releasing package freeipa version 4.4.4-2

fix-opendnssec-install.diff: Updated for opendnssec 2.1.x. (LP: #1703836 )
control: Add a dependency on fonts-open-sans. (LP: #1656236 )
2025-02-25 18:55:28 -06:00 · 2017-10-09 10:42:06 +03:00 · 2017-10-09 10:41:50 +03:00 · 2017-10-09 10:07:45 +03:00 · 2017-05-17 21:20:14 +03:00 · 2017-05-17 21:19:20 +03:00
1299 changed files with 418204 additions and 70338 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,7 @@ missing
 stamp-h1
 libtool
 build/
+compile

 # Python compilation
 *.pyc
@@ -59,19 +60,24 @@ freeipa2-dev-doc
 /install/ui/src/plugins
 !/install/ui/doc/Makefile

-/ipa-client/ipa-client.spec
-/ipa-client/ipa-getkeytab
-/ipa-client/ipa-join
-/ipa-client/ipa-rmkeytab
+/client/ipa-getkeytab
+/client/ipa-join
+/client/ipa-rmkeytab

 /ipatests/setup.py

+/ipaclient/setup.py
+
+/ipalib/setup.py
+!/ipalib/Makefile
+
 /ipapython/setup.py
 /ipapython/version.py
 !/ipapython/Makefile
-!/ipapython/py_default_encoding/Makefile

+/ipaplatform/__init__.py
 /ipaplatform/setup.py
 /ipaplatform/tasks.py
 /ipaplatform/services.py
 /ipaplatform/paths.py
+/ipaplatform/constants.py
--- a/.mailmap
+++ b/.mailmap
@@ -2,6 +2,8 @@ Ana Krivokapić  <akrivoka@redhat.com>  Ana Krivokapic <akrivoka@redhat.com>
 Adam Misnyovszki <amisnyov@redhat.com> <amisnyov@redhat.com>
 Endi Sukma Dewata <edewata@redhat.com>   System Administrator <root@dhcp-100-3-211.bos.redhat.com>
 Endi Sukma Dewata <edewata@redhat.com>
+Gabe Alford     <redhatrises@gmail.com>
+Ganna Kaihorodova <gkaihoro@redhat.com> <gkaihoro@example.com>
 Jan Zelený      <jzeleny@redhat.com>
 Jim Meyering    <meyering@redhat.com>  <jim@meyering.net>
 John Dennis     <jdennis@redhat.com>   <jdennis@VAIO>
@@ -22,6 +24,7 @@ Lubomír Rintel  <lubo.rintel@gooddata.com> Lubomir Rintel <lubo.rintel@gooddata
 Lukáš Slebodník <lslebodn@redhat.com>
 Martin Bašti    <mbasti@redhat.com>
 Martin Košek    <mkosek@redhat.com>
+Milan Kubík     <mkubik@redhat.com>
 Martin Nagy     <mnagy@redhat.com>     <mnagy@notas.(none)>
 Nathaniel McCallum <npmccallum@redhat.com> <nathaniel@themccallums.org>
 Nalin Dahyabhai <nalin@redhat.com>     <nalin@dahyabhai.net>
@@ -34,6 +37,8 @@ Pavel Zůna      <pzuna@redhat.com>     <root@testbox.winry>
 Pavel Zůna      <pzuna@redhat.com>     <root@webui.pzuna>
 Petr Špaček     <pspacek@redhat.com>
 Petr Voborník   <pvoborni@redhat.com>
+Pavel Vomáčka   <pvomacka@redhat.com>
+Pavel Vomáčka   <pvomacka@redhat.com>  tester <test@example.com>
 Rich Megginson  <rmeggins@redhat.com>  <rich@localhost.localdomain>
 Rob Crittenden  <rcritten@redhat.com>
 Rob Crittenden  <rcritten@redhat.com>  <rcrit@ike.greyoak.com>
@@ -46,6 +51,11 @@ Rob Crittenden  <rcritten@redhat.com>  <rcrit@tove.greyoak.com>
 Simo Sorce      <ssorce@redhat.com>    <simo@redhat.com>
 Sumit Bose      <sbose@redhat.com>     <sbose@ipa17-devel.ipa17.devel>
 Sumit Bose      <sbose@redhat.com>     <sbose@ipa18-devel.ipa18.devel>
+Tibor Dudlák    <tdudlak@redhat.com>   <tibor.dudlak@gmail.com>
+Thierry Bordaz  <tbordaz@redhat.com>
+Thierry Bordaz  <tbordaz@redhat.com>   <root@vm-205.idm.lab.eng.brq.redhat.com>
+Thierry Bordaz  <tbordaz@redhat.com>   <root@vm-035.idm.lab.eng.brq.redhat.com>
+Thierry Bordaz  <tbordaz@redhat.com>   <root@vm-058-107.abc.idm.lab.eng.brq.redhat.com>
 Tomáš Babej     <tbabej@redhat.com>
 Tomáš Babej     <tbabej@redhat.com>    <tomasbabej@gmail.com>
 William Jon McCann <mccann@jhu.edu>    <mccann@jhu.edu>
--- a/.tx/config
+++ b/.tx/config
@@ -1,8 +0,0 @@
-[main]
-host = https://www.transifex.com
-
-[freeipa.ipa]
-file_filter = install/po/<lang>.po
-source_file = install/po/ipa.pot
-source_lang = en
-
--- a/ACI.txt
+++ b/ACI.txt
@@ -22,6 +22,32 @@ dn: cn=automount,dc=ipa,dc=example
 aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "hostcategory || ipacacategory || ipacertprofilecategory || ipamemberca || ipamembercertprofile || memberhost || memberservice || memberuser || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Import Certificate Profile";allow (add) groupdn = "ldap:///cn=System: Import Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
@@ -33,17 +59,27 @@ aci: (targetattr = "cospriority")(targetfilter = "(objectclass=costemplate)")(ve
 dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbpwdpolicyreference || modifytimestamp || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || entryusn || idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "createtimestamp || entryusn || idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || ipadnsversion || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Write DNS Configuration";allow (write) groupdn = "ldap:///cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
+aci: (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || idnssubstitutionvariable")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || idnsforwarders || idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable || modifytimestamp || objectclass")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Read DNS Servers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
@@ -54,6 +90,8 @@ dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
@@ -93,23 +131,27 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Principals";allow (write) groupdn = "ldap:///cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "description || ipaassignedidview || krbprincipalauthind || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || macaddress || modifytimestamp || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || description || enrolledby || entryusn || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || modifytimestamp || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || description || enrolledby || entryusn || fqdn || ipaassignedidview || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalauthind || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || modifytimestamp || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "member")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "member")(targetfilter = "(&(!(cn=ipaservers))(objectclass=ipahostgroup))")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
@@ -118,12 +160,26 @@ dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=views,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=views,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=views,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
@@ -138,6 +194,8 @@ dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipauniqueid || modifytimestamp || nisdomainname || objectclass || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Remove Netgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=otp,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokentotpauthwindow || ipatokentotpsyncwindow")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:System: Read OTP Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Modify Privilege Membership";allow (write) groupdn = "ldap:///cn=System: Modify Privilege Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
@@ -182,16 +240,64 @@ dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetattr = "accesstime || cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || modifytimestamp || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=System: Remove SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipalocation || ipaserviceweight || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaConfigObject)")(version 3.0;acl "permission:System: Read Locations of IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Locations of IPA Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaConfigObject)")(version 3.0;acl "permission:System: Read Status of Services on IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Status of Services on IPA Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Add Services";allow (add) groupdn = "ldap:///cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Principals";allow (write) groupdn = "ldap:///cn=System: Manage Service Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=services,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "krbprincipalauthind || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=services,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalauthind || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Add Service Delegations";allow (add) groupdn = "ldap:///cn=System: Add Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipaallowedtarget || memberprincipal")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Modify Service Delegation Membership";allow (write) groupdn = "ldap:///cn=System: Modify Service Delegation Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || memberprincipal || modifytimestamp || objectclass")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Read Service Delegations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Add Service Delegations";allow (add) groupdn = "ldap:///cn=System: Add Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipaallowedtarget || memberprincipal")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Modify Service Delegation Membership";allow (write) groupdn = "ldap:///cn=System: Modify Service Delegation Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || memberprincipal || modifytimestamp || objectclass")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Read Service Delegations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify User RDN";allow (write) groupdn = "ldap:///cn=System: Modify User RDN,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove Stage User";allow (delete) groupdn = "ldap:///cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove preserved User";allow (delete) groupdn = "ldap:///cn=System: Remove preserved User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
@@ -221,7 +327,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=trusts,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
@@ -231,13 +337,17 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificates";allow (write) groupdn = "ldap:///cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Principals";allow (write) groupdn = "ldap:///cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || facsimiletelephonenumber || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
@@ -249,22 +359,66 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ntuniqueid || ntuseracctexpires || ntusercodepage || ntuserdeleteaccount || ntuserdomainid || ntuserlastlogoff || ntuserlastlogon")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User NT Attributes";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User NT Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Add Vaults";allow (add) groupdn = "ldap:///cn=System: Add Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Delete Vaults";allow (delete) groupdn = "ldap:///cn=System: Delete Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "member")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Membership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipavaultpublickey || ipavaultsalt || ipavaulttype || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Modify Vaults";allow (write) groupdn = "ldap:///cn=System: Modify Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipavaultpublickey || ipavaultsalt || ipavaulttype || member || memberhost || memberuser || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Read Vaults";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Add Vault Containers";allow (add) groupdn = "ldap:///cn=System: Add Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Delete Vault Containers";allow (delete) groupdn = "ldap:///cn=System: Delete Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Manage Vault Container Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Container Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Modify Vault Containers";allow (write) groupdn = "ldap:///cn=System: Modify Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Read Vault Containers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (target = "ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Add CA Certificate For Renewal";allow (add) groupdn = "ldap:///cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Add Certificate Store Entry";allow (add) groupdn = "ldap:///cn=System: Add Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "ipaanchoruuid")(target = "ldap:///cn=*,cn=compat,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaOverrideTarget)")(version 3.0;acl "permission:System: Compat Tree ID View targets";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cacertificate")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Modify CA Certificate";allow (write) groupdn = "ldap:///cn=System: Modify CA Certificate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "usercertificate")(target = "ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Modify CA Certificate For Renewal";allow (write) groupdn = "ldap:///cn=System: Modify CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cacertificate || ipacertissuerserial || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Modify Certificate Store Entry";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipantdomainguid || ipantfallbackprimarygroup || ipantflatname || ipantsecurityidentifier || modifytimestamp || objectclass")(target = "ldap:///cn=ad,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=ipantdomainattrs)")(version 3.0;acl "permission:System: Read AD Domains";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || createtimestamp || crosscertificatepair || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Read Certificate Store Entries";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+dn: ou=profile,dc=ipa,dc=example
+aci: (targetattr = "attributemap || authenticationmethod || bindtimelimit || cn || createtimestamp || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || entryusn || followreferrals || modifytimestamp || objectclass || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor")(targetfilter = "(|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile))")(version 3.0;acl "permission:System: Read DUA Profile";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=Domain Level,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || ipadomainlevel || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipadomainlevelconfig)")(version 3.0;acl "permission:System: Read Domain Level";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=config
-aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=replication,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Remove Certificate Store Entry";allow (delete) groupdn = "ldap:///cn=System: Remove Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
--- a/API.txt
+++ b/API.txt
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -3,23 +3,30 @@ Here is a quickie guide to get you started in IPA development.
 Dependencies
 ------------

+For more information, see http://www.freeipa.org/page/Build
+
 The quickest way to get the dependencies needed for building is:

+# dnf builddep -b --spec freeipa.spec.in
+
+or
+
 # yum install rpm-build `grep "^BuildRequires" freeipa.spec.in | awk '{ print $2 }' | grep -v "^/"`

-This is currently (2014-02-11):
+This is currently (2015-05-07):

 yum install rpm-build 389-ds-base-devel svrcore-devel policycoreutils \
-systemd-units samba-devel samba-python libwbclient-devel samba4-devel \
-samba4-python libtalloc-devel libtevent-devel nspr-devel nss-devel \
-openssl-devel openldap-devel krb5-devel krb5-workstation libuuid-devel \
-libcurl-devel xmlrpc-c-devel popt-devel autoconf automake m4 libtool gettext \
-python-devel python-ldap python-setuptools python-krbV python-nss \
-python-netaddr python-kerberos python-rhsm pyOpenSSL pylint python-polib \
-libipa_hbac-python python-memcached sssd python-lxml python-pyasn1 \
-python-qrcode python-dns m2crypto check libsss_idmap-devel \
-libsss_nss_idmap-devel java-1.7.0-openjdk libverto-devel systemd \
-libunistring-devel python-lesscpy
+systemd-units samba-devel samba-python libtalloc-devel \
+libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \
+krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \
+autoconf automake m4 libtool gettext python-devel python-ldap \
+python-setuptools python-nss python-netaddr python-gssapi \
+python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \
+sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \
+libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \
+libverto-devel systemd libunistring-devel python-lesscpy python-yubico \
+python-backports-ssl_match_hostname softhsm-devel openssl-devel \
+p11-kit-devel pki-base python-pytest-multihost python-pytest-sourceorder

 Building
 --------
@@ -47,8 +54,10 @@ install the rpms and then configure IPA using ipa-server-install.
 Get a TGT for the admin user with: kinit admin

 Next you'll need 2 sessions in the source tree. In the first session run
-python lite-server.py. In the second session you can run the ./ipa
-tool and it will make requests to the lite-server listening on 127.0.0.1:8080.
+python lite-server.py. In the second session copy /etc/ipa/default.conf into
+~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:8888/ipa/xml.
+Finally run the ./ipa tool and it will make requests to the lite-server
+listening on 127.0.0.1:8888.

 This makes developing plugins much faster and you can also make use of the
 Python pdb debugger on the server side.
--- a/COPYING.openssl
+++ b/COPYING.openssl
@@ -0,0 +1,16 @@
+ADDITIONAL PERMISSIONS
+
+This file is a modification of the main license file (COPYING), which
+contains the license terms. It applies only to specific files in the
+tree that include an "OpenSSL license exception" disclaimer.
+
+In addition to the governing license (GPLv3), as a special exception,
+the copyright holders give permission to link the code of this program
+with the OpenSSL library, and distribute linked combinations including
+the two.
+You must obey the GNU General Public License in all respects for all of
+the code used other than OpenSSL. If you modify file(s) with this
+exception, you may extend this exception to your version of the file(s),
+but you are not obligated to do so. If you do not wish to do so, delete
+this exception statement from your version. If you delete the exception
+statement from all source files in the program, then also delete it here.
--- a/Contributors.txt
+++ b/Contributors.txt
@@ -4,36 +4,124 @@ The following people have contributed to the FreeIPA project.
 (Listed in alphabetical order within category)

 Developers:
+	Timo Aaltonen
+	Gabe Alford
 	Jr Aquino
-	Tomas Babej
+	Tomáš Babej
+	Martin Babinsky
+	Kyle Baker
+	Jan Barta
+	Martin Bašti
+	Sylvain Baubeau
+	Florence Blanc-Renaud
 	Alexander Bokovoy
+	Thierry Bordaz
+	Sumit Bose
+	François Cami
+	Xiao-Long Chen
 	Jan Cholasta
+	Yuri Chornoivan
+	Brian Cook
 	Rob Crittenden
+	Frank Cusack
 	Nalin Dahyabhai
+	Don Davis
 	John Dennis
-	Endi Dewata
+	Jason Gerard DeRose
+	Günther Deschner
+	Endi Sukma Dewata
+	Lenka Doudova
+	Benjamin Drung
+	Patrice Duc-Jacquet
+	Tibor Dudlák
+	Drew Erny
+	Oleg Fayans
+	Jérôme Fenal
+	Stephen Gallagher
+	James Groffen
+	Ondřej Hamada
+	Nick Hatch
+	Christian Heimes
 	Jakub Hrozek
-	Martin Kosek
+	Ganna Kaihorodova
+	Abhijeet Kasurde
 	Nathan Kinder
-	Ana Krivokapic
+	Krzysztof Klimonda
+	Nikolai Kondrashov
+	Martin Košek
+	Ludwig Krispenz
+	Ana Krivokapić
+	Tomas Krizek
+	Milan Kubík
+	Ian Kumlien
+	David Kupka
+	Robert Kuska
+	Peter Lacko
+	Stanislav Laznicka
+	Ade Lee
+	Ben Lipton
+	Karl MacMillan
+	Niranjan Mallapadi
+	Ales 'alich' Marecek
+	Francesco Marella
 	Nathaniel McCallum
-	Lynn Root
+	William Jon McCann
+	Kevin McCarthy
+	Mark McLoughlin
 	Rich Megginson
+	Jim Meyering
+	Adam Misnyovszki
+	Niranjan MR
+	Marko Myllynen
+	Martin Nagy
+	David O'Brien
+	Dmitri Pal
+	Jan Pazdziora
+	W. Michael Petullo
+	Gowrishankar Rajaiyan
+	Lubomír Rintel
+	Matt Rogers
+	Lynn Root
+	Pete Rowley
+	Lenka Ryznarova
+	Thorsten Scherf
+	Michael Simacek
+	Lars Sjostrom
+	Filip Skola
+	Lukáš Slebodník
 	Simo Sorce
+	Petr Špaček
+	David Spångberg
+	Diane Trout
+	Fraser Tweedale
 	Petr Viktorin
-	Petr Vobornik
+	Petr Voborník
+	Pavel Vomáčka
 	Andrew Wnuk
+	Jason Woods
 	Adam Young
+	Jan Zelený
+	Pavel Zůna

 Documentation:
+	Gabe Alford
+	Martin Bašti
+	Tomáš Čapek
 	Ella Deon Lackey
+	David O'Brien

 Testing:
+	Xiyang Dong
 	Michael Gregg
+	Steeve Goveas
 	Suzanne Hillman
 	Chandrasekar Kannan
+	Namita Krishnan
+	Varun Mylaraiah
+	Scott Poore
 	Gowrishankar Rajaiyan
 	Jenny Severance
+	Kaleemullah Siddiqui
 	Yi Zhang

 Translators:
@@ -51,6 +139,7 @@ Wiki, Solution and Idea Contributors:
 	James Hogarth
 	Dale Macartney
 	Viji V Nair
+	Bryce Nordgren
 	Ryan Thompson
 	David Zeuthen

@@ -60,29 +149,9 @@ Graphic Design and User Interaction Design:

 Management:
 	Scott Haines
+	Nathan Kinder
+	Martin Košek
 	Bob Lord
 	Dmitri Pal
 	Kevin Unthank
 	Karl Wirth
-
-Past and Occasional Contributors:
-	Sylvain Baubeau
-	Yuri Chornoivan
-	Frank Cusack
-	Don Davis
-	Jason DeRose
-	Gunther Deschner
-	Stephen Gallagher
-	Ondrej Hamada
-	Ian Kumlien
-	Karl MacMillan
-	Jon McCann
-	Kevin McCarthy
-	Jim Meyering
-	Martin Nagy
-	David O'Brien
-	Lubomir Rintel
-	Pete Rowley
-	Andreas Schneider
-	Jan Zeleny
-	Pavel Zuna
--- a/116
+++ b/116
@@ -1,7 +1,11 @@
+# IPA build system cannot cope with parallel build; disable parallel build
+.NOTPARALLEL:
+
 include VERSION

-SUBDIRS=daemons install ipapython ipa-client
-CLIENTDIRS=ipapython ipa-client
+SUBDIRS=asn1 daemons install ipapython ipalib
+CLIENTDIRS=ipapython ipalib client asn1
+CLIENTPYDIRS=ipaclient ipaplatform

 PRJ_PREFIX=freeipa

@@ -16,15 +20,16 @@ IPA_NUM_VERSION ?= $(shell printf %d%02d%02d $(IPA_VERSION_MAJOR) $(IPA_VERSION_
 # target.

 ifeq ($(IPA_VERSION_IS_GIT_SNAPSHOT),"yes")
-GIT_VERSION=$(shell git show --pretty=format:"%h" --stat HEAD 2>/dev/null|head -1)
+DATESTR:=$(shell date -u +'%Y%m%d%H%M')
+GIT_VERSION:=$(shell git show --pretty=format:"%h" --stat HEAD 2>/dev/null|head -1)
 ifneq ($(GIT_VERSION),)
-IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE)GIT$(GIT_VERSION)
+IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE).$(DATESTR)GIT$(GIT_VERSION)
 endif # in a git tree and git returned a version
 endif # git

 ifndef IPA_VERSION
-ifdef IPA_VERSION_PRE_RELEASE
-IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE).pre$(IPA_VERSION_PRE_RELEASE)
+ifdef IPA_VERSION_ALPHA_RELEASE
+IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE).alpha$(IPA_VERSION_ALPHA_RELEASE)
 else
 ifdef IPA_VERSION_BETA_RELEASE
 IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE).beta$(IPA_VERSION_BETA_RELEASE)
@@ -35,7 +40,7 @@ else
 IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE)
 endif # rc
 endif # beta
-endif # pre
+endif # alpha
 endif # ipa_version

 IPA_VENDOR_VERSION=$(IPA_VERSION)$(IPA_VENDOR_VERSION_SUFFIX)
@@ -49,7 +54,9 @@ LIBDIR ?= /usr/lib

 DEVELOPER_MODE ?= 0
 ifneq ($(DEVELOPER_MODE),0)
-LINT_OPTIONS=--no-fail
+LINT_IGNORE_FAIL=true
+else
+LINT_IGNORE_FAIL=false
 endif

 PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python2)
@@ -71,21 +78,35 @@ client: client-autogen
 	@for subdir in $(CLIENTDIRS); do \
 		(cd $$subdir && $(MAKE) all) || exit 1; \
 	done
-	cd ipaplatform && $(PYTHON) setup.py build
+	@for subdir in $(CLIENTPYDIRS); do \
+		(cd $$subdir && $(PYTHON) setup.py build); \
+	done
+
+check: bootstrap-autogen server tests
+	@for subdir in $(SUBDIRS); do \
+		(cd $$subdir && $(MAKE) check) || exit 1; \
+	done
+
+client-check: client-autogen
+	@for subdir in $(CLIENTDIRS); do \
+		(cd $$subdir && $(MAKE) check) || exit 1; \
+	done

 bootstrap-autogen: version-update client-autogen
 	@echo "Building IPA $(IPA_VERSION)"
+	cd asn1; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
 	cd daemons; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) --with-openldap; fi
 	cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi

 client-autogen: version-update
-	cd ipa-client; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
+	cd asn1; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
+	cd client; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
 	cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi

 tests-man-autogen: version-update
 	cd ipatests/man; if [ ! -e Makefile ]; then ../../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi

-install: all server-install tests-install
+install: all server-install tests-install client-install
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
 	done
@@ -95,13 +116,13 @@ client-install: client client-dirs
 		(cd $$subdir && $(MAKE) install) || exit 1; \
 	done
 	cd install/po && $(MAKE) install || exit 1;
-	if [ "$(DESTDIR)" = "" ]; then \
-		$(PYTHON) setup-client.py install; \
-		(cd ipaplatform && $(PYTHON) setup.py install); \
-	else \
-		$(PYTHON) setup-client.py install --root $(DESTDIR); \
-		(cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
-	fi
+	@for subdir in $(CLIENTPYDIRS); do \
+		if [ "$(DESTDIR)" = "" ]; then \
+			(cd $$subdir && $(PYTHON) setup.py install); \
+		else \
+			(cd $$subdir && $(PYTHON) setup.py install --root $(DESTDIR)); \
+		fi \
+	done

 client-dirs:
 	@if [ "$(DESTDIR)" != "" ] ; then \
@@ -112,10 +133,27 @@ client-dirs:
 		echo "Without those directories ipa-client-install will fail" ; \
 	fi

-lint: bootstrap-autogen
-	./make-lint $(LINT_OPTIONS)
-	$(MAKE) -C install/po validate-src-strings
+pylint: bootstrap-autogen
+	# find all python modules and executable python files outside modules for pylint check
+	FILES=`find . \
+		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
+		-path '*/.*' -o \
+		-path './dist/*' -o \
+		-path './lextab.py' -o \
+		-path './yacctab.py' -o \
+		-name '*~' -o \
+		-name \*.py -print -o \
+		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
+	echo "Pylint is running, please wait ..."; \
+	PYTHONPATH=. pylint --rcfile=pylintrc $(PYLINTFLAGS) $$FILES || $(LINT_IGNORE_FAIL)

+po-validate:
+	$(MAKE) -C install/po validate-src-strings || $(LINT_IGNORE_FAIL)
+
+jslint:
+	cd install/ui; jsl -nologo -nosummary -nofilelisting -conf jsl.conf || $(LINT_IGNORE_FAIL)
+
+lint: pylint po-validate jslint

 test:
 	./make-test
@@ -132,36 +170,42 @@ version-update: release-update
 		> ipapython/setup.py
 	sed -e s/__VERSION__/$(IPA_VERSION)/ ipaplatform/setup.py.in \
 		> ipaplatform/setup.py
+	sed -e s/__VERSION__/$(IPA_VERSION)/ ipalib/setup.py.in \
+		> ipalib/setup.py
 	sed -e s/__VERSION__/$(IPA_VERSION)/ ipapython/version.py.in \
 		> ipapython/version.py
 	sed -e s/__VERSION__/$(IPA_VERSION)/ ipatests/setup.py.in \
 		> ipatests/setup.py
+	sed -e s/__VERSION__/$(IPA_VERSION)/ ipaclient/setup.py.in \
+		> ipaclient/setup.py
 	sed -e s/__NUM_VERSION__/$(IPA_NUM_VERSION)/ install/ui/src/libs/loader.js.in \
 		> install/ui/src/libs/loader.js
-	perl -pi -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" install/ui/src/libs/loader.js
-	perl -pi -e "s:__NUM_VERSION__:$(IPA_NUM_VERSION):" ipapython/version.py
-	perl -pi -e "s:__VENDOR_VERSION__:$(IPA_VENDOR_VERSION):" ipapython/version.py
-	perl -pi -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" ipapython/version.py
+	sed -i -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" install/ui/src/libs/loader.js
+	sed -i -e "s:__NUM_VERSION__:$(IPA_NUM_VERSION):" ipapython/version.py
+	sed -i -e "s:__VENDOR_VERSION__:$(IPA_VENDOR_VERSION):" ipapython/version.py
+	sed -i -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" ipapython/version.py
+	grep -Po '(?<=default: ).*' API.txt | sed -n -i -e "/__DEFAULT_PLUGINS__/!{p;b};r /dev/stdin" ipapython/version.py
 	touch -r ipapython/version.py.in ipapython/version.py
 	sed -e s/__VERSION__/$(IPA_VERSION)/ daemons/ipa-version.h.in \
 		> daemons/ipa-version.h
-	perl -pi -e "s:__NUM_VERSION__:$(IPA_NUM_VERSION):" daemons/ipa-version.h
-	perl -pi -e "s:__DATA_VERSION__:$(IPA_DATA_VERSION):" daemons/ipa-version.h
+	sed -i -e "s:__NUM_VERSION__:$(IPA_NUM_VERSION):" daemons/ipa-version.h
+	sed -i -e "s:__DATA_VERSION__:$(IPA_DATA_VERSION):" daemons/ipa-version.h

-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-client/ipa-client.spec.in > ipa-client/ipa-client.spec
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipa-client/version.m4.in \
-		> ipa-client/version.m4
+	sed -e s/__VERSION__/$(IPA_VERSION)/ client/version.m4.in \
+		> client/version.m4

 	if [ "$(SUPPORTED_PLATFORM)" != "" ]; then \
-		rm -f ipaplatform/paths.py ipaplatform/services.py ipaplatform/tasks.py; \
+		sed -e s/__PLATFORM__/$(SUPPORTED_PLATFORM)/ \
+			ipaplatform/__init__.py.in > ipaplatform/__init__.py; \
+		rm -f ipaplatform/paths.py ipaplatform/services.py ipaplatform/tasks.py ipaplatform/constants.py; \
 		ln -s $(SUPPORTED_PLATFORM)/paths.py ipaplatform/paths.py; \
 		ln -s $(SUPPORTED_PLATFORM)/services.py ipaplatform/services.py; \
 		ln -s $(SUPPORTED_PLATFORM)/tasks.py ipaplatform/tasks.py; \
+		ln -s $(SUPPORTED_PLATFORM)/constants.py ipaplatform/constants.py; \
 	fi

 	if [ "$(SKIP_API_VERSION_CHECK)" != "yes" ]; then \
-		./makeapi --validate; \
+		./makeapi --validate && \
 		./makeaci --validate; \
 	fi

@@ -204,7 +248,7 @@ archive-cleanup:
 tarballs: local-archive
 	-mkdir -p dist/sources
 	# tar up clean sources
-	cd dist/$(TARBALL_PREFIX)/ipa-client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
+	cd dist/$(TARBALL_PREFIX)/client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
 	cd dist/$(TARBALL_PREFIX)/daemons; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
 	cd dist/$(TARBALL_PREFIX)/install; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
 	cd dist; tar cfz sources/$(TARBALL) $(TARBALL_PREFIX)
@@ -226,6 +270,7 @@ rpms: rpmroot rpmdistdir version-update lint tarballs
 	cp dist/sources/$(TARBALL) $(RPMBUILD)/SOURCES/.
 	rpmbuild --define "_topdir $(RPMBUILD)" -ba freeipa.spec
 	cp $(RPMBUILD)/RPMS/*/$(PRJ_PREFIX)-*-$(IPA_VERSION)-*.rpm dist/rpms/
+	cp $(RPMBUILD)/RPMS/*/python?-ipa*-$(IPA_VERSION)-*.rpm dist/rpms/
 	cp $(RPMBUILD)/SRPMS/$(PRJ_PREFIX)-$(IPA_VERSION)-*.src.rpm dist/srpms/
 	rm -rf $(RPMBUILD)

@@ -233,6 +278,7 @@ client-rpms: rpmroot rpmdistdir version-update lint tarballs
 	cp dist/sources/$(TARBALL) $(RPMBUILD)/SOURCES/.
 	rpmbuild --define "_topdir $(RPMBUILD)" --define "ONLY_CLIENT 1" -ba freeipa.spec
 	cp $(RPMBUILD)/RPMS/*/$(PRJ_PREFIX)-*-$(IPA_VERSION)-*.rpm dist/rpms/
+	cp $(RPMBUILD)/RPMS/*/python?-ipa*-$(IPA_VERSION)-*.rpm dist/rpms/
 	cp $(RPMBUILD)/SRPMS/$(PRJ_PREFIX)-$(IPA_VERSION)-*.src.rpm dist/srpms/
 	rm -rf $(RPMBUILD)

@@ -271,7 +317,7 @@ maintainer-clean: clean
 	rm -fr $(RPMBUILD) dist build
 	cd daemons && $(MAKE) maintainer-clean
 	cd install && $(MAKE) maintainer-clean
-	cd ipa-client && $(MAKE) maintainer-clean
+	cd client && $(MAKE) maintainer-clean
 	cd ipapython && $(MAKE) maintainer-clean
 	rm -f version.m4
 	rm -f freeipa.spec
--- a/27
+++ b/27
@@ -2,9 +2,10 @@
 # freeIPA Version                                      #
 #                                                      #
 # freeIPA versions are as follows                      #
-# 1.0.x                New production series           #
-# 1.0.x{pre,beta,rc}y  Preview/Testing, Beta & RC      #
-# 1.0.0GITabcdefg      Build from GIT                  #
+# 1.0.x                  New production series         #
+# 1.0.x{alpha,beta,rc}y  Alpha/Preview/Testing, Beta,  #
+#                           Release Candidate          #
+# 1.0.0GITabcdefg        Build from GIT                #
 #                                                      #
 ########################################################

@@ -19,18 +20,18 @@
 #  ->  "1.0.0"                                         #
 ########################################################
 IPA_VERSION_MAJOR=4
-IPA_VERSION_MINOR=0
-IPA_VERSION_RELEASE=5
+IPA_VERSION_MINOR=4
+IPA_VERSION_RELEASE=4

 ########################################################
-# For 'pre' releases the version will be               #
+# For 'alpha' releases the version will be             #
 #                                                      #
-# <MAJOR>.<MINOR>.<RELEASE>pre<PRE_RELEASE>            #
+# <MAJOR>.<MINOR>.<RELEASE>alpha<ALPHA_RELEASE>        #
 #                                                      #
-# e.g. IPA_VERSION_PRE_RELEASE=1                       #
-#  ->  "1.0.0pre1"                                     #
+# e.g. IPA_VERSION_ALPHA_RELEASE=1                     #
+#  ->  "1.0.0alpha1"                                   #
 ########################################################
-IPA_VERSION_PRE_RELEASE=
+IPA_VERSION_ALPHA_RELEASE=

 ########################################################
 # For 'beta' releases the version will be              #
@@ -62,7 +63,7 @@ IPA_VERSION_RC_RELEASE=
 # e.g. IPA_VERSION_IS_SVN_SNAPSHOT=yes                 #
 #  ->  "1.0.0GITabcdefg"                               #
 ########################################################
-IPA_VERSION_IS_GIT_SNAPSHOT="yes"
+IPA_VERSION_IS_GIT_SNAPSHOT="no"

