asn1: Templates work for IMPLICIT; add build opt

Finally.  We're almost at parity for the template compiler.

Now we have a build option to use templating:

    `./configure --enable-asn1-templating`

Tests fail if you build `rfc2459.asn1` with `--template`.

TBD: Figure out what differences remain between the two compilers, and
     fix the templating compiler accordingly, adding tests along the
     way.

Making IMPLICIT tags work in the templating compiler turned out to be a
simple fix: don't attempt to do anything clever about IMPLICIT tags in
the template generator in the compiler other than denoting them --
instead leave all the smarts about IMPLICIT tags to the interpreter.
This might be a very slight pessimization, but also a great
simplification.

The result is very elegant: when the interpreter finds an IMPLICIT
tag it then recurses to find the template for the body of the type
so-tagged, and evaluates that.  Much more elegant than the code
generated by the non-template compiler, not least for not needing
any additional temporary memory allocation.

With this we finally have parity in basic testing of the template
compiler.  Indeed, for IMPLICIT tags the template compiler and
interpreter might even be better because they support IMPLICIT tags
with BER lengths, whereas the non-template compiler doesn't (mostly
because `der_replace_tag()` needs to be changed to support it.

And, of course, the template compiler is simply superior in that it
produces smaller code and is *much* easier to work with because the
functions to interpret templates are small and simple.  Which means we
can add more functions to deal with other encoding rules fairly
trivially.  It should be possible to add all of these with very little
work, almost all of it localized to `lib/asn1/template.c`:

 - PER  Packed Encoding Rules [X.691]
 - XER  XML Encoding Rules    [X.693]
 - OER  Octet Encoding Rules  [X.696] (intended to replace PER)
 - JER  JSON Encoding Rules   [X.697] (doubles as visual representation)
 - GSER Generic String E.R.s  [RFC3641] (a visual representation)

 - XDR  External Data Repr.   [STD67][RFC4506]

       (XDR is *not* an ASN.1 encoding rules specification, but it's a
        *lot* like PER/OER but with 4-octet alignment, and is specified
        for the syntax equivalent (XDR) of only a subset of ASN.1 syntax
        and semantics.)

All we'd have to do is add variants of `_asn1_{length,encode,decode}()`
for each set of rules, then generate per-type stub functions that call
them (as we already do for DER).

We could then have an encoding rule transliteration program that takes a
`TypeName` and some representation of a value encoded by some encoding
rules, and outputs the same thing encoded by a different set of rules.
This would double as a pretty-printer and parser if we do add support
for JER and/or GSER.  It would find the template for the given type
using `dlsym()` against some shared object (possibly `libasn1` itself).

Whereas generating source code for C (or whatever language) for
additional ERs requires much more work.  Plus, templates are much
smaller, and the interpreter is tiny, which yields much smaller text and
much smaller CPU icache/dcache footprint, which yields better
performance in many cases.

As well, the template system should be much easier to port to other
languages.  Though in the cases of, e.g., Rust, it would require use of
`unsafe` in the interpreter, so in fact the inverse might be true: that
it's easier to generate safe Rust code than to implement a template
interpreter in Rust.  Similarly for Haskell, OCAML, etc.  But wherever
the template interpreter is easy to implement, it's a huge win.

Note that implementing OER and PER using the templates as they are
currently would be a bit of a challenge, as the interpreter would have
to first do a pass of each SEQUENCE/SET to determine the size and
layout of the OER/PER sequence/set preamble by counting the number of
OPTIONAL/DEFAULT members, BOOLEAN members, and extensibility markers
with extensions present.  We could always generate more entries to
encode precomputed preamble metadata.  We would also need to add a
template entry type for extensibility markers, which currently we do
not.

configure.ac

@@ -138,6 +138,11 @@ if test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes; then
 fi
 AM_CONDITIONAL(OPENLDAP_MODULE, test "$enable_hdb_openldap_module" = yes -a "$with_openldap" = yes)
 
