Further refactor GSS_API dissectors to pass gssapi_encrypt_info_t structure between dissectors instead of using packet_info.h

The only remaining explicit user of the packet_info members is the NTLMSSP dissector.  However, there may be "hidden" use of it in the spnego dissector passing between ASN.1 functions.
Someone more familiar with the protocols could possibly trim some of the "extra copies" between packet_info and gssapi_encrypt_info_t structure, but I went the "better safe than sorry" route.

Change-Id: I160d2cfccadc5f49b128609223cdff0162c3ca85
Reviewed-on: https://code.wireshark.org/review/11575
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>

2 files changed, 213 insertions, 73 deletions

diff --git a/asn1/kerberos/packet-kerberos-template.h b/asn1/kerberos/packet-kerberos-template.h
index 871a1211a1..4ed6a6e8cc 100644
--- a/asn1/kerberos/packet-kerberos-template.h
+++ b/asn1/kerberos/packet-kerberos-template.h
@@ -100,6 +100,41 @@ void read_keytab_file_from_preferences(void);
 
 #endif /* HAVE_KERBEROS */
 
+/* encryption type constants */
+#define KRB5_ENCTYPE_NULL		0
+#define KRB5_ENCTYPE_DES_CBC_CRC	1
+#define KRB5_ENCTYPE_DES_CBC_MD4	2
+#define KRB5_ENCTYPE_DES_CBC_MD5	3
+#define KRB5_ENCTYPE_DES_CBC_RAW	4
+#define KRB5_ENCTYPE_DES3_CBC_SHA	5
+#define KRB5_ENCTYPE_DES3_CBC_RAW	6
+#define KRB5_ENCTYPE_DES_HMAC_SHA1	8
+#define KRB5_ENCTYPE_DSA_SHA1_CMS	9
+#define KRB5_ENCTYPE_RSA_MD5_CMS	10
+#define KRB5_ENCTYPE_RSA_SHA1_CMS	11
+#define KRB5_ENCTYPE_RC2_CBC_ENV	12
+#define KRB5_ENCTYPE_RSA_ENV		13
+#define KRB5_ENCTYPE_RSA_ES_OEAP_ENV	14
+#define KRB5_ENCTYPE_DES_EDE3_CBC_ENV	15
+#define KRB5_ENCTYPE_DES3_CBC_SHA1	16
+#define KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
+#define KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
+#define KRB5_ENCTYPE_DES_CBC_MD5_NT	20
+#define KERB_ENCTYPE_RC4_HMAC		23
+#define KERB_ENCTYPE_RC4_HMAC_EXP	24
+#define KRB5_ENCTYPE_UNKNOWN		0x1ff
+#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1	0x7007
+#define KRB5_ENCTYPE_RC4_PLAIN_EXP	0xffffff73
+#define KRB5_ENCTYPE_RC4_PLAIN		0xffffff74
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD_EXP	0xffffff78
+#define KRB5_ENCTYPE_RC4_HMAC_OLD_EXP	0xffffff79
+#define KRB5_ENCTYPE_RC4_PLAIN_OLD	0xffffff7a
+#define KRB5_ENCTYPE_RC4_HMAC_OLD	0xffffff7b
+#define KRB5_ENCTYPE_DES_PLAIN		0xffffff7c
+#define KRB5_ENCTYPE_RC4_SHA		0xffffff7d
+#define KRB5_ENCTYPE_RC4_LM		0xffffff7e
+#define KRB5_ENCTYPE_RC4_PLAIN2		0xffffff7f
+#define KRB5_ENCTYPE_RC4_MD4		0xffffff80
 