 ########################################################
 # The version of IPA data. This is used to identify    #
@@ -89,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=101
-# Last change: mbasti - Allow '/' in permission name
+IPA_API_VERSION_MINOR=215
+# Last change: dns: re-introduce --raw in dnsrecord-del
--- a/asn1/Makefile.am
+++ b/asn1/Makefile.am
@@ -0,0 +1,8 @@
+SUBDIRS = asn1c
+
+AM_CPPFLAGS = -I../util -Iasn1c
+
+noinst_LTLIBRARIES=libipaasn1.la
+noinst_HEADERS=ipa_asn1.h
+libipaasn1_la_SOURCES=ipa_asn1.c
+libipaasn1_la_LIBADD=asn1c/libasn1c.la
--- a/asn1/README
+++ b/asn1/README
@@ -0,0 +1,17 @@
+libipaasn1.a is a small static convenience library used by other ipa
+binaries and modules. At the moment it is not meant to be a public shared
+library and stable interface, but may become one in future.
+
+The only files that should be manually modified are:
+* asn1c/ipa.asn1 - when new interfaces are added
+* ipa_asn1.[ch] - to add wrappers around interfaces
+
+ipa_asn1.[ch] are the public interface and they SHOULD NOT export generated
+structures so that the autogenerated code can change w/o impacting any other
+code except the internal library functions.
+
+To regenerate the automatically generated files run the following command:
+cd asn1c;
+make regenerate
+
+Remember to commit and add any new file to asn1c/Makefile.am
--- a/asn1/asn1c/BIT_STRING.c
+++ b/asn1/asn1c/BIT_STRING.c
@@ -0,0 +1,189 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <BIT_STRING.h>
+#include <asn_internal.h>
+
+/*
+ * BIT STRING basic type description.
+ */
+static ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (3 << 2))
+};
+static asn_OCTET_STRING_specifics_t asn_DEF_BIT_STRING_specs = {
+	sizeof(BIT_STRING_t),
+	offsetof(BIT_STRING_t, _asn_ctx),
+	ASN_OSUBV_BIT
+};
+asn_TYPE_descriptor_t asn_DEF_BIT_STRING = {
+	"BIT STRING",
+	"BIT_STRING",
+	OCTET_STRING_free,         /* Implemented in terms of OCTET STRING */
+	BIT_STRING_print,
+	BIT_STRING_constraint,
+	OCTET_STRING_decode_ber,   /* Implemented in terms of OCTET STRING */
+	OCTET_STRING_encode_der,   /* Implemented in terms of OCTET STRING */
+	OCTET_STRING_decode_xer_binary,
+	BIT_STRING_encode_xer,
+	OCTET_STRING_decode_uper,	/* Unaligned PER decoder */
+	OCTET_STRING_encode_uper,	/* Unaligned PER encoder */
+	0, /* Use generic outmost tag fetcher */
+	asn_DEF_BIT_STRING_tags,
+	sizeof(asn_DEF_BIT_STRING_tags)
+	  / sizeof(asn_DEF_BIT_STRING_tags[0]),
+	asn_DEF_BIT_STRING_tags,	/* Same as above */
+	sizeof(asn_DEF_BIT_STRING_tags)
+	  / sizeof(asn_DEF_BIT_STRING_tags[0]),
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	&asn_DEF_BIT_STRING_specs
+};
+
+/*
+ * BIT STRING generic constraint.
+ */
+int
+BIT_STRING_constraint(asn_TYPE_descriptor_t *td, const void *sptr,
+		asn_app_constraint_failed_f *ctfailcb, void *app_key) {
+	const BIT_STRING_t *st = (const BIT_STRING_t *)sptr;
+
+	if(st && st->buf) {
+		if((st->size == 0 && st->bits_unused)
+		|| st->bits_unused < 0 || st->bits_unused > 7) {
+			_ASN_CTFAIL(app_key, td, sptr,
+				"%s: invalid padding byte (%s:%d)",
+				td->name, __FILE__, __LINE__);
+			return -1;
+		}
+	} else {
+		_ASN_CTFAIL(app_key, td, sptr,
+			"%s: value not given (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+
+	return 0;
+}
+
+static char *_bit_pattern[16] = {
+	"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111",
+	"1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"
+};
+
+asn_enc_rval_t
+BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er;
+	char scratch[128];
+	char *p = scratch;
+	char *scend = scratch + (sizeof(scratch) - 10);
+	const BIT_STRING_t *st = (const BIT_STRING_t *)sptr;
+	int xcan = (flags & XER_F_CANONICAL);
+	uint8_t *buf;
+	uint8_t *end;
+
+	if(!st || !st->buf)
+		_ASN_ENCODE_FAILED;
+
+	er.encoded = 0;
+
+	buf = st->buf;
+	end = buf + st->size - 1;	/* Last byte is special */
+
+	/*
+	 * Binary dump
+	 */
+	for(; buf < end; buf++) {
+		int v = *buf;
+		int nline = xcan?0:(((buf - st->buf) % 8) == 0);
+		if(p >= scend || nline) {
+			er.encoded += p - scratch;
+			_ASN_CALLBACK(scratch, p - scratch);
+			p = scratch;
+			if(nline) _i_ASN_TEXT_INDENT(1, ilevel);
+		}
+		memcpy(p + 0, _bit_pattern[v >> 4], 4);
+		memcpy(p + 4, _bit_pattern[v & 0x0f], 4);
+		p += 8;
+	}
+
+	if(!xcan && ((buf - st->buf) % 8) == 0)
+		_i_ASN_TEXT_INDENT(1, ilevel);
+	er.encoded += p - scratch;
+	_ASN_CALLBACK(scratch, p - scratch);
+	p = scratch;
+
+	if(buf == end) {
+		int v = *buf;
+		int ubits = st->bits_unused;
+		int i;
+		for(i = 7; i >= ubits; i--)
+			*p++ = (v & (1 << i)) ? 0x31 : 0x30;
+		er.encoded += p - scratch;
+		_ASN_CALLBACK(scratch, p - scratch);
+	}
+
+	if(!xcan) _i_ASN_TEXT_INDENT(1, ilevel - 1);
+
+	_ASN_ENCODED_OK(er);
+cb_failed:
+	_ASN_ENCODE_FAILED;
+}
+
+
+/*
+ * BIT STRING specific contents printer.
+ */
+int
+BIT_STRING_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	static const char *h2c = "0123456789ABCDEF";
+	char scratch[64];
+	const BIT_STRING_t *st = (const BIT_STRING_t *)sptr;
+	uint8_t *buf;
+	uint8_t *end;
+	char *p = scratch;
+
+	(void)td;	/* Unused argument */
+
+	if(!st || !st->buf)
+		return (cb("<absent>", 8, app_key) < 0) ? -1 : 0;
+
+	ilevel++;
+	buf = st->buf;
+	end = buf + st->size;
+
+	/*
+	 * Hexadecimal dump.
+	 */
+	for(; buf < end; buf++) {
+		if((buf - st->buf) % 16 == 0 && (st->size > 16)
+				&& buf != st->buf) {
+			_i_INDENT(1);
+			/* Dump the string */
+			if(cb(scratch, p - scratch, app_key) < 0) return -1;
+			p = scratch;
+		}
+		*p++ = h2c[*buf >> 4];
+		*p++ = h2c[*buf & 0x0F];
+		*p++ = 0x20;
+	}
+
+	if(p > scratch) {
+		p--;	/* Eat the tailing space */
+
+		if((st->size > 16)) {
+			_i_INDENT(1);
+		}
+
+		/* Dump the incomplete 16-bytes row */
+		if(cb(scratch, p - scratch, app_key) < 0)
+			return -1;
+	}
+
+	return 0;
+}
+
--- a/asn1/asn1c/BIT_STRING.h
+++ b/asn1/asn1c/BIT_STRING.h
@@ -0,0 +1,33 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BIT_STRING_H_
+#define	_BIT_STRING_H_
+
+#include <OCTET_STRING.h>	/* Some help from OCTET STRING */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct BIT_STRING_s {
+	uint8_t *buf;	/* BIT STRING body */
+	int size;	/* Size of the above buffer */
+
+	int bits_unused;/* Unused trailing bits in the last octet (0..7) */
+
+	asn_struct_ctx_t _asn_ctx;	/* Parsing across buffer boundaries */
+} BIT_STRING_t;
+
+extern asn_TYPE_descriptor_t asn_DEF_BIT_STRING;
+
+asn_struct_print_f BIT_STRING_print;	/* Human-readable output */
+asn_constr_check_f BIT_STRING_constraint;
+xer_type_encoder_f BIT_STRING_encode_xer;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BIT_STRING_H_ */
--- a/asn1/asn1c/GKCurrentKeys.c
+++ b/asn1/asn1c/GKCurrentKeys.c
@@ -0,0 +1,59 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#include "GKCurrentKeys.h"
+
+static asn_TYPE_member_t asn_MBR_GKCurrentKeys_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GKCurrentKeys, serviceIdentity),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"serviceIdentity"
+		},
+};
+static ber_tlv_tag_t asn_DEF_GKCurrentKeys_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_TYPE_tag2member_t asn_MAP_GKCurrentKeys_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 } /* serviceIdentity */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_GKCurrentKeys_specs_1 = {
+	sizeof(struct GKCurrentKeys),
+	offsetof(struct GKCurrentKeys, _asn_ctx),
+	asn_MAP_GKCurrentKeys_tag2el_1,
+	1,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_GKCurrentKeys = {
+	"GKCurrentKeys",
+	"GKCurrentKeys",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_GKCurrentKeys_tags_1,
+	sizeof(asn_DEF_GKCurrentKeys_tags_1)
+		/sizeof(asn_DEF_GKCurrentKeys_tags_1[0]), /* 1 */
+	asn_DEF_GKCurrentKeys_tags_1,	/* Same as above */
+	sizeof(asn_DEF_GKCurrentKeys_tags_1)
+		/sizeof(asn_DEF_GKCurrentKeys_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_GKCurrentKeys_1,
+	1,	/* Elements count */
+	&asn_SPC_GKCurrentKeys_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GKCurrentKeys.h
+++ b/asn1/asn1c/GKCurrentKeys.h
@@ -0,0 +1,38 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#ifndef	_GKCurrentKeys_H_
+#define	_GKCurrentKeys_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include <OCTET_STRING.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* GKCurrentKeys */
+typedef struct GKCurrentKeys {
+	OCTET_STRING_t	 serviceIdentity;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GKCurrentKeys_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GKCurrentKeys;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _GKCurrentKeys_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/GKNewKeys.c
+++ b/asn1/asn1c/GKNewKeys.c
@@ -0,0 +1,124 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#include "GKNewKeys.h"
+
+static asn_TYPE_member_t asn_MBR_enctypes_3[] = {
+	{ ATF_POINTER, 0, 0,
+		(ASN_TAG_CLASS_UNIVERSAL | (2 << 2)),
+		0,
+		&asn_DEF_Int32,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		""
+		},
+};
+static ber_tlv_tag_t asn_DEF_enctypes_tags_3[] = {
+	(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_SET_OF_specifics_t asn_SPC_enctypes_specs_3 = {
+	sizeof(struct enctypes),
+	offsetof(struct enctypes, _asn_ctx),
+	0,	/* XER encoding is XMLDelimitedItemList */
+};
+static /* Use -fall-defs-global to expose */
+asn_TYPE_descriptor_t asn_DEF_enctypes_3 = {
+	"enctypes",
+	"enctypes",
+	SEQUENCE_OF_free,
+	SEQUENCE_OF_print,
+	SEQUENCE_OF_constraint,
+	SEQUENCE_OF_decode_ber,
+	SEQUENCE_OF_encode_der,
+	SEQUENCE_OF_decode_xer,
+	SEQUENCE_OF_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_enctypes_tags_3,
+	sizeof(asn_DEF_enctypes_tags_3)
+		/sizeof(asn_DEF_enctypes_tags_3[0]), /* 2 */
+	asn_DEF_enctypes_tags_3,	/* Same as above */
+	sizeof(asn_DEF_enctypes_tags_3)
+		/sizeof(asn_DEF_enctypes_tags_3[0]), /* 2 */
+	0,	/* No PER visible constraints */
+	asn_MBR_enctypes_3,
+	1,	/* Single element */
+	&asn_SPC_enctypes_specs_3	/* Additional specs */
+};
+
+static asn_TYPE_member_t asn_MBR_GKNewKeys_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GKNewKeys, serviceIdentity),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"serviceIdentity"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GKNewKeys, enctypes),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		0,
+		&asn_DEF_enctypes_3,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"enctypes"
+		},
+	{ ATF_POINTER, 1, offsetof(struct GKNewKeys, password),
+		(ASN_TAG_CLASS_CONTEXT | (2 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"password"
+		},
+};
+static ber_tlv_tag_t asn_DEF_GKNewKeys_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_TYPE_tag2member_t asn_MAP_GKNewKeys_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* serviceIdentity */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* enctypes */
+    { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* password */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_GKNewKeys_specs_1 = {
+	sizeof(struct GKNewKeys),
+	offsetof(struct GKNewKeys, _asn_ctx),
+	asn_MAP_GKNewKeys_tag2el_1,
+	3,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_GKNewKeys = {
+	"GKNewKeys",
+	"GKNewKeys",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_GKNewKeys_tags_1,
+	sizeof(asn_DEF_GKNewKeys_tags_1)
+		/sizeof(asn_DEF_GKNewKeys_tags_1[0]), /* 1 */
+	asn_DEF_GKNewKeys_tags_1,	/* Same as above */
+	sizeof(asn_DEF_GKNewKeys_tags_1)
+		/sizeof(asn_DEF_GKNewKeys_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_GKNewKeys_1,
+	3,	/* Elements count */
+	&asn_SPC_GKNewKeys_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GKNewKeys.h
+++ b/asn1/asn1c/GKNewKeys.h
@@ -0,0 +1,48 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#ifndef	_GKNewKeys_H_
+#define	_GKNewKeys_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include <OCTET_STRING.h>
+#include "Int32.h"
+#include <asn_SEQUENCE_OF.h>
+#include <constr_SEQUENCE_OF.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* GKNewKeys */
+typedef struct GKNewKeys {
+	OCTET_STRING_t	 serviceIdentity;
+	struct enctypes {
+		A_SEQUENCE_OF(Int32_t) list;
+		
+		/* Context for parsing across buffer boundaries */
+		asn_struct_ctx_t _asn_ctx;
+	} enctypes;
+	OCTET_STRING_t	*password	/* OPTIONAL */;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GKNewKeys_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GKNewKeys;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _GKNewKeys_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/GKReply.c
+++ b/asn1/asn1c/GKReply.c
@@ -0,0 +1,113 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#include "GKReply.h"
+
+static asn_TYPE_member_t asn_MBR_keys_3[] = {
+	{ ATF_POINTER, 0, 0,
+		(ASN_TAG_CLASS_UNIVERSAL | (16 << 2)),
+		0,
+		&asn_DEF_KrbKey,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		""
+		},
+};
+static ber_tlv_tag_t asn_DEF_keys_tags_3[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_SET_OF_specifics_t asn_SPC_keys_specs_3 = {
+	sizeof(struct keys),
+	offsetof(struct keys, _asn_ctx),
+	0,	/* XER encoding is XMLDelimitedItemList */
+};
+static /* Use -fall-defs-global to expose */
+asn_TYPE_descriptor_t asn_DEF_keys_3 = {
+	"keys",
+	"keys",
+	SEQUENCE_OF_free,
+	SEQUENCE_OF_print,
+	SEQUENCE_OF_constraint,
+	SEQUENCE_OF_decode_ber,
+	SEQUENCE_OF_encode_der,
+	SEQUENCE_OF_decode_xer,
+	SEQUENCE_OF_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_keys_tags_3,
+	sizeof(asn_DEF_keys_tags_3)
+		/sizeof(asn_DEF_keys_tags_3[0]), /* 1 */
+	asn_DEF_keys_tags_3,	/* Same as above */
+	sizeof(asn_DEF_keys_tags_3)
+		/sizeof(asn_DEF_keys_tags_3[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_keys_3,
+	1,	/* Single element */
+	&asn_SPC_keys_specs_3	/* Additional specs */
+};
+
+static asn_TYPE_member_t asn_MBR_GKReply_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GKReply, newkvno),
+		(ASN_TAG_CLASS_UNIVERSAL | (2 << 2)),
+		0,
+		&asn_DEF_Int32,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"newkvno"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GKReply, keys),
+		(ASN_TAG_CLASS_UNIVERSAL | (16 << 2)),
+		0,
+		&asn_DEF_keys_3,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"keys"
+		},
+};
+static ber_tlv_tag_t asn_DEF_GKReply_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_TYPE_tag2member_t asn_MAP_GKReply_tag2el_1[] = {
+    { (ASN_TAG_CLASS_UNIVERSAL | (2 << 2)), 0, 0, 0 }, /* newkvno */
+    { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)), 1, 0, 0 } /* keys */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_GKReply_specs_1 = {
+	sizeof(struct GKReply),
+	offsetof(struct GKReply, _asn_ctx),
+	asn_MAP_GKReply_tag2el_1,
+	2,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_GKReply = {
+	"GKReply",
+	"GKReply",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_GKReply_tags_1,
+	sizeof(asn_DEF_GKReply_tags_1)
+		/sizeof(asn_DEF_GKReply_tags_1[0]), /* 1 */
+	asn_DEF_GKReply_tags_1,	/* Same as above */
+	sizeof(asn_DEF_GKReply_tags_1)
+		/sizeof(asn_DEF_GKReply_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_GKReply_1,
+	2,	/* Elements count */
+	&asn_SPC_GKReply_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GKReply.h
+++ b/asn1/asn1c/GKReply.h
@@ -0,0 +1,52 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#ifndef	_GKReply_H_
+#define	_GKReply_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "Int32.h"
+#include <asn_SEQUENCE_OF.h>
+#include <constr_SEQUENCE_OF.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Forward declarations */
+struct KrbKey;
+
+/* GKReply */
+typedef struct GKReply {
+	Int32_t	 newkvno;
+	struct keys {
+		A_SEQUENCE_OF(struct KrbKey) list;
+		
+		/* Context for parsing across buffer boundaries */
+		asn_struct_ctx_t _asn_ctx;
+	} keys;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GKReply_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GKReply;
+
+#ifdef __cplusplus
+}
+#endif
+
+/* Referred external types */
+#include "KrbKey.h"
+
+#endif	/* _GKReply_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/GetKeytabControl.c
+++ b/asn1/asn1c/GetKeytabControl.c
@@ -0,0 +1,75 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#include "GetKeytabControl.h"
+
+static asn_TYPE_member_t asn_MBR_GetKeytabControl_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GetKeytabControl, choice.newkeys),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_GKNewKeys,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"newkeys"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GetKeytabControl, choice.curkeys),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_GKCurrentKeys,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"curkeys"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GetKeytabControl, choice.reply),
+		(ASN_TAG_CLASS_CONTEXT | (2 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_GKReply,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"reply"
+		},
+};
+static asn_TYPE_tag2member_t asn_MAP_GetKeytabControl_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* newkeys */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* curkeys */
+    { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* reply */
+};
+static asn_CHOICE_specifics_t asn_SPC_GetKeytabControl_specs_1 = {
+	sizeof(struct GetKeytabControl),
+	offsetof(struct GetKeytabControl, _asn_ctx),
+	offsetof(struct GetKeytabControl, present),
+	sizeof(((struct GetKeytabControl *)0)->present),
+	asn_MAP_GetKeytabControl_tag2el_1,
+	3,	/* Count of tags in the map */
+	0,
+	-1	/* Extensions start */
+};
+asn_TYPE_descriptor_t asn_DEF_GetKeytabControl = {
+	"GetKeytabControl",
+	"GetKeytabControl",
+	CHOICE_free,
+	CHOICE_print,
+	CHOICE_constraint,
+	CHOICE_decode_ber,
+	CHOICE_encode_der,
+	CHOICE_decode_xer,
+	CHOICE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	CHOICE_outmost_tag,
+	0,	/* No effective tags (pointer) */
+	0,	/* No effective tags (count) */
+	0,	/* No tags (pointer) */
+	0,	/* No tags (count) */
+	0,	/* No PER visible constraints */
+	asn_MBR_GetKeytabControl_1,
+	3,	/* Elements count */
+	&asn_SPC_GetKeytabControl_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GetKeytabControl.h
+++ b/asn1/asn1c/GetKeytabControl.h
@@ -0,0 +1,53 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#ifndef	_GetKeytabControl_H_
+#define	_GetKeytabControl_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "GKNewKeys.h"
+#include "GKCurrentKeys.h"
+#include "GKReply.h"
+#include <constr_CHOICE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Dependencies */
+typedef enum GetKeytabControl_PR {
+	GetKeytabControl_PR_NOTHING,	/* No components present */
+	GetKeytabControl_PR_newkeys,
+	GetKeytabControl_PR_curkeys,
+	GetKeytabControl_PR_reply
+} GetKeytabControl_PR;
+
+/* GetKeytabControl */
+typedef struct GetKeytabControl {
+	GetKeytabControl_PR present;
+	union GetKeytabControl_u {
+		GKNewKeys_t	 newkeys;
+		GKCurrentKeys_t	 curkeys;
+		GKReply_t	 reply;
+	} choice;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GetKeytabControl_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GetKeytabControl;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _GetKeytabControl_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/INTEGER.c
+++ b/asn1/asn1c/INTEGER.c
--- a/asn1/asn1c/INTEGER.h
+++ b/asn1/asn1c/INTEGER.h
@@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2003, 2005 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_INTEGER_H_
+#define	_INTEGER_H_
+
+#include <asn_application.h>
+#include <asn_codecs_prim.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef ASN__PRIMITIVE_TYPE_t INTEGER_t;
+
+extern asn_TYPE_descriptor_t asn_DEF_INTEGER;
+
+/* Map with <tag> to integer value association */
+typedef struct asn_INTEGER_enum_map_s {
+	long		 nat_value;	/* associated native integer value */
+	size_t		 enum_len;	/* strlen("tag") */
+	const char	*enum_name;	/* "tag" */
+} asn_INTEGER_enum_map_t;
+
+/* This type describes an enumeration for INTEGER and ENUMERATED types */
+typedef struct asn_INTEGER_specifics_s {
+	asn_INTEGER_enum_map_t *value2enum;	/* N -> "tag"; sorted by N */
+	unsigned int *enum2value;		/* "tag" => N; sorted by tag */
+	int map_count;				/* Elements in either map */
+	int extension;				/* This map is extensible */
+	int strict_enumeration;			/* Enumeration set is fixed */
+	int field_width;			/* Size of native integer */
+	int field_unsigned;			/* Signed=0, unsigned=1 */
+} asn_INTEGER_specifics_t;
+
+asn_struct_print_f INTEGER_print;
+ber_type_decoder_f INTEGER_decode_ber;
+der_type_encoder_f INTEGER_encode_der;
+xer_type_decoder_f INTEGER_decode_xer;
+xer_type_encoder_f INTEGER_encode_xer;
+per_type_decoder_f INTEGER_decode_uper;
+per_type_encoder_f INTEGER_encode_uper;
+
+/***********************************
+ * Some handy conversion routines. *
+ ***********************************/
+
+/*
+ * Returns 0 if it was possible to convert, -1 otherwise.
+ * -1/EINVAL: Mandatory argument missing
+ * -1/ERANGE: Value encoded is out of range for long representation
+ * -1/ENOMEM: Memory allocation failed (in asn_long2INTEGER()).
+ */
+int asn_INTEGER2long(const INTEGER_t *i, long *l);
+int asn_INTEGER2ulong(const INTEGER_t *i, unsigned long *l);
+int asn_long2INTEGER(INTEGER_t *i, long l);
+int asn_ulong2INTEGER(INTEGER_t *i, unsigned long l);
+
+/* A a reified version of strtol(3) with nicer error reporting. */
+enum asn_strtol_result_e {
+    ASN_STRTOL_ERROR_RANGE = -3,  /* Input outside of numeric range for long type */
+    ASN_STRTOL_ERROR_INVAL = -2,  /* Invalid data encountered (e.g., "+-") */
+    ASN_STRTOL_EXPECT_MORE = -1,  /* More data expected (e.g. "+") */
+    ASN_STRTOL_OK          =  0,  /* Conversion succeded, number ends at (*end) */
+    ASN_STRTOL_EXTRA_DATA  =  1,  /* Conversion succeded, but the string has extra stuff */
+};
+enum asn_strtol_result_e asn_strtol_lim(const char *str, const char **end, long *l);
+
+/* The asn_strtol is going to be DEPRECATED soon */
+enum asn_strtol_result_e asn_strtol(const char *str, const char *end, long *l);
+
+/*
+ * Convert the integer value into the corresponding enumeration map entry.
+ */
+const asn_INTEGER_enum_map_t *INTEGER_map_value2enum(asn_INTEGER_specifics_t *specs, long value);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _INTEGER_H_ */
--- a/asn1/asn1c/Int32.c
+++ b/asn1/asn1c/Int32.c
@@ -0,0 +1,126 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#include "Int32.h"
+
+int
+Int32_constraint(asn_TYPE_descriptor_t *td, const void *sptr,
+			asn_app_constraint_failed_f *ctfailcb, void *app_key) {
+	long value;
+	
+	if(!sptr) {
+		_ASN_CTFAIL(app_key, td, sptr,
+			"%s: value not given (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+	
+	value = *(const long *)sptr;
+	
+	if((value >= (-2147483647L - 1) && value <= 2147483647)) {
+		/* Constraint check succeeded */
+		return 0;
+	} else {
+		_ASN_CTFAIL(app_key, td, sptr,
+			"%s: constraint failed (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+}
+
+/*
+ * This type is implemented using NativeInteger,
+ * so here we adjust the DEF accordingly.
+ */
+static void
+Int32_1_inherit_TYPE_descriptor(asn_TYPE_descriptor_t *td) {
+	td->free_struct    = asn_DEF_NativeInteger.free_struct;
+	td->print_struct   = asn_DEF_NativeInteger.print_struct;
+	td->check_constraints = asn_DEF_NativeInteger.check_constraints;
+	td->ber_decoder    = asn_DEF_NativeInteger.ber_decoder;
+	td->der_encoder    = asn_DEF_NativeInteger.der_encoder;
+	td->xer_decoder    = asn_DEF_NativeInteger.xer_decoder;
+	td->xer_encoder    = asn_DEF_NativeInteger.xer_encoder;
+	td->uper_decoder   = asn_DEF_NativeInteger.uper_decoder;
+	td->uper_encoder   = asn_DEF_NativeInteger.uper_encoder;
+	if(!td->per_constraints)
+		td->per_constraints = asn_DEF_NativeInteger.per_constraints;
+	td->elements       = asn_DEF_NativeInteger.elements;
+	td->elements_count = asn_DEF_NativeInteger.elements_count;
+	td->specifics      = asn_DEF_NativeInteger.specifics;
+}
+
+void
+Int32_free(asn_TYPE_descriptor_t *td,
+		void *struct_ptr, int contents_only) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	td->free_struct(td, struct_ptr, contents_only);
+}
+
+int
+Int32_print(asn_TYPE_descriptor_t *td, const void *struct_ptr,
+		int ilevel, asn_app_consume_bytes_f *cb, void *app_key) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->print_struct(td, struct_ptr, ilevel, cb, app_key);
+}
+
+asn_dec_rval_t
+Int32_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+		void **structure, const void *bufptr, size_t size, int tag_mode) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->ber_decoder(opt_codec_ctx, td, structure, bufptr, size, tag_mode);
+}
+
+asn_enc_rval_t
+Int32_encode_der(asn_TYPE_descriptor_t *td,
+		void *structure, int tag_mode, ber_tlv_tag_t tag,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->der_encoder(td, structure, tag_mode, tag, cb, app_key);
+}
+
+asn_dec_rval_t
+Int32_decode_xer(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+		void **structure, const char *opt_mname, const void *bufptr, size_t size) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->xer_decoder(opt_codec_ctx, td, structure, opt_mname, bufptr, size);
+}
+
+asn_enc_rval_t
+Int32_encode_xer(asn_TYPE_descriptor_t *td, void *structure,
+		int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->xer_encoder(td, structure, ilevel, flags, cb, app_key);
+}
+
+static ber_tlv_tag_t asn_DEF_Int32_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (2 << 2))
+};
+asn_TYPE_descriptor_t asn_DEF_Int32 = {
+	"Int32",
+	"Int32",
+	Int32_free,
+	Int32_print,
+	Int32_constraint,
+	Int32_decode_ber,
+	Int32_encode_der,
+	Int32_decode_xer,
+	Int32_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_Int32_tags_1,
+	sizeof(asn_DEF_Int32_tags_1)
+		/sizeof(asn_DEF_Int32_tags_1[0]), /* 1 */
+	asn_DEF_Int32_tags_1,	/* Same as above */
+	sizeof(asn_DEF_Int32_tags_1)
+		/sizeof(asn_DEF_Int32_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	0	/* No specifics */
+};
+
--- a/asn1/asn1c/Int32.h
+++ b/asn1/asn1c/Int32.h
@@ -0,0 +1,39 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#ifndef	_Int32_H_
+#define	_Int32_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include <NativeInteger.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Int32 */
+typedef long	 Int32_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_Int32;
+asn_struct_free_f Int32_free;
+asn_struct_print_f Int32_print;
+asn_constr_check_f Int32_constraint;
+ber_type_decoder_f Int32_decode_ber;
+der_type_encoder_f Int32_encode_der;
+xer_type_decoder_f Int32_decode_xer;
+xer_type_encoder_f Int32_encode_xer;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _Int32_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/KrbKey.c
+++ b/asn1/asn1c/KrbKey.c
@@ -0,0 +1,79 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#include "KrbKey.h"
+
+static asn_TYPE_member_t asn_MBR_KrbKey_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct KrbKey, key),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_TypeValuePair,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"key"
+		},
+	{ ATF_POINTER, 2, offsetof(struct KrbKey, salt),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_TypeValuePair,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"salt"
+		},
+	{ ATF_POINTER, 1, offsetof(struct KrbKey, s2kparams),
+		(ASN_TAG_CLASS_CONTEXT | (2 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"s2kparams"
+		},
+};
+static ber_tlv_tag_t asn_DEF_KrbKey_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_TYPE_tag2member_t asn_MAP_KrbKey_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* key */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* salt */
+    { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* s2kparams */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_KrbKey_specs_1 = {
+	sizeof(struct KrbKey),
+	offsetof(struct KrbKey, _asn_ctx),
+	asn_MAP_KrbKey_tag2el_1,
+	3,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_KrbKey = {
+	"KrbKey",
+	"KrbKey",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_KrbKey_tags_1,
+	sizeof(asn_DEF_KrbKey_tags_1)
+		/sizeof(asn_DEF_KrbKey_tags_1[0]), /* 1 */
+	asn_DEF_KrbKey_tags_1,	/* Same as above */
+	sizeof(asn_DEF_KrbKey_tags_1)
+		/sizeof(asn_DEF_KrbKey_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_KrbKey_1,
+	3,	/* Elements count */
+	&asn_SPC_KrbKey_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/KrbKey.h
+++ b/asn1/asn1c/KrbKey.h
@@ -0,0 +1,47 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#ifndef	_KrbKey_H_
+#define	_KrbKey_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "TypeValuePair.h"
+#include <OCTET_STRING.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Forward declarations */
+struct TypeValuePair;
+
+/* KrbKey */
+typedef struct KrbKey {
+	TypeValuePair_t	 key;
+	struct TypeValuePair	*salt	/* OPTIONAL */;
+	OCTET_STRING_t	*s2kparams	/* OPTIONAL */;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} KrbKey_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_KrbKey;
+
+#ifdef __cplusplus
+}
+#endif
+
+/* Referred external types */
+#include "TypeValuePair.h"
+
+#endif	/* _KrbKey_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/Makefile.am
+++ b/asn1/asn1c/Makefile.am
@@ -0,0 +1,95 @@
+NULL =
+
+ASN1C_SOURCES =			\
+	INTEGER.c		\
+	NativeEnumerated.c	\
+	NativeInteger.c		\
+	asn_SEQUENCE_OF.c	\
+	asn_SET_OF.c		\
+	constr_CHOICE.c		\
+	constr_SEQUENCE.c	\
+	constr_SEQUENCE_OF.c	\
+	constr_SET_OF.c		\
+	OCTET_STRING.c		\
+	BIT_STRING.c		\
+	asn_codecs_prim.c	\
+	ber_tlv_length.c	\
+	ber_tlv_tag.c		\
+	ber_decoder.c		\
+	der_encoder.c		\
+	constr_TYPE.c		\
+	constraints.c		\
+	xer_support.c		\
+	xer_decoder.c		\
+	xer_encoder.c		\
+	per_support.c		\
+	per_decoder.c		\
+	per_encoder.c		\
+	per_opentype.c		\
+	$(NULL)
+
+ASN1C_HEADERS =
+	INTEGER.h		\
+	NativeEnumerated.h	\
+	NativeInteger.h		\
+	asn_SEQUENCE_OF.h	\
+	asn_SET_OF.h		\
+	constr_CHOICE.h		\
+	constr_SEQUENCE.h	\
+	constr_SEQUENCE_OF.h	\
+	constr_SET_OF.h		\
+	asn_application.h	\
+	asn_system.h		\
+	asn_codecs.h		\
+	asn_internal.h		\
+	OCTET_STRING.h		\
+	BIT_STRING.h		\
+	asn_codecs_prim.h	\
+	ber_tlv_length.h	\
+	ber_tlv_tag.h		\
+	ber_decoder.h		\
+	der_encoder.h		\
+	constr_TYPE.h		\
+	constraints.h		\
+	xer_support.h		\
+	xer_decoder.h		\
+	xer_encoder.h		\
+	per_support.h		\
+	per_decoder.h		\
+	per_encoder.h		\
+	per_opentype.h		\
+	$(NULL)
+
+ASN1Cdir = .
+
+IPAASN1_SOURCES=		\
+	Int32.c			\
+	GetKeytabControl.c	\
+	GKNewKeys.c		\
+	GKCurrentKeys.c		\
+	GKReply.c		\
+	KrbKey.c		\
+	TypeValuePair.c		\
+	$(NULL)
+
+IPAASN1_HEADERS=		\
+	Int32.h			\
+	GetKeytabControl.h	\
+	GKNewKeys.h		\
+	GKCurrentKeys.h		\
+	GKReply.h		\
+	KrbKey.h		\
+	TypeValuePair.h		\
+	$(NULL)
+
+IPAASN1dir = .
+
+AM_CPPFLAGS = -I../../util
+
+noinst_LTLIBRARIES=libasn1c.la
+noinst_HEADERS=$(ASN1C_HEADERS) $(IPAASN1_HEADERS)
+libasn1c_la_SOURCES=$(ASN1C_SOURCES) $(IPAASN1_SOURCES)
+
+regenerate:
+	asn1c -fskeletons-copy -fnative-types ipa.asn1
+	rm -f converter-sample.c Makefile.am.sample
--- a/asn1/asn1c/NativeEnumerated.c
+++ b/asn1/asn1c/NativeEnumerated.c
@@ -0,0 +1,207 @@
+/*-
+ * Copyright (c) 2004, 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Read the NativeInteger.h for the explanation wrt. differences between
+ * INTEGER and NativeInteger.
+ * Basically, both are decoders and encoders of ASN.1 INTEGER type, but this
+ * implementation deals with the standard (machine-specific) representation
+ * of them instead of using the platform-independent buffer.
+ */
+#include <asn_internal.h>
+#include <NativeEnumerated.h>
+
+/*
+ * NativeEnumerated basic type description.
+ */
+static ber_tlv_tag_t asn_DEF_NativeEnumerated_tags[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (10 << 2))
+};
+asn_TYPE_descriptor_t asn_DEF_NativeEnumerated = {
+	"ENUMERATED",			/* The ASN.1 type is still ENUMERATED */
+	"ENUMERATED",
+	NativeInteger_free,
+	NativeInteger_print,
+	asn_generic_no_constraint,
+	NativeInteger_decode_ber,
+	NativeInteger_encode_der,
+	NativeInteger_decode_xer,
+	NativeEnumerated_encode_xer,
+	NativeEnumerated_decode_uper,
+	NativeEnumerated_encode_uper,
+	0, /* Use generic outmost tag fetcher */
+	asn_DEF_NativeEnumerated_tags,
+	sizeof(asn_DEF_NativeEnumerated_tags) / sizeof(asn_DEF_NativeEnumerated_tags[0]),
+	asn_DEF_NativeEnumerated_tags,	/* Same as above */
+	sizeof(asn_DEF_NativeEnumerated_tags) / sizeof(asn_DEF_NativeEnumerated_tags[0]),
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	0	/* No specifics */
+};
+
+asn_enc_rval_t
+NativeEnumerated_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+        int ilevel, enum xer_encoder_flags_e flags,
+                asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+        asn_enc_rval_t er;
+        const long *native = (const long *)sptr;
+	const asn_INTEGER_enum_map_t *el;
+
+        (void)ilevel;
+        (void)flags;
+
+        if(!native) _ASN_ENCODE_FAILED;
+
+	el = INTEGER_map_value2enum(specs, *native);
+	if(el) {
+		size_t srcsize = el->enum_len + 5;
+		char *src = (char *)alloca(srcsize);
+
+		er.encoded = snprintf(src, srcsize, "<%s/>", el->enum_name);
+		assert(er.encoded > 0 && (size_t)er.encoded < srcsize);
+		if(cb(src, er.encoded, app_key) < 0) _ASN_ENCODE_FAILED;
+		_ASN_ENCODED_OK(er);
+	} else {
+		ASN_DEBUG("ASN.1 forbids dealing with "
+			"unknown value of ENUMERATED type");
+		_ASN_ENCODE_FAILED;
+	}
+}
+
+asn_dec_rval_t
+NativeEnumerated_decode_uper(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints,
+	void **sptr, asn_per_data_t *pd) {
+	asn_INTEGER_specifics_t *specs = (asn_INTEGER_specifics_t *)td->specifics;
+	asn_dec_rval_t rval = { RC_OK, 0 };
+	long *native = (long *)*sptr;
+	asn_per_constraint_t *ct;
+	long value;
+
+	(void)opt_codec_ctx;
+
+	if(constraints) ct = &constraints->value;
+	else if(td->per_constraints) ct = &td->per_constraints->value;
+	else _ASN_DECODE_FAILED;	/* Mandatory! */
+	if(!specs) _ASN_DECODE_FAILED;
+
+	if(!native) {
+		native = (long *)(*sptr = CALLOC(1, sizeof(*native)));
+		if(!native) _ASN_DECODE_FAILED;
+	}
+
+	ASN_DEBUG("Decoding %s as NativeEnumerated", td->name);
+
+	if(ct->flags & APC_EXTENSIBLE) {
+		int inext = per_get_few_bits(pd, 1);
+		if(inext < 0) _ASN_DECODE_STARVED;
+		if(inext) ct = 0;
+	}
+
+	if(ct && ct->range_bits >= 0) {
+		value = per_get_few_bits(pd, ct->range_bits);
+		if(value < 0) _ASN_DECODE_STARVED;
+		if(value >= (specs->extension
+			? specs->extension - 1 : specs->map_count))
+			_ASN_DECODE_FAILED;
+	} else {
+		if(!specs->extension)
+			_ASN_DECODE_FAILED;
+		/*
+		 * X.691, #10.6: normally small non-negative whole number;
+		 */
+		value = uper_get_nsnnwn(pd);
+		if(value < 0) _ASN_DECODE_STARVED;
+		value += specs->extension - 1;
+		if(value >= specs->map_count)
+			_ASN_DECODE_FAILED;
+	}
+
+	*native = specs->value2enum[value].nat_value;
+	ASN_DEBUG("Decoded %s = %ld", td->name, *native);
+
+	return rval;
+}
+
+static int
+NativeEnumerated__compar_value2enum(const void *ap, const void *bp) {
+	const asn_INTEGER_enum_map_t *a = ap;
+	const asn_INTEGER_enum_map_t *b = bp;
+	if(a->nat_value == b->nat_value)
+		return 0;
+	if(a->nat_value < b->nat_value)
+		return -1;
+	return 1;
+}
+
+asn_enc_rval_t
+NativeEnumerated_encode_uper(asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	asn_INTEGER_specifics_t *specs = (asn_INTEGER_specifics_t *)td->specifics;
+	asn_enc_rval_t er;
+	long native, value;
+	asn_per_constraint_t *ct;
+	int inext = 0;
+	asn_INTEGER_enum_map_t key;
+	asn_INTEGER_enum_map_t *kf;
+
+	if(!sptr) _ASN_ENCODE_FAILED;
+	if(!specs) _ASN_ENCODE_FAILED;
+
+	if(constraints) ct = &constraints->value;
+	else if(td->per_constraints) ct = &td->per_constraints->value;
+	else _ASN_ENCODE_FAILED;	/* Mandatory! */
+
+	ASN_DEBUG("Encoding %s as NativeEnumerated", td->name);
+
+	er.encoded = 0;
+
+	native = *(long *)sptr;
+	if(native < 0) _ASN_ENCODE_FAILED;
+
+	key.nat_value = native;
+	kf = bsearch(&key, specs->value2enum, specs->map_count,
+		sizeof(key), NativeEnumerated__compar_value2enum);
+	if(!kf) {
+		ASN_DEBUG("No element corresponds to %ld", native);
+		_ASN_ENCODE_FAILED;
+	}
+	value = kf - specs->value2enum;
+
+	if(ct->range_bits >= 0) {
+		int cmpWith = specs->extension
+				? specs->extension - 1 : specs->map_count;
+		if(value >= cmpWith)
+			inext = 1;
+	}
+	if(ct->flags & APC_EXTENSIBLE) {
+		if(per_put_few_bits(po, inext, 1))
+			_ASN_ENCODE_FAILED;
+		if(inext) ct = 0;
+	} else if(inext) {
+		_ASN_ENCODE_FAILED;
+	}
+
+	if(ct && ct->range_bits >= 0) {
+		if(per_put_few_bits(po, value, ct->range_bits))
+			_ASN_ENCODE_FAILED;
+		_ASN_ENCODED_OK(er);
+	}
+
+	if(!specs->extension)
+		_ASN_ENCODE_FAILED;
+
+	/*
+	 * X.691, #10.6: normally small non-negative whole number;
+	 */
+	ASN_DEBUG("value = %ld, ext = %d, inext = %d, res = %ld",
+		value, specs->extension, inext,
+		value - (inext ? (specs->extension - 1) : 0));
+	if(uper_put_nsnnwn(po, value - (inext ? (specs->extension - 1) : 0)))
+		_ASN_ENCODE_FAILED;
+
+	_ASN_ENCODED_OK(er);
+}
+
--- a/asn1/asn1c/NativeEnumerated.h
+++ b/asn1/asn1c/NativeEnumerated.h
@@ -0,0 +1,32 @@
+/*-
+ * Copyright (c) 2004, 2005, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * This type differs from the standard ENUMERATED in that it is modelled using
+ * the fixed machine type (long, int, short), so it can hold only values of
+ * limited length. There is no type (i.e., NativeEnumerated_t, any integer type
+ * will do).
+ * This type may be used when integer range is limited by subtype constraints.
+ */
+#ifndef	_NativeEnumerated_H_
+#define	_NativeEnumerated_H_
+
+#include <NativeInteger.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern asn_TYPE_descriptor_t asn_DEF_NativeEnumerated;
+
+xer_type_encoder_f NativeEnumerated_encode_xer;
+per_type_decoder_f NativeEnumerated_decode_uper;
+per_type_encoder_f NativeEnumerated_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _NativeEnumerated_H_ */
--- a/asn1/asn1c/NativeInteger.c
+++ b/asn1/asn1c/NativeInteger.c
@@ -0,0 +1,332 @@
+/*-
+ * Copyright (c) 2004, 2005, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Read the NativeInteger.h for the explanation wrt. differences between
+ * INTEGER and NativeInteger.
+ * Basically, both are decoders and encoders of ASN.1 INTEGER type, but this
+ * implementation deals with the standard (machine-specific) representation
+ * of them instead of using the platform-independent buffer.
+ */
+#include <asn_internal.h>
+#include <NativeInteger.h>
+
+/*
+ * NativeInteger basic type description.
+ */
+static ber_tlv_tag_t asn_DEF_NativeInteger_tags[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (2 << 2))
+};
+asn_TYPE_descriptor_t asn_DEF_NativeInteger = {
+	"INTEGER",			/* The ASN.1 type is still INTEGER */
+	"INTEGER",
+	NativeInteger_free,
+	NativeInteger_print,
+	asn_generic_no_constraint,
+	NativeInteger_decode_ber,
+	NativeInteger_encode_der,
+	NativeInteger_decode_xer,
+	NativeInteger_encode_xer,
+	NativeInteger_decode_uper,	/* Unaligned PER decoder */
+	NativeInteger_encode_uper,	/* Unaligned PER encoder */
+	0, /* Use generic outmost tag fetcher */
+	asn_DEF_NativeInteger_tags,
+	sizeof(asn_DEF_NativeInteger_tags) / sizeof(asn_DEF_NativeInteger_tags[0]),
+	asn_DEF_NativeInteger_tags,	/* Same as above */
+	sizeof(asn_DEF_NativeInteger_tags) / sizeof(asn_DEF_NativeInteger_tags[0]),
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	0	/* No specifics */
+};
+
+/*
+ * Decode INTEGER type.
+ */
+asn_dec_rval_t
+NativeInteger_decode_ber(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	void **nint_ptr, const void *buf_ptr, size_t size, int tag_mode) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	long *native = (long *)*nint_ptr;
+	asn_dec_rval_t rval;
+	ber_tlv_len_t length;
+
+	/*
+	 * If the structure is not there, allocate it.
+	 */
+	if(native == NULL) {
+		native = (long *)(*nint_ptr = CALLOC(1, sizeof(*native)));
+		if(native == NULL) {
+			rval.code = RC_FAIL;
+			rval.consumed = 0;
+			return rval;
+		}
+	}
+
+	ASN_DEBUG("Decoding %s as INTEGER (tm=%d)",
+		td->name, tag_mode);
+
+	/*
+	 * Check tags.
+	 */
+	rval = ber_check_tags(opt_codec_ctx, td, 0, buf_ptr, size,
+			tag_mode, 0, &length, 0);
+	if(rval.code != RC_OK)
+		return rval;
+
+	ASN_DEBUG("%s length is %d bytes", td->name, (int)length);
+
+	/*
+	 * Make sure we have this length.
+	 */
+	buf_ptr = ((const char *)buf_ptr) + rval.consumed;
+	size -= rval.consumed;
+	if(length > (ber_tlv_len_t)size) {
+		rval.code = RC_WMORE;
+		rval.consumed = 0;
+		return rval;
+	}
+
+	/*
+	 * ASN.1 encoded INTEGER: buf_ptr, length
+	 * Fill the native, at the same time checking for overflow.
+	 * If overflow occured, return with RC_FAIL.
+	 */
+	{
+		INTEGER_t tmp;
+		union {
+			const void *constbuf;
+			void *nonconstbuf;
+		} unconst_buf;
+		long l;
+
+		unconst_buf.constbuf = buf_ptr;
+		tmp.buf = (uint8_t *)unconst_buf.nonconstbuf;
+		tmp.size = length;
+
+		if((specs&&specs->field_unsigned)
+			? asn_INTEGER2ulong(&tmp, (unsigned long *)&l) /* sic */
+			: asn_INTEGER2long(&tmp, &l)) {
+			rval.code = RC_FAIL;
+			rval.consumed = 0;
+			return rval;
+		}
+
+		*native = l;
+	}
+
+	rval.code = RC_OK;
+	rval.consumed += length;
+
+	ASN_DEBUG("Took %ld/%ld bytes to encode %s (%ld)",
+		(long)rval.consumed, (long)length, td->name, (long)*native);
+
+	return rval;
+}
+
+/*
+ * Encode the NativeInteger using the standard INTEGER type DER encoder.
+ */
+asn_enc_rval_t
+NativeInteger_encode_der(asn_TYPE_descriptor_t *sd, void *ptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	unsigned long native = *(unsigned long *)ptr;	/* Disable sign ext. */
+	asn_enc_rval_t erval;
+	INTEGER_t tmp;
+
+#ifdef	WORDS_BIGENDIAN		/* Opportunistic optimization */
+
+	tmp.buf = (uint8_t *)&native;
+	tmp.size = sizeof(native);
+
+#else	/* Works even if WORDS_BIGENDIAN is not set where should've been */
+	uint8_t buf[sizeof(native)];
+	uint8_t *p;
+
+	/* Prepare a fake INTEGER */
+	for(p = buf + sizeof(buf) - 1; p >= buf; p--, native >>= 8)
+		*p = (uint8_t)native;
+
+	tmp.buf = buf;
+	tmp.size = sizeof(buf);
+#endif	/* WORDS_BIGENDIAN */
+	
+	/* Encode fake INTEGER */
+	erval = INTEGER_encode_der(sd, &tmp, tag_mode, tag, cb, app_key);
+	if(erval.encoded == -1) {
+		assert(erval.structure_ptr == &tmp);
+		erval.structure_ptr = ptr;
+	}
+	return erval;
+}
+
+/*
+ * Decode the chunk of XML text encoding INTEGER.
+ */
+asn_dec_rval_t
+NativeInteger_decode_xer(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td, void **sptr, const char *opt_mname,
+		const void *buf_ptr, size_t size) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	asn_dec_rval_t rval;
+	INTEGER_t st;
+	void *st_ptr = (void *)&st;
+	long *native = (long *)*sptr;
+
+	if(!native) {
+		native = (long *)(*sptr = CALLOC(1, sizeof(*native)));
+		if(!native) _ASN_DECODE_FAILED;
+	}
+
+	memset(&st, 0, sizeof(st));
+	rval = INTEGER_decode_xer(opt_codec_ctx, td, &st_ptr, 
+		opt_mname, buf_ptr, size);
+	if(rval.code == RC_OK) {
+		long l;
+		if((specs&&specs->field_unsigned)
+			? asn_INTEGER2ulong(&st, (unsigned long *)&l) /* sic */
+			: asn_INTEGER2long(&st, &l)) {
+			rval.code = RC_FAIL;
+			rval.consumed = 0;
+		} else {
+			*native = l;
+		}
+	} else {
+		/*
+		 * Cannot restart from the middle;
+		 * there is no place to save state in the native type.
+		 * Request a continuation from the very beginning.
+		 */
+		rval.consumed = 0;
+	}
+	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_INTEGER, &st);
+	return rval;
+}
+
+
+asn_enc_rval_t
+NativeInteger_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	char scratch[32];	/* Enough for 64-bit int */
+	asn_enc_rval_t er;
+	const long *native = (const long *)sptr;
+
+	(void)ilevel;
+	(void)flags;
+
+	if(!native) _ASN_ENCODE_FAILED;
+
+	er.encoded = snprintf(scratch, sizeof(scratch),
+			(specs && specs->field_unsigned)
+			? "%lu" : "%ld", *native);
+	if(er.encoded <= 0 || (size_t)er.encoded >= sizeof(scratch)
+		|| cb(scratch, er.encoded, app_key) < 0)
+		_ASN_ENCODE_FAILED;
+
+	_ASN_ENCODED_OK(er);
+}
+
+asn_dec_rval_t
+NativeInteger_decode_uper(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	asn_dec_rval_t rval;
+	long *native = (long *)*sptr;
+	INTEGER_t tmpint;
+	void *tmpintptr = &tmpint;
+
+	(void)opt_codec_ctx;
+	ASN_DEBUG("Decoding NativeInteger %s (UPER)", td->name);
+
+	if(!native) {
+		native = (long *)(*sptr = CALLOC(1, sizeof(*native)));
+		if(!native) _ASN_DECODE_FAILED;
+	}
+
+	memset(&tmpint, 0, sizeof tmpint);
+	rval = INTEGER_decode_uper(opt_codec_ctx, td, constraints,
+				   &tmpintptr, pd);
+	if(rval.code == RC_OK) {
+		if((specs&&specs->field_unsigned)
+			? asn_INTEGER2ulong(&tmpint, (unsigned long *)native)
+			: asn_INTEGER2long(&tmpint, native))
+			rval.code = RC_FAIL;
+		else
+			ASN_DEBUG("NativeInteger %s got value %ld",
+				td->name, *native);
+	}
+	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_INTEGER, &tmpint);
+
+	return rval;
+}
+
+asn_enc_rval_t
+NativeInteger_encode_uper(asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	asn_enc_rval_t er;
