1 /* Do not modify this file. Changes will be overwritten.                      */
2 /* Generated automatically by the ASN.1 to Wireshark dissector compiler       */
3 /* packet-kerberos.c                                                          */
4 /* asn2wrs.py -b -p kerberos -c ./kerberos.cnf -s ./packet-kerberos-template -D . -O ../.. KerberosV5Spec2.asn k5.asn RFC3244.asn RFC6113.asn SPAKE.asn */
5 
6 /* Input file: packet-kerberos-template.c */
7 
8 #line 1 "./asn1/kerberos/packet-kerberos-template.c"
9 /* packet-kerberos.c
10  * Routines for Kerberos
11  * Wes Hardaker (c) 2000
12  * wjhardaker@ucdavis.edu
13  * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
14  *                          added AP-REQ and AP-REP dissection
15  *
16  * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
17  *                           decryption of kerberos blobs if keytab is provided
18  *
19  * See RFC 1510, and various I-Ds and other documents showing additions,
20  * e.g. ones listed under
21  *
22  *	http://clifford.neuman.name/krb-revisions/
23  *
24  * and
25  *
26  *	https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-clarifications-07
27  *
28  * and
29  *
30  *  https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-05
31  *
32  * Some structures from RFC2630
33  *
34  * Wireshark - Network traffic analyzer
35  * By Gerald Combs <gerald@wireshark.org>
36  * Copyright 1998 Gerald Combs
37  *
38  * SPDX-License-Identifier: GPL-2.0-or-later
39  */
40 
41 /*
42  * Some of the development of the Kerberos protocol decoder was sponsored by
43  * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
44  * CableLabs' specifications. Your license and use of this protocol decoder
45  * does not mean that you are licensed to use the CableLabs'
46  * specifications.  If you have questions about this protocol, contact
47  * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
48  * information.
49  */
50 
51 #include <config.h>
52 
53 #include <stdio.h>
54 
55 // krb5.h needs to be included before the defines in packet-kerberos.h
56 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
57 #ifdef _WIN32
58 /* prevent redefinition warnings in krb5's win-mac.h */
59 #define SSIZE_T_DEFINED
60 #endif /* _WIN32 */
61 #include <krb5.h>
62 #endif
63 
64 #include <epan/packet.h>
65 #include <epan/exceptions.h>
66 #include <epan/strutil.h>
67 #include <epan/conversation.h>
68 #include <epan/asn1.h>
69 #include <epan/expert.h>
70 #include <epan/prefs.h>
71 #include <wsutil/wsgcrypt.h>
72 #include <wsutil/file_util.h>
73 #include <wsutil/str_util.h>
74 #include <wsutil/pint.h>
75 #include "packet-kerberos.h"
76 #include "packet-netbios.h"
77 #include "packet-tcp.h"
78 #include "packet-ber.h"
79 #include "packet-pkinit.h"
80 #include "packet-cms.h"
81 #include "packet-windows-common.h"
82 
83 #include "read_keytab_file.h"
84 
85 #include "packet-dcerpc-netlogon.h"
86 #include "packet-dcerpc.h"
87 
88 #include "packet-gssapi.h"
89 #include "packet-x509af.h"
90 
91 #define KEY_USAGE_FAST_REQ_CHKSUM       50
92 #define KEY_USAGE_FAST_ENC              51
93 #define KEY_USAGE_FAST_REP              52
94 #define KEY_USAGE_FAST_FINISHED         53
95 #define KEY_USAGE_ENC_CHALLENGE_CLIENT  54
96 #define KEY_USAGE_ENC_CHALLENGE_KDC     55
97 
98 void proto_register_kerberos(void);
99 void proto_reg_handoff_kerberos(void);
100 
101 #define UDP_PORT_KERBEROS		88
102 #define TCP_PORT_KERBEROS		88
103 
104 #define ADDRESS_STR_BUFSIZ 256
105 
106 typedef struct kerberos_key {
107 	guint32 keytype;
108 	int keylength;
109 	const guint8 *keyvalue;
110 } kerberos_key_t;
111 
112 typedef void (*kerberos_key_save_fn)(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
113 				     asn1_ctx_t *actx _U_, proto_tree *tree _U_,
114 				     int parent_hf_index _U_,
115 				     int hf_index _U_);
116 
117 typedef struct {
118 	guint32 msg_type;
119 	gboolean is_win2k_pkinit;
120 	guint32 errorcode;
121 	gboolean try_nt_status;
122 	guint32 etype;
123 	guint32 padata_type;
124 	guint32 is_enc_padata;
125 	guint32 enctype;
126 	kerberos_key_t key;
127 	proto_tree *key_tree;
128 	proto_item *key_hidden_item;
129 	tvbuff_t *key_tvb;
130 	kerberos_callbacks *callbacks;
131 	guint32 ad_type;
132 	guint32 addr_type;
133 	guint32 checksum_type;
134 #ifdef HAVE_KERBEROS
135 	enc_key_t *last_decryption_key;
136 	enc_key_t *last_added_key;
137 	tvbuff_t *last_ticket_enc_part_tvb;
138 #endif
139 	gint save_encryption_key_parent_hf_index;
140 	kerberos_key_save_fn save_encryption_key_fn;
141 	guint learnt_key_ids;
142 	guint missing_key_ids;
143 	wmem_list_t *decryption_keys;
144 	wmem_list_t *learnt_keys;
145 	wmem_list_t *missing_keys;
146 	guint32 within_PA_TGS_REQ;
147 #ifdef HAVE_KERBEROS
148 	enc_key_t *PA_TGS_REQ_key;
149 	enc_key_t *PA_TGS_REQ_subkey;
150 #endif
151 	guint32 fast_type;
152 	guint32 fast_armor_within_armor_value;
153 #ifdef HAVE_KERBEROS
154 	enc_key_t *PA_FAST_ARMOR_AP_key;
155 	enc_key_t *PA_FAST_ARMOR_AP_subkey;
156 	enc_key_t *fast_armor_key;
157 	enc_key_t *fast_strengthen_key;
158 #endif
159 } kerberos_private_data_t;
160 
161 static dissector_handle_t kerberos_handle_udp;
162 
163 /* Forward declarations */
164 static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
165 static int dissect_kerberos_AuthorizationData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
166 static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
167 #ifdef HAVE_KERBEROS
168 static int dissect_kerberos_PA_ENC_TS_ENC(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
169 #endif
170 static int dissect_kerberos_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
171 static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
172 static int dissect_kerberos_PA_S4U_X509_USER(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
173 static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
174 static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
175 static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
176 static int dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
177 static int dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
178 static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
179 static int dissect_kerberos_PA_KERB_KEY_LIST_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
180 static int dissect_kerberos_PA_KERB_KEY_LIST_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
181 static int dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
182 static int dissect_kerberos_PA_PAC_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
183 static int dissect_kerberos_KERB_AD_RESTRICTION_ENTRY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
184 static int dissect_kerberos_SEQUENCE_OF_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
185 static int dissect_kerberos_PA_SPAKE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
186 #ifdef HAVE_KERBEROS
187 static int dissect_kerberos_KrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
188 static int dissect_kerberos_KrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
189 static int dissect_kerberos_FastOptions(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
190 #endif
191 
192 /* Desegment Kerberos over TCP messages */
193 static gboolean krb_desegment = TRUE;
194 
195 static gint proto_kerberos = -1;
196 
197 static gint hf_krb_rm_reserved = -1;
198 static gint hf_krb_rm_reclen = -1;
199 static gint hf_krb_provsrv_location = -1;
200 static gint hf_krb_pw_salt = -1;
201 static gint hf_krb_ext_error_nt_status = -1;
202 static gint hf_krb_ext_error_reserved = -1;
203 static gint hf_krb_ext_error_flags = -1;
204 static gint hf_krb_address_ip = -1;
205 static gint hf_krb_address_netbios = -1;
206 static gint hf_krb_address_ipv6 = -1;
207 static gint hf_krb_gssapi_len = -1;
208 static gint hf_krb_gssapi_bnd = -1;
209 static gint hf_krb_gssapi_dlgopt = -1;
210 static gint hf_krb_gssapi_dlglen = -1;
211 static gint hf_krb_gssapi_c_flag_deleg = -1;
212 static gint hf_krb_gssapi_c_flag_mutual = -1;
213 static gint hf_krb_gssapi_c_flag_replay = -1;
214 static gint hf_krb_gssapi_c_flag_sequence = -1;
215 static gint hf_krb_gssapi_c_flag_conf = -1;
216 static gint hf_krb_gssapi_c_flag_integ = -1;
217 static gint hf_krb_gssapi_c_flag_dce_style = -1;
218 static gint hf_krb_midl_version = -1;
219 static gint hf_krb_midl_hdr_len = -1;
220 static gint hf_krb_midl_fill_bytes = -1;
221 static gint hf_krb_midl_blob_len = -1;
222 static gint hf_krb_pac_signature_type = -1;
223 static gint hf_krb_pac_signature_signature = -1;
224 static gint hf_krb_w2k_pac_entries = -1;
225 static gint hf_krb_w2k_pac_version = -1;
226 static gint hf_krb_w2k_pac_type = -1;
227 static gint hf_krb_w2k_pac_size = -1;
228 static gint hf_krb_w2k_pac_offset = -1;
229 static gint hf_krb_pac_clientid = -1;
230 static gint hf_krb_pac_namelen = -1;
231 static gint hf_krb_pac_clientname = -1;
232 static gint hf_krb_pac_logon_info = -1;
233 static gint hf_krb_pac_credential_data = -1;
234 static gint hf_krb_pac_credential_info = -1;
235 static gint hf_krb_pac_credential_info_version = -1;
236 static gint hf_krb_pac_credential_info_etype = -1;
237 static gint hf_krb_pac_s4u_delegation_info = -1;
238 static gint hf_krb_pac_upn_dns_info = -1;
239 static gint hf_krb_pac_upn_flags = -1;
240 static gint hf_krb_pac_upn_dns_offset = -1;
241 static gint hf_krb_pac_upn_dns_len = -1;
242 static gint hf_krb_pac_upn_upn_offset = -1;
243 static gint hf_krb_pac_upn_upn_len = -1;
244 static gint hf_krb_pac_upn_upn_name = -1;
245 static gint hf_krb_pac_upn_dns_name = -1;
246 static gint hf_krb_pac_server_checksum = -1;
247 static gint hf_krb_pac_privsvr_checksum = -1;
248 static gint hf_krb_pac_client_info_type = -1;
249 static gint hf_krb_pac_client_claims_info = -1;
250 static gint hf_krb_pac_device_info = -1;
251 static gint hf_krb_pac_device_claims_info = -1;
252 static gint hf_krb_pac_ticket_checksum = -1;
253 static gint hf_krb_pa_supported_enctypes = -1;
254 static gint hf_krb_pa_supported_enctypes_des_cbc_crc = -1;
255 static gint hf_krb_pa_supported_enctypes_des_cbc_md5 = -1;
256 static gint hf_krb_pa_supported_enctypes_rc4_hmac = -1;
257 static gint hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96 = -1;
258 static gint hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96 = -1;
259 static gint hf_krb_pa_supported_enctypes_fast_supported = -1;
260 static gint hf_krb_pa_supported_enctypes_compound_identity_supported = -1;
261 static gint hf_krb_pa_supported_enctypes_claims_supported = -1;
262 static gint hf_krb_pa_supported_enctypes_resource_sid_compression_disabled = -1;
263 static gint hf_krb_ad_ap_options = -1;
264 static gint hf_krb_ad_ap_options_cbt = -1;
265 static gint hf_krb_ad_target_principal = -1;
266 static gint hf_krb_key_hidden_item = -1;
267 static gint hf_kerberos_KERB_TICKET_LOGON = -1;
268 static gint hf_kerberos_KERB_TICKET_LOGON_MessageType = -1;
269 static gint hf_kerberos_KERB_TICKET_LOGON_Flags = -1;
270 static gint hf_kerberos_KERB_TICKET_LOGON_ServiceTicketLength = -1;
271 static gint hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicketLength = -1;
272 static gint hf_kerberos_KERB_TICKET_LOGON_ServiceTicket = -1;
273 static gint hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicket = -1;
274 static gint hf_kerberos_KERB_TICKET_LOGON_FLAG_ALLOW_EXPIRED_TICKET = -1;
275 static gint hf_kerberos_KERB_TICKET_LOGON_FLAG_REDIRECTED = -1;
276 #ifdef HAVE_KERBEROS
277 static gint hf_kerberos_KrbFastResponse = -1;
278 static gint hf_kerberos_strengthen_key = -1;
279 static gint hf_kerberos_finished = -1;
280 static gint hf_kerberos_fast_options = -1;
281 static gint hf_kerberos_ticket_checksum = -1;
282 static gint hf_krb_patimestamp = -1;
283 static gint hf_krb_pausec = -1;
284 static gint hf_kerberos_FastOptions_reserved = -1;
285 static gint hf_kerberos_FastOptions_hide_client_names = -1;
286 static gint hf_kerberos_FastOptions_spare_bit2 = -1;
287 static gint hf_kerberos_FastOptions_spare_bit3 = -1;
288 static gint hf_kerberos_FastOptions_spare_bit4 = -1;
289 static gint hf_kerberos_FastOptions_spare_bit5 = -1;
290 static gint hf_kerberos_FastOptions_spare_bit6 = -1;
291 static gint hf_kerberos_FastOptions_spare_bit7 = -1;
292 static gint hf_kerberos_FastOptions_spare_bit8 = -1;
293 static gint hf_kerberos_FastOptions_spare_bit9 = -1;
294 static gint hf_kerberos_FastOptions_spare_bit10 = -1;
295 static gint hf_kerberos_FastOptions_spare_bit11 = -1;
296 static gint hf_kerberos_FastOptions_spare_bit12 = -1;
297 static gint hf_kerberos_FastOptions_spare_bit13 = -1;
298 static gint hf_kerberos_FastOptions_spare_bit14 = -1;
299 static gint hf_kerberos_FastOptions_spare_bit15 = -1;
300 static gint hf_kerberos_FastOptions_kdc_follow_referrals = -1;
301 
302 #endif
303 
304 /*--- Included file: packet-kerberos-hf.c ---*/
305 #line 1 "./asn1/kerberos/packet-kerberos-hf.c"
306 static int hf_kerberos_ticket = -1;               /* Ticket */
307 static int hf_kerberos_authenticator = -1;        /* Authenticator */
308 static int hf_kerberos_encTicketPart = -1;        /* EncTicketPart */
309 static int hf_kerberos_as_req = -1;               /* AS_REQ */
310 static int hf_kerberos_as_rep = -1;               /* AS_REP */
311 static int hf_kerberos_tgs_req = -1;              /* TGS_REQ */
312 static int hf_kerberos_tgs_rep = -1;              /* TGS_REP */
313 static int hf_kerberos_ap_req = -1;               /* AP_REQ */
314 static int hf_kerberos_ap_rep = -1;               /* AP_REP */
315 static int hf_kerberos_krb_safe = -1;             /* KRB_SAFE */
316 static int hf_kerberos_krb_priv = -1;             /* KRB_PRIV */
317 static int hf_kerberos_krb_cred = -1;             /* KRB_CRED */
318 static int hf_kerberos_encASRepPart = -1;         /* EncASRepPart */
319 static int hf_kerberos_encTGSRepPart = -1;        /* EncTGSRepPart */
320 static int hf_kerberos_encAPRepPart = -1;         /* EncAPRepPart */
321 static int hf_kerberos_encKrbPrivPart = -1;       /* ENC_KRB_PRIV_PART */
322 static int hf_kerberos_encKrbCredPart = -1;       /* EncKrbCredPart */
323 static int hf_kerberos_krb_error = -1;            /* KRB_ERROR */
324 static int hf_kerberos_name_type = -1;            /* NAME_TYPE */
325 static int hf_kerberos_name_string = -1;          /* SEQUENCE_OF_KerberosString */
326 static int hf_kerberos_name_string_item = -1;     /* KerberosString */
327 static int hf_kerberos_cname_string = -1;         /* SEQUENCE_OF_CNameString */
328 static int hf_kerberos_cname_string_item = -1;    /* CNameString */
329 static int hf_kerberos_sname_string = -1;         /* SEQUENCE_OF_SNameString */
330 static int hf_kerberos_sname_string_item = -1;    /* SNameString */
331 static int hf_kerberos_addr_type = -1;            /* ADDR_TYPE */
332 static int hf_kerberos_address = -1;              /* T_address */
333 static int hf_kerberos_HostAddresses_item = -1;   /* HostAddress */
334 static int hf_kerberos_AuthorizationData_item = -1;  /* AuthorizationData_item */
335 static int hf_kerberos_ad_type = -1;              /* AUTHDATA_TYPE */
336 static int hf_kerberos_ad_data = -1;              /* T_ad_data */
337 static int hf_kerberos_padata_type = -1;          /* PADATA_TYPE */
338 static int hf_kerberos_padata_value = -1;         /* T_padata_value */
339 static int hf_kerberos_keytype = -1;              /* T_keytype */
340 static int hf_kerberos_keyvalue = -1;             /* T_keyvalue */
341 static int hf_kerberos_cksumtype = -1;            /* CKSUMTYPE */
342 static int hf_kerberos_checksum = -1;             /* T_checksum */
343 static int hf_kerberos_etype = -1;                /* ENCTYPE */
344 static int hf_kerberos_kvno = -1;                 /* UInt32 */
345 static int hf_kerberos_encryptedTicketData_cipher = -1;  /* T_encryptedTicketData_cipher */
346 static int hf_kerberos_encryptedAuthorizationData_cipher = -1;  /* T_encryptedAuthorizationData_cipher */
347 static int hf_kerberos_encryptedAuthenticator_cipher = -1;  /* T_encryptedAuthenticator_cipher */
348 static int hf_kerberos_encryptedKDCREPData_cipher = -1;  /* T_encryptedKDCREPData_cipher */
349 static int hf_kerberos_encryptedAPREPData_cipher = -1;  /* T_encryptedAPREPData_cipher */
350 static int hf_kerberos_encryptedKrbPrivData_cipher = -1;  /* T_encryptedKrbPrivData_cipher */
351 static int hf_kerberos_encryptedKrbCredData_cipher = -1;  /* T_encryptedKrbCredData_cipher */
352 static int hf_kerberos_tkt_vno = -1;              /* INTEGER_5 */
353 static int hf_kerberos_realm = -1;                /* Realm */
354 static int hf_kerberos_sname = -1;                /* SName */
355 static int hf_kerberos_ticket_enc_part = -1;      /* EncryptedTicketData */
356 static int hf_kerberos_flags = -1;                /* TicketFlags */
357 static int hf_kerberos_encTicketPart_key = -1;    /* T_encTicketPart_key */
358 static int hf_kerberos_crealm = -1;               /* Realm */
359 static int hf_kerberos_cname = -1;                /* CName */
360 static int hf_kerberos_transited = -1;            /* TransitedEncoding */
361 static int hf_kerberos_authtime = -1;             /* KerberosTime */
362 static int hf_kerberos_starttime = -1;            /* KerberosTime */
363 static int hf_kerberos_endtime = -1;              /* KerberosTime */
364 static int hf_kerberos_renew_till = -1;           /* KerberosTime */
365 static int hf_kerberos_caddr = -1;                /* HostAddresses */
366 static int hf_kerberos_authorization_data = -1;   /* AuthorizationData */
367 static int hf_kerberos_tr_type = -1;              /* Int32 */
368 static int hf_kerberos_contents = -1;             /* OCTET_STRING */
369 static int hf_kerberos_pvno = -1;                 /* INTEGER_5 */
370 static int hf_kerberos_msg_type = -1;             /* MESSAGE_TYPE */
371 static int hf_kerberos_padata = -1;               /* SEQUENCE_OF_PA_DATA */
372 static int hf_kerberos_padata_item = -1;          /* PA_DATA */
373 static int hf_kerberos_req_body = -1;             /* KDC_REQ_BODY */
374 static int hf_kerberos_kdc_options = -1;          /* KDCOptions */
375 static int hf_kerberos_from = -1;                 /* KerberosTime */
376 static int hf_kerberos_till = -1;                 /* KerberosTime */
377 static int hf_kerberos_rtime = -1;                /* KerberosTime */
378 static int hf_kerberos_nonce = -1;                /* UInt32 */
379 static int hf_kerberos_kDC_REQ_BODY_etype = -1;   /* SEQUENCE_OF_ENCTYPE */
380 static int hf_kerberos_kDC_REQ_BODY_etype_item = -1;  /* ENCTYPE */
381 static int hf_kerberos_addresses = -1;            /* HostAddresses */
382 static int hf_kerberos_enc_authorization_data = -1;  /* EncryptedAuthorizationData */
383 static int hf_kerberos_additional_tickets = -1;   /* SEQUENCE_OF_Ticket */
384 static int hf_kerberos_additional_tickets_item = -1;  /* Ticket */
385 static int hf_kerberos_kDC_REP_enc_part = -1;     /* EncryptedKDCREPData */
386 static int hf_kerberos_encKDCRepPart_key = -1;    /* T_encKDCRepPart_key */
387 static int hf_kerberos_last_req = -1;             /* LastReq */
388 static int hf_kerberos_key_expiration = -1;       /* KerberosTime */
389 static int hf_kerberos_srealm = -1;               /* Realm */
390 static int hf_kerberos_encrypted_pa_data = -1;    /* T_encrypted_pa_data */
391 static int hf_kerberos_LastReq_item = -1;         /* LastReq_item */
392 static int hf_kerberos_lr_type = -1;              /* LR_TYPE */
393 static int hf_kerberos_lr_value = -1;             /* KerberosTime */
394 static int hf_kerberos_ap_options = -1;           /* APOptions */
395 static int hf_kerberos_authenticator_enc_part = -1;  /* EncryptedAuthenticator */
396 static int hf_kerberos_authenticator_vno = -1;    /* INTEGER_5 */
397 static int hf_kerberos_cksum = -1;                /* Checksum */
398 static int hf_kerberos_cusec = -1;                /* Microseconds */
399 static int hf_kerberos_ctime = -1;                /* KerberosTime */
400 static int hf_kerberos_authenticator_subkey = -1;  /* T_authenticator_subkey */
401 static int hf_kerberos_seq_number = -1;           /* UInt32 */
402 static int hf_kerberos_aP_REP_enc_part = -1;      /* EncryptedAPREPData */
403 static int hf_kerberos_encAPRepPart_subkey = -1;  /* T_encAPRepPart_subkey */
404 static int hf_kerberos_safe_body = -1;            /* KRB_SAFE_BODY */
405 static int hf_kerberos_kRB_SAFE_BODY_user_data = -1;  /* T_kRB_SAFE_BODY_user_data */
406 static int hf_kerberos_timestamp = -1;            /* KerberosTime */
407 static int hf_kerberos_usec = -1;                 /* Microseconds */
408 static int hf_kerberos_s_address = -1;            /* HostAddress */
409 static int hf_kerberos_r_address = -1;            /* HostAddress */
410 static int hf_kerberos_kRB_PRIV_enc_part = -1;    /* EncryptedKrbPrivData */
411 static int hf_kerberos_encKrbPrivPart_user_data = -1;  /* T_encKrbPrivPart_user_data */
412 static int hf_kerberos_tickets = -1;              /* SEQUENCE_OF_Ticket */
413 static int hf_kerberos_tickets_item = -1;         /* Ticket */
414 static int hf_kerberos_kRB_CRED_enc_part = -1;    /* EncryptedKrbCredData */
415 static int hf_kerberos_ticket_info = -1;          /* SEQUENCE_OF_KrbCredInfo */
416 static int hf_kerberos_ticket_info_item = -1;     /* KrbCredInfo */
417 static int hf_kerberos_krbCredInfo_key = -1;      /* T_krbCredInfo_key */
418 static int hf_kerberos_prealm = -1;               /* Realm */
419 static int hf_kerberos_pname = -1;                /* PrincipalName */
420 static int hf_kerberos_stime = -1;                /* KerberosTime */
421 static int hf_kerberos_susec = -1;                /* Microseconds */
422 static int hf_kerberos_error_code = -1;           /* ERROR_CODE */
423 static int hf_kerberos_e_text = -1;               /* KerberosString */
424 static int hf_kerberos_e_data = -1;               /* T_e_data */
425 static int hf_kerberos_e_checksum = -1;           /* Checksum */
426 static int hf_kerberos_METHOD_DATA_item = -1;     /* PA_DATA */
427 static int hf_kerberos_pA_ENC_TIMESTAMP_cipher = -1;  /* T_pA_ENC_TIMESTAMP_cipher */
428 static int hf_kerberos_info_salt = -1;            /* OCTET_STRING */
429 static int hf_kerberos_ETYPE_INFO_item = -1;      /* ETYPE_INFO_ENTRY */
430 static int hf_kerberos_info2_salt = -1;           /* KerberosString */
431 static int hf_kerberos_s2kparams = -1;            /* OCTET_STRING */
432 static int hf_kerberos_ETYPE_INFO2_item = -1;     /* ETYPE_INFO2_ENTRY */
433 static int hf_kerberos_server_name = -1;          /* PrincipalName */
434 static int hf_kerberos_include_pac = -1;          /* BOOLEAN */
435 static int hf_kerberos_name = -1;                 /* PrincipalName */
436 static int hf_kerberos_auth = -1;                 /* GeneralString */
437 static int hf_kerberos_user_id = -1;              /* S4UUserID */
438 static int hf_kerberos_checksum_01 = -1;          /* Checksum */
439 static int hf_kerberos_cname_01 = -1;             /* PrincipalName */
440 static int hf_kerberos_subject_certificate = -1;  /* T_subject_certificate */
441 static int hf_kerberos_options = -1;              /* BIT_STRING */
442 static int hf_kerberos_flags_01 = -1;             /* PAC_OPTIONS_FLAGS */
443 static int hf_kerberos_restriction_type = -1;     /* Int32 */
444 static int hf_kerberos_restriction = -1;          /* OCTET_STRING */
445 static int hf_kerberos_PA_KERB_KEY_LIST_REQ_item = -1;  /* ENCTYPE */
446 static int hf_kerberos_kerbKeyListRep_key = -1;   /* PA_KERB_KEY_LIST_REP_item */
447 static int hf_kerberos_newpasswd = -1;            /* OCTET_STRING */
448 static int hf_kerberos_targname = -1;             /* PrincipalName */
449 static int hf_kerberos_targrealm = -1;            /* Realm */
450 static int hf_kerberos_pa_type = -1;              /* PADATA_TYPE */
451 static int hf_kerberos_pa_hint = -1;              /* OCTET_STRING */
452 static int hf_kerberos_pa_value = -1;             /* OCTET_STRING */
453 static int hf_kerberos_armor_type = -1;           /* KrbFastArmorTypes */
454 static int hf_kerberos_armor_value = -1;          /* T_armor_value */
455 static int hf_kerberos_armored_data_request = -1;  /* KrbFastArmoredReq */
456 static int hf_kerberos_encryptedKrbFastReq_cipher = -1;  /* T_encryptedKrbFastReq_cipher */
457 static int hf_kerberos_armor = -1;                /* KrbFastArmor */
458 static int hf_kerberos_req_checksum = -1;         /* Checksum */
459 static int hf_kerberos_enc_fast_req = -1;         /* EncryptedKrbFastReq */
460 static int hf_kerberos_armored_data_reply = -1;   /* KrbFastArmoredRep */
461 static int hf_kerberos_encryptedKrbFastResponse_cipher = -1;  /* T_encryptedKrbFastResponse_cipher */
462 static int hf_kerberos_enc_fast_rep = -1;         /* EncryptedKrbFastResponse */
463 static int hf_kerberos_encryptedChallenge_cipher = -1;  /* T_encryptedChallenge_cipher */
464 static int hf_kerberos_cipher = -1;               /* OCTET_STRING */
465 static int hf_kerberos_groups = -1;               /* SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup */
466 static int hf_kerberos_groups_item = -1;          /* SPAKEGroup */
467 static int hf_kerberos_group = -1;                /* SPAKEGroup */
468 static int hf_kerberos_pubkey = -1;               /* OCTET_STRING */
469 static int hf_kerberos_factors = -1;              /* SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor */
470 static int hf_kerberos_factors_item = -1;         /* SPAKESecondFactor */
471 static int hf_kerberos_type = -1;                 /* SPAKESecondFactorType */
472 static int hf_kerberos_data = -1;                 /* OCTET_STRING */
473 static int hf_kerberos_factor = -1;               /* EncryptedSpakeResponseData */
474 static int hf_kerberos_support = -1;              /* SPAKESupport */
475 static int hf_kerberos_challenge = -1;            /* SPAKEChallenge */
476 static int hf_kerberos_response = -1;             /* SPAKEResponse */
477 static int hf_kerberos_encdata = -1;              /* EncryptedSpakeData */
478 /* named bits */
479 static int hf_kerberos_APOptions_reserved = -1;
480 static int hf_kerberos_APOptions_use_session_key = -1;
481 static int hf_kerberos_APOptions_mutual_required = -1;
482 static int hf_kerberos_TicketFlags_reserved = -1;
483 static int hf_kerberos_TicketFlags_forwardable = -1;
484 static int hf_kerberos_TicketFlags_forwarded = -1;
485 static int hf_kerberos_TicketFlags_proxiable = -1;
486 static int hf_kerberos_TicketFlags_proxy = -1;
487 static int hf_kerberos_TicketFlags_may_postdate = -1;
488 static int hf_kerberos_TicketFlags_postdated = -1;
489 static int hf_kerberos_TicketFlags_invalid = -1;
490 static int hf_kerberos_TicketFlags_renewable = -1;
491 static int hf_kerberos_TicketFlags_initial = -1;
492 static int hf_kerberos_TicketFlags_pre_authent = -1;
493 static int hf_kerberos_TicketFlags_hw_authent = -1;
494 static int hf_kerberos_TicketFlags_transited_policy_checked = -1;
495 static int hf_kerberos_TicketFlags_ok_as_delegate = -1;
496 static int hf_kerberos_TicketFlags_unused = -1;
497 static int hf_kerberos_TicketFlags_enc_pa_rep = -1;
498 static int hf_kerberos_TicketFlags_anonymous = -1;
499 static int hf_kerberos_KDCOptions_reserved = -1;
500 static int hf_kerberos_KDCOptions_forwardable = -1;
501 static int hf_kerberos_KDCOptions_forwarded = -1;
502 static int hf_kerberos_KDCOptions_proxiable = -1;
503 static int hf_kerberos_KDCOptions_proxy = -1;
504 static int hf_kerberos_KDCOptions_allow_postdate = -1;
505 static int hf_kerberos_KDCOptions_postdated = -1;
506 static int hf_kerberos_KDCOptions_unused7 = -1;
507 static int hf_kerberos_KDCOptions_renewable = -1;
508 static int hf_kerberos_KDCOptions_unused9 = -1;
509 static int hf_kerberos_KDCOptions_unused10 = -1;
510 static int hf_kerberos_KDCOptions_opt_hardware_auth = -1;
511 static int hf_kerberos_KDCOptions_unused12 = -1;
512 static int hf_kerberos_KDCOptions_unused13 = -1;
513 static int hf_kerberos_KDCOptions_constrained_delegation = -1;
514 static int hf_kerberos_KDCOptions_canonicalize = -1;
515 static int hf_kerberos_KDCOptions_request_anonymous = -1;
516 static int hf_kerberos_KDCOptions_unused17 = -1;
517 static int hf_kerberos_KDCOptions_unused18 = -1;
518 static int hf_kerberos_KDCOptions_unused19 = -1;
519 static int hf_kerberos_KDCOptions_unused20 = -1;
520 static int hf_kerberos_KDCOptions_unused21 = -1;
521 static int hf_kerberos_KDCOptions_unused22 = -1;
522 static int hf_kerberos_KDCOptions_unused23 = -1;
523 static int hf_kerberos_KDCOptions_unused24 = -1;
524 static int hf_kerberos_KDCOptions_unused25 = -1;
525 static int hf_kerberos_KDCOptions_disable_transited_check = -1;
526 static int hf_kerberos_KDCOptions_renewable_ok = -1;
527 static int hf_kerberos_KDCOptions_enc_tkt_in_skey = -1;
528 static int hf_kerberos_KDCOptions_unused29 = -1;
529 static int hf_kerberos_KDCOptions_renew = -1;
530 static int hf_kerberos_KDCOptions_validate = -1;
531 static int hf_kerberos_PAC_OPTIONS_FLAGS_claims = -1;
532 static int hf_kerberos_PAC_OPTIONS_FLAGS_branch_aware = -1;
533 static int hf_kerberos_PAC_OPTIONS_FLAGS_forward_to_full_dc = -1;
534 static int hf_kerberos_PAC_OPTIONS_FLAGS_resource_based_constrained_delegation = -1;
535 
536 /*--- End of included file: packet-kerberos-hf.c ---*/
537 #line 296 "./asn1/kerberos/packet-kerberos-template.c"
538 
539 /* Initialize the subtree pointers */
540 static gint ett_kerberos = -1;
541 static gint ett_krb_recordmark = -1;
542 static gint ett_krb_pac = -1;
543 static gint ett_krb_pac_drep = -1;
544 static gint ett_krb_pac_midl_blob = -1;
545 static gint ett_krb_pac_logon_info = -1;
546 static gint ett_krb_pac_credential_info = -1;
547 static gint ett_krb_pac_s4u_delegation_info = -1;
548 static gint ett_krb_pac_upn_dns_info = -1;
549 static gint ett_krb_pac_device_info = -1;
550 static gint ett_krb_pac_server_checksum = -1;
551 static gint ett_krb_pac_privsvr_checksum = -1;
552 static gint ett_krb_pac_client_info_type = -1;
553 static gint ett_krb_pac_ticket_checksum = -1;
554 static gint ett_krb_pa_supported_enctypes = -1;
555 static gint ett_krb_ad_ap_options = -1;
556 static gint ett_kerberos_KERB_TICKET_LOGON = -1;
557 #ifdef HAVE_KERBEROS
558 static gint ett_krb_pa_enc_ts_enc = -1;
559 static gint ett_kerberos_KrbFastFinished = -1;
560 static gint ett_kerberos_KrbFastResponse = -1;
561 static gint ett_kerberos_KrbFastReq = -1;
562 static gint ett_kerberos_FastOptions = -1;
563 #endif
564 
565 /*--- Included file: packet-kerberos-ett.c ---*/
566 #line 1 "./asn1/kerberos/packet-kerberos-ett.c"
567 static gint ett_kerberos_Applications = -1;
568 static gint ett_kerberos_PrincipalName = -1;
569 static gint ett_kerberos_SEQUENCE_OF_KerberosString = -1;
570 static gint ett_kerberos_CName = -1;
571 static gint ett_kerberos_SEQUENCE_OF_CNameString = -1;
572 static gint ett_kerberos_SName = -1;
573 static gint ett_kerberos_SEQUENCE_OF_SNameString = -1;
574 static gint ett_kerberos_HostAddress = -1;
575 static gint ett_kerberos_HostAddresses = -1;
576 static gint ett_kerberos_AuthorizationData = -1;
577 static gint ett_kerberos_AuthorizationData_item = -1;
578 static gint ett_kerberos_PA_DATA = -1;
579 static gint ett_kerberos_EncryptionKey = -1;
580 static gint ett_kerberos_Checksum = -1;
581 static gint ett_kerberos_EncryptedTicketData = -1;
582 static gint ett_kerberos_EncryptedAuthorizationData = -1;
583 static gint ett_kerberos_EncryptedAuthenticator = -1;
584 static gint ett_kerberos_EncryptedKDCREPData = -1;
585 static gint ett_kerberos_EncryptedAPREPData = -1;
586 static gint ett_kerberos_EncryptedKrbPrivData = -1;
587 static gint ett_kerberos_EncryptedKrbCredData = -1;
588 static gint ett_kerberos_Ticket_U = -1;
589 static gint ett_kerberos_EncTicketPart_U = -1;
590 static gint ett_kerberos_TransitedEncoding = -1;
591 static gint ett_kerberos_KDC_REQ = -1;
592 static gint ett_kerberos_SEQUENCE_OF_PA_DATA = -1;
593 static gint ett_kerberos_KDC_REQ_BODY = -1;
594 static gint ett_kerberos_SEQUENCE_OF_ENCTYPE = -1;
595 static gint ett_kerberos_SEQUENCE_OF_Ticket = -1;
596 static gint ett_kerberos_KDC_REP = -1;
597 static gint ett_kerberos_EncKDCRepPart = -1;
598 static gint ett_kerberos_LastReq = -1;
599 static gint ett_kerberos_LastReq_item = -1;
600 static gint ett_kerberos_AP_REQ_U = -1;
601 static gint ett_kerberos_Authenticator_U = -1;
602 static gint ett_kerberos_AP_REP_U = -1;
603 static gint ett_kerberos_EncAPRepPart_U = -1;
604 static gint ett_kerberos_KRB_SAFE_U = -1;
605 static gint ett_kerberos_KRB_SAFE_BODY = -1;
606 static gint ett_kerberos_KRB_PRIV_U = -1;
607 static gint ett_kerberos_EncKrbPrivPart = -1;
608 static gint ett_kerberos_KRB_CRED_U = -1;
609 static gint ett_kerberos_EncKrbCredPart_U = -1;
610 static gint ett_kerberos_SEQUENCE_OF_KrbCredInfo = -1;
611 static gint ett_kerberos_KrbCredInfo = -1;
612 static gint ett_kerberos_KRB_ERROR_U = -1;
613 static gint ett_kerberos_METHOD_DATA = -1;
614 static gint ett_kerberos_PA_ENC_TIMESTAMP = -1;
615 static gint ett_kerberos_ETYPE_INFO_ENTRY = -1;
616 static gint ett_kerberos_ETYPE_INFO = -1;
617 static gint ett_kerberos_ETYPE_INFO2_ENTRY = -1;
618 static gint ett_kerberos_ETYPE_INFO2 = -1;
619 static gint ett_kerberos_TGT_REQ = -1;
620 static gint ett_kerberos_TGT_REP = -1;
621 static gint ett_kerberos_APOptions = -1;
622 static gint ett_kerberos_TicketFlags = -1;
623 static gint ett_kerberos_KDCOptions = -1;
624 static gint ett_kerberos_PA_PAC_REQUEST = -1;
625 static gint ett_kerberos_PA_S4U2Self = -1;
626 static gint ett_kerberos_PA_S4U_X509_USER = -1;
627 static gint ett_kerberos_S4UUserID = -1;
628 static gint ett_kerberos_PAC_OPTIONS_FLAGS = -1;
629 static gint ett_kerberos_PA_PAC_OPTIONS = -1;
630 static gint ett_kerberos_KERB_AD_RESTRICTION_ENTRY_U = -1;
631 static gint ett_kerberos_PA_KERB_KEY_LIST_REQ = -1;
632 static gint ett_kerberos_PA_KERB_KEY_LIST_REP = -1;
633 static gint ett_kerberos_ChangePasswdData = -1;
634 static gint ett_kerberos_PA_AUTHENTICATION_SET_ELEM = -1;
635 static gint ett_kerberos_KrbFastArmor = -1;
636 static gint ett_kerberos_PA_FX_FAST_REQUEST = -1;
637 static gint ett_kerberos_EncryptedKrbFastReq = -1;
638 static gint ett_kerberos_KrbFastArmoredReq = -1;
639 static gint ett_kerberos_PA_FX_FAST_REPLY = -1;
640 static gint ett_kerberos_EncryptedKrbFastResponse = -1;
641 static gint ett_kerberos_KrbFastArmoredRep = -1;
642 static gint ett_kerberos_EncryptedChallenge = -1;
643 static gint ett_kerberos_EncryptedSpakeData = -1;
644 static gint ett_kerberos_EncryptedSpakeResponseData = -1;
645 static gint ett_kerberos_SPAKESupport = -1;
646 static gint ett_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup = -1;
647 static gint ett_kerberos_SPAKEChallenge = -1;
648 static gint ett_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor = -1;
649 static gint ett_kerberos_SPAKESecondFactor = -1;
650 static gint ett_kerberos_SPAKEResponse = -1;
651 static gint ett_kerberos_PA_SPAKE = -1;
652 
653 /*--- End of included file: packet-kerberos-ett.c ---*/
654 #line 323 "./asn1/kerberos/packet-kerberos-template.c"
655 
656 static expert_field ei_kerberos_missing_keytype = EI_INIT;
657 static expert_field ei_kerberos_decrypted_keytype = EI_INIT;
658 static expert_field ei_kerberos_learnt_keytype = EI_INIT;
659 static expert_field ei_kerberos_address = EI_INIT;
660 static expert_field ei_krb_gssapi_dlglen = EI_INIT;
661 
662 static dissector_handle_t krb4_handle=NULL;
663 
664 /* Global variables */
665 static guint32 gbl_keytype;
666 static gboolean gbl_do_col_info;
667 
668 
669 /*--- Included file: packet-kerberos-val.h ---*/
670 #line 1 "./asn1/kerberos/packet-kerberos-val.h"
671 #define id_krb5                        "1.3.6.1.5.2"
672 
673 typedef enum _KERBEROS_AUTHDATA_TYPE_enum {
674   KERBEROS_AD_IF_RELEVANT =   1,
675   KERBEROS_AD_INTENDED_FOR_SERVER =   2,
676   KERBEROS_AD_INTENDED_FOR_APPLICATION_CLASS =   3,
677   KERBEROS_AD_KDC_ISSUED =   4,
678   KERBEROS_AD_AND_OR =   5,
679   KERBEROS_AD_MANDATORY_TICKET_EXTENSIONS =   6,
680   KERBEROS_AD_IN_TICKET_EXTENSIONS =   7,
681   KERBEROS_AD_MANDATORY_FOR_KDC =   8,
682   KERBEROS_AD_INITIAL_VERIFIED_CAS =   9,
683   KERBEROS_AD_OSF_DCE =  64,
684   KERBEROS_AD_SESAME =  65,
685   KERBEROS_AD_OSF_DCE_PKI_CERTID =  66,
686   KERBEROS_AD_AUTHENTICATION_STRENGTH =  70,
687   KERBEROS_AD_FX_FAST_ARMOR =  71,
688   KERBEROS_AD_FX_FAST_USED =  72,
689   KERBEROS_AD_WIN2K_PAC = 128,
690   KERBEROS_AD_GSS_API_ETYPE_NEGOTIATION = 129,
691   KERBEROS_AD_TOKEN_RESTRICTIONS = 141,
692   KERBEROS_AD_LOCAL = 142,
693   KERBEROS_AD_AP_OPTIONS = 143,
694   KERBEROS_AD_TARGET_PRINCIPAL = 144,
695   KERBEROS_AD_SIGNTICKET_OLDER = -17,
696   KERBEROS_AD_SIGNTICKET = 512
697 } KERBEROS_AUTHDATA_TYPE_enum;
698 
699 /* enumerated values for ADDR_TYPE */
700 #define KERBEROS_ADDR_TYPE_IPV4   2
701 #define KERBEROS_ADDR_TYPE_CHAOS   5
702 #define KERBEROS_ADDR_TYPE_XEROX   6
703 #define KERBEROS_ADDR_TYPE_ISO   7
704 #define KERBEROS_ADDR_TYPE_DECNET  12
705 #define KERBEROS_ADDR_TYPE_APPLETALK  16
706 #define KERBEROS_ADDR_TYPE_NETBIOS  20
707 #define KERBEROS_ADDR_TYPE_IPV6  24
708 
709 typedef enum _KERBEROS_PADATA_TYPE_enum {
710   KERBEROS_PA_NONE =   0,
711   KERBEROS_PA_TGS_REQ =   1,
712   KERBEROS_PA_ENC_TIMESTAMP =   2,
713   KERBEROS_PA_PW_SALT =   3,
714   KERBEROS_PA_ENC_UNIX_TIME =   5,
715   KERBEROS_PA_SANDIA_SECUREID =   6,
716   KERBEROS_PA_SESAME =   7,
717   KERBEROS_PA_OSF_DCE =   8,
718   KERBEROS_PA_CYBERSAFE_SECUREID =   9,
719   KERBEROS_PA_AFS3_SALT =  10,
720   KERBEROS_PA_ETYPE_INFO =  11,
721   KERBEROS_PA_SAM_CHALLENGE =  12,
722   KERBEROS_PA_SAM_RESPONSE =  13,
723   KERBEROS_PA_PK_AS_REQ_19 =  14,
724   KERBEROS_PA_PK_AS_REP_19 =  15,
725   KERBEROS_PA_PK_AS_REQ =  16,
726   KERBEROS_PA_PK_AS_REP =  17,
727   KERBEROS_PA_PK_OCSP_RESPONSE =  18,
728   KERBEROS_PA_ETYPE_INFO2 =  19,
729   KERBEROS_PA_USE_SPECIFIED_KVNO =  20,
730   KERBEROS_PA_SAM_REDIRECT =  21,
731   KERBEROS_PA_GET_FROM_TYPED_DATA =  22,
732   KERBEROS_TD_PADATA =  22,
733   KERBEROS_PA_SAM_ETYPE_INFO =  23,
734   KERBEROS_PA_ALT_PRINC =  24,
735   KERBEROS_PA_SERVER_REFERRAL =  25,
736   KERBEROS_PA_SAM_CHALLENGE2 =  30,
737   KERBEROS_PA_SAM_RESPONSE2 =  31,
738   KERBEROS_PA_EXTRA_TGT =  41,
739   KERBEROS_TD_PKINIT_CMS_CERTIFICATES = 101,
740   KERBEROS_TD_KRB_PRINCIPAL = 102,
741   KERBEROS_TD_KRB_REALM = 103,
742   KERBEROS_TD_TRUSTED_CERTIFIERS = 104,
743   KERBEROS_TD_CERTIFICATE_INDEX = 105,
744   KERBEROS_TD_APP_DEFINED_ERROR = 106,
745   KERBEROS_TD_REQ_NONCE = 107,
746   KERBEROS_TD_REQ_SEQ = 108,
747   KERBEROS_TD_DH_PARAMETERS = 109,
748   KERBEROS_TD_CMS_DIGEST_ALGORITHMS = 111,
749   KERBEROS_TD_CERT_DIGEST_ALGORITHMS = 112,
750   KERBEROS_PA_PAC_REQUEST = 128,
751   KERBEROS_PA_FOR_USER = 129,
752   KERBEROS_PA_FOR_X509_USER = 130,
753   KERBEROS_PA_FOR_CHECK_DUPS = 131,
754   KERBEROS_PA_PK_AS_09_BINDING = 132,
755   KERBEROS_PA_FX_COOKIE = 133,
756   KERBEROS_PA_AUTHENTICATION_SET = 134,
757   KERBEROS_PA_AUTH_SET_SELECTED = 135,
758   KERBEROS_PA_FX_FAST = 136,
759   KERBEROS_PA_FX_ERROR = 137,
760   KERBEROS_PA_ENCRYPTED_CHALLENGE = 138,
761   KERBEROS_PA_OTP_CHALLENGE = 141,
762   KERBEROS_PA_OTP_REQUEST = 142,
763   KERBEROS_PA_OTP_CONFIRM = 143,
764   KERBEROS_PA_OTP_PIN_CHANGE = 144,
765   KERBEROS_PA_EPAK_AS_REQ = 145,
766   KERBEROS_PA_EPAK_AS_REP = 146,
767   KERBEROS_PA_PKINIT_KX = 147,
768   KERBEROS_PA_PKU2U_NAME = 148,
769   KERBEROS_PA_REQ_ENC_PA_REP = 149,
770   KERBEROS_PA_SPAKE = 151,
771   KERBEROS_PA_KERB_KEY_LIST_REQ = 161,
772   KERBEROS_PA_KERB_KEY_LIST_REP = 162,
773   KERBEROS_PA_SUPPORTED_ETYPES = 165,
774   KERBEROS_PA_EXTENDED_ERROR = 166,
775   KERBEROS_PA_PAC_OPTIONS = 167,
776   KERBEROS_PA_PROV_SRV_LOCATION =  -1
777 } KERBEROS_PADATA_TYPE_enum;
778 
779 typedef enum _KERBEROS_KRBFASTARMORTYPES_enum {
780   KERBEROS_FX_FAST_RESERVED =   0,
781   KERBEROS_FX_FAST_ARMOR_AP_REQUEST =   1
782 } KERBEROS_KRBFASTARMORTYPES_enum;
783 
784 /*--- End of included file: packet-kerberos-val.h ---*/
785 #line 337 "./asn1/kerberos/packet-kerberos-template.c"
786 
787 static void
788 call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb)
789 {
790 	if(!cb){
791 		return;
792 	}
793 
794 	while(cb->tag){
795 		if(cb->tag==tag){
796 			cb->callback(pinfo, tvb, tree);
797 			return;
798 		}
799 		cb++;
800 	}
801 	return;
802 }
803 
804 static kerberos_private_data_t*
805 kerberos_new_private_data(packet_info *pinfo)
806 {
807 	kerberos_private_data_t *p;
808 
809 	p = wmem_new0(pinfo->pool, kerberos_private_data_t);
810 	if (p == NULL) {
811 		return NULL;
812 	}
813 
814 	p->decryption_keys = wmem_list_new(pinfo->pool);
815 	p->learnt_keys = wmem_list_new(pinfo->pool);
816 	p->missing_keys = wmem_list_new(pinfo->pool);
817 
818 	return p;
819 }
820 
821 static kerberos_private_data_t*
822 kerberos_get_private_data(asn1_ctx_t *actx)
823 {
824 	if (!actx->private_data) {
825 		actx->private_data = kerberos_new_private_data(actx->pinfo);
826 	}
827 	return (kerberos_private_data_t *)(actx->private_data);
828 }
829 
830 static gboolean
831 kerberos_private_is_kdc_req(kerberos_private_data_t *private_data)
832 {
833 	switch (private_data->msg_type) {
834 	case KERBEROS_APPLICATIONS_AS_REQ:
835 	case KERBEROS_APPLICATIONS_TGS_REQ:
836 		return TRUE;
837 	}
838 
839 	return FALSE;
840 }
841 
842 gboolean
843 kerberos_is_win2k_pkinit(asn1_ctx_t *actx)
844 {
845 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
846 
847 	return private_data->is_win2k_pkinit;
848 }
849 
850 #ifdef HAVE_KERBEROS
851 
852 /* Decrypt Kerberos blobs */
853 gboolean krb_decrypt = FALSE;
854 
855 /* keytab filename */
856 static const char *keytab_filename = "";
857 
858 void
859 read_keytab_file_from_preferences(void)
860 {
861 	static char *last_keytab = NULL;
862 
863 	if (!krb_decrypt) {
864 		return;
865 	}
866 
867 	if (keytab_filename == NULL) {
868 		return;
869 	}
870 
871 	if (last_keytab && !strcmp(last_keytab, keytab_filename)) {
872 		return;
873 	}
874 
875 	g_free(last_keytab);
876 	last_keytab = g_strdup(keytab_filename);
877 
878 	read_keytab_file(last_keytab);
879 }
880 #endif /* HAVE_KERBEROS */
881 
882 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
883 enc_key_t *enc_key_list=NULL;
884 static guint kerberos_longterm_ids = 0;
885 wmem_map_t *kerberos_longterm_keys = NULL;
886 static wmem_map_t *kerberos_all_keys = NULL;
887 static wmem_map_t *kerberos_app_session_keys = NULL;
888 
889 static gboolean
890 enc_key_list_cb(wmem_allocator_t* allocator _U_, wmem_cb_event_t event _U_, void *user_data _U_)
891 {
892 	enc_key_list = NULL;
893 	kerberos_longterm_ids = 0;
894 	/* keep the callback registered */
895 	return TRUE;
896 }
897 
898 static gint enc_key_cmp_id(gconstpointer k1, gconstpointer k2)
899 {
900 	const enc_key_t *key1 = (const enc_key_t *)k1;
901 	const enc_key_t *key2 = (const enc_key_t *)k2;
902 
903 	if (key1->fd_num < key2->fd_num) {
904 		return -1;
905 	}
906 	if (key1->fd_num > key2->fd_num) {
907 		return 1;
908 	}
909 
910 	if (key1->id < key2->id) {
911 		return -1;
912 	}
913 	if (key1->id > key2->id) {
914 		return 1;
915 	}
916 
917 	return 0;
918 }
919 
920 static gboolean
921 enc_key_content_equal(gconstpointer k1, gconstpointer k2)
922 {
923 	const enc_key_t *key1 = (const enc_key_t *)k1;
924 	const enc_key_t *key2 = (const enc_key_t *)k2;
925 	int cmp;
926 
927 	if (key1->keytype != key2->keytype) {
928 		return FALSE;
929 	}
930 
931 	if (key1->keylength != key2->keylength) {
932 		return FALSE;
933 	}
934 
935 	cmp = memcmp(key1->keyvalue, key2->keyvalue, key1->keylength);
936 	if (cmp != 0) {
937 		return FALSE;
938 	}
939 
940 	return TRUE;
941 }
942 
943 static guint
944 enc_key_content_hash(gconstpointer k)
945 {
946 	const enc_key_t *key = (const enc_key_t *)k;
947 	guint ret = 0;
948 
949 	ret += wmem_strong_hash((const guint8 *)&key->keytype,
950 				sizeof(key->keytype));
951 	ret += wmem_strong_hash((const guint8 *)&key->keylength,
952 				sizeof(key->keylength));
953 	ret += wmem_strong_hash((const guint8 *)key->keyvalue,
954 				key->keylength);
955 
956 	return ret;
957 }
958 
959 static void
960 kerberos_key_map_insert(wmem_map_t *key_map, enc_key_t *new_key)
961 {
962 	enc_key_t *existing = NULL;
963 	enc_key_t *cur = NULL;
964 	gint cmp;
965 
966 	existing = (enc_key_t *)wmem_map_lookup(key_map, new_key);
967 	if (existing == NULL) {
968 		wmem_map_insert(key_map, new_key, new_key);
969 		return;
970 	}
971 
972 	if (key_map != kerberos_all_keys) {
973 		/*
974 		 * It should already be linked to the existing key...
