Add asn1 file from Heimdal use som stuff from it add more dissection in the template and .cnf file.

svn path=/trunk/; revision=26484

5 files changed, 810 insertions, 47 deletions

diff --git a/asn1/kerberos/KerberosV5Spec2.asn b/asn1/kerberos/KerberosV5Spec2.asn
index 6256618816..72aa3ed35e 100644
--- a/asn1/kerberos/KerberosV5Spec2.asn
+++ b/asn1/kerberos/KerberosV5Spec2.asn
@@ -53,13 +53,15 @@ KerberosString  ::= GeneralString (IA5String)
 Realm           ::= KerberosString
 
 PrincipalName   ::= SEQUENCE {
-        name-type       [0] Int32,
+--        name-type       [0] Int32, Use the translationj from krb5.asn (Heimdahl)
+        name-type       [0] NAME-TYPE,
         name-string     [1] SEQUENCE OF KerberosString
 }
 
 KerberosTime    ::= GeneralizedTime -- with no fractional seconds
 
 HostAddress     ::= SEQUENCE  {
+--      addr-type       [0] ADDR-TYPE, use k5.asn
         addr-type       [0] Int32,
         address         [1] OCTET STRING
 }
@@ -79,7 +81,8 @@ AuthorizationData       ::= SEQUENCE OF SEQUENCE {
 
 PA-DATA         ::= SEQUENCE {
         -- NOTE: first tag is [1], not [0]
-        padata-type     [1] Int32,
+--        padata-type     [1] Int32, use k5.asn
+        padata-type     [1] PADATA-TYPE,
         padata-value    [2] OCTET STRING -- might be encoded AP-REQ
 }
 
@@ -88,7 +91,8 @@ KerberosFlags   ::= BIT STRING (SIZE (32..MAX))
                     -- but no fewer than 32
 
 EncryptedData   ::= SEQUENCE {
-        etype   [0] Int32 -- EncryptionType --,
+--        etype   [0] Int32 - - EncryptionType - -, Use k5.asn
+        etype   [0] ENCTYPE -- EncryptionType --,
         kvno    [1] UInt32 OPTIONAL,
         cipher  [2] OCTET STRING -- ciphertext
 }
@@ -99,7 +103,8 @@ EncryptionKey   ::= SEQUENCE {
 }
 
 Checksum        ::= SEQUENCE {
-        cksumtype       [0] Int32,
+--        cksumtype       [0] Int32, Use k5.asn
+        cksumtype       [0] CKSUMTYPE,
         checksum        [1] OCTET STRING
 }
 
@@ -130,8 +135,8 @@ TransitedEncoding       ::= SEQUENCE {
         tr-type         [0] Int32 -- must be registered --,
         contents        [1] OCTET STRING
 }
-
-TicketFlags     ::= KerberosFlags
+-- Use the k5.asn def
+-- TicketFlags     ::= KerberosFlags
         -- reserved(0),
         -- forwardable(1),
         -- forwarded(2),
@@ -156,7 +161,8 @@ KDC-REQ         ::= SEQUENCE {
         -- NOTE: first tag is [1], not [0]
         pvno            [1] INTEGER (5) ,
 --        msg-type        [2] INTEGER (10 - - AS - - | 12 - - TGS - -),
-        msg-type        [2] INTEGER,
+--        msg-type        [2] INTEGER, use k5.asn
+        msg-type        [2] MESSAGE-TYPE,
         padata          [3] SEQUENCE OF PA-DATA OPTIONAL
                             -- NOTE: not empty --,
         req-body        [4] KDC-REQ-BODY
@@ -174,7 +180,8 @@ KDC-REQ-BODY    ::= SEQUENCE {
         till                    [5] KerberosTime,
         rtime                   [6] KerberosTime OPTIONAL,
         nonce                   [7] UInt32,
-        etype                   [8] SEQUENCE OF Int32 -- EncryptionType
+--        etype                   [8] SEQUENCE OF Int32 - - EncryptionType Use k5.asn
+        etype                   [8] SEQUENCE OF ENCTYPE -- EncryptionType
                                     -- in preference order --,
         addresses               [9] HostAddresses OPTIONAL,
         enc-authorization-data  [10] EncryptedData OPTIONAL
@@ -183,7 +190,8 @@ KDC-REQ-BODY    ::= SEQUENCE {
                                         -- NOTE: not empty
 }
 
-KDCOptions      ::= KerberosFlags
+-- Use th k5.asn def
+--KDCOptions      ::= KerberosFlags
         -- reserved(0),
         -- forwardable(1),
         -- forwarded(2),
@@ -216,7 +224,8 @@ TGS-REP         ::= [APPLICATION 13] KDC-REP
 KDC-REP         ::= SEQUENCE {
         pvno            [0] INTEGER (5),
 --        msg-type        [1] INTEGER (11 - - AS - - | 13 - - TGS - -),
-        msg-type        [1] INTEGER,
+--        msg-type        [1] INTEGER, use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
         padata          [2] SEQUENCE OF PA-DATA OPTIONAL
                                 -- NOTE: not empty --,
         crealm          [3] Realm,
@@ -243,23 +252,26 @@ EncKDCRepPart   ::= SEQUENCE {
         renew-till      [8] KerberosTime OPTIONAL,
         srealm          [9] Realm,
         sname           [10] PrincipalName,
-        caddr           [11] HostAddresses OPTIONAL
+        caddr           [11] HostAddresses OPTIONAL,
+	    encrypted-pa-data[12]	METHOD-DATA OPTIONAL -- from k5.asn
 }
 
