Imported Debian patch 4.7.2-3

Imported Upstream version 4.7.2
2021-08-09 20:54:13 +02:00 · 2021-08-09 20:54:00 +02:00
2298 changed files with 1802095 additions and 333181 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,77 +0,0 @@
-# In-tree build files
-configure
-config.h
-config.h.in
-Makefile
-Makefile.in
-.deps/
-.libs/
-*.la
-*.lo
-*.log
-*.o
-*.trs
-version.m4
-aclocal.m4
-autom4te.cache/
-config.guess
-config.log
-config.status
-config.sub
-depcomp
-install-sh
-ltmain.sh
-missing
-stamp-h1
-libtool
-build/
-
-# Python compilation
-*.pyc
-py-compile
-
-# Developer documentation
-freeipa2-dev-doc
-~/doc/guide/Makefile
-
-# Root directory
-/freeipa.spec
-!/Makefile
-/dist/
-/RELEASE
-/rpmbuild/
-
-# Subdirectories
-/daemons/ipa-otpd/ipa-otpd
-/daemons/ipa-otpd/ipa-otpd.socket
-/daemons/ipa-otpd/ipa-otpd@.service
-/daemons/ipa-version.h
-/daemons/test-driver
-
-/install/po/test.po
-/install/po/test_locale/xh_ZA/LC_MESSAGES/ipa.mo
-!/install/ui/doc/Makefile.in
-/install/ui/release
-/install/ui/css/ipa.css
-/install/ui/src/dojo
-/install/ui/src/build
-/install/ui/src/libs/loader.js
-/install/ui/src/plugins
-!/install/ui/doc/Makefile
-
-/ipa-client/ipa-client.spec
-/ipa-client/ipa-getkeytab
-/ipa-client/ipa-join
-/ipa-client/ipa-rmkeytab
-
-/ipatests/setup.py
-
-/ipapython/setup.py
-/ipapython/version.py
-!/ipapython/Makefile
-!/ipapython/py_default_encoding/Makefile
-
-/ipaplatform/setup.py
-/ipaplatform/tasks.py
-/ipaplatform/services.py
-/ipaplatform/paths.py
--- a/.mailmap
+++ b/.mailmap
@ -2,6 +2,8 @@ Ana Krivokapić  <akrivoka@redhat.com>  Ana Krivokapic <akrivoka@redhat.com>
 Adam Misnyovszki <amisnyov@redhat.com> <amisnyov@redhat.com>
 Endi Sukma Dewata <edewata@redhat.com>   System Administrator <root@dhcp-100-3-211.bos.redhat.com>
 Endi Sukma Dewata <edewata@redhat.com>
+Gabe Alford     <redhatrises@gmail.com>
+Ganna Kaihorodova <gkaihoro@redhat.com> <gkaihoro@example.com>
 Jan Zelený      <jzeleny@redhat.com>
 Jim Meyering    <meyering@redhat.com>  <jim@meyering.net>
 John Dennis     <jdennis@redhat.com>   <jdennis@VAIO>
@ -22,6 +24,8 @@ Lubomír Rintel  <lubo.rintel@gooddata.com> Lubomir Rintel <lubo.rintel@gooddata
 Lukáš Slebodník <lslebodn@redhat.com>
 Martin Bašti    <mbasti@redhat.com>
 Martin Košek    <mkosek@redhat.com>
+Tomáš Křížek    <tkrizek@redhat.com>
+Milan Kubík     <mkubik@redhat.com>
 Martin Nagy     <mnagy@redhat.com>     <mnagy@notas.(none)>
 Nathaniel McCallum <npmccallum@redhat.com> <nathaniel@themccallums.org>
 Nalin Dahyabhai <nalin@redhat.com>     <nalin@dahyabhai.net>
@ -34,6 +38,8 @@ Pavel Zůna      <pzuna@redhat.com>     <root@testbox.winry>
 Pavel Zůna      <pzuna@redhat.com>     <root@webui.pzuna>
 Petr Špaček     <pspacek@redhat.com>
 Petr Voborník   <pvoborni@redhat.com>
+Pavel Vomáčka   <pvomacka@redhat.com>
+Pavel Vomáčka   <pvomacka@redhat.com>  tester <test@example.com>
 Rich Megginson  <rmeggins@redhat.com>  <rich@localhost.localdomain>
 Rob Crittenden  <rcritten@redhat.com>
 Rob Crittenden  <rcritten@redhat.com>  <rcrit@ike.greyoak.com>
@ -46,6 +52,11 @@ Rob Crittenden  <rcritten@redhat.com>  <rcrit@tove.greyoak.com>
 Simo Sorce      <ssorce@redhat.com>    <simo@redhat.com>
 Sumit Bose      <sbose@redhat.com>     <sbose@ipa17-devel.ipa17.devel>
 Sumit Bose      <sbose@redhat.com>     <sbose@ipa18-devel.ipa18.devel>
+Tibor Dudlák    <tdudlak@redhat.com>   <tibor.dudlak@gmail.com>
+Thierry Bordaz  <tbordaz@redhat.com>
+Thierry Bordaz  <tbordaz@redhat.com>   <root@vm-205.idm.lab.eng.brq.redhat.com>
+Thierry Bordaz  <tbordaz@redhat.com>   <root@vm-035.idm.lab.eng.brq.redhat.com>
+Thierry Bordaz  <tbordaz@redhat.com>   <root@vm-058-107.abc.idm.lab.eng.brq.redhat.com>
 Tomáš Babej     <tbabej@redhat.com>
 Tomáš Babej     <tbabej@redhat.com>    <tomasbabej@gmail.com>
 William Jon McCann <mccann@jhu.edu>    <mccann@jhu.edu>
--- a/.tx/config
+++ b/.tx/config
@ -1,8 +0,0 @@
-[main]
-host = https://www.transifex.com
-
-[freeipa.ipa]
-file_filter = install/po/<lang>.po
-source_file = install/po/ipa.pot
-source_lang = en
-
--- a/.wheelconstraints.in
+++ b/.wheelconstraints.in
@ -0,0 +1,13 @@
+# placeholder
+freeipa == @VERSION@
+ipa == @VERSION@
+# actual packages
+ipaclient == @VERSION@
+ipalib == @VERSION@
+ipaplatform == @VERSION@
+ipapython == @VERSION@
+ipaserver == @VERSION@
+ipatests == @VERSION@
+
+# upstream pylint 1.7.5 fixed bad python3 import of stat module
+pylint >= 1.7.5
--- a/1282
+++ b/1282
--- a/ACI.txt
+++ b/ACI.txt
@ -22,8 +22,46 @@ dn: cn=automount,dc=ipa,dc=example
 aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Delete CA ACL";allow (delete) groupdn = "ldap:///cn=System: Delete CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "hostcategory || ipacacategory || ipacertprofilecategory || ipamemberca || ipamembercertprofile || memberhost || memberservice || memberuser || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Manage CA ACL Membership";allow (write) groupdn = "ldap:///cn=System: Manage CA ACL Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=caacls,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Import Certificate Profile";allow (add) groupdn = "ldap:///cn=System: Import Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Add Group Password Policy costemplate";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
@ -33,27 +71,43 @@ aci: (targetattr = "cospriority")(targetfilter = "(objectclass=costemplate)")(ve
 dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbpwdpolicyreference || modifytimestamp || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || entryusn || idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "createtimestamp || entryusn || idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh || ipadnsversion || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Read DNS Configuration";allow (read) groupdn = "ldap:///cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "idnsallowsyncptr || idnsforwarders || idnsforwardpolicy || idnspersistentsearch || idnszonerefresh")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsConfigObject)")(version 3.0;acl "permission:System: Write DNS Configuration";allow (write) groupdn = "ldap:///cn=System: Write DNS Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
+aci: (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || idnssubstitutionvariable")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || idnsforwarders || idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable || modifytimestamp || objectclass")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Read DNS Servers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add DNS Entries";allow (add) groupdn = "ldap:///cn=System: Add DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretkeyref || ipawrappingkey || ipawrappingmech || ipk11allowedmechanisms || ipk11alwaysauthenticate || ipk11alwayssensitive || ipk11checkvalue || ipk11copyable || ipk11decrypt || ipk11derive || ipk11destroyable || ipk11distrusted || ipk11encrypt || ipk11enddate || ipk11extractable || ipk11id || ipk11keygenmechanism || ipk11keytype || ipk11label || ipk11local || ipk11modifiable || ipk11neverextractable || ipk11private || ipk11publickeyinfo || ipk11sensitive || ipk11sign || ipk11signrecover || ipk11startdate || ipk11subject || ipk11trusted || ipk11uniqueid || ipk11unwrap || ipk11unwraptemplate || ipk11verify || ipk11verifyrecover || ipk11wrap || ipk11wraptemplate || ipk11wrapwithtrusted || objectclass")(target = "ldap:///cn=keys,cn=sec,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Manage DNSSEC keys";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example")(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Add Groups";allow (add) groupdn = "ldap:///cn=System: Add Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ipaexternalmember")(targetfilter = "(objectclass=ipaexternalgroup)")(version 3.0;acl "permission:System: Modify External Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify External Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(&(!(cn=admins))(objectclass=ipausergroup))")(version 3.0;acl "permission:System: Modify Group Membership";allow (write) groupdn = "ldap:///cn=System: Modify Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description || gidnumber || ipauniqueid || mepmanagedby || objectclass")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Modify Groups";allow (write) groupdn = "ldap:///cn=System: Modify Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=groups,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ipaexternalmember")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read External Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gidnumber || memberuid || modifytimestamp || objectclass")(target = "ldap:///cn=groups,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Group Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || gidnumber || ipaexternalmember || ipantsecurityidentifier || ipauniqueid || mepmanagedby || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
@ -93,23 +147,27 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=computers,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Principals";allow (write) groupdn = "ldap:///cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage Host SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "description || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "description || ipaassignedidview || krbprincipalauthind || l || macaddress || nshardwareplatform || nshostlocation || nsosversion || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Modify Hosts";allow (write) groupdn = "ldap:///cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || macaddress || modifytimestamp || objectclass")(target = "ldap:///cn=computers,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Host Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || description || enrolledby || entryusn || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || modifytimestamp || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || description || enrolledby || entryusn || fqdn || ipaassignedidview || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalauthind || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || modifytimestamp || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Remove Hosts";allow (delete) groupdn = "ldap:///cn=System: Remove Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "member")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "member")(targetfilter = "(&(!(cn=ipaservers))(objectclass=ipahostgroup))")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
@ -118,12 +176,26 @@ dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "businesscategory || cn || createtimestamp || description || entryusn || ipauniqueid || modifytimestamp || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=views,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || gidnumber || ipaanchoruuid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=views,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnumber || homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey || loginshell || modifytimestamp || objectclass || uid || uidnumber || usercertificate")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl "permission:System: Read User ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=views,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipadomainresolutionorder || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=locations,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Remove IPA Locations";allow (delete) groupdn = "ldap:///cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
@ -138,6 +210,8 @@ dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipauniqueid || modifytimestamp || nisdomainname || objectclass || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Remove Netgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=otp,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokentotpauthwindow || ipatokentotpsyncwindow")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:System: Read OTP Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Modify Privilege Membership";allow (write) groupdn = "ldap:///cn=System: Modify Privilege Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
@ -160,6 +234,8 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=radiusproxy,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipatokenradiusretries || ipatokenradiusserver || ipatokenradiustimeout || ipatokenusermapattribute || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipatokenradiusconfiguration)")(version 3.0;acl "permission:System: Read Radius Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Radius Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
@ -182,16 +258,64 @@ dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetattr = "accesstime || cn || createtimestamp || description || entryusn || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || member || memberhost || memberuser || modifytimestamp || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=usermap,cn=selinux,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=System: Remove SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipalocation || ipaserviceweight || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaConfigObject)")(version 3.0;acl "permission:System: Read Locations of IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Locations of IPA Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaConfigObject)")(version 3.0;acl "permission:System: Read Status of Services on IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Status of Services on IPA Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Add Services";allow (add) groupdn = "ldap:///cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Service Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Service Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Manage Service Principals";allow (write) groupdn = "ldap:///cn=System: Manage Service Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=services,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "krbprincipalauthind || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Modify Services";allow (write) groupdn = "ldap:///cn=System: Modify Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=services,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalauthind || krbprincipalexpiration || krbprincipalname || managedby || memberof || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=services,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Remove Services";allow (delete) groupdn = "ldap:///cn=System: Remove Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Add Service Delegations";allow (add) groupdn = "ldap:///cn=System: Add Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipaallowedtarget || memberprincipal")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Modify Service Delegation Membership";allow (write) groupdn = "ldap:///cn=System: Modify Service Delegation Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || memberprincipal || modifytimestamp || objectclass")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Read Service Delegations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Add Service Delegations";allow (add) groupdn = "ldap:///cn=System: Add Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipaallowedtarget || memberprincipal")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Modify Service Delegation Membership";allow (write) groupdn = "ldap:///cn=System: Modify Service Delegation Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || ipaallowedtarget || memberprincipal || modifytimestamp || objectclass")(targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Read Service Delegations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=s4u2proxy,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=groupofprincipals)")(version 3.0;acl "permission:System: Remove Service Delegations";allow (delete) groupdn = "ldap:///cn=System: Remove Service Delegations,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Add Stage User";allow (add) groupdn = "ldap:///cn=System: Add Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Preserved Users";allow (write) groupdn = "ldap:///cn=System: Modify Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Modify Stage User";allow (write) groupdn = "ldap:///cn=System: Modify Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "uid")(target = "ldap:///uid=*,cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify User RDN";allow (write) groupdn = "ldap:///cn=System: Modify User RDN,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(target_from = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Preserve User";allow (moddn) groupdn = "ldap:///cn=System: Preserve User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read Preserved Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Preserved Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage User password";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Read Stage Users";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Stage Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=staged users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove Stage User";allow (delete) groupdn = "ldap:///cn=System: Remove Stage User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=*)")(version 3.0;acl "permission:System: Remove preserved User";allow (delete) groupdn = "ldap:///cn=System: Remove preserved User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example
+aci: (targetattr = "krblastpwdchange || krbpasswordexpiration || krbprincipalkey || userpassword")(target = "ldap:///uid=*,cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Reset Preserved User password";allow (read,search,write) groupdn = "ldap:///cn=System: Reset Preserved User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target_to = "ldap:///cn=users,cn=accounts,dc=ipa,dc=example")(target_from = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=ipa,dc=example")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Undelete User";allow (moddn) groupdn = "ldap:///cn=System: Undelete User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Add Sudo Command";allow (add) groupdn = "ldap:///cn=System: Add Sudo Command,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=sudocmds,cn=sudo,dc=ipa,dc=example
@ -221,7 +345,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=trusts,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=trusts,dc=ipa,dc=example
 aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
@ -229,15 +353,21 @@ aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krbpasswordexpiration || krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ipacertmapdata || objectclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificate Mappings";allow (write) groupdn = "ldap:///cn=System: Manage User Certificate Mappings,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Certificates";allow (write) groupdn = "ldap:///cn=System: Manage User Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User Principals";allow (write) groupdn = "ldap:///cn=System: Manage User Principals,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || facsimiletelephonenumber || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || ipacertmapdata || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
@ -249,22 +379,66 @@ aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
+aci: (targetattr = "ntuniqueid || ntuseracctexpires || ntusercodepage || ntuserdeleteaccount || ntuserdomainid || ntuserlastlogoff || ntuserlastlogon")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User NT Attributes";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User NT Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || displayname || entryusn || gecos || gidnumber || givenname || homedirectory || initials || ipantsecurityidentifier || loginshell || manager || modifytimestamp || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=*,cn=views,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Views Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Add Vaults";allow (add) groupdn = "ldap:///cn=System: Add Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Delete Vaults";allow (delete) groupdn = "ldap:///cn=System: Delete Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "member")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Membership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Manage Vault Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipavaultpublickey || ipavaultsalt || ipavaulttype || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Modify Vaults";allow (write) groupdn = "ldap:///cn=System: Modify Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipavaultpublickey || ipavaultsalt || ipavaulttype || member || memberhost || memberuser || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVault)")(version 3.0;acl "permission:System: Read Vaults";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vaults,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Add Vault Containers";allow (add) groupdn = "ldap:///cn=System: Add Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Delete Vault Containers";allow (delete) groupdn = "ldap:///cn=System: Delete Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Manage Vault Container Ownership";allow (write) groupdn = "ldap:///cn=System: Manage Vault Container Ownership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || description || objectclass")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Modify Vault Containers";allow (write) groupdn = "ldap:///cn=System: Modify Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || owner")(target = "ldap:///cn=vaults,cn=kra,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaVaultContainer)")(version 3.0;acl "permission:System: Read Vault Containers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Vault Containers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (target = "ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Add CA Certificate For Renewal";allow (add) groupdn = "ldap:///cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Add Certificate Store Entry";allow (add) groupdn = "ldap:///cn=System: Add Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: dc=ipa,dc=example
+aci: (targetattr = "ipaanchoruuid")(target = "ldap:///cn=*,cn=compat,dc=ipa,dc=example")(targetfilter = "(objectclass=ipaOverrideTarget)")(version 3.0;acl "permission:System: Compat Tree ID View targets";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cacertificate")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Modify CA Certificate";allow (write) groupdn = "ldap:///cn=System: Modify CA Certificate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "usercertificate")(target = "ldap:///cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Modify CA Certificate For Renewal";allow (write) groupdn = "ldap:///cn=System: Modify CA Certificate For Renewal,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cacertificate || ipacertissuerserial || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Modify Certificate Store Entry";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipantdomainguid || ipantfallbackprimarygroup || ipantflatname || ipantsecurityidentifier || modifytimestamp || objectclass")(target = "ldap:///cn=ad,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=ipantdomainattrs)")(version 3.0;acl "permission:System: Read AD Domains";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || createtimestamp || crosscertificatepair || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cacertificate || cn || createtimestamp || entryusn || ipacertissuerserial || ipacertsubject || ipaconfigstring || ipakeyextusage || ipakeytrust || ipakeyusage || ipapublickey || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Read Certificate Store Entries";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=dna,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+dn: ou=profile,dc=ipa,dc=example
+aci: (targetattr = "attributemap || authenticationmethod || bindtimelimit || cn || createtimestamp || credentiallevel || defaultsearchbase || defaultsearchscope || defaultserverlist || dereferencealiases || entryusn || followreferrals || modifytimestamp || objectclass || objectclassmap || ou || preferredserverlist || profilettl || searchtimelimit || serviceauthenticationmethod || servicecredentiallevel || servicesearchdescriptor")(targetfilter = "(|(objectclass=organizationalUnit)(objectclass=DUAConfigProfile))")(version 3.0;acl "permission:System: Read DUA Profile";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=Domain Level,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "createtimestamp || entryusn || ipadomainlevel || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipadomainlevelconfig)")(version 3.0;acl "permission:System: Read Domain Level";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=config
-aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=replication,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertificate)")(version 3.0;acl "permission:System: Remove Certificate Store Entry";allow (delete) groupdn = "ldap:///cn=System: Remove Certificate Store Entry,cn=permissions,cn=pbac,dc=ipa,dc=example";)
--- a/API.txt
+++ b/API.txt
--- a/BUILD.txt
+++ b/BUILD.txt
@ -1,41 +1,46 @@
-Here is a quickie guide to get you started in IPA development.
+Here is a quick guide to get you started in IPA development.

 Dependencies
 ------------

+For more information, see http://www.freeipa.org/page/Build
+
 The quickest way to get the dependencies needed for building is:

-# yum install rpm-build `grep "^BuildRequires" freeipa.spec.in | awk '{ print $2 }' | grep -v "^/"`
+# dnf builddep -b -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False

-This is currently (2014-02-11):
+TIP: For building with latest dependencies for freeipa master enable copr repo:

-yum install rpm-build 389-ds-base-devel svrcore-devel policycoreutils \
-systemd-units samba-devel samba-python libwbclient-devel samba4-devel \
-samba4-python libtalloc-devel libtevent-devel nspr-devel nss-devel \
-openssl-devel openldap-devel krb5-devel krb5-workstation libuuid-devel \
-libcurl-devel xmlrpc-c-devel popt-devel autoconf automake m4 libtool gettext \
-python-devel python-ldap python-setuptools python-krbV python-nss \
-python-netaddr python-kerberos python-rhsm pyOpenSSL pylint python-polib \
-libipa_hbac-python python-memcached sssd python-lxml python-pyasn1 \
-python-qrcode python-dns m2crypto check libsss_idmap-devel \
-libsss_nss_idmap-devel java-1.7.0-openjdk libverto-devel systemd \
-libunistring-devel python-lesscpy
+# dnf copr enable @freeipa/freeipa-master
+
+see: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/

 Building
 --------

 From the root of the source tree run:
-$ make rpms
+$ ./makerpms.sh

 The resulting rpm packages are in dist/rpms:

 # yum --nogpgcheck localinstall dist/rpms/*
 # ipa-server-install

-It may be possible to do a simple make all install but this has not been
+You might tweak the build and run steps separatelly:
+$ autoreconf -i
+$ ./configure
+$ make
+$ make install
+
+It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.

+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 ------------------

@ -47,8 +52,10 @@ install the rpms and then configure IPA using ipa-server-install.
 Get a TGT for the admin user with: kinit admin

 Next you'll need 2 sessions in the source tree. In the first session run
-python lite-server.py. In the second session you can run the ./ipa
-tool and it will make requests to the lite-server listening on 127.0.0.1:8080.
+```make lite-server```. In the second session copy /etc/ipa/default.conf into
+~/.ipa/default.conf and replace xmlrpc_uri with http://127.0.0.1:8888/ipa/xml.
+Finally run the ./ipa tool and it will make requests to the lite-server
+listening on 127.0.0.1:8888.

 This makes developing plugins much faster and you can also make use of the
 Python pdb debugger on the server side.
@ -59,9 +66,9 @@ changes are required.
 Testing
 -------

-For more information, see http://www.freeipa.org/page/Testing
+For more information, see https://www.freeipa.org/page/Testing

-We use python nosetests to test for regressions in the management framework
+We use python pytest to test for regressions in the management framework
 and plugins. All test dependencies are required by the freeipa-tests package.

 To run all of the tests you will need 2 sessions, one to run the lite-server
@ -75,6 +82,14 @@ Some tests may be skipped. For example, all the XML-RPC tests will be skipped
 if you haven't started the lite-server. The DNS tests will be skipped if
 the underlying IPA installation doesn't configure DNS, etc.

+To just execute fast unittest and code linters, use the fastcheck target.
+Fast tests only execute a subset of the test suite that does not depend on
+an initialized API and server instance. Fast linting just verifies modified
+files / lines.
+
+% make fastcheck
+
+
 API.txt
 -------
 The purpose of the file API.txt is to prevent accidental API changes. The
--- a/COPYING.openssl
+++ b/COPYING.openssl
@ -0,0 +1,16 @@
+ADDITIONAL PERMISSIONS
+
+This file is a modification of the main license file (COPYING), which
+contains the license terms. It applies only to specific files in the
+tree that include an "OpenSSL license exception" disclaimer.
+
+In addition to the governing license (GPLv3), as a special exception,
+the copyright holders give permission to link the code of this program
+with the OpenSSL library, and distribute linked combinations including
+the two.
+You must obey the GNU General Public License in all respects for all of
+the code used other than OpenSSL. If you modify file(s) with this
+exception, you may extend this exception to your version of the file(s),
+but you are not obligated to do so. If you do not wish to do so, delete
+this exception statement from your version. If you delete the exception
+statement from all source files in the program, then also delete it here.
--- a/Contributors.txt
+++ b/Contributors.txt
@ -4,53 +4,189 @@ The following people have contributed to the FreeIPA project.
 (Listed in alphabetical order within category)

 Developers:
+	Timo Aaltonen
+	Gabe Alford
 	Jr Aquino
-	Tomas Babej
+	Tomáš Babej
+	Martin Babinsky
+	Kyle Baker
+	Felipe Barreto
+	Jan Barta
+	Martin Bašti
+	Sylvain Baubeau
+	Florence Blanc-Renaud
 	Alexander Bokovoy
+	Thierry Bordaz
+	Sumit Bose
+	François Cami
+	Petr Čech
+	Xiao-Long Chen
 	Jan Cholasta
+	Yuri Chornoivan
+	Brian Cook
 	Rob Crittenden
+	Frank Cusack
 	Nalin Dahyabhai
+	Rishabh Dave
+	Don Davis
+	Nikhil Dehadrai
 	John Dennis
-	Endi Dewata
+	Jason Gerard DeRose
+	Günther Deschner
+	Endi Sukma Dewata
+	Lenka Doudova
+	Benjamin Drung
+	Patrice Duc-Jacquet
+	Tibor Dudlák
+	Lewis Eason
+	Drew Erny
+	Oleg Fayans
+	Jérôme Fenal
+	Fabiano Fidêncio
+	Stephen Gallagher
+	René Genz
+	James Groffen
+	Oliver Gutierrez
+	Ondřej Hamada
+	Robbie Harwood
+	Nick Hatch
+	Christian Heimes
 	Jakub Hrozek
-	Martin Kosek
+	Ganna Kaihorodova
+	Abhijeet Kasurde
 	Nathan Kinder
-	Ana Krivokapic
+	Krzysztof Klimonda
+	Alexander Koksharov
+	Nikolai Kondrashov
+	Martin Košek
+	David Kreitschmann
+	Ludwig Krispenz
+	Ana Krivokapić
+	Tomáš Křížek
+	Milan Kubík
+	Amit Kumar
+	Ian Kumlien
+	David Kupka
+	Robert Kuska
+	John L
+	Peter Lacko
+	Stanislav Laznicka
+	Ade Lee
+	Stanislav Levin
+	Ben Lipton
+	Karl MacMillan
+	Niranjan Mallapadi
+	Ales 'alich' Marecek
+	Francesco Marella
 	Nathaniel McCallum
-	Lynn Root
+	William Jon McCann
+	Kevin McCarthy
+	Mark McLoughlin
 	Rich Megginson
+	Sudhir Menon
+	Jim Meyering
+	Adam Misnyovszki
+	Takeshi MIZUTA
+	Anuja More
+	John Morris
+	Niranjan MR
+	Brian J. Murrell
+	Varun Mylaraiah
+	Marko Myllynen
+	Martin Nagy
+	Armando Neto
+	David O'Brien
+	Dmitri Pal
+	Jan Pazdziora
+	W. Michael Petullo
+	Pavel Picka
+	Orion Poplawski
+	Gowrishankar Rajaiyan
+	realsobek
+	Michal Reznik
+	Lubomír Rintel
+	Matt Rogers
+	Lynn Root
+	Pete Rowley
+	Lenka Ryznarova
+	Alexander Scheel
+	Thorsten Scherf
+	shanyin
+	Kaleemullah Siddiqui
+	Michael Simacek
+	Lars Sjostrom
+	Filip Skola
+	Aleksei Slaikovskii
+	Lukáš Slebodník
 	Simo Sorce
+	Petr Špaček
+	David Spångberg
+	Justin Stephenson
+	Diane Trout
+	Serhii Tsymbaliuk
+	Fraser Tweedale
 	Petr Viktorin
-	Petr Vobornik
+	Petr Voborník
+	Felipe Volpone
+	Pavel Vomáčka
 	Andrew Wnuk
+	Thomas Woerner
+	Jason Woods
 	Adam Young
+	Mohammad Rizwan Yusuf
+	Jan Zelený
+	Alex Zeleznikov
+	Michal Židek
+	Pavel Zůna

 Documentation:
+	Gabe Alford
+	Martin Bašti
+	Tomáš Čapek
 	Ella Deon Lackey
+	David O'Brien

 Testing:
+	Xiyang Dong
 	Michael Gregg
+	Steeve Goveas
 	Suzanne Hillman
 	Chandrasekar Kannan
+	Namita Krishnan
+	Varun Mylaraiah
+	Scott Poore
 	Gowrishankar Rajaiyan
 	Jenny Severance
+	Kaleemullah Siddiqui
 	Yi Zhang

 Translators:
-	Héctor Daniel Cabrera
-	Yuri Chornoivan
-	Teguh DC
-	Piotr Drąg
-	Jérôme Fenal
-	Gundachandru
-	Jake Li
+	Abhijeet Kasurde
+	Andi Chandler
 	Andrew Martynov
+	A S Alam
+	Emilio Herrera
+	Gundachandru
+	Héctor Daniel Cabrera
+	Jake Li
+	Jérôme Fenal
+	Marco Aurélio Krause
+	Martin Bašti
+	Olesya Gerasimenko
+	Paul Ritter
+	Pavel Vomacka
+	Piotr Drąg
+	Robert Antoni Buj Gelonch
 	Sankarshan Mukhopadhyay
+	Teguh DC
+	Yuri Chornoivan
+	Zdenek

 Wiki, Solution and Idea Contributors:
 	James Hogarth
 	Dale Macartney
 	Viji V Nair
+	Bryce Nordgren
 	Ryan Thompson
 	David Zeuthen

@ -60,29 +196,9 @@ Graphic Design and User Interaction Design:

 Management:
 	Scott Haines
+	Nathan Kinder
+	Martin Košek
 	Bob Lord
 	Dmitri Pal
 	Kevin Unthank
 	Karl Wirth
-
-Past and Occasional Contributors:
-	Sylvain Baubeau
-	Yuri Chornoivan
-	Frank Cusack
-	Don Davis
-	Jason DeRose
-	Gunther Deschner
-	Stephen Gallagher
-	Ondrej Hamada
-	Ian Kumlien
-	Karl MacMillan
-	Jon McCann
-	Kevin McCarthy
-	Jim Meyering
-	Martin Nagy
-	David O'Brien
-	Lubomir Rintel
-	Pete Rowley
-	Andreas Schneider
-	Jan Zeleny
-	Pavel Zuna
--- a/MANIFEST.in
+++ b/MANIFEST.in
@ -1,2 +0,0 @@
-include COPYING TODO lite-server.py
-include tests/*/*.py
--- a/277
+++ b/277
@ -1,277 +0,0 @@
-include VERSION
-
-SUBDIRS=daemons install ipapython ipa-client
-CLIENTDIRS=ipapython ipa-client
-
-PRJ_PREFIX=freeipa
-
-RPMBUILD ?= $(PWD)/rpmbuild
-TARGET ?= master
-
-SUPPORTED_PLATFORM ?= fedora
-
-IPA_NUM_VERSION ?= $(shell printf %d%02d%02d $(IPA_VERSION_MAJOR) $(IPA_VERSION_MINOR) $(IPA_VERSION_RELEASE))
-
-# After updating the version in VERSION you should run the version-update
-# target.
-
-ifeq ($(IPA_VERSION_IS_GIT_SNAPSHOT),"yes")
-GIT_VERSION=$(shell git show --pretty=format:"%h" --stat HEAD 2>/dev/null|head -1)
-ifneq ($(GIT_VERSION),)
-IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE)GIT$(GIT_VERSION)
-endif # in a git tree and git returned a version
-endif # git
-
-ifndef IPA_VERSION
-ifdef IPA_VERSION_PRE_RELEASE
-IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE).pre$(IPA_VERSION_PRE_RELEASE)
-else
-ifdef IPA_VERSION_BETA_RELEASE
-IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE).beta$(IPA_VERSION_BETA_RELEASE)
-else
-ifdef IPA_VERSION_RC_RELEASE
-IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE).rc$(IPA_VERSION_RC_RELEASE)
-else
-IPA_VERSION=$(IPA_VERSION_MAJOR).$(IPA_VERSION_MINOR).$(IPA_VERSION_RELEASE)
-endif # rc
-endif # beta
-endif # pre
-endif # ipa_version
-
-IPA_VENDOR_VERSION=$(IPA_VERSION)$(IPA_VENDOR_VERSION_SUFFIX)
-
-TARBALL_PREFIX=freeipa-$(IPA_VERSION)
-TARBALL=$(TARBALL_PREFIX).tar.gz
-
-IPA_RPM_RELEASE=$(shell cat RELEASE)
-
-LIBDIR ?= /usr/lib
-
-DEVELOPER_MODE ?= 0
-ifneq ($(DEVELOPER_MODE),0)
-LINT_OPTIONS=--no-fail
-endif
-
-PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python2)
-
-CFLAGS := -g -O2 -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS)
-export CFLAGS
-
-# Uncomment to increase Java stack size for Web UI build in case it fails
-# because of stack overflow exception. Default should be OK for most platforms.
-#JAVA_STACK_SIZE ?= 8m
-#export JAVA_STACK_SIZE
-
-all: bootstrap-autogen server tests
-	@for subdir in $(SUBDIRS); do \
-		(cd $$subdir && $(MAKE) $@) || exit 1; \
-	done
-
-client: client-autogen
-	@for subdir in $(CLIENTDIRS); do \
-		(cd $$subdir && $(MAKE) all) || exit 1; \
-	done
-	cd ipaplatform && $(PYTHON) setup.py build
-
-bootstrap-autogen: version-update client-autogen
-	@echo "Building IPA $(IPA_VERSION)"
-	cd daemons; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) --with-openldap; fi
-	cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
-
-client-autogen: version-update
-	cd ipa-client; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
-	cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
-
-tests-man-autogen: version-update
-	cd ipatests/man; if [ ! -e Makefile ]; then ../../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
-
-install: all server-install tests-install
-	@for subdir in $(SUBDIRS); do \
-		(cd $$subdir && $(MAKE) $@) || exit 1; \
-	done
-
-client-install: client client-dirs
-	@for subdir in $(CLIENTDIRS); do \
-		(cd $$subdir && $(MAKE) install) || exit 1; \
-	done
-	cd install/po && $(MAKE) install || exit 1;
-	if [ "$(DESTDIR)" = "" ]; then \
-		$(PYTHON) setup-client.py install; \
-		(cd ipaplatform && $(PYTHON) setup.py install); \
-	else \
-		$(PYTHON) setup-client.py install --root $(DESTDIR); \
-		(cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
-	fi
-
-client-dirs:
-	@if [ "$(DESTDIR)" != "" ] ; then \
-		mkdir -p $(DESTDIR)/etc/ipa ; \
-		mkdir -p $(DESTDIR)/var/lib/ipa-client/sysrestore ; \
-	else \
-		echo "DESTDIR was not set, please create /etc/ipa and /var/lib/ipa-client/sysrestore" ; \
-		echo "Without those directories ipa-client-install will fail" ; \
-	fi
-
-lint: bootstrap-autogen
-	./make-lint $(LINT_OPTIONS)
-	$(MAKE) -C install/po validate-src-strings
-
-
-test:
-	./make-test
-
-release-update:
-	if [ ! -e RELEASE ]; then echo 0 > RELEASE; fi
-
-version-update: release-update
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		freeipa.spec.in > freeipa.spec
-	sed -e s/__VERSION__/$(IPA_VERSION)/ version.m4.in \
-		> version.m4
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipapython/setup.py.in \
-		> ipapython/setup.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipaplatform/setup.py.in \
-		> ipaplatform/setup.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipapython/version.py.in \
-		> ipapython/version.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipatests/setup.py.in \
-		> ipatests/setup.py
-	sed -e s/__NUM_VERSION__/$(IPA_NUM_VERSION)/ install/ui/src/libs/loader.js.in \
-		> install/ui/src/libs/loader.js
-	perl -pi -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" install/ui/src/libs/loader.js
-	perl -pi -e "s:__NUM_VERSION__:$(IPA_NUM_VERSION):" ipapython/version.py
-	perl -pi -e "s:__VENDOR_VERSION__:$(IPA_VENDOR_VERSION):" ipapython/version.py
-	perl -pi -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" ipapython/version.py
-	touch -r ipapython/version.py.in ipapython/version.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ daemons/ipa-version.h.in \
-		> daemons/ipa-version.h
-	perl -pi -e "s:__NUM_VERSION__:$(IPA_NUM_VERSION):" daemons/ipa-version.h
-	perl -pi -e "s:__DATA_VERSION__:$(IPA_DATA_VERSION):" daemons/ipa-version.h
-
-	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
-		ipa-client/ipa-client.spec.in > ipa-client/ipa-client.spec
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipa-client/version.m4.in \
-		> ipa-client/version.m4
-
-	if [ "$(SUPPORTED_PLATFORM)" != "" ]; then \
-		rm -f ipaplatform/paths.py ipaplatform/services.py ipaplatform/tasks.py; \
-		ln -s $(SUPPORTED_PLATFORM)/paths.py ipaplatform/paths.py; \
-		ln -s $(SUPPORTED_PLATFORM)/services.py ipaplatform/services.py; \
-		ln -s $(SUPPORTED_PLATFORM)/tasks.py ipaplatform/tasks.py; \
-	fi
-
-	if [ "$(SKIP_API_VERSION_CHECK)" != "yes" ]; then \
-		./makeapi --validate; \
-		./makeaci --validate; \
-	fi
-
-server: version-update
-	$(PYTHON) setup.py build
-	cd ipaplatform && $(PYTHON) setup.py build
-
-server-install: server
-	if [ "$(DESTDIR)" = "" ]; then \
-		$(PYTHON) setup.py install; \
-		(cd ipaplatform && $(PYTHON) setup.py install); \
-	else \
-		$(PYTHON) setup.py install --root $(DESTDIR); \
-		(cd ipaplatform && $(PYTHON) setup.py install --root $(DESTDIR)); \
-	fi
-
-tests: version-update tests-man-autogen
-	cd ipatests; $(PYTHON) setup.py build
-	cd ipatests/man && $(MAKE) all
-
-tests-install: tests
-	if [ "$(DESTDIR)" = "" ]; then \
-		cd ipatests; $(PYTHON) setup.py install; \
-	else \
-		cd ipatests; $(PYTHON) setup.py install --root $(DESTDIR); \
-	fi
-	cd ipatests/man && $(MAKE) install
-
-archive:
-	-mkdir -p dist
-	git archive --format=tar --prefix=ipa/ $(TARGET) | (cd dist && tar xf -)
-
-local-archive:
-	-mkdir -p dist/$(TARBALL_PREFIX)
-	rsync -a --exclude=dist --exclude=.git --exclude=/build --exclude=rpmbuild . dist/$(TARBALL_PREFIX)
-
-archive-cleanup:
-	rm -fr dist/freeipa
-
-tarballs: local-archive
-	-mkdir -p dist/sources
-	# tar up clean sources
-	cd dist/$(TARBALL_PREFIX)/ipa-client; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	cd dist/$(TARBALL_PREFIX)/daemons; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	cd dist/$(TARBALL_PREFIX)/install; ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); make distclean
-	cd dist; tar cfz sources/$(TARBALL) $(TARBALL_PREFIX)
-	rm -rf dist/$(TARBALL_PREFIX)
-
-rpmroot:
-	rm -rf $(RPMBUILD)
-	mkdir -p $(RPMBUILD)/BUILD
-	mkdir -p $(RPMBUILD)/RPMS
-	mkdir -p $(RPMBUILD)/SOURCES
-	mkdir -p $(RPMBUILD)/SPECS
-	mkdir -p $(RPMBUILD)/SRPMS
-
-rpmdistdir:
-	mkdir -p dist/rpms
-	mkdir -p dist/srpms
-
-rpms: rpmroot rpmdistdir version-update lint tarballs
-	cp dist/sources/$(TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba freeipa.spec
-	cp $(RPMBUILD)/RPMS/*/$(PRJ_PREFIX)-*-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp $(RPMBUILD)/SRPMS/$(PRJ_PREFIX)-$(IPA_VERSION)-*.src.rpm dist/srpms/
-	rm -rf $(RPMBUILD)
-
-client-rpms: rpmroot rpmdistdir version-update lint tarballs
-	cp dist/sources/$(TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" --define "ONLY_CLIENT 1" -ba freeipa.spec
-	cp $(RPMBUILD)/RPMS/*/$(PRJ_PREFIX)-*-$(IPA_VERSION)-*.rpm dist/rpms/
-	cp $(RPMBUILD)/SRPMS/$(PRJ_PREFIX)-$(IPA_VERSION)-*.src.rpm dist/srpms/
-	rm -rf $(RPMBUILD)
-
-srpms: rpmroot rpmdistdir version-update lint tarballs
-	cp dist/sources/$(TARBALL) $(RPMBUILD)/SOURCES/.
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs freeipa.spec
-	cp $(RPMBUILD)/SRPMS/$(PRJ_PREFIX)-$(IPA_VERSION)-*.src.rpm dist/srpms/
-	rm -rf $(RPMBUILD)
-
-
-repodata:
-	-createrepo -p dist
-
-dist: version-update archive tarballs archive-cleanup rpms repodata
-
-local-dist: bootstrap-autogen clean local-archive tarballs archive-cleanup rpms
-
-
-clean: version-update
-	@for subdir in $(SUBDIRS); do \
-		(cd $$subdir && $(MAKE) $@) || exit 1; \
-	done
-	rm -f *~
-
-distclean: version-update
-	touch daemons/NEWS daemons/README daemons/AUTHORS daemons/ChangeLog
-	touch install/NEWS install/README install/AUTHORS install/ChangeLog
-	@for subdir in $(SUBDIRS); do \
-		(cd $$subdir && $(MAKE) $@) || exit 1; \
-	done
-	rm -fr $(RPMBUILD) dist build
-	rm -f daemons/NEWS daemons/README daemons/AUTHORS daemons/ChangeLog
-	rm -f install/NEWS install/README install/AUTHORS install/ChangeLog
-
-maintainer-clean: clean
-	rm -fr $(RPMBUILD) dist build
-	cd daemons && $(MAKE) maintainer-clean
-	cd install && $(MAKE) maintainer-clean
-	cd ipa-client && $(MAKE) maintainer-clean
-	cd ipapython && $(MAKE) maintainer-clean
-	rm -f version.m4
-	rm -f freeipa.spec
--- a/Makefile.am
+++ b/Makefile.am
@ -0,0 +1,398 @@
+NULL =
+
+ACLOCAL_AMFLAGS = -I m4
+
+if ENABLE_SERVER
+    IPASERVER_SUBDIRS = ipaserver
+    SERVER_SUBDIRS = daemons init install
+endif
+
+if WITH_IPATESTS
+    IPATESTS_SUBDIRS = ipatests
+endif
+
+IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython
+PYTHON_SUBDIRS = $(IPACLIENT_SUBDIRS) $(IPATESTS_SUBDIRS) $(IPASERVER_SUBDIRS)
+IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
+SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
+
+GENERATED_PYTHON_FILES = \
+	$(top_builddir)/ipaplatform/override.py \
+	$(top_builddir)/ipapython/version.py \
+	$(top_builddir)/makeaci \
+	$(top_builddir)/makeapi \
+	$(NULL)
+
+MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
+		   pylint_plugins.pyc pylint_plugins.pyo
+
+# user-facing scripts
+nodist_bin_SCRIPTS = ipa
+
+# files required for build but not installed
+nodist_noinst_SCRIPTS = \
+	makeapi \
+	makeaci \
+	$(NULL)
+
+dist_noinst_SCRIPTS = \
+	make-doc \
+	make-test \
+	pylint_plugins.py \
+	$(NULL)
+
+# templates
+dist_noinst_DATA = \
+	ipa.in		\
+	makeaci.in	\
+	makeapi.in	\
+	$(NULL)
+
+ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed						\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
+.wheelconstraints: .wheelconstraints.in $(CONFIG_STATUS)
+	$(AM_V_GEN)sed						\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
+
+EXTRA_DIST = .mailmap \
+	     ACI.txt \
+	     API.txt \
+	     BUILD.txt \
+	     config.rpath \
+	     README.md \
+	     Contributors.txt \
+	     COPYING.openssl \
+	     contrib \
+	     doc \
+	     freeipa.spec.in \
+	     ipasetup.py.in \
+	     pylintrc \
+	     .wheelconstraints.in
+
+clean-local:
+	rm -rf "$(RPMBUILD)"
+	rm -rf "$(top_builddir)/dist"
+	rm -rf "$(top_builddir)/.tox"
+	rm -rf "$(top_srcdir)/__pycache__"
+	rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
+
+# convenience targets for RPM build
+.PHONY: rpmroot rpmdistdir version-update _dist-version-bakein _rpms-prep \
+	rpms _rpms-body srpms _srpms-body
+RPMBUILD ?= $(abs_builddir)/rpmbuild
+TARBALL = $(PACKAGE)-$(VERSION).tar.gz
+
+freeipa.spec: freeipa.spec.in $(top_builddir)/$(CONFIG_STATUS)
+	$(AM_V_GEN)sed						\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		-e 's|@VENDOR_SUFFIX[@]|$(VENDOR_SUFFIX)|g'	\
+		$< > $@
+
+rpmroot:
+	mkdir -p $(RPMBUILD)/BUILD
+	mkdir -p $(RPMBUILD)/RPMS
+	mkdir -p $(RPMBUILD)/SOURCES
+	mkdir -p $(RPMBUILD)/SPECS
+	mkdir -p $(RPMBUILD)/SRPMS
+
+rpmdistdir:
+	mkdir -p $(top_builddir)/dist/rpms
+	mkdir -p $(top_builddir)/dist/srpms
+
+# force IPA version re-generation (useful for build from Git)
+version-update:
+	touch $(srcdir)/VERSION.m4
+
+# convert Git snapshot version to static value usable from inside of tarball
+_dist-version-bakein:
+if !IS_GIT_SNAPSHOT
+	@echo "version-bakein target requires IPA_VERSION_IS_GIT_SNAPSHOT=yes"
+	exit 1
+endif !IS_GIT_SNAPSHOT
+	chmod u+w $(top_distdir)/VERSION.m4
+	$(SED) -e 's/^define(IPA_VERSION_IS_GIT_SNAPSHOT,.*)/define(IPA_VERSION_IS_GIT_SNAPSHOT, no)/' -i $(top_distdir)/VERSION.m4
+	$(SED) -e 's/^define(IPA_VERSION_PRE_RELEASE,\(.*\))/define(IPA_VERSION_PRE_RELEASE,\1.$(GIT_VERSION))/' -i $(top_distdir)/VERSION.m4
+	cd $(top_distdir) && autoconf  # re-generate configure from VERSION.m4
+
+if IS_GIT_SNAPSHOT
+VERSION_UPDATE_TARGET = version-update
+VERSION_BAKEIN_TARGET = _dist-version-bakein
+endif IS_GIT_SNAPSHOT
+
+# HACK to support IPA_VERSION_IS_GIT_SNAPSHOT:
+# touch VERSION.m4 will reexecute configure and change $(VERSION) used by dist
+# but it will not change $(VERSION) in already running target rpms.
+# We need to record new $(TARBALL) value used by dist for furher use
+# in rpms target.
+dist-hook: $(VERSION_BAKEIN_TARGET)
+	echo "$(TARBALL)" > $(top_builddir)/.tarball_name
+	echo "$(VERSION)" > $(top_builddir)/.version
+
+_rpms-prep: dist-gzip rpmroot rpmdistdir freeipa.spec
+	cp $(top_builddir)/$$(cat $(top_builddir)/.tarball_name) $(RPMBUILD)/SOURCES/
+	rm -f $(top_builddir)/.tarball_name
+
+rpms: $(VERSION_UPDATE_TARGET)
+	$(MAKE) _rpms-body
+
+_rpms-body: _rpms-prep
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
+	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
+	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
+	rm -f rm -f $(top_builddir)/.version
+
+srpms: $(VERSION_UPDATE_TARGET)
+	$(MAKE) _srpms-body
+
+_srpms-body: _rpms-prep
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
+	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
+	rm -f rm -f $(top_builddir)/.version
+
+.PHONY: lite-server
+lite-server: $(GENERATED_PYTHON_FILES)
+	+$(MAKE) -C $(top_builddir)/install/ui
+	PYTHONPATH=$(top_srcdir) $(PYTHON) -bb \
+	    contrib/lite-server.py $(LITESERVER_ARGS)
+
+.PHONY: lint
+if WITH_POLINT
+POLINT_TARGET = polint
+endif WITH_POLINT
+if WITH_PYLINT
+PYLINT_TARGET = pylint
+endif WITH_PYLINT
+if WITH_JSLINT
+JSLINT_TARGET = jslint
+endif WITH_JSLINT
+lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
+
+.PHONY: devcheck
+devcheck: all
+if ! WITH_POLINT
+	@echo "ERROR: polint not available"; exit 1
+endif
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+if ! WITH_JSLINT
+	@echo "ERROR: jslint not available"; exit 1
+endif
+if ! WITH_PYTHON2
+	@echo "ERROR: python2 not available"; exit 1
+endif
+	@ # run all linters, tests, and check with Python 2
+	PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON2) ipatests/ipa-run-tests \
+	    --ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint jslint check
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) pylint
+if WITH_PYTHON3
+	@ # just tests, aci, api and pylint on Python 3
+	PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
+	    --ipaclient-unittests
+	$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) acilint apilint polint pylint jslint check
+else
+	@echo "WARNING: python3 not available"
+endif
+	@echo "All tests passed."
+
+.PHONY: fastcheck fasttest fastlint
+fastcheck:
+if WITH_PYTHON2
+	@$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON2) \
+	    fastlint fasttest apilint acilint
+endif
+if WITH_PYTHON3
+	@$(MAKE) -j1 $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) \
+	     fastlint fasttest apilint acilint
+endif
+
+fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py
+	@ # --ignore doubles speed of total test run compared to pytest.skip()
+	@ # on module.
+	PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
+	    --skip-ipaapi \
+	    --ignore $(abspath $(top_srcdir))/ipatests/test_integration \
+	    --ignore $(abspath $(top_srcdir))/ipatests/test_xmlrpc
+
+fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py
+if ! WITH_PYLINT
+	@echo "ERROR: pylint not available"; exit 1
+endif
+	@echo "Fast linting with $(PYTHON) from branch '$(GIT_BRANCH)'"
+
+	@MERGEBASE=$$(git merge-base --fork-point $(GIT_BRANCH)); \
+	FILES=$$(git diff --name-only --diff-filter=d $${MERGEBASE} \
+	    | grep -E '\.py$$'); \
+	if [ -n "$${FILES}" ]; then \
+	    echo -e "Fast linting files:\n$${FILES}\n"; \
+	    echo "pycodestyle"; \
+	    echo "-----------"; \
+	    git diff -U0 $${MERGEBASE} | \
+	        $(PYTHON) -m pycodestyle --diff || exit $$?; \
+	    echo -e "\npylint"; \
+	    echo "------"; \
+	    PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON) -m pylint \
+	        --rcfile=$(top_srcdir)/pylintrc \
+	        --load-plugins pylint_plugins \
+	        $${FILES} || exit $$?; \
+	else \
+	    echo "No modified Python files found"; \
+	fi
+
+
+.PHONY: $(top_builddir)/ipaplatform/override.py
+$(top_builddir)/ipaplatform/override.py:
+	(cd $(top_builddir)/ipaplatform && make override.py)
+
+.PHONY: $(top_builddir)/ipapython/version.py
+$(top_builddir)/ipapython/version.py:
+	(cd $(top_builddir)/ipapython && make version.py)
+
+.PHONY: acilint
+acilint: $(GENERATED_PYTHON_FILES)
+	cd $(srcdir); $(PYTHON) ./makeaci --validate
+
+.PHONY: apilint
+apilint: $(GENERATED_PYTHON_FILES)
+	cd $(srcdir); $(PYTHON) ./makeapi --validate
+
+.PHONY: polint
+polint:
+	$(MAKE) -C $(srcdir)/po PYTHON=$(PYTHON) \
+	    validate-src-strings validate-po test-gettext
+
+# Run pylint for all python files. Finds all python files/packages, skips
+# folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
+# *.in, *~. Finally print all python files, including scripts that do not
+# have python extension.
+
+.PHONY: pylint
+
+if WITH_PYLINT
+pylint: $(GENERATED_PYTHON_FILES) ipasetup.py
+	@# build CLI scripts
+	$(MAKE) -C $(top_builddir)/install/tools
+	FILES=`find $(top_srcdir) \
+		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
+		-path './rpmbuild' -prune -o \
+		-path './freeipa-*' -prune -o \
+		-path './dist' -prune -o \
+		-path './pypi' -prune -o \
+		-path './.tox' -prune -o \
+		-name '.*' -o \
+		-name '*.in' -o \
+		-name '*~' -o \
+		-name '*.py' -print -o \
+		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
+	echo "Pylint on $(PYTHON) is running, please wait ..."; \
+	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
+		--rcfile=$(top_srcdir)/pylintrc \
+		--load-plugins pylint_plugins \
+		$${FILES}
+endif  # WITH_PYLINT
+
+.PHONY: jslint jslint-ui jslint-ui-test jslint-html \
+	$(top_builddir)/install/ui/src/libs/loader.js
+
+if WITH_JSLINT
+jslint: jslint-ui jslint-ui-test jslint-html
+
+$(top_builddir)/install/ui/src/libs/loader.js:
+	(cd $(top_builddir)/install/ui/src/libs && make loader.js)
+
+# create temporary symlinks to allow jslint to find libs/loader.js
+jslint-ui: $(top_builddir)/install/ui/src/libs/loader.js
+	cd $(top_srcdir)/install/ui;				\
+	jsl -nologo -nosummary -nofilelisting -conf jsl.conf;
+
+jslint-ui-test:
+	cd $(top_srcdir)/install/ui/test;			\
+	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+
+jslint-html:
+	cd $(top_srcdir)/install/html; 				\
+	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+endif  # WITH_JSLINT
+
+.PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
+WHEELDISTDIR = $(top_builddir)/dist/wheels
+WHEELPYPIDIR = $(top_builddir)/dist/pypi
+WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
+
+@MK_IFEQ@ ($(IPA_SERVER_WHEELS),1)
+    IPA_WHEEL_PACKAGES @MK_ASSIGN@ $(IPACLIENT_SUBDIRS) ipaplatform ipaserver
+    IPA_OMIT_INSTALL @MK_ASSIGN@ 0
+@MK_ELSE@
+    IPA_WHEEL_PACKAGES @MK_ASSIGN@ $(IPACLIENT_SUBDIRS)
+    IPA_OMIT_INSTALL @MK_ASSIGN@ 1
+@MK_ENDIF@
+
+# additional wheels for bundle, e.g. IPA_EXTRA_WHEELS="ipatests[webui] pylint"
+IPA_EXTRA_WHEELS=
+
+$(WHEELDISTDIR):
+	mkdir -p $(WHEELDISTDIR)
+
+$(WHEELBUNDLEDIR):
+	mkdir -p $(WHEELBUNDLEDIR)
+
+$(WHEELPYPIDIR):
+	mkdir -p $(WHEELPYPIDIR)
+
+bdist_wheel: $(WHEELDISTDIR)
+	rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELDISTDIR)/$(item)-*.whl)
+	export IPA_OMIT_INSTALL=$(IPA_OMIT_INSTALL); \
+	for dir in $(IPA_WHEEL_PACKAGES) ipatests; do \
+	    $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
+	done
+
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel .wheelconstraints
+	rm -f $(foreach item,$(IPA_WHEEL_PACKAGES) ipatests,$(WHEELBUNDLEDIR)/$(item)-*.whl)
+	@# dbus-python sometimes fails when MAKEFLAGS is set to -j2 or higher
+	MAKEFLAGS= $(PYTHON) -m pip wheel \
+	    --disable-pip-version-check \
+	    --constraint .wheelconstraints \
+	    --find-links $(WHEELDISTDIR) \
+	    --find-links $(WHEELBUNDLEDIR) \
+	    --wheel-dir $(WHEELBUNDLEDIR) \
+	    $(IPA_EXTRA_WHEELS) $(IPA_WHEEL_PACKAGES)
+
+pypi_packages: $(WHEELPYPIDIR) .wheelconstraints
+	rm -f $(WHEELPYPIDIR)/*
+	for dir in $(IPACLIENT_SUBDIRS); do \
+	    $(MAKE) $(AM_MAKEFLAGS) \
+	        IPA_OMIT_INSTALL=1 WHEELDISTDIR="$(abspath $(WHEELPYPIDIR))" \
+	        -C $${dir} bdist_wheel || exit 1; \
+	done
+	for dir in $(IPA_PLACEHOLDERS); do \
+	    $(MAKE) $(AM_MAKEFLAGS) \
+	        IPA_OMIT_INSTALL=1 WHEELDISTDIR="$(abspath $(WHEELPYPIDIR))" \
+	        -C $(top_srcdir)/pypi/$${dir} bdist_wheel || exit 1; \
+	done
+	@echo -e "\n\nTo upload packages to PyPI, run:\n"
+	@echo -e "    twine upload $(WHEELPYPIDIR)/*-$(VERSION)-py2.py3-none-any.whl\n"
+
+.PHONY: python_install
+python_install:
+	for dir in $(PYTHON_SUBDIRS); do \
+	    $(MAKE) $(AM_MAKEFLAGS) -C $${dir} install || exit 1; \
+	done
+
+.PHONY:
+strip-po:
+	$(MAKE) -C po strip-po
+
+PYTHON_SHEBANG = 					\
+	ipa	\
+	makeaci	\
+	makeapi	\
+	$(NULL)
+
+CLEANFILES = $(PYTHON_SHEBANG)
+
+include $(top_srcdir)/Makefile.pythonscripts.am
--- a/Makefile.in
+++ b/Makefile.in
--- a/Makefile.python.am
+++ b/Makefile.python.am
@ -0,0 +1,71 @@
+pkgname = $(shell basename "$(abs_srcdir)")
+pkgpythondir = $(pythondir)/$(pkgname)
+
+if VERBOSE_MAKE
+VERBOSITY="--verbose"
+else
+VERBOSITY="--quiet"
+endif !VERBOSE_MAKE
+
+# hack to handle back-in-the-hierarchy depedency on ipasetup.py
+.PHONY: $(top_builddir)/ipasetup.py
+$(top_builddir)/ipasetup.py:
+	(cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py)
+
+all-local: $(top_builddir)/ipasetup.py
+	cd $(srcdir); $(PYTHON) setup.py \
+		$(VERBOSITY) \
+		build \
+		    --build-base "$(abs_builddir)/build"
+
+install-exec-local: $(top_builddir)/ipasetup.py
+	if [ "x$(pkginstall)" != "xfalse" ]; then \
+	    $(PYTHON) $(srcdir)/setup.py \
+		    $(VERBOSITY) \
+		    build \
+		        --build-base "$(abs_builddir)/build" \
+		    install \
+		        --prefix "$(DESTDIR)$(prefix)" \
+		        --single-version-externally-managed \
+		        --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		        --optimize 1 \
+		        $(PYTHON_INSTALL_EXTRA_OPTIONS); \
+	fi
+
+uninstall-local:
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	    cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
+	rm -rf "$(DESTDIR)$(pkgpythondir)"
+
+clean-local: $(top_builddir)/ipasetup.py
+	$(PYTHON) "$(srcdir)/setup.py" \
+	    clean \
+	        --all
+	        --build-base "$(abs_builddir)/build"
+	rm -rf "$(srcdir)/build" "$(srcdir)/dist" "$(srcdir)/MANIFEST"
+	find "$(srcdir)" \
+		-name "*.py[co]" -delete -o	\
+		-name "__pycache__" -delete -o	\
+		-name "*.egg-info" -exec rm -rf {} +
+
+# take list of all Python source files and copy them into distdir
+# SOURCES.txt does not contain directories so we need to create those
+dist-hook: $(top_builddir)/ipasetup.py
+	$(PYTHON) "$(srcdir)/setup.py" egg_info
+	PYTHON_SOURCES=$$(cat "$(srcdir)/$(pkgname).egg-info/SOURCES.txt") || exit $$?;	\
+	for FILEN in $${PYTHON_SOURCES}; 						\
+	do										\
+		if test -x "$(srcdir)/$${FILEN}"; then MODE=755; else MODE=644; fi;	\
+		$(INSTALL) -D -m $${MODE} "$(srcdir)/$${FILEN}" "$(distdir)/$${FILEN}" || exit $$?;	\
+	done
+
+WHEELDISTDIR = $(top_builddir)/dist/wheels
+.PHONY: bdist_wheel
+bdist_wheel: $(top_builddir)/ipasetup.py
+	rm -rf $(WHEELDISTDIR)/$(pkgname)-*.whl
+	$(PYTHON) "$(srcdir)/setup.py" \
+	    build \
+	        --build-base "$(abs_builddir)/build" \
+	    bdist_wheel \
+	        --dist-dir=$(WHEELDISTDIR)
--- a/Makefile.pythonscripts.am
+++ b/Makefile.pythonscripts.am
@ -0,0 +1,4 @@
+# special handling of Python scripts with auto-generated shebang line
+$(PYTHON_SHEBANG):%: %.in Makefile
+	$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
+	$(AM_V_GEN)chmod +x $@
--- a/92
+++ b/92
@ -1,92 +0,0 @@
-
-                               IPA Server
-
-  Overview
-  --------
-
-  FreeIPA allows Linux administrators to centrally manage identity,
-  authentication and access control aspects of Linux and UNIX systems
-  by providing simple to install and use command line and web based
-  managment tools.
-  FreeIPA is built on top of well known Open Source components and standard
-  protocols with a very strong focus on ease of management and automation
-  of installation and configuration tasks.
-  FreeIPA can seamlessly integrate into an Active Directory environment via
-  cross-realm Kerberos trust or user synchronization.
-
-  Benefits
-  --------
-
-  FreeIPA:
-  * Allows all your users to access all the machines with the same credentials
-    and security settings
-  * Allows users to access personal files transparently from any machine in
-    an authenticated and secure way
-  * Uses an advanced grouping mechanism to restrict network access to services
-    and files only to specific users
-  * Allows central management of security mechanisms like passwords,
-    SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
-  * Enables delegation of selected administrative tasks to other power users
-  * Integrates into Active Directory environments
-
-  Components
-  ----------
-
-  The FreeIPA project provides unified installation and management
-  tools for the following components:
-
-  * LDAP Server - based on the 389 project (LDAP)
-    http://directory.fedoraproject.org/wiki/Main_Page
-
-  * KDC - based on MIT Kerberos implementation
-    http://k5wiki.kerberos.org/wiki/Main_Page
-
-  * PKI based on Dogtag project
-    http://pki.fedoraproject.org/wiki/PKI_Main_Page
-
-  * Samba libraries for Active Directory integration
-    http://www.samba.org/
-
-  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
-    https://www.isc.org/software/bind
-    https://fedorahosted.org/bind-dyndb-ldap
-
-
-  Project Website
-  ---------------
-
-  Releases, announcements and other information can be found on the IPA
-  server project page at <http://www.freeipa.org/>.
-
-  Documentation
-  -------------
-
-  The most up-to-date documentation can be found at
-  <http://freeipa.org/page/Documentation>.
-
-  Quick Start
-  -----------
-
-  To get started quickly, start here:
-  <http://www.freeipa.org/page/Quick_Start_Guide>
-
-  Licensing
-  ---------
-
-  Please see the file called COPYING.
-
-  Contacts
-  --------
-
-     * If you want to be informed about new code releases, bug fixes,
-       security fixes, general news and information about the IPA server
-       subscribe to the freeipa-announce mailing list at
-       <https://www.redhat.com/mailman/listinfo/freeipa-interest/>.
-
-     * If you have a bug report please submit it at:
-       <https://bugzilla.redhat.com>
-
-     * If you want to participate in actively developing IPA please
-       subscribe to the freeipa-devel mailing list at
-       <https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
-       us in IRC at irc://irc.freenode.net/freeipa
--- a/README.md
+++ b/README.md
@ -0,0 +1,79 @@
+# FreeIPA Server
+
+FreeIPA allows Linux administrators to centrally manage identity,
+authentication and access control aspects of Linux and UNIX systems
+by providing simple to install and use command line and web based
+management tools.
+
+FreeIPA is built on top of well known Open Source components and standard
+protocols with a very strong focus on ease of management and automation
+of installation and configuration tasks.
+
+FreeIPA can seamlessly integrate into an Active Directory environment via
+cross-realm Kerberos trust or user synchronization.
+
+## Benefits
+
+FreeIPA:
+
+* Allows all your users to access all the machines with the same credentials
+  and security settings
+* Allows users to access personal files transparently from any machine in
+  an authenticated and secure way
+* Uses an advanced grouping mechanism to restrict network access to services
+  and files only to specific users
+* Allows central management of security mechanisms like passwords,
+  SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
+* Enables delegation of selected administrative tasks to other power users
+* Integrates into Active Directory environments
+
+## Components
+
+The FreeIPA project provides unified installation and management
+tools for the following components:
+
+* LDAP Server - based on the [389 project](http://www.port389.org/)
+* KDC - based on [MIT Kerberos](http://k5wiki.kerberos.org/wiki/Main_Page)
+  implementation
+* PKI based on [Dogtag project](http://pki.fedoraproject.org/wiki/PKI_Main_Page)
+* [Samba](http://www.samba.org/) libraries for Active Directory integration
+* DNS Server based on [BIND](https://www.isc.org/software/bind) and the
+  [Bind-DynDB-LDAP plugin](https://pagure.io/bind-dyndb-ldap)
+
+## Project Website
+
+Releases, announcements and other information can be found on the IPA
+server project page at http://www.freeipa.org/ .
+
+## Documentation
+
+The most up-to-date documentation can be found at
+http://freeipa.org/page/Documentation .
+
+## Quick Start
+
+To get started quickly, start here:
+http://www.freeipa.org/page/Quick_Start_Guide
+
+## For developers
+
+* Building FreeIPA from source
+    * http://www.freeipa.org/page/Build
+    * See the BUILD.txt file in the source root directory
+
+## Licensing
+
+Please see the file called COPYING.
+
+## Contacts
+
+* If you want to be informed about new code releases, bug fixes,
+  security fixes, general news and information about the IPA server
+  subscribe to the freeipa-announce mailing list at
+  https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
+* If you have a bug report please submit it at:
+  https://pagure.io/freeipa/issues
+* If you want to participate in actively developing IPA please
+  subscribe to the freeipa-devel mailing list at
+  https://www.redhat.com/mailman/listinfo/freeipa-devel/ or join
+  us in IRC at <irc://irc.freenode.net/freeipa>
--- a/1
+++ b/1
@ -1 +0,0 @@
-0
--- a/93
+++ b/93
@ -1,93 +0,0 @@
-########################################################
-# freeIPA Version                                      #
-#                                                      #
-# freeIPA versions are as follows                      #
-# 1.0.x                New production series           #
-# 1.0.x{pre,beta,rc}y  Preview/Testing, Beta & RC      #
-# 1.0.0GITabcdefg      Build from GIT                  #
-#                                                      #
-########################################################
-
-########################################################
-# This are the main version numbers                    #
-#                                                      #
-# <MAJOR>.<MINOR>.<RELEASE>                            #
-#                                                      #
-# e.g. IPA_VERSION_MAJOR=1                             #
-#      IPA_VERSION_MINOR=0                             #
-#      IPA_VERSION_RELEASE=0                           #
-#  ->  "1.0.0"                                         #
-########################################################
-IPA_VERSION_MAJOR=4
-IPA_VERSION_MINOR=0
-IPA_VERSION_RELEASE=5
-
-########################################################
-# For 'pre' releases the version will be               #
-#                                                      #
-# <MAJOR>.<MINOR>.<RELEASE>pre<PRE_RELEASE>            #
-#                                                      #
-# e.g. IPA_VERSION_PRE_RELEASE=1                       #
-#  ->  "1.0.0pre1"                                     #
-########################################################
-IPA_VERSION_PRE_RELEASE=
-
-########################################################
-# For 'beta' releases the version will be              #
-#                                                      #
-# <MAJOR>.<MINOR>.<RELEASE>beta<BETA_RELEASE>          #
-#                                                      #
-# e.g. IPA_VERSION_BETA_RELEASE=1                      #
-#  ->  "1.0.0beta1"                                    #
-########################################################
-IPA_VERSION_BETA_RELEASE=
-
-########################################################
-# For 'rc' releases the version will be                #
-#                                                      #
-# <MAJOR>.<MINOR>.<RELEASE>rc<RC_RELEASE>              #
-#                                                      #
-# e.g. IPA_VERSION_RC_RELEASE=1                        #
-#  ->  "1.0.0rc1"                                      #
-########################################################
-IPA_VERSION_RC_RELEASE=
-
-########################################################
-# To mark GIT snapshots this should be set to 'yes'    #
-# in the development BRANCH, and set to 'no' only in   #
-# the IPA_X_X_RELEASE BRANCH                           #
-#                                                      #
-# <MAJOR>.<MINOR>.<RELEASE>GITxxx                      #
-#                                                      #
-# e.g. IPA_VERSION_IS_SVN_SNAPSHOT=yes                 #
-#  ->  "1.0.0GITabcdefg"                               #
-########################################################
-IPA_VERSION_IS_GIT_SNAPSHOT="yes"
-
-########################################################
-# The version of IPA data. This is used to identify    #
-# incompatibilities in data that could cause issues    #
-# with replication. If the built-in versions don't     #
-# match exactly then replication will fail.            #
-#                                                      #
-# The format is %Y%m%d%H%M%S                           #
-#                                                      #
-# e.g. IPA_DATA_VERSION=`date +%Y%m%d%H%M%S`           #
-#  ->  "20100614120000"                                #
-########################################################
-IPA_DATA_VERSION=20100614120000
-
-########################################################
-# The version of the IPA API. This controls which      #
-# client versions can use the XML-RPC and json APIs    #
-#                                                      #
-# A change to existing API requires a MAJOR version    #
-# update.  The addition of new API bumps the MINOR     #
-# version.                                             #
-#                                                      #
-# The format is a whole number                         #
-#                                                      #
-########################################################
-IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=101
-# Last change: mbasti - Allow '/' in permission name
--- a/VERSION.m4
+++ b/VERSION.m4
@ -0,0 +1,144 @@
+########################################################
+# FreeIPA Version                                      #
+#                                                      #
+# FreeIPA versions are as follows                      #
+# 1.0.x                  New production series         #
+# 1.0.x{alpha,beta,rc}y  Alpha/Preview/Testing, Beta,  #
+#                           Release Candidate          #
+# 1.0.0.dev20170102030405+gitabcdefg  Build from GIT   #
+#                                                      #
+########################################################
+
+########################################################
+# This are the main version numbers                    #
+#                                                      #
+# <MAJOR>.<MINOR>.<RELEASE>                            #
+#                                                      #
+# e.g. define(IPA_VERSION_MAJOR, 1)                    #
+#      define(IPA_VERSION_MINOR, 0)                    #
+#      define(IPA_VERSION_RELEASE, 0)                  #
+#  ->  "1.0.0"                                         #
+########################################################
+define(IPA_VERSION_MAJOR, 4)
+define(IPA_VERSION_MINOR, 7)
+define(IPA_VERSION_RELEASE, 2)
+
+########################################################
+# For 'pre' releases the version will be               #
+#                                                      #
+# <MAJOR>.<MINOR>.<RELEASE><PRE_RELEASE>               #
+#                                                      #
+# e.g. define(IPA_VERSION_PRE_RELEASE, rc1)            #
+#  ->  "1.0.0rc1"                                      #
+########################################################
+define(IPA_VERSION_PRE_RELEASE, )
+
+########################################################
+# To mark GIT snapshots this should be set to 'yes'    #
+# in the development BRANCH, and set to 'no' only in   #
+# the IPA_X_X_RELEASE BRANCH                           #
+#                                                      #
+# <MAJOR>.<MINOR>.<RELEASE>.dev<TIMESTAMP>+git<hash>   #
+#                                                      #
+# e.g. define(IPA_VERSION_IS_GIT_SNAPSHOT, yes)        #
+#  ->  "1.0.0.dev20170102030405+gitabcdefg"            #
+#                                                      #
+# This option works only with GNU m4:                  #
+# it requires esyscmd m4 macro.                        #
+########################################################
+define(IPA_VERSION_IS_GIT_SNAPSHOT, no)
+
+########################################################
+# git development branch:                              #
+#                                                      #
+# - master: define(IPA_GIT_BRANCH, master)             #
+# - ipa-X-X: define(IPA_GIT_BRANCH,                    #
+#       ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR)       #
+########################################################
+dnl define(IPA_GIT_BRANCH, master)
+define(IPA_GIT_BRANCH, ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR)
+
+########################################################
+# The version of IPA data. This is used to identify    #
+# incompatibilities in data that could cause issues    #
+# with replication. If the built-in versions don't     #
+# match exactly then replication will fail.            #
+#                                                      #
+# The format is %Y%m%d%H%M%S                           #
+#                                                      #
+# e.g. define(IPA_DATA_VERSION, 20100614120000)        #
+#  ->  "20100614120000"                                #
+########################################################
+define(IPA_DATA_VERSION, 20100614120000)
+
+########################################################
+# The version of the IPA API. This controls which      #
+# client versions can use the XML-RPC and json APIs    #
+#                                                      #
+# A change to existing API requires a MAJOR version    #
+# update.  The addition of new API bumps the MINOR     #
+# version.                                             #
+#                                                      #
+# The format is a whole number                         #
+#                                                      #
+########################################################
+define(IPA_API_VERSION_MAJOR, 2)
+define(IPA_API_VERSION_MINOR, 230)
+# Last change: Added `automember-find-orphans' command
+
+
+########################################################
+# Following values are auto-generated from values above
+# That way m4 madness lies
+########################################################
+
+########################################################
+# IPA_NUM_VERSION is auto-generated
+# format suitable for aritmetical comparison.
+########################################################
+dnl for some reason AC_SUBST([NUM_VERSION], [IPA_NUM_VERSION])
+dnl does not work when we use macro "format" instead of "esyscmd"
+define(IPA_NUM_VERSION, esyscmd(printf "%d%02d%02d" IPA_VERSION_MAJOR IPA_VERSION_MINOR IPA_VERSION_RELEASE))
+
+
+########################################################
+# IPA_API_VERSION: format is APImajor.APIminor
+########################################################
+define(IPA_API_VERSION, IPA_API_VERSION_MAJOR.IPA_API_VERSION_MINOR)
+
+
+########################################################