+AC_ARG_ENABLE(asn1-templating, 
+	AS_HELP_STRING([--enable-asn1-templating],
+		[if you want disable to use of the ASN.1 templating compiler]))
+AM_CONDITIONAL(ASN1_TEMPLATING, test "x$enable_asn1_templating" = xyes)
+
 dnl
 dnl Optional modules, pk-init, digest, kx509
 dnl

lib/asn1/Makefile.am

@@ -145,7 +145,6 @@ check_gen_template_LDADD = \
 	libasn1.la \
 	$(LIB_roken)
 
-check_gen_CPPFLAGS = -DIMPLICIT_TAGGING_WORKS
 check_gen_LDADD = \
 	libasn1.la \
 	$(LIB_roken)
@@ -192,7 +191,7 @@ CLEANFILES = \
 	x690sample_asn1_files x690sample_asn1*.h* x690sample_asn1*.x \
 	test_asn1_files test_asn1*.h* test_asn1*.x \
 	test_template_asn1* \
-	asn1_*.x
+	asn1_*.tmp.c asn1_*.x
 
 dist_include_HEADERS = der.h heim_asn1.h
 dist_include_HEADERS += $(srcdir)/der-protos.h $(srcdir)/der-private.h
@@ -265,50 +264,58 @@ $(gen_files_x690sample) x690sample_asn1.hx x690sample_asn1-priv.hx: x690sample_a
 $(gen_files_test) test_asn1.hx test_asn1-priv.hx: test_asn1_files
 $(gen_files_test_template) test_template_asn1.hx test_template_asn1-priv.hx: test_template_asn1_files
 
+if ASN1_TEMPLATING
+TEMPLATE_OPTION=--template
+else
+TEMPLATE_OPTION=
+endif
+
+# XXX Currently using the template compiler for rfc2459.asn1 breaks
 rfc2459_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc2459.asn1
 	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/rfc2459.opt $(srcdir)/rfc2459.asn1 rfc2459_asn1 || (rm -f rfc2459_asn1_files ; exit 1)
 
 rfc4043_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc4043.asn1
-	$(ASN1_COMPILE) --one-code-file $(srcdir)/rfc4043.asn1 rfc4043_asn1 || (rm -f rfc4043_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) $(srcdir)/rfc4043.asn1 rfc4043_asn1 || (rm -f rfc4043_asn1_files ; exit 1)
 
 rfc4108_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc4108.asn1
-	$(ASN1_COMPILE) --one-code-file $(srcdir)/rfc4108.asn1 rfc4108_asn1 || (rm -f rfc4108_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) $(srcdir)/rfc4108.asn1 rfc4108_asn1 || (rm -f rfc4108_asn1_files ; exit 1)
 
 tcg_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/tcg.asn1
-	$(ASN1_COMPILE) --prefix-enum --one-code-file $(srcdir)/tcg.asn1 tcg_asn1 || (rm -f tcg_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --prefix-enum --one-code-file $(TEMPLATE_OPTION) $(srcdir)/tcg.asn1 tcg_asn1 || (rm -f tcg_asn1_files ; exit 1)
 
 cms_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/cms.asn1 $(srcdir)/cms.opt
-	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/cms.opt $(srcdir)/cms.asn1 cms_asn1 || (rm -f cms_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) --option-file=$(srcdir)/cms.opt $(srcdir)/cms.asn1 cms_asn1 || (rm -f cms_asn1_files ; exit 1)
 
 crmf_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/crmf.asn1 $(srcdir)/crmf.opt
-	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/crmf.opt $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) --option-file=$(srcdir)/crmf.opt $(srcdir)/crmf.asn1 crmf_asn1 || (rm -f crmf_asn1_files ; exit 1)
 
 krb5_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/krb5.asn1 $(srcdir)/krb5.opt
-	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/krb5.opt $(srcdir)/krb5.asn1 krb5_asn1 || (rm -f krb5_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) --option-file=$(srcdir)/krb5.opt $(srcdir)/krb5.asn1 krb5_asn1 || (rm -f krb5_asn1_files ; exit 1)
 