975 		 */
976 		return;
977 	}
978 
979 	if (existing->fd_num == -1 && new_key->fd_num != -1) {
980 		/*
981 		 * We can't reference a learnt key
982 		 * from a longterm key. As they have
983 		 * a shorter lifetime.
984 		 *
985 		 * So just let the learnt key remember the
986 		 * match.
987 		 */
988 		new_key->same_list = existing;
989 		new_key->num_same = existing->num_same + 1;
990 		return;
991 	}
992 
993 	/*
994 	 * If a key with the same content (keytype,keylength,keyvalue)
995 	 * already exists, we want the earliest key to be
996 	 * in the list.
997 	 */
998 	cmp = enc_key_cmp_id(new_key, existing);
999 	if (cmp == 0) {
1000 		/*
1001 		 * It's the same, nothing to do...
1002 		 */
1003 		return;
1004 	}
1005 	if (cmp < 0) {
1006 		/* The new key has should be added to the list. */
1007 		new_key->same_list = existing;
1008 		new_key->num_same = existing->num_same + 1;
1009 		wmem_map_insert(key_map, new_key, new_key);
1010 		return;
1011 	}
1012 
1013 	/*
1014 	 * We want to link the new_key to the existing one.
1015 	 *
1016 	 * But we want keep the list sorted, so we need to forward
1017 	 * to the correct spot.
1018 	 */
1019 	for (cur = existing; cur->same_list != NULL; cur = cur->same_list) {
1020 		cmp = enc_key_cmp_id(new_key, cur->same_list);
1021 		if (cmp == 0) {
1022 			/*
1023 			 * It's the same, nothing to do...
1024 			 */
1025 			return;
1026 		}
1027 
1028 		if (cmp < 0) {
1029 			/*
1030 			 * We found the correct spot,
1031 			 * the new_key should added
1032 			 * between existing and existing->same_list
1033 			 */
1034 			new_key->same_list = cur->same_list;
1035 			new_key->num_same = cur->num_same;
1036 			break;
1037 		}
1038 	}
1039 
1040 	/*
1041 	 * finally link new_key to existing
1042 	 * and fix up the numbers
1043 	 */
1044 	cur->same_list = new_key;
1045 	for (cur = existing; cur != new_key; cur = cur->same_list) {
1046 		cur->num_same += 1;
1047 	}
1048 
1049 	return;
1050 }
1051 
1052 struct insert_longterm_keys_into_key_map_state {
1053 	wmem_map_t *key_map;
1054 };
1055 
1056 static void insert_longterm_keys_into_key_map_cb(gpointer __key _U_,
1057 						 gpointer value,
1058 						 gpointer user_data)
1059 {
1060 	struct insert_longterm_keys_into_key_map_state *state =
1061 		(struct insert_longterm_keys_into_key_map_state *)user_data;
1062 	enc_key_t *key = (enc_key_t *)value;
1063 
1064 	kerberos_key_map_insert(state->key_map, key);
1065 }
1066 
1067 static void insert_longterm_keys_into_key_map(wmem_map_t *key_map)
1068 {
1069 	/*
1070 	 * Because the kerberos_longterm_keys are allocated on
1071 	 * wmem_epan_scope() and kerberos_all_keys are allocated
1072 	 * on wmem_file_scope(), we need to plug the longterm keys
1073 	 * back to kerberos_all_keys if a new file was loaded
1074 	 * and wmem_file_scope() got cleared.
1075 	 */
1076 	if (wmem_map_size(key_map) < wmem_map_size(kerberos_longterm_keys)) {
1077 		struct insert_longterm_keys_into_key_map_state state = {
1078 			.key_map = key_map,
1079 		};
1080 		/*
1081 		 * Reference all longterm keys into kerberos_all_keys
1082 		 */
1083 		wmem_map_foreach(kerberos_longterm_keys,
1084 				 insert_longterm_keys_into_key_map_cb,
1085 				 &state);
1086 	}
1087 }
1088 
1089 static void
1090 kerberos_key_list_append(wmem_list_t *key_list, enc_key_t *new_key)
1091 {
1092 	enc_key_t *existing = NULL;
1093 
1094 	existing = (enc_key_t *)wmem_list_find(key_list, new_key);
1095 	if (existing != NULL) {
1096 		return;
1097 	}
1098 
1099 	wmem_list_append(key_list, new_key);
1100 }
1101 
1102 static void
1103 add_encryption_key(packet_info *pinfo,
1104 		   kerberos_private_data_t *private_data,
1105 		   proto_tree *key_tree,
1106 		   proto_item *key_hidden_item,
1107 		   tvbuff_t *key_tvb,
1108 		   int keytype, int keylength, const char *keyvalue,
1109 		   const char *origin,
1110 		   enc_key_t *src1, enc_key_t *src2)
1111 {
1112 	wmem_allocator_t *key_scope = NULL;
1113 	enc_key_t *new_key = NULL;
1114 	const char *methodl = "learnt";
1115 	const char *methodu = "Learnt";
1116 	proto_item *item = NULL;
1117 
1118 	private_data->last_added_key = NULL;
1119 
1120 	if (src1 != NULL && src2 != NULL) {
1121 		methodl = "derived";
1122 		methodu = "Derived";
1123 	}
1124 
1125 	if(pinfo->fd->visited){
1126 		/*
1127 		 * We already processed this,
1128 		 * we can use a shortterm scope
1129 		 */
1130 		key_scope = pinfo->pool;
1131 	} else {
1132 		/*
1133 		 * As long as we have enc_key_list, we need to
1134 		 * use wmem_epan_scope(), when that's gone
1135 		 * we can dynamically select the scope based on
1136 		 * how long we'll need the particular key.
1137 		 */
1138 		key_scope = wmem_epan_scope();
1139 	}
1140 
1141 	new_key = wmem_new0(key_scope, enc_key_t);
1142 	g_snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s %s in frame %u",
1143 		   methodl, origin, pinfo->num);
1144 	new_key->fd_num = pinfo->num;
1145 	new_key->id = ++private_data->learnt_key_ids;
1146 	g_snprintf(new_key->id_str, KRB_MAX_ID_STR_LEN, "%d.%u",
1147 		   new_key->fd_num, new_key->id);
1148 	new_key->keytype=keytype;
1149 	new_key->keylength=keylength;
1150 	memcpy(new_key->keyvalue, keyvalue, MIN(keylength, KRB_MAX_KEY_LENGTH));
1151 	new_key->src1 = src1;
1152 	new_key->src2 = src2;
1153 
1154 	if(!pinfo->fd->visited){
1155 		/*
1156 		 * Only keep it if we don't processed it before.
1157 		 */
1158 		new_key->next=enc_key_list;
1159 		enc_key_list=new_key;
1160 		insert_longterm_keys_into_key_map(kerberos_all_keys);
1161 		kerberos_key_map_insert(kerberos_all_keys, new_key);
1162 	}
1163 
1164 	item = proto_tree_add_expert_format(key_tree, pinfo, &ei_kerberos_learnt_keytype,
1165 			key_tvb, 0, keylength,
1166 			"%s %s keytype %d (id=%d.%u) (%02x%02x%02x%02x...)",
1167 			methodu, origin, keytype, pinfo->num, new_key->id,
1168 			keyvalue[0] & 0xFF, keyvalue[1] & 0xFF,
1169 			keyvalue[2] & 0xFF, keyvalue[3] & 0xFF);
1170 	if (item != NULL && key_hidden_item != NULL) {
1171 		proto_tree_move_item(key_tree, key_hidden_item, item);
1172 	}
1173 	if (src1 != NULL) {
1174 		enc_key_t *sek = src1;
1175 		expert_add_info_format(pinfo, item, &ei_kerberos_learnt_keytype,
1176 				       "SRC1 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
1177 				       sek->key_origin, sek->keytype,
1178 				       sek->id_str, sek->num_same,
1179 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
1180 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
1181 	}
1182 	if (src2 != NULL) {
1183 		enc_key_t *sek = src2;
1184 		expert_add_info_format(pinfo, item, &ei_kerberos_learnt_keytype,
1185 				       "SRC2 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
1186 				       sek->key_origin, sek->keytype,
1187 				       sek->id_str, sek->num_same,
1188 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
1189 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
1190 	}
1191 
1192 	kerberos_key_list_append(private_data->learnt_keys, new_key);
1193 	private_data->last_added_key = new_key;
1194 }
1195 
1196 static void
1197 save_encryption_key(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
1198 		    asn1_ctx_t *actx _U_, proto_tree *tree _U_,
1199 		    int parent_hf_index _U_,
1200 		    int hf_index _U_)
1201 {
1202 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1203 	const char *parent = proto_registrar_get_name(parent_hf_index);
1204 	const char *element = proto_registrar_get_name(hf_index);
1205 	char origin[KRB_MAX_ORIG_LEN] = { 0, };
1206 
1207 	g_snprintf(origin, KRB_MAX_ORIG_LEN, "%s_%s", parent, element);
1208 
1209 	add_encryption_key(actx->pinfo,
1210 			   private_data,
1211 			   private_data->key_tree,
1212 			   private_data->key_hidden_item,
1213 			   private_data->key_tvb,
1214 			   private_data->key.keytype,
1215 			   private_data->key.keylength,
1216 			   private_data->key.keyvalue,
1217 			   origin,
1218 			   NULL,
1219 			   NULL);
1220 }
1221 
1222 static void
1223 save_Authenticator_subkey(tvbuff_t *tvb, int offset, int length,
1224 			  asn1_ctx_t *actx, proto_tree *tree,
1225 			  int parent_hf_index,
1226 			  int hf_index)
1227 {
1228 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1229 
1230 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
1231 
1232 	if (private_data->last_decryption_key == NULL) {
1233 		return;
1234 	}
1235 	if (private_data->last_added_key == NULL) {
1236 		return;
1237 	}
1238 
1239 	if (private_data->within_PA_TGS_REQ != 0) {
1240 		private_data->PA_TGS_REQ_key = private_data->last_decryption_key;
1241 		private_data->PA_TGS_REQ_subkey = private_data->last_added_key;
1242 	}
1243 	if (private_data->fast_armor_within_armor_value != 0) {
1244 		private_data->PA_FAST_ARMOR_AP_key = private_data->last_decryption_key;
1245 		private_data->PA_FAST_ARMOR_AP_subkey = private_data->last_added_key;
1246 	}
1247 }
1248 
1249 static void
1250 save_EncAPRepPart_subkey(tvbuff_t *tvb, int offset, int length,
1251 			 asn1_ctx_t *actx, proto_tree *tree,
1252 			 int parent_hf_index,
1253 			 int hf_index)
1254 {
1255 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1256 
1257 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
1258 
1259 	if (actx->pinfo->fd->visited) {
1260 		return;
1261 	}
1262 
1263 	if (private_data->last_added_key == NULL) {
1264 		return;
1265 	}
1266 
1267 	kerberos_key_map_insert(kerberos_app_session_keys, private_data->last_added_key);
1268 }
1269 
1270 static void
1271 save_EncKDCRepPart_key(tvbuff_t *tvb, int offset, int length,
1272 		       asn1_ctx_t *actx, proto_tree *tree,
1273 		       int parent_hf_index,
1274 		       int hf_index)
1275 {
1276 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
1277 }
1278 
1279 static void
1280 save_EncTicketPart_key(tvbuff_t *tvb, int offset, int length,
1281 		       asn1_ctx_t *actx, proto_tree *tree,
1282 		       int parent_hf_index,
1283 		       int hf_index)
1284 {
1285 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
1286 }
1287 
1288 static void
1289 save_KrbCredInfo_key(tvbuff_t *tvb, int offset, int length,
1290 		     asn1_ctx_t *actx, proto_tree *tree,
1291 		     int parent_hf_index,
1292 		     int hf_index)
1293 {
1294 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
1295 }
1296 
1297 static void
1298 save_KrbFastResponse_strengthen_key(tvbuff_t *tvb, int offset, int length,
1299 				    asn1_ctx_t *actx, proto_tree *tree,
1300 				    int parent_hf_index,
1301 				    int hf_index)
1302 {
1303 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1304 
1305 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
1306 
1307 	private_data->fast_strengthen_key = private_data->last_added_key;
1308 }
1309 
1310 static void used_encryption_key(proto_tree *tree, packet_info *pinfo,
1311 				kerberos_private_data_t *private_data,
1312 				enc_key_t *ek, int usage, tvbuff_t *cryptotvb,
1313 				const char *keymap_name,
1314 				guint keymap_size,
1315 				guint decryption_count)
1316 {
1317 	proto_item *item = NULL;
1318 	enc_key_t *sek = NULL;
1319 
1320 	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
1321 				     cryptotvb, 0, 0,
1322 				     "Decrypted keytype %d usage %d "
1323 				     "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
1324 				     ek->keytype, usage, ek->key_origin, ek->id_str, ek->num_same,
1325 				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
1326 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
1327 	expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
1328 			       "Used keymap=%s num_keys=%u num_tries=%u)",
1329 			       keymap_name,
1330 			       keymap_size,
1331 			       decryption_count);
1332 	if (ek->src1 != NULL) {
1333 		sek = ek->src1;
1334 		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
1335 				       "SRC1 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
1336 				       sek->key_origin, sek->keytype,
1337 				       sek->id_str, sek->num_same,
1338 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
1339 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
1340 	}
1341 	if (ek->src2 != NULL) {
1342 		sek = ek->src2;
1343 		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
1344 				       "SRC2 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
1345 				       sek->key_origin, sek->keytype,
1346 				       sek->id_str, sek->num_same,
1347 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
1348 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
1349 	}
1350 	sek = ek->same_list;
1351 	while (sek != NULL) {
1352 		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
1353 				       "Decrypted keytype %d usage %d "
1354 				       "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
1355 				       sek->keytype, usage, sek->key_origin, sek->id_str, sek->num_same,
1356 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
1357 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
1358 		sek = sek->same_list;
1359 	}
1360 	kerberos_key_list_append(private_data->decryption_keys, ek);
1361 	private_data->last_decryption_key = ek;
1362 }
1363 #endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
1364 
1365 #ifdef HAVE_MIT_KERBEROS
1366 
1367 static void missing_encryption_key(proto_tree *tree, packet_info *pinfo,
1368 				   kerberos_private_data_t *private_data,
1369 				   int keytype, int usage, tvbuff_t *cryptotvb,
1370 				   const char *keymap_name,
1371 				   guint keymap_size,
1372 				   guint decryption_count)
1373 {
1374 	proto_item *item = NULL;
1375 	enc_key_t *mek = NULL;
1376 
1377 	mek = wmem_new0(pinfo->pool, enc_key_t);
1378 	g_snprintf(mek->key_origin, KRB_MAX_ORIG_LEN,
1379 		   "keytype %d usage %d missing in frame %u",
1380 		   keytype, usage, pinfo->num);
1381 	mek->fd_num = pinfo->num;
1382 	mek->id = ++private_data->missing_key_ids;
1383 	g_snprintf(mek->id_str, KRB_MAX_ID_STR_LEN, "missing.%u",
1384 		   mek->id);
1385 	mek->keytype=keytype;
1386 
1387 	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_missing_keytype,
1388 					    cryptotvb, 0, 0,
1389 					    "Missing keytype %d usage %d (id=%s)",
1390 					    keytype, usage, mek->id_str);
1391 	expert_add_info_format(pinfo, item, &ei_kerberos_missing_keytype,
1392 			       "Used keymap=%s num_keys=%u num_tries=%u)",
1393 			       keymap_name,
1394 			       keymap_size,
1395 			       decryption_count);
1396 
1397 	kerberos_key_list_append(private_data->missing_keys, mek);
1398 }
1399 
1400 #ifdef HAVE_KRB5_PAC_VERIFY
1401 static void used_signing_key(proto_tree *tree, packet_info *pinfo,
1402 			     kerberos_private_data_t *private_data,
1403 			     enc_key_t *ek, tvbuff_t *tvb,
1404 			     krb5_cksumtype checksum,
1405 			     const char *reason,
1406 			     const char *keymap_name,
1407 			     guint keymap_size,
1408 			     guint verify_count)
1409 {
1410 	proto_item *item = NULL;
1411 	enc_key_t *sek = NULL;
1412 
1413 	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
1414 				     tvb, 0, 0,
1415 				     "%s checksum %d keytype %d "
1416 				     "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
1417 				     reason, checksum, ek->keytype, ek->key_origin,
1418 				     ek->id_str, ek->num_same,
1419 				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
1420 				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
1421 	expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
1422 			       "Used keymap=%s num_keys=%u num_tries=%u)",
1423 			       keymap_name,
1424 			       keymap_size,
1425 			       verify_count);
1426 	sek = ek->same_list;
1427 	while (sek != NULL) {
1428 		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
1429 				       "%s checksum %d keytype %d "
1430 				       "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
1431 				       reason, checksum, sek->keytype, sek->key_origin,
1432 				       sek->id_str, sek->num_same,
1433 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
1434 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
1435 		sek = sek->same_list;
1436 	}
1437 	kerberos_key_list_append(private_data->decryption_keys, ek);
1438 }
1439 
1440 static void missing_signing_key(proto_tree *tree, packet_info *pinfo,
1441 				kerberos_private_data_t *private_data,
1442 				tvbuff_t *tvb,
1443 				krb5_cksumtype checksum,
1444 				int keytype,
1445 				const char *reason,
1446 				const char *keymap_name,
1447 				guint keymap_size,
1448 				guint verify_count)
1449 {
1450 	proto_item *item = NULL;
1451 	enc_key_t *mek = NULL;
1452 
1453 	mek = wmem_new0(pinfo->pool, enc_key_t);
1454 	g_snprintf(mek->key_origin, KRB_MAX_ORIG_LEN,
1455 		   "checksum %d keytype %d missing in frame %u",
1456 		   checksum, keytype, pinfo->num);
1457 	mek->fd_num = pinfo->num;
1458 	mek->id = ++private_data->missing_key_ids;
1459 	g_snprintf(mek->id_str, KRB_MAX_ID_STR_LEN, "missing.%u",
1460 		   mek->id);
1461 	mek->keytype=keytype;
1462 
1463 	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_missing_keytype,
1464 					    tvb, 0, 0,
1465 					    "%s checksum %d keytype %d (id=%s)",
1466 					    reason, checksum, keytype, mek->id_str);
1467 	expert_add_info_format(pinfo, item, &ei_kerberos_missing_keytype,
1468 			       "Used keymap=%s num_keys=%u num_tries=%u)",
1469 			       keymap_name,
1470 			       keymap_size,
1471 			       verify_count);
1472 
1473 	kerberos_key_list_append(private_data->missing_keys, mek);
1474 }
1475 
1476 #endif /* HAVE_KRB5_PAC_VERIFY */
1477 
1478 static krb5_context krb5_ctx;
1479 
1480 #ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
1481 static void
1482 krb5_fast_key(asn1_ctx_t *actx, proto_tree *tree, tvbuff_t *tvb,
1483 	      enc_key_t *ek1 _U_, const char *p1 _U_,
1484 	      enc_key_t *ek2 _U_, const char *p2 _U_,
1485 	      const char *origin _U_)
1486 {
1487 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
1488 	krb5_error_code ret;
1489 	krb5_keyblock k1;
1490 	krb5_keyblock k2;
1491 	krb5_keyblock *k = NULL;
1492 
1493 	if (!krb_decrypt) {
1494 		return;
1495 	}
1496 
1497 	if (ek1 == NULL) {
1498 		return;
1499 	}
1500 
1501 	if (ek2 == NULL) {
1502 		return;
1503 	}
1504 
1505 	k1.magic = KV5M_KEYBLOCK;
1506 	k1.enctype = ek1->keytype;
1507 	k1.length = ek1->keylength;
1508 	k1.contents = (guint8 *)ek1->keyvalue;
1509 
1510 	k2.magic = KV5M_KEYBLOCK;
1511 	k2.enctype = ek2->keytype;
1512 	k2.length = ek2->keylength;
1513 	k2.contents = (guint8 *)ek2->keyvalue;
1514 
1515 	ret = krb5_c_fx_cf2_simple(krb5_ctx, &k1, p1, &k2, p2, &k);
1516 	if (ret != 0) {
1517 		return;
1518 	}
1519 
1520 	add_encryption_key(actx->pinfo,
1521 			   private_data,
1522 			   tree, NULL, tvb,
1523 			   k->enctype, k->length,
1524 			   (const char *)k->contents,
1525 			   origin,
1526 			   ek1, ek2);
1527 
1528 	krb5_free_keyblock(krb5_ctx, k);
1529 }
1530 #else /* HAVE_KRB5_C_FX_CF2_SIMPLE */
1531 static void
1532 krb5_fast_key(asn1_ctx_t *actx _U_, proto_tree *tree _U_, tvbuff_t *tvb _U_,
1533 	      enc_key_t *ek1 _U_, const char *p1 _U_,
1534 	      enc_key_t *ek2 _U_, const char *p2 _U_,
1535 	      const char *origin _U_)
1536 {
1537 }
1538 #endif /* HAVE_KRB5_C_FX_CF2_SIMPLE */
1539 
1540 USES_APPLE_DEPRECATED_API
1541 void
1542 read_keytab_file(const char *filename)
1543 {
1544 	krb5_keytab keytab;
1545 	krb5_error_code ret;
1546 	krb5_keytab_entry key;
1547 	krb5_kt_cursor cursor;
1548 	static gboolean first_time=TRUE;
1549 
1550 	if (filename == NULL || filename[0] == 0) {
1551 		return;
1552 	}
1553 
1554 	if(first_time){
1555 		first_time=FALSE;
1556 		ret = krb5_init_context(&krb5_ctx);
1557 		if(ret && ret != KRB5_CONFIG_CANTOPEN){
1558 			return;
1559 		}
1560 	}
1561 
1562 	/* should use a file in the wireshark users dir */
1563 	ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
1564 	if(ret){
1565 		fprintf(stderr, "KERBEROS ERROR: Badly formatted keytab filename :%s\n",filename);
1566 
1567 		return;
1568 	}
1569 
1570 	ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
1571 	if(ret){
1572 		fprintf(stderr, "KERBEROS ERROR: Could not open or could not read from keytab file :%s\n",filename);
1573 		return;
1574 	}
1575 
1576 	do{
1577 		ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
1578 		if(ret==0){
1579 			enc_key_t *new_key;
1580 			int i;
1581 			char *pos;
1582 
1583 			new_key = wmem_new0(wmem_epan_scope(), enc_key_t);
1584 			new_key->fd_num = -1;
1585 			new_key->id = ++kerberos_longterm_ids;
1586 			g_snprintf(new_key->id_str, KRB_MAX_ID_STR_LEN, "keytab.%u", new_key->id);
1587 			new_key->next = enc_key_list;
1588 
1589 			/* generate origin string, describing where this key came from */
1590 			pos=new_key->key_origin;
1591 			pos+=MIN(KRB_MAX_ORIG_LEN,
1592 					 g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
1593 			for(i=0;i<key.principal->length;i++){
1594 				pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
1595 						 g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "%s%s",(i?"/":""),(key.principal->data[i]).data));
1596 			}
1597 			pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
1598 					 g_snprintf(pos, (gulong)(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin)), "@%s",key.principal->realm.data));
1599 			*pos=0;
1600 			new_key->keytype=key.key.enctype;
1601 			new_key->keylength=key.key.length;
1602 			memcpy(new_key->keyvalue,
1603 			       key.key.contents,
1604 			       MIN(key.key.length, KRB_MAX_KEY_LENGTH));
1605 
1606 			enc_key_list=new_key;
1607 			ret = krb5_free_keytab_entry_contents(krb5_ctx, &key);
1608 			if (ret) {
1609 				fprintf(stderr, "KERBEROS ERROR: Could not release the entry: %d", ret);
1610 				ret = 0; /* try to continue with the next entry */
1611 			}
1612 			kerberos_key_map_insert(kerberos_longterm_keys, new_key);
1613 		}
1614 	}while(ret==0);
1615 
1616 	ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
1617 	if(ret){
1618 		fprintf(stderr, "KERBEROS ERROR: Could not release the keytab cursor: %d", ret);
1619 	}
1620 	ret = krb5_kt_close(krb5_ctx, keytab);
1621 	if(ret){
1622 		fprintf(stderr, "KERBEROS ERROR: Could not close the key table handle: %d", ret);
1623 	}
1624 }
1625 
1626 struct decrypt_krb5_with_cb_state {
1627 	proto_tree *tree;
1628 	packet_info *pinfo;
1629 	kerberos_private_data_t *private_data;
1630 	int usage;
1631 	int keytype;
1632 	tvbuff_t *cryptotvb;
1633 	krb5_error_code (*decrypt_cb_fn)(
1634 		const krb5_keyblock *key,
1635 		int usage,
1636 		void *decrypt_cb_data);
1637 	void *decrypt_cb_data;
1638 	guint count;
1639 	enc_key_t *ek;
1640 };
1641 
1642 static void
1643 decrypt_krb5_with_cb_try_key(gpointer __key _U_, gpointer value, gpointer userdata)
1644 {
1645 	struct decrypt_krb5_with_cb_state *state =
1646 		(struct decrypt_krb5_with_cb_state *)userdata;
1647 	enc_key_t *ek = (enc_key_t *)value;
1648 	krb5_error_code ret;
1649 	krb5_keytab_entry key;
1650 #ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
1651 	enc_key_t *ak = state->private_data->fast_armor_key;
1652 	enc_key_t *sk = state->private_data->fast_strengthen_key;
1653 	gboolean try_with_armor_key = FALSE;
1654 	gboolean try_with_strengthen_key = FALSE;
1655 #endif
1656 
1657 	if (state->ek != NULL) {
1658 		/*
1659 		 * we're done.
1660 		 */
1661 		return;
1662 	}
1663 
1664 #ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
1665 	if (ak != NULL && ak != ek && ak->keytype == state->keytype && ek->fd_num == -1) {
1666 		switch (state->usage) {
1667 		case KEY_USAGE_ENC_CHALLENGE_CLIENT:
1668 		case KEY_USAGE_ENC_CHALLENGE_KDC:
1669 			if (ek->fd_num == -1) {
1670 				/* Challenges are based on a long term key */
1671 				try_with_armor_key = TRUE;
1672 			}
1673 			break;
1674 		}
1675 
1676 		/*
1677 		 * If we already have a strengthen_key
1678 		 * we don't need to try with the armor key
1679 		 * again
1680 		 */
1681 		if (sk != NULL) {
1682 			try_with_armor_key = FALSE;
1683 		}
1684 	}
1685 
1686 	if (sk != NULL && sk != ek && sk->keytype == state->keytype && sk->keytype == ek->keytype) {
1687 		switch (state->usage) {
1688 		case 3:
1689 			if (ek->fd_num == -1) {
1690 				/* AS-REP is based on a long term key */
1691 				try_with_strengthen_key = TRUE;
1692 			}
1693 			break;
1694 		case 8:
1695 		case 9:
1696 			if (ek->fd_num != -1) {
1697 				/* TGS-REP is not based on a long term key */
1698 				try_with_strengthen_key = TRUE;
1699 			}
1700 			break;
1701 		}
1702 	}
1703 
1704 	if (try_with_armor_key) {
1705 		krb5_keyblock k1;
1706 		krb5_keyblock k2;
1707 		krb5_keyblock *k = NULL;
1708 		const char *p1 = NULL;
1709 
1710 		k1.magic = KV5M_KEYBLOCK;
1711 		k1.enctype = ak->keytype;
1712 		k1.length = ak->keylength;
1713 		k1.contents = (guint8 *)ak->keyvalue;
1714 
1715 		k2.magic = KV5M_KEYBLOCK;
1716 		k2.enctype = ek->keytype;
1717 		k2.length = ek->keylength;
1718 		k2.contents = (guint8 *)ek->keyvalue;
1719 
1720 		switch (state->usage) {
1721 		case KEY_USAGE_ENC_CHALLENGE_CLIENT:
1722 			p1 = "clientchallengearmor";
1723 			break;
1724 		case KEY_USAGE_ENC_CHALLENGE_KDC:
1725 			p1 = "kdcchallengearmor";
1726 			break;
1727 		default:
1728 			/*
1729 			 * Should never be called!
1730 			 */
1731 			/*
1732 			 * try the next one...
1733 			 */
1734 			return;
1735 		}
1736 
1737 		ret = krb5_c_fx_cf2_simple(krb5_ctx,
1738 					   &k1, p1,
1739 					   &k2, "challengelongterm",
1740 					   &k);
1741 		if (ret != 0) {
1742 			/*
1743 			 * try the next one...
1744 			 */
1745 			return;
1746 		}
1747 
1748 		state->count += 1;
1749 		ret = state->decrypt_cb_fn(k,
1750 					   state->usage,
1751 					   state->decrypt_cb_data);
1752 		if (ret == 0) {
1753 			add_encryption_key(state->pinfo,
1754 					   state->private_data,
1755 					   state->tree,
1756 					   NULL,
1757 					   state->cryptotvb,
1758 					   k->enctype, k->length,
1759 					   (const char *)k->contents,
1760 					   p1,
1761 					   ak, ek);
1762 			krb5_free_keyblock(krb5_ctx, k);
1763 			/*
1764 			 * remember the key and stop traversing
1765 			 */
1766 			state->ek = state->private_data->last_added_key;
1767 			return;
1768 		}
1769 		krb5_free_keyblock(krb5_ctx, k);
1770 		/*
1771 		 * don't stop traversing...
1772 		 * try the next one...
1773 		 */
1774 		return;
1775 	}
1776 
1777 	if (try_with_strengthen_key) {
1778 		krb5_keyblock k1;
1779 		krb5_keyblock k2;
1780 		krb5_keyblock *k = NULL;
1781 
1782 		k1.magic = KV5M_KEYBLOCK;
1783 		k1.enctype = sk->keytype;
1784 		k1.length = sk->keylength;
1785 		k1.contents = (guint8 *)sk->keyvalue;
1786 
1787 		k2.magic = KV5M_KEYBLOCK;
1788 		k2.enctype = ek->keytype;
1789 		k2.length = ek->keylength;
1790 		k2.contents = (guint8 *)ek->keyvalue;
1791 
1792 		ret = krb5_c_fx_cf2_simple(krb5_ctx,
1793 					   &k1, "strengthenkey",
1794 					   &k2, "replykey",
1795 					   &k);
1796 		if (ret != 0) {
1797 			/*
1798 			 * try the next one...
1799 			 */
1800 			return;
1801 		}
1802 
1803 		state->count += 1;
1804 		ret = state->decrypt_cb_fn(k,
1805 					   state->usage,
1806 					   state->decrypt_cb_data);
1807 		if (ret == 0) {
1808 			add_encryption_key(state->pinfo,
1809 					   state->private_data,
1810 					   state->tree,
1811 					   NULL,
1812 					   state->cryptotvb,
1813 					   k->enctype, k->length,
1814 					   (const char *)k->contents,
1815 					    "strengthen-reply-key",
1816 					   sk, ek);
1817 			krb5_free_keyblock(krb5_ctx, k);
1818 			/*
1819 			 * remember the key and stop traversing
1820 			 */
1821 			state->ek = state->private_data->last_added_key;
1822 			return;
1823 		}
1824 		krb5_free_keyblock(krb5_ctx, k);
1825 		/*
1826 		 * don't stop traversing...
1827 		 * try the next one...
1828 		 */
1829 		return;
1830 	}
1831 #endif /* HAVE_KRB5_C_FX_CF2_SIMPLE */
1832 
1833 	/* shortcircuit and bail out if enctypes are not matching */
1834 	if ((state->keytype != -1) && (ek->keytype != state->keytype)) {
1835 		/*
1836 		 * don't stop traversing...
1837 		 * try the next one...
1838 		 */
1839 		return;
1840 	}
1841 
1842 	key.key.enctype=ek->keytype;
1843 	key.key.length=ek->keylength;
1844 	key.key.contents=ek->keyvalue;
1845 	state->count += 1;
1846 	ret = state->decrypt_cb_fn(&(key.key),
1847 				   state->usage,
1848 				   state->decrypt_cb_data);
1849 	if (ret != 0) {
1850 		/*
1851 		 * don't stop traversing...
1852 		 * try the next one...
1853 		 */
1854 		return;
1855 	}
1856 
1857 	/*
1858 	 * we're done, remember the key
1859 	 */
1860 	state->ek = ek;
1861 }
1862 
1863 static krb5_error_code
1864 decrypt_krb5_with_cb(proto_tree *tree,
1865 		     packet_info *pinfo,
1866 		     kerberos_private_data_t *private_data,
1867 		     int usage,
1868 		     int keytype,
1869 		     tvbuff_t *cryptotvb,
1870 		     krb5_error_code (*decrypt_cb_fn)(
1871 			const krb5_keyblock *key,
1872 			int usage,
1873 			void *decrypt_cb_data),
1874 		     void *decrypt_cb_data)
1875 {
1876 	const char *key_map_name = NULL;
1877 	wmem_map_t *key_map = NULL;
1878 	struct decrypt_krb5_with_cb_state state = {
1879 		.tree = tree,
1880 		.pinfo = pinfo,
1881 		.private_data = private_data,
1882 		.usage = usage,
1883 		.cryptotvb = cryptotvb,
1884 		.keytype = keytype,
1885 		.decrypt_cb_fn = decrypt_cb_fn,
1886 		.decrypt_cb_data = decrypt_cb_data,
1887 	};
1888 
1889 	read_keytab_file_from_preferences();
1890 
1891 	switch (usage) {
1892 	case KRB5_KU_USAGE_INITIATOR_SEAL:
1893 	case KRB5_KU_USAGE_ACCEPTOR_SEAL:
1894 		key_map_name = "app_session_keys";
1895 		key_map = kerberos_app_session_keys;
1896 		break;
1897 	default:
1898 		key_map_name = "all_keys";
1899 		key_map = kerberos_all_keys;
1900 		insert_longterm_keys_into_key_map(key_map);
1901 		break;
1902 	}
1903 
1904 	wmem_map_foreach(key_map, decrypt_krb5_with_cb_try_key, &state);
1905 	if (state.ek != NULL) {
1906 		used_encryption_key(tree, pinfo, private_data,
1907 				    state.ek, usage, cryptotvb,
1908 				    key_map_name,
1909 				    wmem_map_size(key_map),
1910 				    state.count);
1911 		return 0;
1912 	}
1913 
1914 	missing_encryption_key(tree, pinfo, private_data,
1915 			       keytype, usage, cryptotvb,
1916 			       key_map_name,
1917 			       wmem_map_size(key_map),
1918 			       state.count);
1919 	return -1;
1920 }
1921 
1922 struct decrypt_krb5_data_state {
1923 	krb5_data input;
1924 	krb5_data output;
1925 };
1926 
1927 static krb5_error_code
1928 decrypt_krb5_data_cb(const krb5_keyblock *key,
1929 		     int usage,
1930 		     void *decrypt_cb_data)
1931 {
1932 	struct decrypt_krb5_data_state *state =
1933 		(struct decrypt_krb5_data_state *)decrypt_cb_data;
1934 	krb5_enc_data input;
1935 
1936 	memset(&input, 0, sizeof(input));
1937 	input.enctype = key->enctype;
1938 	input.ciphertext = state->input;
1939 
1940 	return krb5_c_decrypt(krb5_ctx,
1941 			      key,
1942 			      usage,
1943 			      0,
1944 			      &input,
1945 			      &state->output);
1946 }
1947 
1948 static guint8 *
1949 decrypt_krb5_data_private(proto_tree *tree _U_, packet_info *pinfo,
1950 			  kerberos_private_data_t *private_data,
1951 			  int usage, tvbuff_t *cryptotvb, int keytype,
1952 			  int *datalen)
1953 {
1954 #define HAVE_DECRYPT_KRB5_DATA_PRIVATE 1
1955 	struct decrypt_krb5_data_state state;
1956 	krb5_error_code ret;
1957 	int length = tvb_captured_length(cryptotvb);
1958 	const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
1959 
1960 	/* don't do anything if we are not attempting to decrypt data */
1961 	if(!krb_decrypt || length < 1){
1962 		return NULL;
1963 	}
1964 
1965 	/* make sure we have all the data we need */
1966 	if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
1967 		return NULL;
1968 	}
1969 
1970 	memset(&state, 0, sizeof(state));
1971 	state.input.length = length;
1972 	state.input.data = (guint8 *)cryptotext;
1973 	state.output.data = (char *)wmem_alloc(pinfo->pool, length);
1974 	state.output.length = length;
1975 
1976 	ret = decrypt_krb5_with_cb(tree,
1977 				   pinfo,
1978 				   private_data,
1979 				   usage,
1980 				   keytype,
1981 				   cryptotvb,
1982 				   decrypt_krb5_data_cb,
1983 				   &state);
1984 	if (ret != 0) {
1985 		return NULL;
1986 	}
1987 
1988 	if (datalen) {
1989 		*datalen = state.output.length;
1990 	}
1991 	return (guint8 *)state.output.data;
1992 }
1993 
1994 guint8 *
1995 decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
1996 					int usage,
1997 					tvbuff_t *cryptotvb,
1998 					int keytype,
1999 					int *datalen)
2000 {
2001 	kerberos_private_data_t *zero_private = kerberos_new_private_data(pinfo);
2002 	return decrypt_krb5_data_private(tree, pinfo, zero_private,
2003 					 usage, cryptotvb, keytype,
2004 					 datalen);
2005 }
2006 
2007 USES_APPLE_RST
2008 
2009 #ifdef KRB5_CRYPTO_TYPE_SIGN_ONLY
2010 struct decrypt_krb5_krb_cfx_dce_state {
2011 	const guint8 *gssapi_header_ptr;
2012 	guint gssapi_header_len;
2013 	tvbuff_t *gssapi_encrypted_tvb;
2014 	guint8 *gssapi_payload;
2015 	guint gssapi_payload_len;
2016 	const guint8 *gssapi_trailer_ptr;
2017 	guint gssapi_trailer_len;
2018 	tvbuff_t *checksum_tvb;
2019 	guint8 *checksum;
2020 	guint checksum_len;
2021 };
2022 
2023 static krb5_error_code
2024 decrypt_krb5_krb_cfx_dce_cb(const krb5_keyblock *key,
2025 			    int usage,
2026 			    void *decrypt_cb_data)
2027 {
2028 	struct decrypt_krb5_krb_cfx_dce_state *state =
2029 		(struct decrypt_krb5_krb_cfx_dce_state *)decrypt_cb_data;
2030 	unsigned int k5_headerlen = 0;
2031 	unsigned int k5_headerofs = 0;
2032 	unsigned int k5_trailerlen = 0;
2033 	unsigned int k5_trailerofs = 0;
2034 	size_t _k5_blocksize = 0;
2035 	guint k5_blocksize;
2036 	krb5_crypto_iov iov[6];
2037 	krb5_error_code ret;
2038 	guint checksum_remain = state->checksum_len;
2039 	guint checksum_crypt_len;
2040 
2041 	memset(iov, 0, sizeof(iov));
2042 
2043 	ret = krb5_c_crypto_length(krb5_ctx,
2044 				   key->enctype,
2045 				   KRB5_CRYPTO_TYPE_HEADER,
2046 				   &k5_headerlen);
2047 	if (ret != 0) {
2048 		return ret;
2049 	}
2050 	if (checksum_remain < k5_headerlen) {
2051 		return -1;
2052 	}
2053 	checksum_remain -= k5_headerlen;
2054 	k5_headerofs = checksum_remain;
2055 	ret = krb5_c_crypto_length(krb5_ctx,
2056 				   key->enctype,
2057 				   KRB5_CRYPTO_TYPE_TRAILER,
2058 				   &k5_trailerlen);
2059 	if (ret != 0) {
2060 		return ret;
2061 	}
2062 	if (checksum_remain < k5_trailerlen) {
2063 		return -1;
2064 	}
2065 	checksum_remain -= k5_trailerlen;
2066 	k5_trailerofs = checksum_remain;
2067 	checksum_crypt_len = checksum_remain;
2068 
2069 	ret = krb5_c_block_size(krb5_ctx,
2070 				key->enctype,
2071 				&_k5_blocksize);
2072 	if (ret != 0) {
2073 		return ret;
2074 	}
2075 	/*
2076 	 * The cast is required for the Windows build in order
2077 	 * to avoid the following warning.
2078 	 *
2079 	 * warning C4267: '-=': conversion from 'size_t' to 'guint',
2080 	 * possible loss of data
2081 	 */
2082 	k5_blocksize = (guint)_k5_blocksize;
2083 	if (checksum_remain < k5_blocksize) {
2084 		return -1;
2085 	}
2086 	checksum_remain -= k5_blocksize;
2087 	if (checksum_remain < 16) {
2088 		return -1;
2089 	}
2090 
2091 	tvb_memcpy(state->gssapi_encrypted_tvb,
2092 		   state->gssapi_payload,
2093 		   0,
2094 		   state->gssapi_payload_len);
2095 	tvb_memcpy(state->checksum_tvb,
2096 		   state->checksum,
2097 		   0,
2098 		   state->checksum_len);
2099 
2100 	iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
2101 	iov[0].data.data = state->checksum + k5_headerofs;
2102 	iov[0].data.length = k5_headerlen;
2103 
2104 	if (state->gssapi_header_ptr != NULL) {
2105 		iov[1].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
2106 		iov[1].data.data = (guint8 *)(guintptr)state->gssapi_header_ptr;
2107 		iov[1].data.length = state->gssapi_header_len;
2108 	} else {
2109 		iov[1].flags = KRB5_CRYPTO_TYPE_EMPTY;
2110 	}
2111 
2112 	iov[2].flags = KRB5_CRYPTO_TYPE_DATA;
2113 	iov[2].data.data = state->gssapi_payload;
2114 	iov[2].data.length = state->gssapi_payload_len;
2115 
2116 	if (state->gssapi_trailer_ptr != NULL) {
2117 		iov[3].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
2118 		iov[3].data.data = (guint8 *)(guintptr)state->gssapi_trailer_ptr;
2119 		iov[3].data.length = state->gssapi_trailer_len;
2120 	} else {
2121 		iov[3].flags = KRB5_CRYPTO_TYPE_EMPTY;
2122 	}
2123 
2124 	iov[4].flags = KRB5_CRYPTO_TYPE_DATA;
2125 	iov[4].data.data = state->checksum;
2126 	iov[4].data.length = checksum_crypt_len;
2127 
2128 	iov[5].flags = KRB5_CRYPTO_TYPE_TRAILER;
2129 	iov[5].data.data = state->checksum + k5_trailerofs;
2130 	iov[5].data.length = k5_trailerlen;
2131 
2132 	return krb5_c_decrypt_iov(krb5_ctx,
2133 				  key,
2134 				  usage,
2135 				  0,
2136 				  iov,
2137 				  6);
2138 }
2139 
2140 tvbuff_t *
2141 decrypt_krb5_krb_cfx_dce(proto_tree *tree,
2142 			 packet_info *pinfo,
2143 			 int usage,
2144 			 int keytype,
2145 			 tvbuff_t *gssapi_header_tvb,
2146 			 tvbuff_t *gssapi_encrypted_tvb,
2147 			 tvbuff_t *gssapi_trailer_tvb,
2148 			 tvbuff_t *checksum_tvb)
2149 {
2150 	struct decrypt_krb5_krb_cfx_dce_state state;
2151 	kerberos_private_data_t *zero_private = kerberos_new_private_data(pinfo);
2152 	tvbuff_t *gssapi_decrypted_tvb = NULL;
2153 	krb5_error_code ret;
2154 
2155 	/* don't do anything if we are not attempting to decrypt data */
2156 	if (!krb_decrypt) {
2157 		return NULL;
2158 	}
2159 
2160 	memset(&state, 0, sizeof(state));
2161 
2162 	/* make sure we have all the data we need */
2163 #define __CHECK_TVB_LEN(__tvb) (tvb_captured_length(__tvb) < tvb_reported_length(__tvb))
2164 	if (gssapi_header_tvb != NULL) {
2165 		if (__CHECK_TVB_LEN(gssapi_header_tvb)) {
2166 			return NULL;
2167 		}
2168 
2169 		state.gssapi_header_len = tvb_captured_length(gssapi_header_tvb);
2170 		state.gssapi_header_ptr = tvb_get_ptr(gssapi_header_tvb,
2171 						       0,
2172 						       state.gssapi_header_len);
2173 	}
2174 	if (gssapi_encrypted_tvb == NULL || __CHECK_TVB_LEN(gssapi_encrypted_tvb)) {
2175 		return NULL;
2176 	}
2177 	state.gssapi_encrypted_tvb = gssapi_encrypted_tvb;
2178 	state.gssapi_payload_len = tvb_captured_length(gssapi_encrypted_tvb);
2179 	state.gssapi_payload = (guint8 *)wmem_alloc0(pinfo->pool, state.gssapi_payload_len);
2180 	if (state.gssapi_payload == NULL) {
2181 		return NULL;
2182 	}
2183 	if (gssapi_trailer_tvb != NULL) {
2184 		if (__CHECK_TVB_LEN(gssapi_trailer_tvb)) {
2185 			return NULL;
2186 		}
2187 
2188 		state.gssapi_trailer_len = tvb_captured_length(gssapi_trailer_tvb);
2189 		state.gssapi_trailer_ptr = tvb_get_ptr(gssapi_trailer_tvb,
2190 						       0,
2191 						       state.gssapi_trailer_len);
2192 	}
2193 	if (checksum_tvb == NULL || __CHECK_TVB_LEN(checksum_tvb)) {
2194 		return NULL;
2195 	}
2196 	state.checksum_tvb = checksum_tvb;
2197 	state.checksum_len = tvb_captured_length(checksum_tvb);
2198 	state.checksum = (guint8 *)wmem_alloc0(pinfo->pool, state.checksum_len);
2199 	if (state.checksum == NULL) {
2200 		return NULL;
2201 	}
2202 
2203 	ret = decrypt_krb5_with_cb(tree,
2204 				   pinfo,
2205 				   zero_private,
2206 				   usage,
2207 				   keytype,
2208 				   gssapi_encrypted_tvb,
2209 				   decrypt_krb5_krb_cfx_dce_cb,
2210 				   &state);
2211 	wmem_free(pinfo->pool, state.checksum);
2212 	if (ret != 0) {
2213 		wmem_free(pinfo->pool, state.gssapi_payload);
2214 		return NULL;
2215 	}
2216 
2217 	gssapi_decrypted_tvb = tvb_new_child_real_data(gssapi_encrypted_tvb,
2218 						       state.gssapi_payload,
2219 						       state.gssapi_payload_len,
2220 						       state.gssapi_payload_len);
2221 	if (gssapi_decrypted_tvb == NULL) {
2222 		wmem_free(pinfo->pool, state.gssapi_payload);
2223 		return NULL;
2224 	}
2225 
2226 	return gssapi_decrypted_tvb;
2227 }
2228 #else /* NOT KRB5_CRYPTO_TYPE_SIGN_ONLY */
2229 #define NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP 1
2230 #endif /* NOT KRB5_CRYPTO_TYPE_SIGN_ONLY */
2231 
2232 #ifdef HAVE_KRB5_PAC_VERIFY
2233 /*
2234  * macOS up to 10.14.5 only has a MIT shim layer on top
2235  * of heimdal. It means that krb5_pac_verify() is not available
2236  * in /usr/lib/libkrb5.dylib
2237  *
2238  * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz
2239  * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz
2240  */
2241 
2242 extern krb5_error_code
2243 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
2244 
2245 extern void krb5_free_enc_tkt_part(krb5_context, krb5_enc_tkt_part *);
2246 extern krb5_error_code
2247 decode_krb5_enc_tkt_part(const krb5_data *output, krb5_enc_tkt_part **rep);
2248 extern krb5_error_code
2249 encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code);
2250 
2251 static int
2252 keytype_for_cksumtype(krb5_cksumtype checksum)
2253 {
2254 #define _ARRAY_SIZE(X) (sizeof(X) / sizeof((X)[0]))
2255 	static const int keytypes[] = {
2256 		18,
2257 		17,
2258 		23,
2259 	};
2260 	guint i;
2261 
2262 	for (i = 0; i < _ARRAY_SIZE(keytypes); i++) {
2263 		krb5_cksumtype checksumtype = 0;
2264 		krb5_error_code ret;
2265 
2266 		ret = krb5int_c_mandatory_cksumtype(krb5_ctx,
2267 						    keytypes[i],
2268 						    &checksumtype);
2269 		if (ret != 0) {
2270 			continue;
2271 		}
2272 		if (checksum == checksumtype) {
2273 			return keytypes[i];
2274 		}
2275 	}
2276 
2277 	return -1;
2278 }
2279 
2280 struct verify_krb5_pac_state {
2281 	krb5_pac pac;
2282 	krb5_cksumtype server_checksum;
2283 	guint server_count;
2284 	enc_key_t *server_ek;
2285 	krb5_cksumtype kdc_checksum;
2286 	guint kdc_count;
2287 	enc_key_t *kdc_ek;
2288 	krb5_cksumtype ticket_checksum_type;
2289 	const krb5_data *ticket_checksum_data;
2290 };
2291 
2292 static void
2293 verify_krb5_pac_try_server_key(gpointer __key _U_, gpointer value, gpointer userdata)
2294 {
2295 	struct verify_krb5_pac_state *state =
2296 		(struct verify_krb5_pac_state *)userdata;
2297 	enc_key_t *ek = (enc_key_t *)value;
2298 	krb5_keyblock keyblock;
2299 	krb5_cksumtype checksumtype = 0;
2300 	krb5_error_code ret;
2301 
2302 	if (state->server_checksum == 0) {
2303 		/*
2304 		 * nothing more todo, stop traversing.
2305 		 */
2306 		return;
2307 	}
2308 
2309 	if (state->server_ek != NULL) {
2310 		/*
2311 		 * we're done.
2312 		 */
2313 		return;
2314 	}
2315 
2316 	ret = krb5int_c_mandatory_cksumtype(krb5_ctx, ek->keytype,
2317 					    &checksumtype);
2318 	if (ret != 0) {
2319 		/*
2320 		 * the key is not usable, keep traversing.
2321 		 * try the next key...
2322 		 */
2323 		return;
2324 	}
2325 
2326 	keyblock.magic = KV5M_KEYBLOCK;
2327 	keyblock.enctype = ek->keytype;
2328 	keyblock.length = ek->keylength;
2329 	keyblock.contents = (guint8 *)ek->keyvalue;
2330 
2331 	if (checksumtype == state->server_checksum) {
2332 		state->server_count += 1;
2333 		ret = krb5_pac_verify(krb5_ctx, state->pac, 0, NULL,
2334 				      &keyblock, NULL);
2335 		if (ret == 0) {
2336 			state->server_ek = ek;
2337 		}
2338 	}
2339 }
2340 
2341 static void
2342 verify_krb5_pac_try_kdc_key(gpointer __key _U_, gpointer value, gpointer userdata)
2343 {
2344 	struct verify_krb5_pac_state *state =
2345 		(struct verify_krb5_pac_state *)userdata;
2346 	enc_key_t *ek = (enc_key_t *)value;
2347 	krb5_keyblock keyblock;
2348 	krb5_cksumtype checksumtype = 0;
2349 	krb5_error_code ret;
2350 
2351 	if (state->kdc_checksum == 0) {
2352 		/*
2353 		 * nothing more todo, stop traversing.
2354 		 */
2355 		return;
2356 	}
2357 
2358 	if (state->kdc_ek != NULL) {
2359 		/*
2360 		 * we're done.
2361 		 */
2362 		return;
2363 	}
2364 
2365 	ret = krb5int_c_mandatory_cksumtype(krb5_ctx, ek->keytype,
2366 					    &checksumtype);
2367 	if (ret != 0) {
2368 		/*
2369 		 * the key is not usable, keep traversing.
2370 		 * try the next key...