+	long native;
+	INTEGER_t tmpint;
+
+	if(!sptr) _ASN_ENCODE_FAILED;
+
+	native = *(long *)sptr;
+
+	ASN_DEBUG("Encoding NativeInteger %s %ld (UPER)", td->name, native);
+
+	memset(&tmpint, 0, sizeof(tmpint));
+	if((specs&&specs->field_unsigned)
+		? asn_ulong2INTEGER(&tmpint, native)
+		: asn_long2INTEGER(&tmpint, native))
+		_ASN_ENCODE_FAILED;
+	er = INTEGER_encode_uper(td, constraints, &tmpint, po);
+	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_INTEGER, &tmpint);
+	return er;
+}
+
+/*
+ * INTEGER specific human-readable output.
+ */
+int
+NativeInteger_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	const long *native = (const long *)sptr;
+	char scratch[32];	/* Enough for 64-bit int */
+	int ret;
+
+	(void)td;	/* Unused argument */
+	(void)ilevel;	/* Unused argument */
+
+	if(native) {
+		ret = snprintf(scratch, sizeof(scratch),
+			(specs && specs->field_unsigned)
+			? "%lu" : "%ld", *native);
+		assert(ret > 0 && (size_t)ret < sizeof(scratch));
+		return (cb(scratch, ret, app_key) < 0) ? -1 : 0;
+	} else {
+		return (cb("<absent>", 8, app_key) < 0) ? -1 : 0;
+	}
+}
+
+void
+NativeInteger_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) {
+
+	if(!td || !ptr)
+		return;
+
+	ASN_DEBUG("Freeing %s as INTEGER (%d, %p, Native)",
+		td->name, contents_only, ptr);
+
+	if(!contents_only) {
+		FREEMEM(ptr);
+	}
+}
+
--- a/asn1/asn1c/NativeInteger.h
+++ b/asn1/asn1c/NativeInteger.h
@@ -0,0 +1,37 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * This type differs from the standard INTEGER in that it is modelled using
+ * the fixed machine type (long, int, short), so it can hold only values of
+ * limited length. There is no type (i.e., NativeInteger_t, any integer type
+ * will do).
+ * This type may be used when integer range is limited by subtype constraints.
+ */
+#ifndef	_NativeInteger_H_
+#define	_NativeInteger_H_
+
+#include <asn_application.h>
+#include <INTEGER.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern asn_TYPE_descriptor_t asn_DEF_NativeInteger;
+
+asn_struct_free_f  NativeInteger_free;
+asn_struct_print_f NativeInteger_print;
+ber_type_decoder_f NativeInteger_decode_ber;
+der_type_encoder_f NativeInteger_encode_der;
+xer_type_decoder_f NativeInteger_decode_xer;
+xer_type_encoder_f NativeInteger_encode_xer;
+per_type_decoder_f NativeInteger_decode_uper;
+per_type_encoder_f NativeInteger_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _NativeInteger_H_ */
--- a/asn1/asn1c/OCTET_STRING.c
+++ b/asn1/asn1c/OCTET_STRING.c
--- a/asn1/asn1c/OCTET_STRING.h
+++ b/asn1/asn1c/OCTET_STRING.h
@@ -0,0 +1,86 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_OCTET_STRING_H_
+#define	_OCTET_STRING_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct OCTET_STRING {
+	uint8_t *buf;	/* Buffer with consecutive OCTET_STRING bits */
+	int size;	/* Size of the buffer */
+
+	asn_struct_ctx_t _asn_ctx;	/* Parsing across buffer boundaries */
+} OCTET_STRING_t;
+
+extern asn_TYPE_descriptor_t asn_DEF_OCTET_STRING;
+
+asn_struct_free_f OCTET_STRING_free;
+asn_struct_print_f OCTET_STRING_print;
+asn_struct_print_f OCTET_STRING_print_utf8;
+ber_type_decoder_f OCTET_STRING_decode_ber;
+der_type_encoder_f OCTET_STRING_encode_der;
+xer_type_decoder_f OCTET_STRING_decode_xer_hex;		/* Hexadecimal */
+xer_type_decoder_f OCTET_STRING_decode_xer_binary;	/* 01010111010 */
+xer_type_decoder_f OCTET_STRING_decode_xer_utf8;	/* ASCII/UTF-8 */
+xer_type_encoder_f OCTET_STRING_encode_xer;
+xer_type_encoder_f OCTET_STRING_encode_xer_utf8;
+per_type_decoder_f OCTET_STRING_decode_uper;
+per_type_encoder_f OCTET_STRING_encode_uper;
+
+/******************************
+ * Handy conversion routines. *
+ ******************************/
+
+/*
+ * This function clears the previous value of the OCTET STRING (if any)
+ * and then allocates a new memory with the specified content (str/size).
+ * If size = -1, the size of the original string will be determined
+ * using strlen(str).
+ * If str equals to NULL, the function will silently clear the
+ * current contents of the OCTET STRING.
+ * Returns 0 if it was possible to perform operation, -1 otherwise.
+ */
+int OCTET_STRING_fromBuf(OCTET_STRING_t *s, const char *str, int size);
+
+/* Handy conversion from the C string into the OCTET STRING. */
+#define	OCTET_STRING_fromString(s, str)	OCTET_STRING_fromBuf(s, str, -1)
+
+/*
+ * Allocate and fill the new OCTET STRING and return a pointer to the newly
+ * allocated object. NULL is permitted in str: the function will just allocate
+ * empty OCTET STRING.
+ */
+OCTET_STRING_t *OCTET_STRING_new_fromBuf(asn_TYPE_descriptor_t *td,
+	const char *str, int size);
+
+/****************************
+ * Internally useful stuff. *
+ ****************************/
+
+typedef struct asn_OCTET_STRING_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the structure */
+	int ctx_offset;		/* Offset of the asn_struct_ctx_t member */
+
+	enum asn_OS_Subvariant {
+		ASN_OSUBV_ANY,	/* The open type (ANY) */
+		ASN_OSUBV_BIT,	/* BIT STRING */
+		ASN_OSUBV_STR,	/* String types, not {BMP,Universal}String  */
+		ASN_OSUBV_U16,	/* 16-bit character (BMPString) */
+		ASN_OSUBV_U32	/* 32-bit character (UniversalString) */
+	} subvariant;
+} asn_OCTET_STRING_specifics_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _OCTET_STRING_H_ */
--- a/asn1/asn1c/TypeValuePair.c
+++ b/asn1/asn1c/TypeValuePair.c
@@ -0,0 +1,69 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#include "TypeValuePair.h"
+
+static asn_TYPE_member_t asn_MBR_TypeValuePair_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct TypeValuePair, type),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_Int32,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"type"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct TypeValuePair, value),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"value"
+		},
+};
+static ber_tlv_tag_t asn_DEF_TypeValuePair_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_TYPE_tag2member_t asn_MAP_TypeValuePair_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* type */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 } /* value */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_TypeValuePair_specs_1 = {
+	sizeof(struct TypeValuePair),
+	offsetof(struct TypeValuePair, _asn_ctx),
+	asn_MAP_TypeValuePair_tag2el_1,
+	2,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_TypeValuePair = {
+	"TypeValuePair",
+	"TypeValuePair",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_TypeValuePair_tags_1,
+	sizeof(asn_DEF_TypeValuePair_tags_1)
+		/sizeof(asn_DEF_TypeValuePair_tags_1[0]), /* 1 */
+	asn_DEF_TypeValuePair_tags_1,	/* Same as above */
+	sizeof(asn_DEF_TypeValuePair_tags_1)
+		/sizeof(asn_DEF_TypeValuePair_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_TypeValuePair_1,
+	2,	/* Elements count */
+	&asn_SPC_TypeValuePair_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/TypeValuePair.h
+++ b/asn1/asn1c/TypeValuePair.h
@@ -0,0 +1,40 @@
+/*
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy`
+ */
+
+#ifndef	_TypeValuePair_H_
+#define	_TypeValuePair_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "Int32.h"
+#include <OCTET_STRING.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* TypeValuePair */
+typedef struct TypeValuePair {
+	Int32_t	 type;
+	OCTET_STRING_t	 value;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} TypeValuePair_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_TypeValuePair;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _TypeValuePair_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/asn_SEQUENCE_OF.c
+++ b/asn1/asn1c/asn_SEQUENCE_OF.c
@@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <asn_SEQUENCE_OF.h>
+
+typedef A_SEQUENCE_OF(void) asn_sequence;
+
+void
+asn_sequence_del(void *asn_sequence_of_x, int number, int _do_free) {
+	asn_sequence *as = (asn_sequence *)asn_sequence_of_x;
+
+	if(as) {
+		void *ptr;
+		int n;
+
+		if(number < 0 || number >= as->count)
+			return;	/* Nothing to delete */
+
+		if(_do_free && as->free) {
+			ptr = as->array[number];
+		} else {
+			ptr = 0;
+		}
+
+		/*
+		 * Shift all elements to the left to hide the gap.
+		 */
+		--as->count;
+		for(n = number; n < as->count; n++)
+			as->array[n] = as->array[n+1];
+
+		/*
+		 * Invoke the third-party function only when the state
+		 * of the parent structure is consistent.
+		 */
+		if(ptr) as->free(ptr);
+	}
+}
+
--- a/asn1/asn1c/asn_SEQUENCE_OF.h
+++ b/asn1/asn1c/asn_SEQUENCE_OF.h
@@ -0,0 +1,52 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN_SEQUENCE_OF_H
+#define	ASN_SEQUENCE_OF_H
+
+#include <asn_SET_OF.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * SEQUENCE OF is the same as SET OF with a tiny difference:
+ * the delete operation preserves the initial order of elements
+ * and thus MAY operate in non-constant time.
+ */
+#define	A_SEQUENCE_OF(type)	A_SET_OF(type)
+
+#define	ASN_SEQUENCE_ADD(headptr, ptr)		\
+	asn_sequence_add((headptr), (ptr))
+
+/***********************************************
+ * Implementation of the SEQUENCE OF structure.
+ */
+
+#define	asn_sequence_add	asn_set_add
+#define	asn_sequence_empty	asn_set_empty
+
+/*
+ * Delete the element from the set by its number (base 0).
+ * This is NOT a constant-time operation.
+ * The order of elements is preserved.
+ * If _do_free is given AND the (*free) is initialized, the element
+ * will be freed using the custom (*free) function as well.
+ */
+void asn_sequence_del(void *asn_sequence_of_x, int number, int _do_free);
+
+/*
+ * Cope with different conversions requirements to/from void in C and C++.
+ * This is mostly useful for support library.
+ */
+typedef A_SEQUENCE_OF(void) asn_anonymous_sequence_;
+#define _A_SEQUENCE_FROM_VOID(ptr)	((asn_anonymous_sequence_ *)(ptr))
+#define _A_CSEQUENCE_FROM_VOID(ptr) 	((const asn_anonymous_sequence_ *)(ptr))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN_SEQUENCE_OF_H */
--- a/asn1/asn1c/asn_SET_OF.c
+++ b/asn1/asn1c/asn_SET_OF.c
@@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <asn_SET_OF.h>
+#include <errno.h>
+
+/*
+ * Add another element into the set.
+ */
+int
+asn_set_add(void *asn_set_of_x, void *ptr) {
+	asn_anonymous_set_ *as = _A_SET_FROM_VOID(asn_set_of_x);
+
+	if(as == 0 || ptr == 0) {
+		errno = EINVAL;		/* Invalid arguments */
+		return -1;
+	}
+
+	/*
+	 * Make sure there's enough space to insert an element.
+	 */
+	if(as->count == as->size) {
+		int _newsize = as->size ? (as->size << 1) : 4;
+		void *_new_arr;
+		_new_arr = REALLOC(as->array, _newsize * sizeof(as->array[0]));
+		if(_new_arr) {
+			as->array = (void **)_new_arr;
+			as->size = _newsize;
+		} else {
+			/* ENOMEM */
+			return -1;
+		}
+	}
+
+	as->array[as->count++] = ptr;
+
+	return 0;
+}
+
+void
+asn_set_del(void *asn_set_of_x, int number, int _do_free) {
+	asn_anonymous_set_ *as = _A_SET_FROM_VOID(asn_set_of_x);
+
+	if(as) {
+		void *ptr;
+		if(number < 0 || number >= as->count)
+			return;
+
+		if(_do_free && as->free) {
+			ptr = as->array[number];
+		} else {
+			ptr = 0;
+		}
+
+		as->array[number] = as->array[--as->count];
+
+		/*
+		 * Invoke the third-party function only when the state
+		 * of the parent structure is consistent.
+		 */
+		if(ptr) as->free(ptr);
+	}
+}
+
+/*
+ * Free the contents of the set, do not free the set itself.
+ */
+void
+asn_set_empty(void *asn_set_of_x) {
+	asn_anonymous_set_ *as = _A_SET_FROM_VOID(asn_set_of_x);
+
+	if(as) {
+		if(as->array) {
+			if(as->free) {
+				while(as->count--)
+					as->free(as->array[as->count]);
+			}
+			FREEMEM(as->array);
+			as->array = 0;
+		}
+		as->count = 0;
+		as->size = 0;
+	}
+
+}
+
--- a/asn1/asn1c/asn_SET_OF.h
+++ b/asn1/asn1c/asn_SET_OF.h
@@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN_SET_OF_H
+#define	ASN_SET_OF_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define	A_SET_OF(type)					\
+	struct {					\
+		type **array;				\
+		int count;	/* Meaningful size */	\
+		int size;	/* Allocated size */	\
+		void (*free)(type *);			\
+	}
+
+#define	ASN_SET_ADD(headptr, ptr)		\
+	asn_set_add((headptr), (ptr))
+
+/*******************************************
+ * Implementation of the SET OF structure.
+ */
+
+/*
+ * Add another structure into the set by its pointer.
+ * RETURN VALUES:
+ * 0 for success and -1/errno for failure.
+ */
+int  asn_set_add(void *asn_set_of_x, void *ptr);
+
+/*
+ * Delete the element from the set by its number (base 0).
+ * This is a constant-time operation. The order of elements before the
+ * deleted ones is guaranteed, the order of elements after the deleted
+ * one is NOT guaranteed.
+ * If _do_free is given AND the (*free) is initialized, the element
+ * will be freed using the custom (*free) function as well.
+ */
+void asn_set_del(void *asn_set_of_x, int number, int _do_free);
+
+/*
+ * Empty the contents of the set. Will free the elements, if (*free) is given.
+ * Will NOT free the set itself.
+ */
+void asn_set_empty(void *asn_set_of_x);
+
+/*
+ * Cope with different conversions requirements to/from void in C and C++.
+ * This is mostly useful for support library.
+ */
+typedef A_SET_OF(void) asn_anonymous_set_;
+#define _A_SET_FROM_VOID(ptr)		((asn_anonymous_set_ *)(ptr))
+#define _A_CSET_FROM_VOID(ptr)		((const asn_anonymous_set_ *)(ptr))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN_SET_OF_H */
--- a/asn1/asn1c/asn_application.h
+++ b/asn1/asn1c/asn_application.h
@@ -0,0 +1,47 @@
+/*-
+ * Copyright (c) 2004, 2006 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Application-level ASN.1 callbacks.
+ */
+#ifndef	_ASN_APPLICATION_H_
+#define	_ASN_APPLICATION_H_
+
+#include "asn_system.h"		/* for platform-dependent types */
+#include "asn_codecs.h"		/* for ASN.1 codecs specifics */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Generic type of an application-defined callback to return various
+ * types of data to the application.
+ * EXPECTED RETURN VALUES:
+ *  -1: Failed to consume bytes. Abort the mission.
+ * Non-negative return values indicate success, and ignored.
+ */
+typedef int (asn_app_consume_bytes_f)(const void *buffer, size_t size,
+	void *application_specific_key);
+
+/*
+ * A callback of this type is called whenever constraint validation fails
+ * on some ASN.1 type. See "constraints.h" for more details on constraint
+ * validation.
+ * This callback specifies a descriptor of the ASN.1 type which failed
+ * the constraint check, as well as human readable message on what
+ * particular constraint has failed.
+ */
+typedef void (asn_app_constraint_failed_f)(void *application_specific_key,
+	struct asn_TYPE_descriptor_s *type_descriptor_which_failed,
+	const void *structure_which_failed_ptr,
+	const char *error_message_format, ...) GCC_PRINTFLIKE(4, 5);
+
+#ifdef __cplusplus
+}
+#endif
+
+#include "constr_TYPE.h"	/* for asn_TYPE_descriptor_t */
+
+#endif	/* _ASN_APPLICATION_H_ */
--- a/asn1/asn1c/asn_codecs.h
+++ b/asn1/asn1c/asn_codecs.h
@@ -0,0 +1,109 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_ASN_CODECS_H_
+#define	_ASN_CODECS_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * This structure defines a set of parameters that may be passed
+ * to every ASN.1 encoder or decoder function.
+ * WARNING: if max_stack_size member is set, and you are calling the
+ *   function pointers of the asn_TYPE_descriptor_t directly,
+ *   this structure must be ALLOCATED ON THE STACK!
+ *   If you can't always satisfy this requirement, use ber_decode(),
+ *   xer_decode() and uper_decode() functions instead.
+ */
+typedef struct asn_codec_ctx_s {
+	/*
+	 * Limit the decoder routines to use no (much) more stack than a given
+	 * number of bytes. Most of decoders are stack-based, and this
+	 * would protect against stack overflows if the number of nested
+	 * encodings is high.
+	 * The OCTET STRING, BIT STRING and ANY BER decoders are heap-based,
+	 * and are safe from this kind of overflow.
+	 * A value from getrlimit(RLIMIT_STACK) may be used to initialize
+	 * this variable. Be careful in multithreaded environments, as the
+	 * stack size is rather limited.
+	 */
+	size_t  max_stack_size; /* 0 disables stack bounds checking */
+} asn_codec_ctx_t;
+
+/*
+ * Type of the return value of the encoding functions (der_encode, xer_encode).
+ */
+typedef struct asn_enc_rval_s {
+	/*
+	 * Number of bytes encoded.
+	 * -1 indicates failure to encode the structure.
+	 * In this case, the members below this one are meaningful.
+	 */
+	ssize_t encoded;
+
+	/*
+	 * Members meaningful when (encoded == -1), for post mortem analysis.
+	 */
+
+	/* Type which cannot be encoded */
+	struct asn_TYPE_descriptor_s *failed_type;
+
+	/* Pointer to the structure of that type */
+	void *structure_ptr;
+} asn_enc_rval_t;
+#define	_ASN_ENCODE_FAILED do {					\
+	asn_enc_rval_t tmp_error;				\
+	tmp_error.encoded = -1;					\
+	tmp_error.failed_type = td;				\
+	tmp_error.structure_ptr = sptr;				\
+	ASN_DEBUG("Failed to encode element %s", td ? td->name : "");	\
+	return tmp_error;					\
+} while(0)
+#define	_ASN_ENCODED_OK(rval) do {				\
+	rval.structure_ptr = 0;					\
+	rval.failed_type = 0;					\
+	return rval;						\
+} while(0)
+
+/*
+ * Type of the return value of the decoding functions (ber_decode, xer_decode)
+ * 
+ * Please note that the number of consumed bytes is ALWAYS meaningful,
+ * even if code==RC_FAIL. This is to indicate the number of successfully
+ * decoded bytes, hence providing a possibility to fail with more diagnostics
+ * (i.e., print the offending remainder of the buffer).
+ */
+enum asn_dec_rval_code_e {
+	RC_OK,		/* Decoded successfully */
+	RC_WMORE,	/* More data expected, call again */
+	RC_FAIL		/* Failure to decode data */
+};
+typedef struct asn_dec_rval_s {
+	enum asn_dec_rval_code_e code;	/* Result code */
+	size_t consumed;		/* Number of bytes consumed */
+} asn_dec_rval_t;
+#define	_ASN_DECODE_FAILED do {					\
+	asn_dec_rval_t tmp_error;				\
+	tmp_error.code = RC_FAIL;				\
+	tmp_error.consumed = 0;					\
+	ASN_DEBUG("Failed to decode element %s", td ? td->name : "");	\
+	return tmp_error;					\
+} while(0)
+#define	_ASN_DECODE_STARVED do {				\
+	asn_dec_rval_t tmp_error;				\
+	tmp_error.code = RC_WMORE;				\
+	tmp_error.consumed = 0;					\
+	return tmp_error;					\
+} while(0)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _ASN_CODECS_H_ */
--- a/asn1/asn1c/asn_codecs_prim.c
+++ b/asn1/asn1c/asn_codecs_prim.c
@@ -0,0 +1,312 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <asn_codecs_prim.h>
+#include <errno.h>
+
+/*
+ * Decode an always-primitive type.
+ */
+asn_dec_rval_t
+ber_decode_primitive(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	void **sptr, const void *buf_ptr, size_t size, int tag_mode) {
+	ASN__PRIMITIVE_TYPE_t *st = (ASN__PRIMITIVE_TYPE_t *)*sptr;
+	asn_dec_rval_t rval;
+	ber_tlv_len_t length = 0; // =0 to avoid [incorrect] warning.
+
+	/*
+	 * If the structure is not there, allocate it.
+	 */
+	if(st == NULL) {
+		st = (ASN__PRIMITIVE_TYPE_t *)CALLOC(1, sizeof(*st));
+		if(st == NULL) _ASN_DECODE_FAILED;
+		*sptr = (void *)st;
+	}
+
+	ASN_DEBUG("Decoding %s as plain primitive (tm=%d)",
+		td->name, tag_mode);
+
+	/*
+	 * Check tags and extract value length.
+	 */
+	rval = ber_check_tags(opt_codec_ctx, td, 0, buf_ptr, size,
+			tag_mode, 0, &length, 0);
+	if(rval.code != RC_OK)
+		return rval;
+
+	ASN_DEBUG("%s length is %d bytes", td->name, (int)length);
+
+	/*
+	 * Make sure we have this length.
+	 */
+	buf_ptr = ((const char *)buf_ptr) + rval.consumed;
+	size -= rval.consumed;
+	if(length > (ber_tlv_len_t)size) {
+		rval.code = RC_WMORE;
+		rval.consumed = 0;
+		return rval;
+	}
+
+	st->size = (int)length;
+	/* The following better be optimized away. */
+	if(sizeof(st->size) != sizeof(length)
+			&& (ber_tlv_len_t)st->size != length) {
+		st->size = 0;
+		_ASN_DECODE_FAILED;
+	}
+
+	st->buf = (uint8_t *)MALLOC(length + 1);
+	if(!st->buf) {
+		st->size = 0;
+		_ASN_DECODE_FAILED;
+	}
+
+	memcpy(st->buf, buf_ptr, length);
+	st->buf[length] = '\0';		/* Just in case */
+
+	rval.code = RC_OK;
+	rval.consumed += length;
+
+	ASN_DEBUG("Took %ld/%ld bytes to encode %s",
+		(long)rval.consumed,
+		(long)length, td->name);
+
+	return rval;
+}
+
+/*
+ * Encode an always-primitive type using DER.
+ */
+asn_enc_rval_t
+der_encode_primitive(asn_TYPE_descriptor_t *td, void *sptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t erval;
+	ASN__PRIMITIVE_TYPE_t *st = (ASN__PRIMITIVE_TYPE_t *)sptr;
+
+	ASN_DEBUG("%s %s as a primitive type (tm=%d)",
+		cb?"Encoding":"Estimating", td->name, tag_mode);
+
+	erval.encoded = der_write_tags(td, st->size, tag_mode, 0, tag,
+		cb, app_key);
+	ASN_DEBUG("%s wrote tags %d", td->name, (int)erval.encoded);
+	if(erval.encoded == -1) {
+		erval.failed_type = td;
+		erval.structure_ptr = sptr;
+		return erval;
+	}
+
+	if(cb && st->buf) {
+		if(cb(st->buf, st->size, app_key) < 0) {
+			erval.encoded = -1;
+			erval.failed_type = td;
+			erval.structure_ptr = sptr;
+			return erval;
+		}
+	} else {
+		assert(st->buf || st->size == 0);
+	}
+
+	erval.encoded += st->size;
+	_ASN_ENCODED_OK(erval);
+}
+
+void
+ASN__PRIMITIVE_TYPE_free(asn_TYPE_descriptor_t *td, void *sptr,
+		int contents_only) {
+	ASN__PRIMITIVE_TYPE_t *st = (ASN__PRIMITIVE_TYPE_t *)sptr;
+
+	if(!td || !sptr)
+		return;
+
+	ASN_DEBUG("Freeing %s as a primitive type", td->name);
+
+	if(st->buf)
+		FREEMEM(st->buf);
+
+	if(!contents_only)
+		FREEMEM(st);
+}
+
+
+/*
+ * Local internal type passed around as an argument.
+ */
+struct xdp_arg_s {
+	asn_TYPE_descriptor_t *type_descriptor;
+	void *struct_key;
+	xer_primitive_body_decoder_f *prim_body_decoder;
+	int decoded_something;
+	int want_more;
+};
+
+/*
+ * Since some kinds of primitive values can be encoded using value-specific
+ * tags (<MINUS-INFINITY>, <enum-element>, etc), the primitive decoder must
+ * be supplied with such tags to parse them as needed.
+ */
+static int
+xer_decode__unexpected_tag(void *key, const void *chunk_buf, size_t chunk_size) {
+	struct xdp_arg_s *arg = (struct xdp_arg_s *)key;
+	enum xer_pbd_rval bret;
+
+	/*
+	 * The chunk_buf is guaranteed to start at '<'.
+	 */
+	assert(chunk_size && ((const char *)chunk_buf)[0] == 0x3c);
+
+	/*
+	 * Decoding was performed once already. Prohibit doing it again.
+	 */
+	if(arg->decoded_something)
+		return -1;
+
+	bret = arg->prim_body_decoder(arg->type_descriptor,
+		arg->struct_key, chunk_buf, chunk_size);
+	switch(bret) {
+	case XPBD_SYSTEM_FAILURE:
+	case XPBD_DECODER_LIMIT:
+	case XPBD_BROKEN_ENCODING:
+		break;
+	case XPBD_BODY_CONSUMED:
+		/* Tag decoded successfully */
+		arg->decoded_something = 1;
+		/* Fall through */
+	case XPBD_NOT_BODY_IGNORE:	/* Safe to proceed further */
+		return 0;
+	}
+
+	return -1;
+}
+
+static ssize_t
+xer_decode__primitive_body(void *key, const void *chunk_buf, size_t chunk_size, int have_more) {
+	struct xdp_arg_s *arg = (struct xdp_arg_s *)key;
+	enum xer_pbd_rval bret;
+	size_t lead_wsp_size;
+
+	if(arg->decoded_something) {
+		if(xer_whitespace_span(chunk_buf, chunk_size) == chunk_size) {
+			/*
+			 * Example:
+			 * "<INTEGER>123<!--/--> </INTEGER>"
+			 *                      ^- chunk_buf position.
+			 */
+			return chunk_size;
+		}
+		/*
+		 * Decoding was done once already. Prohibit doing it again.
+		 */
+		return -1;
+	}
+
+	if(!have_more) {
+		/*
+		 * If we've received something like "1", we can't really
+		 * tell whether it is really `1` or `123`, until we know
+		 * that there is no more data coming.
+		 * The have_more argument will be set to 1 once something
+		 * like this is available to the caller of this callback:
+		 * "1<tag_start..."
+		 */
+		arg->want_more = 1;
+		return -1;
+	}
+
+	lead_wsp_size = xer_whitespace_span(chunk_buf, chunk_size);
+	chunk_buf = (const char *)chunk_buf + lead_wsp_size;
+	chunk_size -= lead_wsp_size;
+
+	bret = arg->prim_body_decoder(arg->type_descriptor,
+		arg->struct_key, chunk_buf, chunk_size);
+	switch(bret) {
+	case XPBD_SYSTEM_FAILURE:
+	case XPBD_DECODER_LIMIT:
+	case XPBD_BROKEN_ENCODING:
+		break;
+	case XPBD_BODY_CONSUMED:
+		/* Tag decoded successfully */
+		arg->decoded_something = 1;
+		/* Fall through */
+	case XPBD_NOT_BODY_IGNORE:	/* Safe to proceed further */
+		return lead_wsp_size + chunk_size;
+	}
+
+	return -1;
+}
+
+
+asn_dec_rval_t
+xer_decode_primitive(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	void **sptr,
+	size_t struct_size,
+	const char *opt_mname,
+	const void *buf_ptr, size_t size,
+	xer_primitive_body_decoder_f *prim_body_decoder
+) {
+	const char *xml_tag = opt_mname ? opt_mname : td->xml_tag;
+	asn_struct_ctx_t s_ctx;
+	struct xdp_arg_s s_arg;
+	asn_dec_rval_t rc;
+
+	/*
+	 * Create the structure if does not exist.
+	 */
+	if(!*sptr) {
+		*sptr = CALLOC(1, struct_size);
+		if(!*sptr) _ASN_DECODE_FAILED;
+	}
+
+	memset(&s_ctx, 0, sizeof(s_ctx));
+	s_arg.type_descriptor = td;
+	s_arg.struct_key = *sptr;
+	s_arg.prim_body_decoder = prim_body_decoder;
+	s_arg.decoded_something = 0;
+	s_arg.want_more = 0;
+
+	rc = xer_decode_general(opt_codec_ctx, &s_ctx, &s_arg,
+		xml_tag, buf_ptr, size,
+		xer_decode__unexpected_tag, xer_decode__primitive_body);
+	switch(rc.code) {
+	case RC_OK:
+		if(!s_arg.decoded_something) {
+			char ch;
+			ASN_DEBUG("Primitive body is not recognized, "
+				"supplying empty one");
+			/*
+			 * Decoding opportunity has come and gone.
+			 * Where's the result?
+			 * Try to feed with empty body, see if it eats it.
+			 */
+			if(prim_body_decoder(s_arg.type_descriptor,
+				s_arg.struct_key, &ch, 0)
+					!= XPBD_BODY_CONSUMED) {
+				/*
+				 * This decoder does not like empty stuff.
+				 */
+				_ASN_DECODE_FAILED;
+			}
+		}
+		break;
+	case RC_WMORE:
+		/*
+		 * Redo the whole thing later.
+		 * We don't have a context to save intermediate parsing state.
+		 */
+		rc.consumed = 0;
+		break;
+	case RC_FAIL:
+		rc.consumed = 0;
+		if(s_arg.want_more)
+			rc.code = RC_WMORE;
+		else
+			_ASN_DECODE_FAILED;
+		break;
+	}
+	return rc;
+}
+
--- a/asn1/asn1c/asn_codecs_prim.h
+++ b/asn1/asn1c/asn_codecs_prim.h
@@ -0,0 +1,53 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN_CODECS_PRIM_H
+#define	ASN_CODECS_PRIM_H
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct ASN__PRIMITIVE_TYPE_s {
+	uint8_t *buf;	/* Buffer with consecutive primitive encoding bytes */
+	int size;	/* Size of the buffer */
+} ASN__PRIMITIVE_TYPE_t;	/* Do not use this type directly! */
+
+asn_struct_free_f ASN__PRIMITIVE_TYPE_free;
+ber_type_decoder_f ber_decode_primitive;
+der_type_encoder_f der_encode_primitive;
+
+/*
+ * A callback specification for the xer_decode_primitive() function below.
+ */
+enum xer_pbd_rval {
+	XPBD_SYSTEM_FAILURE,	/* System failure (memory shortage, etc) */
+	XPBD_DECODER_LIMIT,	/* Hit some decoder limitation or deficiency */
+	XPBD_BROKEN_ENCODING,	/* Encoding of a primitive body is broken */
+	XPBD_NOT_BODY_IGNORE,	/* Not a body format, but safe to ignore */
+	XPBD_BODY_CONSUMED	/* Body is recognized and consumed */
+};
+typedef enum xer_pbd_rval (xer_primitive_body_decoder_f)
+	(asn_TYPE_descriptor_t *td, void *struct_ptr,
+		const void *chunk_buf, size_t chunk_size);
+
+/*
+ * Specific function to decode simple primitive types.
+ * Also see xer_decode_general() in xer_decoder.h
+ */
+asn_dec_rval_t xer_decode_primitive(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *type_descriptor,
+	void **struct_ptr, size_t struct_size,
+	const char *opt_mname,
+	const void *buf_ptr, size_t size,
+	xer_primitive_body_decoder_f *prim_body_decoder
+);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN_CODECS_PRIM_H */
--- a/asn1/asn1c/asn_internal.h
+++ b/asn1/asn1c/asn_internal.h
@@ -0,0 +1,126 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005, 2007 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Declarations internally useful for the ASN.1 support code.
+ */
+#ifndef	_ASN_INTERNAL_H_
+#define	_ASN_INTERNAL_H_
+
+#include "asn_application.h"	/* Application-visible API */
+
+#ifndef	__NO_ASSERT_H__		/* Include assert.h only for internal use. */
+#include <assert.h>		/* for assert() macro */
+#endif
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+/* Environment version might be used to avoid running with the old library */
+#define	ASN1C_ENVIRONMENT_VERSION	923	/* Compile-time version */
+int get_asn1c_environment_version(void);	/* Run-time version */
+
+#define	CALLOC(nmemb, size)	calloc(nmemb, size)
+#define	MALLOC(size)		malloc(size)
+#define	REALLOC(oldptr, size)	realloc(oldptr, size)
+#define	FREEMEM(ptr)		free(ptr)
+
+#define	asn_debug_indent	0
+#define ASN_DEBUG_INDENT_ADD(i) do{}while(0)
+
+/*
+ * A macro for debugging the ASN.1 internals.
+ * You may enable or override it.
+ */
+#ifndef	ASN_DEBUG	/* If debugging code is not defined elsewhere... */
+#if	EMIT_ASN_DEBUG == 1	/* And it was asked to emit this code... */
+#ifdef	__GNUC__
+#ifdef	ASN_THREAD_SAFE
+/* Thread safety requires sacrifice in output indentation:
+ * Retain empty definition of ASN_DEBUG_INDENT_ADD. */
+#else	/* !ASN_THREAD_SAFE */
+#undef  ASN_DEBUG_INDENT_ADD
+#undef  asn_debug_indent
+int asn_debug_indent;
+#define ASN_DEBUG_INDENT_ADD(i) do { asn_debug_indent += i; } while(0)
+#endif	/* ASN_THREAD_SAFE */
+#define	ASN_DEBUG(fmt, args...)	do {			\
+		int adi = asn_debug_indent;		\
+		while(adi--) fprintf(stderr, " ");	\
+		fprintf(stderr, fmt, ##args);		\
+		fprintf(stderr, " (%s:%d)\n",		\
+			__FILE__, __LINE__);		\
+	} while(0)
+#else	/* !__GNUC__ */
+void ASN_DEBUG_f(const char *fmt, ...);
+#define	ASN_DEBUG	ASN_DEBUG_f
+#endif	/* __GNUC__ */
+#else	/* EMIT_ASN_DEBUG != 1 */
+static inline void ASN_DEBUG(const char *fmt, ...) { (void)fmt; }
+#endif	/* EMIT_ASN_DEBUG */
+#endif	/* ASN_DEBUG */
+
+/*
+ * Invoke the application-supplied callback and fail, if something is wrong.
+ */
+#define	__ASN_E_cbc(buf, size)	(cb((buf), (size), app_key) < 0)
+#define	_ASN_E_CALLBACK(foo)	do {					\
+		if(foo)	goto cb_failed;					\
+	} while(0)
+#define	_ASN_CALLBACK(buf, size)					\
+	_ASN_E_CALLBACK(__ASN_E_cbc(buf, size))
+#define	_ASN_CALLBACK2(buf1, size1, buf2, size2)			\
+	_ASN_E_CALLBACK(__ASN_E_cbc(buf1, size1) || __ASN_E_cbc(buf2, size2))
+#define	_ASN_CALLBACK3(buf1, size1, buf2, size2, buf3, size3)		\
+	_ASN_E_CALLBACK(__ASN_E_cbc(buf1, size1)			\
+		|| __ASN_E_cbc(buf2, size2)				\
+		|| __ASN_E_cbc(buf3, size3))
+
+#define	_i_ASN_TEXT_INDENT(nl, level) do {				\
+	int __level = (level);						\
+	int __nl = ((nl) != 0);						\
+	int __i;							\
+	if(__nl) _ASN_CALLBACK("\n", 1);				\
+	if(__level < 0) __level = 0;					\
+	for(__i = 0; __i < __level; __i++)				\
+		_ASN_CALLBACK("    ", 4);				\
+	er.encoded += __nl + 4 * __level;				\
+} while(0)
+
+#define	_i_INDENT(nl)	do {						\
+	int __i;							\
+	if((nl) && cb("\n", 1, app_key) < 0) return -1;			\
+	for(__i = 0; __i < ilevel; __i++)				\
+		if(cb("    ", 4, app_key) < 0) return -1;		\
+} while(0)
+
+/*
+ * Check stack against overflow, if limit is set.
+ */
+#define	_ASN_DEFAULT_STACK_MAX	(30000)
+static inline int
+_ASN_STACK_OVERFLOW_CHECK(asn_codec_ctx_t *ctx) {
+	if(ctx && ctx->max_stack_size) {
+
+		/* ctx MUST be allocated on the stack */
+		ptrdiff_t usedstack = ((char *)ctx - (char *)&ctx);
+		if(usedstack > 0) usedstack = -usedstack; /* grows up! */
+
+		/* double negative required to avoid int wrap-around */
+		if(usedstack < -(ptrdiff_t)ctx->max_stack_size) {
+			ASN_DEBUG("Stack limit %ld reached",
+				(long)ctx->max_stack_size);
+			return -1;
+		}
+	}
+	return 0;
+}
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif	/* _ASN_INTERNAL_H_ */
--- a/asn1/asn1c/asn_system.h
+++ b/asn1/asn1c/asn_system.h
@@ -0,0 +1,129 @@
+/*-
+ * Copyright (c) 2003, 2004, 2007 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Miscellaneous system-dependent types.
+ */
+#ifndef	_ASN_SYSTEM_H_
+#define	_ASN_SYSTEM_H_
+
+#ifdef	HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <stdio.h>	/* For snprintf(3) */
+#include <stdlib.h>	/* For *alloc(3) */
+#include <string.h>	/* For memcpy(3) */
+#include <sys/types.h>	/* For size_t */
+#include <limits.h>	/* For LONG_MAX */
+#include <stdarg.h>	/* For va_start */
+#include <stddef.h>	/* for offsetof and ptrdiff_t */
+
+#ifdef	_WIN32
+
+#include <malloc.h>
+#define	 snprintf	_snprintf
+#define	 vsnprintf	_vsnprintf
+
+/* To avoid linking with ws2_32.lib, here's the definition of ntohl() */
+#define sys_ntohl(l)	((((l) << 24)  & 0xff000000)	\
+			| (((l) << 8) & 0xff0000)	\
+			| (((l) >> 8)  & 0xff00)	\
+			| ((l >> 24) & 0xff))
+
+#ifdef _MSC_VER			/* MSVS.Net */
+#ifndef __cplusplus
+#define inline __inline
+#endif
+#ifndef	ASSUMESTDTYPES	/* Standard types have been defined elsewhere */
+#define	ssize_t		SSIZE_T
+typedef	char		int8_t;
+typedef	short		int16_t;
+typedef	int		int32_t;
+typedef	unsigned char	uint8_t;
+typedef	unsigned short	uint16_t;
+typedef	unsigned int	uint32_t;
+#endif	/* ASSUMESTDTYPES */
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <float.h>
+#define isnan _isnan
+#define finite _finite
+#define copysign _copysign
+#define	ilogb	_logb
+#else	/* !_MSC_VER */
+#include <stdint.h>
+#endif	/* _MSC_VER */
+
+#else	/* !_WIN32 */
+
+#if defined(__vxworks)
+#include <types/vxTypes.h>
+#else	/* !defined(__vxworks) */
+
+#include <inttypes.h>	/* C99 specifies this file */
+/*
+ * 1. Earlier FreeBSD version didn't have <stdint.h>,
+ * but <inttypes.h> was present.
+ * 2. Sun Solaris requires <alloca.h> for alloca(3),
+ * but does not have <stdint.h>.
+ */
+#if	(!defined(__FreeBSD__) || !defined(_SYS_INTTYPES_H_))
+#if	defined(sun)
+#include <alloca.h>	/* For alloca(3) */
+#include <ieeefp.h>	/* for finite(3) */
+#elif	defined(__hpux)
+#ifdef	__GNUC__
+#include <alloca.h>	/* For alloca(3) */
+#else	/* !__GNUC__ */
+#define inline
+#endif	/* __GNUC__ */
+#else
+#include <stdint.h>	/* SUSv2+ and C99 specify this file, for uintXX_t */
+#endif	/* defined(sun) */
+#endif
+
+#include <netinet/in.h> /* for ntohl() */
+#define	sys_ntohl(foo)	ntohl(foo)
+
+#endif	/* defined(__vxworks) */
+
+#endif	/* _WIN32 */
+
+#if	__GNUC__ >= 3
+#ifndef	GCC_PRINTFLIKE
+#define	GCC_PRINTFLIKE(fmt,var)	__attribute__((format(printf,fmt,var)))
+#endif
+#ifndef	GCC_NOTUSED
+#define	GCC_NOTUSED		__attribute__((unused))
+#endif
+#else
+#ifndef	GCC_PRINTFLIKE
+#define	GCC_PRINTFLIKE(fmt,var)	/* nothing */
+#endif
+#ifndef	GCC_NOTUSED
+#define	GCC_NOTUSED
+#endif
+#endif
+
+/* Figure out if thread safety is requested */
+#if !defined(ASN_THREAD_SAFE) && (defined(THREAD_SAFE) || defined(_REENTRANT))
+#define	ASN_THREAD_SAFE
+#endif	/* Thread safety */
+
+#ifndef	offsetof	/* If not defined by <stddef.h> */
+#define	offsetof(s, m)	((ptrdiff_t)&(((s *)0)->m) - (ptrdiff_t)((s *)0))
+#endif	/* offsetof */
+
+#ifndef	MIN		/* Suitable for comparing primitive types (integers) */
+#if defined(__GNUC__)
+#define	MIN(a,b)	({ __typeof a _a = a; __typeof b _b = b;	\
+	((_a)<(_b)?(_a):(_b)); })
+#else	/* !__GNUC__ */
+#define	MIN(a,b)	((a)<(b)?(a):(b))	/* Unsafe variant */
+#endif /* __GNUC__ */
+#endif	/* MIN */
+
+#endif	/* _ASN_SYSTEM_H_ */
--- a/asn1/asn1c/ber_decoder.c
+++ b/asn1/asn1c/ber_decoder.c
@@ -0,0 +1,283 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+
+#undef	ADVANCE
+#define	ADVANCE(num_bytes)	do {					\
+		size_t num = num_bytes;					\
+		ptr = ((const char *)ptr) + num;			\
+		size -= num;						\
+		consumed_myself += num;					\
+	} while(0)
+#undef	RETURN
+#define	RETURN(_code)	do {						\
+		asn_dec_rval_t rval;					\
+		rval.code = _code;					\
+		if(opt_ctx) opt_ctx->step = step; /* Save context */	\
+		if(_code == RC_OK || opt_ctx)				\
+			rval.consumed = consumed_myself;		\
+		else							\
+			rval.consumed = 0;	/* Context-free */	\
+		return rval;						\
+	} while(0)
+
+/*
+ * The BER decoder of any type.
+ */
+asn_dec_rval_t
+ber_decode(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *type_descriptor,
+	void **struct_ptr, const void *ptr, size_t size) {
+	asn_codec_ctx_t s_codec_ctx;
+
+	/*
+	 * Stack checker requires that the codec context
+	 * must be allocated on the stack.
+	 */
+	if(opt_codec_ctx) {
+		if(opt_codec_ctx->max_stack_size) {
+			s_codec_ctx = *opt_codec_ctx;
+			opt_codec_ctx = &s_codec_ctx;
+		}
+	} else {
+		/* If context is not given, be security-conscious anyway */
+		memset(&s_codec_ctx, 0, sizeof(s_codec_ctx));
+		s_codec_ctx.max_stack_size = _ASN_DEFAULT_STACK_MAX;
+		opt_codec_ctx = &s_codec_ctx;
+	}
+
+	/*
+	 * Invoke type-specific decoder.
+	 */
+	return type_descriptor->ber_decoder(opt_codec_ctx, type_descriptor,
+		struct_ptr,	/* Pointer to the destination structure */
+		ptr, size,	/* Buffer and its size */
+		0		/* Default tag mode is 0 */
+		);
+}
+
+/*
+ * Check the set of <TL<TL<TL...>>> tags matches the definition.
+ */
+asn_dec_rval_t
+ber_check_tags(asn_codec_ctx_t *opt_codec_ctx,
+		asn_TYPE_descriptor_t *td, asn_struct_ctx_t *opt_ctx,
+		const void *ptr, size_t size, int tag_mode, int last_tag_form,
+		ber_tlv_len_t *last_length, int *opt_tlv_form) {
+	ssize_t consumed_myself = 0;
+	ssize_t tag_len;
+	ssize_t len_len;
+	ber_tlv_tag_t tlv_tag;
+	ber_tlv_len_t tlv_len;
+	ber_tlv_len_t limit_len = -1;
+	int expect_00_terminators = 0;
+	int tlv_constr = -1;	/* If CHOICE, opt_tlv_form is not given */
+	int step = opt_ctx ? opt_ctx->step : 0;	/* Where we left previously */
+	int tagno;
+
+	/*
+	 * Make sure we didn't exceed the maximum stack size.
+	 */
+	if(_ASN_STACK_OVERFLOW_CHECK(opt_codec_ctx))
+		RETURN(RC_FAIL);
+
+	/*
+	 * So what does all this implicit skip stuff mean?
+	 * Imagine two types,
+	 * 	A ::= [5] IMPLICIT	T
+	 * 	B ::= [2] EXPLICIT	T
+	 * Where T is defined as
+	 *	T ::= [4] IMPLICIT SEQUENCE { ... }
+	 * 
+	 * Let's say, we are starting to decode type A, given the
+	 * following TLV stream: <5> <0>. What does this mean?
+	 * It means that the type A contains type T which is,
+	 * in turn, empty.
+	 * Remember though, that we are still in A. We cannot
+	 * just pass control to the type T decoder. Why? Because
+	 * the type T decoder expects <4> <0>, not <5> <0>.
+	 * So, we must make sure we are going to receive <5> while
+	 * still in A, then pass control to the T decoder, indicating
+	 * that the tag <4> was implicitly skipped. The decoder of T
+	 * hence will be prepared to treat <4> as valid tag, and decode
+	 * it appropriately.
+	 */
+
+	tagno = step	/* Continuing where left previously */
+		+ (tag_mode==1?-1:0)
+		;
+	ASN_DEBUG("ber_check_tags(%s, size=%ld, tm=%d, step=%d, tagno=%d)",
+		td->name, (long)size, tag_mode, step, tagno);
+	/* assert(td->tags_count >= 1) May not be the case for CHOICE or ANY */
+
+	if(tag_mode == 0 && tagno == td->tags_count) {
+		/*
+		 * This must be the _untagged_ ANY type,
+		 * which outermost tag isn't known in advance.
+		 * Fetch the tag and length separately.
+		 */
+		tag_len = ber_fetch_tag(ptr, size, &tlv_tag);
+		switch(tag_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+		tlv_constr = BER_TLV_CONSTRUCTED(ptr);
+		len_len = ber_fetch_length(tlv_constr,
+			(const char *)ptr + tag_len, size - tag_len, &tlv_len);
+		switch(len_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+		ASN_DEBUG("Advancing %ld in ANY case",
+			(long)(tag_len + len_len));
+		ADVANCE(tag_len + len_len);
+	} else {
+		assert(tagno < td->tags_count);	/* At least one loop */
+	}
+	for((void)tagno; tagno < td->tags_count; tagno++, step++) {
+
+		/*
+		 * Fetch and process T from TLV.
+		 */
+		tag_len = ber_fetch_tag(ptr, size, &tlv_tag);
+			ASN_DEBUG("Fetching tag from {%p,%ld}: "
+				"len %ld, step %d, tagno %d got %s",
+				ptr, (long)size,
+				(long)tag_len, step, tagno,
+				ber_tlv_tag_string(tlv_tag));
+		switch(tag_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+
+		tlv_constr = BER_TLV_CONSTRUCTED(ptr);
+
+		/*
+		 * If {I}, don't check anything.
+		 * If {I,B,C}, check B and C unless we're at I.
+		 */
+		if(tag_mode != 0 && step == 0) {
+			/*
+			 * We don't expect tag to match here.
+			 * It's just because we don't know how the tag
+			 * is supposed to look like.
+			 */
+		} else {
+		    assert(tagno >= 0);	/* Guaranteed by the code above */
+		    if(tlv_tag != td->tags[tagno]) {
+			/*
+			 * Unexpected tag. Too bad.
+			 */
+		    	ASN_DEBUG("Expected: %s, "
+				"expectation failed (tn=%d, tm=%d)",
+				ber_tlv_tag_string(td->tags[tagno]),
+				tagno, tag_mode
+			);
+			RETURN(RC_FAIL);
+		    }
+		}
+
+		/*
+		 * Attention: if there are more tags expected,
+		 * ensure that the current tag is presented
+		 * in constructed form (it contains other tags!).
+		 * If this one is the last one, check that the tag form
+		 * matches the one given in descriptor.
+		 */
+		if(tagno < (td->tags_count - 1)) {
+			if(tlv_constr == 0) {
+				ASN_DEBUG("tlv_constr = %d, expfail",
+					tlv_constr);
+				RETURN(RC_FAIL);
+			}
+		} else {
+			if(last_tag_form != tlv_constr
+			&& last_tag_form != -1) {
+				ASN_DEBUG("last_tag_form %d != %d",
+					last_tag_form, tlv_constr);
+				RETURN(RC_FAIL);
+			}
+		}
+
+		/*
+		 * Fetch and process L from TLV.
+		 */
+		len_len = ber_fetch_length(tlv_constr,
+			(const char *)ptr + tag_len, size - tag_len, &tlv_len);
+		ASN_DEBUG("Fetching len = %ld", (long)len_len);
+		switch(len_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+
+		/*
+		 * FIXME
+		 * As of today, the chain of tags
+		 * must either contain several indefinite length TLVs,
+		 * or several definite length ones.
+		 * No mixing is allowed.
+		 */
+		if(tlv_len == -1) {
+			/*
+			 * Indefinite length.
+			 */
+			if(limit_len == -1) {
+				expect_00_terminators++;
+			} else {
+				ASN_DEBUG("Unexpected indefinite length "
+					"in a chain of definite lengths");
+				RETURN(RC_FAIL);
+			}
+			ADVANCE(tag_len + len_len);
+			continue;
+		} else {
+			if(expect_00_terminators) {
+				ASN_DEBUG("Unexpected definite length "
+					"in a chain of indefinite lengths");
+				RETURN(RC_FAIL);
+			}
+		}
+
+		/*
+		 * Check that multiple TLVs specify ever decreasing length,
+		 * which is consistent.
+		 */
+		if(limit_len == -1) {
+			limit_len    = tlv_len + tag_len + len_len;
+			if(limit_len < 0) {
+				/* Too great tlv_len value? */
+				RETURN(RC_FAIL);
+			}
+		} else if(limit_len != tlv_len + tag_len + len_len) {
+			/*
+			 * Inner TLV specifies length which is inconsistent
+			 * with the outer TLV's length value.
+			 */
+			ASN_DEBUG("Outer TLV is %ld and inner is %ld",
+				(long)limit_len, (long)tlv_len);
+			RETURN(RC_FAIL);
+		}
+
+		ADVANCE(tag_len + len_len);
+
+		limit_len -= (tag_len + len_len);
+		if((ssize_t)size > limit_len) {
+			/*
+			 * Make sure that we won't consume more bytes
+			 * from the parent frame than the inferred limit.
+			 */
+			size = limit_len;
+		}
+	}
+
+	if(opt_tlv_form)
+		*opt_tlv_form = tlv_constr;
+	if(expect_00_terminators)
+		*last_length = -expect_00_terminators;
+	else
+		*last_length = tlv_len;
+
+	RETURN(RC_OK);
+}
--- a/asn1/asn1c/ber_decoder.h
+++ b/asn1/asn1c/ber_decoder.h
@@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BER_DECODER_H_
+#define	_BER_DECODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+struct asn_codec_ctx_s;		/* Forward declaration */
+
+/*
+ * The BER decoder of any type.
+ * This function may be invoked directly from the application.
+ * The der_encode() function (der_encoder.h) is an opposite to ber_decode().
+ */
+asn_dec_rval_t ber_decode(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size		/* Size of that buffer */
+	);
+
+/*
+ * Type of generic function which decodes the byte stream into the structure.
+ */
+typedef asn_dec_rval_t (ber_type_decoder_f)(
+		struct asn_codec_ctx_s *opt_codec_ctx,
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void **struct_ptr, const void *buf_ptr, size_t size,
+		int tag_mode);
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+/*
+ * Check that all tags correspond to the type definition (as given in head).
+ * On return, last_length would contain either a non-negative length of the
+ * value part of the last TLV, or the negative number of expected
+ * "end of content" sequences. The number may only be negative if the
+ * head->last_tag_form is non-zero.
+ */
+asn_dec_rval_t ber_check_tags(
+		struct asn_codec_ctx_s *opt_codec_ctx,	/* codec options */
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		asn_struct_ctx_t *opt_ctx,	/* saved decoding context */
+		const void *ptr, size_t size,
+		int tag_mode,		/* {-1,0,1}: IMPLICIT, no, EXPLICIT */
+		int last_tag_form,	/* {-1,0:1}: any, primitive, constr */
+		ber_tlv_len_t *last_length,
+		int *opt_tlv_form	/* optional tag form */
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BER_DECODER_H_ */
--- a/asn1/asn1c/ber_tlv_length.c
+++ b/asn1/asn1c/ber_tlv_length.c
@@ -0,0 +1,178 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <ber_tlv_length.h>
+#include <ber_tlv_tag.h>
+
+ssize_t
+ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
+		ber_tlv_len_t *len_r) {
+	const uint8_t *buf = (const uint8_t *)bufptr;
+	unsigned oct;
+
+	if(size == 0)
+		return 0;	/* Want more */
+
+	oct = *(const uint8_t *)buf;
