From 553cd32c2ee170cb8cf8d7b221c1512f3d86999e Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 25 Jul 2015 14:52:47 +0000
Subject: Expand ASN.1 template macros - no change in generated assembly.

---
 src/lib/libcrypto/krb5/krb5_asn.c         | 411 +++++++++++++++++----
 src/lib/libcrypto/ocsp/ocsp_asn.c         | 572 ++++++++++++++++++++++++++----
 src/lib/libssl/src/crypto/krb5/krb5_asn.c | 411 +++++++++++++++++----
 src/lib/libssl/src/crypto/ocsp/ocsp_asn.c | 572 ++++++++++++++++++++++++++----
 4 files changed, 1694 insertions(+), 272 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/krb5/krb5_asn.c b/src/lib/libcrypto/krb5/krb5_asn.c
index 1a95e62935..4713fce37b 100644
--- a/src/lib/libcrypto/krb5/krb5_asn.c
+++ b/src/lib/libcrypto/krb5/krb5_asn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: krb5_asn.c,v 1.3 2015/02/09 16:04:46 jsing Exp $ */
+/* $OpenBSD: krb5_asn.c,v 1.4 2015/07/25 14:49:45 jsing Exp $ */
 /* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
 ** using ocsp/{*.h,*asn*.c} as a starting point
 */
@@ -60,11 +60,39 @@
 #include <openssl/krb5_asn.h>
 
 
-ASN1_SEQUENCE(KRB5_ENCDATA) = {
-	ASN1_EXP(KRB5_ENCDATA, etype,		ASN1_INTEGER,	  0),
-	ASN1_EXP_OPT(KRB5_ENCDATA, kvno,	ASN1_INTEGER,	  1),
-	ASN1_EXP(KRB5_ENCDATA, cipher,		ASN1_OCTET_STRING,2)
-} ASN1_SEQUENCE_END(KRB5_ENCDATA)
+static const ASN1_TEMPLATE KRB5_ENCDATA_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_ENCDATA, etype),
+		.field_name = "etype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(KRB5_ENCDATA, kvno),
+		.field_name = "kvno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_ENCDATA, cipher),
+		.field_name = "cipher",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_ENCDATA_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_ENCDATA_seq_tt,
+	.tcount = sizeof(KRB5_ENCDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_ENCDATA),
+	.sname = "KRB5_ENCDATA",
+};
 
 
 KRB5_ENCDATA *
@@ -93,10 +121,32 @@ KRB5_ENCDATA_free(KRB5_ENCDATA *a)
 }
 
 
-ASN1_SEQUENCE(KRB5_PRINCNAME) = {
-	ASN1_EXP(KRB5_PRINCNAME, nametype,	ASN1_INTEGER,	  0),
-	ASN1_EXP_SEQUENCE_OF(KRB5_PRINCNAME, namestring, ASN1_GENERALSTRING, 1)
-} ASN1_SEQUENCE_END(KRB5_PRINCNAME)
+static const ASN1_TEMPLATE KRB5_PRINCNAME_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_PRINCNAME, nametype),
+		.field_name = "nametype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF,
+		.tag = 1,
+		.offset = offsetof(KRB5_PRINCNAME, namestring),
+		.field_name = "namestring",
+		.item = &ASN1_GENERALSTRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_PRINCNAME_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_PRINCNAME_seq_tt,
+	.tcount = sizeof(KRB5_PRINCNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_PRINCNAME),
+	.sname = "KRB5_PRINCNAME",
+};
 
 
 KRB5_PRINCNAME *
@@ -126,12 +176,46 @@ KRB5_PRINCNAME_free(KRB5_PRINCNAME *a)
 
 
 /* [APPLICATION 1] = 0x61 */
-ASN1_SEQUENCE(KRB5_TKTBODY) = {
-	ASN1_EXP(KRB5_TKTBODY, tktvno,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_TKTBODY, realm, 		ASN1_GENERALSTRING, 1),
-	ASN1_EXP(KRB5_TKTBODY, sname,		KRB5_PRINCNAME,	  2),
-	ASN1_EXP(KRB5_TKTBODY, encdata,		KRB5_ENCDATA,	  3)
-} ASN1_SEQUENCE_END(KRB5_TKTBODY)
+static const ASN1_TEMPLATE KRB5_TKTBODY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_TKTBODY, tktvno),
+		.field_name = "tktvno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_TKTBODY, realm),
+		.field_name = "realm",
+		.item = &ASN1_GENERALSTRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_TKTBODY, sname),
+		.field_name = "sname",
+		.item = &KRB5_PRINCNAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 3,
+		.offset = offsetof(KRB5_TKTBODY, encdata),
+		.field_name = "encdata",
+		.item = &KRB5_ENCDATA_it,
+	},
+};
+
+const ASN1_ITEM KRB5_TKTBODY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_TKTBODY_seq_tt,
+	.tcount = sizeof(KRB5_TKTBODY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_TKTBODY),
+	.sname = "KRB5_TKTBODY",
+};
 
 
 KRB5_TKTBODY *
@@ -160,10 +244,23 @@ KRB5_TKTBODY_free(KRB5_TKTBODY *a)
 }
 
 
-ASN1_ITEM_TEMPLATE(KRB5_TICKET) = 
-	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 1,
-			KRB5_TICKET, KRB5_TKTBODY)
-ASN1_ITEM_TEMPLATE_END(KRB5_TICKET)
+static const ASN1_TEMPLATE KRB5_TICKET_item_tt =  {
+	.flags = ASN1_TFLG_EXPTAG | ASN1_TFLG_APPLICATION,
+	.tag = 1,
+	.offset = 0,
+	.field_name = "KRB5_TICKET",
+	.item = &KRB5_TKTBODY_it,
+};
+
+const ASN1_ITEM KRB5_TICKET_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &KRB5_TICKET_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "KRB5_TICKET",
+};
 
 
 KRB5_TICKET *
@@ -193,13 +290,53 @@ KRB5_TICKET_free(KRB5_TICKET *a)
 
 
 /* [APPLICATION 14] = 0x6e */
-ASN1_SEQUENCE(KRB5_APREQBODY) = {
-	ASN1_EXP(KRB5_APREQBODY, pvno,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_APREQBODY, msgtype,	ASN1_INTEGER,	  1),
-	ASN1_EXP(KRB5_APREQBODY, apoptions,	ASN1_BIT_STRING,  2),
-	ASN1_EXP(KRB5_APREQBODY, ticket, 	KRB5_TICKET,	  3),
-	ASN1_EXP(KRB5_APREQBODY, authenticator,	KRB5_ENCDATA,	  4),
-} ASN1_SEQUENCE_END(KRB5_APREQBODY)
+static const ASN1_TEMPLATE KRB5_APREQBODY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_APREQBODY, pvno),
+		.field_name = "pvno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_APREQBODY, msgtype),
+		.field_name = "msgtype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_APREQBODY, apoptions),
+		.field_name = "apoptions",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 3,
+		.offset = offsetof(KRB5_APREQBODY, ticket),
+		.field_name = "ticket",
+		.item = &KRB5_TICKET_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 4,
+		.offset = offsetof(KRB5_APREQBODY, authenticator),
+		.field_name = "authenticator",
+		.item = &KRB5_ENCDATA_it,
+	},
+};
+
+const ASN1_ITEM KRB5_APREQBODY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_APREQBODY_seq_tt,
+	.tcount = sizeof(KRB5_APREQBODY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_APREQBODY),
+	.sname = "KRB5_APREQBODY",
+};
 
