ret;
+	last_val_gt_128 = (val >= 128);
+	val /= 256;
+    } while (val);
+
+    if(last_val_gt_128)
+	ret++;
+
+    return ret;
+}
+
+size_t
 _heim_len_int (int val)
 {
     unsigned char q;
@@ -82,6 +100,33 @@ _heim_len_int (int val)
     return ret;
 }
 
+size_t
+_heim_len_int64 (int64_t val)
+{
+    unsigned char q;
+    size_t ret = 0;
+
+    if (val >= 0) {
+	do {
+	    q = val % 256;
+	    ret++;
+	    val /= 256;
+	} while(val);
+	if(q >= 128)
+	    ret++;
+    } else {
+	val = ~val;
+	do {
+	    q = ~(val % 256);
+	    ret++;
+	    val /= 256;
+	} while(val);
+	if(q < 128)
+	    ret++;
+    }
+    return ret;
+}
+
 static size_t
 len_oid (const heim_oid *oid)
 {
@@ -135,12 +180,24 @@ der_length_integer (const int *data)
 }
 
 size_t
+der_length_integer64 (const int64_t *data)
+{
+    return _heim_len_int64 (*data);
+}
+
+size_t
 der_length_unsigned (const unsigned *data)
 {
     return _heim_len_unsigned(*data);
 }
 
 size_t
+der_length_unsigned64 (const uint64_t *data)
+{
+    return _heim_len_unsigned64(*data);
+}
+
+size_t
 der_length_enumerated (const unsigned *data)
 {
   return _heim_len_int (*data);
diff --git a/lib/asn1/der_put.c b/lib/asn1/der_put.c
index 0b276d1ebdce..843d09f5cdc1 100644
--- a/lib/asn1/der_put.c
+++ b/lib/asn1/der_put.c
@@ -76,6 +76,38 @@ der_put_unsigned (unsigned char *p, size_t len, const unsigned *v, size_t *size)
 }
 
 int
+der_put_unsigned64 (unsigned char *p, size_t len, const uint64_t *v, size_t *size)
+{
+    unsigned char *base = p;
+    uint64_t val = *v;
+
+    if (val) {
+       while (len > 0 && val) {
+           *p-- = val % 256;
+           val /= 256;
+           --len;
+       }
+       if (val != 0)
+           return ASN1_OVERFLOW;
+       else {
+           if(p[1] >= 128) {
+               if(len < 1)
+                   return ASN1_OVERFLOW;
+               *p-- = 0;
+           }
+           *size = base - p;
+           return 0;
+       }
+    } else if (len < 1)
+       return ASN1_OVERFLOW;
+    else {
+       *p    = 0;
+       *size = 1;
+       return 0;
+    }
+}
+
+int
 der_put_integer (unsigned char *p, size_t len, const int *v, size_t *size)
 {
     unsigned char *base = p;
@@ -115,6 +147,46 @@ der_put_integer (unsigned char *p, size_t len, const int *v, size_t *size)
     return 0;
 }
 
+int
+der_put_integer64 (unsigned char *p, size_t len, const int64_t *v, size_t *size)
+{
+    unsigned char *base = p;
+    int64_t val = *v;
+
+    if(val >= 0) {
+       do {
+           if(len < 1)
+               return ASN1_OVERFLOW;
+           *p-- = val % 256;
+           len--;
+           val /= 256;
+       } while(val);
+       if(p[1] >= 128) {
+           if(len < 1)
+               return ASN1_OVERFLOW;
+           *p-- = 0;
+           len--;
+       }
+    } else {
+       val = ~val;
+       do {
+           if(len < 1)
+               return ASN1_OVERFLOW;
+           *p-- = ~(val % 256);
+           len--;
+           val /= 256;
+       } while(val);
+       if(p[1] < 128) {
+           if(len < 1)
+               return ASN1_OVERFLOW;
+           *p-- = 0xff;
+           len--;
+       }
+    }
+    *size = base - p;
+    return 0;
+}
+
 
 int
 der_put_length (unsigned char *p, size_t len, size_t val, size_t *size)
@@ -267,7 +339,8 @@ der_put_heim_integer (unsigned char *p, size_t len,
     len -= data->length;
 
     if (data->negative) {
-	int i, carry;
+	ssize_t i;
+	int carry;
 	for (i = data->length - 1, carry = 1; i >= 0; i--) {
 	    *p = buf[i] ^ 0xff;
 	    if (carry)
@@ -343,7 +416,7 @@ der_put_oid (unsigned char *p, size_t len,
 	     const heim_oid *data, size_t *size)
 {
     unsigned char *base = p;
-    int n;
+    size_t n;
 
     for (n = data->length - 1; n >= 2; --n) {
 	unsigned u = data->components[n];
@@ -429,12 +502,14 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
      struct tm tm;
      const size_t len = gtimep ? 15 : 13;
 
+     s->data = NULL;
+     s->length = 0;
+     if (_der_gmtime(t, &tm) == NULL)
+	 return ASN1_BAD_TIMEFORMAT;
      s->data = malloc(len + 1);
      if (s->data == NULL)
 	 return ENOMEM;
      s->length = len;
-     if (_der_gmtime(t, &tm) == NULL)
-	 return ASN1_BAD_TIMEFORMAT;
      if (gtimep)
 	 snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ",
 		   tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
@@ -468,12 +543,12 @@ der_put_bit_string (unsigned char *p, size_t len,
 int
 _heim_der_set_sort(const void *a1, const void *a2)
 {
-    const struct heim_octet_string *s1 = a1, *s2 = a2;
+    const heim_octet_string *s1 = a1, *s2 = a2;
     int ret;
 
     ret = memcmp(s1->data, s2->data,
 		 s1->length < s2->length ? s1->length : s2->length);
     if(ret)
 	return ret;
-    return s1->length - s2->length;
+    return (int)(s1->length - s2->length);
 }
diff --git a/lib/asn1/digest.asn1 b/lib/asn1/digest.asn1
index 027402f1efe2..7a73993e3cf5 100644
--- a/lib/asn1/digest.asn1
+++ b/lib/asn1/digest.asn1
@@ -24,7 +24,7 @@ DigestInit ::= SEQUENCE {
 }
 
 DigestInitReply ::= SEQUENCE {
-    nonce		UTF8String,	-- service nonce/challange
+    nonce		UTF8String,	-- service nonce/challenge
     opaque		UTF8String,	-- server state
     identifier		[0] UTF8String OPTIONAL
 }
@@ -78,7 +78,7 @@ NTLMInitReply ::= SEQUENCE {
     flags		[0] INTEGER (0..4294967295),
     opaque		[1] OCTET STRING,
     targetname		[2] UTF8String,
-    challange		[3] OCTET STRING,
+    challenge		[3] OCTET STRING,
     targetinfo		[4] OCTET STRING OPTIONAL
 }
 