+	if((oct & 0x80) == 0) {
+		/*
+		 * Short definite length.
+		 */
+		*len_r = oct;	/* & 0x7F */
+		return 1;
+	} else {
+		ber_tlv_len_t len;
+		size_t skipped;
+
+		if(_is_constructed && oct == 0x80) {
+			*len_r = -1;	/* Indefinite length */
+			return 1;
+		}
+
+		if(oct == 0xff) {
+			/* Reserved in standard for future use. */
+			return -1;
+		}
+
+		oct &= 0x7F;	/* Leave only the 7 LS bits */
+		for(len = 0, buf++, skipped = 1;
+			oct && (++skipped <= size); buf++, oct--) {
+
+			len = (len << 8) | *buf;
+			if(len < 0
+			|| (len >> ((8 * sizeof(len)) - 8) && oct > 1)) {
+				/*
+				 * Too large length value.
+				 */
+				return -1;
+			}
+		}
+
+		if(oct == 0) {
+			ber_tlv_len_t lenplusepsilon = (size_t)len + 1024;
+			/*
+			 * Here length may be very close or equal to 2G.
+			 * However, the arithmetics used in some decoders
+			 * may add some (small) quantities to the length,
+			 * to check the resulting value against some limits.
+			 * This may result in integer wrap-around, which
+			 * we try to avoid by checking it earlier here.
+			 */
+			if(lenplusepsilon < 0) {
+				/* Too large length value */
+				return -1;
+			}
+
+			*len_r = len;
+			return skipped;
+		}
+
+		return 0;	/* Want more */
+	}
+
+}
+
+ssize_t
+ber_skip_length(asn_codec_ctx_t *opt_codec_ctx,
+		int _is_constructed, const void *ptr, size_t size) {
+	ber_tlv_len_t vlen;	/* Length of V in TLV */
+	ssize_t tl;		/* Length of L in TLV */
+	ssize_t ll;		/* Length of L in TLV */
+	size_t skip;
+
+	/*
+	 * Make sure we didn't exceed the maximum stack size.
+	 */
+	if(_ASN_STACK_OVERFLOW_CHECK(opt_codec_ctx))
+		return -1;
+
+	/*
+	 * Determine the size of L in TLV.
+	 */
+	ll = ber_fetch_length(_is_constructed, ptr, size, &vlen);
+	if(ll <= 0) return ll;
+
+	/*
+	 * Definite length.
+	 */
+	if(vlen >= 0) {
+		skip = ll + vlen;
+		if(skip > size)
+			return 0;	/* Want more */
+		return skip;
+	}
+
+	/*
+	 * Indefinite length!
+	 */
+	ASN_DEBUG("Skipping indefinite length");
+	for(skip = ll, ptr = ((const char *)ptr) + ll, size -= ll;;) {
+		ber_tlv_tag_t tag;
+
+		/* Fetch the tag */
+		tl = ber_fetch_tag(ptr, size, &tag);
+		if(tl <= 0) return tl;
+
+		ll = ber_skip_length(opt_codec_ctx,
+			BER_TLV_CONSTRUCTED(ptr),
+			((const char *)ptr) + tl, size - tl);
+		if(ll <= 0) return ll;
+
+		skip += tl + ll;
+
+		/*
+		 * This may be the end of the indefinite length structure,
+		 * two consecutive 0 octets.
+		 * Check if it is true.
+		 */
+		if(((const uint8_t *)ptr)[0] == 0
+		&& ((const uint8_t *)ptr)[1] == 0)
+			return skip;
+
+		ptr = ((const char *)ptr) + tl + ll;
+		size -= tl + ll;
+ 	}
+
+	/* UNREACHABLE */
+}
+
+size_t
+der_tlv_length_serialize(ber_tlv_len_t len, void *bufp, size_t size) {
+	size_t required_size;	/* Size of len encoding */
+	uint8_t *buf = (uint8_t *)bufp;
+	uint8_t *end;
+	size_t i;
+
+	if(len <= 127) {
+		/* Encoded in 1 octet */
+		if(size) *buf = (uint8_t)len;
+		return 1;
+	}
+
+	/*
+	 * Compute the size of the subsequent bytes.
+	 */
+	for(required_size = 1, i = 8; i < 8 * sizeof(len); i += 8) {
+		if(len >> i)
+			required_size++;
+		else
+			break;
+	}
+
+	if(size <= required_size)
+		return required_size + 1;
+
+	*buf++ = (uint8_t)(0x80 | required_size);  /* Length of the encoding */
+
+	/*
+	 * Produce the len encoding, space permitting.
+	 */
+	end = buf + required_size;
+	for(i -= 8; buf < end; i -= 8, buf++)
+		*buf = (uint8_t)(len >> i);
+
+	return required_size + 1;
+}
+
--- a/asn1/asn1c/ber_tlv_length.h
+++ b/asn1/asn1c/ber_tlv_length.h
@@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BER_TLV_LENGTH_H_
+#define	_BER_TLV_LENGTH_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef ssize_t ber_tlv_len_t;
+
+/*
+ * This function tries to fetch the length of the BER TLV value and place it
+ * in *len_r.
+ * RETURN VALUES:
+ *	 0:	More data expected than bufptr contains.
+ *	-1:	Fatal error deciphering length.
+ *	>0:	Number of bytes used from bufptr.
+ * On return with >0, len_r is constrained as -1..MAX, where -1 mean
+ * that the value is of indefinite length.
+ */
+ssize_t ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
+	ber_tlv_len_t *len_r);
+
+/*
+ * This function expects bufptr to be positioned over L in TLV.
+ * It returns number of bytes occupied by L and V together, suitable
+ * for skipping. The function properly handles indefinite length.
+ * RETURN VALUES:
+ * 	Standard {-1,0,>0} convention.
+ */
+ssize_t ber_skip_length(
+	struct asn_codec_ctx_s *opt_codec_ctx,	/* optional context */
+	int _is_constructed, const void *bufptr, size_t size);
+
+/*
+ * This function serializes the length (L from TLV) in DER format.
+ * It always returns number of bytes necessary to represent the length,
+ * it is a caller's responsibility to check the return value
+ * against the supplied buffer's size.
+ */
+size_t der_tlv_length_serialize(ber_tlv_len_t len, void *bufptr, size_t size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BER_TLV_LENGTH_H_ */
--- a/asn1/asn1c/ber_tlv_tag.c
+++ b/asn1/asn1c/ber_tlv_tag.c
@@ -0,0 +1,144 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <ber_tlv_tag.h>
+#include <errno.h>
+
+ssize_t
+ber_fetch_tag(const void *ptr, size_t size, ber_tlv_tag_t *tag_r) {
+	ber_tlv_tag_t val;
+	ber_tlv_tag_t tclass;
+	size_t skipped;
+
+	if(size == 0)
+		return 0;
+
+	val = *(const uint8_t *)ptr;
+	tclass = (val >> 6);
+	if((val &= 0x1F) != 0x1F) {
+		/*
+		 * Simple form: everything encoded in a single octet.
+		 * Tag Class is encoded using two least significant bits.
+		 */
+		*tag_r = (val << 2) | tclass;
+		return 1;
+	}
+
+	/*
+	 * Each octet contains 7 bits of useful information.
+	 * The MSB is 0 if it is the last octet of the tag.
+	 */
+	for(val = 0, ptr = ((const char *)ptr) + 1, skipped = 2;
+			skipped <= size;
+				ptr = ((const char *)ptr) + 1, skipped++) {
+		unsigned int oct = *(const uint8_t *)ptr;
+		if(oct & 0x80) {
+			val = (val << 7) | (oct & 0x7F);
+			/*
+			 * Make sure there are at least 9 bits spare
+			 * at the MS side of a value.
+			 */
+			if(val >> ((8 * sizeof(val)) - 9)) {
+				/*
+				 * We would not be able to accomodate
+				 * any more tag bits.
+				 */
+				return -1;
+			}
+		} else {
+			val = (val << 7) | oct;
+			*tag_r = (val << 2) | tclass;
+			return skipped;
+		}
+	}
+
+	return 0;	/* Want more */
+}
+
+
+ssize_t
+ber_tlv_tag_fwrite(ber_tlv_tag_t tag, FILE *f) {
+	char buf[sizeof("[APPLICATION ]") + 32];
+	ssize_t ret;
+
+	ret = ber_tlv_tag_snprint(tag, buf, sizeof(buf));
+	if(ret >= (ssize_t)sizeof(buf) || ret < 2) {
+		errno = EPERM;
+		return -1;
+	}
+
+	return fwrite(buf, 1, ret, f);
+}
+
+ssize_t
+ber_tlv_tag_snprint(ber_tlv_tag_t tag, char *buf, size_t size) {
+	char *type = 0;
+	int ret;
+
+	switch(tag & 0x3) {
+	case ASN_TAG_CLASS_UNIVERSAL:	type = "UNIVERSAL ";	break;
+	case ASN_TAG_CLASS_APPLICATION:	type = "APPLICATION ";	break;
+	case ASN_TAG_CLASS_CONTEXT:	type = "";		break;
+	case ASN_TAG_CLASS_PRIVATE:	type = "PRIVATE ";	break;
+	}
+
+	ret = snprintf(buf, size, "[%s%u]", type, ((unsigned)tag) >> 2);
+	if(ret <= 0 && size) buf[0] = '\0';	/* against broken libc's */
+
+	return ret;
+}
+
+char *
+ber_tlv_tag_string(ber_tlv_tag_t tag) {
+	static char buf[sizeof("[APPLICATION ]") + 32];
+
+	(void)ber_tlv_tag_snprint(tag, buf, sizeof(buf));
+
+	return buf;
+}
+
+
+size_t
+ber_tlv_tag_serialize(ber_tlv_tag_t tag, void *bufp, size_t size) {
+	int tclass = BER_TAG_CLASS(tag);
+	ber_tlv_tag_t tval = BER_TAG_VALUE(tag);
+	uint8_t *buf = (uint8_t *)bufp;
+	uint8_t *end;
+	size_t required_size;
+	size_t i;
+
+	if(tval <= 30) {
+		/* Encoded in 1 octet */
+		if(size) buf[0] = (tclass << 6) | tval;
+		return 1;
+	} else if(size) {
+		*buf++ = (tclass << 6) | 0x1F;
+		size--;
+	}
+
+	/*
+	 * Compute the size of the subsequent bytes.
+	 */
+	for(required_size = 1, i = 7; i < 8 * sizeof(tval); i += 7) {
+		if(tval >> i)
+			required_size++;
+		else
+			break;
+	}
+
+	if(size < required_size)
+		return required_size + 1;
+
+	/*
+	 * Fill in the buffer, space permitting.
+	 */
+	end = buf + required_size - 1;
+	for(i -= 7; buf < end; i -= 7, buf++)
+		*buf = 0x80 | ((tval >> i) & 0x7F);
+	*buf = (tval & 0x7F);	/* Last octet without high bit */
+
+	return required_size + 1;
+}
+
--- a/asn1/asn1c/ber_tlv_tag.h
+++ b/asn1/asn1c/ber_tlv_tag.h
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BER_TLV_TAG_H_
+#define	_BER_TLV_TAG_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum asn_tag_class {
+	ASN_TAG_CLASS_UNIVERSAL		= 0,	/* 0b00 */
+	ASN_TAG_CLASS_APPLICATION	= 1,	/* 0b01 */
+	ASN_TAG_CLASS_CONTEXT		= 2,	/* 0b10 */
+	ASN_TAG_CLASS_PRIVATE		= 3	/* 0b11 */
+};
+typedef unsigned ber_tlv_tag_t;	/* BER TAG from Tag-Length-Value */
+
+/*
+ * Tag class is encoded together with tag value for optimization purposes.
+ */
+#define	BER_TAG_CLASS(tag)	((tag) & 0x3)
+#define	BER_TAG_VALUE(tag)	((tag) >> 2)
+#define	BER_TLV_CONSTRUCTED(tagptr)	(((*(const uint8_t *)tagptr)&0x20)?1:0)
+
+#define	BER_TAGS_EQUAL(tag1, tag2)	((tag1) == (tag2))
+
+/*
+ * Several functions for printing the TAG in the canonical form
+ * (i.e. "[PRIVATE 0]").
+ * Return values correspond to their libc counterparts (if any).
+ */
+ssize_t ber_tlv_tag_snprint(ber_tlv_tag_t tag, char *buf, size_t buflen);
+ssize_t ber_tlv_tag_fwrite(ber_tlv_tag_t tag, FILE *);
+char *ber_tlv_tag_string(ber_tlv_tag_t tag);
+
+
+/*
+ * This function tries to fetch the tag from the input stream.
+ * RETURN VALUES:
+ * 	 0:	More data expected than bufptr contains.
+ * 	-1:	Fatal error deciphering tag.
+ *	>0:	Number of bytes used from bufptr. tag_r will contain the tag.
+ */
+ssize_t ber_fetch_tag(const void *bufptr, size_t size, ber_tlv_tag_t *tag_r);
+
+/*
+ * This function serializes the tag (T from TLV) in BER format.
+ * It always returns number of bytes necessary to represent the tag,
+ * it is a caller's responsibility to check the return value
+ * against the supplied buffer's size.
+ */
+size_t ber_tlv_tag_serialize(ber_tlv_tag_t tag, void *bufptr, size_t size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BER_TLV_TAG_H_ */
--- a/asn1/asn1c/constr_CHOICE.c
+++ b/asn1/asn1c/constr_CHOICE.c
--- a/asn1/asn1c/constr_CHOICE.h
+++ b/asn1/asn1c/constr_CHOICE.h
@@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_CHOICE_H_
+#define	_CONSTR_CHOICE_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct asn_CHOICE_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the target structure. */
+	int ctx_offset;		/* Offset of the asn_codec_ctx_t member */
+	int pres_offset;	/* Identifier of the present member */
+	int pres_size;		/* Size of the identifier (enum) */
+
+	/*
+	 * Tags to members mapping table.
+	 */
+	asn_TYPE_tag2member_t *tag2el;
+	int tag2el_count;
+
+	/* Canonical ordering of CHOICE elements, for PER */
+	int *canonical_order;
+
+	/*
+	 * Extensions-related stuff.
+	 */
+	int ext_start;		/* First member of extensions, or -1 */
+} asn_CHOICE_specifics_t;
+
+/*
+ * A set specialized functions dealing with the CHOICE type.
+ */
+asn_struct_free_f CHOICE_free;
+asn_struct_print_f CHOICE_print;
+asn_constr_check_f CHOICE_constraint;
+ber_type_decoder_f CHOICE_decode_ber;
+der_type_encoder_f CHOICE_encode_der;
+xer_type_decoder_f CHOICE_decode_xer;
+xer_type_encoder_f CHOICE_encode_xer;
+per_type_decoder_f CHOICE_decode_uper;
+per_type_encoder_f CHOICE_encode_uper;
+asn_outmost_tag_f CHOICE_outmost_tag;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_CHOICE_H_ */
--- a/asn1/asn1c/constr_SEQUENCE.c
+++ b/asn1/asn1c/constr_SEQUENCE.c
--- a/asn1/asn1c/constr_SEQUENCE.h
+++ b/asn1/asn1c/constr_SEQUENCE.h
@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_SEQUENCE_H_
+#define	_CONSTR_SEQUENCE_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct asn_SEQUENCE_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the target structure. */
+	int ctx_offset;		/* Offset of the asn_struct_ctx_t member */
+
+	/*
+	 * Tags to members mapping table (sorted).
+	 */
+	asn_TYPE_tag2member_t *tag2el;
+	int tag2el_count;
+
+	/*
+	 * Optional members of the extensions root (roms) or additions (aoms).
+	 * Meaningful for PER.
+	 */
+	int *oms;		/* Optional MemberS */
+	int  roms_count;	/* Root optional members count */
+	int  aoms_count;	/* Additions optional members count */
+
+	/*
+	 * Description of an extensions group.
+	 */
+	int ext_after;		/* Extensions start after this member */
+	int ext_before;		/* Extensions stop before this member */
+} asn_SEQUENCE_specifics_t;
+
+
+/*
+ * A set specialized functions dealing with the SEQUENCE type.
+ */
+asn_struct_free_f SEQUENCE_free;
+asn_struct_print_f SEQUENCE_print;
+asn_constr_check_f SEQUENCE_constraint;
+ber_type_decoder_f SEQUENCE_decode_ber;
+der_type_encoder_f SEQUENCE_encode_der;
+xer_type_decoder_f SEQUENCE_decode_xer;
+xer_type_encoder_f SEQUENCE_encode_xer;
+per_type_decoder_f SEQUENCE_decode_uper;
+per_type_encoder_f SEQUENCE_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_SEQUENCE_H_ */
--- a/asn1/asn1c/constr_SEQUENCE_OF.c
+++ b/asn1/asn1c/constr_SEQUENCE_OF.c
@@ -0,0 +1,208 @@
+/*-
+ * Copyright (c) 2003, 2004, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <constr_SEQUENCE_OF.h>
+#include <asn_SEQUENCE_OF.h>
+
+/*
+ * The DER encoder of the SEQUENCE OF type.
+ */
+asn_enc_rval_t
+SEQUENCE_OF_encode_der(asn_TYPE_descriptor_t *td, void *ptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	asn_anonymous_sequence_ *list = _A_SEQUENCE_FROM_VOID(ptr);
+	size_t computed_size = 0;
+	ssize_t encoding_size = 0;
+	asn_enc_rval_t erval;
+	int edx;
+
+	ASN_DEBUG("Estimating size of SEQUENCE OF %s", td->name);
+
+	/*
+	 * Gather the length of the underlying members sequence.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		if(!memb_ptr) continue;
+		erval = elm->type->der_encoder(elm->type, memb_ptr,
+			0, elm->tag,
+			0, 0);
+		if(erval.encoded == -1)
+			return erval;
+		computed_size += erval.encoded;
+	}
+
+	/*
+	 * Encode the TLV for the sequence itself.
+	 */
+	encoding_size = der_write_tags(td, computed_size, tag_mode, 1, tag,
+		cb, app_key);
+	if(encoding_size == -1) {
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+		return erval;
+	}
+
+	computed_size += encoding_size;
+	if(!cb) {
+		erval.encoded = computed_size;
+		_ASN_ENCODED_OK(erval);
+	}
+
+	ASN_DEBUG("Encoding members of SEQUENCE OF %s", td->name);
+
+	/*
+	 * Encode all members.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		if(!memb_ptr) continue;
+		erval = elm->type->der_encoder(elm->type, memb_ptr,
+			0, elm->tag,
+			cb, app_key);
+		if(erval.encoded == -1)
+			return erval;
+		encoding_size += erval.encoded;
+	}
+
+	if(computed_size != (size_t)encoding_size) {
+		/*
+		 * Encoded size is not equal to the computed size.
+		 */
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+	} else {
+		erval.encoded = computed_size;
+		erval.structure_ptr = 0;
+		erval.failed_type = 0;
+	}
+
+	return erval;
+}
+
+asn_enc_rval_t
+SEQUENCE_OF_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er;
+        asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;
+	asn_anonymous_sequence_ *list = _A_SEQUENCE_FROM_VOID(sptr);
+	const char *mname = specs->as_XMLValueList
+		? 0 : ((*elm->name) ? elm->name : elm->type->xml_tag);
+	unsigned int mlen = mname ? strlen(mname) : 0;
+	int xcan = (flags & XER_F_CANONICAL);
+	int i;
+
+	if(!sptr) _ASN_ENCODE_FAILED;
+
+	er.encoded = 0;
+
+	for(i = 0; i < list->count; i++) {
+		asn_enc_rval_t tmper;
+		void *memb_ptr = list->array[i];
+		if(!memb_ptr) continue;
+
+		if(mname) {
+			if(!xcan) _i_ASN_TEXT_INDENT(1, ilevel);
+			_ASN_CALLBACK3("<", 1, mname, mlen, ">", 1);
+		}
+
+		tmper = elm->type->xer_encoder(elm->type, memb_ptr,
+				ilevel + 1, flags, cb, app_key);
+		if(tmper.encoded == -1) return tmper;
+                if(tmper.encoded == 0 && specs->as_XMLValueList) {
+                        const char *name = elm->type->xml_tag;
+			size_t len = strlen(name);
+			if(!xcan) _i_ASN_TEXT_INDENT(1, ilevel + 1);
+			_ASN_CALLBACK3("<", 1, name, len, "/>", 2);
+                }
+
+		if(mname) {
+			_ASN_CALLBACK3("</", 2, mname, mlen, ">", 1);
+			er.encoded += 5;
+		}
+
+		er.encoded += (2 * mlen) + tmper.encoded;
+	}
+
+	if(!xcan) _i_ASN_TEXT_INDENT(1, ilevel - 1);
+
+	_ASN_ENCODED_OK(er);
+cb_failed:
+	_ASN_ENCODE_FAILED;
+}
+
+asn_enc_rval_t
+SEQUENCE_OF_encode_uper(asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	asn_anonymous_sequence_ *list;
+	asn_per_constraint_t *ct;
+	asn_enc_rval_t er;
+	asn_TYPE_member_t *elm = td->elements;
+	int seq;
+
+	if(!sptr) _ASN_ENCODE_FAILED;
+	list = _A_SEQUENCE_FROM_VOID(sptr);
+
+	er.encoded = 0;
+
+	ASN_DEBUG("Encoding %s as SEQUENCE OF (%d)", td->name, list->count);
+
+	if(constraints) ct = &constraints->size;
+	else if(td->per_constraints) ct = &td->per_constraints->size;
+	else ct = 0;
+
+	/* If extensible constraint, check if size is in root */
+	if(ct) {
+		int not_in_root = (list->count < ct->lower_bound
+				|| list->count > ct->upper_bound);
+		ASN_DEBUG("lb %ld ub %ld %s",
+			ct->lower_bound, ct->upper_bound,
+			ct->flags & APC_EXTENSIBLE ? "ext" : "fix");
+		if(ct->flags & APC_EXTENSIBLE) {
+			/* Declare whether size is in extension root */
+			if(per_put_few_bits(po, not_in_root, 1))
+				_ASN_ENCODE_FAILED;
+			if(not_in_root) ct = 0;
+		} else if(not_in_root && ct->effective_bits >= 0)
+			_ASN_ENCODE_FAILED;
+	}
+
+	if(ct && ct->effective_bits >= 0) {
+		/* X.691, #19.5: No length determinant */
+		if(per_put_few_bits(po, list->count - ct->lower_bound,
+				ct->effective_bits))
+			_ASN_ENCODE_FAILED;
+	}
+
+	for(seq = -1; seq < list->count;) {
+		ssize_t mayEncode;
+		if(seq < 0) seq = 0;
+		if(ct && ct->effective_bits >= 0) {
+			mayEncode = list->count;
+		} else {
+			mayEncode = uper_put_length(po, list->count - seq);
+			if(mayEncode < 0) _ASN_ENCODE_FAILED;
+		}
+
+		while(mayEncode--) {
+			void *memb_ptr = list->array[seq++];
+			if(!memb_ptr) _ASN_ENCODE_FAILED;
+			er = elm->type->uper_encoder(elm->type,
+				elm->per_constraints, memb_ptr, po);
+			if(er.encoded == -1)
+				_ASN_ENCODE_FAILED;
+		}
+	}
+
+	_ASN_ENCODED_OK(er);
+}
+
--- a/asn1/asn1c/constr_SEQUENCE_OF.h
+++ b/asn1/asn1c/constr_SEQUENCE_OF.h
@@ -0,0 +1,33 @@
+/*-
+ * Copyright (c) 2003, 2005 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_SEQUENCE_OF_H_
+#define	_CONSTR_SEQUENCE_OF_H_
+
+#include <asn_application.h>
+#include <constr_SET_OF.h>		/* Implemented using SET OF */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * A set specialized functions dealing with the SEQUENCE OF type.
+ * Generally implemented using SET OF.
+ */
+#define	SEQUENCE_OF_free	SET_OF_free
+#define	SEQUENCE_OF_print	SET_OF_print
+#define	SEQUENCE_OF_constraint	SET_OF_constraint
+#define	SEQUENCE_OF_decode_ber	SET_OF_decode_ber
+#define	SEQUENCE_OF_decode_xer	SET_OF_decode_xer
+#define	SEQUENCE_OF_decode_uper	SET_OF_decode_uper
+der_type_encoder_f SEQUENCE_OF_encode_der;
+xer_type_encoder_f SEQUENCE_OF_encode_xer;
+per_type_encoder_f SEQUENCE_OF_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_SET_OF_H_ */
--- a/asn1/asn1c/constr_SET_OF.c
+++ b/asn1/asn1c/constr_SET_OF.c
@@ -0,0 +1,953 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <constr_SET_OF.h>
+#include <asn_SET_OF.h>
+
+/*
+ * Number of bytes left for this structure.
+ * (ctx->left) indicates the number of bytes _transferred_ for the structure.
+ * (size) contains the number of bytes in the buffer passed.
+ */
+#define	LEFT	((size<(size_t)ctx->left)?size:(size_t)ctx->left)
+
+/*
+ * If the subprocessor function returns with an indication that it wants
+ * more data, it may well be a fatal decoding problem, because the
+ * size is constrained by the <TLV>'s L, even if the buffer size allows
+ * reading more data.
+ * For example, consider the buffer containing the following TLVs:
+ * <T:5><L:1><V> <T:6>...
+ * The TLV length clearly indicates that one byte is expected in V, but
+ * if the V processor returns with "want more data" even if the buffer
+ * contains way more data than the V processor have seen.
+ */
+#define	SIZE_VIOLATION	(ctx->left >= 0 && (size_t)ctx->left <= size)
+
+/*
+ * This macro "eats" the part of the buffer which is definitely "consumed",
+ * i.e. was correctly converted into local representation or rightfully skipped.
+ */
+#undef	ADVANCE
+#define	ADVANCE(num_bytes)	do {		\
+		size_t num = num_bytes;		\
+		ptr = ((const char *)ptr) + num;\
+		size -= num;			\
+		if(ctx->left >= 0)		\
+			ctx->left -= num;	\
+		consumed_myself += num;		\
+	} while(0)
+
+/*
+ * Switch to the next phase of parsing.
+ */
+#undef	NEXT_PHASE
+#undef	PHASE_OUT
+#define	NEXT_PHASE(ctx)	do {			\
+		ctx->phase++;			\
+		ctx->step = 0;			\
+	} while(0)
+#define	PHASE_OUT(ctx)	do { ctx->phase = 10; } while(0)
+
+/*
+ * Return a standardized complex structure.
+ */
+#undef	RETURN
+#define	RETURN(_code)	do {			\
+		rval.code = _code;		\
+		rval.consumed = consumed_myself;\
+		return rval;			\
+	} while(0)
+
+/*
+ * The decoder of the SET OF type.
+ */
+asn_dec_rval_t
+SET_OF_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+	void **struct_ptr, const void *ptr, size_t size, int tag_mode) {
+	/*
+	 * Bring closer parts of structure description.
+	 */
+	asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;	/* Single one */
+
+	/*
+	 * Parts of the structure being constructed.
+	 */
+	void *st = *struct_ptr;	/* Target structure. */
+	asn_struct_ctx_t *ctx;	/* Decoder context */
+
+	ber_tlv_tag_t tlv_tag;	/* T from TLV */
+	asn_dec_rval_t rval;	/* Return code from subparsers */
+
+	ssize_t consumed_myself = 0;	/* Consumed bytes from ptr */
+
+	ASN_DEBUG("Decoding %s as SET OF", td->name);
+	
+	/*
+	 * Create the target structure if it is not present already.
+	 */
+	if(st == 0) {
+		st = *struct_ptr = CALLOC(1, specs->struct_size);
+		if(st == 0) {
+			RETURN(RC_FAIL);
+		}
+	}
+
+	/*
+	 * Restore parsing context.
+	 */
+	ctx = (asn_struct_ctx_t *)((char *)st + specs->ctx_offset);
+	
+	/*
+	 * Start to parse where left previously
+	 */
+	switch(ctx->phase) {
+	case 0:
+		/*
+		 * PHASE 0.
+		 * Check that the set of tags associated with given structure
+		 * perfectly fits our expectations.
+		 */
+
+		rval = ber_check_tags(opt_codec_ctx, td, ctx, ptr, size,
+			tag_mode, 1, &ctx->left, 0);
+		if(rval.code != RC_OK) {
+			ASN_DEBUG("%s tagging check failed: %d",
+				td->name, rval.code);
+			return rval;
+		}
+
+		if(ctx->left >= 0)
+			ctx->left += rval.consumed; /* ?Substracted below! */
+		ADVANCE(rval.consumed);
+
+		ASN_DEBUG("Structure consumes %ld bytes, "
+			"buffer %ld", (long)ctx->left, (long)size);
+
+		NEXT_PHASE(ctx);
+		/* Fall through */
+	case 1:
+		/*
+		 * PHASE 1.
+		 * From the place where we've left it previously,
+		 * try to decode the next item.
+		 */
+	  for(;; ctx->step = 0) {
+		ssize_t tag_len;	/* Length of TLV's T */
+
+		if(ctx->step & 1)
+			goto microphase2;
+
+		/*
+		 * MICROPHASE 1: Synchronize decoding.
+		 */
+
+		if(ctx->left == 0) {
+			ASN_DEBUG("End of SET OF %s", td->name);
+			/*
+			 * No more things to decode.
+			 * Exit out of here.
+			 */
+			PHASE_OUT(ctx);
+			RETURN(RC_OK);
+		}
+
+		/*
+		 * Fetch the T from TLV.
+		 */
+		tag_len = ber_fetch_tag(ptr, LEFT, &tlv_tag);
+		switch(tag_len) {
+		case 0: if(!SIZE_VIOLATION) RETURN(RC_WMORE);
+			/* Fall through */
+		case -1: RETURN(RC_FAIL);
+		}
+
+		if(ctx->left < 0 && ((const uint8_t *)ptr)[0] == 0) {
+			if(LEFT < 2) {
+				if(SIZE_VIOLATION)
+					RETURN(RC_FAIL);
+				else
+					RETURN(RC_WMORE);
+			} else if(((const uint8_t *)ptr)[1] == 0) {
+				/*
+				 * Found the terminator of the
+				 * indefinite length structure.
+				 */
+				break;
+			}
+		}
+
+		/* Outmost tag may be unknown and cannot be fetched/compared */
+		if(elm->tag != (ber_tlv_tag_t)-1) {
+		    if(BER_TAGS_EQUAL(tlv_tag, elm->tag)) {
+			/*
+			 * The new list member of expected type has arrived.
+			 */
+		    } else {
+			ASN_DEBUG("Unexpected tag %s fixed SET OF %s",
+				ber_tlv_tag_string(tlv_tag), td->name);
+			ASN_DEBUG("%s SET OF has tag %s",
+				td->name, ber_tlv_tag_string(elm->tag));
+			RETURN(RC_FAIL);
+		    }
+		}
+
+		/*
+		 * MICROPHASE 2: Invoke the member-specific decoder.
+		 */
+		ctx->step |= 1;		/* Confirm entering next microphase */
+	microphase2:
+		
+		/*
+		 * Invoke the member fetch routine according to member's type
+		 */
+		rval = elm->type->ber_decoder(opt_codec_ctx,
+				elm->type, &ctx->ptr, ptr, LEFT, 0);
+		ASN_DEBUG("In %s SET OF %s code %d consumed %d",
+			td->name, elm->type->name,
+			rval.code, (int)rval.consumed);
+		switch(rval.code) {
+		case RC_OK:
+			{
+				asn_anonymous_set_ *list = _A_SET_FROM_VOID(st);
+				if(ASN_SET_ADD(list, ctx->ptr) != 0)
+					RETURN(RC_FAIL);
+				else
+					ctx->ptr = 0;
+			}
+			break;
+		case RC_WMORE: /* More data expected */
+			if(!SIZE_VIOLATION) {
+				ADVANCE(rval.consumed);
+				RETURN(RC_WMORE);
+			}
+			/* Fall through */
+		case RC_FAIL: /* Fatal error */
+			ASN_STRUCT_FREE(*elm->type, ctx->ptr);
+			ctx->ptr = 0;
+			RETURN(RC_FAIL);
+		} /* switch(rval) */
+		
+		ADVANCE(rval.consumed);
+	  }	/* for(all list members) */
+
+		NEXT_PHASE(ctx);
+	case 2:
+		/*
+		 * Read in all "end of content" TLVs.
+		 */
+		while(ctx->left < 0) {
+			if(LEFT < 2) {
+				if(LEFT > 0 && ((const char *)ptr)[0] != 0) {
+					/* Unexpected tag */
+					RETURN(RC_FAIL);
+				} else {
+					RETURN(RC_WMORE);
+				}
+			}
+			if(((const char *)ptr)[0] == 0
+			&& ((const char *)ptr)[1] == 0) {
+				ADVANCE(2);
+				ctx->left++;
+			} else {
+				RETURN(RC_FAIL);
+			}
+		}
+
+		PHASE_OUT(ctx);
+	}
+	
+	RETURN(RC_OK);
+}
+
+/*
+ * Internally visible buffer holding a single encoded element.
+ */
+struct _el_buffer {
+	uint8_t *buf;
+	size_t length;
+	size_t size;
+};
+/* Append bytes to the above structure */
+static int _el_addbytes(const void *buffer, size_t size, void *el_buf_ptr) {
+	struct _el_buffer *el_buf = (struct _el_buffer *)el_buf_ptr;
+
+	if(el_buf->length + size > el_buf->size)
+		return -1;
+
+	memcpy(el_buf->buf + el_buf->length, buffer, size);
+
+	el_buf->length += size;
+	return 0;
+}
+static int _el_buf_cmp(const void *ap, const void *bp) {
+	const struct _el_buffer *a = (const struct _el_buffer *)ap;
+	const struct _el_buffer *b = (const struct _el_buffer *)bp;
+	int ret;
+	size_t common_len;
+
+	if(a->length < b->length)
+		common_len = a->length;
+	else
+		common_len = b->length;
+
+	ret = memcmp(a->buf, b->buf, common_len);
+	if(ret == 0) {
+		if(a->length < b->length)
+			ret = -1;
+		else if(a->length > b->length)
+			ret = 1;
+	}
+
+	return ret;
+}
+
+/*
+ * The DER encoder of the SET OF type.
+ */
+asn_enc_rval_t
+SET_OF_encode_der(asn_TYPE_descriptor_t *td, void *ptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	asn_TYPE_descriptor_t *elm_type = elm->type;
+	der_type_encoder_f *der_encoder = elm_type->der_encoder;
+	asn_anonymous_set_ *list = _A_SET_FROM_VOID(ptr);
+	size_t computed_size = 0;
+	ssize_t encoding_size = 0;
+	struct _el_buffer *encoded_els;
+	ssize_t eels_count = 0;
+	size_t max_encoded_len = 1;
+	asn_enc_rval_t erval;
+	int ret;
+	int edx;
+
+	ASN_DEBUG("Estimating size for SET OF %s", td->name);
+
+	/*
+	 * Gather the length of the underlying members sequence.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		if(!memb_ptr) continue;
+		erval = der_encoder(elm_type, memb_ptr, 0, elm->tag, 0, 0);
+		if(erval.encoded == -1)
+			return erval;
+		computed_size += erval.encoded;
+
+		/* Compute maximum encoding's size */
+		if(max_encoded_len < (size_t)erval.encoded)
+			max_encoded_len = erval.encoded;
+	}
+
+	/*
+	 * Encode the TLV for the sequence itself.
+	 */
+	encoding_size = der_write_tags(td, computed_size, tag_mode, 1, tag,
+		cb, app_key);
+	if(encoding_size == -1) {
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+		return erval;
+	}
+	computed_size += encoding_size;
+
+	if(!cb || list->count == 0) {
+		erval.encoded = computed_size;
+		_ASN_ENCODED_OK(erval);
+	}
+
+	/*
+	 * DER mandates dynamic sorting of the SET OF elements
+	 * according to their encodings. Build an array of the
+	 * encoded elements.
+	 */
+	encoded_els = (struct _el_buffer *)MALLOC(
+				list->count * sizeof(encoded_els[0]));
+	if(encoded_els == NULL) {
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+		return erval;
+	}
+
+	ASN_DEBUG("Encoding members of %s SET OF", td->name);
+
+	/*
+	 * Encode all members.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		struct _el_buffer *encoded_el = &encoded_els[eels_count];
+
+		if(!memb_ptr) continue;
+
+		/*
+		 * Prepare space for encoding.
+		 */
+		encoded_el->buf = (uint8_t *)MALLOC(max_encoded_len);
+		if(encoded_el->buf) {
+			encoded_el->length = 0;
+			encoded_el->size = max_encoded_len;
+		} else {
+			for(edx--; edx >= 0; edx--)
+				FREEMEM(encoded_els[edx].buf);
+			FREEMEM(encoded_els);
+			erval.encoded = -1;
+			erval.failed_type = td;
+			erval.structure_ptr = ptr;
+			return erval;
+		}
+
+		/*
+		 * Encode the member into the prepared space.
+		 */
+		erval = der_encoder(elm_type, memb_ptr, 0, elm->tag,
+			_el_addbytes, encoded_el);
+		if(erval.encoded == -1) {
+			for(; edx >= 0; edx--)
+				FREEMEM(encoded_els[edx].buf);
+			FREEMEM(encoded_els);
+			return erval;
+		}
+		encoding_size += erval.encoded;
+		eels_count++;
+	}
+
+	/*
+	 * Sort the encoded elements according to their encoding.
+	 */
+	qsort(encoded_els, eels_count, sizeof(encoded_els[0]), _el_buf_cmp);
+
+	/*
+	 * Report encoded elements to the application.
+	 * Dispose of temporary sorted members table.
+	 */
+	ret = 0;
+	for(edx = 0; edx < eels_count; edx++) {
+		struct _el_buffer *encoded_el = &encoded_els[edx];
+		/* Report encoded chunks to the application */
+		if(ret == 0
+		&& cb(encoded_el->buf, encoded_el->length, app_key) < 0)
+			ret = -1;
+		FREEMEM(encoded_el->buf);
+	}
+	FREEMEM(encoded_els);
+
+	if(ret || computed_size != (size_t)encoding_size) {
+		/*
+		 * Standard callback failed, or
+		 * encoded size is not equal to the computed size.
+		 */
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+	} else {
+		erval.encoded = computed_size;
+	}
+
+	_ASN_ENCODED_OK(erval);
+}
+
+#undef	XER_ADVANCE
+#define	XER_ADVANCE(num_bytes)	do {			\
+		size_t num = num_bytes;			\
+		buf_ptr = ((const char *)buf_ptr) + num;\
+		size -= num;				\
+		consumed_myself += num;			\
+	} while(0)
+
+/*
+ * Decode the XER (XML) data.
+ */
+asn_dec_rval_t
+SET_OF_decode_xer(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+	void **struct_ptr, const char *opt_mname,
+		const void *buf_ptr, size_t size) {
+	/*
+	 * Bring closer parts of structure description.
+	 */
+	asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *element = td->elements;
+	const char *elm_tag;
+	const char *xml_tag = opt_mname ? opt_mname : td->xml_tag;
+
+	/*
+	 * ... and parts of the structure being constructed.
+	 */
+	void *st = *struct_ptr;	/* Target structure. */
+	asn_struct_ctx_t *ctx;	/* Decoder context */
+
+	asn_dec_rval_t rval;		/* Return value from a decoder */
+	ssize_t consumed_myself = 0;	/* Consumed bytes from ptr */
+
+	/*
+	 * Create the target structure if it is not present already.
+	 */
+	if(st == 0) {
+		st = *struct_ptr = CALLOC(1, specs->struct_size);
+		if(st == 0) RETURN(RC_FAIL);
+	}
+
+	/* Which tag is expected for the downstream */
+	if(specs->as_XMLValueList) {
+		elm_tag = (specs->as_XMLValueList == 1) ? 0 : "";
+	} else {
+		elm_tag = (*element->name)
+				? element->name : element->type->xml_tag;
+	}
+
+	/*
+	 * Restore parsing context.
+	 */
+	ctx = (asn_struct_ctx_t *)((char *)st + specs->ctx_offset);
+
+	/*
+	 * Phases of XER/XML processing:
+	 * Phase 0: Check that the opening tag matches our expectations.
+	 * Phase 1: Processing body and reacting on closing tag.
+	 * Phase 2: Processing inner type.
+	 */
+	for(; ctx->phase <= 2;) {
+		pxer_chunk_type_e ch_type;	/* XER chunk type */
+		ssize_t ch_size;		/* Chunk size */
+		xer_check_tag_e tcv;		/* Tag check value */
+
+		/*
+		 * Go inside the inner member of a set.
+		 */
+		if(ctx->phase == 2) {
+			asn_dec_rval_t tmprval;
+
+			/* Invoke the inner type decoder, m.b. multiple times */
+			ASN_DEBUG("XER/SET OF element [%s]", elm_tag);
+			tmprval = element->type->xer_decoder(opt_codec_ctx,
+					element->type, &ctx->ptr, elm_tag,
+					buf_ptr, size);
+			if(tmprval.code == RC_OK) {
+				asn_anonymous_set_ *list = _A_SET_FROM_VOID(st);
+				if(ASN_SET_ADD(list, ctx->ptr) != 0)
+					RETURN(RC_FAIL);
+				ctx->ptr = 0;
+				XER_ADVANCE(tmprval.consumed);
+			} else {
+				XER_ADVANCE(tmprval.consumed);
+				RETURN(tmprval.code);
+			}
+			ctx->phase = 1;	/* Back to body processing */
+			ASN_DEBUG("XER/SET OF phase => %d", ctx->phase);
+			/* Fall through */
+		}
+
+		/*
+		 * Get the next part of the XML stream.
+		 */
+		ch_size = xer_next_token(&ctx->context,
+			buf_ptr, size, &ch_type);
+		switch(ch_size) {
+		case -1: RETURN(RC_FAIL);
+		case 0:  RETURN(RC_WMORE);
+		default:
+			switch(ch_type) {
+			case PXER_COMMENT:	/* Got XML comment */
+			case PXER_TEXT:		/* Ignore free-standing text */
+				XER_ADVANCE(ch_size);	/* Skip silently */
+				continue;
+			case PXER_TAG:
+				break;	/* Check the rest down there */
+			}
+		}
+
+		tcv = xer_check_tag(buf_ptr, ch_size, xml_tag);
+		ASN_DEBUG("XER/SET OF: tcv = %d, ph=%d t=%s",
+			tcv, ctx->phase, xml_tag);
+		switch(tcv) {
+		case XCT_CLOSING:
+			if(ctx->phase == 0) break;
+			ctx->phase = 0;
+			/* Fall through */
+		case XCT_BOTH:
+			if(ctx->phase == 0) {
+				/* No more things to decode */
+				XER_ADVANCE(ch_size);
+				ctx->phase = 3;	/* Phase out */
+				RETURN(RC_OK);
+			}
+			/* Fall through */
+		case XCT_OPENING:
+			if(ctx->phase == 0) {
+				XER_ADVANCE(ch_size);
+				ctx->phase = 1;	/* Processing body phase */
+				continue;
+			}
+			/* Fall through */
+		case XCT_UNKNOWN_OP:
+		case XCT_UNKNOWN_BO:
+
+			ASN_DEBUG("XER/SET OF: tcv=%d, ph=%d", tcv, ctx->phase);
+			if(ctx->phase == 1) {
+				/*
+				 * Process a single possible member.
+				 */
+				ctx->phase = 2;
+				continue;
+			}
+			/* Fall through */
+		default:
+			break;
+		}
+
+		ASN_DEBUG("Unexpected XML tag in SET OF");
+		break;
+	}
+
+	ctx->phase = 3;	/* "Phase out" on hard failure */
+	RETURN(RC_FAIL);
+}
+
+
+
+typedef struct xer_tmp_enc_s {
+	void *buffer;
+	size_t offset;
+	size_t size;
+} xer_tmp_enc_t;
+static int
+SET_OF_encode_xer_callback(const void *buffer, size_t size, void *key) {
+	xer_tmp_enc_t *t = (xer_tmp_enc_t *)key;
+	if(t->offset + size >= t->size) {
+		size_t newsize = (t->size << 2) + size;
+		void *p = REALLOC(t->buffer, newsize);
+		if(!p) return -1;
+		t->buffer = p;
+		t->size = newsize;
+	}
+	memcpy((char *)t->buffer + t->offset, buffer, size);
+	t->offset += size;
+	return 0;
+}
+static int
+SET_OF_xer_order(const void *aptr, const void *bptr) {
+	const xer_tmp_enc_t *a = (const xer_tmp_enc_t *)aptr;
+	const xer_tmp_enc_t *b = (const xer_tmp_enc_t *)bptr;
+	size_t minlen = a->offset;
+	int ret;
+	if(b->offset < minlen) minlen = b->offset;
+	/* Well-formed UTF-8 has this nice lexicographical property... */
+	ret = memcmp(a->buffer, b->buffer, minlen);
+	if(ret != 0) return ret;
+	if(a->offset == b->offset)
+		return 0;
+	if(a->offset == minlen)
+		return -1;
+	return 1;
+}
+
+
+asn_enc_rval_t
+SET_OF_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er;
+	asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;
+	asn_anonymous_set_ *list = _A_SET_FROM_VOID(sptr);
+	const char *mname = specs->as_XMLValueList
+		? 0 : ((*elm->name) ? elm->name : elm->type->xml_tag);
+	size_t mlen = mname ? strlen(mname) : 0;
+	int xcan = (flags & XER_F_CANONICAL);
+	xer_tmp_enc_t *encs = 0;
+	size_t encs_count = 0;
+	void *original_app_key = app_key;
+	asn_app_consume_bytes_f *original_cb = cb;
+	int i;
+
+	if(!sptr) _ASN_ENCODE_FAILED;
+
+	if(xcan) {
+		encs = (xer_tmp_enc_t *)MALLOC(list->count * sizeof(encs[0]));
+		if(!encs) _ASN_ENCODE_FAILED;
+		cb = SET_OF_encode_xer_callback;
+	}
+
+	er.encoded = 0;
+
+	for(i = 0; i < list->count; i++) {
+		asn_enc_rval_t tmper;
+
+		void *memb_ptr = list->array[i];
+		if(!memb_ptr) continue;
+
+		if(encs) {
+			memset(&encs[encs_count], 0, sizeof(encs[0]));
+			app_key = &encs[encs_count];
+			encs_count++;
+		}
+
+		if(mname) {
+			if(!xcan) _i_ASN_TEXT_INDENT(1, ilevel);
+			_ASN_CALLBACK3("<", 1, mname, mlen, ">", 1);
+		}
+
+		if(!xcan && specs->as_XMLValueList == 1)
+			_i_ASN_TEXT_INDENT(1, ilevel + 1);
+		tmper = elm->type->xer_encoder(elm->type, memb_ptr,
+				ilevel + (specs->as_XMLValueList != 2),
+				flags, cb, app_key);
+		if(tmper.encoded == -1) {
+			td = tmper.failed_type;
+			sptr = tmper.structure_ptr;
+			goto cb_failed;
+		}
+		if(tmper.encoded == 0 && specs->as_XMLValueList) {
+			const char *name = elm->type->xml_tag;
+			size_t len = strlen(name);
+			_ASN_CALLBACK3("<", 1, name, len, "/>", 2);
+		}
+
+		if(mname) {
+			_ASN_CALLBACK3("</", 2, mname, mlen, ">", 1);
+			er.encoded += 5;
+		}
+
+		er.encoded += (2 * mlen) + tmper.encoded;
+	}
+
+	if(!xcan) _i_ASN_TEXT_INDENT(1, ilevel - 1);
+
+	if(encs) {
+		xer_tmp_enc_t *enc = encs;
+		xer_tmp_enc_t *end = encs + encs_count;
+		ssize_t control_size = 0;
+
+		cb = original_cb;
+		app_key = original_app_key;
+		qsort(encs, encs_count, sizeof(encs[0]), SET_OF_xer_order);
+
+		for(; enc < end; enc++) {
+			_ASN_CALLBACK(enc->buffer, enc->offset);
+			FREEMEM(enc->buffer);
+			enc->buffer = 0;
+			control_size += enc->offset;
+		}
+		assert(control_size == er.encoded);
+	}
+
+	goto cleanup;
+cb_failed:
+	er.encoded = -1;
+	er.failed_type = td;
+	er.structure_ptr = sptr;
+cleanup:
+	if(encs) {
+		while(encs_count-- > 0) {
+			if(encs[encs_count].buffer)
+				FREEMEM(encs[encs_count].buffer);
+		}
+		FREEMEM(encs);
+	}
+	_ASN_ENCODED_OK(er);
+}
+
+int
+SET_OF_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	const asn_anonymous_set_ *list = _A_CSET_FROM_VOID(sptr);
+	int ret;
+	int i;
+
+	if(!sptr) return (cb("<absent>", 8, app_key) < 0) ? -1 : 0;
+
+	/* Dump preamble */
+	if(cb(td->name, strlen(td->name), app_key) < 0
+	|| cb(" ::= {", 6, app_key) < 0)
+		return -1;
+
+	for(i = 0; i < list->count; i++) {
+		const void *memb_ptr = list->array[i];
+		if(!memb_ptr) continue;
+
+		_i_INDENT(1);
+
+		ret = elm->type->print_struct(elm->type, memb_ptr,
+			ilevel + 1, cb, app_key);
+		if(ret) return ret;
+	}
+
+	ilevel--;
+	_i_INDENT(1);
+
+	return (cb("}", 1, app_key) < 0) ? -1 : 0;
+}
+
+void
+SET_OF_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) {
+	if(td && ptr) {
+		asn_SET_OF_specifics_t *specs;
+		asn_TYPE_member_t *elm = td->elements;
+		asn_anonymous_set_ *list = _A_SET_FROM_VOID(ptr);
+		asn_struct_ctx_t *ctx;	/* Decoder context */
+		int i;
+
+		/*
+		 * Could not use set_of_empty() because of (*free)
+		 * incompatibility.
+		 */
+		for(i = 0; i < list->count; i++) {
+			void *memb_ptr = list->array[i];
+			if(memb_ptr)
+			ASN_STRUCT_FREE(*elm->type, memb_ptr);
+		}
+		list->count = 0;	/* No meaningful elements left */
+
+		asn_set_empty(list);	/* Remove (list->array) */
+
+		specs = (asn_SET_OF_specifics_t *)td->specifics;
+		ctx = (asn_struct_ctx_t *)((char *)ptr + specs->ctx_offset);
+		if(ctx->ptr) {
+			ASN_STRUCT_FREE(*elm->type, ctx->ptr);
+			ctx->ptr = 0;
+		}
+
+		if(!contents_only) {
+			FREEMEM(ptr);
+		}
+	}
+}
+
+int
+SET_OF_constraint(asn_TYPE_descriptor_t *td, const void *sptr,
+		asn_app_constraint_failed_f *ctfailcb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	asn_constr_check_f *constr;
+	const asn_anonymous_set_ *list = _A_CSET_FROM_VOID(sptr);
+	int i;
+
+	if(!sptr) {
+		_ASN_CTFAIL(app_key, td, sptr,
+			"%s: value not given (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+
+	constr = elm->memb_constraints;
+	if(!constr) constr = elm->type->check_constraints;
+
+	/*
+	 * Iterate over the members of an array.
+	 * Validate each in turn, until one fails.
+	 */
+	for(i = 0; i < list->count; i++) {
+		const void *memb_ptr = list->array[i];
+		int ret;
+
+		if(!memb_ptr) continue;
+
+		ret = constr(elm->type, memb_ptr, ctfailcb, app_key);
+		if(ret) return ret;
+	}
+
+	/*
+	 * Cannot inherit it eralier:
+	 * need to make sure we get the updated version.
+	 */
+	if(!elm->memb_constraints)
+		elm->memb_constraints = elm->type->check_constraints;
+
+	return 0;
+}
+
+asn_dec_rval_t
+SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+        asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	asn_dec_rval_t rv;
+        asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;	/* Single one */
+	void *st = *sptr;
+	asn_anonymous_set_ *list;
+	asn_per_constraint_t *ct;
+	int repeat = 0;
+	ssize_t nelems;
+
+	if(_ASN_STACK_OVERFLOW_CHECK(opt_codec_ctx))
+		_ASN_DECODE_FAILED;
+
+	/*
+	 * Create the target structure if it is not present already.
+	 */
+	if(!st) {
+		st = *sptr = CALLOC(1, specs->struct_size);
+		if(!st) _ASN_DECODE_FAILED;
+	}                                                                       
+	list = _A_SET_FROM_VOID(st);
+
+	/* Figure out which constraints to use */
+	if(constraints) ct = &constraints->size;
+	else if(td->per_constraints) ct = &td->per_constraints->size;
+	else ct = 0;
+
+	if(ct && ct->flags & APC_EXTENSIBLE) {
+		int value = per_get_few_bits(pd, 1);
+		if(value < 0) _ASN_DECODE_STARVED;
+		if(value) ct = 0;	/* Not restricted! */
+	}
+
+	if(ct && ct->effective_bits >= 0) {
+		/* X.691, #19.5: No length determinant */
+		nelems = per_get_few_bits(pd, ct->effective_bits);
+		ASN_DEBUG("Preparing to fetch %ld+%ld elements from %s",
+			(long)nelems, ct->lower_bound, td->name);
+		if(nelems < 0)  _ASN_DECODE_STARVED;
+		nelems += ct->lower_bound;
+	} else {
+		nelems = -1;
+	}
+
+	do {
+		int i;
+		if(nelems < 0) {
+			nelems = uper_get_length(pd,
+				ct ? ct->effective_bits : -1, &repeat);
+			ASN_DEBUG("Got to decode %d elements (eff %d)",
+				(int)nelems, (int)(ct ? ct->effective_bits : -1));
+			if(nelems < 0) _ASN_DECODE_STARVED;
+		}
+
+		for(i = 0; i < nelems; i++) {
+			void *ptr = 0;
+			ASN_DEBUG("SET OF %s decoding", elm->type->name);
+			rv = elm->type->uper_decoder(opt_codec_ctx, elm->type,
+				elm->per_constraints, &ptr, pd);
+			ASN_DEBUG("%s SET OF %s decoded %d, %p",
+				td->name, elm->type->name, rv.code, ptr);
+			if(rv.code == RC_OK) {
+				if(ASN_SET_ADD(list, ptr) == 0)
+					continue;
+				ASN_DEBUG("Failed to add element into %s",
+					td->name);
+				/* Fall through */
+				rv.code = RC_FAIL;
+			} else {
+				ASN_DEBUG("Failed decoding %s of %s (SET OF)",
+					elm->type->name, td->name);
+			}
+			if(ptr) ASN_STRUCT_FREE(*elm->type, ptr);
+			return rv;
+		}
+
+		nelems = -1;	/* Allow uper_get_length() */
+	} while(repeat);
+
+	ASN_DEBUG("Decoded %s as SET OF", td->name);
+
+	rv.code = RC_OK;
+	rv.consumed = 0;
+	return rv;
+}
+
--- a/asn1/asn1c/constr_SET_OF.h
+++ b/asn1/asn1c/constr_SET_OF.h
@@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_SET_OF_H_
+#define	_CONSTR_SET_OF_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct asn_SET_OF_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the target structure. */
+	int ctx_offset;		/* Offset of the asn_struct_ctx_t member */
+
+	/* XER-specific stuff */
+	int as_XMLValueList;	/* The member type must be encoded like this */
+} asn_SET_OF_specifics_t;
+
+/*
+ * A set specialized functions dealing with the SET OF type.
+ */
+asn_struct_free_f SET_OF_free;
+asn_struct_print_f SET_OF_print;
+asn_constr_check_f SET_OF_constraint;
+ber_type_decoder_f SET_OF_decode_ber;
+der_type_encoder_f SET_OF_encode_der;
+xer_type_decoder_f SET_OF_decode_xer;
+xer_type_encoder_f SET_OF_encode_xer;
+per_type_decoder_f SET_OF_decode_uper;
+per_type_encoder_f SET_OF_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_SET_OF_H_ */
--- a/asn1/asn1c/constr_TYPE.c
+++ b/asn1/asn1c/constr_TYPE.c
@@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <constr_TYPE.h>
+#include <errno.h>
+
+/*
+ * Version of the ASN.1 infrastructure shipped with compiler.
+ */
+int get_asn1c_environment_version() { return ASN1C_ENVIRONMENT_VERSION; }
+
+static asn_app_consume_bytes_f _print2fp;
+
+/*
+ * Return the outmost tag of the type.
+ */
+ber_tlv_tag_t
+asn_TYPE_outmost_tag(asn_TYPE_descriptor_t *type_descriptor,
+		const void *struct_ptr, int tag_mode, ber_tlv_tag_t tag) {
+
+	if(tag_mode)
+		return tag;
+
+	if(type_descriptor->tags_count)
+		return type_descriptor->tags[0];
+
+	return type_descriptor->outmost_tag(type_descriptor, struct_ptr, 0, 0);
+}
+
+/*
+ * Print the target language's structure in human readable form.
+ */
+int
+asn_fprint(FILE *stream, asn_TYPE_descriptor_t *td, const void *struct_ptr) {
+	if(!stream) stream = stdout;
+	if(!td || !struct_ptr) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	/* Invoke type-specific printer */
+	if(td->print_struct(td, struct_ptr, 1, _print2fp, stream))
+		return -1;
+
+	/* Terminate the output */
+	if(_print2fp("\n", 1, stream))
+		return -1;
+
+	return fflush(stream);
+}
+
+/* Dump the data into the specified stdio stream */
+static int