 
 KRB5_APREQBODY *
@@ -227,10 +364,23 @@ KRB5_APREQBODY_free(KRB5_APREQBODY *a)
 	ASN1_item_free((ASN1_VALUE *)a, &KRB5_APREQBODY_it);
 }
 
-ASN1_ITEM_TEMPLATE(KRB5_APREQ) = 
-	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 14,
-			KRB5_APREQ, KRB5_APREQBODY)
-ASN1_ITEM_TEMPLATE_END(KRB5_APREQ)
+static const ASN1_TEMPLATE KRB5_APREQ_item_tt =  {
+	.flags = ASN1_TFLG_EXPTAG | ASN1_TFLG_APPLICATION,
+	.tag = 14,
+	.offset = 0,
+	.field_name = "KRB5_APREQ",
+	.item = &KRB5_APREQBODY_it,
+};
+
+const ASN1_ITEM KRB5_APREQ_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &KRB5_APREQ_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "KRB5_APREQ",
+};
 
 
 KRB5_APREQ *
@@ -261,10 +411,32 @@ KRB5_APREQ_free(KRB5_APREQ *a)
 
 /*  Authenticator stuff 	*/
 
-ASN1_SEQUENCE(KRB5_CHECKSUM) = {
-	ASN1_EXP(KRB5_CHECKSUM, ctype,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_CHECKSUM, checksum,	ASN1_OCTET_STRING,1)
-} ASN1_SEQUENCE_END(KRB5_CHECKSUM)
+static const ASN1_TEMPLATE KRB5_CHECKSUM_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_CHECKSUM, ctype),
+		.field_name = "ctype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_CHECKSUM, checksum),
+		.field_name = "checksum",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_CHECKSUM_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_CHECKSUM_seq_tt,
+	.tcount = sizeof(KRB5_CHECKSUM_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_CHECKSUM),
+	.sname = "KRB5_CHECKSUM",
+};
 
 
 KRB5_CHECKSUM *
@@ -293,10 +465,32 @@ KRB5_CHECKSUM_free(KRB5_CHECKSUM *a)
 }
 
 
-ASN1_SEQUENCE(KRB5_ENCKEY) = {
-	ASN1_EXP(KRB5_ENCKEY,	ktype,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_ENCKEY,	keyvalue,	ASN1_OCTET_STRING,1)
-} ASN1_SEQUENCE_END(KRB5_ENCKEY)
+static const ASN1_TEMPLATE KRB5_ENCKEY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_ENCKEY, ktype),
+		.field_name = "ktype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_ENCKEY, keyvalue),
+		.field_name = "keyvalue",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_ENCKEY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_ENCKEY_seq_tt,
+	.tcount = sizeof(KRB5_ENCKEY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_ENCKEY),
+	.sname = "KRB5_ENCKEY",
+};
 
 
 KRB5_ENCKEY *
@@ -326,10 +520,32 @@ KRB5_ENCKEY_free(KRB5_ENCKEY *a)
 
 
 /* SEQ OF SEQ; see ASN1_EXP_SEQUENCE_OF_OPT() below */
-ASN1_SEQUENCE(KRB5_AUTHDATA) = {
-	ASN1_EXP(KRB5_AUTHDATA,	adtype,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_AUTHDATA,	addata, 	ASN1_OCTET_STRING,1)
-} ASN1_SEQUENCE_END(KRB5_AUTHDATA)
+static const ASN1_TEMPLATE KRB5_AUTHDATA_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_AUTHDATA, adtype),
+		.field_name = "adtype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_AUTHDATA, addata),
+		.field_name = "addata",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_AUTHDATA_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_AUTHDATA_seq_tt,
+	.tcount = sizeof(KRB5_AUTHDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_AUTHDATA),
+	.sname = "KRB5_AUTHDATA",
+};
 
 
 KRB5_AUTHDATA *
@@ -359,18 +575,81 @@ KRB5_AUTHDATA_free(KRB5_AUTHDATA *a)
 
 
 /* [APPLICATION 2] = 0x62 */
-ASN1_SEQUENCE(KRB5_AUTHENTBODY) = {
-	ASN1_EXP(KRB5_AUTHENTBODY,	avno,	ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_AUTHENTBODY,	crealm,	ASN1_GENERALSTRING, 1),
-	ASN1_EXP(KRB5_AUTHENTBODY,	cname,	KRB5_PRINCNAME,	  2),
-	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	cksum,	KRB5_CHECKSUM,	  3),
-	ASN1_EXP(KRB5_AUTHENTBODY,	cusec,	ASN1_INTEGER,	  4),
-	ASN1_EXP(KRB5_AUTHENTBODY,	ctime,	ASN1_GENERALIZEDTIME, 5),
-	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	subkey,	KRB5_ENCKEY,	  6),
-	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	seqnum,	ASN1_INTEGER,	  7),
-	ASN1_EXP_SEQUENCE_OF_OPT
-		    (KRB5_AUTHENTBODY,	authorization,	KRB5_AUTHDATA, 8),
-} ASN1_SEQUENCE_END(KRB5_AUTHENTBODY)
+static const ASN1_TEMPLATE KRB5_AUTHENTBODY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_AUTHENTBODY, avno),
+		.field_name = "avno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_AUTHENTBODY, crealm),
+		.field_name = "crealm",
+		.item = &ASN1_GENERALSTRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_AUTHENTBODY, cname),
+		.field_name = "cname",
+		.item = &KRB5_PRINCNAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 3,
+		.offset = offsetof(KRB5_AUTHENTBODY, cksum),
+		.field_name = "cksum",
+		.item = &KRB5_CHECKSUM_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 4,
+		.offset = offsetof(KRB5_AUTHENTBODY, cusec),
+		.field_name = "cusec",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 5,
+		.offset = offsetof(KRB5_AUTHENTBODY, ctime),
+		.field_name = "ctime",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 6,
+		.offset = offsetof(KRB5_AUTHENTBODY, subkey),
+		.field_name = "subkey",
+		.item = &KRB5_ENCKEY_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 7,
+		.offset = offsetof(KRB5_AUTHENTBODY, seqnum),
+		.field_name = "seqnum",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 8,
+		.offset = offsetof(KRB5_AUTHENTBODY, authorization),
+		.field_name = "authorization",
+		.item = &KRB5_AUTHDATA_it,
+	},
+};
+
+const ASN1_ITEM KRB5_AUTHENTBODY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_AUTHENTBODY_seq_tt,
+	.tcount = sizeof(KRB5_AUTHENTBODY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_AUTHENTBODY),
+	.sname = "KRB5_AUTHENTBODY",
+};
 
 
 KRB5_AUTHENTBODY *
@@ -398,10 +677,23 @@ KRB5_AUTHENTBODY_free(KRB5_AUTHENTBODY *a)
 	ASN1_item_free((ASN1_VALUE *)a, &KRB5_AUTHENTBODY_it);
 }
 