diff --git a/lib/asn1/fuzzer.c b/lib/asn1/fuzzer.c
new file mode 100644
index 000000000000..527f7e99856d
--- /dev/null
+++ b/lib/asn1/fuzzer.c
@@ -0,0 +1,742 @@
+/*
+ * Copyright (c) 2009 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "der_locl.h"
+#include <com_err.h>
+
+enum trigger_method { FOFF, FRANDOM, FLINEAR, FLINEAR_SIZE };
+
+#ifdef ASN1_FUZZER
+static enum trigger_method method = FOFF;
+
+/* FLINEAR */
+static unsigned long fnum, fcur, fsize;
+#endif
+
+int
+asn1_fuzzer_method(const char *mode)
+{
+#ifdef ASN1_FUZZER
+    if (mode == NULL || strcasecmp(mode, "off") == 0) {
+	method = FOFF;
+    } else if (strcasecmp(mode, "random") == 0) {
+	method = FRANDOM;
+    } else if (strcasecmp(mode, "linear") == 0) {
+	method = FLINEAR;
+    } else if (strcasecmp(mode, "linear-size") == 0) {
+	method = FLINEAR_SIZE;
+    } else
+	return 1;
+    return 0;
+#else
+    return 1;
+#endif
+}
+
+void
+asn1_fuzzer_reset(void)
+{
+#ifdef ASN1_FUZZER
+    fcur = 0;
+    fsize = 0;
+    fnum = 0;
+#endif
+}
+
+void
+asn1_fuzzer_next(void)
+{
+#ifdef ASN1_FUZZER
+    fcur = 0;
+    fsize = 0;
+    fnum++;
+#endif
+}
+
+int
+asn1_fuzzer_done(void)
+{
+#ifndef ASN1_FUZZER
+    abort();
+#else
+    /* since code paths */
+    return (fnum > 10000);
+#endif
+}
+
+#ifdef ASN1_FUZZER
+
+static int
+fuzzer_trigger(unsigned int chance)
+{
+    switch(method) {
+    case FOFF:
+	return 0;
+    case FRANDOM:
+	if ((rk_random() % chance) != 1)
+	    return 0;
+	return 1;
+    case FLINEAR:
+	if (fnum == fcur++)
+	    return 1;
+	return 0;
+    case FLINEAR_SIZE:
+	return 0;
+    }
+    return 0;
+}
+
+static int
+fuzzer_size_trigger(unsigned long *cur)
+{
+    if (method != FLINEAR_SIZE)
+	return 0;
+    if (fnum == (*cur)++)
+	return 1;
+    return 0;
+}
+
+static size_t
+fuzzer_length_len (size_t len)
+{
+    if (fuzzer_size_trigger(&fsize)) {
+	len = 0;
+    } else if (fuzzer_size_trigger(&fsize)) {
+	len = 129;
+    } else if (fuzzer_size_trigger(&fsize)) {
+	len = 0xffff;
+    }
+
+    if (len < 128)
+	return 1;
+    else {
+	int ret = 0;
+	do {
+	    ++ret;
+	    len /= 256;
+	} while (len);
+	return ret + 1;
+    }
+}
+
+static int
+fuzzer_put_length (unsigned char *p, size_t len, size_t val, size_t *size)
+{
+    if (len < 1)
+	return ASN1_OVERFLOW;
+
+    if (fuzzer_size_trigger(&fcur)) {
+	val = 0;
+    } else if (fuzzer_size_trigger(&fcur)) {
+	val = 129;
+    } else if (fuzzer_size_trigger(&fcur)) {
+	val = 0xffff;
+    }
+
+    if (val < 128) {
+	*p = val;
+	*size = 1;
+    } else {
+	size_t l = 0;
+
+	while(val > 0) {
+	    if(len < 2)
+		return ASN1_OVERFLOW;
+	    *p-- = val % 256;
+	    val /= 256;
+	    len--;
+	    l++;
+	}
+	*p = 0x80 | l;
+	if(size)
+	    *size = l + 1;
+    }
+    return 0;
+}
+
+static int
+fuzzer_put_tag (unsigned char *p, size_t len, Der_class class, Der_type type,
+		unsigned int tag, size_t *size)
+{
+    unsigned fcont = 0;
+
+    if (tag <= 30) {
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	if (fuzzer_trigger(100))
+	    *p = MAKE_TAG(class, type, 0x1f);
+	else
+	    *p = MAKE_TAG(class, type, tag);
+	*size = 1;
+    } else {
+	size_t ret = 0;
+	unsigned int continuation = 0;
+
+	do {
+	    if (len < 1)
+		return ASN1_OVERFLOW;
+	    *p-- = tag % 128 | continuation;
+	    len--;
+	    ret++;
+	    tag /= 128;
+	    continuation = 0x80;
+	} while(tag > 0);
+	if (len < 1)
+	    return ASN1_OVERFLOW;
+	if (fuzzer_trigger(100))
+	    *p-- = MAKE_TAG(class, type, 0);
+	else
+	    *p-- = MAKE_TAG(class, type, 0x1f);
+	ret++;
+	*size = ret;
+    }
+    return 0;
+}
+
+static int
+fuzzer_put_length_and_tag (unsigned char *p, size_t len, size_t len_val,
+			   Der_class class, Der_type type,
+			   unsigned int tag, size_t *size)
+{
+    size_t ret = 0;
+    size_t l;
+    int e;
+
+    e = fuzzer_put_length (p, len, len_val, &l);
+    if(e)
+	return e;
+    p -= l;
+    len -= l;
+    ret += l;
+    e = fuzzer_put_tag (p, len, class, type, tag, &l);
+    if(e)
+	return e;
+
+    ret += l;
+    *size = ret;
+    return 0;
+}
+
+static int
+fuzzer_put_general_string (unsigned char *p, size_t len,
+			   const heim_general_string *str, size_t *size)
+{
+    size_t slen = strlen(*str);
+
+    if (len < slen)
+	return ASN1_OVERFLOW;
+    p -= slen;
+    if (slen >= 2 && fuzzer_trigger(100)) {
+	memcpy(p+1, *str, slen);
+	memcpy(p+1, "%s", 2);
+    } else if (slen >= 2 && fuzzer_trigger(100)) {
+	memcpy(p+1, *str, slen);
+	memcpy(p+1, "%n", 2);
+    } else if (slen >= 4 && fuzzer_trigger(100)) {
+	memcpy(p+1, *str, slen);
+	memcpy(p+1, "%10n", 4);
+    } else if (slen >= 10 && fuzzer_trigger(100)) {
+	memcpy(p+1, *str, slen);
+	memcpy(p+1, "%n%n%n%n%n", 10);
+    } else if (slen >= 10 && fuzzer_trigger(100)) {
+	memcpy(p+1, *str, slen);
+	memcpy(p+1, "%n%p%s%d%x", 10);
+    } else if (slen >= 7 && fuzzer_trigger(100)) {
+	memcpy(p+1, *str, slen);
+	memcpy(p+1, "%.1024d", 7);
+    } else if (slen >= 7 && fuzzer_trigger(100)) {
+	memcpy(p+1, *str, slen);
+	memcpy(p+1, "%.2049d", 7);
+    } else if (fuzzer_trigger(100)) {
+	memset(p+1, 0, slen);
+    } else if (fuzzer_trigger(100)) {
+	memset(p+1, 0xff, slen);
+    } else if (fuzzer_trigger(100)) {
+	memset(p+1, 'A', slen);
+    } else {
+	memcpy(p+1, *str, slen);
+    }
+    *size = slen;
+    return 0;
+}
+
+
+struct asn1_type_func fuzzerprim[A1T_NUM_ENTRY] = {
+#define fuzel(name, type) {				\
+	(asn1_type_encode)fuzzer_put_##name,		\
+	(asn1_type_decode)der_get_##name,		\
+	(asn1_type_length)der_length_##name,		\
+	(asn1_type_copy)der_copy_##name,		\
+	(asn1_type_release)der_free_##name,		\
+	sizeof(type)					\
+    }
+#define el(name, type) {				\
+	(asn1_type_encode)der_put_##name,		\
+	(asn1_type_decode)der_get_##name,		\
+	(asn1_type_length)der_length_##name,		\
+	(asn1_type_copy)der_copy_##name,		\
+	(asn1_type_release)der_free_##name,		\
+	sizeof(type)					\
+    }
+#define elber(name, type) {				\
+	(asn1_type_encode)der_put_##name,		\
+	(asn1_type_decode)der_get_##name##_ber,		\
+	(asn1_type_length)der_length_##name,		\
+	(asn1_type_copy)der_copy_##name,		\
+	(asn1_type_release)der_free_##name,		\
+	sizeof(type)					\
+    }
+    el(integer, int),
+    el(integer64, int64_t),
+    el(heim_integer, heim_integer),
+    el(integer, int),
+    el(unsigned, unsigned),
+    el(uninteger64, uint64_t),
+    fuzel(general_string, heim_general_string),
+    el(octet_string, heim_octet_string),
+    elber(octet_string, heim_octet_string),
+    el(ia5_string, heim_ia5_string),
+    el(bmp_string, heim_bmp_string),
+    el(universal_string, heim_universal_string),
+    el(printable_string, heim_printable_string),
+    el(visible_string, heim_visible_string),
+    el(utf8string, heim_utf8_string),
+    el(generalized_time, time_t),
+    el(utctime, time_t),
+    el(bit_string, heim_bit_string),
+    { (asn1_type_encode)der_put_boolean, (asn1_type_decode)der_get_boolean,
+      (asn1_type_length)der_length_boolean, (asn1_type_copy)der_copy_integer,
+      (asn1_type_release)der_free_integer, sizeof(int)
+    },
+    el(oid, heim_oid),
+    el(general_string, heim_general_string),
+#undef fuzel
+#undef el
+#undef elber
+};
+
+
+
+int
+_asn1_encode_fuzzer(const struct asn1_template *t,
+		    unsigned char *p, size_t len,
+		    const void *data, size_t *size)
+{
+    size_t elements = A1_HEADER_LEN(t);
+    int ret = 0;
+    size_t oldlen = len;
+
+    t += A1_HEADER_LEN(t);
+
+    while (elements) {
+	switch (t->tt & A1_OP_MASK) {
+	case A1_OP_TYPE:
+	case A1_OP_TYPE_EXTERN: {
+	    size_t newsize;
+	    const void *el = DPOC(data, t->offset);
+
+	    if (t->tt & A1_FLAG_OPTIONAL) {
+		void **pel = (void **)el;
+		if (*pel == NULL)
+		    break;
+		el = *pel;
+	    }
+
+	    if ((t->tt & A1_OP_MASK) == A1_OP_TYPE) {
+		ret = _asn1_encode_fuzzer(t->ptr, p, len, el, &newsize);
+	    } else {
+		const struct asn1_type_func *f = t->ptr;
+		ret = (f->encode)(p, len, el, &newsize);
+	    }
+
+	    if (ret)
+		return ret;
+	    p -= newsize; len -= newsize;
+
+	    break;
+	}
+	case A1_OP_TAG: {
+	    const void *olddata = data;
+	    size_t l, datalen;
+
+	    data = DPOC(data, t->offset);
+
+	    if (t->tt & A1_FLAG_OPTIONAL) {
+		void **el = (void **)data;
+		if (*el == NULL) {
+		    data = olddata;
+		    break;
+		}
+		data = *el;
+	    }
+
+	    ret = _asn1_encode_fuzzer(t->ptr, p, len, data, &datalen);
+	    if (ret)
+		return ret;
+
+	    len -= datalen; p -= datalen;
+
+	    ret = fuzzer_put_length_and_tag(p, len, datalen,
+					    A1_TAG_CLASS(t->tt),
+					    A1_TAG_TYPE(t->tt),
+					    A1_TAG_TAG(t->tt), &l);
+	    if (ret)
+		return ret;
+
+	    p -= l; len -= l;
+
+	    data = olddata;
+
+	    break;
+	}
+	case A1_OP_PARSE: {
+	    unsigned int type = A1_PARSE_TYPE(t->tt);
+	    size_t newsize;
+	    const void *el = DPOC(data, t->offset);
+
+	    if (type > sizeof(fuzzerprim)/sizeof(fuzzerprim[0])) {
+		ABORT_ON_ERROR();
+		return ASN1_PARSE_ERROR;
+	    }
+
+	    ret = (fuzzerprim[type].encode)(p, len, el, &newsize);
+	    if (ret)
+		return ret;
+	    p -= newsize; len -= newsize;
+
+	    break;
+	}
+	case A1_OP_SETOF: {
+	    const struct template_of *el = DPOC(data, t->offset);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
+	    heim_octet_string *val;
+	    unsigned char *elptr = el->val;
+	    size_t i, totallen;
+
+	    if (el->len == 0)
+		break;
+
+	    if (el->len > UINT_MAX/sizeof(val[0]))
+		return ERANGE;
+
+	    val = malloc(sizeof(val[0]) * el->len);
+	    if (val == NULL)
+		return ENOMEM;
+
+	    for(totallen = 0, i = 0; i < el->len; i++) {
+		unsigned char *next;
+		size_t l;
+
+		val[i].length = _asn1_length(t->ptr, elptr);
+		val[i].data = malloc(val[i].length);
+
+		ret = _asn1_encode_fuzzer(t->ptr, DPO(val[i].data, val[i].length - 1),
+					  val[i].length, elptr, &l);
+		if (ret)
+		    break;
+
+		next = elptr + ellen;
+		if (next < elptr) {
+		    ret = ASN1_OVERFLOW;
+		    break;
+		}
+		elptr = next;
+		totallen += val[i].length;
+	    }
+	    if (ret == 0 && totallen > len)
+		ret = ASN1_OVERFLOW;
+	    if (ret) {
+		do {
+		    free(val[i].data);
+		} while(i-- > 0);
+		free(val);
+		return ret;
+	    }
+
+	    len -= totallen;
+
+	    qsort(val, el->len, sizeof(val[0]), _heim_der_set_sort);
+
+	    i = el->len - 1;
+	    do {
+		p -= val[i].length;
+		memcpy(p + 1, val[i].data, val[i].length);
+		free(val[i].data);
+	    } while(i-- > 0);
+	    free(val);
+
+	    break;
+
+	}
+	case A1_OP_SEQOF: {
+	    struct template_of *el = DPO(data, t->offset);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
+	    size_t newsize;
+	    unsigned int i;
+	    unsigned char *elptr = el->val;
+
+	    if (el->len == 0)
+		break;
+
+	    elptr += ellen * (el->len - 1);
+	   
+	    for (i = 0; i < el->len; i++) {
+		ret = _asn1_encode_fuzzer(t->ptr, p, len,
+				   elptr,
+				   &newsize);
+		if (ret)
+		    return ret;
+		p -= newsize; len -= newsize;
+		elptr -= ellen;
+	    }
+
+	    break;
+	}
+	case A1_OP_BMEMBER: {
+	    const struct asn1_template *bmember = t->ptr;
+	    size_t size = bmember->offset;
+	    size_t elements = A1_HEADER_LEN(bmember);
+	    size_t pos;
+	    unsigned char c = 0;
+	    unsigned int bitset = 0;
+	    int rfc1510 = (bmember->tt & A1_HBF_RFC1510);
+
+	    bmember += elements;
+
+	    if (rfc1510)
+		pos = 31;
+	    else
+		pos = bmember->offset;
+
+	    while (elements && len) {
+		while (bmember->offset / 8 < pos / 8) {
+		    if (rfc1510 || bitset || c) {
+			if (len < 1)
+			    return ASN1_OVERFLOW;
+			*p-- = c; len--;
+		    }
+		    c = 0;
+		    pos -= 8;
+		}
+		_asn1_bmember_put_bit(&c, data, bmember->offset, size, &bitset);
+		elements--; bmember--;
+	    }
+	    if (rfc1510 || bitset) {
+		if (len < 1)
+		    return ASN1_OVERFLOW;
+		*p-- = c; len--;
+	    }
+	   
+	    if (len < 1)
+		return ASN1_OVERFLOW;
+	    if (rfc1510 || bitset == 0)
+		*p-- = 0;
+	    else
+		*p-- = bitset - 1;
+
+	    len--;
+
+	    break;
+	}
+	case A1_OP_CHOICE: {
+	    const struct asn1_template *choice = t->ptr;
+	    const unsigned int *element = DPOC(data, choice->offset);
+	    size_t datalen;
+	    const void *el;
+
+	    if (*element > A1_HEADER_LEN(choice)) {
+		printf("element: %d\n", *element);
+		return ASN1_PARSE_ERROR;
+	    }
+
+	    if (*element == 0) {
+		ret += der_put_octet_string(p, len,
+					    DPOC(data, choice->tt), &datalen);
+	    } else {
+		choice += *element;
+		el = DPOC(data, choice->offset);
+		ret = _asn1_encode_fuzzer(choice->ptr, p, len, el, &datalen);
+		if (ret)
+		    return ret;
+	    }	   
+	    len -= datalen; p -= datalen;
+
+	    break;
+	}
+	default:
+	    ABORT_ON_ERROR();
+	}
+	t--;
+	elements--;
+    }
+
+    if (fuzzer_trigger(1000)) {
+	memset(p + 1, 0, oldlen - len);
+    } else if (fuzzer_trigger(1000)) {
+	memset(p + 1, 0x41, oldlen - len);
+    } else if (fuzzer_trigger(1000)) {
+	memset(p + 1, 0xff, oldlen - len);
+    }
+
+    if (size)
+	*size = oldlen - len;
+
+    return 0;
+}
+
+size_t
+_asn1_length_fuzzer(const struct asn1_template *t, const void *data)
+{
+    size_t elements = A1_HEADER_LEN(t);
+    size_t ret = 0;
+
+    t += A1_HEADER_LEN(t);
+
+    while (elements) {
+	switch (t->tt & A1_OP_MASK) {
+	case A1_OP_TYPE:
+	case A1_OP_TYPE_EXTERN: {
+	    const void *el = DPOC(data, t->offset);
+
+	    if (t->tt & A1_FLAG_OPTIONAL) {
+		void **pel = (void **)el;
+		if (*pel == NULL)
+		    break;
+		el = *pel;
+	    }
+
+	    if ((t->tt & A1_OP_MASK) == A1_OP_TYPE) {
+		ret += _asn1_length(t->ptr, el);
+	    } else {
+		const struct asn1_type_func *f = t->ptr;
+		ret += (f->length)(el);
+	    }
+	    break;
+	}
+	case A1_OP_TAG: {
+	    size_t datalen;
+	    const void *olddata = data;
+
+	    data = DPO(data, t->offset);
+
+	    if (t->tt & A1_FLAG_OPTIONAL) {
+		void **el = (void **)data;
+		if (*el == NULL) {
+		    data = olddata;
+		    break;
+		}
+		data = *el;
+	    }
+	    datalen = _asn1_length(t->ptr, data);
+	    ret += der_length_tag(A1_TAG_TAG(t->tt)) + fuzzer_length_len(datalen);
+	    ret += datalen;
+	    data = olddata;
+	    break;
+	}
+	case A1_OP_PARSE: {
+	    unsigned int type = A1_PARSE_TYPE(t->tt);
+	    const void *el = DPOC(data, t->offset);
+
+	    if (type >= sizeof(asn1_template_prim)/sizeof(asn1_template_prim[0])) {
+		ABORT_ON_ERROR();
+		break;
+	    }
+	    ret += (asn1_template_prim[type].length)(el);
+	    break;
+	}
+	case A1_OP_SETOF:
+	case A1_OP_SEQOF: {
+	    const struct template_of *el = DPOC(data, t->offset);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
+	    const unsigned char *element = el->val;
+	    unsigned int i;
+
+	    for (i = 0; i < el->len; i++) {
+		ret += _asn1_length(t->ptr, element);
+		element += ellen;
+	    }
+
+	    break;
+	}
+	case A1_OP_BMEMBER: {
+	    const struct asn1_template *bmember = t->ptr;
+	    size_t size = bmember->offset;
+	    size_t elements = A1_HEADER_LEN(bmember);
+	    int rfc1510 = (bmember->tt & A1_HBF_RFC1510);
+
+	    if (rfc1510) {
+		ret += 5;
+	    } else {
+
+		ret += 1;
+
+		bmember += elements;
+
+		while (elements) {
+		    if (_asn1_bmember_isset_bit(data, bmember->offset, size)) {
+			ret += (bmember->offset / 8) + 1;
+			break;
+		    }
+		    elements--; bmember--;
+		}
+	    }
+	    break;
+	}
+	case A1_OP_CHOICE: {
+	    const struct asn1_template *choice = t->ptr;
+	    const unsigned int *element = DPOC(data, choice->offset);
+
+	    if (*element > A1_HEADER_LEN(choice))
+		break;
+
+	    if (*element == 0) {
+		ret += der_length_octet_string(DPOC(data, choice->tt));
+	    } else {
+		choice += *element;
+		ret += _asn1_length(choice->ptr, DPOC(data, choice->offset));
+	    }
+	    break;
+	}
+	default:
+	    ABORT_ON_ERROR();
+	    break;
+	}
+	elements--;
+	t--;
+    }
+    return ret;
+}
+
+#endif /* ASN1_FUZZER */
diff --git a/lib/asn1/gen.c b/lib/asn1/gen.c
index 2194b329ce1d..3773647c29d7 100644
--- a/lib/asn1/gen.c
+++ b/lib/asn1/gen.c
@@ -148,7 +148,7 @@ init_generate (const char *filename, const char *base)
     fn = NULL;
 
     /* template file */
-    if (asprintf(&template, "%s-template.c", headerbase) < 0 || template == NULL)
+    if (asprintf(&template, "%s-template.x", headerbase) < 0 || template == NULL)
 	errx(1, "malloc");
     fprintf (headerfile,
 	     "/* Generated from %s */\n"
@@ -163,6 +163,15 @@ init_generate (const char *filename, const char *base)
     fprintf (headerfile,
 	     "#ifndef __asn1_common_definitions__\n"
 	     "#define __asn1_common_definitions__\n\n");
+	fprintf (headerfile,
+		 "#ifndef __HEIM_BASE_DATA__\n"
+		 "#define __HEIM_BASE_DATA__ 1\n"
+		 "struct heim_base_data {\n"
+		 "    size_t length;\n"
+		 "    void *data;\n"
+		 "};\n"
+		 "typedef struct heim_base_data heim_octet_string;\n"
+		 "#endif\n\n");
     fprintf (headerfile,
 	     "typedef struct heim_integer {\n"
 	     "  size_t length;\n"
@@ -170,21 +179,16 @@ init_generate (const char *filename, const char *base)
 	     "  int negative;\n"
 	     "} heim_integer;\n\n");
     fprintf (headerfile,
-	     "typedef struct heim_octet_string {\n"
-	     "  size_t length;\n"
-	     "  void *data;\n"
-	     "} heim_octet_string;\n\n");
-    fprintf (headerfile,
 	     "typedef char *heim_general_string;\n\n"
 	     );
     fprintf (headerfile,
 	     "typedef char *heim_utf8_string;\n\n"
 	     );
     fprintf (headerfile,
-	     "typedef struct heim_octet_string heim_printable_string;\n\n"
+	     "typedef struct heim_base_data heim_printable_string;\n\n"
 	     );
     fprintf (headerfile,
-	     "typedef struct heim_octet_string heim_ia5_string;\n\n"
+	     "typedef struct heim_base_data heim_ia5_string;\n\n"
 	     );
     fprintf (headerfile,
 	     "typedef struct heim_bmp_string {\n"
@@ -210,8 +214,8 @@ init_generate (const char *filename, const char *base)
 	     "  void *data;\n"
 	     "} heim_bit_string;\n\n");
     fprintf (headerfile,
-	     "typedef struct heim_octet_string heim_any;\n"
-	     "typedef struct heim_octet_string heim_any_set;\n\n");
+	     "typedef struct heim_base_data heim_any;\n"
+	     "typedef struct heim_base_data heim_any_set;\n\n");
     fputs("#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \\\n"
 	  "  do {                                                         \\\n"
 	  "    (BL) = length_##T((S));                                    \\\n"
@@ -265,14 +269,14 @@ init_generate (const char *filename, const char *base)
 	     "#include <string.h>\n"
 	     "#include <errno.h>\n"
 	     "#include <limits.h>\n"
-	     "#include <krb5-types.h>\n",
-	     filename);
+	     "#include <%s>\n",
+	     filename,
+	     type_file_string);
 
     fprintf (templatefile,
 	     "#include <%s>\n"
 	     "#include <%s>\n"
 	     "#include <der.h>\n"
-	     "#include <der-private.h>\n"
 	     "#include <asn1-template.h>\n",
 	     header, privheader);
 
@@ -290,9 +294,10 @@ close_generate (void)
         fclose (privheaderfile);
     if (templatefile)
         fclose (templatefile);
-    if (logfile)
+    if (logfile) {
         fprintf (logfile, "\n");
         fclose (logfile);
+    }
 }
 
 void
@@ -303,7 +308,8 @@ gen_assign_defval(const char *var, struct value *val)
 	fprintf(codefile, "if((%s = strdup(\"%s\")) == NULL)\nreturn ENOMEM;\n", var, val->u.stringvalue);
 	break;
     case integervalue:
-	fprintf(codefile, "%s = %d;\n", var, val->u.integervalue);
+	fprintf(codefile, "%s = %lld;\n",
+		var, (long long)val->u.integervalue);
 	break;
     case booleanvalue:
 	if(val->u.booleanvalue)
@@ -324,7 +330,8 @@ gen_compare_defval(const char *var, struct value *val)
 	fprintf(codefile, "if(strcmp(%s, \"%s\") != 0)\n", var, val->u.stringvalue);
 	break;
     case integervalue:
-	fprintf(codefile, "if(%s != %d)\n", var, val->u.integervalue);
+	fprintf(codefile, "if(%s != %lld)\n",
+		var, (long long)val->u.integervalue);
 	break;
     case booleanvalue:
 	if(val->u.booleanvalue)
@@ -350,7 +357,8 @@ generate_header_of_codefile(const char *name)
     codefile = fopen (filename, "w");
     if (codefile == NULL)
 	err (1, "fopen %s", filename);
-    fprintf(logfile, "%s ", filename);
+    if (logfile)
+        fprintf(logfile, "%s ", filename);
     free(filename);
     filename = NULL;
     fprintf (codefile,
@@ -363,19 +371,22 @@ generate_header_of_codefile(const char *name)
 	     "#include <string.h>\n"
 	     "#include <errno.h>\n"
 	     "#include <limits.h>\n"
-	     "#include <krb5-types.h>\n",
-	     orig_filename);
+	     "#include <%s>\n",
+	     orig_filename,
+	     type_file_string);
 
     fprintf (codefile,
-	     "#include <%s>\n"
-	     "#include <%s>\n",
+	     "#include \"%s\"\n"
+	     "#include \"%s\"\n",
 	     header, privheader);
     fprintf (codefile,
 	     "#include <asn1_err.h>\n"
 	     "#include <der.h>\n"
-	     "#include <der-private.h>\n"
-	     "#include <asn1-template.h>\n"
-	     "#include <parse_units.h>\n\n");
+	     "#include <asn1-template.h>\n\n");
+
+    if (parse_units_flag)
+	fprintf (codefile,
+		 "#include <parse_units.h>\n\n");
 