 #include "packet-kerberos-exp.h"
 
diff --git a/asn1/spnego/packet-spnego-template.c b/asn1/spnego/packet-spnego-template.c
index 262eef5386..6041d4fedb 100644
--- a/asn1/spnego/packet-spnego-template.c
+++ b/asn1/spnego/packet-spnego-template.c
@@ -164,14 +164,36 @@ static const value_string spnego_krb5_seal_alg_vals[] = {
 static int
 dissect_spnego_krb5_getmic_base(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree);
 static int
-dissect_spnego_krb5_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint16 token_id);
+dissect_spnego_krb5_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint16 token_id, gssapi_encrypt_info_t* gssapi_encrypt);
 static int
 dissect_spnego_krb5_cfx_getmic_base(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree);
 static int
-dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint16 token_id);
+dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint16 token_id, gssapi_encrypt_info_t* gssapi_encrypt);
 
-static void
-dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+
+/* XXX - This should be TEMPORARY until these members in are removed from packet_info */
+static void packet_info_to_gssapi_encrypt(packet_info *pinfo, gssapi_encrypt_info_t* encrypt_info)
+{
+	encrypt_info->decrypt_gssapi_tvb = pinfo->decrypt_gssapi_tvb;
+	encrypt_info->gssapi_wrap_tvb = pinfo->gssapi_wrap_tvb;
+	encrypt_info->gssapi_encrypted_tvb = pinfo->gssapi_encrypted_tvb;
+	encrypt_info->gssapi_decrypted_tvb = pinfo->gssapi_decrypted_tvb;
+	encrypt_info->gssapi_data_encrypted = pinfo->gssapi_data_encrypted;
+}
+
+static void gssapi_encrypt_to_packet_info(packet_info *pinfo, gssapi_encrypt_info_t* encrypt_info)
+{
+	pinfo->decrypt_gssapi_tvb = encrypt_info->decrypt_gssapi_tvb;
+	pinfo->gssapi_wrap_tvb = encrypt_info->gssapi_wrap_tvb;
+	pinfo->gssapi_encrypted_tvb = encrypt_info->gssapi_encrypted_tvb;
+	pinfo->gssapi_decrypted_tvb = encrypt_info->gssapi_decrypted_tvb;
+	pinfo->gssapi_data_encrypted = encrypt_info->gssapi_data_encrypted;
+}
+
+
+
+static int
+dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
 {
 	proto_item *item;
 	proto_tree *subtree;
@@ -183,6 +205,8 @@ dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 	gboolean pc, ind = 0;
 	gint32 tag;
 	guint32 len;
+	gssapi_encrypt_info_t* encrypt_info = (gssapi_encrypt_info_t*)data;
+	gssapi_encrypt_info_t pass_encrypt_info;
 	asn1_ctx_t asn1_ctx;
 	asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
 
@@ -254,7 +278,7 @@ dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 		 * return.
 		 */
 		dissect_kerberos_main(tvb, pinfo, subtree, FALSE, NULL);
-		return;
+		return tvb_captured_length(tvb);
 
 	    default:
 		proto_tree_add_expert_format(subtree, pinfo, &ei_spnego_unknown_header, tvb, offset, 0,
@@ -286,7 +310,28 @@ dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 	  break;
 
 	case KRB_TOKEN_WRAP:
-          offset = dissect_spnego_krb5_wrap_base(tvb, offset, pinfo, subtree, token_id);
+		/* XXX - This is setup to hopefully remove the need for these members in packet_info
+		* If data is supplied to dissector, use it.  Otherwise convert to packet_info
+		*/
+		if (encrypt_info != NULL)
+		{
+			pass_encrypt_info = *encrypt_info;
+		}
+		else
+		{
+			packet_info_to_gssapi_encrypt(pinfo, &pass_encrypt_info);
+		}
+
+		offset = dissect_spnego_krb5_wrap_base(tvb, offset, pinfo, subtree, token_id, &pass_encrypt_info);
+
+		if (encrypt_info != NULL)
+		{
+			*encrypt_info = pass_encrypt_info;
+		}
+		else
+		{
+			gssapi_encrypt_to_packet_info(pinfo, &pass_encrypt_info);
+		}
 	  break;
 
