diff --git a/asn1/Makefile.in b/asn1/Makefile.in
index b0ebe134f..947a5bf32 100644
--- a/asn1/Makefile.in
+++ b/asn1/Makefile.in
@@ -25,7 +25,7 @@ FOO_HDRS	= lex.h parse.h hash.h symbol.h gen.h
 PROG		= foo
 
 ASN1_SRCS	= der_get.c der_put.c
-ASN1_OBJS	= der_get.o der_put.o foo.o
+ASN1_OBJS	= foo.o der_get.o der_put.o
 ASN1_HDRS	=
 
 .c.o:
@@ -45,7 +45,7 @@ foo:		$(FOO_OBJS)
 libasn1.a:	$(ASN1_OBJS)
 		ar cr $@ $(ASN1_OBJS)
 
-foo.c foo.h:	k5.asn1
+foo.c foo.h:	k5.asn1 foo
 		./foo $(srcdir)/k5.asn1
 
 parse.h:	parse.c
diff --git a/asn1/gen.c b/asn1/gen.c
index 8e3839ded..3b9151ffc 100644
--- a/asn1/gen.c
+++ b/asn1/gen.c
@@ -379,6 +379,25 @@ decode_type (char *name, Type *t)
     decode_primitive ("octet_string", name);
     break;
   case TBitString:
+    /* XXX */
+    fprintf (codefile,
+	     "l = der_match_tag (p, len, UNIV, PRIM, UT_BitString);\n"
+	     "if(l < 0)\n"
+	     "return l;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "l = der_get_length (p, len, &reallen);\n"
+	     "if(l < 0)\n"
+	     "return l;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "if(len < reallen)\n"
+	     "return -1;\n"
+	     "p += reallen;\n"
+	     "len -= reallen;\n"
+	     "ret += reallen;\n");
     break;
   case TSequence: {
     Member *m;
@@ -427,13 +446,21 @@ decode_type (char *name, Type *t)
 	       "return -1;\n"
 	       "oldlen = len;\n"
 	       "len = newlen;\n");
+      if (m->optional)
+	fprintf (codefile,
+		 "%s = malloc(sizeof(*%s));\n",
+		 s, s);
       decode_type (s, m->type);
       fprintf (codefile,
 	       "len = oldlen - newlen;\n"
-	       "}\n");
-      if (!m->optional)
+	       "}\n"
+	       "else {\n");
+      if(m->optional)
+	fprintf (codefile,
+		 "%s = NULL;\n"
+		 "}\n", s);
+      else
 	fprintf (codefile,
-		 "else {\n"
 		 "return l;\n"
 		 "}\n");
       fprintf (codefile,
diff --git a/cache.c b/cache.c
index 6b3477fb0..f2937ef57 100644
--- a/cache.c
+++ b/cache.c
@@ -224,7 +224,8 @@ ret_principal(int fd,
 
   p = ALLOC(1, krb5_principal_data);
 
-  ret_int32(fd, &p->type);
+  if(ret_int32(fd, &p->type))
+    return -1;
   ret_int32(fd, &p->ncomp);
   ret_data(fd, &p->realm);
   p->comp = ALLOC(p->ncomp, krb5_data);
diff --git a/get_in_tkt.c b/get_in_tkt.c
index 1d6df71fc..b7ef635ab 100644
--- a/get_in_tkt.c
+++ b/get_in_tkt.c
@@ -179,7 +179,7 @@ krb5_get_in_tkt(krb5_context context,
      if (err) {
 	  return err;
      }
-     if(decode_AS_REP(resp.data, resp.length, &rep) < 0)
+     if(decode_AS_REP(resp.data, resp.length, &rep.part1) < 0)
        return ASN1_PARSE_ERROR;
 
      free (rep.part1.crealm);
@@ -213,6 +213,8 @@ krb5_get_in_tkt(krb5_context context,
 	  decrypt_proc = decrypt_tkt;
 
      err = (*decrypt_proc)(context, key, decryptarg, &rep);
+     if (err)
+       return err;
      memset (key->contents.data, 0, key->contents.length);
      krb5_data_free (&key->contents);
      free (key);
diff --git a/lib/asn1/Makefile.in b/lib/asn1/Makefile.in
index b0ebe134f..947a5bf32 100644
--- a/lib/asn1/Makefile.in
+++ b/lib/asn1/Makefile.in
@@ -25,7 +25,7 @@ FOO_HDRS	= lex.h parse.h hash.h symbol.h gen.h
 PROG		= foo
 
