Note that pre-0.6 libpcap didn't handle HP-UX as well as 0.6 and later

[obnox/wireshark/wip.git] / packet-kerberos.c
diff --git a/packet-kerberos.c b/packet-kerberos.c

index 76a9ccff54ecf26f10c05a9a6af4f88c8d0e80ab..e6da1efcce3d51d28566fa2d8be37c77c15d37ee 100644 (file)
--- a/packet-kerberos.c
+++ b/packet-kerberos.c
@@ -3,11 +3,11 @@
   * Wes Hardaker (c) 2000
   * wjhardaker@ucdavis.edu
   *
- * $Id: packet-kerberos.c,v 1.8 2000/12/24 09:10:11 guy Exp $
+ * $Id: packet-kerberos.c,v 1.20 2002/01/21 07:36:36 guy Exp $
   *
   * Ethereal - Network traffic analyzer
- * By Gerald Combs <gerald@zing.org>
- * Copyright 1998 Didier Jorand
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
   *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -38,25 +38,27 @@
  
  #include <glib.h>
  
-#include "packet.h"
+#include <epan/packet.h>
  
-#include "strutil.h"
+#include <epan/strutil.h>
  
  #include "asn1.h"
  
  #define UDP_PORT_KERBEROS              88
  #define TCP_PORT_KERBEROS              88
  
-static gint ett_kerberos   = -1;
-static gint ett_preauth    = -1;
-static gint ett_addresses  = -1;
-static gint ett_request    = -1;
-static gint ett_princ      = -1;
-static gint ett_ticket     = -1;
-static gint ett_encrypted  = -1;
-static gint ett_etype      = -1;
  static gint proto_kerberos = -1;
  
+static gint ett_kerberos = -1;
+static gint ett_preauth = -1;
+static gint ett_addresses = -1;
+static gint ett_request = -1;
+static gint ett_princ = -1;
+static gint ett_ticket = -1;
+static gint ett_encrypted = -1;
+static gint ett_etype = -1;
+static gint ett_additional_tickets = -1;
+
  #define KRB5_MSG_AS_REQ   10   /* AS-REQ type */
  #define KRB5_MSG_AS_REP   11   /* AS-REP type */
  #define KRB5_MSG_TGS_REQ  12   /* TGS-REQ type */
@@ -93,11 +95,27 @@ static gint proto_kerberos = -1;
  #define KRB5_BODY_TILL                   5
  #define KRB5_BODY_RTIME                  6
  #define KRB5_BODY_NONCE                  7
-#define KRB5_BODY_ETYPE                  8
+#define KRB5_BODY_ENCTYPE                8
  #define KRB5_BODY_ADDRESSES              9
  #define KRB5_BODY_ENC_AUTHORIZATION_DATA 10
  #define KRB5_BODY_ADDITIONAL_TICKETS     11
  
+/* Type tags within KRB-ERROR */
+#define KRB5_ERROR_PVNO       0
+#define KRB5_ERROR_MSG_TYPE   1
+#define KRB5_ERROR_CTIME      2
+#define KRB5_ERROR_CUSEC      3
+#define KRB5_ERROR_STIME      4
+#define KRB5_ERROR_SUSEC      5
+#define KRB5_ERROR_ERROR_CODE 6
+#define KRB5_ERROR_CREALM     7
+#define KRB5_ERROR_CNAME      8
+#define KRB5_ERROR_REALM      9
+#define KRB5_ERROR_SNAME      10
+#define KRB5_ERROR_ETEXT      11
+#define KRB5_ERROR_EDATA      12
+
+/* address type constants */
  #define KRB5_ADDR_IPv4       0x02
  #define KRB5_ADDR_CHAOS      0x05
  #define KRB5_ADDR_XEROX      0x06
@@ -105,14 +123,34 @@ static gint proto_kerberos = -1;
  #define KRB5_ADDR_DECNET     0x0c
  #define KRB5_ADDR_APPLETALK  0x10
  
-#define KRB5_ETYPE_NULL                0
-#define KRB5_ETYPE_DES_CBC_CRC         1
-#define KRB5_ETYPE_DES_CBC_MD4         2
-#define KRB5_ETYPE_DES_CBC_MD5         3
-
-#define KRB5_PA_TGS_REQ       0x01
-#define KRB5_PA_ENC_TIMESTAMP 0x02
-#define KRB5_PA_PW_SALT       0x03
+/* encryption type constants */
+#define KRB5_ENCTYPE_NULL                0
+#define KRB5_ENCTYPE_DES_CBC_CRC         1
+#define KRB5_ENCTYPE_DES_CBC_MD4         2
+#define KRB5_ENCTYPE_DES_CBC_MD5         3
+#define KRB5_ENCTYPE_DES_CBC_RAW         4
+#define KRB5_ENCTYPE_DES3_CBC_SHA        5
+#define KRB5_ENCTYPE_DES3_CBC_RAW        6
+#define KRB5_ENCTYPE_DES_HMAC_SHA1       8
+#define KRB5_ENCTYPE_DES3_CBC_SHA1          0x10 
+#define KRB5_ENCTYPE_UNKNOWN                0x1ff
+#define KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1   0x7007
+
+/* pre-authentication type constants */
+#define KRB5_PA_TGS_REQ                1
+#define KRB5_PA_ENC_TIMESTAMP          2
+#define KRB5_PA_PW_SALT                3
+#define KRB5_PA_ENC_ENCKEY             4
+#define KRB5_PA_ENC_UNIX_TIME          5
+#define KRB5_PA_ENC_SANDIA_SECURID     6
+#define KRB5_PA_SESAME                 7
+#define KRB5_PA_OSF_DCE                8
+#define KRB5_PA_CYBERSAFE_SECUREID     9
+#define KRB5_PA_AFS3_SALT              10
+#define KRB5_PA_ENCTYPE_INFO             11
+#define KRB5_PA_SAM_CHALLENGE          12
+#define KRB5_PA_SAM_RESPONSE           13
+#define KRB5_PA_DASS                   16
  
  /* Type tags within Ticket */
  #define KRB5_TKT_TKT_VNO  0
@@ -120,17 +158,161 @@ static gint proto_kerberos = -1;
  #define KRB5_TKT_SNAME    2
  #define KRB5_TKT_ENC_PART 3
  
+/* Principal name-type */
+#define KRB5_NT_UNKNOWN     0
+#define KRB5_NT_PRINCIPAL   1
+#define KRB5_NT_SRV_INST    2
+#define KRB5_NT_SRV_HST     3
+#define KRB5_NT_SRV_XHST    4
+#define KRB5_NT_UID     5
+
+/* error table constants */
+/* I prefixed the krb5_err.et constant names with KRB5_ET_ for these */
+#define KRB5_ET_KRB5KDC_ERR_NONE                         0
+#define KRB5_ET_KRB5KDC_ERR_NAME_EXP                     1
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_EXP                  2
+#define KRB5_ET_KRB5KDC_ERR_BAD_PVNO                     3
+#define KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO              4
+#define KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO              5
+#define KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN          6
+#define KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN          7
+#define KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE         8
+#define KRB5_ET_KRB5KDC_ERR_NULL_KEY                     9
+#define KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE              10
+#define KRB5_ET_KRB5KDC_ERR_NEVER_VALID                  11
+#define KRB5_ET_KRB5KDC_ERR_POLICY                       12
+#define KRB5_ET_KRB5KDC_ERR_BADOPTION                    13
+#define KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP                 14
+#define KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP               15
+#define KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP           16
+#define KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP                17
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED               18
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED              19
+#define KRB5_ET_KRB5KDC_ERR_TGT_REVOKED                  20
+#define KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET                21
+#define KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET               22
+#define KRB5_ET_KRB5KDC_ERR_KEY_EXP                      23
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED               24
+#define KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED             25
+#define KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH               26
+#define KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY             31
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED               32
+#define KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV                   33
+#define KRB5_ET_KRB5KRB_AP_ERR_REPEAT                    34
+#define KRB5_ET_KRB5KRB_AP_ERR_NOT_US                    35
+#define KRB5_ET_KRB5KRB_AP_ERR_BADMATCH                  36
+#define KRB5_ET_KRB5KRB_AP_ERR_SKEW                      37
+#define KRB5_ET_KRB5KRB_AP_ERR_BADADDR                   38
+#define KRB5_ET_KRB5KRB_AP_ERR_BADVERSION                39
+#define KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE                  40
+#define KRB5_ET_KRB5KRB_AP_ERR_MODIFIED                  41
+#define KRB5_ET_KRB5KRB_AP_ERR_BADORDER                  42
+#define KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT                43
+#define KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER                 44
+#define KRB5_ET_KRB5KRB_AP_ERR_NOKEY                     45
+#define KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL                  46
+#define KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION              47
+#define KRB5_ET_KRB5KRB_AP_ERR_METHOD                    48
+#define KRB5_ET_KRB5KRB_AP_ERR_BADSEQ                    49
+#define KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM               50
+#define KRB5_ET_KRB5KRB_ERR_GENERIC                      60
+#define KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG                61
+
+static const value_string krb5_error_codes[] = {
+       { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
+       { KRB5_ET_KRB5KDC_ERR_NAME_EXP, "KRB5KDC_ERR_NAME_EXP" },
+       { KRB5_ET_KRB5KDC_ERR_SERVICE_EXP, "KRB5KDC_ERR_SERVICE_EXP" },
+       { KRB5_ET_KRB5KDC_ERR_BAD_PVNO, "KRB5KDC_ERR_BAD_PVNO" },
+       { KRB5_ET_KRB5KDC_ERR_C_OLD_MAST_KVNO, "KRB5KDC_ERR_C_OLD_MAST_KVNO" },
+       { KRB5_ET_KRB5KDC_ERR_S_OLD_MAST_KVNO, "KRB5KDC_ERR_S_OLD_MAST_KVNO" },
+       { KRB5_ET_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" },
+       { KRB5_ET_KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" },
+       { KRB5_ET_KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE, "KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE" },
+       { KRB5_ET_KRB5KDC_ERR_NULL_KEY, "KRB5KDC_ERR_NULL_KEY" },
+       { KRB5_ET_KRB5KDC_ERR_CANNOT_POSTDATE, "KRB5KDC_ERR_CANNOT_POSTDATE" },
+       { KRB5_ET_KRB5KDC_ERR_NEVER_VALID, "KRB5KDC_ERR_NEVER_VALID" },
+       { KRB5_ET_KRB5KDC_ERR_POLICY, "KRB5KDC_ERR_POLICY" },
+       { KRB5_ET_KRB5KDC_ERR_BADOPTION, "KRB5KDC_ERR_BADOPTION" },
+       { KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP, "KRB5KDC_ERR_ETYPE_NOSUPP" },
+       { KRB5_ET_KRB5KDC_ERR_SUMTYPE_NOSUPP, "KRB5KDC_ERR_SUMTYPE_NOSUPP" },
+       { KRB5_ET_KRB5KDC_ERR_PADATA_TYPE_NOSUPP, "KRB5KDC_ERR_PADATA_TYPE_NOSUPP" },
+       { KRB5_ET_KRB5KDC_ERR_TRTYPE_NOSUPP, "KRB5KDC_ERR_TRTYPE_NOSUPP" },
+       { KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED, "KRB5KDC_ERR_CLIENT_REVOKED" },
+       { KRB5_ET_KRB5KDC_ERR_SERVICE_REVOKED, "KRB5KDC_ERR_SERVICE_REVOKED" },
+       { KRB5_ET_KRB5KDC_ERR_TGT_REVOKED, "KRB5KDC_ERR_TGT_REVOKED" },
+       { KRB5_ET_KRB5KDC_ERR_CLIENT_NOTYET, "KRB5KDC_ERR_CLIENT_NOTYET" },
+       { KRB5_ET_KRB5KDC_ERR_SERVICE_NOTYET, "KRB5KDC_ERR_SERVICE_NOTYET" },
+       { KRB5_ET_KRB5KDC_ERR_KEY_EXP, "KRB5KDC_ERR_KEY_EXP" },
+       { KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED, "KRB5KDC_ERR_PREAUTH_FAILED" },
+       { KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED, "KRB5KDC_ERR_PREAUTH_REQUIRED" },
+       { KRB5_ET_KRB5KDC_ERR_SERVER_NOMATCH, "KRB5KDC_ERR_SERVER_NOMATCH" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BAD_INTEGRITY, "KRB5KRB_AP_ERR_BAD_INTEGRITY" },
+       { KRB5_ET_KRB5KRB_AP_ERR_TKT_EXPIRED, "KRB5KRB_AP_ERR_TKT_EXPIRED" },
+       { KRB5_ET_KRB5KRB_AP_ERR_TKT_NYV, "KRB5KRB_AP_ERR_TKT_NYV" },
+       { KRB5_ET_KRB5KRB_AP_ERR_REPEAT, "KRB5KRB_AP_ERR_REPEAT" },
+       { KRB5_ET_KRB5KRB_AP_ERR_NOT_US, "KRB5KRB_AP_ERR_NOT_US" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BADMATCH, "KRB5KRB_AP_ERR_BADMATCH" },
+       { KRB5_ET_KRB5KRB_AP_ERR_SKEW, "KRB5KRB_AP_ERR_SKEW" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BADADDR, "KRB5KRB_AP_ERR_BADADDR" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BADVERSION, "KRB5KRB_AP_ERR_BADVERSION" },
+       { KRB5_ET_KRB5KRB_AP_ERR_MSG_TYPE, "KRB5KRB_AP_ERR_MSG_TYPE" },
+       { KRB5_ET_KRB5KRB_AP_ERR_MODIFIED, "KRB5KRB_AP_ERR_MODIFIED" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BADORDER, "KRB5KRB_AP_ERR_BADORDER" },
+       { KRB5_ET_KRB5KRB_AP_ERR_ILL_CR_TKT, "KRB5KRB_AP_ERR_ILL_CR_TKT" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BADKEYVER, "KRB5KRB_AP_ERR_BADKEYVER" },
+       { KRB5_ET_KRB5KRB_AP_ERR_NOKEY, "KRB5KRB_AP_ERR_NOKEY" },
+       { KRB5_ET_KRB5KRB_AP_ERR_MUT_FAIL, "KRB5KRB_AP_ERR_MUT_FAIL" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BADDIRECTION, "KRB5KRB_AP_ERR_BADDIRECTION" },
+       { KRB5_ET_KRB5KRB_AP_ERR_METHOD, "KRB5KRB_AP_ERR_METHOD" },
+       { KRB5_ET_KRB5KRB_AP_ERR_BADSEQ, "KRB5KRB_AP_ERR_BADSEQ" },
+       { KRB5_ET_KRB5KRB_AP_ERR_INAPP_CKSUM, "KRB5KRB_AP_ERR_INAPP_CKSUM" },
+       { KRB5_ET_KRB5KRB_ERR_GENERIC, "KRB5KRB_ERR_GENERIC" },
+       { KRB5_ET_KRB5KRB_ERR_FIELD_TOOLONG, "KRB5KRB_ERR_FIELD_TOOLONG" },
+       { 0, NULL }
+};
+
+
+static const value_string krb5_princ_types[] = {
+    { KRB5_NT_UNKNOWN              , "Unknown" },
+    { KRB5_NT_PRINCIPAL            , "Principal" },
+    { KRB5_NT_SRV_INST             , "Service and Instance" },
+    { KRB5_NT_SRV_HST              , "Service and Host" },
+    { KRB5_NT_SRV_XHST             , "Service and Host Components" },
+    { KRB5_NT_UID                  , "Unique ID" },
+    { 0                            , NULL },
+};
+
  static const value_string krb5_preauthentication_types[] = {
-    { KRB5_PA_TGS_REQ      , "PA-TGS-REQ" },
-    { KRB5_PA_ENC_TIMESTAMP, "PA-ENC-TIMESTAMP" },
-    { KRB5_PA_PW_SALT      , "PA-PW-SALT" },
+    { KRB5_PA_TGS_REQ              , "PA-TGS-REQ" },
+    { KRB5_PA_ENC_TIMESTAMP        , "PA-ENC-TIMESTAMP" },
+    { KRB5_PA_PW_SALT              , "PA-PW-SALT" },
+    { KRB5_PA_ENC_ENCKEY           , "PA-ENC-ENCKEY" },
+    { KRB5_PA_ENC_UNIX_TIME        , "PA-ENC-UNIX-TIME" },
+    { KRB5_PA_ENC_SANDIA_SECURID   , "PA-PW-SALT" },
+    { KRB5_PA_SESAME               , "PA-SESAME" },
+    { KRB5_PA_OSF_DCE              , "PA-OSF-DCE" },
+    { KRB5_PA_CYBERSAFE_SECUREID   , "PA-CYBERSAFE-SECURID" },
+    { KRB5_PA_AFS3_SALT            , "PA-AFS3-SALT" },
+    { KRB5_PA_ENCTYPE_INFO         , "PA-ENCTYPE-INFO" },
+    { KRB5_PA_SAM_CHALLENGE        , "PA-SAM-CHALLENGE" },
+    { KRB5_PA_SAM_RESPONSE         , "PA-SAM-RESPONSE" },
+    { KRB5_PA_DASS                 , "PA-DASS" },
+    { 0                            , NULL },
  };
  
  static const value_string krb5_encryption_types[] = {
-    { KRB5_ETYPE_NULL           , "NULL" },
-    { KRB5_ETYPE_DES_CBC_CRC    , "des-cbc-crc" },
-    { KRB5_ETYPE_DES_CBC_MD4    , "des-cbc-md4" },
-    { KRB5_ETYPE_DES_CBC_MD5    , "des-cbc-md5" },
+    { KRB5_ENCTYPE_NULL           , "NULL" },
+    { KRB5_ENCTYPE_DES_CBC_CRC    , "des-cbc-crc" },
+    { KRB5_ENCTYPE_DES_CBC_MD4    , "des-cbc-md4" },
+    { KRB5_ENCTYPE_DES_CBC_MD5    , "des-cbc-md5" },
+    { KRB5_ENCTYPE_DES_CBC_RAW    , "des-cbc-raw" },
+    { KRB5_ENCTYPE_DES3_CBC_SHA   , "des3-cbc-sha" },
+    { KRB5_ENCTYPE_DES3_CBC_RAW   , "des3-cbc-raw" },
+    { KRB5_ENCTYPE_DES_HMAC_SHA1  , "des-hmac-sha1" },
+    { KRB5_ENCTYPE_DES3_CBC_SHA1  , "des3-cbc-sha1" },
+    { KRB5_ENCTYPE_UNKNOWN        , "unknown" },
+    { KRB5_ENCTYPE_LOCAL_DES3_HMAC_SHA1    , "local-des3-hmac-sha1" },
+    { 0                            , NULL },
  };
  
  static const value_string krb5_address_types[] = {
@@ -139,7 +321,8 @@ static const value_string krb5_address_types[] = {
      { KRB5_ADDR_XEROX,         "XEROX"},
      { KRB5_ADDR_ISO,           "ISO"},
      { KRB5_ADDR_DECNET,                "DECNET"},
-    { KRB5_ADDR_APPLETALK,     "APPLETALK"}
+    { KRB5_ADDR_APPLETALK,     "APPLETALK"},
+    { 0,                        NULL },
  };
  
  static const value_string krb5_msg_types[] = {
@@ -152,26 +335,25 @@ static const value_string krb5_msg_types[] = {
         { KRB5_MSG_SAFE,        "KRB-SAFE" },
         { KRB5_MSG_PRIV,        "KRB-PRIV" },
         { KRB5_MSG_CRED,        "KRB-CRED" },
-       { KRB5_MSG_ERROR,       "KRB-ERROR" }
+       { KRB5_MSG_ERROR,       "KRB-ERROR" },
+        { 0,                    NULL },
  };
  
  static int dissect_PrincipalName(char *title, ASN1_SCK *asn1p,
-                                 frame_data *fd, proto_tree *tree,
+                                 packet_info *pinfo, proto_tree *tree,
                                   int start_offset);
-static int dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd,
+static int dissect_Ticket(char *title, ASN1_SCK *asn1p, packet_info *pinfo,
                            proto_tree *tree, int start_offset);
-static int dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
-                                 proto_tree *tree, int start_offset);
-static int dissect_Addresses(char *title, ASN1_SCK *asn1p, frame_data *fd,
+static int dissect_EncryptedData(char *title, ASN1_SCK *asn1p,
+                                packet_info *pinfo, proto_tree *tree,
+                                int start_offset);
+static int dissect_Addresses(char *title, ASN1_SCK *asn1p, packet_info *pinfo,
                               proto_tree *tree, int start_offset);
  
  static const char *
  to_error_str(int ret) {
      switch (ret) {
  
-        case ASN1_ERR_EMPTY:
-            return("Ran out of data");
-
          case ASN1_ERR_EOC_MISMATCH:
              return("EOC mismatch");
  
@@ -192,10 +374,11 @@ to_error_str(int ret) {
  }
  
  static void
-krb_proto_tree_add_time(proto_tree *tree, int offset, int str_len,
-                        char *name, guchar *str) {
+krb_proto_tree_add_time(proto_tree *tree, tvbuff_t *tvb, int offset,
+                       int str_len, char *name, guchar *str)
+{
      if (tree)
-        proto_tree_add_text(tree, NullTVB, offset, str_len,
+        proto_tree_add_text(tree, tvb, offset, str_len,
                              "%s: %.4s-%.2s-%.2s %.2s:%.2s:%.2s (%.1s)",
                              name, str, str+4, str+6,
                              str+8, str+10, str+12,
@@ -209,41 +392,41 @@ krb_proto_tree_add_time(proto_tree *tree, int offset, int str_len,
   */
  
  #define KRB_HEAD_DECODE_OR_DIE(token) \
-   start = asn1p->pointer; \
+   start = asn1p->offset; \
     ret = asn1_header_decode (asn1p, &cls, &con, &tag, &def, &item_len); \
-   if (ret != ASN1_ERR_NOERROR && ret != ASN1_ERR_EMPTY) {\
-       if (check_col(fd, COL_INFO)) \
-           col_add_fstr(fd, COL_INFO, "ERROR: Problem at %s: %s", \
+   if (ret != ASN1_ERR_NOERROR) {\
+       if (check_col(pinfo->cinfo, COL_INFO)) \
+           col_add_fstr(pinfo->cinfo, COL_INFO, "ERROR: Problem at %s: %s", \
                      token, to_error_str(ret)); \
         return -1; \
     } \
     if (!def) {\
-       if (check_col(fd, COL_INFO)) \
-           col_add_fstr(fd, COL_INFO, "not definite: %s", token); \
+       if (check_col(pinfo->cinfo, COL_INFO)) \
+           col_add_fstr(pinfo->cinfo, COL_INFO, "not definite: %s", token); \
         fprintf(stderr,"not definite: %s\n", token); \
         return -1; \
     } \
-   offset += (asn1p->pointer - start);
+   offset += (asn1p->offset - start);
  
  #define CHECK_APPLICATION_TYPE(expected_tag) \
      (cls == ASN1_APL && con == ASN1_CON && tag == expected_tag)
  
  #define DIE_IF_NOT_APPLICATION_TYPE(token, expected_tag) \
      if (!CHECK_APPLICATION_TYPE(expected_tag)) \
-        DIE_WITH_BAD_TYPE(token);
+        DIE_WITH_BAD_TYPE(token, expected_tag);
  
  #define CHECK_CONTEXT_TYPE(expected_tag) \
      (cls == ASN1_CTX && con == ASN1_CON && tag == expected_tag)
  
  #define DIE_IF_NOT_CONTEXT_TYPE(token, expected_tag) \
      if (!CHECK_CONTEXT_TYPE(expected_tag)) \
-        DIE_WITH_BAD_TYPE(token);
+        DIE_WITH_BAD_TYPE(token, expected_tag);
  
-#define DIE_WITH_BAD_TYPE(token) \
+#define DIE_WITH_BAD_TYPE(token, expected_tag) \
      { \
-      if (check_col(fd, COL_INFO)) \
-         col_add_fstr(fd, COL_INFO, "ERROR: Problem at %s: %s", \
-                      token, to_error_str(ASN1_ERR_WRONG_TYPE)); \
+      if (check_col(pinfo->cinfo, COL_INFO)) \
+         col_add_fstr(pinfo->cinfo, COL_INFO, "ERROR: Problem at %s: %s (tag=%d exp=%d)", \
+                      token, to_error_str(ASN1_ERR_WRONG_TYPE), tag, expected_tag); \
        return -1; \
      }
  
@@ -257,9 +440,9 @@ krb_proto_tree_add_time(proto_tree *tree, int offset, int str_len,
  
  #define KRB_SEQ_HEAD_DECODE_OR_DIE(token) \
     ret = asn1_sequence_decode (asn1p, &item_len, &header_len); \
-   if (ret != ASN1_ERR_NOERROR && ret != ASN1_ERR_EMPTY) {\
-       if (check_col(fd, COL_INFO)) \
-           col_add_fstr(fd, COL_INFO, "ERROR: Problem at %s: %s", \
+   if (ret != ASN1_ERR_NOERROR) {\
+       if (check_col(pinfo->cinfo, COL_INFO)) \
+           col_add_fstr(pinfo->cinfo, COL_INFO, "ERROR: Problem at %s: %s", \
                      token, to_error_str(ret)); \
         return -1; \
     } \
@@ -268,8 +451,8 @@ krb_proto_tree_add_time(proto_tree *tree, int offset, int str_len,
  #define KRB_DECODE_OR_DIE(token, fn, val) \
      ret = fn (asn1p, &val, &length); \
      if (ret != ASN1_ERR_NOERROR) { \
-       if (check_col(fd, COL_INFO)) \
-         col_add_fstr(fd, COL_INFO, "ERROR: Problem at %s: %s", \
+       if (check_col(pinfo->cinfo, COL_INFO)) \
+         col_add_fstr(pinfo->cinfo, COL_INFO, "ERROR: Problem at %s: %s", \
                       token, to_error_str(ret)); \
          return -1; \
      } \
@@ -280,8 +463,8 @@ krb_proto_tree_add_time(proto_tree *tree, int offset, int str_len,
  #define KRB_DECODE_STRING_OR_DIE(token, expected_tag, val, val_len, item_len) \
      ret = asn1_string_decode (asn1p, &val, &val_len, &item_len, expected_tag); \
      if (ret != ASN1_ERR_NOERROR) { \
-       if (check_col(fd, COL_INFO)) \
-         col_add_fstr(fd, COL_INFO, "ERROR: Problem at %s: %s", \
+       if (check_col(pinfo->cinfo, COL_INFO)) \
+         col_add_fstr(pinfo->cinfo, COL_INFO, "ERROR: Problem at %s: %s", \
                       token, to_error_str(ret)); \
          return -1; \
      }
@@ -311,20 +494,20 @@ dissect_type_value_pair(ASN1_SCK *asn1p, int *inoff,
      int offset = *inoff;
      guint cls, con, tag;
      gboolean def;
-    const guchar *start;
+    int start;
      guint tmp_len;
      int ret;
  
      /* SEQUENCE */
-    start = asn1p->pointer;
+    start = asn1p->offset;
      asn1_header_decode (asn1p, &cls, &con, &tag, &def, &tmp_len);
-    offset += (asn1p->pointer - start);
+    offset += (asn1p->offset - start);
  
      /* INT */
      /* wrapper */
-    start = asn1p->pointer;
+    start = asn1p->offset;
      asn1_header_decode (asn1p, &cls, &con, &tag, &def, &tmp_len);
-    offset += (asn1p->pointer - start);
+    offset += (asn1p->offset - start);
  
      if (type_off)
          *type_off = offset;
@@ -339,10 +522,10 @@ dissect_type_value_pair(ASN1_SCK *asn1p, int *inoff,
  
      /* OCTET STRING (or generic data) */
      /* wrapper */
-    start = asn1p->pointer;
+    start = asn1p->offset;
      asn1_header_decode (asn1p, &cls, &con, &tag, &def, val_len);
      asn1_header_decode (asn1p, &cls, &con, &tag, &def, val_len);
-    offset += asn1p->pointer - start;
+    offset += asn1p->offset - start;
      
      if (val_off)
          *val_off = offset;
@@ -354,21 +537,23 @@ dissect_type_value_pair(ASN1_SCK *asn1p, int *inoff,
  }
  
  static gboolean
-dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
-                      proto_tree *tree)
+dissect_kerberos_main(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
  {
+    int offset = 0;
      proto_tree *kerberos_tree = NULL;
      proto_tree *etype_tree = NULL;
      proto_tree *preauth_tree = NULL;
      proto_tree *request_tree = NULL;
+    proto_tree *additional_tickets_tree = NULL;
      ASN1_SCK asn1, *asn1p = &asn1;
      proto_item *item = NULL;
  
-    guint length;
+    gint length;
      guint cls, con, tag;
      gboolean def;
-    guint item_len, total_len;
-    const guchar *start;
+    gint item_len;
+    guint total_len;
+    int start, end, message_end, sequence_end;
  
      int ret;
  
@@ -384,17 +569,17 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
      guchar *str;
      int tmp_pos1, tmp_pos2;
  
-    if (tree) {
-        item = proto_tree_add_item(tree, proto_kerberos, NullTVB, offset,
-                                   END_OF_FRAME, FALSE);
-        kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
-    }
-
-    asn1_open(&asn1, &pd[offset], END_OF_FRAME);
+    asn1_open(&asn1, tvb, 0);
  
      /* top header */
      KRB_HEAD_DECODE_OR_DIE("top");
      protocol_message_type = tag;
+    if (tree) {
+        item = proto_tree_add_item(tree, proto_kerberos, tvb, offset,
+                                   item_len, FALSE);
+        kerberos_tree = proto_item_add_subtree(item, ett_kerberos);
+    }
+    message_end = asn1p->offset + item_len;
      
      /* second header */
      KRB_HEAD_DECODE_OR_DIE("top2");
@@ -404,7 +589,7 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
      KRB_DECODE_UINT32_OR_DIE("version", version);
  
      if (kerberos_tree) {
-        proto_tree_add_text(kerberos_tree, NullTVB, offset, length,
+        proto_tree_add_text(kerberos_tree, tvb, offset, length,
                              "Version: %d",
                              version);
      }
@@ -415,15 +600,15 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
      KRB_DECODE_UINT32_OR_DIE("message-type", msg_type);
  
      if (kerberos_tree) {
-        proto_tree_add_text(kerberos_tree, NullTVB, offset, length,
+        proto_tree_add_text(kerberos_tree, tvb, offset, length,
                              "MSG Type: %s",
                              val_to_str(msg_type, krb5_msg_types,
                                         "Unknown msg type %#x"));
      }
      offset += length;
  
-    if (check_col(fd, COL_INFO))
-        col_add_str(fd, COL_INFO, val_to_str(msg_type, krb5_msg_types,
+    if (check_col(pinfo->cinfo, COL_INFO))
+        col_add_str(pinfo->cinfo, COL_INFO, val_to_str(msg_type, krb5_msg_types,
                                               "Unknown msg type %#x"));
  
          /* is preauthentication present? */
@@ -437,26 +622,26 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
          /* pre-authentication supplied */
  
          if (tree) {
-            item = proto_tree_add_text(kerberos_tree, NullTVB, offset,
+            item = proto_tree_add_text(kerberos_tree, tvb, offset,
                                         item_len, "Pre-Authentication");
              preauth_tree = proto_item_add_subtree(item, ett_preauth);
          }
  
          KRB_HEAD_DECODE_OR_DIE("sequence of pa-data");
-        start = asn1p->pointer + item_len;
+        end = asn1p->offset + item_len;
  
-        while(start > asn1p->pointer) {
+        while(asn1p->offset < end) {
              dissect_type_value_pair(asn1p, &offset,
                                      &preauth_type, &item_len, &tmp_pos1,
                                      &str, &str_len, &tmp_pos2);
  
              if (preauth_tree) {
-                proto_tree_add_text(preauth_tree, NullTVB, tmp_pos1,
+                proto_tree_add_text(preauth_tree, tvb, tmp_pos1,
                                      item_len, "Type: %s",
                                      val_to_str(preauth_type,
                                                 krb5_preauthentication_types,
                                                 "Unknown preauth type %#x"));
-                proto_tree_add_text(preauth_tree, NullTVB, tmp_pos2,
+                proto_tree_add_text(preauth_tree, tvb, tmp_pos2,
                                      str_len, "Value: %s",
                                      bytes_to_str(str, str_len));
              }
@@ -502,10 +687,11 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
          /* request body */
          KRB_HEAD_DECODE_OR_DIE("body-sequence");
          if (tree) {
-            item = proto_tree_add_text(kerberos_tree, NullTVB, offset,
+            item = proto_tree_add_text(kerberos_tree, tvb, offset,
                                         item_len, "Request");
              request_tree = proto_item_add_subtree(item, ett_request);
          }
+        sequence_end = asn1p->offset + item_len;
  
          /* kdc options */
          KRB_HEAD_DECODE_OR_DIE("kdc options");
@@ -513,17 +699,18 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
          KRB_HEAD_DECODE_OR_DIE("kdc options:bits");
  
          if (request_tree) {
-                proto_tree_add_text(request_tree, NullTVB, offset, item_len,
+                proto_tree_add_text(request_tree, tvb, offset, item_len,
                                      "Options: %s",
-                                    bytes_to_str(asn1.pointer, item_len));
+                                    tvb_bytes_to_str(asn1p->tvb, asn1p->offset,
+                                                     item_len));
          }
          offset += item_len;
-        asn1.pointer += item_len;
+        asn1p->offset += item_len;
  
          KRB_HEAD_DECODE_OR_DIE("Client Name or Realm");
  
          if (CHECK_CONTEXT_TYPE(KRB5_BODY_CNAME)) {
-            item_len = dissect_PrincipalName("Client Name", asn1p, fd,
+            item_len = dissect_PrincipalName("Client Name", asn1p, pinfo,
                                               request_tree, offset);
              if (item_len == -1)
                  return -1;
@@ -534,14 +721,14 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
          DIE_IF_NOT_CONTEXT_TYPE("Realm", KRB5_BODY_REALM);
          KRB_DECODE_GENERAL_STRING_OR_DIE("Realm", str, str_len, item_len);
          if (request_tree) {
-            proto_tree_add_text(request_tree, NullTVB, offset, item_len,
+            proto_tree_add_text(request_tree, tvb, offset, item_len,
                                  "Realm: %.*s", str_len, str);
          }
          offset += item_len;
  
          KRB_HEAD_DECODE_OR_DIE("Server Name");
          if (CHECK_CONTEXT_TYPE(KRB5_BODY_SNAME)) {
-            item_len = dissect_PrincipalName("Server Name", asn1p, fd,
+            item_len = dissect_PrincipalName("Server Name", asn1p, pinfo,
                                               request_tree, offset);
              if (item_len == -1)
                  return -1;
@@ -551,7 +738,7 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
  
          if (CHECK_CONTEXT_TYPE(KRB5_BODY_FROM)) {
              KRB_DECODE_GENERAL_TIME_OR_DIE("From", str, str_len, item_len);
-            krb_proto_tree_add_time(request_tree, offset, item_len,
+            krb_proto_tree_add_time(request_tree, asn1p->tvb, offset, item_len,
                                      "Start Time", str);
              offset += item_len;
              KRB_HEAD_DECODE_OR_DIE("Till");
@@ -559,14 +746,14 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
  
          DIE_IF_NOT_CONTEXT_TYPE("Till", KRB5_BODY_TILL);
          KRB_DECODE_GENERAL_TIME_OR_DIE("Till", str, str_len, item_len);
-        krb_proto_tree_add_time(request_tree, offset, item_len,
+        krb_proto_tree_add_time(request_tree, asn1p->tvb, offset, item_len,
                                  "End Time", str);
          offset += item_len;
  
          KRB_HEAD_DECODE_OR_DIE("Renewable Until or Nonce");
          if (CHECK_CONTEXT_TYPE(KRB5_BODY_RTIME)) {
              KRB_DECODE_GENERAL_TIME_OR_DIE("Renewable Until", str, str_len, item_len);
-            krb_proto_tree_add_time(request_tree, offset, item_len,
+            krb_proto_tree_add_time(request_tree, asn1p->tvb, offset, item_len,
                                      "Renewable Until", str);
              offset += item_len;
              KRB_HEAD_DECODE_OR_DIE("Nonce");
@@ -575,17 +762,17 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
          DIE_IF_NOT_CONTEXT_TYPE("Nonce", KRB5_BODY_NONCE);
          KRB_DECODE_UINT32_OR_DIE("Nonce", tmp_int);
          if (request_tree) {
-            proto_tree_add_text(request_tree, NullTVB, offset, length,
+            proto_tree_add_text(request_tree, tvb, offset, length,
                                  "Random Number: %u",
                                  tmp_int);
          }
          offset += length;
          
          KRB_DECODE_CONTEXT_HEAD_OR_DIE("encryption type spot",
-                                              KRB5_BODY_ETYPE);
+                                              KRB5_BODY_ENCTYPE);
          KRB_HEAD_DECODE_OR_DIE("encryption type list");
          if (kerberos_tree) {
-            item = proto_tree_add_text(request_tree, NullTVB, offset,
+            item = proto_tree_add_text(request_tree, tvb, offset,
                                         item_len, "Encryption Types");
              etype_tree = proto_item_add_subtree(item, ett_etype);
          }
@@ -593,7 +780,7 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
          while(total_len > 0) {
              KRB_DECODE_UINT32_OR_DIE("encryption type", tmp_int);
              if (etype_tree) {
-                proto_tree_add_text(etype_tree, NullTVB, offset, length,
+                proto_tree_add_text(etype_tree, tvb, offset, length,
                                      "Type: %s",
                                      val_to_str(tmp_int,
                                                 krb5_encryption_types,
@@ -603,16 +790,50 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
              total_len -= length;
          }
  
-        KRB_HEAD_DECODE_OR_DIE("addresses");
+        if (asn1p->offset >= sequence_end)
+            break;
+        KRB_HEAD_DECODE_OR_DIE("addresses or enc-authorization-data");
          if (CHECK_CONTEXT_TYPE(KRB5_BODY_ADDRESSES)) {
-            /* pre-authentication supplied */
+            /* addresses supplied */
  
-            offset = dissect_Addresses("Addresses", asn1p, fd, kerberos_tree,
+            length = dissect_Addresses("Addresses", asn1p, pinfo, kerberos_tree,
                                         offset);
              if (offset == -1)
                  return -1;
-            KRB_HEAD_DECODE_OR_DIE("auth-data");
+            offset += length;
+            if (asn1p->offset >= sequence_end)
+                break;
+            KRB_HEAD_DECODE_OR_DIE("enc-authorization-data or additional-tickets");
+        }
+
+        if (CHECK_CONTEXT_TYPE(KRB5_BODY_ENC_AUTHORIZATION_DATA)) {
+            /* enc-authorization-data supplied */
+            length = dissect_EncryptedData("Encrypted Payload", asn1p, pinfo,
+                                           kerberos_tree, offset);
+            if (length == -1)
+                return -1;
+            offset += length;
+            if (asn1p->offset >= sequence_end)
+                break;
+            KRB_HEAD_DECODE_OR_DIE("additional-tickets");
+        }
+
+        /* additional-tickets supplied */
+        if (tree) {
+            item = proto_tree_add_text(kerberos_tree, tvb, offset,
+                                       item_len, "Additional Tickets");
+            additional_tickets_tree = proto_item_add_subtree(item, ett_additional_tickets);
+        }
+        end = asn1p->offset + item_len;
+        while(asn1p->offset < end) {
+            KRB_DECODE_CONTEXT_HEAD_OR_DIE("ticket", KRB5_KDC_REP_TICKET);
+            length = dissect_Ticket("ticket", asn1p, pinfo, additional_tickets_tree,
+                                    offset);
+            if (length == -1)
+                return -1;
+            offset += length;
          }
+
          break;
  
      case KRB5_MSG_AS_REP:
@@ -632,53 +853,186 @@ dissect_kerberos_main(const u_char *pd, int offset, frame_data *fd,
     }
  */
  
-        if (tag == KRB5_KDC_REP_CREALM) {
-            KRB_DECODE_GENERAL_STRING_OR_DIE("realm name", str, str_len, item_len);
-            if (kerberos_tree) {
-                proto_tree_add_text(kerberos_tree, NullTVB, offset, item_len,
-                                    "Realm: %.*s", str_len, str);
-            }
-            offset += item_len;
-        } else {
-            DIE_WITH_BAD_TYPE("crealm");
+       DIE_IF_NOT_CONTEXT_TYPE("crealm", KRB5_KDC_REP_CREALM);
+        KRB_DECODE_GENERAL_STRING_OR_DIE("realm name", str, str_len, item_len);
+        if (kerberos_tree) {
+            proto_tree_add_text(kerberos_tree, tvb, offset, item_len,
+                                "Realm: %.*s", str_len, str);
          }
+        offset += item_len;
  
          KRB_DECODE_CONTEXT_HEAD_OR_DIE("cname", KRB5_KDC_REP_CNAME);
-        item_len = dissect_PrincipalName("Client Name", asn1p, fd,
+        item_len = dissect_PrincipalName("Client Name", asn1p, pinfo,
                                           kerberos_tree, offset);
          if (item_len == -1)
              return -1;
          offset += item_len;
          
          KRB_DECODE_CONTEXT_HEAD_OR_DIE("ticket", KRB5_KDC_REP_TICKET);
-        offset = dissect_Ticket("ticket", asn1p, fd, kerberos_tree, offset);
-        if (offset == -1)
+        length = dissect_Ticket("ticket", asn1p, pinfo, kerberos_tree, offset);
+        if (length == -1)
              return -1;
+        offset += length;
  
          KRB_DECODE_CONTEXT_HEAD_OR_DIE("enc-msg-part",
                                                KRB5_KDC_REP_ENC_PART);
-        offset = dissect_EncryptedData("Encrypted Payload", asn1p, fd,
+        length = dissect_EncryptedData("Encrypted Payload", asn1p, pinfo,
                                         kerberos_tree, offset);
-        if (offset == -1)
+        if (length == -1)
              return -1;
+        offset += length;
+        break;
+
+    case KRB5_MSG_ERROR:
+/*
+  KRB-ERROR ::=   [APPLICATION 30] SEQUENCE {
+                   pvno[0]               INTEGER,
+                   msg-type[1]           INTEGER,
+                   ctime[2]              KerberosTime OPTIONAL,
+                   cusec[3]              INTEGER OPTIONAL,
+                   stime[4]              KerberosTime,
+                   susec[5]              INTEGER,
+                   error-code[6]         INTEGER,
+                   crealm[7]             Realm OPTIONAL,
+                   cname[8]              PrincipalName OPTIONAL,
+                   realm[9]              Realm, -- Correct realm
+                   sname[10]             PrincipalName, -- Correct name
+                   e-text[11]            GeneralString OPTIONAL,
+                   e-data[12]            OCTET STRING OPTIONAL
+   }
+  }
+
+*/
+
+       /* ctime */
+        if (CHECK_CONTEXT_TYPE(KRB5_ERROR_CTIME)) {
+            KRB_DECODE_GENERAL_TIME_OR_DIE("ctime", str, str_len, item_len);
+            krb_proto_tree_add_time(kerberos_tree, asn1p->tvb, offset, item_len,
+                                    "ctime", str);
+            offset += item_len;
+                       KRB_HEAD_DECODE_OR_DIE("cusec");
+        }
+
+       /* cusec */
+        if (CHECK_CONTEXT_TYPE(KRB5_ERROR_CUSEC)) {
+                       KRB_DECODE_UINT32_OR_DIE("cusec", tmp_int);
+           if (kerberos_tree) {
+               proto_tree_add_text(kerberos_tree, tvb, offset, length,
+                                   "cusec: %u",
+                                   tmp_int);
+           }
+
+            offset += item_len;
+                       KRB_HEAD_DECODE_OR_DIE("sutime");
+        }
+
+       DIE_IF_NOT_CONTEXT_TYPE("sutime", KRB5_ERROR_STIME);
+       KRB_DECODE_GENERAL_TIME_OR_DIE("stime", str, str_len, item_len);
+       krb_proto_tree_add_time(kerberos_tree, asn1p->tvb, offset, item_len,
+                                   "stime", str);
+       offset += item_len;
+
+       KRB_HEAD_DECODE_OR_DIE("susec");
+       DIE_IF_NOT_CONTEXT_TYPE("susec", KRB5_ERROR_SUSEC);             
+       KRB_DECODE_UINT32_OR_DIE("susec", tmp_int);
+       if (kerberos_tree) {
+               proto_tree_add_text(kerberos_tree, tvb, offset, length,
+                                   "susec: %u",
+                                   tmp_int);
+       }
+       offset += item_len;
+
+       KRB_HEAD_DECODE_OR_DIE("errcode");
+       DIE_IF_NOT_CONTEXT_TYPE("errcode", KRB5_ERROR_ERROR_CODE);
+       KRB_DECODE_UINT32_OR_DIE("errcode", tmp_int);
+       if (kerberos_tree) {
+           proto_tree_add_text(kerberos_tree, tvb, offset, length,
+                               "Error Code: %s",
+                               val_to_str(tmp_int, krb5_error_codes,
+                                           "Unknown error code %#x"));
+       }
+        offset += item_len;
+       KRB_HEAD_DECODE_OR_DIE("crealm");
+
+        if (CHECK_CONTEXT_TYPE(KRB5_ERROR_CREALM)) {
+               KRB_DECODE_GENERAL_STRING_OR_DIE("crealm", str, str_len, item_len);
+               if (kerberos_tree) {
+                   proto_tree_add_text(kerberos_tree, tvb, offset, item_len,
+                                       "crealm: %.*s", str_len, str);
+               }
+               offset += item_len;
+               KRB_HEAD_DECODE_OR_DIE("cname");
+       }
+
+       if (CHECK_CONTEXT_TYPE(KRB5_ERROR_CNAME)) {
+           item_len = dissect_PrincipalName("cname", asn1p, pinfo,
+                                         kerberos_tree, offset);
+           if (item_len == -1)
+               return -1;
+           offset += item_len;
+           KRB_HEAD_DECODE_OR_DIE("realm");
+       }
+
+       DIE_IF_NOT_CONTEXT_TYPE("realm", KRB5_ERROR_REALM);
+        KRB_DECODE_GENERAL_STRING_OR_DIE("realm", str, str_len, item_len);
+        if (kerberos_tree) {
+            proto_tree_add_text(kerberos_tree, tvb, offset, item_len,
+                                "realm: %.*s", str_len, str);
+        }
+        offset += item_len;
+       KRB_HEAD_DECODE_OR_DIE("sname");
+
+       DIE_IF_NOT_CONTEXT_TYPE("sname", KRB5_ERROR_SNAME);
+       item_len = dissect_PrincipalName("sname", asn1p, pinfo,
+                                         kerberos_tree, offset);
+       if (item_len == -1)
+               return -1;
+       offset += item_len;
+
+        if (asn1p->offset >= message_end)
+            break;
+       KRB_HEAD_DECODE_OR_DIE("e-text");
+       if ( CHECK_CONTEXT_TYPE(KRB5_ERROR_ETEXT) ) {
+            KRB_DECODE_GENERAL_STRING_OR_DIE("etext", str, str_len, item_len);
+            if (kerberos_tree) {
+               proto_tree_add_text(kerberos_tree, tvb, offset, item_len,
+                                       "etext: %.*s", str_len, str);
+            }
+            offset += item_len;
+            if (asn1p->offset >= message_end)
+                break;
+           KRB_HEAD_DECODE_OR_DIE("e-data");
+       }
+
+       if ( CHECK_CONTEXT_TYPE(KRB5_ERROR_EDATA) ) {
+           guchar *data;
+           guint data_len;
+
+           KRB_DECODE_OCTET_STRING_OR_DIE("e-data", data, data_len, item_len);
+
+           if (kerberos_tree) {
+               proto_tree_add_text(kerberos_tree, tvb, offset, data_len,
+                            "Error Data: %s", bytes_to_str(data, item_len));
+           }
+           offset += data_len;
+       }
+
          break;
      }
      return offset;
  }
  
  static void
-dissect_kerberos(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
+dissect_kerberos(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
  {
-    OLD_CHECK_DISPLAY_AS_DATA(proto_kerberos, pd, offset, fd, tree);
+    if (check_col(pinfo->cinfo, COL_PROTOCOL))
+        col_set_str(pinfo->cinfo, COL_PROTOCOL, "KRB5");
  
-    if (check_col(fd, COL_PROTOCOL))
-        col_set_str(fd, COL_PROTOCOL, "KRB5");
-
-    dissect_kerberos_main(pd, offset, fd, tree);
+    dissect_kerberos_main(tvb, pinfo, tree);
  }
  
  static int
-dissect_PrincipalName(char *title, ASN1_SCK *asn1p, frame_data *fd,
+dissect_PrincipalName(char *title, ASN1_SCK *asn1p, packet_info *pinfo,
                         proto_tree *tree, int start_offset)
  {
  /*
@@ -692,7 +1046,7 @@ dissect_PrincipalName(char *title, ASN1_SCK *asn1p, frame_data *fd,
  
      guint32 princ_type;
  
-    const guchar *start;
+    int start;
      guint cls, con, tag;
      guint header_len, item_len, total_len, type_len;
      int ret;
@@ -710,7 +1064,7 @@ dissect_PrincipalName(char *title, ASN1_SCK *asn1p, frame_data *fd,
      KRB_SEQ_HEAD_DECODE_OR_DIE("principal section");
  
      if (tree) {
-      item = proto_tree_add_text(tree, NullTVB, start_offset,
+      item = proto_tree_add_text(tree, asn1p->tvb, start_offset,
                                   (offset - start_offset) + item_len, "%s",
                                   title);
        princ_tree = proto_item_add_subtree(item, ett_princ);
@@ -726,17 +1080,37 @@ dissect_PrincipalName(char *title, ASN1_SCK *asn1p, frame_data *fd,
      offset += length;
  
      if (princ_tree) {
-      proto_tree_add_text(princ_tree, NullTVB, type_offset, type_len,
-                          "Type: %u", princ_type);
+      proto_tree_add_text(princ_tree, asn1p->tvb, type_offset, type_len,
+                                               "Type: %s",
+                                               val_to_str(princ_type, krb5_princ_types,
+                                           "Unknown name type %#x"));
      }
  
      KRB_DECODE_CONTEXT_HEAD_OR_DIE("principal name-string", 1);
      KRB_SEQ_HEAD_DECODE_OR_DIE("principal name-string sequence-of");
      total_len = item_len;
+    if (total_len == 0) {
+      /* There are no name strings in this PrincipalName, so we can't
+         put any in the top-level item. */
+      return offset - start_offset;
+    }
+
+    /* Put the first name string in the top-level item. */
+    KRB_DECODE_GENERAL_STRING_OR_DIE("principal name", name, name_len, item_len);
+    if (princ_tree) {
+        proto_item_set_text(item, "%s: %.*s", title, (int) name_len, name);
+        proto_tree_add_text(princ_tree, asn1p->tvb, offset, item_len,
+                            "Name: %.*s", (int) name_len, name);
+    }
+    total_len -= item_len;
+    offset += item_len;
+
+    /* Now process the rest of the strings.
+       XXX - put them in the item as well? */
      while (total_len > 0) {
          KRB_DECODE_GENERAL_STRING_OR_DIE("principal name", name, name_len, item_len);
          if (princ_tree) {
-            proto_tree_add_text(princ_tree, NullTVB, offset, item_len,
+            proto_tree_add_text(princ_tree, asn1p->tvb, offset, item_len,
                                  "Name: %.*s", (int) name_len, name);
          }
          total_len -= item_len;
@@ -746,12 +1120,12 @@ dissect_PrincipalName(char *title, ASN1_SCK *asn1p, frame_data *fd,
  }
  
  static int
-dissect_Addresses(char *title, ASN1_SCK *asn1p, frame_data *fd,
+dissect_Addresses(char *title, ASN1_SCK *asn1p, packet_info *pinfo,
                    proto_tree *tree, int start_offset) {
      proto_tree *address_tree = NULL;
      int offset = start_offset;
  
-    const guchar *start;
+    int start, end;
      guint cls, con, tag;
      guint item_len;
      int ret;
@@ -767,44 +1141,45 @@ dissect_Addresses(char *title, ASN1_SCK *asn1p, frame_data *fd,
  
      KRB_HEAD_DECODE_OR_DIE("sequence of addresses");
      if (tree) {
-        item = proto_tree_add_text(tree, NullTVB, offset,
+        item = proto_tree_add_text(tree, asn1p->tvb, offset,
                                     item_len, "Addresses");
          address_tree = proto_item_add_subtree(item, ett_addresses);
      }
  
-    start = asn1p->pointer + item_len;
+    start = offset;
+    end = asn1p->offset + item_len;
  
-    while(start > asn1p->pointer) {
+    while(asn1p->offset < end) {
          dissect_type_value_pair(asn1p, &offset,
                                  &address_type, &item_len, &tmp_pos1,
                                  &str, &str_len, &tmp_pos2);
  
          if (address_tree) {
-            proto_tree_add_text(address_tree, NullTVB, tmp_pos1,
+            proto_tree_add_text(address_tree, asn1p->tvb, tmp_pos1,
                                  item_len, "Type: %s",
                                  val_to_str(address_type, krb5_address_types,
                                             "Unknown address type %#x"));
              switch(address_type) {
                  case KRB5_ADDR_IPv4:
-                    proto_tree_add_text(address_tree, NullTVB, tmp_pos2,
+                    proto_tree_add_text(address_tree, asn1p->tvb, tmp_pos2,
                                          str_len, "Value: %d.%d.%d.%d",
                                          str[0], str[1], str[2], str[3]);
                      break;
                      
                  default:
-                    proto_tree_add_text(address_tree, NullTVB, tmp_pos2,
+                    proto_tree_add_text(address_tree, asn1p->tvb, tmp_pos2,
                                          str_len, "Value: %s",
                                          bytes_to_str(str, str_len));
              }
          }
      }
      
-    return offset;
+    return offset - start_offset;
  }
  
  static int
-dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
-                      proto_tree *tree, int start_offset)
+dissect_EncryptedData(char *title, ASN1_SCK *asn1p, packet_info *pinfo,
+                     proto_tree *tree, int start_offset)
  {
  /*
     EncryptedData ::=   SEQUENCE {
@@ -816,7 +1191,7 @@ dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
      proto_tree *encr_tree = NULL;
      int offset = start_offset;
  
-    const guchar *start;
+    int start;
      guint cls, con, tag;
      guint header_len, item_len, data_len;
      int ret;
@@ -831,7 +1206,7 @@ dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
      KRB_SEQ_HEAD_DECODE_OR_DIE("encrypted data section");
  
      if (tree) {
-        item = proto_tree_add_text(tree, NullTVB, start_offset,
+        item = proto_tree_add_text(tree, asn1p->tvb, start_offset,
                                     (offset - start_offset) + item_len,
                                     "Encrypted Data: %s", title);
          encr_tree = proto_item_add_subtree(item, ett_princ);
@@ -841,7 +1216,7 @@ dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
      KRB_DECODE_CONTEXT_HEAD_OR_DIE("encryption type", 0);
      KRB_DECODE_UINT32_OR_DIE("encr-type", val);
      if (encr_tree) {
-        proto_tree_add_text(encr_tree, NullTVB, offset, length,
+        proto_tree_add_text(encr_tree, asn1p->tvb, offset, length,
                              "Type: %s",
                              val_to_str(val, krb5_encryption_types,
                                         "Unknown encryption type %#x"));
@@ -853,7 +1228,7 @@ dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
      if (CHECK_CONTEXT_TYPE(1)) {
        KRB_DECODE_UINT32_OR_DIE("kvno", val);
        if (encr_tree) {
-          proto_tree_add_text(encr_tree, NullTVB, offset, length,
+          proto_tree_add_text(encr_tree, asn1p->tvb, offset, length,
                                "KVNO: %d", val);
        }
        offset += length;
@@ -864,17 +1239,17 @@ dissect_EncryptedData(char *title, ASN1_SCK *asn1p, frame_data *fd,
      KRB_DECODE_OCTET_STRING_OR_DIE("cipher", data, data_len, item_len);
  
      if (encr_tree) {
-        proto_tree_add_text(encr_tree, NullTVB, offset, data_len,
-                            "Cipher: %s", bytes_to_str(data, item_len));
+        proto_tree_add_text(encr_tree, asn1p->tvb, offset, data_len,
+                            "CipherText: %s", bytes_to_str(data, item_len));
      }
      offset += data_len;
      
-    return offset;
+    return offset - start_offset;
  }
  
  static int
-dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
-               int start_offset)
+dissect_Ticket(char *title, ASN1_SCK *asn1p, packet_info *pinfo,
+              proto_tree *tree, int start_offset)
  {
  /*
     Ticket ::=                    [APPLICATION 1] SEQUENCE {
@@ -887,13 +1262,14 @@ dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
      proto_tree *ticket_tree = NULL;
      int offset = start_offset;
  
-    const guchar *start;
+    int start;
      guint cls, con, tag;
-    guint header_len, item_len, total_len;
+    guint header_len, total_len;
+    gint item_len;
      int ret;
  
      proto_item *item = NULL;
-    guint length;
+    gint length;
      gboolean def;
      guint32 val;
  
@@ -905,7 +1281,7 @@ dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
      total_len = item_len;
  
      if (tree) {
-        item = proto_tree_add_text(tree, NullTVB, start_offset,
+        item = proto_tree_add_text(tree, asn1p->tvb, start_offset,
                                     (offset - start_offset) + item_len,
                                     "Ticket");
          ticket_tree = proto_item_add_subtree(item, ett_ticket);
@@ -915,7 +1291,7 @@ dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
      KRB_DECODE_CONTEXT_HEAD_OR_DIE("Ticket tkt-vno", KRB5_TKT_TKT_VNO);
      KRB_DECODE_UINT32_OR_DIE("Ticket tkt-vno", val);
      if (ticket_tree) {
-        proto_tree_add_text(ticket_tree, NullTVB, offset, length,
+        proto_tree_add_text(ticket_tree, asn1p->tvb, offset, length,
                              "Version: %u", val);
      }
      offset += length;
@@ -925,7 +1301,7 @@ dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
      KRB_DECODE_CONTEXT_HEAD_OR_DIE("Ticket realm", KRB5_TKT_REALM);
      KRB_DECODE_GENERAL_STRING_OR_DIE("Ticket realm string", str, str_len, item_len);
      if (ticket_tree) {
-        proto_tree_add_text(ticket_tree, NullTVB, offset, item_len,
+        proto_tree_add_text(ticket_tree, asn1p->tvb, offset, item_len,
                              "Realm: %.*s", str_len, str);
      }
      offset += item_len;
@@ -933,7 +1309,7 @@ dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
  
      /* server name (sname) */
      KRB_DECODE_CONTEXT_HEAD_OR_DIE("Ticket sname", KRB5_TKT_SNAME);
-    item_len = dissect_PrincipalName("Service Name", asn1p, fd, ticket_tree,
+    item_len = dissect_PrincipalName("Service Name", asn1p, pinfo, ticket_tree,
                                       offset);
      if (item_len == -1)
          return -1;
@@ -941,12 +1317,13 @@ dissect_Ticket(char *title, ASN1_SCK *asn1p, frame_data *fd, proto_tree *tree,
  
      /* encrypted part */
      KRB_DECODE_CONTEXT_HEAD_OR_DIE("enc-part", KRB5_TKT_ENC_PART);
-    offset = dissect_EncryptedData("Ticket data", asn1p, fd, ticket_tree,
-                                   offset);
-    if (offset == -1)
+    length = dissect_EncryptedData("Ticket data", asn1p, pinfo, ticket_tree,
+                                  offset);
+    if (length == -1)
          return -1;
+    offset += length;
  
-    return offset;
+    return offset - start_offset;
  }
  
  
@@ -965,8 +1342,9 @@ proto_register_kerberos(void) {
          &ett_ticket,
          &ett_addresses,
          &ett_etype,
+        &ett_additional_tickets,
      };
-    proto_kerberos = proto_register_protocol("Kerberos", "kerberos");
+    proto_kerberos = proto_register_protocol("Kerberos", "KRB5", "kerberos");
  /*
      proto_register_field_array(proto_kerberos, hf, array_length(hf));
  */
@@ -976,8 +1354,11 @@ proto_register_kerberos(void) {
  void
  proto_reg_handoff_kerberos(void)
  {
-       old_dissector_add("udp.port", UDP_PORT_KERBEROS, dissect_kerberos);
-       old_dissector_add("tcp.port", TCP_PORT_KERBEROS, dissect_kerberos);
+    dissector_handle_t kerberos_handle;
+
+    kerberos_handle = create_dissector_handle(dissect_kerberos, proto_kerberos);
+    dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle);
+    dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle);
  }
  
  /*
@@ -1243,16 +1624,16 @@ proto_reg_handoff_kerberos(void)
        METHOD-DATA ::=    SEQUENCE {
                           method-type[0]   INTEGER,
                           method-data[1]   OCTET STRING OPTIONAL
-       }
+      }
  
-          EncryptionKey ::=   SEQUENCE {
-                              keytype[0]    INTEGER,
-                              keyvalue[1]   OCTET STRING
-          }
+      EncryptionKey ::=   SEQUENCE {
+                         keytype[0]    INTEGER,
+                         keyvalue[1]   OCTET STRING
+      }
  
-            Checksum ::=   SEQUENCE {
-                           cksumtype[0]   INTEGER,
-                           checksum[1]    OCTET STRING
-            }
+      Checksum ::=   SEQUENCE {
+                         cksumtype[0]   INTEGER,
+                         checksum[1]    OCTET STRING
+      }
  
  */