 }
 
@@ -397,8 +408,9 @@ generate_constant (const Symbol *s)
     case booleanvalue:
 	break;
     case integervalue:
-	fprintf (headerfile, "enum { %s = %d };\n\n",
-		 s->gen_name, s->value->u.integervalue);
+	fprintf (headerfile, "enum { %s = %lld };\n\n",
+		 s->gen_name,
+		 (long long)s->value->u.integervalue);
 	break;
     case nullvalue:
 	break;
@@ -406,7 +418,7 @@ generate_constant (const Symbol *s)
 	break;
     case objectidentifiervalue: {
 	struct objid *o, **list;
-	unsigned int i, len;
+	size_t i, len;
 	char *gen_upper;
 
 	if (!one_code_file)
@@ -433,16 +445,16 @@ generate_constant (const Symbol *s)
 		    o->label ? o->label : "label-less", o->value);
 	}
 
-	fprintf (codefile, "static unsigned oid_%s_variable_num[%d] =  {",
-		 s->gen_name, len);
+	fprintf (codefile, "static unsigned oid_%s_variable_num[%lu] =  {",
+		 s->gen_name, (unsigned long)len);
 	for (i = len ; i > 0; i--) {
 	    fprintf(codefile, "%d%s ", list[i - 1]->value, i > 1 ? "," : "");
 	}
 	fprintf(codefile, "};\n");
 
 	fprintf (codefile, "const heim_oid asn1_oid_%s = "
-		 "{ %d, oid_%s_variable_num };\n\n",
-		 s->gen_name, len, s->gen_name);
+		 "{ %lu, oid_%s_variable_num };\n\n",
+		 s->gen_name, (unsigned long)len, s->gen_name);
 
 	free(list);
 
@@ -540,8 +552,9 @@ define_asn1 (int level, Type *t)
 	if(t->members == NULL) {
             fprintf (headerfile, "INTEGER");
 	    if (t->range)
-		fprintf (headerfile, " (%d..%d)",
-			 t->range->min, t->range->max);
+		fprintf (headerfile, " (%lld..%lld)",
+			 (long long)t->range->min,
+			 (long long)t->range->max);
         } else {
 	    Member *m;
             fprintf (headerfile, "INTEGER {\n");
@@ -582,7 +595,7 @@ define_asn1 (int level, Type *t)
     case TSet:
     case TSequence: {
 	Member *m;
-	int max_width = 0;
+	size_t max_width = 0;
 
 	if(t->type == TChoice)
 	    fprintf(headerfile, "CHOICE {\n");
@@ -597,13 +610,13 @@ define_asn1 (int level, Type *t)
 	max_width += 3;
 	if(max_width < 16) max_width = 16;
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
-	    int width = max_width;
+	    size_t width = max_width;
 	    space(level + 1);
 	    if (m->ellipsis) {
 		fprintf (headerfile, "...");
 	    } else {
 		width -= fprintf(headerfile, "%s", m->name);
-		fprintf(headerfile, "%*s", width, "");
+		fprintf(headerfile, "%*s", (int)width, "");
 		define_asn1(level + 1, m->type);
 		if(m->optional)
 		    fprintf(headerfile, " OPTIONAL");
@@ -723,15 +736,17 @@ define_type (int level, const char *name, const char *basename, Type *t, int typ
             fprintf (headerfile, "} %s;\n", name);
 	} else if (t->range == NULL) {
 	    fprintf (headerfile, "heim_integer %s;\n", name);
-	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
+	} else if (t->range->min < INT_MIN && t->range->max <= INT64_MAX) {
+	    fprintf (headerfile, "int64_t %s;\n", name);
+	} else if (t->range->min >= 0 && t->range->max > UINT_MAX) {
+	    fprintf (headerfile, "uint64_t %s;\n", name);
+	} else if (t->range->min >= INT_MIN && t->range->max <= INT_MAX) {
 	    fprintf (headerfile, "int %s;\n", name);
-	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
-	    fprintf (headerfile, "unsigned int %s;\n", name);
-	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	} else if (t->range->min >= 0 && t->range->max <= UINT_MAX) {
 	    fprintf (headerfile, "unsigned int %s;\n", name);
 	} else
-	    errx(1, "%s: unsupported range %d -> %d",
-		 name, t->range->min, t->range->max);
+	    errx(1, "%s: unsupported range %lld -> %lld",
+		 name, (long long)t->range->min, (long long)t->range->max);
 	break;
     case TBoolean:
 	space(level);
@@ -744,7 +759,7 @@ define_type (int level, const char *name, const char *basename, Type *t, int typ
     case TBitString: {
 	Member *m;
 	Type i;
-	struct range range = { 0, INT_MAX };
+	struct range range = { 0, UINT_MAX };
 
 	i.type = TInteger;
 	i.range = &range;
@@ -843,7 +858,7 @@ define_type (int level, const char *name, const char *basename, Type *t, int typ
     case TSetOf:
     case TSequenceOf: {
 	Type i;
-	struct range range = { 0, INT_MAX };
+	struct range range = { 0, UINT_MAX };
 
 	getnewbasename(&newbasename, typedefp, basename, name);
 
@@ -888,7 +903,7 @@ define_type (int level, const char *name, const char *basename, Type *t, int typ
 	    fprintf(headerfile, "heim_octet_string _save;\n");
 	}
 	space(level + 1);
-	fprintf (headerfile, "enum {\n");
+	fprintf (headerfile, "enum %s_enum {\n", newbasename);
 	m = have_ellipsis(t);
 	if (m) {
 	    space(level + 2);
diff --git a/lib/asn1/gen_decode.c b/lib/asn1/gen_decode.c
index 9d816d5400d7..650017fa6b90 100644
--- a/lib/asn1/gen_decode.c
+++ b/lib/asn1/gen_decode.c
@@ -189,22 +189,22 @@ range_check(const char *name,
 {
     if (r->min == r->max + 2 || r->min < r->max)
 	fprintf (codefile,
-		 "if ((%s)->%s > %d) {\n"
+		 "if ((%s)->%s > %lld) {\n"
 		 "e = ASN1_MAX_CONSTRAINT; %s;\n"
 		 "}\n",
-		 name, length, r->max, forwstr);
-    if (r->min - 1 == r->max || r->min < r->max)
+		 name, length, (long long)r->max, forwstr);
+    if ((r->min - 1 == r->max || r->min < r->max) && r->min > 0)
 	fprintf (codefile,
-		 "if ((%s)->%s < %d) {\n"
+		 "if ((%s)->%s < %lld) {\n"
 		 "e = ASN1_MIN_CONSTRAINT; %s;\n"
 		 "}\n",
-		 name, length, r->min, forwstr);
+		 name, length, (long long)r->min, forwstr);
     if (r->max == r->min)
 	fprintf (codefile,
-		 "if ((%s)->%s != %d) {\n"
+		 "if ((%s)->%s != %lld) {\n"
 		 "e = ASN1_EXACT_CONSTRAINT; %s;\n"
 		 "}\n",
-		 name, length, r->min, forwstr);
+		 name, length, (long long)r->min, forwstr);
 }
 
 static int
@@ -242,6 +242,14 @@ decode_type (const char *name, const Type *t, int optional,
     }
     case TInteger:
 	if(t->members) {
+	    /*
+	     * This will produce a worning, how its hard to fix since:
+	     * if its enum to an NameType, we can add appriate
+	     * type-cast. If its not though, we have to figure out if
+	     * there is negative enum enum and use appropriate
+	     * signness and size on the intertype we cast the result
+	     * too.
+	     */
 	    fprintf(codefile,
 		    "{\n"
 		    "int enumint;\n");
@@ -252,15 +260,17 @@ decode_type (const char *name, const Type *t, int optional,
 		    name);
 	} else if (t->range == NULL) {
 	    decode_primitive ("heim_integer", name, forwstr);
-	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
+	} else if (t->range->min < INT_MIN && t->range->max <= INT64_MAX) {
+	    decode_primitive ("integer64", name, forwstr);
+	} else if (t->range->min >= 0 && t->range->max > UINT_MAX) {
+	    decode_primitive ("unsigned64", name, forwstr);
+	} else if (t->range->min >= INT_MIN && t->range->max <= INT_MAX) {
 	    decode_primitive ("integer", name, forwstr);
-	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
-	    decode_primitive ("unsigned", name, forwstr);
-	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	} else if (t->range->min >= 0 && t->range->max <= UINT_MAX) {
 	    decode_primitive ("unsigned", name, forwstr);
 	} else
-	    errx(1, "%s: unsupported range %d -> %d",
-		 name, t->range->min, t->range->max);
+	    errx(1, "%s: unsupported range %lld -> %lld",
+		 name, (long long)t->range->min, (long long)t->range->max);
 	break;
     case TBoolean:
       decode_primitive ("boolean", name, forwstr);
diff --git a/lib/asn1/gen_encode.c b/lib/asn1/gen_encode.c
index 1bd47484d83a..60433a00e705 100644
--- a/lib/asn1/gen_encode.c
+++ b/lib/asn1/gen_encode.c
@@ -33,8 +33,6 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id$");
-
 static void
 encode_primitive (const char *typename, const char *name)
 {
@@ -50,7 +48,7 @@ classname(Der_class class)
 {
     const char *cn[] = { "ASN1_C_UNIV", "ASN1_C_APPL",
 			 "ASN1_C_CONTEXT", "ASN1_C_PRIV" };
-    if(class < ASN1_C_UNIV || class > ASN1_C_PRIVATE)
+    if ((int)class >= sizeof(cn) / sizeof(cn[0]))
 	return "???";
     return cn[class];
 }
@@ -129,15 +127,18 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 	    fprintf(codefile, "}\n;");
 	} else if (t->range == NULL) {
 	    encode_primitive ("heim_integer", name);
-	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
+	} else if (t->range->min < INT_MIN && t->range->max <= INT64_MAX) {
+	    encode_primitive ("integer64", name);
+	} else if (t->range->min >= 0 && t->range->max > UINT_MAX) {
+	    encode_primitive ("unsigned64", name);
+	} else if (t->range->min >= INT_MIN && t->range->max <= INT_MAX) {
 	    encode_primitive ("integer", name);
-	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
-	    encode_primitive ("unsigned", name);
-	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	} else if (t->range->min >= 0 && t->range->max <= UINT_MAX) {
 	    encode_primitive ("unsigned", name);
 	} else
-	    errx(1, "%s: unsupported range %d -> %d",
-		 name, t->range->min, t->range->max);
+	    errx(1, "%s: unsupported range %lld -> %lld",
+		 name, (long long)t->range->min, (long long)t->range->max);
+
 	constructed = 0;
 	break;
     case TBoolean:
@@ -287,7 +288,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
 
 	fprintf(codefile,
 		"{\n"
-		"struct heim_octet_string *val;\n"
+		"heim_octet_string *val;\n"
 		"size_t elen = 0, totallen = 0;\n"
 		"int eret = 0;\n");
 
diff --git a/lib/asn1/gen_glue.c b/lib/asn1/gen_glue.c
index 5ab93305a24e..773ce787d5ed 100644
--- a/lib/asn1/gen_glue.c
+++ b/lib/asn1/gen_glue.c
@@ -147,7 +147,8 @@ generate_glue (const Type *t, const char *gen_name)
 	if (!ASN1_TAILQ_EMPTY(t->members)) {
 	    generate_2int (t, gen_name);
 	    generate_int2 (t, gen_name);
-	    generate_units (t, gen_name);
+	    if (parse_units_flag)
+		generate_units (t, gen_name);
 	}
 	break;
     default :
diff --git a/lib/asn1/gen_length.c b/lib/asn1/gen_length.c
index 20b5adfe5d02..7a8a725a0ad1 100644
--- a/lib/asn1/gen_length.c
+++ b/lib/asn1/gen_length.c
@@ -80,16 +80,17 @@ length_type (const char *name, const Type *t,
 	    fprintf(codefile, "}\n");
 	} else if (t->range == NULL) {
 	    length_primitive ("heim_integer", name, variable);
-	} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
+	} else if (t->range->min < INT_MIN && t->range->max <= INT64_MAX) {
+	    length_primitive ("integer64", name, variable);
+	} else if (t->range->min >= 0 && t->range->max > UINT_MAX) {
+	    length_primitive ("unsigned64", name, variable);
+	} else if (t->range->min >= INT_MIN && t->range->max <= INT_MAX) {
 	    length_primitive ("integer", name, variable);
-	} else if (t->range->min == 0 && t->range->max == UINT_MAX) {
-	    length_primitive ("unsigned", name, variable);
-	} else if (t->range->min == 0 && t->range->max == INT_MAX) {
+	} else if (t->range->min >= 0 && t->range->max <= UINT_MAX) {
 	    length_primitive ("unsigned", name, variable);
 	} else
-	    errx(1, "%s: unsupported range %d -> %d",
-		 name, t->range->min, t->range->max);
-
+	    errx(1, "%s: unsupported range %lld -> %lld",
+		 name, (long long)t->range->min, (long long)t->range->max);
 	break;
     case TBoolean:
 	fprintf (codefile, "%s += 1;\n", variable);
@@ -188,14 +189,15 @@ length_type (const char *name, const Type *t,
 	fprintf (codefile,
 		 "{\n"
 		 "size_t %s_oldret = %s;\n"
-		 "int i;\n"
+		 "unsigned int n_%s;\n"
 		 "%s = 0;\n",
-		 tmpstr, variable, variable);
+		 tmpstr, variable, tmpstr, variable);
 
-	fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
+	fprintf (codefile, "for(n_%s = (%s)->len; n_%s > 0; --n_%s){\n",
+		 tmpstr, name, tmpstr, tmpstr);
 	fprintf (codefile, "size_t %s_for_oldret = %s;\n"
 		 "%s = 0;\n", tmpstr, variable, variable);
-	if (asprintf (&n, "&(%s)->val[i]", name) < 0  || n == NULL)
+	if (asprintf (&n, "&(%s)->val[n_%s - 1]", name, tmpstr) < 0  || n == NULL)
 	    errx(1, "malloc");
 	if (asprintf (&sname, "%s_S_Of", tmpstr) < 0 || sname == NULL)
 	    errx(1, "malloc");
diff --git a/lib/asn1/gen_locl.h b/lib/asn1/gen_locl.h
index 9e87b0c578c7..288631e98469 100644
--- a/lib/asn1/gen_locl.h
+++ b/lib/asn1/gen_locl.h
@@ -92,10 +92,13 @@ void gen_template_import(const Symbol *);
 
 
 extern FILE *privheaderfile, *headerfile, *codefile, *logfile, *templatefile;
+extern const char *fuzzer_string;
 extern int support_ber;
 extern int template_flag;
 extern int rfc1510_bitstring;
 extern int one_code_file;
+extern int parse_units_flag;
+extern char *type_file_string;
 
 extern int error_flag;
 
diff --git a/lib/asn1/gen_template.c b/lib/asn1/gen_template.c
index edd68e122380..d469201e554d 100644
--- a/lib/asn1/gen_template.c
+++ b/lib/asn1/gen_template.c
@@ -3,7 +3,7 @@
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
- * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,11 +52,13 @@ integer_symbol(const char *basename, const Type *t)
 	return "int"; /* XXX enum foo */
     else if (t->range == NULL)
 	return "heim_integer";
-    else if (t->range->min == INT_MIN && t->range->max == INT_MAX)
+    else if (t->range->min < INT_MIN && t->range->max <= INT64_MAX)
+	return "int64_t";
+    else if (t->range->min >= 0 && t->range->max > UINT_MAX)
+	return "uint64_t";
+    else if (t->range->min >= INT_MIN && t->range->max <= INT_MAX)
 	return "int";
-    else if (t->range->min == 0 && t->range->max == UINT_MAX)
-	return "unsigned";
-    else if (t->range->min == 0 && t->range->max == INT_MAX)
+    else if (t->range->min >= 0 && t->range->max <= UINT_MAX)
 	return "unsigned";
     else {
 	abort();
@@ -114,6 +116,12 @@ ia5string_symbol(const char *basename, const Type *t)
 }
 
 static const char *
+teletexstring_symbol(const char *basename, const Type *t)
+{
+    return "heim_teletex_string";
+}
+
+static const char *
 visiblestring_symbol(const char *basename, const Type *t)
 {
     return "heim_visible_string";
@@ -164,6 +172,7 @@ struct {
     { TGeneralString, generalstring_symbol, 0 },
     { TGeneralizedTime, time_symbol, 0 },
     { TIA5String, ia5string_symbol, 0 },
+    { TTeletexString, generalstring_symbol, 0 },
     { TInteger, integer_symbol, 0 },
     { TOID, oid_symbol, 0 },
     { TOctetString, octetstring_symbol, 0 },
@@ -175,6 +184,7 @@ struct {
     { TType, ttype_symbol, 1 },
     { TUTCTime, time_symbol, 0 },
     { TUniversalString, universalstring_symbol, 0 },
+    { TTeletexString, teletexstring_symbol, 0 },
     { TVisibleString,  visiblestring_symbol, 0 },
     { TUTF8String, utf8string_symbol, 0 },
     { TChoice, sequence_symbol, 1 },
@@ -221,12 +231,12 @@ symbol_name(const char *basename, const Type *t)
 
 
 static char *
-partial_offset(const char *basetype, const char *name, int need_offset)
+partial_offset(const char *basetype, const char *name, int need_offset, int isstruct)
 {
     char *str;
     if (name == NULL || need_offset == 0)
 	return strdup("0");
-    if (asprintf(&str, "offsetof(struct %s, %s)", basetype, name) < 0 || str == NULL)
+    if (asprintf(&str, "offsetof(%s%s, %s)", isstruct ? "struct " : "", basetype, name) < 0 || str == NULL)
 	errx(1, "malloc");
     return str;
 }
@@ -250,13 +260,13 @@ struct tlist {
 