 	case KRB_TOKEN_DELETE_SEC_CONTEXT:
@@ -298,7 +343,28 @@ dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 	  break;
 
 	case KRB_TOKEN_CFX_WRAP:
-          offset = dissect_spnego_krb5_cfx_wrap_base(tvb, offset, pinfo, subtree, token_id);
+		/* XXX - This is setup to hopefully remove the need for these members in packet_info
+		* If data is supplied to dissector, use it.  Otherwise convert to packet_info
+		*/
+		if (encrypt_info != NULL)
+		{
+			pass_encrypt_info = *encrypt_info;
+		}
+		else
+		{
+			packet_info_to_gssapi_encrypt(pinfo, &pass_encrypt_info);
+		}
+
+		offset = dissect_spnego_krb5_cfx_wrap_base(tvb, offset, pinfo, subtree, token_id, &pass_encrypt_info);
+
+		if (encrypt_info != NULL)
+		{
+			*encrypt_info = pass_encrypt_info;
+		}
+		else
+		{
+			gssapi_encrypt_to_packet_info(pinfo, &pass_encrypt_info);
+		}
 	  break;
 
 	default:
@@ -308,7 +374,7 @@ dissect_spnego_krb5(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
  done:
 	proto_item_set_len(item, offset);
-	return;
+	return tvb_captured_length(tvb);
 }
 
 #ifdef HAVE_KERBEROS
@@ -443,9 +509,7 @@ gssapi_verify_pad(guint8 *wrapped_data, int wrapped_length,
 }
 
 static int
-decrypt_arcfour(packet_info *pinfo,
-	 guint8 *input_message_buffer,
-	 guint8 *output_message_buffer,
+decrypt_arcfour(gssapi_encrypt_info_t* gssapi_encrypt, guint8 *input_message_buffer, guint8 *output_message_buffer,
 	 guint8 *key_value, int key_size, int key_type)
 {
     guint8 Klocaldata[16];
@@ -459,22 +523,22 @@ decrypt_arcfour(packet_info *pinfo,
     int conf_flag;
     int padlen = 0;
 
-    datalen = tvb_captured_length(pinfo->gssapi_encrypted_tvb);
+    datalen = tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb);
 
-    if(tvb_get_ntohs(pinfo->gssapi_wrap_tvb, 4)==0x1000){
+    if(tvb_get_ntohs(gssapi_encrypt->gssapi_wrap_tvb, 4)==0x1000){
 	conf_flag=1;
-    } else if (tvb_get_ntohs(pinfo->gssapi_wrap_tvb, 4)==0xffff){
+    } else if (tvb_get_ntohs(gssapi_encrypt->gssapi_wrap_tvb, 4)==0xffff){
 	conf_flag=0;
     } else {
 	return -3;
     }
 
-    if(tvb_get_ntohs(pinfo->gssapi_wrap_tvb, 6)!=0xffff){
+    if(tvb_get_ntohs(gssapi_encrypt->gssapi_wrap_tvb, 6)!=0xffff){
 	return -4;
     }
 
     ret = arcfour_mic_key(key_value, key_size, key_type,
-			  tvb_get_ptr(pinfo->gssapi_wrap_tvb, 16, 8),
+			  tvb_get_ptr(gssapi_encrypt->gssapi_wrap_tvb, 16, 8),
 			  8, /* SGN_CKSUM */
 			  k6_data);
     if (ret) {
@@ -485,7 +549,7 @@ decrypt_arcfour(packet_info *pinfo,
 	rc4_state_struct rc4_state;
 
 	crypt_rc4_init(&rc4_state, k6_data, sizeof(k6_data));
-	tvb_memcpy(pinfo->gssapi_wrap_tvb, SND_SEQ, 8, 8);
+	tvb_memcpy(gssapi_encrypt->gssapi_wrap_tvb, SND_SEQ, 8, 8);
 	crypt_rc4(&rc4_state, (guint8 *)SND_SEQ, 8);
 