 LastReq         ::=     SEQUENCE OF SEQUENCE {
-        lr-type         [0] Int32,
+--        lr-type         [0] Int32, Use k5.asn
+		lr-type         [0] LR-TYPE,
         lr-value        [1] KerberosTime
 }
 
 AP-REQ          ::= [APPLICATION 14] SEQUENCE {
         pvno            [0] INTEGER (5),
-        msg-type        [1] INTEGER (14),
+--        msg-type        [1] INTEGER (14), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
         ap-options      [2] APOptions,
         ticket          [3] Ticket,
         authenticator   [4] EncryptedData -- Authenticator
 }
-
-APOptions       ::= KerberosFlags
+-- Use the krb5.asn def.
+--APOptions       ::= KerberosFlags
         -- reserved(0),
         -- use-session-key(1),
         -- mutual-required(2)
@@ -279,7 +291,8 @@ Authenticator   ::= [APPLICATION 2] SEQUENCE  {
 
 AP-REP          ::= [APPLICATION 15] SEQUENCE {
         pvno            [0] INTEGER (5),
-        msg-type        [1] INTEGER (15),
+--        msg-type        [1] INTEGER (15), Use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
         enc-part        [2] EncryptedData -- EncAPRepPart
 }
 
@@ -292,7 +305,8 @@ EncAPRepPart    ::= [APPLICATION 27] SEQUENCE {
 
 KRB-SAFE        ::= [APPLICATION 20] SEQUENCE {
         pvno            [0] INTEGER (5),
-        msg-type        [1] INTEGER (20),
+--        msg-type        [1] INTEGER (20), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
         safe-body       [2] KRB-SAFE-BODY,
         cksum           [3] Checksum
 }
@@ -308,7 +322,8 @@ KRB-SAFE-BODY   ::= SEQUENCE {
 
 KRB-PRIV        ::= [APPLICATION 21] SEQUENCE {
         pvno            [0] INTEGER (5),
-        msg-type        [1] INTEGER (21),
+--        msg-type        [1] INTEGER (21), Use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
                         -- NOTE: there is no [2] tag
         enc-part        [3] EncryptedData -- EncKrbPrivPart
 }
@@ -324,7 +339,8 @@ EncKrbPrivPart  ::= [APPLICATION 28] SEQUENCE {
 
 KRB-CRED        ::= [APPLICATION 22] SEQUENCE {
         pvno            [0] INTEGER (5),
-        msg-type        [1] INTEGER (22),
+--        msg-type        [1] INTEGER (22), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
         tickets         [2] SEQUENCE OF Ticket,
         enc-part        [3] EncryptedData -- EncKrbCredPart
 }
@@ -354,7 +370,8 @@ KrbCredInfo     ::= SEQUENCE {
 
 KRB-ERROR       ::= [APPLICATION 30] SEQUENCE {
         pvno            [0] INTEGER (5),
-        msg-type        [1] INTEGER (30),
+--        msg-type        [1] INTEGER (30), use k5.asn
+        msg-type        [1] MESSAGE-TYPE,
         ctime           [2] KerberosTime OPTIONAL,
         cusec           [3] Microseconds OPTIONAL,
         stime           [4] KerberosTime,
@@ -385,14 +402,16 @@ PA-ENC-TS-ENC           ::= SEQUENCE {
 }
 
 ETYPE-INFO-ENTRY        ::= SEQUENCE {
-        etype           [0] Int32,
+--        etype           [0] Int32, use k5.asn
+        etype           [0] ENCTYPE,
         salt            [1] OCTET STRING OPTIONAL
 }
 
 ETYPE-INFO              ::= SEQUENCE OF ETYPE-INFO-ENTRY
 
 ETYPE-INFO2-ENTRY       ::= SEQUENCE {
-        etype           [0] Int32,
+--        etype           [0] Int32, use k5.asn
+        etype           [0] ENCTYPE,
         salt            [1] KerberosString OPTIONAL,
         s2kparams       [2] OCTET STRING OPTIONAL
 }
diff --git a/asn1/kerberos/Makefile.common b/asn1/kerberos/Makefile.common
index f5599f972d..f0825163aa 100644
--- a/asn1/kerberos/Makefile.common
+++ b/asn1/kerberos/Makefile.common
@@ -32,7 +32,8 @@ EXPORT_FILES = \
 
 EXT_ASN_FILE_LIST =
 
-ASN_FILE_LIST = KerberosV5Spec2.asn
+ASN_FILE_LIST = KerberosV5Spec2.asn \
+	k5.asn
 