2371 		 */
2372 		return;
2373 	}
2374 
2375 	keyblock.magic = KV5M_KEYBLOCK;
2376 	keyblock.enctype = ek->keytype;
2377 	keyblock.length = ek->keylength;
2378 	keyblock.contents = (guint8 *)ek->keyvalue;
2379 
2380 	if (checksumtype == state->kdc_checksum) {
2381 		state->kdc_count += 1;
2382 		ret = krb5_pac_verify(krb5_ctx, state->pac, 0, NULL,
2383 				      NULL, &keyblock);
2384 		if (ret == 0) {
2385 			state->kdc_ek = ek;
2386 		}
2387 	}
2388 }
2389 
2390 #define __KRB5_PAC_TICKET_CHECKSUM 16
2391 
2392 static void
2393 verify_krb5_pac_ticket_checksum(proto_tree *tree _U_,
2394 				asn1_ctx_t *actx _U_,
2395 				tvbuff_t *pactvb _U_,
2396 				struct verify_krb5_pac_state *state _U_)
2397 {
2398 #ifdef HAVE_DECODE_KRB5_ENC_TKT_PART
2399 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
2400 	tvbuff_t *teptvb = private_data->last_ticket_enc_part_tvb;
2401 	guint teplength = 0;
2402 	const guint8 *tepbuffer = NULL;
2403 	krb5_data tepdata = { .length = 0, };
2404 	krb5_enc_tkt_part *tep = NULL;
2405 	krb5_data *tmpdata = NULL;
2406 	krb5_error_code ret;
2407 	krb5_authdata **recoded_container = NULL;
2408 	gint ad_orig_idx = -1;
2409 	krb5_authdata *ad_orig_ptr = NULL;
2410 	gint l0idx = 0;
2411 	krb5_keyblock kdc_key = { .magic = KV5M_KEYBLOCK, };
2412 	size_t checksum_length = 0;
2413 	krb5_checksum checksum = { .checksum_type = 0, };
2414 	krb5_boolean valid = FALSE;
2415 
2416 	if (state->kdc_ek == NULL) {
2417 		int keytype = keytype_for_cksumtype(state->ticket_checksum_type);
2418 		missing_signing_key(tree, actx->pinfo, private_data,
2419 				    pactvb, state->ticket_checksum_type,
2420 				    keytype,
2421 				    "Missing KDC (for ticket)",
2422 				    "kdc_checksum_key",
2423 				    0,
2424 				    0);
2425 		return;
2426 	}
2427 
2428 	if (teptvb == NULL) {
2429 		return;
2430 	}
2431 
2432 	teplength = tvb_captured_length(teptvb);
2433 	/* make sure we have all the data we need */
2434 	if (teplength < tvb_reported_length(teptvb)) {
2435 		return;
2436 	}
2437 
2438 	tepbuffer = tvb_get_ptr(teptvb, 0, teplength);
2439 	if (tepbuffer == NULL) {
2440 		return;
2441 	}
2442 
2443 	kdc_key.magic = KV5M_KEYBLOCK;
2444 	kdc_key.enctype = state->kdc_ek->keytype;
2445 	kdc_key.length = state->kdc_ek->keylength;
2446 	kdc_key.contents = (guint8 *)state->kdc_ek->keyvalue;
2447 
2448 	checksum.checksum_type = state->ticket_checksum_type;
2449 	checksum.length = state->ticket_checksum_data->length;
2450 	checksum.contents = (guint8 *)state->ticket_checksum_data->data;
2451 	if (checksum.length >= 4) {
2452 		checksum.length -= 4;
2453 		checksum.contents += 4;
2454 	}
2455 
2456 	ret = krb5_c_checksum_length(krb5_ctx,
2457 				     checksum.checksum_type,
2458 				     &checksum_length);
2459 	if (ret != 0) {
2460 		missing_signing_key(tree, actx->pinfo, private_data,
2461 				    pactvb, state->ticket_checksum_type,
2462 				    state->kdc_ek->keytype,
2463 				    "krb5_c_checksum_length failed for Ticket Signature",
2464 				    "kdc_checksum_key",
2465 				    1,
2466 				    0);
2467 		return;
2468 	}
2469 	checksum.length = MIN(checksum.length, (unsigned int)checksum_length);
2470 
2471 	tepdata.data = (void *)(uintptr_t)tepbuffer;
2472 	tepdata.length = teplength;
2473 
2474 	ret = decode_krb5_enc_tkt_part(&tepdata, &tep);
2475 	if (ret != 0) {
2476 		missing_signing_key(tree, actx->pinfo, private_data,
2477 				    pactvb, state->ticket_checksum_type,
2478 				    state->kdc_ek->keytype,
2479 				    "decode_krb5_enc_tkt_part failed",
2480 				    "kdc_checksum_key",
2481 				    1,
2482 				    0);
2483 		return;
2484 	}
2485 
2486 	for (l0idx = 0; tep->authorization_data[l0idx]; l0idx++) {
2487 		krb5_authdata *adl0 = tep->authorization_data[l0idx];
2488 		krb5_authdata **decoded_container = NULL;
2489 		krb5_authdata *ad_pac = NULL;
2490 		gint l1idx = 0;
2491 
2492 		if (adl0->ad_type != KRB5_AUTHDATA_IF_RELEVANT) {
2493 			continue;
2494 		}
2495 
2496 		ret = krb5_decode_authdata_container(krb5_ctx,
2497 						     KRB5_AUTHDATA_IF_RELEVANT,
2498 						     adl0,
2499 						     &decoded_container);
2500 		if (ret != 0) {
2501 			missing_signing_key(tree, actx->pinfo, private_data,
2502 					    pactvb, state->ticket_checksum_type,
2503 					    state->kdc_ek->keytype,
2504 					    "krb5_decode_authdata_container failed",
2505 					    "kdc_checksum_key",
2506 					    1,
2507 					    0);
2508 			krb5_free_enc_tkt_part(krb5_ctx, tep);
2509 			return;
2510 		}
2511 
2512 		for (l1idx = 0; decoded_container[l1idx]; l1idx++) {
2513 			krb5_authdata *adl1 = decoded_container[l1idx];
2514 
2515 			if (adl1->ad_type != KRB5_AUTHDATA_WIN2K_PAC) {
2516 				continue;
2517 			}
2518 
2519 			ad_pac = adl1;
2520 			break;
2521 		}
2522 
2523 		if (ad_pac == NULL) {
2524 			krb5_free_authdata(krb5_ctx, decoded_container);
2525 			continue;
2526 		}
2527 
2528 		ad_pac->length = 1;
2529 		ad_pac->contents[0] = '\0';
2530 
2531 		ret = krb5_encode_authdata_container(krb5_ctx,
2532 						     KRB5_AUTHDATA_IF_RELEVANT,
2533 						     decoded_container,
2534 						     &recoded_container);
2535 		krb5_free_authdata(krb5_ctx, decoded_container);
2536 		decoded_container = NULL;
2537 		if (ret != 0) {
2538 			missing_signing_key(tree, actx->pinfo, private_data,
2539 					    pactvb, state->ticket_checksum_type,
2540 					    state->kdc_ek->keytype,
2541 					    "krb5_encode_authdata_container failed",
2542 					    "kdc_checksum_key",
2543 					    1,
2544 					    0);
2545 			krb5_free_enc_tkt_part(krb5_ctx, tep);
2546 			return;
2547 		}
2548 
2549 		ad_orig_idx = l0idx;
2550 		ad_orig_ptr = adl0;
2551 		tep->authorization_data[l0idx] = recoded_container[0];
2552 		break;
2553 	}
2554 
2555 	ret = encode_krb5_enc_tkt_part(tep, &tmpdata);
2556 	if (ad_orig_ptr != NULL) {
2557 		tep->authorization_data[ad_orig_idx] = ad_orig_ptr;
2558 	}
2559 	krb5_free_enc_tkt_part(krb5_ctx, tep);
2560 	tep = NULL;
2561 	if (recoded_container != NULL) {
2562 		krb5_free_authdata(krb5_ctx, recoded_container);
2563 		recoded_container = NULL;
2564 	}
2565 	if (ret != 0) {
2566 		missing_signing_key(tree, actx->pinfo, private_data,
2567 				    pactvb, state->ticket_checksum_type,
2568 				    state->kdc_ek->keytype,
2569 				    "encode_krb5_enc_tkt_part failed",
2570 				    "kdc_checksum_key",
2571 				    1,
2572 				    0);
2573 		return;
2574 	}
2575 
2576 	ret = krb5_c_verify_checksum(krb5_ctx, &kdc_key,
2577 				     KRB5_KEYUSAGE_APP_DATA_CKSUM,
2578 				     tmpdata, &checksum, &valid);
2579 	krb5_free_data(krb5_ctx, tmpdata);
2580 	tmpdata = NULL;
2581 	if (ret != 0) {
2582 		missing_signing_key(tree, actx->pinfo, private_data,
2583 				    pactvb, state->ticket_checksum_type,
2584 				    state->kdc_ek->keytype,
2585 				    "krb5_c_verify_checksum failed for Ticket Signature",
2586 				    "kdc_checksum_key",
2587 				    1,
2588 				    1);
2589 		return;
2590 	}
2591 
2592 	if (valid == FALSE) {
2593 		missing_signing_key(tree, actx->pinfo, private_data,
2594 				    pactvb, state->ticket_checksum_type,
2595 				    state->kdc_ek->keytype,
2596 				    "Invalid Ticket",
2597 				    "kdc_checksum_key",
2598 				    1,
2599 				    1);
2600 		return;
2601 	}
2602 
2603 	used_signing_key(tree, actx->pinfo, private_data,
2604 			 state->kdc_ek, pactvb,
2605 			 state->ticket_checksum_type,
2606 			 "Verified Ticket",
2607 			 "kdc_checksum_key",
2608 			 1,
2609 			 1);
2610 #endif /* HAVE_DECODE_KRB5_ENC_TKT_PART */
2611 }
2612 
2613 static void
2614 verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
2615 {
2616 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
2617 	krb5_error_code ret;
2618 	krb5_data checksum_data = {0,0,NULL};
2619 	krb5_data ticket_checksum_data = {0,0,NULL};
2620 	int length = tvb_captured_length(pactvb);
2621 	const guint8 *pacbuffer = NULL;
2622 	struct verify_krb5_pac_state state = {
2623 		.kdc_checksum = 0,
2624 	};
2625 
2626 	/* don't do anything if we are not attempting to decrypt data */
2627 	if(!krb_decrypt || length < 1){
2628 		return;
2629 	}
2630 
2631 	/* make sure we have all the data we need */
2632 	if (tvb_captured_length(pactvb) < tvb_reported_length(pactvb)) {
2633 		return;
2634 	}
2635 
2636 	pacbuffer = tvb_get_ptr(pactvb, 0, length);
2637 
2638 	ret = krb5_pac_parse(krb5_ctx, pacbuffer, length, &state.pac);
2639 	if (ret != 0) {
2640 		proto_tree_add_expert_format(tree, actx->pinfo, &ei_kerberos_decrypted_keytype,
2641 					     pactvb, 0, 0,
2642 					     "Failed to parse PAC buffer %d in frame %u",
2643 					     ret, actx->pinfo->fd->num);
2644 		return;
2645 	}
2646 
2647 	ret = krb5_pac_get_buffer(krb5_ctx, state.pac, KRB5_PAC_SERVER_CHECKSUM,
2648 				  &checksum_data);
2649 	if (ret == 0) {
2650 		state.server_checksum = pletoh32(checksum_data.data);
2651 		krb5_free_data_contents(krb5_ctx, &checksum_data);
2652 	};
2653 	ret = krb5_pac_get_buffer(krb5_ctx, state.pac, KRB5_PAC_PRIVSVR_CHECKSUM,
2654 				  &checksum_data);
2655 	if (ret == 0) {
2656 		state.kdc_checksum = pletoh32(checksum_data.data);
2657 		krb5_free_data_contents(krb5_ctx, &checksum_data);
2658 	};
2659 	ret = krb5_pac_get_buffer(krb5_ctx, state.pac,
2660 				  __KRB5_PAC_TICKET_CHECKSUM,
2661 				  &ticket_checksum_data);
2662 	if (ret == 0) {
2663 		state.ticket_checksum_data = &ticket_checksum_data;
2664 		state.ticket_checksum_type = pletoh32(ticket_checksum_data.data);
2665 	};
2666 
2667 	read_keytab_file_from_preferences();
2668 
2669 	wmem_map_foreach(kerberos_all_keys,
2670 			 verify_krb5_pac_try_server_key,
2671 			 &state);
2672 	if (state.server_ek != NULL) {
2673 		used_signing_key(tree, actx->pinfo, private_data,
2674 				 state.server_ek, pactvb,
2675 				 state.server_checksum, "Verified Server",
2676 				 "all_keys",
2677 				 wmem_map_size(kerberos_all_keys),
2678 				 state.server_count);
2679 	} else {
2680 		int keytype = keytype_for_cksumtype(state.server_checksum);
2681 		missing_signing_key(tree, actx->pinfo, private_data,
2682 				    pactvb, state.server_checksum, keytype,
2683 				    "Missing Server",
2684 				    "all_keys",
2685 				    wmem_map_size(kerberos_all_keys),
2686 				    state.server_count);
2687 	}
2688 	wmem_map_foreach(kerberos_longterm_keys,
2689 			 verify_krb5_pac_try_kdc_key,
2690 			 &state);
2691 	if (state.kdc_ek != NULL) {
2692 		used_signing_key(tree, actx->pinfo, private_data,
2693 				 state.kdc_ek, pactvb,
2694 				 state.kdc_checksum, "Verified KDC",
2695 				 "longterm_keys",
2696 				 wmem_map_size(kerberos_longterm_keys),
2697 				 state.kdc_count);
2698 	} else {
2699 		int keytype = keytype_for_cksumtype(state.kdc_checksum);
2700 		missing_signing_key(tree, actx->pinfo, private_data,
2701 				    pactvb, state.kdc_checksum, keytype,
2702 				    "Missing KDC",
2703 				    "longterm_keys",
2704 				    wmem_map_size(kerberos_longterm_keys),
2705 				    state.kdc_count);
2706 	}
2707 
2708 	if (state.ticket_checksum_type != 0) {
2709 		verify_krb5_pac_ticket_checksum(tree, actx, pactvb, &state);
2710 	}
2711 
2712 	if (state.ticket_checksum_data != NULL) {
2713 		krb5_free_data_contents(krb5_ctx, &ticket_checksum_data);
2714 	}
2715 
2716 	krb5_pac_free(krb5_ctx, state.pac);
2717 }
2718 #endif /* HAVE_KRB5_PAC_VERIFY */
2719 
2720 #elif defined(HAVE_HEIMDAL_KERBEROS)
2721 static krb5_context krb5_ctx;
2722 
2723 USES_APPLE_DEPRECATED_API
2724 
2725 static void
2726 krb5_fast_key(asn1_ctx_t *actx _U_, proto_tree *tree _U_, tvbuff_t *tvb _U_,
2727 	      enc_key_t *ek1 _U_, const char *p1 _U_,
2728 	      enc_key_t *ek2 _U_, const char *p2 _U_,
2729 	      const char *origin _U_)
2730 {
2731 /* TODO: use krb5_crypto_fx_cf2() from Heimdal */
2732 }
2733 void
2734 read_keytab_file(const char *filename)
2735 {
2736 	krb5_keytab keytab;
2737 	krb5_error_code ret;
2738 	krb5_keytab_entry key;
2739 	krb5_kt_cursor cursor;
2740 	enc_key_t *new_key;
2741 	static gboolean first_time=TRUE;
2742 
2743 	if (filename == NULL || filename[0] == 0) {
2744 		return;
2745 	}
2746 
2747 	if(first_time){
2748 		first_time=FALSE;
2749 		ret = krb5_init_context(&krb5_ctx);
2750 		if(ret){
2751 			return;
2752 		}
2753 	}
2754 
2755 	/* should use a file in the wireshark users dir */
2756 	ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
2757 	if(ret){
2758 		fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
2759 
2760 		return;
2761 	}
2762 
2763 	ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
2764 	if(ret){
2765 		fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
2766 		return;
2767 	}
2768 
2769 	do{
2770 		ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
2771 		if(ret==0){
2772 			unsigned int i;
2773 			char *pos;
2774 
2775 			new_key = wmem_new0(wmem_epan_scope(), enc_key_t);
2776 			new_key->fd_num = -1;
2777 			new_key->id = ++kerberos_longterm_ids;
2778 			g_snprintf(new_key->id_str, KRB_MAX_ID_STR_LEN, "keytab.%u", new_key->id);
2779 			new_key->next = enc_key_list;
2780 
2781 			/* generate origin string, describing where this key came from */
2782 			pos=new_key->key_origin;
2783 			pos+=MIN(KRB_MAX_ORIG_LEN,
2784 					 g_snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
2785 			for(i=0;i<key.principal->name.name_string.len;i++){
2786 				pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
2787 						 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]));
2788 			}
2789 			pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
2790 					 g_snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm));
2791 			*pos=0;
2792 			new_key->keytype=key.keyblock.keytype;
2793 			new_key->keylength=(int)key.keyblock.keyvalue.length;
2794 			memcpy(new_key->keyvalue,
2795 			       key.keyblock.keyvalue.data,
2796 			       MIN((guint)key.keyblock.keyvalue.length, KRB_MAX_KEY_LENGTH));
2797 
2798 			enc_key_list=new_key;
2799 			ret = krb5_kt_free_entry(krb5_ctx, &key);
2800 			if (ret) {
2801 				fprintf(stderr, "KERBEROS ERROR: Could not release the entry: %d", ret);
2802 				ret = 0; /* try to continue with the next entry */
2803 			}
2804 			kerberos_key_map_insert(kerberos_longterm_keys, new_key);
2805 		}
2806 	}while(ret==0);
2807 
2808 	ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
2809 	if(ret){
2810 		fprintf(stderr, "KERBEROS ERROR: Could not release the keytab cursor: %d", ret);
2811 	}
2812 	ret = krb5_kt_close(krb5_ctx, keytab);
2813 	if(ret){
2814 		fprintf(stderr, "KERBEROS ERROR: Could not close the key table handle: %d", ret);
2815 	}
2816 
2817 }
2818 USES_APPLE_RST
2819 
2820 
2821 guint8 *
2822 decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
2823 					int usage,
2824 					tvbuff_t *cryptotvb,
2825 					int keytype,
2826 					int *datalen)
2827 {
2828 	kerberos_private_data_t *zero_private = kerberos_new_private_data(pinfo);
2829 	krb5_error_code ret;
2830 	krb5_data data;
2831 	enc_key_t *ek;
2832 	int length = tvb_captured_length(cryptotvb);
2833 	const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
2834 
2835 	/* don't do anything if we are not attempting to decrypt data */
2836 	if(!krb_decrypt){
2837 		return NULL;
2838 	}
2839 
2840 	/* make sure we have all the data we need */
2841 	if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
2842 		return NULL;
2843 	}
2844 
2845 	read_keytab_file_from_preferences();
2846 
2847 	for(ek=enc_key_list;ek;ek=ek->next){
2848 		krb5_keytab_entry key;
2849 		krb5_crypto crypto;
2850 		guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
2851 
2852 		/* shortcircuit and bail out if enctypes are not matching */
2853 		if((keytype != -1) && (ek->keytype != keytype)) {
2854 			continue;
2855 		}
2856 
2857 		key.keyblock.keytype=ek->keytype;
2858 		key.keyblock.keyvalue.length=ek->keylength;
2859 		key.keyblock.keyvalue.data=ek->keyvalue;
2860 		ret = krb5_crypto_init(krb5_ctx, &(key.keyblock), (krb5_enctype)ENCTYPE_NULL, &crypto);
2861 		if(ret){
2862 			return NULL;
2863 		}
2864 
2865 		/* pre-0.6.1 versions of Heimdal would sometimes change
2866 		   the cryptotext data even when the decryption failed.
2867 		   This would obviously not work since we iterate over the
2868 		   keys. So just give it a copy of the crypto data instead.
2869 		   This has been seen for RC4-HMAC blobs.
2870 		*/
2871 		cryptocopy = (guint8 *)wmem_memdup(pinfo->pool, cryptotext, length);
2872 		ret = krb5_decrypt_ivec(krb5_ctx, crypto, usage,
2873 								cryptocopy, length,
2874 								&data,
2875 								NULL);
2876 		if((ret == 0) && (length>0)){
2877 			char *user_data;
2878 
2879 			used_encryption_key(tree, pinfo, zero_private,
2880 					    ek, usage, cryptotvb,
2881 					    "enc_key_list", 0, 0);
2882 
2883 			krb5_crypto_destroy(krb5_ctx, crypto);
2884 			/* return a private wmem_alloced blob to the caller */
2885 			user_data = (char *)wmem_memdup(pinfo->pool, data.data, (guint)data.length);
2886 			if (datalen) {
2887 				*datalen = (int)data.length;
2888 			}
2889 			return user_data;
2890 		}
2891 		krb5_crypto_destroy(krb5_ctx, crypto);
2892 	}
2893 	return NULL;
2894 }
2895 
2896 #define NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP 1
2897 
2898 #elif defined (HAVE_LIBNETTLE)
2899 
2900 #define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
2901 #define KEYTYPE_DES3_CBC_MD5 5	/* Currently the only one supported */
2902 
2903 typedef struct _service_key_t {
2904 	guint16 kvno;
2905 	int     keytype;
2906 	int     length;
2907 	guint8 *contents;
2908 	char    origin[KRB_MAX_ORIG_LEN+1];
2909 } service_key_t;
2910 GSList *service_key_list = NULL;
2911 
2912 
2913 static void
2914 add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
2915 {
2916 	service_key_t *new_key;
2917 
2918 	if(pinfo->fd->visited){
2919 		return;
2920 	}
2921 
2922 	new_key = g_malloc(sizeof(service_key_t));
2923 	new_key->kvno = 0;
2924 	new_key->keytype = keytype;
2925 	new_key->length = keylength;
2926 	new_key->contents = g_memdup2(keyvalue, keylength);
2927 	g_snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->num);
2928 	service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
2929 }
2930 
2931 static void
2932 save_encryption_key(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
2933 		    asn1_ctx_t *actx _U_, proto_tree *tree _U_,
2934 		    int parent_hf_index _U_,
2935 		    int hf_index _U_)
2936 {
2937 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
2938 	const char *parent = proto_registrar_get_name(parent_hf_index);
2939 	const char *element = proto_registrar_get_name(hf_index);
2940 	char origin[KRB_MAX_ORIG_LEN] = { 0, };
2941 
2942 	g_snprintf(origin, KRB_MAX_ORIG_LEN, "%s_%s", parent, element);
2943 
2944 	add_encryption_key(actx->pinfo,
2945 			   private_data->key.keytype,
2946 			   private_data->key.keylength,
2947 			   private_data->key.keyvalue,
2948 			   origin);
2949 }
2950 
2951 static void
2952 save_Authenticator_subkey(tvbuff_t *tvb, int offset, int length,
2953 			  asn1_ctx_t *actx, proto_tree *tree,
2954 			  int parent_hf_index,
2955 			  int hf_index)
2956 {
2957 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
2958 }
2959 
2960 static void
2961 save_EncAPRepPart_subkey(tvbuff_t *tvb, int offset, int length,
2962 			 asn1_ctx_t *actx, proto_tree *tree,
2963 			 int parent_hf_index,
2964 			 int hf_index)
2965 {
2966 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
2967 }
2968 
2969 static void
2970 save_EncKDCRepPart_key(tvbuff_t *tvb, int offset, int length,
2971 		       asn1_ctx_t *actx, proto_tree *tree,
2972 		       int parent_hf_index,
2973 		       int hf_index)
2974 {
2975 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
2976 }
2977 
2978 static void
2979 save_EncTicketPart_key(tvbuff_t *tvb, int offset, int length,
2980 		       asn1_ctx_t *actx, proto_tree *tree,
2981 		       int parent_hf_index,
2982 		       int hf_index)
2983 {
2984 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
2985 }
2986 
2987 static void
2988 save_KrbCredInfo_key(tvbuff_t *tvb, int offset, int length,
2989 		     asn1_ctx_t *actx, proto_tree *tree,
2990 		     int parent_hf_index,
2991 		     int hf_index)
2992 {
2993 	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
2994 }
2995 
2996 static void
2997 save_KrbFastResponse_strengthen_key(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
2998 				    asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
2999 {
3000 	save_encryption_key(tvb, offset, length, actx, tree, hf_index);
3001 }
3002 
3003 static void
3004 clear_keytab(void) {
3005 	GSList *ske;
3006 	service_key_t *sk;
3007 
3008 	for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
3009 		sk = (service_key_t *) ske->data;
3010 		if (sk) {
3011 			g_free(sk->contents);
3012 			g_free(sk);
3013 		}
3014 	}
3015 	g_slist_free(service_key_list);
3016 	service_key_list = NULL;
3017 }
3018 
3019 static void
3020 read_keytab_file(const char *service_key_file)
3021 {
3022 	FILE *skf;
3023 	ws_statb64 st;
3024 	service_key_t *sk;
3025 	unsigned char buf[SERVICE_KEY_SIZE];
3026 	int newline_skip = 0, count = 0;
3027 
3028 	if (service_key_file != NULL && ws_stat64 (service_key_file, &st) == 0) {
3029 
3030 		/* The service key file contains raw 192-bit (24 byte) 3DES keys.
3031 		 * There can be zero, one (\n), or two (\r\n) characters between
3032 		 * keys.  Trailing characters are ignored.
3033 		 */
3034 
3035 		/* XXX We should support the standard keytab format instead */
3036 		if (st.st_size > SERVICE_KEY_SIZE) {
3037 			if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
3038 				 (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
3039 				newline_skip = 1;
3040 			} else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
3041 				 (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
3042 				newline_skip = 2;
3043 			}
3044 		}
3045 
3046 		skf = ws_fopen(service_key_file, "rb");
3047 		if (! skf) return;
3048 
3049 		while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
3050 			sk = g_malloc(sizeof(service_key_t));
3051 			sk->kvno = buf[0] << 8 | buf[1];
3052 			sk->keytype = KEYTYPE_DES3_CBC_MD5;
3053 			sk->length = DES3_KEY_SIZE;
3054 			sk->contents = g_memdup2(buf + 2, DES3_KEY_SIZE);
3055 			g_snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
3056 			service_key_list = g_slist_append(service_key_list, (gpointer) sk);
3057 			if (fseek(skf, newline_skip, SEEK_CUR) < 0) {
3058 				fprintf(stderr, "unable to seek...\n");
3059 				fclose(skf);
3060 				return;
3061 			}
3062 			count++;
3063 		}
3064 		fclose(skf);
3065 	}
3066 }
3067 
3068 #define CONFOUNDER_PLUS_CHECKSUM 24
3069 
3070 guint8 *
3071 decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
3072 					int _U_ usage,
3073 					tvbuff_t *cryptotvb,
3074 					int keytype,
3075 					int *datalen)
3076 {
3077 	tvbuff_t *encr_tvb;
3078 	guint8 *decrypted_data = NULL, *plaintext = NULL;
3079 	guint8 cls;
3080 	gboolean pc;
3081 	guint32 tag, item_len, data_len;
3082 	int id_offset, offset;
3083 	guint8 key[DES3_KEY_SIZE];
3084 	guint8 initial_vector[DES_BLOCK_SIZE];
3085 	gcry_md_hd_t md5_handle;
3086 	guint8 *digest;
3087 	guint8 zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
3088 	guint8 confounder[8];
3089 	gboolean ind;
3090 	GSList *ske;
3091 	service_key_t *sk;
3092 	struct des3_ctx ctx;
3093 	int length = tvb_captured_length(cryptotvb);
3094 	const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
3095 
3096 
3097 	/* don't do anything if we are not attempting to decrypt data */
3098 	if(!krb_decrypt){
3099 		return NULL;
3100 	}
3101 
3102 	/* make sure we have all the data we need */
3103 	if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
3104 		return NULL;
3105 	}
3106 
3107 	if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
3108 		return NULL;
3109 	}
3110 
3111 	decrypted_data = wmem_alloc(pinfo->pool, length);
3112 	for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
3113 		gboolean do_continue = FALSE;
3114 		gboolean digest_ok;
3115 		sk = (service_key_t *) ske->data;
3116 
3117 		des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
3118 
3119 		memset(initial_vector, 0, DES_BLOCK_SIZE);
3120 		des3_set_key(&ctx, key);
3121 		cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
3122 					length, decrypted_data, cryptotext);
3123 		encr_tvb = tvb_new_real_data(decrypted_data, length, length);
3124 
3125 		tvb_memcpy(encr_tvb, confounder, 0, 8);
3126 
3127 		/* We have to pull the decrypted data length from the decrypted
3128 		 * content.  If the key doesn't match or we otherwise get garbage,
3129 		 * an exception may get thrown while decoding the ASN.1 header.
3130 		 * Catch it, just in case.
3131 		 */
3132 		TRY {
3133 			id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
3134 			offset = get_ber_length(encr_tvb, id_offset, &item_len, &ind);
3135 		}
3136 		CATCH_BOUNDS_ERRORS {
3137 			tvb_free(encr_tvb);
3138 			do_continue = TRUE;
3139 		}
3140 		ENDTRY;
3141 
3142 		if (do_continue) continue;
3143 
3144 		data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
3145 		if ((int) item_len + offset > length) {
3146 			tvb_free(encr_tvb);
3147 			continue;
3148 		}
3149 
3150 		if (gcry_md_open(&md5_handle, GCRY_MD_MD5, 0)) {
3151 			return NULL;
3152 		}
3153 		gcry_md_write(md5_handle, confounder, 8);
3154 		gcry_md_write(md5_handle, zero_fill, 16);
3155 		gcry_md_write(md5_handle, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
3156 		digest = gcry_md_read(md5_handle, 0);
3157 
3158 		digest_ok = (tvb_memeql (encr_tvb, 8, digest, HASH_MD5_LENGTH) == 0);
3159 		gcry_md_close(md5_handle);
3160 		if (digest_ok) {
3161 			plaintext = (guint8* )tvb_memdup(pinfo->pool, encr_tvb, CONFOUNDER_PLUS_CHECKSUM, data_len);
3162 			tvb_free(encr_tvb);
3163 
3164 			if (datalen) {
3165 				*datalen = data_len;
3166 			}
3167 			return(plaintext);
3168 		}
3169 		tvb_free(encr_tvb);
3170 	}
3171 
3172 	return NULL;
3173 }
3174 
3175 #endif	/* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
3176 
3177 #ifdef NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP
3178 tvbuff_t *
3179 decrypt_krb5_krb_cfx_dce(proto_tree *tree _U_,
3180 			 packet_info *pinfo _U_,
3181 			 int usage _U_,
3182 			 int keytype _U_,
3183 			 tvbuff_t *gssapi_header_tvb _U_,
3184 			 tvbuff_t *gssapi_encrypted_tvb _U_,
3185 			 tvbuff_t *gssapi_trailer_tvb _U_,
3186 			 tvbuff_t *checksum_tvb _U_)
3187 {
3188 	return NULL;
3189 }
3190 #endif /* NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP */
3191 
3192 #define	INET6_ADDRLEN	16
3193 
3194 /* TCP Record Mark */
3195 #define	KRB_RM_RESERVED	0x80000000U
3196 #define	KRB_RM_RECLEN	0x7fffffffU
3197 
3198 #define KRB5_MSG_TICKET			1	/* Ticket */
3199 #define KRB5_MSG_AUTHENTICATOR		2	/* Authenticator */
3200 #define KRB5_MSG_ENC_TICKET_PART	3	/* EncTicketPart */
3201 #define KRB5_MSG_AS_REQ			10	/* AS-REQ type */
3202 #define KRB5_MSG_AS_REP			11	/* AS-REP type */
3203 #define KRB5_MSG_TGS_REQ		12	/* TGS-REQ type */
3204 #define KRB5_MSG_TGS_REP		13	/* TGS-REP type */
3205 #define KRB5_MSG_AP_REQ			14	/* AP-REQ type */
3206 #define KRB5_MSG_AP_REP			15	/* AP-REP type */
3207 #define KRB5_MSG_TGT_REQ		16	/* TGT-REQ type */
3208 #define KRB5_MSG_TGT_REP		17	/* TGT-REP type */
3209 
3210 #define KRB5_MSG_SAFE			20	/* KRB-SAFE type */
3211 #define KRB5_MSG_PRIV			21	/* KRB-PRIV type */
3212 #define KRB5_MSG_CRED			22	/* KRB-CRED type */
3213 #define KRB5_MSG_ENC_AS_REP_PART	25	/* EncASRepPart */
3214 #define KRB5_MSG_ENC_TGS_REP_PART	26	/* EncTGSRepPart */
3215 #define KRB5_MSG_ENC_AP_REP_PART	27	/* EncAPRepPart */
3216 #define KRB5_MSG_ENC_KRB_PRIV_PART	28	/* EncKrbPrivPart */
3217 #define KRB5_MSG_ENC_KRB_CRED_PART	29	/* EncKrbCredPart */
3218 #define KRB5_MSG_ERROR			30	/* KRB-ERROR type */
3219 
3220 #define KRB5_CHKSUM_GSSAPI		0x8003
3221 /*
3222  * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
3223  *
3224  *	https://tools.ietf.org/html/draft-brezak-win2k-krb-rc4-hmac-04
3225  *
3226  * unless it's expired.
3227  */
3228 
3229 /* Principal name-type */
3230 #define KRB5_NT_UNKNOWN		0
3231 #define KRB5_NT_PRINCIPAL	1
3232 #define KRB5_NT_SRV_INST	2
3233 #define KRB5_NT_SRV_HST		3
3234 #define KRB5_NT_SRV_XHST	4
3235 #define KRB5_NT_UID		5
3236 #define KRB5_NT_X500_PRINCIPAL	6
3237 #define KRB5_NT_SMTP_NAME	7
3238 #define KRB5_NT_ENTERPRISE	10
3239 
3240 /*
3241  * MS specific name types, from
3242  *
3243  *	http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
3244  */
3245 #define KRB5_NT_MS_PRINCIPAL		-128
3246 #define KRB5_NT_MS_PRINCIPAL_AND_SID	-129
3247 #define KRB5_NT_ENT_PRINCIPAL_AND_SID	-130
3248 #define KRB5_NT_PRINCIPAL_AND_SID 	-131
3249 #define KRB5_NT_SRV_INST_AND_SID	-132
3250 
3251 /* error table constants */
3252 /* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
3253 #define KRB5_ET_KRB5KDC_ERR_NONE			0
3254 #define KRB5_ET_KRB5KDC_ERR_NAME_EXP			1
3255 #define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP			2
3256 #define KRB5_ET_KRB5KDC_ERR_BAD_PVNO			3
3257 #define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO		4
3258 #define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO		5
3259 #define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN		6
3260 #define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN		7
3261 #define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE	8
3262 #define KRB5_ET_KRB5KDC_ERR_NULL_KEY			9
3263 #define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE		10
3264 #define KRB5_ET_KRB5KDC_ERR_NEVER_VALID			11
3265 #define KRB5_ET_KRB5KDC_ERR_POLICY			12
3266 #define KRB5_ET_KRB5KDC_ERR_BADOPTION			13
3267 #define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP		14
3268 #define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP		15
3269 #define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP		16
3270 #define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP		17
3271 #define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED		18
3272 #define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED		19
3273 #define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED			20
3274 #define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET		21
3275 #define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET		22
3276 #define KRB5_ET_KRB5KDC_ERR_KEY_EXP			23
3277 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED		24
3278 #define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED		25
3279 #define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH		26
3280 #define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER		27
3281 #define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED		28
3282 #define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE		29
3283 #define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY		31
3284 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED		32
3285 #define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV			33
3286 #define KRB5_ET_KRB5KRB_AP_ERR_REPEAT			34
3287 #define KRB5_ET_KRB5KRB_AP_ERR_NOT_US			35
3288 #define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH			36
3289 #define KRB5_ET_KRB5KRB_AP_ERR_SKEW			37
3290 #define KRB5_ET_KRB5KRB_AP_ERR_BADADDR			38
3291 #define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION		39
3292 #define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE			40
3293 #define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED			41
3294 #define KRB5_ET_KRB5KRB_AP_ERR_BADORDER			42
3295 #define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT		43
3296 #define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER		44
3297 #define KRB5_ET_KRB5KRB_AP_ERR_NOKEY			45
3298 #define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL			46
3299 #define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION		47
3300 #define KRB5_ET_KRB5KRB_AP_ERR_METHOD			48
3301 #define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ			49
3302 #define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM		50
3303 #define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED		51
3304 #define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG		52
3305 #define KRB5_ET_KRB5KRB_ERR_GENERIC			60
3306 #define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG		61
3307 #define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED		62
3308 #define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED		63
3309 #define KRB5_ET_KDC_ERROR_INVALID_SIG			64
3310 #define KRB5_ET_KDC_ERR_KEY_TOO_WEAK			65
3311 #define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH		66
3312 #define KRB5_ET_KRB_AP_ERR_NO_TGT			67
3313 #define KRB5_ET_KDC_ERR_WRONG_REALM			68
3314 #define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED	69
3315 #define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE		70
3316 #define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE		71
3317 #define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE		72
3318 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN	73
3319 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE	74
3320 #define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH		75
3321 #define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH		76
3322 #define KRB5_ET_KDC_ERR_PREAUTH_EXPIRED			90
3323 #define KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED	91
3324 #define KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET	92
3325 #define KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS	93
3326 
3327 static const value_string krb5_error_codes[] = {
3328 	{ KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
3329 	{ KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
3330 	{ KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
3331 	{ KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
3332 	{ KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
3333 	{ KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
3334 	{ KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
3335 	{ KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
3336 	{ KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
3337 	{ KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
3338 	{ KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
3339 	{ KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
3340 	{ KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
3341 	{ KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
3342 	{ KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
3343 	{ KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
3344 	{ KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
3345 	{ KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
3346 	{ KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
3347 	{ KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
3348 	{ KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
3349 	{ KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
3350 	{ KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
3351 	{ KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
3352 	{ KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
3353 	{ KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
3354 	{ KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
3355 	{ KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
3356 	{ KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
3357 	{ KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
3358 	{ KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
3359 	{ KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
3360 	{ KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
3361 	{ KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
3362 	{ KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
3363 	{ KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
3364 	{ KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
3365 	{ KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
3366 	{ KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
3367 	{ KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
3368 	{ KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
3369 	{ KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
3370 	{ KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
3371 	{ KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
3372 	{ KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
3373 	{ KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
3374 	{ KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
3375 	{ KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
3376 	{ KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
3377 	{ KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
3378 	{ KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
3379 	{ KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
3380 	{ KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
3381 	{ KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
3382 	{ KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
3383 	{ KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
3384 	{ KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
3385 	{ KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
3386 	{ KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
3387 	{ KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
3388 	{ KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
3389 	{ KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
3390 	{ KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
3391 	{ KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
3392 	{ KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
3393 	{ KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
3394 	{ KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
3395 	{ KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
3396 	{ KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
3397 	{ KRB5_ET_KDC_ERR_PREAUTH_EXPIRED, "KDC_ERR_PREAUTH_EXPIRED" },
3398 	{ KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "KDC_ERR_MORE_PREAUTH_DATA_REQUIRED" },
3399 	{ KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET, "KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET" },
3400 	{ KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, "KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS" },
3401 	{ 0, NULL }
3402 };
3403 
3404 
3405 #define PAC_LOGON_INFO		1
3406 #define PAC_CREDENTIAL_TYPE	2
3407 #define PAC_SERVER_CHECKSUM	6
3408 #define PAC_PRIVSVR_CHECKSUM	7
3409 #define PAC_CLIENT_INFO_TYPE	10
3410 #define PAC_S4U_DELEGATION_INFO	11
3411 #define PAC_UPN_DNS_INFO	12
3412 #define PAC_CLIENT_CLAIMS_INFO	13
3413 #define PAC_DEVICE_INFO		14
3414 #define PAC_DEVICE_CLAIMS_INFO	15
3415 #define PAC_TICKET_CHECKSUM	16
3416 static const value_string w2k_pac_types[] = {
3417 	{ PAC_LOGON_INFO		, "Logon Info" },
3418 	{ PAC_CREDENTIAL_TYPE		, "Credential Type" },
3419 	{ PAC_SERVER_CHECKSUM		, "Server Checksum" },
3420 	{ PAC_PRIVSVR_CHECKSUM		, "Privsvr Checksum" },
3421 	{ PAC_CLIENT_INFO_TYPE		, "Client Info Type" },
3422 	{ PAC_S4U_DELEGATION_INFO	, "S4U Delegation Info" },
3423 	{ PAC_UPN_DNS_INFO		, "UPN DNS Info" },
3424 	{ PAC_CLIENT_CLAIMS_INFO	, "Client Claims Info" },
3425 	{ PAC_DEVICE_INFO		, "Device Info" },
3426 	{ PAC_DEVICE_CLAIMS_INFO	, "Device Claims Info" },
3427 	{ PAC_TICKET_CHECKSUM		, "Ticket Checksum" },
3428 	{ 0, NULL },
3429 };
3430 
3431 static const value_string krb5_msg_types[] = {
3432 	{ KRB5_MSG_TICKET,		"Ticket" },
3433 	{ KRB5_MSG_AUTHENTICATOR,	"Authenticator" },
3434 	{ KRB5_MSG_ENC_TICKET_PART,	"EncTicketPart" },
3435 	{ KRB5_MSG_TGS_REQ,		"TGS-REQ" },
3436 	{ KRB5_MSG_TGS_REP,		"TGS-REP" },
3437 	{ KRB5_MSG_AS_REQ,		"AS-REQ" },
3438 	{ KRB5_MSG_AS_REP,		"AS-REP" },
3439 	{ KRB5_MSG_AP_REQ,		"AP-REQ" },
3440 	{ KRB5_MSG_AP_REP,		"AP-REP" },
3441 	{ KRB5_MSG_TGT_REQ,		"TGT-REQ" },
3442 	{ KRB5_MSG_TGT_REP,		"TGT-REP" },
3443 	{ KRB5_MSG_SAFE,		"KRB-SAFE" },
3444 	{ KRB5_MSG_PRIV,		"KRB-PRIV" },
3445 	{ KRB5_MSG_CRED,		"KRB-CRED" },
3446 	{ KRB5_MSG_ENC_AS_REP_PART,	"EncASRepPart" },
3447 	{ KRB5_MSG_ENC_TGS_REP_PART,	"EncTGSRepPart" },
3448 	{ KRB5_MSG_ENC_AP_REP_PART,	"EncAPRepPart" },
3449 	{ KRB5_MSG_ENC_KRB_PRIV_PART,	"EncKrbPrivPart" },
3450 	{ KRB5_MSG_ENC_KRB_CRED_PART,	"EncKrbCredPart" },
3451 	{ KRB5_MSG_ERROR,		"KRB-ERROR" },
3452 	{ 0, NULL },
3453 };
3454 
3455 #define KRB5_GSS_C_DELEG_FLAG             0x01
3456 #define KRB5_GSS_C_MUTUAL_FLAG            0x02
3457 #define KRB5_GSS_C_REPLAY_FLAG            0x04
3458 #define KRB5_GSS_C_SEQUENCE_FLAG          0x08
3459 #define KRB5_GSS_C_CONF_FLAG              0x10
3460 #define KRB5_GSS_C_INTEG_FLAG             0x20
3461 #define KRB5_GSS_C_DCE_STYLE            0x1000
3462 
3463 static const true_false_string tfs_gss_flags_deleg = {
3464 	"Delegate credentials to remote peer",
3465 	"Do NOT delegate"
3466 };
3467 static const true_false_string tfs_gss_flags_mutual = {
3468 	"Request that remote peer authenticates itself",
3469 	"Mutual authentication NOT required"
3470 };
3471 static const true_false_string tfs_gss_flags_replay = {
3472 	"Enable replay protection for signed or sealed messages",
3473 	"Do NOT enable replay protection"
3474 };
3475 static const true_false_string tfs_gss_flags_sequence = {
3476 	"Enable Out-of-sequence detection for sign or sealed messages",
3477 	"Do NOT enable out-of-sequence detection"
3478 };
3479 static const true_false_string tfs_gss_flags_conf = {
3480 	"Confidentiality (sealing) may be invoked",
3481 	"Do NOT use Confidentiality (sealing)"
3482 };
3483 static const true_false_string tfs_gss_flags_integ = {
3484 	"Integrity protection (signing) may be invoked",
3485 	"Do NOT use integrity protection"
3486 };
3487 
3488 static const true_false_string tfs_gss_flags_dce_style = {
3489 	"DCE-STYLE",
3490 	"Not using DCE-STYLE"
3491 };
3492 
3493 #ifdef HAVE_KERBEROS
3494 static guint8 *
3495 decrypt_krb5_data_asn1(proto_tree *tree, asn1_ctx_t *actx,
3496 		       int usage, tvbuff_t *cryptotvb, int *datalen)
3497 {
3498 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3499 
3500 #ifdef HAVE_DECRYPT_KRB5_DATA_PRIVATE
3501 	return decrypt_krb5_data_private(tree, actx->pinfo, private_data,
3502 					 usage, cryptotvb,
3503 					 private_data->etype,
3504 					 datalen);
3505 #else
3506 	return decrypt_krb5_data(tree, actx->pinfo, usage, cryptotvb,
3507 				 private_data->etype, datalen);
3508 #endif
3509 }
3510 
3511 static int
3512 dissect_krb5_decrypt_ticket_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3513 									proto_tree *tree, int hf_index _U_)
3514 {
3515 	guint8 *plaintext;
3516 	int length;
3517 	tvbuff_t *next_tvb;
3518 
3519 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3520 	length=tvb_captured_length_remaining(tvb, offset);
3521 
3522 	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3523 	 * 7.5.1
3524 	 * All Ticket encrypted parts use usage == 2
3525 	 */
3526 	plaintext=decrypt_krb5_data_asn1(tree, actx, 2, next_tvb, &length);
3527 
3528 	if(plaintext){
3529 		kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3530 		tvbuff_t *last_ticket_enc_part_tvb = private_data->last_ticket_enc_part_tvb;
3531 		tvbuff_t *child_tvb;
3532 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3533 
3534 		/* Add the decrypted data to the data source list. */
3535 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 Ticket");
3536 
3537 		private_data->last_ticket_enc_part_tvb = child_tvb;
3538 		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3539 		private_data->last_ticket_enc_part_tvb = last_ticket_enc_part_tvb;
3540 	}
3541 	return offset;
3542 }
3543 
3544 static int
3545 dissect_krb5_decrypt_authenticator_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3546 											proto_tree *tree, int hf_index _U_)
3547 {
3548 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3549 	guint8 *plaintext;
3550 	int length;
3551 	tvbuff_t *next_tvb;
3552 
3553 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3554 	length=tvb_captured_length_remaining(tvb, offset);
3555 
3556 	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3557 	 * 7.5.1
3558 	 * Authenticators are encrypted with usage
3559 	 * == 7 or
3560 	 * == 11
3561 	 *
3562 	 * 7.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator
3563 	 *     (includes TGS authenticator subkey), encrypted with the
3564 	 *     TGS session key (section 5.5.1)
3565 	 * 11. AP-REQ Authenticator (includes application
3566 	 *     authenticator subkey), encrypted with the application
3567 	 *     session key (section 5.5.1)
3568 	 */
3569 	if (private_data->within_PA_TGS_REQ > 0) {
3570 		plaintext=decrypt_krb5_data_asn1(tree, actx, 7, next_tvb, &length);
3571 	} else {
3572 		plaintext=decrypt_krb5_data_asn1(tree, actx, 11, next_tvb, &length);
3573 	}
3574 
3575 	if(plaintext){
3576 		tvbuff_t *child_tvb;
3577 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3578 
3579 		/* Add the decrypted data to the data source list. */
3580 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 Authenticator");
3581 
3582 		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3583 	}
3584 	return offset;
3585 }
3586 
3587 static int
3588 dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3589 					proto_tree *tree, int hf_index _U_)
3590 {
3591 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3592 	guint8 *plaintext;
3593 	int length;
3594 	tvbuff_t *next_tvb;
3595 
3596 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3597 	length=tvb_captured_length_remaining(tvb, offset);
3598 
3599 	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3600 	 * 7.5.1
3601 	 * Authenticators are encrypted with usage
3602 	 * == 5 or
3603 	 * == 4
3604 	 *
3605 	 * 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
3606 	 *    the TGS session key (section 5.4.1)
3607 	 * 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
3608 	 *    the TGS authenticator subkey (section 5.4.1)
3609 	 */
3610 	if (private_data->PA_TGS_REQ_subkey != NULL) {
3611 		plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, &length);
3612 	} else {
3613 		plaintext=decrypt_krb5_data_asn1(tree, actx, 4, next_tvb, &length);
3614 	}
3615 
3616 	if(plaintext){
3617 		tvbuff_t *child_tvb;
3618 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3619 
3620 		/* Add the decrypted data to the data source list. */
3621 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 AuthorizationData");
3622 
3623 		offset=dissect_kerberos_AuthorizationData(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3624 	}
3625 	return offset;
3626 }
3627 
3628 static int
3629 dissect_krb5_decrypt_KDC_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3630 									proto_tree *tree, int hf_index _U_)
3631 {
3632 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3633 	guint8 *plaintext = NULL;
3634 	int length;
3635 	tvbuff_t *next_tvb;
3636 
3637 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3638 	length=tvb_captured_length_remaining(tvb, offset);
3639 
3640 	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3641 	 * 7.5.1
3642 	 * ASREP/TGSREP encryptedparts are encrypted with usage
3643 	 * == 3 or
3644 	 * == 8 or
3645 	 * == 9
3646 	 *
3647 	 * 3. AS-REP encrypted part (includes TGS session key or
3648 	 *    application session key), encrypted with the client key
3649 	 *    (section 5.4.2)
3650 	 *
3651 	 * 8. TGS-REP encrypted part (includes application session
3652 	 *    key), encrypted with the TGS session key (section
3653 	 *    5.4.2)
3654 	 * 9. TGS-REP encrypted part (includes application session
3655 	 *    key), encrypted with the TGS authenticator subkey
3656 	 *    (section 5.4.2)
3657 	 *
3658 	 * We currently don't have a way to find the TGS-REQ state
3659 	 * in order to check if an authenticator subkey was used.
3660 	 *
3661 	 * But if we client used FAST and we got a strengthen_key,
3662 	 * we're sure an authenticator subkey was used.
3663 	 *
3664 	 * Windows don't use an authenticator subkey without FAST,
3665 	 * but heimdal does.
3666 	 *
3667 	 * For now try 8 before 9 in order to avoid overhead and false
3668 	 * positives for the 'kerberos.missing_keytype' filter in pure
3669 	 * windows captures.