 ASN1_SRCS	= der_get.c der_put.c
-ASN1_OBJS	= der_get.o der_put.o foo.o
+ASN1_OBJS	= foo.o der_get.o der_put.o
 ASN1_HDRS	=
 
 .c.o:
@@ -45,7 +45,7 @@ foo:		$(FOO_OBJS)
 libasn1.a:	$(ASN1_OBJS)
 		ar cr $@ $(ASN1_OBJS)
 
-foo.c foo.h:	k5.asn1
+foo.c foo.h:	k5.asn1 foo
 		./foo $(srcdir)/k5.asn1
 
 parse.h:	parse.c
diff --git a/lib/asn1/gen.c b/lib/asn1/gen.c
index 8e3839ded..3b9151ffc 100644
--- a/lib/asn1/gen.c
+++ b/lib/asn1/gen.c
@@ -379,6 +379,25 @@ decode_type (char *name, Type *t)
     decode_primitive ("octet_string", name);
     break;
   case TBitString:
+    /* XXX */
+    fprintf (codefile,
+	     "l = der_match_tag (p, len, UNIV, PRIM, UT_BitString);\n"
+	     "if(l < 0)\n"
+	     "return l;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "l = der_get_length (p, len, &reallen);\n"
+	     "if(l < 0)\n"
+	     "return l;\n"
+	     "p += l;\n"
+	     "len -= l;\n"
+	     "ret += l;\n"
+	     "if(len < reallen)\n"
+	     "return -1;\n"
+	     "p += reallen;\n"
+	     "len -= reallen;\n"
+	     "ret += reallen;\n");
     break;
   case TSequence: {
     Member *m;
@@ -427,13 +446,21 @@ decode_type (char *name, Type *t)
 	       "return -1;\n"
 	       "oldlen = len;\n"
 	       "len = newlen;\n");
+      if (m->optional)
+	fprintf (codefile,
+		 "%s = malloc(sizeof(*%s));\n",
+		 s, s);
       decode_type (s, m->type);
       fprintf (codefile,
 	       "len = oldlen - newlen;\n"
-	       "}\n");
-      if (!m->optional)
+	       "}\n"
+	       "else {\n");
+      if(m->optional)
+	fprintf (codefile,
+		 "%s = NULL;\n"
+		 "}\n", s);
+      else
 	fprintf (codefile,
-		 "else {\n"
 		 "return l;\n"
 		 "}\n");
       fprintf (codefile,
diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c
index 6b3477fb0..f2937ef57 100644
--- a/lib/krb5/cache.c
+++ b/lib/krb5/cache.c
@@ -224,7 +224,8 @@ ret_principal(int fd,
 
   p = ALLOC(1, krb5_principal_data);
 
-  ret_int32(fd, &p->type);
+  if(ret_int32(fd, &p->type))
+    return -1;
   ret_int32(fd, &p->ncomp);
   ret_data(fd, &p->realm);
   p->comp = ALLOC(p->ncomp, krb5_data);
diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c
index 1d6df71fc..b7ef635ab 100644
--- a/lib/krb5/get_in_tkt.c
+++ b/lib/krb5/get_in_tkt.c
@@ -179,7 +179,7 @@ krb5_get_in_tkt(krb5_context context,
      if (err) {
 	  return err;
      }
-     if(decode_AS_REP(resp.data, resp.length, &rep) < 0)
+     if(decode_AS_REP(resp.data, resp.length, &rep.part1) < 0)
        return ASN1_PARSE_ERROR;
 
      free (rep.part1.crealm);
@@ -213,6 +213,8 @@ krb5_get_in_tkt(krb5_context context,
 	  decrypt_proc = decrypt_tkt;
 
      err = (*decrypt_proc)(context, key, decryptarg, &rep);
+     if (err)
+       return err;
      memset (key->contents.data, 0, key->contents.length);
      krb5_data_free (&key->contents);
      free (key);