-ASN1_ITEM_TEMPLATE(KRB5_AUTHENT) = 
-	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 2,
-			KRB5_AUTHENT, KRB5_AUTHENTBODY)
-ASN1_ITEM_TEMPLATE_END(KRB5_AUTHENT)
+static const ASN1_TEMPLATE KRB5_AUTHENT_item_tt =  {
+	.flags = ASN1_TFLG_EXPTAG | ASN1_TFLG_APPLICATION,
+	.tag = 2,
+	.offset = 0,
+	.field_name = "KRB5_AUTHENT",
+	.item = &KRB5_AUTHENTBODY_it,
+};
+
+const ASN1_ITEM KRB5_AUTHENT_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &KRB5_AUTHENT_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "KRB5_AUTHENT",
+};
 
 
 KRB5_AUTHENT *
@@ -428,4 +720,3 @@ KRB5_AUTHENT_free(KRB5_AUTHENT *a)
 {
 	ASN1_item_free((ASN1_VALUE *)a, &KRB5_AUTHENT_it);
 }
-
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
index 6ca21af89a..72e7638c75 100644
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ b/src/lib/libcrypto/ocsp/ocsp_asn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_asn.c,v 1.7 2015/02/09 16:04:46 jsing Exp $ */
+/* $OpenBSD: ocsp_asn.c,v 1.8 2015/07/25 14:52:47 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -59,11 +59,39 @@
 #include <openssl/asn1t.h>
 #include <openssl/ocsp.h>
 
-ASN1_SEQUENCE(OCSP_SIGNATURE) = {
-	ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
-	ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)
-} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
+static const ASN1_TEMPLATE OCSP_SIGNATURE_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SIGNATURE, signatureAlgorithm),
+		.field_name = "signatureAlgorithm",
+		.item = &X509_ALGOR_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SIGNATURE, signature),
+		.field_name = "signature",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_SIGNATURE, certs),
+		.field_name = "certs",
+		.item = &X509_it,
+	},
+};
+
+const ASN1_ITEM OCSP_SIGNATURE_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_SIGNATURE_seq_tt,
+	.tcount = sizeof(OCSP_SIGNATURE_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_SIGNATURE),
+	.sname = "OCSP_SIGNATURE",
+};
 
 
 OCSP_SIGNATURE *
@@ -91,12 +119,46 @@ OCSP_SIGNATURE_free(OCSP_SIGNATURE *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_SIGNATURE_it);
 }
 
-ASN1_SEQUENCE(OCSP_CERTID) = {
-	ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
-	ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
-	ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
-	ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(OCSP_CERTID)
+static const ASN1_TEMPLATE OCSP_CERTID_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, hashAlgorithm),
+		.field_name = "hashAlgorithm",
+		.item = &X509_ALGOR_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, issuerNameHash),
+		.field_name = "issuerNameHash",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, issuerKeyHash),
+		.field_name = "issuerKeyHash",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, serialNumber),
+		.field_name = "serialNumber",
+		.item = &ASN1_INTEGER_it,
+	},
+};
+
+const ASN1_ITEM OCSP_CERTID_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_CERTID_seq_tt,
+	.tcount = sizeof(OCSP_CERTID_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_CERTID),
+	.sname = "OCSP_CERTID",
+};
 
 
 OCSP_CERTID *
@@ -124,10 +186,32 @@ OCSP_CERTID_free(OCSP_CERTID *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTID_it);
 }
 
-ASN1_SEQUENCE(OCSP_ONEREQ) = {
-	ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END(OCSP_ONEREQ)
+static const ASN1_TEMPLATE OCSP_ONEREQ_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_ONEREQ, reqCert),
+		.field_name = "reqCert",
+		.item = &OCSP_CERTID_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_ONEREQ, singleRequestExtensions),
+		.field_name = "singleRequestExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_ONEREQ_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_ONEREQ_seq_tt,
+	.tcount = sizeof(OCSP_ONEREQ_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_ONEREQ),
+	.sname = "OCSP_ONEREQ",
+};
 
 
 OCSP_ONEREQ *
@@ -155,12 +239,46 @@ OCSP_ONEREQ_free(OCSP_ONEREQ *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_ONEREQ_it);
 }
 
-ASN1_SEQUENCE(OCSP_REQINFO) = {
-	ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
-	ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
-	ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
-} ASN1_SEQUENCE_END(OCSP_REQINFO)
+static const ASN1_TEMPLATE OCSP_REQINFO_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQINFO, version),
+		.field_name = "version",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_REQINFO, requestorName),
+		.field_name = "requestorName",
+		.item = &GENERAL_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQINFO, requestList),
+		.field_name = "requestList",
+		.item = &OCSP_ONEREQ_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 2,
+		.offset = offsetof(OCSP_REQINFO, requestExtensions),
+		.field_name = "requestExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_REQINFO_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_REQINFO_seq_tt,
+	.tcount = sizeof(OCSP_REQINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_REQINFO),
+	.sname = "OCSP_REQINFO",
+};
 
 
 OCSP_REQINFO *
@@ -188,10 +306,32 @@ OCSP_REQINFO_free(OCSP_REQINFO *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQINFO_it);
 }
 
-ASN1_SEQUENCE(OCSP_REQUEST) = {
-	ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
-	ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
-} ASN1_SEQUENCE_END(OCSP_REQUEST)
+static const ASN1_TEMPLATE OCSP_REQUEST_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQUEST, tbsRequest),
+		.field_name = "tbsRequest",
+		.item = &OCSP_REQINFO_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQUEST, optionalSignature),
+		.field_name = "optionalSignature",
+		.item = &OCSP_SIGNATURE_it,
+	},
+};
+
+const ASN1_ITEM OCSP_REQUEST_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_REQUEST_seq_tt,
+	.tcount = sizeof(OCSP_REQUEST_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_REQUEST),
+	.sname = "OCSP_REQUEST",
+};
 
 
 OCSP_REQUEST *
@@ -221,10 +361,32 @@ OCSP_REQUEST_free(OCSP_REQUEST *a)
 
 /* OCSP_RESPONSE templates */
 
-ASN1_SEQUENCE(OCSP_RESPBYTES) = {
-	ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
-	ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
+static const ASN1_TEMPLATE OCSP_RESPBYTES_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPBYTES, responseType),
+		.field_name = "responseType",
+		.item = &ASN1_OBJECT_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPBYTES, response),
+		.field_name = "response",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPBYTES_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_RESPBYTES_seq_tt,
+	.tcount = sizeof(OCSP_RESPBYTES_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPBYTES),
+	.sname = "OCSP_RESPBYTES",
+};
 
 
 OCSP_RESPBYTES *
@@ -252,10 +414,32 @@ OCSP_RESPBYTES_free(OCSP_RESPBYTES *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPBYTES_it);
 }
 
-ASN1_SEQUENCE(OCSP_RESPONSE) = {
-	ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
-	ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
-} ASN1_SEQUENCE_END(OCSP_RESPONSE)
+static const ASN1_TEMPLATE OCSP_RESPONSE_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPONSE, responseStatus),
+		.field_name = "responseStatus",
+		.item = &ASN1_ENUMERATED_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPONSE, responseBytes),
+		.field_name = "responseBytes",
+		.item = &OCSP_RESPBYTES_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPONSE_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_RESPONSE_seq_tt,
+	.tcount = sizeof(OCSP_RESPONSE_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPONSE),
+	.sname = "OCSP_RESPONSE",
+};
 
 
 OCSP_RESPONSE *
@@ -283,10 +467,32 @@ OCSP_RESPONSE_free(OCSP_RESPONSE *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPONSE_it);
 }
 