 # The packet-$(PROTOCOL_NAME)-template.h and $(PROTOCOL_NAME).asn
 # files do not exist # for all protocols: Please add/remove as required.
diff --git a/asn1/kerberos/k5.asn b/asn1/kerberos/k5.asn
new file mode 100644
index 0000000000..c3f35d2a42
--- /dev/null
+++ b/asn1/kerberos/k5.asn
@@ -0,0 +1,694 @@
+-- Extracted from http://www.h5l.org/dist/src/heimdal-1.2.tar.gz
+-- Id: k5.asn1 22745 2008-03-24 12:07:54Z lha $
+-- Commented out stuff already in KerberosV5Spec2.asn
+-- $Id$
+KERBEROS5 DEFINITIONS ::=
+BEGIN
+
+NAME-TYPE ::= INTEGER {
+	kRB5-NT-UNKNOWN(0),	-- Name type not known
+	kRB5-NT-PRINCIPAL(1),	-- Just the name of the principal as in
+	kRB5-NT-SRV-INST(2),	-- Service and other unique instance (krbtgt)
+	kRB5-NT-SRV-HST(3),	-- Service with host name as instance
+	kRB5-NT-SRV-XHST(4),	-- Service with host as remaining components
+	kRB5-NT-UID(5),		-- Unique ID
+	kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
+	kRB5-NT-SMTP-NAME(7),	-- Name in form of SMTP email name
+	kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
+	kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
+	kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
+	kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
+}
+
+-- message types
+
+MESSAGE-TYPE ::= INTEGER {
+	krb-as-req(10), -- Request for initial authentication
+	krb-as-rep(11), -- Response to KRB_AS_REQ request
+	krb-tgs-req(12), -- Request for authentication based on TGT
+	krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
+	krb-ap-req(14), -- application request to server
+	krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
+	krb-safe(20), -- Safe (checksummed) application message
+	krb-priv(21), -- Private (encrypted) application message
+	krb-cred(22), -- Private (encrypted) message to forward credentials
+	krb-error(30) -- Error response
+}
+
+
+-- pa-data types
+
+PADATA-TYPE ::= INTEGER {
+	kRB5-PADATA-NONE(0),
+	kRB5-PADATA-TGS-REQ(1),
+	kRB5-PADATA-AP-REQ(1),
+	kRB5-PADATA-ENC-TIMESTAMP(2),
+	kRB5-PADATA-PW-SALT(3),
+	kRB5-PADATA-ENC-UNIX-TIME(5),
+	kRB5-PADATA-SANDIA-SECUREID(6),
+	kRB5-PADATA-SESAME(7),
+	kRB5-PADATA-OSF-DCE(8),
+	kRB5-PADATA-CYBERSAFE-SECUREID(9),
+	kRB5-PADATA-AFS3-SALT(10),
+	kRB5-PADATA-ETYPE-INFO(11),
+	kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
+	kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
+	kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
+	kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
+	kRB5-PADATA-PK-AS-REQ-WIN(15), -- (PKINIT - old number)
+	kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
+	kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
+	kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
+	kRB5-PADATA-ETYPE-INFO2(19),
+	kRB5-PADATA-USE-SPECIFIED-KVNO(20),
+	kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
+	kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
+	kRB5-PADATA-GET-FROM-TYPED-DATA(22),
+	kRB5-PADATA-SAM-ETYPE-INFO(23),
+	kRB5-PADATA-SERVER-REFERRAL(25),
+	kRB5-PADATA-TD-KRB-PRINCIPAL(102),	-- PrincipalName
+	kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
+	kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
+	kRB5-PADATA-TD-APP-DEFINED-ERROR(106),	-- application specific
+	kRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
+	kRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
+	kRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
+	kRB5-PADATA-S4U2SELF(129),
+	kRB5-PADATA-PK-AS-09-BINDING(132),	-- client send this to 
+						-- tell KDC that is supports 
+						-- the asCheckSum in the
+						--  PK-AS-REP
+	kRB5-PADATA-CLIENT-CANONICALIZED(133)	-- 
+}
+
+AUTHDATA-TYPE ::= INTEGER {
+	kRB5-AUTHDATA-IF-RELEVANT(1),
+	kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
+	kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
+	kRB5-AUTHDATA-KDC-ISSUED(4),
+	kRB5-AUTHDATA-AND-OR(5),
+	kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
+	kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
+	kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
