Adding upstream version 4.2.2.upstream/4.2.2

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

9 files changed, 7971 insertions, 0 deletions

diff --git a/epan/dissectors/asn1/kerberos/CMakeLists.txt b/epan/dissectors/asn1/kerberos/CMakeLists.txt
new file mode 100644
index 00000000..a8b2a43c
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/CMakeLists.txt
@@ -0,0 +1,43 @@
+# CMakeLists.txt
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+
+set( PROTOCOL_NAME kerberos )
+
+set( PROTO_OPT )
+
+set( EXPORT_FILES
+	${PROTOCOL_NAME}-exp.cnf
+)
+
+set( EXT_ASN_FILE_LIST
+)
+
+set( ASN_FILE_LIST
+	KerberosV5Spec2.asn
+	k5.asn
+	RFC3244.asn
+	RFC6113.asn
+	SPAKE.asn
+)
+
+set( EXTRA_DIST
+	${ASN_FILE_LIST}
+	packet-${PROTOCOL_NAME}-template.c
+	packet-${PROTOCOL_NAME}-template.h
+	${PROTOCOL_NAME}.cnf
+)
+
+set( SRC_FILES
+	${EXTRA_DIST}
+	${EXT_ASN_FILE_LIST}
+)
+
+set( A2W_FLAGS -b )
+
+ASN2WRS()
diff --git a/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn
new file mode 100644
index 00000000..f53f8552
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/KerberosV5Spec2.asn
@@ -0,0 +1,516 @@
+--http://www.ietf.org/rfc/rfc4120.txt?number=4120
+KerberosV5Spec2 {
+        iso(1) identified-organization(3) dod(6) internet(1)
+        security(5) kerberosV5(2) modules(4) krb5spec2(2)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+-- OID arc for KerberosV5
+--
+-- This OID may be used to identify Kerberos protocol messages
+-- encapsulated in other protocols.
+--
+-- This OID also designates the OID arc for KerberosV5-related OIDs.
+--
+-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+-- WS construct
+Applications ::= CHOICE {
+	ticket			Ticket,				-- 1 --
+	authenticator	Authenticator,		-- 2 --
+	encTicketPart	EncTicketPart,		-- 3 --
+	as-req			AS-REQ,				-- 10 --
+	as-rep			AS-REP,				-- 11 --
+	tgs-req			TGS-REQ,			-- 12 --
+	tgs-rep			TGS-REP,			-- 13 --
+	ap-req			AP-REQ,				-- 14 --
+	ap-rep			AP-REP,				-- 15 --
+	krb-safe		KRB-SAFE,			-- 20 --
+	krb-priv		KRB-PRIV,			-- 21 --
+	krb-cred		KRB-CRED,			-- 22 --
+	encASRepPart	EncASRepPart,		-- 25 --
+	encTGSRepPart	EncTGSRepPart,		-- 26 --
+	encAPRepPart	EncAPRepPart,		-- 27 --
+	encKrbPrivPart	ENC-KRB-PRIV-PART,	-- 28 --
+	encKrbCredPart	EncKrbCredPart,		-- 29 --
+	krb-error		KRB-ERROR			-- 30 --
+	}
+-- end WS construct
+id-krb5         OBJECT IDENTIFIER ::= {
+        iso(1) identified-organization(3) dod(6) internet(1)
+        security(5) kerberosV5(2)
+}
+
+Int32           ::= INTEGER (-2147483648..2147483647)
+                    -- signed values representable in 32 bits
+
+UInt32          ::= INTEGER (0..4294967295)
+                    -- unsigned 32 bit values
+
+Microseconds    ::= INTEGER (0..999999)
+                    -- microseconds
+
+KerberosString  ::= GeneralString (IA5String)
+CNameString  ::= GeneralString (IA5String)
+SNameString  ::= GeneralString (IA5String)
+
+Realm           ::= KerberosString
+
+PrincipalName   ::= SEQUENCE {
+--        name-type       [0] Int32, Use the translationj from krb5.asn (Heimdahl)
+        name-type       [0] NAME-TYPE,
+        name-string     [1] SEQUENCE OF KerberosString
+}
+
+CName   ::= SEQUENCE {
+        name-type       [0] NAME-TYPE,
+        cname-string    [1] SEQUENCE OF CNameString
+}
+
+SName   ::= SEQUENCE {
+        name-type       [0] NAME-TYPE,
+        sname-string    [1] SEQUENCE OF SNameString
+}
+
+KerberosTime    ::= GeneralizedTime -- with no fractional seconds
+
+HostAddress     ::= SEQUENCE  {
+--        addr-type       [0] Int32,
+        addr-type       [0] ADDR-TYPE, --use k5.asn
+        address         [1] OCTET STRING
+}
+
+-- NOTE: HostAddresses is always used as an OPTIONAL field and
+-- should not be empty.
+HostAddresses   -- NOTE: subtly different from rfc1510,
+                -- but has a value mapping and encodes the same
+        ::= SEQUENCE OF HostAddress
+
+-- NOTE: AuthorizationData is always used as an OPTIONAL field and
+-- should not be empty.
+AuthorizationData       ::= SEQUENCE OF SEQUENCE {
+        ad-type         [0] AUTHDATA-TYPE,
+        ad-data         [1] OCTET STRING
+}
+
+PA-DATA         ::= SEQUENCE {
+        -- NOTE: first tag is [1], not [0]
+--        padata-type     [1] Int32, use k5.asn
+        padata-type     [1] PADATA-TYPE,
+        padata-value    [2] OCTET STRING -- might be encoded AP-REQ
+}
+
+KerberosFlags   ::= BIT STRING (SIZE (32..MAX))
+                    -- minimum number of bits shall be sent,
+                    -- but no fewer than 32
+
+EncryptedData   ::= SEQUENCE {
+--        etype   [0] Int32 - - EncryptionType - -, Use k5.asn
+        etype   [0] ENCTYPE -- EncryptionType --,
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptionKey   ::= SEQUENCE {
+        keytype         [0] Int32 -- actually encryption type --,
+        keyvalue        [1] OCTET STRING
+}
+
+Checksum        ::= SEQUENCE {
+--        cksumtype       [0] Int32, Use k5.asn
+        cksumtype       [0] CKSUMTYPE,
+        checksum        [1] OCTET STRING
+}
+
+EncryptedTicketData   ::= SEQUENCE {
+        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptedAuthorizationData   ::= SEQUENCE {
+        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptedAuthenticator   ::= SEQUENCE {
+        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptedKDCREPData   ::= SEQUENCE {
+        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptedAPREPData   ::= SEQUENCE {
+        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptedKrbPrivData   ::= SEQUENCE {
+        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptedKrbCredData   ::= SEQUENCE {
+        etype   [0] ENCTYPE, -- EncryptionType - - Use k5.asn
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+Ticket          ::= [APPLICATION 1] SEQUENCE {
+        tkt-vno         [0] INTEGER (5),
+        realm           [1] Realm,
+        sname           [2] SName,
+        enc-part        [3] EncryptedTicketData 
+}
+
+-- Encrypted part of ticket
+EncTicketPart   ::= [APPLICATION 3] SEQUENCE {
+        flags                   [0] TicketFlags,
+        key                     [1] EncryptionKey,
+        crealm                  [2] Realm,
+        cname                   [3] CName,
+        transited               [4] TransitedEncoding,
+        authtime                [5] KerberosTime,
+        starttime               [6] KerberosTime OPTIONAL,
+        endtime                 [7] KerberosTime,
+        renew-till              [8] KerberosTime OPTIONAL,
+        caddr                   [9] HostAddresses OPTIONAL,
+        authorization-data      [10] AuthorizationData OPTIONAL
+}
+
+-- encoded Transited field
+TransitedEncoding       ::= SEQUENCE {
+        tr-type         [0] Int32 -- must be registered --,
+        contents        [1] OCTET STRING
+}
+-- Use the k5.asn def
+-- TicketFlags     ::= KerberosFlags
+        -- reserved(0),
+        -- forwardable(1),
+        -- forwarded(2),
+        -- proxiable(3),
+        -- proxy(4),
+        -- may-postdate(5),
+        -- postdated(6),
+        -- invalid(7),
+        -- renewable(8),
+        -- initial(9),
+        -- pre-authent(10),
+        -- hw-authent(11),
+-- the following are new since 1510
+        -- transited-policy-checked(12),
+        -- ok-as-delegate(13)
+
+AS-REQ          ::= [APPLICATION 10] KDC-REQ
+
+TGS-REQ         ::= [APPLICATION 12] KDC-REQ
+
+KDC-REQ         ::= SEQUENCE {
+        -- NOTE: first tag is [1], not [0]
+        pvno            [1] INTEGER (5) ,
+--        msg-type        [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
+--        msg-type        [2] INTEGER, use k5.asn
+        msg-type        [2] MESSAGE-TYPE,
+        padata          [3] SEQUENCE OF PA-DATA OPTIONAL
+                            -- NOTE: not empty --,
+        req-body        [4] KDC-REQ-BODY
+}
+
+KDC-REQ-BODY    ::= SEQUENCE {
+        kdc-options             [0] KDCOptions,
+        cname                   [1] CName OPTIONAL
+                                    -- Used only in AS-REQ --,
+        realm                   [2] Realm
+                                    -- Server's realm
+                                    -- Also client's in AS-REQ --,
+        sname                   [3] SName OPTIONAL,
+        from                    [4] KerberosTime OPTIONAL,
+
+-- this field is not optional in the kerberos spec, however, in the packetcable spec it is optional
+-- make it optional here since normal kerberos will still decode the pdu correctly.
+        till                    [5] KerberosTime OPTIONAL, 
+
+        rtime                   [6] KerberosTime OPTIONAL,
+        nonce                   [7] UInt32,
+--        etype                   [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn
+        etype                   [8] SEQUENCE OF ENCTYPE -- EncryptionType
+                                    -- in preference order --,
+        addresses               [9] HostAddresses OPTIONAL,
+        enc-authorization-data  [10] EncryptedAuthorizationData OPTIONAL
+                                    -- AuthorizationData --,
+        additional-tickets      [11] SEQUENCE OF Ticket OPTIONAL
+                                        -- NOTE: not empty
+}
+
+-- Use th k5.asn def
+--KDCOptions      ::= KerberosFlags
+        -- reserved(0),
+        -- forwardable(1),
+        -- forwarded(2),
+        -- proxiable(3),
+        -- proxy(4),
+        -- allow-postdate(5),
+        -- postdated(6),
+        -- unused7(7),
+        -- renewable(8),
+        -- unused9(9),
+        -- unused10(10),
+        -- opt-hardware-auth(11),
+        -- unused12(12),
+        -- unused13(13),
+-- 15 is reserved for canonicalize
+        -- unused15(15),
+-- 26 was unused in 1510
+        -- disable-transited-check(26),
+--
+        -- renewable-ok(27),
+        -- enc-tkt-in-skey(28),
+        -- renew(30),
+        -- validate(31)
+
+AS-REP          ::= [APPLICATION 11] KDC-REP
+
+TGS-REP         ::= [APPLICATION 13] KDC-REP
+
+
+KDC-REP         ::= SEQUENCE {
+        pvno            [0] INTEGER (5),
+--        msg-type        [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
+--        msg-type        [1] INTEGER, use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
+        padata          [2] SEQUENCE OF PA-DATA OPTIONAL
+                                -- NOTE: not empty --,
+        crealm          [3] Realm,
+        cname           [4] CName,
+        ticket          [5] Ticket,
+        enc-part        [6] EncryptedKDCREPData
+                                -- EncASRepPart or EncTGSRepPart,
+                                -- as appropriate
+}
+
+EncASRepPart    ::= [APPLICATION 25] EncKDCRepPart
+
+EncTGSRepPart   ::= [APPLICATION 26] EncKDCRepPart
+
+EncKDCRepPart   ::= SEQUENCE {
+        key             [0] EncryptionKey,
+        last-req        [1] LastReq,
+        nonce           [2] UInt32,
+        key-expiration  [3] KerberosTime OPTIONAL,
+        flags           [4] TicketFlags,
+        authtime        [5] KerberosTime,
+        starttime       [6] KerberosTime OPTIONAL,
+        endtime         [7] KerberosTime,
+        renew-till      [8] KerberosTime OPTIONAL,
+        srealm          [9] Realm,
+        sname           [10] SName,
+        caddr           [11] HostAddresses OPTIONAL,
+	    encrypted-pa-data[12]	METHOD-DATA OPTIONAL -- from k5.asn
+}
+
+LastReq         ::=     SEQUENCE OF SEQUENCE {
+--        lr-type         [0] Int32, Use k5.asn
+		lr-type         [0] LR-TYPE,
+        lr-value        [1] KerberosTime
+}
+
+AP-REQ          ::= [APPLICATION 14] SEQUENCE {
+        pvno            [0] INTEGER (5),
+--        msg-type        [1] INTEGER (14), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
+        ap-options      [2] APOptions,
+        ticket          [3] Ticket,
+        authenticator   [4] EncryptedAuthenticator -- Authenticator
+}
+-- Use the krb5.asn def.
+--APOptions       ::= KerberosFlags
+        -- reserved(0),
+        -- use-session-key(1),
+        -- mutual-required(2)
+
+-- Unencrypted authenticator
+Authenticator   ::= [APPLICATION 2] SEQUENCE  {
+        authenticator-vno       [0] INTEGER (5),
+        crealm                  [1] Realm,
+        cname                   [2] CName,
+        cksum                   [3] Checksum OPTIONAL,
+        cusec                   [4] Microseconds,
+        ctime                   [5] KerberosTime,
+        subkey                  [6] EncryptionKey OPTIONAL,
+        seq-number              [7] UInt32 OPTIONAL,
+        authorization-data      [8] AuthorizationData OPTIONAL
+}
+
+AP-REP          ::= [APPLICATION 15] SEQUENCE {
+        pvno            [0] INTEGER (5),
+--        msg-type        [1] INTEGER (15), Use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
+        enc-part        [2] EncryptedAPREPData -- EncAPRepPart
+}
+
+EncAPRepPart    ::= [APPLICATION 27] SEQUENCE {
+        ctime           [0] KerberosTime,
+        cusec           [1] Microseconds,
+        subkey          [2] EncryptionKey OPTIONAL,
+        seq-number      [3] UInt32 OPTIONAL
+}
+
+KRB-SAFE        ::= [APPLICATION 20] SEQUENCE {
+        pvno            [0] INTEGER (5),
+--        msg-type        [1] INTEGER (20), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
+        safe-body       [2] KRB-SAFE-BODY,
+        cksum           [3] Checksum
+}
+
+KRB-SAFE-BODY   ::= SEQUENCE {
+        user-data       [0] OCTET STRING,
+        timestamp       [1] KerberosTime OPTIONAL,
+        usec            [2] Microseconds OPTIONAL,
+        seq-number      [3] UInt32 OPTIONAL,
+        s-address       [4] HostAddress OPTIONAL, -- XXX this one is OPTIONAL in packetcable?  but mandatory in kerberos
+        r-address       [5] HostAddress OPTIONAL
+}
+
+KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
+        pvno            [0] INTEGER (5),
+--        msg-type        [1] INTEGER (21), Use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
+                        -- NOTE: there is no [2] tag
+        enc-part        [3] EncryptedKrbPrivData -- EncKrbPrivPart
+}
+
+ENC-KRB-PRIV-PART  ::= [APPLICATION 28] EncKrbPrivPart
+
+EncKrbPrivPart  ::= SEQUENCE {
+        user-data       [0] OCTET STRING,
+        timestamp       [1] KerberosTime OPTIONAL,
+        usec            [2] Microseconds OPTIONAL,
+        seq-number      [3] UInt32 OPTIONAL,
+        s-address       [4] HostAddress -- sender's addr --,
+        r-address       [5] HostAddress OPTIONAL -- recip's addr
+}
+
+KRB-CRED        ::= [APPLICATION 22] SEQUENCE {
+        pvno            [0] INTEGER (5),
+--        msg-type        [1] INTEGER (22), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
+        tickets         [2] SEQUENCE OF Ticket,
+        enc-part        [3] EncryptedKrbCredData -- EncKrbCredPart
+}
+
+EncKrbCredPart  ::= [APPLICATION 29] SEQUENCE {
+        ticket-info     [0] SEQUENCE OF KrbCredInfo,
+        nonce           [1] UInt32 OPTIONAL,
+        timestamp       [2] KerberosTime OPTIONAL,
+        usec            [3] Microseconds OPTIONAL,
+        s-address       [4] HostAddress OPTIONAL,
+        r-address       [5] HostAddress OPTIONAL
+}
+
+KrbCredInfo     ::= SEQUENCE {
+        key             [0] EncryptionKey,
+        prealm          [1] Realm OPTIONAL,
+        pname           [2] PrincipalName OPTIONAL,
+        flags           [3] TicketFlags OPTIONAL,
+        authtime        [4] KerberosTime OPTIONAL,
+        starttime       [5] KerberosTime OPTIONAL,
+        endtime         [6] KerberosTime OPTIONAL,
+        renew-till      [7] KerberosTime OPTIONAL,
+        srealm          [8] Realm OPTIONAL,
+        sname           [9] SName OPTIONAL,
+        caddr           [10] HostAddresses OPTIONAL
+}
+
+KRB-ERROR       ::= [APPLICATION 30] SEQUENCE {
+        pvno            [0] INTEGER (5),
+--        msg-type        [1] INTEGER (30), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
+        ctime           [2] KerberosTime OPTIONAL,
+        cusec           [3] Microseconds OPTIONAL,
+        stime           [4] KerberosTime,
+        susec           [5] Microseconds,
+--        error-code      [6] Int32,
+        error-code      [6] ERROR-CODE, -- Use k5.asn
+        crealm          [7] Realm OPTIONAL,
+        cname           [8] CName OPTIONAL,
+        realm           [9] Realm -- service realm --,
+        sname           [10] SName -- service name --,
+        e-text          [11] KerberosString OPTIONAL,
+        e-data          [12] OCTET STRING OPTIONAL,
+        e-checksum      [13] Checksum OPTIONAL -- used by PacketCable
+}
+
+METHOD-DATA     ::= SEQUENCE OF PA-DATA
+
+TYPED-DATA      ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+        data-type       [0] Int32,
+        data-value      [1] OCTET STRING OPTIONAL
+}
+
+-- preauth stuff follows
+
+PA-ENC-TIMESTAMP        ::= SEQUENCE {
+        etype   [0] ENCTYPE -- EncryptionType --,
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext 
+}
+
+PA-ENC-TS-ENC           ::= SEQUENCE {
+        patimestamp     [0] KerberosTime -- client's time --,
+        pausec          [1] Microseconds OPTIONAL
+}
+
+ETYPE-INFO-ENTRY        ::= SEQUENCE {
+--        etype           [0] Int32, use k5.asn
+        etype           [0] ENCTYPE,
+        salt            [1] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO              ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ETYPE-INFO2-ENTRY       ::= SEQUENCE {
+--        etype           [0] Int32, use k5.asn
+        etype           [0] ENCTYPE,
+        salt            [1] KerberosString OPTIONAL,
+        s2kparams       [2] OCTET STRING OPTIONAL
+}
+
+ETYPE-INFO2             ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+AD-IF-RELEVANT          ::= AuthorizationData
+
+AD-KDCIssued            ::= SEQUENCE {
+        ad-checksum     [0] Checksum,
+        i-realm         [1] Realm OPTIONAL,
+        i-sname         [2] SName OPTIONAL,
+        elements        [3] AuthorizationData
+}
+
+AD-AND-OR               ::= SEQUENCE {
+        condition-count [0] Int32,
+        elements        [1] AuthorizationData
+}
+
+AD-MANDATORY-FOR-KDC    ::= AuthorizationData
+
+TGT-REQ                 ::= SEQUENCE {
+        pvno            [0] INTEGER (5),
+        msg-type        [1] MESSAGE-TYPE (16),
+        server-name     [2] PrincipalName OPTIONAL,
+        realm           [3] Realm OPTIONAL
+}
+
+TGT-REP                 ::= SEQUENCE {
+        pvno            [0] INTEGER (5),
+        msg-type        [1] MESSAGE-TYPE (17),
+        ticket          [2] Ticket
+}
+
+END
diff --git a/epan/dissectors/asn1/kerberos/RFC3244.asn b/epan/dissectors/asn1/kerberos/RFC3244.asn
new file mode 100644
index 00000000..4dcd06e1
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/RFC3244.asn
@@ -0,0 +1,12 @@
+-- Extracted from RFC 3244
+
+RFC3244 DEFINITIONS ::=
+BEGIN
+
+ChangePasswdData ::=  SEQUENCE {
+	newpasswd[0]   OCTET STRING,
+	targname[1]    PrincipalName OPTIONAL,
+	targrealm[2]   Realm OPTIONAL
+}
+
+END
diff --git a/epan/dissectors/asn1/kerberos/RFC6113.asn b/epan/dissectors/asn1/kerberos/RFC6113.asn
new file mode 100644
index 00000000..0a3b7321
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/RFC6113.asn
@@ -0,0 +1,147 @@
+-- Extracted from RFC 6113
+
+KerberosPreauthFramework {
+	iso(1) identified-organization(3) dod(6) internet(1)
+	security(5) kerberosV5(2) modules(4) preauth-framework(3)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+IMPORTS
+	KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum,
+	Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY,
+	Microseconds, KerberosFlags, UInt32
+		FROM KerberosV5Spec2 { iso(1) identified-organization(3)
+			dod(6) internet(1) security(5) kerberosV5(2)
+			modules(4) krb5spec2(2) };
+			-- as defined in RFC 4120.
+
+PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM
+
+PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE {
+	pa-type      [0] PADATA-TYPE, -- use k5.asn Int32,
+		-- same as padata-type.
+	pa-hint      [1] OCTET STRING OPTIONAL,
+	pa-value     [2] OCTET STRING OPTIONAL,
+	...
+}
+
+KrbFastArmorTypes ::= INTEGER {
+	fX-FAST-reserved(0),
+	fX-FAST-ARMOR-AP-REQUEST(1) -- [RFC6113]
+}
+
+KrbFastArmor ::= SEQUENCE {
+	armor-type   [0] KrbFastArmorTypes,
+		-- Type of the armor.
+	armor-value  [1] OCTET STRING,
+		-- Value of the armor.
+	...
+}
+
+PA-FX-FAST-REQUEST ::= CHOICE {
+	armored-data [0] KrbFastArmoredReq,
+	...
+}
+
+EncryptedKrbFastReq   ::= SEQUENCE {
+        etype   [0] ENCTYPE -- EncryptionType --,
+        kvno    [1] UInt32 OPTIONAL,
+        cipher  [2] OCTET STRING -- ciphertext
+}
+
+KrbFastArmoredReq ::= SEQUENCE {
+	armor        [0] KrbFastArmor OPTIONAL,
+		-- Contains the armor that identifies the armor key.
+		-- MUST be present in AS-REQ.
+	req-checksum [1] Checksum,
+		-- For AS, contains the checksum performed over the type
+		-- KDC-REQ-BODY for the req-body field of the KDC-REQ
+		-- structure;
+		-- For TGS, contains the checksum performed over the type
+		-- AP-REQ in the PA-TGS-REQ padata.
+		-- The checksum key is the armor key, the checksum
+		-- type is the required checksum type for the enctype of
+		-- the armor key, and the key usage number is
+		-- KEY_USAGE_FAST_REQ_CHKSUM.
+	enc-fast-req [2] EncryptedKrbFastReq, -- KrbFastReq --
+		-- The encryption key is the armor key, and the key usage
+		-- number is KEY_USAGE_FAST_ENC.
+	...
+}
+
+KrbFastReq ::= SEQUENCE {
+	fast-options [0] FastOptions,
+		-- Additional options.
+	padata       [1] SEQUENCE OF PA-DATA,
+		-- padata typed holes.
+	req-body     [2] KDC-REQ-BODY,
+		-- Contains the KDC request body as defined in Section
+		-- 5.4.1 of [RFC4120].
+		-- This req-body field is preferred over the outer field
+		-- in the KDC request.
+		...
+}
+
+FastOptions ::= BIT STRING {
+	reserved(0),
+	hide-client-names(1),
+	kdc-follow-referrals(16)
+} (SIZE (32..MAX)) -- KerberosFlags
+
+PA-FX-FAST-REPLY ::= CHOICE {
+	armored-data [0] KrbFastArmoredRep,
+	...
+}
+
+EncryptedKrbFastResponse   ::= SEQUENCE {
+	etype   [0] ENCTYPE -- EncryptionType --,
+	kvno    [1] UInt32 OPTIONAL,
+	cipher  [2] OCTET STRING -- ciphertext
+}
+
+KrbFastArmoredRep ::= SEQUENCE {
+	enc-fast-rep      [0] EncryptedKrbFastResponse, -- KrbFastResponse --
+		-- The encryption key is the armor key in the request, and
+		-- the key usage number is KEY_USAGE_FAST_REP.
+	...
+}
+
+KrbFastResponse ::= SEQUENCE {
+	padata         [0] SEQUENCE OF PA-DATA,
+		-- padata typed holes.
+	strengthen-key [1] EncryptionKey OPTIONAL,
+		-- This, if present, strengthens the reply key for AS and
+		-- TGS.  MUST be present for TGS
+		-- MUST be absent in KRB-ERROR.
+	finished       [2] KrbFastFinished OPTIONAL,
+		-- Present in AS or TGS reply; absent otherwise.
+	nonce          [3] UInt32,
+		-- Nonce from the client request.
+	...
+}
+
+KrbFastFinished ::= SEQUENCE {
+	timestamp       [0] KerberosTime,
+	usec            [1] Microseconds,
+		-- timestamp and usec represent the time on the KDC when
+		-- the reply was generated.
+	crealm          [2] Realm,
+	cname           [3] PrincipalName,
+		-- Contains the client realm and the client name.
+	ticket-checksum [4] Checksum,
+		-- checksum of the ticket in the KDC-REP  using the armor
+		-- and the key usage is KEY_USAGE_FAST_FINISH.
+		-- The checksum type is the required checksum type
+		-- of the armor key.
+	...
+}
+
+EncryptedChallenge ::= SEQUENCE {
+	etype   [0] ENCTYPE -- EncryptionType --,
+	kvno    [1] UInt32 OPTIONAL,
+	cipher  [2] OCTET STRING -- ciphertext
+}
+		-- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key
+		-- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the
+		-- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC.
+
+END
diff --git a/epan/dissectors/asn1/kerberos/SPAKE.asn b/epan/dissectors/asn1/kerberos/SPAKE.asn
new file mode 100644
index 00000000..0c0d998d
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/SPAKE.asn
@@ -0,0 +1,86 @@
+-- Adapted from
+-- https://tools.ietf.org/id/draft-ietf-kitten-krb-spake-preauth-09.txt
+-- Appendix A.
+
+-- Copyright (c) 2019 IETF Trust and the persons identified as authors of the
+-- code. All rights reserved.
+--
+-- Redistribution and use in source and binary forms, with or without
+-- modification, is permitted pursuant to, and subject to the license terms
+-- contained in, the Simplified BSD License set forth in Section 4.c of the
+-- IETF Trust’s Legal Provisions Relating to IETF Documents
+-- (http://trustee.ietf.org/license-info).
+
+KerberosV5SPAKE {
+        iso(1) identified-organization(3) dod(6) internet(1)
+        security(5) kerberosV5(2) modules(4) spake(8)
+} DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+IMPORTS
+    EncryptedData, Int32
+      FROM KerberosV5Spec2 { iso(1) identified-organization(3)
+        dod(6) internet(1) security(5) kerberosV5(2) modules(4)
+        krb5spec2(2) };
+        -- as defined in RFC 4120.
+
+EncryptedSpakeData   ::= SEQUENCE {
+    etype   [0] ENCTYPE -- EncryptionType --,
+    kvno    [1] UInt32 OPTIONAL,
+    cipher  [2] OCTET STRING -- ciphertext
+}
+
+EncryptedSpakeResponseData   ::= SEQUENCE {
+    etype   [0] ENCTYPE -- EncryptionType --,
+    kvno    [1] UInt32 OPTIONAL,
+    cipher  [2] OCTET STRING -- ciphertext
+}
+
+SPAKEGroup ::= INTEGER {
+    sPAKEGroup-edwards25519(1),
+    sPAKEGroup-P-256(2),
+    sPAKEGroup-P-384(3),
+    sPAKEGroup-P-521(4)
+}
+
+SPAKESecondFactorType ::= INTEGER {
+    sPAKESecondFactor-SF-NONE(1)
+}
+
+SPAKESupport ::= SEQUENCE {
+    groups      [0] SEQUENCE (SIZE(1..MAX)) OF SPAKEGroup,
+    ...
+}
+
+SPAKEChallenge ::= SEQUENCE {
+    group       [0] SPAKEGroup,
+    pubkey      [1] OCTET STRING,
+    factors     [2] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor,
+    ...
+}
+
+SPAKESecondFactor ::= SEQUENCE {
+    type        [0] SPAKESecondFactorType,
+    data        [1] OCTET STRING OPTIONAL
+}
+
+SPAKEResponse ::= SEQUENCE {
+    pubkey      [0] OCTET STRING,
+    factor      [1] EncryptedSpakeResponseData, -- SPAKESecondFactor
+    ...
+}
+
+PA-SPAKE ::= CHOICE {
+    support     [0] SPAKESupport,
+    challenge   [1] SPAKEChallenge,
+    response    [2] SPAKEResponse,
+    encdata     [3] EncryptedSpakeData,
+    ...