-ASN1_CHOICE(OCSP_RESPID) = {
-	ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
-	ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
-} ASN1_CHOICE_END(OCSP_RESPID)
+static const ASN1_TEMPLATE OCSP_RESPID_ch_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(OCSP_RESPID, value.byName),
+		.field_name = "value.byName",
+		.item = &X509_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(OCSP_RESPID, value.byKey),
+		.field_name = "value.byKey",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPID_it = {
+	.itype = ASN1_ITYPE_CHOICE,
+	.utype = offsetof(OCSP_RESPID, type),
+	.templates = OCSP_RESPID_ch_tt,
+	.tcount = sizeof(OCSP_RESPID_ch_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPID),
+	.sname = "OCSP_RESPID",
+};
 
 
 OCSP_RESPID *
@@ -314,10 +520,32 @@ OCSP_RESPID_free(OCSP_RESPID *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPID_it);
 }
 
-ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
-	ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
-	ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
-} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
+static const ASN1_TEMPLATE OCSP_REVOKEDINFO_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_REVOKEDINFO, revocationTime),
+		.field_name = "revocationTime",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_REVOKEDINFO, revocationReason),
+		.field_name = "revocationReason",
+		.item = &ASN1_ENUMERATED_it,
+	},
+};
+
+const ASN1_ITEM OCSP_REVOKEDINFO_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_REVOKEDINFO_seq_tt,
+	.tcount = sizeof(OCSP_REVOKEDINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_REVOKEDINFO),
+	.sname = "OCSP_REVOKEDINFO",
+};
 
 
 OCSP_REVOKEDINFO *
@@ -345,11 +573,39 @@ OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_REVOKEDINFO_it);
 }
 
-ASN1_CHOICE(OCSP_CERTSTATUS) = {
-	ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
-	ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
-	ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
-} ASN1_CHOICE_END(OCSP_CERTSTATUS)
+static const ASN1_TEMPLATE OCSP_CERTSTATUS_ch_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTSTATUS, value.good),
+		.field_name = "value.good",
+		.item = &ASN1_NULL_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = 1,
+		.offset = offsetof(OCSP_CERTSTATUS, value.revoked),
+		.field_name = "value.revoked",
+		.item = &OCSP_REVOKEDINFO_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = 2,
+		.offset = offsetof(OCSP_CERTSTATUS, value.unknown),
+		.field_name = "value.unknown",
+		.item = &ASN1_NULL_it,
+	},
+};
+
+const ASN1_ITEM OCSP_CERTSTATUS_it = {
+	.itype = ASN1_ITYPE_CHOICE,
+	.utype = offsetof(OCSP_CERTSTATUS, type),
+	.templates = OCSP_CERTSTATUS_ch_tt,
+	.tcount = sizeof(OCSP_CERTSTATUS_ch_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_CERTSTATUS),
+	.sname = "OCSP_CERTSTATUS",
+};
 
 
 OCSP_CERTSTATUS *
@@ -377,13 +633,53 @@ OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTSTATUS_it);
 }
 
-ASN1_SEQUENCE(OCSP_SINGLERESP) = {
-	ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
-	ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
-	ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
-	ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
-} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
+static const ASN1_TEMPLATE OCSP_SINGLERESP_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, certId),
+		.field_name = "certId",
+		.item = &OCSP_CERTID_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, certStatus),
+		.field_name = "certStatus",
+		.item = &OCSP_CERTSTATUS_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, thisUpdate),
+		.field_name = "thisUpdate",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, nextUpdate),
+		.field_name = "nextUpdate",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_SINGLERESP, singleExtensions),
+		.field_name = "singleExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_SINGLERESP_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_SINGLERESP_seq_tt,
+	.tcount = sizeof(OCSP_SINGLERESP_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_SINGLERESP),
+	.sname = "OCSP_SINGLERESP",
+};
 
 
 OCSP_SINGLERESP *
@@ -411,13 +707,53 @@ OCSP_SINGLERESP_free(OCSP_SINGLERESP *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_SINGLERESP_it);
 }
 
-ASN1_SEQUENCE(OCSP_RESPDATA) = {
-	ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
-	ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
-	ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
-	ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
-} ASN1_SEQUENCE_END(OCSP_RESPDATA)
+static const ASN1_TEMPLATE OCSP_RESPDATA_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, version),
+		.field_name = "version",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, responderId),
+		.field_name = "responderId",
+		.item = &OCSP_RESPID_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, producedAt),
+		.field_name = "producedAt",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, responses),
+		.field_name = "responses",
+		.item = &OCSP_SINGLERESP_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_RESPDATA, responseExtensions),
+		.field_name = "responseExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPDATA_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_RESPDATA_seq_tt,
+	.tcount = sizeof(OCSP_RESPDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPDATA),
+	.sname = "OCSP_RESPDATA",
+};
 
 
 OCSP_RESPDATA *
@@ -445,12 +781,46 @@ OCSP_RESPDATA_free(OCSP_RESPDATA *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPDATA_it);
 }
 
-ASN1_SEQUENCE(OCSP_BASICRESP) = {
-	ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
-	ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
-	ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
-} ASN1_SEQUENCE_END(OCSP_BASICRESP)
+static const ASN1_TEMPLATE OCSP_BASICRESP_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, tbsResponseData),
+		.field_name = "tbsResponseData",
+		.item = &OCSP_RESPDATA_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, signatureAlgorithm),
+		.field_name = "signatureAlgorithm",
+		.item = &X509_ALGOR_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, signature),
+		.field_name = "signature",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, certs),
+		.field_name = "certs",
+		.item = &X509_it,
+	},
+};
+
+const ASN1_ITEM OCSP_BASICRESP_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_BASICRESP_seq_tt,
+	.tcount = sizeof(OCSP_BASICRESP_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_BASICRESP),
+	.sname = "OCSP_BASICRESP",
+};
 
 
 OCSP_BASICRESP *
@@ -478,11 +848,39 @@ OCSP_BASICRESP_free(OCSP_BASICRESP *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_BASICRESP_it);
 }
 
-ASN1_SEQUENCE(OCSP_CRLID) = {
-	ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
-	ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
-	ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
-} ASN1_SEQUENCE_END(OCSP_CRLID)
+static const ASN1_TEMPLATE OCSP_CRLID_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_CRLID, crlUrl),
+		.field_name = "crlUrl",
+		.item = &ASN1_IA5STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_CRLID, crlNum),
+		.field_name = "crlNum",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 2,
+		.offset = offsetof(OCSP_CRLID, crlTime),
+		.field_name = "crlTime",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+};
+
+const ASN1_ITEM OCSP_CRLID_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_CRLID_seq_tt,
+	.tcount = sizeof(OCSP_CRLID_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_CRLID),
+	.sname = "OCSP_CRLID",
+};
 
 
 OCSP_CRLID *
@@ -510,10 +908,32 @@ OCSP_CRLID_free(OCSP_CRLID *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_CRLID_it);
 }
 
-ASN1_SEQUENCE(OCSP_SERVICELOC) = {
-	ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
-	ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
-} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
+static const ASN1_TEMPLATE OCSP_SERVICELOC_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SERVICELOC, issuer),
+		.field_name = "issuer",
+		.item = &X509_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_SERVICELOC, locator),
+		.field_name = "locator",
+		.item = &ACCESS_DESCRIPTION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_SERVICELOC_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_SERVICELOC_seq_tt,
+	.tcount = sizeof(OCSP_SERVICELOC_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_SERVICELOC),
+	.sname = "OCSP_SERVICELOC",
+};
 