3670 	 */
3671 	switch (private_data->msg_type) {
3672 	case KERBEROS_APPLICATIONS_AS_REP:
3673 		plaintext=decrypt_krb5_data_asn1(tree, actx, 3, next_tvb, &length);
3674 		break;
3675 	case KERBEROS_APPLICATIONS_TGS_REP:
3676 		if (private_data->fast_strengthen_key != NULL) {
3677 			plaintext=decrypt_krb5_data_asn1(tree, actx, 9, next_tvb, &length);
3678 		} else {
3679 			plaintext=decrypt_krb5_data_asn1(tree, actx, 8, next_tvb, &length);
3680 			if(!plaintext){
3681 				plaintext=decrypt_krb5_data_asn1(tree, actx, 9, next_tvb, &length);
3682 			}
3683 		}
3684 		break;
3685 	}
3686 
3687 	if(plaintext){
3688 		tvbuff_t *child_tvb;
3689 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3690 
3691 		/* Add the decrypted data to the data source list. */
3692 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 KDC-REP");
3693 
3694 		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3695 	}
3696 	return offset;
3697 }
3698 
3699 static int
3700 dissect_krb5_decrypt_PA_ENC_TIMESTAMP (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3701 										proto_tree *tree, int hf_index _U_)
3702 {
3703 	guint8 *plaintext;
3704 	int length;
3705 	tvbuff_t *next_tvb;
3706 
3707 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3708 	length=tvb_captured_length_remaining(tvb, offset);
3709 
3710 	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3711 	 * 7.5.1
3712 	 * AS-REQ PA_ENC_TIMESTAMP are encrypted with usage
3713 	 * == 1
3714 	 */
3715 	plaintext=decrypt_krb5_data_asn1(tree, actx, 1, next_tvb, &length);
3716 
3717 	if(plaintext){
3718 		tvbuff_t *child_tvb;
3719 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3720 
3721 		/* Add the decrypted data to the data source list. */
3722 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 EncTimestamp");
3723 
3724 		offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3725 	}
3726 	return offset;
3727 }
3728 
3729 static int
3730 dissect_krb5_decrypt_AP_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3731 									proto_tree *tree, int hf_index _U_)
3732 {
3733 	guint8 *plaintext;
3734 	int length;
3735 	tvbuff_t *next_tvb;
3736 
3737 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3738 	length=tvb_captured_length_remaining(tvb, offset);
3739 
3740 	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
3741 	 * 7.5.1
3742 	 * AP-REP are encrypted with usage == 12
3743 	 */
3744 	plaintext=decrypt_krb5_data_asn1(tree, actx, 12, next_tvb, &length);
3745 
3746 	if(plaintext){
3747 		tvbuff_t *child_tvb;
3748 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3749 
3750 		/* Add the decrypted data to the data source list. */
3751 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 AP-REP");
3752 
3753 		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3754 	}
3755 	return offset;
3756 }
3757 
3758 static int
3759 dissect_krb5_decrypt_PRIV_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3760 									proto_tree *tree, int hf_index _U_)
3761 {
3762 	guint8 *plaintext;
3763 	int length;
3764 	tvbuff_t *next_tvb;
3765 
3766 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3767 	length=tvb_captured_length_remaining(tvb, offset);
3768 
3769 	/* RFC4120 :
3770 	 * EncKrbPrivPart encrypted with usage
3771 	 * == 13
3772 	 */
3773 	plaintext=decrypt_krb5_data_asn1(tree, actx, 13, next_tvb, &length);
3774 
3775 	if(plaintext){
3776 		tvbuff_t *child_tvb;
3777 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3778 
3779 		/* Add the decrypted data to the data source list. */
3780 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 PRIV");
3781 
3782 		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3783 	}
3784 	return offset;
3785 }
3786 
3787 static int
3788 dissect_krb5_decrypt_CRED_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3789 									proto_tree *tree, int hf_index _U_)
3790 {
3791 	guint8 *plaintext;
3792 	int length;
3793 	tvbuff_t *next_tvb;
3794 
3795 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3796 	length=tvb_captured_length_remaining(tvb, offset);
3797 
3798 	/* RFC4120 :
3799 	 * EncKrbCredPart encrypted with usage
3800 	 * == 14
3801 	 */
3802 	plaintext=decrypt_krb5_data_asn1(tree, actx, 14, next_tvb, &length);
3803 
3804 	if(plaintext){
3805 		tvbuff_t *child_tvb;
3806 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3807 
3808 		/* Add the decrypted data to the data source list. */
3809 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 CRED");
3810 
3811 		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3812 	}
3813 	return offset;
3814 }
3815 
3816 static int
3817 dissect_krb5_decrypt_KrbFastReq(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3818 				proto_tree *tree, int hf_index _U_)
3819 {
3820 	guint8 *plaintext;
3821 	int length;
3822 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3823 	tvbuff_t *next_tvb;
3824 
3825 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3826 	length=tvb_captured_length_remaining(tvb, offset);
3827 
3828 	private_data->fast_armor_key = NULL;
3829 	if (private_data->PA_FAST_ARMOR_AP_subkey != NULL) {
3830 		krb5_fast_key(actx, tree, tvb,
3831 			      private_data->PA_FAST_ARMOR_AP_subkey,
3832 			      "subkeyarmor",
3833 			      private_data->PA_FAST_ARMOR_AP_key,
3834 			      "ticketarmor",
3835 			      "KrbFastReq_FAST_armorKey");
3836 		if (private_data->PA_TGS_REQ_subkey != NULL) {
3837 			enc_key_t *explicit_armor_key = private_data->last_added_key;
3838 
3839 			/*
3840 			 * See [MS-KILE] 3.3.5.7.4 Compound Identity
3841 			 */
3842 			krb5_fast_key(actx, tree, tvb,
3843 				      explicit_armor_key,
3844 				      "explicitarmor",
3845 				      private_data->PA_TGS_REQ_subkey,
3846 				      "tgsarmor",
3847 				      "KrbFastReq_explicitArmorKey");
3848 		}
3849 		private_data->fast_armor_key = private_data->last_added_key;
3850 	} else if (private_data->PA_TGS_REQ_subkey != NULL) {
3851 		krb5_fast_key(actx, tree, tvb,
3852 			      private_data->PA_TGS_REQ_subkey,
3853 			      "subkeyarmor",
3854 			      private_data->PA_TGS_REQ_key,
3855 			      "ticketarmor",
3856 			      "KrbFastReq_TGS_armorKey");
3857 		private_data->fast_armor_key = private_data->last_added_key;
3858 	}
3859 
3860 	/* RFC6113 :
3861 	 * KrbFastResponse encrypted with usage
3862 	 * KEY_USAGE_FAST_ENC 51
3863 	 */
3864 	plaintext=decrypt_krb5_data_asn1(tree, actx, KEY_USAGE_FAST_ENC,
3865 					 next_tvb, &length);
3866 
3867 	if(plaintext){
3868 		tvbuff_t *child_tvb;
3869 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3870 
3871 		/* Add the decrypted data to the data source list. */
3872 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 FastReq");
3873 
3874 		offset=dissect_kerberos_KrbFastReq(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3875 	}
3876 	return offset;
3877 }
3878 
3879 static int
3880 dissect_krb5_decrypt_KrbFastResponse(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3881 				     proto_tree *tree, int hf_index _U_)
3882 {
3883 	guint8 *plaintext;
3884 	int length;
3885 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3886 	tvbuff_t *next_tvb;
3887 
3888 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3889 	length=tvb_captured_length_remaining(tvb, offset);
3890 
3891 	/*
3892 	 * RFC6113 :
3893 	 * KrbFastResponse encrypted with usage
3894 	 * KEY_USAGE_FAST_REP 52
3895 	 */
3896 	plaintext=decrypt_krb5_data_asn1(tree, actx, KEY_USAGE_FAST_REP,
3897 					 next_tvb, &length);
3898 
3899 	if(plaintext){
3900 		tvbuff_t *child_tvb;
3901 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3902 
3903 		/* Add the decrypted data to the data source list. */
3904 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 FastRep");
3905 
3906 		private_data->fast_armor_key = private_data->last_decryption_key;
3907 		offset=dissect_kerberos_KrbFastResponse(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3908 	}
3909 	return offset;
3910 }
3911 
3912 static int
3913 dissect_krb5_decrypt_EncryptedChallenge(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
3914 					proto_tree *tree, int hf_index _U_)
3915 {
3916 	guint8 *plaintext;
3917 	int length;
3918 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
3919 	tvbuff_t *next_tvb;
3920 	int usage = 0;
3921 	const char *name = NULL;
3922 
3923 	next_tvb=tvb_new_subset_remaining(tvb, offset);
3924 	length=tvb_captured_length_remaining(tvb, offset);
3925 
3926 	/* RFC6113 :
3927 	 * KEY_USAGE_ENC_CHALLENGE_CLIENT  54
3928 	 * KEY_USAGE_ENC_CHALLENGE_KDC     55
3929 	 */
3930 	if (kerberos_private_is_kdc_req(private_data)) {
3931 		usage = KEY_USAGE_ENC_CHALLENGE_CLIENT;
3932 		name = "Krb5 CHALLENGE_CLIENT";
3933 	} else {
3934 		usage = KEY_USAGE_ENC_CHALLENGE_KDC;
3935 		name = "Krb5 CHALLENGE_KDC";
3936 	}
3937 	plaintext=decrypt_krb5_data_asn1(tree, actx, usage, next_tvb, &length);
3938 
3939 	if(plaintext){
3940 		tvbuff_t *child_tvb;
3941 		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
3942 
3943 		/* Add the decrypted data to the data source list. */
3944 		add_new_data_source(actx->pinfo, child_tvb, name);
3945 
3946 		offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
3947 	}
3948 	return offset;
3949 }
3950 #endif /* HAVE_KERBEROS */
3951 
3952 static int * const hf_krb_pa_supported_enctypes_fields[] = {
3953 	&hf_krb_pa_supported_enctypes_des_cbc_crc,
3954 	&hf_krb_pa_supported_enctypes_des_cbc_md5,
3955 	&hf_krb_pa_supported_enctypes_rc4_hmac,
3956 	&hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
3957 	&hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
3958 	&hf_krb_pa_supported_enctypes_fast_supported,
3959 	&hf_krb_pa_supported_enctypes_compound_identity_supported,
3960 	&hf_krb_pa_supported_enctypes_claims_supported,
3961 	&hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
3962 	NULL,
3963 };
3964 
3965 static int
3966 dissect_kerberos_PA_SUPPORTED_ENCTYPES(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
3967 				       int offset _U_, asn1_ctx_t *actx _U_,
3968 				       proto_tree *tree _U_, int hf_index _U_)
3969 {
3970 	actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
3971 						    hf_krb_pa_supported_enctypes,
3972 						    ett_krb_pa_supported_enctypes,
3973 						    hf_krb_pa_supported_enctypes_fields,
3974 						    ENC_LITTLE_ENDIAN);
3975 	offset += 4;
3976 
3977 	return offset;
3978 }
3979 
3980 static int * const hf_krb_ad_ap_options_fields[] = {
3981 	&hf_krb_ad_ap_options_cbt,
3982 	NULL,
3983 };
3984 
3985 
3986 static int
3987 dissect_kerberos_AD_AP_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
3988 			       int offset _U_, asn1_ctx_t *actx _U_,
3989 			       proto_tree *tree _U_, int hf_index _U_)
3990 {
3991 	actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
3992 						    hf_krb_ad_ap_options,
3993 						    ett_krb_ad_ap_options,
3994 						    hf_krb_ad_ap_options_fields,
3995 						    ENC_LITTLE_ENDIAN);
3996 	offset += 4;
3997 
3998 	return offset;
3999 }
4000 
4001 static int
4002 dissect_kerberos_AD_TARGET_PRINCIPAL(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
4003 				     int offset _U_, asn1_ctx_t *actx _U_,
4004 				     proto_tree *tree _U_, int hf_index _U_)
4005 {
4006 	int tp_offset, tp_len;
4007 	guint16 bc;
4008 
4009 	bc = tvb_reported_length_remaining(tvb, offset);
4010 	tp_offset = offset;
4011 	tp_len = bc;
4012 	proto_tree_add_item(tree, hf_krb_ad_target_principal, tvb,
4013 			    tp_offset, tp_len,
4014 			    ENC_UTF_16 | ENC_LITTLE_ENDIAN);
4015 
4016 	return offset;
4017 }
4018 
4019 /* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
4020  */
4021 static int
4022 dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb)
4023 {
4024 	int offset=0;
4025 	guint32 len;
4026 	guint16 dlglen;
4027 
4028 	/* Length of Bnd field */
4029 	len=tvb_get_letohl(tvb, offset);
4030 	proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4031 	offset += 4;
4032 
4033 	/* Bnd field */
4034 	proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA);
4035 	offset += len;
4036 
4037 
4038 	/* flags */
4039 	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4040 	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4041 	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4042 	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4043 	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4044 	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4045 	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4046 	offset += 4;
4047 
4048 	/* the next fields are optional so we have to check that we have
4049 	 * more data in our buffers */
4050 	if(tvb_reported_length_remaining(tvb, offset)<2){
4051 		return offset;
4052 	}
4053 	/* dlgopt identifier */
4054 	proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4055 	offset += 2;
4056 
4057 	if(tvb_reported_length_remaining(tvb, offset)<2){
4058 		return offset;
4059 	}
4060 	/* dlglen identifier */
4061 	dlglen=tvb_get_letohs(tvb, offset);
4062 	proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4063 	offset += 2;
4064 
4065 	if(dlglen!=tvb_reported_length_remaining(tvb, offset)){
4066 		proto_tree_add_expert_format(tree, actx->pinfo, &ei_krb_gssapi_dlglen, tvb, 0, 0,
4067 				"Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_captured_length_remaining(tvb, offset));
4068 		return offset;
4069 	}
4070 
4071 	/* this should now be a KRB_CRED message */
4072 	offset=dissect_kerberos_Applications(FALSE, tvb, offset, actx, tree, /* hf_index */ -1);
4073 
4074 	return offset;
4075 }
4076 
4077 static int
4078 dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
4079 {
4080 	offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
4081 
4082 	return offset;
4083 }
4084 
4085 static int
4086 dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
4087 {
4088 	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
4089 	gint length;
4090 	guint32 nt_status = 0;
4091 	guint32 reserved = 0;
4092 	guint32 flags = 0;
4093 
4094 	/*
4095 	 * Microsoft stores a special 12 byte blob here
4096 	 * [MS-KILE] 2.2.1 KERB-EXT-ERROR
4097 	 * guint32 NT_status
4098 	 * guint32 reserved (== 0)
4099 	 * guint32 flags (at least 0x00000001 is set)
4100 	 */
4101 	length = tvb_reported_length_remaining(tvb, offset);
4102 	if (length <= 0) {
4103 		return offset;
4104 	}
4105 	if (length != 12) {
4106 		goto no_error;
4107 	}
4108 
4109 	if (private_data->errorcode == 0) {
4110 		goto no_error;
4111 	}
4112 
4113 	if (!private_data->try_nt_status) {
4114 		goto no_error;
4115 	}
4116 
4117 	nt_status = tvb_get_letohl(tvb, offset);
4118 	reserved = tvb_get_letohl(tvb, offset + 4);
4119 	flags = tvb_get_letohl(tvb, offset + 8);
4120 
4121 	if (nt_status == 0 || reserved != 0 || flags == 0) {
4122 		goto no_error;
4123 	}
4124 
4125 	proto_tree_add_item(tree, hf_krb_ext_error_nt_status, tvb, offset, 4,
4126 			ENC_LITTLE_ENDIAN);
4127 	col_append_fstr(actx->pinfo->cinfo, COL_INFO,
4128 			" NT Status: %s",
4129 			val_to_str(nt_status, NT_errors,
4130 			"Unknown error code %#x"));
4131 	offset += 4;
4132 
4133 	proto_tree_add_item(tree, hf_krb_ext_error_reserved, tvb, offset, 4,
4134 			ENC_LITTLE_ENDIAN);
4135 	offset += 4;
4136 
4137 	proto_tree_add_item(tree, hf_krb_ext_error_flags, tvb, offset, 4,
4138 			ENC_LITTLE_ENDIAN);
4139 	offset += 4;
4140 
4141 	return offset;
4142 
4143  no_error:
4144 	proto_tree_add_item(tree, hf_krb_pw_salt, tvb, offset, length, ENC_NA);
4145 	offset += length;
4146 
4147 	return offset;
4148 }
4149 
4150 static int
4151 dissect_krb5_PAC_DREP(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep)
4152 {
4153 	proto_tree *tree;
4154 	guint8 val;
4155 
4156 	tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_drep, NULL, "DREP");
4157 
4158 	val = tvb_get_guint8(tvb, offset);
4159 	proto_tree_add_uint(tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, val>>4);
4160 
4161 	offset++;
4162 
4163 	if (drep) {
4164 		*drep = val;
4165 	}
4166 
4167 	return offset;
4168 }
4169 
4170 /* This might be some sort of header that MIDL generates when creating
4171  * marshalling/unmarshalling code for blobs that are not to be transported
4172  * ontop of DCERPC and where the DREP fields specifying things such as
4173  * endianess and similar are not available.
4174  */
4175 static int
4176 dissect_krb5_PAC_NDRHEADERBLOB(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep, asn1_ctx_t *actx _U_)
4177 {
4178 	proto_tree *tree;
4179 
4180 	tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_midl_blob, NULL, "MES header");
4181 
4182 	/* modified DREP field that is used for stuff that is transporetd ontop
4183 	   of non dcerpc
4184 	*/
4185 	proto_tree_add_item(tree, hf_krb_midl_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
4186 	offset++;
4187 
4188 	offset = dissect_krb5_PAC_DREP(tree, tvb, offset, drep);
4189 
4190 
4191 	proto_tree_add_item(tree, hf_krb_midl_hdr_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4192 	offset+=2;
4193 
4194 	proto_tree_add_item(tree, hf_krb_midl_fill_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4195 	offset += 4;
4196 
4197 	/* length of blob that follows */
4198 	proto_tree_add_item(tree, hf_krb_midl_blob_len, tvb, offset, 8, ENC_LITTLE_ENDIAN);
4199 	offset += 8;
4200 
4201 	return offset;
4202 }
4203 
4204 static int
4205 dissect_krb5_PAC_LOGON_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4206 {
4207 	proto_item *item;
4208 	proto_tree *tree;
4209 	guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
4210 	static dcerpc_info di;      /* fake dcerpc_info struct */
4211 	static dcerpc_call_value call_data;
4212 
4213 	item = proto_tree_add_item(parent_tree, hf_krb_pac_logon_info, tvb, offset, -1, ENC_NA);
4214 	tree = proto_item_add_subtree(item, ett_krb_pac_logon_info);
4215 
4216 	/* skip the first 16 bytes, they are some magic created by the idl
4217 	 * compiler   the first 4 bytes might be flags?
4218 	 */
4219 	offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
4220 
4221 	/* the PAC_LOGON_INFO blob */
4222 	/* fake whatever state the dcerpc runtime support needs */
4223 	di.conformant_run=0;
4224 	/* we need di->call_data->flags.NDR64 == 0 */
4225 	di.call_data=&call_data;
4226 	init_ndr_pointer_list(&di);
4227 	offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
4228 									netlogon_dissect_PAC_LOGON_INFO, NDR_POINTER_UNIQUE,
4229 									"PAC_LOGON_INFO:", -1);
4230 
4231 	return offset;
4232 }
4233 
4234 
4235 static int
4236 dissect_krb5_PAC_CREDENTIAL_DATA(proto_tree *parent_tree, tvbuff_t *tvb, int offset, packet_info *pinfo _U_)
4237 {
4238 	proto_tree_add_item(parent_tree, hf_krb_pac_credential_data, tvb, offset, -1, ENC_NA);
4239 
4240 	return offset;
4241 }
4242 
4243 static int
4244 dissect_krb5_PAC_CREDENTIAL_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
4245 {
4246 	proto_item *item;
4247 	proto_tree *tree;
4248 	guint8 *plaintext = NULL;
4249 	int plainlen = 0;
4250 	int length = 0;
4251 #define KRB5_KU_OTHER_ENCRYPTED 16
4252 #ifdef  HAVE_KERBEROS
4253 	guint32 etype;
4254 	tvbuff_t *next_tvb;
4255 	int usage = KRB5_KU_OTHER_ENCRYPTED;
4256 #endif
4257 
4258 	item = proto_tree_add_item(parent_tree, hf_krb_pac_credential_info, tvb, offset, -1, ENC_NA);
4259 	tree = proto_item_add_subtree(item, ett_krb_pac_credential_info);
4260 
4261 	/* version */
4262 	proto_tree_add_item(tree, hf_krb_pac_credential_info_version, tvb,
4263 			    offset, 4, ENC_LITTLE_ENDIAN);
4264 	offset+=4;
4265 
4266 #ifdef HAVE_KERBEROS
4267 	/* etype */
4268 	etype = tvb_get_letohl(tvb, offset);
4269 #endif
4270 	proto_tree_add_item(tree, hf_krb_pac_credential_info_etype, tvb,
4271 			    offset, 4, ENC_LITTLE_ENDIAN);
4272 	offset+=4;
4273 
4274 #ifdef HAVE_KERBEROS
4275 	/* data */
4276 	next_tvb=tvb_new_subset_remaining(tvb, offset);
4277 	length=tvb_captured_length_remaining(tvb, offset);
4278 
4279 	plaintext=decrypt_krb5_data(tree, actx->pinfo, usage, next_tvb, (int)etype, &plainlen);
4280 #endif
4281 
4282 	if (plaintext != NULL) {
4283 		tvbuff_t *child_tvb;
4284 		child_tvb = tvb_new_child_real_data(tvb, plaintext, plainlen, plainlen);
4285 
4286 		/* Add the decrypted data to the data source list. */
4287 		add_new_data_source(actx->pinfo, child_tvb, "Krb5 PAC_CREDENTIAL");
4288 
4289 		dissect_krb5_PAC_CREDENTIAL_DATA(tree, child_tvb, 0, actx->pinfo);
4290 	}
4291 
4292 	return offset + length;
4293 }
4294 
4295 static int
4296 dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
4297 {
4298 	proto_item *item;
4299 	proto_tree *tree;
4300 	guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
4301 	static dcerpc_info di;      /* fake dcerpc_info struct */
4302 	static dcerpc_call_value call_data;
4303 
4304 	item = proto_tree_add_item(parent_tree, hf_krb_pac_s4u_delegation_info, tvb, offset, -1, ENC_NA);
4305 	tree = proto_item_add_subtree(item, ett_krb_pac_s4u_delegation_info);
4306 
4307 	/* skip the first 16 bytes, they are some magic created by the idl
4308 	 * compiler   the first 4 bytes might be flags?
4309 	 */
4310 	offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
4311 
4312 
4313 	/* the S4U_DELEGATION_INFO blob. See [MS-PAC] */
4314 	/* fake whatever state the dcerpc runtime support needs */
4315 	di.conformant_run=0;
4316 	/* we need di->call_data->flags.NDR64 == 0 */
4317 	di.call_data=&call_data;
4318 	init_ndr_pointer_list(&di);
4319 	offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
4320 									netlogon_dissect_PAC_S4U_DELEGATION_INFO, NDR_POINTER_UNIQUE,
4321 									"PAC_S4U_DELEGATION_INFO:", -1);
4322 
4323 	return offset;
4324 }
4325 
4326 static int
4327 dissect_krb5_PAC_UPN_DNS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4328 {
4329 	proto_item *item;
4330 	proto_tree *tree;
4331 	guint16 dns_offset, dns_len;
4332 	guint16 upn_offset, upn_len;
4333 
4334 	item = proto_tree_add_item(parent_tree, hf_krb_pac_upn_dns_info, tvb, offset, -1, ENC_NA);
4335 	tree = proto_item_add_subtree(item, ett_krb_pac_upn_dns_info);
4336 
4337 	/* upn */
4338 	upn_len = tvb_get_letohs(tvb, offset);
4339 	proto_tree_add_item(tree, hf_krb_pac_upn_upn_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4340 	offset+=2;
4341 	upn_offset = tvb_get_letohs(tvb, offset);
4342 	proto_tree_add_item(tree, hf_krb_pac_upn_upn_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4343 	offset+=2;
4344 
4345 	/* dns */
4346 	dns_len = tvb_get_letohs(tvb, offset);
4347 	proto_tree_add_item(tree, hf_krb_pac_upn_dns_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4348 	offset+=2;
4349 	dns_offset = tvb_get_letohs(tvb, offset);
4350 	proto_tree_add_item(tree, hf_krb_pac_upn_dns_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
4351 	offset+=2;
4352 
4353 	/* flags */
4354 	proto_tree_add_item(tree, hf_krb_pac_upn_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4355 
4356 	/* upn */
4357 	proto_tree_add_item(tree, hf_krb_pac_upn_upn_name, tvb, upn_offset, upn_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
4358 
4359 	/* dns */
4360 	proto_tree_add_item(tree, hf_krb_pac_upn_dns_name, tvb, dns_offset, dns_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
4361 
4362 	return dns_offset;
4363 }
4364 
4365 static int
4366 dissect_krb5_PAC_CLIENT_CLAIMS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4367 {
4368 	int length = tvb_captured_length_remaining(tvb, offset);
4369 
4370 	if (length == 0) {
4371 		return offset;
4372 	}
4373 
4374 	proto_tree_add_item(parent_tree, hf_krb_pac_client_claims_info, tvb, offset, -1, ENC_NA);
4375 
4376 	return offset;
4377 }
4378 
4379 static int
4380 dissect_krb5_PAC_DEVICE_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4381 {
4382 	proto_item *item;
4383 	proto_tree *tree;
4384 	guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
4385 	static dcerpc_info di;      /* fake dcerpc_info struct */
4386 	static dcerpc_call_value call_data;
4387 
4388 	item = proto_tree_add_item(parent_tree, hf_krb_pac_device_info, tvb, offset, -1, ENC_NA);
4389 	tree = proto_item_add_subtree(item, ett_krb_pac_device_info);
4390 
4391 	/* skip the first 16 bytes, they are some magic created by the idl
4392 	 * compiler   the first 4 bytes might be flags?
4393 	 */
4394 	offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
4395 
4396 	/* the PAC_DEVICE_INFO blob */
4397 	/* fake whatever state the dcerpc runtime support needs */
4398 	di.conformant_run=0;
4399 	/* we need di->call_data->flags.NDR64 == 0 */
4400 	di.call_data=&call_data;
4401 	init_ndr_pointer_list(&di);
4402 	offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
4403 				     netlogon_dissect_PAC_DEVICE_INFO, NDR_POINTER_UNIQUE,
4404 				     "PAC_DEVICE_INFO:", -1);
4405 
4406 	return offset;
4407 }
4408 
4409 static int
4410 dissect_krb5_PAC_DEVICE_CLAIMS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4411 {
4412 	int length = tvb_captured_length_remaining(tvb, offset);
4413 
4414 	if (length == 0) {
4415 		return offset;
4416 	}
4417 
4418 	proto_tree_add_item(parent_tree, hf_krb_pac_device_claims_info, tvb, offset, -1, ENC_NA);
4419 
4420 	return offset;
4421 }
4422 
4423 static int
4424 dissect_krb5_PAC_SERVER_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4425 {
4426 	proto_item *item;
4427 	proto_tree *tree;
4428 
4429 	item = proto_tree_add_item(parent_tree, hf_krb_pac_server_checksum, tvb, offset, -1, ENC_NA);
4430 	tree = proto_item_add_subtree(item, ett_krb_pac_server_checksum);
4431 
4432 	/* signature type */
4433 	proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4434 	offset+=4;
4435 
4436 	/* signature data */
4437 	proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
4438 
4439 	return offset;
4440 }
4441 
4442 static int
4443 dissect_krb5_PAC_PRIVSVR_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4444 {
4445 	proto_item *item;
4446 	proto_tree *tree;
4447 
4448 	item = proto_tree_add_item(parent_tree, hf_krb_pac_privsvr_checksum, tvb, offset, -1, ENC_NA);
4449 	tree = proto_item_add_subtree(item, ett_krb_pac_privsvr_checksum);
4450 
4451 	/* signature type */
4452 	proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4453 	offset+=4;
4454 
4455 	/* signature data */
4456 	proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
4457 
4458 	return offset;
4459 }
4460 
4461 static int
4462 dissect_krb5_PAC_CLIENT_INFO_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4463 {
4464 	proto_item *item;
4465 	proto_tree *tree;
4466 	guint16 namelen;
4467 
4468 	item = proto_tree_add_item(parent_tree, hf_krb_pac_client_info_type, tvb, offset, -1, ENC_NA);
4469 	tree = proto_item_add_subtree(item, ett_krb_pac_client_info_type);
4470 
4471 	/* clientid */
4472 	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_krb_pac_clientid);
4473 
4474 	/* name length */
4475 	namelen=tvb_get_letohs(tvb, offset);
4476 	proto_tree_add_uint(tree, hf_krb_pac_namelen, tvb, offset, 2, namelen);
4477 	offset+=2;
4478 
4479 	/* client name */
4480 	proto_tree_add_item(tree, hf_krb_pac_clientname, tvb, offset, namelen, ENC_UTF_16|ENC_LITTLE_ENDIAN);
4481 	offset+=namelen;
4482 
4483 	return offset;
4484 }
4485 
4486 static int
4487 dissect_krb5_PAC_TICKET_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
4488 {
4489 	proto_item *item;
4490 	proto_tree *tree;
4491 
4492 	item = proto_tree_add_item(parent_tree, hf_krb_pac_ticket_checksum, tvb, offset, -1, ENC_NA);
4493 	tree = proto_item_add_subtree(item, ett_krb_pac_ticket_checksum);
4494 
4495 	/* signature type */
4496 	proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
4497 	offset+=4;
4498 
4499 	/* signature data */
4500 	proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
4501 
4502 	return offset;
4503 }
4504 
4505 static int
4506 dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
4507 {
4508 	guint32 pac_type;
4509 	guint32 pac_size;
4510 	guint32 pac_offset;
4511 	proto_item *it=NULL;
4512 	proto_tree *tr=NULL;
4513 	tvbuff_t *next_tvb;
4514 
4515 	/* type of pac data */
4516 	pac_type=tvb_get_letohl(tvb, offset);
4517 	it=proto_tree_add_uint(tree, hf_krb_w2k_pac_type, tvb, offset, 4, pac_type);
4518 	tr=proto_item_add_subtree(it, ett_krb_pac);
4519 
4520 	offset += 4;
4521 
4522 	/* size of pac data */
4523 	pac_size=tvb_get_letohl(tvb, offset);
4524 	proto_tree_add_uint(tr, hf_krb_w2k_pac_size, tvb, offset, 4, pac_size);
4525 	offset += 4;
4526 
4527 	/* offset to pac data */
4528 	pac_offset=tvb_get_letohl(tvb, offset);
4529 	proto_tree_add_uint(tr, hf_krb_w2k_pac_offset, tvb, offset, 4, pac_offset);
4530 	offset += 8;
4531 
4532 	next_tvb=tvb_new_subset_length_caplen(tvb, pac_offset, pac_size, pac_size);
4533 	switch(pac_type){
4534 	case PAC_LOGON_INFO:
4535 		dissect_krb5_PAC_LOGON_INFO(tr, next_tvb, 0, actx);
4536 		break;
4537 	case PAC_CREDENTIAL_TYPE:
4538 		dissect_krb5_PAC_CREDENTIAL_INFO(tr, next_tvb, 0, actx);
4539 		break;
4540 	case PAC_SERVER_CHECKSUM:
4541 		dissect_krb5_PAC_SERVER_CHECKSUM(tr, next_tvb, 0, actx);
4542 		break;
4543 	case PAC_PRIVSVR_CHECKSUM:
4544 		dissect_krb5_PAC_PRIVSVR_CHECKSUM(tr, next_tvb, 0, actx);
4545 		break;
4546 	case PAC_CLIENT_INFO_TYPE:
4547 		dissect_krb5_PAC_CLIENT_INFO_TYPE(tr, next_tvb, 0, actx);
4548 		break;
4549 	case PAC_S4U_DELEGATION_INFO:
4550 		dissect_krb5_PAC_S4U_DELEGATION_INFO(tr, next_tvb, 0, actx);
4551 		break;
4552 	case PAC_UPN_DNS_INFO:
4553 		dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx);
4554 		break;
4555 	case PAC_CLIENT_CLAIMS_INFO:
4556 		dissect_krb5_PAC_CLIENT_CLAIMS_INFO(tr, next_tvb, 0, actx);
4557 		break;
4558 	case PAC_DEVICE_INFO:
4559 		dissect_krb5_PAC_DEVICE_INFO(tr, next_tvb, 0, actx);
4560 		break;
4561 	case PAC_DEVICE_CLAIMS_INFO:
4562 		dissect_krb5_PAC_DEVICE_CLAIMS_INFO(tr, next_tvb, 0, actx);
4563 		break;
4564 	case PAC_TICKET_CHECKSUM:
4565 		dissect_krb5_PAC_TICKET_CHECKSUM(tr, next_tvb, 0, actx);
4566 		break;
4567 
4568 	default:
4569 		break;
4570 	}
4571 	return offset;
4572 }
4573 
4574 static int
4575 dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_)
4576 {
4577 	guint32 entries;
4578 	guint32 version;
4579 	guint32 i;
4580 
4581 #if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY)
4582 	verify_krb5_pac(tree, actx, tvb);
4583 #endif
4584 
4585 	/* first in the PAC structure comes the number of entries */
4586 	entries=tvb_get_letohl(tvb, offset);
4587 	proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries);
4588 	offset += 4;
4589 
4590 	/* second comes the version */
4591 	version=tvb_get_letohl(tvb, offset);
4592 	proto_tree_add_uint(tree, hf_krb_w2k_pac_version, tvb, offset, 4, version);
4593 	offset += 4;
4594 
4595 	for(i=0;i<entries;i++){
4596 		offset=dissect_krb5_AD_WIN2K_PAC_struct(tree, tvb, offset, actx);
4597 	}
4598 
4599 	return offset;
4600 }
4601 
4602 
4603 /*--- Included file: packet-kerberos-fn.c ---*/
4604 #line 1 "./asn1/kerberos/packet-kerberos-fn.c"
4605 
4606 
4607 static int
4608 dissect_kerberos_INTEGER_5(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4609   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4610                                                 NULL);
4611 
4612   return offset;
4613 }
4614 
4615 
4616 
4617 static int
4618 dissect_kerberos_KerberosString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4619   offset = dissect_ber_restricted_string(implicit_tag, BER_UNI_TAG_GeneralString,
4620                                             actx, tree, tvb, offset, hf_index,
4621                                             NULL);
4622 
4623   return offset;
4624 }
4625 
4626 
4627 
4628 static int
4629 dissect_kerberos_Realm(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4630   offset = dissect_kerberos_KerberosString(implicit_tag, tvb, offset, actx, tree, hf_index);
4631 
4632   return offset;
4633 }
4634 
4635 
4636 static const value_string kerberos_NAME_TYPE_vals[] = {
4637   {   0, "kRB5-NT-UNKNOWN" },
4638   {   1, "kRB5-NT-PRINCIPAL" },
4639   {   2, "kRB5-NT-SRV-INST" },
4640   {   3, "kRB5-NT-SRV-HST" },
4641   {   4, "kRB5-NT-SRV-XHST" },
4642   {   5, "kRB5-NT-UID" },
4643   {   6, "kRB5-NT-X500-PRINCIPAL" },
4644   {   7, "kRB5-NT-SMTP-NAME" },
4645   {  10, "kRB5-NT-ENTERPRISE-PRINCIPAL" },
4646   {  11, "kRB5-NT-WELLKNOWN" },
4647   {  12, "kRB5-NT-SRV-HST-DOMAIN" },
4648   { -130, "kRB5-NT-ENT-PRINCIPAL-AND-ID" },
4649   { -128, "kRB5-NT-MS-PRINCIPAL" },
4650   { -129, "kRB5-NT-MS-PRINCIPAL-AND-ID" },
4651   { -1200, "kRB5-NT-NTLM" },
4652   { -1201, "kRB5-NT-X509-GENERAL-NAME" },
4653   { -1202, "kRB5-NT-GSS-HOSTBASED-SERVICE" },
4654   { -1203, "kRB5-NT-CACHE-UUID" },
4655   { -195894762, "kRB5-NT-SRV-HST-NEEDS-CANON" },
4656   { 0, NULL }
4657 };
4658 
4659 
4660 static int
4661 dissect_kerberos_NAME_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4662   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4663                                                 NULL);
4664 
4665   return offset;
4666 }
4667 
4668 
4669 
4670 static int
4671 dissect_kerberos_SNameString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4672   offset = dissect_ber_restricted_string(implicit_tag, BER_UNI_TAG_GeneralString,
4673                                             actx, tree, tvb, offset, hf_index,
4674                                             NULL);
4675 
4676   return offset;
4677 }
4678 
4679 
4680 static const ber_sequence_t SEQUENCE_OF_SNameString_sequence_of[1] = {
4681   { &hf_kerberos_sname_string_item, BER_CLASS_UNI, BER_UNI_TAG_GeneralString, BER_FLAGS_NOOWNTAG, dissect_kerberos_SNameString },
4682 };
4683 
4684 static int
4685 dissect_kerberos_SEQUENCE_OF_SNameString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4686   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
4687                                       SEQUENCE_OF_SNameString_sequence_of, hf_index, ett_kerberos_SEQUENCE_OF_SNameString);
4688 
4689   return offset;
4690 }
4691 
4692 
4693 static const ber_sequence_t SName_sequence[] = {
4694   { &hf_kerberos_name_type  , BER_CLASS_CON, 0, 0, dissect_kerberos_NAME_TYPE },
4695   { &hf_kerberos_sname_string, BER_CLASS_CON, 1, 0, dissect_kerberos_SEQUENCE_OF_SNameString },
4696   { NULL, 0, 0, 0, NULL }
4697 };
4698 
4699 static int
4700 dissect_kerberos_SName(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4701   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
4702                                    SName_sequence, hf_index, ett_kerberos_SName);
4703 
4704   return offset;
4705 }
4706 
4707 
4708 static const value_string kerberos_ENCTYPE_vals[] = {
4709   {   0, "eTYPE-NULL" },
4710   {   1, "eTYPE-DES-CBC-CRC" },
4711   {   2, "eTYPE-DES-CBC-MD4" },
4712   {   3, "eTYPE-DES-CBC-MD5" },
4713   {   5, "eTYPE-DES3-CBC-MD5" },
4714   {   7, "eTYPE-OLD-DES3-CBC-SHA1" },
4715   {   8, "eTYPE-SIGN-DSA-GENERATE" },
4716   {   9, "eTYPE-DSA-SHA1" },
4717   {  10, "eTYPE-RSA-MD5" },
4718   {  11, "eTYPE-RSA-SHA1" },
4719   {  12, "eTYPE-RC2-CBC" },
4720   {  13, "eTYPE-RSA" },
4721   {  14, "eTYPE-RSAES-OAEP" },
4722   {  15, "eTYPE-DES-EDE3-CBC" },
4723   {  16, "eTYPE-DES3-CBC-SHA1" },
4724   {  17, "eTYPE-AES128-CTS-HMAC-SHA1-96" },
4725   {  18, "eTYPE-AES256-CTS-HMAC-SHA1-96" },
4726   {  19, "eTYPE-AES128-CTS-HMAC-SHA256-128" },
4727   {  20, "eTYPE-AES256-CTS-HMAC-SHA384-192" },
4728   {  23, "eTYPE-ARCFOUR-HMAC-MD5" },
4729   {  24, "eTYPE-ARCFOUR-HMAC-MD5-56" },
4730   {  25, "eTYPE-CAMELLIA128-CTS-CMAC" },
4731   {  26, "eTYPE-CAMELLIA256-CTS-CMAC" },
4732   {  48, "eTYPE-ENCTYPE-PK-CROSS" },
4733   { -128, "eTYPE-ARCFOUR-MD4" },
4734   { -133, "eTYPE-ARCFOUR-HMAC-OLD" },
4735   { -135, "eTYPE-ARCFOUR-HMAC-OLD-EXP" },
4736   { -4096, "eTYPE-DES-CBC-NONE" },
4737   { -4097, "eTYPE-DES3-CBC-NONE" },
4738   { -4098, "eTYPE-DES-CFB64-NONE" },
4739   { -4099, "eTYPE-DES-PCBC-NONE" },
4740   { -4100, "eTYPE-DIGEST-MD5-NONE" },
4741   { -4101, "eTYPE-CRAM-MD5-NONE" },
4742   { 0, NULL }
4743 };
4744 
4745 
4746 static int
4747 dissect_kerberos_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4748 #line 323 "./asn1/kerberos/kerberos.cnf"
4749   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
4750   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4751                                                 &(private_data->etype));
4752 
4753 
4754 
4755 
4756   return offset;
4757 }
4758 
4759 
4760 
4761 static int
4762 dissect_kerberos_UInt32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4763   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4764                                                 NULL);
4765 
4766   return offset;
4767 }
4768 
4769 
4770 
4771 static int
4772 dissect_kerberos_T_encryptedTicketData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4773 #line 327 "./asn1/kerberos/kerberos.cnf"
4774 #ifdef HAVE_KERBEROS
4775   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data);
4776 #else
4777   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
4778                                        NULL);
4779 
4780 #endif
4781 
4782 
4783 
4784   return offset;
4785 }
4786 
4787 
4788 static const ber_sequence_t EncryptedTicketData_sequence[] = {
4789   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
4790   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
4791   { &hf_kerberos_encryptedTicketData_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedTicketData_cipher },
4792   { NULL, 0, 0, 0, NULL }
4793 };
4794 
4795 static int
4796 dissect_kerberos_EncryptedTicketData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4797   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
4798                                    EncryptedTicketData_sequence, hf_index, ett_kerberos_EncryptedTicketData);
4799 
4800   return offset;
4801 }
4802 
4803 
4804 static const ber_sequence_t Ticket_U_sequence[] = {
4805   { &hf_kerberos_tkt_vno    , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
4806   { &hf_kerberos_realm      , BER_CLASS_CON, 1, 0, dissect_kerberos_Realm },
4807   { &hf_kerberos_sname      , BER_CLASS_CON, 2, 0, dissect_kerberos_SName },
4808   { &hf_kerberos_ticket_enc_part, BER_CLASS_CON, 3, 0, dissect_kerberos_EncryptedTicketData },
4809   { NULL, 0, 0, 0, NULL }
4810 };
4811 
4812 static int
4813 dissect_kerberos_Ticket_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4814   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
4815                                    Ticket_U_sequence, hf_index, ett_kerberos_Ticket_U);
4816 
4817   return offset;
4818 }
4819 
4820 
4821 
4822 static int
4823 dissect_kerberos_Ticket(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4824   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
4825                                       hf_index, BER_CLASS_APP, 1, FALSE, dissect_kerberos_Ticket_U);
4826 
4827   return offset;
4828 }
4829 
4830 
4831 
4832 static int
4833 dissect_kerberos_CNameString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4834   offset = dissect_ber_restricted_string(implicit_tag, BER_UNI_TAG_GeneralString,
4835                                             actx, tree, tvb, offset, hf_index,
4836                                             NULL);
4837 
4838   return offset;
4839 }
4840 
4841 
4842 static const ber_sequence_t SEQUENCE_OF_CNameString_sequence_of[1] = {
4843   { &hf_kerberos_cname_string_item, BER_CLASS_UNI, BER_UNI_TAG_GeneralString, BER_FLAGS_NOOWNTAG, dissect_kerberos_CNameString },
4844 };
4845 
4846 static int
4847 dissect_kerberos_SEQUENCE_OF_CNameString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4848   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
4849                                       SEQUENCE_OF_CNameString_sequence_of, hf_index, ett_kerberos_SEQUENCE_OF_CNameString);
4850 
4851   return offset;
4852 }
4853 
4854 
4855 static const ber_sequence_t CName_sequence[] = {
4856   { &hf_kerberos_name_type  , BER_CLASS_CON, 0, 0, dissect_kerberos_NAME_TYPE },
4857   { &hf_kerberos_cname_string, BER_CLASS_CON, 1, 0, dissect_kerberos_SEQUENCE_OF_CNameString },
4858   { NULL, 0, 0, 0, NULL }
4859 };
4860 
4861 static int
4862 dissect_kerberos_CName(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4863   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
4864                                    CName_sequence, hf_index, ett_kerberos_CName);
4865 
4866   return offset;
4867 }
4868 
4869 
4870 static const value_string kerberos_CKSUMTYPE_vals[] = {
4871   {   0, "cKSUMTYPE-NONE" },
4872   {   1, "cKSUMTYPE-CRC32" },
4873   {   2, "cKSUMTYPE-RSA-MD4" },
4874   {   3, "cKSUMTYPE-RSA-MD4-DES" },
4875   {   4, "cKSUMTYPE-DES-MAC" },
4876   {   5, "cKSUMTYPE-DES-MAC-K" },
4877   {   6, "cKSUMTYPE-RSA-MD4-DES-K" },
4878   {   7, "cKSUMTYPE-RSA-MD5" },
4879   {   8, "cKSUMTYPE-RSA-MD5-DES" },
4880   {   9, "cKSUMTYPE-RSA-MD5-DES3" },
4881   {  10, "cKSUMTYPE-SHA1-OTHER" },
4882   {  12, "cKSUMTYPE-HMAC-SHA1-DES3-KD" },
4883   {  13, "cKSUMTYPE-HMAC-SHA1-DES3" },
4884   {  14, "cKSUMTYPE-SHA1" },
4885   {  15, "cKSUMTYPE-HMAC-SHA1-96-AES-128" },
4886   {  16, "cKSUMTYPE-HMAC-SHA1-96-AES-256" },
4887   {  17, "cKSUMTYPE-CMAC-CAMELLIA128" },
4888   {  18, "cKSUMTYPE-CMAC-CAMELLIA256" },
4889   {  19, "cKSUMTYPE-HMAC-SHA256-128-AES128" },
4890   {  20, "cKSUMTYPE-HMAC-SHA384-192-AES256" },
4891   { 32771, "cKSUMTYPE-GSSAPI" },
4892   { -138, "cKSUMTYPE-HMAC-MD5" },
4893   { -1138, "cKSUMTYPE-HMAC-MD5-ENC" },
4894   { 0, NULL }
4895 };
4896 
4897 
4898 static int
4899 dissect_kerberos_CKSUMTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4900 #line 383 "./asn1/kerberos/kerberos.cnf"
4901   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
4902   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4903                                                 &(private_data->checksum_type));
4904 
4905 
4906 
4907 
4908   return offset;
4909 }
4910 
4911 
4912 
4913 static int
4914 dissect_kerberos_T_checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4915 #line 387 "./asn1/kerberos/kerberos.cnf"
4916   tvbuff_t *next_tvb;
4917   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
4918 
4919   switch(private_data->checksum_type){
4920   case KRB5_CHKSUM_GSSAPI:
4921     offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &next_tvb);
4922     dissect_krb5_rfc1964_checksum(actx, tree, next_tvb);
4923     break;
4924   default:
4925     offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, NULL);
4926     break;
4927   }
4928 
4929 
4930 
4931   return offset;
4932 }
4933 
4934 
4935 static const ber_sequence_t Checksum_sequence[] = {
4936   { &hf_kerberos_cksumtype  , BER_CLASS_CON, 0, 0, dissect_kerberos_CKSUMTYPE },
4937   { &hf_kerberos_checksum   , BER_CLASS_CON, 1, 0, dissect_kerberos_T_checksum },
4938   { NULL, 0, 0, 0, NULL }
4939 };
4940 
4941 static int
4942 dissect_kerberos_Checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4943   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
4944                                    Checksum_sequence, hf_index, ett_kerberos_Checksum);
4945 
4946   return offset;
4947 }
4948 
4949 
4950 
4951 static int
4952 dissect_kerberos_Microseconds(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4953   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4954                                                 NULL);
4955 
4956   return offset;
4957 }
4958 
4959 
4960 
4961 static int
4962 dissect_kerberos_KerberosTime(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4963   offset = dissect_ber_GeneralizedTime(implicit_tag, actx, tree, tvb, offset, hf_index);
4964 
4965   return offset;
4966 }
4967 
4968 
4969 
4970 static int
4971 dissect_kerberos_Int32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4972   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4973                                                 NULL);
4974 
4975   return offset;
4976 }
4977 
4978 
4979 
4980 static int
4981 dissect_kerberos_T_keytype(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
4982 #line 401 "./asn1/kerberos/kerberos.cnf"
4983   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
4984 
4985   private_data->key_hidden_item = proto_tree_add_item(tree, hf_krb_key_hidden_item,
4986                                                       tvb, 0, 0, ENC_NA);
4987   if (private_data->key_hidden_item != NULL) {
4988     proto_item_set_hidden(private_data->key_hidden_item);
4989   }
4990 
4991   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
4992                   &gbl_keytype);
4993   private_data->key.keytype = gbl_keytype;
4994 
4995 
4996 
4997   return offset;
4998 }
4999 
5000 
5001 
5002 static int
5003 dissect_kerberos_T_keyvalue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5004 #line 414 "./asn1/kerberos/kerberos.cnf"
5005   tvbuff_t *out_tvb;
5006   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5007 
5008   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
5009                                        &out_tvb);
5010 
5011 
5012   private_data->key.keylength = tvb_reported_length(out_tvb);
5013   private_data->key.keyvalue = tvb_get_ptr(out_tvb, 0, private_data->key.keylength);
5014   private_data->key_tree = tree;
5015   private_data->key_tvb = out_tvb;
5016 
5017 
5018 
5019   return offset;
5020 }
5021 
5022 
5023 static const ber_sequence_t EncryptionKey_sequence[] = {
5024   { &hf_kerberos_keytype    , BER_CLASS_CON, 0, 0, dissect_kerberos_T_keytype },
5025   { &hf_kerberos_keyvalue   , BER_CLASS_CON, 1, 0, dissect_kerberos_T_keyvalue },
5026   { NULL, 0, 0, 0, NULL }
5027 };
5028 
5029 static int
5030 dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5031 #line 425 "./asn1/kerberos/kerberos.cnf"
5032   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5033 #ifdef HAVE_KERBEROS
5034   int start_offset = offset;
5035 #endif
5036 
5037     offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5038                                    EncryptionKey_sequence, hf_index, ett_kerberos_EncryptionKey);
5039 
5040 
5041   if (private_data->key.keytype != 0 && private_data->key.keylength > 0) {
5042 #ifdef HAVE_KERBEROS
5043     int length = offset - start_offset;
5044     private_data->last_added_key = NULL;
5045     private_data->save_encryption_key_fn(tvb, start_offset, length, actx, tree,
5046                                          private_data->save_encryption_key_parent_hf_index,
5047                                          hf_index);
5048     private_data->last_added_key = NULL;
5049 #endif
5050   }
5051 
5052 
5053 
5054   return offset;
5055 }
5056 
5057 
5058 
5059 static int
5060 dissect_kerberos_T_authenticator_subkey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5061 #line 444 "./asn1/kerberos/kerberos.cnf"
5062   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5063   gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
5064   kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
5065   private_data->save_encryption_key_parent_hf_index = hf_kerberos_authenticator;
5066 #ifdef HAVE_KERBEROS
5067   private_data->save_encryption_key_fn = save_Authenticator_subkey;
5068 #endif
5069   offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
5070 
5071   private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
5072   private_data->save_encryption_key_fn = saved_encryption_key_fn;
5073 
5074 
5075 
5076   return offset;
5077 }
5078 
5079 
5080 static const value_string kerberos_AUTHDATA_TYPE_vals[] = {
5081   { KERBEROS_AD_IF_RELEVANT, "aD-IF-RELEVANT" },
5082   { KERBEROS_AD_INTENDED_FOR_SERVER, "aD-INTENDED-FOR-SERVER" },
5083   { KERBEROS_AD_INTENDED_FOR_APPLICATION_CLASS, "aD-INTENDED-FOR-APPLICATION-CLASS" },
5084   { KERBEROS_AD_KDC_ISSUED, "aD-KDC-ISSUED" },
5085   { KERBEROS_AD_AND_OR, "aD-AND-OR" },
5086   { KERBEROS_AD_MANDATORY_TICKET_EXTENSIONS, "aD-MANDATORY-TICKET-EXTENSIONS" },
5087   { KERBEROS_AD_IN_TICKET_EXTENSIONS, "aD-IN-TICKET-EXTENSIONS" },
5088   { KERBEROS_AD_MANDATORY_FOR_KDC, "aD-MANDATORY-FOR-KDC" },
5089   { KERBEROS_AD_INITIAL_VERIFIED_CAS, "aD-INITIAL-VERIFIED-CAS" },
5090   { KERBEROS_AD_OSF_DCE, "aD-OSF-DCE" },
5091   { KERBEROS_AD_SESAME, "aD-SESAME" },
5092   { KERBEROS_AD_OSF_DCE_PKI_CERTID, "aD-OSF-DCE-PKI-CERTID" },
5093   { KERBEROS_AD_AUTHENTICATION_STRENGTH, "aD-authentication-strength" },
5094   { KERBEROS_AD_FX_FAST_ARMOR, "aD-fx-fast-armor" },
5095   { KERBEROS_AD_FX_FAST_USED, "aD-fx-fast-used" },
5096   { KERBEROS_AD_WIN2K_PAC, "aD-WIN2K-PAC" },
5097   { KERBEROS_AD_GSS_API_ETYPE_NEGOTIATION, "aD-GSS-API-ETYPE-NEGOTIATION" },
5098   { KERBEROS_AD_TOKEN_RESTRICTIONS, "aD-TOKEN-RESTRICTIONS" },
5099   { KERBEROS_AD_LOCAL, "aD-LOCAL" },
5100   { KERBEROS_AD_AP_OPTIONS, "aD-AP-OPTIONS" },
5101   { KERBEROS_AD_TARGET_PRINCIPAL, "aD-TARGET-PRINCIPAL" },
5102   { KERBEROS_AD_SIGNTICKET_OLDER, "aD-SIGNTICKET-OLDER" },
5103   { KERBEROS_AD_SIGNTICKET, "aD-SIGNTICKET" },
5104   { 0, NULL }
5105 };
5106 
5107 
5108 static int
5109 dissect_kerberos_AUTHDATA_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5110 #line 525 "./asn1/kerberos/kerberos.cnf"
5111   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5112   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
5113                                                 &(private_data->ad_type));
5114 
5115 
5116 
5117 
5118   return offset;
5119 }
5120 
5121 
5122 
5123 static int
5124 dissect_kerberos_T_ad_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5125 #line 529 "./asn1/kerberos/kerberos.cnf"
5126   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5127 
5128   switch(private_data->ad_type){
5129   case KERBEROS_AD_WIN2K_PAC:
5130     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_krb5_AD_WIN2K_PAC);
5131     break;
5132   case KERBEROS_AD_IF_RELEVANT:
5133     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_IF_RELEVANT);
5134     break;
5135   case KERBEROS_AD_AUTHENTICATION_STRENGTH:
5136     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM);
5137     break;
5138   case KERBEROS_AD_GSS_API_ETYPE_NEGOTIATION:
5139     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_SEQUENCE_OF_ENCTYPE);
5140     break;
5141   case KERBEROS_AD_TOKEN_RESTRICTIONS:
5142     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_KERB_AD_RESTRICTION_ENTRY);
5143     break;
5144   case KERBEROS_AD_AP_OPTIONS:
5145     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_AP_OPTIONS);
5146     break;
5147   case KERBEROS_AD_TARGET_PRINCIPAL:
5148     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_TARGET_PRINCIPAL);
5149     break;
5150   default:
5151     offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
5152     break;
5153   }
5154 
5155 
5156 
5157   return offset;
5158 }
5159 
5160 
5161 static const ber_sequence_t AuthorizationData_item_sequence[] = {
5162   { &hf_kerberos_ad_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_AUTHDATA_TYPE },
5163   { &hf_kerberos_ad_data    , BER_CLASS_CON, 1, 0, dissect_kerberos_T_ad_data },
5164   { NULL, 0, 0, 0, NULL }
5165 };
5166 
5167 static int
5168 dissect_kerberos_AuthorizationData_item(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5169   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5170                                    AuthorizationData_item_sequence, hf_index, ett_kerberos_AuthorizationData_item);
5171 
5172   return offset;
5173 }
5174 
5175 
5176 static const ber_sequence_t AuthorizationData_sequence_of[1] = {
5177   { &hf_kerberos_AuthorizationData_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_AuthorizationData_item },
5178 };
5179 
5180 static int
5181 dissect_kerberos_AuthorizationData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5182   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
5183                                       AuthorizationData_sequence_of, hf_index, ett_kerberos_AuthorizationData);
5184 
5185   return offset;
5186 }
5187 
5188 
5189 static const ber_sequence_t Authenticator_U_sequence[] = {
5190   { &hf_kerberos_authenticator_vno, BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
5191   { &hf_kerberos_crealm     , BER_CLASS_CON, 1, 0, dissect_kerberos_Realm },
5192   { &hf_kerberos_cname      , BER_CLASS_CON, 2, 0, dissect_kerberos_CName },
5193   { &hf_kerberos_cksum      , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_Checksum },
5194   { &hf_kerberos_cusec      , BER_CLASS_CON, 4, 0, dissect_kerberos_Microseconds },
5195   { &hf_kerberos_ctime      , BER_CLASS_CON, 5, 0, dissect_kerberos_KerberosTime },
5196   { &hf_kerberos_authenticator_subkey, BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL, dissect_kerberos_T_authenticator_subkey },
5197   { &hf_kerberos_seq_number , BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
5198   { &hf_kerberos_authorization_data, BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL, dissect_kerberos_AuthorizationData },
5199   { NULL, 0, 0, 0, NULL }
5200 };
5201 
5202 static int
5203 dissect_kerberos_Authenticator_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5204   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5205                                    Authenticator_U_sequence, hf_index, ett_kerberos_Authenticator_U);
5206 
5207   return offset;
5208 }
5209 
5210 
5211 
5212 static int
5213 dissect_kerberos_Authenticator(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5214   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
5215                                       hf_index, BER_CLASS_APP, 2, FALSE, dissect_kerberos_Authenticator_U);
5216 
5217   return offset;
5218 }
5219 
5220 
5221 static int * const TicketFlags_bits[] = {
5222   &hf_kerberos_TicketFlags_reserved,
5223   &hf_kerberos_TicketFlags_forwardable,
5224   &hf_kerberos_TicketFlags_forwarded,
5225   &hf_kerberos_TicketFlags_proxiable,
5226   &hf_kerberos_TicketFlags_proxy,
5227   &hf_kerberos_TicketFlags_may_postdate,
5228   &hf_kerberos_TicketFlags_postdated,
5229   &hf_kerberos_TicketFlags_invalid,
5230   &hf_kerberos_TicketFlags_renewable,
5231   &hf_kerberos_TicketFlags_initial,
5232   &hf_kerberos_TicketFlags_pre_authent,
5233   &hf_kerberos_TicketFlags_hw_authent,
5234   &hf_kerberos_TicketFlags_transited_policy_checked,
5235   &hf_kerberos_TicketFlags_ok_as_delegate,
5236   &hf_kerberos_TicketFlags_unused,
5237   &hf_kerberos_TicketFlags_enc_pa_rep,
5238   &hf_kerberos_TicketFlags_anonymous,
5239   NULL
5240 };
5241 
5242 static int
5243 dissect_kerberos_TicketFlags(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5244   offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
5245                                     TicketFlags_bits, 17, hf_index, ett_kerberos_TicketFlags,
5246                                     NULL);
5247 
5248   return offset;
5249 }
5250 
5251 
5252 
5253 static int
5254 dissect_kerberos_T_encTicketPart_key(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5255 #line 489 "./asn1/kerberos/kerberos.cnf"
5256   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5257   gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
5258   kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
5259   private_data->save_encryption_key_parent_hf_index = hf_kerberos_encTicketPart;
5260 #ifdef HAVE_KERBEROS
5261   private_data->save_encryption_key_fn = save_EncTicketPart_key;
5262 #endif
5263   offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
5264 
5265   private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
5266   private_data->save_encryption_key_fn = saved_encryption_key_fn;
5267 
5268 
5269 
5270   return offset;
5271 }
5272 
5273 
5274 
5275 static int
5276 dissect_kerberos_OCTET_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5277   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
5278                                        NULL);
5279 
5280   return offset;
5281 }
5282 
5283 
5284 static const ber_sequence_t TransitedEncoding_sequence[] = {
5285   { &hf_kerberos_tr_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_Int32 },
5286   { &hf_kerberos_contents   , BER_CLASS_CON, 1, 0, dissect_kerberos_OCTET_STRING },
5287   { NULL, 0, 0, 0, NULL }
5288 };
5289 
5290 static int
5291 dissect_kerberos_TransitedEncoding(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5292   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5293                                    TransitedEncoding_sequence, hf_index, ett_kerberos_TransitedEncoding);
5294 
5295   return offset;
5296 }
5297 
5298 
5299 static const value_string kerberos_ADDR_TYPE_vals[] = {
5300   { KERBEROS_ADDR_TYPE_IPV4, "iPv4" },
5301   { KERBEROS_ADDR_TYPE_CHAOS, "cHAOS" },
5302   { KERBEROS_ADDR_TYPE_XEROX, "xEROX" },
5303   { KERBEROS_ADDR_TYPE_ISO, "iSO" },
5304   { KERBEROS_ADDR_TYPE_DECNET, "dECNET" },
5305   { KERBEROS_ADDR_TYPE_APPLETALK, "aPPLETALK" },
5306   { KERBEROS_ADDR_TYPE_NETBIOS, "nETBIOS" },
5307   { KERBEROS_ADDR_TYPE_IPV6, "iPv6" },
5308   { 0, NULL }
5309 };
5310 
5311 
5312 static int
5313 dissect_kerberos_ADDR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5314 #line 562 "./asn1/kerberos/kerberos.cnf"
5315   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5316   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
5317                                                 &(private_data->addr_type));
5318 
5319 
5320 
5321 
5322   return offset;
5323 }
5324 
5325 
5326 
5327 static int
5328 dissect_kerberos_T_address(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5329 #line 272 "./asn1/kerberos/kerberos.cnf"
5330   gint8 appclass;
5331   gboolean pc;
5332   gint32 tag;
5333   guint32 len;
5334   const char *address_str;
5335   proto_item *it=NULL;
5336   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5337 