+	kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
+	kRB5-AUTHDATA-OSF-DCE(64),
+	kRB5-AUTHDATA-SESAME(65),
+	kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
+	kRB5-AUTHDATA-WIN2K-PAC(128),
+	kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+	kRB5-AUTHDATA-SIGNTICKET(-17)
+}
+
+-- checksumtypes
+
+CKSUMTYPE ::= INTEGER {
+	cKSUMTYPE-NONE(0),
+	cKSUMTYPE-CRC32(1),
+	cKSUMTYPE-RSA-MD4(2),
+	cKSUMTYPE-RSA-MD4-DES(3),
+	cKSUMTYPE-DES-MAC(4),
+	cKSUMTYPE-DES-MAC-K(5),
+	cKSUMTYPE-RSA-MD4-DES-K(6),
+	cKSUMTYPE-RSA-MD5(7),
+	cKSUMTYPE-RSA-MD5-DES(8),
+	cKSUMTYPE-RSA-MD5-DES3(9),
+	cKSUMTYPE-SHA1-OTHER(10),
+	cKSUMTYPE-HMAC-SHA1-DES3(12),
+	cKSUMTYPE-SHA1(14),
+	cKSUMTYPE-HMAC-SHA1-96-AES-128(15),
+	cKSUMTYPE-HMAC-SHA1-96-AES-256(16),
+	cKSUMTYPE-GSSAPI(--0x8003--32771),
+	cKSUMTYPE-HMAC-MD5(-138),	-- unofficial microsoft number
+	cKSUMTYPE-HMAC-MD5-ENC(-1138)	-- even more unofficial
+}
+
+--enctypes
+ENCTYPE ::= INTEGER {
+	eTYPE-NULL(0),
+	eTYPE-DES-CBC-CRC(1),
+	eTYPE-DES-CBC-MD4(2),
+	eTYPE-DES-CBC-MD5(3),
+	eTYPE-DES3-CBC-MD5(5),
+	eTYPE-OLD-DES3-CBC-SHA1(7),
+	eTYPE-SIGN-DSA-GENERATE(8),
+	eTYPE-ENCRYPT-RSA-PRIV(9),
+	eTYPE-ENCRYPT-RSA-PUB(10),
+	eTYPE-DES3-CBC-SHA1(16),	-- with key derivation
+	eTYPE-AES128-CTS-HMAC-SHA1-96(17),
+	eTYPE-AES256-CTS-HMAC-SHA1-96(18),
+	eTYPE-ARCFOUR-HMAC-MD5(23),
+	eTYPE-ARCFOUR-HMAC-MD5-56(24),
+	eTYPE-ENCTYPE-PK-CROSS(48),
+-- some "old" windows types
+	eTYPE-ARCFOUR-MD4(-128),
+	eTYPE-ARCFOUR-HMAC-OLD(-133),
+	eTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
+-- these are for Heimdal internal use
+--	eTYPE-DES-CBC-NONE(-0x1000),
+	eTYPE-DES-CBC-NONE( -4096),
+--	eTYPE-DES3-CBC-NONE(-0x1001),
+	eTYPE-DES3-CBC-NONE(-4097),
+--	eTYPE-DES-CFB64-NONE(-0x1002),
+	eTYPE-DES-CFB64-NONE(-4098),
+--	eTYPE-DES-PCBC-NONE(-0x1003),
+	eTYPE-DES-PCBC-NONE(-4099),
+--	eTYPE-DIGEST-MD5-NONE(-0x1004),		- - private use, lukeh@padl.com
+	eTYPE-DIGEST-MD5-NONE(-4100),		-- private use, lukeh@padl.com
+--	eTYPE-CRAM-MD5-NONE(-0x1005)		- - private use, lukeh@padl.com
+	eTYPE-CRAM-MD5-NONE(-4101)		-- private use, lukeh@padl.com
+}
+
+-- addr-types (WS extension )
+ADDR-TYPE ::= INTEGER {
+    kRB5-ADDR-IPv4(2),
+    kRB5-ADDR-CHAOS(5),
+    kRB5-ADDR-XEROX(6),
+    kRB5-ADDR-ISO(7),
+    kRB5-ADDR-DECNET(12),
+    kRB5-ADDR-APPLETALK(16),
+    kRB5-ADDR-NETBIOS(20),
+    kRB5-ADDR-IPv6(24)
+}
+
+
+
+-- this is sugar to make something ASN1 does not have: unsigned
+
+Krb5uint32 ::= INTEGER (0..4294967295)
+Krb5int32 ::= INTEGER (-2147483648..2147483647)
+
+--KerberosString  ::= GeneralString
+
+--Realm ::= GeneralString
+--PrincipalName ::= SEQUENCE {
+--	name-type[0]		NAME-TYPE,
+--	name-string[1]		SEQUENCE OF GeneralString
+--}
+
+-- this is not part of RFC1510
+Principal ::= SEQUENCE {
+	name[0]		PrincipalName,
+	realm[1]		Realm
+}
+
+--HostAddress ::= SEQUENCE  {
+--	addr-type	[0]	Krb5int32,
+--	address		[1]	OCTET STRING
+--}
+
+-- This is from RFC1510.
+--
+-- HostAddresses ::= SEQUENCE OF SEQUENCE {
+-- 	addr-type[0]		Krb5int32,
+--	address[1]		OCTET STRING
+-- }
+
+-- This seems much better.
+--HostAddresses ::= SEQUENCE OF HostAddress
+
+
+--KerberosTime ::= GeneralizedTime - - Specifying UTC time zone (Z)
+
+--AuthorizationDataElement ::= SEQUENCE {
+--	ad-type[0]		Krb5int32,
+--	ad-data[1]		OCTET STRING
+--}
+
+--AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
+APOptions ::= BIT STRING {
+	reserved(0),
+	use-session-key(1),
+	mutual-required(2)
+}
+
+TicketFlags ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	may-postdate(5),
+	postdated(6),
+	invalid(7),
+	renewable(8),
+	initial(9),
+	pre-authent(10),
+	hw-authent(11),
+	transited-policy-checked(12),
+	ok-as-delegate(13),
+	anonymous(14)
+}
+
+KDCOptions ::= BIT STRING {
+	reserved(0),
+	forwardable(1),
+	forwarded(2),
+	proxiable(3),
+	proxy(4),
+	allow-postdate(5),
+	postdated(6),
+	unused7(7),
+	renewable(8),
+	unused9(9),
+	unused10(10),
+	unused11(11),
+	request-anonymous(14),
+	canonicalize(15),
+	constrained-delegation(16), -- ms extension