 
 OCSP_SERVICELOC *
diff --git a/src/lib/libssl/src/crypto/krb5/krb5_asn.c b/src/lib/libssl/src/crypto/krb5/krb5_asn.c
index 1a95e62935..4713fce37b 100644
--- a/src/lib/libssl/src/crypto/krb5/krb5_asn.c
+++ b/src/lib/libssl/src/crypto/krb5/krb5_asn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: krb5_asn.c,v 1.3 2015/02/09 16:04:46 jsing Exp $ */
+/* $OpenBSD: krb5_asn.c,v 1.4 2015/07/25 14:49:45 jsing Exp $ */
 /* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
 ** using ocsp/{*.h,*asn*.c} as a starting point
 */
@@ -60,11 +60,39 @@
 #include <openssl/krb5_asn.h>
 
 
-ASN1_SEQUENCE(KRB5_ENCDATA) = {
-	ASN1_EXP(KRB5_ENCDATA, etype,		ASN1_INTEGER,	  0),
-	ASN1_EXP_OPT(KRB5_ENCDATA, kvno,	ASN1_INTEGER,	  1),
-	ASN1_EXP(KRB5_ENCDATA, cipher,		ASN1_OCTET_STRING,2)
-} ASN1_SEQUENCE_END(KRB5_ENCDATA)
+static const ASN1_TEMPLATE KRB5_ENCDATA_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_ENCDATA, etype),
+		.field_name = "etype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(KRB5_ENCDATA, kvno),
+		.field_name = "kvno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_ENCDATA, cipher),
+		.field_name = "cipher",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_ENCDATA_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_ENCDATA_seq_tt,
+	.tcount = sizeof(KRB5_ENCDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_ENCDATA),
+	.sname = "KRB5_ENCDATA",
+};
 
 
 KRB5_ENCDATA *
@@ -93,10 +121,32 @@ KRB5_ENCDATA_free(KRB5_ENCDATA *a)
 }
 
 
-ASN1_SEQUENCE(KRB5_PRINCNAME) = {
-	ASN1_EXP(KRB5_PRINCNAME, nametype,	ASN1_INTEGER,	  0),
-	ASN1_EXP_SEQUENCE_OF(KRB5_PRINCNAME, namestring, ASN1_GENERALSTRING, 1)
-} ASN1_SEQUENCE_END(KRB5_PRINCNAME)
+static const ASN1_TEMPLATE KRB5_PRINCNAME_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_PRINCNAME, nametype),
+		.field_name = "nametype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF,
+		.tag = 1,
+		.offset = offsetof(KRB5_PRINCNAME, namestring),
+		.field_name = "namestring",
+		.item = &ASN1_GENERALSTRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_PRINCNAME_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_PRINCNAME_seq_tt,
+	.tcount = sizeof(KRB5_PRINCNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_PRINCNAME),
+	.sname = "KRB5_PRINCNAME",
+};
 
 
 KRB5_PRINCNAME *
@@ -126,12 +176,46 @@ KRB5_PRINCNAME_free(KRB5_PRINCNAME *a)
 
 
 /* [APPLICATION 1] = 0x61 */
-ASN1_SEQUENCE(KRB5_TKTBODY) = {
-	ASN1_EXP(KRB5_TKTBODY, tktvno,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_TKTBODY, realm, 		ASN1_GENERALSTRING, 1),
-	ASN1_EXP(KRB5_TKTBODY, sname,		KRB5_PRINCNAME,	  2),
-	ASN1_EXP(KRB5_TKTBODY, encdata,		KRB5_ENCDATA,	  3)
-} ASN1_SEQUENCE_END(KRB5_TKTBODY)
+static const ASN1_TEMPLATE KRB5_TKTBODY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_TKTBODY, tktvno),
+		.field_name = "tktvno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_TKTBODY, realm),
+		.field_name = "realm",
+		.item = &ASN1_GENERALSTRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_TKTBODY, sname),
+		.field_name = "sname",
+		.item = &KRB5_PRINCNAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 3,
+		.offset = offsetof(KRB5_TKTBODY, encdata),
+		.field_name = "encdata",
+		.item = &KRB5_ENCDATA_it,
+	},
+};
+
+const ASN1_ITEM KRB5_TKTBODY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_TKTBODY_seq_tt,
+	.tcount = sizeof(KRB5_TKTBODY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_TKTBODY),
+	.sname = "KRB5_TKTBODY",
+};
 
 
 KRB5_TKTBODY *
@@ -160,10 +244,23 @@ KRB5_TKTBODY_free(KRB5_TKTBODY *a)
 }
 
 
-ASN1_ITEM_TEMPLATE(KRB5_TICKET) = 
-	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 1,
-			KRB5_TICKET, KRB5_TKTBODY)
-ASN1_ITEM_TEMPLATE_END(KRB5_TICKET)
+static const ASN1_TEMPLATE KRB5_TICKET_item_tt =  {
+	.flags = ASN1_TFLG_EXPTAG | ASN1_TFLG_APPLICATION,
+	.tag = 1,
+	.offset = 0,
+	.field_name = "KRB5_TICKET",
+	.item = &KRB5_TKTBODY_it,
+};
+
+const ASN1_ITEM KRB5_TICKET_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &KRB5_TICKET_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "KRB5_TICKET",
+};
 
 
 KRB5_TICKET *
@@ -193,13 +290,53 @@ KRB5_TICKET_free(KRB5_TICKET *a)
 
 
 /* [APPLICATION 14] = 0x6e */
-ASN1_SEQUENCE(KRB5_APREQBODY) = {
-	ASN1_EXP(KRB5_APREQBODY, pvno,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_APREQBODY, msgtype,	ASN1_INTEGER,	  1),
-	ASN1_EXP(KRB5_APREQBODY, apoptions,	ASN1_BIT_STRING,  2),
-	ASN1_EXP(KRB5_APREQBODY, ticket, 	KRB5_TICKET,	  3),
-	ASN1_EXP(KRB5_APREQBODY, authenticator,	KRB5_ENCDATA,	  4),
-} ASN1_SEQUENCE_END(KRB5_APREQBODY)
+static const ASN1_TEMPLATE KRB5_APREQBODY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_APREQBODY, pvno),
+		.field_name = "pvno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_APREQBODY, msgtype),
+		.field_name = "msgtype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_APREQBODY, apoptions),
+		.field_name = "apoptions",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 3,
+		.offset = offsetof(KRB5_APREQBODY, ticket),
+		.field_name = "ticket",
+		.item = &KRB5_TICKET_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 4,
+		.offset = offsetof(KRB5_APREQBODY, authenticator),
+		.field_name = "authenticator",
+		.item = &KRB5_ENCDATA_it,
+	},
+};
+
+const ASN1_ITEM KRB5_APREQBODY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_APREQBODY_seq_tt,
+	.tcount = sizeof(KRB5_APREQBODY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_APREQBODY),
+	.sname = "KRB5_APREQBODY",
+};
 
 
 KRB5_APREQBODY *
@@ -227,10 +364,23 @@ KRB5_APREQBODY_free(KRB5_APREQBODY *a)
 	ASN1_item_free((ASN1_VALUE *)a, &KRB5_APREQBODY_it);
 }
 