5338   /* read header and len for the octet string */
5339   offset=dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &appclass, &pc, &tag);
5340   offset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL);
5341 
5342   switch(private_data->addr_type){
5343   case KERBEROS_ADDR_TYPE_IPV4:
5344     it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
5345     address_str = tvb_ip_to_str(actx->pinfo->pool, tvb, offset);
5346     break;
5347   case KERBEROS_ADDR_TYPE_NETBIOS:
5348     {
5349     char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
5350     int netbios_name_type;
5351     int netbios_name_len = (NETBIOS_NAME_LEN - 1)*4 + 1;
5352 
5353     netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name, netbios_name_len);
5354     address_str = wmem_strdup_printf(actx->pinfo->pool, "%s<%02x>", netbios_name, netbios_name_type);
5355     it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type));
5356     }
5357     break;
5358   case KERBEROS_ADDR_TYPE_IPV6:
5359     it=proto_tree_add_item(tree, hf_krb_address_ipv6, tvb, offset, INET6_ADDRLEN, ENC_NA);
5360     address_str = tvb_ip6_to_str(actx->pinfo->pool, tvb, offset);
5361     break;
5362   default:
5363     proto_tree_add_expert(tree, actx->pinfo, &ei_kerberos_address, tvb, offset, len);
5364     address_str = NULL;
5365     break;
5366   }
5367 
5368   /* push it up two levels in the decode pane */
5369   if(it && address_str){
5370     proto_item_append_text(proto_item_get_parent(it), " %s",address_str);
5371     proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str);
5372   }
5373 
5374   offset+=len;
5375 
5376 
5377 
5378 
5379   return offset;
5380 }
5381 
5382 
5383 static const ber_sequence_t HostAddress_sequence[] = {
5384   { &hf_kerberos_addr_type  , BER_CLASS_CON, 0, 0, dissect_kerberos_ADDR_TYPE },
5385   { &hf_kerberos_address    , BER_CLASS_CON, 1, 0, dissect_kerberos_T_address },
5386   { NULL, 0, 0, 0, NULL }
5387 };
5388 
5389 static int
5390 dissect_kerberos_HostAddress(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5391   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5392                                    HostAddress_sequence, hf_index, ett_kerberos_HostAddress);
5393 
5394   return offset;
5395 }
5396 
5397 
5398 static const ber_sequence_t HostAddresses_sequence_of[1] = {
5399   { &hf_kerberos_HostAddresses_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_HostAddress },
5400 };
5401 
5402 static int
5403 dissect_kerberos_HostAddresses(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5404   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
5405                                       HostAddresses_sequence_of, hf_index, ett_kerberos_HostAddresses);
5406 
5407   return offset;
5408 }
5409 
5410 
5411 static const ber_sequence_t EncTicketPart_U_sequence[] = {
5412   { &hf_kerberos_flags      , BER_CLASS_CON, 0, 0, dissect_kerberos_TicketFlags },
5413   { &hf_kerberos_encTicketPart_key, BER_CLASS_CON, 1, 0, dissect_kerberos_T_encTicketPart_key },
5414   { &hf_kerberos_crealm     , BER_CLASS_CON, 2, 0, dissect_kerberos_Realm },
5415   { &hf_kerberos_cname      , BER_CLASS_CON, 3, 0, dissect_kerberos_CName },
5416   { &hf_kerberos_transited  , BER_CLASS_CON, 4, 0, dissect_kerberos_TransitedEncoding },
5417   { &hf_kerberos_authtime   , BER_CLASS_CON, 5, 0, dissect_kerberos_KerberosTime },
5418   { &hf_kerberos_starttime  , BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
5419   { &hf_kerberos_endtime    , BER_CLASS_CON, 7, 0, dissect_kerberos_KerberosTime },
5420   { &hf_kerberos_renew_till , BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
5421   { &hf_kerberos_caddr      , BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddresses },
5422   { &hf_kerberos_authorization_data, BER_CLASS_CON, 10, BER_FLAGS_OPTIONAL, dissect_kerberos_AuthorizationData },
5423   { NULL, 0, 0, 0, NULL }
5424 };
5425 
5426 static int
5427 dissect_kerberos_EncTicketPart_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5428   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5429                                    EncTicketPart_U_sequence, hf_index, ett_kerberos_EncTicketPart_U);
5430 
5431   return offset;
5432 }
5433 
5434 
5435 
5436 static int
5437 dissect_kerberos_EncTicketPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5438   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
5439                                       hf_index, BER_CLASS_APP, 3, FALSE, dissect_kerberos_EncTicketPart_U);
5440 
5441   return offset;
5442 }
5443 
5444 
5445 static const value_string kerberos_MESSAGE_TYPE_vals[] = {
5446   {  10, "krb-as-req" },
5447   {  11, "krb-as-rep" },
5448   {  12, "krb-tgs-req" },
5449   {  13, "krb-tgs-rep" },
5450   {  14, "krb-ap-req" },
5451   {  15, "krb-ap-rep" },
5452   {  16, "krb-tgt-req" },
5453   {  17, "krb-tgt-rep" },
5454   {  20, "krb-safe" },
5455   {  21, "krb-priv" },
5456   {  22, "krb-cred" },
5457   {  30, "krb-error" },
5458   { 0, NULL }
5459 };
5460 
5461 
5462 static int
5463 dissect_kerberos_MESSAGE_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5464 #line 100 "./asn1/kerberos/kerberos.cnf"
5465   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
5466   guint32 msgtype;
5467 
5468   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
5469                                                 &msgtype);
5470 
5471 
5472 
5473 
5474 #line 106 "./asn1/kerberos/kerberos.cnf"
5475   if (gbl_do_col_info) {
5476     col_add_str(actx->pinfo->cinfo, COL_INFO,
5477       val_to_str(msgtype, krb5_msg_types,
5478       "Unknown msg type %#x"));
5479   }
5480   gbl_do_col_info=FALSE;
5481 
5482 #if 0
5483   /* append the application type to the tree */
5484   proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
5485 #endif
5486   if (private_data->msg_type == 0) {
5487     private_data->msg_type = msgtype;
5488   }
5489 
5490 
5491   return offset;
5492 }
5493 
5494 
5495 static const value_string kerberos_PADATA_TYPE_vals[] = {
5496   { KERBEROS_PA_NONE, "pA-NONE" },
5497   { KERBEROS_PA_TGS_REQ, "pA-TGS-REQ" },
5498   { KERBEROS_PA_ENC_TIMESTAMP, "pA-ENC-TIMESTAMP" },
5499   { KERBEROS_PA_PW_SALT, "pA-PW-SALT" },
5500   { KERBEROS_PA_ENC_UNIX_TIME, "pA-ENC-UNIX-TIME" },
5501   { KERBEROS_PA_SANDIA_SECUREID, "pA-SANDIA-SECUREID" },
5502   { KERBEROS_PA_SESAME, "pA-SESAME" },
5503   { KERBEROS_PA_OSF_DCE, "pA-OSF-DCE" },
5504   { KERBEROS_PA_CYBERSAFE_SECUREID, "pA-CYBERSAFE-SECUREID" },
5505   { KERBEROS_PA_AFS3_SALT, "pA-AFS3-SALT" },
5506   { KERBEROS_PA_ETYPE_INFO, "pA-ETYPE-INFO" },
5507   { KERBEROS_PA_SAM_CHALLENGE, "pA-SAM-CHALLENGE" },
5508   { KERBEROS_PA_SAM_RESPONSE, "pA-SAM-RESPONSE" },
5509   { KERBEROS_PA_PK_AS_REQ_19, "pA-PK-AS-REQ-19" },
5510   { KERBEROS_PA_PK_AS_REP_19, "pA-PK-AS-REP-19" },
5511   { KERBEROS_PA_PK_AS_REQ, "pA-PK-AS-REQ" },
5512   { KERBEROS_PA_PK_AS_REP, "pA-PK-AS-REP" },
5513   { KERBEROS_PA_PK_OCSP_RESPONSE, "pA-PK-OCSP-RESPONSE" },
5514   { KERBEROS_PA_ETYPE_INFO2, "pA-ETYPE-INFO2" },
5515   { KERBEROS_PA_USE_SPECIFIED_KVNO, "pA-USE-SPECIFIED-KVNO" },
5516   { KERBEROS_PA_SAM_REDIRECT, "pA-SAM-REDIRECT" },
5517   { KERBEROS_PA_GET_FROM_TYPED_DATA, "pA-GET-FROM-TYPED-DATA" },
5518   { KERBEROS_TD_PADATA, "tD-PADATA" },
5519   { KERBEROS_PA_SAM_ETYPE_INFO, "pA-SAM-ETYPE-INFO" },
5520   { KERBEROS_PA_ALT_PRINC, "pA-ALT-PRINC" },
5521   { KERBEROS_PA_SERVER_REFERRAL, "pA-SERVER-REFERRAL" },
5522   { KERBEROS_PA_SAM_CHALLENGE2, "pA-SAM-CHALLENGE2" },
5523   { KERBEROS_PA_SAM_RESPONSE2, "pA-SAM-RESPONSE2" },
5524   { KERBEROS_PA_EXTRA_TGT, "pA-EXTRA-TGT" },
5525   { KERBEROS_TD_PKINIT_CMS_CERTIFICATES, "tD-PKINIT-CMS-CERTIFICATES" },
5526   { KERBEROS_TD_KRB_PRINCIPAL, "tD-KRB-PRINCIPAL" },
5527   { KERBEROS_TD_KRB_REALM, "tD-KRB-REALM" },
5528   { KERBEROS_TD_TRUSTED_CERTIFIERS, "tD-TRUSTED-CERTIFIERS" },
5529   { KERBEROS_TD_CERTIFICATE_INDEX, "tD-CERTIFICATE-INDEX" },
5530   { KERBEROS_TD_APP_DEFINED_ERROR, "tD-APP-DEFINED-ERROR" },
5531   { KERBEROS_TD_REQ_NONCE, "tD-REQ-NONCE" },
5532   { KERBEROS_TD_REQ_SEQ, "tD-REQ-SEQ" },
5533   { KERBEROS_TD_DH_PARAMETERS, "tD-DH-PARAMETERS" },
5534   { KERBEROS_TD_CMS_DIGEST_ALGORITHMS, "tD-CMS-DIGEST-ALGORITHMS" },
5535   { KERBEROS_TD_CERT_DIGEST_ALGORITHMS, "tD-CERT-DIGEST-ALGORITHMS" },
5536   { KERBEROS_PA_PAC_REQUEST, "pA-PAC-REQUEST" },
5537   { KERBEROS_PA_FOR_USER, "pA-FOR-USER" },
5538   { KERBEROS_PA_FOR_X509_USER, "pA-FOR-X509-USER" },
5539   { KERBEROS_PA_FOR_CHECK_DUPS, "pA-FOR-CHECK-DUPS" },
5540   { KERBEROS_PA_PK_AS_09_BINDING, "pA-PK-AS-09-BINDING" },
5541   { KERBEROS_PA_FX_COOKIE, "pA-FX-COOKIE" },
5542   { KERBEROS_PA_AUTHENTICATION_SET, "pA-AUTHENTICATION-SET" },
5543   { KERBEROS_PA_AUTH_SET_SELECTED, "pA-AUTH-SET-SELECTED" },
5544   { KERBEROS_PA_FX_FAST, "pA-FX-FAST" },
5545   { KERBEROS_PA_FX_ERROR, "pA-FX-ERROR" },
5546   { KERBEROS_PA_ENCRYPTED_CHALLENGE, "pA-ENCRYPTED-CHALLENGE" },
5547   { KERBEROS_PA_OTP_CHALLENGE, "pA-OTP-CHALLENGE" },
5548   { KERBEROS_PA_OTP_REQUEST, "pA-OTP-REQUEST" },
5549   { KERBEROS_PA_OTP_CONFIRM, "pA-OTP-CONFIRM" },
5550   { KERBEROS_PA_OTP_PIN_CHANGE, "pA-OTP-PIN-CHANGE" },
5551   { KERBEROS_PA_EPAK_AS_REQ, "pA-EPAK-AS-REQ" },
5552   { KERBEROS_PA_EPAK_AS_REP, "pA-EPAK-AS-REP" },
5553   { KERBEROS_PA_PKINIT_KX, "pA-PKINIT-KX" },
5554   { KERBEROS_PA_PKU2U_NAME, "pA-PKU2U-NAME" },
5555   { KERBEROS_PA_REQ_ENC_PA_REP, "pA-REQ-ENC-PA-REP" },
5556   { KERBEROS_PA_SPAKE, "pA-SPAKE" },
5557   { KERBEROS_PA_KERB_KEY_LIST_REQ, "pA-KERB-KEY-LIST-REQ" },
5558   { KERBEROS_PA_KERB_KEY_LIST_REP, "pA-KERB-KEY-LIST-REP" },
5559   { KERBEROS_PA_SUPPORTED_ETYPES, "pA-SUPPORTED-ETYPES" },
5560   { KERBEROS_PA_EXTENDED_ERROR, "pA-EXTENDED-ERROR" },
5561   { KERBEROS_PA_PAC_OPTIONS, "pA-PAC-OPTIONS" },
5562   { KERBEROS_PA_PROV_SRV_LOCATION, "pA-PROV-SRV-LOCATION" },
5563   { 0, NULL }
5564 };
5565 
5566 
5567 static int
5568 dissect_kerberos_PADATA_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5569 #line 165 "./asn1/kerberos/kerberos.cnf"
5570   kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
5571   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
5572                                                 &(private_data->padata_type));
5573 
5574 
5575 
5576 #line 168 "./asn1/kerberos/kerberos.cnf"
5577   if(tree){
5578     proto_item_append_text(tree, " %s",
5579       val_to_str(private_data->padata_type, kerberos_PADATA_TYPE_vals,
5580       "Unknown:%d"));
5581   }
5582 
5583 
5584   return offset;
5585 }
5586 
5587 
5588 
5589 static int
5590 dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5591 #line 175 "./asn1/kerberos/kerberos.cnf"
5592   proto_tree *sub_tree=tree;
5593   kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
5594 
5595   if(actx->created_item){
5596     sub_tree=proto_item_add_subtree(actx->created_item, ett_kerberos_PA_DATA);
5597   }
5598 
5599   switch(private_data->padata_type){
5600   case KERBEROS_PA_TGS_REQ:
5601     private_data->within_PA_TGS_REQ++;
5602     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
5603     private_data->within_PA_TGS_REQ--;
5604     break;
5605   case KERBEROS_PA_PK_AS_REP_19:
5606     private_data->is_win2k_pkinit = TRUE;
5607     if (kerberos_private_is_kdc_req(private_data)) {
5608       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REQ_Win2k);
5609     } else {
5610       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REP_Win2k);
5611     }
5612     break;
5613   case KERBEROS_PA_PK_AS_REQ:
5614     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
5615     break;
5616   case KERBEROS_PA_PK_AS_REP:
5617     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
5618     break;
5619   case KERBEROS_PA_PAC_REQUEST:
5620     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_PAC_REQUEST);
5621     break;
5622   case KERBEROS_PA_FOR_USER: /* S4U2SELF */
5623     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
5624     break;
5625   case KERBEROS_PA_FOR_X509_USER:
5626     if(private_data->msg_type == KRB5_MSG_AS_REQ){
5627       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_x509af_Certificate);
5628     }else if(private_data->is_enc_padata){
5629       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
5630     }else{
5631       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER);
5632     }
5633     break;
5634   case KERBEROS_PA_PROV_SRV_LOCATION:
5635     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
5636     break;
5637   case KERBEROS_PA_ENC_TIMESTAMP:
5638     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
5639     break;
5640   case KERBEROS_PA_ETYPE_INFO:
5641     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
5642     break;
5643   case KERBEROS_PA_ETYPE_INFO2:
5644     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
5645     break;
5646   case KERBEROS_PA_PW_SALT:
5647     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
5648     break;
5649   case KERBEROS_PA_AUTH_SET_SELECTED:
5650     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM);
5651     break;
5652   case KERBEROS_PA_FX_FAST:
5653     if (kerberos_private_is_kdc_req(private_data)) {
5654       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST);
5655     }else{
5656       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY);
5657     }
5658     break;
5659   case KERBEROS_PA_FX_ERROR:
5660     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
5661     break;
5662   case KERBEROS_PA_ENCRYPTED_CHALLENGE:
5663     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge);
5664     break;
5665   case KERBEROS_PA_KERB_KEY_LIST_REQ:
5666     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset, hf_index, dissect_kerberos_PA_KERB_KEY_LIST_REQ);
5667     break;
5668   case KERBEROS_PA_KERB_KEY_LIST_REP:
5669     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset, hf_index, dissect_kerberos_PA_KERB_KEY_LIST_REP);
5670     break;
5671   case KERBEROS_PA_SUPPORTED_ETYPES:
5672     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_SUPPORTED_ENCTYPES);
5673     break;
5674   case KERBEROS_PA_PAC_OPTIONS:
5675     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset, hf_index, dissect_kerberos_PA_PAC_OPTIONS);
5676     break;
5677   case KERBEROS_PA_REQ_ENC_PA_REP:
5678     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Checksum);
5679     break;
5680   case KERBEROS_PA_SPAKE:
5681     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_SPAKE);
5682     break;
5683   default:
5684     offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
5685     break;
5686   }
5687 
5688 
5689 
5690   return offset;
5691 }
5692 
5693 
5694 static const ber_sequence_t PA_DATA_sequence[] = {
5695   { &hf_kerberos_padata_type, BER_CLASS_CON, 1, 0, dissect_kerberos_PADATA_TYPE },
5696   { &hf_kerberos_padata_value, BER_CLASS_CON, 2, 0, dissect_kerberos_T_padata_value },
5697   { NULL, 0, 0, 0, NULL }
5698 };
5699 
5700 static int
5701 dissect_kerberos_PA_DATA(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5702   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5703                                    PA_DATA_sequence, hf_index, ett_kerberos_PA_DATA);
5704 
5705   return offset;
5706 }
5707 
5708 
5709 static const ber_sequence_t SEQUENCE_OF_PA_DATA_sequence_of[1] = {
5710   { &hf_kerberos_padata_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_PA_DATA },
5711 };
5712 
5713 static int
5714 dissect_kerberos_SEQUENCE_OF_PA_DATA(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5715   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
5716                                       SEQUENCE_OF_PA_DATA_sequence_of, hf_index, ett_kerberos_SEQUENCE_OF_PA_DATA);
5717 
5718   return offset;
5719 }
5720 
5721 
5722 static int * const KDCOptions_bits[] = {
5723   &hf_kerberos_KDCOptions_reserved,
5724   &hf_kerberos_KDCOptions_forwardable,
5725   &hf_kerberos_KDCOptions_forwarded,
5726   &hf_kerberos_KDCOptions_proxiable,
5727   &hf_kerberos_KDCOptions_proxy,
5728   &hf_kerberos_KDCOptions_allow_postdate,
5729   &hf_kerberos_KDCOptions_postdated,
5730   &hf_kerberos_KDCOptions_unused7,
5731   &hf_kerberos_KDCOptions_renewable,
5732   &hf_kerberos_KDCOptions_unused9,
5733   &hf_kerberos_KDCOptions_unused10,
5734   &hf_kerberos_KDCOptions_opt_hardware_auth,
5735   &hf_kerberos_KDCOptions_unused12,
5736   &hf_kerberos_KDCOptions_unused13,
5737   &hf_kerberos_KDCOptions_constrained_delegation,
5738   &hf_kerberos_KDCOptions_canonicalize,
5739   &hf_kerberos_KDCOptions_request_anonymous,
5740   &hf_kerberos_KDCOptions_unused17,
5741   &hf_kerberos_KDCOptions_unused18,
5742   &hf_kerberos_KDCOptions_unused19,
5743   &hf_kerberos_KDCOptions_unused20,
5744   &hf_kerberos_KDCOptions_unused21,
5745   &hf_kerberos_KDCOptions_unused22,
5746   &hf_kerberos_KDCOptions_unused23,
5747   &hf_kerberos_KDCOptions_unused24,
5748   &hf_kerberos_KDCOptions_unused25,
5749   &hf_kerberos_KDCOptions_disable_transited_check,
5750   &hf_kerberos_KDCOptions_renewable_ok,
5751   &hf_kerberos_KDCOptions_enc_tkt_in_skey,
5752   &hf_kerberos_KDCOptions_unused29,
5753   &hf_kerberos_KDCOptions_renew,
5754   &hf_kerberos_KDCOptions_validate,
5755   NULL
5756 };
5757 
5758 static int
5759 dissect_kerberos_KDCOptions(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5760   offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
5761                                     KDCOptions_bits, 32, hf_index, ett_kerberos_KDCOptions,
5762                                     NULL);
5763 
5764   return offset;
5765 }
5766 
5767 
5768 static const ber_sequence_t SEQUENCE_OF_ENCTYPE_sequence_of[1] = {
5769   { &hf_kerberos_kDC_REQ_BODY_etype_item, BER_CLASS_UNI, BER_UNI_TAG_INTEGER, BER_FLAGS_NOOWNTAG, dissect_kerberos_ENCTYPE },
5770 };
5771 
5772 static int
5773 dissect_kerberos_SEQUENCE_OF_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5774   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
5775                                       SEQUENCE_OF_ENCTYPE_sequence_of, hf_index, ett_kerberos_SEQUENCE_OF_ENCTYPE);
5776 
5777   return offset;
5778 }
5779 
5780 
5781 
5782 static int
5783 dissect_kerberos_T_encryptedAuthorizationData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5784 #line 334 "./asn1/kerberos/kerberos.cnf"
5785 #ifdef HAVE_KERBEROS
5786   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authorization_data);
5787 #else
5788   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
5789                                        NULL);
5790 
5791 #endif
5792 
5793 
5794 
5795   return offset;
5796 }
5797 
5798 
5799 static const ber_sequence_t EncryptedAuthorizationData_sequence[] = {
5800   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
5801   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
5802   { &hf_kerberos_encryptedAuthorizationData_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedAuthorizationData_cipher },
5803   { NULL, 0, 0, 0, NULL }
5804 };
5805 
5806 static int
5807 dissect_kerberos_EncryptedAuthorizationData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5808   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5809                                    EncryptedAuthorizationData_sequence, hf_index, ett_kerberos_EncryptedAuthorizationData);
5810 
5811   return offset;
5812 }
5813 
5814 
5815 static const ber_sequence_t SEQUENCE_OF_Ticket_sequence_of[1] = {
5816   { &hf_kerberos_additional_tickets_item, BER_CLASS_APP, 1, BER_FLAGS_NOOWNTAG, dissect_kerberos_Ticket },
5817 };
5818 
5819 static int
5820 dissect_kerberos_SEQUENCE_OF_Ticket(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5821   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
5822                                       SEQUENCE_OF_Ticket_sequence_of, hf_index, ett_kerberos_SEQUENCE_OF_Ticket);
5823 
5824   return offset;
5825 }
5826 
5827 
5828 static const ber_sequence_t KDC_REQ_BODY_sequence[] = {
5829   { &hf_kerberos_kdc_options, BER_CLASS_CON, 0, 0, dissect_kerberos_KDCOptions },
5830   { &hf_kerberos_cname      , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_CName },
5831   { &hf_kerberos_realm      , BER_CLASS_CON, 2, 0, dissect_kerberos_Realm },
5832   { &hf_kerberos_sname      , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_SName },
5833   { &hf_kerberos_from       , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
5834   { &hf_kerberos_till       , BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
5835   { &hf_kerberos_rtime      , BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
5836   { &hf_kerberos_nonce      , BER_CLASS_CON, 7, 0, dissect_kerberos_UInt32 },
5837   { &hf_kerberos_kDC_REQ_BODY_etype, BER_CLASS_CON, 8, 0, dissect_kerberos_SEQUENCE_OF_ENCTYPE },
5838   { &hf_kerberos_addresses  , BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddresses },
5839   { &hf_kerberos_enc_authorization_data, BER_CLASS_CON, 10, BER_FLAGS_OPTIONAL, dissect_kerberos_EncryptedAuthorizationData },
5840   { &hf_kerberos_additional_tickets, BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL, dissect_kerberos_SEQUENCE_OF_Ticket },
5841   { NULL, 0, 0, 0, NULL }
5842 };
5843 
5844 static int
5845 dissect_kerberos_KDC_REQ_BODY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5846 #line 566 "./asn1/kerberos/kerberos.cnf"
5847   conversation_t *conversation;
5848 
5849   /*
5850    * UDP replies to KDC_REQs are sent from the server back to the client's
5851    * source port, similar to the way TFTP works.  Set up a conversation
5852    * accordingly.
5853    *
5854    * Ref: Section 7.2.1 of
5855    * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
5856    */
5857   if (actx->pinfo->destport == UDP_PORT_KERBEROS && actx->pinfo->ptype == PT_UDP) {
5858     conversation = find_conversation(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, ENDPOINT_UDP,
5859                       actx->pinfo->srcport, 0, NO_PORT_B);
5860     if (conversation == NULL) {
5861       conversation = conversation_new(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, ENDPOINT_UDP,
5862                       actx->pinfo->srcport, 0, NO_PORT2);
5863       conversation_set_dissector(conversation, kerberos_handle_udp);
5864     }
5865   }
5866 
5867     offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5868                                    KDC_REQ_BODY_sequence, hf_index, ett_kerberos_KDC_REQ_BODY);
5869 
5870 
5871 
5872 
5873   return offset;
5874 }
5875 
5876 
5877 static const ber_sequence_t KDC_REQ_sequence[] = {
5878   { &hf_kerberos_pvno       , BER_CLASS_CON, 1, 0, dissect_kerberos_INTEGER_5 },
5879   { &hf_kerberos_msg_type   , BER_CLASS_CON, 2, 0, dissect_kerberos_MESSAGE_TYPE },
5880   { &hf_kerberos_padata     , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_SEQUENCE_OF_PA_DATA },
5881   { &hf_kerberos_req_body   , BER_CLASS_CON, 4, 0, dissect_kerberos_KDC_REQ_BODY },
5882   { NULL, 0, 0, 0, NULL }
5883 };
5884 
5885 static int
5886 dissect_kerberos_KDC_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5887   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5888                                    KDC_REQ_sequence, hf_index, ett_kerberos_KDC_REQ);
5889 
5890   return offset;
5891 }
5892 
5893 
5894 
5895 static int
5896 dissect_kerberos_AS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5897   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
5898                                       hf_index, BER_CLASS_APP, 10, FALSE, dissect_kerberos_KDC_REQ);
5899 
5900   return offset;
5901 }
5902 
5903 
5904 
5905 static int
5906 dissect_kerberos_T_encryptedKDCREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5907 #line 348 "./asn1/kerberos/kerberos.cnf"
5908 #ifdef HAVE_KERBEROS
5909   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data);
5910 #else
5911   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
5912                                        NULL);
5913 
5914 #endif
5915 
5916 
5917 
5918   return offset;
5919 }
5920 
5921 
5922 static const ber_sequence_t EncryptedKDCREPData_sequence[] = {
5923   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
5924   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
5925   { &hf_kerberos_encryptedKDCREPData_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedKDCREPData_cipher },
5926   { NULL, 0, 0, 0, NULL }
5927 };
5928 
5929 static int
5930 dissect_kerberos_EncryptedKDCREPData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5931   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5932                                    EncryptedKDCREPData_sequence, hf_index, ett_kerberos_EncryptedKDCREPData);
5933 
5934   return offset;
5935 }
5936 
5937 
5938 static const ber_sequence_t KDC_REP_sequence[] = {
5939   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
5940   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
5941   { &hf_kerberos_padata     , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_SEQUENCE_OF_PA_DATA },
5942   { &hf_kerberos_crealm     , BER_CLASS_CON, 3, 0, dissect_kerberos_Realm },
5943   { &hf_kerberos_cname      , BER_CLASS_CON, 4, 0, dissect_kerberos_CName },
5944   { &hf_kerberos_ticket     , BER_CLASS_CON, 5, 0, dissect_kerberos_Ticket },
5945   { &hf_kerberos_kDC_REP_enc_part, BER_CLASS_CON, 6, 0, dissect_kerberos_EncryptedKDCREPData },
5946   { NULL, 0, 0, 0, NULL }
5947 };
5948 
5949 static int
5950 dissect_kerberos_KDC_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5951   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
5952                                    KDC_REP_sequence, hf_index, ett_kerberos_KDC_REP);
5953 
5954   return offset;
5955 }
5956 
5957 
5958 
5959 static int
5960 dissect_kerberos_AS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5961   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
5962                                       hf_index, BER_CLASS_APP, 11, FALSE, dissect_kerberos_KDC_REP);
5963 
5964   return offset;
5965 }
5966 
5967 
5968 
5969 static int
5970 dissect_kerberos_TGS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5971   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
5972                                       hf_index, BER_CLASS_APP, 12, FALSE, dissect_kerberos_KDC_REQ);
5973 
5974   return offset;
5975 }
5976 
5977 
5978 
5979 static int
5980 dissect_kerberos_TGS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5981   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
5982                                       hf_index, BER_CLASS_APP, 13, FALSE, dissect_kerberos_KDC_REP);
5983 
5984   return offset;
5985 }
5986 
5987 
5988 static int * const APOptions_bits[] = {
5989   &hf_kerberos_APOptions_reserved,
5990   &hf_kerberos_APOptions_use_session_key,
5991   &hf_kerberos_APOptions_mutual_required,
5992   NULL
5993 };
5994 
5995 static int
5996 dissect_kerberos_APOptions(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
5997   offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
5998                                     APOptions_bits, 3, hf_index, ett_kerberos_APOptions,
5999                                     NULL);
6000 
6001   return offset;
6002 }
6003 
6004 
6005 
6006 static int
6007 dissect_kerberos_T_encryptedAuthenticator_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6008 #line 341 "./asn1/kerberos/kerberos.cnf"
6009 #ifdef HAVE_KERBEROS
6010   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data);
6011 #else
6012   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
6013                                        NULL);
6014 
6015 #endif
6016 
6017 
6018 
6019   return offset;
6020 }
6021 
6022 
6023 static const ber_sequence_t EncryptedAuthenticator_sequence[] = {
6024   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
6025   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6026   { &hf_kerberos_encryptedAuthenticator_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedAuthenticator_cipher },
6027   { NULL, 0, 0, 0, NULL }
6028 };
6029 
6030 static int
6031 dissect_kerberos_EncryptedAuthenticator(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6032   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6033                                    EncryptedAuthenticator_sequence, hf_index, ett_kerberos_EncryptedAuthenticator);
6034 
6035   return offset;
6036 }
6037 
6038 
6039 static const ber_sequence_t AP_REQ_U_sequence[] = {
6040   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
6041   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
6042   { &hf_kerberos_ap_options , BER_CLASS_CON, 2, 0, dissect_kerberos_APOptions },
6043   { &hf_kerberos_ticket     , BER_CLASS_CON, 3, 0, dissect_kerberos_Ticket },
6044   { &hf_kerberos_authenticator_enc_part, BER_CLASS_CON, 4, 0, dissect_kerberos_EncryptedAuthenticator },
6045   { NULL, 0, 0, 0, NULL }
6046 };
6047 
6048 static int
6049 dissect_kerberos_AP_REQ_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6050   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6051                                    AP_REQ_U_sequence, hf_index, ett_kerberos_AP_REQ_U);
6052 
6053   return offset;
6054 }
6055 
6056 
6057 
6058 static int
6059 dissect_kerberos_AP_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6060   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6061                                       hf_index, BER_CLASS_APP, 14, FALSE, dissect_kerberos_AP_REQ_U);
6062 
6063   return offset;
6064 }
6065 
6066 
6067 
6068 static int
6069 dissect_kerberos_T_encryptedAPREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6070 #line 362 "./asn1/kerberos/kerberos.cnf"
6071 #ifdef HAVE_KERBEROS
6072   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data);
6073 #else
6074   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
6075                                        NULL);
6076 
6077 #endif
6078 
6079 
6080 
6081   return offset;
6082 }
6083 
6084 
6085 static const ber_sequence_t EncryptedAPREPData_sequence[] = {
6086   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
6087   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6088   { &hf_kerberos_encryptedAPREPData_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedAPREPData_cipher },
6089   { NULL, 0, 0, 0, NULL }
6090 };
6091 
6092 static int
6093 dissect_kerberos_EncryptedAPREPData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6094   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6095                                    EncryptedAPREPData_sequence, hf_index, ett_kerberos_EncryptedAPREPData);
6096 
6097   return offset;
6098 }
6099 
6100 
6101 static const ber_sequence_t AP_REP_U_sequence[] = {
6102   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
6103   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
6104   { &hf_kerberos_aP_REP_enc_part, BER_CLASS_CON, 2, 0, dissect_kerberos_EncryptedAPREPData },
6105   { NULL, 0, 0, 0, NULL }
6106 };
6107 
6108 static int
6109 dissect_kerberos_AP_REP_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6110   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6111                                    AP_REP_U_sequence, hf_index, ett_kerberos_AP_REP_U);
6112 
6113   return offset;
6114 }
6115 
6116 
6117 
6118 static int
6119 dissect_kerberos_AP_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6120   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6121                                       hf_index, BER_CLASS_APP, 15, FALSE, dissect_kerberos_AP_REP_U);
6122 
6123   return offset;
6124 }
6125 
6126 
6127 
6128 static int
6129 dissect_kerberos_T_kRB_SAFE_BODY_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6130 #line 589 "./asn1/kerberos/kerberos.cnf"
6131   kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
6132   tvbuff_t *new_tvb;
6133   offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
6134   if (new_tvb) {
6135     call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA, private_data->callbacks);
6136   }
6137 
6138 
6139 
6140   return offset;
6141 }
6142 
6143 
6144 static const ber_sequence_t KRB_SAFE_BODY_sequence[] = {
6145   { &hf_kerberos_kRB_SAFE_BODY_user_data, BER_CLASS_CON, 0, 0, dissect_kerberos_T_kRB_SAFE_BODY_user_data },
6146   { &hf_kerberos_timestamp  , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6147   { &hf_kerberos_usec       , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_Microseconds },
6148   { &hf_kerberos_seq_number , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6149   { &hf_kerberos_s_address  , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddress },
6150   { &hf_kerberos_r_address  , BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddress },
6151   { NULL, 0, 0, 0, NULL }
6152 };
6153 
6154 static int
6155 dissect_kerberos_KRB_SAFE_BODY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6156   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6157                                    KRB_SAFE_BODY_sequence, hf_index, ett_kerberos_KRB_SAFE_BODY);
6158 
6159   return offset;
6160 }
6161 
6162 
6163 static const ber_sequence_t KRB_SAFE_U_sequence[] = {
6164   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
6165   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
6166   { &hf_kerberos_safe_body  , BER_CLASS_CON, 2, 0, dissect_kerberos_KRB_SAFE_BODY },
6167   { &hf_kerberos_cksum      , BER_CLASS_CON, 3, 0, dissect_kerberos_Checksum },
6168   { NULL, 0, 0, 0, NULL }
6169 };
6170 
6171 static int
6172 dissect_kerberos_KRB_SAFE_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6173   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6174                                    KRB_SAFE_U_sequence, hf_index, ett_kerberos_KRB_SAFE_U);
6175 
6176   return offset;
6177 }
6178 
6179 
6180 
6181 static int
6182 dissect_kerberos_KRB_SAFE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6183   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6184                                       hf_index, BER_CLASS_APP, 20, FALSE, dissect_kerberos_KRB_SAFE_U);
6185 
6186   return offset;
6187 }
6188 
6189 
6190 
6191 static int
6192 dissect_kerberos_T_encryptedKrbPrivData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6193 #line 369 "./asn1/kerberos/kerberos.cnf"
6194 #ifdef HAVE_KERBEROS
6195   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data);
6196 #else
6197   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
6198                                        NULL);
6199 
6200 #endif
6201 
6202 
6203 
6204   return offset;
6205 }
6206 
6207 
6208 static const ber_sequence_t EncryptedKrbPrivData_sequence[] = {
6209   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
6210   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6211   { &hf_kerberos_encryptedKrbPrivData_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedKrbPrivData_cipher },
6212   { NULL, 0, 0, 0, NULL }
6213 };
6214 
6215 static int
6216 dissect_kerberos_EncryptedKrbPrivData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6217   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6218                                    EncryptedKrbPrivData_sequence, hf_index, ett_kerberos_EncryptedKrbPrivData);
6219 
6220   return offset;
6221 }
6222 
6223 
6224 static const ber_sequence_t KRB_PRIV_U_sequence[] = {
6225   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
6226   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
6227   { &hf_kerberos_kRB_PRIV_enc_part, BER_CLASS_CON, 3, 0, dissect_kerberos_EncryptedKrbPrivData },
6228   { NULL, 0, 0, 0, NULL }
6229 };
6230 
6231 static int
6232 dissect_kerberos_KRB_PRIV_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6233   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6234                                    KRB_PRIV_U_sequence, hf_index, ett_kerberos_KRB_PRIV_U);
6235 
6236   return offset;
6237 }
6238 
6239 
6240 
6241 static int
6242 dissect_kerberos_KRB_PRIV(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6243   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6244                                       hf_index, BER_CLASS_APP, 21, FALSE, dissect_kerberos_KRB_PRIV_U);
6245 
6246   return offset;
6247 }
6248 
6249 
6250 
6251 static int
6252 dissect_kerberos_T_encryptedKrbCredData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6253 #line 376 "./asn1/kerberos/kerberos.cnf"
6254 #ifdef HAVE_KERBEROS
6255   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data);
6256 #else
6257   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
6258                                        NULL);
6259 
6260 #endif
6261 
6262 
6263 
6264   return offset;
6265 }
6266 
6267 
6268 static const ber_sequence_t EncryptedKrbCredData_sequence[] = {
6269   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
6270   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6271   { &hf_kerberos_encryptedKrbCredData_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedKrbCredData_cipher },
6272   { NULL, 0, 0, 0, NULL }
6273 };
6274 
6275 static int
6276 dissect_kerberos_EncryptedKrbCredData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6277   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6278                                    EncryptedKrbCredData_sequence, hf_index, ett_kerberos_EncryptedKrbCredData);
6279 
6280   return offset;
6281 }
6282 
6283 
6284 static const ber_sequence_t KRB_CRED_U_sequence[] = {
6285   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
6286   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
6287   { &hf_kerberos_tickets    , BER_CLASS_CON, 2, 0, dissect_kerberos_SEQUENCE_OF_Ticket },
6288   { &hf_kerberos_kRB_CRED_enc_part, BER_CLASS_CON, 3, 0, dissect_kerberos_EncryptedKrbCredData },
6289   { NULL, 0, 0, 0, NULL }
6290 };
6291 
6292 static int
6293 dissect_kerberos_KRB_CRED_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6294   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6295                                    KRB_CRED_U_sequence, hf_index, ett_kerberos_KRB_CRED_U);
6296 
6297   return offset;
6298 }
6299 
6300 
6301 
6302 static int
6303 dissect_kerberos_KRB_CRED(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6304   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6305                                       hf_index, BER_CLASS_APP, 22, FALSE, dissect_kerberos_KRB_CRED_U);
6306 
6307   return offset;
6308 }
6309 
6310 
6311 
6312 static int
6313 dissect_kerberos_T_encKDCRepPart_key(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6314 #line 468 "./asn1/kerberos/kerberos.cnf"
6315   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
6316   gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
6317   kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
6318   switch (private_data->msg_type) {
6319   case KERBEROS_APPLICATIONS_AS_REP:
6320     private_data->save_encryption_key_parent_hf_index = hf_kerberos_encASRepPart;
6321     break;
6322   case KERBEROS_APPLICATIONS_TGS_REP:
6323     private_data->save_encryption_key_parent_hf_index = hf_kerberos_encTGSRepPart;
6324     break;
6325   default:
6326     private_data->save_encryption_key_parent_hf_index = -1;
6327   }
6328 #ifdef HAVE_KERBEROS
6329   private_data->save_encryption_key_fn = save_EncKDCRepPart_key;
6330 #endif
6331   offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
6332 
6333   private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
6334   private_data->save_encryption_key_fn = saved_encryption_key_fn;
6335 
6336 
6337 
6338   return offset;
6339 }
6340 
6341 
6342 static const value_string kerberos_LR_TYPE_vals[] = {
6343   {   0, "lR-NONE" },
6344   {   1, "lR-INITIAL-TGT" },
6345   {   2, "lR-INITIAL" },
6346   {   3, "lR-ISSUE-USE-TGT" },
6347   {   4, "lR-RENEWAL" },
6348   {   5, "lR-REQUEST" },
6349   {   6, "lR-PW-EXPTIME" },
6350   {   7, "lR-ACCT-EXPTIME" },
6351   { 0, NULL }
6352 };
6353 
6354 
6355 static int
6356 dissect_kerberos_LR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6357   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
6358                                                 NULL);
6359 
6360   return offset;
6361 }
6362 
6363 
6364 static const ber_sequence_t LastReq_item_sequence[] = {
6365   { &hf_kerberos_lr_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_LR_TYPE },
6366   { &hf_kerberos_lr_value   , BER_CLASS_CON, 1, 0, dissect_kerberos_KerberosTime },
6367   { NULL, 0, 0, 0, NULL }
6368 };
6369 
6370 static int
6371 dissect_kerberos_LastReq_item(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6372   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6373                                    LastReq_item_sequence, hf_index, ett_kerberos_LastReq_item);
6374 
6375   return offset;
6376 }
6377 
6378 
6379 static const ber_sequence_t LastReq_sequence_of[1] = {
6380   { &hf_kerberos_LastReq_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_LastReq_item },
6381 };
6382 
6383 static int
6384 dissect_kerberos_LastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6385   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
6386                                       LastReq_sequence_of, hf_index, ett_kerberos_LastReq);
6387 
6388   return offset;
6389 }
6390 
6391 
6392 static const ber_sequence_t METHOD_DATA_sequence_of[1] = {
6393   { &hf_kerberos_METHOD_DATA_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_PA_DATA },
6394 };
6395 
6396 static int
6397 dissect_kerberos_METHOD_DATA(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6398   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
6399                                       METHOD_DATA_sequence_of, hf_index, ett_kerberos_METHOD_DATA);
6400 
6401   return offset;
6402 }
6403 
6404 
6405 
6406 static int
6407 dissect_kerberos_T_encrypted_pa_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6408 #line 605 "./asn1/kerberos/kerberos.cnf"
6409   kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
6410   private_data->is_enc_padata = TRUE;
6411 
6412 
6413   offset = dissect_kerberos_METHOD_DATA(implicit_tag, tvb, offset, actx, tree, hf_index);
6414 
6415 #line 609 "./asn1/kerberos/kerberos.cnf"
6416   private_data->is_enc_padata = FALSE;
6417 
6418 
6419   return offset;
6420 }
6421 
6422 
6423 static const ber_sequence_t EncKDCRepPart_sequence[] = {
6424   { &hf_kerberos_encKDCRepPart_key, BER_CLASS_CON, 0, 0, dissect_kerberos_T_encKDCRepPart_key },
6425   { &hf_kerberos_last_req   , BER_CLASS_CON, 1, 0, dissect_kerberos_LastReq },
6426   { &hf_kerberos_nonce      , BER_CLASS_CON, 2, 0, dissect_kerberos_UInt32 },
6427   { &hf_kerberos_key_expiration, BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6428   { &hf_kerberos_flags      , BER_CLASS_CON, 4, 0, dissect_kerberos_TicketFlags },
6429   { &hf_kerberos_authtime   , BER_CLASS_CON, 5, 0, dissect_kerberos_KerberosTime },
6430   { &hf_kerberos_starttime  , BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6431   { &hf_kerberos_endtime    , BER_CLASS_CON, 7, 0, dissect_kerberos_KerberosTime },
6432   { &hf_kerberos_renew_till , BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6433   { &hf_kerberos_srealm     , BER_CLASS_CON, 9, 0, dissect_kerberos_Realm },
6434   { &hf_kerberos_sname      , BER_CLASS_CON, 10, 0, dissect_kerberos_SName },
6435   { &hf_kerberos_caddr      , BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddresses },
6436   { &hf_kerberos_encrypted_pa_data, BER_CLASS_CON, 12, BER_FLAGS_OPTIONAL, dissect_kerberos_T_encrypted_pa_data },
6437   { NULL, 0, 0, 0, NULL }
6438 };
6439 
6440 static int
6441 dissect_kerberos_EncKDCRepPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6442   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6443                                    EncKDCRepPart_sequence, hf_index, ett_kerberos_EncKDCRepPart);
6444 
6445   return offset;
6446 }
6447 
6448 
6449 
6450 static int
6451 dissect_kerberos_EncASRepPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6452   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6453                                       hf_index, BER_CLASS_APP, 25, FALSE, dissect_kerberos_EncKDCRepPart);
6454 
6455   return offset;
6456 }
6457 
6458 
6459 
6460 static int
6461 dissect_kerberos_EncTGSRepPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6462   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6463                                       hf_index, BER_CLASS_APP, 26, FALSE, dissect_kerberos_EncKDCRepPart);
6464 
6465   return offset;
6466 }
6467 
6468 
6469 
6470 static int
6471 dissect_kerberos_T_encAPRepPart_subkey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6472 #line 456 "./asn1/kerberos/kerberos.cnf"
6473   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
6474   gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
6475   kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
6476   private_data->save_encryption_key_parent_hf_index = hf_kerberos_encAPRepPart;
6477 #ifdef HAVE_KERBEROS
6478   private_data->save_encryption_key_fn = save_EncAPRepPart_subkey;
6479 #endif
6480   offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
6481 
6482   private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
6483   private_data->save_encryption_key_fn = saved_encryption_key_fn;
6484 
6485 
6486 
6487   return offset;
6488 }
6489 
6490 
6491 static const ber_sequence_t EncAPRepPart_U_sequence[] = {
6492   { &hf_kerberos_ctime      , BER_CLASS_CON, 0, 0, dissect_kerberos_KerberosTime },
6493   { &hf_kerberos_cusec      , BER_CLASS_CON, 1, 0, dissect_kerberos_Microseconds },
6494   { &hf_kerberos_encAPRepPart_subkey, BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_T_encAPRepPart_subkey },
6495   { &hf_kerberos_seq_number , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6496   { NULL, 0, 0, 0, NULL }
6497 };
6498 
6499 static int
6500 dissect_kerberos_EncAPRepPart_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6501   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6502                                    EncAPRepPart_U_sequence, hf_index, ett_kerberos_EncAPRepPart_U);
6503 
6504   return offset;
6505 }
6506 
6507 
6508 
6509 static int
6510 dissect_kerberos_EncAPRepPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6511   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6512                                       hf_index, BER_CLASS_APP, 27, FALSE, dissect_kerberos_EncAPRepPart_U);
6513 
6514   return offset;
6515 }
6516 
6517 
6518 
6519 static int
6520 dissect_kerberos_T_encKrbPrivPart_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6521 #line 597 "./asn1/kerberos/kerberos.cnf"
6522   kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
6523   tvbuff_t *new_tvb;
6524   offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
6525   if (new_tvb) {
6526     call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, private_data->callbacks);
6527   }
6528 
6529 
6530 
6531   return offset;
6532 }
6533 
6534 
6535 static const ber_sequence_t EncKrbPrivPart_sequence[] = {
6536   { &hf_kerberos_encKrbPrivPart_user_data, BER_CLASS_CON, 0, 0, dissect_kerberos_T_encKrbPrivPart_user_data },
6537   { &hf_kerberos_timestamp  , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6538   { &hf_kerberos_usec       , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_Microseconds },
6539   { &hf_kerberos_seq_number , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6540   { &hf_kerberos_s_address  , BER_CLASS_CON, 4, 0, dissect_kerberos_HostAddress },
6541   { &hf_kerberos_r_address  , BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddress },
6542   { NULL, 0, 0, 0, NULL }
6543 };
6544 
6545 static int
6546 dissect_kerberos_EncKrbPrivPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6547   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6548                                    EncKrbPrivPart_sequence, hf_index, ett_kerberos_EncKrbPrivPart);
6549 
6550   return offset;
6551 }
6552 
6553 
6554 
6555 static int
6556 dissect_kerberos_ENC_KRB_PRIV_PART(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6557   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6558                                       hf_index, BER_CLASS_APP, 28, FALSE, dissect_kerberos_EncKrbPrivPart);
6559 
6560   return offset;
6561 }
6562 
6563 
6564 
6565 static int
6566 dissect_kerberos_T_krbCredInfo_key(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6567 #line 501 "./asn1/kerberos/kerberos.cnf"
6568   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
6569   gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
6570   kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
6571   private_data->save_encryption_key_parent_hf_index = hf_kerberos_ticket_info_item;
6572 #ifdef HAVE_KERBEROS
6573   private_data->save_encryption_key_fn = save_KrbCredInfo_key;
6574 #endif
6575   offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
6576 
6577   private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
6578   private_data->save_encryption_key_fn = saved_encryption_key_fn;
6579 
6580 
6581 
6582   return offset;
6583 }
6584 
6585 
6586 static const ber_sequence_t SEQUENCE_OF_KerberosString_sequence_of[1] = {
6587   { &hf_kerberos_name_string_item, BER_CLASS_UNI, BER_UNI_TAG_GeneralString, BER_FLAGS_NOOWNTAG, dissect_kerberos_KerberosString },
6588 };
6589 
6590 static int
6591 dissect_kerberos_SEQUENCE_OF_KerberosString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6592   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
6593                                       SEQUENCE_OF_KerberosString_sequence_of, hf_index, ett_kerberos_SEQUENCE_OF_KerberosString);
6594 
6595   return offset;
6596 }
6597 
6598 
6599 static const ber_sequence_t PrincipalName_sequence[] = {
6600   { &hf_kerberos_name_type  , BER_CLASS_CON, 0, 0, dissect_kerberos_NAME_TYPE },
6601   { &hf_kerberos_name_string, BER_CLASS_CON, 1, 0, dissect_kerberos_SEQUENCE_OF_KerberosString },
6602   { NULL, 0, 0, 0, NULL }
6603 };
6604 
6605 static int
6606 dissect_kerberos_PrincipalName(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6607   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6608                                    PrincipalName_sequence, hf_index, ett_kerberos_PrincipalName);
6609 
6610   return offset;
6611 }
6612 
6613 
6614 static const ber_sequence_t KrbCredInfo_sequence[] = {
6615   { &hf_kerberos_krbCredInfo_key, BER_CLASS_CON, 0, 0, dissect_kerberos_T_krbCredInfo_key },
6616   { &hf_kerberos_prealm     , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_Realm },
6617   { &hf_kerberos_pname      , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_PrincipalName },
6618   { &hf_kerberos_flags      , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_TicketFlags },
6619   { &hf_kerberos_authtime   , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6620   { &hf_kerberos_starttime  , BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6621   { &hf_kerberos_endtime    , BER_CLASS_CON, 6, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6622   { &hf_kerberos_renew_till , BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6623   { &hf_kerberos_srealm     , BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL, dissect_kerberos_Realm },
6624   { &hf_kerberos_sname      , BER_CLASS_CON, 9, BER_FLAGS_OPTIONAL, dissect_kerberos_SName },
6625   { &hf_kerberos_caddr      , BER_CLASS_CON, 10, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddresses },
6626   { NULL, 0, 0, 0, NULL }
6627 };
6628 
6629 static int
6630 dissect_kerberos_KrbCredInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6631   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6632                                    KrbCredInfo_sequence, hf_index, ett_kerberos_KrbCredInfo);
6633 
6634   return offset;
6635 }
6636 
6637 
6638 static const ber_sequence_t SEQUENCE_OF_KrbCredInfo_sequence_of[1] = {
6639   { &hf_kerberos_ticket_info_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_KrbCredInfo },
6640 };
6641 
6642 static int
6643 dissect_kerberos_SEQUENCE_OF_KrbCredInfo(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6644   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
6645                                       SEQUENCE_OF_KrbCredInfo_sequence_of, hf_index, ett_kerberos_SEQUENCE_OF_KrbCredInfo);
6646 
6647   return offset;
6648 }
6649 
6650 
6651 static const ber_sequence_t EncKrbCredPart_U_sequence[] = {
6652   { &hf_kerberos_ticket_info, BER_CLASS_CON, 0, 0, dissect_kerberos_SEQUENCE_OF_KrbCredInfo },
6653   { &hf_kerberos_nonce      , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6654   { &hf_kerberos_timestamp  , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6655   { &hf_kerberos_usec       , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_Microseconds },
6656   { &hf_kerberos_s_address  , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddress },
6657   { &hf_kerberos_r_address  , BER_CLASS_CON, 5, BER_FLAGS_OPTIONAL, dissect_kerberos_HostAddress },
6658   { NULL, 0, 0, 0, NULL }
6659 };
6660 
6661 static int
6662 dissect_kerberos_EncKrbCredPart_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6663   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6664                                    EncKrbCredPart_U_sequence, hf_index, ett_kerberos_EncKrbCredPart_U);
6665 
6666   return offset;
6667 }
6668 
6669 
6670 
6671 static int
6672 dissect_kerberos_EncKrbCredPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6673   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6674                                       hf_index, BER_CLASS_APP, 29, FALSE, dissect_kerberos_EncKrbCredPart_U);
6675 
6676   return offset;
6677 }
6678 
6679 
6680 static const value_string kerberos_ERROR_CODE_vals[] = {
6681   {   0, "eRR-NONE" },
6682   {   1, "eRR-NAME-EXP" },
6683   {   2, "eRR-SERVICE-EXP" },
6684   {   3, "eRR-BAD-PVNO" },
6685   {   4, "eRR-C-OLD-MAST-KVNO" },
6686   {   5, "eRR-S-OLD-MAST-KVNO" },
6687   {   6, "eRR-C-PRINCIPAL-UNKNOWN" },
6688   {   7, "eRR-S-PRINCIPAL-UNKNOWN" },
6689   {   8, "eRR-PRINCIPAL-NOT-UNIQUE" },
6690   {   9, "eRR-NULL-KEY" },
6691   {  10, "eRR-CANNOT-POSTDATE" },
6692   {  11, "eRR-NEVER-VALID" },
6693   {  12, "eRR-POLICY" },
6694   {  13, "eRR-BADOPTION" },
6695   {  14, "eRR-ETYPE-NOSUPP" },
6696   {  15, "eRR-SUMTYPE-NOSUPP" },
6697   {  16, "eRR-PADATA-TYPE-NOSUPP" },
6698   {  17, "eRR-TRTYPE-NOSUPP" },
6699   {  18, "eRR-CLIENT-REVOKED" },
6700   {  19, "eRR-SERVICE-REVOKED" },
6701   {  20, "eRR-TGT-REVOKED" },
6702   {  21, "eRR-CLIENT-NOTYET" },
6703   {  22, "eRR-SERVICE-NOTYET" },
6704   {  23, "eRR-KEY-EXP" },
6705   {  24, "eRR-PREAUTH-FAILED" },
6706   {  25, "eRR-PREAUTH-REQUIRED" },
6707   {  26, "eRR-SERVER-NOMATCH" },
6708   {  27, "eRR-MUST-USE-USER2USER" },
6709   {  28, "eRR-PATH-NOT-ACCEPTED" },
6710   {  29, "eRR-SVC-UNAVAILABLE" },
6711   {  31, "eRR-BAD-INTEGRITY" },
6712   {  32, "eRR-TKT-EXPIRED" },
6713   {  33, "eRR-TKT-NYV" },
6714   {  34, "eRR-REPEAT" },
6715   {  35, "eRR-NOT-US" },
6716   {  36, "eRR-BADMATCH" },
6717   {  37, "eRR-SKEW" },
6718   {  38, "eRR-BADADDR" },
6719   {  39, "eRR-BADVERSION" },
6720   {  40, "eRR-MSG-TYPE" },
6721   {  41, "eRR-MODIFIED" },
6722   {  42, "eRR-BADORDER" },
6723   {  43, "eRR-ILL-CR-TKT" },
6724   {  44, "eRR-BADKEYVER" },
6725   {  45, "eRR-NOKEY" },
6726   {  46, "eRR-MUT-FAIL" },
6727   {  47, "eRR-BADDIRECTION" },
6728   {  48, "eRR-METHOD" },
6729   {  49, "eRR-BADSEQ" },
6730   {  50, "eRR-INAPP-CKSUM" },
6731   {  51, "pATH-NOT-ACCEPTED" },
6732   {  52, "eRR-RESPONSE-TOO-BIG" },
6733   {  60, "eRR-GENERIC" },
6734   {  61, "eRR-FIELD-TOOLONG" },
6735   {  62, "eRROR-CLIENT-NOT-TRUSTED" },
6736   {  63, "eRROR-KDC-NOT-TRUSTED" },
6737   {  64, "eRROR-INVALID-SIG" },
6738   {  65, "eRR-KEY-TOO-WEAK" },
6739   {  66, "eRR-CERTIFICATE-MISMATCH" },
6740   {  67, "eRR-NO-TGT" },
6741   {  68, "eRR-WRONG-REALM" },
6742   {  69, "eRR-USER-TO-USER-REQUIRED" },
6743   {  70, "eRR-CANT-VERIFY-CERTIFICATE" },
6744   {  71, "eRR-INVALID-CERTIFICATE" },
6745   {  72, "eRR-REVOKED-CERTIFICATE" },
6746   {  73, "eRR-REVOCATION-STATUS-UNKNOWN" },
6747   {  74, "eRR-REVOCATION-STATUS-UNAVAILABLE" },
6748   {  75, "eRR-CLIENT-NAME-MISMATCH" },
6749   {  76, "eRR-KDC-NAME-MISMATCH" },
6750   { 0, NULL }
6751 };
6752 
6753 
6754 static int
6755 dissect_kerberos_ERROR_CODE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6756 #line 122 "./asn1/kerberos/kerberos.cnf"
6757   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
6758   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
6759                                                 &private_data->errorcode);
6760 
6761 
6762 
6763 
6764 #line 126 "./asn1/kerberos/kerberos.cnf"
6765   if (private_data->errorcode) {
6766     col_add_fstr(actx->pinfo->cinfo, COL_INFO,
6767       "KRB Error: %s",
6768       val_to_str(private_data->errorcode, krb5_error_codes,
6769       "Unknown error code %#x"));
6770   }
6771 
6772 
6773   return offset;
6774 }
6775 
6776 
6777 
6778 static int
6779 dissect_kerberos_T_e_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6780 #line 135 "./asn1/kerberos/kerberos.cnf"
6781   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
6782 
6783   switch (private_data->errorcode) {
6784   case KRB5_ET_KRB5KDC_ERR_BADOPTION:
6785   case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED:
6786   case KRB5_ET_KRB5KDC_ERR_KEY_EXP:
6787   case KRB5_ET_KRB5KDC_ERR_POLICY:
6788     /* ms windows kdc sends e-data of this type containing a "salt"
6789      * that contains the nt_status code for these error codes.