 ASN1_TAILQ_HEAD(tlisthead, tlist);
 
-static void tlist_header(struct tlist *, const char *, ...) __attribute__((__format__(__printf__, 2, 3)));
+static void tlist_header(struct tlist *, const char *, ...) __attribute__ ((__format__ (__printf__, 2, 3)));
 static struct template *
-    add_line(struct templatehead *, const char *, ...) __attribute__((__format__(__printf__, 2, 3)));
+    add_line(struct templatehead *, const char *, ...) __attribute__ ((__format__ (__printf__, 2, 3)));
 static int tlist_cmp(const struct tlist *, const struct tlist *);
 
 static void add_line_pointer(struct templatehead *, const char *, const char *, const char *, ...)
-    __attribute__((__format__(__printf__, 4, 5)));
+    __attribute__ ((__format__ (__printf__, 4, 5)));
 
 
 static struct tlisthead tlistmaster = ASN1_TAILQ_HEAD_INITIALIZER(tlistmaster);
@@ -306,7 +316,7 @@ tlist_print(struct tlist *tl)
     unsigned int i = 1;
     FILE *f = get_code_file();
 
-    fprintf(f, "static const struct asn1_template asn1_%s[] = {\n", tl->name);
+    fprintf(f, "const struct asn1_template asn1_%s[] = {\n", tl->name);
     fprintf(f, "/* 0 */ %s,\n", tl->header);
     ASN1_TAILQ_FOREACH(q, &tl->template, members) {
 	int last = (ASN1_TAILQ_LAST(&tl->template, templatehead) == q);
@@ -331,6 +341,10 @@ tlist_cmp_name(const char *tname, const char *qname)
 {
     struct tlist *tl = tlist_find_by_name(tname);
     struct tlist *ql = tlist_find_by_name(qname);
+    if (tl == NULL)
+	return 1;
+    if (ql == NULL)
+	return -1;
     return tlist_cmp(tl, ql);
 }
 
@@ -431,7 +445,7 @@ use_extern(const Symbol *s)
 }
 
 static int
-is_struct(Type *t, int isstruct)
+is_struct(const Type *t, int isstruct)
 {
     size_t i;
 
@@ -463,24 +477,28 @@ compact_tag(const Type *t)
 }
 
 static void
-template_members(struct templatehead *temp, const char *basetype, const char *name, const Type *t, int optional, int isstruct, int need_offset)
+template_members(struct templatehead *temp, const char *basetype, const char *name, const Type *t, int optional, int implicit, int isstruct, int need_offset)
 {
     char *poffset = NULL;
 
     if (optional && t->type != TTag && t->type != TType)
 	errx(1, "%s...%s is optional and not a (TTag or TType)", basetype, name);
 
-    poffset = partial_offset(basetype, name, need_offset);
+    poffset = partial_offset(basetype, name, need_offset, isstruct);
 
     switch (t->type) {
     case TType:
 	if (use_extern(t->symbol)) {
-	    add_line(temp, "{ A1_OP_TYPE_EXTERN %s, %s, &asn1_extern_%s}",
+	    add_line(temp, "{ A1_OP_TYPE_EXTERN %s%s, %s, &asn1_extern_%s}",
 		     optional ? "|A1_FLAG_OPTIONAL" : "",
+		     implicit ? "|A1_FLAG_IMPLICIT" : "",
 		     poffset, t->symbol->gen_name);
 	} else {
 	    add_line_pointer(temp, t->symbol->gen_name, poffset,
-			     "A1_OP_TYPE %s", optional ? "|A1_FLAG_OPTIONAL" : "");
+			     "A1_OP_TYPE %s%s",
+			     optional ? "|A1_FLAG_OPTIONAL" : "",
+			     implicit ? "|A1_FLAG_IMPLICIT" : "");
+
 	}
 	break;
     case TInteger: {
@@ -490,15 +508,17 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	    itype = "IMEMBER";
 	else if (t->range == NULL)
 	    itype = "HEIM_INTEGER";
-	else if (t->range->min == INT_MIN && t->range->max == INT_MAX)
+	else if (t->range->min < INT_MIN && t->range->max <= INT64_MAX)
+	    itype = "INTEGER64";
+	else if (t->range->min >= 0 && t->range->max > UINT_MAX)
+	    itype = "UNSIGNED64";
+	else if (t->range->min >= INT_MIN && t->range->max <= INT_MAX)
 	    itype = "INTEGER";
-	else if (t->range->min == 0 && t->range->max == UINT_MAX)
-	    itype = "UNSIGNED";
-	else if (t->range->min == 0 && t->range->max == INT_MAX)
+	else if (t->range->min >= 0 && t->range->max <= UINT_MAX)
 	    itype = "UNSIGNED";
 	else
-	    errx(1, "%s: unsupported range %d -> %d",
-		 name, t->range->min, t->range->max);
+	    errx(1, "%s: unsupported range %lld -> %lld",
+		 name, (long long)t->range->min, (long long)t->range->max);
 
 	add_line(temp, "{ A1_PARSE_T(A1T_%s), %s, NULL }", itype, poffset);
 	break;
@@ -545,19 +565,22 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
     case TNull:
 	break;
     case TBitString: {
-	struct templatehead template = ASN1_TAILQ_HEAD_INITIALIZER(template);
+	struct templatehead template;
 	struct template *q;
 	Member *m;
 	size_t count = 0, i;
 	char *bname = NULL;
 	FILE *f = get_code_file();
+	static unsigned long bmember_counter = 0;
+
+	ASN1_TAILQ_INIT(&template);
 
 	if (ASN1_TAILQ_EMPTY(t->members)) {
 	    add_line(temp, "{ A1_PARSE_T(A1T_HEIM_BIT_STRING), %s, NULL }", poffset);
 	    break;
 	}
 
-	if (asprintf(&bname, "bmember_%s_%p", name ? name : "", t) < 0 || bname == NULL)
+	if (asprintf(&bname, "bmember_%s_%lu", name ? name : "", bmember_counter++) < 0 || bname == NULL)
 	    errx(1, "malloc");
 	output_name(bname);
 
@@ -589,6 +612,8 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
     case TSequence: {
 	Member *m;
 
+	fprintf(get_code_file(), "/* tsequence: members isstruct: %d */\n", isstruct);
+
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
 	    char *newbasename = NULL;
 
@@ -603,7 +628,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	    if (newbasename == NULL)
 		errx(1, "malloc");
 
-	    template_members(temp, newbasename, m->gen_name, m->type, m->optional, isstruct, 1);
+	    template_members(temp, newbasename, m->gen_name, m->type, m->optional, 0, isstruct, 1);
 
 	    free(newbasename);
 	}
@@ -614,13 +639,47 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	char *tname = NULL, *elname = NULL;
 	const char *sename, *dupname;
 	int subtype_is_struct = is_struct(t->subtype, isstruct);
+	static unsigned long tag_counter = 0;
+	int tagimplicit = (t->tag.tagenv == TE_IMPLICIT);
+	struct type *subtype;
+
+	fprintf(get_code_file(), "/* template_members: %s %s %s */\n", basetype, implicit ? "imp" : "exp", tagimplicit ? "imp" : "exp");
+
+	if (tagimplicit) {
+
+	    struct type *type = t->subtype;
+	    int have_tag = 0;
+
+	    while (!have_tag) {
+		if (type->type == TTag) {
+		    fprintf(get_code_file(), "/* template_members: imp skip tag */\n");
+		    type = type->subtype;
+		    have_tag = 1;
+		} else if(type->type == TType && type->symbol && type->symbol->type) {
+		    /* XXX really, we should stop here and find a
+		     * pointer to where this is encoded instead of
+		     * generated an new structure and hope that the
+		     * optimizer catch it later.
+		     */
+		    subtype_is_struct = is_struct(type, isstruct);
+		    fprintf(get_code_file(), "/* template_members: imp skip type %s isstruct: %d */\n",
+			    type->symbol->name, subtype_is_struct);
+		    type = type->symbol->type;
+		} else {
+		    have_tag = 1;
+		}
+	    }
+	    subtype = type;
+	} else {
+	    subtype = t->subtype;
+	}
 
 	if (subtype_is_struct)
 	    sename = basetype;
 	else
-	    sename = symbol_name(basetype, t->subtype);
+	    sename = symbol_name(basetype, subtype);
 
-	if (asprintf(&tname, "tag_%s_%p", name ? name : "", t) < 0 || tname == NULL)
+	if (asprintf(&tname, "tag_%s_%lu", name ? name : "", tag_counter++) < 0 || tname == NULL)
 	    errx(1, "malloc");
 	output_name(tname);
 
@@ -628,14 +687,15 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	    errx(1, "malloc");
 
 	generate_template_type(elname, &dupname, NULL, sename, name,
-			       t->subtype, 0, subtype_is_struct, 0);
+			       subtype, 0, subtype_is_struct, 0);
 
 	add_line_pointer(temp, dupname, poffset,
-			 "A1_TAG_T(%s,%s,%s)%s",
+			 "A1_TAG_T(%s,%s,%s)%s%s",
 			 classname(t->tag.tagclass),
-			 is_primitive_type(t->subtype->type)  ? "PRIM" : "CONS",
+			 is_primitive_type(subtype->type)  ? "PRIM" : "CONS",
 			 valuename(t->tag.tagclass, t->tag.tagvalue),
-			 optional ? "|A1_FLAG_OPTIONAL" : "");
+			 optional ? "|A1_FLAG_OPTIONAL" : "",
+			 tagimplicit ? "|A1_FLAG_IMPLICIT" : "");
 
 	free(tname);
 	free(elname);
@@ -647,6 +707,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	const char *type = NULL, *tname, *dupname;
 	char *sename = NULL, *elname = NULL;
 	int subtype_is_struct = is_struct(t->subtype, 0);
+	static unsigned long seof_counter = 0;
 
 	if (name && subtype_is_struct) {
 	    tname = "seofTstruct";
@@ -670,7 +731,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	else if (t->type == TSequenceOf) type = "A1_OP_SEQOF";
 	else abort();
 
-	if (asprintf(&elname, "%s_%s_%p", basetype, tname, t) < 0 || elname == NULL)
+	if (asprintf(&elname, "%s_%s_%lu", basetype, tname, seof_counter++) < 0 || elname == NULL)
 	    errx(1, "malloc");
 
 	generate_template_type(elname, &dupname, NULL, sename, NULL, t->subtype,
@@ -681,7 +742,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	break;
     }
     case TChoice: {
-	struct templatehead template = ASN1_TAILQ_HEAD_INITIALIZER(template);
+	struct templatehead template;
 	struct template *q;
 	size_t count = 0, i;
 	char *tname = NULL;
@@ -689,9 +750,12 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	Member *m;
 	int ellipsis = 0;
 	char *e;
+	static unsigned long choice_counter = 0;
+
+	ASN1_TAILQ_INIT(&template);
 
-	if (asprintf(&tname, "asn1_choice_%s_%s%x",
-		     basetype, name ? name : "", (unsigned int)(uintptr_t)t) < 0 || tname == NULL)
+	if (asprintf(&tname, "asn1_choice_%s_%s%lu",
+		     basetype, name ? name : "", choice_counter++) < 0 || tname == NULL)
 	    errx(1, "malloc");
 
 	ASN1_TAILQ_FOREACH(m, t->members, members) {
@@ -803,12 +867,20 @@ generate_template_type(const char *varname,
 		       int optional, int isstruct, int need_offset)
 {
     struct tlist *tl;
-    const char *dup;
+    const char *d;
+    char *szt = NULL;
     int have_ellipsis = 0;
+    int implicit = 0;
+    int n;
 
     tl = tlist_new(varname);
 
-    template_members(&tl->template, basetype, name, type, optional, isstruct, need_offset);
+    if (type->type == TTag)
+	implicit = (type->tag.tagenv == TE_IMPLICIT);
+
+    fprintf(get_code_file(), "extern const struct asn1_template asn1_%s[];\n", tl->name);
+
+    template_members(&tl->template, basetype, name, type, optional, implicit, isstruct, need_offset);
 
     /* if its a sequence or set type, check if there is a ellipsis */
     if (type->type == TSequence || type->type == TSet) {
@@ -819,19 +891,34 @@ generate_template_type(const char *varname,
 	}
     }
 
+    if (isstruct)
+	if (name)
+	    n = asprintf(&szt, "struct %s_%s", basetype, name);
+	else
+	    n = asprintf(&szt, "struct %s", basetype);
+    else
+	n = asprintf(&szt, "%s", basetype);
+    if (n < 0 || szt == NULL)
+	errx(1, "malloc");
+
     if (ASN1_TAILQ_EMPTY(&tl->template) && compact_tag(type)->type != TNull)
 	errx(1, "Tag %s...%s with no content ?", basetype, name ? name : "");
 
-    tlist_header(tl, "{ 0%s%s, sizeof(%s%s), ((void *)%lu) }",
+    fprintf(get_code_file(), "/* generate_template_type: %s */\n", tl->name);
+
+    tlist_header(tl, "{ 0%s%s, sizeof(%s), ((void *)%lu) }",
 		 (symname && preserve_type(symname)) ? "|A1_HF_PRESERVE" : "",
-		 have_ellipsis ? "|A1_HF_ELLIPSIS" : "",
-		 isstruct ? "struct " : "", basetype, tlist_count(tl));
-
-    dup = tlist_find_dup(tl);
-    if (dup) {
-	if (strcmp(dup, tl->name) == 0)
-	    errx(1, "found dup of ourself");
-	*dupname = dup;
+		 have_ellipsis ? "|A1_HF_ELLIPSIS" : "", szt, tlist_count(tl));
+
+    free(szt);
+
+    d = tlist_find_dup(tl);
+    if (d) {
+#if 0
+	if (strcmp(d, tl->name) == 0)
+	    errx(1, "found dup of ourself: %s", d);
+#endif
+	*dupname = d;
     } else {
 	*dupname = tl->name;
 	tlist_print(tl);
@@ -871,11 +958,12 @@ generate_template(const Symbol *s)
 	    "int\n"
 	    "encode_%s(unsigned char *p, size_t len, const %s *data, size_t *size)\n"
 	    "{\n"
-	    "    return _asn1_encode(asn1_%s, p, len, data, size);\n"
+	    "    return _asn1_encode%s(asn1_%s, p, len, data, size);\n"
 	    "}\n"
 	    "\n",
 	    s->gen_name,
 	    s->gen_name,
+	    fuzzer_string,
 	    dupname);
 
     fprintf(f,
@@ -883,11 +971,12 @@ generate_template(const Symbol *s)
 	    "size_t\n"
 	    "length_%s(const %s *data)\n"
 	    "{\n"
-	    "    return _asn1_length(asn1_%s, data);\n"
+	    "    return _asn1_length%s(asn1_%s, data);\n"
 	    "}\n"
 	    "\n",
 	    s->gen_name,
 	    s->gen_name,
+	    fuzzer_string,
 	    dupname);
 
 
@@ -896,7 +985,7 @@ generate_template(const Symbol *s)
 	    "void\n"
 	    "free_%s(%s *data)\n"
 	    "{\n"
-	    "    _asn1_free(asn1_%s, data);\n"
+	    "    _asn1_free_top(asn1_%s, data);\n"
 	    "}\n"
 	    "\n",
 	    s->gen_name,
diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1
index 568fe0cd04b4..12986ea4e064 100644
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -63,6 +63,8 @@ EXPORTS
 	PA-ServerReferralData,
 	PA-SvrReferralData,
 	PADATA-TYPE,
+	PA-FX-FAST-REQUEST,
+	PA-FX-FAST-REPLY,
 	Principal,
 	PrincipalName,
 	Principals,
@@ -72,7 +74,19 @@ EXPORTS
 	Ticket,
 	TicketFlags,
 	TransitedEncoding,
-	TypedData
+	TypedData,
+	KrbFastResponse,
+	KrbFastFinished,
+	KrbFastReq,
+	KrbFastArmor,
+	KDCFastState,
+	KDCFastCookie,
+	KDC-PROXY-MESSAGE,
+	KERB-TIMES,
+	KERB-CRED,
+	KERB-TGS-REQ-IN,
+	KERB-TGS-REQ-OUT,
+	KERB-ARMOR-SERVICE-REPLY
 	;
 