+# IPA_VERSION is one string formated according to rules
+# described on top of this file
+########################################################
+dnl helper for translit in IPA_VERSION
+define(NEWLINE,`
+')
+
+dnl Git snapshot: dev20170102030405+gitabcdefg
+define(IPA_GIT_VERSION, translit(dnl remove new lines from version (from esyscmd)
+ifelse(IPA_VERSION_IS_GIT_SNAPSHOT, yes,dnl
+dev
+esyscmd(date -u +'%Y%m%d%H%M')dnl 20170102030405
+git
+esyscmd(git log -1 --format="%h" HEAD),dnl abcdefg
+), NEWLINE))
+dnl IPA_GIT_VERSION end
+
+define(IPA_VERSION, translit(dnl remove new lines from version (from esyscmd)
+dnl 1.0.0
+IPA_VERSION_MAJOR.IPA_VERSION_MINOR.IPA_VERSION_RELEASE
+IPA_VERSION_PRE_RELEASE
+dnl version with Git snapshot: 1.0.0.dev20170102030405+gitabcdefg
+ifelse(IPA_VERSION_IS_GIT_SNAPSHOT, yes,
+.
+IPA_GIT_VERSION),
+NEWLINE)) dnl IPA_VERSION end
+
+dnl DEBUG: uncomment following lines and run command m4 VERSION.m4
+dnl `IPA_VERSION: ''IPA_VERSION'
+dnl `IPA_GIT_VERSION: ''IPA_GIT_VERSION'
+dnl `IPA_GIT_BRANCH: ''IPA_GIT_BRANCH'
+dnl `IPA_API_VERSION: ''IPA_API_VERSION'
+dnl `IPA_DATA_VERSION: ''IPA_DATA_VERSION'
+dnl `IPA_NUM_VERSION: ''IPA_NUM_VERSION'
--- a/aclocal.m4
+++ b/aclocal.m4
--- a/asn1/Makefile.am
+++ b/asn1/Makefile.am
@ -0,0 +1,8 @@
+SUBDIRS = asn1c
+
+AM_CPPFLAGS = -I$(top_srcdir)/util -I$(srcdir)/asn1c
+
+noinst_LTLIBRARIES=libipaasn1.la
+noinst_HEADERS=ipa_asn1.h
+libipaasn1_la_SOURCES=ipa_asn1.c
+libipaasn1_la_LIBADD=asn1c/libasn1c.la
--- a/asn1/Makefile.in
+++ b/asn1/Makefile.in
@ -0,0 +1,829 @@
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = asn1
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
+	$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(noinst_HEADERS) \
+	$(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+LTLIBRARIES = $(noinst_LTLIBRARIES)
+libipaasn1_la_DEPENDENCIES = asn1c/libasn1c.la
+am_libipaasn1_la_OBJECTS = ipa_asn1.lo
+libipaasn1_la_OBJECTS = $(am_libipaasn1_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/ipa_asn1.Plo
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libipaasn1_la_SOURCES)
+DIST_SOURCES = $(libipaasn1_la_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
+	ctags-recursive dvi-recursive html-recursive info-recursive \
+	install-data-recursive install-dvi-recursive \
+	install-exec-recursive install-html-recursive \
+	install-info-recursive install-pdf-recursive \
+	install-ps-recursive install-recursive installcheck-recursive \
+	installdirs-recursive pdf-recursive ps-recursive \
+	tags-recursive uninstall-recursive
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+HEADERS = $(noinst_HEADERS)
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+am__recursive_targets = \
+  $(RECURSIVE_TARGETS) \
+  $(RECURSIVE_CLEAN_TARGETS) \
+  $(am__extra_recursive_targets)
+AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
+	distdir distdir-am
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp README
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+API_VERSION = @API_VERSION@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
+CMOCKA_LIBS = @CMOCKA_LIBS@
+CONFIG_STATUS = @CONFIG_STATUS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
+CRYPTO_LIBS = @CRYPTO_LIBS@
+CYGPATH_W = @CYGPATH_W@
+DATA_VERSION = @DATA_VERSION@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
+DIRSRV_LIBS = @DIRSRV_LIBS@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GIT_BRANCH = @GIT_BRANCH@
+GIT_VERSION = @GIT_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+INI_CFLAGS = @INI_CFLAGS@
+INI_LIBS = @INI_LIBS@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+IPAPLATFORM = @IPAPLATFORM@
+IPA_DATA_DIR = @IPA_DATA_DIR@
+IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JSLINT = @JSLINT@
+KRAD_LIBS = @KRAD_LIBS@
+KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_LIBS = @KRB5_LIBS@
+LD = @LD@
+LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
+LDFLAGS = @LDFLAGS@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBINTL_LIBS = @LIBINTL_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBPDB_NAME = @LIBPDB_NAME@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
+LIBVERTO_LIBS = @LIBVERTO_LIBS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MK_ASSIGN = @MK_ASSIGN@
+MK_ELSE = @MK_ELSE@
+MK_ENDIF = @MK_ENDIF@
+MK_IFEQ = @MK_IFEQ@
+MSGATTRIB = @MSGATTRIB@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NAMED_GROUP = @NAMED_GROUP@
+NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
+NDRNBT_LIBS = @NDRNBT_LIBS@
+NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
+NDRPAC_LIBS = @NDRPAC_LIBS@
+NDR_CFLAGS = @NDR_CFLAGS@
+NDR_LIBS = @NDR_LIBS@
+NM = @NM@
+NMEDIT = @NMEDIT@
+NSPR_CFLAGS = @NSPR_CFLAGS@
+NSPR_LIBS = @NSPR_LIBS@
+NSS_CFLAGS = @NSS_CFLAGS@
+NSS_LIBS = @NSS_LIBS@
+NUM_VERSION = @NUM_VERSION@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+ODS_USER = @ODS_USER@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLATFORM_PYTHON = @PLATFORM_PYTHON@
+POPT_CFLAGS = @POPT_CFLAGS@
+POPT_LIBS = @POPT_LIBS@
+POSUB = @POSUB@
+PYLINT = @PYLINT@
+PYTHON = @PYTHON@
+PYTHON2 = @PYTHON2@
+PYTHON3 = @PYTHON3@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
+SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
+SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SASL_CFLAGS = @SASL_CFLAGS@
+SASL_LIBS = @SASL_LIBS@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
+SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
+SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
+SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
+SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
+SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
+STRIP = @STRIP@
+TALLOC_CFLAGS = @TALLOC_CFLAGS@
+TALLOC_LIBS = @TALLOC_LIBS@
+TEVENT_CFLAGS = @TEVENT_CFLAGS@
+TEVENT_LIBS = @TEVENT_LIBS@
+UNISTRING_LIBS = @UNISTRING_LIBS@
+UNLINK = @UNLINK@
+USE_NLS = @USE_NLS@
+UUID_CFLAGS = @UUID_CFLAGS@
+UUID_LIBS = @UUID_LIBS@
+VENDOR_SUFFIX = @VENDOR_SUFFIX@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
+XMLRPC_LIBS = @XMLRPC_LIBS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+i18ntests = @i18ntests@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+krb5rundir = @krb5rundir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+sysconfenvdir = @sysconfenvdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+systemdtmpfilesdir = @systemdtmpfilesdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+SUBDIRS = asn1c
+AM_CPPFLAGS = -I$(top_srcdir)/util -I$(srcdir)/asn1c
+noinst_LTLIBRARIES = libipaasn1.la
+noinst_HEADERS = ipa_asn1.h
+libipaasn1_la_SOURCES = ipa_asn1.c
+libipaasn1_la_LIBADD = asn1c/libasn1c.la
+all: all-recursive
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign asn1/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign asn1/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libipaasn1.la: $(libipaasn1_la_OBJECTS) $(libipaasn1_la_DEPENDENCIES) $(EXTRA_libipaasn1_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(libipaasn1_la_OBJECTS) $(libipaasn1_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipa_asn1.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+	@$(MKDIR_P) $(@D)
+	@echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run 'make' without going through this Makefile.
+# To change the values of 'make' variables: instead of editing Makefiles,
+# (1) if the variable is set in 'config.status', edit 'config.status'
+#     (which will cause the Makefiles to be regenerated when you run 'make');
+# (2) otherwise, pass the desired values on the 'make' command line.
+$(am__recursive_targets):
+	@fail=; \
+	if $(am__make_keepgoing); then \
+	  failcom='fail=yes'; \
+	else \
+	  failcom='exit 1'; \
+	fi; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-recursive
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-recursive
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-recursive
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-recursive
+all-am: Makefile $(LTLIBRARIES) $(HEADERS)
+installdirs: installdirs-recursive
+installdirs-am:
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-recursive
+		-rm -f ./$(DEPDIR)/ipa_asn1.Plo
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+html-am:
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-recursive
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-recursive
+
+install-html-am:
+
+install-info: install-info-recursive
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-recursive
+
+install-pdf-am:
+
+install-ps: install-ps-recursive
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+		-rm -f ./$(DEPDIR)/ipa_asn1.Plo
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: $(am__recursive_targets) install-am install-strip
+
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \
+	am--depfiles check check-am clean clean-generic clean-libtool \
+	clean-noinstLTLIBRARIES cscopelist-am ctags ctags-am distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	installdirs-am maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
--- a/asn1/README
+++ b/asn1/README
@ -0,0 +1,17 @@
+libipaasn1.a is a small static convenience library used by other ipa
+binaries and modules. At the moment it is not meant to be a public shared
+library and stable interface, but may become one in future.
+
+The only files that should be manually modified are:
+* asn1c/ipa.asn1 - when new interfaces are added
+* ipa_asn1.[ch] - to add wrappers around interfaces
+
+ipa_asn1.[ch] are the public interface and they SHOULD NOT export generated
+structures so that the autogenerated code can change w/o impacting any other
+code except the internal library functions.
+
+To regenerate the automatically generated files run the following command:
+cd asn1c;
+make regenerate
+
+Remember to commit and add any new file to asn1c/Makefile.am
--- a/asn1/asn1c/BIT_STRING.c
+++ b/asn1/asn1c/BIT_STRING.c
@ -0,0 +1,189 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <BIT_STRING.h>
+#include <asn_internal.h>
+
+/*
+ * BIT STRING basic type description.
+ */
+static const ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (3 << 2))
+};
+static asn_OCTET_STRING_specifics_t asn_DEF_BIT_STRING_specs = {
+	sizeof(BIT_STRING_t),
+	offsetof(BIT_STRING_t, _asn_ctx),
+	ASN_OSUBV_BIT
+};
+asn_TYPE_descriptor_t asn_DEF_BIT_STRING = {
+	"BIT STRING",
+	"BIT_STRING",
+	OCTET_STRING_free,         /* Implemented in terms of OCTET STRING */
+	BIT_STRING_print,
+	BIT_STRING_constraint,
+	OCTET_STRING_decode_ber,   /* Implemented in terms of OCTET STRING */
+	OCTET_STRING_encode_der,   /* Implemented in terms of OCTET STRING */
+	OCTET_STRING_decode_xer_binary,
+	BIT_STRING_encode_xer,
+	OCTET_STRING_decode_uper,	/* Unaligned PER decoder */
+	OCTET_STRING_encode_uper,	/* Unaligned PER encoder */
+	0, /* Use generic outmost tag fetcher */
+	asn_DEF_BIT_STRING_tags,
+	sizeof(asn_DEF_BIT_STRING_tags)
+	  / sizeof(asn_DEF_BIT_STRING_tags[0]),
+	asn_DEF_BIT_STRING_tags,	/* Same as above */
+	sizeof(asn_DEF_BIT_STRING_tags)
+	  / sizeof(asn_DEF_BIT_STRING_tags[0]),
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	&asn_DEF_BIT_STRING_specs
+};
+
+/*
+ * BIT STRING generic constraint.
+ */
+int
+BIT_STRING_constraint(asn_TYPE_descriptor_t *td, const void *sptr,
+		asn_app_constraint_failed_f *ctfailcb, void *app_key) {
+	const BIT_STRING_t *st = (const BIT_STRING_t *)sptr;
+
+	if(st && st->buf) {
+		if((st->size == 0 && st->bits_unused)
+		|| st->bits_unused < 0 || st->bits_unused > 7) {
+			ASN__CTFAIL(app_key, td, sptr,
+				"%s: invalid padding byte (%s:%d)",
+				td->name, __FILE__, __LINE__);
+			return -1;
+		}
+	} else {
+		ASN__CTFAIL(app_key, td, sptr,
+			"%s: value not given (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+
+	return 0;
+}
+
+static char *_bit_pattern[16] = {
+	"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111",
+	"1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"
+};
+
+asn_enc_rval_t
+BIT_STRING_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er;
+	char scratch[128];
+	char *p = scratch;
+	char *scend = scratch + (sizeof(scratch) - 10);
+	const BIT_STRING_t *st = (const BIT_STRING_t *)sptr;
+	int xcan = (flags & XER_F_CANONICAL);
+	uint8_t *buf;
+	uint8_t *end;
+
+	if(!st || !st->buf)
+		ASN__ENCODE_FAILED;
+
+	er.encoded = 0;
+
+	buf = st->buf;
+	end = buf + st->size - 1;	/* Last byte is special */
+
+	/*
+	 * Binary dump
+	 */
+	for(; buf < end; buf++) {
+		int v = *buf;
+		int nline = xcan?0:(((buf - st->buf) % 8) == 0);
+		if(p >= scend || nline) {
+			er.encoded += p - scratch;
+			ASN__CALLBACK(scratch, p - scratch);
+			p = scratch;
+			if(nline) ASN__TEXT_INDENT(1, ilevel);
+		}
+		memcpy(p + 0, _bit_pattern[v >> 4], 4);
+		memcpy(p + 4, _bit_pattern[v & 0x0f], 4);
+		p += 8;
+	}
+
+	if(!xcan && ((buf - st->buf) % 8) == 0)
+		ASN__TEXT_INDENT(1, ilevel);
+	er.encoded += p - scratch;
+	ASN__CALLBACK(scratch, p - scratch);
+	p = scratch;
+
+	if(buf == end) {
+		int v = *buf;
+		int ubits = st->bits_unused;
+		int i;
+		for(i = 7; i >= ubits; i--)
+			*p++ = (v & (1 << i)) ? 0x31 : 0x30;
+		er.encoded += p - scratch;
+		ASN__CALLBACK(scratch, p - scratch);
+	}
+
+	if(!xcan) ASN__TEXT_INDENT(1, ilevel - 1);
+
+	ASN__ENCODED_OK(er);
+cb_failed:
+	ASN__ENCODE_FAILED;
+}
+
+
+/*
+ * BIT STRING specific contents printer.
+ */
+int
+BIT_STRING_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	const char * const h2c = "0123456789ABCDEF";
+	char scratch[64];
+	const BIT_STRING_t *st = (const BIT_STRING_t *)sptr;
+	uint8_t *buf;
+	uint8_t *end;
+	char *p = scratch;
+
+	(void)td;	/* Unused argument */
+
+	if(!st || !st->buf)
+		return (cb("<absent>", 8, app_key) < 0) ? -1 : 0;
+
+	ilevel++;
+	buf = st->buf;
+	end = buf + st->size;
+
+	/*
+	 * Hexadecimal dump.
+	 */
+	for(; buf < end; buf++) {
+		if((buf - st->buf) % 16 == 0 && (st->size > 16)
+				&& buf != st->buf) {
+			_i_INDENT(1);
+			/* Dump the string */
+			if(cb(scratch, p - scratch, app_key) < 0) return -1;
+			p = scratch;
+		}
+		*p++ = h2c[*buf >> 4];
+		*p++ = h2c[*buf & 0x0F];
+		*p++ = 0x20;
+	}
+
+	if(p > scratch) {
+		p--;	/* Eat the tailing space */
+
+		if((st->size > 16)) {
+			_i_INDENT(1);
+		}
+
+		/* Dump the incomplete 16-bytes row */
+		if(cb(scratch, p - scratch, app_key) < 0)
+			return -1;
+	}
+
+	return 0;
+}
+
--- a/asn1/asn1c/BIT_STRING.h
+++ b/asn1/asn1c/BIT_STRING.h
@ -0,0 +1,33 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BIT_STRING_H_
+#define	_BIT_STRING_H_
+
+#include <OCTET_STRING.h>	/* Some help from OCTET STRING */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct BIT_STRING_s {
+	uint8_t *buf;	/* BIT STRING body */
+	int size;	/* Size of the above buffer */
+
+	int bits_unused;/* Unused trailing bits in the last octet (0..7) */
+
+	asn_struct_ctx_t _asn_ctx;	/* Parsing across buffer boundaries */
+} BIT_STRING_t;
+
+extern asn_TYPE_descriptor_t asn_DEF_BIT_STRING;
+
+asn_struct_print_f BIT_STRING_print;	/* Human-readable output */
+asn_constr_check_f BIT_STRING_constraint;
+xer_type_encoder_f BIT_STRING_encode_xer;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BIT_STRING_H_ */
--- a/asn1/asn1c/GKCurrentKeys.c
+++ b/asn1/asn1c/GKCurrentKeys.c
@ -0,0 +1,59 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#include "GKCurrentKeys.h"
+
+static asn_TYPE_member_t asn_MBR_GKCurrentKeys_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GKCurrentKeys, serviceIdentity),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"serviceIdentity"
+		},
+};
+static const ber_tlv_tag_t asn_DEF_GKCurrentKeys_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static const asn_TYPE_tag2member_t asn_MAP_GKCurrentKeys_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 } /* serviceIdentity */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_GKCurrentKeys_specs_1 = {
+	sizeof(struct GKCurrentKeys),
+	offsetof(struct GKCurrentKeys, _asn_ctx),
+	asn_MAP_GKCurrentKeys_tag2el_1,
+	1,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_GKCurrentKeys = {
+	"GKCurrentKeys",
+	"GKCurrentKeys",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_GKCurrentKeys_tags_1,
+	sizeof(asn_DEF_GKCurrentKeys_tags_1)
+		/sizeof(asn_DEF_GKCurrentKeys_tags_1[0]), /* 1 */
+	asn_DEF_GKCurrentKeys_tags_1,	/* Same as above */
+	sizeof(asn_DEF_GKCurrentKeys_tags_1)
+		/sizeof(asn_DEF_GKCurrentKeys_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_GKCurrentKeys_1,
+	1,	/* Elements count */
+	&asn_SPC_GKCurrentKeys_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GKCurrentKeys.h
+++ b/asn1/asn1c/GKCurrentKeys.h
@ -0,0 +1,38 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#ifndef	_GKCurrentKeys_H_
+#define	_GKCurrentKeys_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include <OCTET_STRING.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* GKCurrentKeys */
+typedef struct GKCurrentKeys {
+	OCTET_STRING_t	 serviceIdentity;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GKCurrentKeys_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GKCurrentKeys;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _GKCurrentKeys_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/GKNewKeys.c
+++ b/asn1/asn1c/GKNewKeys.c
@ -0,0 +1,124 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#include "GKNewKeys.h"
+
+static asn_TYPE_member_t asn_MBR_enctypes_3[] = {
+	{ ATF_POINTER, 0, 0,
+		(ASN_TAG_CLASS_UNIVERSAL | (2 << 2)),
+		0,
+		&asn_DEF_Int32,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		""
+		},
+};
+static const ber_tlv_tag_t asn_DEF_enctypes_tags_3[] = {
+	(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_SET_OF_specifics_t asn_SPC_enctypes_specs_3 = {
+	sizeof(struct enctypes),
+	offsetof(struct enctypes, _asn_ctx),
+	0,	/* XER encoding is XMLDelimitedItemList */
+};
+static /* Use -fall-defs-global to expose */
+asn_TYPE_descriptor_t asn_DEF_enctypes_3 = {
+	"enctypes",
+	"enctypes",
+	SEQUENCE_OF_free,
+	SEQUENCE_OF_print,
+	SEQUENCE_OF_constraint,
+	SEQUENCE_OF_decode_ber,
+	SEQUENCE_OF_encode_der,
+	SEQUENCE_OF_decode_xer,
+	SEQUENCE_OF_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_enctypes_tags_3,
+	sizeof(asn_DEF_enctypes_tags_3)
+		/sizeof(asn_DEF_enctypes_tags_3[0]), /* 2 */
+	asn_DEF_enctypes_tags_3,	/* Same as above */
+	sizeof(asn_DEF_enctypes_tags_3)
+		/sizeof(asn_DEF_enctypes_tags_3[0]), /* 2 */
+	0,	/* No PER visible constraints */
+	asn_MBR_enctypes_3,
+	1,	/* Single element */
+	&asn_SPC_enctypes_specs_3	/* Additional specs */
+};
+
+static asn_TYPE_member_t asn_MBR_GKNewKeys_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GKNewKeys, serviceIdentity),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"serviceIdentity"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GKNewKeys, enctypes),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		0,
+		&asn_DEF_enctypes_3,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"enctypes"
+		},
+	{ ATF_POINTER, 1, offsetof(struct GKNewKeys, password),
+		(ASN_TAG_CLASS_CONTEXT | (2 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"password"
+		},
+};
+static const ber_tlv_tag_t asn_DEF_GKNewKeys_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static const asn_TYPE_tag2member_t asn_MAP_GKNewKeys_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* serviceIdentity */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* enctypes */
+    { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* password */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_GKNewKeys_specs_1 = {
+	sizeof(struct GKNewKeys),
+	offsetof(struct GKNewKeys, _asn_ctx),
+	asn_MAP_GKNewKeys_tag2el_1,
+	3,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_GKNewKeys = {
+	"GKNewKeys",
+	"GKNewKeys",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_GKNewKeys_tags_1,
+	sizeof(asn_DEF_GKNewKeys_tags_1)
+		/sizeof(asn_DEF_GKNewKeys_tags_1[0]), /* 1 */
+	asn_DEF_GKNewKeys_tags_1,	/* Same as above */
+	sizeof(asn_DEF_GKNewKeys_tags_1)
+		/sizeof(asn_DEF_GKNewKeys_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_GKNewKeys_1,
+	3,	/* Elements count */
+	&asn_SPC_GKNewKeys_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GKNewKeys.h
+++ b/asn1/asn1c/GKNewKeys.h
@ -0,0 +1,48 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#ifndef	_GKNewKeys_H_
+#define	_GKNewKeys_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include <OCTET_STRING.h>
+#include "Int32.h"
+#include <asn_SEQUENCE_OF.h>
+#include <constr_SEQUENCE_OF.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* GKNewKeys */
+typedef struct GKNewKeys {
+	OCTET_STRING_t	 serviceIdentity;
+	struct enctypes {
+		A_SEQUENCE_OF(Int32_t) list;
+		
+		/* Context for parsing across buffer boundaries */
+		asn_struct_ctx_t _asn_ctx;
+	} enctypes;
+	OCTET_STRING_t	*password	/* OPTIONAL */;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GKNewKeys_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GKNewKeys;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _GKNewKeys_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/GKReply.c
+++ b/asn1/asn1c/GKReply.c
@ -0,0 +1,113 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#include "GKReply.h"
+
+static asn_TYPE_member_t asn_MBR_keys_3[] = {
+	{ ATF_POINTER, 0, 0,
+		(ASN_TAG_CLASS_UNIVERSAL | (16 << 2)),
+		0,
+		&asn_DEF_KrbKey,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		""
+		},
+};
+static const ber_tlv_tag_t asn_DEF_keys_tags_3[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static asn_SET_OF_specifics_t asn_SPC_keys_specs_3 = {
+	sizeof(struct keys),
+	offsetof(struct keys, _asn_ctx),
+	0,	/* XER encoding is XMLDelimitedItemList */
+};
+static /* Use -fall-defs-global to expose */
+asn_TYPE_descriptor_t asn_DEF_keys_3 = {
+	"keys",
+	"keys",
+	SEQUENCE_OF_free,
+	SEQUENCE_OF_print,
+	SEQUENCE_OF_constraint,
+	SEQUENCE_OF_decode_ber,
+	SEQUENCE_OF_encode_der,
+	SEQUENCE_OF_decode_xer,
+	SEQUENCE_OF_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_keys_tags_3,
+	sizeof(asn_DEF_keys_tags_3)
+		/sizeof(asn_DEF_keys_tags_3[0]), /* 1 */
+	asn_DEF_keys_tags_3,	/* Same as above */
+	sizeof(asn_DEF_keys_tags_3)
+		/sizeof(asn_DEF_keys_tags_3[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_keys_3,
+	1,	/* Single element */
+	&asn_SPC_keys_specs_3	/* Additional specs */
+};
+
+static asn_TYPE_member_t asn_MBR_GKReply_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GKReply, newkvno),
+		(ASN_TAG_CLASS_UNIVERSAL | (2 << 2)),
+		0,
+		&asn_DEF_Int32,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"newkvno"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GKReply, keys),
+		(ASN_TAG_CLASS_UNIVERSAL | (16 << 2)),
+		0,
+		&asn_DEF_keys_3,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"keys"
+		},
+};
+static const ber_tlv_tag_t asn_DEF_GKReply_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static const asn_TYPE_tag2member_t asn_MAP_GKReply_tag2el_1[] = {
+    { (ASN_TAG_CLASS_UNIVERSAL | (2 << 2)), 0, 0, 0 }, /* newkvno */
+    { (ASN_TAG_CLASS_UNIVERSAL | (16 << 2)), 1, 0, 0 } /* keys */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_GKReply_specs_1 = {
+	sizeof(struct GKReply),
+	offsetof(struct GKReply, _asn_ctx),
+	asn_MAP_GKReply_tag2el_1,
+	2,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_GKReply = {
+	"GKReply",
+	"GKReply",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_GKReply_tags_1,
+	sizeof(asn_DEF_GKReply_tags_1)
+		/sizeof(asn_DEF_GKReply_tags_1[0]), /* 1 */
+	asn_DEF_GKReply_tags_1,	/* Same as above */
+	sizeof(asn_DEF_GKReply_tags_1)
+		/sizeof(asn_DEF_GKReply_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_GKReply_1,
+	2,	/* Elements count */
+	&asn_SPC_GKReply_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GKReply.h
+++ b/asn1/asn1c/GKReply.h
@ -0,0 +1,52 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#ifndef	_GKReply_H_
+#define	_GKReply_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "Int32.h"
+#include <asn_SEQUENCE_OF.h>
+#include <constr_SEQUENCE_OF.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Forward declarations */
+struct KrbKey;
+
+/* GKReply */
+typedef struct GKReply {
+	Int32_t	 newkvno;
+	struct keys {
+		A_SEQUENCE_OF(struct KrbKey) list;
+		
+		/* Context for parsing across buffer boundaries */
+		asn_struct_ctx_t _asn_ctx;
+	} keys;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GKReply_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GKReply;
+
+#ifdef __cplusplus
+}
+#endif
+
+/* Referred external types */
+#include "KrbKey.h"
+
+#endif	/* _GKReply_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/GetKeytabControl.c
+++ b/asn1/asn1c/GetKeytabControl.c
@ -0,0 +1,75 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#include "GetKeytabControl.h"
+
+static asn_TYPE_member_t asn_MBR_GetKeytabControl_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct GetKeytabControl, choice.newkeys),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_GKNewKeys,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"newkeys"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GetKeytabControl, choice.curkeys),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_GKCurrentKeys,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"curkeys"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct GetKeytabControl, choice.reply),
+		(ASN_TAG_CLASS_CONTEXT | (2 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_GKReply,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"reply"
+		},
+};
+static const asn_TYPE_tag2member_t asn_MAP_GetKeytabControl_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* newkeys */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* curkeys */
+    { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* reply */
+};
+static asn_CHOICE_specifics_t asn_SPC_GetKeytabControl_specs_1 = {
+	sizeof(struct GetKeytabControl),
+	offsetof(struct GetKeytabControl, _asn_ctx),
+	offsetof(struct GetKeytabControl, present),
+	sizeof(((struct GetKeytabControl *)0)->present),
+	asn_MAP_GetKeytabControl_tag2el_1,
+	3,	/* Count of tags in the map */
+	0,
+	-1	/* Extensions start */
+};
+asn_TYPE_descriptor_t asn_DEF_GetKeytabControl = {
+	"GetKeytabControl",
+	"GetKeytabControl",
+	CHOICE_free,
+	CHOICE_print,
+	CHOICE_constraint,
+	CHOICE_decode_ber,
+	CHOICE_encode_der,
+	CHOICE_decode_xer,
+	CHOICE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	CHOICE_outmost_tag,
+	0,	/* No effective tags (pointer) */
+	0,	/* No effective tags (count) */
+	0,	/* No tags (pointer) */
+	0,	/* No tags (count) */
+	0,	/* No PER visible constraints */
+	asn_MBR_GetKeytabControl_1,
+	3,	/* Elements count */
+	&asn_SPC_GetKeytabControl_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/GetKeytabControl.h
+++ b/asn1/asn1c/GetKeytabControl.h
@ -0,0 +1,53 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#ifndef	_GetKeytabControl_H_
+#define	_GetKeytabControl_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "GKNewKeys.h"
+#include "GKCurrentKeys.h"
+#include "GKReply.h"
+#include <constr_CHOICE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Dependencies */
+typedef enum GetKeytabControl_PR {
+	GetKeytabControl_PR_NOTHING,	/* No components present */
+	GetKeytabControl_PR_newkeys,
+	GetKeytabControl_PR_curkeys,
+	GetKeytabControl_PR_reply
+} GetKeytabControl_PR;
+
+/* GetKeytabControl */
+typedef struct GetKeytabControl {
+	GetKeytabControl_PR present;
+	union GetKeytabControl_u {
+		GKNewKeys_t	 newkeys;
+		GKCurrentKeys_t	 curkeys;
+		GKReply_t	 reply;
+	} choice;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} GetKeytabControl_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_GetKeytabControl;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _GetKeytabControl_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/INTEGER.c
+++ b/asn1/asn1c/INTEGER.c
--- a/asn1/asn1c/INTEGER.h
+++ b/asn1/asn1c/INTEGER.h
@ -0,0 +1,82 @@
+/*-
+ * Copyright (c) 2003, 2005 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_INTEGER_H_
+#define	_INTEGER_H_
+
+#include <asn_application.h>
+#include <asn_codecs_prim.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef ASN__PRIMITIVE_TYPE_t INTEGER_t;
+
+extern asn_TYPE_descriptor_t asn_DEF_INTEGER;
+
+/* Map with <tag> to integer value association */
+typedef struct asn_INTEGER_enum_map_s {
+	long		 nat_value;	/* associated native integer value */
+	size_t		 enum_len;	/* strlen("tag") */
+	const char	*enum_name;	/* "tag" */
+} asn_INTEGER_enum_map_t;
+
+/* This type describes an enumeration for INTEGER and ENUMERATED types */
+typedef const struct asn_INTEGER_specifics_s {
+	const asn_INTEGER_enum_map_t *value2enum;	/* N -> "tag"; sorted by N */
+	const unsigned int *enum2value;		/* "tag" => N; sorted by tag */
+	int map_count;				/* Elements in either map */
+	int extension;				/* This map is extensible */
+	int strict_enumeration;			/* Enumeration set is fixed */
+	int field_width;			/* Size of native integer */
+	int field_unsigned;			/* Signed=0, unsigned=1 */
+} asn_INTEGER_specifics_t;
+
+asn_struct_print_f INTEGER_print;
+ber_type_decoder_f INTEGER_decode_ber;
+der_type_encoder_f INTEGER_encode_der;
+xer_type_decoder_f INTEGER_decode_xer;
+xer_type_encoder_f INTEGER_encode_xer;
+per_type_decoder_f INTEGER_decode_uper;
+per_type_encoder_f INTEGER_encode_uper;
+
+/***********************************
+ * Some handy conversion routines. *
+ ***********************************/
+
+/*
+ * Returns 0 if it was possible to convert, -1 otherwise.
+ * -1/EINVAL: Mandatory argument missing
+ * -1/ERANGE: Value encoded is out of range for long representation
+ * -1/ENOMEM: Memory allocation failed (in asn_long2INTEGER()).
+ */
+int asn_INTEGER2long(const INTEGER_t *i, long *l);
+int asn_INTEGER2ulong(const INTEGER_t *i, unsigned long *l);
+int asn_long2INTEGER(INTEGER_t *i, long l);
+int asn_ulong2INTEGER(INTEGER_t *i, unsigned long l);
+
+/* A a reified version of strtol(3) with nicer error reporting. */
+enum asn_strtol_result_e {
+    ASN_STRTOL_ERROR_RANGE = -3,  /* Input outside of numeric range for long type */
+    ASN_STRTOL_ERROR_INVAL = -2,  /* Invalid data encountered (e.g., "+-") */
+    ASN_STRTOL_EXPECT_MORE = -1,  /* More data expected (e.g. "+") */
+    ASN_STRTOL_OK          =  0,  /* Conversion succeded, number ends at (*end) */
+    ASN_STRTOL_EXTRA_DATA  =  1   /* Conversion succeded, but the string has extra stuff */
+};
+enum asn_strtol_result_e asn_strtol_lim(const char *str, const char **end, long *l);
+
+/* The asn_strtol is going to be DEPRECATED soon */
+enum asn_strtol_result_e asn_strtol(const char *str, const char *end, long *l);
+
+/*
+ * Convert the integer value into the corresponding enumeration map entry.
+ */
+const asn_INTEGER_enum_map_t *INTEGER_map_value2enum(asn_INTEGER_specifics_t *specs, long value);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _INTEGER_H_ */
--- a/asn1/asn1c/Int32.c
+++ b/asn1/asn1c/Int32.c
@ -0,0 +1,126 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#include "Int32.h"
+
+int
+Int32_constraint(asn_TYPE_descriptor_t *td, const void *sptr,
+			asn_app_constraint_failed_f *ctfailcb, void *app_key) {
+	long value;
+	
+	if(!sptr) {
+		ASN__CTFAIL(app_key, td, sptr,
+			"%s: value not given (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+	
+	value = *(const long *)sptr;
+	
+	if((value >= (-2147483647L - 1) && value <= 2147483647)) {
+		/* Constraint check succeeded */
+		return 0;
+	} else {
+		ASN__CTFAIL(app_key, td, sptr,
+			"%s: constraint failed (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+}
+
+/*
+ * This type is implemented using NativeInteger,
+ * so here we adjust the DEF accordingly.
+ */
+static void
+Int32_1_inherit_TYPE_descriptor(asn_TYPE_descriptor_t *td) {
+	td->free_struct    = asn_DEF_NativeInteger.free_struct;
+	td->print_struct   = asn_DEF_NativeInteger.print_struct;
+	td->check_constraints = asn_DEF_NativeInteger.check_constraints;
+	td->ber_decoder    = asn_DEF_NativeInteger.ber_decoder;
+	td->der_encoder    = asn_DEF_NativeInteger.der_encoder;
+	td->xer_decoder    = asn_DEF_NativeInteger.xer_decoder;
+	td->xer_encoder    = asn_DEF_NativeInteger.xer_encoder;
+	td->uper_decoder   = asn_DEF_NativeInteger.uper_decoder;
+	td->uper_encoder   = asn_DEF_NativeInteger.uper_encoder;
+	if(!td->per_constraints)
+		td->per_constraints = asn_DEF_NativeInteger.per_constraints;
+	td->elements       = asn_DEF_NativeInteger.elements;
+	td->elements_count = asn_DEF_NativeInteger.elements_count;
+	td->specifics      = asn_DEF_NativeInteger.specifics;
+}
+
+void
+Int32_free(asn_TYPE_descriptor_t *td,
+		void *struct_ptr, int contents_only) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	td->free_struct(td, struct_ptr, contents_only);
+}
+
+int
+Int32_print(asn_TYPE_descriptor_t *td, const void *struct_ptr,
+		int ilevel, asn_app_consume_bytes_f *cb, void *app_key) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->print_struct(td, struct_ptr, ilevel, cb, app_key);
+}
+
+asn_dec_rval_t
+Int32_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+		void **structure, const void *bufptr, size_t size, int tag_mode) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->ber_decoder(opt_codec_ctx, td, structure, bufptr, size, tag_mode);
+}
+
+asn_enc_rval_t
+Int32_encode_der(asn_TYPE_descriptor_t *td,
+		void *structure, int tag_mode, ber_tlv_tag_t tag,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->der_encoder(td, structure, tag_mode, tag, cb, app_key);
+}
+
+asn_dec_rval_t
+Int32_decode_xer(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+		void **structure, const char *opt_mname, const void *bufptr, size_t size) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->xer_decoder(opt_codec_ctx, td, structure, opt_mname, bufptr, size);
+}
+
+asn_enc_rval_t
+Int32_encode_xer(asn_TYPE_descriptor_t *td, void *structure,
+		int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	Int32_1_inherit_TYPE_descriptor(td);
+	return td->xer_encoder(td, structure, ilevel, flags, cb, app_key);
+}
+
+static const ber_tlv_tag_t asn_DEF_Int32_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (2 << 2))
+};
+asn_TYPE_descriptor_t asn_DEF_Int32 = {
+	"Int32",
+	"Int32",
+	Int32_free,
+	Int32_print,
+	Int32_constraint,
+	Int32_decode_ber,
+	Int32_encode_der,
+	Int32_decode_xer,
+	Int32_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_Int32_tags_1,
+	sizeof(asn_DEF_Int32_tags_1)
+		/sizeof(asn_DEF_Int32_tags_1[0]), /* 1 */
+	asn_DEF_Int32_tags_1,	/* Same as above */
+	sizeof(asn_DEF_Int32_tags_1)
+		/sizeof(asn_DEF_Int32_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	0	/* No specifics */
+};
+
--- a/asn1/asn1c/Int32.h
+++ b/asn1/asn1c/Int32.h
@ -0,0 +1,39 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#ifndef	_Int32_H_
+#define	_Int32_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include <NativeInteger.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Int32 */
+typedef long	 Int32_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_Int32;
+asn_struct_free_f Int32_free;
+asn_struct_print_f Int32_print;
+asn_constr_check_f Int32_constraint;
+ber_type_decoder_f Int32_decode_ber;
+der_type_encoder_f Int32_encode_der;
+xer_type_decoder_f Int32_decode_xer;
+xer_type_encoder_f Int32_encode_xer;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _Int32_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/KrbKey.c
+++ b/asn1/asn1c/KrbKey.c
@ -0,0 +1,79 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#include "KrbKey.h"
+
+static asn_TYPE_member_t asn_MBR_KrbKey_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct KrbKey, key),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_TypeValuePair,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"key"
+		},
+	{ ATF_POINTER, 2, offsetof(struct KrbKey, salt),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_TypeValuePair,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"salt"
+		},
+	{ ATF_POINTER, 1, offsetof(struct KrbKey, s2kparams),
+		(ASN_TAG_CLASS_CONTEXT | (2 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"s2kparams"
+		},
+};
+static const ber_tlv_tag_t asn_DEF_KrbKey_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static const asn_TYPE_tag2member_t asn_MAP_KrbKey_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* key */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 }, /* salt */
+    { (ASN_TAG_CLASS_CONTEXT | (2 << 2)), 2, 0, 0 } /* s2kparams */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_KrbKey_specs_1 = {
+	sizeof(struct KrbKey),
+	offsetof(struct KrbKey, _asn_ctx),
+	asn_MAP_KrbKey_tag2el_1,
+	3,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_KrbKey = {
+	"KrbKey",
+	"KrbKey",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_KrbKey_tags_1,
+	sizeof(asn_DEF_KrbKey_tags_1)
+		/sizeof(asn_DEF_KrbKey_tags_1[0]), /* 1 */
+	asn_DEF_KrbKey_tags_1,	/* Same as above */
+	sizeof(asn_DEF_KrbKey_tags_1)
+		/sizeof(asn_DEF_KrbKey_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_KrbKey_1,
+	3,	/* Elements count */
+	&asn_SPC_KrbKey_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/KrbKey.h
+++ b/asn1/asn1c/KrbKey.h
@ -0,0 +1,47 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#ifndef	_KrbKey_H_
+#define	_KrbKey_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "TypeValuePair.h"
+#include <OCTET_STRING.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Forward declarations */
+struct TypeValuePair;
+
+/* KrbKey */
+typedef struct KrbKey {
+	TypeValuePair_t	 key;
+	struct TypeValuePair	*salt	/* OPTIONAL */;
+	OCTET_STRING_t	*s2kparams	/* OPTIONAL */;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} KrbKey_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_KrbKey;
+
+#ifdef __cplusplus
+}
+#endif
+
+/* Referred external types */
+#include "TypeValuePair.h"
+
+#endif	/* _KrbKey_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/Makefile.am
+++ b/asn1/asn1c/Makefile.am
@ -0,0 +1,80 @@
+libasn1c_la_SOURCES =		\
+	asn_application.h	\
+	asn_codecs.h		\
+	asn_codecs_prim.c	\
+	asn_codecs_prim.h	\
+	asn_internal.h		\
+	asn_SEQUENCE_OF.c	\
+	asn_SEQUENCE_OF.h	\
+	asn_SET_OF.c		\
+	asn_SET_OF.h		\
+	asn_system.h		\
+	ber_decoder.c		\
+	ber_decoder.h		\
+	ber_tlv_length.c	\
+	ber_tlv_length.h	\
+	ber_tlv_tag.c		\
+	ber_tlv_tag.h		\
+	BIT_STRING.c		\
+	BIT_STRING.h		\
+	constraints.c		\
+	constraints.h		\
+	constr_CHOICE.c		\
+	constr_CHOICE.h		\
+	constr_SEQUENCE.c	\
+	constr_SEQUENCE.h	\
+	constr_SEQUENCE_OF.c	\
+	constr_SEQUENCE_OF.h	\
+	constr_SET_OF.c		\
+	constr_SET_OF.h		\
+	constr_TYPE.c		\
+	constr_TYPE.h		\
+	der_encoder.c		\
+	der_encoder.h		\
+	GetKeytabControl.c	\
+	GetKeytabControl.h	\
+	GKCurrentKeys.c		\
+	GKCurrentKeys.h		\
+	GKNewKeys.c		\
+	GKNewKeys.h		\
+	GKReply.c		\
+	GKReply.h		\
+	Int32.c			\
+	Int32.h			\
+	INTEGER.c		\
+	INTEGER.h		\
+	KrbKey.c		\
+	KrbKey.h		\
+	NativeEnumerated.c	\
+	NativeEnumerated.h	\
+	NativeInteger.c		\
+	NativeInteger.h		\
+	OCTET_STRING.c		\
+	OCTET_STRING.h		\
+	per_decoder.c		\
+	per_decoder.h		\
+	per_encoder.c		\
+	per_encoder.h		\
+	per_opentype.c		\
+	per_opentype.h		\
+	per_support.c		\
+	per_support.h		\
+	TypeValuePair.c		\
+	TypeValuePair.h		\
+	xer_decoder.c		\
+	xer_decoder.h		\
+	xer_encoder.c		\
+	xer_encoder.h		\
+	xer_support.c		\
+	xer_support.h
+
+EXTRA_DIST = ipa.asn1
+
+AM_CPPFLAGS = -I$(top_srcdir)/util
+
+noinst_LTLIBRARIES=libasn1c.la
+
+regenerate:
+	asn1c -fskeletons-copy -fnative-types ipa.asn1
+	$(SED) -i s/_BSD_SOURCE/_DEFAULT_SOURCE/g asn_system.h
+	rm -f converter-sample.c Makefile.am.sample
--- a/asn1/asn1c/Makefile.in
+++ b/asn1/asn1c/Makefile.in
@ -0,0 +1,900 @@
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = asn1/asn1c
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
+	$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+LTLIBRARIES = $(noinst_LTLIBRARIES)
+libasn1c_la_LIBADD =
+am_libasn1c_la_OBJECTS = asn_codecs_prim.lo asn_SEQUENCE_OF.lo \
+	asn_SET_OF.lo ber_decoder.lo ber_tlv_length.lo ber_tlv_tag.lo \
+	BIT_STRING.lo constraints.lo constr_CHOICE.lo \
+	constr_SEQUENCE.lo constr_SEQUENCE_OF.lo constr_SET_OF.lo \
+	constr_TYPE.lo der_encoder.lo GetKeytabControl.lo \
+	GKCurrentKeys.lo GKNewKeys.lo GKReply.lo Int32.lo INTEGER.lo \
+	KrbKey.lo NativeEnumerated.lo NativeInteger.lo OCTET_STRING.lo \
+	per_decoder.lo per_encoder.lo per_opentype.lo per_support.lo \
+	TypeValuePair.lo xer_decoder.lo xer_encoder.lo xer_support.lo
+libasn1c_la_OBJECTS = $(am_libasn1c_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/BIT_STRING.Plo \
+	./$(DEPDIR)/GKCurrentKeys.Plo ./$(DEPDIR)/GKNewKeys.Plo \
+	./$(DEPDIR)/GKReply.Plo ./$(DEPDIR)/GetKeytabControl.Plo \
+	./$(DEPDIR)/INTEGER.Plo ./$(DEPDIR)/Int32.Plo \
+	./$(DEPDIR)/KrbKey.Plo ./$(DEPDIR)/NativeEnumerated.Plo \
+	./$(DEPDIR)/NativeInteger.Plo ./$(DEPDIR)/OCTET_STRING.Plo \
+	./$(DEPDIR)/TypeValuePair.Plo ./$(DEPDIR)/asn_SEQUENCE_OF.Plo \
+	./$(DEPDIR)/asn_SET_OF.Plo ./$(DEPDIR)/asn_codecs_prim.Plo \
+	./$(DEPDIR)/ber_decoder.Plo ./$(DEPDIR)/ber_tlv_length.Plo \
+	./$(DEPDIR)/ber_tlv_tag.Plo ./$(DEPDIR)/constr_CHOICE.Plo \
+	./$(DEPDIR)/constr_SEQUENCE.Plo \
+	./$(DEPDIR)/constr_SEQUENCE_OF.Plo \
+	./$(DEPDIR)/constr_SET_OF.Plo ./$(DEPDIR)/constr_TYPE.Plo \
+	./$(DEPDIR)/constraints.Plo ./$(DEPDIR)/der_encoder.Plo \
+	./$(DEPDIR)/per_decoder.Plo ./$(DEPDIR)/per_encoder.Plo \
+	./$(DEPDIR)/per_opentype.Plo ./$(DEPDIR)/per_support.Plo \
+	./$(DEPDIR)/xer_decoder.Plo ./$(DEPDIR)/xer_encoder.Plo \
+	./$(DEPDIR)/xer_support.Plo
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libasn1c_la_SOURCES)