6790      */
6791     private_data->try_nt_status = TRUE;
6792     offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_PA_DATA);
6793     break;
6794   case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
6795   case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED:
6796   case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP:
6797   case KRB5_ET_KDC_ERR_WRONG_REALM:
6798   case KRB5_ET_KDC_ERR_PREAUTH_EXPIRED:
6799   case KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
6800   case KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET:
6801   case KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS:
6802     offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_SEQUENCE_OF_PA_DATA);
6803     break;
6804   default:
6805     offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, NULL);
6806     break;
6807   }
6808 
6809 
6810 
6811 
6812   return offset;
6813 }
6814 
6815 
6816 static const ber_sequence_t KRB_ERROR_U_sequence[] = {
6817   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
6818   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
6819   { &hf_kerberos_ctime      , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosTime },
6820   { &hf_kerberos_cusec      , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_Microseconds },
6821   { &hf_kerberos_stime      , BER_CLASS_CON, 4, 0, dissect_kerberos_KerberosTime },
6822   { &hf_kerberos_susec      , BER_CLASS_CON, 5, 0, dissect_kerberos_Microseconds },
6823   { &hf_kerberos_error_code , BER_CLASS_CON, 6, 0, dissect_kerberos_ERROR_CODE },
6824   { &hf_kerberos_crealm     , BER_CLASS_CON, 7, BER_FLAGS_OPTIONAL, dissect_kerberos_Realm },
6825   { &hf_kerberos_cname      , BER_CLASS_CON, 8, BER_FLAGS_OPTIONAL, dissect_kerberos_CName },
6826   { &hf_kerberos_realm      , BER_CLASS_CON, 9, 0, dissect_kerberos_Realm },
6827   { &hf_kerberos_sname      , BER_CLASS_CON, 10, 0, dissect_kerberos_SName },
6828   { &hf_kerberos_e_text     , BER_CLASS_CON, 11, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosString },
6829   { &hf_kerberos_e_data     , BER_CLASS_CON, 12, BER_FLAGS_OPTIONAL, dissect_kerberos_T_e_data },
6830   { &hf_kerberos_e_checksum , BER_CLASS_CON, 13, BER_FLAGS_OPTIONAL, dissect_kerberos_Checksum },
6831   { NULL, 0, 0, 0, NULL }
6832 };
6833 
6834 static int
6835 dissect_kerberos_KRB_ERROR_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6836   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6837                                    KRB_ERROR_U_sequence, hf_index, ett_kerberos_KRB_ERROR_U);
6838 
6839   return offset;
6840 }
6841 
6842 
6843 
6844 static int
6845 dissect_kerberos_KRB_ERROR(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6846   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
6847                                       hf_index, BER_CLASS_APP, 30, FALSE, dissect_kerberos_KRB_ERROR_U);
6848 
6849   return offset;
6850 }
6851 
6852 
6853 static const ber_choice_t Applications_choice[] = {
6854   { KERBEROS_APPLICATIONS_TICKET, &hf_kerberos_ticket     , BER_CLASS_APP, 1, BER_FLAGS_NOOWNTAG, dissect_kerberos_Ticket },
6855   { KERBEROS_APPLICATIONS_AUTHENTICATOR, &hf_kerberos_authenticator, BER_CLASS_APP, 2, BER_FLAGS_NOOWNTAG, dissect_kerberos_Authenticator },
6856   { KERBEROS_APPLICATIONS_ENCTICKETPART, &hf_kerberos_encTicketPart, BER_CLASS_APP, 3, BER_FLAGS_NOOWNTAG, dissect_kerberos_EncTicketPart },
6857   { KERBEROS_APPLICATIONS_AS_REQ, &hf_kerberos_as_req     , BER_CLASS_APP, 10, BER_FLAGS_NOOWNTAG, dissect_kerberos_AS_REQ },
6858   { KERBEROS_APPLICATIONS_AS_REP, &hf_kerberos_as_rep     , BER_CLASS_APP, 11, BER_FLAGS_NOOWNTAG, dissect_kerberos_AS_REP },
6859   { KERBEROS_APPLICATIONS_TGS_REQ, &hf_kerberos_tgs_req    , BER_CLASS_APP, 12, BER_FLAGS_NOOWNTAG, dissect_kerberos_TGS_REQ },
6860   { KERBEROS_APPLICATIONS_TGS_REP, &hf_kerberos_tgs_rep    , BER_CLASS_APP, 13, BER_FLAGS_NOOWNTAG, dissect_kerberos_TGS_REP },
6861   { KERBEROS_APPLICATIONS_AP_REQ, &hf_kerberos_ap_req     , BER_CLASS_APP, 14, BER_FLAGS_NOOWNTAG, dissect_kerberos_AP_REQ },
6862   { KERBEROS_APPLICATIONS_AP_REP, &hf_kerberos_ap_rep     , BER_CLASS_APP, 15, BER_FLAGS_NOOWNTAG, dissect_kerberos_AP_REP },
6863   { KERBEROS_APPLICATIONS_KRB_SAFE, &hf_kerberos_krb_safe   , BER_CLASS_APP, 20, BER_FLAGS_NOOWNTAG, dissect_kerberos_KRB_SAFE },
6864   { KERBEROS_APPLICATIONS_KRB_PRIV, &hf_kerberos_krb_priv   , BER_CLASS_APP, 21, BER_FLAGS_NOOWNTAG, dissect_kerberos_KRB_PRIV },
6865   { KERBEROS_APPLICATIONS_KRB_CRED, &hf_kerberos_krb_cred   , BER_CLASS_APP, 22, BER_FLAGS_NOOWNTAG, dissect_kerberos_KRB_CRED },
6866   { KERBEROS_APPLICATIONS_ENCASREPPART, &hf_kerberos_encASRepPart, BER_CLASS_APP, 25, BER_FLAGS_NOOWNTAG, dissect_kerberos_EncASRepPart },
6867   { KERBEROS_APPLICATIONS_ENCTGSREPPART, &hf_kerberos_encTGSRepPart, BER_CLASS_APP, 26, BER_FLAGS_NOOWNTAG, dissect_kerberos_EncTGSRepPart },
6868   { KERBEROS_APPLICATIONS_ENCAPREPPART, &hf_kerberos_encAPRepPart, BER_CLASS_APP, 27, BER_FLAGS_NOOWNTAG, dissect_kerberos_EncAPRepPart },
6869   { KERBEROS_APPLICATIONS_ENCKRBPRIVPART, &hf_kerberos_encKrbPrivPart, BER_CLASS_APP, 28, BER_FLAGS_NOOWNTAG, dissect_kerberos_ENC_KRB_PRIV_PART },
6870   { KERBEROS_APPLICATIONS_ENCKRBCREDPART, &hf_kerberos_encKrbCredPart, BER_CLASS_APP, 29, BER_FLAGS_NOOWNTAG, dissect_kerberos_EncKrbCredPart },
6871   { KERBEROS_APPLICATIONS_KRB_ERROR, &hf_kerberos_krb_error  , BER_CLASS_APP, 30, BER_FLAGS_NOOWNTAG, dissect_kerberos_KRB_ERROR },
6872   { 0, NULL, 0, 0, 0, NULL }
6873 };
6874 
6875 static int
6876 dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6877   offset = dissect_ber_choice(actx, tree, tvb, offset,
6878                                  Applications_choice, hf_index, ett_kerberos_Applications,
6879                                  NULL);
6880 
6881   return offset;
6882 }
6883 
6884 
6885 
6886 static int
6887 dissect_kerberos_T_pA_ENC_TIMESTAMP_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6888 #line 355 "./asn1/kerberos/kerberos.cnf"
6889 #ifdef HAVE_KERBEROS
6890   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
6891 #else
6892   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
6893                                        NULL);
6894 
6895 #endif
6896 
6897 
6898 
6899   return offset;
6900 }
6901 
6902 
6903 static const ber_sequence_t PA_ENC_TIMESTAMP_sequence[] = {
6904   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
6905   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
6906   { &hf_kerberos_pA_ENC_TIMESTAMP_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_pA_ENC_TIMESTAMP_cipher },
6907   { NULL, 0, 0, 0, NULL }
6908 };
6909 
6910 static int
6911 dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6912   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6913                                    PA_ENC_TIMESTAMP_sequence, hf_index, ett_kerberos_PA_ENC_TIMESTAMP);
6914 
6915   return offset;
6916 }
6917 
6918 
6919 static const ber_sequence_t ETYPE_INFO_ENTRY_sequence[] = {
6920   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
6921   { &hf_kerberos_info_salt  , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
6922   { NULL, 0, 0, 0, NULL }
6923 };
6924 
6925 static int
6926 dissect_kerberos_ETYPE_INFO_ENTRY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6927   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6928                                    ETYPE_INFO_ENTRY_sequence, hf_index, ett_kerberos_ETYPE_INFO_ENTRY);
6929 
6930   return offset;
6931 }
6932 
6933 
6934 static const ber_sequence_t ETYPE_INFO_sequence_of[1] = {
6935   { &hf_kerberos_ETYPE_INFO_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_ETYPE_INFO_ENTRY },
6936 };
6937 
6938 static int
6939 dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6940   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
6941                                       ETYPE_INFO_sequence_of, hf_index, ett_kerberos_ETYPE_INFO);
6942 
6943   return offset;
6944 }
6945 
6946 
6947 static const ber_sequence_t ETYPE_INFO2_ENTRY_sequence[] = {
6948   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
6949   { &hf_kerberos_info2_salt , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosString },
6950   { &hf_kerberos_s2kparams  , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
6951   { NULL, 0, 0, 0, NULL }
6952 };
6953 
6954 static int
6955 dissect_kerberos_ETYPE_INFO2_ENTRY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6956   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6957                                    ETYPE_INFO2_ENTRY_sequence, hf_index, ett_kerberos_ETYPE_INFO2_ENTRY);
6958 
6959   return offset;
6960 }
6961 
6962 
6963 static const ber_sequence_t ETYPE_INFO2_sequence_of[1] = {
6964   { &hf_kerberos_ETYPE_INFO2_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_ETYPE_INFO2_ENTRY },
6965 };
6966 
6967 static int
6968 dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6969   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
6970                                       ETYPE_INFO2_sequence_of, hf_index, ett_kerberos_ETYPE_INFO2);
6971 
6972   return offset;
6973 }
6974 
6975 
6976 
6977 static int
6978 dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6979   offset = dissect_kerberos_AuthorizationData(implicit_tag, tvb, offset, actx, tree, hf_index);
6980 
6981   return offset;
6982 }
6983 
6984 
6985 static const ber_sequence_t TGT_REQ_sequence[] = {
6986   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
6987   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
6988   { &hf_kerberos_server_name, BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_PrincipalName },
6989   { &hf_kerberos_realm      , BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_Realm },
6990   { NULL, 0, 0, 0, NULL }
6991 };
6992 
6993 int
6994 dissect_kerberos_TGT_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
6995   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
6996                                    TGT_REQ_sequence, hf_index, ett_kerberos_TGT_REQ);
6997 
6998   return offset;
6999 }
7000 
7001 
7002 static const ber_sequence_t TGT_REP_sequence[] = {
7003   { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
7004   { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
7005   { &hf_kerberos_ticket     , BER_CLASS_CON, 2, 0, dissect_kerberos_Ticket },
7006   { NULL, 0, 0, 0, NULL }
7007 };
7008 
7009 int
7010 dissect_kerberos_TGT_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7011   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7012                                    TGT_REP_sequence, hf_index, ett_kerberos_TGT_REP);
7013 
7014   return offset;
7015 }
7016 
7017 
7018 
7019 static int
7020 dissect_kerberos_BOOLEAN(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7021   offset = dissect_ber_boolean(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
7022 
7023   return offset;
7024 }
7025 
7026 
7027 static const ber_sequence_t PA_PAC_REQUEST_sequence[] = {
7028   { &hf_kerberos_include_pac, BER_CLASS_CON, 0, 0, dissect_kerberos_BOOLEAN },
7029   { NULL, 0, 0, 0, NULL }
7030 };
7031 
7032 static int
7033 dissect_kerberos_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7034   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7035                                    PA_PAC_REQUEST_sequence, hf_index, ett_kerberos_PA_PAC_REQUEST);
7036 
7037   return offset;
7038 }
7039 
7040 
7041 
7042 static int
7043 dissect_kerberos_GeneralString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7044   offset = dissect_ber_restricted_string(implicit_tag, BER_UNI_TAG_GeneralString,
7045                                             actx, tree, tvb, offset, hf_index,
7046                                             NULL);
7047 
7048   return offset;
7049 }
7050 
7051 
7052 static const ber_sequence_t PA_S4U2Self_sequence[] = {
7053   { &hf_kerberos_name       , BER_CLASS_CON, 0, 0, dissect_kerberos_PrincipalName },
7054   { &hf_kerberos_realm      , BER_CLASS_CON, 1, 0, dissect_kerberos_Realm },
7055   { &hf_kerberos_cksum      , BER_CLASS_CON, 2, 0, dissect_kerberos_Checksum },
7056   { &hf_kerberos_auth       , BER_CLASS_CON, 3, 0, dissect_kerberos_GeneralString },
7057   { NULL, 0, 0, 0, NULL }
7058 };
7059 
7060 static int
7061 dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7062   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7063                                    PA_S4U2Self_sequence, hf_index, ett_kerberos_PA_S4U2Self);
7064 
7065   return offset;
7066 }
7067 
7068 
7069 
7070 static int
7071 dissect_kerberos_T_subject_certificate(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7072 #line 559 "./asn1/kerberos/kerberos.cnf"
7073   offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset,hf_index, dissect_x509af_Certificate);
7074 
7075 
7076 
7077   return offset;
7078 }
7079 
7080 
7081 
7082 static int
7083 dissect_kerberos_BIT_STRING(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7084   offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
7085                                     NULL, 0, hf_index, -1,
7086                                     NULL);
7087 
7088   return offset;
7089 }
7090 
7091 
7092 static const ber_sequence_t S4UUserID_sequence[] = {
7093   { &hf_kerberos_nonce      , BER_CLASS_CON, 0, 0, dissect_kerberos_UInt32 },
7094   { &hf_kerberos_cname_01   , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_PrincipalName },
7095   { &hf_kerberos_crealm     , BER_CLASS_CON, 2, 0, dissect_kerberos_Realm },
7096   { &hf_kerberos_subject_certificate, BER_CLASS_CON, 3, BER_FLAGS_OPTIONAL, dissect_kerberos_T_subject_certificate },
7097   { &hf_kerberos_options    , BER_CLASS_CON, 4, BER_FLAGS_OPTIONAL, dissect_kerberos_BIT_STRING },
7098   { NULL, 0, 0, 0, NULL }
7099 };
7100 
7101 static int
7102 dissect_kerberos_S4UUserID(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7103   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7104                                    S4UUserID_sequence, hf_index, ett_kerberos_S4UUserID);
7105 
7106   return offset;
7107 }
7108 
7109 
7110 static const ber_sequence_t PA_S4U_X509_USER_sequence[] = {
7111   { &hf_kerberos_user_id    , BER_CLASS_CON, 0, 0, dissect_kerberos_S4UUserID },
7112   { &hf_kerberos_checksum_01, BER_CLASS_CON, 1, 0, dissect_kerberos_Checksum },
7113   { NULL, 0, 0, 0, NULL }
7114 };
7115 
7116 static int
7117 dissect_kerberos_PA_S4U_X509_USER(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7118   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7119                                    PA_S4U_X509_USER_sequence, hf_index, ett_kerberos_PA_S4U_X509_USER);
7120 
7121   return offset;
7122 }
7123 
7124 
7125 static int * const PAC_OPTIONS_FLAGS_bits[] = {
7126   &hf_kerberos_PAC_OPTIONS_FLAGS_claims,
7127   &hf_kerberos_PAC_OPTIONS_FLAGS_branch_aware,
7128   &hf_kerberos_PAC_OPTIONS_FLAGS_forward_to_full_dc,
7129   &hf_kerberos_PAC_OPTIONS_FLAGS_resource_based_constrained_delegation,
7130   NULL
7131 };
7132 
7133 static int
7134 dissect_kerberos_PAC_OPTIONS_FLAGS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7135   offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
7136                                     PAC_OPTIONS_FLAGS_bits, 4, hf_index, ett_kerberos_PAC_OPTIONS_FLAGS,
7137                                     NULL);
7138 
7139   return offset;
7140 }
7141 
7142 
7143 static const ber_sequence_t PA_PAC_OPTIONS_sequence[] = {
7144   { &hf_kerberos_flags_01   , BER_CLASS_CON, 0, 0, dissect_kerberos_PAC_OPTIONS_FLAGS },
7145   { NULL, 0, 0, 0, NULL }
7146 };
7147 
7148 static int
7149 dissect_kerberos_PA_PAC_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7150   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7151                                    PA_PAC_OPTIONS_sequence, hf_index, ett_kerberos_PA_PAC_OPTIONS);
7152 
7153   return offset;
7154 }
7155 
7156 
7157 static const ber_sequence_t KERB_AD_RESTRICTION_ENTRY_U_sequence[] = {
7158   { &hf_kerberos_restriction_type, BER_CLASS_CON, 0, 0, dissect_kerberos_Int32 },
7159   { &hf_kerberos_restriction, BER_CLASS_CON, 1, 0, dissect_kerberos_OCTET_STRING },
7160   { NULL, 0, 0, 0, NULL }
7161 };
7162 
7163 static int
7164 dissect_kerberos_KERB_AD_RESTRICTION_ENTRY_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7165   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7166                                    KERB_AD_RESTRICTION_ENTRY_U_sequence, hf_index, ett_kerberos_KERB_AD_RESTRICTION_ENTRY_U);
7167 
7168   return offset;
7169 }
7170 
7171 
7172 
7173 static int
7174 dissect_kerberos_KERB_AD_RESTRICTION_ENTRY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7175   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
7176                                       hf_index, BER_CLASS_UNI, 16, FALSE, dissect_kerberos_KERB_AD_RESTRICTION_ENTRY_U);
7177 
7178   return offset;
7179 }
7180 
7181 
7182 static const ber_sequence_t PA_KERB_KEY_LIST_REQ_sequence_of[1] = {
7183   { &hf_kerberos_PA_KERB_KEY_LIST_REQ_item, BER_CLASS_UNI, BER_UNI_TAG_INTEGER, BER_FLAGS_NOOWNTAG, dissect_kerberos_ENCTYPE },
7184 };
7185 
7186 static int
7187 dissect_kerberos_PA_KERB_KEY_LIST_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7188   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
7189                                       PA_KERB_KEY_LIST_REQ_sequence_of, hf_index, ett_kerberos_PA_KERB_KEY_LIST_REQ);
7190 
7191   return offset;
7192 }
7193 
7194 
7195 
7196 static int
7197 dissect_kerberos_PA_KERB_KEY_LIST_REP_Key(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7198   offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
7199 
7200   return offset;
7201 }
7202 
7203 
7204 
7205 static int
7206 dissect_kerberos_PA_KERB_KEY_LIST_REP_item(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7207 #line 513 "./asn1/kerberos/kerberos.cnf"
7208   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
7209   gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
7210   kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
7211   private_data->save_encryption_key_parent_hf_index = hf_kerberos_kerbKeyListRep_key;
7212 #ifdef HAVE_KERBEROS
7213   private_data->save_encryption_key_fn = save_encryption_key;
7214 #endif
7215   offset = dissect_kerberos_PA_KERB_KEY_LIST_REP_Key(implicit_tag, tvb, offset, actx, tree, hf_index);
7216 
7217   private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
7218   private_data->save_encryption_key_fn = saved_encryption_key_fn;
7219 
7220 
7221 
7222   return offset;
7223 }
7224 
7225 
7226 static const ber_sequence_t PA_KERB_KEY_LIST_REP_sequence_of[1] = {
7227   { &hf_kerberos_kerbKeyListRep_key, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_PA_KERB_KEY_LIST_REP_item },
7228 };
7229 
7230 static int
7231 dissect_kerberos_PA_KERB_KEY_LIST_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7232   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
7233                                       PA_KERB_KEY_LIST_REP_sequence_of, hf_index, ett_kerberos_PA_KERB_KEY_LIST_REP);
7234 
7235   return offset;
7236 }
7237 
7238 
7239 static const ber_sequence_t ChangePasswdData_sequence[] = {
7240   { &hf_kerberos_newpasswd  , BER_CLASS_CON, 0, 0, dissect_kerberos_OCTET_STRING },
7241   { &hf_kerberos_targname   , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_PrincipalName },
7242   { &hf_kerberos_targrealm  , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_Realm },
7243   { NULL, 0, 0, 0, NULL }
7244 };
7245 
7246 int
7247 dissect_kerberos_ChangePasswdData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7248   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7249                                    ChangePasswdData_sequence, hf_index, ett_kerberos_ChangePasswdData);
7250 
7251   return offset;
7252 }
7253 
7254 
7255 static const ber_sequence_t PA_AUTHENTICATION_SET_ELEM_sequence[] = {
7256   { &hf_kerberos_pa_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_PADATA_TYPE },
7257   { &hf_kerberos_pa_hint    , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
7258   { &hf_kerberos_pa_value   , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
7259   { NULL, 0, 0, 0, NULL }
7260 };
7261 
7262 static int
7263 dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7264   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7265                                    PA_AUTHENTICATION_SET_ELEM_sequence, hf_index, ett_kerberos_PA_AUTHENTICATION_SET_ELEM);
7266 
7267   return offset;
7268 }
7269 
7270 
7271 static const value_string kerberos_KrbFastArmorTypes_vals[] = {
7272   { KERBEROS_FX_FAST_RESERVED, "fX-FAST-reserved" },
7273   { KERBEROS_FX_FAST_ARMOR_AP_REQUEST, "fX-FAST-ARMOR-AP-REQUEST" },
7274   { 0, NULL }
7275 };
7276 
7277 
7278 static int
7279 dissect_kerberos_KrbFastArmorTypes(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7280 #line 636 "./asn1/kerberos/kerberos.cnf"
7281   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
7282   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
7283                                                 &(private_data->fast_type));
7284 
7285 
7286 
7287 
7288   return offset;
7289 }
7290 
7291 
7292 
7293 static int
7294 dissect_kerberos_T_armor_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7295 #line 640 "./asn1/kerberos/kerberos.cnf"
7296   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
7297 
7298   switch(private_data->fast_type){
7299   case KERBEROS_FX_FAST_ARMOR_AP_REQUEST:
7300     private_data->fast_armor_within_armor_value++;
7301     offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_Applications);
7302     private_data->fast_armor_within_armor_value--;
7303     break;
7304   default:
7305     offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
7306     break;
7307   }
7308 
7309 
7310 
7311   return offset;
7312 }
7313 
7314 
7315 static const ber_sequence_t KrbFastArmor_sequence[] = {
7316   { &hf_kerberos_armor_type , BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmorTypes },
7317   { &hf_kerberos_armor_value, BER_CLASS_CON, 1, 0, dissect_kerberos_T_armor_value },
7318   { NULL, 0, 0, 0, NULL }
7319 };
7320 
7321 static int
7322 dissect_kerberos_KrbFastArmor(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7323   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7324                                    KrbFastArmor_sequence, hf_index, ett_kerberos_KrbFastArmor);
7325 
7326   return offset;
7327 }
7328 
7329 
7330 
7331 static int
7332 dissect_kerberos_T_encryptedKrbFastReq_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7333 #line 612 "./asn1/kerberos/kerberos.cnf"
7334 #ifdef HAVE_KERBEROS
7335   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastReq);
7336 #else
7337   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
7338                                        NULL);
7339 
7340 #endif
7341   return offset;
7342 
7343 
7344 
7345   return offset;
7346 }
7347 
7348 
7349 static const ber_sequence_t EncryptedKrbFastReq_sequence[] = {
7350   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
7351   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
7352   { &hf_kerberos_encryptedKrbFastReq_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedKrbFastReq_cipher },
7353   { NULL, 0, 0, 0, NULL }
7354 };
7355 
7356 static int
7357 dissect_kerberos_EncryptedKrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7358   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7359                                    EncryptedKrbFastReq_sequence, hf_index, ett_kerberos_EncryptedKrbFastReq);
7360 
7361   return offset;
7362 }
7363 
7364 
7365 static const ber_sequence_t KrbFastArmoredReq_sequence[] = {
7366   { &hf_kerberos_armor      , BER_CLASS_CON, 0, BER_FLAGS_OPTIONAL, dissect_kerberos_KrbFastArmor },
7367   { &hf_kerberos_req_checksum, BER_CLASS_CON, 1, 0, dissect_kerberos_Checksum },
7368   { &hf_kerberos_enc_fast_req, BER_CLASS_CON, 2, 0, dissect_kerberos_EncryptedKrbFastReq },
7369   { NULL, 0, 0, 0, NULL }
7370 };
7371 
7372 static int
7373 dissect_kerberos_KrbFastArmoredReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7374   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7375                                    KrbFastArmoredReq_sequence, hf_index, ett_kerberos_KrbFastArmoredReq);
7376 
7377   return offset;
7378 }
7379 
7380 
7381 static const ber_choice_t PA_FX_FAST_REQUEST_choice[] = {
7382   {   0, &hf_kerberos_armored_data_request, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredReq },
7383   { 0, NULL, 0, 0, 0, NULL }
7384 };
7385 
7386 static int
7387 dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7388   offset = dissect_ber_choice(actx, tree, tvb, offset,
7389                                  PA_FX_FAST_REQUEST_choice, hf_index, ett_kerberos_PA_FX_FAST_REQUEST,
7390                                  NULL);
7391 
7392   return offset;
7393 }
7394 
7395 
7396 
7397 static int
7398 dissect_kerberos_T_encryptedKrbFastResponse_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7399 #line 620 "./asn1/kerberos/kerberos.cnf"
7400 #ifdef HAVE_KERBEROS
7401   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastResponse);
7402 #else
7403   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
7404                                        NULL);
7405 
7406 #endif
7407   return offset;
7408 
7409 
7410 
7411   return offset;
7412 }
7413 
7414 
7415 static const ber_sequence_t EncryptedKrbFastResponse_sequence[] = {
7416   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
7417   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
7418   { &hf_kerberos_encryptedKrbFastResponse_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedKrbFastResponse_cipher },
7419   { NULL, 0, 0, 0, NULL }
7420 };
7421 
7422 static int
7423 dissect_kerberos_EncryptedKrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7424   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7425                                    EncryptedKrbFastResponse_sequence, hf_index, ett_kerberos_EncryptedKrbFastResponse);
7426 
7427   return offset;
7428 }
7429 
7430 
7431 static const ber_sequence_t KrbFastArmoredRep_sequence[] = {
7432   { &hf_kerberos_enc_fast_rep, BER_CLASS_CON, 0, 0, dissect_kerberos_EncryptedKrbFastResponse },
7433   { NULL, 0, 0, 0, NULL }
7434 };
7435 
7436 static int
7437 dissect_kerberos_KrbFastArmoredRep(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7438   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7439                                    KrbFastArmoredRep_sequence, hf_index, ett_kerberos_KrbFastArmoredRep);
7440 
7441   return offset;
7442 }
7443 
7444 
7445 static const ber_choice_t PA_FX_FAST_REPLY_choice[] = {
7446   {   0, &hf_kerberos_armored_data_reply, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredRep },
7447   { 0, NULL, 0, 0, 0, NULL }
7448 };
7449 
7450 static int
7451 dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7452   offset = dissect_ber_choice(actx, tree, tvb, offset,
7453                                  PA_FX_FAST_REPLY_choice, hf_index, ett_kerberos_PA_FX_FAST_REPLY,
7454                                  NULL);
7455 
7456   return offset;
7457 }
7458 
7459 
7460 
7461 static int
7462 dissect_kerberos_T_encryptedChallenge_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7463 #line 628 "./asn1/kerberos/kerberos.cnf"
7464 #ifdef HAVE_KERBEROS
7465   offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_EncryptedChallenge);
7466 #else
7467   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
7468                                        NULL);
7469 
7470 #endif
7471   return offset;
7472 
7473 
7474 
7475   return offset;
7476 }
7477 
7478 
7479 static const ber_sequence_t EncryptedChallenge_sequence[] = {
7480   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
7481   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
7482   { &hf_kerberos_encryptedChallenge_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedChallenge_cipher },
7483   { NULL, 0, 0, 0, NULL }
7484 };
7485 
7486 static int
7487 dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7488   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7489                                    EncryptedChallenge_sequence, hf_index, ett_kerberos_EncryptedChallenge);
7490 
7491   return offset;
7492 }
7493 
7494 
7495 static const ber_sequence_t EncryptedSpakeData_sequence[] = {
7496   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
7497   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
7498   { &hf_kerberos_cipher     , BER_CLASS_CON, 2, 0, dissect_kerberos_OCTET_STRING },
7499   { NULL, 0, 0, 0, NULL }
7500 };
7501 
7502 static int
7503 dissect_kerberos_EncryptedSpakeData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7504   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7505                                    EncryptedSpakeData_sequence, hf_index, ett_kerberos_EncryptedSpakeData);
7506 
7507   return offset;
7508 }
7509 
7510 
7511 static const ber_sequence_t EncryptedSpakeResponseData_sequence[] = {
7512   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
7513   { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
7514   { &hf_kerberos_cipher     , BER_CLASS_CON, 2, 0, dissect_kerberos_OCTET_STRING },
7515   { NULL, 0, 0, 0, NULL }
7516 };
7517 
7518 static int
7519 dissect_kerberos_EncryptedSpakeResponseData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7520   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7521                                    EncryptedSpakeResponseData_sequence, hf_index, ett_kerberos_EncryptedSpakeResponseData);
7522 
7523   return offset;
7524 }
7525 
7526 
7527 static const value_string kerberos_SPAKEGroup_vals[] = {
7528   {   1, "sPAKEGroup-edwards25519" },
7529   {   2, "sPAKEGroup-P-256" },
7530   {   3, "sPAKEGroup-P-384" },
7531   {   4, "sPAKEGroup-P-521" },
7532   { 0, NULL }
7533 };
7534 
7535 
7536 static int
7537 dissect_kerberos_SPAKEGroup(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7538   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
7539                                                 NULL);
7540 
7541   return offset;
7542 }
7543 
7544 
7545 static const value_string kerberos_SPAKESecondFactorType_vals[] = {
7546   {   1, "sPAKESecondFactor-SF-NONE" },
7547   { 0, NULL }
7548 };
7549 
7550 
7551 static int
7552 dissect_kerberos_SPAKESecondFactorType(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7553   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
7554                                                 NULL);
7555 
7556   return offset;
7557 }
7558 
7559 
7560 static const ber_sequence_t SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup_sequence_of[1] = {
7561   { &hf_kerberos_groups_item, BER_CLASS_UNI, BER_UNI_TAG_INTEGER, BER_FLAGS_NOOWNTAG, dissect_kerberos_SPAKEGroup },
7562 };
7563 
7564 static int
7565 dissect_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7566   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
7567                                       SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup_sequence_of, hf_index, ett_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup);
7568 
7569   return offset;
7570 }
7571 
7572 
7573 static const ber_sequence_t SPAKESupport_sequence[] = {
7574   { &hf_kerberos_groups     , BER_CLASS_CON, 0, 0, dissect_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup },
7575   { NULL, 0, 0, 0, NULL }
7576 };
7577 
7578 static int
7579 dissect_kerberos_SPAKESupport(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7580   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7581                                    SPAKESupport_sequence, hf_index, ett_kerberos_SPAKESupport);
7582 
7583   return offset;
7584 }
7585 
7586 
7587 static const ber_sequence_t SPAKESecondFactor_sequence[] = {
7588   { &hf_kerberos_type       , BER_CLASS_CON, 0, 0, dissect_kerberos_SPAKESecondFactorType },
7589   { &hf_kerberos_data       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
7590   { NULL, 0, 0, 0, NULL }
7591 };
7592 
7593 static int
7594 dissect_kerberos_SPAKESecondFactor(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7595   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7596                                    SPAKESecondFactor_sequence, hf_index, ett_kerberos_SPAKESecondFactor);
7597 
7598   return offset;
7599 }
7600 
7601 
7602 static const ber_sequence_t SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor_sequence_of[1] = {
7603   { &hf_kerberos_factors_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_SPAKESecondFactor },
7604 };
7605 
7606 static int
7607 dissect_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7608   offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
7609                                       SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor_sequence_of, hf_index, ett_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor);
7610 
7611   return offset;
7612 }
7613 
7614 
7615 static const ber_sequence_t SPAKEChallenge_sequence[] = {
7616   { &hf_kerberos_group      , BER_CLASS_CON, 0, 0, dissect_kerberos_SPAKEGroup },
7617   { &hf_kerberos_pubkey     , BER_CLASS_CON, 1, 0, dissect_kerberos_OCTET_STRING },
7618   { &hf_kerberos_factors    , BER_CLASS_CON, 2, 0, dissect_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor },
7619   { NULL, 0, 0, 0, NULL }
7620 };
7621 
7622 static int
7623 dissect_kerberos_SPAKEChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7624   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7625                                    SPAKEChallenge_sequence, hf_index, ett_kerberos_SPAKEChallenge);
7626 
7627   return offset;
7628 }
7629 
7630 
7631 static const ber_sequence_t SPAKEResponse_sequence[] = {
7632   { &hf_kerberos_pubkey     , BER_CLASS_CON, 0, 0, dissect_kerberos_OCTET_STRING },
7633   { &hf_kerberos_factor     , BER_CLASS_CON, 1, 0, dissect_kerberos_EncryptedSpakeResponseData },
7634   { NULL, 0, 0, 0, NULL }
7635 };
7636 
7637 static int
7638 dissect_kerberos_SPAKEResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7639   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7640                                    SPAKEResponse_sequence, hf_index, ett_kerberos_SPAKEResponse);
7641 
7642   return offset;
7643 }
7644 
7645 
7646 static const value_string kerberos_PA_SPAKE_vals[] = {
7647   {   0, "support" },
7648   {   1, "challenge" },
7649   {   2, "response" },
7650   {   3, "encdata" },
7651   { 0, NULL }
7652 };
7653 
7654 static const ber_choice_t PA_SPAKE_choice[] = {
7655   {   0, &hf_kerberos_support    , BER_CLASS_CON, 0, 0, dissect_kerberos_SPAKESupport },
7656   {   1, &hf_kerberos_challenge  , BER_CLASS_CON, 1, 0, dissect_kerberos_SPAKEChallenge },
7657   {   2, &hf_kerberos_response   , BER_CLASS_CON, 2, 0, dissect_kerberos_SPAKEResponse },
7658   {   3, &hf_kerberos_encdata    , BER_CLASS_CON, 3, 0, dissect_kerberos_EncryptedSpakeData },
7659   { 0, NULL, 0, 0, 0, NULL }
7660 };
7661 
7662 static int
7663 dissect_kerberos_PA_SPAKE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7664 #line 654 "./asn1/kerberos/kerberos.cnf"
7665   kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
7666   offset = dissect_ber_choice(actx, tree, tvb, offset,
7667                                  PA_SPAKE_choice, hf_index, ett_kerberos_PA_SPAKE,
7668                                  &(private_data->padata_type));
7669 
7670 
7671 
7672 #line 657 "./asn1/kerberos/kerberos.cnf"
7673   if(tree){
7674     proto_item_append_text(tree, " %s",
7675       val_to_str(private_data->padata_type, kerberos_PA_SPAKE_vals,
7676       "Unknown:%d"));
7677   }
7678 
7679   return offset;
7680 }
7681 
7682 
7683 /*--- End of included file: packet-kerberos-fn.c ---*/
7684 #line 4154 "./asn1/kerberos/packet-kerberos-template.c"
7685 
7686 #ifdef HAVE_KERBEROS
7687 static const ber_sequence_t PA_ENC_TS_ENC_sequence[] = {
7688 	{ &hf_krb_patimestamp, BER_CLASS_CON, 0, 0, dissect_kerberos_KerberosTime },
7689 	{ &hf_krb_pausec     , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_Microseconds },
7690 	{ NULL, 0, 0, 0, NULL }
7691 };
7692 
7693 static int
7694 dissect_kerberos_PA_ENC_TS_ENC(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7695 	offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7696 									PA_ENC_TS_ENC_sequence, hf_index, ett_krb_pa_enc_ts_enc);
7697 	return offset;
7698 }
7699 
7700 static int
7701 dissect_kerberos_T_strengthen_key(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7702 #line 491 "./asn1/kerberos/kerberos.cnf"
7703   kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
7704   gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
7705   kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
7706   private_data->save_encryption_key_parent_hf_index = hf_kerberos_KrbFastResponse;
7707 #ifdef HAVE_KERBEROS
7708   private_data->save_encryption_key_fn = save_KrbFastResponse_strengthen_key;
7709 #endif
7710   offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
7711 
7712   private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
7713   private_data->save_encryption_key_fn = saved_encryption_key_fn;
7714   return offset;
7715 }
7716 
7717 static const ber_sequence_t KrbFastFinished_sequence[] = {
7718   { &hf_kerberos_timestamp  , BER_CLASS_CON, 0, 0, dissect_kerberos_KerberosTime },
7719   { &hf_kerberos_usec       , BER_CLASS_CON, 1, 0, dissect_kerberos_Microseconds },
7720   { &hf_kerberos_crealm     , BER_CLASS_CON, 2, 0, dissect_kerberos_Realm },
7721   { &hf_kerberos_cname_01   , BER_CLASS_CON, 3, 0, dissect_kerberos_PrincipalName },
7722   { &hf_kerberos_ticket_checksum, BER_CLASS_CON, 4, 0, dissect_kerberos_Checksum },
7723   { NULL, 0, 0, 0, NULL }
7724 };
7725 
7726 static int
7727 dissect_kerberos_KrbFastFinished(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7728   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7729                                    KrbFastFinished_sequence, hf_index, ett_kerberos_KrbFastFinished);
7730 
7731   return offset;
7732 }
7733 
7734 static const ber_sequence_t KrbFastResponse_sequence[] = {
7735   { &hf_kerberos_padata     , BER_CLASS_CON, 0, 0, dissect_kerberos_SEQUENCE_OF_PA_DATA },
7736   { &hf_kerberos_strengthen_key, BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_T_strengthen_key },
7737   { &hf_kerberos_finished   , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_KrbFastFinished },
7738   { &hf_kerberos_nonce      , BER_CLASS_CON, 3, 0, dissect_kerberos_UInt32 },
7739   { NULL, 0, 0, 0, NULL }
7740 };
7741 
7742 static int
7743 dissect_kerberos_KrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7744   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7745                                    KrbFastResponse_sequence, hf_index, ett_kerberos_KrbFastResponse);
7746 
7747   return offset;
7748 }
7749 
7750 static const ber_sequence_t KrbFastReq_sequence[] = {
7751   { &hf_kerberos_fast_options, BER_CLASS_CON, 0, 0, dissect_kerberos_FastOptions },
7752   { &hf_kerberos_padata     , BER_CLASS_CON, 1, 0, dissect_kerberos_SEQUENCE_OF_PA_DATA },
7753   { &hf_kerberos_req_body   , BER_CLASS_CON, 2, 0, dissect_kerberos_KDC_REQ_BODY },
7754   { NULL, 0, 0, 0, NULL }
7755 };
7756 
7757 static int
7758 dissect_kerberos_KrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7759   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
7760                                    KrbFastReq_sequence, hf_index, ett_kerberos_KrbFastReq);
7761 
7762   return offset;
7763 }
7764 
7765 static int * const FastOptions_bits[] = {
7766   &hf_kerberos_FastOptions_reserved,
7767   &hf_kerberos_FastOptions_hide_client_names,
7768   &hf_kerberos_FastOptions_spare_bit2,
7769   &hf_kerberos_FastOptions_spare_bit3,
7770   &hf_kerberos_FastOptions_spare_bit4,
7771   &hf_kerberos_FastOptions_spare_bit5,
7772   &hf_kerberos_FastOptions_spare_bit6,
7773   &hf_kerberos_FastOptions_spare_bit7,
7774   &hf_kerberos_FastOptions_spare_bit8,
7775   &hf_kerberos_FastOptions_spare_bit9,
7776   &hf_kerberos_FastOptions_spare_bit10,
7777   &hf_kerberos_FastOptions_spare_bit11,
7778   &hf_kerberos_FastOptions_spare_bit12,
7779   &hf_kerberos_FastOptions_spare_bit13,
7780   &hf_kerberos_FastOptions_spare_bit14,
7781   &hf_kerberos_FastOptions_spare_bit15,
7782   &hf_kerberos_FastOptions_kdc_follow_referrals,
7783   NULL
7784 };
7785 
7786 static int
7787 dissect_kerberos_FastOptions(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
7788   offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
7789                                     FastOptions_bits, 17, hf_index, ett_kerberos_FastOptions,
7790                                     NULL);
7791 
7792   return offset;
7793 }
7794 
7795 #endif /* HAVE_KERBEROS */
7796 
7797 /* Make wrappers around exported functions for now */
7798 int
7799 dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
7800 {
7801 	return dissect_kerberos_Checksum(FALSE, tvb, offset, actx, tree, hf_kerberos_cksum);
7802 
7803 }
7804 
7805 int
7806 dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
7807 {
7808 	return dissect_kerberos_KerberosTime(FALSE, tvb, offset, actx, tree, hf_kerberos_ctime);
7809 }
7810 
7811 
7812 int
7813 dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
7814 {
7815 	return dissect_kerberos_PrincipalName(FALSE, tvb, offset, actx, tree, hf_kerberos_cname);
7816 }
7817 int
7818 dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
7819 {
7820 	return dissect_kerberos_Realm(FALSE, tvb, offset, actx, tree, hf_kerberos_realm);
7821 }
7822 
7823 struct kerberos_display_key_state {
7824 	proto_tree *tree;
7825 	packet_info *pinfo;
7826 	expert_field *expindex;
7827 	const char *name;
7828 	tvbuff_t *tvb;
7829 	gint start;
7830 	gint length;
7831 };
7832 
7833 static void
7834 #ifdef HAVE_KERBEROS
7835 kerberos_display_key(gpointer data, gpointer userdata)
7836 #else
7837 kerberos_display_key(gpointer data _U_, gpointer userdata _U_)
7838 #endif
7839 {
7840 #ifdef HAVE_KERBEROS
7841 	struct kerberos_display_key_state *state =
7842 		(struct kerberos_display_key_state *)userdata;
7843 	const enc_key_t *ek = (const enc_key_t *)data;
7844 	proto_item *item = NULL;
7845 	enc_key_t *sek = NULL;
7846 
7847 	item = proto_tree_add_expert_format(state->tree,
7848 					    state->pinfo,
7849 					    state->expindex,
7850 					    state->tvb,
7851 					    state->start,
7852 					    state->length,
7853 					    "%s %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
7854 					    state->name,
7855 					    ek->key_origin, ek->keytype,
7856 					    ek->id_str, ek->num_same,
7857 					    ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
7858 					    ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
7859 	if (ek->src1 != NULL) {
7860 		sek = ek->src1;
7861 		expert_add_info_format(state->pinfo,
7862 				       item,
7863 				       state->expindex,
7864 				       "SRC1 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
7865 				       sek->key_origin, sek->keytype,
7866 				       sek->id_str, sek->num_same,
7867 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
7868 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
7869 	}
7870 	if (ek->src2 != NULL) {
7871 		sek = ek->src2;
7872 		expert_add_info_format(state->pinfo,
7873 				       item,
7874 				       state->expindex,
7875 				       "SRC2 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
7876 				       sek->key_origin, sek->keytype,
7877 				       sek->id_str, sek->num_same,
7878 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
7879 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
7880 	}
7881 	sek = ek->same_list;
7882 	while (sek != NULL) {
7883 		expert_add_info_format(state->pinfo,
7884 				       item,
7885 				       state->expindex,
7886 				       "%s %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
7887 				       state->name,
7888 				       sek->key_origin, sek->keytype,
7889 				       sek->id_str, sek->num_same,
7890 				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
7891 				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
7892 		sek = sek->same_list;
7893 	}
7894 #endif /* HAVE_KERBEROS */
7895 }
7896 
7897 static const value_string KERB_LOGON_SUBMIT_TYPE[] = {
7898     { 2, "KerbInteractiveLogon" },
7899     { 6, "KerbSmartCardLogon" },
7900     { 7, "KerbWorkstationUnlockLogon" },
7901     { 8, "KerbSmartCardUnlockLogon" },
7902     { 9, "KerbProxyLogon" },
7903     { 10, "KerbTicketLogon" },
7904     { 11, "KerbTicketUnlockLogon" },
7905     { 12, "KerbS4ULogon" },
7906     { 13, "KerbCertificateLogon" },
7907     { 14, "KerbCertificateS4ULogon" },
7908     { 15, "KerbCertificateUnlockLogon" },
7909     { 0, NULL }
7910 };
7911 
7912 
7913 #define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1
7914 #define KERB_LOGON_FLAG_REDIRECTED           0x2
7915 
7916 static int* const ktl_flags_bits[] = {
7917 	&hf_kerberos_KERB_TICKET_LOGON_FLAG_ALLOW_EXPIRED_TICKET,
7918 	&hf_kerberos_KERB_TICKET_LOGON_FLAG_REDIRECTED,
7919 	NULL
7920 };
7921 
7922 int
7923 dissect_kerberos_KERB_TICKET_LOGON(tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree)
7924 {
7925 	proto_item *item;
7926 	proto_tree *subtree;
7927 	guint32 ServiceTicketLength;
7928 	guint32 TicketGrantingTicketLength;
7929 	int orig_offset;
7930 
7931 	if (tvb_captured_length(tvb) < 32)
7932 		return offset;
7933 
7934 	item = proto_tree_add_item(tree, hf_kerberos_KERB_TICKET_LOGON, tvb, offset, -1, ENC_NA);
7935 	subtree = proto_item_add_subtree(item, ett_kerberos_KERB_TICKET_LOGON);
7936 
7937 	proto_tree_add_item(subtree, hf_kerberos_KERB_TICKET_LOGON_MessageType, tvb, offset, 4,
7938 			    ENC_LITTLE_ENDIAN);
7939 	offset+=4;
7940 
7941 	proto_tree_add_bitmask(subtree, tvb, offset, hf_kerberos_KERB_TICKET_LOGON_Flags,
7942 			       ett_kerberos, ktl_flags_bits, ENC_LITTLE_ENDIAN);
7943 	offset+=4;
7944 
7945 	ServiceTicketLength = tvb_get_letohl(tvb, offset);
7946 	proto_tree_add_item(subtree, hf_kerberos_KERB_TICKET_LOGON_ServiceTicketLength, tvb,
7947 			    offset, 4, ENC_LITTLE_ENDIAN);
7948 	offset+=4;
7949 
7950 	TicketGrantingTicketLength = tvb_get_letohl(tvb, offset);
7951 	proto_tree_add_item(subtree, hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicketLength,
7952 			    tvb, offset, 4, ENC_LITTLE_ENDIAN);
7953 	offset+=4;
7954 
7955 	/* Skip two PUCHAR of ServiceTicket and TicketGrantingTicket */
7956 	offset+=16;
7957 
7958 	if (ServiceTicketLength == 0)
7959 		return offset;
7960 
7961 	orig_offset = offset;
7962 	offset = dissect_kerberos_Ticket(FALSE, tvb, offset, actx, subtree,
7963 					 hf_kerberos_KERB_TICKET_LOGON_ServiceTicket);
7964 
7965 	if ((unsigned)(offset-orig_offset) != ServiceTicketLength)
7966 		return offset;
7967 
7968 	if (TicketGrantingTicketLength == 0)
7969 		return offset;
7970 
7971 	offset = dissect_kerberos_KRB_CRED(FALSE, tvb, offset, actx, subtree,
7972 					   hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicket);
7973 
7974 	if ((unsigned)(offset-orig_offset) != ServiceTicketLength + TicketGrantingTicketLength)
7975 		return offset;
7976 
7977 	return offset;
7978 }
7979 
7980 static gint
7981 dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7982     gboolean dci, gboolean do_col_protocol, gboolean have_rm,
7983     kerberos_callbacks *cb)
7984 {
7985 	volatile int offset = 0;
7986 	proto_tree *volatile kerberos_tree = NULL;
7987 	proto_item *volatile item = NULL;
7988 	kerberos_private_data_t *private_data = NULL;
7989 	asn1_ctx_t asn1_ctx;
7990 
7991 	/* TCP record mark and length */
7992 	guint32 krb_rm = 0;
7993 	gint krb_reclen = 0;
7994 
7995 	gbl_do_col_info=dci;
7996 
7997 	if (have_rm) {
7998 		krb_rm = tvb_get_ntohl(tvb, offset);
7999 		krb_reclen = kerberos_rm_to_reclen(krb_rm);
8000 		/*
8001 		 * What is a reasonable size limit?