 NAME-TYPE ::= INTEGER {
@@ -86,10 +100,15 @@ NAME-TYPE ::= INTEGER {
 	KRB5_NT_SMTP_NAME(7),	-- Name in form of SMTP email name
 	KRB5_NT_ENTERPRISE_PRINCIPAL(10), -- Windows 2000 UPN
 	KRB5_NT_WELLKNOWN(11),	-- Wellknown
+	KRB5_NT_SRV_HST_DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
 	KRB5_NT_ENT_PRINCIPAL_AND_ID(-130), -- Windows 2000 UPN and SID
 	KRB5_NT_MS_PRINCIPAL(-128), -- NT 4 style name
 	KRB5_NT_MS_PRINCIPAL_AND_ID(-129), -- NT style name and SID
-	KRB5_NT_NTLM(-1200) -- NTLM name, realm is domain
+	KRB5_NT_NTLM(-1200), -- NTLM name, realm is domain
+	KRB5_NT_X509_GENERAL_NAME(-1201), -- x509 general name (base64 encoded)
+	KRB5_NT_GSS_HOSTBASED_SERVICE(-1202), -- not used; remove
+	KRB5_NT_CACHE_UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
+	KRB5_NT_SRV_HST_NEEDS_CANON (-195894762) -- Internal: indicates that name canonicalization is needed
 }
 
 -- message types
@@ -142,6 +161,7 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-SAM-CHALLENGE2(30),		-- (kenh@pobox.com)
 	KRB5-PADATA-SAM-RESPONSE2(31),		-- (kenh@pobox.com)
 	KRB5-PA-EXTRA-TGT(41),			-- Reserved extra TGT
+	KRB5-PADATA-FX-FAST-ARMOR(71),		-- fast armor
 	KRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
 	KRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
 	KRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
@@ -157,7 +177,6 @@ PADATA-TYPE ::= INTEGER {
 						-- tell KDC that is supports
 						-- the asCheckSum in the
 						--  PK-AS-REP
-	KRB5-PADATA-CLIENT-CANONICALIZED(133),	-- referals
 	KRB5-PADATA-FX-COOKIE(133),		-- krb-wg-preauth-framework
 	KRB5-PADATA-AUTHENTICATION-SET(134),	-- krb-wg-preauth-framework
 	KRB5-PADATA-AUTH-SET-SELECTED(135),	-- krb-wg-preauth-framework
@@ -214,6 +233,8 @@ CKSUMTYPE ::= INTEGER {
 	CKSUMTYPE_SHA1(14),
 	CKSUMTYPE_HMAC_SHA1_96_AES_128(15),
 	CKSUMTYPE_HMAC_SHA1_96_AES_256(16),
+	CKSUMTYPE_HMAC_SHA256_128_AES128(19),
+	CKSUMTYPE_HMAC_SHA384_192_AES256(20),
 	CKSUMTYPE_GSSAPI(0x8003),
 	CKSUMTYPE_HMAC_MD5(-138),	-- unofficial microsoft number
 	CKSUMTYPE_HMAC_MD5_ENC(-1138)	-- even more unofficial
@@ -233,6 +254,8 @@ ENCTYPE ::= INTEGER {
 	KRB5_ENCTYPE_DES3_CBC_SHA1(16),	-- with key derivation
 	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
 	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
+	KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128(19),
+	KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192(20),
 	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
 	KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
 	KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
@@ -319,8 +342,8 @@ TicketFlags ::= BIT STRING {
 	hw-authent(11),
 	transited-policy-checked(12),
 	ok-as-delegate(13),
-	anonymous(14),
-	enc-pa-rep(15)
+	enc-pa-rep(15),
+	anonymous(16)
 }
 
 KDCOptions ::= BIT STRING {
@@ -332,9 +355,9 @@ KDCOptions ::= BIT STRING {
 	allow-postdate(5),
 	postdated(6),
 	renewable(8),
-	request-anonymous(14),
+	constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
 	canonicalize(15),
-	constrained-delegation(16), -- ms extension
+	request-anonymous(16),
 	disable-transited-check(26),
 	renewable-ok(27),
 	enc-tkt-in-skey(28),
@@ -361,7 +384,7 @@ LastReq ::= SEQUENCE OF SEQUENCE {
 
 EncryptedData ::= SEQUENCE {
 	etype[0] 		ENCTYPE, -- EncryptionType
-	kvno[1]			krb5uint32 OPTIONAL,
+	kvno[1]			krb5int32 OPTIONAL,
 	cipher[2]		OCTET STRING -- ciphertext
 }
 
@@ -732,16 +755,6 @@ KRB5SignedPath ::= SEQUENCE {
 	method_data[3]  METHOD-DATA OPTIONAL
 }
 
-PA-ClientCanonicalizedNames ::= SEQUENCE{
-	requested-name	[0] PrincipalName,
-	mapped-name	[1] PrincipalName
-}
-
-PA-ClientCanonicalized ::= SEQUENCE {
-	names		[0] PA-ClientCanonicalizedNames,
-	canon-checksum	[1] Checksum
-}
-
 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
 	login-alias	[0] PrincipalName,
 	checksum	[1] Checksum
@@ -766,12 +779,12 @@ PA-ServerReferralData ::= SEQUENCE {
 FastOptions ::= BIT STRING {
 	    reserved(0),
 	    hide-client-names(1),
-	    kdc-follow--referrals(16)
+	    kdc-follow-referrals(16)
 }
 
 KrbFastReq ::= SEQUENCE {
 	fast-options [0] FastOptions,
-	padata       [1] SEQUENCE OF PA-DATA,
+	padata       [1] METHOD-DATA,
 	req-body     [2] KDC-REQ-BODY,
 	...
 }
@@ -798,15 +811,15 @@ KrbFastFinished ::= SEQUENCE {
 	usec        [1] krb5int32,
 	crealm      [2] Realm,
 	cname       [3] PrincipalName,
-	checksum    [4] Checksum,
-	ticket-checksum [5] Checksum,
+	ticket-checksum [4] Checksum,
 	...
 }
 
 KrbFastResponse ::= SEQUENCE {
-	padata      [0] SEQUENCE OF PA-DATA,
-	rep-key     [1] EncryptionKey OPTIONAL,
-	finished    [2] KrbFastFinished OPTIONAL,
+	padata      	[0] METHOD-DATA,
+        strengthen-key	[1] EncryptionKey OPTIONAL,
+	finished	[2] KrbFastFinished OPTIONAL,
+        nonce		[3] krb5uint32,
 	...
 }
 
@@ -820,6 +833,89 @@ PA-FX-FAST-REPLY ::= CHOICE {
 	...
 }
 
+KDCFastFlags ::= BIT STRING {
+	use_reply_key(0),
+	reply_key_used(1),
+	reply_key_replaced(2),
+	kdc_verfied(3)
+}
+
+-- KDCFastState is stored in FX_COOKIE
+KDCFastState ::= SEQUENCE {
+	flags [0] KDCFastFlags,
+	expiration [1] GeneralizedTime,
+	fast-state [2] METHOD-DATA,
+	expected-pa-types [3] SEQUENCE OF PADATA-TYPE OPTIONAL
+}
+
+KDCFastCookie ::= SEQUENCE {
+	version [0] UTF8String,
+	cookie [1] EncryptedData
+}
+
+KDC-PROXY-MESSAGE ::= SEQUENCE {
+	kerb-message	[0] OCTET STRING,
+	target-domain	[1] Realm OPTIONAL,
+	dclocator-hint	[2] INTEGER OPTIONAL
+}
+
+-- these messages are used in the GSSCred communication and is not part of Kerberos propper
+
+KERB-TIMES ::= SEQUENCE {
+	authtime	[0] KerberosTime,
+	starttime	[1] KerberosTime,
+	endtime		[2] KerberosTime,
+	renew_till	[3] KerberosTime
+}
+
+KERB-CRED ::= SEQUENCE {
+	client		[0] Principal,
+	server		[1] Principal,
+	keyblock	[2] EncryptionKey,
+	times		[3] KERB-TIMES,
+	ticket		[4] OCTET STRING,
+	authdata	[5] OCTET STRING,
+	addresses	[6] HostAddresses,
+	flags		[7] TicketFlags
+}
+
+KERB-TGS-REQ-IN ::= SEQUENCE {
+	cache		[0] OCTET STRING SIZE (16),
+	addrs		[1] HostAddresses,
+	flags		[2] krb5uint32,
+	imp		[3] Principal OPTIONAL,
+	ticket		[4] OCTET STRING OPTIONAL,
+	in_cred		[5] KERB-CRED,
+	krbtgt		[6] KERB-CRED,
+	padata		[7] METHOD-DATA
+}
+
+KERB-TGS-REQ-OUT ::= SEQUENCE {
+	subkey		[0] EncryptionKey OPTIONAL,
+	t		[1] TGS-REQ
+}
+
+
+
+KERB-TGS-REP-IN ::= SEQUENCE {
+	cache		[0] OCTET STRING SIZE (16),
+	subkey		[1] EncryptionKey OPTIONAL,
+	in_cred		[2] KERB-CRED,
+	t		[3] TGS-REP
+}
+
+KERB-TGS-REP-OUT ::= SEQUENCE {
+	cache		[0] OCTET STRING SIZE (16),
+	cred		[1] KERB-CRED,
+	subkey		[2] EncryptionKey
+}
+
+KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
+	armor		[0] KrbFastArmor,
+	armor-key	[1] EncryptionKey
+}
+
+
 END
 
 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
diff --git a/lib/asn1/lex.c b/lib/asn1/lex.c
index 3f2dc92e2775..810c00c30935 100644
--- a/lib/asn1/lex.c
+++ b/lib/asn1/lex.c
@@ -46,6 +46,7 @@ typedef int16_t flex_int16_t;
 typedef uint16_t flex_uint16_t;
 typedef int32_t flex_int32_t;
 typedef uint32_t flex_uint32_t;
+typedef uint64_t flex_uint64_t;
 #else
 typedef signed char flex_int8_t;
 typedef short int flex_int16_t;
@@ -354,7 +355,7 @@ static void yy_fatal_error (yyconst char msg[]  );
  */
 #define YY_DO_BEFORE_ACTION \
 	(yytext_ptr) = yy_bp; \
-	yyleng = (size_t) (yy_cp - yy_bp); \
+	yyleng = (yy_size_t) (yy_cp - yy_bp); \
 	(yy_hold_char) = *yy_cp; \
 	*yy_cp = '\0'; \
 	(yy_c_buf_p) = yy_cp;
@@ -790,7 +791,7 @@ char *yytext;
 #line 1 "lex.l"
 #line 2 "lex.l"
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -830,6 +831,7 @@ char *yytext;
 #include <stdio.h>
 #include <stdarg.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
@@ -847,7 +849,7 @@ static unsigned lineno = 1;
 static void unterminated(const char *, unsigned);
 
 /* This is for broken old lexes (solaris 10 and hpux) */
-#line 851 "lex.c"
+#line 853 "lex.c"
 
 #define INITIAL 0
 
@@ -1029,9 +1031,9 @@ YY_DECL
 	register char *yy_cp, *yy_bp;
 	register int yy_act;
     
-#line 68 "lex.l"
+#line 69 "lex.l"
 
-#line 1035 "lex.c"
+#line 1037 "lex.c"
 
 	if ( !(yy_init) )
 		{
@@ -1116,427 +1118,427 @@ do_action:	/* This label is used only to access EOF actions. */
 