+}
+
+-- PA-SPAKE-HINT ::= SEQUENCE {
+--     groups      [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
+--     factors     [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
+-- }
+
+END
+
diff --git a/epan/dissectors/asn1/kerberos/k5.asn b/epan/dissectors/asn1/kerberos/k5.asn
new file mode 100644
index 00000000..1eb9120a
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/k5.asn
@@ -0,0 +1,891 @@
+-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz
+-- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
+-- Commented out stuff already in KerberosV5Spec2.asn
+KERBEROS5 DEFINITIONS ::=
+BEGIN
+
+NAME-TYPE ::= INTEGER {
+	kRB5-NT-UNKNOWN(0),	-- Name type not known
+	kRB5-NT-PRINCIPAL(1),	-- Just the name of the principal as in
+	kRB5-NT-SRV-INST(2),	-- Service and other unique instance (krbtgt)
+	kRB5-NT-SRV-HST(3),	-- Service with host name as instance
+	kRB5-NT-SRV-XHST(4),	-- Service with host as remaining components
+	kRB5-NT-UID(5),		-- Unique ID
+	kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
+	kRB5-NT-SMTP-NAME(7),	-- Name in form of SMTP email name
+	kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
+	kRB5-NT-WELLKNOWN(11),	-- Wellknown
+	kRB5-NT-SRV-HST-DOMAIN(12), -- Domain based service with host name as instance (RFC5179)
+	kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
+	kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
+	kRB5-NT-MS-PRINCIPAL-AND-ID(-129), -- NT style name and SID
+	kRB5-NT-NTLM(-1200), -- NTLM name, realm is domain
+	kRB5-NT-X509-GENERAL-NAME(-1201), -- x509 general name (base64 encoded)
+	kRB5-NT-GSS-HOSTBASED-SERVICE(-1202), -- not used; remove
+	kRB5-NT-CACHE-UUID(-1203), -- name is actually a uuid pointing to ccache, use client name in cache
+	kRB5-NT-SRV-HST-NEEDS-CANON (-195894762) -- Internal: indicates that name canonicalization is needed
+}
+
+-- message types
+
+MESSAGE-TYPE ::= INTEGER {
+	krb-as-req(10), -- Request for initial authentication
+	krb-as-rep(11), -- Response to KRB_AS_REQ request
+	krb-tgs-req(12), -- Request for authentication based on TGT
+	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
+	krb-ap-req(14), -- application request to server
+	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
+	krb-tgt-req(16), -- TGT-REQ used in U2U
+	krb-tgt-rep(17), -- TGT-REP used in U2U
+	krb-safe(20), -- Safe (checksummed) application message
+	krb-priv(21), -- Private (encrypted) application message
+	krb-cred(22), -- Private (encrypted) message to forward credentials
+	krb-error(30) -- Error response
+}
+
+
+-- pa-data types
+
+
+PADATA-TYPE ::= INTEGER {
+	pA-NONE(0),
+	pA-TGS-REQ(1),			-- [RFC4120]
+	pA-ENC-TIMESTAMP(2),		-- [RFC4120]
+	pA-PW-SALT(3),			-- [RFC4120]
+	-- [reserved](4), --		-- [RFC6113]
+	pA-ENC-UNIX-TIME(5),		-- (deprecated) [RFC4120]
+	pA-SANDIA-SECUREID(6),		-- [RFC4120]
+	pA-SESAME(7),			-- [RFC4120]
+	pA-OSF-DCE(8),			-- [RFC4120]
+	pA-CYBERSAFE-SECUREID(9),	-- [RFC4120]
+	pA-AFS3-SALT(10),		-- [RFC4120] [RFC3961]
+	pA-ETYPE-INFO(11),		-- [RFC4120]
+	pA-SAM-CHALLENGE(12),		-- [KRB-WG.SAM]
+	pA-SAM-RESPONSE(13),		-- [KRB-WG.SAM]
+	pA-PK-AS-REQ-19(14),		-- [PK-INIT-1999]
+	pA-PK-AS-REP-19(15),		-- [PK-INIT-1999]
+	pA-PK-AS-REQ(16),		-- [RFC4556]
+	pA-PK-AS-REP(17),		-- [RFC4556]
+	pA-PK-OCSP-RESPONSE(18),	-- [RFC4557]
+	pA-ETYPE-INFO2(19),		-- [RFC4120]
+	pA-USE-SPECIFIED-KVNO(20),	-- [RFC4120]
+--	pA-SVR-REFERRAL-INFO(20), --	-- [REFERRALS]
+	pA-SAM-REDIRECT(21),		-- [KRB-WG.SAM]
+	pA-GET-FROM-TYPED-DATA(22),	-- (embedded in typed data) [RFC4120]
+	tD-PADATA(22),			-- (embeds padata) [RFC4120]
+	pA-SAM-ETYPE-INFO(23),		-- (sam/otp) [KRB-WG.SAM]
+	pA-ALT-PRINC(24),		-- (crawdad@fnal.gov) [HW-AUTH]
+	pA-SERVER-REFERRAL(25),		-- [REFERRALS]
+	pA-SAM-CHALLENGE2(30),		-- (kenh@pobox.com) [KRB-WG.SAM]
+	pA-SAM-RESPONSE2(31),		-- (kenh@pobox.com) [KRB-WG.SAM]
+	pA-EXTRA-TGT(41),		-- Reserved extra TGT [RFC6113]
+--	pA-FX-FAST-ARMOR(71), --	-- fast armor
+	tD-PKINIT-CMS-CERTIFICATES(101),-- CertificateSet from CMS
+	tD-KRB-PRINCIPAL(102),		-- PrincipalName
+	tD-KRB-REALM(103),		-- Realm
+	tD-TRUSTED-CERTIFIERS(104),	-- [RFC4556]
+	tD-CERTIFICATE-INDEX(105),	-- [RFC4556]
+	tD-APP-DEFINED-ERROR(106),	-- Application specific [RFC6113]
+	tD-REQ-NONCE(107),		-- INTEGER [RFC6113]
+	tD-REQ-SEQ(108),		-- INTEGER [RFC6113]
+	tD-DH-PARAMETERS(109),		-- [RFC4556]
+	tD-CMS-DIGEST-ALGORITHMS(111),	-- [ALG-AGILITY]
+	tD-CERT-DIGEST-ALGORITHMS(112),	-- [ALG-AGILITY]
+	pA-PAC-REQUEST(128),		-- [MS-KILE]
+	pA-FOR-USER(129),		-- [MS-KILE]
+	pA-FOR-X509-USER(130),		-- [MS-KILE]
+	pA-FOR-CHECK-DUPS(131),		-- [MS-KILE]
+--	pA-AS-CHECKSUM(132), --		-- [MS-KILE]
+	pA-PK-AS-09-BINDING(132),	-- client send this to
+						-- tell KDC that is supports
+						-- the asCheckSum in the
+						--  PK-AS-REP
+	pA-FX-COOKIE(133),		-- [RFC6113]
+	pA-AUTHENTICATION-SET(134),	-- [RFC6113]
+	pA-AUTH-SET-SELECTED(135),	-- [RFC6113]
+	pA-FX-FAST(136),		-- [RFC6113]
+	pA-FX-ERROR(137),		-- [RFC6113]
+	pA-ENCRYPTED-CHALLENGE(138),	-- [RFC6113]
+	pA-OTP-CHALLENGE(141),		-- (gareth.richards@rsa.com) [OTP-PREAUTH]
+	pA-OTP-REQUEST(142),		-- (gareth.richards@rsa.com) [OTP-PREAUTH]
+	pA-OTP-CONFIRM(143),		-- (gareth.richards@rsa.com) [OTP-PREAUTH]
+	pA-OTP-PIN-CHANGE(144),		-- (gareth.richards@rsa.com) [OTP-PREAUTH]
+	pA-EPAK-AS-REQ(145),		-- (sshock@gmail.com) [RFC6113]
+	pA-EPAK-AS-REP(146),		-- (sshock@gmail.com) [RFC6113]
+	pA-PKINIT-KX(147),		-- [RFC6112]
+	pA-PKU2U-NAME(148),		-- [PKU2U]
+	pA-REQ-ENC-PA-REP(149), 	-- [RFC6806]
+	pA-AS-FRESHNESS(150),		-- [RFC8070]
+	pA-SPAKE(151),			-- draft-ietf-kitten-krb-spake-preauth-09
+	pA-REDHAT-IDP-OAUTH2(152),	-- (pbrezina@redhat.com)
+	pA-REDHAT-PASSKEY(153),		-- (pbrezina@redhat.com)
+	pA-KERB-KEY-LIST-REQ(161), -- [MS-KILE]
+	pA-KERB-KEY-LIST-REP(162), -- [MS-KILE]
+	pA-SUPPORTED-ETYPES(165),	-- [MS-KILE]
+	pA-EXTENDED-ERROR(166),		-- [MS-KILE]
+	pA-PAC-OPTIONS(167),		-- [MS-KILE]
+	pA-PROV-SRV-LOCATION(-1)	-- 0xffffffff (gint32)0xFF) packetcable stuff
+}
+
+AUTHDATA-TYPE ::= INTEGER {
+	aD-IF-RELEVANT(1),
+	aD-INTENDED-FOR-SERVER(2),
+	aD-INTENDED-FOR-APPLICATION-CLASS(3),
+	aD-KDC-ISSUED(4),
+	aD-AND-OR(5),
+	aD-MANDATORY-TICKET-EXTENSIONS(6),
+	aD-IN-TICKET-EXTENSIONS(7),
+	aD-MANDATORY-FOR-KDC(8),
+	aD-INITIAL-VERIFIED-CAS(9),
+	aD-OSF-DCE(64),
+	aD-SESAME(65),
+	aD-OSF-DCE-PKI-CERTID(66),
+	aD-authentication-strength(70),	-- [RFC6113]
+	aD-fx-fast-armor(71),		-- [RFC6113]
+	aD-fx-fast-used(72),			-- [RFC6113]
+	aD-WIN2K-PAC(128), 			-- [RFC4120] [MS-PAC]
+	aD-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+	aD-TOKEN-RESTRICTIONS(141),		-- [MS-KILE]
+	aD-LOCAL(142),				-- [MS-KILE]
+	aD-AP-OPTIONS(143),			-- [MS-KILE]
+	aD-TARGET-PRINCIPAL(144),		-- [MS-KILE]
+	aD-SIGNTICKET-OLDER(-17),
+	-- aD-SIGNTICKET-OLD(142),
+	aD-SIGNTICKET(512)
+}
+
+-- checksumtypes
+
+CKSUMTYPE ::= INTEGER {
+	cKSUMTYPE-NONE(0),
+	cKSUMTYPE-CRC32(1),
+	cKSUMTYPE-RSA-MD4(2),
+	cKSUMTYPE-RSA-MD4-DES(3),
+	cKSUMTYPE-DES-MAC(4),
+	cKSUMTYPE-DES-MAC-K(5),
+	cKSUMTYPE-RSA-MD4-DES-K(6),
+	cKSUMTYPE-RSA-MD5(7),
+	cKSUMTYPE-RSA-MD5-DES(8),
+	cKSUMTYPE-RSA-MD5-DES3(9),
+	cKSUMTYPE-SHA1-OTHER(10),
+	cKSUMTYPE-HMAC-SHA1-DES3-KD(12),
+	cKSUMTYPE-HMAC-SHA1-DES3(13),
+	cKSUMTYPE-SHA1(14),
+	cKSUMTYPE-HMAC-SHA1-96-AES-128(15),
+	cKSUMTYPE-HMAC-SHA1-96-AES-256(16),
+	cKSUMTYPE-CMAC-CAMELLIA128(17),
+	cKSUMTYPE-CMAC-CAMELLIA256(18),
+	cKSUMTYPE-HMAC-SHA256-128-AES128(19),
+	cKSUMTYPE-HMAC-SHA384-192-AES256(20),
+	cKSUMTYPE-GSSAPI(--0x8003--32771),
+	cKSUMTYPE-HMAC-MD5(-138),	-- unofficial microsoft number
+	cKSUMTYPE-HMAC-MD5-ENC(-1138)	-- even more unofficial
+}
+
+--enctypes https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1
+ENCTYPE ::= INTEGER {
+	eTYPE-NULL(0),
+	eTYPE-DES-CBC-CRC(1),
+	eTYPE-DES-CBC-MD4(2),
+	eTYPE-DES-CBC-MD5(3),
+	eTYPE-DES3-CBC-MD5(5),
+	eTYPE-OLD-DES3-CBC-SHA1(7),
+	eTYPE-SIGN-DSA-GENERATE(8),
+	eTYPE-DSA-SHA1(9),
+	eTYPE-RSA-MD5(10),
+	eTYPE-RSA-SHA1(11),
+	eTYPE-RC2-CBC(12),
+	eTYPE-RSA(13),
+	eTYPE-RSAES-OAEP(14),
+	eTYPE-DES-EDE3-CBC(15),
+	eTYPE-DES3-CBC-SHA1(16),	-- with key derivation
+	eTYPE-AES128-CTS-HMAC-SHA1-96(17),
+	eTYPE-AES256-CTS-HMAC-SHA1-96(18),
+	eTYPE-AES128-CTS-HMAC-SHA256-128(19), -- RFC 8009
+	eTYPE-AES256-CTS-HMAC-SHA384-192(20), -- RFC 8009
+	eTYPE-ARCFOUR-HMAC-MD5(23),
+	eTYPE-ARCFOUR-HMAC-MD5-56(24),
+	eTYPE-CAMELLIA128-CTS-CMAC(25),
+	eTYPE-CAMELLIA256-CTS-CMAC(26),
+	eTYPE-ENCTYPE-PK-CROSS(48),
+-- some "old" windows types
+	eTYPE-ARCFOUR-MD4(-128),
+	eTYPE-ARCFOUR-HMAC-OLD(-133),
+	eTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
+-- these are for Heimdal internal use
+--	eTYPE-DES-CBC-NONE(-0x1000),
+	eTYPE-DES-CBC-NONE( -4096),
+--	eTYPE-DES3-CBC-NONE(-0x1001),
+	eTYPE-DES3-CBC-NONE(-4097),
+--	eTYPE-DES-CFB64-NONE(-0x1002),
+	eTYPE-DES-CFB64-NONE(-4098),
+--	eTYPE-DES-PCBC-NONE(-0x1003),
+	eTYPE-DES-PCBC-NONE(-4099),
+--	eTYPE-DIGEST-MD5-NONE(-0x1004),		- - private use, lukeh@padl.com
+	eTYPE-DIGEST-MD5-NONE(-4100),		-- private use, lukeh@padl.com
+--	eTYPE-CRAM-MD5-NONE(-0x1005)		- - private use, lukeh@padl.com
+	eTYPE-CRAM-MD5-NONE(-4101)		-- private use, lukeh@padl.com
+}
+
+-- addr-types (WS extension )
+ADDR-TYPE ::= INTEGER {
+    iPv4(2),
+    cHAOS(5),
+    xEROX(6),
+    iSO(7),
+    dECNET(12),
+    aPPLETALK(16),
+    nETBIOS(20),
+    iPv6(24)
+}
+
+-- error-codes (WS extension)
+ERROR-CODE ::= INTEGER {
+--error table constants
+	eRR-NONE(0),
+	eRR-NAME-EXP(1),
+	eRR-SERVICE-EXP(2),
+	eRR-BAD-PVNO(3),
+	eRR-C-OLD-MAST-KVNO(4),
+	eRR-S-OLD-MAST-KVNO(5),
+	eRR-C-PRINCIPAL-UNKNOWN(6),
+	eRR-S-PRINCIPAL-UNKNOWN(7),
+	eRR-PRINCIPAL-NOT-UNIQUE(8),
+	eRR-NULL-KEY(9),
+	eRR-CANNOT-POSTDATE(10),
+	eRR-NEVER-VALID(11),
+	eRR-POLICY(12),
+	eRR-BADOPTION(13),
+	eRR-ETYPE-NOSUPP(14),
+	eRR-SUMTYPE-NOSUPP(15),
+	eRR-PADATA-TYPE-NOSUPP(16),
+	eRR-TRTYPE-NOSUPP(17),
+	eRR-CLIENT-REVOKED(18),
+	eRR-SERVICE-REVOKED(19),
+	eRR-TGT-REVOKED(20),
+	eRR-CLIENT-NOTYET(21),
+	eRR-SERVICE-NOTYET(22),
+	eRR-KEY-EXP(23),
+	eRR-PREAUTH-FAILED(24),
+	eRR-PREAUTH-REQUIRED(25),
+	eRR-SERVER-NOMATCH(26),
+	eRR-MUST-USE-USER2USER(27),
+	eRR-PATH-NOT-ACCEPTED(28),
+	eRR-SVC-UNAVAILABLE(29),
+	eRR-BAD-INTEGRITY(31),
+	eRR-TKT-EXPIRED(32),
+	eRR-TKT-NYV(33),
+	eRR-REPEAT(34),
+	eRR-NOT-US(35),
+	eRR-BADMATCH(36),
+	eRR-SKEW(37),
+	eRR-BADADDR(38),
+	eRR-BADVERSION(39),
+	eRR-MSG-TYPE(40),
+	eRR-MODIFIED(41),
+	eRR-BADORDER(42),
+	eRR-ILL-CR-TKT(43),
+	eRR-BADKEYVER(44),
+	eRR-NOKEY(45),
+	eRR-MUT-FAIL(46),
+	eRR-BADDIRECTION(47),
+	eRR-METHOD(48),
+	eRR-BADSEQ(49),
+	eRR-INAPP-CKSUM(50),
+	pATH-NOT-ACCEPTED(51),
+	eRR-RESPONSE-TOO-BIG(52),
+	eRR-GENERIC(60),
+	eRR-FIELD-TOOLONG(61),
+	eRROR-CLIENT-NOT-TRUSTED(62),
+	eRROR-KDC-NOT-TRUSTED(63),
+	eRROR-INVALID-SIG(64),
+	eRR-KEY-TOO-WEAK(65),
+	eRR-CERTIFICATE-MISMATCH(66),
+	eRR-NO-TGT(67),
+	eRR-WRONG-REALM(68),
+	eRR-USER-TO-USER-REQUIRED(69),
+	eRR-CANT-VERIFY-CERTIFICATE(70),
+	eRR-INVALID-CERTIFICATE(71),
+	eRR-REVOKED-CERTIFICATE(72),
+	eRR-REVOCATION-STATUS-UNKNOWN(73),
+	eRR-REVOCATION-STATUS-UNAVAILABLE(74),
+	eRR-CLIENT-NAME-MISMATCH(75),
+	eRR-KDC-NAME-MISMATCH(76)
+}
+
+-- this is sugar to make something ASN1 does not have: unsigned
+
+Krb5uint32 ::= INTEGER (0..4294967295)
+Krb5int32 ::= INTEGER (-2147483648..2147483647)
+
+--KerberosString  ::= GeneralString
+
+--Realm ::= GeneralString
+--PrincipalName ::= SEQUENCE {
+--	name-type[0]		NAME-TYPE,
+--	name-string[1]		SEQUENCE OF GeneralString
+--}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+	name[0]		PrincipalName,
+	realm[1]		Realm
+}
+
+--HostAddress ::= SEQUENCE  {
+--	addr-type	[0]	Krb5int32,
+--	address		[1]	OCTET STRING
+--}
+
+-- This is from RFC1510.
+--
+-- HostAddresses ::= SEQUENCE OF SEQUENCE {
+-- 	addr-type[0]		Krb5int32,
+--	address[1]		OCTET STRING
+-- }
+
+-- This seems much better.
+--HostAddresses ::= SEQUENCE OF HostAddress
+
+
+--KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z)
+
+--AuthorizationDataElement ::= SEQUENCE {
+--	ad-type[0]		Krb5int32,
+--	ad-data[1]		OCTET STRING
+--}
+
+--AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
+APOptions ::= BIT STRING {
+	reserved(0),
+	use-session-key(1),
+	mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	may-postdate(5),
+	postdated(6),
+	invalid(7),
+	renewable(8),
+	initial(9),
+	pre-authent(10),
+	hw-authent(11),
+	transited-policy-checked(12),
+	ok-as-delegate(13),
+	unused(14),
+	enc-pa-rep(15),
+	anonymous(16)
+}
+
+KDCOptions ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	allow-postdate(5),
+	postdated(6),
+	unused7(7),
+	renewable(8),
+	unused9(9),
+	unused10(10),
+	opt-hardware-auth(11), -- taken from KerberosV5Spec2.asn
+	unused12(12),
+	unused13(13),
+	constrained-delegation(14), -- ms extension (aka cname-in-addl-tkt)
+	canonicalize(15),
+	request-anonymous(16),
+	unused17(17),
+	unused18(18),
+	unused19(19),
+	unused20(20),
+	unused21(21),
+	unused22(22),
+	unused23(23),
+	unused24(24),
+	unused25(25),
+	disable-transited-check(26),
+	renewable-ok(27),
+	enc-tkt-in-skey(28),
+	unused29(29),
+	renew(30),
+	validate(31)
+}
+
+LR-TYPE ::= INTEGER {
+	lR-NONE(0),		-- no information
+	lR-INITIAL-TGT(1),	-- last initial TGT request
+	lR-INITIAL(2),		-- last initial request
+	lR-ISSUE-USE-TGT(3),	-- time of newest TGT used
+	lR-RENEWAL(4),		-- time of last renewal
+	lR-REQUEST(5),		-- time of last request (of any type)
+	lR-PW-EXPTIME(6),	-- expiration time of password
+	lR-ACCT-EXPTIME(7)	-- expiration time of account
+}
+
+--LastReq ::= SEQUENCE OF SEQUENCE {
+--	lr-type[0]		LR-TYPE,
+--	lr-value[1]		KerberosTime
+--}
+
+
+--EncryptedData ::= SEQUENCE {
+--	etype[0] 		ENCTYPE, - - EncryptionType
+--	kvno[1]			Krb5int32 OPTIONAL,
+--	cipher[2]		OCTET STRING - - ciphertext
+--}
+
+--EncryptionKey ::= SEQUENCE {
+--	keytype[0]		Krb5int32,
+--	keyvalue[1]		OCTET STRING
+--}
+
+-- encoded Transited field
+--TransitedEncoding ::= SEQUENCE {
+--	tr-type[0]		Krb5int32, - - must be registered
+--	contents[1]		OCTET STRING
+--}
+
+--Ticket ::= [APPLICATION 1] SEQUENCE {
+--	tkt-vno[0]		Krb5int32,
+--	realm[1]		Realm,
+--	sname[2]		PrincipalName,
+--	enc-part[3]		EncryptedData
+--}
+-- Encrypted part of ticket
+--EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+--	flags[0]		TicketFlags,
+--	key[1]			EncryptionKey,
+--	crealm[2]		Realm,
+--	cname[3]		PrincipalName,
+--	transited[4]		TransitedEncoding,
+--	authtime[5]		KerberosTime,
+--	starttime[6]		KerberosTime OPTIONAL,
+--	endtime[7]		KerberosTime,
+--	renew-till[8]		KerberosTime OPTIONAL,
+--	caddr[9]		HostAddresses OPTIONAL,
+--	authorization-data[10]	AuthorizationData OPTIONAL
+--}
+
+--Checksum ::= SEQUENCE {
+--	cksumtype[0]		CKSUMTYPE,
+--	checksum[1]		OCTET STRING
+--}
+
+--Authenticator ::= [APPLICATION 2] SEQUENCE    {
+--	authenticator-vno[0]	Krb5int32,
+--	crealm[1]		Realm,
+--	cname[2]		PrincipalName,
+--	cksum[3]		Checksum OPTIONAL,
+--	cusec[4]		Krb5int32,
+--	ctime[5]		KerberosTime,
+--	subkey[6]		EncryptionKey OPTIONAL,
+--	seq-number[7]		Krb5uint32 OPTIONAL,
+--	authorization-data[8]	AuthorizationData OPTIONAL
+--}
+
+--PA-DATA ::= SEQUENCE {
+	-- might be encoded AP-REQ
+--	padata-type[1]		PADATA-TYPE,
+--	padata-value[2]		OCTET STRING
+--}
+
+--ETYPE-INFO-ENTRY ::= SEQUENCE {
+--	etype[0]		ENCTYPE,
+--	salt[1]			OCTET STRING OPTIONAL,
+--	salttype[2]		Krb5int32 OPTIONAL
+--}
+
+--ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+--ETYPE-INFO2-ENTRY ::= SEQUENCE {
+--	etype[0]		ENCTYPE,
+--	salt[1]			KerberosString OPTIONAL,
+--	s2kparams[2]		OCTET STRING OPTIONAL
+--}
+
+--ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+-- METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+--TypedData ::=   SEQUENCE {
+--	data-type[0]		Krb5int32,
+--	data-value[1]		OCTET STRING OPTIONAL
+--}
+
+--TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
+
+--KDC-REQ-BODY ::= SEQUENCE {
+--	kdc-options[0]		KDCOptions,
+--	cname[1]		PrincipalName OPTIONAL, - - Used only in AS-REQ
+--	realm[2]		Realm,	- - Server's realm
+					-- Also client's in AS-REQ
+--	sname[3]		PrincipalName OPTIONAL,
+--	from[4]			KerberosTime OPTIONAL,
+--	till[5]			KerberosTime OPTIONAL,
+--	rtime[6]		KerberosTime OPTIONAL,
+--	nonce[7]		Krb5int32,
+--	etype[8]		SEQUENCE OF ENCTYPE, - - EncryptionType,
+					-- in preference order
+--	addresses[9]		HostAddresses OPTIONAL,
+--	enc-authorization-data[10] EncryptedData OPTIONAL,
+					-- Encrypted AuthorizationData encoding
+--	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
+--}
+
+--KDC-REQ ::= SEQUENCE {
+--	pvno[1]			Krb5int32,
+--	msg-type[2]		MESSAGE-TYPE,
+--	padata[3]		METHOD-DATA OPTIONAL,
+--	req-body[4]		KDC-REQ-BODY
+--}
+
+--AS-REQ ::= [APPLICATION 10] KDC-REQ
+--TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+-- padata-type ::= PA-ENC-TIMESTAMP
+-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
+
+--PA-ENC-TS-ENC ::= SEQUENCE {
+--	patimestamp[0]		KerberosTime, - - client's time
+--	pausec[1]		Krb5int32 OPTIONAL
+--}
+
+-- WS put extensions found elsewhere here
+-- draft-brezak-win2k-krb-authz-01
+-- MS-KILE: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile
+-- MS-SFU: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu
+PA-PAC-REQUEST ::= SEQUENCE {
+	include-pac[0]		BOOLEAN -- Indicates whether a PAC
+					-- should be included or not
+}
+
+-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
+PROV-SRV-LOCATION ::= GeneralString
+
+--KDC-REP ::= SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	padata[2]		METHOD-DATA OPTIONAL,
+--	crealm[3]		Realm,
+--	cname[4]		PrincipalName,
+--	ticket[5]		Ticket,
+--	enc-part[6]		EncryptedData
+--}
+
+--AS-REP ::= [APPLICATION 11] KDC-REP
+--TGS-REP ::= [APPLICATION 13] KDC-REP
+
+--EncKDCRepPart ::= SEQUENCE {
+--	key[0]			EncryptionKey,
+--	last-req[1]		LastReq,
+--	nonce[2]		Krb5int32,
+--	key-expiration[3]	KerberosTime OPTIONAL,
+--	flags[4]		TicketFlags,
+--	authtime[5]		KerberosTime,
+--	starttime[6]		KerberosTime OPTIONAL,
+--	endtime[7]		KerberosTime,
+--	renew-till[8]		KerberosTime OPTIONAL,
+--	srealm[9]		Realm,
+--	sname[10]		PrincipalName,
+--	caddr[11]		HostAddresses OPTIONAL,
+--	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
+--}
+
+--EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+--EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+--AP-REQ ::= [APPLICATION 14] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	ap-options[2]		APOptions,
+--	ticket[3]		Ticket,
+--	authenticator[4]	EncryptedData
+--}
+
+--AP-REP ::= [APPLICATION 15] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	enc-part[2]		EncryptedData
+--}
+
+--EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
+--	ctime[0]		KerberosTime,
+--	cusec[1]		Krb5int32,
+--	subkey[2]		EncryptionKey OPTIONAL,
+--	seq-number[3]		Krb5uint32 OPTIONAL
+--}
+
+--KRB-SAFE-BODY ::= SEQUENCE {
+--	user-data[0]		OCTET STRING,
+--	timestamp[1]		KerberosTime OPTIONAL,
+--	usec[2]			Krb5int32 OPTIONAL,
+--	seq-number[3]		Krb5uint32 OPTIONAL,
+--	s-address[4]		HostAddress OPTIONAL,
+--	r-address[5]		HostAddress OPTIONAL
+--}
+
+--KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	safe-body[2]		KRB-SAFE-BODY,
+--	cksum[3]		Checksum
+--}
+
+--KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	enc-part[3]		EncryptedData
+--}
+--EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+--	user-data[0]		OCTET STRING,
+--	timestamp[1]		KerberosTime OPTIONAL,
+--	usec[2]			Krb5int32 OPTIONAL,
+--	seq-number[3]		Krb5uint32 OPTIONAL,
+--	s-address[4]		HostAddress OPTIONAL, - - sender's addr
+--	r-address[5]		HostAddress OPTIONAL  - - recip's addr
+--}
+
+--KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE, - - KRB_CRED
+--	tickets[2]		SEQUENCE OF Ticket,
+--	enc-part[3]		EncryptedData
+--}
+
+--KrbCredInfo ::= SEQUENCE {
+--	key[0]			EncryptionKey,
+--	prealm[1]		Realm OPTIONAL,
+--	pname[2]		PrincipalName OPTIONAL,
+--	flags[3]		TicketFlags OPTIONAL,
+--	authtime[4]		KerberosTime OPTIONAL,
+--	starttime[5]		KerberosTime OPTIONAL,
+--	endtime[6] 		KerberosTime OPTIONAL,
+--	renew-till[7]		KerberosTime OPTIONAL,
+--	srealm[8]		Realm OPTIONAL,
+--	sname[9]		PrincipalName OPTIONAL,
+--	caddr[10]		HostAddresses OPTIONAL
+--}
+
+--EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
+--	ticket-info[0]		SEQUENCE OF KrbCredInfo,
+--	nonce[1]		Krb5int32 OPTIONAL,
+--	timestamp[2]		KerberosTime OPTIONAL,
+--	usec[3]			Krb5int32 OPTIONAL,
+--	s-address[4]		HostAddress OPTIONAL,
+--	r-address[5]		HostAddress OPTIONAL
+--}
+
+--KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	ctime[2]		KerberosTime OPTIONAL,
+--	cusec[3]		Krb5int32 OPTIONAL,
+--	stime[4]		KerberosTime,
+--	susec[5]		Krb5int32,
+--	error-code[6]		Krb5int32,
+--	crealm[7]		Realm OPTIONAL,
+--	cname[8]		PrincipalName OPTIONAL,
+--	realm[9]		Realm, - - Correct realm
+--	sname[10]		PrincipalName, - - Correct name
+--	e-text[11]		GeneralString OPTIONAL,
+--	e-data[12]		OCTET STRING OPTIONAL
+--}
+
+ChangePasswdDataMS ::= SEQUENCE {
+	newpasswd[0]		OCTET STRING,
+	targname[1]		PrincipalName OPTIONAL,
+	targrealm[2]		Realm OPTIONAL
+}
+
+EtypeList ::= SEQUENCE OF Krb5int32
+	-- the client's proposed enctype list in
+	-- decreasing preference order, favorite choice first
+
+--krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number
+
+-- transited encodings
+
+--DOMAIN-X500-COMPRESS	Krb5int32 ::= 1
+
+-- authorization data primitives
+
+--AD-IF-RELEVANT ::= AuthorizationData
+
+--AD-KDCIssued ::= SEQUENCE {
+--	ad-checksum[0]		Checksum,
+--	i-realm[1]		Realm OPTIONAL,
+--	i-sname[2]		PrincipalName OPTIONAL,
+--	elements[3]		AuthorizationData
+--}
+
+--AD-AND-OR ::= SEQUENCE {
+--	condition-count[0]	INTEGER,
+--	elements[1]		AuthorizationData
+--}
+
+--AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
+
+PA-SAM-TYPE ::= INTEGER {
+	pA-SAM-TYPE-ENIGMA(1),		-- Enigma Logic
+	pA-SAM-TYPE-DIGI-PATH(2),	-- Digital Pathways
+	pA-SAM-TYPE-SKEY-K0(3),		-- S/key where  KDC has key 0
+	pA-SAM-TYPE-SKEY(4),		-- Traditional S/Key
+	pA-SAM-TYPE-SECURID(5),		-- Security Dynamics
+	pA-SAM-TYPE-CRYPTOCARD(6)	-- CRYPTOCard
+}
+
+PA-SAM-REDIRECT ::= HostAddresses
+
+SAMFlags ::= BIT STRING {
+	use-sad-as-key(0),
+	send-encrypted-sad(1),
+	must-pk-encrypt-sad(2)
+}
+
+PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
+	sam-type[0]		Krb5int32,
+	sam-flags[1]		SAMFlags,
+	sam-type-name[2]	GeneralString OPTIONAL,
+	sam-track-id[3]		GeneralString OPTIONAL,
+	sam-challenge-label[4]	GeneralString OPTIONAL,
+	sam-challenge[5]	GeneralString OPTIONAL,
+	sam-response-prompt[6]	GeneralString OPTIONAL,
+	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
+	sam-nonce[8]		Krb5int32,
+	sam-etype[9]		Krb5int32,
+	...
+}
+
+PA-SAM-CHALLENGE-2 ::= SEQUENCE {
+	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
+	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
+	...
+}
+
+PA-SAM-RESPONSE-2 ::= SEQUENCE {
+	sam-type[0]		Krb5int32,
+	sam-flags[1]		SAMFlags,
+	sam-track-id[2]		GeneralString OPTIONAL,
+	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
+	sam-nonce[4]		Krb5int32,
+	...
+}
+
+PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
+	sam-nonce[0]		Krb5int32,
+	sam-sad[1]		GeneralString OPTIONAL,
+	...
+}
+
+PA-S4U2Self ::= SEQUENCE {
+	name[0]		PrincipalName,
+        realm[1]	Realm,
+        cksum[2]	Checksum,
+        auth[3]		GeneralString
+}
+
+PA-S4U-X509-USER::= SEQUENCE {
+	user-id[0] S4UUserID,
+	checksum[1] Checksum
+}
+
+S4UUserID ::= SEQUENCE {
+	nonce [0] UInt32, -- the nonce in KDC-REQ-BODY
+	cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
+	crealm [2] Realm,
+	subject-certificate [3] OCTET STRING OPTIONAL,
+	options [4] BIT STRING OPTIONAL,
+	...
+}
+
+KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
+
+-- never encoded on the wire, just used to checksum over
+KRB5SignedPathData ::= SEQUENCE {
+	encticket[0]	EncTicketPart,
+	delegated[1]	KRB5SignedPathPrincipals OPTIONAL
+}
+
+KRB5SignedPath ::= SEQUENCE {
+	-- DERcoded KRB5SignedPathData
+	-- krbtgt key (etype), KeyUsage = XXX
+	etype[0]	ENCTYPE,
+	cksum[1]	Checksum,
+	-- srvs delegated though
+	delegated[2]	KRB5SignedPathPrincipals OPTIONAL
+}
+
+PA-ClientCanonicalizedNames ::= SEQUENCE{
+	requested-name	[0] PrincipalName,
+	mapped-name	[1] PrincipalName
+}
+
+PA-ClientCanonicalized ::= SEQUENCE {
+	names		[0] PA-ClientCanonicalizedNames,
+	canon-checksum	[1] Checksum
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+	login-alias	[0] PrincipalName,
+	checksum	[1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+	referred-name   [1] PrincipalName OPTIONAL,
+	referred-realm  [0] Realm
+}
+
+PA-SERVER-REFERRAL-DATA ::= EncryptedData
+
+PA-ServerReferralData ::= SEQUENCE {
+	referred-realm		[0] Realm OPTIONAL,
+	true-principal-name	[1] PrincipalName OPTIONAL,
+	requested-principal-name [2] PrincipalName OPTIONAL,
+	referral-valid-until     [3] KerberosTime OPTIONAL,
+	...
+}
+
+PAC-OPTIONS-FLAGS ::= BIT STRING {
+	claims(0),
+	branch-aware(1),
+	forward-to-full-dc(2),
+	resource-based-constrained-delegation(3)
+}
+
+PA-PAC-OPTIONS ::= SEQUENCE {
+	flags [0] PAC-OPTIONS-FLAGS
+}
+
+-- [MS-KILE]
+-- captures show that [UNIVERSAL 16] is required to parse it
+KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
+	restriction-type	[0] Int32,
+	restriction		[1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
+}
+
+-- [MS-KILE]
+
+-- Section 2.2.11
+PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
+
+-- Section 2.2.12
+
+-- This is EncryptionKey but we're redefining it so it's named
+PA-KERB-KEY-LIST-REP-Key ::= EncryptionKey
+
+PA-KERB-KEY-LIST-REP ::= SEQUENCE OF PA-KERB-KEY-LIST-REP-Key
+
+
+END
+
+-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
diff --git a/epan/dissectors/asn1/kerberos/kerberos.cnf b/epan/dissectors/asn1/kerberos/kerberos.cnf
new file mode 100644
index 00000000..fb7b92ae
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/kerberos.cnf
@@ -0,0 +1,691 @@
+# kerberos.cnf
+# kerberos conformation file
+# Copyright 2008 Anders Broman
+
+#.EXPORTS
+ChangePasswdData
+Applications ONLY_ENUM
+TGT-REQ
+TGT-REP
+
+#.FIELD_RENAME
+Authenticator/_untag/subkey authenticator_subkey
+KDC-REQ-BODY/etype kDC-REQ-BODY_etype
+KRB-SAFE-BODY/user-data kRB-SAFE-BODY_user_data
+EncKrbPrivPart/user-data encKrbPrivPart_user_data
+EncryptedTicketData/cipher encryptedTicketData_cipher
+EncryptedAuthenticator/cipher encryptedAuthenticator_cipher
+EncryptedAuthorizationData/cipher encryptedAuthorizationData_cipher
+EncryptedKDCREPData/cipher encryptedKDCREPData_cipher
+PA-ENC-TIMESTAMP/cipher pA-ENC-TIMESTAMP_cipher
+EncryptedAPREPData/cipher encryptedAPREPData_cipher
+EncryptedKrbPrivData/cipher encryptedKrbPrivData_cipher
+EncryptedKrbCredData/cipher encryptedKrbCredData_cipher
+EncryptedKrbFastReq/cipher encryptedKrbFastReq_cipher
+EncryptedKrbFastResponse/cipher encryptedKrbFastResponse_cipher
+EncryptedChallenge/cipher encryptedChallenge_cipher
+EncAPRepPart/_untag/subkey encAPRepPart_subkey
+EncTicketPart/_untag/key encTicketPart_key
+EncKDCRepPart/key encKDCRepPart_key
+KRB-CRED/_untag/enc-part kRB_CRED_enc_part
+KRB-PRIV/_untag/enc-part kRB_PRIV_enc_part
+KrbCredInfo/key krbCredInfo_key
+AP-REP/_untag/enc-part aP_REP_enc_part
+KDC-REP/enc-part kDC_REP_enc_part
+KDC-REP/padata rEP_SEQUENCE_OF_PA_DATA
+KDC-REQ/padata rEQ_SEQUENCE_OF_PA_DATA
+Ticket/_untag/enc-part ticket_enc_part
+ETYPE-INFO-ENTRY/salt info_salt
+ETYPE-INFO2-ENTRY/salt info2_salt
+AP-REQ/_untag/authenticator authenticator_enc_part
+PA-FX-FAST-REQUEST/armored-data armored_data_request
+PA-FX-FAST-REPLY/armored-data armored_data_reply
+PA-KERB-KEY-LIST-REP/_item kerbKeyListRep_key
+
+#.FIELD_ATTR
+KDC-REQ-BODY/etype      ABBREV=kdc-req-body.etype
+ETYPE-INFO-ENTRY/salt   ABBREV=info_salt
+ETYPE-INFO2-ENTRY/salt  ABBREV=info2_salt
+PA-KERB-KEY-LIST-REP/_item ABBREV=kerbKeyListRep.key NAME="key"
+
+#.OMIT_ASSIGNMENT
+AD-AND-OR
+AD-KDCIssued
+AD-LoginAlias
+AD-MANDATORY-FOR-KDC
+ChangePasswdDataMS
+EncryptedData
+EtypeList
+FastOptions
+KerberosFlags
+KrbFastFinished
+KrbFastResponse
+KrbFastReq
+KRB5SignedPath
+KRB5SignedPathData
+KRB5SignedPathPrincipals
+Krb5int32
+Krb5uint32
+PA-AUTHENTICATION-SET
+PA-ClientCanonicalized
+PA-ClientCanonicalizedNames
+PA-ENC-TS-ENC
+PA-ENC-SAM-RESPONSE-ENC
+PA-SAM-CHALLENGE-2
+PA-SAM-CHALLENGE-2-BODY
+PA-SAM-REDIRECT
+PA-SAM-RESPONSE-2
+PA-SAM-TYPE
+PA-SERVER-REFERRAL-DATA
+PA-ServerReferralData
+PA-SvrReferralData
+Principal
+PROV-SRV-LOCATION
+SAMFlags
+TYPED-DATA
+
+#.NO_EMIT ONLY_VALS
+Applications
+PA-FX-FAST-REPLY
+PA-FX-FAST-REQUEST
+
+#.MAKE_DEFINES
+ADDR-TYPE TYPE_PREFIX
+Applications TYPE_PREFIX
+
+#.MAKE_ENUM
+PADATA-TYPE PROT_PREFIX UPPER_CASE
+AUTHDATA-TYPE PROT_PREFIX UPPER_CASE
+KrbFastArmorTypes PROT_PREFIX UPPER_CASE
+
+#.FN_BODY MESSAGE-TYPE VAL_PTR = &msgtype
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  guint32 msgtype;
+
+%(DEFAULT_BODY)s
+
+#.FN_FTR MESSAGE-TYPE
+  if (gbl_do_col_info) {
+    col_add_str(actx->pinfo->cinfo, COL_INFO,
+      val_to_str(msgtype, krb5_msg_types,
+      "Unknown msg type %#x"));
+  }
+  gbl_do_col_info=FALSE;
+
+##if 0
+  /* append the application type to the tree */
+  proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
+##endif
+  if (private_data->msg_type == 0) {
+    private_data->msg_type = msgtype;
+  }
+
+#.FN_BODY ERROR-CODE VAL_PTR = &private_data->errorcode
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_FTR ERROR-CODE
+  if (private_data->errorcode) {
+    col_add_fstr(actx->pinfo->cinfo, COL_INFO,
+      "KRB Error: %s",
+      val_to_str(private_data->errorcode, krb5_error_codes,
+      "Unknown error code %#x"));
+  }
+
+#.END
+#.FN_BODY KRB-ERROR/_untag/e-data
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+  switch (private_data->errorcode) {
+  case KRB5_ET_KRB5KDC_ERR_BADOPTION:
+  case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED:
+  case KRB5_ET_KRB5KDC_ERR_KEY_EXP:
+  case KRB5_ET_KRB5KDC_ERR_POLICY:
+    /* ms windows kdc sends e-data of this type containing a "salt"
+     * that contains the nt_status code for these error codes.