+_print2fp(const void *buffer, size_t size, void *app_key) {
+	FILE *stream = (FILE *)app_key;
+
+	if(fwrite(buffer, 1, size, stream) != size)
+		return -1;
+
+	return 0;
+}
+
+
+/*
+ * Some compilers do not support variable args macros.
+ * This function is a replacement of ASN_DEBUG() macro.
+ */
+void ASN_DEBUG_f(const char *fmt, ...);
+void ASN_DEBUG_f(const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	va_end(ap);
+}
--- a/asn1/asn1c/constr_TYPE.h
+++ b/asn1/asn1c/constr_TYPE.h
@@ -0,0 +1,180 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * This file contains the declaration structure called "ASN.1 Type Definition",
+ * which holds all information necessary for encoding and decoding routines.
+ * This structure even contains pointer to these encoding and decoding routines
+ * for each defined ASN.1 type.
+ */
+#ifndef	_CONSTR_TYPE_H_
+#define	_CONSTR_TYPE_H_
+
+#include <ber_tlv_length.h>
+#include <ber_tlv_tag.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+struct asn_TYPE_member_s;	/* Forward declaration */
+
+/*
+ * This type provides the context information for various ASN.1 routines,
+ * primarily ones doing decoding. A member _asn_ctx of this type must be
+ * included into certain target language's structures, such as compound types.
+ */
+typedef struct asn_struct_ctx_s {
+	short phase;		/* Decoding phase */
+	short step;		/* Elementary step of a phase */
+	int context;		/* Other context information */
+	void *ptr;		/* Decoder-specific stuff (stack elements) */
+	ber_tlv_len_t left;	/* Number of bytes left, -1 for indefinite */
+} asn_struct_ctx_t;
+
+#include <ber_decoder.h>	/* Basic Encoding Rules decoder */
+#include <der_encoder.h>	/* Distinguished Encoding Rules encoder */
+#include <xer_decoder.h>	/* Decoder of XER (XML, text) */
+#include <xer_encoder.h>	/* Encoder into XER (XML, text) */
+#include <per_decoder.h>	/* Packet Encoding Rules decoder */
+#include <per_encoder.h>	/* Packet Encoding Rules encoder */
+#include <constraints.h>	/* Subtype constraints support */
+
+/*
+ * Free the structure according to its specification.
+ * If (free_contents_only) is set, the wrapper structure itself (struct_ptr)
+ * will not be freed. (It may be useful in case the structure is allocated
+ * statically or arranged on the stack, yet its elements are allocated
+ * dynamically.)
+ */
+typedef void (asn_struct_free_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr, int free_contents_only);
+#define	ASN_STRUCT_FREE(asn_DEF, ptr)	(asn_DEF).free_struct(&(asn_DEF),ptr,0)
+#define	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF, ptr)	\
+					(asn_DEF).free_struct(&(asn_DEF),ptr,1)
+
+/*
+ * Print the structure according to its specification.
+ */
+typedef int (asn_struct_print_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		const void *struct_ptr,
+		int level,	/* Indentation level */
+		asn_app_consume_bytes_f *callback, void *app_key);
+
+/*
+ * Return the outmost tag of the type.
+ * If the type is untagged CHOICE, the dynamic operation is performed.
+ * NOTE: This function pointer type is only useful internally.
+ * Do not use it in your application.
+ */
+typedef ber_tlv_tag_t (asn_outmost_tag_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		const void *struct_ptr, int tag_mode, ber_tlv_tag_t tag);
+/* The instance of the above function type; used internally. */
+asn_outmost_tag_f asn_TYPE_outmost_tag;
+
+
+/*
+ * The definitive description of the destination language's structure.
+ */
+typedef struct asn_TYPE_descriptor_s {
+	char *name;	/* A name of the ASN.1 type. "" in some cases. */
+	char *xml_tag;	/* Name used in XML tag */
+
+	/*
+	 * Generalized functions for dealing with the specific type.
+	 * May be directly invoked by applications.
+	 */
+	asn_struct_free_f  *free_struct;	/* Free the structure */
+	asn_struct_print_f *print_struct;	/* Human readable output */
+	asn_constr_check_f *check_constraints;	/* Constraints validator */
+	ber_type_decoder_f *ber_decoder;	/* Generic BER decoder */
+	der_type_encoder_f *der_encoder;	/* Canonical DER encoder */
+	xer_type_decoder_f *xer_decoder;	/* Generic XER decoder */
+	xer_type_encoder_f *xer_encoder;	/* [Canonical] XER encoder */
+	per_type_decoder_f *uper_decoder;	/* Unaligned PER decoder */
+	per_type_encoder_f *uper_encoder;	/* Unaligned PER encoder */
+
+	/***********************************************************************
+	 * Internally useful members. Not to be used by applications directly. *
+	 **********************************************************************/
+
+	/*
+	 * Tags that are expected to occur.
+	 */
+	asn_outmost_tag_f  *outmost_tag;	/* <optional, internal> */
+	ber_tlv_tag_t *tags;	/* Effective tags sequence for this type */
+	int tags_count;		/* Number of tags which are expected */
+	ber_tlv_tag_t *all_tags;/* Every tag for BER/containment */
+	int all_tags_count;	/* Number of tags */
+
+	asn_per_constraints_t *per_constraints;	/* PER compiled constraints */
+
+	/*
+	 * An ASN.1 production type members (members of SEQUENCE, SET, CHOICE).
+	 */
+	struct asn_TYPE_member_s *elements;
+	int elements_count;
+
+	/*
+	 * Additional information describing the type, used by appropriate
+	 * functions above.
+	 */
+	void *specifics;
+} asn_TYPE_descriptor_t;
+
+/*
+ * This type describes an element of the constructed type,
+ * i.e. SEQUENCE, SET, CHOICE, etc.
+ */
+  enum asn_TYPE_flags_e {
+	ATF_NOFLAGS,
+	ATF_POINTER	= 0x01,	/* Represented by the pointer */
+	ATF_OPEN_TYPE	= 0x02	/* ANY type, without meaningful tag */
+  };
+typedef struct asn_TYPE_member_s {
+	enum asn_TYPE_flags_e flags;	/* Element's presentation flags */
+	int optional;	/* Following optional members, including current */
+	int memb_offset;		/* Offset of the element */
+	ber_tlv_tag_t tag;		/* Outmost (most immediate) tag */
+	int tag_mode;		/* IMPLICIT/no/EXPLICIT tag at current level */
+	asn_TYPE_descriptor_t *type;	/* Member type descriptor */
+	asn_constr_check_f *memb_constraints;	/* Constraints validator */
+	asn_per_constraints_t *per_constraints;	/* PER compiled constraints */
+	int (*default_value)(int setval, void **sptr);	/* DEFAULT <value> */
+	char *name;			/* ASN.1 identifier of the element */
+} asn_TYPE_member_t;
+
+/*
+ * BER tag to element number mapping.
+ */
+typedef struct asn_TYPE_tag2member_s {
+	ber_tlv_tag_t el_tag;	/* Outmost tag of the member */
+	int el_no;		/* Index of the associated member, base 0 */
+	int toff_first;		/* First occurence of the el_tag, relative */
+	int toff_last;		/* Last occurence of the el_tag, relatvie */
+} asn_TYPE_tag2member_t;
+
+/*
+ * This function is a wrapper around (td)->print_struct, which prints out
+ * the contents of the target language's structure (struct_ptr) into the
+ * file pointer (stream) in human readable form.
+ * RETURN VALUES:
+ * 	 0: The structure is printed.
+ * 	-1: Problem dumping the structure.
+ * (See also xer_fprint() in xer_encoder.h)
+ */
+int asn_fprint(FILE *stream,		/* Destination stream descriptor */
+	asn_TYPE_descriptor_t *td,	/* ASN.1 type descriptor */
+	const void *struct_ptr);	/* Structure to be printed */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_TYPE_H_ */
--- a/asn1/asn1c/constraints.c
+++ b/asn1/asn1c/constraints.c
@@ -0,0 +1,93 @@
+#include "asn_internal.h"
+#include "constraints.h"
+
+int
+asn_generic_no_constraint(asn_TYPE_descriptor_t *type_descriptor,
+	const void *struct_ptr, asn_app_constraint_failed_f *cb, void *key) {
+
+	(void)type_descriptor;	/* Unused argument */
+	(void)struct_ptr;	/* Unused argument */
+	(void)cb;	/* Unused argument */
+	(void)key;	/* Unused argument */
+
+	/* Nothing to check */
+	return 0;
+}
+
+int
+asn_generic_unknown_constraint(asn_TYPE_descriptor_t *type_descriptor,
+	const void *struct_ptr, asn_app_constraint_failed_f *cb, void *key) {
+
+	(void)type_descriptor;	/* Unused argument */
+	(void)struct_ptr;	/* Unused argument */
+	(void)cb;	/* Unused argument */
+	(void)key;	/* Unused argument */
+
+	/* Unknown how to check */
+	return 0;
+}
+
+struct errbufDesc {
+	asn_TYPE_descriptor_t *failed_type;
+	const void *failed_struct_ptr;
+	char *errbuf;
+	size_t errlen;
+};
+
+static void
+_asn_i_ctfailcb(void *key, asn_TYPE_descriptor_t *td, const void *sptr, const char *fmt, ...) {
+	struct errbufDesc *arg = key;
+	va_list ap;
+	ssize_t vlen;
+	ssize_t maxlen;
+
+	arg->failed_type = td;
+	arg->failed_struct_ptr = sptr;
+
+	maxlen = arg->errlen;
+	if(maxlen <= 0)
+		return;
+
+	va_start(ap, fmt);
+	vlen = vsnprintf(arg->errbuf, maxlen, fmt, ap);
+	va_end(ap);
+	if(vlen >= maxlen) {
+		arg->errbuf[maxlen-1] = '\0';	/* Ensuring libc correctness */
+		arg->errlen = maxlen - 1;	/* Not counting termination */
+		return;
+	} else if(vlen >= 0) {
+		arg->errbuf[vlen] = '\0';	/* Ensuring libc correctness */
+		arg->errlen = vlen;		/* Not counting termination */
+	} else {
+		/*
+		 * The libc on this system is broken.
+		 */
+		vlen = sizeof("<broken vsnprintf>") - 1;
+		maxlen--;
+		arg->errlen = vlen < maxlen ? vlen : maxlen;
+		memcpy(arg->errbuf, "<broken vsnprintf>", arg->errlen);
+		arg->errbuf[arg->errlen] = 0;
+	}
+
+	return;
+}
+
+int
+asn_check_constraints(asn_TYPE_descriptor_t *type_descriptor,
+		const void *struct_ptr, char *errbuf, size_t *errlen) {
+	struct errbufDesc arg;
+	int ret;
+
+	arg.failed_type = 0;
+	arg.failed_struct_ptr = 0;
+	arg.errbuf = errbuf;
+	arg.errlen = errlen ? *errlen : 0;
+
+	ret = type_descriptor->check_constraints(type_descriptor,
+		struct_ptr, _asn_i_ctfailcb, &arg);
+	if(ret == -1 && errlen)
+		*errlen = arg.errlen;
+
+	return ret;
+}
+
--- a/asn1/asn1c/constraints.h
+++ b/asn1/asn1c/constraints.h
@@ -0,0 +1,63 @@
+/*-
+ * Copyright (c) 2004, 2006 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_ASN1_CONSTRAINTS_VALIDATOR_H_
+#define	_ASN1_CONSTRAINTS_VALIDATOR_H_
+
+#include <asn_system.h>		/* Platform-dependent types */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;		/* Forward declaration */
+
+/*
+ * Validate the structure according to the ASN.1 constraints.
+ * If errbuf and errlen are given, they shall be pointing to the appropriate
+ * buffer space and its length before calling this function. Alternatively,
+ * they could be passed as NULL's. If constraints validation fails,
+ * errlen will contain the actual number of bytes taken from the errbuf
+ * to encode an error message (properly 0-terminated).
+ * 
+ * RETURN VALUES:
+ * This function returns 0 in case all ASN.1 constraints are met
+ * and -1 if one or more constraints were failed.
+ */
+int
+asn_check_constraints(struct asn_TYPE_descriptor_s *type_descriptor,
+	const void *struct_ptr,	/* Target language's structure */
+	char *errbuf,		/* Returned error description */
+	size_t *errlen		/* Length of the error description */
+	);
+
+
+/*
+ * Generic type for constraint checking callback,
+ * associated with every type descriptor.
+ */
+typedef int (asn_constr_check_f)(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	const void *struct_ptr,
+	asn_app_constraint_failed_f *optional_callback,	/* Log the error */
+	void *optional_app_key		/* Opaque key passed to a callback */
+	);
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+asn_constr_check_f asn_generic_no_constraint;	/* No constraint whatsoever */
+asn_constr_check_f asn_generic_unknown_constraint; /* Not fully supported */
+
+/*
+ * Invoke the callback with a complete error message.
+ */
+#define	_ASN_CTFAIL	if(ctfailcb) ctfailcb
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _ASN1_CONSTRAINTS_VALIDATOR_H_ */
--- a/asn1/asn1c/der_encoder.c
+++ b/asn1/asn1c/der_encoder.c
@@ -0,0 +1,199 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <errno.h>
+
+static ssize_t der_write_TL(ber_tlv_tag_t tag, ber_tlv_len_t len,
+	asn_app_consume_bytes_f *cb, void *app_key, int constructed);
+
+/*
+ * The DER encoder of any type.
+ */
+asn_enc_rval_t
+der_encode(asn_TYPE_descriptor_t *type_descriptor, void *struct_ptr,
+	asn_app_consume_bytes_f *consume_bytes, void *app_key) {
+
+	ASN_DEBUG("DER encoder invoked for %s",
+		type_descriptor->name);
+
+	/*
+	 * Invoke type-specific encoder.
+	 */
+	return type_descriptor->der_encoder(type_descriptor,
+		struct_ptr,	/* Pointer to the destination structure */
+		0, 0,
+		consume_bytes, app_key);
+}
+
+/*
+ * Argument type and callback necessary for der_encode_to_buffer().
+ */
+typedef struct enc_to_buf_arg {
+	void *buffer;
+	size_t left;
+} enc_to_buf_arg;
+static int encode_to_buffer_cb(const void *buffer, size_t size, void *key) {
+	enc_to_buf_arg *arg = (enc_to_buf_arg *)key;
+
+	if(arg->left < size)
+		return -1;	/* Data exceeds the available buffer size */
+
+	memcpy(arg->buffer, buffer, size);
+	arg->buffer = ((char *)arg->buffer) + size;
+	arg->left -= size;
+
+	return 0;
+}
+
+/*
+ * A variant of the der_encode() which encodes the data into the provided buffer
+ */
+asn_enc_rval_t
+der_encode_to_buffer(asn_TYPE_descriptor_t *type_descriptor, void *struct_ptr,
+	void *buffer, size_t buffer_size) {
+	enc_to_buf_arg arg;
+	asn_enc_rval_t ec;
+
+	arg.buffer = buffer;
+	arg.left = buffer_size;
+
+	ec = type_descriptor->der_encoder(type_descriptor,
+		struct_ptr,	/* Pointer to the destination structure */
+		0, 0, encode_to_buffer_cb, &arg);
+	if(ec.encoded != -1) {
+		assert(ec.encoded == (ssize_t)(buffer_size - arg.left));
+		/* Return the encoded contents size */
+	}
+	return ec;
+}
+
+
+/*
+ * Write out leading TL[v] sequence according to the type definition.
+ */
+ssize_t
+der_write_tags(asn_TYPE_descriptor_t *sd,
+		size_t struct_length,
+		int tag_mode, int last_tag_form,
+		ber_tlv_tag_t tag,	/* EXPLICIT or IMPLICIT tag */
+		asn_app_consume_bytes_f *cb,
+		void *app_key) {
+	ber_tlv_tag_t *tags;	/* Copy of tags stream */
+	int tags_count;		/* Number of tags */
+	size_t overall_length;
+	ssize_t *lens;
+	int i;
+
+	ASN_DEBUG("Writing tags (%s, tm=%d, tc=%d, tag=%s, mtc=%d)",
+		sd->name, tag_mode, sd->tags_count,
+		ber_tlv_tag_string(tag),
+		tag_mode
+			?(sd->tags_count+1
+				-((tag_mode == -1) && sd->tags_count))
+			:sd->tags_count
+	);
+
+	if(tag_mode) {
+		/*
+		 * Instead of doing shaman dance like we do in ber_check_tags(),
+		 * allocate a small array on the stack
+		 * and initialize it appropriately.
+		 */
+		int stag_offset;
+		tags = (ber_tlv_tag_t *)alloca((sd->tags_count + 1) * sizeof(ber_tlv_tag_t));
+		if(!tags) {	/* Can fail on !x86 */
+			errno = ENOMEM;
+			return -1;
+		}
+		tags_count = sd->tags_count
+			+ 1	/* EXPLICIT or IMPLICIT tag is given */
+			- ((tag_mode == -1) && sd->tags_count);
+		/* Copy tags over */
+		tags[0] = tag;
+		stag_offset = -1 + ((tag_mode == -1) && sd->tags_count);
+		for(i = 1; i < tags_count; i++)
+			tags[i] = sd->tags[i + stag_offset];
+	} else {
+		tags = sd->tags;
+		tags_count = sd->tags_count;
+	}
+
+	/* No tags to write */
+	if(tags_count == 0)
+		return 0;
+
+	lens = (ssize_t *)alloca(tags_count * sizeof(lens[0]));
+	if(!lens) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/*
+	 * Array of tags is initialized.
+	 * Now, compute the size of the TLV pairs, from right to left.
+	 */
+	overall_length = struct_length;
+	for(i = tags_count - 1; i >= 0; --i) {
+		lens[i] = der_write_TL(tags[i], overall_length, 0, 0, 0);
+		if(lens[i] == -1) return -1;
+		overall_length += lens[i];
+		lens[i] = overall_length - lens[i];
+	}
+
+	if(!cb) return overall_length - struct_length;
+
+	ASN_DEBUG("Encoding %s TL sequence (%d elements)", sd->name,
+                  tags_count);
+
+	/*
+	 * Encode the TL sequence for real.
+	 */
+	for(i = 0; i < tags_count; i++) {
+		ssize_t len;
+		int _constr;
+
+		/* Check if this tag happens to be constructed */
+		_constr = (last_tag_form || i < (tags_count - 1));
+
+		len = der_write_TL(tags[i], lens[i], cb, app_key, _constr);
+		if(len == -1) return -1;
+	}
+
+	return overall_length - struct_length;
+}
+
+static ssize_t
+der_write_TL(ber_tlv_tag_t tag, ber_tlv_len_t len,
+		asn_app_consume_bytes_f *cb, void *app_key,
+		int constructed) {
+	uint8_t buf[32];
+	size_t size = 0;
+	int buf_size = cb?sizeof(buf):0;
+	ssize_t tmp;
+
+	/* Serialize tag (T from TLV) into possibly zero-length buffer */
+	tmp = ber_tlv_tag_serialize(tag, buf, buf_size);
+	if(tmp == -1 || tmp > (ssize_t)sizeof(buf)) return -1;
+	size += tmp;
+
+	/* Serialize length (L from TLV) into possibly zero-length buffer */
+	tmp = der_tlv_length_serialize(len, buf+size, buf_size?buf_size-size:0);
+	if(tmp == -1) return -1;
+	size += tmp;
+
+	if(size > sizeof(buf))
+		return -1;
+
+	/*
+	 * If callback is specified, invoke it, and check its return value.
+	 */
+	if(cb) {
+		if(constructed) *buf |= 0x20;
+		if(cb(buf, size, app_key) < 0)
+			return -1;
+	}
+
+	return size;
+}
--- a/asn1/asn1c/der_encoder.h
+++ b/asn1/asn1c/der_encoder.h
@@ -0,0 +1,68 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_DER_ENCODER_H_
+#define	_DER_ENCODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * The DER encoder of any type. May be invoked by the application.
+ * The ber_decode() function (ber_decoder.h) is an opposite of der_encode().
+ */
+asn_enc_rval_t der_encode(struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		asn_app_consume_bytes_f *consume_bytes_cb,
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+/* A variant of der_encode() which encodes data into the pre-allocated buffer */
+asn_enc_rval_t der_encode_to_buffer(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		void *buffer,		/* Pre-allocated buffer */
+		size_t buffer_size	/* Initial buffer size (maximum) */
+	);
+
+/*
+ * Type of the generic DER encoder.
+ */
+typedef asn_enc_rval_t (der_type_encoder_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		int tag_mode,		/* {-1,0,1}: IMPLICIT, no, EXPLICIT */
+		ber_tlv_tag_t tag,
+		asn_app_consume_bytes_f *consume_bytes_cb,	/* Callback */
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+/*
+ * Write out leading TL[v] sequence according to the type definition.
+ */
+ssize_t der_write_tags(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		size_t struct_length,
+		int tag_mode,		/* {-1,0,1}: IMPLICIT, no, EXPLICIT */
+		int last_tag_form,	/* {0,!0}: prim, constructed */
+		ber_tlv_tag_t tag,
+		asn_app_consume_bytes_f *consume_bytes_cb,
+		void *app_key
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _DER_ENCODER_H_ */
--- a/asn1/asn1c/ipa.asn1
+++ b/asn1/asn1c/ipa.asn1
@@ -0,0 +1,37 @@
+KeytabModule DEFINITIONS ::= BEGIN
+
+    Int32 ::= INTEGER (-2147483648..2147483647)
+    -- signed values representable in 32 bits (from RFC4120)
+
+    GetKeytabControl ::= CHOICE {
+        newkeys     [0] GKNewKeys,
+        curkeys     [1] GKCurrentKeys,
+        reply       [2] GKReply
+    }
+
+    GKNewKeys ::= SEQUENCE {
+        serviceIdentity [0] OCTET STRING,
+        enctypes        [1] SEQUENCE OF Int32,
+        password        [2] OCTET STRING OPTIONAL
+    }
+
+    GKCurrentKeys ::= SEQUENCE {
+        serviceIdentity [0] OCTET STRING
+    }
+
+    GKReply ::= SEQUENCE {
+        newkvno     Int32,
+        keys        SEQUENCE OF KrbKey
+    }
+
+    KrbKey ::= SEQUENCE {
+        key         [0] TypeValuePair,
+        salt        [1] TypeValuePair OPTIONAL,
+        s2kparams   [2] OCTET STRING OPTIONAL
+    }
+
+    TypeValuePair ::= SEQUENCE {
+        type    [0] Int32,
+        value   [1] OCTET STRING
+    }
+END
--- a/asn1/asn1c/per_decoder.c
+++ b/asn1/asn1c/per_decoder.c
@@ -0,0 +1,93 @@
+#include <asn_application.h>
+#include <asn_internal.h>
+#include <per_decoder.h>
+
+/*
+ * Decode a "Production of a complete encoding", X.691#10.1.
+ * The complete encoding contains at least one byte, and is an integral
+ * multiple of 8 bytes.
+ */
+asn_dec_rval_t
+uper_decode_complete(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sptr, const void *buffer, size_t size) {
+	asn_dec_rval_t rval;
+
+	rval = uper_decode(opt_codec_ctx, td, sptr, buffer, size, 0, 0);
+	if(rval.consumed) {
+		/*
+		 * We've always given 8-aligned data,
+		 * so convert bits to integral bytes.
+		 */
+		rval.consumed += 7;
+		rval.consumed >>= 3;
+	} else if(rval.code == RC_OK) {
+		if(size) {
+			if(((const uint8_t *)buffer)[0] == 0) {
+				rval.consumed = 1;	/* 1 byte */
+			} else {
+				ASN_DEBUG("Expecting single zeroed byte");
+				rval.code = RC_FAIL;
+			}
+		} else {
+			/* Must contain at least 8 bits. */
+			rval.code = RC_WMORE;
+		}
+	}
+
+	return rval;
+}
+
+asn_dec_rval_t
+uper_decode(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sptr, const void *buffer, size_t size, int skip_bits, int unused_bits) {
+	asn_codec_ctx_t s_codec_ctx;
+	asn_dec_rval_t rval;
+	asn_per_data_t pd;
+
+	if(skip_bits < 0 || skip_bits > 7
+	|| unused_bits < 0 || unused_bits > 7
+	|| (unused_bits > 0 && !size))
+		_ASN_DECODE_FAILED;
+
+	/*
+	 * Stack checker requires that the codec context
+	 * must be allocated on the stack.
+	 */
+	if(opt_codec_ctx) {
+		if(opt_codec_ctx->max_stack_size) {
+			s_codec_ctx = *opt_codec_ctx;
+			opt_codec_ctx = &s_codec_ctx;
+		}
+	} else {
+		/* If context is not given, be security-conscious anyway */
+		memset(&s_codec_ctx, 0, sizeof(s_codec_ctx));
+		s_codec_ctx.max_stack_size = _ASN_DEFAULT_STACK_MAX;
+		opt_codec_ctx = &s_codec_ctx;
+	}
+
+	/* Fill in the position indicator */
+	memset(&pd, 0, sizeof(pd));
+	pd.buffer = (const uint8_t *)buffer;
+	pd.nboff = skip_bits;
+	pd.nbits = 8 * size - unused_bits; /* 8 is CHAR_BIT from <limits.h> */
+	if(pd.nboff > pd.nbits)
+		_ASN_DECODE_FAILED;
+
+	/*
+	 * Invoke type-specific decoder.
+	 */
+	if(!td->uper_decoder)
+		_ASN_DECODE_FAILED;	/* PER is not compiled in */
+	rval = td->uper_decoder(opt_codec_ctx, td, 0, sptr, &pd);
+	if(rval.code == RC_OK) {
+		/* Return the number of consumed bits */
+		rval.consumed = ((pd.buffer - (const uint8_t *)buffer) << 3)
+					+ pd.nboff - skip_bits;
+		ASN_DEBUG("PER decoding consumed %ld, counted %ld",
+			(long)rval.consumed, (long)pd.moved);
+		assert(rval.consumed == pd.moved);
+	} else {
+		/* PER codec is not a restartable */
+		rval.consumed = 0;
+	}
+	return rval;
+}
+
--- a/asn1/asn1c/per_decoder.h
+++ b/asn1/asn1c/per_decoder.h
@@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2005, 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_DECODER_H_
+#define	_PER_DECODER_H_
+
+#include <asn_application.h>
+#include <per_support.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * Unaligned PER decoder of a "complete encoding" as per X.691#10.1.
+ * On success, this call always returns (.consumed >= 1), as per X.691#10.1.3.
+ */
+asn_dec_rval_t uper_decode_complete(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,	/* Type to decode */
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size		/* Size of data buffer */
+	);
+
+/*
+ * Unaligned PER decoder of any ASN.1 type. May be invoked by the application.
+ * WARNING: This call returns the number of BITS read from the stream. Beware.
+ */
+asn_dec_rval_t uper_decode(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,	/* Type to decode */
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size,		/* Size of data buffer */
+	int skip_bits,		/* Number of unused leading bits, 0..7 */
+	int unused_bits		/* Number of unused tailing bits, 0..7 */
+	);
+
+
+/*
+ * Type of the type-specific PER decoder function.
+ */
+typedef asn_dec_rval_t (per_type_decoder_f)(asn_codec_ctx_t *opt_codec_ctx,
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		asn_per_constraints_t *constraints,
+		void **struct_ptr,
+		asn_per_data_t *per_data
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_DECODER_H_ */
--- a/asn1/asn1c/per_encoder.c
+++ b/asn1/asn1c/per_encoder.c
@@ -0,0 +1,151 @@
+#include <asn_application.h>
+#include <asn_internal.h>
+#include <per_encoder.h>
+
+static asn_enc_rval_t uper_encode_internal(asn_TYPE_descriptor_t *td, asn_per_constraints_t *, void *sptr, asn_app_consume_bytes_f *cb, void *app_key);
+
+asn_enc_rval_t
+uper_encode(asn_TYPE_descriptor_t *td, void *sptr, asn_app_consume_bytes_f *cb, void *app_key) {
+	return uper_encode_internal(td, 0, sptr, cb, app_key);
+}
+
+/*
+ * Argument type and callback necessary for uper_encode_to_buffer().
+ */
+typedef struct enc_to_buf_arg {
+	void *buffer;
+	size_t left;
+} enc_to_buf_arg;
+static int encode_to_buffer_cb(const void *buffer, size_t size, void *key) {
+	enc_to_buf_arg *arg = (enc_to_buf_arg *)key;
+
+	if(arg->left < size)
+		return -1;	/* Data exceeds the available buffer size */
+
+	memcpy(arg->buffer, buffer, size);
+	arg->buffer = ((char *)arg->buffer) + size;
+	arg->left -= size;
+
+	return 0;
+}
+
+asn_enc_rval_t
+uper_encode_to_buffer(asn_TYPE_descriptor_t *td, void *sptr, void *buffer, size_t buffer_size) {
+	enc_to_buf_arg key;
+
+	key.buffer = buffer;
+	key.left = buffer_size;
+
+	if(td) ASN_DEBUG("Encoding \"%s\" using UNALIGNED PER", td->name);
+
+	return uper_encode_internal(td, 0, sptr, encode_to_buffer_cb, &key);
+}
+
+typedef struct enc_dyn_arg {
+	void *buffer;
+	size_t length;
+	size_t allocated;
+} enc_dyn_arg;
+static int
+encode_dyn_cb(const void *buffer, size_t size, void *key) {
+	enc_dyn_arg *arg = key;
+	if(arg->length + size >= arg->allocated) {
+		void *p;
+		arg->allocated = arg->allocated ? (arg->allocated << 2) : size;
+		p = REALLOC(arg->buffer, arg->allocated);
+		if(!p) {
+			FREEMEM(arg->buffer);
+			memset(arg, 0, sizeof(*arg));
+			return -1;
+		}
+		arg->buffer = p;
+	}
+	memcpy(((char *)arg->buffer) + arg->length, buffer, size);
+	arg->length += size;
+	return 0;
+}
+ssize_t
+uper_encode_to_new_buffer(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, void **buffer_r) {
+	asn_enc_rval_t er;
+	enc_dyn_arg key;
+
+	memset(&key, 0, sizeof(key));
+
+	er = uper_encode_internal(td, constraints, sptr, encode_dyn_cb, &key);
+	switch(er.encoded) {
+	case -1:
+		FREEMEM(key.buffer);
+		return -1;
+	case 0:
+		FREEMEM(key.buffer);
+		key.buffer = MALLOC(1);
+		if(key.buffer) {
+			*(char *)key.buffer = '\0';
+			*buffer_r = key.buffer;
+			return 1;
+		} else {
+			return -1;
+		}
+	default:
+		*buffer_r = key.buffer;
+		ASN_DEBUG("Complete encoded in %ld bits", (long)er.encoded);
+		return ((er.encoded + 7) >> 3);
+	}
+}
+
+/*
+ * Internally useful functions.
+ */
+
+/* Flush partially filled buffer */
+static int
+_uper_encode_flush_outp(asn_per_outp_t *po) {
+	uint8_t *buf;
+
+	if(po->nboff == 0 && po->buffer == po->tmpspace)
+		return 0;
+
+	buf = po->buffer + (po->nboff >> 3);
+	/* Make sure we account for the last, partially filled */
+	if(po->nboff & 0x07) {
+		buf[0] &= 0xff << (8 - (po->nboff & 0x07));
+		buf++;
+	}
+
+	return po->outper(po->tmpspace, buf - po->tmpspace, po->op_key);
+}
+
+static asn_enc_rval_t
+uper_encode_internal(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_per_outp_t po;
+	asn_enc_rval_t er;
+
+	/*
+	 * Invoke type-specific encoder.
+	 */
+	if(!td || !td->uper_encoder)
+		_ASN_ENCODE_FAILED;	/* PER is not compiled in */
+
+	po.buffer = po.tmpspace;
+	po.nboff = 0;
+	po.nbits = 8 * sizeof(po.tmpspace);
+	po.outper = cb;
+	po.op_key = app_key;
+	po.flushed_bytes = 0;
+
+	er = td->uper_encoder(td, constraints, sptr, &po);
+	if(er.encoded != -1) {
+		size_t bits_to_flush;
+
+		bits_to_flush = ((po.buffer - po.tmpspace) << 3) + po.nboff;
+
+		/* Set number of bits encoded to a firm value */
+		er.encoded = (po.flushed_bytes << 3) + bits_to_flush;
+
+		if(_uper_encode_flush_outp(&po))
+			_ASN_ENCODE_FAILED;
+	}
+
+	return er;
+}
+
--- a/asn1/asn1c/per_encoder.h
+++ b/asn1/asn1c/per_encoder.h
@@ -0,0 +1,69 @@
+/*-
+ * Copyright (c) 2006, 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_ENCODER_H_
+#define	_PER_ENCODER_H_
+
+#include <asn_application.h>
+#include <per_support.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * Unaligned PER encoder of any ASN.1 type. May be invoked by the application.
+ * WARNING: This function returns the number of encoded bits in the .encoded
+ * field of the return value. Use the following formula to convert to bytes:
+ * 	bytes = ((.encoded + 7) / 8)
+ */
+asn_enc_rval_t uper_encode(struct asn_TYPE_descriptor_s *type_descriptor,
+	void *struct_ptr,	/* Structure to be encoded */
+	asn_app_consume_bytes_f *consume_bytes_cb,	/* Data collector */
+	void *app_key		/* Arbitrary callback argument */
+);
+
+/*
+ * A variant of uper_encode() which encodes data into the existing buffer
+ * WARNING: This function returns the number of encoded bits in the .encoded
+ * field of the return value.
+ */
+asn_enc_rval_t uper_encode_to_buffer(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	void *struct_ptr,	/* Structure to be encoded */
+	void *buffer,		/* Pre-allocated buffer */
+	size_t buffer_size	/* Initial buffer size (max) */
+);
+
+/*
+ * A variant of uper_encode_to_buffer() which allocates buffer itself.
+ * Returns the number of bytes in the buffer or -1 in case of failure.
+ * WARNING: This function produces a "Production of the complete encoding",
+ * with length of at least one octet. Contrast this to precise bit-packing
+ * encoding of uper_encode() and uper_encode_to_buffer().
+ */
+ssize_t uper_encode_to_new_buffer(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	asn_per_constraints_t *constraints,
+	void *struct_ptr,	/* Structure to be encoded */
+	void **buffer_r		/* Buffer allocated and returned */
+);
+
+/*
+ * Type of the generic PER encoder function.
+ */
+typedef asn_enc_rval_t (per_type_encoder_f)(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	asn_per_constraints_t *constraints,
+	void *struct_ptr,
+	asn_per_outp_t *per_output
+);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_ENCODER_H_ */
--- a/asn1/asn1c/per_opentype.c
+++ b/asn1/asn1c/per_opentype.c
@@ -0,0 +1,378 @@
+/*
+ * Copyright (c) 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <per_support.h>
+#include <constr_TYPE.h>
+#include <per_opentype.h>
+
+typedef struct uper_ugot_key {
+	asn_per_data_t oldpd;	/* Old per data source */
+	size_t unclaimed;
+	size_t ot_moved;	/* Number of bits moved by OT processing */
+	int repeat;
+} uper_ugot_key;
+
+static int uper_ugot_refill(asn_per_data_t *pd);
+static int per_skip_bits(asn_per_data_t *pd, int skip_nbits);
+static asn_dec_rval_t uper_sot_suck(asn_codec_ctx_t *, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd);
+
+/*
+ * Encode an "open type field".
+ * #10.1, #10.2
+ */
+int
+uper_open_type_put(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	void *buf;
+	void *bptr;
+	ssize_t size;
+	size_t toGo;
+
+	ASN_DEBUG("Open type put %s ...", td->name);
+
+	size = uper_encode_to_new_buffer(td, constraints, sptr, &buf);
+	if(size <= 0) return -1;
+
+	for(bptr = buf, toGo = size; toGo;) {
+		ssize_t maySave = uper_put_length(po, toGo);
+		ASN_DEBUG("Prepending length %d to %s and allowing to save %d",
+			(int)size, td->name, (int)maySave);
+		if(maySave < 0) break;
+		if(per_put_many_bits(po, bptr, maySave * 8)) break;
+		bptr = (char *)bptr + maySave;
+		toGo -= maySave;
+	}
+
+	FREEMEM(buf);
+	if(toGo) return -1;
+
+	ASN_DEBUG("Open type put %s of length %ld + overhead (1byte?)",
+		td->name, (long)size);
+
+	return 0;
+}
+
+static asn_dec_rval_t
+uper_open_type_get_simple(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	asn_dec_rval_t rv;
+	ssize_t chunk_bytes;
+	int repeat;
+	uint8_t *buf = 0;
+	size_t bufLen = 0;
+	size_t bufSize = 0;
+	asn_per_data_t spd;
+	size_t padding;
+
+	_ASN_STACK_OVERFLOW_CHECK(ctx);
+
+	ASN_DEBUG("Getting open type %s...", td->name);
+
+	do {
+		chunk_bytes = uper_get_length(pd, -1, &repeat);
+		if(chunk_bytes < 0) {
+			FREEMEM(buf);
+			_ASN_DECODE_STARVED;
+		}
+		if(bufLen + chunk_bytes > bufSize) {
+			void *ptr;
+			bufSize = chunk_bytes + (bufSize << 2);
+			ptr = REALLOC(buf, bufSize);
+			if(!ptr) {
+				FREEMEM(buf);
+				_ASN_DECODE_FAILED;
+			}
+			buf = ptr;
+		}
+		if(per_get_many_bits(pd, buf + bufLen, 0, chunk_bytes << 3)) {
+			FREEMEM(buf);
+			_ASN_DECODE_STARVED;
+		}
+		bufLen += chunk_bytes;
+	} while(repeat);
+
+	ASN_DEBUG("Getting open type %s encoded in %ld bytes", td->name,
+		(long)bufLen);
+
+	memset(&spd, 0, sizeof(spd));
+	spd.buffer = buf;
+	spd.nbits = bufLen << 3;
+
+	ASN_DEBUG_INDENT_ADD(+4);
+	rv = td->uper_decoder(ctx, td, constraints, sptr, &spd);
+	ASN_DEBUG_INDENT_ADD(-4);
+
+	if(rv.code == RC_OK) {
+		/* Check padding validity */
+		padding = spd.nbits - spd.nboff;
+                if ((padding < 8 ||
+		/* X.691#10.1.3 */
+		(spd.nboff == 0 && spd.nbits == 8 && spd.buffer == buf)) &&
+                    per_get_few_bits(&spd, padding) == 0) {
+			/* Everything is cool */
+			FREEMEM(buf);
+			return rv;
+		}
+		FREEMEM(buf);
+		if(padding >= 8) {
+			ASN_DEBUG("Too large padding %d in open type", (int)padding);
+			_ASN_DECODE_FAILED;
+		} else {
+			ASN_DEBUG("Non-zero padding");
+			_ASN_DECODE_FAILED;
+		}
+	} else {
+		FREEMEM(buf);
+		/* rv.code could be RC_WMORE, nonsense in this context */
+		rv.code = RC_FAIL; /* Noone would give us more */
+	}
+
+	return rv;
+}
+
+static asn_dec_rval_t GCC_NOTUSED
+uper_open_type_get_complex(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	uper_ugot_key arg;
+	asn_dec_rval_t rv;
+	ssize_t padding;
+
+	_ASN_STACK_OVERFLOW_CHECK(ctx);
+
+	ASN_DEBUG("Getting open type %s from %s", td->name,
+		per_data_string(pd));
+	arg.oldpd = *pd;
+	arg.unclaimed = 0;
+	arg.ot_moved = 0;
+	arg.repeat = 1;
+	pd->refill = uper_ugot_refill;
+	pd->refill_key = &arg;
+	pd->nbits = pd->nboff;	/* 0 good bits at this point, will refill */
+	pd->moved = 0;	/* This now counts the open type size in bits */
+
+	ASN_DEBUG_INDENT_ADD(+4);
+	rv = td->uper_decoder(ctx, td, constraints, sptr, pd);
+	ASN_DEBUG_INDENT_ADD(-4);
+
+#define	UPDRESTOREPD	do {						\
+	/* buffer and nboff are valid, preserve them. */		\
+	pd->nbits = arg.oldpd.nbits - (pd->moved - arg.ot_moved);	\
+	pd->moved = arg.oldpd.moved + (pd->moved - arg.ot_moved);	\
+	pd->refill = arg.oldpd.refill;					\
+	pd->refill_key = arg.oldpd.refill_key;				\
+  } while(0)
+
+	if(rv.code != RC_OK) {
+		UPDRESTOREPD;
+		return rv;
+	}
+
+	ASN_DEBUG("OpenType %s pd%s old%s unclaimed=%d, repeat=%d", td->name,
+		per_data_string(pd),
+		per_data_string(&arg.oldpd),
+		(int)arg.unclaimed, (int)arg.repeat);
+
+	padding = pd->moved % 8;
+	if(padding) {
+		int32_t pvalue;
+		if(padding > 7) {
+			ASN_DEBUG("Too large padding %d in open type",
+				(int)padding);
+			rv.code = RC_FAIL;
+			UPDRESTOREPD;
+			return rv;
+		}
+		padding = 8 - padding;
+		ASN_DEBUG("Getting padding of %d bits", (int)padding);
+		pvalue = per_get_few_bits(pd, padding);
+		switch(pvalue) {
+		case -1:
+			ASN_DEBUG("Padding skip failed");
+			UPDRESTOREPD;
+			_ASN_DECODE_STARVED;
+		case 0: break;
+		default:
+			ASN_DEBUG("Non-blank padding (%d bits 0x%02x)",
+				(int)padding, (int)pvalue);
+			UPDRESTOREPD;
+			_ASN_DECODE_FAILED;
+		}
+	}
+	if(pd->nboff != pd->nbits) {
+		ASN_DEBUG("Open type %s overhead pd%s old%s", td->name,
+			per_data_string(pd), per_data_string(&arg.oldpd));
+		if(1) {
+			UPDRESTOREPD;
+			_ASN_DECODE_FAILED;
+		} else {
+			arg.unclaimed += pd->nbits - pd->nboff;
+		}
+	}
+
+	/* Adjust pd back so it points to original data */
+	UPDRESTOREPD;
+
+	/* Skip data not consumed by the decoder */
+	if(arg.unclaimed) {
+		ASN_DEBUG("Getting unclaimed %d", (int)arg.unclaimed);
+		switch(per_skip_bits(pd, arg.unclaimed)) {
+		case -1:
+			ASN_DEBUG("Claim of %d failed", (int)arg.unclaimed);
+			_ASN_DECODE_STARVED;
+		case 0:
+			ASN_DEBUG("Got claim of %d", (int)arg.unclaimed);
+			break;
+		default:
+			/* Padding must be blank */
+			ASN_DEBUG("Non-blank unconsumed padding");
+			_ASN_DECODE_FAILED;
+		}
+		arg.unclaimed = 0;
+	}
+
+	if(arg.repeat) {
+		ASN_DEBUG("Not consumed the whole thing");
+		rv.code = RC_FAIL;
+		return rv;
+	}
+
+	return rv;
+}
+
+
+asn_dec_rval_t
+uper_open_type_get(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+
+	return uper_open_type_get_simple(ctx, td, constraints, sptr, pd);
+}
+
+int
+uper_open_type_skip(asn_codec_ctx_t *ctx, asn_per_data_t *pd) {
+	asn_TYPE_descriptor_t s_td;
+	asn_dec_rval_t rv;
+
+	s_td.name = "<unknown extension>";
+	s_td.uper_decoder = uper_sot_suck;
+
+	rv = uper_open_type_get(ctx, &s_td, 0, 0, pd);
+	if(rv.code != RC_OK)
+		return -1;
+	else
+		return 0;
+}
+
+/*
+ * Internal functions.
+ */
+
+static asn_dec_rval_t
+uper_sot_suck(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	asn_dec_rval_t rv;
+
+	(void)ctx;
+	(void)td;
+	(void)constraints;
+	(void)sptr;
+
+	while(per_get_few_bits(pd, 24) >= 0);
+
+	rv.code = RC_OK;
+	rv.consumed = pd->moved;
+
+	return rv;
+}
+
+static int
+uper_ugot_refill(asn_per_data_t *pd) {
+	uper_ugot_key *arg = pd->refill_key;
+	ssize_t next_chunk_bytes, next_chunk_bits;
+	ssize_t avail;
+
+	asn_per_data_t *oldpd = &arg->oldpd;
+
+	ASN_DEBUG("REFILLING pd->moved=%ld, oldpd->moved=%ld",
+		(long)pd->moved, (long)oldpd->moved);
+
+	/* Advance our position to where pd is */
+	oldpd->buffer = pd->buffer;
+	oldpd->nboff  = pd->nboff;
+	oldpd->nbits -= pd->moved - arg->ot_moved;
+	oldpd->moved += pd->moved - arg->ot_moved;
+	arg->ot_moved = pd->moved;
+
+	if(arg->unclaimed) {
+		/* Refill the container */
+		if(per_get_few_bits(oldpd, 1))
+			return -1;
+		if(oldpd->nboff == 0) {
+			assert(0);
+			return -1;
+		}
+		pd->buffer = oldpd->buffer;
+		pd->nboff = oldpd->nboff - 1;
+		pd->nbits = oldpd->nbits;
+		ASN_DEBUG("UNCLAIMED <- return from (pd->moved=%ld)",
+			(long)pd->moved);
+		return 0;
+	}
+
+	if(!arg->repeat) {
+		ASN_DEBUG("Want more but refill doesn't have it");
+		return -1;
+	}
+
+	next_chunk_bytes = uper_get_length(oldpd, -1, &arg->repeat);
+	ASN_DEBUG("Open type LENGTH %ld bytes at off %ld, repeat %ld",
+		(long)next_chunk_bytes, (long)oldpd->moved, (long)arg->repeat);
+	if(next_chunk_bytes < 0) return -1;
+	if(next_chunk_bytes == 0) {
+		pd->refill = 0;	/* No more refills, naturally */
+		assert(!arg->repeat);	/* Implementation guarantee */
+	}
+	next_chunk_bits = next_chunk_bytes << 3;
+	avail = oldpd->nbits - oldpd->nboff;
+	if(avail >= next_chunk_bits) {
+		pd->nbits = oldpd->nboff + next_chunk_bits;
+		arg->unclaimed = 0;
+		ASN_DEBUG("!+Parent frame %ld bits, alloting %ld [%ld..%ld] (%ld)",
+			(long)next_chunk_bits, (long)oldpd->moved,
+			(long)oldpd->nboff, (long)oldpd->nbits,
+			(long)(oldpd->nbits - oldpd->nboff));
+	} else {
+		pd->nbits = oldpd->nbits;
+		arg->unclaimed = next_chunk_bits - avail;
+		ASN_DEBUG("!-Parent frame %ld, require %ld, will claim %ld",
+			(long)avail, (long)next_chunk_bits,
+			(long)arg->unclaimed);
+	}
+	pd->buffer = oldpd->buffer;
+	pd->nboff = oldpd->nboff;
+	ASN_DEBUG("Refilled pd%s old%s",
+		per_data_string(pd), per_data_string(oldpd));
+	return 0;
+}
+
+static int
+per_skip_bits(asn_per_data_t *pd, int skip_nbits) {
+	int hasNonZeroBits = 0;
+	while(skip_nbits > 0) {
+		int skip;
+
+		/* per_get_few_bits() is more efficient when nbits <= 24 */
+		if(skip_nbits < 24)
+			skip = skip_nbits;
+		else
+			skip = 24;
+		skip_nbits -= skip;
+
+		switch(per_get_few_bits(pd, skip)) {
+		case -1: return -1;	/* Starving */
+		case 0: continue;	/* Skipped empty space */
+		default: hasNonZeroBits = 1; continue;
+		}
+	}
+	return hasNonZeroBits;
+}
--- a/asn1/asn1c/per_opentype.h
+++ b/asn1/asn1c/per_opentype.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_OPENTYPE_H_
+#define	_PER_OPENTYPE_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+asn_dec_rval_t uper_open_type_get(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd);
+
+int uper_open_type_skip(asn_codec_ctx_t *opt_codec_ctx, asn_per_data_t *pd);
+
+int uper_open_type_put(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_OPENTYPE_H_ */
--- a/asn1/asn1c/per_support.c
+++ b/asn1/asn1c/per_support.c
@@ -0,0 +1,483 @@
+/*
+ * Copyright (c) 2005-2014 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_system.h>
+#include <asn_internal.h>
+#include <per_support.h>
+
+char *
+per_data_string(asn_per_data_t *pd) {
+	static char buf[2][32];
+	static int n;
+	n = (n+1) % 2;
+	snprintf(buf[n], sizeof(buf),
+		"{m=%ld span %+ld[%d..%d] (%d)}",
+		(long)pd->moved,
+		(((long)pd->buffer) & 0xf),
+		(int)pd->nboff, (int)pd->nbits,
+		(int)(pd->nbits - pd->nboff));
+	return buf[n];
+}
+
+void
+per_get_undo(asn_per_data_t *pd, int nbits) {
+	if((ssize_t)pd->nboff < nbits) {
+		assert((ssize_t)pd->nboff < nbits);
+	} else {
+		pd->nboff -= nbits;
+		pd->moved -= nbits;
+	}
+}
+
+/*
+ * Extract a small number of bits (<= 31) from the specified PER data pointer.
+ */
+int32_t
+per_get_few_bits(asn_per_data_t *pd, int nbits) {
+	size_t off;	/* Next after last bit offset */
+	ssize_t nleft;	/* Number of bits left in this stream */
+	uint32_t accum;
+	const uint8_t *buf;
+
+	if(nbits < 0)
+		return -1;
+
+	nleft = pd->nbits - pd->nboff;
+	if(nbits > nleft) {
+		int32_t tailv, vhead;
+		if(!pd->refill || nbits > 31) return -1;
+		/* Accumulate unused bytes before refill */
+		ASN_DEBUG("Obtain the rest %d bits (want %d)",
+			(int)nleft, (int)nbits);
+		tailv = per_get_few_bits(pd, nleft);
+		if(tailv < 0) return -1;
+		/* Refill (replace pd contents with new data) */
+		if(pd->refill(pd))
+			return -1;
+		nbits -= nleft;
+		vhead = per_get_few_bits(pd, nbits);
+		/* Combine the rest of previous pd with the head of new one */
+		tailv = (tailv << nbits) | vhead;  /* Could == -1 */
+		return tailv;
+	}
+
+	/*
+	 * Normalize position indicator.
+	 */
+	if(pd->nboff >= 8) {
+		pd->buffer += (pd->nboff >> 3);
+		pd->nbits  -= (pd->nboff & ~0x07);
+		pd->nboff  &= 0x07;
+	}
+	pd->moved += nbits;
+	pd->nboff += nbits;
+	off = pd->nboff;
+	buf = pd->buffer;
+
+	/*
+	 * Extract specified number of bits.
+	 */
+	if(off <= 8)
+		accum = nbits ? (buf[0]) >> (8 - off) : 0;
+	else if(off <= 16)
+		accum = ((buf[0] << 8) + buf[1]) >> (16 - off);
+	else if(off <= 24)
+		accum = ((buf[0] << 16) + (buf[1] << 8) + buf[2]) >> (24 - off);
+	else if(off <= 31)
+		accum = ((buf[0] << 24) + (buf[1] << 16)
+			+ (buf[2] << 8) + (buf[3])) >> (32 - off);
+	else if(nbits <= 31) {
+		asn_per_data_t tpd = *pd;
+		/* Here are we with our 31-bits limit plus 1..7 bits offset. */
+		per_get_undo(&tpd, nbits);
+		/* The number of available bits in the stream allow
+		 * for the following operations to take place without
+		 * invoking the ->refill() function */
+		accum  = per_get_few_bits(&tpd, nbits - 24) << 24;
+		accum |= per_get_few_bits(&tpd, 24);
+	} else {
+		per_get_undo(pd, nbits);
+		return -1;
+	}
+
+	accum &= (((uint32_t)1 << nbits) - 1);
+
+	ASN_DEBUG("  [PER got %2d<=%2d bits => span %d %+ld[%d..%d]:%02x (%d) => 0x%x]",
+		(int)nbits, (int)nleft,
+		(int)pd->moved,
+		(((long)pd->buffer) & 0xf),
+		(int)pd->nboff, (int)pd->nbits,
+		pd->buffer[0],
+		(int)(pd->nbits - pd->nboff),
+		(int)accum);
+
+	return accum;
+}
+
+/*
+ * Extract a large number of bits from the specified PER data pointer.
+ */
+int
+per_get_many_bits(asn_per_data_t *pd, uint8_t *dst, int alright, int nbits) {
+	int32_t value;
+
+	if(alright && (nbits & 7)) {
+		/* Perform right alignment of a first few bits */
+		value = per_get_few_bits(pd, nbits & 0x07);
+		if(value < 0) return -1;
+		*dst++ = value;	/* value is already right-aligned */
+		nbits &= ~7;
+	}
+
+	while(nbits) {
+		if(nbits >= 24) {
+			value = per_get_few_bits(pd, 24);
+			if(value < 0) return -1;
+			*(dst++) = value >> 16;
+			*(dst++) = value >> 8;
+			*(dst++) = value;
+			nbits -= 24;
+		} else {
+			value = per_get_few_bits(pd, nbits);
+			if(value < 0) return -1;
+			if(nbits & 7) {	/* implies left alignment */
+				value <<= 8 - (nbits & 7),
+				nbits += 8 - (nbits & 7);
+				if(nbits > 24)
+					*dst++ = value >> 24;
+			}
+			if(nbits > 16)
+				*dst++ = value >> 16;
+			if(nbits > 8)
+				*dst++ = value >> 8;
+			*dst++ = value;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+/*
+ * Get the length "n" from the stream.
+ */
+ssize_t
+uper_get_length(asn_per_data_t *pd, int ebits, int *repeat) {
+	ssize_t value;
+
+	*repeat = 0;
+
+	if(ebits >= 0) return per_get_few_bits(pd, ebits);
+
+	value = per_get_few_bits(pd, 8);
+	if(value < 0) return -1;
+	if((value & 128) == 0)	/* #10.9.3.6 */
+		return (value & 0x7F);
+	if((value & 64) == 0) {	/* #10.9.3.7 */
+		value = ((value & 63) << 8) | per_get_few_bits(pd, 8);
+		if(value < 0) return -1;
+		return value;
+	}
+	value &= 63;	/* this is "m" from X.691, #10.9.3.8 */
+	if(value < 1 || value > 4)
+		return -1;
+	*repeat = 1;
+	return (16384 * value);
+}
+
+/*
+ * Get the normally small length "n".
+ * This procedure used to decode length of extensions bit-maps
+ * for SET and SEQUENCE types.
+ */
+ssize_t
+uper_get_nslength(asn_per_data_t *pd) {
+	ssize_t length;
+
+	ASN_DEBUG("Getting normally small length");
+
+	if(per_get_few_bits(pd, 1) == 0) {
+		length = per_get_few_bits(pd, 6) + 1;
+		if(length <= 0) return -1;
+		ASN_DEBUG("l=%d", (int)length);
+		return length;
+	} else {
+		int repeat;
+		length = uper_get_length(pd, -1, &repeat);
+		if(length >= 0 && !repeat) return length;
+		return -1; /* Error, or do not support >16K extensions */
+	}
+}
+
+/*