+DIST_SOURCES = $(libasn1c_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+API_VERSION = @API_VERSION@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
+CMOCKA_LIBS = @CMOCKA_LIBS@
+CONFIG_STATUS = @CONFIG_STATUS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
+CRYPTO_LIBS = @CRYPTO_LIBS@
+CYGPATH_W = @CYGPATH_W@
+DATA_VERSION = @DATA_VERSION@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
+DIRSRV_LIBS = @DIRSRV_LIBS@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GIT_BRANCH = @GIT_BRANCH@
+GIT_VERSION = @GIT_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+INI_CFLAGS = @INI_CFLAGS@
+INI_LIBS = @INI_LIBS@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+IPAPLATFORM = @IPAPLATFORM@
+IPA_DATA_DIR = @IPA_DATA_DIR@
+IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JSLINT = @JSLINT@
+KRAD_LIBS = @KRAD_LIBS@
+KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_LIBS = @KRB5_LIBS@
+LD = @LD@
+LDAP_CFLAGS = @LDAP_CFLAGS@
+LDAP_LIBS = @LDAP_LIBS@
+LDFLAGS = @LDFLAGS@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBINTL_LIBS = @LIBINTL_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBPDB_NAME = @LIBPDB_NAME@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
+LIBVERTO_LIBS = @LIBVERTO_LIBS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MK_ASSIGN = @MK_ASSIGN@
+MK_ELSE = @MK_ELSE@
+MK_ENDIF = @MK_ENDIF@
+MK_IFEQ = @MK_IFEQ@
+MSGATTRIB = @MSGATTRIB@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NAMED_GROUP = @NAMED_GROUP@
+NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
+NDRNBT_LIBS = @NDRNBT_LIBS@
+NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
+NDRPAC_LIBS = @NDRPAC_LIBS@
+NDR_CFLAGS = @NDR_CFLAGS@
+NDR_LIBS = @NDR_LIBS@
+NM = @NM@
+NMEDIT = @NMEDIT@
+NSPR_CFLAGS = @NSPR_CFLAGS@
+NSPR_LIBS = @NSPR_LIBS@
+NSS_CFLAGS = @NSS_CFLAGS@
+NSS_LIBS = @NSS_LIBS@
+NUM_VERSION = @NUM_VERSION@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+ODS_USER = @ODS_USER@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLATFORM_PYTHON = @PLATFORM_PYTHON@
+POPT_CFLAGS = @POPT_CFLAGS@
+POPT_LIBS = @POPT_LIBS@
+POSUB = @POSUB@
+PYLINT = @PYLINT@
+PYTHON = @PYTHON@
+PYTHON2 = @PYTHON2@
+PYTHON3 = @PYTHON3@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+RANLIB = @RANLIB@
+SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
+SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
+SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SASL_CFLAGS = @SASL_CFLAGS@
+SASL_LIBS = @SASL_LIBS@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
+SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
+SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
+SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
+SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
+SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
+STRIP = @STRIP@
+TALLOC_CFLAGS = @TALLOC_CFLAGS@
+TALLOC_LIBS = @TALLOC_LIBS@
+TEVENT_CFLAGS = @TEVENT_CFLAGS@
+TEVENT_LIBS = @TEVENT_LIBS@
+UNISTRING_LIBS = @UNISTRING_LIBS@
+UNLINK = @UNLINK@
+USE_NLS = @USE_NLS@
+UUID_CFLAGS = @UUID_CFLAGS@
+UUID_LIBS = @UUID_LIBS@
+VENDOR_SUFFIX = @VENDOR_SUFFIX@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
+XMLRPC_LIBS = @XMLRPC_LIBS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+i18ntests = @i18ntests@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+krb5rundir = @krb5rundir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+sysconfenvdir = @sysconfenvdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+systemdtmpfilesdir = @systemdtmpfilesdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+libasn1c_la_SOURCES = \
+	asn_application.h	\
+	asn_codecs.h		\
+	asn_codecs_prim.c	\
+	asn_codecs_prim.h	\
+	asn_internal.h		\
+	asn_SEQUENCE_OF.c	\
+	asn_SEQUENCE_OF.h	\
+	asn_SET_OF.c		\
+	asn_SET_OF.h		\
+	asn_system.h		\
+	ber_decoder.c		\
+	ber_decoder.h		\
+	ber_tlv_length.c	\
+	ber_tlv_length.h	\
+	ber_tlv_tag.c		\
+	ber_tlv_tag.h		\
+	BIT_STRING.c		\
+	BIT_STRING.h		\
+	constraints.c		\
+	constraints.h		\
+	constr_CHOICE.c		\
+	constr_CHOICE.h		\
+	constr_SEQUENCE.c	\
+	constr_SEQUENCE.h	\
+	constr_SEQUENCE_OF.c	\
+	constr_SEQUENCE_OF.h	\
+	constr_SET_OF.c		\
+	constr_SET_OF.h		\
+	constr_TYPE.c		\
+	constr_TYPE.h		\
+	der_encoder.c		\
+	der_encoder.h		\
+	GetKeytabControl.c	\
+	GetKeytabControl.h	\
+	GKCurrentKeys.c		\
+	GKCurrentKeys.h		\
+	GKNewKeys.c		\
+	GKNewKeys.h		\
+	GKReply.c		\
+	GKReply.h		\
+	Int32.c			\
+	Int32.h			\
+	INTEGER.c		\
+	INTEGER.h		\
+	KrbKey.c		\
+	KrbKey.h		\
+	NativeEnumerated.c	\
+	NativeEnumerated.h	\
+	NativeInteger.c		\
+	NativeInteger.h		\
+	OCTET_STRING.c		\
+	OCTET_STRING.h		\
+	per_decoder.c		\
+	per_decoder.h		\
+	per_encoder.c		\
+	per_encoder.h		\
+	per_opentype.c		\
+	per_opentype.h		\
+	per_support.c		\
+	per_support.h		\
+	TypeValuePair.c		\
+	TypeValuePair.h		\
+	xer_decoder.c		\
+	xer_decoder.h		\
+	xer_encoder.c		\
+	xer_encoder.h		\
+	xer_support.c		\
+	xer_support.h
+
+EXTRA_DIST = ipa.asn1
+AM_CPPFLAGS = -I$(top_srcdir)/util
+noinst_LTLIBRARIES = libasn1c.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign asn1/asn1c/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign asn1/asn1c/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libasn1c.la: $(libasn1c_la_OBJECTS) $(libasn1c_la_DEPENDENCIES) $(EXTRA_libasn1c_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(LINK)  $(libasn1c_la_OBJECTS) $(libasn1c_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/BIT_STRING.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/GKCurrentKeys.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/GKNewKeys.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/GKReply.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/GetKeytabControl.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/INTEGER.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/Int32.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/KrbKey.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/NativeEnumerated.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/NativeInteger.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/OCTET_STRING.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/TypeValuePair.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn_SEQUENCE_OF.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn_SET_OF.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn_codecs_prim.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ber_decoder.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ber_tlv_length.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ber_tlv_tag.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constr_CHOICE.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constr_SEQUENCE.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constr_SEQUENCE_OF.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constr_SET_OF.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constr_TYPE.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/der_encoder.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/per_decoder.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/per_encoder.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/per_opentype.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/per_support.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xer_decoder.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xer_encoder.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xer_support.Plo@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+	@$(MKDIR_P) $(@D)
+	@echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+		-rm -f ./$(DEPDIR)/BIT_STRING.Plo
+	-rm -f ./$(DEPDIR)/GKCurrentKeys.Plo
+	-rm -f ./$(DEPDIR)/GKNewKeys.Plo
+	-rm -f ./$(DEPDIR)/GKReply.Plo
+	-rm -f ./$(DEPDIR)/GetKeytabControl.Plo
+	-rm -f ./$(DEPDIR)/INTEGER.Plo
+	-rm -f ./$(DEPDIR)/Int32.Plo
+	-rm -f ./$(DEPDIR)/KrbKey.Plo
+	-rm -f ./$(DEPDIR)/NativeEnumerated.Plo
+	-rm -f ./$(DEPDIR)/NativeInteger.Plo
+	-rm -f ./$(DEPDIR)/OCTET_STRING.Plo
+	-rm -f ./$(DEPDIR)/TypeValuePair.Plo
+	-rm -f ./$(DEPDIR)/asn_SEQUENCE_OF.Plo
+	-rm -f ./$(DEPDIR)/asn_SET_OF.Plo
+	-rm -f ./$(DEPDIR)/asn_codecs_prim.Plo
+	-rm -f ./$(DEPDIR)/ber_decoder.Plo
+	-rm -f ./$(DEPDIR)/ber_tlv_length.Plo
+	-rm -f ./$(DEPDIR)/ber_tlv_tag.Plo
+	-rm -f ./$(DEPDIR)/constr_CHOICE.Plo
+	-rm -f ./$(DEPDIR)/constr_SEQUENCE.Plo
+	-rm -f ./$(DEPDIR)/constr_SEQUENCE_OF.Plo
+	-rm -f ./$(DEPDIR)/constr_SET_OF.Plo
+	-rm -f ./$(DEPDIR)/constr_TYPE.Plo
+	-rm -f ./$(DEPDIR)/constraints.Plo
+	-rm -f ./$(DEPDIR)/der_encoder.Plo
+	-rm -f ./$(DEPDIR)/per_decoder.Plo
+	-rm -f ./$(DEPDIR)/per_encoder.Plo
+	-rm -f ./$(DEPDIR)/per_opentype.Plo
+	-rm -f ./$(DEPDIR)/per_support.Plo
+	-rm -f ./$(DEPDIR)/xer_decoder.Plo
+	-rm -f ./$(DEPDIR)/xer_encoder.Plo
+	-rm -f ./$(DEPDIR)/xer_support.Plo
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+		-rm -f ./$(DEPDIR)/BIT_STRING.Plo
+	-rm -f ./$(DEPDIR)/GKCurrentKeys.Plo
+	-rm -f ./$(DEPDIR)/GKNewKeys.Plo
+	-rm -f ./$(DEPDIR)/GKReply.Plo
+	-rm -f ./$(DEPDIR)/GetKeytabControl.Plo
+	-rm -f ./$(DEPDIR)/INTEGER.Plo
+	-rm -f ./$(DEPDIR)/Int32.Plo
+	-rm -f ./$(DEPDIR)/KrbKey.Plo
+	-rm -f ./$(DEPDIR)/NativeEnumerated.Plo
+	-rm -f ./$(DEPDIR)/NativeInteger.Plo
+	-rm -f ./$(DEPDIR)/OCTET_STRING.Plo
+	-rm -f ./$(DEPDIR)/TypeValuePair.Plo
+	-rm -f ./$(DEPDIR)/asn_SEQUENCE_OF.Plo
+	-rm -f ./$(DEPDIR)/asn_SET_OF.Plo
+	-rm -f ./$(DEPDIR)/asn_codecs_prim.Plo
+	-rm -f ./$(DEPDIR)/ber_decoder.Plo
+	-rm -f ./$(DEPDIR)/ber_tlv_length.Plo
+	-rm -f ./$(DEPDIR)/ber_tlv_tag.Plo
+	-rm -f ./$(DEPDIR)/constr_CHOICE.Plo
+	-rm -f ./$(DEPDIR)/constr_SEQUENCE.Plo
+	-rm -f ./$(DEPDIR)/constr_SEQUENCE_OF.Plo
+	-rm -f ./$(DEPDIR)/constr_SET_OF.Plo
+	-rm -f ./$(DEPDIR)/constr_TYPE.Plo
+	-rm -f ./$(DEPDIR)/constraints.Plo
+	-rm -f ./$(DEPDIR)/der_encoder.Plo
+	-rm -f ./$(DEPDIR)/per_decoder.Plo
+	-rm -f ./$(DEPDIR)/per_encoder.Plo
+	-rm -f ./$(DEPDIR)/per_opentype.Plo
+	-rm -f ./$(DEPDIR)/per_support.Plo
+	-rm -f ./$(DEPDIR)/xer_decoder.Plo
+	-rm -f ./$(DEPDIR)/xer_encoder.Plo
+	-rm -f ./$(DEPDIR)/xer_support.Plo
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
+	clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags tags-am uninstall uninstall-am
+
+.PRECIOUS: Makefile
+
+
+regenerate:
+	asn1c -fskeletons-copy -fnative-types ipa.asn1
+	$(SED) -i s/_BSD_SOURCE/_DEFAULT_SOURCE/g asn_system.h
+	rm -f converter-sample.c Makefile.am.sample
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
--- a/asn1/asn1c/NativeEnumerated.c
+++ b/asn1/asn1c/NativeEnumerated.c
@ -0,0 +1,207 @@
+/*-
+ * Copyright (c) 2004, 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Read the NativeInteger.h for the explanation wrt. differences between
+ * INTEGER and NativeInteger.
+ * Basically, both are decoders and encoders of ASN.1 INTEGER type, but this
+ * implementation deals with the standard (machine-specific) representation
+ * of them instead of using the platform-independent buffer.
+ */
+#include <asn_internal.h>
+#include <NativeEnumerated.h>
+
+/*
+ * NativeEnumerated basic type description.
+ */
+static const ber_tlv_tag_t asn_DEF_NativeEnumerated_tags[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (10 << 2))
+};
+asn_TYPE_descriptor_t asn_DEF_NativeEnumerated = {
+	"ENUMERATED",			/* The ASN.1 type is still ENUMERATED */
+	"ENUMERATED",
+	NativeInteger_free,
+	NativeInteger_print,
+	asn_generic_no_constraint,
+	NativeInteger_decode_ber,
+	NativeInteger_encode_der,
+	NativeInteger_decode_xer,
+	NativeEnumerated_encode_xer,
+	NativeEnumerated_decode_uper,
+	NativeEnumerated_encode_uper,
+	0, /* Use generic outmost tag fetcher */
+	asn_DEF_NativeEnumerated_tags,
+	sizeof(asn_DEF_NativeEnumerated_tags) / sizeof(asn_DEF_NativeEnumerated_tags[0]),
+	asn_DEF_NativeEnumerated_tags,	/* Same as above */
+	sizeof(asn_DEF_NativeEnumerated_tags) / sizeof(asn_DEF_NativeEnumerated_tags[0]),
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	0	/* No specifics */
+};
+
+asn_enc_rval_t
+NativeEnumerated_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+        int ilevel, enum xer_encoder_flags_e flags,
+                asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+        asn_enc_rval_t er;
+        const long *native = (const long *)sptr;
+	const asn_INTEGER_enum_map_t *el;
+
+        (void)ilevel;
+        (void)flags;
+
+        if(!native) ASN__ENCODE_FAILED;
+
+	el = INTEGER_map_value2enum(specs, *native);
+	if(el) {
+		size_t srcsize = el->enum_len + 5;
+		char *src = (char *)alloca(srcsize);
+
+		er.encoded = snprintf(src, srcsize, "<%s/>", el->enum_name);
+		assert(er.encoded > 0 && (size_t)er.encoded < srcsize);
+		if(cb(src, er.encoded, app_key) < 0) ASN__ENCODE_FAILED;
+		ASN__ENCODED_OK(er);
+	} else {
+		ASN_DEBUG("ASN.1 forbids dealing with "
+			"unknown value of ENUMERATED type");
+		ASN__ENCODE_FAILED;
+	}
+}
+
+asn_dec_rval_t
+NativeEnumerated_decode_uper(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints,
+	void **sptr, asn_per_data_t *pd) {
+	asn_INTEGER_specifics_t *specs = (asn_INTEGER_specifics_t *)td->specifics;
+	asn_dec_rval_t rval = { RC_OK, 0 };
+	long *native = (long *)*sptr;
+	asn_per_constraint_t *ct;
+	long value;
+
+	(void)opt_codec_ctx;
+
+	if(constraints) ct = &constraints->value;
+	else if(td->per_constraints) ct = &td->per_constraints->value;
+	else ASN__DECODE_FAILED;	/* Mandatory! */
+	if(!specs) ASN__DECODE_FAILED;
+
+	if(!native) {
+		native = (long *)(*sptr = CALLOC(1, sizeof(*native)));
+		if(!native) ASN__DECODE_FAILED;
+	}
+
+	ASN_DEBUG("Decoding %s as NativeEnumerated", td->name);
+
+	if(ct->flags & APC_EXTENSIBLE) {
+		int inext = per_get_few_bits(pd, 1);
+		if(inext < 0) ASN__DECODE_STARVED;
+		if(inext) ct = 0;
+	}
+
+	if(ct && ct->range_bits >= 0) {
+		value = per_get_few_bits(pd, ct->range_bits);
+		if(value < 0) ASN__DECODE_STARVED;
+		if(value >= (specs->extension
+			? specs->extension - 1 : specs->map_count))
+			ASN__DECODE_FAILED;
+	} else {
+		if(!specs->extension)
+			ASN__DECODE_FAILED;
+		/*
+		 * X.691, #10.6: normally small non-negative whole number;
+		 */
+		value = uper_get_nsnnwn(pd);
+		if(value < 0) ASN__DECODE_STARVED;
+		value += specs->extension - 1;
+		if(value >= specs->map_count)
+			ASN__DECODE_FAILED;
+	}
+
+	*native = specs->value2enum[value].nat_value;
+	ASN_DEBUG("Decoded %s = %ld", td->name, *native);
+
+	return rval;
+}
+
+static int
+NativeEnumerated__compar_value2enum(const void *ap, const void *bp) {
+	const asn_INTEGER_enum_map_t *a = ap;
+	const asn_INTEGER_enum_map_t *b = bp;
+	if(a->nat_value == b->nat_value)
+		return 0;
+	if(a->nat_value < b->nat_value)
+		return -1;
+	return 1;
+}
+
+asn_enc_rval_t
+NativeEnumerated_encode_uper(asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	asn_INTEGER_specifics_t *specs = (asn_INTEGER_specifics_t *)td->specifics;
+	asn_enc_rval_t er;
+	long native, value;
+	asn_per_constraint_t *ct;
+	int inext = 0;
+	asn_INTEGER_enum_map_t key;
+	const asn_INTEGER_enum_map_t *kf;
+
+	if(!sptr) ASN__ENCODE_FAILED;
+	if(!specs) ASN__ENCODE_FAILED;
+
+	if(constraints) ct = &constraints->value;
+	else if(td->per_constraints) ct = &td->per_constraints->value;
+	else ASN__ENCODE_FAILED;	/* Mandatory! */
+
+	ASN_DEBUG("Encoding %s as NativeEnumerated", td->name);
+
+	er.encoded = 0;
+
+	native = *(long *)sptr;
+	if(native < 0) ASN__ENCODE_FAILED;
+
+	key.nat_value = native;
+	kf = bsearch(&key, specs->value2enum, specs->map_count,
+		sizeof(key), NativeEnumerated__compar_value2enum);
+	if(!kf) {
+		ASN_DEBUG("No element corresponds to %ld", native);
+		ASN__ENCODE_FAILED;
+	}
+	value = kf - specs->value2enum;
+
+	if(ct->range_bits >= 0) {
+		int cmpWith = specs->extension
+				? specs->extension - 1 : specs->map_count;
+		if(value >= cmpWith)
+			inext = 1;
+	}
+	if(ct->flags & APC_EXTENSIBLE) {
+		if(per_put_few_bits(po, inext, 1))
+			ASN__ENCODE_FAILED;
+		if(inext) ct = 0;
+	} else if(inext) {
+		ASN__ENCODE_FAILED;
+	}
+
+	if(ct && ct->range_bits >= 0) {
+		if(per_put_few_bits(po, value, ct->range_bits))
+			ASN__ENCODE_FAILED;
+		ASN__ENCODED_OK(er);
+	}
+
+	if(!specs->extension)
+		ASN__ENCODE_FAILED;
+
+	/*
+	 * X.691, #10.6: normally small non-negative whole number;
+	 */
+	ASN_DEBUG("value = %ld, ext = %d, inext = %d, res = %ld",
+		value, specs->extension, inext,
+		value - (inext ? (specs->extension - 1) : 0));
+	if(uper_put_nsnnwn(po, value - (inext ? (specs->extension - 1) : 0)))
+		ASN__ENCODE_FAILED;
+
+	ASN__ENCODED_OK(er);
+}
+
--- a/asn1/asn1c/NativeEnumerated.h
+++ b/asn1/asn1c/NativeEnumerated.h
@ -0,0 +1,32 @@
+/*-
+ * Copyright (c) 2004, 2005, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * This type differs from the standard ENUMERATED in that it is modelled using
+ * the fixed machine type (long, int, short), so it can hold only values of
+ * limited length. There is no type (i.e., NativeEnumerated_t, any integer type
+ * will do).
+ * This type may be used when integer range is limited by subtype constraints.
+ */
+#ifndef	_NativeEnumerated_H_
+#define	_NativeEnumerated_H_
+
+#include <NativeInteger.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern asn_TYPE_descriptor_t asn_DEF_NativeEnumerated;
+
+xer_type_encoder_f NativeEnumerated_encode_xer;
+per_type_decoder_f NativeEnumerated_decode_uper;
+per_type_encoder_f NativeEnumerated_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _NativeEnumerated_H_ */
--- a/asn1/asn1c/NativeInteger.c
+++ b/asn1/asn1c/NativeInteger.c
@ -0,0 +1,332 @@
+/*-
+ * Copyright (c) 2004, 2005, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Read the NativeInteger.h for the explanation wrt. differences between
+ * INTEGER and NativeInteger.
+ * Basically, both are decoders and encoders of ASN.1 INTEGER type, but this
+ * implementation deals with the standard (machine-specific) representation
+ * of them instead of using the platform-independent buffer.
+ */
+#include <asn_internal.h>
+#include <NativeInteger.h>
+
+/*
+ * NativeInteger basic type description.
+ */
+static const ber_tlv_tag_t asn_DEF_NativeInteger_tags[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (2 << 2))
+};
+asn_TYPE_descriptor_t asn_DEF_NativeInteger = {
+	"INTEGER",			/* The ASN.1 type is still INTEGER */
+	"INTEGER",
+	NativeInteger_free,
+	NativeInteger_print,
+	asn_generic_no_constraint,
+	NativeInteger_decode_ber,
+	NativeInteger_encode_der,
+	NativeInteger_decode_xer,
+	NativeInteger_encode_xer,
+	NativeInteger_decode_uper,	/* Unaligned PER decoder */
+	NativeInteger_encode_uper,	/* Unaligned PER encoder */
+	0, /* Use generic outmost tag fetcher */
+	asn_DEF_NativeInteger_tags,
+	sizeof(asn_DEF_NativeInteger_tags) / sizeof(asn_DEF_NativeInteger_tags[0]),
+	asn_DEF_NativeInteger_tags,	/* Same as above */
+	sizeof(asn_DEF_NativeInteger_tags) / sizeof(asn_DEF_NativeInteger_tags[0]),
+	0,	/* No PER visible constraints */
+	0, 0,	/* No members */
+	0	/* No specifics */
+};
+
+/*
+ * Decode INTEGER type.
+ */
+asn_dec_rval_t
+NativeInteger_decode_ber(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	void **nint_ptr, const void *buf_ptr, size_t size, int tag_mode) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	long *native = (long *)*nint_ptr;
+	asn_dec_rval_t rval;
+	ber_tlv_len_t length;
+
+	/*
+	 * If the structure is not there, allocate it.
+	 */
+	if(native == NULL) {
+		native = (long *)(*nint_ptr = CALLOC(1, sizeof(*native)));
+		if(native == NULL) {
+			rval.code = RC_FAIL;
+			rval.consumed = 0;
+			return rval;
+		}
+	}
+
+	ASN_DEBUG("Decoding %s as INTEGER (tm=%d)",
+		td->name, tag_mode);
+
+	/*
+	 * Check tags.
+	 */
+	rval = ber_check_tags(opt_codec_ctx, td, 0, buf_ptr, size,
+			tag_mode, 0, &length, 0);
+	if(rval.code != RC_OK)
+		return rval;
+
+	ASN_DEBUG("%s length is %d bytes", td->name, (int)length);
+
+	/*
+	 * Make sure we have this length.
+	 */
+	buf_ptr = ((const char *)buf_ptr) + rval.consumed;
+	size -= rval.consumed;
+	if(length > (ber_tlv_len_t)size) {
+		rval.code = RC_WMORE;
+		rval.consumed = 0;
+		return rval;
+	}
+
+	/*
+	 * ASN.1 encoded INTEGER: buf_ptr, length
+	 * Fill the native, at the same time checking for overflow.
+	 * If overflow occured, return with RC_FAIL.
+	 */
+	{
+		INTEGER_t tmp;
+		union {
+			const void *constbuf;
+			void *nonconstbuf;
+		} unconst_buf;
+		long l;
+
+		unconst_buf.constbuf = buf_ptr;
+		tmp.buf = (uint8_t *)unconst_buf.nonconstbuf;
+		tmp.size = length;
+
+		if((specs&&specs->field_unsigned)
+			? asn_INTEGER2ulong(&tmp, (unsigned long *)&l) /* sic */
+			: asn_INTEGER2long(&tmp, &l)) {
+			rval.code = RC_FAIL;
+			rval.consumed = 0;
+			return rval;
+		}
+
+		*native = l;
+	}
+
+	rval.code = RC_OK;
+	rval.consumed += length;
+
+	ASN_DEBUG("Took %ld/%ld bytes to encode %s (%ld)",
+		(long)rval.consumed, (long)length, td->name, (long)*native);
+
+	return rval;
+}
+
+/*
+ * Encode the NativeInteger using the standard INTEGER type DER encoder.
+ */
+asn_enc_rval_t
+NativeInteger_encode_der(asn_TYPE_descriptor_t *sd, void *ptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	unsigned long native = *(unsigned long *)ptr;	/* Disable sign ext. */
+	asn_enc_rval_t erval;
+	INTEGER_t tmp;
+
+#ifdef	WORDS_BIGENDIAN		/* Opportunistic optimization */
+
+	tmp.buf = (uint8_t *)&native;
+	tmp.size = sizeof(native);
+
+#else	/* Works even if WORDS_BIGENDIAN is not set where should've been */
+	uint8_t buf[sizeof(native)];
+	uint8_t *p;
+
+	/* Prepare a fake INTEGER */
+	for(p = buf + sizeof(buf) - 1; p >= buf; p--, native >>= 8)
+		*p = (uint8_t)native;
+
+	tmp.buf = buf;
+	tmp.size = sizeof(buf);
+#endif	/* WORDS_BIGENDIAN */
+	
+	/* Encode fake INTEGER */
+	erval = INTEGER_encode_der(sd, &tmp, tag_mode, tag, cb, app_key);
+	if(erval.encoded == -1) {
+		assert(erval.structure_ptr == &tmp);
+		erval.structure_ptr = ptr;
+	}
+	return erval;
+}
+
+/*
+ * Decode the chunk of XML text encoding INTEGER.
+ */
+asn_dec_rval_t
+NativeInteger_decode_xer(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td, void **sptr, const char *opt_mname,
+		const void *buf_ptr, size_t size) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	asn_dec_rval_t rval;
+	INTEGER_t st;
+	void *st_ptr = (void *)&st;
+	long *native = (long *)*sptr;
+
+	if(!native) {
+		native = (long *)(*sptr = CALLOC(1, sizeof(*native)));
+		if(!native) ASN__DECODE_FAILED;
+	}
+
+	memset(&st, 0, sizeof(st));
+	rval = INTEGER_decode_xer(opt_codec_ctx, td, &st_ptr, 
+		opt_mname, buf_ptr, size);
+	if(rval.code == RC_OK) {
+		long l;
+		if((specs&&specs->field_unsigned)
+			? asn_INTEGER2ulong(&st, (unsigned long *)&l) /* sic */
+			: asn_INTEGER2long(&st, &l)) {
+			rval.code = RC_FAIL;
+			rval.consumed = 0;
+		} else {
+			*native = l;
+		}
+	} else {
+		/*
+		 * Cannot restart from the middle;
+		 * there is no place to save state in the native type.
+		 * Request a continuation from the very beginning.
+		 */
+		rval.consumed = 0;
+	}
+	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_INTEGER, &st);
+	return rval;
+}
+
+
+asn_enc_rval_t
+NativeInteger_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	char scratch[32];	/* Enough for 64-bit int */
+	asn_enc_rval_t er;
+	const long *native = (const long *)sptr;
+
+	(void)ilevel;
+	(void)flags;
+
+	if(!native) ASN__ENCODE_FAILED;
+
+	er.encoded = snprintf(scratch, sizeof(scratch),
+			(specs && specs->field_unsigned)
+			? "%lu" : "%ld", *native);
+	if(er.encoded <= 0 || (size_t)er.encoded >= sizeof(scratch)
+		|| cb(scratch, er.encoded, app_key) < 0)
+		ASN__ENCODE_FAILED;
+
+	ASN__ENCODED_OK(er);
+}
+
+asn_dec_rval_t
+NativeInteger_decode_uper(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	asn_dec_rval_t rval;
+	long *native = (long *)*sptr;
+	INTEGER_t tmpint;
+	void *tmpintptr = &tmpint;
+
+	(void)opt_codec_ctx;
+	ASN_DEBUG("Decoding NativeInteger %s (UPER)", td->name);
+
+	if(!native) {
+		native = (long *)(*sptr = CALLOC(1, sizeof(*native)));
+		if(!native) ASN__DECODE_FAILED;
+	}
+
+	memset(&tmpint, 0, sizeof tmpint);
+	rval = INTEGER_decode_uper(opt_codec_ctx, td, constraints,
+				   &tmpintptr, pd);
+	if(rval.code == RC_OK) {
+		if((specs&&specs->field_unsigned)
+			? asn_INTEGER2ulong(&tmpint, (unsigned long *)native)
+			: asn_INTEGER2long(&tmpint, native))
+			rval.code = RC_FAIL;
+		else
+			ASN_DEBUG("NativeInteger %s got value %ld",
+				td->name, *native);
+	}
+	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_INTEGER, &tmpint);
+
+	return rval;
+}
+
+asn_enc_rval_t
+NativeInteger_encode_uper(asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	asn_enc_rval_t er;
+	long native;
+	INTEGER_t tmpint;
+
+	if(!sptr) ASN__ENCODE_FAILED;
+
+	native = *(long *)sptr;
+
+	ASN_DEBUG("Encoding NativeInteger %s %ld (UPER)", td->name, native);
+
+	memset(&tmpint, 0, sizeof(tmpint));
+	if((specs&&specs->field_unsigned)
+		? asn_ulong2INTEGER(&tmpint, native)
+		: asn_long2INTEGER(&tmpint, native))
+		ASN__ENCODE_FAILED;
+	er = INTEGER_encode_uper(td, constraints, &tmpint, po);
+	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_INTEGER, &tmpint);
+	return er;
+}
+
+/*
+ * INTEGER specific human-readable output.
+ */
+int
+NativeInteger_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_INTEGER_specifics_t *specs=(asn_INTEGER_specifics_t *)td->specifics;
+	const long *native = (const long *)sptr;
+	char scratch[32];	/* Enough for 64-bit int */
+	int ret;
+
+	(void)td;	/* Unused argument */
+	(void)ilevel;	/* Unused argument */
+
+	if(native) {
+		ret = snprintf(scratch, sizeof(scratch),
+			(specs && specs->field_unsigned)
+			? "%lu" : "%ld", *native);
+		assert(ret > 0 && (size_t)ret < sizeof(scratch));
+		return (cb(scratch, ret, app_key) < 0) ? -1 : 0;
+	} else {
+		return (cb("<absent>", 8, app_key) < 0) ? -1 : 0;
+	}
+}
+
+void
+NativeInteger_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) {
+
+	if(!td || !ptr)
+		return;
+
+	ASN_DEBUG("Freeing %s as INTEGER (%d, %p, Native)",
+		td->name, contents_only, ptr);
+
+	if(!contents_only) {
+		FREEMEM(ptr);
+	}
+}
+
--- a/asn1/asn1c/NativeInteger.h
+++ b/asn1/asn1c/NativeInteger.h
@ -0,0 +1,37 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * This type differs from the standard INTEGER in that it is modelled using
+ * the fixed machine type (long, int, short), so it can hold only values of
+ * limited length. There is no type (i.e., NativeInteger_t, any integer type
+ * will do).
+ * This type may be used when integer range is limited by subtype constraints.
+ */
+#ifndef	_NativeInteger_H_
+#define	_NativeInteger_H_
+
+#include <asn_application.h>
+#include <INTEGER.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern asn_TYPE_descriptor_t asn_DEF_NativeInteger;
+
+asn_struct_free_f  NativeInteger_free;
+asn_struct_print_f NativeInteger_print;
+ber_type_decoder_f NativeInteger_decode_ber;
+der_type_encoder_f NativeInteger_encode_der;
+xer_type_decoder_f NativeInteger_decode_xer;
+xer_type_encoder_f NativeInteger_encode_xer;
+per_type_decoder_f NativeInteger_decode_uper;
+per_type_encoder_f NativeInteger_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _NativeInteger_H_ */
--- a/asn1/asn1c/OCTET_STRING.c
+++ b/asn1/asn1c/OCTET_STRING.c
--- a/asn1/asn1c/OCTET_STRING.h
+++ b/asn1/asn1c/OCTET_STRING.h
@ -0,0 +1,86 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_OCTET_STRING_H_
+#define	_OCTET_STRING_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct OCTET_STRING {
+	uint8_t *buf;	/* Buffer with consecutive OCTET_STRING bits */
+	int size;	/* Size of the buffer */
+
+	asn_struct_ctx_t _asn_ctx;	/* Parsing across buffer boundaries */
+} OCTET_STRING_t;
+
+extern asn_TYPE_descriptor_t asn_DEF_OCTET_STRING;
+
+asn_struct_free_f OCTET_STRING_free;
+asn_struct_print_f OCTET_STRING_print;
+asn_struct_print_f OCTET_STRING_print_utf8;
+ber_type_decoder_f OCTET_STRING_decode_ber;
+der_type_encoder_f OCTET_STRING_encode_der;
+xer_type_decoder_f OCTET_STRING_decode_xer_hex;		/* Hexadecimal */
+xer_type_decoder_f OCTET_STRING_decode_xer_binary;	/* 01010111010 */
+xer_type_decoder_f OCTET_STRING_decode_xer_utf8;	/* ASCII/UTF-8 */
+xer_type_encoder_f OCTET_STRING_encode_xer;
+xer_type_encoder_f OCTET_STRING_encode_xer_utf8;
+per_type_decoder_f OCTET_STRING_decode_uper;
+per_type_encoder_f OCTET_STRING_encode_uper;
+
+/******************************
+ * Handy conversion routines. *
+ ******************************/
+
+/*
+ * This function clears the previous value of the OCTET STRING (if any)
+ * and then allocates a new memory with the specified content (str/size).
+ * If size = -1, the size of the original string will be determined
+ * using strlen(str).
+ * If str equals to NULL, the function will silently clear the
+ * current contents of the OCTET STRING.
+ * Returns 0 if it was possible to perform operation, -1 otherwise.
+ */
+int OCTET_STRING_fromBuf(OCTET_STRING_t *s, const char *str, int size);
+
+/* Handy conversion from the C string into the OCTET STRING. */
+#define	OCTET_STRING_fromString(s, str)	OCTET_STRING_fromBuf(s, str, -1)
+
+/*
+ * Allocate and fill the new OCTET STRING and return a pointer to the newly
+ * allocated object. NULL is permitted in str: the function will just allocate
+ * empty OCTET STRING.
+ */
+OCTET_STRING_t *OCTET_STRING_new_fromBuf(asn_TYPE_descriptor_t *td,
+	const char *str, int size);
+
+/****************************
+ * Internally useful stuff. *
+ ****************************/
+
+typedef const struct asn_OCTET_STRING_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the structure */
+	int ctx_offset;		/* Offset of the asn_struct_ctx_t member */
+
+	enum asn_OS_Subvariant {
+		ASN_OSUBV_ANY,	/* The open type (ANY) */
+		ASN_OSUBV_BIT,	/* BIT STRING */
+		ASN_OSUBV_STR,	/* String types, not {BMP,Universal}String  */
+		ASN_OSUBV_U16,	/* 16-bit character (BMPString) */
+		ASN_OSUBV_U32	/* 32-bit character (UniversalString) */
+	} subvariant;
+} asn_OCTET_STRING_specifics_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _OCTET_STRING_H_ */
--- a/asn1/asn1c/TypeValuePair.c
+++ b/asn1/asn1c/TypeValuePair.c
@ -0,0 +1,69 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#include "TypeValuePair.h"
+
+static asn_TYPE_member_t asn_MBR_TypeValuePair_1[] = {
+	{ ATF_NOFLAGS, 0, offsetof(struct TypeValuePair, type),
+		(ASN_TAG_CLASS_CONTEXT | (0 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_Int32,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"type"
+		},
+	{ ATF_NOFLAGS, 0, offsetof(struct TypeValuePair, value),
+		(ASN_TAG_CLASS_CONTEXT | (1 << 2)),
+		+1,	/* EXPLICIT tag at current level */
+		&asn_DEF_OCTET_STRING,
+		0,	/* Defer constraints checking to the member type */
+		0,	/* PER is not compiled, use -gen-PER */
+		0,
+		"value"
+		},
+};
+static const ber_tlv_tag_t asn_DEF_TypeValuePair_tags_1[] = {
+	(ASN_TAG_CLASS_UNIVERSAL | (16 << 2))
+};
+static const asn_TYPE_tag2member_t asn_MAP_TypeValuePair_tag2el_1[] = {
+    { (ASN_TAG_CLASS_CONTEXT | (0 << 2)), 0, 0, 0 }, /* type */
+    { (ASN_TAG_CLASS_CONTEXT | (1 << 2)), 1, 0, 0 } /* value */
+};
+static asn_SEQUENCE_specifics_t asn_SPC_TypeValuePair_specs_1 = {
+	sizeof(struct TypeValuePair),
+	offsetof(struct TypeValuePair, _asn_ctx),
+	asn_MAP_TypeValuePair_tag2el_1,
+	2,	/* Count of tags in the map */
+	0, 0, 0,	/* Optional elements (not needed) */
+	-1,	/* Start extensions */
+	-1	/* Stop extensions */
+};
+asn_TYPE_descriptor_t asn_DEF_TypeValuePair = {
+	"TypeValuePair",
+	"TypeValuePair",
+	SEQUENCE_free,
+	SEQUENCE_print,
+	SEQUENCE_constraint,
+	SEQUENCE_decode_ber,
+	SEQUENCE_encode_der,
+	SEQUENCE_decode_xer,
+	SEQUENCE_encode_xer,
+	0, 0,	/* No PER support, use "-gen-PER" to enable */
+	0,	/* Use generic outmost tag fetcher */
+	asn_DEF_TypeValuePair_tags_1,
+	sizeof(asn_DEF_TypeValuePair_tags_1)
+		/sizeof(asn_DEF_TypeValuePair_tags_1[0]), /* 1 */
+	asn_DEF_TypeValuePair_tags_1,	/* Same as above */
+	sizeof(asn_DEF_TypeValuePair_tags_1)
+		/sizeof(asn_DEF_TypeValuePair_tags_1[0]), /* 1 */
+	0,	/* No PER visible constraints */
+	asn_MBR_TypeValuePair_1,
+	2,	/* Elements count */
+	&asn_SPC_TypeValuePair_specs_1	/* Additional specs */
+};
+
--- a/asn1/asn1c/TypeValuePair.h
+++ b/asn1/asn1c/TypeValuePair.h
@ -0,0 +1,40 @@
+/*
+ * Generated by asn1c-0.9.28 (http://lionet.info/asn1c)
+ * From ASN.1 module "KeytabModule"
+ * 	found in "ipa.asn1"
+ * 	`asn1c -fskeletons-copy -fnative-types`
+ */
+
+#ifndef	_TypeValuePair_H_
+#define	_TypeValuePair_H_
+
+
+#include <asn_application.h>
+
+/* Including external dependencies */
+#include "Int32.h"
+#include <OCTET_STRING.h>
+#include <constr_SEQUENCE.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* TypeValuePair */
+typedef struct TypeValuePair {
+	Int32_t	 type;
+	OCTET_STRING_t	 value;
+	
+	/* Context for parsing across buffer boundaries */
+	asn_struct_ctx_t _asn_ctx;
+} TypeValuePair_t;
+
+/* Implementation */
+extern asn_TYPE_descriptor_t asn_DEF_TypeValuePair;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _TypeValuePair_H_ */
+#include <asn_internal.h>
--- a/asn1/asn1c/asn_SEQUENCE_OF.c
+++ b/asn1/asn1c/asn_SEQUENCE_OF.c
@ -0,0 +1,41 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <asn_SEQUENCE_OF.h>
+
+typedef A_SEQUENCE_OF(void) asn_sequence;
+
+void
+asn_sequence_del(void *asn_sequence_of_x, int number, int _do_free) {
+	asn_sequence *as = (asn_sequence *)asn_sequence_of_x;
+
+	if(as) {
+		void *ptr;
+		int n;
+
+		if(number < 0 || number >= as->count)
+			return;	/* Nothing to delete */
+
+		if(_do_free && as->free) {
+			ptr = as->array[number];
+		} else {
+			ptr = 0;
+		}
+
+		/*
+		 * Shift all elements to the left to hide the gap.
+		 */
+		--as->count;
+		for(n = number; n < as->count; n++)
+			as->array[n] = as->array[n+1];
+
+		/*
+		 * Invoke the third-party function only when the state
+		 * of the parent structure is consistent.
+		 */
+		if(ptr) as->free(ptr);
+	}
+}
+
--- a/asn1/asn1c/asn_SEQUENCE_OF.h
+++ b/asn1/asn1c/asn_SEQUENCE_OF.h
@ -0,0 +1,52 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN_SEQUENCE_OF_H
+#define	ASN_SEQUENCE_OF_H
+
+#include <asn_SET_OF.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * SEQUENCE OF is the same as SET OF with a tiny difference:
+ * the delete operation preserves the initial order of elements
+ * and thus MAY operate in non-constant time.
+ */
+#define	A_SEQUENCE_OF(type)	A_SET_OF(type)
+
+#define	ASN_SEQUENCE_ADD(headptr, ptr)		\
+	asn_sequence_add((headptr), (ptr))
+
+/***********************************************
+ * Implementation of the SEQUENCE OF structure.
+ */
+
+#define	asn_sequence_add	asn_set_add
+#define	asn_sequence_empty	asn_set_empty
+
+/*
+ * Delete the element from the set by its number (base 0).
+ * This is NOT a constant-time operation.
+ * The order of elements is preserved.
+ * If _do_free is given AND the (*free) is initialized, the element
+ * will be freed using the custom (*free) function as well.
+ */
+void asn_sequence_del(void *asn_sequence_of_x, int number, int _do_free);
+
+/*
+ * Cope with different conversions requirements to/from void in C and C++.
+ * This is mostly useful for support library.
+ */
+typedef A_SEQUENCE_OF(void) asn_anonymous_sequence_;
+#define _A_SEQUENCE_FROM_VOID(ptr)	((asn_anonymous_sequence_ *)(ptr))
+#define _A_CSEQUENCE_FROM_VOID(ptr) 	((const asn_anonymous_sequence_ *)(ptr))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN_SEQUENCE_OF_H */
--- a/asn1/asn1c/asn_SET_OF.c
+++ b/asn1/asn1c/asn_SET_OF.c
@ -0,0 +1,88 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <asn_SET_OF.h>
+#include <errno.h>
+
+/*
+ * Add another element into the set.
+ */
+int
+asn_set_add(void *asn_set_of_x, void *ptr) {
+	asn_anonymous_set_ *as = _A_SET_FROM_VOID(asn_set_of_x);
+
+	if(as == 0 || ptr == 0) {
+		errno = EINVAL;		/* Invalid arguments */
+		return -1;
+	}
+
+	/*
+	 * Make sure there's enough space to insert an element.
+	 */
+	if(as->count == as->size) {
+		int _newsize = as->size ? (as->size << 1) : 4;
+		void *_new_arr;
+		_new_arr = REALLOC(as->array, _newsize * sizeof(as->array[0]));
+		if(_new_arr) {
+			as->array = (void **)_new_arr;
+			as->size = _newsize;
+		} else {
+			/* ENOMEM */
+			return -1;
+		}
+	}
+
+	as->array[as->count++] = ptr;
+
+	return 0;
+}
+
+void
+asn_set_del(void *asn_set_of_x, int number, int _do_free) {
+	asn_anonymous_set_ *as = _A_SET_FROM_VOID(asn_set_of_x);
+
+	if(as) {
+		void *ptr;
+		if(number < 0 || number >= as->count)
+			return;
+
+		if(_do_free && as->free) {
+			ptr = as->array[number];
+		} else {
+			ptr = 0;
+		}
+
+		as->array[number] = as->array[--as->count];
+
+		/*
+		 * Invoke the third-party function only when the state
+		 * of the parent structure is consistent.
+		 */
+		if(ptr) as->free(ptr);
+	}
+}
+
+/*
+ * Free the contents of the set, do not free the set itself.
+ */
+void
+asn_set_empty(void *asn_set_of_x) {
+	asn_anonymous_set_ *as = _A_SET_FROM_VOID(asn_set_of_x);
+
+	if(as) {
+		if(as->array) {
+			if(as->free) {
+				while(as->count--)
+					as->free(as->array[as->count]);
+			}
+			FREEMEM(as->array);
+			as->array = 0;
+		}
+		as->count = 0;
+		as->size = 0;
+	}
+
+}
+
--- a/asn1/asn1c/asn_SET_OF.h
+++ b/asn1/asn1c/asn_SET_OF.h
@ -0,0 +1,62 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN_SET_OF_H
+#define	ASN_SET_OF_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define	A_SET_OF(type)					\
+	struct {					\
+		type **array;				\
+		int count;	/* Meaningful size */	\
+		int size;	/* Allocated size */	\
+		void (*free)(type *);			\
+	}
+
+#define	ASN_SET_ADD(headptr, ptr)		\
+	asn_set_add((headptr), (ptr))
+
+/*******************************************
+ * Implementation of the SET OF structure.
+ */
+
+/*
+ * Add another structure into the set by its pointer.
+ * RETURN VALUES:
+ * 0 for success and -1/errno for failure.
+ */
+int  asn_set_add(void *asn_set_of_x, void *ptr);
+
+/*
+ * Delete the element from the set by its number (base 0).
+ * This is a constant-time operation. The order of elements before the
+ * deleted ones is guaranteed, the order of elements after the deleted
+ * one is NOT guaranteed.
+ * If _do_free is given AND the (*free) is initialized, the element
+ * will be freed using the custom (*free) function as well.
+ */
+void asn_set_del(void *asn_set_of_x, int number, int _do_free);
+
+/*
+ * Empty the contents of the set. Will free the elements, if (*free) is given.
+ * Will NOT free the set itself.
+ */
+void asn_set_empty(void *asn_set_of_x);
+
+/*
+ * Cope with different conversions requirements to/from void in C and C++.
+ * This is mostly useful for support library.
+ */
+typedef A_SET_OF(void) asn_anonymous_set_;
+#define _A_SET_FROM_VOID(ptr)		((asn_anonymous_set_ *)(ptr))
+#define _A_CSET_FROM_VOID(ptr)		((const asn_anonymous_set_ *)(ptr))
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN_SET_OF_H */
--- a/asn1/asn1c/asn_application.h
+++ b/asn1/asn1c/asn_application.h
@ -0,0 +1,47 @@
+/*-
+ * Copyright (c) 2004, 2006 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Application-level ASN.1 callbacks.
+ */
+#ifndef	ASN_APPLICATION_H
+#define	ASN_APPLICATION_H
+
+#include "asn_system.h"		/* for platform-dependent types */
+#include "asn_codecs.h"		/* for ASN.1 codecs specifics */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Generic type of an application-defined callback to return various
+ * types of data to the application.
+ * EXPECTED RETURN VALUES:
+ *  -1: Failed to consume bytes. Abort the mission.
+ * Non-negative return values indicate success, and ignored.
+ */
+typedef int (asn_app_consume_bytes_f)(const void *buffer, size_t size,
+	void *application_specific_key);
+
+/*
+ * A callback of this type is called whenever constraint validation fails
+ * on some ASN.1 type. See "constraints.h" for more details on constraint
+ * validation.
+ * This callback specifies a descriptor of the ASN.1 type which failed
+ * the constraint check, as well as human readable message on what
+ * particular constraint has failed.
+ */
+typedef void (asn_app_constraint_failed_f)(void *application_specific_key,
+	struct asn_TYPE_descriptor_s *type_descriptor_which_failed,
+	const void *structure_which_failed_ptr,
+	const char *error_message_format, ...) GCC_PRINTFLIKE(4, 5);
+
+#ifdef __cplusplus
+}
+#endif
+
+#include "constr_TYPE.h"	/* for asn_TYPE_descriptor_t */
+
+#endif	/* ASN_APPLICATION_H */
--- a/asn1/asn1c/asn_codecs.h
+++ b/asn1/asn1c/asn_codecs.h
@ -0,0 +1,109 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN_CODECS_H
+#define	ASN_CODECS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * This structure defines a set of parameters that may be passed
+ * to every ASN.1 encoder or decoder function.
+ * WARNING: if max_stack_size member is set, and you are calling the
+ *   function pointers of the asn_TYPE_descriptor_t directly,
+ *   this structure must be ALLOCATED ON THE STACK!
+ *   If you can't always satisfy this requirement, use ber_decode(),
+ *   xer_decode() and uper_decode() functions instead.
+ */
+typedef struct asn_codec_ctx_s {
+	/*
+	 * Limit the decoder routines to use no (much) more stack than a given
+	 * number of bytes. Most of decoders are stack-based, and this
+	 * would protect against stack overflows if the number of nested
+	 * encodings is high.
+	 * The OCTET STRING, BIT STRING and ANY BER decoders are heap-based,
+	 * and are safe from this kind of overflow.
+	 * A value from getrlimit(RLIMIT_STACK) may be used to initialize
+	 * this variable. Be careful in multithreaded environments, as the
+	 * stack size is rather limited.
+	 */
+	size_t  max_stack_size; /* 0 disables stack bounds checking */
+} asn_codec_ctx_t;
+
+/*
+ * Type of the return value of the encoding functions (der_encode, xer_encode).
+ */