+     */
+    private_data->try_nt_status = TRUE;
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_PA_DATA);
+    break;
+  case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
+  case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED:
+  case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP:
+  case KRB5_ET_KDC_ERR_WRONG_REALM:
+  case KRB5_ET_KDC_ERR_PREAUTH_EXPIRED:
+  case KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
+  case KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET:
+  case KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_T_rEP_SEQUENCE_OF_PA_DATA);
+    break;
+  default:
+    offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, NULL);
+    break;
+  }
+
+
+#.FN_BODY PADATA-TYPE VAL_PTR=&(private_data->padata_type)
+  kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+#.FN_FTR PADATA-TYPE
+  if(tree){
+    proto_item_append_text(tree, " %s",
+      val_to_str(private_data->padata_type, kerberos_PADATA_TYPE_vals,
+      "Unknown:%d"));
+  }
+
+#.FN_BODY KDC-REQ/padata
+  kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+  struct _kerberos_PA_FX_FAST_REQUEST saved_stack = private_data->PA_FX_FAST_REQUEST;
+
+  /*
+   * we need to defer calling dissect_kerberos_PA_FX_FAST_REQUEST,
+   * see dissect_kerberos_defer_PA_FX_FAST_REQUEST()
+   */
+  private_data->PA_FX_FAST_REQUEST = (struct _kerberos_PA_FX_FAST_REQUEST) { .defer = TRUE, };
+%(DEFAULT_BODY)s
+  if (private_data->PA_FX_FAST_REQUEST.tvb != NULL) {
+    struct _kerberos_PA_FX_FAST_REQUEST used_stack = private_data->PA_FX_FAST_REQUEST;
+    private_data->PA_FX_FAST_REQUEST = (struct _kerberos_PA_FX_FAST_REQUEST) { .defer = FALSE, };
+
+    /*
+     * dissect_kerberos_defer_PA_FX_FAST_REQUEST() remembered
+     * a tvb, so replay dissect_kerberos_PA_FX_FAST_REQUEST()
+     * here.
+     */
+    dissect_kerberos_PA_FX_FAST_REQUEST(FALSE,
+                                        used_stack.tvb,
+                                        0,
+                                        actx,
+                                        used_stack.tree,
+                                        -1);
+  }
+  private_data->PA_FX_FAST_REQUEST = saved_stack;
+
+#.FN_BODY KDC-REP/padata
+%(DEFAULT_BODY)s
+
+#.FN_BODY PA-DATA/padata-value
+  proto_tree *sub_tree=tree;
+  kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+
+  if(actx->created_item){
+    sub_tree=proto_item_add_subtree(actx->created_item, ett_kerberos_PA_DATA);
+  }
+
+  switch(private_data->padata_type){
+  case KERBEROS_PA_TGS_REQ:
+    private_data->within_PA_TGS_REQ++;
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
+    private_data->within_PA_TGS_REQ--;
+    break;
+  case KERBEROS_PA_PK_AS_REP_19:
+    private_data->is_win2k_pkinit = TRUE;
+    if (kerberos_private_is_kdc_req(private_data)) {
+      offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REQ_Win2k);
+    } else {
+      offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REP_Win2k);
+    }
+    break;
+  case KERBEROS_PA_PK_AS_REQ:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
+    break;
+  case KERBEROS_PA_PK_AS_REP:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
+    break;
+  case KERBEROS_PA_PAC_REQUEST:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_PAC_REQUEST);
+    break;
+  case KERBEROS_PA_FOR_USER: /* S4U2SELF */
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
+    break;
+  case KERBEROS_PA_FOR_X509_USER:
+    if(private_data->msg_type == KRB5_MSG_AS_REQ){
+      offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_x509af_Certificate);
+    }else if(private_data->is_enc_padata){
+      offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
+    }else{
+      offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER);
+    }
+    break;
+  case KERBEROS_PA_PROV_SRV_LOCATION:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
+    break;
+  case KERBEROS_PA_ENC_TIMESTAMP:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
+    break;
+  case KERBEROS_PA_ETYPE_INFO:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
+    break;
+  case KERBEROS_PA_ETYPE_INFO2:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
+    break;
+  case KERBEROS_PA_PW_SALT:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
+    break;
+  case KERBEROS_PA_AUTH_SET_SELECTED:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM);
+    break;
+  case KERBEROS_PA_FX_FAST:
+    if (kerberos_private_is_kdc_req(private_data)) {
+      offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_defer_PA_FX_FAST_REQUEST);
+    }else{
+      offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY);
+    }
+    break;
+  case KERBEROS_PA_FX_ERROR:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
+    break;
+  case KERBEROS_PA_ENCRYPTED_CHALLENGE:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge);
+    break;
+  case KERBEROS_PA_KERB_KEY_LIST_REQ:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset, hf_index, dissect_kerberos_PA_KERB_KEY_LIST_REQ);
+    break;
+  case KERBEROS_PA_KERB_KEY_LIST_REP:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset, hf_index, dissect_kerberos_PA_KERB_KEY_LIST_REP);
+    break;
+  case KERBEROS_PA_SUPPORTED_ETYPES:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_SUPPORTED_ENCTYPES);
+    break;
+  case KERBEROS_PA_PAC_OPTIONS:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset, hf_index, dissect_kerberos_PA_PAC_OPTIONS);
+    break;
+  case KERBEROS_PA_REQ_ENC_PA_REP:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Checksum);
+    break;
+  case KERBEROS_PA_SPAKE:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_SPAKE);
+    break;
+  default:
+    offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
+    break;
+  }
+
+#.FN_BODY HostAddress/address
+  gint8 appclass;
+  bool pc;
+  gint32 tag;
+  guint32 len;
+  const char *address_str;
+  proto_item *it=NULL;
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+  /* read header and len for the octet string */
+  offset=dissect_ber_identifier(actx->pinfo, tree, tvb, offset, &appclass, &pc, &tag);
+  offset=dissect_ber_length(actx->pinfo, tree, tvb, offset, &len, NULL);
+
+  switch(private_data->addr_type){
+  case KERBEROS_ADDR_TYPE_IPV4:
+    it=proto_tree_add_item(tree, hf_krb_address_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
+    address_str = tvb_ip_to_str(actx->pinfo->pool, tvb, offset);
+    break;
+  case KERBEROS_ADDR_TYPE_NETBIOS:
+    {
+    char netbios_name[(NETBIOS_NAME_LEN - 1)*4 + 1];
+    int netbios_name_type;
+    int netbios_name_len = (NETBIOS_NAME_LEN - 1)*4 + 1;
+
+    netbios_name_type = process_netbios_name(tvb_get_ptr(tvb, offset, 16), netbios_name, netbios_name_len);
+    address_str = wmem_strdup_printf(actx->pinfo->pool, "%s<%02x>", netbios_name, netbios_name_type);
+    it=proto_tree_add_string_format(tree, hf_krb_address_netbios, tvb, offset, 16, netbios_name, "NetBIOS Name: %s (%s)", address_str, netbios_name_type_descr(netbios_name_type));
+    }
+    break;
+  case KERBEROS_ADDR_TYPE_IPV6:
+    it=proto_tree_add_item(tree, hf_krb_address_ipv6, tvb, offset, INET6_ADDRLEN, ENC_NA);
+    address_str = tvb_ip6_to_str(actx->pinfo->pool, tvb, offset);
+    break;
+  default:
+    proto_tree_add_expert(tree, actx->pinfo, &ei_kerberos_address, tvb, offset, len);
+    address_str = NULL;
+    break;
+  }
+
+  /* push it up two levels in the decode pane */
+  if(it && address_str){
+    proto_item_append_text(proto_item_get_parent(it), " %s",address_str);
+    proto_item_append_text(proto_item_get_parent_nth(it, 2), " %s",address_str);
+  }
+
+  offset+=len;
+
+
+#.TYPE_ATTR
+#xxx TYPE = FT_UINT16  DISPLAY = BASE_DEC  STRINGS = VALS(xx_vals)
+
+#.FN_BODY ENCTYPE VAL_PTR=&(private_data->etype)
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY EncryptedTicketData/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedAuthorizationData/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authorization_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedAuthenticator/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedKDCREPData/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY PA-ENC-TIMESTAMP/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedAPREPData/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedKrbPrivData/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedKrbCredData/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY CKSUMTYPE VAL_PTR=&(private_data->checksum_type)
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY Checksum/checksum
+  tvbuff_t *next_tvb;
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+  switch(private_data->checksum_type){
+  case KRB5_CHKSUM_GSSAPI:
+    offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &next_tvb);
+    dissect_krb5_rfc1964_checksum(actx, tree, next_tvb);
+    break;
+  default:
+    offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, NULL);
+    break;
+  }
+
+#.FN_BODY EncryptionKey/keytype VAL_PTR=&gbl_keytype
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+  private_data->key_hidden_item = proto_tree_add_item(tree, hf_krb_key_hidden_item,
+                                                      tvb, 0, 0, ENC_NA);
+  if (private_data->key_hidden_item != NULL) {
+    proto_item_set_hidden(private_data->key_hidden_item);
+  }
+
+  offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
+                  &gbl_keytype);
+  private_data->key.keytype = gbl_keytype;
+
+#.FN_BODY EncryptionKey/keyvalue VAL_PTR=&out_tvb
+  tvbuff_t *out_tvb;
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+%(DEFAULT_BODY)s
+
+  private_data->key.keylength = tvb_reported_length(out_tvb);
+  private_data->key.keyvalue = tvb_get_ptr(out_tvb, 0, private_data->key.keylength);
+  private_data->key_tree = tree;
+  private_data->key_tvb = out_tvb;
+
+#.FN_BODY EncryptionKey
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+##ifdef HAVE_KERBEROS
+  int start_offset = offset;
+##endif
+
+  %(DEFAULT_BODY)s
+
+  if (private_data->key.keytype != 0 && private_data->key.keylength > 0) {
+##ifdef HAVE_KERBEROS
+    int length = offset - start_offset;
+    private_data->last_added_key = NULL;
+    private_data->save_encryption_key_fn(tvb, start_offset, length, actx, tree,
+                                         private_data->save_encryption_key_parent_hf_index,
+                                         hf_index);
+    private_data->last_added_key = NULL;
+##endif
+  }
+
+#.FN_BODY Authenticator/_untag/subkey
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
+  kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
+  private_data->save_encryption_key_parent_hf_index = hf_kerberos_authenticator;
+##ifdef HAVE_KERBEROS
+  private_data->save_encryption_key_fn = save_Authenticator_subkey;
+##endif
+%(DEFAULT_BODY)s
+  private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
+  private_data->save_encryption_key_fn = saved_encryption_key_fn;
+
+#.FN_BODY EncAPRepPart/_untag/subkey
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
+  kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
+  private_data->save_encryption_key_parent_hf_index = hf_kerberos_encAPRepPart;
+##ifdef HAVE_KERBEROS
+  private_data->save_encryption_key_fn = save_EncAPRepPart_subkey;
+##endif
+%(DEFAULT_BODY)s
+  private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
+  private_data->save_encryption_key_fn = saved_encryption_key_fn;
+
+#.FN_BODY EncKDCRepPart/key
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
+  kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
+  switch (private_data->msg_type) {
+  case KERBEROS_APPLICATIONS_AS_REP:
+    private_data->save_encryption_key_parent_hf_index = hf_kerberos_encASRepPart;
+    break;
+  case KERBEROS_APPLICATIONS_TGS_REP:
+    private_data->save_encryption_key_parent_hf_index = hf_kerberos_encTGSRepPart;
+    break;
+  default:
+    private_data->save_encryption_key_parent_hf_index = -1;
+  }
+##ifdef HAVE_KERBEROS
+  private_data->save_encryption_key_fn = save_EncKDCRepPart_key;
+##endif
+%(DEFAULT_BODY)s
+  private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
+  private_data->save_encryption_key_fn = saved_encryption_key_fn;
+
+#.FN_BODY EncTicketPart/_untag/key
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
+  kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
+  private_data->save_encryption_key_parent_hf_index = hf_kerberos_encTicketPart;
+##ifdef HAVE_KERBEROS
+  private_data->save_encryption_key_fn = save_EncTicketPart_key;
+##endif
+%(DEFAULT_BODY)s
+  private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
+  private_data->save_encryption_key_fn = saved_encryption_key_fn;
+
+#.FN_BODY KrbCredInfo/key
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
+  kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
+  private_data->save_encryption_key_parent_hf_index = hf_kerberos_ticket_info_item;
+##ifdef HAVE_KERBEROS
+  private_data->save_encryption_key_fn = save_KrbCredInfo_key;
+##endif
+%(DEFAULT_BODY)s
+  private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
+  private_data->save_encryption_key_fn = saved_encryption_key_fn;
+
+#.FN_BODY PA-KERB-KEY-LIST-REP/_item
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
+  kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
+  private_data->save_encryption_key_parent_hf_index = hf_kerberos_kerbKeyListRep_key;
+##ifdef HAVE_KERBEROS
+  private_data->save_encryption_key_fn = save_encryption_key;
+##endif
+%(DEFAULT_BODY)s
+  private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
+  private_data->save_encryption_key_fn = saved_encryption_key_fn;
+
+#.FN_BODY AUTHDATA-TYPE VAL_PTR=&(private_data->ad_type)
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY AuthorizationData/_item/ad-data
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+  switch(private_data->ad_type){
+  case KERBEROS_AD_WIN2K_PAC:
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_krb5_AD_WIN2K_PAC);
+    break;
+  case KERBEROS_AD_IF_RELEVANT:
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_IF_RELEVANT);
+    break;
+  case KERBEROS_AD_AUTHENTICATION_STRENGTH:
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM);
+    break;
+  case KERBEROS_AD_GSS_API_ETYPE_NEGOTIATION:
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_SEQUENCE_OF_ENCTYPE);
+    break;
+  case KERBEROS_AD_TOKEN_RESTRICTIONS:
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_KERB_AD_RESTRICTION_ENTRY);
+    break;
+  case KERBEROS_AD_AP_OPTIONS:
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_AP_OPTIONS);
+    break;
+  case KERBEROS_AD_TARGET_PRINCIPAL:
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_TARGET_PRINCIPAL);
+    break;
+  default:
+    offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+    break;
+  }
+
+#.FN_BODY S4UUserID/subject-certificate
+  offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset,hf_index, dissect_x509af_Certificate);
+
+#.FN_BODY ADDR-TYPE VAL_PTR=&(private_data->addr_type)
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY KDC-REQ-BODY
+  conversation_t *conversation;
+
+  /*
+   * UDP replies to KDC_REQs are sent from the server back to the client's
+   * source port, similar to the way TFTP works.  Set up a conversation
+   * accordingly.
+   *
+   * Ref: Section 7.2.1 of
+   * http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-07.txt
+   */
+  if (actx->pinfo->destport == UDP_PORT_KERBEROS && actx->pinfo->ptype == PT_UDP) {
+    conversation = find_conversation(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, CONVERSATION_UDP,
+                      actx->pinfo->srcport, 0, NO_PORT_B);
+    if (conversation == NULL) {
+      conversation = conversation_new(actx->pinfo->num, &actx->pinfo->src, &actx->pinfo->dst, CONVERSATION_UDP,
+                      actx->pinfo->srcport, 0, NO_PORT2);
+      conversation_set_dissector(conversation, kerberos_handle_udp);
+    }
+  }
+
+  %(DEFAULT_BODY)s
+
+#.FN_BODY KRB-SAFE-BODY/user-data
+  kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+  tvbuff_t *new_tvb;
+  offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
+  if (new_tvb) {
+    call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_SAFE_USER_DATA, private_data->callbacks);
+  }
+
+#.FN_BODY EncKrbPrivPart/user-data
+  kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+  tvbuff_t *new_tvb;
+  offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
+  if (new_tvb) {
+    call_kerberos_callbacks(actx->pinfo, tree, new_tvb, KRB_CBTAG_PRIV_USER_DATA, private_data->callbacks);
+  }
+
+#.FN_HDR EncKDCRepPart/encrypted-pa-data
+  kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+  private_data->is_enc_padata = TRUE;
+
+#.FN_FTR EncKDCRepPart/encrypted-pa-data
+  private_data->is_enc_padata = FALSE;
+
+#.FN_BODY EncryptedKrbFastReq/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastReq);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedKrbFastResponse/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastResponse);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY EncryptedChallenge/cipher
+##ifdef HAVE_KERBEROS
+  offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_EncryptedChallenge);
+##else
+%(DEFAULT_BODY)s
+##endif
+
+#.FN_BODY KrbFastArmorTypes VAL_PTR=&(private_data->fast_type)
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+
+#.FN_BODY KrbFastArmor/armor-value
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+  switch(private_data->fast_type){
+  case KERBEROS_FX_FAST_ARMOR_AP_REQUEST:
+    private_data->fast_armor_within_armor_value++;
+    offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_Applications);
+    private_data->fast_armor_within_armor_value--;
+    break;
+  default:
+    offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+    break;
+  }
+
+#.FN_BODY PA-SPAKE VAL_PTR=&(private_data->padata_type)
+  kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+%(DEFAULT_BODY)s
+#.FN_FTR PA-SPAKE
+  if(tree){
+    proto_item_append_text(tree, " %s",
+      val_to_str(private_data->padata_type, kerberos_PA_SPAKE_vals,
+      "Unknown:%d"));
+  }
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.c b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
new file mode 100644
index 00000000..49646377
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.c
@@ -0,0 +1,5451 @@
+/* packet-kerberos.c
+ * Routines for Kerberos
+ * Wes Hardaker (c) 2000
+ * wjhardaker@ucdavis.edu
+ * Richard Sharpe (C) 2002, rsharpe@samba.org, modularized a bit more and
+ *                          added AP-REQ and AP-REP dissection
+ *
+ * Ronnie Sahlberg (C) 2004, major rewrite for new ASN.1/BER API.
+ *                           decryption of kerberos blobs if keytab is provided
+ *
+ * See RFC 1510, and various I-Ds and other documents showing additions,
+ * e.g. ones listed under
+ *
+ *	http://clifford.neuman.name/krb-revisions/
+ *
+ * and
+ *
+ *	https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-clarifications-07
+ *
+ * and
+ *
+ *  https://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-05
+ *
+ * Some structures from RFC2630
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+/*
+ * Some of the development of the Kerberos protocol decoder was sponsored by
+ * Cable Television Laboratories, Inc. ("CableLabs") based upon proprietary
+ * CableLabs' specifications. Your license and use of this protocol decoder
+ * does not mean that you are licensed to use the CableLabs'
+ * specifications.  If you have questions about this protocol, contact
+ * jf.mule [AT] cablelabs.com or c.stuart [AT] cablelabs.com for additional
+ * information.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+
+// krb5.h needs to be included before the defines in packet-kerberos.h
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+#ifdef _WIN32
+/* prevent redefinition warnings in krb5's win-mac.h */
+#define SSIZE_T_DEFINED
+#endif /* _WIN32 */
+#include <krb5.h>
+#endif
+
+#include <epan/packet.h>
+#include <epan/exceptions.h>
+#include <epan/strutil.h>
+#include <epan/conversation.h>
+#include <epan/asn1.h>
+#include <epan/expert.h>
+#include <epan/prefs.h>
+#include <wsutil/wsgcrypt.h>
+#include <wsutil/file_util.h>
+#include <wsutil/str_util.h>
+#include <wsutil/pint.h>
+#include "packet-kerberos.h"
+#include "packet-netbios.h"
+#include "packet-tcp.h"
+#include "packet-ber.h"
+#include "packet-pkinit.h"
+#include "packet-cms.h"
+#include "packet-windows-common.h"
+
+#include "read_keytab_file.h"
+
+#include "packet-dcerpc-netlogon.h"
+#include "packet-dcerpc.h"
+
+#include "packet-gssapi.h"
+#include "packet-x509af.h"
+
+#define KEY_USAGE_FAST_REQ_CHKSUM       50
+#define KEY_USAGE_FAST_ENC              51
+#define KEY_USAGE_FAST_REP              52
+#define KEY_USAGE_FAST_FINISHED         53
+#define KEY_USAGE_ENC_CHALLENGE_CLIENT  54
+#define KEY_USAGE_ENC_CHALLENGE_KDC     55
+
+void proto_register_kerberos(void);
+void proto_reg_handoff_kerberos(void);
+
+#define UDP_PORT_KERBEROS		88
+#define TCP_PORT_KERBEROS		88
+
+#define ADDRESS_STR_BUFSIZ 256
+
+typedef struct kerberos_key {
+	guint32 keytype;
+	int keylength;
+	const guint8 *keyvalue;
+} kerberos_key_t;
+
+typedef void (*kerberos_key_save_fn)(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
+				     asn1_ctx_t *actx _U_, proto_tree *tree _U_,
+				     int parent_hf_index _U_,
+				     int hf_index _U_);
+
+typedef struct {
+	guint32 msg_type;
+	gboolean is_win2k_pkinit;
+	guint32 errorcode;
+	gboolean try_nt_status;
+	guint32 etype;
+	guint32 padata_type;
+	guint32 is_enc_padata;
+	guint32 enctype;
+	kerberos_key_t key;
+	proto_tree *key_tree;
+	proto_item *key_hidden_item;
+	tvbuff_t *key_tvb;
+	kerberos_callbacks *callbacks;
+	guint32 ad_type;
+	guint32 addr_type;
+	guint32 checksum_type;
+#ifdef HAVE_KERBEROS
+	enc_key_t *last_decryption_key;
+	enc_key_t *last_added_key;
+	tvbuff_t *last_ticket_enc_part_tvb;
+#endif
+	gint save_encryption_key_parent_hf_index;
+	kerberos_key_save_fn save_encryption_key_fn;
+	guint learnt_key_ids;
+	guint missing_key_ids;
+	wmem_list_t *decryption_keys;
+	wmem_list_t *learnt_keys;
+	wmem_list_t *missing_keys;
+	guint32 within_PA_TGS_REQ;
+	struct _kerberos_PA_FX_FAST_REQUEST {
+		gboolean defer;
+		tvbuff_t *tvb;
+		proto_tree *tree;
+	} PA_FX_FAST_REQUEST;
+#ifdef HAVE_KERBEROS
+	enc_key_t *PA_TGS_REQ_key;
+	enc_key_t *PA_TGS_REQ_subkey;
+#endif
+	guint32 fast_type;
+	guint32 fast_armor_within_armor_value;
+#ifdef HAVE_KERBEROS
+	enc_key_t *PA_FAST_ARMOR_AP_key;
+	enc_key_t *PA_FAST_ARMOR_AP_subkey;
+	enc_key_t *fast_armor_key;
+	enc_key_t *fast_strengthen_key;
+#endif
+} kerberos_private_data_t;
+
+static dissector_handle_t kerberos_handle_tcp;
+static dissector_handle_t kerberos_handle_udp;
+
+/* Forward declarations */
+static int dissect_kerberos_Applications(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_AuthorizationData(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_ENC_TIMESTAMP(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+#ifdef HAVE_KERBEROS
+static int dissect_kerberos_PA_ENC_TS_ENC(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+#endif
+static int dissect_kerberos_PA_PAC_REQUEST(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_S4U2Self(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_S4U_X509_USER(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_ETYPE_INFO(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_ETYPE_INFO2(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_AD_IF_RELEVANT(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_FX_FAST_REQUEST(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_EncryptedChallenge(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_KERB_KEY_LIST_REQ(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_KERB_KEY_LIST_REP(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_FX_FAST_REPLY(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_PAC_OPTIONS(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_KERB_AD_RESTRICTION_ENTRY(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_SEQUENCE_OF_ENCTYPE(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_SPAKE(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+#ifdef HAVE_KERBEROS
+static int dissect_kerberos_KrbFastReq(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_KrbFastResponse(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_FastOptions(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+#endif
+
+/* Desegment Kerberos over TCP messages */
+static gboolean krb_desegment = TRUE;
+
+static gint proto_kerberos = -1;
+
+static gint hf_krb_rm_reserved = -1;
+static gint hf_krb_rm_reclen = -1;
+static gint hf_krb_provsrv_location = -1;
+static gint hf_krb_pw_salt = -1;
+static gint hf_krb_ext_error_nt_status = -1;
+static gint hf_krb_ext_error_reserved = -1;
+static gint hf_krb_ext_error_flags = -1;
+static gint hf_krb_address_ip = -1;
+static gint hf_krb_address_netbios = -1;
+static gint hf_krb_address_ipv6 = -1;
+static gint hf_krb_gssapi_len = -1;
+static gint hf_krb_gssapi_bnd = -1;
+static gint hf_krb_gssapi_dlgopt = -1;
+static gint hf_krb_gssapi_dlglen = -1;
+static gint hf_krb_gssapi_c_flag_deleg = -1;
+static gint hf_krb_gssapi_c_flag_mutual = -1;
+static gint hf_krb_gssapi_c_flag_replay = -1;
+static gint hf_krb_gssapi_c_flag_sequence = -1;
+static gint hf_krb_gssapi_c_flag_conf = -1;
+static gint hf_krb_gssapi_c_flag_integ = -1;
+static gint hf_krb_gssapi_c_flag_dce_style = -1;
+static gint hf_krb_midl_version = -1;
+static gint hf_krb_midl_hdr_len = -1;
+static gint hf_krb_midl_fill_bytes = -1;
+static gint hf_krb_midl_blob_len = -1;
+static gint hf_krb_pac_signature_type = -1;
+static gint hf_krb_pac_signature_signature = -1;
+static gint hf_krb_w2k_pac_entries = -1;
+static gint hf_krb_w2k_pac_version = -1;
+static gint hf_krb_w2k_pac_type = -1;
+static gint hf_krb_w2k_pac_size = -1;
+static gint hf_krb_w2k_pac_offset = -1;
+static gint hf_krb_pac_clientid = -1;
+static gint hf_krb_pac_namelen = -1;
+static gint hf_krb_pac_clientname = -1;
+static gint hf_krb_pac_logon_info = -1;
+static gint hf_krb_pac_credential_data = -1;
+static gint hf_krb_pac_credential_info = -1;
+static gint hf_krb_pac_credential_info_version = -1;
+static gint hf_krb_pac_credential_info_etype = -1;
+static gint hf_krb_pac_s4u_delegation_info = -1;
+static gint hf_krb_pac_upn_dns_info = -1;
+static gint hf_krb_pac_upn_flags = -1;
+static gint hf_krb_pac_upn_flag_upn_constructed = -1;
+static gint hf_krb_pac_upn_flag_has_sam_name_and_sid = -1;
+static gint hf_krb_pac_upn_upn_offset = -1;
+static gint hf_krb_pac_upn_upn_len = -1;
+static gint hf_krb_pac_upn_upn_name = -1;
+static gint hf_krb_pac_upn_dns_offset = -1;
+static gint hf_krb_pac_upn_dns_len = -1;
+static gint hf_krb_pac_upn_dns_name = -1;
+static gint hf_krb_pac_upn_samaccountname_offset = -1;
+static gint hf_krb_pac_upn_samaccountname_len = -1;
+static gint hf_krb_pac_upn_samaccountname = -1;
+static gint hf_krb_pac_upn_objectsid_offset = -1;
+static gint hf_krb_pac_upn_objectsid_len = -1;
+static gint hf_krb_pac_server_checksum = -1;
+static gint hf_krb_pac_privsvr_checksum = -1;
+static gint hf_krb_pac_client_info_type = -1;
+static gint hf_krb_pac_client_claims_info = -1;
+static gint hf_krb_pac_device_info = -1;
+static gint hf_krb_pac_device_claims_info = -1;
+static gint hf_krb_pac_ticket_checksum = -1;
+static gint hf_krb_pac_attributes_info = -1;
+static gint hf_krb_pac_attributes_info_length = -1;
+static gint hf_krb_pac_attributes_info_flags = -1;
+static gint hf_krb_pac_attributes_info_flags_pac_was_requested = -1;
+static gint hf_krb_pac_attributes_info_flags_pac_was_given_implicitly = -1;
+static gint hf_krb_pac_requester_sid = -1;
+static gint hf_krb_pa_supported_enctypes = -1;
+static gint hf_krb_pa_supported_enctypes_des_cbc_crc = -1;
+static gint hf_krb_pa_supported_enctypes_des_cbc_md5 = -1;
+static gint hf_krb_pa_supported_enctypes_rc4_hmac = -1;
+static gint hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96 = -1;
+static gint hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96 = -1;
+static gint hf_krb_pa_supported_enctypes_fast_supported = -1;
+static gint hf_krb_pa_supported_enctypes_compound_identity_supported = -1;
+static gint hf_krb_pa_supported_enctypes_claims_supported = -1;
+static gint hf_krb_pa_supported_enctypes_resource_sid_compression_disabled = -1;
+static gint hf_krb_ad_ap_options = -1;
+static gint hf_krb_ad_ap_options_cbt = -1;
+static gint hf_krb_ad_target_principal = -1;
+static gint hf_krb_key_hidden_item = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_MessageType = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_Flags = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_ServiceTicketLength = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicketLength = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_ServiceTicket = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicket = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_FLAG_ALLOW_EXPIRED_TICKET = -1;
+static gint hf_kerberos_KERB_TICKET_LOGON_FLAG_REDIRECTED = -1;
+#ifdef HAVE_KERBEROS
+static gint hf_kerberos_KrbFastResponse = -1;
+static gint hf_kerberos_strengthen_key = -1;
+static gint hf_kerberos_finished = -1;
+static gint hf_kerberos_fast_options = -1;
+static gint hf_kerberos_ticket_checksum = -1;
+static gint hf_krb_patimestamp = -1;
+static gint hf_krb_pausec = -1;
+static gint hf_kerberos_FastOptions_reserved = -1;
+static gint hf_kerberos_FastOptions_hide_client_names = -1;
+static gint hf_kerberos_FastOptions_spare_bit2 = -1;
+static gint hf_kerberos_FastOptions_spare_bit3 = -1;
+static gint hf_kerberos_FastOptions_spare_bit4 = -1;
+static gint hf_kerberos_FastOptions_spare_bit5 = -1;
+static gint hf_kerberos_FastOptions_spare_bit6 = -1;
+static gint hf_kerberos_FastOptions_spare_bit7 = -1;
+static gint hf_kerberos_FastOptions_spare_bit8 = -1;
+static gint hf_kerberos_FastOptions_spare_bit9 = -1;
+static gint hf_kerberos_FastOptions_spare_bit10 = -1;
+static gint hf_kerberos_FastOptions_spare_bit11 = -1;
+static gint hf_kerberos_FastOptions_spare_bit12 = -1;
+static gint hf_kerberos_FastOptions_spare_bit13 = -1;
+static gint hf_kerberos_FastOptions_spare_bit14 = -1;
+static gint hf_kerberos_FastOptions_spare_bit15 = -1;
+static gint hf_kerberos_FastOptions_kdc_follow_referrals = -1;
+
+#endif
+#include "packet-kerberos-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_kerberos = -1;
+static gint ett_krb_recordmark = -1;
+static gint ett_krb_pac = -1;
+static gint ett_krb_pac_drep = -1;
+static gint ett_krb_pac_midl_blob = -1;
+static gint ett_krb_pac_logon_info = -1;
+static gint ett_krb_pac_credential_info = -1;
+static gint ett_krb_pac_s4u_delegation_info = -1;
+static gint ett_krb_pac_upn_dns_info = -1;
+static gint ett_krb_pac_upn_dns_info_flags = -1;
+static gint ett_krb_pac_device_info = -1;
+static gint ett_krb_pac_server_checksum = -1;
+static gint ett_krb_pac_privsvr_checksum = -1;
+static gint ett_krb_pac_client_info_type = -1;
+static gint ett_krb_pac_ticket_checksum = -1;
+static gint ett_krb_pac_attributes_info = -1;
+static gint ett_krb_pac_attributes_info_flags = -1;
+static gint ett_krb_pac_requester_sid = -1;
+static gint ett_krb_pa_supported_enctypes = -1;
+static gint ett_krb_ad_ap_options = -1;
+static gint ett_kerberos_KERB_TICKET_LOGON = -1;
+#ifdef HAVE_KERBEROS
+static gint ett_krb_pa_enc_ts_enc = -1;
+static gint ett_kerberos_KrbFastFinished = -1;
+static gint ett_kerberos_KrbFastResponse = -1;
+static gint ett_kerberos_KrbFastReq = -1;
+static gint ett_kerberos_FastOptions = -1;
+#endif
+#include "packet-kerberos-ett.c"
+
+static expert_field ei_kerberos_missing_keytype = EI_INIT;
+static expert_field ei_kerberos_decrypted_keytype = EI_INIT;
+static expert_field ei_kerberos_learnt_keytype = EI_INIT;
+static expert_field ei_kerberos_address = EI_INIT;
+static expert_field ei_krb_gssapi_dlglen = EI_INIT;
+
+static dissector_handle_t krb4_handle=NULL;
+
+/* Global variables */
+static guint32 gbl_keytype;
+static gboolean gbl_do_col_info;
+
+#include "packet-kerberos-val.h"
+
+static void
+call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb)
+{
+	if(!cb){
+		return;
+	}
+
+	while(cb->tag){
+		if(cb->tag==tag){
+			cb->callback(pinfo, tvb, tree);
+			return;
+		}
+		cb++;
+	}
+	return;
+}
+
+static kerberos_private_data_t*
+kerberos_new_private_data(packet_info *pinfo)
+{
+	kerberos_private_data_t *p;
+
+	p = wmem_new0(pinfo->pool, kerberos_private_data_t);
+	if (p == NULL) {
+		return NULL;
+	}
+
+	p->decryption_keys = wmem_list_new(pinfo->pool);
+	p->learnt_keys = wmem_list_new(pinfo->pool);
+	p->missing_keys = wmem_list_new(pinfo->pool);
+
+	return p;
+}
+
+static kerberos_private_data_t*
+kerberos_get_private_data(asn1_ctx_t *actx)
+{
+	if (!actx->private_data) {
+		actx->private_data = kerberos_new_private_data(actx->pinfo);
+	}
+	return (kerberos_private_data_t *)(actx->private_data);
+}
+
+static bool
+kerberos_private_is_kdc_req(kerberos_private_data_t *private_data)
+{
+	switch (private_data->msg_type) {
+	case KERBEROS_APPLICATIONS_AS_REQ:
+	case KERBEROS_APPLICATIONS_TGS_REQ:
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+gboolean
+kerberos_is_win2k_pkinit(asn1_ctx_t *actx)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+	return private_data->is_win2k_pkinit;
+}
+
+static int dissect_kerberos_defer_PA_FX_FAST_REQUEST(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+	kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
+
+	/*
+	 * dissect_ber_octet_string_wcb() always passes
+	 * implicit_tag=FALSE, offset=0 and hf_index=-1
+	 *
+	 * It means we only need to remember tvb and tree
+	 * in order to replay dissect_kerberos_PA_FX_FAST_REQUEST()
+	 * in dissect_kerberos_T_rEQ_SEQUENCE_OF_PA_DATA()
+	 */
+	ws_assert(implicit_tag == FALSE);
+	ws_assert(offset == 0);
+	ws_assert(hf_index == -1);
+
+	if (private_data->PA_FX_FAST_REQUEST.defer) {
+		/*
+		 * Remember the tvb (and the optional tree)
+		 */
+		private_data->PA_FX_FAST_REQUEST.tvb = tvb;
+		private_data->PA_FX_FAST_REQUEST.tree = tree;
+		/*
+		 * only handle the first PA_FX_FAST_REQUEST...