 ocsp_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/ocsp.asn1
-	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) --option-file=$(srcdir)/ocsp.opt $(srcdir)/ocsp.asn1 ocsp_asn1 || (rm -f ocsp_asn1_files ; exit 1)
 
 pkinit_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkinit.asn1
-	$(ASN1_COMPILE) --one-code-file $(srcdir)/pkinit.asn1 pkinit_asn1 || (rm -f pkinit_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) $(srcdir)/pkinit.asn1 pkinit_asn1 || (rm -f pkinit_asn1_files ; exit 1)
 
 pkcs8_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs8.asn1
-	$(ASN1_COMPILE) --one-code-file $(srcdir)/pkcs8.asn1 pkcs8_asn1 || (rm -f pkcs8_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) $(srcdir)/pkcs8.asn1 pkcs8_asn1 || (rm -f pkcs8_asn1_files ; exit 1)
 
 pkcs9_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs9.asn1
-	$(ASN1_COMPILE) --one-code-file $(srcdir)/pkcs9.asn1 pkcs9_asn1 || (rm -f pkcs9_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) $(srcdir)/pkcs9.asn1 pkcs9_asn1 || (rm -f pkcs9_asn1_files ; exit 1)
 
 pkcs10_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs10.asn1
-	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) --option-file=$(srcdir)/pkcs10.opt $(srcdir)/pkcs10.asn1 pkcs10_asn1 || (rm -f pkcs10_asn1_files ; exit 1)
 
+# XXX Currently using the template compiler for pkcs12.asn1 breaks
 pkcs12_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/pkcs12.asn1
 	$(ASN1_COMPILE) --one-code-file $(srcdir)/pkcs12.asn1 pkcs12_asn1 || (rm -f pkcs12_asn1_files ; exit 1)
 
 digest_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/digest.asn1
-	$(ASN1_COMPILE) --one-code-file $(srcdir)/digest.asn1 digest_asn1 || (rm -f digest_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) $(srcdir)/digest.asn1 digest_asn1 || (rm -f digest_asn1_files ; exit 1)
 
 kx509_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/kx509.asn1
-	$(ASN1_COMPILE) --one-code-file $(srcdir)/kx509.asn1 kx509_asn1 || (rm -f kx509_asn1_files ; exit 1)
+	$(ASN1_COMPILE) --one-code-file $(TEMPLATE_OPTION) $(srcdir)/kx509.asn1 kx509_asn1 || (rm -f kx509_asn1_files ; exit 1)
 
 x690sample_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/x690sample.asn1
 	$(ASN1_COMPILE) --one-code-file $(srcdir)/x690sample.asn1 x690sample_asn1 || (rm -f x690sample_asn1_files ; exit 1)

lib/asn1/NTMakefile

@@ -63,6 +63,8 @@ gen_files_pkcs10	= $(OBJ)\asn1_pkcs10_asn1.x
 
 gen_files_test		= $(OBJ)\asn1_test_asn1.x
 
+gen_files_test_template	= $(OBJ)\test_template_asn1-template.x
+
 gen_files_digest	= $(OBJ)\asn1_digest_asn1.x
 
 gen_files_kx509		= $(OBJ)\asn1_kx509_asn1.x
@@ -122,6 +124,7 @@ LIBASN1_OBJS=	\
 	$(OBJ)\der_copy.obj			\
 	$(OBJ)\der_cmp.obj			\
 	$(OBJ)\der_format.obj			\
+	$(OBJ)\template.obj			\
 	$(OBJ)\extra.obj			\
 	$(OBJ)\timegm.obj			\
 	$(gen_files_rfc2459:.x=.obj)		\
@@ -201,6 +204,8 @@ $(gen_files_x690sample:.x=.c)	    : $$(@R).x
 