-ASN1_ITEM_TEMPLATE(KRB5_APREQ) = 
-	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 14,
-			KRB5_APREQ, KRB5_APREQBODY)
-ASN1_ITEM_TEMPLATE_END(KRB5_APREQ)
+static const ASN1_TEMPLATE KRB5_APREQ_item_tt =  {
+	.flags = ASN1_TFLG_EXPTAG | ASN1_TFLG_APPLICATION,
+	.tag = 14,
+	.offset = 0,
+	.field_name = "KRB5_APREQ",
+	.item = &KRB5_APREQBODY_it,
+};
+
+const ASN1_ITEM KRB5_APREQ_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &KRB5_APREQ_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "KRB5_APREQ",
+};
 
 
 KRB5_APREQ *
@@ -261,10 +411,32 @@ KRB5_APREQ_free(KRB5_APREQ *a)
 
 /*  Authenticator stuff 	*/
 
-ASN1_SEQUENCE(KRB5_CHECKSUM) = {
-	ASN1_EXP(KRB5_CHECKSUM, ctype,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_CHECKSUM, checksum,	ASN1_OCTET_STRING,1)
-} ASN1_SEQUENCE_END(KRB5_CHECKSUM)
+static const ASN1_TEMPLATE KRB5_CHECKSUM_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_CHECKSUM, ctype),
+		.field_name = "ctype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_CHECKSUM, checksum),
+		.field_name = "checksum",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_CHECKSUM_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_CHECKSUM_seq_tt,
+	.tcount = sizeof(KRB5_CHECKSUM_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_CHECKSUM),
+	.sname = "KRB5_CHECKSUM",
+};
 
 
 KRB5_CHECKSUM *
@@ -293,10 +465,32 @@ KRB5_CHECKSUM_free(KRB5_CHECKSUM *a)
 }
 
 
-ASN1_SEQUENCE(KRB5_ENCKEY) = {
-	ASN1_EXP(KRB5_ENCKEY,	ktype,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_ENCKEY,	keyvalue,	ASN1_OCTET_STRING,1)
-} ASN1_SEQUENCE_END(KRB5_ENCKEY)
+static const ASN1_TEMPLATE KRB5_ENCKEY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_ENCKEY, ktype),
+		.field_name = "ktype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_ENCKEY, keyvalue),
+		.field_name = "keyvalue",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_ENCKEY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_ENCKEY_seq_tt,
+	.tcount = sizeof(KRB5_ENCKEY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_ENCKEY),
+	.sname = "KRB5_ENCKEY",
+};
 
 
 KRB5_ENCKEY *
@@ -326,10 +520,32 @@ KRB5_ENCKEY_free(KRB5_ENCKEY *a)
 
 
 /* SEQ OF SEQ; see ASN1_EXP_SEQUENCE_OF_OPT() below */
-ASN1_SEQUENCE(KRB5_AUTHDATA) = {
-	ASN1_EXP(KRB5_AUTHDATA,	adtype,		ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_AUTHDATA,	addata, 	ASN1_OCTET_STRING,1)
-} ASN1_SEQUENCE_END(KRB5_AUTHDATA)
+static const ASN1_TEMPLATE KRB5_AUTHDATA_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_AUTHDATA, adtype),
+		.field_name = "adtype",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_AUTHDATA, addata),
+		.field_name = "addata",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM KRB5_AUTHDATA_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_AUTHDATA_seq_tt,
+	.tcount = sizeof(KRB5_AUTHDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_AUTHDATA),
+	.sname = "KRB5_AUTHDATA",
+};
 
 
 KRB5_AUTHDATA *
@@ -359,18 +575,81 @@ KRB5_AUTHDATA_free(KRB5_AUTHDATA *a)
 
 
 /* [APPLICATION 2] = 0x62 */
-ASN1_SEQUENCE(KRB5_AUTHENTBODY) = {
-	ASN1_EXP(KRB5_AUTHENTBODY,	avno,	ASN1_INTEGER,	  0),
-	ASN1_EXP(KRB5_AUTHENTBODY,	crealm,	ASN1_GENERALSTRING, 1),
-	ASN1_EXP(KRB5_AUTHENTBODY,	cname,	KRB5_PRINCNAME,	  2),
-	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	cksum,	KRB5_CHECKSUM,	  3),
-	ASN1_EXP(KRB5_AUTHENTBODY,	cusec,	ASN1_INTEGER,	  4),
-	ASN1_EXP(KRB5_AUTHENTBODY,	ctime,	ASN1_GENERALIZEDTIME, 5),
-	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	subkey,	KRB5_ENCKEY,	  6),
-	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	seqnum,	ASN1_INTEGER,	  7),
-	ASN1_EXP_SEQUENCE_OF_OPT
-		    (KRB5_AUTHENTBODY,	authorization,	KRB5_AUTHDATA, 8),
-} ASN1_SEQUENCE_END(KRB5_AUTHENTBODY)
+static const ASN1_TEMPLATE KRB5_AUTHENTBODY_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(KRB5_AUTHENTBODY, avno),
+		.field_name = "avno",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(KRB5_AUTHENTBODY, crealm),
+		.field_name = "crealm",
+		.item = &ASN1_GENERALSTRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(KRB5_AUTHENTBODY, cname),
+		.field_name = "cname",
+		.item = &KRB5_PRINCNAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 3,
+		.offset = offsetof(KRB5_AUTHENTBODY, cksum),
+		.field_name = "cksum",
+		.item = &KRB5_CHECKSUM_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 4,
+		.offset = offsetof(KRB5_AUTHENTBODY, cusec),
+		.field_name = "cusec",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 5,
+		.offset = offsetof(KRB5_AUTHENTBODY, ctime),
+		.field_name = "ctime",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 6,
+		.offset = offsetof(KRB5_AUTHENTBODY, subkey),
+		.field_name = "subkey",
+		.item = &KRB5_ENCKEY_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 7,
+		.offset = offsetof(KRB5_AUTHENTBODY, seqnum),
+		.field_name = "seqnum",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 8,
+		.offset = offsetof(KRB5_AUTHENTBODY, authorization),
+		.field_name = "authorization",
+		.item = &KRB5_AUTHDATA_it,
+	},
+};
+
+const ASN1_ITEM KRB5_AUTHENTBODY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = KRB5_AUTHENTBODY_seq_tt,
+	.tcount = sizeof(KRB5_AUTHENTBODY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(KRB5_AUTHENTBODY),
+	.sname = "KRB5_AUTHENTBODY",
+};
 
 
 KRB5_AUTHENTBODY *
@@ -398,10 +677,23 @@ KRB5_AUTHENTBODY_free(KRB5_AUTHENTBODY *a)
 	ASN1_item_free((ASN1_VALUE *)a, &KRB5_AUTHENTBODY_it);
 }
 
-ASN1_ITEM_TEMPLATE(KRB5_AUTHENT) = 
-	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 2,
-			KRB5_AUTHENT, KRB5_AUTHENTBODY)
-ASN1_ITEM_TEMPLATE_END(KRB5_AUTHENT)
+static const ASN1_TEMPLATE KRB5_AUTHENT_item_tt =  {
+	.flags = ASN1_TFLG_EXPTAG | ASN1_TFLG_APPLICATION,
+	.tag = 2,
+	.offset = 0,
+	.field_name = "KRB5_AUTHENT",
+	.item = &KRB5_AUTHENTBODY_it,
+};
+
+const ASN1_ITEM KRB5_AUTHENT_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &KRB5_AUTHENT_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "KRB5_AUTHENT",
+};
 