+		 */
+		private_data->PA_FX_FAST_REQUEST.defer = FALSE;
+		return tvb_reported_length_remaining(tvb, offset);
+	}
+
+	return dissect_kerberos_PA_FX_FAST_REQUEST(implicit_tag, tvb, offset, actx, tree, hf_index);
+}
+
+#ifdef HAVE_KERBEROS
+
+/* Decrypt Kerberos blobs */
+gboolean krb_decrypt = FALSE;
+
+/* keytab filename */
+static const char *keytab_filename = "";
+
+void
+read_keytab_file_from_preferences(void)
+{
+	static char *last_keytab = NULL;
+
+	if (!krb_decrypt) {
+		return;
+	}
+
+	if (keytab_filename == NULL) {
+		return;
+	}
+
+	if (last_keytab && !strcmp(last_keytab, keytab_filename)) {
+		return;
+	}
+
+	g_free(last_keytab);
+	last_keytab = g_strdup(keytab_filename);
+
+	read_keytab_file(last_keytab);
+}
+#endif /* HAVE_KERBEROS */
+
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+enc_key_t *enc_key_list=NULL;
+static guint kerberos_longterm_ids = 0;
+wmem_map_t *kerberos_longterm_keys = NULL;
+static wmem_map_t *kerberos_all_keys = NULL;
+static wmem_map_t *kerberos_app_session_keys = NULL;
+
+static bool
+enc_key_list_cb(wmem_allocator_t* allocator _U_, wmem_cb_event_t event _U_, void *user_data _U_)
+{
+	enc_key_list = NULL;
+	kerberos_longterm_ids = 0;
+	/* keep the callback registered */
+	return TRUE;
+}
+
+static gint enc_key_cmp_id(gconstpointer k1, gconstpointer k2)
+{
+	const enc_key_t *key1 = (const enc_key_t *)k1;
+	const enc_key_t *key2 = (const enc_key_t *)k2;
+
+	if (key1->fd_num < key2->fd_num) {
+		return -1;
+	}
+	if (key1->fd_num > key2->fd_num) {
+		return 1;
+	}
+
+	if (key1->id < key2->id) {
+		return -1;
+	}
+	if (key1->id > key2->id) {
+		return 1;
+	}
+
+	return 0;
+}
+
+static gboolean
+enc_key_content_equal(gconstpointer k1, gconstpointer k2)
+{
+	const enc_key_t *key1 = (const enc_key_t *)k1;
+	const enc_key_t *key2 = (const enc_key_t *)k2;
+	int cmp;
+
+	if (key1->keytype != key2->keytype) {
+		return FALSE;
+	}
+
+	if (key1->keylength != key2->keylength) {
+		return FALSE;
+	}
+
+	cmp = memcmp(key1->keyvalue, key2->keyvalue, key1->keylength);
+	if (cmp != 0) {
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+static guint
+enc_key_content_hash(gconstpointer k)
+{
+	const enc_key_t *key = (const enc_key_t *)k;
+	guint ret = 0;
+
+	ret += wmem_strong_hash((const guint8 *)&key->keytype,
+				sizeof(key->keytype));
+	ret += wmem_strong_hash((const guint8 *)&key->keylength,
+				sizeof(key->keylength));
+	ret += wmem_strong_hash((const guint8 *)key->keyvalue,
+				key->keylength);
+
+	return ret;
+}
+
+static void
+kerberos_key_map_insert(wmem_map_t *key_map, enc_key_t *new_key)
+{
+	enc_key_t *existing = NULL;
+	enc_key_t *cur = NULL;
+	gint cmp;
+
+	existing = (enc_key_t *)wmem_map_lookup(key_map, new_key);
+	if (existing == NULL) {
+		wmem_map_insert(key_map, new_key, new_key);
+		return;
+	}
+
+	if (key_map != kerberos_all_keys) {
+		/*
+		 * It should already be linked to the existing key...
+		 */
+		return;
+	}
+
+	if (existing->fd_num == -1 && new_key->fd_num != -1) {
+		/*
+		 * We can't reference a learnt key
+		 * from a longterm key. As they have
+		 * a shorter lifetime.
+		 *
+		 * So just let the learnt key remember the
+		 * match.
+		 */
+		new_key->same_list = existing;
+		new_key->num_same = existing->num_same + 1;
+		return;
+	}
+
+	/*
+	 * If a key with the same content (keytype,keylength,keyvalue)
+	 * already exists, we want the earliest key to be
+	 * in the list.
+	 */
+	cmp = enc_key_cmp_id(new_key, existing);
+	if (cmp == 0) {
+		/*
+		 * It's the same, nothing to do...
+		 */
+		return;
+	}
+	if (cmp < 0) {
+		/* The new key has should be added to the list. */
+		new_key->same_list = existing;
+		new_key->num_same = existing->num_same + 1;
+		wmem_map_insert(key_map, new_key, new_key);
+		return;
+	}
+
+	/*
+	 * We want to link the new_key to the existing one.
+	 *
+	 * But we want keep the list sorted, so we need to forward
+	 * to the correct spot.
+	 */
+	for (cur = existing; cur->same_list != NULL; cur = cur->same_list) {
+		cmp = enc_key_cmp_id(new_key, cur->same_list);
+		if (cmp == 0) {
+			/*
+			 * It's the same, nothing to do...
+			 */
+			return;
+		}
+
+		if (cmp < 0) {
+			/*
+			 * We found the correct spot,
+			 * the new_key should added
+			 * between existing and existing->same_list
+			 */
+			new_key->same_list = cur->same_list;
+			new_key->num_same = cur->num_same;
+			break;
+		}
+	}
+
+	/*
+	 * finally link new_key to existing
+	 * and fix up the numbers
+	 */
+	cur->same_list = new_key;
+	for (cur = existing; cur != new_key; cur = cur->same_list) {
+		cur->num_same += 1;
+	}
+
+	return;
+}
+
+struct insert_longterm_keys_into_key_map_state {
+	wmem_map_t *key_map;
+};
+
+static void insert_longterm_keys_into_key_map_cb(gpointer __key _U_,
+						 gpointer value,
+						 gpointer user_data)
+{
+	struct insert_longterm_keys_into_key_map_state *state =
+		(struct insert_longterm_keys_into_key_map_state *)user_data;
+	enc_key_t *key = (enc_key_t *)value;
+
+	kerberos_key_map_insert(state->key_map, key);
+}
+
+static void insert_longterm_keys_into_key_map(wmem_map_t *key_map)
+{
+	/*
+	 * Because the kerberos_longterm_keys are allocated on
+	 * wmem_epan_scope() and kerberos_all_keys are allocated
+	 * on wmem_file_scope(), we need to plug the longterm keys
+	 * back to kerberos_all_keys if a new file was loaded
+	 * and wmem_file_scope() got cleared.
+	 */
+	if (wmem_map_size(key_map) < wmem_map_size(kerberos_longterm_keys)) {
+		struct insert_longterm_keys_into_key_map_state state = {
+			.key_map = key_map,
+		};
+		/*
+		 * Reference all longterm keys into kerberos_all_keys
+		 */
+		wmem_map_foreach(kerberos_longterm_keys,
+				 insert_longterm_keys_into_key_map_cb,
+				 &state);
+	}
+}
+
+static void
+kerberos_key_list_append(wmem_list_t *key_list, enc_key_t *new_key)
+{
+	enc_key_t *existing = NULL;
+
+	existing = (enc_key_t *)wmem_list_find(key_list, new_key);
+	if (existing != NULL) {
+		return;
+	}
+
+	wmem_list_append(key_list, new_key);
+}
+
+static void
+add_encryption_key(packet_info *pinfo,
+		   kerberos_private_data_t *private_data,
+		   proto_tree *key_tree,
+		   proto_item *key_hidden_item,
+		   tvbuff_t *key_tvb,
+		   int keytype, int keylength, const char *keyvalue,
+		   const char *origin,
+		   enc_key_t *src1, enc_key_t *src2)
+{
+	wmem_allocator_t *key_scope = NULL;
+	enc_key_t *new_key = NULL;
+	const char *methodl = "learnt";
+	const char *methodu = "Learnt";
+	proto_item *item = NULL;
+
+	private_data->last_added_key = NULL;
+
+	if (src1 != NULL && src2 != NULL) {
+		methodl = "derived";
+		methodu = "Derived";
+	}
+
+	if(pinfo->fd->visited){
+		/*
+		 * We already processed this,
+		 * we can use a shortterm scope
+		 */
+		key_scope = pinfo->pool;
+	} else {
+		/*
+		 * As long as we have enc_key_list, we need to
+		 * use wmem_epan_scope(), when that's gone
+		 * we can dynamically select the scope based on
+		 * how long we'll need the particular key.
+		 */
+		key_scope = wmem_epan_scope();
+	}
+
+	new_key = wmem_new0(key_scope, enc_key_t);
+	snprintf(new_key->key_origin, KRB_MAX_ORIG_LEN, "%s %s in frame %u",
+		   methodl, origin, pinfo->num);
+	new_key->fd_num = pinfo->num;
+	new_key->id = ++private_data->learnt_key_ids;
+	snprintf(new_key->id_str, KRB_MAX_ID_STR_LEN, "%d.%u",
+		   new_key->fd_num, new_key->id);
+	new_key->keytype=keytype;
+	new_key->keylength=keylength;
+	memcpy(new_key->keyvalue, keyvalue, MIN(keylength, KRB_MAX_KEY_LENGTH));
+	new_key->src1 = src1;
+	new_key->src2 = src2;
+
+	if(!pinfo->fd->visited){
+		/*
+		 * Only keep it if we don't processed it before.
+		 */
+		new_key->next=enc_key_list;
+		enc_key_list=new_key;
+		insert_longterm_keys_into_key_map(kerberos_all_keys);
+		kerberos_key_map_insert(kerberos_all_keys, new_key);
+	}
+
+	item = proto_tree_add_expert_format(key_tree, pinfo, &ei_kerberos_learnt_keytype,
+			key_tvb, 0, keylength,
+			"%s %s keytype %d (id=%d.%u) (%02x%02x%02x%02x...)",
+			methodu, origin, keytype, pinfo->num, new_key->id,
+			keyvalue[0] & 0xFF, keyvalue[1] & 0xFF,
+			keyvalue[2] & 0xFF, keyvalue[3] & 0xFF);
+	if (item != NULL && key_hidden_item != NULL) {
+		proto_tree_move_item(key_tree, key_hidden_item, item);
+	}
+	if (src1 != NULL) {
+		enc_key_t *sek = src1;
+		expert_add_info_format(pinfo, item, &ei_kerberos_learnt_keytype,
+				       "SRC1 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       sek->key_origin, sek->keytype,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+	}
+	if (src2 != NULL) {
+		enc_key_t *sek = src2;
+		expert_add_info_format(pinfo, item, &ei_kerberos_learnt_keytype,
+				       "SRC2 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       sek->key_origin, sek->keytype,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+	}
+
+	kerberos_key_list_append(private_data->learnt_keys, new_key);
+	private_data->last_added_key = new_key;
+}
+
+static void
+save_encryption_key(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
+		    asn1_ctx_t *actx _U_, proto_tree *tree _U_,
+		    int parent_hf_index _U_,
+		    int hf_index _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	const char *parent = proto_registrar_get_name(parent_hf_index);
+	const char *element = proto_registrar_get_name(hf_index);
+	char origin[KRB_MAX_ORIG_LEN] = { 0, };
+
+	snprintf(origin, KRB_MAX_ORIG_LEN, "%s_%s", parent, element);
+
+	add_encryption_key(actx->pinfo,
+			   private_data,
+			   private_data->key_tree,
+			   private_data->key_hidden_item,
+			   private_data->key_tvb,
+			   private_data->key.keytype,
+			   private_data->key.keylength,
+			   private_data->key.keyvalue,
+			   origin,
+			   NULL,
+			   NULL);
+}
+
+static void
+save_Authenticator_subkey(tvbuff_t *tvb, int offset, int length,
+			  asn1_ctx_t *actx, proto_tree *tree,
+			  int parent_hf_index,
+			  int hf_index)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+
+	if (private_data->last_decryption_key == NULL) {
+		return;
+	}
+	if (private_data->last_added_key == NULL) {
+		return;
+	}
+
+	if (private_data->within_PA_TGS_REQ != 0) {
+		private_data->PA_TGS_REQ_key = private_data->last_decryption_key;
+		private_data->PA_TGS_REQ_subkey = private_data->last_added_key;
+	}
+	if (private_data->fast_armor_within_armor_value != 0) {
+		private_data->PA_FAST_ARMOR_AP_key = private_data->last_decryption_key;
+		private_data->PA_FAST_ARMOR_AP_subkey = private_data->last_added_key;
+	}
+}
+
+static void
+save_EncAPRepPart_subkey(tvbuff_t *tvb, int offset, int length,
+			 asn1_ctx_t *actx, proto_tree *tree,
+			 int parent_hf_index,
+			 int hf_index)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+
+	if (actx->pinfo->fd->visited) {
+		return;
+	}
+
+	if (private_data->last_added_key == NULL) {
+		return;
+	}
+
+	kerberos_key_map_insert(kerberos_app_session_keys, private_data->last_added_key);
+}
+
+static void
+save_EncKDCRepPart_key(tvbuff_t *tvb, int offset, int length,
+		       asn1_ctx_t *actx, proto_tree *tree,
+		       int parent_hf_index,
+		       int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_EncTicketPart_key(tvbuff_t *tvb, int offset, int length,
+		       asn1_ctx_t *actx, proto_tree *tree,
+		       int parent_hf_index,
+		       int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_KrbCredInfo_key(tvbuff_t *tvb, int offset, int length,
+		     asn1_ctx_t *actx, proto_tree *tree,
+		     int parent_hf_index,
+		     int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_KrbFastResponse_strengthen_key(tvbuff_t *tvb, int offset, int length,
+				    asn1_ctx_t *actx, proto_tree *tree,
+				    int parent_hf_index,
+				    int hf_index)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+
+	private_data->fast_strengthen_key = private_data->last_added_key;
+}
+
+static void used_encryption_key(proto_tree *tree, packet_info *pinfo,
+				kerberos_private_data_t *private_data,
+				enc_key_t *ek, int usage, tvbuff_t *cryptotvb,
+				const char *keymap_name,
+				guint keymap_size,
+				guint decryption_count)
+{
+	proto_item *item = NULL;
+	enc_key_t *sek = NULL;
+
+	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
+				     cryptotvb, 0, 0,
+				     "Decrypted keytype %d usage %d "
+				     "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
+				     ek->keytype, usage, ek->key_origin, ek->id_str, ek->num_same,
+				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
+				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
+	expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
+			       "Used keymap=%s num_keys=%u num_tries=%u)",
+			       keymap_name,
+			       keymap_size,
+			       decryption_count);
+	if (ek->src1 != NULL) {
+		sek = ek->src1;
+		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
+				       "SRC1 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       sek->key_origin, sek->keytype,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+	}
+	if (ek->src2 != NULL) {
+		sek = ek->src2;
+		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
+				       "SRC2 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       sek->key_origin, sek->keytype,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+	}
+	sek = ek->same_list;
+	while (sek != NULL) {
+		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
+				       "Decrypted keytype %d usage %d "
+				       "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       sek->keytype, usage, sek->key_origin, sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+		sek = sek->same_list;
+	}
+	kerberos_key_list_append(private_data->decryption_keys, ek);
+	private_data->last_decryption_key = ek;
+}
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+#ifdef HAVE_MIT_KERBEROS
+
+static void missing_encryption_key(proto_tree *tree, packet_info *pinfo,
+				   kerberos_private_data_t *private_data,
+				   int keytype, int usage, tvbuff_t *cryptotvb,
+				   const char *keymap_name,
+				   guint keymap_size,
+				   guint decryption_count)
+{
+	proto_item *item = NULL;
+	enc_key_t *mek = NULL;
+
+	mek = wmem_new0(pinfo->pool, enc_key_t);
+	snprintf(mek->key_origin, KRB_MAX_ORIG_LEN,
+		   "keytype %d usage %d missing in frame %u",
+		   keytype, usage, pinfo->num);
+	mek->fd_num = pinfo->num;
+	mek->id = ++private_data->missing_key_ids;
+	snprintf(mek->id_str, KRB_MAX_ID_STR_LEN, "missing.%u",
+		   mek->id);
+	mek->keytype=keytype;
+
+	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_missing_keytype,
+					    cryptotvb, 0, 0,
+					    "Missing keytype %d usage %d (id=%s)",
+					    keytype, usage, mek->id_str);
+	expert_add_info_format(pinfo, item, &ei_kerberos_missing_keytype,
+			       "Used keymap=%s num_keys=%u num_tries=%u)",
+			       keymap_name,
+			       keymap_size,
+			       decryption_count);
+
+	kerberos_key_list_append(private_data->missing_keys, mek);
+}
+
+#ifdef HAVE_KRB5_PAC_VERIFY
+static void used_signing_key(proto_tree *tree, packet_info *pinfo,
+			     kerberos_private_data_t *private_data,
+			     enc_key_t *ek, tvbuff_t *tvb,
+			     krb5_cksumtype checksum,
+			     const char *reason,
+			     const char *keymap_name,
+			     guint keymap_size,
+			     guint verify_count)
+{
+	proto_item *item = NULL;
+	enc_key_t *sek = NULL;
+
+	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
+				     tvb, 0, 0,
+				     "%s checksum %d keytype %d "
+				     "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
+				     reason, checksum, ek->keytype, ek->key_origin,
+				     ek->id_str, ek->num_same,
+				     ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
+				     ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
+	expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
+			       "Used keymap=%s num_keys=%u num_tries=%u)",
+			       keymap_name,
+			       keymap_size,
+			       verify_count);
+	sek = ek->same_list;
+	while (sek != NULL) {
+		expert_add_info_format(pinfo, item, &ei_kerberos_decrypted_keytype,
+				       "%s checksum %d keytype %d "
+				       "using %s (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       reason, checksum, sek->keytype, sek->key_origin,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+		sek = sek->same_list;
+	}
+	kerberos_key_list_append(private_data->decryption_keys, ek);
+}
+
+static void missing_signing_key(proto_tree *tree, packet_info *pinfo,
+				kerberos_private_data_t *private_data,
+				tvbuff_t *tvb,
+				krb5_cksumtype checksum,
+				int keytype,
+				const char *reason,
+				const char *keymap_name,
+				guint keymap_size,
+				guint verify_count)
+{
+	proto_item *item = NULL;
+	enc_key_t *mek = NULL;
+
+	mek = wmem_new0(pinfo->pool, enc_key_t);
+	snprintf(mek->key_origin, KRB_MAX_ORIG_LEN,
+		   "checksum %d keytype %d missing in frame %u",
+		   checksum, keytype, pinfo->num);
+	mek->fd_num = pinfo->num;
+	mek->id = ++private_data->missing_key_ids;
+	snprintf(mek->id_str, KRB_MAX_ID_STR_LEN, "missing.%u",
+		   mek->id);
+	mek->keytype=keytype;
+
+	item = proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_missing_keytype,
+					    tvb, 0, 0,
+					    "%s checksum %d keytype %d (id=%s)",
+					    reason, checksum, keytype, mek->id_str);
+	expert_add_info_format(pinfo, item, &ei_kerberos_missing_keytype,
+			       "Used keymap=%s num_keys=%u num_tries=%u)",
+			       keymap_name,
+			       keymap_size,
+			       verify_count);
+
+	kerberos_key_list_append(private_data->missing_keys, mek);
+}
+
+#endif /* HAVE_KRB5_PAC_VERIFY */
+
+static krb5_context krb5_ctx;
+
+#ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
+static void
+krb5_fast_key(asn1_ctx_t *actx, proto_tree *tree, tvbuff_t *tvb,
+	      enc_key_t *ek1 _U_, const char *p1 _U_,
+	      enc_key_t *ek2 _U_, const char *p2 _U_,
+	      const char *origin _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	krb5_error_code ret;
+	krb5_keyblock k1;
+	krb5_keyblock k2;
+	krb5_keyblock *k = NULL;
+
+	if (!krb_decrypt) {
+		return;
+	}
+
+	if (ek1 == NULL) {
+		return;
+	}
+
+	if (ek2 == NULL) {
+		return;
+	}
+
+	k1.magic = KV5M_KEYBLOCK;
+	k1.enctype = ek1->keytype;
+	k1.length = ek1->keylength;
+	k1.contents = (guint8 *)ek1->keyvalue;
+
+	k2.magic = KV5M_KEYBLOCK;
+	k2.enctype = ek2->keytype;
+	k2.length = ek2->keylength;
+	k2.contents = (guint8 *)ek2->keyvalue;
+
+	ret = krb5_c_fx_cf2_simple(krb5_ctx, &k1, p1, &k2, p2, &k);
+	if (ret != 0) {
+		return;
+	}
+
+	add_encryption_key(actx->pinfo,
+			   private_data,
+			   tree, NULL, tvb,
+			   k->enctype, k->length,
+			   (const char *)k->contents,
+			   origin,
+			   ek1, ek2);
+
+	krb5_free_keyblock(krb5_ctx, k);
+}
+#else /* HAVE_KRB5_C_FX_CF2_SIMPLE */
+static void
+krb5_fast_key(asn1_ctx_t *actx _U_, proto_tree *tree _U_, tvbuff_t *tvb _U_,
+	      enc_key_t *ek1 _U_, const char *p1 _U_,
+	      enc_key_t *ek2 _U_, const char *p2 _U_,
+	      const char *origin _U_)
+{
+}
+#endif /* HAVE_KRB5_C_FX_CF2_SIMPLE */
+
+USES_APPLE_DEPRECATED_API
+void
+read_keytab_file(const char *filename)
+{
+	krb5_keytab keytab;
+	krb5_error_code ret;
+	krb5_keytab_entry key;
+	krb5_kt_cursor cursor;
+	static gboolean first_time=TRUE;
+
+	if (filename == NULL || filename[0] == 0) {
+		return;
+	}
+
+	if(first_time){
+		first_time=FALSE;
+		ret = krb5_init_context(&krb5_ctx);
+		if(ret && ret != KRB5_CONFIG_CANTOPEN){
+			return;
+		}
+	}
+
+	/* should use a file in the wireshark users dir */
+	ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Badly formatted keytab filename :%s\n",filename);
+
+		return;
+	}
+
+	ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Could not open or could not read from keytab file :%s\n",filename);
+		return;
+	}
+
+	do{
+		ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
+		if(ret==0){
+			enc_key_t *new_key;
+			int i;
+			char *pos;
+
+			new_key = wmem_new0(wmem_epan_scope(), enc_key_t);
+			new_key->fd_num = -1;
+			new_key->id = ++kerberos_longterm_ids;
+			snprintf(new_key->id_str, KRB_MAX_ID_STR_LEN, "keytab.%u", new_key->id);
+			new_key->next = enc_key_list;
+
+			/* generate origin string, describing where this key came from */
+			pos=new_key->key_origin;
+			pos+=MIN(KRB_MAX_ORIG_LEN,
+					 snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+			for(i=0;i<key.principal->length;i++){
+				pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+						 snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),(key.principal->data[i]).data));
+			}
+			pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+					 snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm.data));
+			*pos=0;
+			new_key->keytype=key.key.enctype;
+			new_key->keylength=key.key.length;
+			memcpy(new_key->keyvalue,
+			       key.key.contents,
+			       MIN(key.key.length, KRB_MAX_KEY_LENGTH));
+
+			enc_key_list=new_key;
+			ret = krb5_free_keytab_entry_contents(krb5_ctx, &key);
+			if (ret) {
+				fprintf(stderr, "KERBEROS ERROR: Could not release the entry: %d", ret);
+				ret = 0; /* try to continue with the next entry */
+			}
+			kerberos_key_map_insert(kerberos_longterm_keys, new_key);
+		}
+	}while(ret==0);
+
+	ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Could not release the keytab cursor: %d", ret);
+	}
+	ret = krb5_kt_close(krb5_ctx, keytab);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Could not close the key table handle: %d", ret);
+	}
+}
+
+struct decrypt_krb5_with_cb_state {
+	proto_tree *tree;
+	packet_info *pinfo;
+	kerberos_private_data_t *private_data;
+	int usage;
+	int keytype;
+	tvbuff_t *cryptotvb;
+	krb5_error_code (*decrypt_cb_fn)(
+		const krb5_keyblock *key,
+		int usage,
+		void *decrypt_cb_data);
+	void *decrypt_cb_data;
+	guint count;
+	enc_key_t *ek;
+};
+
+static void
+decrypt_krb5_with_cb_try_key(gpointer __key _U_, gpointer value, gpointer userdata)
+{
+	struct decrypt_krb5_with_cb_state *state =
+		(struct decrypt_krb5_with_cb_state *)userdata;
+	enc_key_t *ek = (enc_key_t *)value;
+	krb5_error_code ret;
+	krb5_keytab_entry key;
+#ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
+	enc_key_t *ak = state->private_data->fast_armor_key;
+	enc_key_t *sk = state->private_data->fast_strengthen_key;
+	gboolean try_with_armor_key = FALSE;
+	gboolean try_with_strengthen_key = FALSE;
+#endif
+
+	if (state->ek != NULL) {
+		/*
+		 * we're done.
+		 */
+		return;
+	}
+
+#ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
+	if (ak != NULL && ak != ek && ak->keytype == state->keytype && ek->fd_num == -1) {
+		switch (state->usage) {
+		case KEY_USAGE_ENC_CHALLENGE_CLIENT:
+		case KEY_USAGE_ENC_CHALLENGE_KDC:
+			if (ek->fd_num == -1) {
+				/* Challenges are based on a long term key */
+				try_with_armor_key = TRUE;
+			}
+			break;
+		}
+
+		/*
+		 * If we already have a strengthen_key
+		 * we don't need to try with the armor key
+		 * again
+		 */
+		if (sk != NULL) {
+			try_with_armor_key = FALSE;
+		}
+	}
+
+	if (sk != NULL && sk != ek && sk->keytype == state->keytype && sk->keytype == ek->keytype) {
+		switch (state->usage) {
+		case 3:
+			if (ek->fd_num == -1) {
+				/* AS-REP is based on a long term key */
+				try_with_strengthen_key = TRUE;
+			}
+			break;
+		case 8:
+		case 9:
+			if (ek->fd_num != -1) {
+				/* TGS-REP is not based on a long term key */
+				try_with_strengthen_key = TRUE;
+			}
+			break;
+		}
+	}
+
+	if (try_with_armor_key) {
+		krb5_keyblock k1;
+		krb5_keyblock k2;
+		krb5_keyblock *k = NULL;
+		const char *p1 = NULL;
+
+		k1.magic = KV5M_KEYBLOCK;
+		k1.enctype = ak->keytype;
+		k1.length = ak->keylength;
+		k1.contents = (guint8 *)ak->keyvalue;
+
+		k2.magic = KV5M_KEYBLOCK;
+		k2.enctype = ek->keytype;
+		k2.length = ek->keylength;
+		k2.contents = (guint8 *)ek->keyvalue;
+
+		switch (state->usage) {
+		case KEY_USAGE_ENC_CHALLENGE_CLIENT:
+			p1 = "clientchallengearmor";
+			break;
+		case KEY_USAGE_ENC_CHALLENGE_KDC:
+			p1 = "kdcchallengearmor";
+			break;
+		default:
+			/*
+			 * Should never be called!
+			 */
+			/*
+			 * try the next one...
+			 */
+			return;
+		}
+
+		ret = krb5_c_fx_cf2_simple(krb5_ctx,
+					   &k1, p1,
+					   &k2, "challengelongterm",
+					   &k);
+		if (ret != 0) {
+			/*
+			 * try the next one...
+			 */
+			return;
+		}
+
+		state->count += 1;
+		ret = state->decrypt_cb_fn(k,
+					   state->usage,
+					   state->decrypt_cb_data);
+		if (ret == 0) {
+			add_encryption_key(state->pinfo,
+					   state->private_data,
+					   state->tree,
+					   NULL,
+					   state->cryptotvb,
+					   k->enctype, k->length,
+					   (const char *)k->contents,
+					   p1,
+					   ak, ek);
+			krb5_free_keyblock(krb5_ctx, k);
+			/*
+			 * remember the key and stop traversing
+			 */
+			state->ek = state->private_data->last_added_key;
+			return;
+		}
+		krb5_free_keyblock(krb5_ctx, k);
+		/*
+		 * don't stop traversing...
+		 * try the next one...
+		 */
+		return;
+	}
+
+	if (try_with_strengthen_key) {
+		krb5_keyblock k1;
+		krb5_keyblock k2;
+		krb5_keyblock *k = NULL;
+
+		k1.magic = KV5M_KEYBLOCK;
+		k1.enctype = sk->keytype;
+		k1.length = sk->keylength;
+		k1.contents = (guint8 *)sk->keyvalue;
+
+		k2.magic = KV5M_KEYBLOCK;
+		k2.enctype = ek->keytype;
+		k2.length = ek->keylength;
+		k2.contents = (guint8 *)ek->keyvalue;
+
+		ret = krb5_c_fx_cf2_simple(krb5_ctx,
+					   &k1, "strengthenkey",
+					   &k2, "replykey",
+					   &k);
+		if (ret != 0) {
+			/*
+			 * try the next one...
+			 */
+			return;
+		}
+
+		state->count += 1;
+		ret = state->decrypt_cb_fn(k,
+					   state->usage,
+					   state->decrypt_cb_data);
+		if (ret == 0) {
+			add_encryption_key(state->pinfo,
+					   state->private_data,
+					   state->tree,
+					   NULL,
+					   state->cryptotvb,
+					   k->enctype, k->length,
+					   (const char *)k->contents,
+					    "strengthen-reply-key",
+					   sk, ek);
+			krb5_free_keyblock(krb5_ctx, k);
+			/*
+			 * remember the key and stop traversing
+			 */
+			state->ek = state->private_data->last_added_key;
+			return;
+		}
+		krb5_free_keyblock(krb5_ctx, k);
+		/*
+		 * don't stop traversing...
+		 * try the next one...
+		 */
+		return;
+	}
+#endif /* HAVE_KRB5_C_FX_CF2_SIMPLE */
+
+	/* shortcircuit and bail out if enctypes are not matching */
+	if ((state->keytype != -1) && (ek->keytype != state->keytype)) {
+		/*
+		 * don't stop traversing...
+		 * try the next one...
+		 */
+		return;
+	}
+
+	key.key.enctype=ek->keytype;
+	key.key.length=ek->keylength;
+	key.key.contents=ek->keyvalue;
+	state->count += 1;
+	ret = state->decrypt_cb_fn(&(key.key),
+				   state->usage,
+				   state->decrypt_cb_data);
+	if (ret != 0) {
+		/*
+		 * don't stop traversing...
+		 * try the next one...
+		 */
+		return;
+	}
+
+	/*
+	 * we're done, remember the key
+	 */
+	state->ek = ek;
+}
+
+static krb5_error_code
+decrypt_krb5_with_cb(proto_tree *tree,
+		     packet_info *pinfo,
+		     kerberos_private_data_t *private_data,
+		     int usage,
+		     int keytype,
+		     tvbuff_t *cryptotvb,
+		     krb5_error_code (*decrypt_cb_fn)(
+			const krb5_keyblock *key,
+			int usage,
+			void *decrypt_cb_data),
+		     void *decrypt_cb_data)
+{
+	const char *key_map_name = NULL;
+	wmem_map_t *key_map = NULL;
+	struct decrypt_krb5_with_cb_state state = {
+		.tree = tree,
+		.pinfo = pinfo,
+		.private_data = private_data,
+		.usage = usage,
+		.cryptotvb = cryptotvb,
+		.keytype = keytype,
+		.decrypt_cb_fn = decrypt_cb_fn,
+		.decrypt_cb_data = decrypt_cb_data,
+	};
+
+	read_keytab_file_from_preferences();
+
+	switch (usage) {
+	case KRB5_KU_USAGE_INITIATOR_SEAL:
+	case KRB5_KU_USAGE_ACCEPTOR_SEAL:
+		key_map_name = "app_session_keys";
+		key_map = kerberos_app_session_keys;
+		break;
+	default:
+		key_map_name = "all_keys";
+		key_map = kerberos_all_keys;
+		insert_longterm_keys_into_key_map(key_map);
+		break;
+	}
+
+	wmem_map_foreach(key_map, decrypt_krb5_with_cb_try_key, &state);
+	if (state.ek != NULL) {
+		used_encryption_key(tree, pinfo, private_data,
+				    state.ek, usage, cryptotvb,
+				    key_map_name,
+				    wmem_map_size(key_map),
+				    state.count);
+		return 0;
+	}
+
+	missing_encryption_key(tree, pinfo, private_data,
+			       keytype, usage, cryptotvb,
+			       key_map_name,
+			       wmem_map_size(key_map),
+			       state.count);
+	return -1;
+}
+
+struct decrypt_krb5_data_state {
+	krb5_data input;
+	krb5_data output;
+};
+
+static krb5_error_code
+decrypt_krb5_data_cb(const krb5_keyblock *key,
+		     int usage,
+		     void *decrypt_cb_data)
+{
+	struct decrypt_krb5_data_state *state =
+		(struct decrypt_krb5_data_state *)decrypt_cb_data;
+	krb5_enc_data input;
+
+	memset(&input, 0, sizeof(input));
+	input.enctype = key->enctype;
+	input.ciphertext = state->input;
+
+	return krb5_c_decrypt(krb5_ctx,
+			      key,
+			      usage,
+			      0,
+			      &input,
+			      &state->output);
+}
+
+static guint8 *
+decrypt_krb5_data_private(proto_tree *tree _U_, packet_info *pinfo,
+			  kerberos_private_data_t *private_data,
+			  int usage, tvbuff_t *cryptotvb, int keytype,
+			  int *datalen)
+{
+#define HAVE_DECRYPT_KRB5_DATA_PRIVATE 1
+	struct decrypt_krb5_data_state state;
+	krb5_error_code ret;
+	int length = tvb_captured_length(cryptotvb);
+	const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
+
+	/* don't do anything if we are not attempting to decrypt data */
+	if(!krb_decrypt || length < 1){
+		return NULL;
+	}
+
+	/* make sure we have all the data we need */
+	if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
+		return NULL;
+	}
+
+	memset(&state, 0, sizeof(state));
+	state.input.length = length;
+	state.input.data = (guint8 *)cryptotext;
+	state.output.data = (char *)wmem_alloc(pinfo->pool, length);
+	state.output.length = length;
+
+	ret = decrypt_krb5_with_cb(tree,
+				   pinfo,
+				   private_data,
+				   usage,
+				   keytype,
+				   cryptotvb,
+				   decrypt_krb5_data_cb,
+				   &state);
+	if (ret != 0) {
+		return NULL;
+	}
+
+	if (datalen) {
+		*datalen = state.output.length;
+	}
+	return (guint8 *)state.output.data;
+}
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
+					int usage,
+					tvbuff_t *cryptotvb,
+					int keytype,
+					int *datalen)
+{
+	kerberos_private_data_t *zero_private = kerberos_new_private_data(pinfo);
+	return decrypt_krb5_data_private(tree, pinfo, zero_private,
+					 usage, cryptotvb, keytype,
+					 datalen);
+}
+
+USES_APPLE_RST
+
+#ifdef KRB5_CRYPTO_TYPE_SIGN_ONLY
+struct decrypt_krb5_krb_cfx_dce_state {
+	const guint8 *gssapi_header_ptr;
+	guint gssapi_header_len;
+	tvbuff_t *gssapi_encrypted_tvb;
+	guint8 *gssapi_payload;
+	guint gssapi_payload_len;
+	const guint8 *gssapi_trailer_ptr;
+	guint gssapi_trailer_len;
+	tvbuff_t *checksum_tvb;
+	guint8 *checksum;
+	guint checksum_len;
+};
+
+static krb5_error_code
+decrypt_krb5_krb_cfx_dce_cb(const krb5_keyblock *key,
+			    int usage,
+			    void *decrypt_cb_data)
+{
+	struct decrypt_krb5_krb_cfx_dce_state *state =
+		(struct decrypt_krb5_krb_cfx_dce_state *)decrypt_cb_data;
+	unsigned int k5_headerlen = 0;
+	unsigned int k5_headerofs = 0;
+	unsigned int k5_trailerlen = 0;
+	unsigned int k5_trailerofs = 0;
+	size_t _k5_blocksize = 0;
+	guint k5_blocksize;
+	krb5_crypto_iov iov[6];
+	krb5_error_code ret;
+	guint checksum_remain = state->checksum_len;
+	guint checksum_crypt_len;
+
+	memset(iov, 0, sizeof(iov));
+
+	ret = krb5_c_crypto_length(krb5_ctx,
+				   key->enctype,
+				   KRB5_CRYPTO_TYPE_HEADER,
+				   &k5_headerlen);
+	if (ret != 0) {
+		return ret;
+	}
+	if (checksum_remain < k5_headerlen) {
+		return -1;
+	}
+	checksum_remain -= k5_headerlen;
+	k5_headerofs = checksum_remain;
+	ret = krb5_c_crypto_length(krb5_ctx,
+				   key->enctype,
+				   KRB5_CRYPTO_TYPE_TRAILER,
+				   &k5_trailerlen);
+	if (ret != 0) {
+		return ret;
+	}
+	if (checksum_remain < k5_trailerlen) {
+		return -1;
+	}
+	checksum_remain -= k5_trailerlen;
+	k5_trailerofs = checksum_remain;
+	checksum_crypt_len = checksum_remain;
+
+	ret = krb5_c_block_size(krb5_ctx,
+				key->enctype,
+				&_k5_blocksize);
+	if (ret != 0) {
+		return ret;
+	}
+	/*
+	 * The cast is required for the Windows build in order
+	 * to avoid the following warning.