8002 		 */
8003 		if (krb_reclen > 10 * 1024 * 1024) {
8004 			return (-1);
8005 		}
8006 
8007 		if (do_col_protocol) {
8008 			col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
8009 		}
8010 
8011 		if (tree) {
8012 			item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
8013 			kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
8014 		}
8015 
8016 		show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm);
8017 		offset += 4;
8018 	} else {
8019 		/* Do some sanity checking here,
8020 		 * All krb5 packets start with a TAG class that is BER_CLASS_APP
8021 		 * and a tag value that is either of the values below:
8022 		 * If it doesn't look like kerberos, return 0 and let someone else have
8023 		 * a go at it.
8024 		 */
8025 		gint8 tmp_class;
8026 		gboolean tmp_pc;
8027 		gint32 tmp_tag;
8028 
8029 		get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag);
8030 		if(tmp_class!=BER_CLASS_APP){
8031 			return 0;
8032 		}
8033 		switch(tmp_tag){
8034 			case KRB5_MSG_TICKET:
8035 			case KRB5_MSG_AUTHENTICATOR:
8036 			case KRB5_MSG_ENC_TICKET_PART:
8037 			case KRB5_MSG_AS_REQ:
8038 			case KRB5_MSG_AS_REP:
8039 			case KRB5_MSG_TGS_REQ:
8040 			case KRB5_MSG_TGS_REP:
8041 			case KRB5_MSG_AP_REQ:
8042 			case KRB5_MSG_AP_REP:
8043 			case KRB5_MSG_ENC_AS_REP_PART:
8044 			case KRB5_MSG_ENC_TGS_REP_PART:
8045 			case KRB5_MSG_ENC_AP_REP_PART:
8046 			case KRB5_MSG_ENC_KRB_PRIV_PART:
8047 			case KRB5_MSG_ENC_KRB_CRED_PART:
8048 			case KRB5_MSG_SAFE:
8049 			case KRB5_MSG_PRIV:
8050 			case KRB5_MSG_ERROR:
8051 				break;
8052 			default:
8053 				return 0;
8054 		}
8055 		if (do_col_protocol) {
8056 			col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
8057 		}
8058 		if (gbl_do_col_info) {
8059 			col_clear(pinfo->cinfo, COL_INFO);
8060 		}
8061 		if (tree) {
8062 			item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
8063 			kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
8064 		}
8065 	}
8066 	asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
8067 	asn1_ctx.private_data = NULL;
8068 	private_data = kerberos_get_private_data(&asn1_ctx);
8069 	private_data->callbacks = cb;
8070 
8071 	TRY {
8072 		offset=dissect_kerberos_Applications(FALSE, tvb, offset, &asn1_ctx , kerberos_tree, /* hf_index */ -1);
8073 	} CATCH_BOUNDS_ERRORS {
8074 		RETHROW;
8075 	} ENDTRY;
8076 
8077 	if (kerberos_tree != NULL) {
8078 		struct kerberos_display_key_state display_state = {
8079 			.tree = kerberos_tree,
8080 			.pinfo = pinfo,
8081 			.expindex = &ei_kerberos_learnt_keytype,
8082 			.name = "Provides",
8083 			.tvb = tvb,
8084 		};
8085 
8086 		wmem_list_foreach(private_data->learnt_keys,
8087 				  kerberos_display_key,
8088 				  &display_state);
8089 	}
8090 
8091 	if (kerberos_tree != NULL) {
8092 		struct kerberos_display_key_state display_state = {
8093 			.tree = kerberos_tree,
8094 			.pinfo = pinfo,
8095 			.expindex = &ei_kerberos_missing_keytype,
8096 			.name = "Missing",
8097 			.tvb = tvb,
8098 		};
8099 
8100 		wmem_list_foreach(private_data->missing_keys,
8101 				  kerberos_display_key,
8102 				  &display_state);
8103 	}
8104 
8105 	if (kerberos_tree != NULL) {
8106 		struct kerberos_display_key_state display_state = {
8107 			.tree = kerberos_tree,
8108 			.pinfo = pinfo,
8109 			.expindex = &ei_kerberos_decrypted_keytype,
8110 			.name = "Used",
8111 			.tvb = tvb,
8112 		};
8113 
8114 		wmem_list_foreach(private_data->decryption_keys,
8115 				  kerberos_display_key,
8116 				  &display_state);
8117 	}
8118 
8119 	proto_item_set_len(item, offset);
8120 	return offset;
8121 }
8122 
8123 /*
8124  * Display the TCP record mark.
8125  */
8126 void
8127 show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm)
8128 {
8129 	gint rec_len;
8130 	proto_tree *rm_tree;
8131 
8132 	if (tree == NULL)
8133 		return;
8134 
8135 	rec_len = kerberos_rm_to_reclen(krb_rm);
8136 	rm_tree = proto_tree_add_subtree_format(tree, tvb, start, 4, ett_krb_recordmark, NULL,
8137 		"Record Mark: %u %s", rec_len, plurality(rec_len, "byte", "bytes"));
8138 	proto_tree_add_boolean(rm_tree, hf_krb_rm_reserved, tvb, start, 4, krb_rm);
8139 	proto_tree_add_uint(rm_tree, hf_krb_rm_reclen, tvb, start, 4, krb_rm);
8140 }
8141 
8142 gint
8143 dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int do_col_info, kerberos_callbacks *cb)
8144 {
8145 	return (dissect_kerberos_common(tvb, pinfo, tree, do_col_info, FALSE, FALSE, cb));
8146 }
8147 
8148 guint32
8149 kerberos_output_keytype(void)
8150 {
8151 	return gbl_keytype;
8152 }
8153 
8154 static gint
8155 dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
8156 {
8157 	/* Some weird kerberos implementation apparently do krb4 on the krb5 port.
8158 	   Since all (except weirdo transarc krb4 stuff) use
8159 	   an opcode <=16 in the first byte, use this to see if it might
8160 	   be krb4.
8161 	   All krb5 commands start with an APPL tag and thus is >=0x60
8162 	   so if first byte is <=16  just blindly assume it is krb4 then
8163 	*/
8164 	if(tvb_captured_length(tvb) >= 1 && tvb_get_guint8(tvb, 0)<=0x10){
8165 		if(krb4_handle){
8166 			gboolean res;
8167 
8168 			res=call_dissector_only(krb4_handle, tvb, pinfo, tree, NULL);
8169 			return res;
8170 		}else{
8171 			return 0;
8172 		}
8173 	}
8174 
8175 
8176 	return dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, FALSE, NULL);
8177 }
8178 
8179 gint
8180 kerberos_rm_to_reclen(guint krb_rm)
8181 {
8182     return (krb_rm & KRB_RM_RECLEN);
8183 }
8184 
8185 guint
8186 get_krb_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
8187 {
8188 	guint krb_rm;
8189 	gint pdulen;
8190 
8191 	krb_rm = tvb_get_ntohl(tvb, offset);
8192 	pdulen = kerberos_rm_to_reclen(krb_rm);
8193 	return (pdulen + 4);
8194 }
8195 static void
8196 kerberos_prefs_apply_cb(void) {
8197 #ifdef HAVE_LIBNETTLE
8198 	clear_keytab();
8199 	read_keytab_file(keytab_filename);
8200 #endif
8201 }
8202 
8203 static int
8204 dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
8205 {
8206 	pinfo->fragmented = TRUE;
8207 	if (dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, TRUE, NULL) < 0) {
8208 		/*
8209 		 * The dissector failed to recognize this as a valid
8210 		 * Kerberos message.  Mark it as a continuation packet.
8211 		 */
8212 		col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
8213 	}
8214 
8215 	return tvb_captured_length(tvb);
8216 }
8217 
8218 static int
8219 dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
8220 {
8221 	col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
8222 	col_clear(pinfo->cinfo, COL_INFO);
8223 
8224 	tcp_dissect_pdus(tvb, pinfo, tree, krb_desegment, 4, get_krb_pdu_len,
8225 					 dissect_kerberos_tcp_pdu, data);
8226 	return tvb_captured_length(tvb);
8227 }
8228 
8229 /*--- proto_register_kerberos -------------------------------------------*/
8230 void proto_register_kerberos(void) {
8231 
8232 	/* List of fields */
8233 
8234 	static hf_register_info hf[] = {
8235 	{ &hf_krb_rm_reserved, {
8236 		"Reserved", "kerberos.rm.reserved", FT_BOOLEAN, 32,
8237 		TFS(&tfs_set_notset), KRB_RM_RESERVED, "Record mark reserved bit", HFILL }},
8238 	{ &hf_krb_rm_reclen, {
8239 		"Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC,
8240 		NULL, KRB_RM_RECLEN, NULL, HFILL }},
8241 	{ &hf_krb_provsrv_location, {
8242 		"PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE,
8243 		NULL, 0, "PacketCable PROV SRV Location", HFILL }},
8244 	{ &hf_krb_pw_salt,
8245 		{ "pw-salt", "kerberos.pw_salt", FT_BYTES, BASE_NONE,
8246 		NULL, 0, NULL, HFILL }},
8247 	{ &hf_krb_ext_error_nt_status, /* we keep kerberos.smb.nt_status for compat reasons */
8248 		{ "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX,
8249 		VALS(NT_errors), 0, "NT Status code", HFILL }},
8250 	{ &hf_krb_ext_error_reserved,
8251 		{ "Reserved", "kerberos.ext_error.reserved", FT_UINT32, BASE_HEX,
8252 		NULL, 0, NULL, HFILL }},
8253 	{ &hf_krb_ext_error_flags,
8254 		{ "Flags", "kerberos.ext_error.flags", FT_UINT32, BASE_HEX,
8255 		NULL, 0, NULL, HFILL }},
8256 	{ &hf_krb_address_ip, {
8257 		"IP Address", "kerberos.addr_ip", FT_IPv4, BASE_NONE,
8258 		NULL, 0, NULL, HFILL }},
8259 	{ &hf_krb_address_ipv6, {
8260 		"IPv6 Address", "kerberos.addr_ipv6", FT_IPv6, BASE_NONE,
8261 		NULL, 0, NULL, HFILL }},
8262 	{ &hf_krb_address_netbios, {
8263 		"NetBIOS Address", "kerberos.addr_nb", FT_STRING, BASE_NONE,
8264 		NULL, 0, "NetBIOS Address and type", HFILL }},
8265 	{ &hf_krb_gssapi_len, {
8266 		"Length", "kerberos.gssapi.len", FT_UINT32, BASE_DEC,
8267 		NULL, 0, "Length of GSSAPI Bnd field", HFILL }},
8268 	{ &hf_krb_gssapi_bnd, {
8269 		"Bnd", "kerberos.gssapi.bdn", FT_BYTES, BASE_NONE,
8270 		NULL, 0, "GSSAPI Bnd field", HFILL }},
8271 	{ &hf_krb_gssapi_c_flag_deleg, {
8272 		"Deleg", "kerberos.gssapi.checksum.flags.deleg", FT_BOOLEAN, 32,
8273 		TFS(&tfs_gss_flags_deleg), KRB5_GSS_C_DELEG_FLAG, NULL, HFILL }},
8274 	{ &hf_krb_gssapi_c_flag_mutual, {
8275 		"Mutual", "kerberos.gssapi.checksum.flags.mutual", FT_BOOLEAN, 32,
8276 		TFS(&tfs_gss_flags_mutual), KRB5_GSS_C_MUTUAL_FLAG, NULL, HFILL }},
8277 	{ &hf_krb_gssapi_c_flag_replay, {
8278 		"Replay", "kerberos.gssapi.checksum.flags.replay", FT_BOOLEAN, 32,
8279 		TFS(&tfs_gss_flags_replay), KRB5_GSS_C_REPLAY_FLAG, NULL, HFILL }},
8280 	{ &hf_krb_gssapi_c_flag_sequence, {
8281 		"Sequence", "kerberos.gssapi.checksum.flags.sequence", FT_BOOLEAN, 32,
8282 		TFS(&tfs_gss_flags_sequence), KRB5_GSS_C_SEQUENCE_FLAG, NULL, HFILL }},
8283 	{ &hf_krb_gssapi_c_flag_conf, {
8284 		"Conf", "kerberos.gssapi.checksum.flags.conf", FT_BOOLEAN, 32,
8285 		TFS(&tfs_gss_flags_conf), KRB5_GSS_C_CONF_FLAG, NULL, HFILL }},
8286 	{ &hf_krb_gssapi_c_flag_integ, {
8287 		"Integ", "kerberos.gssapi.checksum.flags.integ", FT_BOOLEAN, 32,
8288 		TFS(&tfs_gss_flags_integ), KRB5_GSS_C_INTEG_FLAG, NULL, HFILL }},
8289 	{ &hf_krb_gssapi_c_flag_dce_style, {
8290 		"DCE-style", "kerberos.gssapi.checksum.flags.dce-style", FT_BOOLEAN, 32,
8291 		TFS(&tfs_gss_flags_dce_style), KRB5_GSS_C_DCE_STYLE, NULL, HFILL }},
8292 	{ &hf_krb_gssapi_dlgopt, {
8293 		"DlgOpt", "kerberos.gssapi.dlgopt", FT_UINT16, BASE_DEC,
8294 		NULL, 0, "GSSAPI DlgOpt", HFILL }},
8295 	{ &hf_krb_gssapi_dlglen, {
8296 		"DlgLen", "kerberos.gssapi.dlglen", FT_UINT16, BASE_DEC,
8297 		NULL, 0, "GSSAPI DlgLen", HFILL }},
8298 	{ &hf_krb_midl_blob_len, {
8299 		"Blob Length", "kerberos.midl_blob_len", FT_UINT64, BASE_DEC,
8300 		NULL, 0, "Length of NDR encoded data that follows", HFILL }},
8301 	{ &hf_krb_midl_fill_bytes, {
8302 		"Fill bytes", "kerberos.midl.fill_bytes", FT_UINT32, BASE_HEX,
8303 		NULL, 0, "Just some fill bytes", HFILL }},
8304 	{ &hf_krb_midl_version, {
8305 	"Version", "kerberos.midl.version", FT_UINT8, BASE_DEC,
8306 	NULL, 0, "Version of pickling", HFILL }},
8307 	{ &hf_krb_midl_hdr_len, {
8308 		"HDR Length", "kerberos.midl.hdr_len", FT_UINT16, BASE_DEC,
8309 		NULL, 0, "Length of header", HFILL }},
8310 	{ &hf_krb_pac_signature_type, {
8311 		"Type", "kerberos.pac.signature.type", FT_INT32, BASE_DEC,
8312 		NULL, 0, "PAC Signature Type", HFILL }},
8313 	{ &hf_krb_pac_signature_signature, {
8314 		"Signature", "kerberos.pac.signature.signature", FT_BYTES, BASE_NONE,
8315 		NULL, 0, "A PAC signature blob", HFILL }},
8316 	{ &hf_krb_w2k_pac_entries, {
8317 		"Num Entries", "kerberos.pac.entries", FT_UINT32, BASE_DEC,
8318 		NULL, 0, "Number of W2k PAC entries", HFILL }},
8319 	{ &hf_krb_w2k_pac_version, {
8320 		"Version", "kerberos.pac.version", FT_UINT32, BASE_DEC,
8321 		NULL, 0, "Version of PAC structures", HFILL }},
8322 	{ &hf_krb_w2k_pac_type, {
8323 		"Type", "kerberos.pac.type", FT_UINT32, BASE_DEC,
8324 		VALS(w2k_pac_types), 0, "Type of W2k PAC entry", HFILL }},
8325 	{ &hf_krb_w2k_pac_size, {
8326 		"Size", "kerberos.pac.size", FT_UINT32, BASE_DEC,
8327 		NULL, 0, "Size of W2k PAC entry", HFILL }},
8328 	{ &hf_krb_w2k_pac_offset, {
8329 		"Offset", "kerberos.pac.offset", FT_UINT32, BASE_DEC,
8330 		NULL, 0, "Offset to W2k PAC entry", HFILL }},
8331 	{ &hf_krb_pac_clientid, {
8332 		"ClientID", "kerberos.pac.clientid", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8333 		NULL, 0, "ClientID Timestamp", HFILL }},
8334 	{ &hf_krb_pac_namelen, {
8335 		"Name Length", "kerberos.pac.namelen", FT_UINT16, BASE_DEC,
8336 		NULL, 0, "Length of client name", HFILL }},
8337 	{ &hf_krb_pac_clientname, {
8338 		"Name", "kerberos.pac.name", FT_STRING, BASE_NONE,
8339 		NULL, 0, "Name of the Client in the PAC structure", HFILL }},
8340 	{ &hf_krb_pac_logon_info, {
8341 		"PAC_LOGON_INFO", "kerberos.pac_logon_info", FT_BYTES, BASE_NONE,
8342 		NULL, 0, "PAC_LOGON_INFO structure", HFILL }},
8343 	{ &hf_krb_pac_credential_data, {
8344 		"PAC_CREDENTIAL_DATA", "kerberos.pac_credential_data", FT_BYTES, BASE_NONE,
8345 		NULL, 0, "PAC_CREDENTIAL_DATA structure", HFILL }},
8346 	{ &hf_krb_pac_credential_info, {
8347 		"PAC_CREDENTIAL_INFO", "kerberos.pac_credential_info", FT_BYTES, BASE_NONE,
8348 		NULL, 0, "PAC_CREDENTIAL_INFO structure", HFILL }},
8349 	{ &hf_krb_pac_credential_info_version, {
8350 		"Version", "kerberos.pac_credential_info.version", FT_UINT32, BASE_DEC,
8351 		NULL, 0, NULL, HFILL }},
8352 	{ &hf_krb_pac_credential_info_etype, {
8353 		"Etype", "kerberos.pac_credential_info.etype", FT_UINT32, BASE_DEC,
8354 		NULL, 0, NULL, HFILL }},
8355 	{ &hf_krb_pac_server_checksum, {
8356 		"PAC_SERVER_CHECKSUM", "kerberos.pac_server_checksum", FT_BYTES, BASE_NONE,
8357 		NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }},
8358 	{ &hf_krb_pac_privsvr_checksum, {
8359 		"PAC_PRIVSVR_CHECKSUM", "kerberos.pac_privsvr_checksum", FT_BYTES, BASE_NONE,
8360 		NULL, 0, "PAC_PRIVSVR_CHECKSUM structure", HFILL }},
8361 	{ &hf_krb_pac_client_info_type, {
8362 		"PAC_CLIENT_INFO_TYPE", "kerberos.pac_client_info_type", FT_BYTES, BASE_NONE,
8363 		NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }},
8364 	{ &hf_krb_pac_s4u_delegation_info, {
8365 		"PAC_S4U_DELEGATION_INFO", "kerberos.pac_s4u_delegation_info", FT_BYTES, BASE_NONE,
8366 		NULL, 0, "PAC_S4U_DELEGATION_INFO structure", HFILL }},
8367 	{ &hf_krb_pac_upn_dns_info, {
8368 		"UPN_DNS_INFO", "kerberos.pac_upn_dns_info", FT_BYTES, BASE_NONE,
8369 		NULL, 0, "UPN_DNS_INFO structure", HFILL }},
8370 	{ &hf_krb_pac_upn_flags, {
8371 		"Flags", "kerberos.pac.upn.flags", FT_UINT32, BASE_HEX,
8372 		NULL, 0, "UPN flags", HFILL }},
8373 	{ &hf_krb_pac_upn_dns_offset, {
8374 		"DNS Offset", "kerberos.pac.upn.dns_offset", FT_UINT16, BASE_DEC,
8375 		NULL, 0, NULL, HFILL }},
8376 	{ &hf_krb_pac_upn_dns_len, {
8377 		"DNS Len", "kerberos.pac.upn.dns_len", FT_UINT16, BASE_DEC,
8378 		NULL, 0, NULL, HFILL }},
8379 	{ &hf_krb_pac_upn_upn_offset, {
8380 		"UPN Offset", "kerberos.pac.upn.upn_offset", FT_UINT16, BASE_DEC,
8381 		NULL, 0, NULL, HFILL }},
8382 	{ &hf_krb_pac_upn_upn_len, {
8383 		"UPN Len", "kerberos.pac.upn.upn_len", FT_UINT16, BASE_DEC,
8384 		NULL, 0, NULL, HFILL }},
8385 	{ &hf_krb_pac_upn_upn_name, {
8386 		"UPN Name", "kerberos.pac.upn.upn_name", FT_STRING, BASE_NONE,
8387 		NULL, 0, NULL, HFILL }},
8388 	{ &hf_krb_pac_upn_dns_name, {
8389 		"DNS Name", "kerberos.pac.upn.dns_name", FT_STRING, BASE_NONE,
8390 		NULL, 0, NULL, HFILL }},
8391 	{ &hf_krb_pac_client_claims_info, {
8392 		"PAC_CLIENT_CLAIMS_INFO", "kerberos.pac_client_claims_info", FT_BYTES, BASE_NONE,
8393 		NULL, 0, "PAC_CLIENT_CLAIMS_INFO structure", HFILL }},
8394 	{ &hf_krb_pac_device_info, {
8395 		"PAC_DEVICE_INFO", "kerberos.pac_device_info", FT_BYTES, BASE_NONE,
8396 		NULL, 0, "PAC_DEVICE_INFO structure", HFILL }},
8397 	{ &hf_krb_pac_device_claims_info, {
8398 		"PAC_DEVICE_CLAIMS_INFO", "kerberos.pac_device_claims_info", FT_BYTES, BASE_NONE,
8399 		NULL, 0, "PAC_DEVICE_CLAIMS_INFO structure", HFILL }},
8400 	{ &hf_krb_pac_ticket_checksum, {
8401 		"PAC_TICKET_CHECKSUM", "kerberos.pac_ticket_checksum", FT_BYTES, BASE_NONE,
8402 		NULL, 0, "PAC_TICKET_CHECKSUM structure", HFILL }},
8403 	{ &hf_krb_pa_supported_enctypes,
8404 	  { "SupportedEnctypes", "kerberos.supported_entypes",
8405 	    FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
8406 	{ &hf_krb_pa_supported_enctypes_des_cbc_crc,
8407 	  { "des-cbc-crc", "kerberos.supported_entypes.des-cbc-crc",
8408 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000001, NULL, HFILL }},
8409 	{ &hf_krb_pa_supported_enctypes_des_cbc_md5,
8410 	  { "des-cbc-md5", "kerberos.supported_entypes.des-cbc-md5",
8411 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000002, NULL, HFILL }},
8412 	{ &hf_krb_pa_supported_enctypes_rc4_hmac,
8413 	  { "rc4-hmac", "kerberos.supported_entypes.rc4-hmac",
8414 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000004, NULL, HFILL }},
8415 	{ &hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
8416 	  { "aes128-cts-hmac-sha1-96", "kerberos.supported_entypes.aes128-cts-hmac-sha1-96",
8417 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000008, NULL, HFILL }},
8418 	{ &hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
8419 	  { "aes256-cts-hmac-sha1-96", "kerberos.supported_entypes.aes256-cts-hmac-sha1-96",
8420 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000010, NULL, HFILL }},
8421 	{ &hf_krb_pa_supported_enctypes_fast_supported,
8422 	  { "fast-supported", "kerberos.supported_entypes.fast-supported",
8423 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00010000, NULL, HFILL }},
8424 	{ &hf_krb_pa_supported_enctypes_compound_identity_supported,
8425 	  { "compound-identity-supported", "kerberos.supported_entypes.compound-identity-supported",
8426 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00020000, NULL, HFILL }},
8427 	{ &hf_krb_pa_supported_enctypes_claims_supported,
8428 	  { "claims-supported", "kerberos.supported_entypes.claims-supported",
8429 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00040000, NULL, HFILL }},
8430 	{ &hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
8431 	  { "resource-sid-compression-disabled", "kerberos.supported_entypes.resource-sid-compression-disabled",
8432 		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00080000, NULL, HFILL }},
8433 	{ &hf_krb_ad_ap_options,
8434 	  { "AD-AP-Options", "kerberos.ad_ap_options",
8435 	    FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
8436 	{ &hf_krb_ad_ap_options_cbt,
8437 	  { "ChannelBindings", "kerberos.ad_ap_options.cbt",
8438 		FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x00004000, NULL, HFILL }},
8439 	{ &hf_krb_ad_target_principal,
8440 	  { "Target Principal", "kerberos.ad_target_principal",
8441 	    FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
8442 	{ &hf_krb_key_hidden_item,
8443 	  { "KeyHiddenItem", "krb5.key_hidden_item",
8444 	    FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
8445     { &hf_kerberos_KERB_TICKET_LOGON,
8446       { "KERB_TICKET_LOGON", "kerberos.KERB_TICKET_LOGON",
8447         FT_NONE, BASE_NONE, NULL, 0,
8448         NULL, HFILL }},
8449     { &hf_kerberos_KERB_TICKET_LOGON_MessageType,
8450       { "MessageType", "kerberos.KERB_TICKET_LOGON.MessageType",
8451         FT_UINT32, BASE_DEC, VALS(KERB_LOGON_SUBMIT_TYPE), 0,
8452         NULL, HFILL }},
8453     { &hf_kerberos_KERB_TICKET_LOGON_Flags,
8454       { "Flags", "kerberos.KERB_TICKET_LOGON.Flags",
8455         FT_UINT32, BASE_DEC, NULL, 0,
8456         NULL, HFILL }},
8457     { &hf_kerberos_KERB_TICKET_LOGON_ServiceTicketLength,
8458       { "ServiceTicketLength", "kerberos.KERB_TICKET_LOGON.ServiceTicketLength",
8459         FT_UINT32, BASE_DEC, NULL, 0,
8460         NULL, HFILL }},
8461     { &hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicketLength,
8462       { "TicketGrantingTicketLength", "kerberos.KERB_TICKET_LOGON.TicketGrantingTicketLength",
8463         FT_UINT32, BASE_DEC, NULL, 0,
8464         NULL, HFILL }},
8465     { &hf_kerberos_KERB_TICKET_LOGON_ServiceTicket,
8466       { "ServiceTicket", "kerberos.KERB_TICKET_LOGON.ServiceTicket",
8467         FT_NONE, BASE_NONE, NULL, 0,
8468         NULL, HFILL }},
8469     { &hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicket,
8470       { "TicketGrantingTicket", "kerberos.KERB_TICKET_LOGON.TicketGrantingTicket",
8471         FT_NONE, BASE_NONE, NULL, 0,
8472         NULL, HFILL }},
8473     { &hf_kerberos_KERB_TICKET_LOGON_FLAG_ALLOW_EXPIRED_TICKET,
8474       { "allow_expired_ticket", "kerberos.KERB_TICKET_LOGON.FLAG_ALLOW_EXPIRED_TICKET",
8475         FT_BOOLEAN, 32, NULL, KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET,
8476         NULL, HFILL }},
8477     { &hf_kerberos_KERB_TICKET_LOGON_FLAG_REDIRECTED,
8478       { "redirected", "kerberos.KERB_TICKET_LOGON.FLAG_REDIRECTED",
8479         FT_BOOLEAN, 32, NULL, KERB_LOGON_FLAG_REDIRECTED,
8480         NULL, HFILL }},
8481 #ifdef HAVE_KERBEROS
8482 	{ &hf_kerberos_KrbFastResponse,
8483 	   { "KrbFastResponse", "kerberos.KrbFastResponse_element",
8484 	    FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
8485 	{ &hf_kerberos_strengthen_key,
8486       { "strengthen-key", "kerberos.strengthen_key_element",
8487         FT_NONE, BASE_NONE, NULL, 0,
8488         NULL, HFILL }},
8489     { &hf_kerberos_finished,
8490       { "finished", "kerberos.finished_element",
8491         FT_NONE, BASE_NONE, NULL, 0,
8492         "KrbFastFinished", HFILL }},
8493     { &hf_kerberos_fast_options,
8494       { "fast-options", "kerberos.fast_options",
8495         FT_BYTES, BASE_NONE, NULL, 0,
8496         "FastOptions", HFILL }},
8497     { &hf_kerberos_FastOptions_reserved,
8498       { "reserved", "kerberos.FastOptions.reserved",
8499         FT_BOOLEAN, 8, NULL, 0x80,
8500         NULL, HFILL }},
8501     { &hf_kerberos_FastOptions_hide_client_names,
8502       { "hide-client-names", "kerberos.FastOptions.hide.client.names",
8503         FT_BOOLEAN, 8, NULL, 0x40,
8504         NULL, HFILL }},
8505     { &hf_kerberos_FastOptions_spare_bit2,
8506       { "spare_bit2", "kerberos.FastOptions.spare.bit2",
8507         FT_BOOLEAN, 8, NULL, 0x20,
8508         NULL, HFILL }},
8509     { &hf_kerberos_FastOptions_spare_bit3,
8510       { "spare_bit3", "kerberos.FastOptions.spare.bit3",
8511         FT_BOOLEAN, 8, NULL, 0x10,
8512         NULL, HFILL }},
8513     { &hf_kerberos_FastOptions_spare_bit4,
8514       { "spare_bit4", "kerberos.FastOptions.spare.bit4",
8515         FT_BOOLEAN, 8, NULL, 0x08,
8516         NULL, HFILL }},
8517     { &hf_kerberos_FastOptions_spare_bit5,
8518       { "spare_bit5", "kerberos.FastOptions.spare.bit5",
8519         FT_BOOLEAN, 8, NULL, 0x04,
8520         NULL, HFILL }},
8521     { &hf_kerberos_FastOptions_spare_bit6,
8522       { "spare_bit6", "kerberos.FastOptions.spare.bit6",
8523         FT_BOOLEAN, 8, NULL, 0x02,
8524         NULL, HFILL }},
8525     { &hf_kerberos_FastOptions_spare_bit7,
8526       { "spare_bit7", "kerberos.FastOptions.spare.bit7",
8527         FT_BOOLEAN, 8, NULL, 0x01,
8528         NULL, HFILL }},
8529     { &hf_kerberos_FastOptions_spare_bit8,
8530       { "spare_bit8", "kerberos.FastOptions.spare.bit8",
8531         FT_BOOLEAN, 8, NULL, 0x80,
8532         NULL, HFILL }},
8533     { &hf_kerberos_FastOptions_spare_bit9,
8534       { "spare_bit9", "kerberos.FastOptions.spare.bit9",
8535         FT_BOOLEAN, 8, NULL, 0x40,
8536         NULL, HFILL }},
8537     { &hf_kerberos_FastOptions_spare_bit10,
8538       { "spare_bit10", "kerberos.FastOptions.spare.bit10",
8539         FT_BOOLEAN, 8, NULL, 0x20,
8540         NULL, HFILL }},
8541     { &hf_kerberos_FastOptions_spare_bit11,
8542       { "spare_bit11", "kerberos.FastOptions.spare.bit11",
8543         FT_BOOLEAN, 8, NULL, 0x10,
8544         NULL, HFILL }},
8545     { &hf_kerberos_FastOptions_spare_bit12,
8546       { "spare_bit12", "kerberos.FastOptions.spare.bit12",
8547         FT_BOOLEAN, 8, NULL, 0x08,
8548         NULL, HFILL }},
8549     { &hf_kerberos_FastOptions_spare_bit13,
8550       { "spare_bit13", "kerberos.FastOptions.spare.bit13",
8551         FT_BOOLEAN, 8, NULL, 0x04,
8552         NULL, HFILL }},
8553     { &hf_kerberos_FastOptions_spare_bit14,
8554       { "spare_bit14", "kerberos.FastOptions.spare.bit14",
8555         FT_BOOLEAN, 8, NULL, 0x02,
8556         NULL, HFILL }},
8557     { &hf_kerberos_FastOptions_spare_bit15,
8558       { "spare_bit15", "kerberos.FastOptions.spare.bit15",
8559         FT_BOOLEAN, 8, NULL, 0x01,
8560         NULL, HFILL }},
8561     { &hf_kerberos_FastOptions_kdc_follow_referrals,
8562       { "kdc-follow-referrals", "kerberos.FastOptions.kdc.follow.referrals",
8563         FT_BOOLEAN, 8, NULL, 0x80,
8564         NULL, HFILL }},
8565     { &hf_kerberos_ticket_checksum,
8566       { "ticket-checksum", "kerberos.ticket_checksum_element",
8567         FT_NONE, BASE_NONE, NULL, 0,
8568         "Checksum", HFILL }},
8569     { &hf_krb_patimestamp,
8570       { "patimestamp", "kerberos.patimestamp",
8571         FT_STRING, BASE_NONE, NULL, 0, "KerberosTime", HFILL }},
8572     { &hf_krb_pausec,
8573       { "pausec", "kerberos.pausec",
8574         FT_UINT32, BASE_DEC, NULL, 0, "Microseconds", HFILL }},
8575 #endif /* HAVE_KERBEROS */
8576 
8577 
8578 /*--- Included file: packet-kerberos-hfarr.c ---*/
8579 #line 1 "./asn1/kerberos/packet-kerberos-hfarr.c"
8580     { &hf_kerberos_ticket,
8581       { "ticket", "kerberos.ticket_element",
8582         FT_NONE, BASE_NONE, NULL, 0,
8583         NULL, HFILL }},
8584     { &hf_kerberos_authenticator,
8585       { "authenticator", "kerberos.authenticator_element",
8586         FT_NONE, BASE_NONE, NULL, 0,
8587         NULL, HFILL }},
8588     { &hf_kerberos_encTicketPart,
8589       { "encTicketPart", "kerberos.encTicketPart_element",
8590         FT_NONE, BASE_NONE, NULL, 0,
8591         NULL, HFILL }},
8592     { &hf_kerberos_as_req,
8593       { "as-req", "kerberos.as_req_element",
8594         FT_NONE, BASE_NONE, NULL, 0,
8595         NULL, HFILL }},
8596     { &hf_kerberos_as_rep,
8597       { "as-rep", "kerberos.as_rep_element",
8598         FT_NONE, BASE_NONE, NULL, 0,
8599         NULL, HFILL }},
8600     { &hf_kerberos_tgs_req,
8601       { "tgs-req", "kerberos.tgs_req_element",
8602         FT_NONE, BASE_NONE, NULL, 0,
8603         NULL, HFILL }},
8604     { &hf_kerberos_tgs_rep,
8605       { "tgs-rep", "kerberos.tgs_rep_element",
8606         FT_NONE, BASE_NONE, NULL, 0,
8607         NULL, HFILL }},
8608     { &hf_kerberos_ap_req,
8609       { "ap-req", "kerberos.ap_req_element",
8610         FT_NONE, BASE_NONE, NULL, 0,
8611         NULL, HFILL }},
8612     { &hf_kerberos_ap_rep,
8613       { "ap-rep", "kerberos.ap_rep_element",
8614         FT_NONE, BASE_NONE, NULL, 0,
8615         NULL, HFILL }},
8616     { &hf_kerberos_krb_safe,
8617       { "krb-safe", "kerberos.krb_safe_element",
8618         FT_NONE, BASE_NONE, NULL, 0,
8619         NULL, HFILL }},
8620     { &hf_kerberos_krb_priv,
8621       { "krb-priv", "kerberos.krb_priv_element",
8622         FT_NONE, BASE_NONE, NULL, 0,
8623         NULL, HFILL }},
8624     { &hf_kerberos_krb_cred,
8625       { "krb-cred", "kerberos.krb_cred_element",
8626         FT_NONE, BASE_NONE, NULL, 0,
8627         NULL, HFILL }},
8628     { &hf_kerberos_encASRepPart,
8629       { "encASRepPart", "kerberos.encASRepPart_element",
8630         FT_NONE, BASE_NONE, NULL, 0,
8631         NULL, HFILL }},
8632     { &hf_kerberos_encTGSRepPart,
8633       { "encTGSRepPart", "kerberos.encTGSRepPart_element",
8634         FT_NONE, BASE_NONE, NULL, 0,
8635         NULL, HFILL }},
8636     { &hf_kerberos_encAPRepPart,
8637       { "encAPRepPart", "kerberos.encAPRepPart_element",
8638         FT_NONE, BASE_NONE, NULL, 0,
8639         NULL, HFILL }},
8640     { &hf_kerberos_encKrbPrivPart,
8641       { "encKrbPrivPart", "kerberos.encKrbPrivPart_element",
8642         FT_NONE, BASE_NONE, NULL, 0,
8643         "ENC_KRB_PRIV_PART", HFILL }},
8644     { &hf_kerberos_encKrbCredPart,
8645       { "encKrbCredPart", "kerberos.encKrbCredPart_element",
8646         FT_NONE, BASE_NONE, NULL, 0,
8647         NULL, HFILL }},
8648     { &hf_kerberos_krb_error,
8649       { "krb-error", "kerberos.krb_error_element",
8650         FT_NONE, BASE_NONE, NULL, 0,
8651         NULL, HFILL }},
8652     { &hf_kerberos_name_type,
8653       { "name-type", "kerberos.name_type",
8654         FT_INT32, BASE_DEC, VALS(kerberos_NAME_TYPE_vals), 0,
8655         NULL, HFILL }},
8656     { &hf_kerberos_name_string,
8657       { "name-string", "kerberos.name_string",
8658         FT_UINT32, BASE_DEC, NULL, 0,
8659         "SEQUENCE_OF_KerberosString", HFILL }},
8660     { &hf_kerberos_name_string_item,
8661       { "KerberosString", "kerberos.KerberosString",
8662         FT_STRING, BASE_NONE, NULL, 0,
8663         NULL, HFILL }},
8664     { &hf_kerberos_cname_string,
8665       { "cname-string", "kerberos.cname_string",
8666         FT_UINT32, BASE_DEC, NULL, 0,
8667         "SEQUENCE_OF_CNameString", HFILL }},
8668     { &hf_kerberos_cname_string_item,
8669       { "CNameString", "kerberos.CNameString",
8670         FT_STRING, BASE_NONE, NULL, 0,
8671         NULL, HFILL }},
8672     { &hf_kerberos_sname_string,
8673       { "sname-string", "kerberos.sname_string",
8674         FT_UINT32, BASE_DEC, NULL, 0,
8675         "SEQUENCE_OF_SNameString", HFILL }},
8676     { &hf_kerberos_sname_string_item,
8677       { "SNameString", "kerberos.SNameString",
8678         FT_STRING, BASE_NONE, NULL, 0,
8679         NULL, HFILL }},
8680     { &hf_kerberos_addr_type,
8681       { "addr-type", "kerberos.addr_type",
8682         FT_INT32, BASE_DEC, VALS(kerberos_ADDR_TYPE_vals), 0,
8683         NULL, HFILL }},
8684     { &hf_kerberos_address,
8685       { "address", "kerberos.address",
8686         FT_BYTES, BASE_NONE, NULL, 0,
8687         NULL, HFILL }},
8688     { &hf_kerberos_HostAddresses_item,
8689       { "HostAddress", "kerberos.HostAddress_element",
8690         FT_NONE, BASE_NONE, NULL, 0,
8691         NULL, HFILL }},
8692     { &hf_kerberos_AuthorizationData_item,
8693       { "AuthorizationData item", "kerberos.AuthorizationData_item_element",
8694         FT_NONE, BASE_NONE, NULL, 0,
8695         NULL, HFILL }},
8696     { &hf_kerberos_ad_type,
8697       { "ad-type", "kerberos.ad_type",
8698         FT_INT32, BASE_DEC, VALS(kerberos_AUTHDATA_TYPE_vals), 0,
8699         "AUTHDATA_TYPE", HFILL }},
8700     { &hf_kerberos_ad_data,
8701       { "ad-data", "kerberos.ad_data",
8702         FT_BYTES, BASE_NONE, NULL, 0,
8703         NULL, HFILL }},
8704     { &hf_kerberos_padata_type,
8705       { "padata-type", "kerberos.padata_type",
8706         FT_INT32, BASE_DEC, VALS(kerberos_PADATA_TYPE_vals), 0,
8707         NULL, HFILL }},
8708     { &hf_kerberos_padata_value,
8709       { "padata-value", "kerberos.padata_value",
8710         FT_BYTES, BASE_NONE, NULL, 0,
8711         NULL, HFILL }},
8712     { &hf_kerberos_keytype,
8713       { "keytype", "kerberos.keytype",
8714         FT_INT32, BASE_DEC, NULL, 0,
8715         NULL, HFILL }},
8716     { &hf_kerberos_keyvalue,
8717       { "keyvalue", "kerberos.keyvalue",
8718         FT_BYTES, BASE_NONE, NULL, 0,
8719         NULL, HFILL }},
8720     { &hf_kerberos_cksumtype,
8721       { "cksumtype", "kerberos.cksumtype",
8722         FT_INT32, BASE_DEC, VALS(kerberos_CKSUMTYPE_vals), 0,
8723         NULL, HFILL }},
8724     { &hf_kerberos_checksum,
8725       { "checksum", "kerberos.checksum",
8726         FT_BYTES, BASE_NONE, NULL, 0,
8727         NULL, HFILL }},
8728     { &hf_kerberos_etype,
8729       { "etype", "kerberos.etype",
8730         FT_INT32, BASE_DEC, VALS(kerberos_ENCTYPE_vals), 0,
8731         "ENCTYPE", HFILL }},
8732     { &hf_kerberos_kvno,
8733       { "kvno", "kerberos.kvno",
8734         FT_UINT32, BASE_DEC, NULL, 0,
8735         "UInt32", HFILL }},
8736     { &hf_kerberos_encryptedTicketData_cipher,
8737       { "cipher", "kerberos.cipher",
8738         FT_BYTES, BASE_NONE, NULL, 0,
8739         "T_encryptedTicketData_cipher", HFILL }},
8740     { &hf_kerberos_encryptedAuthorizationData_cipher,
8741       { "cipher", "kerberos.cipher",
8742         FT_BYTES, BASE_NONE, NULL, 0,
8743         "T_encryptedAuthorizationData_cipher", HFILL }},
8744     { &hf_kerberos_encryptedAuthenticator_cipher,
8745       { "cipher", "kerberos.cipher",
8746         FT_BYTES, BASE_NONE, NULL, 0,
8747         "T_encryptedAuthenticator_cipher", HFILL }},
8748     { &hf_kerberos_encryptedKDCREPData_cipher,
8749       { "cipher", "kerberos.cipher",
8750         FT_BYTES, BASE_NONE, NULL, 0,
8751         "T_encryptedKDCREPData_cipher", HFILL }},
8752     { &hf_kerberos_encryptedAPREPData_cipher,
8753       { "cipher", "kerberos.cipher",
8754         FT_BYTES, BASE_NONE, NULL, 0,
8755         "T_encryptedAPREPData_cipher", HFILL }},
8756     { &hf_kerberos_encryptedKrbPrivData_cipher,
8757       { "cipher", "kerberos.cipher",
8758         FT_BYTES, BASE_NONE, NULL, 0,
8759         "T_encryptedKrbPrivData_cipher", HFILL }},
8760     { &hf_kerberos_encryptedKrbCredData_cipher,
8761       { "cipher", "kerberos.cipher",
8762         FT_BYTES, BASE_NONE, NULL, 0,
8763         "T_encryptedKrbCredData_cipher", HFILL }},
8764     { &hf_kerberos_tkt_vno,
8765       { "tkt-vno", "kerberos.tkt_vno",
8766         FT_UINT32, BASE_DEC, NULL, 0,
8767         "INTEGER_5", HFILL }},
8768     { &hf_kerberos_realm,
8769       { "realm", "kerberos.realm",
8770         FT_STRING, BASE_NONE, NULL, 0,
8771         NULL, HFILL }},
8772     { &hf_kerberos_sname,
8773       { "sname", "kerberos.sname_element",
8774         FT_NONE, BASE_NONE, NULL, 0,
8775         NULL, HFILL }},
8776     { &hf_kerberos_ticket_enc_part,
8777       { "enc-part", "kerberos.enc_part_element",
8778         FT_NONE, BASE_NONE, NULL, 0,
8779         "EncryptedTicketData", HFILL }},
8780     { &hf_kerberos_flags,
8781       { "flags", "kerberos.flags",
8782         FT_BYTES, BASE_NONE, NULL, 0,
8783         "TicketFlags", HFILL }},
8784     { &hf_kerberos_encTicketPart_key,
8785       { "key", "kerberos.key_element",
8786         FT_NONE, BASE_NONE, NULL, 0,
8787         "T_encTicketPart_key", HFILL }},
8788     { &hf_kerberos_crealm,
8789       { "crealm", "kerberos.crealm",
8790         FT_STRING, BASE_NONE, NULL, 0,
8791         "Realm", HFILL }},
8792     { &hf_kerberos_cname,
8793       { "cname", "kerberos.cname_element",
8794         FT_NONE, BASE_NONE, NULL, 0,
8795         NULL, HFILL }},
8796     { &hf_kerberos_transited,
8797       { "transited", "kerberos.transited_element",
8798         FT_NONE, BASE_NONE, NULL, 0,
8799         "TransitedEncoding", HFILL }},
8800     { &hf_kerberos_authtime,
8801       { "authtime", "kerberos.authtime",
8802         FT_STRING, BASE_NONE, NULL, 0,
8803         "KerberosTime", HFILL }},
8804     { &hf_kerberos_starttime,
8805       { "starttime", "kerberos.starttime",
8806         FT_STRING, BASE_NONE, NULL, 0,
8807         "KerberosTime", HFILL }},
8808     { &hf_kerberos_endtime,
8809       { "endtime", "kerberos.endtime",
8810         FT_STRING, BASE_NONE, NULL, 0,
8811         "KerberosTime", HFILL }},
8812     { &hf_kerberos_renew_till,
8813       { "renew-till", "kerberos.renew_till",
8814         FT_STRING, BASE_NONE, NULL, 0,
8815         "KerberosTime", HFILL }},
8816     { &hf_kerberos_caddr,
8817       { "caddr", "kerberos.caddr",
8818         FT_UINT32, BASE_DEC, NULL, 0,
8819         "HostAddresses", HFILL }},
8820     { &hf_kerberos_authorization_data,
8821       { "authorization-data", "kerberos.authorization_data",
8822         FT_UINT32, BASE_DEC, NULL, 0,
8823         "AuthorizationData", HFILL }},
8824     { &hf_kerberos_tr_type,
8825       { "tr-type", "kerberos.tr_type",
8826         FT_INT32, BASE_DEC, NULL, 0,
8827         "Int32", HFILL }},
8828     { &hf_kerberos_contents,
8829       { "contents", "kerberos.contents",
8830         FT_BYTES, BASE_NONE, NULL, 0,
8831         "OCTET_STRING", HFILL }},
8832     { &hf_kerberos_pvno,
8833       { "pvno", "kerberos.pvno",
8834         FT_UINT32, BASE_DEC, NULL, 0,
8835         "INTEGER_5", HFILL }},
8836     { &hf_kerberos_msg_type,
8837       { "msg-type", "kerberos.msg_type",
8838         FT_INT32, BASE_DEC, VALS(kerberos_MESSAGE_TYPE_vals), 0,
8839         "MESSAGE_TYPE", HFILL }},
8840     { &hf_kerberos_padata,
8841       { "padata", "kerberos.padata",
8842         FT_UINT32, BASE_DEC, NULL, 0,
8843         "SEQUENCE_OF_PA_DATA", HFILL }},
8844     { &hf_kerberos_padata_item,
8845       { "PA-DATA", "kerberos.PA_DATA_element",
8846         FT_NONE, BASE_NONE, NULL, 0,
8847         NULL, HFILL }},
8848     { &hf_kerberos_req_body,
8849       { "req-body", "kerberos.req_body_element",
8850         FT_NONE, BASE_NONE, NULL, 0,
8851         "KDC_REQ_BODY", HFILL }},
8852     { &hf_kerberos_kdc_options,
8853       { "kdc-options", "kerberos.kdc_options",
8854         FT_BYTES, BASE_NONE, NULL, 0,
8855         "KDCOptions", HFILL }},
8856     { &hf_kerberos_from,
8857       { "from", "kerberos.from",
8858         FT_STRING, BASE_NONE, NULL, 0,
8859         "KerberosTime", HFILL }},
8860     { &hf_kerberos_till,
8861       { "till", "kerberos.till",
8862         FT_STRING, BASE_NONE, NULL, 0,
8863         "KerberosTime", HFILL }},
8864     { &hf_kerberos_rtime,
8865       { "rtime", "kerberos.rtime",
8866         FT_STRING, BASE_NONE, NULL, 0,
8867         "KerberosTime", HFILL }},
8868     { &hf_kerberos_nonce,
8869       { "nonce", "kerberos.nonce",
8870         FT_UINT32, BASE_DEC, NULL, 0,
8871         "UInt32", HFILL }},
8872     { &hf_kerberos_kDC_REQ_BODY_etype,
8873       { "etype", "kerberos.kdc-req-body.etype",
8874         FT_UINT32, BASE_DEC, NULL, 0,
8875         "SEQUENCE_OF_ENCTYPE", HFILL }},
8876     { &hf_kerberos_kDC_REQ_BODY_etype_item,
8877       { "ENCTYPE", "kerberos.ENCTYPE",
8878         FT_INT32, BASE_DEC, VALS(kerberos_ENCTYPE_vals), 0,
8879         NULL, HFILL }},
8880     { &hf_kerberos_addresses,
8881       { "addresses", "kerberos.addresses",