 
 KRB5_AUTHENT *
@@ -428,4 +720,3 @@ KRB5_AUTHENT_free(KRB5_AUTHENT *a)
 {
 	ASN1_item_free((ASN1_VALUE *)a, &KRB5_AUTHENT_it);
 }
-
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
index 6ca21af89a..72e7638c75 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_asn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_asn.c,v 1.7 2015/02/09 16:04:46 jsing Exp $ */
+/* $OpenBSD: ocsp_asn.c,v 1.8 2015/07/25 14:52:47 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -59,11 +59,39 @@
 #include <openssl/asn1t.h>
 #include <openssl/ocsp.h>
 
-ASN1_SEQUENCE(OCSP_SIGNATURE) = {
-	ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
-	ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)
-} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
+static const ASN1_TEMPLATE OCSP_SIGNATURE_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SIGNATURE, signatureAlgorithm),
+		.field_name = "signatureAlgorithm",
+		.item = &X509_ALGOR_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SIGNATURE, signature),
+		.field_name = "signature",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_SIGNATURE, certs),
+		.field_name = "certs",
+		.item = &X509_it,
+	},
+};
+
+const ASN1_ITEM OCSP_SIGNATURE_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_SIGNATURE_seq_tt,
+	.tcount = sizeof(OCSP_SIGNATURE_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_SIGNATURE),
+	.sname = "OCSP_SIGNATURE",
+};
 
 
 OCSP_SIGNATURE *
@@ -91,12 +119,46 @@ OCSP_SIGNATURE_free(OCSP_SIGNATURE *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_SIGNATURE_it);
 }
 
-ASN1_SEQUENCE(OCSP_CERTID) = {
-	ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
-	ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
-	ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
-	ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(OCSP_CERTID)
+static const ASN1_TEMPLATE OCSP_CERTID_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, hashAlgorithm),
+		.field_name = "hashAlgorithm",
+		.item = &X509_ALGOR_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, issuerNameHash),
+		.field_name = "issuerNameHash",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, issuerKeyHash),
+		.field_name = "issuerKeyHash",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTID, serialNumber),
+		.field_name = "serialNumber",
+		.item = &ASN1_INTEGER_it,
+	},
+};
+
+const ASN1_ITEM OCSP_CERTID_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_CERTID_seq_tt,
+	.tcount = sizeof(OCSP_CERTID_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_CERTID),
+	.sname = "OCSP_CERTID",
+};
 
 
 OCSP_CERTID *
@@ -124,10 +186,32 @@ OCSP_CERTID_free(OCSP_CERTID *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTID_it);
 }
 
-ASN1_SEQUENCE(OCSP_ONEREQ) = {
-	ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END(OCSP_ONEREQ)
+static const ASN1_TEMPLATE OCSP_ONEREQ_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_ONEREQ, reqCert),
+		.field_name = "reqCert",
+		.item = &OCSP_CERTID_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_ONEREQ, singleRequestExtensions),
+		.field_name = "singleRequestExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_ONEREQ_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_ONEREQ_seq_tt,
+	.tcount = sizeof(OCSP_ONEREQ_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_ONEREQ),
+	.sname = "OCSP_ONEREQ",
+};
 
 
 OCSP_ONEREQ *
@@ -155,12 +239,46 @@ OCSP_ONEREQ_free(OCSP_ONEREQ *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_ONEREQ_it);
 }
 
-ASN1_SEQUENCE(OCSP_REQINFO) = {
-	ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
-	ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
-	ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
-} ASN1_SEQUENCE_END(OCSP_REQINFO)
+static const ASN1_TEMPLATE OCSP_REQINFO_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQINFO, version),
+		.field_name = "version",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_REQINFO, requestorName),
+		.field_name = "requestorName",
+		.item = &GENERAL_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQINFO, requestList),
+		.field_name = "requestList",
+		.item = &OCSP_ONEREQ_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 2,
+		.offset = offsetof(OCSP_REQINFO, requestExtensions),
+		.field_name = "requestExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_REQINFO_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_REQINFO_seq_tt,
+	.tcount = sizeof(OCSP_REQINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_REQINFO),
+	.sname = "OCSP_REQINFO",
+};
 
 
 OCSP_REQINFO *
@@ -188,10 +306,32 @@ OCSP_REQINFO_free(OCSP_REQINFO *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQINFO_it);
 }
 
-ASN1_SEQUENCE(OCSP_REQUEST) = {
-	ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
-	ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
-} ASN1_SEQUENCE_END(OCSP_REQUEST)
+static const ASN1_TEMPLATE OCSP_REQUEST_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQUEST, tbsRequest),
+		.field_name = "tbsRequest",
+		.item = &OCSP_REQINFO_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_REQUEST, optionalSignature),
+		.field_name = "optionalSignature",
+		.item = &OCSP_SIGNATURE_it,
+	},
+};
+
+const ASN1_ITEM OCSP_REQUEST_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_REQUEST_seq_tt,
+	.tcount = sizeof(OCSP_REQUEST_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_REQUEST),
+	.sname = "OCSP_REQUEST",
+};
 
 
 OCSP_REQUEST *
@@ -221,10 +361,32 @@ OCSP_REQUEST_free(OCSP_REQUEST *a)
 
 /* OCSP_RESPONSE templates */
 
-ASN1_SEQUENCE(OCSP_RESPBYTES) = {
-	ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
-	ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
+static const ASN1_TEMPLATE OCSP_RESPBYTES_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPBYTES, responseType),
+		.field_name = "responseType",
+		.item = &ASN1_OBJECT_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPBYTES, response),
+		.field_name = "response",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPBYTES_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_RESPBYTES_seq_tt,
+	.tcount = sizeof(OCSP_RESPBYTES_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPBYTES),
+	.sname = "OCSP_RESPBYTES",
+};
 
 
 OCSP_RESPBYTES *
@@ -252,10 +414,32 @@ OCSP_RESPBYTES_free(OCSP_RESPBYTES *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPBYTES_it);
 }
 
-ASN1_SEQUENCE(OCSP_RESPONSE) = {
-	ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
-	ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
-} ASN1_SEQUENCE_END(OCSP_RESPONSE)
+static const ASN1_TEMPLATE OCSP_RESPONSE_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPONSE, responseStatus),
+		.field_name = "responseStatus",
+		.item = &ASN1_ENUMERATED_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPONSE, responseBytes),
+		.field_name = "responseBytes",
+		.item = &OCSP_RESPBYTES_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPONSE_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_RESPONSE_seq_tt,
+	.tcount = sizeof(OCSP_RESPONSE_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPONSE),
+	.sname = "OCSP_RESPONSE",
+};
 
 
 OCSP_RESPONSE *
@@ -283,10 +467,32 @@ OCSP_RESPONSE_free(OCSP_RESPONSE *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPONSE_it);
 }
 
-ASN1_CHOICE(OCSP_RESPID) = {
-	ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
-	ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
-} ASN1_CHOICE_END(OCSP_RESPID)
+static const ASN1_TEMPLATE OCSP_RESPID_ch_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 1,
+		.offset = offsetof(OCSP_RESPID, value.byName),
+		.field_name = "value.byName",
+		.item = &X509_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 2,
+		.offset = offsetof(OCSP_RESPID, value.byKey),
+		.field_name = "value.byKey",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPID_it = {
+	.itype = ASN1_ITYPE_CHOICE,
+	.utype = offsetof(OCSP_RESPID, type),
+	.templates = OCSP_RESPID_ch_tt,
+	.tcount = sizeof(OCSP_RESPID_ch_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPID),
+	.sname = "OCSP_RESPID",
+};
 