 case 1:
 YY_RULE_SETUP
-#line 69 "lex.l"
+#line 70 "lex.l"
 { return kw_ABSENT; }
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 70 "lex.l"
+#line 71 "lex.l"
 { return kw_ABSTRACT_SYNTAX; }
 	YY_BREAK
 case 3:
 YY_RULE_SETUP
-#line 71 "lex.l"
+#line 72 "lex.l"
 { return kw_ALL; }
 	YY_BREAK
 case 4:
 YY_RULE_SETUP
-#line 72 "lex.l"
+#line 73 "lex.l"
 { return kw_APPLICATION; }
 	YY_BREAK
 case 5:
 YY_RULE_SETUP
-#line 73 "lex.l"
+#line 74 "lex.l"
 { return kw_AUTOMATIC; }
 	YY_BREAK
 case 6:
 YY_RULE_SETUP
-#line 74 "lex.l"
+#line 75 "lex.l"
 { return kw_BEGIN; }
 	YY_BREAK
 case 7:
 YY_RULE_SETUP
-#line 75 "lex.l"
+#line 76 "lex.l"
 { return kw_BIT; }
 	YY_BREAK
 case 8:
 YY_RULE_SETUP
-#line 76 "lex.l"
+#line 77 "lex.l"
 { return kw_BMPString; }
 	YY_BREAK
 case 9:
 YY_RULE_SETUP
-#line 77 "lex.l"
+#line 78 "lex.l"
 { return kw_BOOLEAN; }
 	YY_BREAK
 case 10:
 YY_RULE_SETUP
-#line 78 "lex.l"
+#line 79 "lex.l"
 { return kw_BY; }
 	YY_BREAK
 case 11:
 YY_RULE_SETUP
-#line 79 "lex.l"
+#line 80 "lex.l"
 { return kw_CHARACTER; }
 	YY_BREAK
 case 12:
 YY_RULE_SETUP
-#line 80 "lex.l"
+#line 81 "lex.l"
 { return kw_CHOICE; }
 	YY_BREAK
 case 13:
 YY_RULE_SETUP
-#line 81 "lex.l"
+#line 82 "lex.l"
 { return kw_CLASS; }
 	YY_BREAK
 case 14:
 YY_RULE_SETUP
-#line 82 "lex.l"
+#line 83 "lex.l"
 { return kw_COMPONENT; }
 	YY_BREAK
 case 15:
 YY_RULE_SETUP
-#line 83 "lex.l"
+#line 84 "lex.l"
 { return kw_COMPONENTS; }
 	YY_BREAK
 case 16:
 YY_RULE_SETUP
-#line 84 "lex.l"
+#line 85 "lex.l"
 { return kw_CONSTRAINED; }
 	YY_BREAK
 case 17:
 YY_RULE_SETUP
-#line 85 "lex.l"
+#line 86 "lex.l"
 { return kw_CONTAINING; }
 	YY_BREAK
 case 18:
 YY_RULE_SETUP
-#line 86 "lex.l"
+#line 87 "lex.l"
 { return kw_DEFAULT; }
 	YY_BREAK
 case 19:
 YY_RULE_SETUP
-#line 87 "lex.l"
+#line 88 "lex.l"
 { return kw_DEFINITIONS; }
 	YY_BREAK
 case 20:
 YY_RULE_SETUP
-#line 88 "lex.l"
+#line 89 "lex.l"
 { return kw_EMBEDDED; }
 	YY_BREAK
 case 21:
 YY_RULE_SETUP
-#line 89 "lex.l"
+#line 90 "lex.l"
 { return kw_ENCODED; }
 	YY_BREAK
 case 22:
 YY_RULE_SETUP
-#line 90 "lex.l"
+#line 91 "lex.l"
 { return kw_END; }
 	YY_BREAK
 case 23:
 YY_RULE_SETUP
-#line 91 "lex.l"
+#line 92 "lex.l"
 { return kw_ENUMERATED; }
 	YY_BREAK
 case 24:
 YY_RULE_SETUP
-#line 92 "lex.l"
+#line 93 "lex.l"
 { return kw_EXCEPT; }
 	YY_BREAK
 case 25:
 YY_RULE_SETUP
-#line 93 "lex.l"
+#line 94 "lex.l"
 { return kw_EXPLICIT; }
 	YY_BREAK
 case 26:
 YY_RULE_SETUP
-#line 94 "lex.l"
+#line 95 "lex.l"
 { return kw_EXPORTS; }
 	YY_BREAK
 case 27:
 YY_RULE_SETUP
-#line 95 "lex.l"
+#line 96 "lex.l"
 { return kw_EXTENSIBILITY; }
 	YY_BREAK
 case 28:
 YY_RULE_SETUP
-#line 96 "lex.l"
+#line 97 "lex.l"
 { return kw_EXTERNAL; }
 	YY_BREAK
 case 29:
 YY_RULE_SETUP
-#line 97 "lex.l"
+#line 98 "lex.l"
 { return kw_FALSE; }
 	YY_BREAK
 case 30:
 YY_RULE_SETUP
-#line 98 "lex.l"
+#line 99 "lex.l"
 { return kw_FROM; }
 	YY_BREAK
 case 31:
 YY_RULE_SETUP
-#line 99 "lex.l"
+#line 100 "lex.l"
 { return kw_GeneralString; }
 	YY_BREAK
 case 32:
 YY_RULE_SETUP
-#line 100 "lex.l"
+#line 101 "lex.l"
 { return kw_GeneralizedTime; }
 	YY_BREAK
 case 33:
 YY_RULE_SETUP
-#line 101 "lex.l"
+#line 102 "lex.l"
 { return kw_GraphicString; }
 	YY_BREAK
 case 34:
 YY_RULE_SETUP
-#line 102 "lex.l"
+#line 103 "lex.l"
 { return kw_IA5String; }
 	YY_BREAK
 case 35:
 YY_RULE_SETUP
-#line 103 "lex.l"
+#line 104 "lex.l"
 { return kw_IDENTIFIER; }
 	YY_BREAK
 case 36:
 YY_RULE_SETUP
-#line 104 "lex.l"
+#line 105 "lex.l"
 { return kw_IMPLICIT; }
 	YY_BREAK
 case 37:
 YY_RULE_SETUP
-#line 105 "lex.l"
+#line 106 "lex.l"
 { return kw_IMPLIED; }
 	YY_BREAK
 case 38:
 YY_RULE_SETUP
-#line 106 "lex.l"
+#line 107 "lex.l"
 { return kw_IMPORTS; }
 	YY_BREAK
 case 39:
 YY_RULE_SETUP
-#line 107 "lex.l"
+#line 108 "lex.l"
 { return kw_INCLUDES; }
 	YY_BREAK
 case 40:
 YY_RULE_SETUP
-#line 108 "lex.l"
+#line 109 "lex.l"
 { return kw_INSTANCE; }
 	YY_BREAK
 case 41:
 YY_RULE_SETUP
-#line 109 "lex.l"
+#line 110 "lex.l"
 { return kw_INTEGER; }
 	YY_BREAK
 case 42:
 YY_RULE_SETUP
-#line 110 "lex.l"
+#line 111 "lex.l"
 { return kw_INTERSECTION; }
 	YY_BREAK
 case 43:
 YY_RULE_SETUP
-#line 111 "lex.l"
+#line 112 "lex.l"
 { return kw_ISO646String; }
 	YY_BREAK
 case 44:
 YY_RULE_SETUP
-#line 112 "lex.l"
+#line 113 "lex.l"
 { return kw_MAX; }
 	YY_BREAK
 case 45:
 YY_RULE_SETUP
-#line 113 "lex.l"
+#line 114 "lex.l"
 { return kw_MIN; }
 	YY_BREAK
 case 46:
 YY_RULE_SETUP
-#line 114 "lex.l"
+#line 115 "lex.l"
 { return kw_MINUS_INFINITY; }
 	YY_BREAK
 case 47:
 YY_RULE_SETUP
-#line 115 "lex.l"
+#line 116 "lex.l"
 { return kw_NULL; }
 	YY_BREAK
 case 48:
 YY_RULE_SETUP
-#line 116 "lex.l"
+#line 117 "lex.l"
 { return kw_NumericString; }
 	YY_BREAK
 case 49:
 YY_RULE_SETUP
-#line 117 "lex.l"
+#line 118 "lex.l"
 { return kw_OBJECT; }
 	YY_BREAK
 case 50:
 YY_RULE_SETUP
-#line 118 "lex.l"
+#line 119 "lex.l"
 { return kw_OCTET; }
 	YY_BREAK
 case 51:
 YY_RULE_SETUP
-#line 119 "lex.l"
+#line 120 "lex.l"
 { return kw_OF; }
 	YY_BREAK
 case 52:
 YY_RULE_SETUP
-#line 120 "lex.l"
+#line 121 "lex.l"
 { return kw_OPTIONAL; }
 	YY_BREAK
 case 53:
 YY_RULE_SETUP
-#line 121 "lex.l"
+#line 122 "lex.l"
 { return kw_ObjectDescriptor; }
 	YY_BREAK
 case 54:
 YY_RULE_SETUP
-#line 122 "lex.l"
+#line 123 "lex.l"
 { return kw_PATTERN; }
 	YY_BREAK
 case 55:
 YY_RULE_SETUP
-#line 123 "lex.l"
+#line 124 "lex.l"
 { return kw_PDV; }
 	YY_BREAK
 case 56:
 YY_RULE_SETUP
-#line 124 "lex.l"
+#line 125 "lex.l"
 { return kw_PLUS_INFINITY; }
 	YY_BREAK
 case 57:
 YY_RULE_SETUP
-#line 125 "lex.l"
+#line 126 "lex.l"
 { return kw_PRESENT; }
 	YY_BREAK
 case 58:
 YY_RULE_SETUP
-#line 126 "lex.l"
+#line 127 "lex.l"
 { return kw_PRIVATE; }
 	YY_BREAK
 case 59:
 YY_RULE_SETUP
-#line 127 "lex.l"
+#line 128 "lex.l"
 { return kw_PrintableString; }
 	YY_BREAK
 case 60:
 YY_RULE_SETUP
-#line 128 "lex.l"
+#line 129 "lex.l"
 { return kw_REAL; }
 	YY_BREAK
 case 61:
 YY_RULE_SETUP
-#line 129 "lex.l"
+#line 130 "lex.l"
 { return kw_RELATIVE_OID; }
 	YY_BREAK
 case 62:
 YY_RULE_SETUP
-#line 130 "lex.l"
+#line 131 "lex.l"
 { return kw_SEQUENCE; }
 	YY_BREAK
 case 63:
 YY_RULE_SETUP
-#line 131 "lex.l"
+#line 132 "lex.l"
 { return kw_SET; }
 	YY_BREAK
 case 64:
 YY_RULE_SETUP
-#line 132 "lex.l"
+#line 133 "lex.l"
 { return kw_SIZE; }
 	YY_BREAK
 case 65:
 YY_RULE_SETUP
-#line 133 "lex.l"
+#line 134 "lex.l"
 { return kw_STRING; }
 	YY_BREAK
 case 66:
 YY_RULE_SETUP
-#line 134 "lex.l"
+#line 135 "lex.l"
 { return kw_SYNTAX; }
 	YY_BREAK
 case 67:
 YY_RULE_SETUP
-#line 135 "lex.l"
+#line 136 "lex.l"
 { return kw_T61String; }
 	YY_BREAK
 case 68:
 YY_RULE_SETUP
-#line 136 "lex.l"
+#line 137 "lex.l"
 { return kw_TAGS; }
 	YY_BREAK
 case 69:
 YY_RULE_SETUP
-#line 137 "lex.l"
+#line 138 "lex.l"
 { return kw_TRUE; }
 	YY_BREAK
 case 70:
 YY_RULE_SETUP
-#line 138 "lex.l"
+#line 139 "lex.l"
 { return kw_TYPE_IDENTIFIER; }
 	YY_BREAK
 case 71:
 YY_RULE_SETUP
-#line 139 "lex.l"
+#line 140 "lex.l"
 { return kw_TeletexString; }
 	YY_BREAK
 case 72:
 YY_RULE_SETUP
-#line 140 "lex.l"
+#line 141 "lex.l"
 { return kw_UNION; }
 	YY_BREAK
 case 73:
 YY_RULE_SETUP
-#line 141 "lex.l"
+#line 142 "lex.l"
 { return kw_UNIQUE; }
 	YY_BREAK
 case 74:
 YY_RULE_SETUP
-#line 142 "lex.l"
+#line 143 "lex.l"
 { return kw_UNIVERSAL; }
 	YY_BREAK
 case 75:
 YY_RULE_SETUP
-#line 143 "lex.l"
+#line 144 "lex.l"
 { return kw_UTCTime; }
 	YY_BREAK
 case 76:
 YY_RULE_SETUP
-#line 144 "lex.l"
+#line 145 "lex.l"
 { return kw_UTF8String; }
 	YY_BREAK
 case 77:
 YY_RULE_SETUP
-#line 145 "lex.l"
+#line 146 "lex.l"
 { return kw_UniversalString; }
 	YY_BREAK
 case 78:
 YY_RULE_SETUP
-#line 146 "lex.l"
+#line 147 "lex.l"
 { return kw_VideotexString; }
 	YY_BREAK
 case 79:
 YY_RULE_SETUP
-#line 147 "lex.l"
+#line 148 "lex.l"
 { return kw_VisibleString; }
 	YY_BREAK
 case 80:
 YY_RULE_SETUP
-#line 148 "lex.l"
+#line 149 "lex.l"
 { return kw_WITH; }
 	YY_BREAK
 case 81:
 YY_RULE_SETUP
-#line 149 "lex.l"
+#line 150 "lex.l"
 { return *yytext; }
 	YY_BREAK
 case 82:
 YY_RULE_SETUP
-#line 150 "lex.l"
+#line 151 "lex.l"
 { return *yytext; }
 	YY_BREAK
 case 83:
 YY_RULE_SETUP
-#line 151 "lex.l"
+#line 152 "lex.l"
 { return *yytext; }
 	YY_BREAK
 case 84:
 YY_RULE_SETUP
-#line 152 "lex.l"
+#line 153 "lex.l"
 { return EEQUAL; }
 	YY_BREAK
 case 85:
 YY_RULE_SETUP
-#line 153 "lex.l"
+#line 154 "lex.l"
 {
 			    int c, start_lineno = lineno;
 			    int f = 0;
@@ -1559,7 +1561,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 86:
 YY_RULE_SETUP
-#line 172 "lex.l"
+#line 173 "lex.l"
 {
 			    int c, start_lineno = lineno;
 			    int level = 1;
@@ -1603,7 +1605,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 87:
 YY_RULE_SETUP
-#line 212 "lex.l"
+#line 213 "lex.l"
 {
 			    int start_lineno = lineno;
 			    int c;
@@ -1651,9 +1653,9 @@ YY_RULE_SETUP
 	YY_BREAK
 case 88:
 YY_RULE_SETUP
-#line 257 "lex.l"
+#line 258 "lex.l"
 { char *e, *y = yytext;
-			  yylval.constant = strtol((const char *)yytext,
+			  yylval.constant = strtoll((const char *)yytext,
 						   &e, 0);
 			  if(e == y)
 			    lex_error_message("malformed constant (%s)", yytext);
@@ -1663,7 +1665,7 @@ YY_RULE_SETUP
 	YY_BREAK
 case 89:
 YY_RULE_SETUP
-#line 265 "lex.l"
+#line 266 "lex.l"
 {
 			  yylval.name =  estrdup ((const char *)yytext);
 			  return IDENTIFIER;
@@ -1671,36 +1673,36 @@ YY_RULE_SETUP
 	YY_BREAK
 case 90:
 YY_RULE_SETUP
-#line 269 "lex.l"
+#line 270 "lex.l"
 ;
 	YY_BREAK
 case 91:
 /* rule 91 can match eol */
 YY_RULE_SETUP
-#line 270 "lex.l"
+#line 271 "lex.l"
 { ++lineno; }
 	YY_BREAK
 case 92:
 YY_RULE_SETUP
-#line 271 "lex.l"
+#line 272 "lex.l"
 { return ELLIPSIS; }
 	YY_BREAK
 case 93:
 YY_RULE_SETUP
-#line 272 "lex.l"
+#line 273 "lex.l"
 { return RANGE; }
 	YY_BREAK
 case 94:
 YY_RULE_SETUP
-#line 273 "lex.l"
+#line 274 "lex.l"
 { lex_error_message("Ignoring char(%c)\n", *yytext); }
 	YY_BREAK
 case 95:
 YY_RULE_SETUP
-#line 274 "lex.l"
+#line 275 "lex.l"
 ECHO;
 	YY_BREAK
-#line 1704 "lex.c"
+#line 1706 "lex.c"
 case YY_STATE_EOF(INITIAL):
 	yyterminate();
 
@@ -2697,17 +2699,15 @@ void yyfree (void * ptr )
 
 #define YYTABLES_NAME "yytables"
 
-#line 274 "lex.l"
+#line 275 "lex.l"
 
 
 
-#ifndef yywrap /* XXX */
 int
 yywrap ()
 {
      return 1;
 }
-#endif
 
 void
 lex_error_message (const char *format, ...)
diff --git a/lib/asn1/lex.l b/lib/asn1/lex.l
index 2d32020266c8..9f38665a70f9 100644
--- a/lib/asn1/lex.l
+++ b/lib/asn1/lex.l
@@ -1,6 +1,6 @@
 %{
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2017 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -40,6 +40,7 @@
 #include <stdio.h>
 #include <stdarg.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
@@ -255,7 +256,7 @@ WITH			{ return kw_WITH; }
 			}
 
 -?0x[0-9A-Fa-f]+|-?[0-9]+ { char *e, *y = yytext;
-			  yylval.constant = strtol((const char *)yytext,
+			  yylval.constant = strtoll((const char *)yytext,
 						   &e, 0);
 			  if(e == y)
 			    lex_error_message("malformed constant (%s)", yytext);
@@ -273,13 +274,11 @@ WITH			{ return kw_WITH; }
 .			{ lex_error_message("Ignoring char(%c)\n", *yytext); }
 %%
 