+ * Get the normally small non-negative whole number.
+ * X.691, #10.6
+ */
+ssize_t
+uper_get_nsnnwn(asn_per_data_t *pd) {
+	ssize_t value;
+
+	value = per_get_few_bits(pd, 7);
+	if(value & 64) {	/* implicit (value < 0) */
+		value &= 63;
+		value <<= 2;
+		value |= per_get_few_bits(pd, 2);
+		if(value & 128)	/* implicit (value < 0) */
+			return -1;
+		if(value == 0)
+			return 0;
+		if(value >= 3)
+			return -1;
+		value = per_get_few_bits(pd, 8 * value);
+		return value;
+	}
+
+	return value;
+}
+
+/*
+ * X.691-11/2008, #11.6
+ * Encoding of a normally small non-negative whole number
+ */
+int
+uper_put_nsnnwn(asn_per_outp_t *po, int n) {
+	int bytes;
+
+	if(n <= 63) {
+		if(n < 0) return -1;
+		return per_put_few_bits(po, n, 7);
+	}
+	if(n < 256)
+		bytes = 1;
+	else if(n < 65536)
+		bytes = 2;
+	else if(n < 256 * 65536)
+		bytes = 3;
+	else
+		return -1;	/* This is not a "normally small" value */
+	if(per_put_few_bits(po, bytes, 8))
+		return -1;
+
+	return per_put_few_bits(po, n, 8 * bytes);
+}
+
+
+/* X.691-2008/11, #11.5.6 -> #11.3 */
+int uper_get_constrained_whole_number(asn_per_data_t *pd, unsigned long *out_value, int nbits) {
+	unsigned long lhalf;    /* Lower half of the number*/
+	long half;
+
+	if(nbits <= 31) {
+		half = per_get_few_bits(pd, nbits);
+		if(half < 0) return -1;
+		*out_value = half;
+		return 0;
+	}
+
+	if((size_t)nbits > 8 * sizeof(*out_value))
+		return -1;  /* RANGE */
+
+	half = per_get_few_bits(pd, 31);
+	if(half < 0) return -1;
+
+	if(uper_get_constrained_whole_number(pd, &lhalf, nbits - 31))
+		return -1;
+
+	*out_value = ((unsigned long)half << (nbits - 31)) | lhalf;
+	return 0;
+}
+
+
+/* X.691-2008/11, #11.5.6 -> #11.3 */
+int uper_put_constrained_whole_number_s(asn_per_outp_t *po, long v, int nbits) {
+	/*
+	 * Assume signed number can be safely coerced into
+	 * unsigned of the same range.
+	 * The following testing code will likely be optimized out
+	 * by compiler if it is true.
+	 */
+	unsigned long uvalue1 = ULONG_MAX;
+	         long svalue  = uvalue1;
+	unsigned long uvalue2 = svalue;
+	assert(uvalue1 == uvalue2);
+	return uper_put_constrained_whole_number_u(po, v, nbits);
+}
+
+int uper_put_constrained_whole_number_u(asn_per_outp_t *po, unsigned long v, int nbits) {
+	if(nbits <= 31) {
+		return per_put_few_bits(po, v, nbits);
+	} else {
+		/* Put higher portion first, followed by lower 31-bit */
+		if(uper_put_constrained_whole_number_u(po, v >> 31, nbits - 31))
+			return -1;
+		return per_put_few_bits(po, v, 31);
+	}
+}
+
+/*
+ * Put a small number of bits (<= 31).
+ */
+int
+per_put_few_bits(asn_per_outp_t *po, uint32_t bits, int obits) {
+	size_t off;	/* Next after last bit offset */
+	size_t omsk;	/* Existing last byte meaningful bits mask */
+	uint8_t *buf;
+
+	if(obits <= 0 || obits >= 32) return obits ? -1 : 0;
+
+	ASN_DEBUG("[PER put %d bits %x to %p+%d bits]",
+			obits, (int)bits, po->buffer, (int)po->nboff);
+
+	/*
+	 * Normalize position indicator.
+	 */
+	if(po->nboff >= 8) {
+		po->buffer += (po->nboff >> 3);
+		po->nbits  -= (po->nboff & ~0x07);
+		po->nboff  &= 0x07;
+	}
+
+	/*
+	 * Flush whole-bytes output, if necessary.
+	 */
+	if(po->nboff + obits > po->nbits) {
+		int complete_bytes = (po->buffer - po->tmpspace);
+		ASN_DEBUG("[PER output %ld complete + %ld]",
+			(long)complete_bytes, (long)po->flushed_bytes);
+		if(po->outper(po->tmpspace, complete_bytes, po->op_key) < 0)
+			return -1;
+		if(po->nboff)
+			po->tmpspace[0] = po->buffer[0];
+		po->buffer = po->tmpspace;
+		po->nbits = 8 * sizeof(po->tmpspace);
+		po->flushed_bytes += complete_bytes;
+	}
+
+	/*
+	 * Now, due to sizeof(tmpspace), we are guaranteed large enough space.
+	 */
+	buf = po->buffer;
+	omsk = ~((1 << (8 - po->nboff)) - 1);
+	off = (po->nboff + obits);
+
+	/* Clear data of debris before meaningful bits */
+	bits &= (((uint32_t)1 << obits) - 1);
+
+	ASN_DEBUG("[PER out %d %u/%x (t=%d,o=%d) %x&%x=%x]", obits,
+		(int)bits, (int)bits,
+		(int)po->nboff, (int)off,
+		buf[0], (int)(omsk&0xff),
+		(int)(buf[0] & omsk));
+
+	if(off <= 8)	/* Completely within 1 byte */
+		po->nboff = off,
+		bits <<= (8 - off),
+		buf[0] = (buf[0] & omsk) | bits;
+	else if(off <= 16)
+		po->nboff = off,
+		bits <<= (16 - off),
+		buf[0] = (buf[0] & omsk) | (bits >> 8),
+		buf[1] = bits;
+	else if(off <= 24)
+		po->nboff = off,
+		bits <<= (24 - off),
+		buf[0] = (buf[0] & omsk) | (bits >> 16),
+		buf[1] = bits >> 8,
+		buf[2] = bits;
+	else if(off <= 31)
+		po->nboff = off,
+		bits <<= (32 - off),
+		buf[0] = (buf[0] & omsk) | (bits >> 24),
+		buf[1] = bits >> 16,
+		buf[2] = bits >> 8,
+		buf[3] = bits;
+	else {
+		if(per_put_few_bits(po, bits >> (obits - 24), 24)) return -1;
+		if(per_put_few_bits(po, bits, obits - 24)) return -1;
+	}
+
+	ASN_DEBUG("[PER out %u/%x => %02x buf+%ld]",
+		(int)bits, (int)bits, buf[0],
+		(long)(po->buffer - po->tmpspace));
+
+	return 0;
+}
+
+
+/*
+ * Output a large number of bits.
+ */
+int
+per_put_many_bits(asn_per_outp_t *po, const uint8_t *src, int nbits) {
+
+	while(nbits) {
+		uint32_t value;
+
+		if(nbits >= 24) {
+			value = (src[0] << 16) | (src[1] << 8) | src[2];
+			src += 3;
+			nbits -= 24;
+			if(per_put_few_bits(po, value, 24))
+				return -1;
+		} else {
+			value = src[0];
+			if(nbits > 8)
+				value = (value << 8) | src[1];
+			if(nbits > 16)
+				value = (value << 8) | src[2];
+			if(nbits & 0x07)
+				value >>= (8 - (nbits & 0x07));
+			if(per_put_few_bits(po, value, nbits))
+				return -1;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+/*
+ * Put the length "n" (or part of it) into the stream.
+ */
+ssize_t
+uper_put_length(asn_per_outp_t *po, size_t length) {
+
+	if(length <= 127)	/* #10.9.3.6 */
+		return per_put_few_bits(po, length, 8)
+			? -1 : (ssize_t)length;
+	else if(length < 16384)	/* #10.9.3.7 */
+		return per_put_few_bits(po, length|0x8000, 16)
+			? -1 : (ssize_t)length;
+
+	length >>= 14;
+	if(length > 4) length = 4;
+
+	return per_put_few_bits(po, 0xC0 | length, 8)
+			? -1 : (ssize_t)(length << 14);
+}
+
+
+/*
+ * Put the normally small length "n" into the stream.
+ * This procedure used to encode length of extensions bit-maps
+ * for SET and SEQUENCE types.
+ */
+int
+uper_put_nslength(asn_per_outp_t *po, size_t length) {
+
+	if(length <= 64) {
+		/* #10.9.3.4 */
+		if(length == 0) return -1;
+		return per_put_few_bits(po, length-1, 7) ? -1 : 0;
+	} else {
+		if(uper_put_length(po, length) != (ssize_t)length) {
+			/* This might happen in case of >16K extensions */
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
--- a/asn1/asn1c/per_support.h
+++ b/asn1/asn1c/per_support.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2005-2014 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_SUPPORT_H_
+#define	_PER_SUPPORT_H_
+
+#include <asn_system.h>		/* Platform-specific types */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Pre-computed PER constraints.
+ */
+typedef struct asn_per_constraint_s {
+	enum asn_per_constraint_flags {
+		APC_UNCONSTRAINED	= 0x0,	/* No PER visible constraints */
+		APC_SEMI_CONSTRAINED	= 0x1,	/* Constrained at "lb" */
+		APC_CONSTRAINED		= 0x2,	/* Fully constrained */
+		APC_EXTENSIBLE		= 0x4	/* May have extension */
+	} flags;
+	int  range_bits;		/* Full number of bits in the range */
+	int  effective_bits;		/* Effective bits */
+	long lower_bound;		/* "lb" value */
+	long upper_bound;		/* "ub" value */
+} asn_per_constraint_t;
+typedef struct asn_per_constraints_s {
+	asn_per_constraint_t value;
+	asn_per_constraint_t size;
+	int (*value2code)(unsigned int value);
+	int (*code2value)(unsigned int code);
+} asn_per_constraints_t;
+
+/*
+ * This structure describes a position inside an incoming PER bit stream.
+ */
+typedef struct asn_per_data_s {
+  const uint8_t *buffer;  /* Pointer to the octet stream */
+         size_t  nboff;   /* Bit offset to the meaningful bit */
+         size_t  nbits;   /* Number of bits in the stream */
+         size_t  moved;   /* Number of bits moved through this bit stream */
+  int (*refill)(struct asn_per_data_s *);
+  void *refill_key;
+} asn_per_data_t;
+
+/*
+ * Extract a small number of bits (<= 31) from the specified PER data pointer.
+ * This function returns -1 if the specified number of bits could not be
+ * extracted due to EOD or other conditions.
+ */
+int32_t per_get_few_bits(asn_per_data_t *per_data, int get_nbits);
+
+/* Undo the immediately preceeding "get_few_bits" operation */
+void per_get_undo(asn_per_data_t *per_data, int get_nbits);
+
+/*
+ * Extract a large number of bits from the specified PER data pointer.
+ * This function returns -1 if the specified number of bits could not be
+ * extracted due to EOD or other conditions.
+ */
+int per_get_many_bits(asn_per_data_t *pd, uint8_t *dst, int right_align,
+			int get_nbits);
+
+/*
+ * Get the length "n" from the Unaligned PER stream.
+ */
+ssize_t uper_get_length(asn_per_data_t *pd,
+			int effective_bound_bits,
+			int *repeat);
+
+/*
+ * Get the normally small length "n".
+ */
+ssize_t uper_get_nslength(asn_per_data_t *pd);
+
+/*
+ * Get the normally small non-negative whole number.
+ */
+ssize_t uper_get_nsnnwn(asn_per_data_t *pd);
+
+/* X.691-2008/11, #11.5.6 */
+int uper_get_constrained_whole_number(asn_per_data_t *pd, unsigned long *v, int nbits);
+
+/* Non-thread-safe debugging function, don't use it */
+char *per_data_string(asn_per_data_t *pd);
+
+/*
+ * This structure supports forming PER output.
+ */
+typedef struct asn_per_outp_s {
+	uint8_t *buffer;	/* Pointer into the (tmpspace) */
+	size_t nboff;		/* Bit offset to the meaningful bit */
+	size_t nbits;		/* Number of bits left in (tmpspace) */
+	uint8_t tmpspace[32];	/* Preliminary storage to hold data */
+	int (*outper)(const void *data, size_t size, void *op_key);
+	void *op_key;		/* Key for (outper) data callback */
+	size_t flushed_bytes;	/* Bytes already flushed through (outper) */
+} asn_per_outp_t;
+
+/* Output a small number of bits (<= 31) */
+int per_put_few_bits(asn_per_outp_t *per_data, uint32_t bits, int obits);
+
+/* Output a large number of bits */
+int per_put_many_bits(asn_per_outp_t *po, const uint8_t *src, int put_nbits);
+
+/* X.691-2008/11, #11.5 */
+int uper_put_constrained_whole_number_s(asn_per_outp_t *po, long v, int nbits);
+int uper_put_constrained_whole_number_u(asn_per_outp_t *po, unsigned long v, int nbits);
+
+/*
+ * Put the length "n" to the Unaligned PER stream.
+ * This function returns the number of units which may be flushed
+ * in the next units saving iteration.
+ */
+ssize_t uper_put_length(asn_per_outp_t *po, size_t whole_length);
+
+/*
+ * Put the normally small length "n" to the Unaligned PER stream.
+ * Returns 0 or -1.
+ */
+int uper_put_nslength(asn_per_outp_t *po, size_t length);
+
+/*
+ * Put the normally small non-negative whole number.
+ */
+int uper_put_nsnnwn(asn_per_outp_t *po, int n);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_SUPPORT_H_ */
--- a/asn1/asn1c/xer_decoder.c
+++ b/asn1/asn1c/xer_decoder.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (c) 2004, 2005 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_application.h>
+#include <asn_internal.h>
+#include <xer_support.h>		/* XER/XML parsing support */
+
+
+/*
+ * Decode the XER encoding of a given type.
+ */
+asn_dec_rval_t
+xer_decode(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+		void **struct_ptr, const void *buffer, size_t size) {
+	asn_codec_ctx_t s_codec_ctx;
+
+	/*
+	 * Stack checker requires that the codec context
+	 * must be allocated on the stack.
+	 */
+	if(opt_codec_ctx) {
+		if(opt_codec_ctx->max_stack_size) {
+			s_codec_ctx = *opt_codec_ctx;
+			opt_codec_ctx = &s_codec_ctx;
+		}
+	} else {
+		/* If context is not given, be security-conscious anyway */
+		memset(&s_codec_ctx, 0, sizeof(s_codec_ctx));
+		s_codec_ctx.max_stack_size = _ASN_DEFAULT_STACK_MAX;
+		opt_codec_ctx = &s_codec_ctx;
+	}
+
+	/*
+	 * Invoke type-specific decoder.
+	 */
+	return td->xer_decoder(opt_codec_ctx, td, struct_ptr, 0, buffer, size);
+}
+
+
+
+struct xer__cb_arg {
+	pxml_chunk_type_e	chunk_type;
+	size_t			chunk_size;
+	const void		*chunk_buf;
+	int callback_not_invoked;
+};
+
+static int
+xer__token_cb(pxml_chunk_type_e type, const void *_chunk_data, size_t _chunk_size, void *key) {
+	struct xer__cb_arg *arg = (struct xer__cb_arg *)key;
+	arg->chunk_type = type;
+	arg->chunk_size = _chunk_size;
+	arg->chunk_buf = _chunk_data;
+	arg->callback_not_invoked = 0;
+	return -1;	/* Terminate the XML parsing */
+}
+
+/*
+ * Fetch the next token from the XER/XML stream.
+ */
+ssize_t
+xer_next_token(int *stateContext, const void *buffer, size_t size, pxer_chunk_type_e *ch_type) {
+	struct xer__cb_arg arg;
+	int new_stateContext = *stateContext;
+	ssize_t ret;
+
+	arg.callback_not_invoked = 1;
+	ret = pxml_parse(&new_stateContext, buffer, size, xer__token_cb, &arg);
+	if(ret < 0) return -1;
+	if(arg.callback_not_invoked) {
+		assert(ret == 0);	/* No data was consumed */
+		return 0;		/* Try again with more data */
+	} else {
+		assert(arg.chunk_size);
+		assert(arg.chunk_buf == buffer);
+	}
+
+	/*
+	 * Translate the XML chunk types into more convenient ones.
+	 */
+	switch(arg.chunk_type) {
+	case PXML_TEXT:
+		*ch_type = PXER_TEXT;
+		break;
+	case PXML_TAG: return 0;	/* Want more */
+	case PXML_TAG_END:
+		*ch_type = PXER_TAG;
+		break;
+	case PXML_COMMENT:
+	case PXML_COMMENT_END:
+		*ch_type = PXER_COMMENT;
+		break;
+	}
+
+	*stateContext = new_stateContext;
+	return arg.chunk_size;
+}
+
+#define	CSLASH	0x2f	/* '/' */
+#define	LANGLE	0x3c	/* '<' */
+#define	RANGLE	0x3e	/* '>' */
+
+xer_check_tag_e
+xer_check_tag(const void *buf_ptr, int size, const char *need_tag) {
+	const char *buf = (const char *)buf_ptr;
+	const char *end;
+	xer_check_tag_e ct = XCT_OPENING;
+
+	if(size < 2 || buf[0] != LANGLE || buf[size-1] != RANGLE) {
+		if(size >= 2)
+			ASN_DEBUG("Broken XML tag: \"%c...%c\"",
+			buf[0], buf[size - 1]);
+		return XCT_BROKEN;
+	}
+
+	/*
+	 * Determine the tag class.
+	 */
+	if(buf[1] == CSLASH) {
+		buf += 2;	/* advance past "</" */
+		size -= 3;	/* strip "</" and ">" */
+		ct = XCT_CLOSING;
+		if(size > 0 && buf[size-1] == CSLASH)
+			return XCT_BROKEN;	/* </abc/> */
+	} else {
+		buf++;		/* advance past "<" */
+		size -= 2;	/* strip "<" and ">" */
+		if(size > 0 && buf[size-1] == CSLASH) {
+			ct = XCT_BOTH;
+			size--;	/* One more, for "/" */
+		}
+	}
+
+	/* Sometimes we don't care about the tag */
+	if(!need_tag || !*need_tag)
+		return (xer_check_tag_e)(XCT__UNK__MASK | ct);
+
+	/*
+	 * Determine the tag name.
+	 */
+	for(end = buf + size; buf < end; buf++, need_tag++) {
+		int b = *buf, n = *need_tag;
+		if(b != n) {
+			if(n == 0) {
+				switch(b) {
+				case 0x09: case 0x0a: case 0x0c: case 0x0d:
+				case 0x20:
+					/* "<abc def/>": whitespace is normal */
+					return ct;
+				}
+			}
+			return (xer_check_tag_e)(XCT__UNK__MASK | ct);
+		}
+		if(b == 0)
+			return XCT_BROKEN;	/* Embedded 0 in buf?! */
+	}
+	if(*need_tag)
+		return (xer_check_tag_e)(XCT__UNK__MASK | ct);
+
+	return ct;
+}
+
+
+#undef	ADVANCE
+#define	ADVANCE(num_bytes)	do {				\
+		size_t num = (num_bytes);			\
+		buf_ptr = ((const char *)buf_ptr) + num;	\
+		size -= num;					\
+		consumed_myself += num;				\
+	} while(0)
+
+#undef	RETURN
+#define	RETURN(_code)	do {					\
+		rval.code = _code;				\
+		rval.consumed = consumed_myself;		\
+		if(rval.code != RC_OK)				\
+			ASN_DEBUG("Failed with %d", rval.code);	\
+		return rval;					\
+	} while(0)
+
+#define	XER_GOT_BODY(chunk_buf, chunk_size, size)	do {	\
+		ssize_t converted_size = body_receiver		\
+			(struct_key, chunk_buf, chunk_size,	\
+				(size_t)chunk_size < size);	\
+		if(converted_size == -1) RETURN(RC_FAIL);	\
+		if(converted_size == 0				\
+			&& size == (size_t)chunk_size)		\
+			RETURN(RC_WMORE);			\
+		chunk_size = converted_size;			\
+	} while(0)
+#define	XER_GOT_EMPTY()	do {					\
+	if(body_receiver(struct_key, 0, 0, size > 0) == -1)	\
+			RETURN(RC_FAIL);			\
+	} while(0)
+
+/*
+ * Generalized function for decoding the primitive values.
+ */
+asn_dec_rval_t
+xer_decode_general(asn_codec_ctx_t *opt_codec_ctx,
+	asn_struct_ctx_t *ctx,	/* Type decoder context */
+	void *struct_key,
+	const char *xml_tag,	/* Expected XML tag */
+	const void *buf_ptr, size_t size,
+	int (*opt_unexpected_tag_decoder)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size),
+	ssize_t (*body_receiver)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size,
+			int have_more)
+	) {
+
+	asn_dec_rval_t rval;
+	ssize_t consumed_myself = 0;
+
+	(void)opt_codec_ctx;
+
+	/*
+	 * Phases of XER/XML processing:
+	 * Phase 0: Check that the opening tag matches our expectations.
+	 * Phase 1: Processing body and reacting on closing tag.
+	 */
+	if(ctx->phase > 1) RETURN(RC_FAIL);
+	for(;;) {
+		pxer_chunk_type_e ch_type;	/* XER chunk type */
+		ssize_t ch_size;		/* Chunk size */
+		xer_check_tag_e tcv;		/* Tag check value */
+
+		/*
+		 * Get the next part of the XML stream.
+		 */
+		ch_size = xer_next_token(&ctx->context, buf_ptr, size,
+			&ch_type);
+		switch(ch_size) {
+		case -1: RETURN(RC_FAIL);
+		case 0:
+			RETURN(RC_WMORE);
+		default:
+			switch(ch_type) {
+			case PXER_COMMENT:		/* Got XML comment */
+				ADVANCE(ch_size);	/* Skip silently */
+				continue;
+			case PXER_TEXT:
+				if(ctx->phase == 0) {
+					/*
+					 * We have to ignore whitespace here,
+					 * but in order to be forward compatible
+					 * with EXTENDED-XER (EMBED-VALUES, #25)
+					 * any text is just ignored here.
+					 */
+				} else {
+					XER_GOT_BODY(buf_ptr, ch_size, size);
+				}
+				ADVANCE(ch_size);
+				continue;
+			case PXER_TAG:
+				break;	/* Check the rest down there */
+			}
+		}
+
+		assert(ch_type == PXER_TAG && size);
+
+		tcv = xer_check_tag(buf_ptr, ch_size, xml_tag);
+		/*
+		 * Phase 0:
+		 * 	Expecting the opening tag
+		 * 	for the type being processed.
+		 * Phase 1:
+		 * 	Waiting for the closing XML tag.
+		 */
+		switch(tcv) {
+		case XCT_BOTH:
+			if(ctx->phase) break;
+			/* Finished decoding of an empty element */
+			XER_GOT_EMPTY();
+			ADVANCE(ch_size);
+			ctx->phase = 2;	/* Phase out */
+			RETURN(RC_OK);
+		case XCT_OPENING:
+			if(ctx->phase) break;
+			ADVANCE(ch_size);
+			ctx->phase = 1;	/* Processing body phase */
+			continue;
+		case XCT_CLOSING:
+			if(!ctx->phase) break;
+			ADVANCE(ch_size);
+			ctx->phase = 2;	/* Phase out */
+			RETURN(RC_OK);
+		case XCT_UNKNOWN_BO:
+			/*
+			 * Certain tags in the body may be expected.
+			 */
+			if(opt_unexpected_tag_decoder
+			&& opt_unexpected_tag_decoder(struct_key,
+					buf_ptr, ch_size) >= 0) {
+				/* Tag's processed fine */
+				ADVANCE(ch_size);
+				if(!ctx->phase) {
+					/* We are not expecting
+					 * the closing tag anymore. */
+					ctx->phase = 2;	/* Phase out */
+					RETURN(RC_OK);
+				}
+				continue;
+			}
+			/* Fall through */
+		default:
+			break;		/* Unexpected tag */
+		}
+
+		ASN_DEBUG("Unexpected XML tag (expected \"%s\")", xml_tag);
+		break;	/* Dark and mysterious things have just happened */
+	}
+
+	RETURN(RC_FAIL);
+}
+
+
+size_t
+xer_whitespace_span(const void *chunk_buf, size_t chunk_size) {
+	const char *p = (const char *)chunk_buf;
+	const char *pend = p + chunk_size;
+
+	for(; p < pend; p++) {
+		switch(*p) {
+		/* X.693, #8.1.4
+		 * HORISONTAL TAB (9)
+		 * LINE FEED (10) 
+		 * CARRIAGE RETURN (13) 
+		 * SPACE (32)
+		 */
+		case 0x09: case 0x0a: case 0x0d: case 0x20:
+			continue;
+		default:
+			break;
+		}
+		break;
+	}
+	return (p - (const char *)chunk_buf);
+}
+
+/*
+ * This is a vastly simplified, non-validating XML tree skipper.
+ */
+int
+xer_skip_unknown(xer_check_tag_e tcv, ber_tlv_len_t *depth) {
+	assert(*depth > 0);
+	switch(tcv) {
+	case XCT_BOTH:
+	case XCT_UNKNOWN_BO:
+		/* These negate each other. */
+		return 0;
+	case XCT_OPENING:
+	case XCT_UNKNOWN_OP:
+		++(*depth);
+		return 0;
+	case XCT_CLOSING:
+	case XCT_UNKNOWN_CL:
+		if(--(*depth) == 0)
+			return (tcv == XCT_CLOSING) ? 2 : 1;
+		return 0;
+	default:
+		return -1;
+	}
+}
--- a/asn1/asn1c/xer_decoder.h
+++ b/asn1/asn1c/xer_decoder.h
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_XER_DECODER_H_
+#define	_XER_DECODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * The XER decoder of any ASN.1 type. May be invoked by the application.
+ */
+asn_dec_rval_t xer_decode(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size		/* Size of data buffer */
+	);
+
+/*
+ * Type of the type-specific XER decoder function.
+ */
+typedef asn_dec_rval_t (xer_type_decoder_f)(asn_codec_ctx_t *opt_codec_ctx,
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void **struct_ptr,
+		const char *opt_mname,	/* Member name */
+		const void *buf_ptr, size_t size
+	);
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+/*
+ * Generalized function for decoding the primitive values.
+ * Used by more specialized functions, such as OCTET_STRING_decode_xer_utf8
+ * and others. This function should not be used by applications, as its API
+ * is subject to changes.
+ */
+asn_dec_rval_t xer_decode_general(asn_codec_ctx_t *opt_codec_ctx,
+	asn_struct_ctx_t *ctx,	/* Type decoder context */
+	void *struct_key,	/* Treated as opaque pointer */
+	const char *xml_tag,	/* Expected XML tag name */
+	const void *buf_ptr, size_t size,
+	int (*opt_unexpected_tag_decoder)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size),
+	ssize_t (*body_receiver)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size,
+			int have_more)
+	);
+
+
+/*
+ * Fetch the next XER (XML) token from the stream.
+ * The function returns the number of bytes occupied by the chunk type,
+ * returned in the _ch_type. The _ch_type is only set (and valid) when
+ * the return value is greater than 0.
+ */
+  typedef enum pxer_chunk_type {
+	PXER_TAG,	/* Complete XER tag */
+	PXER_TEXT,	/* Plain text between XER tags */
+	PXER_COMMENT	/* A comment, may be part of */
+  } pxer_chunk_type_e;
+ssize_t xer_next_token(int *stateContext,
+	const void *buffer, size_t size, pxer_chunk_type_e *_ch_type);
+
+/*
+ * This function checks the buffer against the tag name is expected to occur.
+ */
+  typedef enum xer_check_tag {
+	XCT_BROKEN	= 0,	/* The tag is broken */
+	XCT_OPENING	= 1,	/* This is the <opening> tag */
+	XCT_CLOSING	= 2,	/* This is the </closing> tag */
+	XCT_BOTH	= 3,	/* This is the <modified/> tag */
+	XCT__UNK__MASK	= 4,	/* Mask of everything unexpected */
+	XCT_UNKNOWN_OP	= 5,	/* Unexpected <opening> tag */
+	XCT_UNKNOWN_CL	= 6,	/* Unexpected </closing> tag */
+	XCT_UNKNOWN_BO	= 7	/* Unexpected <modified/> tag */
+  } xer_check_tag_e;
+xer_check_tag_e xer_check_tag(const void *buf_ptr, int size,
+		const char *need_tag);
+
+/*
+ * Get the number of bytes consisting entirely of XER whitespace characters.
+ * RETURN VALUES:
+ * >=0:	Number of whitespace characters in the string.
+ */
+size_t xer_whitespace_span(const void *chunk_buf, size_t chunk_size);
+
+/*
+ * Skip the series of anticipated extensions.
+ */
+int xer_skip_unknown(xer_check_tag_e tcv, ber_tlv_len_t *depth);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _XER_DECODER_H_ */
--- a/asn1/asn1c/xer_encoder.c
+++ b/asn1/asn1c/xer_encoder.c
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <stdio.h>
+#include <errno.h>
+
+/*
+ * The XER encoder of any type. May be invoked by the application.
+ */
+asn_enc_rval_t
+xer_encode(asn_TYPE_descriptor_t *td, void *sptr,
+	enum xer_encoder_flags_e xer_flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er, tmper;
+	const char *mname;
+	size_t mlen;
+	int xcan = (xer_flags & XER_F_CANONICAL) ? 1 : 2;
+
+	if(!td || !sptr) goto cb_failed;
+
+	mname = td->xml_tag;
+	mlen = strlen(mname);
+
+	_ASN_CALLBACK3("<", 1, mname, mlen, ">", 1);
+
+	tmper = td->xer_encoder(td, sptr, 1, xer_flags, cb, app_key);
+	if(tmper.encoded == -1) return tmper;
+
+	_ASN_CALLBACK3("</", 2, mname, mlen, ">\n", xcan);
+
+	er.encoded = 4 + xcan + (2 * mlen) + tmper.encoded;
+
+	_ASN_ENCODED_OK(er);
+cb_failed:
+	_ASN_ENCODE_FAILED;
+}
+
+/*
+ * This is a helper function for xer_fprint, which directs all incoming data
+ * into the provided file descriptor.
+ */
+static int
+xer__print2fp(const void *buffer, size_t size, void *app_key) {
+	FILE *stream = (FILE *)app_key;
+
+	if(fwrite(buffer, 1, size, stream) != size)
+		return -1;
+
+	return 0;
+}
+
+int
+xer_fprint(FILE *stream, asn_TYPE_descriptor_t *td, void *sptr) {
+	asn_enc_rval_t er;
+
+	if(!stream) stream = stdout;
+	if(!td || !sptr)
+		return -1;
+
+	er = xer_encode(td, sptr, XER_F_BASIC, xer__print2fp, stream);
+	if(er.encoded == -1)
+		return -1;
+
+	return fflush(stream);
+}
--- a/asn1/asn1c/xer_encoder.h
+++ b/asn1/asn1c/xer_encoder.h
@@ -0,0 +1,59 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_XER_ENCODER_H_
+#define	_XER_ENCODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/* Flags used by the xer_encode() and (*xer_type_encoder_f), defined below */
+enum xer_encoder_flags_e {
+	/* Mode of encoding */
+	XER_F_BASIC	= 0x01,	/* BASIC-XER (pretty-printing) */
+	XER_F_CANONICAL	= 0x02	/* Canonical XER (strict rules) */
+};
+
+/*
+ * The XER encoder of any type. May be invoked by the application.
+ */
+asn_enc_rval_t xer_encode(struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		enum xer_encoder_flags_e xer_flags,
+		asn_app_consume_bytes_f *consume_bytes_cb,
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+/*
+ * The variant of the above function which dumps the BASIC-XER (XER_F_BASIC)
+ * output into the chosen file pointer.
+ * RETURN VALUES:
+ * 	 0: The structure is printed.
+ * 	-1: Problem printing the structure.
+ * WARNING: No sensible errno value is returned.
+ */
+int xer_fprint(FILE *stream, struct asn_TYPE_descriptor_s *td, void *sptr);
+
+/*
+ * Type of the generic XER encoder.
+ */
+typedef asn_enc_rval_t (xer_type_encoder_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		int ilevel,		/* Level of indentation */
+		enum xer_encoder_flags_e xer_flags,
+		asn_app_consume_bytes_f *consume_bytes_cb,	/* Callback */
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _XER_ENCODER_H_ */
--- a/asn1/asn1c/xer_support.c
+++ b/asn1/asn1c/xer_support.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2003, 2004 X/IO Labs, xiolabs.com.
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * 	All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_system.h>
+#include <xer_support.h>
+
+/* Parser states */
+typedef enum {
+	ST_TEXT,
+	ST_TAG_START,
+	ST_TAG_BODY,
+	ST_TAG_QUOTE_WAIT,
+	ST_TAG_QUOTED_STRING,
+	ST_TAG_UNQUOTED_STRING,
+	ST_COMMENT_WAIT_DASH1,	/* "<!--"[1] */
+	ST_COMMENT_WAIT_DASH2,	/* "<!--"[2] */
+	ST_COMMENT,
+	ST_COMMENT_CLO_DASH2,	/* "-->"[0] */
+	ST_COMMENT_CLO_RT	/* "-->"[1] */
+} pstate_e;
+
+static pxml_chunk_type_e final_chunk_type[] = {
+	PXML_TEXT,
+	PXML_TAG_END,
+	PXML_COMMENT_END,
+	PXML_TAG_END,
+	PXML_COMMENT_END,
+};
+
+
+static int
+_charclass[256] = {
+	0,0,0,0,0,0,0,0, 0,1,1,0,1,1,0,0,
+	0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
+	1,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
+	2,2,2,2,2,2,2,2, 2,2,0,0,0,0,0,0,	/* 01234567 89       */
+	0,3,3,3,3,3,3,3, 3,3,3,3,3,3,3,3,	/*  ABCDEFG HIJKLMNO */
+	3,3,3,3,3,3,3,3, 3,3,3,0,0,0,0,0,	/* PQRSTUVW XYZ      */
+	0,3,3,3,3,3,3,3, 3,3,3,3,3,3,3,3,	/*  abcdefg hijklmno */
+	3,3,3,3,3,3,3,3, 3,3,3,0,0,0,0,0	/* pqrstuvw xyz      */
+};
+#define WHITESPACE(c)	(_charclass[(unsigned char)(c)] == 1)
+#define ALNUM(c)	(_charclass[(unsigned char)(c)] >= 2)
+#define ALPHA(c)	(_charclass[(unsigned char)(c)] == 3)
+
+/* Aliases for characters, ASCII/UTF-8 */
+#define	EXCLAM	0x21	/* '!' */
+#define	CQUOTE	0x22	/* '"' */
+#define	CDASH	0x2d	/* '-' */
+#define	CSLASH	0x2f	/* '/' */
+#define	LANGLE	0x3c	/* '<' */
+#define	CEQUAL	0x3d	/* '=' */
+#define	RANGLE	0x3e	/* '>' */
+#define	CQUEST	0x3f	/* '?' */
+
+/* Invoke token callback */
+#define	TOKEN_CB_CALL(type, _ns, _current_too, _final) do {	\
+		int _ret;					\
+		pstate_e ns  = _ns;				\
+		ssize_t _sz = (p - chunk_start) + _current_too;	\
+		if (!_sz) {					\
+			/* Shortcut */				\
+			state = _ns;				\
+			break;					\
+		}						\
+		_ret = cb(type, chunk_start, _sz, key);		\
+		if(_ret < _sz) {				\
+			if(_current_too && _ret == -1)		\
+				state = ns;			\
+			goto finish;				\
+		}						\
+		chunk_start = p + _current_too;			\
+		state = ns;					\
+	} while(0)
+
+#define TOKEN_CB(_type, _ns, _current_too)			\
+	TOKEN_CB_CALL(_type, _ns, _current_too, 0)
+
+#define TOKEN_CB_FINAL(_type, _ns, _current_too)		\
+	TOKEN_CB_CALL(final_chunk_type[_type], _ns, _current_too, 1)
+
+/*
+ * Parser itself
+ */
+ssize_t pxml_parse(int *stateContext, const void *xmlbuf, size_t size, pxml_callback_f *cb, void *key) {
+	pstate_e state = (pstate_e)*stateContext;
+	const char *chunk_start = (const char *)xmlbuf;
+	const char *p = chunk_start;
+	const char *end = p + size;
+
+	for(; p < end; p++) {
+	  int C = *(const unsigned char *)p;
+	  switch(state) {
+	  case ST_TEXT:
+		/*
+		 * Initial state: we're in the middle of some text,
+		 * or just have started.
+		 */
+		if (C == LANGLE) 
+			/* We're now in the tag, probably */
+			TOKEN_CB(PXML_TEXT, ST_TAG_START, 0);
+		break;
+	  case ST_TAG_START:
+		if (ALPHA(C) || (C == CSLASH))
+			state = ST_TAG_BODY;
+		else if (C == EXCLAM)
+			state = ST_COMMENT_WAIT_DASH1;
+		else 
+			/*
+			 * Not characters and not whitespace.
+			 * Must be something like "3 < 4".
+			 */
+			TOKEN_CB(PXML_TEXT, ST_TEXT, 1);/* Flush as data */
+		break;
+	  case ST_TAG_BODY:
+		switch(C) {
+		case RANGLE:
+			/* End of the tag */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TEXT, 1);
+			break;
+		case LANGLE:
+			/*
+			 * The previous tag wasn't completed, but still
+			 * recognized as valid. (Mozilla-compatible)
+			 */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TAG_START, 0);	
+			break;
+		case CEQUAL:
+			state = ST_TAG_QUOTE_WAIT;
+			break;
+		}
+		break;
+	  case ST_TAG_QUOTE_WAIT:
+		/*
+		 * State after the equal sign ("=") in the tag.
+		 */
+		switch(C) {
+		case CQUOTE:
+			state = ST_TAG_QUOTED_STRING;
+			break;
+		case RANGLE:
+			/* End of the tag */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TEXT, 1);
+			break;
+		default:
+			if(!WHITESPACE(C))
+				/* Unquoted string value */
+				state = ST_TAG_UNQUOTED_STRING;
+		}
+		break;
+	  case ST_TAG_QUOTED_STRING:
+		/*
+		 * Tag attribute's string value in quotes.
+		 */
+		if(C == CQUOTE) {
+			/* Return back to the tag state */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_TAG_UNQUOTED_STRING:
+		if(C == RANGLE) {
+			/* End of the tag */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TEXT, 1);
+		} else if(WHITESPACE(C)) {
+			/* Return back to the tag state */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_COMMENT_WAIT_DASH1:
+		if(C == CDASH) {
+			state = ST_COMMENT_WAIT_DASH2;
+		} else {
+			/* Some ordinary tag. */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_COMMENT_WAIT_DASH2:
+		if(C == CDASH) {
+			/* Seen "<--" */
+			state = ST_COMMENT;
+		} else {
+			/* Some ordinary tag */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_COMMENT:
+		if(C == CDASH) {
+			state = ST_COMMENT_CLO_DASH2;
+		}
+		break;
+	  case ST_COMMENT_CLO_DASH2:
+		if(C == CDASH) {
+			state = ST_COMMENT_CLO_RT;
+		} else {
+			/* This is not an end of a comment */
+			state = ST_COMMENT;
+		}
+		break;
+	  case ST_COMMENT_CLO_RT:
+		if(C == RANGLE) {
+			TOKEN_CB_FINAL(PXML_COMMENT, ST_TEXT, 1);
+		} else if(C == CDASH) {
+			/* Maintain current state, still waiting for '>' */
+		} else {
+			state = ST_COMMENT;
+		}
+		break;
+	  } /* switch(*ptr) */
+	} /* for() */
+
+	/*
+	 * Flush the partially processed chunk, state permitting.
+	 */
+	if(p - chunk_start) {
+		switch (state) {
+		case ST_COMMENT:
+			TOKEN_CB(PXML_COMMENT, state, 0);
+			break;
+		case ST_TEXT:
+			TOKEN_CB(PXML_TEXT, state, 0);
+			break;
+		default: break;	/* a no-op */
+		}
+	}
+
+finish:
+	*stateContext = (int)state;
+	return chunk_start - (const char *)xmlbuf;
+}
+
--- a/asn1/asn1c/xer_support.h
+++ b/asn1/asn1c/xer_support.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2003, 2004 X/IO Labs, xiolabs.com.
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_XER_SUPPORT_H_
+#define	_XER_SUPPORT_H_
+
+#include <asn_system.h>		/* Platform-specific types */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Types of data transferred to the application.
+ */
+typedef enum {
+	PXML_TEXT,	/* Plain text between XML tags. */
+	PXML_TAG,	/* A tag, starting with '<'. */
+	PXML_COMMENT,	/* An XML comment, including "<!--" and "-->". */
+	/* 
+	 * The following chunk types are reported if the chunk
+	 * terminates the specified XML element.
+	 */
+	PXML_TAG_END,		/* Tag ended */
+	PXML_COMMENT_END	/* Comment ended */
+} pxml_chunk_type_e;
+
+/*
+ * Callback function that is called by the parser when parsed data is
+ * available. The _opaque is the pointer to a field containing opaque user 
+ * data specified in pxml_create() call. The chunk type is _type and the text 
+ * data is the piece of buffer identified by _bufid (as supplied to
+ * pxml_feed() call) starting at offset _offset and of _size bytes size. 
+ * The chunk is NOT '\0'-terminated.
+ */
+typedef int (pxml_callback_f)(pxml_chunk_type_e _type,
+	const void *_chunk_data, size_t _chunk_size, void *_key);
+
+/*
+ * Parse the given buffer as it were a chunk of XML data.
+ * Invoke the specified callback each time the meaninful data is found.
+ * This function returns number of bytes consumed from the bufer.
+ * It will always be lesser than or equal to the specified _size.
+ * The next invocation of this function must account the difference.
+ */
+ssize_t pxml_parse(int *_stateContext, const void *_buf, size_t _size,
+	pxml_callback_f *cb, void *_key);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _XER_SUPPORT_H_ */
--- a/asn1/configure.ac
+++ b/asn1/configure.ac
@@ -0,0 +1,24 @@
+AC_PREREQ(2.59)
+m4_include(../version.m4)
+AC_INIT([ipa-server],
+        IPA_VERSION,
+        [https://hosted.fedoraproject.org/projects/freeipa/newticket])
+
+AC_CONFIG_HEADERS([config.h])
+AC_PROG_CC_C99
+LT_INIT
+
+AM_INIT_AUTOMAKE([foreign])
+
+AM_MAINTAINER_MODE
+
+AC_SUBST(VERSION)
+
+# Files
+
+AC_CONFIG_FILES([
+    Makefile
+    asn1c/Makefile
+])
+
+AC_OUTPUT
--- a/asn1/ipa_asn1.c
+++ b/asn1/ipa_asn1.c
@@ -0,0 +1,238 @@
+#include <stdbool.h>
+#include <sys/types.h>
+#include "ipa_asn1.h"
+#include "GetKeytabControl.h"
+
+static bool encode_GetKeytabControl(GetKeytabControl_t *gkctrl,
+                                    void **buf, size_t *len)
+{
+    asn_enc_rval_t rval;
+    char *buffer = NULL;
+    size_t buflen;
+    bool ret = false;
+
+    /* dry run to compute the size */
+    rval = der_encode(&asn_DEF_GetKeytabControl, gkctrl, NULL, NULL);
+    if (rval.encoded == -1) goto done;
+
+    buflen = rval.encoded;
+    buffer = malloc(buflen);
+    if (!buffer) goto done;
+
+    /* now for real */
+    rval = der_encode_to_buffer(&asn_DEF_GetKeytabControl,
+                                gkctrl, buffer, buflen);
+    if (rval.encoded == -1) goto done;
+
+    *buf = buffer;
+    *len = buflen;
+    ret = true;
+
+done:
+    if (!ret) {
+        free(buffer);
+    }
+    return ret;
+}
+
+bool ipaasn1_enc_getkt(bool newkt, const char *princ, const char *pwd,
+                       long *etypes, int numtypes, void **buf, size_t *len)
+{
+    GetKeytabControl_t gkctrl = { 0 };
+    bool ret = false;
+
+    if (newkt) {
+        gkctrl.present = GetKeytabControl_PR_newkeys;
+        if (OCTET_STRING_fromString(&gkctrl.choice.newkeys.serviceIdentity,
+                                    princ) != 0) goto done;
+
+        for (int i = 0; i < numtypes; i++) {
+            long *tmp;
+            tmp = malloc(sizeof(long));
+            if (!tmp) goto done;
+            *tmp = etypes[i];
+            ASN_SEQUENCE_ADD(&gkctrl.choice.newkeys.enctypes.list, tmp);
+        }
+
+        if (pwd) {
+            gkctrl.choice.newkeys.password =
+                OCTET_STRING_new_fromBuf(&asn_DEF_OCTET_STRING, pwd, -1);
+            if (!gkctrl.choice.newkeys.password) goto done;
+        }
+    } else {
+        gkctrl.present = GetKeytabControl_PR_curkeys;
+        if (OCTET_STRING_fromString(&gkctrl.choice.curkeys.serviceIdentity,
+                                    princ) != 0) goto done;
+    }
+
+    ret = encode_GetKeytabControl(&gkctrl, buf, len);
+
+done:
+    ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GetKeytabControl, &gkctrl);
+    return ret;
+}
+
+bool ipaasn1_enc_getktreply(int kvno, struct keys_container *keys,
+                            void **buf, size_t *len)
+{
+    GetKeytabControl_t gkctrl = { 0 };
+    bool ret = false;
+    KrbKey_t *KK;
+
+    gkctrl.present = GetKeytabControl_PR_reply;
+    gkctrl.choice.reply.newkvno = kvno;
+
+    for (int i = 0; i < keys->nkeys; i++) {
+        KK = calloc(1, sizeof(KrbKey_t));
+        if (!KK) goto done;
+        KK->key.type = keys->ksdata[i].key.enctype;
+        KK->key.value.buf = malloc(keys->ksdata[i].key.length);
+        if (!KK->key.value.buf) goto done;
+        memcpy(KK->key.value.buf,
+               keys->ksdata[i].key.contents, keys->ksdata[i].key.length);
+        KK->key.value.size = keys->ksdata[i].key.length;
+
+        if (keys->ksdata[i].salt.data != NULL) {
+            KK->salt = calloc(1, sizeof(TypeValuePair_t));
+            if (!KK->salt) goto done;
+            KK->salt->type = keys->ksdata[i].salttype;
+            KK->salt->value.buf = malloc(keys->ksdata[i].salt.length);
+            if (!KK->salt->value.buf) goto done;
+            memcpy(KK->salt->value.buf,
+                   keys->ksdata[i].salt.data, keys->ksdata[i].salt.length);
+            KK->salt->value.size = keys->ksdata[i].salt.length;
+        }
+
+        /* KK->key.s2kparams not used for now */
+
+        ASN_SEQUENCE_ADD(&gkctrl.choice.reply.keys.list, KK);
+    }
+
+    ret = encode_GetKeytabControl(&gkctrl, buf, len);
+    KK = NULL;
+
+done:
+    ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GetKeytabControl, &gkctrl);
+    if (KK) {
+        free(KK->key.value.buf);
+        if (KK->salt) {
+            free(KK->salt->value.buf);
+            free(KK->salt);
+        }
+        free(KK);
+    }
+    return ret;
+}
+
+static GetKeytabControl_t *decode_GetKeytabControl(void *buf, size_t len)
+{
+    GetKeytabControl_t *gkctrl = NULL;
+    asn_dec_rval_t rval;
+
+    rval = ber_decode(NULL, &asn_DEF_GetKeytabControl,
+                      (void **)&gkctrl, buf, len);
+    if (rval.code == RC_OK) {
+        return gkctrl;
+    }
+    return NULL;
+}
+
+bool ipaasn1_dec_getkt(void *buf, size_t len, bool *newkt,
+                       char **princ, char **pwd, long **etypes, int *numtypes)
+{
+    GetKeytabControl_t *gkctrl;
+    bool ret = false;
+    int num;
+
+    gkctrl = decode_GetKeytabControl(buf, len);
+    if (!gkctrl) return false;
+
+    switch (gkctrl->present) {
+    case GetKeytabControl_PR_newkeys:
+        *newkt = true;
+        *princ = strndup((char *)gkctrl->choice.newkeys.serviceIdentity.buf,
+                         gkctrl->choice.newkeys.serviceIdentity.size);
+        if (!*princ) goto done;
+
+        num = gkctrl->choice.newkeys.enctypes.list.count;
+        *etypes = malloc(num * sizeof(long));
+        *numtypes = 0;
+        if (!*etypes) goto done;
+        for (int i = 0; i < num; i++) {
+            (*etypes)[i] = *gkctrl->choice.newkeys.enctypes.list.array[i];
+            (*numtypes)++;
+        }
+
+        if (gkctrl->choice.newkeys.password) {
+            *pwd = strndup((char *)gkctrl->choice.newkeys.password->buf,
+                           gkctrl->choice.newkeys.password->size);
+            if (!*pwd) goto done;
+        }
+        break;
+    case GetKeytabControl_PR_curkeys:
+        *newkt = false;
+        *princ = strndup((char *)gkctrl->choice.curkeys.serviceIdentity.buf,
+                         gkctrl->choice.curkeys.serviceIdentity.size);
+        if (!*princ) goto done;
+        break;
+    default:
+        goto done;
+    }
+
+    ret = true;
+
+done:
+    ASN_STRUCT_FREE(asn_DEF_GetKeytabControl, gkctrl);
+    return ret;
+}
+
+bool ipaasn1_dec_getktreply(void *buf, size_t len,
+                            int *kvno, struct keys_container *keys)
+{
+    GetKeytabControl_t *gkctrl;
+    struct KrbKey *KK;
+    bool ret = false;
+    int nkeys;
+
+    gkctrl = decode_GetKeytabControl(buf, len);
+    if (!gkctrl) return false;
+
+    if (gkctrl->present != GetKeytabControl_PR_reply) goto done;
+
+    *kvno = gkctrl->choice.reply.newkvno;
+
+    nkeys = gkctrl->choice.reply.keys.list.count;
+
+    keys->nkeys = 0;
+    keys->ksdata = calloc(nkeys, sizeof(struct krb_key_salt));
+    if (!keys->ksdata) goto done;
+
+    for (int i = 0; i < nkeys; i++) {
+        KK = gkctrl->choice.reply.keys.list.array[i];
+        keys->ksdata[i].enctype = KK->key.type;
+        keys->ksdata[i].key.enctype = KK->key.type;
+        keys->ksdata[i].key.contents = malloc(KK->key.value.size);
+        if (!keys->ksdata[i].key.contents) goto done;
+        memcpy(keys->ksdata[i].key.contents,
+               KK->key.value.buf, KK->key.value.size);
+        keys->ksdata[i].key.length = KK->key.value.size;
+
+        if (KK->salt) {
+            keys->ksdata[i].salttype = KK->salt->type;
+            keys->ksdata[i].salt.data = malloc(KK->salt->value.size);
+            if (!keys->ksdata[i].salt.data) goto done;
+            memcpy(keys->ksdata[i].salt.data,
+                   KK->salt->value.buf, KK->salt->value.size);
+            keys->ksdata[i].salt.length = KK->salt->value.size;
+        }
+
+        /* KK->s2kparams is ignored for now */
+        keys->nkeys++;
+    }
+
+    ret = true;
+
+done:
+    ASN_STRUCT_FREE(asn_DEF_GetKeytabControl, gkctrl);
+    return ret;
+}
--- a/asn1/ipa_asn1.h
+++ b/asn1/ipa_asn1.h
@@ -0,0 +1,73 @@
+#pragma once
+
+#include "ipa_krb5.h"
+
+/**
+ * @brief Encodes a Get Keytab Request Control
+ *
+ * @param newkt     Whether this is a New Key request or a Current Key one
+ * @param princ     The principal the keys belong to (this is required)
+ * @param pwd       Optional, only for New Key reqs, the password to use to
+ *                  create the new keys
+ * @param etypes    Optional, only for New Key reqs, list of desired
+ *                  enctypes
+ * @param numtypes  Optional, Number of desired enctypes in etypes
+ * @param buf       A void pointer wil lcontain pointer to an allocated
+ *                  buffer with the serialized control, must be freed
+ * @param len       Length of the returned buffer
+ *
+ * @return          True on success or False on failure
+ */
+bool ipaasn1_enc_getkt(bool newkt, const char *princ, const char *pwd,
+                       long *etypes, int numtypes, void **buf, size_t *len);
+
+/**
+ * @brief Encodes a Get Keytab Reply Control
+ *
+ * @param kvno      The new key version number
+ * @param keys      A set of keys to return to the caller
+ * @param buf       A void pointer wil lcontain pointer to an allocated
+ *                  buffer with the serialized control, must be freed
+ * @param len       Length of the returned buffer
+ *
+ * @return          True on success or False on failure
+ */
+bool ipaasn1_enc_getktreply(int kvno, struct keys_container *keys,
+                            void **buf, size_t *len);
+
+/**
+ * @brief Decodes a Get Keytab Requst Control
+ *
+ * @param buf       A pointer to the serialized buffer
+ * @param len       The lenght of the buffer
+ * @param newkt     Returns whether this is a New Key or Current Key request
+ * @param princ     Returns the principal the keys belong to.
+ * @param pwd       Optional: The password to use to create keys
+ * @param etypes    Optional: The desired enctypes
+ * @param numtypes  Optional: Number of desired enctypes in etypes
+ *
+ * @return          True on success or False on failure
+ *
+ * NOTE: princ, pwd, etypes and numtypes should be zeroed before being
+ *       passed in input, and the caller may need to free them even in
+ *       case of failure.
+ */
+bool ipaasn1_dec_getkt(void *buf, size_t len, bool *newkt,
+                       char **princ, char **pwd,
+                       long **etypes, int *numtypes);
+
+/**
+ * @brief Decodes a Get Keytab Reply Control
+ *
+ * @param buf       A pointer to the serialized buffer
+ * @param len       The lenght of the buffer
+ * @param kvno      The new key version number
+ * @param keys      A set of keys generated by the server
+ *
+ * @return          True on success or False on failure
+ *
+ * NOTE: keys should be a zeroed structure and the caller may need to free
+ *       it even in case of failure.
+ */
+bool ipaasn1_dec_getktreply(void *buf, size_t len,
+                            int *kvno, struct keys_container *keys);
--- a/checks/check-ra.py
+++ b/checks/check-ra.py
@@ -30,6 +30,7 @@ server.  I don't exactly remember the steps, so ping him for help.