+typedef struct asn_enc_rval_s {
+	/*
+	 * Number of bytes encoded.
+	 * -1 indicates failure to encode the structure.
+	 * In this case, the members below this one are meaningful.
+	 */
+	ssize_t encoded;
+
+	/*
+	 * Members meaningful when (encoded == -1), for post mortem analysis.
+	 */
+
+	/* Type which cannot be encoded */
+	struct asn_TYPE_descriptor_s *failed_type;
+
+	/* Pointer to the structure of that type */
+	void *structure_ptr;
+} asn_enc_rval_t;
+#define	ASN__ENCODE_FAILED do {					\
+	asn_enc_rval_t tmp_error;				\
+	tmp_error.encoded = -1;					\
+	tmp_error.failed_type = td;				\
+	tmp_error.structure_ptr = sptr;				\
+	ASN_DEBUG("Failed to encode element %s", td ? td->name : "");	\
+	return tmp_error;					\
+} while(0)
+#define	ASN__ENCODED_OK(rval) do {				\
+	rval.structure_ptr = 0;					\
+	rval.failed_type = 0;					\
+	return rval;						\
+} while(0)
+
+/*
+ * Type of the return value of the decoding functions (ber_decode, xer_decode)
+ * 
+ * Please note that the number of consumed bytes is ALWAYS meaningful,
+ * even if code==RC_FAIL. This is to indicate the number of successfully
+ * decoded bytes, hence providing a possibility to fail with more diagnostics
+ * (i.e., print the offending remainder of the buffer).
+ */
+enum asn_dec_rval_code_e {
+	RC_OK,		/* Decoded successfully */
+	RC_WMORE,	/* More data expected, call again */
+	RC_FAIL		/* Failure to decode data */
+};
+typedef struct asn_dec_rval_s {
+	enum asn_dec_rval_code_e code;	/* Result code */
+	size_t consumed;		/* Number of bytes consumed */
+} asn_dec_rval_t;
+#define	ASN__DECODE_FAILED do {					\
+	asn_dec_rval_t tmp_error;				\
+	tmp_error.code = RC_FAIL;				\
+	tmp_error.consumed = 0;					\
+	ASN_DEBUG("Failed to decode element %s", td ? td->name : "");	\
+	return tmp_error;					\
+} while(0)
+#define	ASN__DECODE_STARVED do {				\
+	asn_dec_rval_t tmp_error;				\
+	tmp_error.code = RC_WMORE;				\
+	tmp_error.consumed = 0;					\
+	return tmp_error;					\
+} while(0)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN_CODECS_H */
--- a/asn1/asn1c/asn_codecs_prim.c
+++ b/asn1/asn1c/asn_codecs_prim.c
@ -0,0 +1,312 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <asn_codecs_prim.h>
+#include <errno.h>
+
+/*
+ * Decode an always-primitive type.
+ */
+asn_dec_rval_t
+ber_decode_primitive(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	void **sptr, const void *buf_ptr, size_t size, int tag_mode) {
+	ASN__PRIMITIVE_TYPE_t *st = (ASN__PRIMITIVE_TYPE_t *)*sptr;
+	asn_dec_rval_t rval;
+	ber_tlv_len_t length = 0; /* =0 to avoid [incorrect] warning. */
+
+	/*
+	 * If the structure is not there, allocate it.
+	 */
+	if(st == NULL) {
+		st = (ASN__PRIMITIVE_TYPE_t *)CALLOC(1, sizeof(*st));
+		if(st == NULL) ASN__DECODE_FAILED;
+		*sptr = (void *)st;
+	}
+
+	ASN_DEBUG("Decoding %s as plain primitive (tm=%d)",
+		td->name, tag_mode);
+
+	/*
+	 * Check tags and extract value length.
+	 */
+	rval = ber_check_tags(opt_codec_ctx, td, 0, buf_ptr, size,
+			tag_mode, 0, &length, 0);
+	if(rval.code != RC_OK)
+		return rval;
+
+	ASN_DEBUG("%s length is %d bytes", td->name, (int)length);
+
+	/*
+	 * Make sure we have this length.
+	 */
+	buf_ptr = ((const char *)buf_ptr) + rval.consumed;
+	size -= rval.consumed;
+	if(length > (ber_tlv_len_t)size) {
+		rval.code = RC_WMORE;
+		rval.consumed = 0;
+		return rval;
+	}
+
+	st->size = (int)length;
+	/* The following better be optimized away. */
+	if(sizeof(st->size) != sizeof(length)
+			&& (ber_tlv_len_t)st->size != length) {
+		st->size = 0;
+		ASN__DECODE_FAILED;
+	}
+
+	st->buf = (uint8_t *)MALLOC(length + 1);
+	if(!st->buf) {
+		st->size = 0;
+		ASN__DECODE_FAILED;
+	}
+
+	memcpy(st->buf, buf_ptr, length);
+	st->buf[length] = '\0';		/* Just in case */
+
+	rval.code = RC_OK;
+	rval.consumed += length;
+
+	ASN_DEBUG("Took %ld/%ld bytes to encode %s",
+		(long)rval.consumed,
+		(long)length, td->name);
+
+	return rval;
+}
+
+/*
+ * Encode an always-primitive type using DER.
+ */
+asn_enc_rval_t
+der_encode_primitive(asn_TYPE_descriptor_t *td, void *sptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t erval;
+	ASN__PRIMITIVE_TYPE_t *st = (ASN__PRIMITIVE_TYPE_t *)sptr;
+
+	ASN_DEBUG("%s %s as a primitive type (tm=%d)",
+		cb?"Encoding":"Estimating", td->name, tag_mode);
+
+	erval.encoded = der_write_tags(td, st->size, tag_mode, 0, tag,
+		cb, app_key);
+	ASN_DEBUG("%s wrote tags %d", td->name, (int)erval.encoded);
+	if(erval.encoded == -1) {
+		erval.failed_type = td;
+		erval.structure_ptr = sptr;
+		return erval;
+	}
+
+	if(cb && st->buf) {
+		if(cb(st->buf, st->size, app_key) < 0) {
+			erval.encoded = -1;
+			erval.failed_type = td;
+			erval.structure_ptr = sptr;
+			return erval;
+		}
+	} else {
+		assert(st->buf || st->size == 0);
+	}
+
+	erval.encoded += st->size;
+	ASN__ENCODED_OK(erval);
+}
+
+void
+ASN__PRIMITIVE_TYPE_free(asn_TYPE_descriptor_t *td, void *sptr,
+		int contents_only) {
+	ASN__PRIMITIVE_TYPE_t *st = (ASN__PRIMITIVE_TYPE_t *)sptr;
+
+	if(!td || !sptr)
+		return;
+
+	ASN_DEBUG("Freeing %s as a primitive type", td->name);
+
+	if(st->buf)
+		FREEMEM(st->buf);
+
+	if(!contents_only)
+		FREEMEM(st);
+}
+
+
+/*
+ * Local internal type passed around as an argument.
+ */
+struct xdp_arg_s {
+	asn_TYPE_descriptor_t *type_descriptor;
+	void *struct_key;
+	xer_primitive_body_decoder_f *prim_body_decoder;
+	int decoded_something;
+	int want_more;
+};
+
+/*
+ * Since some kinds of primitive values can be encoded using value-specific
+ * tags (<MINUS-INFINITY>, <enum-element>, etc), the primitive decoder must
+ * be supplied with such tags to parse them as needed.
+ */
+static int
+xer_decode__unexpected_tag(void *key, const void *chunk_buf, size_t chunk_size) {
+	struct xdp_arg_s *arg = (struct xdp_arg_s *)key;
+	enum xer_pbd_rval bret;
+
+	/*
+	 * The chunk_buf is guaranteed to start at '<'.
+	 */
+	assert(chunk_size && ((const char *)chunk_buf)[0] == 0x3c);
+
+	/*
+	 * Decoding was performed once already. Prohibit doing it again.
+	 */
+	if(arg->decoded_something)
+		return -1;
+
+	bret = arg->prim_body_decoder(arg->type_descriptor,
+		arg->struct_key, chunk_buf, chunk_size);
+	switch(bret) {
+	case XPBD_SYSTEM_FAILURE:
+	case XPBD_DECODER_LIMIT:
+	case XPBD_BROKEN_ENCODING:
+		break;
+	case XPBD_BODY_CONSUMED:
+		/* Tag decoded successfully */
+		arg->decoded_something = 1;
+		/* Fall through */
+	case XPBD_NOT_BODY_IGNORE:	/* Safe to proceed further */
+		return 0;
+	}
+
+	return -1;
+}
+
+static ssize_t
+xer_decode__primitive_body(void *key, const void *chunk_buf, size_t chunk_size, int have_more) {
+	struct xdp_arg_s *arg = (struct xdp_arg_s *)key;
+	enum xer_pbd_rval bret;
+	size_t lead_wsp_size;
+
+	if(arg->decoded_something) {
+		if(xer_whitespace_span(chunk_buf, chunk_size) == chunk_size) {
+			/*
+			 * Example:
+			 * "<INTEGER>123<!--/--> </INTEGER>"
+			 *                      ^- chunk_buf position.
+			 */
+			return chunk_size;
+		}
+		/*
+		 * Decoding was done once already. Prohibit doing it again.
+		 */
+		return -1;
+	}
+
+	if(!have_more) {
+		/*
+		 * If we've received something like "1", we can't really
+		 * tell whether it is really `1` or `123`, until we know
+		 * that there is no more data coming.
+		 * The have_more argument will be set to 1 once something
+		 * like this is available to the caller of this callback:
+		 * "1<tag_start..."
+		 */
+		arg->want_more = 1;
+		return -1;
+	}
+
+	lead_wsp_size = xer_whitespace_span(chunk_buf, chunk_size);
+	chunk_buf = (const char *)chunk_buf + lead_wsp_size;
+	chunk_size -= lead_wsp_size;
+
+	bret = arg->prim_body_decoder(arg->type_descriptor,
+		arg->struct_key, chunk_buf, chunk_size);
+	switch(bret) {
+	case XPBD_SYSTEM_FAILURE:
+	case XPBD_DECODER_LIMIT:
+	case XPBD_BROKEN_ENCODING:
+		break;
+	case XPBD_BODY_CONSUMED:
+		/* Tag decoded successfully */
+		arg->decoded_something = 1;
+		/* Fall through */
+	case XPBD_NOT_BODY_IGNORE:	/* Safe to proceed further */
+		return lead_wsp_size + chunk_size;
+	}
+
+	return -1;
+}
+
+
+asn_dec_rval_t
+xer_decode_primitive(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *td,
+	void **sptr,
+	size_t struct_size,
+	const char *opt_mname,
+	const void *buf_ptr, size_t size,
+	xer_primitive_body_decoder_f *prim_body_decoder
+) {
+	const char *xml_tag = opt_mname ? opt_mname : td->xml_tag;
+	asn_struct_ctx_t s_ctx;
+	struct xdp_arg_s s_arg;
+	asn_dec_rval_t rc;
+
+	/*
+	 * Create the structure if does not exist.
+	 */
+	if(!*sptr) {
+		*sptr = CALLOC(1, struct_size);
+		if(!*sptr) ASN__DECODE_FAILED;
+	}
+
+	memset(&s_ctx, 0, sizeof(s_ctx));
+	s_arg.type_descriptor = td;
+	s_arg.struct_key = *sptr;
+	s_arg.prim_body_decoder = prim_body_decoder;
+	s_arg.decoded_something = 0;
+	s_arg.want_more = 0;
+
+	rc = xer_decode_general(opt_codec_ctx, &s_ctx, &s_arg,
+		xml_tag, buf_ptr, size,
+		xer_decode__unexpected_tag, xer_decode__primitive_body);
+	switch(rc.code) {
+	case RC_OK:
+		if(!s_arg.decoded_something) {
+			char ch;
+			ASN_DEBUG("Primitive body is not recognized, "
+				"supplying empty one");
+			/*
+			 * Decoding opportunity has come and gone.
+			 * Where's the result?
+			 * Try to feed with empty body, see if it eats it.
+			 */
+			if(prim_body_decoder(s_arg.type_descriptor,
+				s_arg.struct_key, &ch, 0)
+					!= XPBD_BODY_CONSUMED) {
+				/*
+				 * This decoder does not like empty stuff.
+				 */
+				ASN__DECODE_FAILED;
+			}
+		}
+		break;
+	case RC_WMORE:
+		/*
+		 * Redo the whole thing later.
+		 * We don't have a context to save intermediate parsing state.
+		 */
+		rc.consumed = 0;
+		break;
+	case RC_FAIL:
+		rc.consumed = 0;
+		if(s_arg.want_more)
+			rc.code = RC_WMORE;
+		else
+			ASN__DECODE_FAILED;
+		break;
+	}
+	return rc;
+}
+
--- a/asn1/asn1c/asn_codecs_prim.h
+++ b/asn1/asn1c/asn_codecs_prim.h
@ -0,0 +1,53 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN_CODECS_PRIM_H
+#define	ASN_CODECS_PRIM_H
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct ASN__PRIMITIVE_TYPE_s {
+	uint8_t *buf;	/* Buffer with consecutive primitive encoding bytes */
+	int size;	/* Size of the buffer */
+} ASN__PRIMITIVE_TYPE_t;	/* Do not use this type directly! */
+
+asn_struct_free_f ASN__PRIMITIVE_TYPE_free;
+ber_type_decoder_f ber_decode_primitive;
+der_type_encoder_f der_encode_primitive;
+
+/*
+ * A callback specification for the xer_decode_primitive() function below.
+ */
+enum xer_pbd_rval {
+	XPBD_SYSTEM_FAILURE,	/* System failure (memory shortage, etc) */
+	XPBD_DECODER_LIMIT,	/* Hit some decoder limitation or deficiency */
+	XPBD_BROKEN_ENCODING,	/* Encoding of a primitive body is broken */
+	XPBD_NOT_BODY_IGNORE,	/* Not a body format, but safe to ignore */
+	XPBD_BODY_CONSUMED	/* Body is recognized and consumed */
+};
+typedef enum xer_pbd_rval (xer_primitive_body_decoder_f)
+	(asn_TYPE_descriptor_t *td, void *struct_ptr,
+		const void *chunk_buf, size_t chunk_size);
+
+/*
+ * Specific function to decode simple primitive types.
+ * Also see xer_decode_general() in xer_decoder.h
+ */
+asn_dec_rval_t xer_decode_primitive(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *type_descriptor,
+	void **struct_ptr, size_t struct_size,
+	const char *opt_mname,
+	const void *buf_ptr, size_t size,
+	xer_primitive_body_decoder_f *prim_body_decoder
+);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN_CODECS_PRIM_H */
--- a/asn1/asn1c/asn_internal.h
+++ b/asn1/asn1c/asn_internal.h
@ -0,0 +1,128 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005, 2007 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Declarations internally useful for the ASN.1 support code.
+ */
+#ifndef	ASN_INTERNAL_H
+#define	ASN_INTERNAL_H
+
+#include "asn_application.h"	/* Application-visible API */
+
+#ifndef	__NO_ASSERT_H__		/* Include assert.h only for internal use. */
+#include <assert.h>		/* for assert() macro */
+#endif
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+/* Environment version might be used to avoid running with the old library */
+#define	ASN1C_ENVIRONMENT_VERSION	923	/* Compile-time version */
+int get_asn1c_environment_version(void);	/* Run-time version */
+
+#define	CALLOC(nmemb, size)	calloc(nmemb, size)
+#define	MALLOC(size)		malloc(size)
+#define	REALLOC(oldptr, size)	realloc(oldptr, size)
+#define	FREEMEM(ptr)		free(ptr)
+
+#define	asn_debug_indent	0
+#define ASN_DEBUG_INDENT_ADD(i) do{}while(0)
+
+/*
+ * A macro for debugging the ASN.1 internals.
+ * You may enable or override it.
+ */
+#ifndef	ASN_DEBUG	/* If debugging code is not defined elsewhere... */
+#if	EMIT_ASN_DEBUG == 1	/* And it was asked to emit this code... */
+#ifdef	__GNUC__
+#ifdef	ASN_THREAD_SAFE
+/* Thread safety requires sacrifice in output indentation:
+ * Retain empty definition of ASN_DEBUG_INDENT_ADD. */
+#else	/* !ASN_THREAD_SAFE */
+#undef  ASN_DEBUG_INDENT_ADD
+#undef  asn_debug_indent
+int asn_debug_indent;
+#define ASN_DEBUG_INDENT_ADD(i) do { asn_debug_indent += i; } while(0)
+#endif	/* ASN_THREAD_SAFE */
+#define	ASN_DEBUG(fmt, args...)	do {			\
+		int adi = asn_debug_indent;		\
+		while(adi--) fprintf(stderr, " ");	\
+		fprintf(stderr, fmt, ##args);		\
+		fprintf(stderr, " (%s:%d)\n",		\
+			__FILE__, __LINE__);		\
+	} while(0)
+#else	/* !__GNUC__ */
+void ASN_DEBUG_f(const char *fmt, ...);
+#define	ASN_DEBUG	ASN_DEBUG_f
+#endif	/* __GNUC__ */
+#else	/* EMIT_ASN_DEBUG != 1 */
+static void ASN_DEBUG(const char *fmt, ...) { (void)fmt; }
+#endif	/* EMIT_ASN_DEBUG */
+#endif	/* ASN_DEBUG */
+
+/*
+ * Invoke the application-supplied callback and fail, if something is wrong.
+ */
+#define	ASN__E_cbc(buf, size)	(cb((buf), (size), app_key) < 0)
+#define	ASN__E_CALLBACK(foo)	do {					\
+		if(foo)	goto cb_failed;					\
+	} while(0)
+#define	ASN__CALLBACK(buf, size)					\
+	ASN__E_CALLBACK(ASN__E_cbc(buf, size))
+#define	ASN__CALLBACK2(buf1, size1, buf2, size2)			\
+	ASN__E_CALLBACK(ASN__E_cbc(buf1, size1) || ASN__E_cbc(buf2, size2))
+#define	ASN__CALLBACK3(buf1, size1, buf2, size2, buf3, size3)		\
+	ASN__E_CALLBACK(ASN__E_cbc(buf1, size1)			\
+		|| ASN__E_cbc(buf2, size2)				\
+		|| ASN__E_cbc(buf3, size3))
+
+#define	ASN__TEXT_INDENT(nl, level) do {            \
+        int tmp_level = (level);                    \
+        int tmp_nl = ((nl) != 0);                   \
+        int tmp_i;                                  \
+        if(tmp_nl) ASN__CALLBACK("\n", 1);          \
+        if(tmp_level < 0) tmp_level = 0;            \
+        for(tmp_i = 0; tmp_i < tmp_level; tmp_i++)  \
+            ASN__CALLBACK("    ", 4);               \
+        er.encoded += tmp_nl + 4 * tmp_level;       \
+    } while(0)
+
+#define	_i_INDENT(nl)	do {                        \
+        int tmp_i;                                  \
+        if((nl) && cb("\n", 1, app_key) < 0)        \
+            return -1;                              \
+        for(tmp_i = 0; tmp_i < ilevel; tmp_i++)     \
+            if(cb("    ", 4, app_key) < 0)          \
+                return -1;                          \
+    } while(0)
+
+/*
+ * Check stack against overflow, if limit is set.
+ */
+#define	ASN__DEFAULT_STACK_MAX	(30000)
+static int __attribute__((unused))
+ASN__STACK_OVERFLOW_CHECK(asn_codec_ctx_t *ctx) {
+	if(ctx && ctx->max_stack_size) {
+
+		/* ctx MUST be allocated on the stack */
+		ptrdiff_t usedstack = ((char *)ctx - (char *)&ctx);
+		if(usedstack > 0) usedstack = -usedstack; /* grows up! */
+
+		/* double negative required to avoid int wrap-around */
+		if(usedstack < -(ptrdiff_t)ctx->max_stack_size) {
+			ASN_DEBUG("Stack limit %ld reached",
+				(long)ctx->max_stack_size);
+			return -1;
+		}
+	}
+	return 0;
+}
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif	/* ASN_INTERNAL_H */
--- a/asn1/asn1c/asn_system.h
+++ b/asn1/asn1c/asn_system.h
@ -0,0 +1,137 @@
+/*-
+ * Copyright (c) 2003, 2004, 2007 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * Miscellaneous system-dependent types.
+ */
+#ifndef	ASN_SYSTEM_H
+#define	ASN_SYSTEM_H
+
+#ifdef	HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifndef _DEFAULT_SOURCE
+#define _DEFAULT_SOURCE /* for snprintf() on some linux systems  */
+#endif
+
+#include <stdio.h>	/* For snprintf(3) */
+#include <stdlib.h>	/* For *alloc(3) */
+#include <string.h>	/* For memcpy(3) */
+#include <sys/types.h>	/* For size_t */
+#include <limits.h>	/* For LONG_MAX */
+#include <stdarg.h>	/* For va_start */
+#include <stddef.h>	/* for offsetof and ptrdiff_t */
+
+#ifdef	HAVE_ALLOCA_H
+#include <alloca.h>	/* For alloca(3) */
+#endif
+
+#ifdef	_WIN32
+
+#include <malloc.h>
+#define	 snprintf	_snprintf
+#define	 vsnprintf	_vsnprintf
+
+/* To avoid linking with ws2_32.lib, here's the definition of ntohl() */
+#define sys_ntohl(l)	((((l) << 24)  & 0xff000000)	\
+			| (((l) << 8) & 0xff0000)	\
+			| (((l) >> 8)  & 0xff00)	\
+			| ((l >> 24) & 0xff))
+
+#ifdef _MSC_VER			/* MSVS.Net */
+#ifndef __cplusplus
+#define inline __inline
+#endif
+#ifndef	ASSUMESTDTYPES	/* Standard types have been defined elsewhere */
+#define	ssize_t		SSIZE_T
+typedef	char		int8_t;
+typedef	short		int16_t;
+typedef	int		int32_t;
+typedef	unsigned char	uint8_t;
+typedef	unsigned short	uint16_t;
+typedef	unsigned int	uint32_t;
+#endif	/* ASSUMESTDTYPES */
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <float.h>
+#define isnan _isnan
+#define finite _finite
+#define copysign _copysign
+#define	ilogb	_logb
+#else	/* !_MSC_VER */
+#include <stdint.h>
+#endif	/* _MSC_VER */
+
+#else	/* !_WIN32 */
+
+#if defined(__vxworks)
+#include <types/vxTypes.h>
+#else	/* !defined(__vxworks) */
+
+#include <inttypes.h>	/* C99 specifies this file */
+/*
+ * 1. Earlier FreeBSD version didn't have <stdint.h>,
+ * but <inttypes.h> was present.
+ * 2. Sun Solaris requires <alloca.h> for alloca(3),
+ * but does not have <stdint.h>.
+ */
+#if	(!defined(__FreeBSD__) || !defined(_SYS_INTTYPES_H_))
+#if	defined(sun)
+#include <alloca.h>	/* For alloca(3) */
+#include <ieeefp.h>	/* for finite(3) */
+#elif	defined(__hpux)
+#ifdef	__GNUC__
+#include <alloca.h>	/* For alloca(3) */
+#else	/* !__GNUC__ */
+#define inline
+#endif	/* __GNUC__ */
+#else
+#include <stdint.h>	/* SUSv2+ and C99 specify this file, for uintXX_t */
+#endif	/* defined(sun) */
+#endif
+
+#include <netinet/in.h> /* for ntohl() */
+#define	sys_ntohl(foo)	ntohl(foo)
+
+#endif	/* defined(__vxworks) */
+
+#endif	/* _WIN32 */
+
+#if	__GNUC__ >= 3
+#ifndef	GCC_PRINTFLIKE
+#define	GCC_PRINTFLIKE(fmt,var)	__attribute__((format(printf,fmt,var)))
+#endif
+#ifndef	GCC_NOTUSED
+#define	GCC_NOTUSED		__attribute__((unused))
+#endif
+#else
+#ifndef	GCC_PRINTFLIKE
+#define	GCC_PRINTFLIKE(fmt,var)	/* nothing */
+#endif
+#ifndef	GCC_NOTUSED
+#define	GCC_NOTUSED
+#endif
+#endif
+
+/* Figure out if thread safety is requested */
+#if !defined(ASN_THREAD_SAFE) && (defined(THREAD_SAFE) || defined(_REENTRANT))
+#define	ASN_THREAD_SAFE
+#endif	/* Thread safety */
+
+#ifndef	offsetof	/* If not defined by <stddef.h> */
+#define	offsetof(s, m)	((ptrdiff_t)&(((s *)0)->m) - (ptrdiff_t)((s *)0))
+#endif	/* offsetof */
+
+#ifndef	MIN		/* Suitable for comparing primitive types (integers) */
+#if defined(__GNUC__)
+#define	MIN(a,b)	({ __typeof a _a = a; __typeof b _b = b;	\
+	((_a)<(_b)?(_a):(_b)); })
+#else	/* !__GNUC__ */
+#define	MIN(a,b)	((a)<(b)?(a):(b))	/* Unsafe variant */
+#endif /* __GNUC__ */
+#endif	/* MIN */
+
+#endif	/* ASN_SYSTEM_H */
--- a/asn1/asn1c/ber_decoder.c
+++ b/asn1/asn1c/ber_decoder.c
@ -0,0 +1,283 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+
+#undef	ADVANCE
+#define	ADVANCE(num_bytes)	do {					\
+		size_t num = num_bytes;					\
+		ptr = ((const char *)ptr) + num;			\
+		size -= num;						\
+		consumed_myself += num;					\
+	} while(0)
+#undef	RETURN
+#define	RETURN(_code)	do {						\
+		asn_dec_rval_t rval;					\
+		rval.code = _code;					\
+		if(opt_ctx) opt_ctx->step = step; /* Save context */	\
+		if(_code == RC_OK || opt_ctx)				\
+			rval.consumed = consumed_myself;		\
+		else							\
+			rval.consumed = 0;	/* Context-free */	\
+		return rval;						\
+	} while(0)
+
+/*
+ * The BER decoder of any type.
+ */
+asn_dec_rval_t
+ber_decode(asn_codec_ctx_t *opt_codec_ctx,
+	asn_TYPE_descriptor_t *type_descriptor,
+	void **struct_ptr, const void *ptr, size_t size) {
+	asn_codec_ctx_t s_codec_ctx;
+
+	/*
+	 * Stack checker requires that the codec context
+	 * must be allocated on the stack.
+	 */
+	if(opt_codec_ctx) {
+		if(opt_codec_ctx->max_stack_size) {
+			s_codec_ctx = *opt_codec_ctx;
+			opt_codec_ctx = &s_codec_ctx;
+		}
+	} else {
+		/* If context is not given, be security-conscious anyway */
+		memset(&s_codec_ctx, 0, sizeof(s_codec_ctx));
+		s_codec_ctx.max_stack_size = ASN__DEFAULT_STACK_MAX;
+		opt_codec_ctx = &s_codec_ctx;
+	}
+
+	/*
+	 * Invoke type-specific decoder.
+	 */
+	return type_descriptor->ber_decoder(opt_codec_ctx, type_descriptor,
+		struct_ptr,	/* Pointer to the destination structure */
+		ptr, size,	/* Buffer and its size */
+		0		/* Default tag mode is 0 */
+		);
+}
+
+/*
+ * Check the set of <TL<TL<TL...>>> tags matches the definition.
+ */
+asn_dec_rval_t
+ber_check_tags(asn_codec_ctx_t *opt_codec_ctx,
+		asn_TYPE_descriptor_t *td, asn_struct_ctx_t *opt_ctx,
+		const void *ptr, size_t size, int tag_mode, int last_tag_form,
+		ber_tlv_len_t *last_length, int *opt_tlv_form) {
+	ssize_t consumed_myself = 0;
+	ssize_t tag_len;
+	ssize_t len_len;
+	ber_tlv_tag_t tlv_tag;
+	ber_tlv_len_t tlv_len;
+	ber_tlv_len_t limit_len = -1;
+	int expect_00_terminators = 0;
+	int tlv_constr = -1;	/* If CHOICE, opt_tlv_form is not given */
+	int step = opt_ctx ? opt_ctx->step : 0;	/* Where we left previously */
+	int tagno;
+
+	/*
+	 * Make sure we didn't exceed the maximum stack size.
+	 */
+	if(ASN__STACK_OVERFLOW_CHECK(opt_codec_ctx))
+		RETURN(RC_FAIL);
+
+	/*
+	 * So what does all this implicit skip stuff mean?
+	 * Imagine two types,
+	 * 	A ::= [5] IMPLICIT	T
+	 * 	B ::= [2] EXPLICIT	T
+	 * Where T is defined as
+	 *	T ::= [4] IMPLICIT SEQUENCE { ... }
+	 * 
+	 * Let's say, we are starting to decode type A, given the
+	 * following TLV stream: <5> <0>. What does this mean?
+	 * It means that the type A contains type T which is,
+	 * in turn, empty.
+	 * Remember though, that we are still in A. We cannot
+	 * just pass control to the type T decoder. Why? Because
+	 * the type T decoder expects <4> <0>, not <5> <0>.
+	 * So, we must make sure we are going to receive <5> while
+	 * still in A, then pass control to the T decoder, indicating
+	 * that the tag <4> was implicitly skipped. The decoder of T
+	 * hence will be prepared to treat <4> as valid tag, and decode
+	 * it appropriately.
+	 */
+
+	tagno = step	/* Continuing where left previously */
+		+ (tag_mode==1?-1:0)
+		;
+	ASN_DEBUG("ber_check_tags(%s, size=%ld, tm=%d, step=%d, tagno=%d)",
+		td->name, (long)size, tag_mode, step, tagno);
+	/* assert(td->tags_count >= 1) May not be the case for CHOICE or ANY */
+
+	if(tag_mode == 0 && tagno == td->tags_count) {
+		/*
+		 * This must be the _untagged_ ANY type,
+		 * which outermost tag isn't known in advance.
+		 * Fetch the tag and length separately.
+		 */
+		tag_len = ber_fetch_tag(ptr, size, &tlv_tag);
+		switch(tag_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+		tlv_constr = BER_TLV_CONSTRUCTED(ptr);
+		len_len = ber_fetch_length(tlv_constr,
+			(const char *)ptr + tag_len, size - tag_len, &tlv_len);
+		switch(len_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+		ASN_DEBUG("Advancing %ld in ANY case",
+			(long)(tag_len + len_len));
+		ADVANCE(tag_len + len_len);
+	} else {
+		assert(tagno < td->tags_count);	/* At least one loop */
+	}
+	for((void)tagno; tagno < td->tags_count; tagno++, step++) {
+
+		/*
+		 * Fetch and process T from TLV.
+		 */
+		tag_len = ber_fetch_tag(ptr, size, &tlv_tag);
+			ASN_DEBUG("Fetching tag from {%p,%ld}: "
+				"len %ld, step %d, tagno %d got %s",
+				ptr, (long)size,
+				(long)tag_len, step, tagno,
+				ber_tlv_tag_string(tlv_tag));
+		switch(tag_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+
+		tlv_constr = BER_TLV_CONSTRUCTED(ptr);
+
+		/*
+		 * If {I}, don't check anything.
+		 * If {I,B,C}, check B and C unless we're at I.
+		 */
+		if(tag_mode != 0 && step == 0) {
+			/*
+			 * We don't expect tag to match here.
+			 * It's just because we don't know how the tag
+			 * is supposed to look like.
+			 */
+		} else {
+		    assert(tagno >= 0);	/* Guaranteed by the code above */
+		    if(tlv_tag != td->tags[tagno]) {
+			/*
+			 * Unexpected tag. Too bad.
+			 */
+		    	ASN_DEBUG("Expected: %s, "
+				"expectation failed (tn=%d, tm=%d)",
+				ber_tlv_tag_string(td->tags[tagno]),
+				tagno, tag_mode
+			);
+			RETURN(RC_FAIL);
+		    }
+		}
+
+		/*
+		 * Attention: if there are more tags expected,
+		 * ensure that the current tag is presented
+		 * in constructed form (it contains other tags!).
+		 * If this one is the last one, check that the tag form
+		 * matches the one given in descriptor.
+		 */
+		if(tagno < (td->tags_count - 1)) {
+			if(tlv_constr == 0) {
+				ASN_DEBUG("tlv_constr = %d, expfail",
+					tlv_constr);
+				RETURN(RC_FAIL);
+			}
+		} else {
+			if(last_tag_form != tlv_constr
+			&& last_tag_form != -1) {
+				ASN_DEBUG("last_tag_form %d != %d",
+					last_tag_form, tlv_constr);
+				RETURN(RC_FAIL);
+			}
+		}
+
+		/*
+		 * Fetch and process L from TLV.
+		 */
+		len_len = ber_fetch_length(tlv_constr,
+			(const char *)ptr + tag_len, size - tag_len, &tlv_len);
+		ASN_DEBUG("Fetching len = %ld", (long)len_len);
+		switch(len_len) {
+		case -1: RETURN(RC_FAIL);
+		case 0: RETURN(RC_WMORE);
+		}
+
+		/*
+		 * FIXME
+		 * As of today, the chain of tags
+		 * must either contain several indefinite length TLVs,
+		 * or several definite length ones.
+		 * No mixing is allowed.
+		 */
+		if(tlv_len == -1) {
+			/*
+			 * Indefinite length.
+			 */
+			if(limit_len == -1) {
+				expect_00_terminators++;
+			} else {
+				ASN_DEBUG("Unexpected indefinite length "
+					"in a chain of definite lengths");
+				RETURN(RC_FAIL);
+			}
+			ADVANCE(tag_len + len_len);
+			continue;
+		} else {
+			if(expect_00_terminators) {
+				ASN_DEBUG("Unexpected definite length "
+					"in a chain of indefinite lengths");
+				RETURN(RC_FAIL);
+			}
+		}
+
+		/*
+		 * Check that multiple TLVs specify ever decreasing length,
+		 * which is consistent.
+		 */
+		if(limit_len == -1) {
+			limit_len    = tlv_len + tag_len + len_len;
+			if(limit_len < 0) {
+				/* Too great tlv_len value? */
+				RETURN(RC_FAIL);
+			}
+		} else if(limit_len != tlv_len + tag_len + len_len) {
+			/*
+			 * Inner TLV specifies length which is inconsistent
+			 * with the outer TLV's length value.
+			 */
+			ASN_DEBUG("Outer TLV is %ld and inner is %ld",
+				(long)limit_len, (long)tlv_len);
+			RETURN(RC_FAIL);
+		}
+
+		ADVANCE(tag_len + len_len);
+
+		limit_len -= (tag_len + len_len);
+		if((ssize_t)size > limit_len) {
+			/*
+			 * Make sure that we won't consume more bytes
+			 * from the parent frame than the inferred limit.
+			 */
+			size = limit_len;
+		}
+	}
+
+	if(opt_tlv_form)
+		*opt_tlv_form = tlv_constr;
+	if(expect_00_terminators)
+		*last_length = -expect_00_terminators;
+	else
+		*last_length = tlv_len;
+
+	RETURN(RC_OK);
+}
--- a/asn1/asn1c/ber_decoder.h
+++ b/asn1/asn1c/ber_decoder.h
@ -0,0 +1,64 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BER_DECODER_H_
+#define	_BER_DECODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+struct asn_codec_ctx_s;		/* Forward declaration */
+
+/*
+ * The BER decoder of any type.
+ * This function may be invoked directly from the application.
+ * The der_encode() function (der_encoder.h) is an opposite to ber_decode().
+ */
+asn_dec_rval_t ber_decode(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size		/* Size of that buffer */
+	);
+
+/*
+ * Type of generic function which decodes the byte stream into the structure.
+ */
+typedef asn_dec_rval_t (ber_type_decoder_f)(
+		struct asn_codec_ctx_s *opt_codec_ctx,
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void **struct_ptr, const void *buf_ptr, size_t size,
+		int tag_mode);
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+/*
+ * Check that all tags correspond to the type definition (as given in head).
+ * On return, last_length would contain either a non-negative length of the
+ * value part of the last TLV, or the negative number of expected
+ * "end of content" sequences. The number may only be negative if the
+ * head->last_tag_form is non-zero.
+ */
+asn_dec_rval_t ber_check_tags(
+		struct asn_codec_ctx_s *opt_codec_ctx,	/* codec options */
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		asn_struct_ctx_t *opt_ctx,	/* saved decoding context */
+		const void *ptr, size_t size,
+		int tag_mode,		/* {-1,0,1}: IMPLICIT, no, EXPLICIT */
+		int last_tag_form,	/* {-1,0:1}: any, primitive, constr */
+		ber_tlv_len_t *last_length,
+		int *opt_tlv_form	/* optional tag form */
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BER_DECODER_H_ */
--- a/asn1/asn1c/ber_tlv_length.c
+++ b/asn1/asn1c/ber_tlv_length.c
@ -0,0 +1,178 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <ber_tlv_length.h>
+#include <ber_tlv_tag.h>
+
+ssize_t
+ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
+		ber_tlv_len_t *len_r) {
+	const uint8_t *buf = (const uint8_t *)bufptr;
+	unsigned oct;
+
+	if(size == 0)
+		return 0;	/* Want more */
+
+	oct = *(const uint8_t *)buf;
+	if((oct & 0x80) == 0) {
+		/*
+		 * Short definite length.
+		 */
+		*len_r = oct;	/* & 0x7F */
+		return 1;
+	} else {
+		ber_tlv_len_t len;
+		size_t skipped;
+
+		if(_is_constructed && oct == 0x80) {
+			*len_r = -1;	/* Indefinite length */
+			return 1;
+		}
+
+		if(oct == 0xff) {
+			/* Reserved in standard for future use. */
+			return -1;
+		}
+
+		oct &= 0x7F;	/* Leave only the 7 LS bits */
+		for(len = 0, buf++, skipped = 1;
+			oct && (++skipped <= size); buf++, oct--) {
+
+			len = (len << 8) | *buf;
+			if(len < 0
+			|| (len >> ((8 * sizeof(len)) - 8) && oct > 1)) {
+				/*
+				 * Too large length value.
+				 */
+				return -1;
+			}
+		}
+
+		if(oct == 0) {
+			ber_tlv_len_t lenplusepsilon = (size_t)len + 1024;
+			/*
+			 * Here length may be very close or equal to 2G.
+			 * However, the arithmetics used in some decoders
+			 * may add some (small) quantities to the length,
+			 * to check the resulting value against some limits.
+			 * This may result in integer wrap-around, which
+			 * we try to avoid by checking it earlier here.
+			 */
+			if(lenplusepsilon < 0) {
+				/* Too large length value */
+				return -1;
+			}
+
+			*len_r = len;
+			return skipped;
+		}
+
+		return 0;	/* Want more */
+	}
+
+}
+
+ssize_t
+ber_skip_length(asn_codec_ctx_t *opt_codec_ctx,
+		int _is_constructed, const void *ptr, size_t size) {
+	ber_tlv_len_t vlen;	/* Length of V in TLV */
+	ssize_t tl;		/* Length of L in TLV */
+	ssize_t ll;		/* Length of L in TLV */
+	size_t skip;
+
+	/*
+	 * Make sure we didn't exceed the maximum stack size.
+	 */
+	if(ASN__STACK_OVERFLOW_CHECK(opt_codec_ctx))
+		return -1;
+
+	/*
+	 * Determine the size of L in TLV.
+	 */
+	ll = ber_fetch_length(_is_constructed, ptr, size, &vlen);
+	if(ll <= 0) return ll;
+
+	/*
+	 * Definite length.
+	 */
+	if(vlen >= 0) {
+		skip = ll + vlen;
+		if(skip > size)
+			return 0;	/* Want more */
+		return skip;
+	}
+
+	/*
+	 * Indefinite length!
+	 */
+	ASN_DEBUG("Skipping indefinite length");
+	for(skip = ll, ptr = ((const char *)ptr) + ll, size -= ll;;) {
+		ber_tlv_tag_t tag;
+
+		/* Fetch the tag */
+		tl = ber_fetch_tag(ptr, size, &tag);
+		if(tl <= 0) return tl;
+
+		ll = ber_skip_length(opt_codec_ctx,
+			BER_TLV_CONSTRUCTED(ptr),
+			((const char *)ptr) + tl, size - tl);
+		if(ll <= 0) return ll;
+
+		skip += tl + ll;
+
+		/*
+		 * This may be the end of the indefinite length structure,
+		 * two consecutive 0 octets.
+		 * Check if it is true.
+		 */
+		if(((const uint8_t *)ptr)[0] == 0
+		&& ((const uint8_t *)ptr)[1] == 0)
+			return skip;
+
+		ptr = ((const char *)ptr) + tl + ll;
+		size -= tl + ll;
+ 	}
+
+	/* UNREACHABLE */
+}
+
+size_t
+der_tlv_length_serialize(ber_tlv_len_t len, void *bufp, size_t size) {
+	size_t required_size;	/* Size of len encoding */
+	uint8_t *buf = (uint8_t *)bufp;
+	uint8_t *end;
+	size_t i;
+
+	if(len <= 127) {
+		/* Encoded in 1 octet */
+		if(size) *buf = (uint8_t)len;
+		return 1;
+	}
+
+	/*
+	 * Compute the size of the subsequent bytes.
+	 */
+	for(required_size = 1, i = 8; i < 8 * sizeof(len); i += 8) {
+		if(len >> i)
+			required_size++;
+		else
+			break;
+	}
+
+	if(size <= required_size)
+		return required_size + 1;
+
+	*buf++ = (uint8_t)(0x80 | required_size);  /* Length of the encoding */
+
+	/*
+	 * Produce the len encoding, space permitting.
+	 */
+	end = buf + required_size;
+	for(i -= 8; buf < end; i -= 8, buf++)
+		*buf = (uint8_t)(len >> i);
+
+	return required_size + 1;
+}
+
--- a/asn1/asn1c/ber_tlv_length.h
+++ b/asn1/asn1c/ber_tlv_length.h
@ -0,0 +1,50 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BER_TLV_LENGTH_H_
+#define	_BER_TLV_LENGTH_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef ssize_t ber_tlv_len_t;
+
+/*
+ * This function tries to fetch the length of the BER TLV value and place it
+ * in *len_r.
+ * RETURN VALUES:
+ *	 0:	More data expected than bufptr contains.
+ *	-1:	Fatal error deciphering length.
+ *	>0:	Number of bytes used from bufptr.
+ * On return with >0, len_r is constrained as -1..MAX, where -1 mean
+ * that the value is of indefinite length.
+ */
+ssize_t ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
+	ber_tlv_len_t *len_r);
+
+/*
+ * This function expects bufptr to be positioned over L in TLV.
+ * It returns number of bytes occupied by L and V together, suitable
+ * for skipping. The function properly handles indefinite length.
+ * RETURN VALUES:
+ * 	Standard {-1,0,>0} convention.
+ */
+ssize_t ber_skip_length(
+	struct asn_codec_ctx_s *opt_codec_ctx,	/* optional context */
+	int _is_constructed, const void *bufptr, size_t size);
+
+/*
+ * This function serializes the length (L from TLV) in DER format.
+ * It always returns number of bytes necessary to represent the length,
+ * it is a caller's responsibility to check the return value
+ * against the supplied buffer's size.
+ */
+size_t der_tlv_length_serialize(ber_tlv_len_t len, void *bufptr, size_t size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BER_TLV_LENGTH_H_ */
--- a/asn1/asn1c/ber_tlv_tag.c
+++ b/asn1/asn1c/ber_tlv_tag.c
@ -0,0 +1,144 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <ber_tlv_tag.h>
+#include <errno.h>
+
+ssize_t
+ber_fetch_tag(const void *ptr, size_t size, ber_tlv_tag_t *tag_r) {
+	ber_tlv_tag_t val;
+	ber_tlv_tag_t tclass;
+	size_t skipped;
+
+	if(size == 0)
+		return 0;
+
+	val = *(const uint8_t *)ptr;
+	tclass = (val >> 6);
+	if((val &= 0x1F) != 0x1F) {
+		/*
+		 * Simple form: everything encoded in a single octet.
+		 * Tag Class is encoded using two least significant bits.
+		 */
+		*tag_r = (val << 2) | tclass;
+		return 1;
+	}
+
+	/*
+	 * Each octet contains 7 bits of useful information.
+	 * The MSB is 0 if it is the last octet of the tag.
+	 */
+	for(val = 0, ptr = ((const char *)ptr) + 1, skipped = 2;
+			skipped <= size;
+				ptr = ((const char *)ptr) + 1, skipped++) {
+		unsigned int oct = *(const uint8_t *)ptr;
+		if(oct & 0x80) {
+			val = (val << 7) | (oct & 0x7F);
+			/*
+			 * Make sure there are at least 9 bits spare
+			 * at the MS side of a value.
+			 */
+			if(val >> ((8 * sizeof(val)) - 9)) {
+				/*
+				 * We would not be able to accomodate
+				 * any more tag bits.
+				 */
+				return -1;
+			}
+		} else {
+			val = (val << 7) | oct;
+			*tag_r = (val << 2) | tclass;
+			return skipped;
+		}
+	}
+
+	return 0;	/* Want more */
+}
+
+
+ssize_t
+ber_tlv_tag_fwrite(ber_tlv_tag_t tag, FILE *f) {
+	char buf[sizeof("[APPLICATION ]") + 32];
+	ssize_t ret;
+
+	ret = ber_tlv_tag_snprint(tag, buf, sizeof(buf));
+	if(ret >= (ssize_t)sizeof(buf) || ret < 2) {
+		errno = EPERM;
+		return -1;
+	}
+
+	return fwrite(buf, 1, ret, f);
+}
+
+ssize_t
+ber_tlv_tag_snprint(ber_tlv_tag_t tag, char *buf, size_t size) {
+	char *type = 0;
+	int ret;
+
+	switch(tag & 0x3) {
+	case ASN_TAG_CLASS_UNIVERSAL:	type = "UNIVERSAL ";	break;
+	case ASN_TAG_CLASS_APPLICATION:	type = "APPLICATION ";	break;
+	case ASN_TAG_CLASS_CONTEXT:	type = "";		break;
+	case ASN_TAG_CLASS_PRIVATE:	type = "PRIVATE ";	break;
+	}
+
+	ret = snprintf(buf, size, "[%s%u]", type, ((unsigned)tag) >> 2);
+	if(ret <= 0 && size) buf[0] = '\0';	/* against broken libc's */
+
+	return ret;
+}
+
+char *
+ber_tlv_tag_string(ber_tlv_tag_t tag) {
+	static char buf[sizeof("[APPLICATION ]") + 32];
+
+	(void)ber_tlv_tag_snprint(tag, buf, sizeof(buf));
+
+	return buf;
+}
+
+
+size_t
+ber_tlv_tag_serialize(ber_tlv_tag_t tag, void *bufp, size_t size) {
+	int tclass = BER_TAG_CLASS(tag);
+	ber_tlv_tag_t tval = BER_TAG_VALUE(tag);
+	uint8_t *buf = (uint8_t *)bufp;
+	uint8_t *end;
+	size_t required_size;
+	size_t i;
+
+	if(tval <= 30) {
+		/* Encoded in 1 octet */
+		if(size) buf[0] = (tclass << 6) | tval;
+		return 1;
+	} else if(size) {
+		*buf++ = (tclass << 6) | 0x1F;
+		size--;
+	}
+
+	/*
+	 * Compute the size of the subsequent bytes.
+	 */
+	for(required_size = 1, i = 7; i < 8 * sizeof(tval); i += 7) {
+		if(tval >> i)
+			required_size++;
+		else
+			break;
+	}
+
+	if(size < required_size)
+		return required_size + 1;
+
+	/*
+	 * Fill in the buffer, space permitting.
+	 */
+	end = buf + required_size - 1;
+	for(i -= 7; buf < end; i -= 7, buf++)
+		*buf = 0x80 | ((tval >> i) & 0x7F);
+	*buf = (tval & 0x7F);	/* Last octet without high bit */
+
+	return required_size + 1;
+}
+
--- a/asn1/asn1c/ber_tlv_tag.h
+++ b/asn1/asn1c/ber_tlv_tag.h
@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_BER_TLV_TAG_H_
+#define	_BER_TLV_TAG_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum asn_tag_class {
+	ASN_TAG_CLASS_UNIVERSAL		= 0,	/* 0b00 */
+	ASN_TAG_CLASS_APPLICATION	= 1,	/* 0b01 */
+	ASN_TAG_CLASS_CONTEXT		= 2,	/* 0b10 */
+	ASN_TAG_CLASS_PRIVATE		= 3	/* 0b11 */
+};
+typedef unsigned ber_tlv_tag_t;	/* BER TAG from Tag-Length-Value */
+
+/*
+ * Tag class is encoded together with tag value for optimization purposes.
+ */
+#define	BER_TAG_CLASS(tag)	((tag) & 0x3)
+#define	BER_TAG_VALUE(tag)	((tag) >> 2)
+#define	BER_TLV_CONSTRUCTED(tagptr)	(((*(const uint8_t *)tagptr)&0x20)?1:0)
+
+#define	BER_TAGS_EQUAL(tag1, tag2)	((tag1) == (tag2))
+
+/*
+ * Several functions for printing the TAG in the canonical form
+ * (i.e. "[PRIVATE 0]").
+ * Return values correspond to their libc counterparts (if any).
+ */
+ssize_t ber_tlv_tag_snprint(ber_tlv_tag_t tag, char *buf, size_t buflen);
+ssize_t ber_tlv_tag_fwrite(ber_tlv_tag_t tag, FILE *);
+char *ber_tlv_tag_string(ber_tlv_tag_t tag);
+
+
+/*
+ * This function tries to fetch the tag from the input stream.
+ * RETURN VALUES:
+ * 	 0:	More data expected than bufptr contains.
+ * 	-1:	Fatal error deciphering tag.
+ *	>0:	Number of bytes used from bufptr. tag_r will contain the tag.
+ */
+ssize_t ber_fetch_tag(const void *bufptr, size_t size, ber_tlv_tag_t *tag_r);
+
+/*
+ * This function serializes the tag (T from TLV) in BER format.
+ * It always returns number of bytes necessary to represent the tag,
+ * it is a caller's responsibility to check the return value
+ * against the supplied buffer's size.
+ */
+size_t ber_tlv_tag_serialize(ber_tlv_tag_t tag, void *bufptr, size_t size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _BER_TLV_TAG_H_ */
--- a/asn1/asn1c/constr_CHOICE.c
+++ b/asn1/asn1c/constr_CHOICE.c
--- a/asn1/asn1c/constr_CHOICE.h
+++ b/asn1/asn1c/constr_CHOICE.h
@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_CHOICE_H_
+#define	_CONSTR_CHOICE_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef const struct asn_CHOICE_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the target structure. */
+	int ctx_offset;		/* Offset of the asn_codec_ctx_t member */
+	int pres_offset;	/* Identifier of the present member */
+	int pres_size;		/* Size of the identifier (enum) */
+
+	/*
+	 * Tags to members mapping table.
+	 */
+	const asn_TYPE_tag2member_t *tag2el;
+	int tag2el_count;
+
+	/* Canonical ordering of CHOICE elements, for PER */
+	int *canonical_order;
+
+	/*
+	 * Extensions-related stuff.
+	 */
+	int ext_start;		/* First member of extensions, or -1 */
+} asn_CHOICE_specifics_t;
+
+/*
+ * A set specialized functions dealing with the CHOICE type.
+ */
+asn_struct_free_f CHOICE_free;
+asn_struct_print_f CHOICE_print;
+asn_constr_check_f CHOICE_constraint;
+ber_type_decoder_f CHOICE_decode_ber;
+der_type_encoder_f CHOICE_encode_der;
+xer_type_decoder_f CHOICE_decode_xer;
+xer_type_encoder_f CHOICE_encode_xer;
+per_type_decoder_f CHOICE_decode_uper;
+per_type_encoder_f CHOICE_encode_uper;
+asn_outmost_tag_f CHOICE_outmost_tag;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_CHOICE_H_ */
--- a/asn1/asn1c/constr_SEQUENCE.c
+++ b/asn1/asn1c/constr_SEQUENCE.c
--- a/asn1/asn1c/constr_SEQUENCE.h
+++ b/asn1/asn1c/constr_SEQUENCE.h
@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_SEQUENCE_H_
+#define	_CONSTR_SEQUENCE_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef const struct asn_SEQUENCE_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the target structure. */
+	int ctx_offset;		/* Offset of the asn_struct_ctx_t member */
+
+	/*
+	 * Tags to members mapping table (sorted).
+	 */
+	const asn_TYPE_tag2member_t *tag2el;
+	int tag2el_count;
+
+	/*
+	 * Optional members of the extensions root (roms) or additions (aoms).
+	 * Meaningful for PER.
+	 */