 	memset(k6_data, 0, sizeof(k6_data));
@@ -514,12 +578,12 @@ decrypt_arcfour(packet_info *pinfo,
 	rc4_state_struct rc4_state;
 
 	crypt_rc4_init(&rc4_state, k6_data, sizeof(k6_data));
-	tvb_memcpy(pinfo->gssapi_wrap_tvb, Confounder, 24, 8);
+	tvb_memcpy(gssapi_encrypt->gssapi_wrap_tvb, Confounder, 24, 8);
 	crypt_rc4(&rc4_state, Confounder, 8);
 	memcpy(output_message_buffer, input_message_buffer, datalen);
 	crypt_rc4(&rc4_state, output_message_buffer, datalen);
     } else {
-	tvb_memcpy(pinfo->gssapi_wrap_tvb, Confounder, 24, 8);
+	tvb_memcpy(gssapi_encrypt->gssapi_wrap_tvb, Confounder, 24, 8);
 	memcpy(output_message_buffer,
 		input_message_buffer,
 	        datalen);
@@ -527,7 +591,7 @@ decrypt_arcfour(packet_info *pinfo,
     memset(k6_data, 0, sizeof(k6_data));
 
     /* only normal (i.e. non DCE style  wrapping use padding ? */
-    if(pinfo->decrypt_gssapi_tvb==DECRYPT_GSSAPI_NORMAL){
+    if(gssapi_encrypt->decrypt_gssapi_tvb==DECRYPT_GSSAPI_NORMAL){
 	ret = gssapi_verify_pad(output_message_buffer,datalen,datalen, &padlen);
     	if (ret) {
 	    return -9;
@@ -536,11 +600,11 @@ decrypt_arcfour(packet_info *pinfo,
     }
 
     /* don't know what the checksum looks like for dce style gssapi */
-    if(pinfo->decrypt_gssapi_tvb==DECRYPT_GSSAPI_NORMAL){
+    if(gssapi_encrypt->decrypt_gssapi_tvb==DECRYPT_GSSAPI_NORMAL){
 	ret = arcfour_mic_cksum(key_value, key_size,
 			    KRB5_KU_USAGE_SEAL,
 			    cksum_data,
-			    tvb_get_ptr(pinfo->gssapi_wrap_tvb, 0, 8), 8,
+			    tvb_get_ptr(gssapi_encrypt->gssapi_wrap_tvb, 0, 8), 8,
 			    Confounder, sizeof(Confounder),
 			    output_message_buffer,
 			    datalen + padlen);
@@ -548,7 +612,7 @@ decrypt_arcfour(packet_info *pinfo,
 	    return -10;
 	}
 
-	cmp = tvb_memeql(pinfo->gssapi_wrap_tvb, 16, cksum_data, 8); /* SGN_CKSUM */
+	cmp = tvb_memeql(gssapi_encrypt->gssapi_wrap_tvb, 16, cksum_data, 8); /* SGN_CKSUM */
 	if (cmp) {
 	    return -11;
 	}
@@ -562,7 +626,7 @@ decrypt_arcfour(packet_info *pinfo,
 #if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
 
 static void
-decrypt_gssapi_krb_arcfour_wrap(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb, int keytype)
+decrypt_gssapi_krb_arcfour_wrap(proto_tree *tree _U_, packet_info *pinfo, tvbuff_t *tvb, int keytype, gssapi_encrypt_info_t* gssapi_encrypt)
 {
 	int ret;
 	enc_key_t *ek;
@@ -572,8 +636,8 @@ decrypt_gssapi_krb_arcfour_wrap(proto_tree *tree _U_, packet_info *pinfo, tvbuff
 	guint8 *cryptocopy=NULL; /* workaround for pre-0.6.1 heimdal bug */
 	guint8 *output_message_buffer;
 
-	length=tvb_captured_length(pinfo->gssapi_encrypted_tvb);
-	original_data=tvb_get_ptr(pinfo->gssapi_encrypted_tvb, 0, length);
+	length=tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb);
+	original_data=tvb_get_ptr(gssapi_encrypt->gssapi_encrypted_tvb, 0, length);
 
 	/* don't do anything if we are not attempting to decrypt data */
 /*
@@ -600,26 +664,24 @@ decrypt_gssapi_krb_arcfour_wrap(proto_tree *tree _U_, packet_info *pinfo, tvbuff
 		  This has been seen for RC4-HMAC blobs.
 		*/
 		memcpy(cryptocopy, original_data, length);
-		ret=decrypt_arcfour(pinfo,
+		ret=decrypt_arcfour(gssapi_encrypt,
 				cryptocopy,
 				output_message_buffer,
 				ek->keyvalue,
 				ek->keylength,
-				ek->keytype
-					    );
+				ek->keytype);
 		if (ret >= 0) {
 			expert_add_info_format(pinfo, NULL, &ei_spnego_decrypted_keytype,
 								   "Decrypted keytype %d in frame %u using %s",
 								   ek->keytype, pinfo->fd->num, ek->key_origin);
 
-			pinfo->gssapi_decrypted_tvb=tvb_new_child_real_data(tvb,
+			gssapi_encrypt->gssapi_decrypted_tvb=tvb_new_child_real_data(tvb,
 				output_message_buffer,
 				ret, ret);
-			add_new_data_source(pinfo, pinfo->gssapi_decrypted_tvb, "Decrypted GSS-Krb5");
+			add_new_data_source(pinfo, gssapi_encrypt->gssapi_decrypted_tvb, "Decrypted GSS-Krb5");
 			return;
 		}
 	}
-	return;
 }
 
 /* borrowed from heimdal */
@@ -670,13 +732,12 @@ rrc_rotate(guint8 *data, int len, guint16 rrc, int unrotate)
 #define KRB5_KU_USAGE_INITIATOR_SIGN	25
 
 static void
-decrypt_gssapi_krb_cfx_wrap(proto_tree *tree _U_,
+decrypt_gssapi_krb_cfx_wrap(proto_tree *tree,
 			    packet_info *pinfo,
 			    tvbuff_t *checksum_tvb,
-			    tvbuff_t *encrypted_tvb,
+			    gssapi_encrypt_info_t* gssapi_encrypt,
 			    guint16 ec,
 			    guint16 rrc,
-			    gboolean is_dce,
 			    int keytype,
 			    unsigned int usage)
 {
@@ -690,22 +751,22 @@ decrypt_gssapi_krb_cfx_wrap(proto_tree *tree _U_,
 		return;
 	}
 
-	datalen = tvb_captured_length(checksum_tvb) + tvb_captured_length(encrypted_tvb);
+	datalen = tvb_captured_length(checksum_tvb) + tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb);
 
 	rotated = (guint8 *)wmem_alloc(pinfo->pool, datalen);
 
 	tvb_memcpy(checksum_tvb, rotated,
 		   0, tvb_captured_length(checksum_tvb));
-	tvb_memcpy(encrypted_tvb, rotated + tvb_captured_length(checksum_tvb),
-		   0, tvb_captured_length(encrypted_tvb));
+	tvb_memcpy(gssapi_encrypt->gssapi_encrypted_tvb, rotated + tvb_captured_length(checksum_tvb),
+		   0, tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb));
 
-	if (is_dce) {
+	if (gssapi_encrypt->decrypt_gssapi_tvb==DECRYPT_GSSAPI_DCE) {
 		rrc += ec;
 	}
 
 	rrc_rotate(rotated, datalen, rrc, TRUE);
 
-	next_tvb=tvb_new_child_real_data(encrypted_tvb, rotated,
+	next_tvb=tvb_new_child_real_data(gssapi_encrypt->gssapi_encrypted_tvb, rotated,
 					 datalen, datalen);
 	add_new_data_source(pinfo, next_tvb, "GSSAPI CFX");
 
@@ -715,18 +776,16 @@ decrypt_gssapi_krb_cfx_wrap(proto_tree *tree _U_,
 	if (output) {
 		guint8 *outdata;
 
-		outdata = (guint8 *)g_memdup(output, tvb_captured_length(encrypted_tvb));
+		outdata = (guint8 *)g_memdup(output, tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb));
 		g_free(output);
 
-		pinfo->gssapi_decrypted_tvb=tvb_new_child_real_data(encrypted_tvb,
+		gssapi_encrypt->gssapi_decrypted_tvb=tvb_new_child_real_data(gssapi_encrypt->gssapi_encrypted_tvb,
 			outdata,
-			tvb_captured_length(encrypted_tvb),
-			tvb_captured_length(encrypted_tvb));
-		add_new_data_source(pinfo, pinfo->gssapi_decrypted_tvb, "Decrypted GSS-Krb5");
-		tvb_set_free_cb(pinfo->gssapi_decrypted_tvb, g_free);
-		return;
+			tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb),
+			tvb_captured_length(gssapi_encrypt->gssapi_encrypted_tvb));
+		add_new_data_source(pinfo, gssapi_encrypt->gssapi_decrypted_tvb, "Decrypted GSS-Krb5");
+		tvb_set_free_cb(gssapi_encrypt->gssapi_decrypted_tvb, g_free);
 	}
-	return;
 }
 
 #endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
@@ -746,7 +805,8 @@ dissect_spnego_krb5_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 #ifndef HAVE_KERBEROS
 	_U_
 #endif
-    )
+	, gssapi_encrypt_info_t* gssapi_encrypt
+	)
 {
 	guint16 sgn_alg, seal_alg;
 #ifdef HAVE_KERBEROS
@@ -809,15 +869,15 @@ dissect_spnego_krb5_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 	}
 
 	/* Is the data encrypted? */
-	pinfo->gssapi_data_encrypted=(seal_alg!=KRB_SEAL_ALG_NONE);
+	gssapi_encrypt->gssapi_data_encrypted=(seal_alg!=KRB_SEAL_ALG_NONE);
 
 #ifdef HAVE_KERBEROS
 #define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
-	if(pinfo->decrypt_gssapi_tvb){
+	if(gssapi_encrypt->decrypt_gssapi_tvb){
 		/* if the caller did not provide a tvb, then we just use
 		   whatever is left of our current tvb.
 		*/
-		if(!pinfo->gssapi_encrypted_tvb){
+		if(!gssapi_encrypt->gssapi_encrypted_tvb){
 			int len;
 			len=tvb_reported_length_remaining(tvb,offset);
 			if(len>tvb_captured_length_remaining(tvb, offset)){
@@ -826,7 +886,7 @@ dissect_spnego_krb5_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 				*/
 				return offset;
 			}
-			pinfo->gssapi_encrypted_tvb = tvb_new_subset_length(
+			gssapi_encrypt->gssapi_encrypted_tvb = tvb_new_subset_length(
 					tvb, offset, len);
 		}
 
@@ -837,8 +897,8 @@ dissect_spnego_krb5_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 			/* do we need to create a tvb for the wrapper
 			   as well ?
 			*/
-			if(!pinfo->gssapi_wrap_tvb){
-				pinfo->gssapi_wrap_tvb = tvb_new_subset_length(
+			if(!gssapi_encrypt->gssapi_wrap_tvb){
+				gssapi_encrypt->gssapi_wrap_tvb = tvb_new_subset_length(
 					tvb, start_offset-2,
 					GSS_ARCFOUR_WRAP_TOKEN_SIZE);
 			}
@@ -846,7 +906,8 @@ dissect_spnego_krb5_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 			decrypt_gssapi_krb_arcfour_wrap(tree,
 				pinfo,
 				tvb,
-				23 /* rc4-hmac */);
+				KERB_ENCTYPE_RC4_HMAC,
+				gssapi_encrypt);
 #endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
 		}
 	}
@@ -958,6 +1019,7 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 	_U_
 #endif
     , proto_tree *tree, guint16 token_id _U_
+    , gssapi_encrypt_info_t* gssapi_encrypt
     )
 {
 	guint8 flags;
@@ -979,7 +1041,7 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 	flags = tvb_get_guint8(tvb, offset);
 	offset = dissect_spnego_krb5_cfx_flags(tvb, offset, tree, flags);
 
-	pinfo->gssapi_data_encrypted=(flags & 2);
+	gssapi_encrypt->gssapi_data_encrypted=(flags & 2);
 
 	/* Skip the filler */
 
@@ -1009,7 +1071,7 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 
 	/* Checksum of plaintext padded data */
 
-	if (pinfo->gssapi_data_encrypted) {
+	if (gssapi_encrypt->gssapi_data_encrypted) {
 		checksum_size = 44 + ec;
 
 		proto_tree_add_item(tree, hf_spnego_krb5_sgn_cksum, tvb, offset,
@@ -1046,7 +1108,7 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 #endif
 
 		returned_offset = offset;
-		pinfo->gssapi_wrap_tvb = tvb_new_subset_length(tvb, offset,
+		gssapi_encrypt->gssapi_wrap_tvb = tvb_new_subset_length(tvb, offset,
 						inner_token_len);
 
 		offset += inner_token_len;
@@ -1067,11 +1129,11 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 		return returned_offset;
 	}
 
-	if(pinfo->decrypt_gssapi_tvb){
+	if(gssapi_encrypt->decrypt_gssapi_tvb){
 		/* if the caller did not provide a tvb, then we just use
 		   whatever is left of our current tvb.
 		*/
-		if(!pinfo->gssapi_encrypted_tvb){
+		if(!gssapi_encrypt->gssapi_encrypted_tvb){
 			int len;
 			len=tvb_reported_length_remaining(tvb,offset);
 			if(len>tvb_captured_length_remaining(tvb, offset)){
@@ -1080,16 +1142,16 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 				*/
 				return offset;
 			}
-			pinfo->gssapi_encrypted_tvb = tvb_new_subset(
+			gssapi_encrypt->gssapi_encrypted_tvb = tvb_new_subset(
 					tvb, offset, len, len);
 		}
 
-		if (pinfo->gssapi_data_encrypted) {
+		if (gssapi_encrypt->gssapi_data_encrypted) {
 			/* do we need to create a tvb for the wrapper
 			   as well ?
 			*/
-			if(!pinfo->gssapi_wrap_tvb){
-				pinfo->gssapi_wrap_tvb = tvb_new_subset_length(
+			if(!gssapi_encrypt->gssapi_wrap_tvb){
+				gssapi_encrypt->gssapi_wrap_tvb = tvb_new_subset_length(
 					tvb, start_offset-2,
 					offset - (start_offset-2));
 			}
@@ -1100,15 +1162,14 @@ dissect_spnego_krb5_cfx_wrap_base(tvbuff_t *tvb, int offset, packet_info *pinfo
 {
 	tvbuff_t *checksum_tvb = tvb_new_subset_length(tvb, 16, checksum_size);
 
-	if (pinfo->gssapi_data_encrypted) {
-		if(pinfo->gssapi_encrypted_tvb){
+	if (gssapi_encrypt->gssapi_data_encrypted) {
+		if(gssapi_encrypt->gssapi_encrypted_tvb){
 			decrypt_gssapi_krb_cfx_wrap(tree,
 				pinfo,
 				checksum_tvb,
-				pinfo->gssapi_encrypted_tvb,
+				gssapi_encrypt,
 				ec,
 				rrc,
-				(pinfo->decrypt_gssapi_tvb==DECRYPT_GSSAPI_DCE)?TRUE:FALSE,
 				-1,
 				(flags & 0x0001)?
 				KRB5_KU_USAGE_ACCEPTOR_SEAL:
@@ -1186,12 +1247,14 @@ dissect_spnego_krb5_cfx_getmic_base(tvbuff_t *tvb, int offset, packet_info *pinf
  * getting it accepted.
  */
 static int
-dissect_spnego_krb5_wrap(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)
+dissect_spnego_krb5_wrap(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data)
 {
 	proto_item *item;
 	proto_tree *subtree;
 	int offset = 0;
 	guint16 token_id;
+	gssapi_encrypt_info_t* encrypt_info = (gssapi_encrypt_info_t*)data;
+	gssapi_encrypt_info_t pass_encrypt_info;
 
 	item = proto_tree_add_item(tree, hf_spnego_krb5, tvb, 0, -1, ENC_NA);
 
@@ -1217,7 +1280,28 @@ dissect_spnego_krb5_wrap(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree
 	  break;
 
 	case KRB_TOKEN_WRAP:
-          offset = dissect_spnego_krb5_wrap_base(tvb, offset, pinfo, subtree, token_id);
+		/* XXX - This is setup to hopefully remove the need for these members in packet_info
+		* If data is supplied to dissector, use it.  Otherwise convert to packet_info
+		*/
+		if (encrypt_info != NULL)
+		{
+			pass_encrypt_info = *encrypt_info;
+		}
+		else
+		{
+			packet_info_to_gssapi_encrypt(pinfo, &pass_encrypt_info);
+		}
+
+		offset = dissect_spnego_krb5_wrap_base(tvb, offset, pinfo, subtree, token_id, &pass_encrypt_info);
+
+		if (encrypt_info != NULL)
+		{
+			*encrypt_info = pass_encrypt_info;
+		}
+		else
+		{
+			gssapi_encrypt_to_packet_info(pinfo, &pass_encrypt_info);
+		}
 	  break;
 
 	case KRB_TOKEN_CFX_GETMIC:
@@ -1225,7 +1309,28 @@ dissect_spnego_krb5_wrap(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree
 	  break;
 
 	case KRB_TOKEN_CFX_WRAP:
-          offset = dissect_spnego_krb5_cfx_wrap_base(tvb, offset, pinfo, subtree, token_id);
+		/* XXX - This is setup to hopefully remove the need for these members in packet_info
+		* If data is supplied to dissector, use it.  Otherwise convert to packet_info
+		*/
+		if (encrypt_info != NULL)
+		{
+			pass_encrypt_info = *encrypt_info;
+		}
+		else
+		{
+			packet_info_to_gssapi_encrypt(pinfo, &pass_encrypt_info);
+		}
+
+		offset = dissect_spnego_krb5_cfx_wrap_base(tvb, offset, pinfo, subtree, token_id, &pass_encrypt_info);
+
+		if (encrypt_info != NULL)
+		{
+			*encrypt_info = pass_encrypt_info;
+		}
+		else
+		{
+			gssapi_encrypt_to_packet_info(pinfo, &pass_encrypt_info);
+		}
 	  break;
 
 	default:
@@ -1439,7 +1544,7 @@ void proto_register_spnego(void) {
 						    "SPNEGO-KRB5",
 						    "spnego-krb5");
 
-	register_dissector("spnego-krb5", dissect_spnego_krb5, proto_spnego_krb5);
+	new_register_dissector("spnego-krb5", dissect_spnego_krb5, proto_spnego_krb5);
 	new_register_dissector("spnego-krb5-wrap", dissect_spnego_krb5_wrap, proto_spnego_krb5);
 
 	/* Register fields and subtrees */