    --jderose 2009-02-13
 """
+from __future__ import print_function

 from os import path
 import sys
@@ -37,7 +38,7 @@ parent = path.dirname(path.dirname(path.abspath(__file__)))
 sys.path.insert(0, parent)
 verbose = True

-from base64 import b64encode, b64decode
+from base64 import b64decode
 from ipalib import api

 subject = u'CN=vm-070.idm.lab.bos.redhat.com'
@@ -72,16 +73,15 @@ api.finalize()
 ra = api.Backend.ra

 def assert_equal(trial, reference):
-    keys = reference.keys()
-    keys.sort()
+    keys = sorted(reference)
    for key in keys:
        reference_val = reference[key]
        trial_val = trial[key]

-        if reference_decode.has_key(key):
+        if key in reference_decode:
            reference_val = reference_decode[key](reference_val)

-        if trial_decode.has_key(key):
+        if key in trial_decode:
            trial_val = trial_decode[key](trial_val)

        assert reference_val == trial_val, \
@@ -90,15 +90,15 @@ def assert_equal(trial, reference):


 api.log.info('******** Testing ra.request_certificate() ********')
-request_result = ra.request_certificate(csr)
-if verbose: print "request_result=\n%s" % request_result
+request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE, None)
+if verbose: print("request_result=\n%s" % request_result)
 assert_equal(request_result,
             {'subject' : subject,
              })

 api.log.info('******** Testing ra.check_request_status() ********')
 status_result = ra.check_request_status(request_result['request_id'])
-if verbose: print "status_result=\n%s" % status_result
+if verbose: print("status_result=\n%s" % status_result)
 assert_equal(status_result,
             {'serial_number'       : request_result['serial_number'],
              'request_id'          : request_result['request_id'],
@@ -107,7 +107,7 @@ assert_equal(status_result,

 api.log.info('******** Testing ra.get_certificate() ********')
 get_result = ra.get_certificate(request_result['serial_number'])
-if verbose: print "get_result=\n%s" % get_result
+if verbose: print("get_result=\n%s" % get_result)
 assert_equal(get_result,
             {'serial_number' : request_result['serial_number'],
              'certificate'   : request_result['certificate'],
@@ -116,7 +116,7 @@ assert_equal(get_result,
 api.log.info('******** Testing ra.revoke_certificate() ********')
 revoke_result = ra.revoke_certificate(request_result['serial_number'],
                                      revocation_reason=6)  # Put on hold
-if verbose: print "revoke_result=\n%s" % revoke_result
+if verbose: print("revoke_result=\n%s" % revoke_result)
 assert_equal(revoke_result,
             {'revoked' : True
              })
@@ -124,7 +124,7 @@ assert_equal(revoke_result,

 api.log.info('******** Testing ra.take_certificate_off_hold() ********')
 unrevoke_result = ra.take_certificate_off_hold(request_result['serial_number'])
-if verbose: print "unrevoke_result=\n%s" % unrevoke_result
+if verbose: print("unrevoke_result=\n%s" % unrevoke_result)
 assert_equal(unrevoke_result,
             {'unrevoked' : True
              })
--- a/ipa-client/Makefile.am
+++ b/ipa-client/Makefile.am
@@ -14,22 +14,27 @@ export AM_CFLAGS

 KRB5_UTIL_DIR=../util
 KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+ASN1_UTIL_DIR=../asn1
+IPA_CONF_FILE=$(sysconfdir)/ipa/default.conf

 AM_CPPFLAGS =							\
 	-I.							\
 	-I$(srcdir)						\
 	-I$(KRB5_UTIL_DIR)					\
+	-I$(ASN1_UTIL_DIR)					\
 	-DPREFIX=\""$(prefix)"\" 				\
 	-DBINDIR=\""$(bindir)"\"				\
 	-DLIBDIR=\""$(libdir)"\" 				\
 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
 	-DDATADIR=\""$(datadir)"\"				\
 	-DLOCALEDIR=\""$(localedir)"\"				\
+	-DIPACONFFILE=\""$(IPA_CONF_FILE)"\"			\
 	$(KRB5_CFLAGS)						\
 	$(OPENLDAP_CFLAGS)					\
 	$(SASL_CFLAGS)						\
 	$(POPT_CFLAGS)						\
 	$(WARN_CFLAGS)						\
+	$(INI_CFLAGS)						\
 	$(NULL)

 sbin_PROGRAMS =			\
@@ -38,6 +43,12 @@ sbin_PROGRAMS =			\
 	ipa-join		\
 	$(NULL)

+sbin_SCRIPTS =			\
+	ipa-client-install	\
+	ipa-client-automount	\
+	ipa-certupdate		\
+	$(NULL)
+
 ipa_getkeytab_SOURCES =		\
 	ipa-getkeytab.c		\
 	ipa-client-common.c	\
@@ -45,11 +56,13 @@ ipa_getkeytab_SOURCES =		\
 	$(NULL)

 ipa_getkeytab_LDADD = 		\
+	../asn1/libipaasn1.la	\
 	$(KRB5_LIBS)		\
 	$(OPENLDAP_LIBS)	\
 	$(SASL_LIBS)		\
 	$(POPT_LIBS)		\
 	$(LIBINTL_LIBS)         \
+	$(INI_LIBS)		\
 	$(NULL)

 ipa_rmkeytab_SOURCES =		\
@@ -80,20 +93,12 @@ ipa_join_LDADD = 		\
 	$(NULL)

 SUBDIRS =			\
-	ipaclient		\
-	ipa-install		\
+	../asn1			\
 	man			\
 	$(NULL)

 EXTRA_DIST =			\
-	ipa-client.spec		\
-	COPYING			\
-	AUTHORS			\
-	INSTALL			\
-	README			\
-	HACKING			\
-	NEWS			\
-	ChangeLog		\
+	$(sbin_SCRIPTS)		\
 	$(NULL)

 DISTCLEANFILES =		\
@@ -117,26 +122,5 @@ MAINTAINERCLEANFILES =		\
 	config.h.*		\
 	aclocal.m4		\
 	version.m4		\
-	ipa-client.spec		\
-	py-compile		\
 	$(NULL)

-# Creating ChangeLog from hg log (taken from cairo/Makefile.am):
-
-ChangeLog: $(srcdir)/ChangeLog
-
-$(srcdir)/ChangeLog:
-	@if test -d "$(srcdir)/../.hg"; then \
-	  (cd "$(srcdir)" && \
-	  ./missing --run hg log --verbose) | fmt --split-only > $@.tmp \
-	  && mv -f $@.tmp $@ \
-	  || ($(RM) $@.tmp; \
-	      echo Failed to generate ChangeLog, your ChangeLog may be outdated >&2; \
-	      (test -f $@ || echo hg log is required to generate this file >> $@)); \
-	else \
-	  test -f $@ || \
-	  (echo A hg checkout and hg -log is required to generate ChangeLog >&2 && \
-	  echo A hg checkout and hg log is required to generate this file >> $@); \
-	fi
-
-.PHONY: ChangeLog $(srcdir)/ChangeLog
--- a/ipa-client/config.c
+++ b/ipa-client/config.c
--- a/ipa-client/configure.ac
+++ b/ipa-client/configure.ac
@@ -3,11 +3,10 @@ m4_include(version.m4)
 AC_INIT([ipa-client],
        IPA_VERSION,
        [https://hosted.fedoraproject.org/projects/freeipa/newticket])
-LT_INIT()
-AC_PROG_LIBTOOL
+LT_INIT

-AC_CONFIG_SRCDIR([ipaclient/__init__.py])
 AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_SUBDIRS([../asn1])

 AM_INIT_AUTOMAKE([foreign])

@@ -139,18 +138,6 @@ AC_CHECK_HEADER(sasl/sasl.h, [], [AC_MSG_ERROR([sasl/sasl.h not found])])
 AC_CHECK_LIB(sasl2, sasl_client_init, [SASL_LIBS="-lsasl2"])
 AC_SUBST(SASL_LIBS)

-dnl ---------------------------------------------------------------------------
-dnl - Check for Python
-dnl ---------------------------------------------------------------------------
-
-AC_MSG_NOTICE([Checking for Python])
-have_python=no
-AM_PATH_PYTHON(2.3)
-
-if test "x$PYTHON" = "x" ; then
-  AC_MSG_ERROR([Python not found])
-fi
-
 dnl ---------------------------------------------------------------------------
 dnl - Check for CURL
 dnl ---------------------------------------------------------------------------
@@ -190,6 +177,34 @@ fi
 LIBS="$SAVELIBS"
 AC_SUBST(LIBINTL_LIBS)

+dnl ---------------------------------------------------------------------------
+dnl - Check for libini_config
+dnl ---------------------------------------------------------------------------
+PKG_CHECK_MODULES([LIBINI_CONFIG], [ini_config >= 1.2.0], [have_libini_config=1], [have_libini_config=])
+if test x$have_libini_config = x; then
+    AC_MSG_WARN([Could not find LIBINI_CONFIG headers])
+else
+    INI_CONFIG_CFLAGS="`$PKG_CONFIG --cflags ini_config`"
+    INI_CONFIG_LIBS="`$PKG_CONFIG --libs ini_config`"
+    AC_CHECK_LIB(ini_config, ini_config_file_open, [],
+                 [AC_MSG_WARN([ini_config library must support ini_config_file_open])],
+                 [$INI_CONFIG_LIBS])
+    AC_CHECK_LIB(ini_config, ini_config_augment, [],
+                 [AC_MSG_WARN([ini_config library must support ini_config_augment])],
+                 [$INI_CONFIG_LIBS])
+fi
+
+if test x$have_libini_config = x1; then
+    INI_CFLAGS="$INI_CONFIG_CFLAGS"
+    INI_LIBS="$INI_CONFIG_LIBS"
+else
+    AC_MSG_ERROR([ini_config development packages not available])
+fi
+
+AC_SUBST(INI_LIBS)
+AC_SUBST(INI_CFLAGS)
+
+
 dnl ---------------------------------------------------------------------------
 dnl - Set the data install directory since we don't use pkgdatadir
 dnl ---------------------------------------------------------------------------
@@ -205,8 +220,7 @@ dnl ---------------------------------------------------------------------------

 AC_CONFIG_FILES([
    Makefile
-    ipaclient/Makefile
-    ipa-install/Makefile
+    ../asn1/Makefile
    man/Makefile
 ])

--- a/client/ipa-certupdate
+++ b/client/ipa-certupdate
@@ -1,5 +1,5 @@
-# Authors:
-#   Tomas Babej <tbabej@redhat.com>
+#! /usr/bin/python2 -E
+# Authors: Jan Cholasta <jcholast@redhat.com>
 #
 # Copyright (C) 2014  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -16,7 +16,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#

-'''
-Module containing platform-specific functionality for every platform.
-'''
+from ipaclient.ipa_certupdate import CertUpdate
+
+CertUpdate.run_cli()
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -21,13 +21,16 @@
 #
 # Configure the automount client for ldap.