8882         FT_UINT32, BASE_DEC, NULL, 0,
8883         "HostAddresses", HFILL }},
8884     { &hf_kerberos_enc_authorization_data,
8885       { "enc-authorization-data", "kerberos.enc_authorization_data_element",
8886         FT_NONE, BASE_NONE, NULL, 0,
8887         "EncryptedAuthorizationData", HFILL }},
8888     { &hf_kerberos_additional_tickets,
8889       { "additional-tickets", "kerberos.additional_tickets",
8890         FT_UINT32, BASE_DEC, NULL, 0,
8891         "SEQUENCE_OF_Ticket", HFILL }},
8892     { &hf_kerberos_additional_tickets_item,
8893       { "Ticket", "kerberos.Ticket_element",
8894         FT_NONE, BASE_NONE, NULL, 0,
8895         NULL, HFILL }},
8896     { &hf_kerberos_kDC_REP_enc_part,
8897       { "enc-part", "kerberos.enc_part_element",
8898         FT_NONE, BASE_NONE, NULL, 0,
8899         "EncryptedKDCREPData", HFILL }},
8900     { &hf_kerberos_encKDCRepPart_key,
8901       { "key", "kerberos.key_element",
8902         FT_NONE, BASE_NONE, NULL, 0,
8903         "T_encKDCRepPart_key", HFILL }},
8904     { &hf_kerberos_last_req,
8905       { "last-req", "kerberos.last_req",
8906         FT_UINT32, BASE_DEC, NULL, 0,
8907         "LastReq", HFILL }},
8908     { &hf_kerberos_key_expiration,
8909       { "key-expiration", "kerberos.key_expiration",
8910         FT_STRING, BASE_NONE, NULL, 0,
8911         "KerberosTime", HFILL }},
8912     { &hf_kerberos_srealm,
8913       { "srealm", "kerberos.srealm",
8914         FT_STRING, BASE_NONE, NULL, 0,
8915         "Realm", HFILL }},
8916     { &hf_kerberos_encrypted_pa_data,
8917       { "encrypted-pa-data", "kerberos.encrypted_pa_data",
8918         FT_UINT32, BASE_DEC, NULL, 0,
8919         NULL, HFILL }},
8920     { &hf_kerberos_LastReq_item,
8921       { "LastReq item", "kerberos.LastReq_item_element",
8922         FT_NONE, BASE_NONE, NULL, 0,
8923         NULL, HFILL }},
8924     { &hf_kerberos_lr_type,
8925       { "lr-type", "kerberos.lr_type",
8926         FT_INT32, BASE_DEC, VALS(kerberos_LR_TYPE_vals), 0,
8927         NULL, HFILL }},
8928     { &hf_kerberos_lr_value,
8929       { "lr-value", "kerberos.lr_value",
8930         FT_STRING, BASE_NONE, NULL, 0,
8931         "KerberosTime", HFILL }},
8932     { &hf_kerberos_ap_options,
8933       { "ap-options", "kerberos.ap_options",
8934         FT_BYTES, BASE_NONE, NULL, 0,
8935         "APOptions", HFILL }},
8936     { &hf_kerberos_authenticator_enc_part,
8937       { "authenticator", "kerberos.authenticator_element",
8938         FT_NONE, BASE_NONE, NULL, 0,
8939         "EncryptedAuthenticator", HFILL }},
8940     { &hf_kerberos_authenticator_vno,
8941       { "authenticator-vno", "kerberos.authenticator_vno",
8942         FT_UINT32, BASE_DEC, NULL, 0,
8943         "INTEGER_5", HFILL }},
8944     { &hf_kerberos_cksum,
8945       { "cksum", "kerberos.cksum_element",
8946         FT_NONE, BASE_NONE, NULL, 0,
8947         "Checksum", HFILL }},
8948     { &hf_kerberos_cusec,
8949       { "cusec", "kerberos.cusec",
8950         FT_UINT32, BASE_DEC, NULL, 0,
8951         "Microseconds", HFILL }},
8952     { &hf_kerberos_ctime,
8953       { "ctime", "kerberos.ctime",
8954         FT_STRING, BASE_NONE, NULL, 0,
8955         "KerberosTime", HFILL }},
8956     { &hf_kerberos_authenticator_subkey,
8957       { "subkey", "kerberos.subkey_element",
8958         FT_NONE, BASE_NONE, NULL, 0,
8959         "T_authenticator_subkey", HFILL }},
8960     { &hf_kerberos_seq_number,
8961       { "seq-number", "kerberos.seq_number",
8962         FT_UINT32, BASE_DEC, NULL, 0,
8963         "UInt32", HFILL }},
8964     { &hf_kerberos_aP_REP_enc_part,
8965       { "enc-part", "kerberos.enc_part_element",
8966         FT_NONE, BASE_NONE, NULL, 0,
8967         "EncryptedAPREPData", HFILL }},
8968     { &hf_kerberos_encAPRepPart_subkey,
8969       { "subkey", "kerberos.subkey_element",
8970         FT_NONE, BASE_NONE, NULL, 0,
8971         "T_encAPRepPart_subkey", HFILL }},
8972     { &hf_kerberos_safe_body,
8973       { "safe-body", "kerberos.safe_body_element",
8974         FT_NONE, BASE_NONE, NULL, 0,
8975         "KRB_SAFE_BODY", HFILL }},
8976     { &hf_kerberos_kRB_SAFE_BODY_user_data,
8977       { "user-data", "kerberos.user_data",
8978         FT_BYTES, BASE_NONE, NULL, 0,
8979         "T_kRB_SAFE_BODY_user_data", HFILL }},
8980     { &hf_kerberos_timestamp,
8981       { "timestamp", "kerberos.timestamp",
8982         FT_STRING, BASE_NONE, NULL, 0,
8983         "KerberosTime", HFILL }},
8984     { &hf_kerberos_usec,
8985       { "usec", "kerberos.usec",
8986         FT_UINT32, BASE_DEC, NULL, 0,
8987         "Microseconds", HFILL }},
8988     { &hf_kerberos_s_address,
8989       { "s-address", "kerberos.s_address_element",
8990         FT_NONE, BASE_NONE, NULL, 0,
8991         "HostAddress", HFILL }},
8992     { &hf_kerberos_r_address,
8993       { "r-address", "kerberos.r_address_element",
8994         FT_NONE, BASE_NONE, NULL, 0,
8995         "HostAddress", HFILL }},
8996     { &hf_kerberos_kRB_PRIV_enc_part,
8997       { "enc-part", "kerberos.enc_part_element",
8998         FT_NONE, BASE_NONE, NULL, 0,
8999         "EncryptedKrbPrivData", HFILL }},
9000     { &hf_kerberos_encKrbPrivPart_user_data,
9001       { "user-data", "kerberos.user_data",
9002         FT_BYTES, BASE_NONE, NULL, 0,
9003         "T_encKrbPrivPart_user_data", HFILL }},
9004     { &hf_kerberos_tickets,
9005       { "tickets", "kerberos.tickets",
9006         FT_UINT32, BASE_DEC, NULL, 0,
9007         "SEQUENCE_OF_Ticket", HFILL }},
9008     { &hf_kerberos_tickets_item,
9009       { "Ticket", "kerberos.Ticket_element",
9010         FT_NONE, BASE_NONE, NULL, 0,
9011         NULL, HFILL }},
9012     { &hf_kerberos_kRB_CRED_enc_part,
9013       { "enc-part", "kerberos.enc_part_element",
9014         FT_NONE, BASE_NONE, NULL, 0,
9015         "EncryptedKrbCredData", HFILL }},
9016     { &hf_kerberos_ticket_info,
9017       { "ticket-info", "kerberos.ticket_info",
9018         FT_UINT32, BASE_DEC, NULL, 0,
9019         "SEQUENCE_OF_KrbCredInfo", HFILL }},
9020     { &hf_kerberos_ticket_info_item,
9021       { "KrbCredInfo", "kerberos.KrbCredInfo_element",
9022         FT_NONE, BASE_NONE, NULL, 0,
9023         NULL, HFILL }},
9024     { &hf_kerberos_krbCredInfo_key,
9025       { "key", "kerberos.key_element",
9026         FT_NONE, BASE_NONE, NULL, 0,
9027         "T_krbCredInfo_key", HFILL }},
9028     { &hf_kerberos_prealm,
9029       { "prealm", "kerberos.prealm",
9030         FT_STRING, BASE_NONE, NULL, 0,
9031         "Realm", HFILL }},
9032     { &hf_kerberos_pname,
9033       { "pname", "kerberos.pname_element",
9034         FT_NONE, BASE_NONE, NULL, 0,
9035         "PrincipalName", HFILL }},
9036     { &hf_kerberos_stime,
9037       { "stime", "kerberos.stime",
9038         FT_STRING, BASE_NONE, NULL, 0,
9039         "KerberosTime", HFILL }},
9040     { &hf_kerberos_susec,
9041       { "susec", "kerberos.susec",
9042         FT_UINT32, BASE_DEC, NULL, 0,
9043         "Microseconds", HFILL }},
9044     { &hf_kerberos_error_code,
9045       { "error-code", "kerberos.error_code",
9046         FT_INT32, BASE_DEC, VALS(kerberos_ERROR_CODE_vals), 0,
9047         NULL, HFILL }},
9048     { &hf_kerberos_e_text,
9049       { "e-text", "kerberos.e_text",
9050         FT_STRING, BASE_NONE, NULL, 0,
9051         "KerberosString", HFILL }},
9052     { &hf_kerberos_e_data,
9053       { "e-data", "kerberos.e_data",
9054         FT_BYTES, BASE_NONE, NULL, 0,
9055         NULL, HFILL }},
9056     { &hf_kerberos_e_checksum,
9057       { "e-checksum", "kerberos.e_checksum_element",
9058         FT_NONE, BASE_NONE, NULL, 0,
9059         "Checksum", HFILL }},
9060     { &hf_kerberos_METHOD_DATA_item,
9061       { "PA-DATA", "kerberos.PA_DATA_element",
9062         FT_NONE, BASE_NONE, NULL, 0,
9063         NULL, HFILL }},
9064     { &hf_kerberos_pA_ENC_TIMESTAMP_cipher,
9065       { "cipher", "kerberos.cipher",
9066         FT_BYTES, BASE_NONE, NULL, 0,
9067         "T_pA_ENC_TIMESTAMP_cipher", HFILL }},
9068     { &hf_kerberos_info_salt,
9069       { "salt", "kerberos.info_salt",
9070         FT_BYTES, BASE_NONE, NULL, 0,
9071         "OCTET_STRING", HFILL }},
9072     { &hf_kerberos_ETYPE_INFO_item,
9073       { "ETYPE-INFO-ENTRY", "kerberos.ETYPE_INFO_ENTRY_element",
9074         FT_NONE, BASE_NONE, NULL, 0,
9075         NULL, HFILL }},
9076     { &hf_kerberos_info2_salt,
9077       { "salt", "kerberos.info2_salt",
9078         FT_STRING, BASE_NONE, NULL, 0,
9079         "KerberosString", HFILL }},
9080     { &hf_kerberos_s2kparams,
9081       { "s2kparams", "kerberos.s2kparams",
9082         FT_BYTES, BASE_NONE, NULL, 0,
9083         "OCTET_STRING", HFILL }},
9084     { &hf_kerberos_ETYPE_INFO2_item,
9085       { "ETYPE-INFO2-ENTRY", "kerberos.ETYPE_INFO2_ENTRY_element",
9086         FT_NONE, BASE_NONE, NULL, 0,
9087         NULL, HFILL }},
9088     { &hf_kerberos_server_name,
9089       { "server-name", "kerberos.server_name_element",
9090         FT_NONE, BASE_NONE, NULL, 0,
9091         "PrincipalName", HFILL }},
9092     { &hf_kerberos_include_pac,
9093       { "include-pac", "kerberos.include_pac",
9094         FT_BOOLEAN, BASE_NONE, NULL, 0,
9095         "BOOLEAN", HFILL }},
9096     { &hf_kerberos_name,
9097       { "name", "kerberos.name_element",
9098         FT_NONE, BASE_NONE, NULL, 0,
9099         "PrincipalName", HFILL }},
9100     { &hf_kerberos_auth,
9101       { "auth", "kerberos.auth",
9102         FT_STRING, BASE_NONE, NULL, 0,
9103         "GeneralString", HFILL }},
9104     { &hf_kerberos_user_id,
9105       { "user-id", "kerberos.user_id_element",
9106         FT_NONE, BASE_NONE, NULL, 0,
9107         "S4UUserID", HFILL }},
9108     { &hf_kerberos_checksum_01,
9109       { "checksum", "kerberos.checksum_element",
9110         FT_NONE, BASE_NONE, NULL, 0,
9111         NULL, HFILL }},
9112     { &hf_kerberos_cname_01,
9113       { "cname", "kerberos.cname_element",
9114         FT_NONE, BASE_NONE, NULL, 0,
9115         "PrincipalName", HFILL }},
9116     { &hf_kerberos_subject_certificate,
9117       { "subject-certificate", "kerberos.subject_certificate",
9118         FT_BYTES, BASE_NONE, NULL, 0,
9119         "T_subject_certificate", HFILL }},
9120     { &hf_kerberos_options,
9121       { "options", "kerberos.options",
9122         FT_BYTES, BASE_NONE, NULL, 0,
9123         "BIT_STRING", HFILL }},
9124     { &hf_kerberos_flags_01,
9125       { "flags", "kerberos.flags",
9126         FT_BYTES, BASE_NONE, NULL, 0,
9127         "PAC_OPTIONS_FLAGS", HFILL }},
9128     { &hf_kerberos_restriction_type,
9129       { "restriction-type", "kerberos.restriction_type",
9130         FT_INT32, BASE_DEC, NULL, 0,
9131         "Int32", HFILL }},
9132     { &hf_kerberos_restriction,
9133       { "restriction", "kerberos.restriction",
9134         FT_BYTES, BASE_NONE, NULL, 0,
9135         "OCTET_STRING", HFILL }},
9136     { &hf_kerberos_PA_KERB_KEY_LIST_REQ_item,
9137       { "ENCTYPE", "kerberos.ENCTYPE",
9138         FT_INT32, BASE_DEC, VALS(kerberos_ENCTYPE_vals), 0,
9139         NULL, HFILL }},
9140     { &hf_kerberos_kerbKeyListRep_key,
9141       { "key", "kerberos.kerbKeyListRep.key_element",
9142         FT_NONE, BASE_NONE, NULL, 0,
9143         "PA_KERB_KEY_LIST_REP_item", HFILL }},
9144     { &hf_kerberos_newpasswd,
9145       { "newpasswd", "kerberos.newpasswd",
9146         FT_BYTES, BASE_NONE, NULL, 0,
9147         "OCTET_STRING", HFILL }},
9148     { &hf_kerberos_targname,
9149       { "targname", "kerberos.targname_element",
9150         FT_NONE, BASE_NONE, NULL, 0,
9151         "PrincipalName", HFILL }},
9152     { &hf_kerberos_targrealm,
9153       { "targrealm", "kerberos.targrealm",
9154         FT_STRING, BASE_NONE, NULL, 0,
9155         "Realm", HFILL }},
9156     { &hf_kerberos_pa_type,
9157       { "pa-type", "kerberos.pa_type",
9158         FT_INT32, BASE_DEC, VALS(kerberos_PADATA_TYPE_vals), 0,
9159         "PADATA_TYPE", HFILL }},
9160     { &hf_kerberos_pa_hint,
9161       { "pa-hint", "kerberos.pa_hint",
9162         FT_BYTES, BASE_NONE, NULL, 0,
9163         "OCTET_STRING", HFILL }},
9164     { &hf_kerberos_pa_value,
9165       { "pa-value", "kerberos.pa_value",
9166         FT_BYTES, BASE_NONE, NULL, 0,
9167         "OCTET_STRING", HFILL }},
9168     { &hf_kerberos_armor_type,
9169       { "armor-type", "kerberos.armor_type",
9170         FT_INT32, BASE_DEC, VALS(kerberos_KrbFastArmorTypes_vals), 0,
9171         "KrbFastArmorTypes", HFILL }},
9172     { &hf_kerberos_armor_value,
9173       { "armor-value", "kerberos.armor_value",
9174         FT_BYTES, BASE_NONE, NULL, 0,
9175         NULL, HFILL }},
9176     { &hf_kerberos_armored_data_request,
9177       { "armored-data", "kerberos.armored_data_element",
9178         FT_NONE, BASE_NONE, NULL, 0,
9179         "KrbFastArmoredReq", HFILL }},
9180     { &hf_kerberos_encryptedKrbFastReq_cipher,
9181       { "cipher", "kerberos.cipher",
9182         FT_BYTES, BASE_NONE, NULL, 0,
9183         "T_encryptedKrbFastReq_cipher", HFILL }},
9184     { &hf_kerberos_armor,
9185       { "armor", "kerberos.armor_element",
9186         FT_NONE, BASE_NONE, NULL, 0,
9187         "KrbFastArmor", HFILL }},
9188     { &hf_kerberos_req_checksum,
9189       { "req-checksum", "kerberos.req_checksum_element",
9190         FT_NONE, BASE_NONE, NULL, 0,
9191         "Checksum", HFILL }},
9192     { &hf_kerberos_enc_fast_req,
9193       { "enc-fast-req", "kerberos.enc_fast_req_element",
9194         FT_NONE, BASE_NONE, NULL, 0,
9195         "EncryptedKrbFastReq", HFILL }},
9196     { &hf_kerberos_armored_data_reply,
9197       { "armored-data", "kerberos.armored_data_element",
9198         FT_NONE, BASE_NONE, NULL, 0,
9199         "KrbFastArmoredRep", HFILL }},
9200     { &hf_kerberos_encryptedKrbFastResponse_cipher,
9201       { "cipher", "kerberos.cipher",
9202         FT_BYTES, BASE_NONE, NULL, 0,
9203         "T_encryptedKrbFastResponse_cipher", HFILL }},
9204     { &hf_kerberos_enc_fast_rep,
9205       { "enc-fast-rep", "kerberos.enc_fast_rep_element",
9206         FT_NONE, BASE_NONE, NULL, 0,
9207         "EncryptedKrbFastResponse", HFILL }},
9208     { &hf_kerberos_encryptedChallenge_cipher,
9209       { "cipher", "kerberos.cipher",
9210         FT_BYTES, BASE_NONE, NULL, 0,
9211         "T_encryptedChallenge_cipher", HFILL }},
9212     { &hf_kerberos_cipher,
9213       { "cipher", "kerberos.cipher",
9214         FT_BYTES, BASE_NONE, NULL, 0,
9215         "OCTET_STRING", HFILL }},
9216     { &hf_kerberos_groups,
9217       { "groups", "kerberos.groups",
9218         FT_UINT32, BASE_DEC, NULL, 0,
9219         "SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup", HFILL }},
9220     { &hf_kerberos_groups_item,
9221       { "SPAKEGroup", "kerberos.SPAKEGroup",
9222         FT_INT32, BASE_DEC, VALS(kerberos_SPAKEGroup_vals), 0,
9223         NULL, HFILL }},
9224     { &hf_kerberos_group,
9225       { "group", "kerberos.group",
9226         FT_INT32, BASE_DEC, VALS(kerberos_SPAKEGroup_vals), 0,
9227         "SPAKEGroup", HFILL }},
9228     { &hf_kerberos_pubkey,
9229       { "pubkey", "kerberos.pubkey",
9230         FT_BYTES, BASE_NONE, NULL, 0,
9231         "OCTET_STRING", HFILL }},
9232     { &hf_kerberos_factors,
9233       { "factors", "kerberos.factors",
9234         FT_UINT32, BASE_DEC, NULL, 0,
9235         "SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor", HFILL }},
9236     { &hf_kerberos_factors_item,
9237       { "SPAKESecondFactor", "kerberos.SPAKESecondFactor_element",
9238         FT_NONE, BASE_NONE, NULL, 0,
9239         NULL, HFILL }},
9240     { &hf_kerberos_type,
9241       { "type", "kerberos.type",
9242         FT_INT32, BASE_DEC, VALS(kerberos_SPAKESecondFactorType_vals), 0,
9243         "SPAKESecondFactorType", HFILL }},
9244     { &hf_kerberos_data,
9245       { "data", "kerberos.data",
9246         FT_BYTES, BASE_NONE, NULL, 0,
9247         "OCTET_STRING", HFILL }},
9248     { &hf_kerberos_factor,
9249       { "factor", "kerberos.factor_element",
9250         FT_NONE, BASE_NONE, NULL, 0,
9251         "EncryptedSpakeResponseData", HFILL }},
9252     { &hf_kerberos_support,
9253       { "support", "kerberos.support_element",
9254         FT_NONE, BASE_NONE, NULL, 0,
9255         "SPAKESupport", HFILL }},
9256     { &hf_kerberos_challenge,
9257       { "challenge", "kerberos.challenge_element",
9258         FT_NONE, BASE_NONE, NULL, 0,
9259         "SPAKEChallenge", HFILL }},
9260     { &hf_kerberos_response,
9261       { "response", "kerberos.response_element",
9262         FT_NONE, BASE_NONE, NULL, 0,
9263         "SPAKEResponse", HFILL }},
9264     { &hf_kerberos_encdata,
9265       { "encdata", "kerberos.encdata_element",
9266         FT_NONE, BASE_NONE, NULL, 0,
9267         "EncryptedSpakeData", HFILL }},
9268     { &hf_kerberos_APOptions_reserved,
9269       { "reserved", "kerberos.APOptions.reserved",
9270         FT_BOOLEAN, 8, NULL, 0x80,
9271         NULL, HFILL }},
9272     { &hf_kerberos_APOptions_use_session_key,
9273       { "use-session-key", "kerberos.APOptions.use.session.key",
9274         FT_BOOLEAN, 8, NULL, 0x40,
9275         NULL, HFILL }},
9276     { &hf_kerberos_APOptions_mutual_required,
9277       { "mutual-required", "kerberos.APOptions.mutual.required",
9278         FT_BOOLEAN, 8, NULL, 0x20,
9279         NULL, HFILL }},
9280     { &hf_kerberos_TicketFlags_reserved,
9281       { "reserved", "kerberos.TicketFlags.reserved",
9282         FT_BOOLEAN, 8, NULL, 0x80,
9283         NULL, HFILL }},
9284     { &hf_kerberos_TicketFlags_forwardable,
9285       { "forwardable", "kerberos.TicketFlags.forwardable",
9286         FT_BOOLEAN, 8, NULL, 0x40,
9287         NULL, HFILL }},
9288     { &hf_kerberos_TicketFlags_forwarded,
9289       { "forwarded", "kerberos.TicketFlags.forwarded",
9290         FT_BOOLEAN, 8, NULL, 0x20,
9291         NULL, HFILL }},
9292     { &hf_kerberos_TicketFlags_proxiable,
9293       { "proxiable", "kerberos.TicketFlags.proxiable",
9294         FT_BOOLEAN, 8, NULL, 0x10,
9295         NULL, HFILL }},
9296     { &hf_kerberos_TicketFlags_proxy,
9297       { "proxy", "kerberos.TicketFlags.proxy",
9298         FT_BOOLEAN, 8, NULL, 0x08,
9299         NULL, HFILL }},
9300     { &hf_kerberos_TicketFlags_may_postdate,
9301       { "may-postdate", "kerberos.TicketFlags.may.postdate",
9302         FT_BOOLEAN, 8, NULL, 0x04,
9303         NULL, HFILL }},
9304     { &hf_kerberos_TicketFlags_postdated,
9305       { "postdated", "kerberos.TicketFlags.postdated",
9306         FT_BOOLEAN, 8, NULL, 0x02,
9307         NULL, HFILL }},
9308     { &hf_kerberos_TicketFlags_invalid,
9309       { "invalid", "kerberos.TicketFlags.invalid",
9310         FT_BOOLEAN, 8, NULL, 0x01,
9311         NULL, HFILL }},
9312     { &hf_kerberos_TicketFlags_renewable,
9313       { "renewable", "kerberos.TicketFlags.renewable",
9314         FT_BOOLEAN, 8, NULL, 0x80,
9315         NULL, HFILL }},
9316     { &hf_kerberos_TicketFlags_initial,
9317       { "initial", "kerberos.TicketFlags.initial",
9318         FT_BOOLEAN, 8, NULL, 0x40,
9319         NULL, HFILL }},
9320     { &hf_kerberos_TicketFlags_pre_authent,
9321       { "pre-authent", "kerberos.TicketFlags.pre.authent",
9322         FT_BOOLEAN, 8, NULL, 0x20,
9323         NULL, HFILL }},
9324     { &hf_kerberos_TicketFlags_hw_authent,
9325       { "hw-authent", "kerberos.TicketFlags.hw.authent",
9326         FT_BOOLEAN, 8, NULL, 0x10,
9327         NULL, HFILL }},
9328     { &hf_kerberos_TicketFlags_transited_policy_checked,
9329       { "transited-policy-checked", "kerberos.TicketFlags.transited.policy.checked",
9330         FT_BOOLEAN, 8, NULL, 0x08,
9331         NULL, HFILL }},
9332     { &hf_kerberos_TicketFlags_ok_as_delegate,
9333       { "ok-as-delegate", "kerberos.TicketFlags.ok.as.delegate",
9334         FT_BOOLEAN, 8, NULL, 0x04,
9335         NULL, HFILL }},
9336     { &hf_kerberos_TicketFlags_unused,
9337       { "unused", "kerberos.TicketFlags.unused",
9338         FT_BOOLEAN, 8, NULL, 0x02,
9339         NULL, HFILL }},
9340     { &hf_kerberos_TicketFlags_enc_pa_rep,
9341       { "enc-pa-rep", "kerberos.TicketFlags.enc.pa.rep",
9342         FT_BOOLEAN, 8, NULL, 0x01,
9343         NULL, HFILL }},
9344     { &hf_kerberos_TicketFlags_anonymous,
9345       { "anonymous", "kerberos.TicketFlags.anonymous",
9346         FT_BOOLEAN, 8, NULL, 0x80,
9347         NULL, HFILL }},
9348     { &hf_kerberos_KDCOptions_reserved,
9349       { "reserved", "kerberos.KDCOptions.reserved",
9350         FT_BOOLEAN, 8, NULL, 0x80,
9351         NULL, HFILL }},
9352     { &hf_kerberos_KDCOptions_forwardable,
9353       { "forwardable", "kerberos.KDCOptions.forwardable",
9354         FT_BOOLEAN, 8, NULL, 0x40,
9355         NULL, HFILL }},
9356     { &hf_kerberos_KDCOptions_forwarded,
9357       { "forwarded", "kerberos.KDCOptions.forwarded",
9358         FT_BOOLEAN, 8, NULL, 0x20,
9359         NULL, HFILL }},
9360     { &hf_kerberos_KDCOptions_proxiable,
9361       { "proxiable", "kerberos.KDCOptions.proxiable",
9362         FT_BOOLEAN, 8, NULL, 0x10,
9363         NULL, HFILL }},
9364     { &hf_kerberos_KDCOptions_proxy,
9365       { "proxy", "kerberos.KDCOptions.proxy",
9366         FT_BOOLEAN, 8, NULL, 0x08,
9367         NULL, HFILL }},
9368     { &hf_kerberos_KDCOptions_allow_postdate,
9369       { "allow-postdate", "kerberos.KDCOptions.allow.postdate",
9370         FT_BOOLEAN, 8, NULL, 0x04,
9371         NULL, HFILL }},
9372     { &hf_kerberos_KDCOptions_postdated,
9373       { "postdated", "kerberos.KDCOptions.postdated",
9374         FT_BOOLEAN, 8, NULL, 0x02,
9375         NULL, HFILL }},
9376     { &hf_kerberos_KDCOptions_unused7,
9377       { "unused7", "kerberos.KDCOptions.unused7",
9378         FT_BOOLEAN, 8, NULL, 0x01,
9379         NULL, HFILL }},
9380     { &hf_kerberos_KDCOptions_renewable,
9381       { "renewable", "kerberos.KDCOptions.renewable",
9382         FT_BOOLEAN, 8, NULL, 0x80,
9383         NULL, HFILL }},
9384     { &hf_kerberos_KDCOptions_unused9,
9385       { "unused9", "kerberos.KDCOptions.unused9",
9386         FT_BOOLEAN, 8, NULL, 0x40,
9387         NULL, HFILL }},
9388     { &hf_kerberos_KDCOptions_unused10,
9389       { "unused10", "kerberos.KDCOptions.unused10",
9390         FT_BOOLEAN, 8, NULL, 0x20,
9391         NULL, HFILL }},
9392     { &hf_kerberos_KDCOptions_opt_hardware_auth,
9393       { "opt-hardware-auth", "kerberos.KDCOptions.opt.hardware.auth",
9394         FT_BOOLEAN, 8, NULL, 0x10,
9395         NULL, HFILL }},
9396     { &hf_kerberos_KDCOptions_unused12,
9397       { "unused12", "kerberos.KDCOptions.unused12",
9398         FT_BOOLEAN, 8, NULL, 0x08,
9399         NULL, HFILL }},
9400     { &hf_kerberos_KDCOptions_unused13,
9401       { "unused13", "kerberos.KDCOptions.unused13",
9402         FT_BOOLEAN, 8, NULL, 0x04,
9403         NULL, HFILL }},
9404     { &hf_kerberos_KDCOptions_constrained_delegation,
9405       { "constrained-delegation", "kerberos.KDCOptions.constrained.delegation",
9406         FT_BOOLEAN, 8, NULL, 0x02,
9407         NULL, HFILL }},
9408     { &hf_kerberos_KDCOptions_canonicalize,
9409       { "canonicalize", "kerberos.KDCOptions.canonicalize",
9410         FT_BOOLEAN, 8, NULL, 0x01,
9411         NULL, HFILL }},
9412     { &hf_kerberos_KDCOptions_request_anonymous,
9413       { "request-anonymous", "kerberos.KDCOptions.request.anonymous",
9414         FT_BOOLEAN, 8, NULL, 0x80,
9415         NULL, HFILL }},
9416     { &hf_kerberos_KDCOptions_unused17,
9417       { "unused17", "kerberos.KDCOptions.unused17",
9418         FT_BOOLEAN, 8, NULL, 0x40,
9419         NULL, HFILL }},
9420     { &hf_kerberos_KDCOptions_unused18,
9421       { "unused18", "kerberos.KDCOptions.unused18",
9422         FT_BOOLEAN, 8, NULL, 0x20,
9423         NULL, HFILL }},
9424     { &hf_kerberos_KDCOptions_unused19,
9425       { "unused19", "kerberos.KDCOptions.unused19",
9426         FT_BOOLEAN, 8, NULL, 0x10,
9427         NULL, HFILL }},
9428     { &hf_kerberos_KDCOptions_unused20,
9429       { "unused20", "kerberos.KDCOptions.unused20",
9430         FT_BOOLEAN, 8, NULL, 0x08,
9431         NULL, HFILL }},
9432     { &hf_kerberos_KDCOptions_unused21,
9433       { "unused21", "kerberos.KDCOptions.unused21",
9434         FT_BOOLEAN, 8, NULL, 0x04,
9435         NULL, HFILL }},
9436     { &hf_kerberos_KDCOptions_unused22,
9437       { "unused22", "kerberos.KDCOptions.unused22",
9438         FT_BOOLEAN, 8, NULL, 0x02,
9439         NULL, HFILL }},
9440     { &hf_kerberos_KDCOptions_unused23,
9441       { "unused23", "kerberos.KDCOptions.unused23",
9442         FT_BOOLEAN, 8, NULL, 0x01,
9443         NULL, HFILL }},
9444     { &hf_kerberos_KDCOptions_unused24,
9445       { "unused24", "kerberos.KDCOptions.unused24",
9446         FT_BOOLEAN, 8, NULL, 0x80,
9447         NULL, HFILL }},
9448     { &hf_kerberos_KDCOptions_unused25,
9449       { "unused25", "kerberos.KDCOptions.unused25",
9450         FT_BOOLEAN, 8, NULL, 0x40,
9451         NULL, HFILL }},
9452     { &hf_kerberos_KDCOptions_disable_transited_check,
9453       { "disable-transited-check", "kerberos.KDCOptions.disable.transited.check",
9454         FT_BOOLEAN, 8, NULL, 0x20,
9455         NULL, HFILL }},
9456     { &hf_kerberos_KDCOptions_renewable_ok,
9457       { "renewable-ok", "kerberos.KDCOptions.renewable.ok",
9458         FT_BOOLEAN, 8, NULL, 0x10,
9459         NULL, HFILL }},
9460     { &hf_kerberos_KDCOptions_enc_tkt_in_skey,
9461       { "enc-tkt-in-skey", "kerberos.KDCOptions.enc.tkt.in.skey",
9462         FT_BOOLEAN, 8, NULL, 0x08,
9463         NULL, HFILL }},
9464     { &hf_kerberos_KDCOptions_unused29,
9465       { "unused29", "kerberos.KDCOptions.unused29",
9466         FT_BOOLEAN, 8, NULL, 0x04,
9467         NULL, HFILL }},
9468     { &hf_kerberos_KDCOptions_renew,
9469       { "renew", "kerberos.KDCOptions.renew",
9470         FT_BOOLEAN, 8, NULL, 0x02,
9471         NULL, HFILL }},
9472     { &hf_kerberos_KDCOptions_validate,
9473       { "validate", "kerberos.KDCOptions.validate",
9474         FT_BOOLEAN, 8, NULL, 0x01,
9475         NULL, HFILL }},
9476     { &hf_kerberos_PAC_OPTIONS_FLAGS_claims,
9477       { "claims", "kerberos.PAC.OPTIONS.FLAGS.claims",
9478         FT_BOOLEAN, 8, NULL, 0x80,
9479         NULL, HFILL }},
9480     { &hf_kerberos_PAC_OPTIONS_FLAGS_branch_aware,
9481       { "branch-aware", "kerberos.PAC.OPTIONS.FLAGS.branch.aware",
9482         FT_BOOLEAN, 8, NULL, 0x40,
9483         NULL, HFILL }},
9484     { &hf_kerberos_PAC_OPTIONS_FLAGS_forward_to_full_dc,
9485       { "forward-to-full-dc", "kerberos.PAC.OPTIONS.FLAGS.forward.to.full.dc",
9486         FT_BOOLEAN, 8, NULL, 0x20,
9487         NULL, HFILL }},
9488     { &hf_kerberos_PAC_OPTIONS_FLAGS_resource_based_constrained_delegation,
9489       { "resource-based-constrained-delegation", "kerberos.PAC.OPTIONS.FLAGS.resource.based.constrained.delegation",
9490         FT_BOOLEAN, 8, NULL, 0x10,
9491         NULL, HFILL }},
9492 
9493 /*--- End of included file: packet-kerberos-hfarr.c ---*/
9494 #line 5047 "./asn1/kerberos/packet-kerberos-template.c"
9495 	};
9496 
9497 	/* List of subtrees */
9498 	static gint *ett[] = {
9499 		&ett_kerberos,
9500 		&ett_krb_recordmark,
9501 		&ett_krb_pac,
9502 		&ett_krb_pac_drep,
9503 		&ett_krb_pac_midl_blob,
9504 		&ett_krb_pac_logon_info,
9505 		&ett_krb_pac_credential_info,
9506 		&ett_krb_pac_s4u_delegation_info,
9507 		&ett_krb_pac_upn_dns_info,
9508 		&ett_krb_pac_device_info,
9509 		&ett_krb_pac_server_checksum,
9510 		&ett_krb_pac_privsvr_checksum,
9511 		&ett_krb_pac_client_info_type,
9512 		&ett_krb_pac_ticket_checksum,
9513 		&ett_krb_pa_supported_enctypes,
9514 		&ett_krb_ad_ap_options,
9515 		&ett_kerberos_KERB_TICKET_LOGON,
9516 #ifdef HAVE_KERBEROS
9517 		&ett_krb_pa_enc_ts_enc,
9518 	    &ett_kerberos_KrbFastFinished,
9519 	    &ett_kerberos_KrbFastResponse,
9520         &ett_kerberos_KrbFastReq,
9521         &ett_kerberos_FastOptions,
9522 #endif
9523 
9524 /*--- Included file: packet-kerberos-ettarr.c ---*/
9525 #line 1 "./asn1/kerberos/packet-kerberos-ettarr.c"
9526     &ett_kerberos_Applications,
9527     &ett_kerberos_PrincipalName,
9528     &ett_kerberos_SEQUENCE_OF_KerberosString,
9529     &ett_kerberos_CName,
9530     &ett_kerberos_SEQUENCE_OF_CNameString,
9531     &ett_kerberos_SName,
9532     &ett_kerberos_SEQUENCE_OF_SNameString,
9533     &ett_kerberos_HostAddress,
9534     &ett_kerberos_HostAddresses,
9535     &ett_kerberos_AuthorizationData,
9536     &ett_kerberos_AuthorizationData_item,
9537     &ett_kerberos_PA_DATA,
9538     &ett_kerberos_EncryptionKey,
9539     &ett_kerberos_Checksum,
9540     &ett_kerberos_EncryptedTicketData,
9541     &ett_kerberos_EncryptedAuthorizationData,
9542     &ett_kerberos_EncryptedAuthenticator,
9543     &ett_kerberos_EncryptedKDCREPData,
9544     &ett_kerberos_EncryptedAPREPData,
9545     &ett_kerberos_EncryptedKrbPrivData,
9546     &ett_kerberos_EncryptedKrbCredData,
9547     &ett_kerberos_Ticket_U,
9548     &ett_kerberos_EncTicketPart_U,
9549     &ett_kerberos_TransitedEncoding,
9550     &ett_kerberos_KDC_REQ,
9551     &ett_kerberos_SEQUENCE_OF_PA_DATA,
9552     &ett_kerberos_KDC_REQ_BODY,
9553     &ett_kerberos_SEQUENCE_OF_ENCTYPE,
9554     &ett_kerberos_SEQUENCE_OF_Ticket,
9555     &ett_kerberos_KDC_REP,
9556     &ett_kerberos_EncKDCRepPart,
9557     &ett_kerberos_LastReq,
9558     &ett_kerberos_LastReq_item,
9559     &ett_kerberos_AP_REQ_U,
9560     &ett_kerberos_Authenticator_U,
9561     &ett_kerberos_AP_REP_U,
9562     &ett_kerberos_EncAPRepPart_U,
9563     &ett_kerberos_KRB_SAFE_U,
9564     &ett_kerberos_KRB_SAFE_BODY,
9565     &ett_kerberos_KRB_PRIV_U,
9566     &ett_kerberos_EncKrbPrivPart,
9567     &ett_kerberos_KRB_CRED_U,
9568     &ett_kerberos_EncKrbCredPart_U,
9569     &ett_kerberos_SEQUENCE_OF_KrbCredInfo,
9570     &ett_kerberos_KrbCredInfo,
9571     &ett_kerberos_KRB_ERROR_U,
9572     &ett_kerberos_METHOD_DATA,
9573     &ett_kerberos_PA_ENC_TIMESTAMP,
9574     &ett_kerberos_ETYPE_INFO_ENTRY,
9575     &ett_kerberos_ETYPE_INFO,
9576     &ett_kerberos_ETYPE_INFO2_ENTRY,
9577     &ett_kerberos_ETYPE_INFO2,
9578     &ett_kerberos_TGT_REQ,
9579     &ett_kerberos_TGT_REP,
9580     &ett_kerberos_APOptions,
9581     &ett_kerberos_TicketFlags,
9582     &ett_kerberos_KDCOptions,
9583     &ett_kerberos_PA_PAC_REQUEST,
9584     &ett_kerberos_PA_S4U2Self,
9585     &ett_kerberos_PA_S4U_X509_USER,
9586     &ett_kerberos_S4UUserID,
9587     &ett_kerberos_PAC_OPTIONS_FLAGS,
9588     &ett_kerberos_PA_PAC_OPTIONS,
9589     &ett_kerberos_KERB_AD_RESTRICTION_ENTRY_U,
9590     &ett_kerberos_PA_KERB_KEY_LIST_REQ,
9591     &ett_kerberos_PA_KERB_KEY_LIST_REP,
9592     &ett_kerberos_ChangePasswdData,
9593     &ett_kerberos_PA_AUTHENTICATION_SET_ELEM,
9594     &ett_kerberos_KrbFastArmor,
9595     &ett_kerberos_PA_FX_FAST_REQUEST,
9596     &ett_kerberos_EncryptedKrbFastReq,
9597     &ett_kerberos_KrbFastArmoredReq,
9598     &ett_kerberos_PA_FX_FAST_REPLY,
9599     &ett_kerberos_EncryptedKrbFastResponse,
9600     &ett_kerberos_KrbFastArmoredRep,
9601     &ett_kerberos_EncryptedChallenge,
9602     &ett_kerberos_EncryptedSpakeData,
9603     &ett_kerberos_EncryptedSpakeResponseData,
9604     &ett_kerberos_SPAKESupport,
9605     &ett_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKEGroup,
9606     &ett_kerberos_SPAKEChallenge,
9607     &ett_kerberos_SEQUENCE_SIZE_1_MAX_OF_SPAKESecondFactor,
9608     &ett_kerberos_SPAKESecondFactor,
9609     &ett_kerberos_SPAKEResponse,
9610     &ett_kerberos_PA_SPAKE,
9611 
9612 /*--- End of included file: packet-kerberos-ettarr.c ---*/
9613 #line 5076 "./asn1/kerberos/packet-kerberos-template.c"
9614 	};
9615 
9616 	static ei_register_info ei[] = {
9617 		{ &ei_kerberos_missing_keytype, { "kerberos.missing_keytype", PI_DECRYPTION, PI_WARN, "Missing keytype", EXPFILL }},
9618 		{ &ei_kerberos_decrypted_keytype, { "kerberos.decrypted_keytype", PI_SECURITY, PI_CHAT, "Decrypted keytype", EXPFILL }},
9619 		{ &ei_kerberos_learnt_keytype, { "kerberos.learnt_keytype", PI_SECURITY, PI_CHAT, "Learnt keytype", EXPFILL }},
9620 		{ &ei_kerberos_address, { "kerberos.address.unknown", PI_UNDECODED, PI_WARN, "KRB Address: I don't know how to parse this type of address yet", EXPFILL }},
9621 		{ &ei_krb_gssapi_dlglen, { "kerberos.gssapi.dlglen.error", PI_MALFORMED, PI_ERROR, "DlgLen is not the same as number of bytes remaining", EXPFILL }},
9622 	};
9623 
9624 	expert_module_t* expert_krb;
9625 	module_t *krb_module;
9626 
9627 	proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos");
9628 	proto_register_field_array(proto_kerberos, hf, array_length(hf));
9629 	proto_register_subtree_array(ett, array_length(ett));
9630 	expert_krb = expert_register_protocol(proto_kerberos);
9631 	expert_register_field_array(expert_krb, ei, array_length(ei));
9632 
9633 	/* Register preferences */
9634 	krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
9635 	prefs_register_bool_preference(krb_module, "desegment",
9636 	"Reassemble Kerberos over TCP messages spanning multiple TCP segments",
9637 	"Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
9638 	" To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
9639 	&krb_desegment);
9640 #ifdef HAVE_KERBEROS
9641 	prefs_register_bool_preference(krb_module, "decrypt",
9642 	"Try to decrypt Kerberos blobs",
9643 	"Whether the dissector should try to decrypt "
9644 	"encrypted Kerberos blobs. This requires that the proper "
9645 	"keytab file is installed as well.", &krb_decrypt);
9646 
9647 	prefs_register_filename_preference(krb_module, "file",
9648 				   "Kerberos keytab file",
9649 				   "The keytab file containing all the secrets",
9650 				   &keytab_filename, FALSE);
9651 
9652 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
9653 	wmem_register_callback(wmem_epan_scope(), enc_key_list_cb, NULL);
9654 	kerberos_longterm_keys = wmem_map_new(wmem_epan_scope(),
9655 					      enc_key_content_hash,
9656 					      enc_key_content_equal);
9657 	kerberos_all_keys = wmem_map_new_autoreset(wmem_epan_scope(),
9658 						   wmem_file_scope(),
9659 						   enc_key_content_hash,
9660 						   enc_key_content_equal);
9661 	kerberos_app_session_keys = wmem_map_new_autoreset(wmem_epan_scope(),
9662 							   wmem_file_scope(),
9663 							   enc_key_content_hash,
9664 							   enc_key_content_equal);
9665 #endif /* defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS) */
9666 #endif /* HAVE_KERBEROS */
9667 
9668 }
9669 static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
9670 				 proto_tree *tree, dcerpc_info *di _U_,guint8 *drep _U_)
9671 {
9672 	tvbuff_t *auth_tvb;
9673 
9674 	auth_tvb = tvb_new_subset_remaining(tvb, offset);
9675 
9676 	dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
9677 
9678 	return tvb_captured_length_remaining(tvb, offset);
9679 }
9680 
9681 
9682 static dcerpc_auth_subdissector_fns gss_kerb_auth_connect_fns = {
9683 	wrap_dissect_gss_kerb,                      /* Bind */
9684 	wrap_dissect_gss_kerb,                      /* Bind ACK */
9685 	wrap_dissect_gss_kerb,                      /* AUTH3 */
9686 	NULL,                                       /* Request verifier */
9687 	NULL,                                       /* Response verifier */
9688 	NULL,                                       /* Request data */
9689 	NULL                                        /* Response data */
9690 };
9691 
9692 static dcerpc_auth_subdissector_fns gss_kerb_auth_sign_fns = {
9693 	wrap_dissect_gss_kerb,                      /* Bind */
9694 	wrap_dissect_gss_kerb,                      /* Bind ACK */
9695 	wrap_dissect_gss_kerb,                      /* AUTH3 */
9696 	wrap_dissect_gssapi_verf,                   /* Request verifier */
9697 	wrap_dissect_gssapi_verf,                   /* Response verifier */
9698 	NULL,                                       /* Request data */
9699 	NULL                                        /* Response data */
9700 };
9701 
9702 static dcerpc_auth_subdissector_fns gss_kerb_auth_seal_fns = {
9703 	wrap_dissect_gss_kerb,                      /* Bind */
9704 	wrap_dissect_gss_kerb,                      /* Bind ACK */
9705 	wrap_dissect_gss_kerb,                      /* AUTH3 */
9706 	wrap_dissect_gssapi_verf,                   /* Request verifier */
9707 	wrap_dissect_gssapi_verf,                   /* Response verifier */
9708 	wrap_dissect_gssapi_payload,                /* Request data */
9709 	wrap_dissect_gssapi_payload                 /* Response data */
9710 };
9711 
9712 
9713 
9714 void
9715 proto_reg_handoff_kerberos(void)
9716 {
9717 	dissector_handle_t kerberos_handle_tcp;
9718 
9719 	krb4_handle = find_dissector_add_dependency("krb4", proto_kerberos);
9720 
9721 	kerberos_handle_udp = create_dissector_handle(dissect_kerberos_udp,
9722 	proto_kerberos);
9723 
9724 	kerberos_handle_tcp = create_dissector_handle(dissect_kerberos_tcp,
9725 	proto_kerberos);
9726 
9727 	dissector_add_uint_with_preference("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
9728 	dissector_add_uint_with_preference("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
9729 
9730 	register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT,
9731 									  DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
9732 									  &gss_kerb_auth_connect_fns);
9733 
9734 	register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
9735 									  DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
9736 									  &gss_kerb_auth_sign_fns);
9737 
9738 	register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
9739 									  DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
9740 									  &gss_kerb_auth_seal_fns);
9741 }
9742 
9743 /*
9744  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
9745  *
9746  * Local variables:
9747  * c-basic-offset: 8
9748  * tab-width: 8
9749  * indent-tabs-mode: t
9750  * End:
9751  *
9752  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
9753  * :indentSize=8:tabSize=8:noTabs=false:
9754  */
9755