-#ifndef yywrap /* XXX */
 int
 yywrap ()
 {
      return 1;
 }
-#endif
 
 void
 lex_error_message (const char *format, ...)
diff --git a/lib/asn1/libasn1-exports.def b/lib/asn1/libasn1-exports.def
index 6dfb93ea054c..62f4337ad89f 100644
--- a/lib/asn1/libasn1-exports.def
+++ b/lib/asn1/libasn1-exports.def
@@ -58,9 +58,15 @@ EXPORTS
 	asn1_oid_id_ecPublicKey	DATA
 	asn1_oid_id_ec_group_secp160r1	DATA
 	asn1_oid_id_ec_group_secp160r2	DATA
+	asn1_oid_id_ec_group_secp224r1	DATA
 	asn1_oid_id_ec_group_secp256r1	DATA
+	asn1_oid_id_ec_group_secp384r1	DATA
+	asn1_oid_id_ec_group_secp521r1	DATA
 	asn1_oid_id_ecdsa_with_SHA1	DATA
+	asn1_oid_id_ecdsa_with_SHA224   DATA
 	asn1_oid_id_ecdsa_with_SHA256	DATA
+	asn1_oid_id_ecdsa_with_SHA384   DATA
+	asn1_oid_id_ecdsa_with_SHA512   DATA
 	asn1_oid_id_heim_rsa_pkcs1_x509	DATA
 	asn1_oid_id_ms_cert_enroll_domaincontroller	DATA
 	asn1_oid_id_ms_client_authentication	DATA
@@ -299,6 +305,8 @@ EXPORTS
 	copy_IssuerAndSerialNumber
 	copy_KDCDHKeyInfo
 	copy_KDCDHKeyInfo_Win2k
+	copy_KDCFastCookie
+	copy_KDCFastState
 	copy_KDCOptions
 	copy_KDC_REP
 	copy_KDC_REQ
@@ -346,8 +354,6 @@ EXPORTS
 	copy_OriginatorInfo
 	copy_OtherName
 	copy_PADATA_TYPE
-	copy_PA_ClientCanonicalized
-	copy_PA_ClientCanonicalizedNames
 	copy_PA_DATA
 	copy_PA_ENC_SAM_RESPONSE_ENC
 	copy_PA_ENC_TS_ENC
@@ -551,6 +557,8 @@ EXPORTS
 	decode_IssuerAndSerialNumber
 	decode_KDCDHKeyInfo
 	decode_KDCDHKeyInfo_Win2k
+	decode_KDCFastCookie
+	decode_KDCFastState
 	decode_KDCOptions
 	decode_KDC_REP
 	decode_KDC_REQ
@@ -598,8 +606,6 @@ EXPORTS
 	decode_OriginatorInfo
 	decode_OtherName
 	decode_PADATA_TYPE
-	decode_PA_ClientCanonicalized
-	decode_PA_ClientCanonicalizedNames
 	decode_PA_DATA
 	decode_PA_ENC_SAM_RESPONSE_ENC
 	decode_PA_ENC_TS_ENC
@@ -699,11 +705,13 @@ EXPORTS
 	der_copy_heim_integer
 	der_copy_ia5_string
 	der_copy_integer
+	der_copy_integer64
 	der_copy_octet_string
 	der_copy_oid
 	der_copy_printable_string
 	der_copy_universal_string
 	der_copy_unsigned
+	der_copy_unsigned64
 	der_copy_utctime
 	der_copy_utf8string
 	der_copy_visible_string
@@ -714,11 +722,13 @@ EXPORTS
 	der_free_heim_integer
 	der_free_ia5_string
 	der_free_integer
+	der_free_integer64
 	der_free_octet_string
 	der_free_oid
 	der_free_printable_string
 	der_free_universal_string
 	der_free_unsigned
+	der_free_unsigned64
 	der_free_utctime
 	der_free_utf8string
 	der_free_visible_string
@@ -732,6 +742,7 @@ EXPORTS
 	der_get_heim_integer
 	der_get_ia5_string
 	der_get_integer
+	der_get_integer64
 	der_get_length
 	der_get_octet_string
 	der_get_octet_string_ber
@@ -744,6 +755,7 @@ EXPORTS
 	der_get_type_num
 	der_get_universal_string
 	der_get_unsigned
+	der_get_unsigned64
 	der_get_utctime
 	der_get_utf8string
 	der_get_visible_string
@@ -763,6 +775,7 @@ EXPORTS
 	der_length_heim_integer
 	der_length_ia5_string
 	der_length_integer
+	der_length_integer64
 	der_length_len
 	der_length_octet_string
 	der_length_oid
@@ -770,6 +783,7 @@ EXPORTS
 	der_length_tag
 	der_length_universal_string
 	der_length_unsigned
+	der_length_unsigned64
 	der_length_utctime
 	der_length_utf8string
 	der_length_visible_string
@@ -789,6 +803,7 @@ EXPORTS
 	der_put_heim_integer
 	der_put_ia5_string
 	der_put_integer
+	der_put_integer64
 	der_put_length
 	der_put_length_and_tag
 	der_put_octet_string
@@ -797,6 +812,7 @@ EXPORTS
 	der_put_tag
 	der_put_universal_string
 	der_put_unsigned
+	der_put_unsigned64
 	der_put_utctime
 	der_put_utf8string
 	der_put_visible_string
@@ -911,6 +927,8 @@ EXPORTS
 	encode_IssuerAndSerialNumber
 	encode_KDCDHKeyInfo
 	encode_KDCDHKeyInfo_Win2k
+	encode_KDCFastCookie
+	encode_KDCFastState
 	encode_KDCOptions
 	encode_KDC_REP
 	encode_KDC_REQ
@@ -958,8 +976,6 @@ EXPORTS
 	encode_OriginatorInfo
 	encode_OtherName
 	encode_PADATA_TYPE
-	encode_PA_ClientCanonicalized
-	encode_PA_ClientCanonicalizedNames
 	encode_PA_DATA
 	encode_PA_ENC_SAM_RESPONSE_ENC
 	encode_PA_ENC_TS_ENC
@@ -1163,6 +1179,8 @@ EXPORTS
 	free_IssuerAndSerialNumber
 	free_KDCDHKeyInfo
 	free_KDCDHKeyInfo_Win2k
+	free_KDCFastCookie
+	free_KDCFastState
 	free_KDCOptions
 	free_KDC_REP
 	free_KDC_REQ
@@ -1210,8 +1228,6 @@ EXPORTS
 	free_OriginatorInfo
 	free_OtherName
 	free_PADATA_TYPE
-	free_PA_ClientCanonicalized
-	free_PA_ClientCanonicalizedNames
 	free_PA_DATA
 	free_PA_ENC_SAM_RESPONSE_ENC
 	free_PA_ENC_TS_ENC
@@ -1426,6 +1442,8 @@ EXPORTS
 	length_IssuerAndSerialNumber
 	length_KDCDHKeyInfo
 	length_KDCDHKeyInfo_Win2k
+	length_KDCFastCookie
+	length_KDCFastState
 	length_KDCOptions
 	length_KDC_REP
 	length_KDC_REQ
@@ -1473,8 +1491,6 @@ EXPORTS
 	length_OriginatorInfo
 	length_OtherName
 	length_PADATA_TYPE
-	length_PA_ClientCanonicalized
-	length_PA_ClientCanonicalizedNames
 	length_PA_DATA
 	length_PA_ENC_SAM_RESPONSE_ENC
 	length_PA_ENC_TS_ENC
diff --git a/lib/asn1/main.c b/lib/asn1/main.c
index f22dc8792c27..80038cd37fdb 100644
--- a/lib/asn1/main.c
+++ b/lib/asn1/main.c
@@ -35,8 +35,6 @@
 #include <getarg.h>
 #include "lex.h"
 
-RCSID("$Id$");
-
 extern FILE *yyin;
 
 static getarg_strings preserve;
@@ -62,24 +60,31 @@ seq_type(const char *p)
     return 0;
 }
 
+const char *fuzzer_string = "";
+int fuzzer_flag;
 int support_ber;
 int template_flag;
 int rfc1510_bitstring;
 int one_code_file;
 char *option_file;
+int parse_units_flag = 1;
+char *type_file_string = "krb5-types.h";
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "template", 0, arg_flag, &template_flag },
-    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
-    { "decode-dce-ber", 0, arg_flag, &support_ber },
-    { "support-ber", 0, arg_flag, &support_ber },
-    { "preserve-binary", 0, arg_strings, &preserve },
-    { "sequence", 0, arg_strings, &seq },
-    { "one-code-file", 0, arg_flag, &one_code_file },
-    { "option-file", 0, arg_string, &option_file },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "fuzzer", 0, arg_flag, &fuzzer_flag, NULL, NULL },
+    { "template", 0, arg_flag, &template_flag, NULL, NULL },
+    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring, NULL, NULL },
+    { "decode-dce-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "support-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "preserve-binary", 0, arg_strings, &preserve, NULL, NULL },
+    { "sequence", 0, arg_strings, &seq, NULL, NULL },
+    { "one-code-file", 0, arg_flag, &one_code_file, NULL, NULL },
+    { "option-file", 0, arg_string, &option_file, NULL, NULL },
+    { "parse-units", 0, arg_negative_flag, &parse_units_flag, NULL, NULL },
+    { "type-file", 0, arg_string, &type_file_string, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
@@ -100,7 +105,7 @@ main(int argc, char **argv)
     const char *name = NULL;
     int optidx = 0;
     char **arg = NULL;
-    size_t len = 0, i;
+    int len = 0, i;
 
     setprogname(argv[0]);
     if(getarg(args, num_args, argc, argv, &optidx))
@@ -180,6 +185,16 @@ main(int argc, char **argv)
 	}
     }
 
+    if (fuzzer_flag) {
+	if (!template_flag) {
+	    printf("can't do fuzzer w/o --template");
+	    exit(1);
+	}
+#ifdef ASN1_FUZZER
+	fuzzer_string = "_fuzzer";
+#endif
+    }
+
 
     init_generate (file, name);
 
diff --git a/lib/asn1/pkinit.asn1 b/lib/asn1/pkinit.asn1
index f36ebf0b32fb..325752f41fae 100644
--- a/lib/asn1/pkinit.asn1
+++ b/lib/asn1/pkinit.asn1
@@ -17,6 +17,8 @@ id-pkrkeydata  OBJECT IDENTIFIER  ::= { id-pkinit 3 }
 id-pkekuoid    OBJECT IDENTIFIER  ::= { id-pkinit 4 }
 id-pkkdcekuoid OBJECT IDENTIFIER  ::= { id-pkinit 5 }
 
+id-apple-system-id OBJECT IDENTIFIER ::= { 1 2 840 113635 100 4 4 }
+
 id-pkinit-kdf OBJECT IDENTIFIER           ::= { id-pkinit 6 }
 id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER   ::= { id-pkinit-kdf 1 }
 id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
diff --git a/lib/asn1/rfc2459.asn1 b/lib/asn1/rfc2459.asn1
index 5df9e41fffd2..3b8bab7c73bf 100644
--- a/lib/asn1/rfc2459.asn1
+++ b/lib/asn1/rfc2459.asn1
@@ -88,10 +88,22 @@ id-ecMQV OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) schemes(1)
        ecmqv(13) }
 
+id-ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
+     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+     ecdsa-with-SHA2(3) 4 }
+
+id-ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
+     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+     ecdsa-with-SHA2(3) 3 }
+
 id-ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 2 }
 
+id-ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
+     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+     ecdsa-with-SHA2(3) 1 }
+
 id-ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }
 
@@ -107,6 +119,15 @@ id-ec-group-secp160r1 OBJECT IDENTIFIER ::= {
 id-ec-group-secp160r2 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) 0 30 }
 
+id-ec-group-secp224r1 OBJECT IDENTIFIER ::= {
+       iso(1) identified-organization(3) certicom(132) 0 33 }
+
+id-ec-group-secp384r1 OBJECT IDENTIFIER ::= {
+       iso(1) identified-organization(3) certicom(132) 0 34 }
+
+id-ec-group-secp521r1 OBJECT IDENTIFIER ::= {
+       iso(1) identified-organization(3) certicom(132) 0 35 }
+
 -- DSA
 
 id-x9-57 OBJECT IDENTIFIER ::= {
@@ -128,6 +149,8 @@ id-at-stateOrProvinceName	OBJECT IDENTIFIER ::= { id-x520-at 8 }
 id-at-streetAddress		OBJECT IDENTIFIER ::= { id-x520-at 9 }
 id-at-organizationName		OBJECT IDENTIFIER ::= { id-x520-at 10 }
 id-at-organizationalUnitName	OBJECT IDENTIFIER ::= { id-x520-at 11 }
+id-at-title			OBJECT IDENTIFIER ::= { id-x520-at 12 }
+id-at-description		OBJECT IDENTIFIER ::= { id-x520-at 13 }
 id-at-name			OBJECT IDENTIFIER ::= { id-x520-at 41 }
 id-at-givenName			OBJECT IDENTIFIER ::= { id-x520-at 42 }
 id-at-initials			OBJECT IDENTIFIER ::= { id-x520-at 43 }
@@ -239,7 +262,7 @@ ValidationParms ::= SEQUENCE {
 DomainParameters ::= SEQUENCE {
 	p		INTEGER, -- odd prime, p=jq +1
 	g		INTEGER, -- generator, g
-	q		INTEGER, -- factor of p-1
+	q		INTEGER OPTIONAL, -- factor of p-1
 	j		INTEGER OPTIONAL, -- subgroup factor
 	validationParms	ValidationParms OPTIONAL -- ValidationParms
 }
diff --git a/lib/asn1/roken_rename.h b/lib/asn1/roken_rename.h
new file mode 100644
index 000000000000..76e108a5574f
--- /dev/null
+++ b/lib/asn1/roken_rename.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+#ifndef __roken_rename_h__
+#define __roken_rename_h__
+
+#ifndef HAVE_STRTOLL
+#define strtoll rk_strtoll
+#endif
+#ifndef HAVE_STRTOULL
+#define strtoull rk_strtoull
+#endif
+
+#endif /* __roken_rename_h__ */
diff --git a/lib/asn1/symbol.c b/lib/asn1/symbol.c
index b05f68fa74a9..a090ee95c7ab 100644
--- a/lib/asn1/symbol.c
+++ b/lib/asn1/symbol.c
@@ -78,7 +78,7 @@ addsym(char *name)
     key.name = name;
     s = (Symbol *) hashtabsearch(htab, (void *) &key);
     if (s == NULL) {
-	s = (Symbol *) emalloc(sizeof(*s));
+	s = (Symbol *) ecalloc(1, sizeof(*s));
 	s->name = name;
 	s->gen_name = estrdup(name);
 	output_name(s->gen_name);
diff --git a/lib/asn1/symbol.h b/lib/asn1/symbol.h
index a39c8f46512d..97b4db7263a7 100644
--- a/lib/asn1/symbol.h
+++ b/lib/asn1/symbol.h
@@ -78,7 +78,7 @@ struct value {
     } type;
     union {
 	int booleanvalue;
-	int integervalue;
+	int64_t integervalue;
 	char *stringvalue;
 	struct objid *objectidentifiervalue;
     } u;
@@ -109,8 +109,12 @@ struct tagtype {
 };
 
 struct range {
-    int min;
-    int max;
+    /*
+     * We can't represent unsigned 64-bit ranges because max might be
+     * negative...
+     */
+    int64_t min;
+    int64_t max;
 };
 
 enum ctype { CT_CONTENTS, CT_USER } ;
@@ -125,6 +129,7 @@ struct type {
     struct tagtype tag;
     struct range *range;
     struct constraint_spec *constraint;
+    unsigned long id;
 };
 
 typedef struct type Type;
diff --git a/lib/asn1/template.c b/lib/asn1/template.c
index 3e0b6932357e..fe0dc6c2f773 100644
--- a/lib/asn1/template.c
+++ b/lib/asn1/template.c
@@ -3,7 +3,7 @@
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
- * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2009 - 2010 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -36,17 +36,7 @@
 #include "der_locl.h"
 #include <com_err.h>
 
-#if 0
-#define ABORT_ON_ERROR() abort()
-#else
-#define ABORT_ON_ERROR() do { } while(0)
-#endif
-
-#define DPOC(data,offset) ((const void *)(((const unsigned char *)data)  + offset))
-#define DPO(data,offset) ((void *)(((unsigned char *)data)  + offset))
-
-
-static struct asn1_type_func prim[] = {
+struct asn1_type_func asn1_template_prim[A1T_NUM_ENTRY] = {
 #define el(name, type) {				\
 	(asn1_type_encode)der_put_##name,		\
 	(asn1_type_decode)der_get_##name,		\
@@ -66,7 +56,9 @@ static struct asn1_type_func prim[] = {
     el(integer, int),
     el(heim_integer, heim_integer),
     el(integer, int),
+    el(integer64, int64_t),
     el(unsigned, unsigned),
+    el(unsigned64, uint64_t),
     el(general_string, heim_general_string),
     el(octet_string, heim_octet_string),
     elber(octet_string, heim_octet_string),
@@ -89,8 +81,8 @@ static struct asn1_type_func prim[] = {
 #undef elber
 };
 
-static size_t
-sizeofType(const struct asn1_template *t)
+size_t
+_asn1_sizeofType(const struct asn1_template *t)
 {
     return t->offset;
 }
@@ -106,8 +98,8 @@ sizeofType(const struct asn1_template *t)
  */
 
 static void
-bmember_get_bit(const unsigned char *p, void *data,
-		unsigned int bit, size_t size)
+_asn1_bmember_get_bit(const unsigned char *p, void *data,
+		      unsigned int bit, size_t size)
 {
     unsigned int localbit = bit % 8;
     if ((*p >> (7 - localbit)) & 1) {
@@ -119,8 +111,8 @@ bmember_get_bit(const unsigned char *p, void *data,
     }
 }
 
-static int
-bmember_isset_bit(const void *data, unsigned int bit, size_t size)
+int
+_asn1_bmember_isset_bit(const void *data, unsigned int bit, size_t size)
 {
 #ifdef WORDS_BIGENDIAN
     if ((*(unsigned int *)data) & (1 << ((size * 8) - bit - 1)))
@@ -133,13 +125,13 @@ bmember_isset_bit(const void *data, unsigned int bit, size_t size)
 #endif
 }
 
-static void
-bmember_put_bit(unsigned char *p, const void *data, unsigned int bit,
-		size_t size, unsigned int *bitset)
+void
+_asn1_bmember_put_bit(unsigned char *p, const void *data, unsigned int bit,
+		      size_t size, unsigned int *bitset)
 {
     unsigned int localbit = bit % 8;
 
-    if (bmember_isset_bit(data, bit, size)) {
+    if (_asn1_bmember_isset_bit(data, bit, size)) {
 	*p |= (1 << (7 - localbit));
 	if (*bitset == 0)
 	    *bitset = (7 - localbit) + 1;
@@ -166,19 +158,19 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 	switch (t->tt & A1_OP_MASK) {
 	case A1_OP_TYPE:
 	case A1_OP_TYPE_EXTERN: {
-	    size_t newsize, size;
+	    size_t newsize, elsize;
 	    void *el = DPO(data, t->offset);
 	    void **pel = (void **)el;
 
 	    if ((t->tt & A1_OP_MASK) == A1_OP_TYPE) {
-		size = sizeofType(t->ptr);
+		elsize = _asn1_sizeofType(t->ptr);
 	    } else {
 		const struct asn1_type_func *f = t->ptr;
-		size = f->size;
+		elsize = f->size;
 	    }
 
 	    if (t->tt & A1_FLAG_OPTIONAL) {
-		*pel = calloc(1, size);
+		*pel = calloc(1, elsize);
 		if (*pel == NULL)
 		    return ENOMEM;
 		el = *pel;
@@ -250,7 +242,7 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 
 	    if (t->tt & A1_FLAG_OPTIONAL) {
 		void **el = (void **)data;
-		size_t ellen = sizeofType(t->ptr);
+		size_t ellen = _asn1_sizeofType(t->ptr);
 
 		*el = calloc(1, ellen);
 		if (*el == NULL)
@@ -262,8 +254,13 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 	    if (ret)
 		return ret;
 
-	    if (newsize != datalen)
+	    if (is_indefinite) {
+		/* If we use indefinite encoding, the newsize is the datasize. */
+		datalen = newsize;
+	    } else if (newsize != datalen) {
+		/* Check for hidden data that might be after the real tag */
 		return ASN1_EXTRA_DATA;
+	    }
 
 	    len -= datalen;
 	    p += datalen;
@@ -300,12 +297,12 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 	    if (flags & A1_PF_INDEFINTE)
 		type++;
 