+	 *
+	 * warning C4267: '-=': conversion from 'size_t' to 'guint',
+	 * possible loss of data
+	 */
+	k5_blocksize = (guint)_k5_blocksize;
+	if (checksum_remain < k5_blocksize) {
+		return -1;
+	}
+	checksum_remain -= k5_blocksize;
+	if (checksum_remain < 16) {
+		return -1;
+	}
+
+	tvb_memcpy(state->gssapi_encrypted_tvb,
+		   state->gssapi_payload,
+		   0,
+		   state->gssapi_payload_len);
+	tvb_memcpy(state->checksum_tvb,
+		   state->checksum,
+		   0,
+		   state->checksum_len);
+
+	iov[0].flags = KRB5_CRYPTO_TYPE_HEADER;
+	iov[0].data.data = state->checksum + k5_headerofs;
+	iov[0].data.length = k5_headerlen;
+
+	if (state->gssapi_header_ptr != NULL) {
+		iov[1].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+		iov[1].data.data = (guint8 *)(guintptr)state->gssapi_header_ptr;
+		iov[1].data.length = state->gssapi_header_len;
+	} else {
+		iov[1].flags = KRB5_CRYPTO_TYPE_EMPTY;
+	}
+
+	iov[2].flags = KRB5_CRYPTO_TYPE_DATA;
+	iov[2].data.data = state->gssapi_payload;
+	iov[2].data.length = state->gssapi_payload_len;
+
+	if (state->gssapi_trailer_ptr != NULL) {
+		iov[3].flags = KRB5_CRYPTO_TYPE_SIGN_ONLY;
+		iov[3].data.data = (guint8 *)(guintptr)state->gssapi_trailer_ptr;
+		iov[3].data.length = state->gssapi_trailer_len;
+	} else {
+		iov[3].flags = KRB5_CRYPTO_TYPE_EMPTY;
+	}
+
+	iov[4].flags = KRB5_CRYPTO_TYPE_DATA;
+	iov[4].data.data = state->checksum;
+	iov[4].data.length = checksum_crypt_len;
+
+	iov[5].flags = KRB5_CRYPTO_TYPE_TRAILER;
+	iov[5].data.data = state->checksum + k5_trailerofs;
+	iov[5].data.length = k5_trailerlen;
+
+	return krb5_c_decrypt_iov(krb5_ctx,
+				  key,
+				  usage,
+				  0,
+				  iov,
+				  6);
+}
+
+tvbuff_t *
+decrypt_krb5_krb_cfx_dce(proto_tree *tree,
+			 packet_info *pinfo,
+			 int usage,
+			 int keytype,
+			 tvbuff_t *gssapi_header_tvb,
+			 tvbuff_t *gssapi_encrypted_tvb,
+			 tvbuff_t *gssapi_trailer_tvb,
+			 tvbuff_t *checksum_tvb)
+{
+	struct decrypt_krb5_krb_cfx_dce_state state;
+	kerberos_private_data_t *zero_private = kerberos_new_private_data(pinfo);
+	tvbuff_t *gssapi_decrypted_tvb = NULL;
+	krb5_error_code ret;
+
+	/* don't do anything if we are not attempting to decrypt data */
+	if (!krb_decrypt) {
+		return NULL;
+	}
+
+	memset(&state, 0, sizeof(state));
+
+	/* make sure we have all the data we need */
+#define __CHECK_TVB_LEN(__tvb) (tvb_captured_length(__tvb) < tvb_reported_length(__tvb))
+	if (gssapi_header_tvb != NULL) {
+		if (__CHECK_TVB_LEN(gssapi_header_tvb)) {
+			return NULL;
+		}
+
+		state.gssapi_header_len = tvb_captured_length(gssapi_header_tvb);
+		state.gssapi_header_ptr = tvb_get_ptr(gssapi_header_tvb,
+						       0,
+						       state.gssapi_header_len);
+	}
+	if (gssapi_encrypted_tvb == NULL || __CHECK_TVB_LEN(gssapi_encrypted_tvb)) {
+		return NULL;
+	}
+	state.gssapi_encrypted_tvb = gssapi_encrypted_tvb;
+	state.gssapi_payload_len = tvb_captured_length(gssapi_encrypted_tvb);
+	state.gssapi_payload = (guint8 *)wmem_alloc0(pinfo->pool, state.gssapi_payload_len);
+	if (state.gssapi_payload == NULL) {
+		return NULL;
+	}
+	if (gssapi_trailer_tvb != NULL) {
+		if (__CHECK_TVB_LEN(gssapi_trailer_tvb)) {
+			return NULL;
+		}
+
+		state.gssapi_trailer_len = tvb_captured_length(gssapi_trailer_tvb);
+		state.gssapi_trailer_ptr = tvb_get_ptr(gssapi_trailer_tvb,
+						       0,
+						       state.gssapi_trailer_len);
+	}
+	if (checksum_tvb == NULL || __CHECK_TVB_LEN(checksum_tvb)) {
+		return NULL;
+	}
+	state.checksum_tvb = checksum_tvb;
+	state.checksum_len = tvb_captured_length(checksum_tvb);
+	state.checksum = (guint8 *)wmem_alloc0(pinfo->pool, state.checksum_len);
+	if (state.checksum == NULL) {
+		return NULL;
+	}
+
+	ret = decrypt_krb5_with_cb(tree,
+				   pinfo,
+				   zero_private,
+				   usage,
+				   keytype,
+				   gssapi_encrypted_tvb,
+				   decrypt_krb5_krb_cfx_dce_cb,
+				   &state);
+	wmem_free(pinfo->pool, state.checksum);
+	if (ret != 0) {
+		wmem_free(pinfo->pool, state.gssapi_payload);
+		return NULL;
+	}
+
+	gssapi_decrypted_tvb = tvb_new_child_real_data(gssapi_encrypted_tvb,
+						       state.gssapi_payload,
+						       state.gssapi_payload_len,
+						       state.gssapi_payload_len);
+	if (gssapi_decrypted_tvb == NULL) {
+		wmem_free(pinfo->pool, state.gssapi_payload);
+		return NULL;
+	}
+
+	return gssapi_decrypted_tvb;
+}
+#else /* NOT KRB5_CRYPTO_TYPE_SIGN_ONLY */
+#define NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP 1
+#endif /* NOT KRB5_CRYPTO_TYPE_SIGN_ONLY */
+
+#ifdef HAVE_KRB5_PAC_VERIFY
+/*
+ * macOS up to 10.14.5 only has a MIT shim layer on top
+ * of heimdal. It means that krb5_pac_verify() is not available
+ * in /usr/lib/libkrb5.dylib
+ *
+ * https://opensource.apple.com/tarballs/Heimdal/Heimdal-520.260.1.tar.gz
+ * https://opensource.apple.com/tarballs/MITKerberosShim/MITKerberosShim-71.200.1.tar.gz
+ */
+
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
+
+extern void krb5_free_enc_tkt_part(krb5_context, krb5_enc_tkt_part *);
+extern krb5_error_code
+decode_krb5_enc_tkt_part(const krb5_data *output, krb5_enc_tkt_part **rep);
+extern krb5_error_code
+encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code);
+
+static int
+keytype_for_cksumtype(krb5_cksumtype checksum)
+{
+#define _ARRAY_SIZE(X) (sizeof(X) / sizeof((X)[0]))
+	static const int keytypes[] = {
+		18,
+		17,
+		23,
+	};
+	guint i;
+
+	for (i = 0; i < _ARRAY_SIZE(keytypes); i++) {
+		krb5_cksumtype checksumtype = 0;
+		krb5_error_code ret;
+
+		ret = krb5int_c_mandatory_cksumtype(krb5_ctx,
+						    keytypes[i],
+						    &checksumtype);
+		if (ret != 0) {
+			continue;
+		}
+		if (checksum == checksumtype) {
+			return keytypes[i];
+		}
+	}
+
+	return -1;
+}
+
+struct verify_krb5_pac_state {
+	krb5_pac pac;
+	krb5_cksumtype server_checksum;
+	guint server_count;
+	enc_key_t *server_ek;
+	krb5_cksumtype kdc_checksum;
+	guint kdc_count;
+	enc_key_t *kdc_ek;
+	krb5_cksumtype ticket_checksum_type;
+	const krb5_data *ticket_checksum_data;
+};
+
+static void
+verify_krb5_pac_try_server_key(gpointer __key _U_, gpointer value, gpointer userdata)
+{
+	struct verify_krb5_pac_state *state =
+		(struct verify_krb5_pac_state *)userdata;
+	enc_key_t *ek = (enc_key_t *)value;
+	krb5_keyblock keyblock;
+	krb5_cksumtype checksumtype = 0;
+	krb5_error_code ret;
+
+	if (state->server_checksum == 0) {
+		/*
+		 * nothing more todo, stop traversing.
+		 */
+		return;
+	}
+
+	if (state->server_ek != NULL) {
+		/*
+		 * we're done.
+		 */
+		return;
+	}
+
+	ret = krb5int_c_mandatory_cksumtype(krb5_ctx, ek->keytype,
+					    &checksumtype);
+	if (ret != 0) {
+		/*
+		 * the key is not usable, keep traversing.
+		 * try the next key...
+		 */
+		return;
+	}
+
+	keyblock.magic = KV5M_KEYBLOCK;
+	keyblock.enctype = ek->keytype;
+	keyblock.length = ek->keylength;
+	keyblock.contents = (guint8 *)ek->keyvalue;
+
+	if (checksumtype == state->server_checksum) {
+		state->server_count += 1;
+		ret = krb5_pac_verify(krb5_ctx, state->pac, 0, NULL,
+				      &keyblock, NULL);
+		if (ret == 0) {
+			state->server_ek = ek;
+		}
+	}
+}
+
+static void
+verify_krb5_pac_try_kdc_key(gpointer __key _U_, gpointer value, gpointer userdata)
+{
+	struct verify_krb5_pac_state *state =
+		(struct verify_krb5_pac_state *)userdata;
+	enc_key_t *ek = (enc_key_t *)value;
+	krb5_keyblock keyblock;
+	krb5_cksumtype checksumtype = 0;
+	krb5_error_code ret;
+
+	if (state->kdc_checksum == 0) {
+		/*
+		 * nothing more todo, stop traversing.
+		 */
+		return;
+	}
+
+	if (state->kdc_ek != NULL) {
+		/*
+		 * we're done.
+		 */
+		return;
+	}
+
+	ret = krb5int_c_mandatory_cksumtype(krb5_ctx, ek->keytype,
+					    &checksumtype);
+	if (ret != 0) {
+		/*
+		 * the key is not usable, keep traversing.
+		 * try the next key...
+		 */
+		return;
+	}
+
+	keyblock.magic = KV5M_KEYBLOCK;
+	keyblock.enctype = ek->keytype;
+	keyblock.length = ek->keylength;
+	keyblock.contents = (guint8 *)ek->keyvalue;
+
+	if (checksumtype == state->kdc_checksum) {
+		state->kdc_count += 1;
+		ret = krb5_pac_verify(krb5_ctx, state->pac, 0, NULL,
+				      NULL, &keyblock);
+		if (ret == 0) {
+			state->kdc_ek = ek;
+		}
+	}
+}
+
+#define __KRB5_PAC_TICKET_CHECKSUM 16
+
+static void
+verify_krb5_pac_ticket_checksum(proto_tree *tree _U_,
+				asn1_ctx_t *actx _U_,
+				tvbuff_t *pactvb _U_,
+				struct verify_krb5_pac_state *state _U_)
+{
+#ifdef HAVE_DECODE_KRB5_ENC_TKT_PART
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	tvbuff_t *teptvb = private_data->last_ticket_enc_part_tvb;
+	guint teplength = 0;
+	const guint8 *tepbuffer = NULL;
+	krb5_data tepdata = { .length = 0, };
+	krb5_enc_tkt_part *tep = NULL;
+	krb5_data *tmpdata = NULL;
+	krb5_error_code ret;
+	krb5_authdata **recoded_container = NULL;
+	gint ad_orig_idx = -1;
+	krb5_authdata *ad_orig_ptr = NULL;
+	gint l0idx = 0;
+	krb5_keyblock kdc_key = { .magic = KV5M_KEYBLOCK, };
+	size_t checksum_length = 0;
+	krb5_checksum checksum = { .checksum_type = 0, };
+	krb5_boolean valid = FALSE;
+
+	if (state->kdc_ek == NULL) {
+		int keytype = keytype_for_cksumtype(state->ticket_checksum_type);
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state->ticket_checksum_type,
+				    keytype,
+				    "Missing KDC (for ticket)",
+				    "kdc_checksum_key",
+				    0,
+				    0);
+		return;
+	}
+
+	if (teptvb == NULL) {
+		return;
+	}
+
+	teplength = tvb_captured_length(teptvb);
+	/* make sure we have all the data we need */
+	if (teplength < tvb_reported_length(teptvb)) {
+		return;
+	}
+
+	tepbuffer = tvb_get_ptr(teptvb, 0, teplength);
+	if (tepbuffer == NULL) {
+		return;
+	}
+
+	kdc_key.magic = KV5M_KEYBLOCK;
+	kdc_key.enctype = state->kdc_ek->keytype;
+	kdc_key.length = state->kdc_ek->keylength;
+	kdc_key.contents = (guint8 *)state->kdc_ek->keyvalue;
+
+	checksum.checksum_type = state->ticket_checksum_type;
+	checksum.length = state->ticket_checksum_data->length;
+	checksum.contents = (guint8 *)state->ticket_checksum_data->data;
+	if (checksum.length >= 4) {
+		checksum.length -= 4;
+		checksum.contents += 4;
+	}
+
+	ret = krb5_c_checksum_length(krb5_ctx,
+				     checksum.checksum_type,
+				     &checksum_length);
+	if (ret != 0) {
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state->ticket_checksum_type,
+				    state->kdc_ek->keytype,
+				    "krb5_c_checksum_length failed for Ticket Signature",
+				    "kdc_checksum_key",
+				    1,
+				    0);
+		return;
+	}
+	checksum.length = MIN(checksum.length, (unsigned int)checksum_length);
+
+	tepdata.data = (void *)(uintptr_t)tepbuffer;
+	tepdata.length = teplength;
+
+	ret = decode_krb5_enc_tkt_part(&tepdata, &tep);
+	if (ret != 0) {
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state->ticket_checksum_type,
+				    state->kdc_ek->keytype,
+				    "decode_krb5_enc_tkt_part failed",
+				    "kdc_checksum_key",
+				    1,
+				    0);
+		return;
+	}
+
+	for (l0idx = 0; tep->authorization_data[l0idx]; l0idx++) {
+		krb5_authdata *adl0 = tep->authorization_data[l0idx];
+		krb5_authdata **decoded_container = NULL;
+		krb5_authdata *ad_pac = NULL;
+		gint l1idx = 0;
+
+		if (adl0->ad_type != KRB5_AUTHDATA_IF_RELEVANT) {
+			continue;
+		}
+
+		ret = krb5_decode_authdata_container(krb5_ctx,
+						     KRB5_AUTHDATA_IF_RELEVANT,
+						     adl0,
+						     &decoded_container);
+		if (ret != 0) {
+			missing_signing_key(tree, actx->pinfo, private_data,
+					    pactvb, state->ticket_checksum_type,
+					    state->kdc_ek->keytype,
+					    "krb5_decode_authdata_container failed",
+					    "kdc_checksum_key",
+					    1,
+					    0);
+			krb5_free_enc_tkt_part(krb5_ctx, tep);
+			return;
+		}
+
+		for (l1idx = 0; decoded_container[l1idx]; l1idx++) {
+			krb5_authdata *adl1 = decoded_container[l1idx];
+
+			if (adl1->ad_type != KRB5_AUTHDATA_WIN2K_PAC) {
+				continue;
+			}
+
+			ad_pac = adl1;
+			break;
+		}
+
+		if (ad_pac == NULL) {
+			krb5_free_authdata(krb5_ctx, decoded_container);
+			continue;
+		}
+
+		ad_pac->length = 1;
+		ad_pac->contents[0] = '\0';
+
+		ret = krb5_encode_authdata_container(krb5_ctx,
+						     KRB5_AUTHDATA_IF_RELEVANT,
+						     decoded_container,
+						     &recoded_container);
+		krb5_free_authdata(krb5_ctx, decoded_container);
+		decoded_container = NULL;
+		if (ret != 0) {
+			missing_signing_key(tree, actx->pinfo, private_data,
+					    pactvb, state->ticket_checksum_type,
+					    state->kdc_ek->keytype,
+					    "krb5_encode_authdata_container failed",
+					    "kdc_checksum_key",
+					    1,
+					    0);
+			krb5_free_enc_tkt_part(krb5_ctx, tep);
+			return;
+		}
+
+		ad_orig_idx = l0idx;
+		ad_orig_ptr = adl0;
+		tep->authorization_data[l0idx] = recoded_container[0];
+		break;
+	}
+
+	ret = encode_krb5_enc_tkt_part(tep, &tmpdata);
+	if (ad_orig_ptr != NULL) {
+		tep->authorization_data[ad_orig_idx] = ad_orig_ptr;
+	}
+	krb5_free_enc_tkt_part(krb5_ctx, tep);
+	tep = NULL;
+	if (recoded_container != NULL) {
+		krb5_free_authdata(krb5_ctx, recoded_container);
+		recoded_container = NULL;
+	}
+	if (ret != 0) {
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state->ticket_checksum_type,
+				    state->kdc_ek->keytype,
+				    "encode_krb5_enc_tkt_part failed",
+				    "kdc_checksum_key",
+				    1,
+				    0);
+		return;
+	}
+
+	ret = krb5_c_verify_checksum(krb5_ctx, &kdc_key,
+				     KRB5_KEYUSAGE_APP_DATA_CKSUM,
+				     tmpdata, &checksum, &valid);
+	krb5_free_data(krb5_ctx, tmpdata);
+	tmpdata = NULL;
+	if (ret != 0) {
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state->ticket_checksum_type,
+				    state->kdc_ek->keytype,
+				    "krb5_c_verify_checksum failed for Ticket Signature",
+				    "kdc_checksum_key",
+				    1,
+				    1);
+		return;
+	}
+
+	if (valid == FALSE) {
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state->ticket_checksum_type,
+				    state->kdc_ek->keytype,
+				    "Invalid Ticket",
+				    "kdc_checksum_key",
+				    1,
+				    1);
+		return;
+	}
+
+	used_signing_key(tree, actx->pinfo, private_data,
+			 state->kdc_ek, pactvb,
+			 state->ticket_checksum_type,
+			 "Verified Ticket",
+			 "kdc_checksum_key",
+			 1,
+			 1);
+#endif /* HAVE_DECODE_KRB5_ENC_TKT_PART */
+}
+
+static void
+verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	krb5_error_code ret;
+	krb5_data checksum_data = {0,0,NULL};
+	krb5_data ticket_checksum_data = {0,0,NULL};
+	int length = tvb_captured_length(pactvb);
+	const guint8 *pacbuffer = NULL;
+	struct verify_krb5_pac_state state = {
+		.kdc_checksum = 0,
+	};
+
+	/* don't do anything if we are not attempting to decrypt data */
+	if(!krb_decrypt || length < 1){
+		return;
+	}
+
+	/* make sure we have all the data we need */
+	if (tvb_captured_length(pactvb) < tvb_reported_length(pactvb)) {
+		return;
+	}
+
+	pacbuffer = tvb_get_ptr(pactvb, 0, length);
+
+	ret = krb5_pac_parse(krb5_ctx, pacbuffer, length, &state.pac);
+	if (ret != 0) {
+		proto_tree_add_expert_format(tree, actx->pinfo, &ei_kerberos_decrypted_keytype,
+					     pactvb, 0, 0,
+					     "Failed to parse PAC buffer %d in frame %u",
+					     ret, actx->pinfo->fd->num);
+		return;
+	}
+
+	ret = krb5_pac_get_buffer(krb5_ctx, state.pac, KRB5_PAC_SERVER_CHECKSUM,
+				  &checksum_data);
+	if (ret == 0) {
+		state.server_checksum = pletoh32(checksum_data.data);
+		krb5_free_data_contents(krb5_ctx, &checksum_data);
+	};
+	ret = krb5_pac_get_buffer(krb5_ctx, state.pac, KRB5_PAC_PRIVSVR_CHECKSUM,
+				  &checksum_data);
+	if (ret == 0) {
+		state.kdc_checksum = pletoh32(checksum_data.data);
+		krb5_free_data_contents(krb5_ctx, &checksum_data);
+	};
+	ret = krb5_pac_get_buffer(krb5_ctx, state.pac,
+				  __KRB5_PAC_TICKET_CHECKSUM,
+				  &ticket_checksum_data);
+	if (ret == 0) {
+		state.ticket_checksum_data = &ticket_checksum_data;
+		state.ticket_checksum_type = pletoh32(ticket_checksum_data.data);
+	};
+
+	read_keytab_file_from_preferences();
+
+	wmem_map_foreach(kerberos_all_keys,
+			 verify_krb5_pac_try_server_key,
+			 &state);
+	if (state.server_ek != NULL) {
+		used_signing_key(tree, actx->pinfo, private_data,
+				 state.server_ek, pactvb,
+				 state.server_checksum, "Verified Server",
+				 "all_keys",
+				 wmem_map_size(kerberos_all_keys),
+				 state.server_count);
+	} else {
+		int keytype = keytype_for_cksumtype(state.server_checksum);
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state.server_checksum, keytype,
+				    "Missing Server",
+				    "all_keys",
+				    wmem_map_size(kerberos_all_keys),
+				    state.server_count);
+	}
+	wmem_map_foreach(kerberos_longterm_keys,
+			 verify_krb5_pac_try_kdc_key,
+			 &state);
+	if (state.kdc_ek != NULL) {
+		used_signing_key(tree, actx->pinfo, private_data,
+				 state.kdc_ek, pactvb,
+				 state.kdc_checksum, "Verified KDC",
+				 "longterm_keys",
+				 wmem_map_size(kerberos_longterm_keys),
+				 state.kdc_count);
+	} else {
+		int keytype = keytype_for_cksumtype(state.kdc_checksum);
+		missing_signing_key(tree, actx->pinfo, private_data,
+				    pactvb, state.kdc_checksum, keytype,
+				    "Missing KDC",
+				    "longterm_keys",
+				    wmem_map_size(kerberos_longterm_keys),
+				    state.kdc_count);
+	}
+
+	if (state.ticket_checksum_type != 0) {
+		verify_krb5_pac_ticket_checksum(tree, actx, pactvb, &state);
+	}
+
+	if (state.ticket_checksum_data != NULL) {
+		krb5_free_data_contents(krb5_ctx, &ticket_checksum_data);
+	}
+
+	krb5_pac_free(krb5_ctx, state.pac);
+}
+#endif /* HAVE_KRB5_PAC_VERIFY */
+
+#elif defined(HAVE_HEIMDAL_KERBEROS)
+static krb5_context krb5_ctx;
+
+USES_APPLE_DEPRECATED_API
+
+static void
+krb5_fast_key(asn1_ctx_t *actx _U_, proto_tree *tree _U_, tvbuff_t *tvb _U_,
+	      enc_key_t *ek1 _U_, const char *p1 _U_,
+	      enc_key_t *ek2 _U_, const char *p2 _U_,
+	      const char *origin _U_)
+{
+/* TODO: use krb5_crypto_fx_cf2() from Heimdal */
+}
+void
+read_keytab_file(const char *filename)
+{
+	krb5_keytab keytab;
+	krb5_error_code ret;
+	krb5_keytab_entry key;
+	krb5_kt_cursor cursor;
+	enc_key_t *new_key;
+	static gboolean first_time=TRUE;
+
+	if (filename == NULL || filename[0] == 0) {
+		return;
+	}
+
+	if(first_time){
+		first_time=FALSE;
+		ret = krb5_init_context(&krb5_ctx);
+		if(ret){
+			return;
+		}
+	}
+
+	/* should use a file in the wireshark users dir */
+	ret = krb5_kt_resolve(krb5_ctx, filename, &keytab);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Could not open keytab file :%s\n",filename);
+
+		return;
+	}
+
+	ret = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Could not read from keytab file :%s\n",filename);
+		return;
+	}
+
+	do{
+		ret = krb5_kt_next_entry(krb5_ctx, keytab, &key, &cursor);
+		if(ret==0){
+			unsigned int i;
+			char *pos;
+
+			new_key = wmem_new0(wmem_epan_scope(), enc_key_t);
+			new_key->fd_num = -1;
+			new_key->id = ++kerberos_longterm_ids;
+			snprintf(new_key->id_str, KRB_MAX_ID_STR_LEN, "keytab.%u", new_key->id);
+			new_key->next = enc_key_list;
+
+			/* generate origin string, describing where this key came from */
+			pos=new_key->key_origin;
+			pos+=MIN(KRB_MAX_ORIG_LEN,
+					 snprintf(pos, KRB_MAX_ORIG_LEN, "keytab principal "));
+			for(i=0;i<key.principal->name.name_string.len;i++){
+				pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+						 snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "%s%s",(i?"/":""),key.principal->name.name_string.val[i]));
+			}
+			pos+=MIN(KRB_MAX_ORIG_LEN-(pos-new_key->key_origin),
+					 snprintf(pos, KRB_MAX_ORIG_LEN-(pos-new_key->key_origin), "@%s",key.principal->realm));
+			*pos=0;
+			new_key->keytype=key.keyblock.keytype;
+			new_key->keylength=(int)key.keyblock.keyvalue.length;
+			memcpy(new_key->keyvalue,
+			       key.keyblock.keyvalue.data,
+			       MIN((guint)key.keyblock.keyvalue.length, KRB_MAX_KEY_LENGTH));
+
+			enc_key_list=new_key;
+			ret = krb5_kt_free_entry(krb5_ctx, &key);
+			if (ret) {
+				fprintf(stderr, "KERBEROS ERROR: Could not release the entry: %d", ret);
+				ret = 0; /* try to continue with the next entry */
+			}
+			kerberos_key_map_insert(kerberos_longterm_keys, new_key);
+		}
+	}while(ret==0);
+
+	ret = krb5_kt_end_seq_get(krb5_ctx, keytab, &cursor);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Could not release the keytab cursor: %d", ret);
+	}
+	ret = krb5_kt_close(krb5_ctx, keytab);
+	if(ret){
+		fprintf(stderr, "KERBEROS ERROR: Could not close the key table handle: %d", ret);
+	}
+
+}
+USES_APPLE_RST
+
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
+					int usage,
+					tvbuff_t *cryptotvb,
+					int keytype,
+					int *datalen)
+{
+	kerberos_private_data_t *zero_private = kerberos_new_private_data(pinfo);
+	krb5_error_code ret;
+	krb5_data data;
+	enc_key_t *ek;
+	int length = tvb_captured_length(cryptotvb);
+	const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
+
+	/* don't do anything if we are not attempting to decrypt data */
+	if(!krb_decrypt){
+		return NULL;
+	}
+
+	/* make sure we have all the data we need */
+	if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
+		return NULL;
+	}
+
+	read_keytab_file_from_preferences();
+
+	for(ek=enc_key_list;ek;ek=ek->next){
+		krb5_keytab_entry key;
+		krb5_crypto crypto;
+		guint8 *cryptocopy; /* workaround for pre-0.6.1 heimdal bug */
+
+		/* shortcircuit and bail out if enctypes are not matching */
+		if((keytype != -1) && (ek->keytype != keytype)) {
+			continue;
+		}
+
+		key.keyblock.keytype=ek->keytype;
+		key.keyblock.keyvalue.length=ek->keylength;
+		key.keyblock.keyvalue.data=ek->keyvalue;
+		ret = krb5_crypto_init(krb5_ctx, &(key.keyblock), (krb5_enctype)ENCTYPE_NULL, &crypto);
+		if(ret){
+			return NULL;
+		}
+
+		/* pre-0.6.1 versions of Heimdal would sometimes change
+		   the cryptotext data even when the decryption failed.
+		   This would obviously not work since we iterate over the
+		   keys. So just give it a copy of the crypto data instead.
+		   This has been seen for RC4-HMAC blobs.
+		*/
+		cryptocopy = (guint8 *)wmem_memdup(pinfo->pool, cryptotext, length);
+		ret = krb5_decrypt_ivec(krb5_ctx, crypto, usage,
+								cryptocopy, length,
+								&data,
+								NULL);
+		if((ret == 0) && (length>0)){
+			char *user_data;
+
+			used_encryption_key(tree, pinfo, zero_private,
+					    ek, usage, cryptotvb,
+					    "enc_key_list", 0, 0);
+
+			krb5_crypto_destroy(krb5_ctx, crypto);
+			/* return a private wmem_alloced blob to the caller */
+			user_data = (char *)wmem_memdup(pinfo->pool, data.data, (guint)data.length);
+			if (datalen) {
+				*datalen = (int)data.length;
+			}
+			return user_data;
+		}
+		krb5_crypto_destroy(krb5_ctx, crypto);
+	}
+	return NULL;
+}
+
+#define NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP 1
+
+#elif defined (HAVE_LIBNETTLE)
+
+#define SERVICE_KEY_SIZE (DES3_KEY_SIZE + 2)
+#define KEYTYPE_DES3_CBC_MD5 5	/* Currently the only one supported */
+
+typedef struct _service_key_t {
+	guint16 kvno;
+	int     keytype;
+	int     length;
+	guint8 *contents;
+	char    origin[KRB_MAX_ORIG_LEN+1];
+} service_key_t;
+GSList *service_key_list = NULL;
+
+
+static void
+add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *keyvalue, const char *origin)
+{
+	service_key_t *new_key;
+
+	if(pinfo->fd->visited){
+		return;
+	}
+
+	new_key = g_malloc(sizeof(service_key_t));
+	new_key->kvno = 0;
+	new_key->keytype = keytype;
+	new_key->length = keylength;
+	new_key->contents = g_memdup2(keyvalue, keylength);
+	snprintf(new_key->origin, KRB_MAX_ORIG_LEN, "%s learnt from frame %u", origin, pinfo->num);
+	service_key_list = g_slist_append(service_key_list, (gpointer) new_key);
+}
+
+static void
+save_encryption_key(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
+		    asn1_ctx_t *actx _U_, proto_tree *tree _U_,
+		    int parent_hf_index _U_,
+		    int hf_index _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	const char *parent = proto_registrar_get_name(parent_hf_index);
+	const char *element = proto_registrar_get_name(hf_index);
+	char origin[KRB_MAX_ORIG_LEN] = { 0, };
+
+	snprintf(origin, KRB_MAX_ORIG_LEN, "%s_%s", parent, element);
+
+	add_encryption_key(actx->pinfo,
+			   private_data->key.keytype,
+			   private_data->key.keylength,
+			   private_data->key.keyvalue,
+			   origin);
+}
+
+static void
+save_Authenticator_subkey(tvbuff_t *tvb, int offset, int length,
+			  asn1_ctx_t *actx, proto_tree *tree,
+			  int parent_hf_index,
+			  int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_EncAPRepPart_subkey(tvbuff_t *tvb, int offset, int length,
+			 asn1_ctx_t *actx, proto_tree *tree,
+			 int parent_hf_index,
+			 int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_EncKDCRepPart_key(tvbuff_t *tvb, int offset, int length,
+		       asn1_ctx_t *actx, proto_tree *tree,
+		       int parent_hf_index,
+		       int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_EncTicketPart_key(tvbuff_t *tvb, int offset, int length,
+		       asn1_ctx_t *actx, proto_tree *tree,
+		       int parent_hf_index,
+		       int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_KrbCredInfo_key(tvbuff_t *tvb, int offset, int length,
+		     asn1_ctx_t *actx, proto_tree *tree,
+		     int parent_hf_index,
+		     int hf_index)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, parent_hf_index, hf_index);
+}
+
+static void
+save_KrbFastResponse_strengthen_key(tvbuff_t *tvb _U_, int offset _U_, int length _U_,
+				    asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+	save_encryption_key(tvb, offset, length, actx, tree, hf_index);
+}
+
+static void
+clear_keytab(void) {
+	GSList *ske;
+	service_key_t *sk;
+
+	for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+		sk = (service_key_t *) ske->data;
+		if (sk) {
+			g_free(sk->contents);
+			g_free(sk);
+		}
+	}
+	g_slist_free(service_key_list);
+	service_key_list = NULL;
+}
+
+static void
+read_keytab_file(const char *service_key_file)
+{
+	FILE *skf;
+	ws_statb64 st;
+	service_key_t *sk;
+	unsigned char buf[SERVICE_KEY_SIZE];
+	int newline_skip = 0, count = 0;
+
+	if (service_key_file != NULL && ws_stat64 (service_key_file, &st) == 0) {
+
+		/* The service key file contains raw 192-bit (24 byte) 3DES keys.