+	const int *oms;		/* Optional MemberS */
+	int  roms_count;	/* Root optional members count */
+	int  aoms_count;	/* Additions optional members count */
+
+	/*
+	 * Description of an extensions group.
+	 */
+	int ext_after;		/* Extensions start after this member */
+	int ext_before;		/* Extensions stop before this member */
+} asn_SEQUENCE_specifics_t;
+
+
+/*
+ * A set specialized functions dealing with the SEQUENCE type.
+ */
+asn_struct_free_f SEQUENCE_free;
+asn_struct_print_f SEQUENCE_print;
+asn_constr_check_f SEQUENCE_constraint;
+ber_type_decoder_f SEQUENCE_decode_ber;
+der_type_encoder_f SEQUENCE_encode_der;
+xer_type_decoder_f SEQUENCE_decode_xer;
+xer_type_encoder_f SEQUENCE_encode_xer;
+per_type_decoder_f SEQUENCE_decode_uper;
+per_type_encoder_f SEQUENCE_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_SEQUENCE_H_ */
--- a/asn1/asn1c/constr_SEQUENCE_OF.c
+++ b/asn1/asn1c/constr_SEQUENCE_OF.c
@ -0,0 +1,208 @@
+/*-
+ * Copyright (c) 2003, 2004, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <constr_SEQUENCE_OF.h>
+#include <asn_SEQUENCE_OF.h>
+
+/*
+ * The DER encoder of the SEQUENCE OF type.
+ */
+asn_enc_rval_t
+SEQUENCE_OF_encode_der(asn_TYPE_descriptor_t *td, void *ptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	asn_anonymous_sequence_ *list = _A_SEQUENCE_FROM_VOID(ptr);
+	size_t computed_size = 0;
+	ssize_t encoding_size = 0;
+	asn_enc_rval_t erval;
+	int edx;
+
+	ASN_DEBUG("Estimating size of SEQUENCE OF %s", td->name);
+
+	/*
+	 * Gather the length of the underlying members sequence.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		if(!memb_ptr) continue;
+		erval = elm->type->der_encoder(elm->type, memb_ptr,
+			0, elm->tag,
+			0, 0);
+		if(erval.encoded == -1)
+			return erval;
+		computed_size += erval.encoded;
+	}
+
+	/*
+	 * Encode the TLV for the sequence itself.
+	 */
+	encoding_size = der_write_tags(td, computed_size, tag_mode, 1, tag,
+		cb, app_key);
+	if(encoding_size == -1) {
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+		return erval;
+	}
+
+	computed_size += encoding_size;
+	if(!cb) {
+		erval.encoded = computed_size;
+		ASN__ENCODED_OK(erval);
+	}
+
+	ASN_DEBUG("Encoding members of SEQUENCE OF %s", td->name);
+
+	/*
+	 * Encode all members.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		if(!memb_ptr) continue;
+		erval = elm->type->der_encoder(elm->type, memb_ptr,
+			0, elm->tag,
+			cb, app_key);
+		if(erval.encoded == -1)
+			return erval;
+		encoding_size += erval.encoded;
+	}
+
+	if(computed_size != (size_t)encoding_size) {
+		/*
+		 * Encoded size is not equal to the computed size.
+		 */
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+	} else {
+		erval.encoded = computed_size;
+		erval.structure_ptr = 0;
+		erval.failed_type = 0;
+	}
+
+	return erval;
+}
+
+asn_enc_rval_t
+SEQUENCE_OF_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er;
+        asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;
+	asn_anonymous_sequence_ *list = _A_SEQUENCE_FROM_VOID(sptr);
+	const char *mname = specs->as_XMLValueList
+		? 0 : ((*elm->name) ? elm->name : elm->type->xml_tag);
+	unsigned int mlen = mname ? strlen(mname) : 0;
+	int xcan = (flags & XER_F_CANONICAL);
+	int i;
+
+	if(!sptr) ASN__ENCODE_FAILED;
+
+	er.encoded = 0;
+
+	for(i = 0; i < list->count; i++) {
+		asn_enc_rval_t tmper;
+		void *memb_ptr = list->array[i];
+		if(!memb_ptr) continue;
+
+		if(mname) {
+			if(!xcan) ASN__TEXT_INDENT(1, ilevel);
+			ASN__CALLBACK3("<", 1, mname, mlen, ">", 1);
+		}
+
+		tmper = elm->type->xer_encoder(elm->type, memb_ptr,
+				ilevel + 1, flags, cb, app_key);
+		if(tmper.encoded == -1) return tmper;
+                if(tmper.encoded == 0 && specs->as_XMLValueList) {
+                        const char *name = elm->type->xml_tag;
+			size_t len = strlen(name);
+			if(!xcan) ASN__TEXT_INDENT(1, ilevel + 1);
+			ASN__CALLBACK3("<", 1, name, len, "/>", 2);
+                }
+
+		if(mname) {
+			ASN__CALLBACK3("</", 2, mname, mlen, ">", 1);
+			er.encoded += 5;
+		}
+
+		er.encoded += (2 * mlen) + tmper.encoded;
+	}
+
+	if(!xcan) ASN__TEXT_INDENT(1, ilevel - 1);
+
+	ASN__ENCODED_OK(er);
+cb_failed:
+	ASN__ENCODE_FAILED;
+}
+
+asn_enc_rval_t
+SEQUENCE_OF_encode_uper(asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	asn_anonymous_sequence_ *list;
+	asn_per_constraint_t *ct;
+	asn_enc_rval_t er;
+	asn_TYPE_member_t *elm = td->elements;
+	int seq;
+
+	if(!sptr) ASN__ENCODE_FAILED;
+	list = _A_SEQUENCE_FROM_VOID(sptr);
+
+	er.encoded = 0;
+
+	ASN_DEBUG("Encoding %s as SEQUENCE OF (%d)", td->name, list->count);
+
+	if(constraints) ct = &constraints->size;
+	else if(td->per_constraints) ct = &td->per_constraints->size;
+	else ct = 0;
+
+	/* If extensible constraint, check if size is in root */
+	if(ct) {
+		int not_in_root = (list->count < ct->lower_bound
+				|| list->count > ct->upper_bound);
+		ASN_DEBUG("lb %ld ub %ld %s",
+			ct->lower_bound, ct->upper_bound,
+			ct->flags & APC_EXTENSIBLE ? "ext" : "fix");
+		if(ct->flags & APC_EXTENSIBLE) {
+			/* Declare whether size is in extension root */
+			if(per_put_few_bits(po, not_in_root, 1))
+				ASN__ENCODE_FAILED;
+			if(not_in_root) ct = 0;
+		} else if(not_in_root && ct->effective_bits >= 0)
+			ASN__ENCODE_FAILED;
+	}
+
+	if(ct && ct->effective_bits >= 0) {
+		/* X.691, #19.5: No length determinant */
+		if(per_put_few_bits(po, list->count - ct->lower_bound,
+				ct->effective_bits))
+			ASN__ENCODE_FAILED;
+	}
+
+	for(seq = -1; seq < list->count;) {
+		ssize_t mayEncode;
+		if(seq < 0) seq = 0;
+		if(ct && ct->effective_bits >= 0) {
+			mayEncode = list->count;
+		} else {
+			mayEncode = uper_put_length(po, list->count - seq);
+			if(mayEncode < 0) ASN__ENCODE_FAILED;
+		}
+
+		while(mayEncode--) {
+			void *memb_ptr = list->array[seq++];
+			if(!memb_ptr) ASN__ENCODE_FAILED;
+			er = elm->type->uper_encoder(elm->type,
+				elm->per_constraints, memb_ptr, po);
+			if(er.encoded == -1)
+				ASN__ENCODE_FAILED;
+		}
+	}
+
+	ASN__ENCODED_OK(er);
+}
+
--- a/asn1/asn1c/constr_SEQUENCE_OF.h
+++ b/asn1/asn1c/constr_SEQUENCE_OF.h
@ -0,0 +1,33 @@
+/*-
+ * Copyright (c) 2003, 2005 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_SEQUENCE_OF_H_
+#define	_CONSTR_SEQUENCE_OF_H_
+
+#include <asn_application.h>
+#include <constr_SET_OF.h>		/* Implemented using SET OF */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * A set specialized functions dealing with the SEQUENCE OF type.
+ * Generally implemented using SET OF.
+ */
+#define	SEQUENCE_OF_free	SET_OF_free
+#define	SEQUENCE_OF_print	SET_OF_print
+#define	SEQUENCE_OF_constraint	SET_OF_constraint
+#define	SEQUENCE_OF_decode_ber	SET_OF_decode_ber
+#define	SEQUENCE_OF_decode_xer	SET_OF_decode_xer
+#define	SEQUENCE_OF_decode_uper	SET_OF_decode_uper
+der_type_encoder_f SEQUENCE_OF_encode_der;
+xer_type_encoder_f SEQUENCE_OF_encode_xer;
+per_type_encoder_f SEQUENCE_OF_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_SET_OF_H_ */
--- a/asn1/asn1c/constr_SET_OF.c
+++ b/asn1/asn1c/constr_SET_OF.c
@ -0,0 +1,954 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <constr_SET_OF.h>
+#include <asn_SET_OF.h>
+
+/*
+ * Number of bytes left for this structure.
+ * (ctx->left) indicates the number of bytes _transferred_ for the structure.
+ * (size) contains the number of bytes in the buffer passed.
+ */
+#define	LEFT	((size<(size_t)ctx->left)?size:(size_t)ctx->left)
+
+/*
+ * If the subprocessor function returns with an indication that it wants
+ * more data, it may well be a fatal decoding problem, because the
+ * size is constrained by the <TLV>'s L, even if the buffer size allows
+ * reading more data.
+ * For example, consider the buffer containing the following TLVs:
+ * <T:5><L:1><V> <T:6>...
+ * The TLV length clearly indicates that one byte is expected in V, but
+ * if the V processor returns with "want more data" even if the buffer
+ * contains way more data than the V processor have seen.
+ */
+#define	SIZE_VIOLATION	(ctx->left >= 0 && (size_t)ctx->left <= size)
+
+/*
+ * This macro "eats" the part of the buffer which is definitely "consumed",
+ * i.e. was correctly converted into local representation or rightfully skipped.
+ */
+#undef	ADVANCE
+#define	ADVANCE(num_bytes)	do {		\
+		size_t num = num_bytes;		\
+		ptr = ((const char *)ptr) + num;\
+		size -= num;			\
+		if(ctx->left >= 0)		\
+			ctx->left -= num;	\
+		consumed_myself += num;		\
+	} while(0)
+
+/*
+ * Switch to the next phase of parsing.
+ */
+#undef	NEXT_PHASE
+#undef	PHASE_OUT
+#define	NEXT_PHASE(ctx)	do {			\
+		ctx->phase++;			\
+		ctx->step = 0;			\
+	} while(0)
+#define	PHASE_OUT(ctx)	do { ctx->phase = 10; } while(0)
+
+/*
+ * Return a standardized complex structure.
+ */
+#undef	RETURN
+#define	RETURN(_code)	do {			\
+		rval.code = _code;		\
+		rval.consumed = consumed_myself;\
+		return rval;			\
+	} while(0)
+
+/*
+ * The decoder of the SET OF type.
+ */
+asn_dec_rval_t
+SET_OF_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+	void **struct_ptr, const void *ptr, size_t size, int tag_mode) {
+	/*
+	 * Bring closer parts of structure description.
+	 */
+	asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;	/* Single one */
+
+	/*
+	 * Parts of the structure being constructed.
+	 */
+	void *st = *struct_ptr;	/* Target structure. */
+	asn_struct_ctx_t *ctx;	/* Decoder context */
+
+	ber_tlv_tag_t tlv_tag;	/* T from TLV */
+	asn_dec_rval_t rval;	/* Return code from subparsers */
+
+	ssize_t consumed_myself = 0;	/* Consumed bytes from ptr */
+
+	ASN_DEBUG("Decoding %s as SET OF", td->name);
+	
+	/*
+	 * Create the target structure if it is not present already.
+	 */
+	if(st == 0) {
+		st = *struct_ptr = CALLOC(1, specs->struct_size);
+		if(st == 0) {
+			RETURN(RC_FAIL);
+		}
+	}
+
+	/*
+	 * Restore parsing context.
+	 */
+	ctx = (asn_struct_ctx_t *)((char *)st + specs->ctx_offset);
+	
+	/*
+	 * Start to parse where left previously
+	 */
+	switch(ctx->phase) {
+	case 0:
+		/*
+		 * PHASE 0.
+		 * Check that the set of tags associated with given structure
+		 * perfectly fits our expectations.
+		 */
+
+		rval = ber_check_tags(opt_codec_ctx, td, ctx, ptr, size,
+			tag_mode, 1, &ctx->left, 0);
+		if(rval.code != RC_OK) {
+			ASN_DEBUG("%s tagging check failed: %d",
+				td->name, rval.code);
+			return rval;
+		}
+
+		if(ctx->left >= 0)
+			ctx->left += rval.consumed; /* ?Substracted below! */
+		ADVANCE(rval.consumed);
+
+		ASN_DEBUG("Structure consumes %ld bytes, "
+			"buffer %ld", (long)ctx->left, (long)size);
+
+		NEXT_PHASE(ctx);
+		/* Fall through */
+	case 1:
+		/*
+		 * PHASE 1.
+		 * From the place where we've left it previously,
+		 * try to decode the next item.
+		 */
+	  for(;; ctx->step = 0) {
+		ssize_t tag_len;	/* Length of TLV's T */
+
+		if(ctx->step & 1)
+			goto microphase2;
+
+		/*
+		 * MICROPHASE 1: Synchronize decoding.
+		 */
+
+		if(ctx->left == 0) {
+			ASN_DEBUG("End of SET OF %s", td->name);
+			/*
+			 * No more things to decode.
+			 * Exit out of here.
+			 */
+			PHASE_OUT(ctx);
+			RETURN(RC_OK);
+		}
+
+		/*
+		 * Fetch the T from TLV.
+		 */
+		tag_len = ber_fetch_tag(ptr, LEFT, &tlv_tag);
+		switch(tag_len) {
+		case 0: if(!SIZE_VIOLATION) RETURN(RC_WMORE);
+			/* Fall through */
+		case -1: RETURN(RC_FAIL);
+		}
+
+		if(ctx->left < 0 && ((const uint8_t *)ptr)[0] == 0) {
+			if(LEFT < 2) {
+				if(SIZE_VIOLATION)
+					RETURN(RC_FAIL);
+				else
+					RETURN(RC_WMORE);
+			} else if(((const uint8_t *)ptr)[1] == 0) {
+				/*
+				 * Found the terminator of the
+				 * indefinite length structure.
+				 */
+				break;
+			}
+		}
+
+		/* Outmost tag may be unknown and cannot be fetched/compared */
+		if(elm->tag != (ber_tlv_tag_t)-1) {
+		    if(BER_TAGS_EQUAL(tlv_tag, elm->tag)) {
+			/*
+			 * The new list member of expected type has arrived.
+			 */
+		    } else {
+			ASN_DEBUG("Unexpected tag %s fixed SET OF %s",
+				ber_tlv_tag_string(tlv_tag), td->name);
+			ASN_DEBUG("%s SET OF has tag %s",
+				td->name, ber_tlv_tag_string(elm->tag));
+			RETURN(RC_FAIL);
+		    }
+		}
+
+		/*
+		 * MICROPHASE 2: Invoke the member-specific decoder.
+		 */
+		ctx->step |= 1;		/* Confirm entering next microphase */
+	microphase2:
+		
+		/*
+		 * Invoke the member fetch routine according to member's type
+		 */
+		rval = elm->type->ber_decoder(opt_codec_ctx,
+				elm->type, &ctx->ptr, ptr, LEFT, 0);
+		ASN_DEBUG("In %s SET OF %s code %d consumed %d",
+			td->name, elm->type->name,
+			rval.code, (int)rval.consumed);
+		switch(rval.code) {
+		case RC_OK:
+			{
+				asn_anonymous_set_ *list = _A_SET_FROM_VOID(st);
+				if(ASN_SET_ADD(list, ctx->ptr) != 0)
+					RETURN(RC_FAIL);
+				else
+					ctx->ptr = 0;
+			}
+			break;
+		case RC_WMORE: /* More data expected */
+			if(!SIZE_VIOLATION) {
+				ADVANCE(rval.consumed);
+				RETURN(RC_WMORE);
+			}
+			/* Fall through */
+		case RC_FAIL: /* Fatal error */
+			ASN_STRUCT_FREE(*elm->type, ctx->ptr);
+			ctx->ptr = 0;
+			RETURN(RC_FAIL);
+		} /* switch(rval) */
+		
+		ADVANCE(rval.consumed);
+	  }	/* for(all list members) */
+
+		NEXT_PHASE(ctx);
+	case 2:
+		/*
+		 * Read in all "end of content" TLVs.
+		 */
+		while(ctx->left < 0) {
+			if(LEFT < 2) {
+				if(LEFT > 0 && ((const char *)ptr)[0] != 0) {
+					/* Unexpected tag */
+					RETURN(RC_FAIL);
+				} else {
+					RETURN(RC_WMORE);
+				}
+			}
+			if(((const char *)ptr)[0] == 0
+			&& ((const char *)ptr)[1] == 0) {
+				ADVANCE(2);
+				ctx->left++;
+			} else {
+				RETURN(RC_FAIL);
+			}
+		}
+
+		PHASE_OUT(ctx);
+	}
+	
+	RETURN(RC_OK);
+}
+
+/*
+ * Internally visible buffer holding a single encoded element.
+ */
+struct _el_buffer {
+	uint8_t *buf;
+	size_t length;
+	size_t size;
+};
+/* Append bytes to the above structure */
+static int _el_addbytes(const void *buffer, size_t size, void *el_buf_ptr) {
+	struct _el_buffer *el_buf = (struct _el_buffer *)el_buf_ptr;
+
+	if(el_buf->length + size > el_buf->size)
+		return -1;
+
+	memcpy(el_buf->buf + el_buf->length, buffer, size);
+
+	el_buf->length += size;
+	return 0;
+}
+static int _el_buf_cmp(const void *ap, const void *bp) {
+	const struct _el_buffer *a = (const struct _el_buffer *)ap;
+	const struct _el_buffer *b = (const struct _el_buffer *)bp;
+	int ret;
+	size_t common_len;
+
+	if(a->length < b->length)
+		common_len = a->length;
+	else
+		common_len = b->length;
+
+	ret = memcmp(a->buf, b->buf, common_len);
+	if(ret == 0) {
+		if(a->length < b->length)
+			ret = -1;
+		else if(a->length > b->length)
+			ret = 1;
+	}
+
+	return ret;
+}
+
+/*
+ * The DER encoder of the SET OF type.
+ */
+asn_enc_rval_t
+SET_OF_encode_der(asn_TYPE_descriptor_t *td, void *ptr,
+	int tag_mode, ber_tlv_tag_t tag,
+	asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	asn_TYPE_descriptor_t *elm_type = elm->type;
+	der_type_encoder_f *der_encoder = elm_type->der_encoder;
+	asn_anonymous_set_ *list = _A_SET_FROM_VOID(ptr);
+	size_t computed_size = 0;
+	ssize_t encoding_size = 0;
+	struct _el_buffer *encoded_els;
+	ssize_t eels_count = 0;
+	size_t max_encoded_len = 1;
+	asn_enc_rval_t erval;
+	int ret;
+	int edx;
+
+	ASN_DEBUG("Estimating size for SET OF %s", td->name);
+
+	/*
+	 * Gather the length of the underlying members sequence.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		if(!memb_ptr) continue;
+		erval = der_encoder(elm_type, memb_ptr, 0, elm->tag, 0, 0);
+		if(erval.encoded == -1)
+			return erval;
+		computed_size += erval.encoded;
+
+		/* Compute maximum encoding's size */
+		if(max_encoded_len < (size_t)erval.encoded)
+			max_encoded_len = erval.encoded;
+	}
+
+	/*
+	 * Encode the TLV for the sequence itself.
+	 */
+	encoding_size = der_write_tags(td, computed_size, tag_mode, 1, tag,
+		cb, app_key);
+	if(encoding_size == -1) {
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+		return erval;
+	}
+	computed_size += encoding_size;
+
+	if(!cb || list->count == 0) {
+		erval.encoded = computed_size;
+		ASN__ENCODED_OK(erval);
+	}
+
+	/*
+	 * DER mandates dynamic sorting of the SET OF elements
+	 * according to their encodings. Build an array of the
+	 * encoded elements.
+	 */
+	encoded_els = (struct _el_buffer *)MALLOC(
+				list->count * sizeof(encoded_els[0]));
+	if(encoded_els == NULL) {
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+		return erval;
+	}
+
+	ASN_DEBUG("Encoding members of %s SET OF", td->name);
+
+	/*
+	 * Encode all members.
+	 */
+	for(edx = 0; edx < list->count; edx++) {
+		void *memb_ptr = list->array[edx];
+		struct _el_buffer *encoded_el = &encoded_els[eels_count];
+
+		if(!memb_ptr) continue;
+
+		/*
+		 * Prepare space for encoding.
+		 */
+		encoded_el->buf = (uint8_t *)MALLOC(max_encoded_len);
+		if(encoded_el->buf) {
+			encoded_el->length = 0;
+			encoded_el->size = max_encoded_len;
+		} else {
+			for(edx--; edx >= 0; edx--)
+				FREEMEM(encoded_els[edx].buf);
+			FREEMEM(encoded_els);
+			erval.encoded = -1;
+			erval.failed_type = td;
+			erval.structure_ptr = ptr;
+			return erval;
+		}
+
+		/*
+		 * Encode the member into the prepared space.
+		 */
+		erval = der_encoder(elm_type, memb_ptr, 0, elm->tag,
+			_el_addbytes, encoded_el);
+		if(erval.encoded == -1) {
+			for(; edx >= 0; edx--)
+				FREEMEM(encoded_els[edx].buf);
+			FREEMEM(encoded_els);
+			return erval;
+		}
+		encoding_size += erval.encoded;
+		eels_count++;
+	}
+
+	/*
+	 * Sort the encoded elements according to their encoding.
+	 */
+	qsort(encoded_els, eels_count, sizeof(encoded_els[0]), _el_buf_cmp);
+
+	/*
+	 * Report encoded elements to the application.
+	 * Dispose of temporary sorted members table.
+	 */
+	ret = 0;
+	for(edx = 0; edx < eels_count; edx++) {
+		struct _el_buffer *encoded_el = &encoded_els[edx];
+		/* Report encoded chunks to the application */
+		if(ret == 0
+		&& cb(encoded_el->buf, encoded_el->length, app_key) < 0)
+			ret = -1;
+		FREEMEM(encoded_el->buf);
+	}
+	FREEMEM(encoded_els);
+
+	if(ret || computed_size != (size_t)encoding_size) {
+		/*
+		 * Standard callback failed, or
+		 * encoded size is not equal to the computed size.
+		 */
+		erval.encoded = -1;
+		erval.failed_type = td;
+		erval.structure_ptr = ptr;
+	} else {
+		erval.encoded = computed_size;
+	}
+
+	ASN__ENCODED_OK(erval);
+}
+
+#undef	XER_ADVANCE
+#define	XER_ADVANCE(num_bytes)	do {			\
+		size_t num = num_bytes;			\
+		buf_ptr = ((const char *)buf_ptr) + num;\
+		size -= num;				\
+		consumed_myself += num;			\
+	} while(0)
+
+/*
+ * Decode the XER (XML) data.
+ */
+asn_dec_rval_t
+SET_OF_decode_xer(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+	void **struct_ptr, const char *opt_mname,
+		const void *buf_ptr, size_t size) {
+	/*
+	 * Bring closer parts of structure description.
+	 */
+	asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *element = td->elements;
+	const char *elm_tag;
+	const char *xml_tag = opt_mname ? opt_mname : td->xml_tag;
+
+	/*
+	 * ... and parts of the structure being constructed.
+	 */
+	void *st = *struct_ptr;	/* Target structure. */
+	asn_struct_ctx_t *ctx;	/* Decoder context */
+
+	asn_dec_rval_t rval;		/* Return value from a decoder */
+	ssize_t consumed_myself = 0;	/* Consumed bytes from ptr */
+
+	/*
+	 * Create the target structure if it is not present already.
+	 */
+	if(st == 0) {
+		st = *struct_ptr = CALLOC(1, specs->struct_size);
+		if(st == 0) RETURN(RC_FAIL);
+	}
+
+	/* Which tag is expected for the downstream */
+	if(specs->as_XMLValueList) {
+		elm_tag = (specs->as_XMLValueList == 1) ? 0 : "";
+	} else {
+		elm_tag = (*element->name)
+				? element->name : element->type->xml_tag;
+	}
+
+	/*
+	 * Restore parsing context.
+	 */
+	ctx = (asn_struct_ctx_t *)((char *)st + specs->ctx_offset);
+
+	/*
+	 * Phases of XER/XML processing:
+	 * Phase 0: Check that the opening tag matches our expectations.
+	 * Phase 1: Processing body and reacting on closing tag.
+	 * Phase 2: Processing inner type.
+	 */
+	for(; ctx->phase <= 2;) {
+		pxer_chunk_type_e ch_type;	/* XER chunk type */
+		ssize_t ch_size;		/* Chunk size */
+		xer_check_tag_e tcv;		/* Tag check value */
+
+		/*
+		 * Go inside the inner member of a set.
+		 */
+		if(ctx->phase == 2) {
+			asn_dec_rval_t tmprval;
+
+			/* Invoke the inner type decoder, m.b. multiple times */
+			ASN_DEBUG("XER/SET OF element [%s]", elm_tag);
+			tmprval = element->type->xer_decoder(opt_codec_ctx,
+					element->type, &ctx->ptr, elm_tag,
+					buf_ptr, size);
+			if(tmprval.code == RC_OK) {
+				asn_anonymous_set_ *list = _A_SET_FROM_VOID(st);
+				if(ASN_SET_ADD(list, ctx->ptr) != 0)
+					RETURN(RC_FAIL);
+				ctx->ptr = 0;
+				XER_ADVANCE(tmprval.consumed);
+			} else {
+				XER_ADVANCE(tmprval.consumed);
+				RETURN(tmprval.code);
+			}
+			ctx->phase = 1;	/* Back to body processing */
+			ASN_DEBUG("XER/SET OF phase => %d", ctx->phase);
+			/* Fall through */
+		}
+
+		/*
+		 * Get the next part of the XML stream.
+		 */
+		ch_size = xer_next_token(&ctx->context,
+			buf_ptr, size, &ch_type);
+		if(ch_size == -1) {
+            RETURN(RC_FAIL);
+        } else {
+			switch(ch_type) {
+            case PXER_WMORE:
+                RETURN(RC_WMORE);
+			case PXER_COMMENT:	/* Got XML comment */
+			case PXER_TEXT:		/* Ignore free-standing text */
+				XER_ADVANCE(ch_size);	/* Skip silently */
+				continue;
+			case PXER_TAG:
+				break;	/* Check the rest down there */
+			}
+		}
+
+		tcv = xer_check_tag(buf_ptr, ch_size, xml_tag);
+		ASN_DEBUG("XER/SET OF: tcv = %d, ph=%d t=%s",
+			tcv, ctx->phase, xml_tag);
+		switch(tcv) {
+		case XCT_CLOSING:
+			if(ctx->phase == 0) break;
+			ctx->phase = 0;
+			/* Fall through */
+		case XCT_BOTH:
+			if(ctx->phase == 0) {
+				/* No more things to decode */
+				XER_ADVANCE(ch_size);
+				ctx->phase = 3;	/* Phase out */
+				RETURN(RC_OK);
+			}
+			/* Fall through */
+		case XCT_OPENING:
+			if(ctx->phase == 0) {
+				XER_ADVANCE(ch_size);
+				ctx->phase = 1;	/* Processing body phase */
+				continue;
+			}
+			/* Fall through */
+		case XCT_UNKNOWN_OP:
+		case XCT_UNKNOWN_BO:
+
+			ASN_DEBUG("XER/SET OF: tcv=%d, ph=%d", tcv, ctx->phase);
+			if(ctx->phase == 1) {
+				/*
+				 * Process a single possible member.
+				 */
+				ctx->phase = 2;
+				continue;
+			}
+			/* Fall through */
+		default:
+			break;
+		}
+
+		ASN_DEBUG("Unexpected XML tag in SET OF");
+		break;
+	}
+
+	ctx->phase = 3;	/* "Phase out" on hard failure */
+	RETURN(RC_FAIL);
+}
+
+
+
+typedef struct xer_tmp_enc_s {
+	void *buffer;
+	size_t offset;
+	size_t size;
+} xer_tmp_enc_t;
+static int
+SET_OF_encode_xer_callback(const void *buffer, size_t size, void *key) {
+	xer_tmp_enc_t *t = (xer_tmp_enc_t *)key;
+	if(t->offset + size >= t->size) {
+		size_t newsize = (t->size << 2) + size;
+		void *p = REALLOC(t->buffer, newsize);
+		if(!p) return -1;
+		t->buffer = p;
+		t->size = newsize;
+	}
+	memcpy((char *)t->buffer + t->offset, buffer, size);
+	t->offset += size;
+	return 0;
+}
+static int
+SET_OF_xer_order(const void *aptr, const void *bptr) {
+	const xer_tmp_enc_t *a = (const xer_tmp_enc_t *)aptr;
+	const xer_tmp_enc_t *b = (const xer_tmp_enc_t *)bptr;
+	size_t minlen = a->offset;
+	int ret;
+	if(b->offset < minlen) minlen = b->offset;
+	/* Well-formed UTF-8 has this nice lexicographical property... */
+	ret = memcmp(a->buffer, b->buffer, minlen);
+	if(ret != 0) return ret;
+	if(a->offset == b->offset)
+		return 0;
+	if(a->offset == minlen)
+		return -1;
+	return 1;
+}
+
+
+asn_enc_rval_t
+SET_OF_encode_xer(asn_TYPE_descriptor_t *td, void *sptr,
+	int ilevel, enum xer_encoder_flags_e flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er;
+	asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;
+	asn_anonymous_set_ *list = _A_SET_FROM_VOID(sptr);
+	const char *mname = specs->as_XMLValueList
+		? 0 : ((*elm->name) ? elm->name : elm->type->xml_tag);
+	size_t mlen = mname ? strlen(mname) : 0;
+	int xcan = (flags & XER_F_CANONICAL);
+	xer_tmp_enc_t *encs = 0;
+	size_t encs_count = 0;
+	void *original_app_key = app_key;
+	asn_app_consume_bytes_f *original_cb = cb;
+	int i;
+
+	if(!sptr) ASN__ENCODE_FAILED;
+
+	if(xcan) {
+		encs = (xer_tmp_enc_t *)MALLOC(list->count * sizeof(encs[0]));
+		if(!encs) ASN__ENCODE_FAILED;
+		cb = SET_OF_encode_xer_callback;
+	}
+
+	er.encoded = 0;
+
+	for(i = 0; i < list->count; i++) {
+		asn_enc_rval_t tmper;
+
+		void *memb_ptr = list->array[i];
+		if(!memb_ptr) continue;
+
+		if(encs) {
+			memset(&encs[encs_count], 0, sizeof(encs[0]));
+			app_key = &encs[encs_count];
+			encs_count++;
+		}
+
+		if(mname) {
+			if(!xcan) ASN__TEXT_INDENT(1, ilevel);
+			ASN__CALLBACK3("<", 1, mname, mlen, ">", 1);
+		}
+
+		if(!xcan && specs->as_XMLValueList == 1)
+			ASN__TEXT_INDENT(1, ilevel + 1);
+		tmper = elm->type->xer_encoder(elm->type, memb_ptr,
+				ilevel + (specs->as_XMLValueList != 2),
+				flags, cb, app_key);
+		if(tmper.encoded == -1) {
+			td = tmper.failed_type;
+			sptr = tmper.structure_ptr;
+			goto cb_failed;
+		}
+		if(tmper.encoded == 0 && specs->as_XMLValueList) {
+			const char *name = elm->type->xml_tag;
+			size_t len = strlen(name);
+			ASN__CALLBACK3("<", 1, name, len, "/>", 2);
+		}
+
+		if(mname) {
+			ASN__CALLBACK3("</", 2, mname, mlen, ">", 1);
+			er.encoded += 5;
+		}
+
+		er.encoded += (2 * mlen) + tmper.encoded;
+	}
+
+	if(!xcan) ASN__TEXT_INDENT(1, ilevel - 1);
+
+	if(encs) {
+		xer_tmp_enc_t *enc = encs;
+		xer_tmp_enc_t *end = encs + encs_count;
+		ssize_t control_size = 0;
+
+		cb = original_cb;
+		app_key = original_app_key;
+		qsort(encs, encs_count, sizeof(encs[0]), SET_OF_xer_order);
+
+		for(; enc < end; enc++) {
+			ASN__CALLBACK(enc->buffer, enc->offset);
+			FREEMEM(enc->buffer);
+			enc->buffer = 0;
+			control_size += enc->offset;
+		}
+		assert(control_size == er.encoded);
+	}
+
+	goto cleanup;
+cb_failed:
+	er.encoded = -1;
+	er.failed_type = td;
+	er.structure_ptr = sptr;
+cleanup:
+	if(encs) {
+		while(encs_count-- > 0) {
+			if(encs[encs_count].buffer)
+				FREEMEM(encs[encs_count].buffer);
+		}
+		FREEMEM(encs);
+	}
+	ASN__ENCODED_OK(er);
+}
+
+int
+SET_OF_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	const asn_anonymous_set_ *list = _A_CSET_FROM_VOID(sptr);
+	int ret;
+	int i;
+
+	if(!sptr) return (cb("<absent>", 8, app_key) < 0) ? -1 : 0;
+
+	/* Dump preamble */
+	if(cb(td->name, strlen(td->name), app_key) < 0
+	|| cb(" ::= {", 6, app_key) < 0)
+		return -1;
+
+	for(i = 0; i < list->count; i++) {
+		const void *memb_ptr = list->array[i];
+		if(!memb_ptr) continue;
+
+		_i_INDENT(1);
+
+		ret = elm->type->print_struct(elm->type, memb_ptr,
+			ilevel + 1, cb, app_key);
+		if(ret) return ret;
+	}
+
+	ilevel--;
+	_i_INDENT(1);
+
+	return (cb("}", 1, app_key) < 0) ? -1 : 0;
+}
+
+void
+SET_OF_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) {
+	if(td && ptr) {
+		asn_SET_OF_specifics_t *specs;
+		asn_TYPE_member_t *elm = td->elements;
+		asn_anonymous_set_ *list = _A_SET_FROM_VOID(ptr);
+		asn_struct_ctx_t *ctx;	/* Decoder context */
+		int i;
+
+		/*
+		 * Could not use set_of_empty() because of (*free)
+		 * incompatibility.
+		 */
+		for(i = 0; i < list->count; i++) {
+			void *memb_ptr = list->array[i];
+			if(memb_ptr)
+			ASN_STRUCT_FREE(*elm->type, memb_ptr);
+		}
+		list->count = 0;	/* No meaningful elements left */
+
+		asn_set_empty(list);	/* Remove (list->array) */
+
+		specs = (asn_SET_OF_specifics_t *)td->specifics;
+		ctx = (asn_struct_ctx_t *)((char *)ptr + specs->ctx_offset);
+		if(ctx->ptr) {
+			ASN_STRUCT_FREE(*elm->type, ctx->ptr);
+			ctx->ptr = 0;
+		}
+
+		if(!contents_only) {
+			FREEMEM(ptr);
+		}
+	}
+}
+
+int
+SET_OF_constraint(asn_TYPE_descriptor_t *td, const void *sptr,
+		asn_app_constraint_failed_f *ctfailcb, void *app_key) {
+	asn_TYPE_member_t *elm = td->elements;
+	asn_constr_check_f *constr;
+	const asn_anonymous_set_ *list = _A_CSET_FROM_VOID(sptr);
+	int i;
+
+	if(!sptr) {
+		ASN__CTFAIL(app_key, td, sptr,
+			"%s: value not given (%s:%d)",
+			td->name, __FILE__, __LINE__);
+		return -1;
+	}
+
+	constr = elm->memb_constraints;
+	if(!constr) constr = elm->type->check_constraints;
+
+	/*
+	 * Iterate over the members of an array.
+	 * Validate each in turn, until one fails.
+	 */
+	for(i = 0; i < list->count; i++) {
+		const void *memb_ptr = list->array[i];
+		int ret;
+
+		if(!memb_ptr) continue;
+
+		ret = constr(elm->type, memb_ptr, ctfailcb, app_key);
+		if(ret) return ret;
+	}
+
+	/*
+	 * Cannot inherit it earlier:
+	 * need to make sure we get the updated version.
+	 */
+	if(!elm->memb_constraints)
+		elm->memb_constraints = elm->type->check_constraints;
+
+	return 0;
+}
+
+asn_dec_rval_t
+SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+        asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	asn_dec_rval_t rv;
+        asn_SET_OF_specifics_t *specs = (asn_SET_OF_specifics_t *)td->specifics;
+	asn_TYPE_member_t *elm = td->elements;	/* Single one */
+	void *st = *sptr;
+	asn_anonymous_set_ *list;
+	asn_per_constraint_t *ct;
+	int repeat = 0;
+	ssize_t nelems;
+
+	if(ASN__STACK_OVERFLOW_CHECK(opt_codec_ctx))
+		ASN__DECODE_FAILED;
+
+	/*
+	 * Create the target structure if it is not present already.
+	 */
+	if(!st) {
+		st = *sptr = CALLOC(1, specs->struct_size);
+		if(!st) ASN__DECODE_FAILED;
+	}                                                                       
+	list = _A_SET_FROM_VOID(st);
+
+	/* Figure out which constraints to use */
+	if(constraints) ct = &constraints->size;
+	else if(td->per_constraints) ct = &td->per_constraints->size;
+	else ct = 0;
+
+	if(ct && ct->flags & APC_EXTENSIBLE) {
+		int value = per_get_few_bits(pd, 1);
+		if(value < 0) ASN__DECODE_STARVED;
+		if(value) ct = 0;	/* Not restricted! */
+	}
+
+	if(ct && ct->effective_bits >= 0) {
+		/* X.691, #19.5: No length determinant */
+		nelems = per_get_few_bits(pd, ct->effective_bits);
+		ASN_DEBUG("Preparing to fetch %ld+%ld elements from %s",
+			(long)nelems, ct->lower_bound, td->name);
+		if(nelems < 0)  ASN__DECODE_STARVED;
+		nelems += ct->lower_bound;
+	} else {
+		nelems = -1;
+	}
+
+	do {
+		int i;
+		if(nelems < 0) {
+			nelems = uper_get_length(pd,
+				ct ? ct->effective_bits : -1, &repeat);
+			ASN_DEBUG("Got to decode %d elements (eff %d)",
+				(int)nelems, (int)(ct ? ct->effective_bits : -1));
+			if(nelems < 0) ASN__DECODE_STARVED;
+		}
+
+		for(i = 0; i < nelems; i++) {
+			void *ptr = 0;
+			ASN_DEBUG("SET OF %s decoding", elm->type->name);
+			rv = elm->type->uper_decoder(opt_codec_ctx, elm->type,
+				elm->per_constraints, &ptr, pd);
+			ASN_DEBUG("%s SET OF %s decoded %d, %p",
+				td->name, elm->type->name, rv.code, ptr);
+			if(rv.code == RC_OK) {
+				if(ASN_SET_ADD(list, ptr) == 0)
+					continue;
+				ASN_DEBUG("Failed to add element into %s",
+					td->name);
+				/* Fall through */
+				rv.code = RC_FAIL;
+			} else {
+				ASN_DEBUG("Failed decoding %s of %s (SET OF)",
+					elm->type->name, td->name);
+			}
+			if(ptr) ASN_STRUCT_FREE(*elm->type, ptr);
+			return rv;
+		}
+
+		nelems = -1;	/* Allow uper_get_length() */
+	} while(repeat);
+
+	ASN_DEBUG("Decoded %s as SET OF", td->name);
+
+	rv.code = RC_OK;
+	rv.consumed = 0;
+	return rv;
+}
+
--- a/asn1/asn1c/constr_SET_OF.h
+++ b/asn1/asn1c/constr_SET_OF.h
@ -0,0 +1,42 @@
+/*-
+ * Copyright (c) 2003 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_CONSTR_SET_OF_H_
+#define	_CONSTR_SET_OF_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef const struct asn_SET_OF_specifics_s {
+	/*
+	 * Target structure description.
+	 */
+	int struct_size;	/* Size of the target structure. */
+	int ctx_offset;		/* Offset of the asn_struct_ctx_t member */
+
+	/* XER-specific stuff */
+	int as_XMLValueList;	/* The member type must be encoded like this */
+} asn_SET_OF_specifics_t;
+
+/*
+ * A set specialized functions dealing with the SET OF type.
+ */
+asn_struct_free_f SET_OF_free;
+asn_struct_print_f SET_OF_print;
+asn_constr_check_f SET_OF_constraint;
+ber_type_decoder_f SET_OF_decode_ber;
+der_type_encoder_f SET_OF_encode_der;
+xer_type_decoder_f SET_OF_decode_xer;
+xer_type_encoder_f SET_OF_encode_xer;
+per_type_decoder_f SET_OF_decode_uper;
+per_type_encoder_f SET_OF_encode_uper;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_SET_OF_H_ */
--- a/asn1/asn1c/constr_TYPE.c
+++ b/asn1/asn1c/constr_TYPE.c
@ -0,0 +1,77 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <constr_TYPE.h>
+#include <errno.h>
+
+/*
+ * Version of the ASN.1 infrastructure shipped with compiler.
+ */
+int get_asn1c_environment_version() { return ASN1C_ENVIRONMENT_VERSION; }
+
+static asn_app_consume_bytes_f _print2fp;
+
+/*
+ * Return the outmost tag of the type.
+ */
+ber_tlv_tag_t
+asn_TYPE_outmost_tag(const asn_TYPE_descriptor_t *type_descriptor,
+		const void *struct_ptr, int tag_mode, ber_tlv_tag_t tag) {
+
+	if(tag_mode)
+		return tag;
+
+	if(type_descriptor->tags_count)
+		return type_descriptor->tags[0];
+
+	return type_descriptor->outmost_tag(type_descriptor, struct_ptr, 0, 0);
+}
+
+/*
+ * Print the target language's structure in human readable form.
+ */
+int
+asn_fprint(FILE *stream, asn_TYPE_descriptor_t *td, const void *struct_ptr) {
+	if(!stream) stream = stdout;
+	if(!td || !struct_ptr) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	/* Invoke type-specific printer */
+	if(td->print_struct(td, struct_ptr, 1, _print2fp, stream))
+		return -1;
+
+	/* Terminate the output */
+	if(_print2fp("\n", 1, stream))
+		return -1;
+
+	return fflush(stream);
+}
+
+/* Dump the data into the specified stdio stream */
+static int
+_print2fp(const void *buffer, size_t size, void *app_key) {
+	FILE *stream = (FILE *)app_key;
+
+	if(fwrite(buffer, 1, size, stream) != size)
+		return -1;
+
+	return 0;
+}
+
+
+/*
+ * Some compilers do not support variable args macros.
+ * This function is a replacement of ASN_DEBUG() macro.
+ */
+void ASN_DEBUG_f(const char *fmt, ...);
+void ASN_DEBUG_f(const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	fprintf(stderr, "\n");
+	va_end(ap);
+}
--- a/asn1/asn1c/constr_TYPE.h
+++ b/asn1/asn1c/constr_TYPE.h
@ -0,0 +1,180 @@
+/*-
+ * Copyright (c) 2003, 2004, 2005, 2006 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+/*
+ * This file contains the declaration structure called "ASN.1 Type Definition",
+ * which holds all information necessary for encoding and decoding routines.
+ * This structure even contains pointer to these encoding and decoding routines
+ * for each defined ASN.1 type.
+ */
+#ifndef	_CONSTR_TYPE_H_
+#define	_CONSTR_TYPE_H_
+
+#include <ber_tlv_length.h>
+#include <ber_tlv_tag.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+struct asn_TYPE_member_s;	/* Forward declaration */
+
+/*
+ * This type provides the context information for various ASN.1 routines,
+ * primarily ones doing decoding. A member _asn_ctx of this type must be
+ * included into certain target language's structures, such as compound types.
+ */
+typedef struct asn_struct_ctx_s {
+	short phase;		/* Decoding phase */
+	short step;		/* Elementary step of a phase */
+	int context;		/* Other context information */
+	void *ptr;		/* Decoder-specific stuff (stack elements) */
+	ber_tlv_len_t left;	/* Number of bytes left, -1 for indefinite */
+} asn_struct_ctx_t;
+
+#include <ber_decoder.h>	/* Basic Encoding Rules decoder */
+#include <der_encoder.h>	/* Distinguished Encoding Rules encoder */
+#include <xer_decoder.h>	/* Decoder of XER (XML, text) */
+#include <xer_encoder.h>	/* Encoder into XER (XML, text) */
+#include <per_decoder.h>	/* Packet Encoding Rules decoder */
+#include <per_encoder.h>	/* Packet Encoding Rules encoder */
+#include <constraints.h>	/* Subtype constraints support */
+
+/*
+ * Free the structure according to its specification.
+ * If (free_contents_only) is set, the wrapper structure itself (struct_ptr)
+ * will not be freed. (It may be useful in case the structure is allocated
+ * statically or arranged on the stack, yet its elements are allocated
+ * dynamically.)
+ */
+typedef void (asn_struct_free_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr, int free_contents_only);
+#define	ASN_STRUCT_FREE(asn_DEF, ptr)	(asn_DEF).free_struct(&(asn_DEF),ptr,0)
+#define	ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF, ptr)	\
+					(asn_DEF).free_struct(&(asn_DEF),ptr,1)
+
+/*
+ * Print the structure according to its specification.
+ */
+typedef int (asn_struct_print_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		const void *struct_ptr,
+		int level,	/* Indentation level */
+		asn_app_consume_bytes_f *callback, void *app_key);
+
+/*
+ * Return the outmost tag of the type.
+ * If the type is untagged CHOICE, the dynamic operation is performed.
+ * NOTE: This function pointer type is only useful internally.
+ * Do not use it in your application.
+ */
+typedef ber_tlv_tag_t (asn_outmost_tag_f)(
+		const struct asn_TYPE_descriptor_s *type_descriptor,
+		const void *struct_ptr, int tag_mode, ber_tlv_tag_t tag);
+/* The instance of the above function type; used internally. */
+asn_outmost_tag_f asn_TYPE_outmost_tag;
+
+
+/*
+ * The definitive description of the destination language's structure.
+ */
+typedef struct asn_TYPE_descriptor_s {
+	const char *name;	/* A name of the ASN.1 type. "" in some cases. */
+	const char *xml_tag;	/* Name used in XML tag */
+
+	/*
+	 * Generalized functions for dealing with the specific type.
+	 * May be directly invoked by applications.
+	 */
+	asn_struct_free_f  *free_struct;	/* Free the structure */
+	asn_struct_print_f *print_struct;	/* Human readable output */
+	asn_constr_check_f *check_constraints;	/* Constraints validator */
+	ber_type_decoder_f *ber_decoder;	/* Generic BER decoder */
+	der_type_encoder_f *der_encoder;	/* Canonical DER encoder */
+	xer_type_decoder_f *xer_decoder;	/* Generic XER decoder */
+	xer_type_encoder_f *xer_encoder;	/* [Canonical] XER encoder */
+	per_type_decoder_f *uper_decoder;	/* Unaligned PER decoder */
+	per_type_encoder_f *uper_encoder;	/* Unaligned PER encoder */
+
+	/***********************************************************************
+	 * Internally useful members. Not to be used by applications directly. *
+	 **********************************************************************/
+
+	/*
+	 * Tags that are expected to occur.
+	 */
+	asn_outmost_tag_f  *outmost_tag;	/* <optional, internal> */
+	const ber_tlv_tag_t *tags;	/* Effective tags sequence for this type */
+	int tags_count;			/* Number of tags which are expected */
+	const ber_tlv_tag_t *all_tags;	/* Every tag for BER/containment */
+	int all_tags_count;		/* Number of tags */
+
+	asn_per_constraints_t *per_constraints;	/* PER compiled constraints */
+
+	/*
+	 * An ASN.1 production type members (members of SEQUENCE, SET, CHOICE).
+	 */
+	struct asn_TYPE_member_s *elements;
+	int elements_count;
+
+	/*
+	 * Additional information describing the type, used by appropriate
+	 * functions above.
+	 */
+	const void *specifics;
+} asn_TYPE_descriptor_t;
+
+/*
+ * This type describes an element of the constructed type,
+ * i.e. SEQUENCE, SET, CHOICE, etc.
+ */
+  enum asn_TYPE_flags_e {
+	ATF_NOFLAGS,
+	ATF_POINTER	= 0x01,	/* Represented by the pointer */
+	ATF_OPEN_TYPE	= 0x02	/* ANY type, without meaningful tag */
+  };
+typedef struct asn_TYPE_member_s {
+	enum asn_TYPE_flags_e flags;	/* Element's presentation flags */
+	int optional;	/* Following optional members, including current */
+	int memb_offset;		/* Offset of the element */
+	ber_tlv_tag_t tag;		/* Outmost (most immediate) tag */
+	int tag_mode;		/* IMPLICIT/no/EXPLICIT tag at current level */
+	asn_TYPE_descriptor_t *type;	/* Member type descriptor */
+	asn_constr_check_f *memb_constraints;	/* Constraints validator */
+	asn_per_constraints_t *per_constraints;	/* PER compiled constraints */
+	int (*default_value)(int setval, void **sptr);	/* DEFAULT <value> */
+	const char *name;			/* ASN.1 identifier of the element */
+} asn_TYPE_member_t;
+
+/*
+ * BER tag to element number mapping.
+ */
+typedef struct asn_TYPE_tag2member_s {
+	ber_tlv_tag_t el_tag;	/* Outmost tag of the member */
+	int el_no;		/* Index of the associated member, base 0 */
+	int toff_first;		/* First occurence of the el_tag, relative */
+	int toff_last;		/* Last occurence of the el_tag, relatvie */
+} asn_TYPE_tag2member_t;
+
+/*
+ * This function is a wrapper around (td)->print_struct, which prints out
+ * the contents of the target language's structure (struct_ptr) into the
+ * file pointer (stream) in human readable form.
+ * RETURN VALUES:
+ * 	 0: The structure is printed.
+ * 	-1: Problem dumping the structure.
+ * (See also xer_fprint() in xer_encoder.h)
+ */
+int asn_fprint(FILE *stream,		/* Destination stream descriptor */
+	asn_TYPE_descriptor_t *td,	/* ASN.1 type descriptor */
+	const void *struct_ptr);	/* Structure to be printed */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _CONSTR_TYPE_H_ */
--- a/asn1/asn1c/constraints.c
+++ b/asn1/asn1c/constraints.c
@ -0,0 +1,93 @@
+#include "asn_internal.h"
+#include "constraints.h"
+
+int
+asn_generic_no_constraint(asn_TYPE_descriptor_t *type_descriptor,
+	const void *struct_ptr, asn_app_constraint_failed_f *cb, void *key) {
+
+	(void)type_descriptor;	/* Unused argument */
+	(void)struct_ptr;	/* Unused argument */
+	(void)cb;	/* Unused argument */
+	(void)key;	/* Unused argument */
+
+	/* Nothing to check */
+	return 0;
+}
+
+int
+asn_generic_unknown_constraint(asn_TYPE_descriptor_t *type_descriptor,
+	const void *struct_ptr, asn_app_constraint_failed_f *cb, void *key) {
+
+	(void)type_descriptor;	/* Unused argument */
+	(void)struct_ptr;	/* Unused argument */
+	(void)cb;	/* Unused argument */
+	(void)key;	/* Unused argument */
+
+	/* Unknown how to check */
+	return 0;
+}
+
+struct errbufDesc {