-	    if (type >= sizeof(prim)/sizeof(prim[0])) {
+	    if (type >= sizeof(asn1_template_prim)/sizeof(asn1_template_prim[0])) {
 		ABORT_ON_ERROR();
 		return ASN1_PARSE_ERROR;
 	    }
 
-	    ret = (prim[type].decode)(p, len, el, &newsize);
+	    ret = (asn1_template_prim[type].decode)(p, len, el, &newsize);
 	    if (ret)
 		return ret;
 	    p += newsize; len -= newsize;
@@ -316,7 +313,7 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 	case A1_OP_SEQOF: {
 	    struct template_of *el = DPO(data, t->offset);
 	    size_t newsize;
-	    size_t ellen = sizeofType(t->ptr);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
 	    size_t vallength = 0;
 
 	    while (len > 0) {
@@ -345,19 +342,19 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 	}
 	case A1_OP_BMEMBER: {
 	    const struct asn1_template *bmember = t->ptr;
-	    size_t size = bmember->offset;
-	    size_t elements = A1_HEADER_LEN(bmember);
+	    size_t bsize = bmember->offset;
+	    size_t belements = A1_HEADER_LEN(bmember);
 	    size_t pos = 0;
 
 	    bmember++;
 
-	    memset(data, 0, size);
+	    memset(data, 0, bsize);
 
 	    if (len < 1)
 		return ASN1_OVERRUN;
 	    p++; len--;
 
-	    while (elements && len) {
+	    while (belements && len) {
 		while (bmember->offset / 8 > pos / 8) {
 		    if (len < 1)
 			break;
@@ -365,8 +362,8 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 		    pos += 8;
 		}
 		if (len) {
-		    bmember_get_bit(p, data, bmember->offset, size);
-		    elements--; bmember++;
+		    _asn1_bmember_get_bit(p, data, bmember->offset, bsize);
+		    belements--; bmember++;
 		}
 	    }
 	    len = 0;
@@ -378,6 +375,9 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 	    size_t datalen;
 	    unsigned int i;
 
+	    /* provide a saner value as default, we should have a NO element value */
+	    *element = 1;
+	   
 	    for (i = 1; i < A1_HEADER_LEN(choice) + 1; i++) {
 		/* should match first tag instead, store it in choice.tt */
 		ret = _asn1_decode(choice[i].ptr, 0, p, len,
@@ -513,12 +513,12 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 	    size_t newsize;
 	    const void *el = DPOC(data, t->offset);
 
-	    if (type > sizeof(prim)/sizeof(prim[0])) {
+	    if (type >= sizeof(asn1_template_prim)/sizeof(asn1_template_prim[0])) {
 		ABORT_ON_ERROR();
 		return ASN1_PARSE_ERROR;
 	    }
 
-	    ret = (prim[type].encode)(p, len, el, &newsize);
+	    ret = (asn1_template_prim[type].encode)(p, len, el, &newsize);
 	    if (ret)
 		return ret;
 	    p -= newsize; len -= newsize;
@@ -527,8 +527,8 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 	}
 	case A1_OP_SETOF: {
 	    const struct template_of *el = DPOC(data, t->offset);
-	    size_t ellen = sizeofType(t->ptr);
-	    struct heim_octet_string *val;
+	    size_t ellen = _asn1_sizeofType(t->ptr);
+	    heim_octet_string *val;
 	    unsigned char *elptr = el->val;
 	    size_t i, totallen;
 
@@ -538,7 +538,7 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 	    if (el->len > UINT_MAX/sizeof(val[0]))
 		return ERANGE;
 
-	    val = malloc(sizeof(val[0]) * el->len);
+	    val = calloc(el->len, sizeof(val[0]));
 	    if (val == NULL)
 		return ENOMEM;
 
@@ -547,7 +547,13 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 		size_t l;
 
 		val[i].length = _asn1_length(t->ptr, elptr);
-		val[i].data = malloc(val[i].length);
+		if (val[i].length) {
+		    val[i].data = malloc(val[i].length);
+		    if (val[i].data == NULL) {
+			ret = ENOMEM;
+			break;
+		    }
+		}
 
 		ret = _asn1_encode(t->ptr, DPO(val[i].data, val[i].length - 1),
 				   val[i].length, elptr, &l);
@@ -565,9 +571,8 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 	    if (ret == 0 && totallen > len)
 		ret = ASN1_OVERFLOW;
 	    if (ret) {
-		do {
+		for (i = 0; i < el->len; i++)
 		    free(val[i].data);
-		} while(i-- > 0);
 		free(val);
 		return ret;
 	    }
@@ -589,7 +594,7 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 	}
 	case A1_OP_SEQOF: {
 	    struct template_of *el = DPO(data, t->offset);
-	    size_t ellen = sizeofType(t->ptr);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
 	    size_t newsize;
 	    unsigned int i;
 	    unsigned char *elptr = el->val;
@@ -613,21 +618,21 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 	}
 	case A1_OP_BMEMBER: {
 	    const struct asn1_template *bmember = t->ptr;
-	    size_t size = bmember->offset;
-	    size_t elements = A1_HEADER_LEN(bmember);
+	    size_t bsize = bmember->offset;
+	    size_t belements = A1_HEADER_LEN(bmember);
 	    size_t pos;
 	    unsigned char c = 0;
 	    unsigned int bitset = 0;
 	    int rfc1510 = (bmember->tt & A1_HBF_RFC1510);
 
-	    bmember += elements;
+	    bmember += belements;
 
 	    if (rfc1510)
 		pos = 31;
 	    else
 		pos = bmember->offset;
 
-	    while (elements && len) {
+	    while (belements && len) {
 		while (bmember->offset / 8 < pos / 8) {
 		    if (rfc1510 || bitset || c) {
 			if (len < 1)
@@ -637,8 +642,8 @@ _asn1_encode(const struct asn1_template *t, unsigned char *p, size_t len, const
 		    c = 0;
 		    pos -= 8;
 		}
-		bmember_put_bit(&c, data, bmember->offset, size, &bitset);
-		elements--; bmember--;
+		_asn1_bmember_put_bit(&c, data, bmember->offset, bsize, &bitset);
+		belements--; bmember--;
 	    }
 	    if (rfc1510 || bitset) {
 		if (len < 1)
@@ -747,17 +752,17 @@ _asn1_length(const struct asn1_template *t, const void *data)
 	    unsigned int type = A1_PARSE_TYPE(t->tt);
 	    const void *el = DPOC(data, t->offset);
 
-	    if (type > sizeof(prim)/sizeof(prim[0])) {
+	    if (type >= sizeof(asn1_template_prim)/sizeof(asn1_template_prim[0])) {
 		ABORT_ON_ERROR();
 		break;
 	    }
-	    ret += (prim[type].length)(el);
+	    ret += (asn1_template_prim[type].length)(el);
 	    break;
 	}
 	case A1_OP_SETOF:
 	case A1_OP_SEQOF: {
 	    const struct template_of *el = DPOC(data, t->offset);
-	    size_t ellen = sizeofType(t->ptr);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
 	    const unsigned char *element = el->val;
 	    unsigned int i;
 
@@ -771,7 +776,7 @@ _asn1_length(const struct asn1_template *t, const void *data)
 	case A1_OP_BMEMBER: {
 	    const struct asn1_template *bmember = t->ptr;
 	    size_t size = bmember->offset;
-	    size_t elements = A1_HEADER_LEN(bmember);
+	    size_t belements = A1_HEADER_LEN(bmember);
 	    int rfc1510 = (bmember->tt & A1_HBF_RFC1510);
 
 	    if (rfc1510) {
@@ -780,14 +785,14 @@ _asn1_length(const struct asn1_template *t, const void *data)
 
 		ret += 1;
 
-		bmember += elements;
+		bmember += belements;
 
-		while (elements) {
-		    if (bmember_isset_bit(data, bmember->offset, size)) {
+		while (belements) {
+		    if (_asn1_bmember_isset_bit(data, bmember->offset, size)) {
 			ret += (bmember->offset / 8) + 1;
 			break;
 		    }
-		    elements--; bmember--;
+		    belements--; bmember--;
 		}
 	    }
 	    break;
@@ -855,11 +860,11 @@ _asn1_free(const struct asn1_template *t, void *data)
 	    unsigned int type = A1_PARSE_TYPE(t->tt);
 	    void *el = DPO(data, t->offset);
 
-	    if (type > sizeof(prim)/sizeof(prim[0])) {
+	    if (type >= sizeof(asn1_template_prim)/sizeof(asn1_template_prim[0])) {
 		ABORT_ON_ERROR();
 		break;
 	    }
-	    (prim[type].release)(el);
+	    (asn1_template_prim[type].release)(el);
 	    break;
 	}
 	case A1_OP_TAG: {
@@ -882,7 +887,7 @@ _asn1_free(const struct asn1_template *t, void *data)
 	case A1_OP_SETOF:
 	case A1_OP_SEQOF: {
 	    struct template_of *el = DPO(data, t->offset);
-	    size_t ellen = sizeofType(t->ptr);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
 	    unsigned char *element = el->val;
 	    unsigned int i;
 
@@ -947,7 +952,7 @@ _asn1_copy(const struct asn1_template *t, const void *from, void *to)
 	    size_t size;
 
 	    if ((t->tt & A1_OP_MASK) == A1_OP_TYPE) {
-		size = sizeofType(t->ptr);
+		size = _asn1_sizeofType(t->ptr);
 	    } else {
 		const struct asn1_type_func *f = t->ptr;
 		size = f->size;
@@ -985,11 +990,11 @@ _asn1_copy(const struct asn1_template *t, const void *from, void *to)
 	    const void *fel = DPOC(from, t->offset);
 	    void *tel = DPO(to, t->offset);
 
-	    if (type > sizeof(prim)/sizeof(prim[0])) {
+	    if (type >= sizeof(asn1_template_prim)/sizeof(asn1_template_prim[0])) {
 		ABORT_ON_ERROR();
 		return ASN1_PARSE_ERROR;
 	    }
-	    ret = (prim[type].copy)(fel, tel);
+	    ret = (asn1_template_prim[type].copy)(fel, tel);
 	    if (ret)
 		return ret;
 	    break;
@@ -1012,14 +1017,14 @@ _asn1_copy(const struct asn1_template *t, const void *from, void *to)
 		}
 		from = *fel;
 
-		to = *tel = calloc(1, sizeofType(t->ptr));
+		to = *tel = calloc(1, _asn1_sizeofType(t->ptr));
 		if (to == NULL)
 		    return ENOMEM;
 	    }
 
 	    ret = _asn1_copy(t->ptr, from, to);
 	    if (ret) {
-		if (t->tt & A1_FLAG_OPTIONAL) {
+		if (tel) {
 		    free(*tel);
 		    *tel = NULL;
 		}
@@ -1035,7 +1040,7 @@ _asn1_copy(const struct asn1_template *t, const void *from, void *to)
 	case A1_OP_SEQOF: {
 	    const struct template_of *fel = DPOC(from, t->offset);
 	    struct template_of *tel = DPO(to, t->offset);
-	    size_t ellen = sizeofType(t->ptr);
+	    size_t ellen = _asn1_sizeofType(t->ptr);
 	    unsigned int i;
 
 	    tel->val = calloc(fel->len, ellen);
@@ -1097,10 +1102,8 @@ _asn1_decode_top(const struct asn1_template *t, unsigned flags, const unsigned c
     int ret;
     memset(data, 0, t->offset);
     ret = _asn1_decode(t, flags, p, len, data, size);
-    if (ret) {
-	_asn1_free(t, data);
-	memset(data, 0, t->offset);
-    }
+    if (ret)
+	_asn1_free_top(t, data);
 
     return ret;
 }
@@ -1111,9 +1114,15 @@ _asn1_copy_top(const struct asn1_template *t, const void *from, void *to)
     int ret;
     memset(to, 0, t->offset);
     ret = _asn1_copy(t, from, to);
-    if (ret) {
-	_asn1_free(t, to);
-	memset(to, 0, t->offset);
-    }
+    if (ret)
+	_asn1_free_top(t, to);
+
     return ret;
 }
+
+void
+_asn1_free_top(const struct asn1_template *t, void *data)
+{
+    _asn1_free(t, data);
+    memset(data, 0, t->offset);
+}
diff --git a/lib/asn1/test.asn1 b/lib/asn1/test.asn1
index 89154e337c8f..206e1c328d47 100644
--- a/lib/asn1/test.asn1
+++ b/lib/asn1/test.asn1
@@ -7,6 +7,8 @@ BEGIN
 IMPORTS heim_any FROM heim;
 
 TESTuint32 ::= INTEGER (0..4294967295)
+TESTuint64 ::= INTEGER(0..18446744073709551615)
+TESTint64 ::= INTEGER(-9223372036854775808..9223372036854775807)
 
 TESTLargeTag ::= SEQUENCE {
 	foo[127] INTEGER (-2147483648..2147483647),
@@ -46,7 +48,7 @@ TESTImplicit ::= SEQUENCE {
 
 TESTImplicit2 ::= SEQUENCE {
 	ti1[0] IMPLICIT TESTInteger,
-	ti2[1] IMPLICIT TESTLargeTag,
+--	ti2[1] IMPLICIT TESTLargeTag,   this is disabled since the IMPLICT encoder does't get the types right when stepping inside an structure --
 	ti3[2] IMPLICIT TESTInteger3
 }
 
@@ -96,7 +98,7 @@ TESTSeqOf ::= SEQUENCE OF TESTInteger
 TESTSeqSizeOf1 ::= SEQUENCE SIZE (2) OF TESTInteger
 TESTSeqSizeOf2 ::= SEQUENCE SIZE (1..2) OF TESTInteger
 TESTSeqSizeOf3 ::= SEQUENCE SIZE (1..MAX) OF TESTInteger
-TESTSeqSizeOf4 ::= SEQUENCE SIZE (MIN..2) OF TESTInteger
+TESTSeqSizeOf4 ::= SEQUENCE SIZE (0..2) OF TESTInteger
 
 TESTOSSize1 ::= OCTET STRING SIZE (1..2)
 
@@ -121,6 +123,60 @@ TESTSeqOf3 ::= SEQUENCE {
 	strings SEQUENCE OF GeneralString OPTIONAL
 }
 
+-- Larger/more complex to increase odds of out-of-bounds
+-- read/writes if miscoded
+
+TESTSeqOf4 ::= SEQUENCE {
+	b1 [0] SEQUENCE OF SEQUENCE {
+		s1 OCTET STRING,
+		s2 OCTET STRING,
+		u1 TESTuint64,
+		u2 TESTuint64
+	} OPTIONAL,
+	b2 [1] IMPLICIT SEQUENCE OF SEQUENCE {
+		u1 TESTuint64,
+		u2 TESTuint64,
+		u3 TESTuint64,
+		s1 OCTET STRING,
+		s2 OCTET STRING,
+		s3 OCTET STRING
+	} OPTIONAL,
+	b3 [2] IMPLICIT SEQUENCE OF SEQUENCE {
+		s1 OCTET STRING,
+		u1 TESTuint64,
+		s2 OCTET STRING,
+		u2 TESTuint64,
+		s3 OCTET STRING,
+		u3 TESTuint64,
+		s4 OCTET STRING,
+		u4 TESTuint64
+	} OPTIONAL
+}
+
+TESTSeqOf5 ::= SEQUENCE {
+        outer SEQUENCE {
+          inner SEQUENCE {
+                        u0 TESTuint64,
+                        s0 OCTET STRING,
+                        u1 TESTuint64,
+                        s1 OCTET STRING,
+                        u2 TESTuint64,
+                        s2 OCTET STRING,
+                        u3 TESTuint64,
+                        s3 OCTET STRING,
+                        u4 TESTuint64,
+                        s4 OCTET STRING,
+                        u5 TESTuint64,
+                        s5 OCTET STRING,
+                        u6 TESTuint64,
+                        s6 OCTET STRING,
+                        u7 TESTuint64,
+                        s7 OCTET STRING
+                }
+            }
+        OPTIONAL
+}
+
 TESTPreserve ::= SEQUENCE {
 	zero [0] TESTInteger,
 	one [1] TESTInteger
diff --git a/lib/asn1/timegm.c b/lib/asn1/timegm.c
index d9f4adbd5591..4746fa80b891 100644
--- a/lib/asn1/timegm.c
+++ b/lib/asn1/timegm.c
@@ -102,7 +102,7 @@ _der_gmtime(time_t t, struct tm *tm)
 
     tm->tm_sec = secday % 60;
     tm->tm_min = (secday % 3600) / 60;
-    tm->tm_hour = secday / 3600;
+    tm->tm_hour = (int)(secday / 3600);
 
     /*
      * Refuse to calculate time ~ 2000 years into the future, this is
@@ -130,7 +130,7 @@ _der_gmtime(time_t t, struct tm *tm)
 	days -= daysinmonth;
 	tm->tm_mon++;
     }
-    tm->tm_mday = days + 1;
+    tm->tm_mday = (int)(days + 1);
 
     return tm;
 }