+	disable-transited-check(26),
+	renewable-ok(27),
+	enc-tkt-in-skey(28),
+	renew(30),
+	validate(31)
+}
+
+LR-TYPE ::= INTEGER {
+	lR-NONE(0),		-- no information
+	lR-INITIAL-TGT(1),	-- last initial TGT request
+	lR-INITIAL(2),		-- last initial request
+	lR-ISSUE-USE-TGT(3),	-- time of newest TGT used
+	lR-RENEWAL(4),		-- time of last renewal
+	lR-REQUEST(5),		-- time of last request (of any type)
+	lR-PW-EXPTIME(6),	-- expiration time of password
+	lR-ACCT-EXPTIME(7)	-- expiration time of account
+}
+
+--LastReq ::= SEQUENCE OF SEQUENCE {
+--	lr-type[0]		LR-TYPE,
+--	lr-value[1]		KerberosTime
+--}
+
+
+--EncryptedData ::= SEQUENCE {
+--	etype[0] 		ENCTYPE, - - EncryptionType
+--	kvno[1]			Krb5int32 OPTIONAL,
+--	cipher[2]		OCTET STRING - - ciphertext
+--}
+
+--EncryptionKey ::= SEQUENCE {
+--	keytype[0]		Krb5int32,
+--	keyvalue[1]		OCTET STRING
+--}
+
+-- encoded Transited field
+--TransitedEncoding ::= SEQUENCE {
+--	tr-type[0]		Krb5int32, - - must be registered
+--	contents[1]		OCTET STRING
+--}
+
+--Ticket ::= [APPLICATION 1] SEQUENCE {
+--	tkt-vno[0]		Krb5int32,
+--	realm[1]		Realm,
+--	sname[2]		PrincipalName,
+--	enc-part[3]		EncryptedData
+--}
+-- Encrypted part of ticket
+--EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+--	flags[0]		TicketFlags,
+--	key[1]			EncryptionKey,
+--	crealm[2]		Realm,
+--	cname[3]		PrincipalName,
+--	transited[4]		TransitedEncoding,
+--	authtime[5]		KerberosTime,
+--	starttime[6]		KerberosTime OPTIONAL,
+--	endtime[7]		KerberosTime,
+--	renew-till[8]		KerberosTime OPTIONAL,
+--	caddr[9]		HostAddresses OPTIONAL,
+--	authorization-data[10]	AuthorizationData OPTIONAL
+--}
+
+--Checksum ::= SEQUENCE {
+--	cksumtype[0]		CKSUMTYPE,
+--	checksum[1]		OCTET STRING
+--}
+
+--Authenticator ::= [APPLICATION 2] SEQUENCE    {
+--	authenticator-vno[0]	Krb5int32,
+--	crealm[1]		Realm,
+--	cname[2]		PrincipalName,
+--	cksum[3]		Checksum OPTIONAL,
+--	cusec[4]		Krb5int32,
+--	ctime[5]		KerberosTime,
+--	subkey[6]		EncryptionKey OPTIONAL,
+--	seq-number[7]		Krb5uint32 OPTIONAL,
+--	authorization-data[8]	AuthorizationData OPTIONAL
+--}
+
+--PA-DATA ::= SEQUENCE {
+	-- might be encoded AP-REQ
+--	padata-type[1]		PADATA-TYPE,
+--	padata-value[2]		OCTET STRING
+--}
+
+--ETYPE-INFO-ENTRY ::= SEQUENCE {
+--	etype[0]		ENCTYPE,
+--	salt[1]			OCTET STRING OPTIONAL,
+--	salttype[2]		Krb5int32 OPTIONAL
+--}
+
+--ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+--ETYPE-INFO2-ENTRY ::= SEQUENCE {
+--	etype[0]		ENCTYPE,
+--	salt[1]			KerberosString OPTIONAL,
+--	s2kparams[2]		OCTET STRING OPTIONAL
+--}
+
+--ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+-- METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+--TypedData ::=   SEQUENCE {
+--	data-type[0]		Krb5int32,
+--	data-value[1]		OCTET STRING OPTIONAL
+--}
+
+--TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
+
+--KDC-REQ-BODY ::= SEQUENCE {
+--	kdc-options[0]		KDCOptions,
+--	cname[1]		PrincipalName OPTIONAL, - - Used only in AS-REQ
+--	realm[2]		Realm,	- - Server's realm
+					-- Also client's in AS-REQ
+--	sname[3]		PrincipalName OPTIONAL,
+--	from[4]			KerberosTime OPTIONAL,
+--	till[5]			KerberosTime OPTIONAL,
+--	rtime[6]		KerberosTime OPTIONAL,
+--	nonce[7]		Krb5int32,
+--	etype[8]		SEQUENCE OF ENCTYPE, - - EncryptionType,
+					-- in preference order
+--	addresses[9]		HostAddresses OPTIONAL,
+--	enc-authorization-data[10] EncryptedData OPTIONAL,
+					-- Encrypted AuthorizationData encoding
+--	additional-tickets[11]	SEQUENCE OF Ticket OPTIONAL
+--}
+
+--KDC-REQ ::= SEQUENCE {
+--	pvno[1]			Krb5int32,
+--	msg-type[2]		MESSAGE-TYPE,
+--	padata[3]		METHOD-DATA OPTIONAL,
+--	req-body[4]		KDC-REQ-BODY
+--}
+
+--AS-REQ ::= [APPLICATION 10] KDC-REQ
+--TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+-- padata-type ::= PA-ENC-TIMESTAMP
+-- padata-value ::= EncryptedData - PA-ENC-TS-ENC
+
+--PA-ENC-TS-ENC ::= SEQUENCE {
+--	patimestamp[0]		KerberosTime, - - client's time
+--	pausec[1]		Krb5int32 OPTIONAL
+--}
+
+-- draft-brezak-win2k-krb-authz-01