+	asn_TYPE_descriptor_t *failed_type;
+	const void *failed_struct_ptr;
+	char *errbuf;
+	size_t errlen;
+};
+
+static void
+_asn_i_ctfailcb(void *key, asn_TYPE_descriptor_t *td, const void *sptr, const char *fmt, ...) {
+	struct errbufDesc *arg = key;
+	va_list ap;
+	ssize_t vlen;
+	ssize_t maxlen;
+
+	arg->failed_type = td;
+	arg->failed_struct_ptr = sptr;
+
+	maxlen = arg->errlen;
+	if(maxlen <= 0)
+		return;
+
+	va_start(ap, fmt);
+	vlen = vsnprintf(arg->errbuf, maxlen, fmt, ap);
+	va_end(ap);
+	if(vlen >= maxlen) {
+		arg->errbuf[maxlen-1] = '\0';	/* Ensuring libc correctness */
+		arg->errlen = maxlen - 1;	/* Not counting termination */
+		return;
+	} else if(vlen >= 0) {
+		arg->errbuf[vlen] = '\0';	/* Ensuring libc correctness */
+		arg->errlen = vlen;		/* Not counting termination */
+	} else {
+		/*
+		 * The libc on this system is broken.
+		 */
+		vlen = sizeof("<broken vsnprintf>") - 1;
+		maxlen--;
+		arg->errlen = vlen < maxlen ? vlen : maxlen;
+		memcpy(arg->errbuf, "<broken vsnprintf>", arg->errlen);
+		arg->errbuf[arg->errlen] = 0;
+	}
+
+	return;
+}
+
+int
+asn_check_constraints(asn_TYPE_descriptor_t *type_descriptor,
+		const void *struct_ptr, char *errbuf, size_t *errlen) {
+	struct errbufDesc arg;
+	int ret;
+
+	arg.failed_type = 0;
+	arg.failed_struct_ptr = 0;
+	arg.errbuf = errbuf;
+	arg.errlen = errlen ? *errlen : 0;
+
+	ret = type_descriptor->check_constraints(type_descriptor,
+		struct_ptr, _asn_i_ctfailcb, &arg);
+	if(ret == -1 && errlen)
+		*errlen = arg.errlen;
+
+	return ret;
+}
+
--- a/asn1/asn1c/constraints.h
+++ b/asn1/asn1c/constraints.h
@ -0,0 +1,63 @@
+/*-
+ * Copyright (c) 2004, 2006 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	ASN1_CONSTRAINTS_VALIDATOR_H
+#define	ASN1_CONSTRAINTS_VALIDATOR_H
+
+#include <asn_system.h>		/* Platform-dependent types */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;		/* Forward declaration */
+
+/*
+ * Validate the structure according to the ASN.1 constraints.
+ * If errbuf and errlen are given, they shall be pointing to the appropriate
+ * buffer space and its length before calling this function. Alternatively,
+ * they could be passed as NULL's. If constraints validation fails,
+ * errlen will contain the actual number of bytes taken from the errbuf
+ * to encode an error message (properly 0-terminated).
+ * 
+ * RETURN VALUES:
+ * This function returns 0 in case all ASN.1 constraints are met
+ * and -1 if one or more constraints were failed.
+ */
+int
+asn_check_constraints(struct asn_TYPE_descriptor_s *type_descriptor,
+	const void *struct_ptr,	/* Target language's structure */
+	char *errbuf,		/* Returned error description */
+	size_t *errlen		/* Length of the error description */
+	);
+
+
+/*
+ * Generic type for constraint checking callback,
+ * associated with every type descriptor.
+ */
+typedef int (asn_constr_check_f)(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	const void *struct_ptr,
+	asn_app_constraint_failed_f *optional_callback,	/* Log the error */
+	void *optional_app_key		/* Opaque key passed to a callback */
+	);
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+asn_constr_check_f asn_generic_no_constraint;	/* No constraint whatsoever */
+asn_constr_check_f asn_generic_unknown_constraint; /* Not fully supported */
+
+/*
+ * Invoke the callback with a complete error message.
+ */
+#define	ASN__CTFAIL	if(ctfailcb) ctfailcb
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* ASN1_CONSTRAINTS_VALIDATOR_H */
--- a/asn1/asn1c/der_encoder.c
+++ b/asn1/asn1c/der_encoder.c
@ -0,0 +1,201 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <errno.h>
+
+static ssize_t der_write_TL(ber_tlv_tag_t tag, ber_tlv_len_t len,
+	asn_app_consume_bytes_f *cb, void *app_key, int constructed);
+
+/*
+ * The DER encoder of any type.
+ */
+asn_enc_rval_t
+der_encode(asn_TYPE_descriptor_t *type_descriptor, void *struct_ptr,
+	asn_app_consume_bytes_f *consume_bytes, void *app_key) {
+
+	ASN_DEBUG("DER encoder invoked for %s",
+		type_descriptor->name);
+
+	/*
+	 * Invoke type-specific encoder.
+	 */
+	return type_descriptor->der_encoder(type_descriptor,
+		struct_ptr,	/* Pointer to the destination structure */
+		0, 0,
+		consume_bytes, app_key);
+}
+
+/*
+ * Argument type and callback necessary for der_encode_to_buffer().
+ */
+typedef struct enc_to_buf_arg {
+	void *buffer;
+	size_t left;
+} enc_to_buf_arg;
+static int encode_to_buffer_cb(const void *buffer, size_t size, void *key) {
+	enc_to_buf_arg *arg = (enc_to_buf_arg *)key;
+
+	if(arg->left < size)
+		return -1;	/* Data exceeds the available buffer size */
+
+	memcpy(arg->buffer, buffer, size);
+	arg->buffer = ((char *)arg->buffer) + size;
+	arg->left -= size;
+
+	return 0;
+}
+
+/*
+ * A variant of the der_encode() which encodes the data into the provided buffer
+ */
+asn_enc_rval_t
+der_encode_to_buffer(asn_TYPE_descriptor_t *type_descriptor, void *struct_ptr,
+	void *buffer, size_t buffer_size) {
+	enc_to_buf_arg arg;
+	asn_enc_rval_t ec;
+
+	arg.buffer = buffer;
+	arg.left = buffer_size;
+
+	ec = type_descriptor->der_encoder(type_descriptor,
+		struct_ptr,	/* Pointer to the destination structure */
+		0, 0, encode_to_buffer_cb, &arg);
+	if(ec.encoded != -1) {
+		assert(ec.encoded == (ssize_t)(buffer_size - arg.left));
+		/* Return the encoded contents size */
+	}
+	return ec;
+}
+
+
+/*
+ * Write out leading TL[v] sequence according to the type definition.
+ */
+ssize_t
+der_write_tags(asn_TYPE_descriptor_t *sd,
+		size_t struct_length,
+		int tag_mode, int last_tag_form,
+		ber_tlv_tag_t tag,	/* EXPLICIT or IMPLICIT tag */
+		asn_app_consume_bytes_f *cb,
+		void *app_key) {
+	const ber_tlv_tag_t *tags;	/* Copy of tags stream */
+	int tags_count;			/* Number of tags */
+	size_t overall_length;
+	ssize_t *lens;
+	int i;
+
+	ASN_DEBUG("Writing tags (%s, tm=%d, tc=%d, tag=%s, mtc=%d)",
+		sd->name, tag_mode, sd->tags_count,
+		ber_tlv_tag_string(tag),
+		tag_mode
+			?(sd->tags_count+1
+				-((tag_mode == -1) && sd->tags_count))
+			:sd->tags_count
+	);
+
+	if(tag_mode) {
+		/*
+		 * Instead of doing shaman dance like we do in ber_check_tags(),
+		 * allocate a small array on the stack
+		 * and initialize it appropriately.
+		 */
+		int stag_offset;
+		ber_tlv_tag_t *tags_buf;
+		tags_buf = (ber_tlv_tag_t *)alloca((sd->tags_count + 1) * sizeof(ber_tlv_tag_t));
+		if(!tags_buf) {	/* Can fail on !x86 */
+			errno = ENOMEM;
+			return -1;
+		}
+		tags_count = sd->tags_count
+			+ 1	/* EXPLICIT or IMPLICIT tag is given */
+			- ((tag_mode == -1) && sd->tags_count);
+		/* Copy tags over */
+		tags_buf[0] = tag;
+		stag_offset = -1 + ((tag_mode == -1) && sd->tags_count);
+		for(i = 1; i < tags_count; i++)
+			tags_buf[i] = sd->tags[i + stag_offset];
+		tags = tags_buf;
+	} else {
+		tags = sd->tags;
+		tags_count = sd->tags_count;
+	}
+
+	/* No tags to write */
+	if(tags_count == 0)
+		return 0;
+
+	lens = (ssize_t *)alloca(tags_count * sizeof(lens[0]));
+	if(!lens) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/*
+	 * Array of tags is initialized.
+	 * Now, compute the size of the TLV pairs, from right to left.
+	 */
+	overall_length = struct_length;
+	for(i = tags_count - 1; i >= 0; --i) {
+		lens[i] = der_write_TL(tags[i], overall_length, 0, 0, 0);
+		if(lens[i] == -1) return -1;
+		overall_length += lens[i];
+		lens[i] = overall_length - lens[i];
+	}
+
+	if(!cb) return overall_length - struct_length;
+
+	ASN_DEBUG("%s %s TL sequence (%d elements)",
+		cb?"Encoding":"Estimating", sd->name, tags_count);
+
+	/*
+	 * Encode the TL sequence for real.
+	 */
+	for(i = 0; i < tags_count; i++) {
+		ssize_t len;
+		int _constr;
+
+		/* Check if this tag happens to be constructed */
+		_constr = (last_tag_form || i < (tags_count - 1));
+
+		len = der_write_TL(tags[i], lens[i], cb, app_key, _constr);
+		if(len == -1) return -1;
+	}
+
+	return overall_length - struct_length;
+}
+
+static ssize_t
+der_write_TL(ber_tlv_tag_t tag, ber_tlv_len_t len,
+		asn_app_consume_bytes_f *cb, void *app_key,
+		int constructed) {
+	uint8_t buf[32];
+	size_t size = 0;
+	int buf_size = cb?sizeof(buf):0;
+	ssize_t tmp;
+
+	/* Serialize tag (T from TLV) into possibly zero-length buffer */
+	tmp = ber_tlv_tag_serialize(tag, buf, buf_size);
+	if(tmp == -1 || tmp > (ssize_t)sizeof(buf)) return -1;
+	size += tmp;
+
+	/* Serialize length (L from TLV) into possibly zero-length buffer */
+	tmp = der_tlv_length_serialize(len, buf+size, buf_size?buf_size-size:0);
+	if(tmp == -1) return -1;
+	size += tmp;
+
+	if(size > sizeof(buf))
+		return -1;
+
+	/*
+	 * If callback is specified, invoke it, and check its return value.
+	 */
+	if(cb) {
+		if(constructed) *buf |= 0x20;
+		if(cb(buf, size, app_key) < 0)
+			return -1;
+	}
+
+	return size;
+}
--- a/asn1/asn1c/der_encoder.h
+++ b/asn1/asn1c/der_encoder.h
@ -0,0 +1,68 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_DER_ENCODER_H_
+#define	_DER_ENCODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * The DER encoder of any type. May be invoked by the application.
+ * The ber_decode() function (ber_decoder.h) is an opposite of der_encode().
+ */
+asn_enc_rval_t der_encode(struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		asn_app_consume_bytes_f *consume_bytes_cb,
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+/* A variant of der_encode() which encodes data into the pre-allocated buffer */
+asn_enc_rval_t der_encode_to_buffer(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		void *buffer,		/* Pre-allocated buffer */
+		size_t buffer_size	/* Initial buffer size (maximum) */
+	);
+
+/*
+ * Type of the generic DER encoder.
+ */
+typedef asn_enc_rval_t (der_type_encoder_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		int tag_mode,		/* {-1,0,1}: IMPLICIT, no, EXPLICIT */
+		ber_tlv_tag_t tag,
+		asn_app_consume_bytes_f *consume_bytes_cb,	/* Callback */
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+/*
+ * Write out leading TL[v] sequence according to the type definition.
+ */
+ssize_t der_write_tags(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		size_t struct_length,
+		int tag_mode,		/* {-1,0,1}: IMPLICIT, no, EXPLICIT */
+		int last_tag_form,	/* {0,!0}: prim, constructed */
+		ber_tlv_tag_t tag,
+		asn_app_consume_bytes_f *consume_bytes_cb,
+		void *app_key
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _DER_ENCODER_H_ */
--- a/asn1/asn1c/ipa.asn1
+++ b/asn1/asn1c/ipa.asn1
@ -0,0 +1,37 @@
+KeytabModule DEFINITIONS ::= BEGIN
+
+    Int32 ::= INTEGER (-2147483648..2147483647)
+    -- signed values representable in 32 bits (from RFC4120)
+
+    GetKeytabControl ::= CHOICE {
+        newkeys     [0] GKNewKeys,
+        curkeys     [1] GKCurrentKeys,
+        reply       [2] GKReply
+    }
+
+    GKNewKeys ::= SEQUENCE {
+        serviceIdentity [0] OCTET STRING,
+        enctypes        [1] SEQUENCE OF Int32,
+        password        [2] OCTET STRING OPTIONAL
+    }
+
+    GKCurrentKeys ::= SEQUENCE {
+        serviceIdentity [0] OCTET STRING
+    }
+
+    GKReply ::= SEQUENCE {
+        newkvno     Int32,
+        keys        SEQUENCE OF KrbKey
+    }
+
+    KrbKey ::= SEQUENCE {
+        key         [0] TypeValuePair,
+        salt        [1] TypeValuePair OPTIONAL,
+        s2kparams   [2] OCTET STRING OPTIONAL
+    }
+
+    TypeValuePair ::= SEQUENCE {
+        type    [0] Int32,
+        value   [1] OCTET STRING
+    }
+END
--- a/asn1/asn1c/per_decoder.c
+++ b/asn1/asn1c/per_decoder.c
@ -0,0 +1,93 @@
+#include <asn_application.h>
+#include <asn_internal.h>
+#include <per_decoder.h>
+
+/*
+ * Decode a "Production of a complete encoding", X.691#10.1.
+ * The complete encoding contains at least one byte, and is an integral
+ * multiple of 8 bytes.
+ */
+asn_dec_rval_t
+uper_decode_complete(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sptr, const void *buffer, size_t size) {
+	asn_dec_rval_t rval;
+
+	rval = uper_decode(opt_codec_ctx, td, sptr, buffer, size, 0, 0);
+	if(rval.consumed) {
+		/*
+		 * We've always given 8-aligned data,
+		 * so convert bits to integral bytes.
+		 */
+		rval.consumed += 7;
+		rval.consumed >>= 3;
+	} else if(rval.code == RC_OK) {
+		if(size) {
+			if(((const uint8_t *)buffer)[0] == 0) {
+				rval.consumed = 1;	/* 1 byte */
+			} else {
+				ASN_DEBUG("Expecting single zeroed byte");
+				rval.code = RC_FAIL;
+			}
+		} else {
+			/* Must contain at least 8 bits. */
+			rval.code = RC_WMORE;
+		}
+	}
+
+	return rval;
+}
+
+asn_dec_rval_t
+uper_decode(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, void **sptr, const void *buffer, size_t size, int skip_bits, int unused_bits) {
+	asn_codec_ctx_t s_codec_ctx;
+	asn_dec_rval_t rval;
+	asn_per_data_t pd;
+
+	if(skip_bits < 0 || skip_bits > 7
+	|| unused_bits < 0 || unused_bits > 7
+	|| (unused_bits > 0 && !size))
+		ASN__DECODE_FAILED;
+
+	/*
+	 * Stack checker requires that the codec context
+	 * must be allocated on the stack.
+	 */
+	if(opt_codec_ctx) {
+		if(opt_codec_ctx->max_stack_size) {
+			s_codec_ctx = *opt_codec_ctx;
+			opt_codec_ctx = &s_codec_ctx;
+		}
+	} else {
+		/* If context is not given, be security-conscious anyway */
+		memset(&s_codec_ctx, 0, sizeof(s_codec_ctx));
+		s_codec_ctx.max_stack_size = ASN__DEFAULT_STACK_MAX;
+		opt_codec_ctx = &s_codec_ctx;
+	}
+
+	/* Fill in the position indicator */
+	memset(&pd, 0, sizeof(pd));
+	pd.buffer = (const uint8_t *)buffer;
+	pd.nboff = skip_bits;
+	pd.nbits = 8 * size - unused_bits; /* 8 is CHAR_BIT from <limits.h> */
+	if(pd.nboff > pd.nbits)
+		ASN__DECODE_FAILED;
+
+	/*
+	 * Invoke type-specific decoder.
+	 */
+	if(!td->uper_decoder)
+		ASN__DECODE_FAILED;	/* PER is not compiled in */
+	rval = td->uper_decoder(opt_codec_ctx, td, 0, sptr, &pd);
+	if(rval.code == RC_OK) {
+		/* Return the number of consumed bits */
+		rval.consumed = ((pd.buffer - (const uint8_t *)buffer) << 3)
+					+ pd.nboff - skip_bits;
+		ASN_DEBUG("PER decoding consumed %ld, counted %ld",
+			(long)rval.consumed, (long)pd.moved);
+		assert(rval.consumed == pd.moved);
+	} else {
+		/* PER codec is not a restartable */
+		rval.consumed = 0;
+	}
+	return rval;
+}
+
--- a/asn1/asn1c/per_decoder.h
+++ b/asn1/asn1c/per_decoder.h
@ -0,0 +1,56 @@
+/*-
+ * Copyright (c) 2005, 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_DECODER_H_
+#define	_PER_DECODER_H_
+
+#include <asn_application.h>
+#include <per_support.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * Unaligned PER decoder of a "complete encoding" as per X.691#10.1.
+ * On success, this call always returns (.consumed >= 1), as per X.691#10.1.3.
+ */
+asn_dec_rval_t uper_decode_complete(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,	/* Type to decode */
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size		/* Size of data buffer */
+	);
+
+/*
+ * Unaligned PER decoder of any ASN.1 type. May be invoked by the application.
+ * WARNING: This call returns the number of BITS read from the stream. Beware.
+ */
+asn_dec_rval_t uper_decode(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,	/* Type to decode */
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size,		/* Size of data buffer */
+	int skip_bits,		/* Number of unused leading bits, 0..7 */
+	int unused_bits		/* Number of unused tailing bits, 0..7 */
+	);
+
+
+/*
+ * Type of the type-specific PER decoder function.
+ */
+typedef asn_dec_rval_t (per_type_decoder_f)(asn_codec_ctx_t *opt_codec_ctx,
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		asn_per_constraints_t *constraints,
+		void **struct_ptr,
+		asn_per_data_t *per_data
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_DECODER_H_ */
--- a/asn1/asn1c/per_encoder.c
+++ b/asn1/asn1c/per_encoder.c
@ -0,0 +1,151 @@
+#include <asn_application.h>
+#include <asn_internal.h>
+#include <per_encoder.h>
+
+static asn_enc_rval_t uper_encode_internal(asn_TYPE_descriptor_t *td, asn_per_constraints_t *, void *sptr, asn_app_consume_bytes_f *cb, void *app_key);
+
+asn_enc_rval_t
+uper_encode(asn_TYPE_descriptor_t *td, void *sptr, asn_app_consume_bytes_f *cb, void *app_key) {
+	return uper_encode_internal(td, 0, sptr, cb, app_key);
+}
+
+/*
+ * Argument type and callback necessary for uper_encode_to_buffer().
+ */
+typedef struct enc_to_buf_arg {
+	void *buffer;
+	size_t left;
+} enc_to_buf_arg;
+static int encode_to_buffer_cb(const void *buffer, size_t size, void *key) {
+	enc_to_buf_arg *arg = (enc_to_buf_arg *)key;
+
+	if(arg->left < size)
+		return -1;	/* Data exceeds the available buffer size */
+
+	memcpy(arg->buffer, buffer, size);
+	arg->buffer = ((char *)arg->buffer) + size;
+	arg->left -= size;
+
+	return 0;
+}
+
+asn_enc_rval_t
+uper_encode_to_buffer(asn_TYPE_descriptor_t *td, void *sptr, void *buffer, size_t buffer_size) {
+	enc_to_buf_arg key;
+
+	key.buffer = buffer;
+	key.left = buffer_size;
+
+	if(td) ASN_DEBUG("Encoding \"%s\" using UNALIGNED PER", td->name);
+
+	return uper_encode_internal(td, 0, sptr, encode_to_buffer_cb, &key);
+}
+
+typedef struct enc_dyn_arg {
+	void *buffer;
+	size_t length;
+	size_t allocated;
+} enc_dyn_arg;
+static int
+encode_dyn_cb(const void *buffer, size_t size, void *key) {
+	enc_dyn_arg *arg = key;
+	if(arg->length + size >= arg->allocated) {
+		void *p;
+		arg->allocated = arg->allocated ? (arg->allocated << 2) : size;
+		p = REALLOC(arg->buffer, arg->allocated);
+		if(!p) {
+			FREEMEM(arg->buffer);
+			memset(arg, 0, sizeof(*arg));
+			return -1;
+		}
+		arg->buffer = p;
+	}
+	memcpy(((char *)arg->buffer) + arg->length, buffer, size);
+	arg->length += size;
+	return 0;
+}
+ssize_t
+uper_encode_to_new_buffer(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, void **buffer_r) {
+	asn_enc_rval_t er;
+	enc_dyn_arg key;
+
+	memset(&key, 0, sizeof(key));
+
+	er = uper_encode_internal(td, constraints, sptr, encode_dyn_cb, &key);
+	switch(er.encoded) {
+	case -1:
+		FREEMEM(key.buffer);
+		return -1;
+	case 0:
+		FREEMEM(key.buffer);
+		key.buffer = MALLOC(1);
+		if(key.buffer) {
+			*(char *)key.buffer = '\0';
+			*buffer_r = key.buffer;
+			return 1;
+		} else {
+			return -1;
+		}
+	default:
+		*buffer_r = key.buffer;
+		ASN_DEBUG("Complete encoded in %ld bits", (long)er.encoded);
+		return ((er.encoded + 7) >> 3);
+	}
+}
+
+/*
+ * Internally useful functions.
+ */
+
+/* Flush partially filled buffer */
+static int
+_uper_encode_flush_outp(asn_per_outp_t *po) {
+	uint8_t *buf;
+
+	if(po->nboff == 0 && po->buffer == po->tmpspace)
+		return 0;
+
+	buf = po->buffer + (po->nboff >> 3);
+	/* Make sure we account for the last, partially filled */
+	if(po->nboff & 0x07) {
+		buf[0] &= 0xff << (8 - (po->nboff & 0x07));
+		buf++;
+	}
+
+	return po->outper(po->tmpspace, buf - po->tmpspace, po->op_key);
+}
+
+static asn_enc_rval_t
+uper_encode_internal(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_per_outp_t po;
+	asn_enc_rval_t er;
+
+	/*
+	 * Invoke type-specific encoder.
+	 */
+	if(!td || !td->uper_encoder)
+		ASN__ENCODE_FAILED;	/* PER is not compiled in */
+
+	po.buffer = po.tmpspace;
+	po.nboff = 0;
+	po.nbits = 8 * sizeof(po.tmpspace);
+	po.outper = cb;
+	po.op_key = app_key;
+	po.flushed_bytes = 0;
+
+	er = td->uper_encoder(td, constraints, sptr, &po);
+	if(er.encoded != -1) {
+		size_t bits_to_flush;
+
+		bits_to_flush = ((po.buffer - po.tmpspace) << 3) + po.nboff;
+
+		/* Set number of bits encoded to a firm value */
+		er.encoded = (po.flushed_bytes << 3) + bits_to_flush;
+
+		if(_uper_encode_flush_outp(&po))
+			ASN__ENCODE_FAILED;
+	}
+
+	return er;
+}
+
--- a/asn1/asn1c/per_encoder.h
+++ b/asn1/asn1c/per_encoder.h
@ -0,0 +1,69 @@
+/*-
+ * Copyright (c) 2006, 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_ENCODER_H_
+#define	_PER_ENCODER_H_
+
+#include <asn_application.h>
+#include <per_support.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * Unaligned PER encoder of any ASN.1 type. May be invoked by the application.
+ * WARNING: This function returns the number of encoded bits in the .encoded
+ * field of the return value. Use the following formula to convert to bytes:
+ * 	bytes = ((.encoded + 7) / 8)
+ */
+asn_enc_rval_t uper_encode(struct asn_TYPE_descriptor_s *type_descriptor,
+	void *struct_ptr,	/* Structure to be encoded */
+	asn_app_consume_bytes_f *consume_bytes_cb,	/* Data collector */
+	void *app_key		/* Arbitrary callback argument */
+);
+
+/*
+ * A variant of uper_encode() which encodes data into the existing buffer
+ * WARNING: This function returns the number of encoded bits in the .encoded
+ * field of the return value.
+ */
+asn_enc_rval_t uper_encode_to_buffer(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	void *struct_ptr,	/* Structure to be encoded */
+	void *buffer,		/* Pre-allocated buffer */
+	size_t buffer_size	/* Initial buffer size (max) */
+);
+
+/*
+ * A variant of uper_encode_to_buffer() which allocates buffer itself.
+ * Returns the number of bytes in the buffer or -1 in case of failure.
+ * WARNING: This function produces a "Production of the complete encoding",
+ * with length of at least one octet. Contrast this to precise bit-packing
+ * encoding of uper_encode() and uper_encode_to_buffer().
+ */
+ssize_t uper_encode_to_new_buffer(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	asn_per_constraints_t *constraints,
+	void *struct_ptr,	/* Structure to be encoded */
+	void **buffer_r		/* Buffer allocated and returned */
+);
+
+/*
+ * Type of the generic PER encoder function.
+ */
+typedef asn_enc_rval_t (per_type_encoder_f)(
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	asn_per_constraints_t *constraints,
+	void *struct_ptr,
+	asn_per_outp_t *per_output
+);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_ENCODER_H_ */
--- a/asn1/asn1c/per_opentype.c
+++ b/asn1/asn1c/per_opentype.c
@ -0,0 +1,378 @@
+/*
+ * Copyright (c) 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <per_support.h>
+#include <constr_TYPE.h>
+#include <per_opentype.h>
+
+typedef struct uper_ugot_key {
+	asn_per_data_t oldpd;	/* Old per data source */
+	size_t unclaimed;
+	size_t ot_moved;	/* Number of bits moved by OT processing */
+	int repeat;
+} uper_ugot_key;
+
+static int uper_ugot_refill(asn_per_data_t *pd);
+static int per_skip_bits(asn_per_data_t *pd, int skip_nbits);
+static asn_dec_rval_t uper_sot_suck(asn_codec_ctx_t *, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd);
+
+/*
+ * Encode an "open type field".
+ * #10.1, #10.2
+ */
+int
+uper_open_type_put(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po) {
+	void *buf;
+	void *bptr;
+	ssize_t size;
+	size_t toGo;
+
+	ASN_DEBUG("Open type put %s ...", td->name);
+
+	size = uper_encode_to_new_buffer(td, constraints, sptr, &buf);
+	if(size <= 0) return -1;
+
+	for(bptr = buf, toGo = size; toGo;) {
+		ssize_t maySave = uper_put_length(po, toGo);
+		ASN_DEBUG("Prepending length %d to %s and allowing to save %d",
+			(int)size, td->name, (int)maySave);
+		if(maySave < 0) break;
+		if(per_put_many_bits(po, bptr, maySave * 8)) break;
+		bptr = (char *)bptr + maySave;
+		toGo -= maySave;
+	}
+
+	FREEMEM(buf);
+	if(toGo) return -1;
+
+	ASN_DEBUG("Open type put %s of length %ld + overhead (1byte?)",
+		td->name, (long)size);
+
+	return 0;
+}
+
+static asn_dec_rval_t
+uper_open_type_get_simple(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	asn_dec_rval_t rv;
+	ssize_t chunk_bytes;
+	int repeat;
+	uint8_t *buf = 0;
+	size_t bufLen = 0;
+	size_t bufSize = 0;
+	asn_per_data_t spd;
+	size_t padding;
+
+	ASN__STACK_OVERFLOW_CHECK(ctx);
+
+	ASN_DEBUG("Getting open type %s...", td->name);
+
+	do {
+		chunk_bytes = uper_get_length(pd, -1, &repeat);
+		if(chunk_bytes < 0) {
+			FREEMEM(buf);
+			ASN__DECODE_STARVED;
+		}
+		if(bufLen + chunk_bytes > bufSize) {
+			void *ptr;
+			bufSize = chunk_bytes + (bufSize << 2);
+			ptr = REALLOC(buf, bufSize);
+			if(!ptr) {
+				FREEMEM(buf);
+				ASN__DECODE_FAILED;
+			}
+			buf = ptr;
+		}
+		if(per_get_many_bits(pd, buf + bufLen, 0, chunk_bytes << 3)) {
+			FREEMEM(buf);
+			ASN__DECODE_STARVED;
+		}
+		bufLen += chunk_bytes;
+	} while(repeat);
+
+	ASN_DEBUG("Getting open type %s encoded in %ld bytes", td->name,
+		(long)bufLen);
+
+	memset(&spd, 0, sizeof(spd));
+	spd.buffer = buf;
+	spd.nbits = bufLen << 3;
+
+	ASN_DEBUG_INDENT_ADD(+4);
+	rv = td->uper_decoder(ctx, td, constraints, sptr, &spd);
+	ASN_DEBUG_INDENT_ADD(-4);
+
+	if(rv.code == RC_OK) {
+		/* Check padding validity */
+		padding = spd.nbits - spd.nboff;
+                if ((padding < 8 ||
+		/* X.691#10.1.3 */
+		(spd.nboff == 0 && spd.nbits == 8 && spd.buffer == buf)) &&
+                    per_get_few_bits(&spd, padding) == 0) {
+			/* Everything is cool */
+			FREEMEM(buf);
+			return rv;
+		}
+		FREEMEM(buf);
+		if(padding >= 8) {
+			ASN_DEBUG("Too large padding %d in open type", (int)padding);
+			ASN__DECODE_FAILED;
+		} else {
+			ASN_DEBUG("Non-zero padding");
+			ASN__DECODE_FAILED;
+		}
+	} else {
+		FREEMEM(buf);
+		/* rv.code could be RC_WMORE, nonsense in this context */
+		rv.code = RC_FAIL; /* Noone would give us more */
+	}
+
+	return rv;
+}
+
+static asn_dec_rval_t GCC_NOTUSED
+uper_open_type_get_complex(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	uper_ugot_key arg;
+	asn_dec_rval_t rv;
+	ssize_t padding;
+
+	ASN__STACK_OVERFLOW_CHECK(ctx);
+
+	ASN_DEBUG("Getting open type %s from %s", td->name,
+		per_data_string(pd));
+	arg.oldpd = *pd;
+	arg.unclaimed = 0;
+	arg.ot_moved = 0;
+	arg.repeat = 1;
+	pd->refill = uper_ugot_refill;
+	pd->refill_key = &arg;
+	pd->nbits = pd->nboff;	/* 0 good bits at this point, will refill */
+	pd->moved = 0;	/* This now counts the open type size in bits */
+
+	ASN_DEBUG_INDENT_ADD(+4);
+	rv = td->uper_decoder(ctx, td, constraints, sptr, pd);
+	ASN_DEBUG_INDENT_ADD(-4);
+
+#define	UPDRESTOREPD	do {						\
+	/* buffer and nboff are valid, preserve them. */		\
+	pd->nbits = arg.oldpd.nbits - (pd->moved - arg.ot_moved);	\
+	pd->moved = arg.oldpd.moved + (pd->moved - arg.ot_moved);	\
+	pd->refill = arg.oldpd.refill;					\
+	pd->refill_key = arg.oldpd.refill_key;				\
+  } while(0)
+
+	if(rv.code != RC_OK) {
+		UPDRESTOREPD;
+		return rv;
+	}
+
+	ASN_DEBUG("OpenType %s pd%s old%s unclaimed=%d, repeat=%d", td->name,
+		per_data_string(pd),
+		per_data_string(&arg.oldpd),
+		(int)arg.unclaimed, (int)arg.repeat);
+
+	padding = pd->moved % 8;
+	if(padding) {
+		int32_t pvalue;
+		if(padding > 7) {
+			ASN_DEBUG("Too large padding %d in open type",
+				(int)padding);
+			rv.code = RC_FAIL;
+			UPDRESTOREPD;
+			return rv;
+		}
+		padding = 8 - padding;
+		ASN_DEBUG("Getting padding of %d bits", (int)padding);
+		pvalue = per_get_few_bits(pd, padding);
+		switch(pvalue) {
+		case -1:
+			ASN_DEBUG("Padding skip failed");
+			UPDRESTOREPD;
+			ASN__DECODE_STARVED;
+		case 0: break;
+		default:
+			ASN_DEBUG("Non-blank padding (%d bits 0x%02x)",
+				(int)padding, (int)pvalue);
+			UPDRESTOREPD;
+			ASN__DECODE_FAILED;
+		}
+	}
+	if(pd->nboff != pd->nbits) {
+		ASN_DEBUG("Open type %s overhead pd%s old%s", td->name,
+			per_data_string(pd), per_data_string(&arg.oldpd));
+		if(1) {
+			UPDRESTOREPD;
+			ASN__DECODE_FAILED;
+		} else {
+			arg.unclaimed += pd->nbits - pd->nboff;
+		}
+	}
+
+	/* Adjust pd back so it points to original data */
+	UPDRESTOREPD;
+
+	/* Skip data not consumed by the decoder */
+	if(arg.unclaimed) {
+		ASN_DEBUG("Getting unclaimed %d", (int)arg.unclaimed);
+		switch(per_skip_bits(pd, arg.unclaimed)) {
+		case -1:
+			ASN_DEBUG("Claim of %d failed", (int)arg.unclaimed);
+			ASN__DECODE_STARVED;
+		case 0:
+			ASN_DEBUG("Got claim of %d", (int)arg.unclaimed);
+			break;
+		default:
+			/* Padding must be blank */
+			ASN_DEBUG("Non-blank unconsumed padding");
+			ASN__DECODE_FAILED;
+		}
+		arg.unclaimed = 0;
+	}
+
+	if(arg.repeat) {
+		ASN_DEBUG("Not consumed the whole thing");
+		rv.code = RC_FAIL;
+		return rv;
+	}
+
+	return rv;
+}
+
+
+asn_dec_rval_t
+uper_open_type_get(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+
+	return uper_open_type_get_simple(ctx, td, constraints, sptr, pd);
+}
+
+int
+uper_open_type_skip(asn_codec_ctx_t *ctx, asn_per_data_t *pd) {
+	asn_TYPE_descriptor_t s_td;
+	asn_dec_rval_t rv;
+
+	s_td.name = "<unknown extension>";
+	s_td.uper_decoder = uper_sot_suck;
+
+	rv = uper_open_type_get(ctx, &s_td, 0, 0, pd);
+	if(rv.code != RC_OK)
+		return -1;
+	else
+		return 0;
+}
+
+/*
+ * Internal functions.
+ */
+
+static asn_dec_rval_t
+uper_sot_suck(asn_codec_ctx_t *ctx, asn_TYPE_descriptor_t *td,
+	asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd) {
+	asn_dec_rval_t rv;
+
+	(void)ctx;
+	(void)td;
+	(void)constraints;
+	(void)sptr;
+
+	while(per_get_few_bits(pd, 24) >= 0);
+
+	rv.code = RC_OK;
+	rv.consumed = pd->moved;
+
+	return rv;
+}
+
+static int
+uper_ugot_refill(asn_per_data_t *pd) {
+	uper_ugot_key *arg = pd->refill_key;
+	ssize_t next_chunk_bytes, next_chunk_bits;
+	ssize_t avail;
+
+	asn_per_data_t *oldpd = &arg->oldpd;
+
+	ASN_DEBUG("REFILLING pd->moved=%ld, oldpd->moved=%ld",
+		(long)pd->moved, (long)oldpd->moved);
+
+	/* Advance our position to where pd is */
+	oldpd->buffer = pd->buffer;
+	oldpd->nboff  = pd->nboff;
+	oldpd->nbits -= pd->moved - arg->ot_moved;
+	oldpd->moved += pd->moved - arg->ot_moved;
+	arg->ot_moved = pd->moved;
+
+	if(arg->unclaimed) {
+		/* Refill the container */
+		if(per_get_few_bits(oldpd, 1))
+			return -1;
+		if(oldpd->nboff == 0) {
+			assert(0);
+			return -1;
+		}
+		pd->buffer = oldpd->buffer;
+		pd->nboff = oldpd->nboff - 1;
+		pd->nbits = oldpd->nbits;
+		ASN_DEBUG("UNCLAIMED <- return from (pd->moved=%ld)",
+			(long)pd->moved);
+		return 0;
+	}
+
+	if(!arg->repeat) {
+		ASN_DEBUG("Want more but refill doesn't have it");
+		return -1;
+	}
+
+	next_chunk_bytes = uper_get_length(oldpd, -1, &arg->repeat);
+	ASN_DEBUG("Open type LENGTH %ld bytes at off %ld, repeat %ld",
+		(long)next_chunk_bytes, (long)oldpd->moved, (long)arg->repeat);
+	if(next_chunk_bytes < 0) return -1;
+	if(next_chunk_bytes == 0) {
+		pd->refill = 0;	/* No more refills, naturally */
+		assert(!arg->repeat);	/* Implementation guarantee */
+	}
+	next_chunk_bits = next_chunk_bytes << 3;
+	avail = oldpd->nbits - oldpd->nboff;
+	if(avail >= next_chunk_bits) {
+		pd->nbits = oldpd->nboff + next_chunk_bits;
+		arg->unclaimed = 0;
+		ASN_DEBUG("!+Parent frame %ld bits, alloting %ld [%ld..%ld] (%ld)",
+			(long)next_chunk_bits, (long)oldpd->moved,
+			(long)oldpd->nboff, (long)oldpd->nbits,
+			(long)(oldpd->nbits - oldpd->nboff));
+	} else {
+		pd->nbits = oldpd->nbits;
+		arg->unclaimed = next_chunk_bits - avail;
+		ASN_DEBUG("!-Parent frame %ld, require %ld, will claim %ld",
+			(long)avail, (long)next_chunk_bits,
+			(long)arg->unclaimed);
+	}
+	pd->buffer = oldpd->buffer;
+	pd->nboff = oldpd->nboff;
+	ASN_DEBUG("Refilled pd%s old%s",
+		per_data_string(pd), per_data_string(oldpd));
+	return 0;
+}
+
+static int
+per_skip_bits(asn_per_data_t *pd, int skip_nbits) {
+	int hasNonZeroBits = 0;
+	while(skip_nbits > 0) {
+		int skip;
+
+		/* per_get_few_bits() is more efficient when nbits <= 24 */
+		if(skip_nbits < 24)
+			skip = skip_nbits;
+		else
+			skip = 24;
+		skip_nbits -= skip;
+
+		switch(per_get_few_bits(pd, skip)) {
+		case -1: return -1;	/* Starving */
+		case 0: continue;	/* Skipped empty space */
+		default: hasNonZeroBits = 1; continue;
+		}
+	}
+	return hasNonZeroBits;
+}
--- a/asn1/asn1c/per_opentype.h
+++ b/asn1/asn1c/per_opentype.h
@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2007 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_OPENTYPE_H_
+#define	_PER_OPENTYPE_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+asn_dec_rval_t uper_open_type_get(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void **sptr, asn_per_data_t *pd);
+
+int uper_open_type_skip(asn_codec_ctx_t *opt_codec_ctx, asn_per_data_t *pd);
+
+int uper_open_type_put(asn_TYPE_descriptor_t *td, asn_per_constraints_t *constraints, void *sptr, asn_per_outp_t *po);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_OPENTYPE_H_ */
--- a/asn1/asn1c/per_support.c
+++ b/asn1/asn1c/per_support.c
@ -0,0 +1,483 @@
+/*
+ * Copyright (c) 2005-2014 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_system.h>
+#include <asn_internal.h>
+#include <per_support.h>
+
+char *
+per_data_string(asn_per_data_t *pd) {
+	static char buf[2][32];
+	static int n;
+	n = (n+1) % 2;
+	snprintf(buf[n], sizeof(buf[n]),
+		"{m=%ld span %+ld[%d..%d] (%d)}",
+		(long)pd->moved,
+		(((long)pd->buffer) & 0xf),
+		(int)pd->nboff, (int)pd->nbits,
+		(int)(pd->nbits - pd->nboff));
+	return buf[n];
+}
+
+void
+per_get_undo(asn_per_data_t *pd, int nbits) {
+	if((ssize_t)pd->nboff < nbits) {
+		assert((ssize_t)pd->nboff < nbits);
+	} else {
+		pd->nboff -= nbits;
+		pd->moved -= nbits;
+	}
+}
+
+/*
+ * Extract a small number of bits (<= 31) from the specified PER data pointer.
+ */
+int32_t
+per_get_few_bits(asn_per_data_t *pd, int nbits) {
+	size_t off;	/* Next after last bit offset */
+	ssize_t nleft;	/* Number of bits left in this stream */
+	uint32_t accum;
+	const uint8_t *buf;
+
+	if(nbits < 0)
+		return -1;
+
+	nleft = pd->nbits - pd->nboff;
+	if(nbits > nleft) {
+		int32_t tailv, vhead;
+		if(!pd->refill || nbits > 31) return -1;
+		/* Accumulate unused bytes before refill */
+		ASN_DEBUG("Obtain the rest %d bits (want %d)",
+			(int)nleft, (int)nbits);
+		tailv = per_get_few_bits(pd, nleft);
+		if(tailv < 0) return -1;
+		/* Refill (replace pd contents with new data) */
+		if(pd->refill(pd))
+			return -1;
+		nbits -= nleft;
+		vhead = per_get_few_bits(pd, nbits);
+		/* Combine the rest of previous pd with the head of new one */
+		tailv = (tailv << nbits) | vhead;  /* Could == -1 */
+		return tailv;
+	}
+
+	/*
+	 * Normalize position indicator.
+	 */
+	if(pd->nboff >= 8) {
+		pd->buffer += (pd->nboff >> 3);
+		pd->nbits  -= (pd->nboff & ~0x07);
+		pd->nboff  &= 0x07;
+	}
+	pd->moved += nbits;
+	pd->nboff += nbits;
+	off = pd->nboff;
+	buf = pd->buffer;
+
+	/*
+	 * Extract specified number of bits.
+	 */
+	if(off <= 8)
+		accum = nbits ? (buf[0]) >> (8 - off) : 0;
+	else if(off <= 16)
+		accum = ((buf[0] << 8) + buf[1]) >> (16 - off);
+	else if(off <= 24)
+		accum = ((buf[0] << 16) + (buf[1] << 8) + buf[2]) >> (24 - off);
+	else if(off <= 31)
+		accum = ((buf[0] << 24) + (buf[1] << 16)
+			+ (buf[2] << 8) + (buf[3])) >> (32 - off);
+	else if(nbits <= 31) {
+		asn_per_data_t tpd = *pd;
+		/* Here are we with our 31-bits limit plus 1..7 bits offset. */
+		per_get_undo(&tpd, nbits);
+		/* The number of available bits in the stream allow
+		 * for the following operations to take place without
+		 * invoking the ->refill() function */
+		accum  = per_get_few_bits(&tpd, nbits - 24) << 24;
+		accum |= per_get_few_bits(&tpd, 24);
+	} else {
+		per_get_undo(pd, nbits);
+		return -1;
+	}
+
+	accum &= (((uint32_t)1 << nbits) - 1);
+
+	ASN_DEBUG("  [PER got %2d<=%2d bits => span %d %+ld[%d..%d]:%02x (%d) => 0x%x]",
+		(int)nbits, (int)nleft,
+		(int)pd->moved,
+		(((long)pd->buffer) & 0xf),
+		(int)pd->nboff, (int)pd->nbits,
+		((pd->buffer != NULL)?pd->buffer[0]:0),
+		(int)(pd->nbits - pd->nboff),
+		(int)accum);
+
+	return accum;
+}
+
+/*
+ * Extract a large number of bits from the specified PER data pointer.
+ */
+int
+per_get_many_bits(asn_per_data_t *pd, uint8_t *dst, int alright, int nbits) {
+	int32_t value;
+
+	if(alright && (nbits & 7)) {
+		/* Perform right alignment of a first few bits */
+		value = per_get_few_bits(pd, nbits & 0x07);
+		if(value < 0) return -1;
+		*dst++ = value;	/* value is already right-aligned */
+		nbits &= ~7;
+	}
+
+	while(nbits) {
+		if(nbits >= 24) {
+			value = per_get_few_bits(pd, 24);
+			if(value < 0) return -1;
+			*(dst++) = value >> 16;
+			*(dst++) = value >> 8;
+			*(dst++) = value;
+			nbits -= 24;
+		} else {
+			value = per_get_few_bits(pd, nbits);
+			if(value < 0) return -1;
+			if(nbits & 7) {	/* implies left alignment */
+				value <<= 8 - (nbits & 7),
+				nbits += 8 - (nbits & 7);
+				if(nbits > 24)
+					*dst++ = value >> 24;
+			}
+			if(nbits > 16)
+				*dst++ = value >> 16;
+			if(nbits > 8)
+				*dst++ = value >> 8;
+			*dst++ = value;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+/*
+ * Get the length "n" from the stream.
+ */
+ssize_t
+uper_get_length(asn_per_data_t *pd, int ebits, int *repeat) {
+	ssize_t value;
+
+	*repeat = 0;
+
+	if(ebits >= 0) return per_get_few_bits(pd, ebits);
+
+	value = per_get_few_bits(pd, 8);
+	if(value < 0) return -1;
+	if((value & 128) == 0)	/* #10.9.3.6 */
+		return (value & 0x7F);
+	if((value & 64) == 0) {	/* #10.9.3.7 */
+		value = ((value & 63) << 8) | per_get_few_bits(pd, 8);
+		if(value < 0) return -1;
+		return value;
+	}
+	value &= 63;	/* this is "m" from X.691, #10.9.3.8 */
+	if(value < 1 || value > 4)
+		return -1;
+	*repeat = 1;
+	return (16384 * value);
+}
+
+/*
+ * Get the normally small length "n".
+ * This procedure used to decode length of extensions bit-maps
+ * for SET and SEQUENCE types.
+ */
+ssize_t
+uper_get_nslength(asn_per_data_t *pd) {
+	ssize_t length;
+
+	ASN_DEBUG("Getting normally small length");
+
+	if(per_get_few_bits(pd, 1) == 0) {
+		length = per_get_few_bits(pd, 6) + 1;
+		if(length <= 0) return -1;
+		ASN_DEBUG("l=%d", (int)length);
+		return length;
+	} else {
+		int repeat;
+		length = uper_get_length(pd, -1, &repeat);
+		if(length >= 0 && !repeat) return length;
+		return -1; /* Error, or do not support >16K extensions */
+	}
+}
+
+/*
+ * Get the normally small non-negative whole number.
+ * X.691, #10.6
+ */
+ssize_t
+uper_get_nsnnwn(asn_per_data_t *pd) {
+	ssize_t value;
+
+	value = per_get_few_bits(pd, 7);
+	if(value & 64) {	/* implicit (value < 0) */
+		value &= 63;
+		value <<= 2;
+		value |= per_get_few_bits(pd, 2);
+		if(value & 128)	/* implicit (value < 0) */
+			return -1;
+		if(value == 0)
+			return 0;
+		if(value >= 3)
+			return -1;
+		value = per_get_few_bits(pd, 8 * value);
+		return value;
+	}
+
+	return value;
+}
+
+/*
+ * X.691-11/2008, #11.6
+ * Encoding of a normally small non-negative whole number
+ */
+int
+uper_put_nsnnwn(asn_per_outp_t *po, int n) {
+	int bytes;
+
+	if(n <= 63) {
+		if(n < 0) return -1;
+		return per_put_few_bits(po, n, 7);
+	}
+	if(n < 256)
+		bytes = 1;
+	else if(n < 65536)
+		bytes = 2;
+	else if(n < 256 * 65536)
+		bytes = 3;
+	else
+		return -1;	/* This is not a "normally small" value */
+	if(per_put_few_bits(po, bytes, 8))
+		return -1;
+
+	return per_put_few_bits(po, n, 8 * bytes);
+}
+
+
+/* X.691-2008/11, #11.5.6 -> #11.3 */
+int uper_get_constrained_whole_number(asn_per_data_t *pd, unsigned long *out_value, int nbits) {
+	unsigned long lhalf;    /* Lower half of the number*/
+	long half;
+
+	if(nbits <= 31) {
+		half = per_get_few_bits(pd, nbits);
+		if(half < 0) return -1;
+		*out_value = half;
+		return 0;
+	}
+
+	if((size_t)nbits > 8 * sizeof(*out_value))
+		return -1;  /* RANGE */
+
+	half = per_get_few_bits(pd, 31);
+	if(half < 0) return -1;
+
+	if(uper_get_constrained_whole_number(pd, &lhalf, nbits - 31))
+		return -1;
+
+	*out_value = ((unsigned long)half << (nbits - 31)) | lhalf;
+	return 0;
+}
+
+
+/* X.691-2008/11, #11.5.6 -> #11.3 */
+int uper_put_constrained_whole_number_s(asn_per_outp_t *po, long v, int nbits) {
+	/*
+	 * Assume signed number can be safely coerced into
+	 * unsigned of the same range.
+	 * The following testing code will likely be optimized out
+	 * by compiler if it is true.
+	 */
+	unsigned long uvalue1 = ULONG_MAX;
+	         long svalue  = uvalue1;
+	unsigned long uvalue2 = svalue;
+	assert(uvalue1 == uvalue2);
+	return uper_put_constrained_whole_number_u(po, v, nbits);
+}
+
+int uper_put_constrained_whole_number_u(asn_per_outp_t *po, unsigned long v, int nbits) {
+	if(nbits <= 31) {
+		return per_put_few_bits(po, v, nbits);
+	} else {
+		/* Put higher portion first, followed by lower 31-bit */
+		if(uper_put_constrained_whole_number_u(po, v >> 31, nbits - 31))
+			return -1;
+		return per_put_few_bits(po, v, 31);
+	}
+}
+
+/*
+ * Put a small number of bits (<= 31).
+ */
+int
+per_put_few_bits(asn_per_outp_t *po, uint32_t bits, int obits) {
+	size_t off;	/* Next after last bit offset */
+	size_t omsk;	/* Existing last byte meaningful bits mask */
+	uint8_t *buf;
+
+	if(obits <= 0 || obits >= 32) return obits ? -1 : 0;
+
+	ASN_DEBUG("[PER put %d bits %x to %p+%d bits]",
+			obits, (int)bits, po->buffer, (int)po->nboff);
+
+	/*
+	 * Normalize position indicator.
+	 */
+	if(po->nboff >= 8) {
+		po->buffer += (po->nboff >> 3);
+		po->nbits  -= (po->nboff & ~0x07);
+		po->nboff  &= 0x07;
+	}
+
+	/*
+	 * Flush whole-bytes output, if necessary.
+	 */
+	if(po->nboff + obits > po->nbits) {
+		int complete_bytes = (po->buffer - po->tmpspace);
+		ASN_DEBUG("[PER output %ld complete + %ld]",
+			(long)complete_bytes, (long)po->flushed_bytes);
+		if(po->outper(po->tmpspace, complete_bytes, po->op_key) < 0)
+			return -1;
+		if(po->nboff)
+			po->tmpspace[0] = po->buffer[0];
+		po->buffer = po->tmpspace;
+		po->nbits = 8 * sizeof(po->tmpspace);
+		po->flushed_bytes += complete_bytes;
+	}
+
+	/*
+	 * Now, due to sizeof(tmpspace), we are guaranteed large enough space.
+	 */
+	buf = po->buffer;
+	omsk = ~((1 << (8 - po->nboff)) - 1);
+	off = (po->nboff + obits);
+
+	/* Clear data of debris before meaningful bits */
+	bits &= (((uint32_t)1 << obits) - 1);
+
+	ASN_DEBUG("[PER out %d %u/%x (t=%d,o=%d) %x&%x=%x]", obits,
+		(int)bits, (int)bits,
+		(int)po->nboff, (int)off,
+		buf[0], (int)(omsk&0xff),
+		(int)(buf[0] & omsk));
+
+	if(off <= 8)	/* Completely within 1 byte */
+		po->nboff = off,
+		bits <<= (8 - off),
+		buf[0] = (buf[0] & omsk) | bits;
+	else if(off <= 16)
+		po->nboff = off,
+		bits <<= (16 - off),
+		buf[0] = (buf[0] & omsk) | (bits >> 8),