 $(gen_files_test:.x=.c)	    : $$(@R).x
 
+$(gen_files_test_template:.x=.c)	    : $$(@R).x
+
 $(gen_files_krb5) $(OBJ)\krb5_asn1.hx: $(BINDIR)\asn1_compile.exe krb5.asn1 krb5.opt
 	cd $(OBJ)
 	$(BINDIR)\asn1_compile.exe \
@@ -331,6 +336,14 @@ $(gen_files_test) $(OBJ)\test_asn1.hx: $(BINDIR)\asn1_compile.exe test.asn1
 	|| ($(RM) $(OBJ)\test_asn1.h ; exit /b 1)
 	cd $(SRCDIR)
 
+$(gen_files_test_template) $(OBJ)\test_template_asn1.hx: $(BINDIR)\asn1_compile.exe test.asn1
+	cd $(OBJ)
+	$(BINDIR)\asn1_compile.exe \
+		--template --sequence=TESTSeqOf \
+		$(SRCDIR)\test.asn1 test_template_asn1 \
+	|| ($(RM) $(OBJ)\test_template_asn1.h ; exit /b 1)
+	cd $(SRCDIR)
+
 INCFILES=			    \
 	$(INCDIR)\der.h		    \
 	$(INCDIR)\heim_asn1.h	    \
@@ -342,41 +355,43 @@ INCFILES=			    \
 
 $(INCDIR)\der-protos.h: $(OBJ)\der-protos.h
 
-GENINCFILES=				\
-	$(INCDIR)\asn1_err.h		\
-	$(INCDIR)\cms_asn1.h		\
-	$(INCDIR)\crmf_asn1.h		\
-	$(INCDIR)\digest_asn1.h		\
-	$(INCDIR)\krb5_asn1.h		\
-	$(INCDIR)\kx509_asn1.h		\
-	$(INCDIR)\ocsp_asn1.h		\
-	$(INCDIR)\pkcs12_asn1.h		\
-	$(INCDIR)\pkcs8_asn1.h		\
-	$(INCDIR)\pkcs9_asn1.h		\
-	$(INCDIR)\pkcs10_asn1.h		\
-	$(INCDIR)\pkinit_asn1.h		\
-	$(INCDIR)\rfc2459_asn1.h	\
-	$(INCDIR)\rfc4043_asn1.h	\
-	$(INCDIR)\rfc4108_asn1.h	\
-	$(INCDIR)\tcg_asn1.h		\
-	$(INCDIR)\x690sample_asn1.h	\
-	$(OBJ)\krb5_asn1-priv.h		\
-	$(OBJ)\ocsp_asn1-priv.h		\
-	$(OBJ)\pkinit_asn1-priv.h	\
-	$(OBJ)\cms_asn1-priv.h		\
-	$(OBJ)\crmf_asn1-priv.h		\
-	$(OBJ)\rfc2459_asn1-priv.h	\
-	$(OBJ)\rfc4043_asn1-priv.h	\
-	$(OBJ)\rfc4108_asn1-priv.h	\
-	$(OBJ)\tcg_asn1-priv.h		\
-	$(OBJ)\x690sample_asn1-priv.h	\
-	$(OBJ)\pkcs8_asn1-priv.h	\
-	$(OBJ)\pkcs9_asn1-priv.h	\
-	$(OBJ)\pkcs10_asn1-priv.h	\
-	$(OBJ)\pkcs12_asn1-priv.h	\
-	$(OBJ)\digest_asn1-priv.h	\
-	$(OBJ)\kx509_asn1-priv.h	\
-	$(OBJ)\test_asn1.h		\
+GENINCFILES=					\
+	$(INCDIR)\asn1_err.h			\
+	$(INCDIR)\cms_asn1.h			\
+	$(INCDIR)\crmf_asn1.h			\
+	$(INCDIR)\digest_asn1.h			\
+	$(INCDIR)\krb5_asn1.h			\
+	$(INCDIR)\kx509_asn1.h			\
+	$(INCDIR)\ocsp_asn1.h			\
+	$(INCDIR)\pkcs12_asn1.h			\
+	$(INCDIR)\pkcs8_asn1.h			\
+	$(INCDIR)\pkcs9_asn1.h			\
+	$(INCDIR)\pkcs10_asn1.h			\
+	$(INCDIR)\pkinit_asn1.h			\
+	$(INCDIR)\rfc2459_asn1.h		\
+	$(INCDIR)\rfc4043_asn1.h		\
+	$(INCDIR)\rfc4108_asn1.h		\
+	$(INCDIR)\tcg_asn1.h			\
+	$(INCDIR)\x690sample_asn1.h		\
+	$(OBJ)\krb5_asn1-priv.h			\
+	$(OBJ)\ocsp_asn1-priv.h			\
+	$(OBJ)\pkinit_asn1-priv.h		\
+	$(OBJ)\cms_asn1-priv.h			\
+	$(OBJ)\crmf_asn1-priv.h			\
+	$(OBJ)\rfc2459_asn1-priv.h		\
+	$(OBJ)\rfc4043_asn1-priv.h		\
+	$(OBJ)\rfc4108_asn1-priv.h		\
+	$(OBJ)\tcg_asn1-priv.h			\
+	$(OBJ)\x690sample_asn1-priv.h		\
+	$(OBJ)\pkcs8_asn1-priv.h		\
+	$(OBJ)\pkcs9_asn1-priv.h		\
+	$(OBJ)\pkcs10_asn1-priv.h		\
+	$(OBJ)\pkcs12_asn1-priv.h		\
+	$(OBJ)\digest_asn1-priv.h		\
+	$(OBJ)\kx509_asn1-priv.h		\
+	$(OBJ)\test_template_asn1.h		\
+	$(OBJ)\test_template_asn1-priv.h	\
+	$(OBJ)\test_asn1.h			\
 	$(OBJ)\test_asn1-priv.h
 