+PA-PAC-REQUEST ::= SEQUENCE {
+	include-pac[0]		BOOLEAN -- Indicates whether a PAC 
+					-- should be included or not
+}
+
+-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
+PROV-SRV-LOCATION ::= GeneralString
+
+--KDC-REP ::= SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	padata[2]		METHOD-DATA OPTIONAL,
+--	crealm[3]		Realm,
+--	cname[4]		PrincipalName,
+--	ticket[5]		Ticket,
+--	enc-part[6]		EncryptedData
+--}
+
+--AS-REP ::= [APPLICATION 11] KDC-REP
+--TGS-REP ::= [APPLICATION 13] KDC-REP
+
+--EncKDCRepPart ::= SEQUENCE {
+--	key[0]			EncryptionKey,
+--	last-req[1]		LastReq,
+--	nonce[2]		Krb5int32,
+--	key-expiration[3]	KerberosTime OPTIONAL,
+--	flags[4]		TicketFlags,
+--	authtime[5]		KerberosTime,
+--	starttime[6]		KerberosTime OPTIONAL,
+--	endtime[7]		KerberosTime,
+--	renew-till[8]		KerberosTime OPTIONAL,
+--	srealm[9]		Realm,
+--	sname[10]		PrincipalName,
+--	caddr[11]		HostAddresses OPTIONAL,
+--	encrypted-pa-data[12]	METHOD-DATA OPTIONAL
+--}
+
+--EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+--EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+--AP-REQ ::= [APPLICATION 14] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	ap-options[2]		APOptions,
+--	ticket[3]		Ticket,
+--	authenticator[4]	EncryptedData
+--}
+
+--AP-REP ::= [APPLICATION 15] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	enc-part[2]		EncryptedData
+--}
+
+--EncAPRepPart ::= [APPLICATION 27]     SEQUENCE {
+--	ctime[0]		KerberosTime,
+--	cusec[1]		Krb5int32,
+--	subkey[2]		EncryptionKey OPTIONAL,
+--	seq-number[3]		Krb5uint32 OPTIONAL
+--}
+
+--KRB-SAFE-BODY ::= SEQUENCE {
+--	user-data[0]		OCTET STRING,
+--	timestamp[1]		KerberosTime OPTIONAL,
+--	usec[2]			Krb5int32 OPTIONAL,
+--	seq-number[3]		Krb5uint32 OPTIONAL,
+--	s-address[4]		HostAddress OPTIONAL,
+--	r-address[5]		HostAddress OPTIONAL
+--}
+
+--KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	safe-body[2]		KRB-SAFE-BODY,
+--	cksum[3]		Checksum
+--}
+
+--KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	enc-part[3]		EncryptedData
+--}
+--EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+--	user-data[0]		OCTET STRING,
+--	timestamp[1]		KerberosTime OPTIONAL,
+--	usec[2]			Krb5int32 OPTIONAL,
+--	seq-number[3]		Krb5uint32 OPTIONAL,
+--	s-address[4]		HostAddress OPTIONAL, - - sender's addr
+--	r-address[5]		HostAddress OPTIONAL  - - recip's addr
+--}
+
+--KRB-CRED ::= [APPLICATION 22]   SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE, - - KRB_CRED
+--	tickets[2]		SEQUENCE OF Ticket,
+--	enc-part[3]		EncryptedData
+--}
+
+--KrbCredInfo ::= SEQUENCE {
+--	key[0]			EncryptionKey,
+--	prealm[1]		Realm OPTIONAL,
+--	pname[2]		PrincipalName OPTIONAL,
+--	flags[3]		TicketFlags OPTIONAL,
+--	authtime[4]		KerberosTime OPTIONAL,
+--	starttime[5]		KerberosTime OPTIONAL,
+--	endtime[6] 		KerberosTime OPTIONAL,
+--	renew-till[7]		KerberosTime OPTIONAL,
+--	srealm[8]		Realm OPTIONAL,
+--	sname[9]		PrincipalName OPTIONAL,
+--	caddr[10]		HostAddresses OPTIONAL
+--}
+
+--EncKrbCredPart ::= [APPLICATION 29]   SEQUENCE {
+--	ticket-info[0]		SEQUENCE OF KrbCredInfo,
+--	nonce[1]		Krb5int32 OPTIONAL,
+--	timestamp[2]		KerberosTime OPTIONAL,
+--	usec[3]			Krb5int32 OPTIONAL,
+--	s-address[4]		HostAddress OPTIONAL,
+--	r-address[5]		HostAddress OPTIONAL
+--}
+
+--KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+--	pvno[0]			Krb5int32,
+--	msg-type[1]		MESSAGE-TYPE,
+--	ctime[2]		KerberosTime OPTIONAL,
+--	cusec[3]		Krb5int32 OPTIONAL,
+--	stime[4]		KerberosTime,
+--	susec[5]		Krb5int32,
+--	error-code[6]		Krb5int32,
+--	crealm[7]		Realm OPTIONAL,
+--	cname[8]		PrincipalName OPTIONAL,
+--	realm[9]		Realm, - - Correct realm
+--	sname[10]		PrincipalName, - - Correct name
+--	e-text[11]		GeneralString OPTIONAL,
+--	e-data[12]		OCTET STRING OPTIONAL
+--}
+
+ChangePasswdDataMS ::= SEQUENCE {
+	newpasswd[0]		OCTET STRING,
+	targname[1]		PrincipalName OPTIONAL,
+	targrealm[2]		Realm OPTIONAL
+}
+
+EtypeList ::= SEQUENCE OF Krb5int32
+	-- the client's proposed enctype list in