+		buf[1] = bits;
+	else if(off <= 24)
+		po->nboff = off,
+		bits <<= (24 - off),
+		buf[0] = (buf[0] & omsk) | (bits >> 16),
+		buf[1] = bits >> 8,
+		buf[2] = bits;
+	else if(off <= 31)
+		po->nboff = off,
+		bits <<= (32 - off),
+		buf[0] = (buf[0] & omsk) | (bits >> 24),
+		buf[1] = bits >> 16,
+		buf[2] = bits >> 8,
+		buf[3] = bits;
+	else {
+		per_put_few_bits(po, bits >> (obits - 24), 24);
+		per_put_few_bits(po, bits, obits - 24);
+	}
+
+	ASN_DEBUG("[PER out %u/%x => %02x buf+%ld]",
+		(int)bits, (int)bits, buf[0],
+		(long)(po->buffer - po->tmpspace));
+
+	return 0;
+}
+
+
+/*
+ * Output a large number of bits.
+ */
+int
+per_put_many_bits(asn_per_outp_t *po, const uint8_t *src, int nbits) {
+
+	while(nbits) {
+		uint32_t value;
+
+		if(nbits >= 24) {
+			value = (src[0] << 16) | (src[1] << 8) | src[2];
+			src += 3;
+			nbits -= 24;
+			if(per_put_few_bits(po, value, 24))
+				return -1;
+		} else {
+			value = src[0];
+			if(nbits > 8)
+				value = (value << 8) | src[1];
+			if(nbits > 16)
+				value = (value << 8) | src[2];
+			if(nbits & 0x07)
+				value >>= (8 - (nbits & 0x07));
+			if(per_put_few_bits(po, value, nbits))
+				return -1;
+			break;
+		}
+	}
+
+	return 0;
+}
+
+/*
+ * Put the length "n" (or part of it) into the stream.
+ */
+ssize_t
+uper_put_length(asn_per_outp_t *po, size_t length) {
+
+	if(length <= 127)	/* #10.9.3.6 */
+		return per_put_few_bits(po, length, 8)
+			? -1 : (ssize_t)length;
+	else if(length < 16384)	/* #10.9.3.7 */
+		return per_put_few_bits(po, length|0x8000, 16)
+			? -1 : (ssize_t)length;
+
+	length >>= 14;
+	if(length > 4) length = 4;
+
+	return per_put_few_bits(po, 0xC0 | length, 8)
+			? -1 : (ssize_t)(length << 14);
+}
+
+
+/*
+ * Put the normally small length "n" into the stream.
+ * This procedure used to encode length of extensions bit-maps
+ * for SET and SEQUENCE types.
+ */
+int
+uper_put_nslength(asn_per_outp_t *po, size_t length) {
+
+	if(length <= 64) {
+		/* #10.9.3.4 */
+		if(length == 0) return -1;
+		return per_put_few_bits(po, length-1, 7) ? -1 : 0;
+	} else {
+		if(uper_put_length(po, length) != (ssize_t)length) {
+			/* This might happen in case of >16K extensions */
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
--- a/asn1/asn1c/per_support.h
+++ b/asn1/asn1c/per_support.h
@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2005-2014 Lev Walkin <vlm@lionet.info>.
+ * All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_PER_SUPPORT_H_
+#define	_PER_SUPPORT_H_
+
+#include <asn_system.h>		/* Platform-specific types */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Pre-computed PER constraints.
+ */
+typedef const struct asn_per_constraint_s {
+	enum asn_per_constraint_flags {
+		APC_UNCONSTRAINED	= 0x0,	/* No PER visible constraints */
+		APC_SEMI_CONSTRAINED	= 0x1,	/* Constrained at "lb" */
+		APC_CONSTRAINED		= 0x2,	/* Fully constrained */
+		APC_EXTENSIBLE		= 0x4	/* May have extension */
+	} flags;
+	int  range_bits;		/* Full number of bits in the range */
+	int  effective_bits;		/* Effective bits */
+	long lower_bound;		/* "lb" value */
+	long upper_bound;		/* "ub" value */
+} asn_per_constraint_t;
+typedef const struct asn_per_constraints_s {
+	struct asn_per_constraint_s value;
+	struct asn_per_constraint_s size;
+	int (*value2code)(unsigned int value);
+	int (*code2value)(unsigned int code);
+} asn_per_constraints_t;
+
+/*
+ * This structure describes a position inside an incoming PER bit stream.
+ */
+typedef struct asn_per_data_s {
+  const uint8_t *buffer;  /* Pointer to the octet stream */
+         size_t  nboff;   /* Bit offset to the meaningful bit */
+         size_t  nbits;   /* Number of bits in the stream */
+         size_t  moved;   /* Number of bits moved through this bit stream */
+  int (*refill)(struct asn_per_data_s *);
+  void *refill_key;
+} asn_per_data_t;
+
+/*
+ * Extract a small number of bits (<= 31) from the specified PER data pointer.
+ * This function returns -1 if the specified number of bits could not be
+ * extracted due to EOD or other conditions.
+ */
+int32_t per_get_few_bits(asn_per_data_t *per_data, int get_nbits);
+
+/* Undo the immediately preceeding "get_few_bits" operation */
+void per_get_undo(asn_per_data_t *per_data, int get_nbits);
+
+/*
+ * Extract a large number of bits from the specified PER data pointer.
+ * This function returns -1 if the specified number of bits could not be
+ * extracted due to EOD or other conditions.
+ */
+int per_get_many_bits(asn_per_data_t *pd, uint8_t *dst, int right_align,
+			int get_nbits);
+
+/*
+ * Get the length "n" from the Unaligned PER stream.
+ */
+ssize_t uper_get_length(asn_per_data_t *pd,
+			int effective_bound_bits,
+			int *repeat);
+
+/*
+ * Get the normally small length "n".
+ */
+ssize_t uper_get_nslength(asn_per_data_t *pd);
+
+/*
+ * Get the normally small non-negative whole number.
+ */
+ssize_t uper_get_nsnnwn(asn_per_data_t *pd);
+
+/* X.691-2008/11, #11.5.6 */
+int uper_get_constrained_whole_number(asn_per_data_t *pd, unsigned long *v, int nbits);
+
+/* Non-thread-safe debugging function, don't use it */
+char *per_data_string(asn_per_data_t *pd);
+
+/*
+ * This structure supports forming PER output.
+ */
+typedef struct asn_per_outp_s {
+	uint8_t *buffer;	/* Pointer into the (tmpspace) */
+	size_t nboff;		/* Bit offset to the meaningful bit */
+	size_t nbits;		/* Number of bits left in (tmpspace) */
+	uint8_t tmpspace[32];	/* Preliminary storage to hold data */
+	int (*outper)(const void *data, size_t size, void *op_key);
+	void *op_key;		/* Key for (outper) data callback */
+	size_t flushed_bytes;	/* Bytes already flushed through (outper) */
+} asn_per_outp_t;
+
+/* Output a small number of bits (<= 31) */
+int per_put_few_bits(asn_per_outp_t *per_data, uint32_t bits, int obits);
+
+/* Output a large number of bits */
+int per_put_many_bits(asn_per_outp_t *po, const uint8_t *src, int put_nbits);
+
+/* X.691-2008/11, #11.5 */
+int uper_put_constrained_whole_number_s(asn_per_outp_t *po, long v, int nbits);
+int uper_put_constrained_whole_number_u(asn_per_outp_t *po, unsigned long v, int nbits);
+
+/*
+ * Put the length "n" to the Unaligned PER stream.
+ * This function returns the number of units which may be flushed
+ * in the next units saving iteration.
+ */
+ssize_t uper_put_length(asn_per_outp_t *po, size_t whole_length);
+
+/*
+ * Put the normally small length "n" to the Unaligned PER stream.
+ * Returns 0 or -1.
+ */
+int uper_put_nslength(asn_per_outp_t *po, size_t length);
+
+/*
+ * Put the normally small non-negative whole number.
+ */
+int uper_put_nsnnwn(asn_per_outp_t *po, int n);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _PER_SUPPORT_H_ */
--- a/asn1/asn1c/xer_decoder.c
+++ b/asn1/asn1c/xer_decoder.c
@ -0,0 +1,368 @@
+/*
+ * Copyright (c) 2004, 2005 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_application.h>
+#include <asn_internal.h>
+#include <xer_support.h>		/* XER/XML parsing support */
+
+
+/*
+ * Decode the XER encoding of a given type.
+ */
+asn_dec_rval_t
+xer_decode(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
+		void **struct_ptr, const void *buffer, size_t size) {
+	asn_codec_ctx_t s_codec_ctx;
+
+	/*
+	 * Stack checker requires that the codec context
+	 * must be allocated on the stack.
+	 */
+	if(opt_codec_ctx) {
+		if(opt_codec_ctx->max_stack_size) {
+			s_codec_ctx = *opt_codec_ctx;
+			opt_codec_ctx = &s_codec_ctx;
+		}
+	} else {
+		/* If context is not given, be security-conscious anyway */
+		memset(&s_codec_ctx, 0, sizeof(s_codec_ctx));
+		s_codec_ctx.max_stack_size = ASN__DEFAULT_STACK_MAX;
+		opt_codec_ctx = &s_codec_ctx;
+	}
+
+	/*
+	 * Invoke type-specific decoder.
+	 */
+	return td->xer_decoder(opt_codec_ctx, td, struct_ptr, 0, buffer, size);
+}
+
+
+
+struct xer__cb_arg {
+	pxml_chunk_type_e	chunk_type;
+	size_t			chunk_size;
+	const void		*chunk_buf;
+	int callback_not_invoked;
+};
+
+static int
+xer__token_cb(pxml_chunk_type_e type, const void *_chunk_data, size_t _chunk_size, void *key) {
+	struct xer__cb_arg *arg = (struct xer__cb_arg *)key;
+	arg->chunk_type = type;
+	arg->chunk_size = _chunk_size;
+	arg->chunk_buf = _chunk_data;
+	arg->callback_not_invoked = 0;
+	return -1;	/* Terminate the XML parsing */
+}
+
+/*
+ * Fetch the next token from the XER/XML stream.
+ */
+ssize_t
+xer_next_token(int *stateContext, const void *buffer, size_t size, pxer_chunk_type_e *ch_type) {
+	struct xer__cb_arg arg;
+	int new_stateContext = *stateContext;
+	ssize_t ret;
+
+	arg.callback_not_invoked = 1;
+	ret = pxml_parse(&new_stateContext, buffer, size, xer__token_cb, &arg);
+	if(ret < 0) return -1;
+	if(arg.callback_not_invoked) {
+		assert(ret == 0);	/* No data was consumed */
+        *ch_type = PXER_WMORE;
+		return 0;		/* Try again with more data */
+	} else {
+		assert(arg.chunk_size);
+		assert(arg.chunk_buf == buffer);
+	}
+
+	/*
+	 * Translate the XML chunk types into more convenient ones.
+	 */
+	switch(arg.chunk_type) {
+	case PXML_TEXT:
+		*ch_type = PXER_TEXT;
+		break;
+	case PXML_TAG:
+        *ch_type = PXER_WMORE;
+        return 0;	/* Want more */
+	case PXML_TAG_END:
+		*ch_type = PXER_TAG;
+		break;
+	case PXML_COMMENT:
+	case PXML_COMMENT_END:
+		*ch_type = PXER_COMMENT;
+		break;
+	}
+
+	*stateContext = new_stateContext;
+	return arg.chunk_size;
+}
+
+#define	CSLASH	0x2f	/* '/' */
+#define	LANGLE	0x3c	/* '<' */
+#define	RANGLE	0x3e	/* '>' */
+
+xer_check_tag_e
+xer_check_tag(const void *buf_ptr, int size, const char *need_tag) {
+	const char *buf = (const char *)buf_ptr;
+	const char *end;
+	xer_check_tag_e ct = XCT_OPENING;
+
+	if(size < 2 || buf[0] != LANGLE || buf[size-1] != RANGLE) {
+		if(size >= 2)
+			ASN_DEBUG("Broken XML tag: \"%c...%c\"",
+			buf[0], buf[size - 1]);
+		return XCT_BROKEN;
+	}
+
+	/*
+	 * Determine the tag class.
+	 */
+	if(buf[1] == CSLASH) {
+		buf += 2;	/* advance past "</" */
+		size -= 3;	/* strip "</" and ">" */
+		ct = XCT_CLOSING;
+		if(size > 0 && buf[size-1] == CSLASH)
+			return XCT_BROKEN;	/* </abc/> */
+	} else {
+		buf++;		/* advance past "<" */
+		size -= 2;	/* strip "<" and ">" */
+		if(size > 0 && buf[size-1] == CSLASH) {
+			ct = XCT_BOTH;
+			size--;	/* One more, for "/" */
+		}
+	}
+
+	/* Sometimes we don't care about the tag */
+	if(!need_tag || !*need_tag)
+		return (xer_check_tag_e)(XCT__UNK__MASK | ct);
+
+	/*
+	 * Determine the tag name.
+	 */
+	for(end = buf + size; buf < end; buf++, need_tag++) {
+		int b = *buf, n = *need_tag;
+		if(b != n) {
+			if(n == 0) {
+				switch(b) {
+				case 0x09: case 0x0a: case 0x0c: case 0x0d:
+				case 0x20:
+					/* "<abc def/>": whitespace is normal */
+					return ct;
+				}
+			}
+			return (xer_check_tag_e)(XCT__UNK__MASK | ct);
+		}
+		if(b == 0)
+			return XCT_BROKEN;	/* Embedded 0 in buf?! */
+	}
+	if(*need_tag)
+		return (xer_check_tag_e)(XCT__UNK__MASK | ct);
+
+	return ct;
+}
+
+
+#undef	ADVANCE
+#define	ADVANCE(num_bytes)	do {				\
+		size_t num = (num_bytes);			\
+		buf_ptr = ((const char *)buf_ptr) + num;	\
+		size -= num;					\
+		consumed_myself += num;				\
+	} while(0)
+
+#undef	RETURN
+#define	RETURN(_code)	do {					\
+		rval.code = _code;				\
+		rval.consumed = consumed_myself;		\
+		if(rval.code != RC_OK)				\
+			ASN_DEBUG("Failed with %d", rval.code);	\
+		return rval;					\
+	} while(0)
+
+#define	XER_GOT_BODY(chunk_buf, chunk_size, size)	do {	\
+		ssize_t converted_size = body_receiver		\
+			(struct_key, chunk_buf, chunk_size,	\
+				(size_t)chunk_size < size);	\
+		if(converted_size == -1) RETURN(RC_FAIL);	\
+		if(converted_size == 0				\
+			&& size == (size_t)chunk_size)		\
+			RETURN(RC_WMORE);			\
+		chunk_size = converted_size;			\
+	} while(0)
+#define	XER_GOT_EMPTY()	do {					\
+	if(body_receiver(struct_key, 0, 0, size > 0) == -1)	\
+			RETURN(RC_FAIL);			\
+	} while(0)
+
+/*
+ * Generalized function for decoding the primitive values.
+ */
+asn_dec_rval_t
+xer_decode_general(asn_codec_ctx_t *opt_codec_ctx,
+	asn_struct_ctx_t *ctx,	/* Type decoder context */
+	void *struct_key,
+	const char *xml_tag,	/* Expected XML tag */
+	const void *buf_ptr, size_t size,
+	int (*opt_unexpected_tag_decoder)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size),
+	ssize_t (*body_receiver)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size,
+			int have_more)
+	) {
+
+	asn_dec_rval_t rval;
+	ssize_t consumed_myself = 0;
+
+	(void)opt_codec_ctx;
+
+	/*
+	 * Phases of XER/XML processing:
+	 * Phase 0: Check that the opening tag matches our expectations.
+	 * Phase 1: Processing body and reacting on closing tag.
+	 */
+	if(ctx->phase > 1) RETURN(RC_FAIL);
+	for(;;) {
+		pxer_chunk_type_e ch_type;	/* XER chunk type */
+		ssize_t ch_size;		/* Chunk size */
+		xer_check_tag_e tcv;		/* Tag check value */
+
+		/*
+		 * Get the next part of the XML stream.
+		 */
+		ch_size = xer_next_token(&ctx->context, buf_ptr, size,
+			&ch_type);
+		if(ch_size == -1) {
+            RETURN(RC_FAIL);
+        } else {
+			switch(ch_type) {
+			case PXER_WMORE:
+                RETURN(RC_WMORE);
+			case PXER_COMMENT:		/* Got XML comment */
+				ADVANCE(ch_size);	/* Skip silently */
+				continue;
+			case PXER_TEXT:
+				if(ctx->phase == 0) {
+					/*
+					 * We have to ignore whitespace here,
+					 * but in order to be forward compatible
+					 * with EXTENDED-XER (EMBED-VALUES, #25)
+					 * any text is just ignored here.
+					 */
+				} else {
+					XER_GOT_BODY(buf_ptr, ch_size, size);
+				}
+				ADVANCE(ch_size);
+				continue;
+			case PXER_TAG:
+				break;	/* Check the rest down there */
+			}
+		}
+
+		assert(ch_type == PXER_TAG && size);
+
+		tcv = xer_check_tag(buf_ptr, ch_size, xml_tag);
+		/*
+		 * Phase 0:
+		 * 	Expecting the opening tag
+		 * 	for the type being processed.
+		 * Phase 1:
+		 * 	Waiting for the closing XML tag.
+		 */
+		switch(tcv) {
+		case XCT_BOTH:
+			if(ctx->phase) break;
+			/* Finished decoding of an empty element */
+			XER_GOT_EMPTY();
+			ADVANCE(ch_size);
+			ctx->phase = 2;	/* Phase out */
+			RETURN(RC_OK);
+		case XCT_OPENING:
+			if(ctx->phase) break;
+			ADVANCE(ch_size);
+			ctx->phase = 1;	/* Processing body phase */
+			continue;
+		case XCT_CLOSING:
+			if(!ctx->phase) break;
+			ADVANCE(ch_size);
+			ctx->phase = 2;	/* Phase out */
+			RETURN(RC_OK);
+		case XCT_UNKNOWN_BO:
+			/*
+			 * Certain tags in the body may be expected.
+			 */
+			if(opt_unexpected_tag_decoder
+			&& opt_unexpected_tag_decoder(struct_key,
+					buf_ptr, ch_size) >= 0) {
+				/* Tag's processed fine */
+				ADVANCE(ch_size);
+				if(!ctx->phase) {
+					/* We are not expecting
+					 * the closing tag anymore. */
+					ctx->phase = 2;	/* Phase out */
+					RETURN(RC_OK);
+				}
+				continue;
+			}
+			/* Fall through */
+		default:
+			break;		/* Unexpected tag */
+		}
+
+		ASN_DEBUG("Unexpected XML tag (expected \"%s\")", xml_tag);
+		break;	/* Dark and mysterious things have just happened */
+	}
+
+	RETURN(RC_FAIL);
+}
+
+
+size_t
+xer_whitespace_span(const void *chunk_buf, size_t chunk_size) {
+	const char *p = (const char *)chunk_buf;
+	const char *pend = p + chunk_size;
+
+	for(; p < pend; p++) {
+		switch(*p) {
+		/* X.693, #8.1.4
+		 * HORISONTAL TAB (9)
+		 * LINE FEED (10) 
+		 * CARRIAGE RETURN (13) 
+		 * SPACE (32)
+		 */
+		case 0x09: case 0x0a: case 0x0d: case 0x20:
+			continue;
+		default:
+			break;
+		}
+		break;
+	}
+	return (p - (const char *)chunk_buf);
+}
+
+/*
+ * This is a vastly simplified, non-validating XML tree skipper.
+ */
+int
+xer_skip_unknown(xer_check_tag_e tcv, ber_tlv_len_t *depth) {
+	assert(*depth > 0);
+	switch(tcv) {
+	case XCT_BOTH:
+	case XCT_UNKNOWN_BO:
+		/* These negate each other. */
+		return 0;
+	case XCT_OPENING:
+	case XCT_UNKNOWN_OP:
+		++(*depth);
+		return 0;
+	case XCT_CLOSING:
+	case XCT_UNKNOWN_CL:
+		if(--(*depth) == 0)
+			return (tcv == XCT_CLOSING) ? 2 : 1;
+		return 0;
+	default:
+		return -1;
+	}
+}
--- a/asn1/asn1c/xer_decoder.h
+++ b/asn1/asn1c/xer_decoder.h
@ -0,0 +1,106 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_XER_DECODER_H_
+#define	_XER_DECODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/*
+ * The XER decoder of any ASN.1 type. May be invoked by the application.
+ */
+asn_dec_rval_t xer_decode(struct asn_codec_ctx_s *opt_codec_ctx,
+	struct asn_TYPE_descriptor_s *type_descriptor,
+	void **struct_ptr,	/* Pointer to a target structure's pointer */
+	const void *buffer,	/* Data to be decoded */
+	size_t size		/* Size of data buffer */
+	);
+
+/*
+ * Type of the type-specific XER decoder function.
+ */
+typedef asn_dec_rval_t (xer_type_decoder_f)(asn_codec_ctx_t *opt_codec_ctx,
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void **struct_ptr,
+		const char *opt_mname,	/* Member name */
+		const void *buf_ptr, size_t size
+	);
+
+/*******************************
+ * INTERNALLY USEFUL FUNCTIONS *
+ *******************************/
+
+/*
+ * Generalized function for decoding the primitive values.
+ * Used by more specialized functions, such as OCTET_STRING_decode_xer_utf8
+ * and others. This function should not be used by applications, as its API
+ * is subject to changes.
+ */
+asn_dec_rval_t xer_decode_general(asn_codec_ctx_t *opt_codec_ctx,
+	asn_struct_ctx_t *ctx,	/* Type decoder context */
+	void *struct_key,	/* Treated as opaque pointer */
+	const char *xml_tag,	/* Expected XML tag name */
+	const void *buf_ptr, size_t size,
+	int (*opt_unexpected_tag_decoder)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size),
+	ssize_t (*body_receiver)
+		(void *struct_key, const void *chunk_buf, size_t chunk_size,
+			int have_more)
+	);
+
+
+/*
+ * Fetch the next XER (XML) token from the stream.
+ * The function returns the number of bytes occupied by the chunk type,
+ * returned in the _ch_type. The _ch_type is only set (and valid) when
+ * the return value is >= 0.
+ */
+  typedef enum pxer_chunk_type {
+	PXER_WMORE,     /* Chunk type is not clear, more data expected. */
+	PXER_TAG,	    /* Complete XER tag */
+	PXER_TEXT,	    /* Plain text between XER tags */
+	PXER_COMMENT	/* A comment, may be part of */
+  } pxer_chunk_type_e;
+ssize_t xer_next_token(int *stateContext,
+	const void *buffer, size_t size, pxer_chunk_type_e *_ch_type);
+
+/*
+ * This function checks the buffer against the tag name is expected to occur.
+ */
+  typedef enum xer_check_tag {
+	XCT_BROKEN	= 0,	/* The tag is broken */
+	XCT_OPENING	= 1,	/* This is the <opening> tag */
+	XCT_CLOSING	= 2,	/* This is the </closing> tag */
+	XCT_BOTH	= 3,	/* This is the <modified/> tag */
+	XCT__UNK__MASK	= 4,	/* Mask of everything unexpected */
+	XCT_UNKNOWN_OP	= 5,	/* Unexpected <opening> tag */
+	XCT_UNKNOWN_CL	= 6,	/* Unexpected </closing> tag */
+	XCT_UNKNOWN_BO	= 7	/* Unexpected <modified/> tag */
+  } xer_check_tag_e;
+xer_check_tag_e xer_check_tag(const void *buf_ptr, int size,
+		const char *need_tag);
+
+/*
+ * Get the number of bytes consisting entirely of XER whitespace characters.
+ * RETURN VALUES:
+ * >=0:	Number of whitespace characters in the string.
+ */
+size_t xer_whitespace_span(const void *chunk_buf, size_t chunk_size);
+
+/*
+ * Skip the series of anticipated extensions.
+ */
+int xer_skip_unknown(xer_check_tag_e tcv, ber_tlv_len_t *depth);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _XER_DECODER_H_ */
--- a/asn1/asn1c/xer_encoder.c
+++ b/asn1/asn1c/xer_encoder.c
@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_internal.h>
+#include <stdio.h>
+#include <errno.h>
+
+/*
+ * The XER encoder of any type. May be invoked by the application.
+ */
+asn_enc_rval_t
+xer_encode(asn_TYPE_descriptor_t *td, void *sptr,
+	enum xer_encoder_flags_e xer_flags,
+		asn_app_consume_bytes_f *cb, void *app_key) {
+	asn_enc_rval_t er, tmper;
+	const char *mname;
+	size_t mlen;
+	int xcan = (xer_flags & XER_F_CANONICAL) ? 1 : 2;
+
+	if(!td || !sptr) goto cb_failed;
+
+	mname = td->xml_tag;
+	mlen = strlen(mname);
+
+	ASN__CALLBACK3("<", 1, mname, mlen, ">", 1);
+
+	tmper = td->xer_encoder(td, sptr, 1, xer_flags, cb, app_key);
+	if(tmper.encoded == -1) return tmper;
+
+	ASN__CALLBACK3("</", 2, mname, mlen, ">\n", xcan);
+
+	er.encoded = 4 + xcan + (2 * mlen) + tmper.encoded;
+
+	ASN__ENCODED_OK(er);
+cb_failed:
+	ASN__ENCODE_FAILED;
+}
+
+/*
+ * This is a helper function for xer_fprint, which directs all incoming data
+ * into the provided file descriptor.
+ */
+static int
+xer__print2fp(const void *buffer, size_t size, void *app_key) {
+	FILE *stream = (FILE *)app_key;
+
+	if(fwrite(buffer, 1, size, stream) != size)
+		return -1;
+
+	return 0;
+}
+
+int
+xer_fprint(FILE *stream, asn_TYPE_descriptor_t *td, void *sptr) {
+	asn_enc_rval_t er;
+
+	if(!stream) stream = stdout;
+	if(!td || !sptr)
+		return -1;
+
+	er = xer_encode(td, sptr, XER_F_BASIC, xer__print2fp, stream);
+	if(er.encoded == -1)
+		return -1;
+
+	return fflush(stream);
+}
--- a/asn1/asn1c/xer_encoder.h
+++ b/asn1/asn1c/xer_encoder.h
@ -0,0 +1,59 @@
+/*-
+ * Copyright (c) 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_XER_ENCODER_H_
+#define	_XER_ENCODER_H_
+
+#include <asn_application.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct asn_TYPE_descriptor_s;	/* Forward declaration */
+
+/* Flags used by the xer_encode() and (*xer_type_encoder_f), defined below */
+enum xer_encoder_flags_e {
+	/* Mode of encoding */
+	XER_F_BASIC	= 0x01,	/* BASIC-XER (pretty-printing) */
+	XER_F_CANONICAL	= 0x02	/* Canonical XER (strict rules) */
+};
+
+/*
+ * The XER encoder of any type. May be invoked by the application.
+ */
+asn_enc_rval_t xer_encode(struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		enum xer_encoder_flags_e xer_flags,
+		asn_app_consume_bytes_f *consume_bytes_cb,
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+/*
+ * The variant of the above function which dumps the BASIC-XER (XER_F_BASIC)
+ * output into the chosen file pointer.
+ * RETURN VALUES:
+ * 	 0: The structure is printed.
+ * 	-1: Problem printing the structure.
+ * WARNING: No sensible errno value is returned.
+ */
+int xer_fprint(FILE *stream, struct asn_TYPE_descriptor_s *td, void *sptr);
+
+/*
+ * Type of the generic XER encoder.
+ */
+typedef asn_enc_rval_t (xer_type_encoder_f)(
+		struct asn_TYPE_descriptor_s *type_descriptor,
+		void *struct_ptr,	/* Structure to be encoded */
+		int ilevel,		/* Level of indentation */
+		enum xer_encoder_flags_e xer_flags,
+		asn_app_consume_bytes_f *consume_bytes_cb,	/* Callback */
+		void *app_key		/* Arbitrary callback argument */
+	);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _XER_ENCODER_H_ */
--- a/asn1/asn1c/xer_support.c
+++ b/asn1/asn1c/xer_support.c
@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 2003, 2004 X/IO Labs, xiolabs.com.
+ * Copyright (c) 2003, 2004, 2005 Lev Walkin <vlm@lionet.info>.
+ * 	All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#include <asn_system.h>
+#include <xer_support.h>
+
+/* Parser states */
+typedef enum {
+	ST_TEXT,
+	ST_TAG_START,
+	ST_TAG_BODY,
+	ST_TAG_QUOTE_WAIT,
+	ST_TAG_QUOTED_STRING,
+	ST_TAG_UNQUOTED_STRING,
+	ST_COMMENT_WAIT_DASH1,	/* "<!--"[1] */
+	ST_COMMENT_WAIT_DASH2,	/* "<!--"[2] */
+	ST_COMMENT,
+	ST_COMMENT_CLO_DASH2,	/* "-->"[0] */
+	ST_COMMENT_CLO_RT	/* "-->"[1] */
+} pstate_e;
+
+static const int
+_charclass[256] = {
+	0,0,0,0,0,0,0,0, 0,1,1,0,1,1,0,0,
+	0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
+	1,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
+	2,2,2,2,2,2,2,2, 2,2,0,0,0,0,0,0,	/* 01234567 89       */
+	0,3,3,3,3,3,3,3, 3,3,3,3,3,3,3,3,	/*  ABCDEFG HIJKLMNO */
+	3,3,3,3,3,3,3,3, 3,3,3,0,0,0,0,0,	/* PQRSTUVW XYZ      */
+	0,3,3,3,3,3,3,3, 3,3,3,3,3,3,3,3,	/*  abcdefg hijklmno */
+	3,3,3,3,3,3,3,3, 3,3,3,0,0,0,0,0	/* pqrstuvw xyz      */
+};
+#define WHITESPACE(c)	(_charclass[(unsigned char)(c)] == 1)
+#define ALNUM(c)	(_charclass[(unsigned char)(c)] >= 2)
+#define ALPHA(c)	(_charclass[(unsigned char)(c)] == 3)
+
+/* Aliases for characters, ASCII/UTF-8 */
+#define	EXCLAM	0x21	/* '!' */
+#define	CQUOTE	0x22	/* '"' */
+#define	CDASH	0x2d	/* '-' */
+#define	CSLASH	0x2f	/* '/' */
+#define	LANGLE	0x3c	/* '<' */
+#define	CEQUAL	0x3d	/* '=' */
+#define	RANGLE	0x3e	/* '>' */
+#define	CQUEST	0x3f	/* '?' */
+
+/* Invoke token callback */
+#define	TOKEN_CB_CALL(type, _ns, _current_too, _final) do {	\
+		int _ret;					\
+		pstate_e ns  = _ns;				\
+		ssize_t _sz = (p - chunk_start) + _current_too;	\
+		if (!_sz) {					\
+			/* Shortcut */				\
+			state = _ns;				\
+			break;					\
+		}						\
+		_ret = cb(type, chunk_start, _sz, key);		\
+		if(_ret < _sz) {				\
+			if(_current_too && _ret == -1)		\
+				state = ns;			\
+			goto finish;				\
+		}						\
+		chunk_start = p + _current_too;			\
+		state = ns;					\
+	} while(0)
+
+#define TOKEN_CB(_type, _ns, _current_too)			\
+	TOKEN_CB_CALL(_type, _ns, _current_too, 0)
+
+#define PXML_TAG_FINAL_CHUNK_TYPE      PXML_TAG_END
+#define PXML_COMMENT_FINAL_CHUNK_TYPE  PXML_COMMENT_END
+
+#define TOKEN_CB_FINAL(_type, _ns, _current_too)		\
+	TOKEN_CB_CALL( _type ## _FINAL_CHUNK_TYPE , _ns, _current_too, 1)
+
+/*
+ * Parser itself
+ */
+ssize_t pxml_parse(int *stateContext, const void *xmlbuf, size_t size, pxml_callback_f *cb, void *key) {
+	pstate_e state = (pstate_e)*stateContext;
+	const char *chunk_start = (const char *)xmlbuf;
+	const char *p = chunk_start;
+	const char *end = p + size;
+
+	for(; p < end; p++) {
+	  int C = *(const unsigned char *)p;
+	  switch(state) {
+	  case ST_TEXT:
+		/*
+		 * Initial state: we're in the middle of some text,
+		 * or just have started.
+		 */
+		if (C == LANGLE) 
+			/* We're now in the tag, probably */
+			TOKEN_CB(PXML_TEXT, ST_TAG_START, 0);
+		break;
+	  case ST_TAG_START:
+		if (ALPHA(C) || (C == CSLASH))
+			state = ST_TAG_BODY;
+		else if (C == EXCLAM)
+			state = ST_COMMENT_WAIT_DASH1;
+		else 
+			/*
+			 * Not characters and not whitespace.
+			 * Must be something like "3 < 4".
+			 */
+			TOKEN_CB(PXML_TEXT, ST_TEXT, 1);/* Flush as data */
+		break;
+	  case ST_TAG_BODY:
+		switch(C) {
+		case RANGLE:
+			/* End of the tag */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TEXT, 1);
+			break;
+		case LANGLE:
+			/*
+			 * The previous tag wasn't completed, but still
+			 * recognized as valid. (Mozilla-compatible)
+			 */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TAG_START, 0);	
+			break;
+		case CEQUAL:
+			state = ST_TAG_QUOTE_WAIT;
+			break;
+		}
+		break;
+	  case ST_TAG_QUOTE_WAIT:
+		/*
+		 * State after the equal sign ("=") in the tag.
+		 */
+		switch(C) {
+		case CQUOTE:
+			state = ST_TAG_QUOTED_STRING;
+			break;
+		case RANGLE:
+			/* End of the tag */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TEXT, 1);
+			break;
+		default:
+			if(!WHITESPACE(C))
+				/* Unquoted string value */
+				state = ST_TAG_UNQUOTED_STRING;
+		}
+		break;
+	  case ST_TAG_QUOTED_STRING:
+		/*
+		 * Tag attribute's string value in quotes.
+		 */
+		if(C == CQUOTE) {
+			/* Return back to the tag state */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_TAG_UNQUOTED_STRING:
+		if(C == RANGLE) {
+			/* End of the tag */
+			TOKEN_CB_FINAL(PXML_TAG, ST_TEXT, 1);
+		} else if(WHITESPACE(C)) {
+			/* Return back to the tag state */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_COMMENT_WAIT_DASH1:
+		if(C == CDASH) {
+			state = ST_COMMENT_WAIT_DASH2;
+		} else {
+			/* Some ordinary tag. */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_COMMENT_WAIT_DASH2:
+		if(C == CDASH) {
+			/* Seen "<--" */
+			state = ST_COMMENT;
+		} else {
+			/* Some ordinary tag */
+			state = ST_TAG_BODY;
+		}
+		break;
+	  case ST_COMMENT:
+		if(C == CDASH) {
+			state = ST_COMMENT_CLO_DASH2;
+		}
+		break;
+	  case ST_COMMENT_CLO_DASH2:
+		if(C == CDASH) {
+			state = ST_COMMENT_CLO_RT;
+		} else {
+			/* This is not an end of a comment */
+			state = ST_COMMENT;
+		}
+		break;
+	  case ST_COMMENT_CLO_RT:
+		if(C == RANGLE) {
+			TOKEN_CB_FINAL(PXML_COMMENT, ST_TEXT, 1);
+		} else if(C == CDASH) {
+			/* Maintain current state, still waiting for '>' */
+		} else {
+			state = ST_COMMENT;
+		}
+		break;
+	  } /* switch(*ptr) */
+	} /* for() */
+
+	/*
+	 * Flush the partially processed chunk, state permitting.
+	 */
+	if(p - chunk_start) {
+		switch (state) {
+		case ST_COMMENT:
+			TOKEN_CB(PXML_COMMENT, state, 0);
+			break;
+		case ST_TEXT:
+			TOKEN_CB(PXML_TEXT, state, 0);
+			break;
+		default: break;	/* a no-op */
+		}
+	}
+
+finish:
+	*stateContext = (int)state;
+	return chunk_start - (const char *)xmlbuf;
+}
+
--- a/asn1/asn1c/xer_support.h
+++ b/asn1/asn1c/xer_support.h
@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2003, 2004 X/IO Labs, xiolabs.com.
+ * Copyright (c) 2003, 2004 Lev Walkin <vlm@lionet.info>. All rights reserved.
+ * Redistribution and modifications are permitted subject to BSD license.
+ */
+#ifndef	_XER_SUPPORT_H_
+#define	_XER_SUPPORT_H_
+
+#include <asn_system.h>		/* Platform-specific types */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Types of data transferred to the application.
+ */
+typedef enum {
+	PXML_TEXT,	/* Plain text between XML tags. */
+	PXML_TAG,	/* A tag, starting with '<'. */
+	PXML_COMMENT,	/* An XML comment, including "<!--" and "-->". */
+	/* 
+	 * The following chunk types are reported if the chunk
+	 * terminates the specified XML element.
+	 */
+	PXML_TAG_END,		/* Tag ended */
+	PXML_COMMENT_END	/* Comment ended */
+} pxml_chunk_type_e;
+
+/*
+ * Callback function that is called by the parser when parsed data is
+ * available. The _opaque is the pointer to a field containing opaque user 
+ * data specified in pxml_create() call. The chunk type is _type and the text 
+ * data is the piece of buffer identified by _bufid (as supplied to
+ * pxml_feed() call) starting at offset _offset and of _size bytes size. 
+ * The chunk is NOT '\0'-terminated.
+ */
+typedef int (pxml_callback_f)(pxml_chunk_type_e _type,
+	const void *_chunk_data, size_t _chunk_size, void *_key);
+
+/*
+ * Parse the given buffer as it were a chunk of XML data.
+ * Invoke the specified callback each time the meaninful data is found.
+ * This function returns number of bytes consumed from the bufer.
+ * It will always be lesser than or equal to the specified _size.
+ * The next invocation of this function must account the difference.
+ */
+ssize_t pxml_parse(int *_stateContext, const void *_buf, size_t _size,
+	pxml_callback_f *cb, void *_key);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* _XER_SUPPORT_H_ */
--- a/asn1/ipa_asn1.c
+++ b/asn1/ipa_asn1.c
@ -0,0 +1,238 @@
+#include <stdbool.h>
+#include <sys/types.h>
+#include "ipa_asn1.h"
+#include "GetKeytabControl.h"
+
+static bool encode_GetKeytabControl(GetKeytabControl_t *gkctrl,
+                                    void **buf, size_t *len)
+{
+    asn_enc_rval_t rval;
+    char *buffer = NULL;
+    size_t buflen;
+    bool ret = false;
+
+    /* dry run to compute the size */
+    rval = der_encode(&asn_DEF_GetKeytabControl, gkctrl, NULL, NULL);
+    if (rval.encoded == -1) goto done;
+
+    buflen = rval.encoded;
+    buffer = malloc(buflen);
+    if (!buffer) goto done;
+
+    /* now for real */
+    rval = der_encode_to_buffer(&asn_DEF_GetKeytabControl,
+                                gkctrl, buffer, buflen);
+    if (rval.encoded == -1) goto done;
+
+    *buf = buffer;
+    *len = buflen;
+    ret = true;
+
+done:
+    if (!ret) {
+        free(buffer);
+    }
+    return ret;
+}
+
+bool ipaasn1_enc_getkt(bool newkt, const char *princ, const char *pwd,
+                       long *etypes, int numtypes, void **buf, size_t *len)
+{
+    GetKeytabControl_t gkctrl = { 0 };
+    bool ret = false;
+
+    if (newkt) {
+        gkctrl.present = GetKeytabControl_PR_newkeys;
+        if (OCTET_STRING_fromString(&gkctrl.choice.newkeys.serviceIdentity,
+                                    princ) != 0) goto done;
+
+        for (int i = 0; i < numtypes; i++) {
+            long *tmp;
+            tmp = malloc(sizeof(long));
+            if (!tmp) goto done;
+            *tmp = etypes[i];
+            ASN_SEQUENCE_ADD(&gkctrl.choice.newkeys.enctypes.list, tmp);
+        }
+
+        if (pwd) {
+            gkctrl.choice.newkeys.password =
+                OCTET_STRING_new_fromBuf(&asn_DEF_OCTET_STRING, pwd, -1);
+            if (!gkctrl.choice.newkeys.password) goto done;
+        }
+    } else {
+        gkctrl.present = GetKeytabControl_PR_curkeys;
+        if (OCTET_STRING_fromString(&gkctrl.choice.curkeys.serviceIdentity,
+                                    princ) != 0) goto done;
+    }
+
+    ret = encode_GetKeytabControl(&gkctrl, buf, len);
+
+done:
+    ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GetKeytabControl, &gkctrl);
+    return ret;
+}
+
+bool ipaasn1_enc_getktreply(int kvno, struct keys_container *keys,
+                            void **buf, size_t *len)
+{
+    GetKeytabControl_t gkctrl = { 0 };
+    bool ret = false;
+    KrbKey_t *KK;
+
+    gkctrl.present = GetKeytabControl_PR_reply;
+    gkctrl.choice.reply.newkvno = kvno;
+
+    for (int i = 0; i < keys->nkeys; i++) {
+        KK = calloc(1, sizeof(KrbKey_t));
+        if (!KK) goto done;
+        KK->key.type = keys->ksdata[i].key.enctype;
+        KK->key.value.buf = malloc(keys->ksdata[i].key.length);
+        if (!KK->key.value.buf) goto done;
+        memcpy(KK->key.value.buf,
+               keys->ksdata[i].key.contents, keys->ksdata[i].key.length);
+        KK->key.value.size = keys->ksdata[i].key.length;
+
+        if (keys->ksdata[i].salt.data != NULL) {
+            KK->salt = calloc(1, sizeof(TypeValuePair_t));
+            if (!KK->salt) goto done;
+            KK->salt->type = keys->ksdata[i].salttype;
+            KK->salt->value.buf = malloc(keys->ksdata[i].salt.length);
+            if (!KK->salt->value.buf) goto done;
+            memcpy(KK->salt->value.buf,
+                   keys->ksdata[i].salt.data, keys->ksdata[i].salt.length);
+            KK->salt->value.size = keys->ksdata[i].salt.length;
+        }
+
+        /* KK->key.s2kparams not used for now */
+
+        ASN_SEQUENCE_ADD(&gkctrl.choice.reply.keys.list, KK);
+    }
+
+    ret = encode_GetKeytabControl(&gkctrl, buf, len);
+    KK = NULL;
+
+done:
+    ASN_STRUCT_FREE_CONTENTS_ONLY(asn_DEF_GetKeytabControl, &gkctrl);
+    if (KK) {
+        free(KK->key.value.buf);
+        if (KK->salt) {
+            free(KK->salt->value.buf);
+            free(KK->salt);
+        }
+        free(KK);
+    }
+    return ret;
+}
+
+static GetKeytabControl_t *decode_GetKeytabControl(void *buf, size_t len)
+{
+    GetKeytabControl_t *gkctrl = NULL;
+    asn_dec_rval_t rval;
+
+    rval = ber_decode(NULL, &asn_DEF_GetKeytabControl,
+                      (void **)&gkctrl, buf, len);
+    if (rval.code == RC_OK) {
+        return gkctrl;
+    }
+    return NULL;
+}
+
+bool ipaasn1_dec_getkt(void *buf, size_t len, bool *newkt,
+                       char **princ, char **pwd, long **etypes, int *numtypes)
+{
+    GetKeytabControl_t *gkctrl;
+    bool ret = false;
+    int num;
+
+    gkctrl = decode_GetKeytabControl(buf, len);
+    if (!gkctrl) return false;
+
+    switch (gkctrl->present) {
+    case GetKeytabControl_PR_newkeys:
+        *newkt = true;
+        *princ = strndup((char *)gkctrl->choice.newkeys.serviceIdentity.buf,
+                         gkctrl->choice.newkeys.serviceIdentity.size);
+        if (!*princ) goto done;
+
+        num = gkctrl->choice.newkeys.enctypes.list.count;
+        *etypes = malloc(num * sizeof(long));
+        *numtypes = 0;
+        if (!*etypes) goto done;
+        for (int i = 0; i < num; i++) {
+            (*etypes)[i] = *gkctrl->choice.newkeys.enctypes.list.array[i];
+            (*numtypes)++;
+        }
+
+        if (gkctrl->choice.newkeys.password) {
+            *pwd = strndup((char *)gkctrl->choice.newkeys.password->buf,
+                           gkctrl->choice.newkeys.password->size);
+            if (!*pwd) goto done;
+        }
+        break;
+    case GetKeytabControl_PR_curkeys:
+        *newkt = false;
+        *princ = strndup((char *)gkctrl->choice.curkeys.serviceIdentity.buf,
+                         gkctrl->choice.curkeys.serviceIdentity.size);
+        if (!*princ) goto done;
+        break;
+    default:
+        goto done;
+    }
+
+    ret = true;
+
+done:
+    ASN_STRUCT_FREE(asn_DEF_GetKeytabControl, gkctrl);
+    return ret;
+}
+
+bool ipaasn1_dec_getktreply(void *buf, size_t len,
+                            int *kvno, struct keys_container *keys)
+{
+    GetKeytabControl_t *gkctrl;
+    struct KrbKey *KK;
+    bool ret = false;
+    int nkeys;
+
+    gkctrl = decode_GetKeytabControl(buf, len);
+    if (!gkctrl) return false;
+
+    if (gkctrl->present != GetKeytabControl_PR_reply) goto done;
+
+    *kvno = gkctrl->choice.reply.newkvno;
+
+    nkeys = gkctrl->choice.reply.keys.list.count;
+
+    keys->nkeys = 0;
+    keys->ksdata = calloc(nkeys, sizeof(struct krb_key_salt));
+    if (!keys->ksdata) goto done;
+
+    for (int i = 0; i < nkeys; i++) {
+        KK = gkctrl->choice.reply.keys.list.array[i];
+        keys->ksdata[i].enctype = KK->key.type;
+        keys->ksdata[i].key.enctype = KK->key.type;
+        keys->ksdata[i].key.contents = malloc(KK->key.value.size);
+        if (!keys->ksdata[i].key.contents) goto done;
+        memcpy(keys->ksdata[i].key.contents,
+               KK->key.value.buf, KK->key.value.size);
+        keys->ksdata[i].key.length = KK->key.value.size;
+
+        if (KK->salt) {
+            keys->ksdata[i].salttype = KK->salt->type;
+            keys->ksdata[i].salt.data = malloc(KK->salt->value.size);
+            if (!keys->ksdata[i].salt.data) goto done;
+            memcpy(keys->ksdata[i].salt.data,
+                   KK->salt->value.buf, KK->salt->value.size);
+            keys->ksdata[i].salt.length = KK->salt->value.size;
+        }
+
+        /* KK->s2kparams is ignored for now */
+        keys->nkeys++;
+    }
+
+    ret = true;
+
+done:
+    ASN_STRUCT_FREE(asn_DEF_GetKeytabControl, gkctrl);
+    return ret;
+}
--- a/asn1/ipa_asn1.h
+++ b/asn1/ipa_asn1.h
@ -0,0 +1,73 @@
+#pragma once
+
+#include "ipa_krb5.h"
+
+/**
+ * @brief Encodes a Get Keytab Request Control
+ *
+ * @param newkt     Whether this is a New Key request or a Current Key one
+ * @param princ     The principal the keys belong to (this is required)
+ * @param pwd       Optional, only for New Key reqs, the password to use to
+ *                  create the new keys
+ * @param etypes    Optional, only for New Key reqs, list of desired
+ *                  enctypes
+ * @param numtypes  Optional, Number of desired enctypes in etypes
+ * @param buf       A void pointer wil lcontain pointer to an allocated
+ *                  buffer with the serialized control, must be freed
+ * @param len       Length of the returned buffer
+ *
+ * @return          True on success or False on failure
+ */
+bool ipaasn1_enc_getkt(bool newkt, const char *princ, const char *pwd,
+                       long *etypes, int numtypes, void **buf, size_t *len);
+
+/**
+ * @brief Encodes a Get Keytab Reply Control
+ *
+ * @param kvno      The new key version number
+ * @param keys      A set of keys to return to the caller
+ * @param buf       A void pointer wil lcontain pointer to an allocated
+ *                  buffer with the serialized control, must be freed
+ * @param len       Length of the returned buffer
+ *
+ * @return          True on success or False on failure
+ */
+bool ipaasn1_enc_getktreply(int kvno, struct keys_container *keys,
+                            void **buf, size_t *len);
+
+/**
+ * @brief Decodes a Get Keytab Requst Control
+ *
+ * @param buf       A pointer to the serialized buffer
+ * @param len       The lenght of the buffer
+ * @param newkt     Returns whether this is a New Key or Current Key request
+ * @param princ     Returns the principal the keys belong to.
+ * @param pwd       Optional: The password to use to create keys
+ * @param etypes    Optional: The desired enctypes
+ * @param numtypes  Optional: Number of desired enctypes in etypes
+ *
+ * @return          True on success or False on failure
+ *
+ * NOTE: princ, pwd, etypes and numtypes should be zeroed before being
+ *       passed in input, and the caller may need to free them even in
+ *       case of failure.
+ */
+bool ipaasn1_dec_getkt(void *buf, size_t len, bool *newkt,
+                       char **princ, char **pwd,
+                       long **etypes, int *numtypes);
+
+/**
+ * @brief Decodes a Get Keytab Reply Control
+ *
+ * @param buf       A pointer to the serialized buffer
+ * @param len       The lenght of the buffer
+ * @param kvno      The new key version number
+ * @param keys      A set of keys generated by the server
+ *
+ * @return          True on success or False on failure
+ *
+ * NOTE: keys should be a zeroed structure and the caller may need to free
+ *       it even in case of failure.
+ */
+bool ipaasn1_dec_getktreply(void *buf, size_t len,
+                            int *kvno, struct keys_container *keys);
--- a/autogen.sh
+++ b/autogen.sh
@ -1,3 +0,0 @@
-#!/bin/sh
-autoreconf -i -f
-./configure ${1+"$@"}
--- a/checks/README
+++ b/checks/README
@ -1,3 +0,0 @@
-This directory is for integration tests that require a live backend (LDAP,
-Certificate Server, etc.).  It's named "checks" so nose wont discover tests
-here.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Timo Aaltonen	cf130d9898	Imported Debian patch 4.7.2-3	2021-08-09 20:54:13 +02:00
Mario Fetka	a791de49a2	Imported Upstream version 4.7.2	2021-08-09 20:54:00 +02:00