+		 * There can be zero, one (\n), or two (\r\n) characters between
+		 * keys.  Trailing characters are ignored.
+		 */
+
+		/* XXX We should support the standard keytab format instead */
+		if (st.st_size > SERVICE_KEY_SIZE) {
+			if ( (st.st_size % (SERVICE_KEY_SIZE + 1) == 0) ||
+				 (st.st_size % (SERVICE_KEY_SIZE + 1) == SERVICE_KEY_SIZE) ) {
+				newline_skip = 1;
+			} else if ( (st.st_size % (SERVICE_KEY_SIZE + 2) == 0) ||
+				 (st.st_size % (SERVICE_KEY_SIZE + 2) == SERVICE_KEY_SIZE) ) {
+				newline_skip = 2;
+			}
+		}
+
+		skf = ws_fopen(service_key_file, "rb");
+		if (! skf) return;
+
+		while (fread(buf, SERVICE_KEY_SIZE, 1, skf) == 1) {
+			sk = g_malloc(sizeof(service_key_t));
+			sk->kvno = buf[0] << 8 | buf[1];
+			sk->keytype = KEYTYPE_DES3_CBC_MD5;
+			sk->length = DES3_KEY_SIZE;
+			sk->contents = g_memdup2(buf + 2, DES3_KEY_SIZE);
+			snprintf(sk->origin, KRB_MAX_ORIG_LEN, "3DES service key file, key #%d, offset %ld", count, ftell(skf));
+			service_key_list = g_slist_append(service_key_list, (gpointer) sk);
+			if (fseek(skf, newline_skip, SEEK_CUR) < 0) {
+				fprintf(stderr, "unable to seek...\n");
+				fclose(skf);
+				return;
+			}
+			count++;
+		}
+		fclose(skf);
+	}
+}
+
+#define CONFOUNDER_PLUS_CHECKSUM 24
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+					int _U_ usage,
+					tvbuff_t *cryptotvb,
+					int keytype,
+					int *datalen)
+{
+	tvbuff_t *encr_tvb;
+	guint8 *decrypted_data = NULL, *plaintext = NULL;
+	guint8 cls;
+	bool pc;
+	guint32 tag, item_len, data_len;
+	int id_offset, offset;
+	guint8 key[DES3_KEY_SIZE];
+	guint8 initial_vector[DES_BLOCK_SIZE];
+	gcry_md_hd_t md5_handle;
+	guint8 *digest;
+	guint8 zero_fill[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+	guint8 confounder[8];
+	bool ind;
+	GSList *ske;
+	service_key_t *sk;
+	struct des3_ctx ctx;
+	int length = tvb_captured_length(cryptotvb);
+	const guint8 *cryptotext = tvb_get_ptr(cryptotvb, 0, length);
+
+
+	/* don't do anything if we are not attempting to decrypt data */
+	if(!krb_decrypt){
+		return NULL;
+	}
+
+	/* make sure we have all the data we need */
+	if (tvb_captured_length(cryptotvb) < tvb_reported_length(cryptotvb)) {
+		return NULL;
+	}
+
+	if (keytype != KEYTYPE_DES3_CBC_MD5 || service_key_list == NULL) {
+		return NULL;
+	}
+
+	decrypted_data = wmem_alloc(pinfo->pool, length);
+	for(ske = service_key_list; ske != NULL; ske = g_slist_next(ske)){
+		gboolean do_continue = FALSE;
+		gboolean digest_ok;
+		sk = (service_key_t *) ske->data;
+
+		des_fix_parity(DES3_KEY_SIZE, key, sk->contents);
+
+		memset(initial_vector, 0, DES_BLOCK_SIZE);
+		des3_set_key(&ctx, key);
+		cbc_decrypt(&ctx, des3_decrypt, DES_BLOCK_SIZE, initial_vector,
+					length, decrypted_data, cryptotext);
+		encr_tvb = tvb_new_real_data(decrypted_data, length, length);
+
+		tvb_memcpy(encr_tvb, confounder, 0, 8);
+
+		/* We have to pull the decrypted data length from the decrypted
+		 * content.  If the key doesn't match or we otherwise get garbage,
+		 * an exception may get thrown while decoding the ASN.1 header.
+		 * Catch it, just in case.
+		 */
+		TRY {
+			id_offset = get_ber_identifier(encr_tvb, CONFOUNDER_PLUS_CHECKSUM, &cls, &pc, &tag);
+			offset = get_ber_length(encr_tvb, id_offset, &item_len, &ind);
+		}
+		CATCH_BOUNDS_ERRORS {
+			tvb_free(encr_tvb);
+			do_continue = TRUE;
+		}
+		ENDTRY;
+
+		if (do_continue) continue;
+
+		data_len = item_len + offset - CONFOUNDER_PLUS_CHECKSUM;
+		if ((int) item_len + offset > length) {
+			tvb_free(encr_tvb);
+			continue;
+		}
+
+		if (gcry_md_open(&md5_handle, GCRY_MD_MD5, 0)) {
+			return NULL;
+		}
+		gcry_md_write(md5_handle, confounder, 8);
+		gcry_md_write(md5_handle, zero_fill, 16);
+		gcry_md_write(md5_handle, decrypted_data + CONFOUNDER_PLUS_CHECKSUM, data_len);
+		digest = gcry_md_read(md5_handle, 0);
+
+		digest_ok = (tvb_memeql (encr_tvb, 8, digest, HASH_MD5_LENGTH) == 0);
+		gcry_md_close(md5_handle);
+		if (digest_ok) {
+			plaintext = (guint8* )tvb_memdup(pinfo->pool, encr_tvb, CONFOUNDER_PLUS_CHECKSUM, data_len);
+			tvb_free(encr_tvb);
+
+			if (datalen) {
+				*datalen = data_len;
+			}
+			return(plaintext);
+		}
+		tvb_free(encr_tvb);
+	}
+
+	return NULL;
+}
+
+#endif	/* HAVE_MIT_KERBEROS / HAVE_HEIMDAL_KERBEROS / HAVE_LIBNETTLE */
+
+#ifdef NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP
+tvbuff_t *
+decrypt_krb5_krb_cfx_dce(proto_tree *tree _U_,
+			 packet_info *pinfo _U_,
+			 int usage _U_,
+			 int keytype _U_,
+			 tvbuff_t *gssapi_header_tvb _U_,
+			 tvbuff_t *gssapi_encrypted_tvb _U_,
+			 tvbuff_t *gssapi_trailer_tvb _U_,
+			 tvbuff_t *checksum_tvb _U_)
+{
+	return NULL;
+}
+#endif /* NEED_DECRYPT_KRB5_KRB_CFX_DCE_NOOP */
+
+#define	INET6_ADDRLEN	16
+
+/* TCP Record Mark */
+#define	KRB_RM_RESERVED	0x80000000U
+#define	KRB_RM_RECLEN	0x7fffffffU
+
+#define KRB5_MSG_TICKET			1	/* Ticket */
+#define KRB5_MSG_AUTHENTICATOR		2	/* Authenticator */
+#define KRB5_MSG_ENC_TICKET_PART	3	/* EncTicketPart */
+#define KRB5_MSG_AS_REQ			10	/* AS-REQ type */
+#define KRB5_MSG_AS_REP			11	/* AS-REP type */
+#define KRB5_MSG_TGS_REQ		12	/* TGS-REQ type */
+#define KRB5_MSG_TGS_REP		13	/* TGS-REP type */
+#define KRB5_MSG_AP_REQ			14	/* AP-REQ type */
+#define KRB5_MSG_AP_REP			15	/* AP-REP type */
+#define KRB5_MSG_TGT_REQ		16	/* TGT-REQ type */
+#define KRB5_MSG_TGT_REP		17	/* TGT-REP type */
+
+#define KRB5_MSG_SAFE			20	/* KRB-SAFE type */
+#define KRB5_MSG_PRIV			21	/* KRB-PRIV type */
+#define KRB5_MSG_CRED			22	/* KRB-CRED type */
+#define KRB5_MSG_ENC_AS_REP_PART	25	/* EncASRepPart */
+#define KRB5_MSG_ENC_TGS_REP_PART	26	/* EncTGSRepPart */
+#define KRB5_MSG_ENC_AP_REP_PART	27	/* EncAPRepPart */
+#define KRB5_MSG_ENC_KRB_PRIV_PART	28	/* EncKrbPrivPart */
+#define KRB5_MSG_ENC_KRB_CRED_PART	29	/* EncKrbCredPart */
+#define KRB5_MSG_ERROR			30	/* KRB-ERROR type */
+
+#define KRB5_CHKSUM_GSSAPI		0x8003
+/*
+ * For KERB_ENCTYPE_RC4_HMAC and KERB_ENCTYPE_RC4_HMAC_EXP, see
+ *
+ *	https://tools.ietf.org/html/draft-brezak-win2k-krb-rc4-hmac-04
+ *
+ * unless it's expired.
+ */
+
+/* Principal name-type */
+#define KRB5_NT_UNKNOWN		0
+#define KRB5_NT_PRINCIPAL	1
+#define KRB5_NT_SRV_INST	2
+#define KRB5_NT_SRV_HST		3
+#define KRB5_NT_SRV_XHST	4
+#define KRB5_NT_UID		5
+#define KRB5_NT_X500_PRINCIPAL	6
+#define KRB5_NT_SMTP_NAME	7
+#define KRB5_NT_ENTERPRISE	10
+
+/*
+ * MS specific name types, from
+ *
+ *	http://msdn.microsoft.com/library/en-us/security/security/kerb_external_name.asp
+ */
+#define KRB5_NT_MS_PRINCIPAL		-128
+#define KRB5_NT_MS_PRINCIPAL_AND_SID	-129
+#define KRB5_NT_ENT_PRINCIPAL_AND_SID	-130
+#define KRB5_NT_PRINCIPAL_AND_SID 	-131
+#define KRB5_NT_SRV_INST_AND_SID	-132
+
+/* error table constants */
+/* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
+#define KRB5_ET_KRB5KDC_ERR_NONE			0
+#define KRB5_ET_KRB5KDC_ERR_NAME_EXP			1
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP			2
+#define KRB5_ET_KRB5KDC_ERR_BAD_PVNO			3
+#define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO		4
+#define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO		5
+#define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN		6
+#define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN		7
+#define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE	8
+#define KRB5_ET_KRB5KDC_ERR_NULL_KEY			9
+#define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE		10
+#define KRB5_ET_KRB5KDC_ERR_NEVER_VALID			11
+#define KRB5_ET_KRB5KDC_ERR_POLICY			12
+#define KRB5_ET_KRB5KDC_ERR_BADOPTION			13
+#define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP		14
+#define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP		15
+#define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP		16
+#define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP		17
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED		18
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED		19
+#define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED			20
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET		21
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET		22
+#define KRB5_ET_KRB5KDC_ERR_KEY_EXP			23
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED		24
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED		25
+#define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH		26
+#define KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER		27
+#define KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED		28
+#define KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE		29
+#define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY		31
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED		32
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV			33
+#define KRB5_ET_KRB5KRB_AP_ERR_REPEAT			34
+#define KRB5_ET_KRB5KRB_AP_ERR_NOT_US			35
+#define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH			36
+#define KRB5_ET_KRB5KRB_AP_ERR_SKEW			37
+#define KRB5_ET_KRB5KRB_AP_ERR_BADADDR			38
+#define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION		39
+#define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE			40
+#define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED			41
+#define KRB5_ET_KRB5KRB_AP_ERR_BADORDER			42
+#define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT		43
+#define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER		44
+#define KRB5_ET_KRB5KRB_AP_ERR_NOKEY			45
+#define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL			46
+#define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION		47
+#define KRB5_ET_KRB5KRB_AP_ERR_METHOD			48
+#define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ			49
+#define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM		50
+#define KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED		51
+#define KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG		52
+#define KRB5_ET_KRB5KRB_ERR_GENERIC			60
+#define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG		61
+#define KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED		62
+#define KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED		63
+#define KRB5_ET_KDC_ERROR_INVALID_SIG			64
+#define KRB5_ET_KDC_ERR_KEY_TOO_WEAK			65
+#define KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH		66
+#define KRB5_ET_KRB_AP_ERR_NO_TGT			67
+#define KRB5_ET_KDC_ERR_WRONG_REALM			68
+#define KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED	69
+#define KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE		70
+#define KRB5_ET_KDC_ERR_INVALID_CERTIFICATE		71
+#define KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE		72
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN	73
+#define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE	74
+#define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH		75
+#define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH		76
+#define KRB5_ET_KDC_ERR_PREAUTH_EXPIRED			90
+#define KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED	91
+#define KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET	92
+#define KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS	93
+
+static const value_string krb5_error_codes[] = {
+	{ KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
+	{ KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
+	{ KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
+	{ KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
+	{ KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
+	{ KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
+	{ KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
+	{ KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
+	{ KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
+	{ KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
+	{ KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
+	{ KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
+	{ KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
+	{ KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
+	{ KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
+	{ KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
+	{ KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
+	{ KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
+	{ KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
+	{ KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
+	{ KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
+	{ KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
+	{ KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
+	{ KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
+	{ KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
+	{ KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
+	{ KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
+	{ KRB5_ET_KRB5KDC_ERR_MUST_USE_USER2USER, "KRB5KDC_ERR_MUST_USE_USER2USER" },
+	{ KRB5_ET_KRB5KDC_ERR_PATH_NOT_ACCEPTED, "KRB5KDC_ERR_PATH_NOT_ACCEPTED" },
+	{ KRB5_ET_KRB5KDC_ERR_SVC_UNAVAILABLE, "KRB5KDC_ERR_SVC_UNAVAILABLE" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
+	{ KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
+	{ KRB5_ET_KRB5KDC_AP_PATH_NOT_ACCEPTED, "KRB5KDC_AP_PATH_NOT_ACCEPTED" },
+	{ KRB5_ET_KRB5KRB_ERR_RESPONSE_TOO_BIG, "KRB5KRB_ERR_RESPONSE_TOO_BIG"},
+	{ KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
+	{ KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
+	{ KRB5_ET_KDC_ERROR_CLIENT_NOT_TRUSTED, "KDC_ERROR_CLIENT_NOT_TRUSTED" },
+	{ KRB5_ET_KDC_ERROR_KDC_NOT_TRUSTED, "KDC_ERROR_KDC_NOT_TRUSTED" },
+	{ KRB5_ET_KDC_ERROR_INVALID_SIG, "KDC_ERROR_INVALID_SIG" },
+	{ KRB5_ET_KDC_ERR_KEY_TOO_WEAK, "KDC_ERR_KEY_TOO_WEAK" },
+	{ KRB5_ET_KDC_ERR_CERTIFICATE_MISMATCH, "KDC_ERR_CERTIFICATE_MISMATCH" },
+	{ KRB5_ET_KRB_AP_ERR_NO_TGT, "KRB_AP_ERR_NO_TGT" },
+	{ KRB5_ET_KDC_ERR_WRONG_REALM, "KDC_ERR_WRONG_REALM" },
+	{ KRB5_ET_KRB_AP_ERR_USER_TO_USER_REQUIRED, "KRB_AP_ERR_USER_TO_USER_REQUIRED" },
+	{ KRB5_ET_KDC_ERR_CANT_VERIFY_CERTIFICATE, "KDC_ERR_CANT_VERIFY_CERTIFICATE" },
+	{ KRB5_ET_KDC_ERR_INVALID_CERTIFICATE, "KDC_ERR_INVALID_CERTIFICATE" },
+	{ KRB5_ET_KDC_ERR_REVOKED_CERTIFICATE, "KDC_ERR_REVOKED_CERTIFICATE" },
+	{ KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNKNOWN, "KDC_ERR_REVOCATION_STATUS_UNKNOWN" },
+	{ KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
+	{ KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
+	{ KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
+	{ KRB5_ET_KDC_ERR_PREAUTH_EXPIRED, "KDC_ERR_PREAUTH_EXPIRED" },
+	{ KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "KDC_ERR_MORE_PREAUTH_DATA_REQUIRED" },
+	{ KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET, "KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET" },
+	{ KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, "KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS" },
+	{ 0, NULL }
+};
+
+
+#define PAC_LOGON_INFO		1
+#define PAC_CREDENTIAL_TYPE	2
+#define PAC_SERVER_CHECKSUM	6
+#define PAC_PRIVSVR_CHECKSUM	7
+#define PAC_CLIENT_INFO_TYPE	10
+#define PAC_S4U_DELEGATION_INFO	11
+#define PAC_UPN_DNS_INFO	12
+#define PAC_CLIENT_CLAIMS_INFO	13
+#define PAC_DEVICE_INFO		14
+#define PAC_DEVICE_CLAIMS_INFO	15
+#define PAC_TICKET_CHECKSUM	16
+#define PAC_ATTRIBUTES_INFO	17
+#define PAC_REQUESTER_SID	18
+static const value_string w2k_pac_types[] = {
+	{ PAC_LOGON_INFO		, "Logon Info" },
+	{ PAC_CREDENTIAL_TYPE		, "Credential Type" },
+	{ PAC_SERVER_CHECKSUM		, "Server Checksum" },
+	{ PAC_PRIVSVR_CHECKSUM		, "Privsvr Checksum" },
+	{ PAC_CLIENT_INFO_TYPE		, "Client Info Type" },
+	{ PAC_S4U_DELEGATION_INFO	, "S4U Delegation Info" },
+	{ PAC_UPN_DNS_INFO		, "UPN DNS Info" },
+	{ PAC_CLIENT_CLAIMS_INFO	, "Client Claims Info" },
+	{ PAC_DEVICE_INFO		, "Device Info" },
+	{ PAC_DEVICE_CLAIMS_INFO	, "Device Claims Info" },
+	{ PAC_TICKET_CHECKSUM		, "Ticket Checksum" },
+	{ PAC_ATTRIBUTES_INFO		, "Attributes Info" },
+	{ PAC_REQUESTER_SID		, "Requester Sid" },
+	{ 0, NULL },
+};
+
+static const value_string krb5_msg_types[] = {
+	{ KRB5_MSG_TICKET,		"Ticket" },
+	{ KRB5_MSG_AUTHENTICATOR,	"Authenticator" },
+	{ KRB5_MSG_ENC_TICKET_PART,	"EncTicketPart" },
+	{ KRB5_MSG_TGS_REQ,		"TGS-REQ" },
+	{ KRB5_MSG_TGS_REP,		"TGS-REP" },
+	{ KRB5_MSG_AS_REQ,		"AS-REQ" },
+	{ KRB5_MSG_AS_REP,		"AS-REP" },
+	{ KRB5_MSG_AP_REQ,		"AP-REQ" },
+	{ KRB5_MSG_AP_REP,		"AP-REP" },
+	{ KRB5_MSG_TGT_REQ,		"TGT-REQ" },
+	{ KRB5_MSG_TGT_REP,		"TGT-REP" },
+	{ KRB5_MSG_SAFE,		"KRB-SAFE" },
+	{ KRB5_MSG_PRIV,		"KRB-PRIV" },
+	{ KRB5_MSG_CRED,		"KRB-CRED" },
+	{ KRB5_MSG_ENC_AS_REP_PART,	"EncASRepPart" },
+	{ KRB5_MSG_ENC_TGS_REP_PART,	"EncTGSRepPart" },
+	{ KRB5_MSG_ENC_AP_REP_PART,	"EncAPRepPart" },
+	{ KRB5_MSG_ENC_KRB_PRIV_PART,	"EncKrbPrivPart" },
+	{ KRB5_MSG_ENC_KRB_CRED_PART,	"EncKrbCredPart" },
+	{ KRB5_MSG_ERROR,		"KRB-ERROR" },
+	{ 0, NULL },
+};
+
+#define KRB5_GSS_C_DELEG_FLAG             0x01
+#define KRB5_GSS_C_MUTUAL_FLAG            0x02
+#define KRB5_GSS_C_REPLAY_FLAG            0x04
+#define KRB5_GSS_C_SEQUENCE_FLAG          0x08
+#define KRB5_GSS_C_CONF_FLAG              0x10
+#define KRB5_GSS_C_INTEG_FLAG             0x20
+#define KRB5_GSS_C_DCE_STYLE            0x1000
+
+static const true_false_string tfs_gss_flags_deleg = {
+	"Delegate credentials to remote peer",
+	"Do NOT delegate"
+};
+static const true_false_string tfs_gss_flags_mutual = {
+	"Request that remote peer authenticates itself",
+	"Mutual authentication NOT required"
+};
+static const true_false_string tfs_gss_flags_replay = {
+	"Enable replay protection for signed or sealed messages",
+	"Do NOT enable replay protection"
+};
+static const true_false_string tfs_gss_flags_sequence = {
+	"Enable Out-of-sequence detection for sign or sealed messages",
+	"Do NOT enable out-of-sequence detection"
+};
+static const true_false_string tfs_gss_flags_conf = {
+	"Confidentiality (sealing) may be invoked",
+	"Do NOT use Confidentiality (sealing)"
+};
+static const true_false_string tfs_gss_flags_integ = {
+	"Integrity protection (signing) may be invoked",
+	"Do NOT use integrity protection"
+};
+
+static const true_false_string tfs_gss_flags_dce_style = {
+	"DCE-STYLE",
+	"Not using DCE-STYLE"
+};
+
+#ifdef HAVE_KERBEROS
+static guint8 *
+decrypt_krb5_data_asn1(proto_tree *tree, asn1_ctx_t *actx,
+		       int usage, tvbuff_t *cryptotvb, int *datalen)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+#ifdef HAVE_DECRYPT_KRB5_DATA_PRIVATE
+	return decrypt_krb5_data_private(tree, actx->pinfo, private_data,
+					 usage, cryptotvb,
+					 private_data->etype,
+					 datalen);
+#else
+	return decrypt_krb5_data(tree, actx->pinfo, usage, cryptotvb,
+				 private_data->etype, datalen);
+#endif
+}
+
+static int
+dissect_krb5_decrypt_ticket_data (bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+									proto_tree *tree, int hf_index _U_)
+{
+	guint8 *plaintext;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+	 * 7.5.1
+	 * All Ticket encrypted parts use usage == 2
+	 */
+	plaintext=decrypt_krb5_data_asn1(tree, actx, 2, next_tvb, &length);
+
+	if(plaintext){
+		kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+		tvbuff_t *last_ticket_enc_part_tvb = private_data->last_ticket_enc_part_tvb;
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 Ticket");
+
+		private_data->last_ticket_enc_part_tvb = child_tvb;
+		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+		private_data->last_ticket_enc_part_tvb = last_ticket_enc_part_tvb;
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_authenticator_data (bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+											proto_tree *tree, int hf_index _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	guint8 *plaintext;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+	 * 7.5.1
+	 * Authenticators are encrypted with usage
+	 * == 7 or
+	 * == 11
+	 *
+	 * 7.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator
+	 *     (includes TGS authenticator subkey), encrypted with the
+	 *     TGS session key (section 5.5.1)
+	 * 11. AP-REQ Authenticator (includes application
+	 *     authenticator subkey), encrypted with the application
+	 *     session key (section 5.5.1)
+	 */
+	if (private_data->within_PA_TGS_REQ > 0) {
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 7, next_tvb, &length);
+	} else {
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 11, next_tvb, &length);
+	}
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 Authenticator");
+
+		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_authorization_data(bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+					proto_tree *tree, int hf_index _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	guint8 *plaintext;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+	 * 7.5.1
+	 * Authenticators are encrypted with usage
+	 * == 5 or
+	 * == 4
+	 *
+	 * 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS session key (section 5.4.1)
+	 * 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+	 *    the TGS authenticator subkey (section 5.4.1)
+	 */
+	if (private_data->PA_TGS_REQ_subkey != NULL) {
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 5, next_tvb, &length);
+	} else {
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 4, next_tvb, &length);
+	}
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 AuthorizationData");
+
+		offset=dissect_kerberos_AuthorizationData(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_KDC_REP_data (bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+									proto_tree *tree, int hf_index _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	guint8 *plaintext = NULL;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+	 * 7.5.1
+	 * ASREP/TGSREP encryptedparts are encrypted with usage
+	 * == 3 or
+	 * == 8 or
+	 * == 9
+	 *
+	 * 3. AS-REP encrypted part (includes TGS session key or
+	 *    application session key), encrypted with the client key
+	 *    (section 5.4.2)
+	 *
+	 * 8. TGS-REP encrypted part (includes application session
+	 *    key), encrypted with the TGS session key (section
+	 *    5.4.2)
+	 * 9. TGS-REP encrypted part (includes application session
+	 *    key), encrypted with the TGS authenticator subkey
+	 *    (section 5.4.2)
+	 *
+	 * We currently don't have a way to find the TGS-REQ state
+	 * in order to check if an authenticator subkey was used.
+	 *
+	 * But if we client used FAST and we got a strengthen_key,
+	 * we're sure an authenticator subkey was used.
+	 *
+	 * Windows don't use an authenticator subkey without FAST,
+	 * but heimdal does.
+	 *
+	 * For now try 8 before 9 in order to avoid overhead and false
+	 * positives for the 'kerberos.missing_keytype' filter in pure
+	 * windows captures.
+	 */
+	switch (private_data->msg_type) {
+	case KERBEROS_APPLICATIONS_AS_REP:
+		plaintext=decrypt_krb5_data_asn1(tree, actx, 3, next_tvb, &length);
+		break;
+	case KERBEROS_APPLICATIONS_TGS_REP:
+		if (private_data->fast_strengthen_key != NULL) {
+			plaintext=decrypt_krb5_data_asn1(tree, actx, 9, next_tvb, &length);
+		} else {
+			plaintext=decrypt_krb5_data_asn1(tree, actx, 8, next_tvb, &length);
+			if(!plaintext){
+				plaintext=decrypt_krb5_data_asn1(tree, actx, 9, next_tvb, &length);
+			}
+		}
+		break;
+	}
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 KDC-REP");
+
+		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_PA_ENC_TIMESTAMP (bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+										proto_tree *tree, int hf_index _U_)
+{
+	guint8 *plaintext;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+	 * 7.5.1
+	 * AS-REQ PA_ENC_TIMESTAMP are encrypted with usage
+	 * == 1
+	 */
+	plaintext=decrypt_krb5_data_asn1(tree, actx, 1, next_tvb, &length);
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 EncTimestamp");
+
+		offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_AP_REP_data (bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+									proto_tree *tree, int hf_index _U_)
+{
+	guint8 *plaintext;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+	 * 7.5.1
+	 * AP-REP are encrypted with usage == 12
+	 */
+	plaintext=decrypt_krb5_data_asn1(tree, actx, 12, next_tvb, &length);
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 AP-REP");
+
+		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_PRIV_data (bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+									proto_tree *tree, int hf_index _U_)
+{
+	guint8 *plaintext;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* RFC4120 :
+	 * EncKrbPrivPart encrypted with usage
+	 * == 13
+	 */
+	plaintext=decrypt_krb5_data_asn1(tree, actx, 13, next_tvb, &length);
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 PRIV");
+
+		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_CRED_data (bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+									proto_tree *tree, int hf_index _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	guint8 *plaintext;
+	int length;
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	if (private_data->etype == 0) {
+		offset=dissect_kerberos_Applications(FALSE, next_tvb, 0, actx , tree, /* hf_index*/ -1);
+		return offset;
+	}
+
+	/* RFC4120 :
+	 * EncKrbCredPart encrypted with usage
+	 * == 14
+	 */
+	plaintext=decrypt_krb5_data_asn1(tree, actx, 14, next_tvb, &length);
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 CRED");
+
+		offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_KrbFastReq(bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+				proto_tree *tree, int hf_index _U_)
+{
+	guint8 *plaintext;
+	int length;
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	private_data->fast_armor_key = NULL;
+	if (private_data->PA_FAST_ARMOR_AP_subkey != NULL) {
+		krb5_fast_key(actx, tree, tvb,
+			      private_data->PA_FAST_ARMOR_AP_subkey,
+			      "subkeyarmor",
+			      private_data->PA_FAST_ARMOR_AP_key,
+			      "ticketarmor",
+			      "KrbFastReq_FAST_armorKey");
+		if (private_data->PA_TGS_REQ_subkey != NULL) {
+			enc_key_t *explicit_armor_key = private_data->last_added_key;
+
+			/*
+			 * See [MS-KILE] 3.3.5.7.4 Compound Identity
+			 */
+			krb5_fast_key(actx, tree, tvb,
+				      explicit_armor_key,
+				      "explicitarmor",
+				      private_data->PA_TGS_REQ_subkey,
+				      "tgsarmor",
+				      "KrbFastReq_explicitArmorKey");
+		}
+		private_data->fast_armor_key = private_data->last_added_key;
+	} else if (private_data->PA_TGS_REQ_subkey != NULL) {
+		krb5_fast_key(actx, tree, tvb,
+			      private_data->PA_TGS_REQ_subkey,
+			      "subkeyarmor",
+			      private_data->PA_TGS_REQ_key,
+			      "ticketarmor",
+			      "KrbFastReq_TGS_armorKey");
+		private_data->fast_armor_key = private_data->last_added_key;
+	}
+
+	/* RFC6113 :
+	 * KrbFastResponse encrypted with usage
+	 * KEY_USAGE_FAST_ENC 51
+	 */
+	plaintext=decrypt_krb5_data_asn1(tree, actx, KEY_USAGE_FAST_ENC,
+					 next_tvb, &length);
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 FastReq");
+
+		offset=dissect_kerberos_KrbFastReq(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_KrbFastResponse(bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+				     proto_tree *tree, int hf_index _U_)
+{
+	guint8 *plaintext;
+	int length;
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	tvbuff_t *next_tvb;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/*
+	 * RFC6113 :
+	 * KrbFastResponse encrypted with usage
+	 * KEY_USAGE_FAST_REP 52
+	 */
+	plaintext=decrypt_krb5_data_asn1(tree, actx, KEY_USAGE_FAST_REP,
+					 next_tvb, &length);
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 FastRep");
+
+		private_data->fast_armor_key = private_data->last_decryption_key;
+		offset=dissect_kerberos_KrbFastResponse(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_decrypt_EncryptedChallenge(bool imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+					proto_tree *tree, int hf_index _U_)
+{
+	guint8 *plaintext;
+	int length;
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	tvbuff_t *next_tvb;
+	int usage = 0;
+	const char *name = NULL;
+
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	/* RFC6113 :
+	 * KEY_USAGE_ENC_CHALLENGE_CLIENT  54
+	 * KEY_USAGE_ENC_CHALLENGE_KDC     55
+	 */
+	if (kerberos_private_is_kdc_req(private_data)) {
+		usage = KEY_USAGE_ENC_CHALLENGE_CLIENT;
+		name = "Krb5 CHALLENGE_CLIENT";
+	} else {
+		usage = KEY_USAGE_ENC_CHALLENGE_KDC;
+		name = "Krb5 CHALLENGE_KDC";
+	}
+	plaintext=decrypt_krb5_data_asn1(tree, actx, usage, next_tvb, &length);
+
+	if(plaintext){
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, name);
+
+		offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+	}
+	return offset;
+}
+#endif /* HAVE_KERBEROS */
+
+static int * const hf_krb_pa_supported_enctypes_fields[] = {
+	&hf_krb_pa_supported_enctypes_des_cbc_crc,
+	&hf_krb_pa_supported_enctypes_des_cbc_md5,
+	&hf_krb_pa_supported_enctypes_rc4_hmac,
+	&hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
+	&hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
+	&hf_krb_pa_supported_enctypes_fast_supported,
+	&hf_krb_pa_supported_enctypes_compound_identity_supported,
+	&hf_krb_pa_supported_enctypes_claims_supported,
+	&hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
+	NULL,
+};
+
+static int
+dissect_kerberos_PA_SUPPORTED_ENCTYPES(bool implicit_tag _U_, tvbuff_t *tvb _U_,
+				       int offset _U_, asn1_ctx_t *actx _U_,
+				       proto_tree *tree _U_, int hf_index _U_)
+{
+	actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
+						    hf_krb_pa_supported_enctypes,
+						    ett_krb_pa_supported_enctypes,
+						    hf_krb_pa_supported_enctypes_fields,
+						    ENC_LITTLE_ENDIAN);
+	offset += 4;
+
+	return offset;
+}
+
+static int * const hf_krb_ad_ap_options_fields[] = {
+	&hf_krb_ad_ap_options_cbt,
+	NULL,
+};
+
+
+static int
+dissect_kerberos_AD_AP_OPTIONS(bool implicit_tag _U_, tvbuff_t *tvb _U_,
+			       int offset _U_, asn1_ctx_t *actx _U_,
+			       proto_tree *tree _U_, int hf_index _U_)
+{
+	actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
+						    hf_krb_ad_ap_options,
+						    ett_krb_ad_ap_options,
+						    hf_krb_ad_ap_options_fields,
+						    ENC_LITTLE_ENDIAN);
+	offset += 4;
+
+	return offset;
+}
+
+static int
+dissect_kerberos_AD_TARGET_PRINCIPAL(bool implicit_tag _U_, tvbuff_t *tvb _U_,
+				     int offset _U_, asn1_ctx_t *actx _U_,
+				     proto_tree *tree _U_, int hf_index _U_)
+{
+	int tp_offset, tp_len;
+	guint16 bc;
+
+	bc = tvb_reported_length_remaining(tvb, offset);
+	tp_offset = offset;
+	tp_len = bc;
+	proto_tree_add_item(tree, hf_krb_ad_target_principal, tvb,
+			    tp_offset, tp_len,
+			    ENC_UTF_16 | ENC_LITTLE_ENDIAN);
+
+	return offset;
+}
+
+/* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
+ */
+static int
+dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb)
+{
+	int offset=0;
+	guint32 len;
+	guint16 dlglen;
+
+	/* Length of Bnd field */
+	len=tvb_get_letohl(tvb, offset);
+	proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset += 4;
+
+	/* Bnd field */
+	proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA);
+	offset += len;
+
+
+	/* flags */
+	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset += 4;
+
+	/* the next fields are optional so we have to check that we have
+	 * more data in our buffers */
+	if(tvb_reported_length_remaining(tvb, offset)<2){
+		return offset;
+	}
+	/* dlgopt identifier */
+	proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+	offset += 2;
+
+	if(tvb_reported_length_remaining(tvb, offset)<2){
+		return offset;
+	}
+	/* dlglen identifier */
+	dlglen=tvb_get_letohs(tvb, offset);
+	proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+	offset += 2;
+
+	if(dlglen!=tvb_reported_length_remaining(tvb, offset)){
+		proto_tree_add_expert_format(tree, actx->pinfo, &ei_krb_gssapi_dlglen, tvb, 0, 0,
+				"Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_captured_length_remaining(tvb, offset));
+		return offset;
+	}
+
+	/* this should now be a KRB_CRED message */
+	offset=dissect_kerberos_Applications(FALSE, tvb, offset, actx, tree, /* hf_index */ -1);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PA_PROV_SRV_LOCATION(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+	offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PW_SALT(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+	kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+	gint length;
+	guint32 nt_status = 0;
+	guint32 reserved = 0;
+	guint32 flags = 0;
+
+	/*
+	 * Microsoft stores a special 12 byte blob here
+	 * [MS-KILE] 2.2.1 KERB-EXT-ERROR
+	 * guint32 NT_status
+	 * guint32 reserved (== 0)
+	 * guint32 flags (at least 0x00000001 is set)
+	 */
+	length = tvb_reported_length_remaining(tvb, offset);
+	if (length <= 0) {
+		return offset;
+	}
+	if (length != 12) {
+		goto no_error;
+	}
+
+	if (private_data->errorcode == 0) {
+		goto no_error;
+	}
+
+	if (!private_data->try_nt_status) {
+		goto no_error;
+	}
+
+	nt_status = tvb_get_letohl(tvb, offset);
+	reserved = tvb_get_letohl(tvb, offset + 4);
+	flags = tvb_get_letohl(tvb, offset + 8);
+
+	if (nt_status == 0 || reserved != 0 || flags == 0) {
+		goto no_error;
+	}
+
+	proto_tree_add_item(tree, hf_krb_ext_error_nt_status, tvb, offset, 4,
+			ENC_LITTLE_ENDIAN);
+	col_append_fstr(actx->pinfo->cinfo, COL_INFO,
+			" NT Status: %s",
+			val_to_str(nt_status, NT_errors,
+			"Unknown error code %#x"));
+	offset += 4;
+
+	proto_tree_add_item(tree, hf_krb_ext_error_reserved, tvb, offset, 4,
+			ENC_LITTLE_ENDIAN);
+	offset += 4;
+
+	proto_tree_add_item(tree, hf_krb_ext_error_flags, tvb, offset, 4,
+			ENC_LITTLE_ENDIAN);
+	offset += 4;
+
+	return offset;
+
+ no_error:
+	proto_tree_add_item(tree, hf_krb_pw_salt, tvb, offset, length, ENC_NA);
+	offset += length;
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_DREP(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep)
+{
+	proto_tree *tree;
+	guint8 val;
+
+	tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_drep, NULL, "DREP");
+
+	val = tvb_get_guint8(tvb, offset);
+	proto_tree_add_uint(tree, hf_dcerpc_drep_byteorder, tvb, offset, 1, val>>4);
+
+	offset++;
+
+	if (drep) {
+		*drep = val;
+	}
+
+	return offset;
+}
+
+/* This might be some sort of header that MIDL generates when creating
+ * marshalling/unmarshalling code for blobs that are not to be transported
+ * ontop of DCERPC and where the DREP fields specifying things such as
+ * endianess and similar are not available.