 libasn1_base_SOURCES=	\
@@ -390,6 +405,7 @@ libasn1_base_SOURCES=	\
 	der_copy.c	\
 	der_cmp.c	\
 	der_format.c	\
+	template.c	\
 	heim_asn1.h	\
 	extra.c		\
 	timegm.c
@@ -419,11 +435,12 @@ clean::
 	-$(RM) $(LIBEXECDIR)\asn1_gen.*
 
 TEST_BINARIES=\
-	$(OBJ)\check-der.exe	\
-	$(OBJ)\check-gen.exe	\
-	$(OBJ)\check-timegm.exe \
-	$(OBJ)\check-ber.exe	\
-	$(OBJ)\check-template.exe \
+	$(OBJ)\check-der.exe		\
+	$(OBJ)\check-gen.exe		\
+	$(OBJ)\check-gen-template.exe	\
+	$(OBJ)\check-timegm.exe 	\
+	$(OBJ)\check-ber.exe		\
+	$(OBJ)\check-template.exe
 
 test-binaries: $(TEST_BINARIES)
 
@@ -431,6 +448,7 @@ test-run:
 	cd $(OBJ)
 	-check-der.exe
 	-check-gen.exe
+	-check-gen-template.exe
 	-check-timegm.exe
 	-check-ber.exe
 	-check-template.exe
@@ -456,6 +474,11 @@ $(OBJ)\check-gen.exe: $(OBJ)\check-gen.obj $(OBJ)\check-common.obj \
 	$(EXECONLINK)
 	$(EXEPREP_NODIST)
 
+$(OBJ)\check-gen-template.exe: $(OBJ)\check-gen.obj $(OBJ)\check-common.obj \
+		$(LIBHEIMDAL) $(LIBROKEN) $(gen_files_test_template:.x=.obj)
+	$(EXECONLINK)
+	$(EXEPREP_NODIST)
+
 $(OBJ)\check-timegm.exe: $(OBJ)\check-timegm.obj \
 		$(LIBHEIMDAL) $(LIBROKEN)
 	$(EXECONLINK)

lib/asn1/check-gen.c

@@ -1016,7 +1016,6 @@ test_choice (void)
     return ret;
 }
 
-#ifdef IMPLICIT_TAGGING_WORKS
 static int
 cmp_TESTImplicit (void *a, void *b)
 {
@@ -1105,7 +1104,6 @@ test_implicit (void)
 
     return ret;
 }
-#endif
 
 static int
 cmp_TESTAlloc (void *a, void *b)
@@ -1883,9 +1881,7 @@ main(int argc, char **argv)
     DO_ONE(test_large_tag);
     DO_ONE(test_choice);
 