+	-- decreasing preference order, favorite choice first
+
+--krb5-pvno Krb5int32 ::= 5 - - current Kerberos protocol version number
+
+-- transited encodings
+
+--DOMAIN-X500-COMPRESS	Krb5int32 ::= 1
+
+-- authorization data primitives
+
+--AD-IF-RELEVANT ::= AuthorizationData
+
+--AD-KDCIssued ::= SEQUENCE {
+--	ad-checksum[0]		Checksum,
+--	i-realm[1]		Realm OPTIONAL,
+--	i-sname[2]		PrincipalName OPTIONAL,
+--	elements[3]		AuthorizationData
+--}
+
+--AD-AND-OR ::= SEQUENCE {
+--	condition-count[0]	INTEGER,
+--	elements[1]		AuthorizationData
+--}
+
+--AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+-- PA-SAM-RESPONSE-2/PA-SAM-RESPONSE-2
+
+PA-SAM-TYPE ::= INTEGER {
+	pA-SAM-TYPE-ENIGMA(1),		-- Enigma Logic
+	pA-SAM-TYPE-DIGI-PATH(2),	-- Digital Pathways
+	pA-SAM-TYPE-SKEY-K0(3),		-- S/key where  KDC has key 0
+	pA-SAM-TYPE-SKEY(4),		-- Traditional S/Key
+	pA-SAM-TYPE-SECURID(5),		-- Security Dynamics
+	pA-SAM-TYPE-CRYPTOCARD(6)	-- CRYPTOCard
+}
+
+PA-SAM-REDIRECT ::= HostAddresses
+
+SAMFlags ::= BIT STRING {
+	use-sad-as-key(0),
+	send-encrypted-sad(1),
+	must-pk-encrypt-sad(2)
+}
+
+PA-SAM-CHALLENGE-2-BODY ::= SEQUENCE {
+	sam-type[0]		Krb5int32,
+	sam-flags[1]		SAMFlags,
+	sam-type-name[2]	GeneralString OPTIONAL,
+	sam-track-id[3]		GeneralString OPTIONAL,
+	sam-challenge-label[4]	GeneralString OPTIONAL,
+	sam-challenge[5]	GeneralString OPTIONAL,
+	sam-response-prompt[6]	GeneralString OPTIONAL,
+	sam-pk-for-sad[7]	EncryptionKey OPTIONAL,
+	sam-nonce[8]		Krb5int32,
+	sam-etype[9]		Krb5int32,
+	...
+}
+
+PA-SAM-CHALLENGE-2 ::= SEQUENCE {
+	sam-body[0]		PA-SAM-CHALLENGE-2-BODY,
+	sam-cksum[1]		SEQUENCE OF Checksum, -- (1..MAX)
+	...
+}
+
+PA-SAM-RESPONSE-2 ::= SEQUENCE {
+	sam-type[0]		Krb5int32,
+	sam-flags[1]		SAMFlags,
+	sam-track-id[2]		GeneralString OPTIONAL,
+	sam-enc-nonce-or-sad[3]	EncryptedData, -- PA-ENC-SAM-RESPONSE-ENC
+	sam-nonce[4]		Krb5int32,
+	...
+}
+
+PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
+	sam-nonce[0]		Krb5int32,
+	sam-sad[1]		GeneralString OPTIONAL,
+	...
+}
+
+PA-S4U2Self ::= SEQUENCE {
+	name[0]		PrincipalName,
+        realm[1]	Realm,
+        cksum[2]	Checksum,
+        auth[3]		GeneralString
+}
+
+KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
+
+-- never encoded on the wire, just used to checksum over
+KRB5SignedPathData ::= SEQUENCE {
+	encticket[0]	EncTicketPart,
+	delegated[1]	KRB5SignedPathPrincipals OPTIONAL
+}
+
+KRB5SignedPath ::= SEQUENCE {
+	-- DERcoded KRB5SignedPathData
+	-- krbtgt key (etype), KeyUsage = XXX 
+	etype[0]	ENCTYPE,
+	cksum[1]	Checksum,
+	-- srvs delegated though
+	delegated[2]	KRB5SignedPathPrincipals OPTIONAL
+}
+
+PA-ClientCanonicalizedNames ::= SEQUENCE{
+	requested-name	[0] PrincipalName,
+	mapped-name	[1] PrincipalName
+}
+
+PA-ClientCanonicalized ::= SEQUENCE {
+	names		[0] PA-ClientCanonicalizedNames,
+	canon-checksum	[1] Checksum
+}
+
+AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
+	login-alias	[0] PrincipalName,
+	checksum	[1] Checksum
+}
+
+-- old ms referral
+PA-SvrReferralData ::= SEQUENCE {
+	referred-name   [1] PrincipalName OPTIONAL,
+	referred-realm  [0] Realm
+}
+
+PA-SERVER-REFERRAL-DATA ::= EncryptedData
+
+PA-ServerReferralData ::= SEQUENCE {
+	referred-realm		[0] Realm OPTIONAL,
+	true-principal-name	[1] PrincipalName OPTIONAL,
+	requested-principal-name [2] PrincipalName OPTIONAL,
+	referral-valid-until     [3] KerberosTime OPTIONAL,
+	...
+}
+-- WS put extensions found elsewere here
+-- http://msdn.microsoft.com/en-us/library/cc206948.aspx
+--
+KERB-PA-PAC-REQUEST ::= SEQUENCE { 
+include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. 
+                       --If FALSE, and PAC present, remove PAC 
+} 
+END
+
+-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
diff --git a/asn1/kerberos/kerberos.cnf b/asn1/kerberos/kerberos.cnf
index 451bb7cfca..9b74a2d5fe 100644
--- a/asn1/kerberos/kerberos.cnf
+++ b/asn1/kerberos/kerberos.cnf
@@ -12,7 +12,7 @@ Realm
 EncryptedData/etype encryptedData_etype
 KDC-REQ-BODY/etype kDC-REQ-BODY_etype
 