+ */
+static int
+dissect_krb5_PAC_NDRHEADERBLOB(proto_tree *parent_tree, tvbuff_t *tvb, int offset, guint8 *drep, asn1_ctx_t *actx _U_)
+{
+	proto_tree *tree;
+
+	tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16, ett_krb_pac_midl_blob, NULL, "MES header");
+
+	/* modified DREP field that is used for stuff that is transporetd ontop
+	   of non dcerpc
+	*/
+	proto_tree_add_item(tree, hf_krb_midl_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
+	offset++;
+
+	offset = dissect_krb5_PAC_DREP(tree, tvb, offset, drep);
+
+
+	proto_tree_add_item(tree, hf_krb_midl_hdr_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+	offset+=2;
+
+	proto_tree_add_item(tree, hf_krb_midl_fill_bytes, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset += 4;
+
+	/* length of blob that follows */
+	proto_tree_add_item(tree, hf_krb_midl_blob_len, tvb, offset, 8, ENC_LITTLE_ENDIAN);
+	offset += 8;
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_LOGON_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+	guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
+	static dcerpc_info di;      /* fake dcerpc_info struct */
+	static dcerpc_call_value call_data;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_logon_info, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_logon_info);
+
+	/* skip the first 16 bytes, they are some magic created by the idl
+	 * compiler   the first 4 bytes might be flags?
+	 */
+	offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
+
+	/* the PAC_LOGON_INFO blob */
+	/* fake whatever state the dcerpc runtime support needs */
+	di.conformant_run=0;
+	/* we need di->call_data->flags.NDR64 == 0 */
+	di.call_data=&call_data;
+	init_ndr_pointer_list(&di);
+	offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
+									netlogon_dissect_PAC_LOGON_INFO, NDR_POINTER_UNIQUE,
+									"PAC_LOGON_INFO:", -1);
+
+	return offset;
+}
+
+
+static int
+dissect_krb5_PAC_CREDENTIAL_DATA(proto_tree *parent_tree, tvbuff_t *tvb, int offset, packet_info *pinfo _U_)
+{
+	proto_tree_add_item(parent_tree, hf_krb_pac_credential_data, tvb, offset, -1, ENC_NA);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_CREDENTIAL_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
+{
+	proto_item *item;
+	proto_tree *tree;
+	guint8 *plaintext = NULL;
+	int plainlen = 0;
+	int length = 0;
+#define KRB5_KU_OTHER_ENCRYPTED 16
+#ifdef  HAVE_KERBEROS
+	guint32 etype;
+	tvbuff_t *next_tvb;
+	int usage = KRB5_KU_OTHER_ENCRYPTED;
+#endif
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_credential_info, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_credential_info);
+
+	/* version */
+	proto_tree_add_item(tree, hf_krb_pac_credential_info_version, tvb,
+			    offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+#ifdef HAVE_KERBEROS
+	/* etype */
+	etype = tvb_get_letohl(tvb, offset);
+#endif
+	proto_tree_add_item(tree, hf_krb_pac_credential_info_etype, tvb,
+			    offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+#ifdef HAVE_KERBEROS
+	/* data */
+	next_tvb=tvb_new_subset_remaining(tvb, offset);
+	length=tvb_captured_length_remaining(tvb, offset);
+
+	plaintext=decrypt_krb5_data(tree, actx->pinfo, usage, next_tvb, (int)etype, &plainlen);
+#endif
+
+	if (plaintext != NULL) {
+		tvbuff_t *child_tvb;
+		child_tvb = tvb_new_child_real_data(tvb, plaintext, plainlen, plainlen);
+
+		/* Add the decrypted data to the data source list. */
+		add_new_data_source(actx->pinfo, child_tvb, "Krb5 PAC_CREDENTIAL");
+
+		dissect_krb5_PAC_CREDENTIAL_DATA(tree, child_tvb, 0, actx->pinfo);
+	}
+
+	return offset + length;
+}
+
+static int
+dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
+{
+	proto_item *item;
+	proto_tree *tree;
+	guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
+	static dcerpc_info di;      /* fake dcerpc_info struct */
+	static dcerpc_call_value call_data;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_s4u_delegation_info, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_s4u_delegation_info);
+
+	/* skip the first 16 bytes, they are some magic created by the idl
+	 * compiler   the first 4 bytes might be flags?
+	 */
+	offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
+
+
+	/* the S4U_DELEGATION_INFO blob. See [MS-PAC] */
+	/* fake whatever state the dcerpc runtime support needs */
+	di.conformant_run=0;
+	/* we need di->call_data->flags.NDR64 == 0 */
+	di.call_data=&call_data;
+	init_ndr_pointer_list(&di);
+	offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
+									netlogon_dissect_PAC_S4U_DELEGATION_INFO, NDR_POINTER_UNIQUE,
+									"PAC_S4U_DELEGATION_INFO:", -1);
+
+	return offset;
+}
+
+#define PAC_UPN_DNS_FLAG_CONSTRUCTED		0x00000001
+#define PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID	0x00000002
+static const true_false_string tfs_krb_pac_upn_flag_upn_constructed = {
+	"UPN Name is Constructed",
+	"UPN Name is NOT Constructed",
+};
+static const true_false_string tfs_krb_pac_upn_flag_has_sam_name_and_sid = {
+	"SAM_NAME and SID are included",
+	"SAM_NAME and SID are NOT included",
+};
+static int * const hf_krb_pac_upn_flags_fields[] = {
+	&hf_krb_pac_upn_flag_upn_constructed,
+	&hf_krb_pac_upn_flag_has_sam_name_and_sid,
+	NULL
+};
+
+static int
+dissect_krb5_PAC_UPN_DNS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+	guint16 dns_offset, dns_len;
+	guint16 upn_offset, upn_len;
+	guint16 samaccountname_offset = 0, samaccountname_len = 0;
+	guint16 objectsid_offset = 0, objectsid_len = 0;
+	guint32 flags;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_upn_dns_info, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_upn_dns_info);
+
+	/* upn */
+	upn_len = tvb_get_letohs(tvb, offset);
+	proto_tree_add_item(tree, hf_krb_pac_upn_upn_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+	offset+=2;
+	upn_offset = tvb_get_letohs(tvb, offset);
+	proto_tree_add_item(tree, hf_krb_pac_upn_upn_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+	offset+=2;
+
+	/* dns */
+	dns_len = tvb_get_letohs(tvb, offset);
+	proto_tree_add_item(tree, hf_krb_pac_upn_dns_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+	offset+=2;
+	dns_offset = tvb_get_letohs(tvb, offset);
+	proto_tree_add_item(tree, hf_krb_pac_upn_dns_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+	offset+=2;
+
+	/* flags */
+	flags = tvb_get_letohl(tvb, offset);
+	proto_tree_add_bitmask(tree, tvb, offset,
+			       hf_krb_pac_upn_flags,
+			       ett_krb_pac_upn_dns_info_flags,
+			       hf_krb_pac_upn_flags_fields,
+			       ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	if (flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID) {
+		samaccountname_len = tvb_get_letohs(tvb, offset);
+		proto_tree_add_item(tree, hf_krb_pac_upn_samaccountname_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+		offset+=2;
+		samaccountname_offset = tvb_get_letohs(tvb, offset);
+		proto_tree_add_item(tree, hf_krb_pac_upn_samaccountname_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+		offset+=2;
+
+		objectsid_len = tvb_get_letohs(tvb, offset);
+		proto_tree_add_item(tree, hf_krb_pac_upn_objectsid_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+		offset+=2;
+		objectsid_offset = tvb_get_letohs(tvb, offset);
+		proto_tree_add_item(tree, hf_krb_pac_upn_objectsid_offset, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+		/* offset+=2; */
+	}
+
+	/* upn */
+	proto_tree_add_item(tree, hf_krb_pac_upn_upn_name, tvb, upn_offset, upn_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+
+	/* dns */
+	proto_tree_add_item(tree, hf_krb_pac_upn_dns_name, tvb, dns_offset, dns_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+
+	/* samaccountname */
+	if (samaccountname_offset != 0 && samaccountname_len != 0) {
+		proto_tree_add_item(tree, hf_krb_pac_upn_samaccountname, tvb, samaccountname_offset, samaccountname_len, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+	}
+	/* objectsid */
+	if (objectsid_offset != 0 && objectsid_len != 0) {
+		tvbuff_t *sid_tvb;
+		sid_tvb=tvb_new_subset_length(tvb, objectsid_offset, objectsid_len);
+		dissect_nt_sid(sid_tvb, 0, tree, "objectSid", NULL, -1);
+	}
+
+	return dns_offset;
+}
+
+static int
+dissect_krb5_PAC_CLIENT_CLAIMS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	int length = tvb_captured_length_remaining(tvb, offset);
+
+	if (length == 0) {
+		return offset;
+	}
+
+	proto_tree_add_item(parent_tree, hf_krb_pac_client_claims_info, tvb, offset, -1, ENC_NA);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_DEVICE_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+	guint8 drep[4] = { 0x10, 0x00, 0x00, 0x00}; /* fake DREP struct */
+	static dcerpc_info di;      /* fake dcerpc_info struct */
+	static dcerpc_call_value call_data;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_device_info, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_device_info);
+
+	/* skip the first 16 bytes, they are some magic created by the idl
+	 * compiler   the first 4 bytes might be flags?
+	 */
+	offset = dissect_krb5_PAC_NDRHEADERBLOB(tree, tvb, offset, &drep[0], actx);
+
+	/* the PAC_DEVICE_INFO blob */
+	/* fake whatever state the dcerpc runtime support needs */
+	di.conformant_run=0;
+	/* we need di->call_data->flags.NDR64 == 0 */
+	di.call_data=&call_data;
+	init_ndr_pointer_list(&di);
+	offset = dissect_ndr_pointer(tvb, offset, actx->pinfo, tree, &di, drep,
+				     netlogon_dissect_PAC_DEVICE_INFO, NDR_POINTER_UNIQUE,
+				     "PAC_DEVICE_INFO:", -1);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_DEVICE_CLAIMS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	int length = tvb_captured_length_remaining(tvb, offset);
+
+	if (length == 0) {
+		return offset;
+	}
+
+	proto_tree_add_item(parent_tree, hf_krb_pac_device_claims_info, tvb, offset, -1, ENC_NA);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_SERVER_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_server_checksum, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_server_checksum);
+
+	/* signature type */
+	proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	/* signature data */
+	proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_PRIVSVR_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_privsvr_checksum, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_privsvr_checksum);
+
+	/* signature type */
+	proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	/* signature data */
+	proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_CLIENT_INFO_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+	guint16 namelen;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_client_info_type, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_client_info_type);
+
+	/* clientid */
+	offset = dissect_nt_64bit_time(tvb, tree, offset, hf_krb_pac_clientid);
+
+	/* name length */
+	namelen=tvb_get_letohs(tvb, offset);
+	proto_tree_add_uint(tree, hf_krb_pac_namelen, tvb, offset, 2, namelen);
+	offset+=2;
+
+	/* client name */
+	proto_tree_add_item(tree, hf_krb_pac_clientname, tvb, offset, namelen, ENC_UTF_16|ENC_LITTLE_ENDIAN);
+	offset+=namelen;
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_TICKET_CHECKSUM(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_ticket_checksum, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_ticket_checksum);
+
+	/* signature type */
+	proto_tree_add_item(tree, hf_krb_pac_signature_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	/* signature data */
+	proto_tree_add_item(tree, hf_krb_pac_signature_signature, tvb, offset, -1, ENC_NA);
+
+	return offset;
+}
+
+#define PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED		0x00000001
+#define PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY	0x00000002
+static const true_false_string tfs_krb_pac_attributes_info_pac_was_requested = {
+	"PAC was requested",
+	"PAC was NOT requested",
+};
+static const true_false_string tfs_krb_pac_attributes_info_pac_was_given_implicitly = {
+	"PAC was given implicitly",
+	"PAC was NOT given implicitly",
+};
+static int * const hf_krb_pac_attributes_info_flags_fields[] = {
+	&hf_krb_pac_attributes_info_flags_pac_was_requested,
+	&hf_krb_pac_attributes_info_flags_pac_was_given_implicitly,
+	NULL
+};
+
+static int
+dissect_krb5_PAC_ATTRIBUTES_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_attributes_info, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_attributes_info);
+
+	/* flags length*/
+	proto_tree_add_item(tree, hf_krb_pac_attributes_info_length, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	/* flags */
+	proto_tree_add_bitmask(tree, tvb, offset,
+			       hf_krb_pac_attributes_info_flags,
+			       ett_krb_pac_attributes_info_flags,
+			       hf_krb_pac_attributes_info_flags_fields,
+			       ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	return offset;
+}
+
+static int
+dissect_krb5_PAC_REQUESTER_SID(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	proto_item *item;
+	proto_tree *tree;
+
+	item = proto_tree_add_item(parent_tree, hf_krb_pac_requester_sid, tvb, offset, -1, ENC_NA);
+	tree = proto_item_add_subtree(item, ett_krb_pac_requester_sid);
+
+	offset = dissect_nt_sid(tvb, offset, tree, "RequesterSid", NULL, -1);
+
+	return offset;
+}
+
+static int
+dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
+{
+	guint32 pac_type;
+	guint32 pac_size;
+	guint32 pac_offset;
+	proto_item *it=NULL;
+	proto_tree *tr=NULL;
+	tvbuff_t *next_tvb;
+
+	/* type of pac data */
+	pac_type=tvb_get_letohl(tvb, offset);
+	it=proto_tree_add_uint(tree, hf_krb_w2k_pac_type, tvb, offset, 4, pac_type);
+	tr=proto_item_add_subtree(it, ett_krb_pac);
+
+	offset += 4;
+
+	/* size of pac data */
+	pac_size=tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tr, hf_krb_w2k_pac_size, tvb, offset, 4, pac_size);
+	offset += 4;
+
+	/* offset to pac data */
+	pac_offset=tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tr, hf_krb_w2k_pac_offset, tvb, offset, 4, pac_offset);
+	offset += 8;
+
+	next_tvb=tvb_new_subset_length_caplen(tvb, pac_offset, pac_size, pac_size);
+	switch(pac_type){
+	case PAC_LOGON_INFO:
+		dissect_krb5_PAC_LOGON_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_CREDENTIAL_TYPE:
+		dissect_krb5_PAC_CREDENTIAL_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_SERVER_CHECKSUM:
+		dissect_krb5_PAC_SERVER_CHECKSUM(tr, next_tvb, 0, actx);
+		break;
+	case PAC_PRIVSVR_CHECKSUM:
+		dissect_krb5_PAC_PRIVSVR_CHECKSUM(tr, next_tvb, 0, actx);
+		break;
+	case PAC_CLIENT_INFO_TYPE:
+		dissect_krb5_PAC_CLIENT_INFO_TYPE(tr, next_tvb, 0, actx);
+		break;
+	case PAC_S4U_DELEGATION_INFO:
+		dissect_krb5_PAC_S4U_DELEGATION_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_UPN_DNS_INFO:
+		dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_CLIENT_CLAIMS_INFO:
+		dissect_krb5_PAC_CLIENT_CLAIMS_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_DEVICE_INFO:
+		dissect_krb5_PAC_DEVICE_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_DEVICE_CLAIMS_INFO:
+		dissect_krb5_PAC_DEVICE_CLAIMS_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_TICKET_CHECKSUM:
+		dissect_krb5_PAC_TICKET_CHECKSUM(tr, next_tvb, 0, actx);
+		break;
+	case PAC_ATTRIBUTES_INFO:
+		dissect_krb5_PAC_ATTRIBUTES_INFO(tr, next_tvb, 0, actx);
+		break;
+	case PAC_REQUESTER_SID:
+		dissect_krb5_PAC_REQUESTER_SID(tr, next_tvb, 0, actx);
+		break;
+
+	default:
+		break;
+	}
+	return offset;
+}
+
+static int
+dissect_krb5_AD_WIN2K_PAC(bool implicit_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree, int hf_index _U_)
+{
+	guint32 entries;
+	guint32 version;
+	guint32 i;
+
+#if defined(HAVE_MIT_KERBEROS) && defined(HAVE_KRB5_PAC_VERIFY)
+	verify_krb5_pac(tree, actx, tvb);
+#endif
+
+	/* first in the PAC structure comes the number of entries */
+	entries=tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries);
+	offset += 4;
+
+	/* second comes the version */
+	version=tvb_get_letohl(tvb, offset);
+	proto_tree_add_uint(tree, hf_krb_w2k_pac_version, tvb, offset, 4, version);
+	offset += 4;
+
+	for(i=0;i<entries;i++){
+		offset=dissect_krb5_AD_WIN2K_PAC_struct(tree, tvb, offset, actx);
+	}
+
+	return offset;
+}
+
+#include "packet-kerberos-fn.c"
+
+#ifdef HAVE_KERBEROS
+static const ber_sequence_t PA_ENC_TS_ENC_sequence[] = {
+	{ &hf_krb_patimestamp, BER_CLASS_CON, 0, 0, dissect_kerberos_KerberosTime },
+	{ &hf_krb_pausec     , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_Microseconds },
+	{ NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_PA_ENC_TS_ENC(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+	offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+									PA_ENC_TS_ENC_sequence, hf_index, ett_krb_pa_enc_ts_enc);
+	return offset;
+}
+
+static int
+dissect_kerberos_T_strengthen_key(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  gint save_encryption_key_parent_hf_index = private_data->save_encryption_key_parent_hf_index;
+  kerberos_key_save_fn saved_encryption_key_fn = private_data->save_encryption_key_fn;
+  private_data->save_encryption_key_parent_hf_index = hf_kerberos_KrbFastResponse;
+#ifdef HAVE_KERBEROS
+  private_data->save_encryption_key_fn = save_KrbFastResponse_strengthen_key;
+#endif
+  offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
+
+  private_data->save_encryption_key_parent_hf_index = save_encryption_key_parent_hf_index;
+  private_data->save_encryption_key_fn = saved_encryption_key_fn;
+  return offset;
+}
+
+static const ber_sequence_t KrbFastFinished_sequence[] = {
+  { &hf_kerberos_timestamp  , BER_CLASS_CON, 0, 0, dissect_kerberos_KerberosTime },
+  { &hf_kerberos_usec       , BER_CLASS_CON, 1, 0, dissect_kerberos_Microseconds },
+  { &hf_kerberos_crealm     , BER_CLASS_CON, 2, 0, dissect_kerberos_Realm },
+  { &hf_kerberos_cname_01   , BER_CLASS_CON, 3, 0, dissect_kerberos_PrincipalName },
+  { &hf_kerberos_ticket_checksum, BER_CLASS_CON, 4, 0, dissect_kerberos_Checksum },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_KrbFastFinished(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   KrbFastFinished_sequence, hf_index, ett_kerberos_KrbFastFinished);
+
+  return offset;
+}
+
+static const ber_sequence_t KrbFastResponse_sequence[] = {
+  { &hf_kerberos_rEP_SEQUENCE_OF_PA_DATA, BER_CLASS_CON, 0, 0, dissect_kerberos_T_rEP_SEQUENCE_OF_PA_DATA },
+  { &hf_kerberos_strengthen_key, BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_T_strengthen_key },
+  { &hf_kerberos_finished   , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_KrbFastFinished },
+  { &hf_kerberos_nonce      , BER_CLASS_CON, 3, 0, dissect_kerberos_UInt32 },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_KrbFastResponse(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   KrbFastResponse_sequence, hf_index, ett_kerberos_KrbFastResponse);
+
+  return offset;
+}
+
+static const ber_sequence_t KrbFastReq_sequence[] = {
+  { &hf_kerberos_fast_options, BER_CLASS_CON, 0, 0, dissect_kerberos_FastOptions },
+  { &hf_kerberos_rEQ_SEQUENCE_OF_PA_DATA, BER_CLASS_CON, 1, 0, dissect_kerberos_T_rEQ_SEQUENCE_OF_PA_DATA },
+  { &hf_kerberos_req_body   , BER_CLASS_CON, 2, 0, dissect_kerberos_KDC_REQ_BODY },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_KrbFastReq(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  struct _kerberos_PA_FX_FAST_REQUEST saved_stack = private_data->PA_FX_FAST_REQUEST;
+  private_data->PA_FX_FAST_REQUEST = (struct _kerberos_PA_FX_FAST_REQUEST) { .defer = FALSE, };
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   KrbFastReq_sequence, hf_index, ett_kerberos_KrbFastReq);
+  private_data->PA_FX_FAST_REQUEST = saved_stack;
+
+  return offset;
+}
+
+static int * const FastOptions_bits[] = {
+  &hf_kerberos_FastOptions_reserved,
+  &hf_kerberos_FastOptions_hide_client_names,
+  &hf_kerberos_FastOptions_spare_bit2,
+  &hf_kerberos_FastOptions_spare_bit3,
+  &hf_kerberos_FastOptions_spare_bit4,
+  &hf_kerberos_FastOptions_spare_bit5,
+  &hf_kerberos_FastOptions_spare_bit6,
+  &hf_kerberos_FastOptions_spare_bit7,
+  &hf_kerberos_FastOptions_spare_bit8,
+  &hf_kerberos_FastOptions_spare_bit9,
+  &hf_kerberos_FastOptions_spare_bit10,
+  &hf_kerberos_FastOptions_spare_bit11,
+  &hf_kerberos_FastOptions_spare_bit12,
+  &hf_kerberos_FastOptions_spare_bit13,
+  &hf_kerberos_FastOptions_spare_bit14,
+  &hf_kerberos_FastOptions_spare_bit15,
+  &hf_kerberos_FastOptions_kdc_follow_referrals,
+  NULL
+};
+
+static int
+dissect_kerberos_FastOptions(bool implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
+                                    FastOptions_bits, 17, hf_index, ett_kerberos_FastOptions,
+                                    NULL);
+
+  return offset;
+}
+
+#endif /* HAVE_KERBEROS */
+
+/* Make wrappers around exported functions for now */
+int
+dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	return dissect_kerberos_Checksum(FALSE, tvb, offset, actx, tree, hf_kerberos_cksum);
+
+}
+
+int
+dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	return dissect_kerberos_KerberosTime(FALSE, tvb, offset, actx, tree, hf_kerberos_ctime);
+}
+
+
+int
+dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	return dissect_kerberos_PrincipalName(FALSE, tvb, offset, actx, tree, hf_kerberos_cname);
+}
+int
+dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+	return dissect_kerberos_Realm(FALSE, tvb, offset, actx, tree, hf_kerberos_realm);
+}
+
+struct kerberos_display_key_state {
+	proto_tree *tree;
+	packet_info *pinfo;
+	expert_field *expindex;
+	const char *name;
+	tvbuff_t *tvb;
+	gint start;
+	gint length;
+};
+
+static void
+#ifdef HAVE_KERBEROS
+kerberos_display_key(gpointer data, gpointer userdata)
+#else
+kerberos_display_key(gpointer data _U_, gpointer userdata _U_)
+#endif
+{
+#ifdef HAVE_KERBEROS
+	struct kerberos_display_key_state *state =
+		(struct kerberos_display_key_state *)userdata;
+	const enc_key_t *ek = (const enc_key_t *)data;
+	proto_item *item = NULL;
+	enc_key_t *sek = NULL;
+
+	item = proto_tree_add_expert_format(state->tree,
+					    state->pinfo,
+					    state->expindex,
+					    state->tvb,
+					    state->start,
+					    state->length,
+					    "%s %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+					    state->name,
+					    ek->key_origin, ek->keytype,
+					    ek->id_str, ek->num_same,
+					    ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
+					    ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
+	if (ek->src1 != NULL) {
+		sek = ek->src1;
+		expert_add_info_format(state->pinfo,
+				       item,
+				       state->expindex,
+				       "SRC1 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       sek->key_origin, sek->keytype,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+	}
+	if (ek->src2 != NULL) {
+		sek = ek->src2;
+		expert_add_info_format(state->pinfo,
+				       item,
+				       state->expindex,
+				       "SRC2 %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       sek->key_origin, sek->keytype,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+	}
+	sek = ek->same_list;
+	while (sek != NULL) {
+		expert_add_info_format(state->pinfo,
+				       item,
+				       state->expindex,
+				       "%s %s keytype %d (id=%s same=%u) (%02x%02x%02x%02x...)",
+				       state->name,
+				       sek->key_origin, sek->keytype,
+				       sek->id_str, sek->num_same,
+				       sek->keyvalue[0] & 0xFF, sek->keyvalue[1] & 0xFF,
+				       sek->keyvalue[2] & 0xFF, sek->keyvalue[3] & 0xFF);
+		sek = sek->same_list;
+	}
+#endif /* HAVE_KERBEROS */
+}
+
+static const value_string KERB_LOGON_SUBMIT_TYPE[] = {
+    { 2, "KerbInteractiveLogon" },
+    { 6, "KerbSmartCardLogon" },
+    { 7, "KerbWorkstationUnlockLogon" },
+    { 8, "KerbSmartCardUnlockLogon" },
+    { 9, "KerbProxyLogon" },
+    { 10, "KerbTicketLogon" },
+    { 11, "KerbTicketUnlockLogon" },
+    { 12, "KerbS4ULogon" },
+    { 13, "KerbCertificateLogon" },
+    { 14, "KerbCertificateS4ULogon" },
+    { 15, "KerbCertificateUnlockLogon" },
+    { 0, NULL }
+};
+
+
+#define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1
+#define KERB_LOGON_FLAG_REDIRECTED           0x2
+
+static int* const ktl_flags_bits[] = {
+	&hf_kerberos_KERB_TICKET_LOGON_FLAG_ALLOW_EXPIRED_TICKET,
+	&hf_kerberos_KERB_TICKET_LOGON_FLAG_REDIRECTED,
+	NULL
+};
+
+int
+dissect_kerberos_KERB_TICKET_LOGON(tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree)
+{
+	proto_item *item;
+	proto_tree *subtree;
+	guint32 ServiceTicketLength;
+	guint32 TicketGrantingTicketLength;
+	int orig_offset;
+
+	if (tvb_captured_length(tvb) < 32)
+		return offset;
+
+	item = proto_tree_add_item(tree, hf_kerberos_KERB_TICKET_LOGON, tvb, offset, -1, ENC_NA);
+	subtree = proto_item_add_subtree(item, ett_kerberos_KERB_TICKET_LOGON);
+
+	proto_tree_add_item(subtree, hf_kerberos_KERB_TICKET_LOGON_MessageType, tvb, offset, 4,
+			    ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	proto_tree_add_bitmask(subtree, tvb, offset, hf_kerberos_KERB_TICKET_LOGON_Flags,
+			       ett_kerberos, ktl_flags_bits, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	ServiceTicketLength = tvb_get_letohl(tvb, offset);
+	proto_tree_add_item(subtree, hf_kerberos_KERB_TICKET_LOGON_ServiceTicketLength, tvb,
+			    offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	TicketGrantingTicketLength = tvb_get_letohl(tvb, offset);
+	proto_tree_add_item(subtree, hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicketLength,
+			    tvb, offset, 4, ENC_LITTLE_ENDIAN);
+	offset+=4;
+
+	/* Skip two PUCHAR of ServiceTicket and TicketGrantingTicket */
+	offset+=16;
+
+	if (ServiceTicketLength == 0)
+		return offset;
+
+	orig_offset = offset;
+	offset = dissect_kerberos_Ticket(FALSE, tvb, offset, actx, subtree,
+					 hf_kerberos_KERB_TICKET_LOGON_ServiceTicket);
+
+	if ((unsigned)(offset-orig_offset) != ServiceTicketLength)
+		return offset;
+
+	if (TicketGrantingTicketLength == 0)
+		return offset;
+
+	offset = dissect_kerberos_KRB_CRED(FALSE, tvb, offset, actx, subtree,
+					   hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicket);
+
+	if ((unsigned)(offset-orig_offset) != ServiceTicketLength + TicketGrantingTicketLength)
+		return offset;
+
+	return offset;
+}
+
+static gint
+dissect_kerberos_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+    bool dci, bool do_col_protocol, bool have_rm,
+    kerberos_callbacks *cb)
+{
+	volatile int offset = 0;
+	proto_tree *volatile kerberos_tree = NULL;
+	proto_item *volatile item = NULL;
+	kerberos_private_data_t *private_data = NULL;
+	asn1_ctx_t asn1_ctx;
+
+	/* TCP record mark and length */
+	guint32 krb_rm = 0;
+	gint krb_reclen = 0;
+
+	gbl_do_col_info=dci;
+
+	if (have_rm) {
+		krb_rm = tvb_get_ntohl(tvb, offset);
+		krb_reclen = kerberos_rm_to_reclen(krb_rm);
+		/*
+		 * What is a reasonable size limit?
+		 */
+		if (krb_reclen > 10 * 1024 * 1024) {
+			return (-1);
+		}
+
+		if (do_col_protocol) {
+			col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
+		}
+
+		if (tree) {
+			item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
+			kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
+		}
+
+		show_krb_recordmark(kerberos_tree, tvb, offset, krb_rm);
+		offset += 4;
+	} else {
+		/* Do some sanity checking here,
+		 * All krb5 packets start with a TAG class that is BER_CLASS_APP
+		 * and a tag value that is either of the values below:
+		 * If it doesn't look like kerberos, return 0 and let someone else have
+		 * a go at it.
+		 */
+		gint8 tmp_class;
+		bool tmp_pc;
+		gint32 tmp_tag;
+
+		get_ber_identifier(tvb, offset, &tmp_class, &tmp_pc, &tmp_tag);
+		if(tmp_class!=BER_CLASS_APP){
+			return 0;
+		}
+		switch(tmp_tag){
+			case KRB5_MSG_TICKET:
+			case KRB5_MSG_AUTHENTICATOR:
+			case KRB5_MSG_ENC_TICKET_PART:
+			case KRB5_MSG_AS_REQ:
+			case KRB5_MSG_AS_REP:
+			case KRB5_MSG_TGS_REQ:
+			case KRB5_MSG_TGS_REP:
+			case KRB5_MSG_AP_REQ:
+			case KRB5_MSG_AP_REP:
+			case KRB5_MSG_ENC_AS_REP_PART:
+			case KRB5_MSG_ENC_TGS_REP_PART:
+			case KRB5_MSG_ENC_AP_REP_PART:
+			case KRB5_MSG_ENC_KRB_PRIV_PART:
+			case KRB5_MSG_ENC_KRB_CRED_PART:
+			case KRB5_MSG_SAFE:
+			case KRB5_MSG_PRIV:
+			case KRB5_MSG_ERROR:
+				break;
+			default:
+				return 0;
+		}
+		if (do_col_protocol) {
+			col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
+		}
+		if (gbl_do_col_info) {
+			col_clear(pinfo->cinfo, COL_INFO);
+		}
+		if (tree) {
+			item = proto_tree_add_item(tree, proto_kerberos, tvb, 0, -1, ENC_NA);
+			kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
+		}
+	}
+	asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+	asn1_ctx.private_data = NULL;
+	private_data = kerberos_get_private_data(&asn1_ctx);
+	private_data->callbacks = cb;
+
+	TRY {
+		offset=dissect_kerberos_Applications(FALSE, tvb, offset, &asn1_ctx , kerberos_tree, /* hf_index */ -1);
+	} CATCH_BOUNDS_ERRORS {
+		RETHROW;
+	} ENDTRY;
+
+	if (kerberos_tree != NULL) {
+		struct kerberos_display_key_state display_state = {
+			.tree = kerberos_tree,
+			.pinfo = pinfo,
+			.expindex = &ei_kerberos_learnt_keytype,
+			.name = "Provides",
+			.tvb = tvb,
+		};
+
+		wmem_list_foreach(private_data->learnt_keys,
+				  kerberos_display_key,
+				  &display_state);
+	}
+
+	if (kerberos_tree != NULL) {
+		struct kerberos_display_key_state display_state = {
+			.tree = kerberos_tree,
+			.pinfo = pinfo,
+			.expindex = &ei_kerberos_missing_keytype,
+			.name = "Missing",
+			.tvb = tvb,
+		};
+
+		wmem_list_foreach(private_data->missing_keys,
+				  kerberos_display_key,
+				  &display_state);
+	}
+
+	if (kerberos_tree != NULL) {
+		struct kerberos_display_key_state display_state = {
+			.tree = kerberos_tree,
+			.pinfo = pinfo,
+			.expindex = &ei_kerberos_decrypted_keytype,
+			.name = "Used",
+			.tvb = tvb,
+		};
+
+		wmem_list_foreach(private_data->decryption_keys,
+				  kerberos_display_key,
+				  &display_state);
+	}
+
+	proto_item_set_len(item, offset);
+	return offset;
+}
+
+/*
+ * Display the TCP record mark.
+ */
+void
+show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm)
+{
+	gint rec_len;
+	proto_tree *rm_tree;
+
+	if (tree == NULL)
+		return;
+
+	rec_len = kerberos_rm_to_reclen(krb_rm);
+	rm_tree = proto_tree_add_subtree_format(tree, tvb, start, 4, ett_krb_recordmark, NULL,
+		"Record Mark: %u %s", rec_len, plurality(rec_len, "byte", "bytes"));
+	proto_tree_add_boolean(rm_tree, hf_krb_rm_reserved, tvb, start, 4, krb_rm);
+	proto_tree_add_uint(rm_tree, hf_krb_rm_reclen, tvb, start, 4, krb_rm);
+}
+
+gint
+dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int do_col_info, kerberos_callbacks *cb)
+{
+	return (dissect_kerberos_common(tvb, pinfo, tree, do_col_info, FALSE, FALSE, cb));
+}
+
+guint32
+kerberos_output_keytype(void)
+{
+	return gbl_keytype;
+}
+
+static gint
+dissect_kerberos_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
+{
+	/* Some weird kerberos implementation apparently do krb4 on the krb5 port.