-#ifdef IMPLICIT_TAGGING_WORKS
     DO_ONE(test_implicit);
-#endif
 
     DO_ONE(test_taglessalloc);
     DO_ONE(test_optional);

lib/asn1/cms.asn1

@@ -5,7 +5,7 @@ CMS DEFINITIONS ::= BEGIN
 
 IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name,
 	Attribute, Certificate, SubjectKeyIdentifier FROM rfc2459
-	heim_any, heim_any_set FROM heim;
+	heim_any FROM heim;
 
 id-pkcs7 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
          us(840) rsadsi(113549) pkcs(1) pkcs7(7) }

lib/asn1/gen_seq.c

@@ -38,7 +38,7 @@ RCSID("$Id$");
 static FILE *
 get_code_file(void)
 {
-    if (!one_code_file && templatefile)
+    if (!one_code_file && template_flag && templatefile)
         return templatefile;
     return codefile;
 }

lib/asn1/gen_template.c

@@ -666,43 +666,13 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
         int prim = !(t->tag.tagclass != ASN1_C_UNIV &&
                      t->tag.tagenv == TE_EXPLICIT) &&
             is_primitive_type(t->subtype);
-	struct type *subtype;
 
 	fprintf(get_code_file(), "/* template_members: %s %s %s */\n", basetype, implicit ? "imp" : "exp", tagimplicit ? "imp" : "exp");
 
-	if (tagimplicit) {
-
-	    struct type *type = t->subtype;
-	    int have_tag = 0;
-
-	    while (!have_tag) {
-		if (type->type == TTag) {
-		    fprintf(get_code_file(), "/* template_members: imp skip tag */\n");
-		    type = type->subtype;
-		    have_tag = 1;
-		} else if(type->type == TType && type->symbol && type->symbol->type) {
-		    /* XXX really, we should stop here and find a
-		     * pointer to where this is encoded instead of
-		     * generated an new structure and hope that the
-		     * optimizer catch it later.
-		     */
-		    subtype_is_struct = is_struct(type, isstruct);
-		    fprintf(get_code_file(), "/* template_members: imp skip type %s isstruct: %d */\n",
-			    type->symbol->name, subtype_is_struct);
-		    type = type->symbol->type;
-		} else {
-		    have_tag = 1;
-		}
-	    }
-	    subtype = type;
-	} else {
-	    subtype = t->subtype;
-	}
-
 	if (subtype_is_struct)
 	    sename = basetype;
 	else
-	    sename = symbol_name(basetype, subtype);
+	    sename = symbol_name(basetype, t->subtype);
 
 	if (asprintf(&tname, "tag_%s_%lu", name ? name : "", tag_counter++) < 0 || tname == NULL)
 	    errx(1, "malloc");
@@ -712,7 +682,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
 	    errx(1, "malloc");
 
 	generate_template_type(elname, &dupname, NULL, sename, name,
-			       subtype, 0, subtype_is_struct, 0);
+			       t->subtype, 0, subtype_is_struct, 0);
 
 	add_line_pointer(temp, dupname, poffset,
 			 "A1_TAG_T(%s,%s,%s)%s%s",

lib/asn1/kx509.asn1

@@ -7,8 +7,7 @@
 
 KX509 DEFINITIONS ::= BEGIN
 IMPORTS Extensions FROM rfc2459
-        KerberosTime FROM krb5
-        KRB5PrincipalName FROM pkinit;
+        KerberosTime FROM krb5;
 