 
 OCSP_RESPID *
@@ -314,10 +520,32 @@ OCSP_RESPID_free(OCSP_RESPID *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPID_it);
 }
 
-ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
-	ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
-	ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
-} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
+static const ASN1_TEMPLATE OCSP_REVOKEDINFO_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_REVOKEDINFO, revocationTime),
+		.field_name = "revocationTime",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_REVOKEDINFO, revocationReason),
+		.field_name = "revocationReason",
+		.item = &ASN1_ENUMERATED_it,
+	},
+};
+
+const ASN1_ITEM OCSP_REVOKEDINFO_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_REVOKEDINFO_seq_tt,
+	.tcount = sizeof(OCSP_REVOKEDINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_REVOKEDINFO),
+	.sname = "OCSP_REVOKEDINFO",
+};
 
 
 OCSP_REVOKEDINFO *
@@ -345,11 +573,39 @@ OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_REVOKEDINFO_it);
 }
 
-ASN1_CHOICE(OCSP_CERTSTATUS) = {
-	ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
-	ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
-	ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
-} ASN1_CHOICE_END(OCSP_CERTSTATUS)
+static const ASN1_TEMPLATE OCSP_CERTSTATUS_ch_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = 0,
+		.offset = offsetof(OCSP_CERTSTATUS, value.good),
+		.field_name = "value.good",
+		.item = &ASN1_NULL_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = 1,
+		.offset = offsetof(OCSP_CERTSTATUS, value.revoked),
+		.field_name = "value.revoked",
+		.item = &OCSP_REVOKEDINFO_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = 2,
+		.offset = offsetof(OCSP_CERTSTATUS, value.unknown),
+		.field_name = "value.unknown",
+		.item = &ASN1_NULL_it,
+	},
+};
+
+const ASN1_ITEM OCSP_CERTSTATUS_it = {
+	.itype = ASN1_ITYPE_CHOICE,
+	.utype = offsetof(OCSP_CERTSTATUS, type),
+	.templates = OCSP_CERTSTATUS_ch_tt,
+	.tcount = sizeof(OCSP_CERTSTATUS_ch_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_CERTSTATUS),
+	.sname = "OCSP_CERTSTATUS",
+};
 
 
 OCSP_CERTSTATUS *
@@ -377,13 +633,53 @@ OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTSTATUS_it);
 }
 
-ASN1_SEQUENCE(OCSP_SINGLERESP) = {
-	ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
-	ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
-	ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
-	ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
-} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
+static const ASN1_TEMPLATE OCSP_SINGLERESP_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, certId),
+		.field_name = "certId",
+		.item = &OCSP_CERTID_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, certStatus),
+		.field_name = "certStatus",
+		.item = &OCSP_CERTSTATUS_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, thisUpdate),
+		.field_name = "thisUpdate",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_SINGLERESP, nextUpdate),
+		.field_name = "nextUpdate",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_SINGLERESP, singleExtensions),
+		.field_name = "singleExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_SINGLERESP_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_SINGLERESP_seq_tt,
+	.tcount = sizeof(OCSP_SINGLERESP_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_SINGLERESP),
+	.sname = "OCSP_SINGLERESP",
+};
 
 
 OCSP_SINGLERESP *
@@ -411,13 +707,53 @@ OCSP_SINGLERESP_free(OCSP_SINGLERESP *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_SINGLERESP_it);
 }
 
-ASN1_SEQUENCE(OCSP_RESPDATA) = {
-	ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
-	ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
-	ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
-	ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
-} ASN1_SEQUENCE_END(OCSP_RESPDATA)
+static const ASN1_TEMPLATE OCSP_RESPDATA_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, version),
+		.field_name = "version",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, responderId),
+		.field_name = "responderId",
+		.item = &OCSP_RESPID_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, producedAt),
+		.field_name = "producedAt",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(OCSP_RESPDATA, responses),
+		.field_name = "responses",
+		.item = &OCSP_SINGLERESP_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_RESPDATA, responseExtensions),
+		.field_name = "responseExtensions",
+		.item = &X509_EXTENSION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_RESPDATA_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_RESPDATA_seq_tt,
+	.tcount = sizeof(OCSP_RESPDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_RESPDATA),
+	.sname = "OCSP_RESPDATA",
+};
 
 
 OCSP_RESPDATA *
@@ -445,12 +781,46 @@ OCSP_RESPDATA_free(OCSP_RESPDATA *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPDATA_it);
 }
 
-ASN1_SEQUENCE(OCSP_BASICRESP) = {
-	ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
-	ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
-	ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
-	ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
-} ASN1_SEQUENCE_END(OCSP_BASICRESP)
+static const ASN1_TEMPLATE OCSP_BASICRESP_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, tbsResponseData),
+		.field_name = "tbsResponseData",
+		.item = &OCSP_RESPDATA_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, signatureAlgorithm),
+		.field_name = "signatureAlgorithm",
+		.item = &X509_ALGOR_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, signature),
+		.field_name = "signature",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_BASICRESP, certs),
+		.field_name = "certs",
+		.item = &X509_it,
+	},
+};
+
+const ASN1_ITEM OCSP_BASICRESP_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_BASICRESP_seq_tt,
+	.tcount = sizeof(OCSP_BASICRESP_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_BASICRESP),
+	.sname = "OCSP_BASICRESP",
+};
 
 
 OCSP_BASICRESP *
@@ -478,11 +848,39 @@ OCSP_BASICRESP_free(OCSP_BASICRESP *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_BASICRESP_it);
 }
 
-ASN1_SEQUENCE(OCSP_CRLID) = {
-	ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
-	ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
-	ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
-} ASN1_SEQUENCE_END(OCSP_CRLID)
+static const ASN1_TEMPLATE OCSP_CRLID_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_CRLID, crlUrl),
+		.field_name = "crlUrl",
+		.item = &ASN1_IA5STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(OCSP_CRLID, crlNum),
+		.field_name = "crlNum",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 2,
+		.offset = offsetof(OCSP_CRLID, crlTime),
+		.field_name = "crlTime",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+};
+
+const ASN1_ITEM OCSP_CRLID_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_CRLID_seq_tt,
+	.tcount = sizeof(OCSP_CRLID_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_CRLID),
+	.sname = "OCSP_CRLID",
+};
 
 
 OCSP_CRLID *
@@ -510,10 +908,32 @@ OCSP_CRLID_free(OCSP_CRLID *a)
 	ASN1_item_free((ASN1_VALUE *)a, &OCSP_CRLID_it);
 }
 
-ASN1_SEQUENCE(OCSP_SERVICELOC) = {
-	ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
-	ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
-} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
+static const ASN1_TEMPLATE OCSP_SERVICELOC_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OCSP_SERVICELOC, issuer),
+		.field_name = "issuer",
+		.item = &X509_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(OCSP_SERVICELOC, locator),
+		.field_name = "locator",
+		.item = &ACCESS_DESCRIPTION_it,
+	},
+};
+
+const ASN1_ITEM OCSP_SERVICELOC_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OCSP_SERVICELOC_seq_tt,
+	.tcount = sizeof(OCSP_SERVICELOC_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OCSP_SERVICELOC),
+	.sname = "OCSP_SERVICELOC",
+};
 
 
 OCSP_SERVICELOC *
-- 
cgit v1.2.3-55-g6feb