+from __future__ import print_function
+
 import sys
 import os
-import urlparse
 import time
 import tempfile
+import gssapi

 import SSSDConfig
+from six.moves.urllib.parse import urlsplit

 from optparse import OptionParser
 from ipalib import api, errors
@@ -35,17 +38,13 @@ from ipapython import sysrestore
 from ipapython import ipautil
 from ipaclient import ipadiscovery
 from ipaclient import ipachangeconf
-from ipapython.ipa_log_manager import *
+from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython.dn import DN
+from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform import services
 from ipaplatform.paths import paths

-AUTOFS_CONF = paths.SYSCONFIG_AUTOFS
-NSSWITCH_CONF = paths.NSSWITCH_CONF
-AUTOFS_LDAP_AUTH = paths.AUTOFS_LDAP_AUTH_CONF
-NFS_CONF = paths.SYSCONFIG_NFS
-IDMAPD_CONF = paths.IDMAPD_CONF

 def parse_options():
    usage = "%prog [options]\n"
@@ -81,7 +80,7 @@ def wait_for_sssd():
        try:
            ipautil.run(["getent", "passwd", "admin@%s" % api.env.realm])
            found = True
-        except Exception, e:
+        except Exception as e:
            time.sleep(1)
            n = n + 1

@@ -90,30 +89,30 @@ def wait_for_sssd():
        err_msg = ("Unable to find 'admin' user with "
                   "'getent passwd admin@%s'!" % api.env.realm)
        root_logger.debug(err_msg)
-        print err_msg
-        print "This may mean that sssd didn't re-start properly after the configuration changes."
+        print(err_msg)
+        print("This may mean that sssd didn't re-start properly after the configuration changes.")

 def configure_xml(fstore):
    from lxml import etree

-    fstore.backup_file(AUTOFS_LDAP_AUTH)
+    fstore.backup_file(paths.AUTOFS_LDAP_AUTH_CONF)

    try:
-        f = open(AUTOFS_LDAP_AUTH, 'r')
+        f = open(paths.AUTOFS_LDAP_AUTH_CONF, 'r')
        lines = f.read()
        f.close()

        saslconf = etree.fromstring(lines)
        element = saslconf.xpath('//autofs_ldap_sasl_conf')
        root = saslconf.getroottree()
-    except IOError, e:
+    except IOError as e:
        root_logger.debug('Unable to open file %s' % e)
        root_logger.debug('Creating new from template')
        element = [etree.Element('autofs_ldap_sasl_conf')]
        root = element[0].getroottree()

    if len(element) != 1:
-        raise RuntimeError('Unable to parse %s' % AUTOFS_LDAP_AUTH)
+        raise RuntimeError('Unable to parse %s' % paths.AUTOFS_LDAP_AUTH_CONF)

    element[0].set('usetls', 'no')
    element[0].set('tlsrequired', 'no')
@@ -121,20 +120,20 @@ def configure_xml(fstore):
    element[0].set('authtype', 'GSSAPI')
    element[0].set('clientprinc', 'host/%s@%s' % (api.env.host, api.env.realm))

-    newconf = open(AUTOFS_LDAP_AUTH, 'w')
+    newconf = open(paths.AUTOFS_LDAP_AUTH_CONF, 'w')
    try:
        root.write(newconf, pretty_print=True, xml_declaration=True, encoding='UTF-8')
        newconf.close()
-    except IOError, e:
-        print "Unable to write %s: %s" % (AUTOFS_LDAP_AUTH, e)
-    print "Configured %s" % AUTOFS_LDAP_AUTH
+    except IOError as e:
+        print("Unable to write %s: %s" % (paths.AUTOFS_LDAP_AUTH_CONF, e))
+    print("Configured %s" % paths.AUTOFS_LDAP_AUTH_CONF)

 def configure_nsswitch(fstore, options):
    """
    Point automount to ldap in nsswitch.conf. This function is for non-SSSD
    setups only
    """
-    fstore.backup_file(NSSWITCH_CONF)
+    fstore.backup_file(paths.NSSWITCH_CONF)

    conf = ipachangeconf.IPAChangeConf("IPA Installer")
    conf.setOptionAssignment(':')
@@ -144,16 +143,16 @@ def configure_nsswitch(fstore, options):
    opts = [{'name':'automount', 'type':'option', 'action':'set', 'value':nss_value},
            {'name':'empty', 'type':'empty'}]

-    conf.changeConf(NSSWITCH_CONF, opts)
+    conf.changeConf(paths.NSSWITCH_CONF, opts)

-    print "Configured %s" % NSSWITCH_CONF
+    print("Configured %s" % paths.NSSWITCH_CONF)

 def configure_autofs_sssd(fstore, statestore, autodiscover, options):
    try:
        sssdconfig = SSSDConfig.SSSDConfig()
        sssdconfig.import_config()
        domains = sssdconfig.list_active_domains()
-    except Exception, e:
+    except Exception as e:
        sys.exit(e)

    try:
@@ -195,7 +194,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):

    sssd = services.service('sssd')
    sssd.restart()
-    print "Restarting sssd, waiting for it to become available."
+    print("Restarting sssd, waiting for it to become available.")
    wait_for_sssd()

 def configure_autofs(fstore, statestore, autodiscover, server, options):
@@ -221,11 +220,11 @@ def configure_autofs(fstore, statestore, autodiscover, server, options):
    }

    ipautil.backup_config_and_replace_variables(fstore,
-        AUTOFS_CONF, replacevars=replacevars)
-    tasks.restore_context(AUTOFS_CONF)
+        paths.SYSCONFIG_AUTOFS, replacevars=replacevars)
+    tasks.restore_context(paths.SYSCONFIG_AUTOFS)
    statestore.backup_state('autofs', 'sssd', False)

-    print "Configured %s" % AUTOFS_CONF
+    print("Configured %s" % paths.SYSCONFIG_AUTOFS)

 def configure_autofs_common(fstore, statestore, options):
    autofs = services.knownservices.autofs
@@ -233,27 +232,27 @@ def configure_autofs_common(fstore, statestore, options):
    statestore.backup_state('autofs', 'running', autofs.is_running())
    try:
        autofs.restart()
-        print "Started %s" % autofs.service_name
-    except Exception, e:
+        print("Started %s" % autofs.service_name)
+    except Exception as e:
        root_logger.error("%s failed to restart: %s", autofs.service_name, e)
    try:
        autofs.enable()
-    except Exception, e:
-        print "Failed to configure automatic startup of the %s daemon" % (autofs.service_name)
+    except Exception as e:
+        print("Failed to configure automatic startup of the %s daemon" % (autofs.service_name))
        root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (autofs.service_name, str(e)))

 def uninstall(fstore, statestore):
-    print "Restoring configuration"
-    if fstore.has_file(AUTOFS_CONF):
-        fstore.restore_file(AUTOFS_CONF)
-    if fstore.has_file(NSSWITCH_CONF):
-        fstore.restore_file(NSSWITCH_CONF)
-    if fstore.has_file(AUTOFS_LDAP_AUTH):
-        fstore.restore_file(AUTOFS_LDAP_AUTH)
-    if fstore.has_file(NFS_CONF):
-        fstore.restore_file(NFS_CONF)
-    if fstore.has_file(IDMAPD_CONF):
-        fstore.restore_file(IDMAPD_CONF)
+    print("Restoring configuration")
+    if fstore.has_file(paths.SYSCONFIG_AUTOFS):
+        fstore.restore_file(paths.SYSCONFIG_AUTOFS)
+    if fstore.has_file(paths.NSSWITCH_CONF):
+        fstore.restore_file(paths.NSSWITCH_CONF)
+    if fstore.has_file(paths.AUTOFS_LDAP_AUTH_CONF):
+        fstore.restore_file(paths.AUTOFS_LDAP_AUTH_CONF)
+    if fstore.has_file(paths.SYSCONFIG_NFS):
+        fstore.restore_file(paths.SYSCONFIG_NFS)
+    if fstore.has_file(paths.IDMAPD_CONF):
+        fstore.restore_file(paths.IDMAPD_CONF)
    if statestore.has_state('autofs'):
        enabled = statestore.restore_state('autofs', 'enabled')
        running = statestore.restore_state('autofs', 'running')
@@ -284,8 +283,8 @@ def uninstall(fstore, statestore):
                sssd = services.service('sssd')
                sssd.restart()
                wait_for_sssd()
-            except Exception, e:
-                print 'Unable to restore SSSD configuration: %s' % str(e)
+            except Exception as e:
+                print('Unable to restore SSSD configuration: %s' % str(e))
                root_logger.debug('Unable to restore SSSD configuration: %s' % str(e))
    if statestore.has_state('rpcidmapd'):
        enabled = statestore.restore_state('rpcidmapd', 'enabled')
@@ -311,35 +310,45 @@ def configure_nfs(fstore, statestore):
    Configure secure NFS
    """
    replacevars = {
-        'SECURE_NFS': 'yes',
+        constants.SECURE_NFS_VAR: 'yes',
    }
    ipautil.backup_config_and_replace_variables(fstore,
-        NFS_CONF, replacevars=replacevars)
-    tasks.restore_context(NFS_CONF)
+        paths.SYSCONFIG_NFS, replacevars=replacevars)
+    tasks.restore_context(paths.SYSCONFIG_NFS)

-    print "Configured %s" % NFS_CONF
+    print("Configured %s" % paths.SYSCONFIG_NFS)

-    replacevars = {
-        'Domain': api.env.domain,
-    }
-    ipautil.backup_config_and_replace_variables(fstore,
-        IDMAPD_CONF, replacevars=replacevars)
-    tasks.restore_context(IDMAPD_CONF)
+    # Prepare the changes
+    # We need to use IPAChangeConf as simple regexp substitution
+    # does not cut it here
+    conf = ipachangeconf.IPAChangeConf("IPA automount installer")
+    conf.case_insensitive_sections = False
+    conf.setOptionAssignment(" = ")
+    conf.setSectionNameDelimiters(("[", "]"))

-    print "Configured %s" % IDMAPD_CONF
+    changes = [conf.setOption('Domain', api.env.domain)]
+    section_with_changes = [conf.setSection('General', changes)]
+
+    # Backup the file and apply the changes
+    fstore.backup_file(paths.IDMAPD_CONF)
+    conf.changeConf(paths.IDMAPD_CONF, section_with_changes)
+
+    tasks.restore_context(paths.IDMAPD_CONF)
+
+    print("Configured %s" % paths.IDMAPD_CONF)

    rpcidmapd = services.knownservices.rpcidmapd
    statestore.backup_state('rpcidmapd', 'enabled', rpcidmapd.is_enabled())
    statestore.backup_state('rpcidmapd', 'running', rpcidmapd.is_running())
    try:
        rpcidmapd.restart()
-        print "Started %s" % rpcidmapd.service_name
-    except Exception, e:
+        print("Started %s" % rpcidmapd.service_name)
+    except Exception as e:
        root_logger.error("%s failed to restart: %s", rpcidmapd.service_name, e)
    try:
        rpcidmapd.enable()
-    except Exception, e:
-        print "Failed to configure automatic startup of the %s daemon" % (rpcidmapd.service_name)
+    except Exception as e:
+        print("Failed to configure automatic startup of the %s daemon" % (rpcidmapd.service_name))
        root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcidmapd.service_name, str(e)))

    rpcgssd = services.knownservices.rpcgssd
@@ -347,13 +356,13 @@ def configure_nfs(fstore, statestore):
    statestore.backup_state('rpcgssd', 'running', rpcgssd.is_running())
    try:
        rpcgssd.restart()
-        print "Started %s" % rpcgssd.service_name
-    except Exception, e:
+        print("Started %s" % rpcgssd.service_name)
+    except Exception as e:
        root_logger.error("%s failed to restart: %s", rpcgssd.service_name, e)
    try:
        rpcgssd.enable()
-    except Exception, e:
-        print "Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name)
+    except Exception as e:
+        print("Failed to configure automatic startup of the %s daemon" % (rpcgssd.service_name))
        root_logger.error("Failed to enable automatic startup of the %s daemon: %s" % (rpcgssd.service_name, str(e)))

 def main():
@@ -369,6 +378,9 @@ def main():
        paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
        filemode='a', console_format='%(message)s')

+    if options.uninstall:
+        return uninstall(fstore, statestore)
+
    cfg = dict(
        context='cli_installer',
        in_server=False,
@@ -379,8 +391,9 @@ def main():
    api.bootstrap(**cfg)
    api.finalize()

-    if options.uninstall:
-        return uninstall(fstore, statestore)
+    ca_cert_path = None
+    if os.path.exists(paths.IPA_CA_CRT):
+        ca_cert_path = paths.IPA_CA_CRT

    if statestore.has_state('autofs'):
        sys.exit('automount is already configured on this system.\n')
@@ -389,12 +402,12 @@ def main():
    servers = []
    ds = ipadiscovery.IPADiscovery()
    if not options.server:
-        print "Searching for IPA server..."
-        ret = ds.search()
+        print("Searching for IPA server...")
+        ret = ds.search(ca_cert_path=ca_cert_path)
        root_logger.debug('Executing DNS discovery')
        if ret == ipadiscovery.NO_LDAP_SERVER:
            root_logger.debug('Autodiscovery did not find LDAP server')
-            s = urlparse.urlsplit(api.env.xmlrpc_uri)
+            s = urlsplit(api.env.xmlrpc_uri)
            server = [s.netloc]
            root_logger.debug('Setting server to %s' % s.netloc)
        else:
@@ -406,54 +419,57 @@ def main():
    else:
        server = options.server
        root_logger.debug("Verifying that %s is an IPA server" % server)
-        ldapret = ds.ipacheckldap(server, api.env.realm)
+        ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path)
        if ldapret[0] == ipadiscovery.NO_ACCESS_TO_LDAP:
-            print "Anonymous access to the LDAP server is disabled."
-            print "Proceeding without strict verification."
-            print "Note: This is not an error if anonymous access has been explicitly restricted."
+            print("Anonymous access to the LDAP server is disabled.")
+            print("Proceeding without strict verification.")
+            print("Note: This is not an error if anonymous access has been explicitly restricted.")
+        elif ldapret[0] == ipadiscovery.NO_TLS_LDAP:
+            root_logger.warning("Unencrypted access to LDAP is not supported.")
        elif ldapret[0] != 0:
            sys.exit('Unable to confirm that %s is an IPA server' % server)

    if not autodiscover:
-        print "IPA server: %s" % server
+        print("IPA server: %s" % server)
        root_logger.debug('Using fixed server %s' % server)
    else:
-        print "IPA server: DNS discovery"
+        print("IPA server: DNS discovery")
        root_logger.debug('Configuring to use DNS discovery')

    search_base = str(DN(('cn', options.location), api.env.container_automount, api.env.basedn))
-    print "Location: %s" % options.location
+    print("Location: %s" % options.location)
    root_logger.debug('Using automount location %s' % options.location)

-    # Verify that the location is valid
-    (ccache_fd, ccache_name) = tempfile.mkstemp()
-    os.close(ccache_fd)
+    ccache_dir = tempfile.mkdtemp()
+    ccache_name = os.path.join(ccache_dir, 'ccache')
    try:
        try:
+            host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
+            ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
            os.environ['KRB5CCNAME'] = ccache_name
-            ipautil.run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB, 'host/%s@%s' % (api.env.host, api.env.realm)])
-        except ipautil.CalledProcessError, e:
-            sys.exit("Failed to obtain host TGT.")
+        except gssapi.exceptions.GSSError as e:
+            sys.exit("Failed to obtain host TGT: %s" % e)
        # Now we have a TGT, connect to IPA
        try:
            api.Backend.rpcclient.connect()
-        except errors.KerberosError, e:
+        except errors.KerberosError as e:
            sys.exit('Cannot connect to the server due to ' + str(e))
        try:
            # Use the RPC directly so older servers are supported
            result = api.Backend.rpcclient.forward(
                'automountlocation_show',
-                unicode(options.location),
+                ipautil.fsdecode(options.location),
                version=u'2.0',
            )
-        except errors.VersionError, e:
+        except errors.VersionError as e:
            sys.exit('This client is incompatible: ' + str(e))
        except errors.NotFound:
            sys.exit("Automount location '%s' does not exist" % options.location)
-        except errors.PublicError, e:
+        except errors.PublicError as e:
            sys.exit("Cannot connect to the server due to generic error: %s" % str(e))
    finally:
        os.remove(ccache_name)
+        os.rmdir(ccache_dir)

    if not options.unattended and not ipautil.user_input("Continue to configure the system with these values?", False):
        sys.exit("Installation aborted")
@@ -468,9 +484,9 @@ def main():
            configure_xml(fstore)
            configure_autofs(fstore, statestore, autodiscover, server, options)
        configure_autofs_common(fstore, statestore, options)
-    except Exception, e:
+    except Exception as e:
        root_logger.debug('Raised exception %s' % e)
-        print "Installation failed. Rolling back changes."
+        print("Installation failed. Rolling back changes.")
        uninstall(fstore, statestore)
        return 1

@@ -481,9 +497,9 @@ try:
        sys.exit("\nMust be run as root\n")

    sys.exit(main())
-except SystemExit, e:
+except SystemExit as e:
    sys.exit(e)
-except RuntimeError, e:
+except RuntimeError as e:
    sys.exit(e)
 except (KeyboardInterrupt, EOFError):
    sys.exit(1)
--- a/ipa-client/ipa-client-common.c
+++ b/ipa-client/ipa-client-common.c
--- a/ipa-client/ipa-client-common.h
+++ b/ipa-client/ipa-client-common.h
@@ -17,8 +17,7 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

-#ifndef __IPA_CLIENT_COMMON_H
-#define __IPA_CLIENT_COMMON_H
+#pragma once

 #include <libintl.h>
 #define _(STRING) gettext(STRING)
@@ -29,5 +28,3 @@
 #endif

 int init_gettext(void);
-
-#endif /* __IPA_CLIENT_COMMON_H */
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -36,10 +36,12 @@
 #include <ldap.h>
 #include <sasl/sasl.h>
 #include <popt.h>
+#include <ini_configobj.h>

 #include "config.h"

 #include "ipa_krb5.h"
+#include "ipa_asn1.h"
 #include "ipa-client-common.h"

 static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
@@ -265,14 +267,18 @@ static int ipa_ldap_extended_op(LDAP *ld, const char *reqoid,
        return ret;
    }

-    /* wait max 10 secs for the answer */
-    tv.tv_sec = 10;
+    /* wait max 100 secs for the answer */
+    tv.tv_sec = 100;
    tv.tv_usec = 0;
    ret = ldap_result(ld, msgid, 1, &tv, &res);
    if (ret == -1) {
        fprintf(stderr, _("Failed to get result: %s\n"), ldap_err2string(ret));
        goto done;
    }
+    else if (res == NULL) {
+        fprintf(stderr, _("Timeout exceeded."));
+        goto done;
+    }

    ret = ldap_parse_extended_result(ld, res, &retoid, &retdata, 0);
    if (ret != LDAP_SUCCESS) {
@@ -295,14 +301,15 @@ done:
    return ret;
 }

-static BerElement *get_control_data(LDAPControl **list, const char *repoid)
+static int find_control_data(LDAPControl **list, const char *repoid,
+                             struct berval *data)
 {
    LDAPControl *control = NULL;
    int i;

    if (!list) {
        fprintf(stderr, _("Missing reply control list!\n"));
-        return NULL;
+        return LDAP_OPERATIONS_ERROR;
    }

    for (i = 0; list[i]; i++) {
@@ -312,10 +319,22 @@ static BerElement *get_control_data(LDAPControl **list, const char *repoid)
    }
    if (!control) {
        fprintf(stderr, _("Missing reply control!\n"));
-        return NULL;
+        return LDAP_OPERATIONS_ERROR;
    }

-    return ber_init(&control->ldctl_value);
+    *data = control->ldctl_value;
+    return LDAP_SUCCESS;
+}
+
+static BerElement *get_control_data(LDAPControl **list, const char *repoid)
+{
+    struct berval data;
+    int ret;
+
+    ret = find_control_data(list, repoid, &data);
+    if (ret != LDAP_SUCCESS) return NULL;
+
+    return ber_init(&data);
 }

 static int ldap_set_keytab(krb5_context krbctx,
@@ -435,124 +454,42 @@ error_out:
 	return -1;
 }

-/* Format of getkeytab control
- *
- * KeytabGetRequest ::= CHOICE {
- *     newkeys      [0] Newkeys,
- *     curkeys      [1] CurrentKeys,
- *     reply        [2] Reply
- * }
- *
- * NewKeys ::= SEQUENCE {
- *     serviceIdentity [0] OCTET STRING,
- *     enctypes        [1] SEQUENCE OF Int16
- *     password        [2] OCTET STRING OPTIONAL,
- * }
- *
- * CurrentKeys ::= SEQUENCE {
- *     serviceIdentity [0] OCTET STRING,
- * }
- *
- * Reply ::= SEQUENCE {
- *     new_kvno        Int32
- *     keys            SEQUENCE OF KrbKey,
- * }
- *
- * KrbKey ::= SEQUENCE {
- *     key       [0] EncryptionKey,
- *     salt      [1] KrbSalt OPTIONAL,
- *     s2kparams [2] OCTET STRING OPTIONAL,
- * }
- *
- * EncryptionKey ::= SEQUENCE {
- *     keytype   [0] Int32,
- *     keyvalue  [1] OCTET STRING
- * }
- *
- * KrbSalt ::= SEQUENCE {
- *     type      [0] Int32,
- *     salt      [1] OCTET STRING
- * }
- */
-
-#define GK_REQUEST_NEWKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
-#define GK_REQUEST_CURKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_SVCNAME_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_ENCTYPES_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_PASSWORD_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
-
+/* use asn1c generated code to fill up control */
 static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
                                               const char *password,
                                               struct krb_key_salt *encsalts,
                                               int num_encsalts)
 {
-    struct berval *bval = NULL;
-    BerElement *be;
-    ber_tag_t ctag;
-    ber_int_t e;
-    int ret, i;
-
-    be = ber_alloc_t(LBER_USE_DER);
-    if (!be) {
-        return NULL;
-    }
+    struct berval *result = NULL;
+    void *buffer = NULL;
+    size_t buflen;
+    long ets[num_encsalts];
+    bool ret;
+    int i;

    if (gen) {
-        ctag = GK_REQUEST_NEWKEYS;
-    } else {
-        ctag = GK_REQUEST_CURKEYS;
-    }
-
-    ret = ber_printf(be, "t{ts", ctag, GKREQ_SVCNAME_TAG, svc_princ);
-    if (ret == -1) {
-        ber_free(be, 1);
-        goto done;
-    }
-
-    if (gen) {
-        ret = ber_printf(be, "t{", GKREQ_ENCTYPES_TAG);
-        if (ret == -1) {
-            ber_free(be, 1);
-            goto done;
-        }
        for (i = 0; i < num_encsalts; i++) {
-            e = encsalts[i].enctype;
-            ret = ber_printf(be, "i", e);
-            if (ret == -1) {
-                ber_free(be, 1);
-                goto done;
-            }
-        }
-        ret = ber_printf(be, "}");
-        if (ret == -1) {
-            ber_free(be, 1);
-            goto done;
-        }
-
-        if (password) {
-            ret = ber_printf(be, "ts", GKREQ_PASSWORD_TAG, password);
-            if (ret == -1) {
-                ber_free(be, 1);
-                goto done;
-            }
+            ets[i] = encsalts[i].enctype;
        }
    }
+    ret = ipaasn1_enc_getkt(gen, svc_princ,
+                            password, ets, num_encsalts,
+                            &buffer, &buflen);
+    if (!ret) goto done;

-    ret = ber_printf(be, "}");
-    if (ret == -1) {
-        ber_free(be, 1);
-        goto done;
-    }
+    result = malloc(sizeof(struct berval));
+    if (!result) goto done;

-    ret = ber_flatten(be, &bval);
-    if (ret == -1) {
-        ber_free(be, 1);
-        goto done;
-    }
+    result->bv_val = buffer;
+    result->bv_len = buflen;

 done:
-    ber_free(be, 1);
-    return bval;
+    if (result == NULL) {
+        if (buffer) {
+            free(buffer);
+        }
+    }
+    return result;
 }

 #define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
@@ -571,13 +508,8 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
    struct berval *control = NULL;
    LDAP *ld = NULL;
    LDAPControl **srvctrl = NULL;
-    BerElement *ber = NULL;
-    ber_tag_t rtag;
-    ber_tag_t ctag;
-    ber_len_t tlen;
-    ber_int_t vno;
-    ber_int_t tint;
-    struct berval tbval;
+    struct berval data;
+    bool res;
    int ret;

    *err_msg = NULL;
@@ -609,98 +541,19 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
        goto done;
    }

-    ber = get_control_data(srvctrl, KEYTAB_GET_OID);
-    if (!ber) {
-        *err_msg = _("Failed to find or parse reply control!\n");
+    ret = find_control_data(srvctrl, KEYTAB_GET_OID, &data);
+    if (ret != LDAP_SUCCESS) goto done;
+
+    res = ipaasn1_dec_getktreply(data.bv_val, data.bv_len, kvno, keys);
+    if (!res) {
+        *err_msg = _("Failed to decode control reply!\n");
        ret = LDAP_OPERATIONS_ERROR;
        goto done;
    }

-    rtag = ber_scanf(ber, "t{i{", &ctag, &vno);
-    if (rtag == LBER_ERROR || ctag != GK_REPLY_TAG) {
-        *err_msg = _("Failed to parse control head!\n");
-        ret = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
-    keys->nkeys = 0;
-    keys->ksdata = NULL;
-
-    rtag = ber_peek_tag(ber, &tlen);
-    for (int i = 0; rtag == LBER_SEQUENCE; i++) {
-        if ((i % 5) == 0) {
-            struct krb_key_salt *ksdata;
-            ksdata = realloc(keys->ksdata,
-                             (i + 5) * sizeof(struct krb_key_salt));
-            if (!ksdata) {
-                *err_msg = _("Out of memory!\n");
-                ret = LDAP_OPERATIONS_ERROR;
-                goto done;
-            }
-            keys->ksdata = ksdata;
-        }
-        memset(&keys->ksdata[i], 0, sizeof(struct krb_key_salt));
-        keys->nkeys = i + 1;
-
-        rtag = ber_scanf(ber, "{t{io}", &ctag, &tint, &tbval);
-        if (rtag == LBER_ERROR || ctag != GKREP_KEY_TAG) {
-            *err_msg = _("Failed to parse enctype in key data!\n");
-            ret = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-        keys->ksdata[i].enctype = tint;
-        keys->ksdata[i].key.enctype = tint;
-        keys->ksdata[i].key.length = tbval.bv_len;
-        keys->ksdata[i].key.contents = malloc(tbval.bv_len);
-        if (!keys->ksdata[i].key.contents) {
-            *err_msg = _("Out of memory!\n");
-            ret = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-        memcpy(keys->ksdata[i].key.contents, tbval.bv_val, tbval.bv_len);
-        ber_memfree(tbval.bv_val);
-
-        rtag = ber_peek_tag(ber, &tlen);
-        if (rtag == GKREP_SALT_TAG) {
-            rtag = ber_scanf(ber, "t{io}", &ctag, &tint, &tbval);
-            if (rtag == LBER_ERROR) {
-                *err_msg = _("Failed to parse salt in key data!\n");
-                ret = LDAP_OPERATIONS_ERROR;
-                goto done;
-            }
-            keys->ksdata[i].salttype = tint;
-            keys->ksdata[i].salt.length = tbval.bv_len;
-            keys->ksdata[i].salt.data = malloc(tbval.bv_len);
-            if (!keys->ksdata[i].salt.data) {
-                *err_msg = _("Out of memory!\n");
-                ret = LDAP_OPERATIONS_ERROR;
-                goto done;
-            }
-            memcpy(keys->ksdata[i].salt.data, tbval.bv_val, tbval.bv_len);
-            ber_memfree(tbval.bv_val);
-        }
-        rtag = ber_scanf(ber, "}");
-        if (rtag == LBER_ERROR) {
-            *err_msg = _("Failed to parse ending of key data!\n");
-            ret = LDAP_OPERATIONS_ERROR;
-            goto done;
-        }
-
-        rtag = ber_peek_tag(ber, &tlen);
-    }
-
-    rtag = ber_scanf(ber, "}}");
-    if (rtag == LBER_ERROR) {
-        *err_msg = _("Failed to parse ending of control!\n");
-        ret = LDAP_OPERATIONS_ERROR;
-        goto done;
-    }
-
-    *kvno = vno;
    ret = LDAP_SUCCESS;

 done:
-    if (ber) ber_free(ber, 1);
    if (ld) ldap_unbind_ext(ld, NULL, NULL);
    if (control) ber_bvfree(control);
    free(es);
@@ -748,6 +601,81 @@ static char *ask_password(krb5_context krbctx)
    return password;
 }

+struct ipa_config {
+    const char *server_name;
+};
+
+static int config_from_file(struct ini_cfgobj *cfgctx)
+{
+    struct ini_cfgfile *fctx = NULL;
+    char **errors = NULL;
+    int ret;
+
+    ret = ini_config_file_open(IPACONFFILE, 0, &fctx);
+    if (ret) {
+        fprintf(stderr, _("Failed to open config file %s\n"), IPACONFFILE);
+        return ret;
+    }
+
+    ret = ini_config_parse(fctx,
+                           INI_STOP_ON_ANY,
+                           INI_MS_MERGE | INI_MV1S_ALLOW | INI_MV2S_ALLOW,
+                           INI_PARSE_NOWRAP,
+                           cfgctx);
+    if (ret) {
+        fprintf(stderr, _("Failed to parse config file %s\n"), IPACONFFILE);
+        if (ini_config_error_count(cfgctx)) {
+            ini_config_get_errors(cfgctx, &errors);
+            if (errors) {
+                ini_config_print_errors(stderr, errors);
+                ini_config_free_errors(errors);
+            }
+        }
+        ini_config_file_destroy(fctx);
+        return ret;
+    }
+
+    ini_config_file_destroy(fctx);
+    return 0;
+}
+
+int read_ipa_config(struct ipa_config **ipacfg)
+{
+    struct ini_cfgobj *cfgctx = NULL;
+    struct value_obj *obj = NULL;
+    int ret;
+
+    *ipacfg = calloc(1, sizeof(struct ipa_config));
+    if (!*ipacfg) {
+        return ENOMEM;
+    }
+
+    ret = ini_config_create(&cfgctx);
+    if (ret) {
+        return ENOENT;
+    }
+
+    ret = config_from_file(cfgctx);
+    if (ret) {
+        ini_config_destroy(cfgctx);
+        return EINVAL;
+    }
+
+    ret = ini_get_config_valueobj("global", "server", cfgctx,
+                                  INI_GET_LAST_VALUE, &obj);
+    if (ret != 0 || obj == NULL) {
+        /* if called on an IPA server we need to look for 'host' instead */
+        ret = ini_get_config_valueobj("global", "host", cfgctx,
+                                      INI_GET_LAST_VALUE, &obj);
+    }
+
+    if (ret == 0 && obj != NULL) {
+        (*ipacfg)->server_name = ini_get_string_config_value(obj, &ret);
+    }
+
+    return 0;
+}
+
 int main(int argc, const char *argv[])
 {
 	static const char *server = NULL;
@@ -794,7 +722,7 @@ int main(int argc, const char *argv[])
 	char *password = NULL;
 	krb5_context krbctx;
 	krb5_ccache ccache;
-	krb5_principal uprinc;
+	krb5_principal uprinc = NULL;
 	krb5_principal sprinc;
 	krb5_error_code krberr;
 	struct keys_container keys = { 0 };
@@ -805,7 +733,7 @@ int main(int argc, const char *argv[])

    ret = init_gettext();
    if (ret) {
-        exit(1);
+        fprintf(stderr, "Failed to load translations\n");
    }

 	krberr = krb5_init_context(&krbctx);
@@ -840,7 +768,7 @@ int main(int argc, const char *argv[])
 		exit (0);
 	}

-	if (ret != -1 || !server || !principal || !keytab || permitted_enctypes) {
+	if (ret != -1 || !principal || !keytab || permitted_enctypes) {
 		if (!quiet) {
 			poptPrintUsage(pc, stderr, 0);
 		}
@@ -855,6 +783,21 @@ int main(int argc, const char *argv[])
 		exit(10);
 	}

+    if (!server) {
+        struct ipa_config *ipacfg = NULL;
+
+        ret = read_ipa_config(&ipacfg);
+        if (ret == 0) {
+            server = ipacfg->server_name;
+            ipacfg->server_name = NULL;
+        }
+        free(ipacfg);
+        if (!server) {
+            fprintf(stderr, _("Server name not provided and unavailable\n"));
+            exit(2);
+        }
+    }
+
    if (askpass && retrieve) {
        fprintf(stderr, _("Incompatible options provided (-r and -P)\n"));
        exit(2);
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -208,8 +208,11 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
    struct berval bindpw_bv;

    if (debug) {
-        ldapdebug=2;
+        ldapdebug = 2;
        ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
+        if (ret != LDAP_OPT_SUCCESS) {
+            goto fail;
+        }
    }

    if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
@@ -463,14 +466,12 @@ static int
 join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bindpw, const char *basedn, const char **princ, const char **subject, int quiet)
 {
    LDAP *ld;
-    char *filter = NULL;
    int rval = 0;
    char *oidresult = NULL;
    struct berval valrequest;
    struct berval *valresult = NULL;
    int rc, ret;
    char *ldap_base = NULL;
-    char *search_base = NULL;

    *binddn = NULL;
    *princ = NULL;
@@ -542,16 +543,12 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
    *princ = strdup(valresult->bv_val);

 ldap_done:
-
-    free(filter);
-    free(search_base);
-    free(ldap_base);
-
    if (ld != NULL) {
        ldap_unbind_ext(ld, NULL, NULL);
    }

 done:
+    free(ldap_base);
    if (valresult) ber_bvfree(valresult);
    if (oidresult) free(oidresult);
    return rval;
@@ -815,7 +812,8 @@ unenroll_host(const char *server, const char *hostname, const char *ktname, int
        if (!quiet)
            fprintf(stderr, _("Error parsing \"%1$s\": %2$s.\n"),
                            principal, error_message(krberr));
-        return krberr;
+        rval = 4;
+        goto cleanup;
    }
    strcpy(tgs, KRB5_TGS_NAME);
    snprintf(tgs + strlen(tgs), sizeof(tgs) - strlen(tgs), "/%.*s",
@@ -833,7 +831,8 @@ unenroll_host(const char *server, const char *hostname, const char *ktname, int
        if (!quiet)
            fprintf(stderr, _("Error obtaining initial credentials: %s.\n"),
                    error_message(krberr));
-        return krberr;
+        rval = 19;
+        goto cleanup;
    }

    krberr = krb5_cc_resolve(krbctx, "MEMORY:ipa-join", &ccache);
@@ -852,7 +851,8 @@ unenroll_host(const char *server, const char *hostname, const char *ktname, int
            fprintf(stderr,
                    _("Error storing creds in credential cache: %s.\n"),
                    error_message(krberr));
-        return krberr;
+        rval = 19;
+        goto cleanup;
    }
    krb5_cc_close(krbctx, ccache);
    ccache = NULL;
@@ -914,6 +914,7 @@ cleanup:

    free(user_agent);
    if (keytab) krb5_kt_close(krbctx, keytab);
+    free(host);
    free((char *)principal);
    free((char *)ipaserver);
    if (princ) krb5_free_principal(krbctx, princ);
@@ -1129,7 +1130,7 @@ main(int argc, const char **argv) {

    ret = init_gettext();
    if (ret) {
-        exit(2);
+        fprintf(stderr, "Failed to load translations\n");
    }

    pc = poptGetContext("ipa-join", argc, (const char **)argv, options, 0);
--- a/ipa-client/ipa-rmkeytab.c
+++ b/ipa-client/ipa-rmkeytab.c
@@ -168,10 +168,10 @@ main(int argc, const char **argv)
        { "debug", 'd', POPT_ARG_NONE, &debug, 0,
          _("Print debugging information"), _("Debugging output") },
        { "principal", 'p', POPT_ARG_STRING, &principal, 0,
-          _("The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
+          _("The principal to remove from the keytab (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
          _("Kerberos Service Principal Name") },
        { "keytab", 'k', POPT_ARG_STRING, &keytab, 0,
-          _("File were to store the keytab information"), _("Keytab File Name") },
+          _("The keytab file to remove the principcal(s) from"), _("Keytab File Name") },
        { "realm", 'r', POPT_ARG_STRING, &realm, 0,
          _("Remove all principals in this realm"), _("Realm name") },
        POPT_AUTOHELP
@@ -180,7 +180,7 @@ main(int argc, const char **argv)

    ret = init_gettext();
    if (ret) {
-        exit(1);
+        fprintf(stderr, "Failed to load translations\n");
    }

    memset(&ktid, 0, sizeof(ktid));
--- a/ipa-client/man/Makefile.am
+++ b/ipa-client/man/Makefile.am
@@ -9,6 +9,7 @@ man1_MANS = 				\
 		ipa-rmkeytab.1		\
 		ipa-client-install.1	\
 		ipa-client-automount.1	\
+		ipa-certupdate.1	\
 		ipa-join.1

 man5_MANS =				\
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -47,14 +47,14 @@ Valid lines consist of an option name, an equals sign and a value. Spaces surrou

 Values should not be quoted, the quotes will not be stripped.

-.np
+.DS L
    # Wrong \- don't include quotes
    verbose = "True"

    # Right \- Properly formatted options
    verbose = True
    verbose=True
-.fi
+.DE

 Options must appear in the section named [global]. There are no other sections defined or used currently.

@@ -66,16 +66,16 @@ The following options are relevant for the server:
 Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
 .TP
 .B ca_agent_port <port>
-Specifies the secure CA agent port. The default is 9443 for Dogtag 9, and 8443 for Dogtag 10.
+Specifies the secure CA agent port. The default is 8443.
 .TP
 .B ca_ee_port <port>
-Specifies the secure CA end user port. The default is 9444 for Dogtag 9, and 8443 for Dogtag 10.
+Specifies the secure CA end user port. The default is 8443.
 .TP
 .B ca_host <hostname>
 Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
 .TP
 .B ca_port <port>
-Specifies the insecure CA end user port. The default is 9180 for Dogtag 9, and 8080 for Dogtag 10.
+Specifies the insecure CA end user port. The default is 8080.
 .TP
 .B context <context>
 Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
@@ -96,7 +96,7 @@ Specifies whether the CA is acting as an RA agent, such as when dogtag is being
 Specifies whether an IPA client should attempt to fall back and try other services if the first connection fails.
 .TP
 .B host <hostname>
-Specifies the hostname of the IPA server. This value is used to construct URL values on the client and server.
+Specifies the local system hostname.
 .TP
 .B in_server <boolean>
 Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
@@ -140,7 +140,7 @@ Note: logger names are a dot ('.') separated list forming a path
 in the logger tree.  The dot character is also a regular
 expression metacharacter (matches any character) therefore you
 will usually need to escape the dot in the logger names by
-preceeding it with a backslash.
+preceding it with a backslash.
 .TP
 .B mode <mode>
 Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.
@@ -164,7 +164,10 @@ Specifies the length of time authentication credentials cached in the session ar
 Specifies how the expiration of a session is computed. With \fBinactivity_timeout\fR the expiration time is advanced by the value of session_auth_duration everytime the user accesses the service. With \fBfrom_start\fR the session expiration is the start of the user's session plus the value of session_auth_duration.
 .TP
 .B server <hostname>
-Specifies the IPA Server hostname. This option is deprecated.
+Specifies the IPA Server hostname.
+.TP
+.B skip_version_check <boolean>
+Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution.
 .TP
 .B startup_timeout <time in seconds>
 Controls the amount of time waited when starting a service. The default value is 120 seconds.
@@ -221,6 +224,7 @@ The following define the containers for the IPA server. Containers define where
  container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
  container_sudorule: cn=sudorules,cn=sudo
  container_user: cn=users,cn=accounts
+  container_vault: cn=vaults,cn=kra
  container_virtual: cn=virtual operations,cn=etc

 .SH "FILES"
--- a/client/man/ipa-certupdate.1
+++ b/client/man/ipa-certupdate.1
@@ -0,0 +1,39 @@
+.\" A man page for ipa-certupdate
+.\" Copyright (C) 2014 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Jan Cholasta <jcholast@redhat.com>
+.\"
+.TH "ipa-certupdate" "1" "Jul 2 2014" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-certupdate \- Update local IPA certificate databases with certificates from the server
+.SH "SYNOPSIS"
+\fBipa\-certupdate\fR [\fIOPTIONS\fR...]
+.SH "DESCRIPTION"
+\fBipa\-certupdate\fR can be used to update local IPA certificate databases with certificates from the server.
+.SH "OPTIONS"
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Print debugging information.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Output only errors.
+.TP
+\fB\-\-log\-file\fR=\fIFILE\fR
+Log to the given file.
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
--- a/Show More
+++ b/Show More