 KX509-ERROR-CODE ::= INTEGER {
 	KX509-STATUS-GOOD(0),

lib/asn1/libasn1-exports.def

@@ -1,4 +1,9 @@
 EXPORTS
+	_asn1_decode_top
+	_asn1_encode
+	_asn1_length
+	_asn1_free_top
+	_asn1_copy_top
 	add_AttributeValues
 	add_AuthorizationData
 	add_CertificatePolicies

lib/asn1/pkcs8.asn1

@@ -4,8 +4,7 @@ PKCS8 DEFINITIONS ::=
 
 BEGIN
 
-IMPORTS	Attribute, AlgorithmIdentifier FROM rfc2459
-	heim_any, heim_any_set FROM heim;
+IMPORTS	Attribute, AlgorithmIdentifier FROM rfc2459;
 
 PKCS8PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
 

lib/asn1/pkinit.asn1

@@ -3,7 +3,7 @@
 PKINIT DEFINITIONS ::= BEGIN
 
 IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
-	IssuerAndSerialNumber, ContentInfo FROM cms
+	IssuerAndSerialNumber FROM cms
 	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
 	heim_any FROM heim;
 

lib/asn1/pku2u.asn1

@@ -2,10 +2,8 @@
 
 PKU2U DEFINITIONS ::= BEGIN
 
-IMPORTS heim_any_set FROM heim
-	Checksum FROM krb5
-	GeneralName FROM rfc2459
-	;
+IMPORTS Checksum FROM krb5
+	GeneralName FROM rfc2459;
 
 GSS_KRB5_FINISHED ::= SEQUENCE {
 	gss-mic [1] Checksum,
@@ -29,4 +27,4 @@ InitiatorNameAssertion ::= SEQUENCE {
 	targetName [1] TargetName OPTIONAL
 }
 
-END
+END

lib/asn1/tcg.asn1

@@ -1,8 +1,6 @@
 TCG DEFINITIONS ::= BEGIN
 
-IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name,
-        Attribute, Certificate, SubjectKeyIdentifier FROM rfc2459
-        heim_any, heim_any_set FROM heim;
+IMPORTS AlgorithmIdentifier FROM rfc2459;
 
 
 -- BEGIN Heimdal commentary

lib/asn1/template.c

@@ -320,15 +320,30 @@ _asn1_decode(const struct asn1_template *t, unsigned flags,
 
             if (replace_tag) {
                 const struct asn1_template *subtype = t->ptr;
+                int have_tag = 0;
 
-                if (A1_HEADER_LEN(subtype++) != 1) {
-                    ret = _asn1_decode(t->ptr, subflags, p, datalen, data, &newsize);
-                } else {
-                    subtype = subtype->ptr;
-                    if (A1_HEADER_LEN(subtype++) != 1)
-                        ret = _asn1_decode(t->ptr, subflags, p, datalen, data, &newsize);
-                    else
+                /*
+                 * So, we have an IMPLICIT tag.  What we want to do is find the
+                 * template for the body of the type so-tagged.  That's going
+                 * to be a template that has a tag that isn't itself IMPLICIT.
+                 *
+                 * So we chase the pointer in the template until we find such a
+                 * thing, then decode using that template.
+                 */
+                while (!have_tag) {
+                    subtype++;
+                    if ((subtype->tt & A1_OP_MASK) == A1_OP_TAG)
+                        replace_tag = (subtype->tt & A1_FLAG_IMPLICIT) && is_tagged(t->ptr);
+                    if (replace_tag) {
+                        subtype = subtype->ptr;
+                        continue;
+                    }
+                    if ((subtype->tt & A1_OP_MASK) == A1_OP_TAG) {
                         ret = _asn1_decode(subtype->ptr, subflags, p, datalen, data, &newsize);
+                        have_tag = 1;
+                    } else {
+                        subtype = subtype->ptr;
+                    }
                 }
             } else {
                 ret = _asn1_decode(t->ptr, subflags, p, datalen, data, &newsize);

lib/asn1/x690sample.asn1

@@ -1,8 +1,5 @@
 x690sample DEFINITIONS ::= BEGIN
 
-IMPORTS heim_any,
- heim_any_set FROM heim;
-
 -- This is taken from Appendix A of X.690.
 --
 -- This doesn't exercise every feature, like OPTIONAL, not really DEFAULT, not