+	   Since all (except weirdo transarc krb4 stuff) use
+	   an opcode <=16 in the first byte, use this to see if it might
+	   be krb4.
+	   All krb5 commands start with an APPL tag and thus is >=0x60
+	   so if first byte is <=16  just blindly assume it is krb4 then
+	*/
+	if(tvb_captured_length(tvb) >= 1 && tvb_get_guint8(tvb, 0)<=0x10){
+		if(krb4_handle){
+			gboolean res;
+
+			res=call_dissector_only(krb4_handle, tvb, pinfo, tree, NULL);
+			return res;
+		}else{
+			return 0;
+		}
+	}
+
+
+	return dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, FALSE, NULL);
+}
+
+gint
+kerberos_rm_to_reclen(guint krb_rm)
+{
+    return (krb_rm & KRB_RM_RECLEN);
+}
+
+guint
+get_krb_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
+{
+	guint krb_rm;
+	gint pdulen;
+
+	krb_rm = tvb_get_ntohl(tvb, offset);
+	pdulen = kerberos_rm_to_reclen(krb_rm);
+	return (pdulen + 4);
+}
+static void
+kerberos_prefs_apply_cb(void) {
+#ifdef HAVE_LIBNETTLE
+	clear_keytab();
+	read_keytab_file(keytab_filename);
+#endif
+}
+
+static int
+dissect_kerberos_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
+{
+	pinfo->fragmented = TRUE;
+	if (dissect_kerberos_common(tvb, pinfo, tree, TRUE, TRUE, TRUE, NULL) < 0) {
+		/*
+		 * The dissector failed to recognize this as a valid
+		 * Kerberos message.  Mark it as a continuation packet.
+		 */
+		col_set_str(pinfo->cinfo, COL_INFO, "Continuation");
+	}
+
+	return tvb_captured_length(tvb);
+}
+
+static int
+dissect_kerberos_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
+{
+	col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
+	col_clear(pinfo->cinfo, COL_INFO);
+
+	tcp_dissect_pdus(tvb, pinfo, tree, krb_desegment, 4, get_krb_pdu_len,
+					 dissect_kerberos_tcp_pdu, data);
+	return tvb_captured_length(tvb);
+}
+
+/*--- proto_register_kerberos -------------------------------------------*/
+void proto_register_kerberos(void) {
+
+	/* List of fields */
+
+	static hf_register_info hf[] = {
+	{ &hf_krb_rm_reserved, {
+		"Reserved", "kerberos.rm.reserved", FT_BOOLEAN, 32,
+		TFS(&tfs_set_notset), KRB_RM_RESERVED, "Record mark reserved bit", HFILL }},
+	{ &hf_krb_rm_reclen, {
+		"Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC,
+		NULL, KRB_RM_RECLEN, NULL, HFILL }},
+	{ &hf_krb_provsrv_location, {
+		"PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE,
+		NULL, 0, "PacketCable PROV SRV Location", HFILL }},
+	{ &hf_krb_pw_salt,
+		{ "pw-salt", "kerberos.pw_salt", FT_BYTES, BASE_NONE,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_ext_error_nt_status, /* we keep kerberos.smb.nt_status for compat reasons */
+		{ "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX,
+		VALS(NT_errors), 0, "NT Status code", HFILL }},
+	{ &hf_krb_ext_error_reserved,
+		{ "Reserved", "kerberos.ext_error.reserved", FT_UINT32, BASE_HEX,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_ext_error_flags,
+		{ "Flags", "kerberos.ext_error.flags", FT_UINT32, BASE_HEX,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_address_ip, {
+		"IP Address", "kerberos.addr_ip", FT_IPv4, BASE_NONE,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_address_ipv6, {
+		"IPv6 Address", "kerberos.addr_ipv6", FT_IPv6, BASE_NONE,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_address_netbios, {
+		"NetBIOS Address", "kerberos.addr_nb", FT_STRING, BASE_NONE,
+		NULL, 0, "NetBIOS Address and type", HFILL }},
+	{ &hf_krb_gssapi_len, {
+		"Length", "kerberos.gssapi.len", FT_UINT32, BASE_DEC,
+		NULL, 0, "Length of GSSAPI Bnd field", HFILL }},
+	{ &hf_krb_gssapi_bnd, {
+		"Bnd", "kerberos.gssapi.bdn", FT_BYTES, BASE_NONE,
+		NULL, 0, "GSSAPI Bnd field", HFILL }},
+	{ &hf_krb_gssapi_c_flag_deleg, {
+		"Deleg", "kerberos.gssapi.checksum.flags.deleg", FT_BOOLEAN, 32,
+		TFS(&tfs_gss_flags_deleg), KRB5_GSS_C_DELEG_FLAG, NULL, HFILL }},
+	{ &hf_krb_gssapi_c_flag_mutual, {
+		"Mutual", "kerberos.gssapi.checksum.flags.mutual", FT_BOOLEAN, 32,
+		TFS(&tfs_gss_flags_mutual), KRB5_GSS_C_MUTUAL_FLAG, NULL, HFILL }},
+	{ &hf_krb_gssapi_c_flag_replay, {
+		"Replay", "kerberos.gssapi.checksum.flags.replay", FT_BOOLEAN, 32,
+		TFS(&tfs_gss_flags_replay), KRB5_GSS_C_REPLAY_FLAG, NULL, HFILL }},
+	{ &hf_krb_gssapi_c_flag_sequence, {
+		"Sequence", "kerberos.gssapi.checksum.flags.sequence", FT_BOOLEAN, 32,
+		TFS(&tfs_gss_flags_sequence), KRB5_GSS_C_SEQUENCE_FLAG, NULL, HFILL }},
+	{ &hf_krb_gssapi_c_flag_conf, {
+		"Conf", "kerberos.gssapi.checksum.flags.conf", FT_BOOLEAN, 32,
+		TFS(&tfs_gss_flags_conf), KRB5_GSS_C_CONF_FLAG, NULL, HFILL }},
+	{ &hf_krb_gssapi_c_flag_integ, {
+		"Integ", "kerberos.gssapi.checksum.flags.integ", FT_BOOLEAN, 32,
+		TFS(&tfs_gss_flags_integ), KRB5_GSS_C_INTEG_FLAG, NULL, HFILL }},
+	{ &hf_krb_gssapi_c_flag_dce_style, {
+		"DCE-style", "kerberos.gssapi.checksum.flags.dce-style", FT_BOOLEAN, 32,
+		TFS(&tfs_gss_flags_dce_style), KRB5_GSS_C_DCE_STYLE, NULL, HFILL }},
+	{ &hf_krb_gssapi_dlgopt, {
+		"DlgOpt", "kerberos.gssapi.dlgopt", FT_UINT16, BASE_DEC,
+		NULL, 0, "GSSAPI DlgOpt", HFILL }},
+	{ &hf_krb_gssapi_dlglen, {
+		"DlgLen", "kerberos.gssapi.dlglen", FT_UINT16, BASE_DEC,
+		NULL, 0, "GSSAPI DlgLen", HFILL }},
+	{ &hf_krb_midl_blob_len, {
+		"Blob Length", "kerberos.midl_blob_len", FT_UINT64, BASE_DEC,
+		NULL, 0, "Length of NDR encoded data that follows", HFILL }},
+	{ &hf_krb_midl_fill_bytes, {
+		"Fill bytes", "kerberos.midl.fill_bytes", FT_UINT32, BASE_HEX,
+		NULL, 0, "Just some fill bytes", HFILL }},
+	{ &hf_krb_midl_version, {
+	"Version", "kerberos.midl.version", FT_UINT8, BASE_DEC,
+	NULL, 0, "Version of pickling", HFILL }},
+	{ &hf_krb_midl_hdr_len, {
+		"HDR Length", "kerberos.midl.hdr_len", FT_UINT16, BASE_DEC,
+		NULL, 0, "Length of header", HFILL }},
+	{ &hf_krb_pac_signature_type, {
+		"Type", "kerberos.pac.signature.type", FT_INT32, BASE_DEC,
+		NULL, 0, "PAC Signature Type", HFILL }},
+	{ &hf_krb_pac_signature_signature, {
+		"Signature", "kerberos.pac.signature.signature", FT_BYTES, BASE_NONE,
+		NULL, 0, "A PAC signature blob", HFILL }},
+	{ &hf_krb_w2k_pac_entries, {
+		"Num Entries", "kerberos.pac.entries", FT_UINT32, BASE_DEC,
+		NULL, 0, "Number of W2k PAC entries", HFILL }},
+	{ &hf_krb_w2k_pac_version, {
+		"Version", "kerberos.pac.version", FT_UINT32, BASE_DEC,
+		NULL, 0, "Version of PAC structures", HFILL }},
+	{ &hf_krb_w2k_pac_type, {
+		"Type", "kerberos.pac.type", FT_UINT32, BASE_DEC,
+		VALS(w2k_pac_types), 0, "Type of W2k PAC entry", HFILL }},
+	{ &hf_krb_w2k_pac_size, {
+		"Size", "kerberos.pac.size", FT_UINT32, BASE_DEC,
+		NULL, 0, "Size of W2k PAC entry", HFILL }},
+	{ &hf_krb_w2k_pac_offset, {
+		"Offset", "kerberos.pac.offset", FT_UINT32, BASE_DEC,
+		NULL, 0, "Offset to W2k PAC entry", HFILL }},
+	{ &hf_krb_pac_clientid, {
+		"ClientID", "kerberos.pac.clientid", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
+		NULL, 0, "ClientID Timestamp", HFILL }},
+	{ &hf_krb_pac_namelen, {
+		"Name Length", "kerberos.pac.namelen", FT_UINT16, BASE_DEC,
+		NULL, 0, "Length of client name", HFILL }},
+	{ &hf_krb_pac_clientname, {
+		"Name", "kerberos.pac.name", FT_STRING, BASE_NONE,
+		NULL, 0, "Name of the Client in the PAC structure", HFILL }},
+	{ &hf_krb_pac_logon_info, {
+		"PAC_LOGON_INFO", "kerberos.pac_logon_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_LOGON_INFO structure", HFILL }},
+	{ &hf_krb_pac_credential_data, {
+		"PAC_CREDENTIAL_DATA", "kerberos.pac_credential_data", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_CREDENTIAL_DATA structure", HFILL }},
+	{ &hf_krb_pac_credential_info, {
+		"PAC_CREDENTIAL_INFO", "kerberos.pac_credential_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_CREDENTIAL_INFO structure", HFILL }},
+	{ &hf_krb_pac_credential_info_version, {
+		"Version", "kerberos.pac_credential_info.version", FT_UINT32, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_credential_info_etype, {
+		"Etype", "kerberos.pac_credential_info.etype", FT_UINT32, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_server_checksum, {
+		"PAC_SERVER_CHECKSUM", "kerberos.pac_server_checksum", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }},
+	{ &hf_krb_pac_privsvr_checksum, {
+		"PAC_PRIVSVR_CHECKSUM", "kerberos.pac_privsvr_checksum", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_PRIVSVR_CHECKSUM structure", HFILL }},
+	{ &hf_krb_pac_client_info_type, {
+		"PAC_CLIENT_INFO_TYPE", "kerberos.pac_client_info_type", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_CLIENT_INFO_TYPE structure", HFILL }},
+	{ &hf_krb_pac_s4u_delegation_info, {
+		"PAC_S4U_DELEGATION_INFO", "kerberos.pac_s4u_delegation_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_S4U_DELEGATION_INFO structure", HFILL }},
+	{ &hf_krb_pac_upn_dns_info, {
+		"UPN_DNS_INFO", "kerberos.pac_upn_dns_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "UPN_DNS_INFO structure", HFILL }},
+	{ &hf_krb_pac_upn_flags, {
+		"Flags", "kerberos.pac.upn.flags", FT_UINT32, BASE_HEX,
+		NULL, 0, "UPN flags", HFILL }},
+	{ &hf_krb_pac_upn_flag_upn_constructed, {
+		"UPN Name Constructed",
+		"kerberos.pac.upn.flags.upn_constructed",
+		FT_BOOLEAN, 32,
+		TFS(&tfs_krb_pac_upn_flag_upn_constructed),
+		PAC_UPN_DNS_FLAG_CONSTRUCTED,
+		"Is the UPN Name constructed?", HFILL }},
+	{ &hf_krb_pac_upn_flag_has_sam_name_and_sid, {
+		"SAM_NAME and SID Included",
+		"kerberos.pac.upn.flags.has_sam_name_and_sid",
+		FT_BOOLEAN, 32,
+		TFS(&tfs_krb_pac_upn_flag_has_sam_name_and_sid),
+		PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID,
+		"Are SAM_NAME and SID included?", HFILL }},
+	{ &hf_krb_pac_upn_upn_offset, {
+		"UPN Offset", "kerberos.pac.upn.upn_offset", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_upn_len, {
+		"UPN Len", "kerberos.pac.upn.upn_len", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_upn_name, {
+		"UPN Name", "kerberos.pac.upn.upn_name", FT_STRING, BASE_NONE,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_dns_offset, {
+		"DNS Offset", "kerberos.pac.upn.dns_offset", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_dns_len, {
+		"DNS Len", "kerberos.pac.upn.dns_len", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_dns_name, {
+		"DNS Name", "kerberos.pac.upn.dns_name", FT_STRING, BASE_NONE,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_samaccountname_offset, {
+		"sAMAccountName Offset", "kerberos.pac.upn.samaccountname_offset", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_samaccountname_len, {
+		"sAMAccountName Len", "kerberos.pac.upn.samaccountname_len", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_samaccountname, {
+		"sAMAccountName", "kerberos.pac.upn.samaccountname", FT_STRING, BASE_NONE,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_objectsid_offset, {
+		"objectSid Offset", "kerberos.pac.upn.objectsid_offset", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_upn_objectsid_len, {
+		"objectSid Len", "kerberos.pac.upn.objectsid_len", FT_UINT16, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_client_claims_info, {
+		"PAC_CLIENT_CLAIMS_INFO", "kerberos.pac_client_claims_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_CLIENT_CLAIMS_INFO structure", HFILL }},
+	{ &hf_krb_pac_device_info, {
+		"PAC_DEVICE_INFO", "kerberos.pac_device_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_DEVICE_INFO structure", HFILL }},
+	{ &hf_krb_pac_device_claims_info, {
+		"PAC_DEVICE_CLAIMS_INFO", "kerberos.pac_device_claims_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_DEVICE_CLAIMS_INFO structure", HFILL }},
+	{ &hf_krb_pac_ticket_checksum, {
+		"PAC_TICKET_CHECKSUM", "kerberos.pac_ticket_checksum", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_TICKET_CHECKSUM structure", HFILL }},
+	{ &hf_krb_pac_attributes_info, {
+		"PAC_ATTRIBUTES_INFO", "kerberos.pac_attributes_info", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_ATTRIBUTES_INFO structure", HFILL }},
+	{ &hf_krb_pac_attributes_info_length, {
+		"Flags Valid Length", "kerberos.pac.attributes_info.length", FT_UINT32, BASE_DEC,
+		NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_attributes_info_flags, {
+		"Flags", "kerberos.pac.attributes_info.flags",
+		FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pac_attributes_info_flags_pac_was_requested, {
+		"PAC Requested",
+		"kerberos.pac.attributes.flags.pac_was_requested",
+		FT_BOOLEAN, 32,
+		TFS(&tfs_krb_pac_attributes_info_pac_was_requested),
+		PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED,
+		"Was a PAC requested?", HFILL }},
+	{ &hf_krb_pac_attributes_info_flags_pac_was_given_implicitly, {
+		"PAC given Implicitly",
+		"kerberos.pac.attributes.flags.pac_was_given_implicitly",
+		FT_BOOLEAN, 32,
+		TFS(&tfs_krb_pac_attributes_info_pac_was_given_implicitly),
+		PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
+		"Was PAC given implicitly?", HFILL }},
+	{ &hf_krb_pac_requester_sid, {
+		"PAC_REQUESTER_SID", "kerberos.pac_requester_sid", FT_BYTES, BASE_NONE,
+		NULL, 0, "PAC_REQUESTER_SID structure", HFILL }},
+	{ &hf_krb_pa_supported_enctypes,
+	  { "SupportedEnctypes", "kerberos.supported_entypes",
+	    FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_des_cbc_crc,
+	  { "des-cbc-crc", "kerberos.supported_entypes.des-cbc-crc",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000001, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_des_cbc_md5,
+	  { "des-cbc-md5", "kerberos.supported_entypes.des-cbc-md5",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000002, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_rc4_hmac,
+	  { "rc4-hmac", "kerberos.supported_entypes.rc4-hmac",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000004, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
+	  { "aes128-cts-hmac-sha1-96", "kerberos.supported_entypes.aes128-cts-hmac-sha1-96",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000008, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
+	  { "aes256-cts-hmac-sha1-96", "kerberos.supported_entypes.aes256-cts-hmac-sha1-96",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00000010, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_fast_supported,
+	  { "fast-supported", "kerberos.supported_entypes.fast-supported",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00010000, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_compound_identity_supported,
+	  { "compound-identity-supported", "kerberos.supported_entypes.compound-identity-supported",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00020000, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_claims_supported,
+	  { "claims-supported", "kerberos.supported_entypes.claims-supported",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00040000, NULL, HFILL }},
+	{ &hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
+	  { "resource-sid-compression-disabled", "kerberos.supported_entypes.resource-sid-compression-disabled",
+		FT_BOOLEAN, 32, TFS(&tfs_supported_not_supported), 0x00080000, NULL, HFILL }},
+	{ &hf_krb_ad_ap_options,
+	  { "AD-AP-Options", "kerberos.ad_ap_options",
+	    FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
+	{ &hf_krb_ad_ap_options_cbt,
+	  { "ChannelBindings", "kerberos.ad_ap_options.cbt",
+		FT_BOOLEAN, 32, TFS(&tfs_set_notset), 0x00004000, NULL, HFILL }},
+	{ &hf_krb_ad_target_principal,
+	  { "Target Principal", "kerberos.ad_target_principal",
+	    FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }},
+	{ &hf_krb_key_hidden_item,
+	  { "KeyHiddenItem", "krb5.key_hidden_item",
+	    FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON,
+      { "KERB_TICKET_LOGON", "kerberos.KERB_TICKET_LOGON",
+        FT_NONE, BASE_NONE, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_MessageType,
+      { "MessageType", "kerberos.KERB_TICKET_LOGON.MessageType",
+        FT_UINT32, BASE_DEC, VALS(KERB_LOGON_SUBMIT_TYPE), 0,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_Flags,
+      { "Flags", "kerberos.KERB_TICKET_LOGON.Flags",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_ServiceTicketLength,
+      { "ServiceTicketLength", "kerberos.KERB_TICKET_LOGON.ServiceTicketLength",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicketLength,
+      { "TicketGrantingTicketLength", "kerberos.KERB_TICKET_LOGON.TicketGrantingTicketLength",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_ServiceTicket,
+      { "ServiceTicket", "kerberos.KERB_TICKET_LOGON.ServiceTicket",
+        FT_NONE, BASE_NONE, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_TicketGrantingTicket,
+      { "TicketGrantingTicket", "kerberos.KERB_TICKET_LOGON.TicketGrantingTicket",
+        FT_NONE, BASE_NONE, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_FLAG_ALLOW_EXPIRED_TICKET,
+      { "allow_expired_ticket", "kerberos.KERB_TICKET_LOGON.FLAG_ALLOW_EXPIRED_TICKET",
+        FT_BOOLEAN, 32, NULL, KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET,
+        NULL, HFILL }},
+    { &hf_kerberos_KERB_TICKET_LOGON_FLAG_REDIRECTED,
+      { "redirected", "kerberos.KERB_TICKET_LOGON.FLAG_REDIRECTED",
+        FT_BOOLEAN, 32, NULL, KERB_LOGON_FLAG_REDIRECTED,
+        NULL, HFILL }},
+#ifdef HAVE_KERBEROS
+	{ &hf_kerberos_KrbFastResponse,
+	   { "KrbFastResponse", "kerberos.KrbFastResponse_element",
+	    FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
+	{ &hf_kerberos_strengthen_key,
+      { "strengthen-key", "kerberos.strengthen_key_element",
+        FT_NONE, BASE_NONE, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_finished,
+      { "finished", "kerberos.finished_element",
+        FT_NONE, BASE_NONE, NULL, 0,
+        "KrbFastFinished", HFILL }},
+    { &hf_kerberos_fast_options,
+      { "fast-options", "kerberos.fast_options",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "FastOptions", HFILL }},
+    { &hf_kerberos_FastOptions_reserved,
+      { "reserved", "kerberos.FastOptions.reserved",
+        FT_BOOLEAN, 8, NULL, 0x80,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_hide_client_names,
+      { "hide-client-names", "kerberos.FastOptions.hide.client.names",
+        FT_BOOLEAN, 8, NULL, 0x40,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit2,
+      { "spare_bit2", "kerberos.FastOptions.spare.bit2",
+        FT_BOOLEAN, 8, NULL, 0x20,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit3,
+      { "spare_bit3", "kerberos.FastOptions.spare.bit3",
+        FT_BOOLEAN, 8, NULL, 0x10,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit4,
+      { "spare_bit4", "kerberos.FastOptions.spare.bit4",
+        FT_BOOLEAN, 8, NULL, 0x08,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit5,
+      { "spare_bit5", "kerberos.FastOptions.spare.bit5",
+        FT_BOOLEAN, 8, NULL, 0x04,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit6,
+      { "spare_bit6", "kerberos.FastOptions.spare.bit6",
+        FT_BOOLEAN, 8, NULL, 0x02,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit7,
+      { "spare_bit7", "kerberos.FastOptions.spare.bit7",
+        FT_BOOLEAN, 8, NULL, 0x01,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit8,
+      { "spare_bit8", "kerberos.FastOptions.spare.bit8",
+        FT_BOOLEAN, 8, NULL, 0x80,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit9,
+      { "spare_bit9", "kerberos.FastOptions.spare.bit9",
+        FT_BOOLEAN, 8, NULL, 0x40,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit10,
+      { "spare_bit10", "kerberos.FastOptions.spare.bit10",
+        FT_BOOLEAN, 8, NULL, 0x20,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit11,
+      { "spare_bit11", "kerberos.FastOptions.spare.bit11",
+        FT_BOOLEAN, 8, NULL, 0x10,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit12,
+      { "spare_bit12", "kerberos.FastOptions.spare.bit12",
+        FT_BOOLEAN, 8, NULL, 0x08,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit13,
+      { "spare_bit13", "kerberos.FastOptions.spare.bit13",
+        FT_BOOLEAN, 8, NULL, 0x04,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit14,
+      { "spare_bit14", "kerberos.FastOptions.spare.bit14",
+        FT_BOOLEAN, 8, NULL, 0x02,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_spare_bit15,
+      { "spare_bit15", "kerberos.FastOptions.spare.bit15",
+        FT_BOOLEAN, 8, NULL, 0x01,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_kdc_follow_referrals,
+      { "kdc-follow-referrals", "kerberos.FastOptions.kdc.follow.referrals",
+        FT_BOOLEAN, 8, NULL, 0x80,
+        NULL, HFILL }},
+    { &hf_kerberos_ticket_checksum,
+      { "ticket-checksum", "kerberos.ticket_checksum_element",
+        FT_NONE, BASE_NONE, NULL, 0,
+        "Checksum", HFILL }},
+    { &hf_krb_patimestamp,
+      { "patimestamp", "kerberos.patimestamp",
+        FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0, "KerberosTime", HFILL }},
+    { &hf_krb_pausec,
+      { "pausec", "kerberos.pausec",
+        FT_UINT32, BASE_DEC, NULL, 0, "Microseconds", HFILL }},
+#endif /* HAVE_KERBEROS */
+
+#include "packet-kerberos-hfarr.c"
+	};
+
+	/* List of subtrees */
+	static gint *ett[] = {
+		&ett_kerberos,
+		&ett_krb_recordmark,
+		&ett_krb_pac,
+		&ett_krb_pac_drep,
+		&ett_krb_pac_midl_blob,
+		&ett_krb_pac_logon_info,
+		&ett_krb_pac_credential_info,
+		&ett_krb_pac_s4u_delegation_info,
+		&ett_krb_pac_upn_dns_info,
+		&ett_krb_pac_upn_dns_info_flags,
+		&ett_krb_pac_device_info,
+		&ett_krb_pac_server_checksum,
+		&ett_krb_pac_privsvr_checksum,
+		&ett_krb_pac_client_info_type,
+		&ett_krb_pac_ticket_checksum,
+		&ett_krb_pac_attributes_info,
+		&ett_krb_pac_attributes_info_flags,
+		&ett_krb_pac_requester_sid,
+		&ett_krb_pa_supported_enctypes,
+		&ett_krb_ad_ap_options,
+		&ett_kerberos_KERB_TICKET_LOGON,
+#ifdef HAVE_KERBEROS
+		&ett_krb_pa_enc_ts_enc,
+	    &ett_kerberos_KrbFastFinished,
+	    &ett_kerberos_KrbFastResponse,
+        &ett_kerberos_KrbFastReq,
+        &ett_kerberos_FastOptions,
+#endif
+#include "packet-kerberos-ettarr.c"
+	};
+
+	static ei_register_info ei[] = {
+		{ &ei_kerberos_missing_keytype, { "kerberos.missing_keytype", PI_DECRYPTION, PI_WARN, "Missing keytype", EXPFILL }},
+		{ &ei_kerberos_decrypted_keytype, { "kerberos.decrypted_keytype", PI_SECURITY, PI_CHAT, "Decrypted keytype", EXPFILL }},
+		{ &ei_kerberos_learnt_keytype, { "kerberos.learnt_keytype", PI_SECURITY, PI_CHAT, "Learnt keytype", EXPFILL }},
+		{ &ei_kerberos_address, { "kerberos.address.unknown", PI_UNDECODED, PI_WARN, "KRB Address: I don't know how to parse this type of address yet", EXPFILL }},
+		{ &ei_krb_gssapi_dlglen, { "kerberos.gssapi.dlglen.error", PI_MALFORMED, PI_ERROR, "DlgLen is not the same as number of bytes remaining", EXPFILL }},
+	};
+
+	expert_module_t* expert_krb;
+	module_t *krb_module;
+
+	proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos");
+	proto_register_field_array(proto_kerberos, hf, array_length(hf));
+	proto_register_subtree_array(ett, array_length(ett));
+	expert_krb = expert_register_protocol(proto_kerberos);
+	expert_register_field_array(expert_krb, ei, array_length(ei));
+
+	/* Register dissectors */
+	kerberos_handle_udp = register_dissector("kerberos.udp", dissect_kerberos_udp, proto_kerberos);
+	kerberos_handle_tcp = register_dissector("kerberos.tcp", dissect_kerberos_tcp, proto_kerberos);
+
+	/* Register preferences */
+	krb_module = prefs_register_protocol(proto_kerberos, kerberos_prefs_apply_cb);
+	prefs_register_bool_preference(krb_module, "desegment",
+	"Reassemble Kerberos over TCP messages spanning multiple TCP segments",
+	"Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments."
+	" To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
+	&krb_desegment);
+#ifdef HAVE_KERBEROS
+	prefs_register_bool_preference(krb_module, "decrypt",
+	"Try to decrypt Kerberos blobs",
+	"Whether the dissector should try to decrypt "
+	"encrypted Kerberos blobs. This requires that the proper "
+	"keytab file is installed as well.", &krb_decrypt);
+
+	prefs_register_filename_preference(krb_module, "file",
+				   "Kerberos keytab file",
+				   "The keytab file containing all the secrets",
+				   &keytab_filename, FALSE);
+
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+	wmem_register_callback(wmem_epan_scope(), enc_key_list_cb, NULL);
+	kerberos_longterm_keys = wmem_map_new(wmem_epan_scope(),
+					      enc_key_content_hash,
+					      enc_key_content_equal);
+	kerberos_all_keys = wmem_map_new_autoreset(wmem_epan_scope(),
+						   wmem_file_scope(),
+						   enc_key_content_hash,
+						   enc_key_content_equal);
+	kerberos_app_session_keys = wmem_map_new_autoreset(wmem_epan_scope(),
+							   wmem_file_scope(),
+							   enc_key_content_hash,
+							   enc_key_content_equal);
+#endif /* defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS) */
+#endif /* HAVE_KERBEROS */
+
+}
+static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
+				 proto_tree *tree, dcerpc_info *di _U_,guint8 *drep _U_)
+{
+	tvbuff_t *auth_tvb;
+
+	auth_tvb = tvb_new_subset_remaining(tvb, offset);
+
+	dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
+
+	return tvb_captured_length_remaining(tvb, offset);
+}
+
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_connect_fns = {
+	wrap_dissect_gss_kerb,                      /* Bind */
+	wrap_dissect_gss_kerb,                      /* Bind ACK */
+	wrap_dissect_gss_kerb,                      /* AUTH3 */
+	NULL,                                       /* Request verifier */
+	NULL,                                       /* Response verifier */
+	NULL,                                       /* Request data */
+	NULL                                        /* Response data */
+};
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_sign_fns = {
+	wrap_dissect_gss_kerb,                      /* Bind */
+	wrap_dissect_gss_kerb,                      /* Bind ACK */
+	wrap_dissect_gss_kerb,                      /* AUTH3 */
+	wrap_dissect_gssapi_verf,                   /* Request verifier */
+	wrap_dissect_gssapi_verf,                   /* Response verifier */
+	NULL,                                       /* Request data */
+	NULL                                        /* Response data */
+};
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_seal_fns = {
+	wrap_dissect_gss_kerb,                      /* Bind */
+	wrap_dissect_gss_kerb,                      /* Bind ACK */
+	wrap_dissect_gss_kerb,                      /* AUTH3 */
+	wrap_dissect_gssapi_verf,                   /* Request verifier */
+	wrap_dissect_gssapi_verf,                   /* Response verifier */
+	wrap_dissect_gssapi_payload,                /* Request data */
+	wrap_dissect_gssapi_payload                 /* Response data */
+};
+
+
+
+void
+proto_reg_handoff_kerberos(void)
+{
+	krb4_handle = find_dissector_add_dependency("krb4", proto_kerberos);
+
+	dissector_add_uint_with_preference("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
+	dissector_add_uint_with_preference("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
+
+	register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT,
+									  DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+									  &gss_kerb_auth_connect_fns);
+
+	register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
+									  DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+									  &gss_kerb_auth_sign_fns);
+
+	register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
+									  DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+									  &gss_kerb_auth_seal_fns);
+}
+
+/*
+ * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
+ *
+ * Local variables:
+ * c-basic-offset: 8
+ * tab-width: 8
+ * indent-tabs-mode: t
+ * End:
+ *
+ * vi: set shiftwidth=8 tabstop=8 noexpandtab:
+ * :indentSize=8:tabSize=8:noTabs=false:
+ */
diff --git a/epan/dissectors/asn1/kerberos/packet-kerberos-template.h b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h
new file mode 100644
index 00000000..4f776ae9
--- /dev/null
+++ b/epan/dissectors/asn1/kerberos/packet-kerberos-template.h
@@ -0,0 +1,134 @@
+/* packet-kerberos.h
+ * Routines for kerberos packet dissection
+ * Copyright 2007, Anders Broman <anders.broman@ericsson.com>
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef __PACKET_KERBEROS_H
+#define __PACKET_KERBEROS_H
+
+#include "ws_symbol_export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+#ifndef KRB5_KU_USAGE_ACCEPTOR_SEAL
+#define KRB5_KU_USAGE_ACCEPTOR_SEAL     22
+#endif
+#ifndef KRB5_KU_USAGE_ACCEPTOR_SIGN
+#define KRB5_KU_USAGE_ACCEPTOR_SIGN     23
+#endif
+#ifndef KRB5_KU_USAGE_INITIATOR_SEAL
+#define KRB5_KU_USAGE_INITIATOR_SEAL    24
+#endif
+#ifndef KRB5_KU_USAGE_INITIATOR_SIGN
+#define KRB5_KU_USAGE_INITIATOR_SIGN    25
+#endif
+
+/* This is a list of callback functions a caller can use to specify that
+   octet strings in kerberos to be passed back to application specific
+   dissectors, outside of kerberos.
+   This is used for dissection of application specific data for PacketCable
+   KRB_SAFE user data and eventually to pass kerberos session keys
+   to future DCERPC decryption and other uses.
+   The list is terminated by {0, NULL }
+*/
+#define KRB_CBTAG_SAFE_USER_DATA	        1
+#define KRB_CBTAG_PRIV_USER_DATA	        2
+typedef struct _kerberos_callbacks {
+	int tag;
+	int (*callback)(packet_info *pinfo, tvbuff_t *tvb, proto_tree *tree);
+} kerberos_callbacks;
+
+/* Function prototypes */
+
+gboolean
+kerberos_is_win2k_pkinit(asn1_ctx_t *actx);
+
+gint
+dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, gboolean do_col_info, kerberos_callbacks *cb);
+
+int
+dissect_krb5_Checksum(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+
+int
+dissect_krb5_ctime(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+
+int dissect_krb5_cname(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+int dissect_krb5_realm(proto_tree *tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_);
+guint32 kerberos_output_keytype(void);
+
+guint get_krb_pdu_len(packet_info *, tvbuff_t *tvb, int offset, void *data _U_);
+
+gint kerberos_rm_to_reclen(guint krb_rm);
+
+void
+show_krb_recordmark(proto_tree *tree, tvbuff_t *tvb, gint start, guint32 krb_rm);
+
+int
+dissect_kerberos_KERB_TICKET_LOGON(tvbuff_t *tvb, int offset, asn1_ctx_t *actx, proto_tree *tree);
+
+#ifdef HAVE_KERBEROS
+#define KRB_MAX_ORIG_LEN	256
+#define KRB_MAX_KEY_LENGTH	32
+/*
+ * "18446744073709551615.18446744073709551615"
+ * sizeof("18446744073709551615") includes '\0',
+ * which is used once for '.' and then for '\0'.
+ */
+#define KRB_MAX_ID_STR_LEN (sizeof("18446744073709551615")*2)
+
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+typedef struct _enc_key_t {
+	struct _enc_key_t	*next;
+	int keytype;
+	int keylength;
+	guint8 keyvalue[KRB_MAX_KEY_LENGTH];
+	char key_origin[KRB_MAX_ORIG_LEN+1];
+	int fd_num; /* remember where we learned a key */
+	guint id; /* a unique id of the key, relative to fd_num */
+	char id_str[KRB_MAX_ID_STR_LEN+1];
+	struct _enc_key_t	*same_list;
+	guint num_same;
+	struct _enc_key_t	*src1;
+	struct _enc_key_t	*src2;
+} enc_key_t;
+extern enc_key_t *enc_key_list;
+extern wmem_map_t *kerberos_longterm_keys;
+
+guint8 *
+decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
+			int usage,
+			tvbuff_t *crypototvb,
+			int keytype,
+			int *datalen);
+
+tvbuff_t *
+decrypt_krb5_krb_cfx_dce(proto_tree *tree,
+			 packet_info *pinfo,
+			 int usage,
+			 int keytype,
+			 tvbuff_t *gssapi_header_tvb,
+			 tvbuff_t *gssapi_encrypted_tvb,
+			 tvbuff_t *gssapi_trailer_tvb,
+			 tvbuff_t *checksum_tvb);
+
+#endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
+
+extern gboolean krb_decrypt;
+
+#endif /* HAVE_KERBEROS */
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#include "packet-kerberos-exp.h"
+
+#endif  /* __PACKET_KERBEROS_H */