-#.FN_BODY KDC-REQ/msg-type VAL_PTR = &msgtype
+#.FN_BODY MESSAGE-TYPE VAL_PTR = &msgtype
 guint32 msgtype;
 
 %(DEFAULT_BODY)s
@@ -29,9 +29,8 @@ guint32 msgtype;
 #.FN_BODY Int32 VAL_PTR = actx->value_ptr
 %(DEFAULT_BODY)s
 
-#.FN_BODY PA-DATA/padata-type
-/* Calling Int32 returns the value in ctx->value_ptr */
-actx->value_ptr = &krb_PA_DATA_type;
+#.FN_BODY PADATA-TYPE VAL_PTR = &krb_PA_DATA_type
+
 %(DEFAULT_BODY)s
 
 krb_PA_DATA_type&=0xff; /*this is really just one single byte */
@@ -50,49 +49,42 @@ proto_tree *sub_tree=tree;
 
 	switch(krb_PA_DATA_type){
 	case KRB5_PA_TGS_REQ:
-		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_kerberos_Applications);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
  		break;
 	case KRB5_PA_PK_AS_REQ:
-		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_pkinit_PaPkAsReq);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
  		break;
  	case KRB5_PA_PK_AS_REP:
-		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_pkinit_PaPkAsRep);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
  		break;
-		/*
 	case KRB5_PA_PAC_REQUEST:
-		offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_PAC_REQUEST);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST);
 		break;
 	case KRB5_PA_S4U2SELF:
-		offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_S4U2SELF);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
  		break;
 	case KRB5_PA_PROV_SRV_LOCATION:
-		offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_PROV_SRV_LOCATION);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
  		break;
- 		*/
 	case KRB5_PA_ENC_TIMESTAMP:
-		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_kerberos_PA_ENC_TIMESTAMP);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
  		break;
- 		/*
 	case KRB5_PA_ENCTYPE_INFO:
-		offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_ENCTYPE_INFO);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
  		break;
 	case KRB5_PA_ENCTYPE_INFO2:
-		offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PA_ENCTYPE_INFO2);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
  		break;
 	case KRB5_PA_PW_SALT:
-		offset=dissect_ber_old_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, dissect_krb5_PW_SALT);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
  		break;
-	*/
 	default:
-		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_kerberos_padata_value, NULL);
+		offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
 	}
 /*qqq*/
 
 
 #.TYPE_ATTR
-KDC-REQ/msg-type  TYPE = FT_UINT32  DISPLAY = BASE_DEC  STRINGS = VALS(krb5_msg_types)
-# this does not work for some reason :(
-EncryptedData/etype  TYPE = FT_UINT32  DISPLAY = BASE_DEC  STRINGS = VALS(krb5_encryption_types)
-
+#xxx TYPE = FT_UINT16  DISPLAY = BASE_DEC  STRINGS = VALS(xx_vals)
 
 
diff --git a/asn1/kerberos/packet-kerberos-template.c b/asn1/kerberos/packet-kerberos-template.c
index 529e2379ee..8344952fc2 100644
--- a/asn1/kerberos/packet-kerberos-template.c
+++ b/asn1/kerberos/packet-kerberos-template.c
@@ -118,7 +118,10 @@ static gboolean do_col_info;
 /* Forward declarations */
 static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
-
+static int dissect_kerberos_KERB_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 /* Desegment Kerberos over TCP messages */
 static gboolean krb_desegment = TRUE;
 
@@ -128,6 +131,9 @@ static struct { const char *set; const char *unset; } bitval = { "Set", "Not set
 
 static gint hf_krb_rm_reserved = -1;
 static gint hf_krb_rm_reclen = -1;
+static gint hf_krb_provsrv_location = -1;
+static gint hf_krb_smb_nt_status = -1;
+static gint hf_krb_smb_unknown = -1;
 #include "packet-kerberos-hf.c"
 
 /* Initialize the subtree pointers */
@@ -1253,6 +1259,48 @@ dissect_krb5_decrypt_authenticator_data (proto_tree *tree, tvbuff_t *tvb, int of
 }
 #endif
 
+static int
+dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+	offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
+
+	return offset;
+}
+
+static int
+dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+	guint32 nt_status;
+
+	/* Microsoft stores a special 12 byte blob here
+	 * guint32 NT_status
+	 * guint32 unknown
+	 * guint32 unknown
+	 * decode everything as this blob for now until we see if anyone
+	 * else ever uses it   or we learn how to tell wether this
+	 * is such an MS blob or not.
+	 */
+	proto_tree_add_item(tree, hf_krb_smb_nt_status, tvb, offset, 4,
+			TRUE);
+	nt_status=tvb_get_letohl(tvb, offset);
+	if(nt_status && check_col(actx->pinfo->cinfo, COL_INFO)) {
+		col_append_fstr(actx->pinfo->cinfo, COL_INFO,
+			" NT Status: %s",
+			val_to_str(nt_status, NT_errors,
+			"Unknown error code %#x"));
+	}
+	offset += 4;
+
+	proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4,
+			TRUE);
+	offset += 4;
+
+	proto_tree_add_item(tree, hf_krb_smb_unknown, tvb, offset, 4,
+			TRUE);
+	offset += 4;
+
+	return offset;
+}
 
 #include "packet-kerberos-fn.c"
 
@@ -1482,6 +1530,15 @@ void proto_register_kerberos(void) {
 	{ &hf_krb_rm_reclen, {
 	    "Record Length", "kerberos.rm.length", FT_UINT32, BASE_DEC,
 	    NULL, KRB_RM_RECLEN, "Record length", HFILL }},
+	{ &hf_krb_provsrv_location, {
+	    "PROVSRV Location", "kerberos.provsrv_location", FT_STRING, BASE_NONE,
+	    NULL, 0, "PacketCable PROV SRV Location", HFILL }},
+	{ &hf_krb_smb_nt_status,
+		{ "NT Status", "kerberos.smb.nt_status", FT_UINT32, BASE_HEX,
+		VALS(NT_errors), 0, "NT Status code", HFILL }},
+	{ &hf_krb_smb_unknown,
+		{ "Unknown", "kerberos.smb.unknown", FT_UINT32, BASE_HEX,
+		NULL, 0, "unknown", HFILL }},
 
 #include "packet-kerberos-